20687D
Official Microsoft Learning Product
Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names,
email addresses, logos, people, places, and events depicted herein are fictitious, and no association with
any real company, organization, product, domain name, email address, logo, person, place or event is
intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the
user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in
or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding
these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a
manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links
may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not
responsible for the contents of any linked site or any link contained in a linked site, or any changes or
updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission
received from any linked site. Microsoft is providing these links to you only as a convenience, and the
inclusion of any link does not imply endorsement of Microsoft of the site or the products contained
therein.
© 2014 Microsoft Corporation. All rights reserved.
Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx
are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.
These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its
affiliates) and you. Please read them. They apply to your use of the content accompanying this agreement which
includes the media on which you received it, if any. These license terms also apply to Trainer Content and any
updates and supplements for the Licensed Content unless other terms accompany those items. If so, those terms
apply.
BY ACCESSING, DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS.
IF YOU DO NOT ACCEPT THEM, DO NOT ACCESS, DOWNLOAD OR USE THE LICENSED CONTENT.
If you comply with these license terms, you have the rights below for each license you acquire.
1. DEFINITIONS.
a. Authorized Learning Center means a Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, or such other entity as Microsoft may designate from time to time.
b. Authorized Training Session means the instructor-led training class using Microsoft Instructor-Led
Courseware conducted by a Trainer at or through an Authorized Learning Center.
c. Classroom Device means one (1) dedicated, secure computer that an Authorized Learning Center owns
or controls that is located at an Authorized Learning Center's training facilities that meets or exceeds the
hardware level specified for the particular Microsoft Instructor-Led Courseware.
d. End User means an individual who is (i) duly enrolled in and attending an Authorized Training Session
or Private Training Session, (ii) an employee of a MPN Member, or (iii) a Microsoft full-time employee.
e. Licensed Content means the content accompanying this agreement which may include the Microsoft
Instructor-Led Courseware or Trainer Content.
f. Microsoft Certified Trainer or MCT means an individual who is (i) engaged to teach a training session
to End Users on behalf of an Authorized Learning Center or MPN Member, and (ii) currently certified as a
Microsoft Certified Trainer under the Microsoft Certification Program.
g. Microsoft Instructor-Led Courseware means the Microsoft-branded instructor-led training course that
educates IT professionals and developers on Microsoft technologies. A Microsoft Instructor-Led
Courseware title may be branded as MOC, Microsoft Dynamics or Microsoft Business Group courseware.
h. Microsoft IT Academy Program Member means an active member of the Microsoft IT Academy
Program.
i. Microsoft Learning Competency Member means an active member of the Microsoft Partner Network
program in good standing that currently holds the Learning Competency status.
j. MOC means the Official Microsoft Learning Product instructor-led courseware known as Microsoft
Official Course that educates IT professionals and developers on Microsoft technologies.
k. MPN Member means an active Microsoft Partner Network program member in good standing.
l. Personal Device means one (1) personal computer, device, workstation or other digital electronic device
that you personally own or control that meets or exceeds the hardware level specified for the particular
Microsoft Instructor-Led Courseware.
m. Private Training Session means the instructor-led training classes provided by MPN Members for
corporate customers to teach a predefined learning objective using Microsoft Instructor-Led Courseware.
These classes are not advertised or promoted to the general public and class attendance is restricted to
individuals employed by or contracted by the corporate customer.
n. Trainer means (i) an academically accredited educator engaged by a Microsoft IT Academy Program
Member to teach an Authorized Training Session, and/or (ii) a MCT.
o. Trainer Content means the trainer version of the Microsoft Instructor-Led Courseware and additional
supplemental content designated solely for Trainers' use to teach a training session using the Microsoft
Instructor-Led Courseware. Trainer Content may include Microsoft PowerPoint presentations, trainer
preparation guide, train the trainer materials, Microsoft OneNote packs, classroom setup guide and
Pre-release course feedback form. To clarify, Trainer Content does not include any software, virtual hard
disks or virtual machines.
2. USE RIGHTS. The Licensed Content is licensed, not sold. The Licensed Content is licensed on a one copy
per user basis, such that you must acquire a license for each individual that accesses or uses the Licensed
Content.
2.1 Below are five separate sets of use rights. Only one set of rights applies to you.
vii. you will only use qualified Trainers who have in-depth knowledge of and experience with the
Microsoft technology that is the subject of the Microsoft Instructor-Led Courseware being taught for
all your Authorized Training Sessions,
viii. you will only deliver a maximum of 15 hours of training per week for each Authorized Training
Session that uses a MOC title, and
ix. you acknowledge that Trainers that are not MCTs will not have access to all of the trainer resources
for the Microsoft Instructor-Led Courseware.
c.
ii. You may customize the written portions of the Trainer Content that are logically associated with
instruction of a training session in accordance with the most recent version of the MCT agreement.
If you elect to exercise the foregoing rights, you agree to comply with the following: (i)
customizations may only be used for teaching Authorized Training Sessions and Private Training
Sessions, and (ii) all customizations will comply with this agreement. For clarity, any use of
customize refers only to changing the order of slides and content, and/or not using all the slides or
content, it does not mean changing or modifying any slide or content.
2.2 Separation of Components. The Licensed Content is licensed as a single unit and you may not
separate its components and install them on different devices.
2.3 Redistribution of Licensed Content. Except as expressly provided in the use rights above, you may
not distribute any Licensed Content or any portion thereof (including any permitted modifications) to any
third parties without the express written permission of Microsoft.
2.4 Third Party Notices. The Licensed Content may include third party code or content that Microsoft, not the
third party, licenses to you under this agreement. Notices, if any, for the third party code or content are included
for your information only.
2.5 Additional Terms. Some Licensed Content may contain components with additional terms,
conditions, and licenses regarding its use. Any non-conflicting terms in those conditions and licenses also
apply to your use of that respective component and supplement the terms described in this agreement.
3.
a. Pre-Release Licensed Content. This Licensed Content subject matter is on the Pre-release version of
the Microsoft technology. The technology may not work the way a final version of the technology will
and we may change the technology for the final version. We also may not release a final version.
Licensed Content based on the final version of the technology may not contain the same information as
the Licensed Content based on the Pre-release version. Microsoft is under no obligation to provide you
with any further content, including any Licensed Content based on the final version of the technology.
b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly or
through its third party designee, you give to Microsoft without charge, the right to use, share and
commercialize your feedback in any way and for any purpose. You also give to third parties, without
charge, any patent rights needed for their products, technologies and services to use or interface with
any specific parts of a Microsoft technology, Microsoft product, or service that includes the feedback.
You will not give feedback that is subject to a license that requires Microsoft to license its technology,
technologies, or products to third parties because we include your feedback in them. These rights
survive this agreement.
c. Pre-release Term. If you are a Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, MPN Member or Trainer, you will cease using all copies of the Licensed Content on
the Pre-release technology upon (i) the date which Microsoft informs you is the end date for using the
Licensed Content on the Pre-release technology, or (ii) sixty (60) days after the commercial release of the
technology that is the subject of the Licensed Content, whichever is earliest ("Pre-release term").
Upon expiration or termination of the Pre-release term, you will irretrievably delete and destroy all copies
of the Licensed Content in your possession or under your control.
4. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some
rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more
rights despite this limitation, you may use the Licensed Content only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only
allow you to use it in certain ways. Except as expressly permitted in this agreement, you may not:
access or allow any individual to access the Licensed Content if they have not acquired a valid license
for the Licensed Content,
alter, remove or obscure any copyright or other protective notices (including watermarks), branding
or identifications contained in the Licensed Content,
publicly display, or make the Licensed Content available for others to access or use,
copy, print, install, sell, publish, transmit, lend, adapt, reuse, link to or post, make available or
distribute the Licensed Content to any third party,
reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the
Licensed Content except and only to the extent that applicable law expressly permits, despite this
limitation.
5. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to
you in this agreement. The Licensed Content is protected by copyright and other intellectual property laws
and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the
Licensed Content.
6. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations.
You must comply with all domestic and international export laws and regulations that apply to the Licensed
Content. These laws include restrictions on destinations, end users and end use. For additional information,
see www.microsoft.com/exporting.
7. SUPPORT SERVICES. Because the Licensed Content is "as is," we may not provide support services for it.
8. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail
to comply with the terms and conditions of this agreement. Upon termination of this agreement for any
reason, you will immediately stop all use of and delete and destroy all copies of the Licensed Content in
your possession or under your control.
9. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed
Content. The third party sites are not under the control of Microsoft, and Microsoft is not responsible for
the contents of any third party sites, any links contained in third party sites, or any changes or updates to
third party sites. Microsoft is not responsible for webcasting or any other form of transmission received
from any third party sites. Microsoft is providing these links to third party sites to you only as a
convenience, and the inclusion of any link does not imply an endorsement by Microsoft of the third party
site.
10. ENTIRE AGREEMENT. This agreement, and any additional terms for the Trainer Content, updates and
supplements are the entire agreement for the Licensed Content, updates and supplements.
11. APPLICABLE LAW.
a. United States. If you acquired the Licensed Content in the United States, Washington state law governs
the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws
principles. The laws of the state where you live govern all other claims, including claims under state
consumer protection laws, unfair competition laws, and in tort.
b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that
country apply.
12. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws
of your country. You may also have rights with respect to the party from whom you acquired the Licensed
Content. This agreement does not change your rights under the laws of your country if the laws of your
country do not permit it to do so.
13.
14. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM
MICROSOFT, ITS RESPECTIVE AFFILIATES AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP
TO US$5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL,
LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.
Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this
agreement are provided below in French.
Note: Since this Licensed Content is distributed in Quebec, Canada, some of the clauses of this
agreement are provided below in French.
DISCLAIMER OF WARRANTY. The Licensed Content covered by a license is offered "as is". Any use of
this Licensed Content is at your sole risk and peril. Microsoft grants no other express warranty. You may
have additional rights under local consumer protection law, which this agreement cannot modify. Where
permitted by local law, the implied warranties of merchantability, fitness for a particular purpose and
non-infringement are excluded.
It also applies even if Microsoft knew or should have known of the possibility of such damage. If your
country does not allow the exclusion or limitation of liability for indirect, incidental or other damages of
any kind, the above limitation or exclusion may not apply to you.
LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws
of your country. This agreement does not change the rights conferred on you by the laws of your country
if those laws do not permit it.
Revised July 2013
Acknowledgments
Microsoft Learning wants to acknowledge and thank the following for their contribution toward
developing this title. Their effort at various stages in the development has ensured that you have a good
classroom experience.
Slavko Kukrika has been a Microsoft Certified Trainer (MCT) for more than 15 years. He holds many technical
certifications, and he is honored to be one of the Microsoft Most Valuable Professionals (MVPs). Slavko
specializes in Windows operating systems, Active Directory, and virtualization. He has worked with
Windows 8 since it was first publicly available, and he helped several mid-size customers to migrate to
Windows 8. Slavko regularly presents at technical conferences, and he is the author of several Microsoft
Official Courses. In his private life, Slavko is the proud father of two sons, and he tries to extend each day
to at least 25 hours.
Andrew Bettany is a published author, MVP (Windows Expert-IT Pro), holds numerous Microsoft
certifications, and has been a Microsoft trainer since 2005. Based in York, England, he manages the
University of York IT Academy and often participates in worldwide conferences and events. Most recently,
Andrew visited Haiti for the second time to deliver an intensive boot camp that focused on Windows
technologies to help the local community rebuild key IT skills following the earthquake in 2010.
Elias Mereb is a highly experienced infrastructure architect, consultant, trainer, and international speaker.
He currently holds more than 30 Microsoft certifications, including: MCP, MCSA: Security, MCTS, MCITP,
and MCT. He is also a six-time winner of the Microsoft Most Valuable Professional (MVP) award in the
Windows Expert-IT Pro technical expertise and a Charter Springboard Series Technical Experts Program
(STEP) Member. Elias has been invited several times to speak at TechEd North America, TechEd Europe,
and the Microsoft Management Summit (MMS). He has participated as a SME, trainer, technical writer,
and technical reviewer in the design and development process of Microsoft certification exams and
courses, which recently include Windows Server 2008, Windows Server 2008 R2, Windows Server 2012,
Windows Server 2012 R2, Windows 7, Windows 8 and Windows 8.1 exams and courses for Microsoft
Learning.
Contents
Module 1: Windows 8.1 in an Enterprise Environment
Lesson 1: Managing Windows 8.1 in an Enterprise Environment
Course Description
This course is intended for IT professionals who administer and support Windows 8.1 PCs, devices, users,
and associated network and security resources. The networks with which these professionals typically work
are configured as a Windows Server domain-based environment with managed access to the Internet
and cloud services. The course is also intended for students who seek certification in the 70-687
Configuring Windows 8.1 exam. NOTE: This course is based on Windows 8.1 Enterprise edition with
domain services provided by Windows Server 2012 R2.
Note: Microsoft has renamed SkyDrive to OneDrive and SkyDrive Pro to OneDrive for
Business, and the course content uses the updated names. However, the virtual machines
in this course use the original release of Windows 8.1 Enterprise edition that refers to the
terms SkyDrive and SkyDrive Pro. Because of this, in the labs and demonstrations, you might
see a discrepancy between the course content and the user interface in the virtual
machines.
Audience
This course is intended for IT professionals who administer and support Windows 8.1 PCs, devices,
users, and associated network and security resources. The networks with which these professionals
typically work are configured as Windows Server domain-based environments with managed access to
the Internet and cloud services. This course is also intended to provide foundation configuration skills
for Enterprise Desktop/Device Support Technicians (EDSTs) who provide Tier 2 support to users who run
Windows desktops and devices within a Windows domain environment in medium to large enterprise
organizations. Students who seek certification in the 70-687 Configuring Windows 8.1 exam will also
benefit from this course.
Student Prerequisites
This course requires that you meet the following prerequisites:
Knowledge of Active Directory Domain Services (AD DS) principles and fundamentals of AD DS
management
Understanding of certificate security and working knowledge of the fundamentals of Active Directory
Certificate Services (AD CS)
Understanding of Windows client operating system essentials; for example, working knowledge of
Windows XP, Windows Vista, Windows 7 and Windows 8
Basic awareness of the following Windows deployment tools but no actual prerequisite skills with the
specific tools are assumed:
Course Objectives
After completing this course, students will be able to:
Describe solutions and features that are related to managing Windows 8.1 in an enterprise network
environment.
Determine requirements and perform the tasks for installing and deploying Windows 8.1.
Determine the most appropriate management tools to configure Windows 8.1 settings.
Configure disks, partitions, volumes, and device drivers in a Windows 8.1 system.
Configure resource connectivity for both domain-joined devices and devices that are not domain
members.
Implement tools and technologies that can help secure Windows 8.1 PCs and devices.
Describe Hyper-V for Windows 8.1 and describe how to use it to support legacy applications.
Course Outline
The course outline is as follows:
Module 1, "Windows 8.1 in an Enterprise Network Environment" describes solutions and features that are
related to managing Windows 8.1 in an enterprise network environment. Students will identify how to use
Windows 8.1 features and related solutions to support intranet, Internet, and Windows 8.1 clients that are
not domain members. They will also learn how to identify changes to the Windows 8.1 user interface and
how to perform customizations of the desktop and Start screen.
Module 2, "Installing and Deploying Windows 8.1" describes how to identify hardware, software, and
infrastructure readiness for installing and deploying Windows 8.1, and also describes the different options
for installing Windows 8.1 on a computer. It also explains how students can customize a Windows 8.1
image file and deploy it by using appropriate installation tools. Additionally, this module describes the
methods students can use to manage volume activation in Windows 8.1.
Module 3, "Tools Used for Configuring and Managing Windows 8.1" explains how to determine the most
appropriate management tools to configure Windows 8.1 settings. It describes tools for local and remote
management of Windows 8.1 and the use of Group Policy and Windows PowerShell in managing
Windows 8.1 settings.
Module 4, "Managing Profiles and User State in Windows 8.1" describes how to manage profiles and user
state between Windows-based devices. Students will learn about managing user accounts and profiles in
Windows 8.1, configuring User State Virtualization by using Microsoft User Experience Virtualization and
Windows 8.1, and migrating user state and settings when migrating to Windows 8.1.
Module 5, "Managing Disks and Device Drivers" explains how to configure partitions, volumes, and device
drivers in a Windows 8.1 system. It also explains how to manage virtual hard disks in the Windows 8.1 file
system.
Module 6, "Configuring Network Connectivity" explains how to configure network connectivity by using
IPv4 and IPv6. It also describes how to implement automatic IP address allocation and name resolution.
Module 7, "Configuring File Access and Printers on Windows 8.1 Clients" explains how to manage secure
file and folder access, create and manage shared folders, and configure file and folder compression. It also
explains how to enable and configure OneDrive access, and how to create and configure shared printers.
Module 8, "Implementing Network Security" explains how to secure network connections by
implementing Windows 8.1 technologies. It explains how to configure Windows Firewall, Windows
SmartScreen, and Windows Defender. It also explains how to implement connection security rules to
secure network traffic.
Module 9, "Configuring Resource Access for Domain-Joined Devices and Devices That Are Not Domain
Members" explains how to configure resource connectivity for domain-joined devices and devices that are
not domain members. It also explains how to configure Workplace Join for computers that are not
domain members, and how to configure Work Folders.
Module 10, "Securing Windows 8.1 Devices" explains how to implement tools and technologies that can
help secure Windows 8.1 desktops. It describes methods for authentication and authorization in Windows
8.1. It also describes how to use local Group Policy Objects to configure security and other settings, and it
explains the use of file encryption methods and User Account Control.
Module 11, "Configuring Applications for Windows 8.1" explains how to configure and control
applications in Windows 8.1. It describes application deployment methods and explains how to install and
manage Windows Store apps. It also explains how to configure and secure Internet Explorer, and how to
configure application restrictions with AppLocker.
Module 12, "Optimizing and Maintaining Windows 8.1 Computers" explains how to optimize and
maintain Windows 8.1-based computers. It also explains how to manage reliability, and how to configure
and manage software updates in Windows 8.1.
Module 13, "Configuring Mobile Computing and Remote Access" explains how to configure Windows 8.1
settings that are applicable to mobile computing devices. It also describes DirectAccess, and how it can
provide remote access. This module also explains how to enable and configure virtual private network
access, Remote Desktop, and Windows Remote Assistance.
Module 14, "Recovering Windows 8.1" explains how to recover Windows 8.1 from failures. It describes
how to provide for file and folder recovery, and how to identify when and how to recover Windows 8.1.
Module 15, "Configuring Client Hyper-V" describes Hyper-V for Windows 8.1 and explains how to create
and configure virtual machines in Hyper-V for Windows 8.1. It also explains the use of virtual hard disks
and the creation and implementation of virtual machine checkpoints.
Course Materials
The following materials are included with your kit:
Course Handbook: a succinct classroom learning guide that provides the critical technical
information in a crisp, tightly focused format, which is essential for an effective in-class learning
experience:
Lessons: guide you through the learning objectives and provide the key points that are critical to
the success of the in-class learning experience.
Labs: provide a real-world, hands-on platform for you to apply the knowledge and skills that are
learned in the module.
Module Reviews and Takeaways: provide on-the-job reference material to boost knowledge
and skill retention.
Modules: include companion content, such as questions and answers, detailed demonstration
steps, and additional reading links, for each lesson. Additionally, they include Lab Review
questions and answers and Module Reviews and Takeaways sections, which contain the review
questions and answers, best practices, common issues and troubleshooting tips with answers, and
real-world issues and scenarios with answers.
Resources: include well-categorized additional resources that give you immediate access to the
most current premium content on TechNet, MSDN, or Microsoft Press.
Course evaluation: at the end of the course, you will have the opportunity to complete an online
evaluation to provide feedback on the course, training facility, and instructor:
This section provides the information for setting up the classroom environment to support the business
scenario of the course.
Role
20687D-LON-DC1
20687D-LON-CL1
20687D-LON-CL2
20687D-LON-CL3
20687D-LON-CL4
20687D-LON-REF1: Blank virtual machine that is used for reference machine imaging and
capture scenarios
20687D-LON-SVR1
20687D-LON-SVR2
Software Configuration
The following software is installed on each virtual machine:
Classroom Setup
Each classroom computer will have the same virtual machine configured in the same way.
Dual 120-gigabyte (GB) hard disks, 7200 RPM, Serial ATA (SATA) or better*
8 GB of RAM
DVD drive
Network adapter
* Striped
In addition, the instructor's computer must be connected to a projection display device that supports
SVGA 1024 x 768 pixels, 16-bit colors.
Move your pointer to the lower-right corner of the desktop to open a menu with:
Module 1
Windows 8.1 in an Enterprise Environment
Module Overview
Windows client operating systems are essential to the functionality of almost every enterprise
environment. Most users perform the bulk of their computing tasks in the Windows client interface,
including editing documents, sending email, interacting with applications, and numerous other
tasks. Managing these clients, then, is an important task for enterprise information technology (IT)
administrators. You must manage Windows clients to ensure that operating systems and any applications
are operating properly. Providing adequate security measures, deploying new clients when required,
maintaining an inventory, and monitoring Windows clients in your environment are all essential tasks for
IT administrators. This module introduces you to Windows 8.1 and provides an overview of how you can
manage Windows 8.1 computers in your environment to meet common enterprise IT challenges.
Objectives
After completing this module, you will be able to:
Explain the different options for managing Windows 8.1 in an enterprise environment.
Lesson 1: Managing Windows 8.1 in an Enterprise Environment
Managing Windows clients in an enterprise environment can provide a variety of challenges. Windows
computers that come from outside your environment or that connect through the Internet to your
network are often outside the scope of many central configuration management tools. Moreover, even
central configuration management tools have limitations that provide challenges, depending on your
environment.
This lesson highlights some of the most common challenges facing administrators in the client
environment and the solutions that are available for Windows 8.1 devices.
Lesson Objectives
After completing this lesson, you will be able to:
Identify solutions for managing resource access for devices that are not domain-joined.
Explain how to manage Windows 8.1 devices by using enterprise management systems.
Virtual private network (VPN) clients cannot connect to a network with the same functionality as
internal clients.
Clients that are not connected to a network do not have access to resources.
A remotely connected client does not have enough available network bandwidth to run applications
that are hosted on enterprise servers.
Challenges related to client configuration typically involve not being able to enforce a configurations
standard, or being forced to perform the tedious task of manually configuring devices on an unplanned
basis:
Client computers that are not managed centrally might have different, potentially conflicting
configurations.
Centralized configuration management might not reach all clients in an enterprise network, and
typically cannot configure clients outside of an enterprise network.
Mobile devices that require specific configuration are left misconfigured or are unaccounted for.
Clients do not have consistent and current protection from malware and other malicious content.
Permissions and access to client settings might be different from client to client.
Users who bring their own devices and connect to an enterprise network could potentially
compromise enterprise security standards.
Users need access to resources on a network. Missing or misconfigured access to files and printers can
have a significant negative impact on business activity in an organization. Some examples of resource
access challenges include:
Files stored on an enterprise network are not available when a client is disconnected.
Group Policy
Group Policy helps you manage client computers
centrally in a domain environment. With Group Policy, you do not need to configure Windows 8.1
computers manually in your environment.
You can configure Windows 8.1 devices effectively by using centralized configuration management. In the
Active Directory Domain Services (AD DS) environment common to most Windows-based networks, you
can use Group Policy to provide centralized configuration management for Windows client computers.
When a Windows 8.1 client joins an AD DS domain, you can use Group Policy to specify configuration
settings for a client computer, including UI elements, security settings, available applications and features,
and operating system functionality. You also can use Group Policy to distribute common settings to client
computers, such as mapped drives, printers, or environment variables.
You can set Group Policy to affect as narrow or broad a scope of client devices as you determine if the
clients are connected to the domain where you implement the Group Policy.
You can use Microsoft User Experience Virtualization (UE-V) to provide consistent and synchronized user
settings configuration for Windows 8.1 computers. With UE-V, user profile information is stored remotely
and synchronizes with client computers when users log on and make changes to the environment. UE-V
enables a consistent user environment.
VPN
DirectAccess
DirectAccess takes the concept of VPN and uses Windows Server 2012 R2 technology to enable an
Internet-based client to connect to a domain controller on an internal network, authenticate a client
computer account, and accept sign-ins from users as if the client computer is connected to the internal
network. Because the appropriate authentication has been performed, you can manage DirectAccess
clients by using Group Policy, and they appear to other enterprise management systems as if they were
connected to the internal network.
Workplace Join
Work Folders
Work Folders enable users to synchronize their data from their user folder on a network to their own
device. When you implement Work Folders, locally created files also synchronize back to a network folder
location. You can configure Work Folders to synchronize network files without having a client joined to a
domain. In versions prior to Windows 8.1 and before Work Folders were introduced, domain membership
was required for this type of synchronization, and the client had to be connected to a corporate network
to initialize synchronization.
With Windows 8.1 and Windows Server 2012 R2, you can use remote business data removal to classify
and flag corporate files and to differentiate between these files and user files. With this classification, the
remote wipe of a Windows 8.1 device will not remove user-owned data when securing or removing
corporate data on the device.
Deploy applications. Configuration Manager enables you to deploy packaged applications to devices
in your environment.
Manage Endpoint Protection. Managing Microsoft System Center 2012 Endpoint Protection from
within Configuration Manager allows you to use a single console to manage desktop computers and
devices.
Deploy software updates. Configuration Manager uses the basic infrastructure of Windows
Server Update Services (WSUS) to provide software updates.
Deploy operating systems. Configuration Manager expands the capabilities of Windows Deployment
Services.
Inventory hardware and software. Configuration Manager includes hardware and software inventory
capabilities.
Track license compliance for software. You can use the Asset Intelligence and software metering
features in Configuration Manager to track license compliance.
Windows Intune
Windows Intune is a cloud service that you can use to secure and manage Windows client computers
and mobile devices. It uses a subscription-based model that does not require any on-premises
infrastructure to manage supported Windows client computers. Windows Intune can manage clients
irrespective of whether they are workgroup or domain members and without regard for their network
settings, as long as they are accessible over the Internet.
After you install Windows Intune client software, a computer account is created in Windows Intune,
and you now can manage that computer centrally. You can install the Windows Intune client in various
ways, such as by using Group Policy, by including it in a desktop image, or through the Windows Intune
company portal. An administrator also can deploy the client manually on a per-computer basis.
Windows Intune provides several benefits, including:
Updates. Windows Intune ensures that updates install on client computers. All updates through
Windows Update are available with Windows Intune, and you can deploy other non-Microsoft
updates by using Windows Intune.
Endpoint Protection. Windows Intune includes Windows Intune Endpoint Protection, which provides
real-time protection against malware such as viruses and spyware.
Software deployment. You can use Windows Intune for deploying software such as Windows client
operating systems or apps from Microsoft or third parties.
Monitoring and alerting. Windows Intune can monitor client computers and raise an alert when
certain criteria are met.
Reporting. Windows Intune provides several reports, such as detected software on client computers,
client computer inventory, and update reports on organizational use of licenses.
The Configuration Manager 2012 R2 console now includes interoperability features that enable
administrators to view all client devices irrespective of whether Windows Intune or Configuration Manager
2012 R2 manages them. This enables you to add any mobile devices that you manage with Windows
Intune into the Configuration Manager 2012 R2 console. You then can manage all the devices through a
single administrative tool.
If your company does not have Configuration Manager 2012 R2, you can still use Windows Intune to
manage mobile devices and Windows client computers. However, if you already have Configuration
Manager 2012 R2 installed, Windows Intune enables you to extend the reach of your management
infrastructure to include mobile devices through cloud services. Configuration Manager 2012 R2 still has
more client computer management features than Windows Intune. However, Configuration Manager
2012 R2 only includes a limited set of mobile device management features because it relies on Windows
Intune for those tasks.
Lesson 2
Windows 8.1 is the latest version of the Windows client operating system. It includes the same core
functionality as Windows 8, along with several important enhancements and functionality improvements
that affect an enterprise environment.
This lesson introduces you to Windows 8.1, demonstrates changes to the UI, and shows you how to
customize the interface and other Windows 8.1 settings.
Lesson Objectives
After completing this lesson, you will be able to:
2. Start screen. The Start screen is displayed after you sign in to Windows 8.1. The Start screen
contains tiles that represent the apps installed on the computer.
3. Desktop. By clicking the Desktop tile on the Start screen, you can access the desktop, which
appears whenever you run desktop apps.
You can access Windows 8.1 interface elements with several convenient touch gestures, mouse gestures,
and keyboard shortcuts:
Start screen. Click the Start button on the taskbar or press the Windows logo key on the keyboard.
Display Charms menu. Point to the upper-right or lower-right corner or press Windows logo key+C
on the keyboard.
Get commands and shortcut menus. On the Start screen or in Windows Store apps, right-click the
screen or press Windows logo key+Z. You also can swipe up from the bottom of the screen to access
these commands and menus on a touch-screen device.
Switch between recently used apps. Point to the upper-left corner with the mouse and then click or
swipe in from the left on a touch-screen device.
Close an app. With Windows Store open, move the mouse to the top of the screen, click, and then
pull down. You also can swipe down from the top on a touch-screen device or press Alt+F4 on the
keyboard.
Display the Quick Link menu. Right-click the Start button or press Windows logo key+X on the
keyboard to display a menu of commonly used shortcuts to Windows interface components such as
the Shutdown menu, Task Manager, Command Prompt, and Control Panel.
You can navigate the Windows 8.1 interface by using the following gestures on touch-screen devices:
Pinch to zoom. You can pinch to zoom in, and reverse the pinching gesture to zoom out, in many
apps and on the Start screen.
Press, hold, drag, and drop. You can use this gesture to move interface elements around in Windows
Store apps or to move and edit tiles on the Start Screen.
Windows logo key+J. Switch between the main app and a snapped app.
Windows logo key+O. Lock the screen orientation for accelerometer-enabled devices.
Windows logo key+Q. Open the Search charm to search for apps.
Windows logo key+Page Up or Page Down. Move the Start screen and apps to the next monitor.
For more information on the keyboard shortcuts in Windows 8.1, refer to:
Microsoft Accessibility: Keyboard Shortcuts
http://go.microsoft.com/fwlink/?LinkId=356124&clcid=0x409
2. On the Navigation tab, in the Start screen section, select the Go to the desktop instead of Start
when I sign in check box.
Demonstration Steps
1.
2.
3.
4.
5.
6. Open the Applications screen by clicking the Down Arrow at the bottom of the Start screen.
7.
8.
9. Open the Quick Links menu, and then click Command Prompt.
10. Configure Windows 8.1 to start to the desktop instead of the Start screen.
2. Run the Export-StartLayout Windows PowerShell cmdlet and specify the output file.
For example:
Export-StartLayout -path C:\path\StartLayout.xml -As XML
3. Store the StartLayout.xml file in a network location where users have Read permissions.
4. Edit the local policy on a Windows 8.1 computer, or create or edit a Group Policy Object (GPO) with
an appropriate Group Policy setting to specify the location of the StartLayout.xml file.
5. Link the GPO in the Group Policy Management Console if you use Group Policy.
Note: When you use Start screen control to set the layout of the Windows 8.1 Start screen,
users cannot customize or make changes to the Start screen.
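The procedure above carried through end to end, as an added PowerShell example written for this section (it is not course material): it exports the layout, publishes it to a share, checks that users can read the file and that nobody else can modify it, sets the Start Screen Layout policy in a GPO and links the GPO. The share \\FILESRV01\StartLayout, the GPO name, the OU distinguished name and the use of the Domain Users group are assumptions. The two registry values the policy writes (LockedStartLayout and StartLayoutFile under Software\Policies\Microsoft\Windows\Explorer) are the standard ones for this policy, but verify them against the ADMX in your environment. The GroupPolicy module ships with the Remote Server Administration Tools.

```powershell
# Added example for this section (not course material): export the Start screen layout,
# publish it to a read-only share, and configure the Start Screen Layout policy in a GPO.
# ASSUMED values: the share \\FILESRV01\StartLayout, the GPO name, the OU distinguished name
# (contoso is a placeholder domain), and the 'Domain Users' group used for the permission check.

$LayoutFile      = 'C:\Temp\StartLayout.xml'
$ShareFolder     = '\\FILESRV01\StartLayout'                # assumed network location
$PublishedLayout = Join-Path -Path $ShareFolder -ChildPath 'StartLayout.xml'
$GpoName         = 'Windows 8.1 Start Layout'               # assumed GPO name
$TargetOu        = 'OU=Workstations,DC=contoso,DC=com'      # assumed OU

# Step 2: export the current Start screen layout as XML (Windows 8.1 syntax, with -As).
Export-StartLayout -Path $LayoutFile -As XML

# Refuse to publish anything that is not well-formed XML.
[xml]$layout = Get-Content -Path $LayoutFile -Raw
if ($null -eq $layout.DocumentElement) { throw "Exported layout is not valid XML: $LayoutFile" }

# Step 3: copy the file to the network location and check its permissions.
Copy-Item -Path $LayoutFile -Destination $PublishedLayout -Force
$acl = Get-Acl -Path $PublishedLayout

# Users must be able to read the file, or the policy silently fails to apply.
$readers = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference -like '*Domain Users' -and
    $_.FileSystemRights -match 'Read'
}
if (-not $readers) {
    Write-Warning "Domain Users cannot read $PublishedLayout; the Start layout policy will not apply."
}

# Whoever can modify this file controls the Start screen of every managed user, so flag
# any Allow entry that grants write access to something other than administrators or SYSTEM.
$writers = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.FileSystemRights -match 'Write|Modify|FullControl' -and
    $_.IdentityReference -notmatch 'Administrators|SYSTEM|CREATOR OWNER'
}
if ($writers) {
    Write-Warning ("Non-administrators can modify the layout file: " +
        (($writers.IdentityReference | ForEach-Object { $_.Value }) -join ', '))
}

# Step 4: set the Start Screen Layout policy in a GPO. Needs the GroupPolicy module (RSAT).
# The two registry values below are the ones this policy writes under
# Software\Policies\Microsoft\Windows\Explorer; verify them against the ADMX in your environment.
Import-Module GroupPolicy
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if ($null -eq $gpo) { $gpo = New-GPO -Name $GpoName }
$policyKey = 'HKCU\Software\Policies\Microsoft\Windows\Explorer'
Set-GPRegistryValue -Name $GpoName -Key $policyKey -ValueName 'LockedStartLayout' -Type DWord  -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $policyKey -ValueName 'StartLayoutFile'  -Type String -Value $PublishedLayout | Out-Null

# Step 5: link the GPO to the OU that contains the users (the setting is in User Configuration).
New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
Write-Host "Start layout published to $PublishedLayout and enforced through GPO '$GpoName'."
```

The permission checks are the part worth keeping even if you set the policy in the GPMC by hand: the layout file is read by every user's shell, so Read for users is required for the policy to work at all, and write access for anyone other than administrators hands that person control over which tiles appear on every managed Start screen.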
PC Settings
You can open PC Settings by pointing to the lower-right corner of the desktop to open the Charms menu,
clicking Settings, and then clicking PC Settings at the bottom of the menu. The following settings are
available within the PC Settings screen:
Activate Windows. You can activate your version of Windows 8.1 from this screen.
PC & devices. The PC & devices screen contains a large number of configuration settings for the look
and feel of Windows 8.1, such as lock screen view; display resolution and orientation; and mouse,
touchpad, and other input device behavior. It also contains sections for adding and removing
peripheral devices, such as printers.
Accounts. You can configure both local and Microsoft-based accounts from this screen, including
sign-in options like account picture and picture passwords.
OneDrive. You can view and configure your online storage space from Microsoft OneDrive (formerly
SkyDrive) from this screen.
Search & apps. You can use this screen to control your search experience in Windows 8.1, and the
default settings for tasks such as notifications and default apps.
Privacy. You can control the behavior of devices such as cameras, and location-based behavior from
this screen.
Network. You can use the Network screen to manipulate network settings and connect to new
networks.
Time & language. You can use this screen to configure local and regional settings for time and
language display and input.
Ease of Access. The Ease of Access screen contains settings that enable the customization of input and
display methods.
Update & recovery. The Update & recovery screen presents options for updating your computer,
recovering previous versions of files, or enabling advanced recovery modes for Windows 8.1.
Demonstration Steps
Windows Store enables users to access and install Windows Store apps. These apps are not like desktop
applications such as Microsoft Office 2010. Rather, they are full-screen apps that can run on a number of
device types, including x86, x64, and ARM platforms. However, not all Windows Store apps are compatible
with all platforms.
These apps can communicate with one another and with Windows 8.1 so that it is easier to search for and
share information, such as photographs.
When an app is installed, from the Start screen, users can see live tiles that constantly update with live
information from the installed apps.
Locating Apps
When users connect to the Windows Store, the landing page (that is, the initial page users see when
accessing the Windows Store) is designed to make apps easy to locate. Apps are divided into categories
such as Games, Entertainment, Music & Videos, and others.
Users also can use the Windows 8.1 Search charm to search the Windows Store for specific apps. For
example, if a user is interested in an app that provides video-editing capabilities, he or she can bring up
the Search charm, type in a search string, and then click Store. The Windows Store returns suitable apps
from which the user can make a selection.
Installing Apps
A single tap or click on the appropriate app in the listing should be sufficient to install the app. The app
installs in the background so that a user can continue to browse the Windows Store. After the app installs,
a tile for the app appears on the user's Start screen.
Updating Apps
Windows 8.1 checks the Windows Store for updates to installed apps on a daily basis. When an update
for an installed app is available, the Windows operating system updates the Store tile in the Start screen
to display an indication that updates are available. When a user selects the Store tile and connects to the
Windows Store, the user can choose to update one, several, or all of the installed apps for which updates
are available.
Many users have multiple devices, such as desktop and laptop computers. Windows Store allows five
installations of a single app to enable users to run the app on all of their devices. If users attempt to install
an app on a sixth device, they are prompted to remove the app from another device.
Module 2
Installing and Deploying Windows 8.1
Module Overview
The Windows 8.1 operating system builds on the core functionality of Windows 8 and Windows 7 to
provide a stable client experience across many device form factors and processor architectures. In this
module, you will learn about the features that are available in different Windows 8.1 editions. This module
introduces planning considerations and hardware requirements for a Windows 8.1 installation. You also
will learn about the importance of device driver compatibility and application compatibility during
installation.
This module describes how you can perform a clean installation of Windows 8.1. It also describes how you
can upgrade or migrate to Windows 8.1 and the upgrade paths that are supported. You will learn about
the tools and technologies that you can use to customize an installation. You also will learn about
Windows 8.1 activation and the different activation options.
Objectives
After completing this module, you will be able to:
Lesson 1
Before you install Windows 8.1 on a computer, you must ensure that the hardware and software on that
computer is compatible with it. As you prepare for the installation, you must understand the minimum
hardware requirements and the installation methods that you can use.
In this lesson, you will learn about the planning process for a successful Windows 8.1 installation and
deployment. You will learn how to identify problematic devices, drivers, and apps, and you will determine
methods for mitigating compatibility issues. By doing so, you can minimize or eradicate the problems you
might face during or after installation.
Lesson Objectives
After completing this lesson, you will be able to:
You can perform a clean Windows 8.1 installation or upgrade an existing operating system. An
upgrade retains files, apps, and settings from the operating system that you upgraded. A clean
installation includes only default settings and apps from the Windows 8.1 installation. You also can
perform a clean installation and load the saved user settings from the previous environment.
All Windows 8.1 editions are available in 32-bit or 64-bit versions. Both versions include the same
features, but 64-bit versions support more memory and provide better security because they require
digitally signed device drivers.
Verify that your computer and devices are compatible with Windows 8.1 and that device drivers for
all components are available.
Verify that the apps that you plan to use are compatible with Windows 8.1 and that they are
supported on that platform.
You can deploy Windows 8.1 by using different methods. You should select a deployment method
based on the existing environment and the number of computers that you must deploy. The
deployment methods you can use include the following:
Using software deployment solutions such as Microsoft System Center 2012 R2 Configuration
Manager (Configuration Manager).
Windows 8.1. This edition contains only the key operating system features. It can run apps such as the
Microsoft Office System, and it is appropriate for use in home environments, which do not require
features such as BitLocker Drive Encryption and DirectAccess. From a planning perspective, it is
important to note that you cannot join computers that are running this edition of Windows 8.1 to an
Active Directory Domain Services (AD DS) domain. Also important to note is that you can activate
this edition of Windows 8.1 only with a retail license key.
Windows 8.1 Pro. This edition includes features such as BitLocker, Client Hyper-V, Domain Join,
Group Policy, and native boot from virtual hard disk. This edition of Windows 8.1 is suitable for
small- and medium-size businesses that do not require technologies such as AppLocker, BranchCache,
DirectAccess, and Windows To Go to meet business objectives. You can use Windows 8.1 Pro with
retail license keys and with volume licensing options such as multiple activation keys (MAKs) and Key
Management Service (KMS) keys.
Windows 8.1 Enterprise. You are most likely to deploy this edition of Windows 8.1 in large business
environments. This edition includes all the features that are available in the Windows 8.1 operating
system, from being able to join an AD DS domain, to edition-specific features such as AppLocker,
BranchCache, DirectAccess, Windows To Go, and the ability to sideload Windows Store apps. You can
activate Windows 8.1 Enterprise only by using a volume license key.
The following table represents the key features that are available in each edition of Windows 8.1.

Feature                 Windows 8.1    Windows 8.1 Pro    Windows 8.1 Enterprise
Maximum RAM (32-bit)    4 GB           4 GB               4 GB
Maximum RAM (64-bit)    128 GB         512 GB             512 GB
Workplace Join          Yes            Yes                Yes
Work Folders            Yes            Yes                Yes
Remote Desktop          Client only    Client and host    Client and host
Domain Join             No             Yes                Yes
Group Policy            No             Yes                Yes
Client Hyper-V          No             Only on x64        Only on x64
AppLocker               No             No                 Yes
BranchCache             No             No                 Yes
DirectAccess            No             No                 Yes
Windows To Go           No             No                 Yes
Understanding Windows RT
The Windows RT operating system is designed to run apps built on the Windows RT platform, and it is
only available as a preinstalled operating system on tablets and similar devices with ARM processors. ARM
provides a lightweight form factor with excellent battery life specifically for mobile devices. Windows RT is
preloaded with touch-optimized versions of Microsoft Office apps and is otherwise limited to running
Windows Store apps. Devices that run Windows RT cannot be members of AD DS domains, but they can
use Workplace Join and Work Folders.
Advantages of 64-bit Windows 8.1 Versions
Each Windows 8.1 edition is available in 32-bit and 64-bit versions. The 64-bit versions of Windows 8.1
are designed to work with computers that utilize the 64-bit processor architecture. Although the 64-bit
versions are similar in features to their 32-bit counterparts, there are several advantages to using a 64-bit
version of Windows 8.1, including the following:
Improved performance. 64-bit processors can process more data for each clock cycle, and therefore,
you can scale your apps to run faster. However, to benefit from this improved processor capacity, you
must install a 64-bit edition of the operating system.
Enhanced memory. A 64-bit operating system can use random access memory (RAM) more
efficiently, and it can address memory above 4 gigabytes (GB). This is unlike all 32-bit operating
systems, including all 32-bit editions of Windows 8.1, which are limited to 4 GB of addressable
memory.
Improved device support. Although 64-bit processors have been available for some time, in the
past, it was difficult to obtain third-party drivers for commonly used devices such as printers,
scanners, and other common office equipment. Since the release of the 64-bit versions of Windows 7,
the availability of drivers for these devices has improved greatly. Because Windows 8.1 is built on the
same kernel as Windows 7, most of the drivers that work with Windows 7 also work with Windows 8
and Windows 8.1.
Improved security. The architecture of 64-bit processors enables a more secure operating system
environment through Kernel Patch Protection, mandatory kernel-mode driver signing, and Data
Execution Prevention.
Support for the Client Hyper-V feature. This feature is supported only in the 64-bit versions of
Windows 8.1. Client Hyper-V requires 64-bit processor architecture that supports Second Level
Address Translation (SLAT).
The 64-bit versions of Windows 8.1 do not support the 16-bit Windows on Windows environment. If
your organization requires older versions of 16-bit apps, they will not run natively on 64-bit versions of
Windows 8.1. One solution is to run the app within a virtual environment by using Client Hyper-V.
In most cases, a computer will run the version of Windows 8.1 that corresponds to its processor
architecture. A computer with a 32-bit processor will run the 32-bit version of Windows 8.1, and a
computer with a 64-bit processor will run the 64-bit version of Windows 8.1. You can use the following
list to determine which version of Windows 8.1 you should install on a computer:
You can install 64-bit versions of Windows 8.1 only on computers with 64-bit processor architectures.
You can install 32-bit versions of Windows 8.1 on computers with 32-bit or 64-bit processor
architectures. When you install a 32-bit version of Windows 8.1 on a 64-bit processor architecture,
the operating system does not take advantage of any 64-bit processor architecture features or
functionality.
32-bit drivers will not work on 64-bit versions of Windows 8.1. If you have hardware that is supported
by 32-bit drivers only, you must use a 32-bit version of Windows 8.1, regardless of the computer's
processor architecture.
You can install 32-bit versions of Windows 8.1 on 64-bit architecture computers to support older
16-bit versions of apps or for testing purposes.
Question: Can you use Microsoft Office 2013 on Windows RT?
user state virtualization), which means that user state is not stored locally, and you do not need to migrate
it at all. In such cases, when users sign in to a Windows 8.1 computer, their settings will be applied, and
they will have access to their documents.
The default Windows 8.1 installation image often is customized to include specific requirements for an
enterprise. For example, apps that are used on all clients, such as Microsoft Office 2013, are included in
the installation image, in addition to language packs, additional device drivers, and updates. Apps that
are used in an enterprise must be verified for compatibility with Windows 8.1, and when a customized
installation image is built, it must pass extensive testing. All these factors and the large number of clients
to which Windows 8.1 must be deployed make Windows 8.1 deployment in an enterprise environment a
lengthy project that requires extensive planning, preparation, and testing.
Question: Why do enterprises not use default Windows 8.1 DVD media to perform
installations?
16 GB of available hard disk space (32-bit) or 20 GB of available hard disk space (64-bit).
A DirectX 9 graphics device with a device driver that supports Windows Display Driver Model
(WDDM) 1.0 or newer.
In addition to these hardware requirements, Windows 8.1 includes several features that require a specific
hardware configuration before they will install or run correctly. These features are as follows:
The Windows 8.1 secure boot process requires a pre-boot environment that is based on Unified
Extensible Firmware Interface (UEFI). The secure boot process takes advantage of UEFI to prevent
starting unknown or potentially unwanted operating system boot loaders between the system's firmware
start and the Windows 8.1 operating system start. The secure boot process is not mandatory for
Windows 8.1, but it greatly increases the integrity of the boot process.
Client Hyper-V requires a 64-bit processor architecture that supports SLAT. SLAT reduces the
overhead incurred during the virtual-to-physical address mapping process performed for virtual
machines.
The BitLocker and Virtual Smart Card features require a computer that supports Trusted Platform
Module (TPM) to provide the most seamless and secure experience. TPM allows the storage of
BitLocker encryption keys and Virtual Smart Cards within a microcontroller on a computer's
motherboard.
Miracast is a Windows 8.1 feature that you can use to share your display with a Miracast-enabled
display or projector over a wireless connection. This feature requires a display adapter that supports
Miracast and uses a device driver that is designed for Windows 8.1.
To use touch and gestures as an input method, a tablet or monitor must support multitouch. If your
device does not support such input, you can still use a mouse and keyboard.
Windows Store apps require a minimum screen resolution of 1024 × 768 for the Snap feature. This
feature enables you to use Windows 8.1 apps side by side, keeping one app viewable while you use
other Windows Store apps. You cannot use Windows Store apps at a resolution lower than
1024 × 768; you will receive an error message if you start one in such a configuration.
Windows 8.1 includes support for three-dimensional (3-D) printing, but you should have a supported
3-D printer device.
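The hardware and feature prerequisites listed above can be checked on a candidate computer before you deploy. The following PowerShell readiness check is an added example for this section, not course material; it uses only built-in cmdlets and WMI classes (Confirm-SecureBootUEFI, Get-Tpm, Win32_Processor, Win32_ComputerSystem, Win32_LogicalDisk). The RAM and disk thresholds are the published Windows 8.1 minimums (1 GB / 16 GB for 32-bit, 2 GB / 20 GB for 64-bit); run it from an elevated prompt, because the Secure Boot and TPM cmdlets require administrator rights.

```powershell
# Added example (not course material): report whether a computer meets the Windows 8.1
# hardware prerequisites discussed in this lesson. Run in an elevated PowerShell session.

function Get-Win81Readiness {
    $cpu      = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $sys      = Get-CimInstance -ClassName Win32_ComputerSystem
    $sysDrive = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$($env:SystemDrive)'"

    $is64   = [Environment]::Is64BitOperatingSystem
    $ramGB  = [math]::Round($sys.TotalPhysicalMemory / 1GB, 1)
    $freeGB = [math]::Round($sysDrive.FreeSpace / 1GB, 1)

    # Secure Boot needs UEFI firmware. Confirm-SecureBootUEFI throws on legacy BIOS systems,
    # so a failure here is reported as "no UEFI" rather than as a script error.
    try   { $secureBoot = Confirm-SecureBootUEFI; $uefi = $true }
    catch { $secureBoot = $false; $uefi = $false }

    # TPM for BitLocker and Virtual Smart Cards. Get-Tpm fails when no TPM is exposed to the OS.
    try   { $tpm = Get-Tpm; $tpmPresent = [bool]$tpm.TpmPresent; $tpmReady = [bool]$tpm.TpmReady }
    catch { $tpmPresent = $false; $tpmReady = $false }

    # SLAT for Client Hyper-V; Win32_Processor exposes this property on Windows 8 and later.
    $slat = [bool]$cpu.SecondLevelAddressTranslationExtensions

    # Minimums: 1 GB RAM / 16 GB disk (32-bit), 2 GB RAM / 20 GB disk (64-bit).
    $ramMin  = if ($is64) { 2 }  else { 1 }
    $diskMin = if ($is64) { 20 } else { 16 }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        Is64Bit        = $is64
        RamGB          = $ramGB
        RamOk          = ($ramGB -ge $ramMin)
        FreeDiskGB     = $freeGB
        DiskOk         = ($freeGB -ge $diskMin)
        UefiFirmware   = $uefi
        SecureBootOn   = $secureBoot
        TpmPresent     = $tpmPresent
        TpmReady       = $tpmReady
        ClientHyperVOk = ($slat -and $is64)
    }
}

$r = Get-Win81Readiness
$r | Format-List
if (-not $r.SecureBootOn) { Write-Warning 'Secure Boot is off or unavailable; boot-loader tampering will not be blocked by firmware.' }
if (-not $r.TpmReady)     { Write-Warning 'No ready TPM; BitLocker will need a startup key or password instead of hardware-protected keys.' }
```

The two warnings at the end are the ones that matter for the security features named above: without Secure Boot the firmware will start any boot loader, and without a ready TPM BitLocker cannot seal its keys to the platform, so you fall back to protectors the user has to carry.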
Question: Do you have to create a virtual machine with at least 1 GB of memory if you want
to install Windows 8.1 Pro on that virtual machine?
A digital signature does not change driver functionality; it only confirms that the device driver was not
modified. Remember that 64-bit versions of Windows 8.1 require 64-bit drivers, and they cannot use 32-bit
drivers (and vice versa).
The Windows 8.1 setup process automatically checks the installation computer for device and driver
compatibility. However, when an organization deploys multiple installations of Windows 8.1 at once, it is
a best practice to ensure that the hardware for those computers is compatible with Windows 8.1.
Confirming hardware compatibility enables a smoother installation process.
The Windows Compatibility Center for Windows 8.1 website provides information about Windows 8.1
program and device compatibility. The website contains a catalog of programs and devices, and pertinent
compatibility information, including:
Compatibility status
The Windows Compatibility Center for Windows 8.1 website also enables community interaction, where
users can provide feedback for devices to confirm compatibility.
Windows Compatibility Center
http://go.microsoft.com/fwlink/?LinkId=266551&clcid=0x409
Question: Can you use a device driver from a 64-bit version of Windows 8 with a 32-bit
version of Windows 8.1?
UAC
User Account Control (UAC) adds security to the Windows operating system by controlling administrator-level
access to a computer and by restricting most users to run as standard users. When users attempt to
launch an app that requires administrative permissions, the system prompts them to confirm their consent
to do so.
UAC also limits the context in which a process executes to minimize the ability of users to expose their
computer to viruses or other malware inadvertently. This change affects any application installer or
update that requires administrator permissions to run, that performs unnecessary administrator checks or
actions, or that attempts to write to a non-virtualized registry location.
However, UAC might cause the following compatibility issues:
Custom installers, uninstallers, and updaters might not be detected and elevated to run as
administrator.
Standard user apps that require administrative privileges to perform their tasks might fail or might
not make this task available to standard users.
Apps that attempt to perform tasks for which the current user does not have the necessary
permissions might fail. How the failure manifests itself depends on how the app was written.
Control Panel apps that perform administrative tasks and make global changes might not function
properly and might fail.
Dynamic-link library (DLL) apps that run by using RunDLL32.exe might not function properly if they
perform global operations.
Standard user apps writing to global locations will redirect to per-user locations through
virtualization.
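Before attributing an app failure to one of the UAC issues above, it helps to know exactly how UAC is configured on the computer and what it has already redirected. The following PowerShell audit is an added example for this section, not course material: it reports the current session's elevation state, reads the standard UAC policy values from the registry, flags weakened settings, and lists what file and registry virtualization has redirected for the current user (the VirtualStore locations are where Windows places those redirected writes).

```powershell
# Added example for this section (not course material): audit UAC settings on a Windows 8.1
# computer, report whether the current session is elevated, and show what UAC virtualization
# has redirected for the current user. The registry value names are the standard UAC policy values.

function Test-IsElevated {
    # True when the current token holds the Administrators group with admin rights enabled,
    # i.e. the session has already passed a UAC prompt (or UAC is off).
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-UacSettings {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $v = Get-ItemProperty -Path $key
    # Defaults in parentheses:
    #   EnableLUA (1)                  0 turns UAC off entirely
    #   ConsentPromptBehaviorAdmin (5) 0 = elevate silently, 2 = consent on secure desktop,
    #                                  5 = consent only for non-Windows binaries
    #   ConsentPromptBehaviorUser (3)  0 = deny elevation for standard users, 3 = prompt for credentials
    #   PromptOnSecureDesktop (1)      1 = prompt on the dimmed secure desktop
    #   EnableVirtualization (1)       1 = redirect legacy writes to HKLM / Program Files per user
    [pscustomobject]@{
        UacEnabled                 = ($v.EnableLUA -eq 1)
        AdminPromptBehavior        = $v.ConsentPromptBehaviorAdmin
        StandardUserPromptBehavior = $v.ConsentPromptBehaviorUser
        SecureDesktop              = ($v.PromptOnSecureDesktop -eq 1)
        Virtualization             = ($v.EnableVirtualization -eq 1)
    }
}

function Get-UacFindings {
    $s = Get-UacSettings
    $findings = @()
    if (-not $s.UacEnabled)                  { $findings += 'UAC is disabled (EnableLUA=0): administrators run every process fully elevated.' }
    if ($s.AdminPromptBehavior -eq 0)        { $findings += 'Administrators elevate silently (ConsentPromptBehaviorAdmin=0).' }
    if ($s.StandardUserPromptBehavior -eq 0) { $findings += 'Standard users are denied elevation outright; apps that need admin rights simply fail for them.' }
    if (-not $s.SecureDesktop)               { $findings += 'Elevation prompts are not isolated on the secure desktop (PromptOnSecureDesktop=0).' }
    if (-not $s.Virtualization)              { $findings += 'Virtualization is off: legacy apps writing to global locations get Access Denied instead of a per-user redirect.' }
    if ($findings.Count -eq 0)               { $findings += 'UAC configuration matches the Windows 8.1 defaults.' }
    return $findings
}

function Get-VirtualizedWrites {
    # Where UAC puts writes that standard-user apps attempted against global locations.
    $files = @(Get-ChildItem -Path "$env:LOCALAPPDATA\VirtualStore" -Recurse -File -ErrorAction SilentlyContinue)
    $keys  = @(Get-ChildItem -Path 'HKCU:\Software\Classes\VirtualStore' -Recurse -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        RedirectedFiles        = $files.Count
        RedirectedRegistryKeys = $keys.Count
        SampleFiles            = @($files | Select-Object -First 5 -ExpandProperty FullName)
    }
}

"Current session elevated: $(Test-IsElevated)"
Get-UacSettings | Format-List
Get-UacFindings
Get-VirtualizedWrites | Format-List
```

A non-empty VirtualStore is the concrete sign of the last bullet above: an app tried to write to Program Files or HKLM as a standard user and UAC redirected it. That redirection keeps the app working, but it also means two users of the same computer can end up with different copies of what the app thinks is a shared configuration file.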
WRP
Windows Resource Protection (WRP) protects Windows resources such as files, folders, and registry keys in
a read-only state. This affects specific files, folders, and registry keys only. WRP limits updates to protected
resources to the trusted operating system installers, such as Windows Servicing. This enables better
protection for components and apps that ship with the operating system from the impact of other apps
and administrators. However, WRP might cause the following compatibility issues:
Application installers that attempt to replace, modify, or delete operating system files or registry
keys that WRP protects might fail with an error message that indicates that the resource cannot be
updated. This is because access to these resources is denied.
Applications that attempt to write new registry keys or values to protected registry keys might fail
with an error message that indicates that the change failed because access was denied.
Applications that rely on being able to modify protected files, folders, registry keys, or values might
fail, because WRP denies the write even when the application runs as an administrator.
64-Bit Architecture
All Windows 8.1 editions are available as 32-bit and 64-bit versions. The 64-bit version of Windows 8.1
can run 32-bit apps with the help of the Windows 32-bit on Windows 64-bit (WOW64) subsystem, but 16-bit
code and 32-bit kernel drivers have no equivalent. Considerations for the 64-bit Windows 8.1 include:
Apps or components that use 16-bit executable files, 16-bit installers, or 32-bit kernel drivers will fail
to start or will function improperly on a 64-bit version of Windows 8.1.
Installation of 32-bit kernel drivers will fail on the 64-bit system. If an installer manually adds a driver
by editing the registry, the system will not load this driver, and this can cause a system failure.
Installation of 64-bit unsigned drivers will fail on the 64-bit system. If an installer manually adds a
driver by editing the registry, the system will not load the driver during load time if it is not signed.
WFP
Windows Filtering Platform (WFP) is an application programming interface (API) that enables developers
to create code that interacts with the filtering that occurs at several layers in the networking stack and
throughout the operating system. If you are using a previous version of this API in your environment, you
might experience failures when running security-class apps, such as network scanning, antivirus programs,
or firewall apps.
Operating System Version
The operating system version number changes with each operating system release. For Windows 7, the
internal version number is 6.1; for Windows 8, the internal version is 6.2; for Windows 8.1, the internal
version is 6.3. The GetVersion function returns this value when an app queries it. This change affects
any app or application installer that checks for a specific operating system version, and it might prevent
the installation from occurring or the app from running. Note that Windows 8.1 deprecates GetVersion
and GetVersionEx: an app whose application manifest does not declare Windows 8.1 compatibility is told
that it is running on version 6.2, so a version check that worked on Windows 8 can give a wrong answer
on Windows 8.1 even though the app appears to run.
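The following script is an added example and is not part of the course material. It contrasts the version that the operating system reports to the calling process (GetVersionEx, used by [Environment]::OSVersion) with a version source that does not depend on the caller's manifest, the file version of kernel32.dll, and shows a compatibility gate written as "at least" rather than "equals". The choice of kernel32.dll and the CurrentVersion registry key as comparison sources is the example's own.

```powershell
# Added example (not from the course): how version checks go wrong, and a robust alternative.

function Get-ReportedWindowsVersion {
    # Backed by GetVersionEx: on Windows 8.1 an unmanifested process is told 6.2 (Windows 8)
    [Environment]::OSVersion.Version
}

function Get-ActualWindowsVersion {
    # The file version of kernel32.dll follows the installed OS regardless of the caller's manifest
    $info = (Get-Item "$env:SystemRoot\System32\kernel32.dll").VersionInfo
    New-Object System.Version -ArgumentList $info.FileMajorPart, $info.FileMinorPart, $info.FileBuildPart
}

function Test-WindowsAtLeast {
    param([Parameter(Mandatory)][Version]$Minimum)
    # Correct shape for a compatibility gate: every later release still passes
    (Get-ActualWindowsVersion) -ge $Minimum
}

function Test-BrittleVersionCheck {
    # What a legacy installer does (do not copy): equality against one version string.
    # False on Windows 8.1 and on every later release, so the product "stops working" each upgrade.
    (Get-ReportedWindowsVersion).ToString(2) -eq '6.1'
}

$reported = Get-ReportedWindowsVersion
$actual   = Get-ActualWindowsVersion
$registry = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
"GetVersionEx tells this process : $reported"
"kernel32.dll file version        : $actual"
"Registry CurrentVersion / Build  : $($registry.CurrentVersion) / $($registry.CurrentBuild)"
if ($reported.Major -ne $actual.Major -or $reported.Minor -ne $actual.Minor) {
    Write-Warning 'This process lacks a compatibility manifest for the running OS; version-gated code in it will misbehave.'
}
"Brittle 'Windows 7 only' check passes : $(Test-BrittleVersionCheck)"
"Requires at least Windows 8.1 (6.3)   : $(Test-WindowsAtLeast -Minimum ([Version]'6.3'))"
```

The registry value is printed for comparison only: on Windows 10 and later the CurrentVersion string stays at 6.3 for compatibility, so the kernel32.dll file version (or the CurrentBuild value) is the one to trust when a script must know what it is really running on.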
Kernel-Mode Drivers
Kernel-mode drivers must support the Windows 8.1 operating system or be redesigned to follow the
User-Mode Driver Framework (UMDF). UMDF is a driver development framework in which the driver runs as
a user-mode process rather than inside the kernel, so a faulty driver cannot crash the system or corrupt
kernel memory.
Deprecated Components
Windows 8.1 does not include several deprecated APIs and DLLs that were available in the legacy
Windows XP and Windows Vista operating systems. Windows 8.1 also uses the credential provider
framework and service isolation, which were not available in Windows XP. Apps that use deprecated APIs,
DLLs, old credential providers, or do not support service isolation will have compatibility issues in
Windows 8.1. Some of these apps will have reduced functionality, and some might fail to start.
Application Compatibility
http://go.microsoft.com/fwlink/?LinkID=378172&clcid=0x409
Question: Can you run a program that was developed for Windows XP on Windows 8.1?
Test your web applications and websites for compatibility with new releases and security updates to
Internet Explorer.
Mitigating an application compatibility issue typically depends on various factors, such as the type of
application and the current support for an application.
Mitigation Methods
Some of the more common mitigation methods include the following:
Applying updates or service packs to an application. Updates or service packs might be available to
address many compatibility issues, and they help an application to run on a new operating system
environment. After applying an update or service pack, additional application tests can ensure that
compatibility issues have been mitigated.
Running an application in a virtualized environment. If all other methods are unavailable, you might
be able to run an application in an older version of the Windows operating system by using
virtualization tools such as Client Hyper-V.
Using application compatibility features. You can mitigate application issues, such as operating
system versioning, by running an application in compatibility mode. To enable this mode, right-click
the shortcut or .exe file, click Properties, and then select the compatibility mode for an earlier
Windows version on the Compatibility tab.
Selecting another application that performs the same business function. If another compatible
application is available, consider switching to it. When using this approach, you must consider both
the cost of the application and the cost of employee support and training.
Windows Assessment and Deployment Kit (Windows ADK) for Windows 8.1
http://go.microsoft.com/fwlink/?LinkId=378203&clcid=0x409
Application Compatibility Toolkit (ACT) Technical Reference
http://go.microsoft.com/fwlink/?LinkId=378204&clcid=0x409
Lesson 2
Although you can perform a Windows 8.1 installation by using a number of different methods, the
image-based nature of the installation process and the desired result, a properly functioning
Windows 8.1 computer, remain consistent, regardless of the method. Determining which method to use
and how to best implement that method are important parts of the planning process for a Windows 8.1
installation. This lesson will help you analyze the reasons behind using certain methods, and it will help
you understand how you can implement those methods. Also, this lesson will introduce you to Windows
To Go and native boot virtual hard disk methods.
Lesson Objectives
After completing this lesson, you will be able to:
DVD
Network share
USB drive
Upgrade installation. Perform an upgrade, which also is known as an in-place upgrade, when you
want to replace an existing version of Windows with Windows 8.1, and you need to retain all user
applications, files, and settings. To perform an in-place upgrade to Windows 8.1, run the Windows 8.1
Setup.exe installation program, and then click Upgrade. You can run Setup.exe from the product
DVD or from a network share. During an in-place upgrade, the Windows 8.1 installation program
automatically retains all user settings, data, hardware device settings, apps, and other configuration
information. Always back up all of your important data before performing an upgrade.
Migration. You perform a migration when you have a computer that is already running Windows 7,
and you need to move files and settings from your old operating system (the source computer) to the
Windows 8.1 computer (the destination computer). Perform a migration by doing the following:
There are two migration scenarios: side-by-side, and wipe-and-load, which also is called refresh. In
side-by-side migration, the source computer and the destination computer are two different computers. In
wipe-and-load migration, the target computer and the source computer are the same. To perform
wipe-and-load migration, you perform a clean installation of Windows 8.1 on a computer that already has an
operating system by running the Windows 8.1 installation program, and then clicking Custom (advanced).
You can perform an automated installation when you use any of the above installation methods in
combination with an automation tool, such as MDT, to make the installation more seamless or to remove
repetitive tasks from the installation process. Automated installations can take many forms, including
pushing premade images to computers by using an enterprise-level tool, such as MDT, Windows DS, and
Windows Assessment and Deployment Kit (ADK), or even by creating an answer file manually to provide
information directly to the installation process.
Question: What is the main difference between a clean installation of Windows 8.1 and
migration to Windows 8.1?
Clean installation
Benefits
Drawbacks
Can be automated
Difficult to automate
Only supported in certain scenarios
You can perform a clean deployment of the Windows 8.1 operating system by using the following
methods:
Install from DVD. To use this method, the computer you are installing on must have a connected
optical drive. You can use the installation media provided with a retail copy of the operating system
or a copy of the installation media that is obtained from Microsoft Volume Licensing Services and
then written to optical media. You can use a customized image with optical media, but the size of the
image is constrained by the maximum amount of data that can be stored on a DVD. This installation
method is slower than installing from a USB device.
Install from USB. Retail versions of Windows 8.1 are available in this form. The drawback of this
method is that one USB device can only install the operating system on one computer at a time.
You can use customized images for this installation method. Installation from a USB device is quicker
than an installation from a DVD, but it requires you to modify BIOS or UEFI settings on the target
computer to allow boot from USB. You can perform an unattended installation if an unattended
installation file is located on the USB device.
Install from Windows DS. To use this method, you must deploy Windows DS and Dynamic Host
Configuration Protocol on Windows-based servers on the LAN. Another requirement is that target
computers must have a Pre-Boot Execution Environment (PXE) network card, or you must configure
a boot device to allow network communication. You can use this installation method with an
unattended installation file that is configured on a Windows DS server, with multiple operating
system images, and to deploy Windows 8.1 to multiple computers at once by using multicast.
Perform an image-based installation. You can use the Windows Preinstallation Environment (PE) to
start a computer and then use Deployment Image Servicing and Management (DISM) to apply the
Windows 8.1 image. You also can use deployment solutions such as MDT and Configuration Manager
to deploy Windows 8.1 and apps automatically across networks. By using MDT and Configuration
Manager, you can configure lite-touch installation (LTI) and ZTI. During the deployment, LTI requires
minimal user interaction, whereas ZTI requires no user interaction.
Install from a shared network folder. This method involves starting the computer by using
Windows PE and connecting to a copy of the installation files stored on a shared network folder. This
method is no longer commonly used because other methods are more efficient, such as installation
from USB devices, Windows DS, MDT, or Configuration Manager.
The method that you use to perform a clean installation depends on your organization's business
requirements. An organization that performs a small number of Windows 8.1 deployments that do not
require substantial customization should use the DVD or USB installation methods. An organization that
performs a large number of Windows 8.1 deployments should consider using MDT or Configuration
Manager.
Question: What happens with user settings, data, and installed apps if you perform a clean
installation of Windows 8.1 on a computer that has Windows 7 installed?
Are upgrading from a recent version of the Windows operating system that has compatible
applications.
In any potential upgrade scenario, there might be certain variables that favor an upgrade. However, there
also are disadvantages.
Advantages
Disadvantages
When you run an upgrade, Windows Setup automatically detects existing operating systems and their
potential for upgrade. Depending on the version of the operating system, you might see the following
options for retaining data from the previous version of the Windows operating system:
Windows settings. Windows settings such as your desktop background or Internet favorites and
history will be kept. Windows Setup does not move all settings.
Personal files. Anything that you save in the User folder is considered a personal file, such as the
Documents and Desktop folders.
Desktop apps. Some apps are compatible with Windows 8.1, and they will operate properly when
you install Windows 8.1. However, you may have to install some desktop apps after a Windows 8.1
installation finishes, so be sure to find the installation discs and installers for desktop apps that you
want to keep.
Nothing. Deletes everything and replaces your current version with a copy of Windows 8.1. Your
personal files will be moved to a Windows.old folder.
Upgrade Considerations
The following considerations might be critical in determining whether you choose to upgrade:
Amount of interaction. An upgrade does not require significant user interaction. You can use an
answer file to minimize user interaction and effort further when performing an upgrade.
State of user data. An upgrade does not require reinstallation of apps or any of the user settings, data,
hardware device settings, or other configuration information. However, you might have to reinstall
some apps after you perform an upgrade.
Note: You can perform an upgrade only if you run Setup.exe from the existing Windows
installation. You cannot perform an upgrade if you start a computer from Windows installation
media.
Question: Can you upgrade Windows 7 Pro to Windows 8.1 Pro if you start a computer from
Windows 8.1 DVD installation media?
The following table lists operating systems and upgrade path restrictions for upgrading to Windows 8.1.
Upgrading to
Windows 8.1
Keep Windows
settings, personal files,
and apps
Windows XP SP3
Yes
Yes
Windows 7
Yes
Yes
Windows 8
Yes
Yes
Windows 8.1
Yes
Yes
Note: You cannot preserve Windows settings and apps if you perform a cross-language
installation of Windows 8.1.
Windows 8.1
Enterprise
Ultimate
Yes
Professional
Yes
Home Premium
Yes
Yes
Home Basic
Yes
Yes
Starter
Yes
Yes
Yes
Even though an upgrade path is supported, it does not necessarily mean that you should perform an
upgrade installation by following that path. You should evaluate considerations for both upgrades and
migrations.
Windows 8 and Windows 8.1 Upgrade Paths
http://go.microsoft.com/fwlink/?LinkId=378205&clcid=0x409
Question: Can you upgrade the 32-bit version of Windows 8 Pro to the 64-bit version of
Windows 8.1 Pro?
In any potential upgrade scenario, there might be certain variables that favor a migration. However, there
also are disadvantages.
Advantages
Disadvantages
4. Reinstall applications.
Migration Scenarios
When planning a migration, you have to determine how you will move existing data to the newly
deployed operating system. The method that you use depends on the tools and resources that you have.
In enterprise environments, you can use Configuration Manager to automate the migration process.
Migration strategies also depend on whether users will be moving to new computers, or whether they will
use existing computers with a new operating system. You can perform the following types of migration:
Side-by-side migration. In a side-by-side migration, data and settings are moved from the original
operating system on one computer to the destination operating system on another computer. In
most automated side-by-side migrations, migration data is transmitted across a network. You also can
transfer migration data by using removable storage devices, although this is only practical when the
migration is performed manually.
Operating system refresh. This migration type is similar to a wipe-and-load migration. However, in
this type of migration, the source and destination operating systems are the same. You might perform
this type of migration when upgrading to a new operating system service pack, or if the original
operating system deployment suffers some type of corruption that makes a refresh operation more
practical than a manual attempt to resolve the fault.
Want a standardized environment for all users who are running a Windows operating system. A
migration takes advantage of a clean installation. A clean installation ensures that all of your systems
begin with the same configuration and that all applications, files, and settings are reset. With a
migration, you also can ensure that you retain user settings and data.
Have storage space to store the user state. Typically, you will need storage space to store the user
state when performing migration. USMT introduces hard-link migration, in which case you do not
need extra storage space. This is only applicable to wipe-and-load migrations.
Plan to keep existing computer hardware. If you do not plan to replace existing computers, you still
can perform a migration by performing a wipe-and-load migration.
Windows 8.1 also includes built-in functions that allow a refresh of the operating system. These are called
Reset your PC and Refresh your PC. PC refresh keeps all personal data and Windows Store apps, but you
must reinstall other software. PC reset returns an operating system to its original state, removing any
installed applications, settings, and user data. PC refresh and PC reset must be performed locally. If you
wanted to perform an operating system refresh across multiple computers, you would automate the task
with Configuration Manager.
Question: You have a user who wants to upgrade a Windows XP computer to Windows 8.1.
The computer meets all of the hardware requirements for Windows 8.1. The user wants to
retain all of the existing user settings and applications. The user has no time-related
requirements and can be without the computer while you install Windows 8.1. How should
you perform the Windows 8.1 installation?
Windows To Go Restrictions
Windows To Go functions in a way that is very similar to a traditional Windows 8.1 desktop deployment.
But because Windows To Go runs from a USB storage device, which has less storage and can be removed
while the computer is running, it has several restrictions when compared with a traditional Windows 8.1
desktop deployment:
By default, sleep and hibernation are disabled in Windows To Go. Though it is possible to enable this
functionality by configuring Group Policy, this can lead to data corruption.
Fixed internal disks on the host computer are offline. This is a security measure to ensure that third
parties do not gain access to files on the host computer's file system, and that locally stored files are
not unintentionally modified when starting computers by using Windows To Go. If you need to, you
can use Disk Management to put locally attached disks online.
BitLocker uses a startup password rather than the TPM, because the TPM belongs to the host computer
and the Windows To Go device will be used across multiple computers.
Windows Recovery Environment (RE) and push-button reset are disabled because Windows To Go
does not include a recovery image.
A USB storage device prepared with an x86 version of Windows To Go can be used with a computer
with an x86 or an x64 processor.
A computer prepared with an x64 version of Windows To Go only can be used with a computer that
has an x64-compatible processor.
The USB storage device with the Windows To Go deployment can be removed from the computer for
up to 60 seconds. If the USB device is not reconnected in that time, the computer will restart.
Windows To Go Requirements
Windows To Go only works with specific USB storage devices that are certified by Microsoft. One of the
requirements for Windows To Go is that the operating system recognizes the USB device as a fixed disk.
You create Windows To Go devices by using the Windows To Go Wizard. This wizard is only available on
computers that are running the Enterprise edition of Windows 8.1. You can start a computer from a
Windows To Go device if it is connected to a USB 2.0 or USB 3.0 port.
Windows To Go and traditional deployments differ in several ways, and both methods have their benefits
and drawbacks. Some of the key differences are as follows:
To use Windows To Go, you must configure a computer to boot from a USB device. Enabling boot
from USB poses a security risk because it allows anyone with physical access to start their own
operating system and read a computer's volumes if technologies such as BitLocker are not in use.
Organizations should be wary of allowing non-administrative users to boot from USB devices.
In a traditional deployment, BitLocker can bind the volume key to the TPM, which releases the key only
if the measured boot components are unchanged. Windows To Go cannot use the host's TPM and only
allows BitLocker to use a passphrase, so nothing verifies the boot environment before the user types the
passphrase; the Windows To Go boot environment might therefore be modified by malicious software.
On Windows To Go, the Windows Store is disabled by default. You can change this by editing the
Allow Store to install apps on the Windows To Go workspaces policy setting, located in the
Computer Configuration\Administrative Templates\Windows Components\Store node of the Group
Policy Management Editor window. Windows Store is enabled by default on a traditionally deployed
Windows 8.1 computer.
Sleep and hibernation are disabled by default in Windows To Go and enabled on traditionally
deployed Windows 8.1 systems. If a user accidentally leaves his or her Windows To Go device in a
running computer, the computer will not shut down.
In a traditional installation, data is stored locally on hard disks. In Windows To Go, data is stored on a
USB device. USB devices are more likely to fail, which means that local data is more likely to be lost.
Users also are more likely to misplace a USB device than a portable computer.
Windows To Go allows users to take their apps and data with them. As long as they have compatible
hardware, they can access their apps and data.
Windows To Go assists Information Technology (IT) departments that want to allow users to use their
own devices, but also want to ensure that only securely managed operating systems can interact with
sensitive services on a network.
Note: A computer must be compatible with Windows 8.1 if you want to use it with
Windows To Go.
Windows To Go: Feature Overview
http://go.microsoft.com/fwlink/?LinkId=378206&clcid=0x409
Question: When would you use Windows To Go in your company?
Configuring a virtual hard disk with native boot includes creating and preparing the virtual hard disk,
installing or applying a Windows image, adding the virtual hard disk native boot option to the startup
menu, and restarting the computer. You can create a virtual hard disk by using Disk Management or
Diskpart.exe. Deploy Windows images by using Dism.exe, and add the boot option by using Bcdboot.exe.
Some of the main points to consider when planning for virtual hard disk with native boot are volume size,
deployment options, and operating systems that can be used for native boot.
Volume size
You must configure a virtual hard disk to have a smaller maximum size than the volume that hosts
the virtual hard disk. For example, if you have a 200-GB volume and a virtual hard disk that represents
a 500-GB volume, the computer will be unable to boot, even if the virtual hard disk only consumes
100 GB of the possible 500 GB. Multiple virtual hard disk files can reside on the same volume, although
it is necessary to keep volume size restrictions in mind when placing more than one virtual hard disk on
a volume. For example, you can create a 15-GB virtual hard disk, create a simple volume, and format it by
running the following commands:
diskpart
rem type=fixed allocates the full 15000 MB (15 GB) up front; keep the maximum smaller than the host volume
create vdisk file=C:\windows81.vhdx maximum=15000 type=fixed
select vdisk file=C:\windows81.vhdx
attach vdisk
rem Partition and format the attached virtual disk so that an image can be applied to F:
create partition primary
assign letter=F
format quick fs=ntfs
exit
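The following Windows PowerShell function is an added example and is not part of the course material. It is a pre-flight check for native boot: it confirms that the virtual hard disk's maximum size is smaller than the volume that hosts it, the failure mode described above, in which an oversized virtual hard disk makes the computer unbootable even when mostly empty. Get-VHD (from the Hyper-V module) is used when it is installed; the fallback to the file length is exact only for type=fixed disks, which is the example's assumption, and the NTFS check reflects the example's expectation that native-boot virtual hard disks live on NTFS volumes.

```powershell
# Added example (not from the course): verify a VHD/VHDX fits its host volume before
# applying an image and adding the native boot entry.

function Get-VhdMaximumSize {
    param([Parameter(Mandatory)][string]$Path)
    if (Get-Command -Name Get-VHD -ErrorAction SilentlyContinue) {
        # Virtual disk capacity as recorded in the VHD metadata; correct for fixed and dynamic disks
        return (Get-VHD -Path $Path).Size
    }
    Write-Warning 'Get-VHD not available; using the file length, which is exact only for type=fixed disks.'
    (Get-Item -Path $Path).Length
}

function Test-NativeBootVhd {
    param([Parameter(Mandatory)][string]$VhdPath)
    $vhd     = Get-Item -Path $VhdPath
    $letter  = $vhd.FullName.Substring(0, 1)
    $volume  = Get-Volume -DriveLetter $letter
    $maxSize = Get-VhdMaximumSize -Path $vhd.FullName

    $result = [pscustomobject]@{
        Vhd            = $vhd.FullName
        VhdMaximumGB   = [math]::Round($maxSize / 1GB, 1)
        HostVolumeGB   = [math]::Round($volume.Size / 1GB, 1)
        HostFreeGB     = [math]::Round($volume.SizeRemaining / 1GB, 1)
        FitsHostVolume = ($maxSize -lt $volume.Size)          # the rule from the text above
        HostIsNtfs     = ($volume.FileSystem -eq 'NTFS')
    }
    if (-not $result.FitsHostVolume) {
        Write-Warning "VHD maximum ($($result.VhdMaximumGB) GB) is not smaller than host volume $letter`: ($($result.HostVolumeGB) GB): native boot will fail."
    }
    if (-not $result.HostIsNtfs) {
        Write-Warning "Host volume $letter`: is $($volume.FileSystem); place native-boot VHDs on NTFS (FAT32 cannot even hold a file over 4 GB)."
    }
    $result
}

# Check the disk created by the diskpart script above
Test-NativeBootVhd -VhdPath 'C:\windows81.vhdx'
```

Run the check after creating the virtual hard disk and before the Dism /Apply-Image and bcdboot steps; a FitsHostVolume value of False means the boot entry would be added but the computer would not start from it.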
Deployment options
You can deploy a virtual hard disk to a new computer in a preconfigured state, with apps already
installed and operating system settings already configured. You can copy a prepared virtual hard disk file
to a new computer and then configure the computer to boot from that virtual hard disk. You also can
configure Windows DS to deploy virtual hard disks as operating system images, just as you can configure
Windows DS to deploy operating system images in .wim file format. You can apply the first image from
the Install.wim file by running the following command:
Dism /Apply-Image /ImageFile:Install.wim /Index:1 /ApplyDir:F:\
Operating system
Computers that run Windows 8.1 Pro and Enterprise editions can use native boot from virtual hard disk.
After an image is applied to a virtual hard disk, you can add the native boot from virtual hard disk option
by running the following commands:
cd F:\Windows\System32
bcdboot F:\Windows
After you run these commands, the option for native boot is added to the startup menu, and you can
select it after you restart the computer.
Deploy Windows on a Virtual Hard Disk with Native Boot
http://go.microsoft.com/fwlink/?LinkId=378207&clcid=0x409
Question: Do you need to enable the Client Hyper-V feature if you want to use native boot
from a virtual hard disk that contains Windows 8.1 Pro?
A. Datum Corporation is considering the use of Windows 8.1 as its client operating system. You have been
provided with a testing environment and asked to install Windows 8.1 to evaluate the new environment.
For the initial installation on a single computer, you will use default Windows 8.1 DVD media.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 30 minutes
Virtual machine: 20687D-LON-REF1
User name: Adatum\Administrator
Password: Pa$$w0rd
Only LON-REF1 is used for this lab. You do not need to sign in to any virtual machine to perform this lab.
Holly Dickson
Date: Dec. 2, 2013
Requirements Overview
A. Datum Corporation wants to create a test environment for a new app that was developed internally.
Ideally, we would like to be able to test the app on several different operating systems, but we have
been provided with only one system. We have been told that Windows 8.1 supports the same
virtualization as the servers in our production environment with Hyper-V, so maybe we could do it that
way? We also need to be able to create Windows To Go USB flash drive media.
The computer that we have been given has a quad-core, 2-GHz processor and 4 GB of RAM. The
processor supports Intel VT. It also has a 320-GB hard drive and a 512-megabyte (MB) graphics
processing unit (GPU).
The computer should be prepared for the Development team as soon as possible.
The main tasks for this exercise are as follows:
1. Determine whether the customer's computers meet the minimum requirements for Windows 8.1.
Does the customer's computer meet the minimum system requirements for Windows 8.1 in the
following areas:
a. Processor
b. RAM
c. Hard-disk space
d. GPU
Does the customer's computer meet the requirements for the following features:
Client Hyper-V
Given the hardware that you are using and the features that you require, which edition and version of
Windows 8.1 should you install on LON-REF1?
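The following Windows PowerShell function is an added example and is not part of the lab; it automates the requirements check that the exercise asks you to perform by hand. It queries the standard Win32_Processor, Win32_OperatingSystem, Win32_ComputerSystem and Win32_LogicalDisk CIM classes and evaluates them against the Windows 8.1 minimum requirements and the additional Client Hyper-V prerequisites (64-bit Windows, a processor with Second Level Address Translation, virtualization enabled in firmware, and 4 GB of RAM). The thresholds are the example's reading of the published requirements.

```powershell
# Added example (not from the course): Windows 8.1 and Client Hyper-V readiness report for the local computer.

function Test-Windows81Readiness {
    $cpu  = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $os   = Get-CimInstance -ClassName Win32_OperatingSystem
    $sys  = Get-CimInstance -ClassName Win32_ComputerSystem
    $disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$($os.SystemDrive)'"

    $is64   = $os.OSArchitecture -like '64*'
    $ramGB  = [math]::Round($sys.TotalPhysicalMemory / 1GB, 1)
    $freeGB = [math]::Round($disk.FreeSpace / 1GB, 1)
    $minRamGB  = if ($is64) { 2 }  else { 1 }    # Windows 8.1 minimum: 1 GB on x86, 2 GB on x64
    $minDiskGB = if ($is64) { 20 } else { 16 }   # 16 GB on x86, 20 GB on x64

    $checks = [ordered]@{
        'Windows 8.1: processor 1 GHz or faster'      = ($cpu.MaxClockSpeed -ge 1000)
        "Windows 8.1: RAM at least $minRamGB GB"      = ($ramGB -ge $minRamGB)
        "Windows 8.1: free disk at least $minDiskGB GB" = ($freeGB -ge $minDiskGB)
        'Windows 8.1: DEP (NX/XD) available'          = [bool]$os.DataExecutionPrevention_Available
        'Client Hyper-V: 64-bit Windows'              = $is64
        'Client Hyper-V: SLAT-capable processor'      = [bool]$cpu.SecondLevelAddressTranslationExtensions
        'Client Hyper-V: VT-x/AMD-V enabled in firmware' = [bool]$cpu.VirtualizationFirmwareEnabled
        'Client Hyper-V: RAM at least 4 GB'           = ($ramGB -ge 4)
    }
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Pass = [bool]$checks[$name] }
    }
}

$report = Test-Windows81Readiness
$report | Format-Table -AutoSize
$failed = @($report | Where-Object { -not $_.Pass })
if ($failed.Count -eq 0) {
    'All checks passed: the computer can run 64-bit Windows 8.1 with Client Hyper-V.'
} else {
    "Not ready: $($failed.Check -join '; ')"
}
```

VirtualizationFirmwareEnabled reads False when another hypervisor is already running on the computer, so a failing "enabled in firmware" check on a machine that is itself a virtual machine, such as LON-REF1, indicates nested virtualization rather than a BIOS setting to change.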
Results: After completing this exercise, you should have evaluated the installation environment and then
selected the appropriate Windows operating system edition to install.
You have confirmed that LON-REF1 meets the installation requirements for Windows 8.1. Your next step is
to install the Windows 8.1 operating system on LON-REF1 and to confirm the success of the installation.
The main tasks for this exercise are as follows:
1. Open the Hyper-V Manager console on the host computer, and then open the Settings page for
20687D-LON-REF1.
2. On the Settings page, click DVD Drive, and then attach the image file located at D:\Program Files
\Microsoft Learning\20687\Drives\Win81Ent_EVAL.iso.
Start the 20687D-LON-REF1 virtual machine. When the Windows Setup screen appears, select the
appropriate regional settings, and then click Next.
Location: Drive 0
PC name: LON-REF1
Password: Pa$$w0rd
Confirm that the Windows 8.1 Start screen appears. Open System Properties, and verify that:
Sign out.
Results: After completing this exercise, you should have performed a clean installation of Windows 8.1.
2. In the Virtual Machines list, right-click 20687D-LON-REF1, and then click Revert.
Lesson 3
The Windows 8.1 installation process is designed to be as fast and efficient as possible. However, installing
Windows 8.1 on multiple computers can be a time-consuming process if you do it manually on each
computer.
To expedite Windows 8.1 installation on multiple computers, or to standardize the Windows 8.1
installation process, Windows 8.1 deployment can be customized and automated. This lesson will
introduce you to the various tools and technologies that you can use to manage and automate
installation of Windows 8.1.
Lesson Objectives
After completing this lesson, you will be able to:
Explain how to prepare a reference installation by using the System Preparation Tool (Sysprep).
Header. Defines the Windows image file content, such as the memory location of key resources
(metadata resource, lookup table, and XML data), and Windows image file attributes (version, size,
and compression type).
File Resource. A series of packages that contain captured data, such as source files.
Metadata Resource. Stores information on how captured data is organized in the Windows image file,
including directory structure and file attributes. There is one metadata resource for each image in a
Windows image file.
Lookup Table. Contains the memory location of resource files in the Windows image file.
XML Data. Contains additional miscellaneous data about the Windows image, such as directory and
file counts, total bytes, creation and modification times, and description information.
Integrity Table. Contains security hash information that is used to verify the integrity of the image
during an apply operation. This table is created only when you capture with integrity checking enabled
(the ImageX /check switch or the DISM /CheckIntegrity option); an image captured without it cannot be
verified later.
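The following Windows PowerShell script is an added example and is not part of the course material. It reads the fixed 208-byte header that begins every .wim file, decodes the resource entries that point at the lookup table, the XML data, the boot metadata and the integrity table, and then parses the XML data resource, which is stored uncompressed as UTF-16 text. The field layout follows the published WIM file format used by WIMGAPI. The sample .wim bytes at the end are constructed inside the script so that it runs without a real image; Get-WimBytes reads the same structures from a real install.wim.

```powershell
# Added example (not from the course): WIM header and XML data reader.

function Get-WimBytes {
    param([Parameter(Mandatory)][string]$Path, [int64]$Offset = 0, [int]$Count = 208)
    $fs = [IO.File]::OpenRead($Path)
    try {
        $null = $fs.Seek($Offset, [IO.SeekOrigin]::Begin)
        $buf  = New-Object byte[] $Count
        $null = $fs.Read($buf, 0, $Count)
        $buf
    } finally { $fs.Dispose() }
}

function Read-WimResourceEntry {
    # RESHDR_DISK_SHORT: 7-byte stored size, 1-byte flags, 8-byte file offset, 8-byte original size
    param([byte[]]$Bytes, [int]$At)
    $size = New-Object byte[] 8
    [Array]::Copy($Bytes, $At, $size, 0, 7)
    [pscustomobject]@{
        Size         = [BitConverter]::ToUInt64($size, 0)
        Flags        = $Bytes[$At + 7]                        # 0x2 = metadata resource, 0x4 = compressed
        FileOffset   = [BitConverter]::ToInt64($Bytes, $At + 8)
        OriginalSize = [BitConverter]::ToInt64($Bytes, $At + 16)
    }
}

function Read-WimHeader {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    if ($Bytes.Length -lt 208 -or [Text.Encoding]::ASCII.GetString($Bytes, 0, 5) -ne 'MSWIM') {
        throw 'Not a WIM file: missing MSWIM magic or header shorter than 208 bytes'
    }
    $flags = [BitConverter]::ToUInt32($Bytes, 16)
    $compression = 'none'
    if ($flags -band 0x20000) { $compression = 'XPRESS' }
    if ($flags -band 0x40000) { $compression = 'LZX' }
    if ($flags -band 0x80000) { $compression = 'LZMS' }
    $guid = New-Object byte[] 16
    [Array]::Copy($Bytes, 24, $guid, 0, 16)
    [pscustomobject]@{
        HeaderSize   = [BitConverter]::ToUInt32($Bytes, 8)
        Version      = '0x{0:X8}' -f [BitConverter]::ToUInt32($Bytes, 12)
        Compression  = $compression
        ChunkSize    = [BitConverter]::ToUInt32($Bytes, 20)
        Guid         = New-Object Guid -ArgumentList (,$guid)
        PartNumber   = [BitConverter]::ToUInt16($Bytes, 40)
        TotalParts   = [BitConverter]::ToUInt16($Bytes, 42)
        ImageCount   = [BitConverter]::ToUInt32($Bytes, 44)
        LookupTable  = Read-WimResourceEntry $Bytes 48     # the "offset table" of file resources
        XmlData      = Read-WimResourceEntry $Bytes 72
        BootMetadata = Read-WimResourceEntry $Bytes 96
        BootIndex    = [BitConverter]::ToUInt32($Bytes, 120)
        Integrity    = Read-WimResourceEntry $Bytes 124    # Size 0 means captured without /check or /CheckIntegrity
    }
}

function Read-WimXmlData {
    # The XML resource is stored uncompressed as UTF-16LE text with a byte-order mark
    param([Parameter(Mandatory)][byte[]]$Bytes)
    [xml]([Text.Encoding]::Unicode.GetString($Bytes).TrimStart([char]0xFEFF))
}

# ---- Constructed sample: a 1-image LZX header followed immediately by its XML data ----
function Write-ResourceEntry($Writer, [uint64]$Size, [byte]$Flags, [int64]$Offset, [int64]$Original) {
    $Writer.Write([BitConverter]::GetBytes($Size), 0, 7); $Writer.Write($Flags); $Writer.Write($Offset); $Writer.Write($Original)
}
$xmlText = '<WIM><TOTALBYTES>1234567</TOTALBYTES><IMAGE INDEX="1"><DIRCOUNT>2</DIRCOUNT><FILECOUNT>5</FILECOUNT><TOTALBYTES>1234567</TOTALBYTES><NAME>Win81Ent-sample</NAME></IMAGE></WIM>'
[byte[]]$xmlBytes = [Text.Encoding]::Unicode.GetPreamble() + [Text.Encoding]::Unicode.GetBytes($xmlText)
$ms = New-Object IO.MemoryStream
$w  = New-Object IO.BinaryWriter $ms
$w.Write([Text.Encoding]::ASCII.GetBytes("MSWIM`0`0`0"))       # ImageTag
$w.Write([uint32]208); $w.Write([uint32]0x00010D00)             # cbSize, dwVersion
$w.Write([uint32](0x2 -bor 0x40000)); $w.Write([uint32]32768)   # FLAG_COMPRESSION | COMPRESS_LZX, chunk size
$w.Write([Guid]::NewGuid().ToByteArray())
$w.Write([uint16]1); $w.Write([uint16]1); $w.Write([uint32]1)   # part 1 of 1, one image
Write-ResourceEntry $w 0 0 0 0                                  # lookup table (omitted in the sample)
Write-ResourceEntry $w $xmlBytes.Length 0 208 $xmlBytes.Length  # XML data right after the header
Write-ResourceEntry $w 0 0 0 0                                  # boot metadata
$w.Write([uint32]0)                                             # boot index: no bootable image
Write-ResourceEntry $w 0 0 0 0                                  # integrity table absent
$w.Write((New-Object byte[] 60))                                # reserved
$w.Write($xmlBytes)
$w.Flush()
$sample = $ms.ToArray()

$hdr = Read-WimHeader -Bytes $sample
$hdr | Format-List
$start = [int]$hdr.XmlData.FileOffset
$end   = $start + [int]$hdr.XmlData.Size - 1
$xml   = Read-WimXmlData -Bytes $sample[$start..$end]
"Image $($xml.WIM.IMAGE.INDEX): $($xml.WIM.IMAGE.NAME), $($xml.WIM.IMAGE.FILECOUNT) files, $($xml.WIM.IMAGE.TOTALBYTES) bytes"
if ($hdr.Integrity.Size -eq 0) { Write-Warning 'No integrity table: an apply with /CheckIntegrity cannot detect a tampered or corrupt image.' }
```

For a real file, replace the sample with `$hdr = Read-WimHeader -Bytes (Get-WimBytes -Path 'D:\Images\install.wim')` and read the XML with `Get-WimBytes -Path ... -Offset $hdr.XmlData.FileOffset -Count $hdr.XmlData.Size`; the integrity warning is the quickest way to tell whether an image handed to you was captured in a way that can be verified at all.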
The .wim file format addresses many challenges found in other imaging formats. The benefits of the .wim
file format include the following:
A single Windows image file can address many hardware configurations. The .wim file format does
not require the destination hardware to match the source hardware. This helps you reduce the
number of images tremendously, and you have the advantage of only having one image to address
the many hardware configurations.
A Windows image file can store multiple images in a single file. This is useful because you can store
images with or without core apps in a single image file. Another benefit is that you can mark one of
the images as bootable, which allows you to start a machine from a disk image that a Windows image
file contains.
The .wim file format enables compression and single instancing. This reduces the size of image files
significantly. Single instancing is a technique that enables multiple images to share a single copy of
files that are common between the instances.
The .wim file format enables you to service an image offline. You can add or remove certain
operating system elements, files, updates, and drivers without creating a new image. For example,
to add an update to a Windows XP image, you must deploy and start the master image, install the
update, and then generalize and capture the image again. With Windows 8.1, you can mount an
image file and then perform an integrated installation of the update (also known as a slipstreamed
installation) into the image file without needing to deploy or recapture the master image.
The .wim file format enables you to install an image on a partition that is smaller, equal to, or larger
than the original partition that was captured, as long as the target partition has sufficient space to
store the image content. This is different from sector-based image formats that require you to deploy
a disk image to a partition that is the same size or larger than the source disk.
Windows 8.1 includes the DISM tool, Dism.exe, which you can use for capturing, managing, and
deploying Windows image files. It also includes the DISM Windows PowerShell module with cmdlets
for managing Windows image files. Developers can use an API for the .wim file format, called
WIMGAPI, to work with Windows image files.
The .wim file format allows for nondestructive image deployment. Nondestructive image deployment
means that you can leave data on the volume where you apply the image, because applying the image
does not delete the disk's existing contents.
The .wim file format enables you to start Windows PE from a Windows image file. The Windows 8.1
setup process uses Windows PE. The Windows image file is loaded into a RAM disk and runs directly
from memory.
Windows Imaging File Format (WIM)
http://go.microsoft.com/fwlink/?LinkId=378208&clcid=0x409
Catalog. This binary file (.clg) contains the state of the settings and packages in a Windows image.
The catalog file is not required for a Windows operating system deployment, and it is not included on
the Windows 8.1 DVD media. The catalog file is required if you want to create an answer file by using
Windows SIM, and it can be created by using this tool.
Windows ADK is a collection of tools and documentation that you can use to automate the
deployment of Windows operating systems and to assess deployed systems. Windows ADK tools are
used in most Windows deployment scenarios and include the following:
Windows SIM. You can use this tool to create unattended installation answer files and distribution
shares, or to modify the files that a configuration set contains.
Windows PE. This is a minimal 32-bit or 64-bit operating system with limited services, which
is built on the Windows 8.1 kernel. You can use Windows PE for capturing Windows images,
installing or deploying Windows, and for troubleshooting the deployment. Windows PE
provides read and write access to Windows file systems and supports a range of hardware
drivers, including network connectivity, which makes it useful for system recovery. You can run
Windows PE from a CD or DVD, USB flash drive, or on a network by using PXE. Windows ADK
includes several tools that you can use to build and configure Windows PE.
USMT. You can use this tool to migrate user settings and data files from a previous Windows
operating system to Windows 8.1.
DISM. You can use this tool to service and manage Windows images, and to apply updates,
drivers, and language packs to a Windows image, offline or online.
Sysprep. Sysprep prepares a Windows image for disk imaging, system testing, or delivery to a
customer. You can use Sysprep to remove any system-specific data from a Windows image, such
as the security identifier (SID). After removing unique system information from an image, you can
capture that Windows image and then use it for deployment on multiple computers. You also can use
Sysprep to configure a Windows operating system to start the out-of-box experience (OOBE) the next
time you start the system. Sysprep is available in all Windows operating systems since Windows Vista.
Windows DS. Windows DS is a server-based deployment solution that enables an administrator to set
up new client computers over a network without having to visit each client. Windows DS is a server
role that you can configure for Windows Server 2012 or Windows Server 2012 R2.
Virtual hard disk. The Microsoft .vhd file format and the new .vhdx file format are publicly available
format specifications that specify a virtual hard disk encapsulated in a single file, which is capable of
hosting native file systems and supporting standard disk operations. You can deploy Windows 8.1 to
.vhd or .vhdx files and start a computer from such files.
Deployment Walkthroughs
http://go.microsoft.com/fwlink/?LinkId=378209&clcid=0x409
Question: Can you set up Windows DS on a Windows 8.1 computer?
2. Build a reference installation. A reference computer has a customized installation of Windows 8.1 that
you plan to duplicate on one or more destination computers. You can create a reference installation
by using Windows 8.1 installation media and an answer file. After the installation, you can perform
additional customizations. For example, you can install apps that are required on all destination
computers. After you configure a reference installation, you must generalize it by using Sysprep.
3. Create bootable Windows PE media. You can create a Windows PE environment by using the
CopyPE.cmd script, customizing it, and writing it to bootable media such as Universal Disk Format,
CD, or DVD by using the MakeWinPEMedia.cmd script. Windows PE enables you to start a computer
for purposes of deployment and recovery. Windows PE starts a computer directly from memory,
enabling you to remove the Windows PE media after the computer starts. After you start a computer
in Windows PE, you can use the DISM tool to capture, modify, and apply file-based disk images.
4. Capture an installation image. You can capture an image of your reference computer by using
Windows PE and the DISM tool. You can store the image that you capture locally on removable
media or on a network share.
5. Modify an installation image. Optionally, you can use DISM or the Windows PowerShell command-line
interface to modify Windows images when required. If additional drivers or Windows features
are required, or if image configuration requirements change, you can use DISM to modify an image
offline by mounting it to an empty folder and injecting drivers and updates, or by modifying the
operating system settings. You can modify the Windows image file without having to deploy the
Windows 8.1 image first.
6. Deploy an installation image. After you have an image of your reference installation, you can deploy
the image to destination computers. You can use the DiskPart tool to format the hard drive and copy
the image from the network share. Use DISM to apply the image to the destination computer. For
high-volume deployments, you can store an image of the new installation on your distribution share
and deploy the image to destination computers by using deployment tools such as Windows DS,
MDT, or Configuration Manager.
Question: Can you create a customized Windows 8.1 installation image only by using tools
that are included in Windows 8.1?
Use an answer file to customize Windows installations so that the versions of Windows operating systems
deployed to each destination computer are configured in the same way. The two types of Windows
installations are attended and unattended:
In attended installations, you respond to Windows Setup prompts, selecting options such as the
partition to which you want to install and the Windows image to install.
In unattended installations, which offer many additional options, you automate this process to avoid
installation prompts. You can use an answer file with Windows Setup in two ways:
When you start Windows Setup by running Setup.exe, you can use the /unattend parameter to
explicitly specify an answer file name and location.
If you do not specify an answer file, for example, when you start a computer from Windows 8.1
media, Windows Setup looks for an answer file in several default locations, such as in the root
directory of all drives. In that case, the answer file must be named Unattend.xml or
Autounattend.xml.
Before beginning your deployment process, identify all the requirements of your environment. Consider
the following possible requirements:
Components
This section has all the component settings that are applied during Windows Setup. You can configure
component settings in different configuration passes: windowsPE, oobeSystem, generalize, specialize,
auditUser, auditSystem, and offlineServicing. Each of the configuration passes represents a distinct phase
of Windows Setup. Not all the phases of Windows Setup happen during Windows installation. Settings can
be applied during one or more passes.
Packages
Microsoft uses packages for the distribution of software updates, service packs, and language packs.
Packages also can comprise Windows features. You can configure packages so that you add them to
a Windows image, remove them from a Windows image, or change the settings for features within a
package. You can either enable or disable features in Windows. If you enable a Windows feature, the
resources, executable files, and settings for that feature are available to users of the system. If you
disable a Windows feature, the package resources are not available, but the Windows operating system
does not remove the resources from the system. Some Windows features might require you to install
other features before enabling the installed version of the Windows operating system. You need to
validate your answer file and then add any required packages. For example, you can disable the Windows
Media Player feature to prevent users from running it. However, disabling the package does not remove
those resources from the Windows image. The Windows operating system applies packages in an answer
file to the Windows image during the offlineServicing configuration pass.
While you can create an answer file manually by entering the appropriate XML code into the
Unattend.xml file, you typically create it by using the component of Windows ADK called Windows SIM.
Windows SIM requires a catalog of the Windows image before you can use it to create an answer file.
Windows 8.1 does not include a catalog file for the Windows images in Install.wim, but Windows SIM can
create the catalog dynamically. Answer files that Windows SIM creates are associated with a particular
Windows image. This enables you to validate the settings in an answer file to the settings available in the
Windows image. However, because you can use any answer file to install a Windows image, if there are
settings in the answer file for components that do not exist in the Windows image, then Windows ignores
those settings.
Note: An answer file can include destructive actions like deleting disk content and
formatting disk partitions. If you want Windows Setup to use an answer file automatically, and if
the answer file includes settings in the windowsPE and offlineServicing configuration passes, you
must rename the answer file Autounattend.xml.
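The following PowerShell script is an added example; it is not part of the course text and not a Windows SIM feature. It reads an answer file, lists the configuration passes and components it touches, flags the destructive settings the note above refers to (WillWipeDisk and partition Format), flags local account passwords stored in plain text, and checks the Autounattend.xml naming rule. The answer file embedded in the script is constructed for this example: the component and element names follow the unattend schema, but the values are made up, and the function names are mine.

```powershell
# Added example (not from the course or from Windows SIM): audit an answer file before
# Windows Setup is allowed to pick it up automatically.
# The answer file below is constructed for this example; element and component names
# follow the unattend schema, the values are made up.
$sampleAnswerFile = @'
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="windowsPE">
    <component name="Microsoft-Windows-Setup" processorArchitecture="amd64"
               xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
      <DiskConfiguration>
        <Disk wcm:action="add">
          <DiskID>0</DiskID>
          <WillWipeDisk>true</WillWipeDisk>
          <CreatePartitions>
            <CreatePartition wcm:action="add">
              <Order>1</Order><Type>Primary</Type><Extend>true</Extend>
            </CreatePartition>
          </CreatePartitions>
          <ModifyPartitions>
            <ModifyPartition wcm:action="add">
              <Order>1</Order><PartitionID>1</PartitionID><Format>NTFS</Format><Active>true</Active>
            </ModifyPartition>
          </ModifyPartitions>
        </Disk>
      </DiskConfiguration>
      <UserData><AcceptEula>true</AcceptEula><Organization>Adatum</Organization></UserData>
    </component>
  </settings>
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64"
               xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
      <UserAccounts><LocalAccounts>
        <LocalAccount wcm:action="add">
          <Name>Admin</Name><Group>Administrators</Group>
          <Password><Value>ExamplePassword</Value><PlainText>true</PlainText></Password>
        </LocalAccount>
      </LocalAccounts></UserAccounts>
    </component>
  </settings>
</unattend>
'@

function New-UnattendNamespace {
    # XPath needs the unattend namespace bound to a prefix; 'u' is an arbitrary choice.
    param([xml]$Unattend)
    $ns = New-Object System.Xml.XmlNamespaceManager -ArgumentList $Unattend.NameTable
    $ns.AddNamespace('u', 'urn:schemas-microsoft-com:unattend')
    return $ns
}

function Get-UnattendAudit {
    # Returns one object per finding: the configuration pass, the component, and what was found.
    param([xml]$Unattend)
    $ns = New-UnattendNamespace -Unattend $Unattend
    $findings = @()
    foreach ($settings in $Unattend.SelectNodes('/u:unattend/u:settings', $ns)) {
        $pass = $settings.GetAttribute('pass')
        foreach ($component in $settings.SelectNodes('u:component', $ns)) {
            $name = $component.GetAttribute('name')
            # WillWipeDisk=true destroys everything on that disk when the pass runs.
            foreach ($disk in $component.SelectNodes('.//u:Disk[u:WillWipeDisk="true"]', $ns)) {
                $findings += [pscustomobject]@{ Pass = $pass; Component = $name; Severity = 'Destructive'
                                                 Finding = "WillWipeDisk=true on DiskID $($disk.DiskID)" }
            }
            # A Format element reformats the partition, so existing data on it is lost as well.
            foreach ($part in $component.SelectNodes('.//u:ModifyPartition[u:Format]', $ns)) {
                $findings += [pscustomobject]@{ Pass = $pass; Component = $name; Severity = 'Destructive'
                                                 Finding = "Format=$($part.Format) on PartitionID $($part.PartitionID)" }
            }
            # A password with PlainText=true is readable by anyone who can read the answer file.
            foreach ($pw in $component.SelectNodes('.//u:Password[u:PlainText="true"]', $ns)) {
                $findings += [pscustomobject]@{ Pass = $pass; Component = $name; Severity = 'Credential'
                                                 Finding = "Plain-text password under $($pw.ParentNode.LocalName)" }
            }
        }
    }
    return $findings
}

function Test-UnattendFileName {
    # The rule from the note above: a file that Setup should use automatically and that carries
    # windowsPE or offlineServicing settings must be named Autounattend.xml.
    param([xml]$Unattend, [string]$FileName)
    $ns = New-UnattendNamespace -Unattend $Unattend
    $passes = @($Unattend.SelectNodes('/u:unattend/u:settings', $ns) | ForEach-Object { $_.GetAttribute('pass') })
    $early = @($passes | Where-Object { $_ -eq 'windowsPE' -or $_ -eq 'offlineServicing' })
    if ($early.Count -gt 0 -and $FileName -ne 'Autounattend.xml') {
        return "$FileName carries $($early -join ', ') settings; rename it Autounattend.xml for automatic use."
    }
    return "$FileName is acceptable for the passes it contains ($($passes -join ', '))."
}

$doc = [xml]$sampleAnswerFile
Get-UnattendAudit -Unattend $doc | Format-Table Pass, Component, Severity, Finding -AutoSize
Test-UnattendFileName -Unattend $doc -FileName 'Unattend.xml'
# To audit a real file instead: $doc = [xml](Get-Content -Path 'A:\Autounattend.xml' -Raw)
```

Run against the constructed sample, the audit reports three findings (the disk wipe and the NTFS format in the windowsPE pass, and the plain-text password in the oobeSystem pass), and the name check points out that a file carrying windowsPE settings must be called Autounattend.xml if Setup is to pick it up on its own. Keeping such a file on removable media or a share that many people can read is what makes the plain-text password finding matter.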
Understanding Answer Files
http://go.microsoft.com/fwlink/?LinkID=386288&clcid=0x409
Methods for Running Windows Setup
http://go.microsoft.com/fwlink/?LinkId=378210&clcid=0x409
Question: What must you do before you can create an answer file for a Windows 8.1
installation?
Demonstration Steps
1.
2. In the Components section of Windows SIM, add the following components, and then configure their
properties with the following values in the answer file:
amd64_Microsoft-Windows-Setup_6.3.9600.16384_neutral\DiskConfiguration\Disk
    DiskID: 0
    WillWipeDisk: True
amd64_Microsoft-Windows-Setup_6.3.9600.16384_neutral\DiskConfiguration\Disk\CreatePartitions\CreatePartition
    Extend: True
    Order: 1
    Type: Primary
amd64_Microsoft-Windows-Setup_6.3.9600.16384_neutral\ImageInstall\OSImage\InstallTo
    DiskID: 0
    PartitionID: 1
amd64_Microsoft-Windows-Setup_6.3.9600.16384_neutral\UserData
    AcceptEULA: True
    Organization: Adatum
3. You can configure the property values by using the following process:
a.
b. Right-click the component, and then click the appropriate Add Setting to Pass choice.
c. In the Answer File pane, locate and then click the added component.
d. In the corresponding Properties pane, double-click the setting, and then set the value.
4. Save the answer file on the desktop as Autounattend.xml. Open the answer file in Internet Explorer,
and then verify that the settings that you configured in Windows SIM are saved in the answer file.
Sysprep Tasks
You can use Sysprep to:
Note: Only use Sysprep to configure reference Windows installations. Remember that
Sysprep can delete existing system configurations. Do not use Sysprep to reconfigure an existing
Windows installation.
In Windows 8.1, the /mode:vm command-line parameter for Sysprep generalizes a virtual hard disk. You
can use this parameter if you will deploy the virtual hard disk on the same virtualization platform.
Note: You can run virtual machine mode only from inside a virtual machine.
Sysprep Command-Line Syntax
http://go.microsoft.com/fwlink/?LinkId=378211&clcid=0x409
System Preparation (Sysprep) Technical Reference
http://go.microsoft.com/fwlink/?LinkId=378212&clcid=0x409
Question: Why should you not run Sysprep on a Windows 8.1 computer that is deployed
and being used already?
Installing Windows 8.1. Windows PE runs every time you install Windows 8.1. The graphical tools that
collect configuration information during the setup phase are running within Windows PE.
Troubleshooting. Windows PE is useful for automatic and manual troubleshooting. For example, if
Windows 8.1 fails to start because of a corrupted system file, Windows PE can start automatically and
launch Windows RE.
Recovery. OEMs and IT pros can use Windows PE to build customized, automated solutions for
recovering and rebuilding computers that run Windows 8.1.
Benefits of Windows PE
Microsoft developed Windows PE as the primary tool for starting computers that do not have a functional
operating system. After a computer starts in Windows PE, you can prepare it for Windows installation and
then initiate Windows Setup from a network or local source. You also can service an existing Windows
installation or recover data. Because Windows PE is based on the Windows 8.1 kernel, it provides the
following capabilities:
Native support for the NTFS 5.x file system, including dynamic volume creation and management.
Native support for TCP/IP networking and file sharing. Windows PE can connect to network shares
only; you cannot share folders in Windows PE.
Optional support for Windows Management Instrumentation, Microsoft Data Access Component, and
HTML Application.
Ability to start from a number of media types, including CD, DVD, USB flash drive, and a Remote
Installation Services server.
Windows PE includes all Hyper-V drivers, except display drivers. This enables Windows PE to run in a
hypervisor. Supported features include mass storage, mouse integration, and network adapters.
Windows PE is available as part of Windows ADK. You can create a custom Windows PE environment by
running the CopyPE.cmd script. After that, you can customize the environment. For example, you can add
support for Windows PowerShell, database connectivity, or scripting. You also can copy additional drivers
and programs to Windows PE. You can write a customized Windows PE environment to bootable media
by running the MakeWinPEMedia.cmd script.
WinPE: Windows PE Overview
http://go.microsoft.com/fwlink/?LinkId=378213&clcid=0x409
Question: What are some of the tasks in which you can use Windows PE for
troubleshooting?
Question: How can you customize Windows PE?
Demonstration Steps
1.
2.
3. Use DISM to view the properties of the Windows PE image, and then mount the image file located at
C:\winpe\media\sources\boot.wim to the C:\winpe\mount folder.
4. Use File Explorer to verify that there are four subfolders in the C:\winpe\mount folder.
5.
6. Use File Explorer to verify that there are no subfolders in the C:\winpe\mount folder.
7.
Note: In the past, the ImageX tool often was used for creating, mounting, and applying
Windows image files. This tool is still available as part of Windows ADK, but it is deprecated since
Windows 8. All of its functionality is included in DISM, and you should avoid using ImageX.
Although you can create an image that includes a single folder or folder hierarchy, you often will create
an image of the entire volume. You cannot add files that are opened exclusively by any process to the
image, and because of that, you cannot capture an image of the running operating system. You will need
to restart the computer into another operating system, such as Windows PE, before you can capture the
image of the Windows 8.1 installation. When capturing the image, you can specify additional options,
such as the file types to exclude from the image and the compression type to use; the compression type
can be defined only when capturing the first image in the Windows image file. You can capture the content
of the volume C: to the file D:\Custom.wim by running the following command:
Dism /Capture-Image /ImageFile:D:\Custom.wim /CaptureDir:C:\ /Name:"Captured Windows 8.1 installation"
You cannot create and format a volume by using DISM, which means that the volume already must be
created and formatted before you can apply the image to it. For example, you can create and format a
volume by using the DiskPart tool. After the volume is prepared, you can deploy the first Windows image
contained in the file D:\Custom.wim to volume C: by running the following command:
Dism /apply-image /imagefile:D:\Custom.wim /index:1 /ApplyDir:C:\
Besides capturing and applying Windows images, you can use DISM to service and manage Windows
images.
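As an added example (not course code and not part of DISM itself), the following PowerShell script strings the DISM steps of this lesson and of the image lab that follows into one workflow: capture a folder into a new .wim, append the same folder as a second image and compare file sizes to see single instancing at work, enumerate the images, mount the second image, change it, unmount it with commit, and compare the two images afterwards. Capture and append use Dism.exe exactly as the text shows; the remaining steps use the DISM Windows PowerShell module cmdlets (Get-WindowsImage, Mount-WindowsImage, Dismount-WindowsImage). The three paths are assumptions for the example. Because a running operating system cannot be captured, the script captures a small folder so that it can run from a live Windows 8.1 session; capturing a whole volume still has to be done from Windows PE.

```powershell
#Requires -RunAsAdministrator
# Added example, not course code: a DISM capture/append/mount/commit workflow in PowerShell.
# The three paths are assumptions for the example; change them to suit the lab computer.
param(
    [string]$SourceDir = "$env:SystemRoot\Inf",   # small folder, so the capture can run from a live session
    [string]$WimPath   = 'C:\image.wim',
    [string]$MountDir  = 'C:\mount'
)

function Invoke-Dism {
    # Runs Dism.exe with the given arguments and stops the script if it reports failure,
    # so a failed capture or commit is never silently followed by the next step.
    param([string[]]$Arguments)
    & Dism.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "Dism.exe $($Arguments -join ' ') failed with exit code $LASTEXITCODE" }
}

function Get-WimSizeMB {
    param([string]$Path)
    [math]::Round((Get-Item -Path $Path).Length / 1MB, 2)
}

function Expand-CapturedImage {
    # Applies one image to a volume that DiskPart has already created and formatted;
    # DISM itself cannot create or format volumes. Defined here, not run by this script.
    param([string]$ImagePath, [int]$Index = 1, [string]$ApplyDir)
    Invoke-Dism @('/Apply-Image', "/ImageFile:$ImagePath", "/Index:$Index", "/ApplyDir:$ApplyDir")
}

if (Test-Path -Path $WimPath) { Remove-Item -Path $WimPath -Force }
New-Item -ItemType Directory -Path $MountDir -Force | Out-Null

# 1. Capture the folder into a new .wim. Compression can be chosen only for the first image
#    in a file, which is why /Compress appears here and not on the append below.
Invoke-Dism @('/Capture-Image', "/ImageFile:$WimPath", "/CaptureDir:$SourceDir", '/Name:FirstImage', '/Compress:max')
$afterFirst = Get-WimSizeMB -Path $WimPath

# 2. Append the same folder as a second image. Single instancing stores the shared files once,
#    so the file grows far less than a second full copy would require.
Invoke-Dism @('/Append-Image', "/ImageFile:$WimPath", "/CaptureDir:$SourceDir", '/Name:SecondImage')
$afterSecond = Get-WimSizeMB -Path $WimPath
"Size after first capture: $afterFirst MB; after appending an identical image: $afterSecond MB"

# 3. Enumerate the images in the file (the cmdlet equivalent of Dism /Get-ImageInfo).
Get-WindowsImage -ImagePath $WimPath | Format-Table ImageIndex, ImageName, ImageSize -AutoSize

# 4. Offline servicing: mount image 2 to an empty folder, change its content, unmount and commit.
Mount-WindowsImage -ImagePath $WimPath -Index 2 -Path $MountDir | Out-Null
try {
    New-Item -ItemType Directory -Path (Join-Path $MountDir 'Folder1') | Out-Null
    Get-ChildItem -Path $MountDir -File | Select-Object -First 3 | Remove-Item -Force
    Dismount-WindowsImage -Path $MountDir -Save | Out-Null
} catch {
    # Discard the edits rather than leave a half-modified mount behind, then re-throw.
    Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
    throw
}

# 5. Compare the two images: image 2 now differs from image 1 in content and modification time.
foreach ($index in 1, 2) {
    Get-WindowsImage -ImagePath $WimPath -Index $index |
        Select-Object ImageIndex, ImageName, FileCount, DirectoryCount, ModifiedTime
}
```

Two design points are worth noting. Every Dism.exe call goes through Invoke-Dism so that a non-zero exit code stops the script; a capture that failed half way, followed by an apply, is the kind of mistake that is hard to diagnose later. The mount is wrapped in try/catch with a discard on failure, because a mount that is left behind keeps the image file locked until it is cleaned up (Dism /Cleanup-Wim).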
DISM - Deployment Image Servicing and Management Technical Reference
http://go.microsoft.com/fwlink/?LinkId=378214&clcid=0x409
Question: What must you do before you can capture an image of a Windows 8.1 computer
by using Dism.exe?
Imaging commands
Imaging commands enable image management tasks such as mounting an image file or enumerating
images in a file. You can use the following syntax for imaging commands:
Dism.exe [dism_global_options] {servicing_option} [<servicing_argument>]
Servicing commands
Servicing commands enable tasks that involve modifying a Windows image, such as injecting drivers,
adding packages, and modifying Windows configurations. You can use the following syntax for servicing
commands:
Dism.exe {/Image:<path_to_image> | /Online} [dism_global_options] {servicing_option} [<servicing_argument>]
Question: Can you use Dism.exe to modify only Windows installation images in a .wim file?
You have been asked to modify the answer file that is being used for the A. Datum Windows 8.1
installation process. A. Datum is deploying a test group of Windows 8.1 computers, and it would like to
have a standard installation that requires no user input as part of the setup process.
Your task is to create a new answer file that automates the installation accordingly. Use it to test an
installation of Windows 8.1 on LON-REF1.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 45 minutes
Virtual machines: 20687D-LON-DC1, 20687D-LON-CL1, and 20687D-LON-REF1
User name: Adatum\Administrator
Password: Pa$$w0rd
First start the 20687D-LON-DC1 virtual machine, then start the 20687D-LON-CL1 virtual machine, and
sign in as Adatum\Administrator with the password Pa$$w0rd.
In this exercise, you have been asked to configure an answer file to use with Windows 8.1 installations at
A. Datum. To modify this answer file, your IT administrator has given you the following information to
assist in the process.
amd64_Microsoft-Windows-International-CoreWinPE_neutral
    InputLocale: en-US
    SystemLocale: en-US
    UILanguage: en-US
    UserLocale: en-US
amd64_Microsoft-Windows-International-CoreWinPE_neutral\SetupUILanguage
    UILanguage: en-US
amd64_Microsoft-Windows-Setup_neutral\DiskConfiguration\Disk
    DiskID: 0
    WillWipeDisk: True
amd64_Microsoft-Windows-Setup_neutral\DiskConfiguration\Disk\CreatePartitions\CreatePartition
    Extend: True
    Order: 1
    Type: Primary
amd64_Microsoft-Windows-Setup_neutral\DiskConfiguration\Disk\ModifyPartitions\ModifyPartition
    Active: True
    Format: NTFS
    Order: 1
    PartitionID: 1
amd64_Microsoft-Windows-Setup_neutral\ImageInstall\OSImage\InstallFrom\Metadata
    Key: /IMAGE/NAME
    Value: Windows 8.1 Enterprise Evaluation
amd64_Microsoft-Windows-Setup_neutral\ImageInstall\OSImage\InstallTo
    DiskID: 0
    PartitionID: 1
amd64_Microsoft-Windows-Setup_neutral\UserData
    AcceptEULA: True
    FullName: Adatum User
    Organization: Adatum
amd64_Microsoft-Windows-Shell-Setup_neutral\OOBE
    SkipMachineOOBE: True
    SkipUserOOBE: True
amd64_Microsoft-Windows-Shell-Setup_neutral\UserAccounts\LocalAccounts\LocalAccount
    Description: Local Admin
    DisplayName: Admin
    Group: Administrators
    Name: Admin
amd64_Microsoft-Windows-Shell-Setup_neutral\UserAccounts\LocalAccounts\LocalAccount\Password
    Value: Pa$$w0rd
2.
3.
Use the Hyper-V Manager console on the host computer to open the Settings page for
20687D-LON-CL1.
2. In Settings, click Diskette Drive, and then attach the virtual floppy drive named Lab2BEx1.vfd found
at D:\Program Files\Microsoft Learning\20687\Drives.
Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd, and then start Windows
System Image Manager.
2. In Windows System Image Manager, open the answer file Autounattend.xml from Floppy Disk
Drive (A:).
3. In the Answer File section of Windows SIM, verify that the answer file is configured with the
parameters that were specified in the preceding table.
4.
5.
6.
Task 3: Configure LON-REF1 and start the Windows 8.1 unattended installation
1.
2. In Settings, click Diskette Drive, and then attach Lab2BEx1.vfd found at D:\Program Files
\Microsoft Learning\20687\Drives.
3. In Settings, click DVD Drive, and then attach the DVD image file found at D:\Program Files
\Microsoft Learning\20687\Drives\Win81Ent_EVAL.iso.
4. Start 20687D-LON-REF1, and then begin Windows Setup. Confirm that you are not prompted for any
information during installation. While Windows 8.1 installs, continue with the next exercise.
Note: During installation, LON-REF1 will restart two times. Do not press any key to start it
from DVD.
Results: After completing this exercise, you should have modified an unattended answer file to use for
automating the Windows 8.1 installation process.
One of your tasks is to capture a Windows 8.1 image. Before performing the task, you need to view the
content of the existing Windows image file and explore the benefits of using the .wim file format.
The main tasks for this exercise are as follows:
1. View the information of the Windows 8.1 image in the Install.wim file.
2. Capture an image.
3.
4.
Task 1: View the information of the Windows 8.1 image in the Install.wim file
1. Add Windows 8.1 DVD media to LON-CL1 by attaching the DVD image file found at
D:\Program Files\Microsoft Learning\20687\Drives\Win81Ent_EVAL.iso.
2. Use File Explorer to view the properties of the Install.wim file in the Sources folder on the DVD drive.
3. Use Dism.exe with the Get-ImageInfo parameter to view the content of the Install.wim file.
4. Use Dism.exe with the Get-WimInfo parameter to view the information about the first image in the
Install.wim file.
Use Dism.exe with the Capture-Image parameter to capture the content of the C:\Windows\Inf
folder to a file named C:\image.wim, and then name the image First image.
2.
3. View the size of the C:\image.wim file, and then consider the benefits of Windows image
compression.
4. Use Dism.exe with the Append-Image parameter to add the content of the C:\Windows\Inf folder as a
second image to the C:\image.wim file, and then name the image Second Image.
5. View the size of C:\image.wim, and then consider the benefits of single instancing when multiple
images in the same Windows image file have the same files.
6. Use Dism.exe with the Get-ImageInfo parameter to view which images are contained in the
C:\image.wim file.
Use File Explorer to view the properties of the C:\image.wim file, including its size and date of last
modification.
2. Create a folder named C:\mount and use Dism.exe with the Mount-Wim parameter to mount the
second image in the C:\Image.wim file to the C:\mount folder.
3.
4. Create a subfolder named Folder1, and then delete three files in the C:\mount folder.
5. Use Dism.exe with the Unmount-Wim and Commit parameters to unmount the image.
6.
7. Use Dism.exe with the Get-WimInfo parameter to view and compare the properties of the second
and first image in the C:\image.wim file.
Sign in to LON-REF1 as user Admin with password Pa$$w0rd. Verify that Windows 8.1 is installed.
2. Add Windows PE media to LON-REF1 by attaching the DVD image file found at D:\Program Files
\Microsoft Learning\20687\Drives\WindowsPE.iso.
3.
4.
5.
6.
Use Dism.exe with the Capture-Image parameter to capture the C: drive to the G:\Win81.wim file,
and then name the image CustomImage.
Note: You can continue with the lecture while the capture is in progress.
Results: After completing this exercise, you should have viewed Windows image information and
captured a Windows 8.1 image.
Lesson 4
Product activation is a requirement of the Windows 8.1 operating system. It requires validation for
each Windows 8.1 license through an online activation service at Microsoft, by phone, through KMS, or
through AD DS. Activation enhances protection from software piracy, and it helps you manage operating
system and application instances within an environment. This lesson describes how activation works and
the volume activation models to consider for an effective Windows 8.1 desktop deployment.
Lesson Objectives
After completing this lesson, you will be able to:
Describe activation.
What Is Activation?
All editions of Windows 8.1 require activation. Activation confirms the status of a Windows product and
ensures that the product key has not been compromised. The activation process links the software's
product key to a particular installation of that software on a device. If the device hardware changes
considerably, you need to activate the software again. Activation assures software integrity and provides
you access to Microsoft support and a full range of updates. Activation also is necessary if you want to
comply with licensing requirements.
Unlike Windows 7, Windows 8.1 does not have a grace period. You must activate Windows 8.1
immediately upon installation. Failure to activate a Windows operating system will prevent users from
completing customization. In older versions of the Windows operating system, activation and validation
by using the Windows Genuine Advantage tool occurred separately. This caused confusion for users who
thought the terms were interchangeable. In Windows 8, activation and validation occur at the same time.
If you wish to evaluate Windows 8.1, Microsoft provides a separate evaluation edition that is available as
an .iso image file to MSDN subscribers and Microsoft partners.
There are three main methods for activation:
Retail. Any Windows 8.1 product purchased at a retail store comes with one unique product key that
you type in during product installation. Use the product key to complete activation after installing the
operating system.
OEM. OEM system builders typically sell computer systems that include a customized build of
Windows 8.1. You can perform OEM activation by associating the operating system to the computer
system BIOS.
Microsoft Volume Licensing (volume activation). Microsoft Volume Licensing is a series of software
licensing programs that are tailored to the size and purchasing methods of your organization.
Volume customers set up volume licensing agreements with Microsoft. These agreements include
Windows upgrade benefits and other benefits related to value-added software and services. Microsoft
Volume Licensing customers use Volume Activation Services to assist in activation tasks, which consist
of Active Directory-based activation, KMS, and MAK models.
You can view the Windows 8.1 activation status on the System properties page or by running the
following command:
cscript C:\windows\system32\slmgr.vbs -dli
Volume Activation Services is a server role in Windows Server 2012 and Windows Server 2012 R2. This
role service enables you to activate Windows 7, Windows Server 2008, and newer Windows operating
systems automatically, without having to contact Microsoft product activation servers. With Volume
Activation Services, you can configure KMS and enable Active Directory-based activation:
Active Directory-based activation is a role service that allows you to use AD DS to store activation
objects, which can greatly simplify the task of maintaining volume activation services for a
network. You can use Active Directory-based activation to activate only AD DS-joined computers,
and activation requests are processed during client computer startup. Any computer that runs
Windows 8, Windows Server 2012, or a newer Windows operating system with a generic VLK that
is joined to the domain will activate automatically and without user interaction. Computers will
stay activated as long as they remain members of the domain and maintain periodic contact with
a domain controller. Activation takes place after the licensing service starts.
MAK activation uses product keys that can activate only a specific number of computers. If the use
of volume licensing media is not controlled, excessive activations can occur, and after the depletion
of the activation pool, no further computers can be activated. You do not use MAKs to install
Windows 8.1, but rather, to activate it after installation. You can use MAKs to activate any
Windows 8.1 edition.
Plan for Volume Activation
http://go.microsoft.com/fwlink/?LinkId=378216&clcid=0x409
Licensing and Volume Activation
http://go.microsoft.com/fwlink/?LinkId=378217&clcid=0x409
Question: How can you determine if Windows 8.1 is activated? How can you activate
Windows 8.1?
You then can activate the KMS host by using online or phone activation.
During installation, a KMS host automatically attempts to publish its existence in service (SRV) resource
record locations within the Domain Name System (DNS). This provides the ability for both domain
members and stand-alone computers to activate against the KMS infrastructure. Client computers locate
the KMS host dynamically by using the service (SRV) resource records found in DNS or the connection
information specified in the registry. Client computers then use information obtained from the KMS host
to activate.
Client computers that are not activated attempt to connect with the KMS host every two hours.
To stay activated, client computers must renew their activation by connecting to the KMS host at least
once every 180 days.
After activation, client computers attempt to renew their activation every seven days. After each
successful connection, the expiration extends to the full 180 days.
Client computers connect to the KMS host for activation by using anonymous remote procedure
calls (RPCs) over TCP/IP and by using default port 1688. You can configure this port information. The
connection is anonymous, enabling workgroup computers to communicate with the KMS host. You
might need to configure the firewall and the router network to pass communications for the TCP port
that will be used.
To use KMS activation with Windows 8, Windows Server 2012, or newer Windows operating systems, the
computer must contain a Windows marker in the BIOS, and it must have a qualifying operating system
license, which often is obtained through OEMs as part of a new computer purchase.
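The following PowerShell script is an added example, not course code, and it covers both the activation status command given earlier in this lesson (cscript slmgr.vbs -dli) and the KMS discovery and port details described in the preceding paragraphs. It reads the same licensing data that slmgr.vbs reports from the SoftwareLicensingProduct WMI class, finds the KMS hosts a client could use (the _vlmcs._tcp SRV record in DNS and any host pinned in the registry by slmgr /skms), checks that TCP port 1688 (or the configured port) is reachable through firewalls and routers, and reports whether each discovered host is one you operate. The domain name, the authorized host list (the lab's lon-dc1.adatum.com is used as a placeholder) and the function names are assumptions for the example.

```powershell
# Added example, not course code: check a Windows 8.1 client's activation state and its path
# to the KMS host. Domain name and the list of KMS hosts you operate are assumptions.

function Get-ActivationState {
    # The same data that "cscript slmgr.vbs -dli" prints, read from the licensing WMI class.
    # The ApplicationID filter limits the query to the Windows product itself.
    $statusNames = @{ 0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'OOB grace'; 3 = 'OOT grace'
                      4 = 'Non-genuine grace'; 5 = 'Notification'; 6 = 'Extended grace' }
    Get-CimInstance -ClassName SoftwareLicensingProduct `
        -Filter "PartialProductKey IS NOT NULL AND ApplicationID = '55c92734-d682-4d71-983e-d6ec3f16059f'" |
      Select-Object Name, PartialProductKey,
        @{ Name = 'Status';              Expression = { $statusNames[[int]$_.LicenseStatus] } },
        @{ Name = 'GraceMinutesLeft';    Expression = { $_.GracePeriodRemaining } },
        @{ Name = 'KmsHost';             Expression = { if ($_.KeyManagementServiceMachine) { $_.KeyManagementServiceMachine }
                                                        else { $_.DiscoveredKeyManagementServiceMachineName } } },
        @{ Name = 'ActivationIntervalMin'; Expression = { $_.VLActivationInterval } },  # 120 by default: retry every two hours until activated
        @{ Name = 'RenewalIntervalMin';    Expression = { $_.VLRenewalInterval } }      # 10080 by default: renew every seven days once activated
}

function Find-KmsHost {
    # KMS hosts publish an SRV record named _vlmcs._tcp.<domain>; clients use it for discovery
    # unless a host is pinned in the registry (slmgr /skms). Both sources are returned.
    param([string]$DnsDomain = $env:USERDNSDOMAIN)
    $hosts = @(Resolve-DnsName -Name "_vlmcs._tcp.$DnsDomain" -Type SRV -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'SRV' } |
               ForEach-Object { [pscustomobject]@{ Source = 'DNS SRV'; Host = $_.NameTarget; Port = [int]$_.Port } })
    $spp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' `
                            -ErrorAction SilentlyContinue
    if ($spp -and $spp.KeyManagementServiceName) {
        $port = if ($spp.KeyManagementServicePort) { [int]$spp.KeyManagementServicePort } else { 1688 }
        $hosts += [pscustomobject]@{ Source = 'Registry'; Host = $spp.KeyManagementServiceName; Port = $port }
    }
    return $hosts
}

function Test-KmsPath {
    # Defender's view: every host this client could activate against should be one you operate,
    # and the KMS port (1688 unless changed) must be reachable through firewalls and routers.
    param([string[]]$AuthorizedHosts, [string]$DnsDomain = $env:USERDNSDOMAIN)
    foreach ($h in Find-KmsHost -DnsDomain $DnsDomain) {
        $tcp = Test-NetConnection -ComputerName $h.Host -Port $h.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Source     = $h.Source
            KmsHost    = $h.Host
            Port       = $h.Port
            Reachable  = $tcp.TcpTestSucceeded
            Authorized = ($AuthorizedHosts -contains $h.Host.TrimEnd('.'))   # -contains ignores case
        }
    }
}

Get-ActivationState | Format-List
# Placeholder for the KMS hosts you operate; in the course lab the domain controller is LON-DC1.
Test-KmsPath -AuthorizedHosts @('lon-dc1.adatum.com') | Format-Table -AutoSize
```

A host that appears in the SRV results but is not on your authorized list deserves attention, because any machine that registers that record is where your clients will send their anonymous RPC activation requests; an unreachable authorized host explains the "Notification" or grace status that Get-ActivationState reports.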
Volume Activation Overview
http://go.microsoft.com/fwlink/?LinkId=286471&clcid=0x409
Question: Can a Windows 8.1 computer be a KMS host?
Main Considerations
Many organizations have complex volume licensing infrastructures to support KMS and Microsoft Office
installations. To add Active Directory-based activation to these environments, administrators must assess
their current implementations and determine what role Active Directory-based activation will play in
their environment. Some considerations include how to upgrade operating systems and applications to
versions that support Active Directory-based activation. For environments that will run only Windows 8,
Windows Server 2012, and newer Windows operating systems, Active Directory-based activation is a
suitable option for activating all clients and servers, and you might be able to remove any KMS hosts. If an
environment will continue to contain older volume-licensed operating systems and applications,
administrators need a KMS host to maintain activation status, in addition to enabling Active
Directory-based activation.
Planning considerations when working with Active Directory-based activation include the following:
You do not need an additional host server with Active Directory-based activation. Your existing
domain controllers can support activation clients with the following limitations:
You cannot use Active Directory-based activation with non-Microsoft directory services.
The AD DS schema must be at the Windows Server 2012 or higher level to store activation
objects.
Domain controllers that run older versions of Windows Server can activate clients after the AD DS
schema has been extended to Windows Server 2012 or higher level.
Active Directory-based activation is forest-wide, and you only need to implement it once, even if the
forest contains multiple domains.
There are no threshold limits that must be met before computers can be activated by using
Active Directory-based activation.
In an environment that uses Active Directory-based activation, the volume activation process takes place
in the following steps:
1. An enterprise administrator installs the Active Directory-based activation role service on a domain
controller. After that, the administrator activates the KMS host key with Microsoft-hosted activation
services. Administrators can complete this installation from any computer that has a Volume
Activation Management Tool (VAMT) console.
2. When a domain-joined computer that is running Windows 8, Windows Server 2012, or a newer
Windows operating system with a generic VLK starts, the licensing service on the client automatically
queries the domain controller for licensing information. Lightweight Directory Access Protocol (LDAP)
is used for the authentication.
Note: You cannot use Active Directory-based activation to license computers that are not
members of the domain.
3. If a valid activation object is found, then the activation will continue silently and will not require user
intervention. For Active Directory-based activation, the same renewal guidelines are applicable as for
KMS activation.
4. If volume licensing information is not found in AD DS, computers that are running Windows 8,
Windows Server 2012, or a newer Windows operating system will try to find a KMS host and try
activation by using the KMS activation process.
Active Directory-Based Activation Overview
http://go.microsoft.com/fwlink/?LinkId=378218&clcid=0x409
Active Directory-Based Activation vs. Key Management Services
http://go.microsoft.com/fwlink/?LinkId=378219&clcid=0x409
Question: What type of connection is established between a Windows 8.1 computer and a
Windows Server 2012 R2 domain controller when Active Directory-based activation is
performed?
VAMT
You can use VAMT to automate and centrally manage the volume and retail-activation process of
Windows operating systems, Microsoft Office software, and certain other Microsoft products. VAMT
manages volume activation by using MAK or KMS. VAMT is a standard Microsoft Management Console
(MMC) snap-in, and it is available as part of Windows ADK. You can install VAMT on a computer that is
running Windows 7, Windows Server 2008, or a newer version of the Windows operating system. You can
use VAMT to manage and specify a group of computers to activate based on the following:
AD DS
Workgroup names
IP addresses
LDAP queries
Note: VAMT cannot manage volume activation for legacy Windows XP or Windows Server
2003 operating systems. However, you can still manage Microsoft Office 2010 or Microsoft Office
2013 on those two operating systems by using VAMT.
VAMT provides a single console for managing activations and for performing other activation-related
tasks, such as the following:
Adding and removing computers. VAMT can discover computers in a local environment by querying
AD DS and workgroups, by the computer name or IP address, or by using LDAP.
Discovering products. VAMT can discover Windows operating systems, Microsoft Office programs,
and other products that are installed on client computers. It uses a Microsoft SQL Server database
for storing discovery information and activation data.
Monitoring activation status. You can use VAMT to gather product activation information such as the
last five characters of a product key. You also can determine a product edition and whether the
product has a licensed, grace, or unlicensed licensing state.
Managing product keys. You can store multiple product keys and use VAMT to install these keys for
remote client products. You also can determine the number of activations remaining for MAKs.
Managing activation data. VAMT uses an SQL database to store activation data, and it can export this
data to other VAMT hosts or to an archive in XML format.
Reporting on volume licensing. VAMT can provide the licensing status of every computer in the
database.
Performing proxy authentication. If you are on a network that requires a user name and password to
reach the Internet, VAMT enables you to sign in and perform proxy activation.
You can use the Volume Activation Services server role to issue and manage Microsoft software volume
licenses in a simplified and automated manner, to install and activate a KMS host key, and to configure
KMS. After this service is installed, you can use it to issue, monitor, and manage volume licenses for
Microsoft products that support volume activation based on computer account information in AD DS. You
can configure Active Directory-based activation and KMS activation when installing the Volume Activation
Services server role. This server role also includes the Volume Activation Tools console, which you can use
to activate and manage one or more volume activation license keys in AD DS or on a KMS host.
Question: What is the main benefit that VAMT provides for an environment without direct
Internet connectivity?
If your computer will not activate over the Internet, ensure that an Internet connection is available
and that the computer has the correct TCP/IP settings. You also might need to set a proxy
configuration from your browser. If the computer cannot connect to the Internet, try telephone
activation.
If Internet and telephone activation both fail, you will need to contact the Microsoft Product
Activation Center.
Verify the activation status. You can verify activation status by looking for the Windows is activated
message in the System properties. You also can run the slmgr.vbs -dli command.
Ensure that the KMS service (SRV) resource record is present in DNS and that DNS does not restrict
dynamic updates. If DNS restrictions are intentional, you will have to provide the KMS host write
permission to the DNS database, or you will have to create the service (SRV) resource records
manually.
Ensure that firewalls and routers do not block TCP port 1688.
If your computer will not activate, verify that the minimum number of clients required for activation
contact the KMS host. Until the KMS host has a count of 25, it will not activate Windows clients,
including Windows 8.1.
Display the client Windows Application event log for event numbers 12288, 12289, and 12290 for
possible troubleshooting information.
Verify the activation status. You can verify activation status by looking for the Windows is activated
message in the System properties. You also can run the slmgr.vbs -dli command.
Ensure that computers can communicate with domain controllers. This includes network connectivity
and DNS name resolution.
Ensure that there is at least one activation object in the AD DS configuration partition. If there are two
activation objects, one for client and one for server operating systems, the client object can be
safely deleted because the server object will activate both clients and servers.
Active Directory-based activation is available only for domain-joined computers. If you remove a
computer from the domain, activation will fail on the next activation attempt.
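The checks listed above can be collected into one read-only troubleshooting pass. This is an added example rather than course material; it assumes it runs on the Windows 8.1 client being diagnosed, takes the domain name from the computer's domain membership, uses a placeholder for the KMS host name, and relies on the SRV record name _vlmcs._tcp, which is the KMS service record name that the course does not spell out.

```powershell
# Added example (not from the course): one read-only pass over the activation
# checks above, for a KMS or Active Directory-based activation client.
# Assumptions: runs on the client being diagnosed; the KMS host name is a placeholder.
param(
    [string]$Domain  = (Get-WmiObject Win32_ComputerSystem).Domain,
    [string]$KmsHost = 'KMS-HOST-PLACEHOLDER'   # replace with the KMS host this client should use
)

# 1. Current activation state, using the same slmgr.vbs check the course points to.
Write-Host '--- slmgr.vbs /dli ---'
cscript //nologo "$env:windir\System32\slmgr.vbs" /dli

# 2. The SRV record that KMS clients use for auto-discovery (_vlmcs._tcp).
Write-Host "--- SRV record _vlmcs._tcp.$Domain ---"
try {
    Resolve-DnsName -Name "_vlmcs._tcp.$Domain" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object NameTarget, Port, Priority, Weight
} catch {
    Write-Warning "No SRV record found: $($_.Exception.Message)"
}

# 3. Is TCP 1688 on the KMS host reachable through firewalls and routers?
Write-Host "--- TCP 1688 to $KmsHost ---"
Test-NetConnection -ComputerName $KmsHost -Port 1688 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded

# 4. The Application log events the course lists (12288 is the client request,
#    12289 the KMS response); the message text carries the result codes.
Write-Host '--- Activation events 12288/12289/12290 (last 10) ---'
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 12288, 12289, 12290 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName, Message |
    Format-List

# 5. Activation objects published in the configuration partition of AD DS.
Write-Host '--- Activation objects in AD DS ---'
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext.Value
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$configNC"
$searcher.Filter     = '(objectClass=msSPP-ActivationObject)'
$found = $searcher.FindAll()
Write-Host ("{0} activation object(s) found" -f $found.Count)
$found | ForEach-Object { $_.Path }
```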
Volume Activation Troubleshooting
http://go.microsoft.com/fwlink/?LinkId=378221&clcid=0x409
Question: Will the user be notified immediately if a Windows 8.1 computer cannot
reactivate by using a KMS host?
A. Datum has captured a reference Windows 8.1 image. You have been asked to perform the offline
update of the image by injecting the driver and enabling the Telnet Client feature. You also will deploy
the updated image and test the changes.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 60 minutes
Virtual machine: 20687D-LON-DC1, 20687D-LON-CL1, and 20687D-LON-REF1
User name: Adatum\Administrator
Password: Pa$$w0rd
In this lab, students are using the Windows 8.1 image that they started capturing at the end of the
previous lab. If the capture process has not yet finished or if you decided to skip Lab B, be aware that
LON-CL1 includes the pre-created image E:\labfiles\mod02\sources\install.wim, which can be used
instead.
Students will mount a Windows 8.1 image and perform offline servicing of the image by injecting the
driver. They then will unmount the image and apply it to the LON-REF1 computer.
The main tasks for this exercise are as follows:
Use Deployment Image Servicing and Management (DISM) to deploy a Windows image.
Note: If image Win81.wim is not yet captured or you did not capture it in the previous lab,
you can use E:\labfiles\mod02\sources\install.wim instead.
4. Use the dir command to view driver packages in the mounted Windows 8.1 image.
5. Use Dism.exe to inject the driver E:\Labfiles\Mod02\Drivers\dc3dh.inf into the mounted image.
6. Use the dir command to confirm that the folder for the driver package has been created in the
C:\mount\Windows\System32\DriverStore\FileRepository folder.
7. Use Dism.exe with the Get-Features parameter to list the Windows 8.1 features and their states in the
mounted image.
8. Use Dism.exe to enable the Telnet Client feature in the mounted image.
9. Use Dism.exe with the Unmount-Wim parameter to unmount the image and commit the changes.
2. Create a primary partition on the disk, format it with NTFS, and then assign drive letter C to the
volume.
4. Use the dir command to verify that the Windows 8.1 image has been applied to drive C.
Results: After completing this exercise, you should have updated a Windows 8.1 installation image.
2. In the Virtual Machines list, right-click 20687D-LON-CL1, and then click Revert.
Module 3
Tools Used for Configuring and Managing Windows 8.1
Contents:
Module Overview
3-1
Module Overview
The Windows 8.1 operating system provides several methods to configure operating system components
while signed in locally or connected remotely. This module describes the primary management tools in
Windows 8.1 and the scenarios for using them.
Objectives
After completing this module, you will be able to:
Identify the tools used to perform local and remote management of Windows 8.1.
Lesson 1
Lesson Objectives
After completing this lesson, you will be able to:
Computer Management. Contains a number of commonly used tools in a single console: Task
Scheduler, Event Viewer, Shared Folders, Local Users and Groups, Performance, Device Manager, Disk
Management, Services, and WMI Control.
Defragment and Optimize your drives. Use to defragment hard disks to increase overall disk
performance. Normally, you do not need to run this tool because defragmentation is scheduled once
per week by default.
Disk Cleanup. Use to scan your hard disks for temporary files and other files that can be removed
without affecting the performance of Windows 8.1 or your apps. You can use this tool to free up disk
space quickly without removing data or apps.
Event Viewer. Use to view and search event logs to diagnose and troubleshoot app, service, and
operating system issues.
iSCSI Initiator. Use to connect Windows 8.1 to an Internet SCSI (iSCSI) target and use the iSCSI target
as storage.
Local Security Policy. Use to configure local security settings in Windows 8.1. In most cases, you will
use Group Policy to configure computers that run Windows 8.1 instead of the local security settings.
ODBC Data Sources (32-bit). Use to configure Open Database Connectivity (ODBC) connections to
data sources for 32-bit apps.
ODBC Data Sources (64-bit). Use to configure ODBC connections to data sources for 64-bit apps.
Performance Monitor. Use to view real-time performance data, and to record and view historical
performance and configuration data.
Print Management. Use to configure local printers and remote print servers in a single console.
Resource Monitor. Use to view real-time central processing unit, memory, hard disk, and network
resource utilization.
Services. Use to configure the startup type for services and the credentials that are used by services.
System Configuration. Use to control the startup process for Windows 8.1 by disabling programs or
services that run at startup. You also can set some boot options, such as the default operating system
on a multiboot system.
System Information. Use to view information about the hardware and software configuration of a
computer that runs Windows 8.1. The information that displays includes drivers, startup programs,
and hardware resources.
Task Scheduler. Use to create scheduled tasks. You also can review the scheduled tasks that are
created during the installation of Windows 8.1.
Windows Firewall with Advanced Security. Use to create and manage rules for Windows Firewall.
Windows PowerShell (x86). Use to open a command prompt in the Windows PowerShell
command-line interface (CLI) that you can use to manage Windows 8.1.
Windows PowerShell ISE. Use to simplify the development of Windows PowerShell scripts. This
tool provides color-coded error checking as you enter Windows PowerShell Integrated Scripting
Environment (ISE) commands. Windows PowerShell ISE also provides a list of available parameters
for cmdlets.
Not all snap-ins have a corresponding administrative tool. To use a snap-in that is not part of an existing
administrative tool, you need to create a custom management console that includes the snap-in. Snap-ins
that are not part of an administrative tool include:
Certificates. Use this snap-in to manage certificates for users and the local computer.
NAP Client Configuration. Use this snap-in to manage the client for Network Access Protection (NAP)
to ensure computer health before network access is granted.
Resultant Set of Policy. Use this snap-in to view reports on Group Policy application.
You also can create customized MMC configurations with snap-ins that you commonly use. Customized
MMC configurations increase your productivity by eliminating the need to open multiple administrative
tools. After you create a custom management console, you can save it as an .msc file. Once the .msc file is
saved, you can reuse it later or share it with other administrators.
1. From the Start screen, type MMC, and then click the mmc tile or press Enter.
2. From the MMC window, click File, and then click Add/Remove Snap-in.
3. Choose one or more snap-ins from the list of available snap-ins, and then click OK.
4. When you close the console window, click Yes when prompted to save the custom management
console, and then save the file to a convenient location.
After these steps are complete, you can double-click the saved console app to open the MMC with the
snap-ins that you specified in step 3 already loaded.
Remote management capability. You can use Windows PowerShell to manage remote computers,
provided remote management is enabled and the user who is performing the remote management
has the proper authorization.
Script-based execution. You can use Windows PowerShell scripts to build automation and complex
logic into management tasks.
Commands provide Windows PowerShell's main functionality. These come in many varieties: cmdlets
(pronounced command-lets), functions, workflows, and more. These commands are building blocks,
designed to be pieced together to implement complex and customized processes and procedures.
Windows PowerShell provides a CLI that you can use to enter cmdlets interactively. However, Windows
PowerShell is not restricted to the command line. For example, the Active Directory Administrative
Center in Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 is a GUI that
uses Windows PowerShell to perform all of its tasks.
This architecture and the ability to use Windows PowerShell directly as a CLI, or to use it through a
GUI that embeds the shell, is intended to help increase consistency and coverage for administrative
capabilities. For example, an administrator might rely completely on a GUI app to perform tasks.
However, if the administrator must perform some task or implement some process that the GUI does not
explicitly support, the administrator instead can use the shell directly. When correctly implemented, this
architecture helps ensure that anything that can be done in the GUI also can be done in the CLI, with the
CLI offering the additional ability to customize processes and procedures.
RPC
Remote management by using RPC requires the RPC and RPC endpoint mapper services to be running.
These two services are configured to start automatically. You also need to configure Windows Firewall
to allow remote management. You can enable predefined rules in Windows Firewall to allow remote
management for specific parts of Windows 8.1, such as:
Event logs
Scheduled tasks
Services
Volumes
Windows Firewall
WinRM
WinRM is a web service that provides remote management access to Windows 8.1. Remote management
by using WinRM requires you to start the Windows Remote Management (WS-Management) service and
to configure a listener. By default, this service is configured as a manual startup type. You also need to
configure a listener for WinRM. A WinRM listener configures the web service to listen on a specific port.
The default port for WinRM is 5985.
In most cases, you will want to configure WinRM with the default configuration that apps expect. To
configure WinRM manually with the default configuration, run winrm /quickconfig. The /quickconfig
option configures the service to start automatically, creates a listener on port 5985, and configures
Windows Firewall to allow remote communication on port 5985.
In large organizations, manually configuring WinRM on each computer is not feasible because it is too
time-consuming. Instead, you can use Group Policy to perform all of the necessary actions.
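The state that winrm /quickconfig is described above as producing can be verified rather than assumed. The following audit is an added example, not part of the course; it assumes an elevated Windows PowerShell prompt on the client and the predefined firewall rule group named Windows Remote Management, and it also reports two settings a defender wants to keep at their defaults (unencrypted traffic and Basic authentication).

```powershell
# Added example (not from the course): audit the WinRM configuration that
# winrm /quickconfig is expected to leave behind (service set to automatic,
# an HTTP listener on 5985, the firewall rule group enabled) and report
# hardening-relevant settings. Assumption: elevated prompt on the managed client.
function Get-WinRmAudit {
    $svc = Get-CimInstance Win32_Service -Filter "Name='WinRM'"
    $result = [ordered]@{
        ServiceState     = $svc.State
        ServiceStartMode = $svc.StartMode      # 'Auto' after quickconfig, 'Manual' by default
        Listeners        = @()
        FirewallEnabled  = $false
        AllowUnencrypted = $null
        BasicAuth        = $null
    }

    # The WSMan: drive is only usable while the service is running. Each listener is a
    # container whose child items carry Transport, Port and Address as name/value pairs.
    if ($svc.State -eq 'Running') {
        $result.Listeners = @(Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
            $props = Get-ChildItem $_.PSPath
            [pscustomobject]@{
                Transport = ($props | Where-Object Name -eq 'Transport').Value
                Port      = ($props | Where-Object Name -eq 'Port').Value
                Address   = ($props | Where-Object Name -eq 'Address').Value
            }
        })
        # Both are 'false' by default and should stay that way on a domain network.
        $result.AllowUnencrypted = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
        $result.BasicAuth        = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value
    }

    # quickconfig enables the predefined "Windows Remote Management" inbound rules.
    $rules = Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue
    $result.FirewallEnabled = [bool]($rules | Where-Object {
        $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' })

    [pscustomobject]$result
}

$audit = Get-WinRmAudit
$audit | Format-List
if ($audit.ServiceStartMode -ne 'Auto') {
    Write-Warning 'WinRM service is not set to start automatically.'
}
if ($audit.Listeners.Port -notcontains '5985') {
    Write-Warning 'No listener on the default HTTP port 5985.'
}
if (-not $audit.FirewallEnabled) {
    Write-Warning 'Windows Remote Management firewall rules are not enabled.'
}
if ($audit.AllowUnencrypted -eq 'true') {
    Write-Warning 'AllowUnencrypted is enabled; WinRM traffic is not protected.'
}
if ($audit.BasicAuth -eq 'true') {
    Write-Warning 'Basic authentication is enabled; prefer Kerberos or Negotiate.'
}
```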
Remote Desktop
Remote Desktop allows you to connect to a remote computer and have the desktop of that remote
computer display locally. When you connect, you sign in just as you would if you were sitting in front
of the computer. This allows you to sign in and run apps just as a user would for troubleshooting.
Some organizations also provide remote access for users by using Remote Desktop and the Remote
Desktop Gateway on Windows Server 2012 R2. This allows users to control their own desktop computer
remotely and have access to all of their data and apps.
When users connect remotely, you can allow the redirection of printers and local drives. Printer redirection
allows you to print from an app on a remote computer and have it print on a local printer. Drive
redirection allows you to save files from a remote computer on a local computer.
By default, Remote Desktop is not enabled. You can enable and configure Remote Desktop in the System
Properties or by using Group Policy. Any necessary firewall rules for Windows Firewall are configured
when you enable Remote Desktop.
By default, local Administrators are allowed to connect remotely, but you can add any users or groups
that are required. When you add users or groups, they are made members of the Remote Desktop Users
local group that has rights to connect by using Remote Desktop.
When you use Remote Desktop, you need to sign in to the remote computer. This creates a session for
your user account and disconnects a user that is signed in. You cannot view what the user is doing. You
can use Windows Remote Assistance to view the desktop of a computer when a user is signed in, and
you see what the user sees. You also can request to take control of the mouse and keyboard to perform
troubleshooting. The ability to connect to an existing user session is useful for troubleshooting problems
that might relate to user-specific configurations, such as permissions or settings in the user profile.
You can offer remote assistance to a user on a remote computer, or a user on a remote computer can
request assistance. When you offer remote assistance, you connect to a remote computer by name or
IP address, and the user is prompted to allow remote assistance. When users request remote assistance,
they can generate an invitation file that you open to connect, or you can use Easy Connect. Easy Connect
requires you to enter a 12-character password that the user selects. Easy Connect works over the Internet
if Peer Name Resolution Protocol is allowed through all firewalls.
By default, Windows Remote Assistance is not enabled. You enable Windows Remote Assistance in the
System Properties. There are no permissions to configure for Windows Remote Assistance because it is
allowed based on the currently signed-in user who is allowing it.
Overview of RSAT
RSAT is a collection of server administration tools that can be installed on a Windows 8.1 computer.
RSAT includes Server Manager, MMC snap-ins, Windows PowerShell providers, and command-line tools
for managing Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows Server
2008, and some Windows Server 2003 roles and features.
RSAT for Windows 8.1 includes management tools for the following Windows roles and features:
DirectAccess
Failover clustering
IP Address Management
NIC Teaming
Lesson 2
You can use Windows PowerShell for system administration, as an alternative to more complex scripting
languages such as Microsoft Visual Basic, Scripting Edition (VBScript). You can perform relatively complex
administrative tasks by using scripts or the Windows PowerShell pipeline. To simplify creating and editing
scripts, you can use Windows PowerShell ISE. You also can perform remote administration by using
Windows PowerShell. This module will introduce you to the important Windows PowerShell concepts and
explain how to use Windows PowerShell for local and remote management of Windows 8.1 computers.
Lesson Objectives
After completing this lesson, you will be able to:
The Env: drive contains environmental variables that are stored in memory.
The Variable: drive contains the variables that are stored in memory.
Cmdlets
Cmdlets use a naming convention of a verb or action, followed by a noun or a subject. For example, to
retrieve a list of services, you would use the Get-Service cmdlet. This standardization helps you learn
more easily how to accomplish administrative tasks.
Some common cmdlet verbs are:
Each cmdlet has options called parameters. Some parameters are required, and some parameters are
optional. The parameters vary for each cmdlet.
The following example shows how to start the Application Identity service by using the Name parameter.
Start-Service -Name "Application Identity"
Note: The cmdlets that are available for use on a computer system vary depending on the
version of Windows PowerShell that has been installed and the snap-ins with cmdlets that have
been installed.
You can run batch files and executable files at a Windows PowerShell command prompt. For example,
you can run Ipconfig.exe at a Windows PowerShell command prompt, and it behaves exactly the same as
if you ran it from a command prompt. This allows you to start using Windows PowerShell as your default
command-line environment for administration.
In some cases, commands or options for commands contain reserved words or characters for
Windows PowerShell. In such a case, you can enclose the command in single quotation marks to prevent
Windows PowerShell from evaluating the reserved word or combination of words. You also can use the
grave accent (`) character to prevent the evaluation of a single character.
In rare cases, an executable file does not run correctly at a Windows PowerShell command prompt. You
should test batch files to ensure that they work properly at a Windows PowerShell command prompt.
Windows PowerShell is designed to work well for managing multiple computers or for performing
bulk operations in the Windows environment. You can leverage Windows PowerShell features, such as
variables, scripts, and system interoperability to encapsulate tedious and time-consuming management
tasks into scripts or cmdlets that only take seconds to run.
Save-Help cmdlet. The Save-Help cmdlet enables you to save help for installed modules that are
present on remote computers.
The new default setting for execution policy in Windows Server 2012 R2 is RemoteSigned.
Support for Windows PowerShell Workflow debugging and remote script debugging.
Windows PowerShell Workflow will reconnect to managed nodes automatically after an unexpected
crash or restart.
You can disconnect from and connect to existing sessions in Windows PowerShell Web Access.
You can open multiple Windows PowerShell Web Access windows in a single browser session.
For more information, see the following webpage on the Microsoft TechNet website.
What's New in Windows PowerShell
http://go.microsoft.com/fwlink/?LinkId=378231&clcid=0x409
Line numbers and column numbers are displayed. This simplifies troubleshooting because error
messages display the line number and column number where the error occurred.
Ability to run selective code. You can select a specific portion of a script to run. This allows you to test
parts of a script as you create it.
Debugging tools. You can set break points in a script and then query variable values to identify why
errors are occurring, or you confirm that the values are correct.
A command toolbar. This provides a list of cmdlets and parameters that are available for those
cmdlets. In some cases, this prevents the need to view help documentation for a cmdlet.
Multiple tabs for multiple scripts. You can have multiple scripts open at the same time, each
contained on its own tab. This allows you to move content from one script to another.
Demonstration Steps
Prepare the computer to run scripts
1. On LON-CL1, open Administrative Tools, and then open Windows PowerShell ISE.
2. In Windows PowerShell ISE, at the Windows PowerShell command prompt, use the
Get-ExecutionPolicy cmdlet to view the current execution policy for scripts.
2. Read the script, and then explain what the script is doing. Note the following:
3. Run the script, and then read the output. Notice that it does not have multiple colors.
5. Run the script, and then read the output. Notice that running services are green and services that are
not running are red.
8. In the Commands pane, build a Write-Host command with the following options:
BackgroundColor: Gray
ForegroundColor: Black
2. At the command prompt, type Set-Location E:\Labfiles\Mod04, and then press Enter.
Execution Policy
By default, the execution policy does not allow Windows PowerShell scripts to execute automatically. This
safeguards a computer by preventing unattended scripts from running without an administrator's
knowledge. You can set five execution policies:
Restricted. This is the default policy for Windows 8.1. It does not allow configuration files to load, nor
does it allow scripts to run. The Restricted execution policy is perfect for any computer on which you
do not run scripts, or on which you run scripts only rarely. Keep in mind that you could open the shell
manually with a less restrictive execution policy.
AllSigned. This policy requires that a trusted publisher sign all scripts and configuration files, including
scripts that are created on your local computer. This execution policy is useful for environments
where you do not want to run any script unless it has a trusted digital signature. This policy needs
additional effort because it requires you to digitally sign every script that you write, and then resign
each script every time that you make any changes to it.
RemoteSigned. This policy requires that a trusted publisher sign all scripts and configuration files
downloaded from the Internet. This execution policy is useful because it assumes that local scripts are
ones that you create yourself and that you trust them. It does not require those scripts to be signed.
Scripts that are downloaded from the Internet or received through email, however, are not trusted
unless they carry an intact, trusted digital signature. You could still run those scripts by running the
shell under a lesser execution policy, for example, or even by signing the script yourself. However,
those are additional steps that you have to take, so it is unlikely that you would be able to run such
a script accidentally or unknowingly.
Unrestricted. This policy loads all configuration files and runs all scripts. If you run a script that was
downloaded from the Internet, you are warned about potential dangers and must give permission
for the script to run. The Unrestricted execution policy typically is not appropriate for production
environments because it provides little protection against accidentally or unknowingly running
untrusted scripts.
Bypass. This policy loads all configuration files and runs all scripts. If you run a script that was
downloaded from the Internet, the script will run without any warnings. This execution policy typically
is not appropriate for production environments because it provides no protection against accidentally
or unknowingly running untrusted scripts.
You can view the execution policy for a computer by using the Get-ExecutionPolicy cmdlet. To configure
the execution policy, you must open an elevated Windows PowerShell command prompt and then run
the Set-ExecutionPolicy cmdlet. After you configure the execution policy, you can run a script by typing
the entire name of the script.
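How RemoteSigned tells a local script from a downloaded one can be seen directly. The following is an added example, not course material; it assumes Windows PowerShell 3.0 or later on an NTFS volume and relies on the Zone.Identifier alternate data stream (ZoneId=3) that Windows uses to mark files that came from the Internet, which is the mark RemoteSigned checks for.

```powershell
# Added example (not from the course): two identical unsigned scripts, one marked as
# downloaded from the Internet. Under RemoteSigned only the local one runs; Unblock-File
# removes the mark. Assumptions: Windows PowerShell 3.0+, NTFS, scratch folder in %TEMP%.
$scratch    = Join-Path $env:TEMP 'ExecPolicyDemo'
New-Item -ItemType Directory -Path $scratch -Force | Out-Null
$local      = Join-Path $scratch 'Local.ps1'
$downloaded = Join-Path $scratch 'Downloaded.ps1'

# The script body is harmless and identical in both files.
'Get-Service -Name WinRM | Select-Object Name, Status' | Set-Content -Path $local
Copy-Item -Path $local -Destination $downloaded

# Simulate the Zone.Identifier stream a browser or mail client writes on download
# (ZoneId 3 = Internet zone). This is what RemoteSigned treats as "from the Internet".
Set-Content -Path $downloaded -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"

# Process scope changes only this shell and needs no elevation; -List shows that the
# effective policy is the most specific scope that is set.
Set-ExecutionPolicy RemoteSigned -Scope Process -Force
Get-ExecutionPolicy -List

foreach ($script in $local, $downloaded) {
    $sig = Get-AuthenticodeSignature -FilePath $script
    Write-Host ("`n{0}: signature status = {1}" -f (Split-Path $script -Leaf), $sig.Status)
    try {
        & $script
    } catch {
        # Expected for Downloaded.ps1: unsigned and marked as coming from the Internet.
        Write-Warning $_.Exception.Message
    }
}

# Unblock-File deletes the Zone.Identifier stream; the file now counts as local and runs.
Unblock-File -Path $downloaded
Write-Host "`nAfter Unblock-File:"
& $downloaded

Remove-Item -Path $scratch -Recurse -Force
```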
Running a Script
When you run a script, you cannot provide just the name of the script; you need to provide the path
to the script as well. If the file is not in the current directory, you can provide a complete path, such as
C:\scripts\Myscript.ps1. You also can specify a relative path such as .\Myscript.ps1, which runs the script
from the current directory.
The following script displays a list of files on drive C that have been modified in the last seven days.
$date = (Get-Date).AddDays(-7)
Get-ChildItem C:\ -Recurse | Where-Object { $_.LastWriteTime -gt $date }
The first line of this script gets the date seven days prior to the current date and puts it in a variable
named $date. The second line of the script obtains a list of all of the files on drive C and uses Where-Object
to filter the list of files to include only those that have a LastWriteTime that is greater than the
value of $date.
This example shows how to query a list of processes from a remote computer.
Get-Process -ComputerName LON-DC1.adatum.com
You can use Windows PowerShell remoting to run cmdlets or scripts on remote computers, regardless of
whether the cmdlets support the ComputerName parameter. You also can use Windows PowerShell
remoting to create a remote session at a Windows PowerShell command prompt or in Windows
PowerShell ISE.
To enable Windows PowerShell remoting, you need to use the Enable-PSRemoting cmdlet. The
Enable-PSRemoting cmdlet configures WinRM if it is not already configured and configures all of the necessary
permissions. You also can use Group Policy to enable Windows PowerShell remoting.
This example shows how to retrieve a directory listing from a remote computer.
Invoke-Command -ComputerName LON-DC1.adatum.com -ScriptBlock {Get-ChildItem C:\}
Note: When you run a script on a remote computer, the script does not need to exist on
the remote computer. The script is copied from the local computer to the remote computer.
This example shows how to create a remote session at a Windows PowerShell command prompt.
Enter-PSSession -ComputerName LON-DC1.adatum.com
In this demonstration, you will see how to enable Windows PowerShell remoting on a client computer and
how to use Windows PowerShell remoting in several basic scenarios.
Demonstration Steps
1. Ensure that you are signed in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. Ensure that you have the correct execution policy in place by running the command
Set-ExecutionPolicy RemoteSigned.
7. Get a list of the most recent 10 Security event log entries from LON-CL1 and LON-DC1.
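The last demonstration step, carried out with Windows PowerShell remoting over WinRM as an added example (not the course's own demonstration code). It assumes that remoting is enabled on both lab computers with Enable-PSRemoting and that the caller is an administrator on each, which reading the Security log requires.

```powershell
# Added example (not from the course): the most recent 10 Security log entries from
# LON-CL1 and LON-DC1 via remoting sessions. Assumptions: remoting enabled on both,
# caller is a local administrator on both.
$computers = 'LON-CL1', 'LON-DC1'

# Open the sessions up front so an unreachable computer is reported instead of
# aborting the collection halfway through.
$sessions = New-PSSession -ComputerName $computers -ErrorAction SilentlyContinue `
    -ErrorVariable sessionErrors
foreach ($e in $sessionErrors) {
    Write-Warning "Session could not be opened: $($e.Exception.Message)"
}

if ($sessions) {
    # The script block is sent over WinRM and runs on each remote computer; it does not
    # need to exist there as a file.
    $events = Invoke-Command -Session $sessions -ScriptBlock {
        Get-EventLog -LogName Security -Newest 10 |
            Select-Object TimeGenerated, EventID, EntryType, Message
    }

    # Invoke-Command adds PSComputerName to every object it returns, so results from
    # both computers can be told apart after they are merged.
    $events |
        Sort-Object PSComputerName, TimeGenerated -Descending |
        Format-Table PSComputerName, TimeGenerated, EventID, EntryType -AutoSize

    Remove-PSSession -Session $sessions
}
```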
Lesson 3
Group Policy is an effective way to manage the configuration of Windows 8.1 computers. You can
configure thousands of settings and enforce them on desktop computers. In addition to Group Policy
settings, you can use Group Policy Preferences to configure the user environment with options such as
printers and drive mappings. To ensure that you can implement Group Policy for your organization, you
need to understand how Group Policy Objects (GPOs) are processed. You also should be aware of the
tools that you can use to troubleshoot the application of Group Policy.
Lesson Objectives
After completing this lesson, you will be able to:
GPOs
A Group Policy setting is the most specific component of Group Policy. It defines a specific configuration
change to apply to an object (a computer, a user, or both) within AD DS. Group Policy has thousands of
configurable settings. These settings can affect nearly every area of the computing environment. Not all
settings apply to older versions of Windows Server and Windows client operating systems. Each new version
introduces new settings and capabilities that apply only to that version and newer versions. If a computer
receives a Group Policy setting that it cannot process, it simply ignores that setting.
Most policy settings have three states:
Not Configured. The GPO will not modify the existing configuration of the particular setting for the
user or computer.
Enabled. The GPO applies the configuration change that the setting describes.
Disabled. The GPO explicitly applies the opposite of the configuration change.
The effect of the configuration change depends on the policy setting. For example, if you enable the
Prohibit Access to Control Panel policy setting, users will be unable to open Control Panel. If you
disable the policy setting, you ensure that users can open Control Panel. Notice the double negative in
this policy setting: you disable a policy setting that prevents an action, thereby allowing the action.
User settings. These settings modify the HKEY_CURRENT_USER hive of the registry.
Computer settings. These settings modify the HKEY_LOCAL_MACHINE hive of the registry.
User and computer settings each have three areas of configuration:
Software settings. Contains software settings that can deploy to either the user or the computer.
Software that deploys or publishes to a user is specific to that user. Software that deploys to a
computer is available to all users of that computer.
Windows operating system settings. Contains script settings and security settings for both user and
computer, and Internet Explorer maintenance for the user configuration.
Administrative templates. Contains the registry-based policy settings that modify the
HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE hives described above.
The Group Policy Management Editor window displays the individual Group Policy settings that are
available in a GPO. These display in an organized hierarchy that begins with the division between
computer settings and user settings, and then expand to show the Computer Configuration node and the
User Configuration node. All Group Policy settings and preferences are configured in the Group Policy
Management Editor window.
In addition to the Group Policy sections shown in the preceding table, a Preferences node is present
under both the Computer Configuration and User Configuration nodes in the Group Policy Management
Editor window. Preferences provide even more capabilities with which to configure the environment.
Group Policy Preferences are discussed later in this module.
Edit the local GPO to restrict the use of registry editing tools.
Edit the local GPO to allow administrators to use registry editing tools.
Demonstration Steps
Edit the local GPO to restrict the use of registry editing tools
1.
2.
3.
Edit the local GPO to allow administrators to use registry editing tools
1. Open the Microsoft Management Console, add the Group Policy Object Editor snap-in, and then
select the Administrators GPO. In the Browse for a Group Policy Object window, click the Users tab,
click Administrators, and then click OK.
2.
3.
4. Revert the LON-CL1 virtual machine. Do not revert LON-DC1, as it will be used in the next
demonstration.
Install printers
Schedule tasks
Many of the tasks that you can perform by using Group Policy Preferences would have otherwise required
scripting to perform. In some cases, Group Policy Preferences can be used in place of logon scripts.
Targeting
You can use targeting for individual Group Policy Preferences in a GPO. By using targeting, you can
specify the criteria that must be met for a preference item to apply. Security group membership is a
commonly used criterion for targeting. For example, you can map drive M to the marketing share only
for users who are members of the Marketing security group.
Other criteria for targeting include:
IP address range
Operating system
Computer name
A battery is present
AD DS site
Note: Group Policy Preferences are not present in local GPOs.
GPO Storage
AD DS GPOs are stored as two components: a Group Policy container and a Group Policy template.
The Group Policy container is an AD DS object that is stored in the Policies container
(CN=Policies,CN=System) of the domain partition in the AD DS database. The Group Policy container
defines basic attributes of a GPO, such as its version number, but it does not contain any of the settings.
The settings are contained in the Group Policy template, which is a collection of files that are stored in
the SYSVOL of each domain controller in the %SystemRoot%\SYSVOL\Domain\Policies\ path.
This method of storage means that domain-based GPOs are stored and synchronized across all domain
controllers in the domain.
GPO Linking
AD DS GPOs can be applied to an AD DS infrastructure by linking the GPO. A GPO can link to an AD DS
site, an AD DS domain, or to an AD DS OU. This enables you to apply GPO settings to specific computers
within an AD DS structure, or to the entire domain.
GPO Inheritance
GPO settings are inherited from parent objects in AD DS so that GPOs applied at a higher level are passed
down to computers and users in child objects in AD DS. This behavior ensures that settings applied at a
high level, like the domain, are applied to all computers. In special cases, inheritance can be modified or
blocked to provide a very specific configuration environment for certain computers or users.
GPO Application
By default, AD DS GPOs apply to all users and computers within the parent object where the GPO is
linked. This application can be modified by filtering the application of GPOs by Windows Management
Instrumentation (WMI) filters or security groups.
Demonstration Steps
Use the GPMC to create a new GPO
1.
2.
3.
2. In Computer Configuration, prevent the last logon name from displaying, and then prevent Windows
Installer from running.
3. In User Configuration, remove the Search link from the Start menu, and then hide the display
settings tab.
4.
5.
1. Local GPOs. Each computer processes its own local GPO first.
2. Site GPOs. Policies that link to the AD DS site process next.
3. Domain GPOs. Policies that link to the domain process next. There often are multiple policies at the
domain level. These policies process in link order.
4. OU GPOs. Policies linked to OUs process next. These policies contain settings that are unique to the
objects in that OU. For example, Sales users might have special required settings. You can link a policy
to the Sales OU to deliver those settings.
5. Child OU policies. Any policies that link to child OUs process last.
Objects in the containers receive the cumulative effect of all policies in their processing order. In the
case of a conflict between settings, the last policy applied takes effect. For example, a domain-level policy
might restrict access to registry editing tools, but you could configure an OU-level policy and link it to the
Information Technology (IT) OU to reverse that policy. Because the OU-level policy applies later in the
process, access to registry tools would be available to users in the IT OU.
If multiple policies apply at the same level, an administrator can assign a link order (shown as Link Order
in the Group Policy Management Console) to control the order of processing. The link with link order 1 is
processed last and therefore has the highest precedence. By default, each new link is added below the
existing links, so earlier links take precedence over later ones.
You also can disable the user or computer configuration of a particular GPO. If one section of a policy
is known to be empty, then you should disable the empty section to speed up policy processing. For
example, if you have a policy that only delivers user desktop configuration, you could disable the
computer side of the policy.
Security filtering. You can use security filtering to specify specific users, computers, or groups that are
able or not able to process a GPO. For example, you could specify that members of the Technical
Support group have special security settings.
Enforcement. You can use enforcement to ensure that settings in a specific GPO apply regardless
of any lower-level GPOs that would normally override this GPO. For example, you could specify
standardized security settings at the domain level.
Block inheritance. You can use block inheritance to prevent settings from a higher-level OU from
being inherited by a lower-level OU. For example, settings applied at the domain level could be
blocked from affecting users in the IT OU.
Note: When a link is enforced and a lower-level OU blocks inheritance, the settings in the
enforced GPO are applied.
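The following script, added here as an example (it is not part of the course text), builds the OU structure that the lab in this module uses and shows the rule in the preceding Note in action: a domain-linked GPO is enforced, the MachineFloor OU blocks inheritance, and Get-GPInheritance reports which links still reach the OU and in what order. It runs on LON-DC1 with the GroupPolicy and ActiveDirectory modules. The OU names are the lab's; the GPO name Security Baseline is an assumption.

```powershell
# Added example (not from the course text): create the MachineFloor and CorpComputers
# OUs, enforce a domain-level GPO, block inheritance on MachineFloor, and read back
# the effective precedence. Run on LON-DC1 as a domain administrator.
Import-Module ActiveDirectory, GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName      # e.g. DC=Adatum,DC=com

# 1. Two OUs so that machine-floor computers can be managed separately.
foreach ($name in 'MachineFloor', 'CorpComputers') {
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$name'" -SearchBase $domainDN)) {
        New-ADOrganizationalUnit -Name $name -Path $domainDN
    }
}
$machineFloorOU = "OU=MachineFloor,$domainDN"

# 2. A domain-level GPO for settings that must reach every computer. Enforcing the
#    link means no lower-level "Block Inheritance" can remove it. (GPO name assumed.)
$baseline = Get-GPO -Name 'Security Baseline' -ErrorAction SilentlyContinue
if (-not $baseline) { $baseline = New-GPO -Name 'Security Baseline' }
New-GPLink -Name $baseline.DisplayName -Target $domainDN -LinkEnabled Yes -ErrorAction SilentlyContinue
Set-GPLink -Name $baseline.DisplayName -Target $domainDN -Enforced Yes

# 3. MachineFloor blocks inheritance: non-enforced domain GPOs (the lab's
#    "Enable PS Remoting", for instance) no longer apply there, but the enforced
#    baseline still does.
Set-GPInheritance -Target $machineFloorOU -IsBlocked Yes

# 4. Read back what computers in the OU will actually process. InheritedGpoLinks
#    lists every link that still reaches the OU after blocking and enforcement are
#    taken into account, highest precedence first.
$inheritance = Get-GPInheritance -Target $machineFloorOU
"Inheritance blocked on ${machineFloorOU}: $($inheritance.GpoInheritanceBlocked)"
$inheritance.InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced, Target |
    Format-Table -AutoSize
```

Run the last step again after you remove the -Enforced flag from the baseline link and the GPO disappears from the MachineFloor list, which is the quickest way to confirm that an OU's blocked inheritance is doing what you expect before you rely on it for a change such as disabling Windows Update.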
Computers on the machine floor require that Windows Update be disabled. These computers are not
updated until the equipment manufacturer verifies that the updates are compatible with the
applications that run on the equipment.
Computers on the machine floor should not allow remote management. This is done to ensure that
changes are not made remotely that might affect the equipment.
Remote Desktop should be allowed on all computers that are not on the machine floor.
Windows PowerShell remoting should be enabled for all computers that are not on the machine
floor.
Servers and domain controllers should not be affected by configurations that are applied to desktop
computers.
You should implement these configuration settings and then test the configuration with LON-CL1, a
computer on the machine floor, and LON-CL2, a computer in the Finance department.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 30 minutes
Virtual machines: 20687D-LON-DC1, 20687D-LON-CL1, 20687D-LON-CL2
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4.
5.
Password: Pa$$w0rd
You need to determine the best way to manage computers that are running Windows 8.1 for A. Datum.
There are 100 internal computers that are used by various departments. Some departments have different
needs than others:
Computers on the machine floor require that Windows Updates be disabled. These computers are not
updated until the equipment manufacturer verifies that the updates are compatible with the apps
that run the equipment.
Computers on the machine floor should not allow remote management. This is done to ensure that
changes are not made remotely that might impact the equipment.
Remote Desktop should be allowed on all computers that are not on the machine floor.
Windows PowerShell remoting should be enabled for all computers that are not on the machine
floor.
Servers and domain controllers should not be affected by configurations that are applied to desktop
computers.
1. What tool will you use to apply the configuration changes to domain-joined computers?
2. Are there any OU structure requirements to meet the management needs on the internal network?
3.
Results: After completing this exercise, you will have planned the management of Windows 8.1
computers.
After completing your plan, you need to begin implementing it. The implementation process includes
setting up GPOs and OUs to allow for the separate management of client computers and machine floor
computers.
You will create two OUs, named MachineFloor and CorpComputers. Computers from the machine floor
will be placed into the MachineFloor OU, and the rest of the Windows 8.1 computers will be placed into
the CorpComputers OU.
The main tasks for this exercise are as follows:
1.
2.
3.
4.
5.
1.
2.
3.
4.
5.
6. Restart LON-CL1 and LON-CL2, and then sign in to both as Adatum\Administrator with password
Pa$$w0rd.
2.
3. Create a new GPO named MachineFloor, and then link it to the MachineFloor OU.
4.
5.
2.
3. Open C:\results.htm.
4. In Internet Explorer, read the Summary and verify that Inheritance is blocking all non-enforced
GPOs linked above Adatum.com/MachineFloor.
5. On LON-DC1, in Group Policy Management, create a new GPO named CorpComputers, and then
link it to the CorpComputers OU.
2.
3.
4.
5.
6.
7.
1.
2. In Computer Management, connect to LON-CL1, and then verify that you can access Event Viewer.
3. Connect to LON-CL2. This connection fails because remote management has not been configured for
the computers in the MachineFloor OU.
Results: After completing this exercise, you should have implemented an OU structure and GPO structure
to support remote management of computers.
As part of implementing your management plan for Windows 8.1, you need to configure Windows
PowerShell remoting for all computers except those on the machine floor. You need to configure a GPO
that links to the domain to configure Windows PowerShell remoting and test the functionality of your
configuration.
The main tasks for this exercise are as follows:
1.
2.
3.
2. On LON-CL1, open Windows PowerShell, and then run Get-ADUser. This command is not recognized
because the cmdlets for AD DS administration are not installed on LON-CL1.
3. At the Windows PowerShell command prompt, create a remote session by running Enter-PSSession
-ComputerName LON-DC1.
4.
5.
2. Create a new GPO named Enable PS Remoting, and then link it to Adatum.com.
3. Edit the Enable PS Remoting GPO, and then browse to Computer Configuration\Policies
\Administrative Templates\Windows Components\Windows Remote Management
(WinRM)\WinRM Service.
4.
IPv4 filter: *
IPv6 filter: *
5.
6.
7.
8.
9.
2. Run Get-Service WinRM to verify that the WinRM service is now running.
3. On LON-DC1, open Windows PowerShell, and then run Get-Service WinRM -ComputerName
LON-CL1.
4. To view the execution policy on LON-CL1, run Invoke-Command -ComputerName LON-CL1
{Get-ExecutionPolicy}.
5.
Results: After completing this exercise, you will have implemented Windows PowerShell remoting in the
Adatum.com domain.
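As an added example that is not part of the lab text, the following script creates the Enable PS Remoting GPO from Windows PowerShell instead of the Group Policy Management Editor and then runs the same verification from LON-DC1. The registry values it writes are the ones behind the Allow remote server management through WinRM policy setting at the path given in the lab, with the same IPv4 and IPv6 filters. The firewall rule, the WinRM service start value and the restart of LON-CL1 are assumptions about how the rest of the GPO is completed; they are labelled as such in the code.

```powershell
# Added example (not from the lab text): build the "Enable PS Remoting" GPO with the
# GroupPolicy module and verify it from LON-DC1. Run on LON-DC1 as a domain administrator.
Import-Module ActiveDirectory, GroupPolicy

$gpoName    = 'Enable PS Remoting'
$domain     = Get-ADDomain
$domainDN   = $domain.DistinguishedName
$domainName = $domain.DNSRoot

$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
# Linked at the domain and NOT enforced: the MachineFloor OU blocks inheritance, so
# machine-floor computers never receive this GPO, which is the design.
New-GPLink -Name $gpoName -Target $domainDN -LinkEnabled Yes -ErrorAction SilentlyContinue

# Computer Configuration\Policies\Administrative Templates\Windows Components\
# Windows Remote Management (WinRM)\WinRM Service\Allow remote server management through WinRM
$winrmKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
Set-GPRegistryValue -Name $gpoName -Key $winrmKey -ValueName 'AllowAutoConfig' -Type DWord -Value 1
# '*' listens on every local address, as in the lab. On a production network use the
# management subnet instead, for example '172.16.0.1-172.16.0.254', so the listener is
# not exposed on interfaces that face untrusted networks.
Set-GPRegistryValue -Name $gpoName -Key $winrmKey -ValueName 'IPv4Filter' -Type String -Value '*'
Set-GPRegistryValue -Name $gpoName -Key $winrmKey -ValueName 'IPv6Filter' -Type String -Value '*'

# Assumption: the service start type (2 = Automatic) is set as a registry policy here
# in place of the System Services policy setting. A listener policy alone does not
# start a stopped WinRM service.
Set-GPRegistryValue -Name $gpoName -Key 'HKLM\SYSTEM\CurrentControlSet\Services\WinRM' `
    -ValueName 'Start' -Type DWord -Value 2

# Assumption: the inbound firewall rule for TCP 5985 is stored in the GPO itself and
# limited to the domain profile.
New-NetFirewallRule -PolicyStore "$domainName\$gpoName" -DisplayName 'WinRM HTTP-In (GPO)' `
    -Direction Inbound -Protocol TCP -LocalPort 5985 -Profile Domain -Action Allow

# Verification. The restart applies the GPO and brings the service up; -Wait -For
# PowerShell returns only once remoting on LON-CL1 actually answers.
Restart-Computer -ComputerName LON-CL1 -Wait -For PowerShell -Timeout 600 -Force
Get-Service -Name WinRM -ComputerName LON-CL1            # RPC, works without WinRM
Invoke-Command -ComputerName LON-CL1 -ScriptBlock { Get-ExecutionPolicy }   # proves WinRM
Get-GPResultantSetOfPolicy -Computer LON-CL1 -ReportType Html -Path C:\results.htm
```

The HTML report written in the last line is the same kind of report the lab opens from C:\results.htm; the Computer Configuration section should list Enable PS Remoting as applied for a CorpComputers computer and as denied (blocked inheritance) for a MachineFloor computer.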
2. In the Virtual Machines list, right-click 20687D-LON-DC1, and then click Revert.
3.
4.
Module 4
Managing Profiles and User State in Windows 8.1
Module Overview
User profiles store user settings and data. For users working on a single computer, profiles can be stored
locally. However, for users who roam between multiple computers, the user profile, or at least some parts
of it, should be available on the network. This module describes the different user profile types. It also
describes Microsoft User Experience Virtualization (UE-V), which you can use to synchronize settings
between computers without using roaming user profiles. The operating system itself provides user
profiles, whereas UE-V is a separate product that is part of the Microsoft Desktop Optimization Pack.
In this module, you will learn about UE-V features and how to deploy and configure it on your network.
You also will learn how to migrate user state and settings to computers that run Windows 8.1 operating
systems.
Objectives
After completing this module, you will be able to:
Lesson 1
A user who signs in to the Windows operating system must have his or her user profile, which stores user
settings such as the desktop theme, data such as the files stored in the Documents folder, screen saver
settings, and desktop icons. This lesson introduces each user profile type, explains how to configure user
profiles, and explains when to use a user profile type. It also describes how you can use Group Policy for
managing user profiles and the differences between roaming user profiles and redirected folders.
Lesson Objectives
After completing this lesson, you will be able to:
User part of the registry. User profiles contain the NTuser.dat file, which is the user part
of the registry. When the user signs in, the system loads this file, and it is mapped to the
HKEY_CURRENT_USER registry subtree. NTuser.dat contains user settings such as desktop
background and screen saver settings.
Set of folders. For each user who signs in, a separate subfolder with his or her name is created in the
Users folder. This folder is a container for applications, user settings, and data that are organized in
various subfolders, such as AppData, Desktop, Downloads, and Documents.
User settings are persistent. With user profiles, users have the same settings as when they signed out
the last time.
If multiple users are sharing the same computer, individual users have their own customized
environment when they sign in.
Settings in the user profile are unique to each user. When users change settings in their user profiles,
this does not affect other users whose profiles are on the same computer.
Customize the Start screen
http://go.microsoft.com/fwlink/?LinkId=378222&clcid=0x409
Customize the Default User Profile by Using CopyProfile
http://go.microsoft.com/fwlink/?LinkId=378223&clcid=0x409
Question: By default, where is the local user profile stored in Windows 8.1?
When a user signs in to a computer for the first time, the operating system automatically creates a local
user profile for all subsequent sign-ins to the same computer. The local user profile is used only when a
user signs in to the computer where the profile was created, and it is useful when a user is using a single
computer. If a user roams between multiple computers, then by default, separate local user profiles will
be created on each computer. This means that modifications and documents that the user created on one
computer will not be used or available on other computers. Therefore, local profiles should be avoided if a
user signs in to multiple devices.
In a domain environment, administrators can configure a user with a roaming user profile by configuring
his or her profile path. With roaming user profiles, user settings and data are stored on a network location
and locally on the computer where the user signs in. When a user signs in, the local copy of the user
profile is compared to the copy that is stored on the network location, and only new files are copied
locally. The user can change settings and create data files, which are stored in the local user profile copy.
When the user signs out, these changes are copied to the network location. If users roam between
multiple computers, their documents and settings will follow them.
If a user profile contains a lot of data, or if the user stores large files on the desktop, then the process
of signing in to the computer might take a long time. If a user signs in to multiple computers at the
same time, changes performed on one computer will override changes performed on a second computer
because user profile changes are copied to the network location only when the user signs out. Some parts
of the user profile, such as Temporary Internet Files or AppData\Local, are never copied to the network
location, even if roaming user profiles are used.
Administrators can configure users with mandatory user profiles first by configuring them with roaming
user profiles and then by renaming the NTuser.dat file in their profiles to NTuser.man. The .man extension
causes user modifications to the profile to be discarded at the next sign-in and user profiles to behave as
read-only.
User profiles become super-mandatory when the administrator adds the .man extension to a user's
roaming user profile folder name. For example, if a roaming user profile is stored in the \\Server\Profiles
\User1.V2 folder, the administrator can add the .man extension to the folder and store the roaming user
profile at \\Server\Profiles\User1.man.V2. Mandatory and super-mandatory user profiles behave similarly;
both do not preserve user modifications. If a user is configured with a super-mandatory profile, he or she
will not be able to sign in if the network copy of the profile is not available. In such cases, users with a
normal mandatory profile would still be able to sign in, and they would get temporary profiles, which
could be against company policy.
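The two renames described above, wrapped in a function as an added example that is not part of the course text. It assumes the roaming profile share is \\LON-DC1\Profiles and that it runs on LON-DC1 as an administrator. The folder suffix defaults to the .V2 the course text uses; Windows 8.1 clients with current updates create .V4 profile folders, so the suffix is a parameter.

```powershell
# Added example, not from the course text: convert a user's roaming profile into a
# mandatory profile (NTuser.dat -> NTuser.man) or a super-mandatory profile
# (<user>.V2 -> <user>.man.V2) and update the account's profile path to match.
# Assumptions: run on LON-DC1 as an administrator; share is \\LON-DC1\Profiles;
# the suffix defaults to the .V2 the course uses (pass -VersionSuffix V4 for
# Windows 8.1 clients that create .V4 folders).
Import-Module ActiveDirectory

function ConvertTo-MandatoryProfile {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $ProfileShare  = '\\LON-DC1\Profiles',
        [string] $VersionSuffix = 'V2',
        [switch] $SuperMandatory
    )

    $folder = Join-Path $ProfileShare "$SamAccountName.$VersionSuffix"
    $ntuser = Join-Path $folder 'NTuser.dat'

    # The hive exists only after the user has signed in once with a roaming profile.
    if (-not (Test-Path -LiteralPath $ntuser)) {
        throw "No roaming profile hive at $ntuser. Set the profile path to $ProfileShare\$SamAccountName and have the user sign in once."
    }

    # Mandatory: the .man extension makes Windows discard the user's changes at the
    # next sign-in. If the share is unreachable the user still signs in, with a
    # temporary profile. -Force is needed because NTuser.dat is a hidden file.
    Rename-Item -LiteralPath $ntuser -NewName 'NTuser.man' -Force

    if ($SuperMandatory) {
        # Super-mandatory: the .man extension on the folder as well. Now the user
        # cannot sign in at all while the network copy is unavailable.
        Rename-Item -LiteralPath $folder -NewName "$SamAccountName.man.$VersionSuffix" -Force
        # The profile path is stored without the version suffix; Windows appends it.
        Set-ADUser -Identity $SamAccountName -ProfilePath "$ProfileShare\$SamAccountName.man"
    }

    Get-ADUser -Identity $SamAccountName -Properties ProfilePath |
        Select-Object SamAccountName, ProfilePath
}

# Usage (the user name is an assumption):
ConvertTo-MandatoryProfile -SamAccountName Adam -SuperMandatory
```

A mandatory profile stays mandatory only if the user cannot write to it: a user with Modify permission on the profile folder can rename NTuser.man back to NTuser.dat. After converting, grant the user Read access to the profile folder and keep Modify for administrators only.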
Question: When would you configure users with roaming user profiles?
Set the schedule for a background upload of a roaming user registry file
Folder Redirection is a Group Policy setting that is most often used for configuring user profiles.
Administrators can use Folder Redirection to redirect individual folders from a user profile to a new
location. For example, an administrator can redirect the Documents folder from a local or roaming
user profile to a separate network location. The contents of a redirected folder are available from any
computer on the network and are not copied to the computer on which a user signs in, as with roaming
user profiles. Folder Redirection also provides users with access to the same configuration and data on
multiple domain computers without copying user profiles locally, as with roaming user profiles. You can
configure Folder Redirection by modifying Policies\Windows Settings\Folder Redirection settings in the
User Configuration part of the Group Policy.
Redirected folders are stored only on a network share, and users access them transparently in the same
way as when they are stored in a local user profile. The Offline Files feature, which is enabled by default
when redirected folders are used, provides users with access to content in redirected folders even if
there is no network connectivity. The administrator configures Folder Redirection by using user settings
in Group Policy, and by doing so, can redirect individual folders in a user profile. In Windows 8.1, an
administrator can redirect 13 folders in user profiles, including Desktop, Start Menu, and Documents.
Administrators can redirect predefined folders and folders in a user profile only. For each user with
redirected folders, a new subfolder with the user's sign-in name will be created, and folders can be
redirected to the same location or to a different location based on user group membership.
When you configure Folder Redirection, you can configure what will happen if Folder Redirection is no
longer effective. Options are to leave the redirected content on the network location or to move the
content back to its original location in the user's profile. Folder Redirection can redirect many parts of a
user profile, but settings stored in NTuser.dat cannot be redirected. Because of this, some administrators
use roaming user profiles together with Folder Redirection.
Folder Redirection provides several advantages:
Contents of redirected folders are available from any computer in the domain.
Contents of redirected folders are not copied to local computers, which minimizes network traffic
during user sign-in.
Administrators can set quotas (limiting disk space) and permissions on redirected folders. By doing so,
administrators can control how much space a user can utilize and whether the user can modify
contents of that part of the folder, for example, Desktop.
Redirected folders are stored on network locations (network shares) and not on local computers. If a
local hard drive fails, users can still access data in redirected folders from a different computer.
Contents of redirected folders can be backed up centrally because they are not stored locally on user
computers. If Shadow Copies for Shared Folders is configured on a network location, users can access
previous versions of their redirected files.
Folder Redirection Overview
http://go.microsoft.com/fwlink/?LinkId=378224&clcid=0x409
Question: What is the main difference between roaming user profiles and redirected
folders?
Demonstration Steps
1. On LON-DC1, in Active Directory Users and Computers, show the Profile Path property of user
Adam Barr, who is located in the Marketing organizational unit (OU).
2. On LON-DC1, in the Group Policy Management Console (GPMC), show how the Documents folder is
redirected to \\LON-DC1\Redirected in the Folder Redirection Group Policy.
3. On LON-DC1, verify that the Profiles and Redirected folders are empty.
4.
5. On Adam Barr's desktop, create a folder named Presentations, add a shortcut to Local Disk (C:), and
then add the This PC icon.
6. In Notepad, create a file with your name, and then save it in the Documents library.
7. Verify that the file is stored in the \\LON-DC1\redirected\Adam\Documents folder, and that it is not
stored inside the Adam local profile.
8.
9. On LON-DC1, verify that the Profiles and Redirected folders are no longer empty. The Profiles folder
contains the Adam Barr roaming user profile (Adam.V2), whereas the Redirected folder contains the
Adam redirected Documents folder.
11. Verify that the This PC icon is on the desktop, in addition to the Presentations folder and the Local
Disk (C:) shortcut.
12. Verify that you can access the file transparently with your name that you created in Notepad.
To use the Primary Computer feature, the Active Directory Domain Services (AD DS) schema must be
extended to at least the Windows Server 2012 level. A Windows Server 2012 domain controller is not
required, but the AD DS schema must be extended. The Primary Computer feature will work only when
a user signs in to a Windows 8, Windows Server 2012, or a newer Windows operating system because
older versions of Windows operating systems will ignore the Primary Computer setting. The Group Policy
settings that configure the Primary Computer feature require Windows 8, Windows Server 2012, or a
newer operating system. Older clients and servers will not understand these settings, so they will simply
ignore the settings.
An administrator can configure the primary computers list for a user in one of two ways:
By configuring the msDS-PrimaryComputer user attribute, for example, in Active Directory
Administrative Center.
After configuring the list of primary computers for a user, an administrator also should enable the
Redirect folders on primary computers only and Download roaming profiles on primary computers
only Group Policy settings.
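Added example, not from the course text: the attribute write described in the bullet above, done with the ActiveDirectory module on LON-DC1, preceded by the schema check that the first paragraph of this topic makes necessary, and followed by the reverse query an administrator wants when a shared computer is decommissioned. The user name Adam and the computer LON-CL1 are assumptions; the two Group Policy settings named above still have to be enabled for the attribute to have any effect.

```powershell
# Added example (not from the course text): maintain a user's primary computers list
# through the msDS-PrimaryComputer attribute. Run on LON-DC1 as a domain administrator.
Import-Module ActiveDirectory

# Preflight: the attribute exists only once the schema is at the Windows Server 2012
# level. Checking the schema partition avoids a confusing "unknown attribute" error.
$schemaNC = (Get-ADRootDSE).SchemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=msDS-PrimaryComputer)'
if (-not $attr) { throw 'AD DS schema has not been extended; msDS-PrimaryComputer is not available.' }

function Add-PrimaryComputer {
    param(
        [Parameter(Mandatory)] [string]   $User,
        [Parameter(Mandatory)] [string[]] $ComputerName
    )
    # The attribute is multi-valued and holds computer distinguished names, so the
    # names are resolved first; -Add appends without disturbing existing entries.
    $dns = foreach ($c in $ComputerName) { (Get-ADComputer -Identity $c).DistinguishedName }
    Set-ADUser -Identity $User -Add @{ 'msDS-PrimaryComputer' = $dns }
    (Get-ADUser -Identity $User -Properties 'msDS-PrimaryComputer').'msDS-PrimaryComputer'
}

function Get-PrimaryComputerUsers {
    # Which users have this computer as a primary computer? Needed before the
    # computer is rebuilt or retired, because those users' roaming profiles and
    # redirected folders are only ever downloaded there.
    param([Parameter(Mandatory)] [string] $ComputerName)
    $dn = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    Get-ADUser -LDAPFilter "(msDS-PrimaryComputer=$dn)" | Select-Object SamAccountName, Name
}

# Usage (user and computer names are assumptions):
Add-PrimaryComputer -User Adam -ComputerName LON-CL1
Get-PrimaryComputerUsers -ComputerName LON-CL1
```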
Deploy Primary Computers for Folder Redirection and Roaming User Profiles
http://go.microsoft.com/fwlink/?LinkID=291264&clcid=0x409
Question: Do you need Windows Server 2012 or newer domain controllers in your network
to limit where Folder Redirection and roaming user profiles will be available?
Lesson 2
UE-V is an enterprise-scale User State Virtualization solution that synchronizes application and operating
system settings across many devices in a domain environment. It requires an agent on each client device,
and it stores configuration data on a shared folder. An administrator can use Group Policy to configure
UE-V settings and control which application settings will synchronize. Before you can use UE-V, you
must first deploy the UE-V agent to each computer on which you want to use UE-V for settings
synchronization. You also must create and share the folder for the settings storage location. If you want
to synchronize more than just default settings, you also must create custom settings location templates,
store them to the settings template catalog, and configure clients with the settings template catalog
location.
Lesson Objectives
After completing this lesson, you will be able to:
Describe UE-V.
Overview of UE-V
For users who work on multiple computers, you can use roaming user profiles and Folder Redirection to
make their settings and data available on every domain computer to which they sign in. An administrator
can configure a user's primary computers list to control which computers will use Folder Redirection and
roaming user profiles. However, roaming user profiles and Folder Redirection include all user profile
settings and data.
UE-V stores settings on a network location as soon as a user closes an application, and those settings can
synchronize on other computers without the user having to sign out. Computers periodically synchronize
their settings with a network location, and if computers have permanent connectivity to a network
location, you can configure them to use those settings immediately.
Note: If a user links a Microsoft account with his or her domain account, UE-V only
synchronizes settings for desktop apps. Users can synchronize other settings, such as operating
system settings and Windows Store apps settings, by using Microsoft OneDrive (formerly
known as SkyDrive).
UE-V synchronizes settings between apps on different platforms, as long as they are stored in the same
location. Regardless of how an app is deployed, UE-V can synchronize settings between locally installed
apps on one computer, Microsoft Application Virtualization (App-V) apps on another computer, and
RemoteApp programs on another Remote Desktop Session Host computer. UE-V also can synchronize
settings between Windows Store apps and between physical and virtual computers, such as the virtual
desktops used in Virtual Desktop Infrastructure (VDI) implementations.
Note: UE-V is not part of the Windows operating system. It is available as a part of the
Microsoft Desktop Optimization Pack, which is available to customers with an appropriate
agreement with Microsoft.
Before you can use UE-V, you must install the UE-V agent on each computer on which you want
to synchronize settings by using UE-V.
Microsoft Desktop Optimization Pack (MDOP)
http://go.microsoft.com/fwlink/?LinkId=392419
Note: UE-V can synchronize settings only, not user data. To make user data available from
multiple domain computers, use Folder Redirection.
You can use UE-V to synchronize operating system settings, apps settings, and Windows Store apps
settings between computers that run supported operating systems and are members of the AD DS
domain. The following table lists the operating systems and system requirements for using UE-V.
Operating system | Edition | Architecture | Microsoft .NET Framework
Windows 7 SP1 | Ultimate, Enterprise, or Professional | 32-bit or 64-bit | .NET Framework 4 or newer
Windows Server 2008 R2 SP1 | Standard, Enterprise, Datacenter, or Web Server | 64-bit | .NET Framework 4 or newer
Windows 8 and Windows 8.1 | Pro or Enterprise | 32-bit or 64-bit | Included in the operating system
Windows Server 2012 and Windows Server 2012 R2 | Standard or Datacenter | 64-bit | Included in the operating system
Besides the requirements for supported operating systems, there are no additional random access
memory (RAM) requirements for UE-V. Administrator user rights are required to install the UE-V agent,
and you must restart the computer to make the UE-V agent operational.
You must install .NET Framework 4 or newer and Windows PowerShell 3.0 or newer before you can install
the UE-V agent. A default installation of Windows 8 or Windows 8.1 meets those requirements. However,
on Windows 7 SP1, you first need to install Windows PowerShell 3.0 before you can install the UE-V agent.
UE-V compares local time on a client computer with the time stamp of the stored settings on a network
location to decide if settings synchronization is required. Because of that, computer clocks on UE-V client
computers should be synchronized, which is the default behavior in an AD DS environment. If computer
clocks are not synchronized, older settings can overwrite newer settings, or newer settings might not be
stored to the network location.
Question: Can you synchronize user documents between computers by using UE-V?
UE-V Agent
A settings storage location is the network location where the UE-V agent stores the settings that are
synchronized. Administrators can specify this location during UE-V agent installation, in AD DS as a user's
home folder, or by using Group Policy. The settings storage location can be on any file share where users
have read and write access. The UE-V agent verifies the location and creates a hidden system folder
named SettingsPackages into which it stores settings.
A settings location template is an XML file that specifies the settings locations where values are stored on
a computer, not the settings values. Only settings defined in the settings location templates are captured
and applied on UE-V client computers. Several settings location templates, such as Microsoft Office 2010,
Microsoft Office 2007, Windows Internet Explorer 8, Windows Internet Explorer 9, Internet Explorer 10,
and desktop settings, are included with UE-V. Administrators can create additional settings location
templates by using UE-V Generator.
A settings template catalog is a folder that stores settings location templates. This usually is a shared
folder, although a settings template catalog also can be a local folder. By default, a UE-V agent reads new
or updated settings location templates from this folder once per day. This is done by a scheduled task
named Template Auto Update, which runs daily at 3:30 A.M., and it applies the changes (modified, added,
or removed templates) to the UE-V agent. If only the default settings location templates are used, then
the settings template catalog is not used.
Settings Packages
Desktop app settings, Windows settings, and Windows Store app settings are stored in settings packages,
which the UE-V agent creates in the settings storage location. A settings package is a collection of settings
that are defined in the settings location templates. A UE-V agent that runs on one computer reads and
writes to a settings storage location independently of UE-V agents that run on other computers. The most
recent settings and values are applied when the next UE-V agent synchronizes with the settings storage
location.
UE-V Generator
UE-V includes several operating system and application settings location templates. When you need to
synchronize the settings of additional applications, you can use the UE-V Generator to create additional,
custom settings location templates. UE-V Generator monitors the registry (the HKEY_CURRENT_USER
registry subtree) and file system (the AppData\Roaming and AppData\Local folders in user profiles) to
discover where application settings are stored. Administrators can modify a generated template and
include it in the settings template catalog. You also can use the UE-V Generator for editing existing
templates or for validating templates that were created in another XML editor.
Question: How often is the settings template catalog checked for changes?
When you start an app, UE-V applies settings to the app from the local cache. App settings are saved to the
network settings storage location when the app is closed. This means that a user does not have to sign
out and then sign in to another computer to synchronize app settings, as is required when roaming user
profiles are used. When using UE-V to synchronize settings, the user can be signed in to multiple computers
at the same time. When you configure app settings and close an app, the app settings are written to the
settings storage location in a settings package. When the user starts the application on another computer,
the UE-V agent reads and applies app settings from the local cache on that computer. If the local cache
has not yet synchronized with the settings storage location, you can wait for synchronization to occur,
trigger synchronization manually, or modify the UE-V configuration to always use the settings from the
settings storage location on the network. The user experience with UE-V is similar to having app settings
roam with a user.
Note: If computers have permanent connections to a settings storage location, you can
configure the UE-V agent to always apply the settings from the network settings storage location.
You can do so by setting the synchronization method (SyncMethod) to none, for example, when
installing a UE-V agent or by running the Set-UevConfiguration cmdlet.
Desktop background and Ease of Access settings are applied when a user signs in, when a computer is
locked, or when a remote connection is established. To optimize the sign-in experience, these settings
are not synchronized by default. You can enable desktop background and Ease of Access settings by
using Company Settings Center, Group Policy, the Windows PowerShell cmdlet Enable-UevTemplate, or
Windows Management Instrumentation (WMI). Like synchronizing app settings, a user does not have to
sign out to store Windows settings to the settings storage location. The UE-V agent saves settings when a
user signs out, when a computer is locked, or when a remote connection is disconnected.
Users sometimes accidentally modify settings. UE-V provides the capability to restore application
or operating system settings to the initial values that were on a computer before the first UE-V
synchronization of settings. UE-V can restore settings on a per-application or per-operating-system
setting basis. The settings are restored the next time a user starts the application or when a user signs in
to the operating system. You can restore settings only by using Windows PowerShell or WMI; there is no
graphical interface for it. UE-V provides the Restore-UevUserSetting Windows PowerShell cmdlet, which
you can use to restore user settings for an application or a group of Windows settings.
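The following Windows PowerShell session is an added example, not part of the course text. It shows the operations described above on a UE-V client: reading the effective configuration, checking clock skew against the file server (the cause of lost settings noted earlier), switching an always-connected computer to SyncMethod None, and rolling one application back with Restore-UevUserSetting. It assumes the UE-V agent and its UEV module are installed, that the settings storage server is LON-DC1, and that Get-UevTemplate exposes TemplateId and TemplateName properties.

```powershell
# Added example, not part of the course: operate the UE-V agent from Windows
# PowerShell on a client. Assumptions: the agent and its UEV module are
# installed, the settings storage server is LON-DC1, and Get-UevTemplate
# returns objects with TemplateId and TemplateName properties.
Import-Module UEV

# 1. Effective configuration. Values set per user (-CurrentComputerUser) win
#    over values set per computer (-Computer); Group Policy wins over both.
Get-UevConfiguration | Format-List

# 2. Clock skew silently loses settings: UE-V compares the client clock with the
#    time stamp of the stored package. Sample the offset to the file server
#    before blaming synchronization; anything beyond a few seconds is suspect.
w32tm /stripchart /computer:LON-DC1 /dataonly /samples:3

# 3. Always-connected computers can bypass the local cache and read and write
#    the network copy directly. This is a machine-wide setting: run elevated.
Set-UevConfiguration -Computer -SyncMethod None

# 4. Roll one application back to its pre-UE-V values. There is no GUI for this.
#    Run this part as the affected user, not as an administrator: the cmdlet
#    restores the settings of the user who runs it. The template ID is looked
#    up rather than typed so a renamed template cannot restore the wrong app.
$calc = Get-UevTemplate | Where-Object { $_.TemplateName -like '*Calculator*' }
if ($null -eq $calc) { throw 'No Calculator template is registered on this computer.' }
Restore-UevUserSetting -TemplateId $calc.TemplateId
# The restored values take effect the next time Calculator starts.
```

Step 3 needs an elevated session because it writes the computer-wide configuration; step 4 deliberately does not, because Restore-UevUserSetting acts on the settings of whoever runs it.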
Question: Does a user have to sign out to synchronize application settings when using
UE-V?
Note: Microsoft account provides you with a unified identity, which you can use for
accessing Microsoft and non-Microsoft cloud services. You can link your domain or workgroup
account with your Microsoft account, and you can also use it for transparent access to Microsoft
Store, OneDrive, or for signing in to Windows 8.1.
Roaming user profiles can synchronize only the entire profile, including the settings and data that are
stored in the profile. You cannot control which settings you want to synchronize, but in Windows 8 and
Windows 8.1, you can control which computers you want to synchronize settings on by configuring the
user's Primary Computer attribute (msDS-PrimaryComputer) in Active Directory. Roaming user profiles are
copied to a file server only when users sign out, and they are not synchronized periodically. When you
configure Folder Redirection, redirected folders are exempt from this copying.
If you use UE-V, to be able to synchronize settings, you must install a UE-V agent on the computer.
UE-V can synchronize only those settings that are defined in settings location templates, and it is the
only solution that can synchronize settings between physical and virtual applications. UE-V also is the only
solution that applies settings periodically, and not only when the user signs in. UE-V is not included in the
operating system, and you must obtain and license it separately. On the other hand, roaming user profiles
is a feature of domain-joined computers that run any version of the Windows operating system. Microsoft
account is freely available, and you can use it to sign in on any computer that runs Windows 8 or
Windows 8.1.
Question: Can you use Microsoft account to synchronize settings between Windows 7
computers and Windows 8.1 computers?
Settings storage location share permissions
Account                          Share permissions
Administrators                   Full Control
Security group of UE-V users     Full Control

Settings storage location file (NTFS) permissions
Account          File permissions   Apply to
Administrators   Full Control       This folder, subfolders, and files
Creator/owner    Full Control       Subfolders and files only

Grant the share to a security group that contains the UE-V users rather than to Everyone; the Creator/owner
entry is what limits each user to the settings packages that the user's own agent created.
You can configure the UE-V agent with the settings storage location by using an installation
parameter, a Windows PowerShell cmdlet, or Group Policy settings. If users have a home directory
defined and you configure a network share as the settings storage location, UE-V stores settings
packages on the network share, not in the user's home directory.
2. Configure the settings template catalog. The settings template catalog is not required, and it is
used only if you want to use UE-V to synchronize application settings in addition to the
ones that are provided by default. The settings template catalog is a network share where custom
settings location templates are stored. If your UE-V deployment will use the settings template catalog,
you should create and share a folder with the permissions shown in the following tables.
Settings template catalog share permissions
Account             Share permissions
Everyone            No permissions
Domain computers    Read permission
Administrators      Read/write permission

Settings template catalog file (NTFS) permissions
Account             File permissions                     Apply to
Creator/owner       Full Control                         Subfolders and files only
Domain computers    Read (List folder contents, Read)    This folder, subfolders, and files
Everyone            No permissions
Administrators      Full Control                         This folder, subfolders, and files
You can configure the UE-V agent with the settings template catalog location by using an installation
parameter, a Windows PowerShell cmdlet, or Group Policy settings.
3. Add UE-V Group Policy administrative templates. You can configure UE-V by using Group Policy, but
before doing so, you must add the UE-V administrative templates, which are .admx and .adml files, to the
appropriate location. This is either the local %SystemRoot%\PolicyDefinitions folder on each
computer from which you will configure Group Policy, or the central store on the domain controller,
%SystemRoot%\SYSVOL\domain\Policies\PolicyDefinitions, if your domain environment is configured
to use it. After you copy the UE-V Group Policy administrative templates to this location, the Microsoft
User Experience Virtualization node appears under Policies\Administrative Templates
\Windows Components in the Computer Configuration and User Configuration parts of Group Policy
settings.
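The following Windows PowerShell script is an added example, not part of the course. It performs the three preparation steps above on a domain-joined file server (LON-DC1 in the lab): it creates the two shares with the permissions from the tables, verifies the share ACLs, and publishes the ADMX and ADML files to the central store. The domain name ADATUM, the security group "ADATUM\UEV Users", and the source folder C:\Source\UEV-ADMX are assumptions; the "list and create folder" grant to the user group on the storage root is a least-privilege choice that the course tables do not spell out.

```powershell
# Added example, not part of the course: the three UE-V preparation steps as a
# script for a domain-joined file server or domain controller. Assumptions:
# the domain is ADATUM, a security group "ADATUM\UEV Users" (hypothetical)
# contains the users whose settings roam, and the UE-V ADMX/ADML files were
# extracted to C:\Source\UEV-ADMX. Run from an elevated session.
#Requires -RunAsAdministrator

$storageRoot = 'C:\UEVdata'
$catalogRoot = 'C:\UEVTemplates'
$uevUsers    = 'ADATUM\UEV Users'

New-Item -ItemType Directory -Path $storageRoot, $catalogRoot -Force | Out-Null

# --- 1. Settings storage location ------------------------------------------
# Share ACL: grant only the accounts in the table. The default "Everyone: Read"
# ACE is simply not added. Do not add a Deny for Everyone: a Deny also matches
# administrators and wins over their Allow.
New-SmbShare -Name 'UEVdata' -Path $storageRoot `
    -FullAccess 'BUILTIN\Administrators', $uevUsers | Out-Null

# NTFS ACL: administrators get full control; CREATOR OWNER gets full control of
# whatever each user creates (subfolders and files only), so a user can read
# only their own SettingsPackages tree. The user group itself gets only "list"
# and "create folder" on the root (not in the course table; a least-privilege
# choice that is enough for the agent to create the user's folder).
icacls $storageRoot /inheritance:r `
    /grant 'BUILTIN\Administrators:(OI)(CI)F' `
    /grant 'CREATOR OWNER:(OI)(CI)(IO)F' `
    /grant "${uevUsers}:(RD,RA,REA,X,AD)" | Out-Null

# --- 2. Settings template catalog -----------------------------------------
# Templates are pulled by the agent's scheduled task in the computer context,
# so Domain Computers read, administrators write, and Everyone gets nothing.
New-SmbShare -Name 'UEVTemplates' -Path $catalogRoot `
    -ReadAccess 'ADATUM\Domain Computers' `
    -ChangeAccess 'BUILTIN\Administrators' | Out-Null

icacls $catalogRoot /inheritance:r `
    /grant 'BUILTIN\Administrators:(OI)(CI)F' `
    /grant 'CREATOR OWNER:(OI)(CI)(IO)F' `
    /grant 'ADATUM\Domain Computers:(OI)(CI)RX' | Out-Null

# Verify the share ACLs as the server actually holds them.
Get-SmbShareAccess -Name 'UEVdata', 'UEVTemplates' |
    Format-Table Name, AccountName, AccessControlType, AccessRight -AutoSize

# --- 3. Group Policy administrative templates -----------------------------
# Central store path as the course gives it (run on a domain controller). With
# no central store, copy to $env:SystemRoot\PolicyDefinitions on each admin box.
$central = Join-Path $env:SystemRoot 'SYSVOL\domain\Policies\PolicyDefinitions'
$admxSrc = 'C:\Source\UEV-ADMX'   # assumed extraction folder
if (Test-Path $central) {
    New-Item -ItemType Directory -Path (Join-Path $central 'en-US') -Force | Out-Null
    Copy-Item (Join-Path $admxSrc '*.admx')       -Destination $central
    Copy-Item (Join-Path $admxSrc 'en-US\*.adml') -Destination (Join-Path $central 'en-US')
}
```

The catalog share is the one to watch: whoever can write to it decides which registry keys and file paths every UE-V client will capture and replay, so keep write access limited to administrators as the table requires.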
Question: What must you do before you can use Group Policy to configure UE-V?
Deploying UE-V
You must install the UE-V agent on each computer
that will use UE-V to synchronize settings. The UE-V
installation file supports various command-line
parameters such as SettingStoragePath,
SettingsTemplateCatalogPath, and SyncMethod,
which you can use for initial UE-V configuration.
All command-line parameters are documented in
the UE-V administrator's guide on the Microsoft
TechNet website.
Choose the deployment method according to the scenario:
- You want to deploy the UE-V agent after operating system images are deployed.
- You are configuring the UE-V agent by using Group Policy and not by using command-line options.
- You use the Microsoft Deployment Toolkit (MDT) for operating system deployment.
- You want to deploy the UE-V agent as part of an operating system deployment.
Deployment methods named in this module include scripted installation (running AgentSetup.exe with
command-line parameters) and Windows Intune.
After the UE-V agent is installed, you must restart the computer to make the UE-V agent operational.
After the installation, a new service named User Experience Virtualization is installed. Also, six
scheduled tasks are added under the Microsoft\UE-V folder in Task Scheduler.
These tasks periodically synchronize the local cache with the settings storage location, check for
updates in the UE-V settings location templates, and upload data if you joined the Customer Experience
Improvement Program (CEIP). UE-V agent installation also installs the Company Settings Center, which
you can use to control which settings UE-V should synchronize, to trigger synchronization manually,
and to view the synchronization status of UE-V.
Microsoft User Experience Virtualization (UE-V) 1.0
http://go.microsoft.com/fwlink/?LinkId=378226&clcid=0x409
Question: Where can users see UE-V synchronization status and manually trigger UE-V
synchronization?
After you install the UE-V Group Policy ADMX files, the Microsoft User Experience Virtualization node
appears under Policies\Administrative Templates\Windows Components in the Group Policy Management
Editor window. You can configure some UE-V Group Policy settings only for computers, some only for
users, and some for both. The following table lists the policy settings that you can configure for UE-V.
Policy setting name                  Target
Settings storage path                Computers and Users
Settings template catalog path       Computers Only
Synchronization timeout              Computers and Users
Tray Icon                            Computers Only
Do not synchronize Windows 8 Apps    Computers and Users
Roam Applications settings           Users Only
Roam Windows settings                Users Only
UE-V settings that can be configured in different places have the following order of precedence:
1. Configuration settings defined in the User Configuration part of Group Policy.
2. Configuration settings defined in the Computer Configuration part of Group Policy.
3. Configuration settings defined for the current user by using Windows PowerShell or WMI.
4. Configuration settings defined for the computer by using Windows PowerShell or WMI.
This means that if the same UE-V setting is configured in multiple places, configuration in the user part
of Group Policy has precedence over configuration in the computer part of Group Policy, and Group Policy
has precedence over locally configured settings.
Question: When will a UE-V setting that is configured through Group Policy be effective on
a UE-V client?
Settings must be stored in an accessible location. UE-V can synchronize settings only in the
HKEY_CURRENT_USER registry subtree and the AppData\Roaming or AppData\Local folders in a
user profile. If an application stores its settings in other locations, you cannot synchronize its settings
by using UE-V.
Settings should not be specific to a particular computer. Some settings such as network configuration
are relevant only for a certain computer and should not be synchronized with other computers.
Settings must be synchronized without the risk of corrupting data. For example, if settings are stored
in a database file, these settings should not be synchronized by using UE-V. You should consider
some other solution, such as storing the database file with configuration settings on a network
location.
When you install the UE-V agent, it includes settings location templates for operating system settings
and common Microsoft applications. You can view the list of registered settings location templates by
running the Get-UevTemplate cmdlet. These templates are stored in the Microsoft User Experience
Virtualization\Templates folder under Program Files and cover desktop apps and Windows settings in the
following categories:
- Windows accessories
- Desktop background
- Ease of Access
- Desktop settings
Note: You can download Microsoft Office 2013 UE-V templates from the UE-V 2.0
template gallery.
Microsoft UE-V 2.0 template gallery
http://go.microsoft.com/fwlink/p/?LinkId=246589
UE-V also synchronizes Windows Store app settings. Settings location templates are not used for
Windows Store apps because they synchronize only the settings that the app developer configured to
synchronize. You can run the Windows PowerShell cmdlet Get-UevAppxPackage to view the list
of Windows Store apps for which settings are synchronized.
If you want to synchronize app settings that are not covered by default settings location templates, then
you must create additional settings location templates. If the settings location template for your app has
been developed already, you can obtain it online.
TechNet Gallery - resources for IT professionals
http://go.microsoft.com/fwlink/?LinkId=378227&clcid=0x409
You also can use UE-V Generator to create custom settings location templates and store them in a
settings template catalog. You do not need to copy the default settings location templates to the settings
template catalog. To provide UE-V with a custom settings location template, you must perform the
following steps:
1. Install the UE-V Generator. The UE-V Generator is a part of UE-V, and it is used for creating and
editing custom settings location templates. The UE-V Generator monitors an app to discover and
capture the locations where the app stores its settings. The monitored app must be a traditional
desktop app, because UE-V Generator does not create templates for virtualized applications,
applications offered through Remote Desktop Services, Java applications, or Windows Store apps.
UE-V Generator requires .NET Framework 4 or newer.
2. Create a custom settings location template by using the UE-V Generator. You can do this by
running UE-V Generator and pointing it to the application for which you want to create the settings
location template. UE-V Generator starts the application and monitors the registry and file system
to discover the locations where the application stores its settings. UE-V Generator monitors the
HKEY_CURRENT_USER registry subtree and the AppData\Roaming and AppData\Local folders in
the user profile. After the application opens, you can close it, and UE-V Generator captures the
locations that it accessed. You can review the locations, edit the template, and store it as a settings
location template .xml file.
3. Deploy the custom settings location template to the catalog. Because the settings template catalog is
a network share, you can simply copy the .xml file that the UE-V Generator created to that network
share. Each UE-V client computer has a Template Auto Update scheduled task that runs once daily
and updates the settings location templates on the client. You can force the UE-V agent to apply custom
settings location templates from the catalog immediately by running
ApplySettingsTemplateCatalog.exe or by using the Windows PowerShell cmdlet Register-UevTemplate.
To enable UE-V to use custom settings location templates, you also must create a settings template
catalog on a file server and configure the settings template catalog path for the UE-V agent, all of which
you can perform as part of UE-V environment preparation.
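The following Windows PowerShell session is an added example, not part of the course. It carries step 3 above through on a client: validating the generated template, copying it to the catalog, forcing the client to adopt it immediately, and confirming the registration. The template file C:\Templates\RDCMan.xml and the catalog share \\LON-DC1\UEVTemplates are assumptions taken from the lab scenario.

```powershell
# Added example, not part of the course: publish a custom template and make a
# client adopt it now instead of at the next Template Auto Update run.
# Assumptions: UE-V Generator saved the template as C:\Templates\RDCMan.xml,
# the catalog share is \\LON-DC1\UEVTemplates, and this runs elevated on a
# client where the UE-V agent (and its UEV module) is installed.
Import-Module UEV

$template = 'C:\Templates\RDCMan.xml'
$catalog  = '\\LON-DC1\UEVTemplates'

# 1. Validate against the template schema before publishing. A template the
#    agent rejects fails quietly on every client at 3:30 A.M., so check here.
Test-UevTemplate -Path $template

# 2. Publish. Only administrators can write to the catalog share (see the
#    permission table in the preparation steps); that restriction is what
#    keeps an ordinary user from pushing a template that captures arbitrary
#    registry keys or file paths onto every client.
Copy-Item -Path $template -Destination $catalog

# 3. Pick it up now. Either run the scheduled task the agent runs daily, which
#    registers new and changed templates and removes ones deleted from the
#    catalog ...
Start-ScheduledTask -TaskPath '\Microsoft\UE-V\' -TaskName 'Template Auto Update'
#    ... or register the single file directly. Register it from the catalog
#    copy, not a local copy: the catalog sync removes custom templates that
#    are not in the catalog, so the catalog remains the source of truth.
Register-UevTemplate -Path (Join-Path $catalog 'RDCMan.xml')

# 4. Confirm. Registered templates are listed with ID, name, version and state.
Get-UevTemplate | Where-Object { $_.TemplateName -like '*rdc*' } |
    Format-Table TemplateId, TemplateName, TemplateVersion, Enabled -AutoSize
```

Unregister-UevTemplate with the template ID reverses step 3 on a client; removing the file from the catalog does the same for every client at its next sync.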
Question: How can you use UE-V to synchronize the settings of third-party applications?
The Marketing department at A. Datum Corporation has many users who often use different computers.
You have been asked to evaluate different solutions that would enable user settings and data to roam
with users across the computers they use, including the computers on which UE-V is installed and from
which UE-V will synchronize settings.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 60 minutes
Virtual machines: 20687D-LON-DC1, 20687D-LON-SVR1, 20687D-LON-CL1, and 20687D-LON-CL2
User name: Adatum\Administrator
Password: Pa$$w0rd
Start 20687D-LON-DC1 first and after that start 20687D-LON-SVR1, 20687D-LON-CL1, and
20687D-LON-CL2. Sign in as Adatum\Administrator with Pa$$w0rd password to LON-DC1 and
LON-SVR1, but do not sign in to LON-CL1 and LON-CL2.
As you evaluate different solutions, the first step is to explore user data and settings solutions that
Windows 8.1 provides. You plan to implement roaming user profiles and Folder Redirection. Because
user profile content should be available only on approved computers, you also will implement Primary
Computer settings.
The main tasks for this exercise are as follows:
Task 1: Create folders for roaming user profiles and Folder Redirection
1. On LON-DC1, open File Explorer, and on drive C, create a folder named Profiles. Grant Domain
Users Full Control permissions to the folder, and then share it with Full Control permissions for
Everyone.
2. On drive C, create a folder named Redirected. Grant Domain Users Full Control permissions to the
folder, and then share it with Full Control permissions for Everyone.
Configure Adam Barr, which is located in the Marketing OU, with profile settings that point to
\\LON-DC1\Profiles\%username%.
1. Create a Group Policy Object named Folder Redirection, and then link it to Marketing.
2. Configure the Folder Redirection Group Policy setting to redirect the Documents folder to
\\LON-DC1\Redirected.
1. On LON-DC1, verify that the Profiles and Redirected folders are empty.
3. On Adam's desktop, create a folder named Presentations, add a shortcut to Local Disk (C:), and
then add the This PC icon.
4. In Notepad, create a file with your name, and then save it in the Documents library.
5. Verify that the file is stored in the \\LON-DC1\Redirected\adam\Documents folder and is not stored
inside Adam Barr's local profile.
7. On LON-DC1, verify that the Profiles and Redirected folders are no longer empty. The Profiles folder
contains the adam roaming user profile (Adam.V2), whereas the Redirected folder contains the adam
redirected Documents folder.
9. Verify that the This PC icon is on the desktop, in addition to the Presentations folder and the Local
Disk (C:) shortcut.
10. Verify that you can transparently access the file with your name in Notepad.
11. Sign out of LON-CL2.
3. Sign in to LON-SVR1 as Adatum\Adam, and then verify that the This PC icon, Presentations folder,
and the Local Disk (C:) shortcut are not on the desktop. Also, verify in Notepad that the file with your
name is not available in the Documents library. Sign out of LON-SVR1.
4. On LON-DC1, edit the value of the msDS-PrimaryComputer attribute of Adam Barr and replace
LON-CL2 with LON-SVR1.
5. Sign in to LON-SVR1 as Adatum\Adam, and then verify that the Presentations folder is on the
desktop, in addition to the Local Disk (C:) shortcut and the This PC icon. Also verify in Notepad that
the file with your name is available in the Documents library. Because you configured LON-SVR1 as
Adam Barr's Primary Computer, redirected folders are now available.
Results: After completing this exercise, you should have configured roaming user profiles and Folder
Redirection. You also should have configured the user Adam Barr with the Primary Computer setting.
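The following Windows PowerShell commands are an added example, not part of the lab steps. They perform the user-side configuration the exercise does through the GUI (profile path and Primary Computer) with the ActiveDirectory module on LON-DC1, and show the attribute's actual shape, which is a list of computer distinguished names rather than host names. The account name Adam and the computer names are taken from the lab.

```powershell
# Added example, not part of the lab: the user configuration the lab performs
# in the GUI, done with the ActiveDirectory module on LON-DC1. Assumptions: the
# account name is Adam (Adam Barr, Marketing OU), the Profiles share exists,
# and LON-SVR1 is the approved computer.
Import-Module ActiveDirectory

# Roaming profile path. %username% is expanded by Windows at sign-in, so it
# must be stored literally; single quotes keep PowerShell from touching it.
Set-ADUser -Identity 'Adam' -ProfilePath '\\LON-DC1\Profiles\%username%'

# Primary Computer (msDS-PrimaryComputer) is multi-valued and holds computer
# distinguished names, not host names. -Replace does what step 4 of the lab
# does by hand: LON-SVR1 becomes the only approved computer.
$svr1 = (Get-ADComputer -Identity 'LON-SVR1').DistinguishedName
Set-ADUser -Identity 'Adam' -Replace @{ 'msDS-PrimaryComputer' = $svr1 }

# To approve an additional computer, add instead of replacing:
#   Set-ADUser 'Adam' -Add @{ 'msDS-PrimaryComputer' = (Get-ADComputer 'LON-CL2').DistinguishedName }

# Verify what is actually stored on the account.
Get-ADUser -Identity 'Adam' -Properties ProfilePath, 'msDS-PrimaryComputer' |
    Select-Object SamAccountName, ProfilePath, 'msDS-PrimaryComputer'
```

The attribute by itself changes nothing: clients honour it only when the policies "Download roaming profiles on primary computers only" (System\User Profiles) and "Redirect folders on primary computers only" (System\Folder Redirection) are enabled in Computer Configuration, which is why the lab pairs the attribute with Group Policy. The Everyone Full Control share permissions used in the lab are a classroom convenience; in production the Profiles share should follow the same Creator/owner pattern described for the UE-V settings storage location.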
You have demonstrated to your management the benefits of roaming user profiles, Folder Redirection,
and Primary Computer settings. Because A. Datum has an enterprise agreement with Microsoft and access
to the Microsoft Desktop Optimization Pack, you have been asked to implement a pilot deployment of
UE-V. You will demonstrate how UE-V can synchronize additional apps. Based on the results of your
demonstration, management will decide whether to deploy UE-V in production.
The main tasks for this exercise are as follows:
1. Prepare the environment for deploying Microsoft User Experience Virtualization (UE-V).

1. On LON-DC1, create a folder named UEVdata. Grant Domain Users Full Control permissions to the
folder, and then share it with Full Control permissions for Everyone.
2. On LON-DC1, create a folder named UEVTemplates. Grant Domain Users Full Control permissions
to the folder, and then share it with Full Control permissions for Everyone.
1. On LON-DC1, verify that there is no Microsoft User Experience Virtualization node available in a
Group Policy Object under User Configuration\Policies\Administrative Templates
\Windows Components.
3. Create a Group Policy Object named UE-V, and then link it to the Adatum.com domain.

2. Install the UE-V agent by running AgentSetup.exe in the E:\Labfiles\Mod03 folder. Restart
LON-CL1 after completing the installation.

3. On LON-CL1, use the Get-UevConfiguration cmdlet to verify that the UE-V configuration is effective.
You will see that the values for SettingsStoragePath and SettingsTemplateCatalogPath are configured
as you set them in Group Policy. You also will see that the current SyncMethod is set to
SyncProvider.
4. On LON-CL2, run Calculator, and then choose the Date calculation view. Close Calculator.
5. On LON-CL1, run Calculator, and then verify that it is not extended with options for date calculation.
7. On LON-CL1, run Calculator, and then verify that it is extended with options for date calculation.
8. On LON-CL1, use the Set-UevConfiguration cmdlet with the SyncMethod parameter to disable use
of the local cache.
9. On LON-CL2, run WordPad, and then clear the Ruler and Status bar check boxes on the View tab.
Close WordPad.
3. In Notepad, select Font Size 20, type your name, and then save the file in the Documents library.
Close Notepad.
4. On LON-DC1, verify that the UEVdata folder now has a brad subfolder.
5. On the View tab, click Hidden items. Double-click the Brad folder, and then verify that it contains a
SettingsPackages subfolder.
6. Double-click the SettingsPackages folder, and then verify that it contains multiple subfolders for the
applications and Windows settings that UE-V synchronizes.
7. Sign in to LON-CL1 as Adatum\Brad with the password Pa$$w0rd. Run Calculator, and then verify that
it is extended with options for date calculation, as you configured it on LON-CL2. On the View menu,
click Programmer, click Unit conversion, and then close Calculator.
8. On LON-CL1, run WordPad, and then verify that the Ruler and Status bar check boxes are not
selected, exactly as you configured them on LON-CL2. Close WordPad.
9. On LON-CL1, verify that the shortcut to Local Disk (C:) is not present on the desktop.
Note: Contents of the desktop are not synchronized by UE-V. Instead, you should use
Folder Redirection or roaming user profiles to do so.
10. Verify in Notepad that Font Size 20 is configured, but that the file with your name is not available in
the Documents library.
1. On LON-CL1, run Calculator, and then verify that it is in Programmer view and extended with Unit
conversion. Close Calculator.
2. Use the Get-UevTemplate cmdlet to view which settings location template Calculator uses.
4. Run Calculator, and then verify that it is in the default Standard mode, the way it was before the first
UE-V synchronization.
3. Run Microsoft User Experience Virtualization Generator. Click Create a settings location template,
and then point it to C:\Program files (x86)\Remote Desktop Connection Manager\RDCMan.exe.
4. In Remote Desktop Connection Manager, modify one of the available options, and then close Remote
Desktop Connection Manager.
5. Include nonstandard file locations in the settings location template, and then save the settings
location template to \\LON-DC1\UEVTemplates\RDCMan.xml.
1. On LON-CL1, use the Get-UevTemplate cmdlet to verify that no settings location template that
contains the string rdc is registered.
5. On LON-CL1, run Remote Desktop Connection Manager, configure Auto save interval to 3
minute(s), and then close Remote Desktop Connection Manager.
6. On LON-CL2, run Remote Desktop Connection Manager, and then verify that Auto save interval is
selected and configured to 3 minute(s).
Results: After completing this exercise, you should have successfully implemented and configured UE-V
for synchronizing apps and Windows settings.
2. In the Virtual Machines list, right-click 20687D-LON-DC1, and then click Revert.
Lesson 3
Many users spend a significant amount of time configuring their Windows-based environment. They
might customize items such as desktop wallpaper, the appearance of user interface elements, or other
operating system and application components. This grouping of specific settings is referred to as user
state. User state is an important part of the migration process when you replace a computer, or when you
install a new operating system on a computer. This lesson introduces you to user state migration and to
the tools and methods you can use in planning and implementing a user state migration in a Windows-based environment.
Lesson Objectives
After completing this lesson, you will be able to:
Explain how to migrate user settings and data by using the User State Migration Tool (USMT).
Consider which user accounts, operating system settings, and user preferences you want to migrate
or standardize:
o User accounts. Computers might have settings related to domain and local user accounts. You
must determine whether local user accounts should be migrated. You also should consider whether
you must enable the accounts on destination computers and how you will deal with password
requirements.
o Operating system settings. Identify which operating system settings to migrate and to what
extent you want to create a new standard environment on the destination computers. Operating
system settings can include appearance, mouse actions such as single-click or double-click,
keyboard settings, Internet settings, email account settings, dial-up connections, accessibility
settings, and fonts.
o User preferences. These include user profile features, web browser settings, and mail settings.
User data. This includes data that is stored on local hard drives. Typically, critical data is stored on file
servers. However, users sometimes store data on local hard drives.
Application settings. These include application-specific configuration settings, preferences, and data
files. User state migration does not include migration of the applications themselves. Determine and
locate the application settings that you want to migrate. You can acquire this information when you are
testing new applications for compatibility with a new operating system. You should consider whether
the destination version of an application is newer than the source version and where the specific
application settings are stored. Settings might be stored in the registry, .ini files, or in text or binary
files. To determine the location of an application setting, review the application's documentation or
relevant websites.
Windows 8.1 provides two options for performing user state migration: Windows Easy Transfer and USMT.
Windows 8.1 includes the Windows Easy Transfer tool, which provides a wizard-based process for
migrating user data and files from one Windows-based computer to another. Windows Easy Transfer can
transfer the data from a source computer to a number of different intermediary media types, and then it
can restore that data on a destination computer. End users primarily use Windows Easy Transfer, and it is
designed to perform migrations with a small number of computers. The Windows Easy Transfer process
cannot be automated, and it is not an appropriate solution if you need to migrate data for a large number
of users.
Note: This tool is deprecated and has reduced functionality compared to Windows Easy
Transfer in Windows 8. However, it is still a part of Windows 8.1, and you can use it in
Windows 8.1.
USMT
USMT is a set of command-line tools that gives administrators more control over user data migrations.
You can use USMT in large environments where you need to migrate the data of multiple users on
multiple machines. The command-line interface for USMT helps administrators incorporate USMT into
enterprise environments and automated processes. USMT uses tools to capture and store user data in
the first phase of the migration, and then restore the data to another operating system from the captured
data. USMT is included in the Windows Assessment and Deployment Kit (ADK) for Windows 8.1.
Question: You have been asked to upgrade 10 computers in a small branch office from
Windows 7 to Windows 8.1. You also have been asked to perform a clean installation of
Windows 8.1 and to show the local manager how to migrate user files and other data after
installing Windows 8.1. The manager will perform the Windows 8.1 installation and user state
migration for the rest of the computers. Which tool should you demonstrate to the
manager?
You can use the Windows Easy Transfer tool when you need to migrate settings and data for a limited
number of users and you do not need to customize and automate the migration process. You can use
Windows Easy Transfer to transfer user accounts and settings, files and folders, email settings, contacts
and messages, application settings, Internet settings, and favorites. You cannot use Windows Easy Transfer
to transfer installed apps or advanced configurations such as custom registry keys. Apps must be installed
already on a Windows 8.1 computer before you can transfer the app settings by using Windows Easy
Transfer. You can use Windows Easy Transfer to transfer data and settings to Windows 8.1 only from
Windows 8, Windows RT, or Windows 7 source computers.
Question: Can you use Windows Easy Transfer to migrate user settings and data between
two Windows 8.1 computers?
Benefits of USMT
USMT provides the following benefits to
organizations that deploy Windows operating
systems:
It reduces the cost of deploying Windows operating systems by preserving user states. This reduces
the time needed for users to become familiar with new operating systems, and this reduces the time
required to customize desktops and locate missing files and settings.
It reduces end-user downtime, which reduces help desk calls and increases employee satisfaction with
the migration experience.
It minimizes migration storage by using hard-link migration. For use in the computer refresh scenario,
hard-link migration stores are saved locally on the computer that is being refreshed. It drastically
It can perform migration from alternate locations (offline migration). This enables you to collect data
from offline Windows operating systems by using the ScanState tool in the Windows Preinstallation
Environment. In addition, USMT supports migrations from previous operating system installations
contained in Windows.old directories.
Components of USMT
The following list defines the USMT components:
ScanState. This tool scans a source computer, collects the files and settings, and then creates a store.
ScanState does not modify the source computer. By default, it compresses the files and saves them as
a migration store. ScanState copies files into a temporary location and then to the migration store.
LoadState. This tool migrates files and settings, one at a time, from the store to a temporary location
on the destination computer. Files are decompressed, and decrypted if necessary, during this process.
LoadState then transfers files to their correct locations, deletes their temporary copies, and begins
migrating more files. Compression improves performance by reducing network bandwidth usage and
the space required for the store. You can turn off compression with the /nocompress option.
USMTUtils. This tool can perform several functions related to compression, encryption, and validation
of a migration store. USMTUtils also can manage USMT files manually in the event of a corrupted
data store or a locked hard-link store.
Migration XML files. These are the XML files that USMT uses for migrations. They include the
MigApp.xml, MigUser.xml, or MigDocs.xml files, and any custom .xml files that you create:
MigDocs.xml. This file contains rules for the MigXmlHelper.GenerateDocPatterns helper function,
which can find user documents on a computer automatically without creating extensive custom
migration .xml files.
MigUser.xml. This file contains rules for migrating user profiles and data.
Config.xml. To exclude data from a migration, you can create and modify the Config.xml file by
using the /genconfig option with the ScanState tool. This optional file has a different format from
the migration .xml files because it does not contain migration rules. The Config.xml file lists the
elements that can be migrated. Specify migrate=no for the elements that you want to exclude
from the migration. You also can use this file to control some migration options for USMT.
Component manifests. The component manifest files control which operating system settings are
migrated and how they are migrated, and you cannot modify them. If you want to exclude certain
operating system settings, you need to create and modify a Config.xml file.
USMT internal files. All other files included with USMT are for USMT internal use, and you should not
modify them.
Question: Do you need to install Windows ADK on the source computer from which you
plan to migrate user settings?
USMT controls what data to migrate by using migration .xml files (MigApp.xml, MigDocs.xml, and
MigUser.xml) and any custom .xml files that you create. The user state consists of several components:
user data, operating system elements, and supported applications settings.
User data
ScanState uses rules in the MigUser.xml file to collect everything in a user's profile. ScanState then
performs a file extension-based search on most of the system for other user data.
By default, USMT migrates the following user data and access control lists (ACLs) by using the
MigUser.xml file:
Folders from each user profile. USMT migrates everything in a user's profile, including My Documents,
My Video, My Music, My Pictures, Desktop files, Start menu, Quick Launch settings, and Favorites.
Folders from the All Users and Public profiles. USMT also migrates the following from the All Users
profile or the Public profile: Shared Documents, Shared Video, Shared Music, Shared Desktop files,
Shared Pictures, Shared Start menu, and Shared Favorites.
File types. The ScanState tool searches the fixed drives and collects and migrates files that have any of
the following file name extensions: .accdb, .ch3, .csv, .dif, .doc*, .dot*, .dqy, .iqy, .mcw, .mdb*, .mpp,
.one*, .oqy, .or6, .pot*, .ppa, .pps*, .ppt*, .pre, .pst, .pub, .qdf, .qel, .qph, .qsd, .rqy, .rtf, .scd, .sh3, .slk,
.txt, .vl*, .vsd, .wk*, .wpd, .wps, .wq1, .wri, .xl*, .xla, .xlb, .xls*.
ACL. USMT migrates the ACL for specified files and folders from source computers.
The following data does not migrate by using the MigUser.xml file:
Files outside of a user profile that do not match one of the file name extensions in the MigUser.xml
file.
By default, USMT migrates most standard operating system features to destination computers. Some
settings such as fonts are not available for an offline migration until after the destination computer
restarts.
We recommend installing all applications on a destination computer before restoring the user state
to ensure that migrated settings are preserved. The versions of installed applications must match the
application version on the source computer. USMT only migrates the settings that were used or changed
by a user. If an application setting on the source computer was not used, it will not migrate.
However, if you are satisfied with the default migration behavior defined in the MigApp.xml,
MigUser.xml, and MigDocs.xml files, but you want to exclude certain elements, you can create and modify
the Config.xml file and leave the other .xml files unchanged. For example, you must create and modify the
Config.xml file to exclude any of the operating system settings that are migrated. You must create and
modify this file to change any of the default store-creation or profile-migration behaviors.
The Config.xml file has a different format compared to other migration .xml files because it does not
contain any migration rules. It only contains a list of the operating system features, applications, and user
documents that can be migrated, in addition to user-profile and error-control policies. For this reason,
excluding features by using the Config.xml file is easier than modifying migration .xml files because you
do not need to be familiar with the migration rules and syntax. However, you cannot use wildcard
characters in this file.
How To Include Files and Settings
http://go.microsoft.com/fwlink/?LinkId=378228&clcid=0x409
The following syntax provides an example of how you can configure ScanState to scan a source computer:
Scanstate \\LON-SRV1\DesktopMigration /i:migapp.xml /i:miguser.xml /config:config.xml /o /ui:DBService /ue:Adatum\Don
Application settings. USMT does not migrate settings from older versions of an application. It also
does not migrate application settings and some operating system settings when a local account is
created.
Installed applications. USMT does not migrate installed applications. You have to reinstall all
applications on a destination computer before restoring application settings.
Operating system settings. USMT does not migrate the following operating system settings:
Mapped network drives, local printers, hardware-related settings, drivers, passwords, application
binary files, synchronization files, dynamic-link library files, or other executable files.
Files and settings that migrate between operating systems with different languages.
1. Run the LoadState tool on the destination computer. Specify the same set of .xml files that you
specified when you used the ScanState tool. However, you do not have to specify the Config.xml file
unless you want to exclude some files and settings that you migrated to the store.
2. Sign out after running the LoadState tool. Some settings, such as fonts, wallpaper, and screen saver,
will not take effect until the next time the user signs in.
Question: How can you ensure that user data is safe during a migration?
You have been asked to implement the upgrade of 10 new computers that are being deployed to the
Research department at A. Datum. Max Stevens, the IT manager from the Research department, has sent
you an email outlining the upgrade requirements.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 30 minutes
Virtual machines: 20687D-LON-DC1, 20687D-LON-CL1, and 20687D-LON-CL3
User name: Adatum\Administrator
Password: Pa$$w0rd
Start the LON-DC1 first and then start LON-CL1 and LON-CL3 virtual machines if they are not running
already. You do not need to sign in to any computer.
Sent:
To: Ed@adatum.com
Subject: User State Migration for the new Windows 8.1 computers in the Research department
Hi Ed,
We have 10 new Windows 8.1 computers that are being deployed within the Research department. We
need to ensure that no user data stored on the old computers is lost in the migration, and that all user
data is migrated to the new computers. What I want you to do is use USMT to help with the user state
migration. Here are some additional things to consider:
The contents of the Shared Video, Shared Music, and Shared Pictures folders should not be migrated
from Windows 7 to the new Windows 8.1 computers.
We have a custom folder named ResearchApps that has to be migrated from all the old computers to
the new Windows 8.1 computers.
All domain profiles that are on each existing computer should be migrated to the new systems.
You can use \\LON-DC1\Data as a location to store the data store during the migration. The data
store should be compressed to minimize space. Because there is no confidential information on these
specific computers, we do not need the migration store to be encrypted.
Thanks,
Max
Your user state migration information states that several operating system features should not be
migrated. You also have to migrate an additional folder from the old computers to the new Windows 8.1
computers. Your first task is to create the custom XML files that address these requirements.
The main tasks for this exercise are as follows:
2. Verify that Don has a black desktop and that the Computer and Don Funk folders are on the desktop.
5. At a command prompt, map a network drive located on LON-DC1 by using the following command:
Net Use F: \\LON-DC1\USMT
6. Change to drive F, and then create a Config.xml file by using the following command:
scanstate /i:migapp.xml /i:miguser.xml /genconfig:config.xml
7. At the command prompt, type notepad config.xml to view the Config.xml file.
8. Modify the XML code to exclude the following from the migration:
Shared Video
Shared Music
Shared Pictures
Note: For each of the folders, look for component displayname, and then change the
migrate attribute to no.
2. Maximize the Notepad window. This is a custom XML file that is used to migrate a specific folder
named ResearchApps to the new workstation.
3. Change the variable <Foldername> to ResearchApps. The entire line should read as follows:
<pattern type="File">C:\ResearchApps\* [*]</pattern>
4. Verify that there is a C:\ResearchApps folder on the disk and that it contains multiple files.
5. Create a new text document with your name in the C:\ResearchApps folder.
Results: After completing this exercise, you should have created and customized XML files to use with the
User State Migration Tool (USMT).
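As an added example that is not part of the course lab, the following Windows PowerShell script performs the two XML customizations of this exercise in one place: it sets migrate="no" on the Shared Video, Shared Music, and Shared Pictures components of a Config.xml, writes a custom migration .xml whose include rule is the C:\ResearchApps pattern line shown above, and composes the matching ScanState and LoadState command lines for the \\LON-DC1\Data store. The embedded Config.xml fragment is a constructed stand-in for the file that scanstate /genconfig produces, the function names and the urlid are the example's own, and the -Encrypt switch (USMT's /encrypt and /decrypt with /keyfile) is included for stores that do hold confidential data.

```powershell
# Added example, not from the course: Exercise 1 of the USMT lab as a script.
# The sample Config.xml below is a constructed stand-in for the file that
# "scanstate /genconfig:config.xml" produces (real files carry more components
# and an ID attribute per component). Output files go to the current folder,
# which in the lab is the mapped F: drive that holds the USMT binaries.

$sampleConfig = @'
<?xml version="1.0" encoding="UTF-8"?>
<Configuration>
  <Documents>
    <component displayname="My Documents" migrate="yes"/>
    <component displayname="Shared Video" migrate="yes"/>
    <component displayname="Shared Music" migrate="yes"/>
    <component displayname="Shared Pictures" migrate="yes"/>
  </Documents>
</Configuration>
'@

function Set-UsmtExclusion {
    # Flip migrate="yes" to migrate="no" for every component whose displayname
    # matches; this is the edit that step 8 of the lab makes by hand in Notepad.
    param(
        [Parameter(Mandatory = $true)][xml]$Config,
        [Parameter(Mandatory = $true)][string[]]$DisplayName
    )
    $changed = @()
    foreach ($name in $DisplayName) {
        $nodes = $Config.SelectNodes("//component[@displayname='$name']")
        if ($nodes.Count -eq 0) { Write-Warning "Config.xml has no component named '$name'"; continue }
        foreach ($node in $nodes) { $node.SetAttribute('migrate', 'no'); $changed += $name }
    }
    return $changed
}

function New-UsmtFolderRule {
    # Build a custom migration .xml whose single include rule matches every file
    # under $FolderPath ("\* [*]" = all subfolders, all files), like the lab's
    # folders.xml. The urlid value is a constructed identifier for this example.
    param([Parameter(Mandatory = $true)][string]$FolderPath, [string]$DisplayName = 'Custom folder')
    return @"
<?xml version="1.0" encoding="UTF-8"?>
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/customfolder">
  <component type="Documents" context="System">
    <displayName>$DisplayName</displayName>
    <role role="Data">
      <rules>
        <include>
          <objectSet>
            <pattern type="File">$FolderPath\* [*]</pattern>
          </objectSet>
        </include>
      </rules>
    </role>
  </component>
</migration>
"@
}

function Get-UsmtCommandLine {
    # Compose the ScanState/LoadState lines for the store at $Store. Compression
    # stays on (the default, as the manager asked); -Encrypt adds /encrypt and
    # /decrypt with a key file for stores that do contain confidential data.
    param(
        [Parameter(Mandatory = $true)][string]$Store,
        [string[]]$CustomXml = @(),
        [string]$KeyFile = 'usmt.key',   # constructed file name; holds the key string
        [switch]$Encrypt
    )
    $includes = (@('migapp.xml', 'miguser.xml') + $CustomXml | ForEach-Object { "/i:$_" }) -join ' '
    $scan = "scanstate $Store $includes /config:config.xml /o /l:scanstate.log"
    $load = "loadstate $Store $includes /l:loadstate.log"
    if ($Encrypt) {
        $scan += " /encrypt /keyfile:$KeyFile"
        $load += " /decrypt /keyfile:$KeyFile"
    }
    return [pscustomobject]@{ ScanState = $scan; LoadState = $load }
}

# --- Exercise 1 as a script -------------------------------------------------
$outDir = (Get-Location).Path
[xml]$config = $sampleConfig
$excluded = Set-UsmtExclusion -Config $config -DisplayName 'Shared Video', 'Shared Music', 'Shared Pictures'
$config.Save((Join-Path $outDir 'config.xml'))
"Excluded from migration: $($excluded -join ', ')"

New-UsmtFolderRule -FolderPath 'C:\ResearchApps' -DisplayName 'ResearchApps' |
    Set-Content -Path (Join-Path $outDir 'folders.xml') -Encoding UTF8

# The lab's store location and custom file; add -Encrypt when the data warrants it.
Get-UsmtCommandLine -Store '\\LON-DC1\Data' -CustomXml 'folders.xml' | Format-List
```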
Now that you have the required custom XML files, you can perform the USMT migration task. Use USMT
to capture the current user state on LON-CL3 by using ScanState and the custom migration files. Then,
restore the user state to LON-CL1 and confirm the migration.
The main tasks for this exercise are as follows:
4. Verify that the \\LON-DC1\Data shared folder stores the USMT.MIG captured user state.
4. Open the Command Prompt window, and then map network drive F to \\LON-DC1\USMT. Use the
following command:
Net Use F: \\LON-DC1\USMT
5. Change to drive F, and then restore user state on the destination computer by using the following
command:
Loadstate \\LON-DC1\Data /i:migapp.xml /i:miguser.xml /i:folders.xml
6. Verify that the C:\Users folder contains subfolders named Ed and Don.
2. Verify that the Computer and Don Funk folders, in addition to a text document with your name, are
on the desktop.
3. Verify that the C:\ResearchApps folder with all its content has migrated successfully, including the file
with your name.
Results: After completing this exercise, you should have captured and restored user states by using USMT.
2. In the Virtual Machines list, right-click 20687D-LON-DC1, and then click Revert.
Module 5
Managing Disks and Device Drivers
Contents:
Module Overview 5-1
Module Overview
The Windows 8.1 operating system simplifies common tasks for information technology (IT)
professionals who manage and deploy desktops and laptops, devices, or virtual environments. It also
helps IT professionals take advantage of the tools and skills similar to those that they use in Windows 7
and Windows 8.
Although most computers that run Windows 8.1 have a single physical disk that is configured as a single
volume, this is not always the case. For example, there might be times when you want to have multiple
operating systems on a single computer, or you might want to have virtual memory on a different
volume. Therefore, it is important that you understand how to create and manage simple, spanned,
and striped volumes. You also might be interested in implementing the Storage Spaces feature. In
addition to traditional storage, you can use Windows 8.1 to create and access virtual hard disks from
within the operating system installed on a physical computer. To help maintain and optimize file system
performance, you must be familiar with file system fragmentation and the tools that you can use to
defragment a volume. Additionally, a good understanding of disk quotas is helpful if you are managing
available disk space on installed volumes.
To ensure that previously installed devices continue to work in Windows 8.1, Microsoft is working to
make device drivers available directly from Windows Update or from device manufacturer websites.
Objectives
After completing this module, you will be able to:
Lesson 1
Before you can use a disk in Windows 8.1, you must prepare it for use. You must partition the disk by
using the master boot record (MBR) partitioning scheme or the GUID partition table (GPT) partitioning
scheme. After partitioning the disk, you must create and format one or more volumes before an operating
system can use the disk.
You can use disk management tools to perform disk-related tasks, such as creating and formatting
partitions and volumes, assigning drive letters, and resizing disks.
Lesson Objectives
After completing this lesson, you will be able to:
Resize a volume.
The MBR is stored at a consistent location on a physical disk, enabling a computer's BIOS to reference it.
During the startup process, a computer examines the MBR to determine which partition is active on the
installed disks. The active partition contains the operating system startup files.
Note: You can install the rest of an operating system on another partition or disk. In
Windows 8.1, when you boot to an MBR disk, the active partition must contain the boot sector,
Windows Boot Manager, and related files.
Four partitions on each disk. MBR-based disks are limited to four partitions. All of these can be
primary partitions, or one can be an extended partition with logical volumes inside. You can configure
the extended partition to contain multiple volumes.
A 2 terabyte (TB) maximum partition size. A partition cannot be larger than 2 TB.
No redundancy provided. The MBR is a single point of failure, and if it becomes corrupted or
damaged, it can render an operating system unable to start.
MBR disks can be either basic or dynamic disk types. Dynamic disks support additional options that are
not available on a basic disk, including volumes that are able to span multiple disks and fault tolerant
volumes.
GPT Disks
GPT disks contain an array of partition entries that describe the start and end LBA of each partition on a
disk. Each GPT partition has a unique GUID and partition-content type. Also, each LBA that the partition
table describes is 64 bits in length. The UEFI specifies the GPT format, but it is not exclusive to UEFI
systems. Both 32-bit and 64-bit Windows operating systems support GPT for data disks on BIOS systems.
However, they cannot start from them. 64-bit Windows operating systems support GPT for boot disks on
UEFI systems.
128 partitions per disk. This is a vast improvement over MBR-based disks.
18 exabyte volume size. This is a theoretical maximum because hard-disk hardware that can support
such vast volume sizes is not yet available.
You can implement GPT-based disks on Windows Server 2008 and newer versions, Windows Vista,
Windows 7, Windows 8, and Windows 8.1. You cannot use the GPT partition style on removable disks.
GPT Architecture
A GPT-partitioned disk defines the following sectors:
Sector 0 contains a legacy protective MBR, which contains one primary partition that covers the entire
disk:
The protective MBR protects GPT disks from previously released MBR disk tools, such as MS-DOS
Fdisk or Windows NT Disk Administrator.
These tools view a GPT disk as having a single encompassing (possibly unrecognized) partition by
interpreting the protective MBR, rather than mistaking the disk for one that is not partitioned.
Legacy software that does not know about GPT interprets only the protective MBR when it
accesses a GPT disk.
Sector 1 contains a partition table header. The partition table header contains the unique disk GUID,
the number of partition entries (usually 128), and pointers to the partition table.
The partition table starts at sector 2. Each partition entry contains a unique partition GUID, the
partition offset, length, type (also a GUID), attributes, and a 36-character name.
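To make the sector layout above concrete, here is an added example (not course material) in Windows PowerShell that builds a minimal GPT partition table header and one partition entry in memory at the byte offsets the UEFI specification defines, parses them back, and verifies the header's CRC32 the way a GPT-aware tool does. The disk and partition GUIDs, LBA values, and partition name are constructed sample values, the function names are the example's own, and no real disk is read or written.

```powershell
# Added example, not from the course: GPT header and partition-entry layout in
# memory. All GUIDs, LBAs and the partition name are constructed sample values.

function Get-Crc32 {
    # Reflected CRC-32 (polynomial 0xEDB88320), the checksum GPT stores for the
    # header (bytes 16-19) and for the partition-entry array (bytes 88-91).
    param([byte[]]$Bytes)
    $poly = [uint32]3988292384          # 0xEDB88320
    $crc = [uint32]::MaxValue
    foreach ($b in $Bytes) {
        $crc = $crc -bxor $b
        for ($i = 0; $i -lt 8; $i++) {
            if ($crc -band 1) { $crc = ($crc -shr 1) -bxor $poly } else { $crc = $crc -shr 1 }
        }
    }
    return [uint32]($crc -bxor [uint32]::MaxValue)
}

function ConvertTo-Guid {
    # On-disk GUIDs use the same mixed-endian byte order as System.Guid.
    param([byte[]]$Bytes)
    return New-Object Guid -ArgumentList (,$Bytes)
}

function New-GptPartitionEntry {
    param([guid]$TypeGuid, [guid]$PartitionGuid, [uint64]$FirstLba, [uint64]$LastLba,
          [uint64]$Attributes = 0, [string]$Name)
    if ($Name.Length -gt 36) { throw 'GPT partition names are limited to 36 UTF-16 characters' }
    $e = New-Object byte[] 128
    $TypeGuid.ToByteArray().CopyTo($e, 0)                    # partition type GUID
    $PartitionGuid.ToByteArray().CopyTo($e, 16)              # unique partition GUID
    [BitConverter]::GetBytes($FirstLba).CopyTo($e, 32)       # 64-bit LBAs
    [BitConverter]::GetBytes($LastLba).CopyTo($e, 40)
    [BitConverter]::GetBytes($Attributes).CopyTo($e, 48)
    [Text.Encoding]::Unicode.GetBytes($Name).CopyTo($e, 56)  # name, UTF-16LE, 72 bytes
    return ,$e
}

function New-GptHeader {
    param([guid]$DiskGuid, [uint64]$LastLba, [uint32]$EntriesCrc,
          [uint64]$EntriesLba = 2, [uint32]$EntryCount = 128)
    $h = New-Object byte[] 92
    [Text.Encoding]::ASCII.GetBytes('EFI PART').CopyTo($h, 0)        # signature
    [BitConverter]::GetBytes([uint32]65536).CopyTo($h, 8)             # revision 1.0 (0x00010000)
    [BitConverter]::GetBytes([uint32]92).CopyTo($h, 12)               # header size
    # bytes 16-19: header CRC32, left zero while the checksum is computed
    [BitConverter]::GetBytes([uint64]1).CopyTo($h, 24)                # LBA of this header (sector 1)
    [BitConverter]::GetBytes($LastLba).CopyTo($h, 32)                 # LBA of the backup header
    [BitConverter]::GetBytes([uint64]34).CopyTo($h, 40)               # first usable LBA (after 32 entry sectors)
    [BitConverter]::GetBytes([uint64]($LastLba - 33)).CopyTo($h, 48)  # last usable LBA (before backup table)
    $DiskGuid.ToByteArray().CopyTo($h, 56)                             # unique disk GUID
    [BitConverter]::GetBytes($EntriesLba).CopyTo($h, 72)              # partition table starts at sector 2
    [BitConverter]::GetBytes($EntryCount).CopyTo($h, 80)              # number of entries (usually 128)
    [BitConverter]::GetBytes([uint32]128).CopyTo($h, 84)              # size of one entry
    [BitConverter]::GetBytes($EntriesCrc).CopyTo($h, 88)              # CRC32 of the entry array
    [BitConverter]::GetBytes((Get-Crc32 $h)).CopyTo($h, 16)           # finally the header CRC32 itself
    return ,$h
}

function Read-GptHeader {
    param([byte[]]$Sector)
    $signature = [Text.Encoding]::ASCII.GetString($Sector, 0, 8)
    if ($signature -ne 'EFI PART') { throw "Not a GPT header: signature is '$signature'" }
    $stored = [BitConverter]::ToUInt32($Sector, 16)
    $copy = [byte[]]$Sector.Clone()
    [Array]::Clear($copy, 16, 4)        # the checksum is computed with its own field zeroed
    return [pscustomobject]@{
        DiskGuid    = ConvertTo-Guid $Sector[56..71]
        EntriesLba  = [BitConverter]::ToUInt64($Sector, 72)
        EntryCount  = [BitConverter]::ToUInt32($Sector, 80)
        EntrySize   = [BitConverter]::ToUInt32($Sector, 84)
        EntriesCrc  = [BitConverter]::ToUInt32($Sector, 88)
        HeaderCrcOk = ($stored -eq (Get-Crc32 $copy))
    }
}

function Read-GptPartitionEntry {
    param([byte[]]$Entry)
    return [pscustomobject]@{
        TypeGuid      = ConvertTo-Guid $Entry[0..15]
        PartitionGuid = ConvertTo-Guid $Entry[16..31]
        FirstLba      = [BitConverter]::ToUInt64($Entry, 32)
        LastLba       = [BitConverter]::ToUInt64($Entry, 40)
        Attributes    = [BitConverter]::ToUInt64($Entry, 48)
        Name          = [Text.Encoding]::Unicode.GetString($Entry, 56, 72).TrimEnd([char]0)
    }
}

# --- Constructed sample disk: 2 GiB of 512-byte sectors, one basic data partition
$lastLba   = [uint64]4194303
$basicData = [guid]'EBD0A0A2-B9E5-4433-87C0-68B6B72699C7'   # well-known "basic data partition" type GUID
$entries   = New-Object byte[] (128 * 128)                   # 128 entries x 128 bytes = 32 sectors
$entry = New-GptPartitionEntry -TypeGuid $basicData -PartitionGuid ([guid]::NewGuid()) -FirstLba 2048 -LastLba ($lastLba - 33) -Name 'Basic data partition'
$entry.CopyTo($entries, 0)
$header = New-GptHeader -DiskGuid ([guid]::NewGuid()) -LastLba $lastLba -EntriesCrc (Get-Crc32 $entries)

Read-GptHeader $header | Format-List
Read-GptPartitionEntry $entries[0..127] | Format-List

# A raw one-byte edit, the kind a disk editor makes, invalidates the header checksum:
$header[80] = 64                       # claim 64 entries instead of 128
(Read-GptHeader $header).HeaderCrcOk   # re-check after the edit; a GPT-aware tool stops here
```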
The following table describes the partitions that Windows 8.1 creates when you install it on a GPT disk.
Partition | Type | Size | Description
EFI system partition (ESP) | | 100 megabytes (MB) |
Microsoft Reserved (MSR) partition | | 128 MB |
Operating system | | Remaining disk |
Note: The Storage module cmdlets contained in the Windows PowerShell 4.0 command-line interface replace DiskPart.
Windows PowerShell 4.0. Windows PowerShell is a scripting language that accomplishes many tasks
in the Windows environment. Starting with Windows PowerShell 3.0, disk management commands
have been added for use as stand-alone commands or as part of a script.
Note: Windows 8.1 does not support remote connections in workgroups. Both the local
computer and the remote computer must be in a domain to use Disk Management to manage a
disk remotely.
Note: Do not use disk-editing tools such as DskProbe.exe to make changes to GPT disks.
Any change that you make renders the checksums invalid, which might cause the disk to become
inaccessible. To make changes to GPT disks, use Windows PowerShell, DiskPart, or Disk
Management.
With either tool, you can initialize disks, create volumes, and format a volume file system. Additional
common tasks include moving disks between computers, changing disks between basic and dynamic
types, and changing the partition style of disks. You can perform most disk-related tasks without
restarting a system or interrupting users, and most configuration changes take effect immediately.
Disk Management
Using the Disk Management snap-in to the Microsoft Management Console (MMC), administrators can
quickly manage standard fault-tolerant volume sets and can confirm the health of each volume. Disk
Management in Windows 8.1 provides the same features with which you might be familiar from previous
versions, including:
Simpler partition creation. When you right-click a volume, you can choose whether to create a basic,
spanned, or striped partition directly from the menu.
Disk conversion options. When you try to add more than four partitions to a basic disk, you are
prompted to convert the disk to dynamic or to the GPT partition style. You also can convert basic
disks to dynamic disks without incurring data loss. However, converting a dynamic disk to basic is not
possible without first deleting all of the volumes.
Extend and shrink partitions. You can extend and shrink partitions directly from the Windows
interface.
1. On the Start screen, type disk. This will display the Everywhere search screen.
2. Type diskmgmt.msc in the search box, and then click diskmgmt in the results list.
DiskPart
Using DiskPart, you can manage fixed disks and volumes by using scripts or direct input from the
command line. At the command prompt, type DiskPart, and then enter commands at the DiskPart
command prompt. The following are common DiskPart actions:
To view a list of DiskPart commands, at the DiskPart command prompt, type commands.
To create a DiskPart script in a text file and then run the script, type a script similar to DiskPart /s
testscript.txt.
To create a log file of the DiskPart session, type DiskPart /s testscript.txt > logfile.txt.
The following table shows several DiskPart commands that you will use frequently in this scenario.
Command | Description
list disk | Displays a list of disks and related information, including disk size, the amount of available free space on the disks, whether the disks are basic or dynamic, and whether the disks use the MBR or GPT partition style. The disks marked with an asterisk (*) are the ones against which the commands will execute.
select disk <disknumber> | Selects the specified disk, where <disknumber> is the disk number, and gives it focus.
convert gpt | Converts an empty, basic disk with the MBR partition style to a basic disk with the GPT partition style.
For additional information about DiskPart commands, start Disk Management, and then open the Help
Topics from the Help menu.
Note: You can abbreviate many, but not all of the DiskPart commands. For example, use
SEL instead of SELECT and PART instead of PARTITION.
Prior to Windows 8, if you wanted to script disk management tasks, you would have to make calls to
Windows Management Instrumentation (WMI) objects or include DiskPart in your scripts. Windows
PowerShell 3.0 and 4.0 now include commands for natively managing disks. The following table details
some Windows PowerShell commands.
Command | Description | Additional parameters
Get-Disk | |
Clear-Disk | |
Initialize-Disk | |
Set-Disk | |
Get-Volume | |
Must back up the entire contents of the hard disk before making a change, which is true for any
major change that you make to disk contents.
Must ensure that disks are online before you can initialize them or create new partitions or volumes.
To bring a disk online or take it offline in Disk Management, right-click the disk name, and then click
the appropriate action.
Can convert from GPT to MBR only if the disk does not contain any volumes or partitions.
Should use Event Viewer to check the system log for disk-related messages.
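One way to put the cmdlets in the table and the cautions above to work, as an added example that is not the course's own material: it lists the disks that still have no partition table, then initializes one of them, with a -WhatIf dry run available before anything is written. It assumes an elevated Windows PowerShell 4.0 or later session on Windows 8.1 with the Storage module cmdlets Get-Disk, Set-Disk, Initialize-Disk, New-Partition, Format-Volume, and Get-Volume; the function names, disk number, and volume label are the example's own.

```powershell
# Added example, not from the course: bring a blank disk into service with the
# Storage module cmdlets while keeping the guard rails listed above. Assumes an
# elevated Windows PowerShell 4.0 (or later) session and that Get-Disk was used
# first to confirm which disk number belongs to the new disk.

function Get-BlankDisk {
    # Only disks with no partition table yet (PartitionStyle RAW) are candidates;
    # anything else already holds data that would have to be backed up first.
    Get-Disk | Where-Object { $_.PartitionStyle -eq 'RAW' } |
        Select-Object Number, FriendlyName, OperationalStatus, IsOffline, IsReadOnly,
                      @{ Name = 'SizeGB'; Expression = { [math]::Round($_.Size / 1GB, 1) } }
}

function Initialize-DataDisk {
    # Initialize one RAW disk, create a single partition and format it NTFS.
    # SupportsShouldProcess lets you dry-run with -WhatIf before touching anything.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][int]$DiskNumber,
        [ValidateSet('GPT', 'MBR')][string]$PartitionStyle = 'GPT',
        [string]$Label = 'Data'
    )
    $disk = Get-Disk -Number $DiskNumber -ErrorAction Stop

    # Guard 1: refuse a disk that already carries MBR or GPT structures. Wiping it
    # is a separate, deliberate step (Clear-Disk -RemoveData) taken after a backup.
    if ($disk.PartitionStyle -ne 'RAW') {
        throw "Disk $DiskNumber is already $($disk.PartitionStyle); back it up and run Clear-Disk deliberately before reusing it."
    }

    # Guard 2: the disk must be online and writable before it can be initialized.
    if ($disk.IsOffline)  { Set-Disk -Number $DiskNumber -IsOffline  $false }
    if ($disk.IsReadOnly) { Set-Disk -Number $DiskNumber -IsReadOnly $false }

    if ($PSCmdlet.ShouldProcess("Disk $DiskNumber ($($disk.FriendlyName))",
                                "Initialize as $PartitionStyle and create one NTFS volume")) {
        Initialize-Disk -Number $DiskNumber -PartitionStyle $PartitionStyle -ErrorAction Stop
        $partition = New-Partition -DiskNumber $DiskNumber -UseMaximumSize -AssignDriveLetter
        $volume = Format-Volume -Partition $partition -FileSystem NTFS -NewFileSystemLabel $Label -Confirm:$false
        return Get-Volume -DriveLetter $volume.DriveLetter
    }
}

# Typical use: list candidates, dry-run, then run for real on the chosen disk.
Get-BlankDisk | Format-Table -AutoSize
# Initialize-DataDisk -DiskNumber 3 -WhatIf
# Initialize-DataDisk -DiskNumber 3 -Label 'ResearchData'
```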
All MBR disks initially are basic disks, which then can convert to dynamic disks. Dynamic disks can be
useful when fault tolerance or spanning of disks is required.
Dynamic disks support the following features:
Ability to be extended.
Creation of simple, spanned, striped, mirrored, and redundant array of independent disks (RAID)-5
volumes.
Note: In a multiboot scenario, if you are in one operating system, and you convert a basic
MBR disk that contains an alternate operating system to a dynamic MBR disk, you will not be
able to start in the alternate operating system.
Business desktop computer with one disk. Most business users require a basic disk and one basic volume for storage, but do not require a computer with volumes that span multiple disks or that provide fault-tolerance. This is the best choice for those who require simplicity and ease of use.
Business desktop computer with one disk and more than one volume. If small business users want to upgrade their operating systems and reduce the impact on their business data, they must store an operating system in a separate location from business data. This scenario requires a basic disk with two or more basic volumes. Users can install an operating system on the first volume, creating a boot volume or system volume, and use the second volume to store data. When a new version of an operating system releases, users can reformat the boot or system volume, and then install the new operating system. The business data, located on the second volume, remains untouched.
A simple volume might provide better performance than striped data layout schemes. For example, when
serving multiple, lengthy, sequential streams, performance is best when a single disk services each stream.
Also, workloads that are composed of small, random requests do not always result in performance
benefits when you move them from a simple to a striped data layout.
The emergence of solid-state drives (SSDs), which offer extremely fast data transfer rates, offer the
Windows 8.1 user another decision related to storing data. SSDs currently are more expensive and
have smaller capacities compared to traditional magnetic hard disk drives (HDDs). This combination
of performance, size, and cost is an acceptable compromise when used in small form factor devices;
however, a desktop PC might benefit from a combination of an SSD for Windows system files and a
large capacity HDD for business data.
This demonstration shows how to create a simple volume. First, you create a volume by using the Disk
Management snap-in, and then you will use Windows PowerShell.
Demonstration Steps
Using Disk Management
4. Complete the New Simple Volume Wizard by using the following settings:
Get-Disk -Number 3
Format-Volume -Confirm:$false
Get-Partition (Note the partition number you just created on disk 3, as you will use that in the
next step.)
In File Explorer, verify that the volumes that you created are visible.
Question: In what circumstances will you use less than all of the available space on a new
volume's disk?
A mirrored volume also is known as a RAID-1 volume. A striped volume combines equal-sized areas of
unallocated space from multiple disks. You use a mirrored volume when you wish to provide redundancy
for your system partition. Both spanned volumes and striped volumes require a Windows operating
system to be running to recognize the volume; therefore, neither of those solutions can provide
protection against disk failures for a system partition.
When creating a mirrored volume, the disk for the shadow volume must be at least the same size as the
volume being mirrored. Once the mirror is established, you cannot resize the mirrored volume.
There are two main benefits of using mirrored volumes. Recovering from a disk failure is very quick as
there is no data to rebuild. Additionally, read operations have a slight performance boost because you can
read from both disks simultaneously.
There are two main disadvantages of using mirrored volumes. Write operations are slightly slower as every
write needs to occur on both disks. Also, using mirrored volumes is the least efficient use of space
compared with other RAID configurations.
A spanned volume gives users the option to gather noncontiguous free space from one or many disks
into the same volume. A spanned volume does not provide any fault tolerance. Additionally, because the
areas that you combine are not necessarily equally distributed across the participating disks, there is no
performance benefit to implementing spanned volumes. I/O performance is comparable to simple
volumes.
You can create a spanned volume by extending a simple volume to an area of unallocated space on a
second disk, or you can designate multiple disks during the volume-creation process. The benefits of
using spanned volumes include uncomplicated capacity planning and straightforward performance
analysis.
If you create a new spanned volume, you must define the same properties as when you create a simple
volume in terms of size, file system, and drive letter. Also, you must define how much space to allocate to
the spanned volume from each physical disk.
You can create spanned volumes on dynamic disks only. If you attempt to create a spanned volume on
basic disks, the Windows operating system prompts you to convert the disk to dynamic after you have
defined the volume's properties and confirmed the choices.
It is possible to shrink a spanned volume. However, it is not possible to remove an area from a specific
disk. For example, if a spanned volume consists of three 100-MB partitions on each of three disks, you
cannot delete the third element. Depending on the space consumption on the volume, you can reduce
the volume's total size.
Note: When you shrink a spanned volume, no data loss occurs. However, the number
of disks involved might decrease. If the spanned volume resides on a single disk, the spanned
volume converts to a simple volume. If there are empty dynamic disks that result from shrinking a
spanned volume, the empty dynamic disks convert to basic disks.
If you install additional hard disks, it is possible to extend the spanned volume to include areas of
unallocated space on the new disks, as long as the total number of disks does not exceed the 32-disk limit
for spanned volumes.
You should create a striped volume when you want to improve the I/O performance of a computer.
Striped volumes provide for higher throughput by distributing I/O across all disks that are configured as
part of the set. The more physical disks that you combine, preferably across several disk controllers, the
faster the potential throughput is. For most workloads, a striped data layout provides better performance
than simple or spanned volumes, as long as you select the striped unit appropriately based on workload
and storage hardware characteristics. The overall storage load balances across all physical drives.
Striped volumes also are well suited for isolating the paging file. By creating a volume where Pagefile.sys
is the only file on the entire volume, the paging file is less likely to become fragmented, which helps
improve performance. Redundancy is not required for the paging file normally. Striped volumes provide
a better solution than RAID-5 for paging file isolation. This is because the paging file activity is write-intensive, and RAID-5 is better suited for read performance than write performance.
Because no capacity is allocated for redundant data, RAID-0 does not provide data-recovery mechanisms
such as those in RAID-1 and RAID-5. The failure of any disk results in data loss on a larger scale than it
would on a simple volume because it disrupts the entire file system that spreads across multiple physical
disks. The more disks that you combine in RAID-0, the less reliable the volume becomes.
When you create a striped volume, you will define the file system, drive letter, and other standard volume
properties. Additionally, you must define the disks from which to allocate free space. The allocated space
from each disk must be identical in size.
It is possible to delete a striped volume, but it is not possible to extend or to shrink the volume.
Configuration Changes
There are times when you might want to upgrade or in some way alter the configuration of computer
hardware or software. For example:
When a fault in software, hardware, or the combined architecture results in apps failing to run.
Other forms of volume management with different types of fault tolerance and recovery are available.
These include using RAID-1 or RAID-5 volumes, hardware mirroring, and disk duplexing. You could
consider using these forms of volume management in your enterprise if the standard Windows 8.1 tools
are not sufficient for your needs.
Question: How will the emergence of solid-state drives (SSDs) in enterprise workstations,
devices, and enterprise storage arrays change the storage landscape?
Demonstration Steps
Creating a spanned volume
3. Right-click the unallocated space on Disk 2, and then start the New Spanned Volume Wizard.
4. Complete the New Spanned Volume Wizard by using defaults, except for the following information:
5. Right-click the unallocated space on Disk 2, and then start the New Striped Volume Wizard.
2. Complete the New Striped Volume Wizard by using the defaults, except for the following
information:
Question: What is the advantage of using striped volumes, and conversely, what is the major
disadvantage?
To perform a shrink operation, ensure that the disk either is formatted with NTFS or unformatted and
that you are part of the Backup Operator or Administrators group. When you shrink a volume, contiguous
free space relocates to the end of a volume. There is no need to reformat the disk, but to ensure that the
maximum amount of space is available, make sure you perform the following tasks before shrinking:
Defragment the disk. This rearranges the disk sector so that unused space is at the end of the disk.
Ensure that no page files are stored on the volume that you are shrinking.
When you shrink a volume, unmovable files (for example, a page file) do not relocate automatically. It is
not possible to decrease the allocated space beyond the point where the unmovable files are located. If
you need to shrink a partition further, transfer the unmovable file to another disk, shrink the volume, and
then transfer the unmovable file back to the disk.
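As an added example (not part of the course text), the following Windows PowerShell script applies the pre-shrink checks described above before it resizes anything: it requires elevation, confirms that the volume is NTFS, refuses to continue if a page file is configured on the volume, and compares the requested reduction against the minimum size that unmovable files allow. The drive letter I: and the 50 MB reduction are taken from the demonstration in this module; Get-PartitionSupportedSize and Resize-Partition are Storage module cmdlets, used here in place of the DiskPart commands the demonstration uses.

```powershell
#Requires -RunAsAdministrator
# Added example: guarded shrink of a simple volume with the Storage module cmdlets.
# Drive letter I: and the 50 MB figure follow the demonstration in this module.
param(
    [string]$DriveLetter = 'I',
    [uint64]$ShrinkByBytes = 50MB,
    [switch]$DefragmentFirst   # HDD only; the lesson advises against defragmenting SSDs
)

function Test-PageFileOnVolume {
    param([string]$DriveLetter)
    # Win32_PageFileSetting lists configured page files by full path, for example I:\pagefile.sys.
    $pageFiles = Get-CimInstance -ClassName Win32_PageFileSetting -ErrorAction SilentlyContinue
    foreach ($pf in $pageFiles) {
        if ($pf.Name -like "$($DriveLetter):*") { return $true }
    }
    return $false
}

function Invoke-GuardedShrink {
    param([string]$DriveLetter, [uint64]$ShrinkByBytes, [switch]$DefragmentFirst)

    # Check 1: shrinking requires NTFS (or an unformatted volume, not handled here).
    $volume = Get-Volume -DriveLetter $DriveLetter -ErrorAction Stop
    if ($volume.FileSystem -ne 'NTFS') {
        throw "Volume $DriveLetter is $($volume.FileSystem); shrinking requires NTFS."
    }

    # Check 2: a page file is unmovable and blocks the shrink, so move it first.
    if (Test-PageFileOnVolume -DriveLetter $DriveLetter) {
        throw "A page file is configured on $DriveLetter. Move it to another volume before shrinking."
    }

    # Optional: defragment so that unused space is consolidated at the end of the volume.
    if ($DefragmentFirst) {
        Optimize-Volume -DriveLetter $DriveLetter -Defrag -ErrorAction Stop
    }

    # Check 3: SizeMin is the smallest size the partition can shrink to; unmovable files raise it.
    $partition = Get-Partition -DriveLetter $DriveLetter -ErrorAction Stop
    $limits = Get-PartitionSupportedSize -DriveLetter $DriveLetter
    $target = $partition.Size - $ShrinkByBytes
    if ($target -lt $limits.SizeMin) {
        throw ("Cannot shrink by {0} MB: unmovable data limits the partition to at least {1} MB." -f
            ($ShrinkByBytes / 1MB), [math]::Ceiling($limits.SizeMin / 1MB))
    }

    Resize-Partition -DriveLetter $DriveLetter -Size $target -ErrorAction Stop

    # Report the new geometry so it can be compared with the size recorded before the shrink.
    Get-Partition -DriveLetter $DriveLetter |
        Select-Object DiskNumber, PartitionNumber, DriveLetter,
            @{ Name = 'SizeMB'; Expression = { [math]::Round($_.Size / 1MB) } }
}

Invoke-GuardedShrink -DriveLetter $DriveLetter -ShrinkByBytes $ShrinkByBytes -DefragmentFirst:$DefragmentFirst
```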
Note: Volume Shadow Copy Service (VSS) is a technology in the Windows operating
system that allows users to restore previous versions of files. Windows 8.1 has deprecated the
Previous Versions feature that creates snapshots of local volumes. However, users can still use the
Previous Versions feature when accessing file shares on a Windows Server 2012 R2 server. To view
the amount of space used by the shadow copy feature, use the VSS administrative command-line
tool. Start an elevated command prompt from the Administrative menu by pressing the Windows
logo key+X, clicking Command Prompt (Admin), and then typing vssadmin list shadowstorage.
Defragmentation in Windows 8.1 improves on previous versions of the Windows operating system. You
can now relocate some files that could not be moved in Windows Vista or earlier versions.
Note: You might destroy or lose data if you shrink a raw partition, meaning a partition
that does not have a file system but does contain data. Remember to make a backup before
extending or shrinking a partition or volume.
You can shrink simple and spanned dynamic volumes, but not other volume types. Here are a few ways in
which you can increase the size of a simple volume:
Extend the simple volume on the same disk. The volume remains a simple volume.
Extend a simple volume to include unallocated space on other disks on the same computer. This
creates a spanned volume.
This demonstration shows how to shrink a volume with the DiskPart tool. Then, the Disk Management tool
is used to extend a simple volume.
Demonstration Steps
Using DiskPart
1.
2.
Start DiskPart.
3.
4.
shrink desired=50
Compare the size of the Simple2 volume with the size previously reported.
2.
3.
Start the Extend Volume Wizard, and then extend the spanned volume with 50 MB from Disk 3.
Question: When might you need to reduce the system partition's size?
Resiliency          Description
Simple (none)
Two-way mirror      All files in the pool are maintained on at least two different physical drives, mirroring your data.
Three-way mirror
Parity              At least three drives store the data and parity bit. This is the most space-efficient storage option, but potentially the poorest for performance, because the parity information must be calculated.
Note: Notice the change to modern and familiar terminology when discussing types of disk
redundancy compared with the traditional RAID-0, RAID-1, and RAID-5 nomenclature seen
earlier in the module.
The Storage Spaces feature allows the addition of disparate disk types, such as internal/external, USB
drives, Serial ATA, and other types. During the addition of the storage, a drive is formatted and configured
as a new storage pool.
Note: Ensure that you have made a backup or removed any data before adding a drive, as
Windows 8.1 will format any drive that is added to a storage pool as part of the configuration.
After you configure a storage space, you can modify the storage space name and size and even delete the
space completely, which will return the space back to the storage pool.
Note: Deleting a storage space will permanently delete all the files it contains. Ensure that
you move or back up any data before deleting a storage space.
Question: Discuss scenarios when you would use Storage Spaces in a client workstation
environment.
Lesson 2
When you first create a volume, you typically create new files and folders on the volume's available free
space in contiguous blocks. This provides an optimized file system environment. As the volume becomes
full, the availability of contiguous blocks diminishes. This can lead to suboptimal performance. This lesson
explores file system fragmentation and the tools that you can use to reduce fragmentation. You also will
see how Windows 8.1 automatically checks and fixes most file system issues and how you can configure
disk quotas to monitor and control how disks are filled.
Lesson Objectives
After completing this lesson, you will be able to:
Although NTFS is more efficient at handling disk fragmentation than earlier file systems, this
fragmentation still presents a potential performance problem. Combined hardware and software advances
in the Windows operating system help to mitigate the impact of fragmentation and deliver better
responsiveness.
Question: How does the increasing storage capacity of HDDs affect file fragmentation?
Defragmenting a Disk
When you optimize a disk, files are relocated optimally. This ability to relocate files is beneficial when you
are shrinking a volume because it lets the system free up space that you can later reclaim.
Windows 8.1 defragments drives automatically on a scheduled basis, running weekly in the background to
rearrange data and reunite fragmented files. You can check the status of a defragmentation or perform a
manual optimization at any time by launching the Optimize Drives tool.
To optimize a volume or drive manually, or to change the automatic optimization schedule, right-click a
volume in File Explorer, click Properties, click the Tools tab, and then click Optimize. You then can perform
the following tasks:
You also can start the optimization process by launching Defragment and Optimize Drives from the
Administrative Tools section within Control Panel\System and Security.
To verify that a disk requires defragmentation, in the Optimize Drives tool, select the disk that you want to
defragment, and then click Analyze. After Windows finishes analyzing the disk, check the percentage of
fragmentation on the disk in the Current status column. If the number is high, you should defragment the
disk. The Optimize Drives tool might take from several minutes to a few hours to finish defragmenting,
depending on the size and degree of fragmentation of the disk or USB device, such as an external hard
drive. You can use the computer during the defragmentation process, although disk access might be
slower and the defragmentation might take longer.
You can configure and run disk defragmentation from an elevated command prompt by using the defrag
command-line tool. Use Defrag /? at a command prompt for available options.
You can minimize file system fragmentation in the following ways:
Partition a disk so that you isolate static files from those that are created and deleted frequently, such
as some user-profile files and temporary Internet files.
Use the Disk Cleanup feature (Cleanmgr.exe) to free disk space that is consumed by each user's
preferences for console files that the profile saves.
Use the Optimize Drives tool to help reduce the impact of disk fragmentation on disk volumes,
including USB drives. The Optimize Drives tool rearranges fragmented data so that disks and drives
can work more efficiently.
Newer drives such as SSDs do not need to be defragmented in the same way as HDDs because files are
not accessed mechanically. If an SSD or USB flash drive becomes fragmented, only a small performance
benefit is gained by optimizing the drive, because all files are accessed at equally high speed regardless
of their location or level of fragmentation. Because of the volume of read/write operations that the
optimization process requires, SSDs should not be defragmented.
Note: Defragmenting an SSD or a USB flash drive can decrease the life span of a drive
significantly.
Unlike previous versions of Chkdsk, Windows can now repair a volume while the Windows operating
system is still running. Windows can take the volume offline temporarily while it carries out repairs. Repairs
to the boot and system volumes cannot be performed while the Windows operating system is running, so
these actions are performed at the next system restart.
Note: The computer or device must be connected to AC power during the 3 A.M.
automated maintenance window for this procedure to take place. Alternatively, if the
maintenance window is missed, the task is carried over until the next time that AC power is
connected and the operating system is idle.
In addition to automatic scanning, you can manage disk health manually by using the Chkdsk command
from an elevated command prompt or within Windows PowerShell with one of the following commands.
Command             Description
/?
volume              Specifies the drive letter (followed by a colon), mount point, or volume name.
Filename            FAT or FAT32 only: specifies the files to check for fragmentation.
/F
/V                  On FAT or FAT32: displays the full path and name of every file on the disk. On NTFS: displays cleanup messages, if any.
/R                  Locates bad sectors and recovers readable information. Implies /F when /scan is not specified.
/L:size             NTFS only: changes the log file size to the specified number of kilobytes (KB). If size is not specified, displays the current size.
/X                  Forces the volume to dismount first if necessary. All open handles to the volume then become invalid. Implies /F.
/I
/C
/B
/scan
/forceofflinefix    NTFS only: bypasses all online repair; all defects found are queued for offline repair (that is, Chkdsk /spotfix). Must be used with /scan.
/perf               NTFS only: uses more system resources to complete a scan as fast as possible. This might have a negative performance impact on other tasks that are running on the system. Must be used with /scan.
/spotfix
/sdcleanup          NTFS only: garbage collects unneeded security descriptor data. Implies /F.
/offlinescanandfix
Question: In addition to the automatic scheduled maintenance that the Windows operating
system performs, what other options could be considered to prevent unexpected data loss?
Note: The Administrator user account is exempt from any warnings or disk space
limitations.
Several different methods are available to the user for managing disk quotas.
Disk Properties
From the File Explorer window, view the properties of a selected disk or volume. You can use the
Quota tab to enable and manage quotas on individual drives. You can use the GUI to configure the same
settings that are available to the disk quota Group Policy Object (GPO). Additionally, you can manage and
view individual quota entries. When you manage individual quota settings, you can perform the following
tasks:
Create a new quota entry. You can configure settings that override the default values for specific
users.
Delete a quota entry. You can remove a previously created quota entry and allow the default settings
to apply to the user.
Export and import. You can export configured settings on a specific volume, and you can import the
settings on another volume for ease of management.
Over time, the amount of available disk space inevitably diminishes. Therefore, you should ensure that you
have a contingency plan to increase storage capacity.
Fsutil
You can manage quotas by using the fsutil quota command from an elevated command prompt or
from within Windows PowerShell with one of the following subcommands:
Violations. Queries the application and system logs for quota violations.
Group Policy
In either a local or domain-based GPO, you can find the disk quota settings in the Administrative
Templates, System, Disk Quotas section. The policy settings available within this GPO are:
Note: Quotas are tracked separately for each volume. When you restrict disk space, all
users on a volume share the same default limit. By contrast, Windows Server 2012 and newer versions
allow administrators more detailed restrictions, including the ability to set different limits for each
user.
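The following Windows PowerShell script is an added example, not part of the course text: it enforces quotas on a volume with fsutil quota, sets a per-user entry that overrides the defaults, lists the resulting entries, and then reads the quota events (Event ID 36, the ID the lab in this module checks in Event Viewer) from the System log. The volume I: and the user Adatum\Alan come from the lab; the 10 MB threshold and 15 MB limit are constructed values, and the event query assumes that event logging is enabled on the volume's Quota tab.

```powershell
#Requires -RunAsAdministrator
# Added example: enforce NTFS quotas with fsutil and review the resulting quota events.
# Volume I: and Adatum\Alan follow this module's lab; the byte figures are constructed.
param(
    [string]$Volume = 'I:',
    [string]$User = 'Adatum\Alan',
    [uint64]$ThresholdBytes = 10MB,   # warning threshold
    [uint64]$LimitBytes = 15MB        # hard limit; writes beyond it fail with "not enough space"
)

function Enable-VolumeQuota {
    param([string]$Volume)
    # 'enforce' turns quota tracking on and makes the limits binding for non-administrators.
    & fsutil quota enforce $Volume | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "fsutil quota enforce failed for $Volume (exit code $LASTEXITCODE)" }
}

function Set-UserQuota {
    param([string]$Volume, [string]$User, [uint64]$ThresholdBytes, [uint64]$LimitBytes)
    # Syntax: fsutil quota modify <volume> <threshold> <limit> <user>; both sizes are in bytes.
    # This creates or updates the quota entry for the user, overriding the volume default.
    & fsutil quota modify $Volume $ThresholdBytes $LimitBytes $User | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "fsutil quota modify failed for $User (exit code $LASTEXITCODE)" }
}

function Get-QuotaEvents {
    param([int]$Hours = 24)
    # NTFS writes quota events to the System log; the lab looks for Event ID 36 in Event Viewer.
    $filter = @{ LogName = 'System'; Id = 36; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName, Message
}

Enable-VolumeQuota -Volume $Volume
Set-UserQuota -Volume $Volume -User $User -ThresholdBytes $ThresholdBytes -LimitBytes $LimitBytes

# Show the default settings and every per-user entry now present on the volume.
& fsutil quota query $Volume

# Then any recent quota events, so the administrator can confirm the limit is being hit.
Get-QuotaEvents | Format-Table -AutoSize
```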
Question: Will quota management be useful in your organization?
This demonstration shows how to configure drive defragmentation, check a volume for errors, and create
a disk quota.
Demonstration Steps
Configure drive defragmentation
1.
2.
3.
Open an administrative Windows PowerShell window, and then run the following command on
drive I:
o
4.
5.
Defrag I: /A
Defrag I: /H /U /V
Open an administrative Windows PowerShell window, and then run the following command on
drive I:
o
2.
Chkdsk /scan I:
If the tool finds errors, you can attempt to repair them by typing the following command on drive I:
o
Chkdsk /spotfix I:
2.
3.
Click the Quota tab, and then enable quotas with the following settings:
o
4.
5.
6.
Open a Command Prompt window, and then run the following commands on drive l:
o
7.
The quota is exceeded and an error is displayed, indicating that there is not enough space on the disk to
save the additional user file.
8.
Lesson 3
Lesson Objectives
After completing this lesson, you will be able to:
Describe the tools used to create, delete, and mount virtual hard disks in Windows 8.1.
Describe how to manage virtual hard disk files in the Windows 8.1 file system.
Portability. Virtual hard disk files might be easier to move between systems, particularly when shared
storage is used.
Performance. In high I/O scenarios, the additional overhead of using a virtual hard disk can affect
performance.
Physical failures. A .vhd file does not protect against cluster failure on the underlying physical disks.
Multiboot. Windows 7 and Windows 8.1 support native boot from virtual hard disk. This can allow
you to start a system from multiple .vhd files to support different applications without the need to
install them in the same operating system.
Managing desktop image deployment. You can use virtual hard disks as reference images for either
physical or virtual machines to ensure that each system starts with a common image.
Physical disk virtualization. You can use virtual hard disks in conjunction with underlying storage that
is configured for resiliency.
Windows 8.1 supports both virtual disk formats, .vhd and .vhdx. The .vhdx format has a metadata
structure that is aimed at reducing data corruption and improving alignment on large-sector disks. The .vhd
format is limited to 2 TB of storage, whereas the newer .vhdx format supports virtual disks up to a
maximum size of 64 TB.
For more information on the .vhdx format, go to:
Hyper-V Virtual Hard Disk Format Overview
http://go.microsoft.com/fwlink/?LinkId=266557
You can configure virtual hard disks as three types: fixed-size, dynamically expanding, or differencing.
Fixed-size
A fixed-size virtual hard disk is allocated its maximum size when you create a virtual disk. The fixed-size
disk type is the recommended type of virtual disk in the following scenarios:
When I/O performance is required to be as high as possible. Because the file does not dynamically
expand as data is created within it or copied to the virtual disk, fixed-size virtual disks typically are
only 6 percent slower than the underlying physical drive.
When a dynamically expanding disk increases in size, the host physical drive could run out of space
and cause write operations to fail. The use of fixed-size virtual disks ensures that this does not happen
because the full drive size has already been committed to the virtual disk.
The file data will not become inconsistent because of a lack of storage space or power loss.
Dynamically expanding virtual disks depend on multiple write operations to expand the file. The
internal-block allocation information can become inconsistent if all I/O operations to the virtual disk
file and the host volume are not complete and persisted on the physical disk. This can happen if the
computer suddenly loses power.
Dynamically expanding
A dynamically expanding virtual hard disk starts very small in size and grows as large as the data that is
written to it. As more data writes to a dynamically expanding virtual hard disk, the file increases to the
configured maximum size. For example, a 50-gigabyte (GB) dynamically expanding virtual hard disk that
has 10 GB of data files copied to it will occupy approximately 10 GB space on the physical hard drive and
can accommodate a further 40 GB of data. With the improvements in the .vhdx format, we recommend
the dynamically expanding disk type when creating .vhdx drives.
Note: The .vhdx format is not backward compatible with Windows 7.
Differencing disk
A differencing disk tracks the changes made from another virtual disk. Creating a parent/child relationship
between virtual disks can save significant disk space. Because this disk type lets you use the contents of
a base disk (parent) without making changes to the base disk, all changes are made to the differencing
(child) disk. You should configure base disks as read-only to prevent changes to them. All changes made
when using the virtual machine then write to the differencing disk. A differencing disk must be a
dynamically expanding disk.
Note: You can create differencing disks only by using DiskPart or Windows PowerShell.
Managing Virtual Hard Disk Files in the Windows 8.1 File System
Virtual disks are supported fully by Windows 8.1, and you should understand the tools that are available to
create, mount, and delete virtual disks.
Several methods are available for managing virtual disks in Windows 8.1: Disk Management, DiskPart, and
Windows PowerShell 4.0.
Disk Management
The Disk Management snap-in for the MMC provides a familiar GUI where a user can create, attach, and
detach virtual disks within a Windows operating system.
After you create a new virtual disk, a new disk appears in the console, and you need to initialize this disk
so that the Windows operating system can manage the drive. After it initializes, you can treat the drive
like any other drive. For example, you can format it, assign a drive letter to it, or the system can create a
mount point and use the drive. After a virtual disk is allocated a drive letter, it is mounted and you can
access the drive by using File Explorer to carry out normal activities; it behaves just like a physical drive.
Note: A virtual disk appears in the Disk Management console with a light blue drive icon to
indicate to the user that it is a virtual disk.
If you wish to remove a virtual hard disk from your system, for example, to make it portable, or to connect
it to a virtual machine, you first must return to Disk Management to detach the disk. While a virtual disk
is online and managed by Disk Management, it is not possible to delete the virtual disk from within File
Explorer, as the file is marked as an open file by the system. If the virtual disk is external to the system, for
example, if it resides on a USB drive, disconnecting the USB drive without first detaching the virtual disk
can corrupt the .vhd file and make it unusable.
Note: Take care when placing virtual hard disks on portable drives; they can become
corrupted easily if they are in use when you disconnect the portable drive.
Although Disk Management gives users the ability to configure virtual disks from a GUI, there are some
limitations, such as the inability to create differencing virtual disks. To access more powerful options,
consider using DiskPart and Windows PowerShell, which provide more control over virtual disks from the
command line.
To create a virtual hard disk by using DiskPart, you use the create vdisk command at the DiskPart
command prompt. You can create and manage virtual disks by using one of the following commands
within DiskPart:
Create vdisk
Detach vdisk
Expand vdisk
Select vdisk
The following table shows the available options that the create vdisk command supports.
Option                     Description
file=<filename>            Specifies the complete path and file name of the virtual disk file. The file might be on a network share.
maximum=<n>
type=<fixed|expandable>
sd=<sddl string>
parent=<filename>
source=<filename>
noerr
To create a differencing virtual disk from an existing parent virtual disk you would use the following
command:
CREATE VDISK FILE=i:\newdiffdisk.vhdx PARENT=i:\parentdisk.vhdx
To mount a virtual disk by using DiskPart, you first must use the select vdisk command to specify the
virtual hard disk file, and then use the attach vdisk command. The following table shows the available
options that the select vdisk command supports.
Option              Description
file=<filename>     Specifies the complete path and file name of the virtual hard disk file. The file might be on a network share.
noerr
The following table shows the available options that the attach vdisk command supports.
Option              Description
readonly            Attaches the virtual disk as read-only. Any write operation will return an I/O device error.
sd=<sddl string>
usefilesd           Specifies that the security descriptor on the virtual disk file itself should be used on the virtual disk. If not specified, the disk will not have an explicit security descriptor unless one is specified with sd=<sddl string>.
To unmount a virtual disk by using DiskPart, you first must use the select vdisk command to specify the
virtual hard disk file, and then use the detach vdisk command. The detach vdisk command only
supports the noerr option.
Windows PowerShell 4.0 and 3.0 contain native disk management cmdlets that you can use to script or
manage virtual disks in an enterprise environment.
Windows PowerShell includes commands that you can use to manipulate existing disk image files, which
can be .iso, .vhd, or .vhdx files. You can use the following commands with existing disk image files.
Cmdlet                Description
Dismount-DiskImage    Dismounts a disk image (virtual hard disk or ISO image) so that it can no longer be accessed as a disk.
Get-DiskImage         Returns information about one or more disk images (virtual hard disk or ISO image) at the specified location.
Mount-DiskImage       Mounts a disk image (virtual hard disk or ISO image), making it appear as a normal disk.
Note: Use the VirtualDisk cmdlets (for example, Get-VirtualDisk) within Windows PowerShell to manage
the virtual disks found in Storage Spaces.
To mount an existing .iso, .vhd, or .vhdx file, you use the following command:
Mount-DiskImage -ImagePath <Path>\<FileName>
Note: To view all the available cmdlets in the Storage module for Windows PowerShell, run
the following cmdlet:
Get-Command -Module Storage
To view the cmdlets for working with disk images, run the following cmdlet:
Get-Command -Module Storage *DiskImage*
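The following Windows PowerShell script is an added example, not part of the course text, and it ties the DiskPart and PowerShell sections of this lesson together: it runs the CREATE VDISK ... PARENT= command shown above through a DiskPart script file to create a differencing disk, marks the parent file read-only as the lesson recommends, mounts the child read-only with Mount-DiskImage (the equivalent of attach vdisk readonly), inspects it with Get-DiskImage and Get-Disk, and then dismounts it. The paths I:\parentdisk.vhdx and I:\newdiffdisk.vhdx are the lesson's; the parent is assumed to exist already.

```powershell
#Requires -RunAsAdministrator
# Added example: differencing disk via DiskPart, then read-only mount via the DiskImage cmdlets.
# Paths follow this lesson's CREATE VDISK example; the parent .vhdx is assumed to exist.
param(
    [string]$Parent = 'I:\parentdisk.vhdx',
    [string]$Child  = 'I:\newdiffdisk.vhdx'
)

function New-DifferencingVhdx {
    param([string]$Parent, [string]$Child)
    if (-not (Test-Path -LiteralPath $Parent)) { throw "Parent disk $Parent not found." }
    if (Test-Path -LiteralPath $Child) { throw "Child disk $Child already exists; refusing to overwrite." }

    # Disk Management cannot create differencing disks; DiskPart can. A differencing disk is
    # always dynamically expanding, so no type= or maximum= option is given.
    $script = Join-Path $env:TEMP 'create-diff.txt'
    "CREATE VDISK FILE=`"$Child`" PARENT=`"$Parent`"" | Set-Content -LiteralPath $script -Encoding ASCII
    $output = & diskpart /s $script
    Remove-Item -LiteralPath $script -Force
    if ($LASTEXITCODE -ne 0) { throw "diskpart failed (exit $LASTEXITCODE):`n$($output -join "`n")" }

    # Any write to the parent invalidates every child built on it, so lock the file itself.
    Set-ItemProperty -LiteralPath $Parent -Name IsReadOnly -Value $true
    Get-Item -LiteralPath $Child
}

function Mount-ChildReadOnly {
    param([string]$Child)
    # -Access ReadOnly is the counterpart of DiskPart's 'attach vdisk readonly':
    # any write to the mounted disk returns an I/O device error.
    Mount-DiskImage -ImagePath $Child -Access ReadOnly -ErrorAction Stop | Out-Null

    $image = Get-DiskImage -ImagePath $Child
    if (-not $image.Attached) { throw "Mount of $Child did not complete." }

    # The attached image exposes its disk number, which Get-Disk resolves to the disk object.
    $disk = Get-Disk -Number $image.Number
    [pscustomobject]@{
        ImagePath  = $image.ImagePath
        Attached   = $image.Attached
        DiskNumber = $disk.Number
        IsReadOnly = $disk.IsReadOnly
        SizeGB     = [math]::Round($image.Size / 1GB, 2)
    }
}

$childFile = New-DifferencingVhdx -Parent $Parent -Child $Child
Mount-ChildReadOnly -Child $childFile.FullName | Format-List

# Detach before moving or deleting the file; while attached it is held open by the system.
Dismount-DiskImage -ImagePath $childFile.FullName
```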
A. Datum Corporation has purchased additional hard drives for the laptop computers used by the
Marketing department. You need to modify the hard drive configuration manually. Because of application
requirements, you need to create several simple partitions, a spanned partition, and a striped partition.
The laptop computers are shared and require that you place a quota on the spanned drive. In certain
instances, you plan to use virtual hard drives.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 30 minutes
Virtual machines: 20687D-LON-DC1, 20687D-LON-CL2
User names: Adatum\Administrator and Adatum\Alan
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1.
On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2.
In Hyper-V Manager, click 20687D-LON-DC1, and in the Actions pane, click Start.
3.
In the Actions pane, click Connect. Wait until the virtual machine starts.
4.
5.
Password: Pa$$w0rd
Domain: Adatum
A. Datum has purchased additional hard drives for the laptop computers used by the Marketing
department. To ensure that the new disks can store corporate Microsoft Office PowerPoint presentations
and media, you need to create and manage the volumes on the newly installed hard disks.
The main tasks for this exercise are as follows:
1.
2.
3.
4.
5.
6.
2.
3.
4.
Complete the New Simple Volume Wizard by using the following settings:
o
5.
6.
2.
Get-Partition (Note the partition number you just created on Disk 3. You will use that in the next
step.)
3.
4.
In File Explorer, verify that the volume that you created is visible.
5.
Close File Explorer, and then minimize the Windows PowerShell command prompt window.
2.
Start the Extend Volume Wizard, and then extend Simple1 with 500 MB from Disk 2.
3.
2.
3.
Note the disk number, partition number, and size for drive H.
4.
At the Windows PowerShell command prompt, run the following command, and then substitute the
DiskNumber and PartitionNumber information with the information you recorded in the previous
step:
o
5.
6.
Compare the size of the Simple2 volume with the size previously reported.
7.
1.
2.
Right-click the unallocated space on Disk 2, and then start the New Spanned Volume Wizard.
3.
Complete the New Spanned Volume Wizard by using defaults, except for the following information:
4.
Right-click the unallocated space on Disk 2, and then start the New Striped Volume Wizard.
2.
Complete the New Striped Volume Wizard by using defaults, except for the following information:
3.
Results: After completing this exercise, you should have created several volumes on a client computer.
In this exercise, you will configure a disk quota on one of the new volumes. You will enforce a quota limit
and then sign in as a standard user to test it.
The main tasks for this exercise are as follows:
1.
2.
3.
4.
2.
3.
4.
Click the Quota tab, and then enable quotas with the following settings:
o
2.
Open a Command Prompt window, and then run the following commands on drive I:
o
2.
3.
4.
5.
6.
7.
Review the message that appears when you make the second copy, and then click Cancel.
8.
1.
2.
3.
4.
Click the Quota tab, and then open the Quota Entries.
5.
Review the entries for Alan Steiner in the Quota Entries for StripedVol (I:) dialog box, and then
close all open windows.
6.
Open the Event Viewer, and then look for events with an Event ID of 36.
7.
Review the event or events found, and then close all open windows.
Results: After completing this exercise, you should have created and tested a disk quota.
2.
Mount the virtual hard disk file, browse to the virtual hard disk file, and create files on the drive.
3.
2.
3.
Complete the Create and Attach Virtual Hard Disk Wizard by using the following settings:
o
4.
5.
Task 2: Mount the virtual hard disk file, browse to the virtual hard disk file, and create files on the drive
1.
Using the virtual hard disk I:\DemoDisk.VHDX that was created previously, bring the disk online, and
then format the unallocated space, naming the drive SimpleVHD1.
2.
In File Explorer, verify that a new drive named SimpleVHD1 has been created.
3.
4.
Create a new Notepad document named Test.txt, and then save it on the new drive.
5.
Using the virtual hard disk I:\virtualdisk2.vhdx that was created previously, bring the disk online,
and then format the unallocated space, naming the drive SimpleVHD2.
6.
In File Explorer, verify that a new drive named SimpleVHD1 has been created.
7.
8.
Open the Test folder, and then create a new Notepad document named Test.txt.
2.
3.
4.
5.
Results: After completing this exercise, you should have created, mounted, and then deleted a virtual
hard disk file.
When you have finished the lab, leave the virtual machines running, as they are needed for the next
lab.
Lesson 4
Devices have changed from being single-function peripherals to complex, multifunction devices with a
large amount of local storage and the ability to run many apps. They have evolved from a single type of
connection, such as USB 1.0, to multi-transport devices that support USB 3.0, Bluetooth, and Wi-Fi. Newer
connection methods such as near field communication and Miracast wireless display capabilities are
emerging technologies that have built-in support within Windows 8.1.
Many of today's devices are integrated and sold with services that are delivered over the Internet.
Internet delivery has simplified the delivery mechanism, which means that a computer's ability to
recognize and use devices has expanded to cover several possibilities. Microsoft constantly expands the
list of devices and peripherals that are tested for compatibility with Windows 8.1.
The device experience in Windows 8.1 is designed on existing connectivity protocols and driver models to
maximize compatibility with existing devices. You can use the following areas in Windows 8.1 to manage
devices:
The Devices and Printers control panel item gives users a single location to find and manage all the
devices that connect to a Windows 8.1-based computer, and it provides quick access to device status,
product information, and key functions such as faxing and scanning. This enhances and simplifies the
customer experience with a Windows 8.1-connected device.
Device Manager is used to view and update hardware settings and driver software for devices such as
internal hard drives, network cards, sound cards, video or graphics cards, memory, processors, and
other internal computer components.
Building on the Plug and Play concept, seamless user experiences begin with the ability to effortlessly
connect devices to a Windows 8.1 device. Windows Update automatically retrieves up-to-date and newly
released drivers, and when appropriate, users are given an option to download and install additional apps
for the device. These components all help reduce support calls and increase customer satisfaction.
Lesson Objectives
After completing this lesson, you will be able to:
Windows 8.1 is available in 32-bit and 64-bit versions. Drivers that were developed for the 32-bit version
do not work with the 64-bit version, and vice versa. Make sure that you obtain appropriate device drivers
before you install Windows 8.1.
Driver Signing
The device drivers that are included with Windows 8.1 have a Microsoft digital signature that indicates
that a particular driver or file has met a certain level of testing, is stable and reliable, and has not been
altered since it was digitally signed. Windows 8.1 checks for a driver's digital signature during installation
and prompts the user if no signature is available.
Note: The signature file is stored as a .cat file in the same location as the driver file.
The driver store is the driver repository in Windows 8.1. A driver package is a set of files that make up
a driver. It includes the .inf file, any files that the .inf file references, and the .cat file that contains the
digital signature for the device driver. You can preload the driver store with drivers for commonly used
peripheral devices. The driver store is located in %SystemRoot%\System32\DriverStore.
Installing a driver is a two-stage process. First, you install the driver package into the driver store. You
must use administrator credentials to install the driver package into the driver store. The second step is
to attach the device and install the driver. A standard user can perform this second step.
During hardware installation, if the appropriate driver is not available, Windows 8.1 uses Windows Error
Reporting to report an unknown device. This enables OEMs to work with Microsoft to provide additional
information to users, such as a statement of nonsupport for a particular device, or a link to a website with
additional support information.
In Windows 8.1, the Device Metadata Retrieval Client provides an end-to-end process for defining and
distributing device metadata packages. These packages contain device-experience XML documents that
represent a device's properties and functions, together with applications and services that support the
device. Through these XML documents, the Devices and Printers control panel category page, and Device
Stage, users are presented with an interface that is specific to a device, which the device maker defines.
Windows 8.1 uses Windows Metadata and Internet Services (WMIS) to discover, index, and match device
metadata packages to specific devices that connect to a computer. Device makers also can distribute
device metadata packages directly to a computer through their own setup applications.
Note: You can use the Pnputil.exe tool to add a driver to the Windows 8.1 driver store manually.
Be uniquely identified.
Windows 8.1 reads this information when a device attaches to a computer and then completes
the configuration so that the device works properly with other installed devices. When properly
implemented, Plug and Play provides automatic configuration of PC hardware and devices. The driver
architecture for Windows supports comprehensive, operating system-controlled Plug and Play. Plug
and Play technologies are defined for Institute of Electrical and Electronics Engineers 1394 (IEEE 1394),
Peripheral Component Interconnect (PCI) cards, PC Card/CardBus, USB, SCSI, Advanced Technology
Attachment (ATA), Industry Standard Architecture (ISA), LPT, and Component Object Model (COM). You
can use Device Manager to install device drivers manually that are not compliant with Plug and Play.
Windows 8.1 introduces several improvements to the way that users can discover and use the devices
that their computers host and which connect to their computers. Windows 8.1 can detect nearby devices
in the home, automatically making them available for use. Windows 8.1 also can install a Windows 8.1
device app automatically from the Windows Store when users connect their device for the first time.
Windows 8.1 device apps that are companions to a device or PC have the ability to take advantage of
the full range of functionality of that device or PC.
The success of a driver installation depends on several factors. Two key factors are whether a device is
supported by a driver package that is included with a Windows operating system, available on Windows
Update, or available from the Windows Store, and whether the user has media with the driver package
that the vendor provides. Windows 8.1 includes several features that help an administrator make device
driver installation more straightforward for users:
Staging driver packages in the protected driver store. A standard user without any special privileges
or permissions can install a driver package that is in the driver store.
Configuring client computers to search a specified list of folders automatically when a new device
attaches to the computer. A network share can host these folders. When a device driver is accessible
in this manner, the Windows operating system does not need to prompt the user to insert media.
Restarting the system is rarely necessary when installing Plug and Play devices or software
applications. This is true because of the following reasons:
The Plug and Play Manager installs and configures drivers for Plug and Play devices when the
operating system is running.
Applications can use side-by-side components instead of replacing shared, in-use dynamic-link
libraries (DLLs).
These features improve the user experience and reduce help desk support costs because standard users
can install approved driver packages without requiring additional permissions or administrator assistance.
These features also help increase computer security by ensuring that standard users only can install driver
packages that you authorize and trust.
When a user inserts a device, the Windows operating system detects it and then signals the Plug and
Play service to make the device operational. Plug and Play queries the device for identification strings
and searches the driver store for a driver package that matches the identification strings. If a matching
package is found, Plug and Play copies the device driver files from the driver store to their operational
locations, typically %SystemRoot%\System32\Drivers, and then updates the registry as needed. Finally,
Plug and Play starts the newly installed device driver.
If a matching package is not found in the driver store, the Windows operating system searches for a
matching driver package by looking in the following locations:
Media or a manufacturer's website that is provided after the system prompts the user.
A Windows operating system also checks that the driver package has a valid digital signature. If a driver
package is signed by a certificate that is valid but is not found in the Trusted Publishers store, the Windows
operating system prompts the user for confirmation.
Staging device driver packages in this manner provides significant benefits. After a driver package stages
successfully, any user who logs on to that computer can install the drivers simply by plugging in an
appropriate device.
Devices that are not compatible with Plug and Play are becoming increasingly rare as manufacturers stop
producing them in favor of Plug and Play devices. The term non-Plug and Play typically applies to older
equipment with devices that require manual configuration of hardware settings before use. To view
non-Plug and Play devices, in Device Manager, click the View menu, click Show hidden devices, and then
expand Non-Plug and Play Drivers.
To add a driver, use the -a parameter to specify the path and name of the driver, for example, pnputil -a
<PathToDriver>/<Driver>.inf. The Windows operating system validates that the signature attached to
the package is valid, the files are unmodified, and the file thumbprints match the signature.
After adding a driver, note the assigned number. Drivers are renamed oem*.inf during the addition. This is
to ensure unique naming. For example, the file MyDriver1.inf might be renamed oem0.inf. You can view
the published name by using the -e parameter, for example, pnputil -e.
Typically, you do not need to uninstall a Plug and Play device. Just disconnect or unplug the device so
that the Windows operating system does not load or use the driver.
The following table lists the options available with pnputil.exe:
Option                               Description
-a <PathToDriver>/<Driver>.inf       Adds the specified driver package to the driver store.
-a <PathToDriver>/*.inf              Adds every driver package in the specified folder to the driver store.
-i -a <PathToDriver>/<Driver>.inf    Adds the driver package to the driver store and installs it on any matching device that is present.
-e                                   Enumerates (lists) the third-party driver packages that are currently in the driver store.
-d OEM<#>.inf                        Deletes the specified driver package from the driver store.
-f -d OEM<#>.inf                     Forces deletion of the driver package even if a device is currently using it.
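The following script is an added example, not part of the course or of pnputil itself. It wraps the staging step described above: it verifies the signature on the package's .cat file before calling pnputil -a, and then reports which oem*.inf name was assigned by diffing the output of pnputil -e. It assumes Windows 8.1 with Windows PowerShell 4.0, an elevated prompt, and a driver folder that holds one .inf and its .cat; the path, the function names and the signer pattern CN=Contoso are placeholders.

```powershell
# Added example (not course or pnputil code): check the catalog signature, stage the package,
# and report the published oemN.inf name. Assumes Windows 8.1, PowerShell 4.0, elevated prompt.

# Parse the "Published name : oemN.inf" lines that pnputil -e prints.
function Get-PublishedDriverName {
    & pnputil.exe -e | ForEach-Object {
        if ($_ -match '^Published name\s*:\s*(oem\d+\.inf)') { $Matches[1] }
    }
}

function Add-StagedDriverPackage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $InfPath,
        # Optional: accept only catalogs whose signer subject matches this regex (placeholder value).
        [string] $RequiredSignerPattern
    )

    if (-not (Test-Path -LiteralPath $InfPath)) { throw "INF not found: $InfPath" }
    $folder = Split-Path -Parent $InfPath

    # The .cat file that carries the package signature is stored beside the .inf.
    $catalog = Get-ChildItem -LiteralPath $folder -Filter *.cat | Select-Object -First 1
    if (-not $catalog) { throw "No .cat file beside $InfPath; refusing to stage an unsigned package." }

    # Get-AuthenticodeSignature validates the catalog's signature and certificate chain against
    # the local certificate stores; anything other than Valid is rejected here.
    $sig = Get-AuthenticodeSignature -FilePath $catalog.FullName
    if ($sig.Status -ne 'Valid') {
        throw "Catalog $($catalog.Name) signature status is '$($sig.Status)': $($sig.StatusMessage)"
    }
    $signer = $sig.SignerCertificate.Subject
    if ($RequiredSignerPattern -and $signer -notmatch $RequiredSignerPattern) {
        throw "Catalog signer '$signer' does not match required pattern '$RequiredSignerPattern'"
    }
    Write-Verbose "Catalog $($catalog.Name) signed by $signer"

    # Stage the package. pnputil copies it into %SystemRoot%\System32\DriverStore, renames the
    # INF to oemN.inf, and re-checks the signature and file thumbprints itself.
    $before = @(Get-PublishedDriverName)
    $output = & pnputil.exe -a $InfPath 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "pnputil -a failed (exit $LASTEXITCODE):`n$($output -join "`n")"
    }

    # Whatever is listed now but was not listed before is the newly assigned published name.
    @(Get-PublishedDriverName) | Where-Object { $before -notcontains $_ }
}

# Usage (placeholder path and signer pattern):
# Add-StagedDriverPackage -InfPath 'C:\Drivers\MyDriver1\MyDriver1.inf' -RequiredSignerPattern 'CN=Contoso' -Verbose
```

The signer check is the useful part for an administrator: pnputil itself only confirms that the signature is valid, so constraining the signer to the certificate your organization actually trusts is what stops a validly signed but unexpected package from being staged. The function returns the oem*.inf name so that a later pnputil -d call has the value it needs.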
Windows 8.1 introduces Windows 8.1 device apps, which build on the Plug and Play experience from
Windows 7. Using these apps, device manufacturers can deliver an app that pairs with their device and
downloads automatically to the user the first time the device connects. Providing a Windows 8.1 device
app gives hardware developers a unique opportunity to highlight device functionality.
Device Manager
Device Manager helps you install and update the drivers for hardware devices, change the hardware
settings for those devices, and troubleshoot problems. You can perform the following tasks in Device
Manager:
View a list of installed devices. View all devices that are installed currently based on their type, by
their connection to the computer, or by the resources they use. This device list is recreated after every
system restart or dynamic change.
Uninstall a device. Uninstall the device driver and remove the driver software from the computer.
Enable or disable devices. If you want a device to remain attached to a computer without being
enabled, you can disable the device instead of uninstalling it. Disable is different from uninstall
because only the drivers are disabled, and the hardware configuration is not changed.
Update device drivers. If you have an updated driver for a device, you can use Device Manager to
apply the updated driver.
Roll back drivers. If you experience system problems after updating a driver, you can roll back to a
previous driver. Using this feature, you can reinstall the last device driver that was functioning before
the installation of the current device driver.
You can use Device Manager to manage devices on a local computer only. On a remote computer,
Device Manager works in read-only mode. This means that you can view but not change that computer's
hardware configuration. Device Manager is accessible in the Hardware and Sound category in Control
Panel.
The status of a device shows whether a device has drivers installed and whether the Windows operating
system is able to communicate with the device. To view the status of a device, follow this procedure in
Device Manager:
1.
2.
On the General tab, the Device status area shows a description of the current status.
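The same status information can be pulled for every device at once. The script below is an added example, not course material: it queries Win32_PnPEntity through WMI (Get-PnpDevice is not available on Windows 8.1) for devices whose problem code is non-zero, which is what Device Manager flags in the Device status area. The code-to-description table is a constructed subset of the Device Manager error codes, limited to the ones that concern driver installation and signing; it assumes Windows 8.1 with Windows PowerShell 4.0.

```powershell
# Added example (not course code): list devices that report a problem code, as Device Manager
# shows in Device status. Assumes Windows 8.1 / PowerShell 4.0; uses WMI rather than Get-PnpDevice.

# Constructed subset of the Device Manager codes, chosen for their relevance to driver problems.
$DeviceManagerCodes = @{
    1  = 'Device is not configured correctly'
    10 = 'Device cannot start'
    22 = 'Device is disabled'
    28 = 'Drivers for this device are not installed'
    31 = 'Windows cannot load the drivers required for this device'
    52 = 'Windows cannot verify the digital signature for the drivers required for this device'
}

function Get-ProblemDevice {
    # ConfigManagerErrorCode 0 means the device is working properly; anything else is a problem.
    Get-WmiObject -Class Win32_PnPEntity -Filter 'ConfigManagerErrorCode <> 0' |
        ForEach-Object {
            $code = [int]$_.ConfigManagerErrorCode
            [pscustomobject]@{
                Name         = $_.Name
                DeviceID     = $_.DeviceID
                Manufacturer = $_.Manufacturer
                Code         = $code
                Meaning      = if ($DeviceManagerCodes.ContainsKey($code)) { $DeviceManagerCodes[$code] }
                               else { 'See the Device status area in Device Manager' }
                # 28, 31 and 52 are the cases that staging a signed driver package resolves.
                NeedsDriver  = $code -in 28, 31, 52
            }
        }
}

Get-ProblemDevice | Sort-Object Code | Format-Table Name, Code, Meaning, Manufacturer -AutoSize
```

Code 52 is the one to watch on 64-bit Windows 8.1: it is the status a device gets when its driver is present but not acceptably signed, so a device listed with that code is a signing problem rather than a missing-driver problem.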
Hidden Devices
The most common type of hidden device is for non-Plug and Play devices, storage volumes, and internal
network adapters. To view hidden devices in Device Manager, click View, and then click Show hidden
devices.
The Hardware and Sound category in Control Panel provides an additional place to manage devices,
such as Devices and Printers. Wizards guide you through the setup process, which reduces complex
configuration tasks. Windows 8.1 recognizes new devices and automatically attempts to download and
install any drivers that are required for a device.
After a device connects, it appears in the Devices and Printers control panel category page. Devices that
display in this location usually are external ones that you connect to or disconnect from a computer
through a port or network connection. These devices include, but are not limited to, the following:
Portable devices, such as mobile phones, music players, and digital cameras.
All devices plugged into a USB port on a computer, such as flash drives, webcams, keyboards, and
mice.
All printers, whether they are connected by USB cable, the network, or wirelessly.
Devices such as internal hard drives, disk drives, sound cards, video or graphics cards, memory,
processors, and other internal computer components.
Older devices, such as mice and keyboards, that connect to a computer through a PS/2 or serial port.
In Devices and Printers, a multifunction printer displays and can be managed as one device instead of
individual printer, scanner, or fax devices. In Device Manager, each individual component of a
multifunction printer is displayed and managed separately.
PC Settings
A new option with Windows 8.1 is PC settings. To access PC settings, you click the Settings charm from the
lower-right corner of the Start screen, and then click Change PC settings. In the left pane, you can click PC
and devices, click Devices, and then add devices or remove already installed devices, or you can search for
recommended apps for the device.
Device Stage
Device Stage provides users with a new way to access devices and advanced options for managing them.
Devices that are in use are shown with a photorealistic icon. This icon can include quick access to common
device tasks and status indicators that let users quickly discern battery status, device synchronization
status, remaining storage capacity, and other information. Device makers can customize this experience
to highlight device capabilities and branding, and they can include links to product manuals, additional
applications, community information and help, or additional products and services.
The entire Device Stage experience remains current. Graphics, task definitions, status information, and
links to websites are distributed to computers by using WMIS.
For a list of device-stage experiences, go to:
Windows 8.1 device experience
http://go.microsoft.com/fwlink/?LinkId=266558
Critical updates. Dynamic Update replaces files from the Windows 8.1 operating system DVD that
require critical fixes or updates. Dynamic Update also replaces DLLs that Setup requires. The only files
that download are those that replace existing files. No new files download.
Device drivers. Dynamic Update only downloads drivers that are not included on an operating system
installation CD or DVD. Dynamic Update does not update existing drivers, but you can obtain these
by connecting to Windows Update after Setup is complete.
When updated device drivers are required, Microsoft tries to ensure that you can get them directly from
Windows Update or from device manufacturer websites. Look up Windows Update first to update drivers
after they install. If an updated device driver is not available through Windows Update, find the latest
version of a device driver by any of the following methods:
Note: Exercise care and caution when searching the Internet for device drivers because
malware and viruses frequently masquerade on driver download websites. Wherever possible,
only download drivers from Microsoft or a manufacturers website.
You can perform manual device updates in Device Manager. To update a device driver manually, follow
this procedure in Device Manager:
1.
2.
3.
Windows 8.1 also includes several enhancements to the upgrade experience, including a load driver
feature. If an upgrade is blocked because of incompatible or missing drivers that are required for the
system to start, you can use this feature to load a new or updated driver from the Compatibility Report
and continue with the upgrade.
A digital signature uses an organization's digital certificate to encrypt specific details about the package.
The encrypted information in a digital signature includes a thumbprint for each file that is included with
the package. A special cryptographic algorithm referred to as a hash algorithm generates this thumbprint.
The algorithm generates a code that only that file's contents can create. Changing a single bit in the file
changes the thumbprint. After the thumbprints generate, they combine together into a catalog and then
are encrypted.
Note: 64-bit versions of Windows 8.1 require that all drivers be digitally signed.
If your organization has a Software Publishing Certificate, you can use that to add your own digital
signature to drivers that you have tested and that you trust. If you experience stability problems after you
install a new hardware device, an unsigned device driver might be the cause.
Note: To disable the enforcement of driver signatures, access the Advanced Boot Options
menu and select Disable driver signature enforcement. The next topic describes the procedure
for accessing the Advanced Boot Options menu.
You can use Sigverif.exe to check if unsigned device drivers are in the system area of a computer.
Sigverif.exe writes the results of a scan to a log file that includes the system file, the signature file, and the
signature file's publisher. The log file shows any unsigned device drivers as unsigned. You then can choose
whether to remove the unsigned drivers.
To remove an unsigned device driver, follow this procedure:
1. Run sigverif to scan for unsigned drivers, and then review the resulting log file.
2.
3. Manually move any unsigned drivers from %SystemRoot%\System32\Drivers into the temporary
folder.
4.
5. If this resolves the problem, try to obtain a signed driver from the hardware vendor, or replace the
hardware with a device that is compatible with Windows 8.1.
You can obtain a basic list of signed and unsigned device drivers at a command prompt by running the
driverquery command with the /si switch.
Note: Some hardware vendors use their own digital signatures, so drivers can have a valid
digital signature even if Microsoft has not tested them. The Sigverif report lists the vendors for
each signed driver. This can help you identify problem drivers that particular vendors issued.
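The driverquery /si listing and the vendor-by-vendor review that the note describes can be combined in one report. The script below is an added example, not course material: it parses driverquery /si /fo csv with ConvertFrom-Csv, lists the unsigned drivers, and groups the signed ones by the manufacturer that signed them. It assumes Windows 8.1 with an elevated prompt; the column names DeviceName, InfName, IsSigned and Manufacturer are the headers that driverquery /si emits, and the TRUE/FALSE values of IsSigned are taken as driverquery prints them.

```powershell
# Added example (not course code): report unsigned drivers and signed drivers per vendor from
# driverquery /si. Assumes Windows 8.1 and an elevated prompt.
function Get-DriverSigningReport {
    # /si adds signing information, /fo csv makes the output parseable, and ConvertFrom-Csv
    # turns the header row (DeviceName, InfName, IsSigned, Manufacturer) into property names.
    $drivers = @(driverquery /si /fo csv | ConvertFrom-Csv)

    $unsigned = @($drivers | Where-Object { $_.IsSigned -eq 'FALSE' })

    # Group signed drivers by vendor; a vendor that signs with its own certificate shows up here
    # even though Microsoft did not test the driver, which is the point the note makes.
    $byVendor = $drivers | Where-Object { $_.IsSigned -eq 'TRUE' } |
        Group-Object -Property Manufacturer | Sort-Object -Property Count -Descending |
        ForEach-Object { [pscustomobject]@{ Vendor = $_.Name; SignedDrivers = $_.Count } }

    [pscustomobject]@{
        Total          = $drivers.Count
        Unsigned       = $unsigned
        SignedByVendor = @($byVendor)
    }
}

$report = Get-DriverSigningReport
"Drivers: $($report.Total); unsigned: $($report.Unsigned.Count)"
$report.Unsigned       | Format-Table DeviceName, InfName, Manufacturer -AutoSize
$report.SignedByVendor | Format-Table -AutoSize
```

The Unsigned list is the set to act on with the sigverif procedure above; the vendor grouping is the quick way to see whether a problem driver comes from a vendor whose own signature you have chosen to trust rather than from a Microsoft-tested package.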
Because device driver software runs as a part of an operating system, it is critical that only known and
authorized device drivers are permitted to run. Signing and staging device driver packages on client
computers provide the following benefits:
Improved security. You can allow standard users to install approved device drivers without
compromising computer security or requiring help desk assistance.
Reduced support costs. Users only can install devices that your organization has tested and is
prepared to support. Therefore, you maintain the security of computers as you simultaneously reduce
the demands on the help desk.
Better user experience. A driver package that is staged in driver store works automatically when
the user plugs in a device. Alternatively, driver packages placed on a shared network folder can be
discovered whenever an operating system detects a new hardware device. In both cases, a user is not
prompted before installation.
On each computer, the Windows operating system maintains a store for digital certificates. As the
computer administrator, you can add certificates from trusted publishers. If a package is received for
which a matching certificate cannot be found, a Windows operating system requires confirmation that the
publisher is trusted. By placing a certificate in a certificate store, you inform a Windows operating system
that packages that are signed by a certificate are trusted.
You can use Group Policy to deploy certificates to client computers. By using Group Policy, you can install
a certificate automatically to all managed computers in a domain, organizational unit, or site.
2. On the recovery page, click See advanced repair options, click Troubleshoot, and then click
Advanced options.
3. From the Advanced options menu, click Windows Startup Settings, and then click Restart.
4. On the subsequent restart, you can access the Advanced Boot Options menu. You then select Safe
Mode from the list.
Alternatively, you can use the Msconfig.exe tool to enable safe mode for the next restart from within
Windows 8.1.
Note: To ensure that the function keys operate properly, you should use full-screen mode
when using safe mode.
After you have started a computer successfully in safe mode, as an administrative user, follow this
procedure to roll back a device driver:
1.
2.
3. In the Properties dialog box, click the Drivers tab, and then click Roll Back Driver.
4.
Note: Rolling back a driver can cause the loss of new functionality and can reintroduce
problems that the newer version addressed.
Note: The Roll Back Driver button is available only if a previous version of the driver
was installed. If the current driver for the device is the only one that was ever installed on the
computer, then the Roll Back Driver button is not available.
System Restore
In rare cases, after you install a device or update a driver for a device, a computer might not start. This
problem might occur in the following situations:
The new device or driver causes conflicts with other drivers on the computer.
Sometimes, performing a driver rollback is not sufficient to recover from a computer problem. If you are
unable to recover a computer by using a driver rollback, consider using System Restore.
You can use System Restore when you want to retain all new data and changes to existing files, but still
want to perform a restoration of the system from when it was running well. Windows 8.1 lets you return a
computer to the way it was at a previous point in time without deleting any personal files. System Restore
is reversible because an undo restore point is created before the restore operation completes. During
the restoration, a list of files appears that shows applications that will be removed or added.
To restore a computer to a previous configuration by using System Restore, you can use:
Safe mode.
At the Start screen, type recovery in the Everywhere search screen, select Recovery, and then select
Open System Restore.
Even the earliest versions of the Windows NT operating system provided the Last Known Good
Configuration startup option as a way of rolling a system back to a previous configuration. In
Windows 8.1, some startup-related configuration and device-related configuration information is stored
in the registry database, specifically the HKLM\SYSTEM hive. A series of control sets are stored beneath
this registry hive, most notably CurrentControlSet and LastKnownGood. The latter is located in the
HKLM\SYSTEM\Select node.
When you make a device configuration change to a computer, the change is stored in the
CurrentControlSet key in the appropriate registry folder and value. After you restart a computer and
successfully sign in, the Windows operating system synchronizes the CurrentControlSet key and the
LastKnownGood key.
However, if after a device configuration change, you experience a startup problem but do not sign in,
the two control sets are out of synchronization, and the LastKnownGood key contains the previous
configuration set.
To use the Last Known Good Configuration startup option, restart the computer without logging on, and
then press F8 during the boot sequence to access the Advanced Boot Options menu. Select Last Known
Good Configuration (advanced) from the list.
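The relationship between the Select values and the control sets can be inspected directly. The script below is an added example, not course material: it reads HKLM\SYSTEM\Select to find which ControlSetNNN keys back CurrentControlSet and LastKnownGood, and then lists the driver and service registrations that exist in the current set but not in the last known good one. It assumes Windows 8.1 and an elevated prompt; the function name is the example's own.

```powershell
# Added example (not course code): map the Select values to ControlSetNNN keys and show which
# service/driver registrations differ between the current and last known good sets.
# Assumes Windows 8.1 and an elevated prompt.
function Get-ControlSetState {
    $select = Get-ItemProperty -Path 'HKLM:\SYSTEM\Select'

    # Select holds REG_DWORD control set numbers; the keys are named ControlSet001, ControlSet002, ...
    $current = 'HKLM:\SYSTEM\ControlSet{0:D3}' -f $select.Current
    $lkg     = 'HKLM:\SYSTEM\ControlSet{0:D3}' -f $select.LastKnownGood
    $failed  = if ($select.Failed) { 'HKLM:\SYSTEM\ControlSet{0:D3}' -f $select.Failed } else { $null }

    # Driver and service registrations live under <ControlSet>\Services. A driver installed since
    # the last successful sign-in is present only in the current set until the two are synchronized.
    $currentServices = @((Get-ChildItem -Path "$current\Services").PSChildName)
    $lkgServices     = @((Get-ChildItem -Path "$lkg\Services").PSChildName)

    [pscustomobject]@{
        CurrentControlSet   = $current
        LastKnownGoodSet    = $lkg
        FailedSet           = $failed
        OnlyInCurrent       = @($currentServices | Where-Object { $lkgServices -notcontains $_ })
        OnlyInLastKnownGood = @($lkgServices | Where-Object { $currentServices -notcontains $_ })
    }
}

Get-ControlSetState | Format-List
```

An empty OnlyInCurrent list means the two control sets were synchronized at the last successful sign-in and Last Known Good would not remove anything; entries in that list are exactly the registrations that selecting Last Known Good Configuration would discard.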
If you have a hardware problem, the cause could be hardware or a device driver. Fortunately, the process
to update device drivers to newer versions is straightforward. Alternatively, you can roll back device
drivers to older versions or reinstall them. Troubleshooting hardware problems often starts by
troubleshooting device drivers. To identify a device driver problem, answer the following questions:
Did you recently upgrade a device driver or other software related to the hardware? If so, roll back
the device driver to the previous version.
Are you experiencing occasional problems, or is the device not compatible with the current version of
the Windows operating system? If so, upgrade the device driver.
Did the hardware suddenly stop working? If so, upgrade the device driver. If that does not solve the
problem, reinstall the device driver. If the problem continues, try troubleshooting the hardware
problem.
This demonstration shows how to update a device driver and then roll back that driver update. You also
will install a driver into the driver store. This demonstration requires two machine restarts.
Demonstration Steps
Update a device driver
1.
2.
3. Expand Keyboards, and then update the Standard PS/2 Keyboard driver to the PC/AT Enhanced
PS/2 Keyboard (101/102 Key) driver.
4.
2.
3. Expand Keyboards, and then roll back the PC/AT Enhanced PS/2 Keyboard (101/102 Key) driver.
4.
5.
6.
7. Verify that you have successfully rolled back the Standard PS/2 Keyboard driver.
8.
2.
3. Check the list of installed OEM drivers by typing the pnputil -e command, and then press Enter.
When you have finished the demonstration, revert all virtual machines back to their initial state:
1.
2. In the Virtual Machines list, right-click 20687D-LON-CL2, and then click Revert.
3.
4.
A. Datum recently purchased new laptop computers for the Sales department. The Sales manager has
reported an error with one of the laptop drivers that is causing problems. You have identified the issue
and determined that you need to install an updated driver. Also, you must ensure that members of the
Sales department are able to roll back the driver if it causes errors.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 30 minutes
Virtual machines: 20687D-LON-DC1, 20687D-LON-CL2
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2.
20687D-LON-DC1
20687D-LON-CL2
By default, standard users cannot install device drivers. When you know that certain Plug and Play devices
will be used in your environment, you can preload device drivers so that users can use the devices.
The main task for this exercise is as follows:
1.
2.
3.
4. Check the list of installed OEM drivers by typing pnputil -e, and then press Enter.
Results: After completing this exercise, you should have installed a driver into the protected driver store.
Several A. Datum users in the Sales department would like to update a poorly performing wireless
network device driver on their new laptop computers. You have been asked to demonstrate to these users
how they update a device driver and also how they can roll back a device driver if the updated one does
not provide acceptable performance gains.
The main tasks for this exercise are as follows:
1.
2.
2. Expand Keyboards, and then update the Standard PS/2 Keyboard driver to the PC/AT Enhanced
PS/2 Keyboard (101/102 Key) driver.
3.
2.
3. Expand Keyboards, and then roll back the PC/AT Enhanced PS/2 Keyboard (101/102 Key) driver.
4.
5.
6.
7. Verify that you have successfully rolled back the Standard PS/2 Keyboard driver.
8.
Results: After completing this exercise, you should have installed and rolled back a device driver.
2. In the Virtual Machines list, right-click 20687D-LON-CL2, and then click Revert.
3.
4.
Troubleshooting Tip
Tools
The following table lists some of the tools that are available for managing hard disks and devices.
Tool
Used for
Where to find it
Defrag.exe
Command prompt
Device Manager
Devmgmt.msc
or
Embedded in Computer
Management
Start screen
or
Taskbar
Control Panel
Disk Management
Diskmgmt.msc
DiskPart
Fsutil.exe
Pnputil.exe
Module 6
Configuring Network Connectivity
Module Overview
The Windows 8.1 operating system provides enhanced networking functionality compared with
earlier Windows client operating systems, and it provides support for newer technologies. By default,
Windows 8.1 implements both TCP/Internet Protocol version 4 (IPv4) and TCP/Internet Protocol version 6
(IPv6). Understanding IPv4, IPv6, and the operating system's access capabilities will help you configure
and troubleshoot Windows 8.1 networking features.
Objectives
After completing this module, you will be able to:
Lesson 1
IPv4 uses a specific addressing scheme and name-resolution mechanism to transmit data between
connected nodes. To connect and configure computers that are running Windows 8.1 to a network, you
must understand the concepts of the IPv4 addressing scheme.
Lesson Objectives
After completing this lesson, you will be able to:
In a typical situation, communication starts with a request to connect to another host by its computer
name. However, to communicate, the requesting host needs to know the media access control (MAC)
address of the receiving host's network interface. Conversely, the receiving host needs to know the
sender's MAC address. Once the requesting host discovers the MAC information, it caches it locally. A
MAC address is a hard-coded, unique identifier assigned to network interfaces by the manufacturers of
network adapters. Before the requesting host can find the receiving host's MAC address, a number of
steps occur. A high-level overview of these steps is:
1.
2. The name Server1 must be resolved to an IPv4 address. There are a number of methods to
accomplish this.
3. Once the sender knows the recipient's IPv4 address, it determines whether the IPv4 address is remote
or on the local subnet. The subnet mask is used for this purpose.
4. If local, an Address Resolution Protocol (ARP) request is broadcast on the local subnet. If it is remote,
an ARP request is sent to the default gateway. It then is routed to the correct subnet.
5. The host that owns that IPv4 address will respond with its MAC address and a request for the sender's
MAC address.
6. Once the exchange of MAC addresses completes, IPv4 communication negotiation and the exchange
of IP data packets can occur.
IPv4 divides the address into four octets, as the following example shows:
11000000.10101000.00000001.11001000
To make IP addresses more readable, the binary representation is typically shown in dotted decimal
form, as the following example shows:
192.168.1.200
The subnet on which the computer resides, which is the network ID.
This enables a networked computer to communicate with other networked computers in a routed
environment.
The Internet Assigned Numbers Authority (IANA) organizes IPv4 addresses into classes, and a network's
number of hosts determines the required class of addresses. Class A through Class E are the names that
IANA has specified for IPv4 address classes.
Classes A, B, and C are IP addresses that you can assign to host computers as unique IP addresses, whereas
you can use Class D for multicasting. Additionally, IANA reserves Class E for experimental use.
host ID. Class A, B, and C networks use default subnet masks. The following table lists the characteristics of
each IP address class.
Class   First octet   Default subnet mask   Number of networks   Number of hosts per network
A       1 to 127      255.0.0.0             126                  16,777,214
B       128 to 191    255.255.0.0           16,384               65,534
C       192 to 223    255.255.255.0         2,097,152            254
In complex networks, subnet masks might not be simple combinations of 255 and 0. Rather, you might
subdivide one octet with some bits that are for the network ID and some for the host ID. If you do not use
an octet for subnetting, this is classless addressing, or Classless Interdomain Routing (CIDR). You either use
more or less of the octet, and this type of subnetting uses a different notation, which the following
example shows:
172.16.16.1/255.255.240.0
The following example shows the more common representation of classless IPv4 addressing:
172.16.16.1/20
The /20 represents how many leftmost subnet bits are set to 1 in the mask. This notation style is called
CIDR. This subnet mask in binary notation would look like this:
11111111.11111111.11110000.00000000
The first 20 bits are set to 1 and indicate the subnet ID, and the last 12 zero placeholders represent how
many bits are used to identify the host.
Planning Supernetting and Classless Interdomain Routing (CIDR)
http://go.microsoft.com/fwlink/?LinkId=154437&clcid=0x409
What Is a Subnet?
A subnet is a network segment, and single or multiple routers separate the subnet from the rest of the
network. When your Internet service provider (ISP) assigns a network to a Class A, B, or C address range,
you often must subdivide the range to match the network's physical layout. Subdividing enables you to
break a large network into smaller, logical subnets.
When you subdivide a network into subnets, you must create a unique ID for each subnet, which you
derive from the main network ID. To create subnets, you must allocate some of the bits in the host ID to
the network ID. By doing so, you can create more networks.
By using subnets, you can:
Reduce network congestion by segmenting traffic and reducing broadcasts on each segment.
Overcome the limitations of current technologies, such as exceeding the maximum number of hosts
that each segment can have.
When a host on the network uses IPv4 to transmit a packet to a destination subnet, IPv4 consults
the internal routing table to determine the appropriate router to ensure that the packet reaches the
destination subnet. If the routing table does not contain any routing information about the destination
subnet, IPv4 forwards the packet to the default gateway. The host assumes that the default gateway
contains the required routing information.
In most cases, you can use a Dynamic Host Configuration Protocol (DHCP) server to assign the default
gateway automatically to a DHCP client. This is more straightforward than manually assigning a default
gateway on each host.
relatively small number of public IPv4 addresses, and at the same time, enable local hosts to connect to
remote hosts and services on the Internet.
IANA defines the following address ranges as private. Internet-based routers do not forward packets
originating from, or destined to, these ranges.

Class              Mask             Range
A (1 network)      10.0.0.0/8       10.0.0.0 - 10.255.255.255
B (16 networks)    172.16.0.0/12    172.16.0.0 - 172.31.255.255
C (256 networks)   192.168.0.0/16   192.168.0.0 - 192.168.255.255
In today's network environments, it is most common for organizations to have one or more public,
routable IP addresses from an ISP assigned to the external interfaces of their firewall appliance, and to
use the designated private IP subnets internally, with NAT on the firewall translating between the two.
Note: Request For Comments (RFC) 1918 defines these private address ranges; RFC 3330 (Special-Use
IPv4 Addresses) also lists them.
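The subnetting rule, the on-link versus default-gateway decision, and the private-range check described above, worked in code. This is an added example and is not part of the course text; it uses only Windows PowerShell 4.0 (as shipped with Windows 8.1) and the .NET IPAddress parser, and the sample addresses are constructed to match the 172.16.16.0/24 lab network used later in this module.

```powershell
# Added example (not course code): IPv4 subnet arithmetic in Windows PowerShell 4.0.
# No network module is needed; everything is integer math on the 32-bit address.

function ConvertTo-IPv4Int {
    param([string]$Address)
    # Dotted decimal -> 32-bit value held in an Int64 so that -band never goes negative
    $n = [int64]0
    foreach ($octet in [System.Net.IPAddress]::Parse($Address).GetAddressBytes()) {
        $n = $n * 256 + $octet
    }
    return $n
}

function ConvertFrom-IPv4Int {
    param([int64]$Value)
    # Int64 -> dotted decimal, most significant octet first
    $octets = foreach ($shift in 3..0) {
        [int]([math]::Floor($Value / [math]::Pow(256, $shift)) % 256)
    }
    return ($octets -join '.')
}

function Get-IPv4Network {
    param([string]$Address, [int]$PrefixLength)
    # The first PrefixLength bits are the network ID; the remaining bits identify the host.
    # Borrowing host bits (a longer prefix) is exactly what creates more, smaller subnets.
    $mask      = [int64]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $PrefixLength))
    $networkId = (ConvertTo-IPv4Int $Address) -band $mask
    $broadcast = $networkId + [int64]([math]::Pow(2, 32 - $PrefixLength) - 1)
    [pscustomobject]@{
        NetworkId  = ConvertFrom-IPv4Int $networkId
        SubnetMask = ConvertFrom-IPv4Int $mask
        FirstHost  = ConvertFrom-IPv4Int ($networkId + 1)
        LastHost   = ConvertFrom-IPv4Int ($broadcast - 1)
        Broadcast  = ConvertFrom-IPv4Int $broadcast
        HostCount  = [int64]([math]::Pow(2, 32 - $PrefixLength) - 2)
    }
}

function Get-IPv4NextHop {
    param([string]$LocalAddress, [int]$PrefixLength, [string]$DefaultGateway, [string]$Destination)
    # The rule a host applies: a destination that shares the local network ID is delivered
    # directly; anything else is handed to the default gateway.
    $local  = Get-IPv4Network -Address $LocalAddress -PrefixLength $PrefixLength
    $remote = Get-IPv4Network -Address $Destination  -PrefixLength $PrefixLength
    if ($local.NetworkId -eq $remote.NetworkId) { return $Destination }
    return $DefaultGateway
}

function Test-IPv4Private {
    param([string]$Address)
    # The RFC 1918 ranges from the table, plus 169.254.0.0/16 (APIPA), which Internet
    # routers also never forward
    $ranges = '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '169.254.0.0/16'
    foreach ($range in $ranges) {
        $net, $len = $range -split '/'
        $candidate = Get-IPv4Network -Address $Address -PrefixLength ([int]$len)
        if ($candidate.NetworkId -eq $net) { return $true }
    }
    return $false
}

# Usage with constructed sample addresses
Get-IPv4Network -Address 172.16.16.3 -PrefixLength 24 | Format-List
# Destination inside the local /24: delivered directly
Get-IPv4NextHop -LocalAddress 172.16.16.3 -PrefixLength 24 -DefaultGateway 172.16.16.1 -Destination 172.16.16.200
# Destination in a neighbouring /24: goes to the default gateway
Get-IPv4NextHop -LocalAddress 172.16.16.3 -PrefixLength 24 -DefaultGateway 172.16.16.1 -Destination 172.16.17.9
'10.255.255.254', '172.31.255.1', '172.32.0.1', '192.168.1.1', '192.16.18.5' |
    ForEach-Object { '{0,-16} private={1}' -f $_, (Test-IPv4Private $_) }
```

The /12 case is the one people get wrong: 172.31.255.1 is private but 172.32.0.1 is not, because only the top four bits of the second octet belong to the network ID. The same mask-and-compare logic is what the host's routing code applies before it ever consults the routing table.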
Question: Which of the following are not private IP addresses?
a. 171.16.16.254
b. 192.16.18.5
c. 192.168.1.1
d. 10.255.255.254
You can configure IPv4 settings on a Windows 8.1 computer by using the Network and Sharing Center,
the Netsh command-line tool, or the Windows PowerShell command-line interface.
To configure IPv4 by using Netsh, you can use the following example:
Netsh interface ipv4 set address name="Local Area Connection" source=static
addr=172.16.16.3 mask=255.255.255.0 gateway=172.16.16.1
The following table describes some of the Windows PowerShell cmdlets that you can use to view and
configure IPv4 settings.

Cmdlet                        Description
Set-NetIPAddress              Modifies an existing IP address, for example its prefix length.
Set-NetIPInterface            Modifies interface settings, such as whether the interface uses DHCP.
Set-NetRoute                  Modifies an existing route, such as the metric of the default route.
Set-DnsClientServerAddress    Sets the DNS server addresses that an interface uses.
Demonstration
This demonstration shows how to configure an IPv4 address manually by using the Network and Sharing
Center.
Demonstration Steps
View the current network connection configuration
1. Open a Command Prompt window, and then use ipconfig /all to view the current IPv4 configuration.
   This displays the configuration for all network connections on the computer.
2. In Network and Sharing Center, view the Ethernet Status. This window shows the same configuration
   information for this adapter as the IPConfig command.
2. View the IPv4 configuration for Ethernet. You can configure the IP address, subnet mask, default
   gateway, and DNS servers in this window.
3. View the Advanced settings. In the Advanced TCP/IP Settings window, you can configure additional
   settings, such as additional IP addresses, DNS settings, and Windows Internet Name Service
   (WINS) servers for NetBIOS name resolution.
Question: When might you need to change a computer's IPv4 address?
IPConfig
Ping
Tracert
IPConfig
IPConfig is a command-line tool that is used to display basic IPv4 configurations. IPConfig supports a
number of parameters including:
All. Displays all the TCP/IP configuration information for all network adapters.
Release. Sends a DHCPRELEASE message to the DHCP server, which releases the current DHCP
configuration of all network adapters or of a specific network adapter.
Renew. Renews the DHCP configuration for all network adapters, or for a specific network adapter, that
are configured to use DHCP.
When you run IPConfig without any parameters, it displays the current IP address, subnet mask, and
default gateway of each adapter.
Ping
Ping is a command-line tool used to verify connectivity to another computer by sending four Internet
Control Message Protocol (ICMP) Echo Request messages. The receiving computer responds with an Echo
Reply to each request, and ping displays the round-trip time of each exchange. Ping has a number of
parameters including:
-t. Specifies that ping continues sending Echo Request messages to the destination until you stop it.
Press CTRL+BREAK to display statistics and continue, or CTRL+C to stop.
-a. Specifies that reverse name resolution is performed on the destination IP address. If this is
successful, ping displays the corresponding host name.
Note: Many Internet sites and firewalls block ICMP Echo Request traffic, and the Windows Firewall
drops inbound Echo Requests unless a rule allows them. This makes the Ping tool less useful outside of
your own local area network (LAN): a host that does not answer ping is not necessarily down.
Tracert
Tracert is a command-line tool used to display the routing path and measure the delays of packets while
in transit. It sends ICMP Echo Requests with the Time to Live (TTL) value set to 1, then 2, and so on, so
that each router on the path returns an ICMP Time Exceeded message that identifies it. This can help
determine incorrect entries in routing tables that are affecting the routing of IP traffic. A router that
does not send Time Exceeded messages appears as a line of asterisks, which by itself does not indicate
a fault.
There are many cmdlets available for the configuration and testing of IPv4. The following table describes
some of the common cmdlets:

Cmdlet                 Description
Get-NetIPAddress       Gets the IP addresses configured on the computer's interfaces.
Get-NetIPv4Protocol    Gets the global IPv4 protocol settings, such as the default TTL.
Get-NetRoute           Gets the entries in the IP routing table.
New-NetIPAddress       Creates a new IP address (and optionally a default gateway) on an interface.
New-NetRoute           Creates a new route in the IP routing table.
Remove-NetIPAddress    Removes an IP address from an interface.
Remove-NetRoute        Removes a route from the IP routing table.
Set-NetIPAddress       Modifies an existing IP address.
Set-NetRoute           Modifies an existing route.
Test-Connection        Sends ICMP Echo Request messages, like ping, and returns the results as objects.
Lesson 2
Though most networks to which you connect Windows 8.1-based computers currently provide IPv4
support, many also support IPv6. To connect computers that are running Windows 8.1 to IPv6-based
networks, you must understand the IPv6 addressing scheme and the differences between IPv4 and IPv6.
Lesson Objectives
After completing this lesson, you will be able to:
Stateless and stateful address configuration. IPv6 has autoconfiguration capability without DHCP,
and it can discover router information so that hosts can access the Internet. This is a stateless address
configuration. A stateful address configuration is when you use the DHCP version 6 (DHCPv6) protocol.
Stateful configuration has two additional configuration levels: one in which DHCP provides all the
information, including the IP address and configuration settings, and another in which DHCP provides
just configuration settings.
Required support for Internet Protocol security (IPsec). The original IPv6 node requirements made
support for the Authentication Header (AH) and Encapsulating Security Payload (ESP) headers that IPsec
defines mandatory; the current node requirements (RFC 6434) relax this to a recommendation. The
standards do not mandate particular authentication methods or cryptographic algorithms, but IPsec was
defined from the start as the way to protect IPv6 packets.
Note: IPsec provides authentication and, optionally, encryption for communications between
hosts. Support in the stack does not mean that traffic is protected: a host still needs IPsec policies
(on Windows, connection security rules) before any packet is authenticated or encrypted.
Restored end-to-end communication. The global addressing model for IPv6 traffic means that
translation between different types of addresses is not necessary, such as the translation done by
NAT devices for IPv4 traffic. This simplifies communication because you do not need to use NAT
devices for peer-to-peer applications, such as video conferencing. Note that a NAT device also
incidentally blocked unsolicited inbound connections; with IPv6 that protection must come from an
explicit firewall policy on the edge device and on each host.
Prioritized delivery. The IPv6 header contains a Traffic Class field (and a Flow Label) that lets network
devices determine that the packet processing should occur at a rate that you specify. This enables traffic
prioritization. For example, when you are streaming video traffic, it is critical that the packets arrive in a
timely manner. You can set this field to ensure that network devices determine that the packet delivery
is time-sensitive.
Support for single-subnet environments. IPv6 has much better support of automatic configuration
and operation on networks consisting of a single subnet. You can use this to create temporary,
ad-hoc networks through which you can connect and share information.
Extensibility. The design of IPv6 enables you to extend it with less constraint than IPv4.
TCP/IP v4 and v6
http://go.microsoft.com/fwlink/?LinkId=154442&clcid=0x409
DirectAccess enables remote users to access a corporate network anytime they have an Internet
connection because it does not require a virtual private network (VPN). DirectAccess provides a flexible
corporate network infrastructure to help you remotely manage and update user PCs on and off a network.
DirectAccess makes the end-user experience of accessing corporate resources over an Internet connection
nearly indistinguishable from the experience of accessing these resources from a computer at work.
DirectAccess uses IPv6 to provide globally routable IP addresses for remote access clients.
Windows 8.1 services such as file sharing and remote access can protect their traffic with IPsec, which
every IPv6 host supports. This includes VPN Reconnect, which uses Internet Key Exchange version 2
(IKEv2), the key-negotiation protocol of IPsec, to re-establish a VPN tunnel after a connectivity interruption.
The Windows 8.1 operating system supports remote troubleshooting capabilities such as Windows
Remote Assistance and Remote Desktop. Remote Desktop enables administrators to connect to multiple
Windows Server sessions for remote administration purposes. You can use IPv6 addresses to make
Remote Desktop connections. Windows Remote Assistance and Remote Desktop use the Remote Desktop
Protocol to enable users to access files on their office computer from another computer, such as one
located at their home.
IPv6 Addresses
The most obvious, distinguishing feature of IPv6 is its use of much larger addresses. IPv4 addresses
are expressed in four groups of decimal numbers, such as 192.168.1.1. Each grouping of numbers
represents a binary octet. In binary, the preceding number is as follows:
11000000.10101000.00000001.00000001 (4 octets = 32 bits)
An IPv6 address is 128 bits long and is written as eight groups of four hexadecimal digits separated by
colons, with leading zeros in a group and one run of all-zero groups omitted; for example,
2001:db8:0:0:0:0:0:1 is written as 2001:db8::1.
This might seem complex for end users, but the assumption is that users will rely on DNS names to resolve
hosts, meaning they rarely will type IPv6 addresses manually. The hexadecimal notation also is
easier to convert to binary, because each hexadecimal digit maps to exactly four bits. This simplifies
working with subnets and calculating hosts and networks.
Unicast. An IPv6 unicast address is equivalent to an IPv4 unicast address. You use this address
type for one-to-one communication between hosts. Each IPv6 host has multiple unicast addresses.
There are three types of unicast addresses:
o Global unicast addresses. These are equivalent to public IPv4 addresses. They are globally
  routable and reachable on the IPv6 portion of the Internet.
o Link-local addresses. Hosts use link-local addresses when communicating with neighboring hosts
  on the same link. For example, on a single-link IPv6 network with no router, hosts communicate
  by using link-local addresses. Link-local addresses are local-use unicast addresses in the fe80::/10
  range; routers never forward them off the link. Every IPv6 interface configures one automatically,
  which makes them the equivalent of IPv4 Automatic Private IP Addressing (APIPA) addresses.
o Unique local unicast addresses. Unique local addresses (fc00::/7) provide an equivalent to the
  private IPv4 address space for organizations, without the overlap in address space when
  organizations combine, because each organization generates its own random 40-bit global ID.
Multicast. An IPv6 multicast address is equivalent to an IPv4 multicast address. You use this address
type for one-to-many communication between computers that you define as using the same multicast
address.
Anycast. An anycast address is an IPv6 unicast address that is assigned to multiple computers. When
a packet is sent to an anycast address, the routing infrastructure delivers it to only the nearest of
those computers. You typically use this address type for locating services or the nearest router.
In IPv4, you typically assign a single host a single unicast address. However, in IPv6, each host has
multiple unicast addresses: at least a link-local address, plus one or more global or unique local
addresses. To verify communication processes on a network, you must know for what purposes IPv6
uses each of these addresses.
Interface Identifiers
The last 64 bits of an IPv6 address are the interface identifier. This is equivalent to the host ID in an IPv4
address. Each interface on a link must have a unique interface identifier. Originally, hosts derived the
identifier from the interface's MAC address (the modified EUI-64 format), which exposed the hardware
address in every packet and let an observer track a computer as it moved between networks. Windows
Vista and later generate a random interface identifier by default and, for outbound connections, also
use temporary addresses that change periodically (RFC 4941), so the identifier rather than the MAC
address is what identifies the host.
IPv6 Address Types
http://go.microsoft.com/fwlink/?LinkId=154445&clcid=0x409
Task                         Description
Router discovery             IPv6 hosts can locate default routers on the link automatically by using the
                             following two ICMPv6 messages:
                             Router solicitation. When it is first coming online, an IPv6 host multicasts a
                             router solicitation message.
                             Router advertisement. Each router on the active link that hears the solicitation
                             message responds with a router advertisement message that contains the
                             address of the router and the prefixes that are in use on the link.
Prefix discovery             Hosts learn from router advertisements which address prefixes are on-link, so
                             that they can tell local destinations from remote ones.
Address autoconfiguration    Hosts combine an on-link prefix from a router advertisement with an interface
                             identifier to form an address without a DHCPv6 server (stateless address
                             autoconfiguration).
Address resolution           Address resolution functions much like router discovery. The ICMPv6 protocol
                             uses two message types:
                             Neighbor solicitation. The sender requests the MAC address of a neighbor node
                             on the local link.
                             Neighbor advertisement. The neighbor replies with its MAC address.
Duplicate address detection  Before a host uses a new address, it sends a neighbor solicitation for that
                             address. If another node answers, the address is already in use and is not
                             assigned.
The first step in establishing communication is still name resolution, as in IPv4. For example, if an IPv6 host
wants to communicate with a host named Server1, it must first resolve that name to an IPv6 address. In
DNS, host names map to IPv6 addresses by AAAA resource records. When the DNS server returns the
IPv6 address of the host, the prefix of the IPv6 address determines whether the destination host is local
or remote. If the destination is on the local link, then the next-hop address is the direct address of the
recipient on the local link. If the destination is not on the local link, then the next-hop address of the
packet is the router.
How IPv6 Works: IPv6 Routing
http://go.microsoft.com/fwlink/?LinkId=378232&clcid=0x409
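The address types and interface identifiers described in the previous topic, and the on-link decision described in this one, applied in code. This is an added example and is not part of the course; it uses only Windows PowerShell 4.0 and the .NET IPAddress parser. The addresses in the usage section are constructed (2001:db8::/32 is the documentation prefix), and the last line reads the computer's live IPv6 configuration.

```powershell
# Added example (not course code): classify an IPv6 address from its leading bits,
# extract the 64-bit interface identifier, and apply the on-link test.

function ConvertTo-IPv6Bytes {
    param([string]$Address)
    # Windows appends a zone index to link-local addresses (fe80::1%12); drop it first
    $bare = ($Address -split '%')[0]
    return [System.Net.IPAddress]::Parse($bare).GetAddressBytes()   # 16 bytes, network order
}

function Get-IPv6AddressInfo {
    param([string]$Address)
    $b  = ConvertTo-IPv6Bytes $Address
    $ip = [System.Net.IPAddress]::Parse(($Address -split '%')[0])
    # Prefix tests from RFC 4291 (and RFC 4193 for unique local); only the leading bits matter
    $type =
        if ($b[0] -eq 0xff)                                      { 'Multicast (ff00::/8)' }
        elseif ($b[0] -eq 0xfe -and ($b[1] -band 0xc0) -eq 0x80) { 'Link-local unicast (fe80::/10)' }
        elseif (($b[0] -band 0xfe) -eq 0xfc)                     { 'Unique local unicast (fc00::/7)' }
        elseif (($b[0] -band 0xe0) -eq 0x20)                     { 'Global unicast (2000::/3)' }
        elseif ($ip.Equals([System.Net.IPAddress]::IPv6Loopback)) { 'Loopback (::1)' }
        elseif ($ip.Equals([System.Net.IPAddress]::IPv6Any))      { 'Unspecified (::)' }
        else                                                     { 'Other or reserved' }
    # The low 64 bits are the interface identifier. A modified EUI-64 identifier has ff:fe in
    # the middle and embeds the MAC address, which lets an observer track the computer across
    # networks; Windows generates random identifiers by default.
    $iid = '{0:x2}{1:x2}:{2:x2}{3:x2}:{4:x2}{5:x2}:{6:x2}{7:x2}' -f $b[8..15]
    [pscustomobject]@{
        Address     = $Address
        Type        = $type
        InterfaceId = $iid
        IsEui64     = ($b[11] -eq 0xff -and $b[12] -eq 0xfe)
    }
}

function Test-IPv6InPrefix {
    param([string]$Address, [string]$Prefix)   # Prefix in the form '2001:db8:1::/64'
    $net, $len = $Prefix -split '/'
    $len   = [int]$len
    $a     = ConvertTo-IPv6Bytes $Address
    $n     = ConvertTo-IPv6Bytes $net
    $whole = [int][math]::Floor($len / 8)
    for ($i = 0; $i -lt $whole; $i++) { if ($a[$i] -ne $n[$i]) { return $false } }
    $rest = $len % 8
    if ($rest -eq 0) { return $true }
    $mask = [int](256 - [math]::Pow(2, 8 - $rest))    # the top $rest bits of the next byte
    return (($a[$whole] -band $mask) -eq ($n[$whole] -band $mask))
}

function Get-IPv6NextHop {
    param([string]$Destination, [string]$OnLinkPrefix, [string]$RouterAddress)
    # Same decision as the text: an on-link destination is delivered directly (after Neighbor
    # Discovery resolves its MAC address); anything else is handed to the router.
    if (Test-IPv6InPrefix -Address $Destination -Prefix $OnLinkPrefix) { return $Destination }
    return $RouterAddress
}

# Usage with constructed addresses
'fe80::5efe:ac10:1003%12', '2001:db8:1::10', 'fd00:adaf::1', 'ff02::1',
'2001:db8::21a:2bff:fe3c:4d5e', '::1' |
    ForEach-Object { Get-IPv6AddressInfo $_ } | Format-Table -AutoSize
# On-link destination: returned as-is
Get-IPv6NextHop -Destination '2001:db8:1::20' -OnLinkPrefix '2001:db8:1::/64' -RouterAddress 'fe80::1'
# Destination in another prefix: the router's link-local address is returned
Get-IPv6NextHop -Destination '2001:db8:2::20' -OnLinkPrefix '2001:db8:1::/64' -RouterAddress 'fe80::1'
# Live: every IPv6 address on this computer, classified the same way
Get-NetIPAddress -AddressFamily IPv6 | ForEach-Object { Get-IPv6AddressInfo $_.IPAddress } | Format-Table -AutoSize
```

The IsEui64 column is the check worth running on a fleet: an address such as 2001:db8::21a:2bff:fe3c:4d5e carries the MAC address 00-1a-2b-3c-4d-5e in its low 64 bits. On Windows, Set-NetIPv6Protocol -RandomizeIdentifiers Enabled (the default) prevents that derivation.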
Lesson 3
Windows 8.1 enables both the IPv4 and IPv6 protocols to obtain configuration automatically. This means
that you can efficiently deploy IP-based computers that are running Windows 8.1.
Lesson Objectives
After completing this lesson, you will be able to:
Describe the process with which to troubleshoot and resolve IPv4 autoconfiguration problems,
Static Configuration
You can configure static IPv4 configuration manually for each of your network's computers.
When you perform IPv4 configuration, you must configure the:
IPv4 address
Subnet mask
Default gateway
DNS server
Static configuration requires that you visit each computer and input the IPv4 configuration. This
method of computer management is time-consuming if your network has more than 10 to 12 computers.
Additionally, making a large number of manual configurations heightens the risk of mistakes.
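The four settings listed above, applied and then verified from Windows PowerShell. This is an added example and not course code; it is the PowerShell equivalent of the netsh command shown in the IPv4 configuration topic earlier in this module and uses the cmdlets from that topic's table. It assumes an elevated Windows PowerShell 4.0 session on Windows 8.1, an adapter alias of Ethernet, the 172.16.16.0/24 lab network with 172.16.16.1 as gateway, and a constructed DNS server address of 172.16.0.10.

```powershell
# Added example (not course code): static IPv4 configuration, verification, and the
# reverse operation back to DHCP.

function Set-StaticIPv4 {
    param(
        [string]$InterfaceAlias,
        [string]$IPAddress,
        [int]$PrefixLength,        # 255.255.255.0 is expressed as a prefix length of 24
        [string]$DefaultGateway,
        [string[]]$DnsServers
    )
    # 1. Turn off the DHCP client on the interface first; New-NetIPAddress refuses to add a
    #    static address while DHCP is still enabled on the interface.
    Set-NetIPInterface -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -Dhcp Disabled

    # 2. Remove any previous static address and default route so the new ones do not
    #    end up as secondary entries.
    Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Where-Object PrefixOrigin -eq 'Manual' |
        Remove-NetIPAddress -Confirm:$false
    Get-NetRoute -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
        Remove-NetRoute -Confirm:$false

    # 3. Address, mask (as prefix length), and default gateway in one call
    New-NetIPAddress -InterfaceAlias $InterfaceAlias -IPAddress $IPAddress `
        -PrefixLength $PrefixLength -DefaultGateway $DefaultGateway | Out-Null

    # 4. DNS servers are a DNS client setting, separate from the IP address itself
    Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $DnsServers
}

function Set-DhcpIPv4 {
    param([string]$InterfaceAlias)
    # Drop the static address, gateway and DNS servers, then let DHCP supply them again
    Get-NetRoute -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
        Remove-NetRoute -Confirm:$false
    Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Where-Object PrefixOrigin -eq 'Manual' |
        Remove-NetIPAddress -Confirm:$false
    Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ResetServerAddresses
    Set-NetIPInterface -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -Dhcp Enabled
    ipconfig /renew | Out-Null
}

function Test-IPv4Configuration {
    param([string]$InterfaceAlias, [string]$ExpectedGateway)
    # Read back what the stack actually applied, and check that the gateway answers.
    # Test-NetConnection uses ICMP Echo, so a gateway that drops ICMP shows as failed even
    # when the configuration is correct.
    $cfg = Get-NetIPConfiguration -InterfaceAlias $InterfaceAlias
    [pscustomobject]@{
        Address        = ($cfg.IPv4Address | ForEach-Object { $_.IPAddress }) -join ', '
        Gateway        = ($cfg.IPv4DefaultGateway | ForEach-Object { $_.NextHop }) -join ', '
        DnsServers     = ($cfg.DNSServer | Where-Object AddressFamily -eq 2 |
                              ForEach-Object { $_.ServerAddresses }) -join ', '
        GatewayReplies = (Test-NetConnection -ComputerName $ExpectedGateway -InformationLevel Quiet)
    }
}

# Usage (lab values; adjust the alias and addresses to your environment)
Set-StaticIPv4 -InterfaceAlias 'Ethernet' -IPAddress 172.16.16.3 -PrefixLength 24 `
    -DefaultGateway 172.16.16.1 -DnsServers 172.16.0.10
Test-IPv4Configuration -InterfaceAlias 'Ethernet' -ExpectedGateway 172.16.16.1
# ...and back to DHCP when finished
Set-DhcpIPv4 -InterfaceAlias 'Ethernet'
```

Disabling DHCP before adding the address is the step that the GUI hides; without it New-NetIPAddress fails with an inconsistent-parameters error. Wrapping the sequence in a function also gives you the consistency that the paragraph above says manual per-computer configuration lacks: the same parameters produce the same result on every computer.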
DHCPv4
DHCPv4 enables you to assign IPv4 configurations automatically to a large number of computers
without having to configure each one individually. The DHCP service receives requests for IPv4
configuration from computers that you configure to obtain an IPv4 address automatically. It assigns IPv4
information from scopes that you define for each of your network's subnets. The DHCP service identifies
the subnet from which the request originated and assigns IP configuration from the relevant scope.
DHCP helps simplify the IP configuration process, but you must be aware that if you use DHCP to assign
IPv4 information and the service is business-critical, you must do the following:
Include resilience in your DHCP service design so that the failure of a single server does not prevent
the service from functioning.
Configure the scopes on the DHCP server carefully. If you make a mistake, it can affect the whole
network, and it can prevent communication.
Guard against rogue DHCP servers. A client accepts the first DHCP offer it receives, so any host on the
segment that runs a DHCP server can hand clients its own default gateway and DNS server addresses.
In an AD DS domain, the Windows DHCP Server service does not lease addresses until the server is
authorized in AD DS; for servers that are not Windows-based, use DHCP snooping or equivalent filtering
on your switches.
If you use a laptop to connect to multiple networks, such as at work and at home, each network might
require a different IP configuration. Windows 8.1 supports the use of APIPA and an alternate static IP
address for this scenario.
When you configure Windows 8.1 computers to obtain IPv4 addresses from DHCP, use the Alternate
Configuration tab to control the behavior if a DHCP server is not available. By default, Windows 8.1
uses APIPA to assign itself an IP address automatically from the 169.254.0.0 to 169.254.255.255 address
range. This enables you to use a DHCP server at work and the APIPA address range at home without
reconfiguring IP settings. Additionally, this is useful for troubleshooting DHCP. If the computer has an
address from the APIPA range, it is an indication that the computer cannot communicate with a DHCP
server.
Tentative. Verification is in progress to determine whether the address is unique. Duplicate address
detection performs the verification by using the Neighbor Discovery protocol. A node cannot receive
unicast traffic to a tentative address.
Valid. The address has been verified as unique and can send and receive unicast traffic. A valid address
is either preferred or deprecated.
Preferred. The address is valid and may be used for new connections.
Deprecated. The address is still valid, but its use for new communication is discouraged; existing
connections can continue to use it.
Invalid. The address no longer allows a node to send or receive unicast traffic.
Types of Autoconfiguration
Types of autoconfiguration include:
Stateless. The receipt of router advertisement messages is the basis for address configuration.
Stateful. Configuration is based on the use of a stateful address configuration protocol, such as
DHCPv6, to obtain addresses and other configuration options. A host also uses a stateful address
configuration protocol when there are no routers present on the local link.
Both. The receipt of router advertisement messages and DHCPv6 together are the basis for configuration.
Router advertisements carry two flags that tell hosts which type to use: the Managed Address
Configuration (M) flag means obtain addresses from DHCPv6, and the Other Stateful Configuration (O)
flag means obtain only other settings, such as DNS server addresses, from DHCPv6.
If there are specific scope options that you need to configure, such as the IPv6 addresses of DNS servers,
then a DHCPv6 server is necessary.
When an IPv6 host communicates with a DHCPv6 server, it uses the multicast address ff02::1:2 (all DHCP
relay agents and servers) rather than the broadcast addresses that DHCPv4 uses.
When a host obtains an IPv6 address from a DHCPv6 server, the following occurs:
1. The client sends a Solicit message to locate DHCPv6 servers.
2. Each server sends an Advertise message to indicate that it offers IPv6 addresses and configuration
   options.
3. The client sends a Request message to a specific DHCPv6 server to request configuration information.
4. The selected server sends a Reply message to the client that contains the address and configuration
   settings.
When the host needs only configuration settings (the O flag case), it instead sends an Information-request
message, and a DHCPv6 server sends a Reply message to the client with the requested configuration
settings.
Note: DHCPv6 is a service that provides stateful autoconfiguration of IPv6 hosts. It can
configure IPv6 hosts automatically with an IPv6 address and other configuration information,
such as DNS servers. This is equivalent to DHCPv4 for IPv4 networks.
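How to tell, for each IPv6 address on a Windows 8.1 computer, which of the configuration types above produced it and whether its state (from the list in the previous topic) allows it to be used. This is an added example and not course code. The classification function takes plain objects with the same property names that Get-NetIPAddress returns, so the first call runs on constructed sample data; the later lines read the live configuration of the computer.

```powershell
# Added example (not course code): map PrefixOrigin/SuffixOrigin to the autoconfiguration
# type and report the address state.

function Get-IPv6ConfigSource {
    param($Address)   # anything with IPAddress, PrefixOrigin, SuffixOrigin and AddressState
    # PrefixOrigin says where the /64 came from; SuffixOrigin where the interface ID came from
    $source = switch ("$($Address.PrefixOrigin)") {
        'RouterAdvertisement' {
            if ("$($Address.SuffixOrigin)" -eq 'Random') { 'Stateless (SLAAC), temporary privacy address' }
            else                                         { 'Stateless (SLAAC)' }
        }
        'Dhcp'      { 'Stateful (DHCPv6)' }
        'WellKnown' { 'Link-local autoconfiguration (no router or DHCPv6 needed)' }
        'Manual'    { 'Static' }
        default     { 'Other' }
    }
    # Only a Preferred address should be used for new connections: Tentative means duplicate
    # address detection is still running, Duplicate means it failed, Deprecated means avoid
    # for new traffic.
    [pscustomobject]@{
        IPAddress = $Address.IPAddress
        Source    = $source
        State     = "$($Address.AddressState)"
        Usable    = ("$($Address.AddressState)" -eq 'Preferred')
    }
}

# Constructed sample objects in the shape Get-NetIPAddress returns
$sample = @(
    [pscustomobject]@{ IPAddress='fe80::9c2a:1b3f:6d42:8e1%12';       PrefixOrigin='WellKnown';           SuffixOrigin='Link';   AddressState='Preferred' }
    [pscustomobject]@{ IPAddress='2001:db8:1:0:9c2a:1b3f:6d42:8e1';   PrefixOrigin='RouterAdvertisement'; SuffixOrigin='Link';   AddressState='Preferred' }
    [pscustomobject]@{ IPAddress='2001:db8:1:0:d0f5:7e2a:c3b1:99aa';  PrefixOrigin='RouterAdvertisement'; SuffixOrigin='Random'; AddressState='Deprecated' }
    [pscustomobject]@{ IPAddress='2001:db8:1::1:101';                 PrefixOrigin='Dhcp';                SuffixOrigin='Dhcp';   AddressState='Tentative' }
)
$sample | ForEach-Object { Get-IPv6ConfigSource $_ } | Format-Table -AutoSize

# Live: the M and O flags the interface is working with, then every address on the computer
Get-NetIPInterface -AddressFamily IPv6 |
    Select-Object InterfaceAlias, RouterDiscovery, Dhcp, ManagedAddressConfiguration, OtherStatefulConfiguration |
    Format-Table -AutoSize
Get-NetIPAddress -AddressFamily IPv6 | ForEach-Object { Get-IPv6ConfigSource $_ } | Format-Table -AutoSize

# To force stateless-only configuration on an interface (ignore DHCPv6 even when the
# advertisement sets the M flag), change the per-interface settings:
#   Set-NetIPInterface -InterfaceAlias Ethernet -AddressFamily IPv6 -Dhcp Disabled -RouterDiscovery Enabled
```

A Deprecated temporary address is normal: Windows rotates them and keeps the old one only for connections that are still open. A Tentative address that never becomes Preferred, or a Duplicate state, means duplicate address detection found another node answering for the address, which is worth investigating because a deliberate responder can use that to deny a host its address.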
Demonstration Steps
View the current IPv4 configuration
1. Sign in to LON-CL1 as administrator, and then verify the current IPv4 configuration by using the
   Windows PowerShell cmdlet Get-NetIPConfiguration -Detailed.
2. Open the Ethernet properties, and then view the IPv4 settings for the selected network connection.
When you have finished the demo, revert the virtual machines to their initial state:
a. In the Virtual Machines list, right-click 20687D-LON-CL1, and then click Revert.
Using IPConfig
If the computer is experiencing connectivity problems, you can use IPConfig to determine the
computer's IP address.
If the address is in the range 169.254.0.1 to 169.254.255.254, the computer is using an APIPA address.
This might indicate a DHCP-related problem. From the client computer, open an elevated command
prompt, and then use the IPConfig options in the following table to diagnose the problem.
Note: An elevated command prompt provides a context for running command-line tools
and programs with administrative rights. To open an elevated command prompt, right-click the
Command Prompt shortcut, and then click Run as administrator, providing administrative
credentials if prompted.
Option       Description
/all         Displays the full TCP/IP configuration of every adapter, including the DHCP server
             address and the lease times, which a plain ipconfig omits.
/release     Sends a DHCPRELEASE message to the DHCP server and discards the current lease.
/renew       This option forces the client computer to renew its DHCP lease. This is useful
             when you think that the DHCP-related issue is resolved, and you want to obtain
             a new lease without restarting the computer.
/release6    The IPv6 equivalent of /release.
/renew6      The IPv6 equivalent of /renew.
Note: You can use the IPConfig /release6 and /renew6 options to perform these same
tasks on IPv6-configured computers.
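The APIPA check and the release/renew sequence from the table above, as a script you can run on a client that has lost its lease. This is an added example and not course code. Test-ApipaAddress is pure logic and runs against constructed sample addresses; Invoke-DhcpClientDiagnosis reads the live configuration and must run in an elevated Windows PowerShell 4.0 session, because ipconfig /renew requires it. The adapter alias Ethernet is the lab's; adjust it for your computer.

```powershell
# Added example (not course code): DHCP client triage for Windows 8.1.

function Test-ApipaAddress {
    param([string]$IPAddress)
    # APIPA self-assigns from 169.254.0.1 through 169.254.255.254, that is, 169.254.0.0/16
    # without the network and broadcast addresses
    $o = [System.Net.IPAddress]::Parse($IPAddress).GetAddressBytes()
    if ($o[0] -ne 169 -or $o[1] -ne 254) { return $false }
    $hostPart = $o[2] * 256 + $o[3]
    return ($hostPart -ge 1 -and $hostPart -le 65534)
}

function Invoke-DhcpClientDiagnosis {
    param([string]$InterfaceAlias = 'Ethernet')
    $report = New-Object System.Collections.ArrayList
    $iface  = Get-NetIPInterface -InterfaceAlias $InterfaceAlias -AddressFamily IPv4
    $addrs  = Get-NetIPAddress   -InterfaceAlias $InterfaceAlias -AddressFamily IPv4
    foreach ($a in $addrs) {
        if (Test-ApipaAddress $a.IPAddress) {
            [void]$report.Add("APIPA address $($a.IPAddress): no DHCP lease was obtained")
        }
    }
    if ("$($iface.Dhcp)" -ne 'Enabled') {
        [void]$report.Add('DHCP is disabled on the interface; the computer never asks for a lease')
        return $report
    }
    # The last DHCP server that answered, as the adapter recorded it (empty if none ever did)
    $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Where-Object { $_.InterfaceIndex -eq $iface.InterfaceIndex }
    if ($cfg.DHCPServer) {
        $reach = Test-Connection -ComputerName $cfg.DHCPServer -Count 2 -Quiet
        [void]$report.Add("DHCP server $($cfg.DHCPServer) answers ping: $reach")
    } else {
        [void]$report.Add('No DHCP server has ever answered on this interface')
    }
    # Recent DHCP client events from the System log (event 1001 is "no address assigned")
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Dhcp-Client' } `
        -MaxEvents 5 -ErrorAction SilentlyContinue |
        ForEach-Object { [void]$report.Add("Event $($_.Id) at $($_.TimeCreated): $($_.Message.Split("`n")[0])") }
    # Same sequence as the table: release, renew, and read back the result
    ipconfig /release "$InterfaceAlias" | Out-Null
    ipconfig /renew   "$InterfaceAlias" | Out-Null
    $after = Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 |
        Where-Object PrefixOrigin -eq 'Dhcp'
    if ($after) { [void]$report.Add("Renew succeeded: $($after.IPAddress)") }
    else        { [void]$report.Add('Renew failed: still no DHCP-assigned address') }
    return $report
}

# Constructed samples for the pure check (the APIPA range excludes .0.0 and .255.255)
'169.254.13.7', '169.254.0.0', '169.254.255.255', '172.16.16.3' |
    ForEach-Object { '{0,-16} APIPA={1}' -f $_, (Test-ApipaAddress $_) }
# Live run
Invoke-DhcpClientDiagnosis -InterfaceAlias 'Ethernet'
```

Run it from the console of the affected computer, not over a remote session: the release step drops the address the session depends on. A renew that succeeds only after the server reports as reachable points to the scope (exhausted, deactivated, or wrong subnet) rather than to the client.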
Problem: The DHCP client does not have an IP address configured, or has an APIPA address.
Solution: Verify that the client computer has a valid and functioning network connection. First, check
that related client hardware (cables and network adapters) is working properly at the client end by using
basic network and hardware troubleshooting steps. If the client hardware appears to be prepared and
functioning properly, check that the DHCP server is available on the network by pinging it from another
computer on the same network as the affected DHCP client. Then use the ping command to test
connectivity from the client to the server; to force ping to use IPv6, use the -6 parameter, for example
ping -6 Server1.Adatum.com. Your next step is to either verify or manually attempt to renew the client
lease. Depending on your network requirements, it might be necessary to disable IP autoconfiguration at
the client. Before you make this decision, you should learn more about IP autoconfiguration and how it
works.

Problem: The DHCP client has an address but is missing configuration details that DHCP options supply.
Solution: For DHCP clients, verify that the most commonly used and supported options have been
configured at the server, scope, client, or class level of options assignment.

Problem: The DHCP client has an incorrect default gateway (router option).
Solution: Change the IP address list for the router (default gateway) option at the applicable DHCP scope
and server. If you configure the router option as a Server Option at the affected DHCP server, remove it
there and set the correct value in the Scope Options node for the applicable DHCP scope that services the
client. In rare instances, you might have to configure the DHCP client to use a specialized list of routers
that is different from other scope clients. In such cases, you can add a reservation and then configure the
router option list specifically for the reserved client.

Problem: The DHCP client is on a different subnet from the DHCP server and cannot obtain a lease.
Solution: A DHCP server can only service requests for a scope that has a network ID that is the same as
the network ID of its IP address. Completing the following steps might correct this problem:
1. Configure a BOOTP/DHCP relay agent on the client subnet, that is, the same physical network
   segment. The relay agent can be located on:
   o The router itself
   o A computer that is running Microsoft Windows NT Server and the DHCP relay agent component
2. At the DHCP server, do the following:
   o In the scope, make sure that the subnet mask is correct for the remote subnet.
   o Do not include this scope, which is the one for the remote subnet, in superscopes configured for
     use on the same local subnet or segment where the DHCP server resides.
   o Make sure there is only one logical route between the DHCP server and the remote subnet clients.

Problem: Many DHCP clients are unable to get IP addresses from the DHCP server.
Solution: Ensure that you do not configure multiple DHCP servers on the same LAN with overlapping
scopes. You might want to rule out the possibility that one of the DHCP servers in question is a computer
that is running Small Business Server (SBS). On a computer that is running Windows SBS, the DHCP Server
service automatically stops when it detects another DHCP server on the LAN.
Using superscopes
http://go.microsoft.com/fwlink/?LinkId=154466&clcid=0x409
Configuring scopes
http://go.microsoft.com/fwlink/?LinkId=154467&clcid=0x409
A. Datum Corporation is introducing new laptop computers for some of its managers. You need to test
how the IPv4 configuration will behave when the managers are away from the office and a DHCP server is
unavailable.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 30 minutes
Virtual machines: 20687D-LON-DC1 and 20687D-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687D-LON-DC1, and then in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4.
5.
Password: Pa$$w0rd
You need to determine how the Windows 8.1 client operating system currently receives its IPv4 address.
You need to provide an automated way for client computers to receive IPv4 configuration. You will
configure a Windows 8.1 client to receive IPv4 configuration from a DHCP server and then verify the
configuration.
The main tasks for this exercise are as follows:
2. Open a Command Prompt window, and then run the command ipconfig /all.
   o Is DHCP enabled?
2. Is DHCP enabled?
Results: After completing this exercise, you should have configured LON-CL1 to obtain an IPv4
configuration automatically from a DHCP server.
2. Use the DHCP management console to deactivate the IPv4 scope named A Datum Scope:
3. In the TCP/IPv4 properties for Ethernet, use the Alternate Configuration tab to configure the
   following:
   o IP address: 172.16.16.10
2. At the command prompt, type ipconfig /release, and then press Enter.
3. At the command prompt, type ipconfig /renew, and then press Enter.
4. At the command prompt, type ipconfig /all, and then press Enter.
IP address: 172.16.16.10
Results: After completing this exercise, you should have tested various scenarios for dynamic IP address
assignment and then configured a static IP address.
When you have finished the lab, leave the virtual machines running, as you will need them for the
next lab.
Lesson 4
Computers can communicate over a network by using a name in place of an IP address. Computers use
name resolution to find an IP address that corresponds to a name, such as a host name. This lesson
focuses on different types of computer names and the methods to resolve them.
Lesson Objectives
After completing this lesson, you will be able to:
Describe the tools you can use to resolve name resolution issues.
Host Name
A host name is a user-friendly name that is associated with a host's IP address and identifies it as a
TCP/IP host. A host name can be no more than 255 characters in length and may contain only
alphanumeric characters, periods, and hyphens.
A fully qualified domain name (FQDN) combines the host name with its DNS domain name, using
periods as separators; for example, LON-CL1.Adatum.com. Applications use the structured FQDN on the
Internet.
NetBIOS Name
Applications use the 16-character NetBIOS name to identify a NetBIOS resource on a network. A NetBIOS
name represents a single computer or a group of computers. NetBIOS uses the first 15 characters for a
specific computers name and the final sixteenth character to identify a resource or service on that
computer. An example of a NetBIOS name is NYC-SVR2[20h].
Windows supports a number of different methods for resolving computer names, such as DNS, WINS, and
the host name resolution-process.
Resolve IP addresses to host names. This is useful when a log file contains only a hosts IP address.
Locate a mail server for email delivery. This is used for the delivery of all Internet email.
WINS provides a centralized database for registering dynamic mappings of a networks NetBIOS names.
Support is retained for WINS to provide backward compatibility.
While you can use WINS, you also can resolve NetBIOS names by using the following:
Broadcast messages. Broadcast messages do not work well on large networks because routers do not
propagate broadcasts.
Lmhosts file on all computers. Using an Lmhosts file for NetBIOS name resolution is a
high-maintenance solution because you must maintain the file manually on all computers.
Depending on the configuration, Windows 8.1 resolves host names by performing the following actions:
1. Checking whether the host name is the same as the local host name.
2. Checking the DNS client resolver cache, which also holds the entries from the Hosts file.
3. Querying the configured DNS servers, appending the connection-specific and search-list suffixes to
   single-label names.
4. If the name is still unresolved and is a single-label name, falling back to Link-Local Multicast Name
   Resolution (LLMNR) and then to the NetBIOS methods.
Windows resolves host names that are single-label, unqualified names by performing the following
actions:
1. Converting the host name to a NetBIOS name and checking the local NetBIOS name cache.
2. Querying the configured WINS servers.
3. Broadcasting as many as three NetBIOS name query request messages on the subnet that is directly
   attached.
4. Checking the Lmhosts file.
Note: Windows 8.1 can use Link-Local Multicast Name Resolution (LLMNR) for networks that do
not have a DNS server. For example, if a Windows 8.1 computer must resolve a single-label name,
it first queries a DNS server. If there is no DNS server or no response from the DNS server, Windows 8.1
uses LLMNR. If this is unsuccessful, Windows 8.1 attempts resolution by using the NetBIOS methods
that the preceding section explains.
Note: LLMNR and NetBIOS broadcasts send the query to every host on the local segment and accept
the first answer, so any computer on that segment can impersonate the name being looked up and
collect the credentials a client then presents. Hardened environments commonly disable LLMNR (the
Turn off multicast name resolution policy) and NetBIOS over TCP/IP, which leaves DNS as the only method.
Note: You can exert control over the precise order used to resolve names. For example, if
you disable NetBIOS over TCP/IP, none of the NetBIOS name-resolution methods are attempted.
GlobalNames Zone
GlobalNames Zone is a feature in Windows Server 2008 and newer versions. GlobalNames Zone provides
single-label name resolution for large enterprise networks that do not deploy WINS. Some networks
might require the ability to resolve static, global records with the single-label names that WINS currently
provides. These single-label names refer to well-known and widely used servers with statically assigned
IP addresses. A GlobalNames Zone is created manually and is not available for dynamic registration of
records. GlobalNames Zone helps your customers migrate to DNS for all name resolution. The DNS Server
role in Windows Server 2008 and newer versions supports the GlobalNames Zone feature.
GlobalNames Zone assists in the migration from WINS. However, it is not a replacement for WINS.
GlobalNames Zone is not intended to support single-label name resolution for records that are
registered dynamically in WINS and that IT administrators typically do not manage. Support for these
dynamically registered records is not scalable, especially for larger customers with multiple domains
and forests.
The recommended GlobalNames Zone deployment is to use an AD DS-integrated zone, named
GlobalNames, which is distributed globally.
Instead of using GlobalNames Zone, you can choose to configure DNS and WINS integration. Do this
by configuring the DNS zone properties to perform WINS-lookups for NetBIOS-compliant names. The
advantage of this approach is that you can configure client computers to only use a single name service
(DNS) and still be able to resolve NetBIOS-compliant names.
Understanding DNS Client Settings
http://go.microsoft.com/fwlink/?LinkId=154441&clcid=0x409
Event Viewer
IPConfig
Ping
NSlookup
Windows PowerShell
Event Viewer
Event logs are files that record significant events on a computer, such as when a process encounters an
error. The System log will reference IP conflicts, which can prevent services from starting. When these
events occur, a Windows operating system records the event in an appropriate event log. You can use
Event Viewer to read the log. When you troubleshoot errors in Windows 8.1, view the events in the event
logs to determine the problem's cause.
Event Viewer enables you to access the Application, Security, Setup, and System logs under the Windows
Logs node. When you select a log and then select an event, a preview pane under the event list contains
details of the specified event. To help diagnose network problems, look for errors or warnings in the
System log related to network services.
Use Windows Network Diagnostics to diagnose and correct networking problems. In the event of a
Windows 8.1 networking problem, the Diagnose Connection Problems option helps diagnose and repair
the problem, and will return a description of the potential problem and a possible remedy. The solution
might require manual intervention from the user.
IPConfig
IPConfig displays the current TCP/IP network configuration. Additionally, you can use IPConfig to refresh
DHCP and DNS settings as discussed in the previous Windows Network Diagnostics topic. For example,
you might need to flush the DNS cache.
Ping
Ping verifies IP-level connectivity to another TCP/IP computer. Ping sends Internet Control Message
Protocol (ICMP) Echo Request messages and displays the receipt of the corresponding Echo Reply
messages. Ping is the primary TCP/IP command used to troubleshoot connectivity. Ping is more useful
on an internal network because firewalls on the Internet commonly block ICMP requests.
NSlookup
NSlookup displays information that you can use to diagnose a DNS infrastructure. You can use NSlookup
to confirm connection to a DNS server and that the required records exist. You can use NSlookup in the
following two modes:
Interactive. To use NSlookup in interactive mode, type NSlookup at the command prompt and press
Enter. By default, NSlookup will query against the local DNS server. Interactive mode provides many
options for NSlookup, such as setting a specific DNS server to be queried. You can view the available
6-29
options by typing Help at the interactive command prompt. A common use for NSlookup in
interactive mode is to query for a specific type of record. For example, to query for Mail Exchanger
MX records from the interactive mode command prompt, you would type set q=mx and press Enter,
and then type the name of the domain you are looking for and press Enter again. The query will
return only the MX records for that domain.
Noninteractive. The noninteractive mode is useful for quick lookups of names. For example, to
discover the IP address of a computer named Server1 in the Contoso.com domain, you can type the
query NSlookup Server1.Contoso.com directly at the command prompt, and the local DNS server
will respond with a reply to the query.
Windows PowerShell
You also can use Windows PowerShell cmdlets for configuring and troubleshooting network settings. The
following table lists some of these cmdlets and their purposes.
Cmdlet: Purpose
Clear-DnsClientCache: Clears the contents of the DNS client cache (the equivalent of ipconfig /flushdns).
Get-DnsClient: Retrieves the DNS client configuration of each network interface, such as the connection-specific suffix.
Get-DnsClientCache: Retrieves the records currently held in the DNS client cache.
Get-DnsClientGlobalSetting: Retrieves global DNS client settings like the suffix search list.
Get-DnsClientServerAddress: Retrieves the DNS server addresses configured on each network interface.
Register-DnsClient: Registers the computer's IP addresses in DNS (the equivalent of ipconfig /registerdns).
Set-DnsClient: Configures the DNS client settings of a network interface.
Set-DnsClientGlobalSetting: Configures global DNS client settings like the suffix search list.
Set-DnsClientServerAddress: Configures the DNS server addresses used by a network interface.
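The following added example (not course material) ties the IPConfig, Ping, NSlookup and DNS client cmdlet steps above into one PowerShell triage. It assumes Windows 8.1 or later, where Get-NetIPAddress, Test-Connection and Resolve-DnsName are available alongside the cmdlets in the table; the function names are the example's own, and the host name and address at the bottom are this module's lab values.

```powershell
# Added example (not part of the course): a small connectivity triage that mirrors the
# ipconfig / ping / nslookup workflow with Windows 8.1 cmdlets. Get-NetIPAddress,
# Test-Connection and Resolve-DnsName ship with Windows 8.1; the host name and address
# used at the bottom are this module's lab values (lon-dc1, 172.16.0.10).

function Test-ApipaAddress {
    # ipconfig shows a 169.254.x.x (APIPA) address when the DHCP server could not be reached.
    param([Parameter(Mandatory)][string]$IPv4Address)
    return $IPv4Address -like '169.254.*'
}

function Get-ClientNetworkSummary {
    # The parts of "ipconfig /all" that matter for connectivity triage, one row per adapter.
    $addresses = Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.InterfaceAlias -notmatch 'Loopback' }
    foreach ($addr in $addresses) {
        $dns = Get-DnsClientServerAddress -InterfaceIndex $addr.InterfaceIndex -AddressFamily IPv4
        [pscustomobject]@{
            Interface  = $addr.InterfaceAlias
            IPv4       = $addr.IPAddress
            PrefixLen  = $addr.PrefixLength
            DnsServers = ($dns.ServerAddresses -join ', ')
            IsApipa    = Test-ApipaAddress -IPv4Address $addr.IPAddress
        }
    }
}

function Get-MailExchangerRecords {
    # Non-interactive equivalent of "set q=mx" followed by the domain name in NSlookup.
    param([Parameter(Mandatory)][string]$Domain)
    Resolve-DnsName -Name $Domain -Type MX -DnsOnly -ErrorAction Stop |
        Where-Object { $_.Type -eq 'MX' } |
        Select-Object Name, NameExchange, Preference
}

function Test-NameResolutionPath {
    # Separates "the network is down" from "DNS is wrong":
    #   1. flush the resolver cache (ipconfig /flushdns) so the server is tested, not the cache;
    #   2. ping by name and by address;
    #   3. ask the DNS server directly (nslookup) what the name resolves to.
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][string]$ExpectedAddress
    )
    Clear-DnsClientCache
    $byName = Test-Connection -ComputerName $HostName -Count 2 -Quiet -ErrorAction SilentlyContinue
    $byAddr = Test-Connection -ComputerName $ExpectedAddress -Count 2 -Quiet -ErrorAction SilentlyContinue
    $resolved = @()
    try {
        $resolved = @(Resolve-DnsName -Name $HostName -Type A -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
    } catch { }

    $diagnosis = if ($byName) { 'OK: name resolves and host answers' }
        elseif (-not $byAddr) { 'IP layer: host unreachable by address; check adapter, APIPA, gateway, firewall' }
        elseif ($resolved.Count -eq 0) { 'DNS: host reachable by address but the name does not resolve' }
        elseif ($ExpectedAddress -notin $resolved) { "DNS: name resolves to $($resolved -join ', '), expected $ExpectedAddress" }
        else { 'Unknown: name resolves correctly and host answers by address, but not by name' }

    [pscustomobject]@{
        HostName      = $HostName
        ResolvedTo    = ($resolved -join ', ')
        PingByName    = $byName
        PingByAddress = $byAddr
        Diagnosis     = $diagnosis
    }
}

# Usage with the module's lab values (replace with your own host and address).
Get-ClientNetworkSummary | Format-Table -AutoSize
Test-NameResolutionPath -HostName 'lon-dc1' -ExpectedAddress '172.16.0.10'
```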
Microsoft Message Analyzer is the replacement for Network Monitor, which Microsoft last released
as version 3.4. The Microsoft Message Analyzer provides more capabilities than Network Monitor for
determining network issues. It can capture, display, and analyze live network traffic in multiple viewing
formats such as grids, charts, and timeline views. It also allows you to import, aggregate, and analyze data
from log and trace files.
Integrated event and message capture at different system levels and endpoints
An intern has been unsuccessful in attempts to resolve a network connectivity problem on a Windows 8.1
computer, and has not documented the changes made to the computer. You need to restore network
connectivity for the computer.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 15 minutes
Virtual machines: 20687D-LON-DC1 and 20687D-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment.
Windows 8.1 clients are experiencing issues when connecting to network resources. As the network
administrator, you must resolve these issues by performing troubleshooting steps to identify and resolve
the issues.
The main tasks for this exercise are as follows:
On LON-CL1, in the properties of Local Area Connection, disable the IPv6 protocol.
2. Access drive letter P by using File Explorer. Are you able to access the mapped drive P?
Use the techniques and tools from this module to determine the following information:
Results: After completing this exercise, you should have created a connectivity problem between
LON-CL1 and LON-DC1.
You must use troubleshooting tools and techniques to resolve and test the resolution of the connectivity
issue.
The main tasks for this exercise are as follows:
Use the tools and techniques from this module to resolve the problem.
Access drive letter P by using File Explorer. Are you able to access mapped drive P?
2. Open a Command Prompt window, and at the command prompt, run the following commands:
ping lon-dc1
ping 172.16.0.10
ipconfig /all
Use the tools and techniques from this module to resolve the problem.
Results: After completing this exercise, you should have resolved the connectivity problem between
LON-CL1 and LON-DC1.
2. In the Virtual Machines list, right-click 20687D-LON-CL1, and then click Revert.
Lesson 5
An increasing number of devices use wireless connections as the main method for accessing corporate
intranets and the Internet. Additionally, many users have come to expect a wireless infrastructure in a
corporate workplace. As a result, a strong knowledge of wireless connectivity is a requirement for today's
networking environment. This lesson discusses the various wireless standards and the configuration and
support of Windows 8.1 wireless clients.
Lesson Objectives
After completing this lesson, you will be able to:
Ad hoc. Ad hoc networks can connect wireless devices dynamically in a peer-to-peer configuration
without the use of any infrastructure devices.
The 802.11 standard has been evolving since 1997. There have been many improvements in transmission
speed and security of the 802.11 technology since then. A letter of the alphabet designates each new
standard, as the following table shows.
Specification
Description
802.11a
802.11b
This specification provides 11 Mbps and operates in the 2.4 GHz range.
802.11e
802.11g
802.11n
802.11ac
This specification builds on 802.11n to attain data rates of 433 Mbps. 802.11ac
operates only in the 5 GHz frequency range.
Wireless Security
Wireless security has been the biggest consideration by organizations planning a wireless implementation.
Because wireless traffic travels across open airwaves, it is susceptible to interception by attackers.
Therefore, organizations utilize several security technologies to address these concerns. Most Wi-Fi
devices support multiple security standards. The following table describes the current security methods
available for wireless networks:
Security method: Wired Equivalent Privacy (WEP)
Description: WEP is the oldest form of wireless security. Some devices support different versions: WEP 64-bit key, WEP 128-bit key, and WEP 256-bit key. The security issues surrounding WEP are well-documented, and WEP should not be used unless it is the only alternative.
Security method: Wi-Fi Protected Access (WPA)
Security method: WPA2
Description: This is an improved version of WPA that has become the Wi-Fi security standard. WPA2 employs Advanced Encryption Standard (AES), which employs larger encryption key sizes.
The security methods that a given wireless device supports depend on the vendor and the device's age.
All modern wireless devices should support WPA2.
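As an added example (not course material), the following PowerShell audit rates the Wi-Fi profiles saved on a Windows 8.1 computer against the methods in the table above. It reads the profile XML that the real netsh wlan export profile command writes, so it does not depend on the display language of netsh; the rating labels are the example's own, and the two profiles embedded at the bottom are constructed samples, not real networks.

```powershell
# Added example (not part of the course): rates saved Wi-Fi profiles against the methods in
# the table above, using the XML that "netsh wlan export profile" writes, so the check does not
# depend on the display language of netsh. The two profiles at the bottom are constructed samples.

function Get-WlanProfileSecurityRating {
    param([Parameter(Mandatory)][xml]$ProfileXml)
    $ns = New-Object System.Xml.XmlNamespaceManager($ProfileXml.NameTable)
    $ns.AddNamespace('w', 'http://www.microsoft.com/networking/WLAN/profile/v1')
    $name = $ProfileXml.SelectSingleNode('/w:WLANProfile/w:name', $ns).InnerText
    $auth = $ProfileXml.SelectSingleNode('//w:authEncryption/w:authentication', $ns).InnerText
    $enc  = $ProfileXml.SelectSingleNode('//w:authEncryption/w:encryption', $ns).InnerText

    # authentication is open/shared/WPA/WPAPSK/WPA2/WPA2PSK; encryption is none/WEP/TKIP/AES.
    $rating = switch -Regex ("$auth/$enc") {
        '^(open|shared)/none$' { 'Unacceptable: open network, traffic is not encrypted'; break }
        '/WEP$'                { 'Unacceptable: WEP, well-documented weaknesses'; break }
        '^WPA(PSK)?/'          { 'Weak: original WPA, upgrade to WPA2'; break }
        '^WPA2(PSK)?/TKIP$'    { 'Weak: WPA2 with the TKIP cipher, switch to AES'; break }
        '^WPA2(PSK)?/AES$'     { 'Acceptable: WPA2 with AES'; break }
        default                { "Review: unrecognised combination $auth/$enc" }
    }
    [pscustomobject]@{ Profile = $name; Authentication = $auth; Encryption = $enc; Rating = $rating }
}

function Get-SavedWlanProfileRatings {
    # Exports every saved profile (without its key) to a temporary folder, rates each, cleans up.
    $dir = Join-Path $env:TEMP ('wlan-audit-' + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $dir | Out-Null
    try {
        netsh wlan export profile folder="$dir" | Out-Null
        Get-ChildItem -Path $dir -Filter '*.xml' | ForEach-Object {
            Get-WlanProfileSecurityRating -ProfileXml ([xml](Get-Content -Path $_.FullName -Raw))
        }
    } finally {
        Remove-Item -Path $dir -Recurse -Force -ErrorAction SilentlyContinue
    }
}

# Constructed sample profiles (placeholders, not real networks) for an offline demonstration.
$legacyProfile = @'
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>Warehouse-Legacy</name>
  <SSIDConfig><SSID><name>Warehouse-Legacy</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <MSM><security>
    <authEncryption><authentication>open</authentication><encryption>WEP</encryption></authEncryption>
  </security></MSM>
</WLANProfile>
'@
# Same profile with the settings the table recommends: WPA2 (pre-shared key) with AES.
$currentProfile = $legacyProfile -replace 'Warehouse-Legacy', 'Corp-WPA2' -replace 'open', 'WPA2PSK' -replace 'WEP', 'AES'

Get-WlanProfileSecurityRating -ProfileXml ([xml]$legacyProfile)
Get-WlanProfileSecurityRating -ProfileXml ([xml]$currentProfile)
# Live audit of the profiles saved on this computer (needs a Wi-Fi adapter):
# Get-SavedWlanProfileRatings | Format-Table -AutoSize
```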
Broadband Management
Previously, most mobile broadband devices typically came with connection-management software that
users had to install and configure on a computer. Depending on the provider, this software could be
difficult to configure, and it sometimes interfered with the internal connection-management functions of
Windows. In Windows 8 and Windows 8.1, you can use the network settings to manage individual Wi-Fi,
broadband, or Bluetooth devices to turn them off or on. You do not have to install extra software.
Windows 8.1 also supports airplane mode, which allows you to disable all radio devices simultaneously.
Windows 8.1 also gives priority to available preferred Wi-Fi networks over broadband connections by
default. When you are out of range of a preferred Wi-Fi network, the broadband connection is restored
automatically.
Many data plans have limits on how much data you can use before extra charges come into play. To track
data usage, each individual wireless network provides information on the current amount of data that you
have used. You have the ability to reset the counter when you choose, so you can track data usage the
way that you want, such as on a monthly basis or even by session.
Plan Purchase
If you already have a subscription to a data plan with a provider, you just need to plug in your device.
If you want to purchase a subscription, you can go to the Networks Settings pane, and click Connect next
to an advertised provider's icon. This will direct you to the provider's website where you can purchase a
data plan. After purchasing your plan, you can provision your computer automatically for that provider's
network. In the background, the Windows operating system gathers information by using a database of
access-point names so that it can provision your system to connect to the provider's network.
Broadband Tethering
Windows 8.1 supports broadband tethering for up to 10 devices. Now, any computer or device can use a
broadband-enabled Windows 8.1 device as a wireless hotspot. To set up tethering, you only have to share
the network connection from the Network item in Control Panel. Once shared, a network name and
password are required. The password must be eight characters long.
1. In Control Panel, view by icons, and then open the Network and Sharing Center.
2. In the Network and Sharing Center window, click Set up a new connection or network.
3. In the Set up a Connection or Network window, click Manually connect to a wireless network, and then click Next. This option will appear only if a wireless device is installed.
4. In the Manually connect to a wireless network window, enter the following details:
You also have the option to Start the connection automatically and Connect even if the network
is not broadcasting.
After the initial configuration of the network, you can open the properties to change settings or to further
configure the wireless network to:
In Windows 8 or Windows 8.1, you can use the Network Settings pane from the Start screen settings to
configure wireless network settings by performing the following procedure:
2. Click the wireless network Available icon. If no wireless networks are in range, the icon will say Unavailable. The Networks pane will appear with a list of available wireless networks.
3. Click the name of the wireless network to which you want to connect, and then click Connect.
5. Choose whether you want to share your files with others on the network.
Windows will remember the settings, and then reconnect automatically when you are in range. If you
need to change the configuration, you can right-click the wireless network name in the Network pane,
and then click View connection properties.
The building layout and construction material can significantly affect signal interference. Buildings with a
lot of brick or steel construction pose issues with signal availability. When placing APs, you should avoid
physical obstructions as much as possible. Even objects such as metal cabinets can cause signal blockage.
Try to avoid placing APs near reflective surfaces. Signals can bounce off mirrors and windows, thereby
reducing signal range. Avoid installing APs close to electrical equipment such as motors and fluorescent
lights. Consider using Wi-Fi repeaters to extend the range of the AP to provide better coverage.
Interference can come from other networks. If you are in a small area with many competing wireless
networks, such as in large office buildings, you might be able to get better performance by changing the
Wi-Fi channel. APs operate on specific channels and usually come preconfigured for a certain channel.
There are non-Microsoft tools available that you can use to analyze your environment and see which
channels are the most populated by other wireless networks. Choose the channel with the least traffic for
your network. The 2.4 GHz frequency and the 5 GHz frequency support different channels.
Other considerations to improve your wireless environment include:
Update your firmware to the latest versions for both APs and client network adapters.
On Windows 8.1, you can adjust the Advanced Power Options for the wireless network adapter to use
maximum power.
Consider using Wi-Fi repeaters to extend the range of the AP to provide better coverage.
Consider upgrading the antenna of the AP, and consider the use of hi-gain and omnidirectional
antennas to increase signal distance and coverage.
Issue
Resolution
Make sure that you enter the wireless password correctly. In smaller
wireless networks, this information is on the administration page of
the wireless router.
Make sure that the wireless adapter has the proper drivers. You
might have to go to the vendor site to obtain the latest version of
drivers.
Make sure you configure the SSID correctly. Also, make sure that
you configure the wireless adapter to use the proper encryption
protocol, such as WPA or WPA2.
Hardware issues
Make sure that the Windows operating system supports the wireless
adapter. You can perform this check at the Windows Compatibility
Center.
You also can use the Windows automated troubleshooter in Windows 8.1. Right-click the network icon in
the notification area of your taskbar, and then click Troubleshoot problems.
Troubleshooting Tip
Review Questions
Question: After starting her computer, Amy notices that she is unable to access her normal
resources. What tool can she use to determine if she has a valid IP address?
Question: When transmitting accounts receivable updates to a billing partner in China, Amy
notices that the files are transmitting slowly. What tool can she use to determine the network
path and latency of the network?
Question: Amy notices that she cannot access normal enterprise websites. She knows that
she has a valid IP address but wants to troubleshoot the DNS access of her computer. What
tool must she use?
Question: What is the IPv6 equivalent of an IPv4 APIPA address?
Question: You are troubleshooting a network-related problem, and you suspect a name-resolution issue. Before conducting tests, you want to purge the DNS resolver cache. How do you do that?
Question: You are troubleshooting a network-related problem. The IP address of the host
you are troubleshooting is 169.254.16.17. What is a possible cause of the problem?
Tools
You can use the following tools to troubleshoot network connectivity issues.
Tool
Description
The Network and Sharing Center informs you about your network
and verifies whether your computer can access the Internet
successfully. Then, it summarizes this information in the form of a
network map.
Netsh.exe
Pathping.exe
NSlookup.exe
IPConfig.exe
Ping.exe
Ping.exe is a basic command-line tool that you can use for verifying
IP connectivity.
Tracert.exe
Windows PowerShell
Module 7
Configuring File Access and Printers on Windows 8.1 Clients
Contents:
Module Overview
7-1
Module Overview
This module provides the information and tools that you need to manage access to shared folders and
printers on a computer that is running the Windows 8.1 operating system. Specifically, the module
describes how to share and protect folders, configure folder compression, and how to install, configure,
and manage printers. Additionally, this module introduces Microsoft OneDrive (formerly known as
SkyDrive) functionality.
To maintain network or local file and printer systems, it is essential to understand how to safeguard these
systems and make them operate as efficiently and effectively as possible. This includes setting up File
permissions (previously known as NTFS permissions), compressing and managing shared folders and files,
and configuring printers.
Objectives
After completing this module, you will be able to:
Lesson 1
One of the most common ways that users access data is from network file shares. You can control access to
file shares with file share permissions and File permissions. Understanding how to determine effective
permissions is essential to securing your files.
You can use File permissions to define the level of access that users have to files that are available on a
network or locally on a Windows 8.1 computer. This lesson explores File permissions and describes the
tools for managing files and folders, in addition to the effect of various file and folder activities on these
permissions.
Lesson Objectives
After completing this lesson, you will be able to:
Describe how copying and moving files and folders affect access.
Shared folder permissions. These allow security principals such as users to access shared resources
from across a network. Shared folder permissions only are in effect when a user accesses a resource
from a network. The next lesson covers this topic in detail.
File permissions. These are always in effect, irrespective of whether a user accesses a file by
connecting across a network or by logging on to the local machine where the resource is located. You
can grant File permissions to a file or folder for a named group or user.
Each NTFS file and folder has an access control list (ACL) with a list of users and groups who have
permissions on the file or folder. Each entry in the ACL is an access control entry that identifies the specific
permissions granted to a user or group.
User rights allow administrators to assign specific privileges and logon rights to groups or users. These
rights authorize users to perform specific actions, such as logging on to a system interactively or backing
up files and directories. User rights are different from permissions: user rights apply to user accounts,
whereas permissions are attached to objects.
Administrators can employ user rights to manage who has the authority to perform operations that span
an entire computer rather than a particular object. Administrators assign user rights to individual users or
groups as part of a computer's security settings. Although you can manage user rights centrally through
Group Policy, Windows 8.1 applies user rights locally. Users can, and usually do, have different user rights
on different computers.
Unlike permissions, which an object's owner (or a user with appropriate permissions) grants, you assign
user rights as part of a computer's local security policy.
There are two types of user rights: privileges, such as the right to back up files and directories, and logon
rights, such as the right to log on to a system locally.
Possible Scenarios
Conflicts between rights and permissions typically occur only where the rights that are required to
administer a system overlap with resource-ownership rights. When there is a conflict, rights override
permissions.
For example, to create a backup of files and folders, backup software must be able to traverse all folders
in an NTFS volume, list the contents of each folder, read the attributes of every file, and read data in any
file that has its archive attribute set. It is impractical to arrange this access by coordinating with the owner
of every file and folder. Therefore, the required rights are included in the Back up files and directories
user right, which is assigned by default to two built-in groups: Administrators and Backup Operators. Any
user who has this right can access all files and folders on the computer to back up the system. The same
default permissions that allow members of the Backup Operators group to back up and restore files also
enable them to use the group's permissions for other purposes, such as reading another user's files or
installing Trojan horse programs. Therefore, you should limit the Backup Operators group to highly
trusted user accounts that require the ability to back up and restore computers.
The ability to take ownership of files and other objects is another case where an administrator's need to
maintain a system takes priority over an owner's right to control access. Normally, you can take ownership
of an object only if its current owner grants you permission to do so. Owners of NTFS objects can allow
another user to take ownership by granting the other user Take Ownership permission. Owners of Active
Directory Domain Services (AD DS) objects can grant another user the Modify Owner permission. A user
who has this right can take ownership of an object without the current owner's permission. By default, the
right is assigned only to the built-in Administrators group. Administrators typically use this to take and
reassign ownership of resources for which the current owner is no longer available.
Special permissions provide a finer degree of control for assigning access to files and folders.
However, special permissions are more complex to manage than standard permissions.
Permission: Description
Full Control
Modify
Read and Execute: With this permission, you can see folder content, read files, and start programs; this applies to an object and any child objects by default. The specific permissions that make up Read and Execute permissions are Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, and Read Permissions.
Read
Write: With this permission, you can change folder and file content; this applies to an object and any child objects by default. The specific permissions that make up Write permissions are Create Files/Write Data, Create Folders/Append Data, Write Attributes, and Write Extended Attributes.
Special permissions: A custom configuration.
Note: Groups or users that are granted Full Control on a folder can delete any files in that
folder, regardless of the permissions protecting the file.
To modify File permissions, you must have the Full Control File permission for a folder or file. The one
exception is for file and folder owners. The owner of a file or folder can modify File permissions, even if
they do not have any current File permissions. Administrators can take ownership of files and folders to
make modifications to File permissions.
Special permissions give you a finer degree of control for assigning access to files and folders. However,
special permissions are more complex to manage than standard permissions. The following table defines
the special permissions for which you can provide custom configuration for each file and folder.
File permissions: Description
Traverse Folder/Execute File: The Traverse Folder permission applies only to folders and allows or denies a user permission to move through folders to reach other files or folders, even if the user does not have permissions for the traversed folders. Traverse Folder takes effect only when you do not grant the Bypass Traverse Checking user right to a group or user. You assign the Bypass Traverse Checking user right under User Rights Assignment in the Group Policy snap-in. By default, the Everyone group is given the Bypass Traverse Checking user right.
The Execute File permission applies only to files and allows or denies running program files. If you set the Traverse Folder permission on a folder, the Execute File permission is not set automatically on all files in that folder.
List Folder/Read Data: The List Folder permission allows or denies a user permission to view file names and subfolder names in a folder. The List Folder permission applies only to folders and affects only the contents of that folder. It does not affect whether the folder on which you are setting the permission itself appears in its parent's folder list.
The Read Data permission applies only to files, and it allows or denies a user permission to view data in files.
Read Attributes: The Read Attributes permission allows or denies a user permission to view the attributes of a file or folder, such as the read-only and hidden attributes. NTFS defines the attributes.
Read Extended Attributes
Create Files/Write Data: The Create Files permission applies only to folders, and it allows or denies a user permission to create files in a folder.
The Write Data permission applies only to files and allows or denies the user permission to make changes to a file and overwrite existing content.
Create Folders/Append Data: The Create Folders permission applies only to folders and allows or denies a user permission to create folders in the folder.
The Append Data permission applies only to files and allows or denies a user permission to make changes to the end of the file but not to change, delete, or overwrite existing data.
Write Attributes: The Write Attributes permission allows or denies a user permission to change the attributes of a file or folder, such as read-only or hidden. NTFS defines the attributes.
The Write Attributes permission does not imply that you can create or delete files or folders. It includes only the permission to make changes to the attributes of a file or folder.
Write Extended Attributes
Delete Subfolders and Files: The Delete Subfolders and Files permission applies only to folders and allows or denies a user permission to delete subfolders and files even if you do not grant Delete permission on the subfolder or file.
Delete: The Delete permission allows or denies a user permission to delete the file or folder. If you do not have the Delete permission on a file or folder, you can still delete the file or folder if you have the Delete Subfolders and Files permission on the parent folder.
Read Permissions
Change Permissions
Take Ownership
Conditions
In Windows 8.1, you can assign conditions that must be met for a permission to take effect. You can base
conditions on group memberships or the device with which a user accesses a file or folder. When viewing
the File permissions for a file or folder, the applied conditions are listed in the Condition column in the
Advanced Security Settings for <file/foldername>.
When you use a Group condition, you can specify that the permission will apply to the user based on
the following group membership rules:
When you use a Device condition, you can specify that the permission will apply if a user accesses the
file from a specified computer or computers. The following topic explains this condition further.
You can specify multiple conditions for the configured permission to apply. For example, you can create a
permission that would give members of the Financial group Full Control permissions if they also are
members of the Managers group and are accessing the folder from <computername>.
Permission inheritance allows the File Permissions that are set on a folder to apply automatically to files
that users create in that folder and its subfolders. This means that you can set File Permissions for an
entire folder structure at a single point. If you have to modify the permissions, you then only have to
perform the change at that single point.
For example, when you create a folder called MyFolder, all subfolders and files created within MyFolder
automatically inherit that folder's permissions. Therefore, MyFolder has explicit permissions, while all
subfolders and files within it have inherited permissions.
You also can add permissions to files and folders below an initial point of inheritance without modifying
the original permissions assignment. This grants a specific user or group different access than the
inherited permissions.
If the Allow or Deny check boxes that are associated with each of the permissions appear shaded, a file or
folder has inherited permissions from its parent folder. There are three ways to make changes to inherited
permissions:
Make changes to a parent folder, and then the file or folder will inherit these permissions.
Select the opposite permission (Allow or Deny) to override the inherited permission.
Choose not to inherit permissions from a parent object. You then can make changes to the
permissions or remove a user or group from the permissions list of the file or folder.
You also can deny permissions explicitly. For example, Alice might not want Bob to be able to read her
file even though he is a member of the Marketing group. She can exclude Bob by explicitly denying him
permission to read the file. Normally, this is how you use explicit denial to exclude a subset (such as
Bob) from a larger group (such as Marketing) that is granted permission to perform an operation.
Note that while possible, the use of explicit denials increases the complexity of the authorization policy,
which can create unexpected errors. For example, you might want to allow domain administrators to
perform an action but deny domain users. If you attempt to implement this by explicitly denying domain
users, you also deny any domain administrators who also are domain users. Though it is sometimes
necessary, you should avoid the use of explicit denials.
In most cases, Deny overrides Allow unless a folder inherits conflicting settings from different parents. In
that case, the setting inherited from the parent closest to the object in the subtree will have precedence.
Note: Inherited Deny permissions do not prevent access to an object if the object has an
explicit Allow permission entry. Explicit permissions take precedence over inherited permissions,
even inherited Deny permissions.
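The precedence rules above (Deny before Allow, explicit before inherited, the closer parent before the more distant one) follow from the order in which Windows stores and walks a DACL. As an added example (not course material), the following PowerShell walks a constructed in-memory DACL that way and reproduces the Alice/Bob case and the two Notes; the helper names are the example's own, and Alice, Bob and Marketing are constructed SIDs rather than real accounts.

```powershell
# Added example (not part of the course): walks an in-memory DACL the way Windows does, to
# show the precedence rules above: explicit entries before inherited ones, Deny before Allow at
# each level, closer parents before more distant ones, and the first matching entry deciding each
# right. Alice, Bob and Marketing are constructed SIDs; nothing here touches the file system.

$FR = [System.Security.AccessControl.FileSystemRights]

function New-Ace {
    # One access control entry. Depth 0 = explicit on the object, 1 = inherited from the parent,
    # 2 = inherited from the grandparent, and so on.
    param([string]$Sid, [System.Security.AccessControl.FileSystemRights]$Rights,
          [ValidateSet('Allow', 'Deny')][string]$Type, [int]$Depth = 0)
    [pscustomobject]@{ Sid = $Sid; Rights = $Rights; Type = $Type; Depth = $Depth }
}

function Get-CanonicalDacl {
    # NTFS keeps a DACL in canonical order (File Explorer writes it that way), and the
    # kernel evaluates it top to bottom.
    param([object[]]$Dacl)
    $Dacl | Sort-Object -Property Depth, @{ Expression = { if ($_.Type -eq 'Deny') { 0 } else { 1 } } }
}

function Get-EffectiveRights {
    # A matching Deny blocks the rights it names unless an earlier entry already granted them;
    # a matching Allow grants the rights it names unless an earlier entry already denied them.
    param([object[]]$Dacl, [string[]]$PrincipalSids)
    [int]$granted = 0
    [int]$denied = 0
    foreach ($ace in (Get-CanonicalDacl -Dacl $Dacl)) {
        if ($ace.Sid -notin $PrincipalSids) { continue }
        $mask = [int]$ace.Rights
        if ($ace.Type -eq 'Deny') { $denied = $denied -bor ($mask -band -bnot $granted) }
        else { $granted = $granted -bor ($mask -band -bnot $denied) }
    }
    return [System.Security.AccessControl.FileSystemRights]$granted
}

# Constructed SIDs (placeholders, not real accounts). Bob is a member of Marketing.
$Alice     = 'S-1-5-21-1000-2000-3000-1101'
$Bob       = 'S-1-5-21-1000-2000-3000-1102'
$Marketing = 'S-1-5-21-1000-2000-3000-2001'
$BobTokens = @($Bob, $Marketing)

function Get-PrecedenceScenarios {
    # The effective rights Bob ends up with in three situations from the text.
    @{
        # 1. Marketing is allowed Read & Execute (inherited); Alice explicitly denies Bob Read.
        #    The explicit Deny is evaluated first, so only the ExecuteFile bit survives for Bob.
        ExplicitDenyExcludesBob = Get-EffectiveRights -PrincipalSids $BobTokens -Dacl @(
            (New-Ace -Sid $Marketing -Rights $FR::ReadAndExecute -Type Allow -Depth 1),
            (New-Ace -Sid $Bob -Rights $FR::Read -Type Deny),
            (New-Ace -Sid $Alice -Rights $FR::FullControl -Type Allow))
        # 2. The folder denies Marketing Modify (inherited), but Bob has an explicit Allow on the
        #    file. Explicit Allow comes before inherited Deny, so Bob keeps Modify.
        ExplicitAllowBeatsInheritedDeny = Get-EffectiveRights -PrincipalSids $BobTokens -Dacl @(
            (New-Ace -Sid $Marketing -Rights $FR::Modify -Type Deny -Depth 1),
            (New-Ace -Sid $Bob -Rights $FR::Modify -Type Allow))
        # 3. The grandparent denies Marketing Write, the parent allows it: the closer parent wins.
        CloserParentWins = Get-EffectiveRights -PrincipalSids $BobTokens -Dacl @(
            (New-Ace -Sid $Marketing -Rights $FR::Write -Type Deny -Depth 2),
            (New-Ace -Sid $Marketing -Rights $FR::Write -Type Allow -Depth 1))
    }
}

Get-PrecedenceScenarios | Format-Table -AutoSize
```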
Child objects only inherit permissions that they are capable of inheriting. When you set permissions on a
parent object, you can decide whether folders, subfolders, and files can inherit permissions. Perform the
following procedure to assign permissions that can be inherited:
1. In File Explorer, right-click the file or subfolder, click Properties, click the Security tab, and then click Advanced.
2. In the Advanced Security Settings for <file or folder> dialog box, the Inherited From column lists from where the permissions are inherited. The Applies To column lists the folders, subfolders, or files to which the permissions are applied.
3. Double-click the user or group for which you want to adjust permissions.
4. In the Permission Entry for <name> dialog box, click the Applies to drop-down list, and then select one of the following options:
Subfolders only
Files only
5. Click OK in the Permission Entry for <name> dialog box, click OK in the Advanced Security Settings for <name> dialog box, and then click OK in the Properties dialog box.
If the Special permissions entry in Permissions for <User or Group> box is shaded, it does not
imply that this permission is inherited. Rather, this means that a special permission is selected.
After you set permissions on a parent folder, new files and subfolders that are created in the folder inherit
these permissions. You can block permission inheritance to restrict access to these files and subfolders. For
example, you can assign all Accounting users the Modify permission to the ACCOUNTING folder. On the
subfolder WAGES, you can block inherited permissions and grant only a few specific users access to the
folder.
Note: When permission inheritance is blocked, you have the option to copy existing
permissions or begin with blank permissions. If you only want to restrict a particular group or
user, then copying existing permissions simplifies the configuration process.
To prevent a child file or folder from inheriting permissions from a parent folder, select This folder only in
the Applies to drop-down list when you set up permissions for the parent folder.
To prevent a folder or file from inheriting permissions from a parent folder, perform the following
procedure:
1. In File Explorer, right-click the file or subfolder, click Properties, click the Security tab, and then click Advanced.
2. In the Advanced Security Settings for <file or folder> dialog box, click Disable inheritance.
3. In the Block Inheritance dialog box, select any of the following options:
Cancel
4. Click OK in the Advanced Security Settings for <name> dialog box, and then click OK in the Properties dialog box.
The Advanced Security dialog box for folders includes a check box labeled Replace all child object
permission entries with inheritable entries from this object. Selecting this check box will replace the
permissions on all child objects that you have the ability to change permissions on, including child objects
that had Block inheritance configured. This can be particularly useful if you need to change permissions
on a large number of subfolders and files, especially when the original permissions were set incorrectly.
File Explorer
File Explorer provides a simple interface that is familiar to most Windows users. You can perform several
functions by using File Explorer, including:
File Explorer is pinned to the taskbar by default in Windows 8.1. You can use File Explorer to access the
properties of any file or folder that is attached to a local computer if you have the rights to do so. You can
manage the attributes and local security File permissions of those files and folders.
The toolbar in File Explorer is context sensitive such that when you click a particular type of object, like a
document or a bitmap image, the toolbar presents actions that you can perform on that type of object.
Windows PowerShell
Windows PowerShell provides cmdlets to manage files and folders. To manage File Permissions, you can
use the Get-ACL and Set-ACL cmdlets. For example, to see the current ACL on the C:\Perflogs directory
with the output in list format, you would run the following command:
Get-ACL C:\perflogs | Format-List
To modify the ACL of a file or folder, use the Set-ACL cmdlet in conjunction with the Get-ACL cmdlet.
The Get-ACL cmdlet provides the input by getting the object that represents the ACL of the file or folder.
Then the Set-ACL cmdlet changes the ACL of the target file or folder to match the values supplied by
the Get-ACL cmdlet. For example, to set the ACL on the folder C:\Qrt1_Sales to match the permissions,
including inheritance settings, on a folder named C:\Qrt2_Sales, you would run the following command:
Get-ACL C:\Qrt2_Sales | Set-ACL C:\Qrt1_Sales
You also can create variables and arguments to modify existing ACLs.
For more information on the Set-ACL cmdlet, refer to:
Set-Acl
http://go.microsoft.com/fwlink/?LinkId=378245&clcid=0x409
Icacls
Icacls is a command-line utility to display or modify ACLs. It can grant standard permissions such
as Modify or Full Control, or specific permissions such as Write Data/Add File or Delete, and it can
modify inheritance settings. For example, to disable inheritance, remove the inherited ACLs, and set
new permissions for the Adatum\Sales group to be Modify and the Administrators group to be Full
Control on the folder C:\Data and all the objects in the folder, you would run the following command:
Icacls C:\data /inheritance:r /grant Adatum\Sales:(oi)M /grant Administrators:(oi)F
Here, (oi) (object inherit) instructs Icacls to have the objects in the folder inherit the granted permission (Modify for Adatum\Sales, Full Control for Administrators).
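The Get-ACL/Set-ACL cmdlets and the Icacls command above do the same job. As an added example, not part of the course, the following expresses the Icacls command with the ACL cmdlets, so the inheritance change and the new entries can be reviewed before they are written. It assumes the folder C:\Data exists and that the Adatum\Sales group resolves on the computer.

```powershell
# Added example (not course material): the Icacls command above, done with Get-Acl / Set-Acl.
# Assumes the folder C:\Data exists and that Adatum\Sales resolves on this computer.
$path = 'C:\Data'
$acl  = Get-Acl -Path $path

# /inheritance:r -> stop inheriting from the parent and drop the inherited entries.
# SetAccessRuleProtection(isProtected, preserveInheritance): $false discards the inherited ACEs
# instead of converting them to explicit ones (which is what /inheritance:d would do).
$acl.SetAccessRuleProtection($true, $false)

# (oi) = ObjectInherit: files created in the folder inherit the entry. The Icacls (ci) flag
# would be ContainerInherit, which you add when subfolders should inherit the entry as well.
$flags = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
$prop  = [System.Security.AccessControl.PropagationFlags]::None

# /grant Adatum\Sales:(oi)M and /grant Administrators:(oi)F
$grants = @(
    @{ Identity = 'Adatum\Sales';           Rights = 'Modify'      },
    @{ Identity = 'BUILTIN\Administrators'; Rights = 'FullControl' }
)
foreach ($g in $grants) {
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                       -ArgumentList $g.Identity, $g.Rights, $flags, $prop, 'Allow'
    $acl.AddAccessRule($rule)
}

# Nothing has changed on disk until Set-Acl runs: review the pending entries first.
$acl.Access | Format-Table IdentityReference, FileSystemRights, InheritanceFlags, IsInherited -AutoSize
Set-Acl -Path $path -AclObject $acl
```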
Demonstration Steps
Create a new folder
Disable inheritance for the Adatum folder, and then convert the inherited permissions to explicit
permissions.
Note the change in the Inherited From column. Note the contents of the Applies To column.
In the Advanced Security Settings for Adatum dialog box, click OK.
Open the Adatum folder, and then create a new file named PermissionsTest.txt.
Add the Managers group, and then grant them Modify permissions to the PermissionsTest file.
The Effective Permissions feature determines the permissions a user or group has on an object by
calculating the permissions that are granted to the user or group. The calculation takes into account
the permissions in effect from group membership and any of the permissions inherited from the parent
object. It looks up all domain and local groups in which the user or group is a member.
Note: The Effective Permissions feature always includes the Everyone group when
calculating effective permissions, as long as the selected user or group is not a member of the
Anonymous Logon group.
The Effective Permissions feature only produces an approximation of the permissions that a user has. The
actual permissions might differ, because permissions can be granted or denied based on how a user logs
on. The Effective Permissions feature cannot take this logon-specific information into account, because
the user might not be logged on when you run it. Therefore, the effective permissions it displays reflect
only the permissions assigned to the user or group, not those that depend on the type of logon.
For example, if a user connects to a computer through a file share, the logon for that user is marked as a
Network Logon. You then can grant or deny permissions to the well-known security identifier Network
that the connected user receives. This way, a user has different permissions when logged on locally than
when logged on over a network.
You can view effective permissions in the Advanced Security Settings for <folder> dialog box. You can
access this dialog box from a folder's Properties dialog box by using the Advanced button on the Security
tab, or directly from the Share menu on the ribbon.
How Does Copying and Moving Files and Folders Affect Access?
When copying or moving a file or folder, the permissions might change, depending on where you move the
file or folder. Therefore, when you copy or move files or folders, it is important to understand the impact
on permissions.
When you copy a file or folder within a single NTFS partition, the copy of the folder or file inherits the
permissions of the destination folder.
When you copy a file or folder to a different NTFS partition, the copy of the folder or file inherits the
permissions of the destination folder.
When you copy a file or folder to a non-NTFS partition, such as a FAT file system partition, the copy
of the folder or file loses its File Permissions because non-NTFS partitions do not support File
Permissions.
Note: When you copy a file or folder within a single NTFS partition or between NTFS
partitions, you must have Read permission for the source folder and Write permission for the
destination folder.
When moving a file or folder, permissions might change, depending on the permissions of the destination
folder. Moving a file or folder has the following effects on File Permissions:
When you move a file or folder within an NTFS partition, the file or folder inherits the permissions of
the new parent folder. If the file or folder has explicitly assigned permissions, those permissions are
retained, in addition to the newly inherited permissions.
Note: Most files do not have explicitly assigned permissions. Instead, they inherit
permissions from their parent folder. If you move files that have only inherited permissions, they
do not retain these inherited permissions during the move.
When you move a file or folder to a different NTFS partition, the folder or file inherits the permissions
of the destination folder. When you move a folder or file between partitions, Windows 8.1 copies the
folder or file to the new location and then deletes it from the old location.
When you move a file or folder to a non-NTFS partition, the folder or file loses its File Permissions
because non-NTFS partitions do not support File Permissions.
Note: When you move a file or folder within an NTFS partition or between NTFS partitions,
you must have both Write permission for the destination folder and Modify permission for the
source file or folder. Modify permission is required to move a folder or file because Windows 8.1
deletes the folder or file from the source folder after it copies it to the destination folder.
The Copy command is not aware of the security settings on folders or files. However, commands that are
more robust have this awareness. For example:
Xcopy has the /o switch to include Ownership and NTFS ACL settings.
Robocopy has several switches that will cause security information to be copied:
Scenario
User1 is a member of the Users group and the Sales group. The graphic on the slide, which shows folders
and files on an NTFS partition, includes three situations, each of which has a corresponding discussion
question.
Question: The Users group has Write permission, and the Sales group has Read permission for Folder1.
What permissions does User1 have for Folder1?
Question: The Users group has Read permission for Folder1. The Sales group has Write
permission for Folder2. What permissions does User1 have for File2?
Question: The Users group has Modify permission for Folder1. The files in Folder2 should
only be accessible to the Sales group, and they should only have read permissions to the
files. What do you need to do to ensure that the members of the Sales group only have Read
permission to the files in Folder2?
Feature
Description
Claims-based authentication
Conditional expressions
Both Windows Server 2012 R2 and Windows 8.1 provide advanced security settings in the ACL Editor. You
can access these settings by opening the Security Properties of the file or folder and clicking Advanced. In
the Advanced Security Settings dialog box, adding a security principal displays the Permission Entry screen
where you can configure conditions to limit access. For example, you might set a condition that specifies
that only computers in the HR computer group can access the HR shared folder. You also can specify
conditions that file classification properties define, such as a file's business impact value. You can define
multiple conditions by using the AND or OR operators to provide specific access.
Lesson 2
Collaboration is an important part of an administrator's job. Your team might create documents that
only team members can share, or you might work with a remote team member who needs access to your
team's files. Because of collaboration requirements, you must understand how to manage shared folders
in a network environment.
Sharing folders enables users to connect to a shared folder over a network and to access the folders and
files that the shared folder contains.
Shared folders can contain applications, public data, or a user's personal data. Managing shared folders
helps you provide a central location for users to access common files, and it simplifies the task of backing
up data that those folders contain. This module examines various methods of sharing folders, along with
the effect this has on file and folder permissions when you create shared folders on an NTFS-formatted
partition.
Lesson Objectives
After completing this lesson, you will be able to:
Windows 8.1 uses the Public folder to simplify file sharing. With Public folder sharing enabled, the Public
folder and all the folders within the Public folder are shared automatically with the name Public. You do
not have to configure file sharing on separate folders. Just move or copy a file or folder that you want to
share on the network to the Public folder on your Windows 8.1 client.
In Windows 8.1, members of the Administrators, Power Users, and Server Operators groups can share
folders. Other users who are granted the Create Permanent Shared Objects user right also can share
folders. If a folder resides on an NTFS volume, you must have at least Read permission to share the folder.
When you share a folder, you must decide the permissions that a user or group will have when they
access the folder through the share. These are called share permissions.
Basic sharing permissions are simplified greatly in Windows 8.1, which offers two choices:
Read. The "look but do not touch" option. Recipients can open, but not modify or delete, a file.
Read/Write. The "full control" option. Recipients can open, modify, or delete a file.
You can share folders with others on a network in several different ways:
In File Explorer
You can use Shared Folders to manage all file shares centrally on a computer. Use this snap-in to create
file shares, set permissions, and to view and manage open files and the users who connect to a computer's
file shares. Additionally, you can view the properties for the folder, which would allow you to perform
actions such as specifying File Permissions.
Using the Shared Folders snap-in presents the Create a Shared Folder Wizard when you create a new
share. By default, the share name is the same as the folder name, and all users have Read access share
permissions.
Using the Share with option from the shortcut menu or ribbon.
Note: When sharing a folder through File Explorer, the default permission assigns the
Everyone group Full Control permission. For all other methods of sharing, the default permission
assigns the Everyone group Read permission.
Using the Share with Option from the Shortcut Menu or Ribbon
The Share with option is a simple and fast way to share a folder. When you right-click a folder and then
select Share with, you get a submenu that allows you to either stop sharing the folder or share the folder
with specific people. When you share with specific people, you can select Everyone or use Find people to
share the folder with specific groups. After selecting who you want to share with, you can set either Read
or Read/Write permissions. The wizard will set the Share permissions as Everyone Full Control and the
File Permissions based on what you selected. The share name will be the same as the folder name.
Using the Properties dialog box provides two options. You can click the Share button, which then presents
the same dialog box as Share with Specific people, or you can click the Advanced Sharing button. When
you use Advanced Sharing, you can specify the Share name. The default is the same as the folder name,
and you can specify share permissions as Full Control, Change, or Read. Additionally, because you are in
the Properties dialog box, you can click the Security tab and set File Permissions.
You can share a folder through the command line by using the net share command, which the following
example shows in its basic form:
Net Share name=drive:path
This will create a simple share, which uses the share name that you specify and grants all users Read
permissions. Additional options are listed in the following table.
Option                   Description
/Grant:user,permission   Allows you to specify Read, Change, or Full share permissions for the specified user.
/Users:number            Allows you to limit the number of users who can connect to the share.
/Remark:"text"           Adds a descriptive comment that users see alongside the share.
/Cache:option            Sets the offline-files caching mode for the share (Manual, Documents, Programs, BranchCache, or None).
sharename /Delete        Stops sharing the specified share.
Windows PowerShell 4.0 introduces several cmdlets that you can use to manage shares in Windows 8.1.
The command for creating a share by using Windows PowerShell 4.0 is:
New-SmbShare -Name ShareName -Path C:\LocalFolder
Additional Windows PowerShell commands for managing shares are listed in the following table.
Command                 Description
Get-SmbShare            Used to retrieve the shares on the computer and their properties.
Set-SmbShare            Used to modify the properties of an existing share.
Remove-SmbShare         Used to delete a share.
Get-SmbShareAccess      Used to retrieve the share permissions (the share's access control list).
Get-Acl                 Used to retrieve the NTFS ACL for a specified resource (this cmdlet is not new).
Grant-SmbShareAccess    Used to add an allow entry to the share permissions of a share.
Set-Acl                 Used to set the NTFS ACL for a specified resource (this cmdlet is not new).
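As an added example, not part of the course, the following creates a share with its share permissions supplied up front (so the default Everyone entry is never added) and then shows how to tighten a share that was created with the defaults, replacing Everyone with Authenticated Users. The share name, the folder path and the Adatum\Marketing group are assumptions.

```powershell
# Added example (not course material). Assumes C:\Marketing is on an NTFS volume and that the
# Adatum\Marketing group exists; the share and folder names are placeholders.
$shareName = 'Marketing'
$path      = 'C:\Marketing'
if (-not (Test-Path -Path $path)) { New-Item -Path $path -ItemType Directory | Out-Null }

# 1. A new share with its access list given at creation time. Because an access list is
#    supplied, the share is created without the default "Everyone / Read" entry.
New-SmbShare -Name $shareName -Path $path -Description 'Marketing department files' `
    -ChangeAccess 'Adatum\Marketing' `
    -ReadAccess   'NT AUTHORITY\Authenticated Users' | Out-Null

# 2. Tightening a share that was created with the defaults (Net Share, or New-SmbShare with
#    no access list): move each Everyone allow entry to Authenticated Users, so that a Guest
#    logon is no longer covered by the share permissions.
function Set-ShareAuthenticatedOnly {
    param([Parameter(Mandatory)][string]$Name)
    $everyone = Get-SmbShareAccess -Name $Name | Where-Object { $_.AccountName -eq 'Everyone' }
    foreach ($ace in $everyone) {
        if ($ace.AccessControlType -eq 'Allow') {
            # Carry the same right (Full, Change or Read) over before dropping Everyone
            Grant-SmbShareAccess -Name $Name -AccountName 'NT AUTHORITY\Authenticated Users' `
                -AccessRight $ace.AccessRight -Force | Out-Null
        }
    }
    # Revoke-SmbShareAccess removes the allow entries for the account
    if ($everyone) { Revoke-SmbShareAccess -Name $Name -AccountName 'Everyone' -Force | Out-Null }
    Get-SmbShareAccess -Name $Name
}

# 3. Verify both layers: the share permissions only filter what the NTFS permissions allow,
#    so a review has to look at both lists.
Get-SmbShareAccess -Name $shareName | Format-Table AccountName, AccessControlType, AccessRight -AutoSize
(Get-Acl -Path $path).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Set-ShareAuthenticatedOnly -Name 'SomeShare' is the call to run against a share that still carries the default Everyone entry.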
Basic folder sharing is the simplest form of folder sharing because it enables users to share a folder quickly
and simply. You can create basic folder shares by using the File Explorer Share with Wizard or the net
share command without any additional options.
The maximum number of concurrent connections to the folder. The default number is 20 concurrent
connections.
Shared folder permissions. The default permissions are Read permissions for the special group
Everyone. The permissions that are set here are only share permissions. This does not modify the
underlying File Permissions.
Caching options. The default caching option allows user-selected files and programs to be available
offline. You can disable offline files and programs, or you can configure files and programs to be
available offline automatically.
When you turn on Public folder sharing in Windows 8.1, anyone with an account on your computer or a
PC on your network can access the contents of these folders. To share something, copy or move it into
one of the Public folders. By default, Windows 8.1 provides the following Public folders:
Documents
Music
Pictures
Videos
You can view these folders by clicking File Explorer from the Start screen, and then clicking Libraries to
expand the folders.
By default, Public folder sharing is not enabled. However, files stored in the Public folder hierarchy are
available to all users who have an account on a given computer and can log on to it locally. You can
configure Windows 8.1 to allow access to Public folders from a network in the Change advanced sharing
settings link in the Network and Sharing Center in the All Networks section. You can:
Turn on sharing so that anyone with network access can read and write files in Public folders.
Turn off Public folder sharing. Users who log on to this computer can still access these folders.
Public folder sharing does not allow you to fine-tune sharing permissions, but it does provide a simple
way to make your files available to others. When you enable Public folder sharing, the system group
Everyone is granted Full Control permissions for the share and File Permissions.
Users must have appropriate File Permissions for each file and subfolder in a shared folder, in
addition to the appropriate shared folder permissions, to access those resources.
When you combine File Permissions and shared folder permissions, the resulting permission is the
most restrictive one of the effective shared folder permissions or the effective File Permissions.
The share permissions on a folder apply to that folder, to all files in that folder, to subfolders, and to
all files in those subfolders when the content is accessed through the share.
Note: If the Guest user account is enabled on your computer, the Everyone group includes
anyone. As a best practice, remove the Everyone group from any permission lists, and replace it
with the Authenticated Users group.
The following analogy can be helpful in understanding what happens when you combine NTFS and
share permissions. When you are dealing with a shared folder, you must always go through the shared
folder to access its files over a network. Therefore, you can think of the shared folder permissions as a
filter that only allows users to perform those actions that are acceptable to the share permissions. All File
Permissions that are less restrictive than the share permissions filter out so that only the most restrictive
permissions remain.
For example, if a share permission is set to Read, the most that you can do is read through the share, even
if the NTFS file permission is set to Full Control. If you configure the share permission to Modify,
you are allowed to read or modify files through the share; if the File Permission is set to Full Control, the
share permission filters the effective permission down to Modify.
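The filter rule above (the more restrictive of the share permission and the NTFS permission wins) can be checked with the cmdlets. The following is an added example, not part of the course: it ranks both layers on one scale and reports the result for a share. It assumes the share name and account names exist, and the caller passes the user's account together with the groups it belongs to, because the check does not expand group membership itself; like the Effective Permissions tab, it is an approximation.

```powershell
# Added example (not course material). Assumes the share and the account names below exist.
# Ranks on one scale so the two layers can be compared: 0 None, 1 Read, 2 Change/Modify, 3 Full.
$Labels = 'None', 'Read', 'Change/Modify', 'Full Control'

function Get-ShareRank {
    param([string]$ShareName, [string[]]$Identities)
    $aces = Get-SmbShareAccess -Name $ShareName | Where-Object { $Identities -contains $_.AccountName }
    # An explicit deny on the share overrides any allow entry
    if ($aces | Where-Object { $_.AccessControlType -eq 'Deny' }) { return 0 }
    $rank = 0
    foreach ($ace in $aces) {
        $r = switch ("$($ace.AccessRight)") { 'Full' { 3 } 'Change' { 2 } 'Read' { 1 } default { 0 } }
        if ($r -gt $rank) { $rank = $r }
    }
    return $rank
}

function Get-NtfsRank {
    param([string]$Path, [string[]]$Identities)
    $aces = (Get-Acl -Path $Path).Access | Where-Object { $Identities -contains $_.IdentityReference.Value }
    if ($aces | Where-Object { $_.AccessControlType -eq 'Deny' }) { return 0 }
    # NTFS allow entries accumulate, so OR the right bits of every matching allow entry first
    $combined = 0
    foreach ($ace in $aces | Where-Object { $_.AccessControlType -eq 'Allow' }) {
        $combined = $combined -bor [int]$ace.FileSystemRights
    }
    $full   = [int][System.Security.AccessControl.FileSystemRights]::FullControl
    $modify = [int][System.Security.AccessControl.FileSystemRights]::Modify
    $read   = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    # Highest standard level whose bits are all present (generic rights are not mapped here)
    if (($combined -band $full) -eq $full)       { return 3 }
    if (($combined -band $modify) -eq $modify)   { return 2 }
    if (($combined -band $read) -eq $read)       { return 1 }
    return 0
}

function Get-EffectiveShareAccess {
    param([string]$ShareName, [string[]]$Identities)
    $share = Get-SmbShare -Name $ShareName
    $s = Get-ShareRank -ShareName $ShareName -Identities $Identities
    $n = Get-NtfsRank  -Path $share.Path    -Identities $Identities
    [pscustomobject]@{
        Share     = $Labels[$s]
        NTFS      = $Labels[$n]
        Effective = $Labels[[Math]::Min($s, $n)]   # the more restrictive layer wins
    }
}

# Pass the user plus every group that applies to it (assumed names from the lab environment).
Get-EffectiveShareAccess -ShareName 'Marketing' `
    -Identities 'Adatum\Ed', 'Adatum\Marketing', 'NT AUTHORITY\Authenticated Users', 'Everyone'
```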
Question: If you assign a user Full Control File Permission to a file, but the user accesses the
file through a share with Read permission, what will be the effective permissions that the user
will have on the file?
Question: If you want a user to be able to view all files in a shared folder but only be able to
modify certain files in that folder, what permissions do you give the user?
Question: Identify a scenario at your organization where it might be necessary to combine
NTFS and share permissions. What is the reason for combining permissions?
Troubleshoot problems
You can customize currently active network connections and set up a new connection. Use the graphical
view of your current network to change the description and icon appearance of network components to
include more information. View and change network connection properties by clicking View Status on
the right side of the connection listing.
You can maintain the following network connections in this section:
Connect to the Internet. Set up a wireless, broadband, or dial-up connection to the Internet.
Connect to a workplace. Set up a dial-up or virtual private network connection to your workplace.
Note: You can change the network location profile between private and public. This
changes firewall and visibility settings for that network connection.
The Network and Sharing Center includes a Change advanced sharing settings link that you can use to
enable, disable, and change the way that various network services behave. The first time that you connect
to a network, you must choose a network location. This automatically sets the appropriate firewall,
security, and sharing settings for the type of network to which you connect.
If you connect to networks in different locations, such as from your home network, at a local coffee shop,
or at work, then choosing a network location can help ensure that your computer is always set to an
appropriate security level. When users connect to a new network, they can select one of the following
network locations in Windows 8.1:
Private. In a trusted private network, all computers on a network are in a private network, and you
recognize them. Do not choose this network location for public places such as coffee shops and
airports.
Network discovery and file and printer sharing are turned on for private networks. This allows you to
see and access other computers and devices on a network, and it allows other network users to see
and access your computer.
Guest or Public. If you do not recognize all the computers on a network (for example, you are in
a coffee shop or airport, or you have mobile broadband), then this is a public network and is not
trusted. This location helps you keep your computer from being visible to other computers around
you and helps protect your computer from any malware from the Internet. Also, choose this option
if you connect directly to the Internet without using a router or if you have a mobile broadband
connection. Network discovery and file and printer sharing are turned off.
Domain. The domain network location is for domain networks such as those in corporate workplaces.
Your network administrator typically controls this type of network location.
Windows 8.1 automatically applies correct network settings based on the network location. For each of
these network profiles, you can configure the network sharing settings found in the following table.
Feature                    Settings   Result
Network discovery          On / Off   When network discovery is on, this computer can see other computers and devices on the network, and they can see it.
File and printer sharing   On / Off   When file and printer sharing is on, people on the network can access files and printers that you have shared from your computer.
Note: By default, Windows 8.1 uses Windows Firewall with Advanced Security. Therefore,
using another firewall might interfere with the network discovery and file sharing features.
Setting                    Result
Public folder sharing      On / Off
Media streaming            On / Off
File sharing connections   128-bit encryption, or 40-bit or 56-bit encryption
Note: When a Server Message Block (SMB) client connects to a Windows share, the systems
negotiate their highest level of encryption, and the server will transfer an encryption key to the
client. This encryption key generates an encrypted hash of the connecting user's password. This
hash then is sent to the server with the user name. The server then will decrypt the hash and
validate the user. This ensures that a user's password is never transmitted. If you are using older
client systems, you might need to allow 40-bit or 56-bit encryption.
Troubleshoot Problems
Use this feature to diagnose and repair network problems and to get troubleshooting information for the
following network components:
Internet connections
Shared folders
HomeGroup
Network adapter
Incoming connections
Printers
1. Locate the password for your homegroup by going to HomeGroup settings on the first PC. Note the
password from the Membership section. You will need to enter it on the new computer.
2. On the new Windows 8.1 PC, go to the HomeGroup settings and locate the Membership section.
Windows will detect the homegroup automatically and prompt you for the password.
The HomeGroup settings screen allows you to select which libraries or devices and printers you wish to
share with other users in the HomeGroup. The default permission for shared libraries is Read, but you can
change this. You also can exclude specific files from sharing. You can choose to share resources such as
individual files or devices with specific people or with everyone in the HomeGroup.
The homegroup will show up in File Explorer in the left pane and is named Homegroup. Expanding the
Homegroup folder will display the resources that are available on the network by the user name of the
owner of the device or library.
Homegroups have the following restrictions:
Computers that run Professional or Enterprise versions of Windows operating systems cannot create
homegroups, but they can join them.
Devices that run Windows RT 8.1 can join a homegroup, but they cannot create one or share content
in one.
You cannot delete homegroups, but if nothing is shared and no computers have joined the homegroup, it
effectively does not exist.
Lesson 3
The primary focus of this lesson is to examine the two methods in Windows 8.1 for compressing files and
folders to consume less disk space: NTFS file compression and compressed files and folders.
Lesson Objectives
After completing this lesson, you will be able to:
Describe the impact of moving and copying compressed files and folders.
Volumes, folders, and files on an NTFS volume are either compressed or uncompressed.
New files that are created in a compressed folder are compressed by default.
The compression state of a folder does not necessarily reflect the compression state of the files within
that folder. For example, you can compress a folder without compressing its contents, and you can
compress some or all of the files in a compressed folder.
You can work with NTFS-compressed files without decompressing them yourself, because Windows
decompresses and recompresses them without user intervention:
When you open a compressed file, the Windows operating system automatically decompresses it
for you.
When the file closes, the Windows operating system compresses it again.
NTFS-compressed file and folder names display in a different color to make them easier to identify.
NTFS-compressed files and folders only remain compressed while they are stored on an NTFS volume.
The compressed bytes of a file are not accessible to applications, which see only the uncompressed
data:
Applications that open a compressed file can perform tasks on it as if the file was not
compressed.
and files. You also can move compressed files and folders to any drive or folder on your computer, the
Internet, or your network.
Compressing folders by using Compressed (zipped) Folder does not affect a computer's overall
performance. CPU utilization increases only when you use Compressed (zipped) Folder to compress a file.
Compressed files take up less storage space, and you can transfer them to other computers more quickly
than uncompressed files. You can work with compressed files and folders the same way you work with
uncompressed files and folders.
Alternatively, if a compressed folder has been created already, and you need to add a new file or folder to
it, you can drag the desired file to the compressed folder instead of using the Send To Compressed
(zipped) Folder command.
You should be aware of the differences between zipped folder compression and NTFS folder compression.
A zipped folder is a single file inside of which Windows allows you to browse. Some applications can
access data directly from a zipped folder, while other applications require that you first unzip the folder
contents before the application can access the data.
In contrast, individual files within a folder are compressed by NTFS compression. Therefore, NTFS
compression does not experience the data access issues that are associated with zipped folders because
it occurs at the individual file system level and not the folder level. Additionally, zipped folders are useful
for combining multiple files into a single email attachment, whereas NTFS compression is not.
File and folder compression that uses the Send To Compressed (zipped) Folder command is different from
the NTFS file and folder compression that was discussed earlier:
For selected files or folders, the Send To Compressed (zipped) Folder command compresses the
selected content into a portable zip file. The original file or folder is left unchanged, but a new,
compressed zip file is created.
NTFS compression does not create a second, compressed zip-type file. Instead, it actually reduces the
size of the selected file, folder, or volume by compressing its content.
Note: Unlike NTFS-compressed folders and files, you can move or copy compressed
(zipped) folders without change between volumes, drives, and file systems.
Demonstration Steps
Compress a file
Compress a folder
You have users in the Marketing department who need to share files. You will create a shared folder on
the network and configure permissions such that Marketing users have Modify permission to the shared
folder and all other users have Read permission. You will also test the access to the shared folder.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 15 minutes
Virtual machines: 20687D-LON-DC1, 20687D-LON-CL1, 20687D-LON-CL2
User names: Adatum\Administrator and Adatum\Ed
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in by using the following credentials: Password: Pa$$w0rd
5. Repeat steps 2 and 3 for 20687D-LON-CL1 and 20687D-LON-CL2. Do not sign in until directed to
do so.
Configure the Marketing folder so that the Marketing security group has Modify permission.
Results: After completing this exercise, you should have created and shared a folder for the Marketing
department.
Compress a folder.
Switch to LON-CL1.
Results: After completing this exercise, you will have compressed a folder.
When you finish the lab, leave the virtual machines running, as they are needed for the next lab.
Lesson 4
Overview of OneDrive
In this lesson, you will learn about Microsoft's OneDrive service (formerly SkyDrive) and its integration
with Windows 8.1. The lesson will describe both the consumer version of OneDrive and the enterprise
version, OneDrive for Business (formerly SkyDrive Pro).
One of the decisions that organizations frequently need to make is whether to allow users to use the
consumer version of OneDrive in their enterprise. This lesson will also explain how to restrict access to
OneDrive in an enterprise.
Lesson Objectives
After completing this lesson, you will be able to:
Describe how to synchronize and recover OneDrive files with Windows 8.1.
Features
OneDrive offers many features that enable users to access and use OneDrive as best fits their needs,
such as:
Microsoft Office. You can use Microsoft Office to save documents to OneDrive by clicking the File
menu in Office 2013, clicking Save (or Save As), and then selecting OneDrive as the save location.
Microsoft Office Web Apps. You can use Office Web Apps to view and edit documents that are stored
in OneDrive.
PDF and OpenDocument Format (ODF) support. You can view PDF and ODF documents that are
saved in OneDrive.
Bing integration. You can use the Bing Save & Share feature to save search histories in a OneDrive
folder.
Accessing OneDrive
You can access OneDrive in several different ways, including:
Windows Server 2008 SP2 and the Windows Platform Update for Windows Server 2008 or newer
An iOS app
An iPad app
Windows 8.1
OneDrive Privacy
The Microsoft Online Privacy Statement specifies the terms of use of the personal information that you
provide when you use OneDrive. Before you use Microsoft online services, you must read and understand
the privacy statement. The main points in the privacy statement include the following:
Microsoft collects personal information from you when you register, and may combine this
information with data that other companies and Microsoft services collect.
To personalize your experience, Microsoft tracks your interaction with their sites by using cookies and
other technologies.
Microsoft does not share your personal information with third parties, but may provide this
information to companies that work on behalf of Microsoft.
Microsoft uses your personal information to provide services such as personalized content and
advertising to inform you about Microsoft products and services, and to invite you to surveys of
Microsoft services.
Terms of Service
The OneDrive terms of service specify how the information you post on OneDrive will be used. Some of
the main terms of service are:
Ownership of Content. You own content such as documents, videos, photos, and email that you
upload to the service's store. The same is true of content that you store on the services, or transfer
through it. Microsoft does not claim ownership of your content, except for Microsoft material, such
as clip art, that Microsoft licenses to you, and that you may use in your content.
Access of Content. You can choose who you share your content with. You can choose not to share
your content, to share your content publicly, or choose other users with whom you want to share
your content. If you share your content with other users, they may use, reproduce, distribute, or
display your content for free.
Microsoft Use of Content. Microsoft may use, modify, adapt, save, reproduce, distribute, and display
your content to protect you, and to improve Microsoft services. In such cases, Microsoft protects
your privacy by taking necessary steps. Examples of such usage of your content include isolation of
information from content to prevent and protect you from spam and malware.
Removal of Content. Microsoft may ask you to remove content that is in violation of the anti-spam
policy, the Microsoft Code of Conduct, or your local law, or if you infringe on a third party's
intellectual property. If you fail to comply, you might lose access to your account, or your account
might be cancelled. In such cases, Microsoft may also remove your content without asking you.
To start the wizard for synchronizing your domain account with your Microsoft account, click
Connect your Microsoft account.
In the wizard, you can choose which features you want to synchronize, including:
Language preferences. Keyboards, other input methods, display language, and more.
You can toggle the synchronization setting of these options from the Sync your settings menu on the PC
Settings page.
As an information technology (IT) administrator, you might wish to prevent your users from accessing
OneDrive from organizational systems. You can accomplish this by using Group Policy. In the appropriate
Group Policy Object (GPO), go to the
Computer Configuration\Policies\Administrative Templates\Windows Components\OneDrive node and
enable the Prevent the usage of OneDrive for file storage policy setting. When this Group Policy setting
applies to the client system, if users try to start OneDrive, they will receive a notification that the system
administrator has blocked the use of OneDrive.
If you need to block access to OneDrive for all devices, including users' personal devices, you could create
a URL block list on your organizational firewall.
When you first create a OneDrive account, you have three folders by default: Documents, Pictures, and
Public. By default, the share folder setting for the Documents and Pictures folders is set to This folder
is not shared, which means that you are the only one who can access them. The Public folder is shared as
Everyone Can view, which means anybody can see, but not edit, any documents in that folder. When
you create a new folder in OneDrive, you can choose how you want to share it. When you share a file or
folder, the word Shared appears on it.
You can invite individuals or groups by using email and grant them permissions to specific files or folders.
You can grant email recipients read-only permission or edit permission. You also can specify whether the
recipients need a Microsoft account or not. You can share a link to an item or publish directly to social
media, such as Facebook or LinkedIn.
You can stop sharing or modify permissions by selecting the shared item and clicking the Share button on
the menu bar.
Synchronization
Windows 8.1 provides a redesigned synchronization model for OneDrive that is more efficient. The files
in the OneDrive folder appear to be stored on the local hard disk, but the files are stored as placeholders
that take a small amount of space. Placeholder files contain a thumbnail and basic information about
the file. Files download to your local computer when you open them. This is beneficial for tablets,
smartphones, and other devices that have limited disk space. You also can control whether
synchronization and backup to OneDrive will occur when you are on a metered connection, such as a
connection tethered to a smartphone. Synchronization happens automatically and cannot be triggered manually.
Note: If you have Apple devices, you can configure pictures that you store in the Camera
Roll folder to upload to OneDrive automatically.
You also can choose to make some files or folders available offline in the same way as with network-based
files. Simply right-click the file or folder in OneDrive, and click Make available offline. This will keep a
synchronized copy on the local hard disk. If you edit or add a file to OneDrive while you are offline, it is
stored on the local hard drive until you connect to the Internet. Then it synchronizes across all your
OneDrive-enabled devices. If you are offline, you cannot edit files unless they have been cached to the
local disk previously.
Conflict Resolution
If you edit a cached file on one of your offline devices and then edit the same file from a different device
that is online, when synchronization occurs, you will get two versions of the file on the device that was
offline. The one that was modified while offline will be appended with the name of the device. For
example, if you edit a cached version of File1.txt on an offline device named Client1 and then modify
File1.txt from an online device before synchronization occurs, when the offline device connects to the
internet, a new file named File1.txt-Client1 will be created and synchronized to all devices.
Recovering Files
Occasionally, users might accidentally delete files. When users delete a file from a OneDrive folder, it
goes to the Recycle Bin on the local machine and also to the Recycle Bin on all other Windows computers
where OneDrive is enabled. You can restore a file or folder to OneDrive from any of the Recycle Bins in
which it appears.
OneDrive for Business is included with Microsoft Office Professional Plus 2013 and Office 365 plans, but
you also can download it as a free, stand-alone product. The download is available in .msi format, so you
can deploy it by using Group Policy. There also is a free mobile app that is available from the Windows
app store. The mobile app will only work with Office 365 subscriptions and cannot synchronize with
on-premises implementations of SharePoint.
Note: To install OneDrive for Business, a client computer must be running Windows 7 or a
newer operating system.
Lesson 5
Managing Printers
To set up a shared printing strategy to meet your users' needs, you must understand Windows 8.1
printing components and how to manage them.
This lesson examines printing components in a Windows 8.1 environment, including printer ports and
drivers.
The instructor will demonstrate how to install and share a printer, and you will review how to use the Print
Management tool to administer multiple printers and print servers.
Lesson Objectives
After completing this lesson, you will be able to:
Three-dimensional printing.
NFC Printing
Windows 8.1 supports NFC printing. Users can tap their handheld device against a printer that is equipped
with an NFC tag and print directly. These tags are inexpensive and can be purchased and programmed for
any existing printer. IT departments now can provide printing support for a wide variety of handheld devices.
NFC currently is available for smartphones as a way to transfer files simply by touching the devices
together. That technology is expanding and becoming available for other purposes, such as printing.
3-D Printing
3-D printing is an emerging technology. Microsoft has worked closely with software and hardware
partners to build on this technology. Because 3-D printing is based on traditional two-dimensional
printing, there are familiar management abilities, such as print queue management. Now, companies that
design virtual models have the capability to print physical versions of those models at reasonable costs.
3-D printing has existed for some time, but it has been cost prohibitive for all but the largest
organizations. Desktop 3-D printers are making headway and soon will be within reach of small and
medium-size businesses.
Windows 8.1 detects printers that you connect to your computer, and it installs the driver for the printer
automatically if the driver is available in the driver store. However, a Windows operating system might not
detect printers that connect by using older ports, such as serial or parallel ports, or network printers. In
these cases, you must configure a printer port manually.
Installing a Driver
A printer driver is a software interface that enables a computer to communicate with a print device.
Without a printer driver, the printer that connects to a computer will not work properly. A printer driver is
responsible for converting a print job into a page-description language (PDL) that the printer can use to
print a job. The most common PDLs are PostScript, Printer Control Language, and XML Paper
Specification (XPS).
In most cases, drivers are included with the Windows operating system, or you can find them by checking
for updates with Windows Update in Control Panel. If the Windows operating system does not have a
driver that you need, you can find it on the disc that came with the printer or on the manufacturer's
website.
If the Windows operating system does not recognize your printer automatically, you must configure the
printer type during the installation process. The Printer Setup Wizard presents you with an exhaustive list
of currently installed printer types. However, if your printer is not listed, you must obtain and install the
necessary driver.
You can preinstall printer drivers in the driver store, thereby making them available in the printer list by
using the pnputil.exe command-line tool.
When you connect a new printer to your computer, the Windows operating system tries to find and install
a software driver for the printer. Occasionally, you might see a notification that a driver is unsigned or
altered, or that the Windows operating system cannot install it. You have a choice whether to install a
driver that is unsigned or has been altered since it was signed.
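The two paragraphs above describe staging drivers with pnputil.exe and the warning Windows raises for unsigned or altered drivers. The following script is an added example, not code from the course: it reads the CatalogFile entry from a package's INF, verifies the catalog's Authenticode signature, and only then stages the package with the Windows 8.1 `pnputil.exe -a` syntax. The INF path, the expectation that a non-zero pnputil exit code means failure, and the helper names are assumptions made for the example.

```powershell
# Added example (not from the course material): verify a driver package's
# catalog signature before staging it in the driver store with pnputil.exe,
# so that an unsigned or altered package is rejected before Windows has to ask.

function Get-InfCatalogPath {
    param([Parameter(Mandatory)][string]$InfPath)
    # The [Version] section of an INF names the catalog that signs the package,
    # e.g. "CatalogFile=oem.cat" (or an architecture-specific CatalogFile.NTamd64=).
    $match = Select-String -Path $InfPath -Pattern '^\s*CatalogFile(\.\w+)?\s*=\s*(.+?)\s*(;.*)?$' |
        Select-Object -First 1
    if (-not $match) { return $null }
    $catalogName = $match.Matches[0].Groups[2].Value.Trim()
    return Join-Path (Split-Path -Parent $InfPath) $catalogName
}

function Test-DriverPackageSignature {
    param([Parameter(Mandatory)][string]$InfPath)
    $catalogPath = Get-InfCatalogPath -InfPath $InfPath
    if (-not $catalogPath -or -not (Test-Path -LiteralPath $catalogPath)) {
        # A package without a catalog cannot be a signed package.
        return [pscustomobject]@{ Inf = $InfPath; Catalog = $catalogPath; Status = 'NoCatalog'; Signer = $null }
    }
    # Get-AuthenticodeSignature checks the catalog's signature and certificate chain;
    # Status is Valid, NotSigned, HashMismatch (altered after signing), UnknownError, ...
    $sig = Get-AuthenticodeSignature -FilePath $catalogPath
    [pscustomobject]@{
        Inf     = $InfPath
        Catalog = $catalogPath
        Status  = $sig.Status.ToString()
        Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

function Add-VerifiedDriverPackage {
    param([Parameter(Mandatory)][string]$InfPath)
    $result = Test-DriverPackageSignature -InfPath $InfPath
    if ($result.Status -ne 'Valid') {
        Write-Warning ("Refusing to stage {0}: catalog signature status is {1}" -f $InfPath, $result.Status)
        return $result
    }
    # Windows 8.1 syntax: -a adds the package to the driver store only; add -i to
    # also install it on matching devices. Exit-code handling is an assumption.
    & pnputil.exe -a $InfPath | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning ("pnputil.exe exited with code {0} for {1}" -f $LASTEXITCODE, $InfPath)
    }
    return $result
}

# Constructed placeholder path; point it at the package downloaded from the vendor.
Add-VerifiedDriverPackage -InfPath 'C:\Drivers\ExamplePrinter\oem.inf'
```

Run it from an elevated PowerShell session; a HashMismatch status is the signed-then-altered case the paragraph describes.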
Demonstration Steps
When you have finished the demo, revert all virtual machines back to their initial state:
2. In the Virtual Machines list, right-click 20687D-LON-CL1, and then click Revert.
After you initiate a print job, you can view, pause, or cancel it through the print queue. The print queue
shows you what is printing or waiting to print. It also displays information such as job status, who is
printing what, and how many unprinted pages remain. From the print queue, you can view and maintain
the print jobs for each printer.
You can access the print queue from the Print Management console, or through the See what's printing
option in Devices and Printers. Documents that are listed first will be the first to print.
1. Open the print queue for the specific printer by performing the steps outlined previously.
2. To cancel an individual print job, right-click the print job you want to remove, and then click Cancel.
3. To cancel all print jobs, click the Printer menu, and then click Cancel All Jobs. The item that is
printing currently might finish, but the remaining items will be cancelled.
1. Open the print queue for the specific printer by performing the steps outlined previously.
2. To pause or resume an individual print job, right-click the print job, and then click Pause or Resume.
3. To pause all print jobs, click the Printer menu, and then click Pause Printing. To resume printing,
click Resume Printing.
If a print job is printing in the wrong color ink or wrong size paper, you can start over. To restart a print
job:
1. Open the print queue for the specific printer by performing the steps outlined previously.
If you are printing multiple items, you can change the order in which they print. To reorder the jobs in the
print queue:
1. Open the print queue for the specific printer by performing the steps outlined previously.
3. Click the General tab, and then drag the Priority slider left or right to change its print order. Items
with higher priority print first.
You might need to support both 32-bit and 64-bit printer drivers. The Print Management console allows
you to add printer drivers to the printer driver store in the Windows\System32\spool\drivers folder. You
can use the Add Printer Driver Wizard to add drivers.
You also can add print devices by using the Network Printer Installation Wizard. The wizard allows you to:
The All Printers node shows information about each printer, including the queue status, number of jobs in
the queue, name and version of the printer driver, and the driver type.
Troubleshooting Printing
Printing problems are common in most organizations. How you approach troubleshooting printing issues
might depend on how you installed the printer on the client operating system. For example, your approach
will vary depending on whether the printer connects locally by using a USB cable or if it is a network printer.
You can isolate and resolve common printer issues by answering the following questions:
Is the print device connected to the workstation locally, or is it a mapped network printer?
Determine if the problem is isolated to a single user or a single printer on the print server.
Even in large organizations, it is common to have users with printers that connect directly to their
workstations by using a USB cable or through the network. Troubleshooting steps for these types of issues
include:
Checking the local print queue to see if there is a hung print job and deleting it.
Removing the print device and reinstalling the printer. This will often entail locating and downloading
the printer driver from a vendor website.
If a problem is restricted to a single user, deleting and remapping the printer will often clear the issue.
If the problem affects all users of that printer, check the print queue on the server for a hung print job
and delete it.
Check that the IP address of the print device has not changed.
Objectives
After you complete this lab, you will be able to create and share a local printer.
Lab Setup
Estimated Time: 10 minutes
Virtual machines: 20687D-LON-DC1, 20687D-LON-CL1, 20687D-LON-CL2
User names: Adatum\Administrator and Adatum\Ed
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
Password: Pa$$w0rd
Repeat steps 2 and 3 for 20687D-LON-CL1 and 20687D-LON-CL2. Do not sign in until directed to
do so.
Create and Share a Microsoft OpenXPS printer named ManagersPrinter by using the Nul port.
2. Configure the ManagersPrinter so that Managers can print to it, and not Everyone.
2. Connect to ManagersPrinter.
3. Switch to LON-CL1, verify that the test page is in the ManagersPrinter queue, and then click Resume
Printing.
Results: After completing this exercise, you should have created, shared, and tested a printer.
2. In the Virtual Machines list, right-click 20687D-LON-CL2, and then click Revert.
To simplify the assignment of permissions, you can grant the Everyone group Full Control share
permission to all shares and use only File Permissions to control access. Restrict share permissions to
the minimum required to provide an extra layer of security in case File Permissions are configured
incorrectly.
When permission inheritance is blocked, you have the option to copy existing permissions or begin
with blank permissions. If you only want to restrict a particular group or user, then copy existing
permissions to simplify the configuration process.
If the guest user account is enabled on your computer, the Everyone group includes anyone. In
practice, remove the Everyone group from any permission lists and replace it with the Authenticated
Users group.
Using a firewall other than that supplied with Windows 8.1 can interfere with the network discovery
and file sharing features.
Tools
Use the following command-line tools to manage file and printer sharing.
Tool
Description
Net share
Net use
Icacls.exe
Compact.exe
Pnputil.exe
Module 8
Implementing Network Security
Module Overview
When computers are connected to a network, they are exposed to potential security threats. You need
to formulate a strategy to protect your computers. User policies, antivirus software, encrypted network
traffic, and other protective measures work together to help shield your Windows 8.1 computers from
security threats. It also is important to identify possible threats and to optimize appropriate Windows-based
network security features, such as Windows Firewall and Windows Defender, to help eliminate them.
Objectives
After completing this module, you will be able to:
Lesson 1
Security is an integral part of any computer network, and you must consider it from many perspectives.
You must understand the nature of network-based security threats and be able to implement appropriate
security measures to mitigate these threats. In this lesson, you will learn about some of the network
security threats and the defense-in-depth strategy that helps you lessen your vulnerability to them. Finally,
you will learn about ways to mitigate the various network security threats that are discussed.
Lesson Objectives
After completing this lesson, you will be able to:
Describe defense-in-depth.
What Is Defense-in-Depth?
You can mitigate risks to your computer network by providing security at different infrastructure layers.
The term defense-in-depth typically describes the use of multiple security technologies at different points
throughout your organization.
Users are unaware of the policies. When users are unaware of policies, you cannot expect them to
follow them.
Users view the policies as unnecessary. If you do not adequately communicate the reasons for
policies, some users will think of them as unnecessary.
Social engineering. Users and computer administrators are vulnerable to social engineering, where
hackers manipulate them into violating policies or revealing sensitive data. An example of this is
when you receive an email that appears to be from your bank, asking you to update your account
information by following a link in the email that resolves to a website that does not belong to your
actual banking system.
Mitigation
You should consider taking the following actions to mitigate these threats:
Physical Security
With respect to securing computer systems, enterprise administrators commonly overlook physical
security. If any unauthorized person can gain physical access to a computer, then most other security
measures are of little consequence. Make sure that computers that contain the most sensitive data, such
as servers, are physically secure.
In general, anyone who has physical access to computer systems can:
Damage systems. This can be as simple as storing a server next to a desk, where a user might
accidentally bump into it or spill a drink on it.
Install unauthorized software on systems. Hackers can use unauthorized software to attack systems.
For example, there are tools available to reset the administrator password on a Windows-based
workstation or member server.
Steal hardware. Hackers can steal laptops if you do not ensure that users secure them. They even can
steal servers, which often include extremely sensitive data and intellectual property, if you do not
secure them properly.
Mitigation
You should consider taking the following actions to mitigate these threats:
Perimeter
Perimeter networks mark the boundary between public and private networks. By providing specialized
servers such as reverse proxy servers in your perimeter network, you can provide corporate services across
a public network in a more secure manner.
Note: You can use a reverse proxy server to publish services such as email or web services
from a corporate intranet without placing email or Web servers in the perimeter.
You also need to consider the following access issues:
Remote access client. Though you can control the conditions under which they can connect, these
client computers access your network from a remote location over which you have little or no control.
Because of this, these types of clients have access to more data than a typical Internet client that
connects to a webpage.
Business partners. You do not control the networks of business partners, which means that you
cannot ensure that they have appropriate security controls in place. Therefore, if a business partner
is compromised, the network links between your organization and that partner pose a risk.
Mitigation
You should consider taking the following actions to mitigate these threats:
Internal Networks
As soon as you connect computers to a network, they are susceptible to a number of threats. Internal
network layer security refers to services and processes on your internally controlled network, including
LANs and wide area networks (WANs). The latter includes Multiprotocol Label Switching (MPLS) circuits, where
you control all aspects of the network.
Security threats to an internal network include eavesdropping, spoofing, denial-of-service (DoS) attacks,
and replay attacks. This is especially relevant when communication occurs over public networks because
users are working from home, remote offices, or other locations, such as coffee shops.
Mitigation
You should consider taking the following actions to mitigate these threats:
Implement IPsec.
Host
The host layer refers to a network's individual computers. This includes the operating system, but not
application software. Host-layer security includes operating system services such as a Web server, and
hackers can compromise it by:
Default operating system configurations. Operating systems and their services include default
configurations. In some cases, the default configuration might not include a password or might
include sample files with vulnerabilities. Attackers use their knowledge of default configurations to
compromise systems.
Viruses that attack hosts. A virus uses operating system flaws or default configurations to infect a host
and replicate itself.
Mitigation
You should consider taking the following actions to mitigate these threats:
Use host-based antivirus, antimalware, and antispyware software, such as Windows Defender.
Application
The application layer refers to apps that run on hosts. This includes additional services such as mail servers,
and desktop apps such as the Microsoft Office System. The risks to apps are similar to the risks that hosts
face, which can include:
App vulnerabilities. Apps are complex programs that are likely to have vulnerabilities. Attackers can
use these vulnerabilities to install malicious apps or remotely control a computer.
Default app configurations. Apps such as databases might have a default password or no password at
all. Not securing the default configuration simplifies the work of attackers who attempt to access a
system.
Viruses that users introduce. In some cases, users introduce viruses by their actions rather than by
flaws. In other cases, an app actually is a Trojan horse that contains malicious code embedded in what
appears to be a useful app.
Mitigation
You should consider taking the following actions to mitigate these threats:
Enable only required features and functionality for operating systems and apps.
Data
The final layer of security is the data security layer. This includes data files, app files, databases, and Active
Directory Domain Services (AD DS). When your data layer becomes compromised, it can result in:
Unauthorized access to data files. Unauthorized access to data files might result in unauthorized users
reading data, such as users inadvertently viewing the salaries of other staff members. It also might
result in data modification, which could cause it to be inaccurate.
Unauthorized access to AD DS. Hackers could reset user passwords and then attack your network by
using the new passwords.
Modification of app files. When app files are modified, they might perform unwanted tasks, such as
data replication over the Internet, where an attacker can access it.
Mitigation
You should consider taking the following actions to mitigate these threats:
Implement encryption.
Note: File permissions were previously called NTFS permissions, but the term now applies to both
NTFS and ReFS files and folders.
DoS attack. This type of attack limits the function of a network app, or it makes the app or network
resource unavailable. Hackers can initiate a DoS attack in several ways and often are aware of
vulnerabilities in the target app that they can exploit to render it unavailable. DoS attacks often are
performed by overloading a service that replies to network requests, like Domain Name System
(DNS), with a large number of fake requests in an attempt to overload and shut down a service or
the server that hosts the service.
Note: Hacking is a generic term that refers to the act of trying to crack a computer
program or code. When talking about network security, hacking is an important topic because
hackers will hack your network to attack it, your extended user base, or your cache of apps and
sensitive intellectual property.
Port scanning. Apps that run on a computer using the TCP/IP protocol use Transmission Control
Protocol (TCP) or User Datagram Protocol (UDP) ports to identify themselves. One way that attackers
exploit a network is to query hosts for the ports on which they listen for client requests. These ports
are said to be open. Once attackers identify an open port, they can use other attack techniques to
access a network.
Man-in-the-middle (MITM) attack. The network attacker uses a computer to impersonate a legitimate
host on the network with which your computers are communicating. The attacker intercepts all of the
communications that are intended for a destination host. The attacker might wish to view the data in
transit between the two hosts, but also can modify the data in transit before forwarding the packets
to the destination host.
IPsec. IPsec provides a way to authenticate IP-based communications between two hosts and, where
desirable, encrypt that network traffic.
Firewalls. Firewalls allow or block network traffic based on the type of traffic.
Perimeter networks. A perimeter network is an isolated area on your network to and from which you
can define network traffic flow. When you need to make network services available on the Internet,
it is not advisable to connect hosting servers directly to the Internet. By placing these servers in a
perimeter network, you can make them available to Internet users without letting those users gain
access to your corporate intranet.
VPNs. When users must connect to an organization's intranet from the Internet, it is important that
they do so as securely as possible. The Internet is a public network, and data in transit across the
Internet is susceptible to eavesdropping or MITM attacks. By using VPNs, you can authenticate and
encrypt connections between remote users and your organization's intranet, thereby mitigating risk.
Server hardening. By only running the services that you need, you can make servers inherently more
secure. To determine what services you require, you must establish a baseline of security among your
servers. It is sometimes difficult to determine precisely which Windows Server services you need to
support the functionality that you or your enterprise requires. Therefore, you can use tools such as
the Security Configuration Wizard or the Microsoft Baseline Security Analyzer to help you.
Domain Name System Security Extensions (DNSSEC). DNSSEC provides the ability for DNS servers
and resolvers to trust DNS responses by using digital signatures for validation. All signatures
generated are contained within the DNS zone itself in the new resource records. When a resolver
issues a query for a name, the accompanying digital signature is returned in the response. Validation
of the signature then is performed through the use of a preconfigured trust anchor. Successful
validation proves that no data modification or tampering has occurred.
Lesson 2
Windows Firewall provides built-in functionality that you can use to protect Windows 8.1 computers from
unauthorized access attempts or other unwanted incoming or outgoing traffic on a network. Unwanted
traffic often comes from Internet-based sources, but the network security of any computer also can be
compromised from a LAN or WAN. You can use Windows Firewall to filter incoming and outgoing traffic
based on the traffic's characteristics and the type of network to which a Windows 8.1 computer is
connected.
Lesson Objectives
After completing this lesson, you will be able to:
Domain networks. These are networks at a workplace that attach to a domain. Use this option for any
network that allows communication with a domain controller. Network discovery is on by default, and
you cannot create or join a HomeGroup.
Private networks. These are networks at home or work where you know and trust the people and
devices on the network. When you select Home or work (private) networks, this turns on network
discovery. Computers on a home network can belong to a HomeGroup.
Guest or public networks. These are networks in public places. This location keeps the computer from
being visible to other computers. When you select the Public place network location, HomeGroup is
not available and network discovery is turned off.
You can modify the firewall settings for each type of network location from the main Windows Firewall
page. Click Turn Windows Firewall on or off, select the network location, and then make your selection.
You also can modify the following options:
Block all incoming connections, including those in the list of allowed programs.
Note: A system administrator can configure Windows Firewall settings by using Group
Policy.
The Public networks location blocks certain programs and services from running, which protects a
computer from unauthorized access. If you connect to a Public network and Windows Firewall is on, some
programs or services might ask you to allow them to communicate through the firewall so that they can
work properly.
Firewall Exceptions
Generally, it is safer to add a program to the list of allowed programs than to open a port for the app. If
you open a port without scoping the port to a specific app, you make a hole in the firewall, and it stays
open until you close the port, whether a program is using it or not. If you add a program to the list of
allowed programs, you are allowing the app itself to poke a hole in the firewall, but only when necessary.
The holes are open for communication only when required by an allowed program or computer.
To add, change, or remove allowed programs and ports, click Allow an app or feature through Windows
Firewall in the left pane of the Windows Firewall page, and then click Change settings. For example, to
view performance counters from a remote computer, you must enable the Performance Logs and Alerts
firewall exception on the remote computer.
To help decrease security risks when you open communications, consider the following:
Remove programs from the list of allowed programs, or close ports when you do not require them.
Never allow a program that you do not recognize to communicate through the firewall.
Windows 8.1 includes multiple active firewall policies. These firewall policies enable computers to
obtain and apply a domain firewall profile, regardless of the networks that are active on the computers.
Information technology (IT) professionals can maintain a single set of rules for remote clients and those
that physically connect to an organization's network. To set up or modify profile settings for a network
location, click Change advanced sharing settings in the left pane of the Network and Sharing Center.
You also can display firewall notifications in the taskbar. Click Change notification settings in the left pane
of the Windows Firewall page, and then for each network location, check or clear the Notify me when
Windows Firewall blocks a new app check box.
Use the Windows Firewall with Advanced Security Properties dialog box to configure basic firewall
properties for domain, private, and public network profiles. A firewall profile is a way of grouping settings,
including firewall rules and IPsec rules. Use the IPsec Settings tab on the Windows Firewall with Advanced
Security Properties dialog box to configure the default values for IPsec configuration options.
Note: To access the global profile settings in Windows Firewall with Advanced Security
Properties, perform one of the following procedures:
In the navigation pane, right-click Windows Firewall with Advanced Security, and then click
Properties.
In the navigation pane, select Windows Firewall with Advanced Security, and then in the Overview
section, click Windows Firewall Properties.
In the navigation pane, select Windows Firewall with Advanced Security, and then in the Actions pane,
click Properties.
The options that you can configure for each of the three network profiles are:
Inbound connections. Configure to block connections that do not match any active firewall rules,
block all connections regardless of inbound rule specifications, or allow inbound connections that do
not match an active firewall rule.
Outbound connections. Configure to allow connections that do not match any active firewall rules, or
block outbound connections that do not match an active firewall rule.
Settings. Configure display notifications, unicast responses, local firewall rules, and local IPsec rules.
Name. Use a different name for each network profile's log file.
Size limit (KB). The default size is 4,096. Adjust this if necessary when troubleshooting.
No logging occurs until you set one or both of the following two options to Yes:
Rules are a collection of criteria that define what traffic you will allow, block, or secure with a firewall. You
can configure the following types of rules:
Inbound
Outbound
IPsec
Inbound rules
Inbound rules explicitly allow or block traffic that matches the rule's criteria. For example, you can
configure a rule to allow traffic that is secured by IPsec for Remote Desktop through the firewall, but
block the same traffic if IPsec does not secure it. You must use a separately configured IPsec rule to secure
the traffic.
When you first install the Windows operating system, Windows Firewall blocks all unsolicited inbound
traffic. To allow a certain type of unsolicited inbound traffic, you must create an inbound rule that
describes that traffic. For example, if you want to run a Web server, you must create a rule that allows
unsolicited inbound network traffic on TCP port 80. You can configure the default action that Windows
Firewall with Advanced Security takes, which is whether to allow or block connections when no inbound
rule applies.
Outbound rules
Windows Firewall allows all outbound traffic unless a rule blocks it. Outbound rules explicitly allow or
deny traffic originating from a computer that matches a rule's criteria. For example, you can configure a
rule to explicitly block outbound traffic to a computer by IP address through the firewall, but allow the
same traffic for other computers.
Program rules. These control connections for a program. Use this type of firewall rule to allow a
connection based on the program that is trying to connect. These rules are useful when you are not
sure of the port or other required settings, because you only specify the path to the program's
executable (.exe) file.
Port rules. These control connections for a TCP or UDP port. Use this type of firewall rule to allow a
connection based on the TCP or UDP port number over which the computer is trying to connect. You
specify the protocol and the individual or multiple local ports to which the rule applies.
Predefined rules. These control connections for a Windows-based experience. Use this type of firewall
rule to allow a connection by selecting one of the programs or experiences from the list. Network-aware
programs that you install typically add their own entries to this list so that you can enable and
disable them as a group.
Custom rules. Configure these as necessary. Use this type of firewall rule to allow a connection based
on criteria that other types of firewall rules do not cover.
Consider the scenario in which you want to create and manage tasks on a remote computer by using the
Task Scheduler user interface. Before connecting to the remote computer, you must enable the Remote
Scheduled Tasks Management firewall exception on the remote computer. You can do this by using the
predefined rule type on an inbound rule.
Alternatively, you might want to block all web traffic on the default TCP Web server port 80. In this
scenario, you create an outbound port rule that blocks the specified port. The next topic discusses
well-known ports, such as port 80.
IPsec rules
Firewall rules and IPsec rules are complementary, and both contribute to a defense-in-depth strategy
to protect a computer. IPsec rules secure traffic as it crosses a network by using IPsec. Use IPsec rules to
specify that connections between two computers must be authenticated or encrypted. IPsec rules specify
how and when authentication occurs, but they do not allow connections. To allow a connection, create an
inbound or outbound rule. After an IPsec rule is in place, you can specify that inbound and outbound
rules apply only to specific users or computers.
You can create the following IPsec rule types:
Isolation rules. These isolate computers by restricting connections based on authentication criteria,
such as domain membership or health status. Isolation rules allow you to implement a server or
domain isolation strategy.
Authentication exemption rules. These designate connections that do not require authentication. You
can designate computers by specific IP address, an IP address range, a subnet, or a predefined group,
such as a gateway.
You typically use this type of rule to grant access to infrastructure computers, such as Active Directory
domain controllers, certification authorities (CAs), or Dynamic Host Configuration Protocol servers.
Server-to-server rules. These protect connections between specific computers. When you create
this type of rule, you must specify the network endpoints between which you want to protect
communications. Then, you designate requirements and the type of authentication that you want
to use, such as the Kerberos version 5 protocol. A scenario in which you might use this rule is to
authenticate the traffic between a database server and a business-layer computer.
Tunnel rules. These secure communications that travel between two computers by using tunnel mode
in IPsec instead of transport mode. Tunnel mode embeds the entire network packet into one that you
route between two defined endpoints.
For each endpoint, specify a single computer that receives and consumes the sent network traffic, or
specify a gateway computer that connects to a private network onto which the received traffic is
routed after extracting it from the tunnel.
Custom rules. Configure these as necessary. Custom rules authenticate connections between two
endpoints when you cannot set up authentication rules by using the other rule types.
Monitoring
Windows Firewall uses the monitoring interface to display information about current firewall rules, IPsec
rules, and security associations (SAs). The Monitoring page displays which profiles are active (domain,
private, or public), and the settings for the active profiles.
The Windows Firewall with Advanced Security events also are available in Event Viewer. For example, the
ConnectionSecurity operational event log is a resource that you can use to view IPsec-related events. The
operational log is always on, and it contains events for IPsec rules.
The Internet Protocol version 4 (IPv4) or Internet Protocol version 6 (IPv6) addresses of the source and
destination hosts.
The TCP or UDP port number that the apps are using. TCP or UDP communications use ports to name
the ends of logical connections that transfer data.
Well-Known Ports
The Internet Assigned Numbers Authority (IANA) assigns the well-known ports on most systems. Typically,
only system processes or programs that privileged users execute can use these ports. Ports receive a
number between 0 and 65,535 and fall into three ranges:
Well-known ports are those from 0 through 1,023.
Registered ports are those from 1,024 through 49,151.
Dynamic and private ports are those from 49,152 through 65,535.
To view the current TCP/IP network connections and listening ports, use the netstat -a command or the
Get-NetTCPConnection Windows PowerShell command-line interface cmdlet.
IANA assigns well-known ports to specific apps so that client apps can locate them on remote systems.
Therefore, to the extent that is possible, use the same port assignments with TCP and UDP. To view
a list of well-known ports and the associated services that are recognized by Windows 8.1, open the
C:\Windows\System32\drivers\etc\Services file. The following table identifies some well-known ports.
Port    Protocol    Application
21      TCP         File Transfer Protocol (FTP) control channel
23      TCP         Telnet remote terminal sessions
25      TCP         Simple Mail Transfer Protocol (SMTP) that email servers and clients use to send email
53      UDP         DNS
53      TCP         DNS
80      TCP         Hypertext Transfer Protocol (HTTP), the default Web server port
110     TCP         Post Office Protocol version 3 (POP3) that email clients use for email retrieval
143     TCP         Internet Message Access Protocol (IMAP) used for email retrieval from email clients
161     UDP         Simple Network Management Protocol (SNMP)
389     TCP         Lightweight Directory Access Protocol (LDAP)
443     TCP         HTTP over Transport Layer Security (HTTPS)
3389    TCP         Remote Desktop Protocol (RDP)
Typically, it is not necessary to configure applications to use specific ports. However, you must be aware of
the ports that applications use to ensure that the required ports are open through your firewall when you
use a port rule.
Remember that when you add a TCP or UDP port to the rules list, the port is open whenever Windows
Firewall with Advanced Security is running, regardless of whether there is a program or system service
listening for incoming traffic on the port. For this reason, if you need to allow unsolicited incoming traffic,
create a program rule instead of a port rule. With a program rule, the port opens and closes dynamically
as the program requires. You also do not need to be aware of the port number that the application uses.
If you change the application port number, the firewall automatically continues communication on the
new port.
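The caveat above (a port rule keeps the port open whether or not anything listens on it), turned into a check, as an added example that is not part of the course: it joins the enabled inbound allow port rules with what is currently listening and with the service names from the Services file the text refers to. Assumes Windows 8.1 with the NetSecurity and NetTCPIP modules; the function names are mine.

```powershell
# Added example, not course code. Run in an elevated Windows PowerShell window.

# Read the Services file into a lookup keyed by "port/protocol", for example "80/tcp" -> "http".
function Get-ServiceNameTable {
    param([string]$Path = "$env:SystemRoot\System32\drivers\etc\services")
    $table = @{}
    foreach ($line in Get-Content -LiteralPath $Path) {
        # Each entry is "<name> <port>/<protocol> [aliases] [# comment]".
        $text = ($line -split '#', 2)[0].Trim()
        if ($text -eq '') { continue }
        $fields = $text -split '\s+'
        if ($fields.Count -ge 2 -and $fields[1] -match '^\d+/(tcp|udp)$') {
            $table[$fields[1].ToLower()] = $fields[0]
        }
    }
    return $table
}

# Every enabled inbound Allow rule that opens a TCP or UDP port, one object per port.
# Program rules show LocalPort "Any" and are skipped: they are not the case the text warns about.
function Get-InboundAllowPortRules {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $rule   = $_
        $filter = $rule | Get-NetFirewallPortFilter
        if ($filter.Protocol -notin 'TCP', 'UDP') { return }   # ICMP, GRE, Any: not port rules
        foreach ($port in @($filter.LocalPort)) {
            if ($port -eq 'Any') { continue }
            [pscustomobject]@{
                Rule     = $rule.DisplayName
                Profile  = $rule.Profile
                Protocol = $filter.Protocol
                Port     = "$port"          # a number, a range ("1024-65535"), or a keyword ("RPC")
            }
        }
    }
}

# What is actually listening right now, as "port/protocol" keys.
function Get-ListeningPortKeys {
    $tcp = Get-NetTCPConnection -State Listen | ForEach-Object { "$($_.LocalPort)/tcp" }
    $udp = Get-NetUDPEndpoint | ForEach-Object { "$($_.LocalPort)/udp" }
    $all = @($tcp) + @($udp) | Sort-Object -Unique
    return $all
}

# Join the three views. Listening = False is the open-but-idle port: allowed through the firewall
# even though no program is using it, so whatever binds it later is reachable without any change
# to the firewall. Those rules are the candidates to replace with program rules or to remove.
function Get-PortRuleAudit {
    $names     = Get-ServiceNameTable
    $listening = Get-ListeningPortKeys
    Get-InboundAllowPortRules | ForEach-Object {
        $key = "$($_.Port)/$($_.Protocol.ToLower())"
        if ($names.ContainsKey($key)) { $service = $names[$key] } else { $service = '(not in Services file)' }
        if ($_.Port -match '^\d+$') {
            $isListening = [bool]($listening -contains $key)
        } else {
            $isListening = 'range/keyword: check manually'
        }
        [pscustomobject]@{
            Rule      = $_.Rule
            Profile   = $_.Profile
            Port      = $key
            Service   = $service
            Listening = $isListening
        }
    }
}

Get-PortRuleAudit | Sort-Object Port | Format-Table -AutoSize
```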
In this demonstration, you will see how to configure inbound and outbound firewall rules for Windows
Firewall.
Demonstration Steps
Test Remote Desktop connectivity
Open the Start screen, and then start Remote Desktop Connection.
Switch to LON-CL1.
Predefined Rules:
Switch to LON-CL2, open the Start screen, and then start Remote Desktop Connection.
Connect to LON-CL1.
Switch to LON-CL1.
Open the Start screen, and then start Remote Desktop Connection.
Open the properties of the Block Outbound RDP to LON-DC1 rule, and then click the Scope tab.
Modify the scope so that the rule only applies to the remote IP address 172.16.0.10.
Open the Start screen, and then start Remote Desktop Connection.
Remote Desktop is enabled on all client systems through a Group Policy Object (GPO). However, as part
of your infrastructure security plan, you must configure certain desktops systems, such as the Human
Resources department systems, for limited exposure to remote connections. Before implementing firewall
rules in a GPO, you want to validate your plan by manually configuring the rules on local systems. You
decide to control this through local firewall rules that block traffic on the client systems, using LON-CL1 as
a test computer.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 20 minutes
Virtual machines: 20687D-LON-DC1, 20687D-LON-CL1, 20687D-LON-CL2
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
Open the Start screen, and then start Remote Desktop Connection.
Predefined Rules:
Switch to LON-CL2, open the Start screen, and then start Remote Desktop Connection.
Connect to LON-CL1.
Results: After completing this exercise, you should have created an inbound Windows Firewall rule.
You must implement a firewall rule on LON-CL1 that prevents it from connecting to LON-DC1 with the
Remote Desktop Connection app.
The main tasks for this exercise are as follows:
Switch to LON-CL1.
Open the Start screen, and then start Remote Desktop Connection.
Program: C:\Windows\System32\mstsc.exe
Open the Properties of the Block Outbound RDP to LON-DC1 rule, and then click the Scope tab.
Modify the scope so that the rule only applies to the remote IP address 172.16.0.10.
Open the Start screen, and then start the Remote Desktop Connection app.
Results: After completing this exercise, you should have configured and tested an outbound firewall rule.
When you finish the lab, leave the virtual machines running, as they are needed for the next lab.
Lesson 3
IPsec is a suite of protocols that can protect data in transit through a network by using security services
and, optionally, digital certificates with public and private keys. Because of its design, IPsec helps provide
much better security than previous protection methods. Network administrators who use IPsec do not
have to configure security for individual programs.
You can use IPsec rules to configure IPsec settings for specific connections between your computer
and other computers. Windows Firewall with Advanced Security uses IPsec rules to evaluate network
traffic, and then it blocks or allows messages based on criteria that you establish in the rule. In some
circumstances, Windows Firewall with Advanced Security will block the communication. If you configure
settings that require security for a connection (in either direction), and the two computers cannot
authenticate each other, then IPsec blocks the connection. Once you enable and configure IPsec, it is
important that you know how to monitor IPsec.
Lesson Objectives
After completing this lesson, you will be able to:
Benefits of IPsec
You can use IPsec to ensure confidentiality, integrity, and authentication in data transport across channels
that are not secure. Though its original purpose was to secure traffic across public networks, many
organizations have chosen to implement IPsec to address perceived weaknesses in their own private
networks that might be susceptible to exploitation.
If you implement it properly, IPsec provides a private channel for sending and exchanging potentially
sensitive or vulnerable data, whether it is email, FTP traffic, news feeds, partner and supply-chain data,
medical records, or any other type of TCP/IP-based data.
IPsec:
IPsec Modes
IPsec has two modes:
Encapsulating security payload (ESP). This mode encrypts data using one of several available
algorithms.
Authentication Header (AH). This mode signs traffic, but does not encrypt it.
ESP and AH verify the integrity of all IP traffic. If a packet has been modified, the digital signature will
not match, and IPsec will discard the packet. ESP in tunnel mode encrypts the source and destination
addresses as part of the payload. In tunnel mode, a new IP header is added to the packet that specifies
the tunnel endpoints' source and destination addresses. ESP can make use of the Data Encryption Standard
(DES), Triple Data Encryption Standard (3DES), and Advanced Encryption Standard (AES) encryption
algorithms in Windows Server 2012 R2. As a best practice, you should avoid using DES unless clients
cannot support the stronger encryption that AES or 3DES offer.
ESP and AH use sequence numbers. As a result, any packets that hackers attempt to capture for later
replay use numbers that are out of sequence. Using sequenced numbers ensures that an attacker cannot
reuse or replay captured data to establish a session or gain information. Using sequenced numbers also
protects against attempts to intercept a message and use it to access resources, possibly months later.
Securing traffic to servers. You can implement IPsec for all client computers that access a server. You
also can configure restrictions on the server, specifying which clients can connect.
Layer Two Tunneling Protocol (L2TP)/IPsec for VPN connections. You can combine the L2TP tunneling
protocol with IPsec, known as L2TP/IPsec, to provide additional data protection for VPN connections.
Site-to-site (gateway-to-gateway) tunneling. You can use IPsec to create site-to-site tunnels when you
need to connect to routers, gateways, or other network nodes that do not support L2TP/IPsec or
Point-to-Point Tunneling Protocol (PPTP) connections.
Enforcing logical networks (server/domain isolation). In a Windows-based network, you can isolate
server and domain resources logically to limit access to authenticated and authorized computers. For
example, you can create a logical network inside an existing physical network, where computers share
common requirements for secure communications. To establish connectivity, each computer in this
logically isolated network must provide authentication credentials to other computers.
This isolation prevents unauthorized computers and programs from gaining inappropriate access to
resources. IPsec ignores requests from computers that are not part of the isolated network. Server and
domain isolation can protect specific high-value servers and data, and it can protect managed
computers from unmanaged or rogue computers and users.
You can protect a network with two types of isolation:
Server isolation. To isolate a server, you configure specific servers to require an IPsec policy to accept
authenticated communications from other computers. For example, you might configure the
database server to accept connections from a web application server only.
Domain isolation. To isolate a domain, you use Active Directory domain membership to ensure that
computers that are domain members accept only authenticated and secured communications from
other domain-member computers. The isolated network consists only of that domain's member
computers, and domain isolation uses an IPsec policy to protect traffic between domain members,
including all client and server computers.
Note: IPsec depends on IP addresses for establishing secure connections. Using dynamic IP
addresses for both clients and servers, or at either end of an IPsec connection, can introduce
significant complexity to the design of an IPsec policy.
Protect traffic over wireless 802.11 LANs. You can use IPsec to encrypt traffic over 802.11 networks.
However, you should not use IPsec for securing organizational 802.11 wireless LANs. You should use
Wi-Fi Protected Access 2 encryption and Institute of Electrical and Electronics Engineers, Inc. (IEEE)
802.1X authentication instead.
You also can use L2TP/IPsec VPN connections to protect remote access traffic over the Internet
between organizational networks.
Use IPsec in tunnel mode for remote access VPN connections. You should not use IPsec only for
Windows-based VPN clients and servers. Rather, use L2TP/IPsec or PPTP.
Authentication exemption. You can use an authentication exemption to designate connections that
do not require authentication. You can designate computers by a specific IP address, an IP address
range, a subnet, or a predefined group, such as a gateway.
Tunnel. A tunnel rule allows you to protect connections between gateway computers, and typically,
you use it when you are connecting across the Internet between two security gateways.
Custom. Sometimes, you cannot set up authentication rules that you need by using the rules available
in the New Connection Security Rule Wizard. In such cases, you can use a custom rule to authenticate
connections between two endpoints.
Firewall rules allow traffic through a firewall, but do not secure that traffic. To secure traffic with IPsec, you
can create connection security rules. However, when you create a connection security rule, this does not
allow the traffic through the firewall. You must create a firewall rule to do this if the traffic is not allowed
by the firewall's default behavior. Connection security rules do not apply to programs and services, but
rather, they apply between the computers that are the two endpoints.
Configuring Authentication
When you use the New Connection Security Rule Wizard to create a new rule, you can use the
Requirements page to specify how you want authentication to apply to inbound and outbound
connections. If you request authentication, communication continues even when authentication fails. If
you require authentication, the connection is dropped if authentication fails.
Use the Require authentication for inbound connections and request authentication for outbound
connections option if you want to require that all inbound traffic either is authenticated or else blocked.
Outbound traffic can be authenticated, but it is allowed if authentication fails. If authentication succeeds
for outbound traffic, that traffic is authenticated. You typically use this option in most IT environments in
which the computers that need to connect can perform the authentication types that are available with
Windows Firewall with Advanced Security.
Use the Require authentication for inbound and outbound connections option if you want to require
that all inbound and outbound traffic either is authenticated or else blocked. You typically use this option
in higher-security IT environments where you must protect and control traffic flow, and in which the
computers that must be able to connect can perform the authentication types that are available with
Windows Firewall with Advanced Security.
Default
Select the Default option to use the authentication method that you configured on the IPsec Settings tab
of the Windows Firewall with Advanced Security Properties dialog box.
The Computer and user (Kerberos V5) method uses both computer and user authentication, which means
that you can request or require both the user and the computer to authenticate before communications
continue. You can use the Kerberos V5 authentication protocol only if both computers and users are
domain members.
The Computer (Kerberos V5) method requests or requires the computer to authenticate by using the
Kerberos V5 authentication protocol. You can use the Kerberos V5 authentication protocol only if both
computers are domain members.
The User (Kerberos V5) method requests or requires the user to authenticate by using the Kerberos V5
authentication protocol. You can use the Kerberos V5 authentication protocol only if the user is a domain
member.
Computer Certificate
The Computer certificate method requests or requires a valid computer certificate to authenticate, and
you must have at least one CA to do this. Use this method if the computers are not part of the same
AD DS domain.
The Only accept health certificates method requests or requires a valid health certificate to authenticate.
Health certificates declare that a computer has met system health requirements, as determined by a
Network Access Protection (NAP) health policy server, such as all software and other updates that network
access requires. These certificates are distributed during the NAP health evaluation process. Use this
method only for supporting NAP.
Advanced
You can configure any available method, and you can specify methods for first authentication and second
authentication. First authentication methods include Computer (Kerberos V5), computer certificate, and
a Preshared key (not recommended). Second authentication methods include User (Kerberos V5), User
NTLM (Windows NT Challenge/Response protocol), user certificates, and computer certificates. Only
computers that are running Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows Server 2008,
Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2 support second
authentication methods.
You can use the Windows Firewall with Advanced Security console to monitor security policies that you
create in the Connection Security Rules node. However, you cannot view the policies that you create by
using the IP Security Policy Management snap-in. These security options are for use with Windows Vista,
Windows 7, Windows 8, Windows 8.1, Windows Server 2008, Windows Server 2008 R2, Windows
Server 2012, and Windows Server 2012 R2. For older operating systems, such as Windows XP and
Windows 2000, you must use the Connection Security Rules node to view SAs and connections.
The Connection Security Rules node lists all of the enabled IPsec rules with detailed information about
their settings. Connection security rules define which authentication, key exchange, data integrity, or
encryption you can use to form an SA. The SA defines the security that protects the communication from
the sender to the recipient.
You can implement Connection Security Monitor as an MMC snap-in. It includes enhancements that you can
use to view details about an active connection security policy that the domain applies or that you apply
locally. Additionally, you can view Quick Mode and Main Mode statistics, and active connection security
SAs. You also can use Connection Security Monitor to search for specific Main Mode or Quick Mode
filters. To troubleshoot complex connection security policy designs, you can use Connection Security
Monitor to search for all matches for filters of a specific traffic type.
Additionally, you can enable DNS name resolution for the IP addresses that you are monitoring. Note that
there are some issues to consider when enabling DNS. For example, it only works in a specific filter view
for Quick Mode and in SAs view for Quick Mode and Main Mode monitoring. There also is the possibility
that you can affect a server's performance if several items in the view require name resolution. Finally, the
DNS record name resolution requires a proper pointer (PTR) resource record in DNS.
You can monitor computers remotely from a single console, but you must modify a registry value so that
the remote system accepts a console connection.
Setting the HKLM\system\currentcontrolset\services\policyagent\EnableRemoteMgmt registry
value to 1 prevents the "IPsec service is not running" error when you manage a computer remotely.
You can get basic information about the current IP security policy in the Active Policy node of the IP
Security Monitoring snap-in to the MMC. During troubleshooting, this is useful to identify which policy
IPsec is applying to the server. Details such as the policy location and when it was modified last provide
key details when you are determining the current in-place policy.
To view the IPsec rules in the active policy store, you can use the following Windows PowerShell
command:
Show-NetIPsecRule -PolicyStore ActiveStore
The Main Mode SA is the initial SA that is established between two computers. This negotiates a set of
cryptographic protection suites between both hosts. This initial SA allows Quick Mode key exchange to
occur in a protected environment. The Main Mode SA also is known as the Internet Security Association
and Key Management Protocol (ISAKMP) or Phase 1 SA. Main Mode establishes the secure environment in
which to exchange other keys, as required by the IPsec policy.
A Quick Mode SA depends on the successful establishment of a Main Mode SA. A Quick Mode SA also is
known as an IPsec or Phase 2 SA. This process establishes keys based on the information that the policy
specifies. Quick Mode SAs establish protected transmission channels for the actual application IP data that
the policy specifies.
Monitoring SAs
The Security Associations folder lists all of the Main Mode and Quick Mode SAs with detailed information
about their settings and endpoints.
Main Mode
Main Mode statistics provide data about the total number of SAs created and invalid packet information.
Quick Mode
Quick Mode provides more detailed information about connections. If you are having issues with an IPsec
connection, Quick Mode statistics can provide insight into the problem.
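The rule listing (Show-NetIPsecRule against the active store) and the Main Mode / Quick Mode SA monitoring described above, combined into one check, as an added example that is not part of the course: it reports, per expected peer, whether Phase 1 and Phase 2 SAs exist and which first-authentication method was negotiated. Assumes Windows 8.1 with the NetSecurity module; the SA property names used (RemoteEndpoint, FirstAuthenticationMethod, KeyModule) are those the Get-NetIPsec*SA cmdlets expose (confirm with Get-Member on your build), the address 172.16.0.10 is LON-DC1's from this module's lab, and the function names are mine.

```powershell
# Added example, not course code. Run in an elevated Windows PowerShell window.

# What the active policy store says should happen: the text's Show-NetIPsecRule, summarised to the
# fields that decide behaviour (Require vs Request, and the authentication sets for both phases).
function Get-ActiveIPsecRuleSummary {
    Get-NetIPsecRule -PolicyStore ActiveStore |
        Select-Object DisplayName, Enabled, InboundSecurity, OutboundSecurity, Phase1AuthSet, Phase2AuthSet
}

# What actually negotiated. A peer with no Main Mode SA either has not sent traffic yet or failed
# authentication (the ConnectionSecurity operational log has the detail); a peer with a Main Mode
# SA but no Quick Mode SA got through Phase 1 but never established the data-protection SA.
function Get-IPsecPeerStatus {
    param([Parameter(Mandatory)][string[]]$ExpectedPeer)
    $mainMode  = @(Get-NetIPsecMainModeSA  -ErrorAction SilentlyContinue)
    $quickMode = @(Get-NetIPsecQuickModeSA -ErrorAction SilentlyContinue)
    foreach ($peer in $ExpectedPeer) {
        $mm = @($mainMode  | Where-Object { "$($_.RemoteEndpoint)" -eq $peer })
        $qm = @($quickMode | Where-Object { "$($_.RemoteEndpoint)" -eq $peer })
        if ($mm.Count -eq 0) {
            $status = 'no Main Mode SA: no traffic yet, or the peer failed authentication'
        } elseif ($qm.Count -eq 0) {
            $status = 'Main Mode only: Phase 2 (Quick Mode) not negotiated'
        } else {
            $status = 'protected'
        }
        if ($mm.Count -gt 0) { $firstAuth = $mm[0].FirstAuthenticationMethod; $keyModule = $mm[0].KeyModule }
        else                 { $firstAuth = $null;                           $keyModule = $null }
        [pscustomobject]@{
            Peer         = $peer
            MainModeSAs  = $mm.Count
            FirstAuth    = $firstAuth       # for the lab's rule this should be the computer Kerberos method
            KeyModule    = $keyModule
            QuickModeSAs = $qm.Count
            Status       = $status
        }
    }
}

Get-ActiveIPsecRuleSummary | Format-Table -AutoSize
# LON-DC1's address comes from the lab; add the addresses of the other isolated peers you expect.
Get-IPsecPeerStatus -ExpectedPeer '172.16.0.10' | Format-Table -AutoSize
```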
Demonstration Steps
Create a connection rule
1. On LON-CL1, open Control Panel, open Windows Firewall, and then open the Advanced settings.
2. Create a connection security rule that allows traffic on LON-CL1 with the following settings:
o Rule: Isolation
Switch to LON-CL2, open a Command Prompt window, and then ping LON-CL1.
Open an Administrator: Windows PowerShell window, and then run the following cmdlet:
Note: The ComputerKerberos and UserKerberos values used in the following cmdlet
are case sensitive. Please type the command as written, including case.
New-NetIPsecRule -DisplayName "Authenticate all inbound connections" -InboundSecurity Require -OutboundSecurity Request -Phase1AuthSet ComputerKerberos -Phase2AuthSet UserKerberos
Ping LON-CL1.
Open Control Panel, open Windows Firewall, and then open the Advanced settings.
Switch to LON-CL1, and open an Administrator: Windows PowerShell Command Prompt window.
To examine the Main Mode Security Associations, run the following cmdlet:
Get-NetIPsecMainModeSA
To examine the Quick Mode Security Associations, run the following cmdlet:
Get-NetIPsecQuickModeSA
Revert the LON-DC1, LON-CL1, and LON-CL2 virtual machines to prepare for the next lab.
A. Datum Corporation uses many outside consultants. The enterprise's management has a concern that if
consultants were on the company network, they might be able to connect to unauthorized computers.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 20 minutes
Virtual machines: 20687D-LON-DC1, 20687D-LON-CL1, 20687D-LON-CL2
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. The required virtual machines should
be running already from the preceding lab.
You have decided to test using secured connections between computers on sensitive segments of your
network.
The main tasks for this exercise are as follows:
Create an IPsec rule on LON-CL2 by using the Windows PowerShell command-line interface.
Create a connection security rule that allows traffic on LON-CL1 with the following settings:
o Rule: Isolation
Switch to LON-CL2, open a Command Prompt window, and then ping LON-CL1.
On LON-CL2, open an Administrator: Windows PowerShell window, and then run the following
cmdlet:
Note: The ComputerKerberos and UserKerberos values used in the following cmdlet
are case sensitive. Please type the command as written, including case.
New-NetIPsecRule -DisplayName "Authenticate all inbound connections" -InboundSecurity Require -OutboundSecurity Request -Phase1AuthSet ComputerKerberos -Phase2AuthSet UserKerberos
Note: The monitoring component for the newly created Connection Security Rule might
not be created in a timely fashion. To force the creation of the monitoring component, perform
the following steps:
1. Open the Control Panel, open Windows Firewall, and then navigate to the Advanced Security
page.
2. Under the Connection Security Rules node, double-click Authenticate all inbound connections.
3. In the Description field, type Requires inbound authentication, and then click OK.
Ping LON-CL1.
Open Control Panel, open Windows Firewall, and then open the Advanced settings.
Switch to LON-CL1, and then open a Windows PowerShell Command Prompt window in
Administrator mode.
To examine the Main Mode Security Associations, run the following cmdlet:
Get-NetIPsecMainModeSA
To examine the Quick Mode Security Associations, run the following cmdlet:
Get-NetIPsecQuickModeSA
Results: After completing this exercise, you should have created and tested IPsec rules.
When you finish the lab, leave the virtual machines running, as they are needed for the next lab.
Lesson 4
Malware might show up on computers and devices in your organization, despite your efforts to prevent it.
When this occurs, you must investigate it immediately and take appropriate action. Windows 8.1 includes
components that can help you identify and remove malware from computers in your environment.
Lesson Objectives
After completing this lesson, you will be able to:
Windows SmartScreen
The Windows SmartScreen safety feature in Windows 8.1 helps protect against apps that might contain malware
or perform unwanted operations on your computer. When an app is executed, Windows SmartScreen takes
advantage of the Microsoft SmartScreen online databases to determine whether an app has been identified as
malicious. Windows SmartScreen then will warn you prior to executing a potentially malicious app.
The SmartScreen filter that is built into Windows 8.1 and Internet Explorer scans incoming files, in addition
to visited sites, to determine the possibility that content might compromise your computer. If content
poses a risk, Windows SmartScreen will provide a warning to the user that the content or site might be
unsafe.
Windows Defender
Windows Defender helps protect your computer from spyware, malware, and viruses. Windows Defender
also is Hyper-V aware, meaning that it detects if Windows 8.1 is running as a virtual machine. Windows
Defender uses definitions to determine if software it detects is unwanted, and to alert you to potential
risks. To help keep definitions up-to-date, Windows Defender automatically installs new definitions as
they are released.
In Windows Defender, you can run a Quick, Full, or Custom scan. If you suspect spyware has infected a
specific area of a computer, you can customize a scan by selecting specific drives and folders. You also can
configure the schedule that Windows Defender will use.
You can choose to have Windows Defender exclude processes in your scan. Doing so can make the scan
complete faster, but your computer will be less protected. When Windows Defender detects potential
spyware activity, it stops the activity and then raises an alert.
Alert levels help you determine how to respond to spyware and unwanted software. You can configure
Windows Defender behavior when a scan identifies unwanted software. You also are alerted if software
attempts to change important Windows operating system settings.
To help prevent spyware and other unwanted software from running on a computer, turn on Windows
Defender real-time protection.
2. In the Windows SmartScreen window, select the appropriate action you would like Windows SmartScreen
to take when an unrecognized app is downloaded.
Scan options | Description
Quick        | Checks the areas that malware, including viruses, spyware, and unwanted software, are most likely to infect.
Full         | Checks all the files on your hard disk and all running programs.
Custom       | Checks only the drives and folders that you select.
As a best practice, you should schedule a daily Quick scan. At any time, if you suspect that spyware
has infected a computer, run a Full scan. When you run a scan, the progress displays on the Windows
Defender Home page. When Windows Defender detects a potentially harmful file, it moves the file to
a quarantine area and does not allow it to run or allow other processes to access it. Once the scan is
complete, choose to Remove or Restore Quarantined items and to maintain the Allowed list. A list of
Quarantined items is available from the Settings page. Click View to see all items. Review each item and
individually Remove or Restore each. Alternatively, if you want to remove all Quarantined items, click
Remove All.
Note: Do not restore software with severe or high alert ratings because it can put your
privacy and your computer's security at risk.
If you trust detected software, stop Windows Defender from alerting you to risks that the software might
pose by adding it to the Allowed list. If you decide to monitor the software later, remove it from the
Allowed list.
The next time Windows Defender alerts you about software that you want to include in the Allowed list,
in the Alert dialog box, on the Action menu, click Allow, and then click Apply actions. Review and remove
software that you have allowed from the Excluded files and locations list on the Settings page.
Scan archive files. Scanning these locations might increase the time that is required to complete a
scan, but spyware and other unwanted software can install itself and attempt to hide in these
locations.
Scan removable drives. Use this option to scan the contents of removable drives, such as USB flash
drives.
Create a system restore point. Use this option before applying actions to detected items. Because you
can set Windows Defender to remove detected items automatically, selecting this option allows you
to restore system settings.
Allow all users to view the full History results. Use this option to allow all users that sign into this
computer to see the scanning history. If you do not select this option, users will only see scan results
that relate to their files.
Remove quarantined files after: <Time>. Removes quarantined files after a set period. When you
enable this option, the default period is one month, but you can set it from one day to three months.
You are planning to use Windows Defender to check for malware every day. You also want to ensure that
Windows Defender will quarantine any files that it considers a severe risk to your system's security.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 15 minutes
Virtual machines: 20687D-LON-DC1, 20687D-LON-CL1, 20687D-LON-CL2
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. The required virtual machines should
be running already from the preceding lab.
You need to configure Windows Defender to perform a full scan every day at 2:00 A.M. Before
configuring Windows Defender, you plan to run a Quick scan. Finally, you want to configure the
default actions for Windows Defender to take and to check the items that you do not want it to scan.
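The lab performs this configuration in the Windows Defender UI. As an added example that is not part of the course, the same settings applied with the Windows Defender PowerShell module (Set-MpPreference), followed by a read-back so that a wrong value is visible immediately rather than at 2:00 A.M., and then the on-demand Quick scan. It assumes an elevated Windows PowerShell session on the Windows 8.1 client.

```powershell
# Added example (not from the course): configure the lab's Windows Defender settings by script.
Import-Module Defender

# Splatting keeps each setting next to its reason.
$prefs = @{
    ScanParameters                      = 'FullScan'    # scheduled scan type (lab: full scan)
    ScanScheduleDay                     = 'Everyday'    # every day ...
    ScanScheduleTime                    = '02:00:00'    # ... at 2:00 A.M. local time
    CheckForSignaturesBeforeRunningScan = $true         # fetch new definitions before each scan
    SevereThreatDefaultAction           = 'Quarantine'  # severe-rated items are quarantined
    HighThreatDefaultAction             = 'Quarantine'
    QuarantinePurgeItemsAfterDelay      = 30            # days kept in quarantine (UI default: one month)
    DisableArchiveScanning              = $false        # malware can hide inside archives
    DisableRemovableDriveScanning       = $false        # include USB flash drives in full scans
    DisableRealtimeMonitoring           = $false        # keep real-time protection on
}
Set-MpPreference @prefs

# Read back the effective configuration. Exclusions reduce protection, so they are listed
# here too; this is the "items that you do not want it to scan" check from the lab.
Get-MpPreference | Select-Object ScanParameters, ScanScheduleDay, ScanScheduleTime,
    CheckForSignaturesBeforeRunningScan, SevereThreatDefaultAction,
    QuarantinePurgeItemsAfterDelay, ExclusionPath, ExclusionProcess, ExclusionExtension

# Run the on-demand Quick scan from the lab, then review what it found and what was done.
Start-MpScan -ScanType QuickScan
Get-MpThreatDetection |
    Select-Object InitialDetectionTime, ThreatID, Resources, ActionSuccess
Get-MpThreat |
    Select-Object ThreatName, SeverityID, IsActive
```

Get-MpPreference reports ScanParameters as a number (1 = Quick, 2 = Full), so confirm that the read-back shows 2 before relying on the schedule.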
The main tasks for this exercise are as follows:
1.
2.
3.
2. On the Home page, perform a Quick scan, and then review the results.
3.
2. In the Malware folder, open sample.txt in Notepad. The sample.txt file contains a text string to test
malware detection.
3. In the sample.txt file, delete both instances of <remove>, including the brackets and any extra lines
or blank spaces.
4. Save and close the file. Immediately, Windows Defender detects a potential threat.
5.
2. On the History tab, click View Details, and then review the results.
3.
4.
Results: After completing this exercise, you should have configured and used Windows Defender.
2. In the Virtual Machines list, right-click 20687D-LON-CL2, and then click Revert.
3.
4.
Best Practice: Configuration Guidelines for Windows Firewall with Advanced Security
You can configure Windows Firewall with Advanced Security in the following ways:
1. Configure a local or remote computer by using either the Windows Firewall with Advanced Security
snap-in to the MMC or the cmdlets in the NetSecurity module for Windows PowerShell.
2. Configure Windows Firewall with Advanced Security settings by using the Group Policy Management
Console or the cmdlets in the NetSecurity module.
3. If you configure the firewall by using Group Policy, you need to ensure that the Windows Firewall
service has explicit write access by its service security identifier to the location that you specify.
4. If you deploy Windows Firewall with Advanced Security by using Group Policy and then block
outbound connections, ensure that you enable the Group Policy outbound rules, and do full testing
in a test environment before deploying. Otherwise, you might prevent all of the computers that
receive the policy from updating the policy in the future, unless you intervene manually.
Create specific rules that help prevent social engineering, and educate users on these rules and their
relevance.
Restrict physical access to servers by locking doors, and then monitor server room access.
When you use Windows Defender, you must have current definitions.
To help keep your definitions current, Windows Defender automatically installs new definitions as
they are released. You also can set Windows Defender to check online for updated definitions before
scanning.
When you scan your computer, before applying actions to detected items, you should select the
advanced option to Create a system restore point. Because you can set Windows Defender to remove
detected items automatically, selecting this option allows you to restore system settings in case you
want to use software that you did not intend to remove.
Review Questions
Question: You need to ensure that traffic passing between a computer in the perimeter
network and one that is deployed in the internal network is encrypted and authenticated.
The computer in the perimeter is not a member of your Active Directory Domain Services
(AD DS) forest. What authentication methods could you use if you attempted to establish an
IPsec rule between these two computers?
Question: If you want to ensure that only domain computers can communicate with other
domain computers, how can you achieve this with Windows Firewall?
Question: What does Windows Defender do to software that it quarantines?
Module 9
Module Overview
Before you can start working on a computer that is running the Windows 8.1 operating system, you must
sign in. Signing in to a computer is a mandatory step, and based on your computer membership, you can
sign in with a local account, a domain account, or a Microsoft account. In an Active Directory Domain
Services (AD DS) environment, you typically would use a domain account exclusively because it has many
benefits. However, in today's world, users are not restricted to using company-owned computers only.
They commonly use their own devices for accessing company data. Windows 8.1 and Windows Server
2012 R2 have several new features such as Workplace Join, Work Folders, and Remote Business Data
Removal that are useful in such Bring Your Own Device (BYOD) scenarios. In this module, you will learn
about the benefits of domain accounts and Windows 8.1 features that are useful when administrators
need to control resource access for devices that are not domain members. You also will learn how to
configure and use Workplace Join and Work Folders.
Objectives
After completing this module, you will be able to:
Configure resource access for devices that are not domain members.
Lesson 1
9-2 Configuring Resource Access for Domain-Joined Devices and Devices That Are Not Domain Members
A domain environment offers many advantages over workgroups, but it also has some specific
requirements, including that a device must join the domain before you can sign in to it with a domain
account. When you use a domain account, you can access resources such as network shares and printers
without entering your credentials again. Single sign-on (SSO) provides you transparent access to domain
resources. Windows 8 and newer versions enable you to connect your Windows account with your
Microsoft account and transparently access cloud-based services, such as OneDrive (formerly known as
SkyDrive) and Outlook.com.
Lesson Objectives
After completing this lesson, you will be able to:
Today, users increasingly use devices other than traditional desktop computers. Devices come in various
form factors that did not exist a few years ago, such as smartphones and tablets, and they usually are
not domain members. Sometimes, devices are not domain members because the company does not
own them, and sometimes because their operating system, such as Windows RT or third-party operating
systems, cannot be joined to the domain. However, users are familiar with such devices from their
personal use and they want to use them for work. This is known as the Bring Your Own Device (BYOD)
scenario.
Previously, only domain member computers and domain accounts could access apps. This no longer is
the case. Users still have a domain account as proof of their identity, but they need to access the same
company apps from various devices, running on different hardware architecture and various displays,
without providing credentials each time. They want the same experience on their personal devices as they
have when working in a domain environment.
9-3
Company servers typically store data, and users expect to access it securely from anywhere and from any
device. This presents new challenges for companies, as users are accessing and storing a local copy of
the data on their personal devices. Administrators must be able to control not only which data users can
access, but also which data can be cached locally and how to remotely wipe company data if users leave
the company or lose their devices. Furthermore, administrators have to be able to wipe the company data
off users' personal devices without affecting their personal data.
New challenges to IT departments include:
Allowing users to work on the devices of their choice and providing consistent access to corporate
resources.
Unifying the environment, and providing unified applications and device management of the
company-owned and domain-owned devices, along with BYOD devices.
Protecting company data, enforcing company policies, compliance requirements, and managing risk
regardless of where device data is accessed from, or from which device.
Note: You can learn more on how Microsoft is addressing challenges of today's work
environment in Understanding Access and Information Protection at
http://channel9.msdn.com/Events/TechEd/NorthAmerica/2013/WCA-B207
authentication. If, however, the logon names or passwords do not match, you will be prompted to enter
credentials that are valid for the file server that you attempt to access.
Centralizing your account store, and ensuring that all of your computers trust it, address the challenge of
using local accounts. AD DS provides a centralized account store that all domain-member computers will
trust. If you sign in with a domain account, you can access other domain computers, without providing
your user name and password again, by using SSO.
Question: Can you create a domain account on a Windows 8.1 computer?
You can set up a workgroup easily, and no server infrastructure is required for that. However, when
you need to manage more than just a few computers, you should not use a workgroup environment. A
domain-based environment has significant advantages. It provides centralized authentication services and
management for all domain-joined computers and domain users. If you need to set up a domain-based
environment, you must use Windows servers as domain controllers. Additionally, you will need additional
infrastructure such as Domain Name System (DNS) servers. A domain-based environment provides many
benefits when you need to manage more than a few computers and users. The following sections describe
some of the benefits that a domain-based environment provides.
Better Scalability
Domains are more scalable and can store and use billions of objects, such as domain users and computer
accounts. The key component of a Windows-based domain is AD DS. In AD DS, computers, similar to
users and groups, have accounts in the domain and are security principals. This means that computer
accounts have security identifiers (SIDs), can belong to groups, and can be given or denied access to
resources. All security principal accounts are treated as AD DS objects, and along with other objects are
stored in the AD DS database. The database resides on a domain controller. Domains can have any
number of domain controllers, and the AD DS database replicates to all domain controllers in the domain.
To provide redundancy and fault tolerance, even the smallest domains should have at least two domain
controllers.
Central Administration
Every domain controller stores an AD DS database. Any domain controller can perform authentication,
and you can modify domain objects on any writable domain controller. Consider a scenario where, as an
administrator, you connect to a domain controller and modify an AD DS object by creating, modifying, or
deleting domain users. You can perform these changes on any domain controller, and the changes to the
9-5
AD DS database replicate automatically from the domain controller on which you performed the change
to all other domain controllers.
Delegation of Control
In a domain environment, you can control permissions for every object in AD DS. Every AD DS object has
associated security settings, and by modifying the security of AD DS objects, you can delegate control in a
domain environment. For example, you can allow members of the Help Desk group to reset user account
passwords or site administrators to manage only AD DS objects at their site. You can delegate control at
different levels. For example, you can delegate permissions for the whole domain, for an organizational
unit (OU), or for a single computer account and can be specific, up to a property level.
A domain environment enables you to control those computers and folders that a specific account can
access, and to log its actions. You cannot do this with workgroups. SSO enables you to enter credentials
once, and then access resources on different domain computers without having to enter credentials again.
Actions that a user performs, such as printing a document or reading a document from a file share, can be
logged on the system where the action occurs, and the log entries can then be forwarded to a single location.
In a domain environment, you can use domain-based Group Policy Object (GPO) policies and preferences
that you can apply to many users and computers at once. You can use a GPO to set any setting that is
applicable to a user or computer, such as ensuring that computers get important security updates or that
users get mapped drives and printers prepopulated on their devices.
Question: How can you enable help desk employees to reset user passwords in a domain
environment? Which tool should you use?
A domain must exist before you can add a computer to it. If you add a computer to a workgroup,
a new workgroup is created when you add the first computer to it. However, before you can add a
computer to a domain, the AD DS domain must exist and at least one domain controller must be
reachable.
The computer must be able to locate a domain controller, which it typically does by using DNS.
This means that the computer must have the correct TCP/IP settings.
You must have local administrator permissions for the computer. Only members of the local
Administrators group can add a computer to a domain.
You must have permissions to create a computer account in the domain, or a computer account must
exist, and you must have permissions to modify that account.
There are several different ways to add a computer to a domain. First, you can create a computer account
in a domain, which is prestaging a computer account. You then add the computer to a domain. You also
can add a computer to a domain, and a computer account is created automatically during that step.
Prestaging a computer account has two benefits. You can control the part of the AD DS domain in which
a computer object is created, and you can delegate control of who has permissions to add that computer
to a domain. If you add a computer to a domain and create its account in the same step, all computer
accounts are created in the same location of AD DS. By default, new computer accounts are created in the
Computers container.
Note: You can change the default AD DS location where new computer accounts are
created by using the redircmp.exe command.
As an administrator, you can prestage a computer account by using Active Directory tools such as Active
Directory Users and Computers or Active Directory Administrative Center, which are installed on a domain
controller by default. You can add a computer to a domain by configuring the computer's System
Properties dialog box or by using the Windows PowerShell command-line interface.
To add a computer to a domain, type the following Windows PowerShell cmdlet, and then press Enter:
Add-Computer -Credential adatum\administrator -DomainName adatum.com
When you use the Add-Computer cmdlet, you also can specify the AD DS location where the computer
account should be created. For example, type the following cmdlet, and then press Enter.
Add-Computer -Credential adatum\administrator -DomainName adatum.com -OUPath "OU=NewComputerOU,DC=adatum,DC=com"
After you add a computer to the domain, you should restart it. You can restart a computer by using the
Restart-Computer cmdlet or the Power options on the Settings charm.
Question: Can a local administrator add a Windows 8.1 computer to a domain?
Demonstration Steps
Join a computer to a domain by using the UI
1. On LON-DC1, use Active Directory Users and Computers to verify that the LON-CL1 computer
account is not present in the Computers container.
2.
3. Navigate to the System Properties Computer Name tab, and then join LON-CL1 to the
Adatum.com domain by using the adatum\administrator credentials.
4. Restart LON-CL1.
5.
6. On LON-DC1, use Active Directory Users and Computers to verify that the LON-CL1 computer
account is created in the Computers container.
2.
3.
4. Restart LON-CL2.
5.
6. On LON-DC1, use Active Directory Users and Computers to verify that the LON-CL2 computer
account is created in the NewComputerOU organizational unit.
Windows 8.1 is highly integrated with Microsoft account functionality. You can sign in to Windows 8.1 as
a local user or a domain user, but you also can sign in by using a Microsoft account if your computer has
Internet connectivity and the account is associated with either a local or a domain account. When you use
a Microsoft account, you can synchronize some of the Windows 8.1 settings between devices. You can
control these settings in the PC Settings app. To access the PC Settings app, click the Settings charm, and
then click Change PC settings at the bottom of the Settings charm. In the PC Settings app, you can set
your account picture and desktop background, among other settings. After you set up Windows once,
your settings will synchronize between every computer you sign in to by using your Microsoft account.
When you connect a Microsoft account with your local or domain account, you can access Microsoft
cloud services such as OneDrive, and the Mail and Calendar apps. You can browse the Windows Store
even if you do not have a Microsoft account, but to download and install an app from a Windows Store
app, you must sign up for a Microsoft account.
Small and medium environments typically use a Microsoft account to provide users access to, and
integration with, public cloud services, such as OneDrive. Enterprise environments typically implement
strict control and allow access only to company-owned resources. Typically, these environments use
integration with a Microsoft account less often.
Note: Your domain account or Group Policy settings might not allow you to connect a
Microsoft account or synchronize some settings.
You can disconnect your Microsoft account from your account whenever you want. To do so,
click Change PC settings on the Settings charm, click Accounts, and then click Disconnect your
Microsoft account.
You also can use your Microsoft account to access Windows Intune, Microsoft Office 365, Windows
Azure, and other Microsoft cloud services. You can create a new Microsoft account at Outlook.com, or
you can use an address that you already have as your Microsoft account. To sign up for a Microsoft
account at the Microsoft account sign-up webpage, perform the following procedure:
1.
2. To use your own email address for your Microsoft account, enter it. If your email provider supports
Post Office Protocol version 3, you can even manage your existing address in Windows Live Hotmail
or Outlook.com. If you want to create a Hotmail account, click Sign up now, and then create a new
email address for your Microsoft account.
3. Provide the rest of the information, and then read the Microsoft service agreement and the privacy
statement. If you agree to the terms, click I accept.
4. If you used an existing email address to sign up, you will need to verify it to prove that it is yours.
Question: Can you sign in to a Windows 8.1 computer by using a Microsoft account if the
computer does not have Internet connectivity?
Lesson 2
Domain-joined devices trust an AD DS domain. You can sign in to such devices by using domain
credentials, and you can access domain resources without entering your credentials again. Domain
controllers do not trust devices that are not domain members, and you do not have SSO benefits when
you want to access domain resources from such devices. The Open Mobile Device Management protocol
enables you to enroll and manage Windows 8.1 devices regardless of their domain membership. Because
Windows 8.1 mobile devices can have different form factors and are not necessarily domain-joined, it is
important to ensure that locally stored data is secure and that you can remotely wipe company data if the
device is lost or stolen. Workplace Join is one of the new Windows 8.1 features that provide this capability,
but you can manage Windows 8.1 devices that are not domain members also by using Windows Intune or
Microsoft System Center 2012 R2 Configuration Manager.
Lesson Objectives
After completing this lesson, you will be able to:
Describe the challenges of managing devices that are not domain members.
Explain how to manage data and settings on devices that are not domain members.
Describe the security features for devices that are not domain members.
Describe how to manage devices that are not domain members by using Windows Intune and
Configuration Manager.
authentication, you can enforce company policies by using Group Policy, and that you can use products
such as Microsoft System Center Configuration Manager for collecting device inventories and managing
devices. When a device is not domain-joined, a company has limited, or no, control over it. This is because
authentication occurs locally, and the domain has no knowledge of who is using the device. Domain
accounts cannot sign in to a device, and you cannot use them for managing a device or deploying apps.
You also cannot apply domain Group Policy to devices that are not domain-joined.
Question: Your company uses a client/server-based accounting app that you cannot install
on the third-party operating system that is running on a users device. How can the user still
use the company accounting app from his device?
Managing Data and Settings on Devices That Are Not Domain Members
With the consumerization of IT, people often use their own devices for accessing company resources. Such
BYOD initiatives often are encouraged by a company. Windows 8.1 and Windows Server 2012 R2 include several
features that make using devices that are not company-owned easier and more secure. These features
include:
Virtual Desktop Infrastructure (VDI). The Windows Server 2012 R2 Remote Desktop Services
role implements VDI, which hosts multiple virtual desktops. These virtual desktops can include
Windows 8.1 virtual machines, to which you can connect from any device. They offer an experience
similar to using a local installation of Windows 8.1. You can use company apps and access company
data from a virtual desktop, but you must have network connectivity from your device to a virtual
desktop.
Workplace Join. Traditionally, devices either could be joined to a domain or be a workgroup member.
You could access company resources from domain-joined devices, but you could not access them
from a workgroup device without entering domain credentials. Workplace Join was introduced in
Windows 8.1 and requires that a domain has at least one Windows Server 2012 R2 member server.
When you join a device to a workplace, you get a certificate to access company resources, such as
internal websites and business apps. You also can allow an IT administrator to enable apps and services on
your device by using the Workplace Join feature.
The Open MDM protocol. You can use this protocol to manage mobile devices after they enroll in
the management system. Microsoft implemented support for the Open Mobile Device Management
(MDM) protocol in Windows 8.1, and you can use it for managing tablets and other BYOD devices
with third-party mobile device management products. The Open MDM protocol supports capabilities
such as inventory collection, settings management, application management, certificate provisioning,
Wi-Fi, virtual private network (VPN) profile management, and data protection.
Web Application Proxy. You can use Web Application Proxy for publishing web applications from
a company network to an external network. This enables users who are connected to an external
network to access and use a company's web applications from any device. Web Application Proxy
also enables Workplace Join for devices that are not connected to a company network.
Work Folders. You can use Work Folders to synchronize data from a company's Windows
Server 2012 R2 file server to your device. Work Folders functionality is similar to Offline Files, which
means that you can access and modify Work Folders content without network connectivity and
changes will synchronize back when network connectivity is restored. You can access Work Folders
from an external network if Web Application Proxy is implemented and domain membership is not
required, and you enable the device for Workplace Join.
Remote Business Data Removal. In a BYOD scenario, users access company data from devices that
also contain their personal data. One of the Remote Business Data Removal features is to treat
company data differently than personal data. An administrator can configure company data to
be encrypted on a device. This ensures that if a user leaves the company or loses his or her device,
company data on the device automatically becomes inaccessible or is removed completely, while
the users personal data remains intact.
Question: How does the Remote Business Data Removal feature enable you to comply with
a company security policy?
Microsoft is a member of the Open Mobile Alliance (OMA), and it has implemented the Open MDM protocol in Windows 8.1.
Open MDM is a client/server protocol that you can use to manage mobile devices that are enrolled in
a management service. It does not require a domain environment. However, you first must assign the
device to the management server, and the device must trust the managed server before the device can
be managed. Open MDM uses the HTTPS protocol between the server and the managed devices, which
means that a public key infrastructure (PKI) must be in place. Features that Open MDM can manage
depend on the implementation and on the device features. Open MDM supports the following features:
Inventory collection
Settings management
Application management
Certificate provisioning
Data protection
The Open MDM protocol implements the Windows 8.1 Workplace Join feature. You also can manage
Windows 8.1 devices by using mobile device management products such as MobileIron or AirWatch.
For more information, see the OMA device management working group website.
Device Management
http://go.microsoft.com/fwlink/?LinkId=378235&clcid=0x409
[MS-MDM]: Mobile Device Management Protocol
http://go.microsoft.com/fwlink/?LinkId=378236&clcid=0x409
Question: Which Windows 8.1 feature is based on the Open MDM protocol? How can you
benefit from the Open MDM implementation in Windows 8.1?
Biometrics. You can authenticate users in all Windows 8.1 editions by using biometrics such as a
fingerprint. You also can use biometric authentication when you are signed in already, such as when
you want to establish a remote access connection, authenticate in a User Account Control dialog box,
or access Windows Store apps, their features, a certificate release, and more.
Pervasive device encryption. By default, Windows RT and Windows 8 encrypt all locally stored data on
a device. All Windows 8.1 editions include a similar feature, which you can enhance further by using
BitLocker Drive Encryption protection in the Pro and Enterprise editions. Windows 8.1 supports the
Encrypted Hard Drives feature, which are hard drives that are self-encrypting at a hardware level and
perform full disk hardware encryption.
Malware resistance. Windows 8.1 includes Windows Defender, which is an antivirus and antimalware
solution. Windows Defender scans for thumbprints of known malicious software (also called malware),
but it also includes network behavior monitoring, which detects unusual and suspicious behavior and
stops the execution of unknown malware. Internet Explorer 11 uses Windows Defender to scan
downloaded content (for example, ActiveX controls) before potentially harmful content is run.
Assigned access. Assigned access is included in all Windows 8.1 editions and in Windows RT 8.1. By
configuring assigned access, you can enable a single Windows Store app experience on a device. A
restricted and locked-down environment previously was known as the kiosk mode. You can use
assigned access to limit user accounts to a single app that you select. You can sign out of assigned
access by quickly pressing the Windows logo key five times. You can use assigned access only with
standard user accounts.
Remote Business Data Removal. When you access company data from Windows 8.1 and a local copy
of the data is stored on a device, you can configure such data as company data, encrypt it, and then
remotely wipe it if the device is lost or stolen. The Remote Business Data Removal feature can remove
the local copy of company data while user data on the device remains intact. Work Folders support
this feature, and you can implement this in other client apps. If you want to wipe data remotely or
make it inaccessible, you must use Windows Intune, Configuration Manager, or a similar product to
manage the device.
Internet Explorer 11. Internet Explorer 11 is included in Windows 8.1 and it provides many
improvements, such as faster webpage loads, side-by-side browsing, enhanced pinned site
notifications, and synchronization of app settings such as favorites and tabs across all your
Windows 8.1 devices. Internet Explorer 11 also uses an antimalware app on your device to scan
downloaded content before it runs.
Windows 8.1 includes Work Folders, which you can use with the Remote Business Data Removal feature.
When you use Work Folders, a local copy of the files is stored on the device, and you can configure
device policies to protect the local copy of the files by encrypting them and to require a password on the
device. However, in BYOD scenarios, devices can use different form factors, and with an increase in device
mobility, devices can sometimes be lost or stolen. You typically want to remove company data from such
devices and from all other user devices if a user leaves the company.
Note: The Work Folders feature only can store company data safely on a user device by
encrypting it, but it cannot wipe the company data remotely.
If a user device is lost or stolen, the user can initiate a remote wipe for his or her device from
Windows Intune Company Portal if the organization is using Windows Intune to manage the device. An
administrator can initiate a remote wipe for any managed device from the Windows Intune Administrator
Console, from the Configuration Manager console or from third-party management product that uses
MDM.
For more information about data removal by using Windows Intune, see to the following webpage at the
Windows Intune Help website.
What Happens if You Remove or Reset a Device Using the Company Portal
http://go.microsoft.com/fwlink/?LinkId=378238&clcid=0x409
Question: Can you use Remote Business Data Removal to wipe company data selectively
and remotely from a lost Windows 8 device that you are managing by using Windows
Intune?
Windows Intune
Manage devices in remote locations that are not part of the domain.
Manage devices that are out of the office for extended periods.
Manage devices that users purchase, and with which they access company resources.
Windows Intune does not require any on-premises infrastructure to manage supported devices and only
requires Internet connectivity. After you configure a device to be managed by Windows Intune, the
device's account is created in Windows Intune, and you can then manage that device centrally.
Updates. Windows Intune ensures that the installation of updates occurs on client computers. All
updates through Windows Update are available with Windows Intune, and you can deploy other,
non-Microsoft updates by using Windows Intune. You can control which updates are approved for
installation on specific computers. You can approve updates manually or create automatic approval
rules. These rules approve updates automatically when they become available, based on the product
that they update and the update classification. You also can review updates that clients require and
generate update reports.
Endpoint Protection. Windows Intune includes Windows Intune Endpoint Protection, which
provides real-time protection against malware such as viruses and spyware. Endpoint Protection also
can scan files and running programs periodically to mitigate detected threats and provide you with
notifications. Endpoint Protection replaces Windows Defender, which is included in Windows 8.1 by
default, but does not provide central management.
Software deployment. You can use Windows Intune for deploying software on Windows devices and
devices that are not based on Windows. You can add software by uploading it to Windows Intune,
configuring its properties, and then deploying it to target devices or user groups.
Monitoring and alerting. Windows Intune can monitor client computers and raise an alert when
certain criteria are met, such as when the event log is full, free disk space is low, or a Microsoft Office app
is using a large amount of memory. Alerts display in the Windows Intune administrator console, and
you also can configure them to be sent to a specified email recipient.
Reporting. Windows Intune provides several reports, such as detected software on client computers,
client computer inventory, and update reports on a company's use of licenses. You can generate and
view reports based on a set of report criteria, such as update classification, update status, device
group, or available disk space.
Configuration Manager is an on-premises solution for managing computers and devices. You can use it
to manage domain-joined devices and devices that are not domain members. Configuration Manager
includes the Windows Intune connector, which enables you to manage Windows Intune clients in the
Configuration Manager console to provide an integrated solution.
Deploy applications. You can target applications to users rather than devices, and Configuration
Manager determines the best way to deliver that application to the user from a specific device,
whether the device is mobile, a remote desktop, or a PC. You can track and monitor application
deployment.
Manage Endpoint Protection. Managing Microsoft System Center 2012 R2 Endpoint Protection from
within Configuration Manager allows you to use a single console to manage PCs and devices.
Deploy software updates. Configuration Manager uses the basic infrastructure of Windows
Server Update Services (WSUS) to provide software updates. Without Configuration Manager, WSUS
is limited to distributing software updates from Microsoft. Configuration Manager extends the
capabilities of WSUS to include third-party product updates.
Inventory hardware and software. Configuration Manager includes hardware and software inventory
capabilities. You can use the inventory to identify which PCs in your organization are capable of
running specific software or operating systems.
Track license compliance for software. You can use the Asset Intelligence and software metering
features in Configuration Manager to track license compliance. In Asset Intelligence, you import
licensing information and correlate it with the software inventory. Software metering tracks when
applications are used.
For more information, see System Center 2012 R2 on the Microsoft website.
System Center 2012 R2 Configuration Manager
http://go.microsoft.com/fwlink/?LinkId=378240&clcid=0x409
Question: What must you first do before you can manage a Windows 8.1 device by using
Windows Intune?
Lesson 3
When a device is domain-joined, you can access company resources without entering credentials each
time. You can get a similar experience from a device that you enable for Workplace Join, but without
requiring that it is a domain member. Workplace Join provides an SSO experience when accessing internal
company websites and company apps. Users with domain accounts can implement Workplace Join on
their devices if their company has the appropriate infrastructure in place.
Lesson Objectives
After completing this lesson, you will be able to:
The Workplace Join feature is especially useful when users use their own devices to access company data.
Many organizations implement BYOD scenarios. If you enable Workplace Join, you can register and enroll
your devices in the company network. After you enroll a device, the device is associated with your user
account in the company directory, the device object is created in AD DS, and the user certificate is
installed on the device. The device object in AD DS establishes a link between the user and the device.
Further communication with company resources that support claims-based authentication from a device
enabled for Workplace Join includes information about the device and the user. When you configure an
app properly, you do not need to enter credentials again. After you enable the device for Workplace Join,
it is used as a second form of authentication. If multiple users use the same device, each user can enable a
device for Workplace Join independently. Administrators can configure apps that users can access from a
device enabled for Workplace Join without entering credentials, and they can then ensure that company
policies and security apply to those devices by configuring a device policy. You should be aware that a
company Group Policy applies only to domain-joined devices and not to devices enabled for Workplace
Join. If a device enabled for Workplace Join is compromised, or a device owner leaves the company, an
administrator can remove the device object from the domain, and by doing so, the administrator revokes
the device's ability to access domain resources.
For more information, see the following webpage on the Microsoft TechNet website.
Overview: Join to Workplace from Any Device for SSO and Seamless Second Factor
Authentication Across Company Applications
http://go.microsoft.com/fwlink/?LinkId=378241&clcid=0x409
Question: What is the difference in accessing company resources from domain-joined
devices and devices that you enable for Workplace Join?
A device that is enabled for the Workplace Join feature is used as a second authentication factor when
accessing claims-based company apps. For such apps, administrators can control not only who can
access them, but also from which devices they can be accessed, and if they can be accessed only from
the company network or also from the Internet. Devices enabled for Workplace Join trust the company
certification authority (CA), which makes it easier to configure them for additional features, such as Work
Folders.
Question: Can you enable the Workplace Join feature for a Windows 8 tablet?
PKI. The Workplace Join feature requires that PKI is deployed and properly configured. Devices must
trust the CA, which is true by default for domain-joined devices, but requires manual configuration
on devices that are not domain members. Certificates must include information on where the list of
revoked certificates is available, such as the certificate revocation list (CRL) distribution point (CDP),
and where up-to-date certificates for the CA are available, such as authority information access (AIA).
Devices must be able to access the CRL, delta CRL, and AIA before they can use Workplace Join.
Note: Delta CRL is published in a file, which includes the Plus Sign character (+) in its
name by default. Internet Information Services (IIS) Web server does not allow access to files with
special characters in their names by default, and you must enable double escaping to allow it.
You can verify that you can access CRL, delta CRL, and AIA by running Pkiview.msc on the server
where Active Directory Certificate Services (AD CS) is installed.
Active Directory Federation Services (AD FS). A company must set up AD FS before users can use
the Workplace Join feature on their devices. You must configure AD FS with an SSL certificate from
a trusted CA, and the SSL certificate must have properly configured Subject Name and Subject
Alternative Name attributes.
Device Registration Service. Device Registration Service registers a device in AD DS when you perform
Workplace Join. It also provides the certificate to users who enabled their device for Workplace Join.
A DNS record for the host named Enterpriseregistration. The name Enterpriseregistration is
mandatory, and you cannot change it. The DNS server must resolve this name to the IP address of the
AD FS server, and the AD FS server must use it as one of its Subject Alternative Name attributes in
the SSL certificate.
Web Application Proxy. This is an optional component that is not required when you enable
Workplace Join on devices that are connected to the company network. If you want to enable
Workplace Join on devices that are not connected to the company network, but which are connected
to the Internet, you must set up Web Application Proxy.
A supported operating system on the device. The device that you want to enable for Workplace Join
must be running a supported operating system. Currently you can enable Workplace Join only on
devices that are running Windows 8.1, Windows RT 8.1, and iOS operating system.
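The following script is an added example (it is not code from the course) that checks the PKI, AD FS certificate and DNS prerequisites listed above from an administrator workstation, and enables the IIS double-escaping setting that the delta CRL note requires. The domain name adatum.com, the AD FS host name adfs.adatum.com and the IIS site name are assumptions; replace them with your own values.

```powershell
# Added example (not the course's own code): checks the Workplace Join prerequisites
# listed above. adatum.com and adfs.adatum.com are assumed lab values.
function Test-WorkplaceJoinPrerequisites {
    param(
        [string]$Domain   = 'adatum.com',
        [string]$AdfsHost = 'adfs.adatum.com'   # assumed AD FS federation service name
    )
    $report = [ordered]@{}
    $erName = "enterpriseregistration.$Domain"

    # 1. The fixed host name enterpriseregistration.<domain> must resolve to the AD FS server.
    try {
        $erIps   = (Resolve-DnsName -Name $erName   -Type A -ErrorAction Stop).IPAddress | Sort-Object
        $adfsIps = (Resolve-DnsName -Name $AdfsHost -Type A -ErrorAction Stop).IPAddress | Sort-Object
        $report['EnterpriseRegistrationResolvesToAdfs'] = (($erIps -join ',') -eq ($adfsIps -join ','))
    } catch {
        $report['EnterpriseRegistrationResolvesToAdfs'] = $false
    }

    # 2. Fetch the AD FS SSL certificate. Validation is disabled in the callback on purpose:
    #    we want to inspect the certificate even when this workstation does not trust it yet.
    $tcp = New-Object System.Net.Sockets.TcpClient($AdfsHost, 443)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
              [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
    try {
        $ssl.AuthenticateAsClient($AdfsHost)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose(); $tcp.Dispose()
    }

    # 3. enterpriseregistration.<domain> must be one of the Subject Alternative Names (OID 2.5.29.17).
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $san    = if ($sanExt) { $sanExt.Format($true) } else { '' }
    $report['AdfsCertHasEnterpriseRegistrationSan'] = [bool]($san -match [regex]::Escape($erName))

    # 4. CDP (CRL and delta CRL) and AIA URLs in the chain must be downloadable.
    #    certutil -urlfetch retrieves every URL in the certificate and fails if one is unreachable.
    $tmp = Join-Path $env:TEMP 'adfs-ssl.cer'
    [IO.File]::WriteAllBytes($tmp, $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
    $null = certutil -urlfetch -verify $tmp
    $report['CdpAndAiaReachable'] = ($LASTEXITCODE -eq 0)
    Remove-Item $tmp -ErrorAction SilentlyContinue

    [pscustomobject]$report
}

# Run this on the IIS server that publishes the CRL. The delta CRL file name contains '+',
# which request filtering rejects until double escaping is allowed.
function Enable-DeltaCrlDownload {
    param([string]$Site = 'Default Web Site')   # assumed site name
    Import-Module WebAdministration
    Set-WebConfigurationProperty -PSPath "IIS:\Sites\$Site" `
        -Filter 'system.webServer/security/requestFiltering' `
        -Name 'allowDoubleEscaping' -Value $true
}

Test-WorkplaceJoinPrerequisites | Format-List
```

A false value for CdpAndAiaReachable after the DNS and SAN checks pass is the symptom to look for when the delta CRL is blocked; Pkiview.msc on the AD CS server shows the same URLs and their status.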
When users enable Workplace Join on their devices, they can access a company's internal web
applications and company apps without entering credentials again. To use SSO, administrators must
configure claims-based web applications and create a relying party trust between the AD FS server and the
web server on which the web application is running.
For more information, see the following Microsoft TechNet website:
Set up the lab environment for AD FS in Windows Server 2012 R2
http://go.microsoft.com/fwlink/?LinkId=378242&clcid=0x409
Question: What must you configure on a device before you can enable the Workplace Join
feature on it?
2.
3.
4.
5.
You need to enter user domain credentials. The device can be a workgroup member, but the user
must have a domain account to enable Workplace Join on the device.
6.
The device is enabled for Workplace Join. The Device Registration Service creates a domain object for
the joined device in the RegisteredDevices AD DS container, and the user is provided with a certificate
for client authentication.
Note: You must configure a device that you want to Workplace Join with network settings
to resolve company server names. You also must configure the device to trust the company CA.
For more information, see the following Microsoft TechNet website:
Walkthrough Guide: Workplace Join with a Windows Device
http://go.microsoft.com/fwlink/?LinkId=378243&clcid=0x409
Question: What information must you enter when you want to enable the Workplace Join
feature on a device?
In this demonstration, you will see how a user can enable the Workplace Join feature on a Windows 8.1
device. The entire company infrastructure has been set up already. Because the Windows 8.1 device is not
a domain member, you first must configure it to trust the company CA and then perform Workplace Join.
Demonstration Steps
1.
On LON-CL4, use Internet Explorer to connect to the company internal web app on the following
URL: https://lon-svr2.adatum.com/claimapp. Use Adatum\adam with the password Pa$$w0rd as
the credentials.
2.
3.
Open Internet Explorer, and then navigate to the same URL: https://lon-svr2.adatum.com
/claimapp. Verify that you are asked for your credentials again.
4.
5.
On the PC settings page, navigate to Network, and then navigate to Workplace. Join the device to
Workplace as adam@adatum.com with the Pa$$w0rd.
6.
On LON-DC1, use Active Directory Users and Computers to verify that the RegisteredDevices
container contains an object of type msDS-Device, which represents the LON-CL4 computer that you
enabled for Workplace Join. Make note of the name of the msDS-Device object.
7.
On the LON-CL4, use Internet Explorer to verify that the user has one certificate. This is the certificate
that Device Registration Service provided to the user when the device was enabled for Workplace
Join. Verify that the globally unique identifier (GUID) is the same as the name of the msDS-Device object
from Active Directory Users and Computers.
8.
Use Internet Explorer to navigate to the internal web app by entering the following URL:
https://lon-svr2.adatum.com/claimapp. Use adatum\adam and Pa$$w0rd as the credentials.
9.
11. Use Internet Explorer to navigate to the internal web app by entering the following URL:
https://lon-svr2.adatum.com/claimapp. Verify that a webpage opens without asking for
credentials. You were not asked for credentials because you accessed it from the device that was
enabled for Workplace Join. Close Internet Explorer.
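The following functions are an added example (not part of the course) that script the verification in demonstration steps 6 and 7 and the revocation described in the lesson overview, where an administrator removes the device object to cut off the device's access. The domain DN DC=adatum,DC=com is an assumption from the lab, as is the assumption that the user certificate's subject is the device GUID (consistent with step 7 above). The AD functions need the ActiveDirectory module from Remote Server Administration Tools.

```powershell
# Added example (not the course's own code). DC=adatum,DC=com is an assumed lab value.
function Get-WorkplaceJoinedDevice {
    param([string]$DomainDn = 'DC=adatum,DC=com')
    # Device Registration Service creates one msDS-Device object per user/device pair
    # in the RegisteredDevices container; the object name is the device GUID.
    Get-ADObject -SearchBase "CN=RegisteredDevices,$DomainDn" `
                 -Filter 'objectClass -eq "msDS-Device"' `
                 -Properties displayName, whenCreated |
        Select-Object Name, displayName, whenCreated
}

function Get-WorkplaceJoinCertificate {
    # On the joined device: the client authentication certificate that DRS issued to the
    # user is in the user's personal store. Assumption: its subject is the device GUID.
    $guid = '^CN=[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Subject -match $guid } |
        Select-Object Subject, Issuer, NotAfter, Thumbprint
}

function Test-WorkplaceJoinLink {
    # Cross-check on the device (with RSAT installed): every GUID in a user certificate
    # should name an msDS-Device object, otherwise the link user<->device is broken.
    param([string]$DomainDn = 'DC=adatum,DC=com')
    $deviceIds = @((Get-WorkplaceJoinedDevice -DomainDn $DomainDn).Name)
    foreach ($c in Get-WorkplaceJoinCertificate) {
        $id = $c.Subject -replace '^CN=', ''
        [pscustomobject]@{
            DeviceId        = $id
            HasDeviceObject = ($deviceIds -contains $id)
            CertExpires     = $c.NotAfter
        }
    }
}

function Revoke-WorkplaceJoinedDevice {
    # Deleting the msDS-Device object removes the user/device link, so the device no
    # longer counts as a registered second factor for claims-based apps.
    param(
        [Parameter(Mandatory)][string]$DeviceId,
        [string]$DomainDn = 'DC=adatum,DC=com'
    )
    Remove-ADObject -Identity "CN=$DeviceId,CN=RegisteredDevices,$DomainDn" -Confirm:$false
}

# Usage on LON-DC1: list registered devices, then revoke one by its GUID.
Get-WorkplaceJoinedDevice
# Revoke-WorkplaceJoinedDevice -DeviceId '<guid from the list above>'
```

Revocation only removes the directory object; the certificate stays in the user's store on the device until it expires, so access rules in AD FS that require a registered device are what actually block the device afterwards.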
Lesson 4
Work Folders is a new Windows 8.1 feature that enables users to have their local copy of files in sync with
files on a Windows Server 2012 R2 file server. Users can use Work Folders even if their Windows 8.1 device
is not joined to the domain, and an administrator can configure policy for the local copy of the files. For
example, a local copy can be encrypted, and if a device is lost or an employee has left the company, the
local copy of the data in a Work Folder can be wiped remotely while user data on the device is left intact.
Lesson Objectives
After completing this lesson, you will be able to:
Work Folders allow home and office users to access their individual data, regardless of whether their
devices are connected to a company network or whether their devices are domain-joined or not. Work
Folders only store users' individual files, and users can access their own Work Folders only. Work Folders
data is stored on a traditional file server, but devices also keep a local copy of the user's subfolders in a
sync share, which is a user work folder. Users can access a local copy of their Work Folders even without
network connectivity, and any modifications they make synchronize with their Work Folders on a file
server immediately or after restoration of connectivity to the file server. Users can access and use Work
Folders from various devices, irrespective of their domain membership. Windows 8.1 and Windows RT 8.1
devices support Work Folders, and Windows 7 and iPad will support it in the future. If users are
using multiple devices that are configured with Work Folders, changes they make on one device are
synchronized with their other devices automatically. Because Work Folders content is stored on a file
server, you can use all the features that are available on a file server, such as dynamic access control,
auditing, quotas, file classification infrastructure, and protecting content with Rights Management
Services. You can define a policy for devices that access Work Folders. For example, you can create a
policy that requires that the local copy of the Work Folders data is encrypted on a device. You also can
use the Remote Business Data Removal feature to prevent access or remotely wipe the local copy of Work
Folders data on a device if the device is lost or if the employee leaves the company.
For more information, see the following webpage on the Microsoft TechNet website:
Work Folders Overview
http://go.microsoft.com/fwlink/?LinkId=378244&clcid=0x409
Question: Can you share your Work Folders content with your coworkers?
Sync share. A sync share is a unit of synchronization between the Work Folders server and client
devices. You can create multiple sync shares on a Work Folders server, and each sync share maps to
the physical folder on the file server. For each user who uses Work Folders, a personal subfolder is
created inside the sync share, and users can access and synchronize the content of their subfolders
only. You can configure who can access a sync share and specify a device policy, such as specifying
that the local copy of Work Folders data on client devices must be encrypted. Although users can
have permissions to access multiple sync shares, they are limited to a single sync share. You can
access a sync share only by using the Work Folders feature by default, but an administrator also can
create a Server Message Block (SMB) share that uses the same folder as a sync share. If users can
access sync share content by using SMB access also, you can view synced content from devices that
do not use Work Folders. Because the sync share is stored on a file server, you can use features such
as dynamic access control, quotas, and file screening when managing its content.
User devices. These are the devices from which you can access, modify, and synchronize content
that is stored in Work Folders. You can access Work Folders from workgroup devices, devices that
are workplace-joined, or from domain member devices. The devices must be running one of the
supported operating systems, which currently are Windows 8.1 and Windows RT 8.1. Support for
Windows 7 and iPad devices has been announced. Devices also must trust the SSL certificate that the
Work Folders server is using. If you configure devices to use Work Folders, changes to local copies of
data are detected in real time and synchronized with the server. By default, devices check the Work
Folders server every 10 minutes and synchronize changes with local copies of the Work Folders data.
When you configure Work Folders on a device, you establish a Work Folders sync partnership between
the device and the file server. During initialization, the data directory, version database, and download
staging directory are created on a device. The version database helps to keep a local copy of the data in
sync with the data on the file server. On the server side, when a user first synchronizes, similar structures are
created. The server Work Folders are provisioned only once per user, while the client side is provisioned
for each device on which the user is using Work Folders. When users modify their Work Folders content,
the following process takes place:
1.
When users modify local Work Folders content, the change is detected on the client in real time, the
client device initiates a sync session with the Work Folders server, and then uploads the changes.
2.
After the upload is complete, the Work Folders server applies uploaded changes to the user's Work
Folders content. By default, the server is configured so that it can perform all modifications to the
user's data. If there is an error, for example, when the server permissions are modified and the server
cannot apply the modifications, the user is notified about the problem. If the file is changed on
multiple user devices at the same time in the same synchronization cycle, based on the time stamp,
the latest version of the file keeps the original file name. The other copies of the file are preserved
in the same directory, but their name is extended with the name of the device on which the conflict
occurred, and a number is added if there are multiple conflicts for the same file. The Work Folders
server keeps 100 conflict files and after that, Work Folders synchronization stops for the user until the
user manually resolves the problem.
3.
Synchronization is initiated by the second client device. This can happen for two reasons: data is
modified also on the second client device, and the second client device initiates synchronization
of those modifications. Alternatively, if there are no local changes, the second device initiates
synchronization based on the polling interval, which is 10 minutes by default. The second client
downloads changes from the Work Folders server and applies them to the local copy of the data.
In this first release of Work Folders, synchronization is limited to one partnership per user per device.
If multiple users use the same device, all users can have their own partnership with the sync folder on
the same or on different Work Folders servers, but the same user cannot create a sync partnership
with a second sync share on the same or different Work Folders servers.
Clients always initiate synchronization. A Work Folders server is passive and only responds to sync
requests.
Clients synchronize only with the Work Folders server. If users are using multiple devices, and they are
all configured with Work Folders, devices do not synchronize changes between themselves, but only
with the server. After one device synchronizes changes with a server, other devices get the changes
from the server.
The system that applies the change, which can be either the user device or the Work Folders server, is
responsible for conflict resolution. Conflicts are resolved automatically by renaming the conflicting
files with older time stamps.
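To make the conflict rule in step 2 concrete, here is a constructed model of it as an added example (it is not Work Folders code and does not run on the server). The rule it encodes is the one stated above: the copy with the newest time stamp keeps the original name, every other copy is renamed with the device name, a number is added for repeated conflicts, and once 100 conflict files have accumulated synchronization for that user stops. The exact conflict file name format is not given on this page; the form name-device (n).ext used here is an assumption of the model.

```powershell
# Added example (not from the course): a model of the documented conflict rule.
# Assumption: conflict copies are named '<name>-<device>[ (n)]<ext>'.
function Resolve-SyncConflict {
    param(
        [Parameter(Mandatory)][string]$FileName,
        # Each version: @{ Device = 'LON-CL1'; Modified = [datetime] }
        [Parameter(Mandatory)][hashtable[]]$Versions,
        [int]$ExistingConflictFiles = 0,   # conflict files already kept for this user
        [int]$ConflictLimit = 100          # the page: the server keeps 100 conflict files
    )
    $base = [IO.Path]::GetFileNameWithoutExtension($FileName)
    $ext  = [IO.Path]::GetExtension($FileName)

    # Newest time stamp keeps the original name; all other versions become conflict copies.
    $ordered = @($Versions | Sort-Object { $_.Modified } -Descending)
    $winner  = $ordered[0]
    $losers  = @($ordered | Select-Object -Skip 1)

    if ($ExistingConflictFiles + $losers.Count -gt $ConflictLimit) {
        # Beyond the limit the server stops syncing this user until the user cleans up.
        return [pscustomobject]@{
            Status = 'SyncStopped'; Files = @()
            Reason = "conflict limit of $ConflictLimit reached; resolve conflict files manually"
        }
    }

    $files = @([pscustomobject]@{ Device = $winner.Device; Name = $FileName })
    $used  = @{}
    foreach ($v in $losers) {
        $candidate = "$base-$($v.Device)$ext"
        $n = 1
        while ($used.ContainsKey($candidate)) {   # same device conflicting more than once
            $n++
            $candidate = "$base-$($v.Device) ($n)$ext"
        }
        $used[$candidate] = $true
        $files += [pscustomobject]@{ Device = $v.Device; Name = $candidate }
    }
    [pscustomobject]@{ Status = 'Resolved'; Files = $files; Reason = '' }
}

# Constructed sample: the same file edited on two devices while they were offline,
# with an older stray copy from one of them.
$sample = @(
    @{ Device = 'LON-CL1'; Modified = [datetime]'2014-01-10 09:00' },
    @{ Device = 'LON-CL4'; Modified = [datetime]'2014-01-10 09:30' },
    @{ Device = 'LON-CL4'; Modified = [datetime]'2014-01-10 08:45' }
)
(Resolve-SyncConflict -FileName 'Report.docx' -Versions $sample).Files
# Second call: the user already has 99 conflict files, so two more stop synchronization.
Resolve-SyncConflict -FileName 'Report.docx' -Versions $sample -ExistingConflictFiles 99
```

The model also shows why the text says the system that applies the change resolves the conflict: renaming needs the full set of competing versions, which only the side that receives them (the server for uploads, the device for downloads) has.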
Question: Can users access multiple Work Folders?
2.
Create a sync share for Work Folders. A sync share is the unit of synchronization that can be
synchronized with a user device. You can create a sync share by using Server Manager or by using
the New-SyncShare cmdlet. A sync share can be an existing SMB share, or you can point it to a new
folder. Multiple users can have access to the same sync share and because of that, you need to specify
the naming syntax for the user subfolders, which can be either user_alias or user_alias@domain. The
first syntax maintains compatibility with existing user folders that use aliases for their names, while
the second syntax eliminates conflicts between identical user aliases in multiple domains in the same
AD DS forest. By default, users synchronize their whole Work Folders structure, but you can limit the
synchronization to specific subfolders. You also can configure who has permissions to access the sync
folder and device policy, in which you define requirements that must be met on a device that will be
used for accessing sync shares.
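The script below is an added example (not the course's own code) that performs this step with the New-SyncShare cmdlet and also covers the points made in the "Sync share" topic above: the device policy (encryption and password lock), the user subfolder naming syntax, and the optional SMB share over the same folder. Run it on a Windows Server 2012 R2 file server with the Work Folders role service installed. The path, the security group ADATUM\WorkFoldersUsers and the share name are assumptions; the strings the cmdlet accepts for the folder naming syntax are assumed here to be user and user@domain (Server Manager shows them as user alias and user alias@domain).

```powershell
# Added example (not from the course). Path, group and share name are assumed lab values.
#Requires -Modules SyncShare
function New-CompanySyncShare {
    param(
        [string]$Name   = 'WorkFolders',
        [string]$Path   = 'D:\SyncShares\WorkFolders',
        [string[]]$User = @('ADATUM\WorkFoldersUsers'),   # assumed group allowed to sync
        [switch]$UseDomainInFolderName,   # user@domain: no clashes between identical aliases
        [switch]$PublishSmbShare          # optional SMB access to the same folder
    )
    if (-not (Test-Path $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }

    # Assumed cmdlet values for the two naming syntaxes described in the text.
    $folderName = if ($UseDomainInFolderName) { 'user@domain' } else { 'user' }

    # Device policy: the local copy must be encrypted and the device must lock with a password.
    $share = New-SyncShare -Name $Name -Path $Path -User $User `
                           -UserFolderName $folderName `
                           -RequireEncryption $true -RequirePasswordAutoLock $true

    if ($PublishSmbShare) {
        # Lets devices without Work Folders read synced content over SMB; the NTFS
        # permissions that the sync share set on the user subfolders still apply.
        New-SmbShare -Name $Name -Path $Path -FullAccess $User | Out-Null
    }
    $share
}

function Show-SyncShareSettings {
    # Review the result: who may sync, the folder naming syntax and the device policy.
    param([string]$Name = 'WorkFolders')
    Get-SyncShare -Name $Name | Format-List *
}

New-CompanySyncShare -UseDomainInFolderName -PublishSmbShare
Show-SyncShareSettings
```

Choosing user@domain is the safer default in a multi-domain forest; choose user only when you must keep existing per-alias folders.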
After you configure Work Folders on a Windows Server 2012 R2 file server, you can deploy Work Folders
to client devices. Based on the client device type and whether it is domain-joined or not, you have
different options for deploying Work Folders:
Manual. You can configure Work Folders by using the Manage Work Folders option in Control Panel.
If the device is a domain member or is workplace-joined, you can enter a users email address, which
is used to automatically discover the Work Folders server where the user's sync shares are located. If
the device is a member of a workgroup, you need to enter the Work Folders URL instead, as the user
email cannot be resolved.
Opt-in. You can configure Work Folders settings by using domain-based Group Policy, Windows
Intune, or Configuration Manager. However, those settings are not mandatory. Users can decide if
they want to use those settings and configure Work Folders on the device or not.
Mandatory. You can use the same three methods, domain-based Group Policy, Windows Intune, or
Configuration Manager, to deliver Work Folders settings to a device. However, these settings are
mandatory and users cannot modify them. Work Folders are configured transparently on devices
without user interaction.
Question: Can you use Group Policy to deploy Work Folders centrally to devices that are not
domain-joined?
Work Folders-related settings are located in the user and computer parts of Group Policy. In the user part
of Group Policy, you can enable Work Folders, specify a Work Folders URL, and force automatic setup of
Work Folders. In the computer part of Group Policy, you can force all users of the device to which Group
Policy applies to use Work Folders automatically.
Note: If you configure the Work Folder settings in a domain-based Group Policy, those
settings can apply only to the domain-joined devices and to the users who sign in with domain
accounts. Those settings do not apply to devices that are members of a workgroup or that you
enable for Workplace Join. If you need to configure Work Folders automatically on devices that
are not domain members, you should use Windows Intune.
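As an added example (not from the course), the following function builds the domain-based Group Policy settings for the opt-in and mandatory deployment options described above, using the GroupPolicy module from Remote Server Administration Tools. The GPO name and the URL https://workfolders.adatum.com are assumptions, and so are the registry paths and value names (SyncUrl and AutoProvision under Software\Policies\Microsoft\Windows\WorkFolders in the user and computer hives), which are assumed to be what the Work Folders policy template writes. As the note above says, these settings reach only domain-joined devices and domain users; workgroup and workplace-joined devices need Windows Intune or the manual option.

```powershell
# Added example (not the course's own code). GPO name, URL, registry paths and
# value names are assumptions; verify them against the Work Folders ADMX template.
#Requires -Modules GroupPolicy
function Set-WorkFoldersPolicy {
    param(
        [string]$GpoName = 'Work Folders',
        [string]$SyncUrl = 'https://workfolders.adatum.com',   # assumed Work Folders URL
        [ValidateSet('OptIn', 'Mandatory')][string]$Mode = 'OptIn',
        [switch]$ForceForAllUsersOfDevice
    )
    if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
        New-GPO -Name $GpoName | Out-Null
    }

    # User part: enable Work Folders and tell clients which server to use.
    $userKey = 'HKCU\Software\Policies\Microsoft\Windows\WorkFolders'
    Set-GPRegistryValue -Name $GpoName -Key $userKey `
        -ValueName 'SyncUrl' -Type String -Value $SyncUrl | Out-Null

    # Opt-in: the settings are delivered but the user decides whether to set up Work Folders.
    # Mandatory: automatic setup is forced, and the user cannot change the configuration.
    $auto = if ($Mode -eq 'Mandatory') { 1 } else { 0 }
    Set-GPRegistryValue -Name $GpoName -Key $userKey `
        -ValueName 'AutoProvision' -Type DWord -Value $auto | Out-Null

    # Computer part: force every user who signs in to the device to use Work Folders.
    if ($ForceForAllUsersOfDevice) {
        Set-GPRegistryValue -Name $GpoName `
            -Key 'HKLM\Software\Policies\Microsoft\Windows\WorkFolders' `
            -ValueName 'AutoProvision' -Type DWord -Value 1 | Out-Null
    }

    # Return what was written so it can be reviewed before the GPO is linked.
    Get-GPRegistryValue -Name $GpoName -Key $userKey
}

# Mandatory, transparent setup for all domain users of the linked computers.
Set-WorkFoldersPolicy -Mode Mandatory -ForceForAllUsersOfDevice
```

Link the GPO to the OU that holds the users (user part) or the computers (computer part) afterwards with New-GPLink; creating the GPO alone changes nothing on clients.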
Question: Can you configure Work Folders settings in the user or computer part of Group
Policy?
In this demonstration, you will see how you can deploy Work Folders on a domain-joined Windows 8.1
device by using Group Policy and how to deploy Work Folders manually on workgroup Windows 8.1
devices.
Demonstration Steps
1.
On LON-CL1, sign out, and then sign in as user adatum\adam with the password Pa$$w0rd.
2.
Use File Explorer to create a new text document named On LON-CL1.txt in Work Folders.
3.
On LON-CL4, use Work Folders to set up Work Folders. Use the following settings:
4.
Verify that file On LON-CL1.txt is available in Work Folders on the LON-CL4 computer.
use the Get-SyncUserStatus cmdlet on the server to verify all that information. Based on the problem
that the user has, there are several tools you can use for troubleshooting, including the following:
Server Manager
File Explorer
Certificates snap-in
Note: Active Directory Users and Computers, Server Manager, and the SyncShare module
for Windows PowerShell are not included in the default Windows 8.1 installation. If you want to
use them on a Windows 8.1 computer, you need to install Remote Server Administration Tools.
The following list explains some of the potential issues and troubleshooting steps that you should be
aware of:
Network connectivity and name resolution. Before you can configure Work Folders on a device, the
device must be able to connect to a Work Folders server. Additionally, you must configure it with a
DNS server, which resolves the Work Folders server URL and user email addresses.
Users must have a domain account that has synchronization access to a sync share on a Work Folders
server. If users do not have domain accounts or access to sync share, they will not be able to connect
to Work Folders.
The device from which users want to use Work Folders must be running a supported operating
system and must be able to comply with the sync folder device policy. For example, if the sync folder
device policy requires encryption of Work Folders, the device must be able to encrypt a local copy of
the Work Folders content.
The device must trust the SSL certificate of the Work Folders server. In a domain environment with an
enterprise CA, domain-joined devices trust the enterprise CA by default. If the device is not domain-joined, you must configure the device manually to trust the Work Folders server SSL certificate.
Users must have NTFS file system permissions to a sync share. When you create a sync share, users
have appropriate NTFS file system permissions by default. If you modify the NTFS file system
permissions, it is possible that users will no longer be able to synchronize changes.
If users change their domain passwords, they need to enter the latest password for accessing Work
Folders on a device that is not a domain member.
If users use multiple devices with Work Folders and modify the content on one device, the modified
content does not synchronize immediately with other devices. Content synchronizes with the server,
but other devices synchronize based on the polling interval, which is 10 minutes by default. You can
decrease the polling interval or manually trigger the synchronization from the device.
Multiple files with similar names. If the same file is modified on multiple devices before the
synchronization happens, for example when devices do not have connectivity to a Work Folders
server, conflicts will happen during synchronization. Conflicts will be resolved automatically, and
there will be multiple copies of the file with a similar name. The names of the additional copies will be
extended with the device name. You must review the copies manually, merge the changes, and then
decide if you can remove additional copies.
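The checks in the list above can be run as a script. The following PowerShell is an added example, not part of the course material or of the Work Folders product itself. It uses the lab names (syncshare1, adatum\adam, LON-DC1.adatum.com) and assumes that the Work Folders HTTPS endpoint path is /sync/1.0/ and that Get-SyncShare exposes the granted users in a User property; verify both against your servers before relying on the output.

```powershell
# Added example (not from the course): a Work Folders troubleshooting checklist as a script.
# The first three checks run on the device; the last block runs on the Work Folders server
# (Windows Server 2012 R2 with the SyncShare module, or Windows 8.1 with RSAT installed).
param(
    [string]$SyncShare  = 'syncshare1',          # lab sync share name
    [string]$User       = 'adatum\adam',         # lab user
    [string]$ServerFqdn = 'LON-DC1.adatum.com'   # lab Work Folders server
)

# 1. Name resolution: the device must resolve the Work Folders server URL through its DNS server.
$dns = Resolve-DnsName -Name $ServerFqdn -ErrorAction SilentlyContinue
if (-not $dns) {
    Write-Warning "DNS: $ServerFqdn does not resolve; check the DNS server configured on the device."
} else {
    "DNS: $ServerFqdn -> $(($dns | Where-Object { $_.IPAddress } | Select-Object -ExpandProperty IPAddress) -join ', ')"
}

# 2. Connectivity: Work Folders is an HTTPS service, so TCP 443 must be reachable.
$tcp = Test-NetConnection -ComputerName $ServerFqdn -Port 443 -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) { Write-Warning "TCP 443 to $ServerFqdn failed; check network and firewall." }

# 3. Certificate trust: a device that is not domain-joined must trust the server SSL certificate.
#    An untrusted certificate surfaces as a WebException with Status 'TrustFailure'; an HTTP 401 from
#    the endpoint (ProtocolError) is expected here because no credentials are sent.
try {
    Invoke-WebRequest -Uri "https://$ServerFqdn/sync/1.0/" -UseBasicParsing -ErrorAction Stop | Out-Null
    "TLS: certificate for $ServerFqdn is trusted."
} catch [System.Net.WebException] {
    if ($_.Exception.Status -eq 'TrustFailure') {
        Write-Warning "TLS: certificate for $ServerFqdn is not trusted; import the issuing CA into Trusted Root Certification Authorities."
    } else {
        "TLS: certificate trusted, server replied: $($_.Exception.Message)"
    }
}

# 4. Server side: is the user granted access to the sync share, what are the NTFS permissions on the
#    share root, and what does the server record for the user (last sync time, devices)?
if (Get-Module -ListAvailable -Name SyncShare) {
    Import-Module SyncShare
    $share = Get-SyncShare -Name $SyncShare
    # 'User' as the property holding granted accounts is an assumption; inspect $share | Format-List if it differs.
    "Sync share '$($share.Name)' at $($share.Path); granted: $($share.User -join ', ')"
    (Get-Acl -Path $share.Path).Access |
        Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
    Get-SyncUserStatus -User $User -SyncShare $SyncShare | Format-List
} else {
    "SyncShare module not available on this computer; run the server checks on the Work Folders server."
}
```

Run the script on the device first; if checks 1 to 3 pass but the user still cannot connect, the server-side output shows whether the account is missing from the share or whether the NTFS permissions were changed.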
Question: Can you use the Work Folders Windows PowerShell cmdlets or Server Manager on
Windows 8.1 by default?
If you want a solution for synchronizing data that is for collaboration and is shared between team
members, you should consider OneDrive for Business. OneDrive for Business is available as part of
Microsoft SharePoint Server 2013 and Microsoft SharePoint Online, and you can access it if your
company uses on-premises SharePoint or if SharePoint is available as part of a Microsoft Office 365
subscription. You should be aware that depending on what the company is using, shared data is hosted
either in the company data center or in the cloud. You also should note that OneDrive for Business
support is not included in Windows 8.1. You can deploy it as part of Microsoft Office 2013 or as a separate
OneDrive for Business client. You can access OneDrive for Business from PCs and Windows Phone devices.
Other file synchronization technologies are for single-user access, although files that you store on
OneDrive often are shared with others. Work Folders and Folder Redirection store data on servers in a
company data center. However, Work Folders require that servers that store data are running Windows
Server 2012 R2, while you can redirect folders on a file server, irrespective of the Windows Server version
that it is running. Windows 8.1 includes support for both technologies, but you can use Folder Redirection
only on domain-joined devices. Work Folders are available regardless of whether the device is joined to
the domain. You can use Work Folders on Windows 8.1, Windows 8, Windows 7, and iPad devices, while
Folder Redirection is available on Windows XP and newer domain-joined computers.
OneDrive is a publicly available cloud storage service. Data that you save on OneDrive is stored in the
public cloud, and you do not need any local server infrastructure; you only need Internet connectivity.
OneDrive support is integrated in Windows 8.1, and you can access OneDrive from various devices
regardless of their operating system and domain membership. OneDrive is for personal data.
For more information, see the link on the Microsoft TechNet website
Work Folders Compared to Other Sync Technologies
http://go.microsoft.com/fwlink/?LinkId=378244&clcid=0x409
Question: A user has three Windows 8.1 devices and needs to keep files synchronized
among all three devices. Two devices are domain-joined Windows 8.1 computers.
Additionally, the user has a Windows 8.1 tablet, which is enabled for Workplace Join.
The user's company has deployed two Windows Server 2012 R2 file servers. Which
synchronization technology should the user use?
A. Datum Corporation uses the AD DS environment, and all users access company data by using company
owned computers. Many users bring their own devices to work and would like to access company data
from them. These users complain that they must enter their credentials every time they access company
resources. Users with their own tablets complain that when they copy data locally, it is challenging to keep
it synchronized with files on the company's file servers. IT administrators complain that they do not have
an overview of user devices that are used for accessing company data, and that they cannot enforce
company security policies on data that is stored locally on such devices. A few weeks ago, a security
incident occurred because one of the managers lost his tablet, which contained confidential company
files.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 30 minutes
Virtual machines: 20687D-LON-DC1, 20687D-LON-SVR1, 20687D-LON-SVR2, 20687D-LON-CL1,
20687D-LON-CL4
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687D-LON-DC1, and then in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Password: Pa$$w0rd
6. Repeat steps 2 and 3 for 20687D-LON-CL4. Do not sign in until directed to do so.
The IT department has decided that it will enable Workplace Join for the company. It has set up the
required infrastructure, and you must test the Workplace Join feature in Windows 8.1. You decide to use
your own Windows 8.1 device to perform the Workplace Join and test if you can use the internal company
website by providing credentials only once to use SSO functionality.
1. On LON-DC1, configure Active Directory Users and Computers to show Advanced Features.
2. Verify that user Adam Barr is in the Marketing OU, and that his User logon name is Adam@Adatum.com.
4. Use Pkiview.msc to verify that the status of all locations is OK, and that AIA Location #2, CDP Location #2, and DeltaCRL Location #2 are accessible over the http protocol.
Note: CDP Location and Delta CRL Location have a short validity period, and their status could be shown as Expiring. You can ignore their value in the Status column.
5. Use DNS Manager to verify that the Adatum.com zone has an Enterpriseregistration CNAME record that points to LON-SVR1.adatum.com.
6. On LON-SVR1, use AD FS Management to verify that the Enable device authentication check box is selected, and that the Service communications certificate has the following attributes:
o CRL Distribution Points: One of the URLs is accessible over the http protocol
o Authority Information Access: One of the URLs is accessible over the http protocol
4. Install the Root-CA certificate in the Trusted Root Certification Authorities certificate store.
5. Use Internet Explorer to connect to the internal company web app at the following URL: https://LON-SVR2.adatum.com/claimapp. Use adatum\adam with the password Pa$$w0rd as the credentials.
7. Open Internet Explorer, and then navigate to the same URL: https://LON-SVR2.adatum.com/claimapp. Verify that you are asked for your credentials again, and then close Internet Explorer.
8. On the PC settings page, navigate to Network, and then navigate to Workplace. Join the device to Workplace as adam@adatum.com, by using adam@adatum.com with the password Pa$$w0rd as the credentials.
1. On LON-DC1, use Active Directory Users and Computers to verify that the RegisteredDevices container contains an object of type msDS-Device, which represents the LON-CL4 computer that you enabled for Workplace Join. Make a note of the name of the msDS-Device object.
2. On LON-CL4, use Internet Explorer to verify that the user has one certificate. This is the certificate that Device Registration Service provided to the user when the device was enabled for Workplace Join. Verify that the GUID is the same as the name of the msDS-Device object from Active Directory Users and Computers.
3. Use Internet Explorer to navigate to the internal web app by entering the following URL: https://LON-SVR2.adatum.com/claimapp. Use adatum\adam with Pa$$w0rd as the credentials.
6. Use Internet Explorer to navigate to the internal web app by entering the following URL: https://LON-SVR2.adatum.com/claimapp. Verify that the webpage opens without asking you for credentials. You were not asked for credentials because you accessed it from the device that was enabled for Workplace Join.
Results: After completing this exercise, you should have successfully implemented and tested the
Workplace Join feature.
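Steps 1 and 2 of the verification task can also be checked from PowerShell. The following script is an added example and is not part of the lab. It assumes the ActiveDirectory module (RSAT) on the computer that runs the directory query, that the RegisteredDevices container sits directly under the domain root, and that the certificate issued by Device Registration Service carries the device GUID as its subject CN; the second half is meant to run on LON-CL4 under the account that performed the Workplace Join.

```powershell
# Added example (not from the lab): compare msDS-Device objects in AD DS with the device certificate
# that Device Registration Service placed in the user's personal certificate store.

# Part 1 (on LON-DC1, or anywhere with RSAT; add -Server/-Credential to Get-AD* for a remote query):
Import-Module ActiveDirectory
$domainDn = (Get-ADDomain).DistinguishedName
# RegisteredDevices directly under the domain root is an assumption; adjust if your forest differs.
$devices = Get-ADObject -LDAPFilter '(objectClass=msDS-Device)' `
                        -SearchBase "CN=RegisteredDevices,$domainDn" `
                        -Properties whenCreated
"Registered devices in $domainDn:"
$devices | Select-Object Name, whenCreated | Format-Table -AutoSize

# Part 2 (on the joined device, as the user who joined): find certificates whose subject CN is a GUID.
$guidPattern = '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$'
$deviceCerts = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    ($_.Subject -replace '^CN=', '') -match $guidPattern
}
if (-not $deviceCerts) { Write-Warning 'No device certificate found; the Workplace Join did not complete.' }

# Part 3: the GUID in the certificate subject must equal the name of an msDS-Device object.
foreach ($cert in $deviceCerts) {
    $guid  = $cert.Subject -replace '^CN=', ''
    $match = $devices | Where-Object { $_.Name -eq $guid }   # -eq is case-insensitive
    [pscustomobject]@{
        CertificateSubject = $guid
        Issuer             = $cert.Issuer
        NotAfter           = $cert.NotAfter
        RegisteredInAD     = [bool]$match
    }
}
```

A device whose certificate is present but has RegisteredInAD set to False (or that appears in the first list with no matching certificate on the device) is the case the lab asks you to spot: the join and the directory record no longer agree.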
Users currently are using Offline Files to keep local copies of data in sync with data on a file server.
However, many users are using devices that are not domain-joined, and they complain that they cannot
use Offline Files. The IT department is considering implementing Work Folders, but it must confirm that
users with devices that are not domain members will be able to use it, and that Work Folders will be
configured automatically on domain-joined devices. You were asked to implement a proof-of-concept
deployment of Work Folders. Based on the results, the IT department will decide if Work Folders meet the
company's needs.
The main tasks for this exercise are as follows:
Task 1: Install the Work Folders feature and create a sync share
2. Use Server Manager to create a New Sync Share. Use the following data:
3. Use Server Manager to verify that syncshare1 is listed in the WORK FOLDERS section and that user Adam Barr is listed in the USERS section.
On LON-DC1, use IIS Manager to add https Site Bindings to the Default Web Site. Use LON-DC1.adatum.com as the SSL certificate.
On LON-DC1, use Group Policy Management to create and link a Group Policy named Deploy Work Folders to the Marketing OU.
3. On LON-CL1, sign out, and then sign in as adatum\adam with the password Pa$$w0rd.
4. Use File Explorer to create a New Text Document named On LON-CL1 in Work Folders.
2. On LON-CL4, use Work Folders to Set up Work Folders. Use the following settings:
Verify that the file On LON-CL1.txt is available in Work Folders on the LON-CL4 computer.
On LON-CL4, use File Explorer to create a New Text Document named On LON-CL4.txt in Work Folders.
2. On LON-CL1, verify that only the On LON-CL1.txt file is displayed in Work Folders.
Note: Work Folders synchronizes every 10 minutes automatically. You also have an option to trigger synchronization manually.
4. Use File Explorer to verify that both files, On LON-CL1 and On LON-CL2, are displayed in Work Folders.
5. Disable the Ethernet network connection by using Administrator and the password Pa$$w0rd as the credentials.
6. Modify the file On LON-CL1.txt in Work Folders by adding the following content: Modified offline.
8. On LON-CL4, modify the file On LON-CL1.txt in Work Folders by adding the following content: Online modification.
9. On LON-CL1, enable the Ethernet network connection. Use Administrator and the password Pa$$w0rd as the credentials.
10. On LON-CL1, verify that four files are displayed in Work Folders, including On LON-CL1.txt and On LON-CL1-LON-CL1.txt. Because the file was modified at two locations, a conflict occurred, and one of the copies was renamed.
Results: After completing this exercise, you should have successfully configured the Work Folders feature.
2. In the Virtual Machines list, right-click 20687D-LON-DC1, and then click Revert.
Module 10
Securing Windows 8.1 Devices
Contents:
Module Overview
10-1
10-2
10-11
10-19
10-21
10-43
10-45
10-52
10-54
Module Overview
Users are becoming increasingly computer-literate, and they expect more from the technology that they
use at work. They expect to be able to work from home, from branch offices, and on the road without a
decrease in their productivity or a loss of access to the programs and applications that they need most.
As the needs of users have changed, the demands on information technology (IT) support professionals
have increased. Today, support professionals need to provide more capabilities and to support greater
flexibility while continuing to minimize security risks. In this module, you will explore features of the
Windows 8.1 operating system that you can use to maintain a secure computer environment for your
users, such as Encrypting File System (EFS), BitLocker Drive Encryption, and User Account Control (UAC).
Objectives
After completing this module, you will be able to:
Lesson 1
Windows 8.1 provides a number of security technologies for devices, including authentication and
authorization, volume-based encryption for files and disks, and UAC. Some of these security technologies
strengthen the overall Windows infrastructure, and others are useful in controlling your system and your
data.
Before effectively defining Windows 8.1 security measures such as file permissions and file and folder
sharing properties, it is essential that you understand the user account types that are used during security
configuration and how the Kerberos Version 5 protocol authenticates and authorizes user logons. This
lesson examines the authentication and authorization features that provide the foundation for the
Windows security infrastructure.
Note: File permissions were previously called NTFS permissions, but the term now applies to both
NTFS and ReFS files and folders.
Lesson Objectives
After completing this lesson, you will be able to:
Describe how to integrate Virtual Smart Cards into the authentication process.
With authorization, a system can determine if an authenticated user is able to access and update secured
system resources. Authorized permissions include access to files and file directories, hours of access,
amount of allocated storage space, and other specifications. Authorization has two facets:
A system or application verifies users' permission values when users attempt to access or update a
system resource.
You can provide authorization and access without implementing authentication. Typically, this is the case
when permissions are granted for anonymous users who are not authenticated. Usually, these permissions
are limited.
Standard. Users with this account type can use most of the capabilities of a computer. A person who
logs on with a standard user account can use most apps on a computer and can change settings that
affect his or her user account.
However, the user typically cannot install or uninstall software and hardware, delete files that the
computer requires, or change settings that affect other users or the computer's security. The system
might prompt a standard user for an administrator password before he or she can perform certain
tasks.
Administrator. Users with this account type can make changes that affect other users. Administrators
can change security settings, install software and hardware, and access all files on a computer.
Administrators also can make changes to other user accounts.
Guest. Users with this account type have temporary access to another user's computer. People who
use Guest accounts cannot install software or hardware, change settings, or create a password. You
must enable this feature before guests can use it.
Note: When you set up a computer, you must create an administrator user account, which
provides the ability to set up your computer and install any device-wide apps that you want.
After setup is complete, you should use a standard user account for your daily computing tasks.
Users then can use Windows Store to install user-specific apps. It is more secure to use a standard
user account than an administrator account. When you use a standard account, you can prevent
accidental changes that affect anyone who uses the computer, especially if your user account
credentials are stolen.
Kerberos protocol. Windows-based clients and servers use this as the main logon authentication
method. It provides authentication for user and computer accounts.
NTLM. This method provides backward compatibility with pre-Windows 2000 operating systems and
some applications. However, it is less flexible, less efficient, and not as secure as the Kerberos
protocol.
Certificate mapping. Typically, this method is used in conjunction with smart cards. The certificate
stored on a smart card links to a user account for authentication. A smart card reader is used to read
a smart card and authenticate a user.
Kerberos Authentication
For Windows 8.1 clients, the Kerberos authentication protocol provides the mechanism for mutual
authentication between a client and a server before a network connection opens between them.
Note: Active Directory Domain Services (AD DS) implements Kerberos authentication.
In a client/server application model:
Windows 8.1 clients are apps that act on behalf of users who need to perform tasks such as opening a
file, accessing a mailbox, querying a database, or printing a document.
Servers, such as Windows Server 2012, are apps that provide services to clients. Some examples of
services can include file storage, mail handling, query processing, print spooling, and a number of
other specialized tasks.
Clients initiate an action and servers respond. Typically, this means that a server listens to a
communications port, waiting for clients to connect and ask for service.
In the Kerberos security model, every client/server connection begins with authentication. The client and
server, in turn, step through a sequence of actions that helps parties on each end of the connection verify
that the other party is genuine. If authentication is successful, session setup completes, and the
client/server application can start working.
The Kerberos protocol allows you to turn off NTLM authentication once all network clients are capable
of Kerberos authentication. The Kerberos protocol is more flexible, efficient, and secure than NTLM. The
benefits of using Kerberos authentication are:
Faster connections. With NTLM authentication, an application server must connect to a domain
controller to authenticate each client. With Kerberos authentication, a server does not need to
connect to a domain controller. It can authenticate a Windows 8.1 client by examining the credentials
that a client presents. Clients can obtain credentials for a particular server once and then reuse them
throughout a network logon session.
Mutual authentication. By using NTLM, servers can verify the identities of their clients. However,
clients cannot use NTLM to verify a server's identity, and servers cannot verify the identity of other
servers. NTLM authentication is suited only to a network environment in which servers are assumed to be
genuine. The Kerberos protocol makes no such assumption, and it enables parties at both ends of a
network connection to identify and verify the party on the other end.
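Before NTLM can be turned off, you need to know which accounts and sources still depend on it. The following PowerShell is an added example, not course material: it reads successful logon events (ID 4624) from the local Security log and summarizes them by authentication package, so that remaining NTLM use is visible before the switch. The field names are those of the standard 4624 event; the seven-day window and the event limit are this example's choices.

```powershell
# Added example (not from the course): inventory Kerberos vs. NTLM logons from the Security log.
# Run elevated on the computer whose logons you want to see (a file server or domain controller
# shows network logons from many clients; a Windows 8.1 client shows its own).
param(
    [int]$MaxEvents = 5000,                            # example limit
    [datetime]$StartTime = (Get-Date).AddDays(-7)      # example window
)

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $StartTime } `
                       -MaxEvents $MaxEvents -ErrorAction Stop

# Pull the named fields out of each event's XML EventData.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        User      = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        LogonType = $d['LogonType']                  # 2 interactive, 3 network, 10 remote interactive
        Package   = $d['AuthenticationPackageName']  # Kerberos, NTLM, or Negotiate (interactive logons)
        LmPackage = $d['LmPackageName']              # NTLM V1 / NTLM V2 when Package is NTLM
        Source    = $d['IpAddress']
    }
}

# Summary 1: logons per authentication package.
"Logons by package since $StartTime"
$rows | Group-Object Package | Select-Object Name, Count | Sort-Object Count -Descending

# Summary 2: who still authenticates with NTLM, and from where. These are the clients or
# applications to fix (or to keep NTLM for) before disabling it.
"NTLM logons by account and source"
$rows | Where-Object { $_.Package -eq 'NTLM' } |
    Group-Object User, Source, LmPackage |
    Select-Object Name, Count | Sort-Object Count -Descending
```

For a domain-wide picture, the Group Policy settings under Network security: Restrict NTLM (the Audit NTLM authentication in this domain and Audit Incoming NTLM Traffic settings) log NTLM use to the NTLM operational log on domain controllers and servers without blocking anything, which is the safer first step before any restriction.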
Question: Which authentication method is used when a Windows 8.1 client computer logs
on to Active Directory Domain Services (AD DS)?
Group Policy/Local Policy. Administrators can use policies to specify security settings to apply to
Windows 8.1.
BitLocker and BitLocker To Go. These tools help mitigate unauthorized data access by rendering
data inaccessible when you decommission or recycle BitLocker-protected computers. BitLocker To Go
provides similar protection for data on removable data drives.
AppLocker. Administrators can use this tool to specify exactly what apps and services can run on a
user's computer.
UAC. Users can use this tool to run their computers as standard users and perform all necessary daily
tasks.
Windows Firewall with Advanced Security. This snap-in provides protection from malicious users and
apps that rely on unsolicited incoming traffic to attack computers.
Windows Defender. This feature helps protect your computer from spyware and other forms of
malware.
Captures the input data from a biometric scan and stores it in a template.
Securely stores and manages the biometric template for future use.
Can be extended by developers by using the WBF application programming interface (API).
In addition to the low-level framework support, Windows 8.1 offers users the following management
features that support biometrics:
Credential Provider support that allows biometric data to be used to log on to a local or
domain-joined computer.
Note: Although WBF is built into Windows 8.1, you must install a biometric device to take
advantage of the framework. Installed devices will appear in Device Manager and Control Panel.
Biometric Fingerprints
Currently, the WBF in Windows 8.1 only supports the fingerprint biometric factor. All versions of
Windows 8.1 support biometrics, allowing users to acknowledge a multitude of requests, such as Windows
sign-in, remote access, and UAC, by using their fingerprints.
You can record your fingerprint by using biometrics in Windows 8.1 by following this procedure:
Note: The fingerprint option will only be available if there is a WBF-supported fingerprint
reader installed on the Windows 8.1 device.
When the biometric scanning process uses a fingerprint, the actual fingerprint picture is not itself stored.
Biometrics converts the scan into information that is required by the template. The sign-in process then
uses this information in a similar manner as the use of a password for authentication.
After you configure fingerprint-based authentication, you can use it as an alternative way to authenticate
at a Windows password prompt. Whenever the Windows operating system requires a specific user to
authenticate, the Credential Management UI (CredUI) will display the option to authenticate via a
fingerprint.
Note: Windows 8 provided a biometric devices control panel item. Windows 8.1 does not
include this item, but provides additional support through independent software vendors or
directly via the application that uses the fingerprint biometric feature.
Picture Passwords
Windows 8.1 operates in both touch and traditional PC scenarios. The touch interface offers a new way for
users to log on and authenticate. Windows 8 introduced the option to use a picture password or PIN as a
logon option. For touch users, the use of a picture password or PIN is more intuitive and quicker than the
use of an on-screen keyboard to type a complex password.
For your picture password, you can choose a picture that came with Windows 8.1, or you can add your
own picture and then create gestures to create your own personal logon. When selecting an appropriate
picture, use one that has several points of interest, as this will increase the complexity of the password.
Gestures
By selecting a personal picture and drawing gestures in a way that is meaningful only to the user, a
picture password can be extremely secure and difficult for a hacker to crack. When you add gestures to
your picture password, you can choose from the gestures below:
A tap
A straight line drawn between any two points of interest on your picture
Microsoft has increased the security of the picture password feature by introducing two safeguards
against repeated attacks:
When you enter your picture password incorrectly five times, the system will prevent you from using
the feature again until you log on with your plain text password.
To mitigate network attacks, the picture password is disabled in remote and network scenarios.
PIN Authentication
The option to use a four-digit PIN to sign in to Windows 8.1 offers users a simple, familiar, and quick
way to unlock their devices. Domain users are restricted from using a PIN password. However, an
administrator can override this restriction by configuring the Turn on PIN sign-in GPO within the
Computer Configuration\Administrative Templates\System\Logon container.
MSDN Blogs: Signing in with a picture password
http://go.microsoft.com/fwlink/?LinkId=378246&clcid=0x409
Note: Although a PIN might not be suitable in situations where complex passwords are
required, both the picture password and PIN sign-in options are attractive to users in low-risk
environments such as home users and those on personal devices.
Demonstration Steps
Create a picture password to sign in with gestures
2. On the Start screen, type Picture Password, and then click Set up picture password.
3. Click Choose picture, and then draw three gestures on your picture.
On the Start screen, type PIN, and then click Set up PIN sign-in.
2. On the Sign-in options page, under the PIN option, click Add, and then create a PIN.
3. Revert LON-CL4.
To address these issues, Windows 8.1 introduces Virtual Smart Card technology. Network administrators
can bring this technology to end users without the previous hardware requirements of card readers and
the cards themselves. At the same time, Virtual Smart Cards still take advantage of the Personal Identity
Verification benefits that the smart card feature provides.
Note: Smart cards are another example of multifactor authentication. A user must have
access to a smart card reader and knowledge of the password or PIN to be able to authenticate
and gain access to a system.
Many Windows 8.1 devices now ship with a Trusted Platform Module (TPM) that meets specification
version 1.2. A Virtual Smart Card takes advantage of a device's tamper-resistant TPM security chip to store
certificates that authenticate each user account. Because a TPM is an internal component of a device, you
can configure a Virtual Smart Card to protect a device regardless of whether the device is domain-joined.
Being virtual, once you configure a device to use TPM, you do not require any further hardware or cards.
Effectively, the device acts as a smart card reader, and users supply an unlock PIN that is personal to them.
A TPM chip can store up to six Virtual Smart Cards.
Note: If a TPM is present, it might need to be turned on in the system BIOS/Unified
Extensible Firmware Interface (UEFI) firmware.
Note: You must run the Tpmvscmgr.exe command-line utility with local administrator
permissions to gain access to a TPM and generate a Virtual Smart Card.
Tpmvscmgr.exe
Windows 8.1 provides the Tpmvscmgr.exe Virtual Smart Card management tool that administrators can
use to provision Virtual Smart Cards on a device. The syntax of Tpmvscmgr.exe is as follows:
tpmvscmgr.exe create /name NameofVSC /pin prompt /puk prompt /adminkey random /generate
Notice that the command is configured to ask a user for a PIN. A user also is asked for a PIN unlock key
(PUK) that can be used to unlock a Virtual Smart Card and reset the PIN if it is forgotten. The default PIN
and PUK must be at least eight characters long. Once the command has completed, you will be notified
of the device instance ID for the NameofVSC. You should record this device instance ID so that if
required, you will be able to delete a Virtual Smart Card from a device. You also are able to configure an
administrator key, which provides an alternative method of unlocking a card for a PIN reset. In the above
example, Tpmvscmgr.exe will generate a random 48-hexadecimal digit administrator key.
In Windows 8.1, the process to enroll TPM-enabled devices to be used as a Virtual Smart Card device has
improved. The high-level process for using a Virtual Smart Card is as follows:
2. Create and install a Virtual Smart Card by using the Virtual Smart Card management tool, Tpmvscmgr.exe.
The default PIN policy for a Virtual Smart Card that is generated by Windows 8.1 is as follows:
Minimum length of 8
Digits allowed
In a corporate AD DS environment, you likely have a CA configured already. Once your device has created
a Virtual Smart Card, you then will enroll for a logon certificate from your Windows CA by using the
Certificate Enrollment Wizard in the Certificates Microsoft Management Console (MMC) snap-in, which is
accessed by typing Certmgr.msc at the Start screen.
Note: A PIN typically is a secret numeric password. However, a Virtual Smart Card allows a
PIN to include digits, alphabetic and special characters, and not just numbers. The term PIN has
been retained because legacy smart cards used simple numeric PINs.
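The provisioning steps above, as an added PowerShell example that is not part of the course: it confirms that the TPM is usable, runs the Tpmvscmgr.exe command shown earlier, and then records the device instance ID that the text tells you to keep by looking up the new reader with Get-PnpDevice. The card name and the inventory file path are this example's assumptions; Get-Tpm and Get-PnpDevice are built-in cmdlets on Windows 8.1.

```powershell
# Added example (not from the course): provision a Virtual Smart Card and record its device instance ID.
# Run from an elevated prompt on the device (Tpmvscmgr.exe needs local administrator permissions).
$Name      = 'Contoso VSC'                       # hypothetical card name
$Inventory = 'C:\ProgramData\VscInventory.csv'   # hypothetical inventory file

# 1. The TPM must be present and ready; otherwise enable it in the BIOS/UEFI firmware first.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not usable (present=$($tpm.TpmPresent), ready=$($tpm.TpmReady))."
}

# 2. Note the smart card reader devices that exist before creation, so the new one can be identified.
$before = @(Get-PnpDevice -Class SmartCardReader -PresentOnly -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty InstanceId)

# 3. Create the card with the syntax shown above: the tool prompts on the console for the PIN and PUK
#    (at least eight characters each), generates a random 48-hex-digit admin key, and formats the card.
#    Output is deliberately not captured so that the prompts stay visible.
& tpmvscmgr.exe create /name $Name /pin prompt /puk prompt /adminkey random /generate
if ($LASTEXITCODE -ne 0) { throw "tpmvscmgr.exe failed with exit code $LASTEXITCODE" }

# 4. The Virtual Smart Card appears as a new smart card reader device; its InstanceId is the value
#    that 'tpmvscmgr.exe destroy /instance <id>' needs when the card is removed later.
$new = Get-PnpDevice -Class SmartCardReader -PresentOnly | Where-Object { $before -notcontains $_.InstanceId }
if (-not $new) { throw 'No new smart card reader device found; check the tool output above.' }
foreach ($dev in $new) {
    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        CardName   = $Name
        Reader     = $dev.FriendlyName
        InstanceId = $dev.InstanceId
        Created    = Get-Date
    } | Export-Csv -Path $Inventory -Append -NoTypeInformation
    "Recorded $($dev.InstanceId) in $Inventory"
    "Remove later with: tpmvscmgr.exe destroy /instance $($dev.InstanceId)"
}

# 5. Next step, as described above: enroll the logon certificate onto the card from Certmgr.msc
#    (Certificate Enrollment Wizard); the enrollment prompts for the card PIN.
```

Keeping the inventory file is the point of step 4: without the device instance ID, a card that should be retired (for example after the user leaves) cannot be removed cleanly with the destroy command.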
Understanding and Evaluating Virtual Smart Cards
http://go.microsoft.com/fwlink/?LinkId=378248&clcid=0x409
Lesson 2
Before learning about the important security features in Windows 8.1, it is important that you understand
the best ways in which to configure security-related settings in Windows 8.1. Although you can perform
computer-specific administration and configuration tasks manually, it can be more efficient to implement
your planned configuration settings by using GPOs. GPOs provide an infrastructure for centralized
configuration management of operating systems and the applications that run on operating systems. This
lesson discusses how to apply security settings by using Group Policy.
Lesson Objectives
After completing this lesson, you will be able to:
Describe how to use multiple local Group Policy Objects (MLGPOs) for non-domain-joined devices.
Logon prompts
UAC
Prompt user to change password before expiration. Determines how many days in advance of a user
password expiration the operating system will provide a warning.
Interactive logon: Do not display last user name. Determines whether the name of the last user to sign
in to a computer displays in the Windows logon window.
Accounts: Rename administrator account. Determines whether a different account name is associated
with the SID for the administrator account.
Devices: Restrict CD-ROM access to locally logged on user only. Determines whether a CD-ROM is
accessible simultaneously to both local and remote users.
A local GPO is the least influential object in an AD DS environment because its settings can be overwritten
by GPOs that are associated with sites, domains, and organizational units (OUs). In an environment that is
not networked, or in a networked environment that does not have a domain controller, local GPO settings
are important because they are not overwritten by other GPOs. Stand-alone computers only use local
GPOs to control the environment.
Each Windows 8.1 computer has one local GPO that contains default computer and user settings,
regardless of whether the computer is part of an AD DS environment. In addition to this default local
GPO, you can create custom local user GPOs.
Account Policies
Account policy components include password policies, account lockout policies, and Kerberos policies.
The policy settings under Account Policies are implemented at the domain level. A Windows Server 2012
domain can have multiple password and account lockout policies, which are called fine-grained password
policies. You can apply these multiple policies to a user or to a global security group in a domain, but not
to an OU.
Note: If you need to apply a fine-grained password policy to users of an OU, you can use a
shadow group, which is a global security group that is logically mapped to an OU.
You can configure settings for Account Policies by accessing the following location:
Password Policy
Password policies that you can configure are listed in the following table.
Policy | Function | Best practice
Password must meet complexity requirements | Contain a combination of at least three of the following types of characters: uppercase letters, lowercase letters, numbers, and symbols (punctuation marks). Must not contain the user's user name or screen name. |
Enforce password history | |
Maximum password age | |
Minimum password age | |
Minimum password length | |
Store passwords by using reversible encryption | |
Policy | Function | Best practice
Account lockout threshold | |
Account lockout duration | |
Reset account lockout counter after | |
Note: You can use the Local Group Policy Editor to configure GPO settings on a stand-alone Windows 8.1 workstation. To configure local Group Policy, run Gpedit.msc from the Run box with elevated permissions.
After you configure the local policy, you can export security-related settings to a policy file and then save
them in a security template file with an .inf extension. You then can import the template into the Local
Group Policy Editor to use these templates to configure additional computers.
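The export-edit-import cycle described above, done from the command line as an added PowerShell example (not course material). It uses secedit.exe, which is what the Local Group Policy Editor drives underneath; the working-directory paths and the chosen values are assumptions, and the script must run from an elevated prompt on the stand-alone workstation.

```powershell
# Added example (not from the course): export the local security policy of a
# stand-alone Windows 8.1 workstation with secedit, set the Account Policies
# values in the .inf template, and re-apply it. Run elevated. Paths are assumed.
$work = Join-Path $env:TEMP 'localpol'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$inf = Join-Path $work 'secpol.inf'
$db  = Join-Path $work 'secpol.sdb'

# 1. Export the current settings to a security template (.inf).
secedit.exe /export /cfg $inf /areas SECURITYPOLICY | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit export failed ($LASTEXITCODE)" }

# 2. Desired [System Access] values; these are the key names secedit uses for
#    the Password Policy and Account Lockout Policy settings.
$desired = @{
    PasswordComplexity    = 1    # Password must meet complexity requirements
    MinimumPasswordLength = 14   # Minimum password length
    PasswordHistorySize   = 24   # Enforce password history
    MaximumPasswordAge    = 60   # days
    MinimumPasswordAge    = 1    # days
    ClearTextPassword     = 0    # Store passwords using reversible encryption: off
    LockoutBadCount       = 3    # Account lockout threshold: three invalid attempts
    LockoutDuration       = 30   # minutes
    ResetLockoutCount     = 30   # Reset account lockout counter after (minutes)
}

# secedit writes the template as UTF-16LE; read and write it with that encoding.
$lines   = Get-Content -Path $inf -Encoding Unicode
$present = foreach ($l in $lines) { if ($l -match '^\s*(\w+)\s*=') { $matches[1] } }
$out = New-Object System.Collections.Generic.List[string]
foreach ($line in $lines) {
    $key = if ($line -match '^\s*(\w+)\s*=') { $matches[1] } else { $null }
    if ($key -and $desired.ContainsKey($key)) {
        $out.Add("$key = $($desired[$key])")      # replace an exported value
    } else {
        $out.Add($line)
    }
    if ($line -eq '[System Access]') {            # add keys the export did not contain
        foreach ($k in $desired.Keys) {
            if ($present -notcontains $k) { $out.Add("$k = $($desired[$k])") }
        }
    }
}
Set-Content -Path $inf -Value $out -Encoding Unicode

# 3. Apply the template to the local policy database. The same .inf can be
#    copied to other stand-alone computers and applied with this one command.
secedit.exe /configure /db $db /cfg $inf /areas SECURITYPOLICY /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit configure failed ($LASTEXITCODE)" }

# 4. Check the effective values; 'Lockout threshold' should read 3.
net.exe accounts
```

On a domain-joined computer the same commands succeed, but the domain Account Policies overwrite these values at the next refresh, which is the precedence rule described earlier in this lesson.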
Question: What setting must you configure to ensure that users are allowed only three
invalid sign-in attempts?
Introduction to MLGPO
Local Group Policy is a subset of the broader Group Policy technology. Group Policy is domain-based,
whereas Local Group Policy is specific to a local computer. Both technologies allow you to configure
specific settings in the operating system and then force those settings to computers and users.
Local Group Policy is not as robust as Group Policy. For example, you can use Group Policy to configure
any number of policies that might affect some, all, or none of the users of a domain-joined computer. You
can even use Group Policy to apply policies to users that have specific group memberships.
The Local Group Policy layer is the topmost layer in the list of MLGPOs. Local Group Policy, which also
is known as the Local Computer Policy, is the only local GPO that allows computer settings. Besides
computer settings, you can select user settings. User settings that are contained in the Local Group Policy
apply to all users of the computer, even the local administrator. Local Group Policy behaves the same as
it did in previous versions of the Windows operating system.
The Administrators and Non-Administrators local GPOs do not exist by default. You must create them if
you want to use them on your Windows 8.1 client. These GPOs act as a single layer and logically sort all
local users into two groups when a user signs in to the computer: a user is either an administrator or a
non-administrator. Users who are members of the Administrators group receive policy settings assigned
in the Administrators Local Group Policy. All other users receive policy settings assigned in the Non-Administrators Local Group Policy.
Local administrators can use the last layer of the local GPO, Per-User local GPOs, to apply specific policy
settings to a specific local user.
Processing Order
The benefits of MLGPOs come from the processing order of the three separate layers. The layers are
processed as follows:
1. The local GPO applies first. This local GPO might contain both computer and user settings. User settings contained in this policy apply to all users, including the local administrator.
2. The Administrators and Non-Administrators local GPOs are applied next. These two local GPOs represent a single layer in the processing order, and the user receives one or the other. Neither of these local GPOs contains computer settings.
3. User-specific Local Group Policy is applied last. This layer of local GPOs contains only user settings, and you apply it to one specific user on a local computer.
Available user settings are the same between all local GPOs. It is possible that a policy setting in one local
GPO contradicts the same setting in another local GPO. Windows 8.1 resolves these conflicts by using the
Last Writer Wins method. This method resolves conflicts by overwriting any previous setting with the last-read (most current) setting. The final setting is the one that the Windows operating system uses.
For example, an administrator enables a setting in a local GPO. The administrator then disables the
same setting in a user-specific local GPO. When a non-administrator user signs in to the computer, the
Windows operating system reads the local GPO first, followed by the Non-Administrators local GPO, and
then the user-specific local GPO.
The state of the policy setting is enabled when the Windows operating system reads the local GPO. The
policy setting is not configured in the Non-Administrators local GPO. This has no effect on the state of the
setting, so it remains enabled. The policy setting is disabled in the user-specific local GPO. This changes
the state of the setting to disabled. Windows reads the user-specific local GPO last; therefore, it has the
highest precedence. The Local Computer Policy has a lower precedence.
Stand-alone computers benefit the most from MLGPOs because they are managed locally. Domain-based
computers apply Local Group Policy first and then domain-based policy. Windows 8.1 continues to use
the Last Writer Wins method for conflict resolution. Therefore, policy settings originating from domain
Group Policy overwrite any conflicting policy settings found in any Local Group Policy to include
administrative, non-administrative, and user-specific Local Group Policy.
You can disable the processing of local GPOs on clients that run Windows 8.1 by enabling the Turn off
Local Group Policy objects processing policy setting in a domain GPO. You can find this setting by
expanding Computer Configuration, expanding Administrative Templates, expanding System, and then
clicking Group Policy.
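The layering and Last Writer Wins resolution described above can be checked on disk. The three layers are stored as registry.pol files under %SystemRoot%\System32: GroupPolicy\User for the Local Computer Policy, GroupPolicyUsers\S-1-5-32-544 and GroupPolicyUsers\S-1-5-32-545 for the Administrators and Non-Administrators layers, and GroupPolicyUsers\<user SID> for a per-user layer. The following added PowerShell example (not course material) parses those files and resolves one Administrative Templates setting, "Prevent access to registry editing tools" (DisableRegistryTools), the way Windows does. It assumes it is run elevated on the computer being inspected; the setting chosen and the way the current user's SID is obtained are example choices.

```powershell
# Added example (not from the course): enumerate the MLGPO layers on this computer
# and resolve one user setting with last-writer-wins across the layers.
function Read-RegistryPol {
    # Parse a registry.pol file: 8-byte header ('PReg' + version 1), then
    # UTF-16LE entries of the form [key;valuename;type;size;data].
    param([Parameter(Mandatory = $true)][string]$Path)
    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 8 -or [System.Text.Encoding]::ASCII.GetString($b, 0, 4) -ne 'PReg') {
        throw "Not a registry.pol file: $Path"
    }
    $i = 8
    while ($i -lt $b.Length) {
        $i += 2                                       # '['
        $text = @()
        for ($f = 0; $f -lt 2; $f++) {                # key, then value name
            $s = $i
            while ($b[$i] -ne 0 -or $b[$i + 1] -ne 0) { $i += 2 }
            $text += [System.Text.Encoding]::Unicode.GetString($b, $s, $i - $s)
            $i += 4                                   # NUL terminator and ';'
        }
        $type = [int][BitConverter]::ToUInt32($b, $i); $i += 6    # 4-byte type, ';'
        $size = [int][BitConverter]::ToUInt32($b, $i); $i += 6    # 4-byte size, ';'
        [byte[]]$data = if ($size -gt 0) { $b[$i..($i + $size - 1)] } else { @() }
        $i += $size + 2                               # data, ']'
        $value = switch ($type) {
            4       { [BitConverter]::ToUInt32($data, 0) }                                 # REG_DWORD
            1       { [System.Text.Encoding]::Unicode.GetString($data).TrimEnd([char]0) } # REG_SZ
            default { $data }
        }
        [pscustomobject]@{ Key = $text[0]; Name = $text[1]; Type = $type; Data = $value }
    }
}

function Get-LocalGpoLayers {
    # The three layers in processing order for one user. Group membership picks
    # Administrators or Non-Administrators; the per-user layer is keyed by SID.
    param([Parameter(Mandatory = $true)][string]$UserSid,
          [Parameter(Mandatory = $true)][bool]$IsAdministrator)
    $root = Join-Path $env:SystemRoot 'System32'
    $groupSid  = if ($IsAdministrator) { 'S-1-5-32-544' } else { 'S-1-5-32-545' }
    $groupName = if ($IsAdministrator) { 'Administrators' } else { 'Non-Administrators' }
    @(
        @{ Layer = 'Local Computer Policy'; Path = "$root\GroupPolicy\User\registry.pol" }
        @{ Layer = $groupName;             Path = "$root\GroupPolicyUsers\$groupSid\User\registry.pol" }
        @{ Layer = "Per-user ($UserSid)";  Path = "$root\GroupPolicyUsers\$UserSid\User\registry.pol" }
    ) | ForEach-Object { [pscustomobject]$_ }
}

function Resolve-LocalUserPolicy {
    # Last writer wins: a later layer that sets or deletes the value overrides an
    # earlier one. A Disabled setting is stored as a '**del.<name>' entry.
    # Layers whose registry.pol does not exist were never created and are skipped.
    param([string]$UserSid, [bool]$IsAdministrator,
          [string]$Key  = 'Software\Microsoft\Windows\CurrentVersion\Policies\System',
          [string]$Name = 'DisableRegistryTools')   # "Prevent access to registry editing tools"
    $state = 'Not Configured'; $setBy = $null
    foreach ($layer in Get-LocalGpoLayers -UserSid $UserSid -IsAdministrator $IsAdministrator) {
        if (-not (Test-Path $layer.Path)) { continue }
        foreach ($e in Read-RegistryPol -Path $layer.Path) {
            if ($e.Key -ne $Key) { continue }
            if     ($e.Name -eq $Name)        { $state = "Enabled ($($e.Data))"; $setBy = $layer.Layer }
            elseif ($e.Name -eq "**del.$Name") { $state = 'Disabled';            $setBy = $layer.Layer }
        }
    }
    [pscustomobject]@{ Setting = "$Key\$Name"; EffectiveState = $state; DecidedBy = $setBy }
}

# Current user: membership of the Administrators group (S-1-5-32-544) is what
# selects the layer, not whether the token is elevated.
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = $id.Groups -contains ([System.Security.Principal.SecurityIdentifier]'S-1-5-32-544')
Get-LocalGpoLayers -UserSid $id.User.Value -IsAdministrator $isAdmin |
    Select-Object Layer, @{ n = 'Exists'; e = { Test-Path $_.Path } }, Path
Resolve-LocalUserPolicy -UserSid $id.User.Value -IsAdministrator $isAdmin
```

Run it after the lab in this module: with registry tools blocked in the Local Computer Policy and allowed again in the Administrators layer, an administrator resolves to Disabled (decided by the Administrators layer) and a standard user resolves to Enabled (decided by the Local Computer Policy), which is exactly the Last Writer Wins walk described above. Domain policy is not read here; on a domain-joined computer it is applied after all three local layers and would override this result.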
Creating MLGPOs
MLGPOs are created by adding the snap-in for the Group Policy Object Editor to the MMC and then
performing the following procedure:
1. Open the Microsoft Management Console (MMC).
2. Add the Group Policy Object Editor snap-in, and in the Browse for a Group Policy Object dialog box, click the Users tab.
3. Select the object for which you want to create a special GPO. You must add a separate instance of the snap-in for each instance of the local GPO that you want to create.
Baselines that are based on Microsoft security guide recommendations and industry best practices.
You can compare your configuration against industry best practices for the latest Windows client and
Microsoft applications.
Centralized security baseline management features to manage the security and compliance process
efficiently.
Gold master support that allows the import of your existing Group Policy to reuse and deploy.
Stand-alone machine configuration that allows you to deploy your configurations to computers that
are not domain-joined.
Question: Discuss scenarios where you would use Security Compliance Manager in an
organization.
Question: Your organization creates operations manuals for customers and uses several
versions of Microsoft Word to produce the manuals, depending on client requirements.
What tool would you recommend for creating and maintaining baseline security
configurations for your organization if there is a requirement to ensure that all Microsoft
Office applications are configured with the latest security baseline?
Holly Dickson is the IT manager at A. Datum Corporation. She has expressed a concern that some of
the users on laptop computers are able to use registry editing tools, which could affect the operational
security of the A. Datum network. She wants you to investigate how best to configure security and other
settings on these computers.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 20 minutes
Virtual machines: 20687D-LON-DC1, 20687D-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1.
On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2.
In Hyper-V Manager, click 20687D-LON-DC1, and in the Actions pane, click Start.
3.
In the Actions pane, click Connect. Wait until the virtual machine starts.
4.
5.
Password: Pa$$w0rd
Domain: Adatum
Although you typically configure most security and other settings by using domain-based GPOs, you decide that for the roaming laptop computers, implementing local GPOs would achieve Holly's goal of securing them. You decide to implement multiple local GPOs to ensure that administrator and standard user accounts can have different settings.
The main tasks for this exercise are as follows:
1.
2.
Edit the local GPO to allow administrators to use registry editing tools.
Task 1: Edit the local GPO to restrict use of registry editing tools
1.
2.
3.
4.
Restart LON-CL1.
5.
6.
Task 2: Edit the local GPO to allow administrators to use registry editing tools
1.
Open the Microsoft Management Console, add the Group Policy Object Editor snap-in, and then
select the Administrators GPO. In the Browse for a Group Policy Object dialog box, click the Users
tab, click Administrators, and then click OK.
2.
3.
4.
Results: After completing this exercise, you should have created and configured multiple local Group
Policy Objects (MLGPOs).
When you are finished with the lab, leave the virtual machines running, as they are needed for the
next lab.
Lesson 3
Devices, laptops, and hard drives can be stolen, which poses a risk for confidential data. You can secure
data against these risks by using a two-phase defensive strategy that incorporates both EFS and BitLocker.
This lesson provides a brief overview of EFS and BitLocker. However, IT professionals who are interested in
implementing EFS must research it thoroughly before making a decision to use it. To implement a secure
and recoverable EFS policy, you must have a more comprehensive understanding of EFS. If you implement
EFS without implementing proper recovery operations or without understanding how the feature works,
you can expose your data unnecessarily.
BitLocker is another defensive strategy that complements EFS. BitLocker protects against data theft or
exposure on computers that are lost or stolen, and it offers more secure data deletion when computers
are decommissioned. Data on a lost or stolen computer is vulnerable to unauthorized access, either
by running a software attack tool against it or by transferring the computer's hard disk to a different
computer. BitLocker helps mitigate unauthorized data access on lost or stolen computers by combining
two major data-protection procedures: encrypting the entire Windows operating system volume on a
hard disk, and encrypting multiple fixed volumes.
Lesson Objectives
After completing this lesson, you will be able to:
Describe EFS.
Describe how to encrypt and decrypt files and folders with EFS.
Describe BitLocker.
What Is EFS?
EFS is a built-in file encryption tool for Windows-based file systems. A component of the NTFS file system, EFS enables transparent encryption and decryption of files by using advanced, standard cryptographic algorithms. Any individual or program that does not possess an appropriate cryptographic key cannot read encrypted data. You can protect encrypted files even from those who gain physical possession of a computer on which files are stored; even people who are authorized to access a computer and its file system cannot view the data.
Encryption is a powerful addition to any defensive plan, but you also must use other defensive strategies
because encryption is not the correct countermeasure for every threat. Also, every defensive weapon, if
you use it incorrectly, carries a potential for harm.
The basic EFS features are as follows:
EFS encryption does not occur at the application level. It occurs at the file-system level. Therefore, the
encryption and decryption process is transparent to the user and the application. If you mark a folder
for encryption, EFS will encrypt every file created in or moved to the folder. Applications do not have
to understand EFS or manage EFS-encrypted files any differently than unencrypted files.
If a user attempts to open a file and possesses the necessary key, the file opens without additional effort on the user's part. If a user does not possess the key, he or she receives an access-denied message.
File encryption uses a symmetric key that it encrypts with a user's public key, which is stored in the file header. Additionally, it stores a certificate with the user's public and private keys (known as asymmetric keys) in the user's profile. This key pair is bound to a user identity and made available to the user who has possession of the user ID and password. The user's private key must be available for decryption of the file.
If a private key incurs damage or is lost, even the user who encrypted the file cannot decrypt it. If a
recovery agent exists, the file might be recoverable. If you implement key archival, then you can
recover the key and decrypt the file. Otherwise, the file might be lost. This encryption system is
referred to as Public Key Infrastructure.
You can archive a users certificate that contains his or her public and private keys, such as exporting
it to a USB flash drive. You then can keep the USB flash drive in a safe place for recovery if the keys
incur damage or are lost.
A user's password protects the public and private keys. Any user who can obtain the user ID and password can sign in as that user and then decrypt that user's files. Therefore, a strong password policy and strong user education must be components of an organization's security practices to protect EFS-encrypted files.
EFS-encrypted files do not remain encrypted during transport if you save them to, or open them
from, a folder on a remote server. The file is decrypted and then traverses the network in plain text.
EFS then encrypts it locally if you save it to a folder on the local drive that is marked for encryption.
EFS-encrypted files can remain encrypted while traversing a network if you save them to a Web folder
by using the World Wide Web Distributed Authoring and Versioning protocol.
EFS is supported only on the NTFS file system. If a user has permission to decrypt a file and moves
or copies an encrypted file to a non-NTFS file system, such as a USB flash drive that is formatted with
the FAT or FAT32 file system, the file is decrypted and is no longer encrypted. If a user does not
have permission to decrypt a file and attempts to move or copy an encrypted file to a non-NTFS file
system, such as a USB flash drive that is formatted with the FAT or FAT32 file system, the operation
will result in a permission-denied error.
The following are additional important facts about implementing EFS on Windows 8.1:
Support for storing private keys on smart cards. Windows 8.1 includes full support for storing users' private keys on smart cards. If a user signs in to Windows 8.1 with a smart card, EFS also can use the smart card for file encryption. Administrators can store their domain's recovery keys on a smart card. Recovering files is then as simple as signing in to the affected machine, either locally or by using Remote Desktop, and using the recovery smart card to access the files.
Encrypting File System Rekeying Wizard. The Encrypting File System Rekeying Wizard allows users to
choose an EFS certificate, then select and migrate the existing files that will use the newly chosen EFS
certificate. Administrators can use the wizard to migrate users in existing installations from software
certificates to smart cards. The wizard also is helpful in recovery situations because it is more efficient
than decrypting and re-encrypting files.
Group Policy settings for EFS. You can use Group Policy to control and configure EFS protection
policies centrally for an entire enterprise. For example, Windows 8.1 allows page file encryption
through the local security policy or Group Policy.
Per-user encryption of Offline Files. You can use EFS to encrypt offline copies of files from remote
servers. When this option is enabled, each file in the offline cache is encrypted with a public key from
the user who cached the file. Thus, only that user has access to the file, and even local administrators
cannot read the file without access to the user's private keys.
Selective Wipe. A new feature of Windows 8.1 in a corporate environment is Selective Wipe. If a device is lost or stolen, an administrator can revoke the EFS key that was used to protect the files on the device. Revoking a key prevents all access to data files that are stored on a user's device.
Note: When users encrypt files in remote shared folders, their keys are stored on the file
server.
From a CA. An internal or third-party CA can issue EFS certificates. This method provides central
management and backups of keys.
By self-generating them. If a CA is unavailable, users can generate a key pair. These keys have a
lifespan of 100 years. This method is more cumbersome than using a CA because there is no
centralized management, and users become responsible for managing their own keys. Additionally,
it is more difficult to manage for recovery. However, it is still a popular method because no setup is
required.
EFS uses public key cryptography to allow file encryption. The keys are obtained from a user's EFS certificate. Because EFS certificates also might contain private key information, you must manage them correctly.
Users can make encrypted files accessible to other users' EFS certificates. If you grant access to another user's EFS certificate, that user can in turn make the file available to other users' EFS certificates.
Note: You can issue EFS certificates only to individual users, not to groups.
Backing Up Certificates
CAs can archive and recover CA-issued EFS certificates. Users must back up their self-generated EFS certificates and private keys manually. To do this, they can export the certificate and private key to a Personal Information Exchange (.pfx) file, which is password-protected during the export process. The password then is required to import the certificate into a user's certificate store.
If you need to distribute only your public key, you can export the client EFS certificate without the private key to a DER-encoded X.509 (.cer) file. A user's private key is stored in the user's profile in the RSA folder, which you can access by expanding AppData, expanding Roaming, expanding Microsoft, and then expanding Crypto. Because there is only one instance of the key, it is vulnerable to hard-disk failure or data corruption.
The Certificates MMC snap-in exports certificates and private keys. The Personal Certificates store contains
the EFS certificates.
EFS users can share encrypted files with other users on file shares and in Web folders. With this support,
you can grant individual users permission to access an encrypted file. The ability to add users is restricted
to individual files. After you encrypt a file, you can enable file sharing through the user interface. You first
must encrypt a file and then save it before adding more users. You can add users from a local computer
or from AD DS if the user has a valid certificate for EFS.
Users who elect to share encrypted files must be aware of the following points:
Shared EFS files are not file shares. If authorized users need to access shared EFS files over a network,
a file share or Web folder is required. Alternatively, users can establish remote sessions with
computers that store encrypted files by using Remote Desktop Services.
Any user who is authorized to decrypt a file can authorize other users to access the file. Granting
access is not limited to the file owner. Caution users to share files only with trusted accounts because
those accounts can authorize other accounts. Removing the Write permission from a user or group of
users can prevent this problem, but it also prevents the user or group from modifying the file.
EFS sharing requires that the users who will have authorization to access the encrypted file have
EFS certificates. These certificates can be located in roaming profiles or in the user profiles on the
computer on which the file to be shared is stored, or they can be stored in and retrieved from AD DS.
EFS sharing of an encrypted file often means that users will access the file across a network. It is best
to use Web folders for encrypted file storage whenever possible.
If a user chooses to remotely access an encrypted file that is stored on a file share and authorizes
other users to access the file, the authorization process and requirements are the same as on the
local computer. Additionally, EFS must impersonate the user to perform this operation, and all the
requirements for remote EFS operations on files stored on file shares apply.
If a user chooses to remotely access an encrypted file that is stored on a Web folder and authorizes
other users to access the file, the file automatically is transmitted to the local computer in ciphertext.
The authorization process takes place on the local computer with the same requirements as for
encrypted files that are stored locally.
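The EFS operations this lesson describes (encrypting a folder, backing up the certificate as .pfx and .cer, and adding a second user's certificate to a file) can all be scripted. The following is an added PowerShell example, not course material, run as the user who owns the files; the folder path, the other user's .cer path and the sample file content are constructed for the example.

```powershell
# Added example (not from the course): encrypt a folder with EFS, verify the
# attribute, back up the user's EFS certificate and share one file with another
# user. Paths and the sample content are assumptions.
$folder = 'C:\Encrypted'
New-Item -ItemType Directory -Path $folder -Force | Out-Null

# 1. Mark the folder for encryption; every file created in it is then encrypted.
cipher.exe /e /s:$folder | Out-Null
$file = Join-Path $folder 'secret.txt'
Set-Content -Path $file -Value 'constructed sample content'

function Test-EfsEncrypted([string]$Path) {
    # NTFS flags EFS-protected files and folders with the Encrypted attribute.
    $attr = (Get-Item -Path $Path -Force).Attributes
    return ([int]($attr -band [System.IO.FileAttributes]::Encrypted)) -ne 0
}
Test-EfsEncrypted $file        # True once the folder is marked

# 2. Find the user's EFS certificate: EKU 1.3.6.1.4.1.311.10.3.4 with a private key.
$efsCert = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and
                   ($_.EnhancedKeyUsageList | Where-Object ObjectId -eq '1.3.6.1.4.1.311.10.3.4') } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $efsCert) { throw 'No EFS certificate in the user store; encrypt a file first.' }

# 3. Back it up. The .pfx carries the private key and is password-protected;
#    the .cer carries only the public key and is safe to hand to other users.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $efsCert -FilePath "$env:USERPROFILE\efs-backup.pfx" `
                      -Password $pfxPassword | Out-Null
Export-Certificate    -Cert $efsCert -FilePath "$env:USERPROFILE\efs-public.cer" | Out-Null

# 4. Share the file: add the other user's EFS certificate (their exported .cer).
#    Sharing is per file, and anyone who can decrypt the file may add further users.
$otherUserCer = 'C:\Users\Public\holly-efs.cer'   # assumed path to the other user's .cer
if (Test-Path $otherUserCer) {
    cipher.exe /adduser /certfile:$otherUserCer $file
}

# 5. Show who can decrypt the file and which recovery agents apply to it.
cipher.exe /c $file
```

Copying secret.txt to a FAT-formatted USB drive afterwards produces a plaintext copy, as the lesson warns; Test-EfsEncrypted on the copy returns False, which makes it a convenient check in scripts that move data off the NTFS volume.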
Question: Why is it not possible to encrypt system files with EFS?
Demonstration Steps
Create a new Microsoft Word document
1.
2.
Open File Explorer, and then create a new folder called Encrypted on drive C.
3.
Sign in as Holly.
2.
3.
Attempt to open the file to confirm that the file and folder have been encrypted.
Sign in as administrator.
2.
3.
Sign in as Holly.
2.
3.
What Is BitLocker?
BitLocker provides protection for a computer operating system and the data that is stored on the operating system volume. It helps ensure that data stored on a computer remains encrypted even if someone tampers with the computer when the operating system is not running. BitLocker provides a closely integrated solution in Windows 8.1 to address the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.
It encrypts all data that is stored on a Windows operating system volume and configured data
volumes. This includes the Windows operating system, hibernation and paging files, applications, and
application data. BitLocker also provides umbrella protection for non-Microsoft applications, which
benefits the applications automatically when they are installed on an encrypted volume.
By default, it is configured to use a TPM to help ensure the integrity of startup components, which
an operating system uses in the early stages of the startup process. It locks any BitLocker-protected
volumes, so they remain protected even if someone tampers with the computer when the operating
system is not running. We will see later in this module that BitLocker can be enabled on devices
without a TPM chip.
Note: BitLocker is available in the Windows 8.1 Pro and Windows 8.1 Enterprise editions
only.
Providing a method to check that early boot file integrity has been maintained, and to help ensure that there has been no adverse modification of those files, such as with boot sector viruses or rootkits.
Enhancing protection to mitigate offline software-based attacks. Any alternative software that might
start the system does not have access to the decryption keys for a Windows operating system volume.
Locking the system when it is tampered with. If any monitored files have been tampered with, the
system does not start. This alerts a user to tampering because the system fails to start as usual. In the
event that system lockout occurs, BitLocker offers a simple recovery process.
In conjunction with a TPM, BitLocker verifies the integrity of early startup components, which helps prevent additional offline attacks, such as attempts to insert malicious code into those components. This functionality is important because the components in the earliest part of the startup process must be available unencrypted so that the computer can start.
Without that verification, an attacker could change the code of those early startup components and then gain access to a computer even though the data on the disk is encrypted. If the attacker then captures confidential information, such as the BitLocker keys or user passwords, the attacker can circumvent BitLocker and other Windows security protections.
Device Encryption
Device encryption is a new feature that is built into all versions of Windows 8.1. It uses the same
encryption technology that was implemented on Windows RT devices to help protect your devices
data by blocking hackers from accessing any of the files on your drive. In previous versions of Windows
operating systems, a thief could physically remove a drive from a computer and then install it into a
different device, thereby bypassing logon security.
By default, device encryption protects the operating system drive and any fixed data drives on the system
by using AES 128-bit encryption, which uses the same technology as BitLocker. Device encryption can be
used with a Microsoft account or a domain account.
Device encryption is enabled automatically on all versions of Windows 8.1 on new devices so that the
device is always protected. Supported devices that are upgraded to Windows 8.1 with a clean installation
also will benefit from device encryption.
A user can turn off device encryption by using PC info within PCs and devices, which is in Change PC
Settings. The Device Encryption section appears at the bottom of the PC info page and can be turned off
for all devices except those running Windows 8 RT.
BitLocker To Go
When a laptop is lost or stolen, the loss of data typically has more impact than the loss of the computer asset. As more people use removable storage devices, they can lose data without losing a computer. BitLocker To Go provides enhanced protection against data theft and exposure by extending BitLocker support to removable storage devices such as USB flash drives, and you can manage it through Group Policy.
In Windows 8.1, users can encrypt their removable media by opening File Explorer, right-clicking the drive, and clicking Turn On BitLocker. They then will be asked to choose a method to unlock the drive. These options include:
Password. This is a combination of letters, symbols, and numbers that a user will enter to unlock a
drive.
Smart card. In most cases, an organization issues a smart card, and a user enters a smart card PIN to
unlock a drive.
After choosing an unlock method, users must print or save their recovery key. You can store this 48-digit
key in AD DS so that you can use it if other unlocking methods fail, such as when users forget their
passwords. Finally, users must confirm their unlocking selections to begin encryption. When you insert a
BitLocker-protected drive into your computer, the Windows operating system will detect that the drive is
encrypted automatically and then prompt you to unlock it.
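The same BitLocker To Go setup, done with the BitLocker PowerShell module that ships with Windows 8.1 Pro and Enterprise, as an added example (not course material). The drive letter is an assumption, and the password is read interactively so that it never appears in the script.

```powershell
# Added example (not from the course): protect a removable drive with BitLocker
# To Go, add the 48-digit recovery password, and confirm the drive locks and
# unlocks. Run elevated; the drive letter E: is assumed.
$drive = 'E:'
$pw = Read-Host -AsSecureString -Prompt "Password to unlock $drive"

# Password protector: the unlock method the user types on any computer.
Enable-BitLocker -MountPoint $drive -PasswordProtector -Password $pw -EncryptionMethod Aes128 | Out-Null

# Recovery password: the 48-digit key to print, save, or escrow in AD DS.
$vol = Add-BitLockerKeyProtector -MountPoint $drive -RecoveryPasswordProtector
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
"Recovery password for $drive : $($rp.RecoveryPassword)"

# Escrow the recovery password in AD DS. This succeeds only when the domain
# policy that stores BitLocker recovery information for removable drives applies.
try {
    Backup-BitLockerKeyProtector -MountPoint $drive -KeyProtectorId $rp.KeyProtectorId | Out-Null
} catch {
    Write-Warning "AD DS escrow not possible here: $($_.Exception.Message)"
}

function Get-ToGoStatus([string]$MountPoint) {
    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object MountPoint, VolumeType, VolumeStatus, ProtectionStatus,
                      LockStatus, EncryptionPercentage
}
Get-ToGoStatus $drive

# What a user sees after removing and reinserting the drive on another computer:
# the volume is Locked until a protector is supplied.
Lock-BitLocker -MountPoint $drive -ForceDismount | Out-Null
(Get-BitLockerVolume -MountPoint $drive).LockStatus      # Locked
Unlock-BitLocker -MountPoint $drive -Password $pw | Out-Null
(Get-BitLockerVolume -MountPoint $drive).LockStatus      # Unlocked
```

Encryption continues in the background after Enable-BitLocker returns; EncryptionPercentage shows progress, and ProtectionStatus reports On only once the protectors are in place.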
BitLocker Requirements
In both Windows 7 and Windows 8.1, BitLocker automatically prepares drives for use. As a result, there is no need to create separate partitions before turning BitLocker on. This is an improvement over BitLocker in Windows Vista, which required that users manually partition their hard drive.
You can use BitLocker to encrypt operating system drives, fixed data drives, and removable data drives in
Windows 8.1. When you use BitLocker with data drives, you can format the drive with the exFAT, FAT16,
FAT32, or NTFS file system, but the drive must have at least 64 MB of available disk space. When you use
BitLocker with operating system drives, you must format the drive with the NTFS file system.
Because BitLocker stores its own encryption and decryption key in a hardware device that is separate from the hard disk, you must have one of the following:
o A computer with a TPM version 1.2 or later.
o A removable USB memory device, such as a USB flash drive, that holds the startup key.
On computers that do not have TPM 1.2, you still can use BitLocker to encrypt the Windows operating system volume. However, this implementation requires the user to insert a USB startup key to start the computer or resume from hibernation, and it does not provide the prestartup system-integrity verification that BitLocker provides when working with a TPM.
Additionally, BitLocker offers the option to lock the normal startup process until a user supplies a PIN or
inserts a removable USB device, such as a flash drive, that contains a startup key. These additional security
measures provide multifactor authentication and assurance that a computer will not start or resume from
hibernation until the correct PIN or startup key is presented.
Hardware Requirements
To turn on BitLocker, a computer must:
Have the hard drive space necessary for Windows 8.1 to create two disk partitions: one for the operating system volume and one for the system volume:
o Operating system volume. This partition includes the drive on which you install Windows. BitLocker encrypts this drive; it must be formatted with NTFS.
o System volume. A second partition is created as needed when you enable BitLocker in Windows 8.1. This partition must remain unencrypted so that you can start the computer. This partition must be at least 100 MB, must be set as the active partition, and no longer needs a drive letter.
Have a BIOS that is compatible with TPM or supports USB devices during computer startup. The BIOS must be:
o Set to start first from the hard disk, and not the USB or CD drives.
To check whether a computer has a TPM:
1. Open Control Panel, click System and Security, and then click BitLocker Drive Encryption.
2. In the lower left corner, click TPM Administration. The TPM Management on Local Computer console opens. If the computer does not have a TPM 1.2 chip, the Compatible TPM cannot be found message appears.
BitLocker Modes
BitLocker can run on two types of computers:
On computers that have TPM 1.2, BitLocker uses the enhanced TPM security capabilities to help ensure
that your data is accessible only if the computer's startup components appear unaltered and the
encrypted disk is located in the original computer.
If you enable BitLocker on a Windows 8.1 computer that has TPM 1.2, you can add the following
additional factors of authentication to the TPM protection:
BitLocker offers the option to lock the normal startup process until a user supplies a PIN or inserts a
USB device, such as a flash drive, that contains a BitLocker startup key.
In a scenario that uses a TPM with an advanced startup option, you can add a second factor of
authentication to the standard TPM protection: a PIN or a startup key on a USB flash drive. To use a USB
flash drive with a TPM, the computer must have a BIOS that can read USB flash drives in the pre-operating
system environment (at startup). You can check your BIOS by running a hardware test near the end of the
BitLocker setup wizard.
These additional security measures provide multifactor authentication and help ensure that a computer
will not start or resume from hibernation until a user presents the correct authentication method.
On computers equipped with a TPM, each time a computer starts, each of the early startup components,
such as the BIOS, the boot sector, and the boot manager code, examines the code that is about to run,
calculates a hash value, and stores the value in the TPM. Once that value is stored in the TPM, it cannot be
replaced until the user restarts the system. A combination of these values is recorded.
You can use these recorded values to protect data by using the TPM to create a key that links to these
values. When you create this type of key, the TPM encrypts it and only that specific TPM can decrypt it.
Each time the computer starts, the TPM compares the values that are generated during the current
startup with the values that existed when the key was created. It decrypts the key only if those values
match. This process is called sealing and unsealing the key.
As part of its system integrity verification process, BitLocker examines and seals keys to the measurements
of the following:
If any of these items change unexpectedly, BitLocker locks the drive to prevent it from being accessed or
decrypted.
By default, BitLocker looks for and uses a TPM. You can use Group Policy to allow BitLocker to work
without a TPM and store keys on an external USB flash drive. However, BitLocker then cannot verify early
startup components.
You can enable BitLocker on a computer without TPM 1.2 as long as the BIOS has the ability to read from
a USB flash drive in the boot environment. This is because BitLocker will not unlock a protected volume
until BitLocker's own volume master key is first released by either the computer's TPM or by a USB flash
drive that contains the BitLocker startup key for that computer. However, computers without TPMs will
not be able to use the system-integrity verification that BitLocker provides.
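The following script is an added example and is not part of the course text. It checks that a TPM is present and ready, protects the operating system drive with a TPM plus PIN protector, adds a recovery password, and then reads back which PCRs the TPM protector is sealed to. The cmdlets are from the BitLocker and TrustedPlatformModule modules that ship with Windows 8.1; the drive letter and the parsing of manage-bde's "PCR Validation Profile" output line are assumptions.

```powershell
# Added example (not from the course): verify TPM readiness, enable BitLocker
# with TPM + PIN, and show the PCRs the TPM protector is sealed to.
# Assumes Windows 8.1, an elevated session, and that C: is the OS drive.
#Requires -RunAsAdministrator
$osDrive = 'C:'

# Get-Tpm reports whether a TPM is present and whether it is enabled, activated
# and owned (TpmReady). Without a TPM, only a USB startup key is possible and
# early boot components cannot be verified.
$tpm = Get-Tpm
if (-not $tpm.TpmPresent) {
    throw 'No TPM found: use the startup-key (non-TPM) configuration instead.'
}
if (-not $tpm.TpmReady) {
    throw 'TPM present but not ready; initialize it first (tpm.msc or Initialize-Tpm).'
}

# The PIN is the second factor on top of the TPM seal. Read it as a SecureString.
# TPM + PIN must be allowed by 'Require additional authentication at startup'.
$pin = Read-Host -AsSecureString -Prompt 'Enter the BitLocker startup PIN'

# Without -SkipHardwareTest, BitLocker runs its system check at the next restart
# (the same check the wizard offers) and only then starts encrypting.
Enable-BitLocker -MountPoint $osDrive -TpmAndPinProtector -Pin $pin

# A numerical recovery password is what unlocks the drive if the measurements
# change (firmware update, boot from other media, disk moved to another PC).
Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector | Out-Null

# List the protectors now attached to the volume. Record the recovery password
# somewhere other than this computer before restarting.
(Get-BitLockerVolume -MountPoint $osDrive).KeyProtector |
    Format-Table KeyProtectorType, KeyProtectorId, RecoveryPassword -AutoSize

# manage-bde prints the PCR validation profile of the TPM protector. Which PCRs
# are used depends on firmware type (BIOS/UEFI) and the platform validation
# profile policy; parsing this text line is an assumption about its format.
$pcrProfile = manage-bde -protectors -get $osDrive |
    ForEach-Object { if ($_ -match 'PCR Validation Profile:\s*(.+)$') { $Matches[1].Trim() } }
"TPM protector on $osDrive is sealed to PCRs: $pcrProfile"
```

Run this from an elevated Windows PowerShell session on the computer you are protecting. If the PCR list comes back empty, the protector has not been created yet or the computer has not restarted since Enable-BitLocker ran.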
If a startup key is located on a USB flash drive, your computer must have a BIOS that can read USB flash
drives in the pre-operating system environment (at startup). You can check your BIOS by running the
hardware test that is near the end of the BitLocker setup wizard.
To help determine whether a computer can read from a USB device during the boot process, use the
BitLocker System Check as part of the BitLocker setup process. This system check performs tests to
confirm that the computer can read from USB devices properly at the appropriate time and that the
computer meets other BitLocker requirements.
To enable BitLocker on a computer without a TPM, use Group Policy to enable the advanced BitLocker
user interface. With advanced options enabled, the non-TPM settings appear in the BitLocker setup
wizard.
Question: What is a disadvantage of running BitLocker on a computer that does not contain
TPM 1.2?
Require all removable drives to be BitLocker-protected before users can save data to them.
In addition to recovery passwords, you can use Group Policy to configure a domain-wide public key called
a data recovery agent that will permit an administrator to unlock any drive encrypted with BitLocker.
Before you can use a data recovery agent, you must add it from the Public Key Policies item in either the
GPMC or the Local Group Policy Editor.
To use a data recovery agent with BitLocker, you must enable the appropriate Group Policy setting for the
drives that you use with BitLocker. These policy settings are:
When you enable the policy setting, select the Enable data recovery agent check box. There is a policy
setting for each type of drive, so you can configure individual recovery policies for each type of drive on
which you enable BitLocker.
You also must enable and configure the Provide the unique identifiers for your organization policy
setting to associate a unique identifier with a new drive that is protected with BitLocker. Identification
fields are required for management of data recovery agents on BitLocker-protected drives. BitLocker will
manage and update data recovery agents only when an identification field is present on a drive and is
identical to the value that is configured on the computer.
Using these policy settings helps enforce standard deployment of BitLocker in your organization. Group
Policy settings that affect BitLocker are located in Computer Configuration\Administrative Templates
\Windows Components\BitLocker Drive Encryption. Globally applied BitLocker Group Policy settings are
located in this folder. Subfolders for fixed data drives, operating system drives, and removable drives
support the configuration of policy settings specific to those drives.
Note: If you want to use BitLocker to protect an operating system drive on a computer that
does not have a TPM, you must enable the Require additional authentication at startup policy
setting, and then within that setting, click Allow BitLocker without a compatible TPM.
The BitLocker Drive Encryption folder contains the following subfolders: Fixed Data Drives, Operating
System Drives, and Removable Data Drives.
The following table summarizes some of the key policy settings that affect Windows 8.1 client computers.
Each setting includes the following options: Not configured, Enabled, and Disabled. The default setting for
each setting is Not configured.
Setting name (location): description

Prevent memory overwrite on restart (BitLocker Drive Encryption folder).
Allow access to BitLocker-protected data drives from earlier versions of Windows (Fixed Data Drives
folder).
Recovery setting for fixed data drives (Fixed Data Drives folder): allows you to control how
BitLocker-protected fixed data drives are recovered in the absence of the required credentials.
Require additional authentication at startup (Operating System Drives folder).
Recovery setting for operating system drives (Operating System Drives folder): allows you to control how
BitLocker-protected operating system drives are recovered in the absence of the required startup key
information.
Allow access to BitLocker-protected removable drives from earlier versions of Windows (Removable Data
Drives folder).
Configure use of passwords for removable data drives (Removable Data Drives folder).
Recovery setting for removable data drives (Removable Data Drives folder): allows you to control how
BitLocker-protected removable data drives are recovered in the absence of the required startup key
information.
Group Policy settings that control TPM behavior are located in Computer Configuration\Administrative
Templates\System\Trusted Platform Module Services. The following table summarizes these settings.
You have seen in this module that BitLocker and BitLocker To Go offer enhanced protection against data
theft or data exposure from computers that might have been lost or stolen. We recommend that
medium and large organizations that deploy BitLocker use the Microsoft BitLocker Administration
and Monitoring 2.0 tool to provide management capabilities for BitLocker and BitLocker To Go.
Administrators can use Microsoft BitLocker Administration and Monitoring to simplify the following
BitLocker management tasks:
Microsoft BitLocker Administration and Monitoring 2.0 enables administrators to enforce organizational
BitLocker encryption policies across an enterprise. It also enables administrators to monitor the
compliance of client computers with those policies, providing centralized reporting on the encryption
status of devices used on a network.
Note: Microsoft BitLocker Administration and Monitoring 2.0 is only available as part of the
Microsoft Desktop Optimization Pack, which offers Microsoft Software Assurance customers a
suite of premium utilities that are useful for administrators to manage desktop computers and
devices within an organization.
Microsoft BitLocker Administration and Monitoring 2.0 is not supported with Windows 8.1.
Microsoft is planning to release a newer version that is compatible with Windows 8.1.
In addition, Microsoft BitLocker Administration and Monitoring lets you access recovery key information,
which is helpful when users forget their PINs or passwords, or when their BIOS/UEFI firmware or boot
records change. By adopting an enterprise BitLocker management solution, organizations can increase the
level of effectiveness of BitLocker significantly and can reduce the administrative overhead and the total
cost of ownership.
Note: Microsoft BitLocker Administration and Monitoring 1.0 supports Windows 7, whereas
Microsoft BitLocker Administration and Monitoring 2.0 supports Windows 7 and Windows 8.
Microsoft BitLocker Administration and Monitoring 2.0 provides the following new features and
functionality:
The Microsoft BitLocker Administration and Monitoring 2.0 client can upgrade the Microsoft BitLocker
Administration and Monitoring 1.0 client in place.
Microsoft BitLocker Administration and Monitoring 2.0 can upgrade previous versions of the Microsoft
BitLocker Administration and Monitoring Server.
Microsoft BitLocker Administration and Monitoring 2.0 supports BitLocker's enterprise scenarios on
Windows 8.
Configuring BitLocker
In Windows 8.1, you can enable BitLocker from the Control Panel or by right-clicking the volume that you
want to encrypt. This initiates the BitLocker Drive Encryption Wizard, which validates system requirements.
During the preparation phase, BitLocker creates the second (unencrypted system) partition if it does not
exist.
Administration
You can manage BitLocker by using the BitLocker Drive Encryption item within Control Panel. The
command-line tool Manage-bde.exe is also available for scripting, from a Command Prompt window or from
Windows PowerShell, and can target remote computers. Windows 8.1 also includes a BitLocker Windows
PowerShell module (Enable-BitLocker, Get-BitLockerVolume, and related cmdlets).
After you encrypt and protect a volume by using BitLocker, local and domain administrators can use the
Manage Keys page in the BitLocker control panel item to duplicate keys and reset PINs.
1. In Control Panel, click System and Security, and then click BitLocker Drive Encryption.
2. If the User Account Control dialog box appears, confirm that the action it displays is what you want,
and then click Continue.
3. On the BitLocker Drive Encryption page, click Turn On BitLocker on the operating system volume.
A message appears, warning that BitLocker encryption might have a performance impact on your
computer. If your TPM is not initialized, the Initialize TPM Security Hardware Wizard appears. Follow the
directions to initialize the TPM, and then restart or shut down your computer.
4. The Save the recovery password page shows the following options:
o Save the password on a USB drive. Saves the password to a USB flash drive.
o Save the password in a folder. Saves the password to a folder on a network drive or other
location.
Use one or more of these options to preserve the recovery password. For each, select the option and
then follow the wizard steps to set the location for saving or printing the recovery password.
When you finish saving the recovery password, click Next.
5. On the Encrypt the selected disk volume page, confirm that the Run BitLocker System Check
check box is selected, and then click Continue. Confirm that you want to restart the computer by
clicking Restart Now. The computer restarts and then BitLocker verifies whether the computer is
BitLocker-compatible and ready for encryption. If it is not, an error message will alert you to the
problem.
6. If the computer is ready for encryption, the Encryption in Progress status bar displays. You can
monitor the ongoing completion status of the disk-volume encryption by moving your pointer over
the BitLocker Drive Encryption icon, which is in the notification area at the bottom of your screen.
By completing this procedure, you will have encrypted the operating system volume and created a
recovery password unique to this volume. The next time that you sign in, you will see no change. If the
TPM ever changes or BitLocker cannot access it, or if there are changes to key system files or someone
tries to start the computer from a product CD or DVD to circumvent the operating system, the computer
will switch to recovery mode until the user supplies the correct recovery password.
Use the following procedure to change your computer's Group Policy settings so that you can turn on
BitLocker without a TPM. Instead of a TPM, you will use a startup key to authenticate yourself. The startup
key is on a USB flash drive that you insert into the computer before you turn it on.
For this scenario, you must have a BIOS that will read USB flash drives in the pre-operating system
environment (at startup). You can check your BIOS by running the system check that is in the final step of
the BitLocker wizard.
Before you start:
You must have a USB flash drive to save the recovery password.
You should try to use a second USB flash drive to store the startup key separate from the recovery
password.
Perform the following steps to turn on BitLocker on a computer without a compatible TPM:
1. Run Gpedit.msc.
2. If the User Account Control dialog box appears, confirm that the action it displays is the action that
you want to occur, and then click Continue.
3. In the Local Group Policy Editor console tree, click Computer Configuration, click Administrative
Templates, click Windows Components, click BitLocker Drive Encryption, and then click
Operating System Drives.
4. Open the Require additional authentication at startup policy setting.
5. Select the Enabled option, select the Allow BitLocker without a compatible TPM check box, and
then click OK. You have changed the policy setting so that you can use a startup key instead of a
TPM.
6. To force Group Policy to apply immediately, from a command prompt, type gpupdate.exe /force,
and then press Enter.
7. From Control Panel, click System and Security, and then click BitLocker Drive Encryption.
8. If the User Account Control dialog box appears, confirm that the action it displays is what you want,
and then click Continue.
9. On the BitLocker Drive Encryption page, click Turn On BitLocker. This option appears only for the
operating system volume.
10. On the Set BitLocker Startup Preferences page, select the Require Startup USB Key at every
startup option. This is the only option available for non-TPM configurations. You must insert this key
before you start the computer, each time you start it.
11. Insert your USB flash drive in the computer if you have not done so already.
12. On the Save your Startup Key page, choose the location of your USB flash drive, and then click
Save.
13. The following options are available on the Save the recovery password page:
o Save the password on a USB drive. Saves the password to a USB flash drive.
o Save the password in a folder. Saves the password to a folder on a network drive or other
location.
Use one or more of these options to preserve the recovery password. For each, select the option and
then follow the wizard steps to set the location for saving or printing the recovery password. Do not
store the recovery password and the startup key on the same media. When you have finished saving
the recovery password, click Next.
14. On the Encrypt the selected disk volume page, confirm that the Run BitLocker System Check
check box is selected, and then click Continue. Confirm that you want to restart the computer by
clicking Restart Now. The computer restarts, and BitLocker verifies whether the computer is
BitLocker-compatible and ready for encryption. If it is not, an error message will alert you to the
problem before encryption starts.
15. If the computer is ready for encryption, the Encryption in Progress status bar displays. You can
monitor the ongoing completion status of the disk-volume encryption by moving your pointer over
the BitLocker Drive Encryption icon, which is in the notification area at the bottom of your screen.
You also can click the Encryption icon to view the status.
By completing this procedure, you have encrypted the operating system volume and created a recovery
password that is unique to that volume. The next time that you turn your computer on, you must plug
the USB flash drive with the startup key into one of the computer's USB ports. If you do not, you will not
be able to access data on your encrypted volume.
If you do not have the USB flash drive that contains your startup key, then you will need to use recovery
mode and supply the recovery password to access data.
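The following script is an added example, not part of the course material. It performs the same configuration as the procedure above without the graphical tools: it writes the registry values that the Require additional authentication at startup policy sets (including Allow BitLocker without a compatible TPM), refreshes Group Policy, enables BitLocker on the operating system drive with a USB startup key, and saves a recovery password on separate media. The drive letters E: (startup key) and F: (recovery password) are assumptions; the registry value names under HKLM\SOFTWARE\Policies\Microsoft\FVE are those written by the BitLocker administrative template.

```powershell
# Added example (not from the course): enable BitLocker on C: without a TPM,
# using a USB startup key. Assumes Windows 8.1, an elevated session, the
# startup-key drive at E: and a different drive (or folder) at F: for the
# recovery password. On a domain-joined computer, set the policy in a GPO
# instead; values written locally under the Policies key are overwritten by GPO.
#Requires -RunAsAdministrator
$osDrive        = 'C:'
$startupKeyPath = 'E:\'   # USB flash drive that will receive the .BEK startup key
$recoveryPath   = 'F:\'   # second USB flash drive or folder for the recovery password

# 1. Registry equivalent of 'Require additional authentication at startup' =
#    Enabled, with 'Allow BitLocker without a compatible TPM' checked.
#    For the UseTPM* values: 0 = Do not allow, 1 = Require, 2 = Allow.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Type DWord -Value 1
Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Type DWord -Value 1
foreach ($name in 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN') {
    Set-ItemProperty -Path $fve -Name $name -Type DWord -Value 2
}
gpupdate.exe /force | Out-Null

# 2. Refuse to continue if the startup key and the recovery password would end
#    up on the same media (the course's "do not store ... on the same media").
if ((Split-Path -Qualifier $startupKeyPath) -eq (Split-Path -Qualifier $recoveryPath)) {
    throw 'Startup key and recovery password must not be stored on the same media.'
}

# 3. Enable BitLocker with a startup-key protector. The .BEK file is written to
#    $startupKeyPath. Without -SkipHardwareTest the BitLocker system check runs
#    at the next restart, which verifies that the firmware can read the USB
#    drive before any encryption starts.
Enable-BitLocker -MountPoint $osDrive -StartupKeyProtector -StartupKeyPath $startupKeyPath

# 4. Add a numerical recovery password and save it on the other media.
$vol  = Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector
$rp   = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
$file = Join-Path $recoveryPath ('BitLocker Recovery Key {0}.txt' -f $rp.KeyProtectorId.Trim('{}'))
@(
    "BitLocker recovery password for $osDrive on $env:COMPUTERNAME"
    "Password ID: $($rp.KeyProtectorId)"
    "Recovery password: $($rp.RecoveryPassword)"
) | Set-Content -Path $file

"Startup key written to $startupKeyPath; recovery password saved to $file. Restart to run the system check."
```

After the restart, Get-BitLockerVolume -MountPoint C: should report VolumeStatus EncryptionInProgress (and later FullyEncrypted) with ExternalKey and RecoveryPassword protectors; if the system check fails, the volume stays FullyDecrypted and the event log explains why.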
Forcing BitLocker into disabled (suspended) mode keeps the volume encrypted, but the volume master key
is then also encrypted with a clear key that is stored unencrypted on the hard disk. Because anyone who
can read the disk can read that clear key, suspension removes the data protection that BitLocker offers,
but it ensures that subsequent computer startups succeed without further user input, which is what you
need before a firmware or boot-component update that would otherwise change the TPM measurements.
When you re-enable BitLocker, the clear key is removed from the disk, BitLocker protection is turned on
again, and the volume master key is encrypted again by the remaining key protectors.
Moving an encrypted volume (a physical disk) to another BitLocker-enabled computer requires that you
suspend BitLocker temporarily, because the other computer's TPM cannot unseal a key that the original
TPM sealed. No additional steps are required because, while BitLocker is suspended, the clear key that
protects the volume master key is stored unencrypted on the disk.
Note: Exposing the volume master key even for a brief period is a security risk. An attacker
can access the volume master key and full volume encryption key when these keys are exposed
by the clear key.
On unencrypted drives, data might remain readable even after the drive has been formatted. Enterprises
often use multiple overwrites or physical destruction to reduce the risk of exposing data on
decommissioned drives.
You can use BitLocker to create a simple, cost-effective decommissioning process. Leaving the data
encrypted by BitLocker and then removing the keys permanently reduces the risk of exposing that data.
It becomes practically impossible to access BitLocker-encrypted data after all BitLocker keys have been
removed, because doing so would require breaking 128-bit or 256-bit AES encryption.
Note: Perform the procedures that this section describes only if you do not want or need
the data in the future. You cannot recover the data in the encrypted volume if you perform the
procedures that this section details.
You can remove a volumes BitLocker keys by formatting that volume from Windows 8.1. The format
command has been updated to support this operation. To format the operating system volume, you can
open a command prompt by using the recovery environment that the Windows 8.1 installation DVD
includes.
Alternatively, an administrator can create a script that effectively removes all BitLocker key protectors.
Running such a script will leave all BitLocker-encrypted data unrecoverable when you restart the
computer. As a safety measure, BitLocker requires that an encrypted volume have at least one key
protector. Given this requirement, you can decommission the drive by creating a new external key
protector, not saving the created external key information, and then removing all other key protectors
on the volume.
After you remove the BitLocker keys from the volume, you need to perform follow-up tasks to complete
the decommissioning process. For example, reset the TPM to its factory defaults by clearing the TPM, and
discard saved recovery information for the volume, such as printouts, files stored on USB devices, and
information stored in AD DS.
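The following script is an added example, not part of the course material; it implements the decommissioning sequence the text describes. It adds a throw-away external key protector (BitLocker requires at least one protector on the volume), deletes the key file that protector wrote, removes every other protector, verifies that only the orphaned protector remains, and notes the TPM clear as a follow-up. The drive letter, the scratch directory and the confirmation prompt are assumptions. Everything on the volume becomes permanently unrecoverable.

```powershell
# Added example (not from the course): remove all usable BitLocker key
# protectors from a fully encrypted volume so the data can never be unlocked.
# Assumes Windows 8.1, an elevated session, and that the volume letter is
# passed in (for example 'D:'). DESTRUCTIVE: only run on a drive being retired.
#Requires -RunAsAdministrator
param([Parameter(Mandatory)][string]$MountPoint)

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -ne 'FullyEncrypted') {
    throw "$MountPoint is '$($vol.VolumeStatus)'; only a fully encrypted volume can be decommissioned this way."
}
if ((Read-Host "Type DESTROY to remove all BitLocker keys from $MountPoint") -ne 'DESTROY') { return }

# 1. Add a temporary external key protector. Its .BEK file lands in a scratch
#    directory that is deleted immediately, so the new protector is unusable too.
$scratch = Join-Path $env:TEMP ('bde-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $scratch | Out-Null
$vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryKeyProtector -RecoveryKeyPath $scratch
$throwaway = ($vol.KeyProtector |
    Where-Object KeyProtectorType -eq 'ExternalKey' |
    Select-Object -Last 1).KeyProtectorId
Remove-Item -Path $scratch -Recurse -Force

# 2. Remove every other protector: TPM, PIN, password, recovery password, old
#    external keys. The volume stays readable until it is locked or restarted.
foreach ($kp in $vol.KeyProtector | Where-Object KeyProtectorId -ne $throwaway) {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
}

# 3. Verify that only the orphaned external key protector is left.
$remaining = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector)
if ($remaining.Count -ne 1 -or $remaining[0].KeyProtectorId -ne $throwaway) {
    throw 'Unexpected protectors remain; inspect with: manage-bde -protectors -get ' + $MountPoint
}
"$MountPoint now has no usable key protector; it becomes inaccessible at the next lock or restart."

# 4. Follow-up tasks from the text: clear the TPM so its sealed copy of the key
#    is gone (Clear-Tpm needs owner authorization or physical presence at the
#    next boot), and delete any escrowed recovery information in AD DS, on USB
#    drives and on paper.
# Clear-Tpm
```

Lock-BitLocker (for a data drive) or a restart (for the operating system drive) completes the lockout. Do not forget the escrowed copies: a recovery password still stored in AD DS or in a printout would defeat the whole procedure.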
Question: When turning on BitLocker on a computer with TPM 1.2, what is the purpose of
saving the recovery password?
Configuring BitLocker To Go
BitLocker To Go protects data on removable data drives. It allows you to configure BitLocker on USB
flash drives and external hard drives. The option is available to simply right-click on a drive in File
Explorer to enable BitLocker protection.
BitLocker To Go Scenario
Consider the following scenario. An administrator configures Group Policy to require that users can save
data only on BitLocker-protected data volumes. Specifically, the administrator enables the Deny write
access to removable drives not protected by BitLocker policy setting and deploys it to the domain.
Meanwhile, an end user inserts a USB flash drive. Because the USB flash drive is not protected with
BitLocker, Windows 8.1 displays an informational dialog box indicating that the device must be encrypted
with BitLocker. From this dialog, the user chooses to launch the BitLocker wizard to encrypt the volume or
continues working with the device as read-only.
If the user decides to implement the device as read-only and then attempts to save a document to the
flash drive, an access-denied error message appears.
Configuring BitLocker To Go
When you select the Turn On BitLocker menu option, the wizard asks how you want to unlock the drive.
You can select one of the following methods:
A password (passphrase). You can configure its length and complexity in Group Policy.
A smart card.
After you configure a device to use BitLocker, when a user saves documents to an external drive, BitLocker
encrypts them. When the user inserts the USB flash drive on a different computer, the computer detects
that the portable device is BitLocker-protected and prompts the user to specify the passphrase. The user
can specify to unlock the volume automatically on the second computer.
Note: In the above scenario, the second computer does not have to be encrypted with
BitLocker.
If a user forgets the passphrase for a device, he or she can use the I forgot my passphrase option from the
BitLocker Unlock Wizard to recover it. Clicking this option displays a recovery password ID that the user
supplies to an administrator, who then uses the password ID to obtain the device's recovery password.
This recovery password can be stored in AD DS and retrieved with the BitLocker Recovery Password
Viewer.
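The following script is an added example and is not part of the course material. It carries the BitLocker To Go scenario above through in Windows PowerShell: it protects a removable drive with a password, adds a recovery password and escrows it to AD DS, prints the part of the password ID that a user would read to the help desk, and then locks and unlocks the drive the way a second computer would see it. The drive letter E: is an assumption, the password is read from the console, and AD DS backup only succeeds if the removable-drive recovery policy allows it.

```powershell
# Added example (not from the course): BitLocker To Go on a removable drive.
# Assumes Windows 8.1, an elevated session on a domain-joined computer, and
# the removable drive mounted at E:.
#Requires -RunAsAdministrator
$drive = 'E:'
$pw = Read-Host -AsSecureString -Prompt "Password to unlock $drive"

# Password protector. Complexity is enforced by 'Configure use of passwords for
# removable data drives'. -UsedSpaceOnly encrypts only used space (fast for new media).
Enable-BitLocker -MountPoint $drive -PasswordProtector -Password $pw -UsedSpaceOnly | Out-Null

# Recovery password, escrowed to this computer's object in AD DS as an
# msFVE-RecoveryInformation child object.
$vol = Add-BitLockerKeyProtector -MountPoint $drive -RecoveryPasswordProtector
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
Backup-BitLockerKeyProtector -MountPoint $drive -KeyProtectorId $rp.KeyProtectorId | Out-Null

# The user reads the first 8 characters of the password ID to the help desk.
'Password ID prefix for the help desk: ' + $rp.KeyProtectorId.Trim('{}').Substring(0, 8)

# Encryption runs in the background; wait for it before dismounting the drive.
do {
    Start-Sleep -Seconds 5
    $vol = Get-BitLockerVolume -MountPoint $drive
} while ($vol.VolumeStatus -eq 'EncryptionInProgress')

# Simulate inserting the drive into another computer: lock, then unlock with the password.
Lock-BitLocker -MountPoint $drive -ForceDismount | Out-Null
'After lock:   ' + (Get-BitLockerVolume -MountPoint $drive).LockStatus   # Locked
Unlock-BitLocker -MountPoint $drive -Password $pw | Out-Null
'After unlock: ' + (Get-BitLockerVolume -MountPoint $drive).LockStatus   # Unlocked
```

The second computer does not need BitLocker enabled on its own drives to unlock the stick; it only needs to run a Windows version that supports BitLocker To Go, or the BitLocker To Go Reader on earlier versions when the "earlier versions of Windows" policy permits it.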
Question: How do you enable BitLocker To Go for a USB flash drive?
Recovery password. A 48-digit number divided into eight groups. During recovery, you type this password
into the BitLocker recovery console; use the function keys if the number keys are not available in the
pre-operating system environment.
Recovery key. A key file (.BEK) in a format that the BitLocker recovery console can read directly, typically
stored on a USB flash drive.
The recovery password will be required if the encrypted drive must be moved to another computer or
changes are made to the system startup information. This password is so important that you should make
additional copies of the password and store it in safe places to ensure access to your data.
You will need your recovery password to unlock the encrypted data on the volume if BitLocker enters a
locked state. This recovery password is unique to this particular BitLocker encryption. You cannot use it to
recover encrypted data from any other BitLocker encryption session.
A password ID is a 32-character identifier that is unique to each recovery password. You can find the
password ID under a computer's property settings, and a user sees it on the recovery screen; you use it
to locate passwords that are stored in AD DS. To locate a password, the following conditions must be true:
Prior to searching for and providing a recovery password to a user, confirm that the person is the account
owner and is authorized to access data on the computer in question.
Search for the password in Active Directory Users and Computers by using either one of the following:
Drive label
Password ID
When you search by drive label, after locating the computer, right-click the drive label, click Properties,
and then click the BitLocker Recovery tab to view associated passwords.
To search by password ID, right-click the domain container, and then click Find BitLocker Recovery
Password. In the Find BitLocker Recovery Password dialog box, enter the first eight characters of the
password ID in the Password ID field, and then click Search.
Examine the returned recovery password to ensure it matches the password ID that the user provides.
Performing this step helps verify that you have obtained the unique recovery password.
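The following function is an added example, not part of the course material. It performs the help-desk lookup described above with the ActiveDirectory module rather than the BitLocker Recovery tab: it searches msFVE-RecoveryInformation objects by the first eight characters of the password ID (optionally restricted to one computer object) and returns the full password ID so that it can be compared with what the user reads out before the 48-digit password is released. It assumes the ActiveDirectory module is installed, that the caller has been delegated read access to the recovery objects, and that the user's identity and authorization were verified first; the prefix 3A4B5C6D is constructed sample input.

```powershell
# Added example (not from the course): locate a BitLocker recovery password in
# AD DS from the 8-character password ID prefix a user reads from the recovery
# screen. Assumes the ActiveDirectory module and delegated read rights on
# msFVE-RecoveryInformation objects.
Import-Module ActiveDirectory

function Find-BitLockerRecoveryPassword {
    param(
        [Parameter(Mandatory)][ValidatePattern('^[0-9A-Fa-f]{8}$')][string]$PasswordIdPrefix,
        [string]$ComputerName   # optional: search only under one computer object
    )
    # Recovery objects are children of the computer object. Their CN is
    # '<timestamp>{<password ID GUID>}', so a name filter on '{<prefix>' finds them.
    $filter = "objectClass -eq 'msFVE-RecoveryInformation' -and Name -like '*{$PasswordIdPrefix*'"
    $params = @{
        Filter     = $filter
        Properties = @('msFVE-RecoveryPassword', 'msFVE-RecoveryGuid')
    }
    if ($ComputerName) {
        $params['SearchBase'] = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    }
    Get-ADObject @params | ForEach-Object {
        # msFVE-RecoveryGuid is stored as an octet string; rebuild the GUID from it.
        $guid = New-Object -TypeName guid -ArgumentList (, [byte[]]$_.'msFVE-RecoveryGuid')
        [pscustomobject]@{
            Computer         = (($_.DistinguishedName -split ',', 2)[1]) -replace '^CN=([^,]+).*', '$1'
            Created          = $_.Name.Substring(0, 25)          # timestamp part of the CN
            PasswordId       = $guid.ToString().ToUpper()
            RecoveryPassword = $_.'msFVE-RecoveryPassword'
        }
    }
}

# Usage: ask for more characters if the prefix is not unique, and compare the
# full PasswordId with the ID on the user's screen before reading out the password.
$hits = @(Find-BitLockerRecoveryPassword -PasswordIdPrefix '3A4B5C6D')
if ($hits.Count -ne 1) {
    "Expected exactly one match, got $($hits.Count); ask the user for more of the password ID."
} else {
    $hits[0] | Select-Object Computer, Created, PasswordId   # withhold RecoveryPassword until the ID is confirmed
}
```

Access to these objects should be delegated narrowly and audited; anyone who can read msFVE-RecoveryPassword on a computer object can unlock that computer's drives.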
Windows 8.1 BitLocker provides data recovery agent support for all protected volumes. This provides
users with the ability to recover data from any BitLocker and BitLocker To Go device when the data is
inaccessible. This technology assists in the recovery of organizational data on a portable drive by using the
key that the enterprise created.
Data recovery agent support allows you to dictate that all BitLocker-protected volumes, such as operating
system, fixed, and new portable volumes, are encrypted with an appropriate data recovery agent. The
data recovery agent is a new key protector that is written to each data volume so that authorized IT
administrators will always have access to BitLocker-protected volumes.
For devices that are not domain-joined, Windows 8.1 allows a user to back up their BitLocker recovery
key to a Microsoft account, which then is stored within the users OneDrive (formerly known as SkyDrive)
account. During BitLocker configuration on a fixed or removable drive, and just before encryption begins,
you are prompted to specify how you want to back up your recovery key. You are presented with the
following locations:
Save to a file
A user at A. Datum is working on a project that requires him to take his laptop computer home each day.
The data files are very sensitive and must be secure at all times. The laptop computer does not have
TPM 1.2.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 20 minutes
Virtual machines: 20687D-LON-DC1, 20687D-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. The required virtual machines should
be running already from the preceding lab.
Enable BitLocker.
1. Refresh the Group Policy settings on the local computer by running gpupdate /force.
2. On LON-CL1, open File Explorer, right-click Allfiles (E:), and then click Turn on BitLocker.
3. Select the Enter a password option. This is necessary because the virtual machine does not support
USB flash drives.
Note: The drive will be encrypted as a background process; you do not need to wait for the
process to complete to continue the lab.
4. Restart LON-CL1.
5. Right-click the Allfiles (E:) icon, and then click Unlock Drive.
6. Enter password Pa$$w0rd to unlock the drive, and then verify access to the drive.
Results: After completing this exercise, you should have encrypted the hard drive.
When you are finished with the lab, leave the virtual machines running, as they are needed for the
next lab.
Lesson 4
Configuring UAC
Many users sign in to their computers with a user account that has more rights than necessary to run their
applications and access their data files. Using an administrative user account for day-to-day user tasks
poses significant security risks. In older versions of the Windows operating system, administrators were
encouraged to use an ordinary user account for most tasks and to use the Run As command to execute
tasks that required additional rights. Windows 8.1 provides UAC to simplify and secure the process of
elevating your account rights. However, unless you know how UAC works and its potential impact, you
might have problems when you attempt to carry out typical end-user support tasks. This lesson introduces
how UAC works and how you can use UAC-related desktop features.
Lesson Objectives
After completing this lesson, you will be able to:
Describe UAC.
What Is UAC?
UAC is a security feature that provides a way for users to elevate their status from a standard user account
to an administrator account without signing out or switching users. UAC is a collection of features rather
than just a prompt. These features, which include File and Registry Redirection, Installer Detection, the
UAC prompt, the ActiveX Installer Service, and more, allow Windows users to operate with user accounts
that are not members of the Administrators group. These accounts typically are referred to as standard
users and are broadly described as operating with least privilege. The most important fact is that when
users sign in with standard user accounts, the experience typically is much more secure and reliable.
Windows 8.1 reduces the number of operating system applications and tasks that require elevation so that
standard users can do more while experiencing fewer elevation prompts. This improves the interaction
with UAC while upholding high security standards.
When you need to make changes to your computer that require administrator-level permissions, UAC
notifies you as follows:
If you are not an administrator, someone with an administrator account on the computer will have to
enter his or her password for you to continue.
Providing permission or credentials elevates only the task in question; when it finishes, you continue to
work with standard user rights. This ensures that even if you are using an administrator account, changes
cannot be made to your computer without your knowledge. This helps prevent malware and spyware
from being installed on, or making changes to, your computer.
Standard Users
When you enable UAC and a user needs to perform a task that requires administrative permissions, UAC
prompts the user for administrative credentials. In an enterprise environment, the help desk can give a
user temporary credentials that have local administrative permissions to complete a task.
The default UAC setting allows a standard user to perform the following tasks without receiving a UAC
prompt:
Install drivers from Windows Update or those that are included with the operating system.
View Windows settings. However, a standard user is prompted for elevated permissions when
changing Windows settings.
Reset the network adapter and perform other network diagnostic and repair tasks.
Administrative Users
Administrative users automatically have:
While it might seem obvious that not every user should be able to read, alter, and delete any Windows
resource, many enterprise IT departments that run older versions of Windows operating systems had no
other option but to assign all of their users to the local Administrators group.
One of the benefits of UAC is that it allows users with administrative permissions to operate as standard
users most of the time. When users with administrative permissions perform a task that requires
administrative permissions, UAC prompts the user for permission to complete the task. When the user
grants permission, the task in question is performed by using full administrative rights, and then the
account reverts to a lower level of permission.
By default, many applications require users to be administrators because they check Administrators group
membership before running an application. No user security model existed for the Microsoft Windows 95
and the Microsoft Windows 98 operating systems. As a result, developers designed applications, assuming
that they would be installed and run by users with administrator permissions. A user security model was
created for Microsoft Windows NT, but all users were created as administrators by default. Additionally, a
standard user on a Windows XP computer must use the Run As command by right-clicking the executable
file within Windows Explorer, or sign in with an administrator account to install applications and perform
other administrative tasks.
The following list details some of the tasks that a standard user can perform:
Users cannot defragment the hard drive themselves, but a service does this on their behalf
Open Date and Time in Control Panel and change the time zone
The following list details some of the tasks that require elevation to an administrator account:
Modify UAC settings in the Security Policy Editor snap-in (Secpol.msc) to the MMC
When you enable UAC, a member of the local Administrators group receives two access tokens at sign-in:
a full administrator token and a filtered token with the same rights as a standard user. Processes run with
the filtered token; only when the administrator gives approval can a process use the full access token.
This process is the basis of the Admin Approval Mode principle. Users elevate only to perform tasks that
require an administrator access token. When a standard user attempts to perform an administrative task,
UAC prompts the user to enter valid credentials for an administrator account. This is the default
standard-user prompt behavior.
The elevation prompt displays contextual information about the executable that is requesting elevation.
The context is different depending on whether the application is signed by Authenticode technology.
The elevation prompt has two variations, detailed below: the consent prompt and the credential prompt.
Consent prompt. Shown to a member of the local Administrators group who is running in Admin Approval
Mode. The user approves or denies the elevation without entering credentials.
Credential prompt. Shown to a standard user. The user must enter the user name and password of an
administrator account before the task can continue.
Note: Elevation entry points do not remember that elevation has occurred, such as when
you return from a shielded location or task. As a result, the user must re-elevate to enter the task
again.
While the number of UAC elevation prompts for a standard user who performs an everyday task has been
reduced in Windows 8.1, there are times when it is appropriate for an elevation prompt to be returned.
For example, viewing firewall settings does not require elevation; however, changing the settings does
require elevation because the changes have a system-wide impact.
When a permission or password is needed to complete a task, UAC will notify you with one of four
different types of dialog boxes. The following table describes the different types of dialog boxes that are
used to notify you, and the table provides guidance on how to respond to them.
Type of elevation prompt
Description
This item has a valid digital signature that verifies that Microsoft is
the publisher of this item. If you get this type of dialog box, it is
usually safe to continue. If you are unsure, check the name of the
program or function to decide if it is something you want to run.
This program does not have a valid digital signature from its
publisher. This does not necessarily indicate danger because many
older, legitimate apps lack signatures. However, use extra caution
and only allow a program to run if you obtained it from a trusted
source, such as the product CD or a publisher's website. If you are
unsure, search the Internet for the program's name to determine if
it is a known program or malware.
Most of the time, you should sign in to your computer with a standard user account. You can browse
the Internet, send email, and use a word processor, all without an administrator account. When you want
to perform an administrative task such as installing a new program or changing a setting that will affect
other users, you do not have to switch to an administrator account; the Windows operating system
will prompt you for permission or an administrator password before performing the task. Another
recommendation is that you create standard user accounts for all the people that use your computer.
Question: What are the differences between a consent prompt and a credential prompt?
The following table identifies the four settings that enable customization of the elevation prompt
experience.
Prompt
Description
Never notify me
UAC is off.
Always notify me
Because you can configure the user experience with Group Policy, there can be different user experiences,
depending on policy settings. The configuration choices made in your environment affect the prompts
and dialog boxes that standard users, administrators, or both can view.
For example, you might require administrative permissions to change the UAC setting to Always notify
me or Always notify me and wait for my response. With this type of configuration, a yellow notification
appears at the bottom of the User Account Control Settings page, indicating the requirement.
Question: Which two configuration options are combined to produce the end-user elevation
experience?
Demonstration Steps
View the current UAC settings
1.
2.
3.
1. Create a UAC Group Policy setting that prevents access elevation. Modify the User Account Control:
Behavior of the elevation prompt for standard users setting to Automatically deny elevation
requests.
2. Attempt to open the Local Group Policy Editor snap-in, which is an administrative task.
1. Sign in as administrator.
2.
3.
4.
1. Modify the User Account Control: Behavior of the elevation prompt for standard users setting
to Prompt for credentials.
2.
3.
4.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 15 minutes
Virtual machines: 20687D-LON-DC1, 20687D-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. The required virtual machines should
be running from the preceding lab.
2.
3.
2. Open the Local Group Policy Editor, and then navigate to Computer Configuration
\Windows Settings\Security Settings\Local Policies\Security Options.
3. Modify the User Account Control: Behavior of the elevation prompt for standard users setting
to Prompt for credentials on the secure desktop.
1. Enable the User Account Control: Only elevate executables that are signed and validated policy
setting.
2. Enable the User Account Control: Behavior of the elevation prompt for administrators in
Admin Approval Mode policy setting, and then select the Prompt for consent on the secure
desktop option.
1.
2. Open an administrative Command Prompt window. You are prompted by UAC for credentials on the
secure desktop. Provide the necessary credentials, and after the administrative Command Prompt
window opens, close it and then sign out.
3. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd, and then open Action
Center to verify that the notification settings for UAC are configured for Always notify.
Results: After completing this exercise, you should have reconfigured UAC notification behavior and
prompts.
2. In the Virtual Machines list, right-click 20687D-LON-CL1, and then click Revert.
3.
4.
Users should export their certificates and private keys to removable media, and then store the media
securely when it is not in use. For the greatest possible security, you must remove a private key from a
computer whenever the computer is not in use. This protects against attackers who physically obtain
a computer and try to access the private key. When you must access encrypted files, you can import
the private key easily from the removable media.
Encrypt the My Documents folder for all users (User_profile\My Documents). This ensures that the
personal folder, where most documents are stored, is encrypted by default.
Users should encrypt folders rather than individual files. Programs work on files in various ways.
Encrypting files consistently at the folder level ensures that files are not decrypted unexpectedly.
Private keys that are associated with recovery certificates are extremely sensitive. You must generate
these keys either on a computer that is physically secure, or you must export their certificates to a .pfx
file, protect them with a strong password, and then save them on a disk that is in a physically secure
location.
You must assign recovery agent certificates to user accounts that you do not use for any other
purpose.
Do not destroy recovery certificates or private keys when recovery agents are changed (agents are
changed periodically). Keep them all until all files that might have been encrypted with them are
updated.
Designate two or more recovery agent accounts per organizational unit (OU), depending on the size
of the OU. Designate two or more computers for recovery: one for each designated recovery agent
account. Grant permissions to appropriate administrators who use the recovery agent accounts. It is a
good idea to have two recovery agent accounts. Having two computers that hold these keys provides
more redundancy for the recovery of lost data.
Implement a recovery agent archive program to ensure that you can recover encrypted files by
using obsolete recovery keys. You must export and store recovery certificates and private keys in a
controlled and secure manner. Ideally, as with all secure data, archives must be stored in a
controlled-access vault, and you must have two archives: a master and a backup. The master is kept
on-site, while the backup is located in a secure, off-site location.
Avoid using print spool files in your print server architecture, or make sure that print spool files are
generated in an encrypted folder.
EFS does take some CPU overhead every time a user encrypts and decrypts a file. Plan your server
usage wisely. Load balance your servers when many clients use EFS.
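The following script is an added example, not part of the course text, that carries out three of the practices listed above on a Windows 8.1 client: it encrypts at folder level rather than file level, verifies that every file under the folder carries the Encrypted attribute, and exports the user's EFS certificate with its private key to a password-protected .pfx file on removable media. The folder path, the drive letter E: for the removable media, and the EFS Enhanced Key Usage OID used to pick the right certificate are my assumptions; cipher.exe and Export-PfxCertificate are standard Windows tools.

```powershell
# Added example (not from the course). Run as the user whose files are protected.
$folder    = Join-Path $env:USERPROFILE 'Documents\Confidential'   # constructed path
$pfxPath   = 'E:\efs-backup.pfx'          # assumed removable-media drive letter
$efsEkuOid = '1.3.6.1.4.1.311.10.3.4'     # Enhanced Key Usage OID that marks an EFS certificate

function Enable-FolderEncryption {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    # cipher /E marks the folder so files created in it are encrypted automatically;
    # /S:<dir> applies the operation to existing subfolders and files as well.
    & cipher.exe /E "/S:$Path" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "cipher.exe failed with exit code $LASTEXITCODE" }
}

function Get-UnencryptedFile {
    param([Parameter(Mandatory)][string]$Path)
    # Returns files under the folder that lack the Encrypted attribute (expected: none).
    Get-ChildItem -Path $Path -Recurse -File |
        Where-Object { -not ($_.Attributes -band [IO.FileAttributes]::Encrypted) }
}

function Export-EfsCertificate {
    param([Parameter(Mandatory)][string]$PfxPath)
    # The EFS certificate is created on first use, so encrypt something before exporting.
    $cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $efsEkuOid) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw 'No EFS certificate with a private key was found in the user store.' }
    $password = Read-Host -Prompt 'Password for the .pfx file' -AsSecureString
    # Export-PfxCertificate (PKI module, Windows 8 and later) writes certificate and private key.
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $password | Out-Null
    return $cert.Thumbprint
}

Enable-FolderEncryption -Path $folder
$unencrypted = Get-UnencryptedFile -Path $folder
if ($unencrypted) {
    Write-Warning "Unencrypted files remain: $($unencrypted.FullName -join ', ')"
}
$thumbprint = Export-EfsCertificate -PfxPath $pfxPath
Write-Host "Exported EFS certificate $thumbprint to $pfxPath. Store the media securely when not in use."
```

Once the .pfx has been verified to import on another computer, the private key can be removed from the local store with `certutil -user -delstore My <thumbprint>`, which is the step the text recommends for a computer that is not in use; the script deliberately leaves that destructive step to a separate, verified action.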
UAC security settings are configurable in the local Security Policy Manager (Secpol.msc) or the Local
Group Policy Editor (Gpedit.msc). However, in most corporate environments, Group Policy is preferred
because it can be managed and controlled centrally. You can configure nine GPO settings for UAC.
Because the user experience can be configured with Group Policy, there can be different user
experiences depending on policy settings. The configuration choices made in your environment
affect the prompts and dialog boxes that standard users, administrators, or both can view.
For example, you might require administrative permissions to change the UAC setting to Always
notify me or Always notify me and wait for my response. With this type of configuration, a yellow
notification appears at the bottom of the User Account Control Settings page, indicating the
requirement.
Although UAC enables you to sign in with an administrative user account to perform everyday user
tasks, it is still a good practice to sign in by using a standard user account for these everyday tasks.
Sign in as an administrator only when necessary.
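The audit script below is an added example, not part of the course; it reads the values that the UAC policy settings used in the demonstration and lab (Behavior of the elevation prompt for standard users and for administrators in Admin Approval Mode, Only elevate executables that are signed and validated, and the secure desktop setting) are stored under, and reports findings that a reviewer of a Windows 8.1 build would raise. The registry path and value names come from my own knowledge of how Windows persists these policies, not from the course text; the same values are written whether the setting is made through Secpol.msc, Gpedit.msc, or a domain GPO.

```powershell
# Added example (not from the course): audit the effective UAC policy values.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Numeric values and their meanings, as Windows defines them.
$adminBehavior = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (default)'
}
$userBehavior = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials (default)'
}

function Get-UacAuditReport {
    param([string]$Key = $uacKey)
    $p = Get-ItemProperty -Path $Key
    # A missing value means "not configured"; Windows then applies its default.
    $enableLua  = if ($null -ne $p.EnableLUA) { [int]$p.EnableLUA } else { 1 }
    $adminMode  = if ($null -ne $p.ConsentPromptBehaviorAdmin) { [int]$p.ConsentPromptBehaviorAdmin } else { 5 }
    $userMode   = if ($null -ne $p.ConsentPromptBehaviorUser) { [int]$p.ConsentPromptBehaviorUser } else { 3 }
    $secureDesk = if ($null -ne $p.PromptOnSecureDesktop) { [int]$p.PromptOnSecureDesktop } else { 1 }
    $signedOnly = if ($null -ne $p.ValidateAdminCodeSignatures) { [int]$p.ValidateAdminCodeSignatures } else { 0 }

    [pscustomobject]@{
        UacEnabled                   = ($enableLua -eq 1)
        AdminPromptBehavior          = $adminBehavior[$adminMode]
        StandardUserPromptBehavior   = $userBehavior[$userMode]
        SecureDesktopPrompts         = ($secureDesk -eq 1)
        OnlyElevateSignedExecutables = ($signedOnly -eq 1)
        # Findings are phrased against the guidance in this module.
        Findings = @(
            if ($enableLua -ne 1) { 'UAC is off, so Admin Approval Mode is not in effect.' }
            if ($adminMode -eq 0) { 'Administrators elevate silently; any process they run can obtain the full token without a prompt.' }
            if ($secureDesk -ne 1) { 'Prompts appear on the interactive desktop rather than the secure desktop.' }
            if ($userMode -eq 3 -and $signedOnly -ne 1) { 'Standard users can be prompted to elevate unsigned executables.' }
        )
    }
}

Get-UacAuditReport | Format-List
```

The policy key is readable by standard users, so the report can be gathered without elevation; an empty Findings list means the configuration matches the hardened settings the lab applies.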
BitLocker stores its own encryption and decryption key in a hardware device that is separate from the
hard disk, so you must have one of the following:
A removable USB storage device, such as a USB flash drive. If your computer does not have TPM 1.2
or newer, BitLocker stores its key on a memory device.
The most secure implementation of BitLocker takes advantage of the enhanced security capabilities
of TPM 1.2.
On computers that do not have TPM 1.2, you can still use BitLocker to encrypt the Windows
operating system volume. However, this implementation will require a user to insert a USB startup
key to start the computer or resume from hibernation, and it does not provide the pre-startup
system-integrity verification that BitLocker offers when it works with a TPM.
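The script below is an added example, not part of the course, that applies the decision described above on a Windows 8.1 computer: it protects the operating system volume with a TPM key protector when a ready TPM is present and otherwise with a USB startup key, and in both cases adds a recovery password and backs it up. Get-Tpm, Get-BitLockerVolume, Enable-BitLocker, Add-BitLockerKeyProtector and Backup-BitLockerKeyProtector are the cmdlets that ship with Windows 8.1; the USB drive letter and the backup file path are assumptions.

```powershell
# Added example (not from the course). Run from an elevated PowerShell session.
$osVolume   = $env:SystemDrive               # usually C:
$usbDrive   = 'E:'                           # assumed removable drive for the startup key
$backupPath = 'E:\bitlocker-recovery.txt'    # constructed; used only on non-domain computers

function Test-UsableTpm {
    # Get-Tpm throws when no TPM driver/provider is present; treat that as "no TPM".
    try {
        $tpm = Get-Tpm
        return [bool]($tpm.TpmPresent -and $tpm.TpmReady)
    } catch { return $false }
}

function Enable-OsVolumeBitLocker {
    param([string]$MountPoint = $osVolume)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -eq 'On') {
        Write-Host "BitLocker is already on for $MountPoint"
        return $vol
    }
    if (Test-UsableTpm) {
        # TPM-sealed key: provides the pre-startup integrity check described above.
        Enable-BitLocker -MountPoint $MountPoint -TpmProtector -EncryptionMethod Aes256 -SkipHardwareTest | Out-Null
    } else {
        # No usable TPM: the key is written to the USB device, which must be present at startup.
        Enable-BitLocker -MountPoint $MountPoint -StartupKeyProtector -StartupKeyPath $usbDrive `
            -EncryptionMethod Aes256 -SkipHardwareTest | Out-Null
    }
    # A recovery password lets the volume be unlocked if the TPM measurements change or the key is lost.
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
    if ((Get-WmiObject Win32_ComputerSystem).PartOfDomain) {
        # Escrow in AD DS (requires the BitLocker recovery schema and policy in the domain).
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
    } else {
        # Stand-alone computer: keep the password somewhere other than the startup-key USB device.
        Set-Content -Path $backupPath -Value $rp.RecoveryPassword
    }
    return $vol
}

Enable-OsVolumeBitLocker | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
```

On a computer without a TPM, keeping the recovery password on the same USB device as the startup key defeats the purpose of having two factors; the script writes it there only as a placeholder, and a domain-joined computer escrows it in AD DS instead.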
Module 11
Configuring Applications for Windows 8.1
Contents:
Module Overview
Module Overview
Computer users require applications for every task they perform, such as editing documents, querying
databases, and generating reports. As part of administering the Windows 8.1 operating system, you
need a strategy for deploying and managing the applications that users in your organization will run
on their new Windows 8.1 computers and devices. Based on the specific needs of your organization, you
can choose from a variety of methods to deploy and manage applications, from manual deployment
methods to fully automated management technologies. You also need a strategy to handle the
application compatibility issues that might arise when you try to run applications that were designed for
older versions of Windows operating systems.
Objectives
After completing this module, you will be able to:
Lesson 1
In your organization, scenarios might exist for which certain application deployment methods are more
appropriate than others. In this lesson, you will learn about traditional application deployment, in addition
to the methods that you can use to automate application deployment.
Lesson Objectives
After completing this lesson, you will be able to:
Desktop Apps
Desktop apps are the traditional apps, such as Microsoft Office 2013. Most users and network
administrators are familiar with desktop apps. Desktop apps can be installed on Windows 8.1
computers locally by an administrator with a product DVD that contains a desktop app, or via a
network, or by downloading an app from the Internet.
Windows desktop apps:
Can be automated.
Can be replaced by distributed app installation and execution methods in larger environments.
Can run on Windows 8.1, Windows 8, Windows RT 8.1, and Windows RT.
Are distributed in the .appx file format and must be digitally signed.
Run in full-screen mode by default when not running as active tiles. Two or more Windows Store apps
can be displayed at the same time on one or more displays.
If your organization has developed custom Windows Store apps, you can use a process called sideloading
to install these apps. When sideloading a Windows Store app, you use an .appx installer file. You can use
Dism.exe or the Windows PowerShell command-line interface to sideload and manage Windows Store
apps. For large-scale deployment of sideloaded apps, an enterprise also could use Microsoft System
Center 2012 R2 Configuration Manager.
Sideloading Windows Store apps has the following prerequisites:
To enable sideloading, configure the Allow all trusted apps to install policy setting. This item is located
in the Computer Configuration\Administrative Templates\Windows Components\App Package
Deployment node of the Group Policy Management Console.
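The script below is an added example, not part of the course, that sideloads a custom Windows Store app the way the text describes, with the checks a practitioner wants before trusting a package from a share: it confirms the Allow all trusted apps to install policy is in effect, reads the package identity from AppxManifest.xml, confirms the .appx carries a valid signature whose subject matches the manifest publisher (the prerequisite that sideloaded apps must be digitally signed), and then installs it with Add-AppxPackage. The registry value name under which that policy is stored comes from my own knowledge, not the course; the share path and package name are constructed.

```powershell
# Added example (not from the course). Run as the user who will use the app.
$appxPath  = '\\lon-dc1\apps\LobApp.appx'            # constructed package path
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'

function Test-SideloadingAllowed {
    # "Allow all trusted apps to install" is stored as AllowAllTrustedApps = 1 (my assumption of the value name).
    $v = (Get-ItemProperty -Path $policyKey -Name AllowAllTrustedApps -ErrorAction SilentlyContinue).AllowAllTrustedApps
    return ($v -eq 1)
}

function Get-AppxIdentity {
    param([Parameter(Mandatory)][string]$Path)
    # An .appx is a zip container; the identity lives in AppxManifest.xml at its root.
    Add-Type -AssemblyName System.IO.Compression.FileSystem
    $zip = [IO.Compression.ZipFile]::OpenRead($Path)
    try {
        $entry  = $zip.GetEntry('AppxManifest.xml')
        $reader = New-Object IO.StreamReader($entry.Open())
        [xml]$manifest = $reader.ReadToEnd()
        $reader.Dispose()
        return $manifest.Package.Identity | Select-Object Name, Publisher, Version
    } finally { $zip.Dispose() }
}

function Test-AppxSignature {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$ExpectedPublisher)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { throw "Package $Path is not validly signed: $($sig.Status)" }
    # Windows requires the manifest publisher to match the signing certificate's subject.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -ne $ExpectedPublisher) {
        Write-Warning "Manifest publisher '$ExpectedPublisher' differs textually from certificate subject '$subject'"
    }
    return $subject
}

function Install-SideloadedApp {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-SideloadingAllowed)) { throw 'Sideloading is not enabled by policy.' }
    $identity = Get-AppxIdentity -Path $Path
    $signer   = Test-AppxSignature -Path $Path -ExpectedPublisher $identity.Publisher
    Add-AppxPackage -Path $Path
    # Confirm registration for the current user and return what was installed.
    $installed = Get-AppxPackage -Name $identity.Name
    if (-not $installed) { throw "Add-AppxPackage returned but $($identity.Name) is not registered" }
    [pscustomobject]@{ Name = $installed.Name; Version = $installed.Version; SignedBy = $signer }
}

Install-SideloadedApp -Path $appxPath
```

Add-AppxPackage registers the app for the signed-in user only; to make a package part of the image for every user who signs in, the DISM module's Add-AppxProvisionedPackage (or Dism.exe, as the text mentions) is used from an elevated session instead.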
The installation process for a desktop app begins, and the app installs. By default, all users run as standard
users. Windows 8.1 will prompt the user to elevate to full administrator privileges through User Account
Control (UAC) to install the application.
Note: Apps installed across a network can be installed automatically without user
intervention, depending on the configuration of the app package.
Windows Installer
The Windows Installer is the desktop app installation and configuration service for Windows 8.1. Windows
Installer packages are packaged apps in the .msi file format. An app that is designed for deployment on
Windows-based client computers often is available from a vendor in the .msi format already. You also can
use non-Microsoft app packaging products to convert app installers from the .exe file format to Windows
Installer packages in the .msi format.
A Windows Installer package in the .msi format includes the information that is necessary to add,
remove, and repair an application. You can install an app installer in the .msi format locally, or you can
deploy it through an automatic application deployment solution, such as Group Policy or Configuration
Manager. Because of the way that Windows Installer packages manage changes to an operating system,
applications that you deploy from these packages are more likely to uninstall cleanly than those that
you deploy by using application installers in executable files. This fact is important from an
application-management perspective because it is just as important to be able to remove an application
cleanly, leaving no trace that the application was installed on a target computer, as it is to install it
correctly in the first place.
If an app is packaged as an .msi file and is accessible from the target computer, you can run Msiexec.exe
from an elevated command prompt to install a desktop app. For example, to install an app from a shared
folder, run the following sample command from an elevated command prompt:
Msiexec.exe /i \\lon-dc1\apps\app1.msi
Administrators also can use Windows Installer to update and repair installed desktop apps.
The software must be packaged in the Windows Installer .msi file format.
You can target a deployment at the domain level, the site level, or the organizational unit level.
Assign. You can assign applications to users or computers. When you assign an application to a user,
the application installs when the user signs in. When you assign an application to a computer, the
application installs when the computer starts.
Publish. You can publish applications to users. Doing so makes an application available through the
Programs and Features item in Control Panel. You cannot publish applications to computers.
Difficulty in determining the success of deployments. Group Policy software deployment does not
include reporting functionality. The only way to determine whether an application has installed is to
check it manually.
No prerequisite checking. Group Policy software deployment does not enable you to perform
prerequisite checks directly. You can use Windows Management Instrumentation queries to check,
but doing so is a complex operation that requires significant expertise and time.
No installation schedule. Deployment will occur the next time a Group Policy refresh occurs. You
cannot schedule Group Policy software deployment to occur at a specific date and time.
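The script below is an added example, not part of the course; it wraps the Msiexec.exe command shown earlier in a checked installation and also addresses the first Group Policy limitation above, the lack of reporting: it verifies the package's Authenticode signature before executing anything fetched from the share, installs silently with a verbose log, interprets the Windows Installer exit code, and confirms that the product is registered in the Uninstall registry keys, which is the manual check the text refers to. The share path \\lon-dc1\apps\app1.msi is the course's own example; the product's DisplayName and the log path are my assumptions.

```powershell
# Added example (not from the course). Run from an elevated PowerShell session.
$package     = '\\lon-dc1\apps\app1.msi'
$productName = 'App1'                          # assumed DisplayName registered by the package
$logPath     = Join-Path $env:TEMP 'app1-install.log'

function Test-MsiSignature {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        throw "Refusing to install $Path : signature status is $($sig.Status)"
    }
    return $sig.SignerCertificate.Subject
}

function Install-MsiPackage {
    param([Parameter(Mandatory)][string]$Path, [string]$Log = $logPath)
    # /qn = no UI, /norestart = never reboot on its own, /L*v = verbose log for troubleshooting.
    $args = @('/i', "`"$Path`"", '/qn', '/norestart', '/L*v', "`"$Log`"")
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $args -Wait -PassThru
    switch ($proc.ExitCode) {
        0       { return 'Installed' }
        1641    { return 'Installed; the installer initiated a restart' }
        3010    { return 'Installed; a restart is required' }
        default { throw "msiexec exited with $($proc.ExitCode); see $Log" }
    }
}

function Get-InstalledProduct {
    param([Parameter(Mandatory)][string]$DisplayName)
    # Windows Installer registers products under these keys (64-bit and 32-bit views).
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -eq $DisplayName } |
        Select-Object DisplayName, DisplayVersion, UninstallString
}

$signer = Test-MsiSignature -Path $package
Write-Host "Package signed by: $signer"
Write-Host (Install-MsiPackage -Path $package)
$product = Get-InstalledProduct -DisplayName $productName
if (-not $product) { throw "Install reported success but '$productName' is not registered" }
$product
```

Get-InstalledProduct reads the same keys that the Programs and Features item displays, so it can be run remotely (for example through Invoke-Command) against the computers an assigned or published package was targeted at, to produce the deployment report that Group Policy software deployment itself does not provide.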
Microsoft Deployment Toolkit (MDT) 2013 is a solution accelerator that you can use to automate the
deployment of operating systems and applications to computers. You can use MDT to perform lite-touch
installation (LTI). LTI requires that you trigger operating system deployment or application installation
on each computer, but it requires minimal intervention after the deployment begins. You can use MDT
to perform automated operating system and application deployment without deploying Configuration
Manager. However, you can use MDT when it is integrated with Configuration Manager to perform
zero-touch installation (ZTI). ZTI enables operating system and application deployment and migration
without requiring any intervention.
You can use MDT to perform LTI deployment and migration from the following operating systems:
Windows 7
Windows Thin PC
The LTI process only requires the tools that are available in MDT. You do not need to deploy
Configuration Manager in your environment to perform LTI. To perform LTI by using MDT, perform the
following steps:
1. Deploy MDT on a computer that will function as the management computer, create a deployment
share on this computer, and then import the image files that you will use.
2. Create a task sequence and a boot image for the computer that will function as the reference
computer.
3. Start the reference computer by using the medium that contains MDT. The task sequence files, task
sequence, and boot image transfer to the reference computer.
4. Use the Windows Deployment Wizard to deploy the operating system. After deployment, capture the
reference computer as an image.
5.
6. Create a new boot image and task sequence for deployment to the target computers.
7. Start the deployment target computers by using the medium that contains MDT. The task sequence
files, task sequence, and boot image transfer to the reference computer.
8.
Configuration Manager provides a comprehensive platform for application deployment and management,
and it supports deploying applications in the .exe, .msi, .appv, and .appx file formats. Configuration
Manager enables administrators to target deployments to groups of users and computers, and to
configure deployments to occur at specific dates and times. Computers must have the Configuration
Manager client installed to receive software that Configuration Manager deploys.
Collections
Configuration Manager enables the deployment of applications to computers, users, and security groups.
Configuration Manager enables you to create collections that consist of manually created groups of users
or computers. Collections also can be based on the results of queries of user or computer properties.
Because Configuration Manager can collect information about all aspects of a user or computer, including
all AD DS attributes and software and hardware configurations, you can create focused collections
for targeted application deployment. For example, you can create a collection that includes only the
computers that are located at a specific site with a certain deployed application and a specific piece of
installed hardware.
Configuration Manager enables you to use multiple deployment types when deploying an application.
With this feature, you can configure a single application deployment but make it possible for that
deployment to occur in different ways, depending on the conditions that apply to the target computer
or user. For example, you can configure an application to install locally if a user is logged on to his or
her primary device, but to stream as an App-V application if the user is logged on to another device.
Deployment types also enable you to configure the deployment of the x86 version of an application if the
target computer has a 32-bit processor, or to configure the deployment of the x64 version if the target
computer has a 64-bit processor.
Reporting
Configuration Manager includes extensive reporting functionality. This feature enables you to determine
how successful an application deployment was after its completion. Configuration Manager also enables
you to simulate application deployments before performing them. This feature enables you to
determine, before you perform an actual deployment, whether any factors that you have not
considered might block a successful application deployment.
Configuration Manager supports Wake On LAN (WOL) functionality and maintenance windows. Instead
of interrupting a user with an application installation that might require a restart and the disruption of his
or her current productivity, WOL functionality enables application deployment to occur after-hours, when
the compatible computer is in a low power state. Configuration Manager sends a special signal to these
computers, which return to a fully powered-on state, perform the application installation, and then return
to the low power state.
Maintenance windows enable administrators to define when operations such as software installations and
software update deployments should occur. Maintenance windows give users a predictable period during
which they know that operations requiring a restart of their computers might occur. If users know that
their computers might need to restart at a certain time each week, they are less likely to leave important
documents and programs open at that time, thereby avoiding potential data loss.
Configuration Manager supports software inventory, software metering, and Asset Intelligence. A software
inventory enables you to determine which applications are installed on computers in your organization.
Software metering enables you to monitor how often particular applications are used. Asset Intelligence
enables you to check software licensing compliance, helping ensure that the number of applications
deployed within an organization equals the number of software licenses that are available for those
applications. With this information, you can make informed decisions with respect to future software
deployment. You also can use software inventory and software metering information as a basis for the
creation of collections.
You can use Windows Intune to perform software deployments on user or computer groups. Users and
computers can belong to multiple groups. You can configure Windows Intune to synchronize account
information from AD DS.
You need to deploy the Windows Intune client on target computers to use Windows Intune. If users have
local Administrator rights, they can perform this operation themselves by downloading Windows Intune
client software from the Windows Intune site in their organization. If users do not have Administrator
rights, they can install a Windows Intune client by using Windows Remote Assistance or by bringing their
computers to a branch office location.
You can use Windows Intune to deploy applications to Windows Intune clients in both the .exe and .msi
file formats. You must upload applications to Windows Intune before you can deploy them. You can make
software available as an optional installation or configure it as a required installation.
Windows Intune provides reporting on the success and failure of targeted application deployment. This
feature means that you can determine how many clients out of the target group successfully installed the
deployed application. It also is possible to use Windows Intune to remove applications that previously
were deployed to client computers.
You can integrate Windows Intune with Configuration Manager, enabling you to manage devices that
are hosted in both platforms from a single console. You can use Windows Intune to manage Windows 8.1
computers, irrespective of whether they are members of an AD DS domain. In addition, you can use
Windows Intune to manage computers that run Windows 8, Windows RT 8.1, Mac OS X, Windows 7,
Windows Vista, and Windows XP. You can use Windows Intune to manage PCs and devices at scale.
What Is App-V?
App-V, which is part of the Microsoft Desktop Optimization Pack, is a Microsoft solution that
enables users to run virtualized applications on their computers without having to install
or configure them locally. App-V benefits an organization through faster deployment of
applications and updates, and it minimizes conflicts between applications and various
versions of applications. Before a Windows 8.1 computer can run streamed App-V applications,
you must install the App-V client. The App-V client provides an isolated execution environment
in which App-V applications run. The virtualized applications interact with the App-V client rather than
directly with a host operating system.
With App-V, you can perform nonpersistent application deployment. Nonpersistent application
deployment is useful in scenarios where a person might need to use an application on a computer on an
infrequent basis. This type of deployment also is useful in environments where people are not assigned to
specific computers. For example, a person might need to use a specific application that is not installed as
part of the standard operating-system build in an organization, or where people are assigned computers
each day on a first-come, first-served basis. With App-V, you can provision an application to a user no
matter which computer the user is assigned to. You can configure the application so that it will not remain
on the computer after the user signs out.
The Microsoft Desktop Optimization Pack is a suite of tools and technologies that are available to
customers who purchase Microsoft Software Assurance. App-V supports the virtualization of applications
that run on Windows 8.1 computers and Remote Desktop Services (RDS) on Windows Server 2012 R2.
App-V also supports client computers that run Windows 7, Windows Vista, and Windows XP. It also can
be used with RDS on Windows Server 2008 R2 and Windows Server 2008. Applications are still limited by
platform constraints. You cannot run an x64 application on an x86 host, and an application that requires 4
gigabytes (GB) of RAM to run in a traditional manner still requires 4 GB of RAM to run when sequenced.
You can use App-V to rapidly deploy software and reduce application delivery times, in some cases
by over 80 percent. Reduced desktop image sizes save time and network bandwidth during deployment
and allow rapid deployment of applications directly to a device. You also can update software and
troubleshoot issues quickly by replacing centrally held source files, which you then can test and make
available to all users as they require the software.
Microsoft Application Virtualization case studies
http://go.microsoft.com/fwlink/?LinkId=392420
When planning whether to use App-V as a part of your organization's application deployment strategy,
consider the following:
App-V allows users to run different versions of the same application concurrently. Most applications
do not allow you to install a later version of an application side-by-side with an older version.
However, when applications are virtualized through App-V, the applications are unaware of each
other because each has its own silo that the App-V client provides.
App-V minimizes application conflict. Although unusual, applications can conflict because of
dynamic-link library (DLL) or application programming interface (API) conflicts. When applications
are virtualized and running in separate silos under the App-V client, these conflicts do not occur.
App-V applications can be streamed. App-V applications can be streamed from distribution points.
This feature means that rather than waiting for an entire application to be transferred across a
network and installed, a user can start using the application as soon as enough of it has transferred
across the network for it to begin running. App-V uses Hypertext Transfer Protocol (HTTP) for
streaming rather than Real-Time Streaming Protocol (RTSP), which was used in older versions of the
product.
A deployment does not require a restart. You can deploy an App-V application to a target computer,
and the user can run that application without requiring the target computer to restart.
No extra prerequisite components are required. Other than the App-V client, which must be present,
any prerequisite components are included when sequencing the application. It is not necessary to
deploy extra components, such as Microsoft Visual C++ runtime files, prior to deploying a
sequenced application.
Upgrades are simplified. Because an App-V application runs in its own silo that is disconnected from
the operating system, you can deploy an upgrade to an application over the existing application. This
process is called resequencing.
Nonpersistent installation. You can configure streamed App-V applications so that they are not
stored in the App-V cache after a user signs out. This feature enables you to have applications follow
users as they sign in to different computers, while ensuring that only one instance of an application is
deployed to a user. It also enables sensitive applications to be present on the local computer only
when specific users are signed in, and otherwise, to be inaccessible.
Applications use local resources. A drawback of Windows Server 2012 R2 RemoteApp is that when
multiple users are using a RemoteApp program from the same Remote Desktop (RD) Session Host
server, that server might be under resource pressure. On the other hand, an App-V application uses
the resources of the local computer; therefore, the application does not consume the resources of the
App-V server.
The sequencing process records all changes that the installation of an application makes to a client
computer. These changes include those made to files and folders, environment variables, .ini files, and the
registry. The sequencing process functions in the following way:
1.
2. The Sequencer records all changes to files, registry settings, environment variables, and DLLs, in
addition to any other changes to the computer that hosts the Sequencer.
3.
4. The Sequencer runs the application in this environment. This includes all the modifications that were
made to the computer that hosts the Sequencer.
5. The technician performing the sequencing performs any required post-installation configuration
tasks. The Sequencer records any additional modifications.
6. The Sequencer generates .appv and .msi files and writes them to the folder that the technician
specified.
The computer that functions as the Sequencer needs special preparation. This preparation involves
shutting down services and applications, such as antimalware scanners, that might cause problems with
the sequencing process. You should deploy the role of Sequencer on a virtual machine. The Sequencer
records changes that are made to the host operating system during the application installation. When you
deploy the Sequencer on a virtual machine, you can use virtual machine checkpoints to roll the virtual
machine back to a clean configuration after you sequence each application. This computer should run
the same operating system as the clients on which you will deploy the sequenced application. You can
sequence an x86 application on a computer that runs an x64 version of the App-V Sequencer.
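The script below is an added example, not part of the course, that automates the virtual-machine workflow recommended above: it reverts a Hyper-V sequencer VM to a clean checkpoint before each application, runs the App-V Sequencer's own PowerShell cmdlet inside the VM to produce the .appv and .msi files, and reverts again afterwards so nothing from one sequencing run leaks into the next. The Hyper-V cmdlets are those in the Windows 8.1 Hyper-V module; New-AppvSequencerPackage is assumed to be available from the App-V 5.0 SP2 (or later) Sequencer installed in the VM. The VM name, checkpoint name, installer path, silent-install switch, output share and credentials are all assumptions.

```powershell
# Added example (not from the course). Run on the Hyper-V host that holds the sequencer VM.
$vmName      = 'SEQ-WIN81'                   # assumed sequencer VM name (same OS as the clients)
$cleanSnap   = 'Clean'                       # assumed checkpoint taken right after preparing the VM
$installer   = '\\lon-dc1\apps\app1.exe'     # assumed installer reachable from inside the VM
$installArgs = '/silent'                     # assumed silent switch of that installer
$outputShare = '\\lon-dc1\appv\App1'         # assumed drop location for the .appv and .msi files
$cred        = Get-Credential -Message 'Administrator account inside the sequencer VM'

function Reset-SequencerVm {
    param([string]$Name = $vmName, [string]$Checkpoint = $cleanSnap)
    # Restore-VMSnapshot discards every change the previous sequencing run made to the guest.
    Stop-VM -Name $Name -TurnOff -ErrorAction SilentlyContinue
    Get-VMSnapshot -VMName $Name -Name $Checkpoint | Restore-VMSnapshot -Confirm:$false
    Start-VM -Name $Name
    # Wait until the heartbeat integration service reports the guest is up.
    while ((Get-VM -Name $Name).Heartbeat -notlike 'Ok*') { Start-Sleep -Seconds 5 }
}

function Invoke-Sequencing {
    param(
        [string]$Name = $vmName,
        [string]$Installer = $installer,
        [string]$InstallerOptions = $installArgs,
        [string]$Output = $outputShare
    )
    # Runs the Sequencer inside the guest; the cmdlet records the installer's changes and writes the package.
    Invoke-Command -ComputerName $Name -Credential $cred -ArgumentList $Installer, $InstallerOptions, $Output -ScriptBlock {
        param($Installer, $InstallerOptions, $Output)
        Import-Module AppvSequencer
        # Without -FullLoad the package can be streamed partially, as the lesson describes.
        New-AppvSequencerPackage -Name 'App1' -PrimaryVirtualApplicationDirectory 'C:\Program Files\App1' `
            -Installer $Installer -InstallerOptions $InstallerOptions -Path $Output
    }
    Get-ChildItem -Path $Output -Include *.appv, *.msi -Recurse
}

Reset-SequencerVm
$artifacts = Invoke-Sequencing
$artifacts | ForEach-Object { Write-Host "Produced $($_.FullName)" }
Reset-SequencerVm    # leave the VM clean for the next application
```

Because the installer runs unattended here, step 5 above (post-installation configuration performed by the technician) is not captured; for applications that need it, sequence interactively in the Sequencer console inside the same reverted VM, and keep the checkpoint discipline.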
The stand-alone deployment model requires that you deploy a minimal amount of infrastructure. In this
deployment model, you must deploy a Sequencer to create sequenced applications, and you must deploy
the App-V client to all the Windows 8.1 client computers that will consume App-V applications. In the
stand-alone deployment model, you deploy sequenced applications in Windows Installer format manually
with Group Policy or through Windows Intune. Applications that you deploy by using the stand-alone
deployment model remain on target computers until they are uninstalled.
being installed on all Windows 8.1 client computers and the computer that functions as the Sequencer,
this model requires the deployment of the following components:
Management server. This server enables administrators to manage the App-V infrastructure and to
assign the rights that allow users to consume applications.
Management server database. This database stores configuration settings for the management server.
Publishing server. Sequenced applications are streamed to App-V clients over HTTP from the
publishing server.
Reporting server. This server enables the generation of reports that detail application deployment and
consumption.
You can deploy each of the preceding roles on the same server. In large environments, you deploy
publishing servers to each branch office so that Windows 8.1 computers will be able to stream
applications locally rather than across wide area network (WAN) links.
You can use Configuration Manager to deploy applications in the .appv and .msi formats to client
computers. An advantage of the Configuration Manager integrated model over the other models is
that you can configure the application deployment process to detect automatically whether a target
computer has an App-V client installed and, if a client is not present, to deploy a client before deploying
the application. The Configuration Manager integrated model supports streaming when deploying
sequenced applications in the .appv format, and it supports local installation when using sequenced
applications in the .msi format. The Configuration Manager integrated model requires that you have
deployed Configuration Manager in your environment previously and have configured a computer to
function as an application sequencer.
Users of computers that run the x86 version of Windows 8.1 need to access an application that is
available only in an x64 version.
Users of computers that have 4 GB of RAM need to run an application that requires 8 GB of RAM.
In each of the preceding scenarios, the application is provided to the user through RemoteApp. The
application displays locally but runs on a platform that has appropriate hardware resources to support
the application. RemoteApp programs can run directly on RD Session Host servers or on separate virtual
machines in a Remote Desktop Virtual Desktop Infrastructure (VDI) scenario. From a user's perspective,
little difference exists between a RemoteApp program that runs on an RD Session Host server and a
RemoteApp program that is installed on a virtual machine in a VDI scenario.
Running a RemoteApp program on an RD Session Host server has the following advantages and
disadvantages:
You install applications directly on RD Session Host servers and then make them available to users as
RemoteApp programs. This technique makes it simpler to deploy applications than by using
RemoteApp on VDI.
You cannot deploy different versions of the same application on RD Session Host servers. The
exception to this rule occurs when you also deploy the App-V client on an RD Session Host
Application Virtualization server.
You must configure each RD Session Host server in the server farm identically.
You can scale this solution by adding more identically configured RD Session Host servers. Doing so
can be complicated if a large number of applications need to be deployed on each RD Session Host
server.
The RemoteApp on VDI solution has the following advantages and disadvantages:
You install applications on virtual machines and make them available to users as published
RemoteApp programs.
Having to deploy Windows Server 2012 R2 Hyper-V and configure virtual machines for VDI can
make this solution seem more complex from an administrative standpoint.
Applications run on client virtual machines. Therefore, applications that are not supported on
RD Session Host servers can be deployed as RemoteApp programs.
You do not need to configure virtual machines identically. You install an application on one or more
virtual machines, and the Remote Desktop Connection Broker connects users to virtual machines that
have the RemoteApp program installed.
Make sure that you have enough virtual machines with an application installed to meet the demand
for that application. In complex environments, you can use Microsoft System Center 2012 R2 Orchestrator
and Microsoft System Center 2012 R2 - Virtual Machine Manager to automate the deployment of extra
virtual machines and applications to meet specific demands.
RemoteApp on VDI is more scalable. You can deploy Hyper-V, virtual machines, and use cloned
virtual machines.
You can make RemoteApp programs available through RD Web Access. When you do so, users can
connect to an RD Web Access server to launch applications. By default, the location of an RD Web
Access site is https://<ServerFQDN>/RDWeb, where <ServerFQDN> represents the fully qualified domain
name (FQDN) of the RD Web Access server. When a user connects to this site, the site displays a list of
RemoteApp programs and RD Session Host servers to which that user has access.
You can publish RemoteApp programs through Group Policy by configuring the default connection
URL policy with the address of the RemoteApp feed. When you do so, the list of available RemoteApp
programs is published to the Start screen of Windows 8.1. The default location of this feed is
https://<ServerFQDN>/Rdweb/webfeed.aspx. You can configure the default connection URL by editing
the following policy: User Configuration\Policies\Administrative Templates\Windows Components\Remote
Desktop Services\RemoteApp and Desktop Connections.
Lesson 2
Windows 8.1 supports Windows Store apps, which were introduced with Windows 8 and Windows RT.
Windows Store apps are small, light, and easily accessible. It is important that you know how to manage
user access to the Windows Store, which will enable you to control the installation and use of these apps.
Lesson Objectives
After completing this lesson, you will be able to:
These apps can communicate with one another and with Windows 8.1 so that it is easier to search for and
share information, such as photographs. After an app is installed, from the Start screen, users can see tiles
that constantly update with live information from installed apps.
The landing page is the initial page that users see when accessing the Windows Store. When users connect
to the Windows Store, they can locate apps easily on the landing page. Windows Store Apps are divided
into categories such as Games, Entertainment, Music & Videos, and others.
Users also can use the Windows 8.1 Search charm to search the Windows Store for specific apps. For
example, if a user is interested in an app that provides video-editing capabilities, he or she can select the
Search charm, type in a search text string, and then click Store. The Windows Store returns suitable apps
from which the user can make a selection.
Installing Windows Store apps is a straightforward task for most users. A single tap on the appropriate
app in the listing should be sufficient to install the app. Apps install in the background so that users can
continue browsing the Windows Store. After an app is installed, a tile for the app appears on the user's
Start screen.
Windows 8.1 checks the Windows Store for updates to installed apps on a daily basis. When an update for
an installed Windows Store app is available, Windows updates the Store tile on the Start screen to display
an indication that updates are available. When a user selects the Store tile and connects to the Windows
Store, the user can choose to update one, several, or all of his or her installed apps for which updates are
available.
Many users have multiple devices, such as desktop and laptop computers. The Windows Store allows 81
installations of a single Windows Store app so that users can run the app on all of their devices. If users
attempt to install an app on an 82nd device, they are prompted to remove the app from another device.
1. From the Start screen, run gpedit.msc with administrative permissions, and then load the Local
Group Policy Editor.
2. Under Local Computer Policy, expand User Configuration, expand Administrative Templates,
expand Windows Components, and then click Store.
4. In the Turn off the Store application dialog box, click Enabled, and then click OK.
When the Windows Store is disabled, users will see a Windows Store isn't available on this PC message
when they attempt to access the Store tile on the Start screen.
Note: You can use a GPO to disable the Windows Store for target computers, specific users,
or groups of users.
In addition to disabling the Windows Store on a computer, you also can use AppLocker to control which
apps can be installed.
Note: This module covers AppLocker later.
Managing Updates
Information technology (IT) administrators have limited control over updates for installed Windows Store
apps. By default, the update process for apps is automated for users of Windows 8.1 computers. It is
possible to turn off automatic updates for apps at any time by configuring the App updates setting within
the Windows Store. Unless you disable the automatic app updates, you cannot control which updates are
available. Once triggered, all updates will be downloaded.
To prevent malware from deploying via the sideloading process, Windows 8.1 only allows apps that have
been signed by the developer using a trusted root certificate. If your organization creates a LOB app, it
also should be signed by using the organizational trusted root certificate. You can use a self-signed
certificate to sideload an app, but administrators should note that this is not a best practice in a
production environment.
The Allow all trusted apps to install GPO setting must be enabled.
In a Bring Your Own Device (BYOD) scenario where a personal device such as a Microsoft Surface 2 tablet
is used in the workplace, you also can sideload this device with LOB apps by first installing a sideloading
product key on the device. A sideloading product key can be obtained in the following ways:
Select Command Prompt (Admin) from the Administrative menu by pressing Windows logo
key+X.
Enable sideloading.
Demonstration Steps
Enable sideloading
3. Under Local Computer Policy in the navigation pane, expand Computer Configuration, expand
Administrative Templates, expand Windows Components, and then click App Package
Deployment.
5. In the Allow all trusted apps to install dialog box, click Enabled, and then click OK.
2. Install the certificate into the Local Machine Trusted Root Certification Authorities certificate
store.
Note: Your Windows Store apps must be digitally signed and can be installed only on
computers that trust the certification authority that provided the app's signing certificate.
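The following PowerShell script is an added example, not part of the course material: it checks the two prerequisites this topic describes (the Allow all trusted apps to install policy, and a package signature that chains to a root the computer trusts) before sideloading an .appx package, and then confirms the installation. The file paths and the TestAppTKL1 package name are assumptions for the example.

```powershell
# Added example, not part of the course: verify sideloading prerequisites, then install.
# Assumptions (constructed for this example): the package and its signing certificate
# are at the paths below; TestAppTKL1 is the app name used in the course demonstration.
$PackagePath = 'C:\Sideload\TestAppTKL1.appx'
$CertPath    = 'C:\Sideload\TestAppTKL1.cer'
$AppName     = 'TestAppTKL1'

function Test-SideloadPolicy {
    # The "Allow all trusted apps to install" Group Policy setting is stored as the
    # AllowAllTrustedApps value under this key; 1 means the policy is enabled.
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'
    $value = (Get-ItemProperty -Path $key -Name AllowAllTrustedApps -ErrorAction SilentlyContinue).AllowAllTrustedApps
    return ($value -eq 1)
}

function Test-PackageTrust {
    param([string]$Path)
    # Get-AuthenticodeSignature understands .appx packages. Status is 'Valid' only when
    # the package is signed and the signer chains to a root the local machine trusts;
    # an unsigned package reports 'NotSigned', an untrusted root 'UnknownError'.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Status  = $sig.Status
        Signer  = $sig.SignerCertificate.Subject
        Trusted = ($sig.Status -eq 'Valid')
    }
}

if (-not (Test-SideloadPolicy)) {
    throw 'Enable "Allow all trusted apps to install" (Computer Configuration > Administrative Templates > Windows Components > App Package Deployment) before sideloading.'
}

$trust = Test-PackageTrust -Path $PackagePath
if (-not $trust.Trusted) {
    # The lesson's remedy: import the certificate into the Local Machine Trusted Root
    # Certification Authorities store. A root placed here is trusted for everything it signs,
    # so this step belongs only to certificates your organization issued or vetted.
    Write-Warning "Signer '$($trust.Signer)' is not trusted (status: $($trust.Status)); importing $CertPath."
    Import-Certificate -FilePath $CertPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
    $trust = Test-PackageTrust -Path $PackagePath
    if (-not $trust.Trusted) { throw "Package still not trusted after import: $($trust.Status)" }
}

# Install the package for the current user and confirm that it is registered.
Add-AppxPackage -Path $PackagePath
$installed = Get-AppxPackage -Name $AppName
if ($installed) {
    "Installed $($installed.Name) $($installed.Version), signed by $($trust.Signer)"
} else {
    throw "$AppName did not install."
}
```

Run it from an elevated PowerShell prompt, because importing into the Local Machine store requires administrative rights.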
3. On the Start screen, type TestAppTKL1 and then press Enter. Verify that the six groups of tiles are
present in the TestAppTKL1 app.
On the Start Screen, right-click the TestAppTKL1 tile, and then click Uninstall.
Lesson 3
A browser is like any other application. You either can manage and secure it well, or manage it poorly.
If you manage a browser poorly, you and your organization risk consuming more time and money
supporting users and dealing with security infiltrations, malware, and loss of productivity.
Users can browse more safely by using Internet Explorer 11, which in turn helps maintain customer trust
in the Internet and helps protect the IT environment from the evolving threats that the web presents.
Internet Explorer 11 specifically helps users maintain their privacy with features such as InPrivate
Browsing and InPrivate Filtering. The SmartScreen Filter provides protection against social engineering
attacks by:
Identifying malicious websites that try to trick people into providing personal information or installing
malware.
Internet Explorer 11 helps prevent a browser from becoming an attack agent, and it provides more
detailed control over the installation of ActiveX controls with per-site and per-user ActiveX features.
The cross-site scripting filter protects websites from attacks.
Lesson Objectives
After completing this lesson, you will be able to:
Internet Explorer 11 provides an automatic Compatibility View that invokes an older Internet Explorer
engine to display webpages whenever detecting a legacy website. This helps improve compatibility with
applications written for older versions of Internet Explorer. If you do not see the Compatibility View
button appear in the Address bar, there is no need to turn on Compatibility View because Internet
Explorer 11 will have detected that the webpage has loaded correctly.
Note: By default, intranet sites and apps continue to run in Internet Explorer 11, which
supports Compatibility View.
Compatibility View in Internet Explorer 11 helps display a webpage as it is meant to be viewed. This view
provides a straightforward way to fix display problems such as out-of-place menus, images, and text. The
main features in Compatibility View are:
Internet websites display in Internet Explorer 11 standards mode by default. Use the Compatibility
View button to fix sites that render differently than expected.
Internet Explorer 11 remembers sites that have been set to Compatibility View so that a user only
needs to press the button once for a site. After that, the site always renders in Compatibility View
unless it is removed from the list.
Intranet websites display in Compatibility View by default. This means that internal websites that were
created for older versions of Internet Explorer will work.
You can use Group Policy to set a list of websites to render in Compatibility View.
Switching in and out of Compatibility View occurs without requiring that a user restart the browser.
The Compatibility View button only displays if it is not clearly stated how the website is to render. In other
cases, such as viewing intranet sites or viewing sites with a <META> tag or an HTTP header that
indicates Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 standards, the
button is hidden.
When Compatibility View is activated, the page refreshes and a balloon tip in the taskbar notification area
indicates that the site is now running in Compatibility View.
The Compatibility View settings option in the Tools menu enables you to customize the Compatibility
View to meet enterprise requirements. For example, you can configure it so that all intranet sites display
in Compatibility View (the default), or you can configure it so that all websites are viewed in Compatibility
View.
Privacy Features
One of the biggest concerns for users and organizations is the issue of security and privacy when using
the Internet. Internet Explorer 11 helps users maintain their security and privacy. For enterprises that need
users to be able to browse without collecting browsing history, Internet Explorer 11 has a privacy mode
called InPrivate Browsing, which allows users to surf the web without leaving a trail. As an alternative to
InPrivate Browsing, a user can use the Delete Browsing history option found in the Internet options dialog
box to delete their browsing history manually without losing site functionality.
InPrivate Browsing
InPrivate Browsing helps protect data and privacy by preventing the browser from locally storing or
retaining browsing history, temporary Internet files, form data, cookies, user names, and passwords. This
leaves virtually no evidence of browsing or search history as the browsing session does not store session
data.
From an enterprise and IT professional perspective, InPrivate Browsing is inherently more secure than
using the Delete Browsing history option to maintain privacy because there are no logs kept or tracks
made during browsing. InPrivate Browsing is a proactive feature because it enables you to control what
is tracked in a browsing session.
Some users might attempt to use InPrivate Browsing to conceal their tracks when browsing prohibited
or nonwork websites. However, you have full manageability control, and you can use Group Policy to
configure how your organization uses InPrivate Browsing.
Tracking Protection
Most websites today contain content from several different sites. The combination of these sites
sometimes is referred to as a mashup. People have begun to expect this type of integration, from something
like an embedded map from a mapping site to greater integration of advertisements or multimedia
elements. Organizations try to offer more of these experiences because it draws potential customers to
their site. This capability makes the web more robust, but it also provides an opportunity for a hacker to
create and exploit vulnerabilities.
Every piece of content that a browser requests from a website discloses information to that site,
sometimes even if a user has blocked all cookies. Often, users are not fully aware that their web browsing
activities are tracked by websites other than those they have consciously chosen to visit.
Tracking Protection monitors the frequency of all third-party content as it appears across all websites that
a user visits. An alert or frequency level is configurable and is initially set to 10. Third-party content that
appears with high incidence is blocked when the frequency level is reached. Tracking Protection does not
discriminate between different types of third-party content. It blocks content only when it appears more
than the predetermined frequency level.
Note: Tracking Protection Lists can help increase your browsing privacy. When you install
a Tracking Protection List, you will prevent the websites specified in the list from sending your
browsing history to other content providers. Microsoft maintains a website that contains Tracking
Protection Lists that you can install.
Cookies and cookie protection are one aspect of online privacy. Some organizations write scripts to clean
up cookies and browsing history at the end of a browsing session. This type of environment might be
necessary for sensitive data, for regulatory or compliance reasons, or for private data in the healthcare
industry.
The Delete Browsing History dialog box in Internet Explorer 11 enables users and organizations to delete
browsing history selectively. For example, a history can be removed for all websites except those in a
user's Favorites. You can switch this feature on and off in the Delete Browsing History dialog box, and it
is called Preserve Favorites website data.
You can configure Delete Browsing history options through Group Policy. You also can configure which
sites are included automatically in Favorites. This allows you to create policies that ensure security without
affecting daily interactions with a user's preferred and favorite websites. The Delete browsing history on
exit check box in Internet options allows you to delete the browsing history automatically when Internet
Explorer 11 closes.
The SmartScreen Filter was introduced in previous versions of Internet Explorer and has developed into a
range of defensive tools, including:
SmartScreen Filter, which is the spam filtering solution that is built into Microsoft email solutions.
The SmartScreen Filter component of Internet Explorer 11 relies on a web service that is backed by a
Microsoft-hosted URL reputation database. The SmartScreen Filter's reputation-based analysis works
alongside other signature-based antimalware technologies, such as Windows Defender, to provide
comprehensive protection against malware. With the SmartScreen Filter enabled, Internet Explorer 11
performs a detailed examination of an entire URL string and compares the string to a database of sites
known to distribute malware. The SmartScreen Filter then checks the website that a user is visiting against
a dynamic list of reported phishing sites and malware sites. If the website is known to be unsafe, it is
blocked and the user is notified.
You can check the safety of a website manually with SmartScreen Filter. To do so, perform the following
procedure:
ActiveX controls
Plug-ins
Browser extensions
Toolbars
Explorer bars
Search providers
Accelerators
Microsoft Silverlight
Apple QuickTime
Java applets
3. In the Manage Add-ons dialog box, in the Show drop-down list, click All add-ons.
4. Find the name of the add-on that you want to modify in the reading pane. To disable an add-on,
click it, and then click Disable. To enable an add-on, tap or click it, and then click Enable.
Note: Add-ons will work only in Internet Explorer for the desktop. The Windows UI version
of Internet Explorer always runs with Enhanced Protected Mode enabled, which means add-on-free
browsing.
If an organization wants to restrict users from viewing Adobe Flash videos, you can turn this feature on or
off with a Group Policy setting by performing the following procedure:
3. In the Local Group Policy Editor, expand User Configuration, expand Administrative Templates,
expand Windows Components, expand Internet Explorer, expand Security Features, expand Add-on
Management, and then double-click Turn off Adobe Flash in Internet Explorer and prevent
applications from using Internet Explorer technology to instantiate Flash objects.
4. Click Enable.
Windows 8.1 provides more than 90 GPOs that allow IT professionals to manage Internet Explorer 11 by
using Group Policy. Settings that are related to Internet Explorer 11 can be found within the following
locations in the Local Group Policy Editor:
Another popular add-on customization that can increase productivity for users is changing the default
Internet search provider. This can be achieved by performing the following procedure:
4. Right-click the name of the search provider that you want to use in the reading pane, and then click
Set as default.
5. If the search provider is not listed, click Find more search providers.
8. In the Manage Add-ons dialog box, click Search Providers, right-click the search provider that you
added, and then click Set as default.
The Internet Explorer Administration Kit (IEAK) 11 is a set of tools that IT professionals can use to create,
deploy, and manage customized versions of Internet Explorer 11 for use in organizations.
Internet Explorer Administration Kit Information and Downloads
http://go.microsoft.com/fwlink/?LinkId=378256&clcid=0x409
Atari Arcade with Internet Explorer 11 brings arcade classics to the web; this is an example
of the capabilities available within the modern browser.
http://go.microsoft.com/fwlink/?LinkId=378257&clcid=0x409
ActiveX controls are relatively straightforward to create and deploy, and they provide extra functionality
beyond regular webpages. Organizations cannot control the inclusion of ActiveX controls or how they are
written. Therefore, organizations need a browser that provides flexibility in dealing with ActiveX controls
so that they are usable, highly secure, and pose as small a threat as possible.
Per-user ActiveX
By default, Internet Explorer 11 employs ActiveX Opt-In, which disables most controls on a user's
computer. Per-user ActiveX makes it possible for standard users to install ActiveX controls in their own
user profile without requiring administrative permissions. This helps organizations realize the full benefit
of UAC, giving standard users the ability to install ActiveX controls that are necessary in their daily
browsing.
In most situations, if a user happens to install a malicious ActiveX control, the overall system remains
unaffected because the control is installed under the user's account only. Because installations are
restricted to a user profile, the cost and risk of a compromise are lowered significantly.
When a webpage attempts to install a control, an information bar is displayed to the user. The user can
choose to install the control system-wide or only for his or her user account. The options in the ActiveX
menu vary depending on a user's rights, as managed by Group Policy settings, and whether the control
has been packaged to allow per-user installation. You can disable this feature in Group Policy.
Per-site ActiveX
When a user navigates to a website that contains an ActiveX control, Internet Explorer 11 performs a
number of checks, including a determination of where a control is permitted to run. If a control is installed
but is not permitted to run on a specific site, an information bar appears that asks the user's permission to
run on the current website or on all websites. Administrators can use Group Policy to preset Internet
Explorer configurations with allowed ActiveX controls and their related trusted domains.
Most sites have a combination of content from local site servers and content obtained from other sites or
partner organizations. Cross-Site Scripting attacks exploit vulnerabilities in web applications and enable an
attacker to control the relationship between a user and a website or web application that they trust.
Cross-Site Scripting can enable attacks such as:
Cookie theft, including session cookies, which can lead to account hijacking.
Monitoring keystrokes.
Internet Explorer 11 includes a filter that helps protect against Cross-Site Scripting attacks. The Cross-Site
Scripting Filter has visibility into all requests and responses flowing through the browser. When the filter
discovers likely Cross-Site Scripting in a request, it identifies and neutralizes the attack if it is replayed in
the server's response. The Cross-Site Scripting filter helps protect users from website vulnerabilities. It does
not ask difficult questions that users are unable to answer, nor does it harm functionality on a website.
DEP
Internet Explorer 7 introduced a Control Panel option to enable memory protection to help mitigate
online attacks: DEP or No Execute (NX). DEP/NX helps thwart attacks by preventing code from running
in memory that is marked non-executable, such as a virus disguised as a picture or video. DEP/NX also
makes it harder for attackers to exploit certain types of memory-related vulnerabilities, such as buffer
overruns.
DEP/NX protection applies to both Internet Explorer and the add-ons it loads. No additional user
interaction is required to activate this protection, and unlike Internet Explorer 7, this feature is enabled by
default for Internet Explorer 11.
Protected Mode was first introduced in Internet Explorer 7 with Windows Vista as a defense-in-depth
feature, which reduced the amount of permissions that a browser was given to modify system settings
or to write to a computer's hard disk. Internet Explorer 11 builds on the additional security in previous
versions of Internet Explorer. Unlike Internet Explorer 10, Enhanced Protected Mode is turned on by
default in Internet Explorer 11.
The inclusion of some additional capabilities in Enhanced Protected Mode is described in the following
table.
Enhancement
Description
64-bit processes
Demonstration Steps
Configure Compatibility View
3. Verify that the website address has not been retained in the browsing history.
Download a file
1. Navigate to http://LON-DC1, and then click the Download Current Projects link.
Holly Dickson at A. Datum Corporation is concerned about her users' security settings when they are
browsing the Internet, especially when they are doing so while connected to their customers' networks.
She has asked you to investigate the improvement of Internet Explorer security settings on her users'
computers.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 15 minutes
Virtual machines: 20687D-LON-DC1, 20687D-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
Password: Pa$$w0rd
Domain: Adatum
In this exercise, you will implement some of the security and compatibility features in Internet Explorer 11.
The main tasks for this exercise are as follows:
6. Download a file.
1. On LON-CL1, sign in as Adatum\Administrator with password Pa$$w0rd, and then open Internet
Explorer.
2. On the Tools menu, click Internet options and then open the Delete Browsing History dialog box.
2. In the Delete Browsing History dialog box, select the Preserve Favorites website data and History
check boxes. Clear all other options, click Delete, and then click OK.
4. Open Internet Explorer, navigate to http://LON-DC1, and then verify that this site's address is stored
in your history.
5. Delete the browsing history again, selecting only Temporary Internet files and website files,
Cookies and website data, and History.
2. Navigate to http://LON-DC1.
3. Confirm that this address has not been retained in your site history.
3. Click the Current Projects link on the intranet home page. This fails to load a required add-on. Close
the newly opened tab.
5. Click the Current Projects link on the intranet home page. This attempt is successful.
In Internet Explorer, from the Tools menu, open the Manage Add-ons dialog box.
2. Browse to http://LON-DC1, and then click the Download Current Projects link.
4. Close Excel.
Results: After completing this exercise, you should have successfully configured security and compatibility
settings in Internet Explorer.
When you have finished the lab, leave the virtual machines running, as they are needed for the next
lab.
Lesson 4
The reliability and security of enterprise devices significantly increases with the ability to control which
applications a user, or set of users, can run. Overall, an application lockdown policy can lower the total
cost of computer ownership in an enterprise. AppLocker controls application execution and simplifies the
ability to author an enterprise application lockdown policy. It also reduces administrative overhead and
helps administrators control how users access and use files such as .exe and .appx files, scripts, Windows
Installer files (.msi, .mst, and .msp files), and .dll files.
Lesson Objectives
After completing this lesson, you will be able to:
Explain how AppLocker rules work to enforce your chosen application usage policy.
What Is AppLocker?
Today's organizations face a number of challenges in controlling which applications run on client
computers, including:
Windows Vista addressed this issue by supporting software restriction policies, which administrators used
to define the list of applications that users were allowed to run. AppLocker builds on this security layer,
providing you with the ability to control how users run all types of applications, such as executable files,
Windows Store .appx apps, scripts, Windows Installer files (.msi, .mst, and .msp), and .dll files.
AppLocker Benefits
You can use AppLocker to specify exactly what is allowed to run on user PCs and devices. This allows
users to run the applications, installation programs, and scripts that they require to be productive, while
still providing the security, operational, and compliance benefits of application standardization.
Limit the number and types of files that are allowed to run, by preventing unlicensed software
or malware from running, and by restricting the ActiveX controls that are installed.
Reduce the total cost of ownership by ensuring that workstations are homogeneous across an
enterprise and that users only run software and applications that an enterprise approves.
AppLocker Rules
You can prevent many problems in your work environment by controlling what applications a user can
run. AppLocker lets you do this by creating rules that specify exactly what applications a user is allowed
to run, and can be configured to continue to function even when applications are updated.
Because AppLocker is an additional Group Policy mechanism, IT professionals and system administrators
need to be comfortable with Group Policy creation and deployment. This makes AppLocker ideal for
organizations that currently use Group Policy to manage their Windows 8.1 computers or have per-user
application installations.
A new AppLocker Microsoft Management Console (MMC) snap-in in the Group Policy Management
Console (GPMC) offers an improvement to the process of creating AppLocker rules. AppLocker provides
several rule-specific wizards. You can use one wizard to create a single rule and another wizard to
generate rules automatically, based on your rule preferences and the folder that you select. The four
wizards that AppLocker offers administrators to author rules are:
Executable Rules
Script Rules
At the end of the wizards, you can review a list of analyzed files. You then can modify the list to remove
any file before rules are created for the remaining files. You also can receive useful statistics about how
often a file has been blocked, or test the AppLocker policy for a specific computer.
Accessing AppLocker
To access AppLocker, run Gpedit.msc from the Start screen. Then browse to Computer Configuration,
Windows Settings, Security Settings, and then Application Control Policies. Expand the Application Control
Policies node, and click AppLocker.
In AppLocker you can configure Executable Rules, Windows Installer Rules, and Script Rules. For example,
you can right-click the Executable Rules node, and then click Create New Rule. You then can create a rule
that allows or denies access to an executable file based on such criteria as the file path or publisher.
AppLocker also will let you apply both default and automatically generated rules.
Many organizations implement standard user policies, which allow users to sign in to their computers only
as a standard user. More independent software vendors are creating per-user applications that do not
require administrative rights to be installed and are instead installed and run in the user profile folder. As
a result, standard users can install many applications and circumvent an application lockdown policy.
With AppLocker, you can prevent users from installing and running per-user applications by creating a set
of default AppLocker rules. Default rules also ensure that the key operating system files are allowed to run
for all users.
Note: Before you manually create new rules or automatically generate rules for a specific
folder, you must create default AppLocker rules.
Specifically, default rules enable the following:
All users can run files in the default Program Files directory.
All users can run all files that are signed by the Windows operating system.
2. In the console tree, double-click Application Control Policies, and then double-click AppLocker.
3.
By creating these rules, you also have automatically prevented all non-administrator users from being
able to run programs that are installed in their user profile directory. You can recreate the rules at any
time.
Note: Without default rules, critical system files might not run. Once you have created one
or more rules in a rule collection, only applications that are affected by those rules are allowed to
run. If default rules are not created and you are blocked from performing administrative tasks,
restart the computer in safe mode, add the default rules, delete any Deny rules that are
preventing access, and then refresh the computer policy.
Once you create default rules, you can create custom application rules. To facilitate creating sets or
collections of rules, AppLocker includes a new Automatically Generate Rules Wizard that is accessible from
the Local Security Policy console. This wizard simplifies the task of creating rules from a user-specified
folder. By running this wizard on reference computers and specifying a folder that contains the executable
files for applications for which you want to create rules, you can quickly create AppLocker policies
automatically.
When you create a rule manually, you can choose whether it is an Allow or Deny rule. Allow rules enable
applications to run, whereas Deny rules prevent applications from running. The Automatically Generate
Rules Wizard only creates Allow rules.
Note: After you create one or more rules in a rule collection, only applications that are
affected by those rules are allowed to run. For this reason, always create the default AppLocker
rules for a rule collection first. If you did not create default rules and are prevented from
performing administrative tasks, restart the computer in safe mode, add the default rules, delete
any Deny rules that are preventing access, and then refresh the computer policy.
You can create exceptions for executable files. For example, you can create a rule that allows all Windows
processes to run except Regedit.exe and then use audit-only mode to identify files that will not be
allowed to run if the policy is in effect. You can create rules automatically by running the wizard and
specifying a folder that contains the executable files for applications for which to create rules.
Note: Do not select a folder that contains one or more user profiles. Creating rules to allow
executable files in user profiles might not be secure.
Before you create the rules at the end of the wizards, review the analyzed files and view information
about the rules that will be created. After the rules are created, edit them to make them more or less
specific. For example, if you selected the Program Files directory as the source for automatically
generating the rules and also created the default rules, there is an extra rule in the Executable Rules
collection.
2. In the console tree under Application Control Policies\AppLocker, right-click Executable Rules, and then click Automatically Generate Rules.
3.
4. In the Browse For Folder dialog box, select the folder that contains the executable files that you want to create the rules for, and then click OK.
5. Type a name to identify the rules, and then click Next. To help sort the rules in the MMC list view, the name that you provide is used as a prefix for the name of each rule that is created.
6. On the Rule Preferences page, click Next without changing any of the default values. The Rule generation progress dialog box is displayed while the files are processed.
7. On the Review Rules page, click Create. The wizard closes, and the rules are added to the Executable Rules details pane.
After automatically generating rules based on your preferences, you can edit the rules to make them
more detailed.
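The same rule generation can be scripted with the AppLocker PowerShell module, which also lets you start the new collection in Audit only and merge it into the local policy without losing the default rules. This is an added example, not part of the course text; the folder path, the Contoso rule-name prefix and the test user Adatum\Holly are placeholders.

```powershell
# Added example (not from the course text): build an Exe rule collection from a
# reference folder, the way the Automatically Generate Rules wizard does, set it
# to Audit only, test it, and merge it into the local policy.
# Assumptions: the folder path, the 'Contoso' rule-name prefix and the test user
# Adatum\Holly are placeholders. Run from an elevated Windows PowerShell session.
Import-Module AppLocker

$referenceFolder = 'C:\Program Files\Contoso App'          # assumption
$policyPath      = Join-Path $env:TEMP 'Contoso-Exe-AuditOnly.xml'

# Gather publisher, hash and path information for every executable in the folder.
$files = Get-AppLockerFileInformation -Directory $referenceFolder -Recurse -FileType Exe

# Publisher rules first (they survive updates, as the text explains); hash rules
# only for files that are not signed. -Optimize merges rules for the same publisher.
$policyXml = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
    -RuleNamePrefix 'Contoso' -User Everyone -Optimize -Xml

# Start in Audit only: matching attempts are logged (event 8003) but nothing is blocked.
[xml]$policy = $policyXml
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'
}
$policy.Save($policyPath)

# Dry run against the folder's executables plus Regedit.exe. The generated XML has
# no default rules, so Regedit.exe shows up as DeniedByDefault: that is the trap
# the note in the text warns about, and why the merge below keeps the default rules.
$testPaths = @((Get-ChildItem -Path $referenceFolder -Recurse -Filter *.exe).FullName) +
             (Join-Path $env:windir 'regedit.exe')
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $testPaths -User 'Adatum\Holly' `
    -Filter Denied, DeniedByDefault

# Merge (not replace) into the local policy so the existing default rules remain.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# Enforcement needs the Application Identity service and a policy refresh.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
gpupdate /force

# Later, once the audit log looks clean, change EnforcementMode to 'Enabled' in the
# XML and apply it again with Set-AppLockerPolicy -Merge.
```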
With the advent of new experimental identification technologies in web browsers and operating
systems, more independent software vendors are using digital signatures to sign their applications. These
signatures simplify an organization's ability to identify applications as genuine and to create a better and
more trustworthy user experience.
Creating rules based on the digital signature of an application helps make it possible to build rules that
survive application updates. For example, an organization can create a rule to allow all versions greater
than 9.0 of a program to run if it is signed by the software publisher. In this way, when the program is
updated, IT professionals can deploy the application update safely without having to build another rule.
Note: Before performing the following procedure, ensure that you have created default
rules.
Perform the following procedure to allow only signed applications to run:
1. To open the Local Security Policy MMC snap-in, on the Start screen, type secpol.msc, and then press Enter.
2. In the console tree, double-click Application Control Policies, and then double-click AppLocker.
3.
4.
5.
6.
7. On the Publisher page, note that the default setting is to allow any signed file to run, and then click Next.
8.
9. On the Name and Description page, accept the default name or enter a custom name and description, and then click Create.
By using this rule and ensuring that all applications are signed within your organization, you can be sure
that users only run applications from known publishers.
Note: This rule prevents unsigned applications from running. Before implementing this
rule, ensure that all of the files that you want to run in your organization are digitally signed. If
any applications are not signed, consider implementing an internal signing process to sign
unsigned applications with an internal signing key.
If you created default rules and then selected the Program Files folder as the source to generate rules
automatically, there are one or more extraneous rules in the Executable Rules collection. When you create
the default rules, a path rule is added to allow any executable file in the entire Program Files folder to run.
This rule is added to ensure that users are not by default prevented from running applications. Because
this rule conflicts with rules that were generated automatically, delete this rule to ensure that the policy is
more specific. The name of the default rule is (Default Rule) Microsoft Windows Program Files Rule.
Perform the following procedure to delete a rule:
1.
2. In the console tree under Application Control Policies\AppLocker, click Executable Rules.
3. In the details pane, right-click (Default Rule) Microsoft Windows Program Files Rule, and then click Delete.
4. To determine if any applications are excluded from the rule set, enable the Audit only enforcement mode.
Before you can enforce AppLocker policies, you must start the Application Identity service. You need to be
a member of the local Administrators group, or equivalent, to start the service by using the following
procedure:
1. Click Start, type Services, and then click View local services.
2.
3. In the Application Identity Properties dialog box, in the Startup type list, click Automatic, click Start, and then click OK.
Note: If an AppLocker rule is not working, check to see that the Application Identity service
has started. This service is required to be running for AppLocker to work.
Question: When testing AppLocker, you must consider carefully how you will organize rules
between linked Group Policy Objects (GPOs). What do you do if a GPO does not contain the
default AppLocker rules?
Demonstration Steps
Create a custom AppLocker rule
1. Sign in as administrator.
2.
3. In the Local Group Policy Editor, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Application Control Policies, and then double-click AppLocker.
4.
Permissions: Deny
Group: Marketing
Program: C:\Windows\Regedit.exe
2.
Description
Enforce rules
Audit only
To view information about applications that are affected by AppLocker rules, use Event Viewer. Each event
in the AppLocker operational log contains detailed information, such as the following:
The security identifier for the user that is targeted in the rule
Review the entries in the log to determine if any applications were not included in the rules. The following
table identifies three events to use in determining which applications are affected.
Event ID | Level | Event text | Description
8002 | Informational | Access to <file_name> is allowed by an administrator. |
8003 | Warning | Access to <file_name> is monitored by an administrator. |
8004 | Error | Access to <file_name> is restricted by an administrator. |
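Reviewing the log by hand in Event Viewer works for a single computer; the following added example (not part of the course text) does the same review with PowerShell, grouping the three event IDs from the table by file and user. The seven-day look-back window is an assumption.

```powershell
# Added example (not from the course text): summarise the AppLocker "EXE and DLL"
# operational log by the three event IDs in the table above. 8003 entries are what
# Audit only would have blocked; 8004 entries were actually blocked.
# Assumption: a seven-day look-back window.
$logName = 'Microsoft-Windows-AppLocker/EXE and DLL'
$since   = (Get-Date).AddDays(-7)

# Resolve the target user's SID (the field the text mentions) to an account name.
function ConvertTo-AccountName([string]$Sid) {
    try {
        $identity = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $identity.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $Sid
    }
}

$events = Get-WinEvent -FilterHashtable @{
    LogName = $logName; Id = 8002, 8003, 8004; StartTime = $since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # The decision details live in the event's UserData, not in the message text.
    $data = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
    $decision = switch ($e.Id) {
        8002 { 'Allowed' }
        8003 { 'Audited (would be blocked)' }
        8004 { 'Blocked' }
    }
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Decision = $decision
        User     = ConvertTo-AccountName $data.TargetUser
        FilePath = $data.FilePath
        Rule     = $data.RuleName
    }
}

# Files hit by audit or block events, most frequent first: each one is either a
# missing Allow rule or confirmation that the block is intended.
$rows | Where-Object { $_.Decision -ne 'Allowed' } |
    Group-Object FilePath | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Users'; e = { ($_.Group.User | Sort-Object -Unique) -join ', ' } }

# No events at all usually means the Application Identity service is not running.
if (-not $events) { Get-Service -Name AppIDSvc }
```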
Demonstration
This demonstration will show the different enforcement options and how to configure the enforcement
for the rule that was created in the previous demonstration. The demonstration then will verify the
enforcement with gpupdate.
Demonstration Steps
Enforce AppLocker rules
1.
2.
3.
Configure Enforcement:
o
1.
2.
3. Review the System log for Event ID 1502. This tells us that the Group Policy settings were refreshed.
4. Start the Application Identity service, which is required for AppLocker enforcement.
2. Attempt to run Regedit.exe from the command prompt. You are successful, as the signed-in user is not a member of the Marketing group.
3. Sign in as Adatum\Administrator.
4. Open Event Viewer, and in Application and Services Logs\Microsoft\Windows\AppLocker, select the EXE and DLL log.
5. Review the entries. Locate Event ID 8004. It indicates that an attempt was made to run Regedit.exe, which was allowed to run.
6.
Holly is concerned that people in her department are spending time listening to music files. She wants a
way to disable the Windows Media Player. You decide to implement AppLocker to prevent members of
the IT group from running this program.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 20 minutes
Virtual machines: 20687D-LON-DC1, 20687D-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2.
20687D-LON-DC1
20687D-LON-CL1
2.
2. Open the Local Group Policy Editor, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Application Control Policies, and then double-click AppLocker.
3.
4.
Permissions: Deny
Group: IT
1. In the Local Group Policy Editor, open the AppLocker Properties, and then configure the Executable rules for Enforce rules.
2. Close the Local Group Policy Editor, and then open an elevated command prompt. Run the gpupdate /force command.
3.
Results: After completing this exercise, you should have created the required AppLocker rule.
In this exercise, you will confirm the executable rule and then test it by signing in as a member of the IT
group.
The main tasks for this exercise are as follows:
1.
2.
2.
3. View the System log in Event Viewer. Check for Event ID 1502.
4.
5.
2.
3.
4.
5.
6.
Results: After completing this exercise, you should have verified the function of your executable
AppLocker rule.
2. In the Virtual Machines list, right-click 20687D-LON-CL1, and then click Revert.
3.
4.
Before you manually create new rules or automatically generate rules for a specific folder, you should
create the default AppLocker rules. The default rules ensure that key operating system files are
allowed to run for all users.
When testing AppLocker, carefully consider how you will organize rules between linked GPOs. If a
GPO does not contain default rules, then add the rules directly to the GPO or add them to a GPO that
links to it.
After creating new rules, you must configure enforcement for the rule collections and then refresh the
computer's policy.
By default, AppLocker rules do not allow users to open or run any files that are not specifically
allowed. Administrators must maintain a current list of allowed applications.
If AppLocker rules are defined in a GPO, only those rules are applied. To ensure interoperability
between software restriction policy rules and AppLocker rules, define software restriction policy rules
and AppLocker rules in different GPOs.
When you set an AppLocker rule to Audit only, the rule is not enforced. When a user runs an
application that is included in the rule, the application opens and runs normally, and information
about that application is added to the AppLocker event log.
Troubleshooting Tip
Review Questions
Question: What are some of the privacy features in Internet Explorer?
Question: Trevor has implemented AppLocker. Before he created the default rules, he
created a custom rule that allowed all Windows processes to run except for Regedit.exe.
Because he did not create the default rules first, he is blocked from performing
administrative tasks. What does he need to do to resolve the issue?
Tools
Tool | Use for | Where to find it
Windows PowerShell |  | Windows 8.1
Dism.exe |  | Windows 8.1
Msiexec.exe | Managing installations | Command line
Gpupdate |  | Command line
Module 12
Optimizing and Maintaining Windows 8.1 Computers
Contents:
Module Overview 12-1
Module Overview
Users have high expectations of technology. Therefore, performance is a key issue in today's business
environment, and it is important to consistently optimize and manage your system's performance.
The Windows 8.1 operating system includes several monitoring and configuration tools that you can use
to obtain information about computer performance, to maintain reliability, and to configure operating
system and app updates.
Objectives
After completing this module, you will be able to:
Lesson 1
A computer system that performs at a low efficiency level can cause problems in a work environment.
Poor performance potentially reduces user productivity and consequently increases user frustration.
Computers that are not performing to their full capability need to be examined so that you can determine
the source of the poor performance and correct it. Windows 8.1 helps you to determine potential causes
of poor performance and then provides appropriate tools to resolve performance issues.
Lesson Objectives
After completing this lesson, you will be able to:
Analyze system performance by using Performance Monitor and data collector sets.
Reliability is a measure of how a system conforms to expected behavior. A system that often deviates from
the behavior that you configure or expect has poor reliability.
Question: What factors can influence computer system performance?
Question: What factors might contribute to reliability issues in a computer system?
App history. The App history tab displays statistics and resource consumption by apps. This is useful
for identifying a specific app that is consuming excessive resources.
Startup. The Startup tab displays items that are configured to run at startup. You can choose to
disable any listed programs.
Users. The Users tab displays resource consumption on a per-user basis. You also can expand the user
view to see more detailed information about the specific processes that a user is running.
Details. The Details tab lists all the running processes on a server, providing statistics about the CPU,
memory, and other resource consumption. You can use this tab to manage running processes. For
example, you can stop a process, stop a process and all related processes, and change the priority
values of processes. By changing the priority of a process, you determine how much CPU resources
the process can consume. By increasing the priority, you allow the process to request more CPU
resources.
Services. The Services tab provides a list of running Windows services with related information,
including whether a service is running and the processor identifier (PID) value of a running service.
You can start and stop services by using the list on the Services tab.
Generally, you might consider using Task Manager when a performance-related problem first
becomes apparent. For example, you might examine running processes to determine if a particular
program is using excessive CPU resources. Always remember that Task Manager only shows current
resource consumption. You also might need to examine historical data to determine the true picture
about a server or computer's performance and response under load.
Monitoring Tools
Reports
Monitoring Tools
Monitoring Tools contains the Performance Monitor, and it provides a visual display of built-in Windows
performance counters, either in real time or as historical data.
Performance Monitor includes the following features:
Performance Monitor uses performance counters to measure a system's state or activity. Both the
operating system and individual apps can expose performance counters. Performance Monitor requests
the current value of performance counters at specified time intervals.
You can add performance counters to Performance Monitor by performing a drag-and-drop operation on
the counters or by creating a custom data collector set.
Performance Monitor features multiple graph views that you can use for a visual review of performance
log data. You can create custom views in Performance Monitor that you can export as data collector sets
for use with performance and logging features.
A data collector set is a custom set of performance counters, event traces, and system-configuration data.
After you create a combination of data collectors that describe useful system information, you can save
them as a data collector set, and then run and view the results.
A data collector set organizes multiple data-collection points into a single, portable component. You can
use a data collector set on its own, group it with other data collector sets and incorporate it into logs, or
view it in Performance Monitor. You can configure a data collector set to generate alerts when it reaches
thresholds so that third-party apps can use it.
You also can configure a data collector set to run at a scheduled time, for a specific length of time, or
until it reaches a predefined size. For example, you can run a data collector set for 10 minutes every hour
during your working hours to create a performance baseline. You also can set a data collector to restart
when it reaches set limits so that a separate file will be created for each interval.
You can use data collector sets and Performance Monitor tools to organize multiple data collection points
into a single component that you can use to review or log performance.
Performance Monitor also includes default data collector set templates to help system administrators
begin the process of collecting performance data that is specific to a server role or monitoring scenario.
Reports
Use the Reports feature to view and generate reports from a set of counters that you create by using data
collector sets.
Resource Monitor
Use this view to monitor the use and performance of CPU, disk, network, and memory resources in real
time. This lets you identify and resolve resource conflicts and bottlenecks.
By expanding the monitored elements, system administrators can identify which processes are using
which resources. In previous versions of Windows operating systems, Task Manager made this real-time,
process-specific data available, but only in a limited form.
Demonstration Steps
1.
2.
3. View the information on the Overview tab. This tab shows CPU usage, disk I/O, network usage, and memory usage information for each process. A bar above each section provides summary information.
4. View the information on the CPU tab. This tab has more detailed CPU information that you can filter so that it is based on the process.
5. View the information on the Memory tab. This tab provides detailed information about memory usage for each process. Notice that the process that you selected previously remains selected so you can review multiple kinds of information about a process as you switch between tabs.
6. View the information on the Disk tab. This tab shows processes with recent disk activity.
7. View the information in the Network tab. This tab provides information about all processes with current network activity.
In this demonstration, you will see how to analyze system performance by using data collector sets and
Performance Monitor.
Demonstration Steps
Open Performance Monitor
1.
2.
Examine a report
For example, if you suspect high consumption of your CPU processing capacity, you can view the CPU
tab and then see exactly what processes are executing on your machine, how many threads they are
executing, and how much CPU use is occurring. You also can view your computer's installed memory,
how much the operating system can use, how much it is using currently, and how much is reserved for
hardware. From the Disk view, you can view all disk I/O and detailed information on disk activity. You can
view processes with network activity in the Network view, and monitor which processes are running and
consuming too much bandwidth.
Additionally, Resource Monitor enables you to investigate which product, which tool, or which app is
running currently and consuming CPU, disk, network, and memory resources.
Diagnosing problems.
By using data collector sets, you can establish a baseline to use as a standard for comparison. Create a
baseline when you first configure a computer, at regular intervals of typical usage, and when you make
any changes to a computer's hardware or software configuration. If you have appropriate baselines, you
can determine which resources are affecting a computer's performance.
You can monitor your system remotely. However, the use of counters across a network connection for an
extended period can congest network traffic. If you have disk space on a server for performance log files,
we recommend that you record performance log information locally.
Performance issues can occur because of the number of sampled counters and the frequency with which
sampling occurs. Therefore, it is important to test the number of counters and the frequency of data
collection. This lets you determine the right balance between your environment's needs and the provision
of useful performance information. For an initial performance baseline, however, we recommend that you
use the highest number of counters possible and the highest frequency available. The following table
shows commonly used performance counters.
Counter | Usage
 | This counter measures the percentage of time the disk was idle during the sample interval. If this counter falls below 20 percent, the disk system is saturated. You might consider replacing the current disk system with a faster one.
PhysicalDisk\Avg. Disk sec/Read | This counter measures the average time, in seconds, to read data from the disk. If the number is larger than 25 milliseconds (ms), that means the disk system is experiencing latency when it is reading from the disk.
PhysicalDisk\Avg. Disk sec/Write |
PhysicalDisk\Avg. Disk Queue Length | This counter indicates how many I/O operations are waiting for the hard drive to become available. If the value is larger than two times the number of spindles, it means that the disk itself might be the bottleneck.
Memory\Cache Bytes | This counter indicates the amount of memory that the file-system cache is using. There might be a disk bottleneck if this value is greater than 300 megabytes (MB).
Memory\% Committed Bytes In Use |
Memory\Available MBytes |
 | This counter indicates the number of Page Table Entries not currently in use by the system. If the number is less than 5,000, there might be a memory leak.
Memory\Pool Nonpaged Bytes | This counter measures the size, in bytes, of the nonpaged pool. This is an area of system memory for objects that cannot be written to disk, but instead must remain in physical memory as long as they are allocated. There is a possible memory leak if the value is greater than 175 MB (or 100 MB with a /3GB switch).
 | This counter measures the size, in bytes, of the paged pool. This is an area of system memory for objects that can be written to disk when they are not being used. There might be a memory leak if this value is greater than 250 MB (or 170 MB with the /3GB switch).
Memory\Pages/sec | This counter measures the rate at which pages are read from, or written to, the disk to resolve hard page faults. If the value is greater than 1,000, as a result of excessive paging, there might be a memory leak.
Processor\% Processor Time |
Processor\% Interrupt Time | This counter measures the time that the processor spends receiving and servicing hardware interruptions during specific sample intervals. This counter indicates a possible hardware issue if the value is greater than 15 percent.
System\Processor Queue Length |
Network Interface\Bytes Total/sec | This counter measures the rate at which bytes are sent and received over each network adapter, including framing characters. The network is saturated if you discover that more than 70 percent of the interface is consumed.
Network Interface\Output Queue Length |
Process\Handle Count |
Process\Thread Count |
Process\Private Bytes | This counter indicates the amount of memory that this process has allocated that it cannot share with other processes. If the value is greater than 250 between the minimum and maximum number of threads, there might be a memory leak.
If you monitor several data collector sets that sample data at frequent intervals, this can create a load on
the system that you are monitoring and large log files that you will need to analyze. Plan the monitoring
of the counters and sampling intervals carefully to ensure that the data that you collect represents system
performance accurately.
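The thresholds in the table can be checked in a single sampling pass with Get-Counter. The following is an added example, not part of the course text; it assumes one spindle behind PhysicalDisk(_Total), a one-minute window (12 samples, 5 seconds apart), and the name of the paged-pool counter, Memory\Pool Paged Bytes, which the table above leaves blank.

```powershell
# Added example (not from the course text): sample the counters from the table above
# with Get-Counter and report any that cross the table's thresholds. Assumptions:
# one spindle behind PhysicalDisk(_Total), a one-minute window (12 samples, 5 s apart),
# and the paged-pool counter name, Memory\Pool Paged Bytes, which the table leaves blank.
$spindles = 1

$paths = @(
    '\PhysicalDisk(_Total)\Avg. Disk sec/Read'
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length'
    '\Memory\Cache Bytes'
    '\Memory\Pool Nonpaged Bytes'
    '\Memory\Pool Paged Bytes'
    '\Memory\Pages/sec'
    '\Processor(_Total)\% Interrupt Time'
    '\Network Interface(*)\Bytes Total/sec'
    '\Network Interface(*)\Current Bandwidth'
)

# Thresholds exactly as the table states them; Match is compared with the counter path.
$rules = @(
    @{ Match = '*\avg. disk sec/read';     Limit = 0.025;         Note = 'read latency above 25 ms' }
    @{ Match = '*\avg. disk queue length'; Limit = 2 * $spindles; Note = 'queue longer than 2 x spindles' }
    @{ Match = '*\cache bytes';            Limit = 300MB;         Note = 'file-system cache above 300 MB, possible disk bottleneck' }
    @{ Match = '*\pool nonpaged bytes';    Limit = 175MB;         Note = 'nonpaged pool above 175 MB, possible memory leak' }
    @{ Match = '*\pool paged bytes';       Limit = 250MB;         Note = 'paged pool above 250 MB, possible memory leak' }
    @{ Match = '*\pages/sec';              Limit = 1000;          Note = 'more than 1,000 hard page faults/sec' }
    @{ Match = '*\% interrupt time';       Limit = 15;            Note = 'interrupt time above 15 percent, possible hardware issue' }
)

# Twelve samples five seconds apart; lengthen the window for a real baseline.
$samples = (Get-Counter -Counter $paths -SampleInterval 5 -MaxSamples 12).CounterSamples

function Get-AverageValue([string]$PathPattern, [string]$Instance) {
    $set = $samples | Where-Object { $_.Path -like $PathPattern }
    if ($Instance) { $set = $set | Where-Object { $_.InstanceName -eq $Instance } }
    ($set | Measure-Object -Property CookedValue -Average).Average
}

$findings = @(foreach ($r in $rules) {
    $avg = Get-AverageValue $r.Match
    if ($avg -gt $r.Limit) {
        [pscustomobject]@{
            Counter = $r.Match -replace '^\*\\', ''
            Average = [math]::Round($avg, 3)
            Finding = $r.Note
        }
    }
})

# Network saturation is relative to link speed: Bytes Total/sec x 8 against Current
# Bandwidth (bits/sec). Adapter instances are matched by property rather than by
# wildcard, because adapter names can contain [ ], which -like treats as a character class.
$bandwidth = $samples | Where-Object { $_.Path -like '*\current bandwidth' -and $_.CookedValue -gt 0 }
foreach ($nic in ($bandwidth | Group-Object InstanceName)) {
    $bps   = ($nic.Group | Measure-Object -Property CookedValue -Average).Average
    $bytes = Get-AverageValue '*\bytes total/sec' $nic.Name
    $util  = ($bytes * 8) / $bps
    if ($util -gt 0.7) {
        $findings += [pscustomobject]@{
            Counter = "Network Interface($($nic.Name))"
            Average = [math]::Round($util * 100, 1)
            Finding = 'more than 70 percent of the interface consumed'
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No counter crossed a threshold in this window.' }
```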
Users at A. Datum Corporation are about to receive new Windows 8.1 computers. Use Performance
Monitor to establish a performance baseline and measure a typical computers responsiveness under a
representative load. This will help ensure that resources such as RAM and CPU are specified correctly for
these computers.
Objectives
After you have completed this lab, you will be able to:
Lab Setup
Estimated Time: 25 minutes
Virtual machines: 20687D-LON-DC1, 20687D-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4.
5.
Password: Pa$$w0rd
Domain: Adatum
In this exercise, you will create a performance baseline against which to measure future performance.
The main tasks for this exercise are as follows:
1.
2.
2.
3.
4.
Performance counter
Counters to include:
Start the data collector set, and then start the following programs:
o
Close all Microsoft Office apps, and in Performance Monitor, stop the Adatum Baseline data collector
set.
In Performance Monitor, locate Reports\User Defined\Adatum Baseline. Click the report that has a
name that begins with LON-CL1.
2.
Memory\Pages/sec
Network Interface\Packets/sec
Results: After completing this exercise, you should have created a performance baseline.
In this exercise, you introduce additional computer workload by running a script that performs various
tasks on the computer.
The main task for this exercise is as follows:
1. On LON-CL1, in Performance Monitor, start the Adatum Baseline data collector set.
2.
Results: After completing this exercise, you should have generated additional load on the computer.
In this exercise, you will compare the results that you collected during performance monitoring with those
collected earlier when you created the baseline.
The main task for this exercise is as follows:
1.
2.
3. After a few minutes, close the instance of C:\Windows\System32\Cmd.exe launched by the script.
4. Switch to Performance Monitor, and then stop the Adatum Baseline data collector set, if necessary.
5. In Performance Monitor, locate Reports\User Defined\Adatum Baseline. Click the second report that has a name that begins with LON-CL1.
6.
7.
Memory\Pages/sec
Network Interface\Packets/sec
8.
9. Close all open windows and programs, and then go back to the Start screen.
When you have finished the lab, leave the virtual machines running, as they are needed for the next
lab.
Results: After completing this exercise, you should have identified the computer's performance
bottleneck.
Lesson 2
Windows 8.1 includes several diagnostic tools that you can use to identify and potentially provide a
workaround for different hardware and driver failures that might occur on a Windows 8.1 computer. This
lesson introduces you to these tools and explains how you can use them to diagnose problems in your
environment.
Lesson Objectives
After completing this lesson, you will be able to:
Unreliable Memory
Memory problems can be especially difficult to troubleshoot because they frequently manifest themselves
as app issues. Failing memory can cause app failures, operating system faults, and stop errors, and it can
be difficult to identify because problems can be intermittent. For example, a memory chip might function
perfectly when you test it in a controlled environment. However, it can start to fail when you use it in a
hot computer.
Failing memory chips return data that differs from what an operating system stored originally. This can
lead to secondary problems, such as corrupted files. Frequently, administrators take extreme steps, such
as reinstalling apps or operating systems, to repair problems, only to have the failures persist.
Network-Related Problems
Network errors frequently cause an inability to access network resources and can be difficult to diagnose.
Network interfaces that you do not configure correctly, incorrect IP addresses, hardware failures, and
many other problems can affect connectivity. Operating system features such as cached credentials enable
users to sign in as domain users, even when a network connection is not present. This feature can make it
appear as if users have logged on to the domain successfully, even when they have not. Although this
feature is useful, it does add another layer to the process of troubleshooting network connections.
Startup Problems
When diagnosing startup problems, you usually do not have access to Windows 8.1 troubleshooting and
monitoring tools. Malfunctioning memory, incompatible or corrupted device drivers, missing or corrupted
startup files, or corrupted disk data can all cause startup failures.
If the Windows Memory Diagnostics tool detects any problems with physical memory, Microsoft Online
Crash Analysis automatically prompts you to run the tool.
You can restart your computer and check for problems immediately, or you can schedule the tool to run
when the computer next restarts.
When the computer restarts, the Windows Memory Diagnostics tool tests the computer's memory. When
this tool runs, it shows a progress bar that indicates the status of the test. It might take several minutes for
the tool to finish checking a computer's memory. When the test finishes, the Windows operating system
restarts again automatically, and the tool provides a clear report that details the problem. It also writes
information to the event log so that it can be analyzed.
You can run the Windows Memory Diagnostics tool manually. You have the same two choices: run the
tool immediately or schedule it to run when the computer restarts. Additionally, you can start the
Windows Memory Diagnostics tool from installation media.
Advanced Options
To access advanced diagnostic options, press F1 while the test is running. Advanced options include the
following:
Pass count. Enter the number of times that the test mix should repeat the tests.
Press the Tab key to move between the advanced options. When you finish selecting your options, press
F10 to start the test.
Shared Folders. Inability to access shared files and folders on other computers.
HomeGroup. Inability to view the computers or shared files in a homegroup for workgroup-configured computers.
Connections to a Workplace Using DirectAccess. Problems with connecting to your workplace when
using DirectAccess.
The Windows Network Diagnostics tool runs automatically when it detects a problem. You also can decide
to run the tool manually by using the Diagnose option on the Local Area Connections Status dialog box.
If Windows 8.1 detects a problem that it can repair automatically, it will do so. If Windows 8.1 cannot
repair the problem automatically, it directs the user to perform simple steps to resolve the problem
without having to call support.
A System Stability Chart summarizes system stability for the past year in daily increments. This chart
indicates any information, error, or warning messages, and it simplifies the task of identifying issues and
the date on which they occurred.
The System Stability Report also provides information about each event in the chart. These reports include
the following events:
Software Installs
Software Uninstalls
Application Failures
Hardware Failures
Windows Failures
Miscellaneous Failures
Reliability Monitor tracks key events about the system configuration, such as the installation of new apps,
operating system patches, and drivers. It also tracks the following events and helps you identify the
reasons for reliability issues:
Memory problems
Hard-disk problems
Driver problems
Application failures
Reliability Monitor is a useful tool that provides a timeline of system changes and then reports on a
system's reliability. You can use this timeline to determine whether a particular system change correlates
with the start of system instability.
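The Memory Diagnostics result written to the event log and the Reliability Monitor timeline described above can both be queried from PowerShell; the script below is an added example, not part of the course, that reads the last memory test result and then lists the reliability records recorded just before the sharpest drop in the stability index. It assumes that the test result is event ID 1201 from the Microsoft-Windows-MemoryDiagnostics-Results provider in the System log and that the Win32_ReliabilityStabilityMetrics and Win32_ReliabilityRecords WMI classes back Reliability Monitor.

```powershell
# Added example (not course material): correlate diagnostic data with configuration changes.
# Assumptions: Memory Diagnostics logs its result as event 1201 (System log, provider
# Microsoft-Windows-MemoryDiagnostics-Results); Reliability Monitor data is exposed through
# the Win32_ReliabilityStabilityMetrics and Win32_ReliabilityRecords classes.
param(
    [int]$DaysBack = 14   # how far back to look; constructed default for this example
)

$since = (Get-Date).AddDays(-$DaysBack)

# 1. Most recent Windows Memory Diagnostics result, if the tool has run in the window.
$memResult = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-MemoryDiagnostics-Results'
    Id           = 1201
    StartTime    = $since
} -MaxEvents 1 -ErrorAction SilentlyContinue

if ($null -eq $memResult) {
    Write-Output "No Windows Memory Diagnostics result in the last $DaysBack days."
} else {
    Write-Output ("Memory Diagnostics ({0}): {1}" -f $memResult.TimeCreated, $memResult.Message)
}

# 2. Stability index samples (1 = least stable, 10 = most stable), oldest first.
#    Get-CimInstance returns TimeGenerated as a DateTime, so it can be compared directly.
$metrics = @(Get-CimInstance -ClassName Win32_ReliabilityStabilityMetrics |
    Where-Object { $_.TimeGenerated -ge $since } |
    Sort-Object TimeGenerated)

# 3. Find the sharpest drop between consecutive samples.
$worstDrop = $null
for ($i = 1; $i -lt $metrics.Count; $i++) {
    $drop = $metrics[$i - 1].SystemStabilityIndex - $metrics[$i].SystemStabilityIndex
    if ($null -eq $worstDrop -or $drop -gt $worstDrop.Drop) {
        $worstDrop = [pscustomobject]@{ When = $metrics[$i].TimeGenerated; Drop = $drop }
    }
}

if ($null -eq $worstDrop) {
    Write-Output "Not enough stability samples in the last $DaysBack days to compare."
} else {
    Write-Output ("Largest stability drop ({0:N2}) at {1}" -f $worstDrop.Drop, $worstDrop.When)

    # 4. Show what Reliability Monitor recorded in the two days leading up to that drop:
    #    software installs, driver changes, application and Windows failures.
    $windowStart = $worstDrop.When.AddDays(-2)
    Get-CimInstance -ClassName Win32_ReliabilityRecords |
        Where-Object { $_.TimeGenerated -ge $windowStart -and $_.TimeGenerated -le $worstDrop.When } |
        Sort-Object TimeGenerated |
        Select-Object TimeGenerated, SourceName, EventIdentifier, ProductName, Message |
        Format-Table -AutoSize -Wrap
}
```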
You can use the Problem Reports and Solutions tool to track resolution information and to recheck and
find new solutions. You can start the Problem Reports and Solutions tool from Reliability Monitor. The
following tools are available:
Lesson 3
To keep Windows 8.1 systems functioning properly and to protect them, you must update systems
regularly with the latest security updates and fixes. Windows Update enables you to download and install
important and recommended updates automatically instead of visiting the Windows Update website.
You must be aware of the available Windows Update configuration options, and you must be able to
guide users on how to configure these options.
Lesson Objectives
After completing this lesson, you will be able to:
Identify the most common methods for managing software updates in Windows 8.1.
Windows Server Update Services (WSUS) is a server role that you can install on a Windows Server 2012
R2, Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008 computer. WSUS enables an
administrator to manage and control the update process in many ways, including the following:
Microsoft System Center 2012 Configuration Manager performs many configuration management-based
tasks in an enterprise, including update management. You can use Configuration Manager to incorporate
WSUS into your configuration management environment and to provide greater control over update
scheduling, deployment, and reporting. Configuration Manager also can deploy non-Microsoft updates.
Windows Intune
Windows Intune enables cloud-based configuration management for client computers that are within an
organization's networks or simply connected to the Internet. Windows Intune provides features similar to
Configuration Manager. However, Windows Intune enables you to extend configuration management
beyond an organization's networks.
You can turn on Automatic Updates during the initial Windows 8.1 setup, or you can configure it later.
Windows Update downloads a computer's updates in the background while you are online. If your
Internet connection is interrupted before an update downloads fully, the download process resumes when
the connection becomes available.
Configure Settings
The Automatic Updates feature of Windows Update downloads and installs important updates, including
security and critical performance updates. However, you have to select recommended and optional
updates manually.
The time of installation depends on the configuration options that you select. Most updates occur
seamlessly, with the following exceptions:
If an update requires a restart to complete installation, you can schedule it for a specific time.
When a software update applies to a file that is in use, Windows 8.1 can save the apps data, close the
app, update the file, and then restart the app. Windows 8.1 might prompt the user to accept the
Microsoft Software License Terms when the app restarts.
You should use the recommended settings to download and install updates automatically.
The recommended settings automatically download and install updates daily at 3:00 A.M. If a
computer is turned off, the installation will be done the next time the computer is turned on.
By using the recommended settings, users do not have to search for critical updates or worry that
critical fixes might be missing from their computers.
You can use Configuration Manager for environments that have a large number of computers or that
require specialized management that WSUS does not provide.
Change Settings
From the Windows Update page, you also have access to the Change settings feature. On the Change
settings page, four settings are available for Important updates:
Check for updates but let me choose whether to download and install them.
We recommend that you choose to have updates installed automatically so that Windows will install
important updates as they become available.
If you do not want updates to install or download automatically, you can instead select the option to
be notified when updates apply to your computer so that you can download and install them yourself.
For example, if you have a slow Internet connection or your work is interrupted because of automatic
updates, you can have Windows check for updates but download and install them yourself later at a
suitable time.
Uninstall Updates
If you would like to remove an installed update, from the View update history page, click Installed
Updates. You then can view all the installed updates, and where necessary, you can right-click an update,
and then click Uninstall.
Hide Updates
If an update attempts to reinstall at a later time, you can hide the update. To hide an update that you do
not wish to install, from Windows Update, click the link for the available updates. Right-click the update
that you do not want to install, and then click Hide update.
If you have resolved the underlying problem with an update that you uninstalled, and you wish to install
it, you first must unhide the update. From Windows Update, click Restore hidden updates.
If you enable this policy setting, Install Updates and Shut Down will not appear as a choice in the Shut
Down Windows dialog box even if updates are available for installation when the user selects the Shut
Down option in the Start menu.
If you disable or do not configure this policy setting, the Install Updates and Shut Down option will be
available in the Shut Down Windows dialog box if updates are available when the user selects the
Shut Down option in the Start menu.
Do not adjust the default option to Install Updates and Shut Down in the Shut Down Windows
dialog box.
You can use this policy setting to manage whether the Install Updates and Shut Down option is
allowed to be the default choice in the Shut Down Windows dialog box.
If you enable this policy setting, the user's last shutdown choice, such as Hibernate and Restart, is the
default option in the Shut Down Windows dialog box, regardless of whether the Install Updates and
Shut Down option is available in the What do you want the computer to do? list.
If you disable or do not configure this policy setting, the Install Updates and Shut Down option will be
the default option in the Shut Down Windows dialog box if updates are available for installation when
the user selects the Shut Down option in the Start menu.
Enabling Windows Update Power Management to automatically wake up the system to install scheduled updates
This policy setting specifies whether Windows Update will use the Windows power management
features to wake up your system automatically from hibernation if updates need to install.
Windows Update will wake up your system automatically only if you configure Windows Update to
install updates automatically. If the system is in hibernation when the scheduled install time occurs
and there are updates to apply, Windows Update will use the Windows power management features
to wake the system automatically to install the updates.
The system will not wake unless there are updates to install. If the system is on battery power, when
Windows Update wakes it up, it will not install updates, and the system will return to hibernation
automatically in two minutes.
This setting specifies whether the computer will receive security updates and other important
downloads through the Automatic Updates feature. If Automatic Updates are enabled on a computer,
you must select one of the four options in the Group Policy setting:
o 2 = Notify before downloading any updates and notify again before installing them
When Windows finds updates that apply to your computer, an icon appears in the status area
with a message that updates are ready to download.
Clicking the icon or message provides the option to select the specific updates that you want to
download. Windows then downloads your selected updates in the background.
When the download is complete, an icon again appears in the status area with notification that
the updates are ready to install. Clicking the icon or message provides the option to select which
updates to install.
o 3 = (Default setting) Download the updates automatically and notify when they are ready to be installed
Windows finds updates that apply to your computer and then downloads them in the
background so that the user is not notified or interrupted during this process.
When the download is complete, an icon appears in the status area with notification that the
updates are ready to install. Clicking the icon or message provides the option to select which
updates to install.
o 4 = Automatically download updates and install them on the schedule specified below
Specify the schedule by using the options in the Group Policy setting. If no schedule is specified,
the default schedule for all installations will be daily at 3:00 A.M.
If any of the updates require a restart to complete the installation, Windows will restart the
computer automatically. If a user is logged on to the computer when Windows is ready to restart,
the user will be notified and given the option to delay the restart.
o 5 = Allow local administrators to select the mode in which Automatic Updates notifies about and installs updates
With this option, local administrators will be allowed to use the Automatic Updates control
panel item to select a configuration option. For example, they can choose their own scheduled
installation time. Local administrators will not be allowed to disable Automatic Updates
configuration.
To use the Configure Automatic Updates policy setting, click Enabled, and then select one of the
options (2, 3, 4, or 5).
If the status is set to Enabled, Windows recognizes when the computer is online and then uses its
Internet connection to search Windows Update for updates that apply to a computer.
If the status is set to Disabled, you must manually download and install any updates that are available
on Windows Update.
If the status is set to Not Configured, the use of Automatic Updates is not specified at the Group
Policy level. However, an administrator can still configure Automatic Updates through Control Panel.
With this setting, you can specify a server on a network to function as an internal update service. The
Automatic Updates client will search this service for updates that apply to computers on the network.
To use this setting, you must set two server name values: the server from which the Automatic
Updates client detects and downloads updates, and the server to which updated workstations upload
statistics. You can set both values to be the same server.
If the status is set to Enabled, the Automatic Updates client connects to a specified intranet Microsoft
Update service instead of Windows Update to search for and download updates. Enabling this setting
means that end users in your organization do not have to go through a firewall to get updates, and it
gives you the opportunity to test updates before deploying them.
If the status is set to Disabled or Not Configured, and if Automatic Updates is not disabled by policy
or user preference, the Automatic Updates client connects directly to the Windows Update site on the
Internet.
This policy specifies how long a Windows operating system will wait before checking for available
updates. The exact wait time is determined by using the hours that you specify in this policy, minus 0
to 20 percent of the hours specified. For example, if this policy is used to specify a 20-hour detection
frequency, all clients to which this policy applies will check for updates anywhere between 16 and 20
hours.
If the status is set to Enabled, Windows checks for available updates at the specified interval.
If the status is set to Disabled or Not Configured, Windows checks for available updates at the default
interval of 22 hours.
Non-administrative users can install all optional, recommended, and important content for which
they received a notification. Users will not see a User Account Control window and do not need
elevated permissions to install these updates, except in the case of updates that contain user
interface, End User License Agreement, or Windows Update setting changes.
If you disable or do not configure this policy setting, only administrative users will receive update
notifications. By default, this policy setting is disabled.
If the Configure Automatic Updates policy setting is set to Disabled or Not Configured, then the
Elevate Non-Admin policy setting has no effect.
Enhanced notification messages convey the value of optional software, and they promote its
installation and use. This policy setting is intended for loosely managed environments in which you
allow end-user access to the Microsoft Update service.
If you enable this policy setting, a notification message will appear on users' computers when the
featured software is available. Users can click the notification to open the Windows Update app and
get more information about the software or install it. Users also can click Close this message or Show
me later to defer the notification as appropriate. In Windows 8.1, this policy setting only will control
detailed notifications for optional apps.
If you disable or do not configure this policy setting, Windows 8.1 users will not be offered detailed
notification messages for optional apps. By default, this policy setting is disabled. If you are not using
the Microsoft Update service or if the Configure Automatic Updates policy setting is disabled or is
not configured, the Turn on Software Notifications policy setting has no effect.
This setting controls how many minutes the Windows Update service will wait before shutting down
when there are no scans, downloads, or installations in progress. If configured to zero, the service will
always run.
This setting specifies whether Automatic Updates will install certain updates automatically that
neither interrupt Windows services nor restart the Windows operating system. If you set the status to
Enabled, Automatic Updates will install these updates immediately once they are downloaded and
ready to install.
If you set the status to Disabled, such updates will not install immediately. If the Configure
Automatic Updates policy is disabled, this policy has no effect.
This setting specifies whether Automatic Updates will deliver both important and recommended
updates from the Windows Update service. When this policy is enabled, Automatic Updates will install
recommended and important updates from Windows Update. When disabled or not configured,
Automatic Updates will continue to deliver important updates if it is configured already to do so.
This setting specifies that to complete a scheduled installation, Automatic Updates will wait for the
computer to be restarted by any user who is logged on, instead of causing the computer to restart
automatically.
If the status is set to Enabled, Automatic Updates will not restart a computer automatically during a
scheduled installation if a user is logged on to the computer. Instead, Automatic Updates will notify
the user to restart the computer.
If the status is set to Enabled, a scheduled restart will occur in the specified number of minutes after
the previous prompt for restart was postponed.
If the status is set to Disabled or Not Configured, the default interval is 10 minutes.
If the status is set to Enabled, a scheduled restart will occur at the specified number of minutes after
the installation is finished.
If the status is set to Disabled or Not Configured, the default wait time is 15 minutes.
This setting specifies the amount of time for Automatic Updates to wait, following system startup,
before proceeding with a scheduled installation that was missed previously.
If you set the status to Enabled, a scheduled installation that did not take place earlier will occur at
the specified number of minutes after the computer is next started.
If you set the status to Disabled, a missed scheduled installation will occur with the next scheduled
installation.
If you set the status to Not Configured, a missed scheduled installation will occur one minute after the
computer is next started.
This setting specifies the target group name or names that will be used to receive updates from an
intranet Microsoft Update service.
If you set the status to Enabled, the specified target group information is sent to the intranet Microsoft
Update service, which uses this information to determine which updates must deploy to a
computer.
If the intranet Microsoft Update service supports multiple target groups, this policy can specify
multiple group names separated by semicolons. Otherwise, you must specify a single group.
If the status is set to Disabled or Not Configured, no target group information will be sent to the
intranet Microsoft Update service.
This policy setting allows you to manage whether Automatic Updates accepts updates that are signed
by entities other than Microsoft when an update is found on an intranet Microsoft Update service
location.
If you enable this policy setting, Automatic Updates accepts updates that are received through an
intranet Microsoft Update service location if the updates are signed by a certificate in the Trusted
Publishers certificate store of the local computer.
If you disable or do not configure this policy setting, updates from an intranet Microsoft Update
service location must be signed by Microsoft.
Note: This setting sometimes is used on a critical system that cannot be restarted or
changed without first being scheduled. If you enable this setting, you must implement another
method of update delivery to ensure that these systems are kept up-to-date.
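The Group Policy settings described above (Configure Automatic Updates and its options 2 to 5, the intranet update service, detection frequency, client-side targeting, and the Trusted Publishers signing rule) are written to the client's registry under the WindowsUpdate policy keys. The script below is an added example, not part of the course, that reads those values on a client and reports deviations from a baseline; the key paths, value names, and the baseline itself are this example's assumptions.

```powershell
# Added example (not course material): audit the Windows Update policy values that actually
# reached a client, e.g. on LON-CL1 after gpupdate /force.
# Assumptions: these policies are backed by values under
# HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate (and its AU subkey); the baseline
# (AUOptions = 4, https:// WSUS URL, Microsoft-signed updates only) is this script's choice.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    # $null means the policy is Not Configured (key or value absent).
    try { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# Meaning of each Configure Automatic Updates option, as listed in the lesson.
$auOptionText = @{
    2 = 'Notify before download and again before install'
    3 = 'Auto download, notify before install (default)'
    4 = 'Auto download and install on the configured schedule'
    5 = 'Local administrators choose the mode'
}

$findings = New-Object System.Collections.Generic.List[string]

$auOptions = Get-PolicyValue $auKey 'AUOptions'
$noAuto    = Get-PolicyValue $auKey 'NoAutoUpdate'
if ($noAuto -eq 1) {
    $findings.Add('Configure Automatic Updates is Disabled: updates must be downloaded and installed manually.')
} elseif ($null -eq $auOptions) {
    $findings.Add('Configure Automatic Updates is Not Configured: the Control Panel setting applies.')
} elseif (-not $auOptionText.ContainsKey([int]$auOptions)) {
    $findings.Add("AUOptions has unexpected value $auOptions (expected 2, 3, 4 or 5).")
} elseif ([int]$auOptions -ne 4) {
    $findings.Add("AUOptions = $auOptions ($($auOptionText[[int]$auOptions])); baseline expects 4.")
}

# Intranet Microsoft Update service: both server values must be set for detection to work.
if ((Get-PolicyValue $auKey 'UseWUServer') -eq 1) {
    $server = Get-PolicyValue $wuKey 'WUServer'
    $status = Get-PolicyValue $wuKey 'WUStatusServer'
    if (-not $server -or -not $status) {
        $findings.Add('UseWUServer = 1 but WUServer or WUStatusServer is missing; clients cannot detect updates.')
    } elseif ($server -notmatch '^https://') {
        # Baseline choice of this example: require TLS between client and update server.
        $findings.Add("WUServer '$server' is not an https:// URL.")
    }
    if ((Get-PolicyValue $wuKey 'AcceptTrustedPublisherCerts') -eq 1) {
        $findings.Add('AcceptTrustedPublisherCerts = 1: updates signed by Trusted Publishers, not only Microsoft, are accepted.')
    }
    if ((Get-PolicyValue $wuKey 'TargetGroupEnabled') -eq 1) {
        $groups = (Get-PolicyValue $wuKey 'TargetGroup') -split ';'   # multiple groups are ;-separated
        $findings.Add("Client-side targeting groups: $($groups -join ', ')")
    }
}

# Detection frequency: N configured hours means a check every 0.8*N to N hours.
if ((Get-PolicyValue $auKey 'DetectionFrequencyEnabled') -eq 1) {
    $hours = [int](Get-PolicyValue $auKey 'DetectionFrequency')
    $findings.Add(('Detection every {0}-{1} hours.' -f [math]::Round($hours * 0.8, 1), $hours))
} else {
    $findings.Add('Detection frequency Not Configured: the default interval of 22 hours applies.')
}

if ((Get-PolicyValue $auKey 'NoAutoRebootWithLoggedOnUsers') -eq 1) {
    $findings.Add('No auto-restart with logged-on users: a pending restart waits for the user.')
}

if ($findings.Count -eq 0) { 'Windows Update policy matches the baseline.' } else { $findings }
```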
When A. Datum received the first shipment of Windows 8.1 computers, Holly disabled Automatic Updates
because she was concerned that they would cause problems with a custom app on these systems.
After extensive testing, you have determined that it is extremely unlikely that Automatic Updates will
cause a problem with this app.
Objectives
After you complete this lab, you will be able to configure local Windows Update settings.
Lab Setup
Estimated Time: 20 minutes
Virtual machines: 20687D-LON-DC1, 20687D-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2.
20687D-LON-DC1
20687D-LON-CL1
You have to confirm that Automatic Updates are disabled for the Windows 8.1 computers, and then you
must enable Automatic Updates by implementing a Group Policy.
The main tasks for this exercise are as follows:
1.
2.
3. Verify that the Automatic Updates setting from the Group Policy Object is being applied.
On LON-CL1, open Windows Update, and then verify that Automatic Updates are disabled.
Sign in to LON-DC1 as Adatum\Administrator with password Pa$$w0rd, and then open the Group
Policy Management administrative tool.
2.
Enabled
Task 3: Verify that the Automatic Updates setting from the Group Policy Object is being applied
1. On LON-CL1, at a command prompt, run gpupdate /force to update the Group Policy settings.
2. Open Windows Update, and then verify that the new settings have been applied.
Results: After completing this exercise, you should have configured Windows Update settings by using
Group Policy Objects.
2. In the Virtual Machines list, right-click 20687D-LON-CL1, and then click Revert.
3.
4.
Module 13
Configuring Mobile Computing and Remote Access
Contents:
Module Overview 13-1
Module Overview
Mobile computers are available in many types and configurations. This module includes descriptions of
various available mobile devices and describes how you can synchronize them with a computer that is
running the Windows 8.1 operating system. Additionally, this module describes various power options
that you can configure in Windows 8.1.
Windows 8.1 helps end users become more productive, regardless of their location or that of the data
they need. For users who want to use virtual private networks (VPNs) to connect to enterprise resources,
new features in Windows 8.1 and Windows Server 2012 R2 create a seamless experience. You can use
DirectAccess, VPN, and Remote Desktop functionality to enable users to access their work environments
from anywhere they are connected.
Objectives
After completing this module, you will be able to:
Configure DirectAccess.
Lesson 1
Lesson Objectives
After completing this lesson, you will be able to:
Describe the tools for configuring mobile computers and device settings.
Tablet PCs
Ultrabook computers
Mobile phones
People often use the terms laptop and notebook interchangeably. However, the term notebook computer
refers to a computer that is lighter or smaller than a laptop. A laptop computer is a portable computer
that contains an integrated screen, battery, keyboard, and pointing device. A laptop computer also might
contain a CD or DVD drive. Many organizations issue laptop computers to employees rather than desktop
computers so that they can work remotely. Hardware manufacturers are responding to this demand by
producing laptops with specifications that are equivalent to or better than many desktop computers.
Tablet PCs
A tablet PC is a fully functional laptop computer with a touchscreen that interacts with a user's fingers or
a stylus. Tablet PCs might have a detachable keyboard and touchpad. Many tablet PC screens also turn or
fold onto the keyboard. Most tablet PCs allow multiple touch inputs simultaneously on the screen,
allowing for complex gestures such as pinching to zoom and scrolling. Windows 8.1 provides an
optimized UI for devices that support touchscreens.
Ultrabook Computers
Ultrabook computers are thin, lightweight laptop computers. Ultrabook computers enable users to
perform multiple tasks, and are typically equipped with 4 gigabytes (GB) of RAM and high-speed Intel
mobile processors. Display sizes are typically 13.3 inches diagonally.
Windows Phone devices are smartphones that feature an operating system with the familiar Windows UI
and applications that are part of the Windows 8.1 operating system and Microsoft Office.
Windows Phone devices also include Music and Videos Hubs and typically feature mobile phone,
Bluetooth, wireless broadband, and Wi-Fi capabilities. Although you can sometimes use a keyboard on
these devices, they typically are touchscreen devices on which you can use your finger to navigate the
operating system and use applications. Additionally, the Windows Phone operating system supports voice
commands.
Note: Bluetooth is a wireless communications protocol that uses shortwave radio signals to
replace cables and enable compatible devices to communicate with each other. Bluetooth uses a
low-powered radio signal in the unlicensed 2.4 gigahertz (GHz) to 2.485 GHz spectrum, also
known as the industrial, scientific, and medical band.
Bluetooth employs a technology called adaptive frequency hopping, which helps devices switch
frequencies within the industrial, scientific, and medical band. Bluetooth enables compatible
devices to switch frequencies up to 1,600 times a second within the industrial, scientific, and
medical band to maintain optimal connectivity.
Mobile Phone
A mobile phone, also known as a cellular phone, is a portable telephone that uses a form of radio
connectivity. Many mobile phones now have some personal digital assistant (PDA) and media player
functionality. You typically use a numerical keypad or touch screen as the input for this device type.
Power Management
Windows 8.1 Power Management includes a simple-to-find battery meter that tells you at a glance what
power plan you are using and how much battery life is remaining. Use the battery meter to access and
change the power plan to meet your needs. For example, you might want to conserve power by limiting
the central processing unit (CPU) or configuring when your hard drive will turn off.
Power plans let you adjust your computer's performance and power consumption. To access power plans
in Windows 8.1, from Desktop, in the taskbar, right-click the battery icon, and then click Power Options.
You also can change the Battery Status in the Windows Mobility Center. To access the Windows Mobility
Center, in Control Panel, in the Hardware and Sound category, click Adjust commonly used mobility
settings.
Display brightness
Volume
Battery Status
External Display
Sync Center
Presentation Settings
Computer manufacturers can customize the Windows Mobility Center to include other hardware-specific
settings, such as Bluetooth or auxiliary displays.
Presentation Settings
Mobile users often have to reconfigure their computer settings for meetings or conference presentations,
such as changing screen-saver timeouts or desktop wallpaper. To improve the user experience and avoid
this inconvenience, Windows 8.1 includes a group of presentation settings that you can apply when you
connect to a display device.
To access the presentation settings, click Presentation Settings in the Windows Mobility Center in Control
Panel. When you finish a presentation, return to the previous settings by clicking the notification area
icon.
By using Windows 8.1 power options, you can conserve a mobile computer's battery. A user can change
various performance options, such as:
CPU speed
Display brightness
By using the CPU speed option, you can lower the speed of the computer processor, thereby reducing its
power consumption. Screen brightness requires power, and lowering the brightness reduces power usage.
Power Plans
In Windows 8.1, power plans help you maximize computer and battery performance. With power plans,
you can change a variety of system settings to optimize power or battery usage with a single click,
depending on the scenario. There are three default power plans:
Power saver. This plan saves power on a mobile computer by reducing system performance. Its
primary purpose is to maximize battery life.
High performance. This plan provides the highest level of performance on a mobile computer by
adapting processor speed to your work or activity, and by maximizing system performance.
Balanced. This plan balances energy consumption and system performance by adapting the
computer's processor speed to your activity.
The balanced plan provides the best balance between power and performance. The power saver plan
reduces power usage by lowering the performance. The high performance plan consumes more power
by increasing system performance. Each plan provides alternate settings for AC or DC power.
You can customize or create additional power plans by using Power Options in Control Panel. Some
hardware manufacturers supply additional power plans and power options. When you create additional
power plans, be aware that the more power the computer consumes, the less time it runs on a single
battery charge. By using Power Options, you can configure settings such as Choose what closing the lid
does.
In addition to considering power usage and performance, you also must consider the following three
options for turning a computer on and off:
Shut down
Hibernate
Sleep
Shut Down
When you shut down a computer, Windows 8.1 does the following:
Saves the memory contents to the hard disk or discards them as appropriate.
Windows 8.1 then signs out the active user and turns off the computer.
Hibernate
When you put a computer in hibernation, Windows 8.1 saves the system state and the system memory
contents to a file on the hard disk and then shuts down the computer. This state requires no power
because the hard disk is storing the data.
Windows 8.1 supports hibernation at the operating system level without any additional drivers from a
hardware manufacturer. Hibernation data is stored in a hidden system file called Hiberfil.sys. This file is the
same size as the physical memory in the computer and typically is located in the root of the system drive.
Sleep
Sleep is a power-saving state that saves work and open programs to memory. This provides fast resume
capability, typically within several seconds. Sleep does consume a small amount of power.
Windows 8.1 automatically goes to sleep when you press the power button on a computer. If the battery
power of the computer is low, Windows 8.1 puts a computer in hibernation.
Alternatively, you can enable hybrid sleep, during which Windows 8.1 saves data to the hard disk and to
memory. If a power failure occurs on a computer when it is in hybrid sleep, data is not lost. Use hybrid
sleep as an alternative to hibernation. Hybrid sleep uses the same Hiberfil.sys hidden system file as
hibernation.
Demonstration Steps
Create a power plan for Adam's laptop
Using the existing power saver plan, create a new plan named Adam's plan.
Adam is about to take a long trip to visit all of A. Datum Corporation's customers in the United Kingdom.
Before he leaves, he would like you to optimize the power consumption on his Windows 8.1 laptop.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 15 minutes
Virtual machines: 20687D-LON-DC1, 20687D-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
Password: Pa$$w0rd
Domain: Adatum
Repeat steps 2 and 3 for 20687D-LON-CL1. Do not sign in until directed to do so.
Adam wants to ensure that his computer's battery lasts as long as possible between charges while he is on
his trip. He does not want to impose on his customers by asking to plug his computer into an electrical
socket at their offices, and he would rather charge his laptop in the evenings at his hotel.
The main tasks for this exercise are as follows:
4. On the Power Options page, next to Adam's power-saving plan, click Change plan settings.
3. Close all open windows, and then sign out from LON-CL1.
Results: After completing this exercise, you should have successfully created and configured a suitable
power plan for Adam's laptop computer.
When you have finished the lab, leave the virtual machines running, as they are needed for the next
lab.
Lesson 2
Overview of DirectAccess
The DirectAccess feature in Windows 8.1 enables seamless remote access to intranet resources without
first establishing a user-initiated VPN connection. The DirectAccess feature also ensures seamless
connectivity to an application infrastructure for internal users and remote users.
Unlike traditional VPNs that require user intervention to initiate a connection to an intranet, DirectAccess
enables any application that supports Internet Protocol version 6 (IPv6) on a client computer to have
complete access to intranet resources. DirectAccess also enables you to specify resources and client-side
applications that are restricted for remote access.
Lesson Objectives
After completing this lesson, you will be able to:
DirectAccess Components
To deploy and configure DirectAccess, your organization must support the following infrastructure components:
DirectAccess server
DirectAccess clients
Internal resources
Group Policy
DirectAccess Server
The DirectAccess server can be any computer that runs the Windows Server 2012 R2 or Windows
Server 2012 operating systems that you join to a domain, which accepts connections from DirectAccess
clients, and that establishes communication with intranet resources. This server provides authentication
services for DirectAccess clients and acts as an Internet Protocol security (IPsec) tunnel mode endpoint for
external traffic. The new Remote Access server role allows centralized administration, configuration, and
monitoring for both DirectAccess and VPN connectivity.
Compared with the previous implementation in Windows Server 2008 R2, the new wizard-based setup
simplifies DirectAccess management for small and medium-size organizations. The wizard does so by
removing the need for full PKI deployment and removing the requirement for two consecutive public
Internet Protocol version 4 (IPv4) addresses for the physical adapter that is connected to the Internet. In
Windows Server 2012 R2, the wizard detects the actual implementation state of the DirectAccess server,
and automatically selects the best deployment, thereby sparing the administrator the complexity of
manually configuring IPv6 transition technologies.
DirectAccess Clients
A DirectAccess client can be any domain-joined computer that runs the Enterprise edition of Windows 7,
Windows 8, or Windows 8.1.
Note: With off-premises provisioning, you can join a client computer to a domain without
connecting the client computer to your internal network.
The DirectAccess client computer connects to the DirectAccess server by using IPv6 and IPsec. If a native
IPv6 network is not available, the client establishes an IPv6-over-IPv4 tunnel by using 6to4 or Teredo.
Note that the user does not have to be logged on to the computer for this step to complete.
If a firewall or proxy server prevents the client computer that is using 6to4 or Teredo from connecting to
the DirectAccess server, the client computer automatically attempts to connect by using Internet Protocol
over Secure Hypertext Transfer Protocol (IP-HTTPS), which uses a Secure Sockets Layer (SSL) connection to
ensure connectivity.
A DirectAccess client uses the Network Location Server to determine its location. If the client computer
can securely connect to the Network Location Server by using HTTPS, then the client computer assumes it
is on the intranet, and the DirectAccess policies are not enforced. If the Network Location Server cannot
be contacted, the client assumes it is on the Internet. The Network Location Server is installed on the
DirectAccess server with the Web server role.
Note: The URL for the Network Location Server is distributed by using a Group Policy
Object (GPO).
Internal Resources
You can configure any IPv6-capable application that is running on internal servers or client computers
to be available for DirectAccess clients. For older applications and servers that do not have IPv6 support,
such as Windows Server 2003 or other non-Microsoft operating systems, Windows Server 2012 R2
includes native support for protocol translation (NAT64) and a name resolution (DNS64) gateway to
convert IPv6 communication from the DirectAccess client to IPv4 for internal servers.
You must deploy at least one AD DS domain running, at a minimum, Windows Server 2003 domain
functional level. DirectAccess provides integrated multiple-domain support, which allows client computers
from different domains to access resources that might be located in different trusted domains.
Group Policy
You need to use Group Policy for the centralized administration and deployment of DirectAccess settings.
The Getting Started Wizard creates a set of GPOs and settings for DirectAccess clients, the DirectAccess
server, and selected servers.
PKI
PKI deployment is optional for simplified configuration and management. DirectAccess enables client
authentication requests to be sent over an HTTPS-based Kerberos proxy service that is running on the
DirectAccess server. This eliminates the need for establishing a second IPsec tunnel between clients and
domain controllers. The Kerberos proxy will send Kerberos requests to domain controllers on behalf
of the client. However, for a full DirectAccess configuration that allows NAP integration, two-factor
authentication, and force tunneling, you still must implement certificates for authentication for every
client that will participate in DirectAccess communication.
DNS Server
When using Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), you must use at least Windows
Server 2008 R2, Windows Server 2008 with the Q958194 hotfix, Windows Server 2008 Service Pack 2 or
newer, or a non-Windows DNS server that supports DNS message exchanges over ISATAP.
NAP Servers
NAP is an optional component of the DirectAccess solution that allows you to provide compliance
checking and to enforce security policy for DirectAccess clients over the Internet. DirectAccess provides
the ability to configure a NAP health check directly from the setup UI.
Remote Access (DirectAccess, Routing and Remote Access) Overview
http://go.microsoft.com/fwlink/?LinkID=269658&clcid=0x409
6to4. 6to4 enables DirectAccess clients to connect to the DirectAccess server over the IPv4-based
Internet. You can use 6to4 when clients have a public IP address. IPv6 packets are encapsulated in an
IPv4 header and sent over the 6to4 tunnel adapter to the DirectAccess server. You can configure the
6to4 tunnel adapter for DirectAccess clients and the DirectAccess server by using a GPO. 6to4 cannot
work if clients are located behind an IPv4 network address translation (NAT) device.
Teredo. Teredo enables DirectAccess clients to connect to the DirectAccess server across the IPv4
Internet when clients are located behind an IPv4 NAT device. You must configure the firewall to
allow outbound traffic on User Datagram Protocol (UDP) port 3544. Clients that have a
private IPv4 address use Teredo to encapsulate IPv6 packets in an IPv4 header and send them over
the IPv4-based Internet. You can configure Teredo for DirectAccess clients and the DirectAccess
server by using a GPO.
IP-HTTPS. IP-HTTPS enables DirectAccess clients to connect to the DirectAccess server over the
IPv4-based Internet. IP-HTTPS is used by clients that are unable to connect to the DirectAccess
server by using ISATAP, 6to4, or Teredo. You can configure IP-HTTPS for DirectAccess clients and the
DirectAccess server by using Group Policy.
IPv6 Transition Technologies
http://go.microsoft.com/fwlink/?LinkID=154382&clcid=0x409
It is critical that the Network Location Server be available from each company location, because the
behavior of the DirectAccess client depends on the response from the Network Location Server. Branch
locations might need a separate Network Location Server at each branch location to ensure that the
Network Location Server remains accessible even when there is a link failure between branches.
1. The DirectAccess client tries to resolve the fully qualified domain name (FQDN) of the Network
Location Server URL. Because the FQDN of the Network Location Server URL corresponds to an
exemption rule in the Name Resolution Policy Table (NRPT), the DirectAccess client instead sends the
DNS query to a locally configured DNS server (an intranet-based DNS server). The intranet-based DNS
server resolves the name.
2. The DirectAccess client accesses the HTTPS-based URL of the Network Location Server, and during
this process, it obtains the certificate of the Network Location Server.
3. Based on the certificate revocation list (CRL) distribution points field of the Network Location Server's
certificate, the DirectAccess client checks the CRL revocation files in the CRL distribution point to
determine if the Network Location Server's certificate has been revoked.
4. If the HTTP response code is 200, the DirectAccess client determines the success of the Network
Location Server URL (successful access, certificate authentication, and revocation check). Next, the
DirectAccess client will use the network location awareness service to determine if it should switch to
the domain firewall profile and ignore the DirectAccess policies because it is on the organization's
network.
5. The DirectAccess client computer attempts to locate and log on to the AD DS domain by using its
computer account. Because the client no longer references any DirectAccess rules in the NRPT for
the rest of the connected session, all DNS queries are sent through interface-configured DNS servers
(intranet-based DNS servers). With the combination of network location detection and computer
domain logon, the DirectAccess client configures itself for normal intranet access.
6. Based on the computer's successful logon to the domain, the DirectAccess client assigns the domain
(firewall network) profile to the attached network.
By design, the DirectAccess connection security tunnel rules are scoped for the public and private firewall
profiles, and they are disabled from the list of active connection security rules.
The DirectAccess client has successfully determined that it is connected to its intranet, and it does not use
DirectAccess settings (NRPT rules or connection security tunnel rules). The DirectAccess client can access
intranet resources normally. It also can access Internet resources through normal means, such as a proxy
server.
The client attempts to access intranet resources first, and then Internet resources.
1. The client tries to resolve the FQDN of the Network Location Server URL. Because the FQDN of the
Network Location Server URL corresponds to an exemption rule in the NRPT, the DirectAccess client
does not send the DNS query to a locally configured DNS server (an Internet-based DNS server). An
external Internet-based DNS server would not be able to resolve the name.
2. The DirectAccess client processes the name resolution request as defined in the DirectAccess
exemption rules in the NRPT.
3. Because the Network Location Server is not found on the same network where the DirectAccess client
is currently located, the DirectAccess client applies a public or private firewall network profile to the
attached network.
4. The Connection Security tunnel rules for DirectAccess, scoped for the public and private profiles,
provide the public or private firewall network profile.
The DirectAccess client uses a combination of NRPT rules and connection security rules to locate and
access intranet resources across the Internet through the DirectAccess server.
After starting up and determining its network location, the DirectAccess client attempts to locate and log
on to a domain controller. This process creates an IPsec tunnel, or an infrastructure tunnel, by using the
IPsec tunnel mode and encapsulating security payload (ESP), to the DirectAccess server. The process is as
follows:
1. The DNS name for the domain controller matches the intranet namespace rule in the NRPT, which
specifies the IPv6 address of the intranet DNS server. The DNS client service constructs the DNS name
query that is addressed to the IPv6 address of the intranet DNS server and forwards it to the
DirectAccess client's TCP/IP stack for sending.
2. Before sending the packet, the TCP/IP stack checks to determine if there are Windows Firewall
outgoing rules or connection security rules for the packet.
3. Because the destination IPv6 address in the DNS name query matches a connection security rule that
corresponds with the infrastructure tunnel, the DirectAccess client uses AuthIP and IPsec to negotiate
and authenticate an encrypted IPsec tunnel to the DirectAccess server. The DirectAccess client (both
the computer and the user) authenticates itself with its installed computer certificate and its NTLM
credentials, respectively.
4. The DirectAccess client sends the DNS name query through the IPsec infrastructure tunnel to the
DirectAccess server.
5. The DirectAccess server forwards the DNS name query to the intranet DNS server. The DNS name
query response is sent back to the DirectAccess server and back through the IPsec infrastructure
tunnel to the DirectAccess client.
Subsequent domain logon traffic goes through the IPsec infrastructure tunnel. When a user on the
DirectAccess client logs on, the domain logon traffic goes through the IPsec infrastructure tunnel.
1. The application or process that attempts to communicate constructs a message or payload, and
hands it off to the TCP/IP stack for sending.
2. Before sending the packet, the TCP/IP stack checks to determine if there are Windows Firewall
outgoing rules or connection security rules for the packet.
3. Because the destination IPv6 address matches the connection security rule that corresponds with the
intranet tunnel, which specifies the IPv6 address space of the entire intranet, the DirectAccess client
uses AuthIP and IPsec to negotiate and authenticate an additional IPsec tunnel to the DirectAccess
server. The DirectAccess client authenticates itself with its installed computer certificate and the user
account's Kerberos credentials.
4. The DirectAccess client sends the packet through the intranet tunnel to the DirectAccess server.
5. The DirectAccess server forwards the packet to the intranet resources. The response is sent back to
the DirectAccess server and back through the intranet tunnel to the DirectAccess client.
Any subsequent intranet access traffic that does not match an intranet destination in the infrastructure
tunnel connection security rule goes through the intranet tunnel.
When a user or a process on a DirectAccess client attempts to access an Internet resource, such as an
Internet Web server, the following process occurs:
1. The DNS client service passes the DNS name for the Internet resource through the NRPT. There
are no matches. The DNS client service constructs the DNS name query that is addressed to the IP
address of an interface-configured Internet DNS server and hands it off to the TCP/IP stack for
sending.
2. Before sending the packet, the TCP/IP stack checks to determine if there are Windows Firewall
outgoing rules or connection security rules for the packet.
3. Because the destination IP address in the DNS name query does not match the connection security
rules for the tunnels to the DirectAccess server, the DirectAccess client sends the DNS name query
normally.
4. The Internet DNS server responds with the IP address of the Internet resource.
5. The user application or process constructs the first packet to send to the Internet resource. Before
sending the packet, the TCP/IP stack checks to determine if there are Windows Firewall outgoing
rules or connection security rules for the packet.
6. Because the destination IP address in the DNS name query does not match the connection security
rules for the tunnels to the DirectAccess server, the DirectAccess client sends the packet normally.
Any subsequent Internet resource traffic that does not match a destination in either the infrastructure
tunnel or the intranet tunnel connection security rules is sent and received normally.
The process of accessing the domain controller and intranet resources is very similar to the connection
process, because both processes use the NRPT to locate the appropriate DNS server to resolve name
queries. However, the main difference is in the IPsec tunnel that is established between the client and the
DirectAccess server. When accessing the domain controller, all DNS queries are sent through the IPsec
infrastructure tunnel, whereas when accessing intranet resources, a second IPsec tunnel (the intranet
tunnel) is established to reach those resources.
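To make the name-resolution decisions in the processes above concrete, here is an added PowerShell simulation of the NRPT lookup; it is not part of the course and not what the DirectAccess client actually runs. The rule objects are constructed inline with the same property names that Get-DnsClientNrptPolicy displays, the adatum.com namespace and the IPv6 DNS server address are assumptions, and Resolve-NrptRoute reports which DNS server a query would be sent to and through which tunnel.

```powershell
# Added example: simulate the DirectAccess client's NRPT decision for a DNS query.
# Rules are constructed here (assumption), shaped like Get-DnsClientNrptPolicy output.
$Nrpt = @(
    # Namespace rule created by the DirectAccess GPO: intranet names are sent to the
    # intranet DNS server (IPv6 address, assumed) through the IPsec infrastructure tunnel.
    [pscustomobject]@{ Namespace = '.adatum.com'; DirectAccessDnsServers = @('2002:836b:2::1') }
    # Exemption rule for the Network Location Server: no DNS servers listed, so the query
    # goes to the interface-configured DNS server (intranet DNS inside, Internet DNS outside).
    [pscustomobject]@{ Namespace = 'directaccess-nls.adatum.com'; DirectAccessDnsServers = @() }
)

function Resolve-NrptRoute {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][object[]]$Rules,
        # Set when the Network Location Server HTTPS probe returned 200: the client is on
        # the intranet and does not apply the DirectAccess NRPT rules at all.
        [switch]$InsideCorpnet
    )
    $fqdn = $Name.ToLowerInvariant().TrimEnd('.')

    if ($InsideCorpnet) {
        return [pscustomobject]@{ Name = $fqdn; Server = 'interface DNS'; Tunnel = 'none'; Rule = '(NRPT inactive)' }
    }

    # Most specific match wins: a rule starting with '.' is a suffix rule, otherwise it
    # must match the whole host name (the NLS exemption is such a host-name rule).
    $match = $Rules |
        Where-Object {
            $ns = $_.Namespace.ToLowerInvariant()
            if ($ns.StartsWith('.')) { $fqdn.EndsWith($ns) } else { $fqdn -eq $ns }
        } |
        Sort-Object { $_.Namespace.Length } -Descending |
        Select-Object -First 1

    if (-not $match) {
        # No NRPT match: an Internet name, resolved and reached without any tunnel.
        return [pscustomobject]@{ Name = $fqdn; Server = 'interface DNS'; Tunnel = 'none'; Rule = '(no match)' }
    }
    if ($match.DirectAccessDnsServers.Count -eq 0) {
        # Exemption: resolve normally. From the Internet this lookup fails, and that
        # failure is what tells the client it is outside the corporate network.
        return [pscustomobject]@{ Name = $fqdn; Server = 'interface DNS'; Tunnel = 'none'; Rule = $match.Namespace }
    }
    # Intranet namespace: query the intranet DNS server over the infrastructure tunnel.
    [pscustomobject]@{
        Name   = $fqdn
        Server = $match.DirectAccessDnsServers[0]
        Tunnel = 'IPsec infrastructure tunnel'
        Rule   = $match.Namespace
    }
}

$Names = 'lon-svr1.adatum.com', 'DirectAccess-NLS.adatum.com', 'www.example.com'

# Client located on the Internet: NRPT rules are active.
# lon-svr1 -> 2002:836b:2::1 via the infrastructure tunnel; the NLS name -> interface DNS
# (exemption); www.example.com -> interface DNS (no match).
$Names | ForEach-Object { Resolve-NrptRoute -Name $_ -Rules $Nrpt } | Format-Table -AutoSize

# Client located on the intranet (NLS probe succeeded): every query uses interface DNS.
$Names | ForEach-Object { Resolve-NrptRoute -Name $_ -Rules $Nrpt -InsideCorpnet } | Format-Table -AutoSize
```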
Demonstration Steps
1. Switch to LON-SVR2.
2. On LON-SVR2, in the Server Manager console, select Remote Access Management. Complete the
Getting Started Wizard with the following settings:
b. Verify that Edge is selected, and in the Type the public name or IPv4 address used by clients
to connect to Remote Access server box, type 131.107.0.2.
c. On the Remote Access Review page, remove the Domain Users group, and then add the
DA_Clients group.
d. On the Remote Access Review page, clear the Enable DirectAccess for mobile computers
only check box.
3. Restart LON-SVR2.
Remote clients. In the wizard, you can configure the following client computer settings for
DirectAccess:
Select groups. You can select which groups of client computers will be configured for
DirectAccess. By default, the Domain Computers group will be configured for DirectAccess. In
the wizard, you can edit this setting and replace the Domain Computers group with a custom
security group.
Enable DirectAccess for mobile computers only. This setting is enabled by default, but you can
disable it in the wizard.
DirectAccess Connectivity Assistant. The DirectAccess Connectivity Assistant runs on every client
computer and provides DirectAccess connectivity information, diagnostics, and remediation
support.
Resources that validate connectivity to an internal network. DirectAccess client computers need
information that will help them decide whether they are located on an intranet or the Internet.
Therefore, they will contact resources that you provide in this wizard. You can provide the URL
that will be accessed by an HTTP request or the FQDN that will be contacted by the ping command. By
default, this is not configured.
Allow DirectAccess clients to use local name resolution. This setting is disabled by default.
Remote access server. In the wizard, you define the network topology where the DirectAccess server is
located:
On an edge of the internal corporate network, where the edge server has two network adapters.
On a server located behind an edge device, where the server has two network adapters.
On a server located behind an edge device, where the server has one network adapter.
One of the preceding settings is already selected in the wizard. The public name or IPv4 address
where DirectAccess clients connect from the Internet is already entered in the wizard.
You can also define the network adapter to which the DirectAccess clients connect, in addition to the
certificates that IP-HTTPS connections use.
Infrastructure servers. In the wizard, you define infrastructure servers. DirectAccess clients connect
to these servers before they connect to internal corporate resources. By default, two entries are
configured: the domain name suffix and DirectAccess-NLS name followed by the domain name suffix.
For example, if the domain name is contoso.com, then the following entries are configured:
contoso.com and DirectAccess-NLS.contoso.com.
Demonstration Steps
1. On LON-SVR2, switch to Server Manager, and then open the Remote Access Management console.
3. In the Remote Access Setup window, under the image of the client computer labeled as Step 1
Remote Clients, click Edit to display the DirectAccess Client Setup window.
4. Review the default settings of all items in the menu on the left, Deployment Scenario, Select
Groups, and Network Connectivity Assistant, and then close the window without saving any
changes.
5. In the Remote Access Setup window, under the image of the client computer labeled as Step 2
Remote Access Servers, click Edit to display the Remote Access Server Setup window.
6. Review the default settings of all items in the menu on the left, Network Topology, Network
Adapters, and Authentication, and then close the window without saving any changes.
7. In the Remote Access Setup window, under the image of the client computer labeled as Step 3
Infrastructure Servers, click Edit to display the Infrastructure Server Setup window.
8. Review the default settings of all items in the menu on the left, Network Location Server, DNS, DNS
Suffix Search List, and Management, and then close the window without saving any changes.
9. In the Remote Access Setup window, under the image of the client computer labeled as Step 4
Application Servers, click Edit to display the DirectAccess Application Server Setup window.
10. Review the default settings for all items, and then close the window without saving any changes.
11. Close all open windows.
NRPT. The DirectAccess GPOs also will create NRPT entries for the client computer. You can view
the configuration of the NRPT by running the Get-DNSClientNrptPolicy cmdlet in the Windows
PowerShell command-line interface. The NRPT will have an entry for each DNS namespace that has
been configured for DirectAccess.
IPv6 connectivity. IPv6 must be enabled on the DirectAccess client to connect to the DirectAccess
server. When you ping by DNS name to the DirectAccess server or to internal network resources, the
address will be converted to IPv6 through IPv6 and IPv4 transition technologies.
Incorrect Group Policy application is the most common cause of DirectAccess client configuration issues,
but network connectivity configuration and Windows Firewall configuration also can affect DirectAccess
functionality. You can use the following tools to confirm or troubleshoot DirectAccess connectivity in
Windows 8.1.
You can use several DirectAccess Windows PowerShell cmdlets to configure and view the configuration
status of a DirectAccess client. The most relevant cmdlets for troubleshooting and configuration are
Get-DAConnectionStatus and Get-DAClientExperienceConfiguration.
Cmdlet
Description
Get-DAConnectionStatus
Disable-DAManualEntryPointSelection
Enable-DAManualEntryPointSelection
Get-DAClientExperienceConfiguration
Get-DAEntryPointTableItem
New-DAEntryPointTableItem
Remove-DAEntryPointTableItem
Rename-DAEntryPointTableItem
Reset-DAClientExperienceConfiguration
Reset-DAEntryPointTableItem
Set-DAClientExperienceConfiguration
Set-DAEntryPointTableItem
You can use the Workplace Connection page to determine if DirectAccess is on a client computer. To view
DirectAccess status, open the Charms menu, click PC Settings, click Network, click Connections, and then
click Workplace Connection. The Workplace Connection page will provide your current DirectAccess
status and a link that enables you to collect DirectAccess logs.
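The checks below are an added PowerShell example, not a script from the course, that runs the tools this lesson lists in a single read-only pass: gpresult for the GPO, Get-DnsClientNrptPolicy for the NRPT, Get-DAConnectionStatus for the client's own verdict, and the IP-HTTPS tunnel adapter and firewall profiles for connectivity. The expected namespace list is an assumption for the A. Datum lab; adjust it for your domain.

```powershell
# Added example: read-only DirectAccess client health check built from the tools named
# in this lesson. Run in an elevated PowerShell prompt on a Windows 8.1 DirectAccess client.
# The expected NRPT namespaces are an assumption for the A. Datum lab domain.
function Test-DAClientHealth {
    param(
        [string[]]$ExpectedNamespaces = @('.adatum.com', 'directaccess-nls.adatum.com')
    )
    $report = [ordered]@{}

    # 1. Group Policy: the DirectAccess Client Settings GPO must be applied to the computer
    #    (the lab uses gpresult /R for the same check).
    $gp = gpresult /R /SCOPE COMPUTER 2>&1
    $report.GpoApplied = [bool]($gp | Select-String -SimpleMatch 'DirectAccess Client Settings')

    # 2. NRPT: one entry per DirectAccess namespace; a missing entry usually means the
    #    GPO above did not apply, which is the most common client-side fault.
    $nrptNamespaces = @(Get-DnsClientNrptPolicy | ForEach-Object { $_.Namespace })
    $report.NrptNamespaces = $nrptNamespaces -join ', '
    $report.NrptComplete   = -not ($ExpectedNamespaces | Where-Object { $nrptNamespaces -notcontains $_ })

    # 3. The client's own verdict: ConnectedLocally means the NLS was reachable (intranet),
    #    ConnectedRemotely means the tunnels are up, Error carries a Substatus to act on.
    $da = Get-DAConnectionStatus
    $report.Status    = $da.Status
    $report.Substatus = $da.Substatus

    # 4. IPv6 connectivity: an address on the IP-HTTPS tunnel adapter shows that the
    #    fallback transition technology came up when 6to4 or Teredo could not.
    $ipHttpsAddr = Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
        Where-Object { $_.InterfaceAlias -like 'iphttps*' } |
        Select-Object -ExpandProperty IPAddress
    $report.IpHttpsAddress = ($ipHttpsAddr -join ', ')

    # 5. Windows Firewall: the DirectAccess connection security rules are scoped to the
    #    public and private profiles, so those profiles must have the firewall enabled.
    $report.FirewallProfilesOn = (Get-NetFirewallProfile |
        Where-Object { $_.Name -in 'Public', 'Private' -and "$($_.Enabled)" -eq 'True' } |
        ForEach-Object { $_.Name }) -join ', '

    [pscustomobject]$report
}

Test-DAClientHealth | Format-List
```

Everything the function reads is also in the log bundle that the Workplace Connection page collects, so the two can be compared when escalating a case.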
Many users at A. Datum work from outside the organization. This includes mobile users and people
who work from home. These users currently connect to the internal network by using a third-party VPN
solution. The Security department is concerned about the security of the external connections and wants
to ensure that the connections are as secure as possible. The Support team wants to minimize the number
of support calls related to remote access and would like to have more options for managing remote
computers.
IT management at A. Datum is considering deploying DirectAccess as the remote access solution for the
organization. As an initial proof-of-concept deployment, management has requested that you configure a
simple DirectAccess environment to use with Windows 8.1 client computers.
Objectives
After completing this lab, you will be able to:
Configure DirectAccess.
Lab Setup
Estimated Time: 45 minutes
Virtual machines: 20687D-LON-DC1, 20687D-LON-SVR1, 20687D-LON-SVR2, 20687D-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
Password: Pa$$w0rd
1. Switch to LON-SVR2.
2. From the Start screen, type ncpa.cpl, and then press Enter.
3. In the Network Connections window, right-click Ethernet 2, and then click Enable.
You must prepare the DirectAccess infrastructure for deployment. You must install the Remote Access
server role on LON-SVR2, and configure DirectAccess on the DirectAccess server by using the Getting
Started Wizard.
The main tasks for this exercise are as follows:
1. On LON-SVR2, install the Remote Access server role with the DirectAccess and VPN (RAS) role service.
2. In Active Directory Users and Computers, create a new global security group named DA_Clients in
the Users container.
1. Switch to LON-SVR2.
2. On LON-SVR2, in Server Manager, select Remote Access Management. Complete the Getting
Started Wizard with the following settings:
b. Verify that Edge is selected, and in the Type the public name or IPv4 address used by clients
to connect to Remote Access server box, type 131.107.0.2.
c. On the Remote Access Review page, remove the Domain Users group, and add the
DA_Clients group.
d. On the Remote Access Review page, clear the Enable DirectAccess for mobile computers
only check box.
3. Restart LON-SVR2.
4. Wait for LON-SVR2 to restart, and then sign in as Adatum\Administrator with password Pa$$w0rd.
5. Open the Remote Access console, and then view the Operations Status page.
6. All components should have a Status of Working and a green check mark beside them. If this is not
the case, click Refresh to update the Operations Status view. You might have to do this several times.
Results: After completing this exercise, you should have configured DirectAccess by using the Getting
Started Wizard.
Now that you have configured DirectAccess, you need to verify that DirectAccess is working. You will start
by verifying the changes made by the Getting Started Wizard, and then you will verify that client
computers can access the internal network by using DirectAccess.
The main tasks for this exercise are as follows:
1. Switch to LON-CL1.
2. Restart LON-CL1, and then sign in as Adatum\Administrator with password Pa$$w0rd to apply the
GPOs.
4. At the command prompt, type gpresult /R to verify that the DirectAccess Client Settings GPO is
applied to the Computer Settings.
Note: If the DirectAccess Client Settings GPO is not applied, restart LON-CL1, and then
repeat steps 3 and 4 on LON-CL1.
5. Verify that the following message displays: DNS Effective Name Resolution Policy Table Settings
Note: DirectAccess settings are inactive when this computer is inside a corporate network.
6. To move the client from the intranet to the public network, go to the Start screen, type ncpa.cpl, and
then press Enter.
7. In the Network Connections window, right-click the Ethernet connection, and then click Disable.
8. In the Network Connections window, right-click the Ethernet 2 connection, and then click Enable.
1. Switch to LON-SVR1.
2. In File Explorer, create a shared folder named C:\Data with the default settings for the Everyone
group.
3. Switch to LON-CL1.
4. On the Start screen, type \\LON-SVR1\Data, and then press Enter. Note that you are able to access
the folder content.
6. Move the pointer to the lower-right corner of the screen, and in the notification area, click Search,
and in the Search box, type cmd.
Note: Notice the IP address for Tunnel adapter iphttpsinterface starts with 2002. This is an
IP-HTTPS address.
8. At the command prompt, type the following command, and then press Enter:
Netsh name show effectivepolicy
9. Verify that the DNS Effective Name Resolution Policy Table Settings present two entries for adatum.com
and Directaccess-NLS.Adatum.com.
10. At the Windows PowerShell command prompt, type the following command, and then press Enter:
Get-DAClientExperienceConfiguration
Results: After completing this exercise, you should have validated the DirectAccess deployment.
2. In the Virtual Machines list, right-click 20687D-LON-CL1, and then click Revert.
Lesson 3
To implement and support a VPN environment properly within your organization, you must understand
how to select a suitable tunneling protocol, how to configure VPN authentication, and how to configure
other settings to support your chosen environment.
Lesson Objectives
After completing this lesson, you will be able to:
Configure a VPN.
Remote access
Site-to-site
Remote access VPN connections enable users that are working at home, at customer sites, or from public
wireless access points to access a server that exists in your organization's private network. They do so by
using the infrastructure that a public network, such as the Internet, provides.
From a user's perspective, a VPN is a point-to-point connection between a computer, the VPN client, and
your organization's server. The exact infrastructure of the shared or public network is irrelevant because it
logically appears as if the data is sent over a dedicated private link.
Site-to-site VPN connections, which also are known as router-to-router VPN connections, enable your
organization to have routed connections between separate offices or with other organizations over a
public network, while maintaining secure communications.
A routed VPN connection across the Internet logically operates as a dedicated wide area network link.
When networks connect over the Internet, a router forwards packets to another router across a VPN
connection. To the routers, the VPN connection operates as a data-link layer link.
A site-to-site VPN connection connects two portions of a private network. The VPN server provides a
routed connection to the network to which the VPN server is attached. The calling router (the VPN client)
authenticates itself to the answering router (the VPN server), and for mutual authentication, the answering
router authenticates itself to the calling router.
In a site-to-site VPN connection, the packets that are sent from either router across the VPN connection
typically do not originate at the routers.
VPN connections that use Point-to-Point Tunneling Protocol (PPTP), Layer Two Tunneling Protocol (L2TP)
with IPsec, and Secure Socket Tunneling Protocol (SSTP) have the following properties:
Encapsulation. With VPN technology, private data is encapsulated with a header that contains routing
information, which allows the data to traverse the transit network.
Authentication. Authentication for VPN connections takes the following three forms:
Data origin authentication and data integrity. To verify that the data that is sent over a VPN
connection originated at the connection's other end and was not modified in transit, the data
contains a cryptographic checksum based on an encryption key that only the sender and receiver
know. Data origin authentication and data integrity are available only for L2TP/IPsec connections.
Data encryption. To ensure confidentiality as data traverses a shared or public transit network, the
sender encrypts the data and the receiver decrypts it. The encryption and decryption processes
depend on both the sender and the receiver using a common encryption key. Intercepted packets
sent along a VPN connection in a transit network will be unintelligible to anyone who does not have
the common encryption key.
The encryption key's length is an important security parameter. Computational (brute-force)
techniques can be used to determine the encryption key. However, such techniques require an
increasing amount of computing power and time as encryption keys become larger. Therefore, it is
important to use the largest possible key size to help ensure data confidentiality.
PPTP
PPTP encrypts and encapsulates traffic in an IP header and then sends it across an IP network. You can
use PPTP for remote client and site-to-site VPN connections. When using the Internet, the VPN server
provides the following functionality to the client:
Encryption. The PPP frame is encrypted with Microsoft Point-to-Point Encryption by using encryption
keys. These keys are generated by the Microsoft version of the Challenge Handshake Authentication
Protocol version 2 (MS-CHAPv2) or the Extensible Authentication Protocol-Transport Layer Security
(EAP-TLS) authentication process. VPN clients must use MS-CHAPv2 or EAP-TLS authentication.
L2TP
L2TP enables you to encrypt multiple-protocol traffic to send over any medium that supports point-to-point
datagram delivery, such as IP or asynchronous transfer mode. L2TP is a combination of PPTP and
Layer Two Forwarding (L2F). L2TP represents the best features of PPTP and L2F.
L2TP relies on IPsec for traffic encryption. The combination of L2TP and IPsec is known as L2TP/IPsec.
L2TP is built into Windows 8.1, Windows 8, Windows Vista, and Windows XP remote access clients, and
VPN server support for L2TP is built into the Windows Server 2008 and Windows Server 2012 families.
L2TP/IPsec encapsulation consists of two layers, as follows:
First layer: L2TP encapsulation. A PPP frame (an IP datagram) is wrapped with an L2TP header
and a UDP header.
Second layer: IPsec encapsulation. The resulting L2TP message is wrapped with an IPsec
ESP header and trailer, an IPsec authentication trailer that provides message integrity and
authentication, and a final IP header. The IP header contains the source and destination IP
addresses that correspond to the VPN client and the VPN server.
Encryption. The L2TP message is encrypted with either Advanced Encryption Standard (AES) or Triple
Data Encryption Standard (3DES) by using encryption keys that the IKE negotiation process generates.
SSTP
SSTP is a tunneling protocol that uses HTTPS over TCP port 443. SSTP commonly is used in scenarios
where PPTP and L2TP/IPsec traffic might be blocked by firewalls. SSTP uses the SSL channel of HTTPS to
encapsulate PPP traffic.
When a client tries to establish an SSTP-based VPN connection, SSTP first establishes two-way
communication on the HTTPS layer with the SSTP server. When this communication is established,
the protocol packets flow as the data payload, as follows:
Encapsulation. SSTP encapsulates PPP frames in IP datagrams for transmission over a network. SSTP
uses a TCP connection over port 443 both for tunnel management and for carrying the PPP data frames.
Encryption. The SSTP message is encrypted with the SSL channel of HTTPS.
IKEv2
Internet Key Exchange version 2 (IKEv2) uses the IPsec tunnel mode protocol over UDP port 500.
Because of its support for mobility, IKEv2 is much more resilient than other protocols to changing network
connectivity. This resiliency makes it a good choice for mobile users who move among access points and
even switch between wired and wireless connections. An IKEv2 VPN provides resilience to the VPN client
when the client either moves from one wireless hotspot to another or switches from a wireless to a wired
connection. This ability is a requirement of VPN Reconnect.
The use of IKEv2 and IPsec enables support for strong authentication and encryption methods, as follows:
Encapsulation. IKEv2 encapsulates datagrams by using IPsec ESP or Authentication Header (AH)
headers for transmission over a network.
Encryption. The message is encrypted via one of the following protocols by using encryption keys that
are generated from the IKEv2 negotiation process: AES 256, AES 192, AES 128, or 3DES encryption
algorithms.
IKEv2 is supported only on computers that run Windows 8.1, Windows 8, Windows 7, Windows
Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2.
VPN Authentication
Authenticating users is an important security concern, especially when they connect over a public
network such as the Internet. Authentication methods typically use an authentication protocol that is
negotiated during the connection establishment process. Windows Server 2012 R2 and Windows 8.1
support a number of authentication methods:
EAP. EAP uses an arbitrary authentication mechanism to authenticate a remote access connection.
The remote access client and the authenticator, which is either the remote access server or the
Remote Authentication Dial-In User Service (RADIUS) server, negotiate the exact authentication
scheme to use.
Digital certificates. Certificates are digital documents that are issued by certification authorities
(CAs), such as Active Directory Certificate Services (AD CS) and the VeriSign public CA. You can use
certificates for many purposes, such as code signing and securing email communication. However,
with VPNs, you use certificates for network access authentication because they provide strong
security for authenticating users and computers, and they eliminate the need for less-secure,
password-based authentication methods. Network Policy Servers use EAP-TLS and Protected
Extensible Authentication Protocol (PEAP) to perform certificate-based authentication for many
types of network access, including VPN and wireless connections.
Two authentication methods, EAP and PEAP, use certificates when you configure them with certificate-based
authentication types. With EAP, you can configure the authentication type TLS (EAP-TLS), and with
PEAP, you can configure the authentication types TLS (PEAP-TLS) and MS-CHAPv2 (PEAP-MS-CHAPv2).
These authentication methods always use certificates for server authentication. Depending on the
authentication type that you configure with the authentication method, you also might use certificates for
user authentication and client computer authentication.
The use of certificates for VPN connection authentication offers the strongest form of authentication that
is available in Windows 8.1. You must use certificates for IPsec authentication on VPN connections that
are based on L2TP/IPsec. PPTP connections do not require certificates, although you can configure PPTP
connections to use certificates for computer authentication when you use EAP-TLS as the authentication
method. For wireless clients, use PEAP with EAP-TLS and smart cards or certificates for authentication.
Each of these authentication methods has advantages and disadvantages in terms of security, usability,
and breadth of support. However, password-based authentication methods do not provide strong
security, and we do not recommend them. You should use a certificate-based authentication method for
all network access methods that support certificate use.
VPN Reconnect
In dynamic business scenarios, users must be able to access data securely at any time, from anywhere,
and continuously, without interruption. To meet these requirements, you can configure the VPN Reconnect
feature that is available in Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2,
Windows 8.1, Windows 8, and Windows 7. With this feature, users can access an organization's data by
using a VPN connection, which automatically reconnects if connectivity is interrupted. This feature also
enables roaming among different networks.
VPN Reconnect uses IKEv2 technology to help provide seamless and consistent VPN connectivity. VPN
Reconnect automatically reestablishes a VPN connection when Internet connectivity becomes available
again. Users who connect via a wireless mobile broadband card benefit most from this capability.
Consider a user with a Windows 8.1 laptop. When the user travels to work on a train, he or she connects
to the Internet by using a wireless mobile broadband card and then establishes a VPN connection to the
company's network. When the train passes through a tunnel, the Internet connection is lost. After the train
emerges from the tunnel, the wireless mobile broadband card automatically reconnects to the Internet.
With Windows Vista, the VPN does not reconnect automatically. Therefore, the user has to repeat the
multistep process of connecting to the VPN manually. Doing so is time-consuming for mobile users with
intermittent connectivity.
With VPN Reconnect, Windows 8.1, Windows 8, and Windows 7 automatically reestablish active VPN
connections when Internet connectivity is reestablished. Even though the reconnection might take several
seconds, users reconnect automatically and have access to internal network resources.
The system requirements for using the VPN Reconnect feature are:
Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 as a VPN server.
Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, or Windows
Server 2008 R2 as the VPN client operating system.
A PKI, because a remote connection with VPN Reconnect requires a computer certificate. Certificates
issued by either an internal or a public CA can be used.
VPN Auto-Trigger
You can configure Windows 8.1 to connect automatically through VPN when applications or network
locations are used that require organizational network resources. Configuration for VPN Auto-trigger in
Windows 8.1 is performed by using Windows PowerShell cmdlets that enable you to add and remove
triggers for the following scenarios:
App-based triggering. When app-based triggering is configured, the VPN connection is triggered by
a specific app being run. In this case, the app is added as a trigger to the VPN connection profile by
using the Add-VpnConnectionTriggerApplication cmdlet. You can remove app triggers by using
the Remove-VpnConnectionTriggerApplication cmdlet in Windows PowerShell.
Name-based triggering. You configure name-based triggering by adding DNS name suffixes to
the VPN connection profile by using the Add-VpnConnectionTriggerDns cmdlet. You can remove
name-based triggers by using the Remove-VpnConnectionTriggerApplication cmdlet in Windows
PowerShell.
When a VPN profile is configured with one or more triggers, the user is presented with an option in the
network connection window labeled Let apps automatically use this VPN connection. When the check
box for this option is selected, VPN Auto-trigger will connect the VPN.
you cannot use VPN Auto-triggering. VPN Auto-triggering requires split-tunneling to be enabled on
the VPN connection.
The client computer is joined to a domain. VPN Auto-trigger is not supported on domain-joined
computers. You can use a domain-joined computer to create and configure VPN profiles that support
VPN Auto-triggering, but the actual Auto-triggering functionality will not operate on the domain-joined computer.
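The following is an added example, not part of the course text, that puts the lesson's pieces together with the VpnClient cmdlets: an IKEv2 profile (the protocol VPN Reconnect depends on) that authenticates with a computer certificate and has split tunneling enabled, followed by the DNS-based and app-based auto-triggers, and a check of the two constraints just described. The connection name HQ and the DNS server 172.16.0.10 come from the demonstration; the server name vpn.adatum.com and the trigger application path are assumptions. Run it in an elevated Windows PowerShell session on the Windows 8.1 client.

```powershell
# Added example (not from the course): IKEv2 VPN profile plus VPN Auto-trigger configuration.
# Assumed values are marked; everything else follows the lesson text.

$ConnectionName = 'HQ'                 # name used in the demonstration
$ServerAddress  = 'vpn.adatum.com'     # assumption: public name of the VPN server
$DnsSuffix      = 'adatum.com'         # assumption: the organization's internal DNS suffix
$DnsServer      = '172.16.0.10'        # LON-DC1, the address used in the demonstration
$TriggerApp     = 'C:\Windows\System32\mstsc.exe'   # assumption: app that should trigger the VPN

function New-AdatumVpnProfile {
    # IKEv2 gives the VPN Reconnect behaviour; MachineCertificate matches the lesson's
    # requirement that VPN Reconnect uses a computer certificate rather than a password.
    # -SplitTunneling is mandatory for auto-trigger to work. -Force skips the confirmation prompt.
    Add-VpnConnection -Name $ConnectionName `
                      -ServerAddress $ServerAddress `
                      -TunnelType Ikev2 `
                      -AuthenticationMethod MachineCertificate `
                      -EncryptionLevel Required `
                      -SplitTunneling `
                      -Force
}

function Add-AdatumVpnTriggers {
    # Name-based trigger: resolving a name under the suffix brings the VPN up, and the
    # listed DNS server is used for that suffix once connected.
    Add-VpnConnectionTriggerDns -ConnectionName $ConnectionName `
                                -DnsSuffix $DnsSuffix `
                                -DnsIPAddress $DnsServer -Force
    # App-based trigger: starting the named application brings the VPN up.
    Add-VpnConnectionTriggerApplication -ConnectionName $ConnectionName `
                                        -ApplicationID $TriggerApp -Force
}

function Test-AutoTriggerPrerequisites {
    # Returns $true only when both lesson constraints are satisfied on this client.
    $ok = $true
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if ($cs.PartOfDomain) {
        Write-Warning 'Computer is domain-joined: triggers can be configured here but will not fire.'
        $ok = $false
    }
    $vpn = Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue
    if ($null -eq $vpn) {
        Write-Warning "Profile '$ConnectionName' does not exist."
        $ok = $false
    } elseif (-not $vpn.SplitTunneling) {
        Write-Warning "Split tunneling is disabled on '$ConnectionName': auto-trigger will not work."
        $ok = $false
    }
    return $ok
}

New-AdatumVpnProfile
Add-AdatumVpnTriggers
Test-AutoTriggerPrerequisites

# Review the configured triggers. DNS triggers are removed with Remove-VpnConnectionTriggerDns,
# application triggers with Remove-VpnConnectionTriggerApplication.
Get-VpnConnectionTrigger -ConnectionName $ConnectionName
```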
Demonstration Steps
Create a new VPN connection
3. Configure the initial settings, including 172.16.0.10 as the target IPv4 address and HQ as the name.
Connect to LON-DC1 with the HQ VPN, and then authenticate by using the Adatum\Administrator
account.
Connection Manager is a client network-connection tool that enables a user to connect to a remote
network, such as an Internet Service Provider or a corporate network that a VPN server protects.
The CMAK is an optional component that is not installed by default. You must install CMAK to create
connection profiles that your users can install and use to access remote networks.
Demonstration Steps
Install the CMAK feature
2. Open Control Panel, and then enable the RAS Connection Manager Administration Kit (CMAK)
feature.
2. Use File Explorer to examine the contents of the folder that was created by the CMAK wizard to
create the connection profile. Normally, you now would distribute this profile to your users.
Lesson 4
Many organizations use remote management and troubleshooting so that they can reduce
troubleshooting time and reduce travel costs for support staff. Remote troubleshooting allows support
staff to operate effectively from a central location.
Lesson Objectives
After completing this lesson, you will be able to:
Remote Desktop
Remote Desktop uses the Remote Desktop Protocol (RDP) to enable users to access files on their office
computer from another computer, such as one located at their home. Additionally, Remote Desktop
allows administrators to connect to multiple Windows Server sessions for remote administration purposes.
While a Remote Desktop session is active, Remote Desktop locks the target computer, prohibiting
interactive logons for the session's duration.
Note: Microsoft RemoteFX delivers a rich user experience for Virtual Desktop
Infrastructure by providing a three-dimensional virtual adapter, intelligent codecs, and the ability
to redirect USB devices in virtual machines. RemoteFX is integrated with the RDP, which enables
shared encryption, authentication, management, and device support.
Remote Assistance
Remote Assistance allows a user to request help from a remote administrator. To access Remote
Assistance, run the Windows Remote Assistance tool. By using this tool, you can do the following:
Users can send Remote Assistance invitations through email or by saving a request to a file that a remote
administrator can read and act on.
Windows Firewall
Windows 8.1 uses Windows Firewall to prevent remote troubleshooting tools from connecting to the local
computer. However, by default, Windows Firewall allows Remote Desktop and Remote Assistance traffic
to traverse the firewall.
To enable support for other applications, complete the following procedure:
2. Click Allow a program or feature through the Windows Firewall, and then select the program or
feature for which you want to enable an exception.
Allow connections from computers running any version of Remote Desktop. This is a less
secure option.
Allow connections only from computers running Remote Desktop with Network Level
Authentication. This is a more secure option.
3. Click Select Users. If you are prompted for an administrator password or confirmation, type the
password or provide confirmation.
4. If you are an administrator on the computer, your current user account will be added automatically to
the list of remote users, and you can skip the next two steps.
6. To specify the location in which to search for the remote user, click Locations, and then select
the location you want to search.
b. Enter the object names to select, type the name of the user that you want to add as a remote
user, and then click OK.
On the source computer, you need to perform the following to access the remote computer:
2. Before connecting, enter the logon credentials on the General tab, and make desired changes to the
options in the following tabs:
Display. Choose the remote desktop display size. You have the option to run the remote desktop
in full-screen mode.
Local Resources. Configure local resources for use by the remote computer, such as Clipboard
and printer access.
Programs. Specify which programs you want to start when you connect to the remote computer.
3. Save these settings for future connections by clicking Save on the General tab.
This demonstration shows how to enable and use Remote Assistance. Adam needs help with a Microsoft
Word feature. He requests assistance, and you provide guidance on the feature by using Remote
Assistance.
Demonstration Steps
Create a Microsoft Word 2013 Document
2. Create a blank document, and then type This is my document into the new Microsoft Word
document.
Open Remote settings, and then specify administrative credentials when prompted by User Account
Control.
4. Save the invitation to a shared folder location that is accessible by your invitee.
2. Retrieve the Remote Assistance request file, and then enter the password.
4. Take remote control, and then direct the user how to create a comment in a Word 2013 document.
5. Create a chat window, and then ask the user if they are satisfied with the offered solution.
Adam has a desktop computer in his office in London that he might wish to use while he travels around
the UK between his customers.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 15 minutes
Virtual machines: 20687D-LON-DC1, 20687D-LON-CL1, 20687D-LON-CL2
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
20687D-LON-DC1
20687D-LON-CL1
You also will need to start and connect to 20687D-LON-CL2. Do not sign in until directed to do so.
You decide to enable Remote Desktop on his desktop computer so that Adam can access it to work on his
data files should the need arise. Before Adam leaves, you decide to test the Remote Desktop connection
to his desktop computer from his laptop.
The main tasks for this exercise are as follows:
1. Enable Remote Desktop through the firewall, and enable Remote Desktop on Adam's office
computer.
Task 1: Enable Remote Desktop through the firewall, and enable Remote Desktop on
Adam's office computer
1. On LON-CL1, open Windows Firewall, and then enable Remote Desktop through the firewall for all
network location profiles (Domain, Private, and Public).
2. In Control Panel, in System and Security, click Allow remote access, and then select the following
options:
4. Sign in to LON-CL2 as Adatum\Administrator with password Pa$$w0rd, and then open Remote
Desktop Connection.
5. Specify the computer to connect to as LON-CL1, and then click Show Options.
6. On the Advanced tab, under Server authentication, in the If server authentication fails drop-down
list, click Connect and don't warn me.
Note: You also can enable this firewall rule indirectly by enabling Remote Desktop from
Control Panel\System\Remote settings.
Connect to LON-CL1. When prompted, enter the user name Adatum\Adam and the password
Pa$$w0rd.
3. Close the Remote Desktop session, and then close all open windows.
Results: After completing this exercise, you should have verified that Remote Desktop is functional.
2. In the Virtual Machines list, right-click 20687D-LON-CL2, and then click Revert.
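The following is an added example, not part of the course text, that performs the same configuration as the Windows Firewall procedure and Task 1 of the lab from Windows PowerShell: it enables Remote Desktop, selects the more secure Network Level Authentication option, opens the built-in Remote Desktop firewall rule group on the Domain, Private, and Public profiles, adds the lab user Adatum\Adam to the Remote Desktop Users group, and returns the effective state so you can verify it. It assumes an elevated session on the target computer (LON-CL1 in the lab).

```powershell
# Added example (not from the course): enable Remote Desktop with NLA required, open the
# firewall for all three profiles, grant a user access, and report the resulting state.

$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcp = Join-Path $TsKey 'WinStations\RDP-Tcp'

function Enable-SecureRemoteDesktop {
    # fDenyTSConnections = 0 is the "Allow remote connections to this computer" setting.
    Set-ItemProperty -Path $TsKey -Name 'fDenyTSConnections' -Value 0 -Type DWord
    # UserAuthentication = 1 is "Allow connections only from computers running Remote Desktop
    # with Network Level Authentication": the user is authenticated before a session is created,
    # so unauthenticated clients never reach the logon screen.
    Set-ItemProperty -Path $RdpTcp -Name 'UserAuthentication' -Value 1 -Type DWord
    # Enable the built-in Remote Desktop rule group on every network location profile.
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Profile Domain,Private,Public -Enabled True
}

function Add-RemoteDesktopUser {
    param([Parameter(Mandatory)][string]$Account)
    # Equivalent of "Select Users" in the Remote tab: members of Remote Desktop Users can
    # connect without being local administrators.
    net localgroup 'Remote Desktop Users' $Account /add
}

function Get-RemoteDesktopState {
    # Reads back the effective settings so they can be verified before testing from LON-CL2.
    $firewall = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
                Select-Object Name, Enabled, Profile
    [pscustomobject]@{
        RemoteDesktopEnabled = ((Get-ItemProperty -Path $TsKey).fDenyTSConnections -eq 0)
        NlaRequired          = ((Get-ItemProperty -Path $RdpTcp).UserAuthentication -eq 1)
        FirewallRules        = $firewall
    }
}

Enable-SecureRemoteDesktop
Add-RemoteDesktopUser -Account 'ADATUM\Adam'
Get-RemoteDesktopState
```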
Module 14
Recovering Windows 8.1
Module Overview
It is important to protect data on your computer from accidental loss or corruption. To recover from a
problem, typically it is easier to restore system settings than to reinstall an operating system and apps.
The Windows 8.1 operating system provides a number of features that you can use to protect important
data files, in addition to tools that you can use to recover a computer that will not start or that starts with
errors. You can use features such as File History, System Protection, and synchronization with Microsoft
OneDrive (formerly known as SkyDrive) to protect your data. To support your users, it is important that
you understand how to use these features and tools.
Objectives
After completing this module, you will be able to:
Lesson 1
Although you might implement a file-recovery strategy for user data that is stored on network file servers
or network-accessible storage devices, you should remember that users often save their work to local
storage. Consequently, it is important that you provide some method of local file recovery so that you can
recover these data files if they become corrupted or you delete them accidentally.
Lesson Objectives
After completing this lesson, you will be able to:
A computer that is running Windows 8.1 stores data files and settings in several locations, so you need to
ensure that you protect all of them. You can help protect these data files and settings by:
Storing them on a file server, such as when you are using Folder Redirection.
File History
With File History, Windows 8.1 can save copies of your files automatically to a removable local drive or to
a shared folder on a network. After you enable File History, it periodically saves a copy of your modified
files to a designated location. Windows 8.1 saves modified files each hour and keeps file versions
indefinitely by default. However, you can configure the interval at which saves occur and how long
Windows 8.1 will keep saved files.
File History saves files from the following folders:
Contacts
Desktop
Favorites
Documents
Music
Pictures
Videos
Note: You cannot add additional folders or libraries to this list, but you can add folders to
the libraries that File History is protecting. You also can define exceptions if you do not want all
files for the included folders and libraries to be included in File History.
To recover files, from the File History dialog box, you can click Restore personal files, and then select the
file from the folders or libraries. Alternatively, you can recover files directly from File Explorer. Navigate to
the folder that contains a deleted file, and then on the Home ribbon, click History. File History opens and
lists the recoverable files.
Question: Is File History turned on by default?
Question: Can you protect additional folders by using File History?
In this demonstration, you will see how to configure File History in Windows 8.1 and use this feature to
recover a deleted file.
Demonstration Steps
1. Create a new Microsoft Word 2013 document named Recovery file in the Documents library.
2. Modify the contents of the Recovery file document, and then save the file.
3. Use File History to add \\LON-DC1\FileHistory as an available drive, and then turn on File History.
Lesson 2
Registry corruption and issues with device drivers or system services can result in startup-related
problems. Systematic troubleshooting is essential so that you can determine and resolve the underlying
cause of the problem quickly and efficiently.
This lesson describes how to identify and troubleshoot issues that affect an operating system's ability to
start, and how to identify problematic services that are running on an operating system. It also describes
how to use troubleshooting tools in Windows 8.1. These tools are known collectively as the Windows
Recovery Environment (RE).
Lesson Objectives
After completing this lesson, you will be able to:
Bootmgr.exe replaces much of the functionality of the legacy NTLDR bootstrap loader that was in
Windows XP and older versions of the Windows operating system. Bootmgr.exe is a separate entity, and
it is unaware of other startup operations of the operating system. Bootmgr.exe switches the processor
into 32-bit or 64-bit protected mode, prompts the user for which operating system to load (if there are
multiple operating systems), and starts NTLDR if you are using Windows XP or older operating
systems.
Winload.exe is the operating system boot loader that Windows Boot Manager invokes. Winload.exe loads
the operating system kernel (Ntoskrnl.exe) and device drivers with start values of 0, which, combined with
Bootmgr.exe, makes Winload.exe functionally equivalent to NTLDR. Winload.exe initializes memory, loads
drivers that should start, and then transfers control to the kernel.
If the BCD contains information about a current hibernation image, Bootmgr.exe passes that
information to Winresume.exe. Bootmgr.exe exits, and then Winresume.exe starts. Winresume.exe reads
the hibernation image file and uses it to return the operating system to its prehibernation running state.
When you switch on a computer, the startup process loads the BIOS. When it loads the BIOS, the system
accesses the boot drive master boot record (MBR), followed by the drive's boot sector.
The Windows 8.1 startup process occurs in the following steps:
1. The BIOS performs a power-on self-test. From a startup perspective, the BIOS enables a computer
to access peripherals, such as hard disks, keyboards, and a computer display, prior to loading an
operating system. If any critical hardware component is malfunctioning or is not present, you can
hear a sound and see an error if a display is connected.
2. The computer uses information in the BIOS to locate a startup device, for example, a DVD drive,
network adapter, or a hard disk. A computer can start from a hard disk only if it contains the MBR. A
computer calls and loads Bootmgr.exe, which then locates an active drive partition on sector 0 of the
discovered hard disk.
3. Bootmgr.exe reads the BCD file from the active partition, gathers information about the machine's
installed operating systems, and then displays a boot menu if needed.
4. If the BCD contains information about a current hibernation image, Bootmgr.exe passes that
information to Winresume.exe, which reads the hibernation image file and returns the operating
system to its pre-hibernation running state.
5. Otherwise, Winload.exe initializes memory and loads drivers that are set to begin at startup. These
drivers are for fundamental hardware components such as disk controllers and peripheral bus drivers.
Winload.exe then transfers control to the kernel of the operating system, Ntoskrnl.exe.
6. The kernel initializes, and then device drivers and services with start values that are greater than zero
(0) are loaded in the order of their start value and dependency. During this phase, you will see the
screen switch to graphical mode as the Session Manager (Smss.exe) initializes the Windows
subsystem.
7. The operating system displays the logon screen, and a user can sign in to Windows 8.1.
Windows 8.1 includes two technologies that enhance the security of the startup process. These
technologies help ensure that the boot environment is in a known and trusted state before antimalware
software that is installed on the computer becomes active. These technologies are:
Measured Boot. Measured Boot provides antimalware software that runs on Windows 8.1 with a
tamper-proof log of all startup components that were running before the antimalware software
started. This provides antimalware software with enough information to determine whether those
startup components are trustworthy, or whether a malware infection has modified them. Measured
Boot requires a client computer to have a trusted platform module chip.
Secure Boot. Secure Boot is a feature of the Windows 8.1 operating system that blocks unauthorized
firmware, operating systems, or Unified Extensible Firmware Interface (UEFI) drivers from running
during startup. Secure Boot functions by referring to a database of authorized software signatures
and software images. If Secure Boot does not trust the firmware, it must be restored before boot can
continue. If Secure Boot finds an untrusted version of Bootmgr.exe, the Secure Boot process will boot
a backup copy of Bootmgr.exe. If it locates problems with drivers or Ntoskrnl.exe, Secure Boot loads
Windows RE automatically. Secure Boot requires UEFI, and you cannot use it with computers that
boot by using BIOS.
Secured Boot and Measured Boot: Hardening Early Boot Components against Malware
http://go.microsoft.com/fwlink/?LinkId=392421
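The following is an added example, not part of the course text, that checks from Windows PowerShell whether a Windows 8.1 computer can provide the two boot protections just described: Secure Boot needs UEFI firmware, and Measured Boot needs a TPM. It assumes an elevated session; Confirm-SecureBootUEFI throws on BIOS-based computers, which the function reports as "no UEFI" rather than treating as a failure. The Measured Boot log folder under %windir%\Logs\MeasuredBoot is where Windows stores the per-boot measurement logs that antimalware software reads.

```powershell
# Added example (not from the course): report the boot-protection state of this computer.

function Get-BootProtectionState {
    # $true / $false when the firmware is UEFI; $null when the cmdlet is unsupported (BIOS).
    $secureBoot = $null
    try {
        $secureBoot = Confirm-SecureBootUEFI
    } catch {
        $secureBoot = $null   # legacy BIOS: Secure Boot cannot be used on this computer
    }

    # Get-Tpm comes from the TrustedPlatformModule module; it returns nothing useful
    # (or errors) when no TPM is present, so failures are swallowed here.
    $tpm = Get-Tpm -ErrorAction SilentlyContinue

    # One log file per boot is written here when a TPM is present and Measured Boot runs.
    $logDir   = Join-Path $env:windir 'Logs\MeasuredBoot'
    $logCount = 0
    if (Test-Path $logDir) {
        $logCount = @(Get-ChildItem -Path $logDir -Filter '*.log').Count
    }

    [pscustomobject]@{
        FirmwareIsUefi    = ($null -ne $secureBoot)
        SecureBootEnabled = ($secureBoot -eq $true)
        TpmPresent        = [bool]($tpm -and $tpm.TpmPresent)
        TpmReady          = [bool]($tpm -and $tpm.TpmReady)
        MeasuredBootLogs  = $logCount
    }
}

Get-BootProtectionState
```

A result with FirmwareIsUefi false means the computer boots by using BIOS, so Secure Boot is unavailable regardless of the operating system; TpmPresent false means Measured Boot cannot produce its log.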
Windows RE
Windows RE is a recovery platform that is based on the Windows Preinstallation Environment
(Windows PE). Windows RE provides three main functions:
Accessing Windows RE
To access Windows RE, perform the following procedure:
1. Insert a Windows 8.1 installation DVD, and then start the computer.
3. After you configure language and keyboard settings, click the Repair your computer link.
4. Click the Troubleshoot option. After that, you can select if you want to Refresh your PC, Reset your
PC, or select from Advanced options, which includes Startup Repair and System Image Recovery.
Note: Some computer manufacturers do not include a setup disk. Therefore, the process of
accessing Windows RE might vary from the steps that this topic provides.
Windows 8.1 provides an on-disk Windows RE. A computer that is running Windows 8.1 can fail over
automatically to the on-disk Windows RE if it detects a startup failure. Startup failure is detected when any
of the following happens:
A Windows operating system restarts unexpectedly, two times in two minutes after the startup.
During startup, the Windows loader sets a status flag that indicates when the boot process starts. The
Windows loader clears this flag before it displays the Windows logon screen. If the startup fails, the loader
does not clear the flag. Consequently, the next time the computer starts, the Windows loader detects the flag,
assumes that a startup failure has occurred, and then presents you with an option to start Recovery instead
of Windows 8.1. A computer must start successfully for the Windows loader to remove the flag. If there is
an interruption to a computer's power during the startup sequence, the Windows loader does not remove
the flag. Be aware that this automatic failover requires the presence of both the Windows Boot Manager
and the Windows loader. If either of these elements of the startup environment is missing or corrupted,
automatic failover cannot function, and you must initiate a manual diagnosis and repair of the computer's
startup environment.
Windows Recovery Environment (Windows RE) Overview
http://go.microsoft.com/fwlink/?LinkId=378260&clcid=0x409
Windows 8.1 provides Advanced options for Startup Settings that you can use to change Windows startup
behavior. When you configure Startup Settings, after the computer starts, you can select one of the
following startup options:
Enable debugging
Based on a schedule. Windows 8.1 includes scheduled tasks, which can trigger restore point creation.
A restore point is created automatically if no restore point has been created for seven days.
Automatically, if you choose to use System Restore to restore to a previous restore point. In this
instance, System Restore creates a new restore point before it restores the system to a previous
state. This provides you with a recovery option should the restore operation fail or result in issues.
Windows RE does not create a restore point for the current state if you are in Safe mode and you
restore to a previous state.
You can access System Restore and revert Windows settings from the Windows 8.1 environment or from
Windows RE. This means that you can restore your computer to an earlier restore point even if you cannot
start Windows 8.1. If you want to restore your computer to an earlier restore point from Windows RE, you
need to select a user and provide the user's password before you can use System Restore.
Note: Windows 8.1 includes a System Restore scheduled task named SR, which you can
configure to create restore points automatically at scheduled intervals.
If you install a device driver that results in a computer that is unstable or that fails to operate entirely,
you might use System Restore. Older versions of Windows operating systems had a mechanism for driver
rollbacks, but it required the computer to start successfully. With Windows 8.1, you can use System
Restore to perform driver rollbacks by accessing the restore points, even when the computer does not
start successfully.
System Restore also provides protection against accidental deletion of programs. System Restore creates
restore points when you add or remove programs, and it keeps copies of application programs (file names
with an .exe or .dll extension). If you accidentally delete an .exe file, you can use System Restore to recover
it by selecting a recent restore point prior to your deletion of the program.
Restore points
http://go.microsoft.com/fwlink/?LinkId=378261&clcid=0x409
Question: How can you configure Windows 8.1 to create restore points automatically more
often than every seven days?
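The following script is an added example and is not part of the 20687D courseware. It inspects the SR scheduled task and the existing restore points with the built-in cmdlets, reads the creation-frequency throttle that Windows 8 and later apply, and creates a restore point on demand when the newest one is older than a threshold. The seven-day threshold and the restore point description are assumptions chosen for the example; run it in an elevated Windows PowerShell session on Windows 8.1.

```powershell
# Added example (not part of the 20687D courseware). Inspects the SR scheduled
# task and the existing restore points, then creates a new restore point when
# the newest one is older than a threshold. Run in an elevated Windows
# PowerShell session on Windows 8.1. The seven-day threshold and the
# description text are assumptions chosen for this example.

function Get-NewestRestorePoint {
    # Returns the newest restore point with a parsed creation time and its age
    # in days, or $null when System Restore has no restore points.
    $points = Get-ComputerRestorePoint -ErrorAction SilentlyContinue
    if (-not $points) { return $null }
    $newest = $points |
        ForEach-Object {
            # CreationTime is a WMI datetime string (yyyymmddHHMMSS.ffffff+zzz)
            $created = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
            [pscustomobject]@{
                SequenceNumber = $_.SequenceNumber
                Description    = $_.Description
                Created        = $created
                AgeDays        = [math]::Round(((Get-Date) - $created).TotalDays, 1)
            }
        } |
        Sort-Object Created -Descending |
        Select-Object -First 1
    return $newest
}

function Get-RestorePointThrottleMinutes {
    # Windows 8 and later skip a requested restore point if one was created
    # within the interval (in minutes) stored in SystemRestorePointCreationFrequency;
    # when the value is absent the interval is 24 hours.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
    $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).SystemRestorePointCreationFrequency
    if ($null -eq $value) { return 1440 }
    return [int]$value
}

function New-RestorePointIfStale {
    [CmdletBinding()]
    param(
        [int]$MaxAgeDays = 7,                                # assumption: mirrors the seven-day default
        [string]$Description = 'Administrator checkpoint'   # assumption
    )
    $newest = Get-NewestRestorePoint
    if ($newest -and $newest.AgeDays -lt $MaxAgeDays) {
        Write-Verbose "Newest restore point '$($newest.Description)' is $($newest.AgeDays) days old; skipping."
        return $false
    }
    Checkpoint-Computer -Description $Description -RestorePointType MODIFY_SETTINGS
    return $true
}

# The scheduled task the text refers to, with its last and next run times.
$taskPath = '\Microsoft\Windows\SystemRestore\'
Get-ScheduledTask -TaskPath $taskPath -TaskName 'SR' |
    Select-Object TaskName, State, @{ n = 'Triggers'; e = { $_.Triggers.Count } }
Get-ScheduledTaskInfo -TaskPath $taskPath -TaskName 'SR' |
    Select-Object LastRunTime, LastTaskResult, NextRunTime

"Creation throttle: one restore point per $(Get-RestorePointThrottleMinutes) minutes"
Get-NewestRestorePoint
New-RestorePointIfStale -MaxAgeDays 7 -Verbose
```

Note the throttle: on Windows 8 and later, Checkpoint-Computer called within the creation interval of an existing restore point emits a warning and creates nothing, so a more frequent SR trigger alone does not guarantee more frequent restore points.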
Windows 8.1 stores the BCD data in the same format as a registry hive. For BIOS-based systems, the BCD
data files are on the active partition, in the Boot directory, which is marked as system and hidden. For UEFI-based systems, BCD files are on the EFI system partition.
Question: One of your coworkers would like to modify Windows 8.1 startup settings, but he
is not able to find the Boot.ini file. How can you help him?
Minimal. Start Windows in safe mode, in which only critical system services are running and
networking is disabled.
Alternate shell. On startup, opens a command prompt in safe mode, in which only critical
system services are running. Networking and the GUI are disabled.
Active Directory repair. On startup, opens the Windows GUI in safe mode, running critical
system services.
Network. On startup, opens the Windows GUI in safe mode, running only critical system
services. Networking is enabled.
No GUI boot. Does not display the Windows Welcome screen when starting.
Advanced options:
Number of processors. Limits the number of processors that are used on a multiprocessor
system.
PCI Lock. Prevents reallocation of I/O and interrupt request (IRQ) resources on the peripheral
component interconnect (PCI) bus.
BCDEdit.exe. BCDEdit.exe is a command-line tool in Windows 8.1 that replaces Bootcfg.exe. This
advanced tool is for administrators and IT professionals. You can use BCDEdit.exe to change the BCD
and perform tasks such as removing entries from the list that displays operating systems. BCDEdit.exe
is useful in scenarios such as the following:
o Adding a new hard disk to your Windows 8.1 computer and changing the logical drive
numbering.
o Installing additional operating systems on your Windows 8.1 computer to create a multiboot
configuration.
o Deploying Windows 8.1 to a new computer with a blank hard disk, which requires you to
configure the appropriate boot store.
BootRec.exe. Rebuild BCD by using the BootRec.exe tool with the /rebuildbcd option in Windows RE.
You must run BootRec.exe in Windows RE. If rebuilding BCD does not resolve startup issues, you can
export and delete BCD, and then run this option again. By doing this, you ensure that BCD rebuilds
completely.
Note: In Windows 8.1, you cannot access advanced startup settings by pressing F8 during
the startup process, as you were able to do in older versions of Windows operating systems.
When the computer restarts, you are presented with the following options:
Enable debugging. By selecting the debugging mode, you can start Windows 8.1 in a special
troubleshooting mode. In this mode, you can monitor the behavior of device drivers and determine
whether a specific device driver is causing Windows 8.1 to stop unexpectedly.
Enable boot logging. When you use this mode, the Windows 8.1 start process creates and writes to a
file named Ntbtlog.txt. This file records the device drivers that Windows 8.1 installs and loads during
startup.
Enable low-resolution video. In this mode, you can start Windows 8.1 in a special low-resolution
mode of 640×480. This mode can be necessary when you attempt to resolve incorrectly applied
graphics resolution settings.
Enable Safe Mode. In the safe mode, Windows 8.1 can start with a minimal set of drivers, services,
and applications. You can use safe mode to disable services and applications that might be causing
the Windows operating system to stop. Computers often start in the safe mode when they are unable
to start normally. Safe mode does not load network drivers, so network connectivity is not possible in
safe mode.
Enable Safe Mode with Networking. Safe mode with networking is similar to safe mode, except that it
allows network connectivity.
Enable Safe Mode with Command Prompt. This version of safe mode starts with a Command Prompt
window rather than the Windows interface. In this mode, you can disable applications and services
from the command line if you are unable to perform this operation by using safe mode.
Disable driver signature enforcement. In this mode, you can load device drivers that are not signed
digitally. This might be necessary when testing device drivers with Windows 8.1 that have not been
released formally.
Disable early launch anti-malware protection. In this mode, you can start Windows 8.1 without
the early launch antimalware functionality running. This functionality might stop Windows 8.1 from
starting in certain circumstances, but it should be disabled only after other options have been tried.
Disable automatic restart after failure. Use this option to stop Windows 8.1 from automatically
restarting after a failure occurs. You might need to use this option if Windows 8.1 enters a reboot
cycle.
Launch Recovery Environment. Use this option to start Windows RE. You can use the recovery
environment to trigger the Refresh your PC or Reset your PC function.
Question: Can you access Startup Setting options by pressing F8 during computer startup?
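The following script is an added example and is not part of the 20687D courseware. It parses the Ntbtlog.txt file that the Enable boot logging option writes under %SystemRoot%, reports the drivers that did not load in the most recent boot session, and flags loaded drivers that sit outside the usual driver directories, which is the kind of entry to examine before trusting a boot chain. The sample log, including its driver names and paths, is constructed for this example; the real file is used when it exists.

```powershell
# Added example (not part of the 20687D courseware). Parses the Ntbtlog.txt
# file that "Enable boot logging" writes under %SystemRoot%, reports the
# drivers that did not load in the most recent boot session, and flags loaded
# drivers that live outside the usual driver directories. The sample log is
# constructed for this example; the file is used when it exists.

$SampleBootLog = @'
Microsoft (R) Windows (R) Version 6.3 (Build 9600)
 1 25 2014 10:45:12.500
Loaded driver \SystemRoot\system32\ntoskrnl.exe
Loaded driver \SystemRoot\system32\hal.dll
Loaded driver \SystemRoot\System32\drivers\vmbus.sys
Did not load driver \SystemRoot\System32\drivers\vga.sys
Microsoft (R) Windows (R) Version 6.3 (Build 9600)
 1 25 2014 11:02:40.125
Loaded driver \SystemRoot\system32\ntoskrnl.exe
Loaded driver \SystemRoot\system32\hal.dll
Loaded driver \SystemRoot\System32\drivers\vmbus.sys
Loaded driver \SystemRoot\System32\drivers\kbdclass.sys
Did not load driver \SystemRoot\System32\drivers\vga.sys
Did not load driver \SystemRoot\System32\drivers\kbdhid.sys
Loaded driver \??\C:\Users\Public\lab\sample.sys
'@

function ConvertFrom-BootLog {
    # Boot logging appends one session per start. Each session begins with the
    # version header; this returns one object per session with its driver lists.
    param([Parameter(Mandatory)][string[]]$Lines)
    $sessions = New-Object System.Collections.ArrayList
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^Microsoft \(R\) Windows \(R\) Version') {
            $current = [pscustomobject]@{
                Header    = $line.Trim()
                Started   = $null
                Loaded    = New-Object System.Collections.ArrayList
                NotLoaded = New-Object System.Collections.ArrayList
            }
            [void]$sessions.Add($current)
        }
        elseif ($null -eq $current) { continue }
        elseif ($line -match '^\s*\d+\s+\d+\s+\d{4}\s+[\d:.]+\s*$') { $current.Started = $line.Trim() }
        elseif ($line -match '^Loaded driver (.+)$')       { [void]$current.Loaded.Add($Matches[1].Trim()) }
        elseif ($line -match '^Did not load driver (.+)$') { [void]$current.NotLoaded.Add($Matches[1].Trim()) }
    }
    return ,$sessions
}

function Get-UnexpectedDriverPaths {
    # Boot-start drivers are expected under \SystemRoot\System32 or its drivers
    # subfolder; anything else deserves a second look before the boot chain is trusted.
    param([string[]]$DriverPaths)
    $DriverPaths | Where-Object { $_ -notmatch '^\\SystemRoot\\System32(\\drivers)?\\[^\\]+$' }
}

$logPath = Join-Path $env:SystemRoot 'ntbtlog.txt'
$lines = if (Test-Path $logPath) { Get-Content -Path $logPath } else { $SampleBootLog -split "`r?`n" }

$sessions = ConvertFrom-BootLog -Lines $lines
$last = $sessions[$sessions.Count - 1]

"Sessions in log : $($sessions.Count)"
"Last session    : $($last.Started)"
"Loaded          : $($last.Loaded.Count)"
"Did not load    : $($last.NotLoaded.Count)"
$last.NotLoaded | ForEach-Object { "  not loaded  : $_" }
Get-UnexpectedDriverPaths -DriverPaths $last.Loaded | ForEach-Object { "  unusual path: $_" }
```

Because the log accumulates across boots, compare the last session with an earlier one to see which driver stopped loading after a change; a driver that appears in NotLoaded only in the newest session is the first candidate for the Disable driver signature enforcement or safe mode experiments described above.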
Refresh your PC
This option enables you to retain your personal
data, apps, and settings, but replaces the
Windows 8.1 operating system. This is useful
when it is important to retain user-related files
and settings, but you do not have the time to
determine the specific cause of a startup problem
or to resolve it. You need Windows installation or
recovery media if you want to perform a refresh.
Note: Because it is quite likely that user settings might have created the startup problem
from which you are attempting to recover, the Refresh your PC option is careful about which
settings to restore. For instance, this option does not restore file associations, display settings, and
Windows Firewall settings during the refresh process.
Note: It is possible to use the Recimg.exe command-line tool to create a refresh image,
which enables you to refresh your computer to a specific point in time.
Reset your PC
This option removes all user data, user settings, and apps and then reinstalls Windows 8.1. You should
select this option when there is no need to retain user data or settings. By using this setting, you revert
your computer to the deployment defaults. You need Windows installation or recovery media if you want
to perform a reset.
System Restore
Windows 8.1 provides System Restore capabilities that you can access from the System Tools folder. If you
have a system failure or another significant problem with your computer, you can use System Restore to
return your computer to an earlier state.
The primary benefit of System Restore is that it restores your system to a workable state without
reinstalling the operating system or causing data loss. Additionally, if a computer does not start
successfully, you can use System Restore by starting Windows RE from Windows 8.1 media.
System Image Recovery replaces your computer's current operating system with a complete computer
image that you created previously. You can use this tool only if you have made a recovery drive of your
computer. You should use this tool only if other recovery methods are unsuccessful, because it is very
intrusive and it overwrites all data on a computer.
Startup Repair
The Startup Repair tool in Windows RE provides a simple and effective way for you to resolve most
common startup problems. Before you can use Startup Repair, you must provide the password of the
administrator account that previously signed in to the computer. Startup Repair detects most common
startup issues and automatically corrects them. It performs the following functions:
Replace or repair disk metadata. Disk metadata consists of several components, including the boot
sector and the MBR. If these files are missing or corrupted, the startup process fails. If you suspect that
an issue has damaged or deleted these files, use Startup Repair to check for problems with the disk
metadata. Startup Repair automatically checks and, if necessary, repairs the disk metadata. Damage to
disk metadata often occurs because of unsuccessful attempts to install multiple operating systems on
a single computer. Another possible cause of metadata corruption is a virus infection.
Repair boot configuration settings. Windows 8.1 uses a configuration store that is stored in a Boot
folder on an active partition. If the boot configuration data is damaged or deleted, the operating
system fails to start. The Startup Repair tool checks and, if necessary, rebuilds BCD by scanning for
Windows installations on the local hard disks, and then storing the necessary BCD.
Resolve incompatible driver issues. Installing a new hardware device and its associated device
driver often causes the Windows operating system to start incorrectly. The Startup Repair tool
performs device driver checks as part of its analysis of your computer. If Startup Repair detects a
driver problem, it uses System Restore points to attempt a resolution by rolling back the
configuration to a known working state.
Command Prompt
Windows 8.1 uses a Command Prompt tool from the Windows RE tool set as its command-line
interface. The Command Prompt tool is more powerful than the Recovery Console from older versions of
Windows operating systems, and its features are similar to the command prompt that is available when
Windows 8.1 is running normally. The Command Prompt tool performs the following functions:
Resolves problems with a service or device driver. If a computer that is running Windows 8.1
experiences problems with a device driver or Windows service, use the Command Prompt tool to
attempt a resolution. For example, if a device driver fails to start, use the Command Prompt tool
to install a replacement driver or disable the existing driver from the registry. For example, if the
Netlogon service fails to start, type Net Start Netlogon at the command prompt. You also can use
the SC tool (Sc.exe) command-line tool to start and stop services.
Recovers missing files. The Command Prompt tool enables you to copy missing files to your
computer's hard disk from original source media, such as the Windows 8.1 installation DVD or USB
flash drive.
Accesses and configures BCD. Windows 8.1 uses a BCD store to retain information about the operating
systems that you install on the computer. You can access this information by using the BCDEdit.exe
tool at the command prompt. You also can reconfigure the store if necessary. For example, you can
reconfigure the default operating system on a dual-boot computer with the BCDEdit.exe /default id
command.
Repairs the boot sector and MBR. If the boot sector or MBR on the local hard disk is damaged or
missing, a computer that is running Windows 8.1 will fail to start successfully. You can launch the
BootRec.exe command at the command prompt to resolve problems with the disk metadata.
Runs diagnostic and troubleshooting tools. The Command Prompt tool provides access to many
programs that you can access from Windows 8.1 during normal operations. These programs include
several troubleshooting and diagnostics tools, such as the Registry Editor (Regedit.exe), a disk and
partition management tool (Diskpart.exe), and several networking configuration tools (Net.exe,
Ipconfig.exe, and Netcfg.exe). Another option is to load Task Manager (Taskmgr.exe), which you
can use to determine which programs and services are running currently.
Note: Windows PE is not a complete operating system. Therefore, when you use the
Command Prompt tool in Windows RE, remember that not all programs that work in the
Windows operating system will work at the command prompt. Additionally, because there are
no logon requirements for Windows PE and Windows RE, Windows 8.1 restricts the use of some
programs for security reasons, including many that administrators typically run.
Question: Can you use System Image Recovery without any previous preparation?
Question: What is the main difference between the Refresh your PC and Reset your PC
options?
Demonstration Steps
1. On 20687D-LON-CL1, mount the Windows 8.1 installation DVD from D:\Program Files
\Microsoft Learning\20687\Drives\Win81Ent_Eval.iso, and then start the virtual machine.
2. Initialize setup from the DVD, and then click Repair your computer.
3. Click Troubleshoot from the available options, and then click Advanced options.
4. Click Command Prompt, and then run the following commands to view the startup environment:
Bcdedit /enum
Bootrec /scanos
Diskpart
5. In Diskpart, type the following commands to view information about the disks and volumes installed
on LON-CL1:
List disk
List volume
9. On LON-CL1, sign in as Adatum\Administrator with the password Pa$$w0rd, and then open an
elevated command prompt.
10. Create a duplicate boot entry by running the following command at the elevated command prompt:
bcdedit /copy {current} /d "Duplicate boot entry"
11. Verify the presence of Duplicate boot entry in the store with the following command, and then
restart the computer:
Bcdedit /enum
12. When the Windows operating system restarts, wait until the Choose an operating system menu
appears, and then click Change defaults or choose other options. Select the following options in
turn:
o Troubleshoot
o Advanced options
o Startup Settings
o Restart
13. Start Windows in Safe Mode, and then sign in as Adatum\Administrator with the password
Pa$$w0rd.
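The following script is an added example and is not part of the 20687D courseware. It parses the output of bcdedit /enum (the command the demonstration and the BCDEdit.exe topic rely on) into one object per entry and audits each entry for two conditions: a device or osdevice of unknown, which is what an abandoned or half-removed installation leaves behind, and testsigning or nointegritychecks set to Yes, which weaken driver signature enforcement on every boot rather than for a single start. The sample output and its GUID are constructed; the real store is read when the session is elevated.

```powershell
# Added example (not part of the 20687D courseware). Parses "bcdedit /enum"
# output into objects and audits each entry. The sample output below and its
# GUID are constructed; the real store is read when the session is elevated.

$SampleEnum = @'
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\Device\HarddiskVolume1
description             Windows Boot Manager
default                 {current}
displayorder            {current}
                        {9f1b2c3d-0000-4000-8000-000000000001}
timeout                 30

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 8.1
osdevice                partition=C:
systemroot              \Windows

Windows Boot Loader
-------------------
identifier              {9f1b2c3d-0000-4000-8000-000000000001}
device                  unknown
path                    \Windows\system32\winload.exe
description             Duplicate boot entry
osdevice                unknown
systemroot              \Windows
testsigning             Yes
'@

function ConvertFrom-BcdEnum {
    # Each entry starts with a title line ("Windows Boot Loader"), a dashed rule,
    # then "element<spaces>value" lines; continuation values are indented.
    param([Parameter(Mandatory)][string[]]$Lines)
    $entries = New-Object System.Collections.ArrayList
    $entry = $null; $lastKey = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*$' -or $line -match '^-+$') { continue }
        if ($line -match '^(\S+)\s{2,}(.+)$' -and $null -ne $entry) {
            $lastKey = $Matches[1]
            $entry[$lastKey] = $Matches[2].Trim()
        }
        elseif ($line -match '^\s+(\S.*)$' -and $null -ne $entry -and $lastKey) {
            $entry[$lastKey] = "$($entry[$lastKey]) $($Matches[1].Trim())"
        }
        else {
            $entry = [ordered]@{ Type = $line.Trim() }
            $lastKey = $null
            [void]$entries.Add($entry)
        }
    }
    $entries | ForEach-Object { [pscustomobject]$_ }
}

function Test-BcdEntry {
    # Returns the entry's identifier and description with a list of findings.
    param([Parameter(Mandatory)]$Entry)
    $findings = @()
    foreach ($element in 'device', 'osdevice') {
        if ($Entry.PSObject.Properties[$element] -and $Entry.$element -eq 'unknown') {
            $findings += "$element is unknown; the entry cannot boot (typical after an abandoned installation)"
        }
    }
    foreach ($element in 'testsigning', 'nointegritychecks') {
        if ($Entry.PSObject.Properties[$element] -and $Entry.$element -eq 'Yes') {
            $findings += "$element is Yes; driver signature enforcement is weakened on every boot"
        }
    }
    [pscustomobject]@{
        Type        = $Entry.Type
        Identifier  = $Entry.identifier
        Description = $Entry.description
        Findings    = $findings
    }
}

$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
$lines = if ($isAdmin -and (Get-Command bcdedit.exe -ErrorAction SilentlyContinue)) {
    & bcdedit.exe /enum
} else {
    $SampleEnum -split "`r?`n"
}

$entries = ConvertFrom-BcdEnum -Lines $lines
"Entries in store: $($entries.Count)"
$entries | ForEach-Object { Test-BcdEntry -Entry $_ } |
    Where-Object { $_.Findings.Count -gt 0 } |
    Format-List Type, Identifier, Description, Findings
```

Two practical points when driving bcdedit from PowerShell rather than the cmd.exe prompt used in the demonstration: braces are script-block delimiters, so identifiers must be quoted (bcdedit /copy '{current}' /d 'Duplicate boot entry'), and a copy of the store taken with bcdedit /export before any change is what lets you undo a mistake without rebuilding the BCD.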
Note: If a Windows 8.1 computer does not have a recovery partition, you can create one by
running the recimg.exe command. The Refresh your PC feature uses a recovery partition, and it
contains a copy of desktop apps and Windows system files. However, a recovery partition does
not contain your documents, personal settings, user profiles, and Windows Store apps.
Recovery Drive
http://go.microsoft.com/fwlink/?LinkId=378264&clcid=0x409
Question: Can you create a recovery drive on a DVD?
Question: Which recovery tasks can you perform when you start a computer from a recovery
drive?
You must demonstrate to your coworkers how you can configure and use File History to protect
documents. You also need to recover a Windows 8.1 computer that belongs to one of the employees at A.
Datum Corporation. To do this, you first will examine the recovery options available in Windows 8.1. You
then will attempt to resolve a startup issue, and you will document the solution that you used to resolve
the issue.
Objectives
After completing this lab, you will be able to:
Resolve a problem.
Lab Setup
Estimated Time: 60 minutes
Virtual machines: 20687D-LON-DC1, 20687D-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687D-LON-DC1, and then in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
Password: Pa$$w0rd
Domain: Adatum
A. Datum users are complaining that they cannot find any backup apps in Windows 8.1. You must
demonstrate to these users how they can use File History to protect files that are stored locally on their
computers.
The main tasks for this exercise are as follows:
On LON-DC1, create a folder named FileHistory. Grant domain users Full Control permissions to the
folder, and then share it with Full Control permissions for Everyone.
Create a new Word 2013 document named Recovery file in the Documents library.
3. Use File History to add \\LON-DC1\FileHistory as an available drive, and then turn on File History.
5. On LON-CL1, verify that the File History feature is protecting three file folders and four libraries. Also,
verify that File History is currently protecting only the Recovery file.docx file.
2. Use File Explorer to add the folder E:\Labfiles\Docs to the Documents library.
5. Use File History to restore the Windows.docx file to the E:\Labfiles folder.
6. Use File Explorer to verify that the Windows.docx file is restored to the E:\Labfiles folder.
Results: After completing this exercise, you should have configured and used the File History feature.
3. Use File Explorer to navigate to the E:\Labfiles\Mod14 folder, and then install XML Notepad. Verify
that the XML Notepad 2007 shortcut is added to the desktop.
5. Use Device Manager to update the driver for Microsoft Hyper-V Virtual Keyboard with a driver for
Microsoft Wireless Keyboard 700 v2.0 (106/109).
Note: Be aware that you must clear the Show compatible hardware check box to be able
to select it.
6. In Device Manager, verify that Microsoft Wireless Keyboard 700 v2.0 (106/109) is shown with an
exclamation point (!).
1. Use System Restore to scan for programs that would be affected if you restored the Initial settings
restore point.
4. Verify that My document.txt is still on the desktop and that the XML Notepad 2007 shortcut is no longer
present on the desktop.
5. Use Device Manager to verify that Microsoft Hyper-V Virtual Keyboard is present. Microsoft Wireless
Keyboard 700 v2.0 (106/109) was removed, as you added it after the restore point was created.
6. Use System Restore to verify that an additional restore point with the description Restore Operation
and Type of Undo was created.
7. Shut down LON-CL1, and then wait until LON-CL1 is turned off.
On 20687D-LON-CL1, mount the Windows 8.1 installation DVD from D:\Program Files
\Microsoft Learning\20687\Drives\Win81Ent_Eval.iso, and then start the virtual machine.
2. Initialize setup from the DVD, and then select Repair your computer.
3. Select Troubleshoot from the available options, and then select Advanced options.
4. Use System Restore to verify that restore points that were created can be restored from Windows RE.
Verify which programs would be affected if you restored the Restore Operation restore point.
Do not restore any restore point, and return to the Advanced options screen.
5. Click Command Prompt, and then run the following commands to view the startup environment:
Bcdedit /enum
Bootrec /scanos
Diskpart
6. In Diskpart, type the following commands to view information about disks and volumes installed on
LON-CL1:
List disk
List volume
1. On LON-CL1, sign in as Adatum\Administrator with the password Pa$$w0rd, and then open an
elevated command prompt.
2. Create a duplicate boot entry by running the following command at the elevated command prompt:
bcdedit /copy {current} /d "Duplicate boot entry"
3. Verify the presence of Duplicate boot entry in the store with the following command, and then
restart the computer:
Bcdedit /enum
When the Windows operating system restarts, wait until the Choose an operating system menu
appears, and then click Change defaults or choose other options. Select the following options in
turn:
o Troubleshoot
o Advanced options
o Startup Settings
o Restart
2. Start the Windows operating system in safe mode, and then sign in as Adatum\Administrator with
the password Pa$$w0rd.
3. Revert and restart the 20687D-LON-CL1 virtual machine in preparation for the next exercise.
Results: After completing this exercise, you should have used various Windows 8.1 operating system
startup-recovery tools.
In this exercise, you will attempt to fix a computer that is running Windows 8.1. The computer does not
start successfully. You have an open help-desk ticket so that you can determine the likely cause of the
problem.
A. Datum Incident Record
Incident number: 161071
Date and time of call: Jan 25 10:45am
User: Adam Carter
Incident Details
Adam Carter has reported that his computer will not start properly.
Additional Information
Adam has been trying to install an additional operating system on his computer so that he can run a
specific line-of-business application. He abandoned the installation after getting only partway through
the process. Since then, his computer displays the following error message when it starts:
Windows Boot Manager
File: \Boot\BCD
Status: 0xc0000034
Info: The Windows Boot Configuration Data (BCD) file is missing required information.
Plan of Action
Read the help-desk Incident Record (in the exercise scenario in the student handbook) for Incident
161071.
2. Update the Plan of Action section of the Incident Record with your recommendations.
Password: Pa$$w0rd
2. Open File Explorer, run the E:\Labfiles\Mod14\Scenario1.vbs script, and then wait while LON-CL1
restarts.
Results: After this exercise, you should have reproduced the reported startup problem on Adam's
computer.
On LON-CL1, attempt to resolve the problem by using your knowledge of the startup architecture
and the available tools for troubleshooting the startup environment.
3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.
To repeat or exit the exercise, revert the virtual machine environment.
Results: After completing this exercise, you should have resolved the startup problem and documented
your solution.
2. In the Virtual Machines list, right-click 20687D-LON-CL1, and then click Revert.
Tools

Tool           Use for                   Where to find it
BCDEdit.exe                              Command-line
Sc.exe         Managing services         Command-line
MSConfig.exe
Windows RE
Safe Mode      Troubleshooting startup
BootRec.exe                              Command-line
Module 15
Configuring Client Hyper-V
Contents:
Module Overview
Module Overview
Hyper-V is the primary platform for infrastructure virtualization. Hyper-V enables multiple operating
systems to run in individual virtual machines that share the same physical platform. Virtual machines can
be isolated or connected to a network. This module will introduce you to Client Hyper-V in Windows 8.1
and explain the fundamentals of working with virtual machines in a Client Hyper-V environment.
Objectives
After completing this module, you will be able to:
Manage checkpoints.
Lesson 1
Client Hyper-V is a Windows 8.1 feature that is available only in the 64-bit version of the operating
system. You can use Client Hyper-V to create and run multiple virtual machines on the same Windows 8.1
computer. You can isolate virtual machines or connect them to a network. You also can use them to
provide an additional environment, such as for running applications that are not compatible with
Windows 8.1.
This lesson introduces you to Client Hyper-V functionality in Windows 8.1, and it introduces scenarios
that might benefit from a virtual environment. Client Hyper-V provides the same core virtualization
technology that is included in Windows Server 2012 R2.
Lesson Objectives
After completing this lesson, you will be able to:
Client Hyper-V is a feature that enables virtualization within a Windows 8.1 environment. Client Hyper-V
uses the same virtualization engine as Hyper-V in Windows Server 2012 R2 and contains the same core
feature set. Client Hyper-V replaces the Windows XP Mode that was previously available in Windows 7,
and it has some significant differences in functionality:
Compatibility with Hyper-V in Windows Server. Client Hyper-V supports the same standard
functionality as Hyper-V in Windows Server. You can import and export virtual machines and virtual
hard disks between Hyper-V and Client Hyper-V without any requirement for conversion or
modification.
Support for 64-bit virtual machines. Client Hyper-V can provide both a 32-bit and a 64-bit virtualized
hardware environment for virtual machines. Windows XP Mode supported only 32-bit virtualized
hardware.
The following table compares the availability of some features between Client Hyper-V and Hyper-V.

Feature                                                          Client Hyper-V in Windows 8.1   Hyper-V in Windows Server 2012 R2
Sleep and hibernate for physical computer and virtual machines   Yes
Hyper-V Replica                                                  Yes                             Yes
Network virtualization                                           Yes                             Yes
Memory. A computer must have at least 4 gigabytes (GB) of physical memory to support Client
Hyper-V. The memory in a computer is allocated and unallocated dynamically as required by the
virtual machines. You can run several virtual machines on a Windows 8.1 host if it meets the minimum
memory requirement. Depending on the specific requirements of virtual machines, you might need
to install more physical memory.
Storage. Client Hyper-V supports the same storage migration capability that is included in Hyper-V
in Windows Server 2012 R2. This means that you can store virtual machines independently of the
underlying storage. Additionally, you can move virtual machines' storage between local drives, to a
USB drive, or to a remote file share without having to stop the virtual machines.
Processor. A computer must have an x64 processor that supports hardware-assisted virtualization and
Data Execution Prevention (DEP). Additionally, it must be running the 64-bit edition of Windows 8.1.
Client Hyper-V requires a 64-bit processor architecture that supports second-level address translation. Second-level address translation reduces the overhead incurred during the
virtual-to-physical address mapping process performed for virtual machines.
Hyper-V Manager is the primary tool for managing Client Hyper-V. It is a console based on Microsoft
Management Console (MMC). Hyper-V Manager provides complete access to Client Hyper-V functionality
in Windows 8.1. Windows Server 2012 R2 Hyper-V also uses Hyper-V Manager, so any experience in either
operating system will correspond directly to the other.
The other graphical tool that is installed with Client Hyper-V is the Virtual Machine Connection tool. You
can use the Virtual Machine Connection tool to connect to a virtual machine with an interface that is very
similar to Remote Desktop Protocol.
Note: Both Hyper-V Manager and the Virtual Machine Connection tool are installed if you
turn on the Hyper-V GUI Management Tools feature in Windows 8.1.
The Hyper-V module for the Windows PowerShell command-line interface enables you to manage Client
Hyper-V by using Windows PowerShell cmdlets. The Hyper-V module can be useful for scripting Client
Hyper-V management or managing remote Hyper-V installations.
Note: You can view the entire list of cmdlets that relate to Hyper-V by running the
Get-Command -Module Hyper-V cmdlet at a Windows PowerShell command prompt.
Question: What must you do to enable administration of Client Hyper-V by using Windows
PowerShell?
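The following script is an added example and is not part of the 20687D courseware. It checks the Client Hyper-V hardware requirements listed earlier (64-bit Windows, hardware-assisted virtualization enabled in firmware, second-level address translation, DEP and 4 GB of memory) through the Win32_Processor, Win32_OperatingSystem and Win32_ComputerSystem classes, and reports the state of the Hyper-V optional features, including the PowerShell management module. The optional feature names are the ones used by Enable-WindowsOptionalFeature; run the script elevated.

```powershell
# Added example (not part of the 20687D courseware). Checks the Client Hyper-V
# hardware requirements and the state of the Hyper-V optional features. Run
# elevated; the Win32_Processor virtualization properties and
# Win32_ComputerSystem.HypervisorPresent exist from Windows 8 onward.

function Get-ClientHyperVReadiness {
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem

    # Once a hypervisor is running, the host OS is itself a partition and the CPU
    # reports its virtualization extensions as unavailable; the hardware clearly
    # supports them in that case, so the three CPU checks are treated as passed.
    $hypervisorRunning = [bool]$cs.HypervisorPresent

    $checks = [ordered]@{
        '64-bit Windows'                       = ($os.OSArchitecture -like '64*')
        'Hardware virtualization (VT-x/AMD-V)' = ($hypervisorRunning -or [bool]$cpu.VMMonitorModeExtensions)
        'Virtualization enabled in firmware'   = ($hypervisorRunning -or [bool]$cpu.VirtualizationFirmwareEnabled)
        'Second-level address translation'     = ($hypervisorRunning -or [bool]$cpu.SecondLevelAddressTranslationExtensions)
        'Data Execution Prevention available'  = [bool]$os.DataExecutionPrevention_Available
        'At least 4 GB of physical memory'     = ([math]::Round($cs.TotalPhysicalMemory / 1GB) -ge 4)
    }

    $featureNames = 'Microsoft-Hyper-V-Hypervisor',
                    'Microsoft-Hyper-V-Management-Clients',
                    'Microsoft-Hyper-V-Management-PowerShell'
    $features = foreach ($name in $featureNames) {
        $f = Get-WindowsOptionalFeature -Online -FeatureName $name -ErrorAction SilentlyContinue
        [pscustomobject]@{ Feature = $name; State = $(if ($f) { [string]$f.State } else { 'Unknown' }) }
    }

    [pscustomobject]@{
        HypervisorRunning = $hypervisorRunning
        Checks            = $checks
        AllChecksPass     = -not ($checks.Values -contains $false)
        Features          = $features
    }
}

$ready = Get-ClientHyperVReadiness
$ready.Checks.GetEnumerator() | ForEach-Object { '{0,-40} {1}' -f $_.Key, $_.Value }
"All hardware checks pass: $($ready.AllChecksPass)"
$ready.Features | Format-Table -AutoSize

# When the hardware checks pass, the PowerShell module is turned on with:
# Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-Management-PowerShell
# After that, Get-Command -Module Hyper-V lists the available cmdlets.
```

The memory check rounds TotalPhysicalMemory because firmware reserves a little of the installed RAM, so a 4 GB computer reports slightly less than 4 GB.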
You can create several virtual machines, each with a different installed version of a Windows
operating system, to test a new app. For example, you could install Windows 8.1 on the first virtual
machine, Windows 7 on the second virtual machine, and Windows XP on the third virtual machine.
You can configure each virtual machine to your testing specifications and then revert the machines
after testing is complete so that the machines are immediately ready for the next testing task.
If you encounter problems with a virtual machine in Windows Server 2012 R2 in your production
Hyper-V environment, you can copy or export that virtual machine from the production environment,
import it into Client Hyper-V, perform the required troubleshooting, and then export it back into the
production environment.
With Client Hyper-V, you can use Hyper-V virtualization, wireless network adapters, and sleep states
on your desktop computer. For example, if you run Client Hyper-V on a laptop and close the lid, the
virtual machines that are running go into a saved state and resume when the machine wakes.
Virtual machine tools that are created for Hyper-V in Windows Server, such as Sysinternals Disk2VHD
tools, also work in Client Hyper-V.
Using virtual machine networking, you can create a multiple machine environment for test,
development, and demonstration. This environment is secure and does not affect a production
network.
You can use preconfigured virtual hard disks to test new Microsoft software. Microsoft.com hosts a
large number of ready-to-use virtual hard disk files that you can use with Hyper-V or Client Hyper-V.
After you import a file, virtual hard disks provide a functional test version of the specific product for
evaluation. With virtual hard disk files, there is no need to upgrade or configure operating systems, or
to download and install apps. The entire environment is ready to go in the virtual hard disk file the
first time you start the virtual machine.
Question: Can you run two virtual machines with the same name and TCP/IP network
settings in the same Client Hyper-V environment?
Lesson 2
You can use Client Hyper-V for creating and running virtual machines. You can create virtual machines
in several different ways. This lesson explains how you can create virtual machines by using Hyper-V
Manager and Windows PowerShell. This lesson also explores hardware components of the virtual
machine, explains the differences between Generation 1 and Generation 2 virtual machines, and describes
the process for creating and managing virtual machines in Client Hyper-V.
Lesson Objectives
After completing this lesson, you will be able to:
Hyper-V-specific devices. Client Hyper-V does not present synthetic components to the virtual
machine as actual hardware. It presents them to the operating system on the virtual machine as
a functionality that the device driver can use. Newer operating systems, such as Windows 8 and
Windows 8.1, support such functionality by default when running in virtual machines, and for other
operating systems, you need to install integration services to support them. Hyper-V-specific devices
are not available during startup, and you cannot start a virtual computer from them.
Creating a virtual machine in Hyper-V Manager is a wizard-based process that prompts you for necessary
information to create the virtual machine. When creating a virtual machine, you must specify several
virtual machine settings at the time of creation:
Virtual machine name. The name that you specify identifies the virtual machine in Hyper-V Manager
and is used in the naming of various virtual machine-related files.
Virtual machine location. By default, a virtual machine is created and located on a computer's system
drive. If your computer has multiple physical hard disks, you typically can increase the performance of
your virtual machine by placing it on a disk that is separate from the system disk. For computers with
solid-state drives (SSDs), this is not as effective.
Virtual machine generation. Before Client Hyper-V in Windows 8.1, Hyper-V only supported what
today is known as Generation 1 virtual machines. You now can create Generation 2 virtual machines,
which include support for secure boot and which can be started either from a SCSI virtual disk or by
using a network adapter. If you want to use a Generation 2 virtual machine, you must install at least
Windows Server 2012 or a 64-bit version of Windows 8 or newer to the virtual machine. After creating
a virtual machine, you cannot change its generation.
Memory. The amount of memory that you specify will be assigned to a virtual machine from the
available physical memory on your Windows 8.1 computer. You also can configure a virtual machine
to use Dynamic Memory.
Network connection. Your virtual machine can have one or more virtual network adapters. By default,
a new virtual machine is created with a single network adapter that can be connected to a virtual
switch. You can create a virtual switch that will connect virtual machines to an external network
through a physical network adapter, or you can create a self-contained virtual switch to provide an
isolated network environment. Alternatively, you might choose not to connect a virtual machine to
any virtual switch.
Virtual hard disk location. By default, a single virtual hard disk is created in the same directory that is
specified for the virtual machine location. You also might choose to use a preexisting virtual hard disk.
For example, many Microsoft products are available for trial purposes in preconfigured .vhd files.
Operating system installation media. Unless you are attaching a virtual hard disk that already has
an installed operating system, you will need to install an operating system on your virtual machine.
You can specify an .iso image CD/DVD file to use as installation media, or you can attach a physical
CD/DVD drive from the host machine to the virtual machine, and then install the operating system
from that media.
1. Open Hyper-V Manager from the Start screen by typing Hyper-V Manager, and then press Enter.
2. In Hyper-V Manager, in the Actions pane, click New, and then click Virtual Machine.
3.
4. On the Specify Name and Location page, in the Name field, type the name of your virtual machine.
Select where you want to store the virtual machine and its associated virtual hard disks, and then click
Next.
5. On the Specify Generation page, select if you want to create a Generation 1 or Generation 2
virtual machine, and then click Next.
6. On the Assign Memory page, in the Memory field, specify the amount of memory to assign the
virtual machine, select if you want to use Dynamic Memory, and then click Next.
7. On the Configure Networking page, in the Connection list, select the appropriate network switch,
and then click Next.
8. On the Connect Virtual Hard Disk page, create a new virtual hard disk or use an existing virtual hard
disk file that you have created already, and then click Next.
9. On the Installation Options page, select from where you want to install an operating system on the
virtual machine, and then click Next.
10. On the Completing the New Virtual Machine Wizard page, click Finish.
If you want to create a new virtual machine by using Windows PowerShell, you can run the New-VM
cmdlet. You should be aware that the New-VM cmdlet has a limited set of options, but you can modify
and customize a virtual machine after you create it. You can create a new virtual machine by performing
the following procedure:
1. On the Windows 8.1 computer, on the Start screen, type powershell, right-click Windows
PowerShell, and then select Run as administrator. Click Yes in the User Account Control dialog
box.
2. In the Administrator: Windows PowerShell window, run the following cmdlet to create a
Generation 1 virtual machine named Windows 8.1 with 4 GB of memory, with its files stored in the
C:\VMs folder, with a 100 GB virtual hard disk named Disk1.vhdx, and connected to a virtual switch
named Private:
New-VM -Name "Windows 8.1" -Generation 1 -MemoryStartupBytes 4GB -Path C:\VMs
-NewVHDPath "C:\VMs\Windows 8.1\Disk1.vhdx" -NewVHDSizeBytes 100GB -SwitchName Private
Question: Can you convert a Generation 1 virtual machine that has Windows Server 2012 R2
installed to a Generation 2 virtual machine?
Generation 1 virtual machines contain the components that are listed in the following table.
BIOS.
Memory.
Processor. Configures the number of processors that are available to a virtual machine, the
resource control, the processor compatibility settings, and the non-uniform memory access settings.
IDE controller. Connects IDE virtual disks and DVD to a virtual machine. Generation 1 virtual
machines have two IDE controllers. Devices that are connected to IDE controllers can be used to start
a virtual machine.
SCSI controller. Connects SCSI virtual disks to a virtual machine. SCSI controllers are synthetic,
which means that a Generation 1 virtual machine cannot start from a virtual disk that is connected to it.
Network adapter. Connects a virtual machine with a virtual switch. Network adapters are synthetic,
which means that Generation 1 virtual machines cannot use it for Pre-Boot Execution Environment (PXE)
boot.
Legacy network adapter. Connects a virtual machine with a virtual switch. Legacy network adapters are
emulated, which means that they are available during startup, and Generation 1 virtual machines can use
them for PXE.
Fibre Channel adapter.
COM port.
Diskette drive.
As part of the virtual machine settings, you also can configure management settings. In the Management
section, you can configure the components that are listed in the following table.
Name. Specify the name of a virtual machine and add comments about it.
Integration Services. Enable services that a Hyper-V host will offer to a virtual machine. To use any of
the services, Integration services must be installed and supported on the virtual machine operating
system.
Checkpoint File Location. Specify the folder in which checkpoint files for a virtual machine will be stored.
You can modify this location until the first checkpoint is created.
Smart Paging File Location. Specify the folder in which the Smart Paging file for a virtual machine will be
created, if necessary.
Automatic Start Action. Specify whether to start a virtual machine automatically after the Hyper-V host
restarts, and how long after Hyper-V is running to start it.
Automatic Stop Action. Specify the state in which to place a virtual machine when the Hyper-V host
shuts down.
Windows 8.1 and Windows Server 2012 R2 fully support the existing type of virtual machines, and
they provide support for the new type of virtual machines. Virtual machines that were created before
Windows 8.1 are automatically named as Generation 1 virtual machines, while newly created virtual
machines are called Generation 2 virtual machines. When you create a virtual machine in Windows 8.1,
you can decide if you want to create a Generation 1 or Generation 2 virtual machine. Generation 2 is built
on the assumption that operating systems are virtualization-aware. Generation 2 removes all legacy and
emulated virtual hardware devices and uses only synthetic devices. BIOS-based firmware is replaced with
advanced Unified Extensible Firmware Interface (UEFI) firmware that supports secure boot. Generation 2
virtual machines start from a SCSI controller or by using PXE from a network adapter. All legacy and
emulated devices are removed from Generation 2 virtual machines.
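As an added example (not from the course text), the following PowerShell script combines the New-VM step from the earlier procedure with the customizations that New-VM cannot set itself: Dynamic Memory, Secure Boot on a Generation 2 virtual machine, the Management settings from the table above, and network adapter guards. The folder, switch name, and .iso path are assumptions for a lab.

```powershell
# Added example: create a Generation 2 VM and apply the settings New-VM does not expose.
# C:\VMs, the switch name Private and the .iso path are assumptions for a lab environment.
#Requires -RunAsAdministrator
function New-LabVM {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [string] $VMPath     = 'C:\VMs',              # assumed VM location
        [string] $SwitchName = 'Private',             # switch named in the text
        [string] $IsoPath    = 'C:\ISO\Win81x64.iso', # assumed 64-bit install media (Gen 2 requires 64-bit)
        [uint64] $DiskSize   = 100GB
    )

    # Generation cannot be changed after creation, so it is decided here.
    New-VM -Name $Name -Generation 2 -MemoryStartupBytes 2GB -Path $VMPath `
           -NewVHDPath (Join-Path $VMPath "$Name\Disk1.vhdx") `
           -NewVHDSizeBytes $DiskSize -SwitchName $SwitchName | Out-Null

    # Dynamic Memory: 1 GB floor, 2 GB at startup, 4 GB ceiling.
    Set-VMMemory -VMName $Name -DynamicMemoryEnabled $true `
                 -MinimumBytes 1GB -StartupBytes 2GB -MaximumBytes 4GB
    Set-VMProcessor -VMName $Name -Count 2

    # Generation 2 UEFI firmware: keep Secure Boot on so only signed boot loaders run.
    Set-VMFirmware -VMName $Name -EnableSecureBoot On

    # Generation 2 has no IDE controller; the DVD drive attaches to the SCSI controller,
    # and the firmware is told to start from it for the operating system installation.
    $dvd = Add-VMDvdDrive -VMName $Name -Path $IsoPath -Passthru
    Set-VMFirmware -VMName $Name -FirstBootDevice $dvd

    # Network adapter guards: the guest may not forge MAC addresses or act as a
    # DHCP server or router toward other virtual machines on the switch.
    Set-VMNetworkAdapter -VMName $Name -MacAddressSpoofing Off -DhcpGuard On -RouterGuard On

    # Management settings from the table. The checkpoint and Smart Paging locations
    # can only be changed while the VM has no checkpoints, so set them now.
    Set-VM -VMName $Name `
           -AutomaticStartAction Nothing `
           -AutomaticStopAction ShutDown `
           -SnapshotFileLocation (Join-Path $VMPath "$Name\Checkpoints") `
           -SmartPagingFilePath (Join-Path $VMPath "$Name\SmartPaging") `
           -Notes "Lab VM created $(Get-Date -Format s)"

    # Integration services are offered per VM on the host side; the guest must still
    # have them installed (built in on Windows 8 and later).
    Enable-VMIntegrationService -VMName $Name -Name 'Guest Service Interface'

    Get-VM -Name $Name | Select-Object Name, Generation, State, MemoryStartup, DynamicMemoryEnabled
}

New-LabVM -Name 'Lab-Win81'   # assumed VM name
```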
Question: Can you modify virtual machine memory settings while a virtual machine is
running?
Off. A virtual machine that is stopped does not consume any resources on the host machine, and it
exists in a state similar to a physical computer that is powered off.
Starting. When a virtual machine is first started, it remains in the starting state for a brief moment,
during which required resources are checked and assigned to the virtual machine. After this check
and assignment occurs, the starting state changes.
Running. A virtual machine is in its normal operable state when Running is displayed. A running
virtual machine responds to keyboard and mouse input and shows whatever information is being
sent to the virtual machine's display adapter when you are connected to the virtual machine.
Paused. When a virtual machine is paused, it still maintains its allocation of host-computer resources,
but it places the virtual machine's operating system in a temporary sleep state.
Saved. When a virtual machine is in the saved state, its current operating state is saved to the hard
disk, and it stops consuming host computer resources until you start it and place it into a running
state. When a Client Hyper-V computer that supports hibernate and sleep modes enters one of these
modes, virtual machines that are running will enter the saved state.
When you connect to a virtual machine, the Enhanced Session Mode is used by default in Client Hyper-V
on Windows 8.1. Enhanced Session Mode uses the Remote Desktop Services (RDS) component in virtual
machines and establishes a full Remote Desktop session to a virtual machine. This means that local
resources such as smart cards, printers, drives, USB devices, or any other supported Plug and Play devices
can redirect to virtual machines. You also can use a shared Clipboard for copying content to virtual
machines, or even copy files to virtual machines, even if the virtual machine does not have network
connectivity. Enhanced Session Mode is available only if you connect to virtual machines that are running
Windows 8.1 or Windows Server 2012 R2. RDS must be running on the virtual machine, and the user
account that is used to log on to the virtual machine must be a member of the Remote Desktop Users
local group.
You can export and import virtual machines between computers that are running Client Hyper-V
or Hyper-V in Windows Server 2012 R2. Exporting and importing virtual machines enables multiple
troubleshooting and testing scenarios that might be impossible in a physical computing environment.
When you export a virtual machine, this exports all components that comprise the virtual machine to the
path that you specify. There are four parts to each exported virtual machine:
The Virtual Machines folder contains an .exp file that contains the GUID of the exported file.
The Virtual Hard Disks folder contains copies of each virtual hard disk that is associated with the
virtual machine. If the virtual hard disk is a differencing virtual hard disk, all base images that are
associated with the virtual hard disk will be copied to the export folder.
The Snapshots folder contains a file with an .exp extension for each checkpoint of the virtual machine.
When you import a virtual machine, Client Hyper-V reads the configuration file (Config.xml) and then
creates a virtual machine by using the configuration information. As part of the import process, Hyper-V
deletes all of the .exp files, which prevents importing the virtual machine a second time, and then replaces
them with XML files. When you import a virtual machine, you have the following options:
Register the virtual machine in-place or Register the virtual machine. When you select either of these
options, Client Hyper-V creates a virtual machine that uses the same unique identifier (ID) as the
exported virtual machine.
Copy the virtual machine. When you select this option, Client Hyper-V copies the virtual machine and
replaces the unique ID for the virtual machine with a new ID.
Windows 8.1 enhances the process of importing a virtual machine considerably, and the export process is
no longer required. You can simply copy virtual machine data files between Client Hyper-V computers
and then run the Import Virtual Machine Wizard on the destination Windows 8.1 computer to
import virtual machines. The Import Virtual Machine Wizard detects and fixes more than 40 types of
incompatibilities between Client Hyper-V environments. It prompts you to provide missing information,
such as the location of a parent virtual hard disk or a virtual switch to which the virtual machine should be
connected, when the appropriate virtual switch is not available.
Question: Why would you rather import a virtual machine into Client Hyper-V than create a
new virtual machine and configure it to use existing virtual hard disks?
Question: Can you use Enhanced Session Mode to start a virtual machine from a USB
device?
Lesson 3
Just as physical computers store data on physical hard disks, virtual machines store data on virtual hard
disks, which are actually files that reside on physical hard disks. There are different types of virtual hard
disks available, and this lesson explains the differences between the various types. Virtual hard disks can
be in one of two formats: .vhd and .vhdx. Windows 8.1 also can mount virtual hard disks and access their
content from physical computers.
Lesson Objectives
After completing this lesson, you will be able to:
IDE controllers are available only in Generation 1 virtual machines. Each virtual machine has two IDE
controllers and can have up to two devices, hard drives or DVD drives, attached to each controller.
While a virtual machine is running, you cannot add devices to or remove devices from an IDE
controller.
SCSI controllers are available in all virtual machines. Generation 1 virtual machines can use a SCSI
controller only as a data disk, whereas Generation 2 virtual machines start from SCSI controller
attached disks or DVD drives.
A SCSI controller is synthetic, and you can add disks to or remove disks from a SCSI controller while
a virtual machine is running. A virtual machine can have up to four SCSI controllers, and each SCSI
controller supports up to 64 devices, which means that each virtual machine can have as many as 256
virtual SCSI disks.
You can use different hard disk types, such as fixed size, dynamically expanding, differencing, and
attached physical disks (pass-through disks), with both controller types.
A virtual machine uses storage controllers for accessing storage. The type of storage controller that a
virtual machine uses does not have to be the same type that Client Hyper-V is using. For example, a
Windows 8.1 computer can have only physical SCSI storage, but you can configure virtual machines
with IDE controllers and use IDE-attached virtual hard disks that are stored on the SCSI storage of the
Windows 8.1 computer.
You can store virtual machine virtual hard disks locally on a Windows 8.1 computer, on Server Message
Block (SMB) 3.0 file shares, or on a storage area network (SAN) logical unit number (LUN).
.vhd. This format supports virtual hard disks up to 2,048 GB in size. This format has been available
since Microsoft Virtual Server 2005 was released, which means that you can use the .vhd format with
older versions of Hyper-V and with traditional Microsoft virtualization products such as Windows
Virtual PC.
.vhdx. This format supports virtual hard disks up to 64 TB in size. This format has been available
since Windows 8 and Windows Server 2012 and is not compatible with older versions of Hyper-V.
Experience with the .vhd format guides .vhdx format improvements. The .vhdx format provides better
data corruption protection and optimizes structural alignments on large sector physical disks.
When you compare the .vhd and .vhdx formats, the .vhdx format provides the following benefits:
Protection against data corruption by logging updates to .vhdx metadata structures, which can be
especially important during power failures.
Ability to store custom metadata about a file, such as which operating system is installed in .vhdx, or
which patches are applied to it.
Improved alignment of the virtual hard disk format to work better with large sector disks.
Larger block sizes for dynamic and differential disks, which improves their performance.
4 kilobytes (KB) logical sector virtual disk, which increases performance when used by applications
that are designed for 4-KB sectors.
Efficiency in data representation, which results in smaller file size so that an underlying physical
storage device can reclaim unused space (trim operation).
You can create three types of virtual hard disks: fixed size, dynamically expanding, and differencing. After
you create a virtual hard disk, you can edit it and change its format. When selecting a virtual hard disk
format, you should be aware of the following factors:
Fixed size. When you create a fixed-size virtual hard disk, Client Hyper-V allocates space for the entire
virtual hard disk. For example, if you create a 100-GB fixed-size virtual hard disk, Client Hyper-V
creates a 100-GB file, even when it does not include any data. Creation of large fixed-size virtual hard
disks can take significant time because Client Hyper-V has to create the file to the entire specified size
and fill its content with zero values. The size of a fixed-size virtual hard disk does not change, because
Client Hyper-V allocates all of the storage space when it creates the virtual hard disk. You cannot
create fixed-size virtual hard disks that require more space than is available on a physical disk. Fixed-size
virtual hard disks are larger than dynamically expanding virtual hard disks, and as such, moving
them can be more time-consuming.
Dynamically expanding. When you create a dynamically expanding virtual hard disk, Client Hyper-V
only creates a small file. That file then grows as you write data to the virtual hard disk until it reaches
its fully allocated size. The size of the dynamically expanding disk only grows. It does not shrink, even
if you delete data. For example, if you create a 100-GB dynamically expanding virtual hard disk, Client
Hyper-V creates a file that is only a few megabytes in size. When you write to that virtual hard disk
file, it will grow; however, when you delete information from the virtual hard disk, it will not shrink.
When you start using a dynamically expanding virtual hard disk, such as formatting partitions and
installing an operating system on it, the virtual hard disk will start growing until it reaches its
maximum size of 100 GB. Client Hyper-V creates the dynamically expanding virtual hard disk much
faster because it does not allocate all the space at once. However, when you add data to a virtual
hard disk, it might fragment in the same way that any file would on a volume. You can create
dynamically expanding virtual hard disks that would require more space on a physical disk than is
currently available. Dynamically expanding virtual hard disks are smaller than other virtual hard disk
types until their maximum size is reached.
Differencing. A differencing virtual hard disk always links to another virtual hard disk in a parent/child
relationship. It cannot exist on its own. The parent virtual hard disk can be fixed-size or dynamically
expanding, but as soon as it becomes a parent disk for a differencing virtual hard disk, you cannot
write to it, so it will neither grow nor shrink. A differencing virtual hard disk is always dynamically
expanding. You also can chain differencing virtual hard disks, as long as all base (parent) disks are not
written to. In this scenario, one differencing virtual hard disk uses another differencing virtual hard
disk as a base disk. The differencing virtual hard disk stores changes for the parent disk and provides
a way to isolate changes without altering the parent disk. When you use a differencing virtual hard
disk, you can access all the data from the parent disk, and changes you make are written only to the
differencing virtual hard disk, not to the parent disk. In other words, reads for modified data are
served from the differencing virtual hard disk, and reads of all other data are served from the parent
virtual hard disk. Metadata is used in both cases to determine from where data should be read, which
results in differencing virtual hard disks having slower performance than fixed-size or dynamically
expanding virtual hard disks. Differencing virtual hard disks must use the same format as the parent
disk, either .vhd or .vhdx. You cannot specify a size for a differencing virtual hard disk. Differencing
virtual hard disks can grow as large as the parent disk size limit. However, unlike dynamically
expanding disks, you cannot compact differencing virtual hard disks directly. You can compact a
differencing virtual hard disk only after it merges with its parent disk.
Note: Using differencing virtual hard disks can be beneficial in some scenarios. For
example, you could use as a parent a virtual hard disk that has a clean installation of the
Windows 8.1 operating system, and you could use a new differencing virtual hard disk as a
virtual machine hard disk. You could even create multiple differencing virtual hard disks for
multiple virtual machines that would use the same Windows 8.1 virtual disk as their parent disk.
Question: Is there any difference between connecting a virtual hard disk to a virtual machine
by using an IDE or SCSI virtual controller?
Question: Can Client Hyper-V allocate more storage space to a differencing virtual hard disk
than to the parent disk to which it links?
Use hard drives that are at least 10,000 revolutions per minute (RPM).
Consider using a SAN for virtual machine storage. SANs provide several benefits, such as high
performance and high availability. Also, you can assign additional space for virtual machines as long
as the SAN has storage available.
Client Hyper-V enables you to run virtual machines that use virtual hard disks that are stored locally
or on SMB 3.0 shares.
Internet SCSI (iSCSI) SANs can provide relatively inexpensive storage for virtual machines. Using iSCSI
also enables you to configure virtual machines with direct access to storage.
Configure antivirus software on Windows 8.1 physical computers to exclude all .vhd, .avhd, .vfd, .vsv,
and .xml files that are stored on hard drives that are hosting virtual machines. Alternatively, you can
use virtualization-aware antivirus software.
You can create a virtual hard disk while you are creating a virtual machine or outside of the New Virtual
Machine Wizard. If you create a virtual hard disk as a separate task, it is not attached to a virtual machine,
and you must add it to a virtual IDE or a virtual SCSI controller before you can use it on a virtual machine.
You can create a new virtual hard disk in Hyper-V Manager or by using Windows PowerShell.
1. On the Windows 8.1 computer, in Hyper-V Manager, in the Actions pane, click New, and then click
Hard Disk.
2.
3. On the Choose Disk Type page, select a virtual disk type (for example, Dynamically expanding),
and then click Next.
4. On the Specify Name and Location page, in the Name field, type the name of the virtual hard disk
file, and in the Location field, type an appropriate location, and then click Next.
5. On the Configure Disk page, do not change the default values, and then click Next.
6. On the Completing the New Virtual Disk Wizard page, click Finish.
1. On the Windows 8.1 computer, on the Start screen, type powershell, right-click Windows
PowerShell, and then select Run as administrator. Click Yes in the User Account Control dialog
box.
2. In the Administrator: Windows PowerShell window, run the following cmdlet to create a 100-GB
dynamically expanding virtual hard disk named Dynamic.vhdx in the C:\VHDs folder:
New-VHD -Path C:\VHDs\Dynamic.vhdx -SizeBytes 100GB -Dynamic
3. Run the following cmdlet to add the virtual hard disk to a SCSI controller in the virtual machine named
Windows 8.1:
Add-VMHardDiskDrive -VMName "Windows 8.1" -ControllerType SCSI -Path C:\VHDs\Dynamic.vhdx
In older versions of Hyper-V, virtual machines used virtual hard disks exclusively. Therefore, while one
virtual machine was using a virtual hard disk, another virtual machine could not use the same virtual hard
disk. In Client Hyper-V in Windows 8.1, you can share virtual hard disks between multiple virtual machines.
This can be especially useful when you configure failover clustering in virtual machines. You can enable
virtual hard disk sharing only for .vhdx files that are connected to a virtual SCSI controller. You cannot use
virtual hard disk sharing for .vhd files that are connected to a virtual IDE controller. You can enable virtual
hard disk sharing only if the shared .vhdx is stored on a failover cluster.
In older versions of Hyper-V, it was not possible to limit I/O operations per second per virtual machine.
If a virtual machine had an application that was storage-intensive, and with a large number of read
and write operations to the storage, the virtual machine could monopolize Hyper-V, and other virtual
machines could have slower access to storage. In Windows 8.1, Client Hyper-V includes an option to
configure QoS parameters when virtual machines access storage so that you can provide enough I/O
operations per second to each virtual machine. You can configure the storage QoS for each virtual hard
disk. By specifying the maximum I/O operations per second value on advanced features of a virtual hard
disk, you can balance and throttle storage I/O between virtual machines. This prevents a virtual machine
from consuming excessive storage I/O operations, which could affect other virtual machines.
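The differencing-disk scenario from the Note earlier in this lesson, the New-VHD and Add-VMHardDiskDrive steps, and the per-disk storage QoS setting, combined into one added PowerShell example (not from the course text). The C:\VHDs folder, the parent image name, and the virtual machine names are assumptions.

```powershell
# Added example: one read-only parent .vhdx, a differencing child per lab VM, each
# attached to a SCSI controller with a maximum IOPS cap. Paths and names are assumptions.
#Requires -RunAsAdministrator
$VhdRoot    = 'C:\VHDs'                              # assumed folder from the procedure above
$ParentPath = Join-Path $VhdRoot 'Win81-Base.vhdx'   # assumed: a prepared clean-install image

# A differencing chain stays valid only while the parent is never written to again.
# Require the parent to exist, then mark the file read-only as a guard against
# accidentally attaching it to a virtual machine as an ordinary disk.
if (-not (Test-Path $ParentPath)) {
    throw "Prepare the parent image at $ParentPath before creating differencing disks."
}
Set-ItemProperty -Path $ParentPath -Name IsReadOnly -Value $true

function New-LabDiffDisk {
    param(
        [Parameter(Mandatory)] [string] $VMName,
        [uint64] $MaximumIOPS = 500    # storage QoS cap so one VM cannot starve the others
    )
    $childPath = Join-Path $VhdRoot "$VMName-Diff.vhdx"

    # A differencing disk inherits format (.vhdx) and size from its parent;
    # -SizeBytes cannot be given, as the text describes.
    New-VHD -Path $childPath -ParentPath $ParentPath -Differencing | Out-Null

    # Verify the chain before handing the disk to a virtual machine.
    $vhd = Get-VHD -Path $childPath
    if ($vhd.VhdType -ne 'Differencing' -or $vhd.ParentPath -ne $ParentPath) {
        throw "Unexpected layout for $childPath (type $($vhd.VhdType), parent $($vhd.ParentPath))"
    }

    # SCSI disks can be added while the VM runs; the IOPS limit applies per virtual hard disk.
    Add-VMHardDiskDrive -VMName $VMName -ControllerType SCSI -Path $childPath -Passthru |
        Set-VMHardDiskDrive -MaximumIOPS $MaximumIOPS

    # Footprint on the host versus the size the guest sees.
    [pscustomobject]@{
        VM        = $VMName
        Disk      = $childPath
        Type      = $vhd.VhdType
        VirtualGB = [math]::Round($vhd.Size / 1GB, 1)
        FileMB    = [math]::Round($vhd.FileSize / 1MB, 1)
        MaxIOPS   = $MaximumIOPS
    }
}

# Several virtual machines sharing one parent, as in the Note (VM names assumed).
'Lab-Client1', 'Lab-Client2' | ForEach-Object { New-LabDiffDisk -VMName $_ } | Format-Table -AutoSize
```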
Question: When would you use shared virtual hard disks?
such as virtual hard disks, configuration, checkpoints, and Smart Paging to different locations while a
virtual machine is running. For example, after you create the first checkpoint for a virtual machine, you
cannot modify the checkpoint file location setting unless you delete all virtual machine checkpoints or use
storage migration.
You can perform storage migration by using the following procedure:
1. Before migration starts, all virtual machine read and write operations are performed at the source
virtual hard disk.
2. When storage migration starts, virtual hard disk content is copied over the network to the destination,
while all the read and write operations are still performed on the source virtual hard disk.
3. After the initial copy is complete, write operations for the virtual hard disks mirror to both the source
and destination virtual hard disks.
4. After the source and destination virtual hard disks synchronize completely, the virtual machine
switches over and starts using the destination virtual hard disk.
5.
Storage migration is only supported for virtual hard disks, current virtual machine configurations,
checkpoints, and Smart Paging files. When you migrate virtual machine storage, you can move all the
data files to the same location or to different locations. During this storage migration process, the virtual
machine continues to run on the same Windows 8.1 computer with the Client Hyper-V feature.
Note: Use the Storage Migrations setting in Hyper-V Settings to specify how many storage migrations
you can perform simultaneously. By default, two simultaneous storage migrations are configured,
but you can increase this number.
When you move virtual machine storage, you have the option to move all virtual machine data to a
single location, to move the virtual machine data to different locations, or to move only virtual machine
virtual hard disks. If you choose to move virtual machine data to different locations, you can specify a
new location for each of the virtual machine data items, which includes virtual hard disks, current
configurations, checkpoints, and Smart Paging files. You can move virtual machine storage to other
folders on the same Hyper-V host or to an SMB 3.0 share. You then can complete the Move Wizard and
perform the move. For example, you can use the Move Wizard to modify the checkpoint file location
when a virtual machine already has checkpoints.
Note: In Hyper-V in Windows Server 2012 and Windows Server 2012 R2, you can move a
virtual machine between Hyper-V hosts while it is running. Client Hyper-V does not support this
feature, and you can move the virtual machine storage only, not the virtual machine itself.
Question: Can you use storage migration to move only virtual hard disks?
Question: Do you need to be a local administrator to use the Move Wizard?
Lesson 4
Managing Checkpoints
Checkpoints are a Hyper-V feature that you can use to create a point-in-time snapshot of a virtual
machine and then revert to it if needed. In previous versions of Hyper-V, this feature was called Snapshots,
and you can still see references to Snapshots in Windows 8.1. The primary benefit of checkpoints in Client
Hyper-V is that you can use them to create hierarchies of changes, and then you can revert to them at any
time. Checkpoints can be quite useful in some scenarios, such as when testing Windows operating system
updates. However, you must use checkpoints carefully to avoid issues, especially when reverting virtual
machines in distributed environments such as Active Directory Domain Services (AD DS). This lesson
describes how to create and work with virtual machine checkpoints.
Lesson Objectives
After completing this lesson, you will be able to:
Checkpoints can be useful when you need to revert virtual machines to an earlier state. You can undo
all the changes that took place after a specified state, such as the changes that occurred during testing,
development, or in a training environment. Conversely, checkpoints in production environments can
cause serious issues, such as the loss of user data.
Creating Checkpoints
When you create a checkpoint, the result is always the same, irrespective of the method you choose.
After you create a checkpoint, you should not modify its files on a disk directly because this could cause
problems with the checkpoint or even with the running virtual machine. You can create checkpoints by
using one of the following procedures:
In Hyper-V Manager, you can right-click a virtual machine, and then click Checkpoint (or in the
Action pane, click Checkpoint).
You can use Virtual Machine Connection by clicking Checkpoint in the Action menu, or by using the
Checkpoint-VM Windows PowerShell cmdlet.
Factors to Consider
When you are considering checkpoints, you should be aware of the following factors:
When you create a checkpoint of a virtual machine, the virtual machine is configured with a
differencing virtual hard disk even if it used a fixed-size virtual hard disk before. Differencing virtual
hard disks might perform slower than normal disks because the two files (base and differencing) need
to be read from.
Checkpoints require additional storage space. If you create a checkpoint of a running virtual machine,
it also contains a virtual machine memory snapshot. Creating multiple checkpoints can use up a large
amount of storage space.
Although you can use checkpoints to revert a virtual machine to an earlier point in time, you should
not consider them backups. Even if you use checkpoints, you should still make regular backups.
If you no longer need a checkpoint, you should delete it immediately. However, this can cause
merging of differencing virtual hard disks. In Windows 8.1, the merging process happens
asynchronously in the background while the virtual machine is running.
A virtual machine is limited to 50 checkpoints. The actual number of checkpoints might be fewer and
depends on the available storage.
Question: Which checkpoint requires more space: a checkpoint of a running virtual machine,
or a checkpoint of a virtual machine that is turned off?
Creating Checkpoints
When you create a checkpoint, Client Hyper-V performs the following procedure in the background:
1.
2. For each virtual hard disk that the virtual machine is using, Client Hyper-V creates a differencing
virtual hard disk, configures it to use the virtual machine's virtual hard disk as a parent, and then
updates virtual machine settings to use the created differencing virtual hard disk.
3.
4.
5.
Because a virtual machine is paused before a checkpoint is created, you cannot create a checkpoint of a
virtual machine that is in a paused state. As the virtual machine resumes, while the memory is saving to
the disk, Client Hyper-V intercepts memory changes that have not yet been written to the disk, writes the
memory pages to the disk, and then modifies the virtual machine memory. Creating a checkpoint can take
considerable time, depending on the virtual machine memory, physical disk speed, and what is running
on the virtual machine. However, the process of checkpoint creation is transparent, and a virtual machine
does not experience any outage.
Client Hyper-V creates a saved state file and a memory content file for a virtual machine only if a
checkpoint is created while the virtual machine is running, and not if the virtual machine is turned off.
The location of virtual machine checkpoint files is configured for each virtual machine, and by default, it is
the same location where the virtual machine configuration is stored. When you create the first checkpoint,
Client Hyper-V creates a Snapshots subfolder and stores checkpoint files there. You can modify the
location of the checkpoint files only until the first checkpoint is created. After this, the checkpoint file
location setting is read-only. You can modify this setting only after deleting all checkpoints, or by using
the Move Wizard.
Using Checkpoints
When you select a checkpoint, you have the following options available in the Actions pane:
Settings. This option opens the virtual machine settings that were in effect at the moment
the checkpoint was created. All of the settings are read-only because you cannot change the
configuration that was used in the past. The only settings that you can modify are the checkpoint
name and the notes associated with the checkpoint.
Apply. This option applies a checkpoint to a virtual machine, which means that you want to return the
virtual machine to its exact historical state. When you apply a checkpoint, any change in the virtual
machine since the last checkpoint was made is lost. Before applying a checkpoint, Client Hyper-V
prompts you to create a new checkpoint to avoid possible data loss.
Export. This option exports a virtual machine checkpoint, which creates an exact copy of the virtual
machine at the moment in which you created the checkpoint.
Rename. This option renames a checkpoint to provide better information about the state of a virtual
machine when you created the checkpoint. The checkpoint name is independent of the checkpoint
content, and by default, it contains the date and time of checkpoint creation.
Delete Checkpoint. This option deletes a checkpoint if you no longer want to be able to revert a
virtual machine to the state it was in when you created the checkpoint.
Delete Checkpoint Subtree. This option deletes the selected checkpoint and any checkpoints that
originate from it. Checkpoints that originate from it are listed below it in the Checkpoint pane.
When you right-click a virtual machine with at least one checkpoint, you also can click the Revert option.
This returns a virtual machine to the last checkpoint.
Question: Can you modify the configuration of a virtual machine checkpoint if you created
that checkpoint when the virtual machine was turned off?
Question: How are multiple branches created in a checkpoint tree?
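As an added example (not code from the course), the checkpoint operations of the two preceding topics done from Windows PowerShell on the host, with a look at the differencing-disk chain that each checkpoint adds. It assumes a virtual machine named LON-VM1 on the local host; the folder paths and the warning threshold are constructed.

```powershell
# Added example, not from the course text: checkpoint handling for a Client Hyper-V
# virtual machine with the Hyper-V PowerShell module, plus what each checkpoint costs on disk.
# Assumes a VM named LON-VM1 on the local host; folder paths are constructed values.
#Requires -Modules Hyper-V

$VMName = 'LON-VM1'

function Get-VhdChain {
    # Walks from the disk the VM currently writes to back through every differencing
    # parent to the base disk, reporting type, allocated file size and nominal size.
    param([Parameter(Mandatory)][string]$VMName)
    foreach ($drive in Get-VMHardDiskDrive -VMName $VMName) {
        $path = $drive.Path
        while ($path) {
            $vhd = Get-VHD -Path $path
            [pscustomobject]@{
                Path       = $vhd.Path
                Type       = $vhd.VhdType                        # Fixed, Dynamic or Differencing
                FileSizeMB = [math]::Round($vhd.FileSize / 1MB)  # space actually used on the host
                SizeGB     = [math]::Round($vhd.Size / 1GB)      # size the guest sees
            }
            $path = $vhd.ParentPath                              # $null once the base disk is reached
        }
    }
}

# The checkpoint file location can only be changed while the VM has no checkpoints;
# afterwards the setting is read-only, as described above.
if (-not (Get-VMSnapshot -VMName $VMName)) {
    Set-VM -Name $VMName -SnapshotFileLocation 'C:\VM\Checkpoints'
}
'Checkpoint files go to: ' + (Get-VM -Name $VMName).SnapshotFileLocation

# A checkpoint of a running VM also captures its memory, so it is the larger kind.
Checkpoint-VM -Name $VMName -SnapshotName ('Before app test ' + (Get-Date -Format s))

# Each checkpoint adds one differencing disk per virtual hard disk; the chain shows the cost.
Get-VhdChain -VMName $VMName | Format-Table -AutoSize

# Hyper-V allows at most 50 checkpoints per VM; warn well before that (40 is an arbitrary choice).
$snapshots = @(Get-VMSnapshot -VMName $VMName)
if ($snapshots.Count -ge 40) {
    Write-Warning "$VMName has $($snapshots.Count) checkpoints; the limit is 50."
}

# Applying a checkpoint discards every change made since it. Hyper-V Manager offers a
# safety checkpoint first; a script has to take that precaution itself.
$oldest = $snapshots | Sort-Object CreationTime | Select-Object -First 1
Checkpoint-VM -Name $VMName -SnapshotName 'Safety before apply'
Restore-VMSnapshot -VMName $VMName -Name $oldest.Name -Confirm:$false

# Export keeps a full copy of the VM as it was at the checkpoint. Remove-VMSnapshot
# merges the differencing disks back into their parents in the background while the VM runs.
Export-VMSnapshot -VMName $VMName -Name $oldest.Name -Path 'C:\VM\Exports'
Remove-VMSnapshot -VMName $VMName -Name 'Safety before apply' -IncludeAllChildSnapshots -Confirm:$false
Get-VhdChain -VMName $VMName | Format-Table -AutoSize
```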
Applications that use clock vector synchronization. Applying a checkpoint to a virtual machine
can corrupt applications that use clock vector synchronization. Examples of such applications are
AD DS, Distributed File System (DFS) Replication, and Microsoft SQL Server replication. For these
applications to work, each member of a replica set must maintain a monotonically increasing logical
clock. When you apply a checkpoint, it reverts the logical clock on the virtual machine, causing clock
values to associate to different transactions. As a result, members of the replica set will not converge
to the same state, thereby causing data corruption.
Before using checkpoints in your Hyper-V environment, you should consider the following:
Checkpoints can be very useful for testing applications or deployments, but they typically are not
used regularly in a production environment. Using checkpoints might cause significant problems with
applications or services that are time sensitive or that use data replication, such as Microsoft Exchange
Server or SQL Server.
Checkpoints are not a replacement for a consistent backup strategy. However, you can use
checkpoints in scenarios such as operating system upgrades and other tasks where you might want
to revert to the original state of a virtual machine should the task fail.
Hyper-V virtual machine checkpoints have multiple uses in your network, predominantly in a test lab.
You can use checkpoints in a lab environment for testing a new deployment. When creating a new
server, you can use a checkpoint for each phase of the server's creation. In a training environment, you
can use checkpoints to revert a server to the previous lab.
If you are going to use checkpoints for testing or training, the primary consideration is hard drive
space. Checkpoints can use a large amount of hard drive space because each checkpoint creates a
new differencing virtual hard disk.
Note: Client Hyper-V in Windows 8.1 projects a unique value that is named Generation
ID into a virtual machine through an emulated BIOS device that is named Microsoft Hyper-V
Generation Counter. The Generation ID changes each time you apply a checkpoint, which
enables an operating system in a virtual machine to detect that the checkpoint was applied.
Virtual Machine Generation ID
http://go.microsoft.com/fwlink/?LinkId=260709
Question: Can you prevent checkpoint creation from inside a virtual machine?
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 15 minutes
Virtual machine: 20687D-LON-CL5
User name: Admin
Password: Pa$$w0rd
To perform this lab, you must start the host computer to 20687D-LON-CL5. To do this, restart the host
computer and choose 20687D-LON-CL5 from the Start menu. Sign in as Admin with password
Pa$$w0rd.
You have been asked to turn on the Hyper-V feature on LON-CL5, a stand-alone Windows 8.1 computer
in the IT department. To ensure that the IT department has access to all options in the virtual
environment, you have been asked to install all of the management tools available for Client Hyper-V.
The main tasks for this exercise are as follows:
1. On LON-CL5, verify that no program that contains the word Hyper-V is installed.
2. Use the Get-Command cmdlet to verify that no cmdlets from the Hyper-V module are currently
available.
3. Use the Windows Features window to turn the Hyper-V feature on.
4. Restart the computer, and then select 20687D-LON-CL5 when prompted during startup to choose
an operating system.
7. Use the Get-Command cmdlet to verify that many cmdlets from the Hyper-V module are available.
Results: After completing this exercise, you should have installed the Client Hyper-V feature.
You have been asked to create a virtual network and virtual machine to accommodate app testing, and to
demonstrate the Client Hyper-V environment to the application testing team. The virtual network and
virtual machine should adhere to the following specifications.
Virtual network:
Virtual machine:
1. On LON-CL5, use Hyper-V Manager to create a new virtual hard disk with the following settings:
   o Format: VHDX
   o Name: Dynamic.vhdx
   o Location: C:\VM
   o Size: 100 GB
2. Use Hyper-V Manager to create a new virtual hard disk with the following settings:
   o Format: VHD
   o Type: Differencing
   o Name: Differencing.vhd
   o Location: C:\VM
3. In Windows PowerShell, use the New-VHD cmdlet to create a new virtual hard disk with the
following settings:
   o Path: C:\VM\Fixed.vhdx
   o Size: 1 GB
4. In File Explorer, browse to the C:\VM folder, and then confirm that Fixed.vhdx allocates 1 GB of disk
space, while Dynamic.vhdx and Differencing.vhd allocate much less disk space.
1. On LON-CL5, use Hyper-V Manager to create a new virtual machine with the following settings:
   o Name: LON-VM2
   o Generation: Generation 2
2. Use the Windows PowerShell cmdlet New-VM to create a new virtual machine with the following
settings:
   o Name: LON-VM1
   o Generation: Generation 1
   o Startup Memory: 1 GB
3. Verify that you can start and connect to the LON-VM1 virtual machine.
Results: After completing this exercise, you should have created a virtual network and a virtual machine in
Client Hyper-V.
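As an added example (not part of the lab), the checks of Exercise 1 and the disks and virtual machines of Exercise 2 done from Windows PowerShell on the host. Disk names, sizes and VM names are the lab's own values; the virtual switch name, the parent disk for Differencing.vhd and the disk size for LON-VM2 are not given in the lab and are assumptions here.

```powershell
# Added example, not part of the lab: Exercise 1's checks and Exercise 2's disks and VMs
# done from Windows PowerShell on the host (LON-CL5). The switch name 'AppTest', the parent
# disk Base.vhd and the 40 GB disk for LON-VM2 are assumptions not stated in the lab.
#Requires -RunAsAdministrator

# Exercise 1: is Client Hyper-V turned on, and are its cmdlets available?
$feature = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All
if ($feature.State -ne 'Enabled') {
    # Equivalent to ticking Hyper-V in Windows Features; the host must restart afterwards.
    Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All -All -NoRestart | Out-Null
    Write-Warning 'Hyper-V was turned on; restart LON-CL5 and run this script again.'
    return
}
$hyperVCmdlets = @(Get-Command -Module Hyper-V)
"Hyper-V module: $($hyperVCmdlets.Count) commands available"

# Exercise 2, virtual network: a private switch reaches neither the host nor the physical
# network, which is the right default for VMs that run untrusted test apps.
if (-not (Get-VMSwitch -Name 'AppTest' -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name 'AppTest' -SwitchType Private | Out-Null
}

# Exercise 2, virtual hard disks: one of each type, as in the lab.
New-Item -ItemType Directory -Path 'C:\VM' -Force | Out-Null
New-VHD -Path 'C:\VM\Dynamic.vhdx' -SizeBytes 100GB -Dynamic | Out-Null
# A differencing disk must share its parent's format, so a .vhd parent is created for it.
New-VHD -Path 'C:\VM\Base.vhd' -SizeBytes 20GB -Dynamic | Out-Null
New-VHD -Path 'C:\VM\Differencing.vhd' -ParentPath 'C:\VM\Base.vhd' -Differencing | Out-Null
New-VHD -Path 'C:\VM\Fixed.vhdx' -SizeBytes 1GB -Fixed | Out-Null

# What each file allocates now versus what the guest will see: Fixed.vhdx takes its full
# 1 GB immediately, the dynamic and differencing files only a few megabytes.
Get-VHD -Path 'C:\VM\Fixed.vhdx', 'C:\VM\Dynamic.vhdx', 'C:\VM\Differencing.vhd' |
    Select-Object @{n='File';e={Split-Path $_.Path -Leaf}}, VhdType, VhdFormat,
                  @{n='OnDiskMB';e={[math]::Round($_.FileSize / 1MB)}},
                  @{n='SizeGB';e={[math]::Round($_.Size / 1GB)}} |
    Format-Table -AutoSize

# Exercise 2, virtual machines. Generation 2 needs a .vhdx disk, so LON-VM2 gets a new
# dynamic .vhdx; LON-VM1 (Generation 1) boots from the differencing disk.
New-VM -Name 'LON-VM2' -Generation 2 -MemoryStartupBytes 1GB -SwitchName 'AppTest' `
       -NewVHDPath 'C:\VM\LON-VM2.vhdx' -NewVHDSizeBytes 40GB | Out-Null
New-VM -Name 'LON-VM1' -Generation 1 -MemoryStartupBytes 1GB -SwitchName 'AppTest' `
       -VHDPath 'C:\VM\Differencing.vhd' | Out-Null

# Start LON-VM1 and open a console to it, as the last lab step asks.
Start-VM -Name 'LON-VM1'
Get-VM -Name 'LON-VM1' | Format-Table Name, State, Generation, MemoryStartup -AutoSize
Start-Process -FilePath 'vmconnect.exe' -ArgumentList 'localhost', 'LON-VM1'
```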
Tools
Tool                 Description        Where to find it
Hyper-V Manager                         Start screen
                                        Start screen
Course Evaluation
Your evaluation of this course will help Microsoft understand the quality of your learning experience.
Please work with your training provider to access the course evaluation form.
Microsoft will keep your answers to this survey private and confidential and will use your responses to
improve your future learning experience. Your open and honest feedback is valuable and appreciated.
2. Does the customer's computer meet the minimum system requirements for Windows 8.1 in the
following areas:
   b. RAM: 4 GB    YES
Does the customer's computer meet the requirements for the following features:
   o Client Hyper-V: 64-bit Second Level Address Translation (SLAT) capable    YES
You should install a 64-bit version of Windows 8.1 Enterprise. Windows 8.1 Enterprise supports
Client Hyper-V, and is the only Windows 8.1 edition that supports the creation of Windows To Go
USB flash drive media. You should use the 64-bit version to be able to use Client Hyper-V.
Results: After completing this exercise, you should have evaluated the installation environment and then
selected the appropriate Windows operating system edition to install.
1. On the host computer, double-click the Hyper-V Manager icon on the desktop or click Start, click
Administrative Tools, and then click Hyper-V Manager.
2. In the Hyper-V Manager console, right-click 20687D-LON-REF1, and then click Settings.
3. In the Settings for 20687D-LON-REF1 window, under IDE Controller 1, click DVD Drive in the left-hand
column.
4. In the details pane, click Image file, and then click Browse.
1. In Hyper-V Manager, right-click the 20687D-LON-REF1 virtual machine, and then click Start.
2. In Hyper-V Manager, right-click the 20687D-LON-REF1 virtual machine, and then click Connect.
3. When the Windows Setup screen appears, select the appropriate regional settings, and then click
Next.
5. On the License terms page, select the I accept the license terms check box, and then click Next.
6. On the Which type of installation do you want? page, click Custom: Install Windows only
(advanced).
8. On the Personalize screen, type LON-REF1 in the PC name field, and then click Next.
13. In the Password hint field, type Forgot already?, click Finish, and then wait for the installation to
complete.
2. On the Start screen, click the Desktop tile to view the desktop of LON-REF1.
3. Click the File Explorer icon on the taskbar. The This PC window opens.
4. In the This PC window, in the navigation pane, right-click This PC, and then click Properties.
   o Workgroup is WORKGROUP
7. On the Start screen, click User, and then click Sign out.
Results: After completing this exercise, you should have performed a clean installation of Windows 8.1.
2. In the Virtual Machines list, right-click 20687D-LON-REF1, and then click Revert.
1. On the host computer, double-click the Hyper-V Manager icon on the desktop, or click Start, click
Administrative Tools, and then click Hyper-V Manager.
2. In the Hyper-V Manager console, right-click 20687D-LON-CL1, and then click Settings.
4. In the details pane, click Virtual floppy disk (.vfd) file, browse to D:\Program Files\Microsoft
Learning\20687\Drives, double-click Lab2BEx1.vfd, and then click OK.
2. On the Start screen, type Image Manager, and then press Enter. The Windows System Image
Manager starts.
3. In Windows System Image Manager, click File, and then click Open Answer File.
4. In the Open dialog box, navigate to Floppy Disk Drive (A:), select Autounattend.xml, and then
click Open. Notice that the Components and Packages nodes are added in the Windows Image
pane, and the Answer File pane is populated with installation passes.
5. In the Answer File pane, expand 1 windowsPE, and then select
amd64_Microsoft-Windows-International-Core-WinPE_neutral. In the
amd64_Microsoft-Windows-International-Core-WinPE pane, verify that InputLocale, SystemLocale,
UILanguage, and UserLocale have en-US values.
9. In the Answer File pane, expand ImageInstall, expand OSImage, expand InstallFrom, and then select
MetaData[Key=/IMAGE/NAME]. In the MetaData[Key=/IMAGE/NAME] Properties pane, verify
that the Value setting has a value of Windows 8.1 Enterprise Evaluation.
10. In the Answer File pane, expand 7 oobeSystem, expand amd64_Microsoft-Windows-Shell-Setup_neutral,
expand UserAccounts, expand LocalAccounts, and then click LocalAccount[Name=Admin]. In the
LocalAccount[Name=Admin] Properties pane, verify the values of the following settings:
   o DisplayName: Admin
   o Group: Administrators
   o Name: Admin
12. On the host computer, double-click the Hyper-V Manager icon on the desktop, or click Start, click
Administrative Tools, and then click Hyper-V Manager.
13. In the Hyper-V Manager console, right-click 20687D-LON-CL1, and then click Settings.
14. In the Settings for 20687D-LON-CL1 window, click Diskette Drive.
15. In the details pane, select None, and then click OK.
Task 3: Configure LON-REF1 and start the Windows 8.1 unattended installation
1. On the host computer, double-click the Hyper-V Manager icon on the desktop, or click Start, click
Administrative Tools, and then click Hyper-V Manager.
2. In the Hyper-V Manager console, right-click 20687D-LON-REF1, and then click Settings.
4. In the details pane, select Virtual floppy disk (.vfd) file, browse to D:\Program Files\Microsoft
Learning\20687\Drives, and then double-click Lab2BEx1.vfd.
6. In the details pane, click Image file, browse to D:\Program Files\Microsoft Learning\20687\Drives,
double-click Win81Ent_EVAL.iso, and then click OK.
8. In the 20687D-LON-REF1 on localhost window, click Actions, and then click Start.
9. Observe the Windows 8.1 installation process. Confirm that you are not prompted for any information
during installation. While Windows 8.1 installs, continue with the next exercise.
Note: During installation, LON-REF1 will restart two times. Do not press any key to start it
from DVD.
Results: After completing this exercise, you should have modified an unattended answer file to use for
automating the Windows 8.1 installation process.
1. In the Hyper-V Manager console, right-click 20687D-LON-CL1, and then click Settings.
3. In the details pane, click Image file, browse to D:\Program Files\Microsoft Learning\20687\Drives,
double-click Win81Ent_EVAL.iso, and then click OK.
4. On LON-CL1, in File Explorer, open the D:\Sources folder, and then view the properties of the
Install.wim file.
Note: The file is 2.99 GB (3,214,415,031 bytes), and there is another Windows image file named
Boot.wim in the folder.
5. On the Start screen, type deployment, and then run Deployment and Imaging Tools Environment.
6. In Deployment and Imaging Tools Environment, run the following command to view the content of
the Install.wim file:
dism /Get-ImageInfo /ImageFile:d:\sources\install.wim
7. Verify that the .wim file has one image named Windows 8.1 Enterprise Evaluation and that the image has
a size of more than 12 GB. This demonstrates how effectively the .wim file format compresses files.
8. You can view more details about the image by using the image index. For example, you can get more
extensive information about the Windows 8.1 Enterprise Evaluation image by running the following
command:
dism /Get-WimInfo /WimFile:d:\sources\install.wim /index:1
1. At the Deployment and Imaging Tools Environment command prompt, create a Windows image file
that contains the contents of the C:\Windows\Inf folder by running the following command (the image
name contains a space, so it must be quoted):
dism /Capture-Image /ImageFile:c:\image.wim /CaptureDir:c:\windows\inf /name:"First Image"
2. Open File Explorer, browse to C:\Windows, right-click the Inf folder, and then click Properties.
3. At the Deployment and Imaging Tools Environment command prompt, run the following command
to view the size of the Windows image file that you created:
dir c:\image.wim
Note: Image.wim is less than 5 MB in size, which shows how effectively the initial files were
compressed when they were added to the Windows image file.
4. To capture the same content in a second image in the image.wim file, run the following command:
dism /Append-Image /ImageFile:c:\image.wim /CaptureDir:c:\windows\inf /name:"Second Image"
Note: The second image, which has the same content as the first image, is added much more quickly.
5. Review the size of the Windows image file that now contains two images.
6. At the Deployment and Imaging Tools Environment command prompt, run the following command:
dir c:\image.wim
Note: Image.wim is only slightly larger. The .wim file format uses single-instance storage, so each
file is stored only once. Because the files in both images of the Windows image file are the same,
each file is contained only once.
7. Run the following command to verify which images are contained in the image.wim file:
dism /Get-ImageInfo /ImageFile:c:\image.wim
1. In File Explorer, view the size of the file C:\Image.wim and when the file was last modified.
2. At the Deployment and Imaging Tools Environment command prompt, run the following two
commands to create an empty folder and mount the second image in image.wim to the created
folder:
mkdir c:\mount
dism /mount-wim /wimfile:c:\image.wim /index:2 /mountdir:c:\mount
3. In File Explorer, view the properties of the C:\mount folder. Note that the contents of the folder are
exactly the same as the contents of the C:\Windows\inf folder.
4. In File Explorer, navigate to the C:\mount folder, and then create a subfolder named Folder1. Select
and delete any three files in the C:\mount folder.
7. View the properties of the Windows image file by running the following command:
dir c:\image.wim
8. View the contents of the Windows image file by running the following command:
dism /Get-ImageInfo /ImageFile:c:\image.wim
9. Run the following commands to view the content of the second and first image in the image.wim file:
dism /Get-WimInfo /WimFile:c:\image.wim /index:2
dism /Get-WimInfo /WimFile:c:\image.wim /index:1
Note: The second image has one more directory and three fewer files than the first image. All of
those modifications were performed in the offline image.
1. Sign in to LON-REF1 as Admin with password Pa$$w0rd. Verify that Windows 8.1 is installed.
2. In the Hyper-V Manager console, right-click 20687D-LON-REF1, and then click Settings.
4. In the details pane, click Image file, browse to D:\Program Files\Microsoft Learning\20687\Drives,
double-click WindowsPE.iso, and then click OK.
5. On LON-REF1, open a command prompt as an Administrator, click Yes in the User Account Control
dialog box, and then run the following command:
C:\Windows\System32\sysprep\sysprep.exe
6. In the System Preparation Tool 3.14 dialog box, click Generalize, and then click OK.
7. When LON-REF1 restarts, press any key to start it from the DVD media.
Note: You can continue with the lecture while the capture is in progress.
Results: After completing this exercise, you should have viewed Windows image information and
captured a Windows 8.1 image.
2. Open File Explorer, navigate to the C:\mount folder, and then verify that the folder is empty.
3. On the Start screen, type command, and then click Command Prompt.
Note: If the image Win81.wim is not yet captured, or you did not capture it in the previous lab, you
can use E:\labfiles\mod02\sources\install.wim instead.
5. View the driver packages in the mounted Windows 8.1 image by running the following command:
dir /OD c:\mount\Windows\System32\DriverStore\FileRepository
7. Verify that the driver has been added to the offline image by running the following command:
dir /OD c:\mount\Windows\System32\DriverStore\FileRepository
8. List the Windows 8.1 features and their state in the mounted image by running the following
command:
dism /Image:c:\mount /Get-Features /Format:Table
9. Enable the Telnet Client Windows feature by running the following command:
dism /Image:c:\mount /Enable-Feature /FeatureName:TelnetClient
10. Unmount the Windows 8.1 image, and then commit the changes by running the following command:
Dism.exe /unmount-wim /mountdir:c:\mount /commit
1. On LON-REF1, at the command prompt, run the following commands to partition and format the
disk. Press Enter after each command:
diskpart
select disk 0
clean
create partition primary
format fs=ntfs quick
assign letter c
exit
2. At the command prompt, apply the Windows 8.1 image by running the following command:
Dism.exe /apply-image /imagefile:g:\win81.wim /index:1 /applydir:c:\
3. Verify that the Windows 8.1 image has been applied to drive C by running the following command:
dir c:\
Results: After completing this exercise, you should have updated a Windows 8.1 installation image.
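As an added example (not part of the lab), the image operations of the preceding exercises done with dism.exe and the DISM PowerShell module: capturing and appending the Inf folder, modifying an image offline, adding drivers and a feature to the Windows 8.1 image, and finally recording a hash of the serviced image so the copy used for Dism /Apply-Image can be verified. Paths follow the lab; the driver folder C:\Drivers and the location of Win81.wim are assumptions, and the mount helper is my own.

```powershell
# Added example, not part of the lab: offline image servicing with dism.exe and the DISM
# module. C:\Drivers (a folder of signed driver packages) and C:\Win81.wim are assumed paths.
#Requires -RunAsAdministrator

$Image  = 'C:\image.wim'
$Mount  = 'C:\mount'
$Source = 'C:\Windows\Inf'

function Invoke-OnMountedImage {
    # Mounts one image, runs the supplied servicing steps, and commits only if they all
    # succeed; otherwise the mount is discarded so no half-serviced image is saved.
    param(
        [Parameter(Mandatory)][string]$ImagePath,
        [Parameter(Mandatory)][int]$Index,
        [Parameter(Mandatory)][string]$MountPath,
        [Parameter(Mandatory)][scriptblock]$Work
    )
    New-Item -ItemType Directory -Path $MountPath -Force | Out-Null
    Mount-WindowsImage -ImagePath $ImagePath -Index $Index -Path $MountPath | Out-Null
    try {
        & $Work $MountPath
        Dismount-WindowsImage -Path $MountPath -Save | Out-Null
    } catch {
        Dismount-WindowsImage -Path $MountPath -Discard | Out-Null
        throw
    }
}

# Capture C:\Windows\Inf twice. Single-instance storage means the second image adds
# almost nothing to the file, which is what the lab's dir output shows.
& dism.exe /Capture-Image /ImageFile:$Image /CaptureDir:$Source /Name:"First Image" | Out-Null
$afterFirst = (Get-Item -Path $Image).Length
& dism.exe /Append-Image /ImageFile:$Image /CaptureDir:$Source /Name:"Second Image" | Out-Null
$afterSecond = (Get-Item -Path $Image).Length
'image.wim: {0:N0} bytes with one image, {1:N0} bytes with two' -f $afterFirst, $afterSecond
Get-WindowsImage -ImagePath $Image | Format-Table ImageIndex, ImageName, ImageSize -AutoSize

# Modify the second image offline (Folder1 added, three files removed), then compare.
Invoke-OnMountedImage -ImagePath $Image -Index 2 -MountPath $Mount -Work {
    param($m)
    New-Item -ItemType Directory -Path (Join-Path $m 'Folder1') | Out-Null
    Get-ChildItem -Path $m -File | Select-Object -First 3 | Remove-Item
}
foreach ($i in 1, 2) {
    $info = Get-WindowsImage -ImagePath $Image -Index $i
    '{0}: {1} directories, {2} files' -f $info.ImageName, $info.DirectoryCount, $info.FileCount
}

# Service the captured Windows 8.1 image: add signed driver packages and enable a feature.
$WinImage = 'C:\Win81.wim'   # assumed path of the image captured in the previous exercise
if (-not (Test-Path -Path $WinImage)) { $WinImage = 'E:\labfiles\mod02\sources\install.wim' }
Invoke-OnMountedImage -ImagePath $WinImage -Index 1 -MountPath $Mount -Work {
    param($m)
    $before = @(Get-WindowsDriver -Path $m).Count
    # Unsigned packages are rejected unless -ForceUnsigned is given; keep that default.
    Add-WindowsDriver -Path $m -Driver 'C:\Drivers' -Recurse | Out-Null
    $after = @(Get-WindowsDriver -Path $m).Count
    "Third-party driver packages in the image: $before -> $after"
    Enable-WindowsOptionalFeature -Path $m -FeatureName TelnetClient | Out-Null
    Get-WindowsOptionalFeature -Path $m -FeatureName TelnetClient | Format-Table FeatureName, State
}

# Record the hash of the finished image; compare it again on the deployment media or share.
Get-FileHash -Path $WinImage -Algorithm SHA256 | Format-List Path, Hash
```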
2. In the Virtual Machines list, right-click 20687D-LON-CL1, and then click Revert.
1. What tool will you use to apply the configuration changes to domain-joined computers?
Answer: You can use Group Policy to apply all of the necessary configuration settings to domain-joined
computers.
2. Are there any organizational unit (OU) structure requirements to meet the management needs on the
internal network?
Answer: Yes, the computers on the machine floor need to be managed separately from other client
computers. Also, the servers and domain controllers need to be managed separately from client
computers. The simplest way to do this is to place the different types of computers in different OUs
and then link only appropriate Group Policy Objects (GPOs) to the OUs.
3. Answer: Yes, you could use security filtering as an alternative to creating separate OUs. You would
need to create security groups that contain the appropriate computer accounts and then specify Read
and Apply permissions to specific GPOs. In general, it is easier to implement OUs in this scenario.
Results: After completing this exercise, you will have planned the management of Windows 8.1
computers.
1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Administrative
Center.
2. In Active Directory Administrative Center, in the navigation pane, click Adatum (local).
3. In the Tasks pane, under Adatum (local), click New, and then click Organizational Unit.
4. In the Create Organizational Unit window, in the Name box, type MachineFloor, and then click OK.
5. In the Tasks pane, under Adatum (local), click New, and then click Organizational Unit.
6. In the Create Organizational Unit window, in the Name box, type CorpComputers, and then
click OK.
10. In the Move window, click MachineFloor, and then click OK.
12. Restart LON-CL1 and LON-CL2, and then sign in to both as Adatum\Administrator with password
Pa$$w0rd.
1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.
2. In the Group Policy Management Console, expand Forest: Adatum.com, expand Domains, expand
Adatum.com, and then click MachineFloor. Notice that no GPOs are linked.
4. Right-click MachineFloor, and then click Create a GPO in this domain, and Link it here.
5. In the New GPO window, in the Name box, type MachineFloor, and then click OK.
6. On the Linked Group Policy Objects tab, right-click MachineFloor, and then click Edit.
7. In the Group Policy Management Editor window, under Computer Configuration, expand Policies,
expand Administrative Templates, expand Windows Components, and then click Windows
Update.
9. In the Configure Automatic Updates window, click Disabled, and then click OK.
1. On LON-CL2, on the Start screen, type power, and then click Windows PowerShell.
2. At a command prompt in the Windows PowerShell command-line interface, type gpupdate /force,
and then press Enter.
5. In Internet Explorer, read the Summary and verify that Inheritance is blocking all non-enforced
GPOs linked above Adatum.com/MachineFloor.
2. Right-click CorpComputers, and then click Create a GPO in this domain, and Link it here.
3. In the New GPO window, in the Name box, type CorpComputers, and then click OK.
4. On the Linked Group Policy Objects tab, right-click CorpComputers, and then click Edit.
5. In the Group Policy Management Editor window, under Computer Configuration, expand Policies,
expand Administrative Templates, expand Windows Components, and then click Windows
Update.
7. In the Configure Automatic Updates window, click Enabled, and then click OK.
8. Under Computer Configuration, expand Windows Settings, expand Security Settings, expand
Windows Firewall with Advanced Security, expand Windows Firewall with Advanced Security,
and then click Inbound Rules.
10. In the New Inbound Rule Wizard, on the Rule Type tab, click Predefined.
11. In the Predefined box, select COM+ Remote Administration, and then click Next.
12. On the Predefined Rules tab, click Next.
13. On the Action tab, click Allow the connection, and then click Finish.
14. Right-click Inbound Rules, and then click New Rule.
15. In the New Inbound Rule Wizard, on the Rule Type tab, click Predefined.
16. In the Predefined box, select Remote Event Log Management, and then click Next.
17. On the Predefined Rules tab, click Next.
18. On the Action tab, click Allow the connection, and then click Finish.
19. Close the Group Policy Management Editor window.
20. Close Group Policy Management.
21. On LON-CL1, on the Start screen, type Power, and then click Windows PowerShell.
22. At the Windows PowerShell command prompt, type gpupdate, and then press Enter.
23. Close the Windows PowerShell Command Prompt window.
1. On LON-DC1, in Server Manager, click Tools, and then click Computer Management.
2. In Computer Management, right-click Computer Management (Local), and then click Connect to
another computer.
3. In the Select Computer window, in the Another computer box, type LON-CL1, and then click OK.
5. Right-click Computer Management (LON-CL1), and then click Connect to another computer.
6. In the Select Computer window, in the Another computer box, type LON-CL2, and then click OK.
This connection fails because remote management has not been configured for the computers in the
MachineFloor OU.
7. In the error window, read the message, and then click OK.
Results: After completing this exercise, you should have implemented an OU structure and GPO structure
to support remote management of computers.
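As an added example (not part of the lab), the OU and GPO structure of this exercise built from LON-DC1 with the ActiveDirectory, GroupPolicy and NetSecurity modules, followed by the same remote-management check the lab performs with Computer Management. OU, GPO and computer names come from the lab; the registry values are the ones the Configure Automatic Updates template writes, and the verification helper is my own.

```powershell
# Added example, not part of the lab: the exercise's OUs, GPOs and firewall rules from
# PowerShell on LON-DC1, then a remote Event Log check from the same console.
#Requires -Modules ActiveDirectory, GroupPolicy, NetSecurity

$DomainDN = 'DC=Adatum,DC=com'
$Domain   = 'Adatum.com'     # firewall policy stores for GPOs take the form Domain\GPOName
$WuKey    = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Task: the two OUs, and the computer accounts moved into them.
foreach ($ou in 'MachineFloor', 'CorpComputers') {
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ou'" -SearchBase $DomainDN)) {
        New-ADOrganizationalUnit -Name $ou -Path $DomainDN
    }
}
Get-ADComputer -Identity 'LON-CL2' | Move-ADObject -TargetPath "OU=MachineFloor,$DomainDN"
Get-ADComputer -Identity 'LON-CL1' | Move-ADObject -TargetPath "OU=CorpComputers,$DomainDN"

# Task: one GPO linked to each OU. "Configure Automatic Updates" is the NoAutoUpdate
# value under the WindowsUpdate\AU policy key (1 = Disabled, 0 = Enabled). MachineFloor
# also blocks inheritance, which the lab verifies in the gpresult Summary.
foreach ($gpo in 'MachineFloor', 'CorpComputers') {
    if (-not (Get-GPO -Name $gpo -ErrorAction SilentlyContinue)) {
        New-GPO -Name $gpo | Out-Null
        New-GPLink -Name $gpo -Target "OU=$gpo,$DomainDN" | Out-Null
    }
}
Set-GPInheritance -Target "OU=MachineFloor,$DomainDN" -IsBlocked Yes | Out-Null
Set-GPRegistryValue -Name 'MachineFloor'  -Key $WuKey -ValueName NoAutoUpdate -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name 'CorpComputers' -Key $WuKey -ValueName NoAutoUpdate -Type DWord -Value 0 | Out-Null

# The two predefined inbound rule groups the wizard offers, copied from the local rule
# store into the CorpComputers GPO and enabled there. MachineFloor deliberately gets none,
# so only the corporate clients expose these RPC endpoints.
$store = "$Domain\CorpComputers"
foreach ($group in 'COM+ Remote Administration', 'Remote Event Log Management') {
    Copy-NetFirewallRule -DisplayGroup $group -NewPolicyStore $store
    Enable-NetFirewallRule -DisplayGroup $group -PolicyStore $store
}

# Verification after gpupdate /force on both clients. Reading the remote System log uses
# the Remote Event Log Management rules, so LON-CL1 answers and LON-CL2 refuses, which is
# what the Computer Management step in the lab demonstrates.
function Test-RemoteEventLogAccess {
    param([Parameter(Mandatory)][string]$ComputerName)
    try {
        $null = Get-EventLog -LogName System -ComputerName $ComputerName -Newest 1 -ErrorAction Stop
        [pscustomobject]@{ Computer = $ComputerName; RemoteEventLog = 'reachable' }
    } catch {
        [pscustomobject]@{ Computer = $ComputerName; RemoteEventLog = "blocked ($($_.Exception.Message))" }
    }
}
'LON-CL1', 'LON-CL2' | ForEach-Object { Test-RemoteEventLogAccess -ComputerName $_ } |
    Format-Table -AutoSize
```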
2. At the Windows PowerShell command prompt, type Enable-PSRemoting, and then press Enter.
3. When prompted to configure Windows Remote Management (WinRM), type A, and then press Enter.
4. When prompted to configure the PSSession, type A, and then press Enter.
5. On LON-CL1, on the Start screen, type Power, and then click Windows PowerShell.
6. At the Windows PowerShell command prompt, type Get-ADUser, and then press Enter. This
command is not recognized because the cmdlets for Active Directory Domain Services (AD DS)
administration are not installed on LON-CL1.
9. When prompted for a filter, type an asterisk (*), and then press Enter.
1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.
2. In Group Policy Management, expand Forest: Adatum.com, expand Domains, and then click
Adatum.com.
3. Right-click Adatum.com, and then click Create a GPO in this domain, and Link it here.
4. In the New GPO window, in the Name box, type Enable PS Remoting, and then click OK.
5. Click the Linked Group Policy Objects tab, right-click Enable PS Remoting, and then click Edit.
6. In the Group Policy Management Editor window, under Computer Configuration, expand Policies,
expand Administrative Templates, expand Windows Components, expand Windows Remote
Management (WinRM), and then click WinRM Service.
8. In the Allow remote server management through WinRM window, click Enabled.
10. In the IPv6 filter box, type an asterisk (*), and then click OK.
11. In the Group Policy Management Editor window, under Policies, expand Windows Settings, expand
Security Settings, and then click System Services.
12. In the details pane, scroll down and double-click Windows Remote Management
(WS-Management).
13. In the Windows Remote Management (WS-Management) Properties window, select the Define this
policy setting check box, click Automatic, and then click OK.
14. In the Group Policy Management Editor window, under Security Settings, expand Windows
Firewall with Advanced Security, expand Windows Firewall with Advanced Security, and then
click Inbound Rules.
15. Right-click Inbound Rules, and then click New Rule.
16. In the New Inbound Rule Wizard, on the Rule Type tab, click Predefined.
17. In the Predefined box, select Windows Remote Management, and then click Next.
18. On the Predefined Rules tab, click Next.
19. On the Action tab, click Allow the connection, and then click Finish.
20. Close the Group Policy Management Editor window.
1. On LON-CL1, on the Start screen, type Power, and then click Windows PowerShell.
2. At the Windows PowerShell command prompt, type gpupdate /force, and then press Enter.
3. Type Get-Service Winrm, and then press Enter to verify that the WinRM service is now running.
Results: After completing this exercise, you will have implemented Windows PowerShell remoting in the
Adatum.com domain.
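As an added example (not part of the lab), the Enable PS Remoting GPO of the preceding tasks created with the GroupPolicy and NetSecurity modules, a check of the result on a client, and a remote Get-ADUser run on LON-DC1 where the AD DS cmdlets exist. The registry values are the ones the WinRM Service administrative template writes; the service startup type set under System Services in the lab has no GroupPolicy cmdlet and is left to the console step, and the verification helper and the example subnet range are my own.

```powershell
# Added example, not part of the lab: build the "Enable PS Remoting" GPO and verify it from
# Windows PowerShell. The subnet range in the comment below is a constructed value.
#Requires -Modules GroupPolicy, NetSecurity

$Domain   = 'Adatum.com'
$GpoName  = 'Enable PS Remoting'
$WinRmKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'

# --- On LON-DC1: Enable-PSRemoting -Force answers the two prompts the lab types A to.
Enable-PSRemoting -Force | Out-Null

# --- On LON-DC1: create the GPO and link it at the domain root (steps 1-5).
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName | Out-Null
    New-GPLink -Name $GpoName -Target "DC=Adatum,DC=com" | Out-Null
}

# "Allow remote server management through WinRM" = Enabled, with the two IP filters.
# The lab uses * (listen on every address). Outside a lab, narrow the filter to the
# management subnet, e.g. '10.10.0.0-10.10.0.255', so the listener is only exposed there.
Set-GPRegistryValue -Name $GpoName -Key $WinRmKey -ValueName AllowAutoConfig -Type DWord  -Value 1   | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $WinRmKey -ValueName IPv4Filter     -Type String -Value '*' | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $WinRmKey -ValueName IPv6Filter     -Type String -Value '*' | Out-Null

# The predefined inbound rule group "Windows Remote Management" (steps 15-19), copied from
# the local rule store into the GPO and enabled there.
$store = "$Domain\$GpoName"
Copy-NetFirewallRule -DisplayGroup 'Windows Remote Management' -NewPolicyStore $store
Enable-NetFirewallRule -DisplayGroup 'Windows Remote Management' -PolicyStore $store

# --- On LON-CL1 after gpupdate /force: service state plus a real listener test.
function Test-WinRmReady {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $svc = Get-Service -Name WinRM -ComputerName $ComputerName -ErrorAction SilentlyContinue
    $listener = try { Test-WSMan -ComputerName $ComputerName -ErrorAction Stop | Out-Null; $true }
                catch { $false }
    [pscustomobject]@{
        Computer = $ComputerName
        Service  = if ($svc) { $svc.Status } else { 'unreachable' }
        Listener = $listener
    }
}
Test-WinRmReady
Test-WinRmReady -ComputerName 'LON-CL2'

# --- The remoting the GPO enables: Get-ADUser is not installed on LON-CL1, so run it on
# LON-DC1 and receive the results here (the lab's filter prompt becomes -Filter *).
Invoke-Command -ComputerName 'LON-DC1' -ScriptBlock { Get-ADUser -Filter * } |
    Select-Object Name, SamAccountName, PSComputerName
```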
When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the
following steps:
2. In the Virtual Machines list, right-click 20687D-LON-DC1, and then click Revert.
1. On LON-DC1, on the taskbar, click File Explorer. In the navigation pane, click Local Disk (C:).
2. In File Explorer, in the details pane, right-click an empty space, point to New, and then click Folder.
Type Profiles as the folder name, and then press Enter.
4. In the Profiles Properties dialog box, on the Security tab, click Edit, and then click Add.
5. In the Enter the object names to select box, type Domain, and then click OK.
7. In the Permissions for Domain Users section, click Full control in the Allow column, and then
click OK.
8. On the Sharing tab, click Advanced Sharing, select the Share this folder check box, and then click
Permissions.
9. In the Permissions for Everyone section, click Full Control in the Allow column, and then click OK
twice.
11. In File Explorer, in the details pane, right-click an empty space, point to New, and then click Folder.
Type Redirected as the folder name, and then press Enter.
12. Right-click the Redirected folder, and then click Properties.
13. In the Redirected Properties dialog box, on the Security tab, click Edit, click Add, and in the Enter
the object names to select box, type Domain, and then click OK.
14. Click Domain Users, and then click OK.
15. In the Permissions for Domain Users section, click Full control in the Allow column, and then
click OK.
16. On the Sharing tab, click Advanced Sharing, select the Share this folder check box, and then click
Permissions.
17. In the Permissions for Everyone section, click Full Control in the Allow column, and then click OK
twice.
18. In the Redirected Properties dialog box, click Close.
19. Close File Explorer.
1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Users and Computers.
2. In Active Directory Users and Computers, in the navigation pane, expand Adatum.com, and then
click the Marketing organizational unit (OU). In the details pane, right-click Adam Barr, and then
click Properties.
3. On the Profile tab, in the Profile path box, type \\LON-DC1\Profiles\%username%, and then
click OK.
1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.
2. In the Group Policy Management Console (GPMC), in the navigation pane, expand Forest:
Adatum.com, expand Domains, and then expand Adatum.com.
3. In the navigation pane, right-click the Marketing OU, and then click Create a GPO in this domain,
and Link it here.
4. In the Name field, type Folder Redirection, and then click OK.
5. In the GPMC, in the navigation pane, expand the Marketing OU, right-click Folder Redirection, and
then click Edit. The Group Policy Management Editor window opens.
6. In the Group Policy Management Editor window, under User Configuration in the navigation pane,
expand Policies, expand Windows Settings, and then expand Folder Redirection.
8. In the Documents Properties dialog box, in the Setting drop-down box, click the Basic - Redirect
everyone's folder to the same location option.
9. In the Target folder location section, in the Root Path box, type \\LON-DC1\Redirected, and then
click OK.
On LON-DC1, in File Explorer, verify that the Profiles and Redirected folders are empty.
2.
3. On the Start screen, click the Desktop tile. Right-click anywhere on the desktop, point to New, and then click Folder. Type Presentations as the folder name, and then press Enter.
4.
5. In the Personalization dialog box, click Change desktop icons, and then select the Computer check box in the Desktop icons section. Click OK, and then close the Personalization dialog box.
6. On the desktop, right-click anywhere, point to New, and then click Shortcut. Click Browse, expand This PC, click Local Disk (C:), click OK, click Next, and then click Finish. A shortcut to drive C is added to the desktop.
7.
8. On the Start screen, type Notepad, and then press Enter. Type your name in Notepad. On the File menu, click Save As, enter your name in the File Name box, and then click Save.
9. Close Notepad.
L4-19
10. On the taskbar, click File Explorer, and then double-click Documents in the details pane. In the details pane, right-click the file with your name, and then click Properties. Verify that the location of that file points to the network, to \\LON-DC1\redirected\adam\Documents, and that it is not stored inside Adam Barr's local profile. Click OK.
11. Sign out of LON-CL1.
12. On LON-DC1, in File Explorer, verify that the Profiles and Redirected folders are no longer empty. The Profiles folder contains the Adam Barr roaming user profile (Adam.V2), while the Redirected folder contains Adam Barr's redirected Documents folder.
13. Sign in to LON-CL2 as Adatum\Adam with password Pa$$w0rd.
14. On the Start screen, click the Desktop tile. Verify that the This PC icon is on the desktop, in addition to the Presentations folder and the Local Disk (C:) shortcut.
15. On the toolbar, click the Start icon.
16. On the Start screen, type Notepad, and then press Enter. On the File menu, click Open, click the file with your name, and then click Open. You verified that you can transparently access files that were created on other computers and saved in a redirected folder.
17. Sign out of LON-CL2.
On LON-DC1, maximize the Active Directory Users and Computers window. To turn on Advanced Features view, on the View menu, click Advanced Features.
2. In the navigation pane of Active Directory Users and Computers, click the Computers container, right-click the LON-CL1 computer account in the details pane, and then click Properties.
3. On the Attribute Editor tab, in the Attributes section, double-click the distinguishedName attribute, press Ctrl+C to copy its value to the Clipboard, and then click OK twice.
In the navigation pane, click the Marketing OU, right-click Adam Barr in the details pane, and then click Properties.
5. On the Attribute Editor tab, in the Attributes section, click the msDS-PrimaryComputer attribute, and then click Edit.
6. Right-click in the Value to add box, click Paste, and then click Add.
7. Right-click in the Value to add box, and then click Paste again. Replace LON-CL1 with LON-CL2, and then click Add.
8.
9.
12. In the Group Policy Management Editor window, navigate to Computer Configuration\Policies\Administrative Templates\System\User Profiles. Double-click the Download roaming profiles on primary computers only policy setting, click Enabled, and then click OK.
13. In the Group Policy Management Editor window, navigate to User Configuration\Policies\Administrative Templates\System\Folder Redirection. Double-click the Redirect folders on primary computers only policy setting, click Enabled, and then click OK.
14. Close the Group Policy Management Editor window and the GPMC.
1. Switch to LON-SVR1, and on the taskbar, click Windows PowerShell. Type gpupdate /force, and then press Enter.
2.
3.
4. Verify that the This PC icon, Presentations folder, and Local Disk (C:) shortcut are not on the desktop. This is because LON-SVR1 is not set as one of Adam Barr's primary computers and his roaming user profile is not available on LON-SVR1.
5.
6. On the Start screen, type Notepad, and then press Enter. On the File menu, click Open. Verify that Documents is selected in the navigation pane, but the file with your name is not available. This is because LON-SVR1 is not set as one of Adam Barr's primary computers, and his redirected folders are not available on LON-SVR1. Click Cancel and sign out of LON-SVR1.
7. On LON-DC1, maximize the Active Directory Users and Computers window. Click the Marketing OU in the navigation pane. Right-click Adam Barr in the details pane, and then click Properties.
8. On the Attribute Editor tab, in the Attributes section, click the msDS-PrimaryComputer attribute, and then click Edit.
9. In the Multi-valued String Editor dialog box, click the value that starts with CN=LON-CL2, and then click Remove.
10. In the Value to add box, replace LON-CL2 with LON-SVR1, click Add, and then click OK twice.
11. Sign in to LON-SVR1 as Adatum\Adam with password Pa$$w0rd.
12. Verify that the Presentations folder is on the desktop, as well as the Local Disk (C:) shortcut. This is because you configured LON-SVR1 as Adam Barr's Primary Computer and his roaming user profile is effective.
13. On the taskbar, click the File Explorer icon. In This PC, in the details pane, double-click Documents. Double-click the file with your name in the details pane. The file opens in Notepad. Because you configured LON-SVR1 as Adam Barr's Primary Computer, redirected folders now are available.
14. In Notepad, on the File menu, click Exit, and then sign out of LON-SVR1.
Results: After completing this exercise, you should have configured roaming user profiles and Folder Redirection. You also should have configured the user Adam Barr with the Primary Computer setting.
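The Primary Computer configuration above, which the exercise does by pasting distinguished names into the Attribute Editor, can also be applied and verified from Windows PowerShell. This is an added example, not part of the course lab; it assumes the lab names (user Adam, computers LON-CL1 and LON-CL2, domain Adatum.com) and that the ActiveDirectory module is available on LON-DC1.

```powershell
# Added example, not part of the course lab: set Adam Barr's profile path and
# Primary Computers with the ActiveDirectory module, then read them back.
# Assumes the lab names (user Adam, computers LON-CL1 and LON-CL2, domain
# Adatum.com) and that the ActiveDirectory module is installed on LON-DC1.
Import-Module ActiveDirectory

function Set-PrimaryComputers {
    param(
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][string[]]$ComputerNames,
        [string]$ProfilePath = '\\LON-DC1\Profiles\%username%'
    )
    # Same value as typed on the Profile tab; %username% is stored literally
    # and expanded by the client at logon.
    Set-ADUser -Identity $User -ProfilePath $ProfilePath

    # msDS-PrimaryComputer holds the distinguishedName of each computer account,
    # which is what the GUI steps copy from the Attribute Editor.
    $dns = foreach ($name in $ComputerNames) {
        (Get-ADComputer -Identity $name).DistinguishedName
    }

    # -Replace (rather than -Add) makes the script idempotent: re-running it
    # with a new list drops stale entries, as the lab does by hand when it
    # swaps LON-CL2 for LON-SVR1.
    Set-ADUser -Identity $User -Replace @{ 'msDS-PrimaryComputer' = [string[]]$dns }
}

function Test-PrimaryComputers {
    param(
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][string[]]$ExpectedNames
    )
    $adUser   = Get-ADUser -Identity $User -Properties 'msDS-PrimaryComputer', ProfilePath
    $actual   = @($adUser.'msDS-PrimaryComputer')
    $expected = @(foreach ($n in $ExpectedNames) { (Get-ADComputer -Identity $n).DistinguishedName })
    $missing  = @($expected | Where-Object { $actual -notcontains $_ })
    $extra    = @($actual   | Where-Object { $expected -notcontains $_ })
    [pscustomobject]@{
        User             = $User
        ProfilePath      = $adUser.ProfilePath
        PrimaryComputers = $actual
        Missing          = $missing
        Extra            = $extra
        Ok               = ($missing.Count -eq 0 -and $extra.Count -eq 0)
    }
}

# Lab values: once the two "primary computers only" policies are enabled, Adam
# Barr's roaming profile and redirected folders load only on LON-CL1 and LON-CL2.
Set-PrimaryComputers -User 'Adam' -ComputerNames 'LON-CL1', 'LON-CL2'
Test-PrimaryComputers -User 'Adam' -ExpectedNames 'LON-CL1', 'LON-CL2' | Format-List
```

Running Test-PrimaryComputers again after the later task that swaps LON-CL2 for LON-SVR1 shows the old value under Extra and the new one under Missing until the attribute is updated.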
1. On LON-DC1, on the taskbar, click File Explorer. In the navigation pane, click Local Disk (C:).
2. In File Explorer, in the details pane, right-click an empty space, point to New, and then click Folder. Type UEVdata as the folder name, and then press Enter. Right-click the UEVdata folder, and then click Properties.
3. On the Security tab, click Edit. Click Add, type Domain in the Enter the object names to select box, and then click OK. Click Domain Users, and then click OK.
4. In the Permissions for Domain Users section, click Full control in the Allow column, and then click OK.
5. On the Sharing tab, click Advanced Sharing. Select the Share this folder check box, and then click Permissions.
6. In the Permissions for Everyone section, click Full Control in the Allow column, and then click OK twice.
7.
8. In File Explorer, in the details pane, right-click an empty space, point to New, and then click Folder. Type UEVTemplates as the folder name, and then press Enter. Right-click the UEVTemplates folder, and then click Properties.
9. On the Security tab, click Edit. Click Add, type Domain in the Enter the object names to select box, and then click OK. Click Domain Users, and then click OK.
10. In the Permissions for Domain Users section, click Full control in the Allow column, and then click OK.
11. On the Sharing tab, click Advanced Sharing, select the Share this folder check box, and then click Permissions.
12. In the Permissions for Everyone section, click Full Control in the Allow column, and then click OK twice.
13. In the UEVTemplates Properties dialog box, click Close.
14. Minimize the File Explorer window.
On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.
2. In the GPMC, in the navigation pane, expand Forest: Adatum.com, expand Domains, and then expand Adatum.com. Right-click Default Domain Policy, and then click Edit.
3. In the Group Policy Management Editor window, under User Configuration in the navigation pane, expand Policies, expand Administrative Templates, and then expand Windows Components. Verify that there is no Microsoft User Experience Virtualization node.
4.
5.
6. In the GPMC, right-click the Adatum.com domain in the navigation pane, and then click Create a GPO in this domain, and Link it here. In the Name field, type UE-V, and then click OK.
7. In the GPMC, in the navigation pane, right-click the UE-V Group Policy, and then click Edit.
8. In the Group Policy Management Editor window, under User Configuration in the navigation pane, expand Policies, expand Administrative Templates, expand Windows Components, and then click the Microsoft User Experience Virtualization node.
9. In the details pane, right-click Settings storage path, click Edit, click Enabled, in Settings storage path, type \\LON-DC1\UEVData\%username%, and then click OK.
10. In the Group Policy Management Editor window, under Computer Configuration in the navigation pane, expand Policies, expand Administrative Templates, expand Windows Components, and then click the Microsoft User Experience Virtualization node.
11. In the details pane, right-click Settings template catalog path, click Edit, click Enabled, in Settings template catalog path, type \\LON-DC1\UEVTemplates, and then click OK.
12. Close the Group Policy Management Editor window and the GPMC.
2. On the Start screen, type Explorer, and then click File Explorer.
3. In File Explorer, navigate to the E:\Labfiles\Mod03 folder, and then double-click AgentSetup.exe.
4. On the Welcome to the Microsoft User Experience Virtualization Agent Setup Wizard page, click Next.
5. On the End-User License Agreement page, select the I accept the terms in the License Agreement check box, and then click Next.
6. On the Microsoft Update page, select Do not use Microsoft Update, and then click Next.
7. On the Customer Experience Improvement Program page, select Do not join the program at this time, and then click Next.
8.
9. On the Completed the Microsoft User Experience Virtualization Agent Setup Wizard page, click Finish, and then click Restart.
2.
3. On LON-CL1, verify that the UE-V configuration is effective. On the Start screen, type Windows PowerShell, and then press Enter.
4. In Windows PowerShell, run Get-UevConfiguration, and then press Enter. You will see that the values for SettingsStoragePath and SettingsTemplateCatalogPath are configured as you set them in Group Policy. You also will see that the current SyncMethod is set to SyncProvider.
5. You can view other UE-V Windows PowerShell cmdlets by running the Get-Command -Module UEV cmdlet.
6.
7. On LON-CL2, on the Start screen, type Calculator. Verify that the desktop app is selected, and then press Enter. On the View menu, click Date calculation. The Calculator is extended with options for date calculation. Close Calculator.
8. On LON-CL1, on the Start screen, type Calculator. Verify that the desktop app is selected, and then press Enter. Verify that the Calculator is not extended with options for date calculation, as the local cache is used and it has not yet been synchronized with the settings storage location. Close Calculator.
9. On LON-CL1, on the Start screen, type Company, and then press Enter. Click Close in the dialog box.
10. In Company Settings Center, click Sync Now. By doing that, you manually trigger synchronization of the local cache, which otherwise happens automatically every 30 minutes.
11. In Company Settings Center, click Close.
12. On LON-CL1, on the Start screen, type Calculator, and then press Enter. Verify that Calculator is now extended with options for date calculation, as you configured it on LON-CL2.
13. On LON-CL1, on the Start screen, type PowerShell, and then press Enter.
14. In Windows PowerShell, disable the use of the local cache by running the following cmdlet:
Set-UevConfiguration -SyncMethod None
On LON-CL2, on the Start screen, type WordPad, and then press Enter.
2. In WordPad, click the View tab, and then verify that the Ruler and Status bar check boxes are selected by default. Clear the Ruler and Status bar check boxes, and then close WordPad.
3. On the desktop, right-click anywhere, point to New, and then select Shortcut. Click Browse, expand This PC, click Local Disk (C:), click OK, click Next, and then click Finish.
Note: A shortcut to Local Disk (C:) is added to the desktop.
4. On the Start screen, type Notepad, and then press Enter. On the Format menu, select Font, select 20 as Size, and then click OK. Type your name in Notepad. On the File menu, click Save As, type your name in the File Name box, and then click Save. Close Notepad.
5. On LON-DC1, in File Explorer, verify that the UEVdata folder now has a brad subfolder.
6. On the View tab, click Hidden items, double-click the Brad folder, and then verify that it contains the SettingsPackages subfolder. Double-click the SettingsPackages folder, and then verify that it contains multiple subfolders for the applications and Windows settings that UE-V synchronizes.
7. On LON-CL2, on the Start screen, type Calculator. Verify that desktop app is selected, and then press Enter.
8. In Calculator, on the View menu, click Programmer, and then click Unit conversion. Close Calculator.
9.
10. On LON-CL1, from the Start screen, type Calculator. Verify that desktop app is selected, and then press Enter. The Calculator is in Programmer mode and extended with Unit conversion, as you configured it on LON-CL2. Close Calculator.
11. On LON-CL1, open WordPad.
12. On the View tab, verify that the Ruler and Status bar check boxes are not selected, which is not the default configuration, but it is exactly as you configured it on LON-CL2. Close WordPad.
13. On LON-CL1, verify that a shortcut to Local Disk (C:) is not present on the desktop. You created it on the desktop on LON-CL2, and it is stored in that user profile. UE-V does not synchronize the contents of the desktop; instead, you should use Folder Redirection or roaming user profiles to make data roam between computers.
14. On LON-CL1, on the Start screen, open Notepad. On the Format menu, select Font, verify that font size 20 is selected, and then click OK.
15. On the File menu, click Open. In the navigation pane, expand This PC, and then select Documents.
16. Verify that the file with your name is not available in the details pane. You created a file with your name on LON-CL2, and it is stored in that user profile. UE-V synchronizes settings only, not data. You should use Folder Redirection or roaming user profiles to make data roam between computers. Click Cancel, and then close Notepad.
On LON-CL1, on the Start screen, open Calculator. Verify that Calculator is in Programmer view and extended with Unit conversion. Close Calculator.
2.
3. At the Windows PowerShell command prompt, run Get-UevTemplate *calc* to view which settings location template TemplateId is used for Calculator.
4.
5. On the Start screen, open Calculator, and then verify that it is in the default Standard mode, the way it was before the first UE-V synchronization.
6.
2.
3. Open File Explorer, and then double-click ToolsSetup.exe in the E:\Labfiles\Mod03 folder.
4. On the Welcome to the Microsoft User Experience Virtualization Generator Setup Wizard page, click Next.
5. Select the I accept the terms in the License Agreement check box, and then click Next.
6. Select the Do not use Microsoft Update check box, and then click Next.
7. On the Customer Experience Improvement Program page, select Do not join the program at this time, and then click Next.
8.
9. On the Completed the Microsoft User Experience Virtualization Generator Setup Wizard page, click Finish, and then click Restart.
12. In Microsoft User Experience Virtualization Generator, click Create a settings location template.
13. Click Browse for the File path, browse to C:\Program files (x86)\Remote Desktop Connection Manager, click RDCMan.exe, and then click Open.
14. On the Specify Application page, click Next.
Note: You will create a settings location template for Remote Desktop Connection Manager.
15. After a few seconds, Remote Desktop Connection Manager will start. In Remote Desktop Connection Manager, on the Tools menu, click Options.
16. In the Options dialog box, select Click to select gives focus to remote client, and then click OK. Close Remote Desktop Connection Manager.
17. In the Discover Locations dialog box, click Next.
18. On the Review Locations page, select the Files tab, click Nonstandard (1), select File path, and then click Next.
19. On the Edit Template page, view the settings location template properties. You could modify the registry and files that are used for storing configuration data on this page. Click Create, and in the File name box, type \\LON-DC1\UEVTemplates\RDCMan.xml, and then click Save.
20. In the Create a Settings Location Template Wizard, click Close, and then close the Microsoft User Experience Virtualization (UE-V) Generator page.
2.
Note: The output shows that no settings location template containing the string rdc is registered.
3. Register the Remote Desktop Connection Manager settings location template by running the following cmdlet: Register-UevTemplate \\LON-DC1\UEVTemplates\RDCMan.xml.
Note: By default, settings location template updates are registered once per day; by running the cmdlet, you register the template manually.
4. To verify that the template is registered, run the following cmdlet: Get-UevTemplate *rdc*. You can see that Remote Desktop Connection Manager (with TemplateId Remote-Desktop-RDCMan-v-2-2) is listed.
5.
6. On the Start screen, click the Desktop tile, and then click File Explorer on the taskbar.
7.
8. On LON-CL1, on the Start screen, type remote, and then click Remote Desktop Connection Manager.
9.
10. In the Options dialog box, select Auto save interval, and then type 3 in the minute(s) box. Click OK, and then close Remote Desktop Connection Manager.
11. On LON-CL2, on the Start screen, type remote, and then click Remote Desktop Connection Manager.
12. In Remote Desktop Connection Manager, on the Tools menu, select Options, and then verify that Auto save interval is selected and configured to 3 minute(s). Click OK, and then close Remote Desktop Connection Manager.
Results: After completing this exercise, you should have successfully implemented and configured UE-V for synchronizing apps and Windows settings.
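The Get-UevConfiguration check from the agent exercise and the Register-UevTemplate / Get-UevTemplate steps from the template exercise can be combined into one verification script. This is an added example, not part of the course lab; it assumes the UEV module installed by AgentSetup.exe and the lab's share paths, and it runs on a client such as LON-CL1.

```powershell
# Added example, not part of the course lab: on a client with the UE-V agent,
# confirm that the two Group Policy values reached the agent and register the
# RDCMan settings location template if it is not already present. Assumes the
# UEV module installed by AgentSetup.exe and the lab share paths below.
Import-Module UEV

$expectedPolicy = @{
    SettingsStoragePath         = '\\LON-DC1\UEVData\%username%'   # User Configuration policy
    SettingsTemplateCatalogPath = '\\LON-DC1\UEVTemplates'         # Computer Configuration policy
}

function Test-UevPolicy {
    param(
        [Parameter(Mandatory)][hashtable]$Expected,
        [string]$ExpectedSyncMethod = 'SyncProvider'   # the lab expects the default; None means the local cache is off
    )
    $cfg = Get-UevConfiguration
    foreach ($key in (@($Expected.Keys) + 'SyncMethod')) {
        $want = if ($key -eq 'SyncMethod') { $ExpectedSyncMethod } else { $Expected[$key] }
        $have = [string]$cfg.$key
        [pscustomobject]@{
            Setting  = $key
            Expected = $want
            Actual   = $have
            Match    = ($have -eq $want)   # string -eq is case-insensitive in PowerShell
        }
    }
}

function Register-UevTemplateIfMissing {
    param(
        [Parameter(Mandatory)][string]$TemplatePath,
        [Parameter(Mandatory)][string]$IdPattern      # wildcard pattern such as *rdc*, as used in the lab
    )
    $found = @(Get-UevTemplate $IdPattern)
    if ($found.Count -gt 0) {
        Write-Verbose "A template matching $IdPattern is already registered"
        return $found
    }
    # The lab grants Everyone Full Control on the catalog share, so confirm the
    # file you are about to register is the one you expect before trusting it.
    # The agent also picks up catalog templates once a day; this is the manual path.
    if (-not (Test-Path -LiteralPath $TemplatePath)) {
        throw "Template file not found: $TemplatePath"
    }
    Register-UevTemplate -Path $TemplatePath -ErrorAction Stop
    @(Get-UevTemplate $IdPattern)
}

Test-UevPolicy -Expected $expectedPolicy | Format-Table -AutoSize
Register-UevTemplateIfMissing -TemplatePath '\\LON-DC1\UEVTemplates\RDCMan.xml' -IdPattern '*rdc*' |
    Select-Object TemplateId
```

A Match of False for SyncMethod after the earlier task is expected, because that task deliberately set the method to None.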
2. In the Virtual Machines list, right-click 20687D-LON-DC1, and then click Revert.
3.
4.
2. Verify that Don has a black desktop and that the Computer and Don Funk folders are on the desktop.
3. On the desktop, right-click anywhere, select New, select Text Document, and then type your name.
4. Sign out of LON-CL3, and then sign back in to LON-CL3 as Adatum\Administrator with password Pa$$w0rd.
5.
6. At the command prompt, type the following command, and then press Enter:
Net Use F: \\LON-DC1\USMT
7.
8. At the command prompt, type the following, and then press Enter:
scanstate /i:migapp.xml /i:miguser.xml /genconfig:config.xml
Note: The creation of the Config.xml file will begin. Wait until the command finishes.
9. At the command prompt, type notepad config.xml, and then press Enter.
10. To exclude Shared Video, under the Documents node, modify the line to match the following code:
<component displayname="Shared Video" migrate="no" ... />
11. Under the Documents node, modify the line to match the following code:
<component displayname="Shared Music" migrate="no" ... />
12. Under the Documents node, modify the line to match the following code:
<component displayname="Shared Pictures" migrate="no" ... />
2. Maximize the Notepad window. This is a custom XML file that is used to migrate a specific folder called ResearchApps to the new workstation.
3. Change the variable <Foldername> to ResearchApps. The entire line should read as follows:
<pattern type="File">C:\ResearchApps\* [*]</pattern>
4.
5.
6. In Windows Explorer, in the navigation pane, expand Computer, and then click Local Disk (C:). In the details pane, double-click ResearchApps, and then verify that there are several files in the folder.
7. In Windows Explorer, right-click in the details pane, select New, select Text Document, and then type your name.
8.
Results: After completing this exercise, you should have created and customized XML files to use with the User State Migration Tool (USMT).
2. Verify that there is no content on the \\LON-DC1\Data share by running the following command:
Dir \\lon-dc1\data
3.
4. Wait until the ScanState process completes, and then verify that the state is captured on the network share by running the following command:
Dir \\lon-dc1\data /s
2. From the Start screen, type cmd, and then press Enter.
3. Click the File Explorer icon on the taskbar. Go to C:\Users, and then verify that there is no subfolder named Ed or Don.
4. In File Explorer, click Local disk (C:), and then verify that there is no ResearchApps folder on drive C.
5.
6.
7. At the command prompt, type the following, and then press Enter:
Loadstate \\LON-DC1\Data /i:migapp.xml /i:miguser.xml /i:folders.xml
8. When the LoadState task completes, in File Explorer, in the C:\Users folder, verify that there are subfolders named Ed and Don.
9.
1.
2.
3. Notice the Computer and Don Funk folders on the desktop, in addition to a text document with your name.
4.
5. In File Explorer, in the details pane, double-click Local Disk (C:), double-click ResearchApps, and then verify that all the files from LON-CL3 have migrated, including the file with your name.
Results: After completing this exercise, you should have captured and restored user states by using USMT.
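The config.xml edits in the XML exercise (setting Shared Video, Shared Music and Shared Pictures to migrate="no" under the Documents node) are done in Notepad above; the same change can be scripted so that it is exact and repeatable. This is an added example, not part of the course lab; the sample document it operates on is constructed here to show the layout, and a real config.xml comes from scanstate /genconfig:config.xml with many more nodes.

```powershell
# Added example, not part of the course lab: make the config.xml edits from
# the exercise (Shared Video, Shared Music, Shared Pictures set to migrate="no")
# with the XML parser instead of Notepad, and report what is excluded. The
# sample document below is constructed here to show the layout; a real
# config.xml comes from "scanstate /genconfig:config.xml" and carries more nodes.
$sampleConfig = @'
<Configuration>
  <Documents>
    <component displayname="My Documents" migrate="yes" ID="constructed-id-1"/>
    <component displayname="Shared Video" migrate="yes" ID="constructed-id-2"/>
    <component displayname="Shared Music" migrate="yes" ID="constructed-id-3"/>
    <component displayname="Shared Pictures" migrate="yes" ID="constructed-id-4"/>
  </Documents>
</Configuration>
'@

function Set-UsmtComponentMigrate {
    param(
        [Parameter(Mandatory)][string]$ConfigPath,
        [Parameter(Mandatory)][string[]]$DisplayName,
        [ValidateSet('yes', 'no')][string]$Migrate = 'no',
        [string]$Section = 'Documents'     # node under <Configuration>, as in the lab
    )
    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true       # keep the file diffable after the edit
    $doc.Load($ConfigPath)
    $changed = New-Object System.Collections.Generic.List[string]
    foreach ($name in $DisplayName) {
        # Exact match on displayname; a name containing an apostrophe would
        # need different XPath quoting.
        $xpath = "/Configuration/$Section/component[@displayname='$name']"
        $nodes = $doc.SelectNodes($xpath)
        if ($nodes.Count -eq 0) {
            Write-Warning "No component named '$name' under $Section"
            continue
        }
        foreach ($node in $nodes) {
            if ($node.GetAttribute('migrate') -ne $Migrate) {
                $node.SetAttribute('migrate', $Migrate)
                $changed.Add($name)
            }
        }
    }
    $doc.Save($ConfigPath)
    return $changed.ToArray()
}

function Get-UsmtExcludedComponents {
    param([Parameter(Mandatory)][string]$ConfigPath)
    [xml]$doc = Get-Content -LiteralPath $ConfigPath -Raw
    $doc.SelectNodes("//component[@migrate='no']") |
        ForEach-Object { $_.GetAttribute('displayname') }
}

# Demonstration on the constructed file
$path = Join-Path $env:TEMP 'config.xml'
Set-Content -LiteralPath $path -Value $sampleConfig -Encoding UTF8
$changed = Set-UsmtComponentMigrate -ConfigPath $path -DisplayName 'Shared Video', 'Shared Music', 'Shared Pictures'
"Changed: $($changed -join ', ')"
"Excluded now: $((Get-UsmtExcludedComponents -ConfigPath $path) -join ', ')"
# Running Set-UsmtComponentMigrate again returns an empty list: the attributes
# are already "no", so the file is left untouched.
```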
2. In the Virtual Machines list, right-click 20687D-LON-DC1, and then click Revert.
3.
4.
2.
3.
4. Right-click the unallocated space on Disk 2, and then click New Simple Volume.
5. In the New Simple Volume Wizard, on the Welcome to the New Simple Volume Wizard page, click Next.
6. On the Specify Volume Size page, change the Simple volume size in MB value to 5103, and then click Next.
7.
8. On the Format Partition page, in the Volume label text box, type Simple1, and then click Next.
9. On the Completing the New Simple Volume Wizard page, click Finish.
10. In the Microsoft Windows dialog box, click Format disk, then in the Format Simple 1 (F:) dialog box, click Start, and then click OK twice.
11. When the New Simple Volume Wizard is complete, close Disk Management and any open windows.
Open the Start screen, type pow, right-click Windows PowerShell, and then select Run as administrator.
2. In the Administrator: Windows PowerShell window, type get-disk, and then press Enter.
3. In the Administrator: Windows PowerShell window, type Get-Disk -Number 3 | New-Partition -Size (5GB) | Format-Volume -Confirm:$false -FileSystem NTFS -NewFileSystemLabel Simple2, and then press Enter.
4. In the Administrator: Windows PowerShell window, type Get-Partition, and then press Enter. Make note of the PartitionNumber of the volume you just created on Disk Number 3. You will use this information in the next step.
5.
6. In File Explorer, verify the visibility of the volume that you created, and then close File Explorer.
7.
Open the Start screen, type diskmgmt.msc, and then press Enter.
2.
3. In the Extend Volume Wizard, on the Welcome to the Extend Volume Wizard page, click Next.
4. On the Select Disks page, select Disk 2, in the Select the amount of space in MB text box, type 500, and then click Next.
5.
6.
1.
2. At the Administrator: Windows PowerShell command prompt, type Get-Partition, and then press Enter.
3. Note the disk number, partition number, and size for drive H.
4.
5. At the Administrator: Windows PowerShell command prompt, type Get-Partition, and then press Enter.
6. Compare the size of the Simple2 volume with the size previously reported.
7.
Open the Start screen, type diskmgmt.msc, and then press Enter.
2. Right-click the unallocated space on Disk 2, and then click New Spanned Volume.
3. In the New Spanned Volume Wizard, on the Welcome to the New Spanned Volume Wizard page, click Next.
4. On the Select Disks page, select Disk 3. Hold down the Shift key, select Disk 4, and then click Add.
5. On the Select Disks page, select Disk 2, and in the Select the amount of space in MB text box, type 2000.
6. On the Select Disks page, select Disk 3, and in the Select the amount of space in MB text box, type 1500.
7. On the Select Disks page, with Disk 4 selected, in the Select the amount of space in MB text box, type 4000, and then click Next.
8.
9. On the Format Volume page, in the Volume label text box, type SpannedVol.
10. Select the Perform a quick format check box, and then click Next.
11. On the Completing the New Spanned Volume Wizard page, click Finish.
12. Review the Disk Management warning, and then click Yes.
Right-click the unallocated space on Disk 2, and then click New Striped Volume.
2. In the New Striped Volume Wizard, on the Welcome to the New Striped Volume Wizard page, click Next.
3. On the Select Disks page, click Disk 3. Hold down the Shift key, click Disk 4, and then click Add.
4. On the Select Disks page, in the Select the amount of space in MB text box, type 2000, and then click Next.
5.
6. On the Format Volume page, in the Volume label text box, type StripedVol.
7. Select the Perform a quick format check box, and then click Next.
8. On the Completing the New Striped Volume Wizard page, click Finish.
9.
Results: After completing this exercise, you should have created several volumes on a client computer.
2. Click This PC, right-click StripedVol (I:), and then click Properties.
3. In the StripedVol (I:) Properties dialog box, click the Quota tab.
4. On the Quota tab, select the Enable quota management check box, and then select the Deny disk space to users exceeding quota limit check box.
5. Click Limit disk space to, in the adjacent box, type 6, and then in the KB list, click MB.
6. In the Set warning level to box, type 4, and then in the KB list, click MB.
7. Select the Log event when a user exceeds their warning level check box, and then click OK.
8. In the Disk Quota dialog box, review the message, and then click OK.
9.
Open the Start screen, type com, and in the Everywhere search screen, click Command Prompt.
2.
3. At the command prompt, type fsutil file createnew 2mb-file 2097152, and then press Enter.
4. At the command prompt, type fsutil file createnew 1kb-file 1024, and then press Enter.
5.
6. Open the Start screen, click Administrator, and then click Sign out.
2.
3.
4.
5.
6.
7. In File Explorer, in the details pane, copy the 2mb-file and the 1kb-file, and then paste both files in Alan's files.
8.
9.
In the Alan's files folder, right-click 2mb-file, click Copy, and then press Ctrl+V.
2.
3.
4. Click This PC, right-click StripedVol (I:), and then click Properties.
5. In the StripedVol (I:) Properties dialog box, click the Quota tab, and then click Quota Entries.
6. In the Quota Entries for StripedVol (I:) dialog box, in the Name column, double-click Alan Steiner.
7. Review the entries in the Quota Settings for Alan Steiner dialog box, and then click OK.
8. Close the Quota Entries for StripedVol (I:) and Striped Volume (I:) Properties dialog boxes.
9.
10. Open the Start screen, type eventvwr, and then press Enter.
11. Maximize the Event Viewer desktop app window.
12. In the Event Viewer (Local) list, expand Windows Logs, and then click System.
13. Right-click System, and then click Filter Current Log.
14. In the <All Events IDs> box, type 36, and then click OK.
15. Examine the listed entry.
16. Close all open windows.
Results: After completing this exercise, you should have created and tested a disk quota.
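The quota exercise above sets a 4 MB warning level and a 6 MB hard limit through the Quota tab, creates two test files with fsutil, and then looks for event ID 36 in the System log. The same configuration and check can be scripted with fsutil and Get-WinEvent. This is an added example, not part of the course lab; it assumes the lab's drive letter I: and the user account ADATUM\Alan, and it must run from an elevated PowerShell session.

```powershell
# Added example, not part of the course lab: apply the same quota from the
# exercise to the StripedVol (I:) volume with fsutil, create the two test
# files, and pull the NTFS quota events the lab filters on (System log, ID 36).
# Assumes drive letter I: and user ADATUM\Alan from the lab; run elevated.
function Set-VolumeUserQuota {
    param(
        [string]$Volume       = 'I:',
        [string]$User         = 'ADATUM\Alan',
        [long]  $WarningBytes = 4MB,    # "Set warning level to" 4 MB
        [long]  $LimitBytes   = 6MB     # "Limit disk space to" 6 MB
    )
    # "Enable quota management" and "Deny disk space to users exceeding quota limit"
    fsutil quota track   $Volume | Out-Null
    fsutil quota enforce $Volume | Out-Null
    # Per-user threshold and limit are given in bytes:
    #   fsutil quota modify <volume> <threshold> <limit> <user>
    fsutil quota modify $Volume $WarningBytes $LimitBytes $User | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "fsutil quota modify failed with exit code $LASTEXITCODE" }
    fsutil quota query $Volume
}

function New-QuotaTestFile {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][long]$SizeBytes
    )
    # Same tool as the lab: creates a file of exactly the requested size.
    fsutil file createnew $Path $SizeBytes | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not create $Path" }
    Get-Item -LiteralPath $Path
}

function Get-QuotaWarningEvents {
    param([int]$LookBackHours = 24)
    # Event ID 36 in the System log is the entry the lab examines after Alan's
    # copies push his usage past the 4 MB warning level.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'System'
        Id        = 36
        StartTime = (Get-Date).AddHours(-$LookBackHours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, ProviderName, Id, Message
}

Set-VolumeUserQuota
New-QuotaTestFile -Path 'I:\2mb-file' -SizeBytes 2097152
New-QuotaTestFile -Path 'I:\1kb-file' -SizeBytes 1024
# Sign in as Alan and copy the files as in the lab, then run this from the
# Administrator session to see the warning entry.
Get-QuotaWarningEvents | Format-List
```

The files created by the Administrator are charged to the Administrator, not to Alan; the quota event only appears once Alan's own copies exceed the warning level, which is why the lab has Alan copy the files twice.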
2. Open the Start screen, type diskmgmt.msc, and then press Enter.
3. In Disk Management, click the Action menu, and then click Create VHD.
4. In the Create and Attach Virtual Hard Disk dialog box, in the Location text box, type I:\DemoDisk.vhdx.
5. In the Virtual hard disk size section, type 100, and then select MB from the drop-down list.
6. Select the VHDX option in the Virtual hard disk format section.
7. Select the Dynamically expanding option in the Virtual hard disk type section, and then click OK.
8.
9. Select Command Prompt (Admin) from the Administrative menu by pressing Windows logo key+X.
10. In the Administrator: Command Prompt window, type DiskPart, and then press Enter.
11. In the Administrator: Command Prompt window, type create vdisk file=I:\virtualdisk2.vhdx maximum=1048 type=expandable, and then press Enter.
12. Leave the Administrator: Command Prompt window open, and then proceed to the next task.
Task 2: Mount the virtual hard disk file, browse to the virtual hard disk file, and create files on the drive
1.
2.
3. Open the Start screen, type diskmgmt.msc, and then press Enter.
4. In Disk Management, next to Disk 5, right-click the Disk, and then click Initialize Disk.
5. In the Initialize Disk dialog box, select Disk 5, select the Master Boot Record option, and then click OK.
6.
7. In Disk Management, right-click the unallocated space on Disk 5, and then click New Simple Volume.
8. In the New Simple Volume Wizard, on the Welcome to the New Simple Volume Wizard page, click Next.
9. On the Specify Volume Size page, change the Simple volume size in MB value to 97, and then click Next.
11. On the Format Partition page, in the Volume label text box, type SimpleVHD1, and then click Next.
12. On the Completing the New Simple Volume Wizard page, click Finish.
Note: When the New Simple Volume Wizard is complete, the drive is ready to use.
13. Close the Disk Management and the Microsoft Windows dialog box.
14. Open File Explorer, and then verify that the new drive named SimpleVHD1 has been created.
15. Select the new virtual drive, and then click New Folder on the File Explorer ribbon.
16. Name the new folder Test.
17. Create a new Notepad document named Test.txt, and then save it on the new drive.
18. Close File Explorer.
19. If the Administrator: Command Prompt window is still open, skip to step 22.
20. Open the Start screen, type com, in the Everywhere search screen, right-click Command Prompt, and then click Run as administrator.
21. In the Administrator: Command Prompt window, type DiskPart, and then press Enter.
22. In the Administrator: Command Prompt window, type select vdisk file=I:\virtualdisk2.vhdx, and then press Enter.
23. In the Administrator: Command Prompt window, type attach vdisk, and then press Enter.
24. In the Administrator: Command Prompt window, type List Disk, and then press Enter. Make note of the Disk### of the disk that has an asterisk (*) next to it and has a size of 1,048 MB. You will use this information in the next step.
25. In the Administrator: Command Prompt window, type create partition primary, and then press Enter.
26. In the Administrator: Command Prompt window, type format fs=ntfs label=SimpleVHD2 quick, and then press Enter.
27. In the Administrator: Command Prompt window, type assign, and then press Enter.
28. Close the Administrator: Command Prompt window.
29. Open File Explorer, and then verify the visibility of the new virtual drive volume that you created.
30. Select the new virtual drive, and then click New Folder on the File Explorer ribbon.
31. Name the new folder Test.
32. Create a new Notepad document named Test.txt, and then save it on the new drive.
33. Close File Explorer.
2.
Open the Start screen, type diskmgmt.msc, and then press Enter.
3.
In Disk Management, right click Disk 5, and then select Detach VHD.
4.
Verify that the file name provided in the Detach Virtual Hard Disk dialog box is I:\DemoDisk.VHDX,
and then click OK.
5.
6.
7.
8. Open the Start screen, type com, in the Everywhere search screen, right-click Command Prompt,
and then click Run as administrator.
9. In the Administrator: Command Prompt window, type DiskPart, and then press Enter.
10. In the Administrator: Command Prompt window, type List vdisk, then press Enter.
11. In the Administrator: Command Prompt window, type select vdisk file=I:\virtualdisk2.vhdx, and
then press Enter.
12. In the Administrator: Command Prompt window, type detach vdisk, and then press Enter.
13. Open File Explorer, and then verify that the new virtual drive is no longer visible as a volume.
14. Open the Start screen, type diskmgmt.msc, and then press Enter.
15. In Disk Management, verify that Disk 6 is no longer visible.
16. Close the Disk Management window.
17. Close File Explorer.
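The DiskPart sequence above (attach, create partition, format, assign, detach) can be scripted and, more importantly, checked at each step. The following is an added example and not part of the 20687D lab text; it uses the Storage module cmdlets that ship with Windows 8.1 instead of DiskPart. It assumes the VHDX already exists at I:\virtualdisk2.vhdx and reuses the SimpleVHD2 label from the lab; the refusal to format anything that is not a file-backed virtual disk is the check a practitioner would want before running a destructive format against a disk number read off a list.

```powershell
# Added example (not part of the lab): the DiskPart steps expressed with the
# Storage module, with a safety check before formatting. Run elevated.
# Assumption: the VHDX was already created at the path below, as in the lab.
$VhdPath = 'I:\virtualdisk2.vhdx'
$Label   = 'SimpleVHD2'

# "attach vdisk": mount the image and find the disk number it received.
Mount-DiskImage -ImagePath $VhdPath | Out-Null
$diskNumber = (Get-DiskImage -ImagePath $VhdPath).Number
$disk = Get-Disk -Number $diskNumber

# "list disk" check: the lab identifies the disk by its asterisk and 1,048 MB size;
# here we refuse to continue unless the disk really is a mounted VHD, so a typo
# in the disk number can never format a fixed disk.
if ($disk.BusType -ne 'File Backed Virtual') {
    throw "Disk $diskNumber is not a file-backed virtual disk (BusType=$($disk.BusType)); refusing to format it."
}

# "create partition primary", "format fs=ntfs label=... quick", "assign".
# Initialize-Disk is only needed the first time, while the disk is still RAW.
if ($disk.PartitionStyle -eq 'RAW') {
    Initialize-Disk -Number $diskNumber -PartitionStyle MBR
}
$volume = New-Partition -DiskNumber $diskNumber -UseMaximumSize -AssignDriveLetter |
          Format-Volume -FileSystem NTFS -NewFileSystemLabel $Label -Confirm:$false

# Verify the result the way the lab does in File Explorer: create Test\Test.txt.
$root = "$($volume.DriveLetter):\"
New-Item -Path (Join-Path $root 'Test') -ItemType Directory -Force | Out-Null
Set-Content -Path (Join-Path $root 'Test\Test.txt') -Value 'Hello from the VHD'
Get-Volume -DriveLetter $volume.DriveLetter |
    Format-List DriveLetter, FileSystemLabel, FileSystem, Size

# "detach vdisk": unmount, then confirm the disk number is gone.
Dismount-DiskImage -ImagePath $VhdPath
if (Get-Disk -Number $diskNumber -ErrorAction SilentlyContinue) {
    Write-Warning "Disk $diskNumber is still present after dismount."
} else {
    "Disk $diskNumber detached; volume $($volume.DriveLetter): is no longer visible."
}
```

The BusType check is the part worth keeping even if the rest is done interactively: DiskPart's `select disk` has no such guard.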
Results: After completing this exercise, you should have created, mounted, and then deleted a virtual
hard disk file.
When you have finished the lab, leave the virtual machines running, as they are needed for the next
lab.
1.
2. Open the Start screen, type com, in the Everywhere search screen, right-click Command Prompt,
and then click Run as administrator.
3.
4. In the Administrator: Command Prompt window, type pnputil -e, and then press Enter. Take note of
the published name for the driver you just installed into the store.
5.
Results: After completing this exercise, you should have installed a driver into the protected driver store.
2. Select Device Manager from the Administrative menu by pressing the Windows logo key+X.
3. In Device Manager, expand Keyboards, right-click Standard PS/2 Keyboard, and then click Update
Driver Software.
4. In the Update Driver Software Standard PS/2 Keyboard dialog box, click Browse my computer
for driver software.
5. On the Browse for driver software on your computer page, click Let me pick from a list of
device drivers on my computer.
6. In the Show compatible hardware list, click PC/AT Enhanced PS/2 Keyboard (101/102 Key), click
Next, and then click Close.
7. In the System Settings Change dialog box, click Yes to restart the computer.
2. Select Device Manager from the Administrative menu by pressing the Windows logo key+X.
3. In Device Manager, expand Keyboards, right-click PC/AT Enhanced PS/2 Keyboard (101/102 Key),
and then click Properties.
4. In the PC/AT Enhanced PS/2 Keyboard (101/102 Key) Properties dialog box, click the Driver tab,
and then click Roll Back Driver.
5. In the Driver Package rollback dialog box, click Yes, and then click Close.
6.
7.
8. Select Device Manager from the Administrative menu by pressing the Windows logo key+X.
9. In Device Manager, expand Keyboards, right-click Standard PS/2 Keyboard, and then click
Properties.
10. In the Standard PS/2 Keyboard Properties dialog box, click the Driver tab, and then verify that the
driver has been rolled back to the Standard PS/2 Keyboard version.
11. Close Device Manager.
Results: After completing this exercise, you should have installed and rolled back a device driver.
2. In the Virtual Machines list, right-click 20687D-LON-CL2, and then click Revert.
3.
4.
2. On the Start screen, click the down arrow in the bottom left of the screen to display Apps by name,
scroll to the far left and then click Command Prompt.
3. At the command prompt, type ipconfig /all, and then press Enter:
o
2. In the Network Connections window, right-click Ethernet, and then click Properties.
3. In the Ethernet Properties window, click Internet Protocol Version 4 (TCP/IPv4), and then click
Properties.
4. Click Obtain an IP address automatically, click Obtain DNS server address automatically, click
OK, and then click Close to close the Ethernet Properties window.
In the Network Connections window, right-click Ethernet, and then click Status, and then click
Details.
o
Is DHCP enabled?
Answer: Yes
2.
Results: After completing this exercise, you should have configured LON-CL1 to obtain an IPv4
configuration automatically from a DHCP server.
2.
3. Expand lon-dc1.adatum.com, expand IPv4, and then click Scope [172.16.0.0] Adatum.
4.
5.
6.
2. At the command prompt, type ipconfig /release, and then press Enter.
3. At the command prompt, type ipconfig /renew, and then press Enter. The command will fail.
4. At the command prompt, type ipconfig /all, and then press Enter:
o
2. In the Ethernet Properties window, click Internet Protocol Version 4 (TCP/IPv4), and then click
Properties.
3. Click the Alternate Configuration tab, click User configured, and then enter the following:
o
IP address: 172.16.16.10
4. Clear the Validate settings, if changed, upon exit check box, and then click OK to save the settings.
5.
6. At the command prompt, type ipconfig /release, and then press Enter.
7. At the command prompt, type ipconfig /renew, and then press Enter.
8. At the command prompt, type ipconfig /all, and then press Enter:
o
9.
2. In the Ethernet Properties window, click Internet Protocol Version 4 (TCP/IPv4), and then click
Properties.
3. Click Use the following IP address, type the following, and then click OK:
o
IP address: 172.16.16.10
4.
5.
Results: After completing this exercise, you should have tested various scenarios for dynamic IP address
assignment and then configured a static IP address.
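The exercise above walks through three IPv4 states on the client: a DHCP lease, the fallback when no DHCP server answers, and a static address. The following is an added example and not part of the lab; it reproduces those states with the NetTCPIP cmdlets and reads the configuration back after each change, which is what `ipconfig /all` is used for in the steps. It assumes the adapter is named Ethernet and uses the lab's values (172.16.16.10 with mask 255.255.0.0, which is prefix length 16, and LON-DC1 at 172.16.0.10 as the DNS server). The Alternate Configuration tab has no cmdlet counterpart, so that step is left to the GUI.

```powershell
# Added example (not part of the lab): the DHCP / APIPA / static states from the
# exercise, driven and verified from PowerShell. Run elevated on the client.
# Assumptions: adapter alias 'Ethernet'; addresses follow the lab's values.
$Adapter = 'Ethernet'

function Get-IPv4Summary {
    param([string]$Name = $Adapter)
    # One-adapter equivalent of "ipconfig /all": DHCP state, address, origin, DNS.
    $if  = Get-NetIPInterface -InterfaceAlias $Name -AddressFamily IPv4
    $ip  = Get-NetIPAddress  -InterfaceAlias $Name -AddressFamily IPv4 -ErrorAction SilentlyContinue
    $dns = Get-DnsClientServerAddress -InterfaceAlias $Name -AddressFamily IPv4
    [pscustomobject]@{
        Adapter     = $Name
        DhcpEnabled = ($if.Dhcp -eq 'Enabled')
        Address     = ($ip | ForEach-Object { "$($_.IPAddress)/$($_.PrefixLength)" }) -join ', '
        Origin      = ($ip.PrefixOrigin | Select-Object -Unique) -join ', '   # Dhcp, Manual, or WellKnown (APIPA)
        DnsServers  = $dns.ServerAddresses -join ', '
    }
}

# 1. Obtain an address automatically, as in the first exercise.
Set-NetIPInterface -InterfaceAlias $Adapter -AddressFamily IPv4 -Dhcp Enabled
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ResetServerAddresses
ipconfig /renew | Out-Null
Get-IPv4Summary

# 2. When the scope is deactivated and "ipconfig /renew" fails, Windows assigns
#    an APIPA address (169.254.x.x, PrefixOrigin WellKnown) unless an alternate
#    configuration exists. Detect that state rather than reading it off the screen.
if ((Get-IPv4Summary).Address -like '169.254.*') {
    Write-Warning 'No DHCP lease: APIPA address in use, domain resources will be unreachable.'
}

# 3. Static configuration: clear any existing address and default route, then assign.
Get-NetIPAddress -InterfaceAlias $Adapter -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceAlias $Adapter -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false
New-NetIPAddress -InterfaceAlias $Adapter -IPAddress '172.16.16.10' -PrefixLength 16 | Out-Null
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses '172.16.0.10'
Get-IPv4Summary

# Connectivity check, the equivalent of "ping 172.16.0.10".
Test-Connection -ComputerName '172.16.0.10' -Count 2 -Quiet
```

The Origin column is the quickest way to tell the three states apart: Dhcp for a lease, WellKnown for an APIPA fallback, Manual for the static address.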
When you have finished the lab, leave the virtual machines running, as you will need them for the
next lab.
2. In the navigation pane, right-click This PC, and then click Map network drive.
3.
4.
5.
On LON-CL1, point to the lower-right corner of the desktop, and then click Settings.
2.
3.
4.
5. In Network and Sharing Center, to the right of the Adatum.com Domain network, click Ethernet.
6.
7. Clear the Internet Protocol Version 6 (TCP/IPv6) check box, and then click OK.
8. In the Ethernet Status window, click Close, and then close Network and Sharing Center.
9.
2. Double-click Data(\\LON-DC1)(P:).
3.
4.
2. On the Start screen, type CMD, and then click Command Prompt.
3. At the command prompt, type ping lon-dc1, and then press Enter.
4. At the command prompt, type ping 172.16.0.10, and then press Enter.
5. At the command prompt, type ipconfig /all, and then press Enter.
6.
7.
8.
Results: After completing this exercise, you should have created a connectivity problem between LON-CL1 and LON-DC1.
2.
3.
4. In the Subnet mask box, type 255.255.0.0, and then click OK.
5.
2.
3. At the command prompt, type ping lon-dc1, and then press Enter.
4. At the command prompt, type ping 172.16.0.10, and then press Enter.
5. At the command prompt, type ipconfig /all, and then press Enter.
6. Point to the lower-right corner of the display, and then click Settings.
2.
3.
4.
5. In Network and Sharing Center, to the right of the Adatum.com Domain network, click Ethernet.
6.
7. In the Ethernet Properties window, click Internet Protocol Version 4 (TCP/IPv4), and then click
Properties.
8.
9. Delete the Alternate DNS Server setting IPv4 address, and then click OK.
Results: After completing this exercise, you should have resolved the connectivity problem between LON-CL1 and LON-DC1.
2. In the Virtual Machines list, right-click 20687D-LON-CL1, and then click Revert.
3.
4.
2. Click the Desktop tile, and then click the File Explorer icon on the taskbar.
3. Navigate to E:\Labfiles\Mod09.
4. In the Mod09 window, right-click, point to New, and then click Folder.
5.
2. On the menu bar, click Share, and then click Specific people.
3. In the File Sharing Wizard, click the drop-down list, select Everyone, and then click Add.
4. Verify that the Permission Level for Everyone is Read, and then click Share.
5.
2. In the Marketing Properties dialog box, click the Security tab, and then click Advanced.
3. In the Advanced Security Settings for Marketing dialog box, click Add.
4. In the Permission Entry for Marketing dialog box, click the Select a principal link.
5. In the Enter the object name to select field, type Marketing, and then click OK.
6.
7.
8. In the Advanced Security Settings for Marketing dialog box, click OK.
9.
2. Click the Desktop tile, and then on the taskbar, click File Explorer.
3.
4. In the Marketing window, right-click, point to New, and then click Text Document.
5.
6.
7. Open the Start screen, click Ed Meadows, and then click Sign out.
On the Start screen, click the Desktop tile, and then on the taskbar, click File Explorer.
2.
3. In the Marketing window, right-click, point to New, and then click Text Document.
4.
5.
Results: After completing this exercise, you should have created and shared a folder for the Marketing
department.
Switch to LON-CL1.
2.
3.
4.
5.
6.
7.
8.
9. In the Confirm Attribute Changes dialog box, ensure that the Apply changes to this folder,
subfolders and files option is selected, and then click OK.
Results: After completing this exercise, you will have compressed a folder.
When you finish the lab, leave the virtual machines running, as they are needed for the next lab.
1.
2. On the Start screen, type control, and then click Control Panel in the Apps search results.
3.
4.
5. In the Add Printer Wizard, click The printer that I want isn't listed.
6. On the Find a printer by other options page, select the Add a local printer or network printer
with manual settings option, and then click Next.
7. On the Choose a printer port page, select the drop-down list for Use an existing port, select nul:
(Local Port), and then click Next.
8. On the Install the printer driver page, in the Manufacturer list, select Microsoft.
9. In the Printers list, select Microsoft OpenXPS Class Driver, and then click Next.
10. On the Type a printer name page, in the Printer name field, type ManagersPrinter, and then click
Next.
11. Review the Printer Sharing page, and then click Next.
12. Review the You've successfully added ManagersPrinter page, and then click Finish.
2.
3.
4.
5.
6.
7. Click Add, in the Enter the object names to select field, type Managers, and then click OK.
8.
9.
On the Start screen, type control, and then click Control Panel in the Apps search results.
2.
3.
4. In the Add Printer Wizard, click The printer that I want isn't listed.
5. On the Find a printer by other options page, select the Select a shared printer by name option,
and then click Browse.
6.
7. Double-click ManagersPrinter.
8.
9. Review the You've successfully added ManagersPrinter on LON-CL1 page, and then click Next.
10. On the You've successfully added ManagersPrinter on LON-CL1 page, click Print a test page.
11. Review the ManagersPrinter on LON-CL1 dialog box, and then click Close.
12. On the You've successfully added ManagersPrinter on LON-CL1 page, click Finish.
13. Close Devices and Printers.
14. On LON-CL1, in the Print Management app, verify that the Jobs In Queue column displays 1 for
ManagersPrinter.
15. Right-click ManagersPrinter, and then select Resume Printing.
16. Close all open windows.
Results: After completing this exercise, you should have created, shared, and tested a printer.
2. In the Virtual Machines list, right-click 20687D-LON-CL2, and then click Revert.
3.
4.
2. On the Start screen, type Remote, and then click Remote Desktop Connection.
3.
4.
5.
Open the Start screen on LON-CL1, click Administrator, and then click Sign out.
2.
3.
4.
5. In the left pane, click Advanced settings, right-click Inbound Rules, and then click New Rule.
6. In the New Inbound Rule Wizard window, select Predefined, click the drop-down list, click Remote
Desktop, and then click Next.
7. On the Predefined Rules page, select all available rules, and then click Next.
8. On the Action page, select Block the connection, and then click Finish.
9.
Switch to LON-CL2.
2. From the Start screen, type Remote, and then click Remote Desktop Connection.
3.
4.
5.
Results: After completing this exercise, you should have created an inbound Windows Firewall rule.
Switch to LON-CL1.
2. On the Start screen, type Remote, and then click Remote Desktop Connection.
3.
4.
5.
Open the Start screen on LON-DC1, click Administrator, and then click Sign out.
1. On LON-CL1, on the taskbar, click the Windows Firewall with Advanced Security window, and then
click Outbound Rules.
2.
3. On the Rule Type page, verify that you are creating a Program rule, and then click Next.
4. On the Program page, browse and select C:\Windows\System32\mstsc.exe, click Open, and then
click Next.
5. On the Action page, verify that the action is Block the Connection, and then click Next.
6. On the Profile page, verify that all profiles are selected, and then click Next.
7. On the Name page, type Block Outbound RDP to LON-DC1 in the Name field, and then click
Finish.
8. In the Windows Firewall with Advanced Security window, click the Block Outbound RDP to
LON-DC1 rule, and then in the Actions pane click Properties.
9. Click the Scope tab, and then under the Remote IP address heading, select the These IP addresses
option.
10. Under the Remote IP address heading, click Add, in the This IP address or subnet field, type
172.16.0.10, and then click OK.
11. In the Block Outbound RDP to LON-DC1 Properties dialog box, click OK.
From the Start screen, type Remote, and then click Remote Desktop Connection.
2.
3.
4.
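Both firewall rules in this lab (the predefined Remote Desktop inbound block and the outbound program rule scoped to LON-DC1) can be created and, more usefully, read back for verification with the NetSecurity cmdlets. The following is an added example and not part of the lab; the rule name, the mstsc.exe path and the 172.16.0.10 address come from the steps above. The point a practitioner should take from the last lines is that a program rule matches the sending process, not the port: a TCP probe from PowerShell to 3389 still succeeds, so only Remote Desktop Connection itself demonstrates the block, which is exactly what the lab's test task does.

```powershell
# Added example (not part of the lab): the lab's inbound and outbound rules via
# the NetSecurity cmdlets, then read back for verification. Run elevated on LON-CL1.

# Inbound: the wizard's "Predefined > Remote Desktop" page lists the built-in
# Remote Desktop rule group. Setting that group's action to Block has the same
# effect on this host as the block rules the wizard would create.
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Action Block

# Outbound: block mstsc.exe, but only towards LON-DC1 (scope = remote address).
New-NetFirewallRule -DisplayName 'Block Outbound RDP to LON-DC1' `
    -Direction Outbound -Action Block -Profile Any -Enabled True `
    -Program 'C:\Windows\System32\mstsc.exe' `
    -RemoteAddress '172.16.0.10' | Out-Null

function Get-RuleSummary([string]$DisplayName) {
    # The program and address scopes live in separate filter objects, so read
    # them back explicitly rather than trusting the rule object alone.
    $rule = Get-NetFirewallRule -DisplayName $DisplayName
    [pscustomobject]@{
        Name      = $rule.DisplayName
        Enabled   = $rule.Enabled
        Direction = $rule.Direction
        Action    = $rule.Action
        Profile   = $rule.Profile
        Program   = ($rule | Get-NetFirewallApplicationFilter).Program
        RemoteIP  = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    }
}
Get-RuleSummary 'Block Outbound RDP to LON-DC1'

# Scope check: a program rule matches the process, not the port. This probe is
# sent by powershell.exe, so it still reaches LON-DC1 on 3389; the real test is
# mstsc.exe itself, as in the lab's Remote Desktop Connection step.
(Test-NetConnection -ComputerName '172.16.0.10' -Port 3389).TcpTestSucceeded

# Cleanup once the exercise is over (the rules otherwise stay in place):
# Remove-NetFirewallRule -DisplayName 'Block Outbound RDP to LON-DC1'
# Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Action Allow
```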
Results: After completing this exercise, you should have configured and tested an outbound firewall rule.
When you finish the lab, leave the virtual machines running, as they are needed for the next lab.
1. Switch to LON-CL1.
2. Open the Settings charm, and then on the Desktop menu, click Control Panel.
3.
4. In the left pane, click Advanced settings, and then click Connection Security Rules.
5.
6. On the Rule Type page, verify that Isolation is selected, and then click Next.
7. On the Requirements page, select Require authentication for inbound connections and request
authentication for outbound connections, and then click Next.
8. On the Authentication Method page, select Computer and user (Kerberos V5), and then click
Next.
9.
10. On the Name page, in the Name text box, type Authenticate all inbound connections, and then
click Finish.
11. Close the Windows Firewall with Advanced Security window.
Switch to LON-CL2.
2. Open a Command Prompt window, type ping LON-CL1, and then press Enter.
3. Verify that the ping generated four Request timed out messages.
4.
On LON-CL2, from the Start screen, type Power, right-click Windows PowerShell, and then click
Run as administrator.
2. In the Administrator: Windows PowerShell window, type the following, and then press Enter:
Note: The ComputerKerberos and UserKerberos switches used in the following cmdlet
are case sensitive. Please type the command as written, including case.
Note: The monitoring component for the newly created Connections Security Rule might
not be created in a timely fashion. To force the creation of the monitoring component, perform
the following steps:
1. Open the Settings charm, and then on the Desktop menu, click Control Panel.
2.
3.
4.
5.
6. In the Description field, type Requires inbound authentication, and then click OK.
1. In the Administrator: Windows PowerShell window, type ping LON-CL1, and then press Enter.
2. Verify that the ping generated four Reply from 172.16.0.50: bytes=32 time=xms TTL=128 messages
(your times might vary).
3. Open the Settings charm, click Control Panel, click System and Security, and then click Windows
Firewall.
4.
5. In the left pane, expand Monitoring, and then expand Security Associations.
6. Click Main Mode, and then examine the information in the center pane.
7. Click Quick Mode, and then examine the information in the center pane.
8.
9.
10. From the Start screen, type Power, right-click Windows PowerShell, and then click Run as
administrator.
11. To examine the Main Mode Security Associations (SAs), run the following cmdlet:
Get-NetIPsecMainModeSA
12. To examine the Quick Mode SAs, run the following cmdlet:
Get-NetIPsecQuickModeSA
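The isolation rule built in the wizard above (require authentication inbound, request it outbound, computer and user Kerberos) maps directly onto the NetSecurity IPsec cmdlets, and the two SA cmdlets at the end of the task are how you prove the traffic was actually protected. The following is an added example and not part of the lab, and it is not the cmdlet line the lab has you type on LON-CL2, which is not reproduced on this page. The rule and authentication-set display names are my own; everything else follows the wizard settings. The behaviour to understand is in the comments: a host with Require inbound silently drops unauthenticated packets, which is why LON-CL2's first ping times out until it has an equivalent rule.

```powershell
# Added example (not part of the lab): the wizard's isolation rule as NetSecurity
# cmdlets, plus the SA checks. Run elevated on each host that must negotiate.

# Authentication proposals: computer Kerberos for main mode (phase 1) and user
# Kerberos for quick mode (phase 2), matching "Computer and user (Kerberos V5)".
$machineKerb = New-NetIPsecAuthProposal -Machine -Kerberos
$userKerb    = New-NetIPsecAuthProposal -User -Kerberos
$phase1 = New-NetIPsecPhase1AuthSet -DisplayName 'Computer Kerberos auth' -Proposal $machineKerb
$phase2 = New-NetIPsecPhase2AuthSet -DisplayName 'User Kerberos auth'     -Proposal $userKerb

# Require authentication inbound, request it outbound. Until the peer has an
# equivalent rule its unauthenticated packets are dropped: that is the
# "Request timed out" result the lab expects from LON-CL2 first.
New-NetIPsecRule -DisplayName 'Authenticate all inbound connections' `
    -Description 'Requires inbound authentication' `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $phase1.Name -Phase2AuthSet $phase2.Name | Out-Null

Get-NetIPsecRule -DisplayName 'Authenticate all inbound connections' |
    Format-List DisplayName, Enabled, InboundSecurity, OutboundSecurity, Phase1AuthSet, Phase2AuthSet

# Generate traffic (on LON-CL2, once both sides have the rule), then inspect the
# negotiated SAs: one main mode SA per peer pair, quick mode SAs per traffic flow.
Test-Connection -ComputerName 'LON-CL1' -Count 4 -Quiet

Get-NetIPsecMainModeSA  | Format-Table LocalEndpoint, RemoteEndpoint, LocalFirstId, RemoteFirstId
Get-NetIPsecQuickModeSA | Format-Table LocalEndpoint, RemoteEndpoint, LocalPort, RemotePort, IpProtocol

# Successful traffic with no SAs means it was never protected (an exemption
# matched, or the rule is not active for the current profile). Treat that as a failure.
if (-not (Get-NetIPsecMainModeSA)) {
    Write-Warning 'No main mode SA present: the traffic was not IPsec-protected.'
}
```

The final check is the one worth automating: "the ping works" is not evidence that IPsec is in use, only the presence of SAs is.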
Results: After completing this exercise, you should have created and tested IPsec rules.
When you finish the lab, leave the virtual machines running, as they are needed for the next lab.
Switch to LON-CL1.
2. Open the Settings charm, and then on the Desktop menu, click Control Panel.
3. Click View by:, then select Large Icons, and then click Windows Defender.
4. On the Windows Defender Home tab, ensure that the Quick scan option is selected.
5.
6.
1.
2. In the Malware folder, open sample.txt in Notepad. The sample.txt file contains a text string to test
malware detection.
3. In the sample.txt file, delete both instances of <remove>, including the brackets and any extra lines
or blank spaces.
4. Save and close the file. Immediately, Windows Defender detects a potential threat.
5.
Open the Settings charm, and then on the Desktop menu, click Control Panel.
2.
3.
4.
5. Select the check box for Virus:DOS/EICAR_Test_File, and then click Remove.
6.
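The Defender steps above (confirm the scan setting, trigger a detection with the test file, then remove the item from History) can be verified without the GUI, which matters when you want to prove on many machines that real-time protection is on and signatures are current before trusting a detection test. The following is an added example and not part of the lab; it uses the Defender PowerShell module that ships with Windows 8.1, and the threat name Virus:DOS/EICAR_Test_File is the one the lab expects.

```powershell
# Added example (not part of the lab): Windows Defender state, scan and
# detection history from PowerShell. Run elevated on LON-CL1.
$status = Get-MpComputerStatus
[pscustomobject]@{
    RealTimeProtection = $status.RealTimeProtectionEnabled
    SignatureAgeDays   = $status.AntivirusSignatureAge       # stale signatures make the test meaningless
    SignatureVersion   = $status.AntivirusSignatureVersion
}

# Real-time protection should catch the test file the moment it is saved; the
# quick scan covers the case where real-time protection was off.
Start-MpScan -ScanType QuickScan

# Detection history: what was found, by which process, and whether the action succeeded.
Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object -First 5 InitialDetectionTime, ProcessName, Resources, ActionSuccess

# The equivalent of selecting the item under History and clicking Remove.
$eicar = Get-MpThreat | Where-Object ThreatName -eq 'Virus:DOS/EICAR_Test_File'
if ($eicar) {
    "Detected: $($eicar.ThreatName) (severity $($eicar.SeverityID))"
    Remove-MpThreat          # removes all active threats, not only the test file
} else {
    Write-Warning 'Test file not detected: check real-time protection and signature age above.'
}
```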
Results: After completing this exercise, you should have configured and used Windows Defender.
2. In the Virtual Machines list, right-click 20687D-LON-CL2, and then click Revert.
3.
4.
On LON-DC1, on the Start screen, type users, and then run Active Directory Users and Computers.
2. In Active Directory Users and Computers, on the View menu, select Advanced Features.
3. In Active Directory Users and Computers, in the navigation pane, click Marketing. In the details pane,
right-click Adam Barr, and then select Properties.
4. In the Adam Barr Properties dialog box, click the Account tab. Verify that User logon name is
Adam@Adatum.com, and then click Cancel.
5. In Active Directory Users and Computers, in the navigation pane, click RegisteredDevices, and then
verify that no object is listed in the details pane.
6.
7. In the Pkiview [Enterprise PKI] console, in the navigation pane, click AdatumCA (V0.0). In the
details pane, verify that AIA Location #2, CDP Location #2, and DeltaCRL Location #2 have a
location that is accessible over http protocol.
Note: CDP Location and Delta CRL Location have a short validity period and their status
could be shown as Expiring. You can ignore their value in the Status column.
8. Close pkiview.
9. On the Start screen, type dns, and then click DNS console.
10. In DNS Manager, in the navigation pane, expand LON-DC1, expand Forward Lookup Zones, and
then click Adatum.com. In the details pane, verify that there is an Enterpriseregistration CNAME
record that points to LON-SVR1.adatum.com.
11. Close DNS Manager.
12. On LON-SVR1, on the Start screen, type ad fs, and then run AD FS Management.
13. In AD FS Management, in the navigation pane, select Authentication Policies, right-click
Authentication Policies, and then select Edit Global Primary Authentication.
14. In the Edit Global Primary Authentication dialog box, on the Primary tab, verify that the Enable
device authentication check box is selected, and then click OK.
15. In AD FS Management, in the navigation pane, expand Service, and then click Certificates. In the
details pane, right-click CN-LON-SVR1.adatum.com under Service communications, and then
select View Certificate.
16. In the Certificate dialog box, click the Details tab. Select Subject Alternative Name,
and then verify that it has the values DNS Name=LON-SVR1.adatum.com and
DNS Name=Enterpriseregistration.adatum.com.
L9-58 Configuring Resource Access for Domain-Joined Devices and Devices That Are Not Domain Members
17. Select the CRL Distribution Points field, and then verify that one of the URLs is accessible over http
protocol.
18. Select the Authority Information Access field, and then verify that one of the URLs is accessible over
http protocol. Click OK.
19. Close AD FS Management.
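The prerequisite checks in this task (the enterpriseregistration CNAME, the SAN entries on the AD FS service-communications certificate, and HTTP-reachable CDP and AIA locations) are exactly the things that silently break Workplace Join for devices that are not domain members, because such a device cannot follow an LDAP CRL or AIA location. The following is an added example and not part of the lab; it performs the same checks from a script, pulling the certificate straight off the TLS endpoint rather than reading it in the AD FS console. Host names come from the lab; the helper function and regular expressions are my own. The certificate validation callback is deliberately permissive because the goal is to read the certificate, not to trust it.

```powershell
# Added example (not part of the lab): the Workplace Join prerequisite checks
# from the task above, scripted. Run from any machine that can reach LON-SVR1.
$FederationHost = 'LON-SVR1.adatum.com'
$DrsName        = 'enterpriseregistration.adatum.com'

# 1. DNS: the enterpriseregistration name must be a CNAME to the AD FS server.
$cname = Resolve-DnsName -Name $DrsName -Type CNAME -ErrorAction Stop
'CNAME {0} -> {1}' -f $cname.Name, $cname.NameHost

# 2. Fetch the service-communications certificate over TLS and inspect it.
$tcp = New-Object System.Net.Sockets.TcpClient($FederationHost, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })  # read only, trust nothing
$ssl.AuthenticateAsClient($FederationHost)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Close()

function Get-ExtensionText([System.Security.Cryptography.X509Certificates.X509Certificate2]$c, [string]$oid) {
    # Returns the formatted text of one extension, or '' when the certificate lacks it.
    $ext = $c.Extensions | Where-Object { $_.Oid.Value -eq $oid }
    if ($ext) { $ext.Format($true) } else { '' }
}
$san = Get-ExtensionText $cert '2.5.29.17'          # Subject Alternative Name
$cdp = Get-ExtensionText $cert '2.5.29.31'          # CRL Distribution Points
$aia = Get-ExtensionText $cert '1.3.6.1.5.5.7.1.1'  # Authority Information Access

$checks = [ordered]@{
    'SAN contains LON-SVR1.adatum.com'               = ($san -match [regex]::Escape($FederationHost))
    'SAN contains enterpriseregistration.adatum.com' = ($san -match [regex]::Escape($DrsName))
    'CDP has an http:// location'                    = ($cdp -match 'http://')
    'AIA has an http:// location'                    = ($aia -match 'http://')
}
$checks.GetEnumerator() | ForEach-Object { '{0,-5} {1}' -f $_.Value, $_.Key }

# 3. Reachability: every http:// CDP/AIA URL must answer. ldap:// locations are
#    ignored here because a non-domain device cannot use them anyway.
$urls = [regex]::Matches(($cdp + "`n" + $aia), 'http://[^\s,\)\]]+') |
    ForEach-Object { $_.Value } | Select-Object -Unique
foreach ($u in $urls) {
    try {
        $r = Invoke-WebRequest -Uri $u -UseBasicParsing -TimeoutSec 10
        '{0,-5} {1} ({2} bytes)' -f 'OK', $u, $r.RawContentLength
    } catch {
        '{0,-5} {1} ({2})' -f 'FAIL', $u, $_.Exception.Message
    }
}
```

Run it from LON-CL4 (the non-domain device) rather than from a domain member: that is the network position from which the CRL and AIA URLs actually need to be reachable.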
2. On LON-CL4, on the Start screen, type command, and then click Command Prompt.
3. At the command prompt, run nslookup enterpriseregistration.adatum.com. Verify that the name
is resolved to an IP address, and then close the Command Prompt window.
4. On LON-CL4, on the Start screen, type \\LON-DC1\certificate, and then press Enter.
5. In the Windows Security dialog box, in the User name field, type adatum\adam, in the Password
field, type Pa$$w0rd, and then click OK.
6. In certificate, in the details pane, right-click Root-CA, and then click Install Certificate.
7. In the Certificate Import Wizard, select Local Machine, and then click Next. Click Yes in the User
Account Control dialog box.
8. On the Certificate Store page, select Place all certificates in the following store, click Browse,
select Trusted Root Certification Authorities, click OK, and then click Next.
9. In the Certificate Import Wizard, on the Completing the Certificate Import Wizard page, click
Finish, and then click OK.
11. In Internet Explorer, in the address box, type https://LON-SVR2.adatum.com/claimapp, and then
press Enter to access the internal company web app.
12. In the Windows Security dialog box, in the User name field, type adatum\adam, and in the
Password field, type Pa$$w0rd, and then click OK. Confirm that the webpage opens and Adam's
claims are displayed.
13. Verify that no Claim Type starts with http://schemas.microsoft.com/2012/01/devicecontext.
14. Close Internet Explorer.
15. On the taskbar, click the Internet Explorer icon. In the Internet Explorer address box, type
https://LON-SVR2.adatum.com/claimapp, and then press Enter.
16. Verify that the Windows Security dialog box opens again. In the Windows Security dialog box, in
the User name field, type adatum\adam, and in the Password field, type Pa$$w0rd, and then click
OK. This confirms that you are asked for credentials each time you access the company web app from
a device that is not a domain member.
17. Close Internet Explorer.
18. On the Start screen, type settings, and then click PC settings.
19. On the PC settings bar, select Network.
20. On the Network bar, select Workplace. In Enter your user ID to get workplace access or turn on
device management field, type adam@adatum.com, and then click Join.
21. Under Connecting to Adatum, verify that adam@adatum.com is in the first textbox. Enter
Pa$$w0rd in the second textbox, and then click Sign in. Confirm that the device has joined your
workplace network and that the button label changed from Join to Leave.
22. Move the pointer to the upper-left edge of LON-CL4, and then click the desktop tile.
On LON-DC1, in Active Directory Users and Computers, in the navigation pane, right-click
RegisteredDevices, and then select Refresh. Confirm that one object of type msDS-Device is listed
in the details pane. This object represents the LON-CL4 computer that you enabled for Workplace
Join. Make note of the name of the msDS-Device object.
2.
3. In Internet Explorer, press the Alt key. On the Tools menu, select Internet options.
4. In the Internet Options dialog box, click the Content tab. In the Certificates section, click
Certificates.
5. In the Certificates dialog box, on the Personal tab, verify that one certificate is listed and that it has
a GUID in the Issued To field. This is the certificate that Device Registration Service provided to the
user when the device was enabled for Workplace Join. Verify that the GUID is the same as the name of
the msDS-Device object from Active Directory Users and Computers. Click Close, and then click OK
in the Internet Options dialog box.
6.
7. In the Windows Security dialog box, in the User name field, type adatum\adam, and in the
Password field, type Pa$$w0rd, verify that the Remember my credentials check box is not selected,
and then click OK. Confirm that the webpage opens and that Adam's claims are displayed.
8.
9.
10. Open Internet Explorer, and then access the same company app at https://LON-SVR2.adatum.com
/claimapp.
11. Verify that a webpage opens without asking you for credentials. You were not asked for credentials
because you accessed it from the device that was enabled for Workplace Join.
Results: After completing this exercise, you should have successfully implemented and tested the
Workplace Join feature.
On LON-DC1, on the taskbar, click the Windows PowerShell icon, and type the following cmdlet,
and then press Enter.
Install-WindowsFeature FS-SyncShareService
Note: After the feature is installed, you will get a warning because Windows automatic
updating is not enabled. You can ignore the warning.
2. Minimize the Windows PowerShell window, and then click the Server Manager icon on the taskbar.
3. In Server Manager, in the navigation pane, click File and Storage Services, click Work Folders, click
TASKS in the WORK FOLDERS section, and then select New Sync Share.
4. In the New Sync Share Wizard, on the Before you begin page, click Next.
5. On the Select the server and path page, in the Enter a local path field, type C:\syncshare1, click
Next, and then click OK.
Note: If LON-DC1 is not listed in the Servers section, click Cancel. In Server Manager, click
Refresh, then repeat this task from step 3 on.
6. On the Specify the structure for user folders page, verify that User alias is selected, and then click
Next.
7. On the Enter the sync share name page, click Next to accept the default sync share name.
8. On the Grant sync access to groups page, click Add, and in the Enter the object name to select
field, type Marketing, click OK, and then click Next.
9. On the Specify device policies page, verify the two available options. Clear the Automatically lock
screen, and require a password policy, and then click Next.
12. In Server Manager, verify that syncshare1 is listed in the WORK FOLDERS section and that user Adam
Barr is listed in the USERS section.
On LON-DC1, on the Start screen, type iis, and then run Internet Information Services (IIS) Manager.
2. In Internet Information Services (IIS) Manager, in the navigation pane, expand LON-DC1
(ADATUM\Administrator).
3. Expand Sites, right-click Default Web Site, and then select Edit Bindings.
4.
5. In Add Site Binding, select https as Type. In the SSL certificate box, select LON-DC1.adatum.com,
click OK, click Yes and then click Close.
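The two server-side tasks above (install the Work Folders role service and create the sync share, then add an HTTPS binding with the LON-DC1.adatum.com certificate) can be done as one script with the checks Server Manager shows built in. The following is an added example and not part of the lab; share name, path, the Marketing group, the device-policy choices and the certificate subject follow the steps above, and the module names are the ones the role service and IIS install. The HTTPS binding is a requirement rather than a tuning step: Work Folders clients only talk to the server over HTTPS, so the sync share is unreachable until the binding exists.

```powershell
# Added example (not part of the lab): Work Folders server setup as a script,
# with verification. Run elevated on LON-DC1.
Import-Module ServerManager
Import-Module WebAdministration

# Role service (the lab notes an automatic-update warning after install; ignore it).
$result = Install-WindowsFeature -Name FS-SyncShareService
"Install: Success=$($result.Success) RestartNeeded=$($result.RestartNeeded)"

# Sync share: default user-alias folder layout, Marketing granted, encryption on
# the device required, automatic screen lock not required (as cleared in the wizard).
if (-not (Get-SyncShare -Name 'syncshare1' -ErrorAction SilentlyContinue)) {
    New-SyncShare -Name 'syncshare1' -Path 'C:\syncshare1' -User 'Adatum\Marketing' `
        -RequireEncryption $true -RequirePasswordAutoLock $false | Out-Null
}
Get-SyncShare -Name 'syncshare1' |
    Format-List Name, Path, User, RequireEncryption, RequirePasswordAutoLock

# HTTPS binding on the Default Web Site with the LON-DC1.adatum.com certificate.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=LON-DC1.adatum.com*' } |
    Select-Object -First 1
if (-not $cert) { throw 'No certificate for LON-DC1.adatum.com in the machine store.' }

if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
}
# Attach the certificate to the 0.0.0.0:443 binding (replace any existing one).
Remove-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -ErrorAction SilentlyContinue
New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -Value $cert | Out-Null
Get-WebBinding -Name 'Default Web Site' | Format-Table protocol, bindingInformation

# Per-user view, the equivalent of the USERS list in Server Manager once Adam has synced.
Get-SyncUserStatus -User 'Adatum\adam' -SyncShare 'syncshare1' -ErrorAction SilentlyContinue
```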
6.
1. On LON-DC1, in Server Manager, click the Tools menu, and then select Group Policy Management.
2. In the Group Policy Management console, in the navigation pane, expand Forest: Adatum.com,
expand Domains, expand Adatum.com, and then select Marketing.
3. Right-click Marketing, and then select Create a GPO in this domain, and Link it here. In the Name
field, type Deploy Work Folders, and then click OK.
4.
5. In the Group Policy Management Editor, under User Configuration, in the navigation pane, expand
Policies, Administrative Templates, Windows Components, and then click the Work Folders
node.
6. In the details pane, right-click Specify Work Folder settings, and then select Edit.
7. In the Specify Work Folder settings dialog box, select Enabled. In the Work Folders URL field, type
https://lon-dc1.adatum.com, select the Force automatic setup check box, click OK, and then close
the Group Policy Management Editor.
8. On LON-CL1, sign out, and then sign in as adatum\adam with the password Pa$$w0rd.
9.
11. In This PC, in the navigation pane, click Work Folders. Right-click in the details pane, select New,
select Text Document, and then name the file On LON-CL1.
On LON-CL4, on the taskbar, right-click the Start icon, and then click Control Panel.
2. In Control Panel, in the Search Control Panel field, type work, and then click Work Folders.
3. On the Manage Work Folders page, click Set up Work Folders, and then on the Enter your work
email address page, click Enter a Work Folders URL instead.
4. On the Enter a Work Folders URL page, in the Work Folders URL box, type
https://lon-dc1.adatum.com, and then click Next.
5. In the Windows Security dialog box, in the User name field, type adatum\adam, and in the
Password field, type Pa$$w0rd, and then click OK.
6. On the Introducing Work Folders page, review the local Work Folders location, and then click Next.
7. On the Security policies page, select the I accept these policies on my PC check box, and then
click Set up Work Folders.
8. On the Work Folders has started syncing with this PC page, click Close.
9. On the Work Folders page, verify that the On LON-CL1.txt file is displayed.
On LON-CL4, in Work Folders, right-click in the details pane, select New, select Text Document,
and then name the file On LON-CL4.
2. On LON-CL1, in Work Folders, verify that only the On LON-CL1 file is displayed.
Note: Work Folders synchronizes every 10 minutes automatically. You also have an option to trigger
synchronization manually.
3. In File Explorer, in the navigation pane, right-click Work Folders, and then click Sync Now. Press F5
to refresh the view, and then verify that both files, On LON-CL1.txt and On LON-CL4.txt, are displayed
in the details pane.
4. On the taskbar, right-click the Start button, and then select Control Panel.
5. In Control Panel, in the Search Control Panel field, type network, and then click View network
connections. Right-click Ethernet, and then select Disable. In the User Account Control dialog box,
type Administrator as User name, Pa$$w0rd as Password, and then click Yes.
6. On LON-CL1, in Work Folders, double-click the On LON-CL1.txt file. The file opens in Notepad.
7. In Notepad, type Modified offline, close Notepad, and then click Save.
8. In Work Folders, right-click in the details pane, select New, select Text Document, and then name
the file Offline LON-CL1.
9. On LON-CL4, in Work Folders, double-click the On LON-CL1.txt file. The file opens in Notepad.
10. In Notepad, type Online modification, close Notepad, and then click Save.
11. On LON-CL1, in Network Connections, right-click Ethernet, and then select Enable. In the User
Account Control dialog box, type Administrator as User name, Pa$$w0rd as Password, and then
click Yes.
12. Switch to Work Folders. Verify that four files are displayed in the details pane, including
On LON-CL1 and On LON-CL1-LON-CL1. Because the file was modified at two locations, a conflict
occurred, and one of the copies was renamed.
Results: After completing this exercise, you should have successfully configured the Work Folders feature.
2. In the Virtual Machines list, right-click 20687D-LON-DC1, and then click Revert.
3.
4.
2. On the Start screen, type group, click Settings, and then click Edit group policy.
3. In the Local Group Policy Editor, under User Configuration, expand Administrative Templates,
click System, and then double-click Prevent access to registry editing tools.
4. In the Prevent access to registry editing tools window, click Enabled, and then click OK.
5. Close the Local Group Policy Editor, and then restart LON-CL1.
6.
7.
8.
Task 2: Edit the local GPO to allow administrators to use registry editing tools
1.
2. In the Microsoft Management Console, click File, and then click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins window, in the Available snap-ins box, click Group Policy Object
Editor, and then click Add.
4.
5. In the Browse for a Group Policy Object dialog box, click the Users tab, click Administrators, and
then click OK.
6.
7.
8. In the Microsoft Management Console, expand Local Computer\Administrators Policy, expand
User Configuration, expand Administrative Templates, click System, and then double-click
Prevent access to registry editing tools.
9. In the Prevent access to registry editing tools window, click Disabled, and then click OK.
10. Close the Microsoft Management Console, and then click No to not save the settings.
11. On the Start screen, type regedit, click regedit.exe, and then verify that the administrator can start
Regedit.exe.
12. Close the Registry Editor.
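The exercise relies on multiple local GPO precedence: the Administrators layer applied in Task 2 overrides the computer-wide Local Computer policy from Task 1 for members of that group, so administrators can run Regedit while everyone else remains blocked. The following is an added example and not part of the lab; it shows where those layers live on disk and how to confirm the effective setting for the signed-in user without opening Regedit. It assumes, as is the case for this policy template, that "Prevent access to registry editing tools" writes the DisableRegistryTools value under the current user's Policies\System key; the SID-to-group mapping for the per-group policy folders is standard.

```powershell
# Added example (not part of the lab): verify the effective MLGPO result for the
# current user and show where the policy layers are stored. Run as the user under test.

function Get-RegistryToolsPolicy {
    # Assumption: the policy writes DisableRegistryTools here (1 = blocked,
    # 2 = blocked including regedit /s); missing or 0 = allowed.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $val = (Get-ItemProperty -Path $key -Name DisableRegistryTools -ErrorAction SilentlyContinue).DisableRegistryTools
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    [pscustomobject]@{
        User                 = $identity.Name
        IsAdministrator      = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        DisableRegistryTools = $val
        RegeditBlocked       = ($null -ne $val -and $val -ge 1)
    }
}

# Layers: the Local Computer policy lives in %windir%\System32\GroupPolicy; the
# Administrators / Non-Administrators (and per-user) layers live in
# GroupPolicyUsers\<SID>. S-1-5-32-544 is Administrators, S-1-5-32-545 is Users.
# A group or user layer wins over the computer-wide local policy, which is why
# members of Administrators end up with the setting Disabled.
Get-ChildItem "$env:windir\System32\GroupPolicyUsers" -ErrorAction SilentlyContinue |
    ForEach-Object {
        $name = try {
            (New-Object Security.Principal.SecurityIdentifier $_.Name).Translate([Security.Principal.NTAccount]).Value
        } catch { '(unresolved SID)' }
        [pscustomobject]@{ Sid = $_.Name; Principal = $name; Path = $_.FullName }
    }

Get-RegistryToolsPolicy

# Resultant set of policy for the current user, for comparison with the value above.
gpresult /scope user /r
```

Run it once as a standard user and once as a member of Administrators after the second task: RegeditBlocked should be True for the first and False for the second, matching what the lab has you verify by launching Regedit.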
Results: After completing this exercise, you should have created and configured multiple local Group
Policy Objects (MLGPOs).
When you are finished with the lab, leave the virtual machines running, as they are needed for the
next lab.
1.
2.
3. In the Local Group Policy Editor, expand Computer Configuration, expand Administrative
Templates, expand Windows Components, and then expand BitLocker Drive Encryption.
4. Click Operating System Drives, and then double-click Require additional authentication at
startup.
5. In the Require additional authentication at startup dialog box, click Enabled, and then click OK.
6.
7.
8.
At the command prompt, type gpupdate /force, and then press Enter.
9.
2.
In the navigation pane, click This PC, right-click Allfiles (E:), and then click Turn on BitLocker.
3.
In the BitLocker Drive Encryption (E:) dialog box, click Use a password to unlock the drive. This is
necessary because the virtual machine does not support USB flash drives.
4.
On the Choose how you want to unlock this drive page, in the Enter your password and Reenter
your password boxes, type Pa$$w0rd, and then click Next.
5.
On the How do you want to back up your recovery key? page, click Save to a file.
6.
In the Save BitLocker recovery key as dialog box, click Local Disk (C:).
7.
On the File Explorer toolbar, click New folder, type BitLocker, and then press Enter
8.
In the Save BitLocker recovery key as dialog box, click Open, click Save, click Yes, and then click
Next.
9.
On the BitLocker Drive Encryption (E:) page, click Start encrypting, and then click Close.
Note: The drive will be encrypted as a background process; you do not need to wait for the
process to complete to continue the lab.
10. Restart LON-CL1.
2.
3.
4.
5.
Right-click Allfiles (E:), click Open, verify that the drive is encrypted, and then click OK.
6.
7.
Enter password Pa$$w0rd, press Enter to unlock the drive, and then verify access to the drive
contents.
8.
Results: After completing this exercise, you should have encrypted the hard drive.
When you are finished with the lab, leave the virtual machines running, as they are needed for the next lab.
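The same protection for the Allfiles (E:) data volume done with the BitLocker cmdlets, as an added example that is not part of the lab steps; it assumes the BitLocker PowerShell module on LON-CL1, the lab's E: volume and C:\BitLocker folder, and an elevated session.

```powershell
# Added example, not from the lab steps. Assumes Windows 8.1 with the BitLocker module,
# the lab's Allfiles (E:) volume and a C:\BitLocker folder for the recovery key file.
#Requires -RunAsAdministrator
Import-Module BitLocker

$MountPoint = 'E:'
$KeyFolder  = 'C:\BitLocker'

# Read the unlock password interactively; typing it on the command line would leave it
# in the PowerShell history file. (The lab uses Pa$$w0rd.)
$Password = Read-Host -Prompt "Unlock password for $MountPoint" -AsSecureString

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    # "Use a password to unlock the drive" in the wizard.
    Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $Password | Out-Null
    # "Save to a file" on the recovery-key page: add a 48-digit recovery password as a
    # second protector so the data survives a forgotten password.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
}

# Write the recovery password to the key folder, as the wizard does, and restrict the
# file to Administrators and SYSTEM (the wizard leaves the folder's default ACL in place).
$recovery = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } | Select-Object -First 1
New-Item -ItemType Directory -Path $KeyFolder -Force | Out-Null
$keyFile = Join-Path $KeyFolder ("BitLocker Recovery Key {0}.txt" -f $recovery.KeyProtectorId.Trim('{}'))
@"
BitLocker Drive Encryption recovery key
Identifier: $($recovery.KeyProtectorId)
Recovery Key: $($recovery.RecoveryPassword)
"@ | Set-Content -Path $keyFile
icacls $keyFile /inheritance:r /grant:r 'Administrators:F' 'SYSTEM:F' | Out-Null

# Status check: the lab continues while encryption runs in the background, so
# VolumeStatus reads EncryptionInProgress for a while.
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus,
        @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ', ' } }
```

A key file kept on the same computer, as the lab does for convenience, only helps once it is copied off the machine; Backup-BitLockerKeyProtector escrows the recovery password in AD DS instead.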
2.
3. In the Local Group Policy Editor, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.
4. In the results pane, double-click User Account Control: Behavior of the elevation prompt for standard users.
5. In the User Account Control: Behavior of the elevation prompt for standard users dialog box, click Prompt for credentials on the secure desktop, and then click OK.
1. In the results pane, double-click User Account Control: Only elevate executables that are signed and validated.
2. In the User Account Control: Only elevate executables that are signed and validated dialog box, click Enabled, and then click OK.
3. In the results pane, double-click User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode.
4. In the User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode dialog box, click Prompt for consent on the secure desktop, and then click OK.
5. Close the Local Group Policy Editor, and then sign out.
2.
3. Open the Administrative menu by pressing the Windows logo key+X, and then click Command Prompt (Admin). The Windows operating system displays the User Account Control prompt.
4. In the User name field, type Administrator, in the Password field, type Pa$$w0rd, and then click Yes.
5.
6. Sign out.
7.
8. Open the Administrative menu by pressing the Windows logo key+X, and then click Control Panel.
9.
10. In System and Security, click Change User Account Control settings.
11. Verify that the slider is configured for Always notify.
Results: After completing this exercise, you should have reconfigured UAC notification behavior and prompts.
2. In the Virtual Machines list, right-click 20687D-LON-CL1, and then click Revert.
3.
4.
2.
3.
4. Right-click the bar to the left of the home symbol, and then click Menu bar.
5. On the Menu bar, click Tools, and then click Compatibility View settings.
6. Verify that Internet Explorer uses Microsoft compatibility lists, and then click Close.
2.
3. In the Delete Browsing History dialog box, select the Preserve Favorites website data and History check boxes. Clear all other options, click Delete, and then click OK.
4.
5.
6.
7. Click the Down Arrow next to the Address bar to confirm that the address you typed is stored.
8.
9.
10. In the Delete Browsing History dialog box, clear the Preserve Favorites website data check box, select the Temporary Internet files and website files, Cookies and website data, and History check boxes, and then click Delete.
11. Click OK to close the Internet Options dialog box.
12. Confirm that there are no addresses stored in the Address bar by clicking on the Down Arrow next to the Address bar.
2.
3. Confirm that the address that you typed is not stored by clicking the Down Arrow next to the Address bar.
4.
5.
1.
2.
3.
4. On the Security tab, click Local intranet, under Security level for this zone, move the slider to High, and then click OK.
5.
6.
7.
8. On the Security tab, click Trusted sites, and then click Sites.
9. In the Trusted sites dialog box, clear the Require server verification (https:) for all sites in this zone check box, click Add, and then click Close.
2.
3.
4.
5.
6. Click Close.
1. In the Address bar, type http://LON-DC1, and then press Enter.
2.
3.
4.
5.
6.
7.
8.
Results: After completing this exercise, you should have successfully configured security and compatibility settings in Internet Explorer.
When you have finished the lab, leave the virtual machines running, as they are needed for the next lab.
1.
2.
3. In the Local Group Policy Editor, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Application Control Policies, and then double-click AppLocker.
4.
5.
6.
7. In the Select User or Group dialog box, in the Enter the object names to select (examples) box, type IT, click Check Names, click OK, and then click Next.
8.
9. Click Browse Files, in the File name box, type C:\Program Files\Windows Media Player\wmplayer.exe, and then click Open.
1. In the Local Group Policy Editor, right-click AppLocker, and then click Properties.
2. On the Enforcement tab, under Executable rules, select the Configured check box, click Enforce rules, and then click OK.
3.
4. Select Windows PowerShell from the Administrative menu by pressing the Windows logo key+X.
5. At the Windows PowerShell command prompt, type gpupdate /force, and then press Enter. Wait for the policy to update.
6.
Results: After completing this exercise, you should have created the required AppLocker rule.
2. Select Computer Management from the Administrative menu by pressing the Windows logo key+X. Expand Event Viewer, expand Windows Logs, and then click System.
3. In the results pane, locate and click the latest event with Event ID 1502.
4.
5.
6.
7.
1.
2. Type Media Player at the Start screen, and then click Windows Media Player.
3.
4. Select Event Viewer from the Administrative menu by pressing the Windows logo key+X.
5. In Event Viewer, expand Application and Services Logs, expand Microsoft, expand Windows, expand AppLocker, and then click EXE and DLL.
6. Review the entries in the results pane. Locate Event ID 8004. This shows that Holly attempted to run a prohibited application.
7.
8. Sign out.
Results: After completing this exercise, you should have verified the function of your executable AppLocker rule.
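The Event ID 8004 check from the last task as a script, an added example that is not part of the lab: it summarises AppLocker block events per user and file, flags blocks that fall outside this lab's single wmplayer.exe rule, and reads back the effective enforcement mode. It assumes the AppLocker event schema's UserData/RuleAndFileData element names and the AppLocker module on LON-CL1.

```powershell
# Added example, not from the lab steps: summarise AppLocker enforcement events on LON-CL1.
# Event 8004 = executable blocked, 8003 = would have been blocked (audit-only mode).
# The log name and event IDs are the ones the lab directs you to in Event Viewer.
#Requires -RunAsAdministrator
$LogName      = 'Microsoft-Windows-AppLocker/EXE and DLL'
$Since        = (Get-Date).AddHours(-24)
$ExpectedDeny = 'WMPLAYER\.EXE$'   # the only path this lab's rule should ever block

$events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 8003, 8004; StartTime = $Since } `
    -ErrorAction SilentlyContinue   # Get-WinEvent raises a non-terminating error when nothing matches

$rows = foreach ($e in $events) {
    # Payload lives under UserData/RuleAndFileData (element names assumed from the AppLocker
    # event schema); FilePath is the %PROGRAMFILES%-style path of the file that was stopped.
    $data = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
    $user = "$($e.UserId)"
    if ($e.UserId) {
        try { $user = $e.UserId.Translate([System.Security.Principal.NTAccount]).Value } catch { }
    }
    $outcome = if ($e.Id -eq 8004) { 'Blocked' } else { 'AuditOnly' }
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Outcome  = $outcome
        User     = $user
        FilePath = $data.FilePath
        Rule     = $data.RuleName
    }
}

# Per-user, per-file counts: the lab expects Holly's wmplayer.exe attempt to appear here.
$rows | Group-Object User, FilePath | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'User'; e = { $_.Values[0] } }, @{ n = 'FilePath'; e = { $_.Values[1] } } |
    Format-Table -AutoSize

# Blocks outside the expected path usually mean an over-broad rule rather than a policy
# violation; find them before widening enforcement to more users or rule collections.
$unexpected = @($rows | Where-Object { $_.Outcome -eq 'Blocked' -and $_.FilePath -notmatch $ExpectedDeny })
if ($unexpected.Count -gt 0) {
    Write-Warning ("{0} block(s) outside the expected rule: {1}" -f $unexpected.Count,
        (($unexpected.FilePath | Sort-Object -Unique) -join '; '))
}

# Confirm what the client actually enforces after gpupdate /force (the effective policy).
[xml]$policy = Get-AppLockerPolicy -Effective -Xml
$exe = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
'Exe rule collection: EnforcementMode={0}, rules={1}' -f $exe.EnforcementMode, @($exe.ChildNodes).Count
```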
2. In the Virtual Machines list, right-click 20687D-LON-CL1, and then click Revert.
3.
4.
2. In the lower-left corner, right-click the Windows icon, and then click Control Panel.
3.
4.
5.
6. Expand User Defined, right-click User Defined, point to New, and then click Data Collector Set.
7. In the Create new Data Collector Set Wizard, on the How would you like to create this new data collector set? page, in the Name box, type Adatum Baseline.
8.
9. On the What type of data do you want to include? page, select the Performance counter check box, and then click Next.
10. On the Which performance counters would you like to log? page, in the Sample interval box, type 1, and then click Add.
11. In the Available counters list, expand Memory, select Pages/sec, and then click Add.
12. In the Available counters list, expand Network Interface, select Packets/sec, and then click Add.
13. In the Available counters list, expand PhysicalDisk, select % Disk Time, and then click Add.
14. Under PhysicalDisk, select Avg. Disk Queue Length, and then click Add.
15. In the Available counters list, expand Processor, select % Processor Time, and then click Add.
16. In the Available counters list, expand System, select Processor Queue Length, click Add, and then click OK.
17. On the Which performance counters would you like to log? page, click Next.
18. On the Where would you like the data to be saved? page, click Next.
19. On the Create the data collector set? page, click Finish.
20. In Performance Monitor, in the navigation pane, right-click Adatum Baseline, and then click Start.
21. Pause the pointer over the lower-right corner of the desktop, and then click Start.
22. On the Start screen, click the Down Arrow, and then in Apps, click Word 2013.
23. In the User Name dialog box, click OK.
24. In Microsoft Word 2013, if prompted to Help Protect and Improve Microsoft Office, click Don't make changes, and then click OK.
25. Pause the pointer over the lower-right corner of the desktop, and then click Start.
26. On the Start screen, click the Down Arrow, and then in Apps, click Excel 2013.
27. Pause the pointer over the lower-right corner of the desktop, and then click Start.
28. On the Start screen, click the Down Arrow, and then in Apps, click PowerPoint 2013.
29. Close all open Microsoft Office apps, and then switch to Performance Monitor.
30. In the navigation pane, right-click Adatum Baseline, and then click Stop.
1. In Performance Monitor, in the navigation pane, expand Reports, expand User Defined, expand Adatum Baseline, and then click the report that has a name that begins with LON-CL1.
2. View the chart. On the menu bar, click the drop-down arrow, and then click Report.
3.
Memory\Pages/sec
Network Interface\Packets/sec
Results: After completing this exercise, you should have created a performance baseline.
1. On LON-CL1, in Performance Monitor, in the navigation pane, right-click Adatum Baseline, and then click Start.
2. From the Start screen, type cmd, and then click Command Prompt.
3. In the Administrator: Command Prompt window, type E:\Labfiles\Mod12\Load.cmd, and then press Enter.
Results: After completing this exercise, you should have generated additional load on the computer.
2.
3.
Answer: Answers will vary depending on the usage scenario and host configuration, although the central processing unit (CPU) and network likely are being used heavily.
4. After a few minutes, click OK at the prompt, and then close the instance of C:\Windows\System32\Cmd.exe that the script launched, if necessary.
5.
6. In the navigation pane, right-click Adatum Baseline, and then click Stop.
7. In Performance Monitor, in the navigation pane, expand Reports, expand User Defined, expand Adatum Baseline, and then click the second report that has a name that begins with LON-CL1.
8. View the chart. On the menu bar, click the drop-down arrow, and then click Report.
9.
Memory\Pages/sec
Network Interface\Packets/sec
Answer: The script is affecting the CPU and network. However, no resources are approaching limits.
11. Close all open windows and programs, and then go back to the Start screen.
Results: After completing this exercise, you should have identified the computer's performance bottleneck.
When you have finished the lab, leave the virtual machines running, as they are needed for the next lab.
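The baseline-versus-load comparison from the three exercises above as a script, an added example that is not part of the lab: it samples the same six counters the Adatum Baseline collector set logs, once idle and once while Load.cmd runs, and reports the change per counter. The per-counter limits are assumed rules of thumb, not values from the lab.

```powershell
# Added example, not from the lab steps: sample the six counters that the Adatum Baseline
# data collector set logs, once idle and once while Load.cmd runs, and compare the averages.
# Equivalent persistent collector set with logman (same counters, 1-second interval):
#   logman create counter "Adatum Baseline" -c "\Memory\Pages/sec" ... -si 00:00:01
$Counters = @(
    '\Memory\Pages/sec',
    '\Network Interface(*)\Packets/sec',
    '\PhysicalDisk(_Total)\% Disk Time',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\Processor(_Total)\% Processor Time',
    '\System\Processor Queue Length'
)

function Get-CounterAverage {
    # One sample per second for $Seconds seconds, like the wizard's Sample interval of 1.
    param([string[]]$Counter, [int]$Seconds = 30)
    $samples = Get-Counter -Counter $Counter -SampleInterval 1 -MaxSamples $Seconds
    $samples.CounterSamples |
        Group-Object { $_.Path -replace '^\\\\[^\\]+', '' } |   # drop the \\LON-CL1 prefix
        ForEach-Object {
            [pscustomobject]@{
                Counter = $_.Name
                Average = [math]::Round(($_.Group | Measure-Object -Property CookedValue -Average).Average, 2)
            }
        }
}

function Test-CounterLimit {
    # Rule-of-thumb limits (assumed, not from the lab); the processor queue scales with cores.
    param([string]$Counter, [double]$Value, [int]$Cores)
    switch -Wildcard ($Counter) {
        '*\% Processor Time'       { return $Value -gt 85 }
        '*\Processor Queue Length' { return $Value -gt (2 * $Cores) }
        '*\Avg. Disk Queue Length' { return $Value -gt 2 }
        '*\% Disk Time'            { return $Value -gt 90 }
        default                    { return $false }   # Pages/sec, Packets/sec: judge against baseline
    }
}

$baseline = Get-CounterAverage -Counter $Counters
Read-Host 'Baseline captured. Start E:\Labfiles\Mod12\Load.cmd, then press Enter' | Out-Null
$load  = Get-CounterAverage -Counter $Counters
$cores = (Get-CimInstance -ClassName Win32_ComputerSystem).NumberOfLogicalProcessors

$report = foreach ($b in $baseline) {
    $l = $load | Where-Object { $_.Counter -eq $b.Counter }
    # Change relative to baseline answers the lab's "which resource is the script affecting" question.
    $ratio = if ($b.Average -gt 0) { [math]::Round($l.Average / $b.Average, 1) } else { $null }
    [pscustomobject]@{
        Counter   = $b.Counter
        Baseline  = $b.Average
        UnderLoad = $l.Average
        Ratio     = $ratio
        NearLimit = Test-CounterLimit -Counter $b.Counter -Value $l.Average -Cores $cores
    }
}
$report | Sort-Object Ratio -Descending | Format-Table -AutoSize
```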
2. Pause the pointer in the lower-right corner of the display, and then click Settings.
3.
4.
5. Click Never check for updates (not recommended), and then click OK.
1.
2. Pause the pointer over the lower-right corner of the desktop display, and then click Start.
3. On the Start screen, click Administrative Tools, and then double-click Group Policy Management.
4. If necessary, expand Forest: Adatum.com, expand Domains, and then expand Adatum.com.
5.
6.
7.
8.
9. In the Configure automatic updating box, click 4 - Auto download and schedule the install, and then click OK.
Task 3: Verify that the Automatic Updates setting from the Group Policy Object is being applied
1. Switch to LON-CL1.
2. Pause the pointer in the lower-right corner of the display, and then click Start.
3. On the Start screen, type Command, and then click Command Prompt.
4. At the command prompt, type gpupdate /force, and then press Enter.
5.
6.
7.
Results: After completing this exercise, you should have configured Windows Update settings by using Group Policy Objects.
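A read-back of what the registry-editing-tools, UAC and Windows Update policies configured in the labs above actually wrote, as an added example that is not part of the lab steps. The value names are the documented policy-to-registry mappings; the expected numbers are what the lab steps set, and the IsInRole check that distinguishes the Administrators MLGPO from the standard-user setting is an assumption of this script.

```powershell
# Added example, not from the lab steps: read the registry values that the policies set in the
# registry-tools, UAC and Windows Update labs write, and report drift from the intended state.
# HKCU entries reflect the signed-in user, so run it as the user whose MLGPO you want to check,
# and elevated for the HKLM keys.
#Requires -RunAsAdministrator
$System = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$AU     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Task 2's Administrators MLGPO sets "Prevent access to registry editing tools" back to
# Disabled (0) for admins; every other user should read Enabled (1).
$IsAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

$Checks = @(
    @{ Name = 'Registry editing tools blocked (current user)'
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Value = 'DisableRegistryTools'; Expected = [int](-not $IsAdmin) }
    # UAC: elevation prompt for standard users = Prompt for credentials on the secure desktop.
    @{ Name = 'UAC standard-user prompt'; Path = $System; Value = 'ConsentPromptBehaviorUser'; Expected = 1 }
    # UAC: only elevate executables that are signed and validated = Enabled.
    @{ Name = 'UAC signed executables only'; Path = $System; Value = 'ValidateAdminCodeSignatures'; Expected = 1 }
    # UAC: prompt for administrators in Admin Approval Mode = Prompt for consent on the secure desktop.
    @{ Name = 'UAC administrator prompt'; Path = $System; Value = 'ConsentPromptBehaviorAdmin'; Expected = 2 }
    # The two values behind the "Always notify" slider position the lab verifies.
    @{ Name = 'UAC enabled'; Path = $System; Value = 'EnableLUA'; Expected = 1 }
    @{ Name = 'UAC prompts on the secure desktop'; Path = $System; Value = 'PromptOnSecureDesktop'; Expected = 1 }
    # Configure Automatic Updates = 4 - Auto download and schedule the install (domain GPO).
    @{ Name = 'Automatic Updates enabled by policy'; Path = $AU; Value = 'NoAutoUpdate'; Expected = 0 }
    @{ Name = 'Automatic Updates option'; Path = $AU; Value = 'AUOptions'; Expected = 4 }
)

function Test-PolicyValue {
    param([hashtable]$Check)
    # Missing key or value both yield $null, which is reported as "(not set)".
    $actual = (Get-ItemProperty -Path $Check.Path -Name $Check.Value -ErrorAction SilentlyContinue).($Check.Value)
    $shown  = if ($null -eq $actual) { '(not set)' } else { $actual }
    [pscustomobject]@{
        Setting   = $Check.Name
        Value     = $Check.Value
        Expected  = $Check.Expected
        Actual    = $shown
        Compliant = ($null -ne $actual -and [int]$actual -eq $Check.Expected)
    }
}

$results = foreach ($c in $Checks) { Test-PolicyValue -Check $c }
$results | Format-Table Setting, Value, Expected, Actual, Compliant -AutoSize

# "(not set)" after gpupdate /force usually means the GPO did not apply (compare with
# gpresult /r); a different number means another policy or a local edit won.
$drift = @($results | Where-Object { -not $_.Compliant })
if ($drift.Count -gt 0) { Write-Warning "$($drift.Count) setting(s) differ from the lab's intended state." }
```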
2. In the Virtual Machines list, right-click 20687D-LON-CL1, and then click Revert.
3.
4.
2.
3.
4.
5.
6.
7. In the Plan name box, type Adam's power-saving plan, and then click Next.
8. On the Change settings for the plan: Adam's power-saving plan page, click Create.
1. On the Power Options page, next to Adam's power-saving plan, click Change plan settings.
2. On the Change settings for the plan: Adam's power-saving plan page, click Change advanced power settings.
3. Configure the following properties for the plan, and then click OK:
o
4. On the Change settings for the plan: Adam's power-saving plan page, click Cancel.
5.
6.
Results: After completing this exercise, you should have successfully created and configured a suitable power plan for Adam's laptop computer.
When you have finished the lab, leave the virtual machines running, as they are needed for the next lab.
1. On LON-SVR2, in Server Manager, click Manage, and then click Add Roles and Features.
2.
3.
4.
5. On the Select server roles page, click Remote Access, and then click Next.
6.
7.
8. On the Select role services page, click DirectAccess and VPN (RAS).
9. In the Add Roles and Features Wizard window, click Add Features, and then click Next.
1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Users and Computers.
2. In Active Directory Users and Computers, right-click the Users container, click New, and then click Group.
3. In the New Object - Group window, type DA_Clients in the Group name box, and then click OK.
4.
5.
6. In the Properties dialog box, click the Members tab, and then click Add.
7.
8.
9.
1. Switch to LON-SVR2.
2. On LON-SVR2, in Server Manager, click Tools, and then select Remote Access Management.
3. In the Remote Access Management console, under Configuration, click DirectAccess and VPN.
4.
5.
6. Verify that Edge is selected, and in the Type the public name or IPv4 address used by clients to connect to the Remote Access server box, type 131.107.0.2, and then click Next.
7.
8. On the Remote Access Review page, verify that two Group Policy Objects (GPOs) have been created: DirectAccess Server Settings and DirectAccess Client Settings.
9.
10. In the Remote Access Setup window, click Domain Computers (ADATUM\Domain Computers), and then click Remove.
11. Click Add.
12. In the Select Groups window, type DA_Clients, and then click OK.
13. Clear the Enable DirectAccess for mobile computers only check box, and then click Next.
14. On the DirectAccess Client Setup page, click Finish.
15. On the Remote Access Review page, click OK.
16. On the Configure Remote Access page, click Finish to finish the DirectAccess wizard.
17. In the Applying Getting Started Wizard Settings dialog box, click Close.
18. Restart LON-SVR2.
19. Wait for LON-SVR2 to restart, and then sign in as Adatum\Administrator with password Pa$$w0rd.
20. In Server Manager, click Tools, and then click Remote Access.
21. In the Remote Access Management console, click Operations Status.
22. All components should have a Status of Working and a green check mark beside them. If this is not the case, click Refresh to update the Operations Status view. You might have to do this several times.
Results: After completing this exercise, you should have configured DirectAccess by using the Getting Started Wizard.
When you configured the DirectAccess server, the wizard created two Group Policies and linked them to the domain.
2. Restart LON-CL1, and then sign in as Adatum\Administrator with password Pa$$w0rd to apply the GPOs.
3. On LON-CL1, from the Start screen, type cmd, and then press Enter.
4. At the command prompt, type the following command, and then press Enter:
gpresult /R
5. Under the Computer Settings section, verify that the DirectAccess Client Settings GPO is applied.
Note: If the DirectAccess Client Settings GPO is not applied, restart LON-CL1, sign in as Adatum\Administrator with password Pa$$w0rd, and then repeat steps 3 and 4 on LON-CL1.
6. At the command prompt, type the following command, and then press Enter:
netsh name show effectivepolicy
7. Verify that the following message displays: DNS Effective Name Resolution Policy Table Settings.
Note: DirectAccess settings are inactive when this computer is inside a corporate network.
8. To move the client from the intranet to the public network, go to the Start screen, type ncpa.cpl, and then press Enter.
9. In the Network Connections window, right-click the Ethernet connection, and then click Disable.
10. In the Network Connections window, right-click the Ethernet 2 connection, and then click Enable.
11. Close the Network Connections window.
12. Close all open windows.
1. Switch to LON-SVR1.
2. Click the File Explorer icon on the taskbar, and in the This PC window, double-click Local Disk (C:).
3. In the Local Disk (C:) window, right-click in the empty space in the details pane, click New, click Folder, type Data, and then press Enter.
4. In the Local Disk (C:) window, right-click Data, click Share with, and then click Specific people.
5. In the File Sharing window, from the drop-down list, select Everyone, click Add, click Share, and then click Done.
6. Switch to LON-CL1.
7. On the Start screen, type \\LON-SVR1\Data, and then press Enter. Note that you are able to access the folder content.
8.
9. Move the pointer to the lower-right corner of the screen, and in the notification area, click Search, and in the Search box, type cmd.
10. At the command prompt, type ipconfig, and then press Enter.
Note: Notice the IP address for Tunnel adapter iphttpsinterface starts with 2002. This is an Internet Protocol over Secure Hypertext Transfer Protocol (IP-HTTPS) address.
11. At the command prompt, type the following, and then press Enter:
Netsh name show effectivepolicy
12. Verify that DNS Effective Name Resolution Policy Table Settings present two entries for adatum.com and Directaccess-NLS.Adatum.com.
13. At the command prompt, type the following command, and then press Enter:
Powershell
14. At the command prompt in the Windows PowerShell command-line interface, type the following command, and then press Enter:
Get-DAClientExperienceConfiguration
Results: After completing this exercise, you should have validated the DirectAccess deployment.
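The client-side checks of steps 10 to 14 (NRPT entries, IP-HTTPS address, client experience configuration) in one pass, as an added example that is not part of the lab. It assumes the DnsClient, NetTCPIP and DirectAccessClientComponents cmdlets that ship with Windows 8.1; the namespace, NLS name and server address are the lab's.

```powershell
# Added example, not from the lab steps: run on LON-CL1 to check what steps 10-14 verify by hand.
$CorpNamespace = '.adatum.com'
$NlsName       = 'directaccess-nls.adatum.com'
$ServerAddress = '131.107.0.2'

# The NRPT rules arrive with the DirectAccess Client Settings GPO; no rules means the GPO
# has not applied yet (the same thing the lab's gpresult /R step checks).
$nrpt     = @(Get-DnsClientNrptPolicy -ErrorAction SilentlyContinue)
$corpRule = $nrpt | Where-Object { $_.Namespace -eq $CorpNamespace }
$nlsRule  = $nrpt | Where-Object { $_.Namespace -eq $NlsName }

# Inside/outside decision: DirectAccess stays inactive while the Network Location Server
# is reachable, which is why the settings are inactive on the intranet.
$da = Get-DAConnectionStatus -ErrorAction SilentlyContinue

# IP-HTTPS tunnel adapter (ipconfig's "Tunnel adapter iphttpsinterface"); the lab expects
# its address to start with 2002.
$tunnel = @(Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
    Where-Object { $_.InterfaceAlias -like '*iphttps*' })

$cfg = Get-DAClientExperienceConfiguration -ErrorAction SilentlyContinue
$status = if ($da) { "$($da.Status)" } else { '(cmdlet unavailable)' }

[pscustomobject]@{
    CorpNrptRule     = [bool]$corpRule
    NlsExemptionRule = [bool]$nlsRule
    CorpDnsServers   = ($corpRule.DirectAccessDnsServers -join ', ')
    ConnectionStatus = $status
    IpHttpsAddress   = ($tunnel.IPAddress -join ', ')
    Has2002Prefix    = [bool]($tunnel | Where-Object { $_.IPAddress -like '2002:*' })
    FriendlyName     = $cfg.FriendlyName
} | Format-List

# Interpretation in the order the lab troubleshoots it.
if (-not $corpRule) {
    Write-Warning 'No NRPT rule for the corporate namespace: DirectAccess Client Settings GPO not applied yet.'
} elseif ($status -eq 'ConnectedLocally') {
    'Inside the corporate network (NLS reachable): DirectAccess is inactive by design.'
} elseif ($tunnel.Count -eq 0) {
    Write-Warning "Outside the network but no IP-HTTPS address: check HTTPS reachability to $ServerAddress."
} else {
    'Tunnel up via IP-HTTPS; open \\LON-SVR1\Data to confirm intranet access.'
}
```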
2. In the Virtual Machines list, right-click 20687D-LON-CL1, and then click Revert.
3.
4.
Task 1: Enable Remote Desktop through the firewall, and enable Remote Desktop on Adam's office computer
1. On LON-CL1, from the Start screen, type Control Panel, and then click the Control Panel tile.
2.
3.
4. In the Name list, select Remote Desktop, and then enable the application for each of the network profiles: Domain, Private, and Public. Click OK.
5.
6. In the System Properties dialog box, under Remote Desktop, click Allow remote connections to this computer.
7.
8. In the Select Users or Groups dialog box, in the Enter the object names to select (examples) box, type Adam, click Check Names, and then click OK.
9.
14. In the Remote Desktop Connection dialog box, in the Computer box, type lon-cl1, and then click Show Options.
15. Click the Advanced tab.
16. Under Server authentication, in the If server authentication fails drop-down list, click Connect and don't warn me.
2.
3. In the User name box, type Adatum\Adam, in the Password box, type Pa$$w0rd, and then click OK.
4.
5. On the Start screen, type This PC, right-click This PC, and then click Properties.
6.
7. Close the Remote Desktop session. In the Remote Desktop Connection dialog box, click OK.
8.
9. Switch to LON-CL1.
Results: After completing this exercise, you should have verified that Remote Desktop is functional.
2. In the Virtual Machines list, right-click 20687D-LON-CL2, and then click Revert.
3.
4.
1. On LON-DC1, on the taskbar, click File Explorer. In the navigation pane, click Local Disk (C:).
2. In File Explorer, in the details pane, right-click an empty space, point to New, and then click Folder. Type FileHistory as the folder name, and then press Enter.
3.
4. In the FileHistory Properties dialog box, on the Security tab, click Edit. Click Add, enter Domain in the Enter the object names to select box, and then click OK. Click Domain Users, and then click OK.
5. In the Permissions for Domain Users section, in the Allow column, select the Full control check box, and then click OK.
6.
7. Select the Share this folder check box, and then click Permissions. In the Permissions for Everyone section, in the Allow column, click Full Control, and then click OK twice.
8.
1. On LON-CL1, on the Start screen, type file, and then click File Explorer.
2. In File Explorer, in the navigation pane, expand This PC, and then click Documents.
3. Right-click in the details pane, point to New, click Microsoft Word Document, and then name the document Recovery file.
4.
5. In the First things first. dialog box, select the Ask me later check box, and then click Accept.
6.
7.
8. In Word, save the file by pressing Ctrl+S, and then close Word.
9. On the desktop, right-click the Start icon, and then click Control Panel.
10. In Control Panel, in the Search Control Panel field, type history, and then click File History.
11. In the File History dialog box, in the navigation pane, click the Select drive link.
12. In Select Drive, click Add network location, in the Folder field, type \\LON-DC1\FileHistory, click Select Folder, and then click OK.
13. In the File History dialog box, in the details pane, click Turn on.
14. In the File History dialog box, in the navigation pane, click Advanced settings. Review the options, and then click Cancel.
15. In File Explorer, in the navigation pane, click Documents.
16. In File Explorer, right-click Recovery file.docx, press the Shift key, and then select Delete. Click Yes in the Delete File dialog box.
17. In File Explorer, click the Home tab, and then click History.
18. In Documents File History, right-click Recovery file.docx, and then click Restore.
19. In File Explorer, notice that the Word document has been recovered.
20. Double-click Recovery file.docx, and then verify that it has the content that you typed earlier.
21. Close File Explorer and the Documents File History window.
1. On LON-CL1, in the File History dialog box, in the navigation pane, click Restore personal files.
2. In the Home File History window, verify that three file folders and four libraries are shown. Double-click Documents, and then verify that only Recovery file is shown. Close Documents File History.
3. In File Explorer, click the View tab, select Options, and then select Change folder and search options.
4. In the Folder Options dialog box, in the Navigation pane section, select Show libraries, and then click OK.
5. In File Explorer, in the navigation pane, expand Libraries. Right-click the Documents library, and then click Properties.
6. In the Documents Properties dialog box, click Add. In the Folder field, type E:\Labfiles\Docs, click Include folder, and then click OK.
7. In the File History dialog box, in the details pane, click Run now.
8. In File Explorer, navigate to the E:\Labfiles\Docs folder. Right-click Windows.docx, press the Shift key, and then select Delete. In the Delete File dialog box, click Yes.
9. In the File History dialog box, in the navigation pane, click Restore personal files.
10. In Home File History, double-click Documents. Right-click Windows.docx, select Restore to, in the Folder field type E:\Labfiles, and then click Select Folder.
11. In File Explorer, verify that file Windows.docx is restored to the E:\Labfiles folder.
12. Close File Explorer, File History, and the Documents File History window.
Results: After completing this exercise, you should have configured and used the File History feature.
1. On LON-CL1, open File Explorer, in the navigation pane, right-click This PC, and then click Properties.
2.
3. In the System Properties dialog box, in the Protection Settings section, select Local Disk (C:) (System), click Configure, select Turn on system protection, and then click OK.
4. In the System Properties dialog box, click Create. Type Initial settings in the System Protection dialog, click Create, and then click Close.
5.
6. In File Explorer, navigate to the E:\Labfiles\Mod14 folder, and then double-click XmlNotepad.msi.
7. In the XML Notepad 2007 Setup Wizard, click Next, select I accept the terms in the License Agreement, click Next two times, click Install, and then click Finish.
8.
9.
10. Right-click the desktop, point to New, click Text Document, type My document as its name, and then press Enter.
11. On the toolbar, right-click the Start icon, and then click Device Manager.
12. In Device Manager, expand Keyboards, right-click Microsoft Hyper-V Virtual Keyboard, and then select Update Driver Software.
13. In the Update Driver Software dialog box, select Browse my computer for driver software. Select Let me pick from a list of device drivers on my computer, and then clear the Show compatible hardware check box. In the Model section, select Microsoft Wireless Keyboard 700 v2.0 (106/109), click Next, click Yes in the Update Driver Warning box, and then click Close.
14. In Device Manager, verify that Microsoft Wireless Keyboard 700 v2.0 (106/109) is shown with an exclamation point (!).
1. In File Explorer, in the navigation pane, right-click This PC, and then select Properties.
2.
3.
4.
5. Select the Initial settings restore point, and then click Scan for affected programs. Verify that XML Notepad 2007 is shown, as you installed it after the restore point was created. Click Close.
6. In the System Restore dialog box, click Next, click Finish, and then click Yes. Wait until LON-CL1 is restarted and System Restore is performed.
7.
8.
9. In the System Restore dialog box, click Close. Verify that My document.txt is still on the desktop and that the XML Notepad 2007 shortcut is no longer present on the desktop.
10. On the toolbar, right-click the Start icon, and then click Device Manager.
11. In Device Manager, expand Keyboards, and then verify that Microsoft Hyper-V Virtual Keyboard is present. Microsoft Wireless Keyboard 700 v2.0 (106/109) was removed, as you added it after the restore point was created.
12. On the toolbar, click the File Explorer icon.
13. In File Explorer, in the navigation pane, right-click This PC, and then click Properties.
14. In the System window, in the navigation pane, click System protection.
15. In the System Properties dialog box, click System Restore.
16. In the System Restore dialog box, select Choose a different restore point, and then click Next.
17. In the System Restore dialog box, verify that the additional restore point with the description Restore Operation and Type of Undo was created. Click Cancel.
18. On the toolbar, right-click the Start icon, select Shut down or sign out, and then select Shut down. Wait until LON-CL1 is turned off.
2. In the Open dialog box, in the File name box, type D:\Program Files\Microsoft Learning\20687\Drives\Win81Ent_Eval.iso, and then click Open.
3.
4. When you see the Press any key to boot from CD or DVD message, press Spacebar, and then Setup loads.
5.
6.
7.
8.
9.
11. In the System Restore dialog box, click Next. Select the Restore Operation restore point, and then click Scan for affected programs. Verify that XML Notepad 2007 is listed as a program that might be restored. Click Close, and then click Cancel.
Note: You can use System Restore from the Windows Recovery Environment (RE).
12. On the Choose an option page, click Troubleshoot, and then click Advanced options.
13. On the Advanced options page, click Command Prompt.
14. At the command prompt, type bcdedit /enum, and then press Enter. Review the output and verify that Windows 8.1 is listed as the default Windows Boot Loader operating system.
15. At the command prompt, type Bootrec /scanos, and then press Enter.
16. At the command prompt, type diskpart, and then press Enter.
17. At the command prompt, type list disk, and then press Enter.
18. At the command prompt, type list volume, and then press Enter.
19. At the command prompt, type exit, and then press Enter.
20. At the command prompt, type exit, and then press Enter.
21. On the Choose an option page, click Troubleshoot.
22. On the Troubleshoot page, click Advanced options.
23. On the Advanced options page, click Startup Repair.
24. On the Choose a target operating system page, click Windows 8.1. Startup Repair starts.
25. After a few seconds, the Startup Repair couldn't repair your PC page appears. This is because there is nothing wrong with your computer. Click Advanced options.
26. On the Choose an option page, click Continue. Windows starts normally.
2. On the Start screen, type cmd, and then click Command Prompt.
3. At the command prompt, type the following command, and then press Enter:
bcdedit /copy {current} /d "Duplicate boot entry"
4. Verify the presence of Duplicate boot entry in the store by running the following command:
bcdedit /enum
5. At the command prompt, type shutdown /r, press Enter, and then click Close.
1. When the Windows operating system restarts, wait until the Choose an operating system menu appears, and then click Change defaults or choose other options.
2.
3.
4.
5.
6.
7. In the Startup Settings menu, type 4 to select and enable Safe Mode.
8.
9.
10. In the Virtual Machines list, right-click 20687D-LON-CL1, and then click Revert.
11. In the Revert Virtual Machine dialog box, click Revert.
12. In the Virtual Machines list, right-click 20687D-LON-CL1, and then click Start.
13. In the Virtual Machines list, right-click 20687D-LON-CL1, and then click Connect.
Results: After completing this exercise, you should have used various Windows 8.1 operating system startup-recovery tools.
1. Read the help-desk Incident Record (in the exercise scenario in the student handbook) for Incident 161071.
2. Update the Plan of Action section of the Incident Record with your recommendations.
Plan of Action:
Visit with the user, and then view the error on his computer.
Use Windows RE to recover the startup environment by using the Command Prompt tool, and then running Bootrec.exe /RebuildBCD to repair the boot store.
1. Switch to LON-CL1, and then sign in as Adatum\Administrator with the password Pa$$w0rd.
2.
3.
4.
5.
Results: After this exercise, you should have reproduced the reported startup problem on Adam's computer.
1. Switch to LON-CL1.
2.
3. In the Open dialog box, in the File name box, type D:\Program Files\Microsoft Learning\20687\Drives\Win81Ent_Eval.iso, and then click Open.
4. On the Action menu, click Reset. In the dialog box, click Reset.
5. When you see the Press any key to boot from CD or DVD message, press Spacebar, and then Setup loads.
6.
7.
8.
9.
11. At the command prompt, type Bootrec /Scanos, and then press Enter.
12. At the command prompt, type Bootrec /RebuildBCD, and then press Enter.
13. At the command prompt, type A, and then press Enter.
14. At the command prompt, type exit, press Enter, and then click Continue to restart LON-CL1. When LON-CL1 starts, do not press any keys.
15. Sign in to LON-CL1 by using the following credentials:
o
Password: Pa$$w0rd
17. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.
To repeat or exit the exercise, revert the virtual machine environment.
Results: After completing this exercise, you should have resolved the startup problem and documented your solution.
2. In the Virtual Machines list, right-click 20687D-LON-CL1, and then click Revert.
3.
4.
On LON-CL5, from the Start screen, type Hyper-V, and then confirm that no match is found.
2. On the Start screen, type powershell, right-click Windows PowerShell, and then select Run as
administrator. Click Yes in the User Account Control dialog box.
3. At the Windows PowerShell command prompt, run the following cmdlet, and then verify that no
cmdlet is listed:
Get-Command -Module Hyper-V
4. From the Start screen, type features, and then click Turn Windows features on or off.
5. In the Windows Features window, select the Hyper-V check box, and then click OK.
6. On the Windows completed the requested changes page, click Restart Now.
7.
8.
9.
10. On the Start screen, type powershell, right-click Windows PowerShell, and then select Run as
administrator. Click Yes in the User Account Control dialog box.
11. At the Windows PowerShell command prompt, run the following cmdlet:
Get-Command -Module Hyper-V
Note: The output shows many cmdlets, which confirms that the Hyper-V module is
installed and available.
Results: After completing this exercise, you should have installed the Client Hyper-V feature.
On LON-CL5, from the Start screen, type Hyper-V, and then click Hyper-V Manager.
2. In Hyper-V Manager, right-click LON-CL5, and then click Virtual Switch Manager.
3. In the Virtual Switch Manager window, in the Create virtual switch section, click Private, and then
click Create Virtual Switch.
4. In the Virtual Switch Properties section, type Private Network in the Name field, and then click OK.
1.
2. In Hyper-V Manager, select LON-CL5, and then in the Actions pane, click New, and then click Hard
Disk.
3. In the New Virtual Hard Disk Wizard, on the Before You Begin page, click Next.
4. On the Choose Disk Format page, confirm that VHDX is selected, and then click Next.
5. On the Choose Disk Type page, confirm that the default disk type for virtual hard disk is
Dynamically expanding, and then click Next.
6. On the Specify Name and Location page, in the Name field, type Dynamic.vhdx. In the Location
field, type C:\VM, and then click Next.
7. On the Configure Disk page, confirm that Create a new blank virtual hard disk is selected, in the
Size field, type 100, and then click Next.
8. On the Completing the New Virtual Hard Disk Wizard page, click Finish.
9. On LON-CL5, in Hyper-V Manager, in the Actions pane, click New, and then click Hard Disk.
10. In the New Virtual Hard Disk Wizard, on the Before You Begin page, click Next.
11. On the Choose Disk Format page, select VHD, and then click Next.
12. On the Choose Disk Type page, click Differencing, and then click Next.
13. On the Specify Name and Location page, in the Name field, type Differencing.vhd. In the
Location field, type C:\VM, and then click Next.
14. On the Configure Disk page, click Browse, and then browse to F:\Program Files
\Microsoft Learning\Base\.
15. In the Base folder, click Base14C-W81-Office2013.vhd, click Open, and then click Next.
16. On the Completing the New Virtual Hard Disk Wizard page, click Finish.
17. On LON-CL5, in Windows PowerShell, create a fixed-size virtual hard disk by running the following
cmdlet:
New-VHD -Path C:\VM\Fixed.vhdx -SizeBytes 1GB -Fixed
22. In the VM folder, verify that Dynamic.vhdx and Differencing.vhd are allocated much less space on
the disk, even though you configured Dynamic.vhdx with 100 gigabytes (GB).
On LON-CL5, in Hyper-V Manager, in the Actions pane, click New, and then click Virtual Machine.
2. In the New Virtual Machine Wizard, on the Before You Begin page, click Next.
3. On the Specify Name and Location page, in the Name field, type LON-VM2, and then click Next.
4. On the Specify Generation page, click Generation 2, and then click Next.
5. On the Assign Memory page, in the Startup memory field, type 1024, select the Use Dynamic
Memory for this virtual machine check box, and then click Next four times.
6. On the Completing the New Virtual Machine Wizard page, click Finish. A virtual machine named
LON-VM2 is created.
7. On LON-CL5, in Windows PowerShell, create a Generation 1 virtual machine, and then attach it to a
virtual hard disk by running the following two cmdlets:
New-VM -Name LON-VM1 -MemoryStartupBytes 1GB -Generation 1 -BootDevice IDE
Add-VMHardDiskDrive -VMName LON-VM1 -ControllerType IDE -Path C:\VM\Differencing.vhd
8. In Hyper-V Manager, double-click the LON-VM1 virtual machine, and then from the Action menu,
select Start. Verify that the virtual machine starts.
Results: After completing this exercise, you should have created a virtual network and a virtual machine in
Client Hyper-V.
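The three Client Hyper-V exercises above (verifying the feature and its module, creating the Private Network switch and the three disk types, and creating LON-VM2 and LON-VM1) can be carried out end to end from an elevated Windows PowerShell session instead of the wizards. The following script is an added example written for this lab, not part of the 20687D answer key; it uses the names and paths the lab gives, and it assumes the base disk location F:\Program Files\Microsoft Learning\Base\Base14C-W81-Office2013.vhd exists on the host. The closing report shows the point of step 22: file size on disk, not the configured virtual size, is what a dynamic or differencing disk consumes.

```powershell
#Requires -RunAsAdministrator
# Added example (not the lab's own code): the Client Hyper-V exercises as one script.
# Run in an elevated Windows PowerShell session on the host (LON-CL5 in the lab).

$VmRoot  = 'C:\VM'
# Assumption from the lab text: the base disk used as the differencing parent.
$BaseVhd = 'F:\Program Files\Microsoft Learning\Base\Base14C-W81-Office2013.vhd'

# 1. Confirm the Hyper-V feature is enabled and its PowerShell module is loadable.
$feature = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All
if ($feature.State -ne 'Enabled') {
    Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All -All -NoRestart | Out-Null
    Write-Warning 'Hyper-V enabled; restart the computer and run this script again.'
    return
}
if (-not (Get-Command -Module Hyper-V -ErrorAction SilentlyContinue)) {
    throw 'The Hyper-V module is not available; a restart may still be pending.'
}

# 2. Private virtual switch: VMs attached to it can reach each other only,
#    not the host or the physical network.
if (-not (Get-VMSwitch -Name 'Private Network' -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name 'Private Network' -SwitchType Private | Out-Null
}

# 3. The three disk types the lab compares: dynamically expanding, differencing, fixed.
New-Item -ItemType Directory -Path $VmRoot -Force | Out-Null
New-VHD -Path "$VmRoot\Dynamic.vhdx" -SizeBytes 100GB -Dynamic | Out-Null
New-VHD -Path "$VmRoot\Differencing.vhd" -ParentPath $BaseVhd -Differencing | Out-Null
New-VHD -Path "$VmRoot\Fixed.vhdx" -SizeBytes 1GB -Fixed | Out-Null

# 4. LON-VM2: Generation 2, 1024 MB startup memory, dynamic memory on, no disk yet
#    (the same settings the New Virtual Machine Wizard steps produce).
New-VM -Name LON-VM2 -Generation 2 -MemoryStartupBytes 1024MB | Out-Null
Set-VMMemory -VMName LON-VM2 -DynamicMemoryEnabled $true

# 5. LON-VM1: Generation 1, booting from the differencing disk on its IDE controller.
New-VM -Name LON-VM1 -Generation 1 -MemoryStartupBytes 1GB -BootDevice IDE | Out-Null
Add-VMHardDiskDrive -VMName LON-VM1 -ControllerType IDE -Path "$VmRoot\Differencing.vhd"
Start-VM -Name LON-VM1

# 6. Report each disk's configured size against its actual size on disk.
#    Dynamic.vhdx is configured at 100 GB but occupies only a few MB until data is written;
#    Differencing.vhd stores only changes relative to its parent; Fixed.vhdx is fully allocated.
foreach ($disk in 'Dynamic.vhdx', 'Differencing.vhd', 'Fixed.vhdx') {
    $vhd = Get-VHD -Path "$VmRoot\$disk"
    [pscustomobject]@{
        Disk      = $disk
        Type      = $vhd.VhdType
        VirtualGB = [math]::Round($vhd.Size / 1GB, 2)
        OnDiskMB  = [math]::Round($vhd.FileSize / 1MB, 2)
        Parent    = $vhd.ParentPath
    }
}

# State of both virtual machines after the exercise.
Get-VM -Name LON-VM1, LON-VM2 | Select-Object Name, Generation, State, MemoryStartup, DynamicMemoryEnabled
```

The script stops after enabling the feature because the Hyper-V module cannot load until the host has restarted, which matches the lab's Restart Now step; running it a second time after the restart completes the remaining steps. The Private Network switch is created but, as in the lab, neither virtual machine is connected to it.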