
Upload: giokarso

Post on 22-Jul-2016


Professor Messer’s Microsoft 70-680 Configuring Windows 7 Study Guide

http://www.ProfessorMesser.com

Windows 7 Editions

Windows 7 Hardware Requirements

Windows 7 Installation Sources

DVD-ROM
• Available as an ISO file
• Doesn’t scale very well

USB Drive
• Faster than a DVD-ROM
• Need at least 4 GB of space for OS files
• Doesn’t scale well

Network Share
• Copy Windows 7 Installation Media to a share
• Boot with Windows PE
• Still has scaling problems, but the installation media can be easily updated

Windows Deployment Services (WDS)
• Automated deployment
• Requires a network, Server 2008, Active Directory
• Uses multicast
• Install on many computers simultaneously
• Scales extremely well

© 2014 Messer Studios, LLC http://www.ProfessorMesser.com
Professor Messer’s 70-680 Windows 7 Study Guide - Page 1

Preparing a USB Drive


Booting Windows 7

Dual-Booting
• More than one operating system on one computer
• Each OS generally needs a separate partition
  • Can be on the same drive or different drives
  • Windows 7 needs 15 GB
• May need to resize partitions
  • Disk Management in Windows Vista and Windows 7
  • Windows XP can’t do this without 3rd-party utilities
• If you install to VHD, you won’t need another partition

The Windows Hidden Partition
• Contains boot information
• Runs the Windows Recovery Environment (WinRE)

Managing the Windows Startup Menu with bcdedit
• Boot Configuration Data Store Editor
• Edits /boot/bcd
  • In the Windows 7 hidden partition

Backup and restore
• bcdedit /export c:\save-bcd
• bcdedit /import c:\save-bcd

Create a new entry
• bcdedit /copy {current} /d "New entry"

Other commands
• bcdedit /set {current} description "New Entry Description"
• bcdedit /displayorder {ntldr} /addfirst
• bcdedit /default {ntldr}
• bcdedit /displayorder {12345678-1234-1234567890-1234} /addlast

Windows 7 Upgrade Paths

Windows 7 Anytime Upgrades

Microsoft Assessment and Planning Toolkit
• Large-scale upgrade assessment
• Integrates with Active Directory
• Scans the network to find computers
• Inventories computers, servers, and virtual machines
• Many different operating systems
• Doesn’t require any agent software


Windows 7 Migration

Side-by-side
• Two computers
• Move information from one to the other

Wipe-and-load
• Export data, nuke and install, and import
• Exported data can be deleted afterwards
• Profiles copied to external device
  • USB storage, network share

Windows Easy Transfer
• Migrate from Windows XP, Windows Vista, or Windows 7
• Useful when moving to a new computer
• Supports both side-by-side and wipe-and-load

User State Migration Tool

USMT
• Included with the Windows Automated Installation Kit (AIK)
• Very scalable
  • Built for large enterprises
  • Works at the command line
• Migrate from Windows XP and Windows Vista to Windows 7
• Migrate from Windows 7 to Windows Vista

Two-step process
• Can be completely automated
  • Take advantage of the command line
• ScanState
  • Compiles and stores the migration data
  • Must run in an elevated prompt (Vista, 7) or as a Local Administrator (XP)
• LoadState
  • Loads profile onto the destination computer

Configuration settings
• MigApp.xml - Migrate application settings
  • Folder options, fonts, wallpaper settings, etc.
• MigUser.xml - Migrate user folders, files, and file types
• MigDocs.xml - Location of user documents
• Config.xml - Exclude migration features

Storing the migrated data
• Uncompressed
  • Stored in folders, view using Windows Explorer
• Compressed
  • Uses less space, can’t be viewed in Windows Explorer
• Hardlink
  • Creates links to the user data
  • Links are followed when performing wipe-and-load
  • Doesn’t duplicate files
  • Can save a lot of time
  • You’ll need a minimum of 250 MB free

Windows Automated Installation Kit
• Windows SIM (System Image Manager)
  • Manages image distribution
• ImageX
  • Create and modify Windows images (WIM)
• DISM (Deployment Image Servicing and Management)
  • Modify an image with updates and drivers
• Windows PE (Preinstallation Environment)
  • A minimal boot OS
• OSCDIMG
  • Command line creation of ISO files
• USMT (User State Migration Tool)
  • Migrate user information between OS versions

Sysprep and other prep
• Run audit mode (Shift-Ctrl-F3)
  • Bypass Windows Welcome
  • Tweak your reference image, load apps and drivers
• Sysprep
  • Clear unique names
  • Set Windows Welcome - Out-of-box-experience (OOBE)
  • c:\windows\system32\sysprep\sysprep.exe /oobe /generalize /shutdown
  • Reset the 30-day activation up to three times

Building and distributing a Windows 7 image
• Plan Windows 7 installation on reference PC
• Build an answer file
  • Validate and save the answer file
  • Save Autounattend.xml to the root
• Perform Windows 7 installation
• Use Sysprep to generalize and set oobe (out of box experience)
• Create bootable Windows PE disk or USB flash drive
• Create image and store on network share
• Deploy the image

Capturing an image

Create a Windows PE boot disk
• You’ll want to add ImageX to the disk
• It doesn’t come in the default configuration

Boot to PE and create an image
• This is why you added ImageX
  • Have a destination ready for the image
• Have your computer Sysprep’d prior to the imaging
  • Your image should be ready for the first user
• The final image is a WIM file


Deployment Image Servicing and Management (DISM)

Working with images
• Get image information
  • DISM.exe /Get-WimInfo /WimFile:<WIM_file> [/Index:<image_index> | /Name:<image_name>]
  • IMAGEX [FLAGS] /INFO img_file [img_number | img_name] [new_name] [new_desc]
• Mount an image
  • DISM.exe /Mount-Wim /WimFile:<path_to_WIM_file> {/Index:<image_index> | /Name:<image_name>} /MountDir:<target_mount_directory> [/readonly]
  • IMAGEX [FLAGS] /MOUNTRW [image_file image_number | image_name image_path]
• Get information on mounted image
  • DISM.exe /Get-MountedWimInfo
  • Clean an “Invalid” state with dism /Cleanup-Wim
• Manage .inf drivers on an active (online) or offline system
  • dism /online /get-drivers /all
  • dism /image:<imageDir> /get-drivers /all
• Adding and removing drivers
  • dism /image:<imageDir> /add-driver
  • dism /image:<imageDir> /remove-driver
  • On x64, drivers must have digital signature, unless you use /forceunsigned

Managing applications
• View, add, or remove packages or features
• Work with cabinet (.cab) files or Windows Update (.msu) files
• Administratively disable features
• dism /image:<image directory> [/get-packages | /get-packageinfo | /add-package | /remove-package ] [/get-features | /get-featureinfo | /enable-feature | /disable-feature]
• Packages are “pending” until the system is booted

Managing patches
• Don’t manage patches manually
  • Reimage again, then patch after it comes online
• dism /image:<imageDir> [/check-apppatch | /get-apppatchinfo: | /get-apppatches | /get-appinfo | /get-apps]
• Do you know the GUID? Then include…
  • /productcode:{GUID}
• Can only check for .msp (patches) and .msi (installation) packages

Saving changes with a commit
• To save your changes, you must commit!
  • You can always discard and start over
• Commit or Discard
  • DISM.exe /Commit-Wim /MountDir:<target_mount_directory>
  • DISM.exe /Unmount-Wim /MountDir:<target_mount_directory> {/Commit | /Discard}

Post-deployment tasks
• Configure package installation order or tasks to run after deployment
• Use Unattend.xml file
  • DISM /Image:<path_to_mounted_image> /Apply-Unattend:<Path_To_unattend.xml>
• Create your Unattend.xml files using Windows System Image Manager (SIM)


Deployment options
• Microsoft Deployment Toolkit (MDT) 2010
  • Make the process easier
• Deploying with Windows Deployment Services (WDS)
  • Image many systems at one time
• System Center Configuration Manager (SCCM) 2007
  • Enterprise change and configuration management

Deployment types
• Lite Touch Installation (LTI)
  • Deploy without a large management infrastructure
  • Great for small and medium companies
• Zero Touch Installation (ZTI)
  • Integrates Systems Management Server (SMS) 2003 or System Center Configuration Manager (SCCM) 2007 for complete automation
  • Common in very large organizations

Microsoft Deployment Toolkit 2010
• Manage and distribute your WIMs
• Everything you need to deploy an operating system
  • OS, drivers, apps, etc.
• Uses the Windows Automated Installation Kit
  • It’s required
• All that stuff we did manually? This automates it.
  • Install, automate, capture, image

Windows Deployment Services
• Requirements
  • Active Directory Domain Services
  • NTFS file system
  • Local Administrator rights
  • DHCP server (for PXE)
• WDS is graphical
• WDSUTIL is command line

WDS images
• Boot image
  • Boots the system (via PXE)
• Discover image
  • If you can’t PXE, you can discover the WDS server
• Install image
  • The big image that gets installed
• Capture image
  • A special image that captures an image from a system

SCCM
• System Center Configuration Manager (SCCM) 2007
  • Enterprise change and configuration management
• Software deployment
• Software metering
• Inventory
• Remote administration
• Can be integrated with Microsoft Deployment Toolkit (MDT) 2010 for ZTI

SCCM features and capabilities
• Command line control
• Software installation and updates
• Domain management
• Restart computers
• Partition disks
• Manage user state information
• Image computers
• Driver management

Make a VHD
• Use Disk Management to attach and detach
• Use diskpart to create vdisk
• Ideally, the VHD would be in a separate disk
  • Or at least a different partition
• Apply an existing WIM with ImageX

Boot from the VHD
• bcdedit
  • Modify your boot entries
• Can only boot to a Windows 7 or Windows 2008 R2 VHD
• Change the “device” and “osdevice” to the VHD
• Enable the hardware abstraction layer (HAL)
• Can’t use BitLocker or hibernation
  • Not a great choice for laptops

Service your VHD
• Microsoft System Center Virtual Machine Manager
  • MSCVMM 2007 or MSCVMM 2008
  • Manage many VHDs and virtual machines
  • Windows Hyper-V Server
  • Physical to virtual migrations
  • Manage virtual workloads
• Update and maintain VHDs
  • Integrate with System Center Configuration Manager (SCCM) or Windows Server Update Services (WSUS)


Configuring Devices

Adding new drivers
• Change device installation settings
• Drivers can only be installed by Administrators or modified by Group Policy

Plug and Play (PnP)
• Automatic installation
  • Checks the driver store
  • HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/DevicePath
  • Copies the driver for use into C:\Windows\System32\drivers
• New drivers must be staged with pnputil

Signed drivers
• Cryptographic “signature”
  • Verifies the driver publisher and file integrity
• Must be Administrator to install unsigned drivers
  • Sign the driver yourself to deploy for user installation
  • Certificate Authority can be very useful
• Windows Hardware Quality Labs (WHQL)
  • Check with directx
• File Signature Verification (sigverif)

• Control Panel / Device Manager (icon view)
• Start / right-click Computer / Manage / Device Manager
• Run “devmgmt.msc”

Application compatibility

Application Compatibility Toolkit
• Application Compatibility Manager
• Compatibility Administrator
  • View compatibility fixes for 3rd-party apps
  • Analyze your applications, create your own shim
• Internet Explorer Compatibility Test Tool
• Demo/Lab

Testing IE8
• Internet Explorer Compatibility Test Tool
• Start the tool / Start IE8
  • Surf and watch

App Compatibility Group Policies
• Recover from problems or block issues when they occur
• Computer Configuration\Administrative Templates\System\Troubleshooting and Diagnostics\Application Compatibility Diagnostics

Windows XP Mode
• Run Windows XP as a virtual machine
  • Windows 7 Professional, Windows 7 Ultimate, Windows 7 Enterprise
• Integrates with the Windows 7 desktop
• Uses a lot of disk space and memory resources

Application Compatibility

Group Policies


Software Restriction Policies

Group Policy
• Use Group Policy to restrict application use - gpedit.msc
  • A bit of overlap with AppLocker
• Works for Windows XP, Windows Vista, and Windows 7
• Computer Configuration \ Windows Settings \ Security Settings \ Software Restriction Policies

Enforcement properties
• Include/exclude DLLs
• Include/exclude local administrators
• Enforce/ignore certificates

Which policy wins?
• Most specific first, then more general
  • If AppLocker is in use, AppLocker always wins
• Hash Rules (most specific)
• Certificate Rules
• Path Rules
• Network Zone Rules
• Default Rules (most general)

Hash rules
• Unique identifier - You can’t fool the hash
• Advantages
  • Control very specific applications
  • Down to the version number
• Disadvantages
  • Must be created for every executable
  • Must be updated for each version

Certificate rules
• Control application usage by publisher
• Advantages
  • Cryptographically improbable to beat
• Disadvantages
  • One certificate rule can affect many applications from the same publisher
  • Application must be signed
  • Resource intensive

Path rules
• Control application use based on files or folders
• Advantages
  • Can control specific areas or files
• Disadvantages
  • Can be circumvented by moving the file

Network zone rules
• Control applications based on download location
• Advantages
  • Limits security risk from the outside
• Disadvantages
  • Only applies to .msi (installer) files
  • Not .exe files
  • Only applies to downloads from Internet Explorer
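
The rule ordering and the hash/path trade-offs listed above can be checked with a small model. This is an added example, not code from the study guide and not Microsoft's implementation; the Rule and Candidate classes, the use of SHA-256 as the digest, the tie-break inside one rule type and all sample paths and file contents are assumptions of the model.

```python
import hashlib
import ntpath
from dataclasses import dataclass
from typing import Optional

# Most specific rule type first, in the order the guide lists them.
PRECEDENCE = ("hash", "certificate", "path", "zone")


@dataclass
class Rule:
    kind: str    # one of PRECEDENCE
    value: str   # digest, publisher name, file/folder path, or zone name
    level: str   # "Disallowed" or "Unrestricted"


@dataclass
class Candidate:
    path: str
    content: bytes
    publisher: Optional[str] = None   # None means unsigned
    zone: Optional[str] = None        # download zone, if known


def digest(content):
    # SHA-256 is this model's choice, not a statement about SRP internals.
    return hashlib.sha256(content).hexdigest()


def matches(rule, f):
    """True when the rule applies to the candidate file."""
    if rule.kind == "hash":
        return digest(f.content) == rule.value
    if rule.kind == "certificate":
        return f.publisher is not None and f.publisher == rule.value
    if rule.kind == "path":
        # Windows paths are case-insensitive; compare normalised forms and
        # require a separator so C:\Temp does not match C:\Temporary.
        target = ntpath.normcase(ntpath.normpath(f.path))
        base = ntpath.normcase(ntpath.normpath(rule.value))
        return target == base or target.startswith(base + "\\")
    if rule.kind == "zone":
        return f.zone is not None and f.zone == rule.value
    return False


def evaluate(f, rules, default="Unrestricted"):
    """Return (security level, rule type that decided it)."""
    for kind in PRECEDENCE:
        hits = [r for r in rules if r.kind == kind and matches(r, f)]
        if hits:
            # Model assumption: within one rule type, Disallowed wins.
            blocked = any(r.level == "Disallowed" for r in hits)
            return ("Disallowed" if blocked else "Unrestricted"), kind
    return default, "default"


# Constructed sample data: two "versions" of the same program.
TOOL_V1 = b"constructed sample binary, version 1"
TOOL_V2 = b"constructed sample binary, version 2"
PATH_RULES = [Rule("path", r"C:\Users\Public\Downloads", "Disallowed")]
HASH_RULES = [Rule("hash", digest(TOOL_V1), "Disallowed")]

if __name__ == "__main__":
    moved = Candidate(r"C:\Temp\tool.exe", TOOL_V1)
    updated = Candidate(r"C:\Users\Public\Downloads\tool.exe", TOOL_V2)
    print("moved file, path rule :", evaluate(moved, PATH_RULES))
    print("moved file, hash rule :", evaluate(moved, HASH_RULES))
    print("new version, hash rule:", evaluate(updated, HASH_RULES))
```

The output shows both disadvantages from the list: the path rule stops matching once the file is moved, and the hash rule stops matching once the file's contents change with a new version.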

Configuring software restriction policies in Group Policy Editor


AppLocker

AppLocker overview
• Available in Windows 7 Ultimate and Windows Enterprise
• Control users or groups
• Requires Application Identity Service
  • Defaults to “Manual”
• Block rules always override Allow rules
  • Except the implied Block

Rule categories
• Executable Rules
  • Control .exe and .com files
• Windows Installer Rules
  • Control .msi and .msp files
  • Doesn’t change the administrative permissions
• Script Rules - Control .bat, .cmd, .js, .ps1, and .vbs files
• Build some default rules

AppLocker rule enforcement
• Enforce rule types
  • Audit rules
• Enable DLL rule collection
  • Can impact performance

Rule conditions
• Publisher rules
  • Pulled from the file information
  • Existing file and all future versions
• Path rules
  • Similar to Software Restriction Policies
• File hash rules
  • Also similar to Software Restriction Policies
  • There are no exceptions for file hash conditions

AppLocker rules


Configuring Internet Explorer

Compatibility view
• The browser is the new application environment
• Browser versions are very different
  • Can dramatically impact applications
• Compatibility View turns back the clock
  • Run Internet Explorer as an “older” version
• Tools / Compatibility View Settings
• Configured in Group Policy
  • Administrative Templates \ Windows Components \ Internet Explorer \ Compatibility View

Security Settings
• Categorize web sites into zones
  • Internet
  • Local intranet
  • Trusted sites
  • Restricted sites
• Tools / Internet Options / Security

Search providers and add-ons
• Configure in Tools / Manage Add-ons

InPrivate policies
• Administrative Templates \ Windows Components \ Internet Explorer \ InPrivate

Managing certificates
• Validate the source
  • Trust the site
• Encrypt the data
  • Surf safely

Certificate problems
• This website’s security certificate has been revoked
  • Don’t trust this website
• This website’s address doesn’t match the address in the security certificate
  • Website is using a digital certificate that was issued to a different web address
• This website’s security certificate is out of date
  • Current date is either before or after the time period of the certificate
• This website’s security certificate isn’t from a trusted source
  • Certificate has been issued by a CA that isn’t recognized by Internet Explorer
• Internet Explorer has found a problem with this website’s certificate
  • There’s a problem with a certificate that doesn’t fit any other error conditions.


IPv4 and IPv6

IPv4 Addressing
• 192.168.1.131 = 11000000.10101000.00000001.10000011
• 8 bits = 1 byte = 1 octet
• 32 bits = 4 bytes

RFC 1918 Private Addresses

DNS
• Domain Name System
• Converts names to IP addresses
• www.professormesser.com = 74.208.221.234

DHCP
• Dynamic Host Configuration Protocol
• Automatically assign IP address, subnet mask, gateway, and more

APIPA
• Automatic Private IP addressing
• Connect an entire network without any configuration
• 169.254.0.1 through 169.254.255.254 (subnet mask of 255.255.0.0)

IPv6 Addressing
• fe80::5d18:652:cffd:8f52 = fe80:0000:0000:0000:5d18:0652:cffd:8f52
  • fe80 = 1111111010000000
  • 0000 = 0000000000000000
  • 0000 = 0000000000000000
  • 0000 = 0000000000000000
  • 5d18 = 0101110100011000
  • 0652 = 0000011001010010
  • cffd = 1100111111111101
  • 8f52 = 1000111101010010
• 16 bits = 2 bytes = 2 octets
• 128 bits = 16 bytes

Address types
• Unicast – one to one
• Multicast – one to many
• Broadcast – one to all (IPv4)
• Anycast – one to nearest (IPv6)

IPv6 Unicast Addresses
• Global – Routable everywhere
• Local – Used in the local network (no Internet) – fc00::/7
• Link-local - Used in the local network segment only - fe80::/10

Integrating IPv4 and IPv6

Teredo
• Tunnel IPv6 through NATed IPv4
  • End-to-end IPv6 through an IPv4 network
  • No special IPv6 router needed
• Addresses start with 2001::/32

ISATAP (Intra-Site Automatic Tunnel Addressing Protocol)
• Automatically configures addressing to connect two IPv6 devices over a local IPv4 network
  • Not designed for site-to-site communication
• fe80::5efe:192.168.0.16

Network Address Translation (NAT)
• Convert from one IP address to another
• Commonly used to convert private internal addresses to be routed across the Internet
• Also used to advertise services with an external address, but the server actually resides on the inside of the network with a private address
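
The address ranges on this page (APIPA, RFC 1918, link-local, fc00::/7, Teredo, ISATAP) can be told apart programmatically, which is useful when reviewing ipconfig output for IPv6 that is being tunnelled inside IPv4. This is an added example, not part of the study guide; the function names and the sample address list are assumptions, the sample values are constructed (apart from the three addresses quoted on the page), and the RFC 1918 blocks are the standard ones.

```python
import ipaddress

# Ranges named in the guide; the RFC 1918 blocks are the standard ones.
V4_RANGES = [
    ("APIPA", ipaddress.ip_network("169.254.0.0/16")),
    ("RFC 1918 private", ipaddress.ip_network("10.0.0.0/8")),
    ("RFC 1918 private", ipaddress.ip_network("172.16.0.0/12")),
    ("RFC 1918 private", ipaddress.ip_network("192.168.0.0/16")),
]
V6_RANGES = [
    ("link-local", ipaddress.ip_network("fe80::/10")),
    ("local (fc00::/7)", ipaddress.ip_network("fc00::/7")),
]
# ISATAP interface identifiers are 0000:5efe:<IPv4> or 0200:5efe:<IPv4>.
ISATAP_MARKERS = (0x00005EFE, 0x02005EFE)


def classify(text):
    """Return (kind, detail) for one address as ipconfig prints it."""
    # ipconfig appends a zone index to link-local addresses (fe80::1%11).
    addr = ipaddress.ip_address(text.strip().split("%", 1)[0])
    if addr.version == 4:
        for kind, net in V4_RANGES:
            if addr in net:
                return kind, str(addr)
        return "other IPv4", str(addr)

    # Teredo (2001::/32) embeds the server and the obfuscated client IPv4.
    if addr.teredo is not None:
        server, client = addr.teredo
        return "Teredo", f"server {server}, client {client}"
    # ISATAP is checked before link-local because its addresses sit in fe80::/10.
    if ((int(addr) >> 32) & 0xFFFFFFFF) in ISATAP_MARKERS:
        embedded = ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)
        return "ISATAP", f"tunnelled over IPv4 {embedded}"
    for kind, net in V6_RANGES:
        if addr in net:
            return kind, addr.exploded
    return "other IPv6", addr.exploded


def tunnelled(addresses):
    """Addresses whose IPv6 traffic rides inside IPv4 (Teredo or ISATAP)."""
    return [a for a in addresses if classify(a)[0] in ("Teredo", "ISATAP")]


# Constructed sample: addresses as they might appear in ipconfig /all output.
SAMPLE = [
    "192.168.1.131",
    "169.254.17.4",
    "fe80::5d18:652:cffd:8f52%11",
    "fe80::5efe:192.168.0.16%12",
    "2001:0:4136:e378:8000:63bf:3fff:fdd2",
    "fd00:1234::10",
]

if __name__ == "__main__":
    for a in SAMPLE:
        print(f"{a:40} {classify(a)}")
    print("tunnelled:", tunnelled(SAMPLE))
```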


Configuring IPv4

GUI configuration
• Local Area Connection Properties
  • Control Panel / Network and Sharing Center / Change Adapter Settings / Right-Click on adapter / Properties
• Internet Protocol Version 4 (TCP/IPv4)

Command-line configuration
• netsh interface ipv4 set …

Confirming IPv4 connectivity
• Confirm physical connectivity
  • Are the lights blinking?
• View your configuration
  • ipconfig /all
  • Did you get an IP address from the DHCP server?
  • Is it an APIPA address (169.254.0.1 – 169.254.255.254)?
  • Try to ipconfig /release and ipconfig /renew
• Connect to everything
  • ping your address, your gateway, a remote device
  • tracert to an external address

Configuring IPv6

Connecting to an IPv6 network
• Local Area Connection Properties
  • Control Panel / Network and Sharing Center / Change Adapter Settings / Right-Click on adapter / Properties
• netsh interface ipv6 set address
• netsh interface ipv6 show address
• DNS
  • IPv4 - A records
  • IPv6 – AAAA records

Confirming IPv6 connectivity
• Confirm physical connectivity
  • Are the lights blinking?
  • netsh interface ipv6 show neighbors
• View your configuration
  • ipconfig /all
  • netsh interface ipv6 show address
• Connect to everything
  • Windows 7 network utilities are IPv6 aware (with the -6 flag)
  • ping your address, your gateway, a remote device
  • tracert to an external address

Adding a network device
• Control Panel / Network and Sharing Center / Set up a connection or network
• Change advanced sharing settings
  • Network discovery
  • File and printer sharing
  • Public folder sharing

Professor Messer Exam Tip
Microsoft has a reputation for tough certification exams. Make sure you know your material very well before booking your exam!


802.11 wireless networking
• IEEE standards for wireless networking
• 802.11a, 802.11b, 802.11g, and 802.11n
• Differences in speeds, distance, channels, and frequencies

802.11a
• One of the initial wireless standards - October 1999
• Operates in the 5 GHz range
• 54 megabits per second (Mbit/s)
• Smaller range than 802.11b
  • Higher frequency is absorbed by objects in the way
• Today, only seen in very specific cases

802.11g
• An “upgrade” to 802.11b - June 2003
• Operates in the 2.4 GHz range
• 54 megabits per second (Mbit/s)
  • Same as 802.11a (but a little bit less throughput)
• Backwards-compatible with 802.11b
• Same frequency conflict problems as 802.11b

802.11b
• Also an original 802.11 standard - October 1999
• Operates in the 2.4 GHz range
• 11 megabits per second (Mbit/s)
• Better range than 802.11a
  • Less absorption problems
• More frequency conflict
  • Baby monitors, cordless phones, microwave ovens, Bluetooth

802.11n
• Standardized in 2009
• Operates at 5 GHz and/or 2.4 GHz
• 600 megabits per second (Mbit/s)
• New standard has MIMO
  • Multiple-input multiple-output

Wireless security and encryption

Security types
• No authentication (open)
• WPA-Personal, WPA2-Personal
• WPA-Enterprise, WPA2-Enterprise
• 802.1x (certificate or smart card)

Encryption types
• WEP (Wired Equivalent Privacy)
• TKIP (Temporal Key Integrity Protocol)
• AES (Advanced Encryption Standard)

Connecting to a wireless network
• Control Panel / Network and Sharing Center / Connect to a network
• Icon in System Tray
• netsh wlan show interfaces
• netsh wlan show networks mode=[ssid|bssid]
• netsh wlan add profile filename="filename"
• netsh wlan connect name=<profile> ssid=<ssid>
• netsh wlan disconnect interface="interface"

Preferred wireless networks
• Configured in the network profile
  • Automatically connect
  • Connect to a more preferred
  • Connect even if not broadcasting SSID

Configuring network adapters
• Configure all adapter types
  • Wired and wireless
• Networking tab
  • Protocols
• Configure… button
  • Hardware configuration

Location aware printing
• New Windows 7 feature
  • Based on wireless network connection
• Can also lock down the default


Windows Firewall
• Integrated into the operating system
• Control Panel / Windows Firewall
• Windows Firewall with Advanced Security
  • Click “Advanced settings”

Windows Firewall features
• Fundamental firewall rules
• Based on applications
  • No detailed control
• No scope
  • All traffic applies
• No connection security rules

Windows Firewall with Advanced Security
• Inbound rules
• Outbound rules
• Connection security rules
• Granular
  • Program, port, predefined services, custom
• Custom
  • Program, protocol/port, scope, action, profile

Remote Management

Remote Assistance
• User-initiated help
  • End-user is in control
• Send a file, an email, or Easy Connect
• Control Panel / System / Remote Tab
  • Advanced tab
• Start / All Programs / Maintenance / Windows Remote Assistance

Remote Desktop
• Initiated by the remote user
  • Host computer is always waiting for a connection
• Start / All Programs / Accessories / Remote Desktop Connection
  • Only available in Windows 7 Professional, Ultimate, and Enterprise
• Control Panel / System / Remote tab
• Automatically configures Windows Firewall rules
• Host user cannot see desktop
  • You are logging on as a user

Windows PowerShell
• Super-awesome powerful scripting
  • Run PowerShell instead of your normal shell
• Extends Windows functionality into the shell
• Windows 7 includes PowerShell 2.0
  • Over 240 cmdlets (command-lets)
• Extensive use of pipelines

Executing remote commands
• Windows Remote Shell (WinRS)
  • Run shell command on a remote computer
  • Remote desktop not required
• This is why we’ve been learning all those command line options
• Requires the Windows Remote Management Service
  • Set it up: WinRM quickconfig
  • Starts the service and configures the firewall

Remote Assistance


Resource access

Folder virtualization / Libraries
• Build “folders” that reference files in other locations
  • Local and network
• Redirect user files to a network server
  • Uses Offline Files technology
  • Synchronizes in the background
• Allows a user to be anywhere
  • Roaming user profile

Sharing folders
• Basic sharing and advanced sharing
• Central share management
• Command line sharing
  • net share

Printers and queues
• Share your printer with others
  • Leverage expensive resources
• Set access
  • Who can print in color?

HomeGroup settings
• Old-school resource sharing
  • Separate accounts, separate passwords
• Connect computers in a HomeGroup
  • Easy access to files and printers
• Can only create a HomeGroup in Windows 7 Home Premium, Professional, Ultimate, or Enterprise editions

Using the net share command

Windows HomeGroup

File and folder access

Encrypting File System (EFS)
• OS-level file encryption
  • Requires NTFS
• Encrypt for multiple users
  • Regardless of NTFS permissions
• Create a Recovery Agent before encrypting any files
  • cipher /R:filename

NTFS and share permissions
• NTFS
  • icacls
• Share
  • net share
• NTFS permissions apply to local and network connections
• Share permissions only apply to connections over the network
• The most restrictive setting wins
  • Allow / Deny
• Copy vs. Move
  • Permissions are inherited from the parent object (copy)
  • Unless you move to a different folder on the same volume (move)
• Built-in Effective Permissions tool

NTFS permissions Share permissions

Professor Messer Exam Tip
Get your hands on as many study materials as possible. Books, videos, and Q&A guides can all provide a different perspective of the same information.


User Account Control (UAC)

Account Control activity
• Limit software access
  • Protect your computer
• Inform you when important changes are made
  • New device drivers
  • Windows Firewall changes
  • Modifying user accounts
• Secure Desktop
  • Limits automated access

Local Security Policy
• Control Panel / Administrative Tools / Local Security Policy
• secpol.msc
• Subset of Group Policy
  • Computer Configuration\Windows Settings\Security Settings

User Account Control
• Keep the good programs working, keep the bad programs out
• Privilege elevation
  • Allow an application to run with administrator privileges
• Admin approval mode
  • Prompts the user for approval
• Secure Desktop
  • Locks the computer down until the UAC is answered

UAC Prompt Behavior
• Control Panel / User Accounts
  • Change User Account Control settings
• Group Policy
  • Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Authentication and Authorization

Configuring rights
• Group Policy
  • Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment
• Different than NTFS or Share permissions
• Control the use of the operating system
  • Log on locally, create symbolic links, change the time zone, shut down the system, etc.

Managing credentials
• Control Manager / Credential Manager
  • Keeps your usernames and passwords in the Windows Vault
• Include your own - Add a Windows Credential
• Backup and restore the Windows Vault
  • Uses the secure desktop for additional security

Managing certificates
• “Manage file encryption certificates”
  • Search from the start menu
• Certificates Console - certmgr.msc
• Command line - cipher.exe

Smart cards with PIV
• Personal Identity Verification
  • Biometric capture and storage, cryptographic algorithms, key sizes
  • http://csrc.nist.gov/groups/SNS/piv/index.html
• Carry your certificate with you
• Multifactor authentication
  • Username, password, smart card, fingerprint
• PIV is built-in to Windows 7 Group Policy
  • Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options
  • Interactive logon: Require smart card
  • Interactive logon: Smart card removal behavior

Elevating user privileges
• Use rights and permissions of another user
  • Without logging out
• GUI: Hold down Shift and right-click
  • Run as different user
• Command line: Use the “runas” command
  • RUNAS [ [/noprofile] [/profile] [/env] [/savecred | /netconly] ] /user:<UserName> program

Resolving authentication issues
• Password reset disk or USB key
  • Create this before you forget your password
• Domain users are reset from the domain administration
• User Accounts / Manage Accounts
• Access to EFS-encrypted information is lost
  • Unless you restore the EFS certificate


BranchCacheBranchCache overview• Caching for branch offices

• Without additional hardware or external services• Conserve bandwidth over slower links

• Windows 7 / Windows Server 2008 R2• Won’t work with older operating systems

• Seamless to the end-user• Same protocols• Same network connection• Same authentication methods• Activates when round-trip latency exceeds 80 milliseconds

Network infrastructure requirements• Hosted Cache Server

• Required at each remote location• Run distributed mode if cache server not local• Windows Server 2008 R2• Create SSL Certificate• Clients must trust the Certificate Authority

• Clients• Windows 7 Ultimate or Enterprise• May need to import the Certificate Authority• Use Group Policy

Configuring client settings• Group Policy

• Computer Configuration\Policies\Administrative Templates\ Network\BranchCache

• Command line• netsh Branchcache set service mode=distributed• netsh Branchcache set service mode=hostedclient location=hostedserver

• Enables BranchCache and configures Windows Firewall rules• Check the PeerDistSvc

• Service status: Started• Startup type: Manual

BitLocker and BitLocker To Go

BitLocker overview
• Encrypt an entire volume
• Protects all of your data and the operating system
• Lose your laptop? Your data is safe.
• Data is always protected
  • Even if the physical drive is moved to another computer
• Windows 7 Ultimate and Enterprise

TPM (Trusted Platform Module)
• Securely generates and stores cryptographic keys
• Hardware-based pseudo-random number generator
• Hash-key summary of the hardware and software
• Platform authentication

BitLocker modes
• BitLocker with a TPM
  • No additional authentication factors
• BitLocker with a TPM and a PIN
  • Input your PIN during startup
• BitLocker with a TPM and a USB startup key
  • Where’s your USB key?
• BitLocker without a TPM
  • Must boot with a startup key on a USB flash drive
• BitLocker with a TPM, a USB startup key, and a PIN
  • Very secure. Used in high-security environments

Troubleshooting BitLocker
• Don’t forget your password!
• Recovery Mode
  • Use your USB drive with the recovery key
  • manage-bde -status c:
  • manage-bde -unlock c: -cert -ct <certificate_thumbprint>
• There is no “backdoor” or recovery process

Data Recovery Agents
• Computer Configuration\Windows Settings\Security Settings\Public Key Policies\BitLocker Drive Encryption
• Configure the different drive recovery options
  • Include the Data Recovery Agent for each
• Configure the unique identifiers
  • Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives
• What if a computer already is using BitLocker?
  • manage-bde -setidentifier
  • manage-bde -protectors -get

Enabling BitLocker
• Back up your computer
• Control Panel / BitLocker - must be a local Administrator
• Pick a startup process - Choose a PIN, create a startup key
• No TPM? No problem! - Remember to configure the policy

BitLocker To Go
• Encrypt portable drives
• Set Group Policies on “Removable Data Drives”

Professor Messer Exam Tip
The Microsoft 70-680 exam expects you to have a solid understanding of the command line. Get as much hands-on work as you can!


DirectAccess

DirectAccess overview
• Automated VPN connectivity
  • Always-on, regardless of location
• Windows 7 Ultimate and Windows 7 Enterprise
• Seamless authentication
• IPv6
  • Unless you use Microsoft Forefront Unified Access Gateway
• Requires Windows Server 2008 R2
  • Must be in the Windows Domain
  • Two NICs
  • One inside, one outside (Internet link needs two consecutive IP addresses)
• Digital certificates for authentication

DirectAccess client configuration
• Clients are determined by DirectAccess security group
  • Group Policy Object is created during the DirectAccess setup process
• Lots of encryption
• Client must have certificate that can properly authenticate to the DirectAccess server
• “Currently connected to: Internet and Corporate access”

Certificate management
• Microsoft Management Console
  • mmc
• Certificates snap-in
  • Local Computer
• Certificates (Local Computer)\Personal\Certificates
  • Client authentication, Server Authentication

Command-line configuration and testing
• Use netsh
  • netsh interface ipv6 set teredo enterpriseclient <ip address>
  • netsh interface 6to4 set relay <ip address>
  • netsh interface httpstunnel add interface client https://myserver/IPHTTPS
• Did the Group Policy take?
  • netsh interface 6to4 show relay
  • netsh interface ipv6 show teredo
  • netsh interface httpstunnel show interfaces

Windows 7 mobility

Mobility overview
• Optimize your time on battery power
• Offline file access and synchronization
• Access files on a network share and cache locally
• Power optimization

Offline files
• Make files available, even when you’re not online
  • Automatically sync when back online
  • Built-in sync conflict management
• Mark files
  • “Always available offline”
• Online mode
  • Write to the server, read from the cache
• Auto offline mode
  • If server goes away, converts to local cache operations
  • When server returns (check every 2 minutes), revert to online mode
• Manual offline mode
  • Force yourself into offline mode - “Work offline”
• Slow-link mode
  • Kicks in when speeds drop below 64 kbps
  • Uses file cache, auto sync doesn’t run

Offline file Group Policy
• Computer Configuration\Administrative Templates\Network\Offline Files
• Administratively configure offline files, set slow-link speeds, change sync processes

Enabling Transparent caching
• Increase file performance across WAN links - caching only; no sync
• More flexible than BranchCache
  • Works with Windows 7 Professional, no Domain Services required, files are not distributed across multiple systems or on Windows Server 2008 R2
• Kicks in when round-trip exceeds a configured latency
• “Enable Transparent Caching” Group Policy

Managing Power
• Control Panel / Power Options
• Power down modes
  • Sleep
    • Processor is turned off, memory is still active
    • Mouse and keyboard remain powered
  • Hybrid Sleep
    • Processor is turned off, memory is active, copy is written to disk
    • Similar to Sleep mode
  • Hibernate
    • All devices are turned off, memory is written to disk


Remote Connections

VPNs (Virtual Private Networks)

Authentication protocols
• PAP (Password Authentication Protocol)
  • Unencrypted passwords
  • Don’t use this one unless you have to
• CHAP (Challenge Authentication Protocol)
  • Send the password as a hash
  • Still not a very secure authentication protocol
• MS-CHAPv2
  • Microsoft version of CHAP
  • Integrates the Windows username and password
  • Some brute-force weaknesses
• PEAP/PEAP-TLS
  • Protected Extensible Authentication Protocol
  • Sends EAP authentication over TLS (Transport Layer Security)
  • Certificate-based, quite secure
• EAP-MS-CHAPv2/PEAP-MS-CHAPv2
  • The security of PEAP with Windows integration
• Smart card or certificate
  • Need certificate on both the client and the server

VPN objectives
• Data encryption
  • Scramble the data
• Data integrity
  • Verify the received data
• Data authentication
  • Verify the source
• Replay protection
  • Prevent man-in-the-middle capture and resend
• Automatic
  • Windows figures out which is the most secure

IKEv2 (Internet Key Exchange v2)
• New in Windows 7
  • IPv6, VPN reconnect support
• Authentication options
  • EAP and certificates
  • PEAP, EAP-MSCHAP v2, smart cards, other certs
  • No support for PAP, CHAP, or MS-CHAPv2
• Uses udp/500

VPN protocols
• SSTP (Secure Socket Tunneling Protocol)
  • Uses tcp/443
  • Very compatible with existing firewalls
  • Doesn’t work through proxies
• L2TP/IPsec (Layer 2 Tunneling Protocol)
  • L2TP tunnels, IPsec to encrypt
  • Compatible with 3rd-party VPNs
• PPTP (Point-to-Point Tunneling Protocol)
  • Least-secure VPN protocol
  • Encryption but no data integrity or authentication

VPN reconnection
• Move between networks
  • VPN reconnects itself automatically without re-authentication
• Uses IKEv2 tunneling protocol
  • MOBIKE extension
  • IKEv2 Mobility and Multihoming
• Maximum timeout of 8 hours
  • Timeout is configurable
  • After 8 hours, you’ll have to reconnect manually

Dial-up connections
• What are those?
  • Very much in use, actually
• Network and Sharing Center
  • Set up a New Connection or Network
• You’ll need to have a modem and a telephone line

Professor Messer Exam Tip
Not all exam centers provide the same quality of testing experience. Stop by and do your own research before booking your exam!


Remote Connections

NAP (Network Access Protection)
• Firewall
  • Is firewall registered with Windows Security Center and enabled?
• Virus protection
  • Is an anti-virus application installed, registered, and turned on? Is it up-to-date?
• Spyware protection
  • Is an anti-spyware application installed, registered, and turned on? Is it up-to-date?
• Automatic updating
  • Is the client computer configured to check for updates from Windows Update?
  • Should the client download and install them?
• Security updates
  • Does the client computer have security updates installed based on one of four security severity ratings in the Microsoft Security Response Center (MSRC)?

NAP Remediation
• Users not matching the policy get a time-out
• Remediation network should have the tools to fix the issue
  • Windows Server Update Services
  • Updated signatures
• No remediation network?
  • Smaller organizations may not have the resources
  • Time to be your own help desk

Security Auditing
• Get insight into connections from remote users
  • Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit Logon Events
• Event Viewer / Security Log
• Centralized logging

Remote Desktop
• Remote Desktop Gateway Server
  • Formerly known as Terminal Services Gateway
• Manage with Group Policy
  • User Configuration\Administrative Templates\Windows Components\Remote Desktop Services\RD Gateway
• RemoteApp
  • Run applications remotely
  • But they look like they’re running locally
  • The icon looks and works exactly the same to the end user

[Figure: Windows Event Viewer / Security Log]
[Figure: Windows Security Health Validator]

Updating Windows 7

Configuring update settings
• Control Panel / Windows Update
  • Need Administrator permissions
  • Works in conjunction with the Windows Update Service
• Anyone can manually check for new updates
  • From the GUI
  • Windows Update AutoUpdate Client
  • wuauclt /detectnow

Windows Update categories
• Important updates
  • You really want to install these
  • Security updates
• Recommended updates
  • Not as critical, but still very useful
  • Corrects minor (but still annoying) application bugs
• Optional updates
  • New languages
  • New drivers

Update options
• Install Updates Automatically (recommended)
  • This is the default for a good reason
• Download Updates But Let Me Choose Whether To Install Them
  • They’re waiting for you to push the button
• Check For Updates But Let Me Choose Whether To Download & Install Them
  • Save bandwidth until you need the updates.
• Never Check For Updates (Not recommended)
  • A bad idea, unless you have a really, really good reason.
• Give Me Recommended Updates the Same Way I Receive Important Updates
  • Elevate the value of the recommendations
• Allow all Users to Install Updates On This Computer
  • This is the default, but this is best left for Administrators to decide


Updating Windows 7 (continued)

Hidden updates, history, and uninstall
• Hide an update
  • You won’t be asked to update that patch again
  • You can unhide it later, if necessary
  • Standard users can’t hide updates
• View update history
  • What was that update, again?
• Uninstall any of your updates
  • Control panel / Programs and Features
  • Standard users can’t uninstall updates

Proxies and manual updates
• Windows Update does NOT use Internet Explorer settings
  • Use Web Proxy Auto Detect (WPAD) through DHCP or DNS
  • Import the proxy settings from Internet Explorer using netsh
  • netsh winhttp import proxy source=ie
• Install manually if you have the .msu files
  • Windows Update Stand-alone Installer (Wusa.exe)
  • Standard users can install updates
  • Wusa.exe d:\windows6.1-kb7654321-x64.msu /quiet /norestart

Windows Server Update Services (WSUS)
• Central configuration
  • Save bandwidth
• Administrators determine the rollout schedule
  • Group computers together for logical organization
• Central rollback management
  • Whoops. Can we take that back?
• Managed through Group Policy

Windows Update policies
• Computer Configuration\Administrative Templates\Windows Components\Windows Update
• Specify Intranet Microsoft Update Service Location
  • Your internal update server
• Enable Client-Side Targeting
  • Group computers together for coordinated updates
• Allow Signed Updates From an intranet Microsoft Update Service Location
  • Roll out your own updates

Managing Disks

Managing disk volumes
• Two partition types
• MBR (Master Boot Record)
  • Four partitions per disk
  • Maximum 2 TB disk size
• GPT (GUID Partition Table)
  • 128 partitions per disk
  • Maximum 256 TB disk size
• Convert using Disk Manager or diskpart
  • DISKPART> convert gpt

Basic and dynamic disks
• Basic disks
  • MBR partitioned disks
• Dynamic disks
  • Logical Disk Manager (LDM) database instead of an MBR
  • LDM is replicated to other dynamic disks
• Moving disks between computers
  • Basic disks are independent - No problem!
  • Dynamic disks should all be moved at the same time
  • You may not be able to move the disks back
    • The disk group name might be duplicated

Moving disks
• Is everyone healthy?
  • Don’t move disks with a non-healthy status
• Uninstall the disks you want to move
  • You’ll have to confirm this
  • For dynamic disks, Remove Disk
• Move the disks to the new computer
  • Move all disks in an array at the same time
• Disk Management / Rescan Disks
  • Import the Foreign Disks

Dynamic disk advantages
• Simple
  • Single disk
• Spanned volumes
  • Many disks look like one big disk
• RAID in Windows 7 software
  • Redundant Array of Independent Disks
  • RAID 0 - Striping
  • RAID 1 - Mirroring
• RAID supported in Microsoft Windows 7 Professional, Ultimate, and Enterprise

Converting disks
• Basic to Dynamic
  • Easy-peasy
  • Data remains intact
  • Partitions are converted to simple volumes
• Dynamic to Basic
  • Destructive process
  • Back up your data, delete the dynamic volumes, convert to basic
• diskpart
  • DISKPART> select disk <number>
  • DISKPART> convert basic

Managing disk volumes
• Simple volumes
• Spanned volumes
• Striped volumes - RAID 0
• Mirrored volumes - RAID 1
• Resize volumes
• RAID 5 is NOT supported in Windows 7!


Disk tools

Disk cleanup
• Right-click a volume / Properties
• Administrators get additional system file options

Disk defragmenter
• Analyze your disk to determine fragmentation rate
  • Over 10% fragmentation is candidate for a defrag
  • This can take a LONG time
• Set a schedule
  • Watch the fragmentation rate over time and adjust accordingly
• Run from the command line
  • defrag c:
  • defrag /c /h /u /v

Error Checking
• Right-click volume / Properties / Tools tab / Error-Checking
• Automatically fix file system errors
  • This box must be checked to repair any file system problems
  • This is the default
• Scan for and attempt recovery of bad sectors
  • Scans the entire drive, this could take some time

[Figure: The results of an Error-Checking scan]

Removable device policies
• Computer Configuration \ Administrative Templates \ System \ Removable Storage Access
• Time (In Seconds) To Force Reboot
• CD And DVD: Deny Execute, Read, or Write Access
• Custom Classes: Deny Read or Write Access
• Floppy Drives: Deny Execute, Read, or Write Access
• Removable Disks: Deny Execute, Read, or Write Access
  • Does not include CD, DVD, or Floppy disks
• All Removable Storage Classes: Deny All Access
• All Removable Storage: Allow Direct Access In Remote Sessions
• Tape Drives: Deny Execute, Read, or Write Access
• WPD Devices: Deny Execute, Read, or Write Access
  • Windows Portable Device

Monitoring Windows 7

Event Viewer
• Control Panel / Administrative Tools / Event Viewer
• View log information
  • Application, Security, Setup, System, Forwarded Events
• Create custom views
  • Focus on the information you often need

Event subscriptions
• Centralize your event logs on a collector
  • Instead of looking at every workstation manually
• Collector-initiated subscriptions
  • The collector asks for the event log information
  • Doesn’t scale very well
  • Every computer is listening for instructions
• Source-initiated subscriptions
  • The collector is always listening
  • Used in large environments
  • Much more flexible

Collector-initiated setup
• Uses the Windows Remote Management Service on the source computer
  • winrm quickconfig
• Add the collector computer to the source computer’s “Event Log Readers” group
  • Security Log must be read by a Local Administrator
• On the collector computer, run Windows Event Collector utility
  • wecutil quick-config

Source-initiated setup - collector computer
• Configure Windows Remote Management Service on the collector
  • winrm quickconfig
• On the collector computer, run Windows Event Collector utility
  • wecutil quick-config
• Create a subscription to forward events from the event log of a remote computer
  • This is easy in Event Viewer
  • wecutil create-subscription subscription.xml
• Computer Configuration\Administrative Templates\Windows Components\Event Forwarding\Configure...
• Add the Windows Remote Management Service on the source computer
  • winrm quickconfig
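
The subscription.xml passed to wecutil create-subscription in the source-initiated setup above could look like the following. This is an added example, not part of the original study guide; the subscription name, the choice of logon event IDs 4624 and 4625, and the batching and heartbeat values are assumptions chosen for illustration.

```xml
<!-- Added example: source-initiated subscription that forwards logon events.
     The name and tuning values below are assumptions, not from the study guide. -->
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <!-- Hypothetical subscription name -->
  <SubscriptionId>Example-Logon-Events</SubscriptionId>
  <!-- Sources push events to the collector, which is always listening -->
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Forward logon success and failure events to the collector</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>

  <!-- Custom mode lets the delivery values below be set explicitly -->
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching>
      <!-- Send after 5 events or 30 seconds, whichever comes first -->
      <MaxItems>5</MaxItems>
      <MaxLatencyTime>30000</MaxLatencyTime>
    </Batching>
    <PushSettings>
      <!-- Heartbeat every 15 minutes so a silent source can be noticed -->
      <Heartbeat Interval="900000"/>
    </PushSettings>
  </Delivery>

  <!-- Security log only: 4624 = successful logon, 4625 = failed logon -->
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0" Path="Security">
          <Select Path="Security">*[System[(EventID=4624 or EventID=4625)]]</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>

  <!-- Forward only events recorded after the subscription is created -->
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>http</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <!-- Events land in the collector's Forwarded Events log -->
  <LogFile>ForwardedEvents</LogFile>

  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <!-- SDDL: allow Domain Computers (DC) and Network Service (NS) as sources -->
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>
</Subscription>
```

After creating the subscription, wecutil get-subscription Example-Logon-Events on the collector shows the stored settings, and the forwarded events appear under Forwarded Events in Event Viewer.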

Performance Monitor
• Control Panel / Performance Information and Tools / Advanced Tools / Open Performance Monitor
  • perfmon
• Real-time performance information
  • Many different metrics
• Data Collector Sets
  • Store performance information to disk
• Create reports
  • Compile long-term information into a concise view
• System Diagnostics Report
  • perfmon /report


Performance settings

Configuring page files
• Expand your memory
  • Temporarily store non-executing files out of active memory
• Control Panel / System / Advanced System Settings / Performance section; Settings button

Configuring hard drive write cache
• Hard drives are slow, memory is fast
  • Use the memory to speed your performance
• USB drive write caching
  • Quick removal (no caching) is the default
  • You can enable caching, but you have to be careful!
• Hard drive write caching
  • Enabled by default
  • What if you lose power?
  • Windows write-cache buffer flushing

Updated drivers
• Can provide significant performance increases
  • Drivers should be relatively current
• Can provide significant performance decreases
  • New is not necessarily better
• Always have a backout plan
  • Roll Back Driver button can be useful

Configuring networking performance
• Control Panel / Internet Options / Advanced tab
  • Manage the user experience
• Accessibility
  • More to process
• Browsing
  • Additional notification and error screens
• Multimedia
  • Automatically play animations and download pictures
• Security
  • Warning messages are extremely important

Configuring your desktop environment
• Wallpaper
  • Or should it be called “deskpaper?”
• Start Menu
  • Configure what you see
  • Get to your Administrative Tools faster
• Gadgets
  • Make your desktop work for you
• Icons
  • Enable/disable desktop icons

Configuring services and programs
• Resolve performance issues
  • Check the Event Log and Task Manager
• Control Panel / Administrative Tools / Services
  • Recovery tab
  • Dependencies tab

Mobile computing performance issues
• Power
  • Power configuration has a remarkable effect on performance
  • Check your power source
  • Control Panel / Power Options
• Heat / CPU
  • Many laptops will slow down when hot
  • This generally isn’t configurable
  • Always have good airflow

Configuring processor scheduling
• Task Manager
  • Control your processes
• Set priority
  • Realtime, High, Above Normal, Normal, Below Normal, Low
• Set Affinity
  • Assign an application to a CPU

[Figure: Internet Options / Advanced tab]
[Figure: Control Panel / Power Options]

Configuring power
• Control Panel / Power Options
  • Modify based on situation
  • Battery-powered devices have more options

[Figure: Control Panel / Power Options / Advanced settings]


Windows 7 backup

Backup options
• Control Panel / Backup and Restore
  • Configure everything from the GUI
• Files and folders
  • Save files, and versions of files
  • Use Shadow Copy technology to copy open files
  • No system files, profile settings, Recycle Bin files, EFS files, temporary files

System images
• Back up the entire volume
  • It makes a VHD
  • You could boot from it (Ultimate and Enterprise)
• Must back up to an NTFS partition
  • FAT won’t work
• Initiate from the command line
  • wbadmin start backup -backuptarget:d: -include:c: -quiet
• Schedule with Windows Task Scheduler

Backup locations
• CD-ROM and DVD-ROM
  • No re-writable DVDs
• Hard disk - External and Internal
• Network location
  • Windows 7 Professional, Ultimate, and Enterprise
• No tape drives
• No flash drives

Backup structure
• Files and folders
  • Folder with the computer name
  • Full backups into a folder with multiple ZIP files for versions
• Catalog
  • What files are in the backup? Ask GlobalCatalog.wbcat.
• System Image backups
  • Stored in \WindowsImageBackup
  • Only one system image
  • Updated each time

Windows 7 system recovery options

System Restore
• Restore points are created automatically
  • And you can also create them manually
• Control Panel / System / System protection
• System restore when booted or from System Recovery
  • Is your installation media available?
• Make sure you have enough disk space allocated
  • You’ll probably want to adjust this

Last Known Good configuration
• Can’t log in?
  • This can be an issue
• System Recovery (F8)
• Each time you log on, the Last Known Good configuration is saved
  • Don’t log on unless you’re sure everything is ok!
• Your configuration is staged in \HKLM\System\CurrentControlSet
  • Copied from ControlSet001 to CurrentControlSet when you log on

Complete restore
• Remember those images you made?
  • These can recover your entire system
  • Shadow copy FTW
• Boot from the Windows Installation media
  • Choose “Repair Your Computer”

Driver rollback
• Easy to do from the Device Manager
  • Built-in button
  • How did they know I would mess this up?
• Choose “Roll Back Driver”
  • Only available if there’s something to roll back into

Windows 7 file recovery options

File restore points
• Two file backup storage locations
  • Backup and Restore
  • Shadow copy
• Backup and Restore
  • Search from the Backup and Restore console
• Shadow copy
  • Created during a restore point
  • Right-click file / Restore previous versions

Restoring damaged or deleted files
• What if the file is missing or renamed?
  • And no Windows backup!
  • Hopefully, you know where it WAS
• Restore from shadow copy
  • You’ll need to restore from the entire folder
  • Copy everything else to a safe place to avoid overwriting

Restoring user profiles
• Similar to restoring individual folders
• Just choose the entire \User\Username folder