6292a Enu Companion

O F F I C I A L
M I C R O S O F T
L E A R N I N G
P R O D U C T
6292A
Installing and Configuring Windows 7
Companion Content
Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names,
e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with
any real company, organization, product, domain name, e-mail address, logo, person, place or event is
intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the
user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in
or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding
these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a
manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links
may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not
responsible for the contents of any linked site or any link contained in a linked site, or any changes or
updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission
received from any linked site. Microsoft is providing these links to you only as a convenience, and the
inclusion of any link does not imply endorsement of Microsoft of the site or the products contained
therein.
2009 Microsoft Corporation. All rights reserved.
Microsoft and the trademarks listed at
http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks
of the Microsoft group of companies. All other marks are property of their respective owners.
Product Number: 6292A

Released: 10/2009
Installing, Upgrading, and Migrating to Windows 7
Module 1
Contents:
Lesson 1: Preparing to Install Windows 7
Lesson 2: Performing a Clean Installation of Windows 7
Lesson 3: Upgrading and Migrating to Windows 7
Lesson 4: Performing an Image-Based Installation of Windows 7
11
Lesson 5: Configuring Application Compatibility
16
Module Reviews and Takeaways
18
Lab Review Questions and Answers
21
1-1
1-2
Lesson 1
Preparing to Install Windows 7

Contents:
Question and Answers
1-3

Key Features of Windows 7
Question: What are the key features of Windows 7 that will help your organization?
Answer: The answer may vary, but in general all the key features of Windows 7 will help users in
terms of usability, security, manageability, deployment, and productivity.
Editions of Windows 7
Question 1: Which edition of Windows 7 might you choose in the following scenarios?
Scenario 1: There are a few users in your organization. Currently, you do not have a centralized file
server and all of the computers are not joined to a domain.
Scenario 2: Your organization has more than one hundred users who are located in several offices
across the country. In addition, you have several users that travel frequently.
Answer: Choose Windows 7 Professional for Scenario 1 and Windows 7 Enterprise for Scenario 2.
Scenario 1: For a business environment, choose either Windows 7 Professional or Windows 7
Enterprise. Windows 7 Home Premium, Windows 7 Home Basic, and Windows 7 Starter are targeted
for home users. Because you only have few users, Windows 7 Professional will be the best fit.
Scenario 2: Choose Windows 7 Enterprise and take the advantage of features such as BranchCache
and DirectAccess to increase the productivity of your mobile users.
Question 2: What is the difference between the Enterprise and the Ultimate edition of Windows 7?
Answer: There is no difference in terms of features between the Enterprise and Ultimate editions.
Windows 7 Enterprise is available through Microsoft Software Assurance with Volume Licensing and
Windows 7 Ultimate is available through the retail channel. There is no upgrade path between the
two.
Hardware Requirements for Installing Windows 7

Question: What is the typical computer specification within your organization currently? Contrast
that specification to what was typically available when Windows Vista was released. Do you think
Windows 7 can be deployed to the computers within your organization as they currently are?
Answer: The answer may vary. Several years ago, when Windows Vista was released, the hardware
requirements were considered quite high. Since Windows 7 hardware requirements are the same with
Windows Vista, computers in most organizations will be able to install Windows 7.
Options for Installing Windows 7

Question: Which type of installation do you use in the following scenarios?
1-4
Scenario 1: Your users have computers that are at least three years old and your organization plans to
deploy Windows 7 to many new computers.
Scenario 2: There are only a few users in your organization, their computers are mostly new, but they
have many applications installed and a lot of data stored in their computers.
Answer: The answers may vary. Your selection of the type of installation may not be decided by just
these factors. In general, it is recommended that you perform a clean installation followed by
migration of user settings and data. Avoid selecting upgrade, unless it only involves a few users or
computers. In Scenario 1, you may want to purchase new hardware for your organization, perform a
clean installation of Windows 7, and migrate the necessary user settings and data. In Scenario 2, you
may want to perform an in-place upgrade to Windows 7.
Lesson 2
Performing a Clean Installation of Windows 7

Contents:
Detailed Demo Steps
1-5
1-6

Discussion: Considerations for a Clean Installation
Question: When do you typically perform a clean installation of Windows?
Answer: The answer may vary, but in general, consider the following circumstances.
Clean installation considerations
You must perform a clean installation in the following circumstances:
No operating system is installed on the computer.
The installed operating system does not support an upgrade to Windows 7.
The computer has more than one partition and needs to support a multiple-boot
configuration that uses Windows 7 and the current operating system.
A clean installation is the preferred installation method. Performing a clean installation ensures that
all of your systems begin with the same configuration and all applications, files, and settings are reset.
Methods for Performing Clean Installation

Question: In what situation will you use each method of performing a clean installation of Windows
operating system?
Answer: Running Windows installation from the product DVD is the most straightforward. Generally,
this method is used in a home or small business environment or to install a reference computer. You
can place the installation files in a network share so that you can run the Windows installation from
the network to computers that do not have a DVD drive. Having the Windows installation in a
network share also saves you the trouble of keeping the installation media. If you are installing
Windows in a large organization and want to standardize the environment, install Windows by using
an image.
Discussion: Common Installation Errors

Question: What potential issues might you encounter when installing Windows?
Answer: The answers may vary. The following table describes several installation problems and
solutions that can be used to identify and solve specific problems.
Problem
Solution
Installation media is damaged.
Test the CD or DVD on another system.
BIOS upgrade is needed.
Check your computer suppliers Internet site to

determine whether a basic input/output system
(BIOS) upgrade is available for Windows 7.
Hardware is installed improperly.
Check any messages that appear during the boot

phase. Install add-on hardware properly, such as
1-7
video cards and memory modules.
Hardware fails to meet minimum

requirements.
Use Windows Catalog to locate products designed

for Microsoft Windows and ensure that your
hardware meets the minimum requirements for the
edition of Windows 7 that you want to install.
Error messages appear during setup.
Carefully note any messages and search the

Microsoft Knowledge Base for an explanation.
Demonstration: Configuring the Computer Name and Domain/Work

Group Settings
Question: When will you configure the primary DNS suffix to be different from the Active Directory
domain?
Answer: In most cases, you will not configure the primary DNS suffix to be different from the Active
Directory domain. This is typically done in large organizations with a complex DNS structure that is
independent of the Active Directory DNS structure. An example of why you might configure a
different primary DNS suffix is to support applications that need to search in an alternate DNS
domain.
1-8
Detailed Demo Steps

Demonstration: Configuring the Computer Name and Domain/Work
Group Settings
Detailed demonstration steps
1.
Log on to the 6292-LON-CL1 virtual machine as CONTOSO\Administrator with a password

of Pa$$w0rd.
2.
Click Start and then click Control Panel.
3.
Click System and Security and then click System.
4.
In the Computer name, domain, and workgroup settings area, click Change settings.
5.
In the System Properties window, click the Change button. Note that the Network ID
button performs the same task with a wizard.
6.
In the Computer Name/Domain Changes window, click Workgroup and type

WORKGROUP. This is the name of the workgroup to be joined.
7.
Click OK.
8.
Click OK to acknowledge the warning.
9.
Click OK to close the welcome message.
10. Click OK to close the message about restarting.

11. In the System Properties window, click the Change button. Note that the Network ID
button performs the same task with a wizard.
12. In the Computer Name/Domain Changes window, click Domain and type
Contoso.com. This is the name of the domain to be joined.
13. Click the More button. Use this primary DNS suffix to have the computer search DNS
domains other than the Active Directory domain that it is joined to. The NetBIOS name is
used for backward compatibility with older applications.
14. Click the Cancel button.
15. In the Computer Name/Domain Changes window, click OK.
16. When prompted, in the Windows Security box, type Administrator with a password of
Pa$$w0rd.
17. Click OK three times and then click Close.
18. Click Restart Now.
19. After the system restarts, log on as Contoso\Administrator with a password of Pa$$w0rd.
Lesson 3
Upgrading and Migrating to Windows 7

Contents:
10
1-9
1-10

Considerations for Upgrading and Migrating to Windows 7
Question: You are deploying Windows 7 throughout your organization. Given the following
scenarios, which do you choose, upgrade or migration?
Scenario 1: Your organization has a standardized environment. You have several servers dedicated as
storage space and the computers in your organization are no later than two years old.
Scenario 2: Your organization has a standardized environment. You have several servers dedicated as
storage space and plan to replace existing computers, which are more than three years old.
Scenario 3: You do not have extra storage space and the computers in your organization are less than
two years old. In addition, there are only five users in your organization and you do not want to
reinstall existing applications to your user computers.
Answer: Scenario 1: Perform a wipe and load migration. To achieve a standardized environment,
perform a clean installation, followed by a migration. In this scenario, you have storage space, but you
do not plan to replace the existing hardware.
Scenario 2: Perform a side-by-side migration. To achieve a standardized environment, perform a
clean installation, followed by a migration. In this scenario, you have storage space and plan to
replace the existing hardware.
Scenario 3: Perform an in-place upgrade. In this scenario, you do not have the storage space required
to perform migration. Also, migration requires that you to reinstall all existing applications.
Tools for Migrating User Data and Settings

Question: How do you migrate applications to Windows 7?
Answer: You can migrate application settings but not the application itself. You have to re-install
your application before restoring the application settings in your destination computer.
1-11
Lesson 4
Performing an Image-Based Installation of Windows 7

Contents:
12
Detailed Demo Steps
13
1-12

Demonstration: Building an Answer File by Using Windows SIM
Question: Why might you use an answer file rather than manually completing the installation of
Windows 7?
Answer: An answer file is used to automate the installation process for speed and consistency. When
you use an answer file, you are assured that each installation is the same. Automating the installation
process is more efficient when multiple computers are configured at once.
Demonstration: Creating a Bootable Windows PE Media

Question: After you have created the iso file, what do you do with it?
Answer: Typically, the next step is to burn the iso file as a bootable CD or DVD. It can then be used to
perform imaging operations.
Demonstration: Configuring VHDs

Question: Given that a Windows 7 based VHD is configured to run in a Virtual PC, can you configure
the same VHD to run in native boot?
Answer: Yes. However, before a Windows 7-based VHD that is configured to run in Virtual PC can be
used to run in native boot, you must remove system-specific data from the Windows installation by
using Sysprep.
1-13
Detailed Demo Steps

Demonstration: Building an Answer File by Using Windows SIM
Build an answer file by using Windows SIM
1.
Log on to the 6292-LON-CL1 virtual machine as Contoso\Administrator with a password of

Pa$$w0rd.
2.
Click Start, point to All Programs, click Microsoft Windows AIK, and then click Windows
System Image Manager.
3.
In the Windows Image area, right-click Select a Windows image or catalog file and then click
Select Windows Image.
4.
Browse to E:\Labfiles\Mod01\Sources\, click install_Windows 7 ENTERPRISE.clg, and then

click Open.
Note: If a catalog file does not exist for this edition of Windows 7, then you will be prompted
to create a catalog file. The creation process takes several minutes. In this demonstration, you
are not prompted to create a catalog file because it has already been created for you.
5.
In the Answer File area, right-click Create or open an answer file, and then click New Answer
File.
6.
In the Windows Image area, expand Components and scroll down and expand x86_MicrosoftWindows-Setup. This group of settings is primarily used in the windowsPE stage of an
unattended installation. Notice that it includes Disk Configuration.
7.
Expand UserData and right-click ProductKey. Notice that this setting can only be applied in the
windowsPE stage. This is used for an unattended installation where Windows 7 is installed from
the install.wim file on the Windows 7 installation DVD.
8.
Scroll down and click x86_Microsoft-Windows-Shell-Setup. Notice that the option for the
product key is available here and shown in the Properties area.
9.
Right-click x86_Microsoft-Windows-Shell-Setup and click Add setting to Pass 4 specialize.

These settings are applied after an operating system has been generalized by using Sysprep.
10. In the Microsoft-Windows-Shell-Setup Properties area, in the ProductKey box, type 1111122222-33333-44444-55555 and press Enter. Placing a product key in this answer file prevents
the need to enter the product key during the installation of a new image.
11. Close Windows System Image Manager and do not save any changes.
Note: For more information, please refer to Windows SIM Technical Reference at
http://go.microsoft.com/fwlink/?LinkID=154216.
1-14
Demonstration: Creating a Bootable Windows PE Media

Create a bootable Windows PE media
1.
Log on to the 6292-LON-CL1 virtual machine as Contoso\Administrator with a password of

Pa$$w0rd.
2.
Click Start, point to All Programs, click Microsoft Windows AIK, and then click
Deployment Tools Command Prompt.
3.
At the command prompt, type copype.cmd amd64 E:\winpe_amd64 and press Enter. This
command copies the necessary files to the E:\winpe_amd64 folder. If the folder does not exist, it
is created.
4.
At the command prompt, type copy C:\Program Files\Windows

AIK\Tools\amd64\imagex.exe E:\winpe_amd64\iso and then press Enter. This adds the
ImageX tool to the files that will be added to the iso.
5.
At the command prompt, type oscdimg n bE:\winpe_amd64\etfsboot.com

E:\winpe_amd64\iso E:\winpe_amd64\winpe_amd64.iso and then press ENTER. This
command creates the iso file with Windows PE.
Note: For more information on copype, copy, and oscdimg, refer to:
http://go.microsoft.com/fwlink/?LinkID=154217
Demonstration: Modifying Images by Using DISM

Modify images by using DISM
1.
Log on to the 6292A-LON-CL1 virtual machine as Contoso\Administrator with a password of

Pa$$w0rd.
2.
Click Start, point to All Programs, click Microsoft Windows AIK, and then click Deployment
Tools Command Prompt.
3.
At the command prompt, type dism and press Enter. This displays help information for the
command.
4.
At the command prompt, type md C:\img and then press Enter.
5.
At the command prompt, type dism /mount-wim

/wimfile:E:\Labfiles\Mod01\Sources\install.wim /name:Windows 7 ENTERPRISE
/mountdir:C:\img and press Enter.
6.
When the image mounting is complete, at the command prompt, type dism /getmountedwiminfo and press Enter. This displays information about the mounted image. Notice
that an index number is displayed instead of the name.
7.
Type cd C:\img and press Enter.
8.
At the command prompt, type dir and press Enter. You can see the installation files for
Windows 7 ENTERPRISE and modify them.
9.
At the command prompt, type cd \ and press Enter.
1-15
10. At the command prompt, type dism /image:C:\img /? and press Enter. This displays the
available options for servicing an image such as adding a driver or adding a feature.
11. At the command prompt, type dism /image:C:\img /add-driver
/driver:E:\LabFiles\Mod01\vx6000\vx6000.inf and press Enter. This adds the driver for the
VX6000 Lifecam to the image so that it is available for all computers configured with this image.
12. At the command prompt, type dism /unmount-wim /mountdir:C:\img /discard and press
Enter. Use the /commit option to save changes.
13. Close all open Windows.
1-16
Lesson 5
Configuring Application Compatibility

Contents:
17

Updating Shims
Question: When do you use compatibility fix?
Answer: The answer may vary. You use compatibility fix in several scenarios, such as when a
compatibility issue exists on an application from a vendor that no longer exists, on an internally
created application, on an application for which a compatible version is to be released in the near
future, or an application that is non-critical to the organization, regardless of its version.
1-17
1-18

Review questions
You have decided to deploy Windows 7 in your organization. You are working from the organizations
head office. Your organization has five branch offices in the same country, and each branch office has less
than ten users. In total, there are one hundred users in your organizations head office. In addition, there
are several users that work from home or on-the-go, all over the country. Your organization also has plans
to grow to neighboring countries in the near future. This introduces languages that differ from your
organizations head office.
Your organization has a standardized and managed IT environment with Windows Servers 2008 R2 and
Active Directory in place. Almost all of the users are running Windows XP with Service Pack 3 and a few
are running Windows Vista with Service Pack 2.
Question 1: Which edition of Windows 7 is best suited for your organization?
Answer: In business scenarios, select either Windows 7 Professional or Windows 7 Enterprise. These two
editions are business-focused and support domain join and Active Directory.
You have several branch offices and several mobile employees. In this scenario, select Windows 7
Enterprise to take advantage of featuressuch as DirectAccess, BranchCache, and VPN Reconnectthat
will increase the productivity of your branch office and mobile employees.
Also, Windows 7 Enterprise supports all worldwide interface languages, which may be beneficial when
your organization expands to the neighboring countries.
Question 2: Which installation method do you choose?
Answer: Your organization has a standardized and managed IT environment and there are significant
numbers of computers involved in this deployment. Although some of your userswho are running
Windows Vista with Service Pack 2can upgrade directly to Windows 7, you still need to perform a clean
installation of Windows 7 followed by migration to preserve user settings and data. This ensures that all of
your users begin with the same configuration, and all applications, files, and settings are reset.
Consider performing the clean installation by using a standard image and follow the image-based
installation of Windows. You can deploy the image by using deployment tools such as Windows
Deployment Services (WDS) or Microsoft Deployment Toolkit (MDT).
Question 3: If migration is involved, which migration tool do you use?
Answer: You are dealing with significant numbers of computers in this scenario. Select User State
Migration Tool (USMT) to help you migrate user settings and data.
Common issues for installing Windows 7

Problem
Troubleshooting Tips
Installation media is damaged.
Test the CD or DVD on another system.
BIOS upgrade is needed.
Check your computer suppliers Internet site to

determine whether a basic input/output system (BIOS)
upgrade is available for Windows 7.
Hardware is installed improperly.
Check any messages that appear during the boot phase.
1-19
Install add-on hardware properly, such as video cards and

memory modules.
Hardware fails to meet minimum

requirements.
Use Windows Catalog to locate products designed for

Microsoft Windows and ensure that your hardware meets
the minimum requirements for the edition of Windows 7
that you want to install.
Error messages appear during setup.
Carefully note any messages and search the Microsoft

Knowledge Base for an explanation.
Common issues related to application compatibility problems

Problem
Application cannot be installed or run in

Windows 7.
Application can be installed and run, but
does not perform as it needs to.
Upgrade the application to a compatible

version.
Apply updates or service packs to the
application.
Use application compatibility features.
Modify the application configuration by creating
application fixes.
Run the application in a virtualized environment.
Select another application that performs the
same business function.
Best practices for installing, upgrading, and migrating to Windows 7
Always back up your data before performing an upgrade of operating system.
Install Windows by using an image to achieve a standardized computer environment.
Evaluate system requirements and application compatibility before upgrading the operating
system.
Run Sysprep /generalize before transferring a Windows image to another computer.
When capturing an image, use the ImageX /flags option to create the Metadata to apply to the
image.
Create architecture-specific sections for each configuration pass in an answer file.
1-20
Tools
Tool
Use for
Where to find it
Windows Setup
Installing Windows or upgrading

previous Windows versions
Windows 7 Product DVD
Windows Upgrade
Advisor
Assessing the feasibility of an

upgrade to Windows 7
Microsoft Download Center
Microsoft Assessment
and Planning Toolkit
Assessing organization readiness

for Windows 7
Windows Easy
Transfer
Migrating user settings and data

in side-by-side migration for a
single or few computers
Windows 7 Windows 7 Product DVD
Windows Automated
Installation Kit
(Windows AIK)
Supporting the deployment of

Windows operating system
User State Migration

Tool
Migrating user settings and data

for a large number of computers
Windows AIK
Windows SIM
Creating unattended installation

answer files
Windows AIK
ImageX
Capturing, creating, modifying,

and applying the WIM file
Windows AIK
Windows PE
Installing and deploying

Windows operating system
Windows 7 Product DVD
Sysprep
Preparing Windows installation

for disk imaging, system testing,
or delivery
Windows AIK
Diskpart
Configuring the hard disk
Windows 7
WDS
Deploying Windows over the

network
Microsoft Download Center for Windows

Server 2003 SP1 Server Role in Windows
Server 2008 and Windows Server 2008 R2
DISM
Servicing and managing

Windows images
Windows 7 Windows AIK
Application
Compatibility Toolkit
Inventorying and analyzing

organization application
compatibility
Compatibility
Administrator Tool
Creating application fixes
ACT
1-21

Question: Why do you use Sysprep before capturing an image?
Answer: Sysprep is used to generalize the operating system. This removes hardware specific information
such as drivers, so that they can be redetected when the image is placed on new hardware. Computer
specific operating system configuration settings such as SID numbers and the computer name are also
removed. This prevents conflicts on the network.
Question: Why is Windows PE required as part of the imaging process?
Answer: When you are taking or applying an operating system image, ImageX needs full access to the
hard drive. Windows PE runs independently of the operating system installed on the computer and allows
full access to the hard drive. If you did not use Windows PE, some operating system files will be in use
when you attempted to create or apply an image and the process would fail.
Configuring Disks and Device Drivers
Module 2
Contents:
Lesson 1: Partitioning Disks in Windows 7
Lesson 2: Managing Disk Volumes
Lesson 3: Maintaining Disks in Windows 7
Lesson 4: Installing and Configuring Device Drivers
13
17
23
2-1
2-2
Lesson 1
Partitioning Disks in Windows 7

Contents:
Detailed Demo Steps
2-3

What Is an MBR Disk?
Question: What are three restrictions of an MBR partitioned disk? Have you encountered these
limitations in your organization, and if so, what did you do to work around them?
Answer: The restrictions are that MBR partitioned disks are limited to four partitions, a 2 TB
maximum partition size, and there is no data redundancy provided.
What Is a GPT Disk?

Question: How does a GPT partitioned disk on a 64-bit Windows 7 operating system use an MBR?
Answer: On a GPT partitioned disk, Sector 0 contains a legacy protective MBR. The protective MBR
contains one primary partition covering the entire disk. The protective MBR protects GPT disks from
previously released MBR disk tools such as Microsoft MS-DOS FDISK or Microsoft Windows NT Disk
Administrator. These tools view a GPT disk as having a single encompassing (possibly unrecognized)
partition by interpreting the protected MBR, rather than mistaking the disk for one that is
unpartitioned. Legacy software that does not know about GPT interprets only the protected MBR
when it accesses a GPT disk.
Disk Management Tools

Question: What is the effect on existing data when you convert a basic disk to a dynamic disk and
vice versa?
Answer: Basic disks can be converted to dynamic disks without data loss. However, converting a
dynamic disk to basic is not possible without deleting all the volumes first.
Demonstration: Converting an MBR Partition to a GPT Partition

Question: Which tool do you prefer to use to convert a new disk to GPT, the Disk Management snapin or the diskpart.exe command-line tool?
Answer: Emphasize that both will work, but the students might express a preference.
2-4
Detailed Demo Steps

Demonstration: Converting an MBR Partition to a GPT Partition
Convert a disk to GPT by using Diskpart.exe
1.
Log on to the LON-CL1 virtual machine as Contoso\Administrator with a password, Pa$$w0rd.
2.
Click Start, point to All Programs, click Accessories, right-click Command Prompt, and then
click Run as administrator.
3.
At the command prompt, type diskpart and then press ENTER.
4.
At the DISKPART> prompt, type list disk and then press ENTER.
5.
At the DISKPART> prompt, type select disk 2 and then press ENTER.
6.
At the DISKPART> prompt, type convert gpt and then press ENTER.
7.
At the DISKPART> prompt, type exit and then press ENTER.
Convert Disk 3 to GPT by using Disk Management

1.
Click Start, right-click Computer, and then click Manage.
2.
In the Computer Management (Local) list, click Disk Management.
3.
In the Initialize Disk dialog box, click GPT (GUID Partition Table) and then click OK.
Verify the disk type

1.
In Disk Management, right-click Disk 2 and verify its type.
2.
In Disk Management, right-click Disk 3 and verify its type.
3.
Click outside the context menu.
Lesson 2
Managing Disk Volumes

Contents:
Detailed Demo Steps
2-5
2-6

Demonstration: Creating a Simple Volume
Question: In what circumstances will you use less than all the available space on a disk in a new
volume?
Answer: Answers vary, but include partitioning a disk to support dual-boot scenarios.
What Are Spanned and Striped Volumes?

Question: Describe scenarios when you create a spanned volume and when you create a striped
volume.
Answer: Create a spanned volume when you want to encompass several areas of unallocated space
on two or more disks. Create a striped volume when you want to improve the I/O performance of the
computer.
Demonstration: Creating Spanned and Striped Volumes

Question: What is the advantage of using striped volumes, and conversely what is the major
disadvantage?
Answer: Performance is the advantage at the potential cost of reduced fault tolerance.
Demonstration: Resizing a Volume

Question: When might you need to reduce the size of the system partition?
Answer: Answers will vary but to enable BitLocker, a non-encrypted partition must be available. In
some circumstances, this might not be present on a computer and reducing the system volume size
might prove useful. It might be worth mentioning that fragmentation and the placement of certain
types of files on the disks (such as the Master File Table (MFT)) can prevent you from realizing all the
available free space as a new volume.
2-7
Detailed Demo Steps

Demonstration: Creating a Simple Volume
Create a simple volume by using Disk Management
1.
If necessary, on LON-CL1 click Start, right-click Computer, and then click Manage.
2.
In the Computer Management (Local) list, click Disk Management.
3.
In Disk Management on Disk 2, right-click Unallocated and then click New Simple Volume.
4.
In the New Simple Volume Wizard, click Next.
5.
On the Specify Volume Size page, in the Simple volume size in MB box, type 100 and then
click Next.
6.
On the Assign Drive Letter or Path page, click Next.
7.
On the Format Partition page, in the Volume label box, type Simple, click Next, and then
click Finish.
Create a simple volume by using Diskpart.exe

1.
If necessary, click Start, point to All Programs, click Accessories, right-click Command Prompt,
and then click Run as administrator.
2.
At the command prompt, type diskpart and then press ENTER.
3.
At the DISKPART> prompt, type list disk and then press ENTER.
4.
At the DISKPART> prompt, type select disk 3 and then press ENTER.
5.
At the DISKPART> prompt, type create partition primary size=100 and then press ENTER.
6.
At the DISKPART> prompt, type list partition and then press ENTER.
7.
At the DISKPART> prompt, type select partition 2 and then press ENTER.
8.
At the DISKPART> prompt, type format fs=ntfs label=simple2 quick and then press ENTER.
9.
At the DISKPART> prompt, type Assign and then press ENTER.
Demonstration: Creating Spanned and Striped Volumes

Create a spanned volume
1.
On LON-CL1 in Disk Management on Disk 2, right-click Unallocated and then click New
Spanned Volume.
2.
In the New Spanned Volume wizard, click Next.
3.
On the Select Disks page, in the Select the amount of space in MB box, type 100.
4.
In the Available list, click Disk 3 and then click Add >.
5.
In the Selected list, click Disk 3, and in the Select the amount of space in MB box, type 250
and then click Next.
2-8
6.
7.
On the Format Partition page, in the Volume label box, type Spanned, click Next and then
click Finish.
8.
In the Disk Management dialog box, click Yes.
Create a striped volume

1.
In Disk Management, right-click Disk 2 and then click New Striped Volume.
2.
In the New Striped Volume wizard, click Next.
3.
On the Select Disks page, in the Available list, click Disk 3 and then click Add >.
4.
On the Select Disks page, in the Select the amount of space in MB box, type 512 and then
click Next.
5.
6.
On the Format Partition page, in the Volume label box, type Striped, click Next, and then
click Finish.
Demonstration: Resizing a Volume

Shrink a volume by using Diskpart.exe
1.
On LON-CL1, switch to the Command Prompt window.
2.
At the DISKPART> prompt, type list disk, and then press ENTER.
3.
At the DISKPART> prompt, type select disk 2, and then press ENTER.
4.
At the DISKPART> prompt, type list volume, and then press ENTER.
5.
At the DISKPART> prompt, type select volume 6, and then press ENTER.
6.
At the DISKPART> prompt, type shrink desired = 50, and then press ENTER.
7.
At the DISKPART> prompt, type exit, and then press ENTER.
8.
Switch to Disk Management, and view the new volume size.
Extend a volume by Disk Management

1.
In Disk 2, right-click Simple (F:) and then click Extend Volume.
2.
In the Extend Volume Wizard, click Next.
3.
In the Select the amount of disk space in MB box, type 50, click Next, and then click Finish.
4.
Close all open windows.
Note: For more information about diskpart, refer to

http://go.microsoft.com/fwlink/?LinkId=153231.
Lesson 3
Maintaining Disks in Windows 7

Contents:
10
Detailed Demo Steps
11
2-9
2-10

What are Disk Quotas?
Question: How do you increase free disk space after exceeding the quota allowance?
Answer: The following are ideas to increase free disk space after exceeding the quota allowance:
Delete unnecessary files
Have another user claim ownership of non-user specific files
Increase the quota allowance as volume size and policy permits
Demonstration: Configuring Disk Quotas (Optional)

Question: Will Quota management be useful in your organizations?
Answer: Answers will vary. In most cases there is no need to limit disk usage on computers running
Windows 7. However, it might be useful when multiple users share the same computer or when peerto-peer networking is performed in a workgroup. It is more common to implement quotas on servers.
2-11
Detailed Demo Steps

Demonstration: Configuring Disk Quotas (Optional)
Create quotas on a volume
1.
On LON-CL1, click Start and then click Computer.
2.
Right-click Striped (I:) and then click Properties.
3.
In the Striped (I:) Properties dialog box, click the Quota tab.
4.
On the Quota tab, select the Enable quota management check box.
5.
Select the Deny disk space to users exceeding quota limit check box.
6.
Click Limit disk space to, in the adjacent box type 6, and then in the KB list, click MB.
7.
In the Set warning level to box, type 4, and then in the KB list click MB.
8.
Select the Log event when a user exceeds their warning level check box and then click OK.
9.
In the Disk Quota dialog box, review the message and then click OK.
Create test files

1.
Open a Command Prompt.
2.
At the command prompt, type I: and then press ENTER.
3.
At the command prompt, type fsutil file createnew 2mb-file 2097152 and then press ENTER.
4.
At the command prompt, type fsutil file createnew 1kb-file 1024 and then press ENTER.
5.
Close the Command Prompt window.
Test the configured quotas by using a standard user account to create files
1.
Log off and then log on to the LON-CL1 virtual machine as Contoso\Alan with a password of
Pa$$w0rd.
2.
Click Start, click Computer, and then double-click Striped (I:).
3.
On the toolbar, click New Folder.
4.
Type Alans files and then press ENTER.
5.
In the file list, right-click 2mb-file, drag it to Alans files, and then click Copy here.
6.
Double-click Alans files.
7.
Right-click 2mb-file and then click Copy.
8.
Press CTRL+V.
9.
In the Address bar, click Striped (I:).
10. In the file list, right-click 1kb-file, drag it to Alans files, and then click Copy here.
11. Double-click Alans files.
12. Right-click 2mb-file and then click Copy.
2-12
13. Press CTRL+V.

14. In the Copy Item dialog box, review the message and then click Cancel.
Review quota alerts and event log messages

1.
Log off and then log on to the LON-CL1 virtual machine as Contoso\Administrator with a
password of Pa$$w0rd.
2.
Click Start and then click Computer.
3.
Right-click Striped (I:) and then click Properties.
4.
In the Striped (I:) Properties dialog box, click the Quota tab and then click Quota Entries.
5.
In the Quota Entries for Striped (I:), in the Logon Name column, double-click Contoso\Alan.
6.
In the Quota Settings for Alan Brewer (CONTOSO\alan) dialog box, click OK.
7.
Close Quota Entries for Striped (I:).
8.
Close Striped (I:) Properties.
9.
Click Start, and in the Search box, type event.
10. In the Programs list, click Event Viewer.

11. In the Event Viewer (Local) list, expand Windows Logs and then click System.
12. Right-click System and then click Filter Current Log.
13. In the <All Events IDs> box, type 36 and then click OK.
14. Examine the listed entry.
15. Close all open windows.
Lesson 4
Installing and Configuring Device Drivers

Contents:
14
Detailed Demo Steps
15
2-13
2-14

Installing Devices and Drivers
Question: What are the steps to install a driver in the driver store by using the Pnputil.exe tool?
Answer: The steps are as follows:
1.
Identify the name of the device driver.
2.
Start the Pnputil.exe tool from an elevated command prompt.
3.
Use the a parameter along with the path to the driver and name of the driver to perform
the addition to the driver store.
4.
Make note of the newly assigned driver name, including the number.
Demonstration: Managing Drivers

Question: If your computer does not startup normally due a device driver issue, what options are
there for performing driver roll back?
Answer: Try starting into Safe mode and then rolling the driver back.
2-15
Detailed Demo Steps

Demonstration: Managing Drivers
Update a device driver
1.
On LON-CL1 click Start, right-click Computer and then click Manage.
2.
In Computer Management, click Device Manager.
3.
Expand Keyboards, right-click Standard PS/2 Keyboard, and then click Update Driver
Software.
4.
In the Update Driver Software Standard PS/2 Keyboard dialog box, click Browse my
computer for driver software.
5.
On the Browse for driver software on your computer page, click Let me pick from a list of
device drivers on my computer.
6.
In the Show compatible hardware list, click PC/AT Enhanced PS/2 Keyboard (101/102 Key)
7.
Click Close.
8.
In the System Settings Change dialog box, click Yes to restart the computer.
Roll back a device driver

1.
Log on to the LON-CL1 virtual machine as Contoso\Administrator with a password of

Pa$$w0rd.
2.
Click Start, right-click Computer, and then click Manage.
3.
In Computer Management, click Device Manager.
4.
Expand Keyboards, right-click PC/AT Enhanced PS/2 Keyboard (101/102 Key) and then click
Properties.
5.
In the PC/AT Enhanced PS/2 Keyboard (101/102 Key) Properties dialog box, click the Driver
tab.
6.
Click Roll Back Driver.
7.
In the Driver Package rollback dialog box, click Yes.
8.
Click Close, and then in the System Settings Change dialog box, click Yes to restart the
computer.
9.

Pa$$w0rd.
10. Click Start, right-click Computer, and then click Manage.

11. In Computer Management, click Device Manager.
12. Expand Keyboards and then click Standard PS/2 Keyboard.
13. Verify that you have successfully rolled back the driver.
14. Close Computer Management.
2-16
Install a driver into the driver store

1.
Click Start, point to All Programs, click Accessories, and then right-click Command Prompt.
2.
Click Run as administrator.
3.
At the Command Prompt, type E:, and then press ENTER.
4.
At the Command Prompt, type pnputil a E:\Labfiles\Mod02\HP Deskjet 960c

series\hpf960k.inf, and then press ENTER.
5.
In the Command Prompt, type pnputil e, and then press ENTER. Take note of the driver
version and date for the driver you just installed into the store.
2-17

Review questions
Question 1: You are implementing 64-bit Windows 7 and need to partition the disk to support 25
volumes, some of which will be larger than 2 TB. Can you implement this configuration using a single hard
disk?
Answer: Yes, you can format the disk for GPT rather than MBR. A GPT disk supports up to 128 volumes,
each much larger than 2 TB. In addition, you can boot 64-bit Windows 7 from a GPT disk.
Question 2: You have created a volume on a newly installed hard disk by using diskpart.exe. Now, you
want to continue using diskpart.exe to perform the following tasks:
Format the volume for NTFS
Assign the next available drive letter.
Assign a volume label of sales-data
What two commands must you use for these tasks?

Answer: The two commands are as follows:
format fs=ntfs label=sales-data
assign
Question 3: Your organization has recently configured Windows Update to automatically update the
Accounting departments computers at 03:00. This conflicts with the weekly defragmentation of the
computers on Wednesday mornings. You must reconfigure the scheduled defragmentation task to occur
at midnight on Tuesdays instead. List the steps to modify the defragmentation schedule.
Answer: Follow these steps to modify the defragmentation schedule:
1.
Right-click the volume in Windows Explorer, click Properties, click the Tools tab, and then click
Defragment Now.
2.
In the Disk Defragmenter window, click Configure schedule.
3.
In the Disk Defragmenter: Modify Schedule window, change Choose day to Tuesday, and
change Choose time to 12:00 AM (midnight). Click OK.
4.
Click Close on the Disk Defragmenter window, and OK on the Properties window.
Question 4: You recently upgraded to Windows 7 and are experiencing occasional problems with the
shortcut keys on your keyboard. Describe the first action you might take to the resolve the issue and list
the steps to perform the action.
Answer:
1.
Update the device driver for the keyboard. To manually update the driver used for the keyboard,
follow these steps in Device Manager:
2.
Double-click the Keyboard category of devices.
3.
Right-click the device and then click Update Driver Software.
2-18
4.
Follow the instructions in the Update Driver Software wizard.
Common issues
Identify the causes for the following common issues and fill in the troubleshooting tips. For answers, refer
to relevant lessons in the module and the course companion CD content.
Issue
Troubleshooting tip
Configuring disk quotas on

multiple volumes
Once a quota is created, you can export it and then import it for
a different volume. In addition to establishing quota settings on
an individual computer by using the methods outlined above,
you can also use Group Policy settings to configure quotas. This
enables administrators to configure multiple computers with the
same quota settings.
Exceeding the quota allowance
To increase free disk space after exceeding the quota allowance,

the user can try the following:
Delete unnecessary files
Have another user claim ownership of non-user specific
files
Increase the quota allowance as volume size and policy
permits
If you have a hardware problem, it

can be caused by hardware or a
device driver. Troubleshooting
hardware problems often starts by
troubleshooting device drivers.
To identify a device driver problem, answer the questions:

Did you recently upgrade the device driver or other
software related to the hardware? If so, roll back the
device driver to the previous version.
Are you experiencing occasional problems, or is the
device not compatible with the current version of
Windows? If so, upgrade the device driver.
Did the hardware suddenly stop working? If so,
upgrade the device driver. If that does not solve the
problem, reinstall the device driver. If the problem
continues, try troubleshooting the hardware problem.
Verify a disk requires

defragmentation
To verify that a disk requires defragmentation, in Disk

Defragmenter select the disk you want to defragment and then
click Analyze disk. Once Windows is finished analyzing the disk,
check the percentage of fragmentation on the disk in the Last
Run column. If the number is high, defragment the disk.
View shadow copy storage

information
To view shadow copy storage information, use the Volume

Shadow Copy Service administrative command-line tool. Start
an elevated Command Prompt and then type vssadmin list
shadowstorage. The used, allocated, and maximum shadow
copy storage space is listed for each volume.
Best practices
Supplement or modify the following best practices for your own work situations:
Every time a change is made to a computer, record it. It can be recorded in a physical notebook
attached to the computer, or in a spreadsheet or database available on a centralized share that is
backed up nightly.
If you keep a record of all changes made to a computer, you can trace the changes to
troubleshoot problems and offer support professionals correct configuration information. The
Reliability Monitor can be used to track changes to the system such as application installs or
uninstalls.
When deciding what type of volume to create, consider the following questions:
How critical is the data or information on the computer?
Can automatic replication be set up quickly and easily?
If the computer became unbootable, what will be the impact on your business?
Is the computer handling multiple functions?
Is the data on the computer being backed up on a regular basis?
Use the information in the following table to assist as needed.
Task
Reference
Add a new disk
http://go.microsoft.com/fwlink/?LinkId=64100
Best Practices for Disk

Management
Confirm that you are a

member of the Backup
Operators group or the
Administrators group
Search Help and Support for standard account and administrator

account. For information about groups:
Create partitions or
volumes
Device Management and

Installation
For information about

driver signing, including
requirements, review the
Driver Signing
Requirements for
Windows page in
Windows Hardware
Developer Central
Format volumes on the

disk
Overview of Disk
Management
Performance tuning
2-19
2-20
guidelines
Windows 7 Springboard
Series
Windows Device
Experience
Best Practices for Disk

Management
Tools
Tool
Use for
Where to find it
Defrag.exe
Performing disk defragmentation tasks from the

command-line
Command Prompt
Device Manager
Viewing and updating hardware settings, and

driver software for devices such as internal hard
drives, disc drives, sound cards, video or graphics
cards, memory, processors, and other internal
computer components
Control Panel
Device Stage
Help when interacting with any compatible device

connected to the computer. From Device Stage,
you can view the devices status and run common
tasks from a single window. There are pictures of
the devices which helps make it simpler to view
what is there.
Taskbar
Devices and
Printers
Provides users a single location to find and

manage all the devices connected to their
Windows 7 -based computers. Also provides quick
access to device status, product information, and
key functions such as faxing and scanning to
enhance and simplify the customer experience
with a Windows 7 - connected device.
Control Panel
Rearranging fragmented data so that disks and

drives can work more efficiently
In Windows Explorer,
right-click a volume, click
Properties, click the Tools
tab, and then click
Defragment Now.
Disk Management
Managing disks and volumes, both basic and

dynamic, locally or on remote computers.
Click Start, type

diskmgmt.msc in the
search box, and then click
diskmgmt.msc in the
results list.
Diskpart.exe
Managing disks, volumes, and partitions from the
Open a command prompt
Disk
Defragmenter
2-21
command-line or from Windows PE
and then type diskpart
Fsutil.exe
Performing tasks that are related to file allocation

table (FAT) and NTFS file systems, such as
managing reparse points, managing sparse files,
or dismounting a volume
Command Prompt
(elevated)
Pnputil.exe
Adding drivers to and managing drivers in the

device store
Command Prompt
(elevated)
Quota Settings
Tracking and restricting disk consumption
In Windows Explorer,
right-click a volume, click
Properties, click Quota,
and then click Show
Quota Settings.
File Signature
Verification
(Sigverf.exe)
Use to check if unsigned device drivers are in the

system area of a computer
Start menu
Volume Shadow
Copy Service
(Vssadmin.exe)
Viewing and managing shadow copy storage

space
Command Prompt
(elevated)
Windows Update
Automatically applying updates that are additions

to software that can help prevent or fix problems,
improve how your computer works, or enhance
your computing experience.
Online
Common terms, definitions, and descriptions

Term
Definition
Basic disk
A disk initialized for basic storage. A basic disk contains basic volumes, such as
primary partitions, extended partitions, and logical drives.
Dynamic disk
A disk initialized for dynamic storage. A dynamic disk contains dynamic volumes,
such as simple volumes, spanned volumes, striped volumes, mirrored volumes, and
RAID-5 volumes.
Volume
A storage unit made from free space on one or more disks. It can be formatted with
a file system and assigned a drive letter. Volumes on dynamic disks can have any of
the following layouts: simple, spanned, mirrored, striped, or RAID-5. All volumes on a
physical disk must be either basic or dynamic, and each disk must be partitioned.
You can view the contents of a volume by clicking its icon in Windows Explorer or in
My Computer. A single hard disk can have multiple volumes, and volumes can also
span multiple disks.
System volume
The disk volume that contains the hardware-specific files that are needed to start
Windows. On x86 computers, the system volume must be a primary volume that is
marked as active. This requirement can be fulfilled on any drive on the computer
that the system BIOS searches when the operating system starts. The system volume
can be the same volume as the boot volume; this configuration is not required.
2-22
There is only one system volume.
Boot volume
The disk volume that contains the Windows operating system files and the
supporting files. The boot volume can be the same volume as the system volume;
this configuration is not required. There is one boot volume for each operating
system in a multi-boot system.
Partition
A contiguous space of storage on a physical or logical disk that functions as though

it were a physically separate disk.
Disk
partitioning
The process of dividing the storage on a physical disk into manageable sections that
support the requirements of a computer operating system.
Logical Block
Address (LBA)
A method of expressing a data address on a storage medium. Used with SCSI and
IDE disk drives to translate specifications of the drive into addresses that can be used
by enhanced BIOS. LBA is used with drives that are larger than 528MB.
2-23

Question: In Exercise 1, you used the assign command in diskpart to assign a drive letter to a newly
created volume. Instead of assigning a drive letter, what else can you do?
Answer: Students can mount the volume into an empty folder on an existing NTFS volume. The
advantage of this is that it enables you to circumvent the 26 driver letter limitation imposed by the
alphabet.
Question: In Exercise 2, you used local disk quotas to manage disk consumption. Although this is a useful
local management tool, in an enterprise network based on Windows Server 2008, what other disk space
management tools can you use?
Answer: The File Server Resource Manager File Services role enables you to manage disk quotas, and in
addition provides quota templates, file screens, and storage reporting facilities.
Question: In Exercise 3, you used driver roll back to reverse a driver update you made. If your computer
will not start properly, how can you address a driver-related problem?
Answer: You can start the computer in Safe Mode and then access Device Manager to use the driver roll
back feature. Alternatively, if that is unsuccessful, you might use Windows RE to attempt to resolve the
problem.
Configuring File Access and Printers on Windows 7 Clients
3-1
Module 3
Contents:
Lesson 1: Overview of Authentication and Authorization
Lesson 2: Managing File Access in Windows 7
Lesson 3: Managing Shared Folders
Lesson 4: Configuring File Compression
11
Lesson 5: Managing Printing
14
17
20
3-2
Lesson 1
Overview of Authentication and Authorization

Contents:

Authentication and Authorization Process
Question: Which authentication method is used when a client computer running the Windows 7
operating system logs on to Active Directory?
Answer: Kerberos version 5 protocol is used unless smart cards are being used. If smart cards are
being used, then certificate mapping is the authentication method.
New Authentication Features in Windows 7

Question: What are some of the ways that fingerprint biometric devices are used in Windows 7?
Answer: Answers can vary, but the three primary uses include:
Log on to computers.
Grant elevation privileges through User Account Control (UAC).
Perform basic management of fingerprint devices in Group Policy settings by enabling,

limiting, or blocking their use.
3-3
3-4
Lesson 2
Managing File Access in Windows 7

Contents:
Detailed Demo Steps
3-5

What Are NTFS Permissions?
Question: Do you have to apply permissions to keep other people from accessing your files?
Answer: No. The default NTFS permissions do not allow standard users to read the documents that
other users have stored in their My Documents folder. However, administrators are able to access all
files on the system. If you need to prevent administrators from accessing a file, you must use an
additional security measure such as encryption.
What Is Permission Inheritance?

Question 1: Why does permission inheritance reduce administration time?
Answer: Administrators can change permissions at the parent level and have the same permissions
propagate throughout all the sub-folders without having to reassign permissions to each of those
folders individually.
Question 2: If NTFS permission is denied to a group for a particular resource while allowing the same
permission to another group for that resource, what will happen to the permissions of an individual
who is a member of both groups?
Answer: The user will be denied access.
Impact of Copying and Moving Files and Folders on Set Permissions

Question: Why is administration time reduced when files and folders are moved within the same
partition?
Answer: Answers can vary. Possible answers include: Administrators do not need to be concerned
about permissions being changed or altered because the permissions are kept if files and folders are
moved within the same partition. Likewise, administrators do not need to change the permissions of
the destination folder, which can have ramifications on other files and subfolders within the folder.
What Are Effective Permissions?

Question: If a group is assigned Modify permission to a folder and a user that is a member of that
group is denied Modify permission for the same folder, what is the users effective permission for the
folder?
Answer: Because the Deny permission takes precedence over the Allow permission, the user is denied
the Modify permission for the folder.
Discussion: Determining Effective Permissions

Question 1: The Users group has Write permission, and the Sales group has Read permission for
Folder1. What permissions does User1 have for Folder1?
Answer: User1 has Write and Read permissions for Folder1, because User1 is a member of the Users
group, which has Write permission, and the Sales group, which has Read permission.
3-6
Question 2: The Users group has Read permission for Folder1. The Sales group has Write permission
for Folder2. What permissions does User1 have for File2?
Answer: User1 has Read and Write permissions for File2, because User1 is a member of the Users
group, which has Read permission for Folder1, and the Sales group, which has Write permission for
Folder2. File2 inherits permissions from both Folder2 and Folder1.
Question 3: The Users group has Modify permission for Folder1. File2 is accessible only to the Sales
group, and they are only able to read File2. What do you do to ensure that the Sales group has only
Read permission for File2?
Answer: Prevent permissions inheritance for Folder2 or File2. Remove the permissions for Folder2 or
File2 that Folder2 has inherited from Folder1. Grant only Read permission to the Sales group for
Folder2 or File2.
3-7
Detailed Demo Steps

Demonstration: Configuring NTFS Permissions for Files and Folders
Create a folder and a document file
1.
Log on to the LON-CL1 as Contoso\Administrator with a password of Pa$$w0rd.
2.
Click Start, click Computer, and then double-click Local Disk (C:).
3.
On the toolbar, click New folder.
4.
Type Project Documents in the folder name.
5.
Double-click to open the Project Documents folder.
6.
Right-click an empty space in the Name column, point to New, and then click Microsoft Office
Word Document.
7.
Type Deliverables and then press ENTER.
Grant selected users write access to the file

1.
Right-click the Deliverables file and then click Properties.
2.
In the Deliverables Properties dialog box, on the Security tab, click Edit.
3.
In the Permissions for Deliverables dialog box, click Add.
4.
In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the
object names to select (examples) box, type Contoso\Adam, click Check Names, and then
click OK.
5.
In the Group or user names box, click Adam Carter (Contoso\Adam).
6.
In the Permissions for Deliverables dialog box, next to Write, select the Allow check box and
then click OK.
7.
In the Deliverables Properties dialog box, click OK.
Deny selected users the ability to modify the file

1.
Right-click the Deliverables file and then click Properties.
2.
In the Deliverables Properties dialog box, on the Security tab, click Edit.
3.
In the Permissions for Deliverables dialog box, click Add.
4.
object names to select (examples) box, type Contoso\Martin, click Check Names, and then
click OK.
5.
In the Group or user names box, click Martin Berka (Contoso\Martin).
6.
In the Permissions for Deliverables dialog box, next to Modify, select the Deny check box and
then click OK.
7.
In the Windows Security dialog box, click Yes.
8.
In the Deliverables Properties dialog box, click OK.
3-8
Verify the deny permissions on the file

1.
In the Project Documents folder, right-click Deliverables and then click Properties.
2.
In the Deliverables Properties dialog box, on the Security tab, click Advanced.
3.
In the Advanced Security Settings for Deliverables dialog box, on the Effective Permissions
tab, click Select.
4.
In the Select User, Computer, Service Account or Group dialog box, type Contoso\Martin,
click Check Names, and then click OK.
5.
Verify that none of the attributes are available as permissions.
6.
In the Advanced Security Settings for Deliverables dialog box, on the Effective Permissions
tab, click Select.
7.
In the Select User, Computer, Service Account or Group dialog box, type Contoso\Adam,
click Check Names, and then click OK.
8.
Verify that all attributes are selected except for Full control, Change permissions, and Take
ownership.
9.
In the Advanced Security Settings for Deliverables dialog box, click OK.
10. In the Deliverables Properties dialog box, click OK.

11. Close the Project Documents window.
Lesson 3
Managing Shared Folders

Contents:
10
3-9
3-10

What Are Shared Folders?
Question: What is a benefit of sharing folders across a network?
Answer: Sharing folders across a network keeps information up-to-date for a group of users and
decreases the chance of file duplication because all files for a user account can be stored in a shared
central repository.
Methods of Sharing Folders

Question 1: When is it necessary to avoid using Public folder sharing?
Answer: Avoid using Public folder sharing when security or privacy is a concern. Remember, you
cannot restrict people to viewing just some of the files in the Public folder. Because it is an all or
nothing situation, users can access all files in a public share.
Question 2: Do you have to apply permissions to share your files with other users on your computer?
Answer: No. A recommended method of sharing files is to share from an individual folder or by
moving files to the Public folder. Depending on how you choose to share the file or folder, you might
be able to apply permissions to some of your files.
Discussion: Combining NTFS and Share Permissions

Question 1: If a user is assigned Full Control NTFS permission to a file but is accessing the file
through a share with Read permission, what will be the effective permission the user will have on the
file?
Answer: The user will have only Read access to the file when accessing it over the network through
the share (because Read access is more restrictive than Full Control). If the user is logged on to the
console of the computer storing the file and accessing it locally, then the user has Full Control.
Question 2: If you want a user to view all files in a shared folder but can modify only certain files in
the folder, what permissions do you give the user?
Answer: The share permissions will have to allow the user to modify all files (this opens the folder
window wide, but it will get locked down with NTFS permissions). You must set the NTFS permissions
for the folder to allow the user Read access only (which flows to all the files). Then on the individual
files in the folder that you want the user to modify, assign the Modify NTFS permission.
Question 3: Identify a scenario at your organization where it might be necessary to combine NTFS
and Share permissions. What is the reason for combining permissions?
Answer: Answers will vary based on the experiences of each student.
Lesson 4
Configuring File Compression

Contents:
Detailed Demo Steps
12
3-11
3-12
Detailed Demo Steps

Demonstration: Compressing Files and Folders
Create folders in the Project Documents folder
1.
On LON-CL1, click Start, and then click Computer.
2.
In the Computer folder, double-click Local Disk (C:).
3.
In the Local Disk (C:) folder, double-click Project Documents.
4.
On the Project Documents folder menu, click New Folder.
5.
Type Compressed Files and then press ENTER.
6.
On the Project Documents folder menu, click New Folder.
7.
Type Uncompressed Files and then press ENTER.
Compress the C:\Project Documents\Compressed Files folder

1.
In the Project Documents folder, right-click Compressed Files and then click Properties.
2.
In the Compressed Files Properties dialog box, click Advanced.
3.
Select the Compress contents to save disk space check box and then click OK.
4.
In the Compressed Files Properties dialog box, click OK.
Copy files into the C:\Project Documents\Compressed Files folder

1.
Click Start, and in the Search programs and files box, type C:\Program Files\Microsoft
Office\CLIPART\PUB60COR and then press ENTER.
2.
Select the following files, right-click on them, and then click Copy:
AG00004_
3.
AG00011_
4.
Close the PUB60COR folder.
5.
Switch back to the C:\Project Documents folder.
6.
Right-click Compressed Files folder and then click Paste.
7.
Double-click Compressed Files folder.
8.
Right-click AG00004_ and then click Properties.
9.
Click Advanced.
10. Click Cancel and then click Cancel again to close the properties dialog box.
Move compressed files into the C:\Project Documents\Uncompressed Files folder

1.
2.
3.
4.
In the Project Documents folder, double-click Uncompressed Files.
5.
Right-click the Taskbar and then click Show Windows Side by Side.
6.
In the Compressed Files folder, drag AG00004_ to the Uncompressed Files folder.
3-13
Copy compressed files into the C:\Project Documents\Uncompressed Files folder

1.
In the Compressed Files folder, right-click and then drag AG00011_ to the Uncompressed Files
folder.
2.
Click Copy Here.
Compress a folder by using the Compressed (zipped) Folder feature

1.
2.
3.
4.
Right-click Uncompressed Files, click Send To, and then click Compressed (zipped) Folder.
5.
Type Zipped Data and then press ENTER.
6.
Drag the Zipped Data file to the Compressed Files folder.
7.
Double-click the Compressed Files folder.
8.
Press CTRL+Z to undo the move operation.
9.
Click the left arrow in the menu bar to go back to the Project Documents folder.
10. Right-click Zipped Data and then drag it to the Compressed Files folder.
11. Click Copy Here.
12. Double-click Compressed Files.
3-14
Lesson 5
Managing Printing
Contents:
Detailed Demo Steps
15
3-15
Detailed Demo Steps

Demonstration: Installing and Sharing a Printer
Create and share a local printer
1.
On LON-CL1, click Start, click Control Panel, and then click View devices or printers.
2.
In the menu, click Add a printer.
3.
In the Add Printer wizard, click Add a local printer.
4.
On the Choose a printer port page, in the Use an existing port list, click LPT1: (Printer Port)
5.
On the Install the printer driver page, in the Manufacturer list, click Epson, and in the Printers
list, click Epson Stylus Photo RX630 (M) and then click Next.
6.
On the Type a printer name page, click Next.
7.
On the Printer Sharing page, accept the defaults and click Next.
8.
Click Finish to complete the wizard.
Set permissions and advanced options for the printer

1.
In Devices and Printers, right-click Epson Stylus Photo RX630 (M) and then click Printer
properties.
2.
Click the Security tab and then click Add.
3.
object names to select (examples) box, type Contoso\IT, click Check Names, and then click
OK.
4.
In the Group or user names box, click IT (Contoso\IT).
5.
In the Permissions for IT dialog box, next to Manage this printer, select the Allow check box.
6.
In the Permissions for IT dialog box, next to Manage documents, select the Allow check box
and then click Apply.
7.
Click the Advanced tab.
8.
Select the Hold mismatched documents check box.
9.
Click the General tab.
10. In the Location field, type Headquarters.

11. Click Preferences.
12. Set Quality Option to Best Photo.
13. Click OK and then click OK again to close the dialog box.
14. Click OK to close the Epson Stylus Photo RX630 (M) Properties box.
3-16
Maintaining printer properties

In the Printer Properties dialog box updated in this demonstration, the following permissions can be
maintained:
Print
Manage this printer
Manage documents
The Printer Properties dialog box also included the following printer options that can be maintained.
Location
Printer Option
General tab
Printing Preferences, such as portrait/landscape orientation option and print quality
Ports tab
Configure Printer Port
Advanced
tab
Assign printer driver
Advanced
tab
Print spooling options
Advanced
tab
Hold mismatch documents option
Advanced
tab
Enable advanced printing features
3-17

Review questions
Question 1: You decided to share a folder containing the Scoping Assessment document and other
planning files created for your upcoming Microsoft Dynamics CRM implementation at Fabrikam, Inc.
However, now you do not want any of these planning files available offline. Which advanced sharing
options must you configure to enforce this requirement?
Answer: You must configure the caching options, which determine how offline versions of shared files will
be made available, if at all. By default, users must specify which files and programs are available offline.
Question 2: Contoso is installing Microsoft Dynamics GP and they have contracted with a vendor to
provide some custom programming work. Contoso asked Joseph, their senior IT desktop specialist, to
configure the NTFS permissions for the GP planning files it will be accumulating. Contoso has asked that
all IT users be assigned Modify permissions to the GP Implementation Planning folder. However, Contoso
only wants the subfolder titled Vendor Contracts to be available for viewing by a select group of
managers. How can Joseph accomplish this by taking into account permission inheritance?
Answer: Joseph can take a three step approach. First, he can assign the IT user group the Modify
permission for the GP Implementation Planning folder. Next, he can block inherited permissions on the
Vendor Contract subfolder. Third, he can restrict access to the subfolder by providing Read access to the
selected list of managers identified by Contoso.
Question 3: Peter is an IT professional working at Fabrikam. He is having trouble accessing a particular
file and suspects it has something to do with his NTFS permissions associated with the file. How can he
view his effective file permissions?
Answer: From the files property sheet, Peter can click the Security tab and then click Advanced. From
the Effective Permissions tab, he can enter his user alias and then view his effective permissions.
Question 4: Robin recently created a spreadsheet in which she explicitly assigned it NTFS file permissions
that restricted file access to just herself. Following the system reorganization, the file moved to a folder on
another NTFS partition and Robin discovered that other users were able to access the spreadsheet. What
is the probable cause of this situation?
Answer: When moving a file to a folder on a different NTFS partition, the file inherits the new folders
permissions. In this case, it is the new folder that the spreadsheet moved to allowed access by other user
groups.
Question 5: Contoso recently installed Windows 7 on its client computers. Because many of their sales
staff travel and work from various branch offices throughout any given month, Contoso decided to take
advantage of the location-aware printing functionality in Windows 7. Michael, a sales representative, was
pleased that he no longer had to configure printers each time he needed to print a document at a branch
office. However, to Michaels dismay, on his last trip he tried to connect to the company network using
Terminal Services and found that he still had to manually select the printer when he wanted to print a file.
Why did the system not automatically recognize the printer for Michael?
Answer: Because location-aware printing does not work when you connect to a network through Remote
Desktop (Terminal Services).
Best practices related to authentication and authorization

3-18
When setting up a computer, you are required to create a user account. This account is an
administrator account used to set up your computer and install any required programs.
Once you are finished setting up the computer, it is recommended to use a standard user
account for your daily computing.
It is safer to use a standard user account instead of an administrator account because it can
prevent users from making changes that affect everyone who uses the computer, especially if
your user account logon credentials are stolen.
Considerations when taking ownership of a file or folder include:
An administrator can take ownership of any file on the computer.
Assigning ownership of a file or folder might require elevating your permissions through
User Access Control.
The Everyone group no longer includes the Anonymous Logon group.
Best practices related to NTFS permissions

To simplify the assignment of permissions, you can grant the Everyone group Full Control share
permission to all shares and use only NTFS permissions to control access. Restrict share
permissions to the minimum required to provide an extra layer of security in case NTFS
permissions are configured incorrectly.
When permissions inheritance is blocked, you have the option to copy existing permissions or
begin with blank permissions. If you only want to restrict a particular group or user, then copy
existing permissions to simplify the configuration process.
Best practices related to managing shared folders

If the guest user account is enabled on your computer, the Everyone group includes anyone. In
practice, remove the Everyone group from any permission lists and replace it with the
Authenticated Users group.
Using a firewall other than that supplied with Windows 7 can interfere with the Network
Discovery and file-sharing features.
Tools
Use the following Command Prompt tools to manage file and printer sharing.
Tool
Description
Net share
Share folders from the Command Prompt
Net use
Connect to shared resources from the Command Prompt
Cacls.exe
Configure NTFS file and folder permissions from the Command Prompt
Compact.exe
Compress NTFS files and folders from the Command Prompt
Pnputil.exe
Preinstall printer drivers into the driver store
3-19
3-20

Question: You created the shared folder for all users. How can you simplify the process for users to access
the folder from their computers?
Answer: You can create a short cut on the user desktop for the shared folder or show the users how to
map a network drive to the shared folder. In a domain environment, you can also use Group Policy
settings to map the drive.
Question: You need to ensure that only specific users can access a shared folder across the network when
they are logged on the computer with the shared folder. How do you configure the permissions?
Answer: You will have to use NTFS permissions. Shared folder permissions are applied only when users
access the folder from across the network.
Question: You need to ensure that users can manage only the print jobs that they have sent to a shared
printer. Members of the HelpDesk group must be able to delete all print jobs. How do you configure the
printer permissions?
Answer: By default, everyone has permission to print to a printer and to manage their own print jobs. You
will have to assign the Manage documents permission to the HelpDesk group.
Configuring Network Connectivity
Module 4
Contents:
Lesson 1: Configuring IPv4 Network Connectivity
Lesson 2: Configuring IPv6 Network Connectivity
Lesson 3: Implementing Automatic IP Address Allocation
Lesson 5: Troubleshooting Network Issues
10
13
15
4-1
4-2
Lesson 1
Configuring IPv4 Network Connectivity

Contents:
Detailed Demo Steps

What Are Public and Private IPv4 Addresses?
Question: Which of the following is not a private IP address?
a.
16.16.254
b.
16.18.5
c.
168.1.1
d.
255.255.254
Answer: A and B.
Demonstration: Configuring an IPv4 Address

Question: When might you need to change a computers IPv4 address?
Answer: You must ensure that all computers on your network have a unique IPv4 address. If two
computers have the same IPv4 address, then you must change the IPv4 address on one of the two
computers.
4-3
4-4
Detailed Demo Steps

1.

Pa$$w0rd.
2.
Click Start, point to All Programs, click Accessories, and then click Command Prompt.
3.
At the command prompt, type ipconfig /all and then press ENTER. This displays the
configuration for all network connections on the computer.
4.
Close the command prompt.
5.
6.
Under Network and Internet, click View network status and tasks.
7.
In Network and Sharing Center, to the right of the Contoso.com Domain network, click Local
Area Connection 3. (Note: The local Area Connection number may be different in some cases.)
8.
In the Local Area Connection 3 Status window, click Details. This window shows the same
configuration information for this adapter as the ipconfig command.
9.
In the Network Connection Details windows, click Close.
10. In the Local Area Connection 3 Status window, click Properties. This window allows you to
configure protocols.
11. Click Internet Protocol Version 4 (TCP/IPv4) and then click Properties. You can configure the
IP address, subnet mask, default gateway and DNS servers in this window.
12. Click Advanced. The Advanced TCP/IP Settings window allows you to configure additional
settings such as additional IP addresses, DNS settings, and WINS servers for NetBIOS name
resolution.
13. Close all open windows without modifying any settings.
Lesson 2
Configuring IPv6 Network Connectivity

Contents:
Detailed Demo Steps
4-5
4-6

Question: Do you typically manually assign IPv6 addresses to a computer?
Answer: IPv6 is designed so that in most circumstances it must be configured dynamically. Link-local
addresses allow communication on the same IPv6 network without any configuration. However, to
control access to resources based on IPv6 addresses, you may need to assign a static IPv6 address.
4-7
Detailed Demo Steps

1.

Pa$$w0rd.
2.
3.
At the command prompt, type ipconfig /all and then press ENTER. This displays all network
connections for the computer. Notice that a link-local IPv6 address has been assigned.
4.
5.
6.
7.
Area Connection 3.
Note: The local Area Connection number may be different in some cases.
8.
In the Local Area Connection 3 Status window, click Details. This window shows the same
configuration information for this adapter and the ipconfig command.
9.
In the Network Connection Details windows, click Close.
10. In the Local Area Connection 3 Status window, click Properties. This window allows you to
11. Click Internet Protocol Version 6 (TCP/IPv6) and then click Properties. You can configure the
IPv6 address, subnet prefix length, default gateway, and DNS servers in this window.
12. Click Use the following IPv6 address and enter the following:
IPv6 address: 2001:0DB8:0000:0000:02AA:00FF:FE28:9C5A
Subnet prefix length: 64
13. Click Advanced. The Advanced TCP/IP Settings window allows you to configure additional
setting such as additional IP addresses and DNS settings.
14. In the Advanced TCP/IP Settings window, click Cancel.
15. In the Internet Protocol Version 6 (TCP/IPv6) Properties window, click OK.
16. In the Local Area Connection 3 Properties window, click Close.
17. In the Local Area Connection 3 Status window, click Details. Verify that the new IPv6 address
has been added.
4-8
Lesson 3
Implementing Automatic IP Address Allocation

Contents:
Detailed Demo Steps
4-9
Detailed Demo Steps

Demonstration: Configuring a Computer to Obtain an IPv4 Address
Dynamically
1.

Pa$$w0rd.
2.
3.
connections for the computer.
4.
5.
6.
7.
Area Connection 3.
8.
In the Local Area Connection 3 Status window, click Properties. This window allows you to
9.
Click Internet Protocol Version (TCP/IPv4) and then click Properties.
10. Click Obtain an IP address automatically. Notice that the Alternate Configuration tab
becomes available when you do this.
11. Click Obtain DNS server address automatically.
12. Click the Alternate Configuration tab. Configuration information on this tab is used when no
DHCP server is available.
13. Click OK to save the changes.
14. In the Local Area Connection 3 Properties window, click Close.
15. In the Local Area Connection 3 Status window, click Details. Notice that DHCP is enabled and
the IP address of the DHCP server is displayed.
4-10
Lesson 5
Troubleshooting Network Issues

Contents:
11
Detailed Demo Steps
12
4-11

Demonstration: Troubleshooting Common Network Related Problems
Question: How is the ping command useful for troubleshooting?
Answer: The ping command can be used to verify connectivity between hosts. However, be aware
that firewall can block ping packets but still allow the packets for other applications. If you obtain a
response to a ping attempt, the host is definitely running. However, if you do not obtain a response
to a ping attempt, the host may still be functional.
4-12
Detailed Demo Steps

Demonstration: Troubleshooting Common Network Related Problems
1.

Pa$$w0rd.
2.
3.
connections for the computer. This shows all network adapter configuration information.
4.
At the command prompt, type ipconfig /displaydns and then press ENTER. This displays the
contents of the DNS cache.
5.
At the command prompt, type ipconfig /flushdns and then press ENTER. This clears the
contents of the DNS cache.
6.
At the command prompt, type ping 127.0.0.1 and then press ENTER. This pings the local host.
7.
At the command prompt, type ping 10.10.0.10 and then press ENTER. This verifies connectivity
to LON-DC1 by using an IPv4 address.
8.
At the command prompt, type ping LON-DC1 and then press ENTER. This verifies connectivity
to LON-DC1 by using a host name.
9.
At the command prompt, type nslookup d1 LON-DC1 and then press ENTER. This provides
detailed information about the host name resolution. You can use the d2 option for even more
detail.
10. Close the command prompt.
4-13

Review questions
Question 1: After starting her computer, Amy notices that she is unable to access her normal Enterprise
Resources. What tool can she use to determine if she has a valid IP address?
Answer: Run IPConfig /All or Ping your domain controllers IP Address
Question 2: When transmitting Accounts Receivable updates to the billing partner in China, Amy notices
that the files are being transmitted slowly. What tool can she use to determine the network path and
latency of the network?
Answer: Use Windows Diagnostics to identify the problem or use Pathping.exe to check for latency
Question 3: Amy notices that she cannot access normal Enterprise Web sites. She knows that she has a
valid IP address but wants to troubleshoot the DNS access of her computer. What tool must she use?
Answer: Use NSLookup.exe to troubleshoot DNS access issues
Question 4: What is the IPv6 equivalent of an IPv4 APIPA address?
Answer: IPv6 link-local addresses
Question 5: You are troubleshooting a network-related problem and you suspect a name resolution
issue. Before conducting tests, you want to purge the DNS resolver cache. How do you do that?
Answer: Use IPCongfig /flushdns to clear the DNS Resolver Cache
Question 6: You are troubleshooting a network-related problem. The IP address of the host you are
troubleshooting is 169.254.16.17. What is a possible cause of the problem?
Answer: The DHCP server is unavailable to the host
Common issues related to network connectivity

Identify the causes for the following common issues and fill in the troubleshooting tips. For answers, refer
to relevant lessons in the module and the course companion CD content.
Issue
Troubleshooting tip
Window 7 host cannot connect to a

SharePoint site
Use Windows Diagnostics to Identify the problem
Windows 7 host cannot access the

database server
Use IPConfig tool to view, renew ,or release an IP Address
Windows 7 Host cannot connect to the

internet
Use Ping to test the connectivity to the DNS Server
DNS server is not resolving FQDNS

correctly
Use the flushdns option with IPConfig
4-14
Tools
You can use the following tools to troubleshoot network connectivity issues.
Tool
Description
Network and
Sharing Center
The Network and Sharing Center informs you about your network and verifies
whether your PC can successfully access the Internet; then, it summarizes this info
in the form of a Network Map.
Netsh.exe
A command that you can use to configure network properties from the
command-line.
Pathping.exe
A command-line tool that combines the functionality of Ping and Tracert, and
that you can use to troubleshoot network latency and provide information about
path data.
Nslookup.exe
A command-line tool that you can use to test and troubleshoot DNS and name
resolution issues.
IPConfig.exe
A general IP configuration and troubleshooting tool.
Ping.exe
A basic command-line tool that you can use for verifying IP connectivity.
Tracert.exe
Similar to Pathping, which provides information about network routes.
4-15

Question: How are APIPA addresses for IPv4 similar to link-local addresses in IPv6?
Answer: Both APIPA addresses are designed to allow computers to communicate on the local network
automatically without the use of a DHCP server or any other IP address configuration. However, an APIPA
address is only used when a DHCPv4 server is unavailable. An IPv6 link-local address is always generated
for a host using IPv6. Additional IPv6 addresses can still be obtained for communication outside the local
network.
Question: How can you update a Windows 7 computer to use the correct information after a host record
is updated in DNS, but the Windows 7 computer is still resolving the name to the previous IP address?
Answer: When a computer resolves a name to an IP address by using DNS, the name and IP address are
cached locally. You can clear this cache at a command prompt with the command ipconfig /flushdns.
Configuring Wireless Network Connections
Module 5
Contents:
Lesson 2: Configuring a Wireless Network
5-1
5-2
Lesson 2
Configuring a Wireless Network

Contents:
Detailed Demo Steps

Demonstration: Connecting to a Wireless Network
Question: What advanced wireless settings do you consider that improve security?
Answer: A list of MAC addresses allowed connecting to the WAP.
Question: Can a user connect a computer to an unlisted network if he or she does not know the
SSID?
Answer: Yes, the user can scan for networks and some tools provide information about unlisted
networks. Hiding or not broadcasting the SSID only provides basic protection.
Question: What are possible issues that arise when you connect to unsecured networks?
Answer: Your information can be viewed by other parties on the network.
Improving the Wireless Signal Strength

Question: What devices can interfere with a wireless network signal?
Answer: The IEEE 802.11b and the IEEE 802.11g standard use the S-Band Industrial, Scientific and
Medical (ISM) frequency range, which ranges from 2.4 to 2.5 GHz. This frequency range is also used
by devices such as microwave ovens, cordless phones, baby monitors, wireless video cameras, and
Bluetooth adapters, which may cause interference to the wireless network signal.
The IEEE 802.11a uses the C-Band ISM, which ranges from 5.725 to 5.875 GHz. Therefore, fewer
devices will cause interference with a wireless network using this standard.
5-3
5-4
Detailed Demo Steps

Demonstration: Connecting to a Wireless Network
How to configure a wireless AP
The following are the various steps in the demonstration:
1.
Click Start and then click Network to view a list of devices available.
2.
Right-click the wireless AP and click View device webpage to configure the device.
3.
Enter the required credentials. These usually come from the devices manufacturer. It is
recommended to change these credentials after the initial configuration of the wireless AP.
4.
Click Wireless Settings. This is a Netgear router. Note that other devices may have different
administrative interfaces, but they contain similar settings.
5.
Enter ADATUM in Name (SSID) to change the default SSID to something relevant to your
organization.
6.
You can change the channel to avoid interference from other devices.
7.
Select g only for mode to configure the 802.11 mode. If you have older 802.11b devices, you
can enable support for them.
8.
Clear Allow Broadcast of Name (SSIS) to prevent the wireless AP to broadcast its SSID.
9.
Select WPA2 with PSK. The particular security options vary between manufacturers, but typically
include the ones offered here: WEP, WPA and WPA2, and support for both PSK and Enterprise
options.
Note: If you select an enterprise option, you must provide additional information about how
authentication is handled within your organization. For example, the name of a RADIUS server
and other settings.
10. Enter Pa$$w0rd in the Network Key.

11. Click Apply to save the settings. Most wireless APs have a separate persistent save which means
that the device remembers the settings even after you power it down and start again.
12. Most wireless APs also provide options for more advanced settings. These include MAC address
filtering and bridging and are out of the scope of this demonstration.
13. Close all opened Windows.
How to connect to an unlisted wireless network

1.
Right-click the wireless network icon on the system tray and click Open Network and Sharing
Center.
2.
Click Manage wireless networks.
3.
Click Add to launch the wizard to guide you through the process of defining the properties of
the network.
4.
Click Manually create a network profile to configure an infrastructure network.
5.
Enter ADATUM in Network name, select WPA2-Personal for Security type, select AES for
Encryption type, and enter Pa$$w0rd for Security Key/Passphrase to define the appropriate
SSID and the security settings that correspond to those defined on the wireless AP.
5-5
Note: The specifics of the settings vary from network to network. In addition, the options
available may be restricted by Group Policy. Your ability to create a network connection may be
restricted.
6.
Click Next to connect to the network and then click Close.
7.
Center. Click Wireless Network Connection (ADATUM) to view the status of the network.
8.
Click Close to close the Wireless Network Connection Status dialog box.
9.
By default, all networks are placed in the Public network profile, which is the most restrictive.
From the Network and Sharing Center, click Public network.
10. Click Work Network and then click Close. Once you define a network location profile for a
network connection, Windows remembers it for subsequent connections to that network.
11. Close all opened Windows.
How to connect to a public wireless network

1.
Center to view the available networks. You can also click the wireless network icon on the system
tray to view the available networks.
2.
Notice that there is a wireless network available; the shield icon next to the wireless signal icon
denotes that the wireless network is open. This is can cause a possible security issue. Always be
careful when connecting to public networks.
3.
Click the wireless network, select Connect Automatically, and then click Connect. This connects
you to the wireless network.
4.
Windows prompts the user to define the network location profile. Select public.
5.
Click Close and then close the Network and Sharing Center.
5-6

Common issues related to finding wireless networks and improving signal strength
The following table lists common issues related to finding wireless networks and
improving signal strength
Problem
Proximity or physical
obstruction
Interference from
other signal
Cannot detect
wireless network
The wireless network

adapter is in monitor
mode
Check for devices that may cause interference, such as cordless

phones, Bluetooth devices or any other wireless devices. Turn them off
or move them farther away.
Consider changing the wireless AP settings to use a different wireless
channel, or set the channel to be selected automatically if it is set to a
fixed channel number.
Check that your wireless network adapter has the correct driver and its
working properly.
Check your computer for an external switch for the wireless network
adapter.
Check that the wireless AP is turned on and working properly.
Check whether the wireless AP is configured to advertise its SSID.
Check the information that came with the router or access point to
find out what connection mode the device is set to. The mode must be
either ad hoc (when devices communicate directly without going
through a router or access point) or infrastructure (when devices
communicate by going through a router or access point). Make sure
the setting in Windows for this network matches the setting on the
device.
If you have other computers that are connecting to the network, try
temporarily disconnecting them.
If a network monitoring program is running on your computer, the

wireless network adapter will be set to monitor mode, which prevents
Windows from connecting to wireless networks. To connect to a
wireless network, close the network monitoring program or follow the
instructions in the program to exit monitor mode.
Windows is not
configured to
connect to the right
type of network
The router or wireless

AP is busy
Ensure that your client computer is as close as possible to the wireless

AP.
If you are unable to get closer to the wireless AP, consider installing an
external antenna to your wireless network adapter.
Check for physical objects that may cause interference, such as a thick
wall or metal cabinet and consider removing the physical objects or
repositioning the wireless AP or the client.
Add wireless APs to the wireless network whenever applicable.
5-7
Real-world issues and scenarios

Question 1: You are implementing wireless networking in your organization. Which wireless network
technology standards and which type of security (authentication and encryption) will you choose?
Answer: There are two main considerations that you need to take into account when choosing a wireless
network technology standard: speed and cost. If possible, choose the latest standard, which is 802.11n
because it gives you the best signal strength and the highest maximum speed.
One of the drawbacks of this standard is that it is still under development. Even so, many devices already
support this standard based on the Draft 2 proposal. Another consideration is that devices that support
this standard tend to be more expensive than the ones that support 802.11g.
Always choose the highest level of security available. In this case, WPA and WPA2 both enable secure
authentication and encryption. Select the Enterprise mode for WPA/WPA2 because it offers centralized
management of authentication with RADIUS servers.
Question 2: Your organization already has a wireless network in place. Your users are complaining that
the performance of the wireless network is not as good as the wired network. What can you do to
increase the performance of the wireless network?
Answer: Consider three main areas that can improve the performance of your wireless network: proximity,
obstruction, and interference. Based on these areas, you can implement one or more solutions, such as
adding wireless APs or removing obstruction and interference. Refer to the Improving the Wireless Signal
Strength topic for more information.
Tools
Tool
Use to
Where to find it
Network and
Sharing Center
Configure network settings
Control Panel Systray
Connect to a
Network
Configure Windows 7-based client to connect to

a wireless network
Network and Sharing

Center Systray
Netsh
Configure local or remote network settings
Command prompt
Windows Network
Diagnostics
Troubleshoot access to wireless networks
Network and Sharing

Center Systray
5-8

Question: In the lab, you were tasked with making the wireless network as secure as possible. Is this
appropriate in situations where you want to make the wireless network accessible to anyone, for example,
in a coffee shop? How will you go about configuring the wireless infrastructure to support access in this
way?
Answer: No, using the settings in the lab results in the network being inaccessible to anyone except
specifically authorized users and computers. To make the network accessible for anyone, enable broadcast
of the SSID to make the network more visible. In addition, configure the network for Open security that
is, no certificate or shared key or other authentication mechanism is required to connect.
Question: Is it advisable to connect this less-restricted wireless network to your corporate network?
Answer: No, it is ill advised. Since you have little control over who connects to the network, or the status
of their computer, enabling unrestricted access to the corporate network introduces security challenges.
Question: Can you think of a way in which legitimate users from your organization can connect wirelessly
to your infrastructure from the same coffee shop area, while not providing the same access to anonymous
users?
Answer: Provide two wireless access points,and configure your users computers with GPO to only
connect to the defined wireless networks; these networks require the high-level authentication settings
discussed in the lab. Conversely, anonymous users will see only the open network. Care must be taken to
avoid interference between the two networks.
Securing Windows 7 Desktops
Module 6
Contents:
Lesson 1: Overview of Security Management in Windows 7
Lesson 2: Securing a Windows 7 Client Computer by Using Local

Security Policy Settings
Lesson 3: Securing Data by Using EFS and BitLocker
10
Lesson 4: Configuring Application Restrictions
15
Lesson 5: Configuring User Account Control
20
Lesson 6: Configuring Security Settings in Windows Internet Explorer 8
24
Lesson 7: Configuring Windows Defender
29
Lesson 8: Configuring Windows Defender
33
37
44
6-1
6-2
Lesson 1
Overview of Security Management in Windows 7

Contents:
Detailed Demo Steps
Detailed Demo Steps

Demonstration: Configuring Action Center Settings
Change Action Center Settings
1.
2.
3.
In Control Panel, click System and Security and then click Action Center.
4.
Click the down arrow next to Security and scroll down to review the settings.
5.
Click Change Action Center Settings in the left window pane.
6.
Under Maintenance Messages, ensure that the Windows Troubleshooting and Windows
Backup check boxes are cleared and then click OK.
Change User Control Settings

1.
Click Change User Account Control Settings in the left window pane.
2.
Move the slide bar down by one setting and then click OK.
View archived messages

1.
Select View archived messages in the left window pane.
2.
View any archived messages about computer problems and then click OK.
3.
Close the Action Center window.
6-3
6-4
Lesson 2
Securing a Windows 7 Client Computer by Using

Local Security Policy Settings
Contents:
Detailed Demo Steps
6-5

How Multiple Local Group Policies Work
Question: An administrator disables the setting titled Disable the Security page in the Local Group
Policy object. The administrator then enables the same setting in a user-specific Local Group Policy
object. The user logging on to the computer is not an administrator. Which policy setting will be
applied to this Local Group Policy object?
Answer: Windows reads the Local Group Policy object first, followed by the Non-Administrators Local
Group Policy object, and then the user-specific Local Group Policy object. The state of the policy
setting is disabled when Windows reads the Local Group Policy object. The policy setting is not
configured in the Non-Administrators Local Group Policy object. This has no affect on the state of the
setting, so it remains enabled. The policy setting is enabled in the user-specific Local Group Policy
object. This changes the state of the setting to Enabled. Windows reads the user-specific Local Group
Policy object last; therefore, it has the highest precedence. The Local Computer Policy has a lower
precedence.
6-6
Detailed Demo Steps

Demonstration: Creating Multiple Local Group Policies
Create a custom management console
1.
Log on to LON-CL1 as Contoso\Administrator with a password of Pa$$w0rd.
2.
Click Start, in the Search programs and files box, type mmc and then press ENTER.
3.
In Console1 [Console Root], click File and then click Add/Remove Snap-in.
4.
In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Group Policy
Object Editor and then click Add.
5.
In the Select Group Policy Object dialog box, click Finish.
6.
In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Group Policy
7.
In the Select Group Policy Object dialog box, click Browse.
8.
In the Browse for a Group Policy Object dialog box, click the Users tab.
9.
In the Local Users and Groups compatible with Local Group Policy list, click Administrators
and then click OK.
10. In the Select Group Policy Object dialog box, click Finish.
11. In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Group Policy
12. In the Select Group Policy Object dialog box, click Browse.
13. In the Browse for a Group Policy Object dialog box, click the Users tab.
14. In the Local Users and Groups compatible with Local Group Policy list, click NonAdministrators and then click OK.
15. In the Select Group Policy Object dialog box, click Finish.
16. In the Add or Remove Snap-ins dialog box, click OK.
17. In Console1 [Console Root], on the menu, click File and then click Save.
18. In the Save As dialog box, click Desktop.
19. In the File name box, type Multiple Local Group Policy Editor and then click Save.
Configure the Local Computer Policy

1.
In Multiple Local Group Policy Editor [Console Root], in the tree, expand Local Computer
Policy.
2.
Expand User Configuration, expand Windows Settings, and then click Scripts (Logon/Logoff).
3.
In the results pane, double-click Logon.
4.
In the Logon Properties dialog box, click Add.
5.
In the Add a Script dialog box, click Browse.
6.
In the Browse dialog box, right-click in the empty folder, point to New, click Text Document,
and then press ENTER.
7.
Right-click New Text Document, and then click Edit.
8.
Type msgbox Default Computer Policy , click File, click Save As.
9.
Type ComputerScript.vbs, change Save as type: to All Files, and then click Save.
6-7
10. Close ComputerScript.vbs.

11. In the Browse dialog box, click on the ComputerScript file and then click Open.
12. In the Add a Script dialog box, click OK.
13. In the Logon Properties dialog box, click OK.
Configure the Local Computer Administrators Policy

1.
In Multiple Local Group Policy Editor [Console Root], in the tree, expand Local
Computer\Administrators Policy.
2.
3.
4.
5.
6.
In the Browse dialog box, right-click in the empty folder, click New, click Text Document, and
then press ENTER.
7.
Right-click New Text Document and then click Edit.
8.
Type msgbox Default Administrators Policy , click File, and then click SaveAs.
9.
Type AdminScript.vbs, change Save as type: to All Files, and then click Save.
10. Close AdminScript.vbs.

11. In the Browse dialog box, click on the AdminScript file and then click Open.
Configure the Local Computer Non-Administrators Policy

1.
Computer\Non-Administrators Policy.
2.
3.
4.
5.
6.
In the Browse dialog box, right-click in the empty folder, click New, click Text Document, and
then press ENTER.
7.
Right-click New Text Document and then click Edit.
6-8
8.
Type msgbox Default Users Policy , click File, and then click SaveAs.
9.
Type UserScript.vbs, change Save as type: to All Files, and then click Save.
10. Close UserScript.vbs.

11. In the Browse dialog box, click on the UserScript file and then click Open.
14. Log off of LON-CL1.
Test Multiple Local Group Policies

1.
Log on to LON-CL1 as Contoso\Adam with a password of Pa$$w0rd.
2.
Click OK when prompted by the message box and then click OK again.
3.
Log off.
4.
5.
Click OK when prompted by the message box and then click OK again.
6.
On the desktop, right-click Multiple Local Group Policy Policy Editor and then click Open.
7.
Computer\Non-Administrators Policy.
8.
9.
10. In the Logon Properties dialog box, click Remove and then click OK.
11. In Multiple Local Group Policy Editor [Console Root], in the tree, expand Local
Computer\Administrators Policy.
12. Expand User Configuration, expand Windows Settings, and then click Scripts (Logon/Logoff).
13. In the results pane, double-click Logon.
15. In Multiple Local Group Policy Editor [Console Root], in the tree, expand Local Computer
Policy.
16. Expand User Configuration, expand Windows Settings, and then click Scripts (Logon/Logoff).
17. In the results pane, double-click Logon.
19. Close the Multiple Local Group Policy Editor [Console Root] snap-in.
20. Click Yes if prompted to save.
21. Log off.
6-9
Demonstration: Configuring Local Security Policy Settings

Review the local security group policy settings
1.
2.
Click Start, and in the Search programs and files box, type gpedit.msc and then press ENTER.
3.
In the Local Group Policy Editor, expand Computer Configuration, expand Windows
Settings, and then expand Security Settings.
4.
Expand Account Policies and then click Password Policy.
5.
Click Account Lockout Policy.
6.
In the left pane, click and expand Local Policies and then click Audit Policy.
7.
In the main window, right-click Audit account management and then select Properties.
8.
In the Audit account management Properties dialog box, select Success and Failure and then
click OK.
9.
Click User Rights Assignments.
10. Click Security Options.

11. In the left pane, click and expand Windows Firewall with Advanced Security and then click
Windows Firewall with Advanced Security Local Group Policy Object.
12. In the left pane, click Network List Manager Policies.
13. In the left pane, click and expand Public Key Policies and then click Encrypting File System.
14. Click BitLocker Drive Encryption.
15. In the left pane, click Software Restriction Policies.
16. In the left pane, click and expand Application Control Policies.
17. Click and expand AppLocker.
18. In the left pane, click IP Security Policies on Local Computer.
19. In the left pane, click and expand Advanced Audit Policy Configuration.
20. Click and expand System Audit Policies Local Group Policy Object.
21. Close the Local Group Policy Editor.
22. Log off LON-CL1.
6-10
Lesson 3
Securing Data by Using EFS and BitLocker

Contents:
11
Detailed Demo Steps
13
6-11

What Is EFS?
Question: Explain why system folders cannot be marked for encryption.
Answer: EFS keys are not available during the startup process; therefore, if system files are encrypted,
the system file cannot start.
What Is BitLocker?
Question: BitLocker provides full volume encryption. What does this mean?
Answer: Full volume encryption means: 1) the entire Windows operating system volume can be
encrypted, and 2) fixed data volumes can be encrypted (with the requirement that the OS volume is
also encrypted).
BitLocker Modes
Question: What is a disadvantage of running BitLocker on a computer that does not contain TPM
1.2?
Answer: Computers without TPMs will not be able to use the system integrity verification during
boot-up that BitLocker can also provide.
Configuring BitLocker
Question: When turning on BitLocker on a computer with TPM version 1.2, what is the purpose of
saving the recovery password?
Answer: If the TPM ever changes or cannot be accessed, if there are changes to key system files, or if
someone tries to start the computer from a product CD or DVD to circumvent the operating system,
the computer will switch to recovery mode and will remain there until the user provides the recovery
password. Storing the recovery password so that it is accessible to the user allows him or her to
complete the startup process.
Configuring BitLocker to Go
Question: How do you enable BitLocker To Go for a USB flash drive?
Answer: Insert the drive, and in Windows Explorer, right-click the drive and then click Turn On
BitLocker.
Recovering BitLocker Encrypted Drives

Question: What is the difference between the recovery password and the password ID?
Answer: The recovery password is a 48-digit password and is used to unlock a system in recovery
mode. The recovery password is unique to a particular BitLocker encryption and can be stored in
Active Directory. A computers password ID is a 32-character password unique to a Computer Name.
6-12
Find the password ID under a Computers properties, which you can use to locate recovery passwords
stored in Active Directory.
6-13
Detailed Demo Steps

Demonstration: Encrypting and Decrypting Files and Folders by Using EFS
Encrypt files and folders
1.
2.
3.
Double-click Local Disk (C:).
4.
Right-click an empty space in the Name column, point to New, and then click Folder.
5.
Type Encrypted in the folder name and then press ENTER.
6.
Double-click Encrypted, and then right-click an empty space in the Name column, point to
New, and then click Microsoft Office Word Document.
7.
Type Private and then press ENTER.
8.
Click the left arrow in the menu bar to return to Local Disk (C:).
9.
Right-click the Encrypted folder and then click Properties.
10. On the General tab, click Advanced.

11. Select the Encrypt contents to secure data check box and then click OK.
12. In the Encrypted Properties dialog box, click OK, and then in the Confirm Attribute Changes
dialog box, click Apply changes to this folder, subfolders and files.
13. Click OK.
14. Click OK to close the Encrypted Properties dialog box and then log off.
Confirm that the files and folders are encrypted

1.
Log on to the LON-CL1 as Contoso\Adam with a password of Pa$$w0rd.
2.
3.
4.
Double-click the Encrypted folder.
5.
Double-click Private.
6.
Click OK when prompted with a message.
7.
Click OK to close the User Name box.
8.
Close the file.
9.
Log off.
Decrypt files and folders

1.
2.
Click Start, click Computer, and then double-click Local Disk (C:).
6-14
3.
Right-click the Encrypted folder and then click Properties.
4.
On the General tab, click Advanced.
5.
Clear the Encrypt contents to secure data check box and then click OK.
6.
Click OK to close the Encrypted Properties dialog box.
7.
In the Confirm Attribute Changes dialog box, click OK.
8.
Log off.
Confirm that the files and folders are decrypted

1.
2.
3.
4.
Double-click the Encrypted folder.
5.
Double-click Private.
6.
Type decrypted in the file.
7.
Save and close the file.
8.
Log off.
Lesson 4
Configuring Application Restrictions

Contents:
16
Detailed Demo Steps
17
6-15
6-16

What Is AppLocker?
Question: What are some of the applications that are good candidates for applying an AppLocker
rule?
Answer: The suggestions from the class will vary.
AppLocker Rules
Question: When testing AppLocker, you must carefully consider how you will organize rules between
linked GPOs. What do you do if a GPO does not contain the default AppLocker rules?
Answer: If a GPO does not contain the default rules, then either add the rules directly to the GPO or
add them to a GPO that links to it.
Demonstration: Enforcing AppLocker Rules

Question: What is the command to update the computers policy and where is it run?
Answer: The command is gpupdate /force and it is run as an administrator in the command
prompt.
What Are Software Restriction Policies?

Question: Why must AppLocker rules be defined in a GPO separate from SRP rules?
Answer: AppLocker rules are completely separate from SRP rules and cannot be used to manage preWindows 7 computers. The two policies are also separate. If AppLocker rules have been defined in a
Group Policy Object (GPO), only those rules are applied. Therefore, define AppLocker rules in a
separate GPO to ensure interoperability between SRP and AppLocker policies.
6-17
Detailed Demo Steps

Demonstration: Configuring AppLocker Rules
Create a new executable rule
1.
2.
3.
4.
Expand Application Control Policies and then double-click AppLocker.
5.
Click Executable Rules and then right-click and select Create New Rule.
6.
Click Next.
7.
On the Permissions screen, select Deny and then click the Select button.
8.
In the Select User or Group dialog box, in the Enter the object names to select (examples)
box, type Contoso\Marketing, click Check Names, and then click OK.
9.
Click Next.
10. On the Conditions screen, select Path and then click Next.
11. Click the Browse Files button and then click Local Disk (C:).
12. Double-click Windows, select Regedit, and then click Open.
13. Click Next.
14. Click Next again and then click Create.
15. Click Yes when prompted to create default rules.
Create a new Windows Installer Rule

1.
Select Windows Installer Rules and then right-click and select Create New Rule.
2.
Click Next.
3.
On the Permissions screen, click Deny and then click Next.
4.
On the Conditions screen, select Publisher and then click Next.
5.
Click the Browse button, browse to E:\Labfiles\Mod06, select Microsoft Article Authoring
Add-In, and then click Open.
6.
On the Publisher screen, move the slide bar up by three settings so that the rule scope is set to
Applies to all files signed by the specified publisher.
7.
Click Next.
8.
Click Next again and then click Create.
9.
Click Yes when prompted to create default rules.
6-18
Automatically generate the Script Rules

1.
Select Script Rules and then right-click and select the Automatically Generate Rules option.
2.
In Automatically Generate Script Rules, on the Folder and Permissions screen, click Next.
3.
Click Next again.
4.
Click Create.
5.
Click Yes when prompted to create default rules.
6.
Close the Local Group Policy Editor and then log off.
Demonstration: Enforcing AppLocker Rules

Enforce AppLocker rules
1.
2.
3.
4.
Expand Application Control Policies.
5.
Click AppLocker and then right-click and select Properties.
6.
On the Enforcement tab, under Executable rules, click the Configured check box and then
select Enforce rules.
7.
On the Enforcement tab, under Windows Installer rules, click the Configured check box and
then select Audit only.
8.
Click OK.
9.
Close the Local Group Policy Editor.
Confirm the executable rule enforcement

1.
Click Start, and in the Search programs and files box, type cmd and then press ENTER.
2.
In the Command Prompt window, type gpupdate /force and then press ENTER. Wait for the
policy to be updated.
3.
Click Start, and then right-click Computer and click Manage.
4.
Expand Event Viewer and then expand Windows Logs.
5.
Click System.
6.
In the result pane, locate and click the latest event with Event ID 1502.
7.
Review event message details under the General tab.
8.
Expand Services and Applications and then click Services.
9.
Right-click Application Identity service in the main window pane and then click Start.
10. Close the Command Prompt.

11. In the Event Viewer, expand Application and Services Logs and then expand Microsoft.
12. Expand Windows, expand AppLocker, and then click EXE and DLL.
13. Review the entries in the results pane.
14. Close Computer Management.
15. Log off.
6-19
6-20
Lesson 5
Configuring User Account Control

Contents:
21
Detailed Demo Steps
22
6-21

How UAC Works
Question: What are the differences between a consent prompt and a credential prompt?
Answer: A consent prompt is displayed to administrators in Admin Approval Mode when they
attempt to perform an administrative task. It requests approval from the user to continue with the
task being performed. A credential prompt is displayed to standard users when they attempt to
perform an administrative task.
Demonstration: Configuring Group Policy Settings for UAC

Question: Which User Account Control detects when an application is being installed in Windows 7?
Answer: User Account Control: Detect application installations and prompt for elevation.
Configuring UAC Notification Settings

Question: What two configuration options are combined to produce the end user elevation
experience?
Answer: User Account Control security settings configured in Local Security Policy and User Account
Control settings configured in the Action Center in Control Panel.
6-22
Detailed Demo Steps

Create a UAC Group Policy setting preventing access elevation
1.
2.
Click Start, and in the Search programs and files box, type gpedit.msc and then press
ENTER.
3.
In the Local Group Policy Editor, under Computer Configuration, expand Windows Settings,
expand Security Settings, expand Local Policies, and then click Security Options.
4.
In the results pane, double-click User Account Control: Behavior of the elevation prompt for
standard users.
5.
In the User Account Control: Behavior of the elevation prompt for standard users dialog
box, click Automatically deny elevation requests then click OK.
6.
Close Local Group Policy Editor console.
7.
Log off.
Test the UAC settings

1.
2.
Click Start, right-click Computer, and then select Manage.
3.
Click OK when prompted.
4.
Log off.
Create a UAC Group Policy setting prompting for credentials

1.
2.
Click Start, and in the Search programs and files box, type gpedit.msc and then press
ENTER.
3.
In the Local Group Policy Editor, under Computer Configuration, expand Windows Settings,
expand Security Settings, expand Local Policies, and then click Security Options.
4.
In the results pane, double-click User Account Control: Behavior of the elevation prompt for
standard users.
5.
In the User Account Control: Behavior of the elevation prompt for standard users dialog
box, click Prompt for credentials and then click OK.
6.
Close Local Group Policy Editor console.
7.
Log off.
Test the UAC settings

1.
2.
Click Start, right-click Computer, and then select Manage.
3.
Type Administrator in the User name field.
4.
Type Pa$$w0rd in the Password field.
5.
Click Yes.
6.
Close the Computer Management console.
7.
Log off.
6-23
6-24
Lesson 6
Configuring Security Settings in Windows Internet

Explorer 8
Contents:
25
Detailed Demo Steps
27
6-25

Discussion: What Is a Firewall?
Question: What type of firewall does your organization currently use?
Answer: Answers will vary
Question: What are the reasons that it was selected?
Answer: Answers will vary
Configuring the Basic Firewall Settings

Question: List the three network locations. Where do you modify them, and what feature of Windows
7 allows you to use more than one?
Answer: The three network locations are as follows:
Home or work (private) networks: for networks at home or work where you know and
trust the people and devices on the network. When Home or work (private) networks is
selected, Network Discovery is turned on. Computers on a home network can belong to a
HomeGroup.
Domain networks: for networks at a workplace that are attached to a domain. When this
option is selected, Network Discovery is on by default and you cannot create or join a
HomeGroup.
Public networks: for networks in public places. This location keeps the computer from being
visible to other computers. When Public place is the selected network location, HomeGroup
is not available and Network Discovery is turned off.
You can modify the firewall settings for each type of network location from the main Windows
Firewall page. To set up or modify network location profile settings, click Change advanced sharing
settings in the left pane of the Network and Sharing Center.
Multiple active firewall policies enable computers to obtain and apply domain firewall profile
information, regardless of the networks that are active on the computers.
Windows Firewall with Advanced Security Settings

Question: There are three types of rules that can be created in Windows Firewall with Advanced
Security. List each type and the types of rules that can be created for each.
Answer: The three types with their associated types are as follows:
Inbound and Outbound rules
Program rules
Port rules
Predefined rules
6-26
Custom rules
Connection Security Rules
Isolation rules
Authentication exemption rules
Server-to-server
Tunnel rules
Custom rules
Well-Known Ports Used by Applications

Question: What is the TCP port used by HTTP by a Web server?
Answer: The TCP port is 80.
Detailed Demo Steps

Configure an Inbound Rule
1.
2.
3.
Click System and Security.
4.
Click Windows Firewall.
5.
In the left window pane, click Advanced settings.
6.
In Windows Firewall with Advanced Security, select Inbound Rules in the left pane.
7.
Review the existing inbound rules, right-click Inbound Rules, and click New Rule.
8.
On the Rule Type page of the New Inbound Rule wizard, select Predefined and then select
Remote Scheduled Tasks Management from the dropdown menu.
9.
Click Next.
10. Select both of the Remote Scheduled Tasks Management (RPC) rules and then click Next.
11. Select Block the connection and then click Finish.
Configure an Outbound Rule

1.
On LON-CL1, click Start and then click All Programs.
2.
Click Internet Explorer.
3.
If prompted by the Welcome to Internet Explorer 8 wizard, click Ask me later.
4.
Type http://LON-DC1 into the Address field and then press ENTER to connect to the default
Web site on LON-DC1.
5.
Close Internet Explorer.
6.
In the Windows Firewall with Advanced Security console, select Outbound Rules in the left
pane.
7.
Review the existing Outbound rules, right-click Outbound Rules, and then click New Rule.
8.
On the Rule Type page of the New Outbound Rule wizard, select Port and then click Next.
9.
Select TCP, select Specific remote ports and then type 80.
10. Click Next.

11. Select Block the connection and then click Next.
12. On the Profile page, click Next.
13. Type HTTP TCP 80 in the Name field and then click Finish.
Test the Outbound Rule

1.
On LON-CL1, click Start and then click All Programs.
6-27
6-28
2.
Click Internet Explorer.
3.
Type http://LON-DC1 into the Address field and then press ENTER to attempt to connect to
the default Web site on LON-DC1.
4.
Close Internet Explorer.
Create a Connection Security Rule

1.
In Windows Firewall with Advanced Security, select Connection Security Rules in the left
pane.
2.
Right-click Connection Security Rules and then select the New Rule option.
3.
Select Server-to-server and then click Next.
4.
On the Endpoints page, click Next.
5.
Select Require authentication for inbound and outbound connections and then click Next.
6.
Select Advanced and then click the Customize button.
7.
Under First authentication, click the Add button.
8.
In the Add First Authentication Method dialog box, select Computer (Kerberos V5) and then
click OK.
9.
Under Second authentication, click the Add button.
10. In the Add Second Authentication Method dialog box, select User (Kerberos V5) and then
click OK.
11. In the Customize Advanced Authentication Methods, click OK.
12. Click Next and then click Next again.
13. Type Kerberos Connection Security Rule and then click Finish.
Review monitoring settings in Windows Firewall

1.
In Windows Firewall with Advanced Security, select Monitoring in the left pane.
2.
Expand Monitoring and then select Firewall.
3.
Click Connection Security Rules.
4.
Click Security Associations.
5.
Select Outbound Rules in the left pane.
6.
Select the HTTP TCP 80 rule and then right-click and select Disable Rule.
7.
Select Connection Security Rules.
8.
Select Kerberos Connection Security Rule, right-click and then click Disable Rule.
9.
Close Windows Firewall with Advanced Security.
10. Log off.
Lesson 7
Configuring Windows Defender

Contents:
30
Detailed Demo Steps
31
6-29
6-30

Discussion: Compatibility Features in Internet Explorer 8
Question: What compatibility issues do you think you may encounter when updating Internet
Explorer?
Answer: Answers can vary.
Enhanced Privacy Features in Internet Explorer 8

Question: Describe the difference between InPrivate Browsing and InPrivate filtering.
Answer: InPrivate Browsing helps protect data and privacy by preventing browsing history,
temporary Internet files, form data, cookies, usernames, and passwords from being stored or retained
locally by the browser. InPrivate Filtering monitors the frequency of all third-party content as it
appears across all Web sites visited by the user.
The SmartScreen Feature in Internet Explorer 8

Question: What Internet Explorer 7 feature does the SmartScreen Filter replace in Internet Explorer 8?
Answer: The SmartScreen Filter replaces the Phishing Filter from Internet Explorer 7.
Other Security Features in Internet Explorer 8

Question: Describe how the XSS Filter works.
Answer: The XSS Filter has visibility into all requests and responses flowing through the browser.
When the filter discovers likely XSS in a request, it identifies and neutralizes the attack if it is replayed
in the servers response. The XSS filter helps protect users from Web site vulnerabilities; it does not ask
difficult questions that users are unable to answer, nor does it harm functionality on the Web site.
6-31
Detailed Demo Steps

Demonstration: Configuring Security in Internet Explorer 8
Enable compatibility view for all Web sites
1.
2.
Click the Internet Explorer icon on the taskbar.
3.
If the Set Up Windows Internet Explorer 8 window comes up, click Ask me later.
4.
On the Tools menu, click Compatibility View Settings.
5.
Click to select the Display all websites in Compatibility View check box and then click Close.
Delete Browsing History

1.
On the Tools menu, click Internet Options.
2.
On the General tab, under Browsing history, click Delete.
3.
Select Preserve Favorites website data and History. Clear all other options.
4.
Click Delete.
5.
Click OK and then close Internet Explorer.
Configure InPrivate Browsing

1.
On LON-CL1, click the Internet Explorer icon on the taskbar.
2.
Type http://LON-DC1 into the Address bar and then press ENTER.
3.
Click on the down arrow next to the Address bar to confirm that the address you typed into it is
stored.
4.
In Internet Explorer, click the Tools button and then click Internet Options.
5.
Click the General tab. Under Browsing History, click Delete.
6.
In the Delete Browsing History dialog box, clear Preserve Favorites website data, select
Temporary Internet Files, Cookies, History, and then click Delete.
7.
Click OK to close Internet Options.
8.
Confirm that there are no addresses stored in the Address bar by clicking on the down arrow next
to the Address bar.
9.
On the Safety menu, click InPrivate Browsing.
10. Type http://LON-DC1 into the Address bar and then press ENTER.
11. Confirm the address you typed in is not stored by clicking on the down arrow next to the Address
bar.
12. Close the InPrivate Browsing window.
13. Close Internet Explorer.
6-32
Configure InPrivate Filtering

1.
Click the Internet Explorer icon on the taskbar.
2.
On the Safety menu, click InPrivate Filtering.
3.
Click Let me choose which providers receive my information to choose content to block or
allow.
4.
On the InPrivate Filtering settings window, click Automatically block.
5.
Click OK.
View add-on management interface

1.
On the Tools menu, click Manage Add-ons.
2.
Ensure that Toolbars and Extensions is selected and then click Research.
3.
Click Search Providers.
4.
Click Bing.
5.
Click Accelerators.
6.
Scroll down to show all available accelerators.
7.
Click InPrivate Filtering.
8.
Click Close.
9.
Close Internet Explorer and then log off.
Lesson 8
Configuring Windows Defender

Contents:
34
Detailed Demo Steps
35
6-33
6-34

What Is Malicious Software?
Question: What are common security risks that you must consider when deploying a new operating
system?
Answer: During a desktop deployment, it is important to address any security risks that affect
application compatibility, data loss, and user functionality. Some of the more common security risks
are categorized as follows:
Malware risks: Viruses, Trojan horses, spyware
Data risks: Stolen laptops or removable universal serial bus (USB) hard drives
Web browser risks: Malicious Web sites, phishing
Network risks: Internal worm attacks, internal workstations that do not comply with
organizational security policies
Question: How can you be sure that you have addressed the appropriate security risks before and
after a desktop deployment?
Answer: Conduct a structured security risk management process that will help you to identify and
assess risk, identify and evaluate control solutions, implement the controls, and then measure the
effectiveness of the mitigation. Identifying security risks before a desktop deployment helps you to be
proactive in mitigating and implementing solutions.
What Is Windows Defender?

Question: List the four Windows Defender alert levels. What are the possible responses?
Answer: The four alert levels are Severe, High, Medium, and Low. Possible responses are Quarantine,
Remove, and Allow. For potential changes to Windows Settings, possible responses are Permit and
Deny.
Scanning Options in Windows Defender

Question: Why might you consider creating a restore point before applying actions to detected
items?
Answer: Because Windows Defender can be set to automatically remove detected items and
selecting this option allows you to restore system settings in case you want to use software that you
did not intend to remove.
6-35
Detailed Demo Steps

Demonstration: Configuring Windows Defender Settings
Set Windows Defender options
1.
2.
Click Start, click Search programs and files, type Windows Defender, and press ENTER.
3.
In Windows Defender, on the menu, click Tools.
4.
In Tools and Settings, click Options.
5.
In Options, select Automatic scanning.
6.
In the main window, ensure that the Automatically scan my computer (recommended) check
box is selected.
7.
Set Frequency to Monday.
8.
Set Approximate time to 6:00 AM.
9.
Set type to Quick scan.
10. Ensure the Check for updated definitions before scanning check box is selected.
11. In Options, select Default actions.
12. Set Severe alert items to Remove.
13. Set Low alert items to Allow.
14. Ensure the Apply recommended actions check box is selected.
15. In Options, select Real-time protection.
16. In Options, select Excluded files and folders.
17. In Options, select Excluded file types.
18. In Options, select Advanced.
19. Click Scan e-mail.
20. Click Scan removable drives.
21. In Options, select Administrator.
22. Click Save.
View Quarantine Items

1.
In Tools and Settings, click Quarantined Items.
2.
Click View.
3.
Click the back arrow in the top menu bar.
Microsoft SpyNet
1.
In Tools and Settings, click Microsoft SpyNet.
6-36
2.
Select Join with a basic membership.
3.
Click Save.
Windows Defender Web site

1.
In Tools and Settings, point out the Windows Defender Website link.
2.
Review and discuss the content of the Windows Defender Web site.
6-37

Review questions
Question 1: When User Account Control is implemented, what happens to standard users and
administrative users when they perform a task requiring administrative privileges?
Answer: For standard users, UAC prompts the user for the credentials of a user with administrative
privileges. For administrative users, UAC prompts the user for permission to complete the task.
Question 2: What are the requirements for Windows BitLocker to store its own encryption and decryption
key in a hardware device that is separate from the hard disk?
Answer: A computer with Trusted Platform Module (TPM) or a removable Universal Serial Bus (USB)
memory device, such as a USB flash drive. If your computer does not have TPM version 1.2 or higher,
BitLocker stores its key on the memory device.
Question 3: When implementing Windows AppLocker, what must you do before manually creating new
rules or automatically generating rules for a specific folder?
Answer: Create the default rules
Question 4: You decide to deploy a third-party messaging application on your companys laptop
computers. This application uses POP3 to retrieve e-mail from the corporate mail server, and SMTP to
send mail to the corporate e-mail relay. Which ports must you open in Windows Firewall?
Answer: You must enable inbound POP3, which uses TCP port 110, and outbound SMTP, which uses port
TCP 25. You can configure the firewall rules by using specific port assignments or by specifying the
program.
Question 5: Describe how the SmartScreen Filter works in Internet Explorer 8.
Answer: With the SmartScreen Filter enabled, Internet Explorer 8 performs a detailed examination of the
entire URL string and compares the string to a database of sites known to distributed malware, then the
browser checks with the Web service. If the Web site is known to be unsafe, it is blocked and the user is
notified with a bold SmartScreen blocking page that offers clear language and guidance to help avoid
known-unsafe Web sites.
Question 6: What does Windows Defender do to software that it quarantines?
Answer: Windows Defender moves the software to another location on your computer, and then
prevents the software from running until you choose to restore it or remove it from your computer.
Question 7: What configuration options are available with Windows Defender, where do you set them,
and why?
Answer: To help prevent spyware and other unwanted software from running on the computer, turn on
Windows Defender real-time protection and select all real-time protection options. You are alerted if
programs attempt to install, run on the computer, or change important Windows settings.
Turn on real-time protections by clicking Tools, clicking Options, and then clicking
Real-time protection. In the Options area, perform the following additional tasks:
Configure automatic scanning
Specify default actions for specific alert levels
Customize a scan by excluding files, folders, and file types
6-38
Use the Advanced options to scan archived files, email, and removable drives, and to use
heuristics and create a restore point.
Select whether to use Windows Defender and what information to display to all users
of the computer. History, Allowed items, and Quarantined items are hidden by default
to protect user privacy.
Real-world issues and scenarios

Question 1: An administrator configures Group Policy to require that data can only be saved on data
volumes protected by BitLocker. Specifically, the administrator enables the Deny write access to
removable drives not protected by BitLocker policy and deploys it to the domain. Meanwhile, an end
user inserts a USB flash drive that is not protected with BitLocker. What happens, and how can the user
resolve the situation?
Answer: Since the USB flash drive is not protected with BitLocker, Windows 7 displays an informational
dialog indicating that the device must be encrypted with BitLocker. From this dialog, the user chooses to
launch the BitLocker Wizard to encrypt the volume or continues working with the device as read-only.
Question 2: Trevor has implemented Windows AppLocker. Before he created the default rules, he created
a custom rule that allowed all Windows processes to run except for Regedit.exe. Because he did not create
the default rules first, he is blocked from performing administrative tasks. What does he need to do to
resolve the issue?
Answer: Trevor needs to restart the computer in safe mode, add the default rules, delete any deny rules
that are preventing access, and then refresh the computer policy.
Question 3: A server has multiple network interface cards (NICs), but one of the NICs is not connected. In
Windows Vista, this caused the machine to be stuck in the public profile (the most restrictive rule). How is
this issue resolved in Windows 7?
Answer: The new multiple active firewall profile feature in Windows 7 solves the problem by applying the
appropriate rules to the appropriate network; in this case, the profile associated with the connected NIC
will be applied.
Common issues related to Internet Explorer 8 security settings

IT professionals must familiarize themselves with the common issues that are related
to Internet Explorer 8 security settings.
Diagnose Connection Problems button
The Diagnose Connections Problems button helps users find and resolve issues
potentially without involving the Helpdesk. When Internet Explorer 8 is unable to
connect to a Web site, it shows a Diagnose Connection Problem button. Clicking the
button helps the user resolve the problem by providing information to troubleshoot the
problem. This option was available in Internet Explorer 7 but is now simpler to find in
Internet Explorer 8.
Resetting Internet Explorer 8 settings
If Internet Explorer 8 on a users computer is in an unstable state, you can use the
Reset Internet Explorer Settings (RIES) feature in Internet Explorer 8 to restore the
default settings of many browser features. These include the following:
Search scopes
Appearance settings
Toolbars
ActiveX controls (reset to opt-in state, unless they are pre-approved)
Branding settings created by using IEAK 8
6-39
You can choose to reset personal settings by using the Delete Personal Settings option
for the following:
Home pages
Browsing history
Form data
Passwords
RIES disables all custom toolbars, browser extensions, and customizations that have
been installed with Internet Explorer 8. To use any of these disabled customizations,
you must selectively enable each customization through the Manage Add-ons dialog
box.
RIES does not do the following:
Clear the Favorites list
Clear the RSS Feeds
Clear the Web Slices
Reset connection or proxy settings
Affect Administrative Template Group Policy settings that you apply
Note: Unless you enable the Group Policy setting titled Internet Explorer Maintenance
policy processing, Normal mode settings on the browser created by using IEM are lost
after you use RIES.
To use RIES in Internet Explorer 8, follow these steps:

1.
Click the Tools menu and then click Internet Options.
2.
On the Advanced tab, click Reset.
3.
In the Reset Internet Explorer Settings dialog box, click Reset. To remove personal
settings, select the Delete Personal Settings check box. To remove branding, select the
Remove Branding check box.
4.
When Internet Explorer 8 finishes restoring the default settings, click Close, and then click OK
twice.
5.
Close Internet Explorer 8. The changes take effect the next time you open Internet Explorer 8.
6-40
Note: To prevent users from using the RIES feature, enable the Do not allow resetting
Internet Explorer settings policy in Group Policy Administrative Templates.
Best practices for User Account Control
UAC Security Settings are configurable in the local Security Policy Manager (secpol.msc) or the
Local Group Policy Editor (gpedit.msc). However, in most corporate environments, Group Policy is
preferred because it can be centrally managed and controlled. There are nine Group Policy object
(GPO) settings that can be configured for UAC.
Because the user experience can be configured with Group Policy, there can be different user
experiences, depending on policy settings. The configuration choices made in your environment
affect the prompts and dialog boxes that standard users, administrators, or both, can view.
For example, you may require administrative permissions to change the UAC
setting to Always notify me or Always notify me and wait for my response.
With this type of configuration, a yellow notification appears at the bottom of
the User Account Control Settings page indicating the requirement.
Best practices for Windows BitLocker
Because BitLocker stores its own encryption and decryption key in a hardware device that is
separate from the hard disk, you must have one of the following:
A computer with Trusted Platform Module (TPM).
A removable Universal Serial Bus (USB) memory device, such as a USB flash drive. If your
computer does not have TPM version 1.2 or higher, BitLocker stores its key on the memory
device.
The most secure implementation of BitLocker leverages the enhanced security capabilities of
Trusted Platform Module (TPM) version 1.2.
On computers that do not have a TPM version 1.2, you can still use BitLocker to encrypt the
Windows operating system volume. However, this implementation will require the user to insert a
USB startup key to start the computer or resume from hibernation and does not provide the prestartup system integrity verification offered by BitLocker that is working with a TPM.
Best practices for Windows AppLocker
Before manually creating new rules or automatically generating rules for a specific folder, create
the default rules. The default rules ensure that the key operating system files are allowed to run
for all users.
When testing AppLocker, carefully consider how you will organize rules between linked GPOs. If a
GPO does not contain the default rules, then either add the rules directly to the GPO or add
them to a GPO that links to it.
After creating new rules, enforcement for the rule collections must be configured and the
computers policy refreshed.
By default, AppLocker rules do not allow users to open or run any files that are not specifically
allowed. Administrators must maintain a current list of allowed applications.
6-41
If AppLocker rules are defined in a Group Policy Object (GPO), only those rules are applied. To
ensure interoperability between Software Restriction Policies rules and AppLocker rules, define
Software Restriction Policies rules and AppLocker rules in different GPOs.
When an AppLocker rule is set to Audit only, the rule is not enforced. When a user runs an
application that is included in the rule, the application is opened and runs normally and
information about that application is added to the AppLocker event log.
At least one Windows Server 2008 R2 domain controller is required to host the AppLocker rules.
Best practices for Windows Defender
When using Windows Defender, you must have current definitions.
To help keep your definitions current, Windows Defender works with Windows Update to
automatically install new definitions as they are released. You can also set Windows Defender to
check online for updated definitions before scanning.
When scanning your computer, it is recommended that you select the advanced option to
Create a restore point before applying actions to detected items. Because

you can set Windows Defender to automatically remove detected items, selecting this option
allows you to restore system settings in case you want to use software that you did not intend to
remove.
Best practices for the Encrypted File System (EFS)

The following is a list of standard best practices for EFS users:
Users should export their certificates and private keys to removable media and store the media
securely when it is not in use. For the greatest possible security, the private key must be removed
from the computer whenever the computer is not in use. This protects against attackers who
physically obtain the computer and try to access the private key. When the encrypted files must
be accessed, the private key can easily be imported from the removable media.
Encrypt the My Documents folder for all users (User_profile\My Documents). This makes sure that
the personal folder, where most documents are stored, is encrypted by default.
Users should encrypt folders rather than individual files. Programs work on files in various ways.
Encrypting files consistently at the folder level makes sure that files are not unexpectedly
decrypted.
The private keys that are associated with recovery certificates are extremely sensitive. These keys
must be generated either on a computer that is physically secured, or their certificates must be
exported to a .pfx file, protected with a strong password, and saved on a disk that is stored in a
physically secure location.
Recovery agent certificates must be assigned to special recovery agent accounts that are not
used for any other purpose.
Do not destroy recovery certificates or private keys when recovery agents are changed. (Agents
are changed periodically). Keep them all, until all files that may have been encrypted with them
are updated.
Designate two or more recovery agent accounts per organizational unit (OU), depending on the
size of the OU. Designate two or more computers for recovery, one for each designated recovery
agent account. Grant permissions to appropriate administrators to use the recovery agent
6-42
accounts. It is a good idea to have two recovery agent accounts to provide redundancy for file
recovery. Having two computers that hold these keys provides more redundancy to allow
recovery of lost data.
Implement a recovery agent archive program to make sure that encrypted files can be recovered
by using obsolete recovery keys. Recovery certificates and private keys must be exported and
stored in a controlled and secure manner. Ideally, as with all secure data, archives must be stored
in a controlled access vault and you must have two archives: a master and a backup. The master
is kept on-site, while the backup is located in a secure off-site location.
Avoid using print spool files in your print server architecture, or make sure that print spool files
are generated in an encrypted folder.
The Encrypting File System does take some CPU overhead every time a user encrypts and
decrypts a file. Plan your server usage wisely. Load balance your servers when there are many
clients using Encrypting File System (EFS).
Configuration guidelines for Windows Firewall with Advanced Security
You can configure Windows Firewall with Advanced Security in the following ways:
Configure a local or remote computer by using either the Windows Firewall with
Advanced Security snap-in or the Netsh advfirewall command.
Configure Windows Firewall with Advanced Security settings by using the Group Policy
Management Console (GPMC) or using the Netsh advfirewall command.
If you are configuring the firewall by using Group Policy, you need to ensure that the
Windows Firewall service has explicit write access by its service security identifier (SID) to
the location that you specify.
If you deploy Windows Firewall with Advanced Security by using Group Policy and then
block outbound connections, ensure that you enable the Group Policy outbound rules
and do full testing in a test environment before deploying. Otherwise, you might
prevent all of the computers that receive the policy from updating the policy in the
future, unless you manually intervene.
Resources for Internet Explorer 8

Use the following information as needed:
For more information about IANA port-assignment standards, visit the IANA Web site
Windows Internet Explorer 8 Technology Overview for Enterprise and IT Pros
Internet Explorer 8 Support page
Internet Explorer 8: Home Page
Internet Explorer 8 Frequently Asked Questions
Internet Explorer 8 newsgroups
Internet Explorer 8 Forum on TechNet
Internet Explorer 8: Help and Support
The new Application Compatibility Toolkit (ACT) with support for Internet
Explorer 8 is available from MSDN
The Application Compatibility Toolkit is accompanied by a white paper that

explains compatibility issues identified by the tool
Information about anti-phishing strategies
Information about the RIES feature
Internet Explorer Application Compatibility
6-43
6-44

Question: What are the types of rules you can configure in Windows Firewall?
Answer: You can create inbound and outbound firewall rules based on connections to a program,
TCP/UDP port, predefined and custom.
Question: What are some of the new security settings in Internet Explorer 8?
Answer: The new security settings available in Internet Explorer 8 include the compatibility view, InPrivate
Browsing and InPrivate Filtering.
Question: Will the default Windows Defender settings allow to check for new definitions, regularly scan
for spyware and other potentially unwanted software?
Answer: Yes, Windows Defender is by default configured to check for new definitions and perform
regular scans. You also have an option of configuring your own settings is required
Question: What are some of the types of scans Windows Defender can perform to detect malicious and
unwanted software?
Answer: Windows Defender can be used to scan e-mails, archives, compressed files, and content of
removable drives.
Optimizing and Maintaining Windows 7 Client Computers
Module 7
Contents:
Lesson 1: Maintaining Performance by Using the Windows 7
Performance Tools
Lesson 2: Maintaining Reliability by Using the Windows 7 Diagnostic

Tools
Lesson 3: Backing Up and Restoring Data by Using Windows Backup
10
Lesson 4: Restoring a Windows 7 System by Using System Restore Points
14
Lesson 5: Configuring Windows Update
17
19
21
7-1
7-2
Lesson 1
Maintaining Performance by Using the Windows 7

Performance Tools
Contents:
Detailed Demo Steps
7-3

Performance Monitor and Data Collector Sets
Question: Which resources can cause performance problems if you have a shortage of them?
Answer: Central processing unit (CPU), random access memory (RAM), disk, and network.
Demonstration: Using the Resource Monitor

Question: How can you simplify the task of monitoring the activity of a single process when it spans
different tabs?
Answer: If you select the check box for a process, then that process will be at the top of the list when
you move between tabs. This will simplify your ability to view different characteristics of a single
process and can be useful when you are trying to find the resource that is a performance bottleneck
for a process.
Demonstration: Analyzing System Performance by Using Data Collector

Sets and Performance Monitor
Question: How can you use Performance Monitor for troubleshooting?
Answer: You can use Performance Monitor to monitor resources when running an application that is
having problems. If a problem is occurring at a specific time, you can schedule a data collector set to
run at that time and collect additional information about resource usage when this problem occurs.
7-4
Detailed Demo Steps

Demonstration: Using the Resource Monitor
This demonstration shows how to use the Resource Monitor.
Log on to the LON-CL1 virtual machine as Contoso\Administrator with a password of Pa$$w0rd.
1.
Click Start. In the search box, type res and then click Resource Monitor. The Overview tab shows
CPU usage, disk I/O, network usage, and memory usage information for each process. Summary
information is provided in a bar above each section.
2.
Click the down arrow in the Disk section to expand it.
3.
Click the Views button and then click Medium. This controls the size of the graphs that display CPU
usage, disk I/O, network usage, and memory activity.
4.
Click the CPU tab. This tab has more detailed CPU information that you can filter so that it is based
on the process.
5.
In the Processes area, select the check box for a process and then expand the Associated Handles
area. This shows the files that are used by this process. It also keeps the selected process at the top of
the list for effortless monitoring.
6.
Click the Memory tab. This tab provides detailed information about memory usage for each process.
Notice that the previously selected process is still selected so that you can review multiple kinds of
information about a process as you switch between tabs.
7.
Click the Disk tab. This tab shows processes with recent disk activity.
8.
Expand the Disk Activity area and clear the Image check box to remove the filter and show all
processes with current disk activity. The Disk Activity area provides detailed information about the
files in use. The Storage area provides general information about each logical disk.
9.
Click the Network tab. This tab provides information about all processes with current network
activity.
10. Expand the TCP Connections area. This shows current TCP connections and information about those
connections.
11. Expand the Listening Ports area. This shows the processes that are listening for network connections
and the ports they are listening on. The firewall status for those ports is also shown.
12. Close the Resource Monitor.
Demonstration: Analyzing System Performance by Using Data Collector

Sets and Performance Monitor
This demonstration shows how to analyze system performance by using Data Collector Sets and
Performance Monitor.
1.
2.
Click Start, and in the search box, type per, and then click Performance Monitor.
3.
In the Performance Monitor window, click the Performance Monitor node. Notice that only %
Processor Time is displayed by default.
4.
Click the + symbol in the toolbar to add an additional counter.
5.
In the Available counters area, expand PhysicalDisk and then click % Idle Time.
6.
In the Instances of selected object box, click 0 C:, click Add, and then click OK.
7.
Right-click % Idle Time and then click Properties.
8.
In the Color box, click green and then click OK.
9.
In the left pane, expand Data Collector Sets and then click User Defined.
7-5
10. Right-click User Defined, point to New, and then click Data Collector Set.
11. In the Name box, type CPU and Disk Activity and then click Next.
12. In the Template Data Collector Set box, click Basic and then click Next. Using a template is
recommended.
13. Click Next to accept the default storage location for the data.
14. Click Open properties for this data collector set and then click Finish. On the General tab, you can
configure general information about the data collector set and the credentials that are used when it is
running.
15. Click the Directory tab. This tab lets you define information on how the collected data is stored.
16. Click the Security tab. This tab lets you configure which users can change this data collector set.
17. Click the Schedule tab. This tab lets you define when the data collector set is active and collecting
data.
18. Click the Stop Condition tab. This tab lets you define when data collection is stopped based on time
or data that is collected.
19. Click the Task tab. This tab lets you to run a scheduled task when the data collector set stops. This
can be used to process the collected data.
20. Click Cancel.
21. Notice that there are three kinds of logs listed in the right pane.
Performance Counter collects data that can be viewed in the Performance Monitor.
Kernel Trace collects detailed information about system events and activities.
Configuration records changes to registry keys.
22. In the right pane, double-click Performance Counter. Notice that all Processor counters are
collected by default.
23. Click Add.
24. In the Available counters area, click PhysicalDisk, click Add, and then click OK. All the counters for
the PhysicalDisk object are now added.
25. In the left pane, right-click CPU and Disk Activity and then click Start.
26. Wait a few moments and the data collector set will stop automatically.
7-6
27. Right-click CPU and Disk Activity and then click Latest Report. This report shows the data that is
collected by the data collector set.
28. Close the Performance Monitor.
Lesson 2
Maintaining Reliability by Using the Windows 7

Diagnostic Tools
Contents:
Detailed Demo Steps
7-7
7-8

Demonstration: Resolving Startup Related Problems
Question: When do you use the command prompt to perform system repairs manually?
Answer: You use the command prompt to perform system repairs manually if the automated tools
cannot repair the system.
7-9
Detailed Demo Steps

Demonstration: Resolving Startup Related Problems
This demonstration shows how to resolve startup related problems.
1.
Connect the DVD Drive in LON-CL1 to the Windows 7 installation DVD.
C:\Program Files\Microsoft Learning\6292\drives\Windows7_32bit.iso
2. Restart LON-CL1 and press a key to start from the DVD when you are prompted.
3. On the Windows 7 page, click Next.
4. Click Repair your computer.
5. In the System Recovery Options window, read the list of operating systems
found and then click Next.
6. Read the options that are listed.
Startup Repair tries to automatically repair a Windows system that is not starting correctly.
System Restore is used to restore system configuration settings based on a restore point.
System Image Recovery is used to perform a full restore from Windows backup.
Windows Memory Diagnostic is used to test physical memory for errors.
Command Prompt lets you manually access the local hard disk and perform repairs.
7. Click Command Prompt.

8. At the command prompt, type C: and press Enter.
9. At the command prompt, type dir and press Enter. Notice that there are no files
on the C: drive.
10. At the command prompt, type E: and press Enter.
11. At the command prompt, type dir and press Enter. Notice that this drive is the
C: drive when Windows 7 is running.
12. Close the command prompt and then click Restart.
7-10
Lesson 3
Backing Up and Restoring Data by Using Windows

Backup
Contents:
11
Detailed Demo Steps
12
7-11

Demonstration: Perform a Backup
Question: What files do you need to back up on a computer?
Answer: Back up all data files on a computer. Also, a full system image will help restore your
computer if a hard disk fails.
Demonstration: Restoring Data

Question: When do you need to restore to an alternate location?
Answer: Restore to an alternate location to keep the current version of a file and also get a copy of
an older version for comparison. For example, a file may have had some information added and some
deleted since a backup was performed. If you want to keep the new information that was added and
get the information that was deleted, you must have both versions of the file.
7-12
Detailed Demo Steps

Demonstration: Perform a Backup
This demonstration shows how to perform a backup.
1.
2.
Click Start and then click Documents.
3.
In the Documents window, right-click an open area, point to New, and then click Text Document.
4.
Type Important Document and then press ENTER.
5.
Double-click Important Document, enter some text in the document, and then close Notepad.
6.
Click Save to save the file and then close the Documents window.
7.
Click Start, point to All Programs, click Maintenance, and then Backup and Restore.
8.
Click Set up backup.
9.
Click Allfiles (E:) and then Next.
10. Click Let me choose and then Next. Notice that by default, both the libraries for all users and a
system image are selected.
11. Clear all check boxes in the window, select the bolded Administrators Libraries check box, and
then click Next.
12. Click Change schedule.
13. Ensure that the Run backup on a schedule (recommended) check box is selected; review the
available options for How often, What day, and What time, and then click OK.
14. Click Save settings and Run Backup.
15. Watch as the backup completes. Click View Details to see detailed progress.
16. Close the Backup and Restore window
Demonstration: Restoring Data

This demonstration shows how to restore data.
1.
2.
Click Start, point to All Programs, click Maintenance, and then Backup and Restore.
3.
Click Restore my files and then Browse for files.
4.
In the Browse the backup for file window, click administrator.CONTOSOs backup, and then in
the right pane, double-click Documents, click Important Document, and then Add files.
5.
Click Next.
6.
Click In the original location and then click Restore.
7.
When prompted that the file already exists, click Copy and Replace.
8.
Click Finish.
9.
Close Backup and Restore.
7-13
7-14
Lesson 4
Restoring a Windows 7 System by Using System

Restore Points
Contents:
15
Detailed Demo Steps
16
7-15

How System Restore Works
Question: What are the situations when you might need to use System Restore?
Answer: If your computer is running slowly or is not working properly, you can use System Restore to
return your computers system files and settings to an earlier point in time, using a restore point.
Question: When do you restore a file from a restore point rather than a backup?
Answer: You will use System Restore when you need to restore all system files in the computer to a
specific date and time. System Restore will only restore system files and will not recover any personal
files that were deleted or damaged.
What Are Previous Versions of Files?

Question: What are the benefits of maintaining previous versions of files?
Answer: If you accidentally change or delete a file or a folder, you can restore it to an earlier version
that is saved as part of a restore point.
Demonstration: Restoring a System

Question: When will the previous version of a file be unavailable?
Answer: The previous version of a file will not be available if it is stored on the local hard disk. If the
local hard disk fails or becomes corrupted, then you must restore this data from a backup.
7-16
Detailed Demo Steps

Demonstration: Restoring a System
This demonstration shows how to restore a system.
1.
2.
Click Start and then click Documents.
3.
Double-click Important Document, enter some new text, and then close Notepad.
4.
Click Save and then close the Documents window.
5.
Click Start, right-click Computer, and then click Properties.
6.
In the System window, click System protection.
7.
In the Protection settings area, click Local Disk (C:) (System) and then Configure.
8.
In the Restore Settings area, click Restore system settings and previous versions of files and then
click OK.
9.
In the Protection settings area, click Allfiles (E:) and then Configure.
10. In the Restore settings area, click Restore system settings and previous versions of files and then
OK.
11. In the System Properties window, click Create. The system typically performs this automatically,
rather than manually, before software installation is performed.
12. In the System Protection window, type Restore Point 1 and then click Create.
13. When the creation of the restore point is finished, click Close.
14. In the System Properties window, click OK and then close the System window.
15. Click Start and then click Documents.
16. Right-click Important Document and click Restore previous versions. This version of the file was
created during the restore point creation.
17. Click Cancel and close the Documents window.
18. Click Start, point to All Programs, click Accessories, System Tools, and then System Restore.
19. In the Restore system files and settings window, click Next.
20. Click Restore Point 1 and then Next.
21. On the Confirm your restore point page, click Finish.
22. Click Yes to continue. Be aware that this restores only system files, not data files.
23. Log on to the LON-CL1 virtual machine as Contoso\Administrator with a password of Pa$$w0rd.
24. Read the message in the System Restore window and click Close.
Lesson 5
Configuring Windows Update

Contents:
18
7-17
7-18

What Is Windows Update?
Question: How is the Automatic Updates feature useful?
Answer: It is an online catalog that ensures that your computer is always up-to-date.
Windows Update Group Policy Settings

Question: What is the benefit of configuring Windows update by using Group Policy rather than by
using Control Panel?
Answer: Using a group policy allows you to apply the configuration settings to multiple computers
by performing a single action. It also prevents users from overriding the settings.
7-19

Review questions
Question 1: You have problems with your computers performance, how can you create a data
collector set to analyze a performance problem?
Answer: You can create a Data Collector Set from counters in the Performance Monitor display, use a
template, or do it manually.
Question 2: You have received an e-mail message from an unknown person and suddenly you have a
virus and must restore your computer.
1.
What kind of system restore do you need to perform?
2.
Will the computer restore to software that you installed two days ago?
3.
How long are restore points saved?
4.
What if System Restore does not fix the problem?
Answer:
1.
You need to create a system restore to return your files to a point before you got the virus.
2.
Yes, a restore point is automatically created before a significant system event.
3.
Restore points are saved until the disk space System restore reserves are filled up. As new
restore points are created, old ones are deleted.
4.
If System restore does not fix the problem, you can undo the system restore or try choosing
a different restore point.
Tools
Tool
Use for
Where to find it
Performance
Information and Tools
Lists information for speed and performance
Control Panel
Performance Monitor
Multiple graph views of performance
Administrative Tools
Resource Monitor
Monitor use and Performance for CPU, disk,

network, and memory
Advanced tools in
Performance
Information and tools
Windows Experience
Index
Measure the computers key components
Performance
Information and Tools
Monitoring Tools
Performance Monitor
Performance monitor
Data Collector Set
Performance Counters
Performance monitor
7-20
Event Traces and system configuration data

Windows Memory
Diagnostic
Check your computer for memory problems
Administrative tools
Fix a Network Problem
Troubleshoots Network problems
Network and Sharing

Center
Reliability Monitor
Review your computers reliability and problem

history
Action center
Problem reports and

Solution tool
Choose when to check for solutions to

problems reports
Action Center
Startup Repair Tool
Scan the computer for startup problems
Windows 7 DVD
Backup and Restore

Tool
Back up or restore user and system files
System and Security
Image Backup
A copy of the drivers required for Windows to

run
Backup and Restore
System Repair Disc
Used to start the computer
Backup and Restore
System restore
Restore the computer to an earlier point in

time
Control Panel
Previous versions of
files
Copies of files and folders that Windows

automatically saves as part of a restore point.
System Properties
Restore Point
A stored state of the computers system files.
System Properties
Disk Space Usage
Adjust maximum disk space used for system

protection
System Properties
Windows Update
Service that provides software updates
System and Security
Change Update
Settings
Change settings for windows update
Windows Update
View update History
Review the computers update history
Windows Update
7-21

Question: What are the benefits of creating a data collector set?
Answer: When you configure a data collector set, you can customize the information that will be
included in the data collector set, and you can customize when the data will be collected. This is
useful if you need to analyze a specific computer performance issue at a specific time.
Question: Under what circumstances might you choose to disable system restore points on all
Windows 7 computers in your environment?
Answer: You might choose to disable system restore points on the Windows 7 computers if you have
a centrally managed process for managing data and for restoring computers in the event of a
computer failure. For example, if all users are required to store their files on a file server, you do not
need to use system restore points to recover user data. As an alternative to restoring computers from
system restore points, your organization may choose to just rebuild Windows 7 computers from an
image rather than spend the time restoring system files.
Configuring Mobile Computers and Remote Access in Windows 7
Module 8
Configuring Mobile Computers and Remote Access in
Windows 7
Contents:
Lesson 1: Configuring Mobile Computer and Device Settings
Lesson 2: Configuring Remote Desktop and Remote Assistance for

Remote Access
Lesson 3: Configuring DirectAccess for Remote Access
11
Lesson 4: Configuring BranchCache for Remote Access
13
17
20
8-1
8-2
Lesson 1
Configuring Mobile Computer and Device Settings

Contents:
Detailed Demo Steps
8-3

Tools for Configuring Mobile Computer and Device Settings
Question: Aside from USB, how can you establish a connection for synchronizing a Windows Mobile
device?
Answer: You can establish a connection for synchronizing a Windows Mobile Device with Serial,
Bluetooth, Wireless, and Infrared connections.
Demonstration: Configuring Power Plans

Question: Why are options such as what to do when I shut the power lid not configurable in the
Wireless Adapter Settings, Power Saving Mode?
Answer: This virtual machine emulates a desktop computer, and those options are unavailable on
desktop computers.
8-4
Detailed Demo Steps

Demonstration: Creating a Sync Partnership
This demonstration shows how to configure the Windows Mobile Device Center and how to synchronize a
Windows Mobile device.
Start the LON-DC1 and the LON-CL1 virtual machines. Leave them running throughout the duration of
the module.
Create appointments and contacts in Outlook

1.
Log on to LON-CL1 as Contoso\Administrator with the password Pa$$w0rd.
2.
Click Start, point to All Programs, click Microsoft Office, and then click Microsoft
Office Outlook 2007.
3.
In the Outlook 2007 Startup wizard, click Next.
4.
On the E-mail accounts page, click No, and then click Next.
5.
On the Create Data File page, select the Continue with no e-mail support check box
and then click Finish.
6.
In the User Name dialog box, click OK.
7.
If prompted, in the Welcome to the 2007 Microsoft Office System, click Next, click I dont want
to use Microsoft Update, and then click Finish.
8.
If prompted, in the Microsoft Office Outlook dialog box, click No.
9.
In Outlook, on the left, click Calendar.
10. In the results pane, click the Month tab and then double-click tomorrow.
11. In the Untitled Event dialog box, in the Subject field, type Quarterly meeting.
12. In the Location field, type Meeting room 1 and then click Save & Close.
13. If prompted with a reminder for the appointment, click Dismiss.
14. In Outlook, on the left, click Contacts.
15. On the menu, click New.
16. In the Untitled Contact dialog field, in the Full Name field, type Amy Rusko.
17. In the Job title box, type Production Manager and then click Save & Close.
18. Close Outlook.
Configure Windows Mobile Device Center

1.
Click Start, point to All Programs, and then click Windows Mobile Device Center.
2.
In the Windows Mobile Device Center dialog box, click Accept.
3.
In the Windows Mobile Device Center dialog box, click Mobile Device Settings and
then click Connection settings.
4.
In the Connection Settings dialog box, in the Allow connections to one of the
following list, click DMA and then click OK.
5.
In the User Account Control dialog box, in the User name box, type administrator.
6.
In the Password box, type Pa$$w0rd and then click Yes.
7.
Close Windows Mobile Device Center.
8-5
Connect the Windows Mobile device

1.
Click Start, point to All Programs, click Windows Mobile 6 SDK, click Standalone
Emulator Images, click US English, and then click WM 6.1.4 Professional.
2.
Wait until the emulator has completed startup.
3.
Click Start, point to All Programs, click Windows Mobile 6 SDK, click Tools, and then
click Device Emulator Manager.
4.
In the Device Emulator Manager dialog box, click the play symbol.
5.
From the menu, click Actions and then click Cradle.
6.
Close Device Emulator Manager.
Synchronize the Windows Mobile device

1.
In the Windows Mobile Member Center dialog box, click Dont Register.
2.
In Windows Mobile Device Center, click Set up your device.
3.
In the Set up Windows Mobile Partnership wizard, on the What kinds of items do
you want to sync? page, click Next.
4.
On the Ready to set up the Windows Mobile partnership page, click Set Up.
5.
After synchronization is complete, close Windows Mobile Device Center.
Verify that data has been synchronized

1.
On the Windows Mobile Device, click Start and then click Calendar.
2.
Click tomorrows date. Is the Quarterly Meeting showing?
3.
Click Start and then click Contacts. Are there contacts listed?
4.
Close all open Windows. Do not save changes.
Demonstration: Configuring Power Plans

This demonstration shows how to configure a power plan.
Create a power plan for Amys laptop

1.
On LON-CL1, click Start and then click Control Panel.
2.
Click System and Security, click Power Options, and then on the left, click Create a
power plan.
3.
On the Create a power plan page, click Power saver.
4.
In the Plan name box, type Amys plan and then click Next.
8-6
5.
On the Change settings for the plan: Amys plan page, in the Turn off the display box,
click 5 minutes and then click Create.
Configure Amys power plan

1.
In Power Options, under Amys plan, click Change plan settings.
2.
On the Change settings for the plan: Amys plan page, click Change advanced
power settings.
3.
Configure the following properties for the plan and then click OK.
Turn off hard disk after: 10 minutes
Wireless Adapter Settings, Power Saving Mode: Maximum Power Saving
Power buttons and lid, Power button action: Shut down
4.
On the Change settings for the plan: Amys plan page, click Cancel.
5.
Close Power Options.
Lesson 2
Configuring Remote Desktop and Remote Assistance

for Remote Access
Contents:
Detailed Demo Steps
8-7
8-8

Demonstration: Configuring Remote Assistance
Question: Under what circumstances does one use Remote Desktop Connection or Remote
Assistant?
Answer: Use Remote Desktop to access one computer from another remotely. For example, you can
use Remote Desktop to connect to your work computer from home. You will have access to all of
your programs, files, and network resources, as if you were sitting at your work computer.
Use Remote Assistance to give or receive assistance remotely. For example, a friend or a technical
support person can remotely access your computer to help you with a computer problem or show
you how to do something. You can help someone else the same way. In either case, both you and the
other person see the same computer screen and will both be able to control the mouse pointer.
8-9
Detailed Demo Steps

Demonstration: Configuring Remote Assistance
This demonstration shows how to enable and use Remote Assistance. Amy needs help with a Microsoft
Office Word feature. She requests assistance, and you provide guidance on the feature by using Remote
Assistance.
Create a Microsoft Office Word 2007 document

1.
If necessary, log on to the LON-CL1 virtual machine as Contoso\Don with a password of

Pa$$w0rd.
2.
Click Start, point to All Programs, click Microsoft Office, and then click Microsoft
Office Word 2007.
3.
In the Document window, type This is my document, and then click the Office button.
4.
Click Save and then click Save again.
Request Remote Assistance

1.
Click Start, and in the Search box, type remote assistance.
2.
In the Programs list, click Windows Remote Assistance.
3.
In the Windows Remote Assistance wizard, click Invite someone you trust to
help you.
4.
On the How do you want to invite someone to help you page, click Save this
invitation as a file.
5.
On the Save as page, in the File name box, type \\LON-dc1\users\Public\DonsInvitation.msrcincident and then click Save.
6.
Note the password.
Provide Remote Assistance

1.
Switch to the 6292A-LON-DC1 virtual machine and log on as Administrator with the password of
Pa$$w0rd.
2.
Open Windows Explorer, navigate to C:\Users\Public, and then double-click DonsInvitation.msrcincident.
3.
In the Remote Assistance dialog box, in the Enter password box, type the password you
noted in the previous task and then click OK.
4.
Switch to the LON-CL1 virtual machine.
5.
In the Windows Remote Assistance dialog box, click Yes.
6.
Switch to the LON-DC1 virtual machine.
7.
On the menu, click Request control.
8.
Switch to the LON-CL1 virtual machine.
9.
In the Windows Remote Assistance dialog box, click Yes.
8-10
10. Switch to the LON-DC1 virtual machine.

11. In Word, click the Review menu and select the text in the document window.
12. In the menu, click New Comment and then type This is how you place a comment in a
document.
13. Click the cursor elsewhere in the document window.
14. In the Windows Remote Assistance Helping Don menu, click Chat.
15. In the Chat window, type Does that help? and then press ENTER.
16. Switch to the LON-CL1 virtual machine.
17. Observe the message.
18. Type Yes, thanks, press ENTER, and then in the Menu, click Stop sharing.
20. Discard the file changes and then log off of LON-CL1.
21. Switch to the LON-DC1 virtual machine.
22. Close all open windows and then log off of LON-DC1.
Lesson 3
Configuring DirectAccess for Remote Access

Contents:
12
8-11
8-12

DirectAccess Requirements
Question: What is the certificate used for in DirectAccess?
Answer: To provide authentication.
Question: List three ways to deploy DirectAccess.
Answer: Three ways to deploy DirectAccess are as follows:
DirectAccess Deployment Wizard - simplifies deployment. The wizard can create and export
scripts, which can be reviewed, further customized, and applied manually.
Custom Scripts - primarily uses netsh.exe and is more complex, but provides vast design
flexibility.
Group Policy - only supported for configuring clients, not DirectAccess servers.
Lesson 4
Configuring BranchCache for Remote Access

Contents:
14
Detailed Demo Steps
15
8-13
8-14

What Is BranchCache?
Question: How does BranchCache prevent malicious users from accessing content?
Answer: Malicious users are unable to access content that they are not authorized to view because
cached content is encrypted.
How BranchCache Works

Question: Which BranchCache caching mode has a peer-to-peer architecture?
Answer: The distributed or cooperative caching mode has a peer-to-peer type of architecture;
content is cached on Windows 7 clients after it is retrieved from a Windows Server 2008 R2. Then it is
sent directly to other Windows 7 clients, as they need it, without those clients having to retrieve the
same content over the WAN link.
BranchCache Requirements
Question: Which of the following operating systems is a requirement on client computers using
BranchCache?
Answer: The answer(s) are in bold.
Windows Server 2008 R2
Windows Vista
Windows 7
Windows XP
Demonstration: Configuring BranchCache on a Windows 7 Client

Computer
Question: What is the effect of having the Configure BranchCache for network files value set to
zero (0)?
Answer: This is the acceptable round-trip delay time before caching is enabled. If you set a high
value, then caching might not occur at all. Setting the value of zero means that all files in a share are
cached, regardless of the delay.
8-15
Detailed Demo Steps

Demonstration: Configuring BranchCache on a Windows 7 Client
Computer
This demonstration shows how to enable and configure BranchCache.
Create and secure a shared folder

1.
Log on to the LON-DC1 virtual machine as Contoso\Administrator with a password of

Pa$$w0rd.
2.
Click Start, click Computer, and double-click Local Disk (C:).
3.
In the menu, click New folder.
4.
Type BranchCache and press ENTER.
5.
Right-click BranchCache and then click Properties.
6.
In the BranchCache Properties dialog box, on the Sharing tab, click Advanced
Sharing.
7.
In the Advanced Sharing dialog box, select the Share this folder check box and then click
Permissions.
8.
Click Remove and then click Add.
9.
In the Select Users, Computers, Service Accounts, or Groups dialog box, in the
Enter the object names to select (examples) field, type authenticated users, click
Check Names, and then click OK.
10. In the Permissions for Authenticated Users list, select the Allow check box next to
Full Control and then click OK.
11. In the Advanced Sharing dialog box, click Caching.
12. Select the Enable BranchCache check box and then click OK.
13. In the Advanced Sharing dialog box, click OK.
14. In the BranchCache Properties dialog box, click the Security tab.
15. Click Edit and then click Add.
16. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the
Enter the object names to select (examples) field, type Authenticated Users, click
Check Names, and then click OK.
17. In the Permissions for Authenticated Users list, select the Allow check box next to
Full Control and then click OK.
18. In the BranchCache Properties dialog box, click the Close button.
Configure BranchCache Group Policy settings

1.
On LON-DC1, click Start, point to Administrative Tools, and then click Group Policy
Management.
8-16
2.
In Group Policy Management, expand Forest: Contoso.com, expand Domains, expand

Contoso.com, expand Group Policy Objects, click BranchCache, right-click
BranchCache, and then click Edit.
3.
Expand Computer Configuration, expand Policies, expand Administrative

Templates, expand Network, and then click BranchCache.
4.
Double-click Turn on BranchCache, click Enabled, and then click OK.
5.
Double-click Set BranchCache Distributed Cache mode, click Enabled, and then click
OK.
6.
Double-click Configure BranchCache for network files, click Enabled, under

Options type 0, and then click OK.
7.
Double-click Set percentage of disk space used for client computer cache, click
Enabled, under Options, type 10, and then click OK.
8.
Close Group Policy Management Editor.
9.
Close Group Policy Management.
Configure the client

1.
Switch to the LON-CL1 computer and log on as Contoso\Administrator with a password of

Pa$$w0rd.
2.
Click Start, click Control Panel, click System and Security, and then click Windows
Firewall.
3.
In Windows Firewall, click Allow a program or feature through Windows Firewall.
4.
Under Allowed programs and features, in the Name list, select the following check boxes
and then click OK. Also ensure that the check box under Domain is selected.
BranchCache Content Retrieval (Uses HTTP)
BranchCache Peer Discovery (Uses WSD)
5.
Close Windows Firewall.
6.
Open a Command Prompt.
7.
At the Command Prompt, type gpupdate /force and then press ENTER.
8.
At the Command Prompt, type netsh branchcache set service mode=DISTRIBUTED and then press
ENTER.
Verify the status of BranchCache

At the Command Prompt, type netsh branchcache show status and then press ENTER.
8-17

Review questions
Question 1: Amy wants to connect to the network wirelessly but is unable to, so she checks the
Windows Mobility Center to turn on her wireless network adapter. She does not see it in the Windows
Mobility Center. Why is that?
Answer: If a setting does not appear in the Windows Mobility Center, it might be because the
requested hardware (such as a wireless network adapter) or drivers are missing
Question 2: You have purchased a computer with Windows 7 Home edition. When you choose to
use Remote Desktop to access another computer, you cannot find it in the OS. What is the problem?
Answer: Remote Desktop is not available in Windows7 Home editions
Question 3: You have some important files on your desktop work computer that you need to retrieve
when you are at a clients location with your laptop computer. What do you need to do on your
desktop computer to ensure that you can download your files when at a customer site?
Answer: You need to configure remote access on your desktop computer. Select one of the access
options in the Remote Settings tab of System from System and Security in Control panel.
Question 4: Your company recently purchased a Windows Server 2008 computer. You have decided
to convert from a database server to a DirectAccess Server. What do you need to do before you can
configure this computer with DirectAccess?
Answer: You will need to upgrade to Windows Server 2008 R2 and maybe upgrade to an IPv6
infrastructure and possibly install a second network adapter in the server.
Question 5: Amy needs to configure her Windows 7 client computer to access take advantage of
BranchCache. How can Amy configure the client to do this?
Answer: In Windows 7, BranchCache is off by default. Client configurations can be performed
through Group Policy or manually on a per-client computer basis.
Common issues
Issue
Troubleshooting tip
BytesAddedToCache does not increase on the

first client when accessing the BranchCacheenabled server.
The client computer may be retrieving content from the

Internet Explorer cache. Be sure to clear the IE cache by
selecting Internet Options from the Tools menu and clicking
Delete. Ensure that BranchCache is enabled on the first
client using the netsh branchcache show status
command. If attempting to access a file share, verify that the
latency between the client and server is higher than the
minimum threshold. Ensure that the BranchCache feature is
installed on the server and is enabled for the protocol under
test. Check that the peerdistsvc server has started on
8-18
both the client and the server. An intermediate proxy may

alter the HTTP request coming from the client. Verify that the
proxy does not modify the ACCEPT-ENCODING HTTP header.
An intermediate proxy may downgrade the outgoing request
from HTTP 1.1 to HTTP 1.0. If the symptom is specific to file
traffic, ensure that the file is not in the transparent cache.
Transparent cache is a secondary cache where the file is
stored in addition to the BranchCache. Storing the file in the
transparent cache enables subsequent reads of the file to be
satisfied locally improving end-user response times and
savings on WAN bandwidth. To delete transparently cached
data, search for Offline Files applet in Control Panel. Click the
Disk Usage tab and then click Delete Temporary Files. Note
that this will not clear the BranchCache cache.
BytesAddedToCache does increase on the first

client when accessing the BranchCache
enabled server. BytesFromCache does not
increase on the second client when accessing
the BranchCache enabled server. Deployment
is Distributed Cache mode.
Ensure that BranchCache is enabled and that both clients are

configured to use the same caching mode using the netsh
branchCache show status command. Ensure that
the correct firewall exceptions are set on both clients using
the netsh branchcache show status command. Ensure that
both clients are connected to the same subnet using the
ipconfig command. Make sure the client cache is not full by
using the netsh branchcache show status ALL.
BytesAddedToCache does increase on the first

client when accessing the BranchCache
enabled server. BytesFromCache does not
increase on the second client when accessing
the BranchCache enabled server. Deployment
is Hosted Cache mode.
Ensure that BranchCache is enabled and that both clients are

configured to use the same caching mode using the netsh
branchcache show status command. Verify basic
connectivity from both client computers to the Hosted Cache
using the ping command. Ensure that the correct firewall
exceptions are set on both clients using the netsh
branchcache show status command. Ensure that the correct
firewall exceptions are set on the Hosted Cache server using
the netsh branchcache show status command. Ensure that
the certificate is properly installed and bound to port 443 on
the Hosted Cache computer.
Netsh shows BranchCache firewall rules have

not been set, even though they have been
configured using Group Policy.
Netsh checks the predefined BranchCache firewall rule

group. If you have not enabled the default exceptions
defined for BranchCache on Windows 7, Netsh will not report
your configuration correctly. This is likely to happen if you
defined firewall rules for clients using Group Policy and you
defined the Group Policy object on a computer running an
operating system older than Windows 7 or Windows Server
2008 R2 (which will not have the BranchCache firewall rule
group). Note that this does not mean BranchCache will not
function.
A client computer is running slowly. Is
Many computers drawing large amounts of content from one
BranchCache at fault?
8-19
client in a short time period may impact desktop

performance. Use performance monitor to check for high
service rates to peers. Examine BytesServedToPeers
relative to BytesFromCache and
BytesFromServer. The BranchCache service runs
isolated in its own service host. Examine the CPU and
memory consumption of the service host process housing the
branch caching service. Sustained high rates of service to
peers may be evidence of a configuration problem in the
branch office. Check to make sure that the other clients in
the branch office are capable of service data. Clear the cache
on the affected client using the netsh branchcache
flush command or reduce the cache size on the affected
client.
A page fails to load or a share cannot be

accessed.
When BranchCache is unable to retrieve data from a peer or

from the Hosted Cache, the upper layer protocol will return
to the server for content. If a failure occurs in the Branch
Caching component, the upper layer protocol must
seamlessly download content from the server. No
BranchCache misconfiguration or failure will prevent the
display of a Web page or connection to a share. If a failure
does occur, use the Network Diagnostic Framework Diagnose
button provided by Windows Explorer or Internet Explorer.
The client computer is unable to access the file

share even when connected to the server.
If the client computer is unable to access a file share on the

server due to the error Offline (network
disconnected), restart the client computer and access
the share again. If the client computer is unable to access a
file share on the server due to the error Offline (slow
connection), delete the temporarily cached data, restart the
computer, and access the share. To delete temporarily
cached data (the same as the transparent cache described
above), search for Offline Files applet in Control Panel. Click
the Disk Usage tab, and then click Delete Temporary Files
8-20

Question: In exercise 2, you enabled the Remote Desktop feature through the firewall by editing the
local firewall settings. Is there an alternative way in which you can make this change?
Answer: Yes, you can configure the settings through Group Policy on a domain controller. This
enables you to apply the settings to a larger group of computers in a single administrative step.
Question: If you attempted to connect to Dons computer from a computer out on the Internet
somewhere, what additional settings must you consider?
Answer: It is likely that in addition to Dons computers firewall settings, you will need to configure
or request configuration ofthe corporate firewall. You will need to enable TCP port 3389 to support
remote desktop. It is possible to use different ports over which to connect using Remote Desktop, but
this must be configured at the computer to which you want to connect.
Question: In exercise 3, you established the necessary settings to support BranchCache in Distributed
cache mode. If the Slough plant installed a file server, what other way can you implement
BranchCache?
Answer: In Hosted cache mode, where the local server can be used to store cached documents for
subsequent retrieval. The file server must be running Windows Server 2008.
Resources
Contents:
Microsoft Learning
Technet and MSDN Content
Communities
R-1
R-2
Microsoft Learning
This section describes various Microsoft Learning programs and offerings.
Microsoft Skills Assessments
Describes the skills assessment options available through Microsoft.
Microsoft Learning
Describes the training options available through Microsoft face-to-face or self-paced.
Microsoft Certification Program
Details how to become a Microsoft Certified Professional, Microsoft Certified Database

Administrators, and more.
Microsoft Learning Support
To provide comments or feedback about the course, send e-mail to

support@mscourseware.com.
To ask about the Microsoft Certification Program (MCP), send e-mail to

mcphelp@microsoft.com
Technet and MSDN Content
Device Management and Installation
Windows 7 Springboard Series
Windows Internet Explorer 8 Technology Overview for Enterprise and IT Pros
Microsoft Application Compatibility Toolkit (ACT) Version 5.5
Best practices for Disk Management
Search Help and Support for standard account and administrator account. For
information about groups
Adding a Disk
Choosing a file system: NTFS, FAT, or FAT32
Format a basic volume
Partition Styles
Format a Dynamic Volume
Create Partition or Logical Drive
Windows System Image Manager Technical Reference
Walkthrough: Create a Custom Windows PE Image
Copy
Oscdimg Command-Line Options
Best Practices for Disk Management
MSDN
This section includes content from MSDN for this course.
Performance Tuning Guidelines for Windows Server 2008
Windows Device Class Fundamentals
Driver Signing Requirements for Windows
The new Application Compatibility Toolkit (ACT) with support for Internet Explorer 8 is
available from MSDN
Internet Explorer Application Compatibility
R-3
R-4
Communities
This section includes content from Communities for this course.
Windows 7 hardware requirements
List of the Device Stage experiences
ACT 5.5
Driver Signing Requirements for Windows
Windows Hardware Requirements
Internet Explorer 8: Home page
Internet Explorer 8 newsgroups
Internet Explorer 8 FAQ
Information about anti-phishing strategies
Internet Explorer 8: Help and Support
Internet Explorer 8 Forum on TechNet
Internet Explorer 8 Help Microsoft Knowledge Base article 923737
Port Numbers
R-5
Send Us Your Feedback

You can search the Microsoft Knowledge Base for known issues at Microsoft Help and Support before
submitting feedback. Search using either the course number and revision, or the course title.
Note Not all training products will have a Knowledge Base article if that is the case, please ask your
instructor whether or not there are existing error log entries.
Courseware Feedback
Send all courseware feedback to support@mscourseware.com. We truly appreciate your time and effort.
We review every e-mail received and forward the information on to the appropriate team. Unfortunately,
because of volume, we are unable to provide a response but we may use your feedback to improve your
future experience with Microsoft Learning products.
Reporting Errors
When providing feedback, include the training product name and number in the subject line of your email. When you provide comments or report bugs, please include the following:
Document or CD part number
Page number or location
Complete description of the error or suggested change
Please provide any details that are necessary to help us verify the issue.
Important All errors and suggestions are evaluated, but only those that are validated are added to the
product Knowledge Base article.

6292a Enu Companion

Caricato da

Informazioni sul documento

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

6292a Enu Companion

Caricato da

Copyright:

Formati disponibili

O F F I C I A L

Product Number: 6292A

Installing, Upgrading, and Migrating to Windows 7

Lesson 2: Performing a Clean Installation of Windows 7

Lesson 3: Upgrading and Migrating to Windows 7

Lesson 4: Performing an Image-Based Installation of Windows 7

Lesson 5: Configuring Application Compatibility

Module Reviews and Takeaways

Lab Review Questions and Answers

Installing and Configuring Windows 7

Preparing to Install Windows 7

Installing, Upgrading, and Migrating to Windows 7

Question and Answers

Hardware Requirements for Installing Windows 7

Options for Installing Windows 7

Installing and Configuring Windows 7

Installing, Upgrading, and Migrating to Windows 7

Performing a Clean Installation of Windows 7

Detailed Demo Steps

Installing and Configuring Windows 7

Question and Answers

No operating system is installed on the computer.

The installed operating system does not support an upgrade to Windows 7.

Methods for Performing Clean Installation

Discussion: Common Installation Errors

Installation media is damaged.

Test the CD or DVD on another system.

BIOS upgrade is needed.

Check your computer suppliers Internet site to

Hardware is installed improperly.

Check any messages that appear during the boot

Installing, Upgrading, and Migrating to Windows 7

video cards and memory modules.

Hardware fails to meet minimum

Use Windows Catalog to locate products designed

Error messages appear during setup.

Carefully note any messages and search the

Demonstration: Configuring the Computer Name and Domain/Work

Installing and Configuring Windows 7

Detailed Demo Steps

Log on to the 6292-LON-CL1 virtual machine as CONTOSO\Administrator with a password

Click Start and then click Control Panel.

Click System and Security and then click System.

In the Computer Name/Domain Changes window, click Workgroup and type

Click OK to acknowledge the warning.

Click OK to close the welcome message.

10. Click OK to close the message about restarting.

Installing, Upgrading, and Migrating to Windows 7

Upgrading and Migrating to Windows 7

Installing and Configuring Windows 7

Question and Answers

Tools for Migrating User Data and Settings

Installing, Upgrading, and Migrating to Windows 7

Performing an Image-Based Installation of Windows 7

Detailed Demo Steps

Installing and Configuring Windows 7

Question and Answers

Demonstration: Creating a Bootable Windows PE Media

Demonstration: Configuring VHDs

Installing, Upgrading, and Migrating to Windows 7

Detailed Demo Steps

Log on to the 6292-LON-CL1 virtual machine as Contoso\Administrator with a password of

Browse to E:\Labfiles\Mod01\Sources\, click install_Windows 7 ENTERPRISE.clg, and then

Right-click x86_Microsoft-Windows-Shell-Setup and click Add setting to Pass 4 specialize.