OFFICIAL MICROSOFT LEARNING PRODUCT
20687A
Configuring Windows 8
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein.

© 2012 Microsoft Corporation. All rights reserved.

Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.
MICROSOFT LICENSE TERMS OFFICIAL MICROSOFT LEARNING PRODUCTS MICROSOFT OFFICIAL COURSE Pre-Release and Final Release Versions
These license terms are an agreement between Microsoft Corporation and you. Please read them. They apply to the Licensed Content named above, which includes the media on which you received it, if any. These license terms also apply to any updates, supplements, internet based services and support services for the Licensed Content, unless other terms accompany those items. If so, those terms apply. BY DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM, DO NOT DOWNLOAD OR USE THE LICENSED CONTENT. If you comply with these license terms, you have the rights below.

1. DEFINITIONS.

a. "Authorized Learning Center" means a Microsoft Learning Competency Member, Microsoft IT Academy Program Member, or such other entity as Microsoft may designate from time to time.

b. "Authorized Training Session" means the Microsoft-authorized instructor-led training class using only MOC Courses that are conducted by a MCT at or through an Authorized Learning Center.

c. "Classroom Device" means one (1) dedicated, secure computer that you own or control that meets or exceeds the hardware level specified for the particular MOC Course located at your training facilities or primary business location.

d. "End User" means an individual who is (i) duly enrolled for an Authorized Training Session or Private Training Session, (ii) an employee of a MPN Member, or (iii) a Microsoft full-time employee.

e. "Licensed Content" means the MOC Course and any other content accompanying this agreement. Licensed Content may include (i) Trainer Content, (ii) software, and (iii) associated media.

f. "Microsoft Certified Trainer" or "MCT" means an individual who is (i) engaged to teach a training session to End Users on behalf of an Authorized Learning Center or MPN Member, (ii) currently certified as a Microsoft Certified Trainer under the Microsoft Certification Program, and (iii) holds a Microsoft Certification in the technology that is the subject of the training session.

g. "Microsoft IT Academy Member" means a current, active member of the Microsoft IT Academy Program.

h. "Microsoft Learning Competency Member" means a Microsoft Partner Network Program Member in good standing that currently holds the Learning Competency status.

i. "Microsoft Official Course" or "MOC Course" means the Official Microsoft Learning Product instructor-led courseware that educates IT professionals or developers on Microsoft technologies.

j. "Microsoft Partner Network Member" or "MPN Member" means a silver or gold-level Microsoft Partner Network program member in good standing.

k. "Personal Device" means one (1) device, workstation or other digital electronic device that you personally own or control that meets or exceeds the hardware level specified for the particular MOC Course.

l. "Private Training Session" means the instructor-led training classes provided by MPN Members for corporate customers to teach a predefined learning objective. These classes are not advertised or promoted to the general public and class attendance is restricted to individuals employed by or contracted by the corporate customer.

m. "Trainer Content" means the trainer version of the MOC Course and additional content designated solely for trainers to use to teach a training session using a MOC Course. Trainer Content may include Microsoft PowerPoint presentations, instructor notes, lab setup guide, demonstration guides, beta feedback form and trainer preparation guide for the MOC Course. To clarify, Trainer Content does not include virtual hard disks or virtual machines.

2. INSTALLATION AND USE RIGHTS. The Licensed Content is licensed not sold. The Licensed Content is licensed on a one copy per user basis, such that you must acquire a license for each individual that accesses or uses the Licensed Content.

2.1 Below are four separate sets of installation and use rights. Only one set of rights applies to you.
a. If you are an Authorized Learning Center:

i. If the Licensed Content is in digital format, for each license you acquire you may either:
1. install one (1) copy of the Licensed Content in the form provided to you on a dedicated, secure server located on your premises where the Authorized Training Session is held for access and use by one (1) End User attending the Authorized Training Session, or by one (1) MCT teaching the Authorized Training Session, or
2. install one (1) copy of the Licensed Content in the form provided to you on one (1) Classroom Device for access and use by one (1) End User attending the Authorized Training Session, or by one (1) MCT teaching the Authorized Training Session.

ii. You agree that:
1. you will acquire a license for each End User and MCT that accesses the Licensed Content,
2. each End User and MCT will be presented with a copy of this agreement and each individual will agree that their use of the Licensed Content will be subject to these license terms prior to their accessing the Licensed Content. Each individual will be required to denote their acceptance of the EULA in a manner that is enforceable under local law prior to their accessing the Licensed Content,
3. for all Authorized Training Sessions, you will only use qualified MCTs who hold the applicable competency to teach the particular MOC Course that is the subject of the training session,
4. you will not alter or remove any copyright or other protective notices contained in the Licensed Content,
5. you will remove and irretrievably delete all Licensed Content from all Classroom Devices and servers at the end of the Authorized Training Session,
6. you will only provide access to the Licensed Content to End Users and MCTs,
7. you will only provide access to the Trainer Content to MCTs, and
8. any Licensed Content installed for use during a training session will be done in accordance with the applicable classroom set-up guide.

b. If you are a MPN Member:

i. If the Licensed Content is in digital format, for each license you acquire you may either:
1. install one (1) copy of the Licensed Content in the form provided to you on (A) one (1) Classroom Device, or (B) one (1) dedicated, secure server located at your premises where the training session is held for use by one (1) of your employees attending a training session provided by you, or by one (1) MCT that is teaching the training session, or
2. install one (1) copy of the Licensed Content in the form provided to you on one (1) Classroom Device for use by one (1) End User attending a Private Training Session, or one (1) MCT that is teaching the Private Training Session.

ii. You agree that:
1. you will acquire a license for each End User and MCT that accesses the Licensed Content,
2. each End User and MCT will be presented with a copy of this agreement and each individual will agree that their use of the Licensed Content will be subject to these license terms prior to their accessing the Licensed Content. Each individual will be required to denote their acceptance of the EULA in a manner that is enforceable under local law prior to their accessing the Licensed Content,
3. for all training sessions, you will only use qualified MCTs who hold the applicable competency to teach the particular MOC Course that is the subject of the training session,
4. you will not alter or remove any copyright or other protective notices contained in the Licensed Content,
5. you will remove and irretrievably delete all Licensed Content from all Classroom Devices and servers at the end of each training session,
6. you will only provide access to the Licensed Content to End Users and MCTs,
7. you will only provide access to the Trainer Content to MCTs, and
8. any Licensed Content installed for use during a training session will be done in accordance with the applicable classroom set-up guide.

c. If you are an End User: You may use the Licensed Content solely for your personal training use. If the Licensed Content is in digital format, for each license you acquire you may (i) install one (1) copy of the Licensed Content in the form provided to you on one (1) Personal Device and install another copy on another Personal Device as a backup copy, which may be used only to reinstall the Licensed Content; or (ii) print one (1) copy of the Licensed Content. You may not install or use a copy of the Licensed Content on a device you do not own or control.

d. If you are a MCT:

i. For each license you acquire, you may use the Licensed Content solely to prepare and deliver an Authorized Training Session or Private Training Session. For each license you acquire, you may install and use one (1) copy of the Licensed Content in the form provided to you on one (1) Personal Device and install one (1) additional copy on another Personal Device as a backup copy, which may be used only to reinstall the Licensed Content. You may not install or use a copy of the Licensed Content on a device you do not own or control.

ii. Use of Instructional Components in Trainer Content. You may customize, in accordance with the most recent version of the MCT Agreement, those portions of the Trainer Content that are logically associated with instruction of a training session. If you elect to exercise the foregoing rights, you agree: (a) that any of these customizations will only be used for providing a training session, (b) any customizations will comply with the terms and conditions for Modified Training Sessions and Supplemental Materials in the most recent version of the MCT agreement and with this agreement. For clarity, any use of "customize" refers only to changing the order of slides and content, and/or not using all the slides or content; it does not mean changing or modifying any slide or content.
2.2 Separation of Components. The Licensed Content components are licensed as a single unit and you may not separate the components and install them on different devices.
2.3 Reproduction/Redistribution Licensed Content. Except as expressly provided in the applicable installation and use rights above, you may not reproduce or distribute the Licensed Content or any portion thereof (including any permitted modifications) to any third parties without the express written permission of Microsoft.
2.4 Third Party Programs. The Licensed Content may contain third party programs or services. These license terms will apply to your use of those third party programs or services, unless other terms accompany those programs and services.

2.5 Additional Terms. Some Licensed Content may contain components with additional terms, conditions, and licenses regarding its use. Any non-conflicting terms in those conditions and licenses also apply to that respective component and supplements the terms described in this Agreement.

3. PRE-RELEASE VERSIONS. If the Licensed Content is a pre-release ("beta") version, in addition to the other provisions in this agreement, then these terms also apply:

a. Pre-Release Licensed Content. This Licensed Content is a pre-release version. It may not contain the same information and/or work the way a final version of the Licensed Content will. We may change it for the final version. We also may not release a final version. Microsoft is under no obligation to provide you with any further content, including the final release version of the Licensed Content.
b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly or through its third party designee, you give to Microsoft without charge, the right to use, share and commercialize your feedback in any way and for any purpose. You also give to third parties, without charge, any patent rights needed for their products, technologies and services to use or interface with any specific parts of a Microsoft software, Microsoft product, or service that includes the feedback. You will not give feedback that is subject to a license that requires Microsoft to license its software, technologies, or products to third parties because we include your feedback in them. These rights
c. Term. If you are an Authorized Training Center, MCT or MPN, you agree to cease using all copies of the beta version of the Licensed Content upon (i) the date which Microsoft informs you is the end date for using the beta version, or (ii) sixty (60) days after the commercial release of the Licensed Content, whichever is earliest ("beta term"). Upon expiration or termination of the beta term, you will irretrievably delete and destroy all copies of same in the possession or under your control.

4. INTERNET-BASED SERVICES. Microsoft may provide Internet-based services with the Licensed Content, which may change or be canceled at any time.

a. Consent for Internet-Based Services. The Licensed Content may connect to computer systems over an Internet-based wireless network. In some cases, you will not receive a separate notice when they connect. Using the Licensed Content operates as your consent to the transmission of standard device information (including but not limited to technical information about your device, system and application software, and peripherals) for internet-based services.

b. Misuse of Internet-based Services. You may not use any Internet-based service in any way that could harm it or impair anyone else's use of it. You may not use the service to try to gain unauthorized access to any service, data, account or network by any means.

5. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation, you may use the Licensed Content only as expressly permitted in this agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only allows you to use it in certain ways. Except as expressly permitted in this agreement, you may not:
- install more copies of the Licensed Content on devices than the number of licenses you acquired;
- allow more individuals to access the Licensed Content than the number of licenses you acquired;
- publicly display, or make the Licensed Content available for others to access or use;
- install, sell, publish, transmit, encumber, pledge, lend, copy, adapt, link to, post, rent, lease or lend, make available or distribute the Licensed Content to any third party, except as expressly permitted by this Agreement;
- reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the Licensed Content except and only to the extent that applicable law expressly permits, despite this limitation;
- access or use any Licensed Content for which you are not providing a training session to End Users using the Licensed Content;
- access or use any Licensed Content that you have not been authorized by Microsoft to access and use; or
- transfer the Licensed Content, in whole or in part, or assign this agreement to any third party.
6. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to you in this agreement. The Licensed Content is protected by copyright and other intellectual property laws and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the Licensed Content. You may not remove or obscure any copyright, trademark or patent notices that appear on the Licensed Content or any components thereof, as delivered to you.

7. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the Licensed Content. These laws include restrictions on destinations, End Users and end use. For additional information, see www.microsoft.com/exporting.

8. LIMITATIONS ON SALE, RENTAL, ETC. AND CERTAIN ASSIGNMENTS. You may not sell, rent, lease, lend or sublicense the Licensed Content or any portion thereof, or transfer or assign this agreement.

9. SUPPORT SERVICES. Because the Licensed Content is "as is", we may not provide support services for it.

10. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail to comply with the terms and conditions of this agreement. Upon any termination of this agreement, you agree to immediately stop all use of and to irretrievably delete and destroy all copies of the Licensed Content in your possession or under your control.

11. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed Content. The third party sites are not under the control of Microsoft, and Microsoft is not responsible for the contents of any third party sites, any links contained in third party sites, or any changes or updates to third party sites. Microsoft is not responsible for webcasting or any other form of transmission received from any third party sites. Microsoft is providing these links to third party sites to you only as a convenience, and the inclusion of any link does not imply an endorsement by Microsoft of the third party site.

12. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates and support services are the entire agreement for the Licensed Content.

13. APPLICABLE LAW.

a. United States. If you acquired the Licensed Content in the United States, Washington state law governs the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws principles. The laws of the state where you live govern all other claims, including claims under state consumer protection laws, unfair competition laws, and in tort.

b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that country apply.

14. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. You may also have rights with respect to the party from whom you acquired the Licensed Content. This agreement does not change your rights under the laws of your country if the laws of your country do not permit it to do so.

15. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS," "WITH ALL FAULTS," AND "AS AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT CORPORATION AND ITS RESPECTIVE AFFILIATES GIVE NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS UNDER OR IN RELATION TO THE LICENSED CONTENT. YOU MAY HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, MICROSOFT CORPORATION AND ITS RESPECTIVE AFFILIATES EXCLUDE ANY IMPLIED WARRANTIES OR CONDITIONS, INCLUDING THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.

16. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. TO THE EXTENT NOT PROHIBITED BY LAW, YOU CAN RECOVER FROM MICROSOFT CORPORATION AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO USD$5.00. YOU AGREE NOT TO SEEK TO RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES FROM MICROSOFT CORPORATION AND ITS RESPECTIVE SUPPLIERS.

This limitation applies to
- anything related to the Licensed Content, services made available through the Licensed Content, or content (including code) on third party Internet sites or third-party programs; and
- claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the extent permitted by applicable law.

It also applies even if Microsoft knew or should have known about the possibility of the damages. The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages.
Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this agreement are provided below in French.

Note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this agreement are provided below in French.

DISCLAIMER OF WARRANTY. The Licensed Content covered by a license is offered "as is". Any use of this Licensed Content is at your sole risk and peril. Microsoft gives no other express warranty. You may have additional rights under local consumer protection law, which this agreement cannot change. Where permitted by local law, the implied warranties of merchantability, fitness for a particular purpose and non-infringement are excluded.

LIMITATION OF DAMAGES AND EXCLUSION OF LIABILITY FOR DAMAGES. You may obtain from Microsoft and its suppliers compensation for direct damages only, up to US$5.00. You may not claim any compensation for other damages, including special, indirect or incidental damages and lost profits. This limitation applies to: anything related to the Licensed Content, to services or to content (including code) appearing on third-party Internet sites or in third-party programs; and claims for breach of contract or warranty, or for strict liability, negligence or other fault, to the extent permitted by applicable law.

It also applies even if Microsoft knew or should have known of the possibility of such damage. If your country does not allow the exclusion or limitation of liability for indirect, incidental or other damages, the above limitation or exclusion may not apply to you.

LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. This agreement does not change the rights granted to you by the laws of your country if those laws do not permit it to do so.

Revised December 2011
Acknowledgments
Microsoft Learning would like to acknowledge and thank the following for their contribution towards developing this title. Their effort at various stages in the development has ensured that you have a good classroom experience.
Andrew Warren has more than 25 years of experience in the IT industry, many of which he has spent teaching and writing. He has been involved as the subject matter expert (SME) for many of the Windows Server 2008 courses and the technical lead on a number of other courses. He also has been involved in developing TechNet sessions on Microsoft Exchange Server 2007. Based in the United Kingdom, he runs his own IT training and education consultancy.
David Susemiehl has worked as a consultant, trainer, and courseware developer since 1996. David has extensive experience consulting on Microsoft Systems Management Server and Microsoft System Center Configuration Manager 2007, as well as Active Directory, Exchange Server, and Terminal Server/Citrix deployments. David has developed courseware for Microsoft and Hewlett-Packard, and delivered those courses successfully in Europe, Central America, and across North America. For the last several years, David has been writing courseware for Microsoft Learning, and consulting on infrastructure transitions in Michigan.
Jason Kellington is a Microsoft Certified Trainer (MCT), Microsoft Certified IT Professional (MCITP), and a Microsoft Certified Solutions Expert (MCSE), as well as a consultant, trainer and author. He has experience working with a wide range of Microsoft technologies, focusing on the design and deployment of enterprise network infrastructures. Jason works in several capacities with Microsoft, as a SME for Microsoft Learning courseware titles, a senior technical writer for Microsoft IT Showcase, and an author for Microsoft Press.
Seth Dietz is a Microsoft Certified Technology Specialist (MCTS), Microsoft Certified Solutions Associate (MCSA), and MCITP, and he has more than 15 years of IT experience. He currently works as a Sr. Technical Account Manager with In-Touch Computer Services, Inc. in Charlotte, NC, where he focuses on implementing outsourced IT solutions for small and medium business. Seth has worked as a SME on several development projects for Microsoft certification exams since 2008. His specializations include virtualization, backup and disaster recovery, mobility and wireless, Remote Desktop Services, Microsoft Office 365, network infrastructure, and Microsoft Small Business Server. Seth has been a project-management professional since 2004.
Contents
Module 1: Installing and Deploying Windows 8
Lesson 1: Introducing Windows 8 1-2
Lesson 2: Preparing to Install Windows 8 1-7
Lesson 3: Installing Windows 8 1-14
Lab A: Installing Windows 8 1-18
Lesson 4: Automating the Installation of Windows 8 1-21
Lab B: Performing an Unattended Installation of Windows 8 1-32
Lesson 5: Activating Windows 8 1-35
Module 8 Lab C: Configuring and Testing UAC
Module 9 Lab A: Configuring Internet Explorer Security
Module 9 Lab B: Configuring AppLocker (Optional)
Module 10 Lab A: Optimizing Windows 8 Performance
Module 10 Lab B: Maintaining Windows Updates
Module 11 Lab A: Configuring a Power Plan
Module 11 Lab B: Implementing a VPN
Module 11 Lab C: Implementing Remote Desktop
Module 13 Lab: Recovering Windows 8
This section provides you with a brief description of the course, audience, suggested prerequisites, and course objectives.
Note: This first release (A) MOC version of course 20687A has been developed on prerelease software (Release Preview (RP)). Microsoft Learning will release a B version of this course after the RTM version of the software is available.
This course will provide you with the knowledge and skills to install, manage, secure, and support Windows 8-based computers, devices, user accounts, and network resources. This course will teach you how to configure Windows 8 and troubleshoot various issues related to networking, data management, wireless connectivity and remote access. This course will also provide guidelines, best practices, and considerations that will help you optimize performance and minimize errors and security threats in Windows 8 client computers.
Audience
This course is intended for IT professionals who have prior experience configuring the Windows 8 operating system, troubleshooting issues, and providing user support for Windows 8-based computers and devices. These IT professionals could be consultants, full-time desktop support technicians, or IT generalists who provide support for Windows 8 computers as part of their broader technical duties. IT professionals seeking certification in the 70-687 Windows 8 Configuring exam also may take this course.
Student Prerequisites
This course requires that you meet the following prerequisites:
- Experience managing computers running on the Windows 8 operating system.
- Technical knowledge of networking fundamentals, including TCP/IP, User Datagram Protocol (UDP), and Domain Name System (DNS).
- Familiarity with Active Directory Domain Services (AD DS) principles and the fundamentals of AD DS management.
- Understanding of the Public Key Infrastructure (PKI) components and working knowledge of the fundamentals of Active Directory Certificate Services (AD CS).
- Knowledge of Microsoft Windows Server 2008 or Windows Server 2008 R2 fundamentals.
- Knowledge of Microsoft Windows client fundamentals; for example, working knowledge of Windows XP, Windows Vista, and/or Windows 7.
- Understanding of the fundamentals of management and experience using the Microsoft Office 2010 system or the Microsoft Office 2007 system.
- Knowledge of Windows Automated Installation Kit (WAIK) components including Windows PE, Windows System Image Manager (SIM), Volume Activation Management Tool (VAMT), ImageX, User State Migration Tool (USMT), and Deployment Image Servicing and Management (DISM) concepts and fundamentals.
Course Objectives
After completing this course, students will be able to:
- Plan and perform the installation of Windows 8.
- Install Windows 8 on computers that are running an existing operating system.
- Configure disks, partitions, volumes, and device drivers in a Windows 8 system.
- Configure network connectivity and troubleshoot connectivity issues.
- Install, configure, and maintain wireless network connections.
- Implement Windows 8 technologies to secure network connections.
- Share files and printers.
- Implement tools and technologies that can help secure Windows 8 desktops.
- Configure and control applications in Windows 8.
- Optimize and maintain Windows 8-based computers.
- Configure mobile computer settings and remote access.
- Describe Hyper-V for Windows 8, and describe how to use it to support legacy applications.
- Determine how to recover Windows 8 from various failures.
- Describe how to use Windows PowerShell to manage Windows 8.
Course Outline
This section provides an outline of the course:
Module 1, "Installing Windows 8," describes the key features of Windows 8, and the differences between the various versions. This module also describes how to install and activate Windows 8 on a computer.

Module 2, "Upgrading and Migrating to Windows 8," describes how to install Windows 8 on computers that are running other operating systems. The module describes the processes of upgrading or migrating to Windows 8, and discusses the differences between both.

Module 3, "Managing Disks and Device Drivers," describes how to configure and manage disks, partitions, and volumes in a Windows 8 system. Additionally, this module describes how to install, configure, and troubleshoot device drivers.

Module 4, "Configuring and Troubleshooting Network Connections," compares IPv4 and IPv6 addresses, and describes how to configure both. The module also describes how to implement automatic IP address allocation and name resolution. The module concludes with a lab on troubleshooting network connectivity.

Module 5, "Implementing Wireless Network Connections," provides an overview of wireless networks, and describes how to install, configure, and troubleshoot them.

Module 6, "Implementing Network Security," provides an overview of common network security threats, and how to mitigate them by configuring inbound and outbound firewall rules, connection security rules, Windows Defender, and host-based virus and malware protection.

Module 7, "Configuring File Access and Printers on Windows 8 Clients," describes how to manage file access, and configure NTFS file-system permissions for files and folders. The module also provides an overview of shared folders, file compression, and the impact of moving and copying compressed files and folders. The module then goes on to describe how to create and share printers, and concludes with an overview of Windows Live SkyDrive.

Module 8, "Securing Windows 8 Desktops," describes new authentication and authorization features in Windows 8. The module also describes how to implement local Group Policy objects, secure data with Encrypting File System (EFS) and BitLocker drive encryption, and configure User Account Control (UAC).

Module 9, "Configuring Applications," describes how to install and configure applications, application compatibility, and application restrictions in Windows 8. Additionally, the module describes how to configure and test Windows Internet Explorer security settings, and AppLocker rules that restrict the running of applications.

Module 10, "Optimizing and Maintaining Windows 8 Client Computers," describes how to identify issues with performance and reliability, and use tools such as Resource Monitor, Data Collector Sets, and Performance Monitor. The module also describes how to optimize Windows 8 performance, and manage and maintain Windows updates. Additionally, the module describes how to manage Windows 8 reliability by using Windows diagnostic tools.

Module 11, "Configuring Mobile Computing and Remote Access," describes how to configure mobile computer settings and power plans, and provides an overview of mobile device sync partnerships and power-saving options. The module also describes how to enable and configure virtual private network (VPN) access, create and test a VPN, and configure Remote Desktop and Remote Assistance. The module concludes with an overview of DirectAccess, and how it works for internal and external clients.

Module 12, "Implementing Hyper-V," describes the fundamentals of Hyper-V for Windows 8 and scenarios for using it. The module also describes how to create and configure virtual machines in Hyper-V, and how to manage virtual hard disks (VHDs) and snapshots.

Module 13, "Troubleshooting and Recovering Windows 8," describes how to back up data and use recovery options such as System Restore to recover Windows 8.

Appendix A, "Using Windows PowerShell," describes the fundamentals of Windows PowerShell, and how to use Windows PowerShell cmdlets and remote commands.
Course Materials
The following materials are included with your kit:

Course Handbook. A succinct classroom learning guide that provides all the critical technical information in a crisp, tightly-focused format, which is just right for an effective in-class learning experience.
- Lessons: Guide you through the learning objectives and provide the key points that are critical to the success of the in-class learning experience.
- Labs: Provide a real-world, hands-on platform for you to apply the knowledge and skills learned in the module.
- Module Reviews and Takeaways: Provide improved on-the-job reference material to boost knowledge and skills retention.
- Lab Answer Keys: Provide step-by-step lab solution guidance at your fingertips when it's needed.

Course Companion Content on the http://www.microsoft.com/learning/companionmoc Site. Searchable, easy-to-navigate digital content with integrated premium on-line resources designed to supplement the Course Handbook.
- Modules: Include companion content, such as questions and answers, detailed demo steps, and additional reading links, for each lesson. Additionally, they include Lab Review questions and answers and Module Reviews and Takeaways sections, which contain the review questions and answers, best practices, common issues and troubleshooting tips with answers, and real-world issues and scenarios with answers.
- Resources: Include well-categorized additional resources that give you immediate access to the most up-to-date premium content on TechNet, MSDN, and Microsoft Press.

Student Course files on the http://www.microsoft.com/learning/companionmoc Site. Includes Allfiles.exe, a self-extracting executable file that contains all the files required for the labs and demonstrations.

Course Evaluation
At the end of the course, you will have the opportunity to complete an online evaluation to provide feedback on the course, training facility, and instructor.
To provide additional comments or feedback on the course, send e-mail to support@mscourseware.com. To inquire about the Microsoft Certification Program, send e-mail to mcphelp@microsoft.com.
This section provides the information for setting up the classroom environment to support the business scenario of the course.
In this course, you will use Microsoft Hyper-V to perform the labs.

Important: At the end of each lab, you must close the virtual machine and must not save any changes. To close a virtual machine without saving the changes, perform the following steps:
1. On the virtual machine, on the Action menu, click Close.
2. In the Close dialog box, in the What do you want the virtual machine to do? list, click Turn off and delete changes, and then click OK.

The following table shows the role of each virtual machine used in this course:

Virtual machine     Role
20687A-LON-DC1      Domain controller in the Adatum.com domain
20687A-LON-CL1      Domain member
20687A-LON-CL2      Domain member
20687A-LON-CL3      Domain member
20687A-LON-CL4      Blank with no operating system installed, but linked to the Windows 8 Enterprise client ISO
Software Configuration
The following software is installed on each VM:
- Windows Server 8
- Windows 8 Client (Windows 8 Enterprise)
- Microsoft Office 2010
- On the server, possibly also Windows Automated Installation Kit (AIK)
Classroom Setup
Each classroom computer will have the same virtual machine configured in the same way.
In addition, the instructor computer must be connected to a projection display device that supports SVGA 1024 x 768 pixels, 16-bit colors.
Module 1
Installing and Deploying Windows 8
Contents:
Module Overview 1-1
Lesson 1: Introducing Windows 8 1-2
Lesson 2: Preparing to Install Windows 8 1-7
Lesson 3: Installing Windows 8 1-14
Lab A: Installing Windows 8 1-18
Lesson 4: Automating the Installation of Windows 8 1-21
Lab B: Performing an Unattended Installation of Windows 8 1-32
Lesson 5: Activating Windows 8 1-35
Module Review and Takeaways 1-39
Module Overview
Windows 8 is the latest Microsoft client operating system. With new features and capabilities, it builds on the strong core functionality of Windows 7 to provide a stable and feature-rich client experience across many form factors. This module will introduce you to some new features of Windows 8, provide guidance on installing Windows 8, and introduce you to the Windows 8 licensing environment.
Objectives
After completing this module, you will be able to:
- Describe the different editions of Windows 8.
- Prepare a computer for Windows 8 installation.
- Install Windows 8.
- Automate the installation of Windows 8.
- Explain Windows 8 licensing and activation.
Lesson 1
Introducing Windows 8
Windows 8 is designed to meet a large scope of computing needs, and to enable users to perform tasks efficiently. Windows 8 enables you to take advantage of computing devices from traditional platforms, and the latest tablet and phone platforms. This lesson will introduce you to the key Windows 8 features and the different Windows 8 editions that are available. The lesson also will describe why and when you might select a specific Windows edition.
The design of Windows 8 enables it to support the unique working styles of many different people. The new user interface and app model increase users' productivity, and the design of the new Start screen makes it the central hub of user activity and data integration.
Windows 8 represents Microsoft's most significant change in operating system design since the introduction of the Microsoft Windows 95 operating system. Therefore, Windows 8 contains more than 300 new features. The following section highlights some of the most important features and changes:
- Start screen. The Start screen represents a significant shift in the way users find and interact with applications and information in Windows 8. The Start screen is tile-based, and its configurable tiles can display live information and provide an interactive hub experience for users. With its touch-friendly layout, it is significantly different from the Start button interface that has been implemented in Windows since Windows 95.
- Cloud integration. Windows 8 provides increased integration with cloud-based services and information. Users signing in to a Windows 8 desktop computer can connect instantly to the information and settings that are important to them. Windows 8 ensures a consistent user experience across any computer, regardless of the computer's location.
- Reset and refresh your PC. By using Reset and Refresh, users and IT staff can return a computer to a specific default state, or recover Windows 8 from errors or corrupt operating system files:
  o Reset your PC removes all personal data, apps, and settings from the PC, and reinstalls Windows.
  o Refresh your PC keeps all personal data, desktop-style apps, and other important settings, and reinstalls Windows, retaining the user experience and user data.
- Windows To Go. Windows To Go enables you to supply a fully functioning copy of Windows 8 that can start and run from a universal serial bus (USB) storage device. When users boot from a Windows To Go-enabled USB device, they get a complete Windows 8 experience, along with all of their applications, files, and settings.
- Remote Desktop Services. Windows 8 now includes Remote Desktop Services (RDS) capability, which enables multiple users to connect remotely to the same computing infrastructure, each in an isolated session. You can use Windows 8 in Virtual Desktop Infrastructure (VDI) scenarios to provide robust and universal access to Windows 8 desktops.
- Hyper-V. Hyper-V on Windows 8 provides a flexible and high-performing client virtualization environment. You can take advantage of this environment to test applications and IT scenarios in multiple operating system configurations, by using a single computer. By using Hyper-V, IT departments can provide a consolidated and efficient virtual environment through virtual machine compatibility with Windows Server 2012.
- Support for multiple form factors. Windows 8 is the first Windows operating system to provide support for both the x86 and the ARM platforms. Windows 8 runs on PCs, as well as tablets and similar devices, providing more ubiquitous access to the Windows 8 environment for users.
Windows 8 Editions
Windows 8 comes in three separate editions on the x86 platform:
- Windows 8. This is the most basic edition available. It contains the key features necessary for general home and small-business use.
- Windows 8 Pro. This edition is designed to support the needs of business and technical professionals, and supports a broader set of Windows 8 technologies, including encryption, virtualization, computer management, and domain connectivity.
- Windows 8 Enterprise. This edition supports the full set of Windows 8 functionality, and additionally includes enterprise-level security, mobility, and configuration.
Understanding Windows RT
Windows 8 is the first Windows client operating system that supports the ARM processor architecture that is commonly found in mobile devices such as tablets and phones. Windows RT is designed specifically to run apps built on the Metro platform, and it is available only as a preinstalled operating system on tablets and similar devices with ARM processors. ARM provides a lightweight form factor with excellent battery life, specifically for mobile devices. Windows RT is preloaded with touch-optimized versions of Microsoft Office applications, and is limited to running apps built using the Metro style UI.

Note: Further detail on Windows RT is outside of the scope of this course. It is mentioned here for reference only. Unless otherwise noted, all references to Windows 8 in this course are for the x86 and x64 editions.
- Improved performance. The 64-bit processors can process more data for each clock cycle, enabling you to scale your applications to run faster or support more users. However, to benefit from this improved processor capacity, you must install a 64-bit edition of the operating system.
- Enhanced memory. A 64-bit operating system can make more efficient use of random access memory (RAM), and it can address memory above 4 gigabytes (GB). This is unlike all 32-bit operating systems, including all 32-bit editions of Windows 8, which are limited to 4 GB of addressable memory.
- Improved device support. Although 64-bit processors have been available for some time, in the past it was difficult to obtain third-party drivers for commonly used devices such as printers, scanners, and other common office equipment. Since the release of the 64-bit versions of Windows Vista and Windows 7, the availability of drivers for these devices has improved greatly. Because Windows 8 is built on the same kernel as Windows 7, most of the drivers that work with Windows 7 also work with Windows 8.
- Improved security. The architecture of 64-bit processors enables a more secure operating system environment through Kernel Patch Protection (KPP), mandatory kernel-mode driver signing, and Data Execution Prevention (DEP).
- Support for the Client Hyper-V feature. This feature is only supported in the 64-bit versions of Windows 8. Hyper-V requires a 64-bit processor architecture that supports second level address translation.

In most cases, a computer will run the version of Windows 8 that corresponds to its processor architecture. A computer with a 32-bit processor will run the 32-bit version of Windows 8, and a computer with a 64-bit processor will run the 64-bit version of Windows 8. You can use the following list to determine which version of Windows 8 should be installed on a computer.
- You can install 64-bit versions of Windows 8 only on computers with 64-bit processor architecture.
- You can install 32-bit versions of Windows 8 on computers with 32-bit or 64-bit processor architecture. When you install a 32-bit version of Windows 8 on a 32-bit processor architecture, the operating system does not take advantage of any 64-bit processor architecture features or functionality.
- 32-bit drivers will not work in 64-bit versions of Windows 8. If you have hardware that is supported by 32-bit drivers only, you must use a 32-bit version of Windows 8, regardless of the computer's processor architecture.
- You can install 32-bit versions of Windows 8 on 64-bit architecture computers to support earlier versions of applications or for testing purposes.
The 64-bit editions of Windows 8 do not support the 16-bit Windows on Windows (WOW) environment. If your organization requires earlier versions of 16-bit applications, they will not run natively in Windows 8. One solution is to run the application within a virtual environment by using Client Hyper-V.
Lesson 2
Preparing to Install Windows 8
The first step in installing Windows 8 on a computer is to ensure that the hardware and software being run on the computer will be compatible with Windows 8. As a part of preparing for the Windows 8 installation process, you need to understand minimum hardware requirements, identify problematic devices, drivers, and applications, and understand the installation methods available.
This lesson will introduce you to these concepts, and equip you with information that you need to plan a successful Windows 8 installation.
Lesson Objectives
After completing this lesson, you will be able to:
- Describe minimum recommended hardware requirements for installing Windows 8.
- Explain how to check for device and screen resolution compatibility.
- Understand and identify common application-compatibility issues.
- Identify methods for mitigating application-compatibility issues.
- Describe the options available for installing Windows 8.
The Windows 8 kernel has been refined and improved from Windows 7 and, in many cases, you may see improvements in general performance on the same computer in several different areas.
In addition to the requirements listed in the preceding section, Windows 8 contains several features that require a specific hardware configuration before they will install or run correctly:
- The Windows 8 secured boot process requires a BIOS based on Unified Extensible Firmware Interface (UEFI). The secured boot process takes advantage of UEFI to prevent the launching of unknown or potentially unwanted operating-system boot loaders between the system's BIOS starting and the Windows 8 operating system start. While the secure boot process is not mandatory for Windows 8, it greatly increases the integrity of the boot process.
- Client Hyper-V requires a 64-bit processor architecture that supports second level address translation (SLAT). SLAT reduces the overhead incurred during the virtual-to-physical address mapping process performed for virtual machines.
- The BitLocker feature requires a computer that supports Trusted Platform Module (TPM) to provide the most seamless and secure BitLocker experience. TPM allows the storage of BitLocker encryption keys within a microcontroller on a computer's motherboard.
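The following script is an added example and is not part of the course or of any Microsoft tool. It gathers the feature-specific requirements described above (UEFI Secure Boot, SLAT for Client Hyper-V, a TPM for BitLocker) together with the processor architecture, RAM and operating system version from the preceding sections, and prints warnings where a feature will not be available. Function names are the example's own; Confirm-SecureBootUEFI and Get-Tpm are Windows 8 cmdlets that need an elevated session, and the SecondLevelAddressTranslationExtensions property of Win32_Processor is only populated on Windows 8 and later.

```powershell
# Added example, not part of the course: pre-install readiness report for the
# hardware-dependent Windows 8 features (Secure Boot, Client Hyper-V, BitLocker).
# Run in an elevated Windows PowerShell session on Windows 8 or later.

function Get-Windows8Readiness {
    $os  = Get-WmiObject -Class Win32_OperatingSystem
    $cs  = Get-WmiObject -Class Win32_ComputerSystem
    $cpu = Get-WmiObject -Class Win32_Processor | Select-Object -First 1

    # Secure Boot: $true/$false on UEFI firmware; the cmdlet throws on legacy BIOS,
    # where the secured boot process described above is not available at all.
    try   { $secureBoot = Confirm-SecureBootUEFI }
    catch { $secureBoot = 'Unavailable (legacy BIOS or not supported)' }

    # TPM for BitLocker key storage; Get-Tpm throws when no TPM is present.
    try   { $tpm = Get-Tpm; $tpmState = "Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady)" }
    catch { $tpmState = 'No TPM detected' }

    [PSCustomObject]@{
        OSVersion        = [Environment]::OSVersion.Version      # 6.1 = Windows 7, 6.2 = Windows 8
        OSArchitecture   = $os.OSArchitecture                     # '32-bit' or '64-bit'
        ProcessorBits    = $cpu.AddressWidth                      # 32 or 64
        PhysicalMemoryGB = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
        SecureBoot       = $secureBoot
        SLAT             = $cpu.SecondLevelAddressTranslationExtensions
        TPM              = $tpmState
    }
}

function Get-Windows8ReadinessWarnings {
    param([Parameter(Mandatory)]$Report)
    $warnings = @()
    if ($Report.ProcessorBits -ne 64) {
        $warnings += 'Only 32-bit editions of Windows 8 can be installed on this processor.'
    }
    if ($Report.ProcessorBits -eq 64 -and $Report.OSArchitecture -eq '32-bit') {
        $warnings += 'A 32-bit OS on a 64-bit processor: the 64-bit edition would use the full processor and more than 4 GB of RAM.'
    }
    if ($Report.OSArchitecture -eq '32-bit' -and $Report.PhysicalMemoryGB -gt 4) {
        $warnings += 'A 32-bit edition is limited to 4 GB of addressable memory.'
    }
    if ($Report.SecureBoot -ne $true) {
        $warnings += 'Secure Boot is off or unavailable; the boot path is not protected against unknown boot loaders.'
    }
    if ($Report.SLAT -ne $true) {
        $warnings += 'Processor does not report SLAT; Client Hyper-V will not install.'
    }
    if ($Report.TPM -notlike '*Ready=True*') {
        $warnings += 'No ready TPM; BitLocker cannot store its keys in a TPM on this computer.'
    }
    return $warnings
}

$report = Get-Windows8Readiness
$report | Format-List
Get-Windows8ReadinessWarnings -Report $report
```

The report deliberately distinguishes "Secure Boot off" from "no UEFI at all", because the first is a firmware setting an administrator can turn on, while the second means the hardware cannot provide the protection described above.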
However, there are other devices and computer hardware components that must have drivers loaded as well. Critical system components, such as hard drive controllers, chipsets, graphics adapters, network adapters, and other important system devices, must have drivers to function properly.
The Windows 8 setup process will check the installation computer automatically for device and driver compatibility. However, when an organization is deploying multiple installations of Windows 8 at once, it's best to be sure that the computer hardware for those computers is compatible with Windows 8. Confirming hardware compatibility enables a smoother installation process.
The Compatibility Center for Windows 8 website on Microsoft.com provides information about Windows 8 program and device compatibility. The website contains a catalog of programs and devices, and pertinent compatibility information including:
- Device make and model
- Links to more information about the device
- Compatibility status
- Driver versions available (32-bit or 64-bit)
The Compatibility Center for Windows 8 website also enables community interaction, where users can provide feedback for devices to confirm compatibility.
A new requirement in Windows 8 is that Metro-style applications should have a minimum of 1024x768 screen resolution, and 1366x768 for the snap feature. This enables you to snap a Metro app to the side of the desktop, making it viewable while you use other Metro or traditional apps. If you attempt to launch a Metro style app with less than this required resolution, you will receive an error message. The maximum supported resolution for Windows 8 is 2560x1440, allowing for large format traditional displays, or high-pixel density displays on smaller form-factor devices.

Additional Reading: http://www.microsoft.com/en-us/windows/compatibility/en-US/CompatCenter/Home.

During application setup and installation, an application might try to copy files and shortcuts to folders that existed in a previous Windows operating system, but no longer exist for the new operating system. This can prevent the application from installing properly or even installing at all.
User Account Control (UAC) adds security to Windows by controlling administrator-level access to the computer, and by restricting most users to run as standard users. When users attempt to launch an application that requires administrative permissions, the system prompts them to confirm their intention to do so.
UAC also limits the context in which a process executes, to minimize the ability of users to inadvertently expose their computer to viruses or other malware. This change affects any application installer or update that requires administrator permissions to run, performs unnecessary administrator checks or actions, or attempts to write to a nonvirtualized registry location. However, UAC may result in the following compatibility issues:
- Custom installers, uninstallers, and updaters may not be detected and elevated to run as administrator.
- Standard user applications that require administrative privileges to perform their tasks may fail or might not make this task available to standard users.
- Applications that attempt to perform tasks for which the current user does not have the necessary permissions may fail. How the failure manifests itself depends on how the application was written.
- Control Panel applications that perform administrative tasks and make global changes may not function properly and may fail.
- Dynamic link library (DLL) applications that run using RunDLL32.exe may not function properly if they perform global operations.
- Standard user applications writing to global locations will be redirected to per-user locations through virtualization.
Windows Resource Protection (WRP) protects Windows resources, such as files, folders, and registries, in a read-only state. This affects specific files, folders, and registry keys only. WRP restricts updates to protected resources to the operating system trusted installers, such as Windows Servicing. This enables better protection for the components and applications that ship with the operating system from the impact of other applications and administrators. However, WRP may result in the following compatibility issues:
- Application installers that attempt to replace, modify, or delete operating system files and/or registry keys that WRP protects may fail, with an error message indicating that the resource cannot be updated. This is because access to these resources is denied.
- Applications that attempt to write new registry keys or values to protected registry keys may fail with an error message that indicates that the change failed because access was denied.
- Applications that attempt to write to protected resources may fail if they rely on registry keys or values.
64-Bit Architecture
Windows 8 fully supports the 64-bit architecture. The 64-bit version of Windows 8 can run all 32-bit applications with the help of the WOW64 emulator. Considerations for the 64-Bit Windows 8 include:
- Applications or components that use 16-bit executables, 16-bit installers, or 32-bit kernel drivers will either fail to start or will function improperly on a 64-bit edition of Windows 8.
- Installation of 32-bit kernel drivers will fail on the 64-bit system. If an installer manually adds a driver by editing the registry, the system will not load this driver, and this can cause a system failure.
- Installation of 64-bit unsigned drivers will fail on the 64-bit system. If an installer manually adds a driver by editing the registry, the system will not load the driver during load time if it is not signed.
Windows Filtering Platform (WFP) is an application program interface (API) that enables developers to create code that interacts with the filtering that occurs at several layers in the networking stack and throughout the operating system. If you are using a previous version of this API in your environment, you may experience failures when running security-class applications, such as network scanning, antivirus programs, or firewall applications.
The operating system version number changes with each operating system release. For Windows 7, the internal version number is 6.1, whereas for Windows 8, the internal version number is 6.2. The GetVersion function returns this value when it is queried by an application. This change affects any application or application installer that specifically checks for the operating system version, and might prevent the installation from occurring or the application from running.
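As an added example (not course material and not a Microsoft tool), the following functions check a driver or executable file for the 64-bit issues listed above, and show the version comparison that an installer should perform now that GetVersion returns 6.2. The image type is read from the PE/COFF header, so 16-bit (NE or plain DOS) images, 32-bit x86 images and 64-bit x64 images are told apart without loading them; the machine constants are from the PE/COFF specification. Function names and the driver path at the bottom are the example's own.

```powershell
# Added example, not part of the course: 64-bit compatibility checks for drivers and
# executables, plus a correct minimum-version test.

function Get-ImageArchitecture {
    param([Parameter(Mandatory)][string]$Path)
    $b = [System.IO.File]::ReadAllBytes($Path)
    # Every Windows image starts with the DOS 'MZ' header.
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) { return 'Not a Windows image' }
    $hdr = [BitConverter]::ToInt32($b, 0x3C)             # e_lfanew: offset of the PE or NE header
    if ($hdr -lt 0x40 -or $hdr + 6 -gt $b.Length) { return '16-bit (DOS image)' }
    # 16-bit Windows images carry an 'NE' header where a PE image carries 'PE\0\0'.
    if ($b[$hdr] -eq 0x4E -and $b[$hdr + 1] -eq 0x45) { return '16-bit (NE image)' }
    if ($b[$hdr] -ne 0x50 -or $b[$hdr + 1] -ne 0x45) { return 'Unknown (no PE header)' }
    # IMAGE_FILE_HEADER.Machine follows the 4-byte 'PE\0\0' signature.
    $machine = [BitConverter]::ToUInt16($b, $hdr + 4)
    switch ($machine) {
        0x014C  { '32-bit (x86)' }
        0x8664  { '64-bit (x64)' }
        0x01C4  { 'ARM (Windows RT)' }
        default { 'Unknown machine 0x{0:X4}' -f $machine }
    }
}

function Test-DriverCompatibility {
    # A driver loads on 64-bit Windows 8 only if it is an x64 image with a valid
    # signature. Get-AuthenticodeSignature inspects the embedded signature only, so
    # in-box drivers signed through a catalog report NotSigned here; use this check
    # for third-party drivers that embed their signature.
    param([Parameter(Mandatory)][string]$Path)
    $arch = Get-ImageArchitecture -Path $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    [PSCustomObject]@{
        File            = Split-Path -Path $Path -Leaf
        Architecture    = $arch
        SignatureStatus = $sig.Status                     # Valid, NotSigned, HashMismatch, ...
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        LoadsOn64Bit    = ($arch -eq '64-bit (x64)' -and $sig.Status -eq 'Valid')
    }
}

function Test-MinimumOSVersion {
    # Compare [Version] objects with -ge. An installer that tests for exactly 6.1
    # (Windows 7), or compares version strings, refuses to run on 6.2 (Windows 8).
    param([Version]$Minimum = '6.1',
          [Version]$Actual  = [Environment]::OSVersion.Version)
    return $Actual -ge $Minimum
}

# Usage. The driver path is a placeholder for a vendor driver under review.
Test-DriverCompatibility -Path 'C:\Drivers\Vendor\example.sys'
Test-MinimumOSVersion -Minimum '6.1'                 # True on Windows 8 (6.2)
Test-MinimumOSVersion -Minimum '6.1' -Actual '6.0'   # False: Windows Vista is too old
```

Running Test-DriverCompatibility over a vendor's driver package before a rollout catches the two failure modes the list above describes (a 32-bit image, or an x64 image without a valid signature) while the package is still on a file share rather than after it has been pushed into a driver store.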
Kernel-Mode Drivers
Kernel-mode drivers must support the Windows 8 operating system or be redesigned to follow the User Mode Driver Framework (UMDF). UMDF is a device driver development platform that was introduced in Windows Vista.
Test your web applications and websites for compatibility with new releases and security updates to Windows Internet Explorer.
Mitigating an application compatibility issue typically depends on various factors, such as the type of application and current support for the application.
Mitigation Methods
Some of the more common mitigation methods include the following:
- Modifying the configuration of the existing application. There can be compatibility issues that require a modification to the application configuration, such as moving files to different folders, modifying registry entries, or changing file or folder permissions. You can use tools such as the Compatibility Administrator or the Standard User Analyzer (installed with ACT) to detect and create application fixes (also called shims) to address compatibility issues. Contact the software vendor for information about any additional compatibility solutions.
- Applying updates or service packs to the application. Updates or service packs may be available to address many of the compatibility issues, and they help the application to run with the new operating system environment. After applying the update or service pack, additional application tests can ensure that the compatibility issue has been mitigated.
- Upgrading the application to a compatible version. If a newer, compatible version of the application exists, the best long-term mitigation is to upgrade to the newer version. Using this approach, you must consider both the cost of the upgrade and any potential problems that may arise with having two different versions of the application.
- Modifying the security configuration. If your compatibility issues appear to be permissions-related, a short-term solution is to modify the security configuration of the application. Using this approach, you must conduct a full risk analysis and gain consensus from your organization's security teams regarding the modifications. For example, you can mitigate Internet Explorer Protected Mode by adding the site to the trusted sites list or by turning off Protected Mode, which we do not recommend.
- Running the application in a virtualized environment. If all other methods are unavailable, you may be able to run the application in an earlier version of Windows using virtualization tools such as Hyper-V. Later sections of this course will provide more details about Hyper-V.
- Using application-compatibility features. You can mitigate application issues, such as operating-system versioning, by running the application in compatibility mode. You can access this mode by right-clicking the shortcut or .exe file, and then applying Windows Vista or Windows XP compatibility mode from the Compatibility tab. You also can use the Program Compatibility Wizard to assist in configuring an application's compatibility mode. The Program Compatibility Wizard is in Control Panel, under Programs and Features.
- Selecting another application that performs the same business function. If another compatible application is available, consider switching to the compatible application. When using this approach, you must consider both the cost of the application and the cost of employee support and training.
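The compatibility mode that the Compatibility tab applies is stored per user as a registry value, which makes it easy to audit and to script. The functions below are an added example, not part of the course or of Windows: they read, set and clear that value under HKCU:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers, where Windows stores a string named after the full .exe path containing space-separated layer names such as WINXPSP3, VISTARTM or RUNASADMIN. Function names and the application path at the bottom are the example's own.

```powershell
# Added example, not part of the course: manage the per-user compatibility layers
# written by the Compatibility tab, and flag the one layer that changes the
# application's security context.

$LayersKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'

function Get-CompatibilityLayer {
    param([Parameter(Mandatory)][string]$ExePath)
    if (-not (Test-Path -Path $LayersKey)) { return @() }
    $props = Get-ItemProperty -Path $LayersKey
    $value = $props.PSObject.Properties[$ExePath].Value
    if (-not $value) { return @() }
    # The Compatibility tab on Windows 8 may prefix the list with a '~' token; drop it.
    return @($value -split ' ' | Where-Object { $_ -and $_ -ne '~' })
}

function Set-CompatibilityLayer {
    param([Parameter(Mandatory)][string]$ExePath,
          [Parameter(Mandatory)][string[]]$Layers)
    if (-not (Test-Path -Path $LayersKey)) { New-Item -Path $LayersKey -Force | Out-Null }
    # RUNASADMIN elevates the program on every launch. That is a security
    # configuration change of the kind described above, so it deserves the same
    # risk analysis and sign-off rather than being treated as a compatibility tweak.
    if ($Layers -contains 'RUNASADMIN') {
        Write-Warning "RUNASADMIN will run $ExePath with administrative rights at every launch."
    }
    Set-ItemProperty -Path $LayersKey -Name $ExePath -Value ($Layers -join ' ')
}

function Remove-CompatibilityLayer {
    param([Parameter(Mandatory)][string]$ExePath)
    if (Test-Path -Path $LayersKey) {
        Remove-ItemProperty -Path $LayersKey -Name $ExePath -ErrorAction SilentlyContinue
    }
}

function Get-AllCompatibilityLayers {
    # Audit view: every program the current user has placed in a compatibility mode.
    if (-not (Test-Path -Path $LayersKey)) { return @() }
    (Get-ItemProperty -Path $LayersKey).PSObject.Properties |
        Where-Object { $_.Name -like '*.exe' } |
        ForEach-Object { [PSCustomObject]@{ Program = $_.Name; Layers = $_.Value } }
}

# Usage (placeholder path): run a legacy tool as if on Windows XP SP3, confirm, then clear.
$exe = 'C:\LegacyApps\Inventory\inventory.exe'
Set-CompatibilityLayer -ExePath $exe -Layers 'WINXPSP3'
Get-CompatibilityLayer -ExePath $exe          # WINXPSP3
Get-AllCompatibilityLayers
Remove-CompatibilityLayer -ExePath $exe
```

The same structure exists under HKLM when the Compatibility tab's "Change settings for all users" option is used, so an audit of a shared computer should read both hives. For fleet-wide fixes the shims produced by the Compatibility Administrator remain the managed route; this per-path layer is the quick, local equivalent.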
You also can use an image to perform a clean installation.
- Upgrade installation. Perform an upgrade, which also is known as an in-place upgrade, when you want to replace an existing version of Windows with Windows 8 and you need to retain all user applications, files, and settings.
  To perform an in-place upgrade to Windows 8, run the Windows 8 installation program (setup.exe), and select Upgrade. You can run setup.exe from the product DVD or from a network share. During an in-place upgrade, the Windows 8 installation program retains all user settings, data, hardware device settings, applications, and other configuration information automatically. Always back up all of your important data before performing an upgrade.
- Migration. You perform a migration when you have a computer already running Windows 7, and need to move files and settings from your old operating system (source computer) to the Windows 8-based computer (destination computer). Perform a migration by doing the following:
  o Back up the user's settings and data
  o Perform a clean installation
  o Reinstall the applications
  o Restore the user's settings and data
  There are two migration scenarios: side-by-side, and wipe and load. In side-by-side migration, the source computer and the destination computer are two different computers. In wipe-and-load migration, the target computer and the source computer are the same. To perform a wipe-and-load migration, you perform a clean installation of Windows 8 on a computer that already has an operating system, by running the Windows 8 installation program, and then selecting Custom (advanced).
- Automated installation. You perform an automated installation when you use one of the above methods of installation in combination with an automation tool, to make the installation more seamless, or to remove repetitive tasks from the installation process.
Automated installations can take many forms, including pushing precreated images to computers, using an enterprise-level tool such as the Microsoft Deployment Toolkit (MDT), Windows Deployment Services (WDS) and the Windows Assessment and Deployment Kit, or even by creating an answer file manually to provide information directly to the installation process.
Lesson 3
Although you can perform Windows 8 installation by using a number of different methods, the image-based nature of the installation process and the desired result (a properly functioning Windows 8 computer) remain consistent, regardless of the method. Determining which method to use and how to best implement that method are important parts of the planning process for a Windows 8 installation.
This lesson will help you analyze the reasons behind using certain methods, help you to understand how you can implement those methods, and introduce the Windows To Go method, which is new in Windows 8.
2. If your computer does not currently have an operating system, start the computer by using the product DVD. If your computer already has an operating system, you also can start the computer with the old operating system, and then run the Windows 8 installation from the product DVD on that operating system.
3. Complete the wizard.

Instead of a DVD, you can store the Windows 8 installation files in a network share. Generally, the network source is a shared folder on a file server. Perform the following steps to install Windows 8 from a network share:
1. If your computer does not currently have an operating system, start the computer by using the Windows Preinstallation Environment (Windows PE). You can start Windows PE from bootable media, such as a DVD or a USB flash drive, or from a network PXE boot, by using WDS. If your computer already has an operating system, you can start the computer with the old operating system.
2. Connect to the network share that contains the Windows 8 files.
3. Run the Windows 8 installation program (setup.exe) from the network share.
4. Complete the wizard.
1. Install Windows 8 to a reference computer, and then prepare the reference computer for duplication.
2. Create a WIM image of the reference computer by using ImageX. You can run ImageX from a command prompt or from Windows PE. ImageX captures a volume image to a WIM file. WIM files are not tied to a particular hardware configuration, and you can modify them after capture to add new drivers, patches, or applications.
3. Use one of the following tools to deploy the image:
   - ImageX
   - WDS
   - MDT
Note: You typically use the deployment tools in the preceding list in enterprise environments. Discussion of these tools is outside the scope of this course.
- Internal disks are offline. To ensure that data is not disclosed accidentally, internal hard disks on the host computer are offline by default when the computer is booted into Windows To Go. Similarly, if a Windows To Go drive is inserted into a running system, Windows Explorer will not display the Windows To Go drive.
- TPM is not used. When you use BitLocker Drive Encryption, a pre-operating-system boot password is used for security rather than the TPM. This is because the TPM is tied to a specific computer, and Windows To Go drives will move between computers.
- Windows Recovery Environment is not available. In the rare case that you need to recover your Windows To Go drive, you should reimage it with a fresh image of Windows.
- Push Button Reset is not available. Resetting to the manufacturer's standard for the computer does not really apply when running Windows To Go, so the feature was disabled.
- Creating a Windows To Go USB drive is only possible in Windows 8 Enterprise.
You can boot Windows To Go drives on multiple computers. During the first boot on a computer, Windows To Go will detect all hardware on the computer, and then install drivers. When returning to that computer, Windows To Go will identify the computer, and then load the correct drivers automatically. Users can do this on multiple computers with the same Windows To Go drive, which enables them to roam between computers.
- 32 GB or larger USB drive that you format with the NTFS file system. This drive can be flash memory or an external hard drive.
- A computer that fulfills the minimum hardware requirements for Windows 8.
- Windows 8 Enterprise license for creating the drives.
If the problem persists, go back to step three, and repeat the process.

Question: What potential issues might you encounter when installing Windows?
Objectives
Determine that the target computer meets the requirements of the intended Windows 8 edition. Perform a clean installation of Windows 8. Verify the successful installation.
Lab Setup
Estimated Time: 40 minutes

Virtual Machine(s): 20687A-LON-DC1
User Name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   User name: Adatum\Administrator
   Password: Pa$$w0rd
Requirements Overview

We want to create a test environment for a new application that we are developing. Ideally, we would like to be able to test the application on a number of different operating systems, but we have only been provided one system. We have been told that Windows 8 supports the same virtualization as the servers in our production environment, so maybe we could do it that way?
The computer that we have been given has a quad-core, 2.0 GHz processor and 4 GB of RAM. The processor supports Intel VT; I was told that was important. It also has a 320 GB hard drive and a 512 MB graphics processing unit (GPU). The computer should be prepared for the development team as soon as possible.
The main tasks for this exercise are as follows:
1. Determine whether the customer's computers meet the minimum requirements for Windows 8.
2. Select the appropriate Windows edition to install on LON-CL4.
Task 1: Determine whether the customer's computers meet the minimum requirements for Windows 8
Answer the following questions:
1. Does the customer's computer meet the minimum system requirements for Windows 8 in the following areas:
   a. Processor
   b. RAM
   c. Hard-disk space
   d. GPU
2. Does the customer's computer meet the requirements for the following features:
   a. Hyper-V
Results: After completing this exercise, you will have evaluated the installation environment, and then selected the appropriate Windows edition to install.
After confirming that LON-CL4 meets the requirements for Windows 8 installation, you have been asked to install Windows 8 on the computer. The main tasks for this exercise are as follows:
1. Attach the Windows 8 DVD image file to LON-CL4.
2. Install Windows 8 on LON-CL4.
3. Confirm the successful installation of Windows 8 on LON-CL4.
Results: After this exercise, you should have performed a clean installation of Windows 8.
Lesson 4
The Windows 8 installation process is designed to be as fast and efficient as possible. However, installing Windows 8 on multiple computers can be a time-consuming process if you do it manually on each computer.
To expedite the Windows 8 installation on multiple computers, or to standardize the Windows 8 installation process, Windows 8 is supported by a number of tools that enable automation throughout the installation process. This lesson will introduce you to the various tools and technologies that you can use to manage and automate installation of Windows 8.
Lesson Objectives
After completing this lesson, you will be able to:
- Describe the Windows Imaging (WIM) Format.
- Describe the tools used to perform an image-based installation.
- Understand the image-based installation process.
- Explain how to use answer files to automate the installation process.
- Build an answer file by using Windows System Image Manager (SIM).
- Explain how to build a reference installation by using Sysprep.
- Describe Windows PE.
- Create bootable Windows PE media.
- Explain how to capture and apply installation images by using ImageX.
- Understand how to modify images by using Deployment Image Servicing and Management (DISM).
- WIM Header. Defines the .wim file content, such as the memory location of key resources (metadata resource, lookup table, and XML data) and .wim file attributes (version, size, and compression type).
- File Resource. A series of packages that contain captured data, such as source files.
- Metadata Resource. Stores information on how captured data is organized in the .wim file, including directory structure and file attributes. There is one metadata resource for each image in a .wim file.
- Lookup Table. Contains the memory location of resource files in the .wim file.
- XML Data. Contains additional miscellaneous data about the WIM image, such as directory and file counts, total bytes, creation and modification times, and description information. The ImageX /info command displays information based on this resource.
- Integrity Table. Contains security hash information used to verify the integrity of the image during an apply operation. This is created when you set the /check switch during an ImageX capture operation.
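As an added example (not code from this course or from Microsoft's imaging tools), the following Python script constructs a minimal WIM file consisting only of the header and the XML data resource, then decodes the header fields the list above names (version, compression type, image count, and the locations of the lookup table, XML data and integrity table) and reads the per-image counts and descriptions the way ImageX /info reports them. The field layout and flag bit values are taken from the publicly documented WIM format rather than from this page, and the sample file contents (image names, counts, GUID) are constructed.

```python
import struct
import uuid
import xml.etree.ElementTree as ET

WIM_MAGIC = b"MSWIM\x00\x00\x00"
WIM_HEADER_SIZE = 0xD0  # fixed 208-byte header in the published WIM layout

# Header flag bits from the public WIM format description (constants assumed here, not from the course).
FLAG_HEADER_COMPRESSION = 0x00000002
FLAG_HEADER_COMPRESS_XPRESS = 0x00020000
FLAG_HEADER_COMPRESS_LZX = 0x00040000


def pack_reshdr(packed_size, flags, offset, original_size):
    """24-byte on-disk resource header: 7-byte packed size, 1 flag byte, file offset, original size."""
    return packed_size.to_bytes(7, "little") + bytes([flags]) + struct.pack("<QQ", offset, original_size)


def parse_reshdr(buf, off):
    packed_size = int.from_bytes(buf[off:off + 7], "little")
    offset, original_size = struct.unpack_from("<QQ", buf, off + 8)
    return {"packed_size": packed_size, "flags": buf[off + 7], "offset": offset, "original_size": original_size}


def parse_wim_header(buf):
    """Decode the header fields the lesson lists: version, compression, image count and resource locations."""
    if len(buf) < WIM_HEADER_SIZE or buf[:8] != WIM_MAGIC:
        raise ValueError("not a WIM file (bad magic or truncated header)")
    cb_size, version, flags, chunk_size = struct.unpack_from("<IIII", buf, 8)
    if cb_size != WIM_HEADER_SIZE:
        raise ValueError("unexpected header size 0x%x" % cb_size)
    part_number, total_parts, image_count = struct.unpack_from("<HHI", buf, 40)
    if flags & FLAG_HEADER_COMPRESSION:
        if flags & FLAG_HEADER_COMPRESS_LZX:
            compression = "LZX"
        elif flags & FLAG_HEADER_COMPRESS_XPRESS:
            compression = "XPRESS"
        else:
            compression = "unknown"
    else:
        compression = "none"
    integrity = parse_reshdr(buf, 124)
    return {
        "version": version,
        "compression": compression,
        "chunk_size": chunk_size,
        "guid": str(uuid.UUID(bytes_le=buf[24:40])),
        "part": (part_number, total_parts),
        "image_count": image_count,
        "lookup_table": parse_reshdr(buf, 48),   # offset table locating the file resources
        "xml_data": parse_reshdr(buf, 72),
        "boot_metadata": parse_reshdr(buf, 96),
        "boot_index": struct.unpack_from("<I", buf, 120)[0],
        "integrity": integrity,
        # A zero-length integrity resource means the image was captured without /check,
        # so an apply has no stored hashes to verify the captured data against.
        "has_integrity_table": integrity["original_size"] > 0,
    }


def parse_xml_data(buf, header):
    """Read the XML data resource (UTF-16 with BOM) and summarize each image, as ImageX /info does."""
    res = header["xml_data"]
    raw = buf[res["offset"]:res["offset"] + res["original_size"]]
    root = ET.fromstring(raw.decode("utf-16"))
    return [{
        "index": int(img.get("INDEX")),
        "name": img.findtext("NAME"),
        "description": img.findtext("DESCRIPTION"),
        "dircount": int(img.findtext("DIRCOUNT")),
        "filecount": int(img.findtext("FILECOUNT")),
        "totalbytes": int(img.findtext("TOTALBYTES")),
    } for img in root.findall("IMAGE")]


def build_sample_wim():
    """Constructed sample: header plus an XML data resource, with no file resources and no /check table."""
    xml = ('<WIM><TOTALBYTES>123456</TOTALBYTES>'
           '<IMAGE INDEX="1"><DIRCOUNT>10</DIRCOUNT><FILECOUNT>200</FILECOUNT>'
           '<TOTALBYTES>100000</TOTALBYTES><NAME>Windows 8 Enterprise</NAME>'
           '<DESCRIPTION>Reference image</DESCRIPTION></IMAGE>'
           '<IMAGE INDEX="2"><DIRCOUNT>12</DIRCOUNT><FILECOUNT>230</FILECOUNT>'
           '<TOTALBYTES>123456</TOTALBYTES><NAME>Windows 8 Enterprise with apps</NAME>'
           '<DESCRIPTION>Reference image plus line-of-business apps</DESCRIPTION></IMAGE></WIM>')
    xml_bytes = "\ufeff".encode("utf-16-le") + xml.encode("utf-16-le")
    flags = FLAG_HEADER_COMPRESSION | FLAG_HEADER_COMPRESS_LZX
    hdr = WIM_MAGIC + struct.pack("<IIII", WIM_HEADER_SIZE, 0x00010D00, flags, 0x8000)
    hdr += uuid.UUID("12345678-1234-5678-1234-567812345678").bytes_le     # constructed GUID
    hdr += struct.pack("<HHI", 1, 1, 2)                                    # part 1 of 1, two images
    hdr += pack_reshdr(0, 0, 0, 0)                                         # lookup table (empty here)
    hdr += pack_reshdr(len(xml_bytes), 0, WIM_HEADER_SIZE, len(xml_bytes))  # XML data, stored uncompressed
    hdr += pack_reshdr(0, 0, 0, 0)                                         # boot metadata (nothing bootable)
    hdr += struct.pack("<I", 0)                                            # boot index
    hdr += pack_reshdr(0, 0, 0, 0)                                         # integrity table absent
    hdr += b"\x00" * 60                                                    # reserved
    assert len(hdr) == WIM_HEADER_SIZE
    return hdr + xml_bytes


if __name__ == "__main__":
    sample = build_sample_wim()
    hdr = parse_wim_header(sample)
    print("compression=%s images=%d integrity_table=%s" % (hdr["compression"], hdr["image_count"], hdr["has_integrity_table"]))
    for img in parse_xml_data(sample, hdr):
        print("  [%d] %s: %d dirs, %d files, %d bytes" % (img["index"], img["name"], img["dircount"], img["filecount"], img["totalbytes"]))
```

The check worth carrying into a deployment pipeline is the has_integrity_table field: an image that was captured without /check carries no hashes, so an apply from a distribution share cannot detect a corrupted or altered file resource. Requiring /check at capture time and refusing to deploy images whose integrity resource is empty is a cheap control.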
Benefits of WIM
WIM addresses many challenges experienced with other imaging formats. The benefits of the WIM file format include the following:
- A single WIM file can address many hardware configurations. WIM does not require that the destination hardware match the source hardware. This helps you to reduce the number of images tremendously, and you have the advantage of only having one image to address the many hardware configurations.
- WIM can store multiple images in a single file. This is useful because you can store images with and without core applications in a single image file. Another benefit is that you can mark one of the images as bootable, which allows you to start a machine from a disk image that a WIM file contains.
- WIM enables compression and single instancing. This reduces the size of image files significantly. Single instancing is a technique that enables multiple images to share a single copy of files that are common between the instances.
- WIM enables you to service an image offline. You can add or remove certain operating system elements, files, updates, and drivers without creating a new image. For example, to add an update to a Windows XP image, you must start the master image, add the update, and then prepare the image again. With Windows 8, you can mount the image file, and then slipstream the update into the image file without the need to start or recapture the master image.
- WIM enables you to install an image on a partition that is smaller than, equal to, or larger than the original partition that was captured, as long as the target partition has sufficient space to store the image content. This is unlike sector-based image formats that require you to deploy a disk image to a partition that is the same size or larger than the source disk.
- Windows 8 provides an API for the WIM image format called WIMGAPI that developers can use to work with WIM image files.
- WIM allows for nondestructive image deployment. Nondestructive image deployment means that you can leave data on the volume where you apply the image, because, when the image is applied, it does not delete the disk's existing contents.
- WIM enables you to start Windows PE from a WIM file. The Windows 8 setup process uses Windows PE. The WIM file is loaded into a RAM disk, and run directly from memory.
- Answer File. This is an XML file that stores the answers for a series of GUI dialog boxes. The answer file for Windows Setup is commonly called Unattend.xml. You can create and modify this answer file by using Windows System Image Manager (Windows SIM). The Oobe.xml answer file is used to customize Windows Welcome, which starts after Windows Setup and during the first system startup.
- Catalog. This binary file (.clg) contains the state of the settings and packages in a Windows image. There must be a catalog for each Windows 8 version that the image contains.
- Windows Assessment and Deployment Kit (Windows ADK) is a collection of tools and documentation that you can use to automate the deployment of Windows operating systems, and assess various operating systems. The Windows ADK replaces the Windows Automated Installation Kit for Windows 7. The core tools used in most Windows deployment scenarios include the following:
o Windows SIM. This tool enables you to create unattended installation answer files and distribution shares, or modify the files that a configuration set contains.
o Windows PE. This is a minimal 32-bit or 64-bit operating system with limited services, built on the Windows 8 kernel. Use Windows PE in Windows installation and deployment. Windows PE provides read and write access to Windows file systems and supports a range of hardware drivers, including network connectivity, which makes it useful for troubleshooting and system recovery. You can run Windows PE from CD/DVD, USB flash drive, or a network by using PXE. The Windows ADK includes several tools that you can use to build and configure Windows PE.
o ImageX. This command-line tool captures, modifies, and applies installation images for deployment.
o USMT. This tool enables you to migrate user settings from a previous Windows operating system to Windows 8.
o DISM. This tool enables you to service and manage Windows images. You can use it to apply updates, drivers, and language packs to a Windows image, offline or online.
- System Preparation (Sysprep). Sysprep prepares a Windows image for disk imaging, system testing, or delivery to a customer. You can use Sysprep to remove any system-specific data from a Windows image, such as the security identifier (SID). After removing unique system information from an image, you can capture that Windows image, and then use it for deployment on multiple systems. You also can use Sysprep to configure the Windows operating system to start Windows Welcome the next time that you start the system. Sysprep is available in all installations of Windows.
- Diskpart. This is a command-line tool for hard-disk configuration.
- Windows Deployment Services (WDS). WDS is a server-based deployment solution that enables an administrator to set up new client computers over the network without having to visit each client. WDS is a built-in server role that you can configure for Windows Server 2012.
- VHD. The Microsoft .vhd file format and the new .vhdx file format are publicly available format specifications that specify a VHD encapsulated in a single file, capable of hosting native file systems and supporting standard disk operations. VHD and VHDX files are used by Hyper-V or as part of the Windows 8 boot process.
You use an answer file to configure Windows settings during installation. For example, you can configure the default Internet Explorer settings, networking configurations, and other customizations. Additionally, the answer file contains all of the settings required for an unattended installation. During installation, you will not be prompted with user interface pages. You can use Windows SIM to assist in creating an answer file, although in principle you can use any text editor to create an answer file.
A reference computer has a customized installation of Windows that you plan to duplicate onto one or more destination computers. You can create a reference installation by using the Windows product DVD and an answer file.
You can create a bootable Windows PE disk on a CD/DVD by using the Copype.cmd script. Windows PE enables you to start a computer for the purposes of deployment and recovery. Windows PE starts the computer directly from memory, enabling you to remove the Windows PE media after the computer starts. After you start the computer in Windows PE, you can use the ImageX tool to capture, modify, and apply file-based disk images.
After you have an image of your reference installation, you can deploy the image to the destination computer. You can use the DiskPart tool to format the hard drive and copy the image from the network share. Use ImageX to apply the image to the destination computer. For high-volume deployments, you can store the image of the new installation to your distribution share and deploy the image to destination computers by using deployment tools, such as WDS or MDT.
Use an answer file to customize Windows installations so that the versions of Windows deployed to each destination computer are the same. There are two types of Windows installations: attended and unattended:
- In attended installations, you respond to Windows Setup prompts, selecting options such as the partition to which you want to install and the Windows image to install.
- In unattended installations, which offer many additional options, you automate the process to avoid the installation prompts.

Before beginning your deployment process, identify all of your environment's requirements. Consider the following possible requirements:
- Hard drive partitions
- Support for BitLocker or a recovery solution
- Additional out-of-box drivers
- Support for multilingual configurations
- Other post-installation modifications to Windows, such as installing additional applications
Components C s
The component section of an answer file contains all the component settings that are applied during Windows Setup. Components are organized into different configuration passes: windowsPE, offlineServicing, generalize, specialize, auditSystem, auditUser, and oobeSystem. Each configuration pass represents a different phase of Windows Setup. Settings can be applied during one or more passes. If a setting can be applied in more than one configuration pass, you can choose the pass in which to apply the setting. For more information about configuration passes, see Windows Setup Configuration Passes.
Packages P
Microsoft uses packages to distribute software updates, service packs, and language packs. Packages also can comprise Windows features. You can configure packages so that you add them to a Windows image, remove them from a Windows image, or change the settings for features within a package. You can either enable or disable features in Windows. If you enable a Windows feature, the resources, executable files, and settings for that feature are available to users on the system. If you disable a Windows feature, the package resources are not available, but Windows does not remove the resources from the system. Some Windows features may require that you install other features before you can enable the installed version of Windows. You must validate your answer file, and then add any required packages. For example, you can disable the Windows Media Player feature to prevent end users from running Windows Media Player. However, because you disable the package, Windows does not remove those resources from the Windows image. Windows applies packages in an answer file to the Windows image during the offlineServicing configuration pass. You also can use Package Manager to add packages to an offline Windows image.
While you can create an answer file manually by entering the appropriate XML code into the unattend.xml file, you typically create it by using a component of the Windows ADK called Windows SIM. Answer files that Windows SIM creates are associated with a particular Windows image. This enables you to validate the settings in the answer file against the settings available in the Windows image. However, because you can use any answer file to install any Windows image, if there are settings in the answer file for components that do not exist in the Windows image, Windows ignores those settings.
You can use Windows SIM to create and edit answer files that should be used with Windows Setup. While an answer file may contain only one or two settings, most answer files contain all of the information required to complete the installation without user intervention.
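To see how the configuration passes and components described above fit together in a real Unattend.xml, here is an added example in Python (not part of this course and not Windows SIM's own validation) that reads a constructed answer file, groups its components by pass, rejects pass names outside the seven that Windows Setup defines, and flags the product key and administrator password stored in it. The sample answer file is constructed: the product key is a placeholder, the password reuses the lab value, and the "firstBoot" pass is deliberately invalid so the validation step has something to catch. The element and component names are the standard Unattend.xml ones.

```python
import xml.etree.ElementTree as ET

NS = {"u": "urn:schemas-microsoft-com:unattend"}

# The seven configuration passes the lesson names, in the order Windows Setup runs them.
CONFIGURATION_PASSES = ("windowsPE", "offlineServicing", "generalize", "specialize",
                        "auditSystem", "auditUser", "oobeSystem")

# Constructed sample answer file (not from the course). The product key is a placeholder, the
# password is the lab value, and the "firstBoot" pass is deliberately invalid to exercise validation.
SAMPLE_UNATTEND = """<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="windowsPE">
    <component name="Microsoft-Windows-International-Core-WinPE" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <UILanguage>en-US</UILanguage>
    </component>
    <component name="Microsoft-Windows-Setup" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <UserData>
        <ProductKey><Key>XXXXX-XXXXX-XXXXX-XXXXX-XXXXX</Key></ProductKey>
        <AcceptEula>true</AcceptEula>
      </UserData>
    </component>
  </settings>
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <UserAccounts>
        <AdministratorPassword><Value>Pa$$w0rd</Value><PlainText>true</PlainText></AdministratorPassword>
      </UserAccounts>
      <OOBE><HideEULAPage>true</HideEULAPage></OOBE>
    </component>
  </settings>
  <settings pass="firstBoot">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <ComputerName>LON-CL4</ComputerName>
    </component>
  </settings>
</unattend>
"""


def load_answer_file(text):
    return ET.fromstring(text.encode("utf-8"))


def settings_by_pass(root):
    """Map each configuration pass to the component names it configures, in file order."""
    result = {}
    for settings in root.findall("u:settings", NS):
        names = [c.get("name") for c in settings.findall("u:component", NS)]
        result.setdefault(settings.get("pass"), []).extend(names)
    return result


def unknown_passes(root):
    """Pass names Windows Setup does not define; settings under them would never be applied."""
    return [p for p in settings_by_pass(root) if p not in CONFIGURATION_PASSES]


def find_secrets(root):
    """Flag product keys and account passwords; PlainText=false is base64 encoding, not encryption."""
    hits = []
    for settings in root.findall("u:settings", NS):
        pass_name = settings.get("pass")
        for comp in settings.findall("u:component", NS):
            for pk in comp.iter("{%s}ProductKey" % NS["u"]):
                if pk.findtext("u:Key", default="", namespaces=NS).strip():
                    hits.append((pass_name, comp.get("name"), "ProductKey/Key", "plaintext"))
            for tag in ("AdministratorPassword", "Password"):
                for el in comp.iter("{%s}%s" % (NS["u"], tag)):
                    if not el.findtext("u:Value", default="", namespaces=NS).strip():
                        continue  # empty value: nothing stored
                    plain = el.findtext("u:PlainText", default="", namespaces=NS).strip().lower()
                    state = {"true": "plaintext", "false": "base64-obfuscated"}.get(plain, "PlainText not set")
                    hits.append((pass_name, comp.get("name"), tag, state))
    return hits


if __name__ == "__main__":
    root = load_answer_file(SAMPLE_UNATTEND)
    by_pass = settings_by_pass(root)
    for pass_name in CONFIGURATION_PASSES:
        for name in by_pass.get(pass_name, []):
            print("%-17s %s" % (pass_name, name))
    for bad in unknown_passes(root):
        print("INVALID PASS: %s" % bad)
    for pass_name, comp, what, state in find_secrets(root):
        print("SECRET: %s in %s (%s pass) is %s" % (what, comp, pass_name, state))
```

Windows Setup keeps cached copies of the answer file on the installed system (the Windows\Panther folder is the usual location), so a product key or password left in the file stays readable on every computer it was used on. Running a check like this before an answer file goes onto a distribution share or a lab floppy image, and removing or clearing the secrets from the deployed copies, is the practical mitigation; the PlainText=false form only base64-encodes the value and should be treated the same way.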
Demonstration Steps

Build an answer file by using Windows SIM
1. Use Windows System Image Manager and open a WIM file.
2. Create a new answer file and modify image settings as needed.
3. Save the file to the Desktop as autounattend.xml.
- Configure the Windows operating system to start the Out-of-Box Experience (OOBE).
- Reset Windows product activation.
The following table lists some of the more common command-line options available for Sysprep.

/audit: Restarts the computer in audit mode. Audit mode enables you to add drivers or applications to Windows. You also can test an installation of Windows before you send it to an end user. If you specify an unattended Windows setup file, the audit mode of Windows Setup runs the auditSystem and auditUser configuration passes.

/generalize: Prepares the Windows installation to be imaged. If you specify this option, Windows removes all unique system information from the installation. The SID resets, and Windows clears any system-restore points and deletes event logs. The next time that the computer starts, the specialize configuration pass runs. A new SID is created, and the clock for Windows activation resets, if the clock has not already been reset three times.

/oobe: Restarts the computer in Windows Welcome mode. Windows Welcome enables end users to customize their Windows operating system, create user accounts, name the computer, and other tasks. Any settings in the oobeSystem configuration pass in an answer file are processed immediately before Windows Welcome starts.

/reboot: Restarts the computer. Use this option to audit the computer and to verify that the first-run experience operates correctly.

/shutdown: Shuts down the computer after the Sysprep command finishes running.

/quiet: Runs the Sysprep tool without displaying on-screen confirmation messages. Use this option if you automate the Sysprep tool.

/quit: Closes the Sysprep tool after running the specified commands.

/unattend:answerfile: Applies settings in an answer file to Windows during unattended installation. answerfile specifies the path and file name of the answer file to use.
Windows PE is designed to make large-scale, customized deployments of the new Windows 8 operating system distinctly simpler by addressing the following tasks:
- Installing Windows 8. Windows PE runs every time you install Windows 8. The graphical tools that collect configuration information during the setup phase are running within Windows PE.
- Troubleshooting. Windows PE also is useful for automatic and manual troubleshooting. For example, if Windows 8 fails to start because of a corrupted system file, Windows PE can automatically start and launch the Windows Recovery Environment.
- Recovery. Original Equipment Manufacturers (OEMs) and Independent Software Vendors (ISVs) can use Windows PE to build customized, automated solutions for recovering and rebuilding computers that are running Windows 8.

- Optional support for WMI, Microsoft Data Access Component (MDAC), and HTML Application (HTA).
- Ability to start from a number of media types, including CD, DVD, USB flash drive (UFD), and a Remote Installation Services (RIS) server.
- Windows PE offline sessions are supported.
- Windows PE includes all Hyper-V drivers, except display drivers. This enables Windows PE to run in the hypervisor. Supported features include mass storage, mouse integration, and network adapters.

Question: What are some of the tasks in which you can use Windows PE for troubleshooting?
Using ImageX to Capture and Apply the Installation Image
ImageX is a command-line tool that enables you to capture, modify, and apply file-based WIM images.
ImageX tasks
You can use ImageX to perform the following tasks:
- View the contents of a WIM file. ImageX provides the ability to view the contents of a WIM file. This is useful to see which images are available that you can deploy from within the WIM file.
- Capture and apply images. You can capture an image of a source computer and save it in the WIM file format. You can save the image to a distribution share, from which users can use Windows 8 Setup to install the image, or you can push the image out to the desktop by using various deployment techniques. You also can use ImageX to apply the image to the destination computer.
- Mount images for offline image editing. A common scenario for ImageX is customizing an existing image, including updating files and folders. You can update and edit an offline image without creating a new image for distribution.
- Store multiple images in a single file. You can use ImageX to store multiple images in a single WIM file to take advantage of single instancing, which minimizes the size of the image file. This simplifies a user's ability to deploy multiple images by using removable media or across a slower network connection. When you install Windows 8 by using a file with multiple images, users can select which image to apply. For example, you can have a WIM file that contains several role-based configurations, or images before and after certain updates.
- Compress the image files. ImageX supports two different compression algorithms, Fast and Maximum, to reduce the image size further.
- Implement scripts for image creation. You can use scripting tools to create and edit images.
The following table lists some of the more common command-line options available for ImageX.

flags "EditionID": Specifies the version of Windows that you need to capture. This is required if you plan to redeploy a custom Install.wim with Windows Setup. The quotation marks also are required.

dir: Displays a list of files and folders within a volume image.

info: Returns information about the .wim file. Information includes total file size, the image index number, the directory count, file count, and a description.

capture: Captures a volume image from a drive to a new .wim file. Captured directories include all subfolders and data.

apply: Applies a volume image to a specified drive. Note that you must create all hard disk partitions before beginning this process, and then run this option from Windows PE.

append: Adds a volume image to an existing .wim file. Creates a single instance of the file, comparing it against the resources that already exist in the .wim file, so you do not capture the same file twice.

delete: Removes the specified volume image from a .wim file.

export: Exports a copy of a .wim file to another .wim file.

mount: Mounts a .wim file with read or read/write permission. After you mount the file, you can view and modify all of the information that the directory contains.

unmount: Unmounts a mounted image from a specified directory. If you have modified a mounted image, you must apply the /commit option to save your changes.

split: Splits large .wim files into multiple read-only .wim files.
DISM is a command-line tool that combines separate Windows platform technologies into a single, cohesive tool for servicing Windows images. DISM uses the following technologies:
- Unattended Installation Answer File. When an answer file is applied by using DISM, the updates that are specified in the answer file are implemented on the Windows image or the running operating system. Configure default Windows settings, add drivers, packages, software updates, and other applications by using the settings in an answer file.
- Windows System Image Manager. DISM uses Windows SIM to create the unattended answer files that it uses, and also uses Windows SIM to create distribution shares and modify the files that are in a configuration set.
- ImageX. This is a command-line tool that you can use to mount an image or to apply an image to a drive so that you can modify it by using the DISM command-line utility. After you modify the image, use ImageX to capture the image, append the image to a WIM, or export the image as a separate file. If there is no need to capture, append, or export the image after you modify it, use DISM to mount the image instead of using ImageX.
- OCSetup. OCSetup is a command-line tool that can be used when you are applying updates to an online Windows image. It installs or removes Component-Based Servicing (CBS) packages online by passing packages to DISM for installation or removal. OCSetup can also be used to install Microsoft System Installer (.msi) files by calling the Windows Installer service (MSIExec.exe) and passing Windows Installer components to it for installation or removal. Additionally, you can use OCSetup to install packages that have custom installers, such as .exe files.

Question: How does DISM use ImageX technology?
You have been asked to modify the answer file that is being used for the A. Datum Windows 8 installation process. A. Datum would like to have specific information to be automatically added as part of the setup process on all of their computers: Your task is to modify the answer file accordingly, and use it to test an installation of Windows 8 on LON-CL4.
Objectives
Configure an answer file for the Windows 8 installation process. Use an answer file to install Windows 8.
Lab Setup
Estimated Time: 30 minutes

Virtual Machine(s): 20687A-LON-DC1, 20687A-LON-CL1
User Name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   User name: Adatum\Administrator
   Password: Pa$$w0rd
5.
The main tasks for this exercise are as follows:
1. Mount a virtual floppy drive on LON-CL1.
2. Open the answer file using Windows SIM.
3. Make changes to the answer file.
4. Save the answer file and remove the diskette drive.
In Settings, click the Diskette Drive, and attach the virtual floppy drive named Lab1BEx1.vfd found at C:\Program Files\Microsoft Learning\20687\Drives.
Task 4: Save the answer file and remove the diskette drive
1. Save the answer file to A:\.
2. Open the Settings page for 20687A-LON-CL1 in Hyper-V Manager.
3. Configure the Diskette Drive to None.
Results: After completing this exercise, you should have modified an unattended answer file to use for automating the Windows 8 installation process.
Task 1: Mount the diskette drive and the Windows 8 ISO on LON-CL4
1. In Hyper-V Manager, open the Settings page for 20687A-LON-CL4.
2. In Settings, click the Diskette Drive, and then attach Lab1BEx1.vfd found at C:\Program Files\Microsoft Learning\20687\Drives.
3. In Settings, click the DVD Drive, and then attach the DVD image file found at C:\Program Files\Microsoft Learning\20687\Drives\Windows8.iso.
Task 2: Start the virtual machine and confirm the unattended installation
Start 20687A-LON-CL4 and begin Windows Setup using default settings. During setup, confirm that you are not prompted for a product key.
Results: After completing this exercise, you will have tested installation of Windows 8 by using an answer file.
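The lab performs the Hyper-V steps (attach the virtual floppy, attach the Windows 8 ISO, detach the floppy, start the virtual machine) by clicking through Hyper-V Manager. The following script is an added example, not part of the course lab, that performs the same steps with the Hyper-V PowerShell module. It assumes the host runs Windows Server 2012 or later with that module installed, that the lab files sit at the paths the lab gives, and that the answer file itself is still edited inside LON-CL1 with Windows SIM.

```powershell
# Added example (not from the course): the Hyper-V side of the lab from PowerShell.
# Assumes the Hyper-V PowerShell module (Windows Server 2012 or later) and the lab
# files at the paths the lab states. Run from an elevated prompt on the host.
$Drives = 'C:\Program Files\Microsoft Learning\20687\Drives'
$Vfd    = Join-Path $Drives 'Lab1BEx1.vfd'
$Iso    = Join-Path $Drives 'Windows8.iso'
$Dc     = '20687A-LON-DC1'   # domain controller the lab starts first
$Editor = '20687A-LON-CL1'   # VM on which the answer file is edited with Windows SIM
$Target = '20687A-LON-CL4'   # VM on which the unattended installation is tested

# Fail early if a lab file is missing rather than leaving a VM with an empty drive.
foreach ($p in $Vfd, $Iso) {
    if (-not (Test-Path $p)) { throw "Missing lab file: $p" }
}

# Lab setup: start the domain controller and wait for it to be running.
Start-VM -Name $Dc
while ((Get-VM -Name $Dc).State -ne 'Running') { Start-Sleep -Seconds 5 }

# Exercise 1, task 1: attach the virtual floppy to LON-CL1 so the answer file is on A:\.
Set-VMFloppyDiskDrive -VMName $Editor -Path $Vfd
# ... inside LON-CL1: open, modify and save the answer file to A:\ with Windows SIM ...
# Exercise 1, task 4: detach the diskette (the equivalent of setting Diskette Drive to None).
Set-VMFloppyDiskDrive -VMName $Editor -Path $null

# Exercise 2, task 1: give LON-CL4 the answer file on A:\ and the Windows 8 media on the DVD drive.
Set-VMFloppyDiskDrive -VMName $Target -Path $Vfd
Set-VMDvdDrive -VMName $Target -Path $Iso

# Exercise 2, task 2: start the VM; Setup reads the answer file and should not ask for a product key.
Start-VM -Name $Target

# Show what each VM has mounted, so a floppy left over from a previous run is obvious.
Get-VMFloppyDiskDrive -VMName $Editor, $Target | Select-Object VMName, Path
Get-VMDvdDrive -VMName $Target | Select-Object VMName, Path
```

The listing at the end is worth keeping: an answer file left attached to the wrong VM is the usual reason a later "interactive" installation unexpectedly runs unattended.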
Lesson 5
Beyond a single interactive installation, Windows activation is an important consideration for IT professionals. You can manage and maintain the activation of multiple copies of Windows by using a set of tools and technologies designed to manage Windows activation and licensing.
This lesson will introduce you to Windows activation, the key methods available, and some common issues and troubleshooting tips for dealing with Windows activation.
Lesson Objectives
After completing this lesson, you will be able to:
Describe Microsoft Volume Activation.
Explain the Key Management Service.
Understand common issues and troubleshooting tips for Windows activation.
Volume Activation provides two main types of models that you can use in enterprise environments, and you can use any or all of these models, depending upon your organization's needs and network infrastructure:
MAK activation uses product keys that can activate a specific number of computers. If you do not control the use of volume-licensed media, excessive activations result in depletion of the activation pool. You cannot use MAKs to install Windows 8, but rather to activate it after installation. You can use MAKs to activate any Windows 8 volume licensed edition.
The Key Management Service (KMS) model allows organizations to perform local activations for computers in a managed environment without connecting to Microsoft individually. By default, Windows 8 volume editions connect to a system that hosts the KMS service, which in turn requests activation. KMS usage is targeted for managed environments where more than 25 physical and/or virtual computers connect consistently to the organization's network, or where there are five servers.
The Volume Activation Management Tool (VAMT), included with the Windows ADK, is the application that you can use to perform MAK Proxy Activation requests. You can use the VAMT to manage and specify a group of computers to be activated based upon the following: Active Directory Domain Services (AD DS)
The VAMT receives activation confirmation codes, and then re-distributes them back to the systems that requested activation. A MAK performs a one-time activation of computers with Microsoft. Once you activate the computers, they require no further communication with Microsoft. The number of computers that you can activate with a specific MAK is based on the type and level of the organization's volume license agreement with Microsoft. VAMT version 2.0 enables the following functionality:
MAK Independent Activation. Each computer individually connects and activates with Microsoft, either online or through telephone.
MAK Proxy Activation. Activation of multiple computers with one online connection to Microsoft.
Activation Status. Ability to determine the activation status of Vista, Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 computers.
Remaining MAK activations. The current remaining activations associated with a MAK key.
XML Import/Export. Allows for exporting and importing of data in a well-formed XML format to enable activation of systems in disconnected environment scenarios.
Local reactivation. Enables reactivation of computers based on saved activation data stored in the VAMT XML computer information list.
Configure for KMS activation. Convert MAK activated volume editions of Vista, Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 to KMS activation.
To enable KMS functionality, a KMS key is installed on the KMS host, which then is activated by using an online web service at Microsoft. Start the command window on the host computer by using elevated privileges, and then run the following command:
cscript C:\windows\system32\slmgr.vbs -ipk <KmsKey>
You can then activate the KMS host by using either online or telephone activation.
During installation, a KMS host automatically attempts to publish its existence in Service Location (SRV) resource records within Domain Name System (DNS). This provides the ability for both domain members and stand-alone computers to activate against the KMS infrastructure. Client computers locate the KMS host dynamically by using the SRV records found in the DNS, or connection information that the registry specifies. The client computers then use information obtained from the KMS host to self-activate.
Client computers must renew their activation by connecting to the KMS host at least once every 180 days to stay activated. After activation, the client computers attempt to renew their activation every seven days. After each successful connection, the expiration is extended to the full 180 days.
Client computers connect to the KMS host for activation by using anonymous remote procedure call (RPC) over TCP/IP, and by using default port 1688. You can configure this port. The connection is anonymous, enabling workgroup computers to communicate with the KMS host. You may need to configure the firewall and the router network to pass communications for the TCP port that you want to use.
A KMS host and KMS clients must use volume license media.
If your computer will not activate over the Internet, ensure that an Internet connection is available. You may also need to set a proxy configuration from your browser. If the computer cannot connect to the Internet, try telephone activation.
If Internet and telephone activation both fail, you will need to contact the Microsoft Activation Call Center.
Verify the activation status. You can verify activation status by looking for the "Windows is activated" message in the Windows 8 Welcome Center. You can also run the slmgr.vbs -dli command.
Ensure that the KMS SRV record is present in DNS, and that DNS does not restrict dynamic updates. If DNS restrictions are intentional, you will have to provide the KMS host write access to the DNS database, or manually create the SRV records. Ensure that your routers do not block TCP port 1688.
If your computer will not activate, verify that the KMS host is contacted by the minimum number of clients required for activation. Until the KMS host has a count of 25, Windows 8 clients will not activate. Display the client Windows Application event log for event numbers 12288, 12289, and 12290 for possible troubleshooting information.
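The troubleshooting tips above (SRV record in DNS, TCP port 1688 open end to end, activation status from slmgr.vbs, and the Software Protection events) are checks a client-side script can run in one pass. The following is an added example, not part of the course, that does that. It assumes Windows 8 or Windows Server 2012 (for Resolve-DnsName and Test-NetConnection), an elevated prompt, and that the KMS host publishes the standard _vlmcs._tcp SRV record in the client's AD DNS domain; the domain name is taken from the environment and can be overridden.

```powershell
# Added example (not from the course): client-side KMS activation checks.
# Assumes Windows 8 / Server 2012 (DnsClient and NetTCPIP modules) and an
# elevated prompt. $Domain defaults to the client's AD DNS domain (assumption).
param(
    [string]$Domain = $env:USERDNSDOMAIN,
    [int]$DefaultPort = 1688          # default KMS TCP port from the lesson
)

$slmgr = Join-Path $env:SystemRoot 'System32\slmgr.vbs'

# 1. Locate the KMS host through the SRV record the host publishes in DNS.
#    No record usually means dynamic updates are blocked on the DNS zone.
$srv = Resolve-DnsName -Name "_vlmcs._tcp.$Domain" -Type SRV -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq 'SRV' }
if (-not $srv) {
    Write-Warning "No _vlmcs._tcp SRV record for $Domain. Allow the KMS host to update DNS or create the record manually."
} else {
    foreach ($rec in $srv) {
        # 2. Confirm that firewalls and routers pass the KMS TCP port (1688 unless changed).
        $port = if ($rec.Port) { $rec.Port } else { $DefaultPort }
        $tcp  = Test-NetConnection -ComputerName $rec.NameTarget -Port $port -WarningAction SilentlyContinue
        "KMS host $($rec.NameTarget): TCP $port reachable = $($tcp.TcpTestSucceeded)"
    }
}

# 3. Activation status and expiry; /dli is the same command the lesson gives,
#    /xpr shows when the current 180-day activation lapses if renewal keeps failing.
cscript //nologo $slmgr /dli
cscript //nologo $slmgr /xpr

# 4. Software Protection events listed in the lesson: 12288 (request sent to the host)
#    and 12289 (response received) show whether a host was reached and what it replied.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 12288, 12289, 12290 } `
             -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List

# 5. Trigger an activation attempt now instead of waiting for the seven-day retry.
cscript //nologo $slmgr /ato
```

A 12289 event whose message reports a client count below 25 confirms the last tip in the list: the host is reachable and answering, but the activation threshold has not yet been met, so no client will activate until enough distinct clients have contacted it.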
Tools
Tool | Use to | Where to find it
Application Compatibility Toolkit | Check application compatibility for Windows 8 |
Windows ADK | Assess and deploy Windows |
Windows SIM | Create and edit answer files |
ImageX | Create, modify, and apply WIM-based image files |
USMT | Migrate user settings |
DISM | Service WIM-based image files |
VAMT | Manage volume Windows activation |
Module 2
Upgrading and Migrating to Windows 8
Contents:
Module Overview 2-1
Lesson 1: Upgrading to Windows 8 2-2
Lesson 2: Migrating to Windows 8 2-7
Lesson 3: Migrating User Data and Settings 2-11
Lab: Migrating to Windows 8 2-18
Module Review and Takeaways 2-20
Module Overview
Deciding whether you want to upgrade or migrate from a previous version of the Windows operating system, and how to perform an upgrade or migration, often can be a complicated process. A large number of parameters can contribute to the upgrade decision. However, at the end of the process, the goal is always the same. You want to have your computer running the latest operating system, while retaining settings or data that existed in Windows prior to installing Windows 8.
This module examines the upgrade process, identifies different methods that you can use for upgrading and migrating your operating system, and introduces you to the tools and processes that you can use to perform an upgrade or migration.
Objectives
After completing this module, you will be able to:
Describe the options and processes for upgrading to Windows 8.
Describe the options and processes for migrating to Windows 8.
Identify the important settings and data to migrate, and explain how to migrate them.
Lesson 1
When you perform a clean installation of Windows 8, the installation process does not transfer user settings from the previous operating system. If a previous Windows installation or other data exists on the computer's hard disk, it is usually backed up and erased prior to a clean installation. If you need to retain user settings, consider performing an upgrade or a migration to Windows 8 instead.
Depending on the version of your current operating system, you may not be able to upgrade directly to Windows 8. If your current operating system does not support direct upgrade to Windows 8, you must consider performing a clean installation and migrating user settings and data by using migration tools.
Does not take advantage of the opportunity to start fresh with standardized reference configurations.
Preserved applications may not work correctly after upgrading from an earlier Windows version.
Remnant files or settings from an in-place upgrade may contribute to performance and security issues.
Does not allow for edition changes.
Can be done only on supported operating systems.
When you run an in-place upgrade, Windows 8 Setup automatically detects existing operating systems and their potential for upgrade. Depending on the version of the operating system, you may see any of the following options for retaining data from the previous Windows version:
Windows settings. Windows settings, such as your desktop background, or Internet favorites and history, will be kept. Windows does not move all settings.
Personal files. Anything that you save in the User folder is considered a personal file, such as the Documents and Desktop folders.
Apps. Some apps are compatible with Windows 8, and they will operate properly when you install Windows 8. However, you may have to reinstall some apps after Windows 8 finishes installing, so be sure to find the installation discs and installers for apps that you want to keep.
Nothing. Deletes everything and replaces your current version with a copy of Windows 8. Your personal files will be moved to a windows.old folder.
The following considerations may be critical in determining whether you choose an in-place upgrade:
Amount of interaction. An in-place upgrade does not require significant user interaction. You can use the answer file to minimize user interaction and effort when performing an in-place deployment.
State of user data. An in-place upgrade does not require reinstallation of applications, or any of the user settings, data, hardware device settings, or other configuration information. However, you might have to reinstall some applications after you perform the upgrade.
You cannot upgrade previous Windows versions that do not have the same feature set as the edition of Windows 8 that you are installing. The following table lists upgrade possibilities based on Windows edition.
Windows Version | Windows 8 | Windows 8 Pro
Windows 7 Starter, Home Basic, Home Premium | X | X
Windows 7 Professional, Ultimate | | X
Even though an upgrade path is supported, it does not necessarily mean that you should perform an upgrade installation by following that path. You should evaluate considerations for both in-place upgrades and migrations.
Evaluate
Before starting the upgrade, you must evaluate whether your computer meets the requirements needed to run Windows 8. You should consider using the Application Compatibility Toolkit (ACT) and Microsoft Assessment and Planning (MAP) to assess your organization's readiness if you are upgrading more than one computer. You also must determine whether any installed application programs will have compatibility problems while running on Windows 8. The Windows Assessment and Deployment Kit (ADK) for Windows 8 provides several tools that can assist with evaluating potential compatibility problems.
Back Up
To protect against data loss during the upgrade process, back up any data and personal settings before starting the upgrade. You can back up data to any appropriate media, such as tape, removable storage, writable CD or DVD disc media, or a network shared folder.
Upgrade
After evaluating your computer requirements, and backing up your data and personal settings, you are ready to perform the actual upgrade. To perform the upgrade, run the Windows 8 installation program (setup.exe) from the product DVD or a network share. If your computer supports an in-place upgrade to Windows 8, you can select Upgrade during the installation process. The installation program prevents you from selecting the upgrade option if an in-place upgrade is not possible. This might occur for several reasons, such as your computer may lack sufficient disk space or the Windows version that you are running does not support a direct upgrade to the Windows 8 edition that you select. If that is the case, stop the upgrade process, and resolve the indicated problem before attempting the upgrade again.
Note: We recommend that you disable antivirus programs before attempting an upgrade.
Verify
When the upgrade completes, log on to your computer, and verify that all of the applications and hardware devices function correctly. If the Windows 8 Setup Compatibility Report makes any recommendations relating to program compatibility or devices, follow those recommendations to complete the upgrade process.
Update
Finally, determine whether there are any relevant updates to the Windows 8 operating system, and apply them to your computer. It is important to keep the operating system up to date to protect against security threats. You also can check for updates during the upgrade process. Dynamic Update is a feature of Windows 8 Setup that works with Windows Update to download any critical fixes and drivers that the setup process requires.
Lesson 2
When you choose to migrate to Windows 8, you have more flexibility in determining how the migration process happens and what data needs to be retained. Migration offers an alternative to in-place upgrades that can often meet the requirements of more complex or large-scale upgrades.
This lesson will introduce you to migration in Windows 8, and help you to understand the migration process.
Lesson Objectives
After completing this lesson, you will be able to:
Explain migration in Windows 8.
Describe the process for migrating to Windows 8.
What Is Migration?
When you install Windows 8 using a migration scenario, you must first perform a clean installation of Windows 8, followed by migration of user settings and data from the earlier Windows version to Windows 8. Depending on your business environment, you can use two migration scenarios: side-by-side migration and in-place migration.
In an in-place migration scenario, also known as a refresh computer scenario, the source computer and the destination computer are the same computer, whereas in a side-by-side migration, the source computer and the destination computer are two different computers. Both migration scenarios require a clean installation of Windows 8. When you migrate previous configurations from your old operating system, you basically are moving files and settings to a clean installation of the Windows 8 operating system.
In any potential upgrade scenario, there may be certain variables that favor a migration. However, there also are disadvantages.
Advantages
Offers the opportunity to clean up existing workstations and to create more stable and secure desktop environments. It takes advantage of the opportunity for a fresh start, a significant advantage when creating a managed environment.
Avoids the performance degradation issues associated with the in-place upgrade scenario, because there are no remnant files and settings.
Disadvantages
Requires the use of migration tools, such as Windows Easy Transfer or User State Migration Tool (USMT), to save and restore user settings and data.
Requires reinstallation of applications.
Requires storage space for user settings and files to be migrated.
May have an impact on user productivity because of the reconfiguration of applications and settings.
Advantages
Allows for installation of any edition without concern for what edition was running previously on the workstations.
Provides the opportunity to reconfigure hardware-level settings, such as disk partitioning, before installation.
Exploits, such as viruses, spyware, and other malicious software, do not migrate to the new installation of Windows, and security settings can be hardened by using Group Policy and Security Templates.
3. Perform a clean installation of Windows 8. Run setup.exe, the Windows 8 installation program, and select Custom. The Custom option allows you to install Windows 8 on a partition that already has an operating system, such as earlier Windows versions. After the installation is done, the earlier Windows version is placed in a folder called Windows.old, along with the previous Program Files and Documents and Settings folders. Run setup.exe from the product DVD or from a network share. Alternatively, you can choose to format the partition by using a disk-management tool, such as Diskpart.exe, before performing a clean installation.
4. Reinstall applications. Before restoring your user settings and files, reinstall all applications so that migration will also restore application settings.
5. Restore user settings and data. You can use the same tool to restore user settings and data that you used to save them in Step 2. In addition, you can automate the migration process so that users do not have to interact with it.
Migration Scenarios
Perform a migration when you:
Want a standardized environment for all users running Windows. A migration takes advantage of a clean installation. A clean installation ensures that all of your systems begin with the same configuration, and that all applications, files, and settings are reset. Migration ensures that you can retain user settings and data.
Have storage space to store the user state. Typically, you will need storage space to store the user state when performing migration. USMT introduces hard-link migration, in which you do not need extra storage space. This is only applicable to wipe-and-load migration.
Plan to replace existing computer hardware. If you do not plan to replace the existing computers, you can still perform a migration by doing a wipe-and-load migration.
Question: You have a user who wants to upgrade a Windows XP computer to Windows 8. The computer meets all of the hardware requirements for Windows 8, and the user wants to retain all of the existing user settings and use the same applications. The user has no time-related requirements, and can be without the computer while you install Windows 8. How should you perform the Windows 8 installation?
Question: One of your users has been promoted to a new position, and the user has been given a new computer. The user would like to have the new applications that the job requires installed, as well as the documents and settings from the old Windows 7 computer transferred to the new computer. How should you perform the Windows 8 installation?
Back Up
Before installing the new operating system, you must back up all user-related settings and program settings. You can use either WET or the USMT. Additionally, you should consider backing up the user data. Although the installation program will not erase user data, it is good practice to back up your data to protect against accidental loss or damage during installation.
Run the Windows 8 installation program (setup.exe) from the product DVD or a network share, and perform a clean installation by selecting Custom (advanced) during the installation process. Then follow the on-screen instructions to complete the installation.
Update
If you chose not to check for updates during the installation process, it is important to do so after verifying the installation. Keep your computer protected by ensuring that you have the most current patches and updates.
Install Applications
Performing an upgrade by using a clean installation and migration process does not migrate the installed applications. When you complete the Windows 8 installation, you must reinstall all applications. Windows 8 may block the installation of any incompatible programs. To install any of these programs, contact the software vendor for an updated version that is compatible with Windows 8.
Restore
After installing your applications, use WET or USMT to migrate your application settings and user-related settings.
Lesson 3
While the in-place upgrade process generally is self-contained in Windows Setup, migration is not. Migration scenarios require toolsets that enable you to capture the necessary information for migration, and ensure that the information moves successfully to the new Windows installation.
This lesson will further explain the migration process, and give you an understanding of the tools that you need to perform a migration installation of Windows 8 successfully.
Lesson Objectives
After completing this lesson, you will be able to:
Identify the tools for migrating user data and settings.
Describe how to migrate user settings by using WET.
Describe how to migrate user settings by using the USMT.
Explain folder redirection.
Application settings. You must determine and locate the application settings that you want to migrate. You can acquire this information when you are testing the new applications for compatibility with the new operating system.
Operating-system settings. Operating-system settings may include appearance, mouse actions such as click or double-click, keyboard settings, Internet settings, email-account settings, dial-up connections, accessibility settings, and fonts.
File types, files, folders, and settings. When you plan your migration, identify the file types, files, folders, and settings to migrate. For example, you need to determine and locate the standard file locations on each computer, such as the My Documents folder and company-specified locations. You also must determine and locate the nonstandard file locations.
USMT. Use USMT to perform a side-by-side migration for many computers and to automate the process as much as possible, or to perform a migration on the same computer. USMT is available as part of the Windows ADK. A link to download the Windows ADK can be found in the Tools section at the end of this module.
Store Windows 8 WET Files to be Used on the Source Computer
To store Windows 8 WET files so that you can use them on a source computer that does not have WET, you must first start WET on the destination computer, and then perform the following steps:
1. Close all active programs.
2. Click Start, click All Programs, click Accessories, click System Tools, and then click Windows Easy Transfer. The Windows Easy Transfer window opens.
3. Click Next and select the method to use to transfer files and settings from the source computer.
4. Click This is my new computer.
5. Click I need to install it now.
6. Select the destination media where you want to store the Windows Easy Transfer wizard files. A Browse to Folder window opens.
7. Type the path and folder name where you want to store the Windows Easy Transfer Wizard files, and then click Next.
8. Restart the source computer to install WET.
Note: If Windows Firewall is enabled on your computer, a prompt will appear asking you to enable an exception to allow WET to work over the network. Accepting this prompt opens a program exception for %SystemRoot%\System32\MigWiz\MigWiz.exe, the executable for WET.
Migrate Files and Settings from the Source Computer to the Destination Computer
When you use WET, you can select one of the following methods to transfer files and settings from a supported operating system to Windows 8:
Use an Easy File Transfer cable (a WET cable).
Use a network connection.
Use removable media such as a USB flash drive or an external hard disk.
1. Start WET on the computer from which you want to migrate settings and files by browsing to the removable media or network drive that contains the wizard files.
2. Double-click migsetup.exe. The program also may start automatically when you insert the removable media. If your computer already has WET, you can run it from the System Tools program group folder.
3. Click Next.
4. Click An Easy Transfer cable.
5. Click This is my old computer, and then complete the WET wizard.
2.
3.
4. Click This is my old computer. WET creates a Windows Easy Transfer key. The Windows Easy Transfer key functions like a password to protect files and settings, and is used to link the source and destination computer.
5. Follow the steps to enter the Windows Easy Transfer key on your destination computer to enable the network connection.
6. On your destination computer, after you enter the WET key, click Next. A connection is established, and then Windows Easy Transfer checks for updates and compatibility.
7. Click Transfer to transfer all files and settings. You can determine which files must be migrated by selecting only the user profiles that you want to transfer, or by clicking Customize.
8. Click Close after WET has completed the migration of files and settings to the destination computer.
Method 3: Transfer Files and Settings by Using Removable Media or a Network Share
Copy files from the source computer
1. Start WET on the computer from which you want to migrate settings and files by browsing to the removable media or network drive that contains the wizard files, and then double-clicking migsetup.exe. If your computer already has WET, you can run it from the System Tools program group folder.
2. Click Next.
3. Click An external hard disk or USB flash drive.
4. Click This is my old computer. WET scans the computer.
5. Click Next. You can determine which files must be migrated by selecting only the user profiles that you want to transfer, or by clicking Customize.
6. Enter a password to protect your Easy Transfer file, or leave the box blank, and then click Save.
7. Browse to the location on the network or the removable media where you want to save your Easy Transfer file, and then click Save.
8. Click Next. WET displays the file name and location of the Easy Transfer file that you just created.
Copy files to the destination computer
1. Connect the removable media to the destination computer.
2. Start Windows Easy Transfer, and then click Next.
3. Click An external hard disk or USB flash drive.
4. Click This is my new computer.
5. Click Yes, open the file.
6. Click Browse to locate where the Easy Transfer file was saved. Click the file name, and then click Open.
7. Click Transfer to transfer all files and settings. You also can determine which files must be migrated by selecting only the user profiles that you want to transfer, or by clicking Customize.
8. Click Close after WET has completed moving your files.
The MigApp.xml file: Specify this file with both the ScanState and LoadState commands to migrate application settings to computers that are running Windows 8.
The MigUser.xml file: Specify this file with both the ScanState and LoadState commands to migrate user folders, files, and file types to computers that are running Windows 8.
The MigDocs.xml file: Specify this file with both the ScanState and LoadState tools to migrate all user folders and files that are found by the MigXmlHelper.GenerateDocPatterns helper function.
Custom .xml files: You can create custom .xml files to customize the migration for your unique needs. For example, you may want to create a custom file to migrate a line-of-business (LOB) application or to modify the default migration behavior.
Config.xml: If you want to exclude components from the migration, you can create and modify the Config.xml file by using the /genconfig option with the ScanState tool.
Component manifests for Windows Vista, Windows 7, and Windows 8: When the source or destination computer is running Windows Vista, Windows 7, or Windows 8, the component-manifest files control which operating system settings are migrated and how they are migrated.
Down-level manifest files: When the source computer is running a supported version of Windows XP, these manifest files control which operating-system and Windows Internet Explorer settings are migrated and how they are migrated.
USMT internal files: All other .dll, .xml, .dat, .mui, and .inf files that are included with USMT are for internal use.
The USMT is useful for administrators who are performing installations on many Windows computers, or administrators who need to customize the migration of user data. For example, you can automate the USMT by scripting it in the logon script. If you are only migrating the user states of a few computers, you can use WET.
The hard-link migration store is for use only in wipe-and-load migration. Hard-link migration stores are stored locally on the computer that is being refreshed, and can migrate user accounts, files, and settings in less time by using megabytes (MBs) of disk space instead of gigabytes (GBs).
The ScanState tool provides various options related to specific categories. These categories are explained in the following sections.
ScanState Options
The following table describes the most commonly used ScanState options.
Option | Description
StorePath | Indicates the folder in which to save the files and settings, for example, a folder on a network share. StorePath cannot be C:\. You must specify StorePath on the ScanState command line, except when using the /genconfig option. You cannot specify more than one StorePath.
/i:[Path\]Filename | Specifies an .xml file that contains rules that define what state to migrate. You can specify this option multiple times to specify all of your .xml files.
/hardlink | Enables the creation of a hard-link migration store at the specified location. The /nocompress option must be specified with the /hardlink option. Additionally, the <HardLinkStoreControl> element can be used in the Config.xml file to change how the ScanState command creates hard links to files that are locked by another application.
The LoadState tool uses most of the same categories and options as the ScanState tool. The following options are specific to LoadState.
Option | Description
/decrypt /key:KeyString or /decrypt /keyfile:FilePathAndName | Decrypts the store with the specified key. When you use this option, specify the encryption key in one of the following ways: /key:KeyString specifies the encryption key. If there is a space in KeyString, you must enclose it in quotation marks. /keyfile:FilePathAndName specifies a .txt file that contains the encryption key.
/lac:[Password] | (local account create) Specifies that if a user account is a local (nondomain) account, and it does not exist on the destination computer, USMT will create the account on the destination computer, but the account will be disabled. To enable the account, you must also specify /lae. If /lac is not specified, any local user accounts that do not already exist on the destination computer will not be migrated. Password is the password for the newly created account; an empty password is used by default.
/lae | (local account enable) Enables the account that was created with /lac. You must specify /lac with this option.
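The ScanState and LoadState options in the two tables above, driven from PowerShell. This is an added example, not part of the course material or of USMT itself. It assumes the USMT folder from the Windows ADK is at $UsmtPath, that the store share, key-file path and account names are placeholders for your own, and that a non-zero exit code from either tool means the run failed (check the /l: log). It also refuses the one combination USMT rejects: a hard-link store requires /nocompress, and /encrypt cannot be used with /nocompress, so a hard-link store cannot be encrypted.

```powershell
# Added example: wrap scanstate.exe / loadstate.exe with the option sets described above.
$UsmtPath = 'C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\User State Migration Tool\amd64'  # assumed ADK path

function Invoke-Usmt {
    param([string]$Exe, [string[]]$Arguments)
    & (Join-Path $UsmtPath $Exe) @Arguments          # PowerShell quotes arguments that contain spaces
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE; check the /l: log" }
}

# Generate a Config.xml to edit when you want to exclude components. /genconfig takes no StorePath.
function New-UsmtConfig {
    param([string]$Path = "$env:TEMP\Config.xml")
    Invoke-Usmt scanstate.exe @("/genconfig:$Path", "/i:$UsmtPath\MigApp.xml", "/i:$UsmtPath\MigUser.xml", "/l:$env:TEMP\genconfig.log")
    $Path
}

function Invoke-UsmtScan {
    param(
        [Parameter(Mandatory = $true)][string]$StorePath,
        [string]$ConfigXml,
        [string]$KeyFile,        # .txt file holding the key; encrypts a compressed store
        [switch]$HardLink        # hard-link store for wipe-and-load on the same computer
    )
    if ($HardLink -and $KeyFile) { throw 'A hard-link store cannot be encrypted (/hardlink needs /nocompress, /encrypt cannot be combined with it)' }
    $a = @($StorePath, "/i:$UsmtPath\MigApp.xml", "/i:$UsmtPath\MigUser.xml", '/o', '/c', '/v:13', "/l:$env:TEMP\scanstate.log")
    if ($ConfigXml)   { $a += "/config:$ConfigXml" }
    if ($HardLink)    { $a += '/hardlink', '/nocompress' }
    elseif ($KeyFile) { $a += '/encrypt', "/keyfile:$KeyFile" }
    Invoke-Usmt scanstate.exe $a
}

function Invoke-UsmtLoad {
    param(
        [Parameter(Mandatory = $true)][string]$StorePath,
        [string]$ConfigXml,
        [string]$KeyFile,
        [switch]$HardLink,
        [string]$LocalAccountPassword   # when set, adds /lac:<password> and /lae so missing local accounts are created and enabled
    )
    $a = @($StorePath, "/i:$UsmtPath\MigApp.xml", "/i:$UsmtPath\MigUser.xml", '/c', '/v:13', "/l:$env:TEMP\loadstate.log")
    if ($ConfigXml)   { $a += "/config:$ConfigXml" }
    if ($HardLink)    { $a += '/hardlink', '/nocompress' }
    elseif ($KeyFile) { $a += '/decrypt', "/keyfile:$KeyFile" }
    if ($LocalAccountPassword) { $a += ('/lac:' + $LocalAccountPassword), '/lae' }
    Invoke-Usmt loadstate.exe $a
}

# Usage on the source computer: encrypted store on a share (placeholder path). The key file is as
# sensitive as the store; restrict its ACL and delete it when the migration is done.
[IO.File]::WriteAllText('C:\usmt-key.txt', 'Replace-with-a-long-random-key')
Invoke-UsmtScan -StorePath '\\LON-DC1\USMTStore\Allie' -KeyFile 'C:\usmt-key.txt'

# Usage on the destination computer: restore, creating and enabling local accounts that do not exist yet.
Invoke-UsmtLoad -StorePath '\\LON-DC1\USMTStore\Allie' -KeyFile 'C:\usmt-key.txt' -LocalAccountPassword 'Pa$$w0rd'

# Wipe-and-load on a single computer: Invoke-UsmtScan -StorePath C:\USMTStore -HardLink, reinstall Windows 8,
# then Invoke-UsmtLoad -StorePath C:\USMTStore -HardLink.
```

Passing the key on the command line with /key: would leave it visible in process listings and command history, which is why the wrapper only supports /keyfile:.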
When you are planning a migration, implementing folder redirection can expedite the migration process. If a user's profile folders are redirected to a network folder, you simply need to point the profile on the new computer to the network location to apply the user's settings and data. Some reasons to use folder redirection include:
Ensuring My Documents folder content is backed up. Many users save documents in the My Documents folder by default. If this folder is on the local hard disk, these files may never be backed up. However, you can redirect the contents of My Documents to a home folder or a shared network drive, where they are included in the server backups.
Minimizing the size of roaming profiles. Redirecting folders takes them out of the roaming profile. This reduces the size of roaming profiles, which results in better logon performance.
You can configure folder redirection manually or by using a Group Policy Object (GPO). For example, for the My Documents folder, you can configure redirection on the Location tab in the properties of My Documents, or by using GPO.
When you redirect a folder, you have the option to copy the files from the current location to the new location. If you forget to copy the files, they are not available to the user. The files continue to exist in the old location, and users can copy them at a later time.
The most common issue that occurs when you configure folder redirection manually is that you might forget to reconfigure it when you assign a user to a new computer, or that you disable folder redirection by accident.
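A check for exactly that mistake, as an added example (not part of the course): run as the user on the new computer, it reads the User Shell Folders registry values that Explorer and folder-redirection policy maintain, reports whether each folder still points under the expected share, and whether that location is reachable. The share root is an assumption; substitute your own.

```powershell
# Added example: confirm that a user's redirected folders still target the network location.
function Test-FolderRedirection {
    param([string]$ExpectedRoot = '\\LON-DC1\Home\')   # assumed home-folder share
    $key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    $shell = Get-ItemProperty -Path $key
    # Registry value names and the folder each one represents ('Personal' is My Documents).
    $folders = @{ Personal = 'Documents'; Desktop = 'Desktop'; 'My Pictures' = 'Pictures'; Favorites = 'Favorites' }
    foreach ($name in $folders.Keys) {
        # Values are REG_EXPAND_SZ; a non-redirected folder typically expands to %USERPROFILE%\...
        $path = [Environment]::ExpandEnvironmentVariables([string]$shell.$name)
        [pscustomobject]@{
            Folder     = $folders[$name]
            Path       = $path
            Redirected = $path.StartsWith($ExpectedRoot, [StringComparison]::OrdinalIgnoreCase)
            Reachable  = ($path -ne '') -and (Test-Path -LiteralPath $path)
        }
    }
}

# Usage: anything with Redirected = False on a user who should be redirected is the
# "forgot to reconfigure" case; Reachable = False means the data is not available to the user.
Test-FolderRedirection | Format-Table -AutoSize
```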
An A. Datum Corporation user, Allie Bellew, has recently been assigned a new Windows 8 computer. You have been asked to assist her with the migration of her settings from her previous computer.
Objectives
Back up important user data and settings. Restore user data and settings to a target computer. Verify successful migration of user data and settings.
Lab Setup
Estimated Time: 30 minutes
Virtual Machine(s): 20687A-LON-DC1, 20687A-LON-CL1, and 20687A-LON-CL3
User Name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect.
4. Wait until the virtual machine starts.
5. Log on using the following credentials:
   User name: Adatum\Administrator
   Password: Pa$$w0rd
Results: After completing this exercise, you should have backed up important user data and settings.
In this exercise, you will use WET to restore the settings saved in \\LON-DC1\WET to Allie's new Windows 8 computer, LON-CL1. The main task for this exercise is as follows:
1. Import the data and configuration settings on LON-CL1.
Results: After completing this exercise, you should have restored user data and settings to a Windows 8 computer by using WET.
Results: After completing this exercise, you should have confirmed the successful transfer of user data and settings.
Tools
Tool | Use to | Where to find it
Windows Easy Transfer | Perform user data migration | Start screen
User State Migration Tool | Perform user data migration | Windows ADK
Module 3
Managing Disks and Device Drivers
Contents:
Module Overview 3-1
Lesson 1: Managing Disks, Partitions, and Volumes 3-2
Lesson 2: Maintaining Disks, Partitions, and Volumes 3-13
Lesson 3: Working with Virtual Hard Disks 3-17
Lab A: Managing Disks 3-21
Lesson 4: Installing and Configuring Device Drivers 3-26
Lab B: Configuring Device Drivers 3-38
Module Review and Takeaways 3-40
Module Overview
The Microsoft Windows 8 operating system simplifies common tasks for IT professionals who manage and deploy desktops, laptops, or virtual environments. It also helps IT professionals leverage tools and skills similar to those used with Windows 7.
Although most computers that are running Windows 8 have a single physical disk configured as a single volume, this is not always the case. For example, there may be times when you want to have multiple operating systems on a single computer, or to have virtual memory on a different volume. Therefore, it is important that you understand how to create and manage simple, spanned, and striped volumes. You can also use Windows 8 to create and access virtual hard disks (VHD) from within the operating system installed on the physical computer. To help optimize file-system performance, you must be familiar with file system fragmentation and the tools you can use to defragment a volume. Additionally, a good understanding of disk quotas is helpful if you are managing available disk space on installed volumes.
To ensure that previously installed devices continue to work in Windows 8, Microsoft is working to make the device drivers available directly from Windows Update or from device manufacturer websites.
Objectives
After completing this module, you will be able to: Describe the management of disks, partitions, and volumes. Describe the maintenance of disks, partitions, and volumes. Explain how to use VHDs. Describe how to manage disks. Describe the installation and configuration of device drivers. Explain how to configure device drivers.
Lesson 1
Before you can use a disk in Windows 8, you must prepare it for use. You must partition the disk using either the master boot record (MBR) partitioning scheme or the globally unique identifier (GUID) partition table (GPT) partitioning scheme. After partitioning the disk, you must create and format one or more volumes before the operating system can use the disk. You can use Disk Management to perform disk-related tasks, such as creating and formatting partitions and volumes, assigning drive letters, and resizing disks.
The MBR is stored at a consistent location on a physical disk, enabling the computer BIOS to reference it. During the startup process, the computer examines the MBR to determine which partition on the installed disks is active. The active partition contains the operating-system startup files.
Note: You can install the rest of the operating system on another partition or disk. In Windows 8, when you boot to an MBR disk, the active partition must contain the boot sector, boot manager, and related files.
The MBR partition scheme has been around for a long time, and it supports both current and early desktop operating systems, such as the MS-DOS and the Microsoft Windows NT Server 4.0 operating system. Consequently, the MBR partition scheme is supported widely. However, the MBR partition scheme imposes certain restrictions, including:
Four partitions on each disk: MBR-based disks are limited to four partitions. All of these can be primary partitions, or one can be an extended partition with logical volumes inside. You can configure the extended partition to contain multiple volumes.
A 2 terabyte maximum partition size: A partition cannot be larger than 2 terabytes.
No redundancy provided: The MBR is a single point of failure, and if it becomes corrupt or incurs damage, it can render an operating system unbootable.
GPT disks contain an array of partition entries that describe the starting and ending logical block address (LBA) of each partition on the disk. Each GPT partition has a unique GUID and a partition-content type. Also, each LBA that the partition table describes is 64 bits in length. The GPT format is specified by the Unified Extensible Firmware Interface (UEFI), but is not exclusive to UEFI systems. Both 32-bit and 64-bit Windows operating systems support GPT for data disks on BIOS systems. However, they cannot boot from them. The 64-bit Windows operating systems support GPT for boot disks on UEFI systems.
18 exabyte (EB) volume size: This is a theoretical maximum, because hard-disk hardware that supports such vast volume sizes is not yet available.
Redundancy: Cyclic redundancy checks (CRCs) protect the partition table header and the partition entries, and a second copy of the GPT is stored at the end of the disk.
You can implement GPT-based disks on Windows Server 2008, Windows Vista, Windows 7 and Windows 8. You cannot use the GPT partition style on removable disks.
GPT Architecture
A GPT partitioned disk defines the following sectors:
Sector 0 contains a legacy protective MBR, which contains one primary partition that covers the entire disk:
The protective MBR protects GPT disks from previously released MBR disk tools, such as Microsoft MS-DOS FDISK or Microsoft Windows NT Disk Administrator. These tools view a GPT disk as having a single encompassing (possibly unrecognized) partition by interpreting the protective MBR, rather than mistaking the disk for one that is not partitioned.
Legacy software that does not know about GPT interprets only the protective MBR when it accesses a GPT disk.
Sector 1 contains a partition table header. The partition table header contains the unique disk GUID, the number of partition entries (usually 128), and pointers to the partition table.
The partition table starts at sector 2. Each partition entry contains a unique partition GUID, the partition offset, length, type (also a GUID), attributes, and a 36-character name.
The following table describes the partitions that Windows 8 creates when you install it on a GPT disk.
Partition | Type | Size | Description
A | EFI System Partition (ESP) | 100 MB | Contains the boot manager, the files that booting an operating system requires, the platform tools that run before an operating system boot, or the files that the boot manager must access before an operating system boot. The ESP must be the first partition on the disk, because it is impossible to span volumes when the ESP is logically between what you are attempting to span.
B | Microsoft Reserved (MSR) | 128 MB | Reserved for Windows components. This partition is hidden in Disk Management, and does not receive a drive letter. Usage example: When you convert a basic GPT disk to dynamic, the system decreases the size of the MSR partition, and uses that space to create the Logical Disk Manager (LDM) Metadata partition.
C | Windows (operating system) | Remaining disk | Contains the OS and is the size of the remaining disk.
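The GPT layout described above (protective MBR, header at LBA 1, entry array at LBA 2, CRC-protected), read straight off a physical disk and cross-checked against what Disk Management shows. This is an added example, not part of the course or of any Windows tool. It assumes an elevated PowerShell on Windows 8 or later (Get-Disk supplies the logical sector size, 512 on most disks and 4096 on 4Kn disks) and disk 0 as the target; the well-known partition type GUIDs in the lookup table are those Windows uses for the ESP, MSR, basic data, recovery and LDM partitions.

```powershell
# Added example: parse and verify the protective MBR, GPT header and partition entries of a disk.

function Get-Crc32 {
    param([byte[]]$Bytes)
    # Reflected CRC-32, polynomial 0xEDB88320, as required by the UEFI specification for GPT checksums.
    $table = New-Object 'uint32[]' 256
    $poly  = [uint32]3988292384          # 0xEDB88320 written in decimal so it stays unsigned
    for ($i = 0; $i -lt 256; $i++) {
        [uint32]$c = $i
        for ($k = 0; $k -lt 8; $k++) {
            if ($c -band 1) { $c = $poly -bxor ($c -shr 1) } else { $c = $c -shr 1 }
        }
        $table[$i] = $c
    }
    [uint32]$crc = [uint32]::MaxValue
    foreach ($b in $Bytes) { $crc = $table[($crc -bxor $b) -band 0xFF] -bxor ($crc -shr 8) }
    return [uint32]($crc -bxor [uint32]::MaxValue)
}

function Read-GptLayout {
    param([int]$DiskNumber = 0)
    $sector = (Get-Disk -Number $DiskNumber).LogicalSectorSize
    $fs = New-Object System.IO.FileStream -ArgumentList "\\.\PhysicalDrive$DiskNumber", 'Open', 'Read', 'ReadWrite'
    try {
        # LBA 0: protective MBR. Legacy tools see one partition of type 0xEE spanning the disk.
        $mbr = New-Object byte[] $sector
        [void]$fs.Read($mbr, 0, $sector)
        if ($mbr[510] -ne 0x55 -or $mbr[511] -ne 0xAA) { throw "Disk $DiskNumber has no MBR signature" }
        $protective = ($mbr[450] -eq 0xEE)          # partition-type byte of the first MBR entry (offset 446 + 4)

        # LBA 1: GPT header.
        $fs.Position = $sector
        $hdr = New-Object byte[] $sector
        [void]$fs.Read($hdr, 0, $sector)
        if ([Text.Encoding]::ASCII.GetString($hdr, 0, 8) -ne 'EFI PART') { throw "Disk $DiskNumber is not GPT" }
        $hdrSize    = [BitConverter]::ToUInt32($hdr, 12)
        $hdrCrc     = [BitConverter]::ToUInt32($hdr, 16)
        $diskGuid   = New-Object Guid -ArgumentList @(,[byte[]]$hdr[56..71])
        $entryLba   = [BitConverter]::ToUInt64($hdr, 72)
        $entryCount = [BitConverter]::ToUInt32($hdr, 80)
        $entrySize  = [BitConverter]::ToUInt32($hdr, 84)
        $entriesCrc = [BitConverter]::ToUInt32($hdr, 88)

        # The header CRC covers HeaderSize bytes with the CRC field itself zeroed.
        $work = [byte[]]$hdr[0..($hdrSize - 1)]
        for ($i = 16; $i -le 19; $i++) { $work[$i] = 0 }
        $headerOk = ((Get-Crc32 $work) -eq $hdrCrc)

        # Partition entry array: normally 128 entries of 128 bytes starting at LBA 2.
        $fs.Position = [long]$entryLba * $sector
        $raw = New-Object byte[] ([int]($entryCount * $entrySize))
        [void]$fs.Read($raw, 0, $raw.Length)
        $entriesOk = ((Get-Crc32 $raw) -eq $entriesCrc)

        $known = @{
            'c12a7328-f81f-11d2-ba4b-00a0c93ec93b' = 'EFI System Partition (ESP)'
            'e3c9e316-0b5c-4db8-817d-f92df00215ae' = 'Microsoft Reserved (MSR)'
            'ebd0a0a2-b9e5-4433-87c0-68b6b72699c7' = 'Basic data'
            'de94bba4-06d1-4d40-a16a-bfd50179d6ac' = 'Windows Recovery'
            '5808c8aa-7e8f-42e0-85d2-e1e90434cfb3' = 'LDM metadata (dynamic disk)'
            'af9b60a0-1431-4f62-bc68-3311714a69ad' = 'LDM data (dynamic disk)'
        }
        $parts = @(for ($i = 0; $i -lt $entryCount; $i++) {
            $off  = [int]($i * $entrySize)
            $type = New-Object Guid -ArgumentList @(,[byte[]]$raw[$off..($off + 15)])
            if ($type -eq [Guid]::Empty) { continue }   # unused slot
            $typeName = "$type"; if ($known.ContainsKey($typeName)) { $typeName = $known[$typeName] }
            $first = [BitConverter]::ToUInt64($raw, $off + 32)
            $last  = [BitConverter]::ToUInt64($raw, $off + 40)
            [pscustomobject]@{
                Index    = $i
                Type     = $typeName
                Guid     = New-Object Guid -ArgumentList @(,[byte[]]$raw[($off + 16)..($off + 31)])
                FirstLBA = $first
                LastLBA  = $last
                SizeMB   = [math]::Round([double]($last - $first + 1) * $sector / 1MB, 1)
                Name     = [Text.Encoding]::Unicode.GetString($raw, $off + 56, 72).TrimEnd([char]0)
            }
        })
        [pscustomobject]@{
            Disk = $DiskNumber; DiskGuid = $diskGuid; ProtectiveMbr = $protective
            HeaderCrcValid = $headerOk; EntriesCrcValid = $entriesOk; Partitions = $parts
        }
    } finally { $fs.Dispose() }
}

# Usage: compare with Get-Partition -DiskNumber 0 | Select PartitionNumber, GptType, Size
$gpt = Read-GptLayout -DiskNumber 0
$gpt | Format-List Disk, DiskGuid, ProtectiveMbr, HeaderCrcValid, EntriesCrcValid
$gpt.Partitions | Format-Table Index, Type, SizeMB, Name -AutoSize
```

A false in HeaderCrcValid or EntriesCrcValid means the header or entry array was modified without the checksums being recomputed, which is what happens when a sector-level disk editor is used on a GPT disk instead of Disk Management or diskpart.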
Diskpart.exe: A scriptable command-line tool, with functionality that is similar to Disk Management, and which includes advanced features. You can create scripts to automate disk-related tasks, such as creating volumes or converting disks to dynamic. This tool always runs locally.
Windows PowerShell version 3.0: PowerShell is a scripting language used to accomplish many tasks in the Windows environment. Starting with PowerShell 3.0, disk management commands have been added for use as stand-alone commands or as part of a script.
Note: Windows 8 does not support remote connections in workgroups. Both the local computer and the remote computer must be in a domain to use Disk Management to manage a disk remotely.
Note: Do not use disk-editing tools, such as DiskProbe, to make changes to GPT disks. Any change that you make renders the checksums invalid, which may cause the disk to become inaccessible. To make changes to GPT disks, use diskpart.exe or Disk Management.
With either tool, you can initialize disks, create volumes, and format the volume file system. Additional common tasks include moving disks between computers, changing disks between basic and dynamic types, and changing the partition style of disks. You can perform most disk-related tasks without restarting the system or interrupting users, and most configuration changes take effect immediately.
Disk Management
Using the Disk Management snap-in of the Microsoft Management Console (MMC), administrators can quickly manage standard, fault-tolerant, and volume sets, and confirm the health of each volume. Disk Management in Windows 8 provides the same features with which you may be familiar from previous versions, including:
Simpler partition creation: When you right-click a volume, choose whether to create a basic, spanned, or striped partition directly from the menu.
Disk conversion options: When you add more than four partitions to a basic disk, you are prompted to convert the disk to dynamic or to the GPT partition style. You also can convert basic disks to dynamic disks without incurring data loss. However, converting a dynamic disk to basic is not possible without deleting all of the volumes first.
Extend and shrink partitions: You can extend and shrink partitions directly from the Windows interface.
To open Disk Management:
1. In the Start screen, type d. This will display the Apps search window.
2. Type diskmgmt.msc in the search box, and then click diskmgmt in the results list.
Diskpart.exe
Using Diskpart.exe, you can manage fixed disks and volumes by using scripts or direct input from the command line. At the command prompt, type diskpart, and then enter commands at the DISKPART> prompt. The following are common diskpart actions:
To view a list of diskpart commands, at the DISKPART> prompt, type help.
To run a diskpart script that you have saved in a text file, type a command similar to diskpart /s testscript.txt.
To create a log file of the diskpart session, type diskpart /s testscript.txt > logfile.txt.
The following table shows several diskpart commands that you will use frequently in this scenario.
Command | Description
list disk | Displays a list of disks and information about them, such as their size, amount of available free space, whether the disk is basic or dynamic, and whether the disk uses the MBR or GPT partition style. The disk marked with an asterisk (*) has focus; subsequent commands are executed against it.
select disk <disknumber> | Selects the specified disk, where <disknumber> is the disk number, and gives it focus.
convert gpt | Converts an empty, basic disk with the MBR partition style into a basic disk with the GPT partition style.
For additional information about diskpart.exe commands, start Disk Management, and then open the Help Topics from the Help menu.
PowerShell 3.0
In earlier versions of PowerShell, if you wanted to script disk-management tasks, you had to make calls to Windows Management Instrumentation (WMI) objects or include DiskPart in your scripts. PowerShell 3.0 includes commands for natively managing disks. The following table details some PowerShell commands:
Command | Description | Additional parameters
Get-Disk | Returns information on all disks, or on the disks that you specify with a filter. | -FriendlyName returns information about disks that have the specified friendly name. -Number returns information about a specific disk.
Clear-Disk | Cleans a disk by removing all partition information. | -ZeroOutEntireDisk writes zeros to all sectors of the disk.
Initialize-Disk | Prepares a disk for use. By default, it initializes the disk with the GPT partition style. | -PartitionStyle <PartitionStyle> specifies the partition style, either MBR or GPT.
Set-Disk | Updates the physical disk with the specified attributes. | -PartitionStyle <PartitionStyle> specifies the partition style, either MBR or GPT. You can use this to convert a disk that previously was initialized.
Get-Volume | Returns information on all of the system's volumes, or on those volumes that you specify with a filter. | -DriveLetter <Char> gets information about the volume with the specified drive letter. -FileSystemLabel <String> returns the volumes that have the specified file-system label.
Additional Reading: For more information, see Storage in Windows PowerShell: http://technet.microsoft.com/enus/library/hh848705.aspx.
When you add a new hard disk to a computer, and then start Disk Management, a wizard steps you through the initialization process, during which you select whether to have an MBR or a GPT partition style. Although you can change between partition styles at a later time, some of the operations are irreversible unless you reformat the drive. You should carefully consider the disk type and partition style that is most appropriate for your situation. Before you change the partition style, remember that you: Must be a member of the Backup Operators or Administrators group. Must back up the entire contents of the hard disk before making a change, which is true for any major change that you make to disk contents.
Must ensure that disks are online before you can initialize them, or create new partitions or volumes. To bring a disk online or take it offline in Disk Management, right-click the disk name, and then click the appropriate action. Can convert only from GPT to MBR if the disk does not contain any volumes or partitions. Should use Event Viewer to check the system log for disk-related messages.
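The prerequisites above (disk online, partition style chosen up front, conversion only while the disk is empty, never touch the system disk) applied with the storage cmdlets from the table. This is an added example, not part of the course; the disk number, label and optional size are assumptions. The -Size parameter mirrors the diskpart `create partition primary size=5103` form used in the lab; without it the partition takes the whole disk.

```powershell
# Added example: bring a new disk online, initialize it, and create one formatted volume, safely.
function Initialize-DataDisk {
    param(
        [Parameter(Mandatory = $true)][int]$DiskNumber,
        [string]$Label = 'Data',
        [ValidateSet('GPT', 'MBR')][string]$PartitionStyle = 'GPT',
        [uint64]$Size = 0                    # 0 = use all available space; e.g. 5103MB
    )
    $disk = Get-Disk -Number $DiskNumber
    # Refuse to touch the disk that holds the running system or its boot files.
    if ($disk.IsBoot -or $disk.IsSystem) { throw "Disk $DiskNumber holds the boot or system volume; refusing" }

    # Disks must be online and writable before they can be initialized or partitioned.
    if ($disk.IsOffline)  { Set-Disk -Number $DiskNumber -IsOffline $false }
    if ($disk.IsReadOnly) { Set-Disk -Number $DiskNumber -IsReadOnly $false }
    $disk = Get-Disk -Number $DiskNumber

    if ($disk.PartitionStyle -eq 'RAW') {
        Initialize-Disk -Number $DiskNumber -PartitionStyle $PartitionStyle
    } elseif ($disk.PartitionStyle -ne $PartitionStyle) {
        # Changing partition style is only possible while the disk has no partitions at all
        # (on GPT that includes the hidden MSR). Back up, then Clear-Disk -RemoveData, then retry.
        if (@(Get-Partition -DiskNumber $DiskNumber -ErrorAction SilentlyContinue).Count -gt 0) {
            throw "Disk $DiskNumber is $($disk.PartitionStyle) and still has partitions; back up and run Clear-Disk first"
        }
        Set-Disk -Number $DiskNumber -PartitionStyle $PartitionStyle
    }

    $partArgs = @{ DiskNumber = $DiskNumber; AssignDriveLetter = $true }
    if ($Size -gt 0) { $partArgs.Size = $Size } else { $partArgs.UseMaximumSize = $true }
    $part = New-Partition @partArgs
    $null = Format-Volume -DriveLetter $part.DriveLetter -FileSystem NTFS -NewFileSystemLabel $Label -Confirm:$false
    Get-Volume -DriveLetter $part.DriveLetter
}

# Usage: the lab's 5103 MB partition on disk 3, then check with Disk Management.
Initialize-DataDisk -DiskNumber 3 -Label 'Simple1' -Size 5103MB
```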
Note: In a multiboot scenario, if you are in one operating system, and you convert a basic MBR disk that contains an alternate operating system to a dynamic MBR disk, you will not be able to boot into the alternate operating system.
Most business users require a basic disk and one basic volume for storage, but do not require a computer with volumes that span multiple disks or that provide fault-tolerance. This is the best choice for those who require simplicity and ease of use.
If small business users want to upgrade their operating systems and reduce impact on their business data, they must store the operating system in a separate location from business data. This scenario requires a basic disk with two or more basic volumes. Users can install the operating system on the first volume, creating a boot volume or system volume, and use the second volume to store data. When a new version of the operating system is released, users can reformat the boot or system volume, and install the new operating system. The business data, located on the second volume, remains untouched.
A simple volume may provide better performance than striped data-layout schemes. For example, when serving multiple, lengthy, sequential streams, performance is best when a single disk services each stream. Also, workloads that are composed of small, random requests do not always result in performance benefits when you move them from a simple to a striped data layout.
Using diskpart
1. Start diskpart.
2. In the diskpart command prompt, run the following commands:
   select disk 3
   create partition primary size=5103
   list partition
   select partition 2
3. Open Windows Explorer, and verify that the volumes that you created are visible.
Question: In what circumstances will you use less than all of the available space on a new volume's disk?
Basic disks support only primary partitions, extended partitions, and logical drives. To use spanned or striped volumes, you must convert the disks to dynamic disks. Dynamic disks use a database to track information about the dynamic volumes on the disk and about the computer's other dynamic disks. Because each dynamic disk in a computer stores a replica of the dynamic disk database, Windows can repair a corrupted database on one dynamic disk by using the database on another dynamic disk.
A spanned volume gives users the option to gather noncontiguous free space from one or many disks into the same volume. A spanned volume does not provide any fault tolerance. Additionally, because the areas that you combine are not necessarily equally distributed across the participating disks, there is no performance benefit to implementing spanned volumes. I/O performance is comparable to simple volumes.
You can create a spanned volume either by extending a simple volume to an area of unallocated space on a second disk, or by designating multiple disks during the volume-creation process. The benefits of using spanned volumes include uncomplicated capacity planning and straightforward performance analysis.
If you are creating a new spanned volume, you must define the same properties as when you create a simple volume, in terms of size, file system, and drive letter. It also is necessary to define how much space to allocate to the spanned volume from each physical disk.
You can create spanned volumes only on dynamic disks. If you attempt to create a spanned volume on basic disks, Windows prompts you to convert the disks to dynamic after you have defined the volume's properties and confirmed the choices.
It is possible to shrink a spanned volume. However, it is not possible to remove an area from a specific disk. For example, if a spanned volume consists of three 100 megabyte (MB) partitions, one on each of three disks, you cannot delete the third element. Depending on the space consumption in the volume, you can reduce the volume's total size.
Note: When you shrink a spanned volume, no data loss occurs. However, the number of disks involved may decrease. If the spanned volume resides on a single disk, the spanned volume is converted into a simple volume. If there are empty dynamic disks that result from shrinking a spanned volume, the empty dynamic disks are converted to basic disks.
If you install additional hard disks, it is possible to extend the spanned volume to include areas of unallocated space on the new disks, as long as the total number of disks does not exceed the 32-disk limit for spanned volumes.
For most workloads, a striped data layout provides better performance than simple or spanned volumes, as long as you select the striped unit appropriately, based on workload and storage hardware characteristics. The overall storage load is balanced across all physical drives.
Striped volumes also are well suited for isolating the paging file. By creating a volume where PAGEFILE.SYS is the only file on the entire volume, the paging file is less likely to become fragmented, which helps improve performance. Redundancy normally is not required for the paging file. Striped volumes provide a better solution than RAID 5 for paging file isolation. This is because paging file activity is write-intensive, and RAID 5 is better suited for read performance than write performance.
Because no capacity is allocated for redundant data, RAID 0 does not provide data-recovery mechanisms, such as those in RAID 1 and RAID 5. The loss of any disk results in data loss on a larger scale than it would on a simple volume, because it disrupts the entire file system that spreads across multiple physical disks. The more disks that you combine, the less reliable the volume becomes. When you create a striped volume, define the file system, drive letter, and other standard volume properties. Additionally, you must define the disks from which to allocate free space. The allocated space from each disk must be identical. It is possible to delete a striped volume, but it is not possible to extend or to shrink the volume.
Configuration Changes
There are times when you may want to upgrade or in some way alter the configuration of computer hardware or software. For example: When the addition of functionality adds value to your organization. When a fault in software, hardware, or the combined architecture results in an application failing. When a change in the functionality or role of a server or workstation occurs.
There are other forms of volume management, with different types of fault tolerance and recovery that this module does not cover. These include using RAID-1 or RAID-5 volumes, hardware mirroring, and disk duplexing. You could consider using these forms of volume management in your enterprise.
4. Complete the New Spanned Volume Wizard using defaults, except for the following information:
   Use 2000 MB from Disk 2
   Use 1500 MB from Disk 3
   Use 4000 MB from Disk 4
   Name the volume SpanVol
5. Read the Disk Management warning, and then click Yes.
Question: What is the advantage of using striped volumes, and conversely what is the major disadvantage?
To perform the shrink operation, ensure that the disk is either unformatted or formatted with the NTFS file system, and that you are a member of the Backup Operators or Administrators group. When you shrink a volume, contiguous free space relocates to the end of the volume. There is no need to reformat the disk, but to ensure that the maximum amount of space is available, make sure you perform the following tasks before shrinking:
Defragment the disk, if you do not have a regular schedule for defragmentation.
Reduce shadow copy disk-space consumption.
Ensure that no page files are stored on the volume that you are shrinking.
When you shrink a volume, unmovable files (the page file or the shadow-copy storage area) do not relocate automatically. It is not possible to decrease the allocated space beyond the point where the unmovable files are located. If you need to shrink the partition further, move the page file to another disk, delete the stored shadow copies, shrink the volume, and then move the page file back to the disk. To view shadow copy storage information, use the Volume Shadow Copy Service administrative command-line tool. Start an elevated command prompt, and then type vssadmin list shadowstorage. The used, allocated, and maximum shadow copy storage space is listed for each volume.
Defragmentation in Windows 8 improves upon defragmentation in previous Windows versions. You now can relocate some files that could not be relocated in Windows Vista or earlier versions. A later topic discusses defragmenting in more detail.
Note: You may destroy or lose data if you shrink a raw partition, meaning a partition that does not have a file system but does contain data. Remember to make a backup prior to extending or shrinking a partition or volume.
You can shrink simple and spanned dynamic volumes, but not others. Here are a few ways in which you can increase the size of a simple volume:
Extend the simple volume on the same disk. The volume remains a simple volume.
Extend a simple volume to include unallocated space on other disks on the same computer. This creates a spanned volume.
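The pre-shrink checks described above (page file, shadow-copy storage, defragmentation) followed by the shrink itself, using the Windows 8 storage cmdlets rather than the Disk Management wizard. This is an added example, not part of the course. It assumes an elevated prompt (Administrators or Backup Operators) and uses the drive letter and target size as placeholders. Get-PartitionSupportedSize reports the real minimum that unmovable files impose, which is the figure the Shrink dialog shows as available shrink space.

```powershell
# Added example: shrink an NTFS volume only after the checks the text lists have passed.
function Resize-DataVolume {
    param(
        [Parameter(Mandatory = $true)][char]$DriveLetter,
        [Parameter(Mandatory = $true)][uint64]$NewSize      # target size in bytes, e.g. 40GB
    )
    $root   = "${DriveLetter}:"
    $fsType = (Get-Volume -DriveLetter $DriveLetter).FileSystem
    if ($fsType -and $fsType -ne 'NTFS') { throw "$root is $fsType; shrinking is supported for NTFS or unformatted volumes only" }

    # 1. The page file is unmovable. If it lives on this volume, move it elsewhere before shrinking.
    $pf = Get-WmiObject Win32_PageFileUsage | Where-Object { $_.Name -like "$root*" }
    if ($pf) { throw "Page file $($pf.Name) is on $root; move it to another disk first" }

    # 2. Shadow-copy storage is also unmovable; show what vssadmin reports so it can be reduced or deleted.
    vssadmin list shadowstorage /for=$root

    # 3. Consolidate movable files towards the start of the volume.
    Optimize-Volume -DriveLetter $DriveLetter -Defrag

    # 4. Ask the storage stack for the supported range; SizeMin is set by the last unmovable file.
    $limits = Get-PartitionSupportedSize -DriveLetter $DriveLetter
    if ($NewSize -lt $limits.SizeMin) {
        throw ('Requested {0:N0} MB, but unmovable files limit this volume to {1:N0} MB' -f ($NewSize / 1MB), ($limits.SizeMin / 1MB))
    }
    Resize-Partition -DriveLetter $DriveLetter -Size $NewSize
    Get-Partition -DriveLetter $DriveLetter | Select-Object DriveLetter, Size, Offset
}

# Usage: shrink D: to 40 GB; the freed space appears as unallocated at the end of the disk.
Resize-DataVolume -DriveLetter D -NewSize 40GB
```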
This demonstration shows how to resize a volume with the diskpart tool. Then, the Disk Management tool is used to extend a simple volume.
Compare the size of the Simple2 volume with the size previously reported.
Lesson 2
When you first create a volume, you typically are creating new files and folders on the volume's available free space, in contiguous blocks. This provides an optimized file-system environment. As the volume becomes full, the availability of contiguous blocks diminishes. This can lead to subpar performance. This lesson explores file-system fragmentation and the tools that you can use to reduce fragmentation.
As the volume fills with data and other files, contiguous areas of free space are harder to find. File deletion also causes fragmentation of available free space. Additionally, when you extend a file, there may not be contiguous free space following the existing file blocks. This forces the I/O manager to save the remainder of the file in a noncontiguous area. Over time, contiguous free space becomes harder to find, leading to fragmentation of newly stored content. The incidence and extent of fragmentation varies, depending on available disk capacity, disk consumption, and usage patterns.
Although the NTFS file system is more efficient at handling disk fragmentation than earlier file systems, this fragmentation still presents a potential performance problem. Combined hardware and software advances in Windows help to mitigate the impact of fragmentation and deliver better responsiveness.
The Optimize Drives tool rearranges data and reunites fragmented files. It runs automatically on a scheduled basis. However, you can perform a manual optimization at any time. To manually optimize a volume or drive, or to change the automatic optimization schedule, right-click a volume in Windows Explorer (which you can open with the Windows key + E), click Properties, click the Tools tab, and then click Optimize. You then can perform the following tasks:
Change Settings, which allows you to:
   Enable or disable the automated optimization.
   Specify the automated optimization frequency.
   Set a notification for three consecutive missed optimization runs.
   Select which volumes you want to optimize.
Analyze the disk to determine whether it requires optimization.
Launch a manual optimization.
You also can start the optimization process by launching Defragment and Optimize Drives from the Administrative Tools.
To verify that a disk requires defragmentation, in the Optimize Drives tool, select the disk that you want to defragment, and then click Analyze. Once Windows finishes analyzing the disk, check the percentage of fragmentation on the disk in the Current status column. If the number is high, defragment the disk.
The Optimize Drives tool might take from several minutes to a few hours to finish defragmenting, depending on the size and degree of fragmentation of the disk or universal serial bus (USB) device, such as an external hard drive. You can use the computer during the defragmentation process.
You can configure and run disk defragmentation from an elevated command prompt by using the defrag command-line tool. Use defrag /? at the command prompt for the available options.
There are several ways that you can help prevent file-system fragmentation:
Partition the disk so that you isolate static files from those that are created and deleted frequently, such as some user-profile files and temporary Internet files.
Use the Disk Cleanup feature to free disk space that is being consumed by each user's preferences for console files that the profile is saving.
Use the Optimize Drives tool to help reduce the impact of disk fragmentation on disk volumes, including USB drives. The Optimize Drives tool rearranges fragmented data so that disks and drives can work more efficiently.
Additionally, you can manage quotas by using the fsutil quota and fsutil behavior commands from the command prompt. Once you create a quota, you can export it, and then import it for a different volume. In addition to establishing quota settings on an individual computer by using these methods, you can also use Group Policy settings to configure quotas. This lets administrators configure multiple computers with the same quota settings.

Over time, the amount of available disk space inevitably becomes less, so you must ensure that you have a plan to increase storage capacity.

Note: Quotas are tracked separately for each volume.
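The following PowerShell script is an added example, not part of the course, that shows the fsutil quota and fsutil behavior commands from the paragraph above in a working sequence: it enforces quotas on one volume, creates a per-user threshold and limit, and then reads back the quota state and the NTFS quota events from the System log. The volume letter E:, the limit and threshold values, and the notification interval are constructed for this example; the user name Adatum\Alan is the lab's standard user.

```powershell
# Added example, not from the course: enforce an NTFS quota on one volume
# and check the result. Run from an elevated PowerShell prompt.
# Assumptions (constructed for this example): the volume is E:, the user is
# Adatum\Alan, and the byte values below are arbitrary test figures.
$Volume    = 'E:'
$User      = 'Adatum\Alan'
$Threshold = 1MB   # 1048576 bytes: crossing it logs a warning, writes still succeed
$Limit     = 2MB   # 2097152 bytes: writes that would exceed it fail as "disk full"

# Limit how often NTFS logs quota events for the same user (value in seconds).
fsutil behavior set quotanotify 3600

# Switch the volume from tracking usage to enforcing limits. Quotas are kept
# per volume, so this and the entry below apply to E: only.
fsutil quota enforce $Volume

# Create (or update) the per-user entry. fsutil expects bytes; PowerShell
# expands 1MB and 2MB to integers before they reach fsutil.
fsutil quota modify $Volume $Threshold $Limit $User

# Confirm the quota state and list the per-user entries on the volume.
fsutil quota query $Volume

# Quota events are written to the System log by NTFS: event 36 when a user
# reaches the threshold, event 37 when a user reaches the limit. Review them
# after the user has written test files (for example with fsutil file createnew).
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 36, 37 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Quota accounting follows file ownership, so files created while logged on as an administrator do not count against Alan's entry; to exercise the limit, create the test files while logged on as that user, as the lab does.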
5. Open a command prompt, and then run the following commands on the drive:
   fsutil file createnew 2mb-file 2097152
   fsutil file createnew 1kb-file 1024
6.
Lesson 3
With VHDs, you can present a portion of a hard drive as an independent hard drive to the Windows 8 operating system. VHDs generally are associated with virtual machines. Beginning with Windows 7, Windows operating systems can mount VHDs directly. In this lesson, you will learn what a virtual hard disk is and how to mount one in Windows 8.

Windows 8 supports both virtual disk formats, VHD and VHDX, and two virtual hard disk types, fixed and dynamically expanding. Both virtual hard disk formats support both hard disk types. Additionally, when using diskpart.exe, a differencing disk can be created. A differencing disk lets you use a base disk without making changes to the base disk. All changes are written to the differencing disk. A differencing disk must be a VHD and must be dynamically expanding.

VHD disks support up to 2 terabytes of storage, whereas the VHDX format is for virtual disks larger than 2 TB, with a supported maximum of 64 terabytes.

A fixed size virtual hard disk is allocated its maximum size when you create the virtual disk. The fixed disk type is the recommended type for the VHD virtual disk format for the following reasons:
- The I/O performance is highest for fixed VHDs, because the file is not dynamically expanded.
- When a dynamically expanding disk is expanded, the host volume could run out of space and cause the write operations to fail. The use of fixed VHDs ensures that this does not happen.
- The file data will not become inconsistent due to lack of storage space or power loss. Dynamically expanding VHDs depend on multiple write operations to expand the file. The internal block allocation information can become inconsistent if all I/O operations to the VHD file and the host volume are not complete and persisted on the physical disk. This can happen if the computer suddenly loses power.

The size of a dynamically expanding virtual hard disk is as large as the data that is written to it. As more data is written to a dynamically expanding virtual hard disk, the file increases to the configured maximum size. With the improvements in the VHDX format, the dynamically expanding disk type is recommended when creating VHDX drives.

- Attach. Attaching a VHD activates the VHD, so that it appears on the host computer as a local hard disk drive. If the VHD already has a disk partition and file system volume when you attach it, the volume inside the VHD is assigned a drive letter. The assigned drive letter is then available for use, similar to when you insert a USB flash drive into a USB connector. All users (not just the current user) can use the attached VHD in the same way they use other volumes on local physical hard-disk drives, dependent on their security permissions. Furthermore, because you can attach a VHD that is on a remote server message block (SMB) share, you can manage your images remotely.
- Detach. Detaching a VHD stops the VHD from appearing on the host computer. When you detach a VHD, you can copy it to other locations.
You can use diskpart only to create VHD-formatted virtual disks. To create a VHD by using diskpart, you use the create vdisk command at the diskpart prompt. The following table shows the options that the create vdisk command supports.

Option: file=(filename)
Description: Specifies the complete path and filename of the virtual disk file. The file may be on a network share.

Option: maximum=(n)
Description: The maximum amount of space that the virtual disk exposes, in megabytes.

Option: type=(fixed|expandable)
Description: fixed specifies a fixed size virtual disk file. expandable specifies a virtual disk file that resizes to accommodate the allocated data. The default is fixed.

Option: sd=(sddl string)
Description: Specifies a security descriptor in the security descriptor definition language (SDDL) format. By default, the security descriptor is taken from the parent directory.

Option: parent=(filename)
Description: Path to a parent virtual disk file to create a differencing disk. With the parent parameter, you should not specify maximum, because the differencing disk gets the size from its parent. Also, do not specify type, because only expandable differencing disks can be created.

Option: source=(filename)
Description: Path to an existing virtual disk file to be used to prepopulate the new virtual disk file. When source is specified, data from the input virtual disk file is copied block for block from the input virtual disk file to the created virtual disk file. Be aware that this does not establish a parent-child relationship.

Option: noerr
Description: For scripting only. When diskpart encounters an error, it continues to process commands as if the error did not occur.
To mount a virtual disk by using diskpart, you must first use the select vdisk command to specify the VHD file, and then use the attach vdisk command. The following table shows the options that the select vdisk command supports:

Option: file=(filename)
Description: Specifies the complete path and filename of the virtual disk file. The file may be on a network share.

Option: noerr
Description: For scripting only. When diskpart encounters an error, it continues to process commands as if the error did not occur.

The following table shows the options that the attach vdisk command supports:

Option: readonly
Description: Attaches the virtual disk as read-only. Any write operation will return an input/output device error.

Option: sd=(sddl string)
Description: Specifies a security descriptor in the SDDL format. By default, the security descriptor allows access like any physical disk.

Option: usefilesd
Description: Specifies that the security descriptor on the virtual disk file itself should be used on the virtual disk. If not specified, the disk will not have an explicit security descriptor unless one is specified with sd=(sddl string).
To unmount a virtual disk using diskpart, you first must use the select vdisk command to specify the virtual hard disk file, and then use the detach vdisk command. The detach vdisk command only supports the noerr option.
Disk Management provides a graphical interface for managing virtual disks. The Create VHD and Attach VHD options are available from the Action menu. When you create a virtual hard disk in Disk Management, you can create either VHD or VHDX files. The default selections for creating a virtual disk will create a VHD format drive with a fixed-disk type. You always must provide the path\file name and size of the file that you want to create. When you attach a VHD through Disk Management, you only need to specify the path\filename. When you attach a VHD, you have the option to make it read-only. When you want to unmount a virtual disk, you can right-click the disk, and then click Detach VHD.
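The following PowerShell script is an added example, not part of the course, that drives the create vdisk, select vdisk, attach vdisk, and detach vdisk commands described above through diskpart script files. It creates a small dynamically expanding VHD, partitions and formats it, detaches it, and then re-attaches it with the readonly option so that the image cannot be modified while it is inspected. The file path C:\VHD\lab.vhd, the drive letter V, and the volume label LabData are placeholders constructed for this example.

```powershell
# Added example, not from the course: create a dynamically expanding VHD with
# diskpart, format it, then re-attach it read-only. Run from an elevated
# PowerShell prompt. C:\VHD\lab.vhd, letter V and label LabData are placeholders.
$VhdPath    = 'C:\VHD\lab.vhd'
$ScriptFile = Join-Path $env:TEMP 'vhd-step.txt'
New-Item -ItemType Directory -Path (Split-Path $VhdPath) -Force | Out-Null

function Invoke-DiskpartScript {
    # diskpart /s runs the commands in a text file, one command per line.
    param([string]$Commands)
    Set-Content -Path $ScriptFile -Value $Commands -Encoding ASCII
    diskpart /s $ScriptFile
}

# 1. Create a 512 MB expandable VHD, attach it, and lay down an NTFS volume.
#    After attach vdisk the new virtual disk is the selected disk, so the
#    partition, format and assign commands apply to it.
Invoke-DiskpartScript @"
create vdisk file="$VhdPath" maximum=512 type=expandable
select vdisk file="$VhdPath"
attach vdisk
create partition primary
format fs=ntfs quick label="LabData"
assign letter=V
detach vdisk
"@

# 2. Re-attach read-only. Every write to the volume now fails with an I/O
#    error, which is the behaviour you want when examining an image that
#    must stay unchanged (the VHD file itself is also left untouched).
Invoke-DiskpartScript @"
select vdisk file="$VhdPath"
attach vdisk readonly
"@

# The volume normally comes back with the letter assigned earlier; find it
# by label so the check does not depend on that.
Get-Volume | Where-Object FileSystemLabel -eq 'LabData' |
    Select-Object DriveLetter, FileSystemLabel, Size, SizeRemaining

# 3. Detach when finished; the .vhd file can then be copied elsewhere.
Invoke-DiskpartScript @"
select vdisk file="$VhdPath"
detach vdisk
"@
```

The sd=(sddl string) option from the attach vdisk table can be added to the attach line to restrict who can access the attached disk; readonly alone is enough for the inspection case shown here.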
You need to configure the hard drive configuration manually on some new desktop computers. Due to application requirements, you need to create several simple partitions, a spanned partition, and a striped partition. The client computers are shared, and require that you place a quota on the spanned drive. For certain instances, you plan on using virtual drives.
Objectives
- Create simple, spanned, and striped volumes on the client computers.
- Create a quota on the client machine's spanned volume.
Lab Setup
Estimated Time: 20 minutes

Virtual Machine(s): 20687A-LON-DC1, 20687A-LON-CL2
User Name: Adatum\Administrator and Adatum\Alan
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   o User name: Adatum\Administrator
   o Password: Pa$$w0rd
   o Domain: Adatum
5. Compare the size of the Simple2 volume with the size previously reported.
   o Name the volume SpannedVol.
   o Read the Disk Management warning, and then click Yes.
4.
5.
Results: After this exercise, you will have created several volumes on the client computer.
In this exercise, students configure a disk quota on one of the new volumes. Students enforce a quota limit, and then log on as standard users to test the quota limit. The main tasks for this exercise are as follows:
1. Create disk quotas on a volume.
2. Create test files.
3. Test the disk quota.
4. Review quota alerts and logging.
Results: At the end of this exercise, you will have created and tested a disk quota.
Results: At the end of this exercise, you will have mounted an existing VHD file, and then used the virtual drive.
When you have finished the lab, leave the virtual machines running, as they are needed for the next lab.
Lesson 4
Devices have changed from being single-function peripherals to complex, multifunction devices, with a large amount of local storage and the ability to run applications. They have evolved from a single type of connection, such as USB, to multi-transport devices that support USB, Bluetooth, and WiFi. Many of today's devices are integrated and sold with services that are delivered over the Internet. Internet delivery has simplified the delivery mechanism, which means that a computer's ability to recognize and use devices has expanded to cover all possibilities. Microsoft has expanded the list of devices and peripherals that are being tested for compatibility with Windows 8.
The device experience in Windows 8 is designed on existing connectivity protocols and driver models to maximize compatibility with existing devices. The following are areas in Windows 8 that you can use to manage devices:
- The Devices and Printers control panel gives users a single location to find and manage all the devices that connect to a Windows 8-based computer, and provides quick access to device status, product information, and key functions, such as faxing and scanning. This enhances and simplifies the customer experience with a Windows 8-connected device.
- Device Manager is used to view and update hardware settings and driver software for devices such as internal hard drives, disc drives, sound cards, video or graphics cards, memory, processors, and other internal computer components.
Seamless user experiences begin with the ability to effortlessly connect devices. Additional drivers are retrieved automatically from Windows Update, and when appropriate, users are given an option to download and install additional applications for the device. These components all help reduce support calls and increase customer satisfaction.
Lesson Objectives
After completing this lesson, you will be able to:
- Describe device drivers in Windows 8.
- Describe the process for installing devices and drivers.
- Describe the process for installing drivers into the driver store.
- Describe the device driver management tools.
- Describe the options for updating drivers.
- Describe how to manage signed drivers.
- Discuss options for recovering from a driver issue.
- Manage drivers.
Windows 8 is available in 32-bit and 64-bit versions. Drivers developed for the 32-bit versions do not work with the 64-bit versions, and vice versa. You must make sure that you obtain the appropriate device drivers before you install Windows 8.

Driver Signing

The device drivers that are part of Windows 8 have a Microsoft digital signature that indicates whether a particular driver or file has met a certain level of testing, is stable and reliable, and has not been altered since it was signed digitally. Windows 8 checks for a driver's digital signature during installation, and prompts the user if no signature is available.

Note: The signature file is stored as a .cat file in the same location as the driver file.
The driver store is the driver repository in Windows 8. A driver package is a set of files that make up a driver. It includes the .inf file, any files that the .inf file references, and the .cat file that contains the digital signature for the device driver. You can preload the driver store with drivers for commonly used peripheral devices. The driver store is located in systemroot\System32\DriverStore.

Installing a driver is a two-stage process. First, you install the driver package into the driver store. You must use administrator credentials to install the driver package into the driver store. The second step is to attach the device and install the driver. A standard user can perform this second step.

During hardware installation, if the appropriate driver is not available, Windows 8 uses Windows Error Reporting to report an unknown device. This enables Original Equipment Manufacturers (OEMs) to work in conjunction with Microsoft to provide additional information to the user, such as a statement of nonsupport for a particular device, or a link to a website with additional support information.
In Windows 8, the Device Metadata System provides an end-to-end process for defining and distributing device metadata packages. These packages contain device experience XML documents that represent the device's properties and functions, together with applications and services that support the device. Through these XML documents, the Devices and Printers folder and Device Stage present users with an interface that is specific to the device, which the device maker defines.

Windows Online Quality Services (Winqual) validates device-experience XML documents, and then signs device metadata packages. Windows Metadata and Internet Services (WMIS) distributes new or revised device-metadata packages that device makers submit through Winqual.

Windows 8 uses WMIS to discover, index, and match device metadata packages to specific devices that are connected to the computer. Device makers also can distribute device-metadata packages directly to the computer through their own Setup applications.

Note: You can use the Pnputil.exe tool to add a driver to the Windows 8 driver store manually.

Windows 8 reads this information when the device is attached to the computer, and then completes the configuration so that the device works properly with the other installed devices. Properly implemented, Plug and Play provides automatic configuration of PC hardware and devices. The driver architecture for Windows supports comprehensive, operating system-controlled Plug and Play. Plug and Play technologies are defined for Institute of Electrical and Electronics Engineers 1394 (IEEE 1394), Peripheral Component Interconnect (PCI), PC Card/CardBus, USB, Small Computer System Interface (SCSI), Advanced Technology Attachment (ATA), Industry Standard Architecture (ISA), Line Print Terminal (LPT), and Component Object Model (COM). You can use Device Manager to manually install device drivers that are not compliant with Plug and Play.

Windows 8 introduces several improvements to the way that users can discover and use the devices that their computers host and which connect to their computers. Windows 8 can detect nearby devices in the home automatically, making them available for use. Windows 8 also can install a Metro style device app automatically from the Windows Store when users connect their device for the first time. Metro style device apps that are companions to a device or PC have the ability to leverage the full range of functionality of that device or PC.
- Staging driver packages in the protected driver store. A standard user, without any special privileges or permissions, can install a driver package that is in the driver store.
- Configuring client computers to search a specified list of folders automatically when a new device attaches to the computer. A network share can host these folders. When a device driver is accessible in this manner, Windows does not need to prompt the user to insert media.
Rebooting the system is rarely necessary when installing Plug and Play devices or software applications. This is true because of the following reasons:
  o The Plug and Play Manager installs and configures drivers for Plug and Play devices when the operating system is running.
  o Applications can use side-by-side components instead of replacing shared, in-use dynamic-link libraries (DLLs).
These features improve the user experience and reduce help-desk support costs, because standard users can install approved driver packages without requiring additional permissions or administrator assistance. These features also help increase computer security by ensuring that standard users can install only driver packages that you authorize and trust.
When a user inserts a device, Windows detects it, and then signals the Plug and Play service to make the device operational. Plug and Play queries the device for identification strings, and searches the driver store for a driver package that matches the identification strings. If a matching package is found, Plug and Play copies the device driver files from the driver store to their operational locations, typically %systemroot%\System32\drivers, and then updates the registry as needed. Finally, Plug and Play starts the newly installed device driver. If a matching package is not found in the driver store, Windows searches for a matching driver package by looking in the following locations:
- Folders specified by the DevicePath registry entry.
- The Windows Update website.
- Media or a manufacturer's website that is provided after the system prompts the user.
Windows also checks that the driver package has a valid digital signature. If the driver package is signed by a certificate that is valid, but which is not found in the Trusted Publishers store, Windows prompts the user for confirmation. Staging the device driver packages in this manner provides significant benefits. After a driver package is staged successfully, any user that logs on to that computer can install the drivers by simply plugging in the appropriate device.
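The following PowerShell script is an added example, not part of the course, that shows the DevicePath mechanism from the search order above: it reads the current DevicePath value, shows which accounts can write to the folder you are about to add, and appends the folder to the list. The share \\LON-DC1\Drivers is a placeholder constructed for this example; the registry key and value name are the ones the text refers to.

```powershell
# Added example, not from the course: add a network folder to the DevicePath
# search list that Windows consults when no matching package is in the driver
# store. Assumption (constructed): \\LON-DC1\Drivers is a placeholder share.
# Run from an elevated PowerShell prompt.
$Key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'
$Share = '\\LON-DC1\Drivers'

function Get-DevicePathFolder {
    # DevicePath is a semicolon-separated REG_EXPAND_SZ value; drop empty entries.
    (Get-ItemProperty -Path $Key -Name DevicePath).DevicePath -split ';' |
        Where-Object { $_ }
}

function Add-DevicePathFolder {
    param([string]$Folder)
    $entries = @(Get-DevicePathFolder)
    if ($entries -contains $Folder) { return $entries }
    # Keep the REG_EXPAND_SZ type so %SystemRoot%\inf still expands.
    Set-ItemProperty -Path $Key -Name DevicePath -Value (($entries + $Folder) -join ';') -Type ExpandString
    return $entries + $Folder
}

# A folder on this list is trusted as a driver source: packages found there
# that carry a trusted publisher's signature install with no prompt. So only
# a folder that ordinary users cannot write to belongs here; list who can.
(Get-Acl -Path $Share).Access |
    Where-Object { $_.FileSystemRights -match 'Write|Modify|FullControl' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType

Write-Host "DevicePath before:" (Get-DevicePathFolder -join ';')
Add-DevicePathFolder -Folder $Share | Out-Null
Write-Host "DevicePath after: " (Get-DevicePathFolder -join ';')
```

The default value contains only %SystemRoot%\inf; every folder appended to it widens the set of locations from which Windows will pick up a driver package, which is why the script shows the folder's write permissions before adding it.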
Devices that are not compatible with Plug and Play are becoming increasingly rare as manufacturers stop producing them in favor of Plug and Play devices. The term non-Plug and Play typically applies to older pieces of equipment with devices that require manual configuration of hardware settings before use. To view non-Plug and Play devices, in Device Manager, click the View menu, click Show hidden devices, and then expand Non-Plug and Play Drivers.
To add a driver, use the -a parameter to specify the path and name of the driver, for example, pnputil -a <PathToDriver>/<Driver>.inf. Windows validates that the signature attached to the package is valid, the files are unmodified, and the file thumbprints match the signature.

After adding a driver, note the assigned number. Drivers are renamed oem*.inf during the addition. This is to ensure unique naming. For example, the file MyDriver1.inf may be renamed oem0.inf. You can view the published name by using the -e parameter, for example pnputil -e.

Typically, you do not need to uninstall a Plug and Play device. Just disconnect or unplug the device so that Windows does not load or use the driver.

The following table lists the options available with pnputil.exe:

Option: -a <PathToDriver>/<Driver>.inf
Description: Add the driver package specified by <PathToDriver>/<Driver>.inf to the driver store.

Option: -a <PathToDriver>/*.inf
Description: Add all the driver packages in the path specified.

Option: -i -a <PathToDriver>/<Driver>.inf
Description: Add and install the driver package specified by <PathToDriver>/<Driver>.inf to the driver store.

Option: -e
Description: Enumerate all third-party driver packages.

Option: -d OEM<#>.inf
Description: Delete the driver package specified by OEM<#>.inf.

Option: -f -d OEM<#>.inf
Description: Force the deletion of the driver package specified by OEM<#>.inf.
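The following PowerShell function is an added example, not part of the course, that turns the text that pnputil -e prints into objects so that the third-party packages in the driver store can be filtered and reviewed, for instance to list every oem*.inf whose signer is not the Windows Hardware Compatibility Publisher. The "Key : Value" layout the parser assumes is illustrated by the constructed sample below, which is not output from any real machine; the provider names Contoso Devices and Fabrikam are placeholders.

```powershell
# Added example, not from the course: parse "pnputil -e" output into objects.
# Assumption: pnputil -e prints one "Key : Value" line per field and starts
# each package with "Published name", as in the constructed sample below.
function ConvertFrom-PnpUtilOutput {
    param([Parameter(ValueFromPipeline)][string[]]$Line)
    begin { $pkg = $null }
    process {
        foreach ($l in $Line) {
            if ($l -notmatch '^\s*(?<k>[^:]+?)\s*:\s*(?<v>.*)$') { continue }
            # Turn "Driver package provider" into the property name DriverPackageProvider
            $words = $Matches.k.Trim() -split '\s+'
            $name  = ($words | ForEach-Object { $_.Substring(0, 1).ToUpper() + $_.Substring(1) }) -join ''
            $value = $Matches.v.Trim()
            if ($name -eq 'PublishedName') {
                if ($pkg) { [pscustomobject]$pkg }      # emit the previous package
                $pkg = [ordered]@{ PublishedName = $value }
            } elseif ($pkg) {
                $pkg[$name] = $value
            }
        }
    }
    end { if ($pkg) { [pscustomobject]$pkg } }
}

# Constructed sample in the pnputil -e layout (placeholder vendors, not real output).
$sampleText = @'
Microsoft PnP Utility

Published name :            oem0.inf
Driver package provider :   Contoso Devices
Class :                     Printers
Driver date and version :   03/15/2012 2.1.0.4
Signer name :               Microsoft Windows Hardware Compatibility Publisher

Published name :            oem1.inf
Driver package provider :   Fabrikam
Class :                     System devices
Driver date and version :   11/02/2011 1.0.0.0
Signer name :               Fabrikam Code Signing
'@
$packages = ($sampleText -split "`r?`n") | ConvertFrom-PnpUtilOutput

# Packages whose catalog was not signed through WHQL deserve a second look;
# a package that is no longer needed is removed with pnputil -d oemN.inf.
$packages |
    Where-Object { $_.SignerName -ne 'Microsoft Windows Hardware Compatibility Publisher' } |
    Format-Table PublishedName, DriverPackageProvider, Class, SignerName -AutoSize

# On a live system, feed the real tool into the same parser:
# pnputil -e | ConvertFrom-PnpUtilOutput
```

With the sample input, only oem1.inf (signer Fabrikam Code Signing) is listed; on a real computer the published names and signers come from that computer's driver store.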
Windows 8 introduces Metro style device apps. Metro style device apps build on the plug-and-play experience from Windows 7. Using these apps, device manufacturers can deliver an app that is paired with their device, and automatically downloaded to the user the first time the device is connected. Providing a Metro style device app gives hardware developers a unique opportunity to showcase device functionality.

- View a list of installed devices: View all devices that are currently installed based on their type, by their connection to the computer, or by the resources they use. This device list is recreated after every system restart or dynamic change.
- Uninstall a device: Uninstall the device driver, and remove the driver software from the computer.
- Enable or disable devices: If you want a device to remain attached to a computer without being enabled, you can disable the device instead of uninstalling it. Disable is different from uninstall because only the drivers are disabled and the hardware configuration is not changed.
- Troubleshoot devices: Determine whether the hardware on your computer is working properly. If a device is not operating correctly, it may be listed as Unknown Device, with a yellow question mark next to it.
- Update device drivers: If you have an updated driver for a device, you can use Device Manager to apply the updated driver.
- Roll back drivers: If you experience system problems after updating a driver, you can roll back to the previous driver by using driver rollback. Using this feature, you can reinstall the last device driver that was functioning before the installation of the current device driver.

You can use Device Manager to manage devices only on a local computer. On a remote computer, Device Manager works in read-only mode. This means that you can view, but not change, that computer's hardware configuration. Device Manager is accessible in the Hardware and Sound category in Control Panel.
Hidden Devices
The most common type of hidden device is for non-Plug and Play devices and network adapters. To view hidden devices in Device Manager, click View, and then click Show hidden devices.
- All devices plugged into a USB port on the computer, such as flash drives, webcams, keyboards, and mice.
- All printers, whether they are connected by USB cable, the network, or wirelessly.
- Bluetooth and Wireless USB devices.
- The computer itself.
- Network-enabled scanners or media extenders.

Devices and Printers does not include the following:
- Devices such as internal hard drives, disc drives, sound cards, video or graphics cards, memory, processors, and other internal computer components.
- Speakers connected to the computer with conventional speaker wires.
- Older devices, such as mice and keyboards that connect to the computer through a PS/2 or serial port.
In Devices and Printers, a multifunction printer shows and can be managed as one device instead of individual printer, scanner, or fax device. In Device Manager, each individual component of a multifunction printer is displayed and managed separately.
PC Settings
A new option with Windows 8 is the PC Settings tool on the Start menu. To access this tool, you open the Start menu from the right corner, and then click on More PC Settings. In the left pane of that tool, you can click Devices, and then add devices or remove already installed devices.
Device Stage
Device Stage provides users with a new way to access devices and advanced options for managing them. Devices in use are shown with a photo-realistic icon. This icon can include quick access to common device tasks and status indicators that let users quickly discern battery status, device synchronization status, remaining storage capacity, and other information. Device makers can customize this experience to highlight device capabilities and branding, and can include links to product manuals, additional applications, community information and help, or additional products and services. The entire Device Stage experience remains current. Graphics, task definitions, status information, and links to websites are distributed to computers by using the Windows Metadata Information Service (WMIS).
Additional Reading: For a list of Device Stage experiences, go to http://msdn.microsoft.com/en-us/windows/hardware/br259108.
Dynamic Update is a feature that works with Windows Update to download any critical fixes and device drivers that are required during the setup process. Dynamic Update downloads new drivers for devices that are connected to the computer and are required to run Setup. This feature updates the required Setup files and improves the process so that you can get started successfully with Windows 8. Dynamic Update downloads the following types of files:
- Critical Updates: Dynamic Update replaces files from the Windows 8 operating system DVD that require critical fixes or updates. Dynamic Update also replaces DLLs that setup requires. The only files that are downloaded are those that replace existing files. No new files are downloaded.
- Device drivers: Dynamic Update only downloads drivers that are not included on the operating system CD or DVD. Dynamic Update does not update existing drivers, but you can obtain these by connecting to Windows Update after setup is complete.

When updated device drivers are required, Microsoft is working to ensure that you can get them directly from Windows Update or from device manufacturer websites. Look up Windows Update first to update drivers after they are installed. If the updated device driver is not available through Windows Update, find the latest version of the device driver by any of the following methods:
- Visit the computer manufacturer's website for an updated driver.
- Visit the hardware manufacturer's website.
- Search the Internet by using the device name.

You can perform manual device updates in Device Manager. To manually update the driver used for a device, follow these steps in Device Manager:
1. Double-click the type of device you want to update.
2. Right-click the device, and then click Update Driver Software.
3. Follow the instructions in the Update Driver Software Wizard.

Windows 8 also includes several enhancements to the upgrade experience, including a load driver feature. If an upgrade is blocked due to incompatible or missing drivers that are required for the system to boot, you can use this feature to load a new or updated driver from the Compatibility Report, and continue with the upgrade.
Adm ministrators an end users who are installin nd w ng Win ndows-based software can use digital signa s atures to verify that a legitim y mate publisher has provided the r d soft tware package. It is an electr ronic security mark that indic m cates the publisher of the so oftware and if som meone has changed the drive packages original conten ts. If a publish signs a driv you can be er her ver, e confident that the driver comes from that pub e s blisher and ha not been alt as tered.
A digital signature uses the organization's dig e gital certificate to encrypt sp e pecific details a about the pack kage. The encrypted inf formation in a digital signatu includes a thumbprint fo each file inc ure or cluded with the e package. A specia cryptographic algorithm re al eferred to as a hashing algorithm generates this thumbp print. The algorithm gen nerates a code that only that files content can create. C e ts Changing a sin ngle bit in the file changes the thum mbprint. After the thumbprin are generat t nts ted, they are c combined toge ether into a catalog, and then encrypte ed. Note: 64-bi Windows 8 versions requir that all drive be signed. it v re ers
If your organization has a Software Publishing Certificate, you can use that to add your own digital signature to drivers that you have tested and that you trust. If you experience stability problems after you install a new hardware device, an unsigned device driver might be the cause.
You can use Sigverif.exe to check if unsigned device drivers are in the system area of a computer. Sigverif.exe writes the results of the scan to a log file that includes the system file, the signature file, and the signature file's publisher. The log file shows any unsigned device drivers as unsigned. You then can choose whether to remove the unsigned drivers. To remove an unsigned device driver, follow these steps:
1. Run Sigverif to scan for unsigned drivers and then review the resulting log file.
2. Create a temporary folder for the storage of unsigned drivers.
3. Manually move any unsigned drivers from systemroot\System32\Drivers into the temporary folder.
4. Disable or uninstall the associated hardware devices.
5. Restart the computer.
If this resolves the problem, try to obtain a signed driver from the hardware vendor or replace the hardware with a device that is Windows 8-capable.
You can obtain a basic list of signed and unsigned device drivers from a command prompt by running the driverquery command with the /si switch.
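The driverquery /si command just mentioned can also emit CSV (driverquery /si /fo csv), which is easier to audit in bulk than the default table. The following Python is an added example, not part of the course: it parses that CSV, lists drivers not marked as signed, and counts signed drivers per manufacturer, the same vendor view the Sigverif report gives. The sample rows are constructed; the column names DeviceName, InfName, IsSigned and Manufacturer are the ones driverquery /si produces.

```python
"""Added example: audit driver signing status from `driverquery /si /fo csv`.

Not course code. SAMPLE_CSV is constructed; on a real machine run
    driverquery /si /fo csv > drivers.csv
and pass the file's text to unsigned_drivers().
"""
import csv
import io

SAMPLE_CSV = (
    '"DeviceName","InfName","IsSigned","Manufacturer"\r\n'
    '"Standard PS/2 Keyboard","keyboard.inf","TRUE","(Standard keyboards)"\r\n'
    '"Microsoft IntelliPoint","point64.inf","TRUE","Microsoft"\r\n'
    '"Contoso Widget Controller","oem7.inf","FALSE","Contoso"\r\n'
)


def parse_driverquery_csv(text: str) -> list:
    """Parse driverquery CSV text into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def is_signed(row: dict) -> bool:
    """driverquery reports signing status as the literal TRUE or FALSE."""
    return row.get("IsSigned", "").strip().upper() == "TRUE"


def unsigned_drivers(text: str) -> list:
    """Return (DeviceName, InfName, Manufacturer) for every driver not marked signed.
    Anything that is not exactly TRUE is treated as unsigned, so a missing or
    malformed column is reported rather than silently accepted."""
    return [
        (r["DeviceName"], r["InfName"], r["Manufacturer"])
        for r in parse_driverquery_csv(text)
        if not is_signed(r)
    ]


def signed_drivers_by_publisher(text: str) -> dict:
    """Count signed drivers per manufacturer, the vendor view Sigverif gives."""
    counts = {}
    for r in parse_driverquery_csv(text):
        if is_signed(r):
            counts[r["Manufacturer"]] = counts.get(r["Manufacturer"], 0) + 1
    return counts
```

Unsigned entries and unexpected publishers are the rows worth following up with the steps above (locate the driver, disable the device, obtain a signed replacement).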
Configuring Windows 8
Note: Some hardware vendors use their own digital signatures so that drivers can have a valid digital signature, even if Microsoft has not tested them. The Sigverif report lists the vendors for each signed driver. This can help you identify problem drivers issued by particular vendors.
Because device driver software runs as a part of the operating system, it is critical that only known and authorized device drivers are permitted to run. Signing and staging device driver packages on client computers provide the following benefits:
- Improved security: You can allow standard users to install approved device drivers without compromising computer security or requiring help-desk assistance.
- Reduced support costs: Users can only install devices that your organization has tested and is prepared to support. Therefore, you will maintain the security of the computer as you simultaneously reduce the demands on the help desk.
- Better user experience: A driver package that is staged in the driver store works automatically when the user plugs in the device. Alternatively, driver packages placed on a shared network folder can be discovered whenever the operating system detects a new hardware device. In both cases, the user is not prompted before installation.
On each computer, Windows maintains a store for digital certificates. As the computer administrator, you can add certificates from trusted publishers. If a package is received for which a matching certificate cannot be found, Windows requires confirmation that the publisher is trusted. By placing a certificate in the certificate store, you inform Windows that packages signed by that certificate are trusted.
You can use Group Policy to deploy the certificates to client computers. Using Group Policy, you can have the certificate automatically installed to all managed computers in a domain, organizational unit, or site.
Note: Rolling back a driver can cause the loss of new functionality, and can reintroduce problems that the newer version addressed.
Note: The Roll Back Driver button is available only if a previous version of the driver was installed. If the current driver for the device is the only one that was ever installed on the computer, then the Roll Back Driver button is not available.
System Restore
In rare cases, after you install a device or update a driver for a device, the computer may not start. This problem may occur in the following situations:
- The new device or the driver causes conflicts with other drivers that are installed on the computer.
- A hardware-specific issue occurs.
- The driver that is installed is damaged.
Sometimes, performing a driver rollback is not sufficient to recover from a computer problem. If you are unable to recover the computer by using driver rollback, consider using System Restore.
System Restore can be used when you want to retain all new data and changes to existing files, but still perform a restore of the system from when it was running well. Windows 8 lets you return your computer to the way that it was at a previous point in time, without deleting any personal files. System Restore is reversible, because an undo restore point is created before the restore operations are completed. During the restoration, a list of files appears showing applications that will be removed or added. To restore a computer to a previous configuration by using System Restore, you can use:
- Safe Mode.
- Windows Recovery Environment (RE).
Even the earliest versions of the Microsoft Windows NT operating system provided the Last Known Good Configuration option as a way of rolling the system back to a previous configuration. In Windows 8, some startup-related configuration and device-related configuration information is stored in the registry database, specifically, the HKLM\SYSTEM hive. A series of Control Sets are stored beneath this registry hive, most notably CurrentControlSet and LastKnownGood. The latter is located in the HKLM\SYSTEM\Select node. When you make a device configuration change to the computer, the change is stored in the CurrentControlSet key, in the appropriate registry folder and value. After you restart the computer, and successfully log on, Windows synchronizes the CurrentControlSet key and the LastKnownGood key.
However, if, after a device configuration change, you experience a startup problem, but do not log on, the two control sets are out of sync, and the LastKnownGood key contains the previous configuration set. To use Last Known Good Configuration, restart the computer without logging on, and press F8 during the boot sequence to access the Advanced Boot Options menu. Select Last Known Good Configuration (advanced) from the list.
If you have a hardware problem, the cause could be hardware or a device driver. Fortunately, the process to update device drivers to a newer version is straightforward. Alternatively, you can roll back device drivers to an older version or reinstall them. Troubleshooting hardware problems often starts by troubleshooting device drivers. To identify a device driver problem, answer the following questions:
- Did you recently upgrade the device driver or other software related to the hardware? If so, roll back the device driver to the previous version.
- Are you experiencing occasional problems, or is the device not compatible with the current version of Windows? If so, upgrade the device driver.
- Did the hardware suddenly stop working? If so, upgrade the device driver. If that does not solve the problem, reinstall the device driver. If the problem continues, try troubleshooting the hardware problem.
This demonstration shows how to update a device driver and then uninstall that driver update. You also will install a driver into the driver store. This demonstration requires two machine restarts.
Expand Keyboards and update the Standard PS/2 Keyboard driver to the PC/AT Enhanced PS/2 Keyboard (101/102 Key) driver. Reboot the computer when prompted.
Verify you have successfully uninstalled the PC/AT Enhanced PS/2 Keyboard (101/102 Key) driver. Close Computer Management.
You are going to test the user's ability to install drivers, and then install a driver in the protected store so that users will be able to install it.
Objectives
- Install and configure a new driver.
- Uninstall a driver.
Lab Setup
Estimated Time: 10 minutes
Virtual Machine(s): 20687A-LON-DC1, 20687A-LON-CL2
User Name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. The required virtual machines should already be running from the preceding lab.
By default, standard users cannot install device drivers. When you know certain plug and play devices will be used in your environment, you can preload the device drivers so that users can use the devices. The main task for this exercise is as follows: Install a device driver into the protected store.
At the command prompt, type pnputil -a E:\Labfiles\Mod03\Intellipoint\ipoint\setup64\files\driver\point64\point64.inf, and then press Enter. Check the list of installed OEM drivers by typing pnputil -e, and then pressing Enter.
Results: At the end of this exercise, you will have installed a driver into the protected driver store.
Expand Keyboards, and update the Standard PS/2 Keyboard driver to the PC/AT Enhanced PS/2 Keyboard (101/102 Key) driver. Reboot the computer when prompted.
Verify you have successfully uninstalled the PC/AT Enhanced PS/2 Keyboard (101/102 Key) driver. Close Computer Management.
Results: At the end of this exercise, you will have installed and uninstalled a device driver.
If you have a hardware problem, the hardware or a device driver may be causing it. Troubleshooting hardware problems often starts by troubleshooting device drivers.
Tools
The following table lists some of the tools available for managing hard disks and devices. Cells the source did not preserve are marked as not captured.

Tool | Used for | Where to find it
Defrag.exe | Performing disk defragmentation tasks from the command line. | Command prompt
Device Manager | Viewing and updating hardware settings, and driver software for devices, such as internal hard drives, disc drives, sound cards, video or graphics cards, memory, processors, and other internal computer components. | (not captured)
(tool name not captured) | Helps users interact with devices, and use the full functionality of the devices. | (not captured)
(tool name not captured) | Provides users a single location to find and manage all the devices connected to their Windows 8-based computers. Also provides quick access to device status, product information, and key functions, such as faxing and scanning, to enhance and simplify the customer experience with a Windows 8-connected device. | (not captured)
(tool name not captured) | Rearranging fragmented data so that disks and drives can work more efficiently. | In Windows Explorer, right-click a volume, click Properties, click the Tools tab, and then click Optimize.
Disk Management | Managing disks and volumes, both basic and dynamic, locally or on remote computers. | diskmgmt.msc
Diskpart.exe | Managing disks, volumes, and partitions from the command line or from Windows PE. | (not captured)
Fsutil.exe | Performing tasks that are related to FAT and NTFS file systems, such as managing reparse points, managing sparse files, or dismounting a volume. | (not captured)
Pnputil.exe | Adding drivers to and managing drivers in the protected device store. | (not captured)
Module 4
Configuring and Troubleshooting Network Connections
Contents:
Module Overview
Lesson 1: Configuring IPv4 Network Connectivity
Lesson 2: Configuring IPv6 Network Connectivity
Lesson 3: Implementing Automatic IP Address Allocation
Lab A: Configuring Network Connection
Lesson 4: Implementing Name Resolution
Lesson 5: Troubleshooting Network Connectivity
Lab B: Troubleshooting Network Connectivity
Module Review and Takeaways
Module Overview
Network connectivity is essential in today's business environment. An increasing number of computer users want to connect their computers to a network, whether they are part of a business network infrastructure, operate a home office, or need to share files and access the Internet.
The Windows 8 operating system provides enhanced networking functionality compared with earlier Microsoft Windows desktop-operating systems, and it provides support for newer technologies.
Windows 8 implements both TCP/IP version 4 and TCP/IP version 6 by default. An understanding of both IPv4 and IPv6, and of the operating system's access capabilities, helps you configure and troubleshoot Windows 8 networking features.
Objectives
After completing this module, you will be able to:
- Describe how to configure a local area network (LAN) connection with IPv4.
- Describe how to configure a LAN connection with IPv6.
- Explain the implementation of automatic IP address allocation.
- Explain how to configure network connections.
- Explain the methods for resolving computer names.
- Explain the troubleshooting process for network connectivity problems.
- Describe how to troubleshoot common network-related problems.
Lesson 1
IPv4 divides the address into four octets, as the following example shows:
11000000.10101000.00000001.11001000
To make the IP addresses more readable, the binary representation of the address is typically shown in decimal form. For example:
192.168.1.200
The address, in conjunction with a subnet mask, identifies:
- The computer's unique identity, which is the host ID.
- The subnet on which the computer resides, which is the network ID.
This enables a networked computer to communicate with other networked computers in a routed environment.
The Internet Assigned Numbers Authority (IANA) organizes IPv4 addresses into classes, and a network's number of hosts determines the required class of addresses. Class A through Class E are the names that IANA has specified for IPv4 address classes.
Classes A, B, and C are IP addresses that you can assign to host computers as unique IP addresses, while you can use Class D for multicasting. Additionally, IANA reserves Class E for experimental use.
In complex networks, subnet masks might not be simple combinations of 255 and 0. Rather, you might subdivide one octet with some bits that are for the network ID and some for the host ID. If you do not use a whole octet for subnetting, this is known as classless addressing, or Classless InterDomain Routing (CIDR). You either use more or less of the octet, and this type of subnetting uses a different notation, which the following example shows:
172.16.16.1/255.255.240.0
The following example shows the more common representation of classless IPv4 addressing:
172.16.16.1/20
The /20 represents how many subnet bits are in the mask. This notation style is called Variable Length Subnet Masking.
Additional Reading: For additional information on CIDR, go to http://go.microsoft.com/fwlink/?LinkId=154437.
What Is a Subnet?
A subnet is a network segment, and single or multiple routers separate the subnet from the rest of the network. When your Internet service provider (ISP) assigns a network to a Class A, B, or C address range, you often must subdivide the range to match the network's physical layout. Subdividing enables you to break a large network into smaller, logical subnets.
When you subdivide a network into subnets, you must create a unique ID for each subnet, which you derive from the main network ID. To create subnets, you must allocate some of the bits in the host ID to the network ID. By doing so, you can create more networks. By using subnets, you can:
- Use a single Class A, B, or C network across multiple physical locations.
- Reduce network congestion by segmenting traffic and reducing broadcasts on each segment.
- Overcome limitations of current technologies, such as exceeding the maximum number of hosts that each segment can have.
When you use more bits for the subnet mask, you can have more subnets, but fewer hosts on each subnet. Using more bits than you need allows you to have more subnets, but it limits how many hosts you can have. Conversely, using fewer bits than you need allows for a larger number of hosts, but limits how many subnets you can have. You can calculate the number of subnet bits that your network needs by using the formula 2^n, where n is the number of bits. The result is the number of subnets that your network requires. The following table indicates the number of subnets that you can create by using a specific number of bits.

Number of bits | Number of subnets
1 | 2
2 | 4
3 | 8
4 | 16
5 | 32
6 | 64

The mask's host bits determine how many bits the supporting hosts on a subnet require. You can calculate the number of host bits required by using the formula 2^n - 2, where n is the number of bits. This result is the least number of hosts that your network needs, and it also is the maximum number of hosts that you can configure on that subnet.
The following table shows how many hosts a class C network has available based on the number of host bits.

Number of bits | Number of hosts
7 | 126
6 | 62
5 | 30
4 | 14
3 | 6
2 | 2

To determine subnet addresses quickly, you can use the lowest value bit in the subnet mask. For example, if you choose to subnet the network 172.16.0.0 by using 3 bits, this means the subnet mask is 255.255.224.0. The decimal 224 is 11100000 in binary, and the lowest bit has a value of 32, so that is the increment between each subnet address. The following table shows examples of calculating subnet addresses.

Binary network number | Decimal network number
172.16.00000000.00000000 | 172.16.0.0
172.16.00100000.00000000 | 172.16.32.0
172.16.01000000.00000000 | 172.16.64.0
172.16.01100000.00000000 | 172.16.96.0
172.16.10000000.00000000 | 172.16.128.0
172.16.10100000.00000000 | 172.16.160.0
172.16.11000000.00000000 | 172.16.192.0
172.16.11100000.00000000 | 172.16.224.0
The following table shows examples of calculating host addresses.

Decimal network number | Host range
172.16.64.0 | 172.16.64.1 - 172.16.95.254
172.16.96.0 | 172.16.96.1 - 172.16.127.254
172.16.128.0 | 172.16.128.1 - 172.16.159.254
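The subnet and host tables above (the 2^n and 2^n - 2 formulas, the 255.255.224.0 mask, the increment of 32 and the host ranges for 172.16.0.0 with 3 subnet bits) can be reproduced mechanically. The following Python is an added example and not part of the course; it uses the standard ipaddress module and also converts between the dotted mask and /prefix notation shown earlier for 172.16.16.1/255.255.240.0.

```python
"""Added example: the course's subnetting arithmetic with Python's ipaddress module.

Not course code. All inputs are taken from the tables in the text.
"""
import ipaddress


def subnets_for_bits(n: int) -> int:
    """Number of subnets created by borrowing n bits: 2^n."""
    return 2 ** n


def usable_hosts_for_bits(n: int) -> int:
    """Usable hosts with n host bits: 2^n - 2 (network and broadcast excluded)."""
    return 2 ** n - 2


def prefix_from_mask(mask: str) -> int:
    """255.255.240.0 -> 20, the /20 form the text calls Variable Length Subnet Masking."""
    return ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen


def mask_from_prefix(prefix_len: int) -> str:
    """20 -> 255.255.240.0"""
    return str(ipaddress.ip_network(f"0.0.0.0/{prefix_len}").netmask)


def subnet_increment(prefix_len: int) -> int:
    """Value of the lowest set bit in the octet being subnetted.
    For /19 that octet is 224 = 11100000, so the increment is 32."""
    bits_in_octet = prefix_len % 8
    return 1 if bits_in_octet == 0 else 2 ** (8 - bits_in_octet)


def enumerate_subnets(network: str, subnet_bits: int) -> list:
    """Network addresses of every subnet when subnet_bits are borrowed from the host ID."""
    net = ipaddress.ip_network(network)
    return [str(s.network_address) for s in net.subnets(prefixlen_diff=subnet_bits)]


def host_range(subnet: str) -> tuple:
    """First and last usable host of a subnet (network and broadcast excluded)."""
    net = ipaddress.ip_network(subnet)
    return (str(net.network_address + 1), str(net.broadcast_address - 1))


def subnet_plan(network: str, subnet_bits: int) -> dict:
    """Everything the text's tables show for one network, in a single dictionary."""
    net = ipaddress.ip_network(network)
    new_prefix = net.prefixlen + subnet_bits
    host_bits = 32 - new_prefix
    return {
        "mask": mask_from_prefix(new_prefix),
        "increment": subnet_increment(new_prefix),
        "subnets": subnets_for_bits(subnet_bits),
        "hosts_per_subnet": usable_hosts_for_bits(host_bits),
        "ranges": {
            s: host_range(f"{s}/{new_prefix}")
            for s in enumerate_subnets(network, subnet_bits)
        },
    }
```

subnet_plan("172.16.0.0/16", 3) yields the mask 255.255.224.0, an increment of 32, eight subnets, and the host ranges listed in the table; with 13 host bits each subnet holds 8190 hosts, which is why the text's class C host table stops at 7 bits.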
When a host delivers an IPv4 packet, it uses the subnet mask to determine whether the destination host is on the same network or on a remote network. If the destination host is on the same network, the local host delivers the packet. If the destination host is on a different network, the host transmits the packet to a router for delivery.
Note: The host determines the Media Access Control (MAC) address of the router for delivery, and the initiating host addresses the router explicitly, at the media access layer.
When a host on the network uses IPv4 to transmit a packet to a destination subnet, IPv4 consults the internal routing table to determine the appropriate router to ensure the packet reaches the destination subnet. If the routing table does not contain any routing information about the destination subnet, IPv4 forwards the packet to the default gateway. The host assumes that the default gateway contains the required routing information.
In most cases, you can use a Dynamic Host Configuration Protocol (DHCP) server to assign the default gateway automatically to a DHCP client. This is more straightforward than manually assigning a default gateway on each host.
The pool of IPv4 addresses is becoming smaller, so IANA is reluctant to allocate superfluous IPv4 addresses. Technologies such as Network Address Translation (NAT) enable administrators to use a relatively small number of public IPv4 addresses, and at the same time, enable local hosts to connect to remote hosts and services on the Internet.
IANA defines the following address ranges as private. Internet-based routers do not forward packets originating from, or destined to, these ranges.

Class | Mask | Range
A | 10.0.0.0/8 | 10.0.0.0 - 10.255.255.255
B | 172.16.0.0/12 | 172.16.0.0 - 172.31.255.255
C | 192.168.0.0/16 | 192.168.0.0 - 192.168.255.255
Note: Request for Comments (RFC) 3330 defines these private address ranges.
Question: Which of the following is not a private IP address?
a. 171.16.16.254
b. 192.16.18.5
c. 192.168.1.1
d. 10.255.255.254
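Checking an address against the three private ranges in the table is a common step when reviewing firewall rules or log entries, and the 172.16.0.0/12 range is the one most often misjudged because it does not end on an octet boundary. The following Python is an added example, not course material; it classifies addresses against exactly the three ranges the table lists and can be run over the question's four choices.

```python
"""Added example: classify IPv4 addresses against the private ranges in the table.

Not course code. Uses only the three ranges the text lists (RFC 1918 / RFC 3330),
deliberately not ipaddress.IPv4Address.is_private, which also covers loopback,
link-local and other special ranges.
"""
import ipaddress

PRIVATE_RANGES = {
    "A": ipaddress.ip_network("10.0.0.0/8"),
    "B": ipaddress.ip_network("172.16.0.0/12"),
    "C": ipaddress.ip_network("192.168.0.0/16"),
}

# The four choices from the question in the text.
QUESTION_CHOICES = ["171.16.16.254", "192.16.18.5", "192.168.1.1", "10.255.255.254"]


def private_class(address: str):
    """Return 'A', 'B' or 'C' when the address falls in that private range, else None."""
    ip = ipaddress.ip_address(address)
    for name, net in PRIVATE_RANGES.items():
        if ip in net:
            return name
    return None


def is_private(address: str) -> bool:
    return private_class(address) is not None


def classify(addresses: list) -> dict:
    """Map each address to True (private) or False (public / not in the table)."""
    return {a: is_private(a) for a in addresses}


def public_addresses(addresses: list) -> list:
    """Addresses that Internet routers would forward, i.e. those outside the table.
    Useful when auditing which sources in a log came from outside the LAN."""
    return [a for a in addresses if not is_private(a)]
```

Note the /12 boundary: 172.31.255.255 is private but 172.32.0.1 is not, a distinction a simple "starts with 172." check would get wrong.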
You can configure IPv4 settings on a Windows 8 computer by using the Network and Sharing Center, the Netsh command-line tool, or Windows PowerShell cmdlets. To configure IPv4 using Netsh, you can use the following example:
Netsh interface ipv4 set address name="Local Area Connection" source=static addr=172.16.16.3 mask=255.255.255.0 gateway=172.16.16.1
The following table describes some of the Windows PowerShell cmdlets that you can use to view and configure IPv4 settings:

Cmdlet | Description of IPv4 configuration uses
Set-NetIPAddress | Modifies an existing IP address and sets the subnet mask
Set-NetIPInterface | Enables or disables DHCP for an interface
Set-NetRoute | Modifies routing table entries, including the default gateway (0.0.0.0)
Set-DnsClientServerAddress | Configures the DNS server that is used for an interface
Demonstration
This demonstration shows how to configure an IPv4 address manually using the Network and Sharing Center.
In Network and Sharing Center, view the Local Area Connection Status. This window shows the same configuration information for this adapter as the IPConfig command. View the IPv4 configuration for Local Area Connection. You can configure the IP address, subnet mask, default gateway, and Domain Name System (DNS) servers in this window.
View the Advanced settings. In the Advanced TCP/IP Settings window, you can configure additional settings, such as additional IP addresses, DNS settings, and Windows Internet Naming Service (WINS) servers for NetBIOS name resolution.
Question: When might you need to change a computer's IPv4 address?
Lesson 2
Though most networks to which you connect Windows 8-based computers currently provide IPv4 support, many also support IPv6. To connect computers that are running Windows 8 to IPv6-based networks, you must understand the IPv6 addressing scheme, and the differences between IPv4 and IPv6.
Lesson Objectives
After completing this lesson, you will be able to:
- Describe the benefits of implementing IPv6.
- Describe how Windows 8 supports IPv6.
- Describe the IPv6 address space.
- List IPv6 address types.
- Stateless and stateful address configuration: IPv6 has auto-configure capability without DHCP, and it can discover router information so that hosts can access the Internet. This is a stateless address configuration. A stateful address configuration is when you use the DHCPv6 protocol. Stateful configuration has two additional configuration levels: one in which DHCP provides all the information, including the IP address and configuration settings, and another in which DHCP provides just configuration settings.
- Required support for Internet Protocol Security (IPsec): The IPv6 standards require support for the Authentication Header (AH) and Encapsulating Security Payload (ESP) headers that IPsec defines. Although IPsec does not define support for its specific authentication methods and cryptographic algorithms, IPsec is defined from the start as the way to protect IPv6 packets.
- Restored end-to-end communication: The global addressing model for IPv6 traffic means that translation between different types of addresses is not necessary, such as the translation done by NAT devices for IPv4 traffic. This simplifies communication because you do not need to use NAT devices for peer-to-peer applications, such as video conferencing.
- Prioritized delivery: IPv6 contains a field in the packet that lets network devices determine that the packet should be processed at a specified rate. This enables traffic prioritization. For example, when you are streaming video traffic, it is critical that the packets arrive in a timely manner. You can set this field to ensure that network devices determine that the packet delivery is time-sensitive.
- Support for single-subnet environments: IPv6 has much better support of automatic configuration and operation on networks consisting of a single subnet. You can use this to create temporary ad-hoc networks through which you can connect and share information.
- Extensibility: IPv6 has been designed so that you can extend it with much fewer constraints than IPv4.
Additional Reading: For more information on IPv6, go to http://go.microsoft.com/fwlink/?LinkId=154442.
DirectAccess enables remote users to access the corporate network anytime they have an Internet connection, because it does not require a virtual private network (VPN). DirectAccess provides a flexible corporate network infrastructure to help you remotely manage and update user PCs both on and off the network. DirectAccess makes the end user experience of accessing corporate resources over an Internet connection nearly indistinguishable from the experience of accessing these resources from a computer at work. DirectAccess uses IPv6 to provide globally routable IP addresses for remote access clients.
Windows 8 services, such as File Sharing and Remote Access, use IPv6 features, such as IPsec. This includes VPN Reconnect, which uses Internet Key Exchange Version 2 (IKEv2), an authentication component of IPv6. The Windows 8 operating system supports remote troubleshooting capabilities, such as Remote Assistance and Remote Desktop. Remote Desktop enables administrators to connect to multiple Windows Server sessions for remote administration purposes. IPv6 addresses can be used to make remote desktop connections. Both Remote Assistance and Remote Desktop use the Remote Desktop Protocol (RDP) to enable users to access files on their office computer from another computer, such as one located at their home.
The size of an address in IPv6 is four times larger than an IPv4 address. IPv6 addresses are expressed in hexadecimal (hex), as the following example shows:
2001:DB8:0:2F3B:2AA:FF:FE28:9C5A
This might seem complex for end users, but the assumption is that users will rely on DNS names to resolve hosts, meaning they rarely will type IPv6 addresses manually. The IPv6 address in hex also is easier to convert to binary. This simplifies working with subnets, and calculating hosts and networks.
In the Hexadecimal Numbering System, some letters represent numbers because in the hex system (base 16), there must be 16 unique symbols for each position. Because 10 symbols (0 through 9) already exist, there must be six new symbols for the hex system. Hence, A through F are used.
Note: Use the Windows calculator in Windows 8 to work with hex and binary. Open the calculator, click the View menu, and then click Programmer. Type 16, and then click Hex. The calculator will display 10. This aspect of hexadecimal can be complex. After reaching hex 9, the next number is hex A (decimal 10), and then B (decimal 11) up to F (decimal 15). Notice in the calculator that in hex mode, the buttons A through F appear along the left of the number pad. In Hex mode, click F, and then click Dec. The result is decimal 15.
To convert an IPv6 binary address that is 128 bits in length, break it into eight groups of 16 bits. Convert each of these eight groups into four hex characters. For each of the 16 bits, evaluate four bits at a time to derive each hex number. You should number each set of four binary numbers 1, 2, 4, and 8, starting from the right and moving left. The first bit [0010] is assigned the value of 1, the second bit [0010] is assigned the value of 2, the third bit [0010] is assigned the value of 4, and finally, the fourth [0010] bit is assigned the value of 8. To derive the hexadecimal value for this section of four bits, add up the values that are assigned to each bit where the bits are set to 1. In the example of 0010, the only bit that is set to 1 is the bit assigned the 2 value. The rest are set to zero. The hex value of these bits is 2.

Binary | 0 | 0 | 1 | 0
Values of each binary position | 8 | 4 | 2 | 1
Adding values where the bit = 1 | 0 + 0 + 2 + 0 = 2
The following example is a single IPv6 address in binary form. Note that the binary representation of the IP address is quite long. The following two lines of binary numbers is one IP address:
0010000000000001000011011011100000000000000000000010111100111011 0000001010101010000000001111111111111110001010001001110001011010
The 128-bit address is divided along 16-bit boundaries (eight blocks of 16 bits), as the example shows:
0010000000000001 0000110110111000 0000000000000000 0010111100111011 0000001010101010 0000000011111111 1111111000101000 1001110001011010
Each boundary is further broken into sets of four bits. Applying the methodology as previously described, convert the IPv6 address. The following table shows the binary and corresponding hexadecimal values for each set of four bits:

Binary | Hexadecimal
[0010][0000][0000][0001] | [2][0][0][1]
[0000][1101][1011][1000] | [0][D][B][8]
[0000][0000][0000][0000] | [0][0][0][0]
[0010][1111][0011][1011] | [2][F][3][B]
[0000][0010][1010][1010] | [0][2][A][A]
[0000][0000][1111][1111] | [0][0][F][F]
[1111][1110][0010][1000] | [F][E][2][8]
[1001][1100][0101][1010] | [9][C][5][A]
Each 16-bit block is expressed as four hex characters, and is then delimited with colons. The result is as follows:
2001:0DB8:0000:2F3B:02AA:00FF:FE28:9C5A
You can simplify IPv6 representation further by removing the leading zeros within each 16-bit block. However, each block must have at least a single digit. With leading zero suppression, the address representation becomes the following:
2001:DB8:0:2F3B:2AA:FF:FE28:9C5A
Compressing Zeros
When multiple contiguous zero blocks occur, you can compress these, and then represent them in the address as a double-colon (::). This simplifies the IPv6 notation. The computer recognizes ::, and substitutes it with the number of blocks necessary to make the appropriate IPv6 address. In the following example, the address is expressed using zero compression:
2001:DB8::2F3B:2AA:FF:FE28:9C5A
To determine how many 0 bits are represented by the ::, you can count the number of blocks in the compressed address, subtract this number from eight, and then multiply the result by 16. Using the previous example, there are seven blocks. Subtract seven from eight, and then multiply the result (one) by 16. Thus, there are 16 bits or 16 zeros in the address where the double colon is located.
You can use zero compression only once in a given address. Otherwise, you cannot determine the number of 0 bits represented by each instance of a double-colon (::). To convert an address into binary, use the reverse of the method described previously:
1. Add in zeros using zero compression.
2. Add leading zeros.
3. Convert each hex number into its binary equivalent.
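The whole conversion procedure described from the binary-to-hex steps through zero suppression, zero compression and the reverse expansion can be carried out in a few functions. The following Python is an added example, not course material: it applies the 8-4-2-1 weighting to each group of four bits, strips leading zeros, compresses the longest run of zero blocks into a single :: (as the course example does, even for one block), counts the zero bits the :: stands for, and expands a compressed address back to binary. The 128-bit input is the address from the text.

```python
"""Added example: IPv6 binary <-> hexadecimal conversion, zero suppression and
zero compression, following the steps in the text. Not course code."""
import ipaddress

# The course's 128-bit example, written as eight 16-bit blocks.
PAGE_BINARY = (
    "0010000000000001" "0000110110111000" "0000000000000000" "0010111100111011"
    "0000001010101010" "0000000011111111" "1111111000101000" "1001110001011010"
)


def binary_to_blocks(bits: str) -> list:
    """Split a 128-character binary string into eight 16-bit blocks."""
    bits = bits.replace(" ", "")
    if len(bits) != 128 or set(bits) - {"0", "1"}:
        raise ValueError("expected 128 binary digits")
    return [bits[i:i + 16] for i in range(0, 128, 16)]


def nibble_to_hex(nibble: str) -> str:
    """Apply the 8-4-2-1 weighting from the text to four bits: '0010' -> '2'."""
    value = sum(w for bit, w in zip(nibble, (8, 4, 2, 1)) if bit == "1")
    return "0123456789ABCDEF"[value]


def binary_to_full_hex(bits: str) -> str:
    """Full form with leading zeros, e.g. 2001:0DB8:0000:2F3B:02AA:00FF:FE28:9C5A."""
    blocks = binary_to_blocks(bits)
    return ":".join("".join(nibble_to_hex(b[i:i + 4]) for i in range(0, 16, 4)) for b in blocks)


def suppress_leading_zeros(addr: str) -> str:
    """Drop leading zeros in each block but keep at least one digit."""
    return ":".join(b.lstrip("0") or "0" for b in addr.split(":"))


def compress_zeros(addr: str) -> str:
    """Replace the longest run of zero blocks with '::' (once only)."""
    blocks = suppress_leading_zeros(addr).split(":")
    best_start, best_len, i = -1, 0, 0
    while i < len(blocks):
        if blocks[i] != "0":
            i += 1
            continue
        j = i
        while j < len(blocks) and blocks[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len == 0:
        return ":".join(blocks)
    return ":".join(blocks[:best_start]) + "::" + ":".join(blocks[best_start + best_len:])


def zero_bits_in_double_colon(addr: str) -> int:
    """The text's rule: (8 - number of blocks present) * 16."""
    present = [b for b in addr.replace("::", ":").split(":") if b]
    return (8 - len(present)) * 16


def expand(addr: str) -> str:
    """Reverse steps 1 and 2: undo '::', then restore leading zeros."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once in an address")
    if "::" in addr:
        left, right = addr.split("::")
        lb = left.split(":") if left else []
        rb = right.split(":") if right else []
        blocks = lb + ["0"] * (8 - len(lb) - len(rb)) + rb
    else:
        blocks = addr.split(":")
    if len(blocks) != 8:
        raise ValueError("expected eight 16-bit blocks")
    return ":".join(b.upper().zfill(4) for b in blocks)


def hex_to_binary(addr: str) -> str:
    """Reverse step 3: each expanded block to its 16-bit binary equivalent."""
    return "".join(format(int(b, 16), "016b") for b in expand(addr).split(":"))
```

The stdlib follows RFC 5952 and leaves a single zero block uncompressed (2001:db8:0:2f3b:2aa:ff:fe28:9c5a), whereas the course example writes 2001:DB8::2F3B:2AA:FF:FE28:9C5A; both are valid spellings of the same address, which ipaddress.IPv6Address confirms.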
Global Unicast Addresses: These are equivalent to public IPv4 addresses. They are globally routable and reachable on the IPv6 portion of the Internet. The fields in the global unicast address are:
- Fixed portion set to 001: The three high-order bits are set to 001. The address prefix for currently assigned global addresses is 2000::/3. Therefore, all global unicast addresses begin with 2 or 3.
- Global Routing Prefix: This indicates the global routing prefix for a specific organization's site. The combination of the three fixed bits and the 45-bit Global Routing Prefix is used to create a 48-bit site prefix, which is assigned to an organization's individual site. Once the assignment occurs, routers on the IPv6 Internet forward IPv6 traffic that matches the 48-bit prefix to the organization's site routers.
- Subnet ID: Use this within an organization's site to identify subnets. This field's size is 16 bits. The organization's site can use these 16 bits within its site to create 65,536 subnets or multiple levels of addressing hierarchy and an efficient routing infrastructure.
- Interface ID: Indicates the interface on a specific subnet within the site. This field's size is 64 bits. This is either randomly generated or assigned by DHCPv6. In the past, it was based on the MAC address of the network interface card to which the address was bound.
Link-Local Addresses: Hosts use link-local addresses when communicating with neighboring hosts on the same link. For example, on a single-link IPv6 network with no router, hosts communicate by using link-local addresses. Link-local addresses are local-use unicast addresses with the following properties:
- Link-local addresses are used between on-link neighbors and for Neighbor Discovery processes. This enables a computer to request further IPv6 configuration information from IPv6 routers and IPv6 DHCP servers.
- Link-local is the equivalent to Automatic Private IP Addressing (APIPA) addresses in IPv4.
Link-local addresses always begin with FE8. With the 64-bit interface identifier, the prefix for link-local addresses is always FE80::/64. An IPv6 router never forwards link-local traffic beyond the link.
IPv6 link-local addresses are equivalent to IPv4 APIPA addresses. When a DHCP server fails, APIPA allocates addresses in the private range 169.254.0.1 to 169.254.255.254. Clients verify that their address is unique on the LAN by using ARP. When the DHCP server is able to service requests, clients update their addresses automatically. Other characteristics of link-local addresses include: Link-local addresses always begin with FE80. An APIPA address is assigned automatically to an IPv4 host. Use of this address restricts communication to the local subnet, and typically it is used when other suitable addresses are not available.
Unique local unicast addresses: Unique local addresses provide an equivalent to the private IPv4 address space for organizations, without the overlap in address space when organizations combine. The first seven bits have the fixed binary value of 1111110. All unique local addresses have the address prefix FC00::/7. The Local (L) flag is set to 1 to indicate a local address. The L flag value set to 0 has not yet been defined. Therefore, unique local addresses with the L flag set to 1 have the address prefix of FD00::/8. The next 40 bits must be randomly assigned to give the resulting 48-bit unique local prefix relative uniqueness between organizations.
Multicast: An IPv6 multicast is equivalent to an IPv4 multicast address. You use this address type for one-to-many communication between computers that you define as using the same multicast address.
Anycast: An anycast address is an IPv6 unicast address that is assigned to multiple computers. When IPv6 communication is addressed to an anycast address, only the closest host responds. You typically use this address type for locating services or the nearest router.
In IPv4, you typically assign a single host with a single unicast address. However, in IPv6, you can assign multiple unicast addresses to each host. To verify communication processes on a network, you must know for what purposes IPv6 uses each of these addresses.
Interface Identifiers
The last 64 bits of an IPv6 address are the interface identifier. This is equivalent to the host ID in an IPv4 address. Each interface on an IPv6 network must have a unique interface identifier. Because the interface identifier is unique to each interface, IPv6 uses the interface identifier rather than MAC addresses to identify hosts uniquely.
The Windows 8 environment uses Extended Unique Identifier (EUI)-64 addresses, which the Institute of Electrical and Electronics Engineers, Inc. (IEEE) defines. Gigabit adapters use an EUI-64 address in place of a MAC address. Network adapters using a MAC address generate an EUI-64 address by padding the 48-bit MAC address with additional information. To preserve privacy in network communication, generate an interface identifier rather than use the network adapter's hardware address. To assign an interface identifier, IPv6 hosts can use the following:
A randomly generated temporary identifier.
A randomly generated permanent identifier.
A manually assigned identifier.
Windows 8 uses randomly generated permanent interface identifiers by default, but you can disable this with the netsh tool.
Additional Reading: For more information on IPv6 address types, go to http://go.microsoft.com/fwlink/?LinkId=154445.
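The prefix rules for the address types above, the field layout of a global unicast address, and the EUI-64 interface identifier derivation can be checked with a short script. This is an added example for this lesson, not course code; the sample address, MAC address and prefix names are constructed for illustration, and the last function shows why a MAC-derived identifier discloses the adapter's hardware address.

```python
import ipaddress

# Constructed sample values for this example (not from the course text).
SAMPLE_GLOBAL = "2001:db8:abcd:1234::1"
SAMPLE_MAC = "00:1B:44:11:3A:B7"


def classify_ipv6(text):
    """Name the address type using the prefix rules given in the lesson."""
    addr = ipaddress.IPv6Address(text)
    if addr in ipaddress.IPv6Network("ff00::/8"):
        return "multicast"
    if addr in ipaddress.IPv6Network("fe80::/10"):
        # The lesson describes these as FE80::/64 (the prefix plus a 64-bit identifier).
        return "link-local"
    if addr in ipaddress.IPv6Network("fc00::/7"):
        # Bit 8 is the L flag: 1 (FD00::/8) means locally assigned; 0 is not defined.
        if addr in ipaddress.IPv6Network("fd00::/8"):
            return "unique-local"
        return "unique-local (L flag 0, not defined)"
    if addr in ipaddress.IPv6Network("2000::/3"):
        return "global-unicast"
    return "other"


def global_unicast_fields(text):
    """Split a global unicast address into the fields listed in the lesson."""
    n = int(ipaddress.IPv6Address(text))
    return {
        "fixed_bits": n >> 125,                                  # 3 bits, expected 0b001
        "global_routing_prefix": (n >> 80) & ((1 << 45) - 1),    # 45 bits
        "site_prefix": str(ipaddress.IPv6Network((n & ~((1 << 80) - 1), 48))),
        "subnet_id": (n >> 64) & 0xFFFF,                         # 16 bits
        "interface_id": n & ((1 << 64) - 1),                     # 64 bits
    }


def modified_eui64(mac):
    """Derive a 64-bit interface identifier from a 48-bit MAC (EUI-64 method).

    The MAC is split in half, FF-FE is inserted in the middle, and the
    universal/local bit (bit 1 of the first octet) is inverted.
    """
    octets = bytearray(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    octets[0] ^= 0x02
    iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return int.from_bytes(iid, "big")


def link_local_from_mac(mac):
    """Build the FE80::/64 link-local address a host would derive from its MAC."""
    return ipaddress.IPv6Address((0xFE80 << 112) | modified_eui64(mac))


def mac_from_interface_id(iid):
    """Recover the MAC from an EUI-64 interface identifier, or None if it was not
    derived that way. This is the disclosure that random identifiers avoid."""
    raw = bytearray(iid.to_bytes(8, "big"))
    if raw[3:5] != b"\xff\xfe":
        return None
    raw[0] ^= 0x02
    return ":".join(f"{b:02X}" for b in raw[:3] + raw[5:])


if __name__ == "__main__":
    for a in (SAMPLE_GLOBAL, "fe80::1", "fd12:3456:789a::1", "ff02::1"):
        print(a, "->", classify_ipv6(a))
    print(global_unicast_fields(SAMPLE_GLOBAL))
    ll = link_local_from_mac(SAMPLE_MAC)
    print(SAMPLE_MAC, "->", ll, "->", mac_from_interface_id(int(ll) & ((1 << 64) - 1)))
```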
As with IPv4, you can configure Windows 8 IPv6 settings by using the Network and Sharing Center, Netsh, or Windows PowerShell.
This demonstration shows how to configure an IPv6 address manually using Network and Sharing Center.
1. If necessary, log on to the computer as administrator, and then open a command prompt.
2. View the current IPv6 configuration by using the IPConfig.exe /all command. This displays all network connections for the computer. Notice that a link-local IPv6 address has been assigned.
3. In Network and Sharing Center, view the Local Area Connection properties, and then view the IPv6 settings for the selected network connection. You can configure the IPv6 address, subnet prefix length, default gateway, and DNS servers in this window.
4. View the Advanced settings, and then close the open windows.
Question: Do you typically assign IPv6 addresses manually to a computer?
Lesson 3
Static configuration requires that you visit each computer and input the IPv4 configuration. This method of computer management is time-consuming if your network has more than 10 to 12 computers. Additionally, making a large number of manual configurations heightens the risk of mistakes.
DHCPv4
DHCPv4 enables you to assign automatic IPv4 configurations for large numbers of computers without having to assign each one individually. The DHCP service receives requests for IPv4 configuration from computers that you configure to obtain an IPv4 address automatically. It also assigns IPv4 information from scopes that you define for each of your network's subnets. The DHCP service identifies the subnet from which the request originated, and assigns IP configuration from the relevant scope. DHCP helps to simplify the IP configuration process, but you must be aware that if you use DHCP to assign IPv4 information and the service is business-critical, you must do the following:
Include resilience in your DHCP service design so that the failure of a single server does not prevent the service from functioning.
Configure the scopes on the DHCP server carefully. If you make a mistake, it can affect the whole network, and it can prevent communication.
When you configure Windows 8 computers to obtain an IPv4 address from DHCP, use the Alternate Configuration tab to control the behavior if a DHCP server is not available. By default, Windows 8 uses APIPA to assign itself an IP address automatically from the 169.254.0.0 to 169.254.255.255 address range. This enables you to use a DHCP server at work and the APIPA address range at home without reconfiguring IP settings. Additionally, this is useful for troubleshooting DHCP. If the computer has an address from the APIPA range, it is an indication that the computer cannot communicate with a DHCP server.
Tentative: Verification is occurring to determine if the address is unique. Duplicate address detection performs verification. A node cannot receive unicast traffic to a tentative address.
Valid: The address has been verified as unique, and can send and receive unicast traffic.
Preferred: The address enables a node to send and receive unicast traffic.
Deprecated: The address is valid but its use is discouraged for new communication.
Invalid: The address no longer allows a node to send or receive unicast traffic.
A host also uses a stateful address configuration protocol when there are no routers present on the local link.
Both: Configuration is based on receipt of Router Advertisement messages and DHCPv6.
When IPv6 attempts to communicate with a DHCP server, it uses multicast IPv6 addresses to communicate with the DHCP server. This is different from IPv4, which uses broadcast IPv4 addresses. When a host obtains an IPv6 address from a DHCPv6 server, the following occurs:
1. The client sends a Solicit message to locate DHCPv6 servers.
2. The server sends an Advertise message to indicate that it offers IPv6 addresses and configuration options.
3. The client sends a Request message to a specific DHCPv6 server to request configuration information.
4. The selected server sends a Reply message to the client that contains the address and configuration settings.
When a client requests configuration information only, the following occurs:
1. The client sends an Information-request message.
2. A DHCPv6 server sends a Reply message to the client with the requested configuration settings.
Note: DHCPv6 is a service that provides stateful auto-configuration of IPv6 hosts. It can configure IPv6 hosts automatically with an IPv6 address and other configuration information such as DNS servers. This is equivalent to DHCPv4 for IPv4 networks.
Open the Local Area Connection properties, and then view the IPv4 settings for the selected network connection. Modify the connection to obtain an IPv4 configuration automatically. Verify these changes.
/all: This option displays all IP address configuration information. If the computer uses DHCP, verify the DHCP Server option in the output. This indicates the server from which the client is attempting to obtain an address. Also, verify the Lease Obtained and Lease Expires values to determine when the client last obtained an address.
/release: It sometimes is necessary to force the computer to release an IP address.
/renew: This option forces the client computer to renew its DHCP lease. This is useful when you think that the DHCP-related issue is resolved, and you want to obtain a new lease without restarting the computer.
/release6: The IPv6 version of the /release command.
/renew6: The IPv6 version of the /renew command.
Note: You can use the IPConfig /release6 and /renew6 options to perform these same tasks on IPv6-configured computers.
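The checks the lesson applies to IPConfig /all output (is the address APIPA, is DHCP enabled, which server issued the lease, has it expired) can be automated over the captured text. This is an added example, not course code; the two ipconfig samples are constructed in the Windows output format, and continuation lines with extra DNS servers are not parsed.

```python
import ipaddress
import re
from datetime import datetime

# Constructed samples of "ipconfig /all" output (not captured from a real host).
SAMPLE_DHCP = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : LON-CL1
   Primary Dns Suffix  . . . . . . . : Adatum.com

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : Adatum.com
   Physical Address. . . . . . . . . : 00-15-5D-01-02-03
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::21b:44ff:fe11:3ab7%12(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.10.0.50(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Lease Obtained. . . . . . . . . . : Tuesday, March 6, 2012 9:15:02 AM
   Lease Expires . . . . . . . . . . : Wednesday, March 14, 2012 9:15:02 AM
   Default Gateway . . . . . . . . . : 10.10.0.1
   DHCP Server . . . . . . . . . . . : 10.10.0.10
   DNS Servers . . . . . . . . . . . : 10.10.0.10
"""

SAMPLE_APIPA = """\
Ethernet adapter Local Area Connection:

   Physical Address. . . . . . . . . : 00-15-5D-01-02-03
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Autoconfiguration IPv4 Address. . : 169.254.16.17(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :
"""

FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 ()\-]*?)[ .]*:\s*(.*)$")
LEASE_FORMAT = "%A, %B %d, %Y %I:%M:%S %p"     # as printed by ipconfig


def parse_ipconfig(text):
    """Return {adapter heading: {field: value}} from ipconfig /all output."""
    adapters, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.endswith(":"):
            current = line[:-1]             # e.g. "Ethernet adapter Local Area Connection"
            adapters[current] = {}
        elif current is not None:
            m = FIELD_RE.match(line)
            if m:
                adapters[current][m.group(1).strip()] = m.group(2).strip()
    return adapters


def diagnose_dhcp(fields, now):
    """Apply the lesson's checks to one adapter and name its state and next action."""
    raw = fields.get("IPv4 Address") or fields.get("Autoconfiguration IPv4 Address")
    if not raw or raw.startswith("0.0.0.0"):
        return {"state": "no-address",
                "action": "check cables and adapter, then ping the DHCP server from another host"}
    addr = ipaddress.IPv4Address(raw.split("(")[0])
    if addr in ipaddress.IPv4Network("169.254.0.0/16"):
        return {"state": "apipa",
                "action": "client could not reach a DHCP server; run ipconfig /release, then /renew"}
    if fields.get("DHCP Enabled") != "Yes":
        return {"state": "static", "action": "verify the manually entered settings"}
    expires = datetime.strptime(fields["Lease Expires"], LEASE_FORMAT)
    if now > expires:
        return {"state": "lease-expired", "action": "run ipconfig /renew"}
    return {"state": "dhcp-ok", "server": fields.get("DHCP Server"),
            "lease_expires": expires, "action": "none"}


if __name__ == "__main__":
    check_time = datetime(2012, 3, 10, 12, 0, 0)   # constructed "now"
    for sample in (SAMPLE_DHCP, SAMPLE_APIPA):
        for name, fields in parse_ipconfig(sample).items():
            print(name, "->", diagnose_dhcp(fields, check_time))
```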
The following are some troubleshooting examples.
Problem: The DHCP client does not have an IP address configured or indicates that its IP address is 0.0.0.0.
Solution: Verify that the client computer has a valid functioning network connection. First, check that related client hardware (cables and network adapters) is working properly at the client end, using basic network and hardware troubleshooting steps. If the client hardware appears to be prepared and functioning properly, check that the DHCP server is available on the network by pinging it from another computer on the same network as the affected DHCP client.
Problem: The DHCP client appears to have automatically assigned itself an IP address that is incorrect for the current network.
Solution: First, use the ping command to test connectivity from the client to the server. Your next step is to either verify or manually attempt to renew the client lease. Depending on your network requirements, it might be necessary to disable IP autoconfiguration at the client. You can learn more about IP autoconfiguration and how it works prior to making this decision.
Problem: The DHCP client appears to be missing some network configuration details or is unable to perform related tasks, such as resolving names.
Solution: For Microsoft DHCP clients, verify that the most commonly used and supported options have been configured at the server, scope, client, or class level of options assignment.
Problem: The DHCP client appears to have incorrect or incomplete options, such as an incorrect or missing router (default gateway) configured for the subnet on which it is located.
Solution: Change the IP address list for the router (default gateway) option at the applicable DHCP scope and server. If you are configuring the router option as a Server Option at the affected DHCP server, remove it there and set the correct value in the Scope Options node for the applicable DHCP scope that services the client. In rare instances, you might have to configure the DHCP client to use a specialized list of routers different from other scope clients. In such cases, you can add a reservation, and then configure the router option list specifically for the reserved client.
Problem: Many DHCP clients are unable to get IP addresses from the DHCP server.
Solution: A DHCP server can only service requests for a scope that has a network ID that is the same as the network ID of its IP address. Completing the following steps might correct this problem:
1. Configure a BOOTP/DHCP Relay Agent on the client subnet (that is, the same physical network segment). The relay agent can be located on the router itself; on a computer that is running Windows NT Server and the DHCP Relay Agent component; on a computer that is running Windows 2000 Server with the Routing and Remote Access service enabled and configured as a DHCP Relay Agent; or on a computer that is running a Windows Server 2003 operating system with the Routing and Remote Access service enabled and configured as a DHCP Relay Agent.
2. At the DHCP server, do the following:
o Configure a scope to match the network address on the other side of the router where the affected clients are located.
o In the scope, make sure that the subnet mask is correct for the remote subnet.
o Use a default gateway on the network connection of the DHCP server in such a way that it is not using the same IP address as the router that supports the remote subnet where the clients are located.
o Do not include this scope, which is the one for the remote subnet, in superscopes configured for use on the same local subnet or segment where the DHCP server resides.
o Make sure there is only one logical route between the DHCP server and the remote subnet clients.
Problem: Many DHCP clients are unable to get IP addresses from the DHCP server.
Solution: Ensure that you do not configure multiple DHCP servers on the same LAN with overlapping scopes. You might want to rule out the possibility that one of the DHCP servers in question is a computer that is running Small Business Server. On a computer that is running Small Business Server, the DHCP Server service automatically stops when it detects another DHCP server on the LAN.
Problem: The DHCP client appears to be affected by another problem not described previously.
Solution: Search the Microsoft Web site for updated technical information that might relate to the problem you have observed. If necessary, you can obtain information and instructions that pertain to your current problem or issue.
Reference Links: See also:
Test a TCP/IP configuration by using the ping command: http://go.microsoft.com/fwlink/?LinkId=154455
Verify, release, or renew a client address lease: http://go.microsoft.com/fwlink/?LinkId=154456
Configure TCP/IP for automatic addressing: http://go.microsoft.com/fwlink/?LinkId=154457
Disable automatic address configuration: http://go.microsoft.com/fwlink/?LinkId=154458
Manage options and classes: http://go.microsoft.com/fwlink/?LinkId=154459
Assigning options: http://go.microsoft.com/fwlink/?LinkId=154460
DHCP Best Practices: http://go.microsoft.com/fwlink/?LinkId=154465
Using superscopes: http://go.microsoft.com/fwlink/?LinkId=154466
Configuring scopes: http://go.microsoft.com/fwlink/?LinkId=154467
Objectives
Modify the IPv4 settings for a LAN connection.
Configure a LAN connection to use DHCP.
Lab Setup
Estimated Time: 30 minutes
Virtual Machine(s): 20687A-LON-DC1, 20687A-LON-CL1
User Name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect.
4. Wait until the virtual machine starts.
5. Log on using the following credentials:
o User name: Adatum\Administrator
o Password: Pa$$w0rd
Results: After this exercise, you will have configured LON-CL1 to obtain an IPv4 configuration automatically from a DHCP server.
At the command prompt, run the following commands:
o IPConfig /release
o IPConfig /renew
o IPConfig /all
What is the current IPv4 address?
What is the subnet mask?
To which IPv4 network does this host belong?
What kind of address is this?
Results: After this exercise, you will have tested various scenarios for dynamic IP address assignment, and then configured a static IP address.
Lesson 4
Computers can communicate over a network by using a name in place of an IP address. Name resolution is used to find an IP address that corresponds to a name, such as a host name. This lesson focuses on different types of computer names and the methods to resolve them.
A host name is a user-friendly name that is associated with a host's IP address and identifies it as a TCP/IP host. A host name can be no more than 255 characters in length, and must contain alphanumeric characters, periods, and hyphens. A host name is an alias or a fully qualified domain name (FQDN). An alias is a single name associated with an IP address. The host name combines an alias with a domain name to create the FQDN.
The elements of the name include periods as separators. Applications use the structured FQDN on the Internet. An example of an FQDN is payroll.contoso.com.
Applications use the 16-character NetBIOS name to identify a NetBIOS resource on a network. A NetBIOS name represents a single computer or a group of computers. NetBIOS uses the first 15 characters for a specific computer name and the final sixteenth character to identify a resource or service on that computer. An example of a NetBIOS name is NYC-SVR2[20h].
Windows supports a number of different methods for resolving computer names, such as DNS, WINS, and the host name resolution process.
WINS provides a centralized database for registering dynamic mappings of a network's NetBIOS names. Support is retained for WINS to provide backward compatibility. In addition to using WINS, you can resolve NetBIOS names by using the following:
Broadcast messages. Broadcast messages do not work well on large networks because routers do not propagate broadcasts.
Lmhosts file on all computers. Using an Lmhosts file for NetBIOS name resolution is a high-maintenance solution because you must maintain the file manually on all computers.
When an application specifies a host name and uses Windows Sockets, TCP/IP uses the DNS resolver cache, DNS, and Link-Local Multicast Name Resolution (LLMNR) when it attempts to resolve the host name. The hosts file is loaded into the DNS resolver cache. If NetBIOS over TCP/IP is enabled, TCP/IP also uses NetBIOS name resolution methods when resolving single-label, unqualified host names. Windows resolves host names by performing the following actions:
1. Checking whether the host name is the same as the local host name.
2. Searching the DNS resolver cache.
3. Searching the Hosts file.
4. Sending a DNS request to its configured DNS servers.
Windows resolves host names that are single-label, unqualified names by performing the following actions:
1. Using LLMNR on the local subnet.
Note: LLMNR enables hosts in a network to resolve one another's computer names without using a name server and without relying on broadcasting.
2. Converting the host name to a NetBIOS name and checking the local NetBIOS name cache.
3. Sending a DNS request to its configured WINS servers.
4. Broadcasting as many as three NetBIOS Name Query Request messages on the subnet that is directly attached.
5. Searching the Lmhosts file.
Note: You can exert control over the precise order used to resolve names. For example, if you disable NetBIOS over TCP/IP, none of the NetBIOS name-resolution methods are attempted. Alternatively, you can modify the NetBIOS node type, which results in a change to the precise order in which the NetBIOS name resolution methods are attempted.
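The resolution order above, including the extra methods for single-label names and the effect of disabling NetBIOS over TCP/IP, can be modelled with a lookup function that walks the sources in that order and reports which one answered. This is an added example for this lesson, not course code; the caches, files and servers are constructed dictionaries, and the primary DNS suffix used to qualify single-label names is an assumed client setting, not something the lesson states.

```python
# Constructed name sources standing in for the real caches, files and servers.
LOCAL_HOST_NAME = "LON-CL1"
LOCAL_IPV4 = "10.10.0.50"
PRIMARY_DNS_SUFFIX = "adatum.com"       # assumed client setting (not from the lesson)
DNS_RESOLVER_CACHE = {"lon-dc1.adatum.com": "10.10.0.10"}   # a previously resolved name
HOSTS_FILE = {"intranet.adatum.com": "10.10.0.40"}          # in practice preloaded into the cache
DNS_SERVER = {"lon-dc1.adatum.com": "10.10.0.10",
              "intranet.adatum.com": "10.10.0.40",
              "payroll.contoso.com": "192.0.2.7"}
LLMNR_PEERS = {"lon-cl2": "10.10.0.51"}
NETBIOS_CACHE = {"NYC-SVR2": "10.10.0.20"}
WINS_SERVER = {"LON-SVR1": "10.10.0.30"}
BROADCAST_REPLIES = {"OLDPRINTER": "10.10.0.99"}
LMHOSTS_FILE = {"LEGACY01": "10.10.0.100"}

DNS_METHODS = ("DNS resolver cache", "Hosts file", "DNS server")


def resolve(name, netbios_enabled=True):
    """Walk the lesson's resolution order; return (address, method) or (None, None)."""
    key = name.lower()
    if key == LOCAL_HOST_NAME.lower():          # step 1: is it my own name?
        return LOCAL_IPV4, "local host name"
    candidates = [key]
    if "." not in key:                          # single-label: also try it qualified
        candidates.append(f"{key}.{PRIMARY_DNS_SUFFIX}")
    for method, table in zip(DNS_METHODS, (DNS_RESOLVER_CACHE, HOSTS_FILE, DNS_SERVER)):
        for candidate in candidates:            # steps 2-4
            if candidate in table:
                return table[candidate], method
    if "." in key:
        return None, None                       # qualified names stop at DNS
    if key in LLMNR_PEERS:                      # single-label step 1: LLMNR
        return LLMNR_PEERS[key], "LLMNR"
    if not netbios_enabled:                     # NetBT disabled: no NetBIOS methods at all
        return None, None
    netbios_name = name.upper()[:15]            # NetBIOS computer names are 15 characters
    for method, table in (("NetBIOS name cache", NETBIOS_CACHE),
                          ("WINS server", WINS_SERVER),
                          ("NetBIOS broadcast", BROADCAST_REPLIES),
                          ("Lmhosts file", LMHOSTS_FILE)):
        if netbios_name in table:               # single-label steps 2-5
            return table[netbios_name], method
    return None, None


def resolved_via_dns(method):
    """True when DNS answered; names answered by WINS or broadcast may break DNS-only apps."""
    return method in DNS_METHODS


if __name__ == "__main__":
    for n in ("LON-CL1", "lon-dc1", "intranet.adatum.com", "payroll.contoso.com",
              "lon-cl2", "nyc-svr2", "legacy01"):
        addr, method = resolve(n)
        print(f"{n:22} -> {addr} via {method} (DNS: {resolved_via_dns(method)})")
    print("legacy01 with NetBT disabled ->", resolve("legacy01", netbios_enabled=False))
```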
GlobalNames Zone
The GlobalNames Zone (GNZ) is a feature of Windows Server 2008. The GNZ provides single-label name resolution for large enterprise networks that do not deploy WINS. Some networks might require the ability to resolve static, global records with single-label names that WINS currently provides. These single-label names refer to well-known and widely used servers with statically assigned IP addresses. A GNZ is manually created and is not available for dynamic registration of records. GNZ is intended to help your customers migrate to DNS for all name resolution. The DNS Server role in Windows Server 2008 supports the GNZ feature. GNZ is intended to assist in the migration from WINS. However, it is not a replacement for WINS. GNZ is not intended to support the single-label name resolution of records that are registered in WINS dynamically and those that typically are not managed by IT administrators. Support for these dynamically registered records is not scalable, especially for larger customers with multiple domains and/or forests. The recommended GNZ deployment is by using an AD DS-integrated zone, named GlobalNames, which is distributed globally.
Instead of using GNZ, you can choose to configure DNS and WINS integration. Do this by configuring the DNS zone properties to perform WINS-lookups for NetBIOS-compliant names. The advantage of this approach is that you can configure client computers to only use a single name service, DNS, and still be able to resolve NetBIOS-compliant names. Additional Reading: To read more about understanding DNS client settings on TechNet, go to http://go.microsoft.com/fwlink/?LinkId=154441.
Lesson 5
The tools and utilities included in this lesson help IT professionals better manage computers and troubleshoot problems, enabling them to keep users productive while working to reduce costs, maintain compliance, and improve operational efficiency.
Event logs are files that record significant events on a computer, such as when a process encounters an error. IP conflicts will be reflected in the system log and might prevent services from starting. When these events occur, Windows records the event in an appropriate event log. You can use Event Viewer to read the log. When you troubleshoot errors on Windows 8, view the events in the Event Logs to determine the cause of the problem. Event Viewer enables you to access the Application, Security, Setup, and System logs under the Windows Logs node. When you select a log and then select an event, a preview pane under the event list contains details of the specified event. To help diagnose network problems, look for errors or warnings in the System log related to network services.
IPConfig
IPConfig displays the current TCP/IP network configuration. Additionally, you can use IPConfig to refresh DHCP and DNS settings, as discussed in the previous Windows Network Diagnostics topic. For example, you might need to flush the DNS cache.
Ping
Ping verifies IP-level connectivity to another TCP/IP computer. Ping sends Internet Control Message Protocol (ICMP) Echo Request messages and displays the receipt of corresponding Echo Reply messages. Ping is the primary TCP/IP command used to troubleshoot connectivity. However, firewalls might block the ICMP requests.
Tracert
Tracert determines the path taken to a destination computer by sending ICMP Echo Requests. The path displayed is the list of router interfaces between a source and a destination. This tool also determines which router has failed and what the latency, or speed, is. These results may not be accurate if the router is busy as the router assigns the packets a low priority.
Pathping
Pathping traces a route through the network in a manner similar to Tracert. However, Pathping provides more detailed statistics on the individual steps, or hops, through the network. Pathping can provide greater detail because it sends 100 packets for each router, which enables it to establish trends.
Nslookup
Nslookup displays information that you can use to diagnose the DNS infrastructure. You can use Nslookup to confirm connection to the DNS server and that the required records exist.
Unified Tracing
The unified tracing feature is intended to help you simplify the process of gathering relevant data to assist in troubleshooting and debugging network connectivity problems. Data is collected across all layers of the networking stack, and then grouped into activities across the following individual components:
Configuration information
State information
Event or Trace Logs
Network traffic packets
Windows Network Diagnostics either completes the solution automatically or requires that the user perform steps to resolve the problem. These steps may require the user to complete several configuration changes to the computer. In many cases, this capability may resolve network problems without the user requiring additional support.
If Windows Network Diagnostics cannot fix the problem, you may need to use additional diagnostic tools.
If the subnet mask is incorrect, the computer has an incorrect network ID, and therefore, transmission fails, especially to remote subnets. If the default gateway is incorrect or missing, the computer cannot transmit data with remote subnets. If the DNS server is incorrect or missing, the computer might not be able to resolve names and communication can fail.
The Ping utility confirms two-way communication between two computers. This means that if the Ping utility fails, the local computer's configuration may not be the cause of the problem. Use Ping to ensure transmission using a logical process, such as:
1. Ping the remote computer.
2. Ping the local gateway.
3. Ping the local IP address.
4. Ping the loopback address 127.0.0.1.
When using the Ping utility, remember: You can ping both the name and the computer's IP address. If you successfully ping the IP address, but not the name, name resolution is failing. If you successfully ping the computer name, but the response does not resolve the FQDN, resolution has not used DNS. This means a process such as broadcasts or WINS has been used to resolve the name, and applications that require DNS may fail.
Request Timed Out indicates that there is a known route to the destination computer, but one or more computers or routers along the path, including the source and destination, are not configured correctly.
Destination Host Unreachable indicates that the system cannot find a route to the destination system, and therefore, does not know where to transmit the packet on the next hop. Ping can be blocked by a firewall on the network or at a Windows computer.
You can use Tracert to identify each hop between the source and destination systems. If communication fails, use Tracert to identify how many hops are successful and at which hop system communication fails.
Nslookup enables you to ensure that the DNS server is available and contains a record for the computer with which you are attempting to transmit data. This functionality is vital because even if the computer is available, if DNS is not working correctly, you might not be able to transmit using names. If you suspect that name resolution is the problem, add an entry to the hosts file and then retest name resolution. You must purge the host-name resolution cache by using IPConfig /flushdns before rerunning the name-resolution test.
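The Ping ladder (remote computer, gateway, local IP, loopback), the name-versus-IP test, and the two error messages above can be turned into a small interpreter that reads Windows ping output and reports the innermost failing target. This is an added example for this lesson, not course code; the ping outputs are constructed in the Windows format, and the addresses and cause descriptions are illustrative.

```python
import re

# Constructed ping outputs in the Windows format (not captured from a real host).
PING_REPLY = """Pinging 10.10.0.1 with 32 bytes of data:
Reply from 10.10.0.1: bytes=32 time<1ms TTL=64
Reply from 10.10.0.1: bytes=32 time=1ms TTL=64
"""
PING_TIMEOUT = """Pinging 192.0.2.7 with 32 bytes of data:
Request timed out.
Request timed out.
"""
PING_UNREACHABLE = """Pinging 192.0.2.7 with 32 bytes of data:
Reply from 10.10.0.50: Destination host unreachable.
"""

REPLY_RE = re.compile(
    r"^Reply from ([\d.]+): (?:bytes=(\d+) time[<=](\d+)ms TTL=(\d+)|(.+))$")


def interpret_ping_line(line):
    """Classify one line of Windows ping output using the lesson's two error cases."""
    line = line.strip()
    if line == "Request timed out.":
        return ("timeout",
                "a route exists, but a host or router on the path is misconfigured "
                "or a firewall is dropping ICMP")
    m = REPLY_RE.match(line)
    if m and m.group(5) is None:
        return ("reply", f"{m.group(3)} ms, TTL {m.group(4)}")
    if m and m.group(5) == "Destination host unreachable.":
        return ("unreachable", "no route to the destination; the next hop is unknown")
    return ("other", line)


def ping_succeeded(output):
    """True if at least one Echo Reply came back for a ping run."""
    return any(interpret_ping_line(l)[0] == "reply" for l in output.splitlines())


# The lesson pings outward-in (remote, gateway, local IP, loopback). Whichever order
# is typed, the innermost failing target points at the cause, so evaluate inside-out.
LADDER = (
    ("loopback", "TCP/IP is not working on the local computer"),
    ("local_ip", "the local adapter or its IP configuration is faulty"),
    ("gateway", "the default gateway is wrong, missing, or not reachable on the local subnet"),
    ("remote_ip", "routing beyond the gateway or the remote host itself (or ICMP is filtered)"),
    ("remote_name", "name resolution is failing; IP connectivity itself is fine"),
)


def diagnose(results):
    """results: {target: ping output text}; returns (first failing target, likely cause)."""
    for target, cause in LADDER:
        output = results.get(target)
        if output is None:
            continue                      # that rung was not pinged
        if not ping_succeeded(output):
            return target, cause
    return None, "all targets answered"


if __name__ == "__main__":
    run = {t: PING_REPLY for t, _ in LADDER}
    run["remote_ip"] = PING_TIMEOUT
    run["remote_name"] = PING_TIMEOUT
    print(diagnose(run))
    print(interpret_ping_line("Reply from 10.10.0.50: Destination host unreachable."))
```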
An intern has been unsuccessful in attempts to resolve a network connectivity problem on a Windows 8 computer. The changes made to the computer have not been documented. You need to restore network connectivity for the computer.
Objectives
Create a simulated problem.
Use Windows tools to determine the cause of the problem.
Resolve the problem.
Lab Setup
Estimated Time: 30-60 minutes
Virtual Machine(s): 20687A-LON-DC1, 20687A-LON-CL1
User Name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect.
4. Wait until the virtual machine starts.
5. Log on using the following credentials:
o User name: Adatum\Administrator
o Password: Pa$$w0rd
What IP address is the computer using?
What subnet mask is the computer using?
What network is the computer on?
Results: After this exercise, you will have created a connectivity problem between LON-CL1 and LON-DC1.
Results: After this exercise, you will have resolved the connectivity problem between LON-CL1 and LON-DC1.
Question: After starting her computer, Amy notices that she is unable to access her normal resources. What tool can she use to determine if she has a valid IP address?
Question: When transmitting Accounts Receivable updates to the billing partner in China, Amy notices that the files are being transmitted slowly. What tool can she use to determine the network path and latency of the network?
Question: Amy notices that she cannot access normal Enterprise Web sites. She knows that she has a valid IP address but wants to troubleshoot the DNS access of her computer. What tool must she use?
Question: What is the IPv6 equivalent of an IPv4 APIPA address?
Question: You are troubleshooting a network-related problem, and you suspect a name resolution issue. Before conducting tests, you want to purge the DNS resolver cache. How do you do that?
Question: You are troubleshooting a network-related problem. The IP address of the host you are troubleshooting is 169.254.16.17. What is a possible cause of the problem?
Tools
You can use the following tools to troubleshoot network connectivity issues.
Network and Sharing Center: The Network and Sharing Center informs you about your network and verifies whether your PC can successfully access the Internet. Then, it summarizes this information in the form of a Network Map.
Netsh.exe: A command that you can use to configure network properties from the command line.
Pathping.exe: A command-line tool that combines the functionality of Ping and Tracert, and that you can use to troubleshoot network latency and provide information about path data.
Nslookup.exe: A command-line tool that you can use to test and troubleshoot DNS and name resolution issues.
IPConfig.exe: A general IP configuration and troubleshooting tool.
Ping.exe: A basic command-line tool that you can use for verifying IP connectivity.
Tracert.exe: Similar to Pathping, which provides information about network routes.
Windows PowerShell: Cmdlets available to view and configure network settings.
Module 5
Implementing Wireless Network Connections
Contents:
Module Overview 5-1
Lesson 1: Overview of Wireless Networks 5-2
Lesson 2: Implementing a Wireless Network 5-8
Lab: Planning the Implementation of Wireless Network Connections 5-13
Module Review and Takeaways 5-18
Module Overview
A wireless network can refer to any type of wireless devices that are interconnected between nodes, without using wires or cables. This module describes a wireless local area network (WLAN), which is a type of wireless network that uses radio waves instead of cables to transmit and receive data between computers. A wireless network enables you to access network resources from a computer that is not physically attached to the network by cables.
Wireless network technologies have evolved tremendously over the past few years. The security and speed of wireless networks have become so reliable that increasingly, more organizations prefer to use wireless networks rather than traditional wired networks. Windows 8 provides a simple, intuitive, and straightforward user interface for connecting to wireless networks.
Objectives
After completing this module, you will be able to:
Describe the standards and technologies related to wireless network connections.
Configure a wireless network connection.
Lesson 1
Increasingly, organizations prefer wireless networks over traditional wired networks. A wireless network provides users with more flexibility and mobility, as users can attend internal meetings or conduct presentations while maintaining connectivity and productivity. Additionally, a wireless network enables you to create a public network that allows your guests to have an Internet connection without creating security issues for your corporate network. Wireless network technologies have evolved tremendously during the past several years, and many mobile computers now have built-in wireless network adapters that support connections to wireless networks with improved levels of stability and reliability.
Providing Internet access in public places. You can create a public network that enables your guests to have an Internet connection, without causing possible security issues on your corporate network.
Making roaming convenient, and enabling you to remove unsightly wires from your network.
However, wireless networks also can result in some disadvantages, including potential radio interference, increased security costs, and security risks that may require you to spend time and money to troubleshoot and mitigate.
Ad-hoc mode. In this mode, two wireless network adapters are connected directly to one another. This enables peer-to-peer communication, where computers and devices are connected directly to each other, instead of to a wireless router or a wireless access point (WAP).
You typically use ad-hoc networks to share files, presentations, or an Internet connection temporarily among multiple computers and devices. To reach the Internet or another network, you must configure one of the peer-to-peer computers as a router that connects to the network.
Infrastructure mode. In this mode, wireless network adapters connect only to special radio bridges, or a WAP that connects directly to the wired network. To build an infrastructure wireless network, place WAPs throughout your organization.
Users can connect their computers, including laptops, to the network by connecting to the nearest WAP. Home or business environments typically would use this mode.
Regardless of the operating mode, a Service Set Identifier (SSID), also known as the wireless network name, identifies a specific wireless network by name. You can configure the SSID on the WAP for infrastructure mode, or configure the initial wireless client for ad-hoc mode. The WAP or the initial wireless client periodically advertises the SSID so that other wireless nodes can discover and join the wireless network.
Standard: 802.11b

Advantages: High speed; more simultaneous users; better signal range; compatible with 802.11b.
Remarks: Widely used, especially in public places, such as airports and coffee shops.

Standard: 802.11n
Advantages: Highest speed; not prone to interference; compatible with 802.11a, b, and g; best signal range.
Disadvantages: Costs more than 802.11g; requires an N-capable network adapter.
Remarks: Gaining popularity.
Note: Standard 802.11n is an amendment to the 802.11 standard. The operating frequency is in both the 5 gigahertz (GHz) and 2.4 GHz bands, which provides more scope that enables networks to avoid interference with other wireless devices. This standard supports a speed of up to 600 Mbps, with a range of approximately 300 meters.
Windows 8 provides built-in support for all 802.11 wireless networks, but the wireless components of Windows are dependent upon the following:
Capabilities of the wireless network adapter. The installed wireless network adapter must support the wireless network or wireless security standards that you require.
Capabilities of the wireless network adapter driver. To enable you to configure wireless network options, the driver for the wireless network adapter must support the reporting of all of its capabilities to Windows.
Windows 8 provides a driver-based model for mobile broadband devices. Earlier Windows versions required users of mobile broadband devices to install third-party software. This can be difficult for IT professionals to manage, because each mobile broadband device and provider requires different software. Employees also have to be trained to use the software, and must have administrative access to install it, which prevents standard users from easily adding a mobile broadband device. With Windows 8, users can simply connect a mobile broadband device and immediately begin using it. The interface in Windows 8 is the same regardless of the mobile broadband provider. You can connect to a wireless broadband network just as you connect to any other wireless network. This reduces the need for training and management efforts.
Note: Many devices provide built-in broadband wireless capabilities.
The sudden widespread implementation of WLANs preceded any real security planning. Wireless devices create many opportunities for unauthorized users to access private networks. Unlike the closed cabling system of an Ethernet network, which you can secure physically, wireless frames are sent as radio transmissions that propagate beyond the physical confines of your office or home. Any computer within range of the wireless network can receive wireless frames and send its own. Without protecting your wireless network, malicious users can use your wireless network to access your private information or launch attacks against your computers or other computers across the Internet. To protect your wireless network, you should configure authentication and encryption options:
Authentication requires that computers provide valid account credentials, such as a user name and password, or proof of configuration with an authentication key, before you allow them to send data frames on your wireless network. Authentication prevents malicious users from joining your wireless network.
Encryption requires that the content of all wireless data frames be encrypted so that only the receiver can interpret its contents. Encryption prevents malicious users from capturing wireless frames sent on your wireless network and determining sensitive data. Encryption also helps prevent malicious users from sending valid frames and accessing your private resources or the Internet, because they will not be able to connect to your WAP.
WLAN supports the following security standards:
IEEE 802.11
IEEE 802.1X
Wi-Fi Protected Access (WPA)
Wi-Fi Protected Access 2 (WPA2)
IEEE 802.11
The original IEEE 802.11 standard defined the open system and shared key authentication methods for authentication and Wired Equivalent Privacy (WEP) for encryption. WEP can use either 40-bit or 104-bit encryption keys. However, the original IEEE 802.11 security standard is relatively weak and cumbersome for widespread public and private deployment. Because of its security flaws, the IEEE has declared that WEP has been deprecated, because it fails to meet security goals. However, despite its shortcomings, WEP is still widely used.
To establish WEP encryption for shared key authentication, you must install the same secret key in each of your enterprise WAPs. You can do this individually for each WAP or by using manufacturer-supplied management software. Then, you must install that key in each client. There is no standard mechanism for distributing secret WEP keys to clients or WAPs. WAPs automatically deny access to any client that does not have the correct secret key, and prevent unauthorized users from connecting.
Note: In the shared-key authentication mode, the WAP and the client go through a challenge-response cycle, similar to the NT LAN Manager (NTLM) authentication, which uses the WEP encryption key as the shared secret key.
IEEE 802.1X
IEEE 802.1X was a standard that existed for Ethernet switches, and was adapted to wireless LANs to provide much stronger authentication than the original 802.11 standard. IEEE 802.1X authentication is designed for medium and large wireless LANs that contain an authentication infrastructure consisting of Remote Authentication Dial-In User Service (RADIUS) servers and account databases, such as Active Directory Domain Services (AD DS).
IEEE 802.1X prevents a wireless node from joining a wireless network until the node performs a successful authentication. IEEE 802.1X uses the Extensible Authentication Protocol (EAP). Wireless network authentication can be based on different EAP authentication methods, such as those using user-name and password credentials or a digital certificate. 802.1X requires clients to provide computer authentication when they connect to the network, and provides user authentication when a user logs on. If either authentication phase fails, the data-link layer access device (a WAP, bridge, or switch) will not forward packets to the network. This prevents an attacker from exploiting the network layer or reaching other network servers or clients. You must ensure that the client, the data-link device, and the authentication server all support the 802.1X protocol. The data-link device, which can be a WAP or a switch, detects new clients, passes the authentication to an authentication server, and locks the client out if the authentication fails. The authentication server checks the client's credentials, and then reports the authentication status to the data-link device.
Note: In the Windows Server 2012 operating system, the Network Policy and Access Services (NPAS) role enables secure wireless and wired solutions for which 802.1X enforcement is the basis. In Windows Server 2012, NPAS performs the role of a RADIUS server.
Although 802.1X addresses the weak authentication of the original 802.11 standard, it provides no solution to the disadvantages of WEP. While the IEEE 802.11i wireless LAN security standard was being finalized, the Wi-Fi Alliance, an organization of wireless equipment vendors, created an interim standard known as WPA. WPA replaces WEP with a much stronger encryption method known as the Temporal Key Integrity Protocol (TKIP). WPA also allows the optional use of the Advanced Encryption Standard (AES) for encryption. WPA is available in two different modes:
WPA-Enterprise. In the Enterprise mode, an 802.1X authentication server distributes individual keys to users that have a wireless designation, and is designed for medium- and large-infrastructure mode networks.
WPA-Personal. In the Personal mode, a preshared key (PSK) is used for authentication, and you provide the same key to each user. It is designed for small office/home office (SOHO) infrastructure mode networks.
The IEEE 802.11i standard formally replaces WEP and the other security features of the original IEEE 802.11 standard. WPA2 is a product certification available through the Wi-Fi Alliance that certifies wireless equipment as being compatible with the IEEE 802.11i standard. The goal of WPA2 certification is to support the additional mandatory security features of the IEEE 802.11i standard that are not already included for products that support WPA. For example, WPA2 requires support for both TKIP and AES encryption. Similar to WPA, WPA2 is available in two different modes: WPA2-Enterprise and WPA2-Personal.
Because a WAP broadcasts its SSID on the network, it is inherently insecure and vulnerable to malicious attacks. For example, War Driving is a hacking technique in which users from outside your facility use wireless-client hardware and software to discover any WAPs that are broadcasting in the local area.
Therefore, in addition to implementing authentication and encryption, you can use the following methods to mitigate risks to your wireless network:
Firewalls. You can address the WAP vulnerability by placing the WAPs outside your network firewalls. You then can force valid users to authenticate with the firewall or use virtual private network (VPN) connections to reach the internal network. This does not prevent unauthorized users from exploiting the WAPs for Internet access, but it does prevent them from exploiting the internal network. This method is commonly used by organizations to give Internet access to visitors.
Closed networks. Some WAPs support a closed network mode in which the WAP does not advertise its SSID. Users have to know the SSID to connect to the wireless network. Disabling SSID broadcasting does not stop hackers because, although the SSID does not appear in a typical client, hackers still can detect the wireless signal and identify the SSID.
SSID spoofing. You can use special software that generates numerous WAP packets that broadcast false SSIDs. This causes hackers to receive so many SSIDs that when they scan for a wireless network, they cannot separate the valid SSID from the false ones.
Media access control (MAC) address filtering. Most WAPs support MAC address restrictions. These restrictions limit the clients with which the WAP can communicate by using their MAC address. This works well in smaller environments, but creates excessive administrative overhead in larger environments.
Additional Reading: For more information on WEP and its disadvantages, refer to: http://go.microsoft.com/fwlink/?LinkID=154212.
Lesson 2
In an organization with a wireless network, users may choose to use the wireless network as the primary method of connecting to network resources. You should know how to create and connect to a wireless network from a Windows 8-based computer. You also need to know how to improve the wireless signal strength for your users and how to troubleshoot common wireless connection problems. This troubleshooting process uses the network diagnostics included with Windows 7 and Windows 8. You need to be familiar with network diagnostics so that you can assist users.
To configure a WAP, you may need to enter its SSID, and then configure a valid TCP/IP address on your network. Typically, a WAP has an administrator page that can be accessed by an Internet browser by using its default IP address. Depending on the manufacturer, different WAPs have different default IP addresses, and you can configure several WAPs from a command prompt by using the Telnet command-line tool.
Note: Most WAPs have a default SSID. When implementing a wireless network, do not use the default SSID. Instead, change the SSID to something unique, so that client computers that connect automatically will not have conflicts with other WAPs that are using their default SSID.
To connect to a wireless network, attach a wireless network adapter to your computer, and then install its driver. These adapters may be internal or external wireless adapters. Many mobile computers have built-in adapters that you can enable by using a hardware switch. External adapters are typically attached through a universal serial bus (USB) or other externally accessible hardware port.
After attaching the hardware and installing the appropriate hardware device driver, you can use the following methods to configure a Windows 8-based client to connect to a wireless network:
Connect to a Network dialog box. This dialog box is available from several locations in Windows 8, including the Control Panel. The Connect to a Network dialog box enables you to see all wireless networks in your area to which you can connect.
Command line. The netsh wlan commands in the netsh.exe tool enable you to configure wireless networks and their settings manually. Additionally, you can use Windows PowerShell cmdlets to configure wireless network settings.
Group Policy. Network administrators in an Active Directory environment can use Group Policy to configure and deploy wireless network settings centrally to domain member computers. The Wireless Network Policies Extension is a Group Policy extension that you can use to automate configuration of Wireless Network Group Policy settings.
Additional Reading: For more information on how to use netsh, refer to: http://go.microsoft.com/fwlink/?LinkID=154213.
For more information on how to use Group Policy to manage wireless networks, refer to: http://go.microsoft.com/fwlink/?LinkID=154214.
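As an added example of the command-line method (this is not code from the course), the following Windows PowerShell script writes a wireless profile in the XML format that netsh wlan accepts and imports it for all users of the computer. The profile name and SSID are the ones used in the lab later in this module; the passphrase is a placeholder, and the file path under $env:TEMP is an assumption.

```powershell
# Added example, not from the course: build a WPA2-Personal (AES) wireless
# profile and import it with "netsh wlan add profile". Run this from an
# elevated PowerShell prompt, because user=all requires administrator rights.
$profileName = 'A Datum Wireless Profile'   # profile name from the lab
$ssid        = 'A Datum 1'                  # SSID from the lab
$passphrase  = 'PLACEHOLDER-passphrase'     # hypothetical pre-shared key; replace it

# WLAN profile schema v1. ESS is infrastructure mode, IBSS would be ad hoc.
# WPA2PSK + AES is the WPA2-Personal / AES choice from the profile settings;
# WEP and TKIP are deliberately not used.
$xml = @"
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>$profileName</name>
  <SSIDConfig>
    <SSID><name>$ssid</name></SSID>
    <nonBroadcast>false</nonBroadcast>
  </SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2PSK</authentication>
        <encryption>AES</encryption>
        <useOneX>false</useOneX>
      </authEncryption>
      <sharedKey>
        <keyType>passPhrase</keyType>
        <protected>false</protected>
        <keyMaterial>$passphrase</keyMaterial>
      </sharedKey>
    </security>
  </MSM>
</WLANProfile>
"@

# Write the profile to a temporary file (assumed location), import it for
# every user of the computer, then delete the file because it holds the
# key in clear text. Windows protects the key once the profile is stored.
$path = Join-Path $env:TEMP 'adatum-wlan.xml'
Set-Content -Path $path -Value $xml -Encoding UTF8
netsh wlan add profile filename="$path" user=all
Remove-Item $path

# Check what Windows stored: the Security settings block should show
# "Authentication : WPA2-Personal" and "Cipher : CCMP".
netsh wlan show profile name="$profileName"
```

For a domain, the same profile settings are what the Wireless Network Policies extension of Group Policy pushes centrally; the script is the per-computer equivalent and is useful for workgroup machines or for testing a profile before you put it in a GPO.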
You can use the Manage Wireless Networks dialog box to configure wireless network connections. You can access this window from the Network and Sharing Center, which you can access from Control Panel or from the network icon on the System Tray. To view a wireless network's settings, from the Manage Wireless Networks window, right-click the wireless network profile, and then click Properties.
General Settings
The following settings are mandatory for every wireless network profile:
SSID. Every wireless network has an SSID. If you are configuring the wireless network profile manually, you must know the exact SSID of the wireless network to which you want to connect.
Network Type. There are two options: Access point and Ad hoc network. Select Access point to connect to a WAP, which means you are configuring the wireless network to operate in infrastructure mode. Select Ad hoc network to connect to another wireless network adapter, which means that you are configuring the wireless network to operate in ad-hoc mode.
Connect to a more preferred network if available. If you select this option, when there are multiple wireless networks in range, the computer will try to connect to one of the others instead of this particular wireless network.
Connect even if the network is not broadcasting its name (SSID). Select this if the WAP is configured to not advertise its SSID.
The following settings determine the type of authentication and encryption used to connect to a wireless network:
No authentication (open). Typically, you select this security type when connecting to a public wireless network. If you select this security type, two options are available for the encryption type: None and WEP.
Shared. Select this security type if the wireless network is using a shared network security key. If you select this security type, only WEP is available for the encryption type.
WPA (Personal and Enterprise). Select this option if the wireless network is using WPA authentication. In the personal mode, you provide the same network security key to each user. In the enterprise mode, an authentication server distributes an individual key to the users. If you select this security type, two options are available for the encryption type: TKIP and AES.
WPA2 (Personal and Enterprise). Select this option if the wireless network is using WPA2 authentication. It also has the Personal and Enterprise modes and two options for the encryption type: TKIP and AES.
802.1X. Select this security type if your wireless network is using 802.1X authentication. If you select this security type, only WEP is available for the encryption type.
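The authentication and encryption choices listed above can be checked on an existing computer without opening each profile's Properties dialog. The following Windows PowerShell script is an added example, not part of the course material: it reads the saved profiles through the netsh wlan commands that this lesson mentions and flags any whose settings are the ones Lesson 1 describes as weak (open with no encryption, Shared/WEP, or TKIP). The function name Get-WlanProfileSecurity is the author's choice here, and the text labels it matches are the English ones netsh prints.

```powershell
# Added example, not from the course: audit the saved wireless profiles on
# this Windows 8 computer for weak authentication or encryption settings.
function Get-WlanProfileSecurity {
    # "netsh wlan show profiles" prints one line per saved profile, e.g.
    #     All User Profile     : A Datum 1
    #     Current User Profile : Coffee shop
    $names = netsh wlan show profiles | ForEach-Object {
        if ($_ -match 'User Profile\s*:\s*(.+)$') { $Matches[1].Trim() }
    }

    foreach ($name in $names) {
        $detail = netsh wlan show profile name="$name"

        # The "Security settings" block carries "Authentication : ..." and
        # "Cipher : ..." lines (possibly more than one pair); keep the first.
        $auth = $null
        $cipher = $null
        foreach ($line in $detail) {
            if (-not $auth -and $line -match '^\s*Authentication\s*:\s*(.+)$') {
                $auth = $Matches[1].Trim()
            }
            if (-not $cipher -and $line -match '^\s*Cipher\s*:\s*(.+)$') {
                $cipher = $Matches[1].Trim()
            }
        }

        # Weak = no authentication (Open/None), Shared key (WEP), WEP or TKIP.
        # netsh reports WPA2-Personal/Enterprise with CCMP (AES) as the cipher.
        [pscustomobject]@{
            Profile        = $name
            Authentication = $auth
            Cipher         = $cipher
            Weak           = ($auth -match '^(Open|Shared)$' -or
                              $cipher -match '^(None|WEP|TKIP)$')
        }
    }
}

# Show the weak profiles first so they stand out in the report.
Get-WlanProfileSecurity | Sort-Object Weak -Descending | Format-Table -AutoSize
```

A profile flagged Weak is a candidate for deletion with netsh wlan delete profile name="<profile>" once the WAP it belongs to has been moved to WPA2 with AES, which is the combination the lesson recommends.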
Troubleshooting tips
Ensure that your client computer is as close as possible to the WAP.
If you are unable to get close to the WAP, consider installing an external antenna on your wireless network adapter.
Check for physical objects that may cause interference, such as a thick wall or metal cabinet, and consider removing them or repositioning the WAP or the client.
Add WAPs to the wireless network whenever applicable.
Interference from other signals: Check for devices that may cause interference, such as cordless phones, Bluetooth devices or any other wireless devices. Turn them off or move them farther away.
Consider changing the WAP settings to use a different wireless channel, or set the channel to be selected automatically if it is set to a fixed channel number.
In cases where you cannot see the wireless network, consider the following troubleshooting steps:
Check that your wireless network adapter has the correct driver and is working properly.
Check your computer for an external switch for the wireless network adapter.
Check that the WAP is turned on and working properly.
Check whether the WAP is configured to advertise its SSID.
Question: What devices can interfere with a wireless network signal?
1. Attempt to connect to a wireless network. Use the Connect to a network dialog box in Windows 8 to list each available wireless network, and then attempt network connections. You can access the Connect to a network dialog box from the Network and Sharing Center or from the network icon on the System Tray.
2. Run the Windows Network Diagnostics tool. You can run the tool by right-clicking the Network icon on the System Tray, and then clicking Troubleshoot problems.
3. Review the diagnostic information. The Windows Network Diagnostics tool in Windows 8 will attempt to correct any problems. If this is not possible, the tool provides a list of possible problems.
4. Identify the problem from the list of problems found. Use the list from the Windows Network Diagnostics tool to help identify the problem.
5. Resolve the problem that you identify. Use the information in the previous step to implement a resolution.
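The steps above, and the tools in the table at the start of this module (IPConfig, Ping, Nslookup, Pathping), can be run together as a first-pass check before you hand the problem to the diagnostics tool. The script below is an added example, not part of the course: it uses the NetAdapter, NetTCPIP and DnsClient cmdlets that ship with Windows 8 together with netsh wlan and pathping. The interface alias 'Wi-Fi' and the DNS test name are assumptions for your environment.

```powershell
# Added example, not from the course: layered wireless connectivity check in
# the order a troubleshooter works, from the adapter up to name resolution.
$wifiAlias   = 'Wi-Fi'               # assumed: default alias for the wireless adapter in Windows 8
$dnsTestName = 'www.microsoft.com'   # assumed: any name your DNS servers should resolve

# 1. Is there a physical 802.11 adapter, is its driver loaded, and is it up?
#    A "Disabled" or "Not Present" status points at the driver or hardware switch.
Get-NetAdapter -Physical |
    Where-Object { $_.PhysicalMediaType -eq 'Native 802.11' } |
    Format-Table Name, Status, LinkSpeed, DriverVersion -AutoSize

# 2. Radio link: connection state, SSID, signal strength, channel and the
#    authentication/cipher actually negotiated with the WAP.
netsh wlan show interfaces |
    Where-Object { $_ -match '^\s*(State|SSID|Signal|Channel|Radio type|Authentication|Cipher)\s*:' }

# 3. Other networks in range and their channels. Several networks on your
#    channel is one of the interference causes the tips above describe.
netsh wlan show networks mode=bssid |
    Where-Object { $_ -match '^\s*(SSID \d+|Signal|Channel)\s*:' }

# 4. IP configuration of the wireless interface (what IPConfig shows).
Get-NetIPConfiguration -InterfaceAlias $wifiAlias -ErrorAction SilentlyContinue |
    Select-Object InterfaceAlias, IPv4Address, IPv4DefaultGateway, DNSServer

# 5. Can the default gateway be reached? (Ping) A failure here with a good
#    signal usually means an addressing problem, not a radio problem.
$gw = (Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
       Select-Object -First 1).NextHop
if ($gw) {
    $gwReachable = Test-Connection -ComputerName $gw -Count 2 -Quiet
    "Default gateway $gw reachable: $gwReachable"
} else {
    Write-Warning 'No default gateway; the interface probably has no DHCP lease.'
}

# 6. Name resolution (Nslookup), then per-hop latency (Pathping) only when
#    DNS works; -n skips reverse lookups, -q 5 sends five probes per hop.
if (Resolve-DnsName -Name $dnsTestName -ErrorAction SilentlyContinue) {
    pathping -n -q 5 $dnsTestName
} else {
    Write-Warning "DNS lookup of $dnsTestName failed; check the DNS servers listed above."
}
```

Each step only makes sense if the one before it passed, which is why the script runs them in this order; reading the output top to bottom tells you which layer (hardware, radio, addressing, routing, DNS) to work on.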
A. Datum Corporation is planning to implement a wireless network to enable certain employees to connect their laptops to the corporate network. Additionally, they would like to enable visitors to connect their laptops to a restricted network that provides Internet access only.
Objectives
Create an implementation plan for a wireless network.
Troubleshoot issues arising from the wireless deployment plan.
Configure a wireless network policy.
Lab Setup
Estimated Time: 30 minutes
Virtual Machine(s): 20687A-LON-DC1
User Name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
o User name: Administrator
o Password: Pa$$w0rd
o Domain: Adatum
Holly Dickson is the IT manager at A. Datum, and you have been working with her on the wireless networking project. Holly wants you to determine what you need to enable wireless access for employees and visitors. The A. Datum offices take up the entirety of a small building that spans two floors, with the employees mainly confined to the upper floor. The ground floor provides conferencing facilities and a reception area. Holly has produced the A. Datum Wireless Network Requirements document. You must consider each requirement, and then make a corresponding proposal that indicates how you will meet that requirement. Note: Your instructor may decide to run this exercise as a class discussion.
A. Datum Wireless Network Requirements
Document reference: HD-29-04-12
Document author: Holly Dickson
Date: April 29
Requirements Overview I want to deploy wireless networks throughout the London offices. Security is critical, and we must deploy the strongest security measures available. Some of our older computer equipment supports earlier wireless standards only. Cordless telephones are in use in some parts of the building. We are located in a busy trading district, with other commercial organizations located nearby. Again, it is important that our network is not compromised. Additional Information
Proposals
The main tasks for this exercise are as follows:
1. Read the A. Datum Wireless Network Requirements document.
2. Update the document with your proposed course of action.
1. What technical factors will influence the purchasing decision for the WAPs that Holly needs to consider?
2. How many WAPs does Holly need to purchase?
3. Where will you advise Holly to place the WAPs?
4. Which security measures will you recommend to Holly?
2. Complete the proposals section of the A. Datum Wireless Network Requirements document.
Results: After this exercise, you should have a proposal for the implementation of wireless networks in the London offices of A. Datum.
Holly has placed a call to you on the help desk. The A. Datum wireless network is a great success. However, there have been some ongoing problems with intermittent connections. Additionally, some staff members can connect to the A. Datum corporate network from the parking lot.
Note: Your instructor may run this exercise as a class discussion.
A. Datum Incident Record
Incident number: 501235
Date and time of call: May 21, 10:45am
User: Holly Dickson
Incident Details: Intermittent connection problems from computers connecting to the wireless network. Some users can connect to the wireless access points from the parking lot.
Plan of Action
The main tasks for this exercise are as follows:
1. Read help-desk incident record 501235.
2. Update the plan of action section of incident record 501235.
2. What do you suspect is causing these problems?
3. How will you rectify these problems?
2. Update the plan of action section of incident record 501235 with your recommendations.
Results: After this exercise, you should have a completed action plan for resolution of the A. Datum issues.
In this exercise, you will configure a wireless network policy that supports the wireless network design that you planned.
Note: Group Policy Objects (GPOs) and implementing GPOs are discussed in Module 8: Securing Windows 8 Desktops.
The main tasks for this exercise are as follows:
1. Open Group Policy Management Editor.
2. Create a wireless network policy.
Select the Create A New Wireless Network Policy for Windows Vista and Later Releases option. Configure the policy with the following settings:
o Policy Name: A Datum Wireless Policy
o Profile Type: Infrastructure
o Profile Name: A Datum Wireless Profile
o Network Name(s) (SSID): A Datum 1, A Datum 2.
Confirm all your changes, and then close all open windows.
Results: After this exercise, you should have implemented a wireless network policy.
Windows is not configured to connect to the right type of network.
The router or WAP is busy.
You are implementing wireless networking in your organization. Which wireless network technology standards and which type of security (authentication and encryption) will you choose?
Your organization already has a wireless network in place. Your users are complaining that the performance of the wireless network is not as good as the wired network. What can you do to increase the performance of the wireless network?
Tools
Tool: Network and Sharing Center. Use to: Configure network settings. Where to find it: Control Panel; System Tray.
Tool: Connect to a Network. Use to: Configure a Windows 8-based client to connect to a wireless network.
Use to: Configure local or remote network settings.
Use to: Troubleshoot access to wireless networks.
Module 6
Implementing Network Security
Contents:
Module Overview 6-1
Lesson 1: Overview of Threats to Network Security 6-2
Lesson 2: Configuring Windows Firewall 6-8
Lab A: Configuring Inbound and Outbound Firewall Rules 6-16
Lesson 3: Securing Network Traffic 6-18
Lab B: Configuring Connection Security Rules 6-28
Lesson 4: Configuring Windows Defender 6-30
Lab C: Configuring Host-Based Virus and Malware Protection 6-33
Module Review and Takeaways 6-35
Module Overview
When you connect your computers to a network, you may expose them to additional security threats. You need to formulate a strategy to protect your computers. User policies, antivirus software, encrypted network traffic, and other protective measures work together to shield your computers from security threats. It is also important to identify possible threats, and optimize the appropriate Windows network security features, such as Windows Firewall and Windows Defender, to help to eliminate them.
Objectives
After completing this module, you will be able to:
Describe the threats to network security.
Explain how to configure Windows Firewall.
Explain how to configure inbound and outbound firewall rules.
Explain how to secure network traffic.
Explain how to configure connection security rules.
Explain how to configure Windows Defender.
Explain how to configure host-based virus and malware protection.
Lesson 1
Security is an integral part of any computer network, and you must consider it from many perspectives. You must understand the nature of network-based security threats, and be able to implement appropriate security measures to mitigate these threats. In this lesson, you will learn about some of these threats and the Defense-in-Depth strategy that helps you lessen your vulnerability to them. Finally, you will learn about ways to mitigate the various network security threats discussed.
Denial-of-service. This attack limits the function of a network application, or makes the application or network resource unavailable. There are numerous ways in which hackers can initiate a denial-of-service attack. However, hackers are often aware of vulnerabilities in the target application that they can exploit, to render it unavailable.
Note: Hacking is a generic term that refers to the act of trying to crack a computer program or code. When talking about network security, hacking is an important topic because malicious users will hack your network to attack it, your extended user base, or your cache of applications and sensitive intellectual property.
Port scanning. Applications running on a computer using the TCP/IP protocol use TCP or User Datagram Protocol (UDP) ports to identify themselves. One way that attackers exploit your network is to query hosts for the ports on which they listen for client requests. These ports are said to be open. Once attackers identify an open port, they can use other attack techniques to attempt access to your network.
Man-in-the-middle. The network attacker uses a computer to impersonate a legitimate host on the network with which your computers are communicating. The attacker intercepts all of the communications intended for the destination host. The attacker may wish to view the data in transit between the two hosts, but also can modify the data in transit, before forwarding the packets to the destination host.
You can mitigate risks to your computer network by providing security at differing infrastructure layers. The term defense-in-depth typically describes the use of multiple security technologies at different points throughout your organization.
Physical security measures must complement organizational policies regarding security best practices. For example, enforcing a strong user password policy is not helpful if users write their passwords down on sticky notes, and then attach those notes to their computer screens. When you are establishing a security foundation for your organization's network, it is a good idea to start by creating appropriate policies and procedures, and making users aware of them. Then you may progress to the other aspects of the defense-in-depth model.
Even when you implement rules to prevent security problems, users can circumvent them, either by plan or inadvertently. Some ways that users can compromise policies and procedures include:
Users are unaware of the rules. When users are unaware of the rules, you cannot expect them to follow them.
Users viewing the rules as unnecessary. If you do not adequately communicate the reason for rules, then some users will think of them as unnecessary.
Social engineering. Users and computer administrators are vulnerable to social engineering, where malicious users manipulate them into breaking the rules or revealing sensitive data. An example of this is when you receive an email that appears to be from your bank, asking you to update your account information by following a link in the email that resolves to a website that does not actually belong to your banking system.
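For the port-scanning threat described above, the defender's counterpart is to know which ports the host itself exposes before an attacker finds out. The script below is an added example, not course material: it lists listening TCP ports and bound UDP endpoints together with the owning process, using the Get-NetTCPConnection and Get-NetUDPEndpoint cmdlets of the NetTCPIP module that ships with Windows 8. The function name Get-ListeningEndpoint is the author's choice.

```powershell
# Added example, not from the course: inventory what a port scan of this
# computer would find, and which process is behind each open port.
function Get-ListeningEndpoint {
    # TCP sockets in the LISTEN state accept new connections from the network.
    $tcp = Get-NetTCPConnection -State Listen | ForEach-Object {
        [pscustomobject]@{
            Protocol  = 'TCP'
            LocalPort = $_.LocalPort
            Address   = $_.LocalAddress
            ProcessId = $_.OwningProcess
        }
    }
    # UDP has no listen state; any bound endpoint can receive datagrams.
    $udp = Get-NetUDPEndpoint | ForEach-Object {
        [pscustomobject]@{
            Protocol  = 'UDP'
            LocalPort = $_.LocalPort
            Address   = $_.LocalAddress
            ProcessId = $_.OwningProcess
        }
    }
    # Join each endpoint to its process name so the list is reviewable.
    @($tcp) + @($udp) | ForEach-Object {
        $proc = Get-Process -Id $_.ProcessId -ErrorAction SilentlyContinue
        $_ | Add-Member -NotePropertyName Process -NotePropertyValue $proc.ProcessName -PassThru
    }
}

# Loopback-only bindings are not reachable from the network; show the rest.
Get-ListeningEndpoint |
    Where-Object { $_.Address -ne '127.0.0.1' -and $_.Address -ne '::1' } |
    Sort-Object Protocol, LocalPort |
    Format-Table Protocol, LocalPort, Address, Process, ProcessId -AutoSize
```

Every row in the output is either a service you intend to offer, and should be covered by a Windows Firewall rule scoped to the hosts that need it, or a service you did not know was running and can stop; that review is the practical form of the defense-in-depth idea that follows.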
Mitigation M
Yo should con ou nsider taking th following ac he ctions to mitig gate these thre eats: Create spec cific rules that help prevent social enginee s ering. Educate use on rules an their relevance. ers nd Implement compliance monitoring. m
Physical Security
Enterprise administrators commonly overlook physical security, with respect to securing their computer systems. If any unauthorized person can gain physical access to your computer, then most other security measures are of little consequence. Ensure that computers containing the most sensitive data, such as servers, are physically secure. In general, anyone that has physical access to computer systems can:
Damage systems. This can be as simple as storing a server next to a desk, where a user may accidentally bump into it or knock a drink over onto it.
Install unauthorized software on systems. Malicious users can utilize unauthorized software to attack systems. For example, there are utilities available to reset the administrator password on a Windows-based workstation or member server.
Steal hardware. Malicious users can steal laptops if you do not ensure that your users leave laptops secured. They even can steal servers, and their often sensitive data, that you do not secure properly.
Mitigation
Consider the following to help to mitigate physical security threats:
Restrict physical access by locking doors.
Monitor server room access.
Install fire suppression equipment.
Perimeter
These days, no organization is an isolated enterprise. Organizations operate within a global community, and network resources must be available to service that global community. Perimeter layer security refers to the connectivity between your network and other untrusted networks. This might include building a website to describe your organization's services, or making internal services, such as web conferencing and email, accessible externally, so that users can work from home or from satellite offices. Perimeter networks mark the boundary between public and private networks. By providing specialist servers, such as reverse proxy servers, in your perimeter network, you can provide corporate services across the public network in a more secure manner. Note: A reverse proxy enables you to publish services from the corporate intranet, such as email or web services, without placing the email or web servers in the perimeter. There are other access issues that you need to consider, as well:
Remote access client. While you can control the conditions under which they can connect, these client computers are accessing your network from a remote location over which you have little or no control. Because of this, these types of clients have access to more data than your typical Internet client that connects to a web page.
Business partners. You do not control the networks of business partners, which means that you cannot ensure that they have appropriate security controls in place. Therefore, if a business partner is compromised, then the network links between your organization and that business partner pose a risk.
Mitigation
Consider the following to help to mitigate perimeter security threats:
Implement firewalls at network boundaries.
Implement network address translation (NAT).
Use virtual private networks (VPNs), and implement encryption.
Internal Networks
As soon as you connect computers to a network, they are susceptible to a number of threats. Internal network layer security refers to services and processes on your internally controlled network, including local area networks (LANs) and wide area networks (WANs). The latter includes Multiprotocol Label Switching (MPLS) circuits, where you control all aspects of the network.
The security threats to the internal network include eavesdropping, spoofing, denial of service, and replay attacks. This is especially relevant when communication occurs over public networks because users are working from home, remote offices, or other locations such as coffee shops.
Mitigation
Here are some considerations for how you can mitigate these threats:
Segment your network.
Implement Internet Protocol Security (IPsec).
Implement a Network Intrusion Detection System (NIDS).
Host
The host layer refers to the network's individual computers. This includes the operating system, but not application software. Host-layer security includes operating system services, such as a web server, and it can be compromised by:
Operating system vulnerabilities. An operating system is complex. Consequently, there are often vulnerabilities that hackers can exploit. These vulnerabilities enable attackers to install malicious software or control hosts.
Default operating system configurations. Operating systems and their services include default configurations. In some cases, the default configuration may not include a password or may include sample files with vulnerabilities. Attackers use their knowledge of default configurations to compromise systems.
Viruses that attack hosts. The virus uses operating system flaws or default configurations to infect and replicate itself.
Mitigation
Consider the following to help you to mitigate these threats:
Harden operating systems.
Implement a host-based intrusion detection system (HIDS).
Use host-based antivirus/anti-malware and anti-spyware software, such as Windows Defender.
Application
The application layer refers to applications that are running on the hosts. This includes additional services, such as mail servers, and desktop applications, such as the Microsoft Office suite of tools. The risks to applications are similar to the risks that hosts face, and can include:
Application vulnerabilities. Applications are complex programs that are likely to have vulnerabilities. Attackers can use these vulnerabilities to install malicious applications or remotely control a computer.
Default application configurations. Applications, such as databases, may have a default password or no password at all. Not securing the default configuration simplifies the work of attackers attempting to access a system.
Viruses that users introduce. In some cases, users introduce viruses by their actions rather than by flaws. In other cases, an application is actually a Trojan horse that contains malicious code embedded in what appears to be a useful application.
Mitigation
Consider the following to help you to mitigate these threats:
Run applications with the lowest level of privileges possible.
Install Microsoft and third-party application security updates.
Enable only required features and functionality for operating systems and applications.
Data
The final layer of security is data security. This includes data files, application files, databases, and Active Directory Domain Services (AD DS). When your data layer becomes compromised, it can result in:
Unauthorized access to data files. Unauthorized access to data files may result in unintended users reading data, such as users inadvertently viewing salaries for other staff members. It also may result in data modification, which could cause it to be inaccurate.
Unauthorized access to AD DS. Malicious users could reset user passwords, and then attack your network by using the new passwords.
Modification of application files. When application files are modified, they may perform unwanted tasks such as data replication over the Internet, where an attacker can access it.
Mitigation
Consider the following to help you to mitigate these threats:
Implement and configure suitable NTFS file system permissions.
Implement encryption.
Implement rights management.
Perimeter networks. A perimeter network is an isolated area on your network to and from which you can define network traffic flow. When you need to make network services available on the Internet, it is not advisable to connect the hosting servers directly to the Internet. By placing these servers in a perimeter network, you can make them available to Internet users, without letting those users gain access to your corporate intranet.
Virtual private networks (VPNs). When your users must connect to your corporate intranet from the Internet, it is important that they do so as securely as possible. The Internet is a public network, and data in transit across the Internet is susceptible to eavesdropping or man-in-the-middle attacks. Utilizing VPNs enables you to authenticate and encrypt connections between your remote users and your corporate intranet, thereby mitigating risk.
Server hardening. By only running the services that you need, you can make your servers inherently more secure. To determine what services you require, you must establish a baseline of security among your servers. Because it is sometimes difficult to determine precisely which Windows Server services you need to support the functionality that you or your enterprise requires, you can use tools such as the Security Configuration Wizard or the Microsoft Baseline Security Analyzer to help you.
Intrusion detection. Although it is important to implement the preceding techniques to secure your network, it also is sensible to monitor your network regularly for signs of attack. You can use intrusion-detection systems to do this, by implementing them on devices at the perimeter, such as Internet-facing routers.
DNSSEC. DNSSEC provides the ability for DNS servers and resolvers to trust DNS responses by using digital signatures for validation. All signatures generated are contained within the DNS zone itself in the new resource records. When a resolver issues a query for a name, the accompanying digital signature is returned in the response. Validation of the signature is then performed through the use of a preconfigured trust anchor. Successful validation proves that the data has not been modified or tampered with in any way.
Lesson 2
Windows has a built-in firewall that helps protect your computer from access attempts by unauthorized computers on the network. These unauthorized attempts could be coming from the Internet or your local LAN. Firewalls work on the principle of filtering network traffic based on the traffic's characteristics, and then either allowing or blocking the traffic, depending on your configuration.
Private networks: Networks at home or work, where you know and trust the people and devices on the network. When you select Home or work (private) networks, this turns on Network Discovery. Computers on a home network can belong to a HomeGroup.
Guest or public networks: Networks in public places. This location keeps the computer from being visible to other computers. When you select the Public place network location, HomeGroup is not available, and Network Discovery is turned off.
You can modify the firewall settings for each type of network location from the main Windows Firewall page. Click Turn Windows Firewall on or off, select the network location, and then make your selection. You can also modify the following options:
Block all incoming connections, including those in the list of allowed programs
Notify me when Windows Firewall blocks a new program
Note: Your system administrator can configure Windows Firewall settings by using Group Policy (to be covered in Module 8).
The Public networks location blocks certain programs and services from running, which protects your computer from access that you do not authorize. If you connect to a Public network, and Windows Firewall is on, some programs or services might ask you to allow them to communicate through the firewall so that they can work properly.
It generally is safer to add a program to the list of allowed programs than to open a port. If you open a port, you unlock and open the door, and it stays open until you close it, whether a program is using it or not. If you add a program to the list of allowed programs, you are unlocking the door, but not opening it. The door is open only for communication, as and when a program or the computer requires it. To add, change, or remove allowed programs and ports, click Allow an app or feature through Windows Firewall in the left pane of the Windows Firewall page, and then click Change settings. For example, to view performance counters from a remote computer, you must enable the Performance Logs and Alerts firewall exception on the remote computer. To help decrease security risks when you are opening communications, consider the following:
Only allow a program or open a port when necessary.
Remove programs from the allowed programs or close ports when you do not require them.
Never allow a program that you do not recognize to communicate through the firewall.
Windows 8 includes multiple active firewall policies. These firewall policies enable computers to obtain and apply the domain firewall profile, regardless of the networks that are active on the computers. IT professionals can maintain a single set of rules for remote clients and those that connect physically to the corporate network. To set up or modify profile settings for a network location, click Change advanced sharing settings in the left pane of the Network and Sharing Center.
You also can display firewall notifications in the taskbar. Click Change notification settings in the left pane of the Windows Firewall page, and then for each network location, check or clear the Notify me when Windows Firewall blocks a new app check box.
Windows Firewall with Advanced Security is an example of a network-aware application. You can create a profile for each network location type, with each profile containing different firewall policies. For example, you can allow incoming traffic for a specific desktop management tool when the computer is on domain networks, but block traffic when the computer connects to public or private networks. Network awareness enables you to provide flexibility on the internal network without sacrificing security when users travel. A public network profile must have stricter firewall policies to protect against unauthorized access. A private network profile might have less restrictive firewall policies to allow file and print sharing or peer-to-peer discovery.
Windows Firewall with Advanced Security Properties
Use the Windows Firewall with Advanced Security Properties dialog box to configure basic firewall properties for domain, private, and public network profiles. A firewall profile is a way of grouping settings, including firewall rules and connection security rules. Use the IPsec Settings tab on the Windows Firewall with Advanced Security Properties dialog box to configure the default values for IPsec configuration options.
Note: To access the Windows Firewall with Advanced Security Properties, perform one of the following procedures:
In the navigation pane, right-click Windows Firewall with Advanced Security, and then click Properties.
In the navigation pane, select Windows Firewall with Advanced Security, and then in the Overview section, click Windows Firewall Properties.
In the navigation pane, select Windows Firewall with Advanced Security, and then in the Actions pane, click Properties.
The options that you can configure for each of the three network profiles are:
Firewall State: Turn on or off independently for each profile.
Inbound Connections: Configure to block connections that do not match any active firewall rules, block all connections regardless of inbound rule specifications, or allow inbound connections that do not match an active firewall rule.
Outbound Connections: Configure to allow connections that do not match any active firewall rules or block outbound connections that do not match an active firewall rule.
Settings: Configure display notifications, unicast responses, local firewall rules, and local connection security rules.
Logging: Configure the following logging options:
o Name. Use a different name for each network profile's log file.
o Size limit (KB). The default size is 4096. Adjust this if you find it to be necessary when troubleshooting.
o No logging occurs until you set one or both of the following two options to Yes: Log dropped packets; Log successful connections.
Rules are a collection of criteria that define which traffic you will allow, block, or secure with the firewall. You can configure different types of rules:
Inbound
Outbound
Connection Security
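As an added example (not code from the course), the per-profile properties and logging options listed above, set with the NetSecurity cmdlets that ship with Windows 8 and Windows Server 2012, followed by a small function that summarizes the dropped inbound packets the resulting log records, which is the part of the log a defender reads first. The log file name, the sample log lines and the 192.0.2.x addresses are constructed for illustration; the configuration part needs an elevated PowerShell prompt.

```powershell
# Added example, not from the course text. Requires the NetSecurity module (Windows 8 /
# Windows Server 2012) and an elevated prompt for Set-NetFirewallProfile.

# --- 1. Firewall state, default actions, notifications and logging for one profile ---
# Splatting keeps each property on its own commented line.
$publicProfile = @{
    Profile               = 'Public'
    Enabled               = 'True'
    DefaultInboundAction  = 'Block'   # block inbound connections that no rule allows
    DefaultOutboundAction = 'Allow'   # allow outbound connections that no rule blocks
    NotifyOnListen        = 'True'    # "Notify me when Windows Firewall blocks a new app"
    LogFileName           = '%systemroot%\system32\LogFiles\Firewall\pfirewall-public.log'  # assumed name
    LogMaxSizeKilobytes   = 4096      # the default size limit mentioned in the text
    LogBlocked            = 'True'    # "Log dropped packets"
    LogAllowed            = 'False'   # "Log successful connections" stays off here
}
Set-NetFirewallProfile @publicProfile

# Read back what is now in force for all three profiles.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction,
                  LogFileName, LogMaxSizeKilobytes, LogBlocked, LogAllowed

# --- 2. Summarize dropped inbound packets from a firewall log ---
function Get-DroppedInboundSummary {
    param([string[]]$LogLines)
    # Field order comes from the #Fields header the firewall writes:
    # date time action protocol src-ip dst-ip src-port dst-port size tcpflags
    # tcpsyn tcpack tcpwin icmptype icmpcode info path
    $LogLines |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        ForEach-Object {
            $f = $_ -split '\s+'
            [pscustomobject]@{
                Action   = $f[2]
                Protocol = $f[3]
                SrcIP    = $f[4]
                DstPort  = $f[7]
                Path     = $f[16]     # RECEIVE = inbound, SEND = outbound
            }
        } |
        Where-Object { $_.Action -eq 'DROP' -and $_.Path -eq 'RECEIVE' } |
        Group-Object Protocol, DstPort |
        ForEach-Object {
            [pscustomobject]@{
                Protocol = $_.Group[0].Protocol
                DstPort  = [int]$_.Group[0].DstPort
                Drops    = $_.Count
                Sources  = (@($_.Group.SrcIP) | Sort-Object -Unique) -join ', '
            }
        } |
        Sort-Object Drops -Descending
}

# Constructed sample in the pfirewall.log format (not a real capture).
$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2012-09-10 14:03:21 DROP TCP 192.0.2.10 192.0.2.50 49822 3389 52 S 1234567 0 8192 - - - RECEIVE
2012-09-10 14:03:22 DROP TCP 192.0.2.10 192.0.2.50 49823 445 52 S 1234568 0 8192 - - - RECEIVE
2012-09-10 14:03:25 DROP TCP 192.0.2.11 192.0.2.50 51000 3389 52 S 1234569 0 8192 - - - RECEIVE
2012-09-10 14:03:30 ALLOW TCP 192.0.2.50 192.0.2.20 49900 80 0 - 0 0 0 - - - SEND
'@ -split "`r?`n"

Get-DroppedInboundSummary -LogLines $sampleLog | Format-Table -AutoSize

# Against the live log written by the profile configured above:
# Get-DroppedInboundSummary -LogLines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall-public.log")
```

The summary groups by protocol and destination port rather than by source, because a port that is repeatedly probed from several addresses is the finding worth following up; the Sources column keeps the addresses for that follow-up.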
Inbound Rules
Inbound rules explicitly allow or block traffic that matches the rule's criteria. For example, you can configure a rule to allow traffic secured by IPsec for Remote Desktop through the firewall, but block the same traffic if it is not secured by IPsec.
When you first install Windows, Windows Firewall blocks all unsolicited inbound traffic. To allow a certain type of unsolicited inbound traffic, you must create an inbound rule that describes that traffic. For example, if you want to run a Web server, then you must create a rule that allows unsolicited inbound network traffic on TCP port 80. You can configure the default action that Windows Firewall with Advanced Security takes, which is whether to allow or block connections when no inbound rule applies.
Outbound Rules
Windows Firewall allows all outbound traffic, unless a rule blocks it. Outbound rules explicitly allow or deny traffic originating from the computer that matches the rule's criteria. For example, you can configure a rule to explicitly block outbound traffic to a computer (by IP address) through the firewall, but allow the same traffic for other computers.
Program rules: Control connections for a program. Use this type of firewall rule to allow a connection based on the program that is trying to connect. These rules are useful when you are not sure of the port or other required settings, because you only specify the path to the program executable (.exe) file.
Port rules: Control connections for a TCP or UDP port. Use this type of firewall rule to allow a connection based on the TCP or UDP port number over which the computer is trying to connect. You specify the protocol and individual or multiple local ports.
Predefined rules: Control connections for a Windows experience. Use this type of firewall rule to allow a connection by selecting one of the programs or experiences from the list. Network-aware programs that you install typically add their own entries to this list so that you can enable and disable them as a group.
Custom rules: Configure as necessary. Use this type of firewall rule to allow a connection based on criteria that other types of firewall rules do not cover.
Consider the scenario in which you want to create and manage tasks on a remote computer by using the Task Scheduler user interface. Before connecting to the remote computer, you must enable the Remote Scheduled Tasks Management firewall exception on the remote computer. You can do this by using the predefined rule type on an inbound rule.
Alternatively, you may want to block all web traffic on the default TCP web server port 80. In this scenario, you create an outbound port rule that blocks the specified port. The next topic discusses well-known ports, such as port 80.
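The rule types and the two scenarios above, as an added example (not code from the course) written with the NetSecurity cmdlets of Windows 8 and Windows Server 2012. The program path, the rule names and the 10.0.0.0/24 subnet are constructed for illustration; the Remote Scheduled Tasks Management group name is the exception named in the text. Run from an elevated prompt.

```powershell
# Added example, not from the course text. NetSecurity cmdlets (Windows 8 / Windows
# Server 2012), elevated prompt. Program path, rule names and the subnet are assumptions.

# Program rule: the firewall opens only the ports this executable actually listens on,
# and only while it runs. Preferred when you do not know the port in advance.
New-NetFirewallRule -DisplayName 'Allow Contoso Agent (program rule)' `
    -Direction Inbound -Action Allow `
    -Program 'C:\Program Files\Contoso\Agent.exe' `
    -Profile Domain, Private

# Port rule: TCP 80 for a web server. A port rule is open whether or not anything
# listens, so restrict it to the Domain profile and one remote subnet.
New-NetFirewallRule -DisplayName 'Allow HTTP from management subnet (port rule)' `
    -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 80 `
    -RemoteAddress 10.0.0.0/24 `
    -Profile Domain

# Predefined rule: the Remote Scheduled Tasks Management scenario above. Enable the
# rule group Windows already ships instead of reconstructing its ports by hand.
Enable-NetFirewallRule -DisplayGroup 'Remote Scheduled Tasks Management'

# Outbound port rule: the second scenario above, blocking web traffic to TCP 80.
New-NetFirewallRule -DisplayName 'Block outbound HTTP (port rule)' `
    -Direction Outbound -Action Block `
    -Protocol TCP -RemotePort 80

# Verify: join each rule to its port, address and application filters so the
# effective scope is visible in one table rather than spread over dialog tabs.
function Get-FirewallRuleScope {
    param([string[]]$DisplayName)
    Get-NetFirewallRule -DisplayName $DisplayName | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        $app  = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Name          = $_.DisplayName
            Direction     = $_.Direction
            Action        = $_.Action
            Profile       = $_.Profile
            Protocol      = $port.Protocol
            LocalPort     = $port.LocalPort
            RemotePort    = $port.RemotePort
            RemoteAddress = $addr.RemoteAddress
            Program       = $app.Program
        }
    }
}

Get-FirewallRuleScope -DisplayName 'Allow Contoso Agent (program rule)',
    'Allow HTTP from management subnet (port rule)',
    'Block outbound HTTP (port rule)' | Format-Table -AutoSize
```

The verification function is the part worth keeping: a rule's action and direction live on the rule object, but its ports, addresses and program live on separate filter objects, and a rule that looks narrow in one view can be wide open in another.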
Firewall rules and connection security rules are complementary, and both contribute to a defense-in-depth strategy to protect your computer. Connection security rules secure traffic by using IPsec as it crosses the network. Use connection security rules to specify that connections between two computers must be authenticated or encrypted. Connection security rules specify how and when authentication occurs, but they do not allow connections. To allow a connection, create an inbound or outbound rule. After a connection security rule is in place, you can specify that inbound and outbound rules apply only to specific users or computers. You can create the following connection security rule types:
Isolation rules: Isolate computers by restricting connections based on authentication criteria, such as domain membership or health status. Isolation rules allow you to implement a server or domain isolation strategy.
Authentication exemption rules: Designate connections that do not require authentication. You can designate computers by specific IP address, an IP address range, a subnet, or a predefined group, such as a gateway.
You typically use this type of rule to grant access to infrastructure computers, such as Active Directory domain controllers, certification authorities, or Dynamic Host Configuration Protocol (DHCP) servers.
Server-to-server rules: Protect connections between specific computers. When you create this type of rule, you must specify the network endpoints between which you want to protect communications. Then, you designate requirements and the type of authentication that you want to use, such as Kerberos version 5 protocol. A scenario in which you might use this rule is to authenticate the traffic between a database server and a business-layer computer.
Tunnel rules: Secure communications that are traveling between two computers, by using tunnel mode in IPsec instead of transport mode. Tunnel mode embeds the entire network packet into one that you route between two defined endpoints. For each endpoint, specify a single computer that receives and consumes the sent network traffic, or specify a gateway computer that connects to a private network onto which the received traffic is routed after extracting it from the tunnel.
Custom rules: Configure as necessary. Custom rules authenticate connections between two endpoints when you cannot set up authentication rules by using the other rule types.
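The isolation, authentication exemption and server-to-server rule types above, as an added example (not code from the course) using New-NetIPsecRule from the NetSecurity module of Windows 8 and Windows Server 2012. The addresses and rule names are constructed; the exemption is written as a rule whose inbound and outbound security are both None, which is the form in which console-created exemption rules show up to the cmdlets, and is an assumption of this example. Run from an elevated prompt.

```powershell
# Added example, not from the course text. NetSecurity cmdlets (Windows 8 / Windows
# Server 2012), elevated prompt. Addresses and rule names are assumptions.

# Isolation rule: ask every peer on the domain profile to authenticate with the
# default Phase 1 method (Kerberos V5 computer credentials). Request, not Require,
# so hosts that cannot yet authenticate keep working during rollout; switch to
# Require once the Monitoring node shows the expected security associations.
New-NetIPsecRule -DisplayName 'Domain isolation (request inbound and outbound)' `
    -Profile Domain `
    -InboundSecurity Request -OutboundSecurity Request

# Authentication exemption: domain controllers must be reachable before Kerberos
# can succeed, so they are excluded from IPsec entirely (assumed None/None form).
New-NetIPsecRule -DisplayName 'Exempt domain controllers from IPsec' `
    -RemoteAddress 10.0.0.10, 10.0.0.11 `
    -InboundSecurity None -OutboundSecurity None

# Server-to-server rule: the database scenario above. Between the business-layer
# computer and the SQL server, TCP 1433 is accepted only when authenticated in both
# directions; peers that cannot authenticate are blocked, as the lesson describes.
New-NetIPsecRule -DisplayName 'App tier to SQL (require)' `
    -LocalAddress 10.0.1.20 -RemoteAddress 10.0.1.30 `
    -Protocol TCP -RemotePort 1433 `
    -InboundSecurity Require -OutboundSecurity Require `
    -Mode Transport

# Review the resulting connection security rules in one view.
Get-NetIPsecRule |
    Select-Object DisplayName, Enabled, Profile, Mode, InboundSecurity, OutboundSecurity |
    Format-Table -AutoSize
```

Note that none of these rules allows traffic by itself: TCP 1433 still needs an inbound firewall rule on the SQL server, and that firewall rule is where a restriction to specific authenticated computers would be attached.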
Monitoring
Windows Firewall uses the monitoring interface to display information about current firewall rules, connection security rules, and security associations (SAs). The Monitoring Overview page displays which profiles are active (domain, private, or public), and the settings for the active profiles. The Windows Firewall with Advanced Security events also are available in Event Viewer. For example, the ConnectionSecurity operational event log is a resource that you can use to view IPsec-related events. The operational log is always on, and it contains events for connection security rules.
Well-Known Ports
The Internet Assigned Numbers Authority (IANA) assigns the well-known ports, and on most systems, typically only system processes or programs that privileged users execute can use these ports. Ports receive a number between 0 and 65,535, and fall into three ranges:
Well-known ports are those from 0 through 1,023.
Registered ports are those from 1,024 through 49,151.
Dynamic and private ports are those from 49,152 through 65,535.
To view the current TCP/IP network connections and listening ports, use the netstat -a command.
IANA assigns well-known ports to specific applications, so that client applications can locate them on remote systems. Therefore, to the extent that is possible, use the same port assignments with TCP and UDP. To view a list of well-known ports and the associated services recognized by Windows 8, open the C:\Windows\System32\drivers\etc\Services file. The following table identifies some well-known ports.
Port   Protocol   Application
21     TCP        File Transfer Protocol (FTP)
23     TCP        Telnet
25     TCP        Simple Mail Transfer Protocol (SMTP) that email servers and clients use to send email
53     UDP        Domain Name System (DNS)
53     TCP        DNS
80     TCP        Hypertext Transfer Protocol (HTTP) that a web server uses
110    TCP        Post Office Protocol version 3 (POP3) that email clients use for email retrieval
143    TCP        Internet Message Access Protocol (IMAP) used for email retrieval from email clients
161    UDP        Simple Network Management Protocol (SNMP)
389    TCP        Lightweight Directory Access Protocol (LDAP)
443    TCP        Hypertext Transfer Protocol Secure (HTTPS) for secured web servers
3389   TCP        Remote Desktop Protocol (RDP) is a proprietary protocol that provides a user with a graphical interface to another computer
Typically, it is not necessary to configure applications to use specific ports. However, you must be aware of the ports that applications are using, to ensure that the required ports are open through your firewall when you use a port rule. Remember, when you add a TCP or UDP port to the rules list, the port is open whenever Windows Firewall with Advanced Security is running, regardless of whether there is a program or system service listening for incoming traffic on the port. For this reason, if you need to allow unsolicited incoming traffic, create a program rule instead of a port rule. With a program rule, the port opens and closes dynamically as the program requires. You also do not need to be aware of the port number that the application is using. If you change the application port number, the firewall automatically continues communication on the new port.
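As an added example (not code from the course), a check for the situation the paragraph above warns about: it reads the Services file named earlier in this topic to turn port numbers into service names, lists the listening TCP ports the way netstat -a does, and then reports every enabled inbound allow port rule that opens a TCP port on which nothing is listening. The Services excerpt below is constructed, and the function names are this example's own; the live part runs on Windows 8 or Windows Server 2012 with the NetSecurity and NetTCPIP modules.

```powershell
# Added example, not from the course text. Function names are this example's own.

function ConvertFrom-ServicesFile {
    param([string[]]$Lines)
    # Each entry looks like:  http   80/tcp   www www-http   # World Wide Web
    # Comment lines start with '#', and a service may appear once per protocol.
    $map = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(\S+)\s+(\d+)/(tcp|udp)') {
            $map["$($matches[3].ToUpper())/$($matches[2])"] = $matches[1]
        }
    }
    return $map
}

function Get-ListeningTcpPorts {
    # The listening lines of "netstat -a", plus the process that owns each socket.
    Get-NetTCPConnection -State Listen |
        Select-Object LocalPort, OwningProcess -Unique |
        ForEach-Object {
            [pscustomobject]@{
                Port    = $_.LocalPort
                Process = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name
            }
        }
}

function Find-OpenPortsWithoutListener {
    param([hashtable]$ServiceMap, [int[]]$Listening)
    # Enabled inbound allow rules whose port filter names specific TCP ports. Such a
    # port is open as long as the firewall runs, listener or not (see the text).
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        ForEach-Object {
            $rule = $_
            $pf = $rule | Get-NetFirewallPortFilter
            if ($pf.Protocol -ne 'TCP') { return }
            foreach ($p in @($pf.LocalPort)) {
                if ($p -notmatch '^\d+$') { continue }   # skip Any, ranges, RPC and similar
                if ([int]$p -notin $Listening) {
                    [pscustomobject]@{
                        Rule    = $rule.DisplayName
                        Port    = [int]$p
                        Service = $ServiceMap["TCP/$p"]
                    }
                }
            }
        }
}

# Constructed excerpt in the format of C:\Windows\System32\drivers\etc\services.
$servicesSample = @'
# constructed excerpt, not the real file
ftp                21/tcp
telnet             23/tcp
smtp               25/tcp    mail
domain             53/tcp
domain             53/udp
http               80/tcp    www www-http
ms-wbt-server    3389/tcp
'@ -split "`r?`n"

$svc = ConvertFrom-ServicesFile -Lines $servicesSample
$svc['TCP/3389']   # look up the Services-file name for the RDP port

# On a real host, use the actual file and the live listener list:
# $svc       = ConvertFrom-ServicesFile -Lines (Get-Content "$env:SystemRoot\System32\drivers\etc\services")
# $listening = (Get-ListeningTcpPorts).Port
# Find-OpenPortsWithoutListener -ServiceMap $svc -Listening $listening | Format-Table -AutoSize
```

A port rule that the check reports is not necessarily wrong, but each one is a door standing open for no current reason; converting it to a program rule, as the text recommends, closes it until the program actually listens.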
Objectives
Test ping in the network.
Create an inbound firewall rule.
Create an outbound firewall rule.
Test firewall rules.
Lab Setup
Estimated Time: 20 minutes
Virtual machines: 20687A-LON-DC1, 20687A-LON-CL1, 20687A-LON-CL2
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
o User name: Adatum\Administrator
o Password: Pa$$w0rd
o Domain: Adatum
5.
Results: At the end of this exercise, you will have configured and tested an inbound firewall rule.
When you have finished the lab, leave the virtual machines running, as they are needed for the next lab.
Lesson 3
IPsec is a suite of protocols that can protect data in transit through a network, by using security services and, optionally, digital certificates with public and private keys. Because of its design, IPsec helps provide much better security than previous protection methods. Network administrators who use it do not have to configure security for individual programs.
You can use connection security rules to configure IPsec settings for specific connections between your computer and others. Windows Firewall with Advanced Security uses the rule to evaluate network traffic, and then blocks or allows messages based on the criteria that you establish in the rule. In some circumstances, Windows Firewall with Advanced Security will block the communication. If you configure settings that require security for a connection (in either direction), and the two computers cannot authenticate each other, then IPsec blocks the connection.
Once you enable and configure IPsec, it is important that you know how to monitor IPsec.
Benefits of IPsec
You can use IPsec to ensure confidentiality, integrity, and authentication in data transport across insecure channels. Though its original purpose was to secure traffic across public networks, many organizations have chosen to implement IPsec to address perceived weaknesses in their own private networks that might be susceptible to exploitation. If you implement it properly, IPsec provides a private channel for sending and exchanging potentially sensitive or vulnerable data, whether it is email, FTP traffic, news feeds, partner and supply-chain data, medical records, or any other type of TCP/IP-based data.
IPsec:
Offers mutual authentication before and during communications.
Forces both parties to identify themselves during the communication process.
Enables confidentiality through IP traffic encryption and digital packet authentication.
IPsec Modes
IPsec has two modes:
Encapsulating Security Payload (ESP): Encrypts data through one of several available algorithms.
Authentication Header (AH): Signs traffic, but does not encrypt it.
ESP and AH verify the integrity of all IP traffic. If a packet has been modified, the digital signature will not match, and IPsec will discard the packet. ESP in tunnel mode encrypts the source and destination addresses as part of the payload. In tunnel mode, a new IP header is added to the packet, specifying the tunnel endpoints' source and destination addresses. ESP can make use of the Data Encryption Standard (DES), triple DES (3DES), and Advanced Encryption Standard (AES) encryption algorithms in Windows Server 2008 R2. As a best practice, you should avoid using DES, unless the clients cannot support the stronger encryption that AES or 3DES offer.
ESP and AH use sequence numbers. So any packets that malicious users attempt to capture for later replay are using numbers out of sequence. Using sequenced numbers ensures that an attacker cannot reuse or replay captured data to establish a session or gain information illegally. Using sequenced numbers also protects against attempts to intercept a message and use it to access resources illegally, possibly months later.
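As an added example (not code from the course), the ESP and algorithm choices above turned into a default quick-mode crypto set with the NetSecurity cmdlets of Windows 8 and Windows Server 2012, so that DES can never be negotiated, followed by the two monitoring views the earlier Monitoring topic names: the live security associations and the ConnectionSecurity operational log. The crypto set name is an assumption; run from an elevated prompt.

```powershell
# Added example, not from the course text. NetSecurity cmdlets (Windows 8 / Windows
# Server 2012), elevated prompt; the crypto set name is an assumption.

# Quick-mode proposals: ESP (encryption plus integrity) with AES-256, then AES-128,
# both with SHA-256 integrity. DES and AH-only are deliberately not offered, so a
# peer cannot negotiate down to them. Lifetimes rekey every 100,000 KB or 60 minutes.
$espProposals = @(
    New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AES256 -ESPHash SHA256 `
        -MaxKiloBytes 100000 -MaxMinutes 60
    New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AES128 -ESPHash SHA256 `
        -MaxKiloBytes 100000 -MaxMinutes 60
)
New-NetIPsecQuickModeCryptoSet -DisplayName 'ESP AES-only' -Proposal $espProposals -Default

# Confirm what the set offers: no DES should appear in the Encryption column.
(Get-NetIPsecQuickModeCryptoSet -DisplayName 'ESP AES-only').Proposal |
    Select-Object Encapsulation, Encryption, ESPHash, MaxKiloBytes, MaxMinutes

# Monitoring: live main-mode SAs show which peers actually negotiated and with what
# algorithms, the same data the console's Monitoring node displays.
Get-NetIPsecMainModeSA |
    Select-Object LocalEndpoint, RemoteEndpoint, CipherAlgorithm, HashAlgorithm

# The ConnectionSecurity operational log is always on; a peer that cannot
# authenticate (and is therefore blocked, as the lesson describes) leaves events here.
Get-WinEvent -LogName 'Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity' `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -Wrap
```

Checking the SA list after a rule change is the quickest way to tell the two failure modes apart: no SA at all means authentication never completed, while an SA listing an unexpected algorithm means the peer's proposal, not yours, won the negotiation.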
Using IPsec U c
So ome network environments are ideal for using e u IP Psec as a security solution, while others are not. w e We recommend IPsec for the following uses: W d Packet filte ering: IPsec provides limited d firewall cap pabilities for en systems. Yo nd ou can use IPsec with the Ne etwork Addres ss Translation (NAT)/Basic Firewall compo F onent of the Rout ting and Remo Access Serv to ote vice permit or block inbound or outbound traffic. b t
Securing host-to-host traffic on spec h t cific paths: You can use IPsec to provide protection for traffic betw ween servers or other o static IP add dresses or sub bnets. For exam mple, IPsec can secure traffic between dom n c main controller in rs different sit or between web servers and database servers. tes,
Securing traffic to serve You can re ers: equire IPsec p rotection for a client comp all puters that acce a ess server. Add ditionally, you can set restrict c tions on which computers ca connect to a server that is h an running Wi indows Server 2008 R2.
Layer Two Tunneling Protocol (L2TP)/IPsec for VPN connections: You can use the combination of L2TP and IPsec (L2TP/IPsec) for all VPN scenarios. This does not require you to configure and deploy IPsec policies.
Site-to-site (gateway-to-gateway) tunneling: You can use IPsec in tunnel mode for site-to-site (gateway-to-gateway) tunnels, when you need interoperability with third-party routers, gateways, or end systems that do not support L2TP/IPsec or Point-to-Point Tunneling Protocol (PPTP) connections.
Enforcing logical networks (server/domain isolation): In a Microsoft Windows-based network, you can isolate server and domain resources logically to limit access to authenticated and authorized computers. For example, you can create a logical network inside the existing physical network, where computers share common requirements for secure communications. To establish connectivity, each computer in this logically isolated network must provide authentication credentials to other computers.
This isolation prevents unauthorized computers and programs from gaining inappropriate access to resources. IPsec ignores requests from computers that are not part of the isolated network. Server and domain isolation can protect specific high-value servers and data, and protect managed computers from unmanaged or rogue computers and users. You can protect a network with two types of isolation:
Server isolation: To isolate a server, you configure specific servers to require IPsec policy to accept authenticated communications from other computers. For example, you might configure the database server to accept connections from the web application server only.
Domain isolation: To isolate a domain, you use Active Directory domain membership to ensure that computers that are domain members accept only authenticated and secured communications from other domain-member computers. The isolated network consists only of that domain's member computers, and domain isolation uses IPsec policy to protect traffic that is sent between domain members, including all client and server computers.
Note: Because IPsec depends on IP addresses for establishing secure connections, you cannot specify dynamic IP addresses. It often is necessary for a server to have a static IP address in IPsec policy filters. In large network deployments, and in some mobile user cases, using dynamic IP addresses at both ends of the connection can increase the complexity of IPsec policy design.
Network management functions that must inspect the TCP, UDP, and protocol headers are less effective or cannot function at all due to IPsec encapsulation or IP payload encryption.
Additionally, the IPsec protocol and implementation have characteristics that require special consideration when you perform the following tasks:
Protect traffic over wireless 802.11 LANs: You can use IPsec transport mode to protect traffic that is sent over 802.11 networks. However, we do not recommend IPsec for providing security for corporate 802.11 wireless local area networks (LANs). Instead, we recommend that you use Wi-Fi Protected Access (WPA) or 802.11 WPA2 encryption and Institute of Electrical and Electronics Engineers, Inc. (IEEE) 802.1X authentication. Support for IPsec, configuration management, and trust are required on client computers and servers.
Because many computers on a network do not support IPsec or they are not managed, it is not appropriate to use IPsec alone to protect all 802.11 corporate wireless LAN traffic. Additionally, IPsec tunnel mode policies are not optimized for mobile clients with dynamic IP addresses. IPsec tunnel mode also does not support dynamic address assignment or user authentication, which are necessary for remote access VPN scenarios. Use L2TP/IPsec VPN connections to secure remote access traffic to organizational networks, when that traffic is sent over public wireless networks that are connected to the Internet.
Use IPsec in tunnel mode for remote access VPN connections: We do not recommend that you use IPsec in tunnel mode for remote access VPN scenarios for Windows-based VPN clients and servers. Instead, use L2TP/IPsec or PPTP.
Using the IP Security Policy MMC snap-in: This MMC snap-in enables you to configure IPsec policies that apply to computers that are running earlier Windows versions and to computers that are running the current Windows version. This MMC snap-in is useful for environments where computers that are running these Windows versions coexist. You cannot use this snap-in to configure Windows Firewall with Advanced Security settings.
Using Netsh: Netsh is a command-line tool that you can use to configure network component settings. Windows Firewall with Advanced Security provides the netsh advfirewall context, which you can use to configure Windows Firewall with Advanced Security settings. You also can use the netsh ipsec commands to configure connection security rules.
Using PowerShell cmdlets: In Windows 8 you can use PowerShell to configure IPsec with cmdlets like:
New-NetIPsecRule -DisplayName "Require Inbound Authentication" -PolicyStore Adatum.com\gpo_name
Authentication Exemption: You can use an authentication exemption to designate connections that do not require authentication. You can designate computers by a specific IP address, an IP address range, a subnet, or a predefined group, such as a gateway.
Server to Server: A server-to-server rule protects connections between specific computers. This type of rule usually protects connections between servers. When you create the rule, you specify the network endpoints between which communications are protected. You then designate requirements and the authentication you want to use.
Tunnel: A tunnel rule allows you to protect connections between gateway computers, and typically, you use it when you are connecting across the Internet between two security gateways.
Custom: Sometimes, you cannot set up the authentication rules that you need by using the rules available in the New Connection Security Rule Wizard. In such cases, you can use a custom rule to authenticate connections between two endpoints.
How Firewall Rules and Connection Security Rules Are Related
Firewall rules allow traffic through the firewall, but do not secure that traffic. To secure traffic with IPsec, you can create connection security rules. However, when you create a connection security rule, this does not allow the traffic through the firewall. You must create a firewall rule to do this, if the traffic is not allowed by the firewall's default behavior. Connection security rules do not apply to programs and services, but rather apply between the computers that are the two endpoints.
Use the Request authentication for inbound and outbound connections option to specify that all inbound and outbound traffic must authenticate, but that the connection is allowable if authentication fails. However, if authentication succeeds, traffic is protected. You typically use this option in either low-security environments or in an environment where computers must be able to connect, but cannot perform the types of authentication that are available with Windows Firewall with Advanced Security.
Require Authentication for Inbound Connections, and Request Authentication for Outbound Connections
Use the Require authentication for inbound connections, and request authentication for outbound connections option if you want to require that all inbound traffic either is authenticated or else blocked. Outbound traffic can be authenticated, but it is allowed if authentication fails. If authentication succeeds for outbound traffic, that traffic is authenticated. You typically use this option in most IT environments in which the computers that need to connect can perform the authentication types that are available with Windows Firewall with Advanced Security.
Require Authentication for Inbound and Outbound Connections
Use the Require authentication for inbound and outbound connections option if you want to require that all inbound and outbound traffic either is authenticated or else blocked. You typically use this option in higher-security IT environments where you must protect and control traffic flow, and in which the computers that must be able to connect can perform the authentication types that are available with Windows Firewall with Advanced Security.
Default
Select the Default option to use the authentication method that you configured on the IPsec Settings tab of the Windows Firewall with Advanced Security Properties dialog box.
The User (Kerberos V5) method requests or requires the user to authenticate using the Kerberos version 5 authentication protocol. You can use the Kerberos version 5 authentication protocol only if the user is a domain member.
Computer Certificate
The Computer Certificate method requests or requires a valid computer certificate to authenticate and you must have at least one certificate authority (CA) to do this. Use this method if the computers are not part of the same AD DS domain.
The Only accept health certificates method requests or requires a valid health certificate to authenticate. Health certificates declare that a computer has met system health requirements, as determined by a Network Access Protections (NAP) health policy server, such as all software and other updates that network access requires. These certificates are distributed during the NAP health evaluation process. Use this method only for supporting NAP.
Advanced
You can configure any available method, and you can specify methods for First Authentication and Second Authentication. First Authentication methods include Computer Kerberos, computer certificate, and a preshared key (not recommended). Second Authentication methods include User Kerberos, User NTLM (Windows NT Challenge/Response protocol), user certificates, and computer health certificates. Second authentication methods are only supported by computers that are running Windows Vista, Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012.
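The rule types, the three inbound/outbound authentication options, the first and second authentication methods, and the firewall-rule/connection-security-rule relationship described above, put together with the Windows 8 NetSecurity cmdlets. This is an added example and not course or Microsoft sample code; it assumes an elevated PowerShell session on a domain-joined Windows 8 computer, and the firewall rule name and port are illustrative.

```powershell
# Added example (not from the course): build a connection security rule that
# requires authentication inbound and requests it outbound, using computer
# Kerberos as the first authentication and user Kerberos as the second, and
# pair it with a firewall rule, because a connection security rule by itself
# never admits traffic through the firewall.
# Assumptions: elevated PowerShell on a domain-joined Windows 8 client; the
# firewall rule's name and port (SMB, TCP 445) are illustrative.

Import-Module NetSecurity

# First authentication: computer Kerberos V5 (no certificate authority needed
# when both peers are members of the same AD DS forest)
$machineKerb = New-NetIPsecAuthProposal -Machine -Kerberos
$phase1 = New-NetIPsecPhase1AuthSet -DisplayName 'Computer Kerberos V5' -Proposal $machineKerb

# Second authentication: user Kerberos V5 (only Windows Vista and later negotiate this)
$userKerb = New-NetIPsecAuthProposal -User -Kerberos
$phase2 = New-NetIPsecPhase2AuthSet -DisplayName 'User Kerberos V5' -Proposal $userKerb

# "Require authentication for inbound connections, and request authentication
# for outbound connections": unauthenticated inbound traffic is dropped, while
# outbound traffic still flows if the peer cannot authenticate.
New-NetIPsecRule -DisplayName 'Authenticate all inbound connections' `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $phase1.Name -Phase2AuthSet $phase2.Name `
    -Profile Domain

# The rule above secures traffic but does not allow it through the firewall.
# This firewall rule admits inbound SMB only when the connection was
# authenticated by IPsec (-Authentication Required).
New-NetFirewallRule -DisplayName 'Allow authenticated inbound SMB' `
    -Direction Inbound -Protocol TCP -LocalPort 445 -Action Allow `
    -Authentication Required -Profile Domain

# To write the same rule into a GPO instead of the local store, add
# -PolicyStore 'Adatum.com\gpo_name' (the store named earlier on this page).

# Show what was created so the settings can be checked against the console
Get-NetIPsecRule -DisplayName 'Authenticate all inbound connections' |
    Format-List DisplayName, InboundSecurity, OutboundSecurity, Phase1AuthSet, Phase2AuthSet
```

Running the same script on a second domain member, as the lab later in this lesson does, gives two computers that can talk to each other while a computer that cannot authenticate (a non-domain consultant laptop, for example) is dropped at the inbound side.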
Monitoring IPsec
Windows Firewall with Advanced Security is a stateful, host-based firewall that blocks all incoming and outgoing connections based on its configuration. Although a typical end-user configuration for Windows Firewall still occurs via the Windows Firewall Control Panel tool, advanced configuration now occurs in an MMC snap-in named Windows Firewall with Advanced Security.
The inclusion of this snap-in not only provides an interface for configuring Windows Firewall locally, but also for configuring Windows Firewall on remote computers and through Group Policy. Firewall functions now integrate with IPsec protection settings, reducing the possibility of conflict between the two protection mechanisms.
You can use the Windows Firewall with Advanced Security console to monitor security policies that you create in the Connection Security Rules node. However, you cannot view the policies that you create by using the IP Security Policy snap-in. These security options are for use with Windows Vista, Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012. For older operating systems, such as Windows XP and Windows 2000, you must use IP Security Monitor to view SAs and connections.
The Connection Security folder lists all of the enabled connection security rules with detailed information about their settings. Connection security rules define which authentication, key exchange, data integrity, or encryption you can use to form an SA. The SA defines the security that protects the communication from the sender to the recipient.
The Security Associations folder lists all of the Main Mode and Quick Mode SAs, with detailed information about their settings and endpoints.
Main mode statistics provide data about the total number of SAs created and invalid packet information.
Quick mode provides more detailed information about connections. If you are having issues with an IPsec connection, quick mode statistics can provide insight into the problem.
IP Security Monitor
You can implement IP Security Monitor as an MMC snap-in, and it includes enhancements that you can use to view details about an active IPsec policy that the domain applies or which you apply locally. Additionally, you can view quick mode and main mode statistics, and active IPsec SAs. You also can use IP Security Monitor to search for specific main mode or quick mode filters. To troubleshoot complex IPsec policy designs, you can use IP Security Monitor to search for all matches for filters of a specific traffic type.
Additionally, you can enable DNS name resolution for the IP addresses that you are monitoring. Note that there are some issues to consider when enabling DNS. For example, it works only in a specific filter view for quick mode and in the SAs view for quick mode and main mode monitoring. There also is the possibility that you can affect the server's performance if several items in the view require name resolution. Finally, DNS name resolution requires a proper Pointer Record (PTR) in DNS.
You can monitor computers remotely from a single console, but you must modify a Registry value so that the remote system accepts a console connection. Setting the HKLM\system\currentcontrolset\services\policyagent\EnableRemoteMgmt Registry value to 1 prevents the "IPsec service is not running" error when you manage a computer remotely.
You can get basic information about the current IP security policy in the Active Policy node of the IP Security Monitoring MMC. This is useful during troubleshooting to identify which policy IPsec is applying to the server. Details such as the policy location and when it was modified last provide key details when you are determining the current policy in place. Additionally, use the following command to identify installed policies: netsh ipsec static show gpoassignedpolicy.
The Main Mode SA is the initial SA that is established between two computers. This negotiates a set of cryptographic protection suites between both hosts. This initial SA allows quick mode key exchange to occur in a protected environment. The Main Mode SA also is known as the Internet Security Association and Key Management Protocol (ISAKMP) or Phase 1 SA. Main Mode establishes the secure environment in which to exchange the other keys, as required by the IPsec policy.
A Quick Mode SA depends on the successful establishment of a Main Mode SA. A Quick Mode SA also is known as an IPsec or Phase 2 SA. This process establishes keys based on the information that the policy specifies. Quick Mode SAs establish protected transmission channels for the actual application IP data that the policy specifies.
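The Main Mode and Quick Mode SAs, the netsh policy query, and the remote-management Registry value described above, read and set from PowerShell rather than from the console. This is an added example, not course code; it assumes an elevated PowerShell session on Windows 8 with at least one active IPsec peer, and the property names shown in the tables are those of the NetSecurity SA objects.

```powershell
# Added example (not from the course): the monitoring views of the Windows
# Firewall with Advanced Security console, read with the NetSecurity cmdlets
# and netsh, plus the Registry change that lets IP Security Monitor on another
# computer connect to this one.
# Assumptions: elevated PowerShell on Windows 8; an IPsec peer is already
# connected, otherwise the SA lists are simply empty.

Import-Module NetSecurity

# Main Mode (ISAKMP / Phase 1) SAs: one per peer pair, showing the negotiated
# protection suite. The count is the "total number of SAs" main mode statistic.
$mainMode = @(Get-NetIPsecMainModeSA)
"Main Mode SAs: $($mainMode.Count)"
$mainMode | Format-Table LocalEndpoint, RemoteEndpoint, CipherAlgorithm, HashAlgorithm -AutoSize

# Quick Mode (IPsec / Phase 2) SAs: the channels that carry application data.
# A missing Quick Mode SA with a present Main Mode SA usually means the
# connection security rule matched but the phase 2 proposal did not.
$quickMode = @(Get-NetIPsecQuickModeSA)
"Quick Mode SAs: $($quickMode.Count)"
$quickMode | Format-Table LocalEndpoint, RemoteEndpoint -AutoSize

# The same views from netsh (also available on Windows 7)
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa

# Which legacy IPsec policy, if any, a GPO has assigned (command named on this page)
netsh ipsec static show gpoassignedpolicy

# Allow IP Security Monitor on another computer to manage this one: the
# EnableRemoteMgmt value named on this page, under the IPsec PolicyAgent service key
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent' `
    -Name EnableRemoteMgmt -Value 1 -Type DWord
```

Opening remote management is a change worth scoping: only consoles on the management network should be able to reach the policy agent, so pair the Registry change with a firewall rule that limits the remote endpoints.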
A. Datum uses many outside consultants. The enterprise's management has a concern that if a consultant was on the company network, they may be able to connect to unauthorized computers.
Objectives
Create a connection security rule on one computer.
Verify that connectivity is blocked from unauthorized computers.
Create a connection security rule on a second computer.
Verify the configured computers can communicate.
Lab Setup
Estimated Time: 20 minutes
Virtual Machine(s): 20687A-LON-DC1, 20687A-LON-CL1, 20687A-LON-CL2
User Name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. The required virtual machines should already be running from the preceding lab.
Requirements: Require authentication for inbound connections and request authentication for outbound connections
Authentication: Computer and user (Kerberos V5)
Name: Authenticate all inbound connections
Requirements: Require authentication for inbound connections and request authentication for outbound connections
Authentication: Computer and user (Kerberos V5)
Name: Authenticate all inbound connections
Results: At the end of this lab, you will have created and tested connection security rules.
When you have finished the lab, leave the virtual machines running, as they are needed for the next lab.
Lesson 4
Windows Defender helps to protect your computer from spyware and other forms of malicious software. In Windows 8, Windows Defender has improved in several ways. It integrates with Action Center to provide a consistent means of alerting you when action is required, and provides an improved user experience when you are scanning for spyware or manually checking for updates. Additionally, in Windows 8, Windows Defender has less impact on overall system performance, though it continues to deliver continuous, real-time monitoring.
In Windows Defender, run a quick, full, or custom scan. If you suspect spyware has infected a specific area of the computer, customize a scan by selecting specific drives and folders. You also can configure the schedule that Windows Defender will use. You can choose to have Windows Defender exclude processes in your scan; while this can make the scan complete faster, your computer will be less protected. When Windows Defender detects potential spyware activity, it stops the activity, and then raises an alert. Alert levels help you determine how to respond to spyware and unwanted software. You can configure Windows Defender behavior when a scan identifies unwanted software. You also are alerted if software attempts to change important Windows settings.
To help prevent spyware and other unwanted software from running on the computer, turn on Windows Defender real-time protection.
The following table identifies scanning options.
Scanning option   Description
Quick Scan        Checks the areas that malicious software, including viruses, spyware, and unwanted software, are most likely to infect.
Full Scan         Checks all the files on your hard disk and all running programs.
Custom Scan       Enables users to scan specific drives and folders.
We recommend that you schedule a daily quick scan. At any time, if you suspect that spyware has infected the computer, run a full scan. When you run a scan, the progress displays on the Windows Defender Home page. When Windows Defender detects a potentially harmful file, it moves the file to a quarantine area, and does not allow it to run or allow other processes to access it. Once the scan is complete, choose to remove or restore quarantined items and maintain the allowed list. A list of Quarantined items is available from the Settings page. Click View to see all items. Review each item, and individually remove or restore each. Alternatively, if you want to remove all quarantined items, click Remove All.
Note: Do not restore software with severe or high alert ratings because it can put your privacy and your computer's security at risk.
If you trust software that has been detected, stop Windows Defender from alerting you to risks that the software might pose by adding it to the allowed list. If you decide to monitor the software later, remove it from the allowed list.
The next time Windows Defender alerts you about software that you want to include in the allowed list, in the Alert dialog box, on the Action menu, click Allow, and then click Apply actions. Review and remove software that you have allowed from the Excluded files and locations list on the Settings page.
Scan archive files: Scanning these locations might increase the time required to complete a scan, but spyware and other unwanted software can install itself and attempt to hide in these locations.
Scan removable drives: Use this option to scan the contents of removable drives, such as USB flash drives.
Create a system restore point: Use this option before applying actions to detected items. Because you can set Windows Defender to remove detected items automatically, selecting this option allows you to restore system settings.
Allow all users to view the full History results: Use this option to allow all users that log on to this computer to see the scanning history. If you do not select this option, users will only see scan results that relate to their files.
Remove quarantined files after <Time>: Removes quarantined files after a set period of time. When you enable this option, the default period is one month, but you can set it from one day to three months.
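The scan types, the daily scan schedule recommended above, definition updates and quarantine review, driven from the command line. This is an added example, not course code: the Windows 8 release of Windows Defender has no PowerShell module, so the example calls MpCmdRun.exe (the command-line utility installed with Defender) and the Windows 8 ScheduledTasks cmdlets; it assumes an elevated PowerShell session, and the task name is illustrative.

```powershell
# Added example (not from the course): run and schedule Windows Defender scans
# on Windows 8 without the UI. Uses MpCmdRun.exe, which ships with Defender,
# and the ScheduledTasks module that ships with Windows 8.
# Assumptions: elevated PowerShell; the scheduled task name is illustrative.

$mpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'

# Current definitions first: a scan with stale definitions misses recent malware
& $mpCmdRun -SignatureUpdate

# Quick scan now. ScanType 1 = quick scan, 2 = full scan.
& $mpCmdRun -Scan -ScanType 1

# Daily full scan at 2:00 AM, run as SYSTEM so it does not depend on a user
# being logged on and cannot be stopped by a standard user
$action    = New-ScheduledTaskAction -Execute $mpCmdRun -Argument '-Scan -ScanType 2'
$trigger   = New-ScheduledTaskTrigger -Daily -At '2:00AM'
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName 'Windows Defender daily full scan' `
    -Action $action -Trigger $trigger -Principal $principal -Force | Out-Null

# List what Defender has quarantined. Review the alert level before restoring
# anything; items rated severe or high should stay quarantined.
& $mpCmdRun -Restore -ListAll

# Confirm the task is registered and when it will next run
Get-ScheduledTask -TaskName 'Windows Defender daily full scan' | Get-ScheduledTaskInfo |
    Select-Object TaskName, NextRunTime, LastTaskResult
```

Scheduling the scan as a task rather than through the Defender settings page makes the schedule visible to the same auditing and Group Policy controls as any other scheduled task, which is useful when you need to prove on many computers that the nightly scan really runs.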
You are planning to use Windows Defender to check for malicious files every day. You also want to ensure that Windows Defender will quarantine any files that it considers a severe risk to your system's security.
Objectives
Perform a quick scan.
View the allowed items.
Lab Setup
Estimated Time: 10 minutes
Virtual Machine(s): 20687A-LON-DC1, 20687A-LON-CL1
User Name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. The required virtual machines should already be running from the preceding lab.
You need to configure Windows Defender to perform a full scan every day at 2:00 AM. Before configuring Windows Defender, you plan on running a quick scan. Finally, you want to configure the default actions for Windows Defender to take and check the items that you do not want it to scan. The main tasks for this exercise are as follows:
1. Perform a quick scan.
2. View the allowed items.
Results: At the end of this lab, you will have configured and used Windows Defender.
Configure a local or remote computer by using either the Windows Firewall with Advanced Security snap-in or the netsh advfirewall command.
Configure Windows Firewall with Advanced Security settings by using the Group Policy Management Console (GPMC) or by using the netsh advfirewall command.
If you are configuring the firewall by using Group Policy, you need to ensure that the Windows Firewall service has explicit write access by its service security identifier (SID) to the location that you specify.
If you deploy Windows Firewall with Advanced Security by using Group Policy and then block outbound connections, ensure that you enable the Group Policy outbound rules, and do full testing in a test environment before deploying. Otherwise, you might prevent all of the computers that receive the policy from updating the policy in the future, unless you intervene manually.
Best Practice: Implementing Defense-in-Depth
Supplement or modify the following best practices for your own work situations:
1. Create specific rules that help prevent social engineering, and educate users on these rules and their relevance.
2. Restrict physical access to servers by locking doors, and then monitor server room access.
3. Implement antivirus and anti-spyware software.
4. Implement host-based firewalls.
Best Practice: Windows Defender
Supplement or modify the following best practices for your own work situations:
1. When you use Windows Defender, you must have current definitions.
2. To help keep your definitions current, Windows Defender automatically installs new definitions as they are released. You also can set Windows Defender to check online for updated definitions before scanning.
3. When you scan your computer, we recommend that you select the advanced option to Create a restore point before applying actions to detected items. Because you can set Windows Defender to remove detected items automatically, selecting this option allows you to restore system settings in case you want to use software that you did not intend to remove.
Question: You need to ensure that traffic passing between a computer in the perimeter network and one deployed in the internal network is encrypted and authenticated. The computer in the perimeter is not a member of your AD DS forest. What authentication methods could you use if you attempted to establish a connection security rule between these two computers?
Question: If you wanted to ensure that only domain computers can communicate with other domain computers, how could you achieve this easily with Windows Firewall?
Question: You decide to deploy a third-party messaging application on your company's laptop computers. This application uses POP3 to retrieve email from the corporate mail server, and Simple Mail Transfer Protocol (SMTP) to send mail to the corporate email relay. Which ports must you open in Windows Firewall?
Question: What does Windows Defender do to software that it quarantines?
Tools
Tool                                      Use for                                        Where to find it
Ping                                      Testing network connectivity                   Command-line
Windows Firewall with Advanced Security   Managing inbound, outbound, and IPsec rules    Control Panel
Windows Defender                          Anti-malware detection and removal             Control Panel
Module 7
Contents:
Module Overview 7-1
Lesson 1: Managing File Access 7-2
Lesson 2: Managing Shared Folders 7-12
Lesson 3: Configuring File Compression 7-20
Lab A: Configuring File Access 7-24
Lesson 4: Managing Printers 7-27
Lab B: Configuring Printers 7-30
Lesson 5: Overview of SkyDrive 7-32
Module Review and Takeaways 7-35
Module Overview
This module provides the information and tools you need to manage access to shared folders and printers on a computer running the Windows 8 operating system. Specifically, the module describes how to share and protect folders, configure folder compression, and how to install, configure, and manage printers. Additionally, this module introduces the Windows Live SkyDrive functionality. To maintain network or local file and printer systems, it is essential to understand how to safeguard these systems and make them operate as efficiently and effectively as possible. This includes setting up NTFS file-system folder permissions, compressing and managing shared folders and files, and configuring printers.
Objectives
After completing this module, you will be able to:
Describe file-access management.
Describe management of shared folders.
Describe the configuration of file compression.
Explain how to configure file access.
Describe the process of managing printers.
Explain how to configure printers.
Provide an overview of Windows Live SkyDrive.
Lesson 1
You can use NTFS file system permissions to define the level of access that users have to files that are available on your network or locally on your Windows 8 computer. This lesson explores NTFS file-system permissions, as well as the effect of various file and folder activities on these permissions.
File and folder permissions define the type of access that you grant to a user, group, or computer. For example, you can let one user read a file's contents, while you let another user make changes to that file. Or you can prevent all other users from accessing that file. You can set similar permissions on folders. There are two levels of permissions:
Shared folder permissions: Allow security principals, such as users, to access shared resources from across the network. Shared folder permissions only are in effect when a user accesses a resource from the network. The next lesson covers this topic in greater detail.
NTFS file system permissions: Are always in effect, whether a user accesses the file by connecting across the network or by logging on to the local machine on which the resource is located. You can grant NTFS permissions to a file or folder for a named group or user.
Each NTFS file and folder has an access control list (ACL) with a list of users and groups that are assigned permissions to the file or folder. Each entry in the ACL is an access control entry that identifies the specific permissions granted to a user or group.
User rights allow administrators to assign specific privileges and logon rights to groups or users. These rights authorize users to perform specific actions, such as logging on to a system interactively, or backing up files and directories. User rights are different from permissions, because user rights apply to user accounts, whereas permissions are attached to objects. Administrators can employ user rights to manage who has the authority to perform operations that span an entire computer, rather than a particular object. Administrators assign user rights, or privileges, to individual users or groups as part of the computer's security settings. Although you can manage user rights centrally through Group Policy, they are applied locally. Users can, and usually do, have different user rights on different computers. Unlike permissions, which an object's owner (or a user with the appropriate permission) grants, you assign user rights as part of the computer's local security policy.
There are two types of user rights: privileges, such as the right to back up files and directories, and logon rights, such as the right to log on to a system locally.
Possible Scenarios
Conflicts between privileges and permissions typically occur only where the rights that are required to administer a system overlap the resource-ownership rights. When rights conflict, a privilege overrides a permission.
For example, to create a backup of files and folders, backup software must be able to traverse all folders in an NTFS volume, list the contents of each folder, read the attributes of every file, and read data in any file that has its archive attribute set. It is impractical to arrange this access by coordinating with the owner of every file and folder. Therefore, the required rights are included in the Back up files and directories privilege, which is assigned by default to two built-in groups: Administrators and Backup Operators. Any user who has this privilege can access all files and folders on the computer to back up the system.
The same default permissions that allow Backup Operators to back up and restore files also enable them to use the group's permissions for other purposes, such as reading another user's files or installing Trojan horse programs. Therefore, you should limit the Backup Operators group to highly trusted user accounts that require the ability to back up and restore computers.
The ability to take ownership of files and other objects is another case where an administrator's need to maintain the system takes priority over an owner's right to control access. Normally, you can take ownership of an object only if its current owner gives you permission to do so. Owners of NTFS objects can allow another user to take ownership by granting the other user the Take Ownership permission. Owners of Active Directory Domain Services (AD DS) objects can grant another user the Modify Owner permission. A user who has the Take ownership of files or other objects privilege can take ownership of an object without the current owner's permission. By default, the privilege is assigned only to the built-in Administrators group. Administrators typically use this to take and reassign ownership of resources for which the current owner is no longer available.
The following table lists the standard NTFS file and folder permissions. You can choose whether to allow or deny each of the permissions.

File permissions and their descriptions:

Full Control: Complete control of the file/folder and control of permissions.
Modify: Read and write access.
Read and Execute: File can be read, and programs can be started. Folder content can be seen, and programs can be started.
Read: Read-only access.
Write: File content can be changed, and file can be deleted. Folder content can be changed, and files can be deleted.
Special permissions: A custom configuration.
Note: Groups or users granted Full Control on a folder can delete any files in that folder, regardless of the permissions protecting the file.
To modify NTFS permissions, you must be given the Full Control NTFS permission for a folder or file. The one exception is for file and folder owners. The owner of a file or folder can modify NTFS permissions, even if they do not have any current NTFS permissions. Administrators can take ownership of files and folders to make modifications to NTFS permissions.
Special permissions give you a finer degree of control for assigning access to files and folders. However, special permissions are more complex to manage than standard permissions. The following table defines the special permissions for which you can provide custom configuration for each file and folder.

Traverse Folder/Execute File: The Traverse Folder permission applies only to folders. This permission allows or denies moving through folders to reach other files or folders, even if the user does not have permissions for the traversed folders. Traverse Folder takes effect only when the group or user is not granted the Bypass Traverse Checking user right. The Bypass Traverse Checking user right is assigned under user rights in the Group Policy snap-in. By default, the Everyone group is given the Bypass Traverse Checking user right. The Execute File permission allows or denies running program files. If you set the Traverse Folder permission on a folder, the Execute File permission is not automatically set on all files in that folder.

List Folder/Read Data: The List Folder permission allows or denies viewing file names and subfolder names in the folder. The List Folder permission applies only to folders and affects only the contents of that folder. This permission is not affected by whether the folder on which you are setting the permission is itself listed in the folder list. The Read Data permission applies only to files, and allows or denies viewing data in files.

Read Attributes/Read Extended Attributes: The Read Attributes permission allows or denies viewing the attributes of a file or folder, such as the read-only and hidden attributes. NTFS defines the attributes. The Read Extended Attributes permission allows or denies viewing the extended attributes of a file or folder. Extended attributes are defined by programs, and they can vary by program.

Create Files/Write Data: The Create Files permission applies only to folders, and allows or denies creating files in the folder. The Write Data permission applies only to files, and allows or denies making changes to the file and overwriting existing content.

Create Folders/Append Data: The Create Folders permission applies only to folders, and allows or denies creating folders in the folder. The Append Data permission applies only to files, and allows or denies making changes to the end of the file, but not changing, deleting, or overwriting existing data.

Write Attributes: The Write Attributes permission allows or denies changing the attributes of a file or folder, such as read-only or hidden. NTFS defines the attributes. The Write Attributes permission does not imply that you can create or delete files or folders. It includes only the permission to make changes to the attributes of a file or folder.

Write Extended Attributes: The Write Extended Attributes permission allows or denies changing the extended attributes of a file or folder. Programs define the extended attributes, which can vary by program. The Write Extended Attributes permission does not imply that the user can create or delete files or folders. It includes only the permission to make changes to the extended attributes of a file or folder.

Delete Subfolders and Files: This permission applies only to folders, and allows or denies deleting subfolders and files, even if the Delete permission is not granted on the subfolder or file.

Delete: The Delete permission allows or denies deleting the file or folder. If you have not been assigned Delete permission on a file or folder, you can still delete the file or folder if you are granted the Delete Subfolders and Files permission on the parent folder.

Read Permissions: Allows or denies reading the permissions on the file or folder, such as Full Control, Read, and Write.

Change Permissions: Allows or denies changing the permissions on the file or folder, such as Full Control, Read, and Write.

Take Ownership: The Take Ownership permission allows or denies taking ownership of the file or folder. The owner of a file or folder can change permissions on it, regardless of any existing permissions that protect the file or folder.
Conditions

Windows 8 allows you to assign conditions that must be met for a permission to take effect. Conditions can be based on group memberships or the device with which the user is accessing the file or folder. When viewing the NTFS permissions for a file or folder, the applied conditions are listed in the Condition column in the Advanced Security Settings for <file/folder name>. When you use a Group condition, you can specify that the permission will apply to the user based on the following group membership rules:
- Member of Any of the specified group(s).
- Member of Each of the specified group(s).
- Not Member of Any of the specified group(s).
- Not Member of Each of the specified group(s).

When you use a Device condition, you can specify that the permission will apply if the user is accessing the file from a specified computer or computers.

You can specify multiple conditions that must all be met for the configured permission to be applied. For example, you can create a permission that would give the Financial group full control permissions if they are also a member of the Managers group and are accessing the folder from <computername>.

Permissions inheritance allows the NTFS permissions that are set on a folder to be applied automatically to files that users create in that folder and its subfolders. This means that you can set NTFS permissions for an entire folder structure at a single point. If you have to modify the permissions, you then only have to perform the change at that single point. For example, when you create a folder called MyFolder, all subfolders and files created within MyFolder automatically inherit that folder's permissions. Therefore, MyFolder has explicit permissions, while all subfolders and files within it have inherited permissions.

You also can add permissions to files and folders below the initial point of inheritance, without modifying the original permissions assignment. This is done to grant a specific user or group a different file access than the inherited permissions.
You also can deny permissions explicitly. For example, Alice might not want Bob to be able to read her file, even though he is a member of the Marketing group. She can exclude Bob by explicitly denying him permission to read the file. This is normally how explicit denies are used to exclude a subset (such as Bob) from a larger group (such as Marketing) that is given permission to perform an operation.
Note that use of explicit denials, while possible, increases the complexity of the authorization policy, which can create unexpected errors. For example, you might want to allow domain administrators to perform an action but deny domain users. If you attempt to implement this by explicitly denying domain users, you also deny any domain administrators who also are domain users. Though it is sometimes necessary, you should avoid the use of explicit denies in most cases.
In most cases, Deny overrides Allow unless a folder is inheriting conflicting settings from different parents. In that case, the setting inherited from the parent closest to the object in the subtree will have precedence.

Note: Inherited Deny permissions do not prevent access to an object if the object has an explicit Allow permission entry. Explicit permissions take precedence over inherited permissions, even inherited Deny permissions.
Only inheritable permissions are inherited by child objects. When you set permissions on the parent object, you can decide whether folders, subfolders, and files can inherit permissions. Perform the following steps to assign permissions that can be inherited:
1. In Windows Explorer, right-click the file or subfolder, click Properties, click the Security tab, and then click Advanced.
2. In the Advanced Security Settings for <file or folder> page, the Inherited From column lists from where the permissions are inherited. The Applies to column lists the folders, subfolders, or files to which the permissions are applied.
3. Double-click the user or group for which you want to adjust permissions.
4. On the Permissions Entry for <name> page, click the Applies to field, and then select one of the following options:
   - This folder only
   - This folder, subfolders, and files
   - This folder and subfolders
   - This folder and files
   - Subfolders and files only
   - Subfolders only
   - Files only
5. Click OK on the Permission Entry for <name> page, click OK on the Advanced Security Settings for <name> page, and then click OK on the Properties page.
If the Special Permissions entry in Permissions for <User or Group> is shaded, it does not imply that this permission is inherited. Rather, this means that a special permission is selected.
After you set permissions on a parent folder, new files and subfolders that are created in the folder inherit these permissions. You can block permission inheritance to restrict access to these files and subfolders. For example, all accounting users may be assigned Modify permission to the ACCOUNTING folder. On the subfolder WAGES, inherited permissions can be blocked, with only a few specific users given access to the folder.

Note: When permissions inheritance is blocked, you have the option to copy existing permissions, or begin with blank permissions. If you only want to restrict a particular group or user, then copying existing permissions simplifies the configuration process.

To prevent a permission on a parent folder from being inherited by a child file or folder, select This folder only in the Applies to box when you set up permissions for the parent folder.
To prevent a folder or file from inheriting permissions from a parent folder, perform the following steps:
1. In Windows Explorer, right-click the file or subfolder, click Properties, click the Security tab, and then click Advanced.
2. In the Advanced Security Settings for <file or folder> page, click Disable inheritance.
3. In the Block Inheritance dialog box, select any of the following options:
   - Convert inherited permissions into explicit permissions on this object
   - Remove all inherited permissions from this object
   - Cancel
4. Click OK on the Advanced Security Settings for <name> window, and then click OK on the Properties page.
Disable inheritance for the Adatum folder, and then convert the inherited permissions to explicit permissions. Apply the change. Note the change in the inheritance column. Note the contents of the Applies to column.

Add the Managers group, and then grant them Modify permissions to the PermissionsTest file.

How Does the Copying and Moving of Files and Folders Affect Configured Permissions?
When copying or moving a file or folder, the permissions might change, depending on where you move the file or folder. Therefore, when you copy or move files or folders, it is important to understand the impact on permissions.

- When you copy a file or folder within a single NTFS partition, the copy of the folder or file inherits the permissions of the destination folder.
- When you copy a file or folder to a different NTFS partition, the copy of the folder or file inherits the permissions of the destination folder.
- When you copy a file or folder to a non-NTFS partition, such as a FAT file system partition, the copy of the folder or file loses its NTFS file system permissions because non-NTFS partitions do not support NTFS file system permissions.

Note: When you copy a file or folder within a single NTFS partition or between NTFS partitions, you must have Read permission for the source folder and Write permission for the destination folder.

When moving a file or folder, permissions might change, depending on the permissions of the destination folder. Moving a file or folder has the following effects on NTFS file system permissions:
- When you move a file or folder within an NTFS partition, the file or folder inherits the permissions of the new parent folder. If the file or folder has explicitly assigned permissions, those permissions are retained in addition to the newly inherited permissions.

Note: Most files do not have explicitly assigned permissions. Instead, they inherit permissions from their parent folder. If you move files that have only inherited permissions, they do not retain these inherited permissions during the move.

- When you move a file or folder to a different NTFS partition, the folder or file inherits the permissions of the destination folder. When you move a folder or file between partitions, Windows 7 copies the folder or file to the new location, and then deletes it from the old location.
- When you move a file or folder to a non-NTFS partition, the folder or file loses its NTFS file system permissions, because non-NTFS partitions do not support NTFS file system permissions.

Note: When you move a file or folder within an NTFS partition or between NTFS partitions, you must have both Write permission for the destination folder, and Modify permission for the source file or folder. Modify permission is required to move a folder or file, because Windows 8 deletes the folder or file from the source folder after it copies it to the destination folder.

The Copy command is not aware of the security settings on folders or files. However, more robust commands are. For example:
- Xcopy has the /o switch to include Ownership and NTFS Access Control List (ACL) settings.
- Robocopy has several switches that will cause security information to be copied:
  - /Copy:copyflag(s): the default setting is the equivalent of /Copy:DAT, where D=Data, A=Attributes and T=Timestamps. You can add the S flag, where S=Security, i.e. NTFS ACLs.
  - /Sec is the equivalent of /Copy:DATS.
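The difference between a plain copy and a security-aware copy can be verified directly. The following script is an added example, not part of the course: it puts an explicit Deny entry on a constructed file, copies it once with Copy-Item and once with robocopy /COPY:DATS, and counts the explicit Deny entries on each result. The paths are placeholders; BUILTIN\Guests is used because an administrator is never a member of it, so the Deny does not interfere with the copy itself.

```powershell
# Added example (not from the course). Run in an elevated session on an NTFS volume.
$Src   = 'C:\Temp\AclSource'          # placeholder folder
$Dst1  = 'C:\Temp\AclDest-CopyItem'   # placeholder folder
$Dst2  = 'C:\Temp\AclDest-Robocopy'   # placeholder folder
$Group = 'BUILTIN\Guests'             # built-in group present on every Windows machine

New-Item -ItemType Directory -Path $Src, $Dst1, $Dst2 -Force | Out-Null
Set-Content -Path "$Src\secret.txt" -Value 'constructed sample data'

# Put an explicit Deny ACE on the source file so the difference is visible.
$acl  = Get-Acl -Path "$Src\secret.txt"
$deny = New-Object System.Security.AccessControl.FileSystemAccessRule($Group, 'ReadData', 'Deny')
$acl.AddAccessRule($deny)
Set-Acl -Path "$Src\secret.txt" -AclObject $acl

# 1. Copy-Item behaves like the Copy command: the new file simply inherits the
#    destination folder's permissions; the explicit Deny is not carried over.
Copy-Item -Path "$Src\secret.txt" -Destination $Dst1

# 2. robocopy with the S flag (/COPY:DATS, equivalent to /SEC) copies the NTFS ACL.
#    robocopy exit codes below 8 mean success.
robocopy $Src $Dst2 secret.txt /COPY:DATS | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

function Get-ExplicitDenyCount([string]$File) {
    # Number of non-inherited Deny entries in the file's DACL.
    @((Get-Acl -Path $File).Access |
        Where-Object { -not $_.IsInherited -and $_.AccessControlType -eq 'Deny' }).Count
}

[pscustomobject]@{
    Source       = Get-ExplicitDenyCount "$Src\secret.txt"    # 1: the Deny we added
    CopyItemCopy = Get-ExplicitDenyCount "$Dst1\secret.txt"   # 0: only inherited entries
    RobocopyCopy = Get-ExplicitDenyCount "$Dst2\secret.txt"   # 1: ACL preserved
}
```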
The Effective Permissions feature determines the permissions a user or group has on an object, by calculating the permissions that are granted to the user or group. The calculation takes into account the permissions in effect from group membership and any of the permissions inherited from the parent object. It looks up all domain and local groups in which the user or group is a member.

Note: The Effective Permissions feature always includes the Everyone group when calculating effective permissions, as long as the selected user or group is not a member of the Anonymous Logon group.

The Effective Permissions feature only produces an approximation of the permissions that a user has. The actual permissions the user has may be different, since permissions can be granted or denied based on how a user logs on. This logon-specific information cannot be determined by the Effective Permissions feature, because the user may not log on. Therefore, the effective permissions it displays reflect only those permissions specified by the user or group, and not the permissions specified by the logon. For example, if a user is connected to a computer through a file share, then the logon for that user is marked as a Network Logon. Permissions can be granted or denied to the well-known security ID (SID) Network, which the connected user receives. This way, a user has different permissions when logged on locally than when logged on over a network.

Effective permissions can be viewed on the Advanced Security Settings for <folder> dialog box. You can access this dialog box from a folder's Properties dialog box, using the Advanced button on the Security tab, or directly from the Share menu on the ribbon.
Scenario
User1 is a member of the Users group and the Sales group. The graphic on the slide, which shows folders and files on the NTFS partition, includes three situations, each of which has a corresponding discussion question.

Question: The Users group has Write permission, and the Sales group has Read permission for Folder1. What permissions does User1 have for Folder1?

Question: The Users group has Read permission for Folder1. The Sales group has Write permission for Folder2. What permissions does User1 have for File2?

Question: The Users group has Modify permission for Folder1. File2 is accessible only to the Sales group, and they are able to read File2 only. What do you do to ensure that the Sales group has only Read permission for File2?
Lesson 2
Collaboration is an important part of your job. Your team might create documents that are shared only by its members, or you may work with a remote team member who needs access to your team's files. Because of collaboration requirements, you must understand how to manage shared folders in a network environment. Sharing folders gives users access to those folders over a network. Users can connect to the shared folder over the network to access the folders and files that the shared folder contains.

Shared folders can contain applications, public data, or a user's personal data. Managing shared folders helps you provide a central location for users to access common files, and it simplifies the task of backing up data that those folders contain. This module examines various methods of sharing folders, along with the effect this has on file and folder permissions when you create shared folders on a partition formatted with the NTFS file system.

Windows 8 uses the Public folder to simplify file sharing. With Public folder sharing enabled, the public folders and all the folders within the Public folder are automatically shared with the name Public. You do not have to configure file sharing on separate folders. Just move or copy the file or folder that you want to share on the network to the Public folder on your Windows 8 client.

In Windows 8, members of the Administrators, Power Users, and Server Operators groups can share folders. Other users who are granted the Create Permanent Shared Objects user right can also share folders. If a folder resides on an NTFS volume, you must have at least Read permission to share the folder. When you share a folder, you must decide the permissions that a user or group will have when they access the folder through the share. These are called sharing permissions.
Basic sharing permissions are greatly simplified in Windows 8, which offers two choices:
- Read: The "look, but do not touch" option. Recipients can open, but not modify or delete, a file.
- Read/Write: The "full control" option. Recipients can open, modify, or delete a file.

There are several different ways in which you can share folders with others on the network:
- In the Microsoft Management Console (MMC) snap-in titled Shared Folders
- In Windows Explorer
- Through the command line
- Through Computer Management
- Using Windows PowerShell version 3.0 cmdlets
You can use the Microsoft Management Console (MMC) snap-in, Shared Folders, to manage all file shares centrally on a computer. Use this snap-in to create file shares and set permissions, and to view and manage open files and the users who are connected to the computer's file shares. Additionally, you can view the properties for the folder, which allows you to perform actions such as specifying NTFS permissions. The Shared Folders snap-in presents the Create a Shared Folder Wizard when you are creating a new share. By default, the share name will be the same as the folder name, and all users have Read share permissions.
Using the Share with Option from the Context Menu or Ribbon
The Share with option is a simple and fast way to share a folder. When you right-click a folder, and then select Share with, you get a fly-out menu that allows you to either stop sharing the folder or share the folder with specific people. When you are sharing with specific people, you can select Everyone or use Find people to share the folder with specific groups. After selecting who you want to share with, you can set either Read or Read/Write permissions. The wizard will set the share permissions to Everyone Full Control, and the NTFS permissions based on what you selected. The share name will be the same as the folder name.
Using the Properties dialog box provides two options. You can click the Share button, which then presents the same dialog box as Share with Specific people, or you can click the Advanced Sharing button. When you use advanced sharing, you can specify the share name. The default is the same as the folder name, and you can specify share permissions as Full Control, Change or Read. Additionally, since you are in the Properties dialog box, you can click the Security tab and set NTFS permissions.
You can share a folder through the command line by using the net share command, which the following example shows in its basic form:
Net Share name=drive:path
This will create a simple share, which uses the share name that you specify, and which grants all users Read permissions. Additional options include:

/Grant:user,permission: Allows you to specify Read, Change, or Full share permissions for the specified user.
/Users:number: Allows you to limit the number of users that can connect to the share.
/Remark:text: Allows you to add a comment to the share.
/Cache:option: Allows you to specify the caching options for the share.
sharename /Delete: Allows you to remove an existing share.
Additional PowerShell commands for managing shares include:

Get-SmbShare: Gets a list of the existing shares on the computer.
Set-SmbShare: Modifies an existing share.
Remove-SmbShare: Removes an existing share.
Get-SmbShareAccess: Retrieves the share permissions for a share.
Get-Acl: Retrieves the NTFS ACL (this cmdlet is not new).
Grant-SmbShareAccess: Used to set share permissions on a share.
Set-Acl: Used to set the NTFS ACL for a specified resource (this cmdlet is not new).
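Putting these cmdlets together, the following script is an added example (not from the course) that creates a share whose share-level ACL lists Authenticated Users instead of Everyone, as the course recommends later in this lesson, and then sets the NTFS ACL with Set-Acl after converting inherited entries to explicit ones. New-SmbShare and Revoke-SmbShareAccess are real cmdlets from the same SmbShare module; the folder path, share name and ADATUM group names are placeholders.

```powershell
# Added example, not from the course. Run in an elevated session.
$Path      = 'C:\Shares\ProjectData'   # placeholder folder
$ShareName = 'ProjectData'             # placeholder share name
$Readers   = 'ADATUM\Sales'            # placeholder domain groups
$Editors   = 'ADATUM\Managers'

New-Item -ItemType Directory -Path $Path -Force | Out-Null

# Share permissions are the outer filter: Authenticated Users get Change at
# the share, so nothing reaches Full Control through the share, and the
# fine-grained decision is left to the NTFS ACL below.
New-SmbShare -Name $ShareName -Path $Path -Description 'Project data' `
    -ChangeAccess 'NT AUTHORITY\Authenticated Users' | Out-Null
# Defensive: make sure no Everyone entry is left on the share ACL.
Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -Force -ErrorAction SilentlyContinue

# NTFS permissions, step 1: stop inheriting, keeping the inherited entries as
# explicit copies (the "Convert inherited permissions into explicit
# permissions" option in the Block Inheritance dialog box).
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $Path -AclObject $acl

# Step 2: re-read, drop the broad BUILTIN\Users entries that were copied from
# the volume root, and add the two group entries that apply to this folder,
# its subfolders and its files.
$acl = Get-Acl -Path $Path
$acl.Access | Where-Object { $_.IdentityReference.Value -eq 'BUILTIN\Users' } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }
$inherit  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none     = [System.Security.AccessControl.PropagationFlags]::None
$readRule = New-Object System.Security.AccessControl.FileSystemAccessRule($Readers, 'ReadAndExecute', $inherit, $none, 'Allow')
$editRule = New-Object System.Security.AccessControl.FileSystemAccessRule($Editors, 'Modify',         $inherit, $none, 'Allow')
$acl.AddAccessRule($readRule)
$acl.AddAccessRule($editRule)
Set-Acl -Path $Path -AclObject $acl

# Verify both layers.
Get-SmbShareAccess -Name $ShareName | Format-Table AccountName, AccessRight, AccessControlType
(Get-Acl -Path $Path).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited
```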
Basic folder sharing is the simplest form of Any Folder sharing, because it enables users to share a folder quickly and simply. Basic folder shares are created by using the Windows Explorer Share with Wizard or the Net share command without any additional options.

You can use Advanced Sharing to exert more control over the Any Folder sharing process. When you use Advanced Sharing to share a folder, you must specify the following information:
- A share name: The default name is the folder name.
- The maximum number of concurrent connections to the folder: The default number is 20 concurrent connections.
- Shared folder permissions: The default permissions are Read permissions for the special group Everyone. The permissions set here are only share permissions. This does not modify the underlying NTFS permissions.
- Caching options: The default caching option allows user-selected files and programs to be available offline. You can disable offline files and programs, or configure files and programs to be available offline automatically.

You can access Advanced Sharing through the:
- Create a Shared Folder Wizard from the Shared Folders snap-in.
- Sharing tab on the Properties dialog box.
- Command line, by using the optional settings.

When you turn on Public folder sharing in Windows 8, anyone with an account on your computer, or a PC on your network, can access the contents of these folders. To share something, copy or move it into one of these public folders. By default, Windows 8 provides the following Public folders:
- Documents
- Music
- Pictures
- Videos

You can view these folders by clicking Windows Explorer from the Start screen, and then clicking Libraries to expand the folders. By default, Public folder sharing is not enabled. However, files stored in the Public folder hierarchy are available to all users who have an account on a given computer and can log on to it locally. You can configure Windows 8 to allow access to the Public folders from the network in the Change advanced sharing settings link in the Network and Sharing Center. You can either:
- Turn on sharing, so that anyone with network access can read and write files in the Public folders.
- Turn off Public folder sharing (people logged in to this computer can still access these folders).

Public folder sharing does not allow you to fine-tune sharing permissions, but it does provide a simple way to make your files available to others. When you enable public folder sharing, the system group Everyone is granted full control permissions for the share and NTFS permissions.

Users must have the appropriate NTFS file system permissions for each file and subfolder in a shared folder, in addition to the appropriate shared folder permissions, to access those resources.

When NTFS file system permissions and shared folder permissions are combined, the resulting permission is the most restrictive one of the effective shared folder permissions or the effective NTFS file system permissions. The share permissions on a folder apply to that folder, to all files in that folder, to subfolders, and to all files in those subfolders.

Note: If the guest user account is enabled on your computer, the Everyone group includes anyone. As a best practice, remove the Everyone group from any permission lists, and replace it with the Authenticated Users group.

The following analogy can be helpful in understanding what happens when you combine NTFS and share permissions. When you are dealing with a shared folder, you must always go through the shared folder to access its files over the network. Therefore, you can think of the shared folder permissions as a filter that only allows users to perform those actions on the folder's contents that are acceptable to the share permissions. All NTFS permissions that are less restrictive than the share permissions are filtered out, so that only the share permission remains.
For example, if the share permission is set to Read, then the most that you can do is read through the shared folder, even if the individual NTFS file permission is set to Full Control. If you are configuring the share permission to Modify, then you are allowed to read or modify the shared folder contents. If the NTFS permission is set to Full Control, then the share permissions filter the effective permission to Modify.

Question: If a user is assigned Full Control NTFS permission to a file, but is accessing the file through a share with Read permissions, what will be the effective permission the user will have on the file?

Question: If you want a user to view all files in a shared folder, but can modify only certain files in the folder, what permissions do you give the user?

Question: Identify a scenario at your organization where it might be necessary to combine NTFS and Share permissions. What is the reason for combining permissions?
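Both rules from this lesson, the ACE precedence order for NTFS (explicit Deny, explicit Allow, inherited Deny, inherited Allow) and the "most restrictive wins" combination of share and NTFS permissions, can be worked through on a live share with the following script. It is an added example, not part of the course: it evaluates the calling user's own token (so group membership, including Everyone, is accounted for), reduces each layer to None/Read/Change/Full, and reports the more restrictive of the two. Logon-type SIDs such as Network are not modelled, which is the same approximation the Effective Permissions feature makes; the share name is a placeholder.

```powershell
# Added example, not from the course. Run against an existing share on this computer.
function Get-TokenSidValues {
    # SID strings for the caller and every group in the token (Everyone, Users, ...).
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
}

function Resolve-SidValue([System.Security.Principal.IdentityReference]$Ref) {
    try { $Ref.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { $null }
}

function Test-NtfsAccess {
    # $true when every bit in $Requested is granted before a Deny ACE that
    # covers a still-outstanding bit is reached.
    param([string]$Path, [int]$Requested)
    $mine = Get-TokenSidValues
    # Keep only ACEs that name one of our SIDs, then order them the way Windows
    # evaluates them: explicit before inherited, and Deny before Allow within each.
    $aces = (Get-Acl -Path $Path).Access |
        Where-Object { $mine -contains (Resolve-SidValue $_.IdentityReference) } |
        Sort-Object -Property @{ Expression = { $_.IsInherited } }, @{ Expression = { $_.AccessControlType -eq 'Allow' } }
    $remaining = $Requested
    foreach ($ace in $aces) {
        $bits = ([int]$ace.FileSystemRights) -band $remaining
        if ($bits -eq 0) { continue }                               # ACE irrelevant to what is left
        if ($ace.AccessControlType -eq 'Deny') { return $false }    # Deny on an outstanding bit wins
        $remaining = $remaining -band (-bnot $bits)                 # Allow satisfies those bits
        if ($remaining -eq 0) { return $true }
    }
    $false   # nothing granted the leftover bits: implicit deny
}

function Get-NtfsLevel([string]$Path) {
    # 3 = Full, 2 = Change (Modify), 1 = Read (ReadAndExecute), 0 = None
    $fsr = [System.Security.AccessControl.FileSystemRights]
    if (Test-NtfsAccess $Path ([int]$fsr::FullControl))    { return 3 }
    if (Test-NtfsAccess $Path ([int]$fsr::Modify))         { return 2 }
    if (Test-NtfsAccess $Path ([int]$fsr::ReadAndExecute)) { return 1 }
    0
}

function Get-ShareLevel([string]$ShareName) {
    # Share ACL: a Deny entry for one of our SIDs is treated as no access;
    # otherwise the highest Allow level that names one of our SIDs applies.
    $mine = Get-TokenSidValues
    $rank = @{ Read = 1; Change = 2; Full = 3 }
    $best = 0
    foreach ($entry in Get-SmbShareAccess -Name $ShareName) {
        $sid = Resolve-SidValue (New-Object System.Security.Principal.NTAccount($entry.AccountName))
        if ($mine -notcontains $sid) { continue }
        if ($entry.AccessControlType -eq 'Deny') { return 0 }
        $r = $rank["$($entry.AccessRight)"]
        if ($r -gt $best) { $best = $r }
    }
    $best
}

function Get-EffectiveAccess([string]$ShareName) {
    $share  = Get-SmbShare -Name $ShareName
    $levels = 'None', 'Read', 'Change', 'Full'
    $s = Get-ShareLevel $ShareName
    $n = Get-NtfsLevel $share.Path
    [pscustomobject]@{
        Share     = $ShareName
        Path      = $share.Path
        ShareACL  = $levels[$s]
        NtfsACL   = $levels[$n]
        Effective = $levels[[Math]::Min($s, $n)]   # the share acts as a filter: most restrictive wins
    }
}

Get-EffectiveAccess -ShareName 'ProjectData'   # placeholder share name
```

Applied to the first discussion question above, a user with Full Control NTFS permission reaching a Read-only share is reported as Effective = Read, because the share level caps the NTFS level.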
You can customize the currently active network connections, and set up a new connection. Use the graphical view of your current network to optionally change the description and icon appearance of network components to include more information. View and change network connection properties by clicking View Status on the right side of the connection listing.

You can maintain the following network connections in this section:
- Connect to the Internet: Set up a wireless, broadband, or dial-up connection to the Internet.
- Set up a Network: Configure a new router or access point.
- Set up a Dial-up Connection: Connect to the Internet using a dial-up connection.
- Connect to a Workplace: Set up a dial-up or virtual private network (VPN) connection to your workplace.
Note: You can change the network location profile between private and public. This changes firewall and visibility settings for that network connection.
The Network and Sharing Center includes a Change advanced sharing settings link that you can use to enable, disable, and change the way that various network services behave. The first time that you connect to a network, you must choose a network location. This automatically sets the appropriate firewall, security, and sharing settings for the type of network to which you connect. If you connect to networks in different locations, such as your home network, a local coffee shop, or work, then choosing a network location can help ensure that your computer is always set to an appropriate security level. When users connect to a new network, they can select one of the following network locations in Windows 8:
- Private: In a trusted private network, all computers on the network are in a private network, and you recognize them. Do not choose this network location for public places such as coffee shops and airports. Network discovery and file and printer sharing are turned on for private networks. This allows you to see and access other computers and devices on the network, and allows other network users to see and access your computer.
- Guest or Public: If you do not recognize all the computers on the network (for example, you are in a coffee shop or airport, or you have mobile broadband), then this is a public network, and is not trusted. This location helps you to keep your computer from being visible to other computers around you, and helps to protect your computer from any malicious software from the Internet. Also choose this option if you are connected directly to the Internet without using a router, or if you have a mobile broadband connection. Network discovery, and file and printer sharing, are turned off.
- Domain: The domain network location is used for domain networks such as those in corporate workplaces. Your network administrator typically controls this type of network location.
Windows 8 automatically applies the correct network settings based on the network location. For each of these network profiles, you can configure the following network sharing settings; each can be set to On or Off:
Network Discovery: When network discovery is on, your computer can see other network computers and devices, and is visible to other network computers.
File and Printer sharing: When file and printer sharing is on, people on the network can access files and printers that you have shared from your computer.
Note: By default, Windows 8 uses Windows Firewall with Advanced Security. Therefore, using another firewall might interfere with the Network Discovery and file-sharing features.
All Networks: These settings apply regardless of the network profile. The all networks settings are the following; each can be set to On or Off:
Public folder sharing: When Public folder sharing is on, people on the network, including home-group members, can access files in public folders.
Media streaming: When media streaming is on, people and devices on the network can access pictures, music, and videos on your computer. Your computer also can find media on the network.
Windows uses 128-bit encryption to help protect file sharing connections. Some devices don't support 128-bit encryption and must use 40- or 56-bit encryption.
Troubleshoot Problems
Use this feature to diagnose and repair network problems, and to get troubleshooting information for the following network components:
Internet connections
Shared folders
Homegroup
Network adapter
Incoming connections
Connection to a workplace by using Windows 8 DirectAccess
Printers
Lesson 3
The compression state of a folder does not necessarily reflect the compression state of the files within that folder. For example, a folder can be compressed with or without compressing its contents, and some or all of the files in a compressed folder can be uncompressed. NTFS compression works with NTFS-compressed files without decompressing them, because they are decompressed and recompressed without user intervention:
o When a compressed file is opened, Windows automatically decompresses it for you.
o When the file closes, Windows compresses it again.
NTFS-compressed file and folder names are displayed in a different color to make them clearer to identify. NTFS-compressed files and folders only remain compressed while they are stored on an NTFS volume. An NTFS-compressed file cannot be encrypted.
The compressed bytes of a file are not accessible to applications, which see only the uncompressed data:
o Applications that open a compressed file can operate on it as if it were not compressed.
o These compressed files cannot be copied to another file system.
Note: You can use the compact command-line tool to manage NTFS compression.
Discussion: What Is the Impact of Moving and Copying Compressed Files and Folders?
Moving and copying compressed files and folders can change their compression state. This discussion presents five situations in which you are asked to identify the impact of copying and moving compressed files and folders. You and your classmates will discuss the possible solutions to each situation.
Question: What happens to the compression state of a file or folder when you copy it within an NTFS partition?
Question: What happens to the compression state of a file or folder when you move it within an NTFS partition?
Question: What happens to the compression state of a file or folder when you copy or move it between NTFS partitions?
Question: What happens to the compression state of a file that you copy or move between FAT and NTFS volumes?
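The compact tool mentioned in the note above, and the copy and move cases raised in the discussion, as an added example that is not part of the course material: the script compresses a scratch folder with compact.exe, then reads the NTFS Compressed attribute after a copy and after a move so you can see the state for yourself. The scratch path is an assumption and must be on an NTFS volume.

```powershell
# Added example (not part of the course material): manage NTFS compression
# with compact.exe and observe the Compressed attribute after copy and move
# operations. The scratch path is an assumption; it must be on an NTFS volume.
$base = 'C:\CompressTest'
$src  = Join-Path $base 'Compressed'
$dst  = Join-Path $base 'Plain'
New-Item -ItemType Directory -Path $src, $dst -Force | Out-Null

# /C sets the compression attribute on the folder; /S applies it to its contents.
compact /C "/S:$src" | Out-Null

# A file created inside a compressed folder inherits the folder's state.
Set-Content -Path (Join-Path $src 'report.txt') -Value ('x' * 100000)

function Get-CompressionState {
    param([string]$Path)
    # FileAttributes.Compressed is the NTFS compression flag on a file or folder.
    $attr = (Get-Item -LiteralPath $Path).Attributes
    if (($attr -band [IO.FileAttributes]::Compressed) -ne 0) { 'compressed' } else { 'uncompressed' }
}

"source file: {0}" -f (Get-CompressionState (Join-Path $src 'report.txt'))

# Copy into an uncompressed folder on the same volume, then check the copy.
Copy-Item -LiteralPath (Join-Path $src 'report.txt') -Destination (Join-Path $dst 'copied.txt')
"copied file: {0}" -f (Get-CompressionState (Join-Path $dst 'copied.txt'))

# Move into the same uncompressed folder, then check the moved file.
Move-Item -LiteralPath (Join-Path $src 'report.txt') -Destination (Join-Path $dst 'moved.txt')
"moved file:  {0}" -f (Get-CompressionState (Join-Path $dst 'moved.txt'))

# compact with no switches lists the compression state of every file in a folder;
# compare its output with the results above before answering the discussion questions.
compact "$dst\*"
```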
Files can be opened directly from these compressed folders, and some programs can be run directly from these compressed folders without uncompressing them. Files in the compressed folders are compatible with other file-compression programs and files. You also can move these compressed files and folders to any drive or folder on your computer, the Internet, or your network.
Compressing folders by using Compressed (zipped) Folders does not affect your computer's overall performance. CPU utilization increases only when Compressed (zipped) Folders is used to compress a file. Compressed files take up less storage space, and you can transfer them to other computers more quickly than uncompressed files. You can work with compressed files and folders the same way you work with uncompressed files and folders.
By using the Send To > Compressed (zipped) Folder command in Windows Explorer, you can quickly:
Alternatively, if a compressed folder is already created, and you need to add a new file or folder to it, you can drag the desired file to the compressed folder instead of using the Send To > Compressed (zipped) Folder command.
There are differences to be aware of between zipped folder compression and NTFS folder compression. A zipped folder is a single file inside of which Windows allows you to browse. Some applications can access data directly from a zipped folder, while other applications require that you first unzip the folder contents before the application can access the data. In contrast, individual files within a folder are compressed by NTFS compression. Therefore, NTFS compression does not experience the data access issues associated with zipped folders, because it occurs at the individual file system level and not the folder level. Additionally, zipped folders are useful for combining multiple files into a single email attachment, whereas NTFS compression is not.
File and folder compression that uses the Send To > Compressed (zipped) Folder command is different from NTFS file and folder compression discussed earlier: For selected files or folders, the Send To > Compressed (zipped) Folder command compresses the selected content into a portable zip file. The original file or folder is left unchanged, but a new, compressed zip file is created.
NTFS compression does not create a second, compressed zip-type file. Instead, it actually reduces the size of the selected file, folder, or volume by compressing its content.
Note: Unlike NTFS-compressed folders and files, you can move or copy compressed (zipped) folders without change between volumes, drives, and file systems.
Compress a folder
1. Compress the Windows8Docs folder.
2. Examine the folder and files in the folder.
Objectives
Create a folder shared to all users.
Create a folder shared to specific users.
Lab Setup
Estimated Time: 15 minutes
Virtual Machines: 20687A-LON-DC1, 20687A-LON-CL1, 20687A-LON-CL2
User Name: Adatum\Administrator and Adatum\Ed
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
o User name: Adatum\Administrator
o Password: Pa$$w0rd
5. Repeat steps 2 and 3 for 20687A-LON-CL1 and 20687A-LON-CL2. Do not log on until directed to do so.
Results: At the end of this lab, you will have created a folder and shared it for all users.
Question: Why were you unable to create a file in the Adatum shared folder?
Results: At the end of this exercise, you will have created and shared a folder for the Marketing department.
Question: Why was Adam able to create a file, whereas Ed was not?
Lesson 4
This lesson examines the printing components in a Windows 8 environment, including printer ports and drivers.
The instructor will demonstrate how to install and share a printer, and you will review how to use the Print Management tool to administer multiple printers and print servers.
Windows 8 detects printers that you connect to your computer, and it installs the driver for the printer automatically, if the driver is available in the driver store. However, Windows might not detect printers that connect by using older ports, such as serial or parallel ports, or network printers. In these cases, you must configure the printer port manually.
Installing a Driver
The printer driver is a software interface that enables your computer to communicate with the printer device. Without a printer driver, the printer that connects to your computer will not work properly. The printer driver is responsible for converting the print job into a page description language (PDL) that the printer can use to print the job. The most common PDLs are PostScript, printer control language (PCL), and XML Paper Specifications (XPS). In most cases, drivers come with the Windows application, or you can find them by going to Windows Update in Control Panel and checking for updates. If the Windows application does not have the driver you need, you can find it on the disk that came with the printer, or on the manufacturer's Web site.
If the Windows operating system does not recognize your printer automatically, you must configure the printer type during the installation process. The Printer Setup Wizard presents you with an exhaustive list of currently installed printer types. However, if your printer is not listed, you must obtain and install the necessary driver. You can preinstall printer drivers into the driver store, thereby making them available in the printer list, by using the pnputil.exe command-line tool.
When you connect a new printer to your computer, the Windows application tries to find and install a software driver for the printer. Occasionally, you might see a notification that a driver is unsigned or altered, or that Windows cannot install it. You have a choice whether to install a driver that is unsigned or has been altered since it was signed.
You can use the Print Management MMC to perform all the basic management tasks for a printer. You can also manage printers from the Devices and Printers page in the Control Panel.
Once you initiate a print job, you can view, pause, or cancel it through the print queue. The print queue shows you what is printing, or waiting to print. It also displays information such as job status, who is printing what, and how many unprinted pages remain. From the print queue, you can view and maintain the print jobs for each printer.
You can access the print queue from the Print Management MMC snap-in or through the See what's printing option on the Devices and Printers page in Control Panel. Documents that are listed first will be the first to print.
To cancel an individual print job, right-click the print job you want to remove, and then click Cancel. To cancel all print jobs, click the Printer menu, and then click Cancel All Jobs. The item currently printing might finish, but the remaining items will be cancelled.
To pause or resume an individual print job, right-click the print job, and then click Pause or Resume. To pause all print jobs, click the Printer menu, and then click Pause Printing. To resume printing, click Resume Printing.
If you are printing multiple items, you can change the order in which they print. To reorder the jobs in the print queue:
1. Open the print queue for the specific printer by performing the steps outlined previously.
2. Right-click the print job to be reordered, and then click Properties.
3. Click the General tab, and then drag the Priority slider left or right to change its print order. Items with higher priority print first.
Objectives
Create and share a local printer
Lab Setup
Estimated Time: 10 minutes
Virtual Machines: 20687A-LON-DC1, 20687A-LON-CL1, 20687A-LON-CL2
User Name: Adatum\Administrator and Adatum\Ed
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
o User name: Adatum\Administrator
o Password: Pa$$w0rd
5. Repeat steps 2 and 3 for 20687A-LON-CL1 and 20687A-LON-CL2. Do not log on until directed to do so.
Switch to LON-CL1, verify that the test page is in the ManagersPrinter queue, and Resume Printing.
Results: At the end of this exercise, you will have created, shared, and tested a printer.
Lesson 5
PDF and Open Document Format (ODF) Support: You can view PDF and ODF documents saved in SkyDrive.
Bing Integration: You can use the Microsoft Bing Save & Share feature to save search histories in a SkyDrive folder.
Additional Reading: For more information on SkyDrive features, see: http://windows.microsoft.com/en-US/skydrive/home.
Accessing SkyDrive
SkyDrive can be accessed in several different ways, including:
Windows Hotmail.
Windows PC running Windows Vista Service Pack 2 (SP2) or newer.
Windows Server 2008 SP2 and the Platform Update for Windows Server 2008 or newer.
Mac OS X 10.7 (Lion).
Windows Phone app.
An iPhone OS (iOS) app.
An iPad app.
A Windows 8 Metro style app.
Configuring SkyDrive
Before you can use SkyDrive from the Windows 8 SkyDrive tile, you must connect your Domain (or local) account with your Microsoft Account. To begin the process, you select the Settings charm from the Start screen, and then click More PC Settings. On the PC settings screen, click the Users section. Then, click the Connect button to start the wizard for synchronizing your account with your Microsoft account. In the wizard, you can choose which features you want to synchronize:
Personalize: Colors, background, lock screen, and your account picture
Desktop personalization: Themes, taskbar, and more
Ease of Access: High contrast, Narrator, Magnifier, and more
Language preferences: Keyboards, other input methods, display language, and more
App Settings: Certain settings in your apps
Browser settings: History, bookmarks, and favorites
Other Windows settings: Windows Explorer and mouse settings
Sign-in info: For some apps, websites, networks, and HomeGroup
You can toggle the synchronization setting of these options from the Sync your settings menu on the PC Settings menu.
To simplify the assignment of permissions, you can grant the Everyone group Full Control share permission to all shares and use only NTFS permissions to control access. Restrict share permissions to the minimum required, to provide an extra layer of security in case NTFS permissions are configured incorrectly. When permissions inheritance is blocked, you have the option to copy existing permissions, or begin with blank permissions. If you only want to restrict a particular group or user, then copy existing permissions to simplify the configuration process.
Best Practice: Managing Shared Folders
Supplement or modify the following best practices for your own work situations:
If the guest user account is enabled on your computer, the Everyone group includes anyone. In practice, remove the Everyone group from any permission lists and replace it with the Authenticated Users group.
Using a firewall other than that supplied with Windows 8 can interfere with the Network Discovery and file-sharing features.
Question: A. Datum is installing Microsoft Dynamics GP, and they have contracted with a vendor to provide some custom programming work. A. Datum asked Joseph, their senior IT desktop specialist, to configure the NTFS permissions for the GP planning files it will be accumulating. A. Datum has asked that all IT users be assigned Modify permissions to the GP Implementation Planning folder. However, A. Datum only wants the subfolder titled Vendor Contracts to be available for viewing by a select group of managers. How can Joseph accomplish this by taking into account permission inheritance?
Question: Robin recently created a spreadsheet in which she explicitly assigned it NTFS file permissions that restricted file access to just herself. Following the system reorganization, the file moved to a folder on another NTFS partition and Robin discovered that other users were able to access the spreadsheet. What is the probable cause of this situation?
Tools
Use the following command prompt tools to manage file and printer sharing.
Net share: Share folders from the command prompt.
Net use: Connect to shared resources from the command prompt.
Cacls.exe: Configure NTFS file and folder permissions from the command prompt.
Compact.exe: Compress NTFS files and folders from the command prompt.
Pnputil.exe: Preinstall printer drivers into the driver store.
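The shared-folder best practice from this module, carried out with the command-line tools in the table, as an added example that is not part of the course material: the share permission is Everyone with Full Control and access is controlled by NTFS permissions alone, with Everyone removed from the NTFS list. The folder path and the domain group are assumptions, and icacls.exe is used in place of the older cacls.exe.

```powershell
# Added example (not part of the course material): create a share whose share
# permission is wide open and whose access is controlled by NTFS permissions.
# Folder path and group name are assumptions for a test domain.
$folder    = 'C:\Shares\Projects'
$shareName = 'Projects'
$group     = 'ADATUM\Project Users'   # assumed domain security group

New-Item -ItemType Directory -Path $folder -Force | Out-Null

# Block inheritance from the parent folder and keep copies of the inherited
# entries (/inheritance:d), so they can be edited on this folder alone.
icacls $folder /inheritance:d

# Everyone includes the Guest account whenever Guest is enabled, so remove it,
# together with the broad BUILTIN\Users entry copied from the parent.
icacls $folder /remove:g 'Everyone' 'BUILTIN\Users'

# Grant the project group Modify (M), inherited by subfolders (CI) and files (OI);
# keep Administrators and SYSTEM in Full Control (F) for management and backup.
icacls $folder /grant "${group}:(OI)(CI)M"
icacls $folder /grant 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F'

# Share permission: Everyone, Full Control. NTFS is now the only layer that
# restricts access, so the two permission sets cannot contradict each other.
# The comma is quoted so PowerShell passes it to net.exe as one argument.
net share "$shareName=$folder" '/grant:Everyone,FULL'

# Verify the result: the NTFS ACL on the folder, then the share's permission list.
icacls $folder
net share $shareName
```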
Module 8
Securing Windows 8 Desktops
Contents:
Module Overview 8-1
Lesson 1: Authentication and Authorization in Windows 8 8-2
Lesson 2: Implementing GPOs 8-6
Lab A: Implementing Local GPOs 8-14
Lesson 3: Securing Data with EFS and BitLocker 8-17
Lab B: Securing Data 8-37
Lesson 4: Configuring User Account Control 8-39
Lab C: Configuring and Testing UAC 8-46
Module Review and Takeaways 8-48
Module Overview
Users are becoming increasingly computer literate, and they expect more from the technology that they use at work. They expect to be able to work from home, from branch offices, and on the road, without a decrease in their productivity or access to the programs and applications that they need most. As the needs of users have changed, the demands on IT support professionals have increased. Today, support professionals are being asked to provide more capabilities and support greater flexibility, while continuing to minimize security risks. In this module, you will explore features of Windows 8 that help you maintain a secure computer desktop environment for your users.
Objectives
After completing this module, you will be able to:
Describe authentication and authorization in Windows 8.
Describe how to use local Group Policy Objects (GPOs) to configure security and other settings.
Select a suitable disk encryption method.
Configure User Account Control (UAC).
Lesson 1
Before effectively defining Windows 8 security measures, such as NTFS file-system permissions, and file and folder sharing properties, it is essential that you understand the user account types that are used during security configuration, and how the Kerberos version 5 protocol authenticates and authorizes user logons. This lesson examines the authentication and authorization features, which provide the foundation for the Windows security infrastructure.
Authorization allows a system to determine whether an authenticated user can access and update secured system resources. Examples of authorized permissions include file and file-directory access, hours of access, amount of allocated storage space, and other specifications. Authorization has two facets:
The system administrator defines permissions for system resources initially.
The system or application verifies users' permission values when users attempt to access or update a system resource.
You can provide authorization and access without implementing authentication. This is typically the case when permissions are granted for anonymous users who are not authenticated. Usually, these permissions are limited.
Standard. This account allows you to use most of the capabilities of the computer. A person that logs in with a standard user account can use most programs on the computer and change settings that affect his or her user account. However, the user typically cannot install or uninstall software and hardware, delete files that the computer requires, or change settings that affect other users or the computer's security. The system may prompt a standard user for an administrator password before he or she can perform certain tasks.
Administrator. This account allows you to make changes that affect other users. Administrators can change security settings, install software and hardware, and access all files on the computer. Administrators also can make changes to other user accounts.
Guest. This account allows another person to have temporary access to your computer. People using the guest account cannot install software or hardware, change settings, or create a password. You must enable this feature before your guests can use it.
Note: When you set up a computer, you are required to create an administrator user account, which provides the ability to set up your computer and install any programs that you want to use. After setup is complete, you should use a standard user account for your daily computing tasks. It is more secure to use a standard user account, rather than an administrator account, because it can prevent making changes that affect anyone who uses the computer, especially if your user account logon credentials are stolen.
Users must be authenticated to verify their identity when they access files over a network. Authentication is performed during the network logon process. The Windows 8 operating system supports the following authentication methods for network logons:
Kerberos version 5 protocol. This is the main logon authentication method used by clients and servers that are running Microsoft Windows operating systems. It provides authentication for user and computer accounts.
Windows NT LAN Manager (NTLM). This method provides backward compatibility with pre-Windows 2000 operating systems and some applications. However, it is less flexible, efficient, and secure than the Kerberos version 5 protocol.
Certificate mapping. This method is typically used in conjunction with smart cards. The certificate stored on a smart card is linked to a user account for authentication. A smart card reader is used to read the smart cards and authenticate the user.
Kerberos Authentication
For Windows 8 clients, the Kerberos authentication protocol provides the mechanism for mutual authentication between the client and a server before a network connection is opened between them.
Note: Active Directory Domain Services (AD DS) implements Kerberos authentication.
In a client/server application model:
Windows 8 clients are programs that act on behalf of users who need to perform a task, such as opening a file, accessing a mailbox, querying a database, or printing a document.
Servers, such as Windows Server 2012, are programs that provide services to clients. Some examples of the services can include file storage, mail handling, query processing, print spooling, and a number of other specialized tasks.
Clients initiate an action and servers respond. Typically, this means that the server listens at a communications port, waiting for clients to connect and ask for service.
In the Kerberos security model, every client/server connection begins with authentication. The client and server, in turn, step through a sequence of actions that help parties on each end of the connection verify that the party on the other end is genuine. If authentication is successful, session setup completes, and the client/server application can start working.
Mutual authentication. Using NTLM, servers can verify the identities of their clients. However, clients cannot use NTLM to verify a server's identity, and servers cannot verify the identity of another server. NTLM authentication is ideal for a network environment in which servers are assumed to be genuine. The Kerberos protocol makes no such assumptions and enables parties at both ends of a network connection to identify and verify the party on the other end.
Question: Which authentication method is used when a client computer running the Windows 8 operating system logs on to AD DS?
Windows BitLocker drive encryption and BitLocker To Go. These tools help mitigate unauthorized data access by rendering data inaccessible when you decommission or recycle BitLocker-protected computers. BitLocker To Go provides similar protection for data on removable data drives.
Windows AppLocker. This tool enables administrators to specify exactly what programs, applications, and services can run on a user's computer.
Note: Module 9: Configuring Applications discusses AppLocker in detail.
UAC. This tool enables users to run their computers as standard users and perform all necessary daily tasks.
Windows Firewall with Advanced Security. Provides protection from malicious users and programs that rely on unsolicited incoming traffic to attack computers.
Windows Defender. Helps protect you from spyware and other forms of malicious software.
Note: Module 6: Implementing Network Security describes Windows Defender and Windows Firewall with Advanced Security.
Lesson 2
Before we examine the important security features in Windows 8, it is important that you understand the best ways in which to configure security-related settings in Windows 8. Although you can perform computer-specific administration and configuration tasks, it can be more efficient to implement your planned configuration settings by using GPOs, which provide an infrastructure for centralized configuration management of the operating system and applications that run on the operating system. This lesson discusses Group Policy fundamentals, such as the difference between local and domain-based policy settings. This lesson also describes how you can use Group Policy to simplify managing computers and users in an AD DS environment.
Group Policy in Windows 8 uses XML-based templates to describe registry settings. When you enable settings in these templates, Group Policy allows you to apply computer and user settings either on a local computer or through AD DS centrally. You can use Group Policy to:
Apply customized or specific configurations.
Deploy software applications.
Enforce security settings.
Enforce a standardized desktop environment.
You can use Group Policy to restrict certain actions that may pose potential security risks. For example, you can restrict access to registry editing tools or restrict the use of removable storage devices. A GPO is a collection of Group Policy settings, and you can apply one GPO simultaneously to many different containers in AD DS. Conversely, you can apply multiple GPOs simultaneously to one container. In this case, users and computers receive the cumulative effect of all policy settings applied to them.
The local GPO is the least influential object in an AD DS environment because its settings can be overwritten by GPOs that are associated with sites, domains, and organizational units. In a non-networked environment, or in a networked environment that does not have a domain controller, the local GPO settings are more important because they are not overwritten by other GPOs. Stand-alone computers use only local GPOs to control the environment.
Each Windows 8 computer has one local GPO that contains default computer and user settings, regardless of whether the computer is part of an AD DS environment. In addition to this default local GPO, you can create custom local user GPOs. You can maintain these local GPOs by using the Group Policy Object Editor snap-in.
Note: To access the Group Policy Management Editor, open a new management console window by running mmc.exe, and then add the Group Policy Management Editor to the console.
By using Group Policy, you can define the state of users' work environments once, and then rely on the system to enforce the policies that you define. With the Group Policy snap-in, you can specify policy settings for the following:
Registry-based policies include Group Policy for the Windows 8 operating system and its components, and for programs. To manage these settings, use the Administrative Templates node of the Group Policy Editor snap-in.
Security options include options for local computer security settings.
You can use the software installation and maintenance options to centrally manage program installation, updates, and removal.
Scripts options include scripts for computer startup and shutdown, and user logon and logoff.
Computer Configuration. This section enables you to set policies that are applied to a computer, regardless of who logs on to the computer. Computer Configuration typically contains subitems for software settings, Windows settings, and administrative templates.
User Configuration. This section enables you to set policies that apply to users, regardless of which computer they log on to. User Configuration typically contains subitems for software settings, Windows settings, and administrative templates.
To use the Group Policy Object Editor, perform the following steps:
1. Expand the GPO that you want, such as Local Computer Policy.
2. Expand the configuration item that you want, such as Computer Configuration.
3. Expand the subitem that you want, such as Windows Settings.
4. Navigate to the folder that contains the policy setting that you want. The policy items are displayed in the right pane on the Group Policy Editor snap-in.
Note: If no policy is defined for the selected item, right-click the folder that you want, and then on the shortcut menu that appears, point to All Tasks and then click the command that you want. The commands that are displayed on the All Tasks submenu are context-sensitive. Only those commands that are applicable to the selected policy folder appear on the menu.
5. In the Settings list, double-click the policy item that you want.
Note: When you work with policy items in the Administrative Templates folder, click the Extended tab in the right pane of the Microsoft Management Console (MMC) if you want to view more information about the selected policy item.
6. Edit the settings of the policy in the dialog box that appears, and then click OK.
7. When you are finished, quit the MMC.
Note: In smaller networks, it is likely that you will configure all computers as part of the default AD DS site object. Therefore, you can disregard this AD DS container when planning GPOs.
3. Domain-level policy settings.
4. Organizational unit (OU) policy settings.
Note: Typically, you create an OU to contain objects, such as users and computers, that you wish to administer in a similar manner. For example, you might want to delegate control of all those objects to a local administrator, or you might want all the objects in the OU to have the same configured settings. In small networks, you can configure most settings at the domain level, and then it is unnecessary to create complex, nested OU structures for management purposes.
Configuring Windows 8
Policy settings applied to higher level containers pass through to all subcontainers in that part of the AD DS tree. For example, a policy setting applied to an OU also applies to any child OUs below it.
If policy settings are applied at multiple levels, the user or computer receives the effects of all policy settings. In case of a conflict between policy settings, the policy setting applied last is the effective policy, though you can change this behavior as necessary.

Note: You can enforce individual policies, which ensures that the settings from an enforced policy take precedence over other settings further down the AD DS tree.

It also is possible to block inheritance, although blocking is applied to containers rather than to policies. In large network environments, with many containers and policies, it can sometimes be difficult to determine which settings from which policies are in force on a given computer or user. A domain administrator can use the Group Policy Modeling and Group Policy Results nodes in the Group Policy Management console to help determine the application of policies.
Introduction to MLGPO
Local Group Policy is a subset of a broader technology known as Group Policy. Group Policy is domain based while Local Group Policy is specific to the local computer. Both technologies allow you to configure specific settings in the operating system and then force those settings to computers and users. Local Group Policy is not as robust as Group Policy. For example, you can use Group Policy to configure any number of policies that might affect some, all, or none of the users of a domain-joined computer. Group Policy even can apply policies to users that have specific group memberships.
However, prior to Windows Vista, Local Group Policy was only able to apply one policy to a computer and all the local users of it, even the local administrator. This made it difficult to manage stand-alone computers effectively because the same policy applied to both the administrators and the standard users. Windows 8 gives you the ability to apply different GPOs to stand-alone users. Windows 8 provides this ability with three layers of local GPOs:
- Local Group Policy
- Administrators and Non-Administrators Group Policy
- User-specific Local Group Policy
Each computer stores only one local GPO that contains the default computer and user settings. This policy is stored in the hidden %systemroot%\System32\GroupPolicy directory. Custom administrator, non-administrator, and user policies that you create are stored in: %systemroot%\System32\GroupPolicyUsers.
These layers of local GPOs are processed in order, starting with Local Group Policy, continuing with Administrators and Non-Administrators Group Policy, and finishing with user-specific Local Group Policy.
The Administrators and Non-Administrators Local GPOs do not exist by default. You must create them if you want to use them on your Windows 8 client. These GPOs act as a single layer and logically sort all local users into two groups when a user logs on to the computer: the user is either an administrator or a non-administrator. Users who are members of the administrators group receive policy settings assigned in the Administrators Local GPO. All other users receive policy settings assigned in the Non-Administrators Local GPOs.
Local administrators can use the last layer of the Local Group Policy object, Per-User Local Group Policy objects, to apply specific policy settings to a specific local user.
Processing Order
The benefits of MLGPOs come from the processing order of the three separate layers. The layers are processed as follows:
1. The Local GPO applies first. This Local GPO may contain both computer and user settings. User settings contained in this policy apply to all users, including the local administrator.
2. The Administrators and Non-Administrators Local GPOs are applied next. These two Local GPOs represent a single layer in the processing order, and the user receives one or the other. Neither of these Local GPOs contains computer settings.
3. User-specific Local Group Policy is applied last. This layer of Local GPOs contains only user settings, and you apply it to one specific user on the local computer.
Available user settings are the same between all Local GPOs. It is possible that a policy setting in one Local GPO contradicts the same setting in another Local GPO. Windows 8 resolves these conflicts by using the Last Writer Wins method. This method resolves the conflict by overwriting any previous setting with the last-read (most current) setting. The final setting is the one that Windows uses. For example, an administrator enables a setting in the Local GPO. The administrator then disables the same setting in a user-specific Local GPO. The user logging on to the computer is not an administrator. Windows reads the Local GPO first, followed by the Non-Administrators Local GPO, and then the user-specific Local GPO. The state of the policy setting is enabled when Windows reads the Local GPO. The policy setting is not configured in the Non-Administrators Local GPO. This has no effect on the state of the setting, so it remains enabled. The policy setting is disabled in the user-specific Local GPO. This changes the state of the setting to disabled. Windows reads the user-specific Local GPO last. Therefore, it has the highest precedence. The Local Computer Policy has a lower precedence.
Stand-alone computers benefit the most from Multiple Local Group Policy objects because they are managed locally. Domain-based computers apply Local Group Policy first and then domain-based policy. Windows 8 continues to use the Last Writer Wins method for conflict resolution. Therefore, policy settings originating from domain Group Policy overwrite any conflicting policy settings found in any Local Group Policy to include administrative, non-administrative, and user-specific Local Group Policy.
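The following PowerShell is an added example, not part of the course, that models the three local layers above plus the domain layer and applies the Last Writer Wins rule to the worked case in the text. The on-disk layout (GroupPolicyUsers\<SID>), the well-known SIDs S-1-5-32-544 (Administrators) and S-1-5-32-545 (Non-Administrators), and the policy name used in the sample are assumptions about Windows 8, not statements from the course.

```powershell
# Added example (not from the course). Assumed on-disk layout of the local GPO layers.
$GroupPolicyRoot  = Join-Path $env:SystemRoot 'System32\GroupPolicy'
$GroupPolicyUsers = Join-Path $env:SystemRoot 'System32\GroupPolicyUsers'

function Test-LocalAdministrator {
    # $true when the named account is a member of the local Administrators group.
    param([Parameter(Mandatory)][string]$UserName)
    $group   = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $members = @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
    return $members -contains $UserName
}

function Get-LocalGpoLayer {
    # Lists the local GPO layers that apply to one user, in processing order,
    # and whether each layer has been created on disk yet.
    param([Parameter(Mandatory)][string]$UserName)
    $sid = (New-Object System.Security.Principal.NTAccount($UserName)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    # Second layer: the user gets either the Administrators or the Non-Administrators GPO.
    $groupLayer = if (Test-LocalAdministrator $UserName) {
        @{ Name = 'Administrators';     Path = Join-Path $GroupPolicyUsers 'S-1-5-32-544' }  # assumed SID
    } else {
        @{ Name = 'Non-Administrators'; Path = Join-Path $GroupPolicyUsers 'S-1-5-32-545' }  # assumed SID
    }
    $layers = @(
        @{ Name = 'Local Computer Policy';     Path = $GroupPolicyRoot },
        $groupLayer,
        @{ Name = "User-specific ($UserName)"; Path = Join-Path $GroupPolicyUsers $sid }
    )
    $order = 0
    foreach ($layer in $layers) {
        $order++
        [pscustomobject]@{ Order = $order; Layer = $layer.Name; Path = $layer.Path
                           Exists = Test-Path $layer.Path }
    }
}

function Resolve-PolicySetting {
    # Last Writer Wins: walk the layers in processing order; a layer that sets the
    # value (Enabled/Disabled) overwrites the state, a layer that leaves it Not
    # Configured changes nothing. A domain GPO, if present, is read after every
    # local layer and therefore wins over all of them.
    param(
        [Parameter(Mandatory)][string]$Setting,
        [Parameter(Mandatory)][hashtable[]]$Layers   # ordered: Local, Admin/Non-Admin, User, [Domain]
    )
    $state = 'Not Configured'
    foreach ($layer in $Layers) {
        if ($layer.ContainsKey($Setting)) { $state = $layer[$Setting] }
    }
    return $state
}

# Worked case from the text: Local GPO enables a setting, the Non-Administrators
# GPO leaves it Not Configured, the user-specific GPO disables it. The policy name
# is an assumption chosen to match the lab's Control Panel restriction.
$policy   = 'Prohibit access to Control Panel and PC settings'
$local    = @{ $policy = 'Enabled' }
$nonAdmin = @{ }
$holly    = @{ $policy = 'Disabled' }
Resolve-PolicySetting -Setting $policy -Layers @($local, $nonAdmin, $holly)          # Disabled

# Same computer joined to a domain whose GPO enables the setting: the domain layer
# is applied last and overwrites every local layer.
$domain = @{ $policy = 'Enabled' }
Resolve-PolicySetting -Setting $policy -Layers @($local, $nonAdmin, $holly, $domain)  # Enabled

Get-LocalGpoLayer -UserName $env:USERNAME | Format-Table -AutoSize
```

The Exists column shows which of the three layers have actually been created; the Administrators and Non-Administrators folders only appear after you add them through the snap-in as described above.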
You can disable the processing of local GPOs on clients that are running Windows 8 by enabling the Turn off Local Group Policy objects processing policy setting in a domain GPO. You can find this setting by expanding Computer Configuration, expanding Administrative Templates, expanding System, and then clicking Group Policy.
Select the object for which you want to create a special GPO. You must add a separate instance of the snap-in for each instance of the local GPO that you want to create.
Question: An administrator selects the Disable the Security page setting in the Local GPO. The administrator then enables the same setting in a user-specific Local GPO. The user logging on to the computer is not an administrator. Which policy setting will be applied to this Local GPO?
This demonstration shows how to create and verify settings of multiple local Group Policies in Windows 8.
Open a management console, and add the Group Policy Object Editor snap-in to the console. Set the focus on the local computer. Add the Group Policy Object Editor snap-in to the console again, this time selecting the Administrators group as the focus.
Add the Group Policy Object Editor snap-in to the console for a third time, this time selecting the Non-administrators group as the focus. Save the console to the desktop.
A computer that belongs to an AD DS domain receives many of its security-related configuration settings through a GPO. You can use the Local Group Policy Editor to configure the same settings on a standalone workstation that is running Windows 8.
To configure local Group Policy, run gpedit.msc from the Run box with elevated privileges. You then can use the local Group Policy Object Editor to configure the security-related settings that the following table lists.

Setting: Meaning
Password Policy: A subcomponent of Account Policies that enables you to configure password history, maximum and minimum password age, password complexity, and password length. Note: This only applies to local accounts.
Account Lockout Policy: A subcomponent of Account Policies that enables you to define settings related to the action that you want Windows 8 to take when a user enters an incorrect password at logon. Note: This only applies to local accounts.
Audit Policy: A subcomponent of Local Policies that enables you to define audit behavior for various system activities, including logon events and object access.
User Rights Assignment: A subcomponent of Local Policies that enables you to configure user rights, including the ability to log on locally, access the computer from the network, and shut down the system.
Security Options: A subcomponent of Local Policies that enables you to configure many settings, including Interactive logon settings, User Account Control settings, and Shutdown settings.
Windows Firewall with Advanced Security: Enables you to configure the firewall settings.
Network List Manager Policies: Enables you to configure user options for configuring new network locations.
Public Key Policies: Includes settings for Certificate Auto-Enrollment and the Encrypting File System (EFS) Data Recovery Agents.
Software Restriction Policies: Enables you to identify and control which applications can run on the local computer.
IP Security Policies: Enables you to create, manage, and assign Internet Protocol security (IPsec) policies.
Windows Update: Enables you to configure Automatic updating. Located under Administrative Templates\Windows Components.
Device Installation: Enables you to configure driver installation behavior. Located under Administrative Templates\System.
After you configure the local policy, you can export the security-related settings to a policy file, and then save them in a security template file with an .INF extension. You then can import the template into the Local Group Policy Editor to use these templates to configure additional computers.
This demonstration shows different security settings in the Windows 8 Local Group Policy Editor, and then reviews the changes to some of these settings.
Demonstration Steps
1. Log on as administrator.
2. Open the Group Policy Editor management console snap-in.
3. Navigate to Computer Configuration, Windows Settings, Security Settings, and review the settings.
Holly Dickson is the IT manager at A. Datum Corp. She has expressed a concern that some of the laptop computers that are used outside of the A. Datum network are more susceptible to security breaches. She has asked that you investigate how best to configure security and other settings on these computers.
Objectives
- Create multiple local GPOs.
- Apply the local GPOs.
Lab Setup
Estimated Time: 20 minutes
Virtual Machine(s): 20687A-LON-DC1
User Name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect.
4. Wait until the virtual machine starts.
5. Log on using the following credentials: User name: Administrator; Password: Pa$$w0rd; Domain: Adatum
Although you typically configure most security and other settings by using domain-based GPOs, you decide that for these laptop computers, implementing local GPOs would achieve Holly's goal of securing these roaming computers. You decide to implement multiple local GPOs to ensure that administrator and standard user accounts can have different settings:
- The default computer policy will be configured to display a warning dialog box.
- The non-administrators policy will be configured with certain security restrictions.
- The administrators policy will not be configured with the same security restrictions.
The main tasks for this exercise are as follows:
1. Create a management console for multiple local Group Policies.
2. Configure the local computer settings.
3. Configure Non-Administrators security settings.
Save the console to the Desktop with the name Multiple Local Group Policy Editor.
Results: After this exercise, you should have successfully created and configured multiple local GPOs.
Log on as Adatum\Holly with the password Pa$$w0rd, and then verify that the logon script runs on the desktop. Attempt to open Control Panel.
Results: After this exercise, you should have implemented and tested multiple local GPOs successfully.
When you have finished the lab, leave the virtual machines running, as they are needed for the next lab.
Lesson 3
Laptops and desktop hard drives can be stolen, which poses a risk for confidential data. You can secure data against these risks by using a two-phased defensive strategy, one that incorporates both EFS and Windows BitLocker Drive Encryption.
This lesson provides a brief overview of EFS. However, IT professionals interested in implementing EFS must research this feature thoroughly before making a decision on using EFS. If you implement EFS without implementing proper recovery operations or without understanding how the feature works, you can cause your data to be unnecessarily exposed. To implement a secure and recoverable EFS policy, you must have a more comprehensive understanding of EFS.
BitLocker is another defensive strategy that complements EFS. BitLocker protects against data theft or exposure on computers that are lost or stolen, and offers more secure data deletion when computers are decommissioned. Data on a lost or stolen computer is vulnerable to unauthorized access, either by running a software attack tool against it or by transferring the computer's hard disk to a different computer. BitLocker helps mitigate unauthorized data access on lost or stolen computers by combining two major data-protection procedures: encrypting the entire Windows operating system volume on the hard disk, and encrypting multiple fixed volumes.
What Is EFS?
EFS is the built-in file encryption tool for Windows file systems. A component of the NTFS file system, EFS enables transparent encryption and decryption of files by using advanced, standard cryptographic algorithms. Any individual or program that does not possess the appropriate cryptographic key cannot read the encrypted data. You can protect encrypted files even from those who gain physical possession of the computer on which the files are stored. Even people who are authorized to access the computer and its file system cannot view the data.
You must understand that while encryption is a powerful addition to any defensive plan, you also must use other defensive strategies because encryption is not the correct countermeasure for every threat. Also, every defensive weapon, if you use it incorrectly, carries the potential for harm. The following are the basic EFS features:
EFS encryption does not occur at the application level, but rather at the file-system level. Therefore, the encryption and decryption process is transparent to the user and the application. If you mark a folder for encryption, EFS will encrypt every file created in, or moved to, the folder. Applications do not have to understand EFS or manage EFS-encrypted files any differently than unencrypted files.
If a user attempts to open a file and possesses the necessary key, the file opens without additional effort on the user's part. If the user does not possess the key, he or she receives an "Access denied" message.
File encryption uses a symmetric key that is encrypted with the user's public key and stored in the file header. A certificate with the user's public and private keys (known as asymmetric keys) is stored in the user's profile. This key pair is bound to a user identity and made available to the user who has possession of the user ID and password. The user's private key must be available for decryption of the file.
If the private key is damaged or missing, even the user that encrypted the file cannot decrypt it. If a recovery agent exists, the file may be recoverable. If you implement key archival, then you can recover the key, and decrypt the file. Otherwise, the file may be lost. This encryption system is commonly referred to as Public Key Infrastructure (PKI). The user's certificate that contains his or her public and private keys can be archived, such as exported to a USB memory stick, and kept in a safe place to ensure recovery, if keys become damaged.
The user's public and private keys are protected by the user's password. Any user who can obtain the user ID and password can log on as that user, and then decrypt that user's files. Therefore, a strong password policy and strong user education must be a component of each organization's security practices to ensure the protection of EFS-encrypted files.
EFS-encrypted files do not remain encrypted during transport if you save them to, or open them from, a folder on a remote server. The file is decrypted, and then traverses the network in plain text. EFS then encrypts it locally if you save it to a folder on the local drive that is marked for encryption. EFS-encrypted files can remain encrypted while traversing the network if you are saving them to a Web folder by using WebDAV. EFS is only supported on the NTFS file system. If a user moves or copies an encrypted file to a non-NTFS file system, like a universal serial bus (USB) memory stick that is formatted with the file allocation table 32-bit (FAT32) file system, the file will no longer be encrypted.
The following are additional important facts about implementing EFS on Windows 8:
- Support for AES 256-Bit Encryption. EFS supports industry-standard encryption algorithms including Advanced Encryption Standard (AES). AES uses a 256-bit symmetric encryption key and is the default EFS algorithm.
- Support for Storing Private Keys on Smart Cards. Windows 8 includes full support for storing users' private keys on smart cards. If a user logs on to Windows 8 with a smart card, EFS also can use the smart card for file encryption. Administrators can store their domain's recovery keys on a smart card. Recovering files is then as simple as logging on to the affected machine, either locally or by using Remote Desktop, and using the recovery smart card to access the files.
Encrypting File System Rekeying Wizard. The Encrypting File System Rekeying Wizard allows users to choose an EFS certificate, and then select and migrate existing files that will use the newly chosen EFS certificate. Administrators can use the wizard to migrate users in existing installations from software certificates to smart cards. The wizard also is helpful in recovery situations because it is more efficient than decrypting and re-encrypting files.
Group Policy Settings for EFS. You can use Group Policy to centrally control and configure EFS protection policies for the entire enterprise. For example, Windows 8 allows page file encryption through the local security policy or Group Policy.
Per-User Encryption of Offline Files. You can use EFS to encrypt offline copies of files from remote servers. When this option is enabled, each file in the offline cache is encrypted with a public key from the user who cached the file. Thus, only that user has access to the file, and even local administrators cannot read the file without access to the user's private keys.
Note: When users encrypt files in remote shared folders, their keys are stored on the file server.
This method is more cumbersome than using a CA because there is no centralized management, and users become responsible for managing their own keys. Additionally, it is more difficult to manage for recovery. However, it is still a popular method because no setup is required.
EFS uses public key cryptography to allow the encryption of files. The keys are obtained from the user's EFS certificate. Because the EFS certificates also may contain private key information, you must manage them correctly. Users can make encrypted files accessible to other users' EFS certificates. If you grant access to another user's EFS certificate, that user can, in turn, make the file available to other users' EFS certificates.
Note: You can issue EFS certificates only to individual users, not to groups.
Backing Up Certificates
CA administrators can archive and recover CA-issued EFS certificates. Users must back up their self-generated EFS certificates and private keys manually. To do this, they can export the certificate and private key to a Personal Information Exchange (PFX) file, which is password-protected during the export process. The password then is required to import the certificate into a user's certificate store.
If you need to distribute only your public key, you can export the client EFS certificate without the private key to Canonical Encoding Rules (CER) files.
A user's private key is stored in the user's profile in the RSA folder, which is accessed by expanding AppData, expanding Roaming, expanding Microsoft, and then expanding Crypto. Because there is only one instance of the key, it is vulnerable to hard-disk failure or data corruption. The Certificate Manager MMC exports certificates and private keys. The Personal Certificates store contains the EFS certificates.
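As an added example (not code from the course), the following PowerShell locates the current user's EFS certificate, backs it up as the text describes (PFX with the private key, CER with the public key only), and checks whether a given file is still EFS-protected. The EFS enhanced key usage OID 1.3.6.1.4.1.311.10.3.4, the Windows 8 PKI cmdlets Export-PfxCertificate and Export-Certificate, and the sample paths are assumptions.

```powershell
# Added example (not from the course). EFS EKU OID is an assumption about Windows PKI.
$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'

function Get-EfsCertificate {
    # EFS certificates sit in the user's Personal store and carry the EFS EKU.
    # HasPrivateKey tells you whether this copy can actually decrypt anything.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $eku = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $EfsEkuOid })
    }
}

function Backup-EfsCertificate {
    # Exports the certificate plus private key to a password-protected PFX (the
    # recoverable backup) and the public part alone to a CER for sharing.
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$Folder,
        [Parameter(Mandatory)][securestring]$Password
    )
    if (-not $Certificate.HasPrivateKey) {
        throw "Certificate $($Certificate.Thumbprint) has no private key; nothing to back up."
    }
    if (-not (Test-Path $Folder)) { New-Item -ItemType Directory -Path $Folder | Out-Null }
    $pfx = Join-Path $Folder "efs-$($Certificate.Thumbprint).pfx"
    $cer = Join-Path $Folder "efs-$($Certificate.Thumbprint).cer"
    Export-PfxCertificate -Cert $Certificate -FilePath $pfx -Password $Password | Out-Null
    Export-Certificate    -Cert $Certificate -FilePath $cer | Out-Null
    [pscustomobject]@{ PrivateKeyBackup = $pfx; PublicKeyOnly = $cer }
}

function Test-EfsProtectedFile {
    # Reports whether the file carries the Encrypted attribute and whether the
    # volume holding it is NTFS. A copy on FAT32/exFAT media has already lost its
    # encryption, which is the failure mode the text warns about.
    param([Parameter(Mandatory)][string]$Path)
    $item      = Get-Item -LiteralPath $Path
    $encrypted = [bool]($item.Attributes -band [System.IO.FileAttributes]::Encrypted)
    $drive     = New-Object System.IO.DriveInfo($item.PSDrive.Root)
    [pscustomobject]@{
        Path       = $item.FullName
        Encrypted  = $encrypted
        FileSystem = $drive.DriveFormat
        Protected  = $encrypted -and ($drive.DriveFormat -eq 'NTFS')
    }
}

# The single on-disk copy of the private key the text refers to.
$rsaFolder = Join-Path $env:APPDATA 'Microsoft\Crypto\RSA'
"Private key container folder present: $(Test-Path $rsaFolder)"

# Usage (folder and file paths are assumptions).
$cert = Get-EfsCertificate | Where-Object HasPrivateKey | Select-Object -First 1
if ($cert) {
    $pfxPassword = Read-Host -AsSecureString -Prompt 'Password for the PFX backup'
    Backup-EfsCertificate -Certificate $cert -Folder 'E:\EFS-Backup' -Password $pfxPassword
} else {
    'No EFS certificate with a private key found in Cert:\CurrentUser\My.'
}
Test-EfsProtectedFile -Path 'C:\Users\Holly\Documents\secret.docx'
Test-EfsProtectedFile -Path 'E:\secret.docx'   # a copy on a FAT32 stick reports Encrypted = False
```

Keep the PFX off the computer whose disk failure you are guarding against; the CER can be handed to colleagues who need to add you to their encrypted files.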
EFS users can share encrypted files with other users on file shares and in web folders. With this support, you can give individual users permission to access an encrypted file. The ability to add users is restricted to individual files. After you encrypt a file, you can enable file sharing through the user interface. You must first encrypt a file and then save it before adding more users. You can add users either from the local computer or from AD DS, if the user has a valid certificate for EFS. It is important that users electing to share encrypted files are aware of the following points:
Shared EFS files are not file shares. If authorized users need to access shared EFS files over the network, a file share or Web folder is required. Alternatively, users can establish remote sessions with computers that store encrypted files by using Remote Desktop Services (RDS).
- Any user who is authorized to decrypt a file can authorize other users to access the file. Granting access is not limited to the file owner. Caution users to share files only with trusted accounts because those accounts can authorize other accounts. Removing the Write permission from a user or group of users can prevent this problem, but it also prevents the user or group from modifying the file.
- EFS sharing requires that the users who will be authorized to access the encrypted file have EFS certificates. These certificates can be located in roaming profiles or in the user profiles on the computer on which the file to be shared is stored, or they can be stored in and retrieved from AD DS.
- EFS sharing of an encrypted file often means that the file will be accessed across the network. It is best if web folders are used for encrypted file storage whenever possible.
If a user chooses to remotely access an encrypted file that is stored on a file share, and to authorize other users to access the file, the authorization process and requirements are the same as on the local computer. Additionally, EFS must impersonate the user to perform this operation, and all the requirements for remote EFS operations on files stored on file shares apply. If a user chooses to remotely access an encrypted file stored on a web folder, and to authorize other users to access the file, the file is automatically transmitted to the local computer in ciphertext. The authorization process takes place on the local computer with the same requirements as for encrypted files stored locally. You can authorize individual users to access encrypted files. Perform the following steps to share an encrypted file with other users:
1. In Windows Explorer, right-click the encrypted file, and then click Properties.
2. On the General tab, select Advanced.
3. In the Advanced Attributes dialog box, under Compress or Encrypt Attributes, select Details.

Note: If you select an encrypted folder instead of an encrypted file, the Details button appears dimmed. You can add users to individual encrypted files, but not to folders.
4. In the Encryption Details dialog box, click Add.
5. Add a user from the local computer or from AD DS.
What Is BitLocker?
BitLocker provides protection for a computer's operating system and data stored on the operating system volume. It ensures that data stored on a computer remains encrypted, even if someone tampers with the computer when the operating system is not running. BitLocker provides a closely integrated solution in Windows 8 to address the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned personal computers.
Data on a lost or stolen computer can become vulnerable to unauthorized access when a user either runs a software attack tool against it or transfers the computer's hard disk to a different computer. BitLocker helps mitigate unauthorized data access by enhancing Windows file and system protections. BitLocker also helps render data inaccessible when BitLocker-protected computers are decommissioned or recycled.
BitLocker Drive Encryption performs two functions that provide both offline data protection and system integrity verification:
- Encrypts all data stored on the Windows operating system volume (and configured data volumes). This includes the Windows operating system, hibernation and paging files, applications, and data that applications use. BitLocker also provides an umbrella protection for non-Microsoft applications, which benefits the applications automatically when they are installed on the encrypted volume.
- Is configured by default to use a Trusted Platform Module (TPM) to help ensure the integrity of early startup components, which the operating system uses in the earlier stages of the startup process. It locks any BitLocker-protected volumes, so they remain protected even if someone tampers with the computer when the operating system is not running.
- Enhancing protection to mitigate offline software-based attacks. Any alternative software that might start the system does not have access to the decryption keys for the Windows operating system volume.
- Locking the system when it is tampered with. If any monitored files have been tampered with, the system does not start. This alerts the user to the tampering since the system fails to start as usual. In the event that system lockout occurs, BitLocker offers a simple recovery process.
In conjunction with the TPM, BitLocker verifies the integrity of early startup components, which helps prevent additional offline attacks, such as attempts to insert malicious code into those components. This functionality is important because the components in the earliest part of the startup process must be available unencrypted so that the computer can start. As a result, an attacker can change the code in those early startup components, and then gain access to the computer, even though the data on the disk was encrypted. Then, if the attacker gains access to confidential information, such as the BitLocker keys or user passwords, the attacker can circumvent BitLocker and other Windows security protections.
When a laptop is lost or stolen, the loss of data typically has more impact than the loss of the computer asset. As more people use removable storage devices, they can lose data without losing a PC. BitLocker To Go provides enhanced protection against data theft and exposure by extending BitLocker drive encryption support to removable storage devices, such as USB flash drives, and you can manage it through Group Policy.
In Windows 8, users can encrypt their removable media by opening Windows Explorer, right-clicking the drive, and clicking Turn On BitLocker. They will then be asked to choose a method to unlock the drive. These options include:
- Password: This is a combination of letters, symbols, and numbers the user will enter to unlock the drive.
- Smart card: In most cases, a smart card is issued by your organization and a user enters a smart card PIN to unlock the drive.
After choosing the unlock methods, users will be asked to print or save their recovery password. This is a 48-digit password that can also be stored in AD DS and used if other unlock methods fail, such as when a password is forgotten. Finally, users will be asked to confirm their unlock selections and to begin encryption.
When you insert a BitLocker-protected drive into your computer, Windows will detect that the drive is encrypted automatically, and then prompt you to unlock it.
Question: BitLocker provides full volume encryption. What does this mean?
You can use BitLocker to encrypt operating system drives, fixed data drives, and removable data drives in Windows 8. When you use BitLocker with data drives, you can format the drive with the exFAT, FAT16, FAT32, or NTFS file system, but the drive must have at least 64 MB of available disk space. When you use BitLocker with operating system drives, you must format the drive with the NTFS file system.
Because BitLocker stores its own encryption and decryption key in a hardware device that is separate from the hard disk, you must have one of the following:
- A computer with Trusted Platform Module (TPM) version 1.2.
- A removable Universal Serial Bus (USB) memory device, such as a USB flash drive.
On computers that do not have TPM 1.2, you can still use BitLocker to encrypt the Windows operating system volume. However, this implementation requires the user to insert a USB startup key to start the computer or resume from hibernation, and it does not provide the prestartup system integrity verification that BitLocker provides when working with a TPM.
Additionally, BitLocker offers the option to lock the normal startup process until the user supplies a PIN or inserts a removable USB device, such as a flash drive, that contains a startup key. These additional security measures provide multifactor authentication and assurance that the computer will not start or resume from hibernation until the correct PIN or startup key is presented.
To turn on BitLocker Drive Encryption, the computer's hard drive must meet the following requirements:
- Have the space necessary for Windows 8 to create the two disk partitions: one for the system volume and one for the operating system volume:
  - System volume. This partition includes the drive on which you install Windows. BitLocker encrypts this drive, which no longer needs a drive letter.
  - Operating system volume. A second partition is created, as needed, when you enable BitLocker in Windows 8. This partition must remain unencrypted so that you can start the computer. This partition must be 100 MB, and you must set it as the active partition.
- Have a BIOS that is compatible with TPM or supports USB devices during computer startup. The BIOS must be:
  - Trusted Computing Group (TCG) compliant.
  - Set to start first from the hard disk, and not the USB or CD drives.
  - Able to read from a USB flash drive during startup.
BitLocker does not require a TPM. However, only a computer with a TPM can provide the additional security of prestartup system-integrity verification. Perform the following steps to determine if a computer has a TPM version 1.2 chip:
1. Open Control Panel, click System and Security, and then click BitLocker Drive Encryption.
2. In the lower left corner, click TPM Administration. The Trusted Platform Module (TPM) Management on Local Computer console opens. If the computer does not have the TPM 1.2 chip, the Compatible TPM cannot be found message appears.
This topic provides an in-depth examination of these two BitLocker modes.
The most secure implementation of BitLocker leverages the enhanced security capabilities of TPM 1.2. The TPM is a hardware component that manufacturers install in many newer computers. It works with BitLocker to help protect user data and to ensure that a computer that is running Windows 8 is not tampered with while the system is offline.
Configuring Windows 8
BitLocker supports TPM v1.2, but it does not support older TPMs. Version 1.2 TPMs provide increased standardization, security enhancement, and improved functionality compared to previous versions. Windows 8 was designed with these TPM improvements in mind.
On computers that have a TPM 1.2, BitLocker uses the enhanced TPM security capabilities to help ensure that your data is accessible only if the computer's boot components appear unaltered and the encrypted disk is located in the original computer. If you enable BitLocker on a Windows 8 computer that has a TPM 1.2, you can add the following additional factors of authentication to the TPM protection:
BitLocker offers the option to lock the normal boot process until the user supplies a PIN or inserts a USB device, such as a flash drive, that contains a BitLocker startup key. Both the PIN and the USB device can be required.
In a scenario that uses a TPM with an advanced startup option, you can add a second factor of authentication to the standard TPM protection: a PIN or a startup key on a USB flash drive. To use a USB flash drive with a TPM, the computer must have a BIOS that can read USB flash drives in the pre-operating system environment (at startup). You can check your BIOS by running a hardware test near the end of the BitLocker setup wizard. These additional security measures provide multifactor authentication, and help ensure that the computer will not start or resume from hibernation until the user presents the correct authentication method.
On computers equipped with a TPM, each time the computer starts, each of the early startup components, such as the BIOS, the boot sector, and the boot manager code, examines the code that is about to run, calculates a hash value, and stores the value in the TPM. Once that value is stored in the TPM, it cannot be replaced until the user restarts the system. A combination of these values is recorded. You can use these recorded values to protect data by using the TPM to create a key that links to these values. When you create this type of key, the TPM encrypts it, and only that specific TPM can decrypt it. Each time the computer starts, the TPM compares the values generated during the current startup with the values that existed when the key was created. It decrypts the key only if those values match. This process is called sealing and unsealing the key.
As part of its system integrity verification process, BitLocker examines and seals keys to the measurements of the following:
• The Core Root of Trust (CRTM)
• The BIOS and any platform extensions
• Option read-only memory (ROM) code
• MBR code
• The NTFS boot sector
• The boot manager
If any of these items change unexpectedly, BitLocker locks the drive to prevent it from being accessed or decrypted.
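The sealing described above is easier to see with a small model of the TPM 1.2 extend operation. The following PowerShell script is an added illustration, not code from the course or from Microsoft: it folds a hash of each boot component into a simulated PCR in boot order and shows that changing a single byte of one component (here, the MBR) produces a different final value, which is why the TPM will not unseal the volume master key. The component contents are constructed stand-ins, not real firmware.

```powershell
# Added illustration, not part of the course text: a model of the TPM 1.2
# "extend" operation that BitLocker relies on. Each boot component is hashed
# and folded into a PCR; a key sealed to the final PCR value can only be
# unsealed if every component measures identically on the next boot.
# Component contents below are constructed stand-ins, not real firmware.

function ConvertTo-Hex { param([byte[]]$Bytes) ($Bytes | ForEach-Object { $_.ToString('x2') }) -join '' }

function Invoke-PcrExtend {
    # TPM 1.2 extend: PCR_new = SHA1( PCR_old || SHA1(component) )
    param([byte[]]$Pcr, [byte[]]$Component)
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    try {
        $digest = $sha1.ComputeHash($Component)
        return $sha1.ComputeHash([byte[]]($Pcr + $digest))
    } finally { $sha1.Clear() }
}

function Measure-BootChain {
    # Extends one PCR with every component in boot order and returns the final value as hex
    param([hashtable[]]$Components)
    $pcr = New-Object byte[] 20           # PCRs are all-zero after platform reset
    foreach ($c in $Components) {
        $pcr = Invoke-PcrExtend -Pcr $pcr -Component $c.Bytes
        Write-Host ("{0,-13} PCR = {1}" -f $c.Name, (ConvertTo-Hex $pcr))
    }
    ConvertTo-Hex $pcr
}

$enc = [System.Text.Encoding]::ASCII
# The measurement list from the text, in the order the components execute
$goodChain = @(
    @{ Name = 'CRTM';         Bytes = $enc.GetBytes('crtm-v1') },
    @{ Name = 'BIOS';         Bytes = $enc.GetBytes('bios-build-2012') },
    @{ Name = 'Option ROM';   Bytes = $enc.GetBytes('nic-option-rom') },
    @{ Name = 'MBR';          Bytes = $enc.GetBytes('mbr-code') },
    @{ Name = 'NTFS boot';    Bytes = $enc.GetBytes('ntfs-boot-sector') },
    @{ Name = 'Boot manager'; Bytes = $enc.GetBytes('bootmgr') }
)
# Same chain, with a single byte of the MBR changed
$tamperedChain = $goodChain | ForEach-Object { @{ Name = $_.Name; Bytes = [byte[]]$_.Bytes.Clone() } }
$tamperedChain[3].Bytes[0] = [byte][char]'X'

$sealedTo = Measure-BootChain -Components $goodChain       # value recorded when the key was sealed
$current  = Measure-BootChain -Components $tamperedChain   # value measured on a later boot
if ($current -eq $sealedTo) { 'PCR matches: the TPM would unseal the volume master key.' }
else { 'PCR mismatch: the TPM refuses to unseal and BitLocker locks the drive (recovery mode).' }
```

Because each extend hashes the previous register value together with the new measurement, the order of the components matters as much as their contents; the same components measured in a different order also fail to match.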
By default, BitLocker is configured to look for and use a TPM. You can use Group Policy to allow BitLocker to work without a TPM and store keys on an external USB flash drive. However, BitLocker then cannot verify the early startup components.
You can enable BitLocker on a computer without a TPM 1.2, as long as the BIOS has the ability to read from a USB flash drive in the boot environment. This is because BitLocker will not unlock the protected volume until BitLocker's own volume master key is first released by either the computer's TPM or by a USB flash drive containing the BitLocker startup key for that computer. However, computers without TPMs will not be able to use the system-integrity verification that BitLocker provides.
If the startup key is located on a USB flash drive, your computer must have a BIOS that can read USB flash drives in the pre-operating system environment (at startup). You can check your BIOS by running the hardware test that is near the end of the BitLocker setup wizard. To help determine whether a computer can read from a USB device during the boot process, use the BitLocker System Check as part of the BitLocker setup process. This system check performs tests to confirm that the computer can read from the USB devices properly at the appropriate time and that the computer meets other BitLocker requirements.
To enable BitLocker on a computer without a TPM, use Group Policy to enable the advanced BitLocker user interface. With the advanced options enabled, the non-TPM settings appear in the BitLocker setup wizard.
Question: What is a disadvantage of running BitLocker on a computer that does not contain TPM 1.2?
In addition to recovery passwords, you can use Group Policy to configure a domain-wide public key called a data recovery agent that will permit an administrator to unlock any drive encrypted with BitLocker. Before you can use a data recovery agent, you must add it from the Public Key Policies item in either the Group Policy Management Console (GPMC) or the Local Group Policy Editor.
To use a data recovery agent with BitLocker, you must enable the appropriate Group Policy setting for the drives that you are using with BitLocker. These settings are:
• Choose how BitLocker-protected operating system drives can be recovered.
• Choose how BitLocker-protected removable data drives can be recovered.
• Choose how BitLocker-protected fixed data drives can be recovered.
When you enable the policy setting, select the Enable data recovery agent check box. There is a policy setting for each type of drive, so you can configure individual recovery policies for each type of drive on which you enable BitLocker.
You also must enable and configure the Provide the unique identifiers for your organization policy setting to associate a unique identifier to a new drive that is protected with BitLocker. Identification fields are required for management of data recovery agents on BitLocker-protected drives. BitLocker will manage and update data recovery agents only when an identification field is present on a drive and is identical to the value configured on the computer. Using these policy settings helps enforce standard deployment of BitLocker Drive Encryption in your organization.
Group Policy settings that affect BitLocker are located in Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption. Globally applied BitLocker Group Policy settings are located in this folder. Subfolders for fixed data drives, operating system drives, and removable drives support configuration of policy settings specific to those drives.
Note: If you want to use BitLocker to protect an operating system drive on a computer that does not have a TPM, you must enable the Require additional authentication at startup Group Policy setting, and then within that setting, click Allow BitLocker without a compatible TPM.
The following table summarizes some of the key policy settings that affect Windows 8 client computers. Each setting includes the following options: Not Configured, Enabled, and Disabled. The default setting for each setting is Not Configured.

Setting name: Choose default folder for recovery password
Location: BitLocker Drive Encryption folder
Description: This specifies a default location, which is shown to the user, to which the user can save recovery keys. This can be a local or network location. The user is free to choose other locations.

Setting name: Choose drive encryption method and cipher strength
Location: BitLocker Drive Encryption folder
Description: This allows you to configure the algorithm and cipher strength that BitLocker uses to encrypt files. If you enable this setting, you will be able to choose an encryption algorithm and key cipher strength. If you disable or do not configure this setting, BitLocker will use the default encryption method of AES 128-bit with Diffuser, or the encryption method that the setup script specifies.

Setting name: Provide the unique identifiers for your organization
Location: BitLocker Drive Encryption folder
Description: This allows you to associate unique organizational identifiers to a new drive that is enabled with BitLocker. BitLocker will manage and update data recovery agents only when the identification field on the drive matches the value that you configure in the identification field. This also applies to removable drives that you configure by using BitLocker To Go.

Setting name: Prevent memory overwrite on restart
Location: BitLocker Drive Encryption folder
Description: This controls computer restart performance at the risk of exposing BitLocker secrets. BitLocker secrets include key material that you use to encrypt data. If you enable this setting, memory will not be overwritten when the computer restarts. This can improve restart performance, but does increase the risk of exposing BitLocker secrets. If you disable or do not configure this setting, BitLocker removes secrets from memory when the computer restarts.

Setting name: Deny write access to fixed drives not protected by BitLocker
Location: Fixed Data Drives folder
Description: This determines whether BitLocker protection is required for fixed data drives to be writable on a computer. If you enable this setting, all fixed data drives that are not BitLocker-protected will be mounted as read-only. If the drive is BitLocker-protected, or if you disable or do not configure this setting, all fixed data drives will be mounted with read and write access.

Setting name: Allow access to BitLocker-protected fixed data drives from earlier versions of Windows
Location: Fixed Data Drives folder
Description: This configures whether fixed data drives formatted with the FAT file system can be unlocked and viewed on computers that are running Windows Server 2008, Windows Vista, and Windows XP with Service Pack 3 (SP3) or Service Pack 2 (SP2) operating systems.

Setting name: Choose how BitLocker-protected fixed drives can be recovered
Location: Fixed Data Drives folder
Description: This allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials.

Setting name: Require additional authentication at startup
Location: Operating System Drives folder
Description: This allows you to configure whether you can enable BitLocker on computers without a TPM, and whether you can use multifactor authentication on computers with a TPM.

Setting name: Choose how BitLocker-protected operating system drives can be recovered
Location: Operating System Drives folder
Description: This allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information.

Setting name: Configure TPM platform validation profile
Location: Operating System Drives folder
Description: This configures which of the TPM platform measurements stored in platform control registers (PCRs) are used to seal BitLocker keys.

Setting name: Control use of BitLocker on removable drives
Location: Removable Data Drives folder
Description: This controls the use of BitLocker on removable data drives.

Setting name: Configure use of smart cards on removable data drives
Location: Removable Data Drives folder
Description: This allows you to specify whether smart cards can be used to authenticate user access to BitLocker-protected removable drives on a computer.

Setting name: Deny write access to removable drives not protected by BitLocker
Location: Removable Data Drives folder
Description: This configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive.

Setting name: Allow access to BitLocker-protected removable drives from earlier versions of Windows
Location: Removable Data Drives folder
Description: This configures whether removable data drives formatted with the FAT file system can be unlocked and viewed on computers that are running Windows Server 2008, Windows Vista, and Windows XP with SP3 or SP2 operating systems.

Setting name: Configure use of passwords for removable data drives
Location: Removable Data Drives folder
Description: This specifies whether a password is required to unlock BitLocker-protected removable data drives. If you choose to allow use of a password, you can require a password to be used, enforce complexity requirements, and configure a minimum length.

Setting name: Choose how BitLocker-protected removable data drives can be recovered
Location: Removable Data Drives folder
Description: This allows you to control how BitLocker-protected removable data drives are recovered in the absence of the required startup key information.

The following TPM command settings also affect BitLocker:

Setting name: Configure the list of blocked TPM commands
Default: None
Description: This allows you to disable or enable specific TPM functions, but the next two settings can restrict which commands are available. Group Policy-based lists override local lists. You can configure local lists in the TPM Management console.

Setting name: Ignore the default list of blocked TPM commands
Default: Disabled
Description: By default, BitLocker blocks certain TPM commands. To enable these commands, you must enable this policy setting.

Setting name: Ignore the local list of blocked TPM commands
Default: Disabled
Description: By default, a local administrator can block commands in the TPM Management console. You can use this setting to prevent that behavior.
Configuring BitLocker
In Windows 8, you can enable BitLocker from either Control Panel or by right-clicking the volume that you want to encrypt. This initiates the BitLocker Setup Wizard, and the BitLocker Drive Preparation tool validates system requirements. During the preparation phase, BitLocker creates the second partition if it does not exist.
Administration
You can manage BitLocker by using the BitLocker control panel. A command-line management tool, manage-bde.wsf, is also available for IT Professionals to perform scripting functionality remotely.
After you encrypt and protect the volume by using BitLocker, local and domain administrators can use the Manage Keys page in the BitLocker control panel to duplicate keys and reset the PIN.
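As an added example, not code from the course or from Microsoft, the following PowerShell function uses the BitLocker module that ships with Windows 8 to produce the same status view the control panel gives, for every volume at once, and flags any protected volume that has no recovery password protector. It assumes an elevated PowerShell session; the property and protector-type names are those returned by Get-BitLockerVolume.

```powershell
# Added example, not from the course: BitLocker status report for all volumes.
# Run in an elevated PowerShell session on Windows 8 (BitLocker module).
function Get-BitLockerReport {
    foreach ($vol in Get-BitLockerVolume) {
        $protectors = @($vol.KeyProtector)
        $types      = $protectors | ForEach-Object { $_.KeyProtectorType }
        [pscustomobject]@{
            MountPoint          = $vol.MountPoint
            VolumeType          = $vol.VolumeType          # OperatingSystem or Data
            VolumeStatus        = $vol.VolumeStatus        # FullyEncrypted, EncryptionInProgress, ...
            ProtectionStatus    = $vol.ProtectionStatus    # On only when protectors are active
            EncryptionMethod    = $vol.EncryptionMethod
            PercentEncrypted    = $vol.EncryptionPercentage
            Protectors          = ($types -join ',')
            HasRecoveryPassword = [bool]($types -contains 'RecoveryPassword')
            UsesTpm             = [bool]($types | Where-Object { $_ -like 'Tpm*' })
        }
    }
}

# Show the table, then warn about volumes you could not recover if a protector fails
$report = Get-BitLockerReport
$report | Format-Table -AutoSize
$report | Where-Object { $_.ProtectionStatus -eq 'On' -and -not $_.HasRecoveryPassword } |
    ForEach-Object { Write-Warning "$($_.MountPoint) is protected but has no recovery password protector" }

# The classic command-line equivalent of the first part is: manage-bde -status
```

A volume whose VolumeStatus is FullyEncrypted but whose ProtectionStatus is Off is in the disabled (suspended) state discussed later in this lesson: the data is encrypted, but the key needed to read it is stored in the clear on the disk.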
The BitLocker control panel displays BitLocker's status, and provides the functionality to enable or disable BitLocker. If BitLocker is actively encrypting or decrypting data due to a recent installation or uninstall request, the progress status appears. IT professionals also can use the BitLocker control panel to access the TPM management MMC.
Perform the following steps to turn on BitLocker Drive Encryption:
1. In Control Panel, click System and Security, and then click BitLocker Drive Encryption.
2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
3. On the BitLocker Drive Encryption page, click Turn On BitLocker on the operating system volume. A message appears, warning that BitLocker encryption might have a performance impact on your server. If your TPM is not initialized, the Initialize TPM Security Hardware wizard appears. Follow the directions to initialize the TPM, and then restart or shut down your computer.
4. The Save the recovery password page shows the following options:
o Save the password on a USB drive: Saves the password to a USB flash drive.
o Save the password in a folder: Saves the password to a folder on a network drive or other location.
o Print the password: Prints the password.
Use one or more of these options to preserve the recovery password. For each, select the option, and then follow the wizard steps to set the location for saving or printing the recovery password. When you finish saving the recovery password, click Next.
5. On the Encrypt the selected disk volume page, confirm that the Run BitLocker System Check check box is selected, and then click Continue. Confirm that you want to restart the computer by clicking Restart Now. The computer restarts, and then BitLocker verifies whether the computer is BitLocker-compatible and ready for encryption. If it is not, an error message will alert you to the problem.
6. If the computer is ready for encryption, the Encryption in Progress status bar displays. You can monitor the ongoing completion status of the disk-volume encryption by dragging your mouse cursor over the BitLocker Drive Encryption icon, which is in the notification area at the bottom of your screen.
By completing this procedure, you have encrypted the operating system volume and created a recovery password unique to this volume. The next time that you log on, you will see no change. If the TPM ever changes or BitLocker cannot access it, or if there are changes to key system files or someone tries to start the computer from a product CD or DVD to circumvent the operating system, the computer will switch to recovery mode until the user supplies the correct recovery password.
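The TPM check described earlier in this lesson and the Turn On BitLocker procedure above can both be done from an elevated PowerShell session. The following is an added example, not the course's or Microsoft's own code: it uses the TrustedPlatformModule and BitLocker modules of Windows 8 (Get-Tpm, Add-BitLockerKeyProtector, Enable-BitLocker), creates the recovery password before adding the TPM protector so that an escrow copy exists before encryption starts, and writes it to a folder you supply. The $RecoveryFolder value is an assumed path and must not be on the volume being encrypted; the system check still runs on the restart that follows.

```powershell
# Added example, not from the course: TPM check plus "Turn On BitLocker" for the
# operating system volume, using the Windows 8 TrustedPlatformModule and
# BitLocker PowerShell modules. Requires an elevated session.

function Test-TpmReady {
    # Same question the TPM Administration console answers: is a TPM present and initialized?
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) { throw 'No TPM found: use the startup-key (non-TPM) procedure instead.' }
    if (-not $tpm.TpmReady)   { throw 'TPM present but not initialized: run Initialize-Tpm or the TPM wizard first.' }
    $spec = (Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm).SpecVersion
    Write-Host "TPM present and ready, specification version: $spec"
    $true
}

function Enable-OsVolumeBitLocker {
    param(
        [string]$MountPoint = $env:SystemDrive,
        [Parameter(Mandatory)][string]$RecoveryFolder    # assumed path, not on the volume being encrypted
    )
    Test-TpmReady | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -eq 'On') { Write-Host "$MountPoint is already protected"; return $vol }

    # Step 4 equivalent: create the recovery password and save it to a folder.
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -Last 1
    $file = Join-Path $RecoveryFolder "BitLocker Recovery Key $($rp.KeyProtectorId.Trim('{}')).txt"
    @('BitLocker Drive Encryption recovery key',
      "Identifier: $($rp.KeyProtectorId)",
      "Recovery Key: $($rp.RecoveryPassword)") | Set-Content -Path $file
    Write-Host "Recovery password saved to $file; print it or move it off this computer."

    # Step 5 equivalent: TPM protector. Without -SkipHardwareTest, BitLocker runs the
    # system check on the next restart before it starts encrypting.
    Enable-BitLocker -MountPoint $MountPoint -TpmProtector -EncryptionMethod Aes128
    Get-BitLockerVolume -MountPoint $MountPoint
}

# Usage (constructed path): Enable-OsVolumeBitLocker -RecoveryFolder 'E:\BitLockerKeys'
```

If the TPM is present but not ready, Initialize-Tpm corresponds to the Initialize TPM Security Hardware wizard in step 3 and may require a restart with physical presence before the script is run again.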
Use the following procedure to change your computer's Group Policy settings so that you can turn on BitLocker Drive Encryption without a TPM. Instead of a TPM, you will use a startup key to authenticate yourself. The startup key is on a USB flash drive that you insert into the computer before you turn it on.
For this scenario, you must have a BIOS that will read USB flash drives in the pre-operating system environment (at startup). You can check your BIOS by running the system check that is in the final step of the BitLocker wizard.
Before you start:
• You must be logged on as an administrator.
• BitLocker must be installed on this server.
• You must have a USB flash drive to save the recovery password.
You should try using a second USB flash drive to store the startup key separate from the recovery password.
Perform the following steps to turn on BitLocker on a computer without a compatible TPM:
1. Run gpedit.msc.
2. If the User Account Control dialog box appears, confirm that the action it displays is the action that you want to occur, and then click Continue.
3. In the Local Group Policy Editor console tree, click Computer Configuration, click Administrative Templates, click Windows Components, click BitLocker Drive Encryption, and then click Operating System Drives.
4. Double-click the Require additional authentication at startup setting.
5. Select the Enabled option, select the Allow BitLocker without a compatible TPM check box, and then click OK.
6. You have changed the policy setting so that you can use a startup key instead of a TPM.
7. To force Group Policy to apply immediately, from a command prompt, type gpupdate.exe /force, and then press Enter.
8. From Control Panel, click System and Security, and then click BitLocker Drive Encryption.
9. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
10. On the BitLocker Drive Encryption page, click Turn On BitLocker. This option appears only for the operating system volume.
11. On the Set BitLocker Startup Preferences page, select the Require Startup USB Key at every startup option. This is the only option available for non-TPM configurations. You must insert this key before you start the computer, each time you start it.
12. Insert your USB flash drive in the computer, if you have not done so already.
13. On the Save your Startup Key page, choose the location of your USB flash drive, and then click Save.
14. The following options are available on the Save the recovery password page:
o Save the password on a USB drive: Saves the password to a USB flash drive.
o Save the password in a folder: Saves the password to a folder on a network drive or other location.
o Print the password: Prints the password.
Use one or more of these options to preserve the recovery password. For each, select the option, and then follow the wizard steps to set the location for saving or printing the recovery password. Do not store the recovery password and the startup key on the same media. When you have finished saving the recovery password, click Next.
15. On the Encrypt the selected disk volume page, confirm that the Run BitLocker System Check check box is selected, and then click Continue. Confirm that you want to restart the computer by clicking Restart Now. The computer restarts, and BitLocker verifies whether the computer is BitLocker-compatible and ready for encryption. If it is not, you will see an error message alerting you to the problem before encryption starts.
16. If the computer is ready for encryption, the Encryption in Progress status bar is displayed. You can monitor the ongoing completion status of the disk-volume encryption by dragging your mouse cursor over the BitLocker icon, which is in the notification area at the bottom of your screen. You also can click the Encryption icon to view the status.
By completing this procedure, you have encrypted the operating system volume and created a recovery password unique to that volume. The next time that you turn your computer on, you must plug the USB flash drive with the startup key into one of the computer's USB ports. If it is not inserted, you will not be able to access data on your encrypted volume. If you do not have the USB flash drive containing your startup key, then you will need to use recovery mode and supply the recovery password to access data.
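The non-TPM procedure above, scripted, as an added example that is not part of the course and not Microsoft's code. The policy step writes the registry values that the Require additional authentication at startup setting produces; the value names UseAdvancedStartup and EnableBDEWithNoTPM under HKLM\SOFTWARE\Policies\Microsoft\FVE are taken from the BitLocker ADMX template as I know it and should be checked against your own template, and a domain GPO is the managed way to deploy the same setting. The script then refuses to continue if the startup key and the recovery password would land on the same media. Drive letters are placeholders.

```powershell
# Added example, not from the course: enable BitLocker on the OS volume with a
# USB startup key instead of a TPM. Elevated PowerShell on Windows 8.

function Enable-BitLockerWithoutTpmPolicy {
    # Registry equivalent of steps 1-7 (Local Group Policy Editor + gpupdate).
    # Value names assumed from the BitLocker ADMX template; verify against your copy.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name UseAdvancedStartup -Value 1 -Type DWord   # setting Enabled
    Set-ItemProperty -Path $key -Name EnableBDEWithNoTPM -Value 1 -Type DWord   # "Allow BitLocker without a compatible TPM"
    gpupdate.exe /force | Out-Null
}

function Assert-RemovableDrive {
    # Returns the device ID (e.g. E:) or throws if the path is not a removable drive
    param([string]$Path)
    $disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$($Path.TrimEnd('\'))'"
    if (-not $disk -or $disk.DriveType -ne 2) { throw "$Path is not a removable drive" }   # 2 = removable disk
    $disk.DeviceID
}

function Enable-StartupKeyBitLocker {
    param(
        [string]$MountPoint = $env:SystemDrive,
        [Parameter(Mandatory)][string]$StartupKeyDrive,   # USB drive that receives the hidden .BEK startup key
        [Parameter(Mandatory)][string]$RecoveryDrive      # a different USB drive for the recovery password
    )
    if ((Assert-RemovableDrive $StartupKeyDrive) -eq (Assert-RemovableDrive $RecoveryDrive)) {
        throw 'Do not store the startup key and the recovery password on the same media.'
    }
    Enable-BitLockerWithoutTpmPolicy

    # Step 14 equivalent: recovery password, saved to the second USB drive
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -Last 1
    $rpFile = Join-Path $RecoveryDrive "BitLocker Recovery Key $($rp.KeyProtectorId.Trim('{}')).txt"
    "Identifier: $($rp.KeyProtectorId)`r`nRecovery Key: $($rp.RecoveryPassword)" | Set-Content -Path $rpFile

    # Steps 11-13 and 15 equivalent: startup key protector; the system check runs on the restart that follows
    Enable-BitLocker -MountPoint $MountPoint -StartupKeyProtector -StartupKeyPath $StartupKeyDrive -EncryptionMethod Aes128
    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus,
                      @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ',' } }
}

# Usage (constructed drive letters): Enable-StartupKeyBitLocker -StartupKeyDrive 'E:\' -RecoveryDrive 'F:\'
```

Without the policy values, Enable-BitLocker rejects an external-key-only protector on an operating system volume, which is the same restriction the wizard enforces by hiding the non-TPM options.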
Forcing BitLocker into disabled mode keeps the volume encrypted, but the volume master key is encrypted with a symmetric key that it stores unencrypted on the hard disk. The availability of this unencrypted key disables the data protection that BitLocker offers, but ensures that subsequent computer startups succeed without further user input. When you reenable BitLocker, the unencrypted key is removed from the disk and BitLocker protection is turned on. Additionally, BitLocker identifies the volume master key, and encrypts it again.
Moving the encrypted volume, which is the physical disk, to another BitLocker-enabled computer requires that you turn off BitLocker temporarily. No additional steps are required, because the key protecting the volume master key is stored unencrypted on the disk.
Note: Exposing the volume master key even for a brief period is a security risk: an attacker who obtains the clear key while it is exposed can access the volume master key and the full volume encryption key.
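The disabled mode described above maps to Suspend-BitLocker and Resume-BitLocker in the Windows 8 BitLocker module (manage-bde -protectors -disable and -enable on the command line). The following added example, not code from the course or from Microsoft, wraps a maintenance action so that protection is suspended for as short a time as possible, shows the FullyEncrypted/Off state that the text describes, and resumes protection in a finally block even if the action fails. The RebootCount parameter, as documented for the Windows 8 module, makes BitLocker re-arm itself automatically after one restart if Resume is never reached.

```powershell
# Added example, not from the course: suspend BitLocker around a maintenance
# action (for example a BIOS or TPM firmware update) and resume immediately.
# Elevated PowerShell on Windows 8.
function Invoke-WithBitLockerSuspended {
    param(
        [string]$MountPoint = $env:SystemDrive,
        [Parameter(Mandatory)][scriptblock]$Action
    )
    $before = Get-BitLockerVolume -MountPoint $MountPoint
    if ($before.ProtectionStatus -ne 'On') { throw "$MountPoint is not protected; nothing to suspend" }

    # Disabled mode: the volume master key is re-wrapped with a clear key stored on disk.
    # RebootCount 1 limits the exposure to a single restart even if this script dies.
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
    try {
        $state = Get-BitLockerVolume -MountPoint $MountPoint
        # Expected here: VolumeStatus=FullyEncrypted, ProtectionStatus=Off
        Write-Host "While suspended: VolumeStatus=$($state.VolumeStatus) ProtectionStatus=$($state.ProtectionStatus)"
        & $Action
    } finally {
        # Re-enabling removes the clear key and re-seals the volume master key
        Resume-BitLocker -MountPoint $MountPoint | Out-Null
        $after = Get-BitLockerVolume -MountPoint $MountPoint
        Write-Host "After resume: ProtectionStatus=$($after.ProtectionStatus)"
    }
}

# Usage: Invoke-WithBitLockerSuspended -Action { Write-Host 'apply the firmware update here' }
```

Suspending is the right tool for planned changes to measured boot components (firmware, boot manager updates), because it avoids the recovery prompt that a changed PCR value would otherwise cause; it is not a substitute for turning BitLocker off when the disk is being moved permanently.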
On unencrypted drives, data may remain readable even after the drive has been formatted. Enterprises often use multiple overwrites or physical destruction to reduce the risk of exposing data on decommissioned drives.
You can use BitLocker to create a simple, cost-effective decommissioning process. Leaving data encrypted by BitLocker, and then removing the keys, results in an enterprise permanently reducing the risk of exposing this data. It becomes nearly impossible to access BitLocker-encrypted data after removing all BitLocker keys, because this requires solving 128-bit or 256-bit AES encryption. Note: Perform the procedures that this section describes only if you do not want or need the data in the future. You cannot recover the data in the encrypted volume if you perform the procedures that this section details.
You can remove a volume's BitLocker keys by formatting that volume from Windows 8. The format command has been updated to support this operation. To format the operating system volume, you can open a command prompt by using the recovery environment that the Windows 8 installation DVD includes.
Alternatively, an administrator can create a script that effectively removes all BitLocker key protectors. Running such a script will leave all BitLocker-encrypted data unrecoverable when you restart the computer. As a safety measure, BitLocker requires that an encrypted volume have at least one key protector. Given this requirement, you can decommission the drive by creating a new external key protector, not saving the created external key information, and then removing all other key protectors on the volume.
After you remove the BitLocker keys from the volume, you need to perform follow-up tasks to complete the decommissioning process. For example, reset the TPM to its factory defaults by clearing the TPM, and discard saved recovery information for the volume, such as printouts, files stored on USB devices, and information stored in AD DS.
Question: When turning on BitLocker on a computer with TPM 1.2, what is the purpose of saving the recovery password?
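The key-removal decommissioning procedure above, scripted with the Windows 8 BitLocker module, as an added example that is not part of the course and not Microsoft's code. It follows the sequence the text gives (throwaway external key first, then delete every original protector) and requires an explicit -Force switch because the result is irreversible; the temporary folder that briefly holds the .BEK file is a constructed path and is deleted immediately.

```powershell
# Added example, not from the course: make a BitLocker-encrypted volume
# permanently unreadable by removing every usable key protector.
# IRREVERSIBLE. Elevated PowerShell on Windows 8.
function Invoke-BitLockerDecommission {
    param(
        [Parameter(Mandatory)][string]$MountPoint,
        [switch]$Force
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        throw "$MountPoint is not fully encrypted; key removal would leave plaintext on disk"
    }
    if (-not $Force) { throw "Re-run with -Force to destroy access to $MountPoint permanently" }

    $original = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorId })

    # BitLocker insists on at least one protector, so add a throwaway external key
    # whose .BEK file is never kept (constructed temp path, deleted right away).
    $tmp = Join-Path $env:TEMP ('bde-decommission-' + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $tmp | Out-Null
    Add-BitLockerKeyProtector -MountPoint $MountPoint -StartupKeyProtector -StartupKeyPath $tmp | Out-Null
    Remove-Item -Path $tmp -Recurse -Force

    # Now remove every protector that could still unlock the volume (TPM, PIN, recovery password, ...)
    foreach ($id in $original) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $id | Out-Null
    }

    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object MountPoint, VolumeStatus,
                      @{ n = 'RemainingProtectors'; e = { $_.KeyProtector.KeyProtectorType -join ',' } }
    # Follow-ups from the text, done separately: Clear-Tpm (TrustedPlatformModule module),
    # shred printed and USB copies, and delete the msFVE-RecoveryInformation objects in AD DS.
}

# Usage: Invoke-BitLockerDecommission -MountPoint 'D:' -Force
```

The remaining protector shown afterwards is the ExternalKey whose key material no longer exists anywhere, which is exactly the state the text describes: encrypted data, no key.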
Configuring BitLocker To Go
BitLocker To Go protects data on removable data drives. It allows you to configure BitLocker Drive Encryption on USB flash drives and external hard drives. The option is available by simply right-clicking on a drive in Windows Explorer to enable BitLocker protection.
BitLocker To Go Scenario
Consider the following scenario. An administrator configures Group Policy to require that users can save data only on data volumes protected by BitLocker. Specifically, the administrator enables the Deny write access to removable drives not protected by BitLocker policy, and deploys it to the domain.
Meanwhile, an end user inserts a USB flash drive. Because the USB flash drive is not protected with BitLocker, Windows 8 displays an informational dialog box indicating that the device must be encrypted with BitLocker. From this dialog, the user chooses to launch the BitLocker Wizard to encrypt the volume or continues working with the device as read-only. If the user decides to implement the device as read-only and then attempts to save a document to the flash drive, an access denied error message appears.
After you configure the device to use BitLocker, when the user saves documents to the external drive, BitLocker encrypts them. When the user inserts the USB flash drive on a different PC, the computer detects that the portable device is BitLocker protected, and prompts the user to specify the passphrase. The user can specify to unlock the volume automatically on the second PC.
Note: In the above scenario, the second computer does not have to be encrypted with BitLocker.
If a user forgets the passphrase for the device, he or she can use the I forgot my passphrase option from the BitLocker Unlock wizard to recover it. Clicking this option displays a recovery password ID that the user supplies to an administrator, who then uses the password ID to obtain the device's recovery password. This recovery password can be stored in AD DS and recovered with the BitLocker Recovery Password tool.
Question: How do you enable BitLocker To Go for a USB flash drive?
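The BitLocker To Go scenario above, as an added example that is not part of the course and not Microsoft's code, using the Windows 8 BitLocker module: one function protects a removable drive with a password and a recovery password and returns the password ID that the "I forgot my passphrase" dialog would later show, the other unlocks the drive on a second computer. The drive letter E: and the password prompt are placeholders. Enable-BitLockerAutoUnlock, used for the "unlock automatically" option, requires that the second computer's own operating system drive be BitLocker-protected, which is why it is optional here.

```powershell
# Added example, not from the course: BitLocker To Go on a removable drive.
# Elevated PowerShell on Windows 8; drive letter and password are placeholders.

function Enable-BitLockerToGo {
    param(
        [Parameter(Mandatory)][string]$MountPoint,          # e.g. 'E:'
        [Parameter(Mandatory)][securestring]$Password
    )
    $disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$($MountPoint.TrimEnd('\'))'"
    if (-not $disk -or $disk.DriveType -ne 2) { throw "$MountPoint is not a removable drive" }   # 2 = removable

    # Passphrase protector, as the wizard's "Use a password to unlock the drive" option
    Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $Password -EncryptionMethod Aes128 | Out-Null
    # Recovery password protector: its ID is what the user reads out to the help desk later
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -Last 1
    [pscustomobject]@{
        MountPoint       = $MountPoint
        PasswordId       = $rp.KeyProtectorId        # give to the user; harmless on its own
        RecoveryPassword = $rp.RecoveryPassword      # escrow in AD DS or a safe place, never on the drive
    }
}

function Unlock-BitLockerToGo {
    # What the second computer does when the drive is inserted and the passphrase is typed
    param(
        [Parameter(Mandatory)][string]$MountPoint,
        [Parameter(Mandatory)][securestring]$Password,
        [switch]$AutoUnlock     # only possible if this computer's OS drive is itself BitLocker-protected
    )
    Unlock-BitLocker -MountPoint $MountPoint -Password $Password | Out-Null
    if ($AutoUnlock) { Enable-BitLockerAutoUnlock -MountPoint $MountPoint | Out-Null }
    (Get-BitLockerVolume -MountPoint $MountPoint).LockStatus     # Unlocked on success
}

$pw = Read-Host -AsSecureString 'Password for the removable drive'
Enable-BitLockerToGo -MountPoint 'E:' -Password $pw
# On another computer: Unlock-BitLockerToGo -MountPoint 'E:' -Password $pw
```

With the Deny write access to removable drives not protected by BitLocker policy in place, a drive that Enable-BitLockerToGo has not yet processed mounts read-only, which is the access denied behaviour the scenario describes.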
The recovery password will be required if the encrypted drive must be moved to another computer, or changes are made to the system startup information. This password is so important that we recommend that you make additional copies of the password and store it in safe places to ensure access to your data.
You will need your recovery password to unlock the encrypted data on the volume if BitLocker enters a locked state. This recovery password is unique to this particular BitLocker encryption. You cannot use it to recover encrypted data from any other BitLocker encryption session.
A computer's password ID is a 32-character password unique to a computer name. Find the password ID under a computer's property settings, which you can use to locate passwords stored in AD DS. To locate a password, the following conditions must be true:
• You must be a domain administrator or have delegated permissions.
• The client's BitLocker recovery information is configured to be stored in AD DS.
• The client's computer has been joined to the domain.
• BitLocker Drive Encryption must have been enabled on the client's computer.
Prior to searching for and providing a recovery password to a user, confirm that the person is the account owner and is authorized to access data on the computer in question.
Search for the password in Active Directory Users and Computers by using either one of the following:
• Drive Label
• Password ID
When you search by drive label, after locating the computer, right-click the drive label, click Properties, and then click the BitLocker Recovery tab to view associated passwords.
To search by password ID, right-click the domain container, and then select Find BitLocker Recovery Password. In the Find BitLocker Recovery Password dialog box, enter the first eight characters of the password ID in the Password ID field, and then click Search.
Examine the returned recovery password to ensure it matches the password ID that the user provides. Performing this step helps to verify that you have obtained the unique recovery password.
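The password ID search above can also be run from PowerShell. The following is an added example, not code from the course or from Microsoft: it assumes the ActiveDirectory module (RSAT) and an account with delegated read access to the msFVE-RecoveryInformation objects that BitLocker stores under each computer object. Those objects are named with a timestamp followed by the full password ID in braces, so a filter on the first eight characters finds the candidates, and the second function performs the verification step from the text, comparing the full ID returned by AD DS with the one the user read out.

```powershell
# Added example, not from the course: look up a BitLocker recovery password in
# AD DS by the first eight characters of its password ID, then verify the match.
# Requires the ActiveDirectory module and delegated read permission.

function Find-BitLockerRecoveryPassword {
    param([Parameter(Mandatory)][ValidatePattern('^[0-9A-Fa-f]{8}$')][string]$PasswordIdPrefix)
    # Recovery objects are children of the computer object, named "<timestamp>{<password ID>}"
    $filter = "(&(objectClass=msFVE-RecoveryInformation)(name=*{$PasswordIdPrefix*))"
    $hits = Get-ADObject -LDAPFilter $filter -Properties msFVE-R
ecoveryPassword, whenCreated
    foreach ($h in $hits) {
        $fullId   = ($h.Name -split '[{}]')[1]
        $parentDn = ($h.DistinguishedName -split ',', 2)[1]         # DN of the computer object
        [pscustomobject]@{
            Computer         = ($parentDn -replace '^CN=([^,]+).*', '$1')
            PasswordId       = $fullId
            Created          = $h.whenCreated
            RecoveryPassword = $h.'msFVE-RecoveryPassword'
        }
    }
}

function Confirm-RecoveryPasswordMatch {
    # The check from the text: only hand out the password whose full ID equals what the user supplied
    param([Parameter(Mandatory)]$Candidate, [Parameter(Mandatory)][string]$UserSuppliedId)
    ($Candidate.PasswordId -replace '-', '') -eq ($UserSuppliedId -replace '-', '')
}

# Usage: the user reads out the ID shown by "I forgot my passphrase" (constructed value)
$userId = '6A2E5D1C-4F0B-4C77-9B3A-0D1E2F3A4B5C'
$cands  = Find-BitLockerRecoveryPassword -PasswordIdPrefix $userId.Substring(0, 8)
$match  = $cands | Where-Object { Confirm-RecoveryPasswordMatch -Candidate $_ -UserSuppliedId $userId }
if ($match) { $match | Select-Object Computer, PasswordId, Created }   # confirm authorization before releasing
else        { Write-Warning 'No recovery object with that full password ID' }
```

Because several computers can share the same eight-character prefix, always compare the full ID before releasing the password, and confirm the requester's identity and ownership of the computer first, as the text says.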
Data recovery agent support allows you to dictate that all BitLocker protected volumes, such as operating system, fixed, and the new portable volumes, are encrypted with an appropriate data recovery agent. The data recovery agent is a new key protector that is written to each data volume so that authorized IT administrators will always have access to BitLocker protected volumes.
Question: What is the difference between the recovery password and the password ID?
A user at A. Datum is working on a project that requires his data be restricted from other members of his project team. The data, stored in a shared folder, is accessible by all A. Datum personnel. You must select a method for providing data privacy for this user's data files.
Objectives
Encrypt files and test access to these encrypted files.
Lab Setup
For this lab, you will use the available virtual machine environment. The required virtual machines should already be running from the preceding lab.
You decide that implementing encryption with EFS will enable the user to prohibit other team members from accessing his data files and maintain security of the file data. The main tasks for this exercise are as follows:
1. Create, share, and secure a data folder for the project team data.
2. Create a sample data file.
3. Encrypt the file and then test file access.
Task 1: Create, share, and secure a data folder for the project team data
1. On LON-DC1, open Windows Explorer.
2. Create a folder called C:\Sales-Data.
3. Share the C:\Sales-Data folder with the following properties:
o Share name: Sales-Data
o Share permissions: Authenticated Users, Full Control
o NTFS permissions: Authenticated Users, Full Control
4. Switch to LON-CL1, and log on as Dan with the password Pa$$word. Dan is a member of the sales team.
5. Map a network drive to \\LON-DC1\Sales-Data using drive S:.
6. Create a new Microsoft Word document in S: called Team Briefing.
7. Add the following text to the document, and then save the file: This is the team briefing
Note: In Word, if prompted to Help Protect and Improve Microsoft Office, click Don't make changes, and then click OK.
Results: After this exercise, you should have encrypted shared files successfully.
When you have finished the lab, leave the virtual machines running, as they are needed for the next lab.
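The encrypt-and-test part of this lab can be reproduced on a local NTFS folder with PowerShell. The following is an added example, not part of the lab and not Microsoft's code: it creates the folder and sample file, encrypts the file with the current user's EFS certificate, confirms the Encrypted attribute, and uses cipher.exe /c to list which certificates (user and any recovery agents) can decrypt it. The folder and file names mirror the lab but are local, so the share and delegation requirements of encrypting over a network path do not apply.

```powershell
# Added example, not part of the lab: EFS-encrypt a file and check who can open it.
# Runs as the user who should own the data (no elevation needed); local NTFS path.
function New-EfsTestFile {
    param(
        [string]$Folder = 'C:\Sales-Data',
        [string]$Name   = 'Team Briefing.txt'
    )
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    $path = Join-Path $Folder $Name
    Set-Content -Path $path -Value 'This is the team briefing'

    # Encrypt with EFS: Windows generates the user's EFS certificate on first use
    (Get-Item $path).Encrypt()

    $attrs     = (Get-Item $path).Attributes
    $encrypted = [bool]($attrs -band [System.IO.FileAttributes]::Encrypted)
    [pscustomobject]@{ Path = $path; Encrypted = $encrypted; Attributes = $attrs }
}

$file = New-EfsTestFile
$file | Format-List

# Which keys can decrypt the file: the owner's certificate thumbprint and any data recovery agent.
# A second user with Full Control NTFS permission but no listed certificate gets "Access is denied".
cipher.exe /c $file.Path

# Listing every encrypted file under the folder (what an auditor would run)
cipher.exe /u /n $file.Folder
```

The NTFS permission model and EFS are independent: Full Control lets another user delete or rename the file but not read it, which is precisely the access test the lab asks you to perform after encrypting.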
Co onfiguring Windows 8
Lesson 4 n
Many users log on to their co M omputers with a user accoun that has mor rights than necessary to run their nt re ap pplications and access their data files. Usin an administ d ng trative user acc count for day-to-day user ta asks po oses significan security risks In earlier Windows version administrat ors were enco nt s. ns, ouraged to use an e or rdinary user ac ccount for most tasks, and to use the Run As feature of W o Windows to ex xecute tasks th hat re equired additio onal rights. Windows 8 provides User Acco ount Control (U UAC) to simplify and secure the process of eleva ating your acco ount rights. Ho owever, unless you know ho UAC works, and its poten s ow , ntial im mpact, you mig have problems when you attempt to c ght u carry out typical desktop-sup pport tasks. Th his le esson introduce how UAC works and how you can use U es w w UAC-related desktop feature es.
What Is UAC?
UAC is a security feature that provides a way for each user to elevate their status from a standard user account to an administrator account without logging off, switching users, or using Run as.
UAC is a collection of features rather than just a prompt. These features, which include File and Registry Redirection, Installer Detection, the UAC prompt, the ActiveX Installer Service, and more, allow Windows users to run with user accounts that are not members of the Administrators group. These accounts typically are referred to as Standard Users, and are broadly described as running with least privilege. The most important fact is that when users run with Standard User accounts, the experience is typically much more secure and reliable.
Windows 8 reduces the number of operating system applications and tasks that require elevation, so standard users can do more while experiencing fewer elevation prompts. This improves the interaction with UAC while upholding high security standards.
When you need to make changes to your computer that require administrator-level permission, UAC notifies you as follows:
If you are an administrator, click Yes to continue.
If you are not an administrator, someone with an administrator account on the computer will have to enter his or her password for you to continue.
If you are a standard user, providing permission temporarily gives you administrator rights to complete the task, and then your permissions are returned to standard user when you are finished. This ensures that even if you are using an administrator account, changes cannot be made to your computer without you knowing about it. This helps prevent malicious software (malware) and spyware from being installed on, or making changes to, your computer.
How UAC Works
There are two general types of user groups in Windows 8: standard users and administrative users. UAC simplifies users' ability to run as standard users and perform all their necessary daily tasks. Administrative users also benefit from UAC because administrative privileges are available only after UAC requests permission from the user for that instance.
When users have administrative permissions to their computers, they can install additional software. Despite corporate policies against installing unauthorized software, many users still do it, which can make their systems less stable and drive up support costs.
When you enable UAC, and a user needs to perform a task that requires administrative permissions, UAC prompts the user for administrative credentials. In a corporate environment, the Help desk can give the user temporary credentials that have local administrative privileges to complete the task.
The default UAC setting allows a standard user to perform the following tasks without receiving a UAC prompt:
Install updates from Windows Update.
Install drivers from Windows Update or those that are included with the operating system.
View Windows settings. However, a standard user is prompted for elevated privileges when changing Windows settings.
Pair Bluetooth devices with the computer.
Reset the network adapter and perform other network diagnostic and repair tasks.
Administrative Users
Administrative users automatically have:
Read/Write/Execute permissions to all resources.
All Windows privileges.
While it may seem clear that all users will not be able to read, alter, and delete any Windows resource, many enterprise IT departments that are running earlier Windows versions had no other option but to assign all of their users to the local Administrators group. One of the benefits of UAC is that it allows users with administrative privileges to run as standard users most of the time. When users with administrative privileges perform a task that requires administrative privileges, UAC prompts the user for permission to complete the task. When the user grants permission, the task in question is performed using full administrative rights, and then the account reverts to a lower level of privilege.
Many applications require users to be administrators by default, because they check administrator group membership before running the application. No user security model existed for Microsoft Windows 95 and Microsoft Windows 98. As a result, developers designed applications assuming that they would be installed and run by users with administrator permissions. A user security model was created for Microsoft Windows NT, but all users were created as administrators by default. Additionally, a standard user on a Windows XP computer must use Run as or log on with an administrator account to install applications and perform other administrative tasks.
The following table details some of the tasks that a standard user can perform, and what tasks require elevation to an administrator account.
Standard users:
Establish a Local Area Network connection
Establish and configure a wireless connection
Modify Display Settings
Users cannot defragment the hard drive, but a service does this on their behalf
Play CD/DVD media (configurable with Group Policy)
Burn CD/DVD media (configurable with Group Policy)
Change the desktop background for the current user
Open the Date and Time Control Panel and change the time zone
Use Remote Desktop to connect to another computer
Change user's own account password
Configure battery power options
Configure Accessibility options
Restore user's backed-up files
Set up computer synchronization with a mobile device (smart phone, laptop, or PDA)
Connect and configure a Bluetooth device
Administrators:
Install and uninstall applications
Install a driver for a device, such as a digital camera driver
Install Windows updates
Configure Parental Controls
Install an ActiveX control
Open the Windows Firewall Control Panel
Change a user's account type
Modify UAC settings in the Security Policy Editor snap-in (secpol.msc)
Configure Remote Desktop access
Add or remove a user account
Copy or move files into the Program Files or Windows directory
Schedule Automated Tasks
Restore system backed-up files
Configure Automatic Updates
Browse to another user's directory
When you enable UAC, members of the local Administrators group run with the same access token as standard users. Only when a member of the local Administrators group gives approval can a process use the administrator's full access token.
This process is the basis of the Admin Approval Mode principle. Users elevate only to perform tasks that require an administrator access token. When a standard user attempts to perform an administrative task, UAC prompts the user to enter valid credentials for an administrator account. This is the default for standard user-prompt behavior. The elevation prompt displays contextual information about the executable that is requesting elevation. The context is different depending on whether the application is signed by Authenticode technology. The elevation prompt has two variations: the consent prompt and the credential prompt.
Consent prompt: Displayed to administrators in Admin Approval Mode when they attempt to perform an administrative task. It requests approval to continue from the user.
Credential prompt: Displayed to standard users when they attempt to perform an administrative task.
Note: Elevation entry points do not remember that elevation has occurred, such as when you return from a shielded location or task. As a result, the user must re-elevate to enter the task again.
While the number of UAC elevation prompts for a standard user performing an everyday task has been reduced in Windows 8, there are times when it is appropriate for an elevation prompt to be returned. For example, viewing firewall settings does not require elevation; however, changing the settings does require elevation because the changes have a system wide impact.
When a permission or password is needed to complete a task, UAC will notify you with one of four different types of dialog boxes. The following table describes the different types of dialog boxes used to notify you and provides guidance on how to respond to them.
A setting or feature that is part of Windows needs your permission to start: This item has a valid digital signature that verifies that Microsoft is the publisher of this item. If you get this type of dialog box, it is usually safe to continue. If you are unsure, check the name of the program or function to decide if it is something you want to run.
A program with a valid digital signature: This program has a valid digital signature, which helps to ensure that the program is what it claims to be and verifies the identity of the publisher of the program. If you get this type of dialog box, make sure the program is the one that you want to run and that you trust the publisher.
A program without a valid digital signature: This program does not have a valid digital signature from its publisher. This does not necessarily indicate danger, since many older, legitimate programs lack signatures. However, use extra caution, and only allow a program to run if you obtained it from a trusted source, such as the original CD or a publisher's Web site. If you are unsure, search the Internet for the program's name to determine if it is a known program or malicious software.
We recommend that most of the time you log on to your computer with a standard user account. You can browse the Internet, send email, and use a word processor, all without an administrator account. When you want to perform an administrative task, such as installing a new program or changing a setting that will affect other users, you do not have to switch to an administrator account; Windows will prompt you for permission or an administrator password before performing the task. Another recommendation is that you create standard user accounts for all the people that use your computer.
Question: What are the differences between a consent prompt and a credential prompt?
When a program makes a change, a prompt appears, but the desktop is not dimmed. Otherwise, the user is not prompted.
When a program makes a change, a prompt appears, and the desktop is dimmed to provide a visual cue that installation is being attempted. Otherwise, the user is not prompted.
Always notify me
Because you can configure the user experience with Group Policy, there can be different user experiences, depending on policy settings. The configuration choices made in your environment may affect the prompts and dialog boxes that standard users, administrators, or both, can view.
For example, you may require administrative permissions to change the UAC setting to Always notify me or Always notify me and wait for my response. With this type of configuration, a yellow notification appears at the bottom of the User Account Control Settings page, indicating the requirement. Question: Which two configuration options are combined to produce the end-user elevation experience?
Create a UAC group policy setting that prevents access elevation. Modify the User Account Control: Behavior of the elevation prompt for standard users setting to be Automatically deny elevation requests.
Modify the User Account Control: Behavior of the elevation prompt for standard users setting to be Prompt for credentials.
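The following added example (not course code) makes the two ideas above concrete: Admin Approval Mode's split token, as described under How UAC Works, and the registry values that the Group Policy settings named here and in the next lab (Behavior of the elevation prompt for standard users, Only elevate executables that are signed and validated) actually write. The registry key and value names are the documented UAC policy values; the interpretation of what counts as a weak setting is the example's own.

```powershell
# Added example, not from the course. Inspect the current token and audit the
# UAC policy values under the documented policy key.
$UacPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Registry encodings of the two "Behavior of the elevation prompt" policies.
$AdminPromptValues = @{ 0 = 'Elevate without prompting'
                        1 = 'Prompt for credentials on the secure desktop'
                        2 = 'Prompt for consent on the secure desktop'
                        3 = 'Prompt for credentials'
                        4 = 'Prompt for consent'
                        5 = 'Prompt for consent for non-Windows binaries' }
$UserPromptValues  = @{ 0 = 'Automatically deny elevation requests'
                        1 = 'Prompt for credentials on the secure desktop'
                        3 = 'Prompt for credentials' }

function Get-UacValueDescription {
    param([hashtable]$Table, $Raw)
    if ($null -eq $Raw) { return 'not set (operating system default applies)' }
    if ($Table.ContainsKey([int]$Raw)) { return $Table[[int]$Raw] }
    return "unrecognized value $Raw"
}

function Get-UacTokenState {
    # In Admin Approval Mode an administrator's unelevated process carries the
    # filtered token: the Administrators SID (S-1-5-32-544) is still listed in
    # the token's groups but marked deny-only, so IsInRole() reports False until
    # the user elevates through the consent prompt.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    $elevated  = $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    $inAdmins  = ($id.Groups | ForEach-Object { $_.Value }) -contains 'S-1-5-32-544'
    [pscustomobject]@{
        User                  = $id.Name
        InAdministratorsGroup = $inAdmins
        TokenElevated         = $elevated
        State                 = if ($elevated) { 'full administrator token' }
                                elseif ($inAdmins) { 'filtered token (Admin Approval Mode)' }
                                else { 'standard user' }
    }
}

function Get-UacPolicyAudit {
    param([string]$Key = $UacPolicyKey)
    $v = Get-ItemProperty -Path $Key
    $findings = @()
    if ($null -ne $v.EnableLUA -and $v.EnableLUA -ne 1) {
        $findings += 'EnableLUA is not 1: UAC is off and administrators always run with the full token'
    }
    if ($v.ConsentPromptBehaviorAdmin -eq 0) {
        $findings += 'Administrators elevate silently, so Admin Approval Mode gives the user no cue'
    }
    if ($v.PromptOnSecureDesktop -eq 0) {
        $findings += 'Prompts appear on the normal desktop, where other processes can draw over them'
    }
    [pscustomobject]@{
        UacEnabled             = ($v.EnableLUA -ne 0)
        AdminPromptBehavior    = Get-UacValueDescription $AdminPromptValues $v.ConsentPromptBehaviorAdmin
        StandardUserBehavior   = Get-UacValueDescription $UserPromptValues  $v.ConsentPromptBehaviorUser
        OnlySignedAndValidated = ($v.ValidateAdminCodeSignatures -eq 1)   # the lab's policy setting
        SecureDesktop          = ($v.PromptOnSecureDesktop -ne 0)
        Findings               = $findings
    }
}

# Usage: run once from a normal window and once from an elevated one as an
# administrator to see the token state change; the audit reads the same key
# either way.
# Get-UacTokenState
# Get-UacPolicyAudit
```

After the lab's Group Policy change is applied (gpupdate), StandardUserBehavior should read "Automatically deny elevation requests" or "Prompt for credentials" depending on the exercise, and OnlySignedAndValidated should be True.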
Holly, the IT manager, is concerned that staff are attempting to perform configuration changes on their computers for which they have no authorization. While Windows 8 does not allow the users to perform these tasks, Holly wants to ensure users are prompted properly about the actions that they are attempting.
Objectives
Modify the default UAC prompting behavior.
Lab Setup
For this lab, you will use the available virtual machine environment. The required virtual machines should be running from the preceding lab.
Enable the User Account Control: Only elevate executables that are signed and validated value.
Results: After this exercise, you should have reconfigured UAC notification behavior and prompts.
Users should export their certificates and private keys to removable media, and then store the media securely when it is not in use. For the greatest possible security, the private key must be removed from the computer whenever the computer is not in use. This protects against attackers who physically obtain the computer and try to access the private key. When you must access the encrypted files, you can import the private key easily from the removable media.
Encrypt the My Documents folder for all users (User_profile\My Documents). This makes sure that the personal folder, where most documents are stored, is encrypted by default.
Users should encrypt folders rather than individual files. Programs work on files in various ways. Encrypting files consistently at the folder level ensures that files are not decrypted unexpectedly.
The private keys that are associated with recovery certificates are extremely sensitive. You must generate these keys either on a computer that is physically secured, or you must export their certificates to a .pfx file, protect them with a strong password, and save them on a disk that is stored in a physically secure location.
You must assign recovery agent certificates to special recovery agent accounts that you do not use for any other purpose.
Do not destroy recovery certificates or private keys when recovery agents are changed (agents are changed periodically). Keep them all, until all files that may have been encrypted with them are updated.
Designate two or more recovery agent accounts per OU, depending on the size of the OU. Designate two or more computers for recovery, one for each designated recovery agent account. Grant permissions to appropriate administrators to use the recovery agent accounts. It is a good idea to have two recovery agent accounts to provide redundancy for file recovery. Having two computers that hold these keys provides more redundancy to allow recovery of lost data.
Implement a recovery agent archive program to ensure that you can recover encrypted files by using obsolete recovery keys. Recovery certificates and private keys must be exported and stored in a controlled and secure manner. Ideally, as with all secure data, archives must be stored in a controlled access vault, and you must have two archives: a master and a backup. The master is kept on site, while the backup is located in a secure, off-site location.
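The export-and-verify step that the best practices above call for, as an added example (not course code). It locates the current user's EFS certificates by their Encrypting File System EKU (OID 1.3.6.1.4.1.311.10.3.4, the standard value), exports each with its private key to a password-protected .pfx, and then re-opens the files to confirm the backup is usable before the media goes into the vault. The destination path is an assumption.

```powershell
# Added example, not from the course. Requires the PKI module cmdlets that ship
# with Windows 8 / Windows Server 2012 (Export-PfxCertificate).
$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System

function Get-EfsCertificate {
    # Certificates in the user's store that carry the EFS EKU and still have
    # their private key; only these can decrypt the user's files.
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object {
            $_.HasPrivateKey -and
            (($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) -contains $EfsEkuOid)
        }
}

function Export-EfsKeyBackup {
    param(
        [Parameter(Mandatory)][string]$Destination,                     # e.g. E:\efs-backup on removable media
        [Parameter(Mandatory)][System.Security.SecureString]$Password
    )
    New-Item -Path $Destination -ItemType Directory -Force | Out-Null
    $exported = foreach ($cert in Get-EfsCertificate) {
        $pfx = Join-Path $Destination ("efs-" + $cert.Thumbprint + ".pfx")
        # The .pfx holds certificate and private key; the password is what protects
        # the key at rest on the media, so it must be a strong one.
        Export-PfxCertificate -Cert $cert -FilePath $pfx -Password $Password | Out-Null
        [pscustomobject]@{ Thumbprint = $cert.Thumbprint; Path = $pfx; NotAfter = $cert.NotAfter }
    }
    return $exported
}

function Test-EfsKeyBackup {
    # Re-open each .pfx with the password and confirm that it holds the private
    # key for the same certificate. A backup that has not been tested is not a backup.
    param([object[]]$Backup, [System.Security.SecureString]$Password)
    $bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    foreach ($b in $Backup) {
        $x = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($b.Path, $plain)
        if (-not $x.HasPrivateKey -or $x.Thumbprint -ne $b.Thumbprint) { return $false }
    }
    return $true
}

# Usage:
# $pw     = Read-Host -AsSecureString 'PFX password'
# $backup = Export-EfsKeyBackup -Destination 'E:\efs-backup' -Password $pw
# Test-EfsKeyBackup -Backup $backup -Password $pw   # True when every .pfx round-trips
```

The same procedure applies to a recovery agent's certificate when run under the recovery agent account; keep every exported .pfx, including those for retired agents, for as long as files encrypted with them may still exist.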
Avoid using print spool files in your print server architecture, or make sure that print spool files are generated in an encrypted folder.
The Encrypting File System incurs some CPU overhead every time a user encrypts or decrypts a file. Plan your server usage wisely. Load balance your servers when there are many clients that are using EFS.
UAC Security Settings are configurable in the local Security Policy Manager (secpol.msc) or the Local Group Policy Editor (gpedit.msc). However, in most corporate environments, Group Policy is preferred because it can be centrally managed and controlled. There are nine GPO settings that you can configure for UAC. Because the user experience can be configured with Group Policy, there can be different user experiences, depending on policy settings. The configuration choices made in your environment affect the prompts and dialog boxes that standard users, administrators, or both, can view.
For example, you may require administrative permissions to change the UAC setting to Always notify me or Always notify me and wait for my response. With this type of configuration, a yellow notification appears at the bottom of the User Account Control Settings page, indicating the requirement.
A removable USB memory device, such as a USB flash drive. If your computer does not have TPM 1.2 or newer, BitLocker stores its key on the memory device.
The most secure implementation of BitLocker leverages the enhanced security capabilities of TPM 1.2. On computers that do not have a TPM 1.2, you can still use BitLocker to encrypt the Windows operating system volume. However, this implementation will require the user to insert a USB startup key to start the computer or resume from hibernation, and does not provide the pre-startup system integrity verification that BitLocker offers when it works with a TPM.
Module 9
Configuring Applications
Contents:
Module Overview 9-1
Lesson 1: Install and Configure Applications 9-2
Lesson 2: Managing Apps from the Windows Store 9-11
Lesson 3: Configuring Internet Explorer Settings 9-15
Lab A: Configuring Internet Explorer Security 9-21
Lesson 4: Configuring Application Restrictions in the Enterprise 9-23
Lab B: Configuring AppLocker (Optional) 9-30
Module Review and Takeaways 9-32
Module Overview
Computer users require applications for every task they perform, such as editing documents, querying databases, and generating reports. Supporting the installation and operation of applications is a critical part of desktop support.
Objectives
After completing this module, you will be able to:
Install and configure applications.
Install and manage applications from the Windows Store.
Configure and secure Windows Internet Explorer.
Configure application restrictions.
Lesson 1
After installing Windows 8, it is necessary to install applications that support the business needs of your users. Modern applications may install seamlessly on Windows 8, but older applications may experience installation or runtime problems. It is important that you know how to install applications on Windows 8, and how to troubleshoot application compatibility issues.
The installation process for the desktop app begins, and the application is installed. If you are logged on as a standard user, Windows 8 will prompt you to elevate your privileges through User Account Control (UAC) to install the application.
Note: Applications installed across the network can be installed automatically without user intervention, depending upon the configuration of the application package.
After you install the desktop application, when you return to the Start screen, the location of the installed application is not obvious immediately. For users familiar with Windows 7 and the Start menu, the initial Start screen can be confusing. But this is only because a limited degree of customization is necessary to optimize the Start screen. To optimize the Start screen for a user's needs, right-click the Start screen, and then click All apps.
In the All apps list, you can see the Windows Store apps listed, together with the desktop app that you just installed. These appear to the right of the display. Right-click each application that you would like to customize, and then select the appropriate action. For example, if you would like Microsoft Outlook 2010 to appear on the Start screen, right-click Microsoft Outlook 2010, and then click Pin to Start. When you return to the Start screen, you will see Microsoft Outlook 2010 listed on the Start screen. You can customize all tiles on the Start screen in the same way. Once an app appears on the Start screen, you also can drag it to where you want it to appear.
Note: Administrators can also use GPOs to configure Start screen-related settings.
Windows Installer is the service in Windows 8 that performs application installations. You can use the Windows Installer to install applications. If the application is packaged as an .msi file, and is accessible from the target computer, you can run msiexec.exe from an elevated command prompt to install a desktop app. For example, to install an application from a shared folder, run the following sample command from an elevated command prompt:
Msiexec.exe /i \\lon-dc1\apps\app1.msi
Administrators can also use Windows Installer to update and repair installed desktop apps.
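An added example (not course code) that wraps the msiexec command above the way a desktop support engineer would script it: it checks the package's Authenticode signature before installing, runs the install unattended with a verbose log, and translates the Windows Installer exit code. The package path is the lesson's sample; the log folder is an assumption.

```powershell
# Added example, not from the course. Run from an elevated PowerShell prompt.
function Install-MsiPackage {
    param(
        [Parameter(Mandatory)][string]$PackagePath,
        [string]$LogDirectory = "$env:ProgramData\MsiLogs",   # assumed location
        [switch]$AllowUnsigned        # off by default: unsigned or tampered packages are refused
    )
    if (-not (Test-Path -Path $PackagePath)) { throw "Package not found: $PackagePath" }

    # Get-AuthenticodeSignature works on .msi files. 'Valid' means the package is
    # signed by a chain this computer trusts and has not changed since signing;
    # 'NotSigned' or 'HashMismatch' are the cases worth stopping on.
    $sig = Get-AuthenticodeSignature -FilePath $PackagePath
    if ($sig.Status -ne 'Valid' -and -not $AllowUnsigned) {
        throw "Refusing to install: signature status is '$($sig.Status)' for $PackagePath"
    }

    New-Item -Path $LogDirectory -ItemType Directory -Force | Out-Null
    $log = Join-Path $LogDirectory ((Split-Path $PackagePath -Leaf) + '.log')

    # /qn = no UI, /norestart = never reboot on its own, /l*v = verbose log
    # (the first thing to read when a deployment fails).
    $msiArgs = @('/i', "`"$PackagePath`"", '/qn', '/norestart', "/l*v `"$log`"")
    $proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru

    # Documented Windows Installer exit codes.
    $meaning = switch ($proc.ExitCode) {
        0    { 'Success' }
        1641 { 'Success, installer initiated a restart' }
        3010 { 'Success, restart required' }
        1603 { 'Fatal error during installation (see log)' }
        1619 { 'Package could not be opened' }
        1625 { 'Installation forbidden by system policy' }
        default { "Failed with exit code $($proc.ExitCode) (see log)" }
    }
    [pscustomobject]@{
        Package   = $PackagePath
        Publisher = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        ExitCode  = $proc.ExitCode
        Result    = $meaning
        Succeeded = ($proc.ExitCode -in 0, 1641, 3010)
        Log       = $log
    }
}

# Usage (elevated prompt on the target computer):
# Install-MsiPackage -PackagePath '\\lon-dc1\apps\app1.msi'
```

Exit code 1625 is the one to expect once the AppLocker or Software Restriction Policies covered later in this module block a package, so the log and the code together tell you whether a failure is a packaging problem or a policy decision.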
You then can select an app from the Programs list, and configure for which file types it will be the default program. You can choose one of the following two settings:
Set this program as default. In this setting, the selected program is configured to open all file types and protocols that it can open by default.
Choose defaults for this program. By selecting this option, you can choose specifically which file types and protocols you want to associate with the selected app.
AutoPlay settings determine what Windows will do when the user mounts a CD or DVD, or attaches a removable drive. You can be very specific. For example, if the drive that your user attaches contains video files, you can configure different default actions: Play (Windows Media Player), Take no action, Open folder to view files (Windows Explorer), and Ask me every time. The available actions vary based on the type of device and its contents.
You use this option to determine which program is used for certain user activities. For example, if you want to use a browser other than Internet Explorer for web browsing, you can select the Custom option, and then select which of your installed browser programs you want to use. You can configure defaults for the following functions:
Web browsing
Email access
Media playing
Instant messaging
Virtual machine for Java
Note: You can configure Default Program behavior by selecting Control Panel > Programs > Default Programs.
UAC adds security to Windows by limiting administrator-level access to the computer, and by restricting most users to run as standard users. When users attempt to launch an application that requires administrator permissions, the system prompts them to confirm their intention to do so. UAC also limits the context in which a process executes, which minimizes the ability of users to expose their computer inadvertently to viruses or other malware. This change affects any application installer or update that requires Administrator permissions to run, performs unnecessary Administrator checks or actions, or attempts to write to a nonvirtualized registry location. UAC may result in the following compatibility issues:
Custom installers, uninstallers, and updaters may not be detected and elevated to run as administrator.
Standard user applications that require administrative privileges to perform their tasks may fail or not make this task available to standard users.
Applications that attempt to perform tasks for which the current user does not have the necessary permissions may fail. How the failure manifests itself is dependent upon how the application was written.
Control-panel applications that perform administrative tasks and make global changes may not function properly and may fail.
Dynamic link library (DLL) applications that run using RunDLL32.exe may not function properly if they perform global operations.
Standard user applications writing to global locations will be redirected to per-user locations through virtualization.
Windows Resource Protection (WRP) is designed to protect Windows resources, such as files, folders, and registry keys, in a read-only state. This affects specific files, folders, and registry keys. Updates to protected resources are restricted to the operating system's trusted installers, such as Windows Servicing. This provides more protection for the components and applications that ship with the operating system from the impact of other applications and administrators. WRP may result in the following compatibility issues:
Application installers that attempt to replace, modify, or delete operating system files and/or registry keys that are protected by WRP may fail with an error message that indicates that the resource cannot be updated. This is because access to these resources is denied.
Applications that attempt to write new registry keys or values to protected registry keys may fail with an error message that indicates that the change failed because access was denied.
Applications that attempt to write to protected resources may fail if they rely on registry keys or values.
Internet Explorer Protected Mode helps to defend against elevation-of-privilege attacks by restricting the ability to write to any local computer zone resources other than temporary Internet files. This change affects any website or web application that attempts to modify user files or registry keys, or that attempts to open a new window in another domain. Internet Explorer Protected Mode reduces the ability of an attacker to write, alter, or destroy data on the user's machine or to install malicious code. It can help protect a user from malicious code installing itself without authorization.
Internet Explorer Protected Mode may result in the following compatibility issues: Applications that use Internet Explorer cannot write directly to the disk while in the Internet or intranet zone. Protected Mode builds on the new integrity mechanism to restrict write access to securable objects, such as processes, files, and registry keys with higher integrity levels.
When run in Protected Mode, Internet Explorer is a low-integrity process. It cannot gain write access to files and registry keys in a user's profile or system locations. Low-integrity processes can only write to folders, files, and registry keys that have been assigned a low-integrity mandatory label. As a result, Internet Explorer and its extensions run in Protected Mode, which can only write to low-integrity locations, such as the new low-integrity Temporary Internet Files folder, the History folder, the Cookies folder, the Favorites folder, and the Windows Temporary Files folders.
Applications may not know how to handle new prompts. The Protected Mode process runs with a low desktop-integrity level, which prevents it from sending specific window messages to higher integrity processes. Additionally, Internet Explorer enables Data Execution Prevention (DEP) (NX) by default. Plug-ins that have issues with DEP may cause Internet Explorer to crash.
64-Bit Architecture
Windows 8 fully supports the 64-bit architecture, and the 64-bit version of Windows 8 can run all 32-bit applications with the help of the WOW64 emulator. You should be aware of the following considerations for 64-bit Windows 8:
Applications or components that use 16-bit executables, 16-bit installers, or 32-bit kernel drivers will either fail to start or will function improperly on a 64-bit edition of Windows 8.
Installation of 32-bit kernel drivers will fail on the 64-bit system. If an installer manually adds a driver by editing the registry, the system will not load this driver, and this action can cause the system to fail.
Installation of 64-bit unsigned drivers will fail on the 64-bit system. If an installer adds a driver manually by editing the registry, the system will not load the driver during load time if it is unsigned.
Windows Filtering Platform (WFP) is an application program interface (API) that enables developers to create code that interacts with the filtering that occurs at several layers in the networking stack and throughout the operating system. If you are using a previous version of this API in your environment, you may experience failures when running security-class applications, such as network scanning, antivirus programs, or firewall applications.
Kernel-Mode Drivers
Kernel-mode drivers must support the Windows 8 operating system or be redesigned to follow the User-Mode Driver Framework (UMDF). UMDF is a device driver development platform that was introduced in Windows Vista. Additionally, kernel-mode printer driver support has been removed from Windows 8. Note: For 64-bit versions of Windows 8, all drivers must be digitally signed by the vendor to be installed.
Test your web applications and websites for compatibility with new releases and security updates to Internet Explorer.
Mitigation Methods
Some of the more common mitigation methods include the following:
Modifying the configuration of the existing application. There can be compatibility issues that require a modification to the application configuration, such as moving files to different folders, modifying registry entries, or changing file or folder permissions. Using tools such as the Compatibility Administrator or the Standard User Analyzer (installed with ACT), you can detect and create application fixes, also called shims, to address the compatibility issues. Contact the software vendor for information about any additional compatibility solutions.
Applying updates or service packs to the application. Updates or service packs may be available to address many of the compatibility issues and help the application to run in the new operating system environment. After applying the update or service pack, additional application tests can ensure that the compatibility issue has been mitigated.
Upgrading the application to a compatible version. If a newer, compatible version of the application exists, the best long-term mitigation is to upgrade to the newer version. Using this approach, you must consider both the cost of the upgrade and any potential problems that may arise with having two different versions of the application.
Modifying the security configuration. If your compatibility issues appear to be permissions-related, a short-term solution is to modify the application's security configuration. Using this approach, you must be sure to conduct a full risk analysis and gain consensus from your organization's security team regarding the modifications. For example, you can mitigate Internet Explorer Protected Mode by adding the site to the trusted site list or by turning off Protected Mode (which we do not recommend).
Running the application in a virtualized environment. If all other methods are unavailable, you may be able to run the application in an earlier version of Windows by using virtualization tools, such as Hyper-V.
Note: You can install the Hyper-V feature in Windows 8 if your computer supports the required virtualization features and these features are enabled in your computer's BIOS. For further information on running legacy applications in Hyper-V on Windows 8, see module 12 of this course.
There are several advantages of using a virtualized environment, such as the ability to support a large number of servers in a single host environment, and the ability to restore a virtualized configuration to a previous state. However, performance issues and the lack of support for hardware-specific drivers limit full production functionality for many organizations.
Using application compatibility features. You can mitigate application issues, such as operating system versioning, by running the application in compatibility mode. You can access this mode by right-clicking the shortcut or .exe file, and then applying one of the following modes from the Compatibility tab:
o Windows 95
o Windows 98 / Windows ME
o Windows XP (Service Pack 2)
o Windows XP (Service Pack 3)
o Windows Vista
o Windows Vista (Service Pack 1)
o Windows Vista (Service Pack 2)
o Windows 7
Additionally, you can run the application with reduced color mode, or with a 640 by 480 screen resolution. If you are uncertain which compatibility setting to use, you can run the compatibility troubleshooter to determine and resolve compatibility problems.
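The Compatibility tab stores its choices as a per-user registry value, which is what makes the setting scriptable for a fleet. The following PowerShell is an added example, not part of the course material: the registry path and the layer tokens (WINXPSP3, WIN7RTM, 640X480, 256COLOR and so on) are the ones the tab writes as far as I know, but treat them as assumptions to verify on a test machine; the function names and the C:\LegacyApps path are invented for illustration.

```powershell
# Added example (not from the course). Sets or reads the compatibility layer that the
# Compatibility tab records for an .exe. Path and token names are assumptions to verify.
$LayersKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'

# Compatibility tab choice -> token stored in the registry value (assumed mapping).
$ModeTokens = @{
    'Windows 95'                     = 'WIN95'
    'Windows 98 / Windows Me'        = 'WIN98'
    'Windows XP (Service Pack 2)'    = 'WINXPSP2'
    'Windows XP (Service Pack 3)'    = 'WINXPSP3'
    'Windows Vista'                  = 'VISTARTM'
    'Windows Vista (Service Pack 1)' = 'VISTASP1'
    'Windows Vista (Service Pack 2)' = 'VISTASP2'
    'Windows 7'                      = 'WIN7RTM'
}

function Set-CompatibilityLayer {
    param(
        [Parameter(Mandatory)][string]$ExePath,
        [Parameter(Mandatory)][ValidateScript({ $ModeTokens.ContainsKey($_) })][string]$Mode,
        [switch]$ReducedColor,    # the "Reduced color mode" check box
        [switch]$LowResolution    # the "Run in 640 x 480 screen resolution" check box
    )
    if (-not (Test-Path $LayersKey)) { New-Item -Path $LayersKey -Force | Out-Null }
    # The value is a space-separated token list. The leading '~' marks it as written by the
    # Compatibility tab rather than by a shim database.
    $tokens = @('~', $ModeTokens[$Mode])
    if ($ReducedColor)  { $tokens += '256COLOR' }
    if ($LowResolution) { $tokens += '640X480' }
    Set-ItemProperty -Path $LayersKey -Name $ExePath -Value ($tokens -join ' ') -Type String
}

function Get-CompatibilityLayer {
    param([Parameter(Mandatory)][string]$ExePath)
    # Returns the stored token list, or $null when no layer is configured for this .exe.
    $props = Get-ItemProperty -Path $LayersKey -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties[$ExePath]) { $props.$ExePath } else { $null }
}

# Usage with an assumed path:
Set-CompatibilityLayer -ExePath 'C:\LegacyApps\Inventory.exe' -Mode 'Windows XP (Service Pack 3)' -LowResolution
Get-CompatibilityLayer -ExePath 'C:\LegacyApps\Inventory.exe'
```

Because the key lives under HKCU, a standard user can set it for their own profile; the machine-wide equivalent under HKLM needs administrative rights. A compatibility layer only changes how the application perceives the operating system, so it is not a privilege change, but the RUNASADMIN token that the "Run this program as an administrator" check box adds does cause a UAC elevation prompt on every launch, so review any layer values you did not set yourself.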
Selecting another application that performs the same business function. If another compatible application is available, consider switching to the compatible application. When using this approach, you must consider both the cost of the application and the cost of employee support and training.
Apply a program shim. A shim is a software program that you add to an existing application or other program to provide enhancement or stability. In the application compatibility context, shim refers to a compatibility fix, which is a small piece of code that intercepts API calls from applications and transforms them so that Windows 8 provides the application with the same behavior that earlier Windows versions did. This can mean anything from disabling a new feature in Windows 8 to emulating a particular behavior of an earlier version of the Win32 API set. You can use the Compatibility Administrator tool, installed with the Application Compatibility Toolkit (ACT), to create a new compatibility fix.
Small business (P). Designed for organizations with no more than 50 users. Provides the foundation Office 365 services: email, calendar, website services, and the ability to create and edit Word, PowerPoint, Excel, and OneNote files online.

Midsize businesses and enterprises (E). Designed for any size organization that requires the more advanced features of Office 365, such as:
- Advanced IT configuration and control
- Office Professional Plus
- Active Directory Domain Services (AD DS)
- Advanced archiving
- Dedicated administrator support

Note: The midsize business and enterprises plan is available in four different subscription models, each with different specific features and attracting a different monthly fee.

Office 365 consists of the following online services:
Microsoft Office Professional Plus. Provides users with access to the latest versions of all the Office desktop applications. Combined with Office Web Apps, users can access their content from almost anywhere.

Microsoft Exchange Online. Provides email, calendar, and contacts. Users can connect with a variety of mobile devices, or use either Microsoft Office Outlook 2007 or Office Outlook 2010. Exchange Online also helps provide a clean message stream through the use of cloud-based anti-spam and antivirus software.

Microsoft SharePoint Online. Microsoft SharePoint Server technology is provided as an online service and enables users to share documents and information with colleagues and customers.

Microsoft Lync Online. Enables your users to connect to their contacts with instant messaging (IM), video calls, and online meetings.

Microsoft Office Web Apps. Enables users to view, share, and edit their Microsoft Office documents on the web. Users can use a wide variety of computing devices to access their content.
Note: In addition, organizations can implement Exchange Online Kiosk, Exchange Online Archiving (EOA) for Exchange Server, and Microsoft Dynamics CRM Online Professional within Office 365.
Lesson 2
Windows 8 supports a new type of application known as Metro style apps. These Metro style apps are small, light, and easily accessible. It is important that you know how to manage user access to the Windows Store, which will enable you to control the installation and use of these apps.

Metro Apps

The Windows Store is designed to enable users to access and install Metro apps. These are not like desktop applications, such as Microsoft Office 2010. Rather, they are full-screen, immersive applications that can run on a number of device types, including x86, x64, and ARM platforms.

These apps can communicate with one another, and with Windows 8, so that it is easier to search for and share information, such as photographs. When an app is installed, users can see Live tiles on the Start screen that constantly update with live information from the installed apps.
Locating Apps

When users connect to the Windows Store, the landing page (the initial page users see when accessing the Windows Store) is designed to make apps easy to locate. Apps are divided into Store categories, such as Games, Entertainment, Music & Videos, and others.

Users can also use the Windows 8 Search charm to search the Windows Store for specific apps. For example, if a user is interested in an app that provides video-editing capabilities, they can bring up the Search charm, type in their search text string, and then click Store. The Windows Store returns suitable apps from which the user can make a selection.
Installing Apps
Installing apps is easy for users. A single tap on the appropriate app in the listing should be sufficient to install the app. The app installs in the background, so that the user can continue browsing the Windows Store. After the app is installed, a tile for the app appears on the user's Start screen.
Updating Apps

Windows 8 checks the Windows Store for updates to installed apps on a daily basis. When an update for an installed app is available, Windows updates the Store tile in the Start screen to display an indication that updates are available. When the user selects the Store tile and connects to the Windows Store, the user can choose to update one, several, or all of their installed apps for which updates are available.

Many users have multiple devices, such as both desktop and laptop computers. Windows Store allows five installs of a single app to enable users to run the app on all of their devices. If a user attempts to install an app on a sixth device, they are prompted to remove the app from another device.

When the Windows Store is disabled, users will see a message when they attempt to access the Store tile on the Start screen. The message advises them that Windows Store isn't available on this PC.

Note: You can use domain-based GPO to disable the Windows Store for target computers, specific users, or groups of users.

In addition to disabling the Windows Store on a computer, you also can use AppLocker to control which applications can be installed.
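The GPO setting that disables the Store is ultimately a registry value, so you can audit or enforce it from PowerShell, and pair it with an inventory of what is already installed. The following is an added example, not course material: the HKLM/HKCU WindowsStore policy path and the RemoveWindowsStore value name are what the "Turn off the Store application" policy writes to the best of my knowledge, but confirm them against your ADMX files; the function names are my own.

```powershell
# Added example (not from the course). Reports and sets the policy value behind
# "Turn off the Store application", then inventories installed Store/Metro apps.
# Registry path and value name are assumptions taken from the policy's ADMX definition.
$StorePolicyPaths = @{
    Computer = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore'   # Computer Configuration
    User     = 'HKCU:\Software\Policies\Microsoft\WindowsStore'   # User Configuration (current user)
}

function Get-StorePolicyState {
    # One row per scope: Blocked, Allowed, or NotConfigured (value absent).
    foreach ($scope in $StorePolicyPaths.Keys) {
        $value = (Get-ItemProperty -Path $StorePolicyPaths[$scope] -Name RemoveWindowsStore `
                    -ErrorAction SilentlyContinue).RemoveWindowsStore
        [pscustomobject]@{
            Scope       = $scope
            StoreAccess = switch ($value) { 1 { 'Blocked' } 0 { 'Allowed' } default { 'NotConfigured' } }
        }
    }
}

function Set-StoreBlocked {
    param(
        [ValidateSet('Computer', 'User')][string]$Scope = 'Computer',
        [bool]$Blocked = $true
    )
    # Writing under HKLM requires an elevated prompt; a domain GPO is the preferred delivery
    # mechanism, this function is for a lab or a machine outside the domain.
    $path = $StorePolicyPaths[$Scope]
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name RemoveWindowsStore -Value ([int]$Blocked) -Type DWord
}

function Get-InstalledAppInventory {
    # Blocking the Store does not remove apps already installed. -AllUsers needs elevation and
    # shows packages for every profile on the machine, grouped by publisher so that anything not
    # from Microsoft or your own line-of-business certificate stands out for review.
    Import-Module Appx
    Get-AppxPackage -AllUsers |
        Sort-Object Publisher, Name |
        Select-Object Name, Version, Architecture, Publisher
}

Get-StorePolicyState | Format-Table -AutoSize
Get-InstalledAppInventory | Group-Object Publisher | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Run Get-StorePolicyState before and after a Group Policy refresh (gpupdate /force) to confirm the domain setting actually landed on the client; a user-scope setting only shows up when you run it as that user. Note that this policy hides the Store tile and blocks new installations, but an app already on the machine keeps running, which is why the inventory step, and an AppLocker packaged-app rule collection for anything you want to stop, belong alongside it.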
Managing Updates

IT administrators have limited control over updates for installed apps. It is not possible for you to configure automatic updates for apps. The user must initiate all app updates manually.

Note: You can use GPO to download updates automatically, but the user must still initiate the installation process. You also cannot control which updates are available.
Enabling Sideloading
To enable sideloading, you must configure the appropriate GPO settings:
1. Open the Group Policy editor (gpedit.msc).
2. Under Local Computer Policy in the left pane, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click App Package Deployment.
3. In the results pane, double-click Allow all trusted apps to install.
4. In the Allow all trusted apps to install dialog box, click Enabled, and then click OK.
Installing LOB Apps

After you configure GPOs, you can install your apps. Apps are packaged in .appx files. To install a single app for a user, perform the following tasks:
1. At the Windows PowerShell command prompt, type import-module appx, and then press Enter.
2. To install the package, at the Windows PowerShell command prompt, type add-appxpackage C:\app1.appx, and then press Enter.

To add a package to a Windows image using dism.exe, perform the following task: Open an elevated command prompt, type DISM /Online /Add-ProvisionedAppxPackage /PackagePath:C:\App1.appx /SkipLicense, and then press Enter.
Alternatively, use Windows PowerShell: At the Windows PowerShell command prompt, type Add-AppxProvisionedPackage -Online -FolderPath C:\Appx, and then press Enter.

Note: Your LOB apps must be digitally signed and can be installed only on computers that trust the certification authority (CA) that issued the app's signing certificate. The Publisher in the package manifest must also match the subject of that certificate exactly.
If you must remove a provisioned app and prevent its installation for new users, run either of the following commands:
- At the Windows PowerShell command prompt, type Remove-AppxProvisionedPackage -Online -PackageName MyAppxPkg, and then press Enter.
- Or, open an elevated command prompt, type DISM.exe /Online /Remove-ProvisionedAppxPackage /PackageName:microsoft.app1_1.0.0.0_neutral_en-us_ac4zc6fex2zjp, and then press Enter.
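The sideloading steps above (enable the policy, trust the signing CA, Add-AppxPackage or provision, remove) fit naturally into one script that refuses to install anything whose signature does not check out or whose signer is not the publisher you expect. The following PowerShell is an added example, not part of the course: the Appx policy path and AllowAllTrustedApps value are what the "Allow all trusted apps to install" GPO writes to the best of my knowledge (verify against your ADMX), I am assuming Get-AuthenticodeSignature reads .appx signatures on your build, and the package paths, the expected publisher string and the function names are invented for illustration.

```powershell
# Added example (not from the course). Wraps the sideloading workflow with two explicit
# checks before anything is installed. Policy path/value name, the .appx signature check
# via Get-AuthenticodeSignature, and all paths/publisher strings are assumptions.
$SideloadKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'

function Test-SideloadingEnabled {
    # "Allow all trusted apps to install" = Enabled writes AllowAllTrustedApps = 1.
    $v = (Get-ItemProperty -Path $SideloadKey -Name AllowAllTrustedApps -ErrorAction SilentlyContinue).AllowAllTrustedApps
    return ($v -eq 1)
}

function Install-LobPackage {
    param(
        [Parameter(Mandatory)][string]$PackagePath,
        [Parameter(Mandatory)][string]$ExpectedPublisher,   # e.g. 'CN=Adatum LOB Signing' (assumed)
        [switch]$Provision                                   # stage for all new users; needs elevation
    )
    if (-not (Test-SideloadingEnabled)) {
        throw 'Sideloading is not enabled by policy (AllowAllTrustedApps is not 1); Add-AppxPackage will reject non-Store packages.'
    }

    # Add-AppxPackage verifies the signature itself, but checking here first gives a precise
    # failure reason and lets us pin the *publisher*, not merely "some CA this machine trusts".
    $sig = Get-AuthenticodeSignature -FilePath $PackagePath
    if ($sig.Status -ne 'Valid') {
        throw "Signature check failed for $PackagePath ($($sig.Status)). Is the signing CA in this computer's Trusted Root or Trusted People store?"
    }
    if ($sig.SignerCertificate.Subject -ne $ExpectedPublisher) {
        throw "Unexpected signer '$($sig.SignerCertificate.Subject)'; expected '$ExpectedPublisher'. Not installing."
    }

    if ($Provision) {
        Import-Module Dism
        # Provisioned packages install for every new user profile on the machine.
        Add-AppxProvisionedPackage -Online -PackagePath $PackagePath -SkipLicense | Out-Null
    } else {
        Import-Module Appx
        # Per-user install, the equivalent of add-appxpackage C:\app1.appx above.
        Add-AppxPackage -Path $PackagePath
    }
    Write-Verbose "Installed $PackagePath signed by $($sig.SignerCertificate.Subject)"
}

function Remove-ProvisionedLobPackage {
    param([Parameter(Mandatory)][string]$NameStartsWith)
    Import-Module Dism
    # Look the full PackageName up rather than typing the version/arch/hash suffix by hand.
    Get-AppxProvisionedPackage -Online |
        Where-Object { $_.DisplayName -like "$NameStartsWith*" } |
        ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName }
}

# Usage with assumed paths and publisher (run from an elevated PowerShell prompt):
# Install-LobPackage -PackagePath 'C:\Apps\App1.appx' -ExpectedPublisher 'CN=Adatum LOB Signing' -Provision -Verbose
# Remove-ProvisionedLobPackage -NameStartsWith 'Adatum.'
```

Pinning ExpectedPublisher matters because enabling sideloading trusts every CA in the machine's store, not just your own; comparing the signer subject narrows that to the certificate your build pipeline actually uses. Removing a provisioned package stops it being installed for new users but does not uninstall it from profiles that already have it; use Get-AppxPackage -AllUsers and Remove-AppxPackage for those.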
Lesson 3

A browser is like any other application. You can either manage and secure it well, or manage it poorly. If a browser is managed poorly, you and your organization risk spending more time and money supporting users and dealing with security infiltrations, malware, and loss of productivity.

Users can browse more safely by using Internet Explorer 10, which in turn helps maintain customer trust in the Internet and helps protect the IT environment from the evolving threats that the web presents. Internet Explorer 10 specifically helps users maintain their privacy with features such as InPrivate Browsing and InPrivate Filtering. The SmartScreen Filter provides protection against social engineering attacks by identifying malicious websites that try to trick people into providing personal information or installing malicious software, blocking the download of malicious software, and providing enhanced antimalware support. Internet Explorer 10 helps prevent the browser from becoming an attack agent, and it provides more granular control over installation of ActiveX controls with per-site and per-user ActiveX features. The Cross-Site Scripting Filter protects against attacks that target websites.
Internet Explorer 10 provides a Compatibility View that uses an earlier Internet Explorer engine to display web pages. This helps improve compatibility with applications written for earlier Internet Explorer versions.

Note: By default, Compatibility View displays local intranet sites.

Internet Explorer 10 has a Compatibility View that helps display a web page as it is meant to be viewed. This view provides a straightforward way to fix display problems such as out-of-place menus, images, and text. The main features in Compatibility View are:
- Internet websites display in Internet Explorer 10 Standards Mode by default. Use the Compatibility View button to fix sites that render differently than expected.
- Internet Explorer 10 remembers sites that have been set to Compatibility View so that the button only needs to be pressed once for a site. After that, the site is always rendered in Compatibility View unless it is removed from the list.
- Intranet websites display in Compatibility Mode by default. This means that internal websites created for earlier Internet Explorer versions will work.
- You can use Group Policy to set a list of websites to be rendered in Compatibility View.

Switching in and out of Compatibility View occurs without requiring that the user restart the browser.

The Compatibility View button only displays if it is not clearly stated how the website is to be rendered. In other cases, such as viewing intranet sites or viewing sites with a <META> tag or HTTP header indicating Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 Standards, the button is hidden. When Compatibility View is activated, the page refreshes; how quickly depends on the computer's speed. A balloon tip indicates that the site is now running in Compatibility View.

An entry on the Tools menu enables you to customize Compatibility View to meet enterprise requirements. For example, you can configure it so that all intranet sites display in Compatibility View (the default), or you can configure it so that all websites are viewed in Compatibility View.

InPrivate Browsing helps protect data and privacy by preventing browsing history, temporary Internet files, form data, cookies, usernames, and passwords from being stored or retained locally by the browser. This leaves virtually no evidence of browsing or search history, as the browsing session does not store session data.
From the enterprise and IT professional perspective, InPrivate Browsing is inherently more secure than using Delete Browsing History to maintain privacy, because there are no logs kept or tracks made during browsing. InPrivate Browsing is a proactive feature because it enables you to control what is tracked in a browsing session. Some users may use InPrivate Browsing in an attempt to conceal their tracks when browsing to prohibited or non-work websites. However, you have full manageability control, and you can use Group Policy to configure how InPrivate Browsing is used in your organization.
Tracking Protection
Most websites today contain content from several different sites. The combination of these sites is sometimes referred to as a mashup. People begin to expect this type of integration, from something like an embedded map from a mapping site, to greater integration of ads or multimedia elements. Organizations try to offer more of these experiences because it draws potential customers to their site. This capability is making the web more robust, but it also provides an opportunity for malicious users to create and exploit vulnerabilities. Every piece of content that a browser requests from a website discloses information to that site, sometimes even if the user has blocked all cookies. Often, users are not fully aware that their web browsing activities are tracked by websites other than those they have consciously chosen to visit.
Tracking Protection monitors the frequency of all third-party content as it appears across all websites that the user visits. An alert or frequency level is configurable and is initially set to ten. Third-party content that appears with high incidence is blocked when the frequency level is reached. Tracking Protection does not discriminate between different types of third-party content. It blocks content only when it appears more than the predetermined frequency level.

Note: Tracking Protection Lists provide information to the browser to enable it to implement tracking protection. There are tracking lists available worldwide from different groups. For example, the EasyList project is an open community effort that helps to filter unwanted content, and it is available as a Tracking Protection List. They have had over 250,000 subscriptions to their list. You can find other lists at www.iegallery.com.
Cookies and cookie protection are one aspect of online privacy. Some organizations write scripts to clean up cookies and browsing history at the end of a browsing session. This type of environment might be needed for sensitive data, regulatory or compliance reasons, or private data in the healthcare industry.
Delete Browsing History in Internet Explorer 10 enables users and organizations to selectively delete browsing history. For example, history can be removed for all websites except those in the users Favorites. You can switch this feature on and off in the Delete Browsing History dialog box, and it is called Preserve Favorites website data. You can configure Delete Browsing History options through Group Policy. You can also configure which sites are automatically included in favorites. This allows you to create policies that ensure security without impacting daily user interactions with his or her preferred and favorite websites. The Delete browsing history on exit check box in Internet Options allows you to delete the browsing history automatically when Internet Explorer 10 closes.
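Both the InPrivate Browsing control discussed above and the Delete Browsing History options are delivered through Group Policy, which means they end up as values under the Internet Explorer Privacy policy key and can be audited from a script. The following PowerShell is an added example, not course material: the policy path and the EnableInPrivateBrowsing and ClearBrowsingHistoryOnExit value names are my reading of how those GPO settings are stored and should be confirmed against the ADMX on your domain; the function names and the chosen baseline are assumptions.

```powershell
# Added example (not from the course). Reports drift from, and applies, a baseline for the
# IE privacy policy values behind "Turn off InPrivate Browsing" and "Allow deleting browsing
# history on exit". Path, value names and baseline values are assumptions to verify.
$IePrivacyPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Privacy'

# Desired state (assumed values):
#   EnableInPrivateBrowsing    0 = InPrivate Browsing turned off by policy
#   ClearBrowsingHistoryOnExit 1 = browsing history deleted whenever IE closes
$Baseline = @{
    EnableInPrivateBrowsing    = 0
    ClearBrowsingHistoryOnExit = 1
}

function Get-IePrivacyPolicyDrift {
    # One row per setting with the configured value, the desired value and a Compliant flag.
    $current = Get-ItemProperty -Path $IePrivacyPolicy -ErrorAction SilentlyContinue
    foreach ($name in $Baseline.Keys) {
        $value = if ($current) { $current.$name } else { $null }
        [pscustomobject]@{
            Setting   = $name
            Actual    = if ($null -eq $value) { 'NotConfigured' } else { $value }
            Desired   = $Baseline[$name]
            Compliant = ($value -eq $Baseline[$name])
        }
    }
}

function Set-IePrivacyPolicyBaseline {
    # Local equivalent of the GPO; on a domain member a domain GPO will overwrite this at refresh.
    if (-not (Test-Path $IePrivacyPolicy)) { New-Item -Path $IePrivacyPolicy -Force | Out-Null }
    foreach ($name in $Baseline.Keys) {
        Set-ItemProperty -Path $IePrivacyPolicy -Name $name -Value $Baseline[$name] -Type DWord
    }
}

Get-IePrivacyPolicyDrift | Format-Table -AutoSize
```

Whether to turn InPrivate off is an organizational decision: it removes a user's ability to hide browsing from local inspection, but it also removes a legitimate privacy control, so the drift report is the useful part; apply the baseline only where your policy calls for it. Run the report after gpupdate /force to confirm the domain setting has reached the client.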
The SmartScreen Filter relies on a web service backed by a Microsoft-hosted URL reputation database. The SmartScreen Filter's reputation-based analysis works alongside other signature-based anti-malware technologies, such as Windows Defender, to provide comprehensive protection against malicious software.

With the SmartScreen Filter enabled, Internet Explorer 10 performs a detailed examination of the entire URL string and compares the string to a database of sites known to distribute malware, then the browser checks with the web service. If the website is known to be unsafe, it is blocked, and the user is notified with a bold SmartScreen blocking page that offers clear language and guidance to help avoid known unsafe websites.

ActiveX controls are relatively straightforward to create and deploy, and provide extra functionality beyond regular web pages. Organizations cannot control the inclusion of ActiveX controls or how they are written. Therefore, businesses need a browser that provides flexibility in dealing with ActiveX controls, so that they are usable, highly secure, and pose as small a threat as possible.
Per-User ActiveX
Internet Explorer 10 by default employs ActiveX Opt-In, which disables most controls on a user's machine. Per-user ActiveX makes it possible for standard users to install ActiveX controls in their own user profile, without requiring administrative privileges. This helps organizations realize the full benefit of UAC, giving standard users the ability to install ActiveX controls that are necessary in their daily browsing. In most situations, if a user happens to install a malicious ActiveX control, the overall system remains unaffected because the control is only installed under the user's account. Since installations are restricted to a user profile, the cost and risk of a compromise are lowered significantly. When a web page attempts to install a control, an Information Bar is displayed to the user. Users choose to install the control machine-wide or only for their user account. The options in the ActiveX menu vary depending on the user's rights (as managed by Group Policy settings) and whether the control has been packaged to allow per-user installation. You can disable this feature in Group Policy.
Per-Site ActiveX
When a user navigates to a website containing an ActiveX control, Internet Explorer 10 performs a number of checks, including a determination of where a control is permitted to run. If a control is installed but is not permitted to run on a specific site, an Information Bar appears asking the users permission to run on the current website or on all websites. Use Group Policy to preset allowed controls and their related domains.
Most sites have a combination of content from local site servers, and content obtained from other sites or partner organizations. XSS attacks exploit vulnerabilities in web applications, and enable an attacker to control the relationship between a user and a website or web application that they trust. Cross-site scripting can enable attacks such as:
- Cookie theft, including session cookies, which can lead to account hijacking.
- Monitoring keystrokes.
- Performing actions on the victim website on behalf of the victim user.
- Using a victim's website to subvert a legitimate website.
Internet Explorer 10 includes a filter that helps protect against XSS attacks. The XSS Filter has visibility into all requests and responses flowing through the browser. When the filter discovers likely XSS in a request, it identifies and neutralizes the attack if it is replayed in the servers response. The XSS filter helps protect users from website vulnerabilities. It does not ask difficult questions that users are unable to answer, nor does it harm functionality on the website.
Internet Explorer 7 introduced a Control Panel option to enable memory protection, Data Execution Prevention (DEP), also known as No-Execute (NX), to help mitigate online attacks. DEP/NX helps thwart attacks by preventing code from running in memory that is marked non-executable, such as a virus disguised as a picture or video. DEP/NX also makes it harder for attackers to exploit certain types of memory-related vulnerabilities, such as buffer overruns.
DEP/NX protection applies to both Internet Explorer and the add-ons it loads. No additional user interaction is required to activate this protection, and unlike Internet Explorer 7, this feature is enabled by default for Internet Explorer 10. Question: What is the XSS filter?
This demonstration shows how to configure security in Internet Explorer 10, including enabling the compatibility view, configuring browsing history, and InPrivate Browsing. The demonstration also shows the add-on management interface and how to use the Download Manager.
Download Manager lists the files you've downloaded from the Internet, shows where they're stored on the computer (C:\Users\_username_\Downloads by default), and makes it easy to pause downloads, open files, and take other actions.
Download a file
1. Navigate to http://LON-DC1 and select the Download current projects link.
2. View the current downloads.
3. Open a downloaded file.
4. Close Excel and other open windows.
Objectives
Configure security settings in Internet Explorer. Test the security settings.
Lab Setup
Estimated Time: 15 minutes
Virtual Machine(s): 20687A-LON-DC1, 20687A-LON-CL1
User Name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   - User name: Administrator
   - Password: Pa$$w0rd
   - Domain: Adatum
In this exercise, you will implement some of the security and compatibility features in Internet Explorer 10.
Delete History, but retain Preserve Favorites website data. Remove selections for all other options.
10. Configure the Local intranet security settings to High.
11. Open the Current Projects link on the Intranet home page. This fails to load a required add-on. Close the newly opened tab.
12. Add the local intranet to the trusted sites.
13. Open the Current Projects link on the Intranet home page. This is successful.
14. Close all open windows.
15. Log off of LON-CL1.
Results: After completing this exercise, you will have successfully configured Internet Explorers security and compatibility settings.
When you have finished the lab, leave the virtual machines running, as they are needed for the next lab.
Lesson 4

The ability to control which applications a user, or set of users, can run offers significant increases in the reliability and security of enterprise desktops. Overall, an application lockdown policy can lower the total cost of computer ownership in an enterprise. AppLocker controls application execution and simplifies the ability to author an enterprise application lockdown policy. AppLocker reduces administrative overhead and helps administrators control how users access and use files, such as .exe files, scripts, Windows Installer files (.msi and .msp files), and .dll files.
What Is AppLocker?

Today's organizations face a number of challenges in controlling which applications run on client computers, including:
- The packaged and custom applications that the user can access.
- Which users are allowed to install new software.
- Which versions of applications are allowed to run, and for which users.

Users who run unauthorized software can experience a higher incidence of malware infections and generate more help desk calls. However, it can be difficult for you to ensure that user desktops are running only approved, licensed software.

Windows Vista addressed this issue by supporting Software Restriction Policies, which administrators used to define the list of applications that users were allowed to run. AppLocker builds upon this security layer, providing you with the ability to control how users run all types of applications, such as executables (.exe files), scripts, Windows Installer files (.msi and .msp), and dynamic-link libraries (.dll).
AppLocker Benefits

You can use AppLocker to specify exactly what is allowed to run on user desktops. This allows users to run the applications, installation programs, and scripts that they require to be productive, while still providing the security, operational, and compliance benefits of application standardization. AppLocker can help organizations that want to:
- Limit the number and type of files that are allowed to run by preventing unlicensed or malicious software from running, and by restricting the ActiveX controls that are installed.
- Reduce the total cost of ownership by ensuring that workstations are homogeneous across their enterprise and that users are running only the software and applications that the enterprise approves.
- Reduce the possibility of information leaks from unauthorized software.

Question: What are some of the applications that are good candidates for you to apply an AppLocker rule?
AppLocker Rules

When you are dealing with users in your work environment, you can prevent many problems by controlling what applications a user can run. AppLocker lets you do just this by creating rules that specify exactly what applications a user is allowed to run and which ones are resilient to application updates. Because AppLocker is an additional Group Policy mechanism, IT professionals and system administrators need to be comfortable with Group Policy creation and deployment. This makes AppLocker ideal for organizations that currently use Group Policy to manage their Windows 8 computers or have per-user application installations. To author AppLocker rules, there is a new AppLocker Microsoft Management Console (MMC) snap-in in the Group Policy Object Editor that offers an incredible improvement in the process of creating AppLocker rules. There is one wizard that allows you to create a single rule, and another wizard that generates rules automatically based on your rule preferences and the folder that you select.

You can review the files analyzed, and then remove them from the list before rules are created for them. You can even receive useful statistics about how often a file has been blocked, or test AppLocker policy for a given computer.

To access AppLocker, run Gpedit.msc from the Start screen. Then navigate to Computer Configuration, Windows Settings, Security Settings, and then Application Control Policies. Expand the Application Control Policies node, and highlight AppLocker. In AppLocker you can configure Executable Rules, Windows Installer Rules, and Script Rules. For example, highlight the Executable Rules node and right-click to select Create New Rule. You then can create a rule that allows or denies access to an executable, based on such criteria as the file path or publisher. AppLocker also will let you apply both default and automatically generated rules.

Many organizations implement standard user policies, which allow users to log on to their computers only as a standard user. More independent software vendors (ISVs) are creating per-user applications that do not require administrative rights to be installed and that are installed and run in the user's profile folder. As a result, standard users can install many applications, and circumvent the application lockdown policy. With AppLocker, you can prevent users from installing and running per-user applications by creating a set of default AppLocker rules. The default rules also ensure that the key operating system files are allowed to run for all users.
Note: Before you create new rules manually or automatically generate rules for a specific folder, you must create the default AppLocker rules. Specifically, the default rules enable the following: All users to run files in the default Program Files directory. All users to run all files signed by the Windows operating system. Members of the built-in Administrators group to run all files.
Perform the following steps to create the default AppLocker rules:
1. To open the Local Security Policy MMC snap-in, run secpol.msc.
2. In the console tree, double-click Application Control Policies, and then double-click AppLocker.
3. Right-click Executable Rules, and then click Create Default Rules.
By creating these rules, you also have automatically prevented all nonadministrator users from being able to run programs that are installed in their user profile directory. You can recreate the rules at any time. Note: Without the default rules, critical system files might not run. Once you have created one or more rules in a rule collection, only applications that are affected by those rules are allowed to run. If the default rules are not created and you are blocked from performing administrative tasks, restart the computer in safe mode, add the default rules, delete any deny rules that are preventing access, and then refresh the computer policy.
Once you create the default rules, you can create custom application rules. To facilitate creating sets or collections of rules, AppLocker includes a new Automatically Generate Rules wizard that is accessible from the Local Security Policy console. This wizard simplifies the task of creating rules from a user-specified folder. By running this wizard on reference computers, and specifying a folder that contains the .exe files for applications for which you want to create rules, you can quickly create AppLocker policies automatically. When you create a rule manually, you can choose whether it is an Allow or Deny rule. Allow rules enable applications to run while Deny rules prevent applications from running. The Automatically Generate Rules wizard creates only Allow rules. As noted above, always create the default AppLocker rules for a rule collection before adding rules of your own.
You can create exceptions for .exe files. For example, you can create a rule that allows all Windows processes to run except regedit.exe, and then use audit-only mode to identify files that will not be allowed to run if the policy is in effect. You can create rules automatically by running the wizard and specifying a folder that contains the .exe files for applications for which to create rules.
Note: Do not select a folder that contains one or more user profiles. Creating rules to allow .exe files in user profiles might not be secure.
Before you create the rules at the end of the wizard, review the analyzed files and view information about the rules that will be created. After the rules are created, edit them to make them more or less specific. For example, if you selected the Program Files directory as the source for automatically generating the rules and also created the default rules, there is an extra rule in the Executable Rules collection.
In the console tree under Application Control Policies\AppLocker, right-click Executable Rules, and then click Automatically Generate Rules. On the Folder and Permissions page, click Browse. In the Browse for Folder dialog box, select the folder that contains the .exe files that you want to create the rules for.
Type a name to identify the rules, and then click Next. To help sort the rules in the MMC list view, the name that you provide is used as a prefix for the name of each rule that is created. On the Rule Preferences page, click Next without changing any of the default values. The Rule generation progress dialog box is displayed while the files are processed.
On the Review Rules page, click Create. The wizard closes, and the rules are added to the Executable Rules details pane.
After automatically generating rules based on your preferences, you can edit the rules to make them more detailed.
With the advent of new heuristic identification technologies in web browsers and operating systems, more ISVs are using digital signatures to sign their applications. These signatures simplify an organization's ability to identify applications as genuine, and to create a better and more trustworthy user experience. Creating rules based on the digital signature of an application helps make it possible to build rules that survive application updates. For example, an organization can create a rule to allow all versions greater than 9.0 of a program to run if it is signed by the software publisher. In this way, when the program is updated, IT professionals can safely deploy the application update without having to build another rule. Note: Before performing the following procedure, ensure that you have created the default rules. Perform the following steps to allow only signed applications to run:
1. To open the Local Security Policy MMC snap-in, on the Start screen, type secpol.msc, and then press Enter.
2. In the console tree, double-click Application Control Policies, and then double-click AppLocker.
3. Right-click Executable Rules, and then click Create New Rule.
4. On the Before You Begin page, click Next.
5. On the Permissions page, click Next to accept the default settings.
6. On the Conditions page, click Next.
7. On the Publisher page, note that the default setting is to allow any signed file to run, and then click Next.
8. On the Exceptions page, click Next.
9. On the Name and Description page, accept the default name or enter a custom name and description, and then click Create.
By using this rule and ensuring that all applications are signed within your organization, you are assured that users are running only applications from known publishers. Note: This rule prevents unsigned applications from running. Before implementing this rule, ensure that all of the files that you want to run in your organization are signed digitally. If any applications are not signed, consider implementing an internal signing process to sign unsigned applications with an internal signing key.
If you created the default rules, and then selected the Program Files folder as the source to automatically generate rules, there are one or more extraneous rules in the Executable Rules collection. When you create the default rules, a path rule is added to allow any .exe file in the entire Program Files folder to run. This rule is added to ensure that users are not prevented by default from running applications. Because this rule conflicts with rules that were automatically generated, delete this rule to ensure that the policy is more specific. The name of the default rule is (Default Rule) Microsoft Windows Program Files Rule. Perform the following steps to delete a rule:
1. Ensure that the Local Security Policy MMC snap-in is open.
2. In the console tree under Application Control Policies\AppLocker, click Executable Rules.
3. In the details pane, right-click (Default Rule) Microsoft Windows Program Files Rule, and then click Delete.
4. In the AppLocker dialog box, click Yes.
To determine if any applications are excluded from the rule set, enable the Audit only enforcement mode. Question: When testing AppLocker, you must consider carefully how you will organize rules between linked GPOs. What do you do if a GPO does not contain the default AppLocker rules?
3. Navigate to Computer Configuration, Windows Settings, Security Settings, Application Control Policies, AppLocker.
4. Create a new executable rule:
o Permissions: Deny
o Group: Marketing
o Program: C:\Windows\Regedit.exe
Enforcement setting and its effect:
Default setting: If linked GPOs contain a different setting, that setting is used. If any rules are present in the corresponding rule collection, they are enforced.
Enforce rules: Rules are enforced.
Audit only: Rules are audited, but not enforced.
To view information about applications that are affected by AppLocker rules, use Event Viewer. Each event in the AppLocker operational log contains detailed information, such as the following:
Which file was affected and the path of that file
Whether the file was allowed or blocked
The rule type: Path, File Hash, or Publisher
The rule name
The security identifier (SID) for the user that is targeted in the rule
Review the entries in the log to determine if any applications were not included in the rules. The following table identifies three events to use to determine which applications are affected.

Event ID: 8002
Level: Informational
Event Text: Access to <file name> is allowed by an administrator.
Description: Specifies that the file is allowed by an AppLocker rule.

Event ID: 8003
Level: Warning
Event Text: Access to <file name> is monitored by an administrator.
Description: Applied only when in the Audit only enforcement mode. Specifies that the file will be blocked if the Enforce rules enforcement mode is enabled.

Event ID: 8004
Level: Error
Description: Applied only when the Enforce rules enforcement mode is either directly or indirectly (through Group Policy inheritance) set. The file cannot run.
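The review described above can be scripted. The following Windows PowerShell script is an added example, not part of the course; it reads events 8002, 8003 and 8004 from the AppLocker EXE and DLL log, lists the audited programs that would be blocked under Enforce rules, and assumes the AppLocker module cmdlets (Get-AppLockerFileInformation, New-AppLockerPolicy) are available on the computer.

```powershell
# Added example (not from the course): summarize AppLocker EXE and DLL events
# 8002, 8003 and 8004 to find the applications that the rule set does not
# cover. It assumes the Application Identity service has been running and the
# policy has been in Audit only or Enforce rules mode long enough to log events.

$LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'

# Meaning of each event ID, as given in the course table.
$EventMeaning = @{
    8002 = 'Allowed'                     # file allowed by a rule
    8003 = 'Audited (would be blocked)'  # Audit only mode: blocked if enforced
    8004 = 'Blocked'                     # Enforce rules mode: file cannot run
}

function Get-AppLockerDecision {
    param(
        [int[]]$Id = @(8002, 8003, 8004),
        [int]$MaxEvents = 5000
    )
    $filter = @{ LogName = $LogName; Id = $Id }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            # AppLocker records its details in the event's UserData section;
            # the element names below are those of the AppLocker event schema.
            $x = [xml]$_.ToXml()
            $d = $x.Event.UserData.RuleAndFileData
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                EventId     = $_.Id
                Decision    = $EventMeaning[$_.Id]
                FilePath    = $d.FilePath
                FileHash    = $d.FileHash
                RuleName    = $d.RuleName
                TargetUser  = $d.TargetUser   # SID of the user the rule applied to
                Publisher   = $d.Fqbn         # fully qualified binary name, if signed
            }
        }
}

function Resolve-Sid {
    param([string]$Sid)
    # Translate a SID to DOMAIN\name for the report; keep the SID if it no
    # longer resolves (deleted account, untrusted domain).
    try {
        $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $Sid }
}

# 1. Programs that ran under Audit only but would be blocked once enforced:
#    these are the "applications not included in the rules" the course tells
#    you to look for before switching the collection to Enforce rules.
$gaps = Get-AppLockerDecision -Id 8003 |
    Group-Object FilePath |
    Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'FilePath'; e = { $_.Name } }
$gaps | Format-Table -AutoSize

# 2. Who was blocked from what once Enforce rules is in effect (event 8004).
Get-AppLockerDecision -Id 8004 |
    Select-Object TimeCreated,
                  @{ n = 'Account'; e = { Resolve-Sid $_.TargetUser } },
                  FilePath, RuleName |
    Format-Table -AutoSize

# 3. Turn the audited gaps into Publisher/Hash Allow rules in a policy XML
#    that you review and merge into the GPO, using the AppLocker module.
$audited = Get-AppLockerFileInformation -EventLog -LogPath $LogName -EventType Audited
if ($audited) {
    New-AppLockerPolicy -FileInformation $audited -RuleType Publisher, Hash `
        -User Everyone -Xml | Out-File "$env:TEMP\audited-gaps.xml" -Encoding utf8
}
```

Run it from an elevated PowerShell session on the computer whose log you are reviewing; the generated XML is a draft to review, not a policy to apply unchanged.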
Demonstration
This demonstration will show the different enforcement options, and how to configure the enforcement for the rule that was created in the previous demonstration. The demonstration will then verify the enforcement with gpupdate.
Review the System log for event ID 1502. This tells us that the Group Policy settings were refreshed. Start the Application Identity service, required for AppLocker enforcement.
Attempt to run Regedit.exe from the command prompt. You succeed, because the logged-on user is not a member of the Marketing group. Switch to Event Viewer, and in Application and Services Logs > Microsoft > Windows > AppLocker, select the EXE and DLL log.
Review the entries. They indicate that an attempt was made to run Regedit.exe, which was allowed to run. Note: AppLocker is not implemented in this prerelease version of the software.
Close all open windows.
Question: What is the command to update the computer's policy, and where is it run?
Holly is concerned that people in her department are spending time listening to music files. She wants a way to disable the Windows Media Player from running. You decide to implement AppLocker to prevent members of the IT group from running this program.
Objectives
Create AppLocker rules.
Apply rules and test rules.
Lab Setup
For this lab, you will use the available virtual machine environment. The required virtual machines should already be running from the preceding lab.
Results: At the end of the exercise, you will have successfully created the required AppLocker rule.
In this exercise, you will confirm the executable rule, and then test it by logging on as a member of the IT group. The main tasks for this exercise are as follows:
1. Confirm the Executable Rule Enforcement.
2. Test the enforcement.
Note: AppLocker is not implemented in this prerelease version of the software. You are not prevented from running Windows Media Player.
3. Log off.
4. Log on as Adatum\Administrator with the password Pa$$w0rd.
5. Open Event Viewer.
6. Locate the Application and Services\Microsoft\Windows\AppLocker\EXE and DLL log.
Note: AppLocker is not implemented in this prerelease version of the software. Error 8008 displays indicating this fact. Usually, you would see error event ID 8004. The application was prevented from running.
7. Close all open windows, and log off.
Results: At the end of this exercise, you will have successfully verified the function of your executable AppLocker rule.
When testing AppLocker, carefully consider how you will organize rules between linked GPOs. If a GPO does not contain the default rules, then either add the rules directly to the GPO or add them to a GPO that links to it. After creating new rules, you must configure enforcement for the rule collections, and then refresh the computer's policy. By default, AppLocker rules do not allow users to open or run any files that are not specifically allowed. Administrators must maintain a current list of allowed applications.
If AppLocker rules are defined in a GPO, only those rules are applied. To ensure interoperability between Software Restriction Policies rules and AppLocker rules, define Software Restriction Policies rules and AppLocker rules in different GPOs.
When you set an AppLocker rule to Audit only, the rule is not enforced. When a user runs an application that is included in the rule, the application is opened and runs normally, and information about that application is added to the AppLocker event log.
Tools
Tool: Windows PowerShell
Use for: Command-line management tool
Where to find it: Windows 8

Tool: DISM
Use for: Servicing and managing Windows images
Where to find it: Windows 8

Tool: Msiexec.exe
Use for: Managing installations
Where to find it: Command line

Tool: Application Compatibility Toolkit
Use for: Inventorying and analyzing organization application compatibility
Where to find it: Microsoft Download Center

Tool: Compatibility Administrator Tool
Use for: Creating application fixes
Where to find it: ACT

Tool: GPupdate
Use for: Managing policy application
Where to find it: Command line
Module 10
Contents:
Module Overview 10-1
Lesson 1: Optimizing the Performance of Windows 8 10-2
Lab A: Optimizing Windows 8 Performance 10-11
Lesson 2: Managing the Reliability of Windows 8 10-14
Lesson 3: Managing Windows 8 Updates 10-19
Lab B: Maintaining Windows Updates 10-26
Module Review and Takeaways 10-28
Module Overview
Users have high expectations of technology. Therefore, performance is a key issue in today's business environment, and it is important to consistently optimize and manage your system's performance.
The Windows 8 operating system includes several monitoring and configuration tools that you can use to obtain information about a computer's performance.
To maintain and optimize system performance in Windows 8, you can use these performance-management tools. You can maintain the reliability of Windows 8 with the diagnostic tools, and configure Windows Update to ensure that you have optimized computer performance consistently.
Objectives
After completing this module, you will be able to:
Describe the optimization of Windows 8 performance.
Explain how to optimize Windows 8 performance.
Describe the management of Windows 8 reliability.
Describe the management of Windows 8 updates.
Explain how to maintain Windows Updates.
Lesson 1
A computer system that performs at a low efficiency level can cause problems in the work environment, including the potential to reduce user productivity and consequently increase user frustration. Windows 8 helps you to determine the potential causes of poor performance and then to use the appropriate tools to help to resolve these performance issues.
Reliability is a measure of how a system conforms to expected behavior, and a system that often deviates from the behavior that you configure or expect indicates poor reliability.
Question: What factors can influence computer-system performance?
Question: What factors may contribute to reliability issues in a computer system?
Open Disk Cleanup: Provides a calculation that displays how much free space is on the computer.
Use Advanced Tools to obtain additional performance information and a list of current performance issues. You also can view the following advanced options about the computer's performance:
Clear all Windows Experience Index scores and re-rate the system
View performance details in Event log
Open Performance Monitor
Open Resource Monitor
Open Task Manager
View advanced system details in System information
Adjust the appearance and performance of Windows
Open Disk Defragmenter
Generate a system health report
One of the performance tools is the Windows Experience Index (WEI). WEI lists your computer's base score, which is a measurement of the performance and overall capability of your computer's hardware. Check your computer's WEI base score from Performance Information and Tools. The WEI indicates the capability of your computer's hardware and software configuration.
WEI benchmarks are optimized for Windows 8, so that a system will have a different WEI score than if it was running Windows 7.
WEI measures each of your computer's key components. The following table lists the information that WEI measures and rates for each component.

Component: Processor
What is rated: Calculations per second

Component: Random Access Memory (RAM)
What is rated: Memory operations per second

Component: Graphics
What is rated: Desktop performance for Windows Aero desktop experience

What is rated: Three-dimensional (3-D) business and gaming graphics performance

What is rated: Disk data-transfer rate
Each hardware component receives an individual subscore. Your computer's base score is determined by the lowest subscore. For example, if the lowest subscore of an individual hardware component is 2.6, then the base score is 2.6. A greater base score generally means that a computer runs better and faster than a computer that has a lower base score, especially when it performs more advanced and resource-intensive tasks. When you know your computer's base score, you can confidently buy programs and other software that match the base score. Base scores currently range from 1 to 9.9. WEI accommodates advances in computer technology as hardware speed and performance improve. A computer that has a base score of 1 or 2 usually has sufficient performance to do most general computing tasks, such as run office-productivity applications and search the Internet. However, a computer that has this base score is generally not powerful enough to run Windows Aero, or the advanced multimedia experiences that are available with Windows 8.
A computer that has a base score of 3 can run Windows Aero and many new features of Windows 8 at a basic level. Some new Windows 8 advanced features might not have all the functionality available. For example, a computer that has a base score of 3 can display the Windows 8 theme at a resolution of 1280x1024, but might struggle to run the theme on multiple monitors. Or, it can play digital TV content, but might struggle to play HDTV content. A computer that has a base score of 4 or 5 can run all new Windows 8 features with full functionality, and it can support high-end, graphics-intensive experiences, such as multiplayer and three-dimensional gaming, and recording and playback of HDTV content. Computers that have a base score of 5 were the highest-performing computers available when Windows 7 was released. When you update or upgrade your computer hardware to optimize Windows 8, you must update the computer base score to check whether it has changed, too. Note: You also can use the winsat command-line tool to update the computer base score. Windows stores the WEI reports as XML files in the C:\Windows\Performance\WinSAT\DataStore folder.
Monitoring Tools
Monitoring Tools contains the Performance Monitor, and it provides a visual display of built-in Windows performance counters, either in real time or as historical data. The Performance Monitor includes the following features:
Multiple graph views
Custom views that you can export as data collector sets
Performance Monitor uses performance counters to measure the system's state or activity, while the OS or individual applications may include performance counters. Performance Monitor requests the current value of performance counters at specified time intervals. You can add performance counters to the Performance Monitor by dragging and dropping the counters or by creating a custom data collector set. Performance Monitor features multiple graph views that enable you to have a visual review of performance log data. You can create custom views in Performance Monitor that you can export as data collector sets for use with performance and logging features.
The data collector set is a custom set of performance counters, event traces, and system-configuration data.
After you create a combination of data collectors that describe useful system information, you can save them as a data collector set, and then run and view the results.
A data collector set organizes multiple data-collection points into a single, portable component. You can use a data collector set on its own, group it with other data collector sets and incorporate it into logs, or view it in the Performance Monitor. You can configure a data collector set to generate alerts when it reaches thresholds, so that third-party applications can use it. You also can configure a data collector set to run at a scheduled time, for a specific length of time, or until it reaches a predefined size. For example, you can run the data collector set for 10 minutes every hour during your working hours to create a performance baseline. You also can set the data collector to restart when set limits are reached, so that a separate file will be created for each interval.
You can use data collector sets and Performance Monitor tools to organize multiple data-collection points into a single component that you can use to review or log performance. Performance Monitor also includes default data collector set templates to help system administrators begin the process of collecting performance data that is specific to a server role or monitoring scenario.
Reports
Use the Reports feature to view and generate reports from a set of counters that you create by using Data Collector Sets.
Resource Monitor
Use this view to monitor the use and performance of the central processing unit (CPU), disk, network, and memory resources in real time. This lets you identify and resolve resource conflicts and bottlenecks. By expanding the monitored elements, system administrators can identify which processes are using which resources. In previous Windows versions, Task Manager made this real-time, process-specific data available, but only in a limited form. Question: A shortage of which resources can cause performance problems for your computer?
Demonstration Steps
1. Log on to LON-CL1 as administrator.
2. Open Resource Monitor.
3. View the information on the Overview tab. This tab shows CPU usage, disk I/O, network usage, and memory usage information for each process. A bar above each section provides summary information.
4. View the information on the CPU tab. This tab has more detailed CPU information that you can filter, so that it is based on the process.
5. View the information on the Memory tab. This tab provides detailed information about memory usage for each process. Notice that the process that you selected previously remains selected, so that you can review multiple kinds of information about a process as you switch between tabs.
6. View the information on the Disk tab. This tab shows processes with recent disk activity.
7. View the information in the Network tab. This tab provides information about all processes with current network activity.
Question: How can you simplify monitoring the activity of a single process when it spans different tabs?
Demonstration: How to Analyze System Performance by Using Data Collector Sets and Performance Monitor
In this demonstration, you will show how to analyze system performance by using data collector sets and Performance Monitor.
Examine a Report
Examine a report on the collected data. Question: How can you use Performance Monitor for troubleshooting?
For example, if you suspect high consumption of your CPU processing capacity, you can view the CPU tab, and then see exactly what processes actually are executing on your machine, how many threads they are executing, and how much CPU use is occurring. You also can view your computer's installed memory, how much the operating system can use, how much it is using currently, and how much is reserved for hardware. From the Disk view, you can view all disk input/output (I/O) and detailed information on disk activity. You can view processes with network activity in the Network view, and monitor which processes are running and consuming too much bandwidth.
Additionally, Resource Monitor enables you to investigate which product, which tool, or which application is currently running and consuming CPU, disk, network, and memory resources.
Create a Performance Baseline by Using Performance Monitor and Data Collector Sets
You can set up a baseline in Performance Monitor to help you with the following tasks:
Evaluate your computer's workload.
Monitor system resources.
Notice changes and trends in resource use.
By using data collector sets, you can establish a baseline to use as a standard for comparison. Create a baseline when you first configure the computer, at regular intervals of typical usage, and when you make any changes to the computer's hardware or software configuration. If you have appropriate baselines, you can determine which resources are affecting your computer's performance. You can monitor your system remotely. However, use of the counters across a network connection for an extended period of time can congest network traffic. If you have disk space on the server for the performance log files, we recommend that you record performance log information locally. Performance impacts can occur because of the number of counters being sampled and the frequency with which sampling occurs. Therefore, it is important to test the number of counters and the frequency of data collection. This lets you determine the right balance between your environment's needs and the provision of useful performance information. For the initial performance baseline, however, we recommend that you use the highest number of counters possible and the highest frequency available. The following table shows the commonly used performance counters.

Counter: LogicalDisk\% Free Space
Usage: This counter measures the percentage of free space on the selected logical disk drive. Take note if this falls below 15 percent, because you risk running out of free space for the OS to use to store critical files. One obvious solution is to add more disk space.

Usage: This counter measures the percentage of time the disk was idle during the sample interval. If this counter falls below 20 percent, the disk system is saturated. You may consider replacing the current disk system with a faster one.

Usage: This counter measures the average time, in seconds, to read data from the disk. If the number is larger than 25 milliseconds (ms), that means the disk system is experiencing latency when it is reading from the disk.

Usage: This counter measures the average time, in seconds, it takes to write data to the disk. If the number is larger than 25 milliseconds (ms), the disk system experiences latency when it is writing to the disk.

Usage: This counter indicates how many I/O operations are waiting for the hard drive to become available. If the value is larger than two times the number of spindles, it means that the disk itself may be the bottleneck.

Counter: Memory\Cache Bytes
Usage: This counter indicates the amount of memory that the file-system cache is using. There may be a disk bottleneck if this value is greater than 300 megabytes (MB).

Usage: This counter measures the ratio of Committed Bytes to the Commit Limit, or in other words, the amount of virtual memory in use. If the number is greater than 80 percent, it indicates insufficient memory.

Usage: This counter measures the amount of physical memory, in megabytes, available for running processes. If this value is less than 5 percent of the total physical random access memory (RAM), that means there is insufficient memory, and that can increase paging activity.

Usage: This counter indicates the number of page table entries not currently in use by the system. If the number is less than 5,000, there may be a memory leak.

Usage: This counter measures the size, in bytes, of the nonpaged pool. This is an area of system memory for objects that cannot be written to disk, but instead must remain in physical memory as long as they are allocated. There is a possible memory leak if the value is greater than 175 MB (or 100 MB with a /3 gigabyte (GB) switch).

Usage: This counter measures the size, in bytes, of the paged pool. This is an area of system memory for objects that can be written to disk when they are not being used. There may be a memory leak if this value is greater than 250 MB (or 170 MB with the /3 GB switch).

Usage: This counter measures the rate at which pages are read from, or written to, the disk to resolve hard-page faults. If the value is greater than 1,000, as a result of excessive paging, there may be a memory leak.

Usage: This counter measures the percentage of elapsed time that the processor spends executing a non-idle thread. If the percentage is greater than 85 percent, the processor is overwhelmed, and the server may require a faster processor.

Usage: This counter measures the percentage of elapsed time that the processor spends in user mode. If this value is high, the server is busy with the application.

Usage: This counter measures the time that the processor spends receiving and servicing hardware interrupts during specific sample intervals. This counter indicates a possible hardware issue if the value is greater than 15 percent.

Usage: This counter indicates the number of threads in the processor queue. The server does not have enough processor power if the value is more than two times the number of CPUs for an extended period of time.

Usage: This counter measures the rate at which bytes are sent and received over each network adapter, including framing characters. The network is saturated if you discover that more than 70 percent of the interface is consumed.

Usage: This counter measures the length of the output packet queue, in packets. There is network saturation if the value is more than 2.

Usage: This counter measures the total number of handles that a process currently has open. This counter indicates a possible handle leak if the number is greater than 10,000.

Counter: Process\Thread Count
Usage: This counter measures the number of threads currently active in a process. There may be a thread leak if this number is more than 500 between the minimum and maximum number of threads.

Counter: Process\Private Bytes
Usage: This counter indicates the amount of memory that this process has allocated that it cannot share with other processes. If the value is greater than 250 between the minimum and maximum number of threads, there may be a memory leak.
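The baseline procedure from the text and the lab, as an added Windows PowerShell example that is not part of the course: it creates the lab's "Adatum Baseline" data collector set with logman, then samples the same counters with Get-Counter and checks the averages against the thresholds in the table above. The output folder, the spindle count and the extra LogicalDisk and Memory counters are assumptions.

```powershell
# Added example (not from the course): create the lab's baseline data
# collector set with logman, then sample the same counters with Get-Counter and
# compare the averages with the thresholds from the table above. The output
# folder and the spindle count are assumptions for a single-disk lab VM.

$SetName = 'Adatum Baseline'
$OutDir  = 'C:\PerfLogs\AdatumBaseline'   # assumed output folder

# The counters the lab records, plus the disk and memory counters whose
# thresholds the table gives.
$Counters = @(
    '\Memory\Pages/sec',
    '\Network Interface(*)\Packets/sec',
    '\PhysicalDisk(_Total)\% Disk Time',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\Processor(_Total)\% Processor Time',
    '\System\Processor Queue Length',
    '\LogicalDisk(C:)\% Free Space',
    '\LogicalDisk(C:)\% Idle Time',
    '\Memory\% Committed Bytes in Use'
)

# Thresholds from the course table. Max means "investigate above this value",
# Min means "investigate below it". The queue-length limits depend on the CPU
# and spindle counts, so they are computed here.
$Cpus     = (Get-CimInstance Win32_ComputerSystem).NumberOfLogicalProcessors
$Spindles = 1   # assumption: one physical disk behind the lab VM
$Limits = @{
    '\Processor(_Total)\% Processor Time'          = @{ Max = 85 }
    '\System\Processor Queue Length'               = @{ Max = 2 * $Cpus }
    '\Memory\Pages/sec'                            = @{ Max = 1000 }
    '\Memory\% Committed Bytes in Use'             = @{ Max = 80 }
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length' = @{ Max = 2 * $Spindles }
    '\LogicalDisk(C:)\% Free Space'                = @{ Min = 15 }
    '\LogicalDisk(C:)\% Idle Time'                 = @{ Min = 20 }
}

function New-BaselineCollectorSet {
    # logman creates a counter data collector set that appears in Performance
    # Monitor under Data Collector Sets > User Defined. -si is the sample
    # interval, -rf the run length (10 minutes, as in the module text), -f the
    # log format and -o the output file stem. PowerShell passes each array
    # element as its own argument and quotes the ones containing spaces.
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    logman create counter $SetName -c $Counters -si 00:00:15 -rf 00:10:00 -f csv -o "$OutDir\baseline"
    logman start $SetName
}

function Test-PerformanceThresholds {
    param([int]$Samples = 4, [int]$IntervalSeconds = 5)
    # Average several samples so that a single spike does not trigger a finding.
    $data = Get-Counter -Counter $Counters -SampleInterval $IntervalSeconds -MaxSamples $Samples
    $byPath = @{}
    foreach ($set in $data) {
        foreach ($s in $set.CounterSamples) {
            # Sample paths carry the computer name (\\LON-CL1\memory\pages/sec);
            # strip it so that the path matches the $Limits keys (PowerShell
            # hashtable keys are compared case-insensitively).
            $p = $s.Path -replace '^\\\\[^\\]+', ''
            if (-not $byPath.ContainsKey($p)) { $byPath[$p] = @() }
            $byPath[$p] += $s.CookedValue
        }
    }
    foreach ($p in ($byPath.Keys | Sort-Object)) {
        $avg    = ($byPath[$p] | Measure-Object -Average).Average
        $limit  = $Limits[$p]
        $rule   = ''
        $status = 'no threshold'
        if ($limit -and $limit.ContainsKey('Max')) {
            $rule   = "<= $($limit.Max)"
            $status = if ($avg -gt $limit.Max) { 'INVESTIGATE' } else { 'ok' }
        } elseif ($limit -and $limit.ContainsKey('Min')) {
            $rule   = ">= $($limit.Min)"
            $status = if ($avg -lt $limit.Min) { 'INVESTIGATE' } else { 'ok' }
        }
        [pscustomobject]@{
            Counter   = $p
            Average   = [math]::Round($avg, 2)
            Threshold = $rule
            Status    = $status
        }
    }
}

# Typical use: start the collector set, generate load as the lab does, then run
# the threshold check. The CSV under $OutDir is the baseline to compare with the
# second run in Performance Monitor's Reports view.
New-BaselineCollectorSet
Test-PerformanceThresholds | Format-Table -AutoSize
```

Run it from an elevated PowerShell session; logman needs administrator rights to create and start a data collector set.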
Users in A. Datum are about to receive their new Windows 8 computers. You must use Performance Monitor to establish a performance monitoring baseline and measure a typical computers responsiveness under a representative load. This will help to ensure that resources, such as RAM and CPU, are specified correctly for these computers.
Objectives
Create a performance monitoring baseline.
Introduce a load.
Measure system performance and analyze results.
Lab Setup
Estimated Time: 25 minutes
Virtual Machine(s): 20687A-LON-DC1, 20687A-LON-CL1
User Name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
o User name: Administrator
o Password: Pa$$w0rd
o Domain: Adatum
5.
Close all Microsoft Office applications, and in Performance Monitor, stop the Adatum Baseline data collector set.
In Performance Monitor, locate Reports > User Defined > Adatum Baseline. Click the report that has a name that begins with LON-CL1. Record the following values:
o Memory Pages per second
o Network Interface Packets per second
o Physical Disk % Disk Time
o Physical Disk Avg. Disk Queue Length
o Processor % Processor Time
o System Processor Queue Length
Results: After this exercise, you should have created a performance monitoring baseline.
The main task for this exercise is as follows: Create a load on the computer.
Results: After this exercise, you should have generated additional load on the computer.
In this exercise, you compare the results that you collected during performance monitoring with those collected earlier when you created the baseline. The main task for this exercise is as follows: Identify performance bottlenecks in the computer.
After a few minutes, close the two instances of C:\Windows\System32\cmd.exe launched by the script. Switch to Performance Monitor, and then stop the Adatum Baseline data collector set.
In Performance Monitor, locate Reports > User Defined > Adatum Baseline. Click the second report that has a name that begins with LON-CL1. View the data as a report. Record the component details:
a. Memory Pages per second
b. Network Interface Packets per second
c. Physical Disk % Disk Time
d. Physical Disk Avg. Disk Queue Length
e. Processor % Processor Time
f. System Processor Queue Length
8. In your opinion, which components are the most seriously affected?
9. Close all open windows and programs, and then revert to the Start screen.
Results: After this exercise, you should have identified the computer's performance bottleneck.
When you have finished the lab, leave the virtual machines running, as they are needed for the next lab.
Lesson 2
The Windows Diagnostic Infrastructure (WDI) is a set of diagnostic tools that performs the following tasks:
This lesson explores some of these tools and their capabilities.
Unreliable Memory
Mem mory problems are especially frustrating to troubleshoo because the frequently m o ot, ey manifest thems selves as application issu Failing me a ues. emory can cause application failures, opera ating-system f faults, and stop p erro and it can be difficult to identify, becau problems can be interm ors, use mittent. For exa ample, a memo ory chip might functio perfectly when you test it in a controlle environmen However, it can start to fa p on w t ed nt. t ail whe you use it in a hot compu en n uter. Faili memory chips return data that differs from what the OS stored or ing e riginally. This c lead to can seco ondary problems, such as co orrupted files. Frequently, ad F dministrators ta extreme st ake teps, such as rein nstalling applic cations or the OS, to repair th problem, o nly to have the failures pers O he sist.
Network errors frequently cause an inability to access network resources, and can be difficult to diagnose. Network interfaces that you do not configure correctly, incorrect IP addresses, hardware failures, and many other problems can affect connectivity. OS features, such as cached credentials, enable users to log on as domain users even when a network connection is not present. This feature can make it appear as if users have logged on successfully to the domain, even when they have not. Although this feature is useful, it does add another layer to the process of troubleshooting network connections.
Diagnosing startup problems is especially difficult, because you do not have access to Windows 8 troubleshooting and monitoring tools when your computer does not start. Malfunctioning memory, incompatible or corrupted device drivers, missing or corrupted startup files, or corrupted disk data can all cause startup failures.
If the Windows Memory Diagnostics tool detects any problems with physical memory, Microsoft Online Crash Analysis automatically prompts you to run the tool.
You can decide whether to restart your computer and check for problems immediately, or to schedule the tool to run when the computer next restarts. When the computer restarts, Windows Memory Diagnostics tests the computer's memory. When the tool runs, it shows a progress bar that indicates the status of the test. It may take several minutes for the tool to finish checking your computer's memory. When the test finishes, Windows restarts again automatically, and the tool provides a clear report that details the problem. It also writes information to the event log so that it can be analyzed.
You can also run the Windows Memory Diagnostics tool manually. You have the same choices: to run the tool immediately or to schedule it to run when the computer restarts. Additionally, you can start Windows Memory Diagnostics from the installation media.
Advanced Options
To access advanced diagnostic options, press F1 while the test is running. Advanced options include the following:
- Test mix: Select what kind of test to run.
- Cache: Select the cache setting for each test.
- Pass Count: Enter the number of times that the test mix should repeat the tests.
Press the Tab key to move between the advanced options. When you finish selecting your options, press F10 to start the test.
- Connections to a Workplace Using DirectAccess: Problems with connecting to your workplace when using DirectAccess.
- Printer: Problems with printer connections.
The Windows Network Diagnostics tool runs automatically when it detects a problem. You can also decide to run the tool manually by using the Diagnose option on the Local Area Connection Status property sheet. If Windows 8 detects a problem that it can repair automatically, it will do so. If Windows 8 cannot repair the problem automatically, it directs the user to perform simple steps to resolve the problem without having to call support.
Reliability Monitor
The Reliability Monitor reviews the computer's reliability and problem history. You can use the Reliability Monitor to obtain several kinds of reports and charts that can help you identify the source of reliability issues. Access the Reliability Monitor by clicking View reliability history in the Maintenance section of the Action Center. The following topics explain the main features of the Reliability Monitor in more detail.
The System Stability Report also provides information about each event in the chart. These reports include the following events:
- Software Installs
- Software Uninstalls
- Application Failures
- Hardware Failures
- Windows Failures
- Miscellaneous Failures
The Reliability Monitor tracks key events about the system configuration, such as the installation of new applications, OS patches, and drivers. It also tracks the following events, and helps you identify the reasons for reliability issues:
- Memory problems
- Hard-disk problems
- Driver problems
- Application failures
- Operating system failures
The Reliability Monitor is a useful tool that provides a timeline of system changes, and then reports the system's reliability. You can use this timeline to determine whether a particular system change correlates with the start of system instability.
If an error occurs while an application is running, Windows Error Reporting Services prompts the user to select whether to send error information to Microsoft over the Internet. If information is available that can help the user resolve this problem, Windows displays a message to the user with a link to information about how to resolve the issue. You can use the Problem Reports and Solutions tool to track resolving information and to recheck and find new solutions. You can start the Problem Reports and Solutions tools from the Reliability Monitor. The following tools are available:
- Save reliability history
- View all problem reports
- Check for solutions to all problems
- Clear the solution and problem history
Lesson 3
To keep computers that are running Windows operating systems stable and protected, you must update them regularly with the latest security updates and fixes. Windows Update enables you to download and install important and recommended updates automatically, instead of visiting the Windows Update website. You must be aware of the configuration options that Windows Update has available, and you must be able to guide users on how to configure these options.
Windows Update downloads your computer's updates in the background while you are online. If your Internet connection is interrupted before an update downloads fully, the download process resumes when the connection becomes available.
Configure Settings
The Automatic Updates feature of Windows Update downloads and installs important updates, including security and critical performance updates. However, you have to select recommended and optional updates manually. The time of installation depends on the configuration options that you select. Most updates occur seamlessly, with the following exceptions:
- If an update requires a restart to complete installation, you can schedule it for a specific time.
- When a software update applies to a file that is in use, Windows 8 can save the application's data, close the application, update the file, and then restart the application. Windows 8 might prompt the user to accept Microsoft Software License Terms when the application restarts.
When you configure Windows Update, consider the following:
- Use the recommended settings to download and install updates automatically. The recommended settings download and install updates automatically at 03:00 daily. If the computer is turned off, the installation will be done the next time that the computer is turned on. By using the recommended settings, users do not have to search for critical updates or worry that critical fixes may be missing from their computers.
- Use Windows Server Update Services (WSUS) in a corporate environment.
- Use Microsoft System Center 2012 Configuration Manager (SCCM) for larger environments that have more than 1000 systems.
We recommend that you choose to have updates installed automatically, so that Windows will install important updates as they become available.
But if you do not want updates to be installed or downloaded automatically, you can select instead to be notified when updates apply to your computer, so that you can download and install them yourself. For example, if you have a slow Internet connection or your work is interrupted because of automatic updates, you can have Windows check for updates, but download and install them yourself.
If an update has been installed that you would like to remove, then from the View Update History page, click Installed Updates. You can then view all the installed updates, and where necessary, you can right-click an update, and then click Uninstall.
Hide Updates
If the update attempts to reinstall at a later time, you can hide the update. To hide an update that you do not wish to install, from Windows Update, click the link for the available updates. Right-click the update that you do not want to install, and then click Hide update.
If you have resolved the underlying problem with the update you uninstalled, and you wish to install it, you first must unhide the update. From Windows Update, click Restore hidden updates.
If you enable this policy setting, Install Updates and Shut Down will not appear as a choice in the Shut Down Windows dialog box, even if updates are available for installation when the user selects the Shut Down option in the Start menu.
If you disable or do not configure this policy setting, the Install Updates and Shut Down option will be available in the Shut Down Windows dialog box if updates are available when the user selects the Shut Down option in the Start menu.
Do not adjust the default option to Install Updates and Shut Down in the Shut Down Windows dialog box
You can use this policy setting to manage whether the Install Updates and Shut Down option is allowed to be the default choice in the Shut Down Windows dialog.
If you enable this policy setting, the user's last shut-down choice (Hibernate, Restart, etc.) is the default option in the Shut Down Windows dialog box, regardless of whether the Install Updates and Shut Down option is available in the What do you want the computer to do? list.
If you disable or do not configure this policy setting, the Install Updates and Shut Down option will be the default option in the Shut Down Windows dialog box, if updates are available for installation when the user selects the Shut Down option in the Start menu.
Enabling Windows Update Power Management to automatically wake up the system to install scheduled updates
This policy specifies whether Windows Update will use the Windows Power Management features to wake up your system automatically from hibernation if updates need to be installed. Windows Update will wake up your system automatically only if you configure Windows Update to install updates automatically. If the system is in hibernation when the scheduled install time occurs, and there are updates to be applied, then Windows Update will use the Windows Power Management features to wake the system automatically to install the updates.
The system will not wake unless there are updates to be installed. If the system is on battery power, when Windows Update wakes it up, it will not install updates, and the system will automatically return to hibernation in two minutes.
Configure Automatic Updates
This setting specifies whether the computer will receive security updates and other important downloads through the Windows automatic updating service. This setting lets you specify if automatic updates are enabled on your computer. If the service is enabled, you must select one of the four options in the Group Policy setting:
- 2 = Notify before downloading any updates and notify again before installing them. When Windows finds updates that apply to your computer, an icon appears in the status area, with a message that updates are ready to be downloaded. Clicking the icon or message provides the option to select the specific updates that you want to download. Windows then downloads your selected updates in the background. When the download is complete, the icon appears in the status area again, with notification that the updates are ready to be installed. Clicking the icon or message provides the option to select which updates to install.
- 3 = (Default setting) Download the updates automatically and notify when they are ready to be installed. Windows finds updates that apply to your computer, and then downloads these updates in the background, so that the user is not notified or interrupted during this process. When the download is complete, the icon appears in the status area, with notification that the updates are ready to be installed. Clicking the icon or message provides the option to select which updates to install.
- 4 = Automatically download updates and install them on the schedule specified below. Specify the schedule using the options in the Group Policy setting. If no schedule is specified, the default schedule for all installations will be every day at 03:00. If any of the updates require a restart to complete the installation, Windows will restart the computer automatically. If a user is logged on to the computer when Windows is ready to restart, the user will be notified and given the option to delay the restart.
- 5 = Allow local administrators to select the configuration mode that Automatic Updates must notify and install updates. With this option, the local administrators will be allowed to use the Automatic Updates control panel to select a configuration option. For example, they can choose their own scheduled installation time. Local administrators will not be allowed to disable Automatic Updates configuration.
To use the Configure Automatic Updates setting, click Enabled, and then select one of the options (2, 3, 4, or 5). If you select 4, you can set a recurring schedule. If you do not specify a schedule, all installations will occur every day at 03:00. If the status is set to Enabled, Windows recognizes when the computer is online, and then uses its Internet connection to search Windows Update for updates that apply to your computer.
If the status is set to Disabled, you must manually download and install any updates that are available on Windows Update.
If the status is set to Not Configured, use of Automatic Updates is not specified at the Group Policy level. However, an administrator can still configure Automatic Updates through Control Panel.
Specify intranet Microsoft update service location
This setting specifies an intranet server to host updates from Microsoft Update. You can then use this update service to update your network's computers automatically. This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network.
To use this setting, you must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. If the status is set to Enabled, the Automatic Updates client connects to the specified intranet Microsoft update service, instead of Windows Update, to search for and download updates. Enabling this setting means that end users in your organization do not have to go through a firewall to get updates, and it gives you the opportunity to test updates before deploying them.
If the status is set to Disabled or Not Configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet.
Automatic Updates detection frequency
This policy specifies the hours that Windows will use to determine how long to wait before checking for available updates. The exact wait time is determined by using the hours that you specify in this policy, minus zero to twenty percent of the hours specified. For example, if this policy is used to specify a 20-hour detection frequency, then all clients to which this policy is applied will check for updates anywhere between 16 and 20 hours. If the status is set to Enabled, Windows will check for available updates at the specified interval.
If the status is set to Disabled or Not Configured, Windows will check for available updates at the default interval of 22 hours.
Allow non-administrators to receive update notifications
This policy setting allows you to control whether non-administrative users will receive update notifications based on the Configure Automatic Updates policy setting.
If you enable this policy setting, Windows Automatic Update and Microsoft Update will include non-administrators during the process of determining which logged-on user will receive update notifications.
Non-administrative users will be able to install all optional, recommended, and important content for which they received a notification. Users will not see a User Account Control window and do not need elevated permissions to install these updates, except in the case of updates that contain User Interface, End User License Agreement, or Windows Update setting changes. If you disable or do not configure this policy setting, then only administrative users will receive update notifications. By default, this policy setting is disabled.
If the Configure Automatic Updates policy setting is disabled or is not configured, then the Elevate Non-Admin policy setting has no effect.
Turn on Software Notifications
This policy setting allows you to control whether users can view detailed enhanced notification messages about featured software from the Microsoft Update service.
Enhanced notification messages convey the value of optional software, and promote its installation and use. This policy setting is intended for use in loosely managed environments in which you allow the end user access to the Microsoft Update service. If you enable this policy setting, a notification message will appear on the user's computer when featured software is available. The user can click the notification to open the Windows Update Application and get more information about the software, or install it. The user also can click Close this message or Show me later to defer the notification as appropriate. In Windows 8, this policy setting will only control detailed notifications for optional applications.
If you disable or do not configure this policy setting, Windows 8 users will not be offered detailed notification messages for optional applications. By default, this policy setting is disabled. If you are not using the Microsoft Update service, then the Software Notifications policy setting has no effect. If the Configure Automatic Updates policy setting is disabled or is not configured, then the Software Notifications policy setting has no effect.
Let the service shut down when it is idle
This setting controls how many minutes the Windows Update service will wait before shutting down when there are no scans, downloads, or installs in progress. If configured to zero, the service will always run.
Allow Automatic Updates immediate installation
This setting specifies whether Automatic Updates will automatically install certain updates that neither interrupt Windows services, nor restart Windows. If the status is set to Enabled, Automatic Updates will immediately install these updates once they are downloaded and ready to install. If the status is set to Disabled, such updates will not be installed immediately. If the Configure Automatic Updates policy is disabled, this policy has no effect.
Turn on recommended updates via Automatic Updates
This setting specifies whether Automatic Updates will deliver both important and recommended updates from the Windows Update service. When this policy is enabled, Automatic Updates will install recommended and important updates from Windows Update. When disabled or not configured, Automatic Updates will continue to deliver important updates if it is already configured to do so.
No auto-restart with logged on users for scheduled automatic updates installations
This setting specifies that to complete a scheduled installation, Automatic Updates will wait for the computer to be restarted by any user who is logged on, instead of causing the computer to restart automatically.
If the status is set to Enabled, Automatic Updates will not restart a computer automatically during a scheduled installation, if a user is logged in to the computer. Instead, Automatic Updates will notify the user to restart the computer.
Re-prompt for restart with scheduled installations
This setting specifies the amount of time for Automatic Updates to wait before prompting the user again to restart and complete the update process.
If the status is set to Enabled, a scheduled restart will occur in the specified number of minutes after the previous prompt for restart was postponed. If the status is set to Disabled or Not Configured, the default interval is 10 minutes.
This setting specifies the amount of time for Automatic Updates to wait before proceeding with a scheduled restart.
If the status is set to Enabled, a scheduled restart will occur the specified number of minutes after the installation is finished. If the status is set to Disabled or Not Configured, the default wait time is 15 minutes.
Reschedule Automatic Updates scheduled installations
This setting specifies the amount of time for Automatic Updates to wait, following system startup, before proceeding with a scheduled installation that was missed previously.
If the status is set to Enabled, a scheduled installation that did not take place earlier will occur the specified number of minutes after the computer is next started. If the status is set to Disabled, a missed scheduled installation will occur with the next scheduled installation.
If the status is set to Not Configured, a missed scheduled installation will occur one minute after the computer is next started.
Enable client-side targeting
This setting specifies the target group name or names that will be used to receive updates from an intranet Microsoft update service.
If the status is set to Enabled, the specified target group information is sent to the intranet Microsoft update service, which uses this information to determine which updates must be deployed to the computer. If the intranet Microsoft update service supports multiple target groups, this policy can specify multiple group names separated by semicolons. Otherwise, you must specify a single group.
If the status is set to Disabled or Not Configured, no target group information will be sent to the intranet Microsoft update service.
Allow signed updates from an intranet Microsoft update service location
This policy setting allows you to manage whether Automatic Updates accepts updates signed by entities other than Microsoft, when the update is found on an intranet Microsoft update service location.
If you enable this policy setting, Automatic Updates accepts updates received through an intranet Microsoft update service location, if the updates are signed by a certificate found in the Trusted Publishers certificate store of the local computer. If you disable or do not configure this policy setting, updates from an intranet Microsoft update service location must be signed by Microsoft.
Note: This setting is sometimes used on a critical system that cannot be restarted or changed without first being scheduled. If you enable this setting, you must implement another method of update delivery to ensure that these systems are kept up to date.
Question: What is the benefit of configuring Windows Update by using Group Policy rather than by using Control Panel?
When A. Datum received the first shipment of Windows 8 computers, Holly disabled automatic updates because she was concerned that they would cause problems with a custom application on these systems.
After extensive testing, you have determined that it is extremely unlikely that automatic updates will cause a problem with this application.
Objectives
Configure the local Windows Update settings.
Lab Setup
Estimated Time: 20 minutes
Virtual Machine(s): 20687A-LON-DC1, 20687A-LON-CL1
User Name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. The required virtual machines should already be running from the preceding lab.
You have to confirm that automatic updates are disabled for your Windows 8 computers, and then enable automatic updates by implementing a Group Policy. The main tasks for this exercise are as follows:
1. Verify that automatic updates are disabled.
2. Enable automatic updates in Group Policy.
3. Verify that the automatic updates setting from the GPO is being applied.
Task 3: Verify that the automatic updates setting from the GPO is being applied
1. On LON-CL1, run gpupdate /force to update the Group Policy settings.
2. Open Windows Update, and verify that the new settings have been applied.
Results: After this exercise, you should have configured Windows Update settings by using GPOs.
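A scripted version of the Task 3 check, as an added PowerShell example that is not part of the course material: it reads the Windows Update policy values that the GPO writes to the local registry and decodes them with the option meanings and defaults described in the policy settings above. The registry value names (AUOptions, WUServer, and so on) are the documented Automatic Updates policy values rather than names quoted from this module; run it on the client (LON-CL1 in the lab) after gpupdate /force.

```powershell
# Added example (not from the 20687A course material): decode the Windows Update
# policy values that Group Policy writes under HKLM\SOFTWARE\Policies\...\WindowsUpdate.
# Value names are the documented Automatic Updates policy registry values; the option
# meanings and defaults follow the policy descriptions in this lesson.
# A $null registry value means Group Policy has not set that setting (Not Configured).

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

function Get-WuPolicyValue {
    param([string]$Key, [string]$Name)
    if (-not (Test-Path -Path $Key)) { return $null }
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# The four options of the Configure Automatic Updates setting
$auOptionText = @{
    2 = 'Notify before downloading and notify again before installing'
    3 = 'Download automatically and notify when ready to install (default)'
    4 = 'Download automatically and install on the configured schedule'
    5 = 'Allow local administrators to select the configuration mode'
}
$dayText = @('every day', 'Sunday', 'Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday', 'Saturday')

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding {
    param([string]$Setting, [string]$State, [string]$Note = '')
    $findings.Add([pscustomobject]@{ Setting = $Setting; State = $State; Note = $Note })
}

# Configure Automatic Updates: NoAutoUpdate = 1 is the Disabled state, AUOptions is 2-5
$auOptions = Get-WuPolicyValue $auKey 'AUOptions'
if ((Get-WuPolicyValue $auKey 'NoAutoUpdate') -eq 1) {
    Add-Finding 'Configure Automatic Updates' 'Disabled' 'Updates must be downloaded and installed manually'
} elseif ($null -eq $auOptions) {
    Add-Finding 'Configure Automatic Updates' 'Not Configured' 'Automatic Updates can still be set in Control Panel'
} else {
    $text = $auOptionText[[int]$auOptions]
    Add-Finding 'Configure Automatic Updates' "Enabled, option $auOptions" $(if ($text) { $text } else { 'unknown option value' })
    if ([int]$auOptions -eq 4) {
        # The schedule applies only to option 4; with no schedule the default is 03:00 every day
        $day  = Get-WuPolicyValue $auKey 'ScheduledInstallDay'
        $hour = Get-WuPolicyValue $auKey 'ScheduledInstallTime'
        if ($null -eq $day)  { $day  = 0 }
        if ($null -eq $hour) { $hour = 3 }
        Add-Finding 'Scheduled installation' ('{0} at {1:00}:00' -f $dayText[[int]$day], [int]$hour)
    }
}

# Detection frequency: the wait is the configured hours minus 0 to 20 percent; default 22 hours
$hours = 22
if ((Get-WuPolicyValue $auKey 'DetectionFrequencyEnabled') -eq 1) {
    $configured = Get-WuPolicyValue $auKey 'DetectionFrequency'
    if ($configured) { $hours = [int]$configured }
}
Add-Finding 'Detection frequency' "$hours h" ('Clients check between {0} and {1} hours after the previous check' -f ($hours * 0.8), $hours)

# Intranet Microsoft update service, client-side targeting and update signing
$server = Get-WuPolicyValue $wuKey 'WUServer'
if ((Get-WuPolicyValue $auKey 'UseWUServer') -eq 1 -and $server) {
    Add-Finding 'Intranet update service' 'Enabled' ("Updates from $server; statistics to " + (Get-WuPolicyValue $wuKey 'WUStatusServer'))
    if ((Get-WuPolicyValue $wuKey 'TargetGroupEnabled') -eq 1) {
        Add-Finding 'Client-side targeting' 'Enabled' ('Target group(s): ' + (Get-WuPolicyValue $wuKey 'TargetGroup'))
    }
    # Review point: with this setting, any signer in the local Trusted Publishers store is accepted
    if ((Get-WuPolicyValue $wuKey 'AcceptTrustedPublisherCerts') -eq 1) {
        Add-Finding 'Allow signed updates from intranet service' 'Enabled' 'Non-Microsoft signers in Trusted Publishers are accepted; review that store'
    }
} else {
    Add-Finding 'Intranet update service' 'Not used' 'Client connects directly to Windows Update'
}

# Restart behaviour, with the defaults given in the policy descriptions
$noReboot = Get-WuPolicyValue $auKey 'NoAutoRebootWithLoggedOnUsers'
Add-Finding 'No auto-restart with logged on users' $(if ($noReboot -eq 1) { 'Enabled' } else { 'Disabled / Not Configured' })
$reprompt = if ((Get-WuPolicyValue $auKey 'RebootRelaunchTimeoutEnabled') -eq 1) { Get-WuPolicyValue $auKey 'RebootRelaunchTimeout' } else { 10 }
$delay    = if ((Get-WuPolicyValue $auKey 'RebootWarningTimeoutEnabled') -eq 1) { Get-WuPolicyValue $auKey 'RebootWarningTimeout' } else { 15 }
Add-Finding 'Re-prompt for restart' "$reprompt min"
Add-Finding 'Delay restart after installation' "$delay min"

$findings | Format-Table -AutoSize -Wrap
```

A row reporting Configure Automatic Updates as Disabled after gpupdate /force means the GPO from Task 2 has not reached the client yet, which is the condition the lab scenario starts from.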
Tools
Tool: Performance Information and Tools; Performance Monitor; Resource Monitor
Use for: List information for speed and performance; Multiple graph views of performance; Monitor use and performance for CPU, disk, network, and memory; Measure the computer's key components; Performance monitoring; Performance counters, event traces, and system configuration data; Check your computer for memory problems; Troubleshoot network problems
Where to find it: Control Panel; Administrative Tools; Advanced tools in Performance Information and Tools; Performance Information and Tools; Performance Monitor; Performance Monitor
Module 11
Configuring Mobile Computing and Remote Access
Contents:
Module Overview 11-1
Lesson 1: Configuring Mobile Computers and Device Settings 11-2
Lab A: Configuring a Power Plan 11-10
Lesson 2: Configuring VPN Access 11-12
Lab B: Implementing a VPN Connection 11-19
Lesson 3: Configuring Remote Desktop and Remote Assistance 11-21
Lab C: Implementing Remote Desktop 11-24
Lesson 4: Overview of DirectAccess 11-26
Module Review and Takeaways 11-35
Module Overview
Mobile computers are available in many types and configurations. This module helps you identify and configure the appropriate mobile computer for your needs. It describes mobile devices, and how to synchronize them with a computer that is running the Windows 8 operating system. Additionally, this module describes various power options that you can configure in Windows 8.
Windows 8 helps end users become more productive, regardless of their location, or that of the data they need. For those users who want to use VPNs to connect to enterprise resources, the new features in the Windows 8 environment and in Windows Server 2012 create a seamless experience, because with VPN Reconnect, users do not need to log on to the VPN if the connection is lost temporarily. With DirectAccess, available in Windows 8 Enterprise, mobile users can access enterprise resources when they are out of the office. To improve connectivity for remote users, IT professionals can administer updates and patches remotely.
Objectives
After completing this module, you will be able to:
- Describe the configuration of mobile computers and device settings.
- Explain how to configure a power plan.
- Explain how to configure virtual private network (VPN) access.
- Explain how to implement a VPN connection.
- Explain how to configure Remote Desktop and Remote Assistance.
- Explain how to implement Remote Desktop.
- Provide an overview of DirectAccess.
Lesson 1
This lesson defines common terminology for mobile computing, and provides an overview of the related configuration settings that you can modify in Windows 8. Additionally, it provides guidelines for applying these configuration settings to computers that are running Windows 8.
People often use the terms laptop and notebook interchangeably. However, the term notebook computer refers to a computer that is lighter or smaller than a laptop. A laptop computer is a portable computer that contains an integrated screen, a battery, a keyboard, and a pointing device. A laptop computer may also contain a CD-ROM or DVD-ROM drive. Many organizations are issuing laptop computers to their employees rather than desktop computers, so that they can work remotely. Hardware manufacturers are responding to this demand by producing laptops with specifications that are equivalent to, or better than, many desktop computers.
Tablet PCs
The tablet PC is a fully functional laptop computer, with a sensitive screen designed to interact with a complementary pen-shaped stylus. Tablet PC screens turn and fold onto the keyboard, and you can use the stylus directly on the screen just as you use a mouse to select, drag, and open files. You also can use the stylus in place of a keyboard to hand-write notes and communications. Unlike a touch screen, the tablet PC screen only receives information from the stylus. It will not take information from your finger or your shirtsleeve. Therefore, you can rest your wrist on the screen, and write naturally. The tablet PC uses a digitizer device that interprets the movements of the stylus, and converts those into mouse or cursor movements. Many organizations are replacing traditional clipboards, jotters, and other forms of paper and pen input with the several applications that are now available for the tablet PC. For example, the Writing Tools option in Microsoft Office OneNote 2010 lets you use any pointing device, such as a drawing pad stylus or a tablet PC pen, to add handwritten text or freehand drawings to your notes. The Windows 8 operating system provides a user interface that is optimized for devices that support a touch screen.
Netbook Computers
A typical netbook computer features a 7-inch diagonal display, weighs around 2 pounds or 1 kilogram (kg), has an integrated touch panel, and has both Wi-Fi and Bluetooth enabled. A netbook computer is approximately the size and shape of a paperback book. Manufacturers build specialized components for ultramobile computers, such as the ultra-low-voltage processors from Intel, which help to optimize battery life and minimize cooling requirements. Netbook computers are typically equipped with 1 gigabyte (GB) of random access memory (RAM), and often a solid-state hard disk drive. These netbook computers offer significant improvements in power consumption versus more-traditional laptops, and provide the necessary applications that mobile users require.
Ultrabook Computers
These thin, lightweight laptop computers provide more power and larger displays than netbooks, which enables users to perform multiple tasks with their computers. Typically, they weigh the same as a netbook, but are equipped with 4 gigabytes (GB) of random access memory (RAM), and high-speed Intel mobile processors. Display sizes are 13.3 inches diagonally.
Mobile Devices
You must be able to assist users with connecting their mobile devices to computers running Windows 8. A mobile device is a computing device optimized for specific mobile computing tasks. Mobile devices typically synchronize with desktop or mobile computers to obtain data. The following types of mobile devices are available:
- PDAs
- Windows Phone devices
- Portable media players
- Mobile phones
PDAs
A PDA is a handheld device that can range in functionality from a simple personal organizer to a full-function mobile computer. You usually use a stylus and touch screen to input information in a PDA, although you can also use a keyboard on some devices.
Windows Phone Devices
Windows Phone devices are smartphones that feature an operating system with the familiar Windows user interface, and applications that are part of the Microsoft Windows 8 operating system and Microsoft Office. Windows Phone devices also include Windows Media Player, and typically feature mobile phone, Bluetooth, wireless broadband, and Wi-Fi capability. Although you can sometimes use a keyboard on these devices, they typically are touch-screen devices, which means you can use your finger to navigate the operating system and to use applications. Additionally, the Windows Phone operating system supports voice commands.
Note: Bluetooth is a wireless communications protocol that uses shortwave radio signals to replace cables and still enable compatible devices to communicate with each other. Bluetooth uses a low-powered radio signal in the unlicensed 2.4 gigahertz (GHz) to 2.485 GHz spectrum, also known as the Industrial, Scientific, and Medical (ISM) band. Bluetooth employs a technology called Adaptive Frequency Hopping, which helps devices switch frequencies within the ISM band. Bluetooth enables compatible devices to switch frequencies up to 1,600 times a second within the ISM band, to maintain optimal connectivity.
Portable Media Players
A portable media player is a small, battery-powered device containing either flash memory or a hard-disk drive on which you can play digital media files. Some of these devices have a screen. The computer that is running Windows copies the media to the device, which means that you can use media stored on your own CD and DVD collection, or buy and download media from numerous online media services.
Mobile Phone
A mobile phone, also known as a cellular phone, is a portable telephone that uses a form of radio connectivity. Many mobile phones now have some PDA and media player functionality. You typically use a numerical keypad as the input for this device type.
Power Management
Windows 8 power management includes a simple-to-find battery meter that tells you at a glance how much battery life is remaining and what current power plan you are using. Use the battery meter to access and change the power plan to meet your needs. For example, you might want to conserve power by limiting the central processing unit (CPU) or configure when your hard drive will turn off so that you can conserve battery power. Power plans let you adjust your computer's performance and power consumption. To access Power Plans in Windows 8, from Desktop, right-click the Battery Icon in the Taskbar and select Power Options. You can also choose the Battery Status in the Windows Mobility Center.
Computer manufacturers can customize the Windows Mobility Center to include other hardware-specific settings, such as Bluetooth or auxiliary displays. To access the Windows Mobility Center, in Control Panel, in the Hardware and Sound category, choose Adjust commonly used mobility settings.
Sync Center
The Windows 8 Sync Center provides a single interface from which you can manage data synchronization in several scenarios: between multiple computers, between corporate network servers and computers, and with devices that you connect to the computer, such as a PDA, a mobile phone, and a music player. Because different devices synchronize by using different procedures, depending on the data source, there was no easy way to manage all of the individual sync relationships in earlier Windows versions. The Sync Center enables you to initiate a manual synchronization, stop in-progress synchronizations, see the status of current synchronization activities, and receive notifications to resolve sync conflicts. A sync partnership is a set of rules that tells the Sync Center how and when to synchronize files or other information between two or more locations. A sync partnership typically controls how files are synchronized between your computer and mobile devices, network servers, or compatible programs.
For example, you might create a sync partnership that instructs the Sync Center to copy every new file in the My Documents folder to a universal serial bus (USB) hard disk each time that you plug the device into the computer. You might create a more complex sync partnership to keep a wide variety of files, folders, and other information synchronized between the computer and a network server. Access the Sync Center by choosing Sync Center from the Windows Mobility Center screen.
Windows Mobile Device Center
Windows Mobile Device Center is a data synchronization program that you can use with mobile devices. It provides users of Microsoft Windows a way to transport documents, calendars, contact lists, and email between their desktop computer and a mobile device that supports the Microsoft Exchange ActiveSync protocol.
Windows Mobile Device Center provides overall device management features for Windows Mobile-based devices in Windows 8, including smartphones. To access the Windows Mobile Device Center, go to the Control Panel.
Presentation Settings
Mobile users often have to reconfigure their computer settings for meetings or conference presentations, such as changing the screen-saver timeouts or desktop wallpaper. To improve the end-user experience and avoid this inconvenience, Windows 8 includes a group of presentation settings that you can apply when you are connecting to a display device. To access the Presentation Settings, choose Presentation Settings in the Windows Mobility Center in Control Panel. When you finish the presentation, return to the previous settings by clicking the notification area icon.
Question: Aside from USB, how can you establish a connection for synchronizing a Windows Phone device?
Creating a sync partnership with a portable media player is straightforward. The following steps describe how to connect a portable media player to a computer that is running Windows 8, create a sync partnership, and synchronize media to the device:
1. Connect the device to a computer running Windows 8, and open Sync Center. Windows 8 includes drivers for many common devices, but you can also obtain drivers from the CD that came with the device or from Microsoft Windows Update.
2. Set up a sync partnership by clicking Set up for a media device Sync Partnership. This opens Windows Media Player.
3. Select some media files or a playlist to synchronize to the device. To select media, simply drag it onto the Sync dialog box on the right side of Windows Media Player.
4. Click Start Sync. When your chosen media has transferred to the device, disconnect the device from the computer, and close Windows Media Player.
Windows Mobile Device Center is a data synchronization program for use with mobile devices. It provides users of Microsoft Windows a way to transport documents, calendars, contact lists, and email between their desktop computer and a mobile device that supports the Exchange ActiveSync protocol. Windows Mobile Device Center provides overall device management features for Windows Phone-based devices in Windows 8.
The default options of Windows Mobile Device Center include only core device connectivity components. These components enable the operating system to identify that a Windows Phone-based device is connected, and then load the appropriate device drivers and services. The Windows Mobile Device Center base application enables some basic functionality, including the ability to browse the device's contents, use desktop pass-through to synchronize with Microsoft Exchange Server, and change some general computer and connection settings.
By using the CPU speed option, you can lower the speed of the computer processor, thereby reducing its power consumption. Screen brightness requires power, and lowering the brightness reduces power usage.
Power Plans
In Windows 8, power plans help you maximize computer and battery performance. With power plans, you can change a variety of system settings to optimize power or battery usage with a single click, depending on the scenario. There are three default power plans:
- Power saver: This plan saves power on a mobile computer by reducing system performance. Its primary purpose is to maximize battery life.
- High performance: This plan provides the highest level of performance on a mobile computer, by adapting processor speed to your work or activity, and by maximizing system performance.
- Balanced: This plan balances energy consumption and system performance by adapting the computer's processor speed to your activity.
The balanced plan provides the best balance between power and performance. The power saver plan reduces power usage by lowering the performance. The high performance plan consumes more power by increasing system performance. Each plan provides alternate settings for AC or DC power.
You can customize or create additional power plans by using Power Options in Control Panel. Some hardware manufacturers supply additional power plans and power options. When you create additional power plans, be aware that the more power the computer consumes, the less time it runs on a single battery charge. By using Power Options, you can configure settings such as Choose what closing the lid does. In addition to considering power usage and performance, as a Windows 8 Technology Specialist, you also must consider the following three options for turning a computer on and off:
- Shut down
- Hibernate
- Sleep
Shut Down
When you shut down the computer, Windows 8 does the following:
- Saves all open files to the hard disk.
- Saves the memory contents to the hard disk or discards them as appropriate.
- Clears the page file.
- Closes all open applications.
Windows 8 then logs out the active user, and turns off the computer.
Hibernate
When you put the computer in Hibernate mode, Windows 8 saves the system state, along with the system memory contents to a file on the hard disk, and then shuts down the computer. This state requires no power, because the hard disk is storing the data. Windows 8 supports hibernation at the operating system level without any additional drivers from the hardware manufacturer. The hibernation data is stored on a hidden system file called Hiberfil.sys. This file is the same size as the physical memory contained in the computer and is typically located in the root of the system drive.
Sleep
Sleep is a power-saving state that saves work and open programs to memory. This provides fast resume capability, typically within several seconds. Sleep does consume a small amount of power.
Windows 8 automatically goes into Sleep mode when you press the power button on the computer. If the battery power of the computer is low, Windows 8 puts the computer in Hibernate mode.
Alternatively, you can enable hybrid sleep. With hybrid sleep, data is saved to hard disk and to memory. If a power failure occurs on a computer when it is in a hybrid sleep state, data is not lost. Use hybrid sleep as an alternative to hibernation. Hybrid sleep uses the same Hiberfil.sys hidden system file as hibernation.
Objectives
Create a new power plan. Configure basic and advanced power plan settings.
Lab Setup
Estimated Time: 15 minutes
Virtual Machine(s): 20687A-LON-DC1, 20687A-LON-CL1
User Name: Adatum\Adam
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Adatum
5.
Adam wants to ensure that his computer's battery lasts as long as possible between charges while he is on his trip. He does not want to impose on his customers by asking to plug his computer into an electrical socket at their offices, and would rather charge his laptop in the evenings at his hotel. The main tasks for this exercise are as follows:
1. Create a power plan on Adam's laptop computer.
2. Configure the power plan.
4. Create a new power plan with the following properties:
   o Based on: Power saver
   o Name: Adam's power-saving plan
   o Turn off the display: 3 minutes
Close all open windows and then log off from LON-CL1.
Results: After this exercise, you should have successfully created and configured a suitable power plan for Adam's laptop computer.
When you have finished the lab, leave the virtual machines running, as they are needed for the next lab.
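The power plan that this lab builds through Power Options can also be created from the command line with powercfg, which is useful when the same plan has to be rolled out to many laptops. The script below is an added example and is not part of the course text; it assumes an elevated PowerShell prompt on a Windows 8 or later client, and uses powercfg's built-in aliases (SUB_VIDEO, VIDEOIDLE) for the "Turn off the display" setting. It also lists the sleep states the hardware supports, which is the quickest way to check whether the Hibernate and hybrid sleep options described above are actually available on a given machine.

```powershell
# Added example (not from the course): create "Adam's power-saving plan" with powercfg.
# Run from an elevated PowerShell prompt on the laptop.

# GUID of the built-in Power saver plan (visible with `powercfg /list`).
$powerSaver = 'a1841308-3541-4fab-bc81-f71556f20b4a'

# 1. Duplicate the Power saver plan. powercfg prints
#    "Power Scheme GUID: <new-guid>  (Power saver)"; pull the new GUID out of that line.
$output  = powercfg /duplicatescheme $powerSaver
$newGuid = [regex]::Match(($output -join ' '), '[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}').Value
if (-not $newGuid) { throw "powercfg did not return a new scheme GUID: $output" }

# 2. Give the copy the name the lab specifies.
powercfg /changename $newGuid "Adam's power-saving plan"

# 3. Turn off the display after 3 minutes (value is in seconds). The lab does not
#    distinguish AC from DC, so set both so the behaviour is predictable on either supply.
powercfg /setdcvalueindex $newGuid SUB_VIDEO VIDEOIDLE 180
powercfg /setacvalueindex $newGuid SUB_VIDEO VIDEOIDLE 180

# 4. Activate the plan and confirm which plan is now current.
powercfg /setactive $newGuid
powercfg /getactivescheme

# 5. Read back the display-timeout setting (powercfg reports the values in hex: 0xb4 = 180).
powercfg /query $newGuid SUB_VIDEO VIDEOIDLE

# 6. Show which sleep states this hardware supports (Standby, Hibernate, Hybrid Sleep, ...).
powercfg /a
```

Because the plan is created under the current user's context and then activated, running this for another user account requires either running it as that user or setting the plan as the default for all users through Group Policy; the script itself does not do that.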
Lesson 2
To properly implement and support a VPN environment within your organization, it is important that you understand how to select a suitable tunneling protocol, configure VPN authentication, and configure other settings to support your chosen configuration.
To emulate a private link, the data is encrypted to ensure confidentiality. Packets that are intercepted on the shared or public network are indecipherable without encryption keys. The link in which the private data is encapsulated and encrypted is known as a VPN connection. There are two types of VPN connections:
- Remote access
- Site-to-site
From the user's perspective, the VPN is a point-to-point connection between the computer, the VPN client, and your organization's server. The exact infrastructure of the shared or public network is irrelevant because it appears logically as if the data is sent over a dedicated private link.
Site-to-Site VPN
Site-to-site VPN connections, which also are known as router-to-router VPN connections, enable your organization to have routed connections between separate offices or with other organizations over a public network, while maintaining secure communications.
A routed VPN connection across the Internet logically operates as a dedicated wide area network (WAN) link. When networks connect over the Internet, a router forwards packets to another router across a VPN connection. To the routers, the VPN connection operates as a data-link layer link.
A site-to-site VPN connection connects two portions of a private network. The VPN server provides a routed connection to the network to which the VPN server is attached. The calling router (the VPN client) authenticates itself to the answering router (the VPN server), and for mutual authentication, the answering router authenticates itself to the calling router. In a site-to-site VPN connection, the packets sent from either router across the VPN connection typically do not originate at the routers.
VPN connections that use the Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol with Internet Protocol Security (L2TP/IPsec), and Secure Socket Tunneling Protocol (SSTP) have the following properties:
- Encapsulation: With VPN technology, private data is encapsulated with a header that contains routing information, which allows the data to traverse the transit network.
- Authentication: Authentication for VPN connections takes the following three different forms:
  o User-level authentication by using Point-to-Point Protocol (PPP) authentication
    To establish the VPN connection, the VPN server authenticates the VPN client that is attempting the connection by using a PPP user-level authentication method, and verifying that the VPN client has the appropriate authorization. If you use mutual authentication, the VPN client also authenticates the VPN server, which provides protection against computers that are masquerading as VPN servers.
  o Computer-level authentication by using Internet Key Exchange (IKE)
    To establish an IPsec security association, the VPN client and the VPN server use the IKE protocol to exchange either computer certificates or a pre-shared key. In either case, the VPN client and server authenticate each other at the computer level. We recommend computer-certificate authentication, because it is a much stronger authentication method. Computer-level authentication is only performed for L2TP/IPsec connections.
  o Data origin authentication and data integrity
    To verify that the data sent on the VPN connection originated at the connection's other end and was not modified in transit, the data contains a cryptographic checksum based on an encryption key known only to the sender and the receiver. Data origin authentication and data integrity are only available for L2TP/IPsec connections.
- Data encryption: To ensure data confidentiality as it traverses the shared or public transit network, the sender encrypts the data, and the receiver decrypts it. The encryption and decryption processes depend on both the sender and the receiver using a common encryption key. Intercepted packets sent along the VPN connection in the transit network are unintelligible to anyone who does not have the common encryption key. The encryption key's length is an important security parameter. You can use computational techniques to determine the encryption key. However, such techniques require more computing power and computational time as the encryption keys get larger. Therefore, it is important to use the largest possible key size to ensure data confidentiality.
PPTP
PPTP enables you to encrypt and encapsulate multiprotocol traffic in an IP header, and then send it across an IP network or a public IP network, such as the Internet. You can use PPTP for remote access and site-to-site VPN connections. When using the Internet as the VPN public network, the PPTP server is a PPTP-enabled VPN server, with one interface on the Internet and a second interface on the intranet:
- Encapsulation: PPTP encapsulates PPP frames in IP datagrams for network transmission. PPTP uses a Transmission Control Protocol (TCP) connection for tunnel management and a modified version of Generic Routing Encapsulation (GRE) to encapsulate PPP frames for tunneled data. Payloads of the encapsulated PPP frames can be encrypted, compressed, or both.
- Encryption: The PPP frame is encrypted with Microsoft Point-to-Point Encryption (MPPE), by using encryption keys. These keys are generated from the Microsoft version of the Challenge-Handshake Authentication Protocol v2 (MS-CHAPv2), or the Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) authentication process. VPN clients must use the MS-CHAPv2 or EAP-TLS authentication protocol so that the payloads of PPP frames are encrypted. PPTP is taking advantage of the underlying PPP encryption and encapsulating a previously encrypted PPP frame.
L2TP
L2TP enables you to encrypt multiprotocol traffic to send over any medium that supports point-to-point datagram delivery, such as IP or asynchronous transfer mode (ATM). L2TP is a combination of PPTP and Layer 2 Forwarding (L2F). L2TP represents the best features of PPTP and L2F.
Unlike PPTP, the Microsoft implementation of L2TP does not use MPPE to encrypt PPP datagrams. L2TP relies on IPsec in Transport Mode for encryption services. The combination of L2TP and IPsec is known as L2TP/IPsec.
Both the VPN client and server must support L2TP and IPsec. Client support for L2TP is built in to the Windows XP, Windows Vista, and Windows 8 remote access clients, and VPN server support for L2TP is built in to members of the Windows Server 2008 and Windows Server 2003 family.
- Encapsulation: Encapsulation for L2TP/IPsec packets consists of two layers:
  o First layer: L2TP encapsulation. A PPP frame (an IP datagram) is wrapped with an L2TP header and a User Datagram Protocol (UDP) header.
  o Second layer: IPsec encapsulation. The resulting L2TP message is wrapped with an Internet Protocol security (IPsec) Encapsulating Security Payload (ESP) header and trailer, an IPsec Authentication trailer that provides message integrity and authentication, and a final IP header. The IP header contains the source and destination IP addresses that correspond to the VPN client and server.
- Encryption: The L2TP message is encrypted with either Advanced Encryption Standard (AES) or Triple Data Encryption Standard (3DES) by using encryption keys that the IKE negotiation process generates.
SSTP
SSTP is a tunneling protocol that uses the Secure Hypertext Transfer Protocol (HTTPS) protocol over TCP port 443 to pass traffic through firewalls and web proxies that might block PPTP and L2TP/IPsec traffic. SSTP provides a mechanism to encapsulate PPP traffic over the Secure Sockets Layer (SSL) channel of the HTTPS protocol. The use of PPP allows support for strong authentication methods, such as EAP-TLS. SSL provides transport-level security with enhanced key negotiation, encryption, and integrity checking.
When a client tries to establish an SSTP-based VPN connection, SSTP first establishes a bidirectional HTTPS layer with the SSTP server. Over this HTTPS layer, the protocol packets flow as the data payload.
- Encapsulation: SSTP encapsulates PPP frames in IP datagrams for transmission over the network. SSTP uses a TCP connection (over port 443) for tunnel management and as PPP data frames.
- Encryption: The SSTP message is encrypted with the SSL channel of the HTTPS protocol.
IKEv2
Internet Key Exchange version 2 (IKEv2) uses the IPsec Tunnel Mode protocol over UDP port 500. Because of its support for mobility (MOBIKE), IKEv2 is much more resilient to changing network connectivity. This makes it a good choice for mobile users who move between access points and even switch between wired and wireless connections. An IKEv2 VPN provides resilience to the VPN client when the client moves from one wireless hotspot to another, or when it switches from a wireless to a wired connection. This ability is a requirement of VPN Reconnect. The use of IKEv2 and IPsec enables support for strong authentication and encryption methods.
- Encapsulation: IKEv2 encapsulates datagrams by using IPsec Encapsulating Security Payload (ESP) or Authentication Header (AH) headers for transmission over the network.
- Encryption: The message is encrypted with one of the following protocols by using encryption keys that are generated from the IKEv2 negotiation process: Advanced Encryption Standard (AES) 256, AES 192, AES 128, and 3DES encryption algorithms.
IKEv2 is supported only on computers that are running Windows 7, Windows 8, Windows Server 2008 R2, and Windows Server 2012.
VPN Reconnect
VPN Reconnect uses the Internet Key Exchange version 2 (IKEv2) technology to provide seamless and consistent VPN connectivity. VPN Reconnect automatically reestablishes a VPN connection when Internet connectivity is available again. Users who connect with a wireless mobile broadband benefit most from this capability. Consider a user with a laptop that is running Windows 8. When the user travels to work in a train, he or she connects to the Internet with a wireless mobile broadband card, and then establishes a VPN connection to the company's network. When the train passes through a tunnel, the Internet connection is lost. After the train emerges from the tunnel, the wireless mobile broadband card reconnects to the Internet automatically. With Windows Vista and earlier client operating systems, VPN did not reconnect automatically. Therefore, the user needed to manually repeat the multistep process of connecting to the VPN. This was time-consuming for mobile users with intermittent connectivity.
With VPN Reconnect, Windows 7 and Windows 8 automatically reestablish active VPN connections when the Internet connectivity is re-established. Even though the reconnection might take several seconds, users stay connected and have uninterrupted access to internal network resources. The system requirements for using the VPN Reconnect feature are:
- Windows Server 2008 R2 or Windows Server 2012 as a VPN server
- Windows 7, Windows 8, Windows Server 2008 R2, or Windows Server 2012 client
- Public Key Infrastructure (PKI), because a computer certificate is required for a remote connection with VPN Reconnect. Certificates issued by either an internal or public Certificate Authority (CA) can be used.
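The tunnel-type and authentication properties described in the PPTP, L2TP, SSTP and IKEv2 sections, and the IKEv2-with-computer-certificate combination that VPN Reconnect depends on, map directly onto the parameters of the Windows 8 VpnClient module. The script below is an added example, not course material; it creates one client profile per tunnel type so that the differences are visible side by side. The server name vpn.adatum.com is an assumed placeholder, and a real deployment would normally create only the profile that matches the server's configuration.

```powershell
# Added example (not from the course): one VPN client profile per tunnel type, created with
# Add-VpnConnection from the Windows 8 VpnClient module. vpn.adatum.com is a placeholder.
$server = 'vpn.adatum.com'

# PPTP: MPPE only protects the PPP payload when MS-CHAPv2 or EAP is used, so pin the
# authentication method and require encryption instead of leaving it optional.
Add-VpnConnection -Name 'HQ-PPTP' -ServerAddress $server -TunnelType Pptp `
    -AuthenticationMethod MSChapv2 -EncryptionLevel Required -Force

# L2TP/IPsec: the PPP (user-level) method is MS-CHAPv2; computer-level IKE authentication
# defaults to a computer certificate. Passing -L2tpPsk would switch it to the weaker
# pre-shared key, which the text above recommends against.
Add-VpnConnection -Name 'HQ-L2TP' -ServerAddress $server -TunnelType L2tp `
    -AuthenticationMethod MSChapv2 -EncryptionLevel Required -Force

# SSTP: PPP over HTTPS on TCP 443, so it passes firewalls and proxies that drop GRE or UDP 500.
# EAP-TLS would be configured by supplying -AuthenticationMethod Eap with -EapConfigXmlStream.
Add-VpnConnection -Name 'HQ-SSTP' -ServerAddress $server -TunnelType Sstp `
    -AuthenticationMethod MSChapv2 -EncryptionLevel Required -Force

# IKEv2 with a computer certificate: the combination VPN Reconnect relies on (UDP 500, MOBIKE).
Add-VpnConnection -Name 'HQ-IKEv2' -ServerAddress $server -TunnelType Ikev2 `
    -AuthenticationMethod MachineCertificate -EncryptionLevel Required -Force

# Review the resulting profiles: tunnel type, authentication method and encryption level.
Get-VpnConnection |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel
```

Setting -EncryptionLevel to Required (rather than the default Optional) makes the client refuse a connection on which the server does not negotiate encryption, which is the property the "Data encryption" bullet above describes; the IKEv2 profile additionally needs a computer certificate issued by a CA that the VPN server trusts, as the PKI requirement for VPN Reconnect states.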
Connect to LON-DC1 with the HQ VPN and authenticate using the Adatum\Administrator account.
The CMAK is a tool that you can use to customize the remote connection experience for users on your network by creating predefined connections to remote servers and networks. Use the CMAK Wizard to create and customize a connection for your users. CMAK is an optional component that is not installed by default. You must install CMAK to create connection profiles that your users can install and use to access remote networks.
Display Custom Support Information
Include Connection Manager Software with the Connection Profile
Display a Custom License Agreement
Install Additional Files with the Connection Profile
Build the Connection Profile and its Installation Program
Make Advanced Customizations
Your Connection Profile is Complete and Ready to Distribute
Use Windows Explorer to examine the contents of the folder created by the CMAK Wizard to create the connection profile. Normally, you would now distribute this profile to your users.
Adam's sales trip starts next week. He is keen to be able to access corporate data files while he is on the road. You decide to create a VPN on his laptop computer to facilitate this requirement.
Objectives
Create a VPN. Test the VPN.
Lab Setup
Estimated Time: 30 minutes
Virtual Machine(s): 20687A-LON-DC1, 20687A-LON-CL1
User Name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. The required virtual machines should already be running from the preceding lab.
You decide to create a VPN to connect to LON-DC1. You then will establish a connection to LON-DC1, and attempt to open a shared data folder across the VPN link. The main tasks for this exercise are as follows:
1. Create the VPN connection.
2. Modify the VPN configuration settings.
3. Test the connection.
Map a network drive to \\lon-dc1\data.
Verify your IP configuration by using IPConfig. What IPv4 address has your computer been assigned over the PPP adapter connection?
Disconnect the VPN.
Click back to the Start screen.
Results: After this exercise, you should have successfully connected to the Adatum HQ with your VPN.
When you have finished the lab, leave the virtual machines running, as they are needed for the next lab.
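The test steps of this lab (connect with the HQ VPN, check the PPP adapter's IPv4 address, map \\lon-dc1\data, disconnect) can be scripted so that the same check is repeatable on every laptop. The script below is an added example and not part of the course; it assumes that a connection named "HQ VPN" already exists on the client, as the lab creates, and that the lab's Adatum\Administrator account is used.

```powershell
# Added example (not from the course): connect, verify and disconnect the lab's "HQ VPN".
$vpn = 'HQ VPN'

# Connect. The trailing * makes rasdial prompt for the password instead of taking it on
# the command line, so the credential does not end up in the shell history.
rasdial $vpn 'Adatum\Administrator' *
if ($LASTEXITCODE -ne 0) { throw "VPN connection failed: rasdial error $LASTEXITCODE" }

# The PPP adapter that rasdial creates carries the connection's name as its alias,
# so this shows the IPv4 address the VPN server handed out (the lab's ipconfig question).
Get-NetIPAddress -InterfaceAlias $vpn -AddressFamily IPv4 |
    Select-Object InterfaceAlias, IPAddress

# Reach the shared data folder through the tunnel and map it as drive Z:.
if (Test-Path '\\lon-dc1\data') {
    New-PSDrive -Name Z -PSProvider FileSystem -Root '\\lon-dc1\data' -Persist
    Get-ChildItem Z:\ | Select-Object -First 5
} else {
    Write-Warning 'The share is not reachable over the VPN; check routing and the server-side ACLs.'
}

# Tear the mapped drive and the tunnel down again.
Remove-PSDrive -Name Z -ErrorAction SilentlyContinue
rasdial $vpn /disconnect
```

Get-NetIPAddress and Test-Path are more useful than a bare ipconfig here because their results can be asserted on in a larger script, for example to fail a build-verification run when the VPN address comes from the wrong pool.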
Lesson 3
Many organizations use remote management and troubleshooting, so that they can reduce troubleshooting time and reduce travel costs for support staff. Remote troubleshooting allows support staff to operate effectively from a central location.
Remote Desktop
Remote Desktop uses the Remote Desktop Protocol (RDP) to allow users to access files on their office computer from another computer, such as one located at their home. Additionally, Remote Desktop allows administrators to connect to multiple Windows Server sessions for remote administration purposes. While a Remote Desktop session is active, Remote Desktop locks the target computer, prohibiting interactive logons for the session's duration.
Remote Assistance R
Remote Assistance allows a user to request help from a remote administrator. To access Remote Assistance, run the Windows Remote Assistance tool. Using this tool, you can do the following:
- Invite someone who is trustworthy to help you.
- Offer to help someone.
- View the remote user's desktop.
- Chat with the remote user with text chat.
- Send a file to the remote computer.
- If permissions allow, request to take remote control of the remote desktop.
Users can send Remote Assistance invitations through email, or by saving a request to a file that the remote administrator can read and act upon.
2.
3. Click Select Users. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
4. If you are an administrator on the computer, your current user account will be added automatically to the list of remote users, and you can skip the next two steps.
5. In the Remote Desktop Users dialog box, click Add.
6. In the Select Users or Groups dialog box, do the following:
   a. To specify the location in which to search for the remote user, click Locations, and then select the location you want to search.
   b. In Enter the object names to select, type the name of the user that you want to add as a remote user, and then click OK.
On the source computer, you need to perform the following to access the remote computer:
1. Start Remote Desktop.
2. Before connecting, enter the logon credentials on the General tab, and make desired changes to the options in the Display, Local Resources, Programs, Experience, and Advanced tabs.
   o Display: Choose the Remote desktop display size. You have the option of running the remote desktop in full-screen mode.
   o Local Resources: Configure local resources for use by the remote computer, such as clipboard and printer access.
   o Programs: Specify which programs you want to start when you connect to the remote computer.
   o Experience: Choose connection speeds and other visual options.
   o Advanced: Configure the security and credential-related options.
3. Save these settings for future connections by clicking Save on the General tab.
4. Click Connect to connect to the remote computer.
This demonstration shows how to enable and use Remote Assistance. Adam needs help with a Microsoft Office Word feature. He requests assistance, and you provide guidance on the feature by using Remote Assistance.
1. Open Remote Settings, and then specify administrative credentials when prompted by User Account Control.
2. Verify that remote access is allowed to this computer.
3. Run msra.exe, and then request remote assistance.
4. Save the invite to a shared folder location accessible by your invitee.
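The same demonstration can be scripted on the helped user's computer: enable Remote Assistance, open the firewall rule group it needs, and write the file-based invitation that the text above describes. The script below is an added example and not part of the course; it assumes an elevated PowerShell prompt, and the share path \\lon-dc1\invites and the invitation passphrase are placeholders. The fAllowFullControl value is included because a helper who is only meant to watch and chat should not be offered control of the desktop in the first place.

```powershell
# Added example (not from the course): enable Remote Assistance and save a file invitation.
# Run elevated on the computer that needs help. Share path and passphrase are placeholders.
$ra = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'

# 1. Equivalent of "Allow Remote Assistance connections to this computer" in Remote Settings.
Set-ItemProperty -Path $ra -Name fAllowToGetHelp -Value 1 -Type DWord

# 2. Decide whether the helper may take control (1) or only view and chat (0).
#    View-only is the safer default for a first session with an unfamiliar helper.
Set-ItemProperty -Path $ra -Name fAllowFullControl -Value 0 -Type DWord

# 3. Open the built-in Remote Assistance firewall rule group.
Enable-NetFirewallRule -DisplayGroup 'Remote Assistance'

# 4. Verify both settings before issuing an invitation.
Get-ItemProperty -Path $ra | Select-Object fAllowToGetHelp, fAllowFullControl

# 5. Create the invitation file (.msrcIncident) on a share the helper can read.
#    The passphrase must be given to the helper out of band; it is not stored in the file.
$invite     = '\\lon-dc1\invites\adam.msrcIncident'
$passphrase = 'ReplaceWithLabPassphrase'
msra.exe /saveasfile $invite $passphrase
```

The helper opens the saved .msrcIncident file from the share and enters the passphrase; the invitation expires after the period configured in Remote Settings, so a stale file on the share cannot be used indefinitely.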
Adam has a desktop computer in his office in London that he may wish to use while he travels around the UK between his customers.
Objectives
Configure Remote Desktop. Test a Remote Desktop connection.
Lab Setup
Estimated Time: 15 minutes
Virtual Machine(s): 20687A-LON-DC1, 20687A-LON-CL1, 20687A-LON-CL2
User Name: Adatum\Administrator and Adatum\Adam
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. The required virtual machines should already be running from the preceding lab. You will also need to start and connect to 20687A-LON-CL2. Do not log on until directed to do so.
You decide to enable Remote Desktop on his desktop computer so that Adam can access it to work on his data files should the need arise. Before Adam leaves, you decide to test the remote-desktop connection to his desktop computer from his laptop. The main tasks for this exercise are as follows:
1. Enable Remote Desktop through the firewall and enable Remote Desktop on Adam's office computer.
2. Connect to the remote computer with Remote Desktop.
Task 1: Enable Remote Desktop through the firewall and enable Remote Desktop on Adam's office computer
1. On LON-CL1, open Windows Firewall, and enable Remote Desktop through the firewall for all network location profiles (Domain, Private, and Public). Opening the Public profile is a lab shortcut; on a computer that ever attaches to a public network, enable the rule for the Domain and Private profiles only.
2. In Control Panel, in System and Security, select Allow remote access, and then select the following options:
o Select Allow remote connections to this computer.
o Add Adatum\Adam as a Remote Desktop user.
3. Confirm your changes, and then close all open windows.
4. Log on to LON-CL2 as Adatum\Administrator with the password Pa$$w0rd, and then open Remote Desktop Connection.
5. Specify the computer to connect to as LON-CL1, and then click Show Options.
6. Configure the following setting: on the Advanced tab, under If server authentication fails, select Connect and don't warn me.
Note: Step 6 suppresses the only check the client makes of the remote computer's identity. It is acceptable in an isolated lab, but outside the lab keep the default Warn me or select Do not connect; with the warning suppressed, the client will hand its credentials to any computer that answers at that name.
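The following Windows PowerShell script is an added example and is not part of the course. It performs Task 1 and the Remote Desktop Connection options described earlier in this lesson from the command line, with two changes a practitioner would want: Network Level Authentication is required on the office computer, and the .rdp file written for the laptop keeps the server authentication warning instead of selecting Connect and don't warn me. The computer and user names are the lab's (LON-CL1, LON-CL2, Adatum\Adam); the registry values, firewall rule group and .rdp settings are the real Windows ones, everything else is an assumption. Run the first function from an elevated Windows PowerShell 3.0 prompt on LON-CL1 and the rest on LON-CL2.

```powershell
# Added example (not course code): enable Remote Desktop securely on the office computer,
# then build and test a hardened .rdp connection file on the laptop.

function Enable-SecureRemoteDesktop {
    param(
        [string]$RemoteUser = 'ADATUM\Adam',
        [switch]$AllProfiles     # the lab opens Domain, Private and Public; default here is Domain+Private
    )
    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    # fDenyTSConnections: 1 = deny (default), 0 = "Allow remote connections to this computer"
    Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0
    # UserAuthentication = 1 enforces Network Level Authentication: the client must authenticate
    # (CredSSP) before a logon screen or session exists on LON-CL1.
    Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1
    # Membership in Remote Desktop Users (not Administrators) is all the remote user needs.
    & net localgroup 'Remote Desktop Users' $RemoteUser /add | Out-Null
    # The built-in "Remote Desktop" rule group covers the RDP listener (port 3389).
    $profiles = if ($AllProfiles) { 'Domain', 'Private', 'Public' } else { 'Domain', 'Private' }
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
        Set-NetFirewallRule -Profile $profiles -Enabled True
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
        Select-Object DisplayName, Enabled, Profile, Direction
}

function Test-RdpPort {
    param([Parameter(Mandatory)][string]$ComputerName, [int]$Port = 3389, [int]$TimeoutMs = 3000)
    # Test-NetConnection is not available on Windows 8 (it arrived with Windows 8.1),
    # so use a raw TCP connect with a timeout.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)        # throws if the connection was refused
        return $client.Connected
    } catch { return $false } finally { $client.Close() }
}

function New-RdpConnectionFile {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string]$UserName = 'ADATUM\Adam',
        [string]$Path = "$env:USERPROFILE\Documents\$ComputerName.rdp"
    )
    # Each line is a documented .rdp setting and maps to a Remote Desktop Connection tab.
    # authentication level: 0 = connect and don't warn (the lab choice), 1 = do not connect, 2 = warn me.
    $lines = @(
        "full address:s:$ComputerName"
        "username:s:$UserName"
        'prompt for credentials:i:1'      # General: never save the password in the file
        'authentication level:i:2'        # Advanced: keep the server identity warning
        'screen mode id:i:2'              # Display: full screen
        'redirectclipboard:i:1'           # Local Resources: clipboard only...
        'redirectdrives:i:0'              # ...no drives, printers or smart cards exposed to LON-CL1
        'redirectprinters:i:0'
        'redirectsmartcards:i:0'
        'drivestoredirect:s:'
    )
    Set-Content -Path $Path -Value $lines -Encoding Unicode
    $Path
}

# On LON-CL2: confirm the listener is reachable through the firewall, then connect.
if (Test-RdpPort -ComputerName 'LON-CL1') {
    $rdp = New-RdpConnectionFile -ComputerName 'LON-CL1'
    mstsc.exe $rdp
} else {
    Write-Warning 'LON-CL1 is not answering on TCP 3389; check which firewall profile the adapter is in.'
}
```

Run `Enable-SecureRemoteDesktop` on LON-CL1 first (add `-AllProfiles` only to mirror the lab exactly). Because the file sets `authentication level:i:2`, the first connection to LON-CL1 still shows the certificate warning; that is the expected behaviour, and the fix in production is a certificate the client trusts, not suppressing the warning.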
Results: After this exercise, you should have successfully verified that Remote Desktop is functional.
Lesson 4
Organizations often rely on VPN connections to provide remote users with secure access to data and resources on the corporate network. VPN connections are easy to configure, and are supported by different clients. However, VPN connections must first be initiated by the user and could require additional configuration on the corporate firewall. Also, VPN connections usually enable remote access to the entire corporate network. Moreover, organizations cannot effectively manage remote computers unless they are connected. To overcome such limitations in VPN connections, organizations can implement DirectAccess, available in Windows Server 2008 R2, Windows Server 2012, Windows 7 Enterprise edition, and Windows 8 Enterprise edition, to provide a seamless connection between the internal network and the remote computer on the Internet. With DirectAccess, organizations can effortlessly manage remote computers, because they are always connected.
Organizations benefit from DirectAccess because remote computers can be managed as if they are local computers, using the same management and update servers, to ensure they are always up-to-date and in compliance with security and system health policies. You also can define more detailed access control policies for remote access, as compared to defining access control policies in VPN solutions. DirectAccess has the following features:
Connects automatically to the corporate intranet when connected to the Internet.
Uses various protocols, including HTTPS, to establish IPv6 connectivity. HTTPS is typically allowed through firewalls and proxy servers.
Supports selected server access and end-to-end IPsec authentication with intranet network servers.
Supports end-to-end authentication and encryption with intranet network servers.
Supports management of remote client computers.
Allows remote users to connect directly to intranet servers.

Always-on connectivity: Whenever the user connects the client computer to the Internet, the client computer is connected to the intranet also. This connectivity enables remote client computers to access and update applications more easily. It also makes intranet resources always available, and enables users to connect to the corporate intranet from anywhere, anytime. This improves user productivity, satisfaction, and performance.
Seamless connectivity: DirectAccess provides a consistent connectivity experience, whether the client computer is local or remote. This allows users to focus more on productivity and less on connectivity options and processes. This consistency can reduce training costs for users, with fewer support incidents.
Bidirectional access: You can configure DirectAccess so that DirectAccess clients not only have access to intranet resources, but you also can have access from the intranet to those DirectAccess clients. Thus, DirectAccess can be bidirectional so that users have access to intranet resources, and you can have access to DirectAccess clients when they are connecting over a public network. This ensures that the client computers are always updated with recent security patches, that domain Group Policy is enforced, and that there is no difference whether users are on the corporate intranet or the public network.
This bidirectional access also results in:
Decreased update time.
Increased security.
Decreased update miss rate.
Improved compliance monitoring.
Improved security: Unlike traditional VPNs, DirectAccess offers many levels of access control to network resources. This tighter degree of control allows security architects to precisely control remote users who access specified resources. IPsec encryption is used for protecting DirectAccess traffic so that users can ensure that their communication is safe. You can use a granular policy to define who can use DirectAccess, and from where.
Integrated solution: DirectAccess fully integrates with Server and Domain Isolation and Network Access Protection (NAP) solutions, resulting in the seamless integration of security, access, and health requirement policies between the intranet and remote computers.

Components of DirectAccess
To deploy and configure DirectAccess, your organization must support the following infrastructure components.

DirectAccess Server
The DirectAccess server must have at least two physical network adapters installed: one connected to the Internet and the other to the intranet. The server must have at least two consecutive static, public IPv4 addresses assigned to the network adapter that is connected to the Internet. The server should not be placed behind a NAT. These are the requirements of DirectAccess in Windows Server 2008 R2, where the two consecutive public addresses are needed for Teredo. The Remote Access role in Windows Server 2012 also supports a DirectAccess server with a single network adapter or placed behind a NAT device; in that configuration clients can connect only over IP-HTTPS.
Generally installed in the perimeter network, the DirectAccess servers provide intranet connectivity for DirectAccess clients on the Internet.
DirectAccess Clients
To deploy DirectAccess, you also need to ensure that the client meets certain requirements:
The client must be joined to an AD DS domain.
The client must be running Windows 7 Ultimate Edition, Windows 7 Enterprise Edition, Windows 8 Enterprise Edition, Windows Server 2008 R2, or Windows Server 2012.
Internal network resources must be available through IPv6. For clients that are connected to the Internet, you can use IPv6 transition technologies, such as 6to4 and Teredo.
Note: Clients that are running Windows Vista, Windows Server 2008, or earlier versions of Windows operating systems do not support DirectAccess.

Network Location Server
DirectAccess clients use the Network Location Server (NLS) to determine their location. If the client can reach the NLS over HTTPS, and the NLS certificate passes validation and revocation checking, the client assumes it is on the intranet and disables the DirectAccess components. If the NLS cannot be contacted, the client assumes it is on the Internet. The NLS is installed with the Web Server role. Because the decision rests entirely on reachability, the NLS must be reachable only from the intranet (a client on the Internet that can reach it will stop using DirectAccess) and it must be highly available (intranet clients that cannot reach it will apply the NRPT and tunnel rules and lose intranet name resolution).
Note: The URL for the NLS is distributed by using Group Policy Object (GPO).
You must deploy at least one AD DS domain with at least one Windows Server 2012 or Windows Server 2008 R2-based domain controller.
Group Policy
Group Policy is required for centralized administration and deployment of DirectAccess settings. The DirectAccess Setup Wizard creates a set of GPOs and settings for DirectAccess clients, the DirectAccess server, and selected servers.
PKI
You must implement PKI to issue computer certificates for authentication, and where desirable, health certificates when using NAP. You need not implement public certificates. Whatever CA issues them, the CRL distribution point of the IP-HTTPS server certificate must be reachable from the Internet and the CRL distribution point of the NLS certificate must be reachable from the intranet, because clients fail the respective check when they cannot obtain the CRL.
DNS Server
When using Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), you must use Windows Server 2012, Windows Server 2008 R2, Windows Server 2008 with the Q958194 hotfix (http://go.microsoft.com/fwlink/?LinkID=159951), Windows Server 2008 Service Pack 2 (SP2) or newer, or a third-party DNS server that supports DNS message exchanges over ISATAP. Windows DNS servers also refuse to answer queries for the name ISATAP by default through the global query block list, so that entry must be removed from the list before ISATAP hosts can locate the router by name.
Name Resolution Policy Table
The Name Resolution Policy Table (NRPT) allows DirectAccess clients to use intranet DNS servers for name resolution of internal resources and Internet DNS servers for name resolution of other resources. Dedicated DNS servers are not required for name resolution. DirectAccess helps to prevent the exposure of your intranet namespace to the Internet. Some names need to be treated differently with regard to name resolution, and these names should not be resolved by using intranet DNS servers. To ensure that these names are resolved with the DNS servers that are specified in the client's TCP/IP settings, you must add them as NRPT exemptions. The NRPT is controlled through Group Policy. When the computer is configured to use the NRPT, the name resolution mechanism first tries to use the local name cache, which includes the entries in the hosts file, then the NRPT, and finally sends the query to the DNS servers that are specified in the TCP/IP settings.
Namespaces, for example, internal.contoso.com, are entered into the NRPT, followed by the DNS servers to which requests matching that namespace should be directed. If an IP address is entered for the DNS server, all DNS requests will be sent directly to the DNS server over the DirectAccess connection. You need not specify any additional security for such configurations. However, if a name is specified for the DNS server in the NRPT, such as dns.contoso.com, the name must be publicly resolvable when the client queries the DNS servers that are specified in its TCP/IP settings.
If a name query request does not match a namespace that is listed in the NRPT, the request is sent to the DNS servers that are configured in the TCP/IP settings. For a remote client, the DNS servers will typically be the Internet DNS servers that are configured through the Internet service provider (ISP). For a DirectAccess client on the intranet, the DNS servers will typically be the intranet DNS servers that are configured through Dynamic Host Configuration Protocol (DHCP).
Single-label names, for example, http://internal, will typically have configured DNS search suffixes that are appended to the name before they are checked against the NRPT.
If no DNS search suffixes are configured and the single-label name does not match any other single-label name entry in the NRPT, the request will be sent to the DNS servers that are specified in the client's TCP/IP settings.
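The following is an added example, not course material: a small Windows PowerShell model of the NRPT lookup described above (suffix search for single-label names, longest-namespace match, exemption rules that fall back to the interface DNS servers), run against a constructed rule set, followed by the Windows 8 cmdlets that show the real table that Group Policy delivered to a client. The namespaces, addresses and server names are assumptions for illustration only.

```powershell
# Added example (not course code): model the NRPT decision, then inspect the real table.

# Constructed rule set. A rule whose DirectAccessDnsServers list is empty is an exemption:
# the name is resolved through the interface-configured (ISP) DNS servers instead.
$script:NrptRules = @(
    @{ Namespace = '.corp.adatum.com';    DirectAccessDnsServers = @('2001:db8:1::10') }
    @{ Namespace = 'nls.corp.adatum.com'; DirectAccessDnsServers = @() }   # NLS exemption
    @{ Namespace = 'da.adatum.com';       DirectAccessDnsServers = @() }   # IP-HTTPS endpoint exemption
)
$script:DnsSuffixSearchList = @('corp.adatum.com')   # constructed client search list
$script:InterfaceDnsServers = @('203.0.113.53')      # constructed ISP-assigned resolver

function Resolve-NrptTarget {
    param([Parameter(Mandatory)][string]$Name)
    # Single-label names get the search suffixes appended before the NRPT is consulted.
    $candidates = if ($Name -notmatch '\.') {
        @($script:DnsSuffixSearchList | ForEach-Object { "$Name.$_" }) + $Name
    } else { @($Name) }

    foreach ($fqdn in $candidates) {
        # Longest matching namespace wins, so the nls.corp.adatum.com exemption
        # takes precedence over the broader .corp.adatum.com rule.
        $match = $script:NrptRules |
            Where-Object {
                $ns = $_.Namespace.ToLower()
                if ($ns.StartsWith('.')) { $fqdn.ToLower().EndsWith($ns) } else { $fqdn.ToLower() -eq $ns }
            } |
            Sort-Object { $_.Namespace.Length } -Descending |
            Select-Object -First 1
        if ($match) {
            if ($match.DirectAccessDnsServers.Count -gt 0) {
                return [pscustomobject]@{ Name = $fqdn; Rule = $match.Namespace
                    Path = 'Intranet DNS over DirectAccess'; Servers = ($match.DirectAccessDnsServers -join ',') }
            }
            return [pscustomobject]@{ Name = $fqdn; Rule = $match.Namespace
                Path = 'Exemption: interface DNS'; Servers = ($script:InterfaceDnsServers -join ',') }
        }
    }
    # No namespace matched at all: normal resolution through the interface DNS servers.
    [pscustomobject]@{ Name = $Name; Rule = '(none)'
        Path = 'No match: interface DNS'; Servers = ($script:InterfaceDnsServers -join ',') }
}

'fileserver', 'nls.corp.adatum.com', 'da.adatum.com', 'www.microsoft.com' |
    ForEach-Object { Resolve-NrptTarget -Name $_ } | Format-Table -AutoSize

# The real table on a Windows 8 DirectAccess client (delivered by GPO), and a check that
# Resolve-DnsName honours it: the first query follows the NRPT, the second is forced to the ISP.
Get-DnsClientNrptPolicy -Effective |
    Format-Table Namespace, DirectAccessDnsServers, DirectAccessEnabled -AutoSize
Resolve-DnsName -Name 'fileserver.corp.adatum.com' -ErrorAction SilentlyContinue
Resolve-DnsName -Name 'fileserver.corp.adatum.com' -Server '203.0.113.53' -ErrorAction SilentlyContinue
```

With the constructed rules, `fileserver` becomes `fileserver.corp.adatum.com` and is sent to the intranet DNS server over the tunnel, the two exemptions go to the ISP resolver, and `www.microsoft.com` matches nothing. The second `Resolve-DnsName` should fail from the Internet; if it succeeds, your intranet namespace is being published externally.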
When a DirectAccess client on the intranet attempts to access the network location server, the following occurs:
1. The DirectAccess client accesses the HTTPS-based URL of the network location server, during which process it obtains the certificate of the network location server.
2. Based on the Certificate Revocation List (CRL) Distribution Points field of the network location server's certificate, the DirectAccess client checks the CRL revocation files in the CRL distribution point to determine if the network location server's certificate has been revoked.
3. Based on an HTTP 200 Success of the network location server URL (successful access and certificate authentication and revocation check), the DirectAccess client removes the DirectAccess rules in the NRPT.
4. The DirectAccess client computer attempts to locate and log on to the AD DS domain using its computer account.
5. Because there are no longer any DirectAccess rules in the NRPT, all DNS queries are sent through interface-configured DNS servers (intranet DNS servers).
6. Based on the successful computer logon to the domain, the DirectAccess client assigns the Domain profile to the attached network.
7. Because the DirectAccess connection security tunnel rules are scoped for the Public and Private profiles, they are removed from the list of active Connection Security rules.
The DirectAccess client has successfully determined that it is connected to its intranet and does not use DirectAccess settings (NRPT rules or Connection Security tunnel rules). It can access intranet resources normally. It also can access Internet resources through normal means, such as a proxy server (not shown).
DirectAccess Client Attempts to Access the Network Location Server
When a DirectAccess client on the Internet attempts to access the network location server, the following occurs:
1. The client tries to resolve the FQDN of the network location server URL. Because the FQDN of the network location server URL corresponds to an exemption rule in the NRPT, the DirectAccess client sends the DNS query to a locally-configured DNS server (an Internet-based DNS server). The Internet DNS server cannot resolve the name.
2. The DirectAccess client keeps the DirectAccess rules in the NRPT.
3. Because the network location server was not found, the DirectAccess client applies the Public or Private profile to the attached network.
4. The Connection Security tunnel rules for DirectAccess, scoped for the Public and Private profiles, remain.
The DirectAccess client has the NRPT rules and Connection Security rules to access intranet resources across the Internet through the DirectAccess server.
After starting up and determining its network location, the DirectAccess client attempts to locate and log on to a domain controller. This process creates the infrastructure tunnel to the DirectAccess server.
1. The DNS name for the domain controller matches the intranet namespace rule in the NRPT, which specifies the IPv6 address of the intranet DNS server. The DNS Client service constructs the DNS name query that is addressed to the IPv6 address of the intranet DNS server, and hands it off to the TCP/IP stack for sending.
2. Before sending the packet, the TCP/IP stack checks to determine whether there are Windows Firewall outgoing rules or Connection Security rules for the packet.
3. Because the destination IPv6 address in the DNS name query matches a Connection Security rule that corresponds with the infrastructure tunnel, the DirectAccess client uses AuthIP and IPsec to negotiate and authenticate an encrypted IPsec tunnel to the DirectAccess server. The DirectAccess client authenticates itself with its installed computer certificate and its computer account's NTLM credentials.
4. The DirectAccess client sends the DNS name query through the infrastructure tunnel to the DirectAccess server.
5. The DirectAccess server forwards the DNS name query to the intranet DNS server, which responds.
6. The DNS name query response is sent back to the DirectAccess server, and then back through the infrastructure tunnel to the DirectAccess client.
Subsequent domain logon traffic goes through the infrastructure tunnel. When the user on the DirectAccess client logs on, the domain logon traffic goes through the infrastructure tunnel.
When a user or process on the DirectAccess client sends its first packet to an intranet resource, after the name has been resolved through the infrastructure tunnel as described above, the following occurs:
1. Before sending the packet, the TCP/IP stack checks to determine whether there are Windows Firewall outgoing rules or Connection Security rules for the packet.
2. Because the destination IPv6 address matches the Connection Security rule that corresponds with the intranet tunnel (which specifies the IPv6 address space of the entire intranet), the DirectAccess client uses AuthIP and IPsec to negotiate and authenticate an additional IPsec tunnel to the DirectAccess server. The DirectAccess client authenticates itself with its installed computer certificate and the user account's Kerberos credentials.
3. The DirectAccess client sends the packet through the intranet tunnel to the DirectAccess server.
4. The DirectAccess server forwards the packet to the intranet resource, which responds.
5. The response is sent back to the DirectAccess server, and then back through the intranet tunnel to the DirectAccess client.
Subsequent intranet access traffic, which does not match an intranet destination in the infrastructure tunnel Connection Security rule, goes through the intranet tunnel.
When the user or a process on the DirectAccess client attempts to access an Internet resource (such as an Internet web server), the following occurs:
1. The DNS Client service passes the DNS name for the Internet resource through the NRPT. There are no matches. The DNS Client service constructs the DNS name query that is addressed to the IP address of an interface-configured Internet DNS server, and then hands it off to the TCP/IP stack for sending.
2. Before sending the packet, the TCP/IP stack checks to determine whether there are Windows Firewall outgoing rules or Connection Security rules for the packet.
3. Because the destination IP address in the DNS name query does not match the Connection Security rules for the tunnels to the DirectAccess server, the DirectAccess client sends the DNS name query normally. The Internet DNS server responds with the IP address of the Internet resource.
4. The user application or process constructs the first packet to send to the Internet resource.
5. Before sending the packet, the TCP/IP stack checks to determine whether there are Windows Firewall outgoing rules or Connection Security rules for the packet.
6. Because the destination IP address of the packet does not match the Connection Security rules for the tunnels to the DirectAccess server, the DirectAccess client sends the packet normally.
Subsequent Internet resource traffic, which does not match a destination in either the infrastructure tunnel or the intranet tunnel Connection Security rules, is sent and received normally.
3. Create the certificate template and configure security settings on the template so that Authenticated Users can enroll the certificate.
4. Distribute the computer certificates. You can use Group Policy to do this by enabling autoenrollment.

To prepare the DirectAccess clients and test the DirectAccess environment, complete the following tasks:

Task 3: Configure the DirectAccess clients and test intranet access
1. Verify that DirectAccess clients have the computer certificate that is required for DirectAccess authentication. This should have been distributed with Group Policy.
2. Verify that the client can connect to intranet resources.
To verify the DirectAccess functionality, move DirectAccess clients to the Internet, and then verify connectivity to intranet resources. Question: Why is it important that the DirectAccess client should have access to a CRL distribution point?
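The following Windows PowerShell script is an added example and not part of the course. It reproduces, from the client side, the checks the DirectAccess client makes in the processes described above (NLS reachability, certificate validation and CRL revocation check, resulting network profile and NRPT state, IP-HTTPS interface and the IPsec tunnels), and it verifies the Task 3 prerequisite that a suitable computer certificate was autoenrolled. It also answers the review question in code: when the CRL distribution point in the NLS certificate is unreachable, the revocation check fails and the client stays in Internet mode even on the intranet. The NLS URL is an assumption about the lab; replace it with the URL your GPO distributes. Run it on a domain-joined Windows 8 Enterprise client.

```powershell
# Added example (not course code): show which branch of the DirectAccess location/tunnel
# process this client took, and confirm its certificate prerequisites.
param([string]$NlsUrl = 'https://nls.corp.adatum.com/')   # assumed lab NLS URL

function Get-DaComputerCertificate {
    # The tunnels authenticate with a computer certificate that has a private key and the
    # Client Authentication EKU (1.3.6.1.5.5.7.3.2); this is what Task 2 autoenrollment delivers.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and
                       ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.2' }) } |
        Select-Object Subject, Issuer, NotAfter, Thumbprint
}

function Get-CrlDistributionPoints {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # OID 2.5.29.31 is the CRL Distribution Points extension; its formatted text lists the URLs.
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return }
    [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

function Test-NetworkLocationServer {
    param([Parameter(Mandatory)][string]$Url)
    # Steps 1-3 of the intranet case: HTTPS access, chain validation and the revocation check
    # must all succeed. Revocation checking is forced here because the DirectAccess client
    # performs it even when a browser would not.
    [System.Net.ServicePointManager]::CheckCertificateRevocationList = $true
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Timeout = 5000
    try {
        $resp = $req.GetResponse()
        $status = [int]$resp.StatusCode
        $resp.Close()
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $req.ServicePoint.Certificate
        [pscustomobject]@{ Reachable = ($status -eq 200); Status = $status; Subject = $cert.Subject
                           CrlUrls = @(Get-CrlDistributionPoints -Certificate $cert); Error = $null }
    } catch {
        # Unreachable, untrusted, or revocation status unobtainable: the client stays in Internet mode.
        [pscustomobject]@{ Reachable = $false; Status = $null; Subject = $null; CrlUrls = @(); Error = $_.Exception.Message }
    }
}

$nls = Test-NetworkLocationServer -Url $NlsUrl
'--- Network location server ---'; $nls | Format-List
foreach ($url in $nls.CrlUrls) {
    # If this fails, step 2 of the intranet process fails: an intranet client keeps the NRPT
    # rules and tunnel rules and behaves as though it were on the Internet.
    try { $null = Invoke-WebRequest -Uri $url -Method Head -TimeoutSec 5 -UseBasicParsing; "CRL reachable:     $url" }
    catch { "CRL NOT reachable: $url ($($_.Exception.Message))" }
}
'--- Computer certificate(s) usable for DirectAccess ---'
Get-DaComputerCertificate | Format-Table -AutoSize
'--- Network profile (Domain means the NLS check and domain logon succeeded) ---'
Get-NetConnectionProfile | Format-Table Name, InterfaceAlias, NetworkCategory -AutoSize
'--- Effective NRPT (removed on the intranet, present on the Internet) ---'
Get-DnsClientNrptPolicy -Effective | Format-Table Namespace, DirectAccessDnsServers -AutoSize
'--- Client status, IP-HTTPS interface, and IPsec main mode SAs (one per tunnel) ---'
Get-DAConnectionStatus -ErrorAction SilentlyContinue
Get-NetIPHttpsState -ErrorAction SilentlyContinue
Get-NetIPsecMainModeSA -ErrorAction SilentlyContinue |
    Format-Table LocalEndpoint, RemoteEndpoint, LocalFirstId, RemoteFirstId -AutoSize
```

Run it once on the intranet and once from the Internet (the lab's "move DirectAccess clients to the Internet" step). Inside, expect Reachable = True, a Domain profile, and an empty effective NRPT; outside, expect the NLS probe to fail, a Public or Private profile, NRPT rules, an IP-HTTPS interface, and two main mode SAs to the DirectAccess server once a user has logged on.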
Module 12
Implementing Hyper-V
Contents:
Module Overview 12-1
Lesson 1: Overview of Hyper-V 12-2
Lesson 2: Creating Virtual Machines 12-5
Lesson 3: Managing Virtual Hard Disks 12-10
Lesson 4: Managing Snapshots 12-13
Module Review and Takeaways 12-16
Module Overview
Hyper-V is the primary platform for infrastructure virtualization. By interacting with hardware components in a more direct manner, Hyper-V enables multiple, isolated operating systems to share the same physical platform. This module will introduce you to Client Hyper-V in Windows 8, and explain the fundamentals of working with virtual machines in the Client Hyper-V environment.
Objectives
After completing this module, you will be able to:
Describe Hyper-V.
Explain the process for creating and working with virtual machines.
Identify key aspects of working with virtual disks.
Understand and manage snapshots with Hyper-V.
Lesson 1
Hyper-V virtualization technology has been providing virtualized environments on Windows Server computers since Windows Server 2008. Windows 8 is the first Windows client version to include Hyper-V. Hyper-V supports a large range of virtualization capabilities, many of which are included in Windows 8 in a new feature called Client Hyper-V. This lesson will introduce you to the Client Hyper-V functionality in Windows 8, and introduce scenarios that may benefit from a virtual environment. Client Hyper-V is a new feature in Windows 8 that enables the same core virtualization technology as found in Windows Server 2012.
Virtual machines are configured to share physical resources from the host machine, and represent those virtualized resources as usable components to the virtual machine's operating system. For example, one computer with one network adapter may have five different virtual machines that are running in Hyper-V. In each of those virtual machines, a virtualized network adapter is associated with the single physical network adapter, enabling five virtual machines to have individual MAC addresses, be assigned individual IP addresses, and gain network access. The same virtualization happens with other hardware components, such as the processor, memory, and hard disks.
Client Hyper-V is a feature that enables virtualization within the Windows 8 environment. Client Hyper-V uses the same virtualization engine as Hyper-V in Windows Server 2012, and contains the same core feature set. Client Hyper-V replaces the Virtual PC feature previously available in Windows 7, and has some significant differences in functionality:
Compatibility with Hyper-V on Windows Server. Client Hyper-V supports the same standard functionality as Hyper-V on Windows Server. You can import and export virtual machines and virtual hard disks (VHDs) between Hyper-V and Client Hyper-V in most situations, without any requirement for conversion or modification.
Support for 64-bit guest virtual machines. Client Hyper-V can provide both a 32-bit and 64-bit virtualized hardware environment for guest virtual machines. Virtual PC supported only 32-bit virtualized hardware.
No application-level virtualization. In Windows 7, Windows XP Mode in Virtual PC enabled a user to run an application in a virtualized Windows XP environment, while still making the rest of the Windows 7 environment available. In Windows 8, Client Hyper-V provides a complete virtualization solution: an application runs inside a full guest operating system, and nothing from the guest is projected onto the host desktop.
Client Hyper-V requires a 64-bit edition of Windows 8 Pro or Windows 8 Enterprise, and the host hardware must meet the following requirements:
The processor in the host computer must support Second Level Address Translation (SLAT). You may also need to enable hardware virtualization in your computer's BIOS.
The host computer must have at least 4 gigabytes (GB) of RAM.
Note: You can install the Hyper-V management tools (Hyper-V Manager and the Hyper-V Module for Windows PowerShell) even if the preceding requirements are not met. You can do this to remotely manage a Hyper-V installation on another computer.
The primary tool for management within the Client Hyper-V environment is Hyper-V Manager. Hyper-V Manager is a console that is based on Microsoft Management Console (MMC). It provides complete access to Client Hyper-V functionality in Windows 8. Windows Server 2012 Hyper-V also uses Hyper-V Manager, so any experience in either operating system will directly correspond to the other.
The other tool installed with Client Hyper-V is the Hyper-V Virtual Machine Connection (VMC) tool. You can use the VMC to connect to a virtual machine with an interface and level of interaction very similar to Remote Desktop Protocol (RDP). The VMC tool does not require you to use a Hyper-V console to connect to a virtual machine.
You can create a Client Hyper-V virtual machine, and use it as a preproduction environment for application testing. You may be preparing to migrate your Windows client infrastructure to Windows 8 and require testing of all line-of-business (LOB) applications. You can employ a virtual machine that is running Windows 8 to test the application, and then reset the virtual machine back to its default state to test other applications.
You can create several virtual machines, each with a different installed version of Windows, to test a new application. For example, you could install Windows 8 on the first virtual machine, install Windows 7 on the second, and install Windows XP on the third, continuing this variance as much as you want. You can configure each virtual machine to your testing specifications, and reset the machines after testing is complete so that the machines are immediately ready for the next testing task.
If you encounter problems with a virtual machine in your production Hyper-V environment on Windows Server 2012, you can export that virtual machine from your production environment, import it into Client Hyper-V, perform the required troubleshooting, and then export it back into the production environment.
With Client Hyper-V, you can use Hyper-V virtualization, wireless network adapters, and sleep states on your desktop computer. For example, if you run Client Hyper-V on a laptop and close the lid, the virtual machines that are running go into a saved state, and resume when the machine wakes.
Virtual Machine Manager (VMM) and other tools created for Hyper-V in Windows Server, such as VMM P2V or the Sysinternals Disk2VHD tool, also will work in Client Hyper-V.
Using virtual-machine networking, you can create a multimachine environment for test, development, and demonstration, which is secure and which does not affect the production network. You also can mount and boot a Windows operating system by using VHDs from a USB storage drive. You would use these VHDs as a virtual machine by using Client Hyper-V, if you are running Windows 8 Enterprise.
You also can use VHDs that have been preconfigured to test new Microsoft software. Microsoft.com hosts a large number of ready-to-use .vhd files that you can simply import into Hyper-V or Client Hyper-V. After you import a file, the VHDs provide a functional test version of the specific product for evaluation. With VHD files, there is no need to upgrade or configure operating systems, or download and install applications. It is all ready to go in the VHD file at first boot.

Lesson 2
By creating and configuring virtual machines, you can run various operating systems and environments within your Hyper-V infrastructure. You can configure each virtual machine with its own virtual hardware infrastructure and connectivity. This lesson will describe the process for creating and managing virtual machines within Client Hyper-V.

When you create a virtual machine, you specify the following:
Virtual machine location. By default, the virtual machine is created and located on the computer's system drive. If your computer has multiple physical hard disks, you typically can increase the performance of your virtual machine by placing it on a disk separate from the system disk. For computers with solid state disks (SSDs), this is not as effective.
Memory. The amount of memory that you specify will be assigned to the virtual machine from the available physical memory on your host computer.
Network connection. Your virtual machine can have one or more virtual network adapters. By default, a new virtual machine is created with a single network adapter that is connected to a virtual network. You can create virtual networks that will connect virtual machines to the external network through the host-computer network adapter, or you can create a self-contained virtual network to provide an isolated network environment. Alternatively, you may choose not to connect the virtual machine to any network.
Virtual hard-disk location. By default, a single VHD is created in the same directory specified for the virtual machine location. You also may choose to use a preexisting VHD that has already been created. For example, many Microsoft products are available for trial purposes in preconfigured VHD files.
Operating system installation media. Unless you are attaching a VHD file that already has an operating system installed, you will need to install an operating system on your virtual machine. You can specify an .iso CD/DVD image file to use as installation media, or you can attach the physical CD/DVD drive from the host machine to the virtual machine, and then install the operating system from that media.

In the New Virtual Machine Wizard:
On the Specify Name and Location page, in the Name field, type the name of your virtual machine. Select where the virtual machine and its associated VHDs will be stored.
On the Assign Memory page, in the Memory field, specify the amount of memory to assign the virtual machine, and then click Next.
On the Configure Networking page, in the Connection list, select the appropriate network, and then click Next.
On the Connect Virtual Hard Disk page, either create a new VHD, or use an existing VHD file that has already been created, and then click Next.
On the Completing the New Virtual Machine Wizard page, click Finish.
The virtual machine Settings dialog box contains the following settings:

Setting                 Description
BIOS                    Use to configure settings such as Num Lock or startup order.
Memory                  Use to configure the memory assigned to the virtual machine.
Processor               Use to configure the processor settings for the virtual machine. Depending on the virtual machine operating system and the host capacity, you can configure multiple processors, and then configure the physical resources that the virtual machine can consume.
IDE controllers         Use to connect IDE virtual disks to the virtual machine.
SCSI controller         Use to connect virtual disks of a small computer system interface (SCSI) to the virtual machine. You cannot use these disks for the operating system boot partition.
Network adapter         Use to specify the network connection that the virtual machine has with external networks.
COM ports               Use to configure the virtual COM port to communicate with the physical computer through a named pipe.
Diskette drive          Use to connect virtual floppy disks to the virtual machine.
Integration services    Use to specify the services that Hyper-V will provide for the virtual machine. Integration services enable a virtual machine to make more direct and effective use of the host machine's hardware and interface devices.
Automatic start action  Use to specify whether to restart the virtual machine if the physical computer restarts.
Automatic stop action   Use to specify the state in which you want to place the virtual machine when the physical computer shuts down.
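The following Windows PowerShell script is an added example and not course material. It does what the New Virtual Machine Wizard and the Settings dialog described above do, using the Hyper-V module that installs with Client Hyper-V on Windows 8, and it builds the kind of isolated test machine the previous lesson's scenarios call for: a Private virtual switch (no path to the host adapter or the production network), installation media from an .iso, no automatic start, and a saved state on host shutdown. The paths, names, sizes and switch name are assumptions; the cmdlets and parameters are the Windows 8 ones. Run it from an elevated prompt on the Client Hyper-V host.

```powershell
# Added example (not course code): check the host, then create and configure an isolated test VM.
#requires -Modules Hyper-V

function Test-ClientHyperVReady {
    # Client Hyper-V needs 64-bit Windows 8 Pro/Enterprise, SLAT, >= 4 GB RAM and the feature enabled.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All
    # systeminfo lists SLAT under "Hyper-V Requirements" until a hypervisor is running.
    $slat = systeminfo.exe | Select-String 'Second Level Address Translation|hypervisor has been detected'
    [pscustomobject]@{
        Is64Bit = [Environment]::Is64BitOperatingSystem
        HyperV  = $feature.State
        SLAT    = if ($slat) { $slat.Line.Trim() } else { 'unknown' }
        TotalGB = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1GB, 1)
    }
}

function New-IsolatedTestVM {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$Path = 'D:\Hyper-V',                         # assumed: a disk other than the system disk
        [string]$IsoPath = 'D:\ISO\Windows8-Enterprise.iso',  # assumed installation media
        [long]$MemoryBytes = 2GB,
        [long]$DiskBytes = 60GB,
        [int]$ProcessorCount = 2,
        [string]$SwitchName = 'Isolated-Test'
    )
    # Configure Networking page: a Private switch connects VMs only to each other. Nothing
    # on it can reach the host's physical adapter, so a test machine cannot touch production.
    if (-not (Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue)) {
        New-VMSwitch -Name $SwitchName -SwitchType Private | Out-Null
    }
    # Name and Location, Assign Memory, Networking and Virtual Hard Disk pages in one call.
    $vm = New-VM -Name $Name -Path $Path -MemoryStartupBytes $MemoryBytes `
                 -NewVHDPath (Join-Path $Path "$Name\Virtual Hard Disks\$Name.vhdx") `
                 -NewVHDSizeBytes $DiskBytes -SwitchName $SwitchName

    # Settings dialog equivalents, one line per row of the table above.
    Set-VMProcessor -VM $vm -Count $ProcessorCount                                     # Processor
    Set-VMMemory -VM $vm -DynamicMemoryEnabled $true `
                 -MinimumBytes 512MB -MaximumBytes ($MemoryBytes * 2)                  # Memory
    Set-VMDvdDrive -VMName $Name -Path $IsoPath                                        # IDE controller: DVD with the .iso
    Set-VMBios -VM $vm -StartupOrder @('CD', 'IDE', 'LegacyNetworkAdapter', 'Floppy')   # BIOS: install from DVD first
    Set-VMNetworkAdapter -VM $vm -MacAddressSpoofing Off -DhcpGuard On -RouterGuard On  # Network adapter: guest cannot spoof or serve DHCP/RA
    Set-VM -VM $vm -AutomaticStartAction Nothing -AutomaticStopAction Save             # Automatic start/stop actions
    Get-VMIntegrationService -VM $vm | Select-Object Name, Enabled                      # Integration services as enabled by default
    Get-VM -Name $Name | Select-Object Name, State, ProcessorCount, MemoryStartup, Path
}

Test-ClientHyperVReady
New-IsolatedTestVM -Name 'LOB-Test-Win8'
# Start-VM -Name 'LOB-Test-Win8'; vmconnect.exe localhost 'LOB-Test-Win8'
```

`Set-VMNetworkAdapter` with MAC address spoofing off and DHCP and router guard on stops a compromised or misbehaving guest from impersonating other machines or from answering DHCP and router advertisements, even on the isolated switch. Replace `-SwitchType Private` with an external switch only when the test actually needs network access beyond the host.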
You can connect to a virtual machine by selecting the virtual machine, and then clicking the Connect button on the toolbar, or by right-clicking the virtual machine, and then clicking Connect in the shortcut menu. What is displayed in the virtual machine window will depend on the state of the virtual machine. In Client Hyper-V, a virtual machine can be in five different states:
Stopped. A virtual machine that is stopped does not consume any resources on the host machine, and exists in a state similar to a physical computer being powered off.
Starting. When a virtual machine is first started, it remains in the starting state for a brief moment, during which required resources are checked and assigned to the virtual machine. After this check and assignment occurs, the starting state changes.
Running. A virtual machine is in its normal operable state when Running is displayed. A running virtual machine responds to keyboard and mouse input, and shows whatever information is being sent to the virtual machine's display adapter when you are connected to the virtual machine.
Paused. When a virtual machine is paused, it still maintains its allocation of host-computer resources, but places the virtual machines operating system in a temporary sleep state. Saved. When a virtual machine is in the saved state, its current operating state is saved to the hard disk, and it stops consuming host computer resources until you start it and place it into the running state. When a Client Hyper-V computer that supports hibernate and sleep modes enters one of these modes, virtual machines that are running will enter the saved state.
You can export and import virtual machines between computers that are running Client Hyper-V or Hyper-V on Windows Server. Exporting and importing virtual machines enables multiple troubleshooting and testing scenarios that may be impossible in a physical computing environment.
You can move virtual machines between Hyper-V hosts by exporting and importing them through the Hyper-V Manager window. The Import option is located in the Actions pane. Right-click the virtual machine to access the Export function, which is available only if the virtual machine is in a saved state or is shut down.
Note: You cannot just copy the virtual machine files from one host to another. If you do, you will need to create a new virtual machine by using the VHD, because all of your virtual machine configuration changes will be lost, and the network settings in the virtual machine will be reset.
Exporting
When you export a virtual machine, Hyper-V copies all components that comprise the virtual machine to the path that you specify. There are four parts to each exported virtual machine:
The Virtual Machines folder contains an .exp file, which contains the globally unique identifier (GUID) of the exported virtual machine.
The Virtual Hard Disks folder contains copies of each VHD that is associated with the virtual machine. If the VHD is a differencing hard disk, all base images associated with the VHD are also copied to the export folder.
The Snapshots folder contains a file with an .exp extension for each snapshot of the virtual machine.
Config.xml is a configuration file that the import process uses.
The export is a complete, unencrypted copy of the virtual machine, including its disks and any saved memory state, so protect the export path with the same access controls that you apply to the virtual machine's own storage.
Importing
When you import a virtual machine, Hyper-V reads the configuration file (config.xml), and then creates a virtual machine by using the configuration information. During this process, Hyper-V does not move the virtual machine files. Hyper-V launches the virtual machine by using the files that are in the exported location. As part of the import process, Hyper-V deletes all of the .exp files, which prevents importing the virtual machine a second time, and then replaces them with .xml files. Additionally, Hyper-V deletes the config.xml file.
Import Options
When you import a virtual machine, you have the following options:
Move or restore the virtual machine. When you select this option, Hyper-V creates a virtual machine that uses the same unique identifier (ID) as the exported virtual machine. Every Hyper-V virtual machine has a unique ID, a GUID that Hyper-V generates automatically when you create the virtual machine. The GUID identifies each virtual machine uniquely, much the same way a security identifier (SID) identifies Active Directory objects. The Hyper-V console does not display the GUID.
Copy the virtual machine. When you select this option, Hyper-V replaces the unique ID for the virtual machine with a new ID.
You also have the option of duplicating the virtual machine files when you import them. If you choose this option, copies of all virtual machine files are created so that you can import the virtual machine again.
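The same export and the two import options, driven from the Hyper-V PowerShell module that ships with Client Hyper-V. This is an added example and not code from the course; the VM name 'TestVM' and the D:\ paths are assumptions. On Windows 8 the exported configuration file that Import-VM needs is the <GUID>.xml file in the Virtual Machines folder.

```powershell
# Added example, not part of the course text: export a virtual machine with
# the Hyper-V PowerShell module, then import it in the two ways described
# above. The VM name 'TestVM' and the D:\ paths are assumptions.
Import-Module Hyper-V

$vmName     = 'TestVM'
$exportRoot = 'D:\Exports'
$importRoot = 'D:\VMs\Imported'

# Export is only offered for a VM that is shut down or saved. Saving keeps
# the guest's state; stopping it would discard unsaved work in the guest.
$vm = Get-VM -Name $vmName
if ($vm.State -eq 'Running') {
    Save-VM -Name $vmName
}

Export-VM -Name $vmName -Path $exportRoot

# Export writes <exportRoot>\<VM name>\ with the Virtual Machines, Virtual
# Hard Disks and Snapshots folders. Listing it shows what leaves the host:
# a complete, unencrypted copy of the disks and of any saved memory state.
$exportDir = Join-Path $exportRoot $vmName
Get-ChildItem -Path $exportDir -Recurse -File |
    Select-Object FullName, @{ n = 'MB'; e = { [math]::Round($_.Length / 1MB, 1) } }

# Import-VM wants the exported configuration file. On Windows 8 that is the
# <GUID>.xml file in the Virtual Machines folder.
$config = Get-ChildItem -Path (Join-Path $exportDir 'Virtual Machines') -Filter '*.xml' |
    Select-Object -First 1

# "Copy the virtual machine": -Copy duplicates the files into new locations
# and -GenerateNewId assigns a fresh GUID, so the export stays reusable and
# the copy can coexist with the original on the same host.
$copy = Import-VM -Path $config.FullName -Copy -GenerateNewId `
    -VirtualMachinePath (Join-Path $importRoot 'Config') `
    -VhdDestinationPath (Join-Path $importRoot 'Disks')

# "Move or restore the virtual machine": without -Copy the VM is registered
# in place and runs from the export folder; without -GenerateNewId it keeps
# the original GUID, which fails if that VM is still registered on this host.
# $restored = Import-VM -Path $config.FullName

'{0} exported; copy registered as {1} with ID {2}' -f $vmName, $copy.Name, $copy.VMId
```

Run it from an elevated PowerShell prompt on the host. Because the listing step shows every file that the export produced, it doubles as a reminder that an export folder on a shared or removable drive is as sensitive as the running virtual machine.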
Implementing Hyper-V
Lesson 3
Virtual hard disks provide the data and storage capability for Client Hyper-V virtual machines. VHDs are stored as flat files in the host operating system, but provide a complete storage component for their associated virtual machine. This lesson will introduce you to the VHD format, and then identify management tasks in Hyper-V Manager that are associated with VHDs.
IDE. The Hyper-V IDE controller is an emulated or synthetic device that allows for disks up to 2,048 GB and provides performance that is only slightly less than a SCSI controller. The IDE controller can support fixed-disk and dynamic VHDs, and pass-through disks. You can configure as many as four IDE disks on a virtual machine (two controllers with two disks each). Hyper-V must use a disk attached to the emulated IDE controller as the boot disk. Booting from SCSI is not supported because a SCSI controller is a synthetic device, which the guest can use only after you install the integration services on the virtual machine.
SCSI. The Hyper-V SCSI controller is a synthetic device. You can configure as many as four SCSI controllers per virtual machine, and each controller can support 64 disks. Therefore, you would have 256 total disks per virtual machine. There is no disk size limitation for disks attached to SCSI controllers; the physical storage configuration is the only factor that restricts the size.
Virtual machines also can connect directly to iSCSI storage over an iSCSI network, thereby bypassing the Hyper-V host. All that is required is the proper configuration of an iSCSI initiator in the virtual machine and an iSCSI target available on the network. There is no limit to how many iSCSI disks a virtual machine can support. However, a virtual machine cannot boot from an iSCSI disk.
Understanding VHDX
The new .vhdx format for VHDs is available in Windows 8 and Windows Server 2012. VHDX-based VHDs address some limitations of the previous VHD format, and have several important new features:
Support for VHD storage capacity up to 64 terabytes.
Protection against data corruption during power failures by logging updates to the VHDX metadata structures.
Improved alignment of the VHD format to work well on large-sector disks.
Dynamically expanding VHDs start off very small, typically a few megabytes (MB) in size, and grow as data is written to them. By default, Hyper-V creates dynamically expanding VHDs.
When you create a dynamically expanding VHD, you specify a maximum file size. The maximum size that you specify at creation restricts how large the VHD file can grow. For example, if you create a 127 GB dynamically expanding VHD, the initial size of the .vhd file is about 3 MB. As the virtual machine uses the VHD, the size of the .vhd file grows as data is written to the VHD, up to 127 GB. If you hit the limit, you can expand the maximum size through the Edit Disk wizard in Hyper-V Manager.
Dynamic VHD Benefits
Efficient. Dynamically expanding VHDs grow dynamically as the virtual machine needs more storage. This is an excellent option for portability.
Deferred storage allocation. Suppose you create 10 virtual machines with a maximum size of 100 GB each, and you place these on a 500 GB disk. These 10 virtual machines may all fit within 500 GB when you create them. However, over time, as those disks increase in size, it is possible that they outgrow the storage, because the disk resources are not allocated up front.
Fragmentation and possibly slight performance impact. Because dynamically expanding VHDs increase in size only when necessary, they tend to fragment easily. Additionally, when the VHDs increase in size, the NTFS file system automatically sets the new allocation to zero for security purposes, which has a very small performance overhead.
Hard drive recommendations:
1. Use hard drives that are at least 10,000 revolutions per minute (RPM).
2. Use solid state drives where possible.
3. Consider using a storage area network (SAN) for virtual machine storage. SANs provide several benefits, such as very high performance and high availability. As well, it is easy to assign additional space for virtual machines as long as the SAN has storage available.
4. iSCSI SANs can provide relatively inexpensive storage for virtual machines. Using iSCSI also enables you to configure virtual machines with direct access to storage.
5. On the host computer, configure antivirus software to exclude all .vhd, .avhd, .vfd, .vsv, and .xml files (and their .vhdx and .avhdx equivalents) stored on the hard drives that are hosting the virtual machines. Scope the exclusions to the folders that hold virtual machine files rather than to the whole host, and keep antivirus running inside each guest, because a host-side exclusion means that nothing on those virtual disks is scanned from the host.
Creating a VHD
You can create a VHD outside of the New Virtual Machine Wizard in Hyper-V by following the instructions for either of the following tasks.
To create a VHD that uses the default size:
1. On the Specify Name and Location page, in the Name field, type the name of the VHD file, and in the Location field, type an appropriate location, and then click Next.
2. On the Configure Disk page, do not change the default values, and then click Next.
3. On the Completing the New Virtual Hard Disk Wizard page, click Finish.
To create a VHD of a specific size:
1. On the Specify Name and Location page, in the Name field, type the name of the VHD file, and in the Location field, type an appropriate location, and then click Next.
2. On the Configure Disk page, change the Create a new blank virtual hard disk size to an appropriate size, in GB, and then click Next.
3. On the Completing the New Virtual Hard Disk Wizard page, click Finish.
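The same disk-creation tasks from PowerShell, together with the dynamic-versus-fixed comparison and the overcommitment check that the discussion of deferred storage allocation calls for. This is an added example and not code from the course; the D:\VHDs path and the VM name 'TestVM' are assumptions.

```powershell
# Added example, not part of the course text: create both VHD types from
# PowerShell, show why a dynamically expanding disk starts small, grow it,
# attach it to a VM's SCSI controller and check for overcommitment. The
# D:\VHDs path and the VM name 'TestVM' are assumptions.
Import-Module Hyper-V

$vhdDir = 'D:\VHDs'
New-Item -ItemType Directory -Path $vhdDir -Force | Out-Null

# Dynamically expanding VHDX with the wizard's 127 GB default maximum. The
# file is only a few MB until the guest writes data to it.
$dyn = New-VHD -Path (Join-Path $vhdDir 'data-dynamic.vhdx') -SizeBytes 127GB -Dynamic

# Fixed-size VHDX: all space is allocated (and zeroed) up front, so the
# file is full size immediately and does not fragment as it is used.
$fixed = New-VHD -Path (Join-Path $vhdDir 'data-fixed.vhdx') -SizeBytes 20GB -Fixed

# Size is what the guest sees; FileSize is what the host volume has given up.
Get-VHD -Path $dyn.Path, $fixed.Path |
    Select-Object Path, VhdFormat, VhdType,
        @{ n = 'SizeGB';     e = { [math]::Round($_.Size / 1GB, 1) } },
        @{ n = 'FileSizeGB'; e = { [math]::Round($_.FileSize / 1GB, 1) } }

# Raising the maximum later (the Edit Disk wizard's Expand action). The
# disk must not be attached to a running VM while it is resized.
Resize-VHD -Path $dyn.Path -SizeBytes 200GB

# Attach as a data disk on the SCSI controller; the boot disk must stay on
# the IDE controller, as the lesson explains.
Add-VMHardDiskDrive -VMName 'TestVM' -ControllerType SCSI -Path $dyn.Path

# Deferred storage allocation check: add up the maximum size promised to
# every VM whose disks live on this volume and compare it with the volume.
$disks = Get-VM | Get-VMHardDiskDrive |
    Where-Object { $_.Path -like "$vhdDir*" } |
    ForEach-Object { Get-VHD -Path $_.Path }
$promised = ($disks | Measure-Object -Property Size -Sum).Sum
$volume   = Get-Volume -DriveLetter $vhdDir.Substring(0, 1)
$report   = '{0:N0} GB promised to guests on a {1:N0} GB volume with {2:N0} GB free'
$report -f ($promised / 1GB), ($volume.Size / 1GB), ($volume.SizeRemaining / 1GB)
if ($promised -gt $volume.Size) {
    Write-Warning 'Dynamic disks can outgrow this volume; monitor free space or move some VHDs.'
}
```

The final comparison is the check to schedule on any host that relies on dynamically expanding disks: the guests see the promised maximum, but the host only has what the volume actually holds.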
Lesson 4
Snapshots provide the means to capture a virtual machine's state at a specific point in time. You can use snapshots in Client Hyper-V to perform a number of tasks, and also to provide failback and a structured testing environment. However, there also are several factors that you should consider about using snapshots, which can have potential drawbacks. This lesson will introduce you to snapshots, how to manage them, and things to watch out for when implementing snapshots in your Client Hyper-V installation on Windows 8.
What Is a Snapshot?
In Client Hyper-V, a snapshot is a point-in-time image of a virtual machine. You can take a snapshot of a virtual machine that is running any guest operating system, regardless of whether it is running or stopped. You can take a snapshot of a saved virtual machine, but not when the virtual machine is paused. A snapshot does not change the virtual machine's state. You can take a snapshot by using Hyper-V Manager. To take a snapshot, select the virtual machine, and then select Snapshot from the Action menu. You also can right-click the virtual machine, and select Snapshot.
You can use snapshots to save the state of a virtual machine prior to installing or testing an application, so that you can provide a rollback point should any aspect of the installation or testing process fail.
If memory activity resumes inside the virtual machine while the memory copy process is running, and if that activity involves memory that has not yet been copied to the snapshot's memory file, Hyper-V intercepts the write activity, and then holds it until the original contents are copied.
If the virtual machine is running when the snapshot is taken, users will not experience a server outage. Creating a snapshot can take a considerable amount of time, depending on what is running on the virtual machine. However, the process is hidden from users that connect to the virtual machine.
A snapshot consists of several files that are stored in a Snapshots directory associated with the virtual machine. The path to that directory is a property of the virtual machine, and you can see it in the virtual machine's settings. After the snapshot is complete, the following files will be in the Snapshots folder:
Virtual machine configuration file (*.xml).
Virtual machine saved state files (*.vsv).
Virtual machine memory contents (*.bin).
Snapshot differencing disks (*.avhd).
Because the .bin file is a copy of the guest's memory at the moment of the snapshot, it can contain passwords, keys, and other data that the guest held only in memory; protect the Snapshots directory as carefully as the virtual hard disks themselves.
Settings. Opening the Settings tab enables you to open the Virtual Machine Settings dialog box with the settings that the virtual machine had when Hyper-V took the snapshot. All of these settings are disabled because a snapshot is read-only. The only settings that you can change are the snapshot name and the notes associated with the snapshot.
Apply. Applying a snapshot to a virtual machine essentially means that you are copying the complete virtual machine state from the selected snapshot to the active virtual machine. When you apply a snapshot, any unsaved data in the currently active virtual machine will be lost as you apply a new state to the virtual machine. When you apply a snapshot, Hyper-V prompts you as to whether you want to create a snapshot of your current active virtual machine before you apply the selected snapshot, or just apply the snapshot.
Export. You can use this tab to export a virtual machine, which is the same as clicking Export from the Actions pane.
Rename. You can use this quick shortcut to rename a snapshot without having to open the Virtual Machine Settings.
Delete Snapshot. Deleting a snapshot means that you can no longer restore the virtual machine to that point in time. It is important to understand that if the snapshot is not currently applied, deleting a snapshot will never affect any other snapshots, nor will it affect the virtual machine's current state. The only thing that will disappear is the selected snapshot. If the snapshot you delete is the currently applied snapshot, which is indicated in the Snapshots pane by the green arrowhead, the changes in the snapshot will merge with the parent virtual hard drive when the virtual machine next shuts down.
Delete Snapshot Subtree. Deletes the selected snapshot and any snapshots that reside under it. If the last snapshot in the current snapshot subtree is the currently applied snapshot, all snapshots in the subtree will merge into the parent VHD upon the next shutdown of the virtual machine.
Revert. This returns a virtual machine to the last snapshot that Hyper-V took or applied, and then deletes any changes made since that snapshot.
Hyper-V virtual machine snapshots have multiple uses in your network, predominately in a test lab. You can use snapshots in a development lab for testing a new deployment. When creating a new server, you can use snapshots for each phase of a server's creation. In a training environment, you can use snapshots to revert a server to the previous lab.
If you are going to use snapshots for testing or training, the primary consideration is hard-drive space. Snapshots can use an inordinate amount of hard-drive space quickly, especially if you create multiple snapshots of the same virtual machine.
Be aware of the results of deleting snapshots. If you create multiple snapshots of the same virtual machine, you must be aware of what happens when you delete a snapshot. If the snapshot is the current running version of the virtual machine, deleting the snapshot will merge the snapshot with the original VHD. If you have created multiple subtrees of snapshots, deleting snapshots may have unexpected results if users do not have a clear understanding of how snapshots work.
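The snapshot workflow from this lesson (take, review the tree, apply, delete, delete a subtree) and the disk-space check it recommends, done with the Hyper-V PowerShell module. This is an added example and not code from the course; the VM name 'TestVM' and the snapshot names are assumptions.

```powershell
# Added example, not part of the course text: manage snapshots from
# PowerShell. The VM name 'TestVM' and the snapshot names are assumptions.
Import-Module Hyper-V
$vmName = 'TestVM'

# Where this VM's .xml/.vsv/.bin/.avhd(x) snapshot files are written. The
# .bin file is a copy of guest memory, so lock this folder down like the VHDs.
(Get-VM -Name $vmName).SnapshotFileLocation

# Take a snapshot before a risky change. Works for running, stopped and
# saved VMs; a paused VM has to be resumed first, as the text notes.
$before = Checkpoint-VM -Name $vmName -SnapshotName 'Before app install' -Passthru

# ... install or test the application inside the guest ...

# Review the tree. ParentSnapshotName shows how the differencing disks
# chain, which is what makes deleting the wrong snapshot surprising.
Get-VMSnapshot -VMName $vmName |
    Select-Object Name, CreationTime, ParentSnapshotName

# Roll back ("Apply"). Unsaved state in the running VM is discarded, so
# keep a snapshot of the failed state first if it is worth examining later.
Checkpoint-VM -Name $vmName -SnapshotName 'Failed install state'
Restore-VMSnapshot -Name $before.Name -VMName $vmName -Confirm:$false

# Remove the failed-state snapshot. If it were the applied one, its .avhd
# changes would merge into the parent disk at the VM's next shutdown.
Remove-VMSnapshot -VMName $vmName -Name 'Failed install state'

# Delete a whole branch at once (the Delete Snapshot Subtree action):
# Remove-VMSnapshot -VMName $vmName -Name $before.Name -IncludeAllChildSnapshots

# Disk-space check for a lab that keeps many snapshots: walk each disk's
# differencing chain and total the space the chain occupies on the host.
Get-VM -Name $vmName | Get-VMHardDiskDrive | ForEach-Object {
    $chain = @()
    $path  = $_.Path
    while ($path) {
        $vhd   = Get-VHD -Path $path
        $chain += $vhd
        $path  = $vhd.ParentPath
    }
    $onDisk = ($chain | Measure-Object -Property FileSize -Sum).Sum / 1GB
    '{0}: {1} file(s) in chain, {2:N1} GB on disk' -f $_.Path, $chain.Count, $onDisk
}
```

The chain walk is the part worth keeping: the Snapshots pane shows how many snapshots exist, but only the sum of the .avhd files in each chain tells you how much of the host volume they are actually consuming.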
Tools
Tool: Hyper-V Manager. Description: Management console for Client Hyper-V. Where to find it: Start screen.
Tool: Hyper-V Virtual Machine Connection. Description: Connect directly to local or remote virtual machines without opening Hyper-V Manager. Where to find it: Start screen.
Module 13
Troubleshooting and Recovering Windows 8
Contents:
Module Overview 13-1
Lesson 1: Backing Up and Restoring Files in Windows 8 13-2
Lesson 2: Recovery Options in Windows 8 13-5
Lab: Recovering Windows 8 13-17
Module Review and Takeaways 13-21
Module Overview
It is important to protect the data on your computer systems from accidental loss or corruption. Additionally, to recover from a problem, it typically is easier to restore system settings rather than reinstall the operating system and applications.
Windows 8 provides a number of tools that you can use to back up important data files, as well as tools that can help you to recover a computer that will not start or that starts with errors. To support your users, it is important that you understand how to use these file-backup and system-recovery tools.
Objectives
After completing this module, you will be able to:
Describe how to back up and restore files in Windows 8.
Describe how to recover a Windows 8 computer.
Lesson 1
Although you might implement a file-recovery strategy for user data that is stored on network file servers or network-accessible storage devices, you should remember that users often save their work to local storage. Consequently, it is important that you provide some method of local file recovery, so that if these data files become corrupt or are deleted accidentally, you can recover them.
A computer that is running Windows 8 stores these files in several locations, so you need to ensure that you protect all of them. That way, if a computer problem occurs, no data is lost. You can help to protect these data files and settings by performing regular backups, either by manually copying your files to other media, or by using Windows 8 file-recovery tools.
File History
File History enables you to save copies of your files automatically to either a removable local drive or to a network shared folder.
After you enable File History, it saves a copy of your files every hour to the designated location, and these saved versions are stored forever, by default. However, you can configure the interval at which the save occurs and how long the versions are saved. Windows 8 File History backs up the following folders:
Contacts
Desktop
Favorites
Note: You cannot add additional folders to this list, although you can define exceptions from this list, for files and data that you do not want to back up.
To recover files, you can click Restore personal files from within File History, and then select the file from the folders or libraries in your backup. Alternatively, you can recover files directly from Windows Explorer. Navigate to the folder that contained a deleted file, and then click the History button on the ribbon. The File History opens, and lists the recoverable files.
Also accessible from within File History is a shortcut to Windows 7 File Recovery. This link opens a window, from which you can access the backup and restore tools that Windows 7 included. From within Windows 7 File Recovery, you can access the following tools:
Windows Backup
Create a system image
Create a system repair disc
Windows Backup
Windows Backup provides access to backup-related setup procedures and tasks. This includes managing backup space for both file and system-image backups. Windows Backup lets you make copies of data files for all people who use the computer. You can let Windows select what to back up, or you can select the individual folders, libraries, and drives that you want to back up. By default, your backups are created on a regular schedule. You can change the schedule, and manually create a backup at any time. Once you set up Windows Backup, Windows keeps track of the files and folders that are new or changed, and adds them to your backup.
You can back up files to an external hard disk, to a writeable DVD, or to a network location. However, you must have elevated or administrative permissions to perform a backup. If something goes wrong that requires restoring data from a backup, you can select whether to restore individual files, selected folders, or all personal files.
To back up your files, locate Windows 7 File Recovery, click Set up backup, specify the destination drive to back up, and then select the file types that you want to back up. Windows scans your computer for the file types that you specify, and then backs them up on the target media in a series of compressed folders and related catalog files.
System Image
The Windows Backup option does not back up system files, program files, files that are on File Allocation Table (FAT) volumes, temporary files, and user profile files. If you want to protect these file types, you must use a system image. A system image is an exact copy of a drive. By default, a system image includes the drives required for Windows to run. It also includes Windows and your system settings, programs, and files.
You can use a system image to restore the contents of your computer if your hard drive or computer ever stops working. When you restore your computer from a system image, it is a complete restoration. You cannot choose individual items to restore, and all of your current programs, system settings, and files are replaced with the contents of the system image.
Note: A system image is created, by default, if you enable Windows Backup, and specify that Windows Backup should select the files and folders to back up automatically.
The system repair disc is a disc that you create to repair your computer if you experience serious errors on your computer.
System recovery options can help you repair Windows if a serious error occurs. To use system recovery options, you will need a Windows installation disc or access to the recovery options that your computer manufacturer provides. If you do not have either of those choices, you can create the system repair disc to access system recovery options.
1. Open Windows 7 File Recovery and configure a network location of \\lon-dc1\data for backups.
2. Accept the defaults, and initiate a Windows Backup.
3. Switch to LON-DC1 and view the contents of the DATA shared folder (E:\labfiles\Mod04\data).
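The same backup from the command line, using wbadmin, the tool behind the Windows Backup and system image options. This is an added example and not code from the course; the \\lon-dc1\data share comes from the lab above, while the account name is an assumption.

```powershell
# Added example, not part of the course text: back up the critical volumes
# (a system image) to the lab share with wbadmin and list what is there.
# The share is the lab's; the ADATUM\Administrator account is an assumption.
$target = '\\lon-dc1\data'

# A network target needs credentials. Prompt for them rather than writing
# them into the script. They are still handed to wbadmin on its command
# line, where other local administrators can see them, so do not run this
# from a logon script or a scheduled task that other users can inspect.
$cred     = Get-Credential -UserName 'ADATUM\Administrator' -Message 'Backup share credentials'
$password = $cred.GetNetworkCredential().Password

# -allCritical includes every volume Windows needs to boot, which is what
# the text says a plain file backup does not cover. The arguments are
# quoted so that PowerShell passes each "-name:value" pair as one token.
wbadmin start backup "-backupTarget:$target" '-include:C:' -allCritical `
    "-user:$($cred.UserName)" "-password:$password" -quiet

# Backups recorded on that target. Each version identifier is what a later
# restore (from the GUI or from Windows RE) refers to.
wbadmin get versions "-backupTarget:$target"

# A backup on a file share is only as protected as the share's ACL; confirm
# that ordinary users cannot read the WindowsImageBackup folder.
Get-Acl -Path (Join-Path $target 'WindowsImageBackup') | Format-List Owner, AccessToString
```

The final step matters more than it looks: the image contains every file on the system volume, including the registry hives that hold local password hashes, so a share that is readable by everyone turns a backup into a leak.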
Lesson 2 n
Corruptions in the system registry or issues with device drivers or system services often cause startup-related problems. Therefore, systematic troubleshooting is essential so that you can determine the underlying cause of the problem quickly and efficiently.
This module describes how to identify and troubleshoot issues that affect the operating system's ability to start, and how to identify problematic services that are running on the operating system. It also describes how to use the Windows 8 operating system advanced troubleshooting tools, collectively known as the Windows Recovery Environment (Windows RE).
As the computer starts, Bootmgr.exe loads first, and then reads the BCD, which is a database of startup configuration information that the hard disk stores in a format similar to the registry.
Note: The BCD provides a firmware-independent mechanism for manipulating boot environment data for any type of Windows system. Windows Vista and newer Windows versions use the BCD to load the operating system or to run boot applications, such as memory diagnostics. Its structure is very similar to a registry key, although you should not manage it with the registry editor.
Bootmgr.exe replaces much of the functionality of the NTLDR bootstrap loader that Windows XP and earlier versions of the Windows operating system use. Bootmgr.exe is a separate entity, and it is unaware of other startup operations of the operating system. Bootmgr.exe switches the processor into 32-bit or 64-bit protected mode, prompts the user for which operating system to load (if multiple operating systems are installed), and starts NTLDR if you have Windows XP or earlier installed.
Winload.exe is the operating system boot loader that Windows Boot Manager invokes. Winload.exe loads the operating system kernel (ntoskrnl.exe) and (BOOT_START) device drivers, which, combined with Bootmgr.exe, makes it functionally equivalent to NTLDR. Winload.exe initializes memory, loads drivers that should start, and then transfers control to the kernel.
If the BCD contains information about a current hibernation image, Bootmgr.exe passes that information to Winresume.exe. Bootmgr.exe then exits, and Winresume.exe takes over. Winresume.exe reads the hibernation image file, and uses it to return the operating system to its prehibernation running state.
When you switch on a computer, the startup process loads the BIOS. When it loads the BIOS, the system accesses the boot disk's Master Boot Record (MBR), followed by the drive's boot sector. The Windows 8 startup process has seven steps:
1. The BIOS performs a Power On Self-Test (POST). From a startup perspective, the BIOS enables the computer to access peripherals, such as hard disks, keyboards, and the computer display, prior to loading the operating system.
2. The computer uses information in the BIOS to locate an installed hard disk, which should contain an MBR.
3. The MBR code locates the active partition on the discovered hard disk, and its boot sector loads Bootmgr.exe.
4. Bootmgr.exe reads the BCD file from the active partition, gathers information about the machine's installed operating systems, and then displays a boot menu, if necessary.
5. Bootmgr.exe transfers control to winload.exe, or it calls winresume.exe for a resume operation. If the selected entry is a down-level operating system, such as Windows XP Professional, Bootmgr.exe transfers control to NTLDR.
6. Otherwise, winload.exe initializes memory and loads drivers that are set to begin at startup. These drivers are for fundamental hardware components, such as disk controllers and peripheral bus drivers. Winload.exe then transfers control to the kernel of the operating system, ntoskrnl.exe.
7. The kernel initializes, and then the remaining drivers (those that are not BOOT_START) and services are loaded. During this phase, you will see the screen switch to graphical mode as the Windows subsystem is initialized by the session manager (Smss.exe). The operating system displays the logon screen, and a user logs on to the computer.
Accessing Windows RE
To access Windows RE:
1. Insert the Windows 8 DVD, and then start the computer.
2. When prompted, run the Windows 8 DVD Setup program.
3. After you configure language and keyboard settings, select the Repair your computer option, which scans the computer for Windows installations, and then presents you with a troubleshooting tools menu.
Automatic Failover
Windows 8 provides an on-disk Windows RE. A computer that is running Windows 8 can fail over automatically to the on-disk Windows RE if it detects a startup failure.
During startup, the Windows loader sets a status flag that indicates when the boot process starts. The Windows loader clears this flag before it displays the Windows logon screen. If the startup fails, the loader does not clear the flag. Consequently, the next time the computer starts, the Windows loader detects the flag, assumes that a startup failure has occurred, and then launches Windows RE instead of Windows 8. The advantage of automatic failover to Windows RE Startup Repair is that you may not need to check the problematic computer when a startup problem occurs.
Note that the computer must start successfully for the Windows loader to remove the flag. If the computer's power is interrupted during the startup sequence, the flag is not removed, and automatic Startup Repair is initiated.
Bear in mind that this automatic failover requires the presence of both the Windows boot manager and the Windows loader. If either of these elements of the startup environment is missing or corrupt, automatic failover cannot function, and you must initiate a manual diagnosis and repair of the computer's startup environment.
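How to confirm that the on-disk Windows RE is actually registered, and the BCD element that governs the failover behaviour described above. This is an added example and not code from the course; the commands are the built-in reagentc and bcdedit tools, run from an elevated PowerShell prompt.

```powershell
# Added example, not part of the course text: verify the on-disk Windows RE
# and the boot-status policy that drives automatic failover. Run elevated.

# reagentc reports whether the on-disk Windows RE is enabled and where
# its image (winre.wim) is registered.
reagentc /info

# Enable it if the report shows "Windows RE status: Disabled"; without it
# a failed start has nowhere to fail over to.
$info = reagentc /info | Out-String
if ($info -match 'Windows RE status:\s+Disabled') {
    reagentc /enable
}

# The failover described in the text is controlled per boot entry by the
# bootstatuspolicy element. Its default, DisplayAllFailures, makes the
# loader start Windows RE after a failed or interrupted start; values such
# as IgnoreAllFailures turn the automatic repair off. The identifier is
# quoted so that PowerShell does not parse the braces as a script block.
bcdedit /enum '{current}' |
    Select-String -Pattern 'identifier|bootstatuspolicy|recoveryenabled|recoverysequence'

# Put the default behaviour back if it has been switched off. An attacker
# who wants a machine to boot quietly past failures can use the same
# command with IgnoreAllFailures, so this is worth checking after an incident.
bcdedit /set '{current}' bootstatuspolicy DisplayAllFailures

# To reach the Windows RE menu deliberately, without a DVD, restart into
# the advanced startup options from the running system:
# shutdown /r /o /t 0
```

The recoveryenabled and recoverysequence lines in the /enum output tie the current boot entry to the Windows RE entry; if they are missing, the failover has nothing to launch even when the flag is set, which is the "boot manager or loader missing" case the text describes.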
Windows 8 provides advanced boot options that you can use to start the operating system in advanced troubleshooting modes, including:
Repair your computer
Safe mode
Safe mode with networking
Safe mode with command prompt
Enable boot logging
Enable low resolution video (640 x 480)
Debugging Mode
Disable automatic restart on system failure
Disable Driver Signature Enforcement
Start Windows normally
Windows 8 creates restore points at the following times:
Once daily.
Manually, whenever you choose to create them.
Automatically, if you choose to use System Restore to restore to a previous restore point.
In this instance, System Restore creates a new restore point before it restores the system to a previous state. This provides you with a recovery option should the restore operation fail or result in issues. When you run System Restore from Safe mode or from Windows RE, it does not create a restore point for the current state before restoring to a previous state.
You may use System Restore when you install a device driver that results in a computer that is unstable or that fails to operate entirely. Earlier Windows versions had a mechanism for driver rollback, but it required the computer to start successfully in Safe mode. With Windows 8 computers, you can use System Restore to perform driver rollback by accessing the restore points, even when the computer does not start successfully.
System Restore also provides protection against accidental deletion of programs. System Restore creates restore points when you add or remove programs, and it keeps copies of application programs (file names with an .exe or .dll extension). If you accidentally delete an .exe file, you can use System Restore to recover the file by selecting a recent restore point prior to when you deleted the program.
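The restore-point lifecycle above (enable protection, create a point before a driver change, list the points, roll back) from PowerShell, using the System Restore cmdlets that ship in Windows 8. This is an added example and not code from the course; the description text is an assumption.

```powershell
# Added example, not part of the course text: drive System Restore with the
# Microsoft.PowerShell.Management cmdlets from an elevated prompt.

# Protection must be on for the system drive; otherwise no restore points
# are created and Restore-Computer has nothing to work with.
Enable-ComputerRestore -Drive 'C:\'

# Create a point before installing a driver. On Windows 8 this cmdlet makes
# at most one point per 24 hours unless the SystemRestorePointCreationFrequency
# registry value under HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
# is lowered, so a second call the same day silently does nothing.
Checkpoint-Computer -Description 'Before display driver update' -RestorePointType DEVICE_DRIVER_INSTALL

# List the points, oldest first. SequenceNumber is the handle that
# Restore-Computer needs; CreationTime is a WMI timestamp, converted here.
Get-ComputerRestorePoint |
    Select-Object SequenceNumber,
        @{ n = 'Created'; e = { $_.ConvertToDateTime($_.CreationTime) } },
        Description, RestorePointType

# Roll back to the point taken above (the computer restarts). Restore
# points cover programs, drivers and the registry, not your documents, and
# unlike the GUI this cmdlet does not create an undo point first, so take
# one with Checkpoint-Computer if you may need to reverse the rollback.
$point = Get-ComputerRestorePoint |
    Where-Object Description -eq 'Before display driver update' |
    Select-Object -Last 1
# Restore-Computer -RestorePoint $point.SequenceNumber -Confirm:$false
```

Leave the final line commented until you mean it: Restore-Computer reboots immediately, and anything running in the session is lost.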
These parameters were previously in the Boot.ini file (in BIOS-based operating systems) or in the nonvolatile RAM (NVRAM) entries in operating systems based on an Extensible Firmware Interface (EFI).
However, Windows 8 replaces the boot.ini file and NVRAM entries with the BCD. This store is more versatile than boot.ini, and it can apply to computer platforms that do not use the BIOS to start the computer. You also can apply it to firmware models, such as computers that are based on EFI.
Windows 8 stores the BCD as a registry hive. For BIOS-based systems, the BCD registry file is in the active partition's \Boot directory. For EFI-based systems, the BCD registry file is on the EFI system partition. Because the BCD is an ordinary file on that partition, anyone with administrative rights, or with physical access to an unencrypted disk, can change these startup settings, including the Disable Driver Signature Enforcement and Debugging options listed earlier.
Safe boot: Minimal. On startup, opens the Windows graphical user interface (GUI), known as Windows Explorer, in safe mode, which means it runs only critical system services. Networking is disabled.
Safe boot: Alternate shell. On startup, opens the Windows command prompt in safe mode, running only critical system services. Networking and the GUI are disabled.
Safe boot: Active Directory repair. On startup, opens the Windows GUI in safe mode, running critical system services and Active Directory Domain Services (AD DS).
Safe boot: Network. On startup, opens the Windows GUI in safe mode, running only critical system services. Networking is enabled.
Boot log. Records startup information into a log file.
No GUI boot. Does not display the Windows Welcome screen when starting.
Base video. Uses a generic video display adapter driver.
Number of processors. Limits the number of processors used on a multiprocessor system.
BCDEdit.exe. You can use BCDEdit.exe, a command-line tool, to change the BCD, such as removing entries from the list that displays operating systems. This advanced tool is for administrators and IT professionals. BCDEdit.exe is a command-line tool that replaces Bootcfg.exe in Windows 8. BCDEdit.exe currently enables you to:
o Add entries to an existing BCD store.
o Modify existing entries in a BCD store.
o Delete entries from a BCD store.
o Export entries to a BCD store.
o Import entries from a BCD store.
o List currently active settings.
o Query a particular type of entry.
o Apply a global change (to all entries).
o Change the default time-out value.
Typical reasons to manipulate the BCD with BCDEdit.exe include:
o Adding a new hard disk to your Windows 8 computer, changing the logical drive numbering.
o Installing additional operating systems on your Windows 8 computer, to create a multiboot configuration.
o Deploying Windows 8 to a new computer with a blank hard disk, requiring you to configure the appropriate boot store.
o Performing a backup of the BCD.
o Restoring a corrupted BCD.
The following table provides additional information about the command-line syntax for BCDEdit.exe.

Command  Description
Commands that operate on a store
/createstore  Creates a new empty BCD store
/export  Exports the contents of the system BCD store to a specified file
/import  Restores the state of the system BCD store from a specified file
Commands that operate on boot entries in a store
/copy  Makes copies of boot entries
/create  Creates new boot entries
/delete  Deletes boot entries from a store
Commands that operate on elements
/deletevalue  Deletes elements from a boot entry
/set  Creates or modifies a boot entry's elements
Commands that control output
/enum  Lists the boot entries in a store
Commands that control Boot Manager
/bootsequence  Specifies a one-time boot sequence
/default  Specifies the default boot entry
/displayorder  Specifies the order in which Boot Manager displays its menu
/toolsdisplayorder  Specifies the order in which Boot Manager displays the tools menu
/timeout  Specifies the Boot Manager Timeout value
Commands that control debugging
/bootdebug  Enables or disables boot debugging for a boot application
/dbgsettings  Specifies global debugger parameters
/debug  Enables or disables kernel debugging for an operating system boot entry
Commands that modify other commands
/store  Specifies the BCD store upon which a command acts
/v  Displays boot entry identifiers in full, rather than using well-known identifiers
Commands that control Emergency Management Services
/bootems  Enables or disables Emergency Management Services (EMS) for a specified boot application
/ems  Enables or disables EMS for an operating system boot entry
/emssettings  Specifies global EMS parameters
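The following script is an added example and is not part of the course or of BCDEdit.exe itself. It puts two of the commands from the table to work: /export to take a backup before any change, and /enum whose text output is turned into objects so the loader entries can be reviewed. It assumes an elevated prompt, English-language bcdedit output, and the backup folder C:\BcdBackup (an assumed path).

```powershell
# Added example (not from the course): back up the system BCD store with bcdedit /export,
# then turn the text that bcdedit /enum prints into objects you can filter.
# Requires an elevated prompt and assumes English bcdedit output. C:\BcdBackup is an assumed path.

function Backup-BcdStore {
    param([string]$BackupDir = 'C:\BcdBackup')
    if (-not (Test-Path -Path $BackupDir)) {
        New-Item -ItemType Directory -Path $BackupDir | Out-Null
    }
    $file = Join-Path -Path $BackupDir -ChildPath ('bcd-{0:yyyyMMdd-HHmmss}.bak' -f (Get-Date))
    # /export writes a copy of the store that "bcdedit /import <file>" can restore later
    bcdedit /export $file | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /export failed with exit code $LASTEXITCODE" }
    return $file
}

function ConvertFrom-BcdEnum {
    # $Lines holds the raw output lines of "bcdedit /enum"; each entry becomes one object
    param([Parameter(Mandatory)][string[]]$Lines)
    $entries = @()
    $current = $null
    $lastKey = $null
    foreach ($line in $Lines) {
        if ($line -match '^-{5,}\s*$') { continue }                 # underline below a section title
        if ($line.Trim() -eq '') {                                  # a blank line ends an entry
            if ($current) { $entries += [pscustomobject]$current; $current = $null }
            continue
        }
        if ($line -match '^(\S+)\s{2,}(.+)$') {                     # "identifier    {current}"
            if (-not $current) { $current = [ordered]@{ section = '' } }
            $lastKey = $Matches[1]
            $current[$lastKey] = $Matches[2].Trim()
        }
        elseif ($line -match '^\s+(\S.*)$' -and $current -and $lastKey) {
            # indented continuation of a multi-valued element such as displayorder
            $current[$lastKey] = $current[$lastKey] + "`n" + $Matches[1].Trim()
        }
        elseif (-not $current) {
            $current = [ordered]@{ section = $line.Trim() }        # "Windows Boot Loader"
        }
    }
    if ($current) { $entries += [pscustomobject]$current }
    return $entries
}

function Get-BcdEntry {
    ConvertFrom-BcdEnum -Lines (bcdedit /enum)
}

# Usage: export first, then review the loaders. A loader whose path is not winload.exe or
# winload.efi, or whose device is not the Windows volume, deserves a closer look.
$backup = Backup-BcdStore
Write-Host "BCD exported to $backup"
Get-BcdEntry | Where-Object { $_.section -eq 'Windows Boot Loader' } |
    Select-Object identifier, description, device, path | Format-Table -AutoSize
```

Keeping the exported file on another volume or on the recovery media is what makes the /import command in the table useful later: a store you can restore is worth more than one you can only rebuild.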
BootRec.exe. Use the bootrec.exe tool with the /rebuildbcd option in Windows RE to rebuild the BCD. You must run bootrec.exe in Windows RE. If rebuilding the BCD does not resolve the startup issue, you can export and delete the BCD, and then run this option again. By doing this, you ensure that the BCD rebuilds completely.
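The export, remove and rebuild sequence that the paragraph describes, written out as an added example (not course content). It is typed at the Windows RE command prompt; the same commands work in cmd.exe and in PowerShell, and the comments after # are explanation, not part of what you type. It assumes the Windows volume appears as C: inside Windows RE (the letter can differ) and C:\BCD_Backup is an assumed backup path.

```powershell
# Added example (not from the course): export, set aside and rebuild the BCD from Windows RE.
# Assumes the Windows volume is C: inside Windows RE; C:\BCD_Backup is an assumed path.

bcdedit /export C:\BCD_Backup      # keep a copy; "bcdedit /import C:\BCD_Backup" restores it
c:
cd boot
attrib bcd -s -h -r                # the store is a system, hidden, read-only file
ren c:\boot\bcd bcd.old            # move it aside rather than deleting it
bootrec /rebuildbcd                # scans all disks for Windows installations and offers to add each
```

Because the old store is renamed rather than deleted, a rebuild that finds the wrong installation can be undone by renaming bcd.old back or by importing the exported copy.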
Safe mode with command prompt. Starts Windows in Safe mode with a command-prompt window rather than the usual Windows interface. You typically use this when other startup options do not work.
Enable boot logging. Creates the ntbtlog.txt file, which can be useful for advanced troubleshooting. This file lists all drivers that Windows installs during startup.
Enable low resolution video (640 X 480). Starts Windows using your current video driver, and low resolution and refresh rate settings. Use this mode to reset your display settings.
Debugging Mode. Starts Windows in an advanced troubleshooting mode intended for IT professionals and system administrators. Debugging enables you to examine the behavior of the operating system's device drivers. This is especially useful when Windows stops unexpectedly, as it may provide additional information for driver developers.
Disable automatic restart on system failure. Prevents Windows from restarting automatically if an error causes Windows to fail. Choose this option only if the computer loops through the startup process repeatedly by failing to start correctly, and then attempting another restart.
Disable Driver Signature Enforcement. Allows you to install drivers that contain improper signatures.
Start Windows normally. Starts Windows in normal mode.
Refresh your PC
This option enables you to retain your personal data, apps, and settings but replaces the Windows 8 operating system. This is useful when it is important to retain user-related files and settings, but you do not have the time to determine the specific cause of a startup problem or resolve it.
Note: Because it is quite likely that user settings may have created the startup problem from which you are attempting to recover, the Refresh your PC option is careful about which settings to restore. For instance, file associations, display settings, and Windows Firewall settings are not restored during the refresh process.
Note: It is possible to use the recimg.exe command-line tool to create a refresh image, enabling you to refresh your PC to a specific point in time.
Reset your PC
This option removes all user data and settings, and apps, and then reinstalls Windows. You should select this option when there is no need to retain user data or settings. By using this setting, you revert your computer to the deployment defaults.
Windows 8 provides System Restore capabilities that you can access from the System Tools folder. If you have a system failure or another significant problem with your computer, you can use System Restore to return your computer to an earlier state.
The primary benefit of System Restore is that it restores your system to a workable state without reinstalling the operating system or causing data loss. Additionally, if the computer does not start successfully, you can use System Restore by booting Windows RE from the product DVD.
Note: You can create System Restore points by using the System Restore link in Recovery in Control Panel. First, you must enable System Protection. You can do so by performing these steps: open Icon View in Control Panel, click Recovery, click Advanced Tools, click Configure System Restore, on the System Protection tab, click Configure, and then click Turn On System Protection.
System Image Recovery replaces your computer's current operating system with a complete computer backup that you created previously, and which you stored as a system image. You can use this tool only if you have made a recovery drive of your computer. You should use this tool only if other methods of recovery are unsuccessful, because it is a very intrusive recovery method that overwrites everything on the computer.
Automatic Repair
The Automatic Repair tool in Windows RE provides a simple and effective way for you to resolve most common startup problems. The following sections describe Automatic Repair tool functions:
Replace or Repair Disk Metadata. Disk metadata consists of several components, including the boot sector and the MBR. If these files are missing or corrupt, the startup process fails. If you suspect that an issue has damaged or deleted these files, use Startup Repair to check for problems with the disk metadata. Automatic Repair automatically checks and, if necessary, repairs the disk metadata. Damage to the disk metadata often occurs because of unsuccessful attempts to install multiple operating systems on a single computer. Another possible cause of metadata corruption is a virus infection.
Repair Boot Configuration Settings. Windows XP and earlier Windows operating system versions stored the boot configuration information in Boot.ini, a simple text file. However, Windows 8 uses a configuration store that is located in C:\Boot. If the boot configuration data is damaged or deleted, the operating system fails to start. The Startup Repair tool checks and, if necessary, rebuilds the BCD, by scanning for Windows installations on the local hard disks, and then storing the necessary BCD.
Resolve Incompatible Driver Issues. Installing a new hardware device and its associated device driver often causes Windows to start incorrectly. The Automatic Repair tool performs device driver checks as part of its analysis of your computer. If Automatic Repair detects a driver problem, it uses System Restore points to attempt a resolution, by rolling back configuration to a known working state.
Note: Even if you do not create restore points manually in Windows 8, installing a new device driver automatically causes Windows 8 to create a restore point prior to the installation.
Command Prompt
Windows 8 uses a Command Prompt tool from the Windows RE tool set as its command-line interface. The Command Prompt tool is more powerful than the Recovery Console from early Windows versions, and its features are similar to the command prompt that is available when Windows 8 is running normally:
Resolve Problems with a Service or Device Driver. If a computer that is running Windows 8 experiences problems with a device driver or Windows service, use the Command Prompt tool to attempt a resolution. For example, if a device driver fails to start, use the command prompt to install a replacement driver, or disable the existing driver from the registry. If the Netlogon service fails to start, type Net Start Netlogon at the command prompt. You also can use the SC.exe command-line tool to start and stop services.
Recover Missing Files. The Command Prompt tool also enables you to copy missing files to your computer's hard disk from original source media, such as the Windows 8 product DVD or USB memory stick.
Access and Configure the BCD. Windows 8 uses a BCD store to retain information about the operating systems that you install on the local computer. You can access this information by using the BCDEdit.exe tool at the command prompt. You also can reconfigure the store, if necessary. For example, you can reconfigure the default operating system on a dual-boot computer with the BCDEdit.exe /default id command.
Repair the Boot Sector and MBR. If the boot sector or MBR on the local hard disk is damaged or missing, a computer that is running Windows 8 will fail to start successfully. You can launch the Bootrec.exe program at the command prompt to resolve problems with the disk metadata.
Run Diagnostic and Troubleshooting Tools. The Command Prompt tool provides access to many programs that you can access from Windows 8 during normal operations. These programs include several troubleshooting and diagnostics tools, such as the registry editor (Regedit.exe), a disk and partition management tool (Diskpart.exe), and several networking configuration tools (Net.exe, Ipconfig.exe, and Netcfg.exe). Another option is to load Task Manager (Taskmgr.exe), which you can use to determine which programs and services are running currently.
Note: Windows PE is not a complete operating system. Therefore, when you use the Command Prompt tool in Windows RE, remember that not all programs that work in Windows will work at the command prompt. Additionally, because there are no logon requirements for Windows PE and Windows RE, Windows restricts the use of some programs for security reasons, including many that administrators typically run.
This command scans disks for installations compatible with Windows 8. This option displays installations not listed by bcdedit /enum. You can use the /RebuildBcd option to add the missing installations to the boot store.
o Diskpart
5. In diskpart, type the following commands to view information about disks and volumes installed in LON-CL1:
o List disk
o List volume
6. Close diskpart, and then close the command prompt.
7. Perform an automatic startup repair from the Windows RE Troubleshoot menu.
8. Restart your computer normally.
1. On LON-CL1, log on as Adatum\Administrator with the password Pa$$w0rd, and open an elevated command prompt.
2. Create a duplicate boot entry by running the following command in the elevated command prompt:
o bcdedit /copy {current} /d "Duplicate boot entry"
3. Verify the presence of Duplicate boot entry in the store with the following command, and then restart the computer:
o Bcdedit /enum
4. When Windows restarts, wait until the Choose an operating system menu appears, and then click Change defaults or choose other options. Select the following options in turn:
o Choose other options
o Troubleshoot
o Advanced options
o Startup Settings
o Restart
5. Start Windows in Safe Mode, and then log on as Adatum\Administrator with the password Pa$$w0rd.
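The lab copies {current} by hand and then reaches safe mode through the Startup Settings menu. The following added example (not course code) does the same from a script: it copies {current}, reads the new entry's GUID from bcdedit's output, sets the safeboot element that the MSConfig "Safe boot" options described earlier write, and removes the entry afterwards. The function names are invented; it assumes an elevated prompt and English-language bcdedit output.

```powershell
# Added example (not from the course): automate the lab's "bcdedit /copy {current} /d ..." step,
# give the copy a safeboot element so it starts in safe mode, and remove it afterwards.
# Requires an elevated prompt and assumes English bcdedit output.

function New-SafeModeBootEntry {
    param(
        [string]$Description = 'Windows 8 (Safe Mode)',
        # the values the MSConfig "Safe boot" options write: minimal, network, dsrepair (AD repair)
        [ValidateSet('minimal', 'network', 'dsrepair')][string]$SafeBootMode = 'minimal'
    )
    # {current} must be quoted in PowerShell, otherwise it is parsed as a script block
    $out = (bcdedit /copy '{current}' /d $Description) -join "`n"
    # on success bcdedit prints "The entry was successfully copied to {GUID}."
    if ($LASTEXITCODE -ne 0 -or -not ($out -match '\{[0-9a-fA-F-]{36}\}')) {
        throw "bcdedit /copy failed: $out"
    }
    $id = $Matches[0]
    bcdedit /set $id safeboot $SafeBootMode | Out-Null
    if ($LASTEXITCODE -ne 0) {
        bcdedit /delete $id /cleanup | Out-Null    # do not leave a half-configured entry behind
        throw "bcdedit /set safeboot failed for $id"
    }
    return $id
}

function Remove-BootEntry {
    param([Parameter(Mandatory)][string]$Id)
    # /cleanup also drops the entry from displayorder, so the boot menu shows no dangling item
    bcdedit /delete $Id /cleanup | Out-Null
    return ($LASTEXITCODE -eq 0)
}

# Usage
$id = New-SafeModeBootEntry -SafeBootMode network
bcdedit /enum $id                  # the copy now carries "safeboot Network"
# bcdedit /bootsequence $id        # optional: boot it exactly once, then fall back to the default
Remove-BootEntry -Id $id
```

The /bootsequence command from the BCDEdit table is the safer way to use such an entry: it applies for one restart only, so a forgotten safe-mode entry cannot become the default.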
You have been asked to recover the Windows 8 computer of one of the employees in A. Datum. To do this you will first examine the recovery options available in Windows 8. You then will attempt to resolve a startup issue, and you will document the solution used to resolve the issue.
Objectives
Recover Windows 8 from a startup problem.
Lab Setup
Estimated Time: 30-60 minutes
Virtual Machine(s): 20687A-LON-DC1, 20687A-LON-CL1
User Name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
o User name: Administrator
o Password: Pa$$w0rd
o Domain: Adatum
In this exercise, you will explore the startup-recovery options, including accessing the Advanced Startup Options. The main tasks for this exercise are as follows:
1. Access Windows RE tools.
2. Create a duplicate boot entry in the boot store.
3. Enable advanced boot options.
4. Select Command Prompt, and run the following commands to view the startup environment:
o Bcdedit /enum
o Bootrec /scanos
o Diskpart
Start Windows in Safe Mode, and then log on as Adatum\Administrator with the password Pa$$w0rd. Revert and restart the 20687A-LON-CL1 virtual machine in preparation for the next exercise.
Results: After this exercise, you will have used various Windows 8 startup-recovery tools.
In this exercise, you will attempt to fix a computer that is running Windows 8. The computer does not start successfully. You have an open help-desk ticket so that you can determine the likely cause of the problem.
A. Datum Incident Record
Incident number: 601237
Date and time of call: May 25 10:45am
User: Adam Carter
Incident Details
Adam Carter has reported that his computer will not start properly.
Additional information
Adam has been trying to install an additional operating system on his computer so that he can run a specific line-of-business (LOB) application. He abandoned the installation after getting only partly through the process. Since then, his computer displays the following error message when it starts:
Windows Boot Manager
File: \Boot\BCD
Status: 0xc0000034
Info: The Windows Boot Configuration Data (BCD) file is missing required information.
Plan of Action
The main tasks for this exercise are as follows:
1. Read the help-desk Incident Record for Incident 601237.
2. Update the Plan of Action section of the Incident Record.
3. Simulate the problem.
Open Windows Explorer and run the e:\Labfiles\Mod13\Scenario1.vbs script, and then wait while LON-CL1 restarts.
Results: After this exercise, you should have reproduced the reported startup problem on Adam's computer.
If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance. To repeat or exit the exercise, revert the virtual machine environment.
Results: After this exercise, you should have resolved the startup problem, and documented your solution.
Tools
Tool  Use for  Where to find it
BCDEdit.exe  Viewing and configuring the BCD store  Command-line
sc.exe  Managing services  Command-line
MSConfig.exe  Managing services and the startup environment  Windows
Windows RE  Troubleshooting Windows 8 computers  Elements available on hard disk (automatic failover) and the product DVD
Safe Mode  Troubleshooting startup  Accessible from the Advanced Boot Options menu
Bootrec.exe  Managing the boot environment  Command-line
Course Evaluation
Your evaluation of this course will help Microsoft understand the quality of your learning experience. Please work with your training provider to access the course evaluation form. Microsoft will keep your answers to this survey private and confidential and will use your responses to improve your future learning experience. Your open and honest feedback is valuable and appreciated.
Appendix A
Using Windows PowerShell
Contents:
Module Overview  A-1
Lesson 1: Introduction to Windows PowerShell 3.0  A-2
Lesson 2: Windows PowerShell Remoting  A-11
Lesson 3: Using Windows PowerShell Cmdlets  A-18
Module Review and Takeaways  A-25
Module Overview
Windows PowerShell 3.0 enables IT professionals to automate repetitive tasks, and thereby increase consistency and productivity. For example, remoting capabilities enable IT professionals to connect with multiple remote computers simultaneously to run commands. With Windows 8, IT professionals can use Windows PowerShell, and its graphical user interface (GUI) and scripting editor to write comprehensive scripts that access underlying technologies.
Objectives
After completing this module, you will be able to:
Describe the basic features of Windows PowerShell 3.0.
Describe Windows PowerShell Remoting.
Describe the use of Windows PowerShell cmdlets.
Lesson 1
Windows PowerShell is a task-based, command-line shell designed especially for scripting and system administration. Built on the Microsoft .NET Framework, Windows PowerShell helps IT professionals and users control and automate the administration of the Windows operating system and the applications that run on it. You can use built-in Windows PowerShell commands, called cmdlets, to manage computers in the enterprise from the command line. Windows PowerShell providers enable access to data stores, such as the registry and certificate store, in the same way that the file system is accessed. Additionally, Windows PowerShell has a rich expression parser and a fully developed scripting language.
Cmdlets for performing common system administration tasks, such as using Windows Management Instrumentation (WMI), and managing the registry, services, processes, and event logs. Cmdlets are not case-sensitive.
A task-based scripting language, and support for existing scripts and command-line tools.
Shared data between cmdlets, which enables the output from one cmdlet to be used as the input to another cmdlet.
Command-based navigation of the operating system, which lets consumers navigate the registry and other data stores by using the same techniques that they use to navigate the file system.
Object manipulation capabilities that enable Windows PowerShell to accept and return .NET objects, which can be directly manipulated or sent to other tools or databases.
An extensible interface, which enables independent software vendors (ISVs) and enterprise developers to build custom tools and utilities to administer their software.
Some of the more advanced features of Windows PowerShell are:
Remote management: Commands can be run on one or multiple computers by establishing an interactive session from a single computer. Additionally, you can establish a session that receives remote commands from multiple computers.
Background jobs: Run commands asynchronously and in the background while continuing to work in your session. You can run background jobs on a local or remote computer, and also store the results locally or remotely.
Debugger: The Windows PowerShell debugger helps you debug functions and scripts. You can set and remove breakpoints, step through code, check the values of variables, and display a call-stack trace.
Modules: Use Windows PowerShell modules to organize your Windows PowerShell scripts and functions into independent, self-contained units and package them for distribution to other users. Modules can include audio files, images, Help files, and icons. To avoid name conflicts, modules run in a separate session.
Transactions: Transactions enable you to manage a set of commands as a logical unit. A transaction can be committed, or it can be completely undone so that the affected data is not changed by the transaction.
Events: The new event infrastructure helps you create events, and subscribe to system and application events. You can then listen, forward, and act on events synchronously and asynchronously.
Windows PowerShell includes cmdlets, providers, and tools that you can add to Windows PowerShell to manage other Windows technologies, such as:
Client Hyper-V
Windows Backup
Active Directory Domain Services
Windows BitLocker Drive Encryption
Dynamic Host Configuration Protocol (DHCP) Server service
Group Policy
Remote Desktop Services
Delegated Administration. Users with limited permissions can be given delegated access to specified commands. This enables you to limit the user permissions to only certain commands that users need.
Show-Command. This is a cmdlet and a Windows PowerShell ISE add-on, which provides a GUI to help view valid parameters for other cmdlets.
New Cmdlets. Windows 8 includes Windows PowerShell cmdlets to manage network settings, firewall settings, and many other new features. Many tools and commands used in previous Windows versions now have PowerShell equivalents. The following table shows several examples of the previous tools and commands, and their new PowerShell equivalents.

Old command  PowerShell equivalent
ipconfig /all  Get-NetIPConfiguration
Shutdown.exe  Restart-Computer
Net Start  Start-Service (Restart-Service)
Net Stop  Stop-Service (Restart-Service)
Net Use  New-SmbMapping
Netstat  Get-NetTCPConnection
Netsh advfirewall add  New-NetFirewallRule
Route Print  Get-NetRoute
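As an added example (not from the course), the following script uses two of the replacements in the table, Get-NetTCPConnection for netstat and the NetSecurity cmdlets for netsh advfirewall, to build a listening-port inventory with the owning process and the inbound rules that allow traffic to those ports. The function name is invented; it runs on Windows 8 without extra modules, and process paths are only readable for processes the current user is allowed to open.

```powershell
# Added example (not from the course): a listening-port inventory built from the Windows 8
# NetTCPIP and NetSecurity cmdlets instead of parsing netstat and netsh text output.

function Get-ListeningPortInventory {
    Get-NetTCPConnection -State Listen |
        Sort-Object -Property LocalPort, LocalAddress |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                ProcessId    = $_.OwningProcess
                ProcessName  = if ($proc) { $proc.ProcessName } else { '<exited>' }
                # Path is empty for processes you cannot open; run elevated to see all of them
                Path         = if ($proc) { $proc.Path } else { '' }
            }
        }
}

# Usage: keep the first run as a baseline and diff later runs against it
$inventory = Get-ListeningPortInventory
$inventory | Format-Table -AutoSize

# Which enabled inbound firewall rules allow traffic to those listening ports
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Get-NetFirewallPortFilter |
    Where-Object { $_.LocalPort -in $inventory.LocalPort } |
    Select-Object -Property Protocol, LocalPort, InstanceID
```

Because every stage hands over objects, the inventory can be exported with Export-Csv or compared with Compare-Object, which is not practical with the column layout netstat prints.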
Optionally, you can use one or more parameters with a cmdlet, to modify its behavior or specify settings. Parameters are written after the cmdlet. Each parameter used is separated by a space, and begins with a hyphen. Not all cmdlets use the same parameters. Some cmdlets have parameters that are unique to its functionality. For example, the Move-Item cmdlet has the -Destination parameter to specify the location to move the object, whereas the Get-ChildItem cmdlet has the -Recurse switch parameter. There are several types of parameters, including the following:
Named. Named parameters are most common. They are parameters that can be specified and require a value or modifier. For example, by using the Move-Item cmdlet, you would specify the -Destination parameter along with the exact destination to move the item.
Switch. Switch parameters modify the behavior of the cmdlet, but do not require any additional modifiers or values. For example, you can specify the -Verbose parameter without specifying a value of $True.
Positional. Positional parameters are parameters that can be omitted, and can still accept values based on where the information is specified in the command. For example, you could run Get-EventLog -EventLog System to retrieve information from the System event log. However, because the -EventLog positional parameter accepts values for the first position, you can also run Get-EventLog System to get the same results. When the -EventLog parameter is not present, the cmdlet still accepts the value of System, because it is the first item after the cmdlet name.
Examples of Parameters
Parameters that are common to many cmdlets include options to test the actions of the cmdlet, or to generate verbose information about the execution of the cmdlet. Common parameters include:
-Verbose. This parameter displays detailed information about the performed command. You should use this parameter to obtain more information about the execution of the command.
-WhatIf. This parameter displays the outcome of running the command, without actually running it. This is helpful when you are testing a new cmdlet or script, and you do not want the cmdlet to run.
-Confirm. This parameter displays a confirmation prompt before executing the command. This is helpful when you are running scripts, and you would like to prompt the user before executing a specific step in the script.
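The following function is an added example (not from the course) that shows the three parameter kinds from the author's side: it declares a positional, a named and a switch parameter, and by declaring SupportsShouldProcess it gets -WhatIf and -Confirm for free, while Write-Verbose feeds -Verbose. The function and its parameter names are invented; the RemoteRegistry service it is called with exists on Windows 8.

```powershell
# Added example (not from the course): a function with positional, named and switch parameters
# that also honours the -Verbose, -WhatIf and -Confirm common parameters. Names are invented.

function Disable-UnneededService {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # positional: "Disable-UnneededService RemoteRegistry" works because Name is in position 0
        [Parameter(Mandatory = $true, Position = 0)]
        [string[]]$Name,

        # named: must be written as -StartupType <value>; has a default when omitted
        [ValidateSet('Disabled', 'Manual')]
        [string]$StartupType = 'Disabled',

        # switch: present or absent, takes no value
        [switch]$StopIfRunning
    )

    foreach ($n in $Name) {
        $svc = Get-Service -Name $n -ErrorAction SilentlyContinue
        if (-not $svc) { Write-Verbose "Service '$n' not found, skipping"; continue }

        if ($svc.Status -eq 'Running') {
            if (-not $StopIfRunning) {
                Write-Verbose "$n is running; pass -StopIfRunning to stop it first"
                continue
            }
            # ShouldProcess is what makes -WhatIf print "What if:" and -Confirm prompt instead of acting
            if ($PSCmdlet.ShouldProcess($n, 'Stop service')) { Stop-Service -Name $n }
        }
        if ($PSCmdlet.ShouldProcess($n, "Set startup type to $StartupType")) {
            Set-Service -Name $n -StartupType $StartupType
        }
    }
}

# Usage: a positional value, a named parameter, a switch, and two common parameters.
# With -WhatIf nothing is changed; drop it once the "What if:" lines look right.
Disable-UnneededService RemoteRegistry -StartupType Disabled -StopIfRunning -WhatIf -Verbose
```

Calling Stop-Service and Set-Service inside ShouldProcess is what makes the function safe to rehearse: -WhatIf and -Confirm only work for actions that are wrapped that way.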
All cmdlets support a set of parameters that are called common parameters. This feature provides a consistent interface to Windows PowerShell. When a cmdlet supports a common parameter, the use of the parameter does not cause an error. However, the parameter might not have any effect in some cmdlets.
Additional Reading: To read about Cmdlet Verbs, go to http://msdn.microsoft.com/en-us/library/windows/desktop/ms714428(v=vs.85).aspx.
There are many cmdlets available that perform a variety of tasks. Although cmdlets follow a standard naming convention, it still may be difficult to discover new cmdlets. You can use the Get-Command cmdlet to search for cmdlets based on function, name, and parameters.
Once you have discovered a cmdlet, you need to know how to use it. Each cmdlet has help documentation that you can access by using the Get-Help cmdlet. To get detailed help for a particular cmdlet, type the following:
Get-Help <Cmdlet-Name> -Detailed
The detailed view of the cmdlet help file includes a description of the cmdlet, the command syntax, descriptions of the parameters, and an example that demonstrates the use of the cmdlet. In the help text, optional parameter names appear in square brackets, such as:
Get-Help [[-Name] <string>]
Note: Windows PowerShell 3.0 is fully backward-compatible. Cmdlets, providers, snap-ins, scripts, functions, and profiles designed for Windows PowerShell 1.0 and Windows PowerShell 2.0 work on Windows PowerShell 3.0, without changes.
Add-on Tools: The ISE supports extending the interface through the use of Windows Presentation Foundation (WPF) controls that are displayed in either a horizontal or vertical pane. You can add as many as 20 tools at a time, each of which will display in a separate tab. The Commands add-on is an example add-on that is installed and enabled by default to provide help for each cmdlet.
Multiple sessions: Simultaneously use up to 32 independent sessions (PowerShell tabs) within the ISE. This enables IT professionals to manage multiple servers, each in its own environment, from within one instance of ISE.
Script Editor: Use the script editor to compose, edit, debug and run functions, scripts, and script cmdlets. The script editor includes tab completion, automatic indenting, line numbers, search-and-replace, and go-to line, among other features.
Debugging: The integrated visual script debugger enables the user to set breakpoints, step through the script, check the call stack, and hover over variables to inspect their value.
Object model: The ISE comes with a complete object model, which enables the user to write Windows PowerShell scripts to manipulate the ISE.
Customizability: The ISE is customizable, from the size and placement of the panes, to the text size and the background colors.
Windows PowerShell ISE has its own Windows PowerShell profile: Microsoft.PowerShell_ISE_profile.ps1. Use this profile to store functions, aliases, variables, and commands that you use in Windows PowerShell ISE.
Items in the Windows PowerShell AllHosts profiles <CurrentUser\AllHosts and AllUsers\AllHosts> are available in Windows PowerShell ISE, just as they are in any Windows PowerShell host program. However, items in the Windows PowerShell console profiles are not available in Windows PowerShell ISE. Instructions for moving and reconfiguring profiles are available in Windows PowerShell ISE Help and about_profiles.
In this demonstration you will see how to use Windows PowerShell ISE to perform basic tasks, such as:
Windows PowerShell is an object-based environment. This means that the inputs and outputs of the cmdlets are objects that you can manipulate. In some instances, you may want to take the output of one cmdlet and pass it to another cmdlet for additional actions. For example, when you need to enable all disabled AD DS accounts in the domain, you could manually list each user by using the Get-ADUser cmdlet. Then, you can use the Windows PowerShell cmdlet Enable-ADAccount for each locked user account. To make this easier, you can pass the output data directly from one cmdlet into another cmdlet, which is called piping. Piping is accomplished simply by placing the pipe (|) character between cmdlets. Each cmdlet is executed from the left to the right, each passing its output to the next cmdlet in line. For example, you can get a list of all users in the domain, and then pipe the list to the Enable-ADAccount cmdlet, by running the following command:
Get-ADUser -Filter * | Enable-ADAccount
You can use piping extensively in Windows PowerShell, as it is in other shells. Windows PowerShell differs from typical shells because the data in the pipeline is an object rather than just simple text. Having an object in the pipeline enables you to easily persist all properties of the returned data. The data in the pipeline is assigned to a special variable named $_, which only exists while the pipeline is executing. For example, if you want to only enable accounts that are disabled, you can use the Where-Object cmdlet to return only disabled accounts. To do this, run the following command:
Get-ADUser -Filter * | Where-Object {$_.Enabled -eq $false} | Enable-ADAccount
By piping an object with a list of all users, you are able to use the Where-Object cmdlet to filter the accounts that are disabled based on the Enabled property of the account.
Note: This example is for teaching purposes only. It enables all of the disabled accounts in the domain, and you should not use it in a production environment. This can enable accounts that should remain disabled.
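The same filter-then-act pipeline, as an added example that is not part of the course, applied to services so that it runs on any Windows 8 computer without the AD DS module. It shows $_ reading real object properties inside Where-Object, and it puts the action behind -WhatIf so the pipeline can be rehearsed before it changes anything, which is the missing safeguard in the Enable-ADAccount example above. The function name is invented.

```powershell
# Added example (not from the course): the Get-ADUser | Where-Object | action pattern, applied to
# services so it runs without the AD DS module. Each stage receives objects, so the $_ filter reads
# properties instead of parsing text.

function Get-StoppedAutoService {
    # services that should be running (StartMode Auto) but are not; $_ is the current object
    Get-WmiObject -Class Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' -and $_.State -ne 'Running' } |
        Select-Object -Property Name, DisplayName, State, StartMode, PathName
}

# Inspect first: the objects keep every property, so you can pick the columns you need
Get-StoppedAutoService | Format-Table -AutoSize

# Act second, with -WhatIf so nothing changes until you are satisfied with the list
Get-StoppedAutoService | ForEach-Object { Start-Service -Name $_.Name -WhatIf }

# The AD DS example from the text, rehearsed the same way (needs the ActiveDirectory module):
# Get-ADUser -Filter * | Where-Object { $_.Enabled -eq $false } | Enable-ADAccount -WhatIf
```

Removing -WhatIf is a deliberate last step; until then the pipeline only reports what it would start, which is how a filter that turns out to be too broad gets caught.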
Execution Policy
By default, the execution policy does not allow Windows PowerShell scripts to be executed automatically. This safeguards the computer by preventing unattended scripts from running without the administrator's knowledge. Keep in mind that the execution policy is a safety feature against running scripts accidentally, not a security boundary: a user who can start powershell.exe can start it with a different policy, or paste the contents of a script into the shell. The execution policies that you can set include:
Restricted. This is the default policy for Windows 8 client computers. It does not allow configuration files to load, nor does it allow scripts to be run. The Restricted execution policy is perfect for any computer on which you do not run scripts, or on which you run scripts only rarely. Keep in mind that you could always manually open the shell with a less restrictive execution policy.
AllSigned. This policy requires that all scripts and configuration files be signed by a trusted publisher, including scripts created on your local computer. This execution policy is useful for environments where you do not want to run any script accidentally, unless it has an intact, trusted digital signature. This policy is less convenient because it requires you to digitally sign every script you write, and re-sign each script every time that you make any changes to it.

RemoteSigned. This policy requires that all scripts and configuration files downloaded from the Internet be signed by a trusted publisher. This execution policy is useful because it assumes that local scripts are ones that you create yourself, and that you trust them. It does not require those scripts to be signed. Scripts that are downloaded from the Internet or received via email, however, are not trusted, unless they carry an intact, trusted digital signature. You could certainly still run those scripts by running the shell under a lesser execution policy, for example, or even by signing the script yourself. But those are additional steps that you have to take, so it is unlikely that you would be able to run such a script accidentally or unknowingly.

Unrestricted. This policy loads all configuration files and runs all scripts. If you run a script that was downloaded from the Internet, you are warned about potential dangers and must give permission for the script to run. The Unrestricted execution policy typically is not appropriate for production environments, because it provides little protection against accidentally or unknowingly running untrusted scripts.
Bypass. This policy loads all configuration files and runs all scripts. If you run a script that was downloaded from the Internet, the script will run without any warnings. This execution policy typically is not appropriate for production environments, because it provides no protection against accidentally or unknowingly running untrusted scripts.
You can view the execution policy for the computer by using the Get-ExecutionPolicy cmdlet. To configure the execution policy, you must open an elevated Windows PowerShell window, and then run the Set-ExecutionPolicy cmdlet. Once you configure the execution policy, you can run a script by typing the entire name of the script.
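The following added example (not part of the course text) puts the cmdlets above together: it checks whether the window is elevated, lists the policy for every scope, sets RemoteSigned at the scope the current rights allow, and inspects the Authenticode signature of a downloaded script before trusting it. The script path is a placeholder.

```powershell
# Added example (not from the course text). Run it in a Windows PowerShell window on the
# computer whose policy you want to inspect; the downloaded script path is a placeholder.

# Check whether this window is elevated: Set-ExecutionPolicy for the LocalMachine scope fails otherwise.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# -List shows every scope; the effective policy is the most specific scope that is not Undefined,
# and a policy delivered by Group Policy (MachinePolicy or UserPolicy) wins over anything set locally.
Get-ExecutionPolicy -List
Get-ExecutionPolicy

if ($isAdmin) {
    # RemoteSigned: local scripts run, downloaded scripts must carry a valid signature.
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine -Force
}
else {
    # Without elevation you can still set the policy for your own user account.
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
}

# Before trusting a downloaded script, look at its signature status and who signed it.
$script = "$env:USERPROFILE\Downloads\Get-LatestLogon.ps1"   # assumption
if (Test-Path $script) {
    $sig = Get-AuthenticodeSignature -FilePath $script
    "{0}: {1} (signer: {2})" -f $script, $sig.Status, $sig.SignerCertificate.Subject
}
```

A Status of Valid means the signature chains to a certificate the computer trusts; NotSigned or HashMismatch on a file received from outside the organization is the case RemoteSigned exists to block. A file downloaded with a browser carries a zone identifier that marks it as remote; Unblock-File removes that mark, so use it only after you have read the script.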
Simple Scripts
Scripts are text files that have a .PS1 filename extension. These files contain one or more commands that you want the shell to execute in a particular order. You can edit scripts by using Windows Notepad, but the Windows PowerShell ISE provides a better editing experience. In it, you can type commands interactively, obtain hints on the proper command syntax, and see the results immediately. You then can paste those results into a script for long-term use. Or, you can type your commands directly into a script, highlight each command, and press F8 to execute only the highlighted command. If you like the results, you simply save the script, and you are done. Generally, there are very few differences between what you can do in a script and what you would do on the command line. Commands work in the same way in a script, meaning that a script can literally be created by pasting commands that you have already tested at the command line. The following is a simple script in a text file named Get-LatestLogon.ps1:
# This script returns the five users that most recently logged on to the domain.
# Note: lastLogon is not replicated between domain controllers, so the values reflect
# only the domain controller that answered the query. lastLogonTimestamp is replicated,
# but it can lag behind the real logon by up to 14 days.
Get-ADUser -Filter * -Properties lastLogon | `
    Sort-Object -Property lastLogon -Descending | `
    Select-Object -First 5 | `
    Format-Table Name, `
        @{Label="LastLogon";Expression={[datetime]::FromFileTime($_.lastLogon)}} `
        -AutoSize
Although this script contains a single pipeline statement, it has been broken up using the backtick (`) character. You can break up long lines of code and make the script easier to read by using the backtick character. Notice that the first line of this script starts with a hash mark (#). A line that begins with a hash mark will not be processed. Therefore, you can start a line with a hash mark, and write notes and comments about the script. To run a script, you must type either the full or the relative path name to the script. For example, to run the Get-LatestLogon.ps1 script you can use either of the following options, the first if the script is in your current directory and the second if you know its full path:
.\Get-LatestLogon.ps1
E:\ModXA\Democode\Get-LatestLogon.ps1
If the script name or path has spaces in it, you will need to enclose the name in single or double quotation marks and run it by using the call operator, the ampersand (&) character. The example below shows how to do this using both the relative and a full path:
& '.\Get Latest Logon.ps1'
& 'E:\ModXA\Democode\Get Latest Logon.ps1'
Lesson 2
In the past, managing a remote computer meant having to connect to it using Remote Desktop. This made large-scale or automated management difficult. Windows PowerShell addresses this with remote administration, also known as remoting. Remoting lets you run Windows PowerShell commands for automated or interactive remote management by using Windows Remote Management (WinRM). WinRM is Microsoft's implementation of the Web Services for Management (WS-MAN) protocol, and enables you to:

Create scripts that run on one or many remote computers.
Take control of a remote Windows PowerShell session to run commands directly on that computer.
Create a System Restore point to restore the computer to a previous state, if necessary.
Collect reliability data across the network.
Change firewall rules to protect computers from a newly discovered vulnerability.
One-to-One remoting: In this scenario, you connect to a single remote computer and run shell commands on it, exactly as if you had logged into the console and opened a Windows PowerShell window.
One-to-Many remoting, or Fan-Out remoting: In this scenario, you issue a command that will be executed on one or more remote computers in parallel. You are not working with each remote computer interactively. Rather, your commands are issued and executed in a batch, and the results are returned to your computer for your use.
Many-to-One remoting, or Fan-In remoting: In this scenario, multiple administrators make remote connections to a single computer. Typically, those administrators will have differing permissions on the remote computer, and might be working in a restricted session within the shell. This scenario usually requires custom development of the restricted session, and will not be covered further in this course.
Remoting Requirements
Remoting requires that both Windows PowerShell and WinRM be installed on your local computer and on any remote computers to which you want to connect. WinRM is a Microsoft implementation of Web Services for Management (WS-MAN), which is a set of protocols that has been widely adopted across different operating systems. As the name implies, WS-MAN and WinRM use Web-based protocols. An advantage to these protocols is that they use a single, definable port, making them easier to pass through firewalls than older protocols that selected a port dynamically. WinRM communicates via the Hypertext Transfer Protocol (HTTP). By default, WinRM and PowerShell remoting use TCP port 5985 for incoming HTTP connections and TCP port 5986 for incoming HTTPS connections. Applications that use WinRM, such as Windows PowerShell, can also apply their own encryption to the data that is passed to the WinRM service; by default the WinRM service refuses unencrypted messages, and Kerberos or Negotiate authentication encrypts the message payload even on the HTTP listener. WinRM supports authentication and, by default, uses Active Directory's native Kerberos protocol in a domain environment. Kerberos does not pass credentials across the network, and it supports mutual authentication to ensure that incoming connections are coming from valid computers. To work remotely, the local and remote computers must have the following installed:

Windows PowerShell 2.0 or higher
Microsoft .NET Framework 2.0 or higher
WinRM service
After installing the required software, Windows PowerShell remoting must also be enabled. PowerShell remoting is enabled by default in Windows Server 2012, but you must enable it manually on Windows 8. Any files and other resources that are needed to run a particular command must be on the remote computer, because the remoting commands do not copy any resources. IT professionals must have permission to:

Connect to the remote computer.
Run Windows PowerShell.
Access data stores and the registry on the remote computer.
Windows Server 2012 provides another option for using remoting: Windows PowerShell Web Access. This role provides access to a remote Windows PowerShell session to a client using just a web browser, which can run on a smartphone, tablet, slate, or a non-domain-joined computer.
All of the local input to a remote command is collected before any of it is sent to the remote computer. However, the output is returned to the local computer as it is generated. When you connect to a remote computer, the system uses the user name and password credentials on the local computer to authenticate you to the remote computer. By default, the Kerberos version 5 protocol is used to perform the authorization and authentication. Therefore, an Active Directory domain is expected. In cases where the remote computer is not in a domain, or is in an untrusted domain, the client computer can be allowed to connect by adding the remote computer to the client's TrustedHosts list. Be aware that a TrustedHosts entry tells the client to send credentials to a computer whose identity it cannot verify, so list specific names rather than a wildcard. Additionally, in untrusted environments the remote computer must also enable a WinRM listener encrypted with a valid Secure Sockets Layer (SSL) certificate. This enables the Windows PowerShell client to connect with the -UseSSL parameter of the Invoke-Command, New-PSSession, and Enter-PSSession cmdlets. This parameter uses Hypertext Transfer Protocol Secure (HTTPS) instead of HTTP, and is intended for cases such as Basic authentication, in which the password would otherwise cross the network in plain text. To support remoting, the following cmdlets have been added:

Invoke-Command
Enter-PSSession
Exit-PSSession
Disconnect-PSSession
Receive-PSSession
Connect-PSSession
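The following added example (not part of the course text) walks through the requirements described in the two passages above: enabling remoting on a Windows 8 computer, confirming its listener, adding an HTTPS listener for use outside the domain, and connecting from a client with a TrustedHosts entry and -UseSSL. The computer name, the certificate subject and the firewall rule name are assumptions; the certificate is assumed to be installed already.

```powershell
# Added example (not from the course text). Run in an elevated window. The computer name,
# the certificate subject and the firewall rule name are assumptions for illustration.

# --- On the computer that will accept remote commands (required on Windows 8) ---
Enable-PSRemoting -Force                   # starts WinRM, creates the HTTP listener on TCP 5985, adds the firewall rule
Get-ChildItem WSMan:\localhost\Listener    # confirm that the listener exists

# For a computer outside the domain, add an HTTPS listener (TCP 5986) bound to a certificate
# whose subject matches the name that clients will use to connect.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=LON-CL1.contoso.com" }   # assumption: certificate already installed
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -CertificateThumbPrint $cert.Thumbprint -Force
New-NetFirewallRule -DisplayName "WinRM HTTPS" -Direction Inbound -Protocol TCP -LocalPort 5986 -Action Allow

# --- On the client ---
# Inside a domain Kerberos authenticates both sides, so nothing is needed here. A TrustedHosts
# entry tells the client to send credentials to a host it cannot authenticate: keep it to
# specific names, never "*", and pair it with HTTPS so the password is not exposed.
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "LON-CL1.contoso.com" -Concatenate -Force
Get-Item WSMan:\localhost\Client\TrustedHosts

# Verify the listener before opening a session, then connect over HTTPS with explicit credentials.
Test-WSMan -ComputerName LON-CL1.contoso.com -UseSSL
$cred = Get-Credential -Message "Local administrator on LON-CL1"
Invoke-Command -ComputerName LON-CL1.contoso.com -UseSSL -Credential $cred -ScriptBlock {
    Get-Service -Name WinRM | Select-Object Name, Status
}
```

On Windows 8, Enable-PSRemoting refuses to open the firewall when a network connection is on the Public profile; Windows PowerShell 3.0 adds -SkipNetworkProfileCheck for that case, which limits the rule to the local subnet. Test-WSMan fails when the certificate name does not match the name you connected with, which is the check that -UseSSL relies on to make a TrustedHosts entry safe.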
When you are running commands on multiple computers, be aware of differences between the remote computers, such as differences in operating systems, file system structures, and the system registries. For example, the default home folder is different, depending on the version of Windows that is installed. This location is stored in the %homepath% environment variable ($env:homepath) and the Windows PowerShell $home variable. If no home folder is assigned, the system assigns a default local home folder to the user account (on the root directory where the operating system files are installed, as the initial value).
Temporary connections are made by specifying the name of the remote computer (or its NetBIOS name or IP address). Persistent connections are made by opening a Windows PowerShell session on the remote computer, and then connecting to it.
For a temporary connection, you start the session, run the commands, and then end the session. Variables or functions defined within commands are no longer available after you close the connection. This is an efficient method for running a single command or several unrelated commands, even on a large number of remote computers. To create a temporary connection, use the Invoke-Command cmdlet with the ComputerName parameter to specify the remote computers, and use the ScriptBlock parameter to specify the command. For example, the following command runs Get-EventLog on the Client01 computer:
Invoke-Command -ComputerName Client01 -ScriptBlock {Get-EventLog -LogName System -Newest 10}
Use the Enter-PSSession cmdlet to connect to, and start, an interactive session. For example, the following command starts an interactive session with the computer Client01:
Enter-PSSession Client01
Once you enter a session, the Windows PowerShell command prompt on your local computer changes to indicate the connection, for example:
[Client01]: PS C:\>
The interactive session remains open until you close it. This enables you to run as many commands as required. To end the interactive session, type Exit-PSSession.
Beginning with Windows PowerShell 3.0, persistent sessions are saved on the remote computer. You can use the Disconnect-PSSession cmdlet to disconnect your client connection and leave the persistent session active. To retrieve a list of your persistent sessions on Client01, you can run the following:
Get-PSSession -ComputerName Client01
You can retrieve the results of your disconnected session by using the Receive-PSSession cmdlet. You also can reconnect to a disconnected session by using the Connect-PSSession cmdlet.
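The following added example (not part of the course text) shows the disconnected-session workflow end to end: a command started in a session that outlives the client connection, its output collected later with Receive-PSSession, and a session disconnected and reconnected by name with its variable state intact. Client01 is the page's example name; the session names and the work done in them are assumptions.

```powershell
# Added example (not from the course text). Client01 is the page's example computer;
# the session names and the commands run inside them are assumptions.

# Start a command in a session that survives this client disconnecting (Windows PowerShell 3.0).
$session = Invoke-Command -ComputerName Client01 -InDisconnectedSession -SessionName "PatchScan" -ScriptBlock {
    Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 20
}
# With -InDisconnectedSession, Invoke-Command returns the PSSession object, not the command output.
$session | Select-Object Name, State, Availability

# Later, possibly from another Windows PowerShell window on the same client and as the same user:
Get-PSSession -ComputerName Client01 -Name "PatchScan"
# Receive-PSSession reconnects and returns the output that the session produced in the meantime.
$results = Receive-PSSession -ComputerName Client01 -Name "PatchScan"
$results | Format-Table HotFixID, InstalledOn, Description -AutoSize

# Alternatively, create a session, disconnect it explicitly, and reconnect it by name.
$s = New-PSSession -ComputerName Client01 -Name "Maint"
Invoke-Command -Session $s -ScriptBlock { $start = Get-Date }
Disconnect-PSSession -Session $s
$s = Connect-PSSession -ComputerName Client01 -Name "Maint"
Invoke-Command -Session $s -ScriptBlock { $start }   # the variable survived the disconnect
Remove-PSSession -Session $s                         # free the remote resources when finished
```

Only the user who created a disconnected session can reconnect to it, and the session, together with any variables or credentials it holds, stays alive on the remote computer until it times out or is removed, so remove sessions you no longer need rather than leaving them behind.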
You can establish a One-to-One remoting session by using Windows PowerShell ISE, and clicking the New Remote PowerShell Tab option on the File menu. You also can establish a remote PowerShell session by using the Enter-PSSession cmdlet. For example, to open a remote Windows PowerShell session on a computer named LON-DC1, you would use the following syntax:
Enter-PSSession -ComputerName LON-DC1
One-to-many remoting is primarily done by using the Invoke-Command cmdlet. To run the Get-EventLog cmdlet against the computers named LON-SVR1 and LON-DC1, use the following command:

Invoke-Command -ComputerName LON-SVR1, LON-DC1 -ScriptBlock {Get-EventLog -LogName System -Newest 10}
When a command runs in a persistent session (a PSSession created by New-PSSession and stored in a variable such as $s), the variables that it creates on the remote computer remain available to later commands in the same session. For example, if an earlier command in the session stored the output of Get-Process in $p, the following command counts the number of processes saved in $p:
Invoke-Command -Session $s -ScriptBlock {$p.count}
To interrupt a command, press Ctrl+C. The interrupt request is passed to the remote computer, where it terminates the remote command.
Several cmdlets have a ComputerName parameter that lets you retrieve objects from remote computers. Because these cmdlets do not use Windows PowerShell remoting to communicate, you can use the ComputerName parameter of these cmdlets on any computer that is running Windows PowerShell. The computers do not have to be configured for Windows PowerShell remoting or fulfill the system requirements for remoting. These cmdlets use other remote protocols instead, typically RPC, so the remote computer's firewall must allow that traffic.
The following table provides more information about the ComputerName parameter.

Command: Get-Help * -Parameter ComputerName
Purpose: Determine whether the ComputerName parameter requires Windows PowerShell remoting.
Result: You see a statement similar to "This parameter does not rely on Windows PowerShell remoting. You can use the ComputerName parameter even if your computer is not configured to run remote commands."
You can run commands on more than one remote computer at a time. For temporary connections, the Invoke-Command accepts multiple computer names. For persistent connections, the Session parameter accepts multiple PSSessions. The number of remote connections is limited by the resources of the computers, and their capacity to establish and maintain multiple network connections. To run a remote command on multiple computers, include all computer names in the ComputerName parameter of the Invoke-Command, and separate the names with commas:
Invoke-Command -ComputerName Server01, Server02, Server03 -ScriptBlock {Get-Culture}
You can also run a command in multiple PSSessions. The following commands create PSSessions on Server01, Server02, and Server03, and then run a Get-Culture command in each PSSession:
$s = New-PSSession -ComputerName Server01, Server02, Server03
Invoke-Command -Session $s -ScriptBlock {Get-Culture}
To include the local computer in the list of computers, type the name of the local computer, a dot (.), or localhost. To help manage resources on the local computer, Windows PowerShell includes a per-command throttling feature that limits the number of concurrent remote connections established for each command. The default is 32 or 50 connections, depending on the cmdlet. You can use the ThrottleLimit parameter to set a custom limit. The throttling feature is applied to each command and not to the entire session or to the computer. When you are running commands concurrently in several temporary or persistent connections, the number of concurrent connections is the sum of the concurrent connections in all sessions. To find cmdlets with a ThrottleLimit parameter, use the following command:
Get-Help * -Parameter ThrottleLimit
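The following added example (not part of the course text) brings together the one-to-many techniques from the passages above: a fan-out with a throttle limit that keeps going when a host is unreachable and reports which ones failed, a set of persistent sessions in which state created by one command is used by the next, and a local script file run remotely with the FilePath parameter. The server names are the page's; the fourth server, the services checked and the script path are assumptions.

```powershell
# Added example (not from the course text). Server01-03 are the page's example names;
# Server04, the service names and the script path are assumptions.

$computers = "Server01", "Server02", "Server03", "Server04"

# Temporary connections: one connection per computer, at most two at a time. SilentlyContinue
# keeps the fan-out going when a host is down; the errors are collected in $failed for reporting.
$results = Invoke-Command -ComputerName $computers -ThrottleLimit 2 `
    -ErrorAction SilentlyContinue -ErrorVariable failed -ScriptBlock {
        Get-Service -Name WinRM, MpsSvc, WinDefend -ErrorAction SilentlyContinue |
            Select-Object Name, Status
    }
# Each returned object carries its origin in the PSComputerName property that remoting adds.
$results | Sort-Object PSComputerName | Format-Table PSComputerName, Name, Status -AutoSize
$failed | ForEach-Object { "Unreachable: $($_.TargetObject) - $($_.Exception.Message)" }

# Persistent sessions: $p is created on each remote computer by the first command and read by the second.
$s = New-PSSession -ComputerName $computers -ErrorAction SilentlyContinue
Invoke-Command -Session $s -ScriptBlock { $p = Get-Process }
Invoke-Command -Session $s -ScriptBlock {
    [pscustomobject]@{ Host = $env:COMPUTERNAME; Processes = $p.Count }
}

# Run a local script file on every session without copying it: its text is sent with the command.
$script = "C:\Scripts\Get-LatestLogon.ps1"   # assumption
if (Test-Path $script) { Invoke-Command -Session $s -FilePath $script }

Remove-PSSession -Session $s
```

Because the script block and the script file both execute on the remote computer, anything they reference (modules, paths, credentials) must exist there; what comes back is deserialized output, so the objects in $results have properties but no methods.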
When you run a local script on remote computers by using the FilePath parameter of Invoke-Command, the results of the script are returned to the local computer, and you do not need to copy the script file to the remote computers. Some tasks performed by IT professionals that use Windows PowerShell include:
Running a command on all computers to check if the anti-virus software service is stopped, and to automatically restart it, if necessary.
Modifying the security rights on files or shares.
Opening a data file and passing the contents into a preformatted output file, like an HTML page or Microsoft Office Excel spreadsheet.
Searching Event Logs for specific information.
Remotely creating a System Restore point prior to troubleshooting.
Remotely querying for installed updates.
Editing the registry using transactions.
Remotely examining system stability data from the reliability database.
Lesson 3
IT professionals need to repeatedly perform a variety of tasks, such as creating and modifying Group Policy Objects (GPOs) and user accounts. To reduce the workload, you can perform many common tasks using Windows PowerShell. For example, you can now manage GPOs, Windows Firewall rules, and network settings by using Windows PowerShell. You also may need to create scripts that others within your company can use. Windows 8 and Windows PowerShell 3.0 provide cmdlets and features that help you address these issues. In this lesson, you will learn about advanced Windows PowerShell scripting and managing GPOs.
There are several PowerShell constructs that use Boolean comparisons to control the execution of code within a script. These constructs are if, switch, for, while, and foreach.
The if Statement
You can use the if statement to execute a block of code, if the specified criteria are met. The basic functionality of an if statement is shown here:
if (Boolean comparison) {
    Code to complete if test expression is true
}
Another option available to accommodate additional possibilities is using else and elseif statements. In a case where you wish to execute special code if a condition exists or execute other code if it does not exist, you can use the else statement. If there are additional conditions you wish to test, you could use the elseif statement. See the example below:
$Today = Get-Date
if ($Today.DayOfWeek -eq "Monday") {
    Write-Host "Today is Monday"
}
elseif ($Today.DayOfWeek -eq "Thursday") {
    Write-Host "Today is Thursday"
}
else {
    Write-Host "Today is not Monday or Thursday"
}
The switch statement is closely related to how ifelse statements work. The statement enables a single condition statement to have multiple options for execution. The switch statement has the following syntax:
switch (Value Testing) {
    Value 1 { Code run if value 1 condition exists }
    Value 2 { Code run if value 2 condition exists }
    Value 3 { Code run if value 3 condition exists }
    default { Code run if no other condition exists }
}
Using the previous example, you can achieve the same functionality with less work, as shown in the following example:
switch ($Today.DayOfWeek) {
    "Monday"   { Write-Host "Today is Monday" }
    "Thursday" { Write-Host "Today is Thursday" }
    default    { Write-Host "Today is not Monday or Thursday" }
}
In cases where a larger number of ifelse statements are needed, the switch statement may be an easier option to use and debug.
You can use the for loop to execute a block of code a specific number of times. This is useful when multiple items need to be requested or created. The for statement syntax is:
for (setup loop variables ; Boolean comparison ; action after each loop) {
    Code to complete while Boolean comparison is true
}
The for loop begins with settings to configure variables, the Boolean comparison, and an action to complete after each loop.
The while loop can be used to execute a block of code while a specific condition exists. It is very similar to the for loop, except that it does not have built-in mechanisms to setup variables and actions to run after each loop. This enables the while statement to continue executing until a condition is met, rather than execute a set number of times. The while statement syntax is:
while (Boolean comparison) {
    Code to complete while Boolean expression is true
}
Also available is the do/while loop, which works like the while loop. However, the Boolean expression is evaluated at the end of the loop, instead of the beginning. This means that the code block in a do/while loop will always be executed at least once. Because the condition is evaluated at the end, the variable that it tests can be assigned inside the loop body instead of before the loop. The following example shows a do/while loop:
do {
    Code to complete while Boolean expression is true
} while (Boolean comparison)
The foreach statement iterates through an array (collection), item by item, assigning a specifically named variable to the current item of the collection. It then runs the code block for that element, as the following example shows.
foreach (item in collection) {
    Code to complete for each item in the collection.
}
Using the foreach statement can make batch modifications easier. Consider, for example, setting a description for all users that are members of a specific group, as the following example shows.
# Get a list of the members of the Domain Admins group. Only user objects are kept,
# because a group or computer member would make Set-ADUser fail.
$DAdmins = Get-ADGroupMember "Domain Admins" | Where-Object { $_.objectClass -eq "user" }
# Go through each member and set the Description
foreach ($user in $DAdmins) {
    Set-ADUser -Identity $user.DistinguishedName -Description "In the Domain Admins Group"
}
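The following added example (not part of the course text) uses every construct from this section (foreach, switch, if/elseif, for and do/while) on one realistic task: summarising a security-log extract by account. The log lines are constructed for the example and the failure threshold is an assumption; the event IDs are the standard Windows ones (4625 failed logon, 4624 successful logon, 4740 account lockout, 4720 account created).

```powershell
# Added example (not from the course text). The log lines are constructed for the example;
# the threshold is an assumption. Event IDs: 4625 failed logon, 4624 logon, 4740 lockout, 4720 user created.

# Constructed security-log extract: timestamp, event ID, account, source address.
$logLines = @(
    "2012-06-01 08:00:01,4625,CONTOSO\alice,10.1.1.15"
    "2012-06-01 08:00:03,4625,CONTOSO\alice,10.1.1.15"
    "2012-06-01 08:00:05,4625,CONTOSO\alice,10.1.1.15"
    "2012-06-01 08:00:07,4624,CONTOSO\alice,10.1.1.15"
    "2012-06-01 08:02:10,4625,CONTOSO\bob,10.1.1.99"
    "2012-06-01 08:03:00,4740,CONTOSO\bob,10.1.1.99"
    "2012-06-01 08:05:00,4720,CONTOSO\svc-new,10.1.1.5"
)

$threshold = 3                 # assumption: failures per account that count as suspicious
$failures  = @{}               # account -> number of failed logons
$lockouts  = @()
$created   = @()

# foreach walks the collection; switch branches on the event ID; if applies the threshold.
foreach ($line in $logLines) {
    $time, $eventId, $account, $source = $line -split ","
    switch ($eventId) {
        "4625" { $failures[$account] = 1 + $failures[$account] }   # $null + 1 = 1 on first failure
        "4624" {
            if ($failures[$account] -ge $threshold) {
                Write-Host "$time $account logged on from $source after $($failures[$account]) failures"
            }
        }
        "4740" { $lockouts += $account }
        "4720" { $created  += $account }
        default { Write-Host "Ignoring event $eventId" }
    }
}

# for: report at most the two accounts with the most failures.
$ranked = @($failures.GetEnumerator() | Sort-Object Value -Descending)
for ($i = 0; $i -lt [Math]::Min(2, $ranked.Count); $i++) {
    "{0} failed {1} time(s)" -f $ranked[$i].Key, $ranked[$i].Value
}

# do/while: the body runs at least once, so $found needs no value before the loop.
# Here the "poll" is simulated; in practice each pass would re-read the log.
$attempt = 0
do {
    $attempt++
    $found = $lockouts.Count -gt 0
} while (-not $found -and $attempt -lt 5)

"Lockouts: $($lockouts -join ', '); new accounts: $($created -join ', '); polls: $attempt"
```

With the constructed input, alice's successful logon is reported because it follows three failures, bob appears as locked out, and svc-new as newly created; the same loop bodies work unchanged on lines exported from Get-EventLog or Get-WinEvent once they are split into the same four fields.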
Variables
Windows PowerShell enables you to retrieve, modify, and filter data from a variety of sources. In some cases, you may want to store data for comparison or use. For example, you may wish to retrieve a list of the members of a particular security group and then modify the description field of each of the users. Variables are used to store and retrieve data in memory during a Windows PowerShell session. A variable always begins with a dollar ($) sign and then can be named with descriptive text or numbers, such as $Variable1, $x, and $MemberList. Windows PowerShell variables are typed, meaning that they are created to store a specific type of data, whether it is text, numbers, objects, time, arrays, or another defined object. You can declare a variable in one of two ways, the first of which is using the Set-Variable cmdlet. For example, to declare a variable named $ADDS and assign it the object returned from Get-ADDomain by using the Set-Variable cmdlet, use the following command:
Set-Variable -Name ADDS -Value (Get-ADDomain)
You will notice you do not specify the $ symbol when using the Set-Variable cmdlet to declare variables. The second way to create a variable is by declaring it and assigning a value to it. To do this, start the command with the name of the variable, followed by an equal sign, and then the command, commands, or value to assign. For example, to declare a variable named $ADDS and assign it the object returned from Get-ADDomain, use the following command:
$ADDS = Get-ADDomain
The $ADDS variable now holds a copy of the object output by the Get-ADDomain cmdlet. The output object takes on the type defined in the relevant class, and the variable maintains that structure. You can now read and manipulate the variable similar to how you would a .NET object. To obtain information about the properties or to run methods, you can use dotted notation on the variable. For example, to determine the domain functional level reported by the DomainMode property of Get-ADDomain, you can use the following command:
> $ADDS.DomainMode
Windows2008R2Domain
The following are eventing examples that you can use:

Create a script that performs directory management when files are added to, or removed from, a specific location.
Create a script that performs a management task only when a specific event is added multiple times, or if different events occur within a specified amount of time.
Create scripts that respond to events produced by internal applications, and perform management tasks specific to organizational requirements.

Eventing supports WMI and .NET Framework events that provide more detailed notifications than those available in the standard event logs.
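The following added example (not part of the course text) implements the first scenario in the list above with a .NET Framework event: a FileSystemWatcher whose Created and Deleted events are subscribed with Register-ObjectEvent, logged, and acted on. The watched folder, the log path and the quarantine folder are placeholders under the temporary directory, and the script creates them.

```powershell
# Added example (not from the course text). The watched folder, log file and quarantine
# folder are placeholders under %TEMP%; the script creates them.

$watchPath  = "$env:TEMP\Watched"       # assumption
$quarantine = "$env:TEMP\Quarantine"    # assumption
$log        = "$env:TEMP\watched-changes.log"
foreach ($dir in $watchPath, $quarantine) {
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
}

# A .NET FileSystemWatcher raises Created/Deleted events for the folder.
$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = $watchPath
$watcher.Filter = "*.*"
$watcher.IncludeSubdirectories = $false
$watcher.EnableRaisingEvents = $true

# The action runs in this session each time the event fires; $Event holds the event data.
$action = {
    $e = $Event.SourceEventArgs
    $entry = "{0} {1} {2}" -f (Get-Date -Format s), $e.ChangeType, $e.FullPath
    Add-Content -Path $Event.MessageData.Log -Value $entry
    # Example management action: move executables dropped into the folder out of the way.
    if ($e.ChangeType -eq "Created" -and $e.FullPath -like "*.exe") {
        Move-Item -Path $e.FullPath -Destination $Event.MessageData.Quarantine -Force -ErrorAction SilentlyContinue
    }
}
$data = @{ Log = $log; Quarantine = $quarantine }
Register-ObjectEvent -InputObject $watcher -EventName Created -SourceIdentifier FileCreated -Action $action -MessageData $data | Out-Null
Register-ObjectEvent -InputObject $watcher -EventName Deleted -SourceIdentifier FileDeleted -Action $action -MessageData $data | Out-Null

# Trigger the events and look at what was recorded.
"test" | Set-Content "$watchPath\note.txt"
Remove-Item "$watchPath\note.txt"
Start-Sleep -Seconds 2
Get-Content $log

# Subscriptions live only in this session; remove them when finished.
Unregister-Event -SourceIdentifier FileCreated
Unregister-Event -SourceIdentifier FileDeleted
$watcher.Dispose()
```

The -MessageData parameter is how values from the registering scope reach the action block, which otherwise sees only the event. The same pattern applies to WMI events with Register-WmiEvent, for example subscribing to a Win32_ProcessStartTrace query to act on process creation, and to Get-Event for collecting events when no -Action is supplied.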
To run Windows PowerShell Group Policy cmdlets on a Windows 8 client computer, you must use the Import-Module GroupPolicy command to import the Group Policy module. This must be imported before you use the cmdlets, at the beginning of every script that is using them, and at the beginning of every Windows PowerShell session.

The following table displays some of the Group Policy settings for Windows PowerShell. These Group Policy settings enable you to specify whether Windows PowerShell scripts run before non-Windows PowerShell scripts during computer startup and shutdown, and user logon and logoff. By default, Windows PowerShell scripts run after non-Windows PowerShell scripts.

Setting name: Run Windows PowerShell scripts first at computer startup, shutdown
Location: Computer Configuration\Administrative Templates\System\Scripts\
Default value: Not Configured
Possible values: Not Configured, Enabled, Disabled
Description: This policy setting determines whether Windows PowerShell scripts will run before non-PowerShell scripts during computer startup and shutdown. By default, PowerShell scripts run after non-PowerShell scripts. If you enable this policy setting, within each applicable Group Policy object (GPO), PowerShell scripts will run before non-PowerShell scripts during computer startup and shutdown.

Setting name: Run Windows PowerShell scripts first at user logon, logoff
Location: Computer Configuration\Administrative Templates\System\Scripts\
Default value: Not Configured
Possible values: Not Configured, Enabled, Disabled
Description: This policy setting determines whether Windows PowerShell scripts will run before non-PowerShell scripts during user logon and logoff. By default, PowerShell scripts run after non-PowerShell scripts. If you enable this policy setting, within each applicable Group Policy object (GPO), PowerShell scripts will run before non-PowerShell scripts during user logon and logoff.

Setting name: For this GPO, run scripts in the following order (Startup)
Location: Computer Configuration\Policies\Windows Settings\Scripts (Startup/Shutdown)\
Default value: Not Configured
Possible values: Not Configured, Run Windows PowerShell scripts first, Run Windows PowerShell scripts last

Setting name: For this GPO, run scripts in the following order (Shutdown)
Location: Computer Configuration\Policies\Windows Settings\Scripts (Startup/Shutdown)\
Default value: Not Configured
Possible values: Not Configured, Run Windows PowerShell scripts first, Run Windows PowerShell scripts last

Setting name: For this GPO, run scripts in the following order (Logon)
Location: User Configuration\Policies\Windows Settings\Scripts (Logon/Logoff)\
Default value: Not Configured
Possible values: Not Configured, Run Windows PowerShell scripts first, Run Windows PowerShell scripts last

Setting name: For this GPO, run scripts in the following order (Logoff)
Location: User Configuration\Policies\Windows Settings\Scripts (Logon/Logoff)\
Default value: Not Configured
Possible values: Not Configured, Run Windows PowerShell scripts first, Run Windows PowerShell scripts last

The four per-GPO settings apply only to the scripts assigned in that GPO and determine whether its Windows PowerShell scripts run before or after its other scripts.
Function: Maintain GPOs: GPO management, removal, backup, and import.
Cmdlets: Backup-GPO, Restore-GPO, Import-GPO, Remove-GPO, Copy-GPO, Get-GPO

Function: Associate GPOs with Active Directory containers: Group Policy link creation, update, and removal.
Cmdlets: New-GPLink, Set-GPLink, Remove-GPLink

Function: Set inheritance flags and permissions on Active Directory organizational units and domains.
Cmdlets: Get-GPInheritance, Set-GPInheritance, Get-GPPermission, Set-GPPermission

Function: Configure registry-based policy settings and Group Policy Preferences Registry settings: update, retrieval, and removal.
Cmdlets: Get-GPRegistryValue, Set-GPRegistryValue, Remove-GPRegistryValue

Function: Create and edit new and Starter GPOs.
Cmdlets: New-GPO, New-GPStarterGPO

You can use the Get-GPRegistryValue and the Set-GPRegistryValue cmdlets to change registry-based policy settings, and the Get-GPPrefRegistryValue and Set-GPPrefRegistryValue cmdlets to change registry preference items. Other valuable Group Policy cmdlets include:

Backup-GPO and Restore-GPO
Copy-GPO
Import-GPO
Set-GPLink
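The following added example (not part of the course text) uses the cmdlets in the table to do one end-to-end change: create a GPO that enforces the AllSigned execution policy through the registry-based "Turn on Script Execution" setting, read the values back, link the GPO to an OU as enforced, and back it up. The GPO name, OU and backup path are assumptions; the registry key and value names are the ones the Administrative Template writes.

```powershell
# Added example (not from the course text). The GPO name, OU and backup path are assumptions;
# it requires the GroupPolicy module (RSAT) and rights to create and link GPOs in the domain.
Import-Module GroupPolicy

$gpoName = "PowerShell Execution Policy"          # assumption
$target  = "OU=Workstations,DC=contoso,DC=com"    # assumption
$backup  = "C:\GPOBackups"                        # assumption

# Create the GPO, or reuse it if it already exists.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment "Enforces the AllSigned execution policy" }

# "Turn on Script Execution" is a registry-based policy; these are the values the
# Administrative Template writes under the Windows PowerShell policy key.
$key = "HKLM\Software\Policies\Microsoft\Windows\PowerShell"
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName EnableScripts   -Type DWord  -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName ExecutionPolicy -Type String -Value "AllSigned" | Out-Null

# Read the settings back from the GPO before linking it.
Get-GPRegistryValue -Name $gpoName -Key $key | Format-Table ValueName, Type, Value -AutoSize

# Link the GPO to the OU as enforced, so that a GPO linked lower down cannot override it.
$inheritance = Get-GPInheritance -Target $target
if (-not ($inheritance.GpoLinks | Where-Object { $_.DisplayName -eq $gpoName })) {
    New-GPLink -Name $gpoName -Target $target -LinkEnabled Yes -Enforced Yes | Out-Null
}

# Back up the GPO so the change can be reverted with Restore-GPO or moved with Import-GPO.
if (-not (Test-Path $backup)) { New-Item -ItemType Directory -Path $backup | Out-Null }
Backup-GPO -Name $gpoName -Path $backup -Comment "After setting ExecutionPolicy=AllSigned"
```

A policy applied this way shows up on the client in the MachinePolicy scope of Get-ExecutionPolicy -List and takes precedence over anything set with Set-ExecutionPolicy; Set-ExecutionPolicy then reports that the setting is overridden by a policy defined at a more specific scope.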
Make a goal to spend time learning how to use Windows PowerShell for your common tasks. This makes you more comfortable while working with Windows PowerShell, and will equip you for using it to solve more complicated problems. Save the commands that you have used to solve problems in a script file for later reference. Use Windows PowerShell ISE for help with writing scripts and to ensure that you have the proper syntax.
Question: Which cmdlet will display the content of a text file?
Question: Which cmdlet will move a file to another directory?
Question: Which cmdlet will rename a file?
Question: Which cmdlet will create a new directory?
Question: Which cmdlet do you think would retrieve information from the Event Log?
Question: Which cmdlet do you think would start a stopped virtual machine?
Tools
You can use the following tools to work with Windows PowerShell:

Tool: Windows PowerShell Integrated Scripting Environment (ISE)
Description: Windows PowerShell ISE provides a simple, yet powerful interface to create and test scripts, and discover new cmdlets.

Tool: Microsoft Visual Studio Workflow Designer
Description: This is a development tool used to create Windows PowerShell workflows.

Tool: Powershell.exe
Description: This is the Windows PowerShell executable.

Tool: Active Directory Administrative Center
Description: This tool enables you to perform common Active Directory management tasks, such as creating and modifying user and computer accounts. All of the changes made by using this management tool are logged in the Windows PowerShell History pane.
Results: After completing this exercise, you will have evaluated the installation environment, and then selected the appropriate Windows edition to install.
1. On the host computer, double-click the Hyper-V Manager icon on the desktop, or click Start, click Administrative Tools, and then click Hyper-V Manager.
2. In the Hyper-V Manager console, right-click 20687A-LON-CL4, and then click Settings.
3. In the Settings for 20687A-LON-CL4 window, click DVD Drive in the left-hand column, under IDE Controller 1.
4. In the details pane, select Image file, and then click Browse.
5. In the Open window, navigate to C:\Program Files\Microsoft Learning\20687\Drives, and then double-click the Windows8.iso file. Click OK to close the Settings for 20687A-LON-CL4 window.
6. On the License terms page, select the I accept the license terms check box, and then click Next.
7. On the Which type of installation do you want? page, click Custom: Install Windows only (advanced).
8. On the Where do you want to install Windows? page, click Next. Wait for Windows 8 to install. This process will take 5-10 minutes.
9. On the Personalize screen, type LON-CL4 in the PC name field, and then click Next.
10. On the Settings page, click Use express settings.
11. On the Sign in to your PC page, click Sign in without a Microsoft account.
12. On the Sign in to your PC page, click Local account.
13. In the User name field, type User.
14. In the Password field and the Reenter password field, type Pa$$w0rd.
15. In the Password hint field, type Forgot already?
16. Click Finish, and wait for the installation to complete.
Results: After this exercise, you should have performed a clean installation of Windows 8.
1. On the host computer, double-click the Hyper-V Manager icon on the desktop, or click Start, click Administrative Tools, and then click Hyper-V Manager.
2. In the Hyper-V Manager console, right-click 20687A-LON-CL1, and then click Settings.
3. In the Settings for 20687A-LON-CL1 window, click Diskette Drive.
4. In the Details pane, select Virtual floppy disk (.vfd) file, browse to C:\Program Files\Microsoft Learning\20687\Drives, and then double-click Lab1BEx1.vfd.
5. Click OK.
1. In Windows System Image Manager (Windows SIM), place the cursor in the Windows Image section, right-click, and then click Select Windows Image.
2. Browse to E:\labfiles\Mod01\Sources, and then double-click install.wim.
3. Click Windows 8 Release Preview, and then click OK.
4. In Windows System Image Manager, click File, and then click Open Answer File.
5. Browse to Floppy Disk Drive (A:), and then double-click Autounattend.xml.
6. In the Windows Image section, expand Components, scroll down, right-click amd64_Microsoft-Windows-Setup_6.2.8400.0_neutral, and then click Add Setting to Pass 1 windowsPE.
7. In the Answer File pane, expand amd64_Microsoft-Windows-Setup_neutral, and then click UserData.
8. In the UserData Properties pane, double-click AcceptEula, and then from the drop-down menu, select true.
9. Double-click the FullName setting, type Adatum, and then press Enter.
10. Double-click the Organization setting, type Adatum, and then press Enter.
11. In the Answer File pane, expand UserData, and then click ProductKey.
12. In the Properties pane, double-click the Key setting, type TK8TP-9JN6P-7X7WW-RFFTV-B7QPF, and then press Enter.
13. Double-click WillShowUI, and then from the drop-down menu, select OnError.
Task 4: Save the answer file and remove the diskette drive
1. In Windows System Image Manager, click File, and then click Save Answer File.
2. Close Windows System Image Manager.
3. On the host computer, double-click the Hyper-V Manager icon on the desktop, or click Start, click Administrative Tools, and then click Hyper-V Manager.
4. In the Hyper-V Manager console, right-click 20687A-LON-CL1, and then click Settings.
5. In the Settings for 20687A-LON-CL1 window, click Diskette Drive.
6. In the Details pane, select None.
7. Click OK.
Results: After completing this exercise, you should have modified an unattended answer file to use for automating the Windows 8 installation process.
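Answer files are plain XML, so the settings entered through Windows SIM above can be audited without the tool. The script below is an added example, not part of the 20687A course text: it reads the UserData settings configured in this exercise and flags any embedded plaintext password, the most common security problem in answer files (the file is also copied to C:\Windows\Panther on the installed system, where anyone with local access can read it). The sample XML is constructed here and includes an AutoLogon block that the lab does not configure; the unattend namespace and element names are those of the Windows Setup unattend schema.

```powershell
# Added example: audit an Autounattend.xml for the UserData settings from the lab
# and for plaintext passwords. The sample document below is constructed.
function Test-UnattendFile {
    param([Parameter(Mandatory)][xml]$Xml)
    $ns = New-Object System.Xml.XmlNamespaceManager($Xml.NameTable)
    $ns.AddNamespace('u', 'urn:schemas-microsoft-com:unattend')

    $userData = $Xml.SelectSingleNode('//u:component[@name="Microsoft-Windows-Setup"]/u:UserData', $ns)
    $report = [ordered]@{
        AcceptEula   = $userData.SelectSingleNode('u:AcceptEula', $ns).InnerText
        FullName     = $userData.SelectSingleNode('u:FullName', $ns).InnerText
        Organization = $userData.SelectSingleNode('u:Organization', $ns).InnerText
        ProductKeyUI = $userData.SelectSingleNode('u:ProductKey/u:WillShowUI', $ns).InnerText
        Findings     = @()
    }
    # Every <Password> element (AutoLogon, LocalAccounts, AdministratorPassword, ...)
    # carries a <PlainText> flag; true means the credential is readable as-is.
    foreach ($pw in $Xml.SelectNodes('//u:Password', $ns)) {
        $plain = $pw.SelectSingleNode('u:PlainText', $ns)
        if ($plain -and $plain.InnerText -eq 'true') {
            $report.Findings += "plaintext password under <$($pw.ParentNode.Name)> (pass $($pw.ParentNode.ParentNode.ParentNode.pass))"
        }
    }
    [pscustomobject]$report
}

# Constructed sample: the UserData values from the lab plus an AutoLogon block of
# the kind often added to answer files for hands-off deployments.
$sample = [xml]@'
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="windowsPE">
    <component name="Microsoft-Windows-Setup" processorArchitecture="amd64">
      <UserData>
        <AcceptEula>true</AcceptEula>
        <FullName>Adatum</FullName>
        <Organization>Adatum</Organization>
        <ProductKey><Key>TK8TP-9JN6P-7X7WW-RFFTV-B7QPF</Key><WillShowUI>OnError</WillShowUI></ProductKey>
      </UserData>
    </component>
  </settings>
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64">
      <AutoLogon>
        <Password><Value>Pa$$w0rd</Value><PlainText>true</PlainText></Password>
        <Enabled>true</Enabled>
        <Username>Administrator</Username>
      </AutoLogon>
    </component>
  </settings>
</unattend>
'@

Test-UnattendFile -Xml $sample | Format-List
```

To check a real file, pass `[xml](Get-Content -Raw A:\Autounattend.xml)` instead of the sample. A Findings list that is not empty means the answer file, and any media or share that carries it, must be treated as containing a credential.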
Task 2: Start the virtual machine and confirm the unattended installation
1. In Hyper-V Manager, right-click 20687A-LON-CL4, and then click Connect.
2. In the 20687A-LON-CL4 on localhost window, click Action, and then click Start.
3. In the Windows Setup dialog box, click Next.
4. On the Select the operating system you want to install page, click Next.
5. On the Where do you want to install Windows? page, click Next.
6. Observe the Windows 8 installation process, confirming that you are not prompted for a product key.
Results: After completing this exercise, you will have tested installation of Windows 8 by using an answer file.
5. On the Checking to see what can be transferred page, wait for scanning to complete, clear all objects except ADATUM\Allie, and then click Next.
6. On the Save your files and settings for transfer page, type Pa$$w0rd in both fields, and then click Save.
7. In the Save your Easy Transfer file window, click in the address bar, type \\LON-DC1, and then press Enter.
8. Double-click the WET shared folder, and then click Save.
9. Wait for the files to save. You can scroll down on the Saving files and settings page to monitor the progress.
10. When the save is complete, click Next.
11. Click Next, and then click Close to close the Windows Easy Transfer window.
12. Log off LON-CL3.
Results: After completing this exercise, you should have backed up important user data and settings.
4. On the What do you want to use to transfer items to your new PC? page, click An external hard disk or USB flash drive.
5. When prompted Which PC are you using now?, click This is my new PC.
6. When asked whether the files have already been saved from your old PC, click Yes.
7. In the Open an Easy Transfer File window, navigate to \\LON-DC1\WET, and then double-click the Windows Easy Transfer file.
8. Enter the password Pa$$w0rd, and then click Next.
9. On the Choose what to transfer to this PC page, click Transfer.
Results: After completing this exercise, you should have restored user data and settings to a Windows 8 computer by using WET.
Results: After completing this exercise, you should have confirmed the successful transfer of user data and settings.
Log on to the LON-CL2 virtual machine as Adatum\Administrator with the password Pa$$w0rd.
5. In the New Simple Volume Wizard, on the Welcome to the New Simple Volume Wizard page, click Next.
6. On the Specify Volume Size page, change the Simple volume size in MB value to 5103, and then click Next.
7. On the Assign Drive Letter or Path page, click Next.
8. On the Format Partition page, in the Volume label text box, type Simple1, and then click Next.
9. On the Completing the New Simple Volume Wizard page, click Finish.
10. When the New Simple Volume Wizard is complete, close Disk Management and any open windows.
In the Extend Volume Wizard, on the Welcome to the Extend Volume Wizard page, click Next.
On the Select Disks page, select Disk 2, in the Select the amount of space in MB text box, type 50, and then click Next. On the Completing the Extend Volume Wizard page, click Finish. When the Extend Volume Wizard is complete, close Disk Management.
When the shrink command is complete, at the DISKPART> prompt, type list volume, and then press Enter. Compare the reported size of the Simple2 volume as reported now with the value from the previous list volume command. Close the command prompt.
4. In the New Spanned Volume Wizard, on the Welcome to the New Spanned Volume Wizard page, click Next.
5. On the Select Disks page, select Disk 3. Hold down the Shift key, select Disk 4, and then click Add.
6. On the Select Disks page, select Disk 2, and in the Select the amount of space in MB text box, type 2000.
7. On the Select Disks page, select Disk 3, and in the Select the amount of space in MB text box, type 1500.
8. On the Select Disks page, with Disk 4 selected, in the Select the amount of space in MB text box, type 4000, and then click Next.
9. On the Assign Drive Letter or Path page, click Next.
10. On the Format Partition page, in the Volume label text box, type SpannedVol, and then click Next.
11. On the Completing the New Spanned Volume Wizard page, click Finish.
12. Review the Disk Management warning, and then click Yes.
4. On the Select Disks page, in the Select the amount of space in MB text box, type 2000, and then click Next.
5. On the Assign Drive Letter or Path page, click Next.
6. On the Format Partition page, in the Volume label text box, type StripedVol, and then click Next.
7. On the Completing the New Striped Volume Wizard page, click Finish.
8. Close Disk Management and any open windows.
Results: After this exercise, you will have created several volumes on the client computer.
10. In the Disk Quota dialog box, review the message, and then click OK.
11. Close all open windows.
9. In the file list, right-click 1kb-file, drag it to Alans files, and then click Copy here.
10. Double-click Alans files.
11. Right-click 2mb-file, and then click Copy.
12. Press Ctrl+V.
13. Right-click 2mb-file, and then click Copy.
14. Press Ctrl+V.
15. In the Copy Item dialog box, review the message, and then click Cancel.
16. Open the Start screen, and then click Alan Steiner.
17. Click Sign out.
10. Close Quota Entries for StripedVol (I:).
11. Close Striped Volume (I:) Properties.
12. Close Windows Explorer.
13. Open the Start screen, type eventvwr, and then press Enter.
14. Maximize the Event Viewer program.
15. In the Event Viewer (Local) list, expand Windows Logs, and then click System.
16. Right-click System, and then click Filter Current Log.
17. In the <All Event IDs> box, type 36, and then click OK.
18. Examine the listed entry. Event ID 36 from the Ntfs source records that a user reached the quota threshold on the volume.
19. Close all open windows.
Results: At the end of this exercise, you will have created and tested a disk quota.
Results: At the end of this exercise, you will have mounted an existing VHD file, and then used the virtual drive.
When you have finished the lab, leave the virtual machines running, because they are needed for the next lab.
At the command prompt, type pnputil -a E:\Labfiles\Mod03\Intellipoint\ipoint\setup64\files\driver\point64\point64.inf, and then press Enter.
At the command prompt, type pnputil -e, and then press Enter. Take note of the published name (oemN.inf) of the driver package that you just added to the store. Close the command prompt.
Results: At the end of this exercise, you will have installed a driver into the protected driver store.
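The output of pnputil -e is plain text, which makes it awkward to review the driver store on more than one machine. The script below is an added example, not part of the 20687A course text: it parses that output into objects so that third-party packages can be listed and the published name needed for pnputil -d (removal) looked up. The sample output is constructed in the layout that Windows 8 prints; the live function runs pnputil itself. The signer filter treats anything not signed by a Microsoft Windows publisher as worth review, which is a choice made here.

```powershell
# Added example: parse "pnputil -e" output into objects and list non-Microsoft-signed
# driver packages in the driver store. Sample text below is constructed.
function ConvertFrom-PnpUtilEnum {
    param([Parameter(Mandatory)][string[]]$Lines)
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Published name\s*:\s*(\S+)') {
            if ($current) { [pscustomobject]$current }          # emit previous record
            $current = [ordered]@{ PublishedName = $Matches[1]; Provider = ''; Class = ''; DateVersion = ''; Signer = '' }
        }
        elseif ($current -and $line -match '^\s*Driver package provider\s*:\s*(.+)$') { $current.Provider    = $Matches[1].Trim() }
        elseif ($current -and $line -match '^\s*Class\s*:\s*(.+)$')                   { $current.Class       = $Matches[1].Trim() }
        elseif ($current -and $line -match '^\s*Driver date and version\s*:\s*(.+)$') { $current.DateVersion = $Matches[1].Trim() }
        elseif ($current -and $line -match '^\s*Signer name\s*:\s*(.+)$')             { $current.Signer      = $Matches[1].Trim() }
    }
    if ($current) { [pscustomobject]$current }
}

function Get-DriverStorePackages {
    # Live enumeration; the banner line "Microsoft PnP Utility" is ignored by the parser.
    ConvertFrom-PnpUtilEnum -Lines (& pnputil.exe -e)
}

function Get-ThirdPartyDriverPackages {
    param([Parameter(Mandatory)][object[]]$Packages)
    # A package signed by anything other than a Microsoft Windows publisher was
    # added by an administrator or vendor installer and should be accounted for.
    $Packages | Where-Object { $_.Signer -notlike 'Microsoft Windows*' }
}

# Constructed sample in the layout pnputil -e uses on Windows 8.
$sample = @'
Microsoft PnP Utility

Published name :            oem0.inf
Driver package provider :   Microsoft
Class :                     Mice and other pointing devices
Driver date and version :   06/21/2012 8.20.468.0
Signer name :               Microsoft Windows Hardware Compatibility Publisher

Published name :            oem1.inf
Driver package provider :   Contoso Peripherals
Class :                     Keyboards
Driver date and version :   01/15/2012 1.0.0.1
Signer name :               Contoso Test Certificate
'@ -split "`r?`n"

$packages = ConvertFrom-PnpUtilEnum -Lines $sample
Get-ThirdPartyDriverPackages -Packages $packages | Format-Table -AutoSize
```

On a live system, replace `$packages = ConvertFrom-PnpUtilEnum -Lines $sample` with `$packages = Get-DriverStorePackages`. Removing a package that the parser surfaced is `pnputil -d oemN.inf`, using the PublishedName column.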
5. Expand Keyboards, right-click Standard PS/2 Keyboard, and then click Update Driver Software.
6. In the Update Driver Software - Standard PS/2 Keyboard dialog box, click Browse my computer for driver software.
7. On the Browse for driver software on your computer page, click Let me pick from a list of device drivers on my computer.
8. In the Show compatible hardware list, click PC/AT Enhanced PS/2 Keyboard (101/102-Key), and then click Next.
9. Click Close.
10. In the System Settings Change dialog box, click Yes to restart the computer.
6. In the PC/AT Enhanced PS/2 Keyboard (101/102-Key) Properties dialog box, click the Driver tab.
7. Click Uninstall.
8. In the Confirm Device Uninstall dialog box, click OK.
9. In the System Settings Change dialog box, click Yes to restart the computer.
10. Log on to the LON-CL2 virtual machine as Adatum\Administrator with the password Pa$$w0rd.
11. Type comp, and then right-click Computer in the results section.
12. Click Manage in the context menu at the bottom of the screen.
13. In Computer Management, click Device Manager.
14. Expand Keyboards, right-click Standard PS/2 Keyboard, and verify that you have successfully uninstalled the driver.
15. Close Computer Management.
Results: At the end of this exercise, you will have installed and uninstalled a device driver.
Log on to the LON-CL1 virtual machine as Adatum\Administrator with the password Pa$$w0rd.
In Network and Sharing Center, to the right of the Adatum.com Domain network, click Local Area Connection. In the Local Area Connection Status window, click Properties. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
Click Obtain an IP address automatically, click Obtain DNS server address automatically, and then click OK.
When does the DHCP lease expire? Eight days from now.
Results: After this exercise, you will have configured LON-CL1 to obtain an IPv4 configuration automatically from a DHCP server.
On the LON-DC1 virtual machine, log on as Adatum\Administrator with the password Pa$$w0rd.
Clear the Validate settings, if changed, upon exit check box, and then click OK to save the settings.
In the Local Area Connection Properties window, click Close.
At the command prompt, type ipconfig /release, and then press Enter.
At the command prompt, type ipconfig /renew, and then press Enter.
At the command prompt, type ipconfig /all, and then press Enter.
o What is the current IPv4 address? 172.16.16.10
o What is the subnet mask? 255.255.0.0
o To which IPv4 network does this host belong? 172.16.0.0/16
o What kind of address is this? An alternate configuration address
9. Click OK.
10. In the Local Area Connection Properties window, click Close.
11. Close all open windows.
Results: After this exercise, you will have tested various scenarios for dynamic IP address assignment, and then configured a static IP address.
10. In the list of Hard Drives, double-click Allfiles (E:).
11. Double-click Labfiles, double-click Mod04, and then double-click Mod4-Script.bat.
Results: After this exercise, you will have created a connectivity problem between LON-CL1 and LON-DC1.
In Network and Sharing Center, to the right of the Adatum.com Domain network, click Local Area Connection. In the Local Area Connection Status window, click Properties. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties. In the Subnet mask box, type 255.255.0.0. Click OK.
3. In Control Panel, click Network and Internet.
4. In Network and Internet, click View network status and tasks.
5. In Network and Sharing Center, to the right of the Adatum.com Domain network, click Local Area Connection.
6. In the Local Area Connection Status window, click Properties.
7. In the Local Area Connection Properties window, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
8. In the Preferred DNS server box, type 172.16.0.10.
9. Clear the Alternate DNS server setting, and then click OK.
Results: After this exercise, you will have resolved the connectivity problem between LON-CL1 and LON-DC1.
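The two fixes above (subnet mask and DNS server) are the two checks a client-side connectivity triage starts with: does the client believe LON-DC1 is on its own subnet, and does it point at a resolver that exists? The script below is an added example, not part of the 20687A course text. It implements the same-subnet test with the mask arithmetic spelled out, and a live variant that reads this machine's IPv4 configuration with the NetTCPIP cmdlets. LON-DC1 at 172.16.0.10 and the 255.255.0.0 mask come from the lab; the wrong mask used to reproduce the failure (255.255.255.0) is an assumption, because the page does not state what Mod4-Script.bat changed.

```powershell
# Added example: is the domain controller on-link from this client? Implements the
# network-address calculation, then applies it to the lab's addresses and to the
# live configuration. The "wrong" mask value is assumed, not taken from the lab.
function Get-NetworkAddress {
    param([Parameter(Mandatory)][ipaddress]$Address, [Parameter(Mandatory)][ipaddress]$Mask)
    $a = $Address.GetAddressBytes(); $m = $Mask.GetAddressBytes()
    $net = for ($i = 0; $i -lt 4; $i++) { $a[$i] -band $m[$i] }
    [ipaddress]($net -join '.')
}

function Get-PrefixLength {
    param([Parameter(Mandatory)][ipaddress]$Mask)
    $bits = ($Mask.GetAddressBytes() | ForEach-Object { [Convert]::ToString($_, 2).PadLeft(8, '0') }) -join ''
    if ($bits -notmatch '^1*0*$') { throw "Non-contiguous subnet mask: $Mask" }
    ($bits.ToCharArray() | Where-Object { $_ -eq '1' }).Count
}

function Test-SameSubnet {
    param([Parameter(Mandatory)][ipaddress]$Local,
          [Parameter(Mandatory)][ipaddress]$LocalMask,
          [Parameter(Mandatory)][ipaddress]$Remote)
    # The client decides "on-link or via gateway" using only its own mask. A mask
    # narrower than the real subnet sends traffic for the DC to the gateway (or
    # nowhere, with no gateway) even though both hosts share the same wire.
    $localNet  = Get-NetworkAddress -Address $Local  -Mask $LocalMask
    $remoteNet = Get-NetworkAddress -Address $Remote -Mask $LocalMask
    [pscustomobject]@{
        Local   = "$Local/$(Get-PrefixLength -Mask $LocalMask)"
        Network = $localNet.IPAddressToString
        Remote  = $Remote.IPAddressToString
        OnLink  = $localNet.Equals($remoteNet)
    }
}

function Test-LiveSubnetWithDC {
    param([ipaddress]$DomainController = '172.16.0.10')
    # Live check (NetTCPIP module, Windows 8 / Server 2012): one row per DHCP or
    # manually configured IPv4 address on this host.
    Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.PrefixOrigin -in 'Dhcp', 'Manual' } | ForEach-Object {
        $ip   = $_
        $bits = ('1' * $ip.PrefixLength).PadRight(32, '0')
        $mask = [ipaddress]((0..3 | ForEach-Object { [Convert]::ToByte($bits.Substring($_ * 8, 8), 2) }) -join '.')
        Test-SameSubnet -Local $ip.IPAddress -LocalMask $mask -Remote $DomainController |
            Add-Member -NotePropertyName Interface -NotePropertyValue $ip.InterfaceAlias -PassThru
    }
}

# The lab's working configuration, then the assumed broken one.
Test-SameSubnet -Local 172.16.16.10 -LocalMask 255.255.0.0   -Remote 172.16.0.10
Test-SameSubnet -Local 172.16.16.10 -LocalMask 255.255.255.0 -Remote 172.16.0.10
```

With the /16 mask both hosts share the network 172.16.0.0, so OnLink is true; with the /24 mask the client computes 172.16.16.0 for itself and 172.16.0.0 for the DC and will route through a gateway instead. Pair this with `Resolve-DnsName LON-DC1 -Server 172.16.0.10` to confirm the DNS half of the fix.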
Requirements Overview
I want to deploy wireless networks throughout the London offices. Security is critical, and we must deploy the strongest security measures available. Some of our older computer equipment supports earlier wireless standards only. Cordless telephones are in use in some parts of the building. We are located in a busy trading district, with other commercial organizations located nearby. Again, it is important that our network is not compromised.
Additional Information
Proposals
Answer: Answers will vary, but typically should include the strongest possible security measures.
2. Complete the proposals section of the A. Datum Wireless Network Requirements document.
Answer: Answers will vary, but here is a suggested proposal:
o Deploy only WAPs that support WPA2-Enterprise authentication, and deploy the additional infrastructure that this authentication requires. This involves deploying additional server roles on Windows Server 2012; specifically, the Network Policy and Access Services (NPAS) role, including the Network Policy Server (NPS) role service, which acts as the RADIUS server for 802.1X. The WAPs must also support 802.11b because of the legacy hardware deployed in some parts of the building.
o Interference from cordless telephones might be an issue, so the choice of WAP should consider the ability to support a range of channels. Many cordless telephones use the 2.4 GHz band; depending on the 802.11 modes that the WAPs support, running 802.11n in the 5 GHz band avoids this interference, although the 802.11b clients can use only 2.4 GHz.
o The proximity of other businesses does pose a risk, so you must plan the placement of the WAPs and the directionality of their antennae to limit the signal footprint. As long as appropriate security is in place, the residual risk should be low; again, support for enterprise (802.1X) authentication is critical here.
Results: After this exercise, you should have a proposal for the implementation of wireless networks in the London offices of A. Datum.
Incident Details
Intermittent connection problems from computers connecting to the wireless network.
Some users can connect to the wireless access points from the parking lot.
Plan of Action
2. Update the plan of action section of incident record 501235 with your recommendations.
Answer: Answers will vary, but here is a suggested proposal:
o Check the placement of all WAPs to ensure that they are not adjacent to any sources of interference.
o Review WAP placement, transmit power, and antenna directionality so that coverage does not extend into the parking lot; where it still does, 802.1X authentication is what keeps unauthorized clients off the network.
Results: After this exercise, you should have a completed action plan for resolution of the A. Datum issues.
1. In Group Policy Management Editor, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, and then click Wireless Network (IEEE 802.11) Policies. Right-click Wireless Network (IEEE 802.11) Policies, and then click Create A New Wireless Network Policy for Windows Vista and Later Releases.
2. In the New Wireless Network Policy Properties dialog box, in the Policy Name box, type A Datum Wireless Policy.
3. Click Add, and then click Infrastructure.
4. In the New Profile properties dialog box, in the Profile Name box, type A Datum Wireless Profile.
5. In the Network Name(s) (SSID) box, type A Datum 1, and then click Add.
6. In the Network Name(s) (SSID) box, type A Datum 2, and then click Add.
7. Click the Security tab.
8. Verify that the Authentication method is WPA2-Enterprise and that the Encryption method is AES.
9. Click OK.
10. In the A Datum Wireless Policy Properties dialog box, click OK.
11. Close Group Policy Management Editor.
12. Close Group Policy Management.
Results: After this exercise, you should have implemented a wireless network policy.
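The policy above pushes a profile that requires WPA2-Enterprise with AES, but clients may also carry profiles that users or vendors added. The script below is an added example, not part of the 20687A course text: it checks WLAN profiles, in the XML form that netsh wlan export profile produces, against the same requirement (WPA2 authentication, AES encryption, 802.1X enabled) and also flags profiles for hidden SSIDs, which make the client probe for the network wherever it is. The two sample profiles are constructed; Test-ExportedWlanProfiles assumes netsh.exe is available and that the account can read the machine's profiles.

```powershell
# Added example: check WLAN profile XML against the WPA2-Enterprise/AES policy.
# The two profiles below are constructed; the live function exports real ones.
function Test-WlanProfile {
    param([Parameter(Mandatory)][xml]$Profile)
    $ns = New-Object System.Xml.XmlNamespaceManager($Profile.NameTable)
    $ns.AddNamespace('w', 'http://www.microsoft.com/networking/WLAN/profile/v1')
    $ae   = $Profile.SelectSingleNode('/w:WLANProfile/w:MSM/w:security/w:authEncryption', $ns)
    $auth = $ae.SelectSingleNode('w:authentication', $ns).InnerText   # open, shared, WPA, WPAPSK, WPA2, WPA2PSK
    $enc  = $ae.SelectSingleNode('w:encryption', $ns).InnerText       # none, WEP, TKIP, AES
    $onex = $ae.SelectSingleNode('w:useOneX', $ns).InnerText

    $problems = @()
    if ($auth -ne 'WPA2') { $problems += "authentication is $auth, policy requires WPA2 (Enterprise)" }
    if ($enc  -ne 'AES')  { $problems += "encryption is $enc, policy requires AES" }
    if ($onex -ne 'true') { $problems += '802.1X (useOneX) is not enabled: pre-shared key or open network' }
    $nb = $Profile.SelectSingleNode('/w:WLANProfile/w:SSIDConfig/w:nonBroadcast', $ns)
    if ($nb -and $nb.InnerText -eq 'true') { $problems += 'profile is for a hidden SSID; the client will probe for it everywhere' }

    [pscustomobject]@{
        Name      = $Profile.SelectSingleNode('/w:WLANProfile/w:name', $ns).InnerText
        Security  = "$auth/$enc"
        OneX      = $onex
        Compliant = ($problems.Count -eq 0)
        Problems  = ($problems -join '; ')
    }
}

function Test-ExportedWlanProfiles {
    param([string]$Folder = (Join-Path $env:TEMP 'wlan-profiles'))
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    # Without key=clear any PSK stays encrypted in the export, which is all this check needs.
    netsh wlan export profile folder="$Folder" | Out-Null
    Get-ChildItem -Path $Folder -Filter *.xml |
        ForEach-Object { Test-WlanProfile -Profile ([xml](Get-Content -Path $_.FullName -Raw)) }
}

# Constructed sample 1: matches the A Datum Wireless Profile settings.
$compliant = [xml]@'
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>A Datum Wireless Profile</name>
  <SSIDConfig><SSID><name>A Datum 1</name></SSID><SSID><name>A Datum 2</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType><connectionMode>auto</connectionMode>
  <MSM><security><authEncryption>
    <authentication>WPA2</authentication><encryption>AES</encryption><useOneX>true</useOneX>
  </authEncryption></security></MSM>
</WLANProfile>
'@
# Constructed sample 2: a personal (PSK) profile for a hidden network, as a user might add.
$personal = [xml]@'
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>Home-Router</name>
  <SSIDConfig><SSID><name>Home-Router</name></SSID><nonBroadcast>true</nonBroadcast></SSIDConfig>
  <connectionType>ESS</connectionType><connectionMode>auto</connectionMode>
  <MSM><security><authEncryption>
    <authentication>WPA2PSK</authentication><encryption>AES</encryption><useOneX>false</useOneX>
  </authEncryption></security></MSM>
</WLANProfile>
'@

Test-WlanProfile -Profile $compliant
Test-WlanProfile -Profile $personal
```

On a managed client, run `Test-ExportedWlanProfiles | Where-Object { -not $_.Compliant }` to list the profiles that the Group Policy setting did not create; `netsh wlan delete profile name="<name>"` removes one.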
Verify that ping reported four Request timed out responses. Leave the command prompt open for a later step.
Log on to the LON-CL1 virtual machine as Adatum\Administrator with the password Pa$$w0rd.
Verify that ping generated four Reply from 172.16.0.50: bytes=32 time=xms TTL=128 messages. Close the command prompt and any open windows.
Results: At the end of this exercise, you will have configured and tested an inbound firewall rule.
When you have finished the lab, leave the virtual machines running, because they are needed for the next lab.
9. On the Requirements page, select Require authentication for inbound connections and request authentication for outbound connections, and then click Next.
10. On the Authentication Method page, select Computer and user (Kerberos V5), and then click Next.
11. On the Name page, in the Name text box, type Authenticate all inbound connections, and then click Finish.
12. Close the Windows Firewall with Advanced Security window.
7. On the Requirements page, select Require authentication for inbound connections and request authentication for outbound connections, and then click Next.
8. On the Authentication Method page, select Computer and user (Kerberos V5), and then click Next.
9. On the Profile page, click Next.
10. On the Name page, in the Name text box, type Authenticate all inbound connections, and then click Finish.
11. Minimize the Windows Firewall with Advanced Security window.
Verify that the ping generated four Reply from 172.16.0.50: bytes=32 time=xms TTL=128 messages.
On the taskbar, click the Windows Firewall with Advanced Security window.
In the left pane, expand Monitoring, and then expand Security Associations.
Click Main Mode, and then examine the information in the center pane.
Click Quick Mode, and then examine the information in the center pane.
Results: At the end of this lab, you will have created and tested connection security rules.
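The same inbound firewall rule and connection security rule can be created with the NetSecurity cmdlets that ship with Windows 8, which is how you would apply them to many machines or keep them in a script. The block below is an added example, not part of the 20687A course text. The rule names, the ICMP-only scope of the firewall rule, and the test target 172.16.0.50 (taken from the lab's ping output) are choices made here; run it elevated on a domain-joined client, with a matching rule on the peer.

```powershell
# Added example: create the lab's inbound ICMP rule and the "Computer and user
# (Kerberos V5)" connection security rule with cmdlets, then verify the result.
Import-Module NetSecurity

function New-LabIcmpRule {
    # Allow inbound ICMPv4 echo request (type 8) only, so that "ping works" does
    # not also mean "every inbound port is open".
    New-NetFirewallRule -DisplayName 'Allow inbound ICMPv4 echo' -Direction Inbound `
        -Protocol ICMPv4 -IcmpType 8 -Action Allow -Profile Domain
}

function New-LabConnectionSecurityRule {
    # Phase 1 (main mode) authenticates the computer, phase 2 (quick mode) the
    # user, both with Kerberos V5: the wizard's "Computer and user (Kerberos V5)".
    $p1 = New-NetIPsecPhase1AuthSet -DisplayName 'Lab computer Kerberos' `
            -Proposal (New-NetIPsecAuthProposal -Machine -Kerberos)
    $p2 = New-NetIPsecPhase2AuthSet -DisplayName 'Lab user Kerberos' `
            -Proposal (New-NetIPsecAuthProposal -User -Kerberos)
    # Require inbound, request outbound: unauthenticated inbound traffic is
    # dropped, but this host can still reach peers that have no IPsec rule.
    New-NetIPsecRule -DisplayName 'Authenticate all inbound connections' `
        -InboundSecurity Require -OutboundSecurity Request `
        -Phase1AuthSet $p1.Name -Phase2AuthSet $p2.Name -Profile Domain
}

function Test-LabIpsec {
    param([string]$Target = '172.16.0.50')
    $pingOk = Test-Connection -ComputerName $Target -Count 4 -Quiet
    # After a successful ping, the security associations shown under Monitoring >
    # Security Associations in the console are visible here. Zero SAs with a
    # successful ping means the traffic went in the clear (e.g. the peer has no
    # matching rule and this side only requests outbound authentication).
    [pscustomobject]@{
        Target    = $Target
        PingOk    = $pingOk
        MainMode  = @(Get-NetIPsecMainModeSA  | Where-Object { $_.RemoteEndpoint -eq $Target }).Count
        QuickMode = @(Get-NetIPsecQuickModeSA | Where-Object { $_.RemoteEndpoint -eq $Target }).Count
    }
}

New-LabIcmpRule | Out-Null
New-LabConnectionSecurityRule | Out-Null
Test-LabIpsec
```

`Get-NetIPsecRule -DisplayName 'Authenticate all inbound connections' | Remove-NetIPsecRule` undoes the connection security rule when the lab is finished; the auth sets can be removed with Remove-NetIPsecPhase1AuthSet and Remove-NetIPsecPhase2AuthSet.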
When you have finished the lab, leave the virtual machines running, because they are needed for the next lab.
Results: At the end of this lab, you will have configured and used Windows Defender.
Log on to the LON-CL1 virtual machine as Adatum\Administrator with the password Pa$$w0rd.
Results: At the end of this lab, you will have created a folder and shared it for all users.
10. In the Marketing Properties dialog box, click OK. 11. Close all open windows, and then log off LON-CL1.
Results: At the end of this exercise, you will have created and shared a folder for the Marketing department.
2. On the Start screen, type the letter c, and then click Control Panel in the Apps search results.
3. In Control Panel, click the View devices and printers link.
4. In Devices and Printers, click the Add a printer link.
5. In the Add Printer Wizard, click The printer that I want isn't listed.
6. On the Find a printer by other options page, select the Add a local printer or network printer with manual settings option, and then click Next.
7. On the Choose a printer port page, select Use an existing port, select nul: (Local Port) in the list, and then click Next.
8. On the Install the printer driver page, in the Manufacturer list, select Microsoft.
9. In the Printers list, select Microsoft OpenXPS Class Driver, and then click Next.
10. On the Type a printer name page, in the Printer name field, type ManagersPrinter, and then click Next.
11. Review the Printer Sharing page, and then click Next.
12. Review the You've successfully added ManagersPrinter page, and then click Finish.
4. In Devices and Printers, click the Add a printer link.
5. In the Add Printer Wizard, click The printer that I want isn't listed.
6. On the Find a printer by other options page, select the Select a shared printer by name option, and then click Browse.
7. In the Printer field, type \\LON-CL1, and then press Enter.
8. Double-click ManagersPrinter.
9. On the Find a printer by other options page, click Next.
10. Review the You've successfully added ManagersPrinter on LON-CL1 page, and then click Next.
11. On the You've successfully added ManagersPrinter on LON-CL1 page, click the Print a test page button.
12. Review the ManagersPrinter on LON-CL1 dialog box, and then click Close.
13. On the You've successfully added ManagersPrinter on LON-CL1 page, click Finish.
14. Close Devices and Printers.
15. On LON-CL1, in the Print Management console, verify that the Jobs In Queue column displays 1 for ManagersPrinter.
16. Right-click ManagersPrinter, and then select Resume Printing.
17. Close all open windows.
Results: At the end of this exercise, you will have created, shared, and tested a printer.
10. In the Browse for a Group Policy Object dialog box, click the Users tab.
11. In the Local Users and Groups compatible with Local Group Policy list, click Administrators, and then click OK.
12. In the Select Group Policy Object dialog box, click Finish.
13. In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Group Policy Object Editor, and then click Add.
14. In the Select Group Policy Object dialog box, click Browse.
15. In the Browse for a Group Policy Object dialog box, click the Users tab.
16. In the Local Users and Groups compatible with Local Group Policy list, click Non-Administrators, and then click OK.
17. In the Select Group Policy Object dialog box, click Finish.
18. In the Add or Remove Snap-ins dialog box, click OK.
19. In Console1 [Console Root], on the menu, click File, and then click Save.
20. In the Save As dialog box, click Desktop.
21. In the File name box, type Multiple Local Group Policy Editor, and then click Save.
Expand User Configuration, expand Windows Settings, and then click Scripts (Logon/Logoff). In the results pane, double-click Logon. In the Logon Properties dialog box, click Add.
5. In the Add a Script dialog box, click Browse.
6. In the Browse dialog box, right-click in the empty folder, point to New, click Text Document, and then press Enter.
7. Right-click New Text Document, and then click Edit.
8. Type msgbox "Warning. You are not connected to the A Datum Domain."
9. Click File, and then click Save As.
10. Type RoamingScript.vbs, change Save as type to All Files, and then click Save.
11. Close RoamingScript.vbs.
12. In the Browse dialog box, click the RoamingScript file, and then click Open.
13. In the Add a Script dialog box, click OK.
14. In the Logon Properties dialog box, click OK.
Results: After this exercise, you should have successfully created and configured multiple local GPOs.
1. Log off LON-CL1. To log off, on your host computer, in the 20687A-LON-CL1 on localhost Virtual Machine Connection window, click the Action menu, click Ctrl+Alt+Delete, and then click Sign out.
2. Log on to LON-CL1 as Adatum\Holly with the password Pa$$w0rd. To log on as a different user, click Other user, enter the required credentials, and then press Enter.
3. On the Start screen, click Desktop.
4. Click OK when prompted by the message box.
5. Pause the mouse pointer in the lower-right corner of the taskbar.
6. Click Settings, and then click Control Panel.
7. In the Restrictions dialog box, click OK.
Results: After this exercise, you should have implemented and tested multiple local GPOs successfully.
When you have finished the lab, leave the virtual machines running, because they are needed for the next lab.
10. Click Permissions, and in the Permissions for Sales-Data dialog box, click Add.
11. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select (examples) box, type Authenticated Users, and then click OK.
12. In the Permissions for Sales-Data dialog box, in the Group or user names list, click Authenticated Users, and then in the Permissions for Authenticated Users list, select the Allow Full Control check box, and then click OK.
13. In the Advanced Sharing dialog box, click OK.
14. In the Sales-Data Properties dialog box, click the Security tab.
15. Click Edit.
16. In the Permissions for Sales-Data dialog box, click Add.
17. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select (examples) box, type Authenticated Users, and then click OK.
18. In the Permissions for Sales-Data dialog box, in the Group or user names list, click Authenticated Users, and then in the Permissions for Authenticated Users list, select the Allow Full Control check box, and then click OK.
19. In the Sales-Data Properties dialog box, click Close.
7. Right-click an area of free space in Windows Explorer, point to New, and then click Microsoft Word Document.
8. Type Team Briefing, and then press Enter.
9. In Windows Explorer, double-click Team Briefing.
11. In Word, if prompted to Help Protect and Improve Microsoft Office, click Don't make changes, and then click OK.
12. In Word, type This is the team briefing.
13. Press Ctrl+S, and then close Microsoft Word.
1. In Windows Explorer, in the navigation pane, click Computer, and then in the details pane, double-click sales-data (\\lon-dc1) (S:).
2. In Windows Explorer, right-click Team Briefing, and then click Properties.
3. In the Team Briefing Properties dialog box, click Advanced.
4. In the Advanced Attributes dialog box, select the Encrypt contents to secure data check box, and then click OK.
5. In the Team Briefing Properties dialog box, click OK.
6. On LON-CL1, log on as Adatum\Vivian with the password Pa$$w0rd.
7. On the Start screen, click Desktop, and on the taskbar, click Windows Explorer.
8. In Windows Explorer, in the navigation pane, right-click Computer, and then click Map network drive.
9. In the Map Network Drive dialog box, in the Folder box, type \\LON-DC1\Sales-Data.
10. In the Drive list, click S:, and then click Finish.
11. In Windows Explorer, in the navigation pane, click Computer, and then in the details pane, double-click sales-data (\\lon-dc1) (S:).
12. In Windows Explorer, double-click Team Briefing.
13. In the User Name dialog box, click OK.
14. In Word, if prompted to Help Protect and Improve Microsoft Office, click Don't make changes, and then click OK.
15. You are denied access: the file was encrypted with the Administrator account's EFS certificate, so Vivian's Full Control NTFS permission is not enough to read it.
16. Click OK, and then close Word.
17. Log off LON-CL1.
Results: After this exercise, you should have encrypted shared files successfully.
When you have finished the lab, leave the virtual machines running, because they are needed for the next lab.
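The exercise above grants Full Control to Authenticated Users at both the share and the NTFS layer, and then shows that EFS, not the ACL, decides who can open Team Briefing. The script below is an added example, not part of the 20687A course text: it reports folders whose NTFS or share permissions grant Full Control to a broad principal, and reads a file's EFS attribute. The demo folder under %TEMP% is created by the script itself; Find-BroadShareAccess assumes the SmbShare module of Windows 8 / Server 2012 and a share on the local machine. Principal names are the English well-known account names.

```powershell
# Added example: audit for Full Control granted to broad principals (share and
# NTFS) and report EFS status. The demo folder and its ACE are constructed here.
$BroadPrincipals = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', 'NT AUTHORITY\INTERACTIVE'
$FullControl     = [System.Security.AccessControl.FileSystemRights]::FullControl

function Find-BroadNtfsAccess {
    param([Parameter(Mandatory)][string]$Path)
    # Report Allow ACEs for a broad principal that carry every FullControl bit.
    # (Inherit-only ACEs with generic rights show as large numbers and are skipped.)
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $BroadPrincipals -contains $_.IdentityReference.Value -and
        (($_.FileSystemRights -band $FullControl) -eq $FullControl)
    } | Select-Object @{ n = 'Path'; e = { $Path } }, IdentityReference, FileSystemRights, IsInherited
}

function Find-BroadShareAccess {
    param([Parameter(Mandatory)][string]$ShareName)
    # Share permissions are the outer gate; "Full" here plus Full Control NTFS
    # means every domain user can change the folder's permissions and contents.
    Get-SmbShareAccess -Name $ShareName | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.AccessRight -eq 'Full' -and
        $BroadPrincipals -contains $_.AccountName
    }
}

function Get-EfsStatus {
    param([Parameter(Mandatory)][string]$File)
    # The Encrypted attribute only says EFS protects the file. Who can open it is
    # decided by the certificates in its $EFS stream (cipher /c lists them), which
    # is why Vivian is denied although the ACL grants her Full Control.
    $attr = (Get-Item -LiteralPath $File).Attributes
    [pscustomobject]@{ File = $File; Encrypted = [bool]($attr -band [IO.FileAttributes]::Encrypted) }
}

# Constructed demo: a folder that grants Authenticated Users Full Control, like Sales-Data.
$demo = Join-Path $env:TEMP 'acl-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$acl  = Get-Acl -Path $demo
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
            'NT AUTHORITY\Authenticated Users', 'FullControl',
            'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $demo -AclObject $acl

Find-BroadNtfsAccess -Path $demo | Format-Table -AutoSize
New-Item -ItemType File -Path (Join-Path $demo 'Team Briefing.docx') -Force | Out-Null
Get-EfsStatus -File (Join-Path $demo 'Team Briefing.docx')
```

On LON-DC1, `Find-BroadShareAccess -ShareName Sales-Data` and `Find-BroadNtfsAccess -Path <folder path>` show both layers of the permissions set in the exercise. In production, Full Control for Authenticated Users is rarely what is intended; Modify at the NTFS layer and a specific group at the share layer keep ordinary users from rewriting the ACL itself.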
5. In the results pane, double-click User Account Control: Only elevate executables that are signed and validated.
6. In the User Account Control: Only elevate executables that are signed and validated dialog box, click Enabled, and then click OK.
7. In the results pane, double-click User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode.
8. In the User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode dialog box, click Prompt for consent on the secure desktop.
9. Click OK, close Local Group Policy Editor, and then log off.
10. Right-click the Start screen, and then click All Apps. 11. In the Apps list, click Control Panel. 12. In Control Panel, click System and Security.
13. In System and Security, click Change User Account Control settings. 14. Verify that the slide bar is configured for Always notify.
Results: After this exercise, you should have reconfigured UAC notification behavior and prompts.
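The two policies changed above, like the rest of the UAC settings, are stored as values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, which is how they can be verified on many machines without opening the console. The script below is an added example, not part of the 20687A course text. The value names and their me
anings are the documented Windows security policy registry values; the computer name parameter and the list of findings are choices made here.

```powershell
# Added example: read the UAC configuration from the registry (locally or on a
# remote machine via the remote registry service) and flag weak settings.
function Get-UacConfiguration {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName).OpenSubKey($key)

    # ConsentPromptBehaviorAdmin: "Behavior of the elevation prompt for administrators
    # in Admin Approval Mode". Values 1 and 2 are the secure-desktop variants.
    $adminPrompt = @{
        0 = 'Elevate without prompting'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries (default)'
    }
    $consent = [int]$reg.GetValue('ConsentPromptBehaviorAdmin', 5)

    $result = [pscustomobject]@{
        Computer            = $ComputerName
        UacEnabled          = [bool]$reg.GetValue('EnableLUA', 1)
        AdminPromptBehavior = $adminPrompt[$consent]
        SecureDesktop       = [bool]$reg.GetValue('PromptOnSecureDesktop', 1)
        SignedOnlyElevation = [bool]$reg.GetValue('ValidateAdminCodeSignatures', 0)   # "Only elevate executables that are signed and validated"
        Findings            = @()
    }
    if (-not $result.UacEnabled) { $result.Findings += 'UAC is disabled; administrators always run fully elevated' }
    if ($consent -eq 0)          { $result.Findings += 'administrators are elevated silently, so any process they run can elevate' }
    if ($consent -in 3, 4 -or -not $result.SecureDesktop) {
        $result.Findings += 'elevation prompt is not on the secure desktop; a user-mode program could draw a fake prompt'
    }
    $result
}

Get-UacConfiguration | Format-List
```

After the exercise, AdminPromptBehavior should read "Prompt for consent on the secure desktop" and SignedOnlyElevation should be True. Note that "Only elevate executables that are signed and validated" blocks elevation of unsigned binaries for every administrator, including setup programs that are not signed, so test it against the software in use before deploying it broadly.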
10. Click the General tab. Under Browsing History, click Delete.
11. In the Delete Browsing History dialog box, clear Preserve Favorites website data, select Temporary Internet files and website files, Cookies and website data, History, and then click Delete. 12. Click OK to close Internet Options.
13. Confirm that there are no addresses stored in the Address bar by clicking on the down arrow next to the Address bar. 14. On the Tools menu, click InPrivate Browsing. 15. Type http://LON-DC1 into the Address bar, and then press Enter.
16. Confirm the address you typed in is not stored by clicking on the down arrow next to the Address bar. 17. Close the InPrivate Browsing window. 18. Close Internet Explorer. 19. On LON-CL1, click the Internet Explorer icon on the taskbar.
20. Type http://LON-DC1 into the Address bar, and then press Enter.
21. In Internet Explorer, click Tools, and then click Internet Options.
22. On the Security tab, click Local intranet, and then under Security level for this zone, move the slider to High.
23. Click OK.
24. On the A Datum Intranet home page, click Current Projects.
25. Close the new tab.
26. In Internet Explorer, click Tools, and then click Internet Options.
27. On the Security tab, click Trusted sites.
28. Click Sites.
29. In the Trusted sites dialog box, clear the Require server verification (https:) for all sites in this zone check box.
Note: Clearing this check box allows http:// sites to be added to the Trusted sites zone, where they receive the zone's relaxed settings without any server authentication. Outside a lab, leave it selected unless a specific intranet site cannot use HTTPS.
30. Click Add, and then click Close.
31. In the Internet Options dialog box, click OK.
32. On the A Datum Intranet home page, click Current Projects.
33. Close Internet Explorer and all open windows.
34. Log off LON-CL1.
Results: After completing this exercise, you will have successfully configured Internet Explorer's security and compatibility settings.
Configuring Applications
3. In the Local Group Policy Editor, expand Computer Configuration, expand Windows Settings, and then expand Security Settings.
4. Expand Application Control Policies, and then double-click AppLocker.
5. Right-click Executable Rules, and then click Create New Rule.
6. Click Next.
7. On the Permissions page, select Deny, and then click Select.
8. In the Select User or Group dialog box, in the Enter the object names to select (examples) box, type IT, click Check Names, and then click OK.
9. Click Next.
10. On the Conditions screen, select Path, and then click Next.
11. Click Browse Files, and then in the File name box, type C:\Program Files\Windows Media Player\wmplayer.exe, and then click Open.
12. Click Next.
13. Click Next again, and then click Create.
14. Click Yes when prompted to create the default rules.
On the Enforcement tab, under Executable rules, click the Configured check box, and then select Enforce rules. Click OK. Close the Local Group Policy Editor. Pause the pointer in the lower-right of the display, and then click Start. On the Start screen, type cmd.exe, and then press Enter.
In the Command Prompt window, type gpupdate /force, and then press Enter. Wait for the policy to be updated.
Results: At the end of the exercise, you will have successfully created the required AppLocker rule.
Note: AppLocker is not implemented in this prerelease version of the software. You are not prevented from running Windows Media Player.
4. Log off.
5. Log on as Adatum\Administrator with the password Pa$$w0rd.
6. Right-click the Start screen, and then click All apps.
7. In the Apps list, right-click Computer, and then click Manage.
8. In Event Viewer, expand Applications and Services Logs, and then expand Microsoft.
9. Expand Windows, expand AppLocker, and then click EXE and DLL.
10. Review the entries in the results pane.
Note: AppLocker is not implemented in this prerelease version of the software. Event ID 8008 is displayed, indicating this fact. Normally you would see event ID 8004, which records that the application was prevented from running.
11. Close Computer Management.
12. Log off.
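The same rule, tested and applied from PowerShell, as an added example that is not part of the course material. It assumes an elevated session on LON-CL1, the ADATUM\IT group and wmplayer.exe as in the lab, and uses the AppLocker cmdlets that ship with Windows 8. Two things the wizard hides are worth seeing in the XML: a Deny rule always wins over an Allow rule, and the default rules include "All files" for BUILTIN\Administrators, so a member of IT who is also a local administrator is still denied by the explicit Deny but can run anything else. Path rules are only as strong as the ACL on the path; prefer publisher rules where the binaries are signed. AppLocker enforces nothing unless the Application Identity service (AppIDSvc) is running.

```powershell
# Added example (not part of the course): the AppLocker exercise above done
# from PowerShell, with a dry run before enforcement and the event check at
# the end. Assumptions: elevated session on LON-CL1; the group is ADATUM\IT
# and the blocked binary is wmplayer.exe, as in the lab.
$ErrorActionPreference = 'Stop'

# AppLocker stores SIDs, not names, so resolve the group first.
$account = New-Object System.Security.Principal.NTAccount('ADATUM', 'IT')
$itSid   = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# S-1-1-0 = Everyone, S-1-5-32-544 = BUILTIN\Administrators (the wizard's default rules).
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny Windows Media Player to IT"
                  Description="" UserOrGroupSid="$itSid" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\Windows Media Player\wmplayer.exe" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files located in the Program Files folder"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files located in the Windows folder"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files"
                  Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = Join-Path $env:TEMP 'Adatum-AppLocker.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run against the policy file: a member of IT is denied, the administrator is not.
$target = Join-Path $env:ProgramFiles 'Windows Media Player\wmplayer.exe'
foreach ($user in 'ADATUM\IT', 'ADATUM\Administrator') {
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $target -User $user |
        Select-Object @{n='User';e={$user}}, FilePath, PolicyDecision, MatchingRule
}

# Apply to the local policy (what the Local Group Policy Editor steps did),
# make sure the Application Identity service is running, then refresh policy.
Set-AppLockerPolicy -XmlPolicy $policyPath
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
gpupdate.exe /force | Out-Null

# Read back the log the lab inspects in Event Viewer.
# 8004 = prevented from running, 8003 = would have been prevented (audit only),
# 8008 = AppLocker is not available on this edition.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 50 |
    Where-Object { $_.Id -in 8003, 8004, 8008 } |
    Select-Object TimeCreated, Id, UserId, Message |
    Format-Table -AutoSize -Wrap
```

Run the Test-AppLockerPolicy loop before Set-AppLockerPolicy on any real machine: with the deny rule alone and no default rules, every executable outside the rule set is blocked the moment enforcement starts, which is how administrators lock themselves out.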
Results: At the end of this exercise, you will have successfully verified the function of your executable AppLocker rule.
Expand User Defined, right-click User Defined, point to New, and then click Data Collector Set.
In the Create new Data Collector Set Wizard, on the How would you like to create this new data collector set? page, in the Name box, type Adatum Baseline.
11. On the What type of data do you want to include? page, select the Performance counter check box, and then click Next.
12. On the Which performance counters would you like to log? page, in the Sample interval box, type 1, and then click Add.
13. In the Available counters list, expand Memory, select Pages/sec, and then click Add.
14. In the Available counters list, expand Network Interface, select Packets/sec, and then click Add.
15. In the Available counters list, expand Physical Disk, select % Disk Time, and then click Add.
16. Under Physical Disk, select Avg. Disk Queue Length, and then click Add.
17. In the Available counters list, expand Processor, select % Processor Time, and then click Add.
18. In the Available counters list, expand System, select Processor Queue Length, click Add, and then click OK.
19. On the Which performance counters would you like to log? page, click Next.
20. On the Where would you like the data to be saved? page, click Next.
21. On the Create the data collector set page, click Finish.
22. In Performance Monitor, in the navigation pane, right-click Adatum Baseline, and then click Start.
23. Pause the mouse pointer over the lower-right corner of the desktop, and then click Start.
24. Right-click the Start screen, click All Apps, and then click Microsoft Word 2010.
25. In the User Name dialog box, click OK.
26. In Word, if prompted to Help Protect and Improve Microsoft Office, click Don't make changes, and then click OK.
27. Pause the mouse pointer over the lower-right corner of the desktop, and then click Start.
28. Right-click the Start screen, click All Apps, and then click Microsoft Excel 2010.
29. Pause the mouse pointer over the lower-right corner of the desktop, and then click Start.
30. Right-click the Start screen, click All Apps, and then click Microsoft PowerPoint 2010.
31. Close all open Microsoft Office applications, and then switch to Performance Monitor.
32. In the navigation pane, right-click Adatum Baseline, and then click Stop.
Results: After this exercise, you should have created a performance monitoring baseline.
Results: After this exercise, you should have generated additional load on the computer.
After a few minutes, click OK at the prompt and close the instance of C:\Windows\System32\cmd.exe that the script launched.
5. Switch to Performance Monitor.
6. In the navigation pane, right-click Adatum Baseline, and then click Stop.
7. In Performance Monitor, in the navigation pane, expand Reports, expand User Defined, expand Adatum Baseline, and then click the second report that has a name that begins with LON-CL1.
8. View the chart.
9. On the menu bar, click the drop-down arrow, and then click Report.
10. Record the component details:
    a. Memory: Pages/sec
    b. Network Interface: Packets/sec
    c. Physical Disk: % Disk Time
    d. Physical Disk: Avg. Disk Queue Length
    e. Processor: % Processor Time
    f. System: Processor Queue Length
Answer: The script is affecting memory and the disk. No resource is approaching its limit, although paging is becoming excessive.
11. Close all open windows and programs, and then go back to the Start screen.
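The six counters the Adatum Baseline collector records, sampled and summarised from PowerShell so that the values recorded in step 10 can be checked against a ceiling rather than read off a chart. This is an added example, not part of the course; the ceiling values are common rules of thumb and an assumption of the example, not figures from the lab, and the collector name and output folder are the lab's and an assumed path respectively.

```powershell
# Added example (not part of the course): sample the same six counters as the
# Adatum Baseline data collector set and summarise them against ceilings.
# The limits below are rules of thumb assumed for this example, not values from
# the lab; replace them with your own measured baseline.

$counters = @(
    '\Memory\Pages/sec'
    '\Network Interface(*)\Packets/sec'
    '\PhysicalDisk(_Total)\% Disk Time'
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length'
    '\Processor(_Total)\% Processor Time'
    '\System\Processor Queue Length'
)

# Assumed ceilings. Packets/sec has none: it measures throughput, not saturation.
$limits = @{
    '\Memory\Pages/sec'                            = 1000
    '\PhysicalDisk(_Total)\% Disk Time'            = 85
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length' = 2
    '\Processor(_Total)\% Processor Time'          = 85
    '\System\Processor Queue Length'               = 2
}

function Get-Baseline {
    # One sample per second for $Seconds seconds (sample interval 1, as in step 12).
    param([int]$Seconds = 60)

    $set = Get-Counter -Counter $counters -SampleInterval 1 -MaxSamples $Seconds

    $set.CounterSamples |
        Group-Object -Property Path |
        ForEach-Object {
            # Get-Counter prefixes each path with \\COMPUTERNAME and lower-cases it;
            # strip the prefix so it matches $limits (hashtable keys are case-insensitive).
            $path  = $_.Name -replace '^\\\\[^\\]+', ''
            $stats = $_.Group | Measure-Object -Property CookedValue -Average -Maximum
            $limit = $limits[$path]
            $shown  = if ($null -ne $limit) { $limit } else { 'n/a' }
            $status = if ($null -ne $limit -and $stats.Average -gt $limit) { 'OVER' } else { 'ok' }
            [pscustomobject]@{
                Counter = $path
                Average = [math]::Round($stats.Average, 2)
                Maximum = [math]::Round($stats.Maximum, 2)
                Limit   = $shown
                Status  = $status
            }
        }
}

# The wizard's equivalent: a persistent collector set whose report appears under
# Reports > User Defined. Start and stop it with "logman start/stop 'Adatum Baseline'".
logman.exe create counter 'Adatum Baseline' -c $counters -si 1 -o "$env:SystemDrive\PerfLogs\AdatumBaseline"

# Sample while the load is running (steps 24 to 30), then review.
Get-Baseline -Seconds 30 | Sort-Object Status -Descending | Format-Table -AutoSize
```

A baseline taken on an idle machine is the reference; the OVER flag is only meaningful relative to that, which is why the lab collects before and during load.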
Results: After this exercise, you should have identified the computer's performance bottleneck.
When you have finished the lab, leave the virtual machines running, because they are needed for the next lab.
10. In the Configure Automatic Updates window, click Enabled.
11. In the Configure automatic updating box, click 4 - Auto download and schedule the install.
12. Click OK, and then close the Group Policy Management Editor window.
13. Close the Group Policy Management window.
Task 3: Verify that the automatic updates setting from the GPO is being applied
1. Switch to LON-CL1.
2. Pause the pointer in the lower-right corner of the display, and then click Start.
3. Right-click the Start screen, and then click All apps.
4. In the Apps list, click Command Prompt.
5. At the command prompt, type gpupdate /force, and then press Enter.
6. Close the command prompt.
7. Switch to Windows Update.
8. Notice that your computer is now configured for automatic updates.
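Step 8 relies on the Windows Update page greying out its options. The following added example (not part of the course) verifies the same thing from PowerShell on LON-CL1 by reading the policy registry key the GPO writes and asking the Windows Update Agent whether its settings are locked by policy. It assumes the GPO sets Configure Automatic Updates to option 4, as in the steps above.

```powershell
# Added example (not part of the course): confirm on LON-CL1 that the
# Configure Automatic Updates policy from the GPO is in force.
# Assumes the GPO selects option 4 (Auto download and schedule the install).

# 1. The policy registry values. Group Policy writes them under
#    HKLM\SOFTWARE\Policies; the key is absent when no policy applies.
$auPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$auNames  = @{
    2 = 'Notify for download and notify for install'
    3 = 'Auto download and notify for install'
    4 = 'Auto download and schedule the install'
    5 = 'Allow local admin to choose setting'
}

if (Test-Path -Path $auPolicy) {
    $au = Get-ItemProperty -Path $auPolicy
    'Policy key present: NoAutoUpdate={0} AUOptions={1} ({2})' -f `
        $au.NoAutoUpdate, $au.AUOptions, $auNames[[int]$au.AUOptions]
} else {
    'No WindowsUpdate\AU policy key: the GPO has not applied yet (run gpupdate /force, then gpresult /r).'
}

# 2. What the Windows Update Agent itself reports. ReadOnly = True means the
#    settings are controlled by policy, which is what step 8 shows in the UI.
$settings = (New-Object -ComObject Microsoft.Update.AutoUpdate).Settings
[pscustomobject]@{
    NotificationLevel = $settings.NotificationLevel          # 4 = scheduled installation
    LockedByPolicy    = $settings.ReadOnly
    InstallDay        = $settings.ScheduledInstallationDay   # 0 = every day
    InstallHour       = $settings.ScheduledInstallationTime
}

# 3. Which GPO delivered it (look under "Applied Group Policy Objects").
gpresult.exe /scope computer /r
```

If the registry key is present but LockedByPolicy is false, the Windows Update service has not yet re-read policy; restarting the wuauserv service or waiting for the next policy refresh resolves it.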
Results: After this exercise, you should have configured Windows Update settings by using GPOs.
On the Change settings for the plan: Adam's power-saving plan page, click Change advanced power settings. Configure the following properties for the plan, and then click OK:
o Turn off hard disk after: 3 minutes
o Wireless Adapter Settings, Power Saving Mode: Maximum Power Saving
o Power buttons and lid, Power button action: Shut down
4. On the Change settings for the plan: Adam's power-saving plan page, click Cancel.
5. Close Power Options.
6. Log off from LON-CL1.
Results: After this exercise, you should have successfully created and configured a suitable power plan for Adam's laptop computer.
When you have finished the lab, leave the virtual machines running, because they are needed for the next lab.
In the Network and Sharing Center window, under Change your networking settings, click Set up a new connection or network.
In the Choose a connection option dialog box, click Connect to a workplace, and then click Next.
In the Connect to a workplace dialog box, select the Use my Internet connection (VPN) option.
When prompted, select I'll set up an Internet connection later.
In the Type the Internet address to connect to dialog box, specify an Internet address of 172.16.0.10 and a Destination name of Adatum, and then click Create.
The VPN connects.
On LON-CL1, on the taskbar, click Windows Explorer.
In the navigation pane, right-click Computer, and then click Map network drive.
In the Drive box, click P:.
In the Folder box, type \\LON-DC1\Data, and then click Finish.
6. In the address bar, type cmd.exe, and then press Enter.
7. At the command prompt, type ipconfig /all, and then press Enter.
8. What IPv4 address has your computer been assigned over the PPP adapter connection?
10. Right-click Adatum, and then click Connect/Disconnect.
11. Click Adatum, and then click Disconnect.
12. Close all open windows.
13. Click back to the Start screen.
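The same connection created, dialled and inspected from PowerShell, as an added example that is not part of the course. It assumes the lab's server address 172.16.0.10 and an account in the ADATUM domain; the wizard's default tunnel type (Automatic) is kept so the example matches the steps above. One caveat for anything outside a lab: Automatic falls back to PPTP, and PPTP with MS-CHAPv2 is considered broken. Pin -TunnelType to Ikev2 or Sstp and use certificate or EAP authentication instead.

```powershell
# Added example (not part of the course): create the Adatum VPN connection,
# dial it, map P:, and answer step 8 (the PPP adapter's IPv4 address).
# Assumptions: VPN server 172.16.0.10 as in the lab; user account in ADATUM.
$ErrorActionPreference = 'Stop'

if (-not (Get-VpnConnection -Name 'Adatum' -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name 'Adatum' -ServerAddress '172.16.0.10' -TunnelType Automatic `
        -EncryptionLevel Required -AuthenticationMethod MSChapv2 `
        -RememberCredential:$false -Force
}

# Dial. The "*" makes rasdial prompt for the password so it never appears on
# the command line or in another user's process listing.
$user = Read-Host 'User name (without domain)'
rasdial.exe 'Adatum' $user * /DOMAIN:ADATUM
if ($LASTEXITCODE -ne 0) { throw "rasdial failed with error $LASTEXITCODE" }

# Map P: to the share over the tunnel (the Map network drive steps above).
New-PSDrive -Name P -PSProvider FileSystem -Root '\\LON-DC1\Data' -Persist | Out-Null

# Step 8: the RAS interface is named after the connection, so ask it directly
# instead of reading through ipconfig /all.
Get-VpnConnection -Name 'Adatum' |
    Select-Object Name, ConnectionStatus, TunnelType, EncryptionLevel
Get-NetIPAddress -InterfaceAlias 'Adatum' -AddressFamily IPv4 |
    Select-Object InterfaceAlias, IPAddress, PrefixLength

# Does the tunnel carry all traffic? With split tunnelling off (the default)
# the VPN interface should own a 0.0.0.0/0 route with the lowest metric.
Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' |
    Sort-Object RouteMetric | Select-Object InterfaceAlias, NextHop, RouteMetric

# Steps 10 and 11: drop the mapping, then disconnect.
Remove-PSDrive -Name P
rasdial.exe 'Adatum' /DISCONNECT
```

Get-VpnConnection reports the tunnel type actually negotiated once connected; if it says Pptp, the server did not offer IKEv2 or SSTP and the connection should not be trusted for anything sensitive.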
Results: After this exercise, you should have successfully connected to Adatum HQ by using your VPN connection.
When you have finished the lab, leave the virtual machines running, because they are needed for the next lab.
Task 1: Enable Remote Desktop through the firewall and enable Remote Desktop on Adams office computer
1. On LON-CL1, right-click the Start screen, and then click All apps.
2. In the Apps list, click Control Panel.
3. Click System and Security.
4. Under Windows Firewall, click Allow an app through Windows Firewall.
5. In the Name list, select Remote Desktop and enable the application for each of the network profiles: Domain, Private, and Public. Click OK.
6. In System and Security, click Allow remote access.
7. In System Properties, under Remote Desktop, click Allow remote connections to this computer.
8. Click Select Users, and then click Add.
9. In the Select Users or Groups dialog box, in the Enter the object names to select (examples) box, type Adam, click Check Names, and then click OK.
10. In the Remote Desktop Users dialog box, click OK.
11. In the System Properties dialog box, click OK.
12. Close all open windows.
13. Switch to the LON-CL2 virtual machine, and then log on as Adatum\Administrator with the password Pa$$w0rd.
14. On the Start screen, type mstsc, and then in the Apps list, click Remote Desktop Connection.
15. In the Remote Desktop Connection dialog box, in the Computer box, type lon-cl1, and then click Show Options.
16. Click the Advanced tab.
17. Under Server authentication, in the If server authentication fails list, click Connect and don't warn me.
Note: Connect and don't warn me suppresses the certificate warning, so the client also connects silently to a host that is impersonating lon-cl1. Use this setting only in a lab; in production keep the default Warn me, or deploy a trusted certificate for the Remote Desktop listener.
8. In the Apps list, right-click Computer, and then click Properties.
9. Notice the computer name.
10. Close the Remote Desktop session. In the Remote Desktop Connection dialog box, click OK.
11. Close all open windows.
12. Switch to the LON-CL1 virtual machine.
13. Notice that you have been logged off.
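Task 1 on LON-CL1 done from PowerShell, as an added example that is not part of the course, with two changes a practitioner would make: the firewall rules are enabled for the Domain profile only (the lab also opens Private and Public, which exposes the listener on untrusted networks), and Network Level Authentication is required so that a client must authenticate before a session is created. It assumes an elevated session and the user ADATUM\Adam; the WMI classes and registry values used are the ones the System Properties dialog itself writes.

```powershell
# Added example (not part of the course): enable Remote Desktop on LON-CL1
# for ADATUM\Adam, Domain profile only, with Network Level Authentication.
# Assumes an elevated PowerShell session on the domain-joined client.
$ErrorActionPreference = 'Stop'
$tsNamespace = 'root\cimv2\TerminalServices'

# 1. Allow remote connections: the same WMI method the System Properties
#    dialog calls. Second argument 0 = do not touch the firewall here.
$tsSetting = Get-WmiObject -Namespace $tsNamespace -Class Win32_TerminalServiceSetting `
                 -Authentication PacketPrivacy
$null = $tsSetting.SetAllowTSConnections(1, 0)

# 2. Require NLA on the RDP-Tcp listener (the "Allow connections only from
#    computers running Remote Desktop with Network Level Authentication" box).
$rdpTcp = Get-WmiObject -Namespace $tsNamespace -Class Win32_TSGeneralSetting `
              -Filter "TerminalName='RDP-Tcp'" -Authentication PacketPrivacy
$null = $rdpTcp.SetUserAuthenticationRequired(1)

# 3. Firewall: the built-in Remote Desktop rule group, Domain profile only.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Set-NetFirewallRule -Profile Domain -Enabled True

# 4. Membership of Remote Desktop Users grants the logon right
#    (Windows 8 has no Add-LocalGroupMember cmdlet).
net.exe localgroup 'Remote Desktop Users' 'ADATUM\Adam' /add | Out-Null

# 5. Verify the end state from the registry and the firewall.
$ts     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp"
$enabledProfiles = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Where-Object Enabled -eq 'True' |
    Select-Object -ExpandProperty Profile -Unique
[pscustomobject]@{
    RemoteConnectionsAllowed = (Get-ItemProperty -Path $ts).fDenyTSConnections -eq 0
    NlaRequired              = $rdpKey.UserAuthentication -eq 1
    ListeningTcpPort         = $rdpKey.PortNumber
    EnabledFirewallProfiles  = ($enabledProfiles -join ',')
}
net.exe localgroup 'Remote Desktop Users'
```

With NLA required, the client in step 17 still works, but a client that cannot do CredSSP (very old mstsc versions, some third-party clients) is refused before it ever reaches the logon screen, which is the point.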
Results: After this exercise, you should have successfully verified that Remote Desktop is functional.
In the Open dialog box, in the File name box, type C:\Program Files\Microsoft Learning\20687\Drives\Windows8.iso, and then click Open.
On the Action menu, click Start.
When you see the Press any key to boot from CD or DVD message, press Spacebar. Setup loads.
When prompted, in the Windows Setup dialog box, click Next.
On the Windows Setup page, click Repair your computer.
On the Choose an option page, click Troubleshoot.
On the Troubleshoot page, click Advanced options.
On the Advanced options page, click Command Prompt.
10. At the command prompt, type bcdedit /enum, and then press Enter.
11. At the command prompt, type Bootrec /scanos, and then press Enter.
12. At the command prompt, type diskpart, and then press Enter.
13. At the command prompt, type list disk, and then press Enter.
14. At the command prompt, type list volume, and then press Enter.
15. At the command prompt, type exit, and then press Enter. This leaves diskpart.
16. At the command prompt, type exit, and then press Enter. This closes the command prompt.
17. On the Choose an option page, click Troubleshoot.
18. On the Troubleshoot page, click Advanced options.
19. On the Advanced options page, click Automatic Repair.
20. On the Automatic Repair page, click Windows 8. Automatic repair starts.
21. On the Automatic Repair page, click Advanced options.
22. On the Choose an option page, click Continue. Windows starts normally.
At the command prompt, type bcdedit /copy {current} /d "Duplicate boot entry", and then press Enter. The quotation marks are required because the description contains spaces.
5. At the command prompt, type bcdedit /enum, and then press Enter.
6. At the command prompt, type shutdown /r, and then press Enter.
10. On your host computer, switch to Hyper-V Manager.
11. In the Virtual Machines list, right-click 20687A-LON-CL1, and then click Revert.
12. In the Revert Virtual Machines prompt, click Revert.
13. In the Virtual Machines list, right-click 20687A-LON-CL1, and then click Start.
14. In the Virtual Machines list, right-click 20687A-LON-CL1, and then click Connect.
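The bcdedit part of this exercise scripted with the safety net a practitioner adds before touching the boot store: export the BCD first, parse bcdedit /enum into objects rather than reading it by eye, capture the GUID of the copied entry from bcdedit's output, and remove the duplicate again so the machine is left as it was found. This is an added example, not part of the course; the backup path and the entry description are assumptions, and the parser assumes English bcdedit output. The same export is worth doing from the Windows RE command prompt before running Bootrec /RebuildBCD whenever the store is still readable.

```powershell
# Added example (not part of the course): back up the BCD store, duplicate the
# current boot entry as in the exercise, show the result, then clean up.
# Run elevated. Backup path and description text are assumptions.
$ErrorActionPreference = 'Stop'

$backup = "$env:SystemDrive\BCD-backup-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
bcdedit.exe /export $backup
if ($LASTEXITCODE -ne 0) { throw 'BCD export failed; not touching the store.' }
"Store exported to $backup (restore with: bcdedit /import $backup)"

function Get-BcdEntries {
    # Parse "bcdedit /enum" into one object per entry. Entry headers such as
    # "Windows Boot Loader" contain single spaces; property lines are a key
    # padded with two or more spaces followed by the value.
    $entries = @()
    $current = $null
    foreach ($line in (bcdedit.exe /enum)) {
        if ($line -match '^-{5,}$' -or $line.Trim() -eq '') { continue }
        if ($line -match '^\S' -and $line -notmatch '^\w+\s{2,}') {
            $current = [ordered]@{ Type = $line.Trim() }
            $entries += $current
            continue
        }
        if ($current -and $line -match '^(\S+)\s{2,}(.*)$') {
            $current[$matches[1]] = $matches[2].Trim()
        }
    }
    $entries | ForEach-Object { [pscustomobject]$_ }
}

# Step 4 of the exercise. Braces must be quoted or PowerShell treats them as a
# script block; the description must be quoted because it contains spaces.
$copyOutput = (bcdedit.exe /copy '{current}' /d 'Duplicate boot entry') -join ' '
if ($copyOutput -notmatch '(\{[0-9a-fA-F-]{36}\})') {
    throw "Unexpected bcdedit output: $copyOutput"
}
$newId = $matches[1]
"Created entry $newId"

# Step 5: what the boot menu will offer after a restart.
Get-BcdEntries |
    Where-Object Type -eq 'Windows Boot Loader' |
    Format-Table identifier, description, device, path -AutoSize

# Clean up instead of reverting the VM: delete the duplicate and remove it
# from the display order (/cleanup is the default for GUID identifiers).
bcdedit.exe /delete $newId /cleanup
if ($LASTEXITCODE -ne 0) { throw "Could not delete $newId; import $backup to recover." }
```

Deleting the entry here replaces the shutdown /r and Hyper-V revert in the lab; keep the exported store until the machine has been rebooted successfully once.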
Results: After this exercise, you will have used various Windows 8 startup-recovery tools.
Incident Details

Adam Carter has reported that his computer will not start properly.

Additional information

Adam has been trying to install an additional operating system on his computer so that he can run a specific line-of-business (LOB) application. He abandoned the installation after getting only partly through the process. Since then, his computer displays the following error message when it starts:

Windows Boot Manager
File: \Boot\BCD
Status: 0xc0000034
Info: The Windows Boot Configuration Data (BCD) file is missing required information.

Plan of Action

o Visit with the user, and view the error on his computer.
o Insert the product DVD, and restart the computer.
o Use the Windows Recovery Environment (Windows RE) to recover the startup environment by using the Command Prompt tool, and then run Bootrec.exe /RebuildBCD to repair the boot store.
Results: After this exercise, you should have reproduced the reported startup problem on Adam's computer.
10. On the Troubleshoot page, click Advanced options.
11. On the Advanced options page, click Command Prompt.
12. At the command prompt, type Bootrec /Scanos, and then press Enter.
13. At the command prompt, type Bootrec /RebuildBCD, and then press Enter.
14. At the command prompt, type A, and then press Enter.
15. Restart LON-CL1, and then log on by using the following credentials:
    o User name: Adatum\Administrator
    o Password: Pa$$w0rd
17. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance. To repeat or exit the exercise, revert the virtual machine environment.
Results: After this exercise, you should have resolved the startup problem, and documented your solution.