
MCTS 70-680
Rapid Review:
Configuring Windows 7

Orin Thomas

Published with the authorization of Microsoft Corporation by:
O’Reilly Media, Inc.
1005 Gravenstein Highway North
Sebastopol, California 95472
Copyright © 2012 Orin Thomas
All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any means without the written permission of the publisher.
ISBN: 978-0-7356-5729-8
Printed and bound in the United States of America.
Microsoft Press books are available through booksellers and distributors worldwide. If you need support related to this book, email Microsoft Press Book Support at mspinput@microsoft.com. Please tell us what you think of this book at http://www.microsoft.com/learning/booksurvey.
Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other marks are property of their respective owners.
The example companies, organizations, products, domain names, email addresses,
logos, people, places, and events depicted herein are fictitious. No association with
any real company, organization, product, domain name, email address, logo, person,
place, or event is intended or should be inferred.
This book expresses the author’s views and opinions. The information contained in
this book is provided without any express, statutory, or implied warranties. Neither
the authors, O’Reilly Media, Inc., Microsoft Corporation, nor its resellers, or distributors will be held liable for any damages caused or alleged to be caused either directly
or indirectly by this book.
Acquisitions and Developmental Editor: Ken Jones
Production Editor: Kristen Borg
Composition: Dessin Designs
Technical Reviewer: Zachary Niemann
Copyeditor: Nancy Sixsmith
Proofreader: Teresa Horton
Indexer: Angela Howard
Cover Design: Best & Company Design
Cover Composition: Karen Montgomery

Contents at a Glance

Introduction
Chapter 1  Installing, Upgrading, and Migrating to Windows 7
Chapter 2  Deploying Windows 7
Chapter 3  Configuring Hardware and Applications
Chapter 4  Configuring Network Connectivity
Chapter 5  Configuring Access to Resources
Chapter 6  Configuring Mobile Computing
Chapter 7  Monitoring and Maintaining Systems that Run Windows 7
Chapter 8  Configuring Backup and Recovery Options
Index
About the Author

Contents

Introduction

Chapter 1  Installing, Upgrading, and Migrating to Windows 7
  Objective 1.1: Perform a clean installation
    Exam need to know
    Identifying hardware requirements
    Setting up as the sole operating system
    Setting up as dual boot
    Installation methods
    Boot from the source of installation
    Preparing the installation source: USB, CD, network share, WDS
    Can you answer these questions?
  Objective 1.2: Upgrade to Windows 7 from previous versions of Windows
    Exam need to know
    Upgrading from Windows Vista
    Migrating from Windows XP
    Upgrading from one edition of Windows 7 to another edition of Windows 7
    Can you answer these questions?
  Objective 1.3: Migrate user profiles
    Exam need to know
    Side-by-side vs. wipe and load
    Migrating from one machine to another
    Migrating from previous versions of Windows
    Can you answer these questions?
  Answers
    Objective 1.1: Perform a clean installation
    Objective 1.2: Upgrade to Windows 7 from previous versions of Windows
    Objective 1.3: Migrate user profiles

Chapter 2  Deploying Windows 7
  Objective 2.1: Capture a system image
    Exam need to know
    Preparing system for capture
    Manual capture
    Creating a WIM file
    Automated capture
    Can you answer these questions?
  Objective 2.2: Prepare a system image for deployment
    Exam need to know
    Inserting an application into a system image
    Inserting a driver into a system image
    Inserting an update into a system image
    Configuring tasks to run after deployment
    Can you answer these questions?
  Objective 2.3: Deploy a system image
    Exam need to know
    Manually deploying a customized image
    Automated deployment methods
    Can you answer these questions?
  Objective 2.4: Configure a VHD
    Exam need to know
    Creating, deploying, booting, mounting, and updating VHDs
    Offline updates
    Offline servicing
    Can you answer these questions?
  Answers
    Objective 2.1: Capture a system image
    Objective 2.2: Prepare a system image for deployment
    Objective 2.3: Deploy a system image
    Objective 2.4: Configure a VHD

Chapter 3  Configuring Hardware and Applications
  Objective 3.1: Configure devices
    Exam need to know
    Updating, disabling, and uninstalling drivers
    Signed drivers
    Configuring driver settings
    Resolving problem device driver
    Conflicts between drivers
    Can you answer these questions?
  Objective 3.2: Configure application compatibility
    Exam need to know
    Setting compatibility mode
    Implementing shims
    Compatibility issues with Internet Explorer
    Can you answer these questions?
  Objective 3.3: Configure application restrictions
    Exam need to know
    Setting Software Restriction Policies
    Setting Application Control Policies
    Setting through Group Policy or Local Security Policy
    Can you answer these questions?
  Objective 3.4: Configure Internet Explorer
    Exam need to know
    Configuring Compatibility View
    Configuring security settings
    Configuring providers
    Managing add-ons
    Controlling InPrivate mode
    Certificates for secure websites
    Can you answer these questions?
  Answers
    Objective 3.1: Configure devices
    Objective 3.2: Configure application compatibility
    Objective 3.3: Configure application restrictions
    Objective 3.4: Configure Internet Explorer

Chapter 4  Configuring Network Connectivity
  Objective 4.1: Configure IPv4 network settings
    Exam need to know
    Connecting to a network
    Configuring name resolution
    Setting up a connection for a network
    Network locations
    Resolving connectivity issues
    APIPA
    Can you answer these questions?
  Objective 4.2: Configure IPv6 network settings
    Exam need to know
    Configuring name resolution
    Connecting to a network
    Setting up a connection for a network
    Network locations
    Resolving connectivity issues
    Link local multicast name resolution
    Can you answer these?
  Objective 4.3: Configure network settings
    Exam need to know
    Adding a physically connected or wireless device
    Connecting to a wireless network
    Configuring security settings on the client
    Set preferred wireless networks
    Configuring network adapters
    Configuring Location Aware Printing
    Can you answer these questions?
  Objective 4.4: Configure Windows Firewall
    Exam need to know
    Allowing or denying an application
    Configuring rules for multiple profiles
    Network profile specific rules
    Configuring notifications
    Configuring authenticated exceptions
    Can you answer these questions?
  Objective 4.5: Configure remote management
    Exam need to know
    Remote management methods
    Configuring remote management tools
    Executing PowerShell commands
    Can you answer these questions?
  Answers
    Objective 4.1: Configure IPv4 network settings
    Objective 4.2: Configure IPv6 network settings
    Objective 4.3: Configure network settings
    Objective 4.4: Configure Windows Firewall
    Objective 4.5: Configure remote management

Chapter 5  Configuring Access to Resources
  Objective 5.1: Configure shared resources
    Exam need to know
    Folder virtualization
    Shared folder permissions
    Printers and queues
    Configuring HomeGroup settings
    Can you answer these questions?
  Objective 5.2: Configure file and folder access
    Exam need to know
    Encrypting files and folders by using EFS
    Configuring NTFS permissions
    Resolving effective permissions issues
    Copying files vs. moving files
    Can you answer these questions?
  Objective 5.3: Configure User Account Control (UAC)
    Exam need to know
    Configuring Local Security Policy
    Configuring admin vs. standard UAC prompt behaviors
    Configuring Secure Desktop
    Can you answer these questions?
  Objective 5.4: Configure authentication and authorization
    Exam need to know
    Resolving authentication issues
    Configuring rights
    Managing credentials
    Managing certificates
    Smart cards with PIV
    Elevating user privileges
    Multifactor authentication
    Can you answer these questions?
  Objective 5.5: Configure BranchCache
    Exam need to know
    Distributed Cache mode vs. Hosted mode
    Network infrastructure requirements
    Configuring settings
    Certificate management
    Can you answer these questions?
  Answers
    Objective 5.1: Configure shared resources
    Objective 5.2: Configure file and folder access
    Objective 5.3: Configure User Account Control (UAC)
    Objective 5.4: Configure authentication and authorization
    Objective 5.5: Configure BranchCache

Chapter 6  Configuring Mobile Computing
  Objective 6.1: Configure BitLocker and BitLocker To Go
    Exam need to know
    Configure BitLocker and BitLocker To Go policies
    Managing Trusted Platform Module (TPM) PINs
    Configuring startup key storage
    Data recovery agent support
    Can you answer these questions?
  Objective 6.2: Configure DirectAccess
    Exam need to know
    Configuring client side
    Configuring authentication
    Network infrastructure requirements
    Can you answer these questions?
  Objective 6.3: Configure mobility options
    Exam need to know
    Configuring offline file policies
    Transparent caching
    Creating and migrating power policies
    Can you answer these questions?
  Objective 6.4: Configure remote connections
    Exam need to know
    Establishing VPN connections and authentication
    Enabling a VPN Reconnect
    Advanced security auditing
    NAP quarantine remediation
    Dial-up connections
    Remote Desktop
    Published apps
    Can you answer these questions?
  Answers
    Objective 6.1: Configure BitLocker and BitLocker To Go
    Objective 6.2: Configure DirectAccess
    Objective 6.3: Configure mobility options
    Objective 6.4: Configure remote connections

Chapter 7  Monitoring and Maintaining Systems that Run Windows 7
  Objective 7.1: Configure updates to Windows 7
    Exam need to know
    Configure update settings
    Determine source of updates
    Configuring Windows Update policies
    Review update history
    Check for new updates
    Rolling back updates
    Can you answer these questions?
  Objective 7.2: Manage disks
    Exam need to know
    Managing disk volumes
    Managing file system fragmentation
    RAID
    Removable device policies
    Can you answer these questions?
  Objective 7.3: Monitor systems
    Exam need to know
    Configuring event logging
    Filtering event logs
    Event subscriptions
    Data collector sets
    Generating a system diagnostics report
    Can you answer these questions?
  Objective 7.4: Configure performance settings
    Exam need to know
    Configuring page files
    Configuring hard drive cache
    Updated drivers
    Configuring network performance
    Configuring power plans
    Configuring processor scheduling
    Configuring desktop environment
    Configuring services and programs to resolve performance issues
    Mobile computing performance issues
    Configuring power
    Can you answer these questions?
  Answers
    Objective 7.1: Configure updates to Windows 7
    Objective 7.2: Manage disks
    Objective 7.3: Monitor systems
    Objective 7.4: Configure performance settings

Chapter 8  Configuring Backup and Recovery Options
  Objective 8.1: Configure backup
    Exam need to know
    Creating a system recovery disk
    Backing up files, folders, or full system
    Scheduling backups
    Can you answer these questions?
  Objective 8.2: Configure system recovery options
    Exam need to know
    Configuring system restore points
    Restoring system settings
    Last Known Good Configuration
    Complete restore
    Driver rollback
    Can you answer these questions?
  Objective 8.3: Configure file recovery options
    Exam need to know
    Configuring file restore points
    Restoring damaged and deleted files by using shadow copies
    Restoring previous versions of files and folders
    Restore user profiles
    Can you answer these questions?
  Answers
    Objective 8.1: Configure backup
    Objective 8.2: Configure system recovery options
    Objective 8.3: Configure file recovery options

Index
About the Author

What do you think of this book? We want to hear from you!
Microsoft is interested in hearing your feedback so we can continually improve our books and learning resources for you. To participate in a brief online survey, please visit: microsoft.com/learning/booksurvey

Introduction

This Rapid Review is designed to help you assess—and complete—your readiness for MCTS Exam 70-680: Windows 7, Configuring. The Rapid Review series is intended for exam candidates who already have a solid grasp on the exam objectives through a combination of experience, skills, and study and could use a concise review guide to help with the final stages of preparation.

The 70-680 exam is aimed at professionals who have at least one year of experience supporting desktop operating systems in organizational environments. Most candidates who take this exam work in an environment where Windows 7 either has been deployed or is about to be deployed. Although this experience focuses on the Windows 7 operating system, you might have real-world experience with other Windows client operating systems, such as Windows Vista and Windows XP that you can build on and apply.

It is important to note that you should have real world experience with Windows 7 prior to taking the 70-680 exam and that having practical knowledge is a key component to achieving a passing mark.

This book will review every concept described in the following exam objective domains:

■ Installing, Upgrading, and Migrating to Windows 7
■ Deploying Windows 7
■ Configuring Hardware and Applications
■ Configuring Network Connectivity
■ Configuring Access to Resources
■ Configuring Mobile Computing
■ Monitoring and Maintaining Systems that Run Windows 7
■ Configuring Backup and Recovery Options

This is a Rapid Review and not a comprehensive exam prep or skills training resource such as the Microsoft Press Self-Paced Training Kit. The book covers every exam objective for the 70-680 exam as presented in the objective domain. The exam team does not give anyone access to the exam questions and regularly adds new questions to the exam, which makes complete coverage a real challenge. The coverage in this book is as complete as possible based on the information available. This book should be an excellent supplement to your existing independent study and real-world experience with the product.

If you encounter a topic in this book that you do not feel completely comfortable with, you can visit the links described in the text, in addition to researching the topic further using Microsoft TechNet, as well as consulting support forums. If you review a topic and find that you don’t understand it, you should consider consulting books such as the Windows® 7 Resource Kit and the MCTS Self-Paced Training Kit (Exam 70-680): Configuring Windows® 7 from Microsoft Press. You can also purchase practice tests, or use the one available with the Training Kit, to determine if you need further study on particular topics.

Note  The MCTS Self-Paced Training Kit (Exam 70-680): Configuring Windows® 7 provides comprehensive coverage of each 70-680 exam objective, along with exercises, review questions, and practice tests. The Training Kit also includes a discount voucher for the exam.

Microsoft Certified Professional Program

Microsoft certifications provide the best method for proving your command of current Microsoft products and technologies. The exams and corresponding certifications are developed to validate your mastery of critical competencies as you design and develop, or implement and support, solutions with Microsoft products and technologies. Computer professionals who become Microsoft certified are recognized as experts and are sought after industry-wide. Certification brings a variety of benefits to the individual and to employers and organizations.

More Info  For a full list of Microsoft certifications, go to www.microsoft.com/learning/mcp/default.asp.

Acknowledgments

I’d like to thank my good mate Ken Jones at O’Reilly for his support in getting the Rapid Review series off the ground. It’s always a pleasure to work with Ken, and I’m forever thankful for the opportunities that he presents me with as an author. I’d also like to thank Zachary Niemann, the technical reviewer, Dan Fauxsmith, the production manager, Kristen Borg, the production editor, and Nancy Sixsmith, the copy editor. Without your assistance and professionalism, the book wouldn’t have come together as well as it has! As always I’d like to thank my wife Oksana and son Rooslan for their patience with me during the writing process. I’d also like to thank you, the reader, for picking up this book. If you have any questions about anything and you want to get in touch with me, you can find me on Twitter: http://twitter.com/OrinThomas.

Support & Feedback

The following sections provide information on errata, book support, feedback, and contact information.

Errata

We’ve made every effort to ensure the accuracy of this book and its companion content. Any errors that have been reported since this book was published are listed on our Microsoft Press site at oreilly.com: http://go.microsoft.com/FWLink/?Linkid=242588

If you find an error that is not already listed, you can report it to us through the same page. If you need additional support, email Microsoft Press Book Support at mspinput@microsoft.com. Please note that product support for Microsoft software is not offered through the addresses above.

We Want to Hear from You

At Microsoft Press, your satisfaction is our top priority, and your feedback our most valuable asset. Please tell us what you think of this book at: http://www.microsoft.com/learning/booksurvey

The survey is short, and we read every one of your comments and ideas. Thanks in advance for your input!

Stay in Touch

Let’s keep the conversation going! We’re on Twitter: http://twitter.com/MicrosoftPress


Chapter 1

Installing, Upgrading, and Migrating to Windows 7

Approximately 14 percent of the 70-680 exam focuses on the topic of installing, upgrading, and migrating to Microsoft Windows 7. That means that you need to have a good grasp of how to perform a clean installation, how to upgrade to Windows 7 from previous editions of the Windows client operating system, and how to migrate user profiles and data to Windows 7 from previous versions of Windows.

This chapter covers the following objectives:

■ Objective 1.1: Perform a clean installation
■ Objective 1.2: Upgrade to Windows 7 from previous versions of Windows
■ Objective 1.3: Migrate user profiles

Objective 1.1: Perform a clean installation

This objective requires you to demonstrate that you know how to determine whether a particular hardware profile is appropriate for the Windows 7 operating system, how to perform a traditional and dual-boot installation, the different methods that you can use to deploy Windows 7, and the steps that you should take to prepare each installation source.

Exam need to know

■ Identifying hardware requirements
  For example: How to determine whether computer hardware meets the minimum requirement for the deployment of Windows 7.
■ Setting up as the sole operating system
  For example: How to deploy Windows 7 as the only operating system on a computer.
■ Setting up as dual boot
  For example: How to configure Windows 7 to dual boot with Windows Vista.
■ Installation methods
  For example: Choose when to use a PXE-based or media-based installation.
■ Boot from the source of installation
  For example: How to determine when to use bootable media to install Windows 7.
■ Preparing the installation source USB, CD, Network share, WDS
  For example: How to configure a USB installation source.

Identifying hardware requirements

You need to know the minimum hardware requirements for the 32-bit and 64-bit versions of Windows 7.

True or False? The minimum amount of disk space required for Windows 7 Enterprise edition (x64) is 16 GB.

Answer: False. The hardware requirements for the 32-bit (x86) editions of Windows 7 differ from the hardware requirements of the 64-bit (x64) edition of Windows 7. Windows 7 has the following hardware requirements, depending on whether you are installing the x86 or x64 version of an edition:

■ 1 GHz or faster 32-bit or 64-bit processor.
■ 1 GB RAM (for 32-bit editions) or 2 GB RAM (for 64-bit editions). The 32-bit editions do not support more than 4 GB of RAM.
■ 16 GB available hard disk space (32-bit) or 20 GB (64-bit)
■ Device that supports DirectX9 Graphics with a WDDM 1.0 or higher compatible graphics adapter.

Although these are the listed minimum hardware requirements, in some cases it might be possible to actually install Windows 7 on computers that don’t reach these specifications.

EXAM TIP  When considering answering an exam question, use an answer based on the published documentation rather than what you might have been able to accomplish shoehorning Windows 7 onto a computer in the real world.

True or False? Windows 7 Home Premium edition will support a system configuration where there are two separate physical processors, each with eight cores.

Answer: False. The number of processors supported by Windows 7 depends on the edition of Windows 7. For example:

■ Windows 7 Professional, Enterprise, and Ultimate allow for two physical processors.
■ Windows Starter, Home Basic, and Home Premium recognize only a single processor.
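The published minimums and per-edition processor limits above can be checked against an inventory before deployment. The following PowerShell sketch is an added example, not code from the book; the function names `Test-Win7Readiness`, `New-Finding` and `Get-Status`, the sample inventory values, and the choice of drive C: as the target volume are assumptions made for illustration.

```powershell
# Added example (not from the book). Thresholds are the minimums quoted in this chapter.
function New-Finding([string]$Check, [string]$Status, [string]$Detail) {
    New-Object PSObject -Property @{ Check = $Check; Status = $Status; Detail = $Detail } |
        Select-Object Check, Status, Detail
}

function Get-Status([bool]$Ok, [string]$Otherwise = 'Fail') {
    if ($Ok) { 'Pass' } else { $Otherwise }
}

function Test-Win7Readiness {
    param(
        [Parameter(Mandatory = $true)][ValidateSet('x86', 'x64')]
        [string]$Architecture,
        [Parameter(Mandatory = $true)]
        [ValidateSet('Starter', 'HomeBasic', 'HomePremium', 'Professional', 'Enterprise', 'Ultimate')]
        [string]$Edition,
        [Parameter(Mandatory = $true)][int]$CpuMHz,
        [Parameter(Mandatory = $true)][int]$PhysicalProcessors,
        [Parameter(Mandatory = $true)][double]$RamGB,
        [Parameter(Mandatory = $true)][double]$FreeDiskGB
    )

    # 32-bit: 1 GB RAM and 16 GB disk. 64-bit: 2 GB RAM and 20 GB disk.
    if ($Architecture -eq 'x64') { $minRamGB = 2; $minDiskGB = 20 }
    else                         { $minRamGB = 1; $minDiskGB = 16 }

    # Professional, Enterprise and Ultimate allow two physical processors;
    # Starter, Home Basic and Home Premium recognize only one.
    if (@('Professional', 'Enterprise', 'Ultimate') -contains $Edition) { $maxSockets = 2 }
    else                                                               { $maxSockets = 1 }

    New-Finding 'Processor speed' (Get-Status ($CpuMHz -ge 1000)) `
        "$CpuMHz MHz, minimum 1000 MHz"
    New-Finding 'Memory' (Get-Status ($RamGB -ge $minRamGB)) `
        ("{0:N1} GB, minimum {1} GB for {2}" -f $RamGB, $minRamGB, $Architecture)
    New-Finding 'Disk space' (Get-Status ($FreeDiskGB -ge $minDiskGB)) `
        ("{0:N1} GB free, minimum {1} GB for {2}" -f $FreeDiskGB, $minDiskGB, $Architecture)

    # Memory above 4 GB is a warning, not a blocker, on a 32-bit edition.
    if ($Architecture -eq 'x86' -and $RamGB -gt 4) {
        New-Finding 'Memory ceiling' 'Warn' '32-bit editions do not support more than 4 GB of RAM'
    }

    # Extra sockets do not block installation, but the edition will not use them.
    New-Finding 'Physical processors' (Get-Status ($PhysicalProcessors -le $maxSockets) 'Warn') `
        "$PhysicalProcessors installed, $Edition uses at most $maxSockets"

    # The graphics requirement is not checked here and has to be confirmed by hand.
    New-Finding 'Graphics' 'Manual' 'Confirm a DirectX 9 device with a WDDM 1.0 or higher driver'
}

# Constructed sample inventory: a two-socket workstation short on RAM and disk,
# evaluated as a target for 64-bit Home Premium.
Test-Win7Readiness -Architecture x64 -Edition HomePremium -CpuMHz 2400 `
    -PhysicalProcessors 2 -RamGB 1.5 -FreeDiskGB 18 | Format-Table -AutoSize

# Live inventory of the local computer (Windows PowerShell, which provides Get-WmiObject).
# Assumes Windows 7 will be installed to the volume currently mounted as C:.
$cpus = @(Get-WmiObject Win32_Processor)
$ram  = (Get-WmiObject Win32_PhysicalMemory | Measure-Object -Property Capacity -Sum).Sum / 1GB
$free = (Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='C:'").FreeSpace / 1GB
Test-Win7Readiness -Architecture x64 -Edition Professional -CpuMHz $cpus[0].MaxClockSpeed `
    -PhysicalProcessors $cpus.Count -RamGB $ram -FreeDiskGB $free | Format-Table -AutoSize
```

For the constructed sample, the memory and disk checks fail and the processor check is a warning, because Home Premium recognizes only one of the two physical processors.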

A single processor can have multiple cores with dual-core, quad-core, and 8-core processors common on desktop and mobile configurations. Windows 7 SP1 supports the following:

■ The 32-bit versions of Windows 7 can support up to 32 processor cores.
■ The 64-bit versions of Windows 7 Enterprise and Ultimate edition support up to 256 processor cores.

EXAM TIP  Understand the difference between processors and cores.

MORE INFO  To learn more about the hardware requirements of Windows 7, consult the following webpage: http://windows.microsoft.com/en-US/windows7/products/system-requirements.

Setting up as the sole operating system

You need to know what steps to take to perform a fresh installation of Windows 7 as the sole operating system on a computer.

True or False? You can install a bootable version of the Windows 7 operating system on a removable USB disk drive.

Answer: False. You can install Windows 7 on a local hard disk drive as long as there is enough space on the volume. You can’t install the Windows 7 operating system on a removable USB disk drive. To install Windows 7, you have several options:

■ Install Windows 7 on a computer that does not have an operating system installed.
■ Upgrade a previous version of Windows to Windows 7. This topic is covered later in the chapter.
■ Install Windows 7 in a multiboot configuration. This topic is also covered later in this chapter.

Installing Windows 7 on a computer that does not have an existing operating system requires some form of bootable media. You can use a DVD-ROM with the Windows 7 installation media installed, a specially prepared USB storage device, or a PXE boot to deploy Windows 7.

EXAM TIP  You can also use the WinPE environment in advanced deployment scenarios.

When setting up Windows 7 as the sole operating system on a computer that has no existing operating system, perform the following steps:

1. Power on the computer. The computer boots to the Install Windows screen. Click Next.
2. On the Please Read The License Terms page, review the license terms and choose I Accept The License Terms.
3. On the Which Type Of Installation Do You Want? page, click Custom. You use Custom for all installations except upgrades.

4. On the Where Do You Want To Install Windows? page, you can choose an existing partition that has unallocated space. You can also choose to partition and format a disk by clicking New or Drive Options (Advanced) if there is an existing partition scheme. If a computer has a special type of disk drive that is not recognized, you can click Load Driver to load the hard disk drive’s driver. This process is necessary only if the hard disk drive is not recognized by the installation routine. You don’t need to choose to format and partition the hard disk and can allow the Windows 7 installation routine to perform this task for you by choosing an existing partition with unallocated space as long as it meets the minimum size requirements. Once you have selected the location, installation begins.
5. The computer reboots, and you need to specify a user name and a computer name. The specified user name will be the default administrative account for the computer. You are asked to provide a password for this default administrative account and to provide a password hint.
6. With a traditional installation, you are given the option to provide a product key and to automatically activate Windows 7 when an Internet connection is detected. It is possible to click Skip to bypass entering the product key and activation.
7. You choose what update settings the computer will use. You learn more about updates in Chapter 7, “Monitoring and Maintaining Systems that Run Windows 7.”
8. You choose the time and date settings.
9. You choose the computer’s current network location. You learn more about network locations in Chapter 4, “Configuring Network Connectivity.”

EXAM TIP  Remember that if a computer has an existing operating system, you have the option of upgrading the existing installation or installing in a dual-boot configuration. Both these options are covered later in this chapter.

MORE INFO  To learn more about installing Windows 7 as the sole operating system on a computer, consult the following webpage: http://windows.microsoft.com/en-US/windows7/Installing-and-reinstalling-Windows-7.

True or False? Windows 7 Professional edition supports VHD boot.

Answer: False. Windows 7 Enterprise and Windows 7 Ultimate support native VHD boot. It is possible to install Windows 7 on a Virtual Hard Disk (VHD) file stored on an NTFS-formatted volume if the VHD is configured with an appropriate amount of free space. This type of deployment is known as native VHD boot. Native VHD boot involves configuring a VHD file as a boot volume and installing all the operating system volume files within the VHD, as opposed to on the formatted hard disk drive, which is the case with traditional single operating system deployments. You learn more about native VHD boot in Chapter 2, “Deploying Windows 7.”

MORE INFO  To learn more about VHD native boot, consult the following webpage: http://technet.microsoft.com/en-us/library/gg318048(WS.10).aspx.

Setting up as dual boot

You need to know the conditions under which you can configure Windows 7 to dual boot, also known as multiboot, with one or more operating systems.

True or False? You must choose the Custom installation type when installing Windows 7 in dual-boot configuration.

Answer: True. You usually configure Windows 7 to dual boot by installing Windows 7 on a separate partition (although it’s possible to use a single partition with VHD boot, an advanced scenario you learn about in Chapter 2). You can also install Windows 7 in dual-boot configuration by installing Windows 7 on a separate disk drive. In most cases, you do not boot from the installation media when configuring a dual-boot installation. To install Windows 7 in dual-boot configuration, perform the following general steps:

1. Ensure that the original operating system is completely backed up.
2. Insert the Windows 7 installation media. Setup either launches automatically or you can run setup.exe to trigger installation. On the Install Windows menu, click Install Now.
3. On the Get Important Updates For Installation page, choose to retrieve updates.
4. On the Please Read The License Terms page, accept the license terms.
5. On the What Type Of Installation Do You Want? page, choose Custom.
6. On the Where Do You Want To Install Windows? page, choose a partition or disk different from the one on which the original operating system is present.

True or False? You need to have more than one partition if you are going to dual boot Windows 7 Home Premium edition with Windows XP.

Answer: True. It is possible to configure a computer dual boot as long as you have enough free disk space to create an appropriately sized second partition or if such a partition already exists. An exception to this rule is when you are configuring multiboot with VHD files. You can configure Windows 7 to dual boot with another installation of Windows 7. When dual booting between installations of Windows 7, it doesn’t matter which Windows 7 edition or version you install first. When configuring Windows 7 to dual boot with Windows XP or Windows Vista, you must ensure that the older operating system is installed prior to the installation of Windows 7. You can’t use the built-in operating system tools to install Windows 7 first and then install Windows XP in a dual-boot configuration.

EXAM TIP  Unless a VHD boot is mentioned, dual boot means multiple partitions.

EXAM TIP  Remember that older versions of Windows must be installed before you install Windows 7.

MORE INFO  To learn more about booting Windows 7 in multiboot configurations, consult the following webpage: http://windows.microsoft.com/en-US/windows7/Install-more-than-one-operating-system-multiboot.

Installation methods

You need to know different ways to deploy the Windows 7 operating system when performing a clean installation.

True or False? You can install Windows 7 using a CD-ROM as an installation source.

Answer: False. You can’t directly install Windows 7 from CD-ROM as a single CD-ROM does not have the capacity to hold the Windows 7 installation files. You can boot from a CD-ROM that is configured with WinPE and then connect to an installation source. You can perform a fresh install of Windows 7 when one of the following locations is configured to host the Windows 7 installation files:

■■ DVD-ROM  This can be a DVD-ROM manufactured by Microsoft or a DVD-ROM that you create from a disk image file in ISO format. You can install Windows 7 from an ISO image if you are installing Windows 7 as a virtual machine hosted on Hyper-V, but this scenario is not directly addressed by the 70-680 exam.
■■ USB Installation Media  A specially prepared bootable USB disk that holds the Windows 7 installation files.
■■ Network Share  A network share can hold the Windows 7 installation files. You can connect to this network share when booted from Windows PE.
■■ PXE Boot  In this scenario you perform a PXE boot using a wired network card. You can’t PXE boot using a wireless network adapter. In PXE boot scenarios, the Windows 7 installation image is deployed from a machine running Windows Server 2008, Windows Server 2008 R2, Windows Server 2003 with Service Pack 2, or Windows Server 2003 R2 with Windows Deployment Services (WDS) installed. System Center Configuration Manager 2012 leverages WDS for operating system deployment.

You can also buy a copy of Windows 7 from Microsoft online and perform an installation after downloading an installer file to your computer, but this is an upgrade scenario addressed later in this chapter.

EXAM TIP  When considering the best deployment method, take into account the computer hardware.

Boot from the source of installation

You need to know which deployment methods allow you to boot from the installation media and which require you to be running an existing operating system.

True or False? You can install Windows 7 directly from an external USB CD-ROM drive.

Answer: False. You can perform a clean installation of Windows 7 by booting off the installation media and installing the operating system. You can install Windows 7 in the following ways using this technique:

■■ Boot from DVD-ROM  Requires the computer to have a DVD-ROM drive or an external DVD-ROM drive attached. The installation files are on the DVD, which can be a retail copy of Windows 7 or a DVD created from a Windows 7 ISO file. You can boot from an externally attached DVD-ROM drive that is connected from a USB port to install Windows 7. You can also boot from a DVD-ROM or CD-ROM that is configured as a WinPE disk, but you can’t perform a direct installation in this manner and have to make a remote connection to the installation files.
■■ Boot from USB flash drive  Requires the computer to have a USB port and an appropriate USB flash device prepared with the Windows 7 installation files. It is also possible to boot from a USB drive configured as a WinPE disk.
■■ PXE  Requires a PXE boot server to be present on the network. You must use a wired network connection to PXE boot a computer; it is not possible to PXE boot off a wireless network using Windows Deployment Services.

To boot from the installation source might require you to modify the computer’s BIOS. Not all computer BIOSs are configured to boot the computer off USBs, DVDs, or network adapters. You might need to restart your computer for the new BIOS settings to take effect.

EXAM TIP  A PXE boot requires a PXE-compliant network adapter.

MORE INFO  To learn more about booting Windows 7 from the installation media, consult the following document: http://windows.microsoft.com/en-US/windows7/Start-your-computer-from-a-Windows-7-installation-disc-or-USB-flash-drive.

Preparing the installation source: USB, CD, network share, WDS

You need to know what steps to take to prepare certain installation source types so that they can be used to deploy the Windows 7 operating system.

True or False? You can use third-party DVD-authoring software to burn Windows 7 installation images to DVD-ROM.

Answer: True. Windows 7 installation media is commercially available on DVD-ROM. This media requires no preparation and can be used immediately. If your organization has a volume licensing agreement with Microsoft or if you have an MSDN or TechNet subscription, you can obtain disk image files in ISO format that you can burn to DVD-ROM by using the Burn Disc Image option in Windows 7 and Windows Server 2008 R2 or a third-party DVD-authoring utility. Even though the objective mentions CD, you can’t directly install Windows 7 using CD-ROMs—only DVD-ROMs.

EXAM TIP  You can also use custom images with DVD-ROM, though these are usually deployed using other methods.

True or False? When preparing a USB storage device to function as Windows 7 installation media, you format it using the NTFS file system.

Answer: False. A USB storage device needs to be approximately 4 GB in size or larger to function as installation media for Windows 7. Preparing the USB storage device will wipe all data from that device. To prepare a USB storage device to function as Windows 7 installation media, perform the following steps:

1. Connect a USB storage device to a computer running Windows 7, Windows Vista, Windows Server 2008, or Windows Server 2008 R2.
2. Open an elevated command prompt and type diskpart.
3. At the DISKPART> prompt, type list disk. Identify the number that represents the USB storage device. Type select disk X to select this storage device (X is the device number).
4. Type the following commands:
   clean
   create partition primary
   format fs=fat32 quick
   active
   exit
5. Copy all the files located on the Windows 7 installation media across to the USB storage device.

True or False? You must boot using a WinPE disk or USB storage device to perform a clean installation of Windows 7 on a computer that does not have an existing operating system.

Answer: True. Preparing a network share to host the installation files is a matter of copying the contents of the Windows 7 installation media to a share that will be accessible to the computers on which you want to install Windows 7. If you are performing a clean installation, you boot using a WinPE disk or USB storage device and then map a network drive. The account that you use to map the network drive must have read access to the shared folder that hosts the Windows 7 installation files. If you are upgrading a computer to Windows 7 or configuring a multiboot deployment, you access this network location from within Windows.

EXAM TIP  Remember when you need to use a WinPE disk or USB storage device. The installation media includes the Win PE environment.

True or False? You can install the WDS role on computers running Windows 7 Enterprise edition.

Answer: False. WDS is a role that you can install on computers running the Windows Server 2008, Windows Server 2008 R2, Windows Server 2003 Service Pack 2, and Windows Server 2003 R2 operating systems. You can configure WDS to deploy Windows 7 through PXE boot. This requires that the computer has a PXE-capable network adapter that can connect to a wired network. If the computer’s wired network adapter is not PXE-compliant, it might be possible to boot off of a WDS discover image, a special form of bootable image that contains extra network drivers and allows for the detection of WDS servers. An advantage of using WDS on Windows Server 2008 and Windows Server 2008 R2 to deploy Windows 7 is that it uses multicast transmissions to deploy the operating system, meaning that one WDS server can be used to simultaneously deploy many copies of Windows 7. To prepare the WDS server, you must install the WDS role and then populate the WDS server with Windows image files. Windows image files are stored in .WIM format. The Windows 7 installation media contains the file install.wim. You can use this file with WDS to deploy Windows 7. You learn more about managing .WIM files in Chapter 2.

EXAM TIP  Remember that to use WDS you need to be able to perform a PXE boot or boot off a discover image.

MORE INFO  To learn more about WDS, consult the following webpage: http://technet.microsoft.com/en-us/library/dd744343(WS.10).aspx.

Can you answer these questions?

You can find the answers to these questions at the end of the chapter.

1. What is the maximum number of physical processors supported by Windows 7 Enterprise (x64)?
2. What steps must you take to prepare a computer running Windows XP so it can be configured to dual boot with the Windows 7 operating system?
3. You have placed the Windows 7 installation files on a network share. You want to boot a computer that doesn’t have an existing operating system and use the files on the network share to install Windows 7. What method should you use to boot the computer?
4. In what format are the Windows image files that you use to populate WDS with Windows 7 installation images?

Objective 1.2: Upgrade to Windows 7 from previous versions of Windows

This objective requires you to demonstrate that you know the conditions under which it is possible to upgrade from Windows Vista to Windows 7, from Windows XP to Windows 7, and when it is possible to upgrade one edition of Windows 7 to another edition.

Exam need to know

■■ Upgrading from Windows Vista
   For example: How to know which versions of Windows 7 you can upgrade to on a computer running the x86 version of Windows Vista Business edition.
■■ Migrating from Windows XP
   For example: How to know which steps to take to migrate from Windows XP to Windows 7.
■■ Upgrading from one edition of Windows 7 to another edition of Windows 7
   For example: How to know how to use Windows Anytime Upgrade to upgrade from one edition of Windows 7 to another.

Upgrading from Windows Vista

You need to know the conditions under which you can upgrade a computer running Windows Vista to Windows 7.

True or False? You can upgrade from Windows Vista Business (x64) to Windows 7 Enterprise (x64).

Answer: True. It is only possible to perform upgrades from specific editions of Windows Vista to specific editions of Windows 7. You can upgrade Windows Vista to Windows 7 under the following conditions:

■■ You can only upgrade to a version of Windows 7 that has the same processor. You can upgrade from an x86 version of Windows Vista to an x86 version of Windows 7 and from an x64 version of Windows Vista to an x64 version of Windows 7. You can’t upgrade from an x86 version of Windows Vista to an x64 version of Windows 7 or from an x64 version of Windows Vista to an x86 version of Windows 7.
■■ You can’t upgrade from one language version to another (for example, from a Russian version of Windows Vista to an English version of Windows 7).
■■ You can upgrade from Windows Vista Home Basic to the Home Basic, Home Premium, and Ultimate editions of Windows 7.
■■ You can upgrade from Windows Vista Home Premium to the Home Premium and Ultimate editions of Windows 7.
■■ You can upgrade from Windows Vista Business to the Professional, Enterprise, and Ultimate editions of Windows 7.
■■ You can upgrade from Windows Vista Enterprise to the Enterprise edition of Windows 7.
■■ You can upgrade from Windows Vista Ultimate to the Ultimate edition of Windows 7.

EXAM TIP  Remember to not only keep track of edition but also architecture when answering upgrade questions.

MORE INFO  To learn more about supported upgrade paths, consult the following TechNet document: http://technet.microsoft.com/en-us/library/dd772579(WS.10).aspx.

True or False? Upgrading from Windows Vista to Windows 7 will retain applications and data.

Answer: True. Upgrading from Windows Vista to Windows 7 has the benefit of retaining applications and data without having to perform a complex migration process using a tool such as the User State Migration Tool (USMT). Prior to upgrading, ensure that the following conditions are met:

■■ You have upgraded Windows Vista to Service Pack 1 or later.
■■ The volume on which Windows Vista is installed has at least 10 GB of free disk space.

You need to be a member of the local Administrators group on the computer running Windows Vista to successfully perform an upgrade. Prior to starting the upgrade, you should run the Windows 7 Upgrade Advisor. This is an application you can download from Microsoft’s website that can check to determine whether there are any known compatibility issues with applications or hardware. A similar check is performed when you run the actual upgrade to Windows 7.

EXAM TIP  Remember that Windows Vista needs at least Service Pack 1 to be upgraded to Windows 7.

MORE INFO  To learn more about the Windows 7 Upgrade Advisor, consult the following document: http://windows.microsoft.com/en-US/windows/downloads/upgradeadvisor.

True or False? You choose Custom on the What Type Of Installation Do You Want? page when upgrading a computer from Windows Vista to Windows 7.

Answer: False. You launch an upgrade to Windows 7 from Windows Vista by running setup.exe from the location in which the installation files are present. Inserting the DVD installation media into the DVD-ROM drive or connecting the USB installation media will also launch a screen from which you can begin the upgrade. When performing an upgrade to Windows 7, ensure that you choose the Upgrade installation option rather than the Custom installation option. You choose the Custom installation option only in dual-boot scenarios. You can roll back a failed upgrade at any point in the process up until you perform a successful logon to the Windows 7 operating system.

MORE INFO  To learn more about Windows 7 upgrade paths, consult the following webpage: http://technet.microsoft.com/en-us/library/dd772579(WS.10).aspx.

Migrating from Windows XP

You need to know which steps to take to configure a computer running Windows XP so that Windows 7 is the sole operating system.

True or False? You can directly upgrade a computer running Windows XP to Windows 7.

Answer: False. It is not possible to upgrade directly from Windows XP to Windows 7. You can perform a migration in which you replace the Windows XP operating system with the Windows 7 operating system. If you have an extra disk or can create a separate partition with an appropriate amount of disk space, you can configure the computer to dual boot.

EXAM TIP  You can upgrade directly from Windows XP to Windows Vista and then from Windows Vista to Windows 7.

True or False? You choose Upgrade on the What Type Of Installation Do You Want? page when migrating a computer from Windows XP to Windows 7.

Answer: False. Use the Windows 7 Upgrade Advisor to determine whether existing devices and applications will function with Windows 7. Prior to beginning the migration process, make a complete backup of the computer running Windows XP. Use Windows Easy Transfer to save important files and settings if performing a small number of migrations. Use the USMT if you need to perform a large number of migrations. You’ll learn more about migrating data later in this chapter. Even though you’ll be installing a separate operating system, the migration process assumes that you will be reinstalling the same applications that were running on the computer running Windows XP on the computer running Windows 7.

To transition a computer running Windows XP as its sole operating system to Windows 7 as its sole operating system, perform the following steps:

1. If you are migrating to an x86 version of Windows 7, log on to Windows XP with an account that has local administrative rights and perform one of the following steps:
   ■■ If you have purchased Windows 7 from Microsoft’s online store and downloaded the installation file, double-click that file to trigger Windows 7 Setup.
   ■■ If you have a Windows 7 installation DVD-ROM, place it in the DVD-ROM drive. This should trigger Windows 7 Setup. If it does not, open setup.exe directly from the device.
   ■■ If you have a specially prepared USB storage device that hosts the Windows 7 installation files, connect this device to the computer. This should trigger Windows 7 Setup. If it does not, open setup.exe directly from the device.
   If you want to install the x64 version of Windows 7, boot from the installation media and then follow steps 2 to 7.
2. On the Install Windows page, click Install Now.
3. Proceed through the Get Important Updates For Installation page and the Please Read The License Terms page.
4. On the Which Type Of Installation Do You Want? page, choose Custom.
5. Choose the disk partition that hosts the Windows XP installation.
6. In the Windows.old dialog box, click OK.
7. Continue the installation as normal.

MORE INFO  To learn more about migrating from Windows XP to Windows 7, consult the following webpage: http://windows.microsoft.com/en-US/windows7/help/upgrading-from-windows-xp-to-windows-7.

EXAM TIP  Remember that you can’t directly upgrade from Windows XP to Windows 7.

Upgrading from one edition of Windows 7 to another edition of Windows 7

You need to know the possible upgrade paths available using Windows Anytime Upgrade.

True or False? You can use Windows Anytime Upgrade to upgrade from Windows 7 Professional to Windows 7 Enterprise.

Answer: False. You can use Windows Anytime Upgrade to upgrade from certain editions of Windows 7 to editions with more features. Windows Anytime Upgrade involves running the application and entering the new edition’s license key if you have one available or going online to purchase a key. You can use Windows Anytime Upgrade to perform the following edition upgrades:

■■ Windows 7 Home Basic to Home Premium, Professional, and Ultimate editions
■■ Windows 7 Home Premium to Professional and Ultimate editions
■■ Windows 7 Professional to Ultimate editions
■■ Starter to Home Premium, Professional, and Ultimate editions

You can’t use Windows Anytime Upgrade to do the following:

■■ Upgrade from an x86 edition to an x64 edition.
■■ Upgrade from an x64 edition to an x86 edition.
■■ Upgrade to or from Windows 7 Enterprise.

EXAM TIP  Remember which editions of Windows 7 it is possible to upgrade to and from using Windows Anytime Upgrade.

MORE INFO  To learn more about Windows 7 upgrade paths, consult the following webpage: http://technet.microsoft.com/en-us/library/dd772579(WS.10).aspx.

Can you answer these questions?

You can find the answers to these questions at the end of the chapter.

1. You want to upgrade your organization’s computers from Windows Vista to Windows 7. What prerequisites should the computers running Windows Vista meet before you attempt the upgrade?
2. Your organization has Windows Vista Enterprise (x64) deployed. To which versions and editions of Windows 7 can you upgrade?
3. You have a computer running the x64 version of Windows 7 Home Premium. Which editions of Windows 7 can you upgrade to using Windows Anytime Upgrade?
4. Which tool should you use to determine whether any hardware or applications installed on a computer running Windows Vista have compatibility problems with Windows 7?

Objective 1.3: Migrate user profiles

This objective requires you to demonstrate that you know which tools to use to migrate user profile data from one computer to another, from a previous version of Windows to Windows 7, and the situations in which you would perform a side-by-side versus wipe-and-load migration.

Exam need to know

■■ Side-by-side vs. wipe and load
   For example: How to determine when it is appropriate to use a side-by-side or wipe-and-load migration.
■■ Migrating from one machine to another
   For example: How to migrate from Windows 7 on one computer to Windows 7 on another.
■■ Migrating from previous versions of Windows
   For example: How to migrate profile data from Windows XP to Windows 7.

Side-by-side vs. wipe and load

You need to know the difference between these two migration types, and what factors dictate that you use one migration type over another.

True or False? A side-by-side migration is appropriate if your organization’s computers had 512 MB of RAM and 10 GB hard disk drives and could not be upgraded.

Answer: True. A side-by-side migration involves shifting user profile data from one computer to another computer. You use side-by-side migrations in desktop replacement scenarios. Desktop replacement scenarios are common when an organization is transitioning to Windows 7 and its current hardware does not support the operating system. When replacing a user’s computer and the original computer has profile data locally stored, you need to perform a side-by-side migration. Side-by-side migrations can use removable storage or a network location to host exported profile data.

EXAM TIP  When considering whether desktop replacement is necessary, look at the hardware specifications listed in the question.

True or False? A wipe-and-load migration is appropriate in your organization if you currently have desktop computers that have the 64-bit version of Windows XP installed, 100 GB of free space on the hard disk drives, and 8 GB of RAM.

Answer: True. A wipe-and-load migration involves removing the current operating system and replacing it with Windows 7. Wipe-and-load migrations are suitable when your organization’s computers can run Windows 7 on current hardware. Wipe-and-load migrations require that you have a location to store profile data, either on an external drive, a network location, or using a hard-link migration. Wipe-and-load migrations can use removable storage, a network share, or a locally fixed disk if a hard-link migration store is used with USMT. You might choose to perform a wipe-and-load migration rather than an upgrade when Windows Vista is the original operating system if you want to migrate from an x86 version of Windows Vista to an x64 version of Windows 7.

MORE INFO  To learn more about Windows 7 upgrade and migration, consult the following webpage: http://technet.microsoft.com/en-us/library/dd446674(WS.10).aspx.

Migrating from one machine to another

You need to know how to perform a side-by-side migration and can choose the appropriate tool to perform this migration given a specific set of conditions.

True or False? You can use Windows Easy Transfer to migrate data from computers running Windows XP (x64) to Windows 7 (x64).

Answer: True. Windows Easy Transfer is a tool included with Windows 7. You can download Windows Easy Transfer for computers running the 32-bit or 64-bit versions of Windows XP and Windows Vista. You can use Windows Easy Transfer to transfer local user accounts, documents, music, pictures, email, bookmarks, and digital certificates from the source computer to the destination computer. You use Windows Easy Transfer on the source computer in a side-by-side migration to collect all migrated data. You use Windows Easy Transfer on the destination computer to restore that data. When using Windows Easy Transfer for side-by-side migration, you can leverage the following methods of transferring profile data:

■■ Easy Transfer Cable  A special cable that has USB connectors. Connect one end to the source computer, and the other end to the destination. Both computers are powered on during migration.
■■ Network  You run Windows Easy Transfer on both computers connected to the same LAN. Profile data is transferred across the network from one computer to the other.
■■ External Hard Disk or USB Flash Drive  You can also specify an internal hard disk drive or a network location with this method. Migration data is stored in the specified location, and you import it using Windows Easy Transfer on the destination computer. This is the only Windows Easy Transfer method that you can use to perform a wipe-and-load migration.

You can’t use Windows Easy Transfer to transfer files from a 64-bit version of Windows to a 32-bit version of Windows.

MORE INFO  To learn more about Windows Easy Transfer, consult the following TechNet document: http://windows.microsoft.com/en-us/windows7/Transfer-files-and-settings-from-another-computer.

True or False? When using USMT in side-by-side migrations, you run the ScanState tool on the destination computer.

Answer: False. USMT allows you to automate the process of migrating user profile data from one computer to another. USMT consists of two tools: ScanState and LoadState. ScanState is run on the source computer, and LoadState is run on the destination computer. USMT uses migration rules, stored in XML format, to specify which of the following are migrated:

■■ User accounts
■■ User files
■■ Operating-system settings
■■ Application settings

You can use USMT with WDS and System Center Configuration Manager 2012 to fully automate the process of migrating user profiles. USMT 4.0 ships with the following sample scripts:

■■ MigApp.XML  Contains sample rules to migrate application settings.
■■ MigDocs.XML  Used with the MigXMLHelper.GenerateDocPatterns helper function. User documents can be automatically located without the necessity of authoring complex migration .XML files. The properties of this sample script are covered in more detail later in the chapter.
■■ MigUser.XML  Sample rules that gather everything in a user’s profile and scan local fixed drives for files with commonly used extensions.

MORE INFO  To learn more about USMT and the items it can migrate, consult the following webpage: http://technet.microsoft.com/en-us/library/dd560792(WS.10).aspx.

True or False? You can use the hard-link migration store when migrating profile data from one machine to another.

Answer: False. When using USMT to transfer data from one computer to another, you create a migration store that stores the migrated data. You can use a network share or a locally attached storage device when using USMT. You can’t use the hard-link migration store when migrating from one computer to another. The hard-link migration store stores data on a fixed hard drive in wipe-and-load migrations.

EXAM TIP  If you have a choice of migration stores, determine why one of the choices is inappropriate given the scenario.

True or False? You must have local administrator privileges on the source computer to run the ScanState tool.

Answer: True. You must run the ScanState tool on the source computer using local administrator privileges. If you boot the source computer using the WinPE environment, you have local administrator access to the source computer. To use ScanState with the migdocs.xml and migapp.xml files to create a migration store on the file server \\migration\mystore using a detailed log file named scan.log, run the following command:

Scanstate.exe \\migration\mystore /i:migdocs.xml /i:migapp.xml /v:13 /l:scan.log

To use a hard-link migration store named c:\HD-LINK, use the following command:

Scanstate.exe /hardlink /nocompress c:\HD-LINK /i:migdocs.xml /i:migapp.xml /v:13 /l:scan.log

EXAM TIP  Hard-link migration stores are the most efficient way of using disk space.

By default, the ScanState tool will create a compressed migration store. If you are using a network share or if you are concerned about the security of the migration store, you can encrypt the migration store data using the /encrypt /key:"mykey" switch with the ScanState tool. When using the encryption option, you must use the /decrypt /key:"mykey" options with the LoadState tool. A migration report provides you with information about what USMT will migrate prior to performing the actual migration. For example, to create a migration report, named genMig.xml, in the c:\Migration folder, use this command:

Scanstate.exe /genmigxml:"C:\Migration\genMig.xml"

MORE INFO  To learn more about scanstate.exe, consult the following TechNet document: http://technet.microsoft.com/en-us/library/dd560781(WS.10).aspx.

True or False? You should install all applications that you exported data from on the source computer on the destination computer prior to running the LoadState tool.

Answer: True. You use LoadState to restore data exported using the ScanState tool. You run the LoadState with local administrator permissions on the destination computer. For example, to restore all data from the \\migration\mystore network store when you used the migapp.xml and miguser.xml configuration files, execute the following command:

loadstate \\migration\mystore /i:migapp.xml /i:miguser.xml

MORE INFO  To learn more about loadstate.exe, consult the following TechNet document: http://technet.microsoft.com/en-us/library/dd560804(WS.10).aspx.
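The encrypted network-store case described above, as an added example that is not from the book: a PowerShell wrapper that runs ScanState with /encrypt on the source computer and LoadState with /decrypt on the destination, passing the same rule files to both. The USMT folder (C:\USMT\amd64), the log names and the key-format rule are assumptions of this example.

```powershell
# Added example, not from the book: encrypted USMT capture and matching restore.
# Assumptions: USMT 4.0 is unpacked in $UsmtDir (hypothetical path) together with
# the sample migdocs.xml and migapp.xml; the log names are chosen for this example.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Capture', 'Restore')]
    [string]$Mode,
    [string]$UsmtDir   = 'C:\USMT\amd64',        # hypothetical install location
    [string]$StorePath = '\\migration\mystore'   # store path used in the text above
)

# ScanState and LoadState both need local administrator rights.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated prompt.'
}

# Prompt for the key so it is not saved in the script or in command history.
$secure = Read-Host -Prompt 'Migration store key' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $key = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

# Keep argument quoting simple: refuse keys that would need escaping.
# The 8-character minimum is this example's own rule, not a USMT requirement.
if ($key -notmatch '^[^\s"]{8,}$') {
    throw 'Use a key of at least 8 characters with no spaces or double quotes.'
}

# LoadState is given the same rule files that ScanState used; only the tool
# and the /encrypt or /decrypt switch differ between the two runs.
$rules = '/i:migdocs.xml', '/i:migapp.xml'
if ($Mode -eq 'Capture') {
    $tool     = 'scanstate.exe'
    $toolArgs = @($StorePath) + $rules + @('/encrypt', "/key:$key", '/v:13', '/l:scan.log')
} else {
    $tool     = 'loadstate.exe'
    $toolArgs = @($StorePath) + $rules + @('/decrypt', "/key:$key", '/v:13', '/l:load.log')
}

Push-Location $UsmtDir   # rule files and logs are resolved relative to this folder
try {
    & (Join-Path $UsmtDir $tool) @toolArgs
    $exit = $LASTEXITCODE
} finally {
    Pop-Location
    $key = $null
}

if ($exit -ne 0) {
    throw "$tool failed with exit code $exit; check the log in $UsmtDir."
}
"$Mode finished for store $StorePath"
```

The key is still passed on the tool's command line while it runs, so run the capture and restore from a session that only the migrating administrator can inspect.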

True or False? You can boot into the WinPE environment and use ScanState to capture profile data without booting into the original operating system.

Answer: True. Offline migration allows you to use the ScanState component of USMT when booted from the WinPE environment to gather settings and files from a Windows XP, Windows Vista, or Windows 7 installation. You must use ScanState with the /offline option to extract data when not booted in to the source operating system. You can also use offline migration to gather files and settings from the Windows.old directory created during an upgrade from a previous version of Windows if you are booted into Windows 7.

EXAM TIP  Spend time investigating and remembering the ScanState and LoadState syntax.

MORE INFO  To learn more about offline migration, consult the following webpage: http://technet.microsoft.com/en-us/library/dd560758(WS.10).aspx.

Migrating from previous versions of Windows

You need to know what steps to take when migrating from Windows XP or Windows Vista to Windows 7.

True or False? You can use a hard-link migration store with Windows Easy Transfer.

Answer: False. You can’t use hard-link migration stores with Windows Easy Transfer. You should consider the following strategies when migrating data from previous versions of Windows to Windows 7:

■■ If you need to perform a side-by-side migration of a small number of computers, you should consider Windows Easy Transfer when both computers are connected to the same LAN.
■■ You should use Windows Easy Transfer and an external hard disk drive or network location if you need to perform a wipe-and-load migration of a small number of computers.
■■ You should use USMT when performing side-by-side or wipe-and-load migrations of large numbers of computers because you can automate the migration process.
■■ You should use hard-link migration store in wipe-and-load scenarios when you want to minimize the amount of storage used to host migrated data. If possible, perform a hard-link migration using the following Step-By-Step guide: http://technet.microsoft.com/en-us/library/dd883247(WS.10).aspx.
■■ You should use ScanState to encrypt migrated data when stored on accessible network locations.

MORE INFO  To learn more about migrating from previous versions of Windows, consult the following TechNet document: http://technet.microsoft.com/en-us/library/dd446674(WS.10).aspx

Can you answer these questions?

You can find the answers to these questions at the end of the chapter.

1. What three methods can you use to migrate profile data using Windows Easy Transfer?
2. You need to migrate local user profile data from two computers running Windows Vista to two new computers running Windows 7. You don’t have local administrator access on the computers running Windows Vista. What steps can you take to accomplish this task?
3. You have 50 computers that have Windows Vista Enterprise (x86) installed, on which you want to deploy Windows 7 Enterprise (x64). You do not want to use removable storage or a network folder to store migration data. What migration store option should you choose?
4. You have five computers running Windows XP Professional (x64) that you want to replace with Netbook computers running Windows 7 Professional (x86). Which tools can you use to migrate profile data with a minimum of effort?

Answers

This section contains the answers to the “Can you answer these questions?” sections in this chapter.

Objective 1.1: Perform a clean installation

1. Windows 7 Enterprise edition supports a maximum of two physical processors.
2. You need to create a partition or add an extra disk that has enough space to host the Windows 7 operating system. You need to run setup from within Windows rather than running it when booted off the Windows installation media.
3. You need to boot off a WinPE disk, which includes the Windows 7 installation media, or a USB storage device. You then can make a connection to the network share and can then install Windows 7.
4. Images are in .WIM format.

Objective 1.2: Upgrade to Windows 7 from previous versions of Windows

1. You should ensure that the computers running Windows Vista have at least Windows Vista Service Pack 1 installed and have at least 10 GB of free space on the operating system volume.
2. You can only upgrade from Windows Vista Enterprise (x64) to Windows 7 Enterprise (x64).
3. You can use Windows Anytime Upgrade to upgrade to the x64 versions of Professional and Ultimate.
4. You can use the Windows 7 Upgrade Advisor to determine whether there are known hardware-, driver-, or application-compatibility issues.

Objective 1.3: Migrate user profiles

1. You can use the Windows Easy Transfer Cable, Network, or External Hard Disk/USB Flash Drive method of transferring profile data using Windows Easy Transfer.
2. Boot using WinPE and use ScanState to perform an offline migration.
3. You should use a hard-link migration store with USMT to support this migration.
4. You can use USMT to migrate profile data. You can’t use Windows Easy Transfer to transfer profile data from a 64-bit version of Windows to a 32-bit version of Windows.

Chapter 2
Deploying Windows 7
Approximately 13 percent of the 70-680 exam focuses on the topic of deploying Microsoft Windows 7. That means that you need to have a good grasp of how to capture a Windows 7 system image, prepare a Windows 7 system image for deployment, and actually deploy the image to computers. This topic also involves deploying and managing Virtual Hard Disks (VHDs) as a system image replacement.
This chapter covers the following objectives:
■■ Objective 2.1: Capture a system image
■■ Objective 2.2: Prepare a system image for deployment
■■ Objective 2.3: Deploy a system image
■■ Objective 2.4: Configure a VHD

Objective 2.1: Capture a system image
This objective requires you to demonstrate that you know what steps you need to take and what tools you need to have available to capture a Windows 7 operating system image in Windows Imaging (WIM) format. You also need to know how to extend that knowledge to being able to automate the process of image capture by configuring automated image capture with WDS.

Exam need to know
■■ Preparing system for capture
For example: How to use sysprep.exe to prepare an image.
■■ Manual capture
For example: What steps should you take and what tools are required for image capture?
■■ Creating a WIM file
For example: How to create a WIM file by performing a system image capture.
■■ Automated capture
For example: How to configure WDS to automate image capture.

Preparing system for capture
You need to know what utilities to use to ready a Windows 7 deployment for capture.
True or False? You use Sysprep with the /audit option if you need to perform additional image customization before image capture.
Answer: True. Preparing a Windows 7 image for capture involves deploying Windows 7, installing all necessary applications, drivers, and updates on the computer, and then running sysprep.exe. You can use sysprep.exe to do the following:
■■ Remove system-specific information from Windows  Sysprep.exe can remove all deployment-specific information from a Windows image including the computer security identifier (SID) and computer name. You accomplish this by using sysprep.exe with the /generalize option.
■■ Configure Windows to boot to Audit mode  With Audit mode, you can install third-party device drivers and applications. You can also check the computer’s functionality before you perform image capture. You accomplish this by using sysprep.exe with the /audit option. You can’t use settings chosen in the Out-Of-Box-Experience (OOBE) Wizard to be applied.
■■ Configure Windows to boot to Out-Of-Box-Experience (OOBE)  Windows boots to the Windows Welcome the next time the computer restarts. You accomplish this using sysprep.exe with the /oobe option.
■■ Reset Windows Product Activation  Sysprep can reset Windows Product Activation up to three times. You can bypass resetting activation using the SkipRearm setting. Microsoft recommends that you use the SkipRearm setting if you need to run sysprep.exe multiple times on a computer.
You cannot use the /oobe and /audit options together.
EXAM TIP  Remember the difference between OOBE and Audit mode.
To configure a computer to remove all system-specific information, to shut down, and to start in OOBE mode when next booted, use the following command:
Sysprep.exe /oobe /generalize /shutdown

MORE INFO To learn more about sysprep.exe, consult the following webpage: http://technet.microsoft.com/en-us/library/dd799240(WS.10).aspx.

Manual capture
You need to know what steps are involved in manually capturing a reference deployment of Windows 7 as a system image.
True or False? You boot into the Windows Recovery Environment (WinRE) to perform manual image capture.

Answer: False. Manual capture involves manually booting the reference computer into the Windows Preinstallation Environment (WinPE), in which the Windows AIK tool ImageX.exe is available. You do this by performing the following steps:
1. Boot the computer off a specially prepared WinPE image that includes the ImageX.exe tool.
2. Use the ImageX.exe tool to capture the image.
You can configure a bootable USB storage device with WinPE and also use it to store the captured WIM image. With WinPE, you can access network resources, so once you complete the capture of the operating system image, you can copy that image to an available network location.

MORE INFO To learn more about manual image capture, consult the following webpage: http://technet.microsoft.com/en-us/library/dd349348(WS.10).aspx#BKMK_4.

Creating a WIM file
You need to know what tools to use to create a WIM file of a Windows 7 reference deployment.
True or False? After booting into WinPE, you use dism.exe to capture the Windows 7 reference deployment to a WIM file.
Answer: False. You use ImageX.exe to capture an installation to WIM format. ImageX.exe is a component of the Windows Automated Installation Kit (AIK). For example, if you want to capture an image named d:\win7.wim of volume C: of the reference computer in which ImageX.exe is located at the root of D: on the WinPE volume, use this command:
D:\imagex.exe /capture C: d:\win7.wim "Win7 Deployment" /compress fast /verify

MORE INFO To learn more about capturing images using ImageX, consult the following webpage: http://technet.microsoft.com/en-us/library/dd744298(WS.10).aspx.

Automated capture
You need to know how to configure WDS to automate the capture process.
True or False? You configure the file WDSCapture.inf to automate the WDS’s Image Capture Wizard.
Answer: True. Automatic image capture uses an answer file named WDSCapture.inf to automate the Image Capture Wizard in WDS. When automated capture is configured correctly, you can PXE boot a reference computer and have the image capture perform automatically. To automate the Image Capture Wizard, perform the following steps:

1. Create a capture image. This is usually the boot.wim file from the Windows Server 2008 R2 product DVD.
2. Create a WDSCapture.inf file. This file is a text file that contains information about which volumes should be captured, image names, destination locations, and whether the captured image should be uploaded to the WDS server or copied to a network share.
3. Modify the boot image using dism.exe so that the WDSCapture.inf file that you created is stored as the Windows\System32\wdscapture.inf
4. Add this capture image to the WDS server.

MORE INFO To learn more about automating the capture process, consult the following webpage: http://technet.microsoft.com/en-us/library/cc771321(WS.10).aspx.

Can you answer these questions?
You can find the answers to these questions at the end of the chapter.
1. Which sysprep.exe option would you use so that you can add additional third-party drivers and applications?
2. Which utility do you use to capture a reference deployment as a WIM file?
3. What environment should you boot into when performing a manual image capture?
4. Which file should you configure and add to a capture image to automate the WDS Image Capture Wizard?

Objective 2.2: Prepare a system image for deployment
This objective requires you to demonstrate that you know how to add an application to a system image, add a device driver to a system image, include important software updates into a system image, and automate important post-installation tasks.

Exam need to know
■■ Inserting an application into a system image
For example: How to use Deployment Image Servicing and Management (DISM) to inject an application into an image.
■■ Inserting a driver into a system image
For example: How to add new device drivers to an offline image using DISM.
■■ Inserting an update into a system image
For example: How to add software updates to an offline image using DISM.
■■ Configuring tasks to run after deployment
For example: How to configure Windows 7 to automatically join a domain after image deployment.

Inserting an application into a system image
You need to know how to add an application to an existing WIM image.
True or False? You must mount a WIM image before you make modifications such as adding packages and drivers.
Answer: True. Before you can modify a WIM image using dism.exe, you need to copy the WIM file to a file system that allows you to make changes and then mount the image using the /Mount-Wim option. For example, to mount the fourth image index of the WIM image c:\images\win7.wim in the c:\mount directory, use this command:
Dism.exe /mount-wim /wimfile:c:\images\win7.wim /index:4 /mountdir:c:\mount

When you have completed image modification, you must commit the changes. If you dismount the image without committing changes, the changes you made are lost. To commit current changes and dismount the image that you mounted in the c:\mount directory, use the following command:
Dism.exe /unmount-wim /MountDir:c:\mount /commit

To discard any changes that you made to the WIM image, use the following command:
Dism.exe /unmount-wim /MountDir:c:\mount /discard

MORE INFO To learn more about using DISM to mount, commit, and unmount images, consult the following TechNet document: http://technet.microsoft.com/en-us/library/dd744382(WS.10).aspx.

True or False? You use DISM to insert an application into a system image.
Answer: True. Once the WIM image is mounted, you add packages using Dism.exe with the /Add-Package option. You can use Dism.exe to add and remove packages from a mounted WIM image. You can use Dism.exe to add a single package in .cab format, a folder containing an expanded .cab file, or a folder containing multiple .cab files. For example, to add the package application.cab stored in the c:\packages directory to the mounted image c:\mount, use the following command:
Dism.exe /image:c:\mount /Add-Package /PackagePath:C:\packages\application.cab

To verify which packages have been added to the image, use the /Get-Packages option. For example, to check which packages have been installed on the mounted image c:\mount, use the following command:
Dism.exe /image:c:\mount /Get-Packages

You can remove packages using the /Remove-Package option, either by specifying the package name, which you can determine by using the /Get-Packages option, or by specifying the original package location. For example, to remove the package c:\packages\application.cab use the following command:
Dism.exe /image:c:\mount /Remove-Package /PackagePath:c:\packages\application.cab

MORE INFO To learn more about adding applications to images, consult the following webpage: http://technet.microsoft.com/en-us/library/dd744311(WS.10).aspx.

Inserting a driver into a system image
You need to know what steps you need to take to add a device driver to a mounted WIM image.
True or False? You can use Dism.exe to recursively add all drivers in a particular folder to a mounted WIM image.
Answer: True. You can use the Dism.exe utility to add individual drivers in .inf format or all drivers in a specific folder and its subfolders recursively to a mounted WIM image. For example, to add all drivers under the c:\drivers folder recursively to the WIM image mounted in folder c:\mount, use the following command:
Dism.exe /image:c:\mount /Add-Driver /driver:c:\drivers /recurse

You can use the /ForceUnsigned option with the /Add-Driver option to force the installation of unsigned drivers to computers running the x64 version of the Windows 7 operating system. For example, to add the driver c:\drivers\unsigned.inf to the image mounted in the c:\mount folder, use this command:
Dism.exe /image:c:\mount /Add-Driver /driver:c:\drivers\unsigned.inf /ForceUnsigned

To verify that the driver has been added to the mounted image, run this command:
Dism.exe /image:c:\mount /Get-Drivers

You can remove drivers using the /Remove-Driver option, but you must specify each driver that you want to remove. For example, to remove the driver graphicscard.inf from the WIM image mounted in the c:\mount folder, use the following command:
Dism.exe /image:c:\mount /Remove-Driver /driver:graphicscard.inf

You can’t remove default drivers from an image using Dism.exe.

MORE INFO To learn more about inserting drivers into images, consult the following webpage: http://technet.microsoft.com/en-us/library/dd799258(WS.10).aspx.

EXAM TIP  Remember that drivers must be in .inf format for you to be able to inject them into images using Dism.exe.

Inserting an update into a system image
You need to know what tools to use to insert a software update into a mounted system image using Dism.exe.
True or False? You can insert updates that are in .msu format into mounted WIM images using the Dism.exe tool.
Answer: True. You can use the /Add-Package option to the Dism.exe utility to add updates in .msu format to a mounted WIM image. For example, to add the update c:\updates\kb12345.msu to the WIM image mounted in folder c:\mount, use the following command:
Dism.exe /image:c:\mount /Add-Package /PackagePath:c:\updates\kb12345.msu

Unlike application packages in .cab format, you can’t remove updates in .msu format that you’ve added to a WIM image using Dism.exe.

Configuring tasks to run after deployment
You need to know how to use Dism.exe to apply an answer file to an operating system image.
True or False? You can apply an answer file created using Windows System Image Manager to a WIM file using DISM.
Answer: True. You can use DISM to apply an answer file to an image. Answer files allow you to automate post-deployment tasks such as domain join. Although you can create your own answer files in any text editor, Microsoft recommends that you use Windows System Image Manager (SIM) to create your answer file. Windows SIM is part of the Windows AIK. You should use Windows SIM to validate your answer file if you create it manually. You can use the /Apply-Unattend option. For example, to apply the answer file c:\answerfile\unattend.xml to the WIM image mounted as c:\mount, use the following command:
Dism.exe /image:c:\mount /Apply-Unattend:c:\answerfile\unattend.xml

You can’t use other servicing commands in the same command that you use to apply the unattend.xml answer file to the mounted WIM image.

EXAM TIP  Remember the command required to add an answer file to a WIM image.

MORE INFO To learn more about applying answer files to WIM images, consult the following webpage: http://technet.microsoft.com/en-us/library/dd744522(WS.10).aspx.
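The mount, add, verify, and commit-or-discard sequence from the preceding sections, written as one PowerShell script so that a half-serviced image is never committed. This is an added example, not code from the book; the paths are the book's sample values and Invoke-Dism is a hypothetical helper name introduced here.

```powershell
# Added example (not from the book): service an offline WIM image and commit
# the changes only if every step succeeded; otherwise discard them.
# Run from an elevated prompt on a computer where dism.exe is in PATH.
# All paths are the book's sample values; Invoke-Dism is a hypothetical helper.
$WimFile   = 'c:\images\win7.wim'
$Index     = 4
$MountDir  = 'c:\mount'
$Packages  = @('C:\packages\application.cab', 'c:\updates\kb12345.msu')
$DriverDir = 'c:\drivers'
$Unattend  = 'c:\answerfile\unattend.xml'

function Invoke-Dism {
    param([string[]]$DismArgs)
    # Echo the command line so the servicing log shows exactly what was run.
    Write-Host "dism.exe $($DismArgs -join ' ')"
    & dism.exe $DismArgs
    if ($LASTEXITCODE -ne 0) {
        throw "dism.exe exited with code $LASTEXITCODE"
    }
}

$mounted = $false
try {
    Invoke-Dism @('/Mount-Wim', "/WimFile:$WimFile", "/Index:$Index", "/MountDir:$MountDir")
    $mounted = $true

    # Packages (.cab) and updates (.msu) both go in through /Add-Package.
    foreach ($package in $Packages) {
        Invoke-Dism @("/Image:$MountDir", '/Add-Package', "/PackagePath:$package")
    }

    # /ForceUnsigned is deliberately left out, so unsigned drivers are not
    # forced into an x64 image.
    Invoke-Dism @("/Image:$MountDir", '/Add-Driver', "/Driver:$DriverDir", '/Recurse')

    # The answer file is applied in its own invocation because it cannot be
    # combined with other servicing commands.
    Invoke-Dism @("/Image:$MountDir", "/Apply-Unattend:$Unattend")

    # Review what is now in the image before committing.
    Invoke-Dism @("/Image:$MountDir", '/Get-Packages')
    Invoke-Dism @("/Image:$MountDir", '/Get-Drivers')

    Invoke-Dism @('/Unmount-Wim', "/MountDir:$MountDir", '/Commit')
    $mounted = $false
}
catch {
    Write-Warning "Servicing failed: $_"
    if ($mounted) {
        # Throw away every change made since the mount.
        & dism.exe /Unmount-Wim "/MountDir:$MountDir" /Discard
    }
    exit 1
}
```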

Can you answer these questions?
You can find the answers to these questions at the end of the chapter.
1. Which command would you use to mount the third image index of the image c:\WIM\win7ent.wim in the c:\imgmount directory?
2. Which command would you use to add the package d:\install\program.cab to the WIM image mounted as e:\imgmount?
3. You have extracted 10 device drivers to the directory f:\stage. You want to add these drivers to the WIM image mounted as d:\mount. Which command would you use to accomplish this goal?
4. You have created an unattended installation file named c:\dev\unattend.xml. You want to add this to the WIM image win7.wim, which is mounted in the f:\mount directory. What command would you use to add this unattended installation file to the mounted WIM image?

Objective 2.3: Deploy a system image
This objective requires you to demonstrate that you know how to deploy a specially prepared system image through manual, Lite-Touch, and Zero-Touch Deployment strategies.

Exam need to know
■■ Manually deploying a customized image
For example: How to deploy Windows 7 using ImageX.exe.
■■ Automated deployment methods
For example: How to describe the difference between Lite-Touch and Zero-Touch Deployment.

Manually deploying a customized image
You need to know what steps to take to manually deploy a customized Windows 7 image.
True or False? You use DISM to apply the Windows 7 image in WIM format to a prepared volume when manually deploying a custom image.
Answer: False. Manual image deployment involves using command-line utilities to apply a customized WIM file to a specially prepared volume on a computer and then configuring the boot configuration data (BCD) store to support booting the deployed operating system. Manual image deployment requires direct intervention at all steps, from booting, to partitioning disks, to applying the image, and then configuring the computer to boot.

To manually deploy an image, perform the following steps:
1. Boot off the WinPE media that includes the ImageX.exe tool.
2. From the WinPE command prompt, use the DiskPart utility to format and create the partitions that you will use to deploy the image. For example, to create a 50-MB system partition and then use the remainder of the disk to create a volume to host the Windows 7 image, perform the following steps:
DiskPart
Select disk
clean
create partition primary size=500
select partition 1
format fs=ntfs label="system"
assign letter=S
active
create partition primary
select partition 2
format fs=ntfs label="Windows 7"
assign letter=C
exit

3. Transfer the WIM file from the location where it is stored to the local hard disk drive.
4. Apply the image to the volume using ImageX.exe. For example, if ImageX.exe is in the root directory of your WinPE D: volume, and the WIM file, named win7ult.wim, is located in the root of volume C:, use the following command to apply the image:
D:\imagex.exe /apply c:\win7ult.wim 1 c:\

5. Use BCDboot to initialize the BCD store and copy the appropriate files to the system partition using the following command:
C:\windows\system32\bcdboot c:\windows

MORE INFO To learn more about manually deploying operating system images, consult the following webpage: http://technet.microsoft.com/en-us/library/dd349348(WS.10).aspx.

EXAM TIP  Remember that you use ImageX.exe to capture and deploy images and that you use DISM to service images.

Automated deployment methods
You need to know when it is appropriate to use WDS, Microsoft Deployment Toolkit (MDT), and System Center Configuration Manager to deploy Windows 7 to computers in your organization.
True or False? You can use WDS without an answer file to deploy Windows 7 images.
Answer: True. A simple method of automating the deployment of a Windows 7 image is by using WDS and an answer file. When configured, a prepared operating system image is streamed to a PXE client, with additional configuration, such as domain join, configured through the answer file. You can use WDS without an answer file, though this will require substantially more interaction on the part of the IT professional.

MORE INFO To learn more about deploying Windows 7 using WDS, consult the following webpage: http://technet.microsoft.com/en-us/magazine/gg293118.aspx.

True or False? Lite-Touch, High-Volume deployment uses MDT.
Answer: True. Lite-Touch, High-Volume deployment refers to large-scale operating system deployments. A Lite-Touch deployment strategy is one that requires a small amount of interaction for deployment to successfully occur. Lite-Touch, High-Volume deployments leverage the MDT. MDT is a Microsoft solution accelerator that provides a framework for the deployment of Windows operating systems. You use MDT in a Lite-Touch, High-Volume deployment strategy to handle application, device driver, and update installation with Windows images. MDT 2010 supports thin and thick images.
■■ Thin image  A Windows operating system image that is deployed with minimal customization. Applications, device drivers, and updates are installed after image deployment.
■■ Thick image  A Windows image that is deployed with applications, device drivers, and updates already installed.

EXAM TIP  You can remember the difference between thick and thin images by remembering that a thick image will be larger because it will include applications, device drivers, and updates that the thin image does not include.

Lite-Touch, High-Volume deployment strategies use the following components:
■■ Microsoft Assessment and Planning Toolkit
■■ Volume-licensed (VL) media provided by Microsoft
■■ MDT 2010
■■ User State Migration Tool (USMT)
■■ Application Compatibility Toolkit (ACT)
■■ Windows Automated Installation Kit (AIK)

■■ File server distribution share
■■ Either media that allows clients to boot to start deployment, such as WinPE, or a server configured with the WDS role.

EXAM TIP  The current revision of the 70-680 exam deals with MDT 2010. A future revision of the 70-680 exam will deal with MDT 2012. You can learn about the current version of MDT on the Microsoft Deployment Toolkit (MDT) website at the following address: http://technet.microsoft.com/en-us/solutionaccelerators/dd407791.aspx

True or False? Task sequences are sets of instructions for installing and configuring Windows.
Answer: True. Setting up your organization’s environment to support a Lite-Touch, High-Volume deployment involves the following general steps:
1. Use the Microsoft Assessment and Planning Toolkit to assess your organization’s readiness for Windows 7 (optional).
2. Use Application Compatibility Toolkit to determine the compatibility of your organization’s applications. (optional)
3. Configure WDS on Windows Server 2008 R2 (optional) and configure a file server as the distribution shared resource.
4. Install MDT 2010 on the file server. Install additional components including USMT.
5. Create a distribution share on the file server. This share will host operating systems, application installers, device driver files, and operating system and application updates.
6. Use MDT 2010 to create a task sequence for each different operating system configuration that you want to deploy. A task sequence is a list of instructions for installing and configuring Windows 7, drivers, and applications.
7. Use MDT 2010 to create a deployment point. Deployment points determine how clients connect to files used in the distribution shared resource. Updating a deployment point creates special WinPE images that you can use with client computers to initiate deployment. You can deploy this WinPE image to clients by using either removable media or WDS.
8. Boot client computers using the WinPE image. Connect to the distribution shared resource. Select one of the preconfigured task sequences to install a specific Windows configuration, drivers, and applications.

MORE INFO To learn more about Lite-Touch, High-Volume deployment, consult the following webpage: http://technet.microsoft.com/en-us/library/dd919179(WS.10).aspx.

Answer: False. High-Volume deployment strategy leverages the automation potential of System Center Configuration Manager 2007 R2 to build and capture reference images. consult the following webpage: http://technet. A Zero-Touch. 3.microsoft. and then capture the custom image. High-Volume deployment strategy involves performing the following steps: 1. High-Volume deployment strategy requires that you have the following components: ■■ Microsoft Assessment and Planning Toolkit ■■ Volume-licensed (VL) media ■■ MDT 2010 ■■ USMT ■■ Application Compatibility Toolkit ■■ Windows AIK ■■ System Center Configuration Manager 2007 R2 True or False? You must configure MDT 2010 integration with System Center Configuration Manager 2007 R2 to use a Zero-Touch. EXAM TIP  Future revisions of the 70-680 exam are likely to mention MDT 2012 and System Center Configuration Manager 2012. The ZeroTouch. High-Volume deployments. Install MDT 2010 and configure the Configuration Manager 2007 R2 integration. High-Volume deployment strategy leverages both MDT 2010 and System Center Configuration Manager 2007 R2.com/en-us/library/dd919178(WS. deploy applications and drivers to the reference computer. Answer: True. EXAM TIP  Remember that Zero-Touch deployment requires System Center Configuration Manager.True or False? The Zero-Touch. 4. A Zero-Touch. High-Volume deployment strategy requires a System Center Operations Manager 2012 and System Center Orchestrator 2012 deployment. 2. 32 Chapter 2  Deploying Windows 7 . MORE INFO To learn more about Zero-Touch. Sysprep. High-Volume deployment strategies are almost completely automated and require little interaction from IT professionals other than powering on the client computers that are the target of the deployment. Create a custom reference image using Configuration Manager 2007 R2 to deploy Windows 7 to a reference computer. 5. High-Volume deployment strategy. 
Ensure that System Center Configuration Manager and Active Directory Domain Services are properly deployed and configured. Use the Application Compatibility Toolkit to determine application compat- ibility status (optional). Use the Microsoft Assessment and Planning Toolkit to verify your organiza- tion’s readiness for the deployment of Windows 7 (optional). A Zero-Touch.10). Zero-Touch.aspx.

Can you answer these questions?
You can find the answers to these questions at the end of the chapter.
1. Which tool do you use to create and validate answer files for Windows 7 deployments?
2. Which tool do you use to apply an image file in WIM format to an NTFS-formatted volume?
3. Which tool can you use to create task sequences when leveraging the Lite-Touch, High-Volume deployment strategy?
4. Which infrastructure component is required to support a Zero-Touch, High-Volume deployment strategy that isn’t required to support a Lite-Touch, High-Volume deployment strategy?

Objective 2.4: Configure a VHD
This objective requires you to demonstrate that you know how to manage operating
system images in the VHD image format. This includes the steps you need to take
to create, mount, deploy, and update operating system images in this format. You
also need to know how to add applications and drivers to operating system images
in this format.

Exam need to know
■■ Creating, deploying, booting, mounting, and updating VHDs
For example: How to create a VHD image.
■■ Offline updates
For example: How to add updates to a VHD image.
■■ Offline servicing
For example: How to add a package to a VHD image.

Creating, deploying, booting, mounting, and updating VHDs
You need to know what steps you need to take to create VHD files, how to deploy
VHD files, how to mount them, and what steps to take to update those files.
True or False? You can create VHD files using the Dism.exe command-line utility.
Answer: False. You can create a VHD using the Disk Management snap-in and the
DiskPart command-line utility. To create a VHD using the Disk Management snap-in,
perform the following general steps:
1. Open the Disk Management snap-in and click Create VHD on the Action menu.
2. Specify the following properties of the VHD:
■■ Location  Where you want the VHD file to be placed. If you create a fixed VHD, this location must have enough space to store the VHD file.
■■ Virtual Hard Disk Size  Size of the fixed VHD or the maximum size of the dynamically expanding VHD.
■■ Virtual Hard Disk Format  Fixed or dynamically expanding. Maximum size of a dynamically expanding VHD is 2040 GB.

Once the VHD is created, you need to initialize it. After the VHD is initialized,
you can manage it as if it were a normal disk: creating volumes, formatting those
volumes, and creating drive letters.
You create VHDs from the command line using the DiskPart command-line utility. You need to perform this task from an elevated command prompt. For example,
to create an expandable VHD file named Win7Ult.vhd in the c:\VHD folder that can
grow to 50 GB in size, issue the following commands:
DiskPart
Create vdisk file=c:\VHD\win7Ult.vhd maximum=50000 type=expandable

To view current virtual disks from within DiskPart, use the list vdisk command.
To manipulate a VHD within DiskPart, you must select and then attach the disk. You
can do this with the following commands:
DiskPart
Select vdisk file=c:\vhd\win7ult.vhd
Attach vdisk

Once the disk is attached, you can create partitions and format those partitions.
For example, to create a partition inside the attached VHD that is 30 GB in size, use
the DiskPart command:
Create partition primary size=30000

To format the newly created partition with the NTFS file system, use the following DiskPart command:
Format fs=ntfs label=Win7 quick

To assign the VHD as a drive letter, use the assign letter=X DiskPart command.
For example, to assign the currently selected VHD file to drive V:, use this command:
Assign letter=v

MORE INFO To learn more about creating virtual hard disks, consult the following
webpage: http://technet.microsoft.com/en-us/library/gg318052(WS.10).aspx.

True or False? You can use the ImageX command-line tool to apply a Windows
image to a VHD.
Answer: True. After you have created a VHD, created a partition within that VHD,
formatted that partition, and assigned the VHD to a particular drive letter, you
can make a VHD bootable by applying a .WIM image to the VHD. You can use the
ImageX command-line tool from the Windows AIK to apply a .WIM image. You can
also use the Install-WindowsImage.ps1 PowerShell script that can be downloaded
from the Microsoft website.

Use ImageX.exe /info <path to .WIM> to determine the index identifier of the
edition of Windows 7 that you wish to apply to the VHD file. Once you have determined the number, use the following syntax to apply the image to the VHD volume:
imagex /apply <path to .wim> <image_index> <VHD path>. For example, if the
WIM file is located at d:\sources\install.wim, you’ve mounted the VHD at V: and the
index number of the version of Windows 7 you wanted to install is 4, you would use
this command:
Imagex.exe /apply d:\sources\install.wim 4 v:\

You can make a VHD bootable using the bcdedit.exe command. For example, to
make the newly configured VHD c:\vhd\win7.vhd bootable, perform the following
steps:
1. Ensure that the VHD is detached.
2. From an elevated command prompt, type the following:
Bcdedit /copy {default} /D "VHD Boot"

3. A GUID will be output. You will use this GUID in the next two commands.
Bcdedit /set {GUID} device vhd=[c:]\vhd\win7.vhd
Bcdedit /set {GUID} osdevice vhd=[c:]\vhd\win7.vhd

MORE INFO To learn more about creating bootable virtual hard disks, consult the
following webpage: http://technet.microsoft.com/en-us/library/gg318049(WS.10).aspx.
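The whole sequence described above (create and attach the VHD, apply the image, detach, add a boot entry) as one PowerShell script. This is an added example, not code from the book; it assumes an elevated prompt and that imagex.exe from the Windows AIK is in PATH, uses c:\vhd\win7ult.vhd throughout, and Invoke-DiskPart is a hypothetical helper name introduced here.

```powershell
# Added example (not from the book): build a native-boot VHD end to end.
# Assumptions: elevated prompt, imagex.exe (Windows AIK) in PATH, and the
# book's sample values for sizes, drive letter, WIM path, and image index.
$VhdPath   = 'c:\vhd\win7ult.vhd'
$VhdSizeMB = 50000
$PartMB    = 30000
$Letter    = 'v'
$WimFile   = 'd:\sources\install.wim'
$Index     = 4

function Invoke-DiskPart {
    param([string[]]$Commands)
    # DiskPart reads its commands from a script file passed with /s.
    $script = Join-Path $env:TEMP 'vhd-diskpart.txt'
    Set-Content -Path $script -Value $Commands -Encoding ASCII
    & diskpart.exe /s $script
    $code = $LASTEXITCODE
    Remove-Item $script
    if ($code -ne 0) { throw "diskpart.exe exited with code $code" }
}

# 1. Create the expandable VHD, attach it, partition, format, assign a letter.
Invoke-DiskPart @(
    "create vdisk file=$VhdPath maximum=$VhdSizeMB type=expandable",
    "select vdisk file=$VhdPath",
    'attach vdisk',
    "create partition primary size=$PartMB",
    'format fs=ntfs label=Win7 quick',
    "assign letter=$Letter"
)

# 2. Apply the chosen image index to the volume inside the VHD.
& imagex.exe /apply $WimFile $Index "${Letter}:\"
if ($LASTEXITCODE -ne 0) { throw "imagex.exe exited with code $LASTEXITCODE" }

# 3. Detach the VHD before touching the boot configuration.
Invoke-DiskPart @("select vdisk file=$VhdPath", 'detach vdisk')

# 4. Copy the default boot entry. In PowerShell, {default} must be quoted or
#    it is parsed as a script block instead of being passed to bcdedit.
$copyOutput = & bcdedit.exe /copy '{default}' /d 'VHD Boot'
if ("$copyOutput" -match '\{[0-9a-fA-F-]{36}\}') {
    $guid = $Matches[0]
} else {
    throw "bcdedit did not return a GUID: $copyOutput"
}

# 5. Point the new entry at the VHD, in the vhd=[c:]\path form bcdedit expects.
$bcdVhd = 'vhd=[{0}]{1}' -f $VhdPath.Substring(0, 2), $VhdPath.Substring(2)
& bcdedit.exe /set $guid device $bcdVhd
if ($LASTEXITCODE -ne 0) { throw 'bcdedit /set device failed' }
& bcdedit.exe /set $guid osdevice $bcdVhd
if ($LASTEXITCODE -ne 0) { throw 'bcdedit /set osdevice failed' }

Write-Host "Boot entry $guid now points to $VhdPath"
```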

True or False? You can deploy prepared bootable VHDs to computers without
operating systems using WDS.
Answer: True. You can deploy bootable VHDs to computers using the following
methods:
■■ Boot using the WinPE environment and copy the bootable VHD file across
from a network share to a prepared local volume. It will then be necessary to
manually configure the boot configuration using bcdedit.exe.
■■ Use WDS on Windows Server 2008 R2. You can add bootable VHD files to
WDS using the WDSUtil command-line utility, but not using the WDS GUI.
This allows you to automate the deployment of VHD files instead of having
to deploy them manually.

MORE INFO To learn more about deploying virtual hard disks, consult the following
webpage: http://technet.microsoft.com/en-us/library/gg318050(WS.10).aspx.

True or False? You must attach a VHD before you can service the VHD.
Answer: True. To service a VHD using the DISM tool, you need to attach the VHD
file. This is done by assigning it to a volume. For example, to assign a VHD named
win7ult.vhd, which is located in the c:\vhd folder to volume V: in preparation for
servicing, issue the following commands from an elevated command prompt:

Diskpart
Select vdisk file=c:\vhd\win7ult.vhd
Attach vdisk
Assign letter=v
exit

Be careful when servicing VHD images because you can’t discard changes in the
manner that you can when managing WIM files. You should make a copy of the
VHD prior to making modifications to the VHD. You’ll find out more about servicing VHD images later in this chapter. You detach a VHD once you have completed
servicing it. For example, to detach the VHD win7ult.vhd in the c:\vhd directory, use
the following commands from an elevated command prompt:
Diskpart
Select vdisk file=c:\vhd\win7ult.vhd
Detach vdisk
exit

MORE INFO To learn more about servicing VHD images, consult the following webpage: http://technet.microsoft.com/en-us/library/dd799267(WS.10).aspx.

EXAM TIP  Remember that only the Enterprise and Ultimate editions of Windows 7
can use native-VHD boot.

Offline updates
You need to know how to apply software updates to a VHD file without booting the
operating system hosted in the VHD.
True or False? You can apply software update files in .msu format to a VHD image.
Answer: True. You can add update files in .msu format to VHD images in a way that is
similar to adding an update file to a WIM image. You can add a package in .msu format to an image using the /Add-Package option. For example, to add the update
c:\updates\kb12345.msu to the VHD image mounted on volume V:, use this command:
Dism.exe /image:V:\ /Add-Package /PackagePath:C:\updates\kb12345.msu

You can verify which packages have been installed within an image by using the
/Get-Packages option. For example, to view which packages have been added to the
VHD mounted on volume V:, use this command:
Dism.exe /image:V:\ /Get-Packages

MORE INFO To learn more about updating VHD files, consult the following webpage: http://technet.microsoft.com/en-us/library/dd799267(WS.10).aspx.
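
The attach, service and detach steps from the two sections above, combined into one script that copies the VHD first and always detaches it. This is an added example, not code from the book; it assumes PowerShell 2.0 or later in an elevated session, and the paths and drive letter are illustrative.

```powershell
# Added example: offline patching of a VHD (attach -> DISM /Add-Package -> detach).
# Paths and the drive letter are assumptions; win7ult.vhd mirrors the path used above.
param(
    [string]$VhdPath     = 'C:\vhd\win7ult.vhd',
    [string]$UpdateDir   = 'C:\updates',
    [string]$DriveLetter = 'V'
)
$ErrorActionPreference = 'Stop'

function Test-Elevated {
    # DiskPart and DISM both need an elevated session.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Invoke-DiskPart {
    param([string[]]$Commands)
    # DiskPart runs a list of commands from a text file passed with /s.
    $scriptFile = [IO.Path]::GetTempFileName()
    try {
        Set-Content -Path $scriptFile -Value $Commands -Encoding ASCII
        & diskpart.exe /s $scriptFile | Out-Host
        if ($LASTEXITCODE -ne 0) { throw "diskpart exited with code $LASTEXITCODE" }
    }
    finally {
        Remove-Item -Path $scriptFile -ErrorAction SilentlyContinue
    }
}

if (-not (Test-Elevated)) { throw 'Run this from an elevated PowerShell prompt.' }

$updates = @(Get-ChildItem -Path $UpdateDir -Filter *.msu | Sort-Object Name)
if ($updates.Count -eq 0) { throw "No .msu files found in $UpdateDir" }

# Changes to a VHD cannot be discarded the way WIM changes can, so copy it first.
$backup = "$VhdPath.pre-servicing"
Copy-Item -Path $VhdPath -Destination $backup -Force

$image = "${DriveLetter}:\"
try {
    # Same DiskPart sequence as on this page: select, attach, assign a letter.
    Invoke-DiskPart @(
        "select vdisk file=`"$VhdPath`"",
        'attach vdisk',
        "assign letter=$DriveLetter"
    )

    foreach ($msu in $updates) {
        Write-Host "Adding $($msu.Name)"
        & Dism.exe "/image:$image" /Add-Package "/PackagePath:$($msu.FullName)"
        if ($LASTEXITCODE -ne 0) {
            throw "DISM failed on $($msu.Name) with exit code $LASTEXITCODE"
        }
    }

    # Keep a record of the packages now present in the image.
    & Dism.exe "/image:$image" /Get-Packages |
        Set-Content -Path "$VhdPath.packages.txt"
}
catch {
    Write-Warning "Servicing failed: $_  The untouched copy is at $backup"
    throw
}
finally {
    # Always detach, even after a failure, so the VHD is not left mounted.
    try {
        Invoke-DiskPart @("select vdisk file=`"$VhdPath`"", 'detach vdisk')
    }
    catch {
        Write-Warning "Detach failed: $_"
    }
}
```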


Offline servicing
You need to know how to add drivers to VHD images when the operating system that the VHD hosts is not powered on.
True or False? You use ImageX.exe to add drivers to a VHD file.
Answer: False. You can add drivers to a VHD image in much the same way that you add drivers to a WIM image. To add drivers to a VHD image, perform the following steps:
1. Use DiskPart or the Disk Management Console to mount the VHD that you want to service.
2. Use DISM to add drivers to the VHD using the /Add-Driver option. For example, to add the driver c:\drivers\driver.inf to the VHD that you’ve mounted as volume V:, issue this command:
Dism.exe /image:V:\ /Add-Driver /driver:C:\drivers\driver.inf

True or False? You can use ImageX.exe to list which drivers have been added to a VHD file.
Answer: False. You can verify that the driver has been added to the VHD by using the /Get-Drivers option of the Dism.exe command. For example, to check which drivers have been added to the VHD mounted as V:, issue this command:
Dism.exe /image:V:\ /Get-Drivers

Once you have finished adding drivers, you can dismount the VHD using either DiskPart or Disk Management.

MORE INFO To learn more about adding drivers to VHD files, consult the following webpage: http://technet.microsoft.com/en-us/library/gg318053(WS.10).aspx.

EXAM TIP  Remember that you can use DISM to add drivers to both WIM and VHD files.

Can you answer these questions?
You can find the answers to these questions at the end of the chapter.
1. What string of commands would you use from an elevated command prompt to create a 30-GB dynamically expanding VHD named Win7 in the c:\VHD directory, create a 25-GB partition within that VHD, and then format that newly created partition with the NTFS file system and the volume label Win7VHD?
2. What commands would you use from an elevated deployment tools command prompt on a computer running Windows 7 to apply the fourth indexed operating system in the Windows image d:\sources\install.wim to the VHD mounted on volume V:?

exe /image:d:\mount /Add-Driver /driver:f:\stage /recurse 4.inf to automate the Image Capture Wizard in WDS.inf located in the c:\stage directory.xml Objective 2. Objective 2. High-Volume deployment strategy.1: Capture a system image 1.3. What method can you use to centralize the deployment of bootable VHDs to PXE clients? 4. Use Sysprep with Audit mode so that you can add additional drivers and applications. You use ImageX. Objective 2. You have mounted a VHD that you want to service as volume V:. You boot into the WinPE environment when performing a manual image capture. You use Microsoft Deployment Toolkit 2010 to create task sequences when leveraging the Lite-Touch. dism. 4.2: Prepare a system image for deployment 1. dism. 3.exe /mount-wim /wimfile:c:\WIM\win7ent.wim /index:3 /mountdir:c:\ imgmount 2. You configure WDSCapture.exe /image:f:\mount /Apply-Unattend:c:\dev\unattend. 2.exe to apply an image file in WIM format to an NTFS- formatted volume. You have a driver named graphicscard.3: Deploy a system image 1. 4. dism. You need to use System Center Configuration Manager 2007 R2 to support a Zero-Touch. High-Volume deployment strategy. You use ImageX. You use the Windows SIM to create and validate answer files. 3. dism.exe.cab 3. 2.exe /image:e:\imgmount /Add-Package /PackagePath:d:\install\ program. 38 Chapter 2  Deploying Windows 7 . What command would you use to add this driver to this VHD? Answers This section contains the answers to the “Can you answer these questions?” sections in this chapter.

Objective 2.4: Configure a VHD
1. Use the following code to accomplish your goal:
DiskPart
Create vdisk file=c:\VHD\win7.vhd maximum=30000 type=expandable
Select vdisk file=c:\VHD\win7.vhd
Attach vdisk
Create partition primary size=25000
Format fs=ntfs label=Win7VHD quick
Assign letter=v
2. Imagex.exe /apply d:\sources\install.wim 4 v:\
3. You can use WDS to centralize the deployment of VHDs to PXE clients.
4. Dism.exe /image:V:\ /Add-Driver /driver:C:\stage\graphicscard.inf


Chapter 3
Configuring Hardware and Applications

Approximately 14 percent of the 70-680 exam focuses on the topic of configuring hardware and applications. That means that you need to have a good grasp of how to configure devices, manage application compatibility, configure application restrictions, and manage Internet Explorer.
This chapter covers the following objectives:
■■ Objective 3.1: Configure devices
■■ Objective 3.2: Configure application compatibility
■■ Objective 3.3: Configure application restrictions
■■ Objective 3.4: Configure Internet Explorer

Objective 3.1: Configure devices
This objective requires you to demonstrate that you know how to manage applications and devices. You’ll need to know how to update, disable, and uninstall drivers. You’ll also need to know how to deal with signed drivers, how to resolve conflicts between drivers, and how to deal with a problematic device driver.

Exam need to know
■■ Updating, disabling, and uninstalling drivers
For example: How to uninstall a driver from Windows 7.
■■ Signed drivers
For example: How to know which versions of Windows 7 require digitally signed drivers.
■■ Configuring driver settings
For example: How to configure a device to use a different interrupt request (IRQ).
■■ Resolving problem device driver
For example: How to determine when to roll back and when to remove a problematic device driver.

■■ Conflicts between drivers
For example: How to resolve a resource conflict between two device drivers.

Updating, disabling, and uninstalling drivers
You need to know what steps to take to update a specific driver, disable a specific driver, and uninstall a driver.
True or False? A user who is a member of the power users local group on a computer running Windows 7 can manually update the device driver for any device.
Answer: False. Updating or changing a device driver requires that the user attempting the task be a member of the local Administrators group if the driver is not already in the drivers store. A standard user can install a driver under the following conditions:
■■ The driver package is signed using a certificate present in the Trusted Publishers certificate store.
■■ The device setup class for the driver is listed in the Allow Limited Users To Install Drivers For These Device Classes policy.

MORE INFO To learn more about updating or changing device drivers, consult the following webpage: http://technet.microsoft.com/en-us/library/cc730965.aspx.

When a new device is detected, Windows 7 will examine the driver store to determine whether an applicable device driver is staged there. If no applicable device driver is found, Windows will check the following locations:
■■ All folders specified in the DevicePath registry setting
■■ Windows Update hosted on the Microsoft website
■■ Any specific file path entered by the user
When an applicable device driver is found, Windows copies it to the driver store. Once the driver is staged in this location, it will be installed. You can add folders to the DevicePath setting by editing the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\DevicePath registry item, separating each location with a semicolon. Ensure that %systemroot%\inf is one of the folders listed in this location. To block Windows 7 from checking Windows Update for updated drivers, configure the Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication Settings\Turn Off Windows Update Device Driver Searching policy. Set this policy to Enabled to prevent Windows from checking Windows Update. Set this policy to Disabled or Not Configured to have Windows check Windows Update for device drivers.

MORE INFO To learn more about changing the folders that Windows 7 examines when looking for device drivers, consult the following webpage: http://technet.microsoft.com/en-us/library/cc753716.aspx.

True or False? You can use pnputil.exe from a standard command prompt to stage device drivers in the driver store.
Answer: False. Staging a driver places it in the driver store, ensuring that it will automatically be installed when a compatible device is detected without requiring that a user with local administrator privileges provide permission. Staging is useful in operating system deployment scenarios to ensure that all necessary drivers are part of the image. An administrator can stage a driver in the driver store using the pnputil.exe command-line utility from an elevated command prompt. A standard user can stage a driver only if the driver is signed and the device class is listed in the Allow Non-Administrators To Install Drivers For These Device Classes policy.

True or False? You must remove a driver from the driver store before you attempt to uninstall a device.
Answer: False. To uninstall a device, a user needs to be a member of the local Administrators group or the device setup class, and the driver must be listed in the Allow Non-Administrators To Install Drivers For These Device Classes policy. To uninstall a device using Device Manager, perform the following steps:
1. Right-click the device that you want to remove in Device Manager and then click Uninstall. You can also view the device’s properties and click Uninstall on the Drivers tab of the device properties.
2. On the Confirm Device Removal page, you can choose the Delete The Driver Software For This Device option if you want to remove the device driver package from the driver store.
3. Once the process is complete, remove the device from the computer.

MORE INFO To learn more about uninstalling a device, consult the following webpage: http://technet.microsoft.com/en-us/library/cc725782.aspx.

True or False? You can remove a device driver from the driver store using the pnputil.exe command-line utility.
Answer: True. Removing a staged device driver package from the driver store will not uninstall any currently operational devices that use those drivers. When you remove a package, only the driver package is deleted. If a new device that uses this driver is connected to the computer, Windows needs to locate the driver files because they will no longer be located in the driver store. To remove a driver from the driver store, perform the following steps:
1. Open an elevated command prompt and run the pnputil.exe -e command.
2. Determine the name of the driver. It will be in the format OEM#.inf, where # is a unique number.
3. To remove the driver from the driver store, type the command pnputil.exe -d OEM#.inf, where OEM#.inf is the name of the device driver that you want to remove. If the computer reports that the driver package is in use, you can uninstall the device or force removal of the package by using the -f option with the pnputil.exe command.

MORE INFO  To learn more about removing device drivers, consult the following webpage: http://technet.microsoft.com/en-us/library/cc730875.aspx.

EXAM TIP  Remember that removing a driver package from the driver store does not uninstall any currently operational devices that use that driver.

Signed drivers
You need to know the situations under which a device driver must be signed.
True or False? You can install digitally signed drivers only on computers running x64 versions of Windows 7.
Answer: True. You can install only device drivers that are signed by a trusted certification authority (CA) on computers running 64-bit versions of Windows 7. An organization that wants to digitally sign driver packages needs to use the MakeCert, Signability, and SignTool tools in the Windows Driver Kit (WDK). An organization can use these tools to sign unsigned drivers or replace the digital signatures of other publishers with their own digital signature. When using drivers that are signed by an organizational CA, it is necessary to ensure that the organization’s CA is trusted by the computer running Windows 7. An exception to this is kernel-mode drivers. Kernel-mode drivers for 64-bit versions of Windows 7 must be signed by a CA that has an approved CA in its trust chain; they cannot be signed by organizational CAs.

MORE INFO  To learn more about driver signing in Windows 7, consult the following webpage: http://technet.microsoft.com/en-us/library/dd919200(WS.10).aspx.

EXAM TIP  Remember that drivers for 64-bit versions of Windows 7 must be signed.

Configuring driver settings
You need to know how to configure driver settings using Device Manager.
True or False? You can configure which hardware resources are used by some devices using Device Manager.
Answer: True. Each system resource that a device uses must be unique to that device. Plug and Play (PnP) devices manage this process automatically. It is also possible to perform this task manually using Device Manager. Resources used by devices include the following:
■■ Interrupt request (IRQ) line numbers
■■ Direct Memory Access (DMA) channels
■■ Input/output (I/O) port addresses
■■ Memory address ranges

MORE INFO To learn more about rolling back device drivers.exe command. consult the following webpage: http://technet. you can remove the current driver. True or False? Members of the power users local group can roll back device drivers.aspx. If a driver is not functioning properly. alter the settings on the Resource tab of the Device’s properties in Device Manager. Once the newer nonfunctioning driver has been completely removed. consult the following webpage: http://support.com/en-us/library/cc732648. version. Configuring Hardware and Applications  Chapter 3 45 . Answer: True.Windows can’t automatically configure the resource settings for a non-PnP device. If a newly installed driver is functioning in a problematic way.microsoft. the account used to perform this task needs to be a member of the local Administrators group. A normal user can also perform this task if the driver is for a device class that is listed in the Allow Limited Users To Install Drivers For These Device Classes policy. Driver Verifier is included with Windows 7 and you launch it using the verifier. By default. You might need to use a special setup utility to configure resource allocation for these devices. Removing the newer driver is necessary only if the earlier version of the driver was not installed.com/kb/244617. You can use Driver Verifier to stress-test a system to determine whether a driver exhibits faulty behavior in situations such as when a system has low resources. Answer: False. hopefully better functioning. You can use Driver Verifier to troubleshoot driver issues. To configure the resources for a device. you can use Device Manager to roll the driver back to a previous.microsoft. consult the following webpage: http://technet. you can install the earlier version of the driver. The Roll Back Driver button is available only if a previous version of the current device driver was installed on the computer. MORE INFO To learn more about Driver Verifier.com/en-us/library/cc753282.aspx. 
EXAM TIP  Remember that you can roll back a driver only if a previous version of the driver was installed on the computer. and you have access to a previous version of the driver software that you believe will run properly.microsoft. Resolving problem device driver You need to know when you must remove a device driver and when you can roll back a device driver. True or False? You can use Driver Verifier to stress-test drivers to determine if they become faulty when subject to resource pressure. ensuring that you also delete it from the driver store. MORE INFO  To learn more about understanding device configuration.

such as attempting to upgrade drivers to newer versions or resolving resource conflicts. Disable each device in turn to verify that you have correctly identified which devices are conflicting.2 of the device driver on the computer. Answer: True. Answer: True. After checking technical support forums. but find that the device behaves erratically. You have just installed a new device on a computer running Windows 7. You download and install version 2. consult the following webpage: http://support. If you cannot resolve the conflict. True or False? You can use msinfo32. True or False? You can use Device Manager to determine which devices are in conflict with one another. 1.exe utility can be used to view the memory. The Hardware Resources\Conflicts/Sharing node will display where resources are being shared and where they are in conflict.1 of 46 Chapter 3  Configuring Hardware and Applications . determine whether the problem is caused by a resource conflict. Attempt to update the device driver software for each device. you discover that you can solve the problem by using version 2. You can pursue the following strategies in an attempt to resolve this conflict: ■■ ■■ ■■ ■■ Use Device Manager to determine which two devices are in conflict with each other.exe. EXAM TIP  Attempt to update drivers as a first step in resolving driver conflicts. Under what conditions can a user who is not a member of the local Adminis- trators group roll back a device driver? 2. you might need to replace one of the conflicting devices with one that is more compatible with your configuration.Conflicts between drivers You need to know what steps you can take to resolve conflicts between device drivers. might conflict rendering both devices nonfunctional.exe to view resource conflicts on a computer running Windows 7. MORE INFO To learn more about msinfo32.com/kb/300887.microsoft. Can you answer these questions? You can find the answers to these questions at the end of the chapter. If possible. 
It might be possible to manually reconfigure one of the devices so that the conflict no longer occurs. when installed on the same computer running Windows 7. Updated drivers might resolve the conflict issue. and IRQ resources assigned to every device connected to the computer. Although rare. The msinfo32. I/O. it is possible that two different devices or device drivers.

the device driver, which you can also download from the vendor’s website. What steps should you take to ensure that version 2.1 of this device driver is used instead of version 2.2?
3. Which tools can you use to view resource conflicts?
4. Which tool can you use to stress-test a driver to determine whether it functions problematically in low-resource scenarios?

Objective 3.2: Configure application compatibility
Some of the main things blocking organizations from adopting Windows 7 are application-compatibility issues. Some applications that run perfectly well on Windows XP can’t function when you attempt to run them on Windows 7. This objective requires you to demonstrate that you know how to set a compatibility mode, implement shims, and resolve compatibility issues with Internet Explorer.

Exam need to know
■■ Setting compatibility mode
For example: How to configure Windows 7 to run a program using the Windows XP (SP3) compatibility settings.
■■ Implementing shims
For example: How to deploy custom shims to computers running Windows 7.
■■ Compatibility issues with Internet Explorer
For example: How to test webpages for compatibility with Internet Explorer on Windows 7.

Setting compatibility mode
You need to know which options there are for running programs that are not compatible with Windows 7.
True or False? There is a Windows Me compatibility mode.
Answer: True. Compatibility modes partially replicate the operating system environment of previous versions of Windows. Although some aspects of the operating system environment are reproduced, a program that functioned on a computer running Windows XP (SP 2) might not fully function when the Windows XP (SP 2) compatibility mode is selected, and you might have to take other steps to get it to function. You can configure a program to run using a compatibility mode by editing the settings on the Compatibility tab of the program’s properties dialog box. Windows 7 SP 1 supports the following compatibility modes:
■■ Windows 95
■■ Windows 98/Me
■■ Windows NT 4.0 (SP 5)

■■ Windows 2000
■■ Windows XP (SP 2)
■■ Windows XP (SP 3)
■■ Windows Server 2003 (SP 1)
■■ Windows Server 2008 (SP 1)
■■ Windows Vista
■■ Windows Vista (SP 1)
■■ Windows Vista (SP 2)
■■ Windows 7
Additional compatibility options that you can configure include the following:
■■ Run In 256 Colors  Use this option with applications that can run only with a limited color palette.
■■ Run In 640 x 480 Screen Resolution  Use this option with applications that cannot display in resolutions above 640x480.
■■ Disable Visual Themes  Helps with applications that have display problems with visual themes.
■■ Disable Desktop Composition  Disables certain features of the Aero user interface while the application is running.
■■ Disable Display Scaling On High DPI Settings  Disables automatic resizing of applications if large-scale fonts cause problems with the application appearance.

True or False? Users who are members of the local Administrators group can run the Program Compatibility Assistant manually.
Answer: False. The Program Compatibility Assistant cannot be run manually. The Program Compatibility Assistant runs automatically when it detects the execution of an application for which it has compatibility problem-resolution information. The Program Compatibility Assistant detects when you execute programs known to have compatibility issues with Windows 7. It notifies you of the problem and provides information about a fix for when you next execute the program. The Program Compatibility Assistant can resolve User Account Control (UAC) conflicts or automatically configure the program to run in one of the compatibility modes listed earlier in this chapter.

MORE INFO To learn more about the Program Compatibility Assistant, consult the following webpage: http://windows.microsoft.com/en-US/windows7/Program-CompatibilityAssistant-frequently-asked-questions.

True or False? Applications installed in Windows XP mode can be launched from the Windows 7 Start menu.

Answer: True. Windows XP mode runs a virtualized copy of Windows XP (SP 3) on a computer running Windows 7 Professional, Enterprise, or Ultimate. From the user’s perspective, Windows XP can be opened as a separate window that functions as a full version of Windows XP. Users can interact with the virtual operating system in the same manner as they interact with the host operating system. If you install a program in the Windows XP mode operating system, the program will be installed in the virtual operating system and will also be available directly from the Start menu on Windows 7. If organizations can’t get compatibility modes to work or can’t use the Application Compatibility Toolkit to make incompatible programs function, Windows XP mode is likely to work as a last resort. Windows XP mode is a last resort because the virtual Windows XP operating system still needs to be managed and updated, and deploying Windows XP mode increases the number of operating system instances that the IT department needs to manage.

MORE INFO  To learn more about Windows XP mode, consult the following webpage: http://windows.microsoft.com/en-US/windows7/install-and-use-windows-xpmode-in-windows-7.

Implementing shims
You need to know when to use and deploy shims as an application compatibility solution.
True or False? You can use shims to make Windows XP device drivers compatible with Windows 7.
Answer: False. Shims function as a translation layer redirecting API calls from programs that have compatibility problems with Windows 7 to the shim. The shim code then translates those incompatible API calls into API calls understood by Windows 7. Shims run as user-mode code inside a user-mode application process. It is not possible to use shims to resolve compatibility issues with device driver or other kernel-mode code such as some older anti-malware applications.

MORE INFO To learn more about shims, consult the following webpage: http://technet.microsoft.com/en-us/library/dd837644(WS.10).aspx.

True or False? You can deploy a custom shim database as a part of operating system deployment.
Answer: True. Windows 7 uses a shim database when attempting to load applications. A shim database is already included with Windows 7, and this database is updated through Windows Update. This database contains shims for many popular applications. If your organization has unique incompatible applications that would not be present in the Microsoft shim database, you can deploy a custom shim database to the Windows 7 client that will host shims that allow your organization’s unique incompatible applications to run. You can create and manage custom shims

and custom shim databases using the Compatibility Administrator, which is a part of the Application Compatibility Toolkit.

MORE INFO To learn more about deploying shim databases, consult the following webpage: http://technet.microsoft.com/en-us/library/dd837647(WS.10).aspx.

Compatibility issues with Internet Explorer
You need to know how to use Internet Explorer Compatibility View and the Internet Explorer Compatibility Test Tool (IECTT).
True or False? You can use Compatibility View to emulate the characteristics of third-party browsers.
Answer: False. Compatibility View does not emulate the characteristics of third-party browsers. With Compatibility View, Internet Explorer can emulate the way that previous versions of Internet Explorer displayed webpages. You’ll learn more about managing Compatibility View later in this chapter.

MORE INFO To learn more about Compatibility View, consult the following webpage: http://windows.microsoft.com/en-US/windows7/How-to-use-Compatibility-Viewin-Internet-Explorer-9.

True or False? You can use the IECTT to automate the testing of internal websites to determine whether they are compatible with Internet Explorer.
Answer: True. When upgrading to Windows 7, you need to ensure that web applications used by people in your organization are compatible with either Internet Explorer 8, which shipped with the operating system, or the current version of Internet Explorer. With the IECTT, you can automate the process of testing the compatibility of existing web applications to see how well they would work with Internet Explorer on Windows 7. The IECTT is a tool that you can run to view web-based compatibility issues in real time. In some cases, you’ll either have to use Compatibility View to display the web application if it doesn’t work in more modern versions of Internet Explorer or use a solution such as Windows XP mode, so that the application can be accessed by the browser running on the virtual machine.

MORE INFO To learn more about the IECTT, consult the following webpage: http://technet.microsoft.com/en-us/library/cc721989(WS.10).aspx.

Can you answer these questions?
You can find the answers to these questions at the end of the chapter.
1. You have three custom applications that are incompatible with Windows 7. You need to ensure that these applications can run but want to minimize the number of operating systems to which you need to apply software updates every month. Which solution should you implement to meet your goals?

2. You have one application that runs fine on Windows XP with SP 3, but cannot be run on Windows 7 using a compatibility mode. This application is used by three people. What solutions could you use to ensure that these applications can run on the computers of these three users?
3. Which editions of Windows 7 support Windows XP mode?
4. Which tool can you use to automatically check websites on the intranet to determine whether they might have compatibility issues with Internet Explorer?

Objective 3.3: Configure application restrictions
This objective requires you to demonstrate that you know how to use Software Restriction Policies and Application Control Policies, also known as AppLocker Policies, to control the execution of applications and scripts on computers running Windows 7.

Exam need to know
■■ Setting Software Restriction Policies
For example: How to configure Windows 7 Professional edition to run all applications written by a specific vendor.
■■ Setting Application Control Policies
For example: How to configure Windows 7 to block the execution of all applications written by a particular vendor.
■■ Setting through Group Policy or Local Security Policy
For example: How to determine which tool to use to configure AppLocker on a stand-alone computer running Windows 7.

Setting Software Restriction Policies
You need to know the different types of Software Restriction Policies’ rules and their order of precedence.
True or False? You can use Software Restriction Policies to block the execution of applications on computers running Windows 7 Professional.
Answer: True. Software Restriction Policies allow you to block the execution of applications on computers running Windows 7, Windows Vista, and Windows XP. Software Restriction Policies are the predecessors to AppLocker Policies. Besides working with previous versions of Windows, you can use Software Restriction Policies to control the execution of applications on editions of Windows 7 that don’t support AppLocker. Software Restriction Policies use the following settings:
■■ Unrestricted  The application can be executed.
■■ Disallowed  The application is blocked from executing.

True or False? You can use a default rule to block all applications except those allowed by explicit Software Restriction Policies.
Answer: True. Default rules apply when no other Software Restriction Policy matches an application. Only one default rule can be enforced using Software Restriction Policies. There are three default rules:
■■ Disallowed  Users cannot execute an application that isn’t specifically allowed by another Software Restriction Policy.
■■ Basic User  Users can execute any applications that do not require administrative rights. Users can execute applications that require administrative rights as long as there is a specific Software Restriction Policy that allows the application.
■■ Unrestricted  Users can execute any application not explicitly blocked by an existing Software Restriction Policy.

True or False? Certificate rules override path rules.
Answer: True. Software Restriction Policies are applied in a specific order, with more explicit rules overriding general rules. The order, with specific hash rules overriding all other rule types, is as follows:
1. Hash rules
2. Certificate rules
3. Path rules
4. Zone rules
5. Default rules
When two rules conflict for the same program, the more specific rule takes precedence. For example, a certificate rule that sets a particular application to Unrestricted will override a path rule that sets a particular application to Disallowed. With AppLocker rules, covered later in this chapter, any block rule overrides allow rules.

True or False? You can configure Software Restriction Policies so that they are enforced for all users except local administrators.
Answer: True. With the Enforcement Properties Policy, you can configure the following settings:
■■ Whether Software Restriction Policies apply to all software files except DLLs or to all files including DLLs
■■ Whether Software Restriction Policies apply to all users or to all users except those who have accounts that are members of the local Administrators group
■■ Whether certificate rules are enforced or ignored

True or False? You can configure new executable file types through policy.
Answer: True. The Designated File Types Policy specifies which file extensions are treated as executable and which are therefore subject to Software Restriction Policies. You can modify the list of designated file types to include or exempt some executable file types, although some, such as .com, .exe, and .vbs, cannot be modified.
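The precedence described above, worked through as an added example that is not part of the book: a small Python model of how a Software Restriction Policy picks the winning rule, next to the AppLocker behavior in which any block rule overrides allow rules. The file names, publisher, hash strings, designated-type list and the tie-break are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

# Rule-type precedence for Software Restriction Policies as listed on this page
# (1 wins over 4); the default rule applies only when no rule matches.
SRP_RANK = {"hash": 1, "certificate": 2, "path": 3, "zone": 4}
# Designated file types for this model (constructed list, not the Windows default).
DESIGNATED = {".exe", ".com", ".vbs", ".bat", ".msi"}


@dataclass(frozen=True)
class Rule:
    kind: str    # "hash", "certificate", "path" or "zone"
    match: str   # hash value, publisher name, path, or zone name
    level: str   # SRP: "Unrestricted"/"Disallowed"; AppLocker: "Allow"/"Deny"


@dataclass(frozen=True)
class FileInfo:
    path: str
    sha256: str
    publisher: Optional[str] = None   # None means the file is unsigned
    zone: Optional[str] = None        # only meaningful for installer packages


def specificity(rule: Rule, f: FileInfo) -> int:
    """Return 0 if the rule does not match, otherwise how specific the match is."""
    if rule.kind == "hash":
        return 1 if rule.match == f.sha256 else 0
    if rule.kind == "certificate":
        return 1 if f.publisher is not None and rule.match == f.publisher else 0
    if rule.kind == "zone":
        return 1 if f.zone is not None and rule.match == f.zone else 0
    if rule.kind == "path":
        rp, fp = PureWindowsPath(rule.match), PureWindowsPath(f.path)
        # A deeper folder (more path components) is the more specific path rule.
        return len(rp.parts) if rp == fp or rp in fp.parents else 0
    return 0


def srp_decide(f, rules, default_level, is_admin=False,
               skip_admins=False, enforce_cert_rules=True):
    """Software Restriction Policy outcome for one file."""
    if PureWindowsPath(f.path).suffix.lower() not in DESIGNATED:
        return "Not subject to SRP"      # extension is not a designated file type
    if skip_admins and is_admin:
        return "Not enforced"            # enforcement set to all users except admins
    hits = [(r, specificity(r, f)) for r in rules
            if enforce_cert_rules or r.kind != "certificate"]
    hits = [(r, s) for r, s in hits if s > 0]
    if not hits:
        return default_level             # the default rule is the fallback
    # Winner: highest-precedence rule type, then the most specific match. A tie at
    # the same rank and depth goes to Disallowed (assumption of this model).
    best = min(hits, key=lambda h: (SRP_RANK[h[0].kind], -h[1],
                                    h[0].level != "Disallowed"))
    return best[0].level


def applocker_decide(f, rules):
    """AppLocker outcome: any matching Deny wins; no matching Allow means blocked."""
    matched = [r.level for r in rules if specificity(r, f) > 0]
    if "Deny" in matched:
        return "Deny"
    return "Allow" if "Allow" in matched else "Deny (no Allow rule)"


# Constructed sample data: paths, publisher and hash strings are made up.
APP = FileInfo(r"C:\Tools\Partner\report.exe", "aa11", publisher="Partner Ltd")
PATCHED = FileInfo(r"C:\Tools\Partner\report.exe", "bb22", publisher="Partner Ltd")
UNSIGNED = FileInfo(r"c:\tools\partner\helper.exe", "cc33")
NOTES = FileInfo(r"C:\Tools\notes.txt", "dd44")

SRP_RULES = [Rule("path", r"C:\Tools", "Disallowed"),
             Rule("certificate", "Partner Ltd", "Unrestricted")]
PATH_RULES = [Rule("path", r"C:\Tools", "Disallowed"),
              Rule("path", r"C:\Tools\Partner", "Unrestricted")]
HASH_RULES = [Rule("hash", "aa11", "Unrestricted")]
APPLOCKER_RULES = [Rule("path", r"C:\Tools", "Deny"),
                   Rule("certificate", "Partner Ltd", "Allow")]

if __name__ == "__main__":
    print("SRP, certificate vs path:", srp_decide(APP, SRP_RULES, "Disallowed"))
    print("AppLocker, same rules:   ", applocker_decide(APP, APPLOCKER_RULES))
    print("Hash rule after a patch: ", srp_decide(PATCHED, HASH_RULES, "Disallowed"))
```

The same pair of rules gives opposite results in the two models, and the patched file falls through to the default rule because its hash no longer matches.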

True or False? Certificate rules cover all applications digitally signed by the same vendor.
Answer: True. The difference between the Software Restriction Policy rules is as follows:
■■ Path Rules  You can specify a file, folder, or registry key as the target of a Software Restriction Policy. You can use wildcards with path rules. Path rules are specific, so if someone moves an executable to another location, the path rule no longer applies to that executable.
■■ Hash Rules  Hash rules use a cryptographic hash to identify a file. The file is identifiable even if it changes name and location. Applying a software update to a file means that the cryptographic hash needs to be recalculated.
■■ Certificate Rules  Identify files based on software publisher’s certificate. Multiple applications from a single publisher can be covered by a single rule. A certificate rule will allow all applications published by a vendor. Certificate rules can’t be used to differentiate between different applications supplied by the same vendor. Certificate rules still apply even when you apply software updates to files because these updates will be from the vendor, and the updated file will still be signed by the same publisher.
■■ Network Zone Rule  This rule applies to Windows Installer Packages (.msi files) obtained from Internet locations. Allows or blocks installation based on Internet zones location.

EXAM TIP  Remember that hash rules must be updated if you patch an application.

MORE INFO To learn more about Software Restriction Policies, consult the following webpage: http://technet.microsoft.com/en-us/library/dd349795(WS.10).aspx.

Setting Application Control Policies
You need to know how to configure AppLocker to control the execution of programs on computers running Windows 7.

True or False? You can use AppLocker Policies to block the execution of applications on computers running Windows 7 Professional.
Answer: False. You can use AppLocker Policies only with computers running Windows 7 Enterprise and Ultimate. You can apply AppLocker Policies to user or group accounts. AppLocker Policies can apply to the current and future versions of an application without needing maintenance.

True or False? Default rules are path rules.
Answer: True. Default rules are necessary because when you enable AppLocker, the built-in rule of last resort blocks the execution of any application, installer, or script that is not the subject of an existing Allow rule. You can create AppLocker default rules automatically. You create default rules by right-clicking the Executable Rules,

Windows Installer Rules, or Script Rules node and then clicking Create Default Rules. Default Rules are path rules. The default rules for each rule type are as follows:
■■ Default Executable Rules  The default executable rules are path rules. All users can execute all applications located in the Program Files folder and the Windows folder. Members of the local Administrators group also can execute any applications in any path. A user who is not a member of the local Administrators group still can’t directly run an application that requires elevated privileges.
■■ Default Windows Installer Rules  Everyone can use digitally signed Windows Installer files and all Windows Installer Files in the %systemdrive%\Windows\Installer folder. Members of the local Administrators group can run .msi and .msp files in any path. Allowing a user to run an installer file doesn’t mean that the user has permission to install software.
■■ Default Script Rules  All scripts in the Program Files and Windows folders can be executed, and members of the local Administrators group can run scripts in any path.

True or False? DLL rules cover files with the .msi and .msp extensions.
Answer: False. AppLocker rules work based on file extension. You can create AppLocker rules for the following types of files:
■■ Executable Rules  Apply to applications that use the .exe and .com extensions.
■■ Windows Installer Rules  Applies to files with the .msi and .msp extensions.
■■ Script Rules  Applies to files that use the .ps1, .bat, .cmd, and .js extensions. Use hash rules with scripts that are rarely modified. Use path rules with scripts that are frequently updated.
■■ DLL Rules  Applies to libraries that use the .dll and .ocx extensions. Not enabled by default. Enabling DLL rules will likely cause an impact on performance.

True or False? A path rule that blocks overrides a file hash rule that allows.
Answer: True. Explicitly defined Block rules always override Allow rules. This applies to publisher rules, path rules, or file hash rules. A path rule that blocks will override a publisher rule that allows. The exception to this is the AppLocker default Block rule. The default Block rule does not override explicitly defined Allow rules. You can use Block rules to block the execution of applications allowed through the Default rules. By default, AppLocker rules apply to Everyone, but you can configure them to apply to specific users or security groups.

True or False? Publisher rules can be created only for specific versions of executable files.
Answer: False. AppLocker rules can identify files using the following conditions:
■■ Publisher  Uses the publisher’s signing certificate extracted from the reference application file. It’s possible to use the following rule scopes:

• Any Publisher  Any digitally signed file.
• Publisher  Any file digitally signed by a specific publisher.
• Product Name  A specific product digitally signed by a specific publisher.
• File Name  A specific file name of a specific product digitally signed by a specific publisher.
• File Version  Specific version (or this version and higher) of a specific file name of a specific product signed by a specific publisher.
■■ Path  You can specify file location, folder, or folder and subfolders. The least secure type of AppLocker rule because an attacker might be able to move unauthorized executable into folder covered by scope of path rule if NTFS permissions have been incorrectly applied.
■■ File hash  Cryptographic hash of file. More manageable in AppLocker than they are in Software Restriction Policies because instead of having to manually generate a hash for each file, you can automatically generate hashes for all files. It is still necessary to update hash files for applications after applying software updates.

True or False? You can use a file hash to specify an exception to a path-based executable rule.
Answer: True. You use exceptions to allow specific applications to be exempt from more general rules. You can create exceptions for Block and Allow rules. You can use a different way of identifying rules when creating an exception. For example, you could use a path-based exception to a publisher-based rule.

True or False? You can configure AppLocker rules to use Audit mode.
Answer: True. AppLocker rules can be configured either for Enforcement or Auditing. Auditing means that users can still execute applications blocked by the rule, but an event will be written in the AppLocker Event Log, located in the Applications and Service Logs\Microsoft\Windows node of Event Viewer.

EXAM TIP  Remember the differences in what you can accomplish with AppLocker Policies and Software Restriction Policies.

MORE INFO To learn more about AppLocker, consult the following webpage: http://technet.microsoft.com/en-us/library/ee791916(WS.10).aspx.

Setting through Group Policy or Local Security Policy
You need to know when it is appropriate to configure AppLocker and Software Restriction Policies using domain-based Group Policy and when it is appropriate to use Local Security Policy.

True or False? You can configure AppLocker and Software Restriction Policies through the Local Security Policy editor.

Answer: True. You can configure both AppLocker and Software Restriction Policies through Group Policy applied when a computer is a member of an Active Directory Directory Services domain, through local Group Policy, or through Local Security Policy. AppLocker Policies are located in the Computer Configuration\Windows Settings\Security Settings\Application Control Policies node of a GPO. Software Restriction Policies are located in the Computer Configuration\Windows Settings\Security Settings\Software Restriction Policies node of a GPO.

MORE INFO To learn more about AppLocker Policies, consult the following webpage: http://technet.microsoft.com/en-us/library/ee449480(WS.10).aspx.

Can you answer these questions?
You can find the answers to these questions at the end of the chapter.
1. You want to block all applications written by a specific publisher on a computer running Windows 7 Professional. What steps should you take to accomplish this goal?
2. Several custom applications written by a partner organization need to run on your organization’s Windows 7 Enterprise computers. These applications are updated frequently. How can you ensure that these applications can be executed while also ensuring that other nonauthorized applications are still blocked? You must minimize the amount of time spent maintaining policies.
3. You want to block all applications written by a specific publisher except one on computers running Windows 7 Enterprise. What steps would you take to accomplish this goal?
4. Which tools can you use to configure AppLocker rules on stand-alone Windows 7 Enterprise computers functioning as kiosks?

Objective 3.4: Configure Internet Explorer
This objective requires you to demonstrate that you know how to configure and manage Internet Explorer. Although Windows 7 included Internet Explorer 8 as its default browser, in the intervening time, Internet Explorer 9 has been released. Internet Explorer 10 is likely to be available at around the time the next version of Windows client is released to manufacturing. At some point, the 70-680 exam is likely to be updated to reflect the newest version of Internet Explorer that is compatible with Windows 7. Keep this in mind when studying for the exam.

Exam need to know
■■ Configuring Compatibility View For example: How to configure Internet Explorer so that Compatibility View is disabled for intranet sites.

■■ Configuring security settings For example: How to configure zone settings.
■■ Configuring providers For example: How to configure Windows 7 so that users can use a different search provider.
■■ Managing add-ons For example: How to configure Windows 7 to allow only specific add-ons to be used with Internet Explorer.
■■ Controlling InPrivate mode For example: How to block users from being able to access InPrivate browsing.
■■ Certificates for secure websites For example: How to configure Internet Explorer to require use of TLS 1.2.

Configuring Compatibility View
You need to know how to manage the Internet Explorer Compatibility View functionality, including how to enable and disable it for different classes of websites.

True or False? With Compatibility View, Internet Explorer can properly display sites designed for previous versions of Internet Explorer.
Answer: True. With Compatibility View, users can view pages designed for previous versions of Internet Explorer, such as Internet Explorer 6. Users can switch to Compatibility View by clicking the broken page item in the address bar. You can view a list of sites for which you have enabled Compatibility View in the Compatibility View Settings dialog box. You can manually add and remove sites from this list. You can use this dialog box to choose to enable some or all of the following:
■■ Include a list of updated websites from Microsoft.
■■ Display all intranet websites in Compatibility View. This is a default option.
■■ Display all websites in Compatibility View.

True or False? You can configure a list of websites that should use Compatibility View for all computers running Windows 7 through Group Policy.
Answer: True. You can configure the policies in the \Administrative Templates\Windows Components\Internet Explorer\Compatibility View node.
■■ Turn on Internet Explorer 7 Standards Mode  Even though the policy mentions Internet Explorer 7, it also works with subsequent versions. It forces all sites to be displayed in Compatibility View.
■■ Turn Off Compatibility View  Disables Compatibility View.
■■ Turn Off Compatibility View Button  Disables the Compatibility View button.

■■ Include Updated Web Sites Lists From Microsoft  Uses updated lists of sites from Microsoft.
■■ Use Policy List Of Internet Explorer 7 Sites  A set of sites automatically added to the list of sites used with Compatibility View. Works with later versions of Internet Explorer. Users can add extra sites, but not remove any of the sites specified by this policy.

EXAM TIP  Remember that users can’t remove sites from the list of compatible sites configured through Group Policy.

MORE INFO To learn more about Compatibility View, consult the following webpage: http://windows.microsoft.com/en-US/windows7/How-to-use-Compatibility-Viewin-Internet-Explorer-9.

Configuring security settings
You need to know how to use security zones to control website functionality based on website addresses.

True or False? Adding a site to the Restricted Sites zone means that users can’t use Internet Explorer.
Answer: False. With zones, you can configure different security settings based on a website’s address. These security settings determine how Internet Explorer responds to content, such as ActiveX controls and scripts. The zones available in Internet Explorer on computers running Windows 7 are as follows:
■■ Internet  Applies to all websites by default. Not used for websites that are explicitly added to the Local Intranet, Trusted Sites, or Restricted Sites zones. Default setting is Medium High.
■■ Local Intranet  Default setting attempts to detect intranet sites based on site address and name. You can configure this site to automatically include local sites not listed in other zones, all sites that bypass the proxy server, and sites accessed by UNC address. The default setting is Medium.
■■ Trusted Sites  A special setting for sites that you explicitly trust not to damage your computer. The default setting is Medium.
■■ Restricted Sites  Does not block users from using the site, but does block the site from running scripted or active content. The default setting is High and cannot be changed.
You can configure all sites that use a specific zone to use Protected Mode. Protected Mode forces Internet Explorer to run as a low-integrity process that restricts the application from interacting with processes running at higher integrity levels. Protected Mode is enabled by default for the Internet and Restricted Sites zones.

MORE INFO To learn more about Internet Explorer security settings, consult the following webpage: http://windows.microsoft.com/en-US/windows7/Change-InternetExplorer-Security-settings.

The available security levels are Low, Medium-Low, Medium, Medium-High, and High. You can use the Custom Level button to configure settings for a security zone, modifying the default settings. You can tighten or loosen some security settings without having to switch to another setting completely.

EXAM TIP  Remember that you can’t modify the security level assigned to the Restricted Sites zone.

MORE INFO  To learn more about advanced Internet Explorer security settings, consult the following webpage: http://technet.microsoft.com/en-us/library/dd883248(WS.10).aspx.

Configuring providers
You need to know how to manage which search providers are used on computers running Internet Explorer on Windows 7.

True or False? You can configure an authorized list of search providers using Group Policy.
Answer: True. You can specify how you search for information on the Internet using the Internet Explorer 9 address bar. In Internet Explorer 9, users type a query directly into the address bar instead of into a specific search box, as was the case in previous versions. You can configure a list of providers using the following policy, located in the \Windows Components\Internet Explorer Group Policy node:
■■ Add A Specific List Of Search Providers To The User’s Search Provider List  You can add specific providers to the list, and users can add and remove providers as long as the provider is on the list.

MORE INFO To learn more about search providers, consult the following webpage: http://windows.microsoft.com/en-US/windows7/Search-with-the-Internet-Explorer9-Address-bar.

Managing add-ons
You need to know how to control which add-ons can and can’t be installed for Internet Explorer on computers running Windows 7.

True or False? You can block users from installing all unauthorized add-ons.
Answer: True. Add-ons enhance Internet Explorer’s functionality, often through providing extra toolbars. ActiveX controls are referred to as plug-ins. Search Providers, Accelerators, and Tracking Protection are also types of add-ons. You can manage add-ons by using the Manage Add-Ons dialog box and selecting the Toolbars And Extensions Add-On Type. You can configure add-ons through the following policies, located in the \Windows Components\Internet Explorer node:

■■ Disable Add-On Performance Notifications  Stops Internet Explorer from warning the user about add-ons that take more than an average amount of time to load.
■■ Automatically Enable Newly Installed Add-Ons  When enabled, new add-ons are active after installation. If the policy is disabled, users must provide consent to activate add-ons.
■■ Do Not Allow User To Enable Or Disable Add-Ons  You can block users from managing add-ons.
There are additional policies located in the \Windows Components\Internet Explorer\Security Features\Add-on Management node. These policies include the following:
■■ Add-On List  You can specify a list of add-ons that can be used with Internet Explorer.
■■ Deny All Add-Ons Unless Specifically Allowed In The Add-On List  You can block the use of add-ons unless they are specifically allowed in Internet Explorer.

MORE INFO To learn more about managing add-ons, consult the following webpage: http://windows.microsoft.com/en-US/windows7/Internet-Explorer-add-onsfrequently-asked-questions.

True or False? Accelerators are used with the text on a webpage.
Answer: True. Accelerators are a special kind of add-on that enable you to select text on a webpage and then perform a function based on that text, such as performing a translation to another language or querying a mapping website for a street address. Accelerators categories include these:
■■ Email  You can forward selected text into an email message.
■■ Map  You can use a mapping service to display a location based on a highlighted address.
■■ Translate  You can forward text to a translation service.
Accelerator Group Policy items are located in the \Windows Components\Internet Explorer\Accelerators node. You can configure the following accelerator-related policies:
■■ Deploy Non-Default Accelerators  You can deploy accelerators. Users cannot remove accelerators deployed through this policy.
■■ Deploy Default Accelerators  You can specify default accelerators. Although users can deploy additional accelerators, they can’t modify the default accelerators.
■■ Turn Off Accelerators  Disables all accelerators.
■■ Use Policy Accelerators  Limits accelerator use to those specified by Group Policy.

MORE INFO To learn more about managing accelerators, consult the following webpage: http://windows.microsoft.com/en-US/windows7/How-to-use-Accelerators-inInternet-Explorer-9.

Controlling InPrivate mode
You need to know how to manage InPrivate Filtering/Tracking Protection and InPrivate Browsing on computers running Windows 7.

True or False? InPrivate Browsing blocks users’ activity being recorded by proxy servers.
Answer: False. InPrivate Browsing limits what data is stored by the browser. When using InPrivate Browsing, the browser stores data, such as cookies provided when a user logs on to a site, during the session. When the session ends, Internet Explorer deletes that data. InPrivate Browsing does not stop proxy servers from recording a user’s browsing activity. Users trigger InPrivate Browsing by clicking InPrivate on the Tools menu.

MORE INFO To learn more about InPrivate browsing, consult the following webpage: http://windows.microsoft.com/en-US/windows7/InPrivate-frequently-askedquestions.

True or False? InPrivate Filtering/Tracking Protection allows you to block third parties from tracking browsing activity across multiple sites.
Answer: True. InPrivate Filtering restricts how information can be tracked by external third parties. It does this by analyzing web content. If the same content is detected across a configurable number of websites, you will be given a prompt asking you whether you want to allow or to block that content. You can also configure InPrivate Filtering to automatically block any content provider or third-party website without requiring a prompt. InPrivate Filtering was replaced by Tracking Protection with the release of Internet Explorer 9. Tracking Protection is a feature of Internet Explorer 9 that allows you to create a list that blocks content from specific websites that might affect your privacy because they track your web surfing activity across multiple websites. It builds on the functionality of InPrivate Filtering available in earlier versions of Internet Explorer.

MORE INFO To learn more about Tracking Protection, consult the following webpage: http://windows.microsoft.com/en-US/internet-explorer/products/ie-9/features/tracking-protection.

You can manage InPrivate Filtering, Tracking Protection, and InPrivate Browsing using the following Group Policies located in the Administrative Templates\Windows Components\Internet Explorer\Privacy node:
■■ Turn Off InPrivate Filtering  Disables InPrivate Filtering for computers running Internet Explorer 8.
■■ Turn Off InPrivate Browsing  Disables InPrivate browsing on computers running Internet Explorer.
■■ Turn Off Tracking Protection  Disables Tracking Protection on computers running Internet Explorer 9 or later.

■■ Do Not Collect InPrivate Filtering Data  Disables collection of private filtering data on computers running Internet Explorer 8.
■■ InPrivate Filtering Threshold  The number of different sites containing the same third-party content that triggers InPrivate Filtering on computers running Internet Explorer 8.
■■ Tracking Protection Threshold  The number of different first-party sites that a third-party item can reference before Tracking Protection is triggered.
■■ Disable Toolbars And Extensions When InPrivate Browsing Starts  Additional toolbars and extensions will be disabled in InPrivate Browsing sessions.

EXAM TIP  Remember that InPrivate Filtering and Tracking Protection are different versions of the same feature.

Certificates for secure websites
You need to know how to configure Internet Explorer to check the validity of certificates used to identify websites and protect secure sessions to websites.

True or False? You can configure Internet Explorer to check to see whether the signing certificate of the CA that issued the SSL certificate is valid.
Answer: True. Advanced Security Options related to certificates include the following:
■■ Check For Server Certificate Revocation  Determines whether the validity of SSL certificate on the web server is checked. Enabled by default.
■■ Check For Publisher’s Certificate Revocation  Determines whether the publishing server’s signing certificate is valid. Enabled by default.
■■ Check For Signatures On Downloaded Programs  Determines whether downloaded programs are digitally signed. Enabled by default.
■■ Warn About Certificate Address Mismatch  Performs a check to see whether website certificate matches website address. Enabled by default.
■■ Use SSL 2.0  Not enabled by default. Enable only if infrastructure does not support SSL 3.0 because there are security risks in using SSL 2.0.
■■ Use SSL 3.0  Enabled by default. It is a more secure version of SSL than 2.0.
■■ Use TLS 1.0  Enabled by default.
■■ Use TLS 1.1  A more secure version of TLS 1.0, defined in 2006. Includes protection against cipher block chaining attacks. Not enabled by default.
■■ Use TLS 1.2  A more secure version of TLS 1.1, defined in 2008. Not enabled by default.
You can view a list of Trusted Root Certification Authorities, Trusted Publishers, and Untrusted Publishers by clicking the Publishers button on the Content tab of Internet Options. You can configure Internet Explorer to trust a new Root CA by importing the CA certificate using this dialog box. You import code-signing certificates into the Trusted Publishers store when you want to trust digitally signed drivers or software from a specific vendor.

EXAM TIP  Remember what steps you can take to configure Internet Explorer to trust a new Root Certificate Authority.

MORE INFO To learn more about SSL certificates, consult the following webpage: http://windows.microsoft.com/en-US/windows7/Get-information-about-Secure-Sockets-Layer-SSL-certificates.

Can you answer these questions?
You can find the answers to these questions at the end of the chapter.
1. In which zone should you place sites if you want to minimize the chance of users being harmed by rogue scripts or ActiveX controls?
2. Which steps could you take to ensure that users can trust the SSL certificate used on a partner organization’s intranet if that SSL certificate was issued by that organization’s internal CA?
3. Which steps would you take to ensure that users can use only a specific set of authorized add-ons with Internet Explorer?
4. Which technology would you configure to block a specific third-party organization from tracking browsing activity across multiple sites for users of Internet Explorer 9?

Answers
This section contains the answers to the “Can you answer these questions?” sections in this chapter.

Objective 3.1: Configure devices
■■ You can’t roll back to version 2.1 because it wasn’t installed on the computer in the first place. You must uninstall version 2.2 of the driver and remove it from the driver store. You can then install version 2.1 of the device driver.
■■ A user who is not a member of the local Administrators group can roll back a device driver as long as the device class related to the device the driver is for is listed in the Allow Limited Users To Install Drivers For These Device Classes policy.
■■ You can use msinfo32.exe and Device Manager to view device resource conflicts.
■■ You can use Driver Verifier (verifier.exe) to stress-test a driver to determine whether it functions problematically in low-resource scenarios.

Objective 3.2: Configure application compatibility
1. You should use shims because using Windows XP mode would require an increase in the number of operating systems to which you need to apply software updates every month.

2. You could use Windows XP mode, or you could create and deploy a shim for the application. Either solution would resolve the problem.
3. Windows 7 Professional, Enterprise, and Ultimate support Windows XP mode.
4. The Internet Explorer Compatibility Test Tool.

Objective 3.3: Configure application restrictions
1. Configure a Software Restriction Policy Certificate rule.
2. Configure path rules either in Software Restriction Policies or AppLocker Policies.
3. Create an AppLocker Executable rule that uses a publisher certificate for file identification. Create an exception for the application you want to exempt.
4. You can use either the Local Group Policy Editor or the Local Security Editor to configure AppLocker Rules on stand-alone Windows 7 Enterprise computers functioning as kiosks.

Objective 3.4: Configure Internet Explorer
1. You place sites in the Restricted Sites zone if you want to block ActiveX controls and scripts from running on untrusted websites.
2. Add the certificate for the partner organization’s CA to the list of trusted Root CA in Internet Options.
3. Configure the Add-On List and Deny All Add-Ons unless specifically allowed in the Add-On List Policies. This will ensure that only authorized add-ons are run with Internet Explorer.
4. You configure Tracking Protection to block a specific third-party organization from tracking browsing activity across multiple sites for users of Internet Explorer 9.

Chapter 4
Configuring Network Connectivity

Approximately 14 percent of the 70-680 exam focuses on the topic of configuring network connectivity. That means that you need to have a good grasp of how to configure IPv4 and IPv6 addresses, network settings, Windows Firewall, Windows Firewall with Advanced Security, and remote management technologies.

This chapter covers the following objectives:
■■ Objective 4.1: Configure IPv4 network settings
■■ Objective 4.2: Configure IPv6 network settings
■■ Objective 4.3: Configure network settings
■■ Objective 4.4: Configure Windows Firewall
■■ Objective 4.5: Configure remote management

Objective 4.1: Configure IPv4 network settings
This objective requires you to demonstrate that you know how to configure IPv4 address settings so that computers running Windows 7 can interact with the LAN.

Exam need to know
■■ Connecting to a network For example: How to configure a wired network adapter to support 802.1X authentication.
■■ Configure name resolution For example: How to use command-line utilities to set a preferred DNS server.
■■ Setting up a connection for a network For example: How to configure Windows 7 to connect to a Bluetooth personal area network.

■■ Network locations
   For example: How to describe the different network locations used with Windows 7.
■■ Resolving connectivity issues
   For example: How to choose the appropriate tool to diagnose a connectivity problem.
■■ APIPA
   For example: How to determine when Windows 7 has been assigned an APIPA address.

Connecting to a network

You need to know how to configure a static IP address or how to configure Windows 7 to use a dynamic IP address.

True or False? A computer needs a dynamically assigned IP address to communicate on a LAN.

Answer: False. Computers running Windows 7 need an IP address to communicate on the local area network. This can be an IPv4 or an IPv6 address, and can be assigned dynamically or statically. Computers running Windows 7 use dynamic IP addresses by default. You will learn more about IPv6 later in this chapter. To configure an IPv4 address for a computer running Windows 7, perform the following steps:

1. Edit the network adapter’s properties.
2. Choose Internet Protocol Version 4 (TCP/IPv4) and then click the Properties button.
   To have IP address configuration assigned automatically, choose Obtain An IP Address Automatically.
   To specify a static IP address, choose Use The Following IP Address and then specify an IP address, subnet mask, and default gateway.

To configure an adapter’s IP address from an elevated command prompt, determine the adapter’s name, usually Local Area Connection, and then use the netsh interface ipv4 set address command. For example, to set the address 192.168.15.101 with the subnet mask 255.255.255.0 and the default gateway as 192.168.15.1 on adapter Local Area Connection, use the following command:

    Netsh interface ipv4 set address "Local Area Connection" static 192.168.15.101 255.255.255.0 192.168.15.1

To configure interface “Local Area Connection” to use Dynamic Host Configuration Protocol (DHCP), use the following command from an elevated command prompt:

    Netsh interface ipv4 set address "Local Area Connection" dhcp

True or False? A computer will use an APIPA address if it is configured to use a dynamically assigned address but cannot communicate with a DHCP server.

Answer: True. You can determine whether the DHCP server has responded to the client’s request for an IP address by checking the IP address configuration. If the computer has been assigned an APIPA address, the computer cannot contact the DHCP server. This may be because there is a problem with the physical network connection, such as a failed UTP drop cable between the computer and the wall point, a failure between the wall point and the switch, a switch failure, the failure of a router, or the failure of the DHCP server.

EXAM TIP  The default gateway address must be on the same IPv4 subnet as the adapter’s IPv4 address.

MORE INFO To learn more about IP address configuration, consult the following webpage: http://windows.microsoft.com/en-US/windows7/Change-TCP-IP-settings.

True or False? You can determine whether the Wired AutoConfig service is running by viewing a wired network adapter’s properties.

Answer: True. 802.1X authentication requires that the computer authenticate to the wireless access point or the wired switch before it can establish a connection to the network. 802.1X authentication usually requires a certificate or smart card. To configure a computer running Windows 7 to support 802.1X authentication on a wired network, perform the following steps:

1. Open the Services console. Start the Wired AutoConfig service and set it to start automatically. Starting the Wired AutoConfig service makes the Authentication tab available.
2. Edit the properties of the network connection that will be using 802.1X authentication.
3. Choose the appropriate network authentication method for the 802.1X network to which you will be connecting.

To use 802.1X authentication with wireless networks, open the Manage Wireless Networks console and edit the properties of the wireless network for which you want to configure 802.1X authentication. On the Security tab of the wireless network’s properties, choose the appropriate authentication method.

MORE INFO To learn more about configuring Windows 7 clients for 802.1X configuration, consult the following webpage: http://windows.microsoft.com/en-US/windows7/Enable-802-1X-authentication.

Configuring name resolution

You need to know how to configure name resolution for computers running Windows 7.

True or False? You can configure which DNS servers a client uses by using the Ipconfig.exe command-line utility.

Answer: False. You configure DNS resolution for computers running Windows 7 by setting preferred and alternate DNS servers. You can do this by editing the Internet Protocol Version 4 (TCP/IPv4) properties on the adapter properties in the GUI or by using the netsh interface ipv4 set dnsservers command. For example, to set the network adapter “Local Area Connection” to use the IP address 192.168.15.10 as the primary DNS server, run the following from an elevated command prompt:

    Netsh interface ipv4 set dnsservers "Local Area Connection" static 192.168.15.10 primary

In most organizations, DHCP servers provide clients with DNS server addresses. You can choose this option by editing the Internet Protocol Version 4 (TCP/IPv4) properties or by executing the following command from an elevated command prompt:

    Netsh interface ipv4 set dnsservers "Adapter Name" source=dhcp

True or False? Windows Internet Name Service (WINS) is used for NetBIOS name resolution.

Answer: True. You configure WINS resolution for computers running Windows 7 by editing the Internet Protocol Version 4 (TCP/IPv4) properties on the adapter properties in the GUI or by using the netsh interface ipv4 set winsserver command. For example, to set the network adapter “Local Area Connection” to use the IP address 192.168.15.100 as the WINS server, run the following from an elevated command prompt:

    Netsh interface ipv4 set winsserver "Local Area Connection" static 192.168.15.100

In most organizations, DHCP servers provide clients with the address of the WINS server. You can choose this option by editing the Internet Protocol Version 4 (TCP/IPv4) properties or by executing the following command from an elevated command prompt:

    Netsh interface ipv4 set winsserver "Adapter Name" source=dhcp

EXAM TIP  Remember the difference between WINS and DNS. WINS resolution enables the translation of IP addresses into NetBIOS names. DNS resolution enables the translation of IP addresses into fully qualified domain names (FQDNs) and FQDNs into IP addresses.

MORE INFO To learn more about configuring name resolution from the command line, consult the following webpage: http://technet.microsoft.com/en-us/library/cc731521(WS.10).aspx.

and whether the wireless access point distributes IP addresses. configure wireless access point settings such as network name. password. You’ll learn more about creating VPN connections in Chapter 6. Connect To A Workplace  You can create a dial-up or VPN connection. broadband. Manually Connect To A Wireless Network  You can set up a connection to a hidden wireless network or to create a new wireless profile.” Set Up A Dial-Up Connection  You can connect to the Internet by setting up a modem. Set Up A New Network You can configure a new router or wireless access point.Setting up a connection for a network You need to know how to set up wired and wireless network connections using the Set Up A Connection Or Network Wizard. You can use the Set Up A Connection Or Network Wizard to set up different types of network connections for computers running Windows 7. Network locations You need to know the available network locations that you can assign to Windows 7 network interfaces. Set Up A Wireless Ad Hoc (Computer To Computer) Network  You can set up a temporary network for sharing an Internet connection or files. and phone number. authentication scheme. Configuring Network Connectivity  Chapter 4 69 . gives you the following options: ■■ ■■ ■■ ■■ ■■ ■■ ■■ Connect To The Internet  You can configure a connection to the Internet using a wireless network. consult the following webpage: http://windows.microsoft. MORE INFO To learn more about connecting to a Bluetooth PAN. It is available only if the computer has a wireless adapter. Answer: True. The Set Up A Connection Or Network Wizard. For example. Connect To A Bluetooth Personal Area Network (PAN)  You can set up a connection to a Bluetooth device or network.com/en-US/windows7/Connect-to-a-Bluetooth-personal-area-network-PAN. For example. or dial-up connection. password. if you directly connect a DSL modem to your computer. available through the Network and Sharing Center. “Configuring Mobile Computing. 
It is available only if the computer running Windows 7 has Bluetooth capability. you will be able to provision that modem with a user name. True or False? Windows 7 supports setting up a PAN across Bluetooth connections.

True or False? Administrators can manually configure the networks Windows 7 assigns to the domain network location.

Answer: False. You can differentiate networks based on their characteristics, so you can configure rules for Windows Firewall and Windows Firewall with Advanced Security (WFAS) that will apply to some network types and not others. You will learn about Windows Firewall and WFAS later in this chapter. Windows 7 remembers the properties of networks, so that once you assign a network type to a particular connection, the same network type will be assigned to the connection in the future. Windows 7 supports the following network locations:

■■ Domain  Profile is used when the computer is joined to an Active Directory domain. It is assigned to adapters, including VPN and DirectAccess connections, where Windows 7 detects a domain controller. You cannot apply this profile manually. Generally the most permissive profile.
■■ Home/Work (Private)  A manually selectable location type used for networks that are indirectly connected to the Internet. Network is assumed to be secure, but not as permissive as the domain profile. Can be set manually.
■■ Public  Used with insecure networks, including direct connections to the Internet and public access points. This profile is least permissive. Can be set manually.

Windows 7 supports more than one active network location type at a time. Supporting more than one active location means that multiple profiles can be functioning at the same time. Computers running earlier versions of Windows support only one active network location type and apply the most restrictive profile when they detected multiple networks.

MORE INFO To learn more about network location awareness, consult the following webpage: http://technet.microsoft.com/en-us/library/cc753545(WS.10).aspx.

Resolving connectivity issues

You need to know which diagnostic tools you can use to diagnose and resolve network connectivity issues.

True or False? You can use the ipconfig command to determine whether a DHCP server has provided the computer with an IP address.

Answer: True. Windows 7 includes a large number of command-line utilities that can be used to diagnose network connectivity problems.

■■ Ipconfig  Displays the IP address configuration, MAC address, and DNS server address. You can use the following options in diagnosing and resolving network connectivity issues:
   • ipconfig /all  To determine whether the computer has been correctly assigned an IP address from a DHCP server and to determine the default gateway.

   • ipconfig /release  To release the currently leased address.
   • ipconfig /renew  To renew the currently leased address.
   • ipconfig /flushdns  To flush the DNS resolver cache.
■■ Ping  You can check point-to-point connectivity between computers running Windows 7. Use the -4 parameter to ensure that you are using IPv4 with Ping. If you can’t ping a specific network host on a remote network, attempt to ping the default gateway address that you obtained running the ipconfig /all command.
■■ Tracert  You can see the path taken from the computer running Windows 7 to a destination host. You can determine if there is a problem between the computer running Windows 7 and the destination host, such as a failed router.
■■ Pathping  A tool that combines the functionality of Ping and Tracert. You can view the reliability of each hop on the path between two hosts. Useful if you want to determine whether a specific router is suffering reliability problems.
■■ Nslookup  You can check the resolution of FQDN to IP address and IP address to FQDN. Use Nslookup when you suspect that connectivity problems might be caused by DNS problems. Use the command ipconfig /flushdns to flush the DNS resolver cache before attempting to use Nslookup.
■■ Arp  You can view the Address Resolution Protocol (ARP) cache. The ARP cache stores IP addresses and their resolved Ethernet addresses, also known as MAC address. Use it to determine whether Windows 7 can resolve the Ethernet addresses of other computers on the LAN.
■■ Netstat  Displays all active TCP connections. This tool can also display Ethernet statistics and the IP routing table.
■■ Route  You can view and modify the computer’s routing table.

MORE INFO To learn more about troubleshooting and testing network connections, consult the following webpage: http://technet.microsoft.com/en-us/library/dd163567.aspx.

True or False? The Network Troubleshooter can automatically diagnose and repair common network problems.

Answer: True. The Network Troubleshooter provides a user-friendly interface for diagnosing network problems. With Network Troubleshooter, non-IT professionals can resolve common network problems. The Network Troubleshooter performs common network troubleshooting tasks, such as attempting to renew a DHCP lease automatically. Network Troubleshooter can diagnose problems with the following:

■■ Internet Connections
■■ Shared Folders
■■ HomeGroup

■■ Network Adapter
■■ Incoming Connections
■■ Connection To A Workplace Using DirectAccess

Network Troubleshooter is most useful for help desk support staff who can use it as first steps in a network troubleshooting routine during a support call. Users do not need to be members of the local Administrators group to use Network Troubleshooter. Each time Network Troubleshooter runs, it generates a problem report. IT professionals can reference this report when performing a more thorough fault diagnosis.

EXAM TIP  The exam is more likely to ask you about diagnosing problems with specific utilities than to ask you about the Network Troubleshooter.

MORE INFO To learn more about basic troubleshooting techniques, consult the following webpage: http://windows.microsoft.com/en-US/windows7/Using-the-Networktroubleshooter-in-Windows-7.

APIPA

You need to know how to determine whether the computer has been assigned an APIPA address and what modifications to make to Windows 7 to block APIPA address assignment.

True or False? A computer that has the IPv4 address 192.168.169.254 is using an APIPA address.

Answer: False. Windows 7 computers that can’t obtain a dynamically configured IPv4 address from a DHCP server use APIPA addresses. APIPA addresses fall in the range 169.254.0.1 to 169.254.255.254. This can occur for a multitude of reasons, from the DHCP server not being functional to problems with the network adapter or intervening network infrastructure. You can use APIPA addresses to allow computers running Windows 7 on a LAN to communicate when no DHCP server is present. Computers with APIPA addresses can’t use that address to send and receive traffic from hosts on the Internet. You can resolve the situation either by setting an address manually or resolving the issue that blocked the dynamic address from being allocated.

You can disable APIPA on a computer running Windows 7 by editing the registry and adding the DWORD key IPAutoConfigurationEnabled, and setting the value to 0x0 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\AdapterGUID, where AdapterGUID is the GUID of the specific network adapter.

EXAM TIP  Remember that an APIPA address indicates that a computer that has a dynamically assigned IP address can’t receive an address from DHCP.

MORE INFO To learn more about APIPA, consult the following webpage: http://msdn.microsoft.com/en-us/library/aa505918.aspx.
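The two checks this objective keeps returning to (an APIPA address means no DHCP lease was obtained, and the default gateway must be on the adapter's own IPv4 subnet) can be run over saved ipconfig /all output. This is an added example, not from the book; the sample output is constructed, and parse_ipconfig and triage are hypothetical names.

```python
import ipaddress
import re

# APIPA host range 169.254.0.1 to 169.254.255.254 is the 169.254.0.0/16 network.
APIPA = ipaddress.ip_network("169.254.0.0/16")

# Constructed sample laid out like `ipconfig /all` on Windows 7 (not captured output).
SAMPLE = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : KIOSK-01

Ethernet adapter Local Area Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.15.101(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.15.1

Ethernet adapter Local Area Connection 2:

   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration IPv4 Address. . : 169.254.12.34(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :

Ethernet adapter Local Area Connection 3:

   DHCP Enabled. . . . . . . . . . . : No
   IPv4 Address. . . . . . . . . . . : 10.10.0.101(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.1.1
"""

ADAPTER_RE = re.compile(r"^\S.*? adapter (.+):\s*$")
# Field lines are indented: a label, dot leaders, a colon, then the value.
FIELD_RE = re.compile(r"^\s+([A-Za-z0-9 \-]+?)[ .]*:\s*(.*)$")


def parse_ipconfig(text):
    """Split ipconfig output into one {'name', 'fields'} dict per adapter."""
    adapters, current = [], None
    for line in text.splitlines():
        header = ADAPTER_RE.match(line)
        if header:
            current = {"name": header.group(1), "fields": {}}
            adapters.append(current)
            continue
        field = FIELD_RE.match(line)
        if field and current is not None:  # ignore the global section
            current["fields"][field.group(1)] = field.group(2).strip()
    return adapters


def triage(text):
    """Flag APIPA addresses and default gateways that are off the adapter's subnet.

    Assumption: each field holds a single value on one line; adapters that
    list several gateways on continuation lines are not handled here.
    """
    report = []
    for adapter in parse_ipconfig(text):
        f = adapter["fields"]
        raw = f.get("IPv4 Address") or f.get("Autoconfiguration IPv4 Address")
        if not raw or "Subnet Mask" not in f:
            continue  # disconnected or IPv6-only adapter
        iface = ipaddress.ip_interface(raw.split("(")[0] + "/" + f["Subnet Mask"])
        findings = []
        apipa = iface.ip in APIPA
        if apipa:
            findings.append("APIPA address: no DHCP lease was obtained")
        gateway = f.get("Default Gateway", "")
        if gateway and ipaddress.ip_address(gateway) not in iface.network:
            findings.append("default gateway %s is outside %s" % (gateway, iface.network))
        report.append({"name": adapter["name"], "address": str(iface.ip),
                       "apipa": apipa, "findings": findings})
    return report


if __name__ == "__main__":
    for entry in triage(SAMPLE):
        print(entry["name"], entry["address"], entry["findings"] or "ok")
```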

Can you answer these questions?

You can find the answers to these questions at the end of the chapter.

1. Which service must you configure to allow Windows 7 clients to use 802.1X authenticated wired connections?
2. What is the APIPA address range?
3. What command would you use to assign the IP address 10.10.0.101 that uses the subnet mask 255.255.255.0 and default gateway 10.10.0.1 to the “Local Area Connection” interface?
4. What command would you use to configure the interface “Local Area Connection” to use DHCP to obtain the address of DNS servers?

Objective 4.2: Configure IPv6 network settings

This objective requires you to demonstrate that you know how to configure IPv6 name resolution, network connections, and network locations, and how to resolve connectivity issues.

Exam need to know
■■ Configuring name resolution
   For example: How to configure Windows 7 with the IPv6 address of a DNS server.
■■ Connecting to a network
   For example: How to configure Windows 7 with an IPv6 address using the command line.
■■ Setting up a connection for a network
   For example: How to connect to networks that require certificate-based authentication.
■■ Network locations
   For example: How to know which network location is associated with a global unicast IPv6 address.
■■ Resolving connectivity issues
   For example: How to choose the appropriate tool to diagnose IPv6 connectivity problems.
■■ Link local multicast name resolution
   For example: How to determine when Windows 7 will use link-local multicast name resolution.

Configuring name resolution

You need to know how to configure IPv6 name resolution for computers running Windows 7.

aspx. but deprecated by RFC 3879. You can’t configure WINS name resolution for IPv6.com/en-us/library/cc753156(WS. • Site-local  Address prefix fec0::/10. You can configure a preferred and alternate DNS server that has an IPv6 address by editing the properties of a network adapter and then opening the Internet Protocol Version 6 (TCP/IPv6) Properties dialog box. Used in the same way as a public IPv4 address for communication across the Internet. Windows 7 supports the following types of unicast addresses: • Global   Address prefix 2000::/3. Used when IPv6 addresses are not automatically configured. • Link-local   Address prefix fe80::/64. IPv6 generally uses auto-configured IP addresses. Used in the same way as private IP address space. You can also configure IPv6 DNS server configuration using the netsh interface IPv6 add dnsserver command from an elevated command prompt. to remove DNS server FEC0:0:0:FFFF::1 from the “Local Area Connection” interface. Answer: True. IPv6 name resolution works in a similar manner to IPv4 name resolution. Can also start with a 3000::/3. Use unique local addresses instead of site-local. EXAM TIP  WINS only uses IPv4 and does not use IPv6. use the following command: Netsh interface ipv5 delete dnsserver “Local Area Connection” FEC0:0:0:FFFF::1 MORE INFO To learn more about configuring IPv6 from the command line. Connecting to a network You need to know how to configure an adapter to use an automatically assigned or static IPv6 address. Configuring the provision of IPv6 addresses usually occurs through the configuration of routers or DHCP servers. consult the following webpage: http://technet. There are three types of IPv6 addresses: ■■ Unicast Address used by a single network interface. Answer: False. True or False? Unique local IPv6 addresses use the address prefix fc00::/7.True or False? You can use the Netstat command-line utility to configure IPv6 name resolution on a computer running Windows 7. Can also start with Fed0::/10. 
For example.microsoft. For example. 74 Chapter 4  Configuring Network Connectivity . use this command: Netsh interface ipv6 add dnsserver “Local Area Connection” FEC0:0:0:FFFF::1 You can use netsh to delete a DNS server for a configured interface. to add a DNS server with the IP address FEC0:0:0:FFFF::1 to the “Local Area Connection” interface. Used in the same way as an IPv4 APIPA address for traffic on the same network that will not be routed.10).

   • Unique local  Address prefix fc00::/7. Can also start with fd00::/7. Used in the same way as private IP address space. Routable within the organization.
■■ Multicast  Used by multiple nodes across the network and uses the FF prefix.
■■ Anycast  Used by multiple nodes, but traffic only received by nearest node to transmission according to routing metrics.

EXAM TIP  Remember IPv6 address prefixes for unicast addresses.

To configure a network interface to use a static or automatically assigned IPv6 address, perform the following steps:

1. Edit the properties of a network adapter. Select the Internet Protocol Version 6 (TCP/IPv6) Properties dialog box and then click Properties.
   ■■ To get IP address settings automatically, select Obtain An IPv6 Address Automatically.
   ■■ To use a static IPv6 address, choose Use The Following IPv6 Address and enter the IPv6 address, subnet prefix length, and default gateway.

To configure IPv6 addresses for interfaces from an elevated command prompt, use the netsh interface ipv6 add address command. For example, to add the address FC80::3 to the “Local Area Connection” interface, use this command:

    Netsh interface ipv6 add address "Local Area Connection" FC80::3

MORE INFO To learn more about configuring Windows 7 to use an IPv6 address, consult the following webpage: http://windows.microsoft.com/en-US/windows7/Change-TCP-IP-settings.

True or False? IPv6 addresses can be automatically configured based on router advertisements.

Answer: True. Unlike IPv4, which uses DHCP servers to dynamically assign IP addresses, IPv6 uses auto-configuration to provision clients with addresses. IPv6 supports two different types of auto-configuration:

■■ Stateful Auto-configuration  Uses a DHCP server to provision clients with IPv6 addresses. Suitable for organizational networks.
■■ Stateless Auto-configuration  Uses router advertisements to inform hosts of appropriate IPv6 address prefix. Suitable for small organizations and individuals.

EXAM TIP  Remember the difference between stateful and stateless auto-configuration.

MORE INFO  To learn more about IPv6 auto-configuration, consult the following webpage: http://msdn.microsoft.com/en-us/library/ms172318.aspx.

Setting up a connection for a network

You need to know how to set up a connection for an IPv6 network.

True or False? You can specify an IPv6 address as the destination Internet address when setting up a VPN connection.

Answer: True. Setting up a connection for a network uses the same process whether the network uses IPv4, IPv6, or both network-addressing schemes. For example, when setting up a VPN connection you can use an FQDN, IPv4, or IPv6 address as the destination Internet address. To set up a connection or network, use the Set Up A Connection Or Network Wizard and choose one of the following options:

■■ Connect To The Internet
■■ Set Up A New Network
■■ Manually Connect To A Wireless Network
■■ Connect To A Workplace
■■ Set Up A Dial-Up Connection
■■ Set Up A Wireless Ad Hoc (Computer To Computer) Network
■■ Connect To A Bluetooth Personal Area Network (PAN)

Network locations

You need to know which network profiles are used by IPv6 networks.

True or False? IPv6-only networks use the same network profiles as IPv4-only networks.

Answer: True. A computer uses the same network locations independently of whether it is connecting to an IPv4 network, an IPv6 network, or a network that supports both IPv4 and IPv6. These network locations are as follows:

■■ Domain  Profile is used with network adapters when Windows 7 determines that an Active Directory domain controller is directly contactable. This profile cannot be applied manually.
■■ Home/Work (Private)  A manually selectable location type used for networks that are indirectly connected to the Internet, such as those that use link-local or unique unicast addresses.
■■ Public  Used when the adapter is assigned an IPv6 global unicast address or when connecting to a potentially hostile network.

MORE INFO To learn more about IPv6 and network profiles, consult the following webpage: http://technet.microsoft.com/en-us/network/bb545475.

Resolving connectivity issues

You need to know which tools you can use to resolve IPv6 connectivity issues.

True or False? The Nslookup utility cannot be used to resolve the IPv6 addresses of fully qualified domain names.

microsoft. EXAM TIP  Remember that LLMNR is used on the local network segment when DNS is not present or DNS cannot be used to successfully resolve a name. LLMNR sends a link-local scope name request message to IPv6 multicast address FF02::1:3.com). Tracert You can see the path taken from the computer running Windows 7 to a destination host. EXAM TIP  Remember that most of the tools that work for diagnosing problems on IPv4 networks will work on IPv6 networks.contoso. Computers running Windows 7 will fall back to using an LLMNR query if they can’t resolve a name to an IP address through a DNS query.aspx. Use the -6 option to force IPv6 (for example. Configuring Network Connectivity  Chapter 4 77 . consult the following webpage: http://technet.aspx. Use the -6 parameter to ensure that you are using IPv6 with Ping (for example. Use the -6 option with IPv6 (for example. MORE INFO To learn more about LLMNR. Ping You can check point-to-point connectivity between computers running Windows 7 and another host. tracert -6 www. pathping -6 www. Use Ipconfig to determine if the computer is using an appropriate IP address. You can view the path between two hosts and the reliability of each hop in that path.com/en-au/library/bb878128. Nslookup You can check the resolution of FQDN to IP address and IP address to FQDN.contoso.com). Pathping A combination of the Ping and Tracert tools. Link local multicast name resolution You need to know the situations in which link-local multicast name resolution (LLMNR) will be used by computers running Windows 7.contoso.com). True or False? LLMNR is never used if a Windows 7 client is configured with the IPv6 address of a DNS server. LLMNR is a protocol that allows IPv6 (and IPv4) hosts to perform name resolution on the local network segment without forwarding a query to a DNS server. ping -6 www.Answer: False. MORE INFO To learn more about network troubleshooting tools. 
consult the following webpage: http:// technet.com/en-us/magazine/ee924647. All Windows 7 clients listen on this address and respond when their host name matches the name request.contoso. The tools that you use to diagnose IPv4 problems also work with IPv6. nslookup –q=aaaa www.microsoft. Answer: False. Use the –q=aaaa option to return only IPv6 addresses (for example.com). You can use the following tools to diagnose IPv6 connectivity issues: ■■ ■■ ■■ ■■ ■■ Ipconfig Displays the IP address configuration.

Can you answer these?

You can find the answers to these questions at the end of the chapter.

1. What is the address prefix of a global unicast address?
2. What is the address prefix of a link-local address?
3. What is the address prefix of a unique local address?
4. Which protocol allows IPv6 name resolution on the local network segment without the presence of a DNS server?

Objective 4.3: Configure network settings

This objective requires you to demonstrate that you know how to add a wired or wireless device, connect automatically to a wireless network, configure network security settings, set preferred wireless networks, configure network adapters, and configure location-aware printing.

Exam need to know
■■ Adding a physically connected (wired) or wireless device
   For example: How to configure a Windows 7 client to discover a new storage device added to the network.
■■ Connecting to a wireless network
   For example: How to list available wireless networks from the command line.
■■ Configuring security settings on the client
   For example: How to configure 802.1x settings for network connections.
■■ Set preferred wireless networks
   For example: How to configure Windows 7 to use one network over another when multiple networks are available.
■■ Configuring network adapters
   For example: How to enable and disable clients, protocols, and services on a per-network adapter basis.
■■ Configuring Location Aware printing
   For example: How to configure Windows 7 to use a different default printer depending on which network the client connected to.

Adding a physically connected or wireless device

You need to know what steps to take to add a device, such as a storage device or printer, to an existing wired or wireless network.

True or False? You can see connected devices through View Network Computers And Devices on a Windows 7 client when Network Discovery is disabled.

Many devices. EXAM TIP  Remember that you must enable Network Discovery on the Windows 7 client for devices on the network to be visible in View Network Computers And Devices. switch. Use the View Network Computers And Devices item in Windows 7 to verify the presence of the device on the network. perform the following steps: 1. To add a wireless device to the network. verify that you have enabled Network Discovery. consult the following webpage: http://windows. such as network storage devices. network-enabled printers.com/en-US/windows7/Add-a-deviceor-computer-to-a-network. 2. Wireless devices require more configuration to add to an existing network because you will need to provide them with the details and authentication credentials for the wireless network. MORE INFO To learn more about adding devices or computers to a network. turn on Network Discovery through the Advanced Sharing Settings item in the Network And Sharing Center. Connect the device to a hub. On your Windows 7 client. 3. Power on the device. If the device is not visible. Power on the device. If the device is not visible. True or False? You can view available wireless networks from the command prompt. Set Up A Connection Or Network Wizard  You can choose to connect to a wireless network from Network and Sharing center. Configuring Network Connectivity  Chapter 4 79 . perform the following steps: 1. Configure the device to join a wireless network according to the instructions that shipped with the device. can be discovered by Windows 7 once they are connected to the same network segment. 3. Windows 7 clients can connect to wireless networks using the following methods: ■■ ■■ Network notification area icon  Click this icon to connect from the Windows 7 taskbar. Answer: True. You should be able to connect to the device. such as a storage device or network printer. To add a physically connected device to the network.Answer: False. in the Search Programs And Files text box on the Start menu. 
You can use this method to prepopulate wireless networks without having to initiate a connection. type View Network Computers And Devices.microsoft. and network scanners. 2. such as a wireless printer or storage device. or router using a network cable. Connecting to a wireless network You need to know how to configure a Windows 7 client to connect to a wireless network.

■■ Manage Wireless Networks dialog box  You can add new wireless networks or delete existing remembered wireless network connections. You can use this method to prepopulate wireless networks without having to initiate a connection. You can use this method to create an ad hoc wireless network.
■■ Netsh wlan command-line utility  You can view and join wireless networks from the command line. For example, the command Netsh wlan show networks displays available wireless networks.
■■ Group Policy  Administrators can specify wireless network settings for domain-joined computers.

To connect to a network that is not broadcasting its SSID, you must specify the SSID name. You can do this by choosing the Other Network option when connecting from the taskbar or through the Manually Connect To A Wireless Network option in Set Up A Connection Or Network.

Windows 7 supports the following wireless access point security types:

■■ No Authentication (Open)  Open system authentication. No traffic encryption.
■■ WEP  Open system authentication with Wired Equivalent Privacy (WEP). Uses WEP for traffic encryption.
■■ WPA-Personal  WPA with a preshared key. Can use AES or TKIP to encrypt traffic.
■■ WPA2-Personal  WPA2 with a preshared key. Can use AES or TKIP to encrypt traffic.
■■ WPA-Enterprise  Wi-Fi Protected Access (WPA) with IEEE 802.1X authentication. Can use AES or TKIP to encrypt traffic.
■■ WPA2-Enterprise  WPA2 with IEEE 802.1X authentication. Can use AES or TKIP to encrypt traffic.
■■ 802.1x  IEEE 802.1X authentication with WEP. Also known as dynamic WEP. Uses WEP for traffic encryption.

EXAM TIP  WPA2-Personal is the strongest wireless security method you can use with a preshared key.

MORE INFO To learn more about connecting to wireless networks, consult the following webpage: http://technet.microsoft.com/en-us/library/ff802404.aspx.

Configuring security settings on the client

You need to know how to configure security settings such as 802.1X authentication on network connections.

True or False? Wired network connections on Windows 7 clients are enabled for 802.1X authentication by default.
Answer: False. As you learned earlier, you can configure 802.1X authentication when connecting to authenticating switches in secure environments. With 802.1X authentication, you can limit network access to clients that have performed authentication.

EXAM TIP  Remember that you need to enable 802.1X authentication for wired network connections by configuring the Wired AutoConfig service.

When this service is active, the Authentication tab becomes available on a network adapter’s properties. On the Authentication tab, you can configure the following settings:
■ Enable IEEE 802.1X authentication
■ Choose A Network Authentication Method
  • Microsoft: Smart Card Or Other Certificate
  • Microsoft: Protected EAP (PEAP)
■ Remember My Credentials For This Connection Each Time I’m Logged On
■ Fallback To Unauthorized Network Access

True or False? You can configure 802.1X authentication to use either user or computer authentication.
Answer: True. By configuring Advanced Settings on the Authentication tab of a network adapter’s properties, you can configure the following advanced settings:
■ Specify Authentication Mode  Used when you want to configure specific types of 802.1X authentication. You can choose between the following:
  • User Or Computer Authentication  User or computer can perform 802.1X authentication.
  • Computer Authentication  Computer credentials are used for 802.1X authentication.
  • User Authentication  User credentials are used for 802.1X authentication.
  • Guest Authentication  Allows limited guest access to the network.
■ Enable Single Sign On For This Network  Determines how single sign in functions with 802.1X authentication. You can configure the following single sign in options:
  • Perform Immediately Before User Logon
  • Perform Immediately After User Logon
  • Maximum Delay
  • Allow Additional Dialogs To Be Displayed During Single Sign On
  • This Network Uses Separate Virtual LANs for Machine And User Authentication

MORE INFO  To learn more about 802.1X authentication, consult the following webpage: http://technet.microsoft.com/en-us/library/cc730878(WS.10).aspx.

Set preferred wireless networks
You need to know how you can configure a Windows 7 client to connect to one wireless network in preference over another when both are in range.

True or False? You can configure a Windows 7 client to connect to a particular wireless network when more than one wireless network that you regularly connect to is available.
Answer: True. You can configure Windows 7 to remember the credentials that you use to connect to different wireless networks. When the Windows 7 client is in range of one or more existing networks for which credentials are stored, it connects to the preferred wireless network. You can use the Manage Wireless Networks dialog box to set preferred wireless networks, with wireless networks toward the top of the list preferred over wireless networks lower on the list.

EXAM TIP  Remember that wireless networks closer to the top of the list have higher priority than wireless networks farther down the list.

MORE INFO  To learn more about preferred wireless networks, consult the following webpage: http://windows.microsoft.com/en-US/windows7/View-your-preferred-wireless-networks.

Configuring network adapters
You need to know how to enable and disable Clients, Services, and Protocols on a per-network adapter basis.

True or False? IPv6 is disabled by default on all network adapters.
Answer: False. By editing the network adapter properties, you can configure existing Clients, Services, and Protocols or install a new Client, Service, or Protocol. Network adapters in Windows 7 come with the following clients and protocols enabled:
■ Client For Microsoft Networks  A client can access resources on Microsoft networks.
■ QoS Packet Scheduler  Enables network traffic control, including rate-of-flow and traffic prioritization.
■ File And Printer Sharing For Microsoft Networks  Enables the Windows 7 client to share files and printers.
■ Internet Protocol Version 6 (TCP/IPv6)  Enables the computer to use IPv6. Click Properties to configure IPv6 address configuration.
■ Internet Protocol Version 4 (TCP/IPv4)  Enables the computer to use IPv4. Click Properties to configure IPv4 address configuration.
■ Link-Layer Topology Discovery Mapper I/O Driver  Enables the Windows 7 client to discover network infrastructure components such as other clients and devices.
■ Link-Layer Topology Discovery Responder  Enables the Windows 7 client to be discovered on the network.

Although all these items are enabled by default, it is possible to disable them when necessary. You can add additional clients for third-party network operating systems using this dialog box. You can configure the authentication options of a network adapter only if the Wired AutoConfig service is started.

EXAM TIP  Remember that both the Link-Layer Topology Discovery Mapper I/O Driver and the Link-Layer Topology Discovery Responder must be enabled for the computer to be able to discover and be discovered on the LAN.

Configuring Location Aware Printing
You need to know what steps to take to configure a computer running Windows 7 to use a different default printer when connected to different networks.

True or False? Windows 7 Professional edition supports Location Aware Printing.
Answer: True. With Location Aware Printing, Windows 7 clients can use a different default printer depending on the network to which they connect. The Professional, Enterprise, and Ultimate editions of Windows 7 support Location Aware Printing. Default printers are associated with network names. You configure default printers for each network name using the Manage Default Printers dialog box, which is accessible through the Devices And Printers Control Panel item.

EXAM TIP  Location Aware Printing is useful for computers that are regularly moved to different locations, such as an employee who works at different branch office locations during the week.

MORE INFO  To learn more about Location Aware Printing, consult the following webpage: http://technet.microsoft.com/en-us/library/ee424302(WS.10).aspx.

Can you answer these questions?
You can find the answers to these questions at the end of the chapter.
1. You have a laptop computer running Windows 7. What technology should you configure to ensure that your default printer used in your home office is different than the default printer used at your place of work?
2. A Windows 7 client has a single network adapter. Which service needs to be enabled on the network adapter’s properties to ensure that other clients on the network can access the client’s shared folders and printer?
3. Your office has three wireless networks: Alpha, Beta, and Gamma. How can you ensure that your computer connects to wireless network Gamma when all three networks are in range?
4. You have added a new network storage device to your wired home network. The device is visible in View Network Computers And Devices on one Windows 7 client, but not on another. Both clients are running Windows 7 Ultimate. What change should you make to ensure that the device is visible on the second Windows 7 client?

Objective 4.4: Configure Windows Firewall
This objective requires you to demonstrate that you know how to configure Windows Firewall and WFAS to support inbound and outbound connections to specific programs, services, and with specific ports. You should also be able to manage and configure connection security rules.

Exam need to know
■ Allowing or denying an application  For example: How to configure WFAS to block remote access to a specific service.
■ Configuring rules for multiple profiles  For example: How to configure Windows 7 to apply a firewall rule across multiple network profiles.
■ Network profile specific rules  For example: How to configure a firewall rule to apply only when the computer is using the Public network profile.
■ Configuring notifications  For example: How to configure Windows 7 to notify you when traffic to a program is blocked by Windows Firewall.
■ Configuring authenticated exceptions  For example: How to configure Windows 7 to allow remote access to a program or service when a connection is authenticated.

Allowing or denying an application
You need to know how to configure Windows Firewall and WFAS to allow or block an application based on the application’s path.

True or False? You can allow programs through Windows Firewall by using the ipconfig command.
Answer: False. You can allow or block inbound network traffic to programs or features on a computer running Windows 7. To allow a program through Windows Firewall, open the Windows Firewall Control Panel item and then click Allow A Program Or Feature Through Windows Firewall. Either select the program or feature from the list, or click Allow Another Program and then navigate to the executable file for that program.

To allow or block a program through the command line, use the netsh firewall add allowedprogram command. For example, to allow the program c:\app\program.exe, run the following command from an elevated command prompt:

Netsh firewall add allowedprogram "c:\app\program.exe" "My Program" enable

You can disable a program through the GUI by either removing the rule that allows the program or deselecting the profiles in which it is enabled. You can also disable rules using the netsh firewall set allowedprogram disabled command.

EXAM TIP  Remember that Windows Firewall has limited functionality, and you can block only inbound traffic to programs and features.

MORE INFO  To learn more about configuring Windows Firewall from the command line, consult the following webpage: http://technet.microsoft.com/en-us/library/cc771046(WS.10).aspx.

True or False? You can create rules in WFAS to block outbound traffic for specific applications.
Answer: True. Unlike Windows Firewall, you can configure WFAS to allow or block both inbound and outbound traffic. You can use WFAS to block or allow programs, services, or traffic on specific ports. To allow an application, perform the following steps.
1. In WFAS, choose Inbound Rule and then click New Rule. This will launch the New Inbound Rule Wizard.
2. Choose Program, specify the program path, and choose one of the following options:
■ Allow The Connection  The connection is allowed if other conditions are met.
■ Allow The Connection If It Is Secure  The connection is allowed only if it is secured using the settings in IPsec properties and a Connection Security Rule. You’ll learn more about Connection Security Rules later in this chapter.
■ Block The Connection  The connection is blocked.
3. Select the profiles in which the rule applies and give the rule a name.

To create a rule based on a Service, choose the Custom rule type in the New Inbound Rule Wizard.

Creating outbound rules involves running the New Outbound Rule Wizard. The process for creating an outbound rule is the same as when you create a new inbound rule: You choose the rule type, whether to allow, allow if secure, or block the connection, and specify the network profiles in which the rule applies. WFAS does not block outbound connections by default, though this can be changed on a per-network profile basis by setting the Outbound connections drop-down from Allow (default) to Block.

You can create WFAS rules from an elevated command prompt using netsh in the advfirewall firewall context. The following command will create a WFAS rule named ProgramRule that will allow all inbound traffic to a program named app.exe located in the directory c:\app:

Netsh advfirewall firewall add rule name="ProgramRule" dir=in program="c:\app\app.exe" action=allow

To block traffic to the same program, issue the command:

Netsh advfirewall firewall add rule name="ProgramRule" dir=in program="c:\app\app.exe" action=block

MORE INFO  To learn more about adding Windows Firewall with Advanced Security rules using netsh, consult the following webpage: http://technet.microsoft.com/en-us/library/dd734783(WS.10).aspx.

EXAM TIP  Remember that with WFAS, you can block outbound traffic.

Configuring rules for multiple profiles
You need to know how to configure a firewall rule to apply across multiple network profiles in both Windows Firewall and Windows Firewall with Advanced Security.

True or False? A firewall rule can only apply in a single network profile.
Answer: False. Windows Firewall rules can apply across one or more network profiles. Firewall rules are represented by program and feature name. You can choose the network profiles in which a firewall rule applies for Windows Firewall by choosing Allow Program Or Feature Through Windows Firewall on the Windows Firewall Control Panel item, then clicking Change Settings, and then checking the profiles in which you want a specific allowed program or feature to be enabled. You can choose to enable firewall rules in the home/work (private) or public profiles. You can also choose to allow a program or feature for the domain network profile if your computer is a member of an Active Directory domain.

You can configure the profiles in which a Windows Firewall rule applies using the netsh firewall set allowedprogram command with the profile option.

Netsh firewall set allowedprogram "C:\apps\program.exe" "Program" profile=standard

With WFAS, you can control the network profiles in which a rule applies. You can configure this by editing the properties of the WFAS rule or by specifying the network profiles during rule creation.

True or False? You can configure WFAS rules to only apply to wireless network interfaces.
Answer: True. You also can configure the following additional limits on rules:
■ Interface Types  You can specify that the rule applies to one or all of the following interface types: Local Area Network, Wireless, Remote Access.
■ Users  You can specify user accounts or group accounts when you configure a firewall rule that allows only secure connections. WFAS will block network traffic from users not on this list.
■ Computers  You can specify a list of computers or security groups when you configure a firewall rule that allows only secure connections. WFAS will block network traffic from computers not on this list.
■ Scope  You can specify local and remote IP addresses and IP address ranges. WFAS will block traffic that does not meet the specified local and remote IP address scope condition.
■ Edge Traversal  You can block or allow traffic that has passed across a Network Address Translation router or firewall.

EXAM TIP  Remember that you can configure a firewall rule to apply to a specific interface type.

MORE INFO  To learn more about WFAS advanced properties, consult the following webpage: http://technet.microsoft.com/en-us/library/cc731927.aspx.

Network profile specific rules
You need to know how to configure a Windows Firewall or WFAS rule to apply only in specific profiles.

True or False? Windows Firewall rules must always apply to the public profile.
Answer: False. You can configure a firewall rule to apply in a single network profile. You can do this by choosing Allow Program Or Feature Through Windows Firewall on the Windows Firewall Control Panel item, then clicking Change Settings, and then checking the profile in which you want a specific allowed program or feature to be enabled.

EXAM TIP  Remember that you can use the domain profile only for computers that are members of Active Directory domains.

You can configure the profiles in which a Windows Firewall rule applies using the netsh firewall set allowedprogram command with the profile option. The allowed profile settings are as follows:
■ Current  Applies to all currently active network profiles
■ Domain  Applies only to the domain profile
■ Standard  Applies only to the private profile
■ All  Applies to all profiles except the private profile

True or False? The private profile applies to both the home and work locations.
Answer: True. You can configure the network profiles in which a WFAS rule applies on the Advanced tab of the rule’s properties. You can choose for the rule to apply in the domain, private (home or work), or public profiles.

You can modify an existing WFAS rule using the netsh advfirewall firewall set rule command with the profile option and choose among the following options:
■ Public  Applies to the public network profile
■ Private  Applies to the work and home network profiles
■ Domain  Applies to the domain network profile
■ Any  Applies to all network profiles

You can configure rules to function in specific profiles from the command line by using the netsh advfirewall firewall set rule command with the profile option. For example, to set the rule named Alpha to apply in the domain profile, use this command:

Netsh advfirewall firewall set rule name="Alpha" new profile=Domain

MORE INFO  To learn more about applying WFAS rules in specific profiles, consult the following webpage: http://technet.microsoft.com/en-us/library/cc731927.aspx.
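The outbound and per-profile options covered in this objective can be combined in one netsh advfirewall rule. The following PowerShell script is an added example, not taken from the book: it creates an outbound block rule that applies only in the Public profile and then reads the rule back to confirm its scope. The rule name and program path are hypothetical, and the output parsing assumes English-language netsh output.

```powershell
# Added example (not from the book). Run from an elevated PowerShell session.
# Rule name and program path are hypothetical; neither contains spaces, so
# each name=value token reaches netsh as a single unquoted argument.
$RuleName = 'BlockAppOutPublic'
$Program  = 'C:\app\app.exe'

# netsh advfirewall needs administrative rights to change firewall rules.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
if (-not $principal.IsInRole($adminRole)) {
    throw 'Run this script from an elevated PowerShell session.'
}

# Remove any earlier copy so repeated runs do not stack duplicate rules.
# netsh reports an error when no rule matches; that is expected on first run.
netsh advfirewall firewall delete rule "name=$RuleName" | Out-Null

# Outbound block rule, scoped to the Public profile only.
netsh advfirewall firewall add rule "name=$RuleName" dir=out "program=$Program" action=block profile=public | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "netsh could not create rule '$RuleName'."
}

# Read the rule back and turn the "Field:   value" lines into a hashtable.
$fields = @{}
netsh advfirewall firewall show rule "name=$RuleName" verbose | ForEach-Object {
    if ($_ -match '^([^:]+):\s+(.*)$') {
        $fields[$matches[1].Trim()] = $matches[2].Trim()
    }
}

# Confirm the rule is enabled, outbound, blocking, and limited to Public.
$expected = @{ 'Enabled' = 'Yes'; 'Direction' = 'Out'; 'Profiles' = 'Public'; 'Action' = 'Block' }
$problems = @()
foreach ($key in $expected.Keys) {
    if ($fields[$key] -ne $expected[$key]) {
        $problems += "${key}: expected '$($expected[$key])', found '$($fields[$key])'"
    }
}
if ($problems.Count -gt 0) {
    throw ("Rule '$RuleName' is not scoped as intended: " + ($problems -join '; '))
}
"Rule '$RuleName' blocks outbound traffic from $Program in the Public profile only."
```

Reading the rule back matters because a rule created without the profile option applies in all profiles, which would also block the program on domain and private networks.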

Configuring notifications
You need to know how to enable and disable notifications in Windows Firewall and WFAS.

True or False? You can enable notifications in Windows Firewall on a per-network location basis.
Answer: True. Notifications inform the user that Windows Firewall has blocked a new program. You configure notifications for Windows Firewall by performing the following steps:
1. Open the Windows Firewall console and then click Change Notification Settings.
2. In the Customize Settings dialog box, choose whether to enable the Notify Me When Windows Firewall Blocks A New Program option for each network location.

MORE INFO  To learn more about notification settings for Windows Firewall, consult the following webpage: http://windows.microsoft.com/en-US/windows7/Understanding-Windows-Firewall-settings.

True or False? You can configure WFAS notifications only for the domain profile.
Answer: False. You configure notifications for WFAS by editing WFAS properties and clicking the Customize button in the Settings area for each profile. You can then choose whether a notification is displayed when a program is blocked from receiving inbound connections.

EXAM TIP  Remember that notifications can be configured on a per-profile basis.

MORE INFO  To learn more about notification settings for WFAS, consult the following webpage: http://technet.microsoft.com/en-us/library/cc753002.aspx.

Configuring authenticated exceptions
You need to know how to configure a connection security rule so that connections from specific computers do not require authentication.

True or False? Authentication exemptions enable you to bypass WFAS rules that require authentication.
Answer: True. Authentication exemptions allow you to exempt computers or IP address ranges from needing to authenticate even when other connection security rules are being applied. You need to use authentication exemptions only when you are using connection security rules and you have configured WFAS rules with the Allow The Connection If It Is Secure action. An authentication exemption makes all such rules function as if the Allow The Connection action were chosen, but only for the computers specified in the authentication exemption rule. To create an authentication exemption, open the WFAS console and perform the following steps:

1. Select the Connection Security Rules node and click New Rule on the Actions pane.
2. On the Rule Type page, select Authentication Exemption.
3. On the Exempt Computers page, click Add and then enter an IP address, an IP subnet, or one of the following from the predefined list:
■ Default gateway
■ WINS servers
■ DHCP servers
■ DNS servers
■ Local subnet
4. Specify the profiles in which the exemption applies and give the exemption a name.

EXAM TIP  Authentication exemptions are most useful when you want to configure a management computer that can make remote connections when the authentication infrastructure has failed.

MORE INFO  To learn more about authentication exemptions, consult the following webpage: http://technet.microsoft.com/en-us/library/cc811521(WS.10).aspx.

True or False? You can create authentication exemptions using the netsh command-line utility.
Answer: True. You can create authentication exemptions using the netsh command-line utility. You must run this command from an elevated command prompt and use the netsh advfirewall consec option. When using this command you must specify endpoint1 as "any" and endpoint2 as the addresses of the computers for which you want to configure the authentication exemption. For example, to create authentication exemptions from all computers on the subnet 192.168.16.0/24, use the following command:

Netsh advfirewall consec add rule name=Exemptions endpoint1=any endpoint2=192.168.16.0/24 action=noauthentication

MORE INFO  To learn more about configuring authentication exemptions, consult the following webpage: http://technet.microsoft.com/en-us/library/dd736198(WS.10).aspx.

Can you answer these questions?
You can find the answers to these questions at the end of the chapter.
1. What steps would you take to block outgoing traffic from a specific application when the computer is connected to a public Wi-Fi access point?

2. You have a network application in the c:\networkapp1 directory that uses the executable name networkapp1.exe. You want to create a WFAS rule named NetworkApplication that allows inbound traffic to this application. What command should you use to accomplish this goal?
3. What command-line command would you run to configure the WFAS rule named Epsilon to apply in the domain profile?
4. What command-line command would you run to create an authentication exemption for all computers on the subnet 10.10.100.0/24?

Objective 4.5: Configure remote management
This objective requires you to demonstrate that you know how to use and configure Windows 7 remote management technologies including PowerShell remoting, WinRS, Remote Desktop, and Remote Assistance.

Exam need to know
■ Remote management methods  For example: How to select an appropriate remote management method.
■ Configuring remote management tools  For example: How to configure Windows 7 to accept Remote Desktop connections.
■ Executing PowerShell commands  For example: How to use PowerShell remoting to run a single command on multiple computers.

Remote management methods
You need to know the appropriate remote management method for a specific task.

True or False? You can perform remote management of computers running Windows 7 only if they are members of the same domain.
Answer: False. You can perform remote management of computers running Windows 7 using several different technologies, each of which is appropriate for specific scenarios. Each remote management technology can be used when the remote and the local computers are members of the same Active Directory domain or when they are stand-alone systems. The remote management technologies that you can use with Windows 7 include these:
■ Remote Assistance  Used in screen-sharing support scenarios. The remote user is given permission to connect by the currently logged-in user.
■ Remote Desktop  Allows remote full-screen login to a computer running Windows 7. The remote user requires local credentials that have Remote Desktop privileges.

■ WinRS  Allows remote execution of scripts and command-line utilities. Remote user requires local credentials with permission to execute command-line utilities and scripts.
■ PowerShell Remoting  Allows remote execution of PowerShell commands and scripts. Requires local credentials with permission to execute PowerShell commands and scripts.

EXAM TIP  Remote Assistance requires an invitation, and you can view the logged-in user’s desktop. Remote Desktop does not require an invitation, and you can’t view the logged-in user’s desktop.

MORE INFO  To learn more about remote management methods for computers running Windows 7, consult the following webpage: http://technet.microsoft.com/en-us/library/dd443489(WS.10).aspx.

Configuring remote management tools
You need to know how to configure Windows 7 to support Remote Assistance, Remote Desktop, and remote PowerShell sessions.

True or False? It is possible to remotely log in through Remote Assistance without the logged-in user’s permission.
Answer: False. Remote Assistance is a support tool that enables support staff, usually referred to as helpers, to view the screen of a user logged in to a computer running Windows 7. Remote Assistance requires the helper to have an invitation issued by the computer user. You can specify the period of invitation validity through the Remote Assistance Settings dialog box. You can use Easy Connect only when both computers are running Windows 7, both computers have Internet access, and routers support the Peer Name Resolution Protocol (PNRP). With Easy Connect, you can connect without using Remote Assistance invitations. If Easy Connect is unavailable, you can forward an invitation file through an email message or by transferring the invitation file through another method such as a file share or USB storage device. When connecting, a helper must enter a password that displays on the user’s screen. You can transmit this password with the invitation, but Microsoft recommends using a separate method such as an SMS message or reading the password over a telephone call. The computer user can terminate the Remote Assistance session at any time.

True or False? Helpers remotely connected using Remote Assistance can respond to User Account Control (UAC) prompts.
Answer: True. In domain-based environments, the user can choose to allow a helper to respond to UAC prompts when accepting the connection.

MORE INFO  To learn more about Remote Assistance, consult the following webpage: http://windows.microsoft.com/en-US/windows7/Windows-Remote-Assistance-frequently-asked-questions.

True or False? Computers running Windows 7 Home Premium support incoming Remote Desktop connections.
Answer: False. With Remote Desktop, clients that use the Remote Desktop Connection software or a compatible third-party alternative to make remote connections to computers running Windows 7 can view and interact with the desktop of the host computer. Remote Desktop has the following properties:
■ All editions of Windows 7 include Remote Desktop Connection client software.
■ You can remotely connect only to computers running Windows 7 Professional, Enterprise, or Ultimate.
■ Remote Desktop Connection is disabled by default.
■ Enabling Remote Desktop automatically configures the firewall rules that allow inbound connections.
■ You can remotely log in to a Windows 7 computer if no user is locally logged in.
■ If a user locks the screen of a Windows 7 computer, that user can remotely connect and resume the locked session using Remote Desktop.
■ A currently logged-in user can deny access to someone attempting console login or remote login.
■ Remote users on the Internet can make connections to Windows 7 computers with Remote Desktop enabled on internal networks through Windows Server 2008 R2 computers that host the Remote Desktop Gateway role.

True or False? You can configure Remote Desktop so that only Remote Desktop clients that support Network Level Authentication can connect.
Answer: True. When you enable Remote Desktop, you choose between allowing connections from any version of Remote Desktop or restricting connections to Remote Desktop clients that support Network Level Authentication. The Remote Desktop clients available in Windows Vista, Windows 7, and Windows Server 2008 support Network Level Authentication.

True or False? By default, only members of the local Administrators group can make a Remote Desktop connection to a computer running Windows 7.
Answer: False. Members of the administrators and Remote Desktop Users local groups can connect through Remote Desktop to computers running Windows 7. When you add specific users or groups through the Remote Desktop Users dialog box, you can alter which groups and users can log in by editing the Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow Log On Through Remote Desktop Services policy.

MORE INFO  To learn more about Remote Desktop, consult the following webpage: http://windows.microsoft.com/en-US/windows7/Remote-Desktop-Connection-frequently-asked-questions.

contoso.microsoft. consult the following webpage: http://technet.com/en-us/library/dd163506. For example.aspx.com/en-us/library/dd163506. To configure a computer to accept remote commands. consult the following TechNet document: http://technet. Answer: True. EXAM TIP  Remember the difference between allowing connections from computers running any version of Remote Desktop and computers running Remote Desktop with Network Level Authentication. specify the NetBIOS name.aspx. to run the hostname command on the computer win7-b. True or False? You use the WinRS command to execute command-line utilities on remote computers. When the computer is on the local network.contoso. You also specify the name of the remote computer using the –r parameter. Configuring Network Connectivity  Chapter 4 93 .microsoft. consult the following webpage: http://technet. to run the command hostname on the computer Win7-B.com/en-us/magazine/ff404238. you need to configure a bi-directional trust by executing the following command: Winrm set winrm/config/client @{TrustedHosts=”trusted FQDN or IP address”} You can configure WinRM settings through the \Computer Configuration\ Administrative Templates\Windows Components\Windows Remote Management and \Computer Configuration\Administrative Templates\Windows Components\ Windows Remote Shell group policy nodes. use the fully qualified domain name and address the http or https listener.com –u:win7-b\kim_akers hostname MORE INFO  To learn more about Remote Shell. True or False? You enable Windows Remote Shell (WinRS) by running the Windows Remote Management (WinRM) Quickconfig command. With WinRS.aspx. run the following command from an elevated command prompt: Winrm quickconfig To manage computers that are not part of the same Active Directory domain. you can execute command-line utilities on a remote computer. use this command: WinRS –r:http://win7-b.com across the Internet using the Kim-Akers local account.microsoft. using the Kim_Akers account. 
You can configure the http and https listener using the WinRM command. If the computer is on a remote network. For example. use this command: WinRS –r:Win7-B –u:Win7-B\Kim_Akers hostname MORE INFO To watch a Remote Shell video tutorial. Answer: True. You use the WinRS command to execute command-line utilities or scripts on the remote computer.MORE INFO  To learn more about Remote Desktop.

Executing PowerShell commands
You need to know what steps to take to enable PowerShell remoting and to execute PowerShell commands on remote computers running Windows 7.

True or False? You can enable PowerShell remoting by running the Enable-PSRemoting cmdlet when the Windows Remote Management service is configured.
Answer: True. To set up PowerShell for remoting when the WinRM service is running, open an elevated PowerShell session and run the following command:

Enable-PSRemoting -force

True or False? You need to configure remotely managed computers to be trusted when attempting to use PowerShell remoting for computers that are in different Active Directory environments.
Answer: True. When managing computers not in the same Active Directory domain, you will need to configure remotely managed computers to be trusted. Do this from an elevated command prompt by issuing the following command:

Winrm set winrm/config/client @{TrustedHosts="Remote Computer or IP Address"}

To open an interactive session, run the Enter-PSSession cmdlet with the ComputerName parameter. For example, to open an interactive session to computer Win7-680, use this command:

Enter-PSSession -ComputerName:Win7-680

To end the session, run the Exit-PSSession cmdlet.

True or False? You can run one PowerShell command or script against multiple computers.
Answer: True. With PowerShell remoting, you can execute commands in parallel to more than one destination computer. You do this by using the Invoke-Command cmdlet with the Computername parameter. For example, to run the cmdlet Get-Hotfix on computers ALPHA, BETA, and GAMMA using the Kim_Akers local account credential, run this command:

Invoke-Command -scriptblock { Get-Hotfix } -computername ALPHA,BETA,GAMMA

MORE INFO  To learn more about PowerShell remoting, consult the following webpage: http://technet.microsoft.com/en-us/magazine/ff700227.aspx.

Can you answer these questions?
You can find the answers to these questions at the end of the chapter.
1. Which remote management technology would you use if you needed to remotely train a user on a new application?

Link-local multicast name resolution (LLMNR). PowerShell remoting is configured on computer Win7A and Win7B. 3. Objective 4.0. What group should you add Rooslan’s user account to in order to allow him to accomplish this goal? 4. The APIPA range is 169. What command would you use on Win7A to open an interactive PowerShell session on Win7B? Answers This section contains the answers to the “Can you answer these questions?” sections in this chapter. Use this command: netsh interface ipv4 set address “Local Area Connection” static 10.10. 2. Global unicast addresses use the 2000::/3 prefix.0 through 169. The File and Printer Sharing For Microsoft Networks service must be enabled on the network adapter for other clients on the network to be able to access the client’s shared folders and printer.0 10. Turn on Network Discovery through the Advanced Sharing Settings item in Network and Sharing Center. Which editions of Windows 7 support incoming Remote Desktop connections? 3. Configure Gamma above Beta and Alpha in the Manage Wireless Networks list.3: Configure network settings 1.0.255.1: Configure IPv4 network settings 1. This will configure Gamma as a preferred wireless network.101 255. Link-local addresses use the FE80::/64 prefix. Use this command: netsh interface ipv4 set dnsservers “Local Area Connection” source=dhcp.1.2. 3. Objective 4. Configuring Network Connectivity  Chapter 4 95 . You must configure the Wired AutoConfig service. Objective 4.254.255. 4. 4. Rooslan wants to make a Remote Desktop connection to a computer running Windows 7 Enterprise.0. 2. but he is not a member of the local Administrators group on this computer.254.254. 2. 4.10.255. You should configure location-aware printing. 3.2: Configure IPv6 network settings 1. Unique local addresses use the fc00::/7 prefix.

EnterPSSession -ComputerName:Win7B. 4. 96 Chapter 4  Configuring Network Connectivity . 4. 2. Use this command: netsh advfirewall firewall set rule name=”Epsilon” new profile=Domain.4: Configure Windows Firewall 1.Objective 4.100. 3. 2.0/24 action=noauthentication. Use this command: netsh advfirewall consec add rule name=Exemptions endpoint1=any endpoint2=10. Create a WFAS outbound rule that blocks traffic from the application on the public profile. Enterprise.5: Configure remote management 1.exe” action=allow. 3. Add Rooslan’s account to the Remote Desktop Users group. Objective 4. Remote Assistance enables screen sharing. and Ultimate support incoming Remote Desktop connections. Windows 7 Professional. Use this command: netsh advfirewall firewall add rule name=”NetworkApplication” dir=in program=”c:\networkapp1\networkapp1.10.
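The PowerShell remoting steps covered under Objective 4.5 (enable remoting, trust named hosts outside the domain, run one command against several computers), put together as an added example that is not from the book. The computer names are the book's samples; the Get-Credential prompt and the merge logic for TrustedHosts are assumptions made for this illustration.

```powershell
# Added example, not from the book. Run in an elevated PowerShell session.
# ALPHA, BETA and GAMMA are the book's sample computer names.

# --- On each computer that will be managed -----------------------------
# Starts WinRM, creates the listener and adds the firewall exception.
Enable-PSRemoting -Force

# --- On the management computer -----------------------------------------
$targets = 'ALPHA', 'BETA', 'GAMMA'

# TrustedHosts is only needed when the targets are outside your AD domain.
# Hosts listed here are contacted without the mutual authentication that
# Kerberos provides, so merge in specific names instead of overwriting the
# list or falling back to '*'.
$path    = 'WSMan:\localhost\Client\TrustedHosts'
$current = (Get-Item -Path $path).Value
$names   = @("$current" -split ',' | ForEach-Object { $_.Trim() })
$merged  = @($names + $targets | Where-Object { $_ } | Sort-Object -Unique)

if ($merged -contains '*') {
    # A wildcard already trusts every host; leave it for a human to review.
    Write-Warning "TrustedHosts contains '*'. Replace it with named hosts."
}
else {
    Set-Item -Path $path -Value ($merged -join ',') -Force
}

# Prompt for the account; the password is never stored in the script.
$cred = Get-Credential

# One command, several computers, run in parallel. Failures are collected
# in $failed instead of stopping the whole run.
$failed   = @()
$hotfixes = Invoke-Command -ComputerName $targets -Credential $cred `
    -ScriptBlock { Get-HotFix } `
    -ErrorAction SilentlyContinue -ErrorVariable failed

# PSComputerName is added to every object that comes back from a remote
# computer, so results can be grouped per machine.
$hotfixes | Group-Object -Property PSComputerName |
    Select-Object @{ n = 'Computer'; e = { $_.Name } },
                  @{ n = 'Hotfixes'; e = { $_.Count } }

# Report computers that did not answer rather than silently dropping them.
foreach ($e in $failed) {
    Write-Warning $e.Exception.Message
}

# Interactive work against a single computer is typed at the prompt:
#   Enter-PSSession -ComputerName Win7-680 -Credential $cred
#   ...
#   Exit-PSSession
```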

Chapter 5
Configuring Access to Resources

Approximately 13 percent of the 70-680 exam focuses on the topic of configuring access to resources. You need to have a good grasp of how to configure Microsoft Windows 7 to share resources to other users on the network, configure permissions on files and folders, and ensure that users can properly authenticate. You also need to understand how Windows 7 clients in branch offices can leverage BranchCache to speed up remote file and folder access.

This chapter covers the following objectives:
■■ Objective 5.1: Configure shared resources
■■ Objective 5.2: Configure file and folder access
■■ Objective 5.3: Configure User Account Control (UAC)
■■ Objective 5.4: Configure authentication and authorization
■■ Objective 5.5: Configure BranchCache

Objective 5.1: Configure shared resources

This objective requires you to demonstrate that you know how to configure folder redirections, set up shared folder permissions so that users have an appropriate level of access, configure shared printers, and manage HomeGroup settings.

Exam need to know
■■ Folder virtualization  For example: How to configure Windows 7 to redirect commonly used folders to a network share.
■■ Shared folder permissions  For example: How to configure shared folder permissions to enable one group of users to read documents without being able to modify them.

■■ Printers and queues  For example: How to configure shared printer permissions so that one group of users can manage all documents in the printer queue.
■■ Configuring HomeGroup settings  For example: How to configure a portable computer running Windows 7 Ultimate that is domain joined.

Folder virtualization

You need to know how to configure folder redirection for users who log on to computers running Windows 7.

True or False? Folder redirection can redirect the Documents folder to a file server.
Answer: True. With folder virtualization, part of user state virtualization and also known as folder redirection, a user’s folders can be redirected to a specially configured file share. Folder redirection maps folders (for example, Documents, Favorites, Downloads, and AppData) to shared folders. With folder redirection, common folders are available to the user independently of which computer is used. Windows 7 improves the performance of folder redirection by leveraging offline files functionality, which means that content in redirected folders will be available if the connection between the computer running Windows 7 and the host server is disrupted.

True or False? You can use Group Policy to redirect the Favorites folder.
Answer: True. You can configure folder redirection through Group Policy by editing the items under the \User Configuration\Policies\Windows Settings\Folder Redirection node. You can configure redirection for the following folders:
■■ AppData (Roaming)
■■ Desktop
■■ Start Menu
■■ Documents
■■ Pictures
■■ Music
■■ Videos
■■ Favorites
■■ Contacts
■■ Downloads
■■ Links
■■ Searches
■■ Saved Games

When configuring these policies, you can choose between the following options:
■■ Basic  Each person’s folder is redirected to the same location. When you choose this option, you can choose to do the following:
• Redirect to the user’s home directory
• Create a folder for each user under the root path
• Redirect to a specific location
• Redirect to the local user profile location
■■ Advanced  Folders are redirected based on the user group. Although this option provides the same options as the Basic choice, you can differentiate these settings based on security group membership.

MORE INFO  To learn more about folder redirection, consult the following webpage: http://technet.microsoft.com/en-us/library/cc771969.aspx.

Shared folder permissions

You need to know which shared folder permissions can be configured by using both the Share and the Advanced Sharing options.

True or False? The owner permission is automatically assigned to the person who shares the folder.
Answer: True. When you choose to share a folder using simple sharing, you can choose the following permission levels:
■■ Read  The person accessing the shared folder can read the contents of the file, but cannot delete or modify the file.
■■ Read/Write  The person accessing the shared folder can read, modify, add, or delete the files.
■■ Owner  This permission is assigned to the person who shares the folder. This person can then change permissions.

If the computer is a member of a HomeGroup, you can configure permissions for the HomeGroup. You can also configure permissions for the Everyone group or for individual local user accounts on the computer running Windows 7. Whenever possible, best practice is to assign share permissions to groups instead of individual users. This is straightforward when the computer is joined to a domain because you just use a domain-based group.

True or False? The Change advanced share permission is functionally the same as the Read/Write simple share permission.
Answer: True. You can also configure additional permissions using the Advanced Sharing dialog box. Advanced Sharing is available on the folder’s properties page. You can share items, such as the entire volume, that you cannot share using simple sharing options. Using the Advanced Sharing dialog box, you can limit the number of users who can access the share. Rather than configuring the Read, Read/Write, and Owner share permissions, you instead configure Full Control, Change, and Read. The big difference is that you can assign an Allow or Deny permission, with Deny settings overriding Allow settings. The advanced Read share permission is the same as in simple sharing. The Change permission is the same as the Read/Write simple sharing permission because you can read, modify, delete, and add files to the shared folder. The Full Control permission confers the same rights as the Change permission, except that users also can modify existing permissions.

True or False? You can configure shared folders on computers running Windows 7 to support the offline files functionality.
Answer: True. You can configure caching from the Advanced Sharing dialog box so files shared by the computer running Windows 7 can have offline file access. You can configure the following options:
■■ Only The Files And Programs That Users Specify Are Available Offline  Users can access only those files that are specifically set by the user to be available offline.
■■ No Files Or Programs From The Shared Folder Are Available Offline  This setting blocks offline file access for files hosted on the computer running Windows 7.
■■ All Files And Programs That Users Open From The Shared Folder Are Automatically Available Offline  This setting ensures that users will have offline access to files hosted on the computer running Windows 7.

You can centrally manage all folders shared on a computer running Windows 7 by using the Shared Folders node of the Computer Management console. This console will provide you with the following information:
■■ Shares node  This node shows a list of all shares on the computer running Windows 7.
■■ Sessions node  This node shows which users are connected, how long they have been connected, and the location from which they are connecting.
■■ Open Files node  This node shows folders and files currently being accessed remotely.

You can use the Net Share command to manage shared folders from a command prompt. To create a shared folder, use the following command syntax:

Net share sharename=drive:path

You can assign permissions using the Net Share command by using the following syntax:

Net share sharename=[path] /grant:user,[Read/Change/Full]

You can also use this command to configure caching options.

MORE INFO  To learn more about shared folders, consult the following webpage: http://windows.microsoft.com/en-US/windows7/Share-files-with-someone.

Printers and queues

You need to know how to share printers and how to assign permissions to manage printers.

True or False? Users can restart the printer with the Manage Documents permission.
Answer: False. With shared printers, other users on the network can send documents to a printer managed by a computer running Windows 7. You can enable printer sharing in HomeGroup or in Advanced Sharing Settings after the printer is installed. When a printer is shared, the Everyone group is granted the Print permission. All members of the HomeGroup (or any members of the domain if the computer is domain joined) can submit jobs to the printer. It is possible to assign specific permissions to printers beyond these default permissions. These permissions include the following:
■■ Print  A user or group has permission to print. Users can rearrange the documents they submit to the printer.
■■ Manage This Printer  A user or group can pause and restart the printer. Users can modify spooler settings, properties, permissions, and printer sharing.
■■ Manage Documents  A user or group can pause, resume, restart, cancel, and reorder any documents in the current print queue.

MORE INFO  To learn more about printer permissions, consult the following webpage: http://windows.microsoft.com/en-US/windows7/Why-cant-I-change-the-printer-properties.

True or False? You can distribute printer drivers for Windows XP when sharing a printer on a computer running Windows 7.
Answer: True. If the printer needs to be accessible to computers running Windows XP or Windows Vista, you can add drivers for these operating systems by clicking the Additional Drivers button. After pressing this button, clients running those operating systems are automatically provisioned with the appropriate drivers when they remotely connect to the printer.

MORE INFO  To learn more about sharing printers with other operating systems, consult this webpage: http://windows.microsoft.com/en-US/windows7/help/sharing-files-and-printers-with-different-versions-of-windows.

Configuring HomeGroup settings

You need to know what can be shared with a homegroup and the conditions under which a homegroup can be created.

True or False? Domain-joined computers can’t join homegroups.
Answer: False. Homegroups simplify file sharing by sharing libraries and folders, and printers on non-domain networks. Computers running Home Premium, Professional, Enterprise, and Ultimate editions can create homegroups as long as there is no existing homegroup or they are not members of a domain. If they are members of a domain, they can join an existing homegroup only. Using computers running Windows 7 Starter and Windows 7 Home Basic, you can join a homegroup, but you can’t create one. A user must have administrative privileges to enable, join, and leave a homegroup. Users without administrative privileges can select which libraries to share with the homegroup. You can block computers joining homegroups by configuring the \Computer Configuration\Policies\Administrative Templates\Windows Components\HomeGroup\Prevent The Computer From Joining A Homegroup Group Policy item.

MORE INFO  To learn more about homegroups, consult the following webpage: http://windows.microsoft.com/en-US/windows7/What-is-a-homegroup.

Can you answer these questions?
You can find the answers to these questions at the end of the chapter.

1. Which policy do you configure to prevent a domain-joined portable computer running Windows 7 from being able to join a homegroup?
2. You want to have the AdminAssistants group be able to pause and restart shared printers. Which permission should you assign to this group?
3. Which node of the Computer Management console provides you with information on which files hosted on shared folders are currently open?
4. A user has 10 important files hosted in the Documents folder. What steps can you take to ensure access to these files from any computer?

Objective 5.2: Configure file and folder access

This objective requires you to demonstrate that you know how to manage the Encrypting File System (EFS), manage NTFS File System (NTFS) permissions, and disentangle permissions when a user is a member of multiple groups that are assigned different permissions to the same resource. You also need to understand how the process of copying files differs from moving files.

Exam need to know
■■ Encrypting files and folders by using EFS  For example: How to configure a folder so that all new files created in the folder will be encrypted using EFS.
■■ Configuring NTFS permissions  For example: How to configure a folder so that it does not inherit the permissions of its parent folder.
■■ Resolving effective permissions issues  For example: How to use the Effective Permissions tool to calculate a user’s permission.
■■ Copying files versus moving files  For example: How to understand what happens to permissions, encryption, and compression when a file is moved or copied between separate locations on the same volume.

Encrypting files and folders by using EFS

You need to know how to encrypt files and folders using EFS and how to configure recovery of those files and folders if the original owner can’t do so.

True or False? You can use EFS to encrypt files stored on the FAT32 file system.
Answer: False. EFS provides per-user encryption of files and folders. EFS is different from BitLocker and BitLocker To Go, which offer full volume encryption. EFS is available for the Professional, Enterprise, and Ultimate editions of Windows 7. EFS can be used only on volumes formatted with NTFS. You can use the cipher.exe command-line utility to manage EFS from the command line. Encrypted files display in Windows Explorer with green text. If you encrypt a folder, all new files created in that folder are encrypted. Similarly, files copied and moved to that folder are also encrypted. If you encrypt a file using EFS and then copy it to a USB stick formatted with the FAT32 file system, the file is automatically decrypted. Similarly, if you encrypt a file with EFS and then attach it to an email message, the file is decrypted during the attachment process. If you copy an encrypted file to a compressed folder, the file remains encrypted and doesn’t compress.

True or False? An EFS-encrypted file can be configured to be readable by multiple users.
Answer: True. To give additional users access to an EFS-encrypted file, you need to have access to their public EFS certificates. Doing so is possible on stand-alone computers running Windows 7 only if the user has previously encrypted a file. In domain environments, you can configure autoenrollment of EFS certificates so that public EFS certificates for all users are accessible through Active Directory. Although it is possible to add the EFS certificates of multiple users to encrypt individual files, you can’t do it at the folder level.

True or False? You can configure a recovery agent certificate using the Cipher.exe command-line utility.
Answer: True. Recovery agents are special certificates that allow EFS-encrypted files to be decrypted. In domain environments, the first administrator account in the domain is configured by the Default Domain Policy as a recovery agent. You can create a separate recovery agent by using the following command:

Cipher.exe /r:recoveryagent

Running this command will create two files: recoveryagent.cer and recoveryagent.pfx. You can edit the \Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Encrypting File System node and specify the location of the recoveryagent.cer file. By importing recoveryagent.pfx, a user can perform EFS recovery operations. If your organization has deployed a Microsoft Windows Server 2008 or Microsoft Windows Server 2008 R2 Active Directory Certificate Services CA, you can issue a special data recovery agent certificate and use it in place of the certificate generated with cipher.exe.

MORE INFO  To learn more about EFS, consult the following webpage: http://technet.microsoft.com/en-us/library/cc700811.aspx.

Configuring NTFS permissions

You need to know which NTFS permissions are available and how they can be used to control access to files and folders.

True or False? Users granted the Modify permission to a folder can execute program files in that folder.
Answer: True. NTFS permissions can be applied only to files and folders hosted on the NTFS file system. You can’t configure file and folder permissions for files and folders hosted on FAT or FAT32 volumes. NTFS permissions can be applied to folders and individual files. Permissions are assigned to security principals. A security principal can be a user or a security group. You can assign the following NTFS permissions:
■■ Full Control (FC)  The security principal can view the contents of a file or folder, modify existing files and folders, create new files and folders, and run programs in a folder. Granting this permission also grants the Modify, Read & Execute, List Folder Contents, Read, and Write permissions.
■■ Modify (M)  The security principal can change existing files and folders, but can’t create new files and folders. Granting this permission also grants the Read & Execute, List Folder Contents, Read, and Write permissions.
■■ Read & Execute (RX)  The security principal can view the contents of existing files and folders. The security principal can also run programs in the folder.
■■ Read (R)  The security principal can view the contents of folders and open files.

■■ Write (W)  The security principal can create new files and folders as well as make modifications to existing files and folders.
■■ List Folder Contents (LFC)  The security principal can view the contents of folders. This permission can be applied only to folders.

MORE INFO  To learn more about permissions, consult the following webpage: http://windows.microsoft.com/en-US/windows7/What-are-permissions.

True or False? The Delete Subfolders and Files special permission is associated only with the Full Control permission.
Answer: True. The 6 common NTFS permissions are actually combinations of 14 special permissions, with FC including all 14 special permissions. These special permissions and the NTFS permissions that they are related to are as follows:
■■ Traverse Folder/Execute File  FC, M, R&E, LFC
■■ List Folder/Read Data  FC, M, R&E, LFC, R
■■ Read Attributes  FC, M, R&E, LFC, R
■■ Read Extended Attributes  FC, M, R&E, LFC, R
■■ Create Files/Write Data  FC, M, W
■■ Create Folders/Append Data  FC, M, W
■■ Write Attributes  FC, M, W
■■ Write Extended Attributes  FC, M, W
■■ Delete Subfolders and Files  FC
■■ Delete  FC, M
■■ Read Permissions  FC, M, R&E, LFC, R, W
■■ Change Permissions  FC
■■ Take Ownership  FC
■■ Synchronize  FC, M, R&E, LFC, R, W

MORE INFO  To learn more about special permissions consult the following webpage: http://technet.microsoft.com/en-us/library/cc732880.aspx.

True or False? You can’t back up NTFS permissions from the command line.
Answer: False. You can use the Icacls.exe command-line utility to view and modify NTFS permissions. Use the syntax Icacls.exe file /grant user_or_group:permission and use /deny to apply a Deny permission instead of an Allow permission. For example, to assign Kim Akers the Read and Execute permission on the d:\binaries folder, issue this command:

Icacls.exe d:\binaries /grant Kim_Akers:(OI)RX

You can also use Icacls.exe to back up permissions and restore them. For example, to back up all the permissions on the e:\shared_folder folder to a file named permissions, use this command:

Icacls.exe e:\shared_folder\* /save permissions /t

MORE INFO  To learn more about the Icacls.exe utility, consult the following webpage: http://technet.microsoft.com/en-us/library/cc753525(WS.10).aspx.

Resolving effective permissions issues

You need to know how to calculate security principals’ actual permissions when they are assigned different permissions to the same file or folder, usually through being members of multiple security groups.

True or False? Effective permissions must always be calculated manually.
Answer: False. If users are members of multiple groups, they might have been assigned separate permissions to the same shared folder, NTFS folder, or file stored on an NTFS file system. The basic rules are these:
■■ Permissions work cumulatively.
■■ Deny permissions override Allow permissions.

The Effective Permissions tool allows you to determine a user or group’s actual permissions for a specific file or folder. You can access the Effective Permissions tool through the Advanced button on the Security tab of the target item’s properties.

EXAM TIP  Remember that a Deny permission overrides an Allow permission.

MORE INFO  To learn more about effective permissions, consult the following webpage: http://technet.microsoft.com/en-us/library/cc772184.aspx.

Copying files vs. moving files

You need to know what happens to permissions when a file is copied (as opposed to when it is moved).

True or False? A file inherits the permissions of the target folder when moved to a new folder on the same volume.
Answer: False. NTFS permissions work differently depending on whether a file is copied or moved on the same volume or to a different volume. For example:
■■ When you copy a file or folder from one folder to another, the file or folder will inherit the permissions of the target folder. This applies if the file is being copied within the same volume or to a different volume.
■■ A file or folder will retain its original permissions when you move that file or folder between folders on the same volume.
■■ A file or folder moved from one volume to a separate volume inherits the permissions of the destination volume.
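The copy and move rules listed above, together with the Icacls.exe /save backup described earlier, can be checked on a scratch folder. This is an added example, not from the book; the C:\AclLab paths, the file names, and the use of the built-in Administrators and Users groups under their English names are assumptions made for the demonstration.

```powershell
# Added example, not from the book. Run in an elevated PowerShell session.
# Assumptions: C: is an NTFS volume and C:\AclLab holds no real data.
$lab    = 'C:\AclLab'
$source = Join-Path $lab 'Source'
$target = Join-Path $lab 'Target'
New-Item -ItemType Directory -Path $source, $target -Force | Out-Null

# Target folder: stop inheriting from C:\AclLab and hand out Read only.
icacls $target /inheritance:r /grant 'Administrators:(OI)(CI)F' 'Users:(OI)(CI)R' | Out-Null

# A file in Source with an explicit (non-inherited) Modify entry for Users.
$original = Join-Path $source 'report.txt'
Set-Content -Path $original -Value 'constructed sample data'
icacls $original /grant 'Users:(M)' | Out-Null

# Copy creates a new object in Target; Move on the same volume relocates
# the existing object together with its security descriptor.
$copiedPath = Join-Path $target 'copied.txt'
$movedPath  = Join-Path $target 'moved.txt'
Copy-Item -Path $original -Destination $copiedPath
Move-Item -Path $original -Destination $movedPath

function Get-ExplicitAce {
    param([string]$Path)
    # Entries set directly on the object; inherited entries are filtered out.
    (Get-Acl -Path $Path).Access | Where-Object { -not $_.IsInherited }
}

$copied = @(Get-ExplicitAce -Path $copiedPath)
$moved  = @(Get-ExplicitAce -Path $movedPath)

# The copy takes the target folder's permissions, so it carries no explicit
# entries of its own; the moved file keeps the entry granted in Source.
"copied.txt explicit entries: $($copied.Count)"
"moved.txt  explicit entries: $($moved.Count)"
$moved | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# Back up every ACL under Target (the book's /save ... /t form), add a Deny
# entry that overrides the Allow on moved.txt, then restore from the backup.
$backup = Join-Path $lab 'permissions'
icacls "$target\*" /save $backup /t | Out-Null
icacls $movedPath /deny 'Users:(W)' | Out-Null
icacls $movedPath                      # listing with the Deny entry in place
icacls $target /restore $backup | Out-Null
icacls $movedPath                      # listing after the restore

# Clean up when finished:
#   Remove-Item -Path $lab -Recurse -Force
```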

When you move files or folders to FAT or FAT32 volumes, the files lose all existing permissions. You can use the robocopy.exe command-line utility to move files and folders from one volume to another while retaining existing permissions. Depending on the options used, robocopy.exe is an exception to the normal rules of moving and copying files.

MORE INFO  To learn more about permissions when files and folders are copied, consult the following webpage: http://support.microsoft.com/kb/266627.

Can you answer these questions?
You can find the answers to these questions at the end of the chapter.

1. When moving a file from one folder to another folder on the same volume, what happens to that file’s permissions?
2. Describe what happens when you move an EFS-encrypted file to a compressed folder on the same volume.
3. Rooslan is a member of three separate security groups assigned different NTFS permissions to the same folder. What tool can you use to calculate Rooslan’s actual permissions to that folder?
4. Which permissions should you assign to a folder if you want to allow a user to edit existing files stored in that folder, but not to alter the permissions of those files?

Objective 5.3: Configure User Account Control (UAC)

This objective requires you to demonstrate that you know how to configure security policies related to UAC, including how to configure different behaviors for users with administrative privileged and nonprivileged accounts. You also need to know how to configure secure desktop functionality.

Exam need to know
■■ Configuring Local Security Policy  For example: How to configure Windows 7 to require complex passwords
■■ Configuring admin versus standard UAC prompt behaviors  For example: How to configure Windows 7 to require users with local administrator privileges to provide credentials.
■■ Configuring Secure Desktop  For example: How to configure Windows 7 to ensure that all UAC prompts are displayed on the secure desktop.

Configuring Local Security Policy

You need to know how to use the Local Security Policy console to configure security policies on a computer running Windows 7 and what configuration options are available.

True or False? Secpol.msc can be used to configure password and account lockout policies.
Answer: True. By using the Local Security Policy console (accessible by typing secpol.msc in the Search Programs And Files dialog box), you can manage policy items that are usually located in the Computer Configuration\Windows Settings\Security Settings node of a typical Group Policy object (GPO). Using the Local Security Policy console, you can configure the following settings:
■■ Account Policies  Includes password policies and account lockout policies. These determine the length and complexity of passwords as well as what happens when a user enters an incorrect password a specific number of times.
■■ Local Policies  Includes Audit Policy, User Rights Assignment, and Security Options. User Rights Assignment allows you to configure which users can perform tasks such as logging on locally and backing up files. You’ll learn more about configuring rights later in this chapter. You can use security options to configure such things as whether users have to press Ctrl+Alt+Del to log on and what happens if a user that authenticated with a smart card ejects the card during a session.
■■ Windows Firewall With Advanced Security  You can configure firewall settings through policy. You learned about configuring Windows Firewall in Chapter 4, “Configuring Network Connectivity.”
■■ Network List Manager Policies  You can specify the properties of networks, such as whether the network is Public or Private, and whether the logged-on user can modify this designation.
■■ Public Key Policies  You can configure EFS, BitLocker, and certificate enrollment policies.
■■ Software Restriction Policies  Administrators can control which software can be run on computers running Windows 7. You learned about Software Restriction Policies in Chapter 3, “Configuring Hardware and Applications.”
■■ Application Control Policies  Application Control Policies (AppLocker) are the technological successors to Software Restriction Policies. You learned about Application Control Policies in Chapter 3.
■■ IP Security Policies on Local Computer  This is a policy option used to support older implementations of IPsec. As you learned in Chapter 4, IPsec is configured for computers running Windows 7 through connection security rules.
■■ Advanced Audit Policy Configuration  You can configure which advanced audit policies are active when advanced audit policy configuration is enabled. You’ll learn more about advanced audit policies in Chapter 6, “Configuring Mobile Computing.”

MORE INFO  To learn more about using the Local Security Policy editor consult the following webpage: http://technet.microsoft.com/en-us/magazine/ee851677.aspx.

Configuring admin vs. standard UAC prompt behaviors

You need to know which Group Policy items you need to configure to manage UAC behavior for standard and privileged users.

True or False? You can configure different UAC behavior depending on whether a user is a member of the local Administrators group on the computer running Windows 7.
Answer: True. UAC has two basic prompt behaviors: prompt for consent and prompt for credentials. When prompted for consent, users are asked a Yes or No question, to which they can respond by clicking one of the available options. When prompted for credentials, users must reauthenticate, usually by providing their password, to provide an affirmative response to the UAC dialog box. You control the behavior of the UAC prompt through two policies: one policy for users with local administrator privileges, and the other for users who don’t have those privileges. These policies are as follows:
■■ User Account Control: Behavior of the elevation prompt for standard users
■■ User Account Control: Behavior of the elevation prompt for administrators in Admin Approval mode

True or False? You can configure UAC so that a standard user can respond to a UAC prompt by entering the credentials of a user who is a member of the local Administrators group.
Answer: True. You have the following options for controlling elevation prompt behavior for standard users:
■■ Automatically Deny Elevation Requests  Any attempt at privilege elevation is automatically blocked.
■■ Prompt For Credentials On The Secure Desktop  A nonprivileged user can provide the credentials of a privileged user when providing a response to a UAC prompt. This request occurs on the secure desktop.
■■ Prompt For Credentials  A nonprivileged user can provide the credentials of a privileged user on the standard interactive desktop. This can be overridden by User Account Control: Switch To The Secure Desktop When Prompting For Elevation policy and the secure desktop would be used.

True or False? You can force administrators to re-enter their credentials when responding to UAC prompts.
Answer: True. You have the following options when configuring the User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode policy:
• Elevate Without Prompting  When this option is configured, the privileged user is automatically allowed to perform the task without having to provide consent or credentials.

• Prompt For Credentials On The Secure Desktop  The privileged user must enter credentials to allow the elevation of privileges. This occurs on the secure desktop.
• Prompt For Consent On The Secure Desktop  The privileged user must choose Yes or No on the secure desktop.
• Prompt For Credentials  The privileged user provides credentials on the interactive desktop. This can be overridden by User Account Control: Switch To The Secure Desktop When Prompting For Elevation policy, and the secure desktop would be used.
• Prompt For Consent  The privileged user is prompted for consent on the interactive desktop. This can be overridden by User Account Control: Switch To The Secure Desktop When Prompting For Elevation policy and the secure desktop would be used.
• Prompt For Consent For Non-Windows Binaries  This option requires consent only when running programs that aren’t part of Windows. Consent occurs on the interactive desktop, but it can be overridden by User Account Control: Switch To The Secure Desktop When Prompting For Elevation policy, and the secure desktop would be used.

MORE INFO  To learn more about controlling UAC through Group Policy, consult the following webpage: http://windows.microsoft.com/en-US/windows7/How-do-I-changethe-behavior-of-User-Account-Control-by-using-Group-Policy.

Configuring Secure Desktop

You need to know how to configure UAC to use the secure desktop instead of the interactive desktop when dealing with UAC prompts.

True or False? Secure Desktop can protect against malware that can mask the UAC prompt.

Answer: True. Secure Desktop is a special mode that Windows 7 enters when providing a UAC consent or credentials prompt. When in Secure Desktop mode, the UAC dialog box appears on a dimmed screenshot of the desktop when the operating system invokes UAC. Secure Desktop ensures that users are responding directly to the UAC prompt and are not responding to malware that can mask the UAC prompt, inadvertently tricking the logged-on user to provide consent to elevate the malware’s privileges. Remote Desktop and Remote Assistance fully support Secure Desktop, and remotely connected users can respond to prompts on the secure desktop as if they were logged on locally. Secure Desktop can cause problems with some screen-sharing software, and it might be necessary to disable Secure Desktop in certain circumstances to be able to remotely perform administrative tasks.
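The two elevation prompt policies and the Switch To The Secure Desktop policy described in this section can be audited together on a workstation. The following PowerShell script is an added example, not from the book; it assumes the registry value names ConsentPromptBehaviorAdmin, ConsentPromptBehaviorUser and PromptOnSecureDesktop and their numeric data, which the page does not list, and it runs on the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example, not from the book. The registry value names and numbers are
# assumptions supplied here: they are how Windows stores the three UAC
# policies discussed in this section.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Registry data -> option name, using the option names from the policy lists.
$AdminOptions = @{
    0 = 'Elevate Without Prompting'
    1 = 'Prompt For Credentials On The Secure Desktop'
    2 = 'Prompt For Consent On The Secure Desktop'
    3 = 'Prompt For Credentials'
    4 = 'Prompt For Consent'
    5 = 'Prompt For Consent For Non-Windows Binaries'
}
$StandardOptions = @{
    0 = 'Automatically Deny Elevation Requests'
    1 = 'Prompt For Credentials On The Secure Desktop'
    3 = 'Prompt For Credentials'
}

function Get-UacPromptReport {
    param(
        # Optional hashtable holding the three values; when omitted the
        # function reads the live registry.
        [hashtable]$Values
    )
    if (-not $Values) {
        $p = Get-ItemProperty -Path $UacKey
        $Values = @{
            ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
            ConsentPromptBehaviorUser  = $p.ConsentPromptBehaviorUser
            PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        }
    }
    # Switch To The Secure Desktop When Prompting For Elevation overrides the
    # desktop chosen by either behavior policy.
    $switchToSecure = ($Values.PromptOnSecureDesktop -eq 1)

    $checks = @(
        @{ Audience = 'Administrators (Admin Approval Mode)'
           Raw = $Values.ConsentPromptBehaviorAdmin; Map = $AdminOptions },
        @{ Audience = 'Standard users'
           Raw = $Values.ConsentPromptBehaviorUser; Map = $StandardOptions }
    )
    foreach ($c in $checks) {
        $option = $null
        if ($null -ne $c.Raw) { $option = $c.Map[[int]$c.Raw] }

        if ($null -eq $c.Raw) {
            $desktop = 'unknown'
            $finding = 'Value not set; Windows applies its built-in default'
        } elseif ($null -eq $option) {
            $desktop = 'unknown'
            $finding = "Unrecognized value $($c.Raw); review the policy"
        } elseif ($option -eq 'Elevate Without Prompting') {
            $desktop = 'no prompt'
            $finding = 'Elevation is granted without consent or credentials'
        } elseif ($option -eq 'Automatically Deny Elevation Requests') {
            $desktop = 'no prompt'
            $finding = 'OK: elevation requests are blocked'
        } elseif ($option -like '*On The Secure Desktop' -or $switchToSecure) {
            $desktop = 'secure desktop'
            $finding = 'OK'
        } else {
            $desktop = 'interactive desktop'
            $finding = 'Prompt appears on the interactive desktop; enable ' +
                       'Switch To The Secure Desktop When Prompting For Elevation'
        }
        New-Object PSObject -Property @{
            Audience = $c.Audience; Option = $option
            Desktop  = $desktop;    Finding = $finding
        } | Select-Object Audience, Option, Desktop, Finding
    }
}

# Constructed sample: administrators get a consent prompt, standard users a
# credential prompt, and the Switch To The Secure Desktop policy is disabled.
$sample = @{
    ConsentPromptBehaviorAdmin = 4
    ConsentPromptBehaviorUser  = 3
    PromptOnSecureDesktop      = 0
}
Get-UacPromptReport -Values $sample | Format-Table -AutoSize -Wrap

# Live check of the local computer.
Get-UacPromptReport | Format-Table -AutoSize -Wrap
```

With the constructed sample both rows are reported on the interactive desktop; setting PromptOnSecureDesktop to 1 in the sample moves both to the secure desktop without changing either behavior policy.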

True or False? You can configure all prompts for consent or prompts for credentials to appear on the secure desktop.

Answer: True. You can configure the User Account Control: Switch To The Secure Desktop When Prompting For Elevation policy to ensure that all prompts for credentials and prompts for consent appear on the secure desktop. It occurs no matter which settings you configure in the following policies:
■ User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode
■ User Account Control: Behavior of the Elevation Prompt For Standard Users

MORE INFO  To learn more about UAC and Secure Desktop, consult the following webpage: http://windows.microsoft.com/en-US/windows7/User-Account-ControlSwitch-to-the-secure-desktop-when-prompting-for-elevation.

Can you answer these questions?

You can find the answers to these questions at the end of the chapter.
1. Which Group Policy item would you configure to ensure that users logged on with accounts that do not have administrative privileges can provide the credentials of an account that has local administrative privileges?
2. Which Group Policy item would you configure to ensure that all UAC prompts occur on the secure desktop?
3. Currently administrators are prompted for consent by UAC when they need elevated permissions. What modification would you make to Group Policy to ensure that administrators must enter their password when they want to elevate permissions?
4. Which command would you type in the Search Programs And Files dialog box to open the Local Security Policy console?

Objective 5.4: Configure authentication and authorization

This objective requires you to demonstrate that you know how to resolve issues related to authentication, configure Group Policy so that specific users and groups are given appropriate rights, back up and modify saved credentials, manage certificates and smart cards, be able to elevate privileges as necessary, and configure Group Policies to support multifactor authentication.

Exam need to know
■ Resolving authentication issues  For example: How to configure a password reset disk.

■ Configuring rights  For example: How to configure Windows 7 so that only members of the local Administrators group can shut down a computer.
■ Managing credentials  For example: How to back up passwords used to access websites and local network resources.
■ Managing certificates  For example: How to know which tool to use to request a new certificate.
■ Smart cards with PIV  For example: How to configure Windows 7 to lock the screen if a user removes the smart card.
■ Elevating user privileges  For example: How to configure Windows 7 to run a program using administrator privileges.
■ Multifactor authentication  For example: How to configure Windows 7 to require that a user log on with a smart card.

Resolving authentication issues

You need to know how to manage forgotten passwords for users of computers running Windows 7.

True or False? A password reset disk can be configured to recover a user password after the user has forgotten that password.

Answer: False. A password reset disk must be created prior to the password being forgotten. The most common authentication problem faced by users of computers running Windows 7 is forgotten passwords. There are two ways to resolve this issue:
■ Password reset disk  A password reset disk can be used to reset a local account hosted on a computer running Windows 7. A password reset disk can be stored on a USB storage device; it doesn’t have to be stored on a floppy disk (as the name implies). You cannot use a password reset disk to reset a domain-based account.
■ Reset user account password  It is possible to reset a user account password for a local user account only if there is a way for a user with local administrator privileges to log on to the computer. When a local user’s password is changed, that user loses access to all EFS-encrypted files, personal certificates, and stored passwords hosted in the Windows Vault through Credential Manager. If Windows Vault has been backed up using Credential Manager, it is possible to recover these items.

If a user’s account has been locked out because too many incorrect passwords were entered in succession, the account can be unlocked by a user with local administrative privileges. Unlocking an account does not reset the account password and doesn’t affect stored credentials or EFS certificates.

MORE INFO  To learn more about password reset disks, consult the following webpage: http://windows.microsoft.com/en-US/windows7/Create-a-password-reset-disk.

EXAM TIP  Remember that you can’t use password reset disks to reset domain-based user accounts.

Configuring rights

You need to know how to configure user rights through the User Rights Assignment node of a Group Policy object.

True or False? You can block nonadministrative users from shutting down the system by configuring Group Policy.

Answer: True. User rights are configured through the Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment node of Group Policy. There are 44 policies available in this node. Although you should review all these policies as part of your exam preparation, important policies include the following:
■ Allow Log On Through Remote Desktop Services
■ Back Up Files And Directories
■ Change The System Time
■ Deny Log On Locally
■ Deny Log On Through Remote Desktop Services
■ Load And Unload Device Drivers
■ Manage Auditing And Security Log
■ Shut Down The System

When configuring policies to assign rights, best practice is to specify a group instead of a user account. This way you can assign the right to a specific user by adding the user to a security group instead of modifying the Group Policy item.

True or False? The Power Users group does not provide any special administrative rights.

Answer: True. You can assign rights by adding users to the built-in local groups. The built-in local groups on a computer running Windows 7 are as follows:
■ Administrators  Provides unrestricted access to the settings of the computer.
■ Backup Operators  Users can override file and folder permissions to back up files.
■ Cryptographic Operators  Users can perform cryptographic operations. Used only when Windows 7 is deployed in Common Criteria mode.

■ Distributed COM Users  Users can manipulate distributed COM objects.
■ Event Log Readers  Users can read data stored in the event logs, except for the Security log, which requires membership in the Administrators group.
■ Network Configuration Operators  Users can alter TCP/IP address settings.
■ Performance Log Users  Users can schedule data collector sets.
■ Performance Monitor Users  Users can access performance data.
■ Power Users  Provided for backward compatibility. Does not confer rights.
■ Remote Desktop Users  Users can make remote connections to the computer through Remote Desktop Client.
■ Replicator  Users can use file replication in a domain environment.

MORE INFO  To learn more about the default local groups, consult the following webpage: http://technet.microsoft.com/en-us/library/cc771990.aspx.

Managing credentials

You need to know how to use Credential Manager to store logon names and passwords for network resources.

True or False? You can store passwords for Remote Desktop Services servers in Windows Vault.

Answer: True. Credential Manager can store user names and passwords for file servers, websites, Remote Desktop Services, and other network resources. Credential Manager hosts this data in the Windows Vault. You can add credentials to Windows Vault by choosing Remember My Credentials when presented with the Windows Security dialog box. This dialog box is available in Windows Internet Explorer, Windows Explorer, and Remote Desktop Connection. Windows Vault can be backed up so that saved credentials can be transferred from one computer running Windows 7 to another.

MORE INFO  To learn more about Credential Manager, consult the following webpage: http://windows.microsoft.com/en-US/windows7/What-is-Credential-Manager.

Managing certificates

You need to know how to manage user and computer certificates used for authentication.

True or False? You cannot use the Certificates console to import a previously exported certificate.

Answer: False. You can use the Certificate Services console to import or export certificates. You can open the Certificates console by typing certmgr.msc in the Search Programs And Files text box. The most efficient way of deploying certificates to users is to use autoenrollment. This is not appropriate in all cases, such as the issuance of sensitive certificates. In this case, the Certificates console can be used to request

certificates that the user has permission to enroll in. The request is forwarded to the CA, where it is either automatically approved or will be approved or rejected depending on the decision of the certificate services administrator.

MORE INFO  To learn more about importing and exporting certificates, consult the following webpage: http://windows.microsoft.com/en-US/windows7/Import-or-exportcertificates-and-private-keys.

Smart cards with PIV

You need to know how to use smart cards with personal identity verification (PIV) with computers running Windows 7.

True or False? You can have Windows 7 lock the screen if a user removes the smart card while logged on.

Answer: True. Smart cards host digital certificates that you can use to authenticate with computers running Windows 7. Windows 7 supports the PIV standard. This means that you can use smart cards directly with Windows 7 without having to install third-party software. Group policies related to smart cards are located in the Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options node. These policies have the following functionality:
■ Interactive Logon: Require Smart Card  Enable this policy to force a user to log on with a smart card. Used when implementing multifactor authentication.
■ Interactive Logon: Smart Card Removal Behavior  Configure this policy to specify how the operating system will react if a smart card is removed while the user is logged on. You can choose between locking the computer, forcing logoff, and disconnecting an active Remote Desktop session.

MORE INFO  To learn more about using smart cards with Windows 7, consult the following webpage: http://technet.microsoft.com/en-us/library/dd367851(WS.10).aspx.

Elevating user privileges

You need to know how to configure UAC to display an elevation prompt for credentials when a normal user performs an action that requires elevated privileges.

True or False? A user who is logged on with a user account that does not have administrative privileges can’t elevate privileges.

Answer: False. There are several ways to elevate user privileges. Some applications, which require elevated privileges, will automatically prompt the user with a UAC prompt. If users are logged on with local administrative credentials, they can respond to this prompt either by providing consent or credentials, depending on how Group Policy is configured. If users aren’t logged on with an account that has local administrative credentials, their request for elevation is either automatically denied or they can provide alternative credentials. You learned about these Group Policy configuration options earlier in this chapter.

A user can also elevate a process by right-clicking the process and choosing the Run As Administrator option. This option triggers a UAC prompt to which the user must respond. You use the Run As Administrator option to elevate a command prompt or PowerShell session when you start it. A user can also use the runas.exe command from the command line to run programs with another user’s credentials. For example, to run the application program.exe as user Kim_Akers on computer Adelaide, issue this command:

Runas.exe /user:Adelaide\Kim_Akers "program.exe"

MORE INFO  To learn more about elevating permissions, consult the following webpage: http://technet.microsoft.com/en-us/magazine/ff431742.aspx.

Multifactor authentication

You need to know how to support multiple authentication methods, such as smart card and password, on computers running Windows 7.

True or False? You can’t force users to log on to computers running Windows 7 with a smart card.

Answer: False. The most common form of multifactor authentication used with Windows 7 is logging on with user name, password, and smart card. If you want to ensure that multifactor authentication is used, enable the Interactive Logon: Require Smart Card policy. It is possible, if you install third-party tools, to use biometric authentication, such as a fingerprint reader, as part of a multifactor authentication scheme. Windows 7 does not provide native support for this form of authentication.

MORE INFO  To learn more about planning the deployment of smart cards with Windows 7, consult the following webpage: http://technet.microsoft.com/en-us/library/ee706526(WS.10).aspx.

Can you answer these questions?

You can find the answers to these questions at the end of the chapter.
1. What steps can you take to ensure that you can run command-line utilities that require elevation?
2. What step would you take to ensure that users could log on to a computer running Windows 7 only if they had a smart card?
3. How can you ensure that users are logged off if they remove their smart card when logged on to a computer running Windows 7?
4. Which tool would you use to request a new certificate from a CA for which you had permission to enroll?

Objective 5.5: Configure BranchCache

This objective requires you to demonstrate that you know how to configure BranchCache through Group Policy and the command line, know which BranchCache mode is appropriate for a given environment, understand the network infrastructure requirements for BranchCache, and what the certificate requirements are for Hosted Cache mode.

Exam need to know
■ Distributed Cache mode vs. Hosted mode  For example: How to determine when Distributed Cache mode is more appropriate than Hosted mode.
■ Network infrastructure requirements  For example: How to determine what steps need to be taken to support Hosted Cache mode at a branch office.
■ Configuring settings  For example: How to configure Windows 7 to use Distributed Cache mode from the command line.
■ Certificate management  For example: How to configure certificates to support Hosted Cache mode.

Distributed Cache mode vs. Hosted mode

You need to know when you should choose to use Distributed Cache mode instead of Hosted Cache mode.

True or False? All computers in Distributed Cache mode at a branch office host copies of the entire cache.

Answer: False. BranchCache is a technology available to computers running Windows 7 Enterprise and Ultimate that allows them to store content accessed across a wide area network (WAN) link and share it with other Windows 7 clients on the branch office network. BranchCache can be used with data stored on Windows Server 2008 R2 web and file servers, and can’t be used with data stored on file or web servers running earlier versions of Windows Server.

Distributed Cache mode involves a group of computers running Windows 7 at a branch office sharing the cache. Each member of the Distributed Cache holds part of the cache, but no single client computer at the branch office holds all the cache. When a Windows 7 client accesses content across the WAN, it stores that content in its local cache. The next Windows 7 client at the branch office accessing the same content across the WAN will instead access that content from the local cache on the peer computer. Distributed Cache mode has the advantage of not requiring a computer running Windows Server 2008 R2 to be deployed at the branch office.

True or False? You can use a server running Windows Server 2008 as a Hosted Cache mode server.

Answer: False. Hosted Cache mode uses a central branch office cache hosted on a server running Windows Server 2008 R2. An advantage of Hosted Cache mode over Distributed Cache mode is that the cache is centralized and available as long as the server is online. If you are using Hosted Cache mode, you must deploy a server running Windows Server 2008 R2 with the BranchCache feature installed on the branch office network. This server must have an SSL certificate installed that is trusted by all BranchCache clients. When the certificate is installed, you need to link the certificate to BranchCache. You will learn how to do this later in this chapter. Clients must be configured with the address of the local Hosted Cache server by using netsh.exe or through Group Policy. You must also ensure that each computer running Windows 7 trusts the SSL certificate issued to the Hosted Cache mode server.

By default, BranchCache will use up to 5 percent of the active partition on the Hosted Cache Size. You can modify this amount by using the following command, where X is the percentage value of the active partition that you want to devote to the Hosted Cache:

Netsh branchcache set cachesize size=80 percent=true

MORE INFO  To learn more about BranchCache modes, consult the following webpage: http://technet.microsoft.com/en-us/library/dd637832(WS.10).aspx.

EXAM TIP  Remember which editions of Windows 7 support BranchCache.

Network infrastructure requirements

You need to know what server and client operating systems need to be present to support a BranchCache deployment.

True or False? BranchCache can be used by computers running Windows 7 Professional.

Answer: False. BranchCache can be used only with computers running Windows 7 Enterprise and Ultimate. Servers hosting BranchCache content must be running Windows Server 2008 R2 and must have the BranchCache feature installed. BranchCache can be used with file shares and Internet Information Server (IIS) content, including Windows Server Update Services content. When configuring a file server to support BranchCache, you must also install the BranchCache For Network Files role service and configure the \Computer Configuration\Administrative Templates\Network\Lanman Server\Hash Publication For BranchCache policy.

MORE INFO  To learn more about configuring Windows Server 2008 R2 to support BranchCache, consult the following webpage: http://technet.microsoft.com/en-us/library/dd637785(WS.10).aspx.

EXAM TIP  Remember that the Hosted Cache mode server on the branch office network must have the BranchCache feature installed.

Configuring settings

You need to know the Group Policy items and command-line tools that you can use to support BranchCache.

True or False? The default round trip delay that triggers BranchCache is 150 milliseconds.

Answer: False. To configure a Windows 7 computer as a BranchCache client, you need to enable BranchCache, choose between Hosted Cache mode and Distributed Cache mode, and then configure the appropriate Windows Firewall with Advanced Security rules. The BranchCache policies are located in the \Computer Configuration\Administrative Templates\Network\BranchCache node of a GPO. You can use the following Group Policy items to configure BranchCache:
■ Turn On BranchCache  Enables BranchCache.
■ Set BranchCache Distributed Cache Mode  Configures Windows 7 to use Distributed Cache mode. Requires that the Turn On BranchCache policy be enabled.
■ Set BranchCache Hosted Cache Mode  Configures Windows 7 to use Hosted Cache mode. Requires that the Turn On BranchCache policy be enabled.
■ Configure BranchCache For Network Files  Configures the round-trip latency that triggers the use of BranchCache. The default value is 80 milliseconds.
■ Set Percentage Of Disk Space Used For Client Computer Cache  Specifies amount of client disk space used to store BranchCache files. The default is 5 percent.

True or False? You must run netsh.exe from an elevated command prompt when configuring BranchCache to use Distributed Cache mode.

Answer: True. You can manually configure BranchCache using the netsh.exe utility. When you configure BranchCache using netsh.exe, you must run all commands except for netsh.exe show status, from an elevated command prompt. You can use the following commands to manage BranchCache:
■ Netsh.exe BranchCache reset  Resets and disables the current configuration.
■ Netsh.exe BranchCache show status  Displays the Current Service mode and configuration details.
■ Netsh.exe BranchCache set service mode=distributed  Configures the client to use Distributed Cache mode. Configures appropriate firewall rules.
■ Netsh.exe BranchCache set service mode=local  Local mode is a special mode in which remote content is cached, but not shared with other Windows 7 clients on the branch office network.

■ Netsh.exe BranchCache set service mode=hostedclient location=hostedserver  Configures Hosted Cache mode; you can specify the location of the Hosted Cache mode server.
■ Netsh.exe BranchCache set cachesize  You can configure the size of the local cache.

True or False? A BranchCache client must always allow inbound and outbound traffic on TCP port 80, irrespective of whether it is using Hosted Cache or Distributed Cache mode.

Answer: True. The firewall rules that you configure for BranchCache on the client depend on whether you are using Distributed Cache mode or Hosted Cache mode. You need to configure appropriate firewall rules when you configure BranchCache using Group Policy. If you configure BranchCache manually using the netsh.exe command-line utility, the appropriate firewall rules are generated automatically. The firewall rules related to BranchCache are as follows:
■ BranchCache – Content Retrieval (Uses HTTP)  Allows inbound and outbound traffic on TCP port 80. Used with both Hosted Cache and Distributed Cache modes.
■ BranchCache – Peer Discovery (Uses WSD)  Allows inbound and outbound traffic on UDP port 3702. Used only with Distributed Cache mode.
■ BranchCache – Hosted Cache Client (HTTPS-Out)  Allows outbound traffic on TCP port 443. This rule is required only when using Hosted Cache mode.

MORE INFO  To learn more about client settings for BranchCache, consult the following webpage: http://technet.microsoft.com/en-us/library/dd637820(WS.10).aspx.

Certificate management

You need to know how to manage the certificates that you need to deploy to support BranchCache.

True or False? You need to install an EFS certificate on a computer that functions as a Hosted Cache server.

Answer: False. The Hosted Cache mode server needs to have an SSL certificate installed where the subject name of the certificate is set to the fully qualified domain name of the server. The certificate needs to be trusted by all the BranchCache clients that will use the Hosted Cache mode server. The simplest way to accomplish this goal is to use an enterprise CA in the local domain to issue the SSL certificate because trust is automatically established. Once the certificate has been imported into the Hosted Cache mode server’s local certificate store, determine the certificate thumbprint. Once you have the thumbprint, bind the certificate to BranchCache using the following command:

NETSH HTTP ADD SSLCERT IPPORT=0.0.0.0:443 CERTHASH=<thumbprint> APPID={d673f5ee-a714-454d-8de2-492e4c1bd8f8}
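The thumbprint lookup and binding steps above can be scripted on the Hosted Cache mode server so that the wrong certificate is not bound by mistake. The following PowerShell script is an added example, not from the book; the function names, the private key, validity and chain checks, and the sample thumbprint are assumptions made here, while the IPPORT and APPID values are the ones in the command above.

```powershell
# Added example, not from the book. Run on the Hosted Cache mode server.
# APPID and IPPORT are the values from the NETSH command on this page.
$BranchCacheAppId = '{d673f5ee-a714-454d-8de2-492e4c1bd8f8}'
$X509 = 'System.Security.Cryptography.X509Certificates'

function Get-HostedCacheCertificate {
    # Finds the certificate in the local computer store whose subject name is
    # the server FQDN, then checks that it is usable for an SSL binding.
    param([string]$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName)

    $simpleName = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $now = Get-Date
    $matching = @(Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $_.GetNameInfo($simpleName, $false) -eq $Fqdn
    })
    if ($matching.Count -eq 0) { throw "No certificate with subject name $Fqdn" }

    $usable = @($matching | Where-Object {
        $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -ge $now
    } | Sort-Object NotAfter -Descending)
    if ($usable.Count -eq 0) {
        throw "Certificates for $Fqdn are expired, not yet valid, or lack a private key"
    }
    $cert = $usable[0]

    # Confirm the issuing CA chains to a trusted root on this server.
    # Clients must trust the same root; revocation is not checked here.
    $chain = New-Object "$X509.X509Chain"
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($cert)) {
        Write-Warning "Chain for $($cert.Thumbprint) does not build to a trusted root"
    }
    $cert
}

function Get-SslCertBindingArgs {
    # Builds the argument list for NETSH HTTP ADD SSLCERT.
    param([string]$Thumbprint)

    # Thumbprints copied from the certificate dialog often contain spaces or
    # an invisible leading character; keep only the hex digits.
    $hash = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($hash.Length -ne 40) {
        throw "Expected a 40-character SHA-1 thumbprint, got $($hash.Length) characters"
    }
    # Passing the APPID as a string avoids PowerShell reading {...} as a
    # script block when the command is typed directly.
    @('http', 'add', 'sslcert', 'ipport=0.0.0.0:443',
      "certhash=$hash", "appid=$BranchCacheAppId")
}

# Constructed sample thumbprint, shown the way the certificate dialog
# displays it (lowercase, separated by spaces).
$sampleThumbprint = 'a9 09 50 2d d8 2a e4 14 33 e6 f8 38 86 b0 0d 42 77 a3 2a 7b'
'netsh.exe ' + ((Get-SslCertBindingArgs -Thumbprint $sampleThumbprint) -join ' ')

# On the real server, from an elevated PowerShell session:
try {
    $cert = Get-HostedCacheCertificate
    $netshArgs = Get-SslCertBindingArgs -Thumbprint $cert.Thumbprint
    'Review, then run: netsh.exe ' + ($netshArgs -join ' ')
    # & netsh.exe $netshArgs                          # apply the binding
    # & netsh.exe http show sslcert ipport=0.0.0.0:443   # confirm it afterwards
} catch {
    Write-Warning $_.Exception.Message
}
```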

where should you install SSL certificates? 2. consult the following webpage: http://technet. Which firewall rules should you enable for a client that is using BranchCache in Distributed Cache mode? Answers This section contains the answers to the “Can you answer these questions?” sections in this chapter. Objective 5.com functioning as the branch office Hosted Cache server? 3. Which firewall rules should you enable for a client configured to use Branch- Cache in Hosted Cache mode? 4.exe command that you would use to config- ure a client to use Hosted Cache mode with the server sydney. Assign the Manage This Printer permission because the AdminAssistants group can pause and restart the shared printer. 4. Files retain permissions when moved from one folder to another on the same volume. Can you answer these questions? You can find the answers to these questions at the end of the chapter.2: Configure file and folder access 1.1: Configure shared resources 1. Configure folder redirection for the Documents folder. 1. Ensure that the 10 important files are copied to this documents folder. Objective 5. but not to alter the permissions of that file. 4. You can use the Effective Permissions tool to calculate a user’s actual permis- sions to a resource when they are a member of multiple groups. hosted on shared folders.microsoft.com/en-us/library/ dd637793(WS. Configure the Prevent The Computer From Joining A Homegroup policy. 3. What is the syntax of the netsh. When using Hosted Cache mode. 2. The file remains encrypted and retains its permissions. 2. The Shared Folders\Open Files node provides information on which files. are currently being accessed. You should assign the Read & Write permission if you want to allow a user to edit an existing file.MORE INFO To learn more about configuring certificates for a Hosted Cache server.aspx.10). Configuring Access to Resources  Chapter 5 121 .contoso. 3.

Objective 5.3: Configure User Account Control (UAC)
1. Configure the User Account Control: Behavior of the Elevation Prompt For Standard Users so that it will prompt for credentials.
2. You would configure the User Account Control: Switch To The Secure Desktop When Prompting For Elevation policy to ensure that all prompts for credentials and prompts for consent use Secure Desktop.
3. Configure the User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode policy and set it to prompt for credentials or prompt for credentials on the secure desktop.
4. You would use secpol.msc to open the Local Security Policy console.

Objective 5.4: Configure authentication and authorization
1. You can open a command prompt using the Run As Administrator option to trigger an elevated command prompt.
2. You would configure the Interactive Logon: Require Smart Card policy to ensure that users logged on to a computer running Windows 7 with a smart card.
3. You can ensure that users log off when they remove their smart card from a computer running Windows 7 by configuring the Interactive Logon: Smart Card Removal Behavior policy and setting the Force Logoff option.
4. You can use the Certificates console to request a new certificate from a CA for which you had permission to enroll.

Objective 5.5: Configure BranchCache
1. You should install SSL certificates on the Hosted Cache mode server.
2. You would use the following command:
   Netsh.exe BranchCache set service mode=hostedclient location=Sydney.contoso.com
3. You should enable the BranchCache – Peer Discovery (Uses WSD) rule and the BranchCache – Hosted Cache Client (HTTPS-Out) rule to support clients when in Hosted Cache mode.
4. You should enable the BranchCache – Peer Discovery (Uses WSD) rule and the BranchCache – Content Retrieval (Uses HTTP) rule.

Chapter 6
Configuring Mobile Computing

Approximately 10 percent of the 70-680 exam focuses on the topic of configuring mobile computing. So you need to have a good grasp of how to configure mobile computers running Microsoft Windows 7, such as laptops and tablets, with features such as BitLocker, DirectAccess, offline files, and VPN connections.

This chapter covers the following objectives:
■ Objective 6.1: Configure BitLocker and BitLocker To Go
■ Objective 6.2: Configure DirectAccess
■ Objective 6.3: Configure mobility options
■ Objective 6.4: Configure remote connections

Objective 6.1: Configure BitLocker and BitLocker To Go

Both portable computers and USB flash drives are likely to contain important confidential organizational data. If these devices aren’t protected through a technology such as BitLocker or BitLocker To Go, it is incredibly easy for unauthorized third parties to recover the data stored on these devices.

Exam need to know
■ Configuring BitLocker and BitLocker To Go policies  For example: How to know which BitLocker policy you would configure to ensure that users can’t write data to BitLocker To Go protected USB flash drives from other organizations.
■ Managing Trusted Platform Module (TPM) PINs  For example: How to configure Windows 7 to require that a user enter a TPM PIN to successfully start the computer.
■ Configuring startup key storage  For example: How to configure BitLocker to require a startup key.

■ Data recovery agent support  For example: How to configure BitLocker and BitLocker To Go to use a specific data recovery agent certificate to simplify the process of recovering data from protected drives.

Configure BitLocker and BitLocker To Go policies

You need to be familiar with what you can and can’t accomplish using the BitLocker related group policies.

True or False? You can configure BitLocker so that the computer can boot successfully only if a specially prepared USB storage device is connected.

Answer: True. BitLocker prevents unauthorized parties from recovering data from computers using an offline attack. It accomplishes this by providing full volume encryption that is transparent to an authorized user of the computer. Data cannot be recovered from a volume encrypted using BitLocker unless the person attempting the recovery has the BitLocker recovery key or access to a specially configured data recovery agent (DRA). BitLocker also offers boot integrity protection, requiring a user to enter the BitLocker recovery key if the boot environment has been altered.

BitLocker can be made more secure through the use of a Trusted Platform Module (TPM) chip, personal identification number (PIN), and a BitLocker startup key. A TPM chip is a special chip that can store the BitLocker encryption key and also can store boot integrity information. A startup key is a special cryptographically generated file that can be stored on a removable USB device. You can use these in the following combinations to secure a computer:
■ TPM only mode  Does not require a PIN or startup key. User is unaware that BitLocker is functioning unless the boot environment is modified.
■ TPM with startup key  Successful boot requires that the user must connect a USB device that hosts a preconfigured startup key prior to the computer powering on.
■ TPM with PIN  Successful boot requires that users enter a PIN to successfully boot the computer. Group Policy can be configured to determine whether this is simply a four-digit number or if a password containing alphanumeric characters and symbols is required.
■ TPM with PIN and startup key  Successful boot requires that the user connect a USB device that hosts a preconfigured startup key prior to boot and enters a PIN during boot.
■ Startup key without a TPM  This combination provides hard disk encryption, but doesn’t provide boot integrity protection. Successful boot requires that the user must connect a USB device that hosts a preconfigured startup key prior to the computer powering on.

BitLocker policies are located in the Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption node. Under this node, there are nodes for policies related to Fixed Data Drives, Operating System Drives, and Removable Data Drives. The policies available under each of these nodes are generally the same. You should review these policies prior to taking the exam. The most important of these policies are as follows:

■■ Require Additional Authentication At Startup  You can specify startup authentication options including whether BitLocker must be used with a TPM, with a startup key, and with a TPM startup PIN.
■■ Allow Enhanced PINs for Startup  You can use alphanumeric passwords with symbols as TPM startup PINs.
■■ Configure Minimum PIN Length For Startup  You can specify the minimum length for the TPM startup PIN.
■■ Choose How BitLocker-Protected Operating System Drives Can Be Recovered  You can set a DRA, a 48-digit recovery password and a 256-bit recovery key as well as backup of password and keys to Active Directory.
■■ Configure Use Of Password For Fixed Data Drives  Determines whether a password is required to unlock BitLocker-protected fixed data drives (as opposed to operating system drives). You can configure password complexity.
■■ Deny Write Access To Fixed Drives Not Protected By BitLocker  Blocks users from writing data to drives (other than the operating system drive) not protected by BitLocker.

You should especially review the following policy:

■■ Provide The Unique Identifiers For Your Organization  You can specify an organizational ID. Use this ID with other policies to limit the use of BitLocker to drives encrypted within your organization.

You should review these policies on a computer running Windows 7 prior to taking the exam.

True or False? Windows XP clients can be configured to write to BitLocker To Go protected removable drives.

Answer: False. BitLocker To Go provides full volume encryption for removable volumes including flash drives and removable hard disk drives. BitLocker To Go doesn’t require a TPM chip or require that Group Policy be configured to require an authentication method such as a startup key. BitLocker To Go is available to clients running the Enterprise and Ultimate editions of Windows 7. Computers running the other editions of Windows 7 can read and write data on BitLocker To Go protected drives, but cannot be used to configure a drive to use BitLocker To Go. BitLocker To Go can be configured so that clients running the Windows Vista and Windows XP operating systems can read data from protected disks. Clients running Windows Vista and Windows XP can’t be configured to write data to BitLocker To Go protected disks.

BitLocker To Go can be used with the following Group Policy items:

■■ Control Use Of BitLocker On Removable Drives  You can control whether users can apply BitLocker protection to removable drives and whether users can remove BitLocker protection from removable drives.
■■ Configure Use Of Smart Cards On Removable Data Drives  You can enable or require the use of a smart card to authenticate access to a removable storage device.
■■ Deny Write Access To Removable Drives Not Protected By BitLocker  You can block users from writing data to any drive not protected by BitLocker. You can also limit the writing of data to drives to those protected by BitLocker that were configured within your organization.
■■ Allow Access To BitLocker-Protected Removable Data Drives From Earlier Versions of Windows  Blocks or allows Windows Vista and Windows XP clients to read data from FAT-formatted, BitLocker-protected, removable drives.
■■ Configure Use Of Passwords For Removable Data Drives  Determines whether a password is required to unlock BitLocker To Go protected drives. Can be used to force password complexity policies to be applied.
■■ Choose How BitLocker-Protected Removable Drives Can Be Recovered  Configures a DRA or recovery password for BitLocker To Go protected removable drives.

MORE INFO  To learn more about BitLocker and BitLocker To Go group policies, consult the following webpage: http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx.

EXAM TIP  Remember that computers running Microsoft Windows XP can read data only from drives configured with BitLocker To Go and then only under certain conditions.

Managing Trusted Platform Module (TPM) PINs

You need to know how to configure a TPM to require a PIN for successful boot and how to set, back up, and recover those PINs.

True or False? You can require that TPM PINs be backed up to Active Directory.

Answer: True. TPM PINs can be a standard numerical password or can be alphanumeric with symbols. The TPM PIN must be entered for the computer to successfully boot. If a user forgets the TPM PIN, the computer won’t boot into Microsoft Windows 7. It is important to ensure that the TPM PINs or passwords are backed up and are recoverable, and Active Directory, properly configured, provides a method through which this goal can be accomplished. You can ensure that TPM recovery information is backed up to Active Directory by enabling the Turn On TPM Backup To Active Directory Domain Services policy and selecting the Require TPM Backup to AD DS check box. This policy can be found in the Computer Configuration\Administrative Templates\System\Trusted Platform Module Services node.

True or False? You can turn the TPM off using the TPM Management console.

Answer: True. With the TPM Management console, you can back up TPM recovery information in Active Directory Domain Services (AD DS), clear the TPM, reset TPM lockout, and enable or disable the TPM. You can also use the console to change the TPM owner password and reset the TPM to factory default settings. The TPM Management console is accessible through the BitLocker Drive Encryption Control Panel.

MORE INFO  To learn more about TPM management, consult the following webpage: http://technet.microsoft.com/en-us/library/cc755108(WS.10).aspx.

True or False? You must update the Active Directory schema to support TPM backup if your domain is running at the Microsoft Windows Server 2008 functional level.

Answer: False. If your organization’s domain controllers are running Windows Server 2008 or Windows Server 2008 R2, it is not necessary to update the schema to support this functionality. If your organization’s domain controllers are running Microsoft Windows Server 2003 Service Pack 1 or Service Pack 2, you must update the Active Directory schema to support backing up of TPM module recovery information.

MORE INFO  To learn more about backing up TPM recovery information to Active Directory, consult the following webpage: http://technet.microsoft.com/en-us/library/dd875529(WS.10).aspx.

EXAM TIP  Remember that it is possible to force the backup of TPM recovery information to Active Directory.

Configuring startup key storage

You need to know how to manage and recover BitLocker startup keys.

True or False? Startup key files can be backed up to Active Directory.

Answer: False. BitLocker startup keys are special cryptographically generated files that are stored on USB flash drives. A computer running Windows 7 can be configured to require that a startup key be present when the computer boots or resumes from hibernation. The startup key can be stored on a USB flash drive formatted using the FAT, FAT32, or NTFS file system. When you use a startup key in combination with a TPM, part of the encryption key that unlocks BitLocker-protected volumes is stored by the TPM, and part is stored on a USB flash drive. BitLocker can also be configured on computers that do not have TPMs if a startup key is used. If the startup key is lost, you can recover by entering the recovery password or recovery key. Individual startup keys are not backed up to Active Directory.

MORE INFO  To learn more about startup keys, consult the following webpage: http://windows.microsoft.com/en-US/windows7/Can-I-use-a-BitLocker-startup-keywith-a-TPM.

Data recovery agent support

You need to know how to configure BitLocker and BitLocker To Go so that a DRA can be used to recover BitLocker encrypted volumes.

True or False? A data recovery agent (DRA) is a special digital certificate that you can use to recover specially prepared BitLocker encrypted drives.

Answer: True. Typically you use either a 48-digit recovery password or a 256-bit recovery key that is unique to the BitLocker-protected volume to recover data from a BitLocker-protected drive. You can use a DRA to recover information even if the recovery password is lost. The advantage of a DRA is that you need to use only one certificate to perform recovery rather than having to extract a specific recovery key. To configure BitLocker to support a DRA, perform the following steps:

1. Specify the user account enrolled with a DRA certificate to the Computer Configuration\Windows Settings\Security Settings\Public Key Policies\BitLocker Drive Encryption node.
2. Configure the Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Provide The Unique Identifiers For Your Organization policy. BitLocker can manage and update DRAs only when the identification field on the drive matches the value configured in this policy.
3. Configure the following policies to allow particular volume types to be recoverable with a DRA:
■■ Choose How BitLocker-Protected Operating System Drives Can Be Recovered
■■ Choose How BitLocker-Protected Fixed Drives Can Be Recovered
■■ Choose How BitLocker-Protected Removable Drives Can Be Recovered
4. If you have enabled BitLocker on a volume prior to configuring a DRA, you can use the manage-bde -SetIdentifier command to make it recoverable via DRA.

True or False? You can use the manage-bde command to unlock a BitLocker-protected volume.

Answer: True. To verify that a BitLocker-protected volume is configured for recovery using a DRA, run the manage-bde -protectors -get command. The output of this command will display the certificate thumbprint associated with the DRA. To recover a BitLocker-encrypted volume, ensure that the DRA certificate is present in the certificate store and then run the manage-bde.exe -unlock <drive> -Certificate -ct <certificate thumbprint> command from an elevated command prompt.
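The verification step above can be run against every fixed and removable volume at once. The following Windows PowerShell script is an added example, not code from the book: the thumbprint is a constructed placeholder, the function names are hypothetical, and the check relies only on the thumbprint appearing in the manage-bde -protectors -get output, as the text states.

```powershell
# Added example (not from the book). Run from an elevated PowerShell prompt.
# Assumption: replace this constructed placeholder with the thumbprint of the
# DRA certificate published under Public Key Policies\BitLocker Drive Encryption.
$ExpectedThumbprint = '00112233445566778899AABBCCDDEEFF00112233'   # constructed value

function Test-DraProtector {
    # Returns $true when the thumbprint occurs in the text printed by
    # "manage-bde -protectors -get <drive>". Whitespace is removed first so a
    # thumbprint that is wrapped or spaced in the output still matches.
    param([string[]]$ProtectorOutput, [string]$Thumbprint)
    $flat = (($ProtectorOutput -join '') -replace '\s', '').ToUpper()
    $want = ($Thumbprint -replace '\s', '').ToUpper()
    if ($want.Length -eq 0) { return $false }
    return $flat.Contains($want)
}

function Get-DraCoverage {
    param([string]$Thumbprint)
    # DriveType 2 = removable (BitLocker To Go), 3 = fixed and operating system drives.
    $disks = Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2 OR DriveType=3'
    foreach ($disk in $disks) {
        $drive = $disk.DeviceID                      # for example "C:"
        $out = & manage-bde.exe -protectors -get $drive 2>&1 | ForEach-Object { "$_" }
        if ($LASTEXITCODE -ne 0) {
            $state = 'manage-bde reported an error (volume may have no key protectors)'
        } elseif (Test-DraProtector -ProtectorOutput $out -Thumbprint $Thumbprint) {
            $state = 'DRA thumbprint present'
        } else {
            $state = 'DRA thumbprint missing'
        }
        New-Object PSObject -Property @{ Drive = $drive; State = $state }
    }
}

Get-DraCoverage -Thumbprint $ExpectedThumbprint | Format-Table Drive, State -AutoSize
```

A volume reported as missing the thumbprint was typically encrypted before the DRA policies applied; step 4 above (manage-bde -SetIdentifier) is the remedy the text gives.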

MORE INFO  To learn more about using a DRA with BitLocker, consult the following webpage: http://technet.microsoft.com/en-us/library/dd875560(WS.10).aspx.

EXAM TIP  Remember that it is possible to recover BitLocker-protected volumes using a 48-digit recovery password, a 256-bit recovery key, or a specially configured DRA.

Can you answer these questions?

You can find the answers to these questions at the end of the chapter.

1. Which method would you use to ensure that BitLocker-protected drives can be recovered without having to recover the keys associated with an individual computer?
2. Which method can you use to enable BitLocker on a computer that does not have a TPM?
3. Which policies would you configure to ensure that both a recovery password and a recovery key are required for operating system drives and that those items are backed up to Active Directory?
4. Which policy would you configure to enable users to use alphanumeric and symbol characters for their TPM Startup PIN?

Objective 6.2: Configure DirectAccess

The primary difference between DirectAccess and a typical VPN is that DirectAccess performs authentication at the computer level and doesn’t require any form of user authentication. With DirectAccess, a user simply powers on his or her computer, connects to an Internet access point, and then automatically gains access to the organization’s internal network.

Exam need to know
■■ Configuring client side
For example: How to know which editions of Windows 7 support DirectAccess.
■■ Configuring authentication
For example: How to know what type of certification authority (CA) you should use to automatically issue computer certificates to support DirectAccess authentication.
■■ Network infrastructure requirements
For example: How to describe the versions of Microsoft Windows Server that must be deployed on the organizational network to support DirectAccess.

Configuring client side

You need to know what steps to take to prepare a computer running Windows 7 to function as a DirectAccess client.

True or False? Windows 7 Professional supports DirectAccess.

Answer: False. Windows 7 Enterprise and Windows 7 Ultimate support DirectAccess. These computers must be members of an Active Directory domain and must have a computer certificate for IPsec authentication installed. When configuring a computer for DirectAccess, the computer account must be a member of a specially configured security group. This group is specified when running the DirectAccess Wizard during initial configuration on the DirectAccess server.

True or False? DirectAccess requires user authentication.

Answer: False. DirectAccess does not require the user to authenticate when establishing a connection as authentication occurs using a computer certificate. DirectAccess is a special type of IPv6, encrypted VPN connection that makes an automatic connection when an Internet connection is detected. DirectAccess is bidirectional, so Group Policies and other management technologies can manage the computer as though it were connected to a LAN. DirectAccess can be integrated with NAP to ensure that mobile clients are kept up to date with software updates and antimalware software and definitions.

True or False? You need to manually configure Group Policy to support DirectAccess.

Answer: False. DirectAccess configuration is pushed to the client through Group Policy. Group Policies for DirectAccess are configured when you run the DirectAccess Client Setup Wizard on the DirectAccess server during initial configuration. Two GPOs are created: One applies to the DirectAccess clients and the other to the DirectAccess server. You don’t have to edit the policies manually; they are configured based on your responses to the DirectAccess Setup Wizard.

True or False? DirectAccess clients on the Internet need a globally routable IPv6 address to make a successful connection.

Answer: False. The method that the client uses to connect to the DirectAccess server depends on its local connectivity (for example, if the client’s Internet connection point provides the following):

■■ A globally routable IPv6 address: DirectAccess will use this address.
■■ A public IPv4 address: DirectAccess will use 6to4.
■■ A private IPv4 address: DirectAccess will use Teredo unless the NAT device also provides 6to4 gateway functionality. In that case, DirectAccess will use 6to4.

If these methods fail, the client will fall back to using IP-HTTPS.
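The client-side prerequisites in this section (edition, domain membership, computer certificate) can be checked on a candidate computer before it is added to the DirectAccess client security group. The following Windows PowerShell script is an added example, not code from the book; the function names are hypothetical, and treating a certificate as usable when it has a private key, is within its validity period and carries the Client Authentication EKU is an assumption of this example.

```powershell
# Added example (not from the book). Reports the DirectAccess client
# prerequisites named in this section for the local computer.
# Membership of the DirectAccess client security group is not checked here.

function Test-DirectAccessEdition {
    param([int]$Sku)
    # Win32_OperatingSystem.OperatingSystemSKU: 1 = Ultimate, 4 = Enterprise,
    # 27 = Enterprise N, 28 = Ultimate N. Windows 7 Professional reports 48.
    return ((1, 4, 27, 28) -contains $Sku)
}

function Test-ComputerCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # Assumption: usable = inside its validity period, has a private key,
    # and carries the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2).
    $now = Get-Date
    if ($Certificate.NotBefore -gt $now -or $Certificate.NotAfter -lt $now) { return $false }
    if (-not $Certificate.HasPrivateKey) { return $false }
    foreach ($ext in $Certificate.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq '1.3.6.1.5.5.7.3.2') { return $true }
            }
        }
    }
    return $false
}

function Get-DirectAccessReadiness {
    $os = Get-WmiObject Win32_OperatingSystem
    $cs = Get-WmiObject Win32_ComputerSystem
    # Computer certificates live in the local machine's Personal store.
    $certs = @(Get-ChildItem Cert:\LocalMachine\My |
               Where-Object { Test-ComputerCertificate $_ })

    $result = New-Object PSObject
    $result | Add-Member -MemberType NoteProperty -Name Edition -Value $os.Caption
    $result | Add-Member -MemberType NoteProperty -Name EditionSupported `
        -Value (Test-DirectAccessEdition $os.OperatingSystemSKU)
    $result | Add-Member -MemberType NoteProperty -Name DomainJoined -Value $cs.PartOfDomain
    $result | Add-Member -MemberType NoteProperty -Name Domain -Value $cs.Domain
    $result | Add-Member -MemberType NoteProperty -Name UsableComputerCerts -Value $certs.Count
    $result | Add-Member -MemberType NoteProperty -Name Ready `
        -Value ((Test-DirectAccessEdition $os.OperatingSystemSKU) -and
                $cs.PartOfDomain -and ($certs.Count -gt 0))
    $result
}

Get-DirectAccessReadiness | Format-List
```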

MORE INFO  To learn more about DirectAccess requirements, consult the following webpage: http://technet.microsoft.com/en-us/library/ee382305(WS.10).aspx.

Configuring authentication

You need to know what steps you need to take to ensure that DirectAccess clients can authenticate.

True or False? DirectAccess requires that users authenticate using a smart card.

Answer: False. This isn’t necessary because DirectAccess usually authenticates the computer before the user logs on, although this grants access only to domain controllers and DNS servers. Once the user logs on, DirectAccess authenticates the user, and the user can access network resources in a normal manner. By default, this is done through user account and password credentials, but it is also possible to configure user authentication to require smart cards. You can configure DirectAccess to use smart cards to authenticate remote users. Configuring this method of authentication requires the same steps as configuring smart cards for access to the LAN.

MORE INFO  To learn more about using DirectAccess and smart card authentication, consult the following webpage: http://technet.microsoft.com/en-us/library/dd637823(WS.10).aspx.

True or False? You have to modify the properties of the default computer certificate template to enable automatic enrollment.

Answer: True. You’ll have to make a duplicate of the existing computer certificate template and configure the duplicate to support autoenrollment. DirectAccess uses computer certificates for authentication. Although it is possible to use certificates from a trusted third-party CA, because all computers using DirectAccess must be members of an Active Directory domain, you should use computer certificates issued from an internal CA to support this authentication. The certificate used on the DirectAccess server must be trusted by the DirectAccess clients. The certificates used by the clients should be trusted by the DirectAccess server. If you want to use certificate autoenrollment to simplify the certificate deployment process, you’ll have to use an enterprise root or enterprise subordinate CA.

True or False? If you are using a single CA to issue certificates for all DirectAccess components, the CRL distribution point (CDP) needs to be accessible only on the internal network.

Answer: False. You need to ensure that the certificate revocation list (CRL) distribution points (CDPs) are accessible to DirectAccess clients. You configure CDPs on the Extensions tab of the CA properties dialog box. You can configure multiple CDPs for a single CA. If you are using Windows Server 2008 R2 CAs, you can also use one or more Online Certificate Status Protocol (OCSP) arrays as CDPs. CDPs are used in the following parts of the DirectAccess process:

■■ DirectAccess clients check CRLs to validate the DirectAccess server certificate when using IP-HTTPS connections. Without access to the CDP, IP-HTTPS communication will fail. This CDP needs to be accessible to clients on the Internet.
■■ DirectAccess clients must perform a certificate revocation check to validate the SSL certificate on the network location server. This CDP needs to be accessible to clients on the internal network.

MORE INFO  To learn more about configuring CDPs, consult the following webpage: http://technet.microsoft.com/en-us/library/ee382302(WS.10).aspx.

EXAM TIP  Remember that if you want to use autoenrollment for computer certificates, you’ll need to modify the properties of the existing certificate template.

Network infrastructure requirements

You need to know what components must be present on the organizational network to support a DirectAccess deployment.

True or False? The Internet interface of the DirectAccess server must be assigned two consecutive public IPv4 addresses.

Answer: True. The DirectAccess server is a server running Windows Server 2008 R2 with the DirectAccess Management Console feature installed. To function as a DirectAccess server, the host must meet the following requirements:

■■ The DirectAccess server must be a member of an Active Directory domain.
■■ The DirectAccess server must have a minimum of two network adapters.
■■ At least one of the network adapters on a DirectAccess server must be connected to the public Internet and must be assigned two consecutive public IPv4 addresses.
■■ At least one of the network adapters on the DirectAccess server must be connected to the internal network.
■■ The DirectAccess server must have a digital certificate that supports server authentication installed. This certificate must match the fully qualified domain name that is assigned to the public IP addresses used by the server’s external network interface.

You must configure an internal website that is protected by an SSL certificate trusted by both the DirectAccess server and the DirectAccess clients. Clients attempt to connect to this website to determine whether they are on the organizational network or on the Internet. This website must be configured so that it can be accessed only by clients on the organization’s internal network.

True or False? At least one domain controller running Windows Server 2008 R2 must be a member of the same domain as the DirectAccess clients.

Answer: True. On top of the requirements for the DirectAccess server, the internal network must have the following:

■■ At least one domain controller must be running Windows Server 2008 R2 or Windows Server 2008.
■■ A server running Windows Server 2008 or Windows Server 2008 R2 with the Active Directory Certificate Services role installed that is configured as either an enterprise root or an enterprise subordinate CA.
■■ A DNS server running Windows Server 2008 R2 or Windows Server 2008 with hotfix Q958194 or Service Pack 2 installed.

To ensure that DirectAccess clients can communicate with internal network resources, you need to do one of the following:

■■ Configure all internal resources with IPv6 addresses.
■■ Configure ISATAP on the intranet so DirectAccess clients can tunnel IPv6 traffic over an internal IPv4 intranet.
■■ Configure a NAT-PT device, so those devices that only support IPv4 can be accessible to DirectAccess clients.

You must also ensure that all application servers that you want DirectAccess clients to interact with allow ICMPv6 traffic inbound and outbound.

MORE INFO  To learn more about DirectAccess requirements, consult the following webpage: http://technet.microsoft.com/en-us/library/ee382305(WS.10).aspx.

EXAM TIP  Remember which editions of Windows 7 support DirectAccess.

Can you answer these questions?

You can find the answers to these questions at the end of the chapter.

1. You are planning the deployment of CDPs to support certificate revocation checks for clients. From which location does the CDP need to be accessible for clients that are using IP-HTTPS with DirectAccess?
2. What kind of certificate needs to be installed on a DirectAccess client?
3. What methods can a DirectAccess client that is issued the IP address 192.168.15.101 to connect to the Internet from a hotel DHCP server where NAT does not support 6to4 gateway functionality use to make a DirectAccess connection?
4. What requirements must a Windows 7 computer meet to use DirectAccess?

Objective 6.3: Configure mobility options

The configuring mobility options objective deals with configuring mobile computers to support the use of offline files, transparent caching, and migrating power policies.

Exam need to know
■■ Configuring offline file policies
For example: How to configure Windows 7 to support offline files.

■■ Transparent caching
For example: How to configure Windows 7 to use transparent caching.
■■ Creating and migrating power policies
For example: How to import and export a power policy.

Configuring offline file policies

You need to know what offline file policies are available and how you can use them to accomplish specific objectives.

True or False? Users can make files available for offline access.

Answer: True. With Offline Files, a Windows 7 client can locally cache files that are hosted in shared folders so that the user can access those files when the computer can’t initiate a direct connection to the hosting server. Unless an administrator has configured a shared folder to block the use of offline files, users can make files available offline by right-clicking the file and then clicking the Always Available Offline option. The Offline Files feature in Windows 7 can be used in the following operating modes:

■■ Online  Changes made to files are written first to the host file share and then to the local cache. Read requests are handled by the local cache. Synchronization occurs automatically and can be triggered manually. This is the default mode.
■■ Auto-offline  When a network disconnection or error is detected, Windows 7 will go to auto-offline mode. File read and write operations occur against the offline files cache. Windows 7 will attempt reconnection every 2 minutes. If a connection is established, client returns to online mode.
■■ Manual offline  User forces the transition to offline mode by selecting Work Offline in Windows Explorer. When the computer is put in offline mode manually, it must be returned to online mode manually.
■■ Slow-link  This mode is enabled automatically when the link speed falls below a default value of 64,000 bits per second. When this happens, the client treats the network as if a disconnection has occurred. When the link speed improves, the client returns to online mode.

True or False? Administrators can configure a list of files and folders that are always available for offline use through Group Policy.

Answer: True. Offline files policies are located in the Computer Configuration\Administrative Templates\Network\Offline Files node of a GPO. Offline files policies are also available under the User Configuration\Administrative Templates\Network\Offline Files node of a GPO. The offline files policies that are available for computers running Windows 7 are as follows:

■■ Administratively Assigned Offline Files  An administrator can specify network files and folders that are always available for offline use.
■■ Configure Background Sync  You can configure a sync schedule for folders in “slow-link” mode.

■■ Limit Disk Space Used By Offline Files  You can configure how much disk space, in megabytes, is reserved to store offline files.
■■ Allow Or Disallow Use Of The Offline Files Feature  You can block or allow the use of offline files.
■■ Encrypt The Offline Files Cache  Ensures that files stored in the offline files cache are encrypted.
■■ Event Logging Level  You can specify the amount of detail related to Offline Files recorded in the event log.
■■ Exclude Files From Being Cached  You can specify file types, based on file extension, that you want to block from being made available through Offline Files.
■■ Remove ‘Make Available Offline’  You can block users from making network files and folders available offline.
■■ Enable Transparent Caching  Used to enable transparent caching. You’ll learn more about this topic later in the chapter.
■■ Turn On Economical Application Of Administratively Assigned Offline Files  When enabled, only new files and folders in administratively assigned folders will sync at logon. Older files will be synchronized later.
■■ Configure Slow-Link Mode  When Offline Files operates in slow-link mode, all network file requests will be satisfied from the Offline Files cache even though the computer is still technically online.

MORE INFO  To learn more about offline files, consult the following webpage: http://technet.microsoft.com/en-us/library/gg277982(WS.10).aspx.

Transparent caching

You need to know how to enable transparent caching and the difference between it and Offline Files and BranchCache.

True or False? Transparent caching stores files in the Offline Files cache.

Answer: True. Transparent caching optimizes bandwidth consumption on WAN links for mobile users and users at branch office sites that are accessing network files and folders that have not been explicitly made available offline. After a user has opened a file off a remote server where the network latency exceeds the configured value, the file is stored in the Offline Files cache on the local hard disk drive. Subsequent file access is from the cached file, although checks are performed to verify that the cached file is up to date. Modifications to the file are written back to the server, not to the cache. This makes it different from BranchCache and Offline Files.

True or False? Transparent caching is enabled by default on computers running Windows 7 Enterprise and Ultimate.

Answer: False. Transparent caching is not enabled by default. You enable transparent caching by configuring the Enable Transparent Caching policy that is available in the Computer Configuration\Administrative Templates\Network\Offline Files node of a Group Policy. The default value is to cache files if there is a 32,000-millisecond network latency, though this can be adjusted. Transparent caching is also automatically enabled when you enable BranchCache. Files subject to transparent caching are not available to the user when the user is offline. You learned about BranchCache in Chapter 5, “Configuring Access to Resources.”

MORE INFO  To learn more about transparent caching, consult the following webpage: http://technet.microsoft.com/en-us/library/ff633429(WS.10).aspx.

EXAM TIP  Remember the difference between transparent caching and BranchCache.

Creating and migrating power policies

You need to know how to create a new power scheme, as well as how to import and export an existing power scheme.

True or False? You can create a new power scheme using the powercfg.exe utility.

Answer: True. Power policies are also known as power schemes. You create new power policies by duplicating existing policies and then modifying them. To do this from the GUI, open the Power Options Control Panel item, click Create A Power Plan, and then select the plan you want to use as the basis for the new plan. Enter a name for the plan and click Create. You can create a new power scheme using powercfg.exe by using the -duplicatescheme parameter. You must supply the GUID of the scheme that you want to duplicate. You’ll learn more about configuring power in Chapter 7, “Monitoring and Maintaining Systems that Run Windows 7.”

MORE INFO  To learn more about creating power plans, consult the following webpage: http://windows.microsoft.com/en-US/windows7/Change-create-or-delete-apower-plan-scheme.

True or False? You import and export power schemes using powercfg.exe.

Answer: True. You export and import power schemes from the command line using the powercfg.exe utility. You cannot export or import a power scheme using the Power Options Control Panel item. To export a power scheme, you must know the scheme’s GUID. To get a power scheme’s GUID, use the powercfg.exe -list command from an elevated command prompt. This command will output all current power schemes and their GUIDs. To export a power scheme, use this command: powercfg -export name.pow <GUID>, where name.pow is the name of the power scheme that you want to export. To import a power scheme, issue the command powercfg -import name.pow. You can either supply a GUID, or allow Windows 7 to generate and use a new GUID.
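The list, export, and import commands described above chain together naturally when migrating every scheme from a reference computer. The following Windows PowerShell script is an added example, not code from the book: the function names and the C:\PowerSchemes folder are hypothetical, the sample listing is constructed in the format printed by English-language Windows 7, and the parser assumes that English "GUID:" label.

```powershell
# Added example (not from the book). Run from an elevated PowerShell prompt.
# Constructed sample in the format printed by "powercfg -list" on English
# Windows 7 (the three built-in plans); used to show the parser offline.
$SampleList = @(
    'Existing Power Schemes (* Active)',
    '-----------------------------------',
    'Power Scheme GUID: 381b4222-f694-41f0-9685-ff5bb260df2e  (Balanced) *',
    'Power Scheme GUID: 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c  (High performance)',
    'Power Scheme GUID: a1841308-3541-4fab-bc81-f71556f20b4a  (Power saver)'
)

function ConvertFrom-PowerCfgList {
    # Turns "powercfg -list" lines into objects with Guid, Name and Active.
    param([string[]]$Lines)
    $pattern = 'GUID:\s*([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})\s+\((.+)\)\s*(\*?)\s*$'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            New-Object PSObject -Property @{
                Guid   = $Matches[1]
                Name   = $Matches[2]
                Active = ($Matches[3] -eq '*')     # trailing * marks the active scheme
            }
        }
    }
}

function Export-AllPowerSchemes {
    # Exports every scheme on this computer to <Directory>\<scheme name>.pow.
    param([string]$Directory)
    if (-not (Test-Path $Directory)) {
        New-Item -ItemType Directory -Path $Directory | Out-Null
    }
    $full = (Resolve-Path $Directory).Path         # keep full paths for the later import
    foreach ($scheme in (ConvertFrom-PowerCfgList (& powercfg.exe -list))) {
        $name = ($scheme.Name -replace '[^\w\- ]', '_') + '.pow'
        $file = Join-Path $full $name
        & powercfg.exe -export $file $scheme.Guid | Out-Null
        if ($LASTEXITCODE -eq 0) {
            Write-Output ("exported {0} -> {1}" -f $scheme.Name, $file)
        } else {
            Write-Warning ("export failed for {0} ({1})" -f $scheme.Name, $scheme.Guid)
        }
    }
}

# Parser check against the constructed sample, then the real export.
ConvertFrom-PowerCfgList $SampleList | Format-Table Name, Guid, Active -AutoSize
Export-AllPowerSchemes -Directory 'C:\PowerSchemes'    # hypothetical folder

# On the target computer, each file is then imported as the text describes:
#   powercfg -import C:\PowerSchemes\Balanced.pow
```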

MORE INFO  To learn more about powercfg.exe, consult the following webpage: http://technet.microsoft.com/en-us/library/cc748940(WS.10).aspx.

EXAM TIP  Remember that you use powercfg.exe to import and export power schemes.

Can you answer these questions?

You can find the answers to these questions at the end of the chapter.

1. What command can you run to display the GUIDs of all power schemes on a computer running Windows 7?
2. What method would you use to export a power scheme?
3. What steps do you need to take to enable transparent caching on a computer running Windows 7?
4. What policy should you configure to ensure that .mp3 files are not available as offline files?

Objective 6.4: Configure remote connections

Unless an organization has already deployed DirectAccess, it is likely that mobile computers will use a VPN to remotely access the organizational network. Setting up remote access involves understanding VPN protocols and authentication, Network Access Protection quarantine, dial-up, and Remote Desktop (RD) Gateway functionality.

Exam need to know
■■ Establishing VPN connections and authentication
For example: How to configure Windows 7 to use SSTP as a VPN protocol.
■■ Enabling a VPN Reconnect
For example: How to understand the requirements for deploying VPN Reconnect.
■■ Advanced security auditing
For example: How to configure Windows 7 to use advanced auditing policies.
■■ NAP quarantine remediation
For example: How to understand the NAP remediation process.
■■ Dial-up connections
For example: How to configure a dial-up connection.
■■ Remote Desktop
For example: How to configure Windows 7 to use a RD Gateway server.
■■ Published apps
For example: How to configure RemoteApp applications to work from the Internet through the RD Gateway.

Establishing VPN connections and authentication
You need to know what the VPN options are for computers running Windows 7 and what authentication options are appropriate for a given set of circumstances.
True or False? By default, a VPN connection will use only the L2TP/IPsec VPN protocol.
Answer: False. By default, newly created VPN connections use the automatic VPN type, which means that the client will attempt to use the most secure protocol. If that is not available or is unsupported, they switch to a less secure protocol. After you have created the connection, you can edit the VPN connection’s properties and specify that a specific protocol is used, but the connection can use only that protocol and no others.
Creating a VPN involves specifying the address of the remote VPN server and providing authentication credentials. Users without local administrative privileges can create new VPN connections by clicking Set Up A New Connection Or Network and then Connect To A Workplace in the Network And Sharing Center. Administrators can also simplify the deployment of VPNs by creating Connection Manager Administration Kit (CMAK) profiles that automate the setup of remote access connections.
MORE INFO To learn more about the CMAK, consult the following webpage: http://technet.microsoft.com/en-us/library/cc753977(WS.10).aspx.
True or False? The IKEv2 VPN protocol supports VPN Reconnect.
Answer: True. Every edition of Windows 7 supports VPNs that use the following protocols:
■■ PPTP  The least secure form of VPN. Does not require access to digital certificates. Can use MS-CHAP, MS-CHAPv2, EAP, and PEAP authentication protocols. Windows 7 uses PPTP to support incoming VPN connections.
■■ L2TP/IPsec  Requires a certificate services infrastructure or can be used with preshared keys. Traditionally, certificate services is deployed to provision both VPN clients and servers with certificates for authentication. Most third-party VPN solutions support L2TP/IPsec.
■■ SSTP  SSTP tunnels over port 443, meaning that it can pass across almost all firewalls that allow Internet access, something that is not true of other VPN protocols. SSTP requires a VPN server running Windows Server 2008 or Windows Server 2008 R2.
■■ IKEv2  Can be used only with computers running Windows 7 and Windows Server 2008 R2. Allows VPN Reconnect. (You’ll learn more about VPN reconnect later in this chapter.) IKEv2 does not support PAP, CHAP, or MS-CHAPv2 (without EAP) authentication protocols.
MORE INFO To learn more about VPN protocols, consult the following webpage: http://technet.microsoft.com/en-us/library/ff687723(WS.10).aspx.

True or False? PEAP-MS-CHAPv2 is a password-based authentication protocol.
Answer: True. Windows 7 supports the following authentication protocols for both VPN and dial-up connections:
■■ Password Authentication Protocol (PAP)  Uses unencrypted passwords. Least secure option. Not enabled by default. Not supported by remote access servers running Windows Server 2008 or Windows Server 2008 R2. Used when connecting to older third-party VPN servers.
■■ Challenge Authentication Protocol (CHAP)  Password-based authentication protocol. Not supported by remote access servers running Windows Server 2008 or Windows Server 2008 R2. Enabled by default for Windows 7 VPN connections.
■■ Microsoft Challenge Handshake Authentication Protocol (MS-CHAPv2)  Password-based authentication protocol. VPN connection can use credentials of currently logged-on user for authentication.
■■ Protected Extensible Authentication Protocol with Transport Layer Security (PEAP-EAP-TLS)  Certificate-based authentication protocol. Requires deployment of computer certificate on VPN server.
■■ PEAP-EAP-MS-CHAPv2  Most secure password-based authentication protocol for Windows 7 VPN clients. Requires deployment of computer certificate on VPN server.
■■ Smart Card or Other Certificate  Use when VPN connections are authenticated with a smart card or other certificate.

Enabling a VPN Reconnect
You need to know how to configure Windows 7 to use the IKEv2 VPN protocol to automatically connect when the VPN connection is disrupted.
True or False? IKEv2 requires the user to manually reconnect when switching Internet connections.
Answer: False. VPN Reconnect uses the IKEv2 VPN protocol. With VPN Reconnect, the underlying network connection can be disrupted for up to 8 hours without the user losing the existing VPN tunnel. This automatic restoration can occur, even when the computer switches Internet connections.
MORE INFO To learn more about remote access with VPN Reconnect, consult the following webpage: http://technet.microsoft.com/en-us/library/dd637803(WS.10).aspx.
True or False? IKEv2 requires a Routing and Remote Access server running Windows Server 2008 R2.
Answer: True. Only Routing and Remote Access servers running Windows Server 2008 R2 support IKEv2. You can configure IKEv2 with mobility to support a network outage time of up to 8 hours. If the disruption lasts longer than 8 hours, the VPN connection must be manually reestablished. If the computer is placed into hibernation, the user

will have to reconnect manually. You need to configure a special certificate template with Enhanced Key Usage (EKU) options to support IKEv2.
MORE INFO To learn more about configuring IKEv2–based remote access, consult the following webpage: http://technet.microsoft.com/en-us/library/ff687731(WS.10).aspx.
EXAM TIP  Remember that the only VPN protocol you can use to switch Internet connections while maintaining the VPN link is IKEv2.

Advanced security auditing
You need to know how to enable advanced auditing.
True or False? You must enable a special policy to use advanced auditing options.
Answer: True. With the Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Force Audit Policy Subcategory Settings policy, you can perform advanced auditing on computers running Windows 7. Advanced auditing is much more specific than the general audit categories. You configure auditing by configuring the policies that are located in the Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies node. Advanced audit policies are available in the following categories:
■■ Account Logon  Includes the following audit policies: Audit Credential Validation, Audit Kerberos Authentication Service, Audit Kerberos Service Ticket Operations, and Audit Other Account Logon Events.
■■ Account Management  Includes the following audit policies: Audit Application Group Management, Audit Computer Account Management, Audit Distribution Group Management, Audit Other Account Management Events, Audit Security Group Management, and Audit User Account Management.
■■ Detailed Tracking  Includes the following audit policies: Audit DPAPI Activity, Audit Process Creation, Audit Process Termination, and Audit RPC Events.
■■ DS Access  Includes the following audit policies: Audit Detailed Directory Service Replication, Audit Directory Service Access, Audit Directory Service Changes, and Audit Directory Service Replication.
■■ Logon/Logoff  Includes the following audit policies: Audit Account Lockout, Audit IPsec Extended Mode, Audit IPsec Main Mode, Audit IPsec Quick Mode, Audit Logoff, Audit Logon, Audit Network Policy Server, Audit Other Logon/Logoff Events, and Audit Special Logon.
■■ Object Access  Includes the following audit policies: Audit Application Generated, Audit Certification Services, Audit Detailed File Share, Audit File Share, Audit File System, Audit Filtering Platform Connection, Audit Filtering Platform Packet Drop, Audit Handle Manipulation, Audit Kernel Object, Audit Other Object Access Events, Audit Registry, and Audit SAM.

■■ Policy Change  Includes the following audit policies: Audit Audit Policy Change, Audit Authentication Policy Change, Audit Authorization Policy Change, Audit Filtering Platform Policy Change, Audit MPSSVC Rule-Level Policy Change, and Audit Other Policy Change Events.
■■ Privilege Use  Includes the following audit policies: Audit Non Sensitive Privilege Use, Audit Other Privilege Use Events, and Audit Sensitive Privilege Use.
■■ System  Includes the following audit policies: Audit IPsec Driver, Audit Other System Events, Audit Security State Change, Audit Security System Extension, and Audit System Integrity.
■■ Global Object Access Auditing  Includes the following audit policies: File System and Registry.
MORE INFO To learn more about advanced audit policy configuration, consult the following webpage: http://technet.microsoft.com/en-us/library/dd408940(WS.10).aspx.

NAP quarantine remediation
You need to know what methods you can use to remediate Windows 7 clients that don’t meet Network Access Protection (NAP) health benchmarks.
True or False? Administrators can require that a firewall be present on all network connections as a criterion for allowing network access to VPN clients.
Answer: True. With NAP, administrators can limit network access, in this case VPN access, to client computers that meet a minimum health benchmark. NAP requirements can include the following:
■■ Does the client have active antispyware software, and is that software up-to-date?
■■ Does the client have active antivirus software, and is that software up-to-date?
■■ Are automatic updates enabled, and has the computer recently checked for updates?
■■ Is a firewall enabled for all network connections?
Administrators specify which of these criteria must be met by configuring security health validators (SHVs). Administrators can also configure NAP to perform remediation so that clients that don’t meet these benchmarks can perform the necessary checks and software updates required to bring them to an acceptable standard. Remediation is the process through which those clients are updated so that they meet the NAP requirements and are granted access to the network. Windows 7 clients can take steps toward remediation as long as the Security Center service is enabled. This service interacts with the Windows 7 Action Center, which can trigger the necessary software updates and activate disabled applications and firewalls. There is a limit to what can be accomplished through remediation. For example, although Windows 7 Action Center can enable a disabled antivirus program during remediation, it can’t locate and install an antivirus application.
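Returning to the advanced audit policy subcategories listed earlier in this objective: the following script is an added example, not code from the book, that compares the subcategory settings reported by the built-in auditpol.exe tool with a baseline and, in live mode, checks whether Force Audit Policy Subcategory Settings is enabled. The baseline values and the sample CSV are constructed for illustration, and the script assumes English-language auditpol output.

```powershell
# Added example: compare advanced audit subcategory settings with a baseline.
# The baseline values and the sample CSV are constructed for illustration.
param([switch]$Live)   # -Live reads this computer; run from an elevated prompt

# Hypothetical baseline: subcategory name -> minimum required setting.
$Baseline = @{
    'Credential Validation'     = 'Success and Failure'
    'Logon'                     = 'Success and Failure'
    'Security Group Management' = 'Success'
    'Process Creation'          = 'Success'
    'Audit Policy Change'       = 'Success and Failure'
    'Sensitive Privilege Use'   = 'Success and Failure'
}

# Constructed sample in the CSV layout printed by: auditpol /get /category:* /r
$SampleCsv = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
WIN7-01,System,Credential Validation,{constructed},Success,
WIN7-01,System,Logon,{constructed},Success and Failure,
WIN7-01,System,Security Group Management,{constructed},No Auditing,
WIN7-01,System,Process Creation,{constructed},Success and Failure,
WIN7-01,System,Audit Policy Change,{constructed},Failure,
'@

function Test-Covers([string]$Actual, [string]$Required) {
    # A setting covers the requirement when every required event type is audited.
    foreach ($type in 'Success', 'Failure') {
        if ($Required -match $type -and $Actual -notmatch $type) { return $false }
    }
    return $true
}

function Get-AuditGap([string[]]$CsvLines, [hashtable]$Required) {
    # Index the reported setting of each subcategory by name.
    $actual = @{}
    $CsvLines | Where-Object { $_.Trim() } | ConvertFrom-Csv | ForEach-Object {
        $actual[$_.Subcategory] = $_.'Inclusion Setting'
    }
    # Emit one result row per baseline entry, including entries never reported.
    foreach ($name in ($Required.Keys | Sort-Object)) {
        $have = 'Not reported'
        if ($actual.ContainsKey($name)) { $have = $actual[$name] }
        New-Object PSObject -Property @{
            Subcategory = $name
            Required    = $Required[$name]
            Actual      = $have
            Compliant   = (Test-Covers $have $Required[$name])
        }
    }
}

if ($Live) {
    $lines = auditpol.exe /get /category:* /r
    # The Force Audit Policy Subcategory Settings policy is stored as this value;
    # 1 means subcategory settings override the legacy category settings.
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    if ($lsa.SCENoApplyLegacyAuditPolicy -ne 1) {
        Write-Warning 'Force Audit Policy Subcategory Settings is not enabled.'
    }
} else {
    $lines = $SampleCsv -split "`r?`n"
}

Get-AuditGap $lines $Baseline |
    Select-Object Subcategory, Required, Actual, Compliant |
    Format-Table -AutoSize
```

With the constructed sample, Logon and Process Creation are reported as compliant; the other four baseline entries are not, including Sensitive Privilege Use, which the sample never reports.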

MORE INFO To learn more about VPN remote access connections and NAP quarantine, consult the following webpage: http://technet.microsoft.com/en-us/library/cc984479.aspx.

Dial-up connections
You need to know how to configure Windows 7 to support incoming and outgoing dial-up connections.
True or False? You can create a dial-up connection for a Windows 7 computer if it has a built-in cellular modem.
Answer: True. Windows 7 supports dial-up connections using a modem to an ISP or other host. Windows 7 can be used with both traditional landline modems and cellular modems. To configure an outbound dial-up connection, in Network And Sharing Center, click Set Up A New Connection Or Network and then select Set Up A Dial-Up Connection. You’ll need to enter the phone number of the ISP as well as a user name and password. You can click Dialing Rules to specify options such as country code, carrier code, and whether a specific number needs to be provided to access an external line.
True or False? Windows 7 supports incoming PPTP VPN connections.
Answer: True. Windows 7 also supports incoming dial-up connections. If you have a modem attached to your computer, you can configure your computer to accept incoming modem calls by clicking New Incoming Connection from the Change Adapter Settings dialog box available from the Network And Sharing Center Control Panel item. You can also use this method to configure a computer running Windows 7 to support incoming PPTP VPN connections through a NIC.
MORE INFO To learn more about incoming VPN or dial-up connections, consult the following webpage: http://windows.microsoft.com/en-US/windows7/Set-up-an-incoming-VPN-or-dial-up-connection.

Remote Desktop
You need to know how to configure Windows 7 clients to use RD Gateway to access internal Remote Desktop services.
True or False? A client must establish a VPN connection prior to connecting to an RD Gateway Server.
Answer: False. With RD Gateway, clients on the Internet can make Remote Desktop connections to servers on protected internal networks through an RD Gateway server on a perimeter network. Clients can establish these connections without having to initiate a VPN connection. The client opens the specially configured Remote Desktop Connection application and can initiate the connection as if opening a

Remote Desktop Connection to a Remote Desktop host on the internal network. To configure Remote Desktop Client to use an RD Gateway, navigate to the Advanced tab of the Remote Desktop Connection Properties dialog box and click Settings under Connect From Anywhere. Specify the RD Gateway server name and whether you want the client to bypass the RD Gateway server for local addresses. You can also configure RD Gateway settings through the User Configuration\Administrative Templates\Windows Components\Remote Desktop Services\RD Gateway node of a GPO. The policies in this node include the following:
■■ Enable Connection Through RD Gateway  When enabled, the client attempts a connection through the specified RD Gateway server if it cannot directly connect to the target Remote Desktop Services server.
■■ Set RD Gateway Server Address  You can specify the address of the RD Gateway Server.
MORE INFO To learn more about RD Gateway, consult the following webpage: http://technet.microsoft.com/en-us/library/dd560672(WS.10).aspx.

Published apps
You need to know how to ensure that remote Windows 7 clients can connect to RemoteApp applications over the Internet.
True or False? You configure the RD Gateway Server address prior to deploying RemoteApp applications to Windows 7 clients.
Answer: True. With the RemoteApp technology, individual Remote Desktop Services applications can be published to client computers. RemoteApp applications can be used by clients on the Internet if the application is published with the address of an RD Gateway Server. Administrators can configure this address on the RD Gateway tab of the RemoteApp Deployment Settings dialog box.
MORE INFO To learn more about RemoteApp, consult the following webpage: http://technet.microsoft.com/en-us/library/cc772415.aspx.

Can you answer these questions?
You can find the answers to these questions at the end of the chapter.
1. What is the most secure password-based authentication protocol?
2. What conditions can NAP check for?
3. Which VPN protocol supports VPN Reconnect?
4. Which VPN protocol does Windows 7 support for incoming connections?

from being made available offline. 2. The CDP for clients using IP-HTTPS with DirectAccess needs to be accessible from the Internet.Answers This section contains the answers to the “Can you answer these questions?” sections in this chapter.exe command-line utility to export a power scheme. You can use the Exclude Files From Being Cached to block specific file types. 2. You would configure the Store BitLocker Recovery Information In Active Directory Domain Services and Choose How BitLocker-Protected Operating System Drives Can Be Recovered policy to accomplish this goal. Objective 6. Clients on NAT networks where the NAT device does not support 6to4 func- tionality need to use Teredo or IP-HTTPS to make a DirectAccess connection. 3. 3. Transparent caching is enabled by configuring the Enable Transparent Cach- ing Group Policy. You run the powercfg. Needs a computer certificate installed. 4. A computer certificate that will be used for authentication needs to be in- stalled on the DirectAccess client. 144 Chapter 6  Configuring Mobile Computing . Allow Enhanced PINs for Startup. Objective 6.3: Configure mobility options 1. You can’t perform this task from the Power Options Control Panel item. and must be running either the Enterprise or Ultimate version of the operating system. 4. You would configure a DRA to ensure that BitLocker-protected drives can be recovered without having to provide individual recovery keys. 3. You need to use the powercfg.exe –List command to view the GUIDs of all power schemes on a computer. must be a member of the designated DirectAccess security group. based on file extension. It is necessary to know the GUID of the power scheme that you are going to export. 4. Objective 6. 2. must be a member of the domain. You can use BitLocker without a TPM if a startup key is configured.1: Configure BitLocker and BitLocker To Go 1.2: Configure DirectAccess 1.

Objective 6.4: Configure remote connections
1. PEAP-EAP-MS-CHAPv2.
2. NAP can check for the following conditions: Does the client have active antispyware software and is that software up to date? Does the client have active antivirus software and is that software up to date? Are automatic updates enabled, and has the computer recently checked for updates? Is a firewall enabled for all network connections?
3. The IKEv2 VPN protocol supports VPN Reconnect.
4. Windows 7 supports the PPTP protocol for incoming connections.


Chapter 7
Monitoring and Maintaining Systems that Run Windows 7

Approximately 11 percent of the 70-680 exam focuses on the topic of monitoring and maintaining Windows 7, so you need to have a good grasp of how to configure Windows Update settings, how to use the options for Windows 7 volumes, what you can do with Windows 7 event logs and data collector sets, and how to monitor and improve Windows 7 performance.
This chapter covers the following objectives:
■■ Objective 7.1: Configure updates to Windows 7
■■ Objective 7.2: Manage disks
■■ Objective 7.3: Monitor systems
■■ Objective 7.4: Configure performance settings

Objective 7.1: Configure updates to Windows 7
Although it is important to retain control over what updates are deployed to Windows 7, the more automated you can make the update deployment process, the less direct work you’ll have to perform on individual computers. If you get the deployment of updates right, you’ll save yourself hundreds of hours of work over the Windows 7 operating system’s deployment lifetime.

Exam need to know
■■ Configure update settings  For example: How to configure Windows 7 to use a WSUS server at the address http://wsus.contoso.internal.
■■ Determine source of updates  For example: How to configure Windows 7 to use WSUS.
■■ Configuring Windows Update policies  For example: How to configure WSUS groups.

■■ Review update history  For example: How to determine which updates aren’t installed on a computer running Windows 7.
■■ Check for new updates  For example: How to force Windows 7 to check for new updates.
■■ Rolling back updates  For example: How to hide an update.

Configure update settings
You need to know how and where to configure settings related to Windows Update. This means not only being familiar with the Windows Update item in Control Panel but also with the relevant Group Policies used to control Windows Update behavior.
True or False? A user who is not a member of the local Administrators group on a Windows 7 computer can check for updates.
Answer: True. The Windows Update Control Panel is the primary tool you use to manage software updates on clients running Windows 7. Through this Control Panel, a user with Administrator privileges can check for updates, change update settings, review installed updates, and review hidden updates. A user who can’t elevate privileges can use this Control Panel to check for and install updates. Windows Update relies on the Windows Update service, which is enabled by default on all clients running Microsoft Windows.
True or False? Only a user who is a member of the local Administrators group can change Windows Update settings.
Answer: True. Only users with administrative privileges can change Windows Update settings. You can manually configure how Windows Update deals with updates by clicking the Change Settings item. With this item, you can configure how Windows 7 deals with important updates, whether recommended updates are treated in the same fashion as important updates, the frequency at which updates are checked, and whether users without administrative privileges can install updates on the computer. The options that you can configure with this dialog box are as follows:
■■ Install Updates Automatically (Recommended)  Windows Update installs updates automatically at the time specified. This is the default setting for Windows Update.
■■ Download Updates But Let Me Choose Whether To Install Them  Updates are downloaded to the computer, and the user is notified that the updates are available for installation.
■■ Check For Updates But Let Me Choose Whether To Download And Install Them  The user is notified that updates are available for download and install.
■■ Never Check For Updates (Not Recommended)  Windows Update does not check for updates, but updates can still be checked for and installed manually.

■■ Give Me Recommended Updates The Same Way I Receive Important Updates  This means that recommended updates are treated in the same manner as important updates. Optional updates still need to be installed manually.
■■ Allow All Users To Install Updates On This Computer  This option is enabled by default. If you disable this option, only user accounts that are members of the local Administrators group can install updates.
More Info To learn more about configuring update settings, consult the following webpage: http://technet.microsoft.com/en-us/library/ee126108(WS.10).aspx.
EXAM TIP  Remember that permissions are required to update Windows 7 with a critical update.

Determine source of updates
You need to know how to set Windows Update to retrieve updates either from Microsoft Update or an alternate source such as a Windows Server Update Services (WSUS) server.
True or False? By default, Windows Update on Windows 7 uses the proxy server settings configured through Internet Options in the Control Panel.
Answer: False. Occasionally, on networks that have specific firewall and proxy configurations, Windows Update clients can’t contact the Microsoft Update servers on the Internet. Although you can configure Internet Explorer to use a proxy through Internet Options, Windows Update can’t use these settings directly. There are several ways to deal with this problem. The first is to deploy a WSUS server on the local area network (LAN) and have the clients download updates from the WSUS server. When setting up the WSUS server, you can configure it to use the proxy. Alternatively, it is possible to configure a client running Windows 7 manually so that Windows Update can communicate with the Microsoft Update servers through the proxy. You can configure clients running Windows 7 to determine proxy settings in two ways:
■■ Web Proxy Auto Detect (WPAD)  This feature allows computer services to locate an available proxy by querying a Dynamic Host Configuration Protocol (DHCP) option or checking a Domain Name System (DNS) record.
■■ Netsh.exe command-line tool  Although Windows Update does not use the Internet Options settings directly, you can use the netsh.exe command-line tool to import the proxy settings configured for Internet Explorer. To accomplish this goal, use the following command from an elevated command prompt:
netsh winhttp import proxy source=ie

1-kb123457-x64. which allows staggered update deployment. True or False? WSUS groups are security groups you create using Active Directory Users And Computers.microsoft.msu /quiet /norestart Wusa. such as when you are dealing with stand-alone computers that are not connected to a network. microsoft. WSUS allows administrators to organize client computers into groups.More Info For more information on configuring Web Proxy Auto Detect on DNS and DHCP servers. WSUS also allows administrators centrally to roll back the installation of an update across all computers in the organization. You can deploy updates on some computers. You can download Windows 7 update files directly from the Microsoft website.aspx. In some cases.1-kb123458-x64. which removes that update from all client computers in the organization. For example. administrators have to uninstall and then hide the update on each computer in the organization manually. If you want to script the installation of a number of . if an update causes a problem in an organization that relies only on Microsoft Update. consult the following document on Microsoft TechNet: http://technet.com/kb/934307. the update administrator can roll back the update from WSUS. you might have a script that installs three updates with these commands: Wusa.1-kb123456-x64. True or False? You can roll back the deployment of an update using WSUS.exe d:\windows6. When chaining the update installation.exe utility. consult the following article: http://support.msu /quiet More Info For more information about Wusa.msu files.exe d:\windows6. Answer: True.msu /quiet /norestart Wusa. you can configure a client to join a group by configuring the Enable Client Side Targeting policy. which you will learn about later in this lesson. If an update causes a problem in an organization that uses WSUS. consult the Windows Server Update Services TechCenter at the following address: http://technet. but not on others. More Info To learn more about WSUS.exe. 
For example. It is not necessary to hide a rolled-back update because the WSUS server makes approved updates available only to Windows Update clients.com/en-us/library/cc713344.msu extension. Update files have the . True or False? You can use the Windows Update Stand-alone Installer (Wusa. You create groups on the WSUS server. Answer: True.com/en-us/wsus/default.exe) utility to manually install updates downloaded from the Microsoft website. it is necessary to install update files directly. 150 Chapter 7  Monitoring and Maintaining Systems that Run Windows 7 . you should use the /norestart parameter after each update except the last one that you want to install. aspx.exe d:\windows6. You can find these updates related to each update’s security bulletin. or by manually assigning computers to groups using the WSUS console. Answer: False. you can use the Wusa. After the groups are created on the WSUS server.microsoft.

Configuring Windows Update policies
You need to be familiar with the Group Policy items related to Windows Update and what you can accomplish with those policies.
True or False? You can join a computer to an existing WSUS group using the Enable Client Side Targeting policy.
Answer: True. You configure most Windows Update settings by configuring Group Policy. The Computer Configuration\Administrative Templates\Windows Components\Windows Update Group Policy node contains 16 policies. Several of these settings are similar to the ones that you can configure through the Windows Update Control Panel. You can configure Windows Update using these policies as follows:
■■ Do Not Display “Install Updates And Shut Down” Option In Shut Down Windows Dialog Box  You can configure whether the Shut Down menu displays the Install Updates And Shut Down option. The default setting has this option available.
■■ Do Not Adjust Default Option To “Install Updates And Shut Down” In Shut Down Windows Dialog Box  When this policy setting is enabled, the user’s last shutdown choice is the default shutdown option. When this policy setting is disabled or is not configured, Install Updates And Shut Down is the default option if updates are available for installation. This policy is deprecated when the Do Not Display “Install Updates And Shut Down” Option In Shut Down Windows Dialog Box policy is enabled.
■■ Enabling Windows Update Power Management To Automatically Wake The System To Install Scheduled Updates  This policy allows Windows Update to wake a hibernating computer to install updates. Updates do not install if the computer is hibernating on battery power.
■■ Configure Automatic Updates  You can configure update detection, download, and installation settings. You can configure the following settings using this policy:
• Notify For Download And Notify For Install  Windows Update does not download updates; it notifies the user that updates are available for download and installation.
• Auto Download And Notify For Install  Windows Update downloads updates and notifies the user that updates are available for installation.
• Auto Download And Schedule The Install  Windows Update downloads and installs updates without user intervention.
• Allow Local Admin To Choose Setting  Configuring this setting allows a local administrator to override Windows Update settings.
• Install Day and Install Time  Use these settings to configure the day and time that Windows Update will install updates.

■■ Specify Intranet Microsoft Update Service Location  You can specify the location of an internal update server, such as one running WSUS. This policy is the only way that you can configure Windows Update to use an alternate update server. Using this policy, you can specify the update server and the statistics server. In most cases, these are the same servers. The updates server is where the updates are downloaded from, and the statistics server is the server in which clients report update installation information.
■■ Automatic Updates Detection Frequency  Configure this policy to specify how often Windows Update checks the local intranet update server for updates. This policy doesn’t work if you configure a client to retrieve updates from the Windows Update servers.
■■ Allow Non-Administrators To Receive Update Notifications  This policy specifies whether users who are not members of the local Administrators group can install updates.
■■ Turn On Software Notification  When you enable this policy, Windows Update presents users with information about optional updates.
■■ Allow Automatic Updates Immediate Installation  When you enable this policy, updates that do not require a restart install automatically. Updates that do require a restart are not installed until the conditions set in the Configure Automatic Updates policy are met.
■■ Turn On Recommended Updates Via Automatic Updates  Use this policy to configure Windows Update to install recommended updates as well as important updates.
■■ No Auto-Restart With Logged On Users For Scheduled Automatic Updates Installation  When you enable this policy, Windows Update waits until the currently logged-on user logs off if Windows Update installs updates that require a restart. If you disable or don’t configure this policy, and the Configure Automatic Updates policy is set to install updates at a specific time, Windows Update gives the logged-on user a 5-minute warning prior to restarting to complete the installation.
■■ Re-Prompt For Restart With Scheduled Installations  Use this policy to set the amount of time in which a user can postpone a scheduled restart when the Configure Automatic Updates policy is set to install updates at a specific time.
■■ Delay Restart For Scheduled Installations  Through this policy, you can specify the amount of time that Windows waits before automatically restarting after a scheduled installation. This policy applies only if the Configure Automatic Updates policy is set to install updates at a specific time.
EXAM TIP  Remember the function of the Specify Intranet Microsoft Update Service Location policy.

■■ Reschedule Automatic Updates Scheduled Installations  You can use this policy to configure a computer that has missed a scheduled update to perform the update a specific number of minutes after startup. For example, use this policy to ensure that a computer that was switched off at the scheduled update time installs updates 1 minute after starting up. Disabling this policy means that updates install at the next scheduled time.
■■ Enable Client-Side Targeting  You can place computers into different software update groups. Different software update groups allow the software update administrator to target the deployment of updates, allowing updates to be deployed to specific groups of computers in the organization rather than all computers in the organization.
■■ Allow Signed Updates From An Intranet Microsoft Update Service Location  This policy allows updates from third-party vendors to be distributed from the Automatic Updates location as long as those updates are digitally signed by a trusted publisher.

EXAM TIP  Remember how to assign computers to different WSUS groups.

Review update history
You need to be able to determine which updates are installed on a particular computer and when those updates were installed.

True or False? Recommended updates address critical security issues.
Answer: False. Use the View Update History Control Panel to view a list of all updates that have been successfully or unsuccessfully installed on a computer, as well as the date they were installed and their importance classification. Updates can have one of the three following classifications:
■■ Important Updates  These updates often address critical security issues. In some cases, updates with the important classification address security issues in which an exploit is already available to attackers on the Internet.
■■ Recommended Updates  These updates often address functionality issues.
■■ Optional Updates  These updates provide items such as driver updates and language packs.

By clicking an update within the View Update History Control Panel, you can find out more information about the update. This information provides a summary of the update and also provides a link to a Knowledge Base article that also provides detailed information about the update. The Knowledge Base ID is a six-digit number, often preceded by the letters KB, such as KB123456. Knowledge Base articles also provide information about any potential problems that an update might cause. If you install an update on a client running Windows 7 and start experiencing problems, you should consult the Knowledge Base article related to the update to determine whether these problems have been documented and whether there are any workarounds to deal with the issues related to the update. Knowing the Knowledge Base ID of an update is also important if you want to delete the update.
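The Windows Update Group Policy settings listed above are written to the registry on each client, so they can be audited without opening the Group Policy editor. The following read-only check is an added example, not part of the book; the registry value names are the ones Microsoft documents for these policies and do not appear in the book's text, and the sample values are constructed.

```powershell
# Added example: read-only audit of Windows Update policy values (PowerShell 2.0 compatible).
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey = "$WuKey\AU"

function Get-PolicyValues([string]$Path) {
    # Return every value under a policy key as a hashtable (empty when the key is absent).
    $values = @{}
    if (Test-Path $Path) {
        $key = Get-Item $Path
        foreach ($name in $key.GetValueNames()) { $values[$name] = $key.GetValue($name) }
    }
    return $values
}

function Test-WindowsUpdatePolicy([hashtable]$Wu, [hashtable]$Au) {
    $findings = @()
    $server = [string]$Wu['WUServer']         # update server
    $status = [string]$Wu['WUStatusServer']   # statistics server
    $group  = [string]$Wu['TargetGroup']      # client-side targeting group
    $useWu  = ($Au['UseWUServer'] -eq 1)

    # Specify Intranet Microsoft Update Service Location
    if ($useWu -and -not $server) {
        $findings += 'UseWUServer=1 but WUServer is empty: no intranet update server is defined.'
    }
    if ($server -and -not $useWu) {
        $findings += 'WUServer is set but UseWUServer is not 1: the intranet server is ignored.'
    }
    if ($server -like 'http://*') {
        $findings += "Update server '$server' is reached over plain HTTP; enable SSL on the server and use https."
    }
    if ($server -and $status -and ($server -ne $status)) {
        $findings += "Update server '$server' and statistics server '$status' differ; confirm this is intended."
    }
    # Enable Client-Side Targeting
    if (($Wu['TargetGroupEnabled'] -eq 1) -and -not $group) {
        $findings += 'Client-side targeting is enabled but no target group name is set.'
    }
    # Allow Signed Updates From An Intranet Microsoft Update Service Location
    if ($Wu['AcceptTrustedPublisherCerts'] -eq 1) {
        $findings += 'Third-party signed updates are accepted; review the Trusted Publishers store.'
    }
    # Allow Non-Administrators To Receive Update Notifications
    if ($Wu['ElevateNonAdmins'] -eq 1) {
        $findings += 'Users outside the local Administrators group are allowed to handle updates.'
    }
    # No Auto-Restart With Logged On Users (only relevant to scheduled installs, AUOptions=4)
    if (($Au['AUOptions'] -eq 4) -and ($Au['NoAutoRebootWithLoggedOnUsers'] -ne 1)) {
        $findings += 'Scheduled install without No Auto-Restart: logged-on users get a restart warning.'
    }
    return ,$findings
}

# Constructed sample values (not taken from a real computer).
$sampleWu = @{
    WUServer           = 'http://wsus.example.test:8530'
    WUStatusServer     = 'http://wsus.example.test:8530'
    TargetGroupEnabled = 1
    TargetGroup        = ''
}
$sampleAu = @{ UseWUServer = 1; AUOptions = 4; NoAutoRebootWithLoggedOnUsers = 0 }
Test-WindowsUpdatePolicy $sampleWu $sampleAu   # three findings: HTTP, empty group, restart warning

# The same checks against the local computer's effective policy.
Test-WindowsUpdatePolicy (Get-PolicyValues $WuKey) (Get-PolicyValues $AuKey)
```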

True or False? You can’t manually uninstall an update using the Windows Update Control Panel item.
Answer: True. It is possible to uninstall an update that has already been installed. A user who is a member of the local Administrators group can uninstall an update through the Programs And Features Control Panel item. You can also access this panel by clicking the Installed Updates item in the Windows Update Control Panel. Unlike the View Update History dialog box, you are presented only with the Knowledge Base identifier of the update. So you must know the Knowledge Base identifier of an update to uninstall it. You can determine the Knowledge Base identifier of a particular update by using the View Update History Control Panel and double-clicking the update. It displays an update information dialog box from which you can determine the Knowledge Base ID. When you uninstall an update, it will be presented for installation the next time a check occurs.

Check for new updates
You need to know how to force the Windows Update client to check for new updates, as opposed to waiting until the scheduled update time, but also know how to set update checks to occur at specific times.

True or False? You can initiate a Windows Update check from the command line.
Answer: True. Administrators and standard users can manually check for updates by clicking the Check For Updates item in the Control Panel. The computer needs to be able to contact the update source to be able to check for updates. The update source can be the Microsoft Update servers on the Internet or a local update server. When you manually check for updates, Windows Update checks only for updates. Manually checking for updates does not automatically download and install updates. After you check for updates, the Windows Update Control Panel lists all available updates that can be installed. You can also manually check for updates from the command line by issuing the following command:

Wuauclt.exe /detectnow

True or False? When you hide an update, it will be available the next time an update check occurs.
Answer: False. When reviewing updates that are available for installation, you can also right-click an update and select Hide Update. Only users with administrative privileges can hide updates. Choosing to hide an update effectively declines the update, so the update does not install, and Windows Update does not present that particular update for installation through Windows Update in the future. Declining an update does not mean that the update can’t be installed at a later stage. By using the Restore Hidden Updates item in the Windows Update Control Panel, you can restore updates that were hidden in the past. Restoring a hidden update means that the update will be available the next time an update check occurs.

True or False? An account needs to be a member of the Enterprise Admins group if it is to be used to scan computers for missing updates using the Microsoft Baseline Security Analyzer (MBSA).
Answer: False. The MBSA tool can check a computer to see whether it is missing updates based on updates published by Microsoft Update or can scan a computer based on a list of updates that are approved on a WSUS server. To scan a computer, you need to have Administrator access on the local computer and on any remote computer that you are scanning. This requirement ensures that you cannot use the MBSA tool as an attack tool to scan other people’s computers to determine which vulnerabilities they may possess. You must use version 2.2 or later of the MBSA to scan computers running Windows 7. You can use the MBSA tool to scan servers as well as clients, so it is possible to check for other vulnerabilities, such as those that are present in Internet Information Server (IIS) and Microsoft SQL Server. You can also use the MBSA tool to determine whether there are problems with a computer’s security configuration, such as whether common administrative vulnerabilities are present and weak passwords are set.

More Info  To get more information about the MBSA, consult the following Microsoft TechNet webpage: http://technet.microsoft.com/en-au/security/cc184923.aspx.

EXAM TIP  Remember what tools you can use to check for missing updates.

Rolling back updates
You need to know how to uninstall deployed updates from one or more computers.

True or False? If you roll back an update, it will be presented for installation next time an update check occurs.
Answer: True. When you uninstall an update, it does not appear in the list of hidden updates, but it does become available again if you check for new updates. It is important to remember to hide any update after you uninstall it. For example, you might install an update only to find that it causes a conflict with some custom software deployed in your organization. You choose to uninstall the update to restore the functionality of the custom software. You can then use the Hide Update function to hide the update until the software vendor can develop a fix that makes the custom software compatible with the update, ensuring that other users who can install updates do not inadvertently install the update until the custom software fix is available.

EXAM TIP  Remember what tools you can use to roll back a deployed update.
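Because an uninstall is keyed on the Knowledge Base ID, it helps to confirm where an update is actually present before rolling it back. The sketch below is an added example, not part of the book: it uses the built-in Get-HotFix cmdlet and the wusa.exe uninstall switches, the function names are hypothetical, and KB123456 is the book's own placeholder ID.

```powershell
# Added example: find where an update is installed, then build the rollback command for review.
function ConvertTo-KbId([string]$Id) {
    # Accept '123456' or 'kb123456' and return 'KB123456'.
    # The book describes six digits; newer updates use seven, so both are accepted.
    if ($Id -match '^(KB)?(\d{6,7})$') { return 'KB' + $Matches[2] }
    throw "Not a Knowledge Base ID: $Id"
}

function Get-UpdateStatus([string[]]$ComputerName, [string]$KbId) {
    $kb = ConvertTo-KbId $KbId
    foreach ($computer in $ComputerName) {
        $status = 'Missing'
        try {
            # List every hotfix and filter locally, so an exception here means the
            # computer could not be queried rather than "update not found".
            $hit = Get-HotFix -ComputerName $computer -ErrorAction Stop |
                   Where-Object { $_.HotFixID -eq $kb } |
                   Select-Object -First 1
            if ($hit) { $status = 'Installed' }
        } catch {
            $status = 'Unreachable'   # offline, firewalled, or no administrative access
        }
        New-Object PSObject -Property @{ Computer = $computer; Update = $kb; Status = $status }
    }
}

function Get-RollbackCommand([string]$KbId) {
    # wusa.exe takes the number without the KB prefix. The command is returned as text
    # so that it can be reviewed before it is run from an elevated prompt.
    $number = (ConvertTo-KbId $KbId).Substring(2)
    return "wusa.exe /uninstall /kb:$number /quiet /norestart"
}

# Check the local computer for the placeholder update, then show the rollback command.
Get-UpdateStatus -ComputerName $env:COMPUTERNAME -KbId 'kb123456' |
    Format-Table Computer, Update, Status -AutoSize
Get-RollbackCommand 'KB123456'   # wusa.exe /uninstall /kb:123456 /quiet /norestart
```

After the uninstall, the update still has to be hidden in the Windows Update Control Panel, as described above, or it is offered again at the next check.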

Can you answer these questions?
You can find the answers to these questions at the end of the chapter.
1. What steps should you take if you want to check 100 computers running Windows 7 to see whether they are missing a specific software update?
2. What steps would you take to ensure that one group of computers running Windows 7 received an update but another group of computers waited 3 weeks before that update was deployed?
3. How would you remove a deployed update from a subset of computers running Windows 7 on your organization’s network?
4. How can you ensure that users can complete their work and not be forcibly logged off after an update has installed that requires a restart?

Objective 7.2: Manage disks
In most real-world scenarios, you won’t bother modifying the default volume configuration of a computer running the Windows 7 operating system. However, you might modify the default volume configuration for reasons such as simplifying the backup process. For the exam, you’ll need to know what modifications you can make to disks, including what steps you can take to make them perform better or be fault tolerant.

Exam need to know
■■ Managing disk volumes
For example: How to shrink a volume to create additional space on a disk.
■■ Managing file system fragmentation
For example: How to alter the defragmentation schedule.
■■ RAID
For example: What versions of software RAID does Windows 7 support?
■■ Removable device policies
For example: How do you block people from connecting their own USB thumb drives to their computers running Windows 7?

Managing disk volumes
You need to know how to create volumes and the type of volumes supported by Windows 7.

True or False? You can dual boot between Windows 7 and Windows XP only with a GPT disk.
Answer: False. Windows 7 supports two different disk partitioning systems: Master Boot Record (MBR) and Globally Unique Identifier Partition Table (GPT). The differences between them are as follows:
■■ When configured as a basic disk, GPT supports up to 128 partitions, but MBR supports only 4 partitions. When configured as a dynamic disk, both GPT and MBR support up to 2,000 volumes.
■■ A GPT partition can be up to 18 exabytes, although Windows file systems are limited to a maximum size of 256 terabytes.
■■ GPT has redundant partition tables.
■■ You can convert disks from MBR to GPT and from GPT to MBR as long as the disk is empty and contains no partitions.
■■ Windows XP 32-bit cannot read, write, or boot from GPT disks. Windows XP 64-bit can read and write data from GPT disks, but can’t boot from GPT disks.

More Info  To learn more about GPT, consult the following document: http://msdn.microsoft.com/en-us/windows/hardware/gg463525.aspx.

There are two types of disks available in Windows 7: basic disks and dynamic disks. The differences between them are as follows:
■■ You can create new volumes, delete volumes, and extend or shrink existing volumes on basic disks.
■■ You can perform all basic disk functions on dynamic disks, as well as create spanned volumes and striped volumes.
■■ Dynamic disks are accessible only to the operating system instance that converted them to dynamic, making them problematic in multiboot scenarios.

More Info  To learn more about basic and dynamic disks, consult the following document: http://msdn.microsoft.com/en-us/library/windows/desktop/aa363785(v=vs.85).aspx.

True or False? You can only create a simple volume on a basic disk.
Answer: False. You can create simple volumes on both basic and dynamic disks. Simple volumes, once called partitions and sometimes used interchangeably, can exist on a single disk. You can create a simple volume using the Disk Management console by right-clicking the “unallocated” area of a disk when the Disk Management node of the Computer Management console is open and then clicking New Simple Volume. If you are using the DiskPart tool, you’ll need to know whether you are working with a dynamic or a basic disk because the tool requires you to create partitions when working with basic disks and volumes when working with dynamic disks.

You can grow a simple volume if there is unpartitioned space available on the host disk. Extending a volume means consuming extra unpartitioned space on the same disk. You can shrink a volume if there is available space without losing data. The amount of space you can shrink a volume depends on how much data is stored on the volume and the current level of file fragmentation. To shrink a volume using Disk Management, right-click the volume and click Shrink Volume. The Shrink dialog box opens and displays the maximum amount that you can shrink the volume. You can also shrink volumes when the volume or partition is selected in the DiskPart utility. The shrink querymax parameter displays how much free space is left, and the shrink parameter will perform the reduction.

More Info  To learn more about managing simple volumes, consult the following TechNet document: http://technet.microsoft.com/en-us/library/cc733060.aspx.

True or False? You can configure disk spanning across volumes hosted on basic disks.
Answer: False. You can create spanned volumes only across dynamic disks. Disk spanning involves extending a single volume over multiple disks. Spanned volumes are volumes that are created across multiple dynamic disks. For example, a spanned volume might use 4 GB on the first disk, 3 GB on the second disk, and 5 GB on the third disk to make a spanned volume of 12 GB in size. The drawback of spanned volumes is that if one of the disks hosting the spanned volume fails, all data hosted on that volume is lost.

EXAM TIP  Remember which disk type supports spanned volumes.

More Info  To learn more about disk management, consult the following webpage: http://technet.microsoft.com/en-us/library/cc771607.aspx.

True or False? You can’t create and mount differencing virtual hard disks (VHDs) in Windows 7.
Answer: True. VHDs are a special type of file that can be mounted by the Windows 7 operating system as a hard disk. You can create two types of VHD files using the Windows 7 operating system: fixed size and dynamically expanding. When you create a fixed size VHD, all space is allocated to the VHD when the file is created. When you create a dynamically expanding VHD, the file can expand as needed to the maximum size, but this space is not allocated to the VHD file at creation. You can’t create and mount a differencing VHD file, used by the Hyper-V role on Windows Server 2008 R2, by using the built-in Windows 7 SP1 operating system tools. You can also configure the Enterprise and Ultimate editions of Windows 7 to boot from VHD.

True or False? You can create a spanned volume across VHD files.
Answer: False. You can’t create spanned volumes across attached VHD files.

More Info  To learn more about VHDs, consult the following document: http://msdn.microsoft.com/en-us/library/windows/desktop/dd323654(v=VS.85).aspx.

Managing file system fragmentation
You need to know how to defragment a volume from the GUI and the command line and configure the disk defragmenter schedule.

True or False? You can configure separate defragmentation schedules for each volume.
Answer: False. You can configure only a single defragmentation schedule for a computer. File fragmentation occurs over time as computers write and delete files from storage devices. On traditional non–solid-state drive (SSD) hard disk drives, file fragmentation causes a decrease in disk performance because when reading a fragmented file, the computer must access different noncontiguous locations on the disk. Disk performance improves when you ensure that each file on the disk is stored contiguously. You can accomplish this by ensuring that traditional non-SSD drives are defragmented regularly. Because SSDs use a different method of performing disk read and write operations, there is less benefit in defragmenting files stored on this type of disk.

Windows 7 automatically performs a defragmentation operation on each volume at 1:00 A.M. each Wednesday. If the computer is powered off at the scheduled time, defragmentation begins after the next boot. You can configure defragmentation to occur daily, weekly, or monthly. You can configure the defragmentation schedule and determine which volumes will be defragmented by editing the properties of a disk, selecting the Tools menu, and then clicking Defragment Now.

More Info  To learn more about disk defragmentation in Windows 7, consult the following webpage: http://blogs.msdn.com/b/e7/archive/2009/01/25/disk-defragmentation-background-and-engineering-the-windows-7-improvements.aspx.

True or False? You can use the defrag.exe utility from an elevated command prompt.
Answer: True. You must run the defrag.exe command-line utility to consolidate free space prior to shrinking a volume. The utility has the following syntax:

Defrag <volume> | /C | /E <volumes> [/A | /X | /T]

You can use these options in the following ways:
■■ <volume>  You can specify which volume the utility will defragment.
■■ /C  The utility defragments all volumes on the computer.
■■ /E  The utility defragments all volumes on the computer except the listed ones.
■■ /A  Provides a fragmentation analysis of the target volume.
■■ /X  Performs a free space consolidation. You should do this prior to attempting to shrink a volume.
■■ /T  Provides a report on an existing defrag.exe operation.
■■ /H  Forces the operation to run at normal rather than low priority.
■■ /M  Forces defragmentation of multiple volumes in parallel.
■■ /U  Displays progress of current defrag.exe operations on the screen.
■■ /V  Provides extensive defragmentation statistics.

More Info  To learn more about the defrag.exe utility, consult the following webpage: http://technet.microsoft.com/en-us/magazine/ff458356.aspx.

EXAM TIP  To maximize the amount of space available when shrinking a volume, use defrag.exe to perform a free space consolidation prior to the shrink operation.

RAID
You need to know which redundant disk configurations are supported by the Windows 7 operating system.

True or False? You need a minimum of three volumes to create a striped volume.
Answer: False. You need a minimum of two volumes to create a mirrored volume or a striped volume. You can create two types of RAID (Redundant Array of Inexpensive Disks) configurations using the Windows 7 operating system tools: RAID-0, known as a striped volume, or RAID-1, known as a mirrored volume.

A striped volume can be hosted across two or more disks. You can create striped volumes only on dynamic disks. You can’t configure the operating system volume as a striped volume. Striped volumes provide you with improvements in read and write speed, but if a disk hosting the mirror fails, all data on the striped volume is lost. The size of the striped volume is determined by the smallest available volume space on the constituent disks. For example, if you had a 100-GB disk, a 250-GB disk, and a 300-GB disk, using all three disks you could create a 300-GB striped volume because you are limited to a maximum of 100 GB from each drive. Using only the two larger disks, you can create a 500-GB striped volume.

More Info  To learn more about creating striped volumes, consult the following webpage: http://technet.microsoft.com/en-us/library/cc732422.aspx.

Mirrored volumes provide no improvement in performance, but ensure that data remains available if a disk hosting a volume fails. You create mirrored volumes using dynamic disks as long as you have space available on the target disk that is equal to or larger than the size of the volume you want to mirror. You can configure a mirror of the volume that hosts the operating system as long as you have enough space on a separate disk.

EXAM TIP  Remember how many disks are required to create each type of RAID volume.

True or False? Windows 7 does not support software RAID-5 at the operating system level.
Answer: True. Windows 7 supports operating system RAID-0 and RAID-1, so you can create RAID-0 and RAID-1 volumes using the Diskpart utility or the Disk Management console. You cannot create RAID-5 volumes using either the Diskpart utility or the Disk Management node of the Computer Management console. The documentation for this feature can be contradictory, but when you try to accomplish this task, you’ll find the option dimmed in the Computer Management console or it will lead to an error when using the Diskpart utility. Although you could create RAID-5 arrays using the operating system in previous Windows client operating systems, you can’t create RAID-5 volumes using the built-in Windows 7 operating system tools.

Windows 7 can be used with RAID-5 and RAID-10 if it is configured at the hardware level. So if you have a workstation that has a hardware RAID-5 array or a RAID-10 controller and array, you configure this hardware prior to installing the Windows 7 operating system. RAID-5 is disk striping with parity, and RAID-10 is a stripe of mirrored disks. RAID-5 requires a minimum of three disks, and RAID-10 needs a minimum of four. RAID-5 and RAID-10 do offer increased performance and are fault tolerant.

Removable device policies
You need to know how to control the use of removable storage devices in your organization.

True or False? You can allow administrators to use removable devices while blocking other users from using the same devices.
Answer: True. You can block the installation of removable devices, which include removable storage devices, by configuring policy settings located under the Computer Configuration\Policies\Administrative Templates\System\Device Installation\Device Installation Restriction node in a standard Group Policy object (GPO). You can create a list of authorized devices while blocking all others. The policies that you can configure to block the installation of removable devices include the following:
■■ Allow Administrators To Override Device Installation Restriction Policies  Members of the local Administrators group can bypass device restriction policies.
■■ Allow Installation Of Devices Using Drivers That Match These Device Setup Classes  Allows the installation of device drivers for devices that match the list of defined device class GUIDs.
■■ Prevent Installation Of Devices Not Described By Other Policy Settings  You can block the installation of all devices except those listed in another policy.
■■ Display A Custom Message When Installation Is Prevented By Policy  The message text presented to users when device installation is blocked.
■■ Display A Custom Message Title When Installation Is Prevented By Policy  The message title presented to users when device installation is blocked.
■■ Allow Installation Of Devices That Match Any Of These Device IDs  Shows a list of Plug and Play (PnP) hardware IDs of devices that can be installed. Only used when the Prevent Installation Of Devices Not Described By Other Policy Settings policy is enabled.

■■ Prevent Installation Of Devices That Match Any Of These Device IDs  Shows a list of PnP hardware IDs and compatible IDs for devices that you want to block. Takes precedence over other policies.
■■ Prevent Installation Of Devices Using Drivers That Match These Device Setup Classes  You can specify setup class GUIDs for device drivers that are blocked.
■■ Prevent Installation Of Removable Devices  You can block the installation of all removable devices. Any existing removable devices can’t have their drivers updated.

If your organization only wants administrators to use removable devices, you should enable the policy related to administrators. If you want to allow users to use specifically approved devices, you’ll need to enable multiple policies.

More Info  To learn more about controlling access to external storage devices, consult the following webpage: http://technet.microsoft.com/en-us/library/hh125922(WS.10).aspx.

True or False? You can deny write access to devices not protected by BitLocker.
Answer: True. With BitLocker To Go, you can encrypt removable devices using the BitLocker Drive Encryption technology. With Group Policy, you can configure Windows 7 so that users can’t write data to removable storage devices that are not protected by BitLocker To Go. This configuration is done using the Deny Write Access To Removable Drives Not Protected By BitLocker policy, which is located in the Computer Configuration\Administrative Templates\BitLocker Drive Encryption\Removable Data Drives node of a GPO. You can also configure this policy to only allow data to be written to drives protected by BitLocker in the same organization. To use this policy, you also need to configure the Provide Unique Identifiers For Your Organization policy. BitLocker to Go is covered in more detail in Chapter 6, “Configuring Mobile Computing.”

EXAM TIP  You need to provide a unique organizational identifier if you want to only allow write access to BitLocker To Go–protected storage associated with your organization.

Can you answer these questions?
You can find the answers to these questions at the end of the chapter.
1. What kind of redundant volumes can you create using the default Windows 7 operating system tools?
2. What type of disks must you configure if you want to create a striped volume?
3. You have a 300-GB disk, a 500-GB disk, and a 600-GB disk. What is the maximum striped volume size you can create using these disks?
4. What steps do you need to take to ensure that users can write data only to removable devices from your organization?
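The removable device and BitLocker To Go policies described in the Removable device policies section depend on each other, and a half-configured combination is easy to miss in the Group Policy editor. The following read-only check is an added example, not part of the book; the registry paths and value names are the ones Microsoft documents for these policies and do not appear in the book, and the function names and sample values are constructed.

```powershell
# Added example: check that the removable-device policies form a consistent set.
$Restrict = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$FveSoft  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$FveSys   = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE'

function Get-Flag([string]$Path, [string]$Name) {
    # True when the named policy value exists and equals 1.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    return ($item -and ($item.$Name -eq 1))
}

function Get-ListCount([string]$Path) {
    # Allow and deny lists are stored as numbered values in a subkey of the same name.
    if (Test-Path $Path) { return @((Get-Item $Path).GetValueNames()).Count }
    return 0
}

function Get-RemovableDevicePolicy {
    # Snapshot of the local computer's effective settings.
    return @{
        AdminOverride   = Get-Flag $Restrict 'AllowAdminInstall'
        DenyRemovable   = Get-Flag $Restrict 'DenyRemovableDevices'
        DenyUnspecified = Get-Flag $Restrict 'DenyUnspecified'
        AllowedIds      = Get-ListCount "$Restrict\AllowDeviceIDs"
        AllowedClasses  = Get-ListCount "$Restrict\AllowDeviceClasses"
        DenyWriteNoBde  = Get-Flag $FveSys  'RDVDenyWriteAccess'
        DenyCrossOrg    = Get-Flag $FveSoft 'RDVDenyCrossOrg'
        OrgIdentifier   = Get-Flag $FveSoft 'IdentificationField'
    }
}

function Test-RemovableDevicePolicy([hashtable]$P) {
    $findings = @()
    $allowed = $P.AllowedIds + $P.AllowedClasses
    if ($P.DenyRemovable -and -not $P.AdminOverride) {
        $findings += 'Removable devices are blocked for everyone, administrators included.'
    }
    if (($allowed -gt 0) -and -not $P.DenyUnspecified) {
        $findings += 'An allow list exists but Prevent Installation Of Devices Not Described By Other Policy Settings is off, so the list has no effect.'
    }
    if ($P.DenyUnspecified -and ($allowed -eq 0) -and -not $P.AdminOverride) {
        $findings += 'All undescribed devices are blocked and nothing is allowed: no new device can be installed.'
    }
    if (-not $P.DenyWriteNoBde) {
        $findings += 'Users can write to removable drives that are not protected by BitLocker.'
    }
    if ($P.DenyCrossOrg -and -not $P.OrgIdentifier) {
        $findings += 'Writes are limited to this organization''s drives but Provide Unique Identifiers For Your Organization is not configured.'
    }
    return ,$findings
}

# Constructed sample: an approved-device list that was never switched on,
# and an organization-only write rule without an identifier.
$sample = @{ AdminOverride = $true; DenyRemovable = $false; DenyUnspecified = $false
             AllowedIds = 2; AllowedClasses = 0
             DenyWriteNoBde = $true; DenyCrossOrg = $true; OrgIdentifier = $false }
Test-RemovableDevicePolicy $sample                       # two findings
Test-RemovableDevicePolicy (Get-RemovableDevicePolicy)   # the local computer
```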

Objective 7.3: Monitor systems
For the 70-680 exam, monitoring systems primarily involves being able to manage and maintain event logs, including configuring forwarding and filters, as well as being able to effectively leverage data collector set functionality.

Exam need to know
■■ Configuring event logging
For example: How to configure maximum event log file sizes.
■■ Filtering event logs
For example: How to create an event log filter.
■■ Event subscriptions
For example: How to forward event logs to another computer.
■■ Data collector sets
For example: How to create a data collector set.
■■ Generating a system diagnostics report
For example: How to configure a schedule for the System Diagnostics data collector set.

Configuring event logging
You need to know how to configure the properties of the event log, including log size and location, and what to do when the maximum event log size is reached.

True or False? You can configure a computer to shut down if it can’t write audit events to the Security event log.
Answer: True. All event logs have the same options, but you must configure these options on a log-by-log basis. For example, if you configure the Security log with a new maximum size, that new size applies only to the Security log, not the other logs. You can configure the following event log properties:
■■ Log Path  Defaults to the %SystemRoot%\System32\Winevt\Logs folder, but can be changed.
■■ Maximum Event Log Size (KB)  The default size is 20480 KB.

When maximum event log size is reached:
■■ Overwrite Events As Needed (Oldest Events First)  This is the default option. When each log reaches the default 20 MB in size, the oldest events are replaced by newer events.
■■ Archive The Log When Full, Do Not Overwrite Events  This option creates archived logs that will have to be moved or deleted at some stage; otherwise, they will grow to consume the volume hosting them.

■■ Do Not Overwrite Events (Clear Logs Manually)  This option requires an administrator to clear event logs on a regular basis; otherwise, new events will not be recorded. If the Audit: Shut Down System Immediately If Unable To Log Security Audits Group Policy item is enabled, the system will shut down when it can’t write new events to the Security log.

EXAM TIP  Remember that if you configure a log to overwrite events as needed, you’ll overwrite existing events.

More Info  To learn more about event logs, consult the following webpage: http://technet.microsoft.com/en-us/library/cc722404.aspx.

Filtering event logs
You need to know how to limit the visible items in a log to those that have specific properties.

True or False? Event log filters are persistent.
Answer: False. Event log filters are not persistent, and you must re-create them each time you restart Event Viewer. You can create an event log filter by selecting the event log that you want to filter and then clicking Filter Current Log in the Actions pane. With filters you can limit the display of individual event logs on the basis of event time, event level, event source, event ID, keyword, user, or computer. To make a filter persistent, you must convert it into a Custom view, which is persistent and can be imported and exported to be used across multiple computers. Custom views also have the benefit that you can use them to find specific events across multiple logs.

EXAM TIP  Remember the difference between an event log filter and a view.

More Info  To learn more about event log filtering consult the following webpage: http://technet.microsoft.com/en-us/magazine/gg131917.aspx.

Event subscriptions
You need to know about how event log items can be transmitted from one computer to another. Using event subscriptions and event forwarding, you can configure computers to consolidate event log items centrally rather than storing them separately on each computer where they are generated. Event subscriptions use HTTP or HTTPS to either send events from a source computer to a collector computer (known as source-initiated subscriptions) or have the collector computer retrieve certain event log items from source computers (collector-initiated subscriptions).

True or False? By using source-initiated subscriptions, you can add additional computers without reconfiguring the computer functioning as the event log collector.
Answer: True.

With source-initiated subscriptions, you can add additional source computers to the subscription as needed. You use source-initiated subscriptions when you have large numbers of source computers. You can configure these computers using Group Policy. Collector-initiated subscriptions are generally used in small environments.

More Info  To learn more about event subscriptions, consult the following webpage: http://technet.microsoft.com/en-us/library/cc749183(WS.10).aspx.

True or False? You need to enable the Windows Remote Management (WinRM) and event collector services on all computers involved in event subscriptions.
Answer: False. You configure a source computer so a collector computer can retrieve events from it by running the winrm quickconfig command from an elevated command prompt. The computer account of the collector computer must be added to either the Event Log Readers or Administrators group on the source computer. It is necessary to add this account to the Administrators local group only if events in the Security log are being forwarded. You run the wecutil qc command on the collector computer to configure the event collector services. You run winrm quickconfig on the collector computer when you are using source-initiated subscriptions.

EXAM TIP  You don’t have to configure the event collector service on the source computer.

Data collector sets
You need to know how to use and create data collector sets in Performance Monitor on computers running Windows 7.

True or False? Using data collector sets, you can collect performance information.
Answer: True. You can organize and record multiple data collection points. You can use Performance Monitor to view and analyze performance data, or you can create a report that summarizes the information gathered by the data collector set. Windows 7 includes the following data collector sets by default:
■■ System Performance  You can gather and review information about system performance.
■■ System Diagnostics  You can view and troubleshoot system reliability issues.

True or False? You can use data collector sets to trigger the execution of tasks after a particular threshold value is reached.
Answer: True. You can create one of the following types of custom data collector sets using the New Data Collector Set Wizard:
■■ Performance Counter Data Collector  You can collect performance counter statistics over time for later analysis.
■■ Event Trace Data Collector  You can collect information about system events and activities.

■■ System Configuration Information  You can collect information about WMI management paths, registry keys, and the system state.
■■ Performance Counter Alert  You can configure an alert that is triggered when a specific performance counter reaches a specific benchmark value. You can configure a task to run when this occurs.

You create data collector sets from the command line using the Logman command-line utility.

EXAM TIP  Remember that the System Diagnostics and System Performance data collector sets are included by default.

More Info To learn more about data collector sets, consult the following webpage: http://technet.microsoft.com/en-us/library/cc749337.aspx.

Generating a system diagnostics report
You need to know how to run the System Diagnostics data collector set and what it can tell you about a computer running Windows 7.

True or False? A user who is not a member of the local Administrators group can run a System Diagnostics report.

Answer: False. A user must be a member of the local Administrators group to run the System Diagnostics report. The System Diagnostics report is a special data collector set that is located under the Data Collector Sets\System node in Performance Monitor. The System Diagnostics report details the status of local hardware resources, system response times, and processes that are running on the local computer. It also provides detailed system information and configuration data as well as recommendations for ways in which you can improve the computer’s performance.

EXAM TIP  Remember what information can be provided by a System Diagnostics report.

Can you answer these questions?
You can find the answers to these questions at the end of the chapter.
1. You want to be able to find specific events on the basis of keyword each time you open the event viewer. These events can be in the System or the Security log. What tool should you use to accomplish this goal?
2. Which type of custom data collector set should you create if you want to retrieve information about registry keys and the system state?
3. Which command should you run on the source computer to configure it for event forwarding?
4. What method can you use to quickly find out about system response times and configuration data?
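The event forwarding prerequisites described under "Event subscriptions" in this objective can be checked before a subscription is created. The following script is an added example, not part of the book: it verifies, on either a source or a collector computer, the items that winrm quickconfig, wecutil qc, and the Event Log Readers group membership are meant to put in place. The account name CONTOSO\COLLECTOR01$ is a placeholder, and the script assumes an elevated Windows PowerShell prompt.

```powershell
# Added example (not from the book): readiness check for event forwarding.
# Run from an elevated Windows PowerShell prompt on the computer being checked.
# CONTOSO\COLLECTOR01$ is a placeholder computer account, not a real name.
param(
    [ValidateSet('Source', 'Collector')]
    [string]$Role = 'Source',
    [string]$CollectorAccount = 'CONTOSO\COLLECTOR01$',
    [switch]$SourceInitiated      # set on a collector that uses source-initiated subscriptions
)

function Test-ServiceRunning([string]$Name) {
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    return ($svc -ne $null -and $svc.Status -eq 'Running')
}

function Test-WinRMListener {
    # winrm quickconfig starts the service and creates a listener; confirm both.
    if (-not (Test-ServiceRunning 'WinRM')) { return $false }
    $listeners = & winrm enumerate winrm/config/listener 2>$null
    return [bool]($listeners | Select-String -Pattern 'Transport' -Quiet)
}

$findings = @()

if ($Role -eq 'Source') {
    if (-not (Test-WinRMListener)) {
        $findings += 'WinRM is not running or has no listener: run "winrm quickconfig".'
    }

    # The collector's computer account must be able to read the event logs.
    $pattern = '^' + [regex]::Escape($CollectorAccount) + '\s*$'
    $readers = & net localgroup 'Event Log Readers'
    $admins  = & net localgroup 'Administrators'
    if ($admins -match $pattern) {
        Write-Output "$CollectorAccount is a local administrator (needed only for Security log forwarding)."
    }
    elseif ($readers -match $pattern) {
        Write-Output "$CollectorAccount is in Event Log Readers (Security log events will not be forwarded)."
    }
    else {
        $findings += "$CollectorAccount is in neither Event Log Readers nor Administrators."
    }
}
else {
    if (-not (Test-ServiceRunning 'Wecsvc')) {
        $findings += 'Windows Event Collector service is not running: run "wecutil qc".'
    }
    else {
        # wecutil es lists subscription names; wecutil gr shows runtime status per source.
        $subs = @(& wecutil es | Where-Object { $_ -and $_.Trim() })
        if ($subs.Count -eq 0) {
            $findings += 'No subscriptions are defined on this collector.'
        }
        foreach ($sub in $subs) {
            Write-Output "--- Runtime status for subscription '$sub' ---"
            & wecutil gr $sub
        }
    }
    if ($SourceInitiated -and -not (Test-WinRMListener)) {
        $findings += 'Source-initiated subscriptions need WinRM on the collector: run "winrm quickconfig".'
    }
}

if ($findings.Count -eq 0) {
    Write-Output "$Role checks passed."
}
else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```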

Objective 7.4: Configure performance settings
By configuring performance settings, you can improve the speed at which Windows 7 functions. There are often drawbacks to improving performance, from reduced battery life to increased chances of data loss in the event of a power failure.

Exam need to know
■■ Configuring page files
For example: How to move the page file to a different disk.
■■ Configuring hard drive cache
For example: How to disable write caching on a disk.
■■ Updated drivers
For example: How to determine which tools you can use to update an existing device driver.
■■ Configuring networking performance
For example: How to configure Background Intelligent Transfer Service (BITS).
■■ Configuring power plans
For example: How to configure Windows 7 to use a different power plan.
■■ Configuring processor scheduling
For example: How to set processor scheduling to favor background services.
■■ Configuring desktop environment
For example: How to adjust visual effects for best performance.
■■ Configuring services and programs to resolve performance issues
For example: How to determine which processes are associated with a service.
■■ Mobile computing performance issues
For example: How to describe the functionality of Windows Mobility Center.
■■ Configuring power
For example: How to configure Windows 7 to issue a warning on a mobile computer when the battery is down to 5 percent of capacity.

Configuring page files
You need to know the options for managing page files on computers running Windows 7.

True or False? By default, the page file on computers running Windows 7 is managed by the operating system.

Answer: True. By default, Windows 7 automatically manages the size of the page file. The page file is stored in the root folder of the volume that hosts the Windows system files. The amount of physical RAM on the computer determines the size of the page file. For example:

■■ If the computer has less than 1 GB of physical RAM and has an x86 processor, the minimum page file size equals 1.5 times the amount of physical RAM.
■■ If the computer has more than 1 GB of RAM, the minimum is the amount of RAM plus 300 MB.
■■ The default maximum size is three times the amount of RAM.
■■ On computers that support Physical Address Extension (PAE), the maximum page file size is 16 GB.

You can configure the page file by opening the System item in Control Panel, clicking Advanced, clicking the Settings button, clicking the Advanced tab, and then clicking Change under Virtual Memory. You can then clear the Automatically Manage Paging File Size For All Drives check box to configure a custom size for the page file and to enable page files on each of the computer’s volumes. A page file on a different volume can be custom size or system-managed size. To remove a page file from a volume, choose No Paging File. Moving a paging file to a separate disk can improve performance.

EXAM TIP  Remember that you can improve performance by placing the page file on a disk separate from the one hosting the volume that hosts the operating system files.

More Info To learn more about Windows 7 page files, consult the following webpage: http://technet.microsoft.com/en-us/magazine/ff382717.aspx.

Configuring hard drive cache
You know how to enable and disable write caching on a device.

True or False? Enabling write caching on storage devices improves performance.

Answer: True. Write caching is a technology that improves system performance by using RAM to store commands sent to data storage devices until the storage media can process them. The drawback of write caching is that it might lead to possible data loss during an equipment power outage. You enable or disable write caching by editing the storage device’s properties in Device Manager. If you enable write caching, you can also disable write-cache buffer flushing. If you do this, periodic data transfer commands are inhibited. Not all storage devices support this option.

True or False? Write caching is disabled on USB storage devices by default.

Answer: True. You can disable write caching on removable storage devices by configuring the Removal Policy. This policy is enabled by default in Windows 7, which is why you don’t have to use the Safely Remove Hardware option when removing a USB storage device. When you enable write caching on a device, you’ll experience better performance on the device, but you’ll have to use the Safely Remove Hardware option when removing the USB storage device.

EXAM TIP  Remember what the drawback of enabling write caching is.

More Info To learn more about configuring disk write caching, consult the following webpage: http://support.microsoft.com/kb/324805.

Updated drivers
You need to know how to update existing device drivers on computers running the Windows 7 operating system.

True or False? You can only update drivers using Windows Update.

Answer: False. You can update device drivers by right-clicking a device within Device Manager and then clicking the Update Driver option. This process launches the Update Driver Software Wizard, with which you can check the local driver store as well as the Microsoft online driver repository for new drivers. You can also specify a local folder location if you have downloaded the updated drivers from the vendor’s website. You can configure the Turn Off Windows Update Device Driver Searching policy to prevent Windows 7 from checking Windows Update when a driver file is not found locally. This policy is located in the Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication Settings node of a standard GPO.

More Info To learn more about updating or changing a device driver, consult the following webpage: http://technet.microsoft.com/en-us/library/cc730965.aspx.

True or False? You can roll back to a previous version of a driver only if that version was previously installed on the computer.

Answer: True. With device driver rollback, you can restore a previously functioning driver if a new driver is found to be problematic. You can use driver rollback only if a previous driver has been installed. You perform driver rollback through Device Manager by right-clicking the device, clicking Properties, clicking the Drivers tab, and then clicking Roll Back Driver. This option is available only if a previous driver version exists on the computer running Windows 7. For example, you might have installed a driver released in January 2012 only to find it buggy. Even though you can then find a version of the same device driver released in August 2011, you can’t roll back to that August 2011 version of the driver unless that version of the driver was installed for the device prior to you installing the January 2012 version.

EXAM TIP  Remember that you can roll back a device driver only if the currently installed driver is replacing an existing driver.

More Info  To learn more about rolling back a device driver, consult the following webpage: http://technet.microsoft.com/en-us/library/cc732648.aspx.

Configuring network performance
You need to know about technologies such as BranchCache and Background Intelligent Transfer Service (BITS).

True or False? A computer running Windows 7 can function as a server in BranchCache Hosted Cache mode.

Answer: False. BranchCache is a technology that allows computers running the Enterprise and Ultimate editions of Windows 7 to cache network file data from BranchCache-enabled sources on remote networks to be shared with other computers on the LAN. In Distributed Cache mode, each computer running Windows 7 hosts a part of the cache. In Hosted Cache mode, a computer on the branch office network running Windows Server 2008 R2 hosts the cache. You learned about BranchCache in more detail in Chapter 5, “Configuring Access to Resources.”

True or False? You can use BITS to download large files without affecting other network applications.

Answer: True. You can use BITS, a file transfer service, to transfer files using idle network bandwidth. The advantage of BITS is that you can download very large files without adversely influencing the performance of other network applications. BITS transfers continue to function when users change their network connection or restart their computer. BITS transfers can also use other BITS clients on the local network as the source of files if they have recently accessed the same file. This is very useful for reducing traffic in situations such as software update deployment, meaning that software update files can be retrieved from BITS peers, not just from the WSUS server. BITS usually runs automatically when used with services such as WSUS, but you can also manage BITS from Windows PowerShell with the BitsTransfer module. Once this module is imported, you can use the following cmdlets:
■■ Add-BitsFile  Adds files to an existing BITS transfer job.
■■ Complete-BitsTransfer  Completes a BITS transfer job.
■■ Get-BitsTransfer  Shows the current BITS transfer job.
■■ Remove-BitsTransfer  Stops the current BITS transfer job.
■■ Resume-BitsTransfer  Resumes a suspended BITS transfer job.
■■ Set-BitsTransfer  You can configure a BITS transfer job.
■■ Start-BitsTransfer  You can create and start a BITS transfer job.
■■ Suspend-BitsTransfer  You can pause a BITS transfer job.

You can configure the following BITS-related Group Policies:
■■ Allow BITS Peercaching  When enabled, client attempts to transfer files from other peers. Disabled by default.
■■ Do Not Allow The Computer To Act As A BITS Peercaching Client  When enabled, client downloads from source, not peers.

■■ Do Not Allow The Computer To Act As A BITS Peercaching Server  Allows other peers to retrieve downloaded files from this computer.
■■ Limit the BITS Peercache Size  Maximum size of BITS file cache.
■■ Limit The Age Of Items In The BITS Peercache  Maximum age of files in the BITS file cache.
■■ Limit The Maximum Network Bandwidth Used For Peercaching  You can specify limits. The default is 8 Mbit/sec.
■■ Limit The Maximum Network Bandwidth For BITS Background Transfers  You can specify limits. Not usually required because BITS manually manages bandwidth allocation.
■■ Set Up A Work Schedule To Limit The Maximum Network Bandwidth Used For BITS Background Transfers  Restricts BITS bandwidth according to a schedule.
■■ Set Up A Maintenance Schedule To Limit The Maximum Network Bandwidth Used for BITS Background Transfers  Restricts BITS bandwidth according to a schedule.
■■ Limit the Maximum BITS Job Download Time  Period during which an active download can run. The default is 90 minutes.
■■ Timeout For Inactive BITS Jobs  Number of days without a successful download action before a job is abandoned.
■■ Limit The Maximum Number Of BITS Jobs For This Computer  Maximum number of BITS jobs on a per-computer basis.
■■ Limit The Maximum Number of BITS Jobs For Each User  Maximum number of BITS jobs on a per-user basis.
■■ Limit The Maximum Number Of Files Allowed In A BITS Job  Maximum number of files in a single job.
■■ Limit The Maximum Number Of Ranges That Can Be Added To The File In A BITS Job  Ranges allow a portion of a file to be downloaded.

EXAM TIP  Remember that BITS is managed from Windows PowerShell, not the BITSAdmin.exe tool.

More Info To learn more about BITS, consult the following webpage: http://technet.microsoft.com/en-us/magazine/ff382721.aspx.

Configuring power plans
You need to know how to modify the settings of existing power plans and how to create new power plans.

True or False? Computers running Windows 7 use the Balanced power plan by default.

Answer: True. A power plan is a collection of settings that determine how a computer running Windows 7 uses energy. By default, Windows 7 ships with the following three power plans:

■■ Balanced  Provides full performance when required and saves energy when the computer is not being used. This is the default plan.
■■ Power Saver  Limits system performance and reduces screen brightness on computers that support it. Allows mobile users to extend usage time when using a computer with a battery.
■■ High Performance  Maximizes screen brightness on computers that support it. Increases computer performance at a cost of reducing the amount of time a mobile computer can be used with a battery.

You can configure your own power plan based on an existing power plan. Many OEMs configure their own power plans as a part of their default Windows 7 operating system image. You can delete custom power plans only if the plan is not currently active. You can’t delete any of the default power plans.

You configure power plan settings using the Power Options Control Panel or the powercfg.exe command-line utility. You can configure basic and advanced settings for each power plan. When you configure power plan settings, you configure options for when the computer is running on battery power and when the computer is plugged into an external power supply. If the computer does not have an internal battery, only the Plugged In settings are available. The settings that are available depend on each computer’s hardware configuration, with some computers not supporting the Dim The Display or Adjust Plan Brightness settings. Users without local Administrator privileges can modify how the Power and Sleep buttons function. Users who can elevate privileges can also configure whether a password is required when the computer wakes from sleep.

The difference between sleep, shutdown, and hibernation is as follows:
■■ Sleep  The processor and majority of system devices are turned off. RAM remains active and maintains any open applications and documents. Appropriately configured devices, such as keyboards, mice, and network cards, can wake the computer from sleep.
■■ Hybrid Sleep  Like sleep, the contents of RAM remain in RAM, but in a low-power state. The contents of RAM are also stored in a special file on the hard disk. If the computer is not woken after a preconfigured amount of time, it shifts to the hibernate state. Hybrid sleep is used only by computers that do not have internal batteries.
■■ Hibernate  All devices are powered off, and the contents of RAM are stored in a special file hosted on the operating system volume, which allows the computer to be restored to operation with applications and documents restored.

More Info To learn more about power plans in Windows 7, consult the following webpage: http://windows.microsoft.com/en-US/windows7/Power-plans-frequently-asked-questions.

True or False? You can configure the power performance of a wireless adapter using advanced power plan settings.

Answer: True. Using advanced power plan settings, you can configure the following options:
■■ Require A Password On Wakeup  Use this option to specify whether the user must enter a logon password when the computer wakes from sleep or hibernation.
■■ Turn Off Hard Disk  You can configure the period of activity that triggers the hard disk to be switched off.
■■ Desktop Background Settings  Use this option to specify whether animated desktops, including slide shows, are available.
■■ Wireless Adapter Settings  You can specify power performance settings for wireless adapters. The Maximum Performance setting uses more energy than the Maximum Power Saving setting.
■■ Sleep  You can configure the sleep and hibernation periods. It includes the option to specify whether timed events can be used to wake the computer.
■■ USB Settings  Use this option to specify whether the selective suspend option is enabled for USB.
■■ Power Buttons And Lid  You can configure what happens when the computer’s lid is closed, what happens when the Sleep button is pressed, and what happens when the Power button is activated. Options include Do Nothing, Sleep, Hibernate, and Shut Down.
■■ PCI Express  Use this option to specify whether Windows 7 can leverage the PCI Express Link State Power Management feature with idle devices. Can be set to Moderate Power Savings, Maximum Power Savings, or Off.
■■ Processor Power Management  You can specify minimum and maximum processor states and whether a system cooling policy is enabled.
■■ Display  Use this option to specify the periods that must elapse before the display is dimmed and switched off. You can also specify display brightness during normal and dim use.
■■ Multimedia Settings  You can configure whether a computer is allowed to sleep when a remote computer is accessing media over the network. You can also optimize or reduce video playback quality as a method of minimizing power usage.
■■ Battery  Use this option to specify the Reserve, Low, and Critical battery levels as a percentage and what actions to take when these levels are reached.

Power Management–related Group Policy items are located in the Computer Configuration\Administrative Templates\System\Power Management node. Through Group Policy, you can configure the additional options not available through the Advanced Power Settings GUI, including the following:
■■ Allow Applications To Prevent Automatic Sleep
■■ Allow Automatic Sleep With Open Network Files
■■ Turn On The Ability For Applications To Prevent Sleep Transition

True or False? You can use powercfg.exe to configure options that aren’t available using GUI tools.

Answer: True. You can configure Windows 7 power settings from an elevated command prompt. With powercfg.exe, you can configure several power management settings that can’t be configured through the power plan GUI, including specifying which devices can wake a computer from a sleep state.

EXAM TIP  Remember the difference between sleep and hibernation.

More Info To learn more about powercfg.exe in Windows 7, consult the following webpage: http://technet.microsoft.com/en-us/library/cc748940(WS.10).aspx.

Configuring processor scheduling
You need to know how to switch processor scheduling options between Programs and Background Services.

True or False? Windows 7 is configured by default to give better response time to background applications.

Answer: False. With processor scheduling, you can configure a computer running Windows 7 to prioritize one type of application over another. Processor scheduling is configured on the Advanced tab of the Performance Options dialog box, which is available through the Advanced tab of the System Properties dialog box. The options that you can configure include these:
■■ Programs  This option gives active applications the best response time and a substantial share of available resources. It is the default setting on computers running the Windows 7 operating system.
■■ Background Services  This option is suitable for computers running Windows 7 that are functioning in a server role, such as functioning as a file server, a print server, or hosting a small website.

Configuring desktop environment
You need to know how to configure visual effects settings to achieve the best mix between appearance and performance.

True or False? You can use visual effects performance options to disable edge smoothing for screen fonts.

Answer: True. You can configure the visual settings of a computer running Windows 7 to increase performance. The more visual effects settings that are enabled, the greater the decrease in overall performance. On very fast computers, you will not notice a performance change, but on slower computers visual effects options can make a difference in how well a computer responds. You configure these visual options on the Visual Effects tab of the Performance Options dialog box. You can access this dialog box by clicking the Settings button in the Performance area of the Advanced tab of the System Properties dialog box. You can choose one of the following options:
■■ Let Windows Choose What’s Best For My Computer  The operating system enables and disables appearance enhancements as necessary. This is the default option.
■■ Adjust For Best Appearance  When this option is enabled, all appearance enhancements are enabled.
■■ Adjust For Best Performance  When this option is enabled, all appearance enhancements are disabled.
■■ Custom  When you choose Custom, you can enable or disable the following individual appearance elements:
• Animate Controls And Elements Inside Windows
• Animate Windows When Minimizing And Maximizing
• Animations In The Taskbar And Start Menu
• Fade Or Slide Menus Into View
• Fade Or Slide ToolTips Into View
• Fade Out Menu Items After Clicking
• Show Shadows Under Mouse Pointer
• Show Shadows Under Windows
• Show Translucent Selection Rectangle
• Show Windows Contents While Dragging
• Slide Open Combo Boxes
• Smooth Edges Of Screen Fonts
• Smooth-Scroll List Boxes
• Use Drop Shadows For Icon Labels On The Desktop
• Use Visual Styles On Windows And Buttons

More Info To learn more about disabling visual effects, consult the following webpage: http://windows.microsoft.com/en-US/windows7/Optimize-Windows-7-for-better-performance.

Configuring services and programs to resolve performance issues
You need to know how to alter the priority of a running process.

True or False? You can configure the priority of a service by configuring the priority of a process.

Answer: True. You can view which processes and services are consuming system resources by using the Resource Monitor. You can configure the priority of a process by opening the Task Manager, selecting the Processes tab, right-clicking the process, and then clicking Set Priority. You can configure one of the following priorities:

■■ Realtime
■■ High
■■ Above Normal
■■ Normal
■■ Below Normal
■■ Low

To determine which process or processes are used by a specific service, right-click the service on the Services tab of Task Manager and then click Go To Process. The processes related to the services on the Processes tab will display, so you can configure an appropriate priority. Selecting the Realtime option allocates almost all processor resources to a process and can have a negative impact on computer performance.

More Info  To learn more about Task Manager, consult the following webpage: http://windows.microsoft.com/en-US/windows7/What-do-the-Task-Manager-memory-columns-mean.

Mobile computing performance issues
Mobile computing performance issues means knowing the options in Windows Mobility Center.

True or False? You can use Windows Mobility Center to configure a computer in Presentation mode.

Answer: True. With Windows Mobility Center, you can configure items such as display brightness, volume, battery status, power plan, and wireless network status from a single Control Panel. By switching which power plan is in effect, reducing the display brightness, and disabling wireless, you can substantially increase the amount of time that the mobile computer can be used before the battery becomes completely drained. You can also use Windows Mobility Center to configure the computer to function in Presentation mode, which means that notifications do not appear on the screen. This is useful when you want to ensure that items such as instant messages don’t appear on the screen during an important PowerPoint presentation.

More Info To learn more about Windows Mobility Center, consult the following TechNet document: http://windows.microsoft.com/en-US/windows7/Using-Windows-Mobility-Center.

Configuring power
Configuring power means changing the power options for a device.

True or False? You can use the Power Management tab to block a specific device from being able to wake the computer from sleep.

Answer: True. You configure power options through the Power Management tab in each compatible device’s properties dialog box in Device Manager. (Not all devices allow configuring of power options.) When you configure these power options, you can specify whether a specific device can wake the computer from a sleep state. For example, you can use this functionality to enable Wake On LAN, a feature that enables computers in a low-power state to be woken by network management services to install updates or new software. The options that you can configure on the Power Management tab include these:
■■ Allow The Computer To Turn Off This Device To Save Power
■■ Allow This Device To Wake The Computer

EXAM TIP  Remember that you configure power management options to determine whether a computer can be woken by a special Wake On LAN packet intercepted by a compatible network adapter.

More Info  To learn more about device power options, consult the following webpage: http://technet.microsoft.com/en-us/library/cc731895.aspx.

True or False? You can generate a power efficiency diagnostics report using built-in tools.

Answer: True. You can create a power efficiency diagnostics report for a computer running Windows 7 by using the powercfg.exe utility with the energy parameter. This report will provide you with detailed information about how the computer uses energy and any issues that might exist, such as certain devices not properly entering hibernation or sleep modes.

More Info To learn more about power efficiency diagnostic reports, consult the following webpage: http://support.microsoft.com/kb/976034.

Can you answer these questions?
You can find the answers to these questions at the end of the chapter.
1. What is the main drawback to enabling write caching?
2. Which technology should you use to support transfers of large files without interfering with network performance?
3. What tool can you use to lower the priority of a specific process?
4. What tool do you use to generate a power efficiency diagnostics report?
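The BitsTransfer cmdlets listed under "Configuring network performance" in this objective fit together as a job lifecycle: create, monitor, then complete or remove. The following script is an added example, not part of the book, that drives one background job through that lifecycle. The source URL and destination path are placeholders.

```powershell
# Added example (not from the book): one BITS job taken through its lifecycle
# with the BitsTransfer cmdlets. The source URL and destination are placeholders.
Import-Module BitsTransfer

$source      = 'http://server.example/updates/package.msu'   # placeholder
$destination = 'C:\Temp\package.msu'                          # placeholder

# -Asynchronous returns a job object immediately instead of blocking.
# Background priorities (High, Normal, Low) use idle network bandwidth.
$job = Start-BitsTransfer -Source $source -Destination $destination `
           -DisplayName 'Example download' -Priority Low -Asynchronous

$deadline = (Get-Date).AddMinutes(30)
$finished = @('Transferred', 'Error', 'Cancelled')

do {
    Start-Sleep -Seconds 10
    $job   = Get-BitsTransfer -JobId $job.JobId
    $state = $job.JobState.ToString()

    switch ($state) {
        'Transferring' {
            Write-Output ("{0} of {1} bytes" -f $job.BytesTransferred, $job.BytesTotal)
        }
        'Suspended' {
            # A paused job (Suspend-BitsTransfer) stays paused until it is resumed.
            Resume-BitsTransfer -BitsJob $job -Asynchronous | Out-Null
        }
        'TransientError' {
            # BITS retries by itself, for example after a network change.
            Write-Warning "Temporary problem: $($job.ErrorDescription)"
        }
    }
} while (($finished -notcontains $state) -and ((Get-Date) -lt $deadline))

switch ($state) {
    'Transferred' {
        # The file only appears at the destination once the job is completed.
        Complete-BitsTransfer -BitsJob $job
        Write-Output "Saved $destination"
    }
    'Error' {
        Write-Warning "Transfer failed: $($job.ErrorDescription)"
        Remove-BitsTransfer -BitsJob $job
    }
    'Cancelled' {
        Write-Warning 'The job was cancelled.'
    }
    default {
        # Deadline reached: pause the job so that it can be resumed later.
        Suspend-BitsTransfer -BitsJob $job | Out-Null
        Write-Warning "Job paused in state $state; resume it with Resume-BitsTransfer."
    }
}

# Jobs that still exist for the current user (add -AllUsers from an elevated prompt).
Get-BitsTransfer | Select-Object DisplayName, JobState, BytesTransferred, BytesTotal
```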

Answers
This section contains the answers to the “Can you answer these questions?” sections in this chapter.

Objective 7.1: Configure updates to Windows 7
You can use WSUS groups to ensure that one group of computers running Windows 7 receives an update 3 weeks after another group of computers running Windows 7.
You can configure the No Auto-Restart With Logged On Users For Scheduled Automatic Updates Installation policy to ensure that users are not forcibly logged off to complete update installation.
You should use the Microsoft Baseline Security Analyzer to check whether 100 computers running Windows 7 are missing a specific update.
You can use WSUS to roll back a deployed update.

Objective 7.2: Manage disks
You can’t create a RAID-5 volume or a RAID-10 volume using the Windows 7 operating system tools. You can create a mirrored volume, also known as a RAID-1 volume.
You can only create striped volumes on dynamic disks.
You need to configure the Deny Write Access To Removable Drives Not Protected By BitLocker policy and the Provide Unique Identifiers For Your Organization policy.
You can create a 1000-GB striped volume if you use the 500-GB disk and the 600-GB disk only.

Objective 7.3: Monitor systems
1. You should create a Custom view because these views are both persistent and can be used to find events across multiple logs.
2. You create a System Configuration Information data collector set if you want to retrieve information about registry keys and the system state.
3. You should run the winrm quickconfig command to prepare the source computer for event forwarding.
4. You should run a System Diagnostics report.

Objective 7.4: Configure performance settings
1. Enabling write caching can lead to data loss if there is a power disruption.
2. BITS allows the transfer of large files by using idle network bandwidth, minimizing its impact on network performance.
3. With Task Manager, you can reduce the priority of a specific process.
4. The powercfg.exe command-line utility.

Chapter 8
Configuring Backup and Recovery Options

Because approximately 11 percent of the 70-680 exam focuses on the topic of configuring backup and recovery options, you need to have a good grasp of how to back up and recover computers running Microsoft Windows 7, including when to use functionality such as System Restore and Last Known Good Configuration (LKGC), and how to leverage previous versions of files stored using shadow copy.

This chapter covers the following objectives:
■■ Objective 8.1: Configure backup
■■ Objective 8.2: Configure system recovery options
■■ Objective 8.3: Configure file recovery options

Objective 8.1: Configure backup
Although up to 60 percent of organizational data is stored on client computers, most organizations don’t have a coherent plan for ensuring that data on client computers is backed up. Windows 7 comes with a basic backup utility that you can use to schedule a regular backup and leave it to run. You don’t have to constantly monitor the backup to determine whether there is enough available space on the backup device because when the utility is used with a local storage device, it automatically overwrites the oldest backup data with new backup data when the storage device reaches capacity.

Exam need to know
■■ Creating a system recovery disk
For example: What steps do you need to take to create a recovery disk and in what situations would you use it?
■■ Backing up files, folders, or full system
For example: Know what steps to take to back up user libraries.

■■ Scheduling backups
For example: How to configure Windows 7 to back up a system image on a periodic basis.

Creating a system recovery disk

You need to know how to create and when to use a system repair disc.

True or False? You can use the Windows 7 installation media to perform system repair tasks.
Answer: True. System repair discs give you the option of creating a bootable device that you can use to perform system recovery operations. You can also use the Windows 7 installation media to perform the same tasks. Traditionally, a system repair disc is a bootable CD or DVD. It is possible to configure a bootable USB thumb device to function as a system repair disc, but you can’t do this directly from the Backup And Restore Control Panel in Windows 7 SP1.

EXAM TIP  What the 70-680 exam objectives call a system recovery disk is called a system repair disc in the Windows 7 operating system user interface.

You can create a system repair disc on any computer that is running Windows 7 and has a DVD or CD writer by performing the following steps:
1. Open the Backup And Restore item in the Control Panel.
2. In the left pane, click Create A System Repair Disc. A routine runs, prompting you to insert a writable CD or DVD.
3. Insert the writable optical media in the drive and allow the repair disc to be created.

If a failure occurs, and you don’t have access to the installation media or a system repair disc, you can create a system repair disc on another computer running Windows 7 and use it with the computer that failed.

More Info  To learn more about creating a system repair disc, consult the following webpage: http://windows.microsoft.com/en-US/windows7/Create-a-system-repair-disc.

True or False? You can perform a Windows memory diagnostic from a system repair disc.
Answer: True. Unlike previous versions of Windows, Windows 7 automatically installs the Windows Recovery Environment (WinRE), which includes the startup repair tool, which allows the operating system to perform many repair tasks automatically without direct intervention. Windows 7 automatically opens WinRE if Windows 7 can’t start. If the boot volume is damaged, you will need to access WinRE from the Windows 7 installation media or from a system repair disc. You can perform the following tasks from the system repair disc:

■■ Startup Repair  You can fix certain problems, including replacing missing or damaged system files that might prevent Windows 7 from starting properly. Startup repair scans the computer looking for common problems, such as missing or damaged startup files, and attempts to repair them automatically.
■■ System Restore  You can restore the computer’s system files to an earlier point in time without affecting personal files such as documents, pictures, or email.
■■ System Image Recovery  You can restore a system image to the disk. This method is the recovery method of last resort. It is the most aggressive form of recovery because it will overwrite existing data on the volume.
■■ Windows Memory Diagnostic  You can perform tests against RAM to determine whether the RAM is faulty.
■■ Command Prompt  You can open a command prompt to perform command-line tasks on the computer.

More Info  To learn more about system recovery options, consult the following webpage: http://windows.microsoft.com/en-US/windows7/What-are-the-system-recovery-options-in-Windows-7.

Backing up files, folders, or full system

You need to know the steps for backing up files, folders, or the full system either individually or collectively.

True or False? File and folder backups are stored as .zip files.
Answer: True. By using the Backup And Restore item in the Windows 7 Control Panel, you can perform the following types of backups:
■■ System Image Backup  This backup is a block level backup of an entire volume that is stored in virtual hard disk (.vhd) format. This image is compacted to remove empty space. If you are doing a regular system image backup to a local or removable hard disk, additional backups will be incremental at the block level.
■■ Data Files  Backup And Restore writes data file backups as compressed .zip files to the backup device. You can select individual files, folders, or libraries to back up. This type of backup is incremental by default, and Backup And Restore writes only files that have changed since the backup to the same location. Data file backup does not back up system files, program files, EFS-encrypted files, temporary files, user profile files, or files in the Recycle Bin. The backup can be stored on local media, including DVDs and removable hard disks, as well as on shared folders.

When you create a scheduled backup using the default settings, Windows 7 Backup And Restore creates a system image backup as well as the default Windows folders and local files stored in user libraries.

True or False? You can’t use Backup And Restore to restore items from another computer running Windows 7.
Answer: False. If you want to use the Backup And Restore Control Panel item to restore files from another computer, you’ll need to use the Advanced Restore option and select Files From A Backup Made On A Different Computer.

When you select an external volume as target for a backup, Windows 7 creates a folder that shares the name of the computer and saves backups in subfolders with the name Backup Set <year-month-day> <time>. For example, a backup that takes place on December 28, 2011 at 13:13:00 on a removable disk mounted as volume F: on a computer named Yarragon would be stored in the F:\Yarragon\Backup Set 2011-12-28 131300 folder. Automatically created folders with incremental names store changed files within subfolders, but the name of the parent backup set folder is not updated until another full backup is performed.

EXAM TIP  Windows 7 Backup And Restore does not back up files stored on volumes formatted with the FAT file system.

More Info  To learn more about Backup And Restore, consult the following webpage: http://windows.microsoft.com/en-AU/windows7/Back-up-and-restore-frequently-asked-questions.

Scheduling backups

You need to know how to configure and modify a backup schedule on a computer running Windows 7.

True or False? When you set up a backup using the default settings, a backup occurs once per day.
Answer: False. By default, Windows Backup backs up files weekly on Sunday at 7:00 P.M. With Windows Backup you can configure “set and forget” backups. Backup And Restore is designed so that once you turn it on, it will continue to perform backups according to the schedule you specify. When the assigned storage device fills, older backups are removed to make space for newer backups, so backups occur continuously. If you want to ensure that Backup And Restore does not delete older backup data to make way for new backup data, perform a one-off backup to a separate location.

You can change this schedule by opening the Backup And Restore item in the Control Panel, clicking Change Settings, and navigating through the Set Up Backup Wizard until you reach the Review Your Backup Settings page. Then click Change Schedule. You can choose how often you want to back up: Daily, Weekly, or Monthly. Daily backup is the highest frequency backup option available using Backup And Restore.
■■ If you choose Daily, you need to specify a time starting on the hour. For example, you can choose to have a backup start at 2:00, but not at 2:15.

■■ If you choose Weekly, you need to specify a day of the week and a time starting on the hour.
■■ If you choose Monthly, you need to specify which day of the month from 1 to 31, including the option of Last Day, and an hour to run the backup.

EXAM TIP  Remember that you can’t schedule backups to occur more often than once per day using Backup And Restore in Windows 7.

More Info  To learn more about scheduling backups, consult the following webpage: http://windows.microsoft.com/en-AU/windows7/Back-up-and-restore-frequently-asked-questions.

Can you answer these questions?

You can find the answers to these questions at the end of the chapter.
1. Which problems does startup repair attempt to automatically resolve?
2. You are responsible for managing a number of computers running Windows 7 and you have been performing system image backups to a removable hard disk drive. The primary disk drive on a computer running Windows 7 fails and you replace it. You don’t have access to the Windows 7 installation media. What other method can you use to restore the computer?
3. You are planning a backup strategy for your organization. Your organization uses a standard hardware platform for all personal computers running Windows 7. Backups will be stored on external USB drives. You want to ensure that you can quickly recover a computer running Windows 7, including all its applications, personal files, and system settings, to another computer. What type of backup should you schedule on each computer to accomplish this goal?
4. What is the most frequent schedule you can configure for a system image backup using the Backup And Restore item in the Windows 7 Control Panel?

Objective 8.2: Configure system recovery options

The key to this exam objective is knowing when to use one recovery option instead of another. The main recovery options covered by this objective are system repair, System Restore, driver rollback, restoring a system image backup, and Last Known Good Configuration.

Exam need to know
■■ Configuring system restore points
For example: How to configure Windows 7 restore point settings.

■■ Restore system settings
For example: How to restore system settings without losing user data.
■■ Last Known Good Configuration
For example: How to determine the situations in which to use Last Known Good Configuration.
■■ Complete restore
For example: How to determine when it is necessary to restore from a system image backup.
■■ Driver rollback
For example: How to know when you can roll a device driver back to a previous version.

Configuring system restore points

You need to know how to create a system restore point and allocate space to store restore point data.

True or False? You can manually create system restore points.
Answer: True. With System Restore, you can create a restore point that will return system files and settings to a specific earlier point in time without changing any personal files. Windows 7 automatically creates a restore point every day and also automatically creates a new restore point before you install a program, device driver, or system update. You can’t manually configure a restore point schedule on a computer running Windows 7. You can force the creation of a restore point by clicking the Create button on the System Protection tab of the System Properties dialog box. You can also use the Checkpoint-Computer PowerShell cmdlet from an elevated PowerShell session to force the creation of a restore point.

You can configure the following settings by clicking the Configure button when the System volume is selected on the System Protection tab of the System Properties dialog box:
■■ Restore System Settings And Previous Versions Of Files  System Restore records system settings and file version information each time a restore point is created. This is the default setting.
■■ Only Restore Previous Versions Of Files  When you use this setting, only previous versions of a file’s snapshot are taken automatically.
■■ Turn Off System Protection  When this setting is enabled, restore points are disabled. You can’t restore to a previous restore point.
■■ Max Usage  You can specify the maximum amount of space to store system settings and previous versions of files for System Restore.
■■ Delete  You can delete all existing restore points.

More Info  To learn more about System Restore, consult the following webpage: http://windows.microsoft.com/en-US/windows7/What-is-System-Restore.

Restoring system settings

You need to know how to perform a system restore—restoring a computer’s configuration to a specific previously existing restore point.

True or False? Performing a system restore deletes any user documents created since the restore point was created.
Answer: False. Performing a system restore does not affect personal files, such as user-created documents, photographs, or email messages. Performing a system restore only returns a computer’s system files to an earlier point in time. You can perform a system restore in two ways:
■■ By opening the System Restore utility from within Windows 7, either through the Control Panel or by running the rstrui.exe utility
■■ By accessing the System Restore item on the System Recovery Options menu, which you can access by booting off the Windows 7 installation media or a system repair disc

True or False? You can use System Restore to recover any damaged or deleted file.
Answer: False. You can’t use System Restore to recover damaged or deleted user files. You can only use System Restore to roll back system files and settings to an earlier point in time. When you create a system restore point, it creates a new previous versions of files point; however you don’t access previous versions of files through the System Restore functionality.

EXAM TIP  Remember to be clear about the difference between System Restore and system image recovery.

More Info  To learn more about System Restore, consult the following webpage: http://windows.microsoft.com/en-US/windows-vista/System-Restore-frequently-asked-questions.

Last Known Good Configuration

You need to know when you use this recovery option instead of other system repair or restore options.

True or False? Last Known Good Configuration (LKGC) is updated after a successful logon.
Answer: True. LKGC reverses the most recent system, driver, and registry modifications. You use LKGC if the operating system starts but then fails after the Starting Windows logo is displayed. Windows 7 writes a new LKGC only after the computer successfully starts in Normal mode and a user performs a successful logon. Restarting in LKGC means that system changes made since the last successful logon will be lost. Starting in LKGC does not modify any user files on the computer, so a user doesn’t lose any new documents or changes made to existing documents when restarting using LKGC.

True or False? You can access LKGC after the Starting Windows logo appears.
Answer: False. To access LKGC, follow these steps:
1. Ensure that you remove all bootable media from the computer. Restart or power on the computer and then press F8 after the firmware POST process completes. If the Starting Windows logo appears, you need to restart because you have missed being able to enter LKGC.
2. On the Advanced Boot Options menu, choose Last Known Good Configuration.

If you use LKGC, you lose all configuration modifications that were made since a user last logged on successfully. You have to reapply any changes, such as installing updates or installing drivers. When taking this action, keep in mind the configuration issue that required you to resort to LKGC in the first place.

EXAM TIP  Remember when you should use LKGC as a recovery option. You should use LKGC if you make a change to the computer and the computer displays the Starting Windows logo after restarting, but you can’t perform a successful logon. You should not use LKGC if the computer does not reach the stage of displaying the Starting Windows logo.

More Info  To learn more about LKGC, consult the following webpage: http://windows.microsoft.com/en-US/windows7/Using-Last-Known-Good-Configuration.

Complete restore

You need to know what steps to take to perform a complete restore from a system image backup and when complete restore is appropriate.

True or False? You can perform a complete restore by booting from the Windows 7 installation media.
Answer: True. You can perform a complete restore by booting from the Windows 7 installation media or from a system repair disc. You perform a complete restore by choosing the System Image Recovery option from System Recovery Options. Performing a complete restore means you don’t choose to restore individual items. The entire contents of the volume that you restore to are replaced by the contents of the system image. You can create a system image that includes multiple drives and partitions. You can perform a system image restore only to a volume that is the same size or larger than the volume captured by the system image.

To perform a complete restore, follow these steps:
1. Ensure that you have access to the device that hosts the system image.
2. Boot the computer using either the Windows 7 installation media or a system repair disc.
3. When prompted, specify your regional preferences. Click Next.
4. Click Repair Your Computer.
5. In the System Recovery Options dialog box, choose the Restore Your Computer Using A System Image That Was Created Earlier option. Click Next. If your backup was stored on a DVD, insert the DVD at this point.
6. On the Select A System Image Backup page, you can choose between the most recent image located on the media that hosts the system image or a previous image if you have more than one system image.
7. Choose whether you want to Format And Repartition Disks.
8. Click Next and then click Finish. When the restore completes, the computer restarts.

EXAM TIP  Remember that restoring a system image wipes out everything on the current volume and replaces it with the contents of the system image.

Because system image files are stored in .vhd format, it is possible, with careful preparation, to configure them as disks on virtual machines hosted on computers running Hyper-V. It is even possible, with special configuration, to configure a computer to use the Windows 7 boot to .vhd functionality to boot into a .vhd created through the system image backup process, although this scenario is unlikely to be canvassed in the 70-680 exam.

More Info  To learn more about restoring a system image, consult the following webpage: http://windows.microsoft.com/en-US/windows7/What-is-a-system-image.

Driver rollback

You need to know in which situations you should roll back a driver to a previous version to resolve a configuration problem.

True or False? You can roll back to a previous version of a driver if you have the driver installation files available on removable storage media, and the driver was not installed on the computer previously.
Answer: False. You can use driver rollback to return to a previously installed device driver, which is useful when a device driver causes problems after you have updated it. You can use driver rollback only if a previous version of the device driver was installed on the computer at some time in the past. You perform driver rollback by editing the properties of a device in Device Manager. You learned about driver rollback in Chapter 7, “Monitoring and Maintaining Systems that Run Windows 7.”

EXAM TIP  If your computer doesn’t start because a newly installed device driver won’t let you log on, you can use LKGC to resolve the issue. If you can successfully log on, you have to use driver rollback to resolve the issue.

More Info  To learn more about rolling back a device driver, consult the following webpage: http://technet.microsoft.com/en-us/library/cc732648.aspx.

Can you answer these questions?

You can find the answers to these questions at the end of the chapter.
1. The system files of a computer running Windows 7 appear to be corrupt, and you want to roll back these files to a previous point in time without altering any of the user data stored on the machine. What steps should you take to accomplish this?
2. You update several drivers on a laptop computer running Windows 7 in preparation for rolling these drivers out across your organization’s fleet of laptops running Windows 7. You reboot to complete installation, and the system freezes at the logon screen. Which technology should you use to resolve this issue as quickly as possible?
3. This morning, a malware infection compromised a computer running Windows 7. Despite your best attempts to remove the malware, you don’t know whether the system is clean, and you want to return the computer to a state in which you are sure that all system files and user data are free of the infection. The computer was configured to take daily system image backups. You can lose up to 48 hours of data if you cannot meet this goal. Which system recovery option should you use to accomplish this goal?
4. You update the video driver of your computer running Windows 7. You restart the computer and log on. After a few minutes, you notice several display corruption issues. Which method should you use to resolve this issue?

Objective 8.3: Configure file recovery options

The most common form of recovery that IT professionals have to perform is that of deleted or corrupt files or folders. The frequency of this type of recovery vastly exceeds the frequency of system restore or system image recovery operations. Through previous versions of file functionality, Windows 7 provides users with a simple way of being able to recover recently deleted files and folders without requiring a restoration of files from backup.

Exam need to know
■■ Configuring file restore points
For example: How to create a new restore point.
■■ Restoring damaged or deleted files by using shadow copies
For example: How to restore a deleted file or folder.

■■ Restoring previous versions of files and folders
For example: How to restore a previous version of a file.
■■ Restoring user profiles
For example: How to fix a corrupt user profile.

Configuring file restore points

You need to know how to create restore points and how to allocate disk space to host restore point data.

True or False? You can directly force the creation of a restore point.
Answer: True. Previous versions of files are copies of files and folders as they exist at a particular point in time. Windows 7 creates previous versions of files at the same time that it creates system restore points. By default, Windows 7 does this once per day. Restore points aren’t created according to a configurable schedule, but instead are created in response to specific events. You can force the creation of previous versions of a file’s restore point by clicking the Create button on the System Protection tab of the System Properties dialog box. You can also use the Checkpoint-Computer PowerShell cmdlet from an elevated PowerShell session to force the creation of a restore point. You can use this cmdlet in a Task Scheduler task to automate the creation of checkpoints at specific times of the day.

By default, Windows 7 allocates 5 percent of a volume’s space to storing previous versions of files. You can modify this amount to allow a greater number of previous versions of files to be stored by clicking the Configure button on the System Protection tab of the System Properties dialog box. You can also reconfigure this amount by using the vssadmin.exe command-line utility. A volume can contain a maximum of 512 previous versions of the same file, though the number of previous versions is usually much lower and is dependent on the amount of disk space allocated to previous versions of files. The default is 64 shadow copies. You can change this number by editing the registry.

More Info  To learn more about volume shadow copies, consult the following webpage: http://technet.microsoft.com/en-us/library/ee923636(WS.10).aspx.

Restoring damaged and deleted files by using shadow copies

You need to know how to access the previous versions of files’ functionality to recover files without needing to restore them directly from backup.

True or False? Previous version functionality isn’t enabled by default on computers running Windows 7.
Answer: False. A shadow copy is a copy of a file as it existed at a previous version in time. Previous versions of files are copies of the files as they existed when a restore point is created or a backup is taken. By default, the system volume is configured to host previous versions’ data, although if you store files on volumes other than the default system volume, you might need to enable this functionality. You have to enable this functionality on additional volumes. You can enable it on the System Protection tab of the System Properties dialog box.

Previous versions are not available in the following situations:
■■ The file has not been modified. Previous versions of files are available only for those files that have been altered or deleted.
■■ A restore point or backup has not been made since the file was altered. Although a user might modify a file several times throughout the day, only the version of the file as it exists when the restore point is created is available through previous file versions.
■■ System protection is not enabled for the volume hosting the files. You need to enable system protection on each volume that hosts files if you want to use previous versions of files’ functionality.

True or False? You can recover damaged files using previous versions of files.
Answer: True. You can use Windows 7’s previous versions of the files’ functionality to restore previous copies of files stored on the local file system. You can use this process to recover damaged files without having to recover those files from backup. Users might need to recover several different versions of the same file to find a version that meets their recovery needs. If you are also using backup, you’ll see previous versions of the files that are available through restoring from backup. This works best if you are using locally attached storage or a removable device attached to the computer to store backup files.

You can restore previous versions of files by following these steps:
1. Right-click the file that you want to restore and click Restore Previous Versions.
2. On the Previous Versions tab, you’ll see a list of previous versions of the file.
3. If you choose Restore, the previous version of the file will overwrite the current version of the file. If you choose Copy, you can copy the previous version of the file to an alternate location, which doesn’t overwrite the current version of the file. You can also open the file directly by clicking Open. (This option is not available if the previous version is stored on a backup instead of as a shadow copy.) If you are restoring a version that is contained within a backup, the Restore Files Wizard will be triggered, and you’ll need to make the backup location available. Instead of restoring to the original location, you can copy previous versions of files to an alternate location.

You can control how previous versions of files function through Group Policy settings located in the \Administrative Templates\Windows Components\Windows Explorer\Previous Versions node in both the Computer Configuration and User Configuration areas of a Group Policy object (GPO). These policies are primarily used to restrict users from performing restoration using the previous versions’ functionality. The functionality that you can block through these policies is as follows:

■■ Prevent Restoring Previous Versions From Backups  You can disable the Restore button on the Previous Versions tab for files available through backup.
■■ Prevent Restoring Local Previous Versions  You can disable the Restore button for files available locally.
■■ Prevent Restoring Remote Previous Versions  You can disable the Restore button for files and folders hosted on file shares.
■■ Hide Previous Versions Of Files On Backup Location  You can hide the list of previous versions of files stored on backups.
■■ Hide Previous Versions Lists for Local Files  You can hide the list of previous versions available for local files.
■■ Hide Previous Versions List For Remote Files  You can hide the list of previous versions available for files hosted on file shares.

EXAM TIP  If the hard disk hosting the files fails, all the previous versions of files hosted on that hard disk are also lost. Previous versions of files written to backup are not lost, however.

More Info  To learn more about restoring previous versions of files, consult the following webpage: http://windows.microsoft.com/en-US/windows7/Previous-versions-of-files-frequently-asked-questions.

Restoring previous versions of files and folders

You need to know how to recover previous versions of files and folders that have either been changed or deleted.

True or False? You can restore a previous version of a file or folder that has been deleted.
Answer: True. You can use the Windows 7 previous versions of files’ functionality to restore deleted files and folders just as you can use it to restore undamaged versions of files that have become corrupt. As you learned earlier, previous versions of files are copies of files and folders as they existed when a restore point is created or a backup is taken. Restoring deleted items is a little different from restoring previous versions of files that already exist. To restore a deleted item, right-click the parent folder, which can be the volume if the file or folder is in the volume’s root directory. Then click the Restore Previous Versions item. You can then restore deleted items or folders to their original location or copy them to new locations, just as you would when using the restore previous versions’ functionality normally.

EXAM TIP  Remember that previous versions of files are available only if the file has been modified or deleted.
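The restore point settings described under “Configuring system restore points” and “Configuring file restore points”, as an added example that is not part of the book: it sizes shadow storage with vssadmin.exe, forces a restore point with Checkpoint-Computer, and registers a Task Scheduler task that repeats the checkpoint. The C: volume, the 10 percent cap, the task name and the 12:00 start time are assumptions chosen for illustration.

```powershell
# Added example (not from the book). Run from an elevated PowerShell session on Windows 7.
# Assumed values: protected volume C:, a 10% cap, a hypothetical task name, a 12:00 start time.

$Volume   = 'C:'
$TaskName = 'Daily restore point'   # hypothetical task name

# 1. Show how much space restore points and previous versions may currently use.
vssadmin list shadowstorage /for=$Volume

# 2. Raise the cap from the default 5 percent of the volume to 10 percent.
vssadmin resize shadowstorage /for=$Volume /on=$Volume /maxsize=10%
if ($LASTEXITCODE -ne 0) {
    throw "vssadmin resize shadowstorage failed with exit code $LASTEXITCODE"
}

# 3. Force a restore point now. On protected volumes this also captures
#    previous versions of files.
Checkpoint-Computer -Description 'Manual checkpoint' -RestorePointType MODIFY_SETTINGS

# 4. Confirm that the restore point was recorded by listing the three most recent ones.
$created = @{ Label = 'Created'; Expression = { $_.ConvertToDateTime($_.CreationTime) } }
Get-ComputerRestorePoint |
    Sort-Object -Property SequenceNumber |
    Select-Object -Last 3 -Property SequenceNumber, $created, Description

# 5. Register a Task Scheduler task that runs the cmdlet every day at 12:00 as SYSTEM.
#    The description has no spaces so that the command line needs no nested quotes.
$Command = 'powershell.exe -NoProfile -Command Checkpoint-Computer ' +
           '-Description ScheduledCheckpoint -RestorePointType MODIFY_SETTINGS'
schtasks /Create /TN $TaskName /TR $Command /SC DAILY /ST 12:00 /RU SYSTEM /RL HIGHEST /F
if ($LASTEXITCODE -ne 0) {
    throw "schtasks /Create failed with exit code $LASTEXITCODE"
}

# 6. Review the task that was registered.
schtasks /Query /TN $TaskName /V /FO LIST
```

Raising the cap only makes room for more previous versions; the number actually kept still depends on how much the files on the volume change between restore points.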

Restore user profiles

You need to know how to recover corrupt user profiles.

True or False? All user profile data is stored in the ntuser.dat file.
Answer: False. User profiles are collections of settings, including those for desktop background, sound settings, pointer preferences, and screen savers. User profiles are stored in the following way by Windows 7:
■■ A folder hierarchy under the C:\Users folder stores user-specific startup applications, shortcut links, and desktop icons.
■■ A registry hive stores user-specific desktop settings, application settings, persistent network connections, printer settings, mapped network drives, and so on. The ntuser.dat file, which is stored in the user’s profile folder, is mapped to the HKEY_CURRENT_USER area of the registry when the user logs on.

User profiles are updated when users log off from the computer.

True or False? You copy the ntuser.dat file when repairing a user profile.
Answer: False. Sometimes Windows 7 might not load a profile correctly. Prior to taking extreme action such as creating a new profile, restart the computer and attempt to log on again. If this doesn’t work, you’ll need to repair the user profile by re-creating it. You can repair an existing profile for a computer that is a member of a domain or locally by following these steps to re-create it:
1. Log on to the computer running Windows 7 with a user account that has local Administrator rights. Use this account to create a new user account.
2. Navigate to the \Users folder. On the View tab of the Folder Options dialog box, ensure that the Show Hidden Files, Folders, and Drives option is selected. Clear the Hide Protected Operating System Files check box.
3. Open the folder associated with the old user account that has the corrupted profile. Select all files and folders in this folder, except the following:
■■ Ntuser.dat
■■ Ntuser.log
■■ Ntuser.ini
4. Copy the files from this old user account folder to the folder associated with the newly created user account.
5. You can log on to the computer using the newly created account, which should have the profile data from the original account.
6. If the account is a member of a domain, but you aren’t using a roaming user profile, follow these steps:
a. Log on to the computer locally and copy the files listed in step 3 to a temporary directory.
b. Delete the profile of the domain account.

How can you increase this so that more than 2 weeks’ worth of previous files are available on the computer running Windows 7? Answers This section contains the answers to the “Can you answer these questions?” sections in this chapter. This folder had been stored on his computer for a number of months. You notice that only a week’s worth of previous files are stored on a comput- er running Windows 7. he realized that he wanted to keep one of those files. Several days ago. Use this disc to boot and perform a restore using the existing system image backups. d. More Info To learn more about repairing corrupted user profiles. and the user regularly edited the files it contained. Create a system repair disc using another computer running Windows 7. 4.microsoft. After he deleted the files.1: Configure backup 1. but did not keep any backups. Schedule a system image backup.com/en-US/windows7/fix-a-corrupteduser-profile. Startup repair tries to fix startup problems and replace damaged or missing system files. Which files should you not copy when attempting to create a new profile based on an existing profile? 4. Configuring Backup and Recovery Options  Chapter 8 193 .c. consult the following webpage: http://windows. You can configure a once-per-day schedule for system image backups. Log off and log back in with the account that has local administrator privileges. What PowerShell cmdlet can you use to force the creation of a restore point that can be used with previous versions of files? 3. Log on to the computer again with the domain account to re-create the profile. The user’s computer is running Windows 7 Enterprise Edition in the default configuration. a user of a stand-alone computer running Windows 7 deleted a folder containing several files. 2. This morning. What option could you suggest to the user to restore the files? 2. Objective 8. 1. Copy the files and folders back from the temporary directory to the newly created administrator account. 
which enables you to perform a system re- store on another computer because they have the same hardware platform. 3. he then emptied the Recycle Bin. Can you answer these questions? You can find the answers to these questions at the end of the chapter.

Checkpoint-Computer can be used from an elevated command prompt to force the creation of a restore point to be used with previous versions of files. using LKGC does not work. You should use driver rollback. 194 Chapter 8  Configuring Backup and Recovery Options . 4. 4. Use System Restore to restore system files to an earlier point in time without changing personal files.ini files when attempting to create a new profile based on an existing profile. You should not copy the ntuser.3: Configure file recovery options 1. previous versions of files are created on a regular basis. you can return to the configuration as quickly as possible. When Windows 7 computers are in the default configuration. 3.2: Configure system recovery options 1. You can increase the amount of space allocated on each volume to storing previous files data to increase the retention period for previous files. 2. 3.log. Because you logged on successfully. or ntuser. 2. Perform a system image recovery. depending on the amount of space dedicated to storing previous versions data. ntuser. This process will remove all existing files on the computer and replace them with files that you know are safe. With LKGC.Objective 8. Objective 8. Restart using the installation media or a system repair disc.dat.dat. The user should be able to use previous versions of files to restore the files. It is possible to recover previous versions of files for some time after they were deleted.
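The copy at the heart of the profile re-creation procedure (everything in the old profile folder except the ntuser files) can be scripted. The following is an added example, not code from the book. The function name, its parameters, and the sample paths are assumptions, and the exclusion pattern is widened with a wildcard so that it also catches numbered hive log files such as ntuser.dat.LOG1.

```powershell
#requires -Version 2.0
# Added example, not from the book. Copy-ProfileData, its parameters and the
# sample paths in the usage line at the bottom are assumed names.

function Copy-ProfileData {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$OldProfile,  # folder of the corrupted profile
        [Parameter(Mandatory = $true)][string]$NewProfile,  # folder of the newly created account
        [switch]$ListOnly,            # preview: robocopy /L lists files without copying
        [switch]$CreateRestorePoint   # take a restore point before changing anything
    )

    # The procedure is carried out by an account with local Administrator rights.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell session.'
    }

    foreach ($path in @($OldProfile, $NewProfile)) {
        if (-not (Test-Path -LiteralPath $path -PathType Container)) {
            throw "Profile folder not found: $path"
        }
    }
    $old = (Resolve-Path -LiteralPath $OldProfile).ProviderPath.TrimEnd('\')
    $new = (Resolve-Path -LiteralPath $NewProfile).ProviderPath.TrimEnd('\')
    if ($old -ieq $new) { throw 'Source and destination are the same folder.' }

    # A loaded profile keeps its registry hive and other files locked, so
    # neither the old nor the new account may be logged on during the copy.
    $busy = Get-WmiObject -Class Win32_UserProfile |
        Where-Object { $_.Loaded -and (@($old, $new) -contains $_.LocalPath) }
    if ($busy) {
        $paths = @($busy | ForEach-Object { $_.LocalPath }) -join ', '
        throw "These profiles are still loaded; log the users off first: $paths"
    }

    if ($CreateRestorePoint -and -not $ListOnly) {
        Checkpoint-Computer -Description 'Before profile repair' -RestorePointType MODIFY_SETTINGS
    }

    # Files that must not be copied. 'ntuser.dat*' covers Ntuser.dat and
    # Ntuser.dat.log from the procedure; the wildcard is this example's choice
    # and also matches numbered log files such as ntuser.dat.LOG1.
    $excluded = @('ntuser.dat*', 'ntuser.ini')

    $roboArgs = @($old, $new,
        '/E',         # include subfolders, empty ones too
        '/XJ',        # skip junction points so legacy links are not followed
        '/COPY:DAT',  # data, attributes, timestamps; ACLs and owner are not copied
        '/R:1', '/W:1', '/NP')
    if ($ListOnly) { $roboArgs += '/L' }
    $roboArgs += '/XF'
    $roboArgs += $excluded

    # Show robocopy's report on the console without adding it to the return value.
    & robocopy.exe $roboArgs | Out-Host
    $code = $LASTEXITCODE

    # Robocopy exit codes are a bitmask; 8 or higher means at least one failure.
    New-Object PSObject -Property @{
        Source           = $old
        Destination      = $new
        Excluded         = $excluded
        ListOnly         = [bool]$ListOnly
        RobocopyExitCode = $code
        Succeeded        = ($code -lt 8)
    }
}

# Usage (constructed paths), previewing first and then copying:
#   Copy-ProfileData -OldProfile C:\Users\olduser -NewProfile C:\Users\newuser -ListOnly
#   Copy-ProfileData -OldProfile C:\Users\olduser -NewProfile C:\Users\newuser -CreateRestorePoint
```

Because /COPY:DAT leaves security descriptors behind, the copied files inherit the new profile folder's permissions instead of carrying entries for the old account.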

101 Program Compatibility Assistant.  168 password reset disks.  121 SSL.  continued Bluetooth PAN.exe utility.  113 permissions for copied files.  162 scanstate.  48 RD Gateway.  142 native VHD boot.  118. 18 msinfo32. 44 rolling back. 155 migrating to Windows 7.  70. local.  115.

See WDS (Windows Deployment Services) Windows Easy Transfer.  127 TPM management. 154 Windows 7 Resource Kit (Microsoft Press).  58–59 SSL certificates for. 158 visual effects settings. 88 Windows Mobility Center.  150 websites.  34.  12.  85 authentication exemptions.Windows Vista system images automated image capture for. 16 VHD images. See WSUS Windows SIM (System Image Manager) creating answer files. 150 write caching. See also system image Windows 7 backup and recovery. See Wusa. See performance system repair disc for.  85. 31. See monitoring performance of. See WIM files Windows Memory Diagnostic.exe utility.  9.  88 rules for multiple profiles.  87 WIM files.  136 UAC.  29.  84–90 notifications.exe utility Windows Vista migrating user profiles from.  139 WDS.  110. 155 source of.  13 Windows Deployment Services. See also IE (Internet Explorer) internal.  2–3 installing.  148.  23 system recovery disk.  180–181 updates for. 13.  193 USMT.  180 system restore.  24 deploying. configuring. 93 wireless networks connecting to.  176 Windows XP mode.  169 WSUS.  148–149 hiding.  138 VPN Reconnect.  . See WFAS Windows image files.  11 Windows Easy Transfer. testing for compatibility with IE. See WinPE Windows Remote Management.  149 Windows 7 Upgrade Advisor. configuring. 23.  181 Windows Mobility Center. 87. 42 Windows Update Stand-alone Installer. 88 Windows 7 updates.  153–154 policies for.  165 WFAS (Windows Firewall with Advanced Security).  175 VPN connections.  10–11 207 . 15 user profiles. 9 WFAS.  86 rules for specific profiles. 11.  27 Windows Update blocking from checking for device drivers.  185 TPM backups to Active Directory.  127 transparent caching. 150 Wusa.  87 Windows Firewall with Advanced Security.  150. See backups hardware requirements.  62 Wecutil utility. 82 WPAD.  23 manual image capture of.  49 WinRS.exe capturing. See installing Windows 7 monitoring. 111 upgrading to Windows 7. 50 security zones for.  86–87 rules for specific profiles.  
153 configuring.  35. See WinRM Windows Remote Shell.  86. 15–16 Windows Firewall allowing or blocking applications.  142 VPN protocols.  10.  176 Windows Preinstallation Environment. 108 allowing or blocking applications.  149–150 uninstalling.  84–90. 36 VHDs. See WinRS Windows Server Update Services.  151–153 rolling back. 32 ImageX.  147–156 checking for.  16 Windows Firewall.  88 rules for multiple profiles. 30. xv Windows Anytime Upgrade. reviewing.  80 preferred. 154–155 classifications of.  18 upgrading to Windows 7 from. 154–155 history of.  88–89 notifications.  84 configuring.

  168–169 Write Extended Attributes special permission.  172– 174 208 wireless network connecting client to.exe utility.  165 Winrm utility. restrictions on.  67 wireless adapters.  93.  14–15.  105 write caching.Windows XP Windows XP GPT partitioned disks.  48–49 WinPE disk.  91.  11–13 migrating user profiles from. 94 WinRM (Windows Remote Management).  165 WinRS (Windows Remote Shell). High-Volume deployment.  32– 33 zone rules.exe utility. 15 Wired AutoConfig service. Software Restriction Policies. power settings for. 76 WPAD (Web Proxy Auto Detect).  8 WinPE (Windows Preinstallation Environment) for manual image capture.  149– 150 Wuauclt.  150 W (Write) permission.  79–80 preferred.  23 for offline migration.  149 Write Attributes special permission. 105 Write (W) permission. 93 WINS name resolution.  18 upgrading to Windows Vista from.  70. 74 wipe-and-load migration. NTFS.  68. setting. as bootable media.  18 winrm utility.  154 Wusa. 157 migrating to Windows 7 from.  105 Z Zero-Touch. launching from Start menu.  82 Work (Private) network location.  12 Windows XP mode applications installed in. NTFS.  52– 54 .  105 WSUS (Windows Server Update Services).

About the Author

Orin Thomas, MCITP, MCT, Microsoft MVP, is an author, consultant, and contributing editor at Windows IT Pro magazine. He regularly speaks at events in Australia and around the world including TechED and Microsoft Management Summit, and has authored more than 20 books for Microsoft Press including books on Windows Server, Windows Client, Exchange Server, and SQL Server. His first job was supporting Windows 3.11 clients and he's certified on each Windows client operating system since Windows NT 4 Workstation. Orin founded and runs the Melbourne System Center Users Group. You can follow him on Twitter at http://twitter.com/orinthomas.
