OFFICIAL MICROSOFT LEARNING PRODUCT
20687A
Configuring Windows 8
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein. © 2012 Microsoft Corporation. All rights reserved.
Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.
MICROSOFT LICENSE TERMS OFFICIAL MICROSOFT LEARNING PRODUCTS MICROSOFT OFFICIAL COURSE Pre-Release and Final Release Versions
These license terms are an agreement between Microsoft Corporation and you. Please read them. They apply to the Licensed Content named above, which includes the media on which you received it, if any. These license terms also apply to any updates, supplements, internet based services and support services for the Licensed Content, unless other terms accompany those items. If so, those terms apply. BY DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM, DO NOT DOWNLOAD OR USE THE LICENSED CONTENT. If you comply with these license terms, you have the rights below.
1. DEFINITIONS.
a. Authorized Learning Center means a Microsoft Learning Competency Member, Microsoft IT Academy Program Member, or such other entity as Microsoft may designate from time to time.
b. Authorized Training Session means the Microsoft-authorized instructor-led training class using only MOC Courses that are conducted by an MCT at or through an Authorized Learning Center.
c. Classroom Device means one (1) dedicated, secure computer that you own or control that meets or exceeds the hardware level specified for the particular MOC Course located at your training facilities or primary business location.
d. End User means an individual who is (i) duly enrolled for an Authorized Training Session or Private Training Session, (ii) an employee of an MPN Member, or (iii) a Microsoft full-time employee.
e. Licensed Content means the MOC Course and any other content accompanying this agreement. Licensed Content may include (i) Trainer Content, (ii) software, and (iii) associated media.
f. Microsoft Certified Trainer or MCT means an individual who is (i) engaged to teach a training session to End Users on behalf of an Authorized Learning Center or MPN Member, (ii) currently certified as a Microsoft Certified Trainer under the Microsoft Certification Program, and (iii) holds a Microsoft Certification in the technology that is the subject of the training session.
g. Microsoft IT Academy Member means a current, active member of the Microsoft IT Academy Program.
h. Microsoft Learning Competency Member means a Microsoft Partner Network Program Member in good standing that currently holds the Learning Competency status.
i. Microsoft Official Course or MOC Course means the Official Microsoft Learning Product instructor-led courseware that educates IT professionals or developers on Microsoft technologies.
j. Microsoft Partner Network Member or MPN Member means a silver or gold-level Microsoft Partner Network program member in good standing.
k. Personal Device means one (1) device, workstation or other digital electronic device that you personally own or control that meets or exceeds the hardware level specified for the particular MOC Course.
l. Private Training Session means the instructor-led training classes provided by MPN Members for corporate customers to teach a predefined learning objective. These classes are not advertised or promoted to the general public and class attendance is restricted to individuals employed by or contracted by the corporate customer.
m. Trainer Content means the trainer version of the MOC Course and additional content designated solely for trainers to use to teach a training session using a MOC Course. Trainer Content may include Microsoft PowerPoint presentations, instructor notes, lab setup guide, demonstration guides, beta feedback form and trainer preparation guide for the MOC Course. To clarify, Trainer Content does not include virtual hard disks or virtual machines.
2. INSTALLATION AND USE RIGHTS. The Licensed Content is licensed, not sold. The Licensed Content is licensed on a one copy per user basis, such that you must acquire a license for each individual that accesses or uses the Licensed Content.
2.1 Below are four separate sets of installation and use rights. Only one set of rights applies to you.
a. If you are an Authorized Learning Center:
i. If the Licensed Content is in digital format, for each license you acquire you may either:
1. install one (1) copy of the Licensed Content in the form provided to you on a dedicated, secure server located on your premises where the Authorized Training Session is held for access and use by one (1) End User attending the Authorized Training Session, or by one (1) MCT teaching the Authorized Training Session, or
2. install one (1) copy of the Licensed Content in the form provided to you on one (1) Classroom Device for access and use by one (1) End User attending the Authorized Training Session, or by one (1) MCT teaching the Authorized Training Session.
ii. You agree that:
1. you will acquire a license for each End User and MCT that accesses the Licensed Content,
2. each End User and MCT will be presented with a copy of this agreement and each individual will agree that their use of the Licensed Content will be subject to these license terms prior to their accessing the Licensed Content. Each individual will be required to denote their acceptance of the EULA in a manner that is enforceable under local law prior to their accessing the Licensed Content,
3. for all Authorized Training Sessions, you will only use qualified MCTs who hold the applicable competency to teach the particular MOC Course that is the subject of the training session,
4. you will not alter or remove any copyright or other protective notices contained in the Licensed Content,
5. you will remove and irretrievably delete all Licensed Content from all Classroom Devices and servers at the end of the Authorized Training Session,
6. you will only provide access to the Licensed Content to End Users and MCTs,
7. you will only provide access to the Trainer Content to MCTs, and
8. any Licensed Content installed for use during a training session will be done in accordance with the applicable classroom set-up guide.
b. If you are an MPN Member:
i. If the Licensed Content is in digital format, for each license you acquire you may either:
1. install one (1) copy of the Licensed Content in the form provided to you on (A) one (1) Classroom Device, or (B) one (1) dedicated, secure server located at your premises where the training session is held for use by one (1) of your employees attending a training session provided by you, or by one (1) MCT that is teaching the training session, or
2. install one (1) copy of the Licensed Content in the form provided to you on one (1) Classroom Device for use by one (1) End User attending a Private Training Session, or one (1) MCT that is teaching the Private Training Session.
ii. You agree that:
1. you will acquire a license for each End User and MCT that accesses the Licensed Content,
2. each End User and MCT will be presented with a copy of this agreement and each individual will agree that their use of the Licensed Content will be subject to these license terms prior to their accessing the Licensed Content. Each individual will be required to denote their acceptance of the EULA in a manner that is enforceable under local law prior to their accessing the Licensed Content,
3. for all training sessions, you will only use qualified MCTs who hold the applicable competency to teach the particular MOC Course that is the subject of the training session,
4. you will not alter or remove any copyright or other protective notices contained in the Licensed Content,
5. you will remove and irretrievably delete all Licensed Content from all Classroom Devices and servers at the end of each training session,
6. you will only provide access to the Licensed Content to End Users and MCTs,
7. you will only provide access to the Trainer Content to MCTs, and
8. any Licensed Content installed for use during a training session will be done in accordance with the applicable classroom set-up guide.
c. If you are an End User: You may use the Licensed Content solely for your personal training use. If the Licensed Content is in digital format, for each license you acquire you may (i) install one (1) copy of the Licensed Content in the form provided to you on one (1) Personal Device and install another copy on another Personal Device as a backup copy, which may be used only to reinstall the Licensed Content; or (ii) print one (1) copy of the Licensed Content. You may not install or use a copy of the Licensed Content on a device you do not own or control.
d. If you are an MCT:
i. For each license you acquire, you may use the Licensed Content solely to prepare and deliver an Authorized Training Session or Private Training Session. For each license you acquire, you may install and use one (1) copy of the Licensed Content in the form provided to you on one (1) Personal Device and install one (1) additional copy on another Personal Device as a backup copy, which may be used only to reinstall the Licensed Content. You may not install or use a copy of the Licensed Content on a device you do not own or control.
ii. Use of Instructional Components in Trainer Content. You may customize, in accordance with the most recent version of the MCT Agreement, those portions of the Trainer Content that are logically associated with instruction of a training session. If you elect to exercise the foregoing rights, you agree: (a) that any of these customizations will only be used for providing a training session, (b) any customizations will comply with the terms and conditions for Modified Training Sessions and Supplemental Materials in the most recent version of the MCT agreement and with this agreement. For clarity, any use of "customize" refers only to changing the order of slides and content, and/or not using all the slides or content; it does not mean changing or modifying any slide or content.
2.2 Separation of Components. The Licensed Content components are licensed as a single unit and you may not separate the components and install them on different devices.
2.3 Reproduction/Redistribution Licensed Content. Except as expressly provided in the applicable installation and use rights above, you may not reproduce or distribute the Licensed Content or any portion thereof (including any permitted modifications) to any third parties without the express written permission of Microsoft.
2.4 Third Party Programs. The Licensed Content may contain third party programs or services. These license terms will apply to your use of those third party programs or services, unless other terms accompany those programs and services.
2.5 Additional Terms. Some Licensed Content may contain components with additional terms, conditions, and licenses regarding its use. Any non-conflicting terms in those conditions and licenses also apply to that respective component and supplements the terms described in this Agreement.
3. PRE-RELEASE VERSIONS. If the Licensed Content is a pre-release (beta) version, in addition to the other provisions in this agreement, then these terms also apply:
a. Pre-Release Licensed Content. This Licensed Content is a pre-release version. It may not contain the same information and/or work the way a final version of the Licensed Content will. We may change it for the final version. We also may not release a final version. Microsoft is under no obligation to provide you with any further content, including the final release version of the Licensed Content.
b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly or through its third party designee, you give to Microsoft without charge, the right to use, share and commercialize your feedback in any way and for any purpose. You also give to third parties, without charge, any patent rights needed for their products, technologies and services to use or interface with any specific parts of a Microsoft software, Microsoft product, or service that includes the feedback. You will not give feedback that is subject to a license that requires Microsoft to license its software, technologies, or products to third parties because we include your feedback in them. These rights
c. Term. If you are an Authorized Training Center, MCT or MPN, you agree to cease using all copies of the beta version of the Licensed Content upon (i) the date which Microsoft informs you is the end date for using the beta version, or (ii) sixty (60) days after the commercial release of the Licensed Content, whichever is earliest (beta term). Upon expiration or termination of the beta term, you will irretrievably delete and destroy all copies of same in the possession or under your control.
4. INTERNET-BASED SERVICES. Microsoft may provide Internet-based services with the Licensed Content, which may change or be canceled at any time.
a. Consent for Internet-Based Services. The Licensed Content may connect to computer systems over an Internet-based wireless network. In some cases, you will not receive a separate notice when they connect. Using the Licensed Content operates as your consent to the transmission of standard device information (including but not limited to technical information about your device, system and application software, and peripherals) for internet-based services.
b. Misuse of Internet-based Services. You may not use any Internet-based service in any way that could harm it or impair anyone else's use of it. You may not use the service to try to gain unauthorized access to any service, data, account or network by any means.
5. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation, you may use the Licensed Content only as expressly permitted in this agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only allow you to use it in certain ways. Except as expressly permitted in this agreement, you may not:
- install more copies of the Licensed Content on devices than the number of licenses you acquired;
- allow more individuals to access the Licensed Content than the number of licenses you acquired;
- publicly display, or make the Licensed Content available for others to access or use;
- install, sell, publish, transmit, encumber, pledge, lend, copy, adapt, link to, post, rent, lease or lend, make available or distribute the Licensed Content to any third party, except as expressly permitted by this Agreement;
- reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the Licensed Content except and only to the extent that applicable law expressly permits, despite this limitation;
- access or use any Licensed Content for which you are not providing a training session to End Users using the Licensed Content;
- access or use any Licensed Content that you have not been authorized by Microsoft to access and use; or
- transfer the Licensed Content, in whole or in part, or assign this agreement to any third party.
6. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to you in this agreement. The Licensed Content is protected by copyright and other intellectual property laws and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the Licensed Content. You may not remove or obscure any copyright, trademark or patent notices that appear on the Licensed Content or any components thereof, as delivered to you.
7. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the Licensed Content. These laws include restrictions on destinations, End Users and end use. For additional information, see www.microsoft.com/exporting.
8. LIMITATIONS ON SALE, RENTAL, ETC. AND CERTAIN ASSIGNMENTS. You may not sell, rent, lease, lend or sublicense the Licensed Content or any portion thereof, or transfer or assign this agreement.
9. SUPPORT SERVICES. Because the Licensed Content is "as is," we may not provide support services for it.
10. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail to comply with the terms and conditions of this agreement. Upon any termination of this agreement, you agree to immediately stop all use of and to irretrievably delete and destroy all copies of the Licensed Content in your possession or under your control.
11. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed Content. The third party sites are not under the control of Microsoft, and Microsoft is not responsible for the contents of any third party sites, any links contained in third party sites, or any changes or updates to third party sites. Microsoft is not responsible for webcasting or any other form of transmission received from any third party sites. Microsoft is providing these links to third party sites to you only as a convenience, and the inclusion of any link does not imply an endorsement by Microsoft of the third party site.
12. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates and support services are the entire agreement for the Licensed Content.
13. APPLICABLE LAW.
a. United States. If you acquired the Licensed Content in the United States, Washington state law governs the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws principles. The laws of the state where you live govern all other claims, including claims under state consumer protection laws, unfair competition laws, and in tort.
b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that country apply.
14. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. You may also have rights with respect to the party from whom you acquired the Licensed Content. This agreement does not change your rights under the laws of your country if the laws of your country do not permit it to do so.
15. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS," "WITH ALL FAULTS," AND "AS AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT CORPORATION AND ITS RESPECTIVE AFFILIATES GIVE NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS UNDER OR IN RELATION TO THE LICENSED CONTENT. YOU MAY HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, MICROSOFT CORPORATION AND ITS RESPECTIVE AFFILIATES EXCLUDE ANY IMPLIED WARRANTIES OR CONDITIONS, INCLUDING THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.
16. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. TO THE EXTENT NOT PROHIBITED BY LAW, YOU CAN RECOVER FROM MICROSOFT CORPORATION AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO USD$5.00. YOU AGREE NOT TO SEEK TO RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES FROM MICROSOFT CORPORATION AND ITS RESPECTIVE SUPPLIERS.
This limitation applies to
- anything related to the Licensed Content, services made available through the Licensed Content, or content (including code) on third party Internet sites or third-party programs; and
- claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of the damages. The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages.
Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this agreement are provided below in French.
DISCLAIMER OF WARRANTY. The Licensed Content covered by a license is offered "as is". Any use of this Licensed Content is at your sole risk. Microsoft grants no other express warranty. You may have additional rights under local consumer-protection law, which this agreement cannot modify. Where permitted by local law, the implied warranties of merchantability, fitness for a particular purpose and non-infringement are excluded.
LIMITATION OF DAMAGES AND EXCLUSION OF LIABILITY FOR DAMAGES. You may obtain from Microsoft and its suppliers compensation for direct damages only, up to US$5.00. You may not claim any compensation for other damages, including special, indirect or incidental damages and lost profits. This limitation concerns: anything related to the Licensed Content, to services, or to content (including code) appearing on third-party Internet sites or in third-party programs; and claims for breach of contract or warranty, or for strict liability, negligence or other fault, to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known of the possibility of such damage. If your country does not permit the exclusion or limitation of liability for indirect, incidental or other damages, the above limitation or exclusion may not apply to you.
LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. This agreement does not modify the rights conferred on you by the laws of your country if those laws do not permit it to do so.
Revised December 2011
Acknowledgments
Microsoft Learning would like to acknowledge and thank the following for their contribution towards developing this title. Their effort at various stages in the development has ensured that you have a good classroom experience.
Andrew Warren has more than 25 years of experience in the IT industry, many of which he has spent teaching and writing. He has been involved as the subject matter expert (SME) for many of the Windows Server 2008 courses and the technical lead on a number of other courses. He also has been involved in developing TechNet sessions on Microsoft Exchange Server 2007. Based in the United Kingdom, he runs his own IT training and education consultancy.
David Susemiehl has worked as a consultant, trainer, and courseware developer since 1996. David has extensive experience consulting on Microsoft Systems Management Server and Microsoft System Center Configuration Manager 2007, as well as Active Directory, Exchange Server, and Terminal Server/Citrix deployments. David has developed courseware for Microsoft and Hewlett-Packard, and delivered those courses successfully in Europe, Central America, and across North America. For the last several years, David has been writing courseware for Microsoft Learning, and consulting on infrastructure transitions in Michigan.
Jason Kellington is a Microsoft Certified Trainer (MCT), Microsoft Certified IT Professional (MCITP), and a Microsoft Certified Solutions Expert (MCSE), as well as a consultant, trainer and author. He has experience working with a wide range of Microsoft technologies, focusing on the design and deployment of enterprise network infrastructures. Jason works in several capacities with Microsoft, as an SME for Microsoft Learning courseware titles, a senior technical writer for Microsoft IT Showcase, and an author for Microsoft Press.
Seth Dietz is a Microsoft Certified Technology Specialist (MCTS), Microsoft Certified Solutions Associate (MCSA), and MCITP, and he has more than 15 years of IT experience. He currently works as a Sr. Technical Account Manager with In-Touch Computer Services, Inc. in Charlotte, NC, where he focuses on implementing outsourced IT solutions for small and medium businesses. Seth has worked as an SME on several development projects for Microsoft certification exams since 2008. His specializations include virtualization, backup and disaster recovery, mobility and wireless, Remote Desktop Services, Microsoft Office 365, network infrastructure, and Microsoft Small Business Server. Seth has been a project-management professional since 2004.
Contents
Module 1: Installing and Deploying Windows 8
Lesson 1: Introducing Windows 8 ........ 1-2
Lesson 2: Preparing to Install Windows 8 ........ 1-7
Lesson 3: Installing Windows 8 ........ 1-14
Lab A: Installing Windows 8 ........ 1-18
Lesson 4: Automating the Installation of Windows 8 ........ 1-21
Lab B: Performing an Unattended Installation of Windows 8 ........ 1-32
Lesson 5: Activating Windows 8 ........ 1-35
Module 8 Lab C: Configuring and Testing UAC
Module 9 Lab A: Configuring Internet Explorer Security
Module 9 Lab B: Configuring AppLocker (Optional)
Module 10 Lab A: Optimizing Windows 8 Performance
Module 10 Lab B: Maintaining Windows Updates
Module 11 Lab A: Configuring a Power Plan
Module 11 Lab B: Implementing a VPN
Module 11 Lab C: Implementing Remote Desktop
Module 13 Lab: Recovering Windows 8
This section provides you with a brief description of the course, audience, suggested prerequisites, and course objectives.
Note: This first release (A) MOC version of course 20687A has been developed on prerelease software (Release Preview (RP)). Microsoft Learning will release a B version of this course after the RTM version of the software is available.
This course will provide you with the knowledge and skills to install, manage, secure, and support Windows 8-based computers, devices, user accounts, and network resources. This course will teach you how to configure Windows 8 and troubleshoot various issues related to networking, data management, wireless connectivity and remote access. This course will also provide guidelines, best practices, and considerations that will help you optimize performance and minimize errors and security threats in Windows 8 client computers.
Audience
This course is intended for IT professionals who have prior experience configuring the Windows 8 operating system, troubleshooting issues, and providing user support for Windows 8-based computers and devices. These IT professionals could be consultants, full-time desktop support technicians, or IT generalists who provide support for Windows 8 computers as part of their broader technical duties. IT professionals seeking certification in the 70-687 Windows 8 Configuring exam also may take this course.
Student Prerequisites
This course requires that you meet the following prerequisites:
- Experience managing computers running on the Windows 8 operating system.
- Technical knowledge of networking fundamentals, including TCP/IP, User Datagram Protocol (UDP), and Domain Name System (DNS).
- Familiarity with Active Directory Domain Services (AD DS) principles and the fundamentals of AD DS management.
- Understanding of the Public Key Infrastructure (PKI) components and working knowledge of the fundamentals of Active Directory Certificate Services (AD CS).
- Knowledge of Microsoft Windows Server 2008 or Windows Server 2008 R2 fundamentals.
- Knowledge of Microsoft Windows client fundamentals; for example, working knowledge of Windows XP, Windows Vista, and/or Windows 7.
- Understanding of the fundamentals of management and experience using the Microsoft Office 2010 system or the Microsoft Office 2007 system.
- Knowledge of Windows Automated Installation Kit (WAIK) components including Windows PE, Windows System Image Manager (SIM), Volume Activation Management Tool (VAMT), ImageX, User State Migration Tool (USMT), and Deployment Image Servicing and Management (DISM) concepts and fundamentals.
Course Objectives
After completing this course, students will be able to:
- Plan and perform the installation of Windows 8.
- Install Windows 8 on computers that are running an existing operating system.
- Configure disks, partitions, volumes, and device drivers in a Windows 8 system.
- Configure network connectivity and troubleshoot connectivity issues.
- Install, configure, and maintain wireless network connections.
- Implement Windows 8 technologies to secure network connections.
- Share files and printers.
- Implement tools and technologies that can help secure Windows 8 desktops.
- Configure and control applications in Windows 8.
- Optimize and maintain Windows 8-based computers.
- Configure mobile computer settings and remote access.
- Describe Hyper-V for Windows 8, and describe how to use it to support legacy applications.
- Determine how to recover Windows 8 from various failures.
- Describe how to use Windows PowerShell to manage Windows 8.
Course Outline
This section provides an outline of the course:
Module 1, "Installing Windows 8," describes the key features of Windows 8, and the differences between the various versions. This module also describes how to install and activate Windows 8 on a computer.
Module 2, "Upgrading and Migrating to Windows 8," describes how to install Windows 8 on computers that are running other operating systems. The module describes the processes of upgrading or migrating to Windows 8, and discusses the differences between the two.
Module 3, "Managing Disks and Device Drivers," describes how to configure and manage disks, partitions, and volumes in a Windows 8 system. Additionally, this module describes how to install, configure, and troubleshoot device drivers.
Module 4, "Configuring and Troubleshooting Network Connections," compares IPv4 and IPv6 addresses, and describes how to configure both. The module also describes how to implement automatic IP address allocation and name resolution. The module concludes with a lab on troubleshooting network connectivity.
Module 5, "Implementing Wireless Network Connections," provides an overview of wireless networks, and describes how to install, configure, and troubleshoot them.
Module 6, "Implementing Network Security," provides an overview of common network security threats, and how to mitigate them by configuring inbound and outbound firewall rules, connection security rules, Windows Defender, and host-based virus and malware protection.
Module 7, "Configuring File Access and Printers on Windows 8 Clients," describes how to manage file access, and configure NTFS file-system permissions for files and folders. The module also provides an overview of shared folders, file compression, and the impact of moving and copying compressed files and folders. The module then goes on to describe how to create and share printers, and concludes with an overview of Windows Live SkyDrive.
Module 8, "Securing Windows 8 Desktops," describes new authentication and authorization features in Windows 8. The module also describes how to implement local Group Policy objects, secure data with Encrypting File Service (EFS) and BitLocker drive encryption, and configure User Account Control (UAC).
Module 9, "Configuring Applications," describes how to install and configure applications, application compatibility, and application restrictions in Windows 8. Additionally, the module describes how to configure and test Windows Internet Explorer security settings, and AppLocker rules that restrict the running of applications.
Module 10, "Optimizing and Maintaining Windows 8 Client Computers," describes how to identify issues with performance and reliability, and use tools such as Resource Monitor, Data Collector Sets, and Performance Monitor. The module also describes how to optimize Windows 8 performance, and manage and maintain Windows updates. Additionally, the module describes how to manage Windows 8 reliability by using Windows diagnostic tools.
Module 11, "Configuring Mobile Computing and Remote Access," describes how to configure mobile computer settings and power plans, and provides an overview of mobile device sync partnerships and power-saving options. The module also describes how to enable and configure virtual private network (VPN) access, create and test a VPN, and configure Remote Desktop and Remote Assistance. The module concludes with an overview of DirectAccess, and how it works for internal and external clients.
Module 12, "Implementing Hyper-V," describes the fundamentals of Hyper-V for Windows 8 and scenarios for using it. The module also describes how to create and configure virtual machines in Hyper-V, and how to manage virtual hard disks (VHDs) and snapshots.
Module 13, "Troubleshooting and Recovering Windows 8," describes how to back up data and use recovery options such as System Restore to recover Windows 8.
Appendix A, "Using Windows PowerShell," describes the fundamentals of Windows PowerShell, and how to use Windows PowerShell cmdlets and remote commands.
Course Materials
The following materials are included with your kit:
Course Handbook: A succinct classroom learning guide that provides all the critical technical information in a crisp, tightly focused format, which is just right for an effective in-class learning experience.
Lessons: Guide you through the learning objectives and provide the key points that are critical to the success of the in-class learning experience.
Labs: Provide a real-world, hands-on platform for you to apply the knowledge and skills learned in the module.
Module Reviews and Takeaways: Provide improved on-the-job reference material to boost knowledge and skills retention.
Lab Answer Keys: Provide step-by-step lab solution guidance at your fingertips when it's needed.
Course Companion Content on the http://www.microsoft.com/learning/companionmoc Site: Searchable, easy-to-navigate digital content with integrated premium online resources designed to supplement the Course Handbook.
Modules: Include companion content, such as questions and answers, detailed demo steps and additional reading links, for each lesson. Additionally, they include Lab Review questions and answers and Module Reviews and Takeaways sections, which contain the review questions and answers, best practices, common issues and troubleshooting tips with answers, and real-world issues and scenarios with answers.
Resources: Include well-categorized additional resources that give you immediate access to the most up-to-date premium content on TechNet, MSDN, and Microsoft Press.
Student Course Files on the http://www.microsoft.com/learning/companionmoc Site: Includes Allfiles.exe, a self-extracting executable file that contains all the files required for the labs and demonstrations.
Course Evaluation
At the end of the course, you will have the opportunity to complete an online evaluation to provide feedback on the course, training facility, and instructor.
To provide additional comments or feedback on the course, send e-mail to support@mscourseware.com. To inquire about the Microsoft Certification Program, send e-mail to mcphelp@microsoft.com.
This section provides the information for setting up the classroom environment to support the business scenario of the course.
In this course, you will use Microsoft Hyper-V to perform the labs.
Important: At the end of each lab, you must close the virtual machine and must not save any changes. To close a virtual machine without saving the changes, perform the following steps:
1. On the virtual machine, on the Action menu, click Close.
2. In the Close dialog box, in the What do you want the virtual machine to do? list, click Turn off and delete changes, and then click OK.
The following table shows the role of each virtual machine used in this course:
Virtual machine: Role
20687A-LON-DC1: Domain controller in the Adatum.com domain
20687A-LON-CL1: Domain member
20687A-LON-CL2: Domain member
20687A-LON-CL3: Domain member
20687A-LON-CL4: Blank with no operating system installed, but linked to the Windows 8 Enterprise client ISO
Software Configuration
The following software is installed on each VM:
Windows Server 8
Windows 8 Client (Windows 8 Enterprise)
Microsoft Office 2010
On the server, possibly also Windows Automated Installation Kit (AIK)
Classroom Setup
Each classroom computer will have the same virtual machine configured in the same way.
In addition, the instructor computer must be connected to a projection display device that supports SVGA 1024 x 768 pixels, 16-bit colors.
Module 1
Installing and Deploying Windows 8
Contents:
Module Overview 1-1
Lesson 1: Introducing Windows 8 1-2
Lesson 2: Preparing to Install Windows 8 1-7
Lesson 3: Installing Windows 8 1-14
Lab A: Installing Windows 8 1-18
Lesson 4: Automating the Installation of Windows 8 1-21
Lab B: Performing an Unattended Installation of Windows 8 1-32
Lesson 5: Activating Windows 8 1-35
Module Review and Takeaways 1-39
Module Overview
Windows 8 is the latest Microsoft client operating system. With new features and capabilities, it builds on the strong core functionality of Windows 7 to provide a stable and feature-rich client experience across many form factors. This module will introduce you to some new features of Windows 8, provide guidance on installing Windows 8, and introduce you to the Windows 8 licensing environment.
Objectives
After completing this module, you will be able to:
Describe the different editions of Windows 8.
Prepare a computer for Windows 8 installation.
Install Windows 8.
Automate the installation of Windows 8.
Explain Windows 8 licensing and activation.
Lesson 1
Introducing Windows 8
Windows 8 is designed to meet a large scope of computing needs, and to enable users to perform tasks efficiently. Windows 8 enables you to take advantage of computing devices from traditional platforms, and the latest tablet and phone platforms. This lesson will introduce you to the key Windows 8 features and the different Windows 8 editions that are available. The lesson also will describe why and when you might select a specific Windows edition.
The design of Windows 8 enables it to support the unique working styles of many different people. The new user interface and app model increase users' productivity, and the design of the new Start screen makes it the central hub of user activity and data integration.
Windows 8 represents Microsoft's most significant change in operating system design since the introduction of the Microsoft Windows 95 operating system. Windows 8 contains more than 300 new features. The following section highlights some of the most important features and changes:
Start screen. The Start screen represents a significant shift in the way users find and interact with applications and information in Windows 8. The Start screen is tile-based, and its configurable tiles can display live information and provide an interactive hub experience for users. With its touch-friendly layout, it is significantly different from the Start button interface that has been implemented in Windows since Windows 95.
Cloud integration. Windows 8 provides increased integration with cloud-based services and information. Users signing in to a Windows 8 desktop computer can instantly connect to the information and settings that are important to them. Windows 8 ensures a consistent user experience across any computer, regardless of the computer's location.
Reset and refresh your PC. By using Reset and Refresh, users and IT staff can return a computer to a specific default state, or recover Windows 8 from errors or corrupt operating system files:
o Reset your PC removes all personal data, apps, and settings from the PC, and reinstalls Windows.
o Refresh your PC keeps all personal data, desktop-style apps, and other important settings, and reinstalls Windows, retaining the user experience and user data.
Windows To Go. Windows To Go enables you to supply a fully functioning copy of Windows 8 that can start and run from a universal serial bus (USB) storage device. When users boot from a Windows To Go-enabled USB device, they get a complete Windows 8 experience, along with all of their applications, files, and settings.
Remote Desktop Services. Windows 8 now includes Remote Desktop Services (RDS) capability, which enables multiple users to connect remotely to the same computing infrastructure, each in an isolated session. You can use Windows 8 in Virtual Desktop Infrastructure (VDI) scenarios to provide robust and universal access to Windows 8 desktops.
Hyper-V. Hyper-V on Windows 8 provides a flexible and high-performing client virtualization environment. You can take advantage of this environment to test applications and IT scenarios in multiple operating system configurations, by using a single computer. By using Hyper-V, IT departments can provide a consolidated and efficient virtual environment through virtual machine compatibility with Windows Server 2012.
Support for multiple form factors. Windows 8 is the first Windows operating system to provide support for both the x86 and the ARM platform. Windows 8 runs on PCs, as well as tablets and similar devices, providing more ubiquitous access to the Windows 8 environment for users.
Windows 8 Editions
Windows 8 comes in three separate editions on the x86 platform:
Windows 8. This is the most basic edition available. It contains the key features necessary for general home and small-business use.
Windows 8 Pro. This edition is designed to support the needs of business and technical professionals, and supports a broader set of Windows 8 technologies, including encryption, virtualization, computer management, and domain connectivity.
Windows 8 Enterprise. This edition supports the full set of Windows 8 functionality, and additionally includes enterprise-level security, mobility, and configuration.
Understanding Windows RT
Windows 8 is the first Windows client operating system that supports the ARM processor architecture that is commonly found in mobile devices such as tablets and phones. Windows RT is designed specifically to run apps built on the Metro platform, and it is available only as a preinstalled operating system on tablets and similar devices with ARM processors. ARM provides a lightweight form factor with excellent battery life, specifically for mobile devices. Windows RT is preloaded with touch-optimized versions of Microsoft Office applications, and is limited to running apps built using the Metro style UI.
Note: Further detail on Windows RT is outside of the scope of this course. It is mentioned here for reference only. Unless otherwise noted, all references to Windows 8 in this course are for the x86 and x64 editions.
Improved performance. The 64-bit processors can process more data for each clock cycle, enabling you to scale your applications to run faster or support more users. However, to benefit from this improved processor capacity, you must install a 64-bit edition of the operating system.
Enhanced memory. A 64-bit operating system can make more efficient use of random access memory (RAM), and it can address memory above 4 gigabytes (GB). This is unlike all 32-bit operating systems, including all 32-bit editions of Windows 8, which are limited to 4 GB of addressable memory.
Improved device support. Although 64-bit processors have been available for some time, in the past it was difficult to obtain third-party drivers for commonly used devices, such as printers, scanners, and other common office equipment. Since the release of the 64-bit versions of Windows Vista and Windows 7, the availability of drivers for these devices has improved greatly. Because Windows 8 is built on the same kernel as Windows 7, most of the drivers that work with Windows 7 also work with Windows 8.
Improved security. The architecture of 64-bit processors enables a more secure operating system environment through Kernel Patch Protection (KPP), mandatory kernel-mode driver signing, and Data Execution Prevention (DEP).
Support for the Client Hyper-V feature. This feature is only supported in the 64-bit versions of Windows 8. Hyper-V requires a 64-bit processor architecture that supports second level address translation.
In most cases, a computer will run the version of Windows 8 that corresponds to its processor architecture. A computer with a 32-bit processor will run the 32-bit version of Windows 8, and a computer with a 64-bit processor will run the 64-bit version of Windows 8. You can use the following list to determine which version of Windows 8 should be installed on a computer.
You can install 64-bit versions of Windows 8 only on computers with 64-bit processor architecture.
You can install 32-bit versions of Windows 8 on computers with 32-bit or 64-bit processor architecture. When you install a 32-bit version of Windows 8 on a 32-bit processor architecture, the operating system does not take advantage of any 64-bit processor architecture features or functionality.
32-bit drivers will not work in 64-bit versions of Windows 8. If you have hardware that is supported by 32-bit drivers only, you must use a 32-bit version of Windows 8, regardless of the computer's processor architecture.
You can install 32-bit versions of Windows 8 on 64-bit architecture computers to support earlier versions of applications or for testing purposes.
The 64-bit editions of Windows 8 do not support the 16-bit Windows on Windows (WOW) environment. If your organization requires earlier versions of 16-bit applications, they will not run natively in Windows 8. One solution is to run the application within a virtual environment by using Client Hyper-V.
Lesson 2
Preparing to Install Windows 8
The first step in installing Windows 8 on a computer is to ensure that the hardware and software being run on the computer will be compatible with Windows 8. As a part of preparing for the Windows 8 installation process, you need to understand minimum hardware requirements, identify problematic devices, drivers, and applications, and understand the installation methods available.
This lesson will introduce you to these concepts, and equip you with information that you need to plan a successful Windows 8 installation.
Lesson Objectives
After completing this lesson, you will be able to:
Describe minimum recommended hardware requirements for installing Windows 8.
Explain how to check for device and screen resolution compatibility.
Understand and identify common application-compatibility issues.
Identify methods for mitigating application-compatibility issues.
Describe the options available for installing Windows 8.
The Windows 8 kernel has been refined and improved from Windows 7 and, in many cases, you may see improvements in general performance on the same computer in several different areas.
In addition to the requirements listed in the preceding section, Windows 8 contains several features that require a specific hardware configuration before they will install or run correctly:
The Windows 8 secured boot process requires a BIOS based on Unified Extensible Firmware Interface (UEFI). The secured boot process takes advantage of UEFI to prevent the launching of unknown or potentially unwanted operating-system boot loaders between the system's BIOS starting and the Windows 8 operating system start. While the secure boot process is not mandatory for Windows 8, it greatly increases the integrity of the boot process.
Client Hyper-V requires a 64-bit processor architecture that supports second level address translation (SLAT). SLAT reduces the overhead incurred during the virtual-to-physical address mapping process performed for virtual machines.
The BitLocker feature requires a computer that supports Trusted Platform Module (TPM) to provide the most seamless and secure BitLocker experience. TPM allows the storage of BitLocker encryption keys within a microcontroller on a computer's motherboard.
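The checks from the 64-bit discussion above (processor width, RAM above 4 GB) and the feature-specific requirements just listed (SLAT for Client Hyper-V, UEFI Secure Boot, TPM for BitLocker, and the screen resolution thresholds that follow later in this lesson) gathered into one readiness report, as an added example that is not part of the course materials. It assumes Windows PowerShell 3.0 or later, run from an elevated prompt on the computer being evaluated; the property and cmdlet names are the ones Windows exposes, and the SLAT property only exists on Windows 8.

```powershell
# Added example (not from the course): Windows 8 hardware readiness report.
# Assumes Windows PowerShell 3.0+ running elevated on the candidate computer.
function Get-Win8ReadinessReport {
    $cpu   = Get-WmiObject -Class Win32_Processor | Select-Object -First 1
    $cs    = Get-WmiObject -Class Win32_ComputerSystem
    $video = Get-WmiObject -Class Win32_VideoController | Select-Object -First 1

    $r = [ordered]@{}

    # DataWidth is the processor's native width; AddressWidth is what the
    # installed OS uses (32 on a 32-bit OS even when the CPU is 64-bit capable).
    $r.CpuIs64BitCapable = ($cpu.DataWidth -eq 64)
    $r.CurrentOsIs64Bit  = ($cpu.AddressWidth -eq 64)
    $r.Eligible64BitWin8 = $r.CpuIs64BitCapable

    # Memory above 4 GB is only addressable by the 64-bit editions.
    $ramGb = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
    $r.PhysicalRamGb      = $ramGb
    $r.RamNeeds64BitToUse = ($ramGb -gt 4)

    # Client Hyper-V needs a 64-bit CPU with SLAT. Win32_Processor exposes the
    # SLAT flag on Windows 8; on Windows 7 the property is absent ($null).
    $slat = $cpu.SecondLevelAddressTranslationExtensions
    if ($null -eq $slat) {
        $r.SlatSupported = 'Unknown (query from Windows 8, or use Sysinternals Coreinfo)'
    } else {
        $r.SlatSupported = [bool]$slat
    }
    $r.ClientHyperVEligible = ($r.CpuIs64BitCapable -and ($slat -eq $true))

    # Secure Boot: Confirm-SecureBootUEFI ships with Windows 8 and throws on
    # legacy BIOS firmware (or where the cmdlet does not exist).
    try   { $r.SecureBootEnabled = Confirm-SecureBootUEFI -ErrorAction Stop }
    catch { $r.SecureBootEnabled = "Not available: $($_.Exception.Message)" }

    # TPM for BitLocker, through the WMI provider available since Windows Vista.
    $tpm = Get-WmiObject -Namespace root\cimv2\Security\MicrosoftTpm -Class Win32_Tpm `
                         -ErrorAction SilentlyContinue
    if ($tpm) {
        $r.TpmPresent   = $true
        $r.TpmEnabled   = [bool]$tpm.IsEnabled_InitialValue
        $r.TpmActivated = [bool]$tpm.IsActivated_InitialValue
    } else {
        $r.TpmPresent = $false
    }

    # Metro-style apps need 1024x768; the snap feature needs 1366x768.
    $w = [int]$video.CurrentHorizontalResolution
    $h = [int]$video.CurrentVerticalResolution
    $r.Resolution         = "${w}x${h}"
    $r.MetroAppsSupported = ($w -ge 1024 -and $h -ge 768)
    $r.SnapSupported      = ($w -ge 1366 -and $h -ge 768)

    [pscustomobject]$r
}

Get-Win8ReadinessReport | Format-List
```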
However, there are other devices and computer hardware components that must have drivers loaded as well. Critical system components, such as hard drive controllers, chipsets, graphics adapters, network adapters, and other important system devices, must have drivers to function properly.
The Windows 8 setup process will check the installation computer automatically for device and driver compatibility. However, when an organization is deploying multiple installations of Windows 8 at once, it's best to be sure that the computer hardware for those computers is compatible with Windows 8. Confirming hardware compatibility enables a smoother installation process.
The Compatibility Center for Windows 8 website on Microsoft.com provides information about Windows 8 program and device compatibility. The website contains a catalog of programs and devices, and pertinent compatibility information including:
Device make and model
Links to more information about the device
Compatibility status
Driver versions available (32-bit or 64-bit)
The Compatibility Center for Windows 8 website also enables community interaction, where users can provide feedback for devices to confirm compatibility.
A new requirement in Windows 8 is that Metro-style applications should have a minimum of 1024x768 screen resolution, and 1366x768 for the snap feature. This enables you to snap a Metro app to the side of the desktop, making it viewable while you use other Metro or traditional apps. If you attempt to launch a Metro style app with less than this required resolution, you will receive an error message. The maximum supported resolution for Windows 8 is 2560x1440, allowing for large format traditional displays, or high-pixel density displays on smaller form-factor devices.
Additional Reading: http://www.microsoft.com/en-us/windows/compatibility/en-US/CompatCenter/Home.
During application setup and installation, an application might try to copy files and shortcuts to folders that existed in a previous Windows operating system, but no longer exist for the new operating system. This can prevent the application from installing properly or even installing at all.
User Account Control (UAC) adds security to Windows by controlling administrator-level access to the computer, and by restricting most users to run as standard users. When users attempt to launch an application that requires administrative permissions, the system prompts them to confirm their intention to do so.
UAC also limits the context in which a process executes, to minimize the ability of users to inadvertently expose their computer to viruses or other malware. This change affects any application installer or update that requires administrator permissions to run, performs unnecessary administrator checks or actions, or attempts to write to a nonvirtualized registry location. However, UAC may result in the following compatibility issues:
Custom installers, uninstallers, and updaters may not be detected and elevated to run as administrator.
Standard user applications that require administrative privileges to perform their tasks may fail or might not make this task available to standard users.
Applications that attempt to perform tasks for which the current user does not have the necessary permissions may fail. How the failure manifests itself is dependent upon how the application was written.
Control Panel applications that perform administrative tasks and make global changes may not function properly and may fail.
Dynamic link library (DLL) applications that run using RunDLL32.exe may not function properly if they perform global operations.
Standard user applications writing to global locations will be redirected to per-user locations through virtualization.
Windows Resource Protection (WRP) protects Windows resources, such as files, folders, and registries, in a read-only state. This affects specific files, folders, and registry keys only. WRP restricts updates to protected resources to the operating system trusted installers, such as Windows Servicing. This enables better protection for the components and applications that ship with the operating system from the impact of other applications and administrators. However, WRP may result in the following compatibility issues:
Application installers that attempt to replace, modify, or delete operating system files and/or registry keys that WRP protects may fail, with an error message indicating that the resource cannot be updated. This is because access to these resources is denied.
Applications that attempt to write new registry keys or values to protected registry keys may fail with an error message that indicates that the change failed because access was denied.
Applications that attempt to write to protected resources may fail if they rely on registry keys or values.
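Two diagnostics for the UAC and WRP issues described above, as an added example that is not part of the course: the first lists writes that UAC file and registry virtualization has silently redirected to per-user locations (evidence of an application that writes to global locations), and the second reports whether a given file, folder or registry key carries the WRP ownership pattern (owned by TrustedInstaller) that causes installers to be denied. It assumes Windows PowerShell 3.0 or later; the sample paths at the end are placeholders chosen for illustration.

```powershell
# Added example (not from the course). Assumes Windows PowerShell 3.0+.

# 1. Writes redirected by UAC virtualization. File writes land under
#    %LOCALAPPDATA%\VirtualStore, registry writes under HKCU\...\VirtualStore\MACHINE.
function Get-UacVirtualizedWrites {
    $results = @()

    $fileStore = Join-Path $env:LOCALAPPDATA 'VirtualStore'
    if (Test-Path $fileStore) {
        Get-ChildItem -Path $fileStore -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
            # VirtualStore\Program Files\App\x.ini maps back to <SystemDrive>\Program Files\App\x.ini
            $relative = $_.FullName.Substring($fileStore.Length).TrimStart('\')
            $results += [pscustomobject]@{
                Kind     = 'File'
                Virtual  = $_.FullName
                Intended = Join-Path $env:SystemDrive $relative
            }
        }
    }

    $regStore = 'HKCU:\Software\Classes\VirtualStore\MACHINE'
    if (Test-Path $regStore) {
        Get-ChildItem -Path $regStore -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            # HKCU\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Vendor maps back to HKLM\SOFTWARE\Vendor
            $results += [pscustomobject]@{
                Kind     = 'Registry'
                Virtual  = $_.Name
                Intended = ($_.Name -replace '^HKEY_CURRENT_USER\\Software\\Classes\\VirtualStore\\MACHINE\\',
                                             'HKEY_LOCAL_MACHINE\')
            }
        }
    }
    $results
}

# 2. WRP-protected resources are owned by TrustedInstaller, which also holds the
#    only Allow entries with full control; everyone else is read/execute.
function Test-WrpProtected {
    param([Parameter(Mandatory)][string]$Path)   # file, folder, or registry path such as HKLM:\...
    $acl = Get-Acl -Path $Path
    $ti  = 'NT SERVICE\TrustedInstaller'
    $tiAllow = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $ti -and $_.AccessControlType -eq 'Allow'
    })
    [pscustomobject]@{
        Path      = $Path
        Owner     = $acl.Owner
        Protected = (($acl.Owner -eq $ti) -and ($tiAllow.Count -gt 0))
    }
}

# Sample usage (placeholder targets): the kernel image is a well-known WRP-protected
# file; the registry key is simply reported as found.
Test-WrpProtected -Path (Join-Path $env:SystemRoot 'System32\ntoskrnl.exe')
Test-WrpProtected -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
Get-UacVirtualizedWrites | Format-Table -AutoSize
```

Every application that shows up in the VirtualStore listing is a candidate for a shim, a manifest fix from the vendor, or one of the other mitigation methods later in this lesson.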
64-Bit Architecture
Windows 8 fully supports the 64-bit architecture. The 64-bit version of Windows 8 can run all 32-bit applications with the help of the WOW64 emulator. Considerations for the 64-Bit Windows 8 include:
Applications or components that use 16-bit executables, 16-bit installers, or 32-bit kernel drivers will either fail to start or will function improperly on a 64-bit edition of Windows 8.
Installation of 32-bit kernel drivers will fail on the 64-bit system. If an installer manually adds a driver by editing the registry, the system will not load this driver, and this can cause a system failure.
Installation of 64-bit unsigned drivers will fail on the 64-bit system. If an installer manually adds a driver by editing the registry, the system will not load the driver during load time if it is not signed.
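A pre-upgrade inventory of the installed kernel-mode drivers that flags the two cases just described (32-bit driver images and unsigned images), as an added example that is not part of the course. It assumes Windows PowerShell 3.0 or later run elevated on the computer you plan to upgrade; the bitness is read directly from each driver's PE header, using the machine-type constants from the PE file format specification.

```powershell
# Added example (not from the course). Assumes Windows PowerShell 3.0+, elevated.

# Read IMAGE_FILE_HEADER.Machine from a PE image to learn its architecture.
function Get-PEMachineType {
    param([Parameter(Mandatory)][string]$Path)
    # FileShare ReadWrite so that driver images that are loaded can still be read.
    $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try {
        $br = New-Object System.IO.BinaryReader($fs)
        if ($br.ReadUInt16() -ne 0x5A4D) { return 'NotPE' }      # 'MZ' DOS header
        $null = $fs.Seek(0x3C, 'Begin')                            # e_lfanew
        $peOffset = $br.ReadUInt32()
        $null = $fs.Seek($peOffset, 'Begin')
        if ($br.ReadUInt32() -ne 0x00004550) { return 'NotPE' }    # 'PE\0\0'
        switch ($br.ReadUInt16()) {                                # Machine field
            0x014C  { 'x86' }
            0x8664  { 'x64' }
            0x01C4  { 'ARM' }
            default { 'Other' }
        }
    } finally {
        $fs.Dispose()
    }
}

# The service database stores driver paths in several forms:
# \SystemRoot\system32\drivers\x.sys, \??\C:\...\x.sys, system32\drivers\x.sys
function Resolve-DriverPath {
    param([string]$PathName)
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    $p = $p -replace '^system32', (Join-Path $env:SystemRoot 'system32')
    $p
}

function Get-DriverUpgradeRisks {
    Get-WmiObject -Class Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            if (-not (Test-Path -LiteralPath $path)) { return }    # skip this driver
            $company = (Get-Item -LiteralPath $path).VersionInfo.CompanyName
            $machine = Get-PEMachineType -Path $path
            # Inbox drivers are catalog-signed, so Get-AuthenticodeSignature can
            # report NotSigned for them; third-party drivers carry an embedded signature.
            $sig = (Get-AuthenticodeSignature -FilePath $path).Status
            $issues = @()
            if ($machine -eq 'x86') {
                $issues += '32-bit kernel driver: will not load on 64-bit Windows 8'
            }
            if ($sig -ne 'Valid' -and $company -notmatch 'Microsoft') {
                $issues += "Signature status ${sig}: unsigned drivers are blocked on 64-bit Windows 8"
            }
            [pscustomobject]@{
                Name      = $_.Name
                State     = $_.State
                Path      = $path
                Machine   = $machine
                Signature = $sig
                Company   = $company
                Issues    = ($issues -join '; ')
            }
        }
}

# On a 32-bit Windows 7 source computer every driver is x86, so the list becomes
# the set of devices for which a 64-bit driver must be obtained before upgrading.
Get-DriverUpgradeRisks | Where-Object { $_.Issues } |
    Format-Table Name, Machine, Signature, Company, Issues -AutoSize
```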
Windows Filtering Platform (WFP) is an application program interface (API) that enables developers to create code that interacts with the filtering that occurs at several layers in the networking stack and throughout the operating system. If you are using a previous version of this API in your environment, you may experience failures when running security-class applications, such as network scanning, antivirus programs, or firewall applications.
The operating system version number changes with each operating system release. For Windows 7, the internal version number is 6.1, whereas for Windows 8, the internal version number is 6.2. The GetVersion function returns this value when it is queried by an application. This change affects any application or application installer that specifically checks for the operating system version, and might prevent the installation from occurring or the application from running.
Kernel-Mode Drivers
Kernel-mode drivers must support the Windows 8 operating system or be redesigned to follow the User-Mode Driver Framework (UMDF). UMDF is a device driver development platform that was introduced in Windows Vista.
Test your web applications and websites for compatibility with new releases and security updates to Windows Internet Explorer.
Mitigating an application compatibility issue typically depends on various factors, such as the type of application and current support for the application.
Mitigation Methods
Some of the more common mitigation methods include the following:
Modifying the configuration of the existing application. There can be compatibility issues that require a modification to the application configuration, such as moving files to different folders, modifying registry entries, or changing file or folder permissions. You can use tools such as the Compatibility Administrator or the Standard User Analyzer (installed with ACT) to detect and create application fixes (also called shims) to address compatibility issues. Contact the software vendor for information about any additional compatibility solutions.
Applying updates or service packs to the application. Updates or service packs may be available to address many of the compatibility issues, and they help the application to run with the new operating system environment. After applying the update or service pack, additional application tests can ensure that the compatibility issue has been mitigated.
Upgrading the application to a compatible version. If a newer, compatible version of the application exists, the best long-term mitigation is to upgrade to the newer version. Using this approach, you must consider both the cost of the upgrade and any potential problems that may arise with having two different versions of the application.
Modifying the security configuration. If your compatibility issues appear to be permissions-related, a short-term solution is to modify the security configuration of the application. Using this approach, you must conduct a full risk analysis and gain consensus from your organization's security team regarding the modifications. For example, you can mitigate Internet Explorer Protected Mode by adding the site to the trusted site list or by turning off Protected Mode, which we do not recommend.
Running the application in a virtualized environment. If all other methods are unavailable, you may be able to run the application in an earlier version of Windows using virtualization tools such as Hyper-V. Later sections of this course will provide more details about Hyper-V.
Using application-compatibility features. You can mitigate application issues, such as operating-system versioning, by running the application in compatibility mode. You can access this mode by right-clicking the shortcut or .exe file, and then applying Windows Vista or Windows XP compatibility mode from the Compatibility tab. You also can use the Program Compatibility Wizard to assist in configuring an application's compatibility mode. The Program Compatibility Wizard is in Control Panel, under Programs and Features.
Selecting another application that performs the same business function. If another compatible application is available, consider switching to the compatible application. When using this approach, you must consider both the cost of the application and the cost of employee support and training.
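The compatibility mode that the Compatibility tab applies is stored per executable in the AppCompatFlags\Layers registry key, so it can be set, read, and removed by script when many computers need the same fix; the following is an added example, not part of the course or of any Microsoft tool. It assumes Windows 8 with PowerShell 3.0 or later; the layer tokens are the ones the shell uses, the leading "~ " marker is assumed to be what the Windows 8 Compatibility tab writes, and C:\Apps\Legacy\legacy.exe is a placeholder path.

```powershell
# Added example (not from the course). Assumes Windows 8, PowerShell 3.0+.

# Per-user layers key. The HKLM: equivalent applies to all users (needs elevation).
$LayersKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'

function Set-CompatibilityLayer {
    param(
        [Parameter(Mandatory)][string]$ExePath,
        [Parameter(Mandatory)]
        [ValidateSet('WINXPSP3','VISTARTM','WIN7RTM','RUNASADMIN',
                     '256COLOR','640X480','DISABLETHEMES','HIGHDPIAWARE')]
        [string[]]$Layer
    )
    if (-not (Test-Path $LayersKey)) { $null = New-Item -Path $LayersKey -Force }
    # Value name = full path of the executable; data = space-separated layer tokens.
    # The "~ " prefix is assumed to match what the Windows 8 Compatibility tab writes.
    Set-ItemProperty -Path $LayersKey -Name $ExePath -Type String `
                     -Value ('~ ' + ($Layer -join ' '))
}

function Get-CompatibilityLayer {
    param([Parameter(Mandatory)][string]$ExePath)
    if (-not (Test-Path $LayersKey)) { return $null }
    $value = (Get-ItemProperty -Path $LayersKey).PSObject.Properties[$ExePath]
    if ($value) { ($value.Value -replace '^~\s*', '') -split ' ' } else { $null }
}

function Remove-CompatibilityLayer {
    param([Parameter(Mandatory)][string]$ExePath)
    if (Test-Path $LayersKey) {
        Remove-ItemProperty -Path $LayersKey -Name $ExePath -ErrorAction SilentlyContinue
    }
}

# Usage (placeholder path): make a legacy application see a Windows XP SP3 version
# number, which addresses the operating-system versioning issue, and run it elevated.
$app = 'C:\Apps\Legacy\legacy.exe'
Set-CompatibilityLayer -ExePath $app -Layer WINXPSP3, RUNASADMIN
Get-CompatibilityLayer -ExePath $app
Remove-CompatibilityLayer -ExePath $app
```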
You also can use an image to perform a clean installation.
Upgrade installation. Perform an upgrade, which also is known as an in-place upgrade, when you want to replace an existing version of Windows with Windows 8 and you need to retain all user applications, files, and settings.
To perform an in-place upgrade to Windows 8, run the Windows 8 installation program (setup.exe), and select Upgrade. You can run setup.exe from the product DVD or from a network share. During an in-place upgrade, the Windows 8 installation program retains all user settings, data, hardware device settings, applications, and other configuration information automatically. Always back up all of your important data before performing an upgrade.
Migration. You perform a migration when you have a computer already running Windows 7, and need to move files and settings from your old operating system (source computer) to the Windows 8-based computer (destination computer). Perform a migration by doing the following:
o Back up the user's settings and data
o Perform a clean installation
o Reinstall the applications
o Restore the user's settings and data
There are two migration scenarios: side-by-side, and wipe and load. In side-by-side migration, the source computer and the destination computer are two different computers. In wipe-and-load migration, the target computer and the source computer are the same. To perform a wipe-and-load migration, you perform a clean installation of Windows 8 on a computer that already has an operating system, by running the Windows 8 installation program, and then selecting Custom (advanced).
Automated installation. You perform an automated installation when you use one of the above methods of installation in combination with an automation tool, to make the installation more seamless, or to remove repetitive tasks from the installation process.
Automated installations can take many forms, including pushing precreated images to computers, using an enterprise-level tool such as the Microsoft Deployment Toolkit (MDT), Windows Deployment Services (WDS) and the Windows Assessment and Deployment Kit, or even by creating an answer file manually to provide information directly to the installation process.
Lesson 3
Although you can perform a Windows 8 installation by using a number of different methods, the image-based nature of the installation process and the desired result (a properly functioning Windows 8 computer) remain consistent, regardless of the method. Determining which method to use and how to best implement that method are important parts of the planning process for a Windows 8 installation.
This lesson will help you analyze the reasons behind using certain methods, help you to understand how you can implement those methods, and introduce the Windows To Go method, which is new in Windows 8.
2. If your computer does not currently have an operating system, start the computer by using the product DVD. If your computer already has an operating system, you also can start the computer with the old operating system, and then run the Windows 8 installation from the product DVD on that operating system.
3. Complete the wizard.
Instead of a DVD, you can store the Windows 8 installation files in a network share. Generally, the network source is a shared folder on a file server. Perform the following steps to install Windows 8 from a network share:
1. If your computer does not currently have an operating system, start the computer by using the Windows Preinstallation Environment (Windows PE). You can start Windows PE from bootable media, such as a DVD or a USB flash drive, or from a network PXE boot, by using WDS. If your computer already has an operating system, you can start the computer with the old operating system.
2. Connect to the network share that contains the Windows 8 files.
3. Run the Windows 8 installation program (setup.exe) from the network share.
4. Complete the wizard.
Install Windows 8 to a reference computer, and then prepare the reference computer for duplication.
Create a WIM image of the reference computer by using ImageX. You can run ImageX from a command prompt or from Windows PE. ImageX captures a volume image to a WIM file. WIM files are not tied to a particular hardware configuration, and you can modify them after capture to add new drivers, patches, or applications.
Use one of the following tools to deploy the image:
o ImageX
o WDS
o MDT
Note: You typically use the deployment tools in the preceding list in enterprise environments. Discussion of these tools is outside the scope of this course.
• Internal disks are offline. To ensure data is not disclosed accidentally, internal hard disks on the host computer are offline, by default, when booted into Windows To Go. Similarly, if a Windows To Go drive is inserted into a running system, Windows Explorer will not display the Windows To Go drive.
• TPM is not used. When you use BitLocker Drive Encryption, a pre-operating system boot password will be used for security rather than the TPM. This is because the TPM is tied to a specific computer, and Windows To Go drives will move between computers.
• Windows Recovery Environment is not available. In the rare case that you need to recover your Windows To Go drive, you should reimage it with a fresh image of Windows.
• Push Button Reset is not available. Resetting to the manufacturer's standard for the computer does not really apply when running Windows To Go, so the feature was disabled.
• Creating a Windows To Go USB drive is only possible in Windows 8 Enterprise.
You can boot Windows To Go drives on multiple computers. During the first boot on a computer, Windows To Go will detect all hardware on the computer, and then install drivers. When returning to that computer, Windows To Go will identify the computer, and then load the correct drivers automatically. Users can do this on multiple computers with the same Windows To Go drive, which enables the ability to roam between them.
• A 32 GB or larger USB drive that you format with the NTFS file system. This drive can be flash memory or an external hard drive.
• A computer that fulfills the minimum hardware requirements for Windows 8.
• A Windows 8 Enterprise license for creating the drives.
If the problem persists, go back to step three, and repeat the process.
Question: What potential issues might you encounter when installing Windows?
Objectives
• Determine that the target computer meets the requirements of the intended Windows 8 edition.
• Perform a clean installation of Windows 8.
• Verify the successful installation.
Lab Setup
Estimated Time: 40 minutes
Virtual Machine(s): 20687A-LON-DC1
User Name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   User name: Adatum\Administrator
   Password: Pa$$w0rd
Requirements Overview
We want to create a test environment for a new application that we are developing. Ideally, we would like to be able to test the application on a number of different operating systems, but we have only been provided one system. We have been told that Windows 8 supports the same virtualization as the servers in our production environment, so maybe we could do it that way?
The computer that we have been given has a quad core, 2.0 GHz processor and 4 GB of RAM. The processor supports Intel VT; I was told that was important. It also has a 320 GB hard drive and a 512 MB graphics processing unit (GPU). The computer should be prepared for the development team as soon as possible.
The main tasks for this exercise are as follows:
1. Determine whether the customer's computers meet the minimum requirements for Windows 8.
2. Select the appropriate Windows edition to install on LON-CL4.
1. Does the customer's computer meet the minimum system requirements for Windows 8 in the following areas:
   a. Processor
   b. RAM
   c. Hard-disk space
   d. GPU
2. Does the customer's computer meet the requirements for the following features:
   a. Hyper-V
Results: After completing this exercise, you will have evaluated the installation environment, and then selected the appropriate Windows edition to install.
After confirming that LON-CL4 meets the requirements for Windows 8 installation, you have been asked to install Windows 8 on the computer. The main tasks for this exercise are as follows:
1. Attach the Windows 8 DVD image file to LON-CL4.
2. Install Windows 8 on LON-CL4.
3. Confirm the successful installation of Windows 8 on LON-CL4.
Results: After this exercise, you should have performed a clean installation of Windows 8.
Lesson 4
The Windows 8 installation process is designed to be as fast and efficient as possible. However, installing Windows 8 on multiple computers can be a time-consuming process if you do it manually on each computer.
To expedite the Windows 8 installation on multiple computers, or to standardize the Windows 8 installation process, Windows 8 is supported by a number of tools that enable automation throughout the installation process.
This lesson will introduce you to the various tools and technologies that you can use to manage and automate installation of Windows 8.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the Windows Imaging (WIM) format.
• Describe the tools used to perform an image-based installation.
• Understand the image-based installation process.
• Explain how to use answer files to automate the installation process.
• Build an answer file by using Windows System Image Manager (SIM).
• Explain how to build a reference installation by using Sysprep.
• Describe Windows PE.
• Create bootable Windows PE media.
• Explain how to capture and apply installation images by using ImageX.
• Understand how to modify images by using Deployment Image Servicing and Management (DISM).
• WIM Header. Defines the .wim file content, such as the memory location of key resources (metadata resource, lookup table, and XML data) and .wim file attributes (version, size, and compression type).
• File Resource. A series of packages that contain captured data, such as source files.
• Metadata Resource. Stores information on how captured data is organized in the .wim file, including directory structure and file attributes. There is one metadata resource for each image in a .wim file.
• Lookup Table. Contains the memory location of resource files in the .wim file.
• XML Data. Contains additional miscellaneous data about the WIM image, such as directory and file counts, total bytes, creation and modification times, and description information. The ImageX /info command displays information based on this resource.
• Integrity Table. Contains security hash information used to verify the integrity of the image during an apply operation. This is created when you set the /check switch during an ImageX capture operation.
Benefits of WIM
WIM addresses many challenges experienced with other imaging formats. The benefits of the WIM file format include the following:
• A single WIM file can address many hardware configurations. WIM does not require that the destination hardware match the source hardware. This helps you to reduce the number of images tremendously, and you have the advantage of only having one image to address the many hardware configurations.
• WIM can store multiple images in a single file. This is useful because you can store images with and without core applications, in a single image file. Another benefit is that you can mark one of the images as bootable, which allows you to start a machine from a disk image that a WIM file contains.
• WIM enables compression and single instancing. This reduces the size of image files significantly. Single instancing is a technique that enables multiple images to share a single copy of files that are common between the instances.
• WIM enables you to service an image offline. You can add or remove certain operating system elements, files, updates, and drivers without creating a new image. For example, to add an update to a Windows XP image, you must start the master image, add the update, and then prepare the image again. With Windows 8, you can mount the image file, and then slipstream the update into the image file without the need to start or recapture the master image.
• WIM enables you to install an image on a partition that is smaller than, equal to, or larger than the original partition that was captured, as long as the target partition has sufficient space to store the image content. This is unlike sector-based image formats that require you to deploy a disk image to a partition that is the same size or larger than the source disk.
• Windows 8 provides an API for the WIM image format called WIMGAPI that developers can use to work with WIM image files.
• WIM allows for nondestructive image deployment. Nondestructive image deployment means that you can leave data on the volume where you apply the image, because, when the image is applied, it does not delete the disk's existing contents.
• WIM enables you to start Windows PE from a WIM file. The Windows 8 setup process uses Windows PE. The WIM file is loaded into a RAM disk, and run directly from memory.
• Answer File. This is an XML file that stores the answers for a series of GUI dialog boxes. The answer file for Windows Setup is commonly called Unattend.xml. You can create and modify this answer file by using Windows System Image Manager (Windows SIM). The Oobe.xml answer file is used to customize Windows Welcome, which starts after Windows Setup and during the first system startup.
• Catalog. This binary file (.clg) contains the state of the settings and packages in a Windows image. There must be a catalog for each Windows 8 version that the image contains.
• Windows Assessment and Deployment Kit (Windows ADK). This is a collection of tools and documentation that you can use to automate the deployment of Windows operating systems, and assess various operating systems. The Windows ADK replaces the Windows Automated Installation Kit for Windows 7. The core tools used in most Windows deployment scenarios include the following:
 o Windows SIM. This tool enables you to create unattended installation answer files and distribution shares, or modify the files that a configuration set contains.
 o Windows PE. This is a minimal 32- or 64-bit operating system with limited services, built on the Windows 8 kernel. Use Windows PE in Windows installation and deployment. Windows PE provides read and write access to Windows file systems and supports a range of hardware drivers, including network connectivity, which makes it useful for troubleshooting and system recovery. You can run Windows PE from CD/DVD, a USB flash drive, or a network by using PXE. The Windows ADK includes several tools that you can use to build and configure Windows PE.
 o ImageX. This command-line tool captures, modifies, and applies installation images for deployment.
 o USMT. This tool enables you to migrate user settings from a previous Windows operating system to Windows 8.
 o DISM. This tool enables you to service and manage Windows images. You can use it to apply updates, drivers, and language packs to a Windows image, offline or online.
• System Preparation (Sysprep). Sysprep prepares a Windows image for disk imaging, system testing, or delivery to a customer. You can use Sysprep to remove any system-specific data from a Windows image, such as the security identifier (SID). After removing unique system information from an image, you can capture that Windows image, and then use it for deployment on multiple systems. You also can use Sysprep to configure the Windows operating system to start Windows Welcome the next time that you start the system. Sysprep is available in all installations of Windows.
• Diskpart. This is a command-line tool for hard-disk configuration.
• Windows Deployment Services (WDS). WDS is a server-based deployment solution that enables an administrator to set up new client computers over the network without having to visit each client. WDS is a built-in server role that you can configure for Windows Server 2012.
• VHD. The Microsoft .vhd file format and the new .vhdx file format are publicly available format specifications that specify a VHD encapsulated in a single file, capable of hosting native file systems and supporting standard disk operations. VHD and VHDX files are used by Hyper-V or as part of the Windows 8 boot process.
You use an answer file to configure Windows settings during installation. For example, you can configure the default Internet Explorer settings, networking configurations, and other customizations. Additionally, the answer file contains all of the settings required for an unattended installation. During installation, you will not be prompted with user interface pages. You can use Windows SIM to assist in creating an answer file, although in principle you can use any text editor to create an answer file.
A reference computer has a customized installation of Windows that you plan to duplicate onto one or more destination computers. You can create a reference installation by using the Windows product DVD and an answer file.
You can create a bootable Windows PE disk on a CD/DVD by using the Copype.cmd script. Windows PE enables you to start a computer for the purposes of deployment and recovery. Windows PE starts the computer directly from memory, enabling you to remove the Windows PE media after the computer starts. After you start the computer in Windows PE, you can use the ImageX tool to capture, modify, and apply file-based disk images.
After you have an image of your reference installation, you can deploy the image to the destination computer. You can use the DiskPart tool to format the hard drive and copy the image from the network share. Use ImageX to apply the image to the destination computer. For high-volume deployments, you can store the image of the new installation on your distribution share and deploy the image to destination computers by using deployment tools, such as WDS or MDT.
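The reference-to-destination procedure above (Sysprep, then ImageX capture, then DiskPart and ImageX apply) as an added PowerShell example; this is not code from the course. It assumes the ADK tools and BCDBoot are on the path in a Windows PE image that includes the PowerShell optional component, and the share \\LON-DC1\Images, the E: letter Windows PE assigns to the reference volume, and C:\Deploy\unattend.xml are constructed values. Beyond the text, it records a SHA-256 hash of the captured WIM and refuses to apply an image whose hash no longer matches, so a corrupted or altered image on the share is caught before it reaches a destination computer.

```powershell
# Added example (not from the course). Phase 1 runs inside the reference installation;
# phases 2 and 3 run from Windows PE with the ADK tools on the path.
# Constructed values: \\LON-DC1\Images as the distribution share, E: as the drive letter
# Windows PE assigns to the reference volume, and C:\Deploy\unattend.xml as the answer file.
$ImageShare = '\\LON-DC1\Images'
$WimPath    = Join-Path $ImageShare 'Win8Ref.wim'
$HashPath   = "$WimPath.sha256"

function Invoke-Tool {
    # Run an external tool and stop on a non-zero exit code instead of continuing with a
    # half-written image or a half-partitioned disk.
    param([string]$Exe, [string[]]$ArgumentList)
    & $Exe @ArgumentList
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe $($ArgumentList -join ' ') failed with exit code $LASTEXITCODE"
    }
}

function Get-Sha256Hex {
    # PowerShell 3.0, the version in Windows PE 4.0, has no Get-FileHash, so hash via .NET.
    param([string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $sha.ComputeHash($stream) }
    finally { $stream.Close() }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '').ToLower()
}

function Invoke-ReferenceGeneralize {
    # Phase 1: strip the SID and other machine-specific state with Sysprep, arm Windows
    # Welcome for the next boot, and shut down so the volume can be captured offline.
    param([string]$AnswerFile = 'C:\Deploy\unattend.xml')   # assumption: constructed path
    Invoke-Tool "$env:SystemRoot\System32\Sysprep\sysprep.exe" @(
        '/generalize', '/oobe', '/shutdown', "/unattend:$AnswerFile")
}

function New-ReferenceImage {
    # Phase 2: capture the generalized volume. /check writes the integrity table,
    # /verify re-reads each file after capture, and a SHA-256 of the finished WIM is
    # recorded beside it so the apply phase can detect later corruption or tampering.
    param([string]$SourceVolume = 'E:')
    Invoke-Tool 'imagex.exe' @('/capture', $SourceVolume, $WimPath, 'Windows 8 Reference',
                               '/compress', 'maximum', '/check', '/verify')
    Get-Sha256Hex $WimPath | Set-Content -Path $HashPath -Encoding ASCII
}

function Install-ReferenceImage {
    # Phase 3: verify the WIM, partition the destination disk with DiskPart, apply the
    # image with ImageX, and write the boot files (ImageX does not create them).
    param([int]$DiskNumber = 0, [int]$ImageIndex = 1)

    $expected = (Get-Content -Path $HashPath).Trim()
    $actual   = Get-Sha256Hex $WimPath
    if ($expected -ne $actual) {
        throw "Hash mismatch for $WimPath (expected $expected, got $actual); not applying."
    }

    # One active NTFS partition for a BIOS computer; DiskPart takes its commands from a file.
    $script = Join-Path $env:TEMP 'partition.txt'
    @"
select disk $DiskNumber
clean
create partition primary
format quick fs=ntfs label="Windows"
assign letter=C
active
exit
"@ | Set-Content -Path $script -Encoding ASCII
    Invoke-Tool 'diskpart.exe' @('/s', $script)

    # /check makes ImageX validate the integrity table written at capture time.
    Invoke-Tool 'imagex.exe' @('/apply', $WimPath, "$ImageIndex", 'C:', '/check')
    Invoke-Tool 'bcdboot.exe' @('C:\Windows', '/s', 'C:')
}
```

Call Invoke-ReferenceGeneralize on the reference computer, then New-ReferenceImage and Install-ReferenceImage from Windows PE on the reference and destination computers respectively.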
Use an answer file to customize Windows installations so that the versions of Windows deployed to each destination computer are the same. There are two types of Windows installations: attended and unattended:
• In attended installations, you respond to Windows Setup prompts, selecting options such as the partition to which you want to install and the Windows image to install.
• In unattended installations, which offer many additional options, you automate this process to avoid the installation prompts.
Before beginning your deployment process, identify all of your environment's requirements. Consider the following possible requirements:
• Hard drive partitions
• Support for BitLocker or a recovery solution
• Additional out-of-box drivers
• Support for multilingual configurations
• Other post-installation modifications to Windows, such as installing additional applications
Components
The components section of an answer file contains all the component settings that are applied during Windows Setup. Components are organized into different configuration passes: windowsPE, offlineServicing, generalize, specialize, auditSystem, auditUser, and oobeSystem. Each configuration pass represents a different phase of Windows Setup. Settings can be applied during one or more passes. If a setting can be applied in more than one configuration pass, you can choose the pass in which to apply the setting. For more information about configuration passes, see Windows Setup Configuration Passes.
Packages
Microsoft uses packages to distribute software updates, service packs, and language packs. Packages also can comprise Windows features. You can configure packages so that you add them to a Windows image, remove them from a Windows image, or change the setting for features within a package.
You can either enable or disable features in Windows. If you enable a Windows feature, the resources, executable files, and settings for that feature are available to users on the system. If you disable a Windows feature, the package resources are not available, but Windows does not remove the resources from the system.
Some Windows features may require that you install other features before you can enable them in the installed version of Windows. You must validate your answer file, and then add any required packages. For example, you can disable the Windows Media Player feature to prevent end users from running Windows Media Player. However, because you only disable the package, Windows does not remove those resources from the Windows image.
Windows applies packages in an answer file to the Windows image during the offlineServicing configuration pass. You also can use Package Manager to add packages to an offline Windows image.
While you can create an answer file manually by entering the appropriate XML code into the unattend.xml file, you typically create it by using a component of the Windows ADK called Windows SIM. Answer files that Windows SIM creates are associated with a particular Windows image. This enables you to validate the settings in the answer file against the settings available in the Windows image. However, because you can use any answer file to install any Windows image, if there are settings in the answer file for components that do not exist in the Windows image, Windows ignores those settings.
You can use Windows SIM to create and edit answer files that should be used with Windows Setup. While an answer file may contain only one or two settings, most answer files contain all of the information required to complete the installation without user intervention.
Demonstration Steps: Build an answer file by using Windows SIM
1. Use Windows System Image Manager and open a WIM file.
2. Create a new answer file and modify image settings as needed.
3. Save the file to the Desktop as autounattend.xml.
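Because an answer file is plain XML, the settings it carries can be reviewed before it is copied to a distribution share, where every computer that installs from it can read it. The following added example (mine, not the course's) parses a constructed Unattend.xml and reports each password and product key it contains, distinguishing values stored as plain text from values Windows SIM stores base64-encoded, which are obfuscated rather than encrypted; the sample file, its values, and the Get-UnattendSecrets function are assumptions.

```powershell
# Added example (not from the course): report credentials embedded in an answer file.
# The answer file below is constructed for the example; the base64 value is a placeholder
# standing in for what Windows SIM writes when PlainText is false.
$SampleUnattend = @'
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <ProductKey>XXXXX-XXXXX-XXXXX-XXXXX-XXXXX</ProductKey>
      <ComputerName>LON-CL4</ComputerName>
    </component>
  </settings>
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <UserAccounts>
        <AdministratorPassword>
          <Value>Q09OU1RSVUNURUQ=</Value>
          <PlainText>false</PlainText>
        </AdministratorPassword>
      </UserAccounts>
      <AutoLogon>
        <Username>Administrator</Username>
        <Enabled>true</Enabled>
        <Password>
          <Value>Pa$$w0rd</Value>
          <PlainText>true</PlainText>
        </Password>
      </AutoLogon>
    </component>
  </settings>
</unattend>
'@

function Get-UnattendSecrets {
    # Returns one record per secret-bearing element in the answer file text.
    # Password elements carry <Value> plus <PlainText>; ProductKey is always plain text.
    param([string]$Xml)
    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($Xml)
    $findings = @()
    foreach ($name in 'AdministratorPassword', 'Password', 'ProductKey') {
        # GetElementsByTagName matches the qualified name, so the default namespace
        # on <unattend> does not get in the way.
        foreach ($node in $doc.GetElementsByTagName($name)) {
            $pass      = $node.SelectSingleNode('ancestor::*[local-name()="settings"]/@pass').Value
            $component = $node.SelectSingleNode('ancestor::*[local-name()="component"]/@name').Value
            $plain     = $node.SelectSingleNode('*[local-name()="PlainText"]')
            if ($name -eq 'ProductKey') {
                $storage = 'plaintext'
            } elseif ($plain -eq $null) {
                $storage = 'PlainText not specified'
            } elseif ($plain.InnerText -eq 'false') {
                $storage = 'base64 (reversible, not encrypted)'
            } else {
                $storage = 'plaintext'
            }
            $findings += New-Object PSObject -Property @{
                Pass      = $pass
                Component = $component
                Setting   = $name
                Storage   = $storage
                Path      = $node.ParentNode.LocalName + '/' + $name
            }
        }
    }
    return $findings
}

$secrets = Get-UnattendSecrets -Xml $SampleUnattend
$secrets | Format-Table Pass, Component, Path, Storage -AutoSize

$passwords = @($secrets | Where-Object { $_.Setting -ne 'ProductKey' })
if ($passwords.Count -gt 0) {
    # Base64 is an encoding, not encryption: anyone who can read the share can recover
    # both kinds of value, so restrict the share ACL and rotate the accounts after deployment.
    Write-Warning ("{0} password value(s) found in the answer file." -f $passwords.Count)
}
```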
• Configure the Windows operating system to start the Out-of-Box Experience (OOBE).
• Reset Windows product activation.
The following table lists some of the more common command-line options available for Sysprep.
Option
    Description
/audit
    Restarts the computer in audit mode. Audit mode enables you to add drivers or applications to Windows. You also can test an installation of Windows before you send it to an end user. If you specify an unattended Windows setup file, the audit mode of Windows Setup runs the auditSystem and auditUser configuration passes.
/generalize
    Prepares the Windows installation to be imaged. If you specify this option, Windows removes all unique system information from the installation. The SID resets, and Windows clears any system-restore points and deletes event logs. The next time that the computer starts, the specialize configuration pass runs. A new SID is created, and the clock for Windows activation resets, if the clock has not already been reset three times.
/oobe
    Restarts the computer in Windows Welcome mode. Windows Welcome enables end users to customize their Windows operating system, create user accounts, name the computer, and other tasks. Any settings in the oobeSystem configuration pass in an answer file are processed immediately before Windows Welcome starts.
/reboot
    Restarts the computer. Use this option to audit the computer and to verify that the first-run experience operates correctly.
/shutdown
    Shuts down the computer after the Sysprep command finishes running.
/quiet
    Runs the Sysprep tool without displaying on-screen confirmation messages. Use this option if you automate the Sysprep tool.
/quit
    Closes the Sysprep tool after running the specified commands.
/unattend:answerfile
    Applies settings in an answer file to Windows during unattended installation. answerfile specifies the path and file name of the answer file to use.
Windows PE is designed to make large-scale, customized deployments of the new Windows 8 operating system distinctly simpler by addressing the following tasks:
• Installing Windows 8. Windows PE runs every time you install Windows 8. The graphical tools that collect configuration information during the setup phase are running within Windows PE.
• Troubleshooting. Windows PE also is useful for automatic and manual troubleshooting. For example, if Windows 8 fails to start because of a corrupted system file, Windows PE can automatically start and launch the Windows Recovery Environment.
• Recovery. Original Equipment Manufacturers (OEMs) and Independent Software Vendors (ISVs) can use Windows PE to build customized, automated solutions for recovering and rebuilding computers that are running Windows 8.
• Optional support for WMI, Microsoft Data Access Component (MDAC), and HTML Application (HTA).
• Ability to start from a number of media types, including CD, DVD, USB flash drive (UFD), and a Remote Installation Services (RIS) server.
• Windows PE offline sessions are supported.
• Windows PE includes all Hyper-V drivers, except display drivers. This enables Windows PE to run in a hypervisor. Supported features include mass storage, mouse integration, and network adapters.
Question: What are some of the tasks in which you can use Windows PE for troubleshooting?
Using ImageX to Capture and Apply the Installation Image
ImageX is a command-line tool that enables you to capture, modify, and apply file-based WIM images.
ImageX tasks
You can use ImageX to perform the following tasks:
• View the contents of a WIM file. ImageX provides the ability to view the contents of a WIM file. This is useful to see which images are available that you can deploy from within the WIM file.
• Capture and apply images. You can capture an image of a source computer and save it in the WIM file format. You can save the image to a distribution share, from which users can use Windows 8 Setup to install the image, or you can push the image out to the desktop by using various deployment techniques. You also can use ImageX to apply the image to the destination computer.
• Mount images for offline image editing. A common scenario for ImageX is customizing an existing image, including updating files and folders. You can update and edit an offline image without creating a new image for distribution.
• Store multiple images in a single file. You can use ImageX to store multiple images in a single WIM file to take advantage of single instancing, which minimizes the size of the image file. This simplifies a user's ability to deploy multiple images by using removable media or across a slower network connection. When you install Windows 8 by using a file with multiple images, users can select which image to apply. For example, you can have a WIM file that contains several role-based configurations, or images before and after certain updates.
• Compress the image files. ImageX supports two different compression algorithms, Fast and Maximum, to reduce the image size further.
• Implement scripts for image creation. You can use scripting tools to create and edit images.
The following table lists some of the more common command-line options available for ImageX.
Command
    Description
flags "EditionID"
    Specifies the version of Windows that you need to capture. This is required if you plan to redeploy a custom Install.wim with Windows Setup. The quotation marks also are required.
dir
    Displays a list of files and folders within a volume image.
info
    Returns information about the .wim file. Information includes total file size, the image index number, the directory count, file count, and a description.
capture
    Captures a volume image from a drive to a new .wim file. Captured directories include all subfolders and data.
apply
    Applies a volume image to a specified drive. Note that you must create all hard disk partitions before beginning this process, and then run this option from Windows PE.
append
    Adds a volume image to an existing .wim file. Creates a single instance of the file, comparing it against the resources that already exist in the .wim file, so you do not capture the same file twice.
delete
    Removes the specified volume image from a .wim file.
export
    Exports a copy of a .wim file to another .wim file.
mount, mountrw
    Mounts a .wim file with read-only or read/write permission. After you mount the file, you can view and modify all of the information that the directory contains.
unmount
    Unmounts a mounted image from a specified directory. If you have modified a mounted image, you must apply the /commit option to save your changes.
split
    Splits large .wim files into multiple read-only .wim files.
DISM is a command-line tool that combines separate Windows platform technologies into a single, cohesive tool for servicing Windows images. DISM uses the following technologies:
• Unattended Installation Answer File. When an answer file is applied by using DISM, the updates that are specified in the answer file are implemented on the Windows image or the running operating system. Configure default Windows settings, add drivers, packages, software updates, and other applications by using the settings in an answer file.
• Windows System Image Manager. DISM uses Windows SIM to create the unattended answer files that it uses, and also uses Windows SIM to create distribution shares and modify the files that are in a configuration set.
• ImageX. This is a command-line tool that you can use to mount an image or to apply an image to a drive so that you can modify it by using the DISM command-line utility. After you modify the image, use ImageX to capture the image, append the image to a WIM, or export the image as a separate file. If there is no need to capture, append, or export the image after you modify it, use DISM to mount the image instead of using ImageX.
• OCSetup. OCSetup is a command-line tool that can be used when you are applying updates to an online Windows image. It installs or removes Component-Based Servicing (CBS) packages online by passing packages to DISM for installation or removal. OCSetup can also be used to install Microsoft System Installer (.msi) files by calling the Windows Installer service (MSIExec.exe) and passing Windows Installer components to it for installation or removal. Additionally, you can use OCSetup to install packages that have custom installers, such as .exe files.
Question: How does DISM use ImageX technology?
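The offline-servicing path described above (mount a WIM, add drivers and a CBS package, commit) as an added PowerShell example; this is not the course's code. It assumes the Windows 8 ADK DISM is on the path, and the WIM, mount folder, driver folder, and update package paths are constructed placeholders. The try/finally is the part practitioners usually miss: a mount left behind after a failed run keeps the WIM locked until it is discarded.

```powershell
# Added example (not from the course). Offline servicing of one image index with DISM.
# All paths are constructed for the example; the update file name is a placeholder.
$WimFile   = 'D:\Images\Win8Ref.wim'
$MountDir  = 'D:\Mount'                                  # must exist and be empty
$DriverDir = 'D:\Drivers\LON-CL4'                        # folder of .inf driver packages
$UpdateCab = 'D:\Updates\Windows8-KB-PLACEHOLDER-x64.cab' # not a real update

function Invoke-Dism {
    # DISM reports failure through its exit code; stop on the first error rather than
    # committing a half-serviced image.
    param([string[]]$ArgumentList)
    & dism.exe @ArgumentList
    if ($LASTEXITCODE -ne 0) {
        throw "dism $($ArgumentList -join ' ') failed with exit code $LASTEXITCODE"
    }
}

function Update-OfflineImage {
    param([string]$Wim, [int]$Index = 1, [string]$Mount, [string]$Drivers, [string]$Package)
    if (-not (Test-Path $Mount)) { New-Item -ItemType Directory -Path $Mount | Out-Null }
    $committed = $false
    Invoke-Dism @('/Mount-Wim', "/WimFile:$Wim", "/Index:$Index", "/MountDir:$Mount")
    try {
        # /Recurse picks up every .inf under the folder. Unsigned drivers are rejected
        # unless /ForceUnsigned is passed, which this example deliberately omits.
        Invoke-Dism @("/Image:$Mount", '/Add-Driver', "/Driver:$Drivers", '/Recurse')
        # A CBS package (.cab or .msu) is applied the same way the offlineServicing pass
        # of an answer file would apply it.
        Invoke-Dism @("/Image:$Mount", '/Add-Package', "/PackagePath:$Package")
        # Review what the image now contains before committing.
        Invoke-Dism @("/Image:$Mount", '/Get-Drivers')
        Invoke-Dism @("/Image:$Mount", '/Get-Packages')
        Invoke-Dism @('/Unmount-Wim', "/MountDir:$Mount", '/Commit')
        $committed = $true
    }
    finally {
        if (-not $committed) {
            # Throw away partial changes and release the WIM. Exit codes are not checked
            # here so the original error is the one that surfaces; /Cleanup-Wim clears
            # any stale mount bookkeeping an interrupted run leaves behind.
            & dism.exe /Unmount-Wim "/MountDir:$Mount" /Discard
            & dism.exe /Cleanup-Wim
        }
    }
}

Update-OfflineImage -Wim $WimFile -Index 1 -Mount $MountDir -Drivers $DriverDir -Package $UpdateCab
```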
You have been asked to modify the answer file that is being used for the A. Datum Windows 8 installation process. A. Datum would like specific information to be added automatically as part of the setup process on all of their computers:
Your task is to modify the answer file accordingly, and use it to test an installation of Windows 8 on LON-CL4.
Objectives
• Configure an answer file for the Windows 8 installation process.
• Use an answer file to install Windows 8.
Lab Setup
Estimated Time: 30 minutes
Virtual Machine(s): 20687A-LON-DC1, 20687A-LON-CL1
User Name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   User name: Adatum\Administrator
   Password: Pa$$w0rd
5.
The main tasks for this exercise are as follows:
1. Mount a virtual floppy drive on LON-CL1.
2. Open the answer file using Windows SIM.
3. Make changes to the answer file.
4. Save the answer file and remove the diskette drive.
In Settings, click the Diskette Drive, and attach the virtual floppy drive named Lab1BEx1.vfd found at C:\Program Files\Microsoft Learning\20687\Drives.
Task 4: Save the answer file and remove the diskette drive
1. Save the answer file to A:\.
2. Open the Settings page for 20687A-LON-CL1 in Hyper-V Manager.
3. Configure the Diskette Drive to None.
Results: After completing this exercise, you should have modified an unattended answer file to use for automating the Windows 8 installation process.
Task 1: Mount the diskette drive and the Windows 8 ISO on LON-CL4
1. In Hyper-V Manager, open the Settings page for 20687A-LON-CL4.
2. In Settings, click the Diskette Drive, and then attach Lab1BEx1.vfd found at C:\Program Files\Microsoft Learning\20687\Drives.
3. In Settings, click the DVD Drive, and then attach the DVD image file found at C:\Program Files\Microsoft Learning\20687\Drives\Windows8.iso.
Task 2: Start the virtual machine and confirm the unattended installation
1. Start 20687A-LON-CL4 and begin Windows Setup using default settings.
2. During setup, confirm that you are not prompted for a product key.
Results: After completing this exercise, you will have tested installation of Windows 8 by using an answer file.
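Before booting LON-CL4 with the answer file from Exercise 1, the product-key settings that make Setup skip the key prompt can be checked from PowerShell. This is an added example, not part of the lab; it assumes the file is saved as A:\Autounattend.xml (the name Setup searches removable media for) with the key in the windowsPE pass of the Microsoft-Windows-Setup component, and it writes a constructed sample file with a placeholder key so it can run offline.

```powershell
# Added example (not from the lab): verify the answer-file product-key
# settings that decide whether Setup prompts for a key in Exercise 2.
# Assumptions: file name Autounattend.xml on A:\; the key sits under
# settings[pass=windowsPE]/component[Microsoft-Windows-Setup]/UserData.
function Test-AnswerFileProductKey {
    param([string]$Path = 'A:\Autounattend.xml')

    [xml]$unattend = Get-Content -Path $Path -Raw
    $ns = New-Object System.Xml.XmlNamespaceManager($unattend.NameTable)
    $ns.AddNamespace('u', 'urn:schemas-microsoft-com:unattend')

    $xpath = "/u:unattend/u:settings[@pass='windowsPE']" +
             "/u:component[@name='Microsoft-Windows-Setup']/u:UserData/u:ProductKey"
    $pk = $unattend.SelectSingleNode($xpath, $ns)

    $result = [ordered]@{ Path = $Path; HasKey = $false; WillShowUI = $null; Problems = @() }
    if ($null -eq $pk) {
        $result.Problems += 'No ProductKey element in the windowsPE Microsoft-Windows-Setup component'
        return [pscustomobject]$result
    }
    $keyNode = $pk.SelectSingleNode('u:Key', $ns)
    $uiNode  = $pk.SelectSingleNode('u:WillShowUI', $ns)
    $result.HasKey = ($null -ne $keyNode) -and -not [string]::IsNullOrWhiteSpace($keyNode.InnerText)
    if ($null -ne $uiNode) { $result.WillShowUI = $uiNode.InnerText }

    if (-not $result.HasKey) { $result.Problems += 'Key element is missing or empty' }
    # WillShowUI=Always forces the key page even when a key is supplied;
    # OnError (or omitting the element) shows it only if the key is rejected.
    if ($result.WillShowUI -eq 'Always') { $result.Problems += 'WillShowUI is Always; Setup will still prompt' }
    [pscustomobject]$result
}

# Constructed sample answer file (placeholder key) so the check runs offline.
$sample = @'
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="windowsPE">
    <component name="Microsoft-Windows-Setup" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <UserData>
        <AcceptEula>true</AcceptEula>
        <ProductKey>
          <Key>XXXXX-XXXXX-XXXXX-XXXXX-XXXXX</Key>
          <WillShowUI>OnError</WillShowUI>
        </ProductKey>
      </UserData>
    </component>
  </settings>
</unattend>
'@
$samplePath = Join-Path $env:TEMP 'Autounattend.sample.xml'
Set-Content -Path $samplePath -Value $sample -Encoding UTF8

# Run against the sample, then against the real file on the floppy.
Test-AnswerFileProductKey -Path $samplePath
Test-AnswerFileProductKey -Path 'A:\Autounattend.xml'
```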
Lesson 5
Beyond a single, interactive installation, Windows activation is an important consideration for IT professionals. You can manage and maintain the activation of multiple copies of Windows by using a set of tools and technologies designed to manage Windows activation and licensing.
This lesson will introduce you to Windows activation, the key methods available, and some common issues and troubleshooting tips for dealing with Windows activation.
Lesson Objectives
After completing this lesson, you will be able to:
Describe Microsoft Volume Activation.
Explain the Key Management Service.
Understand common issues and troubleshooting tips for Windows activation.
Volume Activation provides two main types of models that you can use in enterprise environments, and you can use any or all of the options in these two models, depending upon your organization's needs and network infrastructure:
MAK activation uses product keys that can activate a specific number of computers. If you do not control the use of volume-licensed media, excessive activations result in depletion of the activation pool. You cannot use MAKs to install Windows 8, but rather to activate it after installation. You can use MAKs to activate any Windows 8 volume licensed edition.
The Key Management Service (KMS) model allows organizations to perform local activations for computers in a managed environment without connecting to Microsoft individually. By default, Windows 8 volume editions connect to a system that hosts the KMS service, which in turn requests activation. KMS usage is targeted for managed environments where more than 25 physical and/or virtual computers connect consistently to the organization's network, or where there are five servers.
The Volume Activation Management Tool (VAMT), included with the Windows ADK, is the application that you can use to perform MAK Proxy Activation requests. You can use the VAMT to manage and specify a group of computers to be activated based upon the following: Active Directory Domain Services (AD DS)
The VAMT receives activation confirmation codes, and then re-distributes them back to the systems that requested activation. A MAK performs a one-time activation of computers with Microsoft. Once you activate the computers, they require no further communication with Microsoft. The number of computers that you can activate with a specific MAK is based on the type and level of the organization's volume license agreement with Microsoft. VAMT version 2.0 enables the following functionality:
MAK Independent Activation. Each computer individually connects and activates with Microsoft either online or through telephone.
MAK Proxy Activation. Activation of multiple computers with one online connection to Microsoft.
Activation Status. Ability to determine the activation status of Vista, Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 computers.
Remaining MAK activations. The current remaining activations associated with a MAK key.
XML Import/Export. Allows for exporting and importing of data in a well-formed XML format to enable activation of systems in disconnected environment scenarios.
Local reactivation. Enables reactivation of computers based on saved activation data stored in the VAMT XML computer information list.
Configure for KMS activation. Convert MAK-activated volume editions of Vista, Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 to KMS activation.
To enable KMS functionality, a KMS key is installed on the KMS host, which then is activated by using an online web service at Microsoft. Start the command window on the host computer by using elevated privileges, and then run the following command:
cscript C:\windows\system32\slmgr.vbs -ipk <KmsKey>
You can then activate the KMS host by using either online or telephone activation.
During installation, a KMS host automatically attempts to publish its existence in Service Location (SRV) resource records within Domain Name System (DNS). This provides the ability for both domain members and stand-alone computers to activate against the KMS infrastructure. Client computers locate the KMS host dynamically by using the SRV records found in the DNS, or connection information that the registry specifies. The client computers then use information obtained from the KMS host to self-activate.
Client computers must renew their activation by connecting to the KMS host at least once every 180 days to stay activated. After activation, the client computers attempt to renew their activation every seven days. After each successful connection, the expiration is extended to the full 180 days.
Client computers connect to the KMS host for activation by using anonymous remote procedure call (RPC) over TCP/IP, and by using default port 1688. You can configure this port information. The connection is anonymous, enabling workgroup computers to communicate with the KMS host. You may need to configure the firewall and the router network to pass communications for the TCP port that you want to use.
A KMS host t and KMS clie ents must use volume v license e media.
If your computer will not activate over the Internet, ensure that an Internet connection is available. You may also need to set a proxy configuration from your browser. If the computer cannot connect to the Internet, try telephone activation.
If Internet and telephone activation both fail, you will need to contact the Microsoft Activation Call Center.
Verify the activation status. You can verify activation status by looking for the Windows is activated message in the Windows 8 Welcome Center. You can also run the slmgr.vbs -dli command.
Ensure that the KMS SRV record is present in DNS, and that DNS does not restrict dynamic updates. If DNS restrictions are intentional, you will have to provide the KMS host write access to the DNS database, or manually create the SRV records. Ensure that your routers do not block TCP port 1688.
If your computer will not activate, verify that the KMS host is contacted by the minimum number of clients required for activation. Until the KMS host has a count of 25, Windows 8 clients will not activate. Display the client Windows Application event log for event numbers 12288, 12289, and 12290 for possible troubleshooting information.
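The checks in the troubleshooting notes above (SRV record in DNS, TCP port 1688 open, activation status from slmgr.vbs, and the event IDs 12288, 12289 and 12290) can be run from one script on a KMS client. The following PowerShell is an added example, not from the course; it assumes an elevated session on a domain-joined Windows 8 client and uses the KMS SRV record name _vlmcs._tcp, which the text does not name.

```powershell
# Added example: read-only KMS client health check built from the
# troubleshooting steps in the text. Assumes an elevated PowerShell session
# on a domain-joined client; _vlmcs._tcp is the SRV record a KMS host
# publishes (not named in the course text); 1688 is the default port.
param(
    [string]$DnsDomain = $env:USERDNSDOMAIN,   # DNS zone to search for the SRV record
    [int]$Port = 1688                          # default KMS TCP port; change if reconfigured
)

function Get-KmsSrvRecord {
    param([string]$Domain)
    # A KMS host registers _vlmcs._tcp.<zone> unless dynamic updates are
    # restricted, in which case the record must be created manually.
    try {
        Resolve-DnsName -Name "_vlmcs._tcp.$Domain" -Type SRV -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } |
            Select-Object NameTarget, Port, Priority, Weight
    } catch {
        Write-Warning "No _vlmcs._tcp SRV record in zone '$Domain': $($_.Exception.Message)"
        @()
    }
}

function Test-KmsPort {
    param([string]$ComputerName, [int]$TcpPort)
    # KMS uses anonymous RPC over TCP, so a plain TCP connect is enough to
    # show whether firewalls and routers pass the port.
    $r = Test-NetConnection -ComputerName $ComputerName -Port $TcpPort -WarningAction SilentlyContinue
    [bool]$r.TcpTestSucceeded
}

function Get-ActivationStatus {
    # The verification the text suggests: slmgr.vbs -dli prints the license
    # status and, for KMS clients, the host that was used.
    & cscript.exe //nologo "$env:SystemRoot\System32\slmgr.vbs" -dli
}

function Get-KmsClientEvents {
    param([int]$Hours = 24)
    # The event IDs the text lists for KMS troubleshooting, from the
    # client's Application log.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Application'
        Id        = 12288, 12289, 12290
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Walk the checks in order: DNS, then the port on each published host,
# then local activation state and recent client events.
$records = @(Get-KmsSrvRecord -Domain $DnsDomain)
if ($records.Count -eq 0) {
    Write-Warning 'Clients will not find a KMS host dynamically; check DNS or the registry connection information.'
}
foreach ($rec in $records) {
    # The SRV record carries the port the host advertises; fall back to
    # $Port when the record does not include one.
    $p = if ($rec.Port) { $rec.Port } else { $Port }
    $reachable = Test-KmsPort -ComputerName $rec.NameTarget -TcpPort $p
    '{0}:{1} reachable={2}' -f $rec.NameTarget, $p, $reachable
}
Get-ActivationStatus
Get-KmsClientEvents | Format-Table -AutoSize -Wrap
```

The KMS host count of 25 cannot be read from the client; run slmgr.vbs -dlv on the KMS host to see the current count.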
Tools
Tool                               Use to                                           Where to find it
Application Compatibility Toolkit  Check application compatibility for Windows 8
Windows ADK                        Assess and deploy Windows
Windows SIM                        Create and edit answer files
ImageX                             Create, modify, and apply WIM-based image files
USMT                               Migrate user settings
DISM                               Service WIM-based image files
VAMT                               Manage volume Windows activation
Module 2
Upgrading and Migrating to Windows 8
Contents:
Module Overview 2-1
Lesson 1: Upgrading to Windows 8 2-2
Lesson 2: Migrating to Windows 8 2-7
Lesson 3: Migrating User Data and Settings 2-11
Lab: Migrating to Windows 8 2-18
Module Review and Takeaways 2-20
Module Overview
Deciding whether you want to upgrade or migrate from a previous version of the Windows operating system, and how to perform an upgrade or migration, often can be a complicated process. A large number of parameters can contribute to the upgrade decision. However, at the end of the process, the goal is always the same. You want to have your computer running the latest operating system, while retaining settings or data that existed in Windows prior to installing Windows 8.
This module examines the upgrade process, identifies different methods that you can use for upgrading and migrating your operating system, and introduces you to the tools and processes that you can use to perform an upgrade or migration.
Objectives
After completing this module, you will be able to:
Describe the options and processes for upgrading to Windows 8.
Describe the options and processes for migrating to Windows 8.
Identify the important settings and data to migrate, and explain how to migrate them.
Lesson 1: Upgrading to Windows 8
When you perform a clean installation of Windows 8, the installation process does not transfer user settings from the previous operating system. If a previous Windows installation or other data exists on the computer's hard disk, it is usually backed up and erased prior to a clean installation. If you need to retain user settings, consider performing an upgrade or a migration to Windows 8 instead.
Depending on the version of your current operating system, you may not be able to upgrade directly to Windows 8. If your current operating system does not support direct upgrade to Windows 8, you must consider performing a clean installation and migrating user settings and data by using migration tools.
Does not take advantage of the opportunity to start fresh with standardized reference configurations.
Preserved applications may not work correctly after upgrading from an earlier Windows version.
Remnant files or settings from an in-place upgrade may contribute to performance and security issues.
Does not allow for edition changes.
Can be done only on supported operating systems.
When you run an in-place upgrade, Windows 8 Setup automatically detects existing operating systems and their potential for upgrade. Depending on the version of the operating system, you may see any of the following options for retaining data from the previous Windows version:
Windows settings. Windows settings, such as your desktop background, or Internet favorites and history, will be kept. Windows does not move all settings.
Personal files. Anything that you save in the User folder is considered a personal file, such as the Documents and Desktop folders.
Apps. Some apps are compatible with Windows 8, and they will operate properly when you install Windows 8. However, you may have to install some apps after Windows 8 finishes installing, so be sure to find the installation discs and installers for apps that you want to keep.
Nothing. Deletes everything and replaces your current version with a copy of Windows 8. Your personal files will be moved to a windows.old folder.
The following considerations may be critical in determining whether you choose an in-place upgrade:
Amount of interaction. An in-place upgrade does not require significant user interaction. You can use the answer file to minimize user interaction and effort when performing an in-place deployment.
State of user data. An in-place upgrade does not require reinstallation of applications, or any of the user settings, data, hardware device settings, or other configuration information. However, you might have to reinstall some applications after you perform the upgrade.
You cannot upgrade previous Windows versions that do not have the same feature set as the edition of Windows 8 that you are installing. The following table lists upgrade possibilities based on Windows edition.
Windows Version                                 Windows 8   Windows 8 Pro
Windows 7 Starter, Home Basic, Home Premium     X           X
Windows 7 Professional, Ultimate                            X
Even though an upgrade path is supported, it does not necessarily mean that you should perform an upgrade installation by following that path. You should evaluate considerations for both in-place upgrades and migrations.
Evaluate
Before starting the upgrade, you must evaluate whether your computer meets the requirements needed to run Windows 8. You should consider using the Application Compatibility Toolkit (ACT) and Microsoft Assessment and Planning (MAP) to assess your organization's readiness if you are upgrading more than one computer. You also must determine whether any installed application programs will have compatibility problems while running on Windows 8. The Windows Assessment and Deployment Kit (ADK) for Windows 8 provides several tools that can assist with evaluating potential compatibility problems.
Back Up
To protect against data loss during the upgrade process, back up any data and personal settings before starting the upgrade. You can back up data to any appropriate media, such as tape, removable storage, writable CD or DVD disc media, or a network shared folder.
Upgrade
After evaluating your computer requirements, and backing up your data and personal settings, you are ready to perform the actual upgrade. To perform the upgrade, run the Windows 8 installation program (setup.exe) from the product DVD or a network share. If your computer supports an in-place upgrade to Windows 8, you can select Upgrade during the installation process.
The installation program prevents you from selecting the upgrade option if an in-place upgrade is not possible. This might occur for several reasons, such as your computer may lack sufficient disk space or the Windows version that you are running does not support a direct upgrade to the Windows 8 edition that you select. If that is the case, stop the upgrade process, and resolve the indicated problem before attempting the upgrade again.
Note: We recommend that you disable antivirus programs before attempting an upgrade.
Verify
When the upgrade completes, log on to your computer, and verify that all of the applications and hardware devices function correctly. If the Windows 8 Setup Compatibility Report makes any recommendations relating to program compatibility or devices, follow those recommendations to complete the upgrade process.
Update
Finally, determine whether there are any relevant updates to the Windows 8 operating system, and apply them to your computer. It is important to keep the operating system up to date to protect against security threats. You also can check for updates during the upgrade process. Dynamic Update is a feature of Windows 8 Setup that works with Windows Update to download any critical fixes and drivers that the setup process requires.
Lesson 2: Migrating to Windows 8
When you choose to migrate to Windows 8, you have more flexibility in determining how the migration process happens and what data needs to be retained. Migration offers an alternative to in-place upgrades that can often meet the requirements of more complex or large-scale upgrades.
This lesson will introduce you to migration in Windows 8, and help you to understand the migration process.
Lesson Objectives
After completing this lesson, you will be able to:
Explain migration in Windows 8.
Describe the process for migrating to Windows 8.
What Is Migration?
When you install Windows 8 using a migration scenario, you must first perform a clean installation of Windows 8, followed by migration of user settings and data from the earlier Windows version to Windows 8. Depending on your business environment, you can use two migration scenarios: side-by-side migration and in-place migration.
In an in-place migration scenario, also known as a refresh computer scenario, the source computer and the destination computer are the same computer, whereas in a side-by-side migration, the source computer and the destination computer are two different computers. Both migration scenarios require a clean installation of Windows 8. When you migrate previous configurations from your old operating system, you basically are moving files and settings to a clean installation of the Windows 8 operating system.
In any potential upgrade scenario, there may be certain variables that favor a migration. However, there also are disadvantages.
Advantages:
Offers the opportunity to clean up existing workstations and to create more stable and secure desktop environments. It takes advantage of the opportunity for a fresh start, a significant advantage when creating a managed environment.
Avoids the performance degradation issues associated with the in-place upgrade scenario, because there are no remnant files and settings.
Allows for installation of any edition without concern for what edition was running previously on the workstations.
Provides the opportunity to reconfigure hardware-level settings, such as disk partitioning, before installation.
Exploits, such as viruses, spyware, and other malicious software, do not migrate to the new installation of Windows, and security settings can be hardened by using Group Policy and Security Templates.
Disadvantages:
Requires the use of migration tools, such as Windows Easy Transfer or User State Migration Tool (USMT), to save and restore user settings and data.
Requires reinstallation of applications.
Requires storage space for user settings and files to be migrated.
May have an impact on user productivity because of the reconfiguration of applications and settings.
3. Perform a clean installation of Windows 8. Run setup.exe, the Windows 8 installation program, and select Custom. The Custom option allows you to install Windows 8 on a partition that already has an operating system, such as earlier Windows versions. After the installation is done, the earlier Windows version is placed in a folder called Windows.old, along with the previous Program Files and Documents and Settings folders. Run setup.exe from the product DVD or from a network share. Alternatively, you can choose to format the partition by using a disk-management tool, such as Diskpart.exe, before performing a clean installation.
4. Reinstall applications. Before restoring your user settings and files, reinstall all applications so that migration will also restore application settings.
5. Restore user settings and data. You can use the same tool to restore user settings and data that you used to save them in Step 2. In addition, you can automate the migration process so that users do not have to interact with it.
Migration Scenarios
Perform a migration when you:
Want a standardized environment for all users running Windows. A migration takes advantage of a clean installation. A clean installation ensures that all of your systems begin with the same configuration, and that all applications, files, and settings are reset. Migration ensures that you can retain user settings and data.
Have storage space to store the user state. Typically, you will need storage space to store the user state when performing migration. USMT introduces hard-link migration, in which you do not need extra storage space. This is only applicable to wipe-and-load migration.
Plan to replace existing computer hardware. If you do not plan to replace the existing computers, you can still perform a migration by doing a wipe-and-load migration.
Question: You have a user who wants to upgrade a Windows XP computer to Windows 8. The computer meets all of the hardware requirements for Windows 8, and the user wants to retain all of the existing user settings and use the same applications. The user has no time-related requirements, and can be without the computer while you install Windows 8. How should you perform the Windows 8 installation?
Question: One of your users has been promoted to a new position, and the user has been given a new computer. The user would like to have the new applications that the job requires installed, as well as the documents and settings from the old Windows 7 computer transferred to the new computer. How should you perform the Windows 8 installation?
Back Up
Before installing the new operating system, you must back up all user-related settings and program settings. You can use either WET or the USMT. Additionally, you should consider backing up the user data. Although the installation program will not erase user data, it is good practice to back up your data to protect against accidental loss or damage during installation.
Run the Windows 8 installation program (setup.exe) from the product DVD or a network share, and perform a clean installation by selecting Custom (advanced) during the installation process. Then follow the on-screen instructions to complete the installation.
Update
If you chose not to check for updates during the installation process, it is important to do so after verifying the installation. Keep your computer protected by ensuring that you have the most current patches and updates.
Install Applications
Performing an upgrade by using a clean installation and migration process does not migrate the installed applications. When you complete the Windows 8 installation, you must reinstall all applications. Windows 8 may block the installation of any incompatible programs. To install any of these programs, contact the software vendor for an updated version that is compatible with Windows 8.
Restore
After installing your application, use WET or USMT to migrate your application settings and user-related settings.
Lesson 3: Migrating User Data and Settings
While the in-place upgrade process generally is self-contained in Windows Setup, migration is not. Migration scenarios require toolsets that enable you to capture the necessary information for migration, and ensure that the information moves successfully to the new Windows installation.
This lesson will further explain the migration process, and give you an understanding of the tools that you need to perform a migration installation of Windows 8 successfully.
Lesson Objectives
After completing this lesson, you will be able to:
Identify the tools for migrating user data and settings.
Describe how to migrate user settings by using WET.
Describe how to migrate user settings by using the USMT.
Explain folder redirection.
Application settings. You must determine and locate the application settings that you want to migrate. You can acquire this information when you are testing the new applications for compatibility with the new operating system.
Operating-system settings. Operating-system settings may include appearance, mouse actions such as click or double-click, keyboard settings, Internet settings, email-account settings, dial-up connections, accessibility settings, and fonts.
File types, files, folders, and settings. When you plan your migration, identify the file types, files, folders, and settings to migrate. For example, you need to determine and locate the standard file locations on each computer, such as the My Documents folder and company-specified locations. You also must determine and locate the nonstandard file locations.
USMT. Use USMT to perform a side-by-side migration for many computers and to automate the process as much as possible, or to perform a migration on the same computer. USMT is available as part of the Windows ADK. A link to download the Windows ADK can be found in the Tools section at the end of this module.
Store Windows 8 WET Files to be Used on the Source Computer
To store Windows 8 WET files so that you can use them on a source computer that does not have WET, you must first start WET on the destination computer, and then perform the following steps:
1. Close all active programs.
2. Click Start, click All Programs, click Accessories, click System Tools, and then click Windows Easy Transfer. The Windows Easy Transfer window opens.
3. Click Next and select the method to use to transfer files and settings from the source computer.
4. Click This is my new computer.
5. Click I need to install it now.
6. Select the destination media where you want to store the Windows Easy Transfer wizard files. A Browse to Folder window opens.
7. Type the path and folder name where you want to store the Windows Easy Transfer Wizard files, and then click Next.
8. Restart the source computer to install WET.
Note: If Windows Firewall is enabled on your computer, a prompt will appear asking you to enable an exception to allow WET to work over the network. Accepting this prompt opens a program exception for %SystemRoot%\System32\MigWiz\MigWiz.exe, the executable for WET.
Migrate Files and Settings from the Source Computer to the Destination Computer
When you use WET, you can select one of the following methods to transfer files and settings from a supported operating system to Windows 8:
Use an Easy File Transfer cable (a WET cable).
Use a network connection.
Use removable media such as a USB flash drive or an external hard disk.
1. Start WET on the computer from which you want to migrate settings and files by browsing to the removable media or network drive that contains the wizard files. Double-click migsetup.exe. The program also may start automatically when you insert the removable media. If your computer already has WET, you can run it from the System Tools program group folder.
2. Click Next.
3. Click An Easy Transfer cable.
4. Click This is my old computer, and then complete the WET wizard.

4. Click This is my old computer. WET creates a Windows Easy Transfer key. The Windows Easy Transfer key functions like a password to protect files and settings, and is used to link the source and destination computer.
5. Follow the steps to enter the Windows Easy Transfer key on your destination computer to enable the network connection.
6. On your destination computer, after you enter the WET key, click Next. A connection is established, and then Windows Easy Transfer checks for updates and compatibility.
7. Click Transfer to transfer all files and settings. You can determine which files must be migrated by selecting only the user profiles that you want to transfer, or by clicking Customize.
8. Click Close after WET has completed the migration of files and settings to the destination computer.
Method 3: Transfer Files and Settings by Using Removable Media or a Network Share
Copy files from the source computer
1. Start WET on the computer from which you want to migrate settings and files by browsing to the removable media or network drive that contains the wizard files, and then double-clicking migsetup.exe. If your computer already has WET, you can run it from the System Tools program group folder.
2. Click Next.
3. Click An external hard disk or USB flash drive.
4. Click This is my old computer. WET scans the computer.
5. Click Next. You can determine which files must be migrated by selecting only the user profiles that you want to transfer, or by clicking Customize.
6. Enter a password to protect your Easy Transfer file, or leave the box blank, and then click Save.
7. Browse to the location on the network or the removable media where you want to save your Easy Transfer file, and then click Save.
8. Click Next. WET displays the file name and location of the Easy Transfer file that you just created.
Copy files to the destination computer
1. Connect the removable media to the destination computer.
2. Start Windows Easy Transfer, and then click Next.
3. Click An external hard disk or USB flash drive.
4. Click This is my new computer.
5. Click Yes, open the file.
6. Click Browse to locate where the Easy Transfer file was saved. Click the file name, and then click Open.
7. Click Transfer to transfer all files and settings. You also can determine which files must be migrated by selecting only the user profiles that you want to transfer, or by clicking Customize.
8. Click Close after WET has completed moving your files.
The MigApp.xml file: Specify this file with both the ScanState and LoadState commands to migrate application settings to computers that are running Windows 8.
The MigUser.xml file: Specify this file with both the ScanState and LoadState commands to migrate user folders, files, and file types to computers that are running Windows 8.
The MigDocs.xml file: Specify this file with both the ScanState and LoadState tools to migrate all user folders and files that are found by the MigXmlHelper.GenerateDocPatterns helper function.
Custom .xml files: You can create custom .xml files to customize the migration for your unique needs. For example, you may want to create a custom file to migrate a line-of-business (LOB) application or to modify the default migration behavior.
Config.xml: If you want to exclude components from the migration, you can create and modify the Config.xml file by using the /genconfig option with the ScanState tool.
Component manifests for Windows Vista, Windows 7, and Windows 8: When the source or destination computer is running Windows Vista, Windows 7, or Windows 8, the component-manifest files control which operating system settings are migrated and how they are migrated.
Down-level manifest files: When the source computer is running a supported version of Windows XP, these manifest files control which operating-system and Windows Internet Explorer settings are migrated and how they are migrated.
USMT internal files: All other .dll, .xml, .dat, .mui, and .inf files that are included with USMT are for internal use.
The USMT is useful for administrators who are performing installations on many Windows computers, or administrators who need to customize the migration of user data. For example, you can automate the USMT by scripting it in the logon script. If you are only migrating the user states of a few computers, you can use WET.
The hard-link migration store is for use only in wipe-and-load migration. Hard-link migration stores are stored locally on the computer that is being refreshed, and can migrate user accounts, files, and settings in less time by using megabytes (MBs) of disk space instead of gigabytes (GBs).
The ScanState tool provides various options related to specific categories. These categories are explained in the following sections.
ScanState Options
The following table describes the most commonly used ScanState options.
Option: StorePath
Description: Indicates the folder in which to save the files and settings. For example, in a network share, StorePath cannot be c:\. You must specify StorePath on the ScanState command line, except when using the /genconfig option. You cannot specify more than one StorePath.
Option: /i:[Path\]Filename
Description: Specifies an .xml file that contains rules that define what state to migrate. You can specify this option multiple times to specify all of your .xml files.
Option: /hardlink
Description: Enables the creation of a hard-link migration store at the specified location. The /nocompress option must be specified with the /hardlink option. Additionally, the <HardLinkStoreControl> element can be used in the Config.xml file to change how the ScanState command creates hard-links to files that are locked by another application.
The LoadState tool uses most of the same categories and options as the ScanState tool. The following categories and options are specific to LoadState.
Option: /decrypt
Description: Decrypts the store with the specified key. When you use this option, specify the encryption key in one of the following ways:
o /key:KeyString specifies the encryption key. If there is a space in KeyString, you will need to enclose it in quotation marks.
o /keyfile:FilePathAndName specifies a .txt file that contains the encryption key.
Option: /lac
Description: (local account create) Specifies that if a user account is a local (non-domain) account, and it does not exist on the destination computer, USMT will create the account on the destination computer, but it will be disabled. To enable the account, you must also specify /lae. If /lac is not specified, any local user accounts that do not already exist on the destination computer will not be migrated. The password is the password for the account you just created; an empty password is used by default.
Option: /lae
Description: (local account enable) Enables the account that was created with /lac. You must specify /lac with this option.
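The following script, added here as an example and not taken from the course, strings the ScanState and LoadState options above into a scripted hard-link (wipe-and-load) migration. The USMT folder C:\USMT, the store path C:\MigStore and the log folder C:\MigLogs are assumptions.

```powershell
# Added example: scripted hard-link (wipe-and-load) migration with USMT.
# Assumptions (not from the course): USMT binaries are in C:\USMT, the
# hard-link store is created at C:\MigStore, and logs are written to C:\MigLogs.
$usmt  = 'C:\USMT'
$store = 'C:\MigStore'
$logs  = 'C:\MigLogs'
New-Item -ItemType Directory -Path $logs -Force | Out-Null

# Rule files: MigApp.xml (application settings) and MigUser.xml (user folders,
# files and file types). The same /i: files must be given to ScanState AND
# LoadState, otherwise the two sides disagree about what is migrated.
$rules = @("/i:$usmt\MigApp.xml", "/i:$usmt\MigUser.xml")

function Invoke-Usmt {
    param([string]$Tool, [string[]]$Arguments)
    # Run one USMT tool and stop on failure: a non-zero exit code means the
    # store is incomplete, and LoadState must not be run against it.
    & (Join-Path $usmt $Tool) @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Tool failed with exit code $LASTEXITCODE" }
}

# Step 1, before the wipe: capture state into a hard-link store.
# /hardlink requires /nocompress; /l: names the log file, /v: the verbosity.
Invoke-Usmt 'scanstate.exe' (@($store, '/hardlink', '/nocompress') + $rules +
    @("/l:$logs\scanstate.log", '/v:5'))

# The offline reinstall of Windows 8 happens here; C:\MigStore is kept on disk.

# Step 2, after the reinstall: restore state from the same store.
# /lac creates local (non-domain) accounts that are missing on the destination,
# disabled and with an empty password; /lae enables them. Without /lac, such
# accounts are not migrated at all.
Invoke-Usmt 'loadstate.exe' (@($store, '/hardlink', '/nocompress') + $rules +
    @('/lac', '/lae', "/l:$logs\loadstate.log", '/v:5'))

# Step 3: a hard-link store is not simply deleted; release it with usmtutils.
& (Join-Path $usmt 'usmtutils.exe') /rd $store
```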
When considering migration, using folder redirection can expedite the migration process. If a user's profile is redirected to a network folder, then you simply need to direct their profile on their new computer to the network location to apply their settings and data. Some reasons to use folder redirection include:
Ensuring My Documents folder content is backed up. Many users save documents in the My Documents folder by default. If this folder is on the local hard drive, Windows 8 may never back up these files. However, you can redirect the contents of My Documents to a home folder or a shared network drive.
Minimizing the size of roaming profiles. Redirecting folders takes them out of a roaming profile. This reduces the size of roaming profiles, which results in better logon performance.
You can configure folder redirection manually or by using a Group Policy Object (GPO). For example, for the My Documents folder, you can configure redirection on the Location tab in the properties of My Documents, or by using GPO.
When you redirect a folder, you have the option to copy the files from the current location to the new location. If you forget to copy the files, they are not available to the user. The files continue to exist in the old location, and users can copy them at a later time.
The most common issue that occurs when you configure folder redirection manually is that you might forget to reconfigure it when you assign a user to a new computer, or when you disable folder redirection by accident.
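Because the most common failure is a redirection that did not follow the user to the new computer, here is an added check (example code, not from the course) that reads the Documents folder location Windows keeps in the per-user registry and reports whether it still points at a reachable network location. The registry key it reads is a fact about Windows; treating only UNC paths and network-backed drive letters as "redirected" is an assumption.

```powershell
# Added example (not from the course): verify that a user's Documents folder
# is still redirected after the user moved to a new computer. Run in the
# user's own session. Windows records the folder's location under the
# per-user "User Shell Folders" key; the "Personal" value is Documents.
function Test-DocumentsRedirection {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    $raw = (Get-ItemProperty -Path $key -Name Personal).Personal
    # REG_EXPAND_SZ value: expand %USERPROFILE% and friends before testing.
    $path = [Environment]::ExpandEnvironmentVariables($raw)

    # Assumption: a redirected folder lives at a UNC path (\\server\share\...),
    # or on a drive letter that is mapped to a network share.
    $redirected = $path.StartsWith('\\')
    if (-not $redirected -and $path -match '^([A-Za-z]):') {
        $drive = Get-PSDrive -Name $Matches[1] -ErrorAction SilentlyContinue
        $redirected = [bool]($drive -and $drive.DisplayRoot -like '\\*')
    }

    $result = [pscustomobject]@{
        Path       = $path
        Redirected = $redirected
        Reachable  = Test-Path -LiteralPath $path
    }
    if (-not $result.Redirected) {
        Write-Warning "Documents is local ($path): redirection was not reapplied on this computer."
    } elseif (-not $result.Reachable) {
        Write-Warning "Redirected path $path is not reachable; the user's files are unavailable."
    }
    return $result
}

Test-DocumentsRedirection
```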
An A. Datum Corporation user, Allie Bellew, has recently been assigned a new Windows 8 computer. You have been asked to assist her with the migration of her settings from her previous computer.
Objectives
Back up important user data and settings.
Restore user data and settings to a target computer.
Verify successful migration of user data and settings.
Lab Setup
Estimated Time: 30 minutes
Virtual Machine(s): 20687A-LON-DC1, 20687A-LON-CL1, and 20687A-LON-CL3
User Name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect.
4. Wait until the virtual machine starts.
5. Log on using the following credentials:
o User name: Adatum\Administrator
o Password: Pa$$w0rd
Results: After completing this exercise, you should have backed up important user data and settings.
In this exercise, you will use WET to restore the settings saved in \\LON-DC1\WET to Allie's new Windows 8 computer, LON-CL1. The main task for this exercise is as follows:
1. Import the data and configuration settings on LON-CL1.
Results: After completing this exercise, you should have restored user data and settings to a Windows 8 computer by using WET.
Results: After completing this exercise, you should have confirmed the successful transfer of user data and settings.
Tools
Tool: Windows Easy Transfer; Use to: Perform user data migration; Where to find it: Start screen
Tool: User State Migration Tool; Use to: Perform user data migration; Where to find it: Windows ADK
Module 3
Managing Disks and Device Drivers
Contents:
Module Overview 3-1
Lesson 1: Managing Disks, Partitions, and Volumes 3-2
Lesson 2: Maintaining Disks, Partitions, and Volumes 3-13
Lesson 3: Working with Virtual Hard Disks 3-17
Lab A: Managing Disks 3-21
Lesson 4: Installing and Configuring Device Drivers 3-26
Lab B: Configuring Device Drivers 3-38
Module Review and Takeaways 3-40
Module Overview
The Microsoft Windows 8 operating system simplifies common tasks for IT professionals who manage and deploy desktops, laptops, or virtual environments. It also helps IT professionals leverage tools and skills similar to those used with Windows 7.
Although most computers that are running Windows 8 have a single physical disk configured as a single volume, this is not always the case. For example, there may be times when you want to have multiple operating systems on a single computer, or to have virtual memory on a different volume. Therefore, it is important that you understand how to create and manage simple, spanned, and striped volumes. You can also use Windows 8 to create and access virtual hard disks (VHD) from within the operating system installed on the physical computer. To help optimize file-system performance, you must be familiar with file system fragmentation and the tools you can use to defragment a volume. Additionally, a good understanding of disk quotas is helpful if you are managing available disk space on installed volumes.
To ensure that previously installed devices continue to work in Windows 8, Microsoft is working to make the device drivers available directly from Windows Update or from device manufacturer websites.
Objectives
After completing this module, you will be able to:
Describe the management of disks, partitions, and volumes.
Describe the maintenance of disks, partitions, and volumes.
Explain how to use VHDs.
Describe how to manage disks.
Describe the installation and configuration of device drivers.
Explain how to configure device drivers.
Lesson 1
Before you can use a disk in Windows 8, you must prepare it for use. You must partition the disk using either the master boot record (MBR) partitioning scheme or the globally unique identifier (GUID) partition table (GPT) partitioning scheme. After partitioning the disk, you must create and format one or more volumes before the operating system can use the disk. You can use Disk Management to perform disk-related tasks, such as creating and formatting partitions and volumes, assigning drive letters, and resizing disks.
The MBR is stored at a consistent location on a physical disk, enabling the computer BIOS to reference it. During the startup process, the computer examines the MBR to determine which partition on the installed disks is active. The active partition contains the operating-system startup files.
Note: You can install the rest of the operating system on another partition or disk. In Windows 8, when you boot to an MBR disk, the active partition must contain the boot sector, boot manager, and related files.
The MBR partition scheme has been around for a long time, and it supports both current and early desktop operating systems, such as the MS-DOS and the Microsoft Windows NT Server 4.0 operating system. Consequently, the MBR partition scheme is supported widely. However, the MBR partition scheme imposes certain restrictions, including:
Four partitions on each disk: MBR-based disks are limited to four partitions. All of these can be primary partitions, or one can be an extended partition with logical volumes inside. You can configure the extended partition to contain multiple volumes.
A 2 terabyte maximum partition size: A partition cannot be larger than 2 terabytes.
No redundancy provided: The MBR is a single point of failure, and if it becomes corrupt or incurs damage, it can render an operating system unbootable.
GPT disks contain an array of partition entries that describe the start and end LBA of each partition on disk. Each GPT partition has a unique GUID and partition-content type. Also, each LBA that the partition table describes is 64 bits in length. The GPT format is specified by the Unified Extensible Firmware Interface (UEFI), but is not exclusive to UEFI systems. Both 32-bit and 64-bit Windows operating systems support GPT for data disks on BIOS systems. However, they cannot boot from them. The 64-bit Windows operating systems support GPT for boot disks on UEFI systems.
18 exabyte (EB) volume size: This is a theoretical maximum, because hard-disk hardware is not yet available that supports such vast volume sizes.
Redundancy: Cyclic Redundancy Checks (CRCs) and a duplicate copy protect the GPT.
You can implement GPT-based disks on Windows Server 2008, Windows Vista, Windows 7 and Windows 8. You cannot use the GPT partition style on removable disks.
GPT Architecture
A GPT partitioned disk defines the following sectors:
Sector 0 contains a legacy protective MBR, which contains one primary partition that covers the entire disk:
o The protective MBR protects GPT disks from previously released MBR disk tools, such as Microsoft MS-DOS FDISK or Microsoft Windows NT Disk Administrator. These tools view a GPT disk as having a single encompassing (possibly unrecognized) partition by interpreting the protective MBR, rather than mistaking the disk for one that is not partitioned.
o Legacy software that does not know about GPT interprets only the protective MBR when it accesses a GPT disk.
Sector 1 contains a partition table header. The partition table header contains the unique disk GUID, the number of partition entries (usually 128), and pointers to the partition table.
The partition table starts at sector 2. Each partition entry contains a unique partition GUID, the partition offset, length, type (also a GUID), attributes, and a 36-character name.
The following table describes the partitions that Windows 8 creates when you install it on a GPT disk.
Partition: EFI System Partition (ESP)
Size: 100 MB
Description: Contains the boot manager, the files that booting an operating system requires, the platform tools that run before an operating system boot, or the files that the boot manager must access before an operating system boot. The ESP must be the first partition on the disk, because it is impossible to span volumes when the ESP is logically between what you are attempting to span.
Partition: Microsoft Reserved (MSR) partition
Size: 128 MB
Description: Reserved for Windows components. This partition is hidden in Disk Management, and does not receive a drive letter. Usage example: When you convert a basic GPT disk to dynamic, the system decreases the size of the MSR partition, and uses that space to create the Logical Disk Manager (LDM) Metadata partition.
Partition: Operating system partition
Size: Remaining disk
Description: Contains the OS and is the size of the remaining disk.
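To make the sector layout above concrete, here is an added example (not from the course) that reads sectors 0 and 1 of a disk and checks the protective MBR, the "EFI PART" header, the disk GUID, the partition-entry count and the CRC that guards the header. It needs an elevated session; \\.\PhysicalDrive0 and a 512-byte sector size are assumptions.

```powershell
# Added example (not from the course): read the first two sectors of a disk
# and check the GPT structures described above: the protective MBR in
# sector 0 and the partition table header in sector 1, including the CRC
# that protects the header. Needs an elevated session; \\.\PhysicalDrive0
# and a 512-byte sector are assumptions.

function Get-Crc32 {
    param([byte[]]$Bytes)
    # CRC-32 (IEEE 802.3, reflected), the checksum GPT uses. [long] arithmetic
    # sidesteps PowerShell's signed 32-bit treatment of hex literals.
    $poly = [long]3988292384    # 0xEDB88320
    $mask = [long]4294967295    # 0xFFFFFFFF
    $table = New-Object long[] 256
    for ($i = 0; $i -lt 256; $i++) {
        $c = [long]$i
        for ($k = 0; $k -lt 8; $k++) {
            if ($c -band 1) { $c = $poly -bxor ($c -shr 1) } else { $c = $c -shr 1 }
        }
        $table[$i] = $c
    }
    $crc = $mask
    foreach ($b in $Bytes) {
        $crc = $table[[int](($crc -bxor $b) -band 255)] -bxor ($crc -shr 8)
    }
    return ($crc -bxor $mask) -band $mask
}

function Test-GptHeader {
    param([byte[]]$Sectors, [int]$SectorSize = 512)   # sectors 0 and 1
    $mbr = [byte[]]($Sectors[0..($SectorSize - 1)])
    $hdr = [byte[]]($Sectors[$SectorSize..(2 * $SectorSize - 1)])

    # Protective MBR: 0x55AA boot signature and a single partition entry at
    # offset 0x1BE whose type byte (offset 0x1C2) is 0xEE, so legacy tools see
    # one unknown partition instead of an unpartitioned disk.
    $mbrOk = ($mbr[510] -eq 0x55) -and ($mbr[511] -eq 0xAA) -and ($mbr[0x1C2] -eq 0xEE)

    # Header layout (byte offsets): 0 signature "EFI PART", 12 header size,
    # 16 header CRC32, 56 disk GUID, 72 LBA of the partition entry array,
    # 80 number of entries (usually 128), 84 size of one entry.
    $sig = [Text.Encoding]::ASCII.GetString($hdr, 0, 8)
    $result = [pscustomobject]@{
        ProtectiveMbrOk = $mbrOk
        IsGpt           = ($sig -eq 'EFI PART')
        DiskGuid        = $null
        EntryArrayLba   = $null
        EntryCount      = $null
        HeaderCrcOk     = $false
    }
    if (-not $result.IsGpt) { return $result }

    $headerSize = [BitConverter]::ToUInt32($hdr, 12)
    if ($headerSize -lt 92 -or $headerSize -gt $SectorSize) { return $result }
    $storedCrc = [long][BitConverter]::ToUInt32($hdr, 16)
    # The CRC is computed over the header with its own CRC field set to zero.
    $copy = [byte[]]($hdr[0..($headerSize - 1)])
    $copy[16] = 0; $copy[17] = 0; $copy[18] = 0; $copy[19] = 0

    $result.DiskGuid      = New-Object Guid -ArgumentList (,[byte[]]($hdr[56..71]))
    $result.EntryArrayLba = [BitConverter]::ToUInt64($hdr, 72)
    $result.EntryCount    = [BitConverter]::ToUInt32($hdr, 80)
    $result.HeaderCrcOk   = ((Get-Crc32 $copy) -eq $storedCrc)
    return $result
}

# Read sectors 0 and 1 of physical disk 0 and report. A CRC mismatch means the
# header was changed outside the normal tools and the disk may not be readable.
$sectorSize = 512
$stream = New-Object IO.FileStream -ArgumentList '\\.\PhysicalDrive0',
    ([IO.FileMode]::Open), ([IO.FileAccess]::Read), ([IO.FileShare]::ReadWrite)
$buffer = New-Object byte[] (2 * $sectorSize)
$null = $stream.Read($buffer, 0, $buffer.Length)
$stream.Close()
Test-GptHeader -Sectors $buffer -SectorSize $sectorSize
```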
Diskpart.exe: A scriptable command-line tool, with functionality that is similar to Disk Management, and which includes advanced features. You can create scripts to automate disk-related tasks, such as creating volumes or converting disks to dynamic. This tool always runs locally.
Windows PowerShell version 3.0: PowerShell is a scripting language used to accomplish many tasks in the Windows environment. Starting with PowerShell 3.0, disk management commands have been added for use as stand-alone commands or as part of a script.
Note: Windows 8 does not support remote connections in workgroups. Both the local computer and the remote computer must be in a domain to use Disk Management to manage a disk remotely.
Note: Do not use disk-editing tools, such as DiskProbe, to make changes to GPT disks. Any change that you make renders the checksums invalid, which may cause the disk to become inaccessible. To make changes to GPT disks, use diskpart.exe or Disk Management.
With either tool, you can initialize disks, create volumes, and format the volume file system. Additional common tasks include moving disks between computers, changing disks between basic and dynamic types, and changing the partition style of disks. You can perform most disk-related tasks without restarting the system or interrupting users, and most configuration changes take effect immediately.
Disk Management
Using the Disk Management snap-in of the Microsoft Management Console (MMC), administrators quickly can manage standard, fault tolerant, and volume sets, and confirm the health of each volume. Disk Management in Windows 8 provides the same features with which you may be familiar from previous versions, including:
Simpler partition creation: When you right-click a volume, choose whether to create a basic, spanned, or striped partition directly from the menu.
Disk conversion options: When you add more than four partitions to a basic disk, you are prompted to convert the disk to dynamic or to the GPT partition style. You also can convert basic disks to dynamic disks without incurring data loss. However, converting a dynamic disk to basic is not possible without deleting all of the volumes first.
Extend and shrink partitions: You can extend and shrink partitions directly from the Windows interface.
To open Disk Management:
1. In the Start Screen, type d. This will display the Apps search window.
2. Type diskmgmt.msc in the search box, and then click diskmgmt in the results list.
Diskpart.exe
Using Diskpart.exe, you can manage fixed disks and volumes by using scripts or direct input from the command line. At the command prompt, type diskpart, and then enter commands at the diskpart> prompt. The following are common diskpart actions:
To view a list of diskpart commands, at the diskpart command prompt, type commands.
To create a diskpart script in a text file and then run the script, type a command similar to diskpart /s testscript.txt.
To create a log file of the diskpart session, type diskpart /s testscript.txt > logfile.txt.
The following table shows several diskpart commands that you will use frequently in this scenario.
Command: list disk
Description: Displays a list of disks and information about them, such as their size, amount of available free space, whether the disk is basic or dynamic, and whether the disk uses the MBR or GPT partition style. The disk marked with an asterisk (*) is the one that commands will be executed against.
Command: select disk <disknumber>
Description: Selects the specified disk, where <disknumber> is the disk number, and gives it focus.
Command: convert gpt
Description: Converts an empty, basic disk with the MBR partition style into a basic disk with the GPT partition style.
For additional information about diskpart.exe commands, start Disk Management, and then open the Help Topics from the Help menu.
PowerShell 3.0
In earlier versions of PowerShell, if you wanted to script disk-management tasks, you would have to make calls to Windows Management Instrumentation (WMI) objects or include DiskPart in your scripts. PowerShell 3.0 now includes commands for natively managing disks. The following table details some PowerShell commands:
Command: Get-Disk
Description: Returns information on all disks or disks that you specify with a filter.
Additional parameters: -FriendlyName returns information about disks that have the specified friendly name. -Number returns information about a specific disk.
Command: Clear-Disk
Description: Cleans a disk by removing all partition information.
Additional parameters: -ZeroOutEntireDisk writes zeros to all sectors of the disk.
Command: Initialize-Disk
Description: Prepares a disk for use. By default, it creates a GPT partition.
Additional parameters: -PartitionStyle <PartitionStyle> specifies the type of the partition, either MBR or GPT.
Command: Set-Disk
Description: Updates the physical disk with the specified attributes.
Additional parameters: -PartitionStyle <PartitionStyle> specifies the type of the partition, either MBR or GPT. You can use this to convert a disk that previously was initialized.
Command: Get-Volume
Description: Returns information on all of the system's volumes, or those volumes that you specify with a filter.
Additional parameters: -DriveLetter <Char> gets information about the specified drive letter. -FileSystemLabel <String> returns information on NTFS or ReFS volumes.
Additional Reading: For more information, see Storage in Windows PowerShell: http://technet.microsoft.com/en-us/library/hh848705.aspx.
When you add a new hard disk to a computer, and then start Disk Management, a wizard steps you through the initialization process, during which you select whether to have an MBR or a GPT partition style. Although you can change between partition styles at a later time, some of the operations are irreversible unless you reformat the drive. You should carefully consider the disk type and partition style that is most appropriate for your situation. Before you change the partition style, remember that you:
Must be a member of the Backup Operators or Administrators group.
Must back up the entire contents of the hard disk before making a change, which is true for any major change that you make to disk contents.
Must ensure that disks are online before you can initialize them, or create new partitions or volumes. To bring a disk online or take it offline in Disk Management, right-click the disk name, and then click the appropriate action.
Can convert only from GPT to MBR if the disk does not contain any volumes or partitions.
Should use Event Viewer to check the system log for disk-related messages.
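An added example (not from the course) that applies the checklist above with the Storage cmdlets from the PowerShell 3.0 table: it refuses to touch a disk that already has a partition style, brings the disk online, initializes it as GPT, and creates one NTFS volume. Disk number 1 and the label Data are assumptions; New-Partition and Format-Volume are Storage-module cmdlets not listed in the table.

```powershell
# Added example (not from the course): bring a newly added disk online and
# prepare it with the Storage cmdlets. Disk number 1 and the volume label
# "Data" are assumptions; check Get-Disk output before running it.
function Initialize-NewDataDisk {
    param([int]$Number = 1, [string]$Label = 'Data')

    $disk = Get-Disk -Number $Number
    # Safety check: Initialize-Disk is only for a RAW (uninitialized) disk.
    # Refuse anything that already has a partition style so no data is touched;
    # changing the style of an initialized disk needs a backup and Clear-Disk first.
    if ($disk.PartitionStyle -ne 'RAW') {
        throw "Disk $Number is already $($disk.PartitionStyle); refusing to initialize."
    }
    # A disk must be online and writable before it can be initialized.
    if ($disk.IsOffline)  { Set-Disk -Number $Number -IsOffline $false }
    if ($disk.IsReadOnly) { Set-Disk -Number $Number -IsReadOnly $false }

    Initialize-Disk -Number $Number -PartitionStyle GPT
    # One partition filling the disk, then an NTFS volume with a label.
    $part = New-Partition -DiskNumber $Number -UseMaximumSize -AssignDriveLetter
    Format-Volume -DriveLetter $part.DriveLetter -FileSystem NTFS `
        -NewFileSystemLabel $Label -Confirm:$false | Out-Null

    # Return the new volume (same data the Get-Volume row in the table describes).
    Get-Volume -DriveLetter $part.DriveLetter
}

# Inventory first: which disks are still RAW and whether they are offline.
Get-Disk | Where-Object PartitionStyle -eq 'RAW' |
    Select-Object Number, FriendlyName, Size, IsOffline, PartitionStyle

Initialize-NewDataDisk -Number 1 -Label 'Data'
```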
Note: In a multiboot scenario, if you are in one operating system, and you convert a basic MBR disk that contains an alternate operating system to a dynamic MBR disk, you will not be able to boot into the alternate operating system.
Most business users require a basic disk and one basic volume for storage, but do not require a computer with volumes that span multiple disks or that provide fault-tolerance. This is the best choice for those who require simplicity and ease of use.
If small business users want to upgrade their operating systems and reduce impact on their business data, they must store the operating system in a separate location from business data. This scenario requires a basic disk with two or more basic volumes. Users can install the operating system on the first volume, creating a boot volume or system volume, and use the second volume to store data. When a new version of the operating system is released, users can reformat the boot or system volume, and install the new operating system. The business data, located on the second volume, remains untouched.
A simple volume may provide better performance than striped data-layout schemes. For example, when serving multiple, lengthy, sequential streams, performance is best when a single disk services each stream. Also, workloads that are composed of small, random requests do not always result in performance benefits when you move them from a simple to a striped data layout.
Using diskpart
1. Start diskpart.
2. In the diskpart command prompt, run the following commands:
o select disk 3
o create partition primary size=5103
o list partition
o select partition 2
3. Open Windows Explorer, and verify that the volumes that you created are visible.
Question: In what circumstances will you use less than all of the available space on a new volume's disk?
Basic disks support only primary partitions, extended partitions, and logical drives. To use spanned or striped volumes, you must convert the disks to dynamic volumes. Dynamic disks use a database to track information about the disk's dynamic volumes and about the computer's other dynamic disks. Because each dynamic disk in a computer stores a replica of the dynamic disk database, Windows can repair a corrupted database on one dynamic disk by using the database on another dynamic disk.
A spanned volume gives users the option to gather noncontiguous free space from one or many disks into the same volume. A spanned volume does not provide any fault tolerance. Additionally, because the areas that you combine are not necessarily equally distributed across the participating disks, there is no performance benefit to implementing spanned volumes. I/O performance is comparable to simple volumes.
You can create a spanned volume either by extending a simple volume to an area of unallocated space on a second disk, or by designating multiple disks during the volume-creation process. The benefits of using spanned volumes include uncomplicated capacity planning and straightforward performance analysis. If you are creating a new spanned volume, you must define the same properties as when you create a simple volume in terms of size, file system, and drive letter. It also is necessary to define how much space to allocate to the spanned volume from each physical disk. You can create spanned volumes only on dynamic disks. If you attempt to create a spanned volume on basic disks, Windows prompts you to convert the disk to dynamic after you have defined the volume's properties and confirmed the choices.
It is possible to shrink a spanned volume. However, it is not possible to remove an area from a specific disk. For example, if a spanned volume consists of three 100 megabyte (MB) partitions, one on each of three disks, you cannot delete the third element. Depending on the space consumption in the volume, you can reduce the volume's total size.
Note: When you shrink a spanned volume, no data loss occurs. However, the number of disks involved may decrease. If the spanned volume resides on a single disk, the spanned volume is converted into a simple volume. If there are empty dynamic disks that result from shrinking a spanned volume, the empty dynamic disks are converted to basic disks.
If you install additional hard disks, it is possible to extend the spanned volume to include areas of unallocated space on the new disks, as long as the total number of disks does not exceed the 32-disk limit for spanned volumes.
For most workloads, a striped data layout provides better performance than simple or spanned volumes, as long as you select the striped unit appropriately, based on workload and storage hardware characteristics. The overall storage load is balanced across all physical drives.
Striped volumes also are well suited for isolating the paging file. By creating a volume where PAGEFILE.SYS is the only file on the entire volume, the paging file is less likely to become fragmented, which helps improve performance. Redundancy normally is not required for the paging file. Striped volumes provide a better solution than RAID 5 for paging file isolation. This is because paging file activity is write-intensive, and RAID 5 is better suited for read performance than write performance.
Because no capacity is allocated for redundant data, RAID 0 does not provide data-recovery mechanisms, such as those in RAID 1 and RAID 5. The loss of any disk results in data loss on a larger scale than it would on a simple volume, because it disrupts the entire file system that spreads across multiple physical disks. The more disks that you combine, the less reliable the volume becomes. When you create a striped volume, define the file system, drive letter, and other standard volume properties. Additionally, you must define the disks from which to allocate free space. The allocated space from each disk must be identical. It is possible to delete a striped volume, but it is not possible to extend or to shrink the volume.
Configuration Changes
There are times when you may want to upgrade or in some way alter the configuration of computer hardware or software. For example:
When the addition of functionality adds value to your organization.
When a fault in software, hardware, or the combined architecture results in an application failing.
When a change in the functionality or role of a server or workstation occurs.
There are other forms of volume management, with different types of fault tolerance and recovery that this module does not cover. These include using RAID-1 or RAID-5 volumes, hardware mirroring, and disk duplexing. You could consider using these forms of volume management in your enterprise.
Complete the New Spanned Volume Wizard using defaults, except for the following information:
o Use 2000 MB from Disk 2
o Use 1500 MB from Disk 3
o Use 4000 MB from Disk 4
o Name the volume SpanVol
5. Read the Disk Management warning, and then click Yes.
Question: What is the advantage of using striped volumes, and conversely what is the major disadvantage?
To perform the shrink operation, ensure that the disk is either unformatted or formatted with the NTFS file system, and that you are part of the Backup Operator or Administrator group. When you shrink a volume, contiguous free space relocates to the end of the volume. There is no need to reformat the disk, but to ensure that the maximum amount of space is available, make sure you perform the following tasks before shrinking:
Defragment the disk, if you do not have a regular schedule for defragmentation.
Reduce shadow copy disk-space consumption.
Ensure that no page files are stored on the volume that you are shrinking.
When you shrink a volume, unmovable files (the page file or the shadow-copy storage area) do not relocate automatically. It is not possible to decrease the allocated space beyond the point where the unmovable files are located. If you need to shrink the partition further, move the page file to another disk, delete the stored shadow copies, shrink the volume, and then move the page file back to the disk. To view shadow copy storage information, use the Volume Shadow Copy Service administrative command-line tool. Start an elevated command prompt, and then type vssadmin list shadowstorage. The used, allocated, and maximum shadow copy storage space is listed for each volume.
Defragmentation in Windows 8 improves upon defragmentation in previous Windows versions. You now can optimally replace some files that you could not relocate in Windows Vista or earlier versions. A later topic discusses additional information about defragmenting.
Note: You may destroy or lose data if you shrink a raw partition, meaning a partition that does not have a file system, but does contain data. Remember to make a backup prior to extending or shrinking a partition or volume.
You can shrink simple and spanned dynamic disks, but not others. Here are a few ways in which you can increase the size of a simple volume:
Extend the simple volume on the same disk. The volume remains a simple volume.
Extend a simple volume to include unallocated space on other disks on the same computer. This creates a spanned volume.
This demonstration shows how to resize a volume with the diskpart tool. Then, the Disk Management tool is used to extend a simple volume.
Compare the size of the Simple2 volume with the size previously reported.
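The pre-shrink checklist above and the diskpart scripting approach from the Diskpart.exe section (diskpart /s script > log), combined into an added example that is not part of the course. Drive letter S:, the 1024 MB reduction and the script path C:\Temp\shrink.txt are assumptions; the page-file and shadow-storage checks use Win32_PageFileUsage and vssadmin output, which are facts about Windows, not the course's procedure.

```powershell
# Added example (not from the course): check the three pre-shrink conditions,
# then shrink the volume with a logged diskpart script.
# Drive S:, a 1024 MB reduction and C:\Temp\shrink.txt are assumptions.

function Test-ShrinkPreflight {
    param([char]$DriveLetter)
    $root = "$($DriveLetter):\"
    $vol  = Get-Volume -DriveLetter $DriveLetter

    # 1. Only NTFS volumes (or unformatted ones) can be shrunk in place.
    $fsOk = ($vol.FileSystem -eq 'NTFS') -or [string]::IsNullOrEmpty($vol.FileSystem)

    # 2. A page file on the volume is unmovable and blocks the shrink.
    $pageFiles = Get-CimInstance -ClassName Win32_PageFileUsage |
        Select-Object -ExpandProperty Name
    $hasPageFile = [bool]($pageFiles | Where-Object { $_ -like "$root*" })

    # 3. Shadow-copy storage on the volume: the same data 'vssadmin list
    #    shadowstorage' prints, one "For volume: (S:)" line per association.
    $vss = (vssadmin list shadowstorage | Out-String)
    $hasShadow = $vss -match ('For volume: \(' + [regex]::Escape("$($DriveLetter):") + '\)')

    [pscustomobject]@{
        Volume                = $root
        FileSystemOk          = $fsOk
        PageFileOnVolume      = $hasPageFile
        ShadowStorageOnVolume = $hasShadow
    }
}

function Invoke-DiskpartShrink {
    param([char]$DriveLetter, [int]$DesiredMB, [string]$ScriptPath = 'C:\Temp\shrink.txt')
    # Consolidate free space first so the maximum amount is shrinkable.
    defrag "$($DriveLetter):" | Out-Null

    # 'shrink querymax' reports the largest possible reduction; 'shrink desired='
    # asks for a specific amount and is capped by where unmovable files sit.
    $script = @"
select volume $DriveLetter
shrink querymax
shrink desired=$DesiredMB
list volume
"@
    New-Item -ItemType Directory -Path (Split-Path $ScriptPath) -Force | Out-Null
    Set-Content -Path $ScriptPath -Value $script -Encoding ASCII

    # Keep a session log, as in 'diskpart /s testscript.txt > logfile.txt'.
    $log = [IO.Path]::ChangeExtension($ScriptPath, 'log')
    diskpart /s $ScriptPath > $log
    Get-Content -Path $log
}

$check = Test-ShrinkPreflight -DriveLetter 'S'
$check
if ($check.FileSystemOk -and -not $check.PageFileOnVolume) {
    if ($check.ShadowStorageOnVolume) {
        Write-Warning 'Shadow copies on S: limit how far the volume can shrink.'
    }
    Invoke-DiskpartShrink -DriveLetter 'S' -DesiredMB 1024
}
```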
Lesson 2
When you first create a volume, you typically are creating new files and folders on the volume's available free space, in contiguous blocks. This provides an optimized file-system environment. As the volume becomes full, the availability of contiguous blocks diminishes. This can lead to subpar performance. This lesson explores file-system fragmentation and the tools that you can use to reduce fragmentation.
As the volume fills with data and other files, contiguous areas of free space are harder to find. File deletion also causes fragmentation of available free space. Additionally, when you extend a file, there may not be contiguous free space following the existing file blocks. This forces the I/O manager to save the remainder of the file in a noncontiguous area. Over time, contiguous free space becomes harder to find, leading to fragmentation of newly stored content. The incidence and extent of fragmentation varies, depending on available disk capacity, disk consumption, and usage patterns. Although the NTFS file system is more efficient at handling disk fragmentation than earlier file systems, this fragmentation still presents a potential performance problem. Combined hardware and software advances in Windows help to mitigate the impact of fragmentation and deliver better responsiveness.
The Optimize Drives tool rearranges data and reunites fragmented files. It runs automatically on a scheduled basis. However, you can perform a manual optimization at any time. To manually optimize a volume or drive, or to change the automatic optimization schedule, right-click a volume in Windows Explorer (which you can open with the Windows Key + E), click Properties, click the Tools tab, and then click Optimize. You then can perform the following tasks:
Change Settings, which allows you to:
o Enable or disable the automated optimization.
o Specify the automated optimization frequency.
o Set a notification for three consecutive missed optimization runs.
o Select which volumes you want to optimize.
Analyze the disk to determine whether it requires optimization.
Launch a manual optimization.
You u also can start t the Optimization process by b launching D Defragment and Optimize Dr rives form the Adm ministrative too ols.
To verify v that a disk requires de efragmentation n, in the Optim mize Drives too ol, select the disk that you w want to defr ragment, and then t click Ana alyze. Once Windows finishe es analyzing th he disk, check t the percentage of frag gmentation on the disk in the Current stat tus column. If f the number is s high, defragm ment the disk. . The Optimize Driv ves tool might t take from sev veral minutes t to a few hours s to finish defra agmenting, dep pending on the e size and degree of fragmen ntation of the disk or univer rsal serial bus ( (USB) device, s such as an a external har rd drive. You can use the com mputer during g the defragme entation proce ess.
You u can configure e and run disk defragmentat tion from an e elevated comm mand prompt b by using the d defrag com mmand-line tool. Use the De efrag /? at the command pro ompt for available options. There are several ways that you can help prev vent file-system m fragmentation: Partition the disk so that yo ose that are cr ou isolate static files from tho reated and deleted frequent tly, such as some e user-profile files and tempo orary Internet files.
Use the Disk Cleanup feature to free disk k space that is being consum med by each us sers preferences for console files that t the profile e is saving. Use the Optim mize Drives too ol to help redu uce the impact t of disk fragm mentation on d disk volumes, including USB B drives. The Optimize O Drive es tool rearrang ges fragmente ed data so that t disks and drives can work more efficiently.
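The analyze-then-optimize procedure above, driven from an elevated PowerShell prompt with the defrag.exe tool the text describes. This is an added example, not code from the course; the drive letter, the 10% threshold, and the exact wording of the "Total fragmented space" line that defrag /A prints are assumptions (the report text is locale-dependent).

```powershell
# Added example: analyze a volume with defrag.exe and optimize it only when
# fragmentation is above a threshold. Requires an elevated prompt.

function Get-FragmentationPercent {
    param([Parameter(Mandatory)][string]$Drive)   # e.g. 'C:'

    # defrag /A prints a pre-optimization report that contains a line such as
    # "Total fragmented space = 12%" (assumed English Windows 8 text).
    $report = & defrag.exe $Drive /A 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "defrag /A failed on $Drive (exit $LASTEXITCODE): $($report -join ' ')"
    }
    $m = $report | Select-String -Pattern 'Total fragmented space\s*=\s*(\d+)%' |
         Select-Object -First 1
    if (-not $m) { throw "Could not parse fragmentation from defrag output for $Drive" }
    [int]$m.Matches[0].Groups[1].Value
}

function Optimize-IfFragmented {
    param([string]$Drive = 'C:', [int]$ThresholdPercent = 10)

    $pct = Get-FragmentationPercent -Drive $Drive
    if ($pct -ge $ThresholdPercent) {
        # /O performs the optimization appropriate for the media type (defragment
        # a hard disk, retrim a solid-state drive); /V prints verbose statistics.
        & defrag.exe $Drive /O /V
    } else {
        "$Drive is $pct% fragmented; below the $ThresholdPercent% threshold, nothing to do."
    }
}

# The Windows 8 Storage module offers the same analysis natively:
#   Optimize-Volume -DriveLetter C -Analyze -Verbose
# The automatic run described above is the ScheduledDefrag task:
#   Get-ScheduledTask -TaskPath '\Microsoft\Windows\Defrag\' -TaskName ScheduledDefrag

Optimize-IfFragmented -Drive 'C:' -ThresholdPercent 10
```

Parsing the human-readable report is fragile; the function fails closed (throws) rather than silently treating an unparsed report as "not fragmented".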
Additionally, you can manage quotas by using the fsutil quota and fsutil behavior commands from the command prompt. Once you create a quota, you can export it, and then import it for a different volume. In addition to establishing quota settings on an individual computer by using these methods, you can also use Group Policy settings to configure quotas. This lets administrators configure multiple computers with the same quota settings.
Over time, the amount of available disk space inevitably decreases, so you must ensure that you have a plan to increase storage capacity.
Note: Quotas are tracked separately for each volume.
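The fsutil quota and fsutil behavior commands mentioned above, as an added example run from an elevated PowerShell prompt (not code from the course). The volume letter, user name and limits are assumed values; fsutil takes the threshold and limit in bytes, which PowerShell computes here from megabytes.

```powershell
# Added example: enable, configure and inspect NTFS disk quotas with fsutil.
# Quotas are tracked per volume, so every value below applies to $Volume only.
$Volume  = 'D:'            # assumed volume
$User    = 'Adatum\Alan'   # assumed user
$WarnMB  = 80              # threshold at which a warning is logged
$LimitMB = 100             # hard limit; writes beyond this fail once enforced

# Step 1: track usage without enforcing, so you can see who would be affected.
fsutil quota track $Volume
fsutil quota query $Volume

# Step 2: set a per-user threshold and limit (bytes), then enforce the quota.
fsutil quota modify $Volume ($WarnMB * 1MB) ($LimitMB * 1MB) $User
fsutil quota enforce $Volume

# Step 3: review. 'query' shows the volume defaults and every user entry;
# 'violations' searches the System and Application logs for quota events.
fsutil quota query $Volume
fsutil quota violations

# Quota violation events are written at most once per quotanotify interval
# (seconds). Query the interval; shorten it only while testing, since a short
# interval makes a noisy event log.
fsutil behavior query quotanotify
```

To stop enforcing but keep tracking, run fsutil quota track on the volume again; fsutil quota disable turns quotas off entirely. The test files in the lab (fsutil file createnew) are a convenient way to exceed the limit as the quota-limited user and confirm that the write fails and the violation is logged.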
5. Open a command prompt, and then run the following commands on the drive l:
   o fsutil file createnew 2mb-file 2097152
   o fsutil file createnew 1kb-file 1024
6.
Lesson 3
With VHDs, you can present a portion of a hard drive as an independent hard drive to the Windows 8 operating system. VHDs generally are associated with virtual machines. Beginning with Windows 7, Windows operating systems can mount VHDs directly. In this lesson, you will learn what a virtual hard disk is and how to mount one in Windows 8.
Windows 8 supports both virtual disk formats, VHD and VHDX, and two virtual hard disk types, fixed and dynamically expanding. Both virtual hard disk formats support both disk types. Additionally, when using diskpart.exe, a differencing disk can be created. A differencing disk lets you use a base disk without making changes to the base disk; all changes are written to the differencing disk. A differencing disk must be a VHD and must be dynamically expanding.
VHD disks support up to 2 terabytes of storage, whereas the VHDX format is for virtual disks larger than 2 TB, with a supported maximum of 64 terabytes.
A fixed-size virtual hard disk is allocated its maximum size when you create the virtual disk. The fixed disk type is the recommended type for the VHD virtual disk format for the following reasons:
- The I/O performance is highest for fixed VHDs, because the file is not dynamically expanded.
- When a dynamically expanding disk is expanded, the host volume could run out of space and cause write operations to fail. The use of fixed VHDs ensures that this does not happen.
- The file data will not become inconsistent due to lack of storage space or power loss. Dynamically expanding VHDs depend on multiple write operations to expand the file. The internal block-allocation information can become inconsistent if all I/O operations to the VHD file and the host volume are not completed and persisted on the physical disk. This can happen if the computer suddenly loses power.
The size of a dynamically expanding virtual hard disk is only as large as the data that is written to it. As more data is written to a dynamically expanding virtual hard disk, the file grows up to the configured maximum size. With the improvements in the VHDX format, the dynamically expanding disk type is recommended when creating VHDX drives.
Attach. Attaching a VHD activates the VHD, so that it appears on the host computer as a local hard disk drive. If the VHD already has a disk partition and file system volume when you attach it, the volume inside the VHD is assigned a drive letter. The assigned drive letter is then available for use, similar to when you insert a USB flash drive into a USB connector. All users (not just the current user) can use the attached VHD in the same way they use other volumes on local physical hard-disk drives, subject to their security permissions. Furthermore, because you can attach a VHD that is on a remote server message block (SMB) share, you can manage your images remotely.
Detach. Detaching a VHD stops the VHD from appearing on the host computer. When you detach a VHD, you can copy it to other locations.
You only can use diskpart to create VHD-formatted VHDs. To create a VHD by using diskpart, you use the create vdisk command at the diskpart prompt. The following table shows the options that the create vdisk command supports.
Option
    Description
file=(filename)
    Specifies the complete path and filename of the virtual disk file. The file may be on a network share.
maximum=(n)
    The maximum amount of space that the virtual disk exposes, in megabytes.
type=(fixed|expandable)
    fixed specifies a fixed-size virtual disk file. expandable specifies a virtual disk file that resizes to accommodate the allocated data. The default is fixed.
sd=(sddl string)
    Specifies a security descriptor in the security descriptor definition language (SDDL) format. By default, the security descriptor is taken from the parent directory.
parent=(filename)
    Path to a parent virtual disk file to create a differencing disk. With the parent parameter, you should not specify maximum, because the differencing disk gets its size from its parent. Also, do not specify type, because only expandable differencing disks can be created.
source=(filename)
    Path to an existing virtual disk file to be used to prepopulate the new virtual disk file. When source is specified, data from the input virtual disk file is copied block for block to the created virtual disk file. Be aware that this does not establish a parent-child relationship.
noerr
    For scripting only. When diskpart encounters an error, it continues to process commands as if the error did not occur.
To mount a virtual disk by using diskpart, you must first use the select vdisk command to specify the VHD file, and then use the attach vdisk command. The following table shows the options that the select vdisk command supports:
Option
    Description
file=(filename)
    Specifies the complete path and filename of the virtual disk file. The file may be on a network share.
noerr
    For scripting only. When diskpart encounters an error, it continues to process commands as if the error did not occur.
The following table shows the options that the attach vdisk command supports:
Option
    Description
readonly
    Attaches the virtual disk as read-only. Any write operation will return an input/output device error.
sd=(sddl string)
    Specifies a security descriptor in the SDDL format. By default, the security descriptor allows access like any physical disk.
usefilesd
    Specifies that the security descriptor on the virtual disk file itself should be used on the virtual disk. If not specified, the disk will not have an explicit security descriptor unless one is specified with sd=(sddl string).
To unmount a virtual disk using diskpart, you first must use the select vdisk command to specify the virtual hard disk file, and then use the detach vdisk command. The detach vdisk command supports only the noerr option.
Disk Management provides a graphical interface for managing virtual disks. The Create VHD and Attach VHD options are available from the Action menu. When you create a virtual hard disk in Disk Management, you can create either VHD or VHDX files. The default selections for creating a virtual disk will create a VHD-format drive with a fixed disk type. You always must provide the path\filename and size of the file that you want to create. When you attach a VHD through Disk Management, you only need to specify the path\filename. When you attach a VHD, you have the option to make it read-only. When you want to unmount a virtual disk, right-click the disk, and then click Detach VHD.
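The create vdisk, attach vdisk and detach vdisk commands from the tables above, combined into one scripted procedure. This is an added example, not code from the course: it writes a diskpart script file and runs it with diskpart /s from an elevated PowerShell prompt. The VHD path, size, drive letter and the SDDL string are assumed values. The sd= option is used because the default attach security descriptor "allows access like any physical disk", which makes the attached volume usable by every local user.

```powershell
# Added example: create a fixed VHD, attach it with a restrictive security
# descriptor, partition and format it, then re-attach it read-only. Run elevated.
$VhdPath = 'C:\VHDs\lab.vhd'     # assumed path (a UNC path to an SMB share also works)
$SizeMB  = 512                   # assumed size; fixed VHDs are fully allocated on creation
$Letter  = 'V'                   # assumed drive letter
# Assumed SDDL: protected DACL, full access for BUILTIN\Administrators only.
$Sddl    = 'D:P(A;;GA;;;BA)'

New-Item -ItemType Directory -Path (Split-Path $VhdPath) -Force | Out-Null

function Invoke-DiskPart {
    param([Parameter(Mandatory)][string[]]$Lines)
    $script = [IO.Path]::GetTempFileName()
    # diskpart /s reads a plain ANSI text file, one command per line.
    Set-Content -Path $script -Value $Lines -Encoding ASCII
    try {
        $out = & diskpart.exe /s $script
        if ($LASTEXITCODE -ne 0) { throw "diskpart failed:`n$($out -join "`n")" }
        $out
    } finally { Remove-Item $script -Force }
}

# 1. Create, attach (with the restrictive descriptor), partition, format, assign.
Invoke-DiskPart @(
    "create vdisk file=`"$VhdPath`" maximum=$SizeMB type=fixed",
    "select vdisk file=`"$VhdPath`"",
    "attach vdisk sd=`"$Sddl`"",
    "create partition primary",
    "format fs=ntfs label=`"LabVHD`" quick",
    "assign letter=$Letter"
)
Get-Volume -DriveLetter $Letter | Format-List DriveLetter, FileSystemLabel, Size

# 2. Detach, then re-attach read-only: any write now returns an I/O error.
Invoke-DiskPart @("select vdisk file=`"$VhdPath`"", "detach vdisk")
Invoke-DiskPart @("select vdisk file=`"$VhdPath`"", "attach vdisk readonly")
try {
    # The letter usually persists across re-attach; if it does not, the path
    # error below also lands in the catch block.
    Set-Content -Path "${Letter}:\probe.txt" -Value 'x' -ErrorAction Stop
    'Unexpected: a write succeeded on a read-only VHD'
} catch {
    "Write blocked as expected: $($_.Exception.Message)"
}

# 3. Detach so the file can be copied elsewhere.
Invoke-DiskPart @("select vdisk file=`"$VhdPath`"", "detach vdisk")
```

Because diskpart with noerr keeps going after a failure, the script deliberately omits noerr so that a failed step stops the whole sequence instead of leaving a half-configured disk attached.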
You need to configure the hard drives manually on some new desktop computers. Due to application requirements, you need to create several simple partitions, a spanned partition, and a striped partition. The client computers are shared, and require that you place a quota on the spanned drive. In certain instances, you plan on using virtual drives.
Objectives
- Create simple, spanned, and striped volumes on the client computers.
- Create a quota on the client machine's spanned volume.
Lab Setup
Estimated Time: 20 minutes
Virtual Machine(s): 20687A-LON-DC1, 20687A-LON-CL2
User Name: Adatum\Administrator and Adatum\Alan
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   o User name: Adatum\Administrator
   o Password: Pa$$w0rd
   o Domain: Adatum
5. Compare the size of the Simple2 volume with the size previously reported.
4. Name the volume SpannedVol.
5. Read the Disk Management warning, and then click Yes.
Results: After this exercise, you will have created several volumes on the client computer.
In this exercise, students configure a disk quota on one of the new volumes. Students enforce a quota limit, and then log on as standard users to test the quota limit. The main tasks for this exercise are as follows:
1. Create disk quotas on a volume.
2. Create test files.
3. Test the disk quota.
4. Review quota alerts and logging.
Results: At the end of this exercise, you will have created and tested a disk quota.
Results: At the end of this exercise, you will have mounted an existing VHD file, and then used the virtual drive.
When you have finished the lab, leave the virtual machines running, because they are needed for the next lab.
Lesson 4
Devices have changed from being single-function peripherals to complex, multifunction devices with a large amount of local storage and the ability to run applications. They have evolved from a single type of connection, such as USB, to multi-transport devices that support USB, Bluetooth, and Wi-Fi. Many of today's devices are integrated and sold with services that are delivered over the Internet. Internet delivery has simplified the delivery mechanism, which means that a computer's ability to recognize and use devices has expanded to cover all possibilities. Microsoft has expanded the list of devices and peripherals that are tested for compatibility with Windows 8.
The device experience in Windows 8 is designed on existing connectivity protocols and driver models to maximize compatibility with existing devices. The following are areas in Windows 8 that you can use to manage devices:
- The Devices and Printers control panel gives users a single location to find and manage all the devices that connect to a Windows 8-based computer, and provides quick access to device status, product information, and key functions, such as faxing and scanning. This enhances and simplifies the customer experience with a Windows 8-connected device.
- Device Manager is used to view and update hardware settings and driver software for devices such as internal hard drives, disc drives, sound cards, video or graphics cards, memory, processors, and other internal computer components.
Seamless user experiences begin with the ability to effortlessly connect devices. Additional drivers are retrieved automatically from Windows Update, and when appropriate, users are given an option to download and install additional applications for the device. These components all help reduce support calls and increase customer satisfaction.
Lesson Objectives
After completing this lesson, you will be able to:
- Describe device drivers in Windows 8.
- Describe the process for installing devices and drivers.
- Describe the process for installing drivers into the driver store.
- Describe the device driver management tools.
- Describe the options for updating drivers.
- Describe how to manage signed drivers.
- Discuss options for recovering from a driver issue.
- Manage drivers.
Windows 8 is available in 32-bit and 64-bit versions. Drivers developed for the 32-bit versions do not work with the 64-bit versions, and vice versa. You must make sure that you obtain the appropriate device drivers before you install Windows 8.
Driver Signing
The device drivers that are part of Windows 8 have a Microsoft digital signature that indicates whether a particular driver or file has met a certain level of testing, is stable and reliable, and has not been altered since it was signed digitally. Windows 8 checks for a driver's digital signature during installation, and prompts the user if no signature is available.
Note: The signature file is stored as a .cat file in the same location as the driver file.
The driver store is the driver repository in Windows 8. A driver package is a set of files that make up a driver. It includes the .inf file, any files that the .inf file references, and the .cat file that contains the digital signature for the device driver. You can preload the driver store with drivers for commonly used peripheral devices. The driver store is located in %systemroot%\System32\DriverStore.
Installing a driver is a two-stage process. First, you install the driver package into the driver store. You must use administrator credentials to install the driver package into the driver store. The second step is to attach the device and install the driver. A standard user can perform this second step.
During hardware installation, if the appropriate driver is not available, Windows 8 uses Windows Error Reporting to report an unknown device. This enables Original Equipment Manufacturers (OEMs) to work in conjunction with Microsoft to provide additional information to the user, such as a statement of nonsupport for a particular device, or a link to a website with additional support information.
In Windows 8, the Device Metadata System provides an end-to-end process for defining and distributing device metadata packages. These packages contain device experience XML documents that represent the device's properties and functions, together with applications and services that support the device. Through these XML documents, the Devices and Printers folder and Device Stage present users with an interface that is specific to the device, which the device maker defines.
Windows Online Quality Services (Winqual) validates device-experience XML documents, and then signs device metadata packages. Windows Metadata and Internet Services (WMIS) distributes new or revised device-metadata packages that device makers submit through Winqual.
Windows 8 uses WMIS to discover, index, and match device metadata packages to specific devices that are connected to the computer. Device makers also can distribute device-metadata packages directly to the computer through their own Setup applications.
Note: You can use the Pnputil.exe tool to add a driver to the Windows 8 driver store manually.
Windows 8 reads this information when the device is attached to the computer, and then completes the configuration so that the device works properly with the other installed devices. Properly implemented, Plug and Play provides automatic configuration of PC hardware and devices. The driver architecture for Windows supports comprehensive, operating system-controlled Plug and Play. Plug and Play technologies are defined for Institute of Electrical and Electronics Engineers 1394 (IEEE 1394), Peripheral Component Interconnect (PCI), PC Card/CardBus, USB, Small Computer System Interface (SCSI), Advanced Technology Attachment (ATA), Industry Standard Architecture (ISA), Line Print Terminal (LPT), and Component Object Model (COM). You can use Device Manager to manually install device drivers that are not compliant with Plug and Play.
Windows 8 introduces several improvements to the way that users can discover and use the devices that their computers host and that connect to their computers. Windows 8 can detect nearby devices in the home, automatically making them available for use. Windows 8 also can install a Metro style device app automatically from the Windows Store when users connect their device for the first time. Metro style device apps that are companions to a device or PC have the ability to leverage the full range of functionality of that device or PC.
- Staging driver packages in the protected driver store. A standard user, without any special privileges or permissions, can install a driver package that is in the driver store.
- Configuring client computers to search a specified list of folders automatically when a new device attaches to the computer. A network share can host these folders. When a device driver is accessible in this manner, Windows does not need to prompt the user to insert media. Because any package found in these folders can be offered for installation, restrict write access on the share to the administrators who publish driver packages.
Rebooting the system is rarely necessary when installing Plug and Play devices or software applications, for the following reasons:
o The Plug and Play Manager installs and configures drivers for Plug and Play devices while the operating system is running.
o Applications can use side-by-side components instead of replacing shared, in-use dynamic-link libraries (DLLs).
These features improve the user experience and reduce help-desk support costs, because standard users can install approved driver packages without requiring additional permissions or the administrator assistance. These features also help increase computer security by ensuring that standard users only can install driver packages that you authorize and trust.
When a user inserts a device, Windows detects it, and then signals the Plug and Play service to make the device operational. Plug and Play queries the device for identification strings, and searches the driver store for a driver package that matches the identification strings. If a matching package is found, Plug and Play copies the device driver files from the driver store to their operational locations, typically %systemroot%\System32\drivers, and then updates the registry as needed. Finally, Plug and Play starts the newly installed device driver. If a matching package is not found in the driver store, Windows searches for a matching driver package by looking in the following locations:
- Folders specified by the DevicePath registry entry.
- The Windows Update website.
- Media or a manufacturer's website that is provided after the system prompts the user.
Windows also checks that the driver package has a valid digital signature. If the driver package is signed by a certificate that is valid, but which is not found in the Trusted Publishers store, Windows prompts the user for confirmation. Staging the device driver packages in this manner provides significant benefits. After a driver package is staged successfully, any user that logs on to that computer can install the drivers by simply plugging in the appropriate device.
Devices that are not compatible with Plug and Play are becoming increasingly rare as manufacturers stop producing them in favor of Plug and Play devices. The term non-Plug and Play typically applies to older pieces of equipment with devices that require manual configuration of hardware settings before use. To view non-Plug and Play devices, in Device Manager, click the View menu, click Show hidden devices, and then expand Non-Plug and Play Drivers.
To add a driver, use the -a parameter to specify the path and name of the driver, for example, pnputil -a <PathToDriver>\<Driver>.inf. Windows validates that the signature attached to the package is valid, that the files are unmodified, and that the file thumbprints match the signature.
After adding a driver, note the assigned number. Drivers are renamed oem*.inf during the addition to ensure unique naming. For example, the file MyDriver1.inf may be renamed oem0.inf. You can view the published name by using the -e parameter, for example pnputil -e.
Typically, you do not need to uninstall a Plug and Play device. Just disconnect or unplug the device so that Windows does not load or use the driver.
The following table lists the options available with pnputil.exe:
Option
    Description
-a <PathToDriver>\<Driver>.inf
    Add the driver package specified by <PathToDriver>\<Driver>.inf to the driver store.
-a <PathToDriver>\*.inf
    Add all the driver packages in the specified path.
-i -a <PathToDriver>\<Driver>.inf
    Add and install the driver package specified by <PathToDriver>\<Driver>.inf to the driver store.
-e
    Enumerate all third-party driver packages.
-d OEM<#>.inf
    Delete the driver package specified by OEM<#>.inf.
-f -d OEM<#>.inf
    Force the deletion of the driver package specified by OEM<#>.inf.
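The staging step above, as an added example (not code from the course) run from an elevated PowerShell prompt: it stages a package with pnputil -a, then parses pnputil -e to recover the oem<N>.inf name that Windows assigned and the signer of each staged package. The driver path is an assumed value, and the parser assumes the Windows 8 text layout of pnputil -e (records separated by blank lines, fields such as "Published name :" and "Signer name :").

```powershell
# Added example: stage a driver package and enumerate the driver store.

function Add-StagedDriver {
    param([Parameter(Mandatory)][string]$InfPath)   # e.g. 'C:\Drivers\MyDriver1.inf' (assumed)

    if (-not (Test-Path $InfPath)) { throw "No such .inf: $InfPath" }
    # Stage only (-a). Windows validates the .cat signature and file thumbprints
    # before accepting the package; an unsigned package is rejected or prompts.
    # Use '-i -a' instead to install on matching devices immediately.
    $out = & pnputil.exe -a $InfPath 2>&1
    if ($LASTEXITCODE -ne 0) { throw "pnputil -a failed ($LASTEXITCODE):`n$($out -join "`n")" }
    $out
}

function Get-StagedDriver {
    # Turn the blank-line-separated records of 'pnputil -e' into objects whose
    # property names are the field labels ('Published name', 'Signer name', ...).
    $records = @(); $cur = @{}
    foreach ($line in (& pnputil.exe -e)) {
        if ($line -match '^\s*(?<k>[^:]+?)\s*:\s*(?<v>.*)$') {
            $cur[$Matches.k] = $Matches.v.Trim()
        } elseif ($cur.Count -gt 0) {
            $records += [pscustomobject]$cur; $cur = @{}
        }
    }
    if ($cur.Count -gt 0) { $records += [pscustomobject]$cur }
    $records
}

function Remove-StagedDriver {
    param([Parameter(Mandatory)][string]$PublishedName, [switch]$Force)  # e.g. 'oem5.inf'
    $args = if ($Force) { @('-f', '-d', $PublishedName) } else { @('-d', $PublishedName) }
    $out = & pnputil.exe @args 2>&1
    if ($LASTEXITCODE -ne 0) { throw "pnputil -d failed ($LASTEXITCODE):`n$($out -join "`n")" }
    $out
}

# Usage (assumed paths and names):
Add-StagedDriver -InfPath 'C:\Drivers\MyDriver1.inf'
# Packages whose signer is not a Microsoft publisher: vendor-signed or self-signed.
Get-StagedDriver | Where-Object { $_.'Signer name' -notlike 'Microsoft*' } |
    Format-Table 'Published name', 'Driver package provider', 'Class', 'Signer name' -AutoSize
```

The signer filter is the practical follow-up to staging: pnputil -e is the quickest way to see which third-party packages on a computer were accepted under a vendor's own certificate rather than a Microsoft signature, and a package that is in use by a device will not delete without -f.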
Windows 8 introduces Metro style device apps. Metro style device apps build on the plug-and-play experience from Windows 7. Using these apps, device manufacturers can deliver an app that is paired with their device and automatically downloaded to the user the first time the device is connected. Providing a Metro style device app gives hardware developers a unique opportunity to showcase device functionality.
- View a list of installed devices: View all devices that are currently installed, based on their type, by their connection to the computer, or by the resources they use. This device list is re-created after every system restart or dynamic change.
- Uninstall a device: Uninstall the device driver, and remove the driver software from the computer.
- Enable or disable devices: If you want a device to remain attached to a computer without being enabled, you can disable the device instead of uninstalling it. Disable is different from uninstall, because only the drivers are disabled and the hardware configuration is not changed.
- Troubleshoot devices: Determine whether the hardware on your computer is working properly. If a device is not operating correctly, it may be listed as Unknown Device, with a yellow question mark next to it.
- Update device drivers: If you have an updated driver for a device, you can use Device Manager to apply the updated driver.
- Roll back drivers: If you experience system problems after updating a driver, you can roll back to the previous driver by using driver rollback. Using this feature, you can reinstall the last device driver that was functioning before the installation of the current device driver.
You can use Device Manager to manage devices only on a local computer. On a remote computer, Device Manager works in read-only mode. This means that you can view, but not change, that computer's hardware configuration. Device Manager is accessible in the Hardware and Sound category in Control Panel.
Hidden Devices
The most common type of hidden device is for non-Plug and Play devices and network adapters. To view hidden devices in Device Manager, click View, and then click Show hidden devices.
Devices and Printers includes the following:
- All devices plugged into a USB port on the computer, such as flash drives, webcams, keyboards, and mice.
- All printers, whether they are connected by USB cable, the network, or wirelessly.
- Bluetooth and Wireless USB devices.
- The computer itself.
- Network-enabled scanners or media extenders.
Devices and Printers does not include the following:
- Devices such as internal hard drives, disc drives, sound cards, video or graphics cards, memory, processors, and other internal computer components.
- Speakers connected to the computer with conventional speaker wires.
- Older devices, such as mice and keyboards that connect to the computer through a PS/2 or serial port.
In Devices and Printers, a multifunction printer shows and can be managed as one device instead of individual printer, scanner, or fax device. In Device Manager, each individual component of a multifunction printer is displayed and managed separately.
PC Settings
A new option with Windows 8 is the PC Settings tool. To access this tool, open the Start menu from the right corner of the screen, and then click More PC Settings. In the left pane of that tool, click Devices to add devices or remove devices that are already installed.
Device Stage
Device Stage provides users with a new way to access devices and advanced options for managing them. Devices in use are shown with a photo-realistic icon. This icon can include quick access to common device tasks and status indicators that let users quickly discern battery status, device synchronization status, remaining storage capacity, and other information. Device makers can customize this experience to highlight device capabilities and branding, and can include links to product manuals, additional applications, community information and help, or additional products and services. The entire Device Stage experience remains current. Graphics, task definitions, status information, and links to websites are distributed to computers by using the Windows Metadata Information Service (WMIS).
Additional Reading: For a list of Device Stage experiences, go to http://msdn.microsoft.com/en-us/windows/hardware/br259108.
Dynamic Update is a feature that works with Windows Update to download any critical fixes and device drivers that are required during the setup process. Dynamic Update downloads new drivers for devices that are connected to the computer and are required to run Setup. This feature updates the required Setup files and improves the process so that you can get started successfully with Windows 8. Dynamic Update downloads the following types of files:
- Critical updates: Dynamic Update replaces files from the Windows 8 operating system DVD that require critical fixes or updates. Dynamic Update also replaces DLLs that Setup requires. The only files that are downloaded are those that replace existing files. No new files are downloaded.
- Device drivers: Dynamic Update only downloads drivers that are not included on the operating system CD or DVD. Dynamic Update does not update existing drivers, but you can obtain these by connecting to Windows Update after Setup is complete.
When updated device drivers are required, Microsoft is working to ensure that you can get them directly from Windows Update or from device manufacturer websites. Check Windows Update first to update drivers after they are installed. If the updated device driver is not available through Windows Update, find the latest version of the device driver by any of the following methods:
- Visit the computer manufacturer's website for an updated driver.
- Visit the hardware manufacturer's website.
- Search the Internet by using the device name.
You can perform manual device updates in Device Manager. To manually update the driver used for a device, follow these steps in Device Manager:
1. Double-click the type of device you want to update.
2. Right-click the device, and then click Update Driver Software.
3. Follow the instructions in the Update Driver Software Wizard.
Windows 8 also includes several enhancements to the upgrade experience, including a load driver feature. If an upgrade is blocked due to incompatible or missing drivers that are required for the system to boot, you can use this feature to load a new or updated driver from the Compatibility Report, and continue with the upgrade.
Adm ministrators an nd end users who w are installin ng Win ndows-based software s can use digital signa atures to verify y that a legitim mate publisher r has provided d the soft tware package. It is an electr ronic security mark m that indic cates the publisher of the so oftware and if som meone has changed the drive er packages original conten ts. If a publish her signs a driv ver, you can be e confident that the e driver comes s from that pub blisher and ha as not been alt tered.
A digital signature e uses the organization's dig gital certificate e to encrypt sp pecific details a about the pack kage. The encrypted inf formation in a digital signatu ure includes a thumbprint fo or each file inc cluded with the e package. A specia al cryptographic algorithm re eferred to as a hashing algorithm generates this thumbp print. The algorithm gen nerates a code e that only that files content ts can create. C Changing a sin ngle bit in the file changes the thum mbprint. After the t thumbprin nts are generat ted, they are c combined toge ether into a catalog, and then encrypte ed. Note: 64-bi it Windows 8 versions v requir re that all drive ers be signed.
our organizatio on has a Softw ware Publishing g Certificate, y you can use tha at to add your r own digital If yo sign nature to drive ers that you have tested and that you trust t. If you experi ence stability problems after you install a new hardware device, an a unsigned de evice driver m ight be the cause.
You can use Sigverif.exe (File Signature Verification) to check whether unsigned device drivers are present in the system area of a computer. Sigverif.exe writes the results of the scan to a log file (Sigverif.txt in the Windows folder) that includes the system file, the signature file, and the signature file's publisher. The log file lists any unsigned device drivers as unsigned. You can then choose whether to remove the unsigned drivers. To remove an unsigned device driver, follow these steps:
1. Run Sigverif.exe to scan for unsigned drivers, and then review the resulting log file.
2. Create a temporary folder for storing the unsigned drivers.
3. Manually move any unsigned drivers from systemroot\System32\Drivers into the temporary folder.
4. Disable or uninstall the associated hardware devices.
5. Restart the computer.
If this resolves the problem, try to obtain a signed driver from the hardware vendor, or replace the hardware with a device that is Windows 8-capable.
You can obtain a basic list of signed and unsigned device drivers from a command prompt by running the driverquery command with the /si switch.
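The driverquery /si output is plain text, which is awkward to act on. The following PowerShell script is an added example, not part of the course: it collects the unsigned-package list from driverquery as objects and, independently, checks the Authenticode signature on every .sys binary in the driver folder, so the two views can be compared. It assumes Windows 8 or later with PowerShell 3.0+ and an elevated prompt; the function name and the output shape are the example's own.

```powershell
# Added example (not from the course): audit installed device drivers for missing signatures.
# Assumes Windows 8+ / PowerShell 3.0+, run elevated so driverquery can read every INF.

function Get-UnsignedDriverReport {
    [CmdletBinding()]
    param(
        # Folder holding kernel-mode driver binaries; the default is the live system store.
        [string]$DriverFolder = (Join-Path $env:SystemRoot 'System32\drivers')
    )

    # 1. driverquery /si reports, per installed driver, whether its package is signed.
    #    /fo csv produces a header row, so ConvertFrom-Csv gives named properties.
    $packages         = driverquery /si /fo csv | ConvertFrom-Csv
    $unsignedPackages = $packages | Where-Object { $_.IsSigned -eq 'FALSE' }

    # 2. Independently check the Authenticode signature of each .sys binary.
    #    Caveat: inbox drivers are usually catalog-signed rather than embedded-signed, so
    #    older PowerShell builds may report them as NotSigned here. Treat this list as a
    #    lead to confirm with sigverif, not as proof that a driver is unsigned.
    $binaries = Get-ChildItem -Path $DriverFolder -Filter '*.sys' -File -ErrorAction SilentlyContinue |
        Get-AuthenticodeSignature |
        Where-Object { $_.Status -ne 'Valid' } |
        Select-Object Path, Status,
            @{ n = 'Signer'; e = { if ($_.SignerCertificate) { $_.SignerCertificate.Subject } else { '(none)' } } }

    [pscustomobject]@{
        UnsignedPackages = @($unsignedPackages | Select-Object DeviceName, InfName, Manufacturer)
        SuspectBinaries  = @($binaries)
    }
}

$report = Get-UnsignedDriverReport
"Unsigned driver packages reported by driverquery /si: $($report.UnsignedPackages.Count)"
$report.UnsignedPackages | Format-Table -AutoSize
"Driver binaries without a valid embedded signature: $($report.SuspectBinaries.Count)"
$report.SuspectBinaries | Format-Table -AutoSize
```

A driver that appears in both lists deserves attention; one that appears only in the second list is most often catalog-signed, and Sigverif.exe (which understands catalogs) is the right tie-breaker.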
Co onfiguring Windows 8
Note: Some hardware vendors use their own digital signatures so that drivers can have a valid digital signature, even if Microsoft has not tested them. The Sigverif report lists the signer for each signed driver. This can help you identify problem drivers issued by particular vendors.
Because device driver software runs as part of the operating system, it is critical that only known and authorized device drivers are permitted to run. Signing and staging device driver packages on client computers provides the following benefits:
Improved security: You can allow standard users to install approved device drivers without compromising computer security or requiring help-desk assistance.
Reduced support costs: Users can install only devices that your organization has tested and is prepared to support. Therefore, you maintain the security of the computer while you simultaneously reduce the demands on the help desk.
Better user experience: A driver package that is staged in the driver store works automatically when the user plugs in the device. Alternatively, driver packages placed on a shared network folder can be discovered whenever the operating system detects a new hardware device. In both cases, the user is not prompted before installation.
On each computer, Windows maintains a store for digital certificates. As the computer administrator, you can add certificates from trusted publishers. If a package is received for which a matching certificate cannot be found, Windows requires confirmation that the publisher is trusted. By placing a certificate in the Trusted Publishers certificate store, you inform Windows that packages signed by that certificate are trusted.
You can use Group Policy to deploy the certificates to client computers. With Group Policy, you can have the certificate automatically installed on all managed computers in a domain, organizational unit, or site.
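On a single computer, the same trust decision can be made and verified from PowerShell. The script below is an added example, not the course's own: it imports a publisher certificate into the local machine's Trusted Publishers store, then checks that a driver package's catalog is signed by exactly that publisher. The file paths vendor-publisher.cer and driver\point64.cat are placeholders. It assumes Windows 8 or later (the PKI module's Import-Certificate cmdlet) and an elevated prompt.

```powershell
# Added example (not from the course): trust a driver publisher locally and confirm that a
# driver package's catalog carries that publisher's signature. Paths below are placeholders.
$certPath    = '.\vendor-publisher.cer'     # exported publisher certificate (assumed)
$catalogPath = '.\driver\point64.cat'       # signed catalog of the driver package (assumed)

# A signed package installs silently only when its signing certificate is in
# LocalMachine\TrustedPublisher and the certificate chain ends in a trusted root.
$imported = Import-Certificate -FilePath $certPath -CertStoreLocation 'Cert:\LocalMachine\TrustedPublisher'

# Read the catalog's signature and compare the signer with what is now in the store.
$sig         = Get-AuthenticodeSignature -FilePath $catalogPath
$signerThumb = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
$inStore     = Get-ChildItem 'Cert:\LocalMachine\TrustedPublisher' |
    Where-Object { $_.Thumbprint -eq $signerThumb }

[pscustomobject]@{
    Catalog         = $catalogPath
    SignatureStatus = $sig.Status          # Valid, NotSigned, UnknownError (chain not trusted), ...
    Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    SignerTrusted   = [bool]$inStore
    ImportedThumb   = $imported.Thumbprint
}

# Domain-wide, deploy the same certificate with Group Policy under
# Computer Configuration > Policies > Windows Settings > Security Settings >
# Public Key Policies > Trusted Publishers.
```

SignatureStatus of UnknownError with a non-empty Signer usually means the publisher certificate is present but its issuing chain is not trusted; the issuer's certificate then belongs in the Trusted Root or Intermediate store, not in Trusted Publishers.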
Note: Rolling back a driver can cause the loss of new functionality, and can reintroduce problems that the newer version addressed.
Note: The Roll Back Driver button is available only if a previous version of the driver was installed. If the current driver for the device is the only one that has ever been installed on the computer, the Roll Back Driver button is not available.
System Restore
In rare cases, after you install a device or update a driver for a device, the computer may not start. This problem may occur in the following situations:
The new device or the driver conflicts with other drivers that are installed on the computer.
A hardware-specific issue occurs.
The driver that is installed is damaged.
Sometimes, performing a driver rollback is not sufficient to recover from a computer problem. If you are unable to recover the computer by using driver rollback, consider using System Restore.
System Restore can be used when you want to retain all new data and changes to existing files, but still restore the system to a point when it was running well. Windows 8 lets you return your computer to the way it was at a previous point in time, without deleting any personal files. System Restore is reversible, because an undo restore point is created before the restore operation completes. During the restoration, a list appears showing the applications that will be removed or added. To restore a computer to a previous configuration by using System Restore, you can use:
Safe Mode.
Windows Recovery Environment (Windows RE).
Even the earliest versions of the Microsoft Windows NT operating system provided the Last Known Good Configuration option as a way of rolling the system back to a previous configuration. In Windows 8, startup-related and device-related configuration information is stored in the registry, specifically in the HKLM\SYSTEM hive. A series of control sets is stored beneath this hive, most notably CurrentControlSet and LastKnownGood; the values under the HKLM\SYSTEM\Select key record which numbered control set each of these names refers to. When you make a device configuration change to the computer, the change is stored in the CurrentControlSet key, in the appropriate registry subkey and value. After you restart the computer and successfully log on, Windows synchronizes the CurrentControlSet key with the LastKnownGood key.
However, if you experience a startup problem after a device configuration change and do not log on, the two control sets are out of sync, and the LastKnownGood key still contains the previous configuration. To use Last Known Good Configuration, restart the computer without logging on, press F8 during the boot sequence to access the Advanced Boot Options menu, and then select Last Known Good Configuration (advanced) from the list. Note: Windows 8 does not show the legacy F8 menu by default; to restore it, run bcdedit /set {default} bootmenupolicy legacy from an elevated command prompt.
If you have a hardware problem, the cause could be the hardware or a device driver. Fortunately, the process to update device drivers to a newer version is straightforward. Alternatively, you can roll back device drivers to an older version, or reinstall them. Troubleshooting hardware problems often starts with troubleshooting device drivers. To identify a device driver problem, answer the following questions:
Did you recently upgrade the device driver or other software related to the hardware? If so, roll back the device driver to the previous version.
Are you experiencing occasional problems, or is the device not compatible with the current version of Windows? If so, upgrade the device driver.
Did the hardware suddenly stop working? If so, upgrade the device driver. If that does not solve the problem, reinstall the device driver. If the problem continues, troubleshoot the hardware itself.
This demonstration shows how to update a device driver and then uninstall that driver update. You also will install a driver into the driver store. This demonstration requires two machine restarts.
Expand Keyboards and update the Standard PS/2 Keyboard driver to the PC/AT Enhanced PS/2 Keyboard (101/102 Key) driver. Reboot the computer when prompted.
Verify you have successfully uninstalled the PC/AT Enhanced PS/2 Keyboard (101/102 Key) driver. Close Computer Management.
You are going to test a standard user's ability to install drivers, and then install a driver into the protected driver store so that users will be able to install it.
Objectives
Install and configure a new driver. Uninstall a driver.
Lab Setup
Estimated Time: 10 minutes
Virtual Machine(s): 20687A-LON-DC1, 20687A-LON-CL2
User Name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. The required virtual machines should already be running from the preceding lab.
By default, standard users cannot install device drivers. When you know that certain Plug and Play devices will be used in your environment, you can preload (stage) the device drivers so that users can use the devices. The main task for this exercise is as follows:
Install a device driver into the protected store.
At the command prompt, type pnputil -a E:\Labfiles\Mod03\Intellipoint\ipoint\setup64\files\driver\point64\point64.inf, and then press Enter. Check the list of installed OEM drivers by typing pnputil -e, and then pressing Enter.
Results: At the end of this exercise, you will have installed a driver into the protected driver store.
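The two pnputil commands above stage the package and list the store, but they leave the verification to the eye. The following script is an added example, not part of the lab: it runs the same staging step, fails loudly on a non-zero exit code, and then confirms through the DISM module's Get-WindowsDriver cmdlet (Windows 8 and later) that the package is present in the driver store under its oemN.inf published name. The INF path is the lab's; change it for any other package. It assumes an elevated prompt.

```powershell
# Added example (not from the lab): stage a driver package and verify it is in the store.
# Assumes Windows 8+ and an elevated prompt. The INF path is the lab's; adjust as needed.
$infPath = 'E:\Labfiles\Mod03\Intellipoint\ipoint\setup64\files\driver\point64\point64.inf'

# pnputil -a copies the package into %SystemRoot%\System32\DriverStore and gives it a
# published name (oemN.inf). It only stages the package; a device binds to it when plugged in.
$output = & pnputil -a $infPath 2>&1
if ($LASTEXITCODE -ne 0) {
    throw "pnputil failed (exit code $LASTEXITCODE):`n$($output -join "`n")"
}

# Get-WindowsDriver -Online lists third-party packages in the store. OriginalFileName is the
# full path of the staged INF, so match on the INF file name we just added.
$infName = Split-Path -Path $infPath -Leaf
$staged  = Get-WindowsDriver -Online | Where-Object { $_.OriginalFileName -like "*\$infName" }

if (-not $staged) {
    throw "Package $infName was not found in the driver store after staging."
}

# Driver is the oemN.inf name that pnputil -e also shows and that pnputil -d removes.
$staged | Select-Object Driver, OriginalFileName, ProviderName, ClassName, Date, Version |
    Format-List
```

To undo the staging, pass the published name shown in the Driver column to pnputil -d (for example pnputil -d oem12.inf, where the number is whatever the store assigned).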
Expand Keyboards, and update the Standard PS/2 Keyboard driver to the PC/AT Enhanced PS/2 Keyboard (101/102 Key) driver. Reboot the computer when prompted.
Verify you have successfully uninstalled the PC/AT Enhanced PS/2 Keyboard (101/102 Key) driver. Close Computer Management.
Results: At the end of this exercise, you will have installed and uninstalled a device driver.
If you have a hardware problem, the hardware or a device driver may be causing it. Troubleshooting hardware problems often starts by troubleshooting device drivers.
Tools
The following table lists some of the tools available for managing hard disks and devices:

Tool: Defrag.exe
  Used for: Performing disk defragmentation tasks from the command line.
  Where to find it: Command prompt

Tool: Device Manager
  Used for: Viewing and updating hardware settings, and driver software for devices, such as internal hard drives, disc drives, sound cards, video or graphics cards, memory, processors, and other internal computer components.

Tool: (name not recoverable from the source)
  Used for: Helping users interact with devices and use the full functionality of the devices. Provides users a single location to find and manage all the devices connected to their Windows 8-based computers. Also provides quick access to device status, product information, and key functions, such as faxing and scanning, to enhance and simplify the customer experience with a Windows 8-connected device.

Tool: Optimize
  Used for: Rearranging fragmented data so that disks and drives can work more efficiently.
  Where to find it: In Windows Explorer, right-click a volume, click Properties, click the Tools tab, and then click Optimize.

Tool: Disk Management
  Used for: Managing disks and volumes, both basic and dynamic, locally or on remote computers.
  Where to find it: diskmgmt.msc

Tool: Diskpart.exe
  Used for: Managing disks, volumes, and partitions from the command line or from Windows PE.

Tool: Fsutil.exe
  Used for: Performing tasks that are related to FAT and NTFS file systems, such as managing reparse points, managing sparse files, or dismounting a volume.

Tool: Pnputil.exe
  Used for: Adding drivers to, and managing drivers in, the protected driver store.
Module 4
Configuring and Troubleshooting Network Connections
Contents:
Module Overview 1
Lesson 1: Configuring IPv4 Network Connectivity 2
Lesson 2: Configuring IPv6 Network Connectivity 9
Lesson 3: Implementing Automatic IP Address Allocation 16
Lab A: Configuring Network Connection 22
Lesson 4: Implementing Name Resolution 25
Lesson 5: Troubleshooting Network Connectivity 28
Lab B: Troubleshooting Network Connectivity 33
Module Review and Takeaways 36
Module Overview
Network connectivity is essential in today's business environment. An increasing number of computer users want to connect their computers to a network, whether they are part of a business network infrastructure, operate a home office, or need to share files and access the Internet.
The Windows 8 operating system provides enhanced networking functionality compared with earlier Microsoft Windows desktop operating systems, and it provides support for newer technologies.
Windows 8 implements both TCP/IP version 4 (IPv4) and TCP/IP version 6 (IPv6) by default. An understanding of both IPv4 and IPv6, and of the operating system's access capabilities, helps you configure and troubleshoot Windows 8 networking features.
Objectives
After completing this module, you will be able to:
Describe how to configure a local area network (LAN) connection with IPv4.
Describe how to configure a LAN connection with IPv6.
Explain the implementation of automatic IP address allocation.
Explain how to configure network connections.
Explain the methods for resolving computer names.
Explain the troubleshooting process for network connectivity problems.
Describe how to troubleshoot common network-related problems.
Lesson 1
IPv4 divides the address into four octets, as the following example shows:
11000000.10101000.00000001.11001000
To make IP addresses more readable, the binary representation of the address is typically shown in dotted-decimal form. For example:
192.168.1.200
The address, in conjunction with a subnet mask, identifies:
The computer's unique identity, which is the host ID.
The subnet on which the computer resides, which is the network ID.
This enables a networked computer to communicate with other networked computers in a routed environment.
The Internet Assigned Numbers Authority (IANA) organizes IPv4 addresses into classes, and the number of hosts on a network determines the required class of addresses. Class A through Class E are the names that IANA has specified for IPv4 address classes.
Classes A, B, and C are IP addresses that you can assign to host computers as unique IP addresses, while Class D is used for multicasting. Additionally, IANA reserves Class E for experimental use.
In complex networks, subnet masks might not be simple combinations of 255 and 0. Rather, you might subdivide one octet so that some of its bits are used for the network ID and some for the host ID. Because the mask then no longer falls on an octet (class) boundary, this is known as classless addressing, or Classless Inter-Domain Routing (CIDR). You use either more or less of the octet, and this type of subnetting uses a different notation, which the following example shows:
172.16.16.1/255.255.240.0
The following example shows the more common representation of classless IPv4 addressing:
172.16.16.1/20
The /20 is the prefix length: the number of leading bits in the mask that identify the network. This style is called CIDR notation; using prefixes of different lengths within one address block is called Variable Length Subnet Masking (VLSM).
Additional Reading: For additional information on CIDR, go to http://go.microsoft.com/fwlink/?LinkId=154437.
What Is a Subnet?
A subnet is a network segment, and one or more routers separate the subnet from the rest of the network. When your Internet service provider (ISP) assigns a network to a Class A, B, or C address range, you often must subdivide the range to match the network's physical layout. Subdividing enables you to break a large network into smaller, logical subnets.
When you subdivide a network into subnets, you must create a unique ID for each subnet, which you derive from the main network ID. To create subnets, you allocate some of the bits in the host ID to the network ID. By doing so, you can create more networks. By using subnets, you can:
Use a single Class A, B, or C network across multiple physical locations.
Reduce network congestion by segmenting traffic and reducing broadcasts on each segment.
Overcome limitations of current technologies, such as exceeding the maximum number of hosts that each segment can have.
When you use more bits for the subnet mask, you can have more subnets, but fewer hosts on each subnet. Using more bits than you need gives you more subnets, but it limits how many hosts you can have. Conversely, using fewer bits than you need allows a larger number of hosts, but limits how many subnets you can have. The number of subnets that n subnet bits provide is 2^n, so choose the smallest n for which 2^n is at least the number of subnets your network requires. The following table shows the number of subnets that you can create by using a specific number of bits.
Number of bits   Number of subnets
1                2
2                4
3                8
4                16
5                32
6                64
The mask's host bits determine how many hosts a subnet can support. The number of usable host addresses is 2^n - 2, where n is the number of host bits; the two addresses subtracted are the subnet (network) address and the broadcast address. Choose enough host bits that this result is at least the number of hosts the subnet needs; it is also the maximum number of hosts that you can configure on that subnet.
The following table shows how many hosts a Class C network has available based on the number of host bits.
Number of bits   Number of hosts
7                126
6                62
5                30
4                14
3                6
2                2
To determine subnet addresses quickly, use the value of the lowest set bit in the subnet mask. For example, if you subnet the network 172.16.0.0 by using 3 bits, the subnet mask is 255.255.224.0. The decimal 224 is 11100000 in binary, and its lowest set bit has a value of 32, so 32 is the increment between successive subnet addresses in the third octet. The following table shows examples of calculating subnet addresses.
Binary network number        Decimal network number
172.16.00000000.00000000     172.16.0.0
172.16.00100000.00000000     172.16.32.0
172.16.01000000.00000000     172.16.64.0
172.16.01100000.00000000     172.16.96.0
172.16.10000000.00000000     172.16.128.0
172.16.10100000.00000000     172.16.160.0
172.16.11000000.00000000     172.16.192.0
172.16.11100000.00000000     172.16.224.0
The following table shows examples of calculating host addresses.
Decimal network number   Host range
172.16.64.0              172.16.64.1 - 172.16.95.254
172.16.96.0              172.16.96.1 - 172.16.127.254
172.16.128.0             172.16.128.1 - 172.16.159.254
When a host delivers an IPv4 packet, it uses the subnet mask to determine whether the destination host is on the same network or on a remote network. If the destination host is on the same network, the local host delivers the packet directly. If the destination host is on a different network, the host transmits the packet to a router for delivery.
Note: The host determines the Media Access Control (MAC) address of the router, and addresses the router explicitly at the media access layer.
When a host on the network uses IPv4 to transmit a packet to a destination subnet, IPv4 consults the internal routing table to determine the appropriate router to ensure the packet reaches the destination subnet. If the routing table does not contain any routing information about the destination subnet, IPv4 forwards the packet to the default gateway. The host assumes that the default gateway holds the required routing information. In most cases, you can use a Dynamic Host Configuration Protocol (DHCP) server to assign the default gateway automatically to a DHCP client. This is more straightforward than manually assigning a default gateway on each host.
The pool of IPv4 addresses is becoming smaller, so IANA is reluctant to allocate superfluous IPv4 addresses. Technologies such as Network Address Translation (NAT) enable administrators to use a relatively small number of public IPv4 addresses, and at the same time enable local hosts to connect to remote hosts and services on the Internet.
IANA defines the following address ranges as private. Internet-based routers do not forward packets originating from, or destined to, these ranges.
Class   Mask             Range
A       10.0.0.0/8       10.0.0.0 - 10.255.255.255
B       172.16.0.0/12    172.16.0.0 - 172.31.255.255
C       192.168.0.0/16   192.168.0.0 - 192.168.255.255
Note: Request for Comments (RFC) 1918 defines these private address ranges, and RFC 3330 lists them alongside the other special-use IPv4 address ranges.
Question: Which of the following is not a private IP address?
a. 171.16.16.254
b. 192.16.18.5
c. 192.168.1.1
d. 10.255.255.254
You can configure IPv4 settings on a Windows 8 computer by using the Network and Sharing Center, the Netsh command-line tool, or Windows PowerShell cmdlets. To configure IPv4 by using Netsh, you can use the following example:
netsh interface ipv4 set address name="Local Area Connection" source=static addr=172.16.16.3 mask=255.255.255.0 gateway=172.16.16.1
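The subnet tables above and the private-range question both come down to the same few bit operations. The following PowerShell functions are an added example, not part of the course: they compute the mask, subnet count, host count, subnet addresses and host ranges for a chosen number of borrowed bits (reproducing the 172.16.0.0 / 3-bit tables from this lesson), and they test an address against the RFC 1918 ranges. Function names are the example's own; the math is pure address arithmetic and needs no network access.

```powershell
# Added example (not from the course): subnet arithmetic and a private-range test in PowerShell.
# Pure address math, runs on any Windows PowerShell 3.0+ session without touching the network.

function ConvertTo-UInt32Address ([string]$Address) {
    # Dotted-decimal -> 32-bit unsigned integer (most significant octet first).
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return [uint32](([uint64]$b[0] -shl 24) -bor ([uint64]$b[1] -shl 16) -bor ([uint64]$b[2] -shl 8) -bor [uint64]$b[3])
}

function ConvertFrom-UInt32Address ([uint32]$Value) {
    $octets = 24, 16, 8, 0 | ForEach-Object { ([uint64]$Value -shr $_) -band 255 }
    return ($octets -join '.')
}

function Get-MaskFromPrefix ([int]$PrefixLength) {
    # /20 -> 0xFFFFF000 -> 255.255.240.0
    if ($PrefixLength -le 0) { return [uint32]0 }
    return [uint32](([uint64]0xFFFFFFFF -shl (32 - $PrefixLength)) -band [uint64]0xFFFFFFFF)
}

function Get-SubnetPlan {
    param([string]$Network, [int]$PrefixLength, [int]$SubnetBits)
    # Borrowing $SubnetBits host bits yields 2^n subnets, each with 2^h - 2 usable hosts,
    # where h is the number of host bits that remain.
    $newPrefix = $PrefixLength + $SubnetBits
    $hostBits  = 32 - $newPrefix
    $base      = (ConvertTo-UInt32Address $Network) -band (Get-MaskFromPrefix $PrefixLength)
    $increment = [uint64][math]::Pow(2, $hostBits)     # value of the lowest set bit of the new mask

    $subnets = for ($i = 0; $i -lt [math]::Pow(2, $SubnetBits); $i++) {
        $net = [uint64]$base + ($i * $increment)
        [pscustomobject]@{
            Network   = (ConvertFrom-UInt32Address $net) + "/$newPrefix"
            FirstHost = ConvertFrom-UInt32Address ($net + 1)
            LastHost  = ConvertFrom-UInt32Address ($net + $increment - 2)
            Broadcast = ConvertFrom-UInt32Address ($net + $increment - 1)
        }
    }
    [pscustomobject]@{
        Mask           = ConvertFrom-UInt32Address (Get-MaskFromPrefix $newPrefix)
        SubnetCount    = [int][math]::Pow(2, $SubnetBits)
        HostsPerSubnet = [int]([math]::Pow(2, $hostBits) - 2)
        Subnets        = $subnets
    }
}

function Test-PrivateIPv4 ([string]$Address) {
    # The RFC 1918 ranges from the lesson's table.
    $ip = ConvertTo-UInt32Address $Address
    foreach ($cidr in '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16') {
        $net, $len = $cidr -split '/'
        $mask = Get-MaskFromPrefix ([int]$len)
        if (($ip -band $mask) -eq ((ConvertTo-UInt32Address $net) -band $mask)) { return $true }
    }
    return $false
}

# 172.16.0.0/16 subnetted with 3 bits, as in the lesson's tables.
$plan = Get-SubnetPlan -Network '172.16.0.0' -PrefixLength 16 -SubnetBits 3
"Mask $($plan.Mask): $($plan.SubnetCount) subnets, $($plan.HostsPerSubnet) usable hosts each"
$plan.Subnets | Format-Table -AutoSize

# The review question: which of these addresses are private?
'171.16.16.254', '192.16.18.5', '192.168.1.1', '10.255.255.254' |
    ForEach-Object { '{0,-16} private: {1}' -f $_, (Test-PrivateIPv4 $_) }
```

The FirstHost and LastHost columns are the host ranges from the lesson's second table; the Broadcast column is the address that 2^n - 2 leaves out together with the network address itself.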
The following table describes some of the Windows PowerShell cmdlets that you can use to view and configure IPv4 settings:
Cmdlet                       Description of IPv4 configuration use
New-NetIPAddress             Creates a new IP address on an interface, with its prefix length and optionally a default gateway
Set-NetIPAddress             Modifies an existing IP address and sets the subnet mask (prefix length)
Set-NetIPInterface           Enables or disables DHCP for an interface
Set-NetRoute                 Modifies routing table entries, including the default gateway (destination 0.0.0.0/0)
Set-DnsClientServerAddress   Configures the DNS servers that an interface uses
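The netsh line above, written with the NetTCPIP and DnsClient cmdlets instead. This is an added example, not the course's own: it disables DHCP on the interface, clears any existing IPv4 address and default route so the script can be re-run safely (New-NetIPAddress fails if the address already exists), sets the static address, gateway and DNS server, and then reads the result back as objects. The adapter name and addresses are the lesson's; the DNS server address 172.16.0.10 is assumed and not in the original text. Requires Windows 8 / Windows Server 2012 or later and an elevated prompt.

```powershell
# Added example (not from the course): static IPv4 configuration with PowerShell cmdlets.
# Assumes Windows 8+ and an elevated prompt. 172.16.0.10 as the DNS server is an assumption.
$alias   = 'Local Area Connection'
$address = '172.16.16.3'
$prefix  = 24                 # 255.255.255.0
$gateway = '172.16.16.1'
$dns     = '172.16.0.10'

# Disable DHCP first; otherwise a renewed lease can overwrite the static address.
$if = Get-NetIPInterface -InterfaceAlias $alias -AddressFamily IPv4
if ($if.Dhcp -eq 'Enabled') {
    Set-NetIPInterface -InterfaceAlias $alias -AddressFamily IPv4 -Dhcp Disabled
}

# Remove any existing IPv4 address and default route on this interface so the script is repeatable.
Get-NetIPAddress -InterfaceAlias $alias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceAlias $alias -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false

# Equivalent of: netsh interface ipv4 set address name=... source=static addr=... mask=... gateway=...
New-NetIPAddress -InterfaceAlias $alias -IPAddress $address -PrefixLength $prefix -DefaultGateway $gateway | Out-Null
Set-DnsClientServerAddress -InterfaceAlias $alias -ServerAddresses $dns

# Read the configuration back; this is the same view that ipconfig shows, as objects.
Get-NetIPConfiguration -InterfaceAlias $alias |
    Select-Object InterfaceAlias,
        @{ n = 'IPv4';    e = { $_.IPv4Address.IPAddress } },
        @{ n = 'Gateway'; e = { $_.IPv4DefaultGateway.NextHop } },
        @{ n = 'DNS';     e = { $_.DNSServer.ServerAddresses -join ', ' } }
```

Set-NetIPAddress, from the table, changes an address that already exists; New-NetIPAddress is the cmdlet that creates one, which is why the script removes the old address before adding the new one rather than trying to modify it in place.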
Demonstration
This demonstration shows how to configure an IPv4 address manually using the Network and Sharing Center.
In Network and Sharing Center, view the status of Local Area Connection. This window shows the same configuration information for this adapter as the ipconfig command. View the IPv4 configuration for Local Area Connection. You can configure the IP address, subnet mask, default gateway, and Domain Name System (DNS) servers in this window.
View the Advanced settings. In the Advanced TCP/IP Settings window, you can configure additional settings, such as additional IP addresses, DNS settings, and Windows Internet Name Service (WINS) servers for NetBIOS name resolution.
Question: When might you need to change a computer's IPv4 address?
Lesson 2
Though most networks to which you connect Windows 8-based computers currently provide IPv4 support, many also support IPv6. To connect computers that are running Windows 8 to IPv6-based networks, you must understand the IPv6 addressing scheme and the differences between IPv4 and IPv6.
Lesson Objectives
After completing this lesson, you will be able to:
Describe the benefits of implementing IPv6.
Describe how Windows 8 supports IPv6.
Describe the IPv6 address space.
List IPv6 address types.
Stateless and stateful address configuration: IPv6 can auto-configure addresses without DHCP, and it can discover router information so that hosts can access the Internet. This is stateless address configuration. Stateful address configuration is when you use the DHCPv6 protocol. Stateful configuration has two additional configuration levels: one in which DHCP provides all the information, including the IP address and configuration settings, and another in which DHCP provides only configuration settings.
Required support for Internet Protocol Security (IPsec): The IPv6 standards require support for the Authentication Header (AH) and Encapsulating Security Payload (ESP) headers that IPsec defines. Although IPsec does not mandate specific authentication methods and cryptographic algorithms, IPsec is defined from the start as the way to protect IPv6 packets.
Restored end-to-end communication: The global addressing model for IPv6 traffic means that translation between different types of addresses is not necessary, such as the translation done by NAT devices for IPv4 traffic. This simplifies communication because you do not need to use NAT devices for peer-to-peer applications, such as video conferencing.
Prioritized delivery: IPv6 contains fields in the packet header (Traffic Class and Flow Label) that let network devices determine that the packet should be processed at a specified rate. This enables traffic prioritization. For example, when you are streaming video traffic, it is critical that the packets arrive in a timely manner. You can set these fields to ensure that network devices determine that the packet delivery is time-sensitive.
Support for single-subnet environments: IPv6 has much better support for automatic configuration and operation on networks consisting of a single subnet. You can use this to create temporary ad-hoc networks through which you can connect and share information.
Extensibility: IPv6 has been designed so that you can extend it with far fewer constraints than IPv4.
Additional Reading: For more information on IPv6, go to http://go.microsoft.com/fwlink/?LinkId=154442.
DirectAccess enables remote users to access the corporate network any time they have an Internet connection, because it does not require a virtual private network (VPN). DirectAccess provides a flexible corporate network infrastructure to help you remotely manage and update user PCs both on and off the network. DirectAccess makes the end-user experience of accessing corporate resources over an Internet connection nearly indistinguishable from the experience of accessing those resources from a computer at work. DirectAccess uses IPv6 to provide globally routable IP addresses for remote access clients.
Windows 8 services, such as File Sharing and Remote Access, use IPv6 features, such as IPsec. This includes VPN Reconnect, which uses Internet Key Exchange version 2 (IKEv2), the key-negotiation protocol for IPsec. The Windows 8 operating system supports remote troubleshooting capabilities, such as Remote Assistance and Remote Desktop. Remote Desktop enables administrators to connect to multiple Windows Server sessions for remote administration purposes. IPv6 addresses can be used to make Remote Desktop connections. Both Remote Assistance and Remote Desktop use the Remote Desktop Protocol (RDP) to enable users to access files on their office computer from another computer, such as one located at their home.
The size of an address in IPv6 is four times larger than an IPv4 address (128 bits instead of 32). IPv6 addresses are expressed in hexadecimal (hex), as the following example shows:
2001:DB8:0:2F3B:2AA:FF:FE28:9C5A
This might seem complex for end users, but the assumption is that users will rely on DNS names to resolve hosts, meaning they will rarely type IPv6 addresses manually. The IPv6 address in hex is also easier to convert to binary. This simplifies working with subnets, and calculating hosts and networks.
In the hexadecimal numbering system (base 16), some letters represent numbers because there must be 16 unique symbols for each position. Because 10 symbols (0 through 9) already exist, six new symbols are needed for the hex system; hence A through F are used.
Note: Use the Windows Calculator in Windows 8 to work with hex and binary. Open Calculator, click the View menu, and then click Programmer. Type 16, and then click Hex. The calculator displays 10. This aspect of hexadecimal can be confusing: after hex 9, the next number is hex A (decimal 10), then B (decimal 11), and so on up to F (decimal 15). Notice that in Hex mode, the buttons A through F appear along the left of the number pad. In Hex mode, click F, and then click Dec. The result is decimal 15.
To convert an IPv6 binary address that is 128 bits in length, break it into eight groups of 16 bits, and convert each group into four hex characters by evaluating four bits at a time. Number each set of four binary digits 1, 2, 4, and 8, starting from the right and moving left. In [0010], the rightmost bit is assigned the value 1, the second bit the value 2, the third bit the value 4, and the leftmost bit the value 8. To derive the hexadecimal value for a set of four bits, add up the values assigned to the bits that are set to 1. In the example of 0010, the only bit that is set to 1 is the bit assigned the value 2; the rest are zero. The hex value of these bits is 2.
Binary                             0   0   1   0
Values of each binary position     8   4   2   1
Adding values where the bit = 1    0 + 0 + 2 + 0 = 2
The following example is a single IPv6 address in binary form. Note that the binary representation of the IP address is quite long. The following two lines of binary digits are one IP address:
0010000000000001000011011011100000000000000000000010111100111011
0000001010101010000000001111111111111110001010001001110001011010
The 128-bit address is divided along 16-bit boundaries (eight blocks of 16 bits), as the example shows:
0010000000000001 0000110110111000 0000000000000000 0010111100111011
0000001010101010 0000000011111111 1111111000101000 1001110001011010
Each block is further broken into sets of four bits. Applying the method described previously, convert the IPv6 address. The following table shows the binary and corresponding hexadecimal values for each set of four bits:
Binary                       Hexadecimal
[0010][0000][0000][0001]     [2][0][0][1]
[0000][1101][1011][1000]     [0][D][B][8]
[0000][0000][0000][0000]     [0][0][0][0]
[0010][1111][0011][1011]     [2][F][3][B]
[0000][0010][1010][1010]     [0][2][A][A]
[0000][0000][1111][1111]     [0][0][F][F]
[1111][1110][0010][1000]     [F][E][2][8]
[1001][1100][0101][1010]     [9][C][5][A]
Each 16-bit block is expressed as four hex characters, and the blocks are then delimited with colons. The result is as follows:
2001:0DB8:0000:2F3B:02AA:00FF:FE28:9C5A
You can simplify the IPv6 representation further by removing the leading zeros within each 16-bit block. However, each block must keep at least a single digit. With leading-zero suppression, the address representation becomes the following:
2001:DB8:0:2F3B:2AA:FF:FE28:9C5A
Compressing Zeros
When multiple contiguous zero blocks occur, you can compress them, and represent them in the address as a double colon (::). This simplifies the IPv6 notation. The computer recognizes ::, and substitutes it with the number of zero blocks necessary to make a complete IPv6 address. In the following example, the address is expressed using zero compression:
2001:DB8::2F3B:2AA:FF:FE28:9C5A
To determine how many 0 bits are represented by the ::, count the number of blocks in the compressed address, subtract this number from eight, and then multiply the result by 16. Using the previous example, there are seven blocks. Subtract seven from eight, and then multiply the result (one) by 16. Thus, there are 16 bits, or 16 zeros, in the address where the double colon is located.
Note: RFC 5952, the recommended text representation of IPv6 addresses, says :: should not be used to shorten a single 16-bit zero block and, where there are several zero runs, should replace the longest one. Windows accepts either form as input.
You can use zero compression only once in a given address. Otherwise, you cannot determine the number of 0 bits represented by each instance of a double colon (::). To convert an address into binary, reverse the method described previously:
1. Expand the zero compression by adding the missing zero blocks.
2. Add leading zeros to each block.
3. Convert each hex digit into its binary equivalent.
Global Unicast Addresses: These are equivalent to public IPv4 addresses. They are globally routable and reachable on the IPv6 portion of the Internet. The fields in the global unicast address are:
Fixed portion set to 001: The three high-order bits are set to 001. The address prefix for currently assigned global addresses is 2000::/3. Therefore, all global unicast addresses begin with 2 or 3.
Global Routing Prefix: This indicates the global routing prefix for a specific organization's site. The combination of the three fixed bits and the 45-bit Global Routing Prefix is used to create a 48-bit site prefix, which is assigned to an organization's individual site. Once the assignment occurs, routers on the IPv6 Internet forward IPv6 traffic that matches the 48-bit prefix to the organization's site routers.
Subnet ID: Use this within an organization's site to identify subnets. This field's size is 16 bits. The organization's site can use these 16 bits to create 65,536 subnets, or multiple levels of addressing hierarchy and an efficient routing infrastructure.
Interface ID: Indicates the interface on a specific subnet within the site. This field's size is 64 bits. This is either randomly generated or assigned by DHCPv6. In the past, it was based on the MAC address of the network interface card to which the address was bound.
Link-Local Addresses: Hosts use link-local addresses when communicating with neighboring hosts on the same link. For example, on a single-link IPv6 network with no router, hosts communicate by using link-local addresses. Link-local addresses are local-use unicast addresses with the following properties:
Link-local addresses are used between on-link neighbors and for Neighbor Discovery processes. This enables a computer to request further IPv6 configuration information from IPv6 routers and IPv6 DHCP servers. Link-local is the equivalent of Automatic Private IP Addressing (APIPA) addresses in IPv4.
Link-local addresses always begin with FE8. With the 64-bit interface identifier, the prefix for link-local addresses is always FE80::/64. An IPv6 router never forwards link-local traffic beyond the link.
IPv6 link-local addresses are equivalent to IPv4 APIPA addresses. When a DHCP server fails, APIPA allocates addresses in the private range 169.254.0.1 to 169.254.255.254. Clients verify that their address is unique on the LAN by using ARP. When the DHCP server is able to service requests, clients update their addresses automatically. Other characteristics of link-local addresses include:
Link-local addresses always begin with FE80.
An APIPA address is assigned automatically to an IPv4 host. Use of this address restricts communication to the local subnet, and it is typically used when other suitable addresses are not available.
Unique local unicast addresses: Unique local addresses provide an equivalent to the private IPv4 address space for organizations, without the overlap in address space that occurs when organizations combine. The first seven bits have the fixed binary value of 1111110. All unique local addresses have the address prefix FC00::/7. The Local (L) flag is set to 1 to indicate a local address. The L flag value set to 0 has not yet been defined. Therefore, unique local addresses with the L flag set to 1 have the address prefix FD00::/8. The next 40 bits must be randomly assigned to give the resulting 48-bit unique local prefix relative uniqueness between organizations.
Multicast: An IPv6 multicast is equivalent to an IPv4 multicast address. You use this address type for one-to-many communication between computers that you define as using the same multicast address.
Anycast: An anycast address is an IPv6 unicast address that is assigned to multiple computers. When IPv6 traffic is addressed to an anycast address, only the closest host responds. You typically use this address type for locating services or the nearest router.
In IPv4, you typically assign a single host with a single unicast address. However, in IPv6, you can assign multiple unicast addresses to each host. To verify communication processes on a network, you must know for what purposes IPv6 uses each of these addresses.
Interface Identifiers
The last 64 bits of an IPv6 address are the interface identifier. This is equivalent to the host ID in an IPv4 address. Each interface on an IPv6 network must have a unique interface identifier. Because the interface identifier is unique to each interface, IPv6 uses the interface identifier rather than MAC addresses to identify hosts uniquely.
The Windows 8 environment uses Extended Unique Identifier (EUI)-64 addresses, which the Institute of Electrical and Electronics Engineers, Inc. (IEEE) defines. Gigabit adapters use an EUI-64 address in place of a MAC address. Network adapters using a MAC address generate an EUI-64 address by padding the 48-bit MAC address with additional information. To preserve privacy in network communication, generate an interface identifier rather than use the network adapter's hardware address. To assign an interface identifier, IPv6 hosts can use the following:
A randomly generated temporary identifier.
A randomly generated permanent identifier.
A manually assigned identifier.
Windows 8 uses randomly generated permanent interface identifiers by default, but you can disable this with the netsh tool.
Additional Reading: For more information on IPv6 address types, go to http://go.microsoft.com/fwlink/?LinkId=154445.
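The address types and the EUI-64 derivation described above, worked through in code. This is an added example and not part of the course material; the sample MAC and addresses are constructed, and the link-local match uses the reserved FE80::/10 range, which contains the FE80::/64 prefix the text gives.

```python
"""Classify IPv6 addresses by the prefixes described above, split a global
unicast address into its fields, and derive the EUI-64 interface identifier
from a 48-bit MAC (and recover the MAC from it, which is why Windows defaults
to randomly generated identifiers).

Added example, not part of the course text.  Sample addresses and the MAC
used in the docstrings are constructed."""
import ipaddress
from typing import Dict, Optional

# Prefix table built from the address types described above.  The course text
# gives link-local as FE80::/64; FE80::/10 is the reserved range that the /64
# prefix falls inside.  The most specific matching entry wins.
ADDRESS_TYPES = [
    ("unspecified", ipaddress.IPv6Network("::/128")),
    ("loopback", ipaddress.IPv6Network("::1/128")),
    ("link-local", ipaddress.IPv6Network("fe80::/10")),
    ("unique-local", ipaddress.IPv6Network("fc00::/7")),
    ("multicast", ipaddress.IPv6Network("ff00::/8")),
    ("global-unicast", ipaddress.IPv6Network("2000::/3")),
]


def classify(address: str) -> str:
    """Return the address type name, or 'reserved' for anything outside the table."""
    addr = ipaddress.IPv6Address(address)
    best_name, best_len = "reserved", -1
    for name, net in ADDRESS_TYPES:
        if addr in net and net.prefixlen > best_len:
            best_name, best_len = name, net.prefixlen
    return best_name


def global_unicast_fields(address: str) -> Dict[str, object]:
    """Split a global unicast address into the fields listed above:
    3 fixed bits (001), 45-bit global routing prefix, 16-bit subnet ID and
    64-bit interface ID.  The first 48 bits together form the site prefix."""
    if classify(address) != "global-unicast":
        raise ValueError(f"{address} is not a global unicast address")
    bits = int(ipaddress.IPv6Address(address))
    site = ipaddress.IPv6Network(((bits >> 80) << 80, 48))
    return {
        "fixed_bits": bits >> 125,                              # always 0b001
        "global_routing_prefix": (bits >> 80) & ((1 << 45) - 1),
        "site_prefix": str(site),
        "subnet_id": (bits >> 64) & 0xFFFF,
        "interface_id": bits & ((1 << 64) - 1),
    }


def eui64_from_mac(mac: str) -> str:
    """Modified EUI-64 interface identifier from a 48-bit MAC: insert FF:FE
    between the OUI and the device part, and flip the universal/local bit
    (bit 1 of the first octet).  Returns four hex groups, e.g. 021c:42ff:feab:cdef."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("a MAC address is 48 bits (6 octets)")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return ":".join(f"{iid[i]:02x}{iid[i + 1]:02x}" for i in range(0, 8, 2))


def link_local_from_mac(mac: str) -> str:
    """Link-local address (FE80::/64 prefix) with an EUI-64 derived identifier."""
    return str(ipaddress.IPv6Address("fe80::" + eui64_from_mac(mac)))


def mac_from_eui64(address: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 derived address, or None when the interface
    identifier is not EUI-64 shaped (for example a randomly generated one).
    This is the privacy exposure that random identifiers avoid."""
    iid = (int(ipaddress.IPv6Address(address)) & ((1 << 64) - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{x:02x}" for x in mac)


if __name__ == "__main__":
    for sample in ("2001:db8:1234:5678::1", "fe80::1", "fd12:3456:789a::1", "ff02::1"):
        print(sample, classify(sample))
    print(link_local_from_mac("00:1c:42:ab:cd:ef"))
```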
As with IPv4, you can configure Windows 8 IPv6 settings by using the Network and Sharing Center, Netsh, or Windows PowerShell.
This demonstration shows how to configure an IPv6 address manually using Network and Sharing Center.
1. If necessary, log on to the computer as administrator, and then open a command prompt.
2. View the current IPv6 configuration by using the IPConfig.exe /all command. This displays all network connections for the computer. Notice that a link-local IPv6 address has been assigned.
3. In Network and Sharing Center, view the Local Area Connection properties, and then view the IPv6 settings for the selected network connection. You can configure the IPv6 address, subnet prefix length, default gateway, and DNS servers in this window.
4. View the Advanced settings, and then close the open windows.
Question: Do you typically assign IPv6 addresses manually to a computer?
Lesson 3
Static configuration requires that you visit each computer and input the IPv4 configuration. This method of computer management is time-consuming if your network has more than 10 to 12 computers. Additionally, making a large number of manual configurations heightens the risk of mistakes.
DHCPv4
DHCPv4 enables you to assign automatic IPv4 configurations for large numbers of computers without having to assign each one individually. The DHCP service receives requests for IPv4 configuration from computers that you configure to obtain an IPv4 address automatically. It also assigns IPv4 information from scopes that you define for each of your network's subnets. The DHCP service identifies the subnet from which the request originated, and assigns IP configuration from the relevant scope. DHCP helps to simplify the IP configuration process, but you must be aware that if you use DHCP to assign IPv4 information and the service is business-critical, you must do the following:
Include resilience in your DHCP service design so that the failure of a single server does not prevent the service from functioning.
Configure the scopes on the DHCP server carefully. If you make a mistake, it can affect the whole network, and it can prevent communication.
When you configure Windows 8 computers to obtain an IPv4 address from DHCP, use the Alternate Configuration tab to control the behavior if a DHCP server is not available. By default, Windows 8 uses APIPA to assign itself an IP address automatically from the 169.254.0.0 to 169.254.255.255 address range. This enables you to use a DHCP server at work and the APIPA address range at home without reconfiguring IP settings. Additionally, this is useful for troubleshooting DHCP. If the computer has an address from the APIPA range, it is an indication that the computer cannot communicate with a DHCP server.
Tentative: Verification is occurring to determine if the address is unique. Duplicate address detection performs verification. A node cannot receive unicast traffic to a tentative address.
Valid: The address has been verified as unique, and can send and receive unicast traffic.
Preferred: The address enables a node to send and receive unicast traffic.
Deprecated: The address is valid but its use is discouraged for new communication.
Invalid: The address no longer allows a node to send or receive unicast traffic.
A host also uses a stateful address configuration protocol when there are no routers present on the local link.
Both: Configuration is based on receipt of Router Advertisement messages and DHCPv6.
When IPv6 attempts to communicate with a DHCP server, it uses multicast IPv6 addresses to communicate with the DHCP server. This is different from IPv4, which uses broadcast IPv4 addresses. When a host obtains an IPv6 address from a DHCPv6 server, the following occurs:
1. The client sends a Solicit message to locate DHCPv6 servers.
2. The server sends an Advertise message to indicate that it offers IPv6 addresses and configuration options.
3. The client sends a Request message to a specific DHCPv6 server to request configuration information.
4. The selected server sends a Reply message to the client that contains the address and configuration settings.
When a client requests configuration information only, the following occurs:
1. The client sends an Information-request message.
2. A DHCPv6 server sends a Reply message to the client with the requested configuration settings.
Note: DHCPv6 is a service that provides stateful auto-configuration of IPv6 hosts. It can configure IPv6 hosts automatically with an IPv6 address and other configuration information such as DNS servers. This is equivalent to DHCPv4 for IPv4 networks.
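The two DHCPv6 exchanges just described, modelled with both sides' messages so that the multicast destination, the transaction ID matching and the server selection in the Request are visible. This is an added example, not course material; the server DUIDs, prefixes and DNS address are constructed placeholders.

```python
"""Model of the DHCPv6 exchanges described above: the four-message stateful
exchange (Solicit, Advertise, Request, Reply) and the two-message stateless
one (Information-request, Reply).  Added example, not part of the course
text; the server DUIDs, prefixes and DNS address are constructed placeholders."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
import ipaddress
import secrets

# Clients send to this well-known multicast group; there is no IPv6 broadcast.
ALL_DHCP_RELAY_AGENTS_AND_SERVERS = "ff02::1:2"


@dataclass
class Message:
    msg_type: str                  # Solicit, Advertise, Request, Reply, Information-request
    xid: int                       # transaction ID; a reply echoes the request's value
    dst: str                       # multicast group (to servers) or client DUID (to a client)
    options: Dict[str, str] = field(default_factory=dict)


class Dhcp6Server:
    def __init__(self, duid: str, prefix: str, dns: str):
        self.duid = duid
        self.network = ipaddress.IPv6Network(prefix)
        self.dns = dns
        self.leases: Dict[str, str] = {}      # client DUID -> assigned address

    def _lease_for(self, client_duid: str) -> str:
        if client_duid not in self.leases:    # stateful: hand out ::1, ::2, ... from the scope
            self.leases[client_duid] = str(self.network.network_address + len(self.leases) + 1)
        return self.leases[client_duid]

    def handle(self, msg: Message) -> Optional[Message]:
        if msg.dst != ALL_DHCP_RELAY_AGENTS_AND_SERVERS:
            return None                       # not addressed to DHCPv6 servers
        client = msg.options["client_duid"]
        if msg.msg_type == "Solicit":
            return Message("Advertise", msg.xid, client, {"server_duid": self.duid})
        if msg.msg_type == "Request":
            if msg.options.get("server_duid") != self.duid:
                return None                   # the client selected another server; stay silent
            return Message("Reply", msg.xid, client,
                           {"server_duid": self.duid, "address": self._lease_for(client), "dns": self.dns})
        if msg.msg_type == "Information-request":
            return Message("Reply", msg.xid, client, {"server_duid": self.duid, "dns": self.dns})
        return None


class Dhcp6Client:
    def __init__(self, duid: str):
        self.duid = duid
        self.address: Optional[str] = None
        self.dns: Optional[str] = None
        self.transcript: List[str] = []       # message types in the order seen on the link

    def _exchange(self, servers: List[Dhcp6Server], msg: Message) -> List[Message]:
        self.transcript.append(msg.msg_type)
        replies = []
        for server in servers:
            reply = server.handle(msg)
            # keep only replies addressed to us that echo our transaction ID
            if reply and reply.dst == self.duid and reply.xid == msg.xid:
                replies.append(reply)
        self.transcript.extend(r.msg_type for r in replies)
        return replies

    def obtain_address(self, servers: List[Dhcp6Server]) -> bool:
        """Stateful exchange: Solicit/Advertise to find servers, then Request/Reply with one."""
        solicit = Message("Solicit", secrets.randbits(24), ALL_DHCP_RELAY_AGENTS_AND_SERVERS,
                          {"client_duid": self.duid})
        adverts = self._exchange(servers, solicit)
        if not adverts:
            return False
        chosen = adverts[0].options["server_duid"]   # first Advertise wins in this model
        request = Message("Request", secrets.randbits(24), ALL_DHCP_RELAY_AGENTS_AND_SERVERS,
                          {"client_duid": self.duid, "server_duid": chosen})
        replies = self._exchange(servers, request)
        if not replies:
            return False
        self.address = replies[0].options["address"]
        self.dns = replies[0].options["dns"]
        return True

    def obtain_dns_only(self, servers: List[Dhcp6Server]) -> bool:
        """Stateless exchange: configuration settings only, no address."""
        info = Message("Information-request", secrets.randbits(24),
                       ALL_DHCP_RELAY_AGENTS_AND_SERVERS, {"client_duid": self.duid})
        replies = self._exchange(servers, info)
        if not replies:
            return False
        self.dns = replies[0].options["dns"]
        return True
```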
Open the Local Area Connection properties, and then view the IPv4 settings for the selected network connection. Modify the connection to obtain an IPv4 configuration automatically. Verify these changes.
/all: This option displays all IP address configuration information. If the computer uses DHCP, verify the DHCP Server option in the output. This indicates the server from which the client is attempting to obtain an address. Also, verify the Lease Obtained and Lease Expires values to determine when the client last obtained an address.
/release: It sometimes is necessary to force the computer to release an IP address.
/renew: This option forces the client computer to renew its DHCP lease. This is useful when you think that the DHCP-related issue is resolved, and you want to obtain a new lease without restarting the computer.
/release6: The IPv6 version of the /release command.
/renew6: The IPv6 version of the /renew command.
Note: You can use the IPConfig /release6 and /renew6 options to perform these same tasks on IPv6-configured computers.
The following are some troubleshooting examples.
Problem: The DHCP client does not have an IP address configured or indicates that its IP address is 0.0.0.0.
Solution: Verify that the client computer has a valid functioning network connection. First, check that related client hardware (cables and network adapters) is working properly at the client end, using basic network and hardware troubleshooting steps. If the client hardware appears to be prepared and functioning properly, check that the DHCP server is available on the network by pinging it from another computer on the same network as the affected DHCP client.
Problem: The DHCP client appears to have automatically assigned itself an IP address that is incorrect for the current network.
Solution: First, use the ping command to test connectivity from the client to the server. Your next step is to either verify or manually attempt to renew the client lease. Depending on your network requirements, it might be necessary to disable IP autoconfiguration at the client. You can learn more about IP autoconfiguration and how it works prior to making this decision.
Problem: The DHCP client appears to be missing some network configuration details or is unable to perform related tasks, such as resolving names.
Solution: For Microsoft DHCP clients, verify that the most commonly used and supported options have been configured at the server, scope, client, or class level of options assignment.
Problem: The DHCP client appears to have incorrect or incomplete options, such as an incorrect or missing router (default gateway) configured for the subnet on which it is located.
Solution: Change the IP address list for the router (default gateway) option at the applicable DHCP scope and server. If you are configuring the router option as a Server Option at the affected DHCP server, remove it there and set the correct value in the Scope Options node for the applicable DHCP scope that services the client. In rare instances, you might have to configure the DHCP client to use a specialized list of routers different from other scope clients. In such cases, you can add a reservation, and then configure the router option list specifically for the reserved client.
Problem: Many DHCP clients are unable to get IP addresses from the DHCP server.
Solution: A DHCP server can only service requests for a scope that has a network ID that is the same as the network ID of its IP address. Completing the following steps might correct this problem:
1. Configure a BOOTP/DHCP Relay Agent on the client subnet (that is, the same physical network segment). The relay agent can be located on the router itself; on a computer that is running Windows NT Server and the DHCP Relay Agent component; on a computer that is running Windows 2000 Server with the Routing and Remote Access service enabled and configured as a DHCP Relay Agent; or on a computer that is running a Windows Server 2003 operating system with the Routing and Remote Access service enabled and configured as a DHCP Relay Agent.
2. At the DHCP server, do the following:
o Configure a scope to match the network address on the other side of the router where the affected clients are located.
o In the scope, make sure that the subnet mask is correct for the remote subnet.
o Use a default gateway on the network connection of the DHCP server in such a way that it is not using the same IP address as the router that supports the remote subnet where the clients are located.
o Do not include this scope, which is the one for the remote subnet, in superscopes configured for use on the same local subnet or segment where the DHCP server resides.
o Make sure there is only one logical route between the DHCP server and the remote subnet clients.
Problem: Many DHCP clients are unable to get IP addresses from the DHCP server.
Solution: Ensure that you do not configure multiple DHCP servers on the same LAN with overlapping scopes. You might want to rule out the possibility that one of the DHCP servers in question is a computer that is running Small Business Server. On a computer that is running Small Business Server, the DHCP Server service automatically stops when it detects another DHCP server on the LAN.
Problem: The DHCP client appears to be affected by another problem not described previously.
Solution: Search the Microsoft Web site for updated technical information that might relate to the problem you have observed. If necessary, you can obtain information and instructions that pertain to your current problem or issue.
Reference Links: See also:
Test a TCP/IP configuration by using the ping command: http://go.microsoft.com/fwlink/?LinkId=154455
Verify, release, or renew a client address lease: http://go.microsoft.com/fwlink/?LinkId=154456
Configure TCP/IP for automatic addressing: http://go.microsoft.com/fwlink/?LinkId=154457
Disable automatic address configuration: http://go.microsoft.com/fwlink/?LinkId=154458
Manage options and classes: http://go.microsoft.com/fwlink/?LinkId=154459
Assigning options: http://go.microsoft.com/fwlink/?LinkId=154460
DHCP Best Practices: http://go.microsoft.com/fwlink/?LinkId=154465
Using superscopes: http://go.microsoft.com/fwlink/?LinkId=154466
Configuring scopes: http://go.microsoft.com/fwlink/?LinkId=154467
Objectives
Modify the IPv4 settings for a LAN connection.
Configure a LAN connection to use DHCP.
Lab Setup
Estimated Time: 30 minutes
Virtual Machine(s): 20687A-LON-DC1, 20687A-LON-CL1
User Name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
o User name: Adatum\Administrator
o Password: Pa$$w0rd
5.
Results: After this exercise, you will have configured LON-CL1 to obtain an IPv4 configuration automatically from a DHCP server.
At the command prompt, run the following commands:
o IPConfig /release
o IPConfig /renew
o IPConfig /all
What is the current IPv4 address?
What is the subnet mask?
To which IPv4 network does this host belong?
What kind of address is this?
Results: After this exercise, you will have tested various scenarios for dynamic IP address assignment, and then configured a static IP address.
Lesson 4
Computers can communicate over a network by using a name in place of an IP address. Name resolution is used to find an IP address that corresponds to a name, such as a host name. This lesson focuses on different types of computer names and the methods to resolve them.
A host name is a user-friendly name that is associated with a host's IP address and identifies it as a TCP/IP host. A host name can be no more than 255 characters in length, and must contain alphanumeric characters, periods, and hyphens. A host name is an alias or a fully qualified domain name (FQDN). An alias is a single name associated with an IP address. The host name combines an alias with a domain name to create the FQDN.
The elements of the name include periods as separators. Applications use the structured FQDN on the Internet. An example of an FQDN is payroll.contoso.com.
Applications use the 16-character NetBIOS name to identify a NetBIOS resource on a network. A NetBIOS name represents a single computer or a group of computers. NetBIOS uses the first 15 characters for a specific computer's name and the final sixteenth character to identify a resource or service on that computer. An example of a NetBIOS name is NYC-SVR2[20h].
Windows supports a number of different methods for resolving computer names, such as DNS, WINS, and the host name resolution process.
WINS provides a centralized database for registering dynamic mappings of a network's NetBIOS names. Support is retained for WINS to provide backward compatibility. In addition to using WINS, you can resolve NetBIOS names by using the following:
Broadcast messages. Broadcast messages do not work well on large networks because routers do not propagate broadcasts.
Lmhosts file on all computers. Using an Lmhosts file for NetBIOS name resolution is a high-maintenance solution because you must maintain the file manually on all computers.
When an application specifies a host name and uses Windows Sockets, TCP/IP uses the DNS resolver cache, DNS, and Link-Local Multicast Name Resolution (LLMNR) when it attempts to resolve the host name. The Hosts file is loaded into the DNS resolver cache. If NetBIOS over TCP/IP is enabled, TCP/IP also uses NetBIOS name resolution methods when resolving single-label, unqualified host names. Windows resolves host names by performing the following actions:
1. Checking whether the host name is the same as the local host name.
2. Searching the DNS resolver cache.
3. Searching the Hosts file.
4. Sending a DNS request to its configured DNS servers.
Windows resolves host names that are single-label, unqualified names by performing the following actions:
1. Using LLMNR on the local subnet.
Note: LLMNR enables hosts in a network to resolve one another's computer names without using a name server and without relying on broadcasting.
2. Converting the host name to a NetBIOS name and checking the local NetBIOS name cache.
3. Sending a DNS request to its configured WINS servers.
4. Broadcasting as many as three NetBIOS Name Query Request messages on the subnet that is directly attached.
5. Searching the Lmhosts file.
Note: You can exert control over the precise order used to resolve names. For example, if you disable NetBIOS over TCP/IP, none of the NetBIOS name-resolution methods are attempted. Alternatively, you can modify the NetBIOS node type, which results in a change to the precise order in which the NetBIOS name resolution methods are attempted.
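The resolution order above, for both FQDNs and single-label names, as a small simulator that reports which step answered and what disabling NetBIOS over TCP/IP removes. This is an added example, not part of the course; the host names, addresses, cache entries and file contents are constructed.

```python
"""Walk the Windows host-name resolution order described above and report
which step produced the answer.  Added example, not part of the course text;
the names, addresses, cache entries and file contents are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def parse_hosts(text: str) -> Dict[str, str]:
    """Parse Hosts/Lmhosts style lines ('address name [name...]'); '#' starts a
    comment, so Lmhosts keywords such as #PRE are simply dropped here."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), address)
    return table


@dataclass
class ResolverEnv:
    """Everything the resolver can consult, in the order the steps above use it."""
    local_host_name: str
    local_address: str
    dns_cache: Dict[str, str]        # the Hosts file is loaded here on a real host
    hosts_file: str
    dns_servers: Dict[str, str]      # answers the configured DNS servers would give
    llmnr_neighbors: Dict[str, str]  # hosts answering LLMNR on the local subnet
    netbios_cache: Dict[str, str]
    wins_servers: Dict[str, str]
    broadcast_responders: Dict[str, str]
    lmhosts_file: str
    netbios_over_tcpip: bool = True  # disabling it skips every NetBIOS method


def resolve(name: str, env: ResolverEnv) -> Tuple[Optional[str], str]:
    """Return (address, method) for the first step that answers, or (None, 'unresolved')."""
    name = name.lower().rstrip(".")
    steps = [
        ("local host name", lambda: env.local_address if name == env.local_host_name.lower() else None),
        ("DNS resolver cache", lambda: env.dns_cache.get(name)),
        ("Hosts file", lambda: parse_hosts(env.hosts_file).get(name)),
        ("DNS", lambda: env.dns_servers.get(name)),
    ]
    if "." not in name:  # single-label, unqualified name: the extra methods apply
        steps.append(("LLMNR", lambda: env.llmnr_neighbors.get(name)))
        if env.netbios_over_tcpip:
            nb = name.upper()[:15]  # a NetBIOS name is the first 15 characters
            steps += [
                ("NetBIOS name cache", lambda: env.netbios_cache.get(nb)),
                ("WINS", lambda: env.wins_servers.get(nb)),
                ("NetBIOS broadcast", lambda: env.broadcast_responders.get(nb)),
                ("Lmhosts file", lambda: parse_hosts(env.lmhosts_file).get(nb.lower())),
            ]
    for method, lookup in steps:
        address = lookup()
        if address:
            return address, method
    return None, "unresolved"


if __name__ == "__main__":
    env = ResolverEnv(
        local_host_name="LON-CL1", local_address="10.10.0.50",
        dns_cache={"lon-dc1.adatum.com": "10.10.0.10"},
        hosts_file="# constructed sample\n10.10.0.20 lon-svr1.adatum.com lon-svr1\n",
        dns_servers={"www.adatum.com": "10.10.0.30"},
        llmnr_neighbors={"lon-cl2": "10.10.0.51"},
        netbios_cache={}, wins_servers={"NYC-SVR2": "10.20.0.5"},
        broadcast_responders={}, lmhosts_file="10.30.0.7 OLDPRINT #PRE\n",
    )
    for query in ("LON-CL1", "lon-svr1", "www.adatum.com", "nyc-svr2", "oldprint"):
        print(query, resolve(query, env))
```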
GlobalNames Zone
The GlobalNames Zone (GNZ) is a feature of Windows Server 2008. The GNZ provides single-label name resolution for large enterprise networks that do not deploy WINS. Some networks might require the ability to resolve static, global records with single-label names that WINS currently provides. These single-label names refer to well-known and widely used servers with statically assigned IP addresses. A GNZ is manually created and is not available for dynamic registration of records. GNZ is intended to help your customers migrate to DNS for all name resolution. The DNS Server role in Windows Server 2008 supports the GNZ feature. GNZ is intended to assist in the migration from WINS. However, it is not a replacement for WINS. GNZ is not intended to support the single-label name resolution of records that are registered in WINS dynamically and those that are typically not managed by IT administrators. Support for these dynamically registered records is not scalable, especially for larger customers with multiple domains and/or forests. The recommended GNZ deployment is by using an AD DS-integrated zone, named GlobalNames, which is distributed globally.
Instead of using GNZ, you can choose to configure DNS and WINS integration. Do this by configuring the DNS zone properties to perform WINS lookups for NetBIOS-compliant names. The advantage of this approach is that you can configure client computers to use only a single name service, DNS, and still be able to resolve NetBIOS-compliant names.
Additional Reading: To read more about understanding DNS client settings on TechNet, go to http://go.microsoft.com/fwlink/?LinkId=154441.
Lesson 5
The tools and utilities included in this lesson help IT professionals better manage computers and troubleshoot problems, enabling them to keep users productive while working to reduce costs, maintain compliance, and improve operational efficiency.
Event logs are files that record significant events on a computer, such as when a process encounters an error. IP conflicts will be reflected in the System log and might prevent services from starting. When these events occur, Windows records the event in an appropriate event log. You can use Event Viewer to read the log. When you troubleshoot errors on Windows 8, view the events in the Event Logs to determine the cause of the problem. Event Viewer enables you to access the Application, Security, Setup, and System logs under the Windows Logs node. When you select a log and then select an event, a preview pane under the event list contains details of the specified event. To help diagnose network problems, look for errors or warnings in the System log related to network services.
IPConfig
IPConfig displays the current TCP/IP network configuration. Additionally, you can use IPConfig to refresh DHCP and DNS settings, as discussed in the previous Windows Network Diagnostics topic. For example, you might need to flush the DNS cache.
Ping
Ping can verify IP-level connectivity to another TCP/IP computer. Ping sends and receives Internet Control Message Protocol (ICMP) Echo Request messages and displays the receipt of corresponding Echo Reply messages. Ping is the primary TCP/IP command used to troubleshoot connectivity. However, firewalls might block the ICMP requests.
Tracert
Tracert determines the path taken to a destination computer by sending ICMP Echo Requests. The path displayed is the list of router interfaces between a source and a destination. This tool also determines which router has failed and what the latency, or speed, is. These results may not be accurate if the router is busy, because the router assigns the packets a low priority.
Pathping
Pathping traces a route through the network in a manner similar to Tracert. However, Pathping provides more detailed statistics on the individual steps, or hops, through the network. Pathping can provide greater detail because it sends 100 packets for each router, which enables it to establish trends.
Nslookup
Nslookup displays information that you can use to diagnose the DNS infrastructure. You can use Nslookup to confirm connection to the DNS server and that the required records exist.
Unified Tracing
The unified tracing feature is intended to help you simplify the process of gathering relevant data to assist in troubleshooting and debugging network connectivity problems. Data is collected across all layers of the networking stack, and then grouped into activities across the following individual components:
Configuration information
State information
Event or Trace Logs
Network traffic packets
Windows Network Diagnostics either completes the solution automatically or requires that the user perform steps to resolve the problem. These steps may require the user to complete several configuration changes to the computer. In many cases, this capability may resolve network problems without the user requiring additional support.
If Windows Network Diagnostics cannot fix the problem, you may need to use additional diagnostic tools.
If the subnet mask is incorrect, the computer has an incorrect Network ID, and therefore, transmission fails, especially to remote subnets.
If the default gateway is incorrect or missing, the computer cannot transmit data with remote subnets.
If the DNS server is incorrect or missing, the computer might not be able to resolve names, and communication can fail.
The Ping utility confirms two-way communication between two computers. This means that if the Ping utility fails, the local computer's configuration may not be the cause of the problem. Use Ping to ensure transmission using a logical process, such as:
1. Ping the remote computer.
2. Ping the local gateway.
3. Ping the local IP address.
4. Ping the loopback address 127.0.0.1.
When using the Ping utility, remember:
You can ping both the name and the computer's IP address.
If you successfully ping the IP address, but not the name, name resolution is failing.
If you successfully ping the computer name, but the response does not resolve the FQDN name, resolution has not used DNS. This means a process such as broadcasts or WINS has been used to resolve the name, and applications that require DNS may fail.
Request Timed Out indicates that there is a known route to the destination computer, but one or more computers or routers along the path, including the source and destination, are not configured correctly.
Destination Host Unreachable indicates that the system cannot find a route to the destination system, and therefore does not know where to transmit the packet on the next hop. Ping can be blocked by a firewall on the network or on a Windows computer.
You can use Tracert to identify each hop between the source and destination systems. If communication fails, use Tracert to identify how many hops are successful and at which hop system communication fails.
Nslookup enables you to ensure that the DNS server is available and contains a record for the computer with which you are attempting to transmit data. This functionality is vital because even if the computer is available, if DNS is not working correctly, you might not be able to transmit using names. If you suspect that name resolution is the problem, add an entry to the Hosts file and then retest name resolution. You must purge the host-name resolution cache by using IPConfig /flushdns before rerunning the name-resolution test.
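The configuration checks behind the subnet mask, default gateway and DNS server bullets above, plus the rule from the DHCP troubleshooting table that a server can only service a scope whose network ID matches its own address, worked in code. This is an added example, not course material; every address in it is constructed.

```python
"""Checks that follow the IPv4 troubleshooting guidance above: APIPA detection,
whether the default gateway is on the configured subnet, whether a target is
on-link or reached through the gateway, and whether a DHCP server can service a
scope directly (same network ID) or needs a relay agent.

Added example, not part of the course text; every address below is constructed."""
import ipaddress
from typing import List, Optional

APIPA_RANGE = ipaddress.IPv4Network("169.254.0.0/16")


def network_id(address: str, mask: str) -> ipaddress.IPv4Network:
    """Network ID under a dotted mask, e.g. 10.10.0.50 / 255.255.255.0 -> 10.10.0.0/24."""
    return ipaddress.IPv4Interface(f"{address}/{mask}").network


def check_ipv4_config(address: str, mask: str, gateway: Optional[str] = None,
                      dns: Optional[str] = None) -> List[str]:
    """Return a list of findings; an empty list means nothing obviously wrong."""
    findings: List[str] = []
    if ipaddress.IPv4Address(address) in APIPA_RANGE:
        # Windows falls back to 169.254.0.0/16 when no DHCP server answered.
        findings.append("APIPA address: the client could not reach a DHCP server")
        return findings
    net = network_id(address, mask)
    if gateway is None:
        findings.append("no default gateway: cannot transmit to remote subnets")
    elif ipaddress.IPv4Address(gateway) not in net:
        # A gateway outside the local subnet usually means the mask or gateway is wrong.
        findings.append(f"default gateway {gateway} is not on subnet {net}")
    if dns is None:
        findings.append("no DNS server: name resolution will fail")
    return findings


def route_to(target: str, address: str, mask: str, gateway: Optional[str]) -> str:
    """'on-link' when the target shares the network ID; otherwise the gateway is
    needed.  A wrong mask changes this decision and breaks remote transmission."""
    if ipaddress.IPv4Address(target) in network_id(address, mask):
        return "on-link"
    return f"via gateway {gateway}" if gateway else "unreachable"


def scope_needs_relay(server_address: str, server_mask: str, scope: str) -> bool:
    """True when the DHCP server cannot service the scope directly and a
    BOOTP/DHCP relay agent on the clients' segment is required."""
    return network_id(server_address, server_mask) != ipaddress.IPv4Network(scope)


if __name__ == "__main__":
    print(check_ipv4_config("169.254.16.17", "255.255.0.0"))
    print(check_ipv4_config("10.10.0.50", "255.255.255.0", "10.10.1.1", "10.10.0.10"))
    print(route_to("10.20.0.5", "10.10.0.50", "255.255.255.0", "10.10.0.1"))
    print(scope_needs_relay("10.10.0.10", "255.255.255.0", "10.20.0.0/24"))
```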
An intern has been unsuccessful in attempts to resolve a network connectivity problem on a Windows 8 computer. The changes made to the computer have not been documented. You need to restore network connectivity for the computer.
Objectives
Create a simulated problem.
Use Windows tools to determine the cause of the problem.
Resolve the problem.
Lab Setup
Estimated Time: 30-60 minutes
Virtual Machine(s): 20687A-LON-DC1, 20687A-LON-CL1
User Name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
o User name: Adatum\Administrator
o Password: Pa$$w0rd
5.
What IP address is the computer using?
What subnet mask is the computer using?
What network is the computer on?
Results: After this exercise, you will have created a connectivity problem between LON-CL1 and LON-DC1.
Results: After this exercise, you will have resolved the connectivity problem between LON-CL1 and LON-DC1.
Question: After starting her computer, Amy notices that she is unable to access her normal resources. What tool can she use to determine if she has a valid IP address?
Question: When transmitting Accounts Receivable updates to the billing partner in China, Amy notices that the files are being transmitted slowly. What tool can she use to determine the network path and latency of the network?
Question: Amy notices that she cannot access normal Enterprise Web sites. She knows that she has a valid IP address but wants to troubleshoot the DNS access of her computer. What tool must she use?
Question: What is the IPv6 equivalent of an IPv4 APIPA address?
Question: You are troubleshooting a network-related problem, and you suspect a name resolution issue. Before conducting tests, you want to purge the DNS resolver cache. How do you do that?
Question: You are troubleshooting a network-related problem. The IP address of the host you are troubleshooting is 169.254.16.17. What is a possible cause of the problem?
Tools
You can use the following tools to troubleshoot network connectivity issues.
Tool: Description
Network and Sharing Center: The Network and Sharing Center informs you about your network and verifies whether your PC can successfully access the Internet. Then, it summarizes this information in the form of a Network Map.
Netsh.exe: A command that you can use to configure network properties from the command line.
Pathping.exe: A command-line tool that combines the functionality of Ping and Tracert, and that you can use to troubleshoot network latency and provide information about path data.
Nslookup.exe: A command-line tool that you can use to test and troubleshoot DNS and name resolution issues.
IPConfig.exe: A general IP configuration and troubleshooting tool.
Ping.exe: A basic command-line tool that you can use for verifying IP connectivity.
Tracert.exe: Similar to Pathping, which provides information about network routes.
Windows PowerShell: Cmdlets available to view and configure network settings.
Module 5
Implementing Wireless Network Connections
Contents:
Module Overview 5-1
Lesson 1: Overview of Wireless Networks 5-2
Lesson 2: Implementing a Wireless Network 5-8
Lab: Planning the Implementation of Wireless Network Connections 5-13
Module Review and Takeaways 5-18
Module Overview
A wireless network can refer to any type of wireless devices that are interconnected between nodes, without using wires or cables. This module describes a wireless local area network (WLAN), which is a type of wireless network that uses radio waves instead of cables to transmit and receive data between computers. A wireless network enables you to access network resources from a computer that is not physically attached to the network by cables.
Wireless network technologies have evolved tremendously over the past few years. The security and speed of wireless networks have become so reliable that increasingly, more organizations prefer to use wireless networks rather than traditional wired networks. Windows 8 provides a simple, intuitive, and straightforward user interface for connecting to wireless networks.
Objectives
After completing this module, you will be able to:
- Describe the standards and technologies related to wireless network connections.
- Configure a wireless network connection.
Lesson 1: Overview of Wireless Networks
Increasingly, organizations prefer wireless networks over traditional wired networks. A wireless network provides users with more flexibility and mobility, as users can attend internal meetings or conduct presentations while maintaining connectivity and productivity. Additionally, a wireless network enables you to create a public network that allows your guests to have an Internet connection without creating security issues for your corporate network. Wireless network technologies have evolved tremendously during the past several years, and many mobile computers now have built-in wireless network adapters that support connections to wireless networks with improved levels of stability and reliability.
Advantages of a wireless network include:
- Providing Internet access in public places. You can create a public network that enables your guests to have an Internet connection, without causing possible security issues on your corporate network.
- Making roaming convenient, and enabling you to remove unsightly wires from your network.
However, wireless networks also have some disadvantages, including potential radio interference, increased security costs, and security risks that may require you to spend time and money to troubleshoot and mitigate.
- Ad-hoc mode. In this mode, two wireless network adapters are connected directly to one another. This enables peer-to-peer communication, where computers and devices are connected directly to each other instead of to a wireless router or a wireless access point (WAP).
  You typically use ad-hoc networks to share files, presentations, or an Internet connection temporarily among multiple computers and devices. To reach the Internet or another network, you must configure one of the peer-to-peer computers as a router that connects to the network.
- Infrastructure mode. In this mode, wireless network adapters connect only to special radio bridges, or to a WAP that connects directly to the wired network. To build an infrastructure wireless network, place WAPs throughout your organization. Users can connect their computers, including laptops, to the network by connecting to the nearest WAP. Home or business environments typically use this mode.
Regardless of the operating mode, a Service Set Identifier (SSID), also known as the wireless network name, identifies a specific wireless network by name. You can configure the SSID on the WAP for infrastructure mode, or on the initial wireless client for ad-hoc mode. The WAP or the initial wireless client periodically advertises the SSID so that other wireless nodes can discover and join the wireless network.
Standard   Advantages                                        Disadvantages                              Remarks
802.11b    (row not preserved on this page)
802.11g    High speed; more simultaneous users;              (not preserved on this page)               Widely used, especially in public places,
           better signal range; compatible with 802.11b                                                 such as airports and coffee shops.
802.11n    Highest speed; not prone to interference;         Costs more than 802.11g; requires an       Gaining popularity.
           compatible with 802.11a, b, g; best signal range  N-capable network adapter
Note: Standard 802.11n is an amendment to the 802.11 standard. It operates in both the 5 gigahertz (GHz) and 2.4 GHz bands, which gives networks more scope to avoid interference with other wireless devices. This standard supports a speed of up to 600 Mbps, with a range of approximately 300 meters.
Windows 8 provides built-in support for all 802.11 wireless networks, but the wireless components of Windows depend upon the following:
- Capabilities of the wireless network adapter. The installed wireless network adapter must support the wireless network or wireless security standards that you require.
- Capabilities of the wireless network adapter driver. To enable you to configure wireless network options, the driver for the wireless network adapter must support the reporting of all of its capabilities to Windows.
Windows 8 provides a driver-based model for mobile broadband devices. Earlier Windows versions require users of mobile broadband devices to install third-party software. This can be difficult for IT professionals to manage, because each mobile broadband device and provider requires different software. Employees also have to be trained to use the software, and must have administrative access to install it, which prevents standard users from easily adding a mobile broadband device. With Windows 8, users can simply connect a mobile broadband device and immediately begin using it. The interface in Windows 8 is the same regardless of the mobile broadband provider. You can connect to a wireless broadband network just as you connect to any other wireless network. This reduces the need for training and management efforts.
Note: Many devices provide built-in broadband wireless capabilities.
The sudden widespread implementation of WLANs preceded any real security planning. Wireless devices create many opportunities for unauthorized users to access private networks. Unlike the closed cabling system of an Ethernet network, which you can secure physically, wireless frames are sent as radio transmissions that propagate beyond the physical confines of your office or home. Any computer within range of the wireless network can receive wireless frames and send its own. Without protecting your wireless network, malicious users can use your wireless network to access your private information or launch attacks against your computers or other computers across the Internet. To protect your wireless network, you should configure authentication and encryption options:
- Authentication requires that computers provide valid account credentials, such as a user name and password, or proof of configuration with an authentication key, before you allow them to send data frames on your wireless network. Authentication prevents malicious users from joining your wireless network.
- Encryption requires that the content of all wireless data frames be encrypted so that only the receiver can interpret its contents. Encryption prevents malicious users from capturing wireless frames sent on your wireless network and determining sensitive data. Encryption also helps prevent malicious users from sending valid frames and accessing your private resources or the Internet, because they will not be able to connect to your WAP.
WLAN supports the following security standards:
- IEEE 802.11
- IEEE 802.1X
- Wi-Fi Protected Access (WPA)
- Wi-Fi Protected Access 2 (WPA2)
IEEE 802.11
The original IEEE 802.11 standard defined the open system and shared key authentication methods for authentication, and Wired Equivalent Privacy (WEP) for encryption. WEP can use either 40-bit or 104-bit encryption keys. However, the original IEEE 802.11 security standard is relatively weak and cumbersome for widespread public and private deployment. Its flaws lie in how WEP applies the RC4 cipher with a short, 24-bit initialization vector, not in the key length, so a 104-bit key is recovered by the same attacks as a 40-bit key. Because of these flaws, the IEEE has deprecated WEP, as it fails to meet its security goals. Despite its shortcomings, WEP is still widely used.
To establish WEP encryption for shared key authentication, you must install the same secret key in each of your enterprise's WAPs. You can do this individually for each WAP or by using manufacturer-supplied management software. Then, you must install that key in each client. There is no standard mechanism for distributing secret WEP keys to clients or WAPs. WAPs automatically deny access to any client that does not have the correct secret key, and prevent unauthorized users from connecting.
Note: In the shared-key authentication mode, the WAP and the client go through a challenge-response cycle, similar to NT LAN Manager (NTLM) authentication, which uses the WEP encryption key as the shared secret key. Because both the plaintext challenge and the WEP-encrypted response travel over the air, an eavesdropper can recover keystream from the exchange; shared-key authentication therefore offers no more protection than open system authentication with WEP.
IEEE 802.1X
IEEE 802.1X was a standard that existed for Ethernet switches, and was adapted to wireless LANs to provide much stronger authentication than the original 802.11 standard. IEEE 802.1X authentication is designed for medium and large wireless LANs that contain an authentication infrastructure consisting of Remote Authentication Dial-In User Service (RADIUS) servers and account databases, such as Active Directory Domain Service (AD DS).
IEEE 802.1X prevents a wireless node from joining a wireless network until the node performs a successful authentication. IEEE 802.1X uses the Extensible Authentication Protocol (EAP). Wireless network authentication can be based on different EAP authentication methods, such as those using user name and password credentials or a digital certificate. 802.1X requires clients to provide computer authentication when they connect to the network, and provides user authentication when a user logs on. If either authentication phase fails, the data-link layer access device, including a WAP, bridge, or switch, will not forward packets to the network. This prevents an attacker from exploiting the network layer or reaching other network servers or clients.
You must ensure that the client, the data-link device, and the authentication server all support the 802.1X protocol. The data-link device, which can be a WAP or a switch, detects new clients, passes the authentication to an authentication server, and locks the client out if the authentication fails. The authentication server checks the client's credentials, and then reports the authentication status to the data-link device.
Note: In the Windows Server 2012 operating system, the Network Policy and Access Services (NPAS) role enables secure wireless and wired solutions for which 802.1X enforcement is the basis. In Windows Server 2012, NPAS performs the role of a RADIUS server.
Although 802.1X addresses the weak authentication of the original 802.11 standard, it provides no solution to the disadvantages of WEP. While the IEEE 802.11i wireless LAN security standard was being finalized, the Wi-Fi Alliance, an organization of wireless equipment vendors, created an interim standard known as WPA. WPA replaces WEP with a much stronger encryption method known as the Temporal Key Integrity Protocol (TKIP). WPA also allows the optional use of the Advanced Encryption Standard (AES) for encryption. WPA is available in two different modes:
- WPA-Enterprise. In the Enterprise mode, an 802.1X authentication server distributes individual keys to users. It is designed for medium and large infrastructure mode networks.
- WPA-Personal. In the Personal mode, a preshared key (PSK) is used for authentication, and you provide the same key to each user. It is designed for small office/home office (SOHO) infrastructure mode networks.
The IEEE 802.11i standard formally replaces WEP and the other security features of the original IEEE 802.11 standard. WPA2 is a product certification available through the Wi-Fi Alliance that certifies wireless equipment as being compatible with the IEEE 802.11i standard. The goal of WPA2 certification is to support the additional mandatory security features of the IEEE 802.11i standard that are not already included for products that support WPA. For example, WPA2 requires support for both TKIP and AES encryption. Similar to WPA, WPA2 is available in two different modes: WPA2-Enterprise and WPA2-Personal.
Because a WAP broadcasts its SSID, it is easy to discover from outside your premises and is therefore exposed to malicious attacks. For example, war driving is a technique in which users from outside your facility use wireless-client hardware and software to discover any WAPs that are broadcasting in the local area.
Therefore, in addition to implementing authentication and encryption, you can use the following methods to mitigate risks to your wireless network:
- Firewalls. You can address the WAP vulnerability by placing the WAPs outside your network firewalls. You then can force valid users to authenticate with the firewall or use virtual private network (VPN) connections to reach the internal network. This does not prevent unauthorized users from exploiting the WAPs for Internet access, but it does prevent them from exploiting the internal network. Organizations commonly use this method to give Internet access to visitors.
- Closed networks. Some WAPs support a closed network mode in which the WAP does not advertise its SSID. Users have to know the SSID to connect to the wireless network. Disabling SSID broadcasting does not stop attackers: although the SSID does not appear in a typical client, they can still detect the wireless signal and identify the SSID, because the SSID is sent in clear text whenever a client associates.
- SSID spoofing. You can use special software that generates numerous WAP packets that broadcast false SSIDs. This causes attackers to receive so many SSIDs that when they scan for a wireless network, they cannot separate the valid SSID from the false ones.
- Media access control (MAC) address filtering. Most WAPs support MAC address restrictions. These restrictions limit the clients with which the WAP can communicate, based on their MAC address. This works well in smaller environments, but creates excessive administrative overhead in larger environments. Because MAC addresses are sent unencrypted in every frame, an attacker can observe an allowed address and clone it, so filtering only deters casual users.
Additional Reading: For more information on WEP and its disadvantages, refer to: http://go.microsoft.com/fwlink/?LinkID=154212.
Lesson 2: Implementing a Wireless Network
In an organization with a wireless network, users may choose to use the wireless network as the primary method of connecting to network resources. You should know how to create and connect to a wireless network from a Windows 8-based computer. You also need to know how to improve the wireless signal strength for your users and how to troubleshoot common wireless connection problems. This troubleshooting process uses the network diagnostics included with Windows 7 and Windows 8. You need to be familiar with network diagnostics so that you can assist users.
To configure a WAP, you may need to enter its SSID, and then configure a valid TCP/IP address on your network. Typically, a WAP has an administrator page that can be accessed with an Internet browser by using its default IP address. Depending on the manufacturer, different WAPs have different default IP addresses, and you can configure several WAPs from a command prompt by using the Telnet command-line tool. Telnet sends the administrator credentials in clear text, so prefer the SSH or HTTPS management option where the WAP offers one, and change the default administrator password before the WAP goes into service.
Note: Most WAPs have a default SSID. When implementing a wireless network, do not use the default SSID. Instead, change the SSID to something unique, so that client computers that connect automatically will not have conflicts with other WAPs that are using their default SSID.
To connect to a wireless network, attach a wireless network adapter to your computer, and then install its driver. These adapters may be internal or external wireless adapters. Many mobile computers have built-in adapters that you can enable by using a hardware switch. External adapters are typically attached through a universal serial bus (USB) or other externally accessible hardware port.
After attaching the hardware and installing the appropriate hardware device driver, you can use the following methods to configure a Windows 8-based client to connect to a wireless network:
- Connect to a Network dialog box. This dialog box is available from several locations in Windows 8, including Control Panel. The Connect to a Network dialog box enables you to see all wireless networks in your area to which you can connect.
- Command line. The netsh wlan commands in the netsh.exe tool enable you to configure wireless networks and their settings manually. Additionally, you can use Windows PowerShell cmdlets to configure wireless network settings.
- Group Policy. Network administrators in an Active Directory environment can use Group Policy to configure and deploy wireless network settings centrally to domain member computers. The Wireless Network Policies Extension is a Group Policy extension that you can use to automate configuration of Wireless Network Group Policy settings.
Additional Reading: For more information on how to use netsh, refer to: http://go.microsoft.com/fwlink/?LinkID=154213. For more information on how to use Group Policy to manage wireless networks, refer to: http://go.microsoft.com/fwlink/?LinkID=154214.
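The netsh wlan commands are also the quickest way to audit what a client already has saved. The following Windows PowerShell script is an added example, not course material and not Microsoft tooling: it reads the saved profiles with netsh wlan show profiles, looks up the Authentication and Cipher fields of each with netsh wlan show profile, and flags the combinations that Lesson 1 describes as weak (open, WEP, shared key, TKIP). It assumes an English-language Windows 8 client with the WLAN AutoConfig service running, because it parses the English field names of the netsh output.

```powershell
# Added example (not from the course). Audits saved Wi-Fi profiles with netsh wlan
# and flags weak security types. Assumes English netsh output and a running
# WLAN AutoConfig service.

function Get-NetshField {
    # Returns the value of the first "Field : value" line in $Lines, or $null.
    param([string[]]$Lines, [string]$Field)
    $pattern = '^\s*' + [regex]::Escape($Field) + '\s*:\s*(.+)$'
    foreach ($line in $Lines) {
        if ($line -match $pattern) { return $Matches[1].Trim() }
    }
    return $null
}

function Test-WeakWlanSecurity {
    # Returns a reason string when the combination is weak, or $null when it is not.
    # Values are the ones netsh prints: Open, Shared, WPA-Personal, WPA2-Personal,
    # WPA-Enterprise, WPA2-Enterprise; ciphers None, WEP, TKIP, CCMP.
    param([string]$Authentication, [string]$Cipher)
    if ($Authentication -eq 'Open') {
        if ($Cipher -eq 'WEP') { return 'WEP encryption (deprecated by the IEEE)' }
        return 'No authentication and no encryption'
    }
    if ($Authentication -eq 'Shared') { return 'WEP shared-key authentication' }
    if ($Authentication -like 'WPA*') {
        if ($Cipher -eq 'TKIP') { return 'TKIP cipher (RC4-based, weaker than CCMP/AES)' }
        if ($Authentication -like 'WPA-*') { return 'WPA (interim standard); prefer WPA2' }
        return $null
    }
    return "Unrecognized authentication type '$Authentication'"
}

function Get-WlanProfileSecurity {
    # One object per saved profile: Name, Authentication, Cipher, Weak, Reason.
    $names = netsh wlan show profiles | ForEach-Object {
        if ($_ -match '^\s*(All|Current) User Profile\s*:\s*(.+)$') { $Matches[2].Trim() }
    }
    foreach ($name in $names) {
        $detail = netsh wlan show profile name="$name"
        $auth   = Get-NetshField -Lines $detail -Field 'Authentication'
        $cipher = Get-NetshField -Lines $detail -Field 'Cipher'
        $reason = Test-WeakWlanSecurity -Authentication $auth -Cipher $cipher
        [pscustomobject]@{
            Name           = $name
            Authentication = $auth
            Cipher         = $cipher
            Weak           = [bool]$reason
            Reason         = $reason
        }
    }
}

Get-WlanProfileSecurity | Sort-Object Weak -Descending | Format-Table -AutoSize
```

Run it in a normal user session to see the profiles that apply to all users; adding key=clear to the netsh wlan show profile call would also print the stored passphrase, which an audit script should not do.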
You can use the Manage Wireless Networks dialog box to configure wireless network connections. You can access this window from the Network and Sharing Center, which you can access from Control Panel or from the network icon on the System Tray. To view a wireless network's settings, from the Manage Wireless Networks window, right-click the wireless network profile, and then click Properties.
General G Settings
The following settings are mandatory for every wireless network profile:
- SSID. Every wireless network has an SSID. If you are configuring the wireless network profile manually, you must know the exact SSID of the wireless network to which you want to connect.
- Network Type. There are two options: Access point and Ad hoc network. Select Access point to connect to a WAP, which means that you are configuring the wireless network to operate in infrastructure mode. Select Ad hoc network to connect to another wireless network adapter, which means that you are configuring the wireless network to operate in ad-hoc mode.
- Connect to a more preferred network if available. If you select this option, when there are multiple wireless networks in range, the computer will try to connect to one of the others instead of this particular wireless network.
- Connect even if the network is not broadcasting its name (SSID). Select this if the WAP is configured not to advertise its SSID. Be aware that a client with this option set sends probe requests naming the SSID wherever it goes, so a hidden SSID is disclosed by the clients that look for it.
The following settings determine the type of authentication and encryption used to connect to a wireless network:
- No authentication (open). Typically, you select this security type when connecting to a public wireless network. If you select this security type, two options are available for the encryption type: None and WEP.
- Shared. Select this security type if the wireless network is using a shared network security key. If you select this security type, only WEP is available for the encryption type.
- WPA (Personal and Enterprise). Select this option if the wireless network is using WPA authentication. In the Personal mode, you provide the same network security key to each user. In the Enterprise mode, an authentication server distributes an individual key to the users. If you select this security type, two options are available for the encryption type: TKIP and AES.
- WPA2 (Personal and Enterprise). Select this option if the wireless network is using WPA2 authentication. It also has the Personal and Enterprise modes and two options for the encryption type: TKIP and AES.
- 802.1X. Select this security type if your wireless network is using 802.1X authentication. If you select this security type, only WEP is available for the encryption type.
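The settings described above map directly onto the XML that netsh wlan add profile consumes, which is how the same profile is deployed to many computers without touching the dialog box. The following Windows PowerShell script is an added example, not course material: it writes a WPA2-Personal/AES profile for an assumed SSID "A Datum 1" (a placeholder), sets nonBroadcast and autoSwitch from the two General-tab options, imports it for all users, and shows the result. The passphrase is a placeholder. For WPA2-Enterprise the profile additionally needs a OneX element carrying the EAP configuration, which this example does not cover.

```powershell
# Added example (not from the course). Creates a WPA2-Personal (AES) wireless profile
# as XML and imports it with "netsh wlan add profile". SSID and passphrase are
# placeholders; element order follows the WLAN profile schema.

function New-WlanProfileXml {
    param(
        [Parameter(Mandatory = $true)][string]$Ssid,
        [Parameter(Mandatory = $true)][string]$Passphrase,   # 8-63 characters
        [string]$ProfileName = $Ssid,
        [switch]$NonBroadcast,   # "Connect even if the network is not broadcasting its name (SSID)"
        [switch]$AutoSwitch      # "Connect to a more preferred network if available"
    )
    if ($Passphrase.Length -lt 8 -or $Passphrase.Length -gt 63) {
        throw 'A WPA2 passphrase must be 8 to 63 characters long.'
    }
    $nb = ([bool]$NonBroadcast).ToString().ToLower()
    $as = ([bool]$AutoSwitch).ToString().ToLower()
    # Values inside XML text nodes are escaped so an SSID containing & or < cannot break the document.
@"
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>$([System.Security.SecurityElement]::Escape($ProfileName))</name>
  <SSIDConfig>
    <SSID><name>$([System.Security.SecurityElement]::Escape($Ssid))</name></SSID>
    <nonBroadcast>$nb</nonBroadcast>
  </SSIDConfig>
  <connectionType>ESS</connectionType>   <!-- ESS = access point (infrastructure); IBSS = ad hoc -->
  <connectionMode>auto</connectionMode>
  <autoSwitch>$as</autoSwitch>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2PSK</authentication>   <!-- WPA2-Personal -->
        <encryption>AES</encryption>               <!-- CCMP; TKIP is the weaker alternative -->
        <useOneX>false</useOneX>
      </authEncryption>
      <sharedKey>
        <keyType>passPhrase</keyType>
        <protected>false</protected>
        <keyMaterial>$([System.Security.SecurityElement]::Escape($Passphrase))</keyMaterial>
      </sharedKey>
    </security>
  </MSM>
</WLANProfile>
"@
}

function Install-WlanProfile {
    param([Parameter(Mandatory = $true)][string]$ProfileXml)
    $path = Join-Path $env:TEMP ('wlan-{0}.xml' -f [guid]::NewGuid())
    try {
        # UTF-8 without a byte-order mark, so the XML declaration is the first byte.
        [System.IO.File]::WriteAllText($path, $ProfileXml, (New-Object System.Text.UTF8Encoding $false))
        netsh wlan add profile filename="$path" user=all
    } finally {
        Remove-Item $path -ErrorAction SilentlyContinue   # the file holds the passphrase in clear text
    }
}

$xml = New-WlanProfileXml -Ssid 'A Datum 1' -Passphrase 'ReplaceWithRealPassphrase' -NonBroadcast
Install-WlanProfile -ProfileXml $xml
netsh wlan show profile name="A Datum 1"
```

After import, netsh stores the key in protected form, but any administrator can still read it back with netsh wlan show profile name="A Datum 1" key=clear, which is one reason WPA2-Enterprise is preferred for corporate networks.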
Problem                          Troubleshooting tips
Weak signal                      - Ensure that your client computer is as close as possible to the WAP.
                                 - If you are unable to get closer to the WAP, consider installing an external antenna on your wireless network adapter.
                                 - Check for physical objects that may cause interference, such as a thick wall or metal cabinet, and consider removing them or repositioning the WAP or the client.
                                 - Add WAPs to the wireless network whenever applicable.
Interference from other signals  - Check for devices that may cause interference, such as cordless phones, Bluetooth devices, or any other wireless devices. Turn them off or move them farther away.
                                 - Consider changing the WAP settings to use a different wireless channel, or set the channel to be selected automatically if it is set to a fixed channel number.
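Before changing a WAP's channel, it helps to see what the client actually observes. The following Windows PowerShell script is an added example, not course material: it parses the output of netsh wlan show networks mode=bssid and summarizes the access points in range per channel, so that a channel shared by several strong networks stands out. The sample netsh text embedded in the script is constructed for offline testing; the field names follow the English netsh output.

```powershell
# Added example (not from the course). Parses "netsh wlan show networks mode=bssid"
# and summarizes the access points in range per channel. The sample text below is
# constructed; field names follow the English netsh output.

function ConvertFrom-NetshBssidList {
    # Returns one object per BSSID: Ssid, Bssid, SignalPercent, Radio, Channel.
    param([string[]]$Lines)
    $ssid = $null
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*SSID\s+\d+\s*:\s*(.*)$') {
            $ssid = $Matches[1].Trim()      # empty when the SSID is hidden
            continue
        }
        if ($line -match '^\s*BSSID\s+\d+\s*:\s*([0-9a-fA-F:]{17})') {
            if ($current) { $current }       # emit the previous BSSID
            $current = [pscustomobject]@{
                Ssid = $ssid; Bssid = $Matches[1]; SignalPercent = $null; Radio = $null; Channel = $null
            }
            continue
        }
        if (-not $current) { continue }
        if ($line -match '^\s*Signal\s*:\s*(\d+)\s*%')       { $current.SignalPercent = [int]$Matches[1] }
        elseif ($line -match '^\s*Radio type\s*:\s*(.+)$') { $current.Radio = $Matches[1].Trim() }
        elseif ($line -match '^\s*Channel\s*:\s*(\d+)')    { $current.Channel = [int]$Matches[1] }
    }
    if ($current) { $current }
}

function Get-ChannelSummary {
    # Groups BSSIDs by channel; a channel shared by several strong networks is a
    # candidate for the "change the channel" advice.
    param([object[]]$Bssids)
    $Bssids | Group-Object Channel | Sort-Object { [int]$_.Name } | ForEach-Object {
        [pscustomobject]@{
            Channel   = [int]$_.Name
            Networks  = $_.Count
            Strongest = ($_.Group | Measure-Object SignalPercent -Maximum).Maximum
            Ssids     = (($_.Group | ForEach-Object { $_.Ssid }) | Sort-Object -Unique) -join ', '
        }
    }
}

# Constructed sample: two access points sharing channel 6, one alone on channel 11.
$sample = @'
SSID 1 : ADatum1
    Network type            : Infrastructure
    Authentication          : WPA2-Enterprise
    Encryption              : CCMP
    BSSID 1                 : 00:11:22:33:44:55
         Signal             : 81%
         Radio type         : 802.11n
         Channel            : 6
    BSSID 2                 : 00:11:22:33:44:66
         Signal             : 52%
         Radio type         : 802.11n
         Channel            : 11
SSID 2 : CoffeeShop
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None
    BSSID 1                 : 66:77:88:99:aa:bb
         Signal             : 40%
         Radio type         : 802.11g
         Channel            : 6
'@ -split "`r?`n"

Get-ChannelSummary (ConvertFrom-NetshBssidList $sample) | Format-Table -AutoSize
# Live survey of whatever the adapter saw on its last scan:
Get-ChannelSummary (ConvertFrom-NetshBssidList (netsh wlan show networks mode=bssid)) | Format-Table -AutoSize
```

netsh reports the adapter's most recent scan, so open the network list (or reconnect) before running the live survey to refresh it. In the 2.4 GHz band only channels 1, 6 and 11 do not overlap, so a WAP moved to channel 8 still shares spectrum with neighbours on 6 and 11.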
In cases where you cannot see the wireless network, consider the following troubleshooting steps:
- Check that your wireless network adapter has the correct driver and is working properly.
- Check your computer for an external switch for the wireless network adapter.
- Check that the WAP is turned on and working properly.
- Check whether the WAP is configured to advertise its SSID.
Question: What devices can interfere with a wireless network signal?
1. Attempt to connect to a wireless network. Use the Connect to a network dialog box in Windows 8 to list each available wireless network, and then attempt network connections. You can access the Connect to a network dialog box from the Network and Sharing Center or from the network icon on the System Tray.
2. Run the Windows Network Diagnostics tool. You can run the tool by right-clicking the Network icon on the System Tray, and then clicking Troubleshoot problems.
3. Review the diagnostic information. The Windows Network Diagnostics tool in Windows 8 will attempt to correct any problems. If this is not possible, the tool provides a list of possible problems.
4. Identify the problem from the list of problems found. Use the list from the Windows Network Diagnostics tool to help identify the problem.
5. Resolve the problem that you identify. Use the information in the previous step to implement a resolution.
A. Datum Corporation is planning to implement a wireless network to enable certain employees to connect their laptops to the corporate network. Additionally, they would like to enable visitors to connect their laptops to a restricted network that provides Internet access only.
Objectives
Create an implementation plan for a wireless network. Troubleshoot issues arising from the wireless deployment plan. Configure a wireless network policy.
Lab Setup
Estimated Time: 30 minutes
Virtual Machine(s): 20687A-LON-DC1
User Name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
o User name: Administrator
o Password: Pa$$w0rd
o Domain: Adatum
Holly Dickson is the IT manager at A. Datum, and you have been working with her on the wireless networking project. Holly wants you to determine what you need to enable wireless access for employees and visitors. The A. Datum offices take up the entirety of a small building that spans two floors, with the employees mainly confined to the upper floor. The ground floor provides conferencing facilities and a reception area. Holly has produced the A. Datum Wireless Network Requirements document. You must consider each requirement, and then make a corresponding proposal that indicates how you will meet that requirement. Note: Your instructor may decide to run this exercise as a class discussion.
A. Datum Wireless Network Requirements
Document reference: HD-29-04-12
Document author: Holly Dickson
Date: April 29
Requirements Overview
I want to deploy wireless networks throughout the London offices. Security is critical, and we must deploy the strongest security measures available. Some of our older computer equipment supports earlier wireless standards only. Cordless telephones are in use in some parts of the building. We are located in a busy trading district, with other commercial organizations located nearby. Again, it is important that our network is not compromised.
Additional Information
Proposals
The main tasks for this exercise are as follows:
1. Read the A. Datum Wireless Network Requirements document.
2. Update the document with your proposed course of action.
Consider the following questions as you read the document:
1. What technical factors will influence the purchasing decision for the WAPs that Holly needs to consider?
2. How many WAPs does Holly need to purchase?
3. Where will you advise Holly to place the WAPs?
4. Which security measures will you recommend to Holly?
Task 2: Complete the proposals section of the A. Datum Wireless Network Requirements document.
Results: After this exercise, you should have a proposal for the implementation of wireless networks in the London offices of A. Datum.
Holly has placed a call to you on the help desk. The A. Datum wireless network is a great success. However, there have been some ongoing problems with intermittent connections. Additionally, some staff members can connect to the A. Datum corporate network from the parking lot.
Note: Your instructor may run this exercise as a class discussion.
A. Datum Incident Record
Incident number: 501235
Date and time of call: May 21 10:45am
User: Holly Dickson
Incident Details
Intermittent connection problems from computers connecting to the wireless network. Some users can connect to the wireless access points from the parking lot.
Plan of Action
The main tasks for this exercise are as follows:
1. Read help-desk incident record 501235.
2. Update the plan of action section of incident record 501235.
Consider the following questions as you read the incident record:
2. What do you suspect is causing these problems?
3. How will you rectify these problems?
Task 2: Update the plan of action section of incident record 501235 with your recommendations.
Results: After this exercise, you should have a completed action plan for resolution of the A. Datum issues.
In this exercise, you will configure a wireless network policy that supports the wireless network design that you planned.
Note: Group Policy Objects (GPOs) and implementing GPOs are discussed in Module 8: Securing Windows 8 Desktops.
The main tasks for this exercise are as follows:
1. Open Group Policy Management Editor.
2. Create a wireless network policy.
Select the Create A New Wireless Network Policy for Windows Vista and Later Releases option. Configure the policy with the following settings:
o Policy Name: A Datum Wireless Policy
o Profile Type: Infrastructure
o Profile Name: A Datum Wireless Profile
o Network Name(s) (SSID): A Datum 1, A Datum 2
Confirm all your changes, and then close all open windows.
Results: After this exercise, you should have implemented a wireless network policy.
Common issues:
- Windows is not configured to connect to the right type of network.
- The router or WAP is busy.
Question: You are implementing wireless networking in your organization. Which wireless network technology standards and which type of security (authentication and encryption) will you choose?
Question: Your organization already has a wireless network in place. Your users are complaining that the performance of the wireless network is not as good as the wired network. What can you do to increase the performance of the wireless network?
Tools
Tool                                  Use to                                                                  Where to find it
Network and Sharing Center            Configure network settings                                              Control Panel; System Tray
Connect to a Network                  Configure a Windows 8-based client to connect to a wireless network
(tool name not preserved on this page) Configure local or remote network settings
(tool name not preserved on this page) Troubleshoot access to wireless networks
Module 6
Implementing Network Security
Contents:
Module Overview  6-1
Lesson 1: Overview of Threats to Network Security  6-2
Lesson 2: Configuring Windows Firewall  6-8
Lab A: Configuring Inbound and Outbound Firewall Rules  6-16
Lesson 3: Securing Network Traffic  6-18
Lab B: Configuring Connection Security Rules  6-28
Lesson 4: Configuring Windows Defender  6-30
Lab C: Configuring Host-Based Virus and Malware Protection  6-33
Module Review and Takeaways  6-35
Module Overview
When you connect your computers to a network, you may expose them to additional security threats. You need to formulate a strategy to protect your computers. User policies, antivirus software, encrypted network traffic, and other protective measures work together to shield your computers from security threats. It is also important to identify possible threats, and optimize the appropriate Windows network security features, such as Windows Firewall and Windows Defender, to help to eliminate them.
Objectives
After completing this module, you will be able to:
- Describe the threats to network security.
- Explain how to configure Windows Firewall.
- Explain how to configure inbound and outbound firewall rules.
- Explain how to secure network traffic.
- Explain how to configure connection security rules.
- Explain how to configure Windows Defender.
- Explain how to configure host-based virus and malware protection.
Lesson 1: Overview of Threats to Network Security
Security is an integral part of any computer network, and you must consider it from many perspectives. You must understand the nature of network-based security threats, and be able to implement appropriate security measures to mitigate these threats. In this lesson, you will learn about some of these threats and the defense-in-depth strategy that helps you lessen your vulnerability to them. Finally, you will learn about ways to mitigate the various network security threats discussed.
- Denial-of-service. This attack limits the function of a network application, or makes the application or network resource unavailable. There are numerous ways in which attackers can initiate a denial-of-service attack. However, attackers are often aware of vulnerabilities in the target application that they can exploit to render it unavailable.
Note: Hacking is a generic term that refers to the act of trying to crack a computer program or code. When talking about network security, hacking is an important topic because malicious users will hack your network to attack it, your extended user base, or your cache of applications and sensitive intellectual property.
- Port scanning. Applications running on a computer using the TCP/IP protocol use TCP or User Datagram Protocol (UDP) ports to identify themselves. One way that attackers exploit your network is to query hosts for the ports on which they listen for client requests. These ports are said to be open. Once attackers identify an open port, they can use other attack techniques to attempt access to your network.
- Man-in-the-middle. The network attacker uses a computer to impersonate a legitimate host on the network with which your computers are communicating. The attacker intercepts all of the communications intended for the destination host. The attacker may wish to view the data in transit between the two hosts, but also can modify the data in transit before forwarding the packets to the destination host.
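A port scan only finds what a host already exposes, so the defender's counterpart to the port-scanning threat above is an inventory of the host's own listeners. The following Windows PowerShell script is an added example, not course material: it parses netstat -ano (present on every Windows version) into the TCP ports in LISTENING state and the bound UDP ports, names the process behind each, marks the ones bound to every interface rather than loopback only, and then shows whether each Windows Firewall profile blocks unsolicited inbound traffic by default, since a listener is only reachable from the network if the firewall lets the connection through. It assumes the Windows 8 NetSecurity module for Get-NetFirewallProfile; run it elevated to see the executable path of system processes.

```powershell
# Added example (not from the course). Lists the ports this computer is listening on,
# the process behind each, and whether the listener is bound to every interface
# (0.0.0.0 or ::) rather than loopback only. Uses "netstat -ano"; run elevated to see
# the executable path of system processes.

function Get-ListeningEndpoint {
    # Returns one object per TCP socket in LISTENING state and per bound UDP socket.
    $rows = netstat -ano | Where-Object { $_ -match '^\s*(TCP|UDP)\s' }
    foreach ($row in $rows) {
        $f = -split $row.Trim()                 # Proto, Local, Foreign, [State], PID
        $proto = $f[0]
        if ($proto -eq 'TCP' -and $f[3] -ne 'LISTENING') { continue }
        # Local endpoint is "addr:port" for IPv4 and "[addr]:port" for IPv6.
        if ($f[1] -notmatch '^\[?(.*?)\]?:(\d+)$') { continue }
        $addr = $Matches[1]
        $port = [int]$Matches[2]
        $ownerPid = [int]$f[-1]
        $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
        $name = if ($proc) { $proc.ProcessName } else { "pid $ownerPid" }
        $path = try { if ($proc) { $proc.Path } else { $null } } catch { $null }
        [pscustomobject]@{
            Protocol     = $proto
            LocalAddress = $addr
            LocalPort    = $port
            AnyInterface = ($addr -in @('0.0.0.0', '::'))
            Process      = $name
            Path         = $path
        }
    }
}

function Get-FirewallInboundDefault {
    # Whether each Windows Firewall profile blocks unsolicited inbound traffic by default
    # (NetSecurity module, Windows 8 / Windows Server 2012 and later).
    Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
}

Get-ListeningEndpoint | Where-Object { $_.AnyInterface } |
    Sort-Object Protocol, LocalPort | Format-Table -AutoSize
Get-FirewallInboundDefault | Format-Table -AutoSize
```

Anything in the first table that is not a service you intend to offer is a candidate for disabling, or at least for an explicit deny rule; compare the list against the output of the same script run from another host with a port scanner to confirm that the firewall really hides the rest.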
You can mitigate risks to your computer network by providing security at differing infrastructure layers. The term defense-in-depth typically describes the use of multiple security technologies at different points throughout your organization.
Physical security measures must complement organizational policies regarding security best practices. For example, enforcing a strong user password policy is not helpful if users write their passwords down on sticky notes, and then attach those notes to their computer screens. When you are establishing a security foundation for your organization's network, it is a good idea to start by creating appropriate policies and procedures, and making users aware of them. Then you may progress to the other aspects of the defense-in-depth model.

Even when you implement rules to prevent security problems, users can circumvent them, either by plan or inadvertently. Some ways that users can compromise policies and procedures include:
- Users are unaware of the rules. When users are unaware of the rules, you cannot expect them to follow them.
- Users viewing the rules as unnecessary. If you do not adequately communicate the reason for rules, then some users will think of them as unnecessary.
- Social engineering. Users and computer administrators are vulnerable to social engineering, where malicious users manipulate them into breaking the rules or revealing sensitive data. An example of this is when you receive an email that appears to be from your bank, asking you to update your account information by following a link in the email that resolves to a website that does not actually belong to your banking system.
Mitigation
You should consider taking the following actions to mitigate these threats:
- Create specific rules that help prevent social engineering.
- Educate users on rules and their relevance.
- Implement compliance monitoring.
Physical Security
Enterprise administrators commonly overlook physical security, with respect to securing their computer systems. If any unauthorized person can gain physical access to your computer, then most other security measures are of little consequence. Ensure that computers containing the most sensitive data, such as servers, are physically secure. In general, anyone that has physical access to computer systems can:
- Damage systems. This can be as simple as storing a server next to a desk, where a user may accidentally bump into it or knock a drink over onto it.
- Install unauthorized software on systems. Malicious users can utilize unauthorized software to attack systems. For example, there are utilities available to reset the administrator password on a Windows-based workstation or member server.
- Steal hardware. Malicious users can steal laptops if you do not ensure that your users leave laptops secured. They even can steal servers, and their often sensitive data, that you do not secure properly.
Mitigation
Consider the following to help to mitigate physical security threats:
- Restrict physical access by locking doors.
- Monitor server room access.
- Install fire suppression equipment.
Perimeter
These days, no organization is an isolated enterprise. Organizations operate within a global community, and network resources must be available to service that global community. Perimeter layer security refers to the connectivity between your network and other untrusted networks. This might include building a website to describe your organization's services, or making internal services, such as web conferencing and email, accessible externally, so that users can work from home or from satellite offices.

Perimeter networks mark the boundary between public and private networks. By providing specialist servers, such as reverse proxy servers, in your perimeter network, you can provide corporate services across the public network in a more secure manner.

Note: A reverse proxy enables you to publish services from the corporate intranet, such as email or web services, without placing the email or web servers in the perimeter.

There are other access issues that you need to consider, as well:
- Remote access client. While you can control the conditions under which they can connect, these client computers are accessing your network from a remote location over which you have little or no control. Because of this, these types of clients have access to more data than your typical Internet client that connects to a web page.
- Business partners. You do not control the networks of business partners, which means that you cannot ensure that they have appropriate security controls in place. Therefore, if a business partner is compromised, then the network links between your organization and that business partner pose a risk.
Mitigation
Consider the following to help to mitigate perimeter security threats:
- Implement firewalls at network boundaries.
- Implement network address translation (NAT).
- Use virtual private networks (VPNs), and implement encryption.
Internal Networks
As soon as you connect computers to a network, they are susceptible to a number of threats. Internal network layer security refers to services and processes on your internally controlled network, including local area networks (LANs) and wide area networks (WANs). The latter includes Multiprotocol Label Switching (MPLS) circuits, where you control all aspects of the network.
The security threats to the internal network include eavesdropping, spoofing, denial of service, and replay attacks. This is especially relevant when communication occurs over public networks because users are working from home, remote offices, or other locations such as coffee shops.
Mitigation
Here are some considerations for how you can mitigate these threats:
- Segment your network.
- Implement Internet Protocol Security (IPsec).
- Implement a Network Intrusion Detection System (NIDS).
Host
The host layer refers to the network's individual computers. This includes the operating system, but not application software. Host-layer security includes operating system services, such as a web server, and it can be compromised by:
- Operating system vulnerabilities. An operating system is complex. Consequently, there are often vulnerabilities that hackers can exploit. These vulnerabilities enable attackers to install malicious software or control hosts.
- Default operating system configurations. Operating systems and their services include default configurations. In some cases, the default configuration may not include a password or may include sample files with vulnerabilities. Attackers use their knowledge of default configurations to compromise systems.
- Viruses that attack hosts. The virus uses operating system flaws or default configurations to infect and replicate itself.
Mitigation
Consider the following to help you to mitigate these threats:
- Harden operating systems.
- Implement a host-based intrusion detection system (HIDS).
- Use host-based antivirus/anti-malware and anti-spyware software, such as Windows Defender.
Application
The application layer refers to applications that are running on the hosts. This includes additional services, such as mail servers, and desktop applications, such as the Microsoft Office suite of tools. The risks to applications are similar to the risks that hosts face, and can include:
- Application vulnerabilities. Applications are complex programs that are likely to have vulnerabilities. Attackers can use these vulnerabilities to install malicious applications or remotely control a computer.
- Default application configurations. Applications, such as databases, may have a default password or no password at all. Not securing the default configuration simplifies the work of attackers attempting to access a system.
- Viruses that users introduce. In some cases, users introduce viruses by their actions rather than by flaws. In other cases, an application is actually a Trojan horse that contains malicious code embedded in what appears to be a useful application.
Mitigation
Consider the following to help you to mitigate these threats:
- Run applications with the lowest level of privileges possible.
- Install Microsoft and third-party application security updates.
- Enable only required features and functionality for operating systems and applications.
Data
The final layer of security is data security. This includes data files, application files, databases, and Active Directory Domain Services (AD DS). When your data layer becomes compromised, it can result in:
- Unauthorized access to data files. Unauthorized access to data files may result in unintended users reading data, such as users inadvertently viewing salaries for other staff members. It also may result in data modification, which could cause it to be inaccurate.
- Unauthorized access to AD DS. Malicious users could reset user passwords, and then attack your network by using the new passwords.
- Modification of application files. When application files are modified, they may perform unwanted tasks such as data replication over the Internet, where an attacker can access it.
Mitigation
Consider the following to help you to mitigate these threats:
- Implement and configure suitable NTFS file system permissions.
- Implement encryption.
- Implement rights management.
- Perimeter networks. A perimeter network is an isolated area on your network to and from which you can define network traffic flow. When you need to make network services available on the Internet, it is not advisable to connect the hosting servers directly to the Internet. By placing these servers in a perimeter network, you can make them available to Internet users, without letting those users gain access to your corporate intranet.
- Virtual private networks (VPNs). When your users must connect to your corporate intranet from the Internet, it is important that they do so as securely as possible. The Internet is a public network, and data in transit across the Internet is susceptible to eavesdropping or man-in-the-middle attacks. Utilizing VPNs enables you to authenticate and encrypt connections between your remote users and your corporate intranet, thereby mitigating risk.
- Server hardening. By only running the services that you need, you can make your servers inherently more secure. To determine what services you require, you must establish a baseline of security among your servers. Because it is sometimes difficult to determine precisely which Windows Server services you need to support the functionality that you or your enterprise requires, you can use tools such as the Security Configuration Wizard or the Microsoft Baseline Security Analyzer to help you.
- Intrusion detection. Although it is important to implement the preceding techniques to secure your network, it also is sensible to monitor your network regularly for signs of attack. You can use intrusion-detection systems to do this, by implementing them on devices at the perimeter, such as Internet-facing routers.
- DNSSEC. DNSSEC provides the ability for DNS servers and resolvers to trust DNS responses by using digital signatures for validation. All signatures generated are contained within the DNS zone itself in the new resource records. When a resolver issues a query for a name, the accompanying digital signature is returned in the response. Validation of the signature is then performed through the use of a preconfigured trust anchor. Successful validation proves that the data has not been modified or tampered with in any way.
Lesson 2
Windows has a built-in firewall that helps protect your computer from access attempts by unauthorized computers on the network. These unauthorized attempts could be coming from the Internet or your local LAN. Firewalls work on the principle of filtering network traffic based on the traffic's characteristics, and then either allowing or blocking the traffic, depending on your configuration.
- Private networks: Networks at home or work, where you know and trust the people and devices on the network. When you select Home or work (private) networks, this turns on Network Discovery. Computers on a home network can belong to a HomeGroup.
- Guest or public networks: Networks in public places. This location keeps the computer from being visible to other computers. When you select the Public place network location, HomeGroup is not available, and Network Discovery is turned off.
You can modify the firewall settings for each type of network location from the main Windows Firewall page. Click Turn Windows Firewall on or off, select the network location, and then make your selection. You can also modify the following options:
- Block all incoming connections, including those in the list of allowed programs
- Notify me when Windows Firewall blocks a new program
Note: Your system administrator can configure Windows Firewall settings by using Group Policy (to be covered in Module 8).
The Public networks location blocks certain programs and services from running, which protects your computer from access that you do not authorize. If you connect to a Public network, and Windows Firewall is on, some programs or services might ask you to allow them to communicate through the firewall so that they can work properly.
It generally is safer to add a program to the list of allowed programs than to open a port. If you open a port, you unlock and open the door, and it stays open until you close it, whether a program is using it or not. If you add a program to the list of allowed programs, you are unlocking the door, but not opening it. The door is open only for communication, as and when a program or the computer requires it.

To add, change, or remove allowed programs and ports, click Allow an app or feature through Windows Firewall in the left pane of the Windows Firewall page, and then click Change settings. For example, to view performance counters from a remote computer, you must enable the Performance Logs and Alerts firewall exception on the remote computer.

To help decrease security risks when you are opening communications, consider the following:
- Only allow a program or open a port when necessary.
- Remove programs from the allowed programs or close ports when you do not require them.
- Never allow a program that you do not recognize to communicate through the firewall.
Windows 8 includes multiple active firewall policies. These firewall policies enable computers to obtain and apply the domain firewall profile, regardless of the networks that are active on the computers. IT professionals can maintain a single set of rules for remote clients and those that connect physically to the corporate network. To set up or modify profile settings for a network location, click Change advanced sharing settings in the left pane of the Network and Sharing Center.
You also can display firewall notifications in the taskbar. Click Change notification settings in the left pane of the Windows Firewall page, and then for each network location, check or clear the Notify me when Windows Firewall blocks a new app check box.
Windows Firewall with Advanced Security is an example of a network-aware application. You can create a profile for each network location type, with each profile containing different firewall policies. For example, you can allow incoming traffic for a specific desktop management tool when the computer is on domain networks, but block traffic when the computer connects to public or private networks. Network awareness enables you to provide flexibility on the internal network without sacrificing security when users travel. A public network profile must have stricter firewall policies to protect against unauthorized access. A private network profile might have less restrictive firewall policies to allow file and print sharing or peer-to-peer discovery.
Windows Firewall with Advanced Security Properties
Use the Windows Firewall with Advanced Security Properties dialog box to configure basic firewall properties for domain, private, and public network profiles. A firewall profile is a way of grouping settings, including firewall rules and connection security rules. Use the IPsec Settings tab on the Windows Firewall with Advanced Security Properties dialog box to configure the default values for IPsec configuration options.

Note: To access the Windows Firewall with Advanced Security Properties, perform one of the following procedures:
- In the navigation pane, right-click Windows Firewall with Advanced Security, and then click Properties.
- In the navigation pane, select Windows Firewall with Advanced Security, and then in the Overview section, click Windows Firewall Properties.
- In the navigation pane, select Windows Firewall with Advanced Security, and then in the Actions pane, click Properties.
The options that you can configure for each of the three network profiles are:
- Firewall State: Turn on or off independently for each profile.
- Inbound Connections: Configure to block connections that do not match any active firewall rules, block all connections regardless of inbound rule specifications, or allow inbound connections that do not match an active firewall rule.
- Outbound Connections: Configure to allow connections that do not match any active firewall rules or block outbound connections that do not match an active firewall rule.
- Settings: Configure display notifications, unicast responses, local firewall rules, and local connection security rules.
- Logging: Configure the following logging options:
  - Name. Use a different name for each network profile's log file.
  - Size limit (KB). The default size is 4096. Adjust this if you find it to be necessary when troubleshooting.
  - No logging occurs until you set one or both of the following two options to Yes: Log dropped packets, Log successful connections.
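The same per-profile settings and logging options, set from PowerShell with the NetSecurity cmdlets that ship with Windows 8, followed by a small parser that summarises the dropped inbound packets recorded in the resulting log. This is an added example, not code from the course; it assumes an elevated session, and the per-profile log file names and the 16384 KB size limit are choices made for the example.

```powershell
# Added example: configure the three firewall profiles and their logs with the
# NetSecurity cmdlets (Windows 8 / Server 2012 and later). Run elevated.

# Public profile: on, block inbound traffic that matches no rule, allow outbound,
# ignore locally created rules (only Group Policy rules apply), notify on block.
Set-NetFirewallProfile -Profile Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow `
    -AllowLocalFirewallRules False `
    -AllowLocalIPsecRules False `
    -NotifyOnListen True

# Domain and Private profiles: same default actions, but local rules are honoured
# so file and print sharing rules created on the computer still apply.
Set-NetFirewallProfile -Profile Domain, Private `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow `
    -AllowLocalFirewallRules True

# Logging: a separate file per profile (the file names are this example's choice),
# a larger limit than the 4096 KB default, and both "Log dropped packets" and
# "Log successful connections" set to Yes.
foreach ($profile in 'Domain', 'Private', 'Public') {
    Set-NetFirewallProfile -Profile $profile `
        -LogFileName "%systemroot%\system32\LogFiles\Firewall\pfirewall_$profile.log" `
        -LogMaxSizeKilobytes 16384 `
        -LogBlocked True `
        -LogAllowed True
}

# Read back the effective settings for all three profiles.
Get-NetFirewallProfile |
    Format-Table Name, Enabled, DefaultInboundAction, DefaultOutboundAction,
                 LogFileName, LogMaxSizeKilobytes, LogBlocked, LogAllowed -AutoSize

# Summarise a firewall log. The file is W3C-style text whose "#Fields:" header
# names the space-separated columns, so the parser takes the column names from
# the file instead of hard-coding them. Returns dropped inbound packets grouped
# by protocol and destination port, most frequent first.
function Get-DroppedInboundSummary {
    param(
        [string]$Path = "$env:systemroot\system32\LogFiles\Firewall\pfirewall_Public.log"
    )
    $fields = $null
    $rows = foreach ($line in Get-Content -Path $Path) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line -like '#*' -or -not $fields -or -not $line.Trim()) { continue }
        $values = $line -split '\s+'
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        [pscustomobject]$row
    }
    $rows |
        Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
        Group-Object -Property protocol, 'dst-port' |
        Sort-Object -Property Count -Descending |
        Select-Object -Property Count, Name
}

Get-DroppedInboundSummary | Format-Table -AutoSize
```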
Rules are a collection of criteria that define which traffic you will allow, block, or secure with the firewall. You can configure different types of rules:
- Inbound
- Outbound
- Connection Security
Inbound Rules
Inbound rules explicitly allow or block traffic that matches the rule's criteria. For example, you can configure a rule to allow traffic secured by IPsec for Remote Desktop through the firewall, but block the same traffic if it is not secured by IPsec.
When you first install Windows, Windows Firewall blocks all unsolicited inbound traffic. To allow a certain type of unsolicited inbound traffic, you must create an inbound rule that describes that traffic. For example, if you want to run a Web server, then you must create a rule that allows unsolicited inbound network traffic on TCP port 80. You can configure the default action that Windows Firewall with Advanced Security takes, which is whether to allow or block connections when no inbound rule applies.
Outbound Rules
Windows Firewall allows all outbound traffic, unless a rule blocks it. Outbound rules explicitly allow or deny traffic originating from the computer that matches the rule's criteria. For example, you can configure a rule to explicitly block outbound traffic to a computer (by IP address) through the firewall, but allow the same traffic for other computers.
- Program rules: Control connections for a program. Use this type of firewall rule to allow a connection based on the program that is trying to connect. These rules are useful when you are not sure of the port or other required settings, because you only specify the path to the program executable (.exe) file.
- Port rules: Control connections for a TCP or UDP port. Use this type of firewall rule to allow a connection based on the TCP or UDP port number over which the computer is trying to connect. You specify the protocol and individual or multiple local ports.
- Predefined rules: Control connections for a Windows experience. Use this type of firewall rule to allow a connection by selecting one of the programs or experiences from the list. Network-aware programs that you install typically add their own entries to this list so that you can enable and disable them as a group.
- Custom rules: Configure as necessary. Use this type of firewall rule to allow a connection based on criteria that other types of firewall rules do not cover.
Consider the scenario in which you want to create and manage tasks on a remote computer by using the Task Scheduler user interface. Before connecting to the remote computer, you must enable the Remote Scheduled Tasks Management firewall exception on the remote computer. You can do this by using the predefined rule type on an inbound rule.
Alternatively, you may want to block all web traffic on the default TCP web server port 80. In this scenario, you create an outbound port rule that blocks the specified port. The next topic discusses well-known ports, such as port 80.
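The rule types and the two scenarios above, as an added example written with New-NetFirewallRule rather than the console (it is not code from the course). It assumes an elevated session on Windows 8 or later; the program path, the vendor name and the 203.0.113.10 address are constructed placeholders.

```powershell
# Added example: the four firewall rule types from the text, created with the
# NetSecurity cmdlets (Windows 8 / Server 2012 and later, elevated session).
# The program path and 203.0.113.10 (RFC 5737 documentation range) are placeholders;
# the "(example)" suffix makes the rules easy to find and remove afterwards.

# Port rule, inbound: allow unsolicited TCP 80 for a web server, but only while
# the computer is on a domain or private network.
New-NetFirewallRule -DisplayName 'Allow HTTP inbound (example)' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 80 `
    -Profile Domain, Private

# Program rule, inbound: the port opens only while this executable is listening,
# so no port number has to be known or kept in sync with the application.
New-NetFirewallRule -DisplayName 'Allow ExampleAgent inbound (example)' `
    -Direction Inbound -Action Allow `
    -Program 'C:\Program Files\ExampleVendor\ExampleAgent.exe' `
    -Profile Domain

# Predefined rules: enable the built-in group as one unit; this is the PowerShell
# form of the Remote Scheduled Tasks Management exception from the Task Scheduler scenario.
Enable-NetFirewallRule -DisplayGroup 'Remote Scheduled Tasks Management'

# Port rule, outbound: block web traffic on TCP 80 to one computer (by IP address)
# while the same traffic to every other computer stays allowed.
New-NetFirewallRule -DisplayName 'Block HTTP to 203.0.113.10 (example)' `
    -Direction Outbound -Action Block -Protocol TCP -RemotePort 80 `
    -RemoteAddress 203.0.113.10

# Review: a rule object does not carry its ports, addresses or program directly;
# those live in associated filter objects, so join them for a readable listing.
Get-NetFirewallRule -DisplayName '*(example)*' | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $app  = $_ | Get-NetFirewallApplicationFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Name          = $_.DisplayName
        Direction     = $_.Direction
        Action        = $_.Action
        Profile       = $_.Profile
        Protocol      = $port.Protocol
        LocalPort     = $port.LocalPort
        RemotePort    = $port.RemotePort
        RemoteAddress = $addr.RemoteAddress
        Program       = $app.Program
    }
} | Format-Table -AutoSize

# Check whether an enabled inbound allow rule already covers a TCP/UDP port.
# Simplified: matches 'Any' and exact port numbers, not ranges such as 1024-65535.
function Test-InboundPortAllowed {
    param([Parameter(Mandatory)][int]$Port, [string]$Protocol = 'TCP')
    $rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow
    foreach ($rule in $rules) {
        $filter = $rule | Get-NetFirewallPortFilter
        if ($filter.Protocol -ne $Protocol) { continue }
        if ($filter.LocalPort -eq 'Any' -or ($filter.LocalPort -contains "$Port")) {
            return $true
        }
    }
    return $false
}

Test-InboundPortAllowed -Port 80     # $true once the HTTP rule above exists
Test-InboundPortAllowed -Port 8080   # $false unless some other rule allows it
```

Remove-NetFirewallRule -DisplayName '*(example)*' deletes the four rules again once you have finished experimenting.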
Firewall rules and connection security rules are complementary, and both contribute to a defense-in-depth strategy to protect your computer. Connection security rules secure traffic by using IPsec as it crosses the network. Use connection security rules to specify that connections between two computers must be authenticated or encrypted. Connection security rules specify how and when authentication occurs, but they do not allow connections. To allow a connection, create an inbound or outbound rule. After a connection security rule is in place, you can specify that inbound and outbound rules apply only to specific users or computers. You can create the following connection security rule types:
- Isolation rules: Isolate computers by restricting connections based on authentication criteria, such as domain membership or health status. Isolation rules allow you to implement a server or domain isolation strategy.
- Authentication exemption rules: Designate connections that do not require authentication. You can designate computers by specific IP address, an IP address range, a subnet, or a predefined group, such as a gateway. You typically use this type of rule to grant access to infrastructure computers, such as Active Directory domain controllers, certification authorities, or Dynamic Host Configuration Protocol (DHCP) servers.
- Server-to-server rules: Protect connections between specific computers. When you create this type of rule, you must specify the network endpoints between which you want to protect communications. Then, you designate requirements and the type of authentication that you want to use, such as Kerberos version 5 protocol. A scenario in which you might use this rule is to authenticate the traffic between a database server and a business-layer computer.
- Tunnel rules: Secure communications that are traveling between two computers, by using tunnel mode in IPsec instead of transport mode. Tunnel mode embeds the entire network packet into one that you route between two defined endpoints. For each endpoint, specify a single computer that receives and consumes the sent network traffic, or specify a gateway computer that connects to a private network onto which the received traffic is routed after extracting it from the tunnel.
- Custom rules: Configure as necessary. Custom rules authenticate connections between two endpoints when you cannot set up authentication rules by using the other rule types.
Monitoring
Windows Firewall uses the monitoring interface to display information about current firewall rules, connection security rules, and security associations (SAs). The Monitoring Overview page displays which profiles are active (domain, private, or public), and the settings for the active profiles. The Windows Firewall with Advanced Security events also are available in Event Viewer. For example, the ConnectionSecurity operational event log is a resource that you can use to view IPsec-related events. The operational log is always on, and it contains events for connection security rules.
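An added example (not from the course) that covers the connection security rule types above and the monitoring views in this topic: a server-to-server rule between a database server and a business-layer computer, an authentication exemption for domain controllers, a firewall rule that admits Remote Desktop only from IPsec-authenticated members of a computer group, and the PowerShell equivalents of the Monitoring node. It assumes an elevated session on Windows 8 or later; every address is constructed from the RFC 5737 documentation range and the group ADATUM\DB Servers is a placeholder.

```powershell
# Added example: connection security rules plus an authenticated-only firewall rule
# and the monitoring views, with the NetSecurity cmdlets (Windows 8 / Server 2012
# and later, elevated session). Addresses and the group name are placeholders.

# Phase 1 (main mode) authentication: computer Kerberos, i.e. domain membership.
$proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'Kerberos computer auth (example)' `
    -Proposal $proposal

# Server-to-server rule: traffic between the database server (192.0.2.10) and the
# business-layer computer (192.0.2.20) must be authenticated in both directions;
# if the two computers cannot authenticate each other, IPsec blocks the connection.
New-NetIPsecRule -DisplayName 'DB to app tier (example)' `
    -LocalAddress 192.0.2.10 -RemoteAddress 192.0.2.20 `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $authSet.Name -Mode Transport

# Authentication exemption rule: the domain controllers are exempt (security None).
# Without this, no computer could reach the KDC to obtain the Kerberos ticket that
# the rule above demands.
New-NetIPsecRule -DisplayName 'Exempt domain controllers (example)' `
    -RemoteAddress 192.0.2.5, 192.0.2.6 `
    -InboundSecurity None -OutboundSecurity None

# Connection security rules authenticate; they do not allow traffic. This inbound
# rule allows Remote Desktop (TCP 3389) only when IPsec authenticated and encrypted
# the connection and the peer is a member of the placeholder computer group;
# unauthenticated attempts on the same port get the profile's default action.
$account  = New-Object System.Security.Principal.NTAccount('ADATUM', 'DB Servers')
$groupSid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
New-NetFirewallRule -DisplayName 'RDP from authenticated DB servers (example)' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 3389 `
    -Authentication Required -Encryption Required `
    -RemoteMachine "O:LSD:(A;;CC;;;$groupSid)"

# Monitoring, the PowerShell counterpart of the Monitoring node: active profiles,
# the live main mode and quick mode security associations, and the most recent
# entries of the always-on ConnectionSecurity operational log.
Get-NetFirewallProfile | Select-Object Name, Enabled
Get-NetIPsecMainModeSA
Get-NetIPsecQuickModeSA
Get-WinEvent -LogName 'Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity' `
    -MaxEvents 20 | Select-Object TimeCreated, Id, Message
```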
Well-Known Ports
The Internet Assigned Numbers Authority (IANA) assigns the well-known ports, and on most systems, typically only system processes or programs that privileged users execute can use these ports. Ports receive a number between 0 and 65,535, and fall into three ranges:
- Well-known ports are those from 0 through 1,023.
- Registered ports are those from 1,024 through 49,151.
- Dynamic and private ports are those from 49,152 through 65,535.
To view the current TCP/IP network connections and listening ports, use the netstat -a command.
IANA assigns well-known ports to specific applications, so that client applications can locate them on remote systems. Therefore, to the extent that is possible, use the same port assignments with TCP and UDP. To view a list of well-known ports and the associated services recognized by Windows 8, open the C:\Windows\System32\drivers\etc\Services file. The following table identifies some well-known ports.

Port   Protocol   Application
21     TCP        File Transfer Protocol (FTP)
23     TCP        Telnet
25     TCP        Simple Mail Transfer Protocol (SMTP) that email servers and clients use to send email
53     UDP        Domain Name System (DNS)
53     TCP        DNS
80     TCP        Hypertext Transfer Protocol (HTTP) that a web server uses
110    TCP        Post Office Protocol version 3 (POP3) that email clients use for email retrieval
143    TCP        Internet Message Access Protocol (IMAP) used for email retrieval from email clients
161    UDP        Simple Network Management Protocol (SNMP)
389    TCP        Lightweight Directory Access Protocol (LDAP)
443    TCP        Hypertext Transfer Protocol Secure (HTTPS) for secured web servers
3389   TCP        Remote Desktop Protocol (RDP) is a proprietary protocol that provides a user with a graphical interface to another computer
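As an added example (not from the course), a PowerShell alternative to reading netstat -a by eye: it parses the Services file named above into a protocol/port lookup, lists the ports the computer is actually listening on, classifies each into the three IANA ranges, and names the owning process. It assumes the NetTCPIP cmdlets that ship with Windows 8 and reads the Services file from the default location.

```powershell
# Added example: map listening ports to the names in
# %SystemRoot%\System32\drivers\etc\services and to the IANA range they fall in.
# Needs the NetTCPIP module (Windows 8 / Server 2012 and later).

function Get-WellKnownPortMap {
    param([string]$Path = "$env:SystemRoot\System32\drivers\etc\services")
    # Lines look like "http   80/tcp   www www-http   #World Wide Web". Keep the
    # first name seen for each protocol/port pair; comments and blanks do not match.
    $map = @{}
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\s*(\S+)\s+(\d+)/(tcp|udp)') {
            $key = '{0}/{1}' -f $Matches[3].ToUpper(), $Matches[2]
            if (-not $map.ContainsKey($key)) { $map[$key] = $Matches[1] }
        }
    }
    return $map
}

function Get-PortRange {
    param([Parameter(Mandatory)][int]$Port)
    # The three ranges described in the text.
    if ($Port -le 1023)      { return 'well-known' }
    elseif ($Port -le 49151) { return 'registered' }
    else                     { return 'dynamic/private' }
}

function Get-ListeningPortReport {
    $map = Get-WellKnownPortMap
    # TCP sockets in the LISTEN state and every bound UDP endpoint.
    $tcp = Get-NetTCPConnection -State Listen | ForEach-Object {
        [pscustomobject]@{ Protocol = 'TCP'; Port = $_.LocalPort; Address = $_.LocalAddress; ProcessId = $_.OwningProcess }
    }
    $udp = Get-NetUDPEndpoint | ForEach-Object {
        [pscustomobject]@{ Protocol = 'UDP'; Port = $_.LocalPort; Address = $_.LocalAddress; ProcessId = $_.OwningProcess }
    }
    @($tcp) + @($udp) | Sort-Object -Property Protocol, Port, Address -Unique | ForEach-Object {
        $proc = Get-Process -Id $_.ProcessId -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Protocol = $_.Protocol
            Port     = $_.Port
            Range    = Get-PortRange -Port $_.Port
            Service  = $map['{0}/{1}' -f $_.Protocol, $_.Port]   # $null when not in the file
            Process  = $proc.ProcessName
            Address  = $_.Address
        }
    }
}

# Listening ports in the well-known range are the ones to reconcile against the
# firewall's inbound rules: each should be either intended and allowed, or closed.
Get-ListeningPortReport | Where-Object Range -eq 'well-known' | Format-Table -AutoSize
```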
Typically, it is not necessary to configure applications to use specific ports. However, you must be aware of the ports that applications are using, to ensure that the required ports are open through your firewall when you use a port rule. Remember, when you add a TCP or UDP port to the rules list, the port is open whenever Windows Firewall with Advanced Security is running, regardless of whether there is a program or system service listening for incoming traffic on the port. For this reason, if you need to allow unsolicited incoming traffic, create a program rule instead of a port rule. With a program rule, the port opens and closes dynamically as the program requires. You also do not need to be aware of the port number that the application is using. If you change the application port number, the firewall automatically continues communication on the new port.
Objectives
- Test ping in the network.
- Create an inbound firewall rule.
- Create an outbound firewall rule.
- Test firewall rules.
Lab Setup
Estimated Time: 20 minutes
Virtual machines: 20687A-LON-DC1, 20687A-LON-CL1, 20687A-LON-CL2
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   - User name: Adatum\Administrator
   - Password: Pa$$w0rd
   - Domain: Adatum
5.
Results: At the end of this exercise, you will have configured and tested an inbound firewall rule.
When you are finished with the lab, leave the virtual machines running, as they are needed for the next lab.
Lesson 3
IPsec is a suite of protocols that can protect data in transit through a network, by using security services and, optionally, digital certificates with public and private keys. Because of its design, IPsec helps provide much better security than previous protection methods. Network administrators who use it do not have to configure security for individual programs.

You can use connection security rules to configure IPsec settings for specific connections between your computer and others. Windows Firewall with Advanced Security uses the rule to evaluate network traffic, and then blocks or allows messages based on the criteria that you establish in the rule. In some circumstances, Windows Firewall with Advanced Security will block the communication. If you configure settings that require security for a connection (in either direction), and the two computers cannot authenticate each other, then IPsec blocks the connection. Once you enable and configure IPsec, it is important that you know how to monitor IPsec.
Benefits of IPsec
You can use IPsec to ensure confidentiality, integrity, and authentication in data transport across insecure channels. Though its original purpose was to secure traffic across public networks, many organizations have chosen to implement IPsec to address perceived weaknesses in their own private networks that might be susceptible to exploitation. If you implement it properly, IPsec provides a private channel for sending and exchanging potentially sensitive or vulnerable data, whether it is email, FTP traffic, news feeds, partner and supply-chain data, medical records, or any other type of TCP/IP-based data.
IPsec:
- Offers mutual authentication before and during communications.
- Forces both parties to identify themselves during the communication process.
- Enables confidentiality through IP traffic encryption and digital packet authentication.
IPsec Modes
IPsec has two modes:
- Encapsulating Security Payload (ESP): Encrypts data through one of several available algorithms.
- Authentication Header (AH): Signs traffic, but does not encrypt it.
ESP and AH verify the integrity of all IP traffic. If a packet has been modified, the digital signature will not match, and IPsec will discard the packet. ESP in tunnel mode encrypts the source and destination addresses as part of the payload. In tunnel mode, a new IP header is added to the packet, specifying the tunnel endpoints' source and destination addresses. ESP can make use of the Data Encryption Standard (DES), Triple DES (3DES), and Advanced Encryption Standard (AES) encryption algorithms in Windows Server 2008 R2. As a best practice, you should avoid using DES, unless the clients cannot support the stronger encryption that AES or 3DES offer.
ESP and AH use sequence numbers, so any packets that malicious users attempt to capture for later replay are using numbers out of sequence. Using sequenced numbers ensures that an attacker cannot reuse or replay captured data to establish a session or gain information illegally. Using sequenced numbers also protects against attempts to intercept a message and use it to access resources illegally, possibly months later.
Using IPsec
Some network environments are ideal for using IPsec as a security solution, while others are not. We recommend IPsec for the following uses:
- Packet filtering: IPsec provides limited firewall capabilities for end systems. You can use IPsec with the Network Address Translation (NAT)/Basic Firewall component of the Routing and Remote Access Service to permit or block inbound or outbound traffic.
- Securing host-to-host traffic on specific paths: You can use IPsec to protect traffic between servers or other static IP addresses or subnets. For example, IPsec can secure traffic between domain controllers in different sites, or between web servers and database servers.
- Securing traffic to servers: You can require IPsec protection for all client computers that access a server. Additionally, you can set restrictions on which computers can connect to a server that is running Windows Server 2008 R2.
- Layer Two Tunneling Protocol (L2TP)/IPsec for VPN connections: You can use the combination of L2TP and IPsec (L2TP/IPsec) for all VPN scenarios. This does not require you to configure and deploy IPsec policies.
- Site-to-site (gateway-to-gateway) tunneling: You can use IPsec in tunnel mode for site-to-site (gateway-to-gateway) tunnels when you need interoperability with third-party routers, gateways, or end systems that do not support L2TP/IPsec or Point-to-Point Tunneling Protocol (PPTP) connections.
- Enforcing logical networks (server/domain isolation): In a Microsoft Windows-based network, you can isolate server and domain resources logically to limit access to authenticated and authorized computers. For example, you can create a logical network inside the existing physical network, where computers share common requirements for secure communications. To establish connectivity, each computer in this logically isolated network must provide authentication credentials to other computers.
This isolation prevents unauthorized computers and programs from gaining inappropriate access to resources. IPsec ignores requests from computers that are not part of the isolated network. Server and domain isolation can protect specific high-value servers and data, and protect managed computers from unmanaged or rogue computers and users. You can protect a network with two types of isolation:
- Server isolation: To isolate a server, you configure specific servers with an IPsec policy that requires authenticated communications from other computers. For example, you might configure the database server to accept connections from the web application server only.
- Domain isolation: To isolate a domain, you use Active Directory domain membership to ensure that computers that are domain members accept only authenticated and secured communications from other domain-member computers. The isolated network consists only of that domain's member computers, and domain isolation uses IPsec policy to protect traffic that is sent between domain members, including all client and server computers.
Note: Because IPsec policy filters are keyed on IP addresses, you cannot specify dynamic IP addresses in them, so a server that appears in a filter usually needs a static IP address. In large network deployments, and in some mobile user cases, dynamic IP addresses at both ends of the connection increase the complexity of IPsec policy design.

Network management functions that must inspect TCP, UDP, and other protocol headers are less effective, or cannot function at all, because of IPsec encapsulation or IP payload encryption.
Additionally, the IPsec protocol and implementation have characteristics that require special consideration when you perform the following tasks:
- Protecting traffic over wireless 802.11 LANs: You can use IPsec transport mode to protect traffic that is sent over 802.11 networks. However, we do not recommend IPsec for securing corporate 802.11 wireless local area networks (LANs). Instead, use Wi-Fi Protected Access (WPA) or WPA2 encryption together with Institute of Electrical and Electronics Engineers (IEEE) 802.1X authentication. IPsec requires support, configuration management, and trust on both client computers and servers. Because many computers on a network do not support IPsec or are not managed, it is not appropriate to use IPsec alone to protect all 802.11 corporate wireless LAN traffic. Additionally, IPsec tunnel mode policies are not optimized for mobile clients with dynamic IP addresses, and IPsec tunnel mode does not support dynamic address assignment or user authentication, which remote access VPN scenarios need. Use L2TP/IPsec VPN connections to secure remote access traffic to organizational networks when that traffic is sent over public wireless networks that are connected to the Internet.
- Using IPsec in tunnel mode for remote access VPN connections: We do not recommend that you use IPsec in tunnel mode for remote access VPN scenarios for Windows-based VPN clients and servers. Instead, use L2TP/IPsec or PPTP (L2TP/IPsec is the stronger of the two).
- IP Security Policy MMC snap-in: This snap-in enables you to configure IPsec policies that apply both to computers running earlier Windows versions and to computers running the current Windows version, so it is useful for environments where those versions coexist. You cannot use this snap-in to configure Windows Firewall with Advanced Security settings.
- Netsh: Netsh is a command-line tool that you can use to configure network component settings. Windows Firewall with Advanced Security provides the netsh advfirewall context, which you can use to configure Windows Firewall with Advanced Security settings, including connection security rules (netsh advfirewall consec). The older netsh ipsec context manages IPsec policies from the IP Security Policy snap-in.
- Windows PowerShell cmdlets: In Windows 8 you can use the NetSecurity module cmdlets to configure IPsec. For example, the following creates a connection security rule in a Group Policy object (the GPO name is a placeholder):

    New-NetIPsecRule -DisplayName "Require Inbound Authentication" -InboundSecurity Require -OutboundSecurity Request -PolicyStore "Adatum.com\gpo_name"
- Authentication Exemption: You can use an authentication exemption to designate connections that do not require authentication. You can designate computers by a specific IP address, an IP address range, a subnet, or a predefined group, such as a gateway.
- Server to Server: A server-to-server rule protects connections between specific computers. This type of rule usually protects connections between servers. When you create the rule, you specify the network endpoints between which communications are protected. You then designate requirements and the authentication you want to use.
- Tunnel: A tunnel rule allows you to protect connections between gateway computers, and typically you use it when you are connecting across the Internet between two security gateways.
- Custom: Sometimes, you cannot set up the authentication rules that you need by using the rules available in the New Connection Security Rule Wizard. In such cases, you can use a custom rule to authenticate connections between two endpoints.
How Firewall Rules and Connection Security Rules Are Related

Firewall rules allow traffic through the firewall, but do not secure that traffic. To secure traffic with IPsec, you create connection security rules. However, creating a connection security rule does not allow the traffic through the firewall. If the traffic is not allowed by the firewall's default behavior, you must also create a firewall rule. Connection security rules do not apply to programs and services; they apply between the computers that are the two endpoints. A firewall rule can in turn be scoped to allow only traffic that a connection security rule has authenticated, which is how the two mechanisms combine for isolation.
Request Authentication for Inbound and Outbound Connections

Use the Request authentication for inbound and outbound connections option to specify that all inbound and outbound traffic should attempt to authenticate, but that the connection is still allowed if authentication fails. If authentication succeeds, the traffic is protected. You typically use this option in low-security environments, or in an environment where computers must be able to connect but cannot perform the types of authentication that are available with Windows Firewall with Advanced Security. Because an unauthenticated peer is accepted, this mode provides no guarantee about who is on the other end.

Require Authentication for Inbound Connections, and Request Authentication for Outbound Connections

Use the Require authentication for inbound connections, and request authentication for outbound connections option if you want to require that all inbound traffic is authenticated or else blocked. Outbound traffic attempts authentication, but is allowed if authentication fails; if authentication succeeds for outbound traffic, that traffic is authenticated. You typically use this option in most IT environments in which the computers that need to connect can perform the authentication types that are available with Windows Firewall with Advanced Security.

Require Authentication for Inbound and Outbound Connections

Use the Require authentication for inbound and outbound connections option if you want to require that all inbound and outbound traffic is authenticated or else blocked. You typically use this option in higher-security IT environments where you must protect and control traffic flow, and in which the computers that must be able to connect can perform the authentication types that are available with Windows Firewall with Advanced Security.
Default

Select the Default option to use the authentication method that you configured on the IPsec Settings tab of the Windows Firewall with Advanced Security Properties dialog box.

User (Kerberos V5)

The User (Kerberos V5) method requests or requires the user to authenticate by using the Kerberos version 5 authentication protocol. You can use the Kerberos version 5 authentication protocol only if the user is a domain member.

Computer Certificate

The Computer Certificate method requests or requires a valid computer certificate for authentication, and you must have at least one certification authority (CA) to issue those certificates. Use this method if the computers are not part of the same AD DS domain.

Only Accept Health Certificates

The Only accept health certificates method requests or requires a valid health certificate for authentication. Health certificates declare that a computer has met system health requirements, as determined by a Network Access Protection (NAP) health policy server, such as having all software and other updates that network access requires. These certificates are distributed during the NAP health evaluation process. Use this method only to support NAP.

Advanced

You can configure any available method, and you can specify methods for First Authentication and Second Authentication. First Authentication methods include computer Kerberos, computer certificate, and a preshared key (not recommended, because the key is stored in plain text in the policy and is shared by every peer). Second Authentication methods include user Kerberos, user NTLM (Windows NT Challenge/Response protocol), user certificates, and computer health certificates. Second authentication methods are supported only by computers that are running Windows Vista, Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012.
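The following script is an added example, not code from the course, that ties the preceding sections together in Windows PowerShell on Windows 8 or Windows Server 2012 (NetSecurity module): it creates the first and second authentication sets (computer and user Kerberos V5), a connection security rule that requires inbound and requests outbound authentication (the same settings the lab uses), and the firewall rule that actually admits the traffic, restricted to IPsec-authenticated peers. The GPO path Adatum.com\ServerIsolation, the web-tier subnet 10.0.1.0/24 and the SQL Server port are assumptions; use -PolicyStore PersistentStore to apply the rules to the local computer instead.

```powershell
# Added example (not from the course): server isolation with PowerShell.
# Run elevated. ASSUMED: GPO "Adatum.com\ServerIsolation", web tier 10.0.1.0/24,
# SQL Server on TCP 1433. Replace $store with "PersistentStore" for a local rule.
$store = "Adatum.com\ServerIsolation"

# First authentication: computer Kerberos V5 (domain membership identifies the host).
$p1  = New-NetIPsecAuthProposal -Machine -Kerberos
$ph1 = New-NetIPsecPhase1AuthSet -DisplayName "Computer Kerberos V5" `
           -Proposal $p1 -PolicyStore $store

# Second authentication: user Kerberos V5 (only Windows Vista and later support it).
$p2  = New-NetIPsecAuthProposal -User -Kerberos
$ph2 = New-NetIPsecPhase2AuthSet -DisplayName "User Kerberos V5" `
           -Proposal $p2 -PolicyStore $store

# Connection security rule: "Require authentication for inbound connections, and
# request authentication for outbound connections". Unauthenticated inbound
# traffic is dropped; outbound still works against peers that have no IPsec.
New-NetIPsecRule -DisplayName "Authenticate all inbound connections" `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $ph1.Name -Phase2AuthSet $ph2.Name `
    -PolicyStore $store | Out-Null

# A connection security rule never opens the firewall. This inbound rule admits
# SQL traffic only from the web tier AND only over an authenticated IPsec
# connection (-Authentication Required); everything else on 1433 stays blocked
# by the default inbound behaviour.
New-NetFirewallRule -DisplayName "SQL Server from web tier (IPsec required)" `
    -Direction Inbound -Protocol TCP -LocalPort 1433 `
    -RemoteAddress 10.0.1.0/24 -Authentication Required -Action Allow `
    -PolicyStore $store | Out-Null

# Review what was written to the store.
Get-NetIPsecRule -PolicyStore $store |
    Select-Object DisplayName, InboundSecurity, OutboundSecurity, Enabled
Get-NetFirewallRule -PolicyStore $store -DisplayName "SQL Server*" |
    Get-NetFirewallPortFilter | Select-Object Protocol, LocalPort

# Roll back after testing (test in a lab first, as the course advises):
# Remove-NetIPsecRule -DisplayName "Authenticate all inbound connections" -PolicyStore $store
# Remove-NetFirewallRule -DisplayName "SQL Server from web tier (IPsec required)" -PolicyStore $store
```

Note the order of operations when you deploy this through Group Policy: a client that receives the connection security rule before its peers are configured will still reach peers that merely request authentication, but a peer that requires inbound authentication rejects it, so roll the rules out to the server side last, and leave the domain controllers exempt until you have confirmed Kerberos still works.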
Monitoring IPsec

Windows Firewall with Advanced Security is a stateful, host-based firewall that blocks incoming and outgoing connections based on its configuration. Although typical end-user configuration of Windows Firewall still occurs through the Windows Firewall Control Panel tool, advanced configuration now occurs in an MMC snap-in named Windows Firewall with Advanced Security.

The inclusion of this snap-in provides an interface not only for configuring Windows Firewall locally, but also for configuring Windows Firewall on remote computers and through Group Policy. Firewall functions now integrate with IPsec protection settings, reducing the possibility of conflict between the two protection mechanisms.

You can use the Windows Firewall with Advanced Security console to monitor the security policies that you create in the Connection Security Rules node. However, you cannot view the policies that you create by using the IP Security Policy snap-in. These monitoring options are for use with Windows Vista, Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012. For older operating systems, such as Windows XP and Windows 2000, you must use IP Security Monitor to view SAs and connections.

The Connection Security Rules folder lists all of the enabled connection security rules with detailed information about their settings. Connection security rules define which authentication, key exchange, data integrity, or encryption you can use to form a security association (SA). The SA defines the security that protects the communication from the sender to the recipient.

The Security Associations folder lists all of the Main Mode and Quick Mode SAs, with detailed information about their settings and endpoints.

Main Mode statistics provide data about the total number of SAs created and about invalid packets.

Quick Mode statistics provide more detailed information about connections. If you are having issues with an IPsec connection, Quick Mode statistics can provide insight into the problem.
IP Security Monitor

You can run IP Security Monitor as an MMC snap-in. It includes enhancements that you can use to view details about the active IPsec policy, whether the domain applies it or you apply it locally. Additionally, you can view Quick Mode and Main Mode statistics, and active IPsec SAs. You also can use IP Security Monitor to search for specific Main Mode or Quick Mode filters. To troubleshoot complex IPsec policy designs, you can use IP Security Monitor to search for all matches for filters of a specific traffic type.

Additionally, you can enable DNS name resolution for the IP addresses that you are monitoring. Note that there are some issues to consider when enabling DNS. For example, it works only in the Specific Filters view for Quick Mode and in the Security Associations view for Quick Mode and Main Mode monitoring. There also is the possibility that you can affect the server's performance if several items in the view require name resolution. Finally, name resolution requires a proper pointer (PTR) record in DNS for each address.

You can monitor computers remotely from a single console, but you must modify a registry value so that the remote system accepts a console connection. Setting the HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent\EnableRemoteMgmt registry value to 1 prevents the "IPsec service is not running" error when you manage a computer remotely.

You can get basic information about the current IP security policy in the Active Policy node of the IP Security Monitor MMC. This is useful during troubleshooting to identify which policy IPsec is applying to the server. Details such as the policy location and when it was last modified are key when you are determining the policy currently in place. Additionally, use the following command to identify the policy assigned through Group Policy: netsh ipsec static show gpoassignedpolicy.
The Main Mode SA is the initial SA that is established between two computers. It negotiates a set of cryptographic protection suites between both hosts. This initial SA allows the Quick Mode key exchange to occur in a protected environment. The Main Mode SA also is known as the Internet Security Association and Key Management Protocol (ISAKMP) or Phase 1 SA. Main Mode establishes the secure environment in which the other keys are exchanged, as the IPsec policy requires.

A Quick Mode SA depends on the successful establishment of a Main Mode SA. A Quick Mode SA also is known as an IPsec or Phase 2 SA. This process establishes keys based on the information that the policy specifies. Quick Mode SAs establish the protected transmission channels for the actual application IP data that the policy specifies.
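As an added example, not part of the course, the following script checks the same things from Windows PowerShell on Windows 8 or Windows Server 2012 that the text describes checking in the console and in IP Security Monitor: it sets the EnableRemoteMgmt registry value, generates traffic so that an SA is negotiated, then lists the Main Mode (Phase 1) and Quick Mode (Phase 2) SAs, the rules actually in force, and the firewall rules that demand IPsec (the ones that silently drop traffic when no SA exists). The peer names LON-DC1 and LON-CL2 are assumptions taken from the lab environment.

```powershell
# Added example (not from the course): IPsec monitoring with PowerShell.
# Run elevated. ASSUMED: peers LON-DC1 and LON-CL2 from the lab environment.

# 1. Allow remote IPsec monitoring of this computer (the registry value the text
#    describes). The IPsec Policy Agent must be restarted to pick it up.
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent"
Set-ItemProperty -Path $key -Name EnableRemoteMgmt -Value 1 -Type DWord
Restart-Service PolicyAgent

# 2. Generate traffic so that an SA is negotiated, then list Phase 1 and Phase 2
#    SAs. No SA after traffic means no connection security rule matched, or the
#    authentication it asked for failed. Wildcards show every related property.
Test-Connection -ComputerName LON-DC1 -Count 1 -Quiet | Out-Null
Get-NetIPsecMainModeSA  | Format-List LocalEndpoint, RemoteEndpoint, *Auth*, *Algorithm
Get-NetIPsecQuickModeSA | Format-List LocalEndpoint, RemoteEndpoint, Encapsulation*, Esp*, Ah*

# 3. Which connection security rules are in force, with the store each came from
#    (ActiveStore is the merged view the engine actually uses).
Get-NetIPsecRule -PolicyStore ActiveStore |
    Select-Object DisplayName, InboundSecurity, OutboundSecurity, PolicyStoreSource

# 4. Firewall rules that require IPsec: when the SA in step 2 is missing, these
#    are the rules that drop the packets, which looks like a plain connectivity fault.
Get-NetFirewallSecurityFilter -PolicyStore ActiveStore |
    Where-Object Authentication -ne NotRequired |
    Get-NetFirewallRule |
    Select-Object DisplayName, Direction, Enabled

# 5. The same cmdlets run against a remote computer over WinRM, which is the
#    PowerShell equivalent of adding a remote computer in IP Security Monitor.
Get-NetIPsecMainModeSA -CimSession LON-CL2 | Measure-Object | Select-Object Count
```

If step 2 shows a Main Mode SA but no Quick Mode SA, Phase 1 authentication succeeded and the failure is in the Phase 2 proposal or the second authentication; if neither appears, start with the rule list in step 3 and confirm that a rule's endpoints actually cover the two addresses.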
A. Datum uses many outside consultants. The enterprise's management is concerned that a consultant who is on the company network may be able to connect to unauthorized computers.
Objectives
- Create a connection security rule on one computer.
- Verify that connectivity is blocked from unauthorized computers.
- Create a connection security rule on a second computer.
- Verify that the configured computers can communicate.
Lab Setup
Estimated Time: 20 minutes
Virtual Machine(s): 20687A-LON-DC1, 20687A-LON-CL1, 20687A-LON-CL2
User Name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. The required virtual machines should already be running from the preceding lab.
Rule on the first computer:
- Requirements: Require authentication for inbound connections and request authentication for outbound connections
- Authentication: Computer and user (Kerberos V5)
- Name: Authenticate all inbound connections

Rule on the second computer:
- Requirements: Require authentication for inbound connections and request authentication for outbound connections
- Authentication: Computer and user (Kerberos V5)
- Name: Authenticate all inbound connections
Results: At the end of this lab, you will have created and tested connection security rules.
When you are finished the lab, leave the virtual machines running as they are needed for the next lab.
Lesson 4
Windows Defender helps to protect your computer from spyware and other forms of malicious software. In Windows 8, Windows Defender has improved in several ways. It integrates with Action Center to provide a consistent means of alerting you when action is required, and provides an improved user experience when you are scanning for spyware or manually checking for updates. Additionally, in Windows 8, Windows Defender has less impact on overall system performance, though it continues to deliver continuous, real-time monitoring.

In Windows Defender, you can run a quick, full, or custom scan. If you suspect that spyware has infected a specific area of the computer, customize a scan by selecting specific drives and folders. You also can configure the schedule that Windows Defender will use. You can choose to have Windows Defender exclude processes from your scan; while this can make the scan complete faster, your computer will be less protected. When Windows Defender detects potential spyware activity, it stops the activity and then raises an alert. Alert levels help you determine how to respond to spyware and unwanted software. You can configure Windows Defender's behavior when a scan identifies unwanted software. You also are alerted if software attempts to change important Windows settings.

To help prevent spyware and other unwanted software from running on the computer, turn on Windows Defender real-time protection.
The following table identifies the scanning options.
- Quick Scan: Checks the areas that malicious software, including viruses, spyware, and unwanted software, is most likely to infect.
- Full Scan: Checks all the files on your hard disk and all running programs.
- Custom Scan: Enables users to scan specific drives and folders.
We recommend that you schedule a daily quick scan. At any time, if you suspect that spyware has infected the computer, run a full scan. When you run a scan, the progress displays on the Windows Defender Home page. When Windows Defender detects a potentially harmful file, it moves the file to a quarantine area, and does not allow it to run or allow other processes to access it. Once the scan is complete, choose to remove or restore quarantined items and maintain the allowed list. A list of quarantined items is available from the Settings page. Click View to see all items. Review each item, and individually remove or restore each. Alternatively, if you want to remove all quarantined items, click Remove All.

Note: Do not restore software with severe or high alert ratings, because it can put your privacy and your computer's security at risk.
If you trust software that has been detected, stop Windows Defender from alerting you to the risks that the software might pose by adding it to the allowed list. If you decide to monitor the software again later, remove it from the allowed list.

The next time Windows Defender alerts you about software that you want to include in the allowed list, in the Alert dialog box, on the Action menu, click Allow, and then click Apply actions. Review and remove software that you have allowed from the Excluded files and locations list on the Settings page.
- Scan archive files: Scanning these locations might increase the time required to complete a scan, but spyware and other unwanted software can install itself and attempt to hide in these locations.
- Scan removable drives: Use this option to scan the contents of removable drives, such as USB flash drives.
- Create a system restore point: Use this option before applying actions to detected items. Because you can set Windows Defender to remove detected items automatically, selecting this option allows you to restore system settings.
- Allow all users to view the full History results: Use this option to allow all users who log on to this computer to see the scanning history. If you do not select this option, users will see only scan results that relate to their own files.
- Remove quarantined files after <Time>: Removes quarantined files after a set period of time. When you enable this option, the default period is one month, but you can set it from one day to three months.
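The Windows Defender cmdlets (Get-MpComputerStatus, Start-MpScan and so on) ship with Windows 8.1 and later, so on Windows 8 the scriptable surface is the MpCmdRun.exe command-line tool that installs with Windows Defender. The following script is an added example, not course material, that performs the lab's steps that way: update definitions, run a quick scan now, schedule the daily full scan, and list what is in quarantine. The task name and the 02:00 schedule are assumptions.

```powershell
# Added example (not from the course): scripting Windows Defender on Windows 8
# through MpCmdRun.exe. Run elevated. ASSUMED: task name "Defender nightly", 02:00 daily.
$mp = Join-Path $env:ProgramFiles "Windows Defender\MpCmdRun.exe"

# Get current definitions first; a scan with stale definitions proves little.
& $mp -SignatureUpdate

# Quick scan now (-ScanType 1 = quick, 2 = full, 3 = custom with -File <path>).
& $mp -Scan -ScanType 1
if ($LASTEXITCODE -ne 0) {
    Write-Warning "Quick scan returned $LASTEXITCODE; check Windows Defender History"
}

# Daily full scan at 02:00 as SYSTEM, the same schedule the lab asks for.
$action    = New-ScheduledTaskAction -Execute $mp -Argument "-Scan -ScanType 2"
$trigger   = New-ScheduledTaskTrigger -Daily -At "2:00AM"
$principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -RunLevel Highest
Register-ScheduledTask -TaskName "Defender nightly" -Action $action `
    -Trigger $trigger -Principal $principal -Force | Out-Null

# List quarantined items. Restoring is deliberately left to a person reviewing
# the alert level, for the reason the note above gives.
& $mp -Restore -ListAll
```

Keep the built-in Windows Defender schedule enabled as well: the scheduled task above adds a full scan, it does not replace real-time protection or the definition updates that Windows Update delivers.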
You are planning to use Windows Defender to check for malicious files every day. You also want to ensure that Windows Defender will quarantine any files that it considers a severe risk to your system's security.
Objectives
- Perform a quick scan.
- View the allowed items.
Lab Setup
Estimated Time: 10 minutes
Virtual Machine(s): 20687A-LON-DC1, 20687A-LON-CL1
User Name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. The required virtual machines should already be running from the preceding lab.
You need to configure Windows Defender to perform a full scan every day at 2:00 AM. Before configuring Windows Defender, you plan to run a quick scan. Finally, you want to configure the default actions for Windows Defender to take and check the items that you do not want it to scan. The main tasks for this exercise are as follows:
1. Perform a quick scan.
2. View the allowed items.
Results: At the end of this lab, you will have configured and used Windows Defender.
- Configure a local or remote computer by using either the Windows Firewall with Advanced Security snap-in or the netsh advfirewall command.
- Configure Windows Firewall with Advanced Security settings by using the Group Policy Management Console (GPMC) or by using the netsh advfirewall command. If you are configuring the firewall by using Group Policy, ensure that the Windows Firewall service has explicit write access, by its service security identifier (SID), to the location that you specify.
- If you deploy Windows Firewall with Advanced Security by using Group Policy and then block outbound connections, ensure that you enable the Group Policy outbound rules, and do full testing in a test environment before deploying. Otherwise, you might prevent all of the computers that receive the policy from updating the policy in the future, unless you intervene manually.

Best Practice: Implementing Defense-in-Depth

Supplement or modify the following best practices for your own work situations:
1. Create specific rules that help prevent social engineering, and educate users on these rules and their relevance.
2. Restrict physical access to servers by locking doors, and then monitor server room access.
3. Implement antivirus and anti-spyware software.
4. Implement host-based firewalls.

Best Practice: Windows Defender

Supplement or modify the following best practices for your own work situations:
1. When you use Windows Defender, you must have current definitions.
2. To help keep your definitions current, Windows Defender automatically installs new definitions as they are released. You also can set Windows Defender to check online for updated definitions before scanning.
3. When you scan your computer, we recommend that you select the advanced option to create a restore point before applying actions to detected items. Because you can set Windows Defender to remove detected items automatically, selecting this option allows you to restore system settings in case you want to use software that you did not intend to remove.
Question: You need to ensure that traffic passing between a computer in the perimeter network and one deployed in the internal network is encrypted and authenticated. The computer in the perimeter network is not a member of your AD DS forest. What authentication methods could you use if you attempted to establish a connection security rule between these two computers?

Question: If you wanted to ensure that only domain computers can communicate with other domain computers, how could you achieve this easily with Windows Firewall?

Question: You decide to deploy a third-party messaging application on your company's laptop computers. This application uses POP3 to retrieve email from the corporate mail server, and Simple Mail Transfer Protocol (SMTP) to send mail to the corporate email relay. Which ports must you open in Windows Firewall?

Question: What does Windows Defender do to software that it quarantines?
Tools
- Ping: Testing network connectivity (command line)
- Windows Firewall with Advanced Security: Managing inbound, outbound, and IPsec rules (Control Panel)
- Windows Defender: Anti-malware detection and removal (Control Panel)
Module 7
Contents:
Module Overview 7-1
Lesson 1: Managing File Access 7-2
Lesson 2: Managing Shared Folders 7-12
Lesson 3: Configuring File Compression 7-20
Lab A: Configuring File Access 7-24
Lesson 4: Managing Printers 7-27
Lab B: Configuring Printers 7-30
Lesson 5: Overview of SkyDrive 7-32
Module Review and Takeaways 7-35
Module Overview
This module provides the information and tools you need to manage access to shared folders and printers on a computer running the Windows 8 operating system. Specifically, the module describes how to share and protect folders, configure folder compression, and how to install, configure, and manage printers. Additionally, this module introduces the Windows Live SkyDrive functionality. To maintain network or local file and printer systems, it is essential to understand how to safeguard these systems and make them operate as efficiently and effectively as possible. This includes setting up NTFS file-system folder permissions, compressing and managing shared folders and files, and configuring printers.
Objectives
After completing this module, you will be able to:
- Describe file-access management.
- Describe management of shared folders.
- Describe the configuration of file compression.
- Explain how to configure file access.
- Describe the process of managing printers.
- Explain how to configure printers.
- Provide an overview of Windows Live SkyDrive.
Lesson 1
You can use NTFS file system permissions to define the level of access that users have to files that are available on your network or locally on your Windows 8 computer. This lesson explores NTFS file-system permissions, as well as the effect of various file and folder activities on these permissions.

File and folder permissions define the type of access that you grant to a user, group, or computer. For example, you can let one user read a file's contents, while you let another user make changes to that file, or you can prevent all other users from accessing that file. You can set similar permissions on folders. There are two levels of permissions:
- Shared folder permissions: Allow security principals, such as users, to access shared resources from across the network. Shared folder permissions are in effect only when a user accesses a resource from the network. The next lesson covers this topic in greater detail.
- NTFS file system permissions: Are always in effect, whether a user accesses the file by connecting across the network or by logging on to the local machine on which the resource is located. You can grant NTFS permissions on a file or folder to a named group or user.
Each NTFS file and folder has an access control list (ACL) with a list of users and groups that are assigned permissions to the file or folder. Each entry in the ACL is an access control entry that identifies the specific permissions granted to a user or group.
User rights allow administrators to assign specific privileges and logon rights to groups or users. These rights authorize users to perform specific actions, such as logging on to a system interactively, or backing up files and directories. User rights are different from permissions: user rights apply to user accounts, whereas permissions are attached to objects. Administrators can employ user rights to manage who has the authority to perform operations that span an entire computer, rather than a particular object. Administrators assign user rights, or privileges, to individual users or groups as part of the computer's security settings. Although you can manage user rights centrally through Group Policy, they are applied locally. Users can, and usually do, have different user rights on different computers. Unlike permissions, which an object's owner (or a user with the appropriate permission) grants, you assign user rights as part of the computer's local security policy.
There are two types of user rights: privileges, such as the right to back up files and directories, and logon rights, such as the right to log on to a system locally.
Possible Scenarios
Conflicts between privileges and permissions typically occur only where the rights that are required to administer a system overlap the resource-ownership rights. When rights conflict, a privilege overrides a permission.
For example, to create a backup of files and folders, backup software must be able to traverse all folders in an NTFS volume, list the contents of each folder, read the attributes of every file, and read data in any file that has its archive attribute set. It is impractical to arrange this access by coordinating with the owner of every file and folder. Therefore, the required rights are included in the Back up files and directories privilege, which is assigned by default to two built-in groups: Administrators and Backup Operators. Any user who has this privilege can access all files and folders on the computer to back up the system. The same default rights that allow Backup Operators to back up and restore files also enable them to use the group's rights for other purposes, such as reading another user's files or installing Trojan horse programs. Therefore, you should limit the Backup Operators group to highly trusted user accounts that require the ability to back up and restore computers.

The ability to take ownership of files and other objects is another case where an administrator's need to maintain the system takes priority over an owner's right to control access. Normally, you can take ownership of an object only if its current owner gives you permission to do so. Owners of NTFS objects can allow another user to take ownership by granting the other user the Take Ownership permission. Owners of Active Directory Domain Services (AD DS) objects can grant another user the Modify Owner permission. A user who holds the Take ownership of files or other objects privilege, however, can take ownership of an object without the current owner's permission. By default, the privilege is assigned only to the built-in Administrators group. Administrators typically use it to take and reassign ownership of resources for which the current owner is no longer available.
The following table lists the standard NTFS file and folder permissions. You can choose whether to allow or deny each of the permissions.
File permission: Description
Full Control: Complete control of the file/folder and control of permissions.
Modify: Read and write access.
Read and Execute: File can be read, and programs can be started. Folder content can be seen, and programs can be started.
Read: Read-only access.
Write: File content can be changed, and file can be deleted. Folder content can be changed, and files can be deleted.
Special permissions: A custom configuration.
Note: Groups or users granted Full Control on a folder can delete any files in that folder, regardless of the permissions protecting the file.
To modify NTFS permissions, you must be given the Full Control NTFS permission for a folder or file. The one exception is for file and folder owners. The owner of a file or folder can modify NTFS permissions, even if they do not have any current NTFS permissions. Administrators can take ownership of files and folders to make modifications to NTFS permissions.
Special permissions give you a finer degree of control for assigning access to files and folders. However, special permissions are more complex to manage than standard permissions. The following table defines the special permissions for which you can provide a custom configuration for each file and folder.
File permission: Description
Traverse Folder/Execute File: The Traverse Folder permission applies only to folders. It controls whether the user can move through folders to reach other files or folders, even if the user does not have permissions for the traversed folders. Traverse Folder takes effect only when the group or user is not granted the Bypass Traverse Checking user right, which is assigned in the Group Policy snap-in. By default, the Everyone group is given the Bypass Traverse Checking user right. The Execute File permission controls whether the user can run program files. Setting the Traverse Folder permission on a folder does not automatically set the Execute File permission on all files in that folder.
List Folder/Read Data: The List Folder permission controls whether the user can view file names and subfolder names in the folder. It applies only to folders and affects only the contents of that folder; it is not affected by whether the folder on which you are setting the permission is itself listed in the parent folder's list. The Read Data permission applies only to files, and controls whether the user can view data in files.
Read Attributes: Controls whether the user can view the attributes of a file or folder, such as the read-only and hidden attributes. NTFS defines these attributes.
Read Extended Attributes: Controls whether the user can view the extended attributes of a file or folder. Extended attributes are defined by programs, and they can vary by program.
Create Files/Write Data: The Create Files permission applies only to folders, and controls whether the user can create files in the folder. The Write Data permission applies only to files, and controls whether the user can make changes to the file and overwrite existing content.
Create Folders/Append Data: The Create Folders permission applies only to folders, and controls whether the user can create folders in the folder. The Append Data permission applies only to files, and controls whether the user can make changes to the end of the file, but not change, delete, or overwrite existing data.
Write Attributes: Controls whether the user can change the attributes of a file or folder, such as read-only or hidden. NTFS defines these attributes. The Write Attributes permission does not imply that you can create or delete files or folders; it includes only the permission to make changes to the attributes of a file or folder.
Write Extended Attributes: Controls whether the user can change the extended attributes of a file or folder. Programs define the extended attributes, which can vary by program. The Write Extended Attributes permission does not imply that the user can create or delete files or folders; it includes only the permission to make changes to the extended attributes of a file or folder.
Delete Subfolders and Files: Applies only to folders, and controls whether the user can delete subfolders and files, even if the Delete permission is not granted on the subfolder or file.
Delete: Controls whether the user can delete the file or folder. If you have not been assigned the Delete permission on a file or folder, you can still delete it if you are granted the Delete Subfolders and Files permission on the parent folder.
Read Permissions: Controls whether the user can read the permissions on the file or folder, such as Full Control, Read, and Write.
Change Permissions: Controls whether the user can change the permissions on the file or folder, such as Full Control, Read, and Write.
Take Ownership: Controls whether the user can take ownership of the file or folder. The owner of a file or folder can change permissions on it, regardless of any existing permissions that protect the file or folder.
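The special-permission names in the table map directly onto bits of an access-control entry's mask, which is why the Security tab shows only "Special permissions" for an entry that does not line up with one of the standard sets. The following PowerShell script is an added example, not part of the course: it reads the DACL of a folder with Get-Acl and decodes each entry's mask into the granular rights above, then filters for the two entries a reviewer usually wants to see first, Full Control granted to Everyone and explicit Deny entries. The folder path is an assumption.

```powershell
# Added example, not part of the course. Reads the DACL of a folder and
# breaks each entry's access mask into the special permissions listed in
# the table above. The path is an assumption.
$Path = 'C:\Data\Projects'   # assumed path

# Granular rights as named in the FileSystemRights enumeration; several
# pairs share one bit (ListDirectory/ReadData, Traverse/ExecuteFile, ...).
$GranularRights = 'Traverse', 'ExecuteFile', 'ListDirectory', 'ReadData',
    'ReadAttributes', 'ReadExtendedAttributes', 'CreateFiles', 'WriteData',
    'CreateDirectories', 'AppendData', 'WriteAttributes', 'WriteExtendedAttributes',
    'DeleteSubdirectoriesAndFiles', 'Delete', 'ReadPermissions',
    'ChangePermissions', 'TakeOwnership', 'Synchronize'

function Get-NtfsAceReport {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $mask = [int]$ace.FileSystemRights
        # Keep every granular right whose bits are all present in the mask.
        $granted = foreach ($name in $GranularRights) {
            $bit = [int][System.Security.AccessControl.FileSystemRights]$name
            if (($mask -band $bit) -eq $bit) { $name }
        }
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType      # Allow or Deny
            Inherited = $ace.IsInherited            # False = explicit entry
            Standard  = $ace.FileSystemRights.ToString()
            Special   = $granted -join ', '
        }
    }
}

# Full listing of the folder's entries.
Get-NtfsAceReport -Path $Path | Format-Table -AutoSize

# Entries worth a second look: Full Control granted to Everyone (see the
# note on Full Control above) and any explicit Deny entry.
Get-NtfsAceReport -Path $Path |
    Where-Object { ($_.Identity -eq 'Everyone' -and $_.Standard -match 'FullControl') -or
                   $_.Type -eq 'Deny' }
```

The Standard column is what the Security tab shows; the Special column is what the entry actually grants, which is the view you need when an entry shows only "Special permissions" or when a mask contains generic rights that print as a number.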
Conditions
Windows 8 allows you to assign conditions that must be met for a permission to take effect. Conditions can be based on group memberships or the device with which the user is accessing the file or folder. When viewing the NTFS permissions for a file or folder, the applied conditions are listed in the Condition column in the Advanced Security Settings for <file/folder name>.
When you use a Group condition, you can specify that the permission will apply to the user based on the following group membership rules:
   o Member of Any of the specified group(s).
   o Member of Each of the specified group(s).
   o Not Member of Any of the specified group(s).
   o Not Member of Each of the specified group(s).
When you use a Device condition, you can specify that the permission will apply if the user is accessing the file from a specified computer or computers.
You can specify multiple conditions that must all be met for the configured permission to be applied. For example, you can create a permission that would give the Financial group full control permissions if they are also a member of the Managers group and are accessing the folder from <computername>.
Permissions inheritance allows the NTFS permissions that are set on a folder to be applied automatically to files that users create in that folder and its subfolders. This means that you can set NTFS permissions for an entire folder structure at a single point. If you have to modify the permissions, you then only have to perform the change at that single point. For example, when you create a folder called MyFolder, all subfolders and files created within MyFolder automatically inherit that folder's permissions. Therefore, MyFolder has explicit permissions, while all subfolders and files within it have inherited permissions.
You also can add permissions to files and folders below the initial point of inheritance, without modifying the original permissions assignment. This is done to grant a specific user or group a different file access than the inherited permissions.
You also can deny permissions explicitly. For example, Alice might not want Bob to be able to read her file, even though he is a member of the Marketing group. She can exclude Bob by explicitly denying him permission to read the file. This is normally how explicit denies are used to exclude a subset (such as Bob) from a larger group (such as Marketing) that is given permission to perform an operation.
Note that use of explicit denials, while possible, increases the complexity of the authorization policy, which can create unexpected errors. For example, you might want to allow domain administrators to perform an action but deny domain users. If you attempt to implement this by explicitly denying domain users, you also deny any domain administrators who also are domain users. Though it is sometimes necessary, you should avoid the use of explicit denies in most cases.
In most cases, Deny overrides Allow unless a folder is inheriting conflicting settings from different parents. In that case, the setting inherited from the parent closest to the object in the subtree will have precedence.
Note: Inherited Deny permissions do not prevent access to an object if the object has an explicit Allow permission entry. Explicit permissions take precedence over inherited permissions, even inherited Deny permissions.
Only inheritable permissions are inherited by child objects. When you set permissions on the parent object, you can decide whether folders, subfolders, and files can inherit permissions. Perform the following steps to assign permissions that can be inherited:
1. In Windows Explorer, right-click the file or subfolder, click Properties, click the Security tab, and then click Advanced.
2. In the Advanced Security Settings for <file or folder> page, the Inherited From column lists from where the permissions are inherited. The Applies to column lists the folders, subfolders, or files to which the permissions are applied.
3. Double-click the user or group for which you want to adjust permissions.
4. On the Permission Entry for <name> page, click the Applies to field, and then select one of the following options:
   o This folder only
   o This folder, subfolders, and files
   o This folder and subfolders
   o This folder and files
   o Subfolders and files only
   o Subfolders only
   o Files only
5. Click OK on the Permission Entry for <name> page, click OK on the Advanced Security Settings for <name> page, and then click OK on the Properties page.
If the Special Permissions entry in Permissions for <User or Group> is shaded, it does not imply that this permission is inherited. Rather, this means that a special permission is selected.
After you set permissions on a parent folder, new files and subfolders that are created in the folder inherit these permissions. You can block permission inheritance to restrict access to these files and subfolders. For example, all accounting users may be assigned Modify permission to the ACCOUNTING folder. On the subfolder WAGES, inherited permissions can be blocked, with only a few specific users given access to the folder.
Note: When permissions inheritance is blocked, you have the option to copy existing permissions, or begin with blank permissions. If you only want to restrict a particular group or user, then copying existing permissions simplifies the configuration process.
To prevent a permission on a parent folder from being inherited by a child file or folder, select This folder only in the Applies to box when you set up permissions for the parent folder.
To prevent a folder or file from inheriting permissions from a parent folder, perform the following steps:
1. In Windows Explorer, right-click the file or subfolder, click Properties, click the Security tab, and then click Advanced.
2. In the Advanced Security Settings for <file or folder> page, click Disable inheritance.
3. In the Block Inheritance dialog box, select any of the following options:
   o Convert inherited permissions into explicit permissions on this object
   o Remove all inherited permissions from this object
   o Cancel
4. Click OK on the Advanced Security Settings for <name> window, and then click OK on the Properties page.
Disable inheritance for the Adatum folder, and then convert the inherited permissions to explicit permissions. Apply the change. Note the change in the Inherited From column. Note the contents of the Applies to column.
Add the Managers group, and then grant them Modify permissions to the PermissionsTest file.
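The two procedures above (choosing an "Applies to" scope, and disabling inheritance with or without converting the inherited entries) can be scripted, which is useful when the same change has to be made to many folders. The following PowerShell script is an added example, not part of the course, mirroring the demonstration steps: it blocks inheritance on a folder while converting the inherited entries to explicit ones, then grants a group Modify on a file beneath it. The folder and file paths and the Managers group name are assumptions, and the script must run as an account holding Full Control on the folder.

```powershell
# Added example, not part of the course. Assumes the folder and file paths
# below exist, that the group 'Managers' exists (hypothetical name), and
# that you run it as an account holding Full Control on the folder.
$Folder = 'C:\Data\Adatum'                     # assumed path
$File   = 'C:\Data\Adatum\PermissionsTest.txt' # assumed path
$Group  = 'Managers'                           # assumed group

# The "Applies to" choices of the Permission Entry dialog, expressed as the
# InheritanceFlags / PropagationFlags pair that the ACE actually stores.
$AppliesTo = @{
    'This folder only'                   = @('None',                            'None')
    'This folder, subfolders, and files' = @('ContainerInherit, ObjectInherit', 'None')
    'This folder and subfolders'         = @('ContainerInherit',                'None')
    'This folder and files'              = @('ObjectInherit',                   'None')
    'Subfolders and files only'          = @('ContainerInherit, ObjectInherit', 'InheritOnly')
    'Subfolders only'                    = @('ContainerInherit',                'InheritOnly')
    'Files only'                         = @('ObjectInherit',                   'InheritOnly')
}

function Add-NtfsAccessRule {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][System.Security.AccessControl.FileSystemRights]$Rights,
        [string]$Scope = 'This folder, subfolders, and files',
        [System.Security.AccessControl.AccessControlType]$Type = 'Allow'
    )
    $inherit, $propagate = $AppliesTo[$Scope]
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights,
        [System.Security.AccessControl.InheritanceFlags]$inherit,
        [System.Security.AccessControl.PropagationFlags]$propagate,
        $Type)
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Disable-NtfsInheritance {
    # $KeepExisting = $true copies the inherited ACEs as explicit ones
    # ("Convert inherited permissions into explicit permissions");
    # $false starts with blank permissions ("Remove all inherited permissions").
    param([Parameter(Mandatory)][string]$Path, [bool]$KeepExisting = $true)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $KeepExisting)
    Set-Acl -Path $Path -AclObject $acl
}

function Show-NtfsAcl {
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -Path $Path).Access |
        Format-Table IdentityReference, FileSystemRights, AccessControlType,
                     IsInherited, InheritanceFlags, PropagationFlags -AutoSize
}

Disable-NtfsInheritance -Path $Folder -KeepExisting $true
Show-NtfsAcl -Path $Folder      # IsInherited is now False on every entry

# File ACEs carry no inheritance flags, so the scope is 'This folder only'.
Add-NtfsAccessRule -Path $File -Identity $Group -Rights Modify -Scope 'This folder only'
Show-NtfsAcl -Path $File
```

The InheritanceFlags and PropagationFlags columns printed by Show-NtfsAcl are the same information the Applies to column shows in the dialog, so the listing is a quick way to confirm that an entry has the scope you intended.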
How Does the Copying and Moving of Files and Folders Affect Configured Permissions?
When copying or moving a file or folder, the permissions might change, depending on where you move the file or folder. Therefore, when you copy or move files or folders, it is important to understand the impact on permissions.
When you copy a file or folder within a single NTFS partition, the copy of the folder or file inherits the permissions of the destination folder. When you copy a file or folder to a different NTFS partition, the copy of the folder or file inherits the permissions of the destination folder.
When you copy a file or folder to a non-NTFS partition, such as a FAT file system partition, the copy of the folder or file loses its NTFS file system permissions, because non-NTFS partitions do not support NTFS file system permissions.
Note: When you copy a file or folder within a single NTFS partition or between NTFS partitions, you must have Read permission for the source folder and Write permission for the destination folder.
When moving a file or folder, permissions might change, depending on the permissions of the destination folder. Moving a file or folder has the following effects on NTFS file system permissions: When you move a file or folder within an NTFS partition, the file or folder inherits the permissions of the new parent folder. If the file or folder has explicitly assigned permissions, those permissions are retained in addition to the newly inherited permissions.
Note: Most files do not have explicitly assigned permissions. Instead, they inherit permissions from their parent folder. If you move files that have only inherited permissions, they do not retain these inherited permissions during the move.
When you move a file or folder to a different NTFS partition, the folder or file inherits the permissions of the destination folder. When you move a folder or file between partitions, Windows 7 copies the folder or file to the new location, and then deletes it from the old location. When you move a file or folder to a non-NTFS partition, the folder or file loses its NTFS file system permissions, because non-NTFS partitions do not support NTFS file system permissions.
Note: When you move a file or folder within an NTFS partition or between NTFS partitions, you must have both Write permission for the destination folder, and Modify permission for the source file or folder. Modify permission is required to move a folder or file, because Windows 8 deletes the folder or file from the source folder after it copies it to the destination folder.
The Copy command is not aware of the security settings on folders or files. However, more robust commands are. For example, Xcopy has the /o switch to include Ownership and NTFS Access Control List (ACL) settings. Robocopy has several switches that will cause security information to be copied:
   o /Copy:copyflag(s): the default setting is the equivalent of /Copy:DAT, where D=Data, A=Attributes, and T=Timestamps. You can add the S flag, where S=Security, i.e. NTFS ACLs.
   o /Sec is the equivalent of /Copy:DATS.
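Because a plain copy takes the destination folder's permissions, a tree copied to another volume silently loses any explicit entries that were set below the top folder. The following PowerShell script is an added example, not part of the course: it copies a tree with Robocopy using the /COPY flags described above (DATS plus O for the owner), then walks both trees and compares the explicit, non-inherited entries of every item, reporting any that differ. Inherited entries are deliberately left out of the comparison, on the assumption that they are re-derived from the destination parent. Source and target paths are assumptions.

```powershell
# Added example, not part of the course. Copies a tree to another NTFS
# volume together with its explicit ACL entries and owner, then verifies
# the explicit entries item by item. Paths are assumptions.
$Source = 'D:\Projects'   # assumed source folder
$Target = 'E:\Projects'   # assumed destination on another NTFS volume

# /E          copy subfolders, including empty ones
# /COPY:DATSO Data, Attributes, Timestamps, Security (NTFS ACL), Owner
# /R:1 /W:1   one retry, one second wait, on locked files
# /NP /NFL /NDL  quieter log (no progress, file or directory lists)
robocopy $Source $Target /E /COPY:DATSO /R:1 /W:1 /NP /NFL /NDL | Out-Null
if ($LASTEXITCODE -ge 8) {
    throw "robocopy reported failures (exit code $LASTEXITCODE)"
}

function Get-ExplicitAceSignature {
    # A sortable, comparable string built from the explicit ACEs of one item.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    $entries = $acl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object {
        '{0}|{1}|{2}|{3}|{4}' -f $_.IdentityReference, $_.AccessControlType,
            $_.FileSystemRights, $_.InheritanceFlags, $_.PropagationFlags
    }
    ($entries | Sort-Object) -join ';'
}

function Compare-ExplicitAcls {
    param([Parameter(Mandatory)][string]$Source, [Parameter(Mandatory)][string]$Target)
    Get-ChildItem -Path $Source -Recurse -Force | ForEach-Object {
        $relative  = $_.FullName.Substring($Source.Length)
        $srcSig    = Get-ExplicitAceSignature -Path $_.FullName
        $dstSig    = Get-ExplicitAceSignature -Path ($Target + $relative)
        if ($srcSig -ne $dstSig) {
            [pscustomobject]@{ Item = $relative; Source = $srcSig; Target = $dstSig }
        }
    }
}

$mismatch = Compare-ExplicitAcls -Source $Source -Target $Target
if ($mismatch) { $mismatch | Format-List }
else           { 'Explicit ACL entries match on every copied item.' }
```

Running the same comparison after a Copy-Item or Explorer copy shows the difference the text describes: the top folder and everything below it report only the destination's inherited entries, and every item that had an explicit entry appears in the mismatch list.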
The Effective Permissions feature determines the permissions a user or group has on an object, by calculating the permissions that are granted to the user or group. The calculation takes into account the permissions in effect from group membership and any of the permissions inherited from the parent object. It looks up all domain and local groups in which the user or group is a member.
Note: The Effective Permissions feature always includes the Everyone group when calculating effective permissions, as long as the selected user or group is not a member of the Anonymous Logon group.
The Effective Permissions feature only produces an approximation of the permissions that a user has. The actual permissions the user has may be different, since permissions can be granted or denied based on how a user logs on. This logon-specific information cannot be determined by the Effective Permissions feature, because the user may not log on. Therefore, the effective permissions it displays reflect only those permissions specified by the user or group, and not the permissions specified by the logon. For example, if a user is connected to a computer through a file share, then the logon for that user is marked as a Network Logon. Permissions can be granted or denied to the well-known security ID (SID) Network, which the connected user receives. This way, a user has different permissions when logged on locally than when logged on over a network.
Effective permissions can be viewed on the Advanced Security Settings for <folder> dialog box. You can access this dialog box from a folder's Properties dialog box, using the Advanced button on the Security tab, or directly from the Share menu on the ribbon.
Scenario
User1 is a member of the Users group and the Sales group. The graphic on the slide, which shows folders and files on the NTFS partition, includes three situations, each of which has a corresponding discussion question.
Question: The Users group has Write permission, and the Sales group has Read permission for Folder1. What permissions does User1 have for Folder1?
Question: The Users group has Read permission for Folder1. The Sales group has Write permission for Folder2. What permissions does User1 have for File2?
Question: The Users group has Modify permission for Folder1. File2 is accessible only to the Sales group, and they are able to read File2 only. What do you do to ensure that the Sales group has only Read permission for File2?
Lesson 2
Collaboration is an important part of your job. Your team might create documents that are shared only by its members, or you may work with a remote team member who needs access to your team's files. Because of collaboration requirements, you must understand how to manage shared folders in a network environment. Sharing folders gives users access to those folders over a network. Users can connect to the shared folder over the network to access the folders and files that the shared folder contains.
Shared folders can contain applications, public data, or a user's personal data. Managing shared folders helps you provide a central location for users to access common files, and it simplifies the task of backing up data that those folders contain. This module examines various methods of sharing folders, along with the effect this has on file and folder permissions when you create shared folders on a partition formatted with the NTFS file system.
Windows 8 uses the Public folder to simplify file sharing. With Public folder sharing enabled, the public folders and all the folders within the Public folder are automatically shared with the name Public. You do not have to configure file sharing on separate folders. Just move or copy the file or folder that you want to share on the network to the Public folder on your Windows 8 client.
In Windows 8, members of the Administrators, Power Users, and Server Operators groups can share folders. Other users who are granted the Create Permanent Shared Objects user right can also share folders. If a folder resides on an NTFS volume, you must have at least Read permission to share the folder. When you share a folder, you must decide the permissions that a user or group will have when they access the folder through the share. This is called sharing permissions.
Basic sharing permissions are greatly simplified in Windows 8, which offers two choices:
   o Read: The "look, but do not touch" option. Recipients can open, but not modify or delete, a file.
   o Read/Write: The "full control" option. Recipients can open, modify, or delete a file.
There are several different ways in which you can share folders with others on the network:
   o In the Microsoft Management Console (MMC) snap-in titled Shared Folders
   o In Windows Explorer
   o Through the command line
   o Through Computer Management
   o Using Windows PowerShell version 3.0 cmdlets
You can use the Microsoft Management Console (MMC) snap-in, Shared Folders, to manage all file shares centrally on a computer. Use this snap-in to create file shares and set permissions, and to view and manage open files and the users who are connected to the computers file shares. Additionally, you can view the properties for the folder, which would allow you to perform actions, such as specifying NTFS permissions. Using the Shared Folders snap-in presents the Create a Shared Folder Wizard when you are creating a new share. By default the share name will be the same as the folder name, and all users have read access share permissions.
Using the Share with Option from the Context Menu or Ribbon
The Share with option is a simple and fast way to share a folder. When you right-click a folder, and then select Share with, you get a fly-out menu that allows you to either Stop sharing the folder or share the folder with Specific people. When you are sharing with specific people, you can select Everyone or use Find people to share the folder with specific groups. After selecting who you want to share with, you can set either Read or Read/Write permissions. The wizard will set the share permissions to Everyone Full Control, and the NTFS permissions based on what you selected. The share name will be the same as the folder name.
Using the Properties dialog box provides two options. You can click the Share button, which then presents the same dialog box as Share with Specific people, or you can click the Advanced Sharing button. When you use advanced sharing, you can specify the share name. The default is the same as the folder name, and you can specify share permissions as Full Control, Change or Read. Additionally, since you are in the Properties dialog box, you can click the Security tab and set NTFS permissions.
You can share a folder through the command line by using the net share command, which the following example shows in its basic form:
Net Share name=drive:path
This will create a simple share, which uses the share name that you specify, and which grants all users Read permissions. Additional options include:
Option: Description
/Grant:user,permission: Allows you to specify Read, Change, or Full share permissions for the specified user.
/Users:number: Allows you to limit the number of users that can connect to the share.
/Remark:"text": Allows you to add a comment to the share.
/Cache:option: Allows you to specify the caching options for the share.
sharename /Delete: Allows you to remove an existing share.
Additional PowerShell commands for managing shares include:
Command: Description
Get-SmbShare: Gets a list of the existing shares on the computer.
Set-SmbShare: Modifies an existing share.
Remove-SmbShare: Removes an existing share.
Get-SmbShareAccess: Retrieves the share permissions for a share.
Get-Acl: Retrieves the NTFS ACL (this cmdlet is not new).
Grant-SmbShareAccess: Used to set share permissions on a share.
Set-Acl: Used to set the NTFS ACL for a specified resource (this cmdlet is not new).
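The net share options and the SMB cmdlets above cover the same ground; the cmdlets are easier to chain into a script that both creates a share and checks what it exposes. The following PowerShell script is an added example, not part of the course: it creates a share (or reuses an existing one) whose share-level ACL names Authenticated Users and Administrators instead of the Everyone/Read default, removes any Everyone entry, and prints the share settings, share permissions and NTFS permissions side by side. It uses New-SmbShare, Get-SmbShareAccess and Revoke-SmbShareAccess in addition to the cmdlets in the table. The share name and folder path are assumptions.

```powershell
# Added example, not part of the course. Creates or reuses a share whose
# share-level ACL avoids the Everyone/Read default, then summarises the
# share and NTFS entries together. Share name and path are assumptions.
$Name = 'Projects'      # assumed share name
$Path = 'D:\Projects'   # assumed folder

# PowerShell equivalent of:
#   net share Projects=D:\Projects /Grant:"Authenticated Users",Change /Users:20
if (-not (Get-SmbShare -Name $Name -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $Name -Path $Path -Description 'Project files' `
        -ChangeAccess 'Authenticated Users' -FullAccess 'BUILTIN\Administrators' `
        -ConcurrentUserLimit 20 -CachingMode Manual | Out-Null
}

# Drop the Everyone entry the wizards add by default (see the note on the
# guest account below); the NTFS ACL still applies its own filter.
if (Get-SmbShareAccess -Name $Name | Where-Object { $_.AccountName -eq 'Everyone' }) {
    Revoke-SmbShareAccess -Name $Name -AccountName 'Everyone' -Force | Out-Null
}

function Get-ShareSummary {
    # One object per share: settings, share ACL and NTFS ACL of its folder.
    param([Parameter(Mandatory)][string]$Name)
    $share    = Get-SmbShare -Name $Name
    $shareAcl = Get-SmbShareAccess -Name $Name |
                ForEach-Object { '{0}:{1}' -f $_.AccountName, $_.AccessRight }
    $ntfsAcl  = (Get-Acl -Path $share.Path).Access |
                ForEach-Object { '{0}:{1}' -f $_.IdentityReference, $_.FileSystemRights }
    [pscustomobject]@{
        Share     = $share.Name
        Path      = $share.Path
        UserLimit = $share.ConcurrentUserLimit
        Caching   = $share.CachingMode
        ShareAcl  = $shareAcl -join '; '
        NtfsAcl   = $ntfsAcl  -join '; '
    }
}

Get-ShareSummary -Name $Name | Format-List
```

Set-SmbShare can change the description, user limit or caching mode of the share later, and Grant-SmbShareAccess can add further share-level entries; neither touches the NTFS ACL, which is why the summary prints both lists.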
Basic folder sharing is the simplest form of Any Folder sharing, because it enables users to share a folder quickly and simply. Basic folder shares are created by using the Windows Explorer Share with Wizard or the Net share command without any additional options.
You can use Advanced Sharing to exert more control over the Any Folder sharing process. When you use Advanced Sharing to share a folder, you must specify the following information:
   o A share name: The default name is the folder name.
   o The maximum number of concurrent connections to the folder: The default number is 20 concurrent connections.
   o Shared folder permissions: The default permissions are Read permissions for the special group Everyone. The permissions set here are only share permissions. This does not modify the underlying NTFS permissions.
   o Caching options: The default caching option allows user-selected files and programs to be available offline. You can disable offline files and programs, or configure files and programs to be available offline automatically.
You can access Advanced Sharing through the:
   o Create a Shared Folder Wizard from the Shared Folders snap-in.
   o Sharing tab on the Properties dialog box.
   o Command line, by using the optional settings.
When you turn on Public folder sharing in Windows 8, anyone with an account on your computer, or a PC on your network, can access the contents of these folders. To share something, copy or move it into one of these public folders. By default, Windows 8 provides the following Public folders:
   o Documents
   o Music
   o Pictures
   o Videos
You can view these folders by clicking Windows Explorer from the Start screen, and then clicking Libraries to expand the folders. By default, Public folder sharing is not enabled. However, files stored in the Public folder hierarchy are available to all users who have an account on a given computer and can log on to it locally. You can configure Windows 8 to allow access to the Public folders from the network in the Change advanced sharing settings link in the Network and Sharing Center. You can either:
   o Turn on sharing, so that anyone with network access can read and write files in the Public folders.
   o Turn off Public folder sharing (people logged in to this computer can still access these folders).
Public folder sharing does not allow you to fine-tune sharing permissions, but it does provide a simple way to make your files available to others. When you enable Public folder sharing, the system group Everyone is granted full control permissions for the share and NTFS permissions.
Users must have the appropriate NTFS file system permissions for each file and subfolder in a shared folder, in addition to the appropriate shared folder permissions, to access those resources.
When NTFS file system permissions and shared folder permissions are combined, the resulting permission is the most restrictive one of the effective shared folder permissions or the effective NTFS file system permissions. The share permissions on a folder apply to that folder, to all files in that folder, to subfolders, and to all files in those subfolders.
Note: If the guest user account is enabled on your computer, the Everyone group includes anyone. As a best practice, remove the Everyone group from any permission lists, and replace it with the Authenticated Users group.
The following analogy can be helpful in understanding what happens when you combine NTFS and share permissions. When you are dealing with a shared folder, you must always go through the shared folder to access its files over the network. Therefore, you can think of the shared folder permissions as a filter that allows users to perform only those actions that are acceptable to the share permissions on the folder's contents. All NTFS permissions that are less restrictive than the share permissions are filtered out, so that only the share permission remains.
For example, if the share permission is set to Read, then the most that you can do is read through the shared folder, even if an individual NTFS file permission is set to Full Control. If you are configuring the share permission to Modify, then you are allowed to read or modify the shared folder contents. If the NTFS permission is set to Full Control, then the share permissions filter the effective permission to Modify.
Question: If a user is assigned Full Control NTFS permission to a file, but is accessing the file through a share with Read permission, what will be the effective permission the user will have on the file?
Question: If you want a user to view all files in a shared folder, but can modify only certain files in the folder, what permissions do you give the user?
Question: Identify a scenario at your organization where it might be necessary to combine NTFS and Share permissions. What is the reason for combining permissions?
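The "most restrictive wins" rule for combining share and NTFS permissions is easy to state but tedious to check by hand on a real share. The following PowerShell script is an added example, not part of the course: it maps NTFS rights onto the three share levels (Read, Change, Full), then, for every identity granted share-level access, looks up that identity's NTFS level on the share's folder and reports the lower of the two as the level effective over the network. It matches identities by name only and does not expand group membership or model Deny entries, so it is a first-pass audit and not a replacement for the Effective Permissions feature. The share name is an assumption.

```powershell
# Added example, not part of the course. For each share-level Allow entry,
# compare the share level with the NTFS level the same identity holds on
# the folder and report the lower one. Group membership is not expanded
# and Deny entries are ignored (simplification). Share name is assumed.
$Rank = @{ None = 0; Read = 1; Change = 2; Full = 3 }

function ConvertTo-Level {
    # Map an NTFS rights mask onto the Read / Change / Full share scale.
    param([Parameter(Mandatory)][System.Security.AccessControl.FileSystemRights]$Rights)
    $R = [System.Security.AccessControl.FileSystemRights]
    if (($Rights -band $R::FullControl) -eq $R::FullControl) { return 'Full' }
    if (($Rights -band $R::Modify)      -eq $R::Modify)      { return 'Change' }
    if (($Rights -band $R::Read)        -eq $R::Read)        { return 'Read' }
    'None'
}

function Get-ShareEffectiveAccess {
    param([Parameter(Mandatory)][string]$ShareName)
    $share    = Get-SmbShare -Name $ShareName
    $ntfsAces = (Get-Acl -Path $share.Path).Access |
                Where-Object { $_.AccessControlType -eq 'Allow' }

    foreach ($s in Get-SmbShareAccess -Name $ShareName) {
        if ($s.AccessControlType -ne 'Allow') { continue }   # Deny not modelled
        # Compare on the account name only; the domain prefix may differ.
        $name   = ($s.AccountName -split '\\')[-1]
        $levels = $ntfsAces |
            Where-Object { ($_.IdentityReference.Value -split '\\')[-1] -eq $name } |
            ForEach-Object { ConvertTo-Level $_.FileSystemRights }
        $ntfs = if ($levels) { $levels | Sort-Object { $Rank[$_] } | Select-Object -Last 1 }
                else         { 'None' }
        # Share AccessRight is Read, Change, Full or Custom; Custom ranks as None here.
        $shareLevel = [string]$s.AccessRight
        if (-not $Rank.ContainsKey($shareLevel)) { $shareLevel = 'None' }
        $effective = if ($Rank[$shareLevel] -lt $Rank[$ntfs]) { $shareLevel } else { $ntfs }

        [pscustomobject]@{
            Identity  = $s.AccountName
            Share     = $shareLevel
            NTFS      = $ntfs
            Effective = $effective
        }
    }
}

Get-ShareEffectiveAccess -ShareName 'Projects' | Format-Table -AutoSize   # assumed share
```

A row that shows Share = Read and NTFS = Full is exactly the first discussion question above: the effective column reports Read, because the share permission filters what the NTFS entry would otherwise allow.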
You can customize the currently active network connections, and set up a new connection. Use the graphical view of your current network to optionally change the description and icon appearance of network components to include more information. View and change network connection properties by clicking View Status on the right side of the connection listing. You can maintain the following network connections in this section:
   o Connect to the Internet: Set up a wireless, broadband, or dial-up connection to the Internet.
   o Set up a Network: Configure a new router or access point.
   o Set up a Dial-up Connection: Connect to the Internet using a dial-up connection.
   o Connect to a Workplace: Set up a dial-up or virtual private network (VPN) connection to your workplace.
Note: You can change the network location profile between private and public. This changes firewall and visibility settings for that network connection.
The Network and Sharing Center includes a Change advanced sharing settings link that you can use to enable, disable, and change the way that various network services behave. The first time that you connect to a network, you must choose a network location. This automatically sets the appropriate firewall, security, and sharing settings for the type of network to which you connect. If you connect to networks in different locations, such as from your home network, at a local coffee shop, or at work, then choosing a network location can help ensure that your computer is always set to an appropriate security level. When users connect to a new network, they can select one of the following network locations in Windows 8:
Private: In a trusted private network, all computers on the network are in a private network, and you recognize them. Do not choose this network location for public places such as coffee shops and airports. Network discovery and file and printer sharing are turned on for private networks. This allows you to see and access other computers and devices on the network, and allows other network users to see and access your computer.
Guest or Public: If you do not recognize all the computers on the network (for example, you are in a coffee shop or airport, or you have mobile broadband), then this is a public network, and is not trusted. This location helps you to keep your computer from being visible to other computers around you, and helps to protect your computer from any malicious software from the Internet.
Also choose this option if you are connected directly to the Internet without using a router, or if you have a mobile broadband connection. Network discovery, and file and printer sharing, are turned off. Domain: The domain network location is used for domain networks such as those in corporate workplaces. Your network administrator typically controls this type of network location.
Windows 8 automatically applies the correct network settings based on the network location. For each of these network profiles, you can configure the network sharing settings found in the following table.

Feature                    Setting   Result
Network Discovery          On/Off    When network discovery is on, your computer can see other network computers and devices, and is visible to other network computers.
File and Printer sharing   On/Off    When file and printer sharing is on, people on the network can access files and printers that you have shared from your computer.
Note: By default, Windows 8 uses Windows Firewall with Advanced Security. Therefore, using another firewall might interfere with the Network Discovery and file-sharing features.
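The following PowerShell is added here as an example; it is not part of the course material. It shows how the network location profile, and the per-profile firewall rule groups that give the Private and Public locations their different visibility, can be inspected and changed from a command prompt. It assumes Windows 8 or later (the NetConnection and NetSecurity modules), an interface alias of Ethernet (an assumption) and an elevated prompt for the change.

```powershell
# Added example (not from the course): inspect the current network location
# profile and the firewall behaviour each profile drives. Requires Windows 8 /
# Server 2012 or later (NetConnection and NetSecurity modules). Run elevated
# to change a category. The interface alias 'Ethernet' is an assumption.

function Get-NetworkProfileSummary {
    # Which location profile each connected interface was assigned
    Get-NetConnectionProfile |
        Select-Object Name, InterfaceAlias, NetworkCategory, IPv4Connectivity
}

function Get-DiscoveryRuleState {
    # Network Discovery and File and Printer Sharing are firewall rule groups
    # whose rules are scoped per profile (Private/Public/Domain); that is why
    # changing the location changes whether the computer is visible.
    foreach ($group in 'Network Discovery', 'File and Printer Sharing') {
        Get-NetFirewallRule -DisplayGroup $group -Direction Inbound |
            Select-Object @{n='Group';e={$group}}, DisplayName, Profile, Enabled
    }
}

function Set-UntrustedNetwork {
    param([string]$InterfaceAlias = 'Ethernet')   # assumed interface name
    # Move a connection to Public: inbound discovery/sharing rules bound to the
    # Private profile stop applying, so the machine is no longer advertised.
    Set-NetConnectionProfile -InterfaceAlias $InterfaceAlias -NetworkCategory Public
    Get-NetConnectionProfile -InterfaceAlias $InterfaceAlias |
        Select-Object InterfaceAlias, NetworkCategory
}

function Test-FirewallProfilePosture {
    # Each profile should be enabled with inbound traffic blocked by default;
    # a disabled profile or a default inbound action of Allow is the weak state.
    Get-NetFirewallProfile | ForEach-Object {
        [pscustomobject]@{
            Profile        = $_.Name
            Enabled        = $_.Enabled
            DefaultInbound = $_.DefaultInboundAction
            Weak           = (-not $_.Enabled) -or ($_.DefaultInboundAction -eq 'Allow')
        }
    }
}

Get-NetworkProfileSummary
Get-DiscoveryRuleState | Where-Object Enabled -eq 'True' | Format-Table -AutoSize
Test-FirewallProfilePosture
# Set-UntrustedNetwork -InterfaceAlias 'Ethernet'   # run when joining an untrusted network
```

Only the rules that are enabled for the current profile matter; the Where-Object filter shows those, and comparing the Profile column against the NetworkCategory reported by Get-NetConnectionProfile explains why a computer on a Public network does not answer discovery requests.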
All Networks: These settings apply regardless of the network profile. The all networks settings are described in the following table.

Feature                 Setting   Result
Public folder sharing   On/Off    When Public folder sharing is on, people on the network, including home-group members, can access files in public folders.
Media streaming         On/Off    When media streaming is on, people and devices on the network can access pictures, music, and videos on your computer. Your computer also can find media on the network.

Windows uses 128-bit encryption to help protect file sharing connections. Some devices don't support 128-bit encryption and must use 40- or 56-bit encryption.
Troubleshoot Problems
Use this feature to diagnose and repair network problems, and to get troubleshooting information for the following network components:
Internet connections
Shared folders
Homegroup
Network adapter
Incoming connections
Connection to a workplace by using Windows 8 DirectAccess
Printers
Lesson 3
The compression state of a folder does not necessarily reflect the compression state of the files within that folder. For example, a folder can be compressed without compressing its contents, and some or all of the files in a compressed folder can be uncompressed. NTFS compression works with NTFS-compressed files without decompressing them, because they are decompressed and recompressed without user intervention:
When a compressed file is opened, Windows automatically decompresses it for you.
When the file closes, Windows compresses it again.
NTFS-compressed file and folder names are displayed in a different color to make them easier to identify. NTFS-compressed files and folders only remain compressed while they are stored on an NTFS volume. An NTFS-compressed file cannot be encrypted.
The compressed bytes of a file are not accessible to applications, which see only the uncompressed data:
Applications that open a compressed file can operate on it as if it were not compressed.
These compressed files cannot be copied to another file system.
Note: You can use the compact command-line tool to manage NTFS compression.
Discussion: What Is the Impact of Moving and Copying Compressed Files and Folders?
Moving and copying compressed files and folders can change their compression state. This discussion presents five situations in which you are asked to identify the impact of copying and moving compressed files and folders. You and your classmates will discuss the possible solutions to each situation.
Question: What happens to the compression state of a file or folder when you copy it within an NTFS partition?
Question: What happens to the compression state of a file or folder when you move it within an NTFS partition?
Question: What happens to the compression state of a file or folder when you copy or move it between NTFS partitions?
Question: What happens to the compression state of a file that you copy or move between FAT and NTFS volumes?
Files can be opened directly from these compressed folders, and some programs can be run directly from these compressed folders without uncompressing them. Files in the compressed folders are compatible with other file-compression programs and files. You also can move these compressed files and folders to any drive or folder on your computer, the Internet, or your network.
Compressing folders by using Compressed (zipped) Folders does not affect your computer's overall performance. CPU utilization increases only when Compressed (zipped) Folders is used to compress a file. Compressed files take up less storage space, and you can transfer them to other computers more quickly than uncompressed files. You can work with compressed files and folders the same way you work with uncompressed files and folders.
By using the Send To > Compressed (zipped) Folder command in Windows Explorer, you can quickly:
Alternatively, if a compressed folder is already created, and you need to add a new file or folder to it, you can drag the desired file to the compressed folder instead of using the Send To > Compressed (zipped) Folder command.
There are differences to be aware of between zipped folder compression and NTFS folder compression. A zipped folder is a single file inside of which Windows allows you to browse. Some applications can access data directly from a zipped folder, while other applications require that you first unzip the folder contents before the application can access the data. In contrast, individual files within a folder are compressed by NTFS compression. Therefore, NTFS compression does not experience the data access issues associated with zipped folders, because it occurs at the individual file system level and not the folder level. Additionally, zipped folders are useful for combining multiple files into a single email attachment, whereas NTFS compression is not.
File and folder compression that uses the Send To > Compressed (zipped) Folder command is different from NTFS file and folder compression discussed earlier: For selected files or folders, the Send To > Compressed (zipped) Folder command compresses the selected content into a portable zip file. The original file or folder is left unchanged, but a new, compressed zip file is created.
NTFS compression does not create a second, compressed zip-type file. Instead, it actually reduces the size of the selected file, folder, or volume by compressing its content.
Note: Unlike NTFS-compressed folders and files, you can move or copy compressed (zipped) folders without change between volumes, drives, and file systems.
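The following PowerShell is an added example, not code from the course, that puts the two mechanisms side by side: the compact tool noted earlier applies and removes NTFS compression, the file attributes show the independent state of a folder and the files beneath it (and that Compressed and Encrypted never both appear on one file), and a zipped folder is produced with the .NET ZipFile class that Windows 8 ships. The folder C:\Data\Windows8Docs and the zip path are assumed sample locations.

```powershell
# Added example (not part of the course text): manage NTFS compression with
# compact.exe, verify the result from the file attributes, and contrast it
# with a zipped folder built with .NET's ZipFile class (.NET 4.5, which
# Windows 8 includes). Paths under C:\Data are assumed sample locations.

function Test-NtfsVolume {
    param([string]$Path)
    # NTFS compression is a file-system attribute, so it only exists on NTFS;
    # the same file copied to FAT arrives uncompressed.
    $root = [System.IO.Path]::GetPathRoot((Resolve-Path $Path).Path)
    (New-Object System.IO.DriveInfo($root)).DriveFormat -eq 'NTFS'
}

function Set-NtfsCompression {
    param([string]$Folder, [switch]$Uncompress)
    if (-not (Test-NtfsVolume $Folder)) { throw "$Folder is not on an NTFS volume" }
    $op = if ($Uncompress) { '/u' } else { '/c' }
    # Mark the folder itself so that files created later inherit the setting ...
    & compact.exe $op $Folder | Out-Null
    # ... and (un)compress the files that are already there, recursively.
    & compact.exe $op /s:$Folder | Out-Null
}

function Get-CompressionState {
    param([string]$Path)
    # Folder state and file state are independent, so report every item.
    Get-ChildItem -Path $Path -Recurse | ForEach-Object {
        [pscustomobject]@{
            Item       = $_.FullName
            IsFolder   = $_.PSIsContainer
            Compressed = [bool]($_.Attributes -band [System.IO.FileAttributes]::Compressed)
            Encrypted  = [bool]($_.Attributes -band [System.IO.FileAttributes]::Encrypted)
        }
    }
}

function New-ZippedFolder {
    param([string]$SourceFolder, [string]$ZipPath)
    # A zipped folder is an ordinary, portable file: it stays compressed on
    # FAT, on a network share or as an e-mail attachment, whereas NTFS
    # compression is lost as soon as the data leaves an NTFS volume.
    Add-Type -AssemblyName System.IO.Compression.FileSystem
    [System.IO.Compression.ZipFile]::CreateFromDirectory($SourceFolder, $ZipPath)
    Get-Item $ZipPath | Select-Object FullName, Length
}

Set-NtfsCompression -Folder 'C:\Data\Windows8Docs'
Get-CompressionState -Path 'C:\Data\Windows8Docs' | Format-Table -AutoSize
New-ZippedFolder -SourceFolder 'C:\Data\Windows8Docs' -ZipPath 'C:\Data\Windows8Docs.zip'
```

Running Get-CompressionState before and after copying a file between two NTFS partitions, or out to a FAT-formatted USB drive, gives a quick way to check the answers to the discussion questions above.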
Compress a folder
1. Compress the Windows8Docs folder.
2. Examine the folder and files in the folder.
Objectives
Create a folder shared to all users.
Create a folder shared to specific users.
Lab Setup
Estimated Time: 15 minutes
Virtual machines: 20687A-LON-DC1, 20687A-LON-CL1, 20687A-LON-CL2
User name: Adatum\Administrator and Adatum\Ed
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   User name: Adatum\Administrator
   Password: Pa$$w0rd
5. Repeat steps 2 and 3 for 20687A-LON-CL1 and 20687A-LON-CL2. Do not log on until directed to do so.
Results: At the end of this lab, you will have created a folder and shared it for all users. Question: Why were you unable to create a file in the Adatum shared folder?
Results: At the end of this exercise, you will have created and shared a folder for the Marketing department. Question: Why was Adam able to create a file, whereas Ed was not?
Lesson 4
This lesson examines the printing components in a Windows 8 environment, including printer ports and drivers.
The instructor will demonstrate how to install and share a printer, and you will review how to use the Print Management tool to administer multiple printers and print servers.
Windows 8 detects printers that you connect to your computer, and it installs the driver for the printer automatically, if the driver is available in the driver store. However, Windows might not detect printers that connect by using older ports, such as serial or parallel ports, or network printers. In these cases, you must configure the printer port manually.
Installing a Driver
The printer driver is a software interface that enables your computer to communicate with the printer device. Without a printer driver, the printer that connects to your computer will not work properly. The printer driver is responsible for converting the print job into a page description language (PDL) that the printer can use to print the job. The most common PDLs are PostScript, printer control language (PCL), and XML Paper Specifications (XPS). In most cases, drivers come with the Windows application, or you can find them by going to Windows Update in Control Panel and checking for updates. If the Windows application does not have the driver you need, you can find it on the disk that came with the printer, or on the manufacturer's Web site.
If the Windows operating system does not recognize your printer automatically, you must configure the printer type during the installation process. The Printer Setup Wizard presents you with an exhaustive list of currently installed printer types. However, if your printer is not listed, you must obtain and install the necessary driver. You can preinstall printer drivers into the driver store, thereby making them available in the printer list, by using the pnputil.exe command-line tool.
When you connect a new printer to your computer, the Windows application tries to find and install a software driver for the printer. Occasionally, you might see a notification that a driver is unsigned or has been altered since it was signed, or that Windows cannot install it. You have a choice whether to install a driver that is unsigned or altered.
You can use the Print Management MMC to perform all the basic management tasks for a printer. You can also manage printers from the Devices and Printers page in the Control Panel.
Once you initiate a print job, you can view, pause, or cancel it through the print queue. The print queue shows you what is printing, or waiting to print. It also displays information such as job status, who is printing what, and how many unprinted pages remain. From the print queue, you can view and maintain the print jobs for each printer.
You can access the print queue from the Print Management MMC snap-in or through the See what's printing option on the Devices and Printers page in Control Panel. Documents that are listed first will be the first to print.
To cancel an individual print job, right-click the print job you want to remove, and then click Cancel. To cancel all print jobs, click the Printer menu, and then click Cancel All Jobs. The item currently printing might finish, but the remaining items will be cancelled.
To pause or resume an individual print job, right-click the print job, and then click Pause or Resume. To pause all print jobs, click the Printer menu, and then click Pause Printing. To resume printing, click Resume Printing.
If you are printing multiple items, you can change the order in which they print. To reorder the jobs in the print queue:
1. Open the print queue for the specific printer by performing the steps outlined previously.
2. Right-click the print job to be reordered, and then click Properties.
3. Click the General tab, and then drag the Priority slider left or right to change its print order. Items with higher priority print first.
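The following PowerShell is an added example and not part of the course; it performs the driver staging and queue tasks described above from a command prompt, using the pnputil tool named earlier and the PrintManagement cmdlets that Windows 8 introduced. The driver path and the printer name ManagersPrinter are sample values; job priority has no cmdlet in this module, so reordering stays with the Properties dialog.

```powershell
# Added example (not from the course): stage a printer driver with pnputil
# and manage a print queue with the PrintManagement cmdlets that Windows 8
# introduced. The driver path and printer name are assumed sample values.

function Add-StagedPrinterDriver {
    param([string]$InfPath = 'D:\Drivers\Printer\driver.inf')   # assumed path
    # Windows 8 pnputil syntax: -a adds the package to the driver store, after
    # which the Add Printer wizard lists the printer model. Unsigned packages
    # trigger the same warning as the wizard does; run elevated.
    & pnputil.exe -a $InfPath
}

function Get-QueueSummary {
    param([string]$PrinterName)
    # Equivalent of "See what's printing": one row per job, in queue order.
    Get-PrintJob -PrinterName $PrinterName |
        Select-Object Id, DocumentName, UserName, JobStatus, PagesPrinted, TotalPages, SubmittedTime
}

function Suspend-Queue {
    param([string]$PrinterName)
    # Pause every job ("Pause Printing"); a job already being rendered may still complete.
    Get-PrintJob -PrinterName $PrinterName | Suspend-PrintJob
}

function Resume-Queue {
    param([string]$PrinterName)
    # "Resume Printing"
    Get-PrintJob -PrinterName $PrinterName | Resume-PrintJob
}

function Clear-Queue {
    param([string]$PrinterName)
    # "Cancel All Jobs": the item currently printing might finish first.
    Get-PrintJob -PrinterName $PrinterName | Remove-PrintJob
}

Get-QueueSummary -PrinterName 'ManagersPrinter' | Format-Table -AutoSize
# Suspend-Queue -PrinterName 'ManagersPrinter'
# Resume-Queue  -PrinterName 'ManagersPrinter'
```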
Objectives
Create and share a local printer
Lab Setup
Estimated Time: 10 minutes
Virtual machines: 20687A-LON-DC1, 20687A-LON-CL1, 20687A-LON-CL2
User name: Adatum\Administrator and Adatum\Ed
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   User name: Adatum\Administrator
   Password: Pa$$w0rd
5. Repeat steps 2 and 3 for 20687A-LON-CL1 and 20687A-LON-CL2. Do not log on until directed to do so.
Switch to LON-CL1, verify that the test page is in the ManagersPrinter queue, and Resume Printing.
Results: At the end of this exercise, you will have created, shared, and tested a printer.
Lesson 5
PDF and Open Document Format (ODF) Support: You can view PDF and ODF documents saved in SkyDrive.
Bing Integration: You can use the Microsoft Bing Save & Share feature to save search histories in a SkyDrive folder.
Additional Reading: For more information on SkyDrive features, see: http://windows.microsoft.com/en-US/skydrive/home.
Accessing SkyDrive
SkyDrive can be accessed in several different ways, including:
Windows Hotmail
Windows PC running Windows Vista Service Pack 2 (SP2) or newer.
Windows Server 2008 SP2 and the Platform Update for Windows Server 2008 or newer.
Mac OS X 10.7 (Lion).
Windows Phone app.
An iPhone OS (iOS) app.
An iPad app.
A Windows 8 Metro style app.
Configuring SkyDrive
Before you can use SkyDrive from the Windows 8 SkyDrive tile, you must connect your Domain (or local) account with your Microsoft Account. To begin the process, you select the Settings charm from the Start screen, and then click More PC Settings. On the PC settings screen, click the Users section. Then, click the Connect button to start the wizard for synchronizing your account with your Microsoft account. In the wizard, you can choose which features you want to synchronize:
Personalize: Colors, background, lock screen, and your account picture
Desktop personalization: Themes, taskbar, and more
Ease of Access: High contrast, Narrator, Magnifier and more
Language preferences: Keyboards, other input methods, display language, and more
App Settings: Certain settings in your apps
Browser settings: History, bookmarks, and favorites
Other Windows settings: Windows Explorer and mouse settings
Sign-in info: For some apps, websites, networks, and HomeGroup
You can toggle the synchronization setting of these options from the Sync your settings menu on the PC Settings menu.
To simplify the assignment of permissions, you can grant the Everyone group Full Control share permission to all shares and use only NTFS permissions to control access. Restrict share permissions to the minimum required, to provide an extra layer of security in case NTFS permissions are configured incorrectly. When permissions inheritance is blocked, you have the option to copy existing permissions, or begin with blank permissions. If you only want to restrict a particular group or user, then copy existing permissions to simplify the configuration process.
Best Practice: Managing Shared Folders Supplement or modify the following best practices for your own work situations:
If the guest user account is enabled on your computer, the Everyone group includes anyone. In practice, remove the Everyone group from any permission lists and replace it with the Authenticated Users group.
Using a firewall other than that supplied with Windows 8 can interfere with the Network Discovery and file-sharing features.
Question: A. Datum is installing Microsoft Dynamics GP, and they have contracted with a vendor to provide some custom programming work. A. Datum asked Joseph, their senior IT desktop specialist, to configure the NTFS permissions for the GP planning files it will be accumulating. A. Datum has asked that all IT users be assigned Modify permissions to the GP Implementation Planning folder. However, A. Datum only wants the subfolder titled Vendor Contracts to be available for viewing by a select group of managers. How can Joseph accomplish this by taking into account permission inheritance?
Question: Robin recently created a spreadsheet in which she explicitly assigned it NTFS file permissions that restricted file access to just herself. Following the system reorganization, the file moved to a folder on another NTFS partition and Robin discovered that other users were able to access the spreadsheet. What is the probable cause of this situation?
Tools
Use the following command prompt tools to manage file and printer sharing.

Tool          Description
Net share     Share folders from the command prompt.
Net use       Connect to shared resources from the command prompt.
Cacls.exe     Configure NTFS file and folder permissions from the command prompt.
Compact.exe   Compress NTFS files and folders from the command prompt.
Pnputil.exe   Preinstall printer drivers into the driver store.
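The following PowerShell is added as an example and is not part of the course. It applies the best practices listed above to a new share: inheritance is blocked and the NTFS ACL is built explicitly, the share permission grants Authenticated Users rather than Everyone and no more than Change, and a second function audits the existing shares for an Everyone grant. It assumes the SmbShare module of Windows 8 or Windows Server 2012; the folder C:\Shares\Marketing and the group ADATUM\Marketing are sample values.

```powershell
# Added example (not part of the course): create a share that follows the
# best practice above (restrictive share permissions, access controlled by
# NTFS ACLs), then audit existing shares for the weak "Everyone" grant.
# Requires the SmbShare module (Windows 8 / Server 2012) and an elevated
# prompt. C:\Shares\Marketing and ADATUM\Marketing are assumed sample values.

function New-HardenedShare {
    param(
        [string]$Path      = 'C:\Shares\Marketing',
        [string]$ShareName = 'Marketing',
        [string]$Group     = 'ADATUM\Marketing'   # assumed domain group
    )
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }

    # NTFS ACL: block inheritance and keep nothing from the parent, then
    # grant Modify to the group and Full Control to Administrators and SYSTEM.
    $acl = Get-Acl $Path
    $acl.SetAccessRuleProtection($true, $false)
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    foreach ($entry in @(
            @{ Id = $Group;                   Rights = 'Modify' },
            @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
            @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' })) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $entry.Id, $entry.Rights, $inherit, $prop, 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl

    # Share permissions: Authenticated Users instead of Everyone, and only
    # Change, so a mistaken NTFS grant still cannot hand out Full Control.
    New-SmbShare -Name $ShareName -Path $Path -ChangeAccess 'NT AUTHORITY\Authenticated Users'
}

function Find-EveryoneShares {
    # Audit: non-administrative shares whose share-level ACL still allows Everyone.
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        $share = $_
        Get-SmbShareAccess -Name $share.Name |
            Where-Object { $_.AccountName -eq 'Everyone' -and $_.AccessControlType -eq 'Allow' } |
            Select-Object @{n='Share';e={$share.Name}}, @{n='Path';e={$share.Path}}, AccessRight
    }
}

New-HardenedShare
Find-EveryoneShares | Format-Table -AutoSize
```

The same result can be reached with the command-line tools in the table (net share for the share, cacls.exe or icacls.exe for the NTFS ACL); the cmdlet form is used here because Get-SmbShareAccess makes the audit of existing shares a one-liner.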
Module 8
Securing Windows 8 Desktops
Contents:
Module Overview 8-1
Lesson 1: Authentication and Authorization in Windows 8 8-2
Lesson 2: Implementing GPOs 8-6
Lab A: Implementing Local GPOs 8-14
Lesson 3: Securing Data with EFS and BitLocker 8-17
Lab B: Securing Data 8-37
Lesson 4: Configuring User Account Control 8-39
Lab C: Configuring and Testing UAC 8-46
Module Review and Takeaways 8-48
Module Overview
Users are becoming increasingly computer literate, and they expect more from the technology that they use at work. They expect to be able to work from home, from branch offices, and on the road, without a decrease in their productivity or access to the programs and applications that they need most. As the needs of users have changed, the demands on IT support professionals have increased. Today, support professionals are being asked to provide more capabilities and support greater flexibility, while continuing to minimize security risks. In this module, you will explore features of Windows 8 that help you maintain a secure computer desktop environment for your users.
Objectives
After completing this module, you will be able to:
Describe authentication and authorization in Windows 8.
Describe how to use local Group Policy Objects (GPOs) to configure security and other settings.
Select a suitable disk encryption method.
Configure User Account Control (UAC).
Lesson 1
Before effectively defining Windows 8 security measures, such as NTFS file-system permissions, and file and folder sharing properties, it is essential that you understand the user account types that are used during security configuration, and how the Kerberos version 5 protocol authenticates and authorizes user logons. This lesson examines the authentication and authorization features, which provide the foundation for the Windows security infrastructure.
Authorization allows a system to determine whether an authenticated user can access and update secured system resources. Examples of authorized permissions include file and file-directory access, hours of access, amount of allocated storage space, and other specifications. Authorization has two facets:
The system administrator defines permissions for system resources initially.
The system or application verifies users' permission values when users attempt to access or update a system resource.
You can provide authorization and access without implementing authentication. This is typically the case when permissions are granted for anonymous users who are not authenticated. Usually, these permissions are limited.
Standard. This account allows you to use most of the capabilities of the computer. A person that logs in with a standard user account can use most programs on the computer and change settings that affect his or her user account. However, the user typically cannot install or uninstall software and hardware, delete files that the computer requires, or change settings that affect other users or the computer's security. The system may prompt a standard user for an administrator password before he or she can perform certain tasks.
Administrator. This account allows you to make changes that affect other users. Administrators can change security settings, install software and hardware, and access all files on the computer. Administrators also can make changes to other user accounts.
Guest. This account allows another person to have temporary access to your computer. People using the guest account cannot install software or hardware, change settings, or create a password. You must enable this feature before your guests can use it.
Note: When you set up a computer, you are required to create an administrator user account, which provides the ability to set up your computer and install any programs that you want to use. After setup is complete, you should use a standard user account for your daily computing tasks. It is more secure to use a standard user account, rather than an administrator account, because it can prevent making changes that affect anyone who uses the computer, especially if your user account logon credentials are stolen.
Users must be authenticated to verify their identity when they access files over a network. Authentication is performed during the network logon process. The Windows 8 operating system supports the following authentication methods for network logons:
Kerberos version 5 protocol. This is the main logon authentication method used by clients and servers that are running Microsoft Windows operating systems. It provides authentication for user and computer accounts.
Windows NT LAN Manager (NTLM). This method provides backward compatibility with pre-Windows 2000 operating systems and some applications. However, it is less flexible, efficient, and secure than the Kerberos version 5 protocol.
Certificate mapping. This method is typically used in conjunction with smart cards. The certificate stored on a smart card is linked to a user account for authentication. A smart card reader is used to read the smart cards and authenticate the user.
Kerberos Authentication
For Windows 8 clients, the Kerberos authentication protocol provides the mechanism for mutual authentication between the client and a server before a network connection is opened between them.
Note: Active Directory Domain Services (AD DS) implements Kerberos authentication.
In a client/server application model:
Windows 8 clients are programs that act on behalf of users who need to perform a task, such as opening a file, accessing a mailbox, querying a database, or printing a document.
Servers, such as Windows Server 2012, are programs that provide services to clients. Some examples of the services can include file storage, mail handling, query processing, print spooling, and a number of other specialized tasks.
Clients initiate an action and servers respond. Typically, this means that the server listens at a communications port, waiting for clients to connect and ask for service.
In the Kerberos security model, every client/server connection begins with authentication. The client and server, in turn, step through a sequence of actions that help parties on each end of the connection verify that the party on the other end is genuine. If authentication is successful, session setup completes, and the client/server application can start working.
Mutual authentication. Using NTLM, servers can verify the identities of their clients. However, clients cannot use NTLM to verify a server's identity, and servers cannot verify the identity of another server. NTLM authentication is ideal for a network environment in which servers are assumed to be genuine. The Kerberos protocol makes no such assumptions and enables parties at both ends of a network connection to identify and verify the party on the other end.
Question: Which authentication method is used when a client computer running the Windows 8 operating system logs on to AD DS?
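The following PowerShell is an added example, not course material, written from the point of view of someone checking which of the two methods above is actually in use. Security event 4624 records the authentication package for every successful logon, so tallying those events shows which sessions were negotiated with Kerberos and which fell back to NTLM and therefore lacked mutual authentication. Reading the Security log needs an elevated prompt; the three sample records are constructed so the summary runs offline.

```powershell
# Added example (not from the course): tally logons by authentication package
# from Security event 4624 to see which sessions used Kerberos and which fell
# back to NTLM. Run elevated; reading the Security log requires it. The sample
# records near the end are constructed, not real log data.

function ConvertFrom-LogonEvent {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    # The EventData fields are positional in the XML; pick them up by name.
    $xml = [xml]$Event.ToXml()
    $d = @{}
    foreach ($f in $xml.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
    [pscustomobject]@{
        Time      = $Event.TimeCreated
        User      = "$($d.TargetDomainName)\$($d.TargetUserName)"
        LogonType = [int]$d.LogonType                # 2 interactive, 3 network, 10 remote interactive
        Package   = $d.AuthenticationPackageName     # Kerberos, NTLM or Negotiate
        Source    = $d.IpAddress
    }
}

function Get-RecentLogons {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours)
    } | ForEach-Object { ConvertFrom-LogonEvent $_ }
}

function Get-AuthPackageSummary {
    param([object[]]$Logons)
    # NTLM logons by domain accounts are the rows worth explaining: the client
    # could not obtain a Kerberos ticket (for example a UNC path by IP address
    # or a legacy application) and so lost mutual authentication of the server.
    $Logons |
        Where-Object { $_.LogonType -in 2, 3, 10 } |
        Group-Object Package |
        ForEach-Object {
            [pscustomobject]@{
                Package = $_.Name
                Count   = $_.Count
                Users   = ($_.Group.User | Sort-Object -Unique) -join ', '
            }
        }
}

# Constructed sample (not real log data) so the summary can run offline.
$sample = @(
    [pscustomobject]@{ Time = Get-Date; User = 'ADATUM\Ed';   LogonType = 3;  Package = 'Kerberos'; Source = '10.10.0.21' }
    [pscustomobject]@{ Time = Get-Date; User = 'ADATUM\Adam'; LogonType = 3;  Package = 'NTLM';     Source = '10.10.0.22' }
    [pscustomobject]@{ Time = Get-Date; User = 'ADATUM\Ed';   LogonType = 2;  Package = 'Kerberos'; Source = '-' }
)
Get-AuthPackageSummary -Logons $sample | Format-Table -AutoSize

# Live run on a domain-joined Windows 8 client:
# Get-AuthPackageSummary -Logons (Get-RecentLogons -Hours 24)
```

On the client itself, klist lists the Kerberos tickets the current logon session holds; an empty list on a domain-joined computer is the quickest hint that the logon fell back to NTLM.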
Windows BitLocker drive encryption and BitLocker To Go. These tools help mitigate unauthorized data access by rendering data inaccessible when you decommission or recycle BitLocker-protected computers. BitLocker To Go provides similar protection for data on removable data drives.
Windows AppLocker. This tool enables administrators to specify exactly what programs, applications, and services can run on a user's computer.
Note: Module 9: Configuring Applications discusses AppLocker in detail.
UAC. This tool enables users to run their computers as standard users and perform all necessary daily tasks.
Windows Firewall with Advanced Security. Provides protection from malicious users and programs that rely on unsolicited incoming traffic to attack computers.
Windows Defender. Helps protect you from spyware and other forms of malicious software.
Note: Module 6: Implementing Network Security describes Windows Defender and Windows Firewall with Advanced Security.
Lesson 2
Before we examine the important security features in Windows 8, it is important that you understand the best ways in which to configure security-related settings in Windows 8. Although you can perform computer-specific administration and configuration tasks, it can be more efficient to implement your planned configuration settings by using GPOs, which provide an infrastructure for centralized configuration management of the operating system and applications that run on the operating system. This lesson discusses Group Policy fundamentals, such as the difference between local and domain-based policy settings. This lesson also describes how you can use Group Policy to simplify managing computers and users in an AD DS environment.
Group Policy in Windows 8 uses XML-based templates to describe registry settings. When you enable settings in these templates, Group Policy allows you to apply computer and user settings either on a local computer or through AD DS centrally. You can use Group Policy to:
Apply customized or specific configurations.
Deploy software applications.
Enforce security settings.
Enforce a standardized desktop environment.
You can use Group Policy to restrict certain actions that may pose potential security risks. For example, you can restrict access to registry editing tools or restrict the use of removable storage devices. A GPO is a collection of Group Policy settings, and you can apply one GPO simultaneously to many different containers in AD DS. Conversely, you can apply multiple GPOs simultaneously to one container. In this case, users and computers receive the cumulative effect of all policy settings applied to them.
The local GPO is the least influential object in an AD DS environment because its settings can be overwritten by GPOs that are associated with sites, domains, and organizational units. In a non-networked environment, or in a networked environment that does not have a domain controller, the local GPO settings are more important because they are not overwritten by other GPOs. Stand-alone computers use only local GPOs to control the environment.
Each Windows 8 computer has one local GPO that contains default computer and user settings, regardless of whether the computer is part of an AD DS environment. In addition to this default local GPO, you can create custom local user GPOs. You can maintain these local GPOs by using the Group Policy Object Editor snap-in. Note: To access the Group Policy Management Editor, open a new management console window by running mmc.exe, and then add the Group Policy Management Editor to the console.
By using Group Policy, you can define the state of users' work environments once, and then rely on the system to enforce the policies that you define. With the Group Policy snap-in, you can specify policy settings for the following:
Registry-based policies include Group Policy for the Windows 8 operating system and its components, and for programs. To manage these settings, use the Administrative Templates node of the Group Policy Editor snap-in. Security options include options for local computer security settings. You can use the software installation and maintenance options to centrally manage program installation, updates, and removal. Scripts options include scripts for computer startup and shutdown, and user logon and logoff.
Computer Configuration. This section enables you to set policies that are applied to a computer, regardless of who logs on to the computer. Computer Configuration typically contains subitems for software settings, Windows settings, and administrative templates.
User Configuration. This section enables you to set policies that apply to users, regardless of which computer they log on to. User Configuration typically contains subitems for software settings, Windows settings, and administrative templates.
To use the Group Policy Object Editor, perform the following steps:
1. Expand the GPO that you want, such as Local Computer Policy.
2. Expand the configuration item that you want, such as Computer Configuration.
3. Expand the subitem that you want, such as Windows Settings.
4. Navigate to the folder that contains the policy setting that you want. The policy items are displayed in the right pane of the Group Policy Editor snap-in.
Note: If no policy is defined for the selected item, right-click the folder that you want, and then on the shortcut menu that appears, point to All Tasks and then click the command that you want. The commands that are displayed on the All Tasks submenu are context-sensitive. Only those commands that are applicable to the selected policy folder appear on the menu.
5. In the Setting list, double-click the policy item that you want.
Note: When you work with policy items in the Administrative Templates folder, click the Extended tab in the right pane of the Microsoft Management Console (MMC) if you want to view more information about the selected policy item.
6. Edit the settings of the policy in the dialog box that appears, and then click OK.
7. When you are finished, quit the MMC.
maller networks s, it is likely tha at you will con nfigure all com mputers as part t of the Note: In sm defa ault AD DS site e object. There efore, you can disregard this s AD DS contai iner when plan nning GPO Os. 3. 4. l policy setting gs. Domain-level Organizational unit (OU) po olicy settings.
cally, you creat te an OU to co ontain objects, such as users and computers that you Note: Typic wish h to administer in a similar manner. m For ex xample, you m ight want to d delegate control of all thos se objects to a local adminis strator, or you might want al ll the objects in the OU to ha ave the sam me configured settings. In sm mall networks, you y can config gure most sett tings at the do omain-level, and then it is unnecessary to cre eate complex, nested OU str ructures for management pu urposes.
Policy settings applied to higher-level containers pass through to all subcontainers in that part of the AD DS tree. For example, a policy setting applied to an OU also applies to any child OUs below it.
If policy settings are applied at multiple levels, the user or computer receives the effects of all policy settings. In case of a conflict between policy settings, the policy setting applied last is the effective policy, though you can change this behavior as necessary.
Note: You can enforce individual policies, which ensures that the settings from an enforced policy take precedence over other settings further down the AD DS tree. It also is possible to block inheritance, although blocking is applied to containers rather than to policies. In large network environments, with many containers and policies, it can sometimes be difficult to determine which settings from which policies are in force on a given computer or user. A domain administrator can use the Group Policy Modeling and Group Policy Results nodes in the Group Policy Management console to help determine the application of policies.
Introduction to MLGPO
Local Group Policy is a subset of a broader technology known as Group Policy. Group Policy is domain based, while Local Group Policy is specific to the local computer. Both technologies allow you to configure specific settings in the operating system and then force those settings to computers and users. Local Group Policy is not as robust as Group Policy. For example, you can use Group Policy to configure any number of policies that might affect some, all, or none of the users of a domain-joined computer. Group Policy even can apply policies to users that have specific group memberships.
However, prior to Windows Vista, Local Group Policy was only able to apply one policy to a computer and all the local users of it, even the local administrator. This made it difficult to manage stand-alone computers effectively because the same policy applied to both administrators and standard users. Windows 8 gives you the ability to apply different GPOs to stand-alone users. Windows 8 provides this ability with three layers of local GPOs:
- Local Group Policy
- Administrators and Non-Administrators Group Policy
- User-specific Local Group Policy
Each computer stores only one local GPO that contains the default computer and user settings. This policy is stored in the hidden %systemroot%\System32\GroupPolicy directory. Custom administrator, non-administrator, and user policies that you create are stored in: %systemroot%\System32\GroupPolicyUsers.
These layers of local GPOs are processed in order, starting with Local Group Policy, continuing with Administrators and Non-Administrators Group Policy, and finishing with user-specific Local Group Policy.
The Administrators and Non-Administrators Local GPOs do not exist by default. You must create them if you want to use them on your Windows 8 client. These GPOs act as a single layer and logically sort all local users into two groups when a user logs on to the computer: the user is either an administrator or a non-administrator. Users who are members of the Administrators group receive policy settings assigned in the Administrators Local GPO. All other users receive policy settings assigned in the Non-Administrators Local GPO.
Local administrators can use the last layer of the Local Group Policy object, Per-User Local Group Policy objects, to apply specific policy settings to a specific local user.
Processing Order
The benefits of MLGPOs come from the processing order of the three separate layers. The layers are processed as follows:
1. The Local GPO applies first. This Local GPO may contain both computer and user settings. User settings contained in this policy apply to all users, including the local administrator.
2. The Administrators and Non-Administrators Local GPOs are applied next. These two Local GPOs represent a single layer in the processing order, and the user receives one or the other. Neither of these Local GPOs contains computer settings.
3. User-specific Local Group Policy is applied last. This layer of Local GPOs contains only user settings, and you apply it to one specific user on the local computer.
Available user settings are the same between all Local GPOs. It is possible that a policy setting in one Local GPO contradicts the same setting in another Local GPO. Windows 8 resolves these conflicts by using the Last Writer Wins method. This method resolves the conflict by overwriting any previous setting with the last-read (most current) setting. The final setting is the one that Windows uses. For example, an administrator enables a setting in the Local GPO. The administrator then disables the same setting in a user-specific Local GPO. The user logging on to the computer is not an administrator. Windows reads the Local GPO first, followed by the Non-Administrators Local GPO, and then the user-specific Local GPO. The state of the policy setting is enabled when Windows reads the Local GPO. The policy setting is not configured in the Non-Administrators Local GPO. This has no effect on the state of the setting, so it remains enabled. The policy setting is disabled in the user-specific Local GPO. This changes the state of the setting to disabled. Windows reads the user-specific Local GPO last. Therefore, it has the highest precedence. The Local Computer Policy has a lower precedence.
Stand-alone computers benefit the most from Multiple Local Group Policy objects because they are managed locally. Domain-based computers apply Local Group Policy first and then domain-based policy. Windows 8 continues to use the Last Writer Wins method for conflict resolution. Therefore, policy settings originating from domain Group Policy overwrite any conflicting policy settings found in any Local Group Policy to include administrative, non-administrative, and user-specific Local Group Policy.
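The Last Writer Wins evaluation described above, as an added PowerShell example that is not part of the course: a function that reads the layers in the order the text gives (Local, then Administrators or Non-Administrators, then user-specific, then domain) and reports the effective state of one setting, followed by a listing of the local GPO folders the text names. The setting name is constructed; the SID-named subfolders under GroupPolicyUsers are from my own experience with Windows 8, not from the course text.

```powershell
# Added example (not course material): model "Last Writer Wins" across the
# MLGPO layers for one setting, then list the local GPO folders named above.
function Resolve-MlgpoSetting {
    param(
        [Parameter(Mandatory)][string]$Setting,
        [hashtable]$LocalGpo             = @{},   # computer and user settings, read first
        [hashtable]$AdministratorsGpo    = @{},   # user settings only
        [hashtable]$NonAdministratorsGpo = @{},   # user settings only
        [hashtable]$UserGpo              = @{},   # per-user layer, last local layer
        [hashtable]$DomainGpo            = @{},   # domain GPOs are read after every local layer
        [switch]$UserIsAdministrator
    )
    # The middle layer is a single layer: the user receives exactly one of the two GPOs.
    $groupName = if ($UserIsAdministrator) { 'Administrators' } else { 'Non-Administrators' }
    $groupGpo  = if ($UserIsAdministrator) { $AdministratorsGpo } else { $NonAdministratorsGpo }

    $layers = @(
        @{ Name = 'Local';         Gpo = $LocalGpo  },
        @{ Name = $groupName;      Gpo = $groupGpo  },
        @{ Name = 'User-specific'; Gpo = $UserGpo   },
        @{ Name = 'Domain';        Gpo = $DomainGpo }
    )

    $state = 'Not Configured'
    $trace = foreach ($layer in $layers) {
        if ($layer.Gpo.ContainsKey($Setting)) {
            # A configured value read later overwrites whatever was read earlier.
            $state = $layer.Gpo[$Setting]
            '{0,-18} sets {1}' -f $layer.Name, $state
        } else {
            # Not Configured leaves the state inherited from earlier layers untouched.
            '{0,-18} not configured, state stays {1}' -f $layer.Name, $state
        }
    }
    [pscustomobject]@{ Setting = $Setting; Effective = $state; Trace = @($trace) }
}

# The walk-through from the text: enabled in the Local GPO, disabled in the
# user-specific GPO, user is not an administrator. Effective state: Disabled.
# 'Example setting' is a constructed name, not a real policy.
$r = Resolve-MlgpoSetting -Setting 'Example setting' `
        -LocalGpo @{ 'Example setting' = 'Enabled' } `
        -UserGpo  @{ 'Example setting' = 'Disabled' }
$r.Trace
"Effective on a stand-alone computer: $($r.Effective)"

# Domain-joined case: a conflicting domain setting is read last, so it wins over
# every local layer, including the user-specific GPO. Effective state: Enabled.
$r = Resolve-MlgpoSetting -Setting 'Example setting' `
        -LocalGpo  @{ 'Example setting' = 'Enabled' } `
        -UserGpo   @{ 'Example setting' = 'Disabled' } `
        -DomainGpo @{ 'Example setting' = 'Enabled' }
"Effective with a domain GPO: $($r.Effective)"

# Where the layers live on disk (paths from the text). The group and per-user
# layers are subfolders of GroupPolicyUsers named by SID; in my experience the
# two group layers use the well-known SIDs S-1-5-32-544 (Administrators) and
# S-1-5-32-545 (Users). The folders are hidden, so -Force is required.
$sys32 = Join-Path $env:SystemRoot 'System32'
Get-Item (Join-Path $sys32 'GroupPolicy') -Force -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime
Get-ChildItem (Join-Path $sys32 'GroupPolicyUsers') -Directory -Force -ErrorAction SilentlyContinue |
    Select-Object Name, LastWriteTime
```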
You can disable the processing of local GPOs on clients that are running Windows 8 by enabling the Turn off Local Group Policy objects processing policy setting in a domain GPO. You can find this setting by expanding Computer Configuration, expanding Administrative Templates, expanding System, and then clicking Group Policy.
Select the object for which you want to create a special GPO. You must add a separate instance of the snap-in for each instance of the local GPO that you want to create.
Question: An administrator selects the Disable the Security page setting in the Local GPO. The administrator then enables the same setting in a user-specific Local GPO. The user logging on to the computer is not an administrator. Which policy setting will be applied to this Local GPO?
This demonstration shows how to create and verify settings of multiple local Group Policies in Windows 8.
Open a management console, and add the Group Policy Object Editor snap-in to the console. Set the focus for the local computer. Add the Group Policy Object Editor snap-in to the console again, this time selecting the Administrators group as the focus.
Add the Group Policy Object Editor snap-in to the console for a third time, this time selecting the Non-administrators group as the focus. Save the console to the desktop.
A computer that belongs to an AD DS domain receives many of its security-related configuration settings through a GPO. You can use the Local Group Policy Editor to configure the same settings on a standalone workstation that is running Windows 8.
To configure local Group Policy, run gpedit.msc from the Run box with elevated privileges. You then can use the local Group Policy Object Editor to configure the security-related settings that the following table lists.

| Setting | Meaning |
| --- | --- |
| Password Policy | A subcomponent of Account Policies that enables you to configure password history, maximum and minimum password age, password complexity, and password length. Note: This only applies to local accounts. |
| Account Lockout Policy | A subcomponent of Account Policies that enables you to define settings related to the action that you want Windows 8 to take when a user enters an incorrect password at logon. Note: This only applies to local accounts. |
| Audit Policy | A subcomponent of Local Policies that enables you to define audit behavior for various system activities, including logon events and object access. |
| User Rights Assignment | A subcomponent of Local Policies that enables you to configure user rights, including the ability to log on locally, access the computer from the network, and shut down the system. |
| Security Options | A subcomponent of Local Policies that enables you to configure many settings, including Interactive logon settings, User Account Control settings, and Shutdown settings. |
| Windows Firewall with Advanced Security | Enables you to configure the firewall settings. |
| Network List Manager Policies | Enables you to configure user options for configuring new network locations. |
| Public Key Policies | Includes settings for Certificate Auto-Enrollment and the Encrypting File System (EFS) Data Recovery Agents. |
| Software Restriction Policies | Enables you to identify and control which applications can run on the local computer. |
| IP Security Policies | Enables you to create, manage, and assign Internet Protocol security (IPsec) policies. |
| Windows Update | Enables you to configure Automatic updating. Located under Administrative Templates\Windows Components. |
| | Enables you to configure driver installation behavior. Located under Administrative Templates\System. |
After you configure the local policy, you can export the security-related settings to a policy file, and then save them in a security template file with an .INF extension. You then can import the template into the Local Group Policy Editor to use these templates to configure additional computers.
This demonstration shows different security settings in the Windows 8 Local Group Policy Editor, and then reviews the changes to some of these settings.
Demonstration Steps
1. Log on as administrator.
2. Open the Group Policy Editor management console snap-in.
3. Navigate to Computer Configuration, Windows Settings, Security Settings, and review the settings.
Holly Dickson is the IT manager at A. Datum Corp. She has expressed a concern that some of the laptop computers that are used outside of the A. Datum network are more susceptible to security breaches. She has asked that you investigate how best to configure security and other settings on these computers.
Objectives
- Create multiple local GPOs.
- Apply the local GPOs.
Lab Setup
Estimated Time: 20 minutes
Virtual Machine(s): 20687A-LON-DC1
User Name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect.
4. Wait until the virtual machine starts.
5. Log on using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Adatum
Although you typically configure most security and other settings by using domain-based GPOs, you decide that for these laptop computers, implementing local GPOs would achieve Holly's goal of securing these roaming computers. You decide to implement multiple local GPOs to ensure that administrator and standard user accounts can have different settings:
- The default computer policy will be configured to display a warning dialog box.
- The non-administrators policy will be configured with certain security restrictions.
- The administrators policy will not be configured with the same security restrictions.
The main tasks for this exercise are as follows:
1. Create a management console for multiple local Group Policies.
2. Configure the local computer settings.
3. Configure Non-Administrators security settings.
Save the console to the Desktop with the name Multiple Local Group Policy Editor.
Results: After this exercise, you should have successfully created and configured multiple local GPOs.
Log on as Adatum\Holly with the password Pa$$w0rd, and then verify that the logon script runs on the desktop. Attempt to open Control Panel.
Results: After this exercise, you should have implemented and tested multiple local GPOs successfully.
When you have finished the lab, leave the virtual machines running, as they are needed for the next lab.
Lesson 3
Laptops and desktop hard drives can be stolen, which poses a risk for confidential data. You can secure data against these risks by using a two-phased defensive strategy, one that incorporates both EFS and Windows BitLocker Drive Encryption.
This lesson provides a brief overview of EFS. However, IT professionals interested in implementing EFS must research this feature thoroughly before making a decision on using EFS. If you implement EFS without implementing proper recovery operations or without understanding how the feature works, you can cause your data to be unnecessarily exposed. To implement a secure and recoverable EFS policy, you must have a more comprehensive understanding of EFS.

BitLocker is another defensive strategy that complements EFS. BitLocker protects against data theft or exposure on computers that are lost or stolen, and offers more secure data deletion when computers are decommissioned. Data on a lost or stolen computer is vulnerable to unauthorized access, either by running a software attack tool against it or by transferring the computer's hard disk to a different computer. BitLocker helps mitigate unauthorized data access on lost or stolen computers by combining two major data-protection procedures: encrypting the entire Windows operating system volume on the hard disk, and encrypting multiple fixed volumes.
What Is EFS?
EFS is the built-in file encryption tool for Windows file systems. A component of the NTFS file system, EFS enables transparent encryption and decryption of files by using advanced, standard cryptographic algorithms. Any individual or program that does not possess the appropriate cryptographic key cannot read the encrypted data. You can protect encrypted files even from those who gain physical possession of the computer on which the files are stored; even people who are authorized to access the computer and its file system cannot view the data.
You must understand that while encryption is a powerful addition to any defensive plan, you also must use other defensive strategies because encryption is not the correct countermeasure for every threat. Also, every defensive weapon, if you use it incorrectly, carries the potential for harm. The following are the basic EFS features:
EFS encryption does not occur at the application level, but rather at the file-system level. Therefore, the encryption and decryption process is transparent to the user and the application. If you mark a folder for encryption, EFS will encrypt every file created in, or moved to, the folder. Applications do not have to understand EFS or manage EFS-encrypted files any differently than unencrypted files.
If a user attempts to open a file and possesses the necessary key, the file opens without additional effort on the user's part. If the user does not possess the key, he or she receives an "Access denied" message.
File encryption uses a symmetric key that is encrypted with the user's public key and stored in the file header. A certificate with the user's public and private keys (known as asymmetric keys) is stored in the user's profile. This key pair is bound to a user identity and made available to the user who has possession of the user ID and password. The user's private key must be available for decryption of the file.
If the private key is damaged or missing, even the user that encrypted the file cannot decrypt it. If a recovery agent exists, the file may be recoverable. If you implement key archival, then you can recover the key, and decrypt the file. Otherwise, the file may be lost. This encryption system is commonly referred to as Public Key Infrastructure (PKI). The user's certificate that contains his or her public and private keys can be archived, such as exported to a USB memory stick, and kept in a safe place to ensure recovery if keys become damaged.
The user's public and private keys are protected by the user's password. Any user who can obtain the user ID and password can log on as that user, and then decrypt that user's files. Therefore, a strong password policy and strong user education must be a component of each organization's security practices to ensure the protection of EFS-encrypted files.
EFS-encrypted files do not remain encrypted during transport if you save them to, or open them from, a folder on a remote server. The file is decrypted, and then traverses the network in plain text. EFS then encrypts it locally if you save it to a folder on the local drive that is marked for encryption. EFS-encrypted files can remain encrypted while traversing the network if you are saving them to a Web folder by using WebDAV. EFS is only supported on the NTFS file system. If a user moves or copies an encrypted file to a non-NTFS file system, like a universal serial bus (USB) memory stick that is formatted with the file allocation table 32-bit (FAT32) file system, the file will no longer be encrypted.
The following are additional important facts about implementing EFS on Windows 8:
- Support for AES 256-Bit Encryption. EFS supports industry-standard encryption algorithms including Advanced Encryption Standard (AES). AES uses a 256-bit symmetric encryption key and is the default EFS algorithm.
- Support for Storing Private Keys on Smart Cards. Windows 8 includes full support for storing users' private keys on smart cards. If a user logs on to Windows 8 with a smart card, EFS also can use the smart card for file encryption.
Administrators can store their domain's recovery keys on a smart card. Recovering files is then as simple as logging on to the affected machine, either locally or by using Remote Desktop, and using the recovery smart card to access the files.
Encrypting File System Rekeying Wizard. The Encrypting File System Rekeying Wizard allows users to choose an EFS certificate, and then select and migrate existing files that will use the newly chosen EFS certificate. Administrators can use the wizard to migrate users in existing installations from software certificates to smart cards. The wizard also is helpful in recovery situations because it is more efficient than decrypting and re-encrypting files.
Group Policy Settings for EFS. You can use Group Policy to centrally control and configure EFS protection policies for the entire enterprise. For example, Windows 8 allows page file encryption through the local security policy or Group Policy.
Per-User Encryption of Offline Files. You can use EFS to encrypt offline copies of files from remote servers. When this option is enabled, each file in the offline cache is encrypted with a public key from the user who cached the file. Thus, only that user has access to the file, and even local administrators cannot read the file without access to the user's private keys.
Note: When users encrypt files in remote shared folders, their keys are stored on the file server.
This method is more cumbersome than using a CA because there is no centralized management, and users become responsible for managing their own keys. Additionally, it is more difficult to manage for recovery. However, it is still a popular method because no setup is required.
EFS uses public key cryptography to allow the encryption of files. The keys are obtained from the user's EFS certificate. Because the EFS certificates also may contain private key information, you must manage them correctly. Users can make encrypted files accessible to other users' EFS certificates. If you grant access to another user's EFS certificate, that user can, in turn, make the file available to other users' EFS certificates.
Note: You can issue EFS certificates only to individual users, not to groups.
Backing Up Certificates
CA administrators can archive and recover CA-issued EFS certificates. Users must back up their self-generated EFS certificates and private keys manually. To do this, they can export the certificate and private key to a Personal Information Exchange (PFX) file, which is password-protected during the export process. The password then is required to import the certificate into a user's certificate store.
If you need to distribute only your public key, you can export the client EFS certificate without the private key to Canonical Encoding Rules (CER) files.
A user's private key is stored in the user's profile in the RSA folder, which is accessed by expanding AppData, expanding Roaming, expanding Microsoft, and then expanding Crypto. Because there is only one instance of the key, it is vulnerable to hard-disk failure or data corruption. The Certificate Manager MMC exports certificates and private keys. The Personal Certificates store contains the EFS certificates.
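The backup the text describes, as an added PowerShell example that is not part of the course: find the current user's EFS certificate in the Personal store by its Encrypting File System EKU, export it with the private key to a password-protected PFX, export the public part to a CER, and check the Encrypted attribute that tells you whether a file (or a copy made to a non-NTFS volume) still carries EFS protection. The backup directory and sample file are constructed; the Export-PfxCertificate and Export-Certificate cmdlets are the ones shipped with Windows 8.

```powershell
# Added example (not course material). Requires Windows 8 / PowerShell 3.0 and the
# PKI module cmdlets Export-PfxCertificate and Export-Certificate.
$efsEku = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID "Encrypting File System"

function Get-MyEfsCertificate {
    # Newest certificate in the user's Personal store that carries the EFS EKU and a private key
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $efsEku) } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

function Backup-EfsCertificate {
    param(
        [Parameter(Mandatory)][string]$BackupDir,           # constructed, e.g. a USB stick kept offline
        [Parameter(Mandatory)][securestring]$PfxPassword    # needed again when the PFX is imported
    )
    $cert = Get-MyEfsCertificate
    if (-not $cert) { throw 'No EFS certificate with a private key found in Cert:\CurrentUser\My' }
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $stem = Join-Path $BackupDir ('efs-{0}-{1}' -f $env:USERNAME, $cert.Thumbprint.Substring(0, 8))
    # PFX: certificate plus private key, password-protected. This is the copy that lets you
    # recover files if the key in the profile's RSA folder is lost.
    Export-PfxCertificate -Cert $cert -FilePath "$stem.pfx" -Password $PfxPassword | Out-Null
    # CER: public key only, safe to give to others so they can add you to their encrypted files.
    Export-Certificate -Cert $cert -FilePath "$stem.cer" -Type CERT | Out-Null
    [pscustomobject]@{ Thumbprint = $cert.Thumbprint; Pfx = "$stem.pfx"; Cer = "$stem.cer" }
}

function Test-EfsEncrypted {
    param([Parameter(Mandatory)][string]$Path)
    # NTFS records EFS protection in the file's Encrypted attribute.
    [bool]((Get-Item -LiteralPath $Path -Force).Attributes -band [IO.FileAttributes]::Encrypted)
}

# Usage: encrypt a constructed sample file, back up the certificate, and run the check.
$sample = Join-Path $env:TEMP 'efs-sample.txt'
Set-Content -LiteralPath $sample -Value 'constructed sample data'
[IO.File]::Encrypt($sample)                 # marks the file for EFS with the current user's key
Test-EfsEncrypted -Path $sample             # True on an NTFS volume

$pw = Read-Host -AsSecureString -Prompt 'Password for the PFX backup'
Backup-EfsCertificate -BackupDir (Join-Path $env:USERPROFILE 'EFS-Backup') -PfxPassword $pw

# After copying $sample to a non-NTFS volume (for example a FAT32 stick), run
# Test-EfsEncrypted against the copy: FAT32 has no Encrypted attribute, so a copy
# that landed there is plaintext and the check returns False.
```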
EFS users can share encrypted files with other users on file shares and in web folders. With this support, you can give individual users permission to access an encrypted file. The ability to add users is restricted to individual files. After you encrypt a file, you can enable file sharing through the user interface. You must first encrypt a file and then save it before adding more users. You can add users either from the local computer or from AD DS, if the user has a valid certificate for EFS. It is important that users electing to share encrypted files are aware of the following points:
Shared EFS files are not file shares. If authorized users need to access shared EFS files over the network, a file share or Web folder is required. Alternatively, users can establish remote sessions with computers that store encrypted files by using Remote Desktop Services (RDS).
- Any user who is authorized to decrypt a file can authorize other users to access the file. Granting access is not limited to the file owner. Caution users to share files only with trusted accounts because those accounts can authorize other accounts. Removing the Write permission from a user or group of users can prevent this problem, but it also prevents the user or group from modifying the file.
- EFS sharing requires that the users who will be authorized to access the encrypted file have EFS certificates. These certificates can be located in roaming profiles or in the user profiles on the computer on which the file to be shared is stored, or they can be stored in and retrieved from AD DS.
- EFS sharing of an encrypted file often means that the file will be accessed across the network. It is best if web folders are used for encrypted file storage whenever possible.
If a user chooses to remotely access an encrypted file that is stored on a file share, and to authorize other users to access the file, the authorization process and requirements are the same as on the local computer. Additionally, EFS must impersonate the user to perform this operation, and all the requirements for remote EFS operations on files stored on file shares apply. If a user chooses to remotely access an encrypted file stored on a web folder, and to authorize other users to access the file, the file is automatically transmitted to the local computer in ciphertext. The authorization process takes place on the local computer with the same requirements as for encrypted files stored locally. You can authorize individual users to access encrypted files. Perform the following steps to share an encrypted file with other users:
1. In Windows Explorer, right-click the encrypted file, and then click Properties.
2. On the General tab, select Advanced.
3. In the Advanced Attributes dialog box, under Compress or Encrypt Attributes, select Details.
Note: If you select an encrypted folder instead of an encrypted file, the Details button appears dimmed. You can add users to individual encrypted files, but not to folders.
4. In the Encryption Details dialog box, click Add.
5. Add a user from the local computer or from AD DS.
What Is BitLocker?
BitLocker provides protection for a computer operating system and data stored on the operating system volume. It ensures that data stored on a computer remains encrypted, even if someone tampers with the computer when the operating system is not running. BitLocker provides a closely integrated solution in Windows 8 to address the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned personal computers.
Data on a lost or stolen computer can become vulnerable to unauthorized access when a user either runs a software attack tool against it or transfers the computer's hard disk to a different computer. BitLocker helps mitigate unauthorized data access by enhancing Windows file and system protections. BitLocker also helps render data inaccessible when BitLocker-protected computers are decommissioned or recycled.
BitLocker Drive Encryption performs two functions that provide both offline data protection and system integrity verification:
Encrypts all data stored on the Windows operating system volume (and configured data volumes). This includes the Windows operating system, hibernation and paging files, applications, and data that applications use. BitLocker also provides an umbrella protection for non-Microsoft applications, which benefits the applications automatically when they are installed on the encrypted volume.
Is configured by default to use a Trusted Platform Module (TPM) to help ensure the integrity of early startup components, which the operating system uses in the earlier stages of the startup process. It locks any BitLocker-protected volumes, so they remain protected even if someone tampers with the computer when the operating system is not running.
- Enhancing protection to mitigate offline software-based attacks. Any alternative software that might start the system does not have access to the decryption keys for the Windows operating system volume.
- Locking the system when it is tampered with. If any monitored files have been tampered with, the system does not start. This alerts the user to the tampering since the system fails to start as usual. In the event that system lockout occurs, BitLocker offers a simple recovery process.
In conjunction with the TPM, BitLocker verifies the integrity of early startup components, which helps prevent additional offline attacks, such as attempts to insert malicious code into those components. This functionality is important because the components in the earliest part of the startup process must be available unencrypted so that the computer can start. As a result, an attacker can change the code in those early startup components, and then gain access to the computer, even though the data on the disk was encrypted. Then, if the attacker gains access to confidential information, such as the BitLocker keys or user passwords, the attacker can circumvent BitLocker and other Windows security protections.
When a laptop is lost or stolen, the loss of data typically has more impact than the loss of the computer asset. As more people use removable storage devices, they can lose data without losing a PC. BitLocker To Go provides enhanced protection against data theft and exposure by extending BitLocker drive encryption support to removable storage devices, such as USB flash drives, and you can manage it through Group Policy.
In Windows 8, users can encrypt their removable media by opening Windows Explorer, right-clicking the drive, and clicking Turn On BitLocker. They will then be asked to choose a method to unlock the drive. These options include:
- Password: This is a combination of letters, symbols, and numbers the user will enter to unlock the drive.
- Smart card: In most cases, a smart card is issued by your organization and a user enters a smart card PIN to unlock the drive.
After choosing the unlock methods, users will be asked to print or save their recovery password. This is a 48-digit password that can also be stored in AD DS and used if other unlock methods fail, such as when a password is forgotten. Finally, users will be asked to confirm their unlock selections and to begin encryption.
When you insert a BitLocker-protected drive into your computer, Windows will detect automatically that the drive is encrypted, and then prompt you to unlock it.
Question: BitLocker provides full volume encryption. What does this mean?
rives Yo ou can use BitLocker to encr rypt operating system drives s, fixed data dr rives, and removable data dr in n Windows 8. When W you use BitLocker with h data drives, y you can forma at the drive wit th the exFAT, F FAT16, FA AT32, or NTFS file system, but b the drive must m have at le east 64 MB of a available disk s space. When y you use Bi itLocker with operating o syste em drives, you u must format the drive with h the NTFS file system.
Be ecause BitLock ker stores its own encryption n and decrypti on key in a ha ardware device e that is separa ate from th he hard disk, you must have one of the following: A computer with Trusted Platform Mod dule (TPM) ver rsion 1.2. A removable Universal Se erial Bus (USB) memory devi ce, such as a U USB flash drive e.
On O computers that t do not have TPM 1.2, yo ou can still use e BitLocker to encrypt the W Windows opera ating sy ystem volume. However, this s implementation requires th he user to inse ert a USB startu up key to start t the co omputer or res sume from hib bernation, and it does not pr rovide the prestartup system m integrity veri ification th hat BitLocker provides p when working with a TPM.
Add ditionally, BitLo ocker offers the option to lock the normal startup proce ess until the us ser supplies a P PIN or inse erts a removab ble USB device, , such as a flas sh drive, that c contains a start tup key. These e additional sec curity mea asures provide e multifactor au uthentication and assurance e that the computer will not start or resum me from m hibernation until the corre ect PIN or start tup key is pres sented.
To turn t on BitLocker Drive Encry yption, the computer's hard d drive must m meet the follow wing requireme ents:
Have the spac ce necessary fo or Windows 8 to create the two disk partit tions: one for the system volume and one for the operating system s volume e: o
v This pa artition include es the drive on n which you in nstall Windows s. BitLocker encrypts System volume. this drive e, which no lon nger needs a drive d letter. Operating system volume. A second partition is cre eated as neede ed, when you enable BitLock ker in Windows s 8. This partition must rema ain unencrypte ed so that you can start the c computer. This s partition must be 100 MB, M and you must m set it as t he active parti ition.
Have a BIOS that t is compat tible with TPM or supports U USB devices du uring compute er startup. The BIOS must be: o o o Trusted Computing C Gro oup (TCG) com mpliant. Set to sta art first from th he hard disk, and a not the US SB or CD drives. Able to read from a US SB flash drive during d startup..
BitLocker does not require a TPM. However, only a computer with a TPM can provide the additional security of prestartup system-integrity verification. Perform the following steps to determine if a computer has a TPM version 1.2 chip:
1. Open Control Panel, click System and Security, and then click BitLocker Drive Encryption.
2. In the lower left corner, click TPM Administration. The Trusted Platform Module (TPM) Management on Local Computer console opens. If the computer does not have the TPM 1.2 chip, the Compatible TPM cannot be found message appears.
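The same check can be scripted. The following is an added example, not code from the course: it queries the Win32_Tpm WMI class in the root\cimv2\security\microsofttpm namespace that Windows 8 provides, and must run from an elevated PowerShell session. The readiness rule at the end (version 1.2 or later, and enabled, activated and owned) is an assumption stated in the comment.

```powershell
# Added example, not from the course: report whether a TPM is present, its TCG
# specification version, and whether it is in the state BitLocker needs.
# Win32_Tpm and its properties are real; run this from an elevated PowerShell session.
function Get-TpmSummary {
    $tpm = Get-WmiObject -Namespace 'root\cimv2\security\microsofttpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) {
        # No TPM, TPM disabled in the BIOS, or the query was not run elevated.
        return [pscustomobject]@{ Present = $false; SpecVersion = $null
                                  Enabled = $false; Activated = $false
                                  Owned = $false; BitLockerReady = $false }
    }
    # SpecVersion looks like "1.2, 2, 3"; the first field is the TCG spec version.
    $spec      = ($tpm.SpecVersion -split ',')[0].Trim()
    $enabled   = [bool]$tpm.IsEnabled_InitialValue
    $activated = [bool]$tpm.IsActivated_InitialValue
    $owned     = [bool]$tpm.IsOwned_InitialValue
    [pscustomobject]@{
        Present        = $true
        SpecVersion    = $spec
        Enabled        = $enabled
        Activated      = $activated
        Owned          = $owned
        # Assumed readiness rule: version 1.2 or later, and enabled, activated and owned.
        BitLockerReady = ([version]$spec -ge [version]'1.2') -and $enabled -and $activated -and $owned
    }
}

Get-TpmSummary | Format-List
```

If Present is false on hardware that is known to have a TPM, check that the TPM is enabled in the BIOS and that the session is elevated before concluding that the computer cannot use TPM-based protection.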
This topic provides an in-depth examination of these two BitLocker modes.
The most secure implementation of BitLocker leverages the enhanced security capabilities of TPM 1.2. The TPM is a hardware component that manufacturers install in many newer computers. It works with BitLocker to help protect user data and to ensure that a computer that is running Windows 8 is not tampered with while the system is offline.
Configuring Windows 8
BitLocker supports TPM v1.2, but it does not support older TPMs. Version 1.2 TPMs provide increased standardization, security enhancement, and improved functionality compared to previous versions. Windows 8 was designed with these TPM improvements in mind.
On computers that have a TPM 1.2, BitLocker uses the enhanced TPM security capabilities to help ensure that your data is accessible only if the computer's boot components appear unaltered and the encrypted disk is located in the original computer. If you enable BitLocker on a Windows 8 computer that has a TPM 1.2, you can add the following additional factors of authentication to the TPM protection:
BitLocker offers the option to lock the normal boot process until the user supplies a PIN or inserts a USB device, such as a flash drive, that contains a BitLocker startup key. Both the PIN and the USB device can be required.
In a scenario that uses a TPM with an advanced startup option, you can add a second factor of authentication to the standard TPM protection: a PIN or a startup key on a USB flash drive. To use a USB flash drive with a TPM, the computer must have a BIOS that can read USB flash drives in the pre-operating system environment (at startup). You can check your BIOS by running a hardware test near the end of the BitLocker setup wizard. These additional security measures provide multifactor authentication, and help ensure that the computer will not start or resume from hibernation until the user presents the correct authentication method.
On computers equipped with a TPM, each time the computer starts, each of the early startup components, such as the BIOS, the boot sector, and the boot manager code, examines the code that is about to run, calculates a hash value, and stores the value in the TPM. Once that value is stored in the TPM, it cannot be replaced until the user restarts the system. A combination of these values is recorded. You can use these recorded values to protect data by using the TPM to create a key that links to these values. When you create this type of key, the TPM encrypts it, and only that specific TPM can decrypt it. Each time the computer starts, the TPM compares the values generated during the current startup with the values that existed when the key was created. It decrypts the key only if those values match. This process is called sealing and unsealing the key.
As part of its system integrity verification process, BitLocker examines and seals keys to the measurements of the following:
- The Core Root of Trust (CRTM)
- The BIOS and any platform extensions
- Option read-only memory (ROM) code
- MBR code
- The NTFS boot sector
- The boot manager
If any of these items change unexpectedly, BitLocker locks the drive to prevent it from being accessed or decrypted.
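The measure-extend-seal sequence described above can be modelled in a few lines. The following is an added example, not course material: it reproduces the TPM 1.2 PCR extend rule (PCR_new = SHA1(PCR_old || measurement)) over a constructed list of boot components, records the composite once as the value a key was sealed to, and shows that a changed, missing or reordered component produces a different composite so the unseal comparison fails. The component names are stand-ins, not real measurements.

```powershell
# Added example, not from the course: a small model of how early boot components are
# measured into a TPM 1.2 PCR and why a key sealed to that PCR only unseals when the
# same components run again in the same order. TPM 1.2 PCRs are SHA-1 sized and extend as
# PCR_new = SHA1(PCR_old || measurement). Component names below are constructed stand-ins.
$sha1 = [System.Security.Cryptography.SHA1]::Create()

function Invoke-PcrExtend {
    param([byte[]]$Pcr, [string]$Component)
    # "Measure" the component: hash its bytes. Real firmware hashes the code image.
    $measurement = $sha1.ComputeHash([Text.Encoding]::UTF8.GetBytes($Component))
    return $sha1.ComputeHash([byte[]]($Pcr + $measurement))
}

function Get-BootComposite {
    param([string[]]$BootChain)
    $pcr = New-Object byte[] 20          # every PCR is all zeros after power-on
    foreach ($c in $BootChain) { $pcr = Invoke-PcrExtend -Pcr $pcr -Component $c }
    return ([BitConverter]::ToString($pcr) -replace '-', '')
}

# The composite BitLocker records when it seals the volume master key.
$trustedChain = 'CRTM', 'BIOS v1.0', 'Option ROM', 'MBR', 'NTFS boot sector', 'bootmgr'
$sealedTo = Get-BootComposite -BootChain $trustedChain

function Test-Unseal {
    param([string[]]$BootChain)
    # The TPM releases the key only if the live composite equals the sealed one.
    return ((Get-BootComposite -BootChain $BootChain) -eq $sealedTo)
}

"Unchanged boot chain unseals:        $(Test-Unseal $trustedChain)"
"BIOS update changes a measurement:   $(Test-Unseal ('CRTM','BIOS v1.1','Option ROM','MBR','NTFS boot sector','bootmgr'))"
"Same components, different order:    $(Test-Unseal ('CRTM','BIOS v1.0','Option ROM','NTFS boot sector','MBR','bootmgr'))"
```

The model is why a legitimate BIOS update, a changed boot sector, or a boot from installation media all send BitLocker into recovery mode: the TPM cannot tell an authorized change from tampering, it only sees a composite that differs from the one the key was sealed to.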
By default, BitLocker is configured to look for and use a TPM. You can use Group Policy to allow BitLocker to work without a TPM and store keys on an external USB flash drive. However, BitLocker then cannot verify the early startup components.
You can enable BitLocker on a computer without a TPM 1.2, as long as the BIOS has the ability to read from a USB flash drive in the boot environment. This is because BitLocker will not unlock the protected volume until BitLocker's own volume master key is first released by either the computer's TPM or by a USB flash drive containing the BitLocker startup key for that computer. However, computers without TPMs will not be able to use the system-integrity verification that BitLocker provides.
If the startup key is located on a USB flash drive, your computer must have a BIOS that can read USB flash drives in the pre-operating system environment (at startup). You can check your BIOS by running the hardware test that is near the end of the BitLocker setup wizard.
To help determine whether a computer can read from a USB device during the boot process, use the BitLocker System Check as part of the BitLocker setup process. This system check performs tests to confirm that the computer can read from the USB devices properly at the appropriate time and that the computer meets other BitLocker requirements.
To enable BitLocker on a computer without a TPM, use Group Policy to enable the advanced BitLocker user interface. With the advanced options enabled, the non-TPM settings appear in the BitLocker setup wizard.
Question: What is a disadvantage of running BitLocker on a computer that does not contain TPM 1.2?
In addition to recovery passwords, you can use Group Policy to configure a domain-wide public key called a data recovery agent that will permit an administrator to unlock any drive encrypted with BitLocker. Before you can use a data recovery agent, you must add it from the Public Key Policies item in either the Group Policy Management Console (GPMC) or the Local Group Policy Editor.
To use a data recovery agent with BitLocker, you must enable the appropriate Group Policy setting for the drives that you are using with BitLocker. These settings are:
- Choose how BitLocker-protected operating system drives can be recovered.
- Choose how BitLocker-protected removable data drives can be recovered.
- Choose how BitLocker-protected fixed data drives can be recovered.
When you enable the policy setting, select the Enable data recovery agent check box. There is a policy setting for each type of drive, so you can configure individual recovery policies for each type of drive on which you enable BitLocker.
You also must enable and configure the Provide the unique identifiers for your organization policy setting to associate a unique identifier to a new drive that is protected with BitLocker. Identification fields are required for management of data recovery agents on BitLocker-protected drives. BitLocker will manage and update data recovery agents only when an identification field is present on a drive and is identical to the value configured on the computer. Using these policy settings helps enforce standard deployment of BitLocker Drive Encryption in your organization.

Group Policy settings that affect BitLocker are located in Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption. Globally applied BitLocker Group Policy settings are located in this folder. Subfolders for fixed data drives, operating system drives, and removable drives support configuration of policy settings specific to those drives.

Note: If you want to use BitLocker to protect an operating system drive on a computer that does not have a TPM, you must enable the Require additional authentication at startup Group Policy setting, and then within that setting, click Allow BitLocker without a compatible TPM.
The following table summarizes some of the key policy settings that affect Windows 8 client computers. Each setting includes the following options: Not Configured, Enabled, and Disabled. The default setting for each setting is Not Configured.

Setting name: Choose default folder for recovery password
Location: BitLocker Drive Encryption folder
Description: This specifies a default location, which is shown to the user, to which the user can save recovery keys. This can be a local or network location. The user is free to choose other locations.

Setting name: Choose drive encryption method and cipher strength
Location: BitLocker Drive Encryption folder
Description: This allows you to configure the algorithm and cipher strength that BitLocker uses to encrypt files. If you enable this setting, you will be able to choose an encryption algorithm and key cipher strength. If you disable or do not configure this setting, BitLocker will use the default encryption method of AES 128-bit with Diffuser, or the encryption method that the setup script specifies.

Setting name: Provide the unique identifiers for your organization
Location: BitLocker Drive Encryption folder
Description: This allows you to associate unique organizational identifiers to a new drive that is enabled with BitLocker. BitLocker will manage and update data recovery agents only when the identification field on the drive matches the value that you configure in the identification field. This also applies to removable drives that you configure by using BitLocker To Go.

Setting name: Prevent memory overwrite on restart
Location: BitLocker Drive Encryption folder
Description: This controls computer restart performance at the risk of exposing BitLocker secrets. BitLocker secrets include key material that you use to encrypt data. If you enable this setting, memory will not be overwritten when the computer restarts. This can improve restart performance, but does increase the risk of exposing BitLocker secrets. If you disable or do not configure this setting, BitLocker removes secrets from memory when the computer restarts.

Setting name: Deny write access to fixed drives not protected by BitLocker
Location: Fixed Data Drives folder
Description: This determines whether BitLocker protection is required for fixed data drives to be writable on a computer. If you enable this setting, all fixed data drives that are not BitLocker-protected will be mounted as read-only. If the drive is BitLocker-protected, or if you disable or do not configure this setting, all fixed data drives will be mounted with read and write access.

Setting name: Allow access to BitLocker-protected fixed data drives from earlier versions of Windows
Location: Fixed Data Drives folder
Description: This configures whether fixed data drives formatted with the FAT file system can be unlocked and viewed on computers that are running Windows Server 2008, Windows Vista, and Windows XP with Service Pack 3 (SP3) or Service Pack 2 (SP2) operating systems.

Setting name: Choose how BitLocker-protected fixed drives can be recovered
Location: Fixed Data Drives folder
Description: This allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials.

Setting name: Require additional authentication at startup
Location: Operating System Drives folder
Description: This allows you to configure whether you can enable BitLocker on computers without a TPM, and whether you can use multifactor authentication on computers with a TPM.

Setting name: Choose how BitLocker-protected operating system drives can be recovered
Location: Operating System Drives folder
Description: This allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information.

Setting name: Configure TPM platform validation profile
Location: Operating System Drives folder
Description: This configures which of the TPM platform measurements stored in platform configuration registers (PCRs) are used to seal BitLocker keys.

Setting name: Control use of BitLocker on removable drives
Location: Removable Data Drives folder
Description: This controls the use of BitLocker on removable data drives.

Setting name: Configure use of smart cards on removable data drives
Location: Removable Data Drives folder
Description: This allows you to specify whether smart cards can be used to authenticate user access to BitLocker-protected removable drives on a computer.

Setting name: Deny write access to removable drives not protected by BitLocker
Location: Removable Data Drives folder
Description: This configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive.

Setting name: Allow access to BitLocker-protected removable drives from earlier versions of Windows
Location: Removable Data Drives folder
Description: This configures whether removable data drives formatted with the FAT file system can be unlocked and viewed on computers that are running Windows Server 2008, Windows Vista, and Windows XP with SP3 or SP2 operating systems.

Setting name: Configure use of passwords for removable data drives
Location: Removable Data Drives folder
Description: This specifies whether a password is required to unlock BitLocker-protected removable data drives. If you choose to allow use of a password, you can require a password to be used, enforce complexity requirements, and configure a minimum length.

Setting name: Choose how BitLocker-protected removable drives can be recovered
Location: Removable Data Drives folder
Description: This allows you to control how BitLocker-protected removable data drives are recovered in the absence of the required startup key information.

The following settings control which TPM commands are available, and are listed with their default values:

Setting name: Configure the list of blocked TPM commands
Default: None
Description: This allows you to disable or enable specific TPM functions, but the next two settings can restrict which commands are available. Group Policy-based lists override local lists. You can configure local lists in the TPM Management console.

Setting name: Ignore the default list of blocked TPM commands
Default: Disabled
Description: By default, BitLocker blocks certain TPM commands. To enable these commands, you must enable this policy setting.

Setting name: Ignore the local list of blocked TPM commands
Default: Disabled
Description: By default, a local administrator can block commands in the TPM Management console. You can use this setting to prevent that behavior.
Configuring BitLocker
In Windows 8, you can enable BitLocker from either Control Panel or by right-clicking the volume that you want to encrypt. This initiates the BitLocker Setup Wizard, and the BitLocker Drive Preparation tool validates system requirements. During the preparation phase, BitLocker creates the second partition if it does not exist.
Administration
You can manage BitLocker by using the BitLocker control panel. A command-line management tool, manage-bde.wsf, is also available for IT Professionals to perform scripting functionality remotely.
After you encrypt and protect the volume by using BitLocker, local and domain administrators can use the Manage Keys page in the BitLocker control panel to duplicate keys and reset the PIN.
The BitLocker control panel displays BitLocker's status, and provides the functionality to enable or disable BitLocker. If BitLocker is actively encrypting or decrypting data due to a recent installation or uninstall request, the progress status appears. IT professionals also can use the BitLocker control panel to access the TPM management MMC.
Perform the following steps to turn on BitLocker Drive Encryption:
1. In Control Panel, click System and Security, and then click BitLocker Drive Encryption.
2. If the User Account Control dialog box appears, confirm that the action it displays is what you want and then click Continue.
3. On the BitLocker Drive Encryption page, click Turn On BitLocker on the operating system volume. A message appears, warning that BitLocker encryption might have a performance impact on your server. If your TPM is not initialized, the Initialize TPM Security Hardware wizard appears. Follow the directions to initialize the TPM, and then restart or shut down your computer.
4. The Save the recovery password page shows the following options:
  - Save the password on a USB drive: Saves the password to a USB flash drive.
  - Save the password in a folder: Saves the password to a folder on a network drive or other location.
  - Print the password: Prints the password.
Use one or more of these options to preserve the recovery password. For each, select the option, and then follow the wizard steps to set the location for saving or printing the recovery password. When you finish saving the recovery password, click Next.
5. On the Encrypt the selected disk volume page, confirm that the Run BitLocker System Check check box is selected, and then click Continue.
Confirm that you want to restart the computer by clicking Restart Now. The computer restarts, and then BitLocker verifies whether the computer is BitLocker-compatible and ready for encryption. If it is not, an error message will alert you to the problem.
6. If the computer is ready for encryption, the Encryption in Progress status bar displays. You can monitor the ongoing completion status of the disk-volume encryption by dragging your mouse cursor over the BitLocker Drive Encryption icon, which is in the notification area at the bottom of your screen.
By completing this procedure, you have encrypted the operating system volume and created a recovery password unique to this volume. The next time that you log on, you will see no change. If the TPM ever changes or BitLocker cannot access it, or if there are changes to key system files or someone tries to start the computer from a product CD or DVD to circumvent the operating system, the computer will switch to recovery mode until the user supplies the correct recovery password.
Use the following procedure to change your computer's Group Policy settings so that you can turn on BitLocker Drive Encryption without a TPM. Instead of a TPM, you will use a startup key to authenticate yourself. The startup key is on a USB flash drive that you insert into the computer before you turn it on.
For this scenario, you must have a BIOS that will read USB flash drives in the pre-operating system environment (at startup). You can check your BIOS by running the system check that is in the final step of the BitLocker wizard. Before you start:
- You must be logged on as an administrator.
- BitLocker must be installed on this server.
- You must have a USB flash drive to save the recovery password.
You should try using a second USB flash drive to store the startup key separate from the recovery password.
Perform the following steps to turn on BitLocker on a computer without a compatible TPM:
1. Run gpedit.msc.
2. If the User Account Control dialog box appears, confirm that the action it displays is the action that you want to occur, and then click Continue.
3. In the Local Group Policy Editor console tree, click Computer Configuration, click Administrative Templates, click Windows Components, click BitLocker Drive Encryption, and then click Operating System Drives.
4. Double-click the Require additional authentication at startup setting.
5. Select the Enabled option, select the Allow BitLocker without a compatible TPM check box, and then click OK.
6. You have changed the policy setting so that you can use a startup key instead of a TPM.
7. To force Group Policy to apply immediately, from a command prompt, type gpupdate.exe /force, and then press Enter.
8. From Control Panel, click System and Security, and then click BitLocker Drive Encryption.
9. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
10. On the BitLocker Drive Encryption page, click Turn On BitLocker. This will only appear with the operating system volume.
11. On the Set BitLocker Startup Preferences page, select the Require Startup USB Key at every startup option. This is the only option available for non-TPM configurations. You must insert this key before you start the computer, each time you start it.
12. Insert your USB flash drive in the computer, if you have not done so already.
13. On the Save your Startup Key page, choose the location of your USB flash drive, and then click Save.
14. The following options are available on the Save the recovery password page:
  - Save the password on a USB drive: Saves the password to a USB flash drive.
  - Save the password in a folder: Saves the password to a folder on a network drive or other location.
  - Print the password: Prints the password.
Use one or more of these options to preserve the recovery password. For each, select the option, and then follow the wizard steps to set the location for saving or printing the recovery password. Do not store the recovery password and the startup key on the same media. When you have finished saving the recovery password, click Next.
15. On the Encrypt the selected disk volume page, confirm that the Run BitLocker System Check check box is selected, and then click Continue.
Confirm that you want to restart the computer by clicking Restart Now. The computer restarts, and BitLocker verifies whether the computer is BitLocker-compatible and ready for encryption. If it is not, you will see an error message alerting you to the problem before encryption starts.
16. If the computer is ready for encryption, the Encryption in Progress status bar is displayed. You can monitor the ongoing completion status of the disk-volume encryption by dragging your mouse cursor over the BitLocker icon, which is in the notification area at the bottom of your screen. You also can click the Encryption icon to view the status.
By completing this procedure, you have encrypted the operating system volume and created a recovery password unique to that volume. The next time that you turn your computer on, you must plug the USB flash drive with the startup key into one of the computer's USB ports. If it is not plugged in, you will not be able to access data on your encrypted volume. If you do not have the USB flash drive containing your startup key, then you will need to use recovery mode and supply the recovery password to access data.
Forcing BitLocker into disabled mode keeps the volume encrypted, but the volume master key is encrypted with a symmetric key that it stores unencrypted on the hard disk. The availability of this unencrypted key disables the data protection that BitLocker offers, but ensures that subsequent computer startups succeed without further user input. When you reenable BitLocker, the unencrypted key is removed from the disk and BitLocker protection is turned on. Additionally, BitLocker identifies the volume master key, and encrypts it again.
Moving the encrypted volume, which is the physical disk, to another BitLocker-enabled computer requires that you turn off BitLocker temporarily. No additional steps are required, because the key protecting the volume master key is stored unencrypted on the disk.
Note: Exposing the volume master key even for a brief period is a security risk, because for as long as the clear key exposes these keys, an attacker can access the volume master key and the full volume encryption key.
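The conditions described in the last two procedures (an operating system volume unlocked by a startup key alone, and a volume left in disabled mode with a clear key on disk) are both visible from the local computer. The following is an added audit script, not code from the course: it reads the registry values that the Require additional authentication at startup policy writes under HKLM\SOFTWARE\Policies\Microsoft\FVE, and walks every volume with the Get-BitLockerVolume cmdlet from the BitLocker module that ships with Windows 8. The three findings it raises are the author's own checks; run it from an elevated session.

```powershell
# Added example, not the course's code: audit BitLocker state on the local computer.
# Policy values under HKLM\SOFTWARE\Policies\Microsoft\FVE are the ones written by the
# "Require additional authentication at startup" setting; they are absent when it is
# Not Configured. Requires the BitLocker module (Windows 8) and an elevated session.
function Get-BitLockerAuditReport {
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    $noTpmAllowed = ($policy.UseAdvancedStartup -eq 1) -and ($policy.EnableBDEWithNoTPM -eq 1)

    foreach ($vol in Get-BitLockerVolume) {
        $types    = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $findings = @()

        # Encrypted but protection off is "disabled mode": the VMK sits behind a clear key on disk.
        if ($vol.VolumeStatus -ne 'FullyDecrypted' -and $vol.ProtectionStatus -eq 'Off') {
            $findings += 'Protection suspended: volume master key is exposed by a clear key'
        }
        # Without a recovery password, a volume that enters the locked state cannot be recovered.
        if ($vol.VolumeStatus -ne 'FullyDecrypted' -and -not ($types -contains 'RecoveryPassword')) {
            $findings += 'No recovery password protector'
        }
        # An OS volume whose only unlock path is an ExternalKey (USB startup key) gets no
        # pre-startup integrity verification, the trade-off the non-TPM procedure accepts.
        if ($vol.VolumeType -eq 'OperatingSystem' -and $types.Count -gt 0 -and
            -not ($types | Where-Object { $_ -like 'Tpm*' })) {
            $findings += 'OS volume relies on a startup key only; no TPM integrity check'
        }

        [pscustomobject]@{
            MountPoint    = $vol.MountPoint
            VolumeType    = $vol.VolumeType
            VolumeStatus  = $vol.VolumeStatus
            Protection    = $vol.ProtectionStatus
            KeyProtectors = ($types -join ', ')
            NoTpmPolicy   = $noTpmAllowed
            Findings      = ($findings -join '; ')
        }
    }
}

Get-BitLockerAuditReport | Format-Table -AutoSize -Wrap
```

A volume reported with Protection Off after a disk move or a planned BIOS update should be re-enabled as soon as the maintenance is finished, since that is exactly the window in which the clear key exposes the volume master key.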
On unencrypted drives, data may remain readable even after the drive has been formatted. Enterprises often use multiple overwrites or physical destruction to reduce the risk of exposing data on decommissioned drives.
You can use BitLocker to create a simple, cost-effective decommissioning process. Leaving data encrypted by BitLocker, and then removing the keys, results in an enterprise permanently reducing the risk of exposing this data. It becomes nearly impossible to access BitLocker-encrypted data after removing all BitLocker keys, because this requires solving 128-bit or 256-bit AES encryption. Note: Perform the procedures that this section describes only if you do not want or need the data in the future. You cannot recover the data in the encrypted volume if you perform the procedures that this section details.
You can remove a volume's BitLocker keys by formatting that volume from Windows 8. The format command has been updated to support this operation. To format the operating system volume, you can open a command prompt by using the recovery environment that the Windows 8 installation DVD includes.
Alternatively, an administrator can create a script that effectively removes all BitLocker key protectors. Running such a script will leave all BitLocker-encrypted data unrecoverable when you restart the computer. As a safety measure, BitLocker requires that an encrypted volume have at least one key protector. Given this requirement, you can decommission the drive by creating a new external key protector, not saving the created external key information, and then removing all other key protectors on the volume.
After you remove the BitLocker keys from the volume, you need to perform follow-up tasks to complete the decommissioning process. For example, reset the TPM to its factory defaults by clearing the TPM, and discard saved recovery information for the volume, such as printouts, files stored on USB devices, and information stored in AD DS.
Question: When turning on BitLocker on a computer with TPM 1.2, what is the purpose of saving the recovery password?
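The protector-removal sequence just described, written out with the BitLocker module cmdlets, as an added example that is not the course's own script. It is limited to data volumes (the course's route for an operating system volume is format from the recovery environment), demands an explicit confirmation, and deletes the throw-away external key file so that no copy survives. The scratch folder name is an assumption; the follow-up tasks (Clear-Tpm, discarding printed, USB and AD DS copies of the recovery password) remain manual.

```powershell
# Added example, not the course's own script: decommission an encrypted data volume by
# adding a throw-away external key (to satisfy the "at least one protector" rule), removing
# every other protector, and destroying the only copy of that key. Data is unrecoverable
# afterwards. Requires the BitLocker module (Windows 8) and an elevated session.
function Invoke-BitLockerDecommission {
    param(
        [Parameter(Mandatory)][string]$MountPoint,                          # e.g. 'D:'
        [string]$ScratchDir = (Join-Path $env:TEMP 'bl-decommission')        # assumed location
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -eq 'FullyDecrypted') { throw "$MountPoint is not encrypted; nothing to decommission" }
    if ($vol.VolumeType -eq 'OperatingSystem')  { throw 'Decommission the OS volume with format from the recovery environment' }

    $answer = Read-Host "Type the mount point ($MountPoint) to confirm PERMANENT data loss"
    if ($answer -ne $MountPoint) { return 'Cancelled' }

    # 1. Add the temporary external key protector; the .BEK file lands in $ScratchDir.
    New-Item -ItemType Directory -Path $ScratchDir -Force | Out-Null
    $before  = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorId })
    $updated = Add-BitLockerKeyProtector -MountPoint $MountPoint -StartupKeyProtector -StartupKeyPath $ScratchDir
    $throwaway = @($updated.KeyProtector | Where-Object { $before -notcontains $_.KeyProtectorId })[0].KeyProtectorId

    # 2. Remove every other protector: recovery passwords, passwords, auto-unlock keys, certificates.
    foreach ($kp in $updated.KeyProtector) {
        if ($kp.KeyProtectorId -ne $throwaway) {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
        }
    }

    # 3. Destroy the only copy of the external key and lock the volume. From here on the
    #    ciphertext on disk cannot be unlocked by anyone.
    Remove-Item -Path $ScratchDir -Recurse -Force
    Lock-BitLocker -MountPoint $MountPoint -ForceDismount -ErrorAction SilentlyContinue | Out-Null

    # Follow-up tasks from the course are manual: Clear-Tpm, and discard printed, USB and
    # AD DS copies of the old recovery password.
    return (Get-BitLockerVolume -MountPoint $MountPoint)
}
```

Run the audit of the volume's protectors first and keep a record of which recovery password IDs were retired, so that the AD DS objects and printed copies named in the follow-up tasks can be located and destroyed.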
Configuring BitLocker To Go
BitLocker To Go protects data on removable data drives. It allows you to configure BitLocker Drive Encryption on USB flash drives and external hard drives. The option is available by simply right-clicking on a drive in Windows Explorer to enable BitLocker protection.
BitLocker To Go Scenario
Consider the following scenario. An administrator configures Group Policy to require that users can save data only on data volumes protected by BitLocker. Specifically, the administrator enables the Deny write access to removable drives not protected by BitLocker policy, and deploys it to the domain.
Meanwhile, an end user inserts a USB flash drive. Because the USB flash drive is not protected with BitLocker, Windows 8 displays an informational dialog box indicating that the device must be encrypted with BitLocker. From this dialog, the user chooses to launch the BitLocker Wizard to encrypt the volume or continues working with the device as read-only. If the user decides to implement the device as read-only and then attempts to save a document to the flash drive, an access denied error message appears.
After you configure the device to use BitLocker, when the user saves documents to the external drive, BitLocker encrypts them. When the user inserts the USB flash drive on a different PC, the computer detects that the portable device is BitLocker protected, and prompts the user to specify the passphrase. The user can specify to unlock the volume automatically on the second PC.
Note: In the above scenario, the second computer does not have to be encrypted with BitLocker.
If a user forgets the passphrase for the device, he or she can use the I forgot my passphrase option from the BitLocker Unlock wizard to recover it. Clicking this option displays a recovery password ID that the user supplies to an administrator, who then uses the password ID to obtain the device's recovery password. This recovery password can be stored in AD DS and recovered with the BitLocker Recovery Password tool.
Question: How do you enable BitLocker To Go for a USB flash drive?
The recovery password will be required if the encrypted drive must be moved to another computer, or changes are made to the system startup information. This password is so important that we recommend that you make additional copies of the password and store it in safe places to ensure access to your data.
You will need your recovery password to unlock the encrypted data on the volume if BitLocker enters a locked state. This recovery password is unique to this particular BitLocker encryption. You cannot use it to recover encrypted data from any other BitLocker encryption session.
A computer's password ID is a 32-character password unique to a computer name. Find the password ID under a computer's property settings, which you can use to locate passwords stored in AD DS. To locate a password, the following conditions must be true:
- You must be a domain administrator or have delegate permissions.
- The client's BitLocker recovery information is configured to be stored in AD DS.
- The client's computer has been joined to the domain.
- BitLocker Drive Encryption must have been enabled on the client's computer.
Prior to searching for and providing a recovery password to a user, confirm that the person is the account owner and is authorized to access data on the computer in question. Search for the password in Active Directory Users and Computers by using either one of the following:
- Drive Label
- Password ID
When you search by drive label, after locating the computer, right-click the drive label, click Properties, and then click the BitLocker Recovery tab to view associated passwords.
To search by password ID, right-click the domain container, and then select Find BitLocker Recovery Password. In the Find BitLocker Recovery Password dialog box, enter the first eight characters of the password ID in the Password ID field, and then click Search.
Examine the returned recovery password to ensure it matches the password ID that the user provides. Performing this step helps to verify that you have obtained the unique recovery password.
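The same lookup and the verification step above can be done with the ActiveDirectory module, as an added example that is not the course's tool. Recovery passwords are stored as msFVE-RecoveryInformation objects beneath the computer object; the password ID the user reads out is the msFVE-RecoveryGuid attribute, and the password itself is msFVE-RecoveryPassword. The computer name and password ID in the usage line are assumed, and the caller is expected to have confirmed the user's identity and authorization first, as the text requires.

```powershell
# Added example, not from the course: find a BitLocker recovery password in AD DS from a
# computer name and the password ID a user reads from the recovery screen, then insist on
# exactly one match before anything is handed over. Requires the ActiveDirectory module
# and delegated read access to msFVE-RecoveryInformation objects.
function Find-BitLockerRecoveryPassword {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$PasswordId     # first 8 (or all 32) hex characters shown to the user
    )
    $computer = Get-ADComputer -Identity $ComputerName
    $prefix   = ($PasswordId -replace '[^0-9A-Fa-f]', '').ToUpper()

    # Recovery objects are direct children of the computer object. msFVE-RecoveryGuid is a
    # 16-byte octet string holding the GUID that the recovery screen displays as the password ID.
    $objects = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties 'msFVE-RecoveryGuid', 'msFVE-RecoveryPassword', 'whenCreated'

    foreach ($obj in $objects) {
        $guid = New-Object -TypeName System.Guid -ArgumentList (,[byte[]]$obj.'msFVE-RecoveryGuid')
        $id   = $guid.ToString('N').ToUpper()            # 32 hex characters, no hyphens
        if ($id.StartsWith($prefix)) {
            [pscustomobject]@{
                Computer         = $ComputerName
                PasswordId       = $id
                Created          = $obj.whenCreated
                RecoveryPassword = $obj.'msFVE-RecoveryPassword'
            }
        }
    }
}

# Usage (names assumed): only after the user's identity and authorization are confirmed.
$match = @(Find-BitLockerRecoveryPassword -ComputerName 'LON-CL1' -PasswordId '1A2B3C4D')
if ($match.Count -ne 1) {
    Write-Warning "Expected exactly one matching password ID, found $($match.Count); do not release a password"
} else {
    # Read the full PasswordId back to the user and have them confirm it before giving the password.
    $match[0]
}
```

Matching on the full 32-character ID rather than the first eight characters removes the small chance that two recovery objects for the same computer share a prefix; the eight-character search exists only because that is what the Find BitLocker Recovery Password dialog accepts.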
Data recovery agent support allows you to dictate that all BitLocker protected volumes, such as operating system, fixed, and the new portable volumes, are encrypted with an appropriate data recovery agent. The data recovery agent is a new key protector that is written to each data volume so that authorized IT administrators will always have access to BitLocker protected volumes.
Question: What is the difference between the recovery password and the password ID?
A user at A. Datum is working on a project that requires that his data be restricted from other members of his project team. The data, stored in a shared folder, is accessible by all A. Datum personnel. You must select a method for providing data privacy for this user's data files.
Objectives
Encrypt files and test access to these encrypted files.
Lab Setup
For this lab, you will use the available virtual machine environment. The required virtual machines should already be running from the preceding lab.
You decide that implementing encryption with EFS will enable the user to prohibit other team members from accessing his data files and maintain security of the file data. The main tasks for this exercise are as follows:
1. Create, share, and secure a data folder for the project team data.
2. Create a sample data file.
3. Encrypt the file and then test file access.
Task 1: Create, share, and secure a data folder for the project team data
1. On LON-DC1, open Windows Explorer.
2. Create a folder called C:\Sales-Data.
3. Share the C:\Sales-Data folder with the following properties:
  - Share name: Sales-Data
  - Share permissions: Authenticated Users, Full Control
  - NTFS permissions: Authenticated Users, Full Control
4. Switch to LON-CL1, and log on as Dan with the password of Pa$$word. Dan is a member of the sales team.
5. Map a network drive to \\LON-DC1\Sales-Data using drive S:.
6. Create a new Microsoft Word document in S: called Team Briefing. Add the following text to the document, and then save the file: This is the team briefing
Note: In Word, if prompted to Help Protect and Improve Microsoft Office, click Don't make changes, and then click OK.
Results: After this exercise, you should have encrypted shared files successfully.
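The encryption and access test the lab asks for can also be driven from PowerShell on LON-CL1. The following is an added example, not part of the lab: it encrypts the document with EFS through System.IO.File.Encrypt (the same operation as the Encrypt contents check box), confirms the Encrypted attribute, lists which certificates can decrypt the file with cipher.exe /c, and shows how to tell an EFS denial from an NTFS denial. The file path assumes the Team Briefing document from Task 1 on the mapped S: drive, and running Test-EfsAccess as a second account is assumed for the access test; on a network share, EFS also requires the file server to be trusted for delegation.

```powershell
# Added example, not part of the lab: encrypt the project file with EFS, confirm the
# Encrypted attribute, list the key holders, and test read access. The path follows the
# lab (S: maps \\LON-DC1\Sales-Data); run Test-EfsAccess as another user for the real test.
function Test-EfsEncrypted {
    param([Parameter(Mandatory)][string]$Path)
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    return ([int]($attrs -band [System.IO.FileAttributes]::Encrypted) -ne 0)
}

function Protect-EfsFile {
    param([Parameter(Mandatory)][string]$Path)
    # Same operation as the "Encrypt contents to secure data" check box in Advanced Attributes.
    [System.IO.File]::Encrypt($Path)
    return (Test-EfsEncrypted -Path $Path)
}

function Get-EfsKeyHolders {
    param([Parameter(Mandatory)][string]$Path)
    # cipher.exe /c lists the user certificates and any recovery agents that can decrypt the file.
    & cipher.exe /c $Path
}

function Test-EfsAccess {
    param([Parameter(Mandatory)][string]$Path)
    # NTFS permissions may allow the read (Authenticated Users, Full Control in the lab)
    # while EFS still refuses it, because this account holds no key for the file.
    try {
        $null = [System.IO.File]::ReadAllBytes($Path)
        return 'Readable: this account holds an EFS key for the file'
    } catch [System.UnauthorizedAccessException] {
        return 'Access denied: NTFS allows the read but no EFS key is available to this account'
    } catch {
        return "Other failure: $($_.Exception.Message)"
    }
}

$file = 'S:\Team Briefing.docx'      # assumed: the document created in Task 1
"Encrypted: $(Protect-EfsFile -Path $file)"
Get-EfsKeyHolders -Path $file
Test-EfsAccess -Path $file
```

Running Test-EfsAccess as Dan returns the readable result, while another sales team member with the same NTFS rights gets the access denied result; that difference is the lab's expected outcome.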
When you are finished the lab, leave the virtual machines running as they are needed for the next lab.
Lesson 4
Many users log on to their computers with a user account that has more rights than necessary to run their applications and access their data files. Using an administrative user account for day-to-day user tasks poses significant security risks. In earlier Windows versions, administrators were encouraged to use an ordinary user account for most tasks, and to use the Run As feature of Windows to execute tasks that required additional rights. Windows 8 provides User Account Control (UAC) to simplify and secure the process of elevating your account rights. However, unless you know how UAC works, and its potential impact, you might have problems when you attempt to carry out typical desktop-support tasks. This lesson introduces how UAC works and how you can use UAC-related desktop features.
What Is UAC?
UAC is a security feature that provides a way for each user to elevate their status from a standard user account to an administrator account without logging off, switching users, or using Run as.
UAC is a collection of features rather than just a prompt. These features, which include File and Registry Redirection, Installer Detection, the UAC prompt, the ActiveX Installer Service, and more, allow Windows users to run with user accounts that are not members of the Administrators group. These accounts typically are referred to as Standard Users, and are broadly described as running with least privilege. The most important fact is that when users run with Standard User accounts, the experience is typically much more secure and reliable.
Windows 8 reduces the number of operating system applications and tasks that require elevation, so standard users can do more while experiencing fewer elevation prompts. This improves the interaction with UAC while upholding high security standards.
When you need to make changes to your computer that require administrator-level permission, UAC notifies you as follows:
If you are an administrator, click Yes to continue.
If you are not an administrator, someone with an administrator account on the computer will have to enter his or her password for you to continue.
If you are a standard user, providing permission temporarily gives you administrator rights to complete the task, and then your permissions are returned to standard user when you are finished. This ensures that even if you are using an administrator account, changes cannot be made to your computer without you knowing about it. This helps prevent malicious software (malware) and spyware from being installed on, or making changes to, your computer.
How UAC Works
There are two general types of user groups in Windows 8: standard users and administrative users. UAC simplifies users' ability to run as standard users and perform all their necessary daily tasks. Administrative users also benefit from UAC because administrative privileges are available only after UAC requests permission from the user for that instance.
When users have administrative permissions to their computers, they can install additional software. Despite corporate policies against installing unauthorized software, many users still do it, which can make their systems less stable and drive up support costs.
When you enable UAC, and a user needs to perform a task that requires administrative permissions, UAC prompts the user for administrative credentials. In a corporate environment, the Help desk can give the user temporary credentials that have local administrative privileges to complete the task.
The default UAC setting allows a standard user to perform the following tasks without receiving a UAC prompt:
Install updates from Windows Update.
Install drivers from Windows Update or those that are included with the operating system.
View Windows settings. However, a standard user is prompted for elevated privileges when changing Windows settings.
Pair Bluetooth devices with the computer.
Reset the network adapter and perform other network diagnostic and repair tasks.
Administrative e Users
Administrative users automatically have:
Read/Write/Execute permissions to all resources.
All Windows privileges.
While it may seem clear that not every user should be able to read, alter, and delete any Windows resource, many enterprise IT departments that are running earlier Windows versions had no other option but to assign all of their users to the local Administrators group.
One of the benefits of UAC is that it allows users with administrative privileges to run as standard users most of the time. When users with administrative privileges perform a task that requires administrative privileges, UAC prompts the user for permission to complete the task. When the user grants permission, the task in question is performed using full administrative rights, and then the account reverts to a lower level of privilege.
Many applications require users to be administrators by default, because they check administrator group membership before running the application. No user security model existed for Microsoft Windows 95 and Microsoft Windows 98. As a result, developers designed applications assuming that they would be installed and run by users with administrator permissions. A user security model was created for Microsoft Windows NT, but all users were created as administrators by default. Additionally, a standard user on a Windows XP computer must use Run as or log on with an administrator account to install applications and perform other administrative tasks.
The following table details some of the tasks that a standard user can perform, and which tasks require elevation to an administrator account.
Standard users:
Establish a Local Area Network connection
Establish and configure a wireless connection
Modify Display Settings
Users cannot defragment the hard drive, but a service does this on their behalf
Play CD/DVD media (configurable with Group Policy)
Burn CD/DVD media (configurable with Group Policy)
Change the desktop background for the current user
Open the Date and Time Control Panel and change the time zone
Use Remote Desktop to connect to another computer
Change user's own account password
Configure battery power options
Configure Accessibility options
Restore user's backed-up files
Set up computer synchronization with a mobile device (smart phone, laptop, or PDA)
Connect and configure a Bluetooth device
Administrators:
Install and uninstall applications
Install a driver for a device, such as a digital camera driver
Install Windows updates
Configure Parental Controls
Install an ActiveX control
Open the Windows Firewall Control Panel
Change a user's account type
Modify UAC settings in the Security Policy Editor snap-in (secpol.msc)
Configure Remote Desktop access
Add or remove a user account
Copy or move files into the Program Files or Windows directory
Schedule Automated Tasks
Restore system backed-up files
Configure Automatic Updates
Browse to another user's directory
When you enable UAC, members of the local Administrators group run with the same access token as standard users. Only when a member of the local Administrators group gives approval can a process use the administrator's full access token.
This process is the basis of the Admin Approval Mode principle. Users elevate only to perform tasks that require an administrator access token. When a standard user attempts to perform an administrative task, UAC prompts the user to enter valid credentials for an administrator account. This is the default standard-user prompt behavior. The elevation prompt displays contextual information about the executable that is requesting elevation. The context is different depending on whether the application is signed by Authenticode technology. The elevation prompt has two variations: the consent prompt and the credential prompt.
Elevation prompt / Description
Consent prompt: Displayed to administrators in Admin Approval Mode when they attempt to perform an administrative task. It requests approval to continue from the user.
Credential prompt: Displayed to standard users when they attempt to perform an administrative task.
Note: Elevation entry points do not remember that elevation has occurred, such as when you return from a shielded location or task. As a result, the user must re-elevate to enter the task again.
While the number of UAC elevation prompts for a standard user performing an everyday task has been reduced in Windows 8, there are times when it is appropriate for an elevation prompt to be returned. For example, viewing firewall settings does not require elevation; however, changing the settings does require elevation because the changes have a system-wide impact.
When a permission or password is needed to complete a task, UAC will notify you with one of four different types of dialog boxes. The following table describes the different types of dialog boxes used to notify you and provides guidance on how to respond to them.
Type of elevation prompt: A setting or feature that is part of Windows needs your permission to start.
Description: This item has a valid digital signature that verifies that Microsoft is the publisher of this item. If you get this type of dialog box, it is usually safe to continue. If you are unsure, check the name of the program or function to decide if it is something you want to run.
Description: This program has a valid digital signature, which helps to ensure that the program is what it claims to be and verifies the identity of the publisher of the program. If you get this type of dialog box, make sure the program is the one that you want to run and that you trust the publisher.
Description: This program does not have a valid digital signature from its publisher. This does not necessarily indicate danger, since many older, legitimate programs lack signatures. However, use extra caution, and only allow a program to run if you obtained it from a trusted source, such as the original CD or a publisher's Web site. If you are unsure, search the Internet for the program's name to determine if it is a known program or malicious software.
We recommend that most of the time you log on to your computer with a standard user account. You can browse the Internet, send email, and use a word processor, all without an administrator account. When you want to perform an administrative task, such as installing a new program or changing a setting that will affect other users, you do not have to switch to an administrator account; Windows will prompt you for permission or an administrator password before performing the task. Another recommendation is that you create standard user accounts for all the people that use your computer.
Question: What are the differences between a consent prompt and a credential prompt?
When a program makes a change, a prompt appears, but the desktop is not dimmed. Otherwise, the user is not prompted.
When a program makes a change, a prompt appears, and the desktop is dimmed to provide a visual cue that installation is being attempted. Otherwise, the user is not prompted.
Always notify me
Because you can configure the user experience with Group Policy, there can be different user experiences, depending on policy settings. The configuration choices made in your environment affect the prompts and dialog boxes that standard users, administrators, or both, can view.
For example, you may require administrative permissions to change the UAC setting to Always notify me or Always notify me and wait for my response. With this type of configuration, a yellow notification appears at the bottom of the User Account Control Settings page, indicating the requirement. Question: Which two configuration options are combined to produce the end-user elevation experience?
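The two configuration options that the question above refers to, the administrator prompt behavior and the standard user prompt behavior, are Group Policy settings that Windows stores as registry values. The following added example (not from the course or from Microsoft) reads those values and decodes them into the prompt experience they produce, and also reports whether the current session already holds the full administrator token that Admin Approval Mode withholds until consent is given. It assumes the documented value names under Policies\System (EnableLUA, ConsentPromptBehaviorAdmin, ConsentPromptBehaviorUser, PromptOnSecureDesktop, ValidateAdminCodeSignatures) and their meanings on Windows 8.

```powershell
# Added example (not part of the course text): decodes the registry values behind
# the "User Account Control: ..." Group Policy settings into the elevation prompt
# behaviour they produce, and reports whether this session holds a full admin token.
# Assumption: standard UAC value names under Policies\System on Windows 8.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# "Behavior of the elevation prompt for administrators in Admin Approval Mode"
$AdminBehavior = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (default)'
}
# "Behavior of the elevation prompt for standard users" (the setting changed in the lab)
$UserBehavior = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials (default)'
}

function ConvertTo-Meaning {
    param([hashtable]$Map, $Value)
    if ($null -eq $Value) { return 'Not set (built-in default applies)' }
    $text = $Map[[int]$Value]
    if ($text) { $text } else { "Unknown value $Value" }
}

function Get-UacConfiguration {
    $p = Get-ItemProperty -Path $UacKey
    [pscustomobject]@{
        UacEnabled              = ($p.EnableLUA -eq 1)
        AdminApprovalModePrompt = ConvertTo-Meaning $AdminBehavior $p.ConsentPromptBehaviorAdmin
        StandardUserPrompt      = ConvertTo-Meaning $UserBehavior  $p.ConsentPromptBehaviorUser
        SecureDesktopPrompt     = ($p.PromptOnSecureDesktop -eq 1)
        OnlySignedExecutables   = ($p.ValidateAdminCodeSignatures -eq 1)
    }
}

function Test-IsElevated {
    # True only when the process token is the full administrator token (after consent)
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

Get-UacConfiguration | Format-List
"Running with full administrator token: $(Test-IsElevated)"
```

Running this from a normal PowerShell window as a member of Administrators prints False for the token check even though the user is an administrator; only a window started with Run as administrator (after the consent prompt) reports True. That is Admin Approval Mode in action, and it is the quickest way to confirm that a Group Policy change to the prompt behavior has actually applied to a client.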
Create a UAC group policy setting that prevents access elevation. Modify the User Account Control: Behavior of the elevation prompt for standard users setting to Automatically deny elevation requests.
Modify the User Account Control: Behavior of the elevation prompt for standard users setting to be Prompt for credentials.
Holly, the IT manager, is concerned that staff are attempting to perform configuration changes on their computers for which they have no authorization. While Windows 8 does not allow the users to perform these tasks, Holly wants to ensure users are prompted properly about the actions that they are attempting.
Objectives
Modify the default UAC prompting behavior.
Lab Setup
For this lab, you will use the available virtual machine environment. The required virtual machines should be running from the preceding lab.
Enable the User Account Control: Only elevate executables that are signed and validated value.
Results: After this exercise, you should have reconfigured UAC notification behavior and prompts.
Users should export their certificates and private keys to removable media, and then store the media securely when it is not in use. For the greatest possible security, the private key must be removed from the computer whenever the computer is not in use. This protects against attackers who physically obtain the computer and try to access the private key. When you must access the encrypted files, you can import the private key easily from the removable media.
Encrypt the My Documents folder for all users (User_profile\My Documents). This makes sure that the personal folder, where most documents are stored, is encrypted by default.
Users should encrypt folders rather than individual files. Programs work on files in various ways. Encrypting files consistently at the folder level ensures that files are not decrypted unexpectedly.
The private keys that are associated with recovery certificates are extremely sensitive. You must either generate these keys on a computer that is physically secured, or export their certificates to a .pfx file, protect them with a strong password, and save them on a disk that is stored in a physically secure location.
You must assign recovery agent certificates to special recovery agent accounts that you do not use for any other purpose.
Do not destroy recovery certificates or private keys when recovery agents are changed (agents are changed periodically). Keep them all, until all files that may have been encrypted with them are updated.
Designate two or more recovery agent accounts per OU, depending on the size of the OU. Designate two or more computers for recovery, one for each designated recovery agent account. Grant permissions to appropriate administrators to use the recovery agent accounts. It is a good idea to have two recovery agent accounts to provide redundancy for file recovery. Having two computers that hold these keys provides more redundancy to allow recovery of lost data.
Implement a recovery agent archive program to ensure that you can recover encrypted files by using obsolete recovery keys. Recovery certificates and private keys must be exported and stored in a controlled and secure manner. Ideally, as with all secure data, archives must be stored in a controlled access vault, and you must have two archives: a master and a backup. The master is kept on site, while the backup is located in a secure, off-site location.
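The first and fourth practices above (export the user's key to removable media; generate recovery agent keys on a secured computer and export them as a password-protected .pfx) can be carried out with cipher.exe, which ships with Windows. The following is an added example, not part of the course or a Microsoft script; it assumes E:\ is the removable drive, that cipher.exe accepts the /x, /r and /c switches as on Windows 8, and that the Sales-Data path from the lab exists. The EFS enhanced key usage OID is the real Microsoft value; both cipher commands prompt interactively for the .pfx password, so the private key is never written to disk unprotected.

```powershell
# Added example (not part of the course text): backs up the current user's EFS
# certificate and private key to a password-protected .pfx on removable media, and
# generates a data recovery agent certificate for import into Group Policy.
# Assumptions: E:\ is the removable drive; cipher.exe switches as on Windows 8.

$RemovableDrive = 'E:\'
$Stamp = Get-Date -Format 'yyyyMMdd'
if (-not (Test-Path $RemovableDrive)) { throw "Removable media $RemovableDrive is not attached" }

# 1. Locate the user's EFS certificate by its enhanced key usage
#    (1.3.6.1.4.1.311.10.3.4 = Encrypting File System).
$efsCert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.10.3.4' } |
    Select-Object -First 1
if (-not $efsCert) { throw 'No EFS certificate found; Windows issues one the first time you encrypt a file.' }
"EFS certificate thumbprint: $($efsCert.Thumbprint)"

# 2. Export certificate and private key. cipher /x prompts for a password and writes
#    <name>.pfx; after a successful export the media goes into secure storage.
$BackupBase = Join-Path $RemovableDrive "efs-key-$env:USERNAME-$Stamp"
cipher.exe /x "$BackupBase"
if (Test-Path "$BackupBase.pfx") { "Key backup written to $BackupBase.pfx" }

# 3. Generate a recovery agent certificate: <name>.cer (import into the Group Policy
#    data recovery agent list) and <name>.pfx (private key, kept only in the archive).
#    Run this step only on the designated, physically secured recovery computer.
$RecoveryBase = Join-Path $RemovableDrive "efs-recovery-agent-$Stamp"
cipher.exe /r:"$RecoveryBase"
if (Test-Path "$RecoveryBase.cer") { "Recovery agent certificate written to $RecoveryBase.cer" }

# 4. Show which certificates (user and recovery agents) can decrypt a given file
cipher.exe /c 'C:\Sales-Data\Team Briefing.txt'
```

The /c output is the check to run after adding or rotating a recovery agent: a file encrypted before the policy change still lists only the old agent's certificate until the file is touched again, which is why the practice above says to keep retired recovery keys until every file has been updated.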
Avoid using print spool files in your print server architecture, or make sure that print spool files are generated in an encrypted folder.
The Encrypting File System incurs some CPU overhead every time a user encrypts or decrypts a file. Plan your server usage wisely. Load balance your servers when there are many clients that are using EFS.
UAC Security Settings are configurable in the local Security Policy Manager (secpol.msc) or the Local Group Policy Editor (gpedit.msc). However, in most corporate environments, Group Policy is preferred because it can be centrally managed and controlled. There are nine GPO settings that you can configure for UAC. Because the user experience can be configured with Group Policy, there can be different user experiences, depending on policy settings. The configuration choices made in your environment affect the prompts and dialog boxes that standard users, administrators, or both, can view.
For example, you may require administrative permissions to change the UAC setting to Always notify me or Always notify me and wait for my response. With this type of configuration, a yellow notification appears at the bottom of the User Account Control Settings page, indicating the requirement.
A removable USB memory device, such as a USB flash drive. If your computer does not have TPM 1.2 or newer, BitLocker stores its key on the memory device.
The most secure implementation of BitLocker leverages the enhanced security capabilities of TPM 1.2. On computers that do not have a TPM 1.2, you can still use BitLocker to encrypt the Windows operating system volume. However, this implementation requires the user to insert a USB startup key to start the computer or resume from hibernation, and it does not provide the pre-startup system integrity verification that BitLocker offers when it works with a TPM.
Module 9
Configuring Applications
Contents:
Module Overview 9-1
Lesson 1: Install and Configure Applications 9-2
Lesson 2: Managing Apps from the Windows Store 9-11
Lesson 3: Configuring Internet Explorer Settings 9-15
Lab A: Configuring Internet Explorer Security 9-21
Lesson 4: Configuring Application Restrictions in the Enterprise 9-23
Lab B: Configuring AppLocker (Optional) 9-30
Module Review and Takeaways 9-32
Module Overview
Computer users require applications for every task they perform such as editing documents, querying databases, and generating reports. Supporting the installation and operations of applications is a critical part of desktop support.
Objectives
After completing this module, you will be able to:
Install and configure applications.
Install and manage applications from the Windows Store.
Configure and secure Windows Internet Explorer.
Configure application restrictions.
Lesson 1
After installing Windows 8, it is necessary to install applications that support the business needs of your users. Modern applications may install seamlessly on Windows 8, but older applications may experience installation or runtime problems. It is important that you know how to install applications on Windows 8, and how to troubleshoot application compatibility issues.
The installation process for the desktop app begins, and the application is installed. If you are logged on as a standard user, Windows 8 will prompt you to elevate your privileges through User Account Control (UAC) to install the application.
Note: Applications installed across the network can be installed automatically without user intervention, depending upon configuration of the application package.
After you install the desktop application, when you return to the Start screen, the location of the installed application is not immediately obvious. For users familiar with Windows 7 and the Start menu, the initial Start screen can be confusing. But this is only because a limited degree of customization is necessary to optimize the Start screen. To optimize the Start screen for a user's needs, right-click the Start screen, and then click All apps.
In the All apps list, you can see the Windows Store apps listed, together with the desktop app that you just installed. These appear to the right of the display. Right-click each application that you would like to customize, and then select the appropriate action. For example, if you would like Microsoft Outlook 2010 to appear on the Start screen, right-click Microsoft Outlook 2010, and then click Pin to Start. When you return to the Start screen, you will see Microsoft Outlook 2010 listed on the Start screen. You can customize all tiles on the Start screen in the same way. Once an app appears on the Start screen, you also can drag it to where you want it to appear.
Note: Administrators can also use GPOs to configure Start screen-related settings.
Windows Installer is the service in Windows 8 that performs application installations. You can use Windows Installer to install applications. If the application is packaged as an .msi file, and is accessible from the target computer, you can run msiexec.exe from an elevated command prompt to install a desktop app. For example, to install an application from a shared folder, run the following sample command from an elevated command prompt:
Msiexec.exe /i \\lon-dc1\apps\app1.msi
Administrators can also use Windows Installer to update and repair installed desktop apps.
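For unattended deployments the same msiexec.exe call is usually wrapped so that it runs without a UI, writes a verbose log, and reports whether the install actually succeeded. The following added example (not part of the course text or a Microsoft script) does that from PowerShell; it assumes an elevated session (UAC elevation is still required), uses the standard msiexec switches (/i, /f, /qn, /norestart, /L*v) and the well-known Windows Installer exit codes, and reuses the share path from the course example.

```powershell
# Added example (not part of the course text): installs an .msi from a share silently
# with a verbose log and interprets the Windows Installer exit code.
# Assumptions: elevated PowerShell; share path mirrors the course example.

function Install-MsiPackage {
    param(
        [Parameter(Mandatory)][string]$PackagePath,
        [string]$LogPath = (Join-Path $env:TEMP ('msi-' + [IO.Path]::GetFileNameWithoutExtension($PackagePath) + '.log'))
    )
    if (-not (Test-Path -LiteralPath $PackagePath)) {
        throw "Package not found or share not reachable: $PackagePath"
    }
    # /i install, /qn no UI, /norestart suppress automatic reboot, /L*v verbose log
    $msiArgs = @('/i', "`"$PackagePath`"", '/qn', '/norestart', '/L*v', "`"$LogPath`"")
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

    # Well-known Windows Installer return codes
    $result = switch ($proc.ExitCode) {
        0       { 'Success' }
        1602    { 'Cancelled by user' }
        1603    { 'Fatal error during installation (see log)' }
        1618    { 'Another installation is already in progress' }
        1641    { 'Success, restart initiated' }
        3010    { 'Success, restart required' }
        default { "Failed with exit code $($proc.ExitCode) (see log)" }
    }
    [pscustomobject]@{ Package = $PackagePath; ExitCode = $proc.ExitCode; Result = $result; Log = $LogPath }
}

# Repair an existing installation from the same package (/f = repair)
function Repair-MsiPackage {
    param([Parameter(Mandatory)][string]$PackagePath)
    (Start-Process -FilePath 'msiexec.exe' -ArgumentList @('/f', "`"$PackagePath`"", '/qn') -Wait -PassThru).ExitCode
}

Install-MsiPackage -PackagePath '\\lon-dc1\apps\app1.msi'
```

Exit codes 1641 and 3010 are successes that need a reboot, so a deployment script should treat them differently from 1603; the verbose log is the first thing to read when an install fails under a standard user, because it records the UAC or Installer Detection decision that blocked it.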
You then can select an app from the Programs list, and configure for which file types it will be the default program. You can choose one of the following two settings:
Set this program as default. In this setting, the selected program is configured to open all file types and protocols that it can open by default.
Choose defaults for this program. By selecting this option, you can choose specifically which file types and protocols you want to associate with the selected app.
AutoPlay settings determine what Windows will do when the user mounts a CD or DVD, or attaches a removable drive. You can be very specific. For example, if the drive that your user attaches contains video files, you can configure different default actions: Play (Windows Media Player), Take no action, Open folder to view files (Windows Explorer), and Ask me every time. The available actions vary based on the type of device and its contents.
You use this option to determine which program is used for certain user activities. For example, if you want to use a browser other than Internet Explorer for web browsing, you can select the Custom option, and then select which of your installed browser programs you want to use. You can configure defaults for the following functions:
Web browsing
Email access
Media playing
Instant messaging
Virtual machine for Java
Note: You can configure Default Program behavior by selecting Control Panel > Programs > Default Programs.
UAC adds security to Windows by limiting administrator-level access to the computer, and by restricting most users to run as standard users. When users attempt to launch an application that requires administrator permissions, the system prompts them to confirm their intention to do so. UAC also limits the context in which a process executes, which minimizes the ability of users to expose their computer inadvertently to viruses or other malware. This change affects any application installer or update that requires Administrator permissions to run, performs unnecessary Administrator checks or actions, or attempts to write to a non-virtualized registry location. UAC may result in the following compatibility issues:
Custom installers, uninstallers, and updaters may not be detected and elevated to run as administrator.
Standard user applications that require administrative privileges to perform their tasks may fail or not make this task available to standard users.
Applications that attempt to perform tasks for which the current user does not have the necessary permissions may fail. How the failure manifests itself depends on how the application was written.
Control Panel applications that perform administrative tasks and make global changes may not function properly and may fail.
Dynamic link library (DLL) applications that run using RunDLL32.exe may not function properly if they perform global operations.
Standard user applications writing to global locations will be redirected to per-user locations through virtualization.
Windows Resource Protection (WRP) is designed to protect Windows resources, such as files, folders, and registry keys, in a read-only state. This affects specific files, folders, and registry keys. Updates to protected resources are restricted to the operating system's trusted installers, such as Windows Servicing. This gives the components and applications that ship with the operating system more protection from the impact of other applications and administrators. WRP may result in the following compatibility issues:
Application installers that attempt to replace, modify, or delete operating system files and/or registry keys that are protected by WRP may fail with an error message that indicates that the resource cannot be updated. This is because access to these resources is denied.
Applications that attempt to write new registry keys or values to protected registry keys may fail with an error message that indicates that the change failed because access was denied.
Applications that attempt to write to protected resources may fail if they rely on registry keys or values.
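Both mechanisms above can be observed directly when troubleshooting a failing installer. The following added example (not part of the course text or a Microsoft script) first inspects the ACL of a WRP-protected file, where the owner is TrustedInstaller and even Administrators hold only read and execute rights, which is why an installer that tries to overwrite it is denied; it then lists what UAC file and registry virtualization has silently redirected into the per-user VirtualStore, the usual explanation for "the application saved its settings but nobody else can see them". It assumes the standard VirtualStore locations (%LOCALAPPDATA%\VirtualStore and HKCU\Software\Classes\VirtualStore) and uses notepad.exe as the protected file.

```powershell
# Added example (not part of the course text): inspects a WRP-protected file's ACL
# and lists files/keys that UAC virtualization has redirected into the VirtualStore.
# Assumptions: standard Windows paths; notepad.exe as the protected sample file.

function Get-WrpProtectionInfo {
    param([string]$Path = "$env:windir\System32\notepad.exe")
    $acl = Get-Acl -LiteralPath $Path
    $adminRights = ($acl.Access |
        Where-Object { $_.IdentityReference -like '*\Administrators' } |
        ForEach-Object { $_.FileSystemRights }) -join ', '
    $tiRights = ($acl.Access |
        Where-Object { $_.IdentityReference -like '*TrustedInstaller' } |
        ForEach-Object { $_.FileSystemRights }) -join ', '
    [pscustomobject]@{
        Path                   = $Path
        Owner                  = $acl.Owner        # expected: NT SERVICE\TrustedInstaller
        AdministratorsRights   = $adminRights      # expected: ReadAndExecute, Synchronize
        TrustedInstallerRights = $tiRights         # expected: FullControl
    }
}

function Get-VirtualizedWrites {
    # Files written to Program Files or Windows by a non-elevated legacy app land here
    $fileStore = Join-Path $env:LOCALAPPDATA 'VirtualStore'
    $files = if (Test-Path $fileStore) {
        Get-ChildItem -Path $fileStore -Recurse -File | Select-Object FullName, Length, LastWriteTime
    } else { @() }

    # Registry writes to HKLM\Software by such apps are redirected under this key
    $regStore = 'HKCU:\Software\Classes\VirtualStore'
    $keys = if (Test-Path $regStore) {
        Get-ChildItem -Path $regStore -Recurse | Select-Object -ExpandProperty Name
    } else { @() }

    [pscustomobject]@{ Files = $files; RegistryKeys = $keys }
}

Get-WrpProtectionInfo | Format-List
$v = Get-VirtualizedWrites
"Virtualized files: $(@($v.Files).Count); virtualized registry keys: $(@($v.RegistryKeys).Count)"
$v.Files | Format-Table -AutoSize
```

A non-empty VirtualStore is a reliable sign that an application is writing to global locations and is a candidate for a shim or a vendor update rather than for a permissions change, and the TrustedInstaller ownership shows why "run the installer as administrator" does not get past WRP.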
Internet Explorer Protected Mode helps to defend against elevation-of-privilege attacks by restricting the ability to write to any local computer zone resources other than temporary Internet files. This change affects any website or web application that attempts to modify user files or registry keys, or that attempts to open a new window in another domain. Internet Explorer Protected Mode reduces the ability of an attacker to write, alter, or destroy data on the user's machine or to install malicious code. It can help protect a user from malicious code installing itself without authorization.
Internet Explorer Protected Mode may result in the following compatibility issues:
Applications that use Internet Explorer cannot write directly to the disk while in the Internet or intranet zone. Protected Mode builds on the new integrity mechanism to restrict write access to securable objects, such as processes, files, and registry keys with higher integrity levels.
When run in Protected Mode, Internet Explorer is a low-integrity process. It cannot gain write access to files and registry keys in a user's profile or system locations. Low-integrity processes can only write to folders, files, and registry keys that have been assigned a low-integrity mandatory label. As a result, Internet Explorer and its extensions run in Protected Mode, which can only write to low-integrity locations, such as the new low-integrity Temporary Internet Files folder, the History folder, the Cookies folder, the Favorites folder, and the Windows Temporary Files folders.
Applications may not know how to handle new prompts. The Protected Mode process runs with a low desktop-integrity level, which prevents it from sending specific window messages to higher-integrity processes. Additionally, Internet Explorer enables Data Execution Prevention (DEP) (NX) by default. Plug-ins that have issues with DEP may cause Internet Explorer to crash.
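The integrity mechanism described above is visible from the command line, which helps when deciding whether a compatibility problem is really a Protected Mode problem. The following added example (not part of the course text or a Microsoft script) reports the mandatory integrity level of the current session, reads whether Protected Mode is on for the Internet and Local intranet zones, and prints the mandatory label on the low-integrity Temporary Internet Files folder. It assumes the zone value name 2500 (0 = Protected Mode enabled, 3 = disabled) with a policy value under HKLM\Software\Policies overriding the user's HKCU value, and the Windows 8 path of the Low cache folder; both are labelled in the code.

```powershell
# Added example (not part of the course text): shows the mandatory integrity level of
# this session, the Protected Mode zone settings, and a Low-labelled folder.
# Assumptions: zone value 2500 semantics and the Low cache folder path on Windows 8.

function Get-CurrentIntegrityLevel {
    # whoami /groups lists the token's groups, including the "Mandatory Label\..." entry
    $rows = whoami.exe /groups /fo csv | ConvertFrom-Csv
    ($rows | Where-Object { $_.'Group Name' -like 'Mandatory Label\*' }).'Group Name'
}

function Get-IeProtectedModeStatus {
    # Zone ids: 1 = Local intranet, 3 = Internet. Value 2500: 0 = on, 3 = off (assumption).
    $zones = @{ 1 = 'Local intranet'; 3 = 'Internet' }
    foreach ($id in ($zones.Keys | Sort-Object)) {
        $candidates = @(
            "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$id",
            "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$id"
        )
        $value = $null
        foreach ($k in $candidates) {
            if (Test-Path $k) {
                $v = (Get-ItemProperty -Path $k -Name '2500' -ErrorAction SilentlyContinue).'2500'
                if ($null -ne $v) { $value = $v; break }   # first hit wins: policy before user
            }
        }
        $status = 'Not set'
        if ($value -eq 0) { $status = 'Enabled' } elseif ($value -eq 3) { $status = 'Disabled' }
        [pscustomobject]@{ Zone = $zones[$id]; ProtectedMode = $status }
    }
}

function Get-LowIntegrityLabel {
    # Windows 8 path of the low-integrity cache folder (assumption; later versions use INetCache)
    param([string]$Path = "$env:LOCALAPPDATA\Microsoft\Windows\Temporary Internet Files\Low")
    if (-not (Test-Path -LiteralPath $Path)) { return "Not found: $Path" }
    # icacls prints the label as "Mandatory Label\Low Mandatory Level:(...)"
    (icacls.exe $Path | Select-String 'Mandatory Label').Line.Trim()
}

"Current integrity level: $(Get-CurrentIntegrityLevel)"
Get-IeProtectedModeStatus | Format-Table -AutoSize
Get-LowIntegrityLabel
```

A normal desktop session reports Medium Mandatory Level and an elevated one High; Internet Explorer in Protected Mode runs at Low, which is why it can write to the folder that carries the Low label but not to the rest of the profile. If a site must write locally, the lesson's recommended fix is to place it in the Trusted sites zone rather than to disable Protected Mode for the whole Internet zone.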
64-Bit Architecture
Windows 8 fully supports the 64-bit architecture, and the 64-bit version of Windows 8 can run all 32-bit applications with the help of the WOW64 emulator. You should be aware of the following considerations for 64-bit Windows 8:
Applications or components that use 16-bit executables, 16-bit installers, or 32-bit kernel drivers will either fail to start or will function improperly on a 64-bit edition of Windows 8.
Installation of 32-bit kernel drivers will fail on the 64-bit system. If an installer manually adds a driver by editing the registry, the system will not load this driver, and this action can cause the system to fail.
Installation of 64-bit unsigned drivers will fail on the 64-bit system. If an installer adds a driver manually by editing the registry, the system will not load the driver during load time if it is unsigned.
Windows Filtering Platform (WFP) is an application program interface (API) that enables developers to create code that interacts with the filtering that occurs at several layers in the networking stack and throughout the operating system. If you are using a previous version of this API in your environment, you may experience failures when running security-class applications, such as network scanning, antivirus programs, or firewall applications.
Kernel-Mode Drivers
Kernel-mode drivers must support the Windows 8 operating system or be redesigned to follow the User-Mode Driver Framework (UMDF). UMDF is a device driver development platform that was introduced in Windows Vista. Additionally, kernel-mode printer driver support has been removed from Windows 8.
Note: For 64-bit versions of Windows 8, all drivers must be digitally signed by the vendor to be installed.
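Before migrating a machine to 64-bit Windows 8 it is worth inventorying the kernel drivers it currently loads and checking their signatures. The following added example (not part of the course text or a Microsoft script) reports the OS architecture and runs Get-AuthenticodeSignature over every driver binary listed by the Win32_SystemDriver WMI class. It assumes those WMI properties (Name, State, PathName) and that the PowerShell shipped with Windows 8 checks embedded signatures only; the caveat that follows the code matters for interpreting the result.

```powershell
# Added example (not part of the course text): reports OS architecture and checks the
# Authenticode signature of every kernel-mode driver binary the system knows about.
# Assumptions: Win32_SystemDriver properties as documented; PathName may carry a \??\ prefix.

function Get-OsArchitecture {
    (Get-WmiObject -Class Win32_OperatingSystem).OSArchitecture   # e.g. "64-bit"
}

function Get-DriverSignatureReport {
    Get-WmiObject -Class Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            $path = $_.PathName -replace '^\\\?\?\\', ''          # strip NT-style \??\ prefix
            if (Test-Path -LiteralPath $path) {
                $sig = Get-AuthenticodeSignature -FilePath $path
                $signer = ''
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
                [pscustomobject]@{
                    Driver = $_.Name
                    State  = $_.State            # Running / Stopped
                    Path   = $path
                    Status = $sig.Status         # Valid, NotSigned, HashMismatch, ...
                    Signer = $signer
                }
            }
        }
}

"OS architecture: $(Get-OsArchitecture)"
$report = @(Get-DriverSignatureReport)
$suspect = @($report | Where-Object { $_.Status -ne 'Valid' })
"Drivers checked: $($report.Count); without a valid embedded signature: $($suspect.Count)"
$suspect | Format-Table Driver, State, Status, Path -AutoSize
```

Treat the list as candidates, not verdicts: many inbox drivers are signed through a catalog file rather than an embedded signature, and Get-AuthenticodeSignature on Windows 8 reports those as NotSigned. The third-party entries in the list are the ones to confirm with the vendor or with sigverif.exe before the 64-bit migration, because those are the ones that will refuse to load.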
Test your web applications and websites for compatibility with new releases and security updates to Internet Explorer.
Mitigation Methods
Some of the more common mitigation methods include the following:
Modifying the configuration of the existing application. There can be compatibility issues that require a modification to the application configuration, such as moving files to different folders, modifying registry entries, or changing file or folder permissions.
Using tools such as the Compatibility Administrator or the Standard User Analyzer (installed with ACT). You can use these tools to detect and create application fixes, also called shims, to address the compatibility issues. Contact the software vendor for information about any additional compatibility solutions.
Applying updates or service packs to the application. Updates or service packs may be available to address many of the compatibility issues and help the application to run in the new operating system environment. After applying the update or service pack, additional application tests can ensure that the compatibility issue has been mitigated.
Upgrading the application to a compatible version. If a newer, compatible version of the application exists, the best long-term mitigation is to upgrade to the newer version. Using this approach, you must consider both the cost of the upgrade and any potential problems that may arise with having two different versions of the application.
Modifying the security configuration. If your compatibility issues appear to be permissions-related, a short-term solution is to modify the application's security configuration. Using this approach, you must be sure to conduct a full risk analysis and gain consensus from your organization's security team regarding the modifications. For example, you can mitigate Internet Explorer Protected Mode by adding the site to the trusted sites list or by turning off Protected Mode (which we do not recommend).
Running the application in a virtualized environment. If all other methods are unavailable, you may be able to run the application in an earlier version of Windows by using virtualization tools, such as Hyper-V.
Note: You can install the Hyper-V feature in Windows 8 if your computer supports the required virtualization features and these features are enabled in your computer's BIOS. For further information on running legacy applications in Hyper-V on Windows 8, see module 12 of this course.
There are several advantages of using a virtualized environment, such as the ability to support a large number of servers in a single host environment, and the ability to restore a virtualized configuration to a previous state. However, performance issues and the lack of support for hardware-specific drivers limit full production functionality for many organizations.
Using application compatibility features. You can mitigate application issues, such as operating system versioning, by running the application in compatibility mode. You can access this mode by right-clicking the shortcut or .exe file, and then applying one of the following modes from the Compatibility tab:
o Windows 95
o Windows 98 / Windows ME
o Windows XP (Service Pack 2)
o Windows XP (Service Pack 3)
o Windows Vista
o Windows Vista (Service Pack 1)
o Windows Vista (Service Pack 2)
o Windows 7
Additionally, you can run the application with reduced color mode, or with a 640 by 480 screen resolution. If you are uncertain which compatibility setting to use, you can run the compatibility troubleshooter to determine and resolve compatibility problems.
Selecting another application that performs the same business function. If another compatible application is available, consider switching to the compatible application. When using this approach, you must consider both the cost of the application and the cost of employee support and training.
Apply a program shim. A shim is a small piece of software that you add to an existing application or other program to provide an enhancement or a stability fix. In the application compatibility context, a shim is a compatibility fix: a small piece of code that intercepts API calls from the application and transforms them so that Windows 8 presents the application with the behavior it expects from an earlier Windows version. This can mean anything from disabling a new Windows 8 feature to emulating a particular behavior of an earlier version of the Win32 API set. You can use the Compatibility Administrator tool, installed with the Application Compatibility Toolkit (ACT), to create a new compatibility fix.
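The compatibility modes and shims described above are ordinary registry and database entries, which means they can be scripted and, more importantly, audited. The following PowerShell is an added example written for this page, not part of the course material: it sets and reads the per-user compatibility layer that the Compatibility tab writes, refuses to add RUNASADMIN without a deliberate override (the "modify the security configuration" case the text says needs a risk review), and lists the custom shim databases registered by sdbinst.exe. The executable path and the legacy.sdb file are hypothetical; the layer tokens (WIN7RTM, WINXPSP3, 640X480, 256COLOR, RUNASADMIN) and the AppCompatFlags registry locations are the standard ones.

```powershell
# Added example for this page (not Microsoft course code).
# Assumed/hypothetical: C:\Apps\LegacyApp\legacy.exe and C:\Apps\legacy.sdb.

$LayerKey     = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
$InstalledSdb = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB'

function Set-CompatibilityLayer {
    # Writes the same value the Compatibility tab writes: name = full exe path,
    # data = "~ TOKEN TOKEN ...". Applies to the current user only (HKCU).
    param(
        [Parameter(Mandatory)][string]$ExePath,
        [Parameter(Mandatory)][string[]]$Layers,
        [switch]$AllowRunAsAdmin
    )
    # RUNASADMIN turns a rendering tweak into a standing elevation prompt for a
    # legacy binary; the text says this needs a risk review, so make it explicit.
    if (($Layers -contains 'RUNASADMIN') -and -not $AllowRunAsAdmin) {
        throw "RUNASADMIN requested for $ExePath without -AllowRunAsAdmin"
    }
    if (-not (Test-Path $LayerKey)) { New-Item -Path $LayerKey -Force | Out-Null }
    $value = '~ ' + ($Layers -join ' ')
    New-ItemProperty -Path $LayerKey -Name $ExePath -Value $value -PropertyType String -Force | Out-Null
    return $value
}

function Get-CompatibilityLayer {
    # One object per executable that has a layer set for the current user.
    if (-not (Test-Path $LayerKey)) { return }
    $item = Get-Item -Path $LayerKey
    foreach ($name in $item.GetValueNames()) {
        $tokens = ($item.GetValue($name) -replace '^~\s*', '') -split '\s+'
        [pscustomobject]@{
            Executable  = $name
            Layers      = $tokens
            RunsAsAdmin = [bool]($tokens -contains 'RUNASADMIN')
        }
    }
}

function Remove-CompatibilityLayer {
    param([Parameter(Mandatory)][string]$ExePath)
    Remove-ItemProperty -Path $LayerKey -Name $ExePath -ErrorAction SilentlyContinue
}

function Get-InstalledShimDatabase {
    # Custom shim databases registered by sdbinst.exe. Anything listed here that
    # you did not deploy deserves a look: a shim runs inside the target process.
    if (-not (Test-Path $InstalledSdb)) { return }
    Get-ChildItem -Path $InstalledSdb | ForEach-Object {
        [pscustomobject]@{
            Id          = $_.PSChildName
            Description = $_.GetValue('DatabaseDescription')
            Path        = $_.GetValue('DatabasePath')
        }
    }
}

# Usage: emulate Windows 7 at 640x480 for a hypothetical legacy app, then audit.
Set-CompatibilityLayer -ExePath 'C:\Apps\LegacyApp\legacy.exe' -Layers 'WIN7RTM', '640X480'
Get-CompatibilityLayer | Format-Table Executable, RunsAsAdmin, @{ n = 'Layers'; e = { $_.Layers -join ' ' } }

# A fix built in Compatibility Administrator ships as an .sdb file (run elevated):
#   sdbinst.exe -q C:\Apps\legacy.sdb       # install quietly
#   sdbinst.exe -q -u C:\Apps\legacy.sdb    # uninstall
Get-InstalledShimDatabase | Format-Table -AutoSize
```

Use the HKLM Layers key instead of HKCU when the setting must apply to every user; the value format is the same. The RunsAsAdmin column is the one to watch in an audit, because a RUNASADMIN layer on a binary in a user-writable folder makes that binary a convenient target for replacement.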
Configuring Windows 8
Small business (P). Designed for organizations with no more than 50 users. Provides the foundation Office 365 services: email, calendar, website services, and the ability to create and edit Word, PowerPoint, Excel, and OneNote files online.

Midsize businesses and enterprises (E). Designed for organizations of any size that require the more advanced features of Office 365, such as:
o Advanced IT configuration and control
o Office Professional Plus
o Active Directory Domain Services (AD DS)
o Advanced archiving
o Dedicated administrator support

Note: The midsize business and enterprises plan is available in four different subscription models, each with different features and a different monthly fee.

Office 365 consists of the following online services:

Microsoft Office Professional Plus. Provides users with access to the latest versions of all the Office desktop applications. Combined with Office Web Apps, users can access their content from almost anywhere.

Microsoft Exchange Online. Provides email, calendar, and contacts. Users can connect with a variety of mobile devices, or use either Microsoft Office Outlook 2007 or Office Outlook 2010. Exchange Online also helps provide a clean message stream through the use of cloud-based anti-spam and antivirus software.

Microsoft SharePoint Online. Microsoft SharePoint Server technology is provided as an online service and enables users to share documents and information with colleagues and customers.

Microsoft Lync Online. Enables your users to connect to their contacts with instant messaging (IM), video calls, and online meetings.

Microsoft Office Web Apps. Enables users to view, share, and edit their Microsoft Office documents on the web. Users can use a wide variety of computing devices to access their content.
Note: In addition, organizations can implement Exchange Online Kiosk, Exchange Online Archiving (EOA) for Exchange Server, and Microsoft Dynamics CRM Online Professional within Office 365.
Lesson 2

Windows 8 supports a new type of application known as Metro style apps. These Metro style apps are small, light, and easily accessible. It is important that you know how to manage user access to the Windows Store, which will enable you to control the installation and use of these apps.

Metro Apps

The Windows Store is designed to enable users to access and install Metro apps. These are not like desktop applications, such as Microsoft Office 2010. Rather, they are full-screen, immersive applications that can run on a number of device types, including x86, x64, and ARM platforms.

These apps can communicate with one another, and with Windows 8, so that it is easier to search for and share information, such as photographs. When an app is installed, users see on the Start screen a live tile that constantly updates with live information from the installed app.

Locating Apps

When users connect to the Windows Store, the landing page (the initial page users see when accessing the Windows Store) is designed to make apps easy to locate. Apps are divided into Store categories, such as Games, Entertainment, Music & Videos, and others.

Users can also use the Windows 8 Search charm to search the Windows Store for specific apps. For example, if a user is interested in an app that provides video-editing capabilities, they can bring up the Search charm, type in their search text, and then click Store. The Windows Store returns suitable apps from which the user can make a selection.
Installing Apps
Installing apps is easy for users. A single tap on the appropriate app in the listing should be sufficient to install the app. The app installs in the background, so that the user can continue browsing the Windows Store. After the app is installed, a tile for the app appears on the user's Start screen.

Updating Apps

Windows 8 checks the Windows Store for updates to installed apps on a daily basis. When an update for an installed app is available, Windows updates the Store tile on the Start screen to display an indication that updates are available. When the user selects the Store tile and connects to the Windows Store, the user can choose to update one, several, or all of their installed apps for which updates are available.

Many users have multiple devices, such as both desktop and laptop computers. The Windows Store allows five installs of a single app to enable users to run the app on all of their devices. If a user attempts to install an app on a sixth device, they are prompted to remove the app from another device.

When the Windows Store is disabled, users will see a message when they attempt to access the Store tile on the Start screen. The message advises them that the Windows Store isn't available on this PC.

Note: You can use a domain-based GPO to disable the Windows Store for target computers, specific users, or groups of users.

In addition to disabling the Windows Store on a computer, you can also use AppLocker to control which apps can be installed and run.
Managing Updates

IT administrators have limited control over updates for installed apps. It is not possible for you to configure automatic updates for apps; the user must initiate all app updates manually.

Note: You can use GPO to download updates automatically, but the user must still initiate the installation process. You also cannot control which updates are available.
Enabling Sideloading
To enable sideloading, you must configure the appropriate GPO settings:
1. Open the Group Policy editor (gpedit.msc).
2. Under Local Computer Policy in the left pane, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click App Package Deployment.
3. In the results pane, double-click Allow all trusted apps to install.
4. In the Allow all trusted apps to install dialog box, click Enabled, and then click OK.
Installing LOB Apps

After you configure GPOs, you can install your apps. Apps are packaged in .appx files. To install a single app for a user, perform the following tasks:
1. At the Windows PowerShell command prompt, type import-module appx, and then press Enter.
2. To install the package, at the Windows PowerShell command prompt, type add-appxpackage C:\apps1.appx, and then press Enter.

To add a package to a Windows image by using dism.exe, open an elevated command prompt, type DISM /Online /Add-ProvisionedAppxPackage /PackagePath:C:\App1.appx /SkipLicense, and then press Enter.

Alternatively, use Windows PowerShell: at the Windows PowerShell command prompt, type Add-AppxProvisionedPackage -Online -FolderPath C:\Appx, and then press Enter. The -FolderPath parameter provisions every package in the folder; to provision a single .appx file as the DISM command does, use -PackagePath with -SkipLicense instead.
Note: Your LOB apps must be digitally signed and can be installed only on computers that trust the certification authority (CA) that issued the app's signing certificate.

If you must remove a provisioned app and prevent its installation for new users, run either of the following commands:

At the Windows PowerShell command prompt, type Remove-AppxProvisionedPackage -Online -PackageName MyAppxPkg, and then press Enter.

Or

Open an elevated command prompt, type DISM.exe /Online /Remove-ProvisionedAppxPackage /PackageName:microsoft.app1_1.0.0.0_neutral_en-us_ac4zc6fex2zjp, and then press Enter.

Removing the provisioned package does not uninstall the app from user accounts that have already installed it; for those users, run Remove-AppxPackage in their session.
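The Store policy, the sideloading policy, the signing requirement and the provisioning commands above fit together into one deployment script. The following PowerShell is an added example written for this page, not Microsoft course code: it sets the registry values behind the two GPO settings the lesson names ("Turn off the Store application" and "Allow all trusted apps to install"), checks that a package's signature chains to a CA the computer trusts before installing it, and wraps the install, provision and removal commands. The package path C:\Apps\App1.appx and the display name Contoso.App1 are hypothetical; run it from an elevated PowerShell session.

```powershell
# Added example for this page (not Microsoft course code). Run elevated.
# Assumed/hypothetical: C:\Apps\App1.appx and the display name 'Contoso.App1'.
# Registry values mirror the GPO settings the lesson describes:
#   "Turn off the Store application"    -> RemoveWindowsStore
#   "Allow all trusted apps to install" -> AllowAllTrustedApps

Import-Module Appx
Import-Module Dism

$StorePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore'
$AppxPolicy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'

function Set-StorePolicy {
    param([bool]$DisableStore, [bool]$AllowSideloading)
    foreach ($key in $StorePolicy, $AppxPolicy) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    New-ItemProperty -Path $StorePolicy -Name RemoveWindowsStore  -Value ([int]$DisableStore)     -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $AppxPolicy  -Name AllowAllTrustedApps -Value ([int]$AllowSideloading) -PropertyType DWord -Force | Out-Null
}

function Test-AppxPackageTrust {
    # A sideloaded package must chain to a root the machine trusts. Checking here
    # gives a readable reason instead of a bare HRESULT from Add-AppxPackage later.
    param([Parameter(Mandatory)][string]$PackagePath)
    $sig = Get-AuthenticodeSignature -FilePath $PackagePath
    [pscustomobject]@{
        Package = $PackagePath
        Status  = $sig.Status            # Valid | NotSigned | UnknownError (untrusted chain) | ...
        Signer  = $sig.SignerCertificate.Subject
        Trusted = ($sig.Status -eq 'Valid')
    }
}

function Install-LobApp {
    param([Parameter(Mandatory)][string]$PackagePath, [switch]$Provision)
    $trust = Test-AppxPackageTrust -PackagePath $PackagePath
    if (-not $trust.Trusted) {
        throw "Refusing $PackagePath : signature status $($trust.Status) ($($trust.Signer))"
    }
    if ($Provision) {
        # Stage in the image: every new user profile gets the app at first sign-in.
        Add-AppxProvisionedPackage -Online -PackagePath $PackagePath -SkipLicense | Out-Null
    } else {
        # Current user only; the same as the lesson's add-appxpackage command.
        Add-AppxPackage -Path $PackagePath
    }
    $trust
}

function Remove-LobApp {
    # Remove-AppxProvisionedPackage wants the full PackageName
    # (name_version_arch_resource_publisherid), so resolve it from the display name.
    param([Parameter(Mandatory)][string]$DisplayName)
    Get-AppxProvisionedPackage -Online |
        Where-Object DisplayName -eq $DisplayName |
        ForEach-Object {
            Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName | Out-Null
            $_.PackageName
        }
    # Users who already installed it keep their copy; remove it in their session:
    #   Get-AppxPackage -Name $DisplayName | Remove-AppxPackage
}

# Usage
Set-StorePolicy -DisableStore $true -AllowSideloading $true
Install-LobApp -PackagePath 'C:\Apps\App1.appx' -Provision
Get-AppxProvisionedPackage -Online | Select-Object DisplayName, PackageName, Version
Remove-LobApp -DisplayName 'Contoso.App1'
```

Test-AppxPackageTrust reports UnknownError, not NotSigned, when the package is signed but the chain ends in a root the computer does not trust; that is the failure mode the note above describes, and the fix is to distribute the issuing CA's certificate to the Trusted Root (or Trusted People) store, not to loosen the sideloading policy.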
Lesson 3

A browser is like any other application. You can either manage and secure it well, or manage it poorly. If a browser is managed poorly, you and your organization risk spending more time and money supporting users and dealing with security infiltrations, malware, and loss of productivity.

Users can browse more safely by using Internet Explorer 10, which in turn helps maintain customer trust in the Internet and helps protect the IT environment from the evolving threats that the web presents. Internet Explorer 10 specifically helps users maintain their privacy with features such as InPrivate Browsing and Tracking Protection. The SmartScreen Filter provides protection against social engineering attacks by identifying malicious websites that try to trick people into providing personal information or installing malicious software, by blocking the download of malicious software, and by providing enhanced antimalware support. Internet Explorer 10 helps prevent the browser from becoming an attack agent, and it provides more granular control over installation of ActiveX controls with per-site and per-user ActiveX features. The Cross-Site Scripting (XSS) Filter protects users from reflected cross-site scripting attacks that exploit vulnerabilities in the websites they visit.

Internet Explorer 10 provides a Compatibility View that uses an earlier Internet Explorer rendering engine to display web pages. This helps improve compatibility with applications written for earlier Internet Explorer versions.

Note: By default, Compatibility View is used for local intranet sites.
Internet Explorer 10 has a Compatibility View that helps display a web page as it is meant to be viewed. This view provides a straightforward way to fix display problems such as out-of-place menus, images, and text. The main features of Compatibility View are:

Internet websites display in Internet Explorer 10 Standards Mode by default. Use the Compatibility View button to fix sites that render differently than expected.

Internet Explorer 10 remembers sites that have been set to Compatibility View, so the button only needs to be pressed once for a site. After that, the site is always rendered in Compatibility View unless it is removed from the list.

Intranet websites display in Compatibility Mode by default. This means that internal websites created for earlier Internet Explorer versions will work.

You can use Group Policy to set a list of websites to be rendered in Compatibility View.

Switching in and out of Compatibility View occurs without requiring the user to restart the browser.

The Compatibility View button only displays if it is not clearly stated how the website is to be rendered. In other cases, such as viewing intranet sites or viewing sites with a <META> tag or HTTP header indicating Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 Standards mode, the button is hidden. When Compatibility View is activated, the page refreshes; how long this takes depends on the computer's speed. A balloon tip indicates that the site is now running in Compatibility View.

An entry on the Tools menu enables you to customize Compatibility View to meet enterprise requirements. For example, you can configure it so that all intranet sites display in Compatibility View (the default), or you can configure it so that all websites are viewed in Compatibility View.

InPrivate Browsing helps protect data and privacy by preventing browsing history, temporary Internet files, form data, cookies, usernames, and passwords from being stored or retained locally by the browser. This leaves virtually no evidence of browsing or search history, because the browsing session does not store session data.
From the enterprise and IT professional perspective, InPrivate Browsing is inherently more secure than using Delete Browsing History to maintain privacy, because no logs are kept or tracks made during browsing, rather than being written and deleted afterwards. InPrivate Browsing is a proactive feature because it enables you to control what is tracked in a browsing session. Note that it affects only what the browser stores locally; proxy, DNS, and web server logs still record the session. Some users may use InPrivate Browsing in an attempt to conceal their tracks when browsing to prohibited or nonwork websites. However, you retain full manageability: you can use Group Policy to configure how InPrivate Browsing is used in your organization, including turning it off.
Tracking Protection
Most websites today contain content from several different sites. The combination of these sites is sometimes referred to as a mashup. People begin to expect this type of integration, from something like an embedded map from a mapping site, to greater integration of ads or multimedia elements. Organizations try to offer more of these experiences because it draws potential customers to their site. This capability is making the web more robust, but it also provides an opportunity for malicious users to create and exploit vulnerabilities. Every piece of content that a browser requests from a website discloses information to that site, sometimes even if the user has blocked all cookies. Often, users are not fully aware that their web browsing activities are tracked by websites other than those they have consciously chosen to visit.
Tracking Protection monitors the frequency with which third-party content appears across the websites that the user visits. The alert or frequency threshold is configurable and is initially set to ten. Third-party content that appears with high incidence is blocked when the threshold is reached. Tracking Protection does not discriminate between different types of third-party content; it blocks content only when it appears more often than the predetermined threshold.

Note: Tracking Protection Lists provide information to the browser to enable it to implement tracking protection. Tracking lists are available worldwide from different groups. For example, the EasyList project is an open community effort that helps to filter unwanted content, and it is available as a Tracking Protection List. EasyList has had over 250,000 subscriptions to its list. You can find other lists at www.iegallery.com.
Cookies and cookie protection are one aspect of online privacy. Some organizations write scripts to clean up cookies and browsing history at the end of a browsing session. This type of environment might be needed for sensitive data, regulatory or compliance reasons, or private data in the healthcare industry.
Delete Browsing History in Internet Explorer 10 enables users and organizations to selectively delete browsing history. For example, history can be removed for all websites except those in the user's Favorites. You can switch this feature on and off in the Delete Browsing History dialog box, where it is called Preserve Favorites website data. You can configure Delete Browsing History options through Group Policy. You can also configure which sites are automatically included in Favorites. This allows you to create policies that ensure security without impacting users' daily interactions with their preferred and favorite websites. The Delete browsing history on exit check box in Internet Options deletes the browsing history automatically when Internet Explorer 10 closes.
The SmartScreen Filter relies on a web service backed by a Microsoft-hosted URL reputation database. The SmartScreen Filter's reputation-based analysis works alongside other signature-based anti-malware technologies, such as Windows Defender, to provide comprehensive protection against malicious software.

With the SmartScreen Filter enabled, Internet Explorer 10 performs a detailed examination of the entire URL string and compares it to a locally held list of sites known to distribute malware; if there is no local match, the browser checks with the web service. If the website is known to be unsafe, it is blocked, and the user is notified with a bold SmartScreen blocking page that offers clear language and guidance to help avoid known unsafe websites.

ActiveX controls are relatively straightforward to create and deploy, and provide extra functionality beyond regular web pages. Organizations cannot control the inclusion of ActiveX controls on third-party sites or how they are written. Therefore, businesses need a browser that provides flexibility in dealing with ActiveX controls, so that they are usable, highly secure, and pose as small a threat as possible.
Per-User ActiveX
Internet Explorer 10 by default employs ActiveX Opt-In, which disables most controls on a user's machine. Per-user ActiveX makes it possible for standard users to install ActiveX controls in their own user profile, without requiring administrative privileges. This helps organizations realize the full benefit of UAC, giving standard users the ability to install ActiveX controls that are necessary in their daily browsing. In most situations, if a user happens to install a malicious ActiveX control, the overall system remains unaffected because the control is installed only under the user's account; it can still act with that user's privileges, so per-user installation limits the damage rather than removing the risk. Since installations are restricted to a user profile, the cost and risk of a compromise are lowered significantly. When a web page attempts to install a control, an Information Bar is displayed to the user. Users choose to install the control machine-wide or only for their user account. The options in the ActiveX menu vary depending on the user's rights (as managed by Group Policy settings) and whether the control has been packaged to allow per-user installation. You can disable this feature in Group Policy.
Per-Site ActiveX
When a user navigates to a website containing an ActiveX control, Internet Explorer 10 performs a number of checks, including a determination of where a control is permitted to run. If a control is installed but is not permitted to run on a specific site, an Information Bar appears asking the user's permission to run it on the current website or on all websites. Use Group Policy to preset allowed controls and their related domains.
Most sites have a combination of content from local site servers and content obtained from other sites or partner organizations. XSS attacks exploit vulnerabilities in web applications, and enable an attacker to subvert the trust relationship between a user and a website or web application. Cross-site scripting can enable attacks such as:
o Cookie theft, including session cookies, which can lead to account hijacking.
o Monitoring keystrokes.
o Performing actions on the victim website on behalf of the victim user.
Because the injected script runs in the context of a legitimate website, cross-site scripting turns that site into the vehicle for the attack.

Internet Explorer 10 includes a filter that helps protect against XSS attacks. The XSS Filter has visibility into all requests and responses flowing through the browser. When the filter discovers likely XSS in a request, it identifies and neutralizes the attack if it is replayed in the server's response. This means the filter addresses reflected XSS, where the server echoes the attack payload back; it does not protect against stored or DOM-based XSS, so it complements fixing the vulnerable application rather than replacing it. The XSS Filter helps protect users from website vulnerabilities. It does not ask difficult questions that users are unable to answer, nor does it harm functionality on the website.

Internet Explorer 7 introduced a Control Panel option to enable memory protection to help mitigate online attacks: Data Execution Prevention (DEP), also known as No-Execute (NX). DEP/NX helps thwart attacks by preventing code from running in memory that is marked non-executable, such as a virus disguised as a picture or video. DEP/NX also makes it harder for attackers to exploit certain types of memory-related vulnerabilities, such as buffer overruns.

DEP/NX protection applies to both Internet Explorer and the add-ons it loads. No additional user interaction is required to activate this protection, and unlike Internet Explorer 7, this feature is enabled by default in Internet Explorer 10.

Question: What is the XSS Filter?
This demonstration shows how to configure security in Internet Explorer 10, including enabling the compatibility view, configuring browsing history, and InPrivate Browsing. The demonstration also shows the add-on management interface and how to use the Download Manager.
Download Manager lists the files you've downloaded from the Internet, shows where they're stored on the computer (C:\Users\_username_\Downloads by default), and makes it easy to pause downloads, open files, and take other actions.
Download a file
1. Navigate to http://LON-DC1 and select the Download current projects link.
2. View the current downloads.
3. Open a downloaded file.
4. Close Excel and other open windows.
Objectives
Configure security settings in Internet Explorer. Test the security settings.
Lab Setup
Estimated Time: 15 minutes

Virtual Machine(s): 20687A-LON-DC1, 20687A-LON-CL1
User Name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
o User name: Administrator
o Password: Pa$$w0rd
o Domain: Adatum
5.
In this exercise, you will implement some of the security and compatibility features in Internet Explorer 10.
Delete History, but retain Preserve Favorites website data. Remove selections for all other options.
10. Configure the Local intranet security settings to High.
11. Open the Current Projects link on the Intranet home page. This fails to load a required add-on. Close the newly opened tab.
12. Add the local intranet to the trusted sites.
13. Open the Current Projects link on the Intranet home page. This is successful.
14. Close all open windows.
15. Log off of LON-CL1.

Results: After completing this exercise, you will have successfully configured Internet Explorer's security and compatibility settings.

When you have finished the lab, leave the virtual machines running, as they are needed for the next lab.
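Steps 10 to 13 of the exercise change zone settings by hand, and the result is worth verifying on more than one machine. The following PowerShell is an added example written for this page, not part of the course lab: it scripts the zone level change and the Trusted sites mapping, reads the zone configuration back as a report, and sets the machine policy behind the "Turn off InPrivate Browsing" Group Policy setting discussed in this lesson. It writes per-user (HKCU) values, which Group Policy overrides if a domain policy already manages zones; the intranet host name lon-dc1 is the lab's, and the zone IDs and security-level constants are the standard Internet Explorer ones.

```powershell
# Added example for this page (not part of the course lab). Per-user settings;
# if Group Policy already controls zones, these HKCU values are ignored.
# Assumed: the lab intranet host is lon-dc1; zone IDs and level constants are
# the standard Internet Explorer ones.

$ZoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneMap  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$ZoneName = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$Level    = @{ Low = 0x10000; MediumLow = 0x10500; Medium = 0x11000; MediumHigh = 0x11500; High = 0x12000 }

function Set-IEZoneLevel {
    param([ValidateRange(1, 4)][int]$Zone,
          [ValidateSet('Low', 'MediumLow', 'Medium', 'MediumHigh', 'High')][string]$SecurityLevel)
    Set-ItemProperty -Path "$ZoneRoot\$Zone" -Name CurrentLevel -Value $Level[$SecurityLevel] -Type DWord
}

function Add-IEZoneSite {
    # ZoneMap\Domains\<host>, value <scheme> = zone id. Default to https: a host in
    # Trusted sites runs with fewer restrictions, and an http mapping lets anyone
    # who can spoof or intercept that host borrow the relaxed settings.
    param([Parameter(Mandatory)][string]$DnsName,
          [ValidateRange(1, 4)][int]$Zone = 2,
          [ValidateSet('http', 'https')][string]$Scheme = 'https')
    $key = Join-Path $ZoneMap $DnsName
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $Scheme -Value $Zone -PropertyType DWord -Force | Out-Null
}

function Get-IEZoneReport {
    # One row per zone with its level and the hosts explicitly mapped into it
    # (top-level Domains entries only; sub-keys for subdomains are not walked).
    $hosts = @{}
    Get-ChildItem -Path $ZoneMap -ErrorAction SilentlyContinue | ForEach-Object {
        $name = $_.PSChildName
        foreach ($scheme in $_.GetValueNames()) {
            $z = [int]$_.GetValue($scheme)
            $hosts[$z] += @("${scheme}://$name")
        }
    }
    foreach ($z in 1..4) {
        $current   = (Get-ItemProperty -Path "$ZoneRoot\$z").CurrentLevel
        $levelName = ($Level.GetEnumerator() | Where-Object Value -eq $current | Select-Object -First 1).Key
        if (-not $levelName) { $levelName = 'custom 0x{0:X}' -f $current }
        [pscustomobject]@{
            Zone  = "$z ($($ZoneName[$z]))"
            Level = $levelName
            Hosts = ($hosts[$z] -join ', ')
        }
    }
}

function Set-InPrivateBrowsingPolicy {
    # Machine policy behind "Turn off InPrivate Browsing"; 0 disables it for all users.
    param([bool]$Enabled)
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Privacy'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name EnableInPrivateBrowsing -Value ([int]$Enabled) -PropertyType DWord -Force | Out-Null
}

# Lab steps 10 and 12, scripted: raise Local intranet to High, then map the lab
# server into Trusted sites (step 13 works because Trusted sites stays at Medium).
Set-IEZoneLevel -Zone 1 -SecurityLevel High
Add-IEZoneSite -DnsName 'lon-dc1' -Zone 2 -Scheme 'http'   # the lab server is plain http
Get-IEZoneReport | Format-Table -AutoSize
```

The report makes the trade-off in step 12 visible: the add-on loads again not because Internet Explorer learned to trust it, but because the host moved from a zone at High to a zone at Medium. In production, prefer to keep the intranet zone at its default and raise only the specific setting that blocks the add-on, so that every other intranet host does not inherit the relaxed level.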
Lesson 4

The ability to control which applications a user, or set of users, can run offers significant increases in the reliability and security of enterprise desktops. Overall, an application lockdown policy can lower the total cost of computer ownership in an enterprise. AppLocker controls application execution and simplifies the ability to author an enterprise application lockdown policy. AppLocker reduces administrative overhead and helps administrators control how users access and use files, such as .exe files, scripts, Windows Installer files (.msi and .msp files), and .dll files.

What Is AppLocker?

Today's organizations face a number of challenges in controlling which applications run on client computers, including:
o The packaged and custom applications that the user can access.
o Which users are allowed to install new software.
o Which versions of applications are allowed to run, and for which users.

Users who run unauthorized software can experience a higher incidence of malware infections and generate more help desk calls. However, it can be difficult for you to ensure that user desktops are running only approved, licensed software.

Earlier Windows versions, including Windows Vista, addressed this issue with Software Restriction Policies, which administrators used to define the list of applications that users were allowed to run. AppLocker builds upon this security layer, providing you with the ability to control how users run all types of applications, such as executables (.exe files), scripts, Windows Installer files (.msi and .msp), and dynamic-link libraries (.dll).

AppLocker Benefits

You can use AppLocker to specify exactly what is allowed to run on user desktops. This allows users to run the applications, installation programs, and scripts that they require to be productive, while still providing the security, operational, and compliance benefits of application standardization. AppLocker can help organizations that want to:

Limit the number and type of files that are allowed to run by preventing unlicensed or malicious software from running, and by restricting the ActiveX controls that are installed.

Reduce the total cost of ownership by ensuring that workstations are homogeneous across the enterprise and that users are running only the software and applications that the enterprise approves.

Reduce the possibility of information leaks from unauthorized software.

Question: What are some of the applications that are good candidates for you to apply an AppLocker rule to?

AppLocker Rules

When you are dealing with users in your work environment, you can prevent many problems by controlling what applications a user can run. AppLocker lets you do just this by creating rules that specify exactly what applications a user is allowed to run; rules based on a publisher's signature remain valid across application updates. Because AppLocker is an additional Group Policy mechanism, IT professionals and system administrators need to be comfortable with Group Policy creation and deployment. This makes AppLocker ideal for organizations that currently use Group Policy to manage their Windows 8 computers or have per-user application installations. To author AppLocker rules, there is an AppLocker Microsoft Management Console (MMC) snap-in in the Group Policy Object Editor that considerably improves the process of creating AppLocker rules. There is one wizard that allows you to create a single rule, and another wizard that generates rules automatically based on your rule preferences and the folder that you select.

You can review the files analyzed, and then remove them from the list before rules are created for them. You can even receive useful statistics about how often a file has been blocked, or test AppLocker policy for a given computer.

To access AppLocker, run gpedit.msc from the Start screen. Then navigate to Computer Configuration, Windows Settings, Security Settings, and then Application Control Policies. Expand the Application Control Policies node, and highlight AppLocker.

In AppLocker you can configure Executable Rules, Windows Installer Rules, Script Rules, and, new in Windows 8, Packaged app Rules. For example, highlight the Executable Rules node and right-click to select Create New Rule. You then can create a rule that allows or denies access to an executable, based on such criteria as the file path, file hash, or publisher. AppLocker also lets you apply both default and automatically generated rules.

Many organizations implement standard user policies, which allow users to log on to their computers only as a standard user. More independent software vendors (ISVs) are creating per-user applications that do not require administrative rights to be installed and that are installed and run in the user profile folder. As a result, standard users can install many applications and circumvent the application lockdown policy. With AppLocker, you can prevent users from installing and running per-user applications by creating a set of default AppLocker rules. The default rules also ensure that the key operating system files are allowed to run for all users.
Note: Before you create new rules manually or automatically generate rules for a specific folder, you must create the default AppLocker rules. Specifically, the default executable rules allow:
o All users to run files in the Program Files folder.
o All users to run files in the Windows folder.
o Members of the built-in Administrators group to run all files.
These are path rules, so any location under the Windows folder that standard users can write to (for example, %WINDIR%\Temp) is covered by the same allow rule; add exceptions for such locations once the default rules are in place.

Perform the following steps to create the default AppLocker rules:
1. To open the Local Security Policy MMC snap-in, run secpol.msc.
2. In the console tree, double-click Application Control Policies, and then double-click AppLocker.
3. Right-click Executable Rules, and then click Create Default Rules.
By creating these rules, you also have automatically prevented all nonadministrator users from being able to run programs that are installed in their user profile directory. You can recreate the rules at any time.

Note: Without the default rules, critical system files might not run. Once you have created one or more rules in a rule collection, only applications that are affected by those rules are allowed to run. If the default rules are not created and you are blocked from performing administrative tasks, restart the computer in Safe Mode, add the default rules, delete any deny rules that are preventing access, and then refresh the computer policy.

Once you create the default rules, you can create custom application rules. To facilitate creating sets or collections of rules, AppLocker includes an Automatically Generate Rules wizard that is accessible from the Local Security Policy console. This wizard simplifies the task of creating rules from a user-specified folder. By running this wizard on reference computers, and specifying a folder that contains the .exe files for applications for which you want to create rules, you can quickly create AppLocker policies automatically. When you create a rule manually, you can choose whether it is an Allow or Deny rule. Allow rules enable applications to run, while Deny rules prevent applications from running. The Automatically Generate Rules wizard creates only Allow rules.
You can create exceptions for .exe files. For example, you can create a rule that allows all Windows processes to run except regedit.exe, and then use audit-only mode to identify files that will not be allowed to run if the policy is in effect. You can create rules automatically by running the wizard and specifying a folder that contains the .exe files for applications for which to create rules.
Note: Do not select a folder that contains one or more user profiles. Creating rules to allow .exe files in user profiles might not be secure.
Before you create the rules at the end of the wizard, review the analyzed files and view information about the rules that will be created. After the rules are created, edit them to make them more or less specific. For example, if you selected the Program Files directory as the source for automatically generating the rules and also created the default rules, there is an extra rule in the Executable Rules collection.
In the console tree under Application Control Policies\AppLocker, right-click Executable Rules, and then click Automatically Generate Rules. On the Folder and Permissions page, click Browse. In the Browse for Folder dialog box, select the folder that contains the .exe files that you want to create the rules for.
Type a name to identify the rules, and then click Next. To help sort the rules in the MMC list view, the name that you provide is used as a prefix for the name of each rule that is created. On the Rule Preferences page, click Next without changing any of the default values. The Rule generation progress dialog box is displayed while the files are processed.
On the Review Rules page, click Create. The wizard closes, and the rules are added to the Executable Rules details pane.
After automatically generating rules based on your preferences, you can edit the rules to make them more detailed.
With the advent of new heuristic identification technologies in web browsers and operating systems, more ISVs are using digital signatures to sign their applications. These signatures simplify an organization's ability to identify applications as genuine, and to create a better and more trustworthy user experience. Creating rules based on the digital signature of an application helps make it possible to build rules that survive application updates. For example, an organization can create a rule to allow all versions greater than 9.0 of a program to run if it is signed by the software publisher. In this way, when the program is updated, IT professionals can safely deploy the application update without having to build another rule.
Note: Before performing the following procedure, ensure that you have created the default rules.
Perform the following steps to allow only signed applications to run:
1. To open the Local Security Policy MMC snap-in, on the Start screen, type secpol.msc, and then press Enter.
2. In the console tree, double-click Application Control Policies, and then double-click AppLocker.
3. Right-click Executable Rules, and then click Create New Rule.
4. On the Before You Begin page, click Next.
5. On the Permissions page, click Next to accept the default settings.
6. On the Conditions page, click Next.
7. On the Publisher page, note that the default setting is to allow any signed file to run, and then click Next.
8. On the Exceptions page, click Next.
9. On the Name and Description page, accept the default name or enter a custom name and description, and then click Create.
By using this rule and ensuring that all applications are signed within your organization, you are assured that users are running only applications from known publishers. Note: This rule prevents unsigned applications from running. Before implementing this rule, ensure that all of the files that you want to run in your organization are signed digitally. If any applications are not signed, consider implementing an internal signing process to sign unsigned applications with an internal signing key.
If you created the default rules, and then selected the Program Files folder as the source to automatically generate rules, there are one or more extraneous rules in the Executable Rules collection. When you create the default rules, a path rule is added to allow any .exe file in the entire Program Files folder to run. This rule is added to ensure that users are not prevented by default from running applications. Because this rule conflicts with rules that were automatically generated, delete this rule to ensure that the policy is more specific. The name of the default rule is (Default Rule) Microsoft Windows Program Files Rule.
Perform the following steps to delete a rule:
1. Ensure that the Local Security Policy MMC snap-in is open.
2. In the console tree under Application Control Policies\AppLocker, click Executable Rules.
3. In the details pane, right-click (Default Rule) Microsoft Windows Program Files Rule, and then click Delete.
4. In the AppLocker dialog box, click Yes.
To determine if any applications are excluded from the rule set, enable the Audit only enforcement mode. Question: When testing AppLocker, you must consider carefully how you will organize rules between linked GPOs. What do you do if a GPO does not contain the default AppLocker rules?
3. Navigate to Computer Configuration, Windows Settings, Security Settings, Application Control Policies, AppLocker.
4. Create a new executable rule:
   o Permissions: Deny
   o Group: Marketing
   o Program: C:\Windows\Regedit.exe
Enforcement setting and its effect:
Not configured
    Default setting. If linked GPOs contain a different setting, that setting is used. If any rules are present in the corresponding rule collection, they are enforced.
Enforce rules
    Rules are enforced.
Audit only
    Rules are audited, but not enforced.
To view information about applications that are affected by AppLocker rules, use Event Viewer. Each event in the AppLocker operational log contains detailed information, such as the following:
Which file was affected and the path of that file
Whether the file was allowed or blocked
The rule type: Path, File Hash, or Publisher
The rule name
The security identifier (SID) for the user that is targeted in the rule
Review the entries in the log to determine if any applications were not included in the rules. The following table identifies three events to use to determine which applications are affected.
Event ID 8002
    Level: Informational
    Event Text: Access to <file name> is allowed by an administrator.
    Description: Specifies that the file is allowed by an AppLocker rule.
Event ID 8003
    Level: Warning
    Event Text: Access to <file name> is monitored by an administrator.
    Description: Applied only when in the Audit only enforcement mode. Specifies that the file will be blocked if the Enforce rules enforcement mode is enabled.
Event ID 8004
    Level: Error
    Description: Applied only when the Enforce rules enforcement mode is either directly or indirectly (through Group Policy inheritance) set. The file cannot run.
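The audit review described above, done from Windows PowerShell, as an added example that is not part of the course material: the first function previews what the effective policy would decide for the .exe files in a folder before a rule collection is switched to Enforce rules, and the second reads the 8002/8003/8004 events from the EXE and DLL log so that audited files without an Allow rule can be listed. The folder, user name and time window are assumptions.

```powershell
# Added example, not from the course. Requires the AppLocker module (Windows 8 / Windows Server 2012)
# and, for the log review, the Application Identity service to have been running while rules
# were in Audit only mode.
Import-Module AppLocker

# Preview: what would the effective policy decide for each .exe under $Folder for $User?
# Use this before switching a rule collection from Audit only to Enforce rules.
function Get-AppLockerPreview {
    param(
        [Parameter(Mandatory)] [string] $Folder,   # e.g. 'C:\Program Files' (assumption)
        [Parameter(Mandatory)] [string] $User      # e.g. 'Adatum\TestUser' (constructed name)
    )
    $policyXml = Join-Path $env:TEMP 'effective-applocker.xml'
    Get-AppLockerPolicy -Effective -Xml | Out-File -FilePath $policyXml -Encoding UTF8
    $files = Get-ChildItem -Path $Folder -Filter '*.exe' -Recurse -File |
             Select-Object -ExpandProperty FullName
    Test-AppLockerPolicy -XmlPolicy $policyXml -Path $files -User $User |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

# Meaning of the three event IDs from the table above.
$AppLockerEventMeaning = @{
    8002 = 'Allowed by rule'
    8003 = 'Audit only: would be blocked under Enforce rules'
    8004 = 'Blocked: Enforce rules in effect'
}

# Read the EXE and DLL operational log and return one object per event.
function Get-AppLockerAuditSummary {
    param([datetime] $Since = (Get-Date).AddDays(-7))   # window is an assumption
    $filter = @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id        = 8002, 8003, 8004
        StartTime = $Since
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # File path, rule name and target SID are in the event's UserData payload.
        $data = ([xml] $_.ToXml()).Event.UserData.RuleAndFileData
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Meaning = $AppLockerEventMeaning[$_.Id]
            File    = $data.FilePath
            Rule    = $data.RuleName
            UserSid = $data.TargetUser
        }
    }
}

# Files that ran during the audit period but have no Allow rule covering them: these are the
# candidates for a new rule, or for confirming that blocking them is intended.
function Get-AppLockerAuditGaps {
    Get-AppLockerAuditSummary | Where-Object EventId -eq 8003 |
        Group-Object File | Sort-Object Count -Descending |
        Select-Object @{ n = 'Attempts'; e = { $_.Count } }, @{ n = 'File'; e = { $_.Name } }
}

# Example calls (folder and user are assumptions):
# Get-AppLockerPreview -Folder 'C:\Program Files' -User 'Adatum\TestUser' |
#     Where-Object PolicyDecision -ne 'Allowed'
# Get-AppLockerAuditGaps
```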
Demonstration
This demonstration will show the different enforcement options, and how to configure the enforcement for the rule that was created in the previous demonstration. The demonstration will then verify the enforcement with gpupdate.
Review the System log for event ID 1502. This tells us that the Group Policy settings were refreshed.
Start the Application Identity service, required for AppLocker enforcement.
Attempt to run Regedit.exe from the command prompt. You are successful as the logged on user is not a member of the Marketing group.
Switch to Event Viewer, and in the Application and Services Logs > Microsoft > Windows > AppLocker, select the EXE and DLL log.
Review the entries. They indicate that an attempt was made to run Regedit.exe, which was allowed to run.
Note: AppLocker is not implemented in this prerelease version of the software.
4. Close all open windows.
Question: What is the command to update the computer's policy, and where is it run?
Holly is concerned that people in her department are spending time listening to music files. She wants a way to disable the Windows Media Player from running. You decide to implement AppLocker to prevent members of the IT group from running this program.
Objectives
Create AppLocker rules. Apply rules and test rules.
Lab Setup
For this lab, you will use the available virtual machine environment. The required virtual machines should already be running from the preceding lab.
Results: At the end of the exercise, you will have successfully created the required AppLocker rule.
In this exercise, you will confirm the executable rule, and then test it by logging on as a member of the IT group. The main tasks for this exercise are as follows:
1. Confirm the Executable Rule Enforcement.
2. Test the enforcement.
Note: AppLocker is not implemented in this prerelease version of the software. You are not prevented from running Windows Media Player.
3. Log off.
4. Log on as Adatum\Administrator with the password Pa$$w0rd.
5. Open Event Viewer.
6. Locate the Application and Services\Microsoft\Windows\AppLocker\EXE and DLL log.
Note: AppLocker is not implemented in this prerelease version of the software. Error 8008 displays indicating this fact. Usually, you would see error event ID 8004. The application was prevented from running.
7. Close all open windows, and log off.
Results: At the end of this exercise, you will have successfully verified the function of your executable AppLocker rule.
When testing AppLocker, carefully consider how you will organize rules between linked GPOs. If a GPO does not contain the default rules, then either add the rules directly to the GPO or add them to a GPO that links to it. After creating new rules, you must configure enforcement for the rule collections, and then refresh the computer's policy. By default, AppLocker rules do not allow users to open or run any files that are not specifically allowed. Administrators must maintain a current list of allowed applications.
If AppLocker rules are defined in a GPO, only those rules are applied. To ensure interoperability between Software Restriction Policies rules and AppLocker rules, define Software Restriction Policies rules and AppLocker rules in different GPOs.
When you set an AppLocker rule to Audit only, the rule is not enforced. When a user runs an application that is included in the rule, the application is opened and runs normally, and information about that application is added to the AppLocker event log.
Tools
Tool: Windows PowerShell
    Use for: Command line management tool
    Where to find it: Windows 8
Tool: DISM
    Use for: Servicing and managing Windows images
    Where to find it: Windows 8
Tool: Msiexec.exe
    Use for: Managing installations
    Where to find it: Command line
Tool: Application Compatibility Toolkit
    Use for: Inventorying and analyzing organization application compatibility
    Where to find it: Microsoft Download Center
Tool: Compatibility Administrator Tool
    Use for: Creating application fixes
    Where to find it: ACT
Tool: GPupdate
    Use for: Managing policy application
    Where to find it: Command line
Module 10
Contents:
Module Overview 10-1
Lesson 1: Optimizing the Performance of Windows 8 10-2
Lab A: Optimizing Windows 8 Performance 10-11
Lesson 2: Managing the Reliability of Windows 8 10-14
Lesson 3: Managing Windows 8 Updates 10-19
Lab B: Maintaining Windows Updates 10-26
Module Review and Takeaways 10-28
Module Overview
Users have high expectations of technology. Therefore, performance is a key issue in today's business environment, and it is important to consistently optimize and manage your system's performance.
The Windows 8 operating system includes several monitoring and configuration tools that you can use to obtain information about a computer's performance.
To maintain and optimize system performance in Windows 8, you can use these performance-management tools. You can maintain the reliability of Windows 8 with the diagnostic tools, and configure Windows Update to ensure that you have optimized computer performance consistently.
Objectives
After completing this module, you will be able to:
Describe the optimization of Windows 8 performance.
Explain how to optimize Windows 8 performance.
Describe the management of Windows 8 reliability.
Describe the management of Windows 8 updates.
Explain how to maintain Windows Updates.
Lesson 1
A computer system that performs at a low efficiency level can cause problems in the work environment, including the potential to reduce user productivity and consequently increase user frustration. Windows 8 helps you to determine the potential causes of poor performance and then to use the appropriate tools to help resolve these performance issues.
Reliability is a measure of how a system conforms to expected behavior, and a system that often deviates from the behavior that you configure or expect indicates poor reliability.
Question: What factors can influence computer-system performance?
Question: What factors may contribute to reliability issues in a computer system?
Open Disk Cleanup: Provides a calculation that displays how much free space is on the computer.
Use Advanced Tools to obtain additional performance information and a list of current performance issues. You also can view the following advanced options about the computer's performance:
Clear all Windows Experience Index scores and re-rate the system
View Performance Details in Event log
Open Performance Monitor
Open Resource Monitor
Open Task Manager
View advanced system details in System information
Adjust the appearance and performance of Windows
Open Disk Defragmenter
Generate a system health report
One of the performance tools is the Windows Experience Index (WEI). WEI lists your computer's base score, which is a measurement of the performance and overall capability of your computer's hardware. Check your computer's WEI base score from the Performance and Information Tools. The WEI indicates the capability of your computer's hardware and software configuration.
WEI benchmarks are optimized for Windows 8, so that a system will have a different WEI score than if it was running Windows 7.
WEI measures each of your computer's key components. The following table lists the information that WEI measures and rates for each component.
Component: Processor
    What is rated: Calculations per second
Component: Random Access Memory (RAM)
    What is rated: Memory operations per second
Component: Graphics
    What is rated: Desktop performance for Windows Aero desktop experience
Component: Gaming graphics
    What is rated: Three-dimensional (3-D) business and gaming graphics performance
Component: Primary hard disk
    What is rated: Disk data-transfer rate
Each hardware component receives an individual subscore. Your computer's base score is determined by the lowest subscore. For example, if the lowest subscore of an individual hardware component is 2.6, then the base score is 2.6. A greater base score generally means that a computer runs better and faster than a computer that has a lower base score, especially when it performs more advanced and resource-intensive tasks. When you know your computer's base score, you can confidently buy programs and other software that match the base score. Base scores currently range from 1 to 9.9. WEI accommodates advances in computer technology as hardware speed and performance improve. A computer that has a base score of 1 or 2 usually has sufficient performance to do most general computing tasks, such as run office-productivity applications and search the Internet. However, a computer that has this base score is generally not powerful enough to run Windows Aero, or the advanced multimedia experiences that are available with Windows 8.
A computer that has a base score of 3 can run Windows Aero and many new features of Windows 8 at a basic level. Some new Windows 8 advanced features might not have all the functionality available. For example, a computer that has a base score of 3 can display the Windows 8 theme at a resolution of 1280 x 1024, but might struggle to run the theme on multiple monitors. Or, it can play digital TV content, but might struggle to play HDTV content. A computer that has a base score of 4 or 5 can run all new Windows 8 features with full functionality, and it can support high-end, graphics-intensive experiences, such as multiplayer and three-dimensional gaming, and recording and playback of HDTV content. Computers that have a base score of 5 were the highest-performing computers available when Windows 7 was released. When you update or upgrade your computer hardware to optimize Windows 8, you must update the computer base score to check whether it has changed, too.
Note: You also can use the winsat command-line tool to update the computer base score. Windows stores the WEI reports as XML files in the C:\Windows\Performance\WinSAT\DataStore folder.
Monitoring Tool
Monitoring Tool contains the Performance Monitor, and it provides a visual display of built-in Windows performance counters, either in real time or as historical data.
The Performance Monitor includes the following features:
Multiple graph views
Custom views that you can export as data collector sets
Performance Monitor uses performance counters to measure the system's state or activity, while the OS or individual applications may include Performance Counters. Performance Monitor requests the current value of performance counters at specified time intervals. You can add performance counters to the Performance Monitor by dragging and dropping the counters or by creating a custom data collector set. Performance Monitor features multiple graph views that enable you to have a visual review of performance log data. You can create custom views in Performance Monitor that you can export as data collector sets for use with performance and logging features.
The data collector set is a custom set of performance counters, event traces, and system-configuration data.
After you create a combination of data collectors that describe useful system information, you can save them as a data collector set, and then run and view the results.
A data collector set organizes multiple data-collection points into a single, portable component. You can use a data collector set on its own, group it with other data collector sets and incorporate it into logs, or view it in the Performance Monitor. You can configure a data collector set to generate alerts when it reaches thresholds, so that third-party applications can use it. You also can configure a data collector set to run at a scheduled time, for a specific length of time, or until it reaches a predefined size. For example, you can run the data collector set for 10 minutes every hour during your working hours to create a performance baseline. You also can set the data collector to restart when set limits are reached, so that a separate file will be created for each interval.
You can use data collector sets and Performance Monitor tools to organize multiple data-collection points into a single component that you can use to review or log performance. Performance Monitor also includes default data collector set templates to help system administrators begin the process of collecting performance data that is specific to a server role or monitoring scenario.
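A scripted version of the data collector set just described, as an added example that is not part of the course material: it creates a counter collector that runs for ten minutes and rolls over to a new file at each interval, then schedules it to start every hour during working hours. The set name, output folder, counter list and times are assumptions; the name matches the lab's set only for readability.

```powershell
# Added example, not from the course. Run from an elevated PowerShell prompt on Windows 8.
# Name, output folder, counters and schedule are assumptions.
$setName = 'Adatum Baseline'
$outDir  = 'C:\PerfLogs\AdatumBaseline'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Counters to collect (the same six the lab later reads back from its report).
$counters = @(
    '\Memory\Pages/sec'
    '\Network Interface(*)\Packets/sec'
    '\PhysicalDisk(_Total)\% Disk Time'
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length'
    '\Processor(_Total)\% Processor Time'
    '\System\Processor Queue Length'
)

# Create the counter collector with logman:
#   -si   sample every 15 seconds
#   -f    binary log, readable in Performance Monitor under Reports > User Defined
#   -v    append a timestamp to each file name so interval files do not overwrite each other
#   -rf   run for 10 minutes each time the set is started
#   -cnf  close the current file and start a new one after 10 minutes (one file per interval)
logman create counter $setName -c $counters -si 00:00:15 -o "$outDir\baseline" -f bin -v mmddhhmm -rf 00:10:00 -cnf 00:10:00

# Schedule the set to start at the top of every hour between 08:00 and 18:00, so each hour
# yields one 10-minute capture (ScheduledTasks module, Windows 8 and later).
$action  = New-ScheduledTaskAction -Execute 'logman.exe' -Argument "start `"$setName`""
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date -Hour 8 -Minute 0 -Second 0) `
               -RepetitionInterval (New-TimeSpan -Hours 1) -RepetitionDuration (New-TimeSpan -Hours 10)
Register-ScheduledTask -TaskName "$setName hourly" -Action $action -Trigger $trigger -RunLevel Highest | Out-Null

logman query $setName    # confirm the counters, output path and status
```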
Reports
Use the Reports feature to view and generate reports from a set of counters that you create by using Data Collector Sets.
Resource Monitor
Use this view to monitor the use and performance of the central processing unit (CPU), disk, network, and memory resources in real time. This lets you identify and resolve resource conflicts and bottlenecks. By expanding the monitored elements, system administrators can identify which processes are using which resources. In previous Windows versions, Task Manager made this real-time, process-specific data available, but only in a limited form. Question: A shortage of which resources can cause performance problems for your computer?
Demonstration Steps
1. Log on to LON-CL1 as administrator.
2. Open Resource Monitor.
3. View the information on the Overview tab. This tab shows CPU usage, disk I/O, network usage, and memory usage information for each process. A bar above each section provides summary information.
4. View the information on the CPU tab. This tab has more detailed CPU information that you can filter, so that it is based on the process.
5. View the information on the Memory tab. This tab provides detailed information about memory usage for each process. Notice that the process that you selected previously remains selected, so that you can review multiple kinds of information about a process as you switch between tabs.
6. View the information on the Disk tab. This tab shows processes with recent disk activity.
7. View the information in the Network tab. This tab provides information about all processes with current network activity.
Question: How can you simplify monitoring the activity of a single process when it spans different tabs?
Demonstration: How to Analyze System Performance by Using Data Collector Sets and Performance Monitor
In this demonstration, you will show how to analyze system performance by using data collector sets and performance monitor.
Examine a Report
Examine a report on the collected data. Question: How can you use Performance Monitor for troubleshooting?
For example, if you suspect high consumption of your CPU processing capacity, you can view the CPU tab, and then see exactly what processes actually are executing on your machine, how many threads that they are executing, and how much CPU use is occurring. You also can view your computer's installed memory, how much the operating system can use, how much it is using currently, and how much is reserved for hardware. From the Disk view, you can view all disk input/output (I/O) and detailed information on disk activity. You can view processes with network activity in the Network view, and monitor which processes are running and consuming too much bandwidth.
Additionally, Resource Monitor enables you to investigate which product, which tool, or which application is currently running and consuming CPU, disk, network, and memory resources.
Create a Performance Baseline by Using Performance Monitor and Data Collector Sets
You can set up a Baseline in Performance Monitor to help you with the following tasks:
Evaluate your computer's workload.
Monitor system resources.
Notice changes and trends in resource use.
By using data collector sets, you can establish a baseline to use as a standard for comparison. Create a baseline when you first configure the computer, at regular intervals of typical usage, and when you make any changes to the computer's hardware or software configuration. If you have appropriate baselines, you can determine which resources are affecting your computer's performance. You can monitor your system remotely. However, use of the counters across a network connection for an extended period of time can congest network traffic. If you have disk space on the server for the performance log files, we recommend that you record performance log information locally. Performance impacts can occur because of the number of counters being sampled and the frequency with which sampling occurs. Therefore, it is important to test the number of counters and the frequency of data collection. This lets you determine the right balance between your environment's needs and the provision of useful performance information. For the initial performance baseline, however, we recommend that you use the highest number of counters possible and the highest frequency available. The following table shows the commonly used performance counters.
Counter: LogicalDisk\% Free Space
    Usage: This counter measures the percentage of free space on the selected logical disk drive. Take note if this falls below 15 percent, because you risk running out of free space for the OS to use to store critical files. One obvious solution is to add more disk space.
Counter: PhysicalDisk\% Idle Time
    Usage: This counter measures the percentage of time the disk was idle during the sample interval. If this counter falls below 20 percent, the disk system is saturated. You may consider replacing the current disk system with a faster one.
Counter: PhysicalDisk\Avg. Disk sec/Read
    Usage: This counter measures the average time, in seconds, to read data from the disk. If the number is larger than 25 milliseconds (ms), that means the disk system is experiencing latency when it is reading from the disk.
Counter: PhysicalDisk\Avg. Disk sec/Write
    Usage: This counter measures the average time, in seconds, it takes to write data to the disk. If the number is larger than 25 milliseconds (ms), the disk system experiences latency when it is writing to the disk.
Counter: PhysicalDisk\Avg. Disk Queue Length
    Usage: This counter indicates how many I/O operations are waiting for the hard drive to become available. If the value is larger than two times the number of spindles, it means that the disk itself may be the bottleneck.
Counter: Memory\Cache Bytes
    Usage: This counter indicates the amount of memory that the file-system cache is using. There may be a disk bottleneck if this value is greater than 300 megabytes (MB).
Counter: Memory\% Committed Bytes In Use
    Usage: This counter measures the ratio of Committed Bytes to the Commit Limit, or in other words, the amount of virtual memory in use. If the number is greater than 80 percent, it indicates insufficient memory.
Counter: Memory\Available MBytes
    Usage: This counter measures the amount of physical memory, in megabytes, available for running processes. If this value is less than 5 percent of the total physical random access memory (RAM), that means there is insufficient memory, and that can increase paging activity.
Counter: Memory\Free System Page Table Entries
    Usage: This counter indicates the number of page table entries not currently in use by the system. If the number is less than 5,000, there may be a memory leak.
Counter: Memory\Pool Nonpaged Bytes
    Usage: This counter measures the size, in bytes, of the nonpaged pool. This is an area of system memory for objects that cannot be written to disk, but instead must remain in physical memory as long as they are allocated. There is a possible memory leak if the value is greater than 175 MB (or 100 MB with a /3 gigabyte (GB) switch).
Counter: Memory\Pool Paged Bytes
    Usage: This counter measures the size, in bytes, of the paged pool. This is an area of system memory for objects that can be written to disk when they are not being used. There may be a memory leak if this value is greater than 250 MB (or 170 MB with the /3 GB switch).
Counter: Memory\Pages/sec
    Usage: This counter measures the rate at which pages are read from, or written to, the disk to resolve hard-page faults. If the value is greater than 1,000, as a result of excessive paging, there may be a memory leak.
Counter: Processor\% Processor Time
    Usage: This counter measures the percentage of elapsed time that the processor spends executing a non-idle thread. If the percentage is greater than 85 percent, the processor is overwhelmed, and the server may require a faster processor.
Counter: Processor\% User Time
    Usage: This counter measures the percentage of elapsed time that the processor spends in user mode. If this value is high, the server is busy with the application.
Counter: Processor\% Interrupt Time
    Usage: This counter measures the time that the processor spends receiving and servicing hardware interruptions during specific sample intervals. This counter indicates a possible hardware issue if the value is greater than 15 percent.
Counter: System\Processor Queue Length
    Usage: This counter indicates the number of threads in the processor queue. The server does not have enough processor power if the value is more than two times the number of CPUs for an extended period of time.
Counter: Network Interface\Bytes Total/sec
    Usage: This counter measures the rate at which bytes are sent and received over each network adapter, including framing characters. The network is saturated if you discover that more than 70 percent of the interface is consumed.
Counter: Network Interface\Output Queue Length
    Usage: This counter measures the length of the output packet queue, in packets. There is network saturation if the value is more than 2.
Counter: Process\Handle Count
    Usage: This counter measures the total number of handles that a process currently has open. This counter indicates a possible handle leak if the number is greater than 10,000.
Counter: Process\Thread Count
    Usage: This counter measures the number of threads currently active in a process. There may be a thread leak if this number is more than 500 between the minimum and maximum number of threads.
Counter: Process\Private Bytes
    Usage: This counter indicates the amount of memory that this process has allocated that it cannot share with other processes. If the value is greater than 250 between the minimum and maximum number of threads, there may be a memory leak.
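The thresholds in the table above turned into a check that can run over Get-Counter samples, as an added example that is not part of the course material. Counter paths and limits are the table's; the function names, the defaults marked as assumptions (spindle count, total RAM, link speed) and the constructed sample set are this example's own, and the constructed set lets the check run without collecting live counters.

```powershell
# Added example, not from the course. Thresholds follow the table above; defaults marked
# "assumption" must be set for the machine being checked.
function Get-BaselineThresholds {
    param(
        [int]    $Spindles        = 1,                                  # disks behind the volume (assumption)
        [int]    $Cpus            = [int]$env:NUMBER_OF_PROCESSORS,
        [double] $TotalRamMB      = 4096,                               # assumption; pass the real figure
        [double] $LinkBytesPerSec = 125MB                               # about 1 Gbit/s adapter (assumption)
    )
    # Path uses Get-Counter wildcards; Op is the direction that indicates a problem.
    @(
        @{ Path = '\LogicalDisk(*)\% Free Space';              Op = 'lt'; Limit = 15;                     Why = 'disk running out of space' }
        @{ Path = '\PhysicalDisk(*)\% Idle Time';              Op = 'lt'; Limit = 20;                     Why = 'disk system saturated' }
        @{ Path = '\PhysicalDisk(*)\Avg. Disk sec/Read';       Op = 'gt'; Limit = 0.025;                  Why = 'read latency' }
        @{ Path = '\PhysicalDisk(*)\Avg. Disk sec/Write';      Op = 'gt'; Limit = 0.025;                  Why = 'write latency' }
        @{ Path = '\PhysicalDisk(*)\Avg. Disk Queue Length';   Op = 'gt'; Limit = 2 * $Spindles;          Why = 'disk may be the bottleneck' }
        @{ Path = '\Memory\Cache Bytes';                       Op = 'gt'; Limit = 300MB;                  Why = 'possible disk bottleneck' }
        @{ Path = '\Memory\% Committed Bytes In Use';          Op = 'gt'; Limit = 80;                     Why = 'insufficient memory' }
        @{ Path = '\Memory\Available MBytes';                  Op = 'lt'; Limit = 0.05 * $TotalRamMB;     Why = 'insufficient memory, paging likely' }
        @{ Path = '\Memory\Free System Page Table Entries';    Op = 'lt'; Limit = 5000;                   Why = 'possible memory leak' }
        @{ Path = '\Memory\Pool Nonpaged Bytes';               Op = 'gt'; Limit = 175MB;                  Why = 'possible memory leak' }
        @{ Path = '\Memory\Pool Paged Bytes';                  Op = 'gt'; Limit = 250MB;                  Why = 'possible memory leak' }
        @{ Path = '\Memory\Pages/sec';                         Op = 'gt'; Limit = 1000;                   Why = 'excessive paging' }
        @{ Path = '\Processor(_Total)\% Processor Time';       Op = 'gt'; Limit = 85;                     Why = 'processor overwhelmed' }
        @{ Path = '\Processor(_Total)\% Interrupt Time';       Op = 'gt'; Limit = 15;                     Why = 'possible hardware issue' }
        @{ Path = '\System\Processor Queue Length';            Op = 'gt'; Limit = 2 * $Cpus;              Why = 'not enough processor power' }
        @{ Path = '\Network Interface(*)\Bytes Total/sec';     Op = 'gt'; Limit = 0.7 * $LinkBytesPerSec; Why = 'network saturated' }
        @{ Path = '\Network Interface(*)\Output Queue Length'; Op = 'gt'; Limit = 2;                      Why = 'network saturated' }
        @{ Path = '\Process(*)\Handle Count';                  Op = 'gt'; Limit = 10000;                  Why = 'possible handle leak' }
    ) | ForEach-Object { [pscustomobject] $_ }
}

# Compare one set of samples (Get-Counter's .CounterSamples, or objects with the same
# Path / InstanceName / CookedValue properties) against the thresholds; return the breaches.
function Test-BaselineSample {
    param(
        [Parameter(Mandatory)] [object[]] $Samples,
        [object[]] $Thresholds = (Get-BaselineThresholds)
    )
    foreach ($s in $Samples) {
        foreach ($t in $Thresholds) {
            # Get-Counter prefixes paths with \\COMPUTER, so match the tail; -like treats '*' as a
            # wildcard, which also covers the instance name inside '(*)'.
            if ($s.Path -notlike "*$($t.Path)") { continue }
            # _Total aggregates across instances; skip it for per-instance limits such as Handle Count.
            if ($t.Path.Contains('(*)') -and $s.InstanceName -eq '_total') { continue }
            $breach = if ($t.Op -eq 'gt') { $s.CookedValue -gt $t.Limit } else { $s.CookedValue -lt $t.Limit }
            if ($breach) {
                [pscustomobject]@{ Counter = $s.Path; Value = $s.CookedValue; Limit = $t.Limit; Why = $t.Why }
            }
        }
    }
}

# Constructed sample values (not real measurements) so the check runs without collecting counters.
$constructedSamples = @(
    [pscustomobject]@{ Path = '\\lon-cl1\logicaldisk(c:)\% free space';       InstanceName = 'c:';     CookedValue = 9.5   }
    [pscustomobject]@{ Path = '\\lon-cl1\memory\pages/sec';                   InstanceName = '';       CookedValue = 1450  }
    [pscustomobject]@{ Path = '\\lon-cl1\processor(_total)\% processor time'; InstanceName = '_total'; CookedValue = 42    }
    [pscustomobject]@{ Path = '\\lon-cl1\process(_total)\handle count';       InstanceName = '_total'; CookedValue = 48000 }
)
Test-BaselineSample -Samples $constructedSamples   # reports % Free Space and Pages/sec only

# Live use: sample every 5 seconds for one minute and check each sample set.
# Get-Counter -Counter (Get-BaselineThresholds).Path -SampleInterval 5 -MaxSamples 12 |
#     ForEach-Object { Test-BaselineSample -Samples $_.CounterSamples }
```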
Users in A. Datum are about to receive their new Windows 8 computers. You must use Performance Monitor to establish a performance monitoring baseline and measure a typical computer's responsiveness under a representative load. This will help to ensure that resources, such as RAM and CPU, are specified correctly for these computers.
Objectives
Create a performance monitoring baseline.
Introduce a load.
Measure system performance and analyze results.
Lab Setup
Estimated Time: 25 minutes
Virtual Machine(s): 20687A-LON-DC1, 20687A-LON-CL1
User Name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Adatum
5.
Start the data collector set, and then start the following programs:
   o Microsoft Office Word 2010
   o Microsoft Office Excel 2010
   o Microsoft Office PowerPoint 2010
4. Close all Microsoft Office applications, and in Performance Monitor, stop the Adatum Baseline data collector set.
In Performance Monitor, locate Reports > User Defined > Adatum Baseline. Click the report that has a name that begins with LON-CL1. Record the following values:
   o Memory Pages per second
   o Network Interface Packets per second
   o Physical Disk % Disk Time
   o Physical Disk Avg. Disk Queue Length
   o Processor % Processor Time
   o System Processor Queue Length
Results: After this exercise, you should have created a performance monitoring baseline.
The main task for this exercise is as follows: Create a load on the computer.
Results: After this exercise, you should have generated additional load on the computer.
In this exercise, you compare the results that you collected during performance monitoring with those collected earlier when you created the baseline. The main task for this exercise is as follows: Identify performance bottlenecks in the computer.
After a few minutes, close the two instances of C:\Windows\System32\cmd.exe launched by the script. Switch to Performance Monitor, and then stop the Adatum Baseline data collector set.
In Performance Monitor, locate Reports > User Defined > Adatum Baseline. Click on the second report that has a name that begins with LON-CL1. View the data as a report. Record the component details:
   a. Memory Pages per second
   b. Network Interface Packets per second
   c. Physical Disk % Disk Time
   d. Physical Disk Avg. Disk Queue Length
   e. Processor % Processor Time
   f. System Processor Queue Length
8. In your opinion, which components are the most seriously affected?
9. Close all open windows and programs, and then revert to the Start screen.
Results: After this exercise, you should have identified the computer's performance bottleneck.
When you have finished the lab, leave the virtual machines running as they are needed for the next lab.
Lesson 2
The Windows Diagnostic Infrastructure (WDI) is a set of diagnostic tools that performs the following tasks:
This lesson explores some of these tools and their capabilities.
Unreliable Memory
Mem mory problems are especially frustrating to o troubleshoo ot, because the ey frequently m manifest thems selves as application a issu ues. Failing me emory can cause application failures, opera ating-system f faults, and stop p erro ors, and it can be difficult to identify, becau use problems can be interm mittent. For exa ample, a memo ory chip p might functio on perfectly when w you test it t in a controlle ed environmen nt. However, it t can start to fa ail whe en you use it in n a hot compu uter. Faili ing memory chips return data that differs from what the e OS stored or riginally. This c can lead to seco ondary problems, such as co orrupted files. Frequently, F ad dministrators ta ake extreme st teps, such as rein nstalling applic cations or the OS, O to repair th he problem, o nly to have the failures pers sist.
Network errors frequently cause an inability to access network resources, and can be difficult to diagnose. Network interfaces that you do not configure correctly, incorrect IP addresses, hardware failures, and many other problems can affect connectivity. OS features, such as cached credentials, enable users to log on as domain users, even when a network connection is not present. This feature can make it appear as if users have logged on successfully to the domain, even when they have not. Although this feature is useful, it does add another layer to the process of troubleshooting network connections.
Diagnosing startup problems is especially difficult, because you do not have access to Windows 8 troubleshooting and monitoring tools when your computer does not start. Malfunctioning memory, incompatible or corrupted device drivers, missing or corrupted startup files, or corrupted disk data can all cause startup failures.
If the Windows Memory Diagnostics tool detects any problems with physical memory, Microsoft Online Crash Analysis automatically prompts you to run the tool.
You can decide whether to restart your computer and check for problems immediately, or to schedule the tool to run when the computer next restarts. When the computer restarts, Windows Memory Diagnostics tests the computer's memory. When this tool runs, it shows a progress bar that indicates the status of the test. It may take several minutes for the tool to finish checking your computer's memory. When the test finishes, Windows restarts again automatically, and the tool provides a clear report that details the problem. It also writes information to the event log so that it can be analyzed.
You can also run the Windows Memory Diagnostics tool manually. You have the same choices: to run the tool immediately or to schedule it to run when the computer restarts. Additionally, you can start Windows Memory Diagnostics from the installation media.
Advanced Options
To access advanced diagnostic options, press F1 while the test is running. Advanced options include the following:
- Test mix: Select what kind of test to run.
- Cache: Select the cache setting for each test.
- Pass Count: Enter the number of times that the test mix should repeat the tests.
Press the Tab key to move between the advanced options. When you finish selecting your options, press F10 to start the test.
- Connections to a Workplace Using DirectAccess: Problems with connecting to your workplace when using DirectAccess.
- Printer: Problems on printer connections.
The Windows Network Diagnostics tool runs automatically when it detects a problem. You can also decide to run the tool manually by using the Diagnose option on the Local Area Connection Status property sheet. If Windows 8 detects a problem that it can repair automatically, it will do so. If Windows 8 cannot repair the problem automatically, it directs the user to perform simple steps to resolve the problem without having to call support.
Reliability Monitor
The Reliability Monitor reviews the computer's reliability and problem history. You can use the Reliability Monitor to obtain several kinds of reports and charts that can help you identify the source of reliability issues. Access the Reliability Monitor by clicking View reliability history in the Maintenance section of the Action Center. The following topics explain the main features of the Reliability Monitor in more detail.
The System Stability Report also provides information about each event in the chart. These reports include the following events:
- Software Installs
- Software Uninstalls
- Application Failures
- Hardware Failures
- Windows Failures
- Miscellaneous Failures
The Reliability Monitor tracks key events about the system configuration, such as the installation of new applications, OS patches, and drivers. It also tracks the following events, and helps you identify the reasons for reliability issues:
- Memory problems
- Hard-disk problems
- Driver problems
- Application failures
- Operating system failures
The Reliability Monitor is a useful tool that provides a timeline of system changes, and then reports the system's reliability. You can use this timeline to determine whether a particular system change correlates with the start of system instability.
If an error occurs while an application is running, Windows Error Reporting Services prompts the user to select whether to send error information to Microsoft over the Internet. If information is available that can help the user resolve this problem, Windows displays a message to the user with a link to information about how to resolve the issue. You can use the Problem Reports and Solutions tool to track resolving information and to recheck and find new solutions. You can start the Problem Reports and Solutions tools from the Reliability Monitor. The following tools are available:
- Save reliability history
- View all problem reports
- Check for solutions to all problems
- Clear the solution and problem history
Lesson 3
To keep computers that are running Windows operating systems stable and protected, you must update them regularly with the latest security updates and fixes. Windows Update enables you to download and install important and recommended updates automatically, instead of visiting the Windows Update website. You must be aware of the configuration options that Windows Update has available, and you must be able to guide users on how to configure these options.
Windows Update downloads your computer's updates in the background while you are online. If your Internet connection is interrupted before an update downloads fully, the download process resumes when the connection becomes available.
Configure Settings
The Automatic Updates feature of Windows Update downloads and installs important updates, including security and critical performance updates. However, you have to select recommended and optional updates manually. The time of installation depends on the configuration options that you select. Most updates occur seamlessly, with the following exceptions:
- If an update requires a restart to complete installation, you can schedule it for a specific time.
- When a software update applies to a file that is in use, Windows 8 can save the application's data, close the application, update the file, and then restart the application. Windows 8 might prompt the user to accept Microsoft Software License Terms when the application restarts.
When you configure Windows Update, consider the following:
- Use the recommended settings to download and install updates automatically. The recommended settings download and install updates automatically at 03:00 daily. If the computer is turned off, the installation will be done the next time that the computer is turned on. By using the recommended settings, users do not have to search for critical updates or worry that critical fixes may be missing from their computers.
- Use Windows Server Update Services (WSUS) in a corporate environment.
- Use Microsoft System Center 2012 Configuration Manager (SCCM) for larger environments that have more than 100 systems.
We recommend that you choose to have updates installed automatically, so that Windows will install important updates as they become available.
But if you do not want updates to be installed or downloaded automatically, you can select instead to be notified when updates apply to your computer, so that you can download and install them yourself. For example, if you have a slow Internet connection or your work is interrupted because of automatic updates, you can have Windows check for updates, but download and install them yourself.
If an update has been installed that you would like to remove, then from the View Update History page, click Installed Updates. You can then view all the installed updates, and where necessary, you can right-click an update, and then click Uninstall.
Hide Updates
If the update attempts to reinstall at a later time, you can hide the update. To hide an update that you do not wish to install, from Windows Update, click the link for the available updates. Right-click the update that you do not want to install, and then click Hide update.
If you have resolved the underlying problem with the update you uninstalled, and you wish to install it, you first must unhide the update. From Windows Update, click Restore hidden updates.
If you enable this policy setting, Install Updates and Shut Down will not appear as a choice in the Shut Down Windows dialog box, even if updates are available for installation when the user selects the Shut Down option in the Start menu.
If you disable or do not configure this policy setting, the Install Updates and Shut Down option will be available in the Shut Down Windows dialog box if updates are available when the user selects the Shut Down option in the Start menu.
Do not adjust the default option to Install Updates and Shut Down in the Shut Down Windows dialog box
You can use this policy setting to manage whether the Install Updates and Shut Down option is allowed to be the default choice in the Shut Down Windows dialog.
If you enable this policy setting, the user's last shut-down choice (Hibernate, Restart, etc.) is the default option in the Shut Down Windows dialog box, regardless of whether the Install Updates and Shut Down option is available in the What do you want the computer to do? list.
If you disable or do not configure this policy setting, the Install Updates and Shut Down option will be the default option in the Shut Down Windows dialog box, if updates are available for installation when the user selects the Shut Down option in the Start menu.
Enabling Windows Update Power Management to automatically wake up the system to install scheduled updates
This policy specifies whether Windows Update will use the Windows Power Management features to wake up your system automatically from hibernation if updates need to be installed. Windows Update will wake up your system automatically only if you configure Windows Update to install updates automatically. If the system is in hibernation when the scheduled install time occurs, and there are updates to be applied, then Windows Update will use the Windows Power Management features to wake the system automatically to install the updates.
The system will not wake unless there are updates to be installed. If the system is on battery power, when Windows Update wakes it up, it will not install updates, and the system will automatically return to hibernation in two minutes.
Configure Automatic Updates
This setting specifies whether the computer will receive security updates and other important downloads through the Windows automatic updating service. This setting lets you specify if automatic updates are enabled on your computer. If the service is enabled, you must select one of the four options in the Group Policy setting:
- 2 = Notify before downloading any updates and notify again before installing them. When Windows finds updates that apply to your computer, an icon appears in the status area, with a message that updates are ready to be downloaded. Clicking the icon or message provides the option to select the specific updates that you want to download. Windows then downloads your selected updates in the background. When the download is complete, the icon appears in the status area again, with notification that the updates are ready to be installed. Clicking the icon or message provides the option to select which updates to install.
- 3 = (Default setting) Download the updates automatically and notify when they are ready to be installed. Windows finds updates that apply to your computer, and then downloads these updates in the background, so that the user is not notified or interrupted during this process. When the download is complete, the icon appears in the status area, with notification that the updates are ready to be installed. Clicking the icon or message provides the option to select which updates to install.
- 4 = Automatically download updates and install them on the schedule specified below. Specify the schedule using the options in the Group Policy setting. If no schedule is specified, the default schedule for all installations will be every day at 03:00. If any of the updates require a restart to complete the installation, Windows will restart the computer automatically. If a user is logged on to the computer when Windows is ready to restart, the user will be notified and given the option to delay the restart.
- 5 = Allow local administrators to select the configuration mode that Automatic Updates must notify and install updates. With this option, the local administrators will be allowed to use the Automatic Updates control panel to select a configuration option. For example, they can choose their own scheduled installation time. Local administrators will not be allowed to disable Automatic Updates configuration.
To use the Configure Automatic Updates setting, click Enabled, and then select one of the options (2, 3, 4, or 5). If you select 4, you can set a recurring schedule. If you do not specify a schedule, all installations will occur every day at 03:00. If the status is set to Enabled, Windows recognizes when the computer is online, and then uses its Internet connection to search Windows Update for updates that apply to your computer.
If the status is set to Disabled, you must manually download and install any updates that are available on Windows Update.
If the status is set to Not Configured, use of Automatic Updates is not specified at the Group Policy level. However, an administrator can still configure Automatic Updates through Control Panel.
Specify intranet Microsoft update service location
This setting specifies an intranet server to host updates from Microsoft Update. You can then use this update service to update your network's computers automatically. This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network.
To use this setting, you must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. If the status is set to Enabled, the Automatic Updates client connects to the specified intranet Microsoft update service, instead of Windows Update, to search for and download updates. Enabling this setting means that end users in your organization do not have to go through a firewall to get updates, and it gives you the opportunity to test updates before deploying them.
If the status is set to Disabled or Not Configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet.
Automatic Updates detection frequency
This policy specifies the hours that Windows will use to determine how long to wait before checking for available updates. The exact wait time is determined by using the hours that you specify in this policy, minus zero to twenty percent of the hours specified. For example, if this policy is used to specify a 20-hour detection frequency, then all clients to which this policy is applied will check for updates anywhere between 16 and 20 hours. If the status is set to Enabled, Windows will check for available updates at the specified interval.
If the status is set to Disabled or Not Configured, Windows will check for available updates at the default interval of 22 hours.
Allow non-administrators to receive update notifications
This policy setting allows you to control whether non-administrative users will receive update notifications based on the Configure Automatic Updates policy setting.
If you enable this policy setting, Windows Automatic Update and Microsoft Update will include non-administrators during the process of determining which logged-on user will receive update notifications.
Non-administrative users will be able to install all optional, recommended, and important content for which they received a notification. Users will not see a User Account Control window and do not need elevated permissions to install these updates, except in the case of updates that contain User Interface, End User License Agreement, or Windows Update setting changes. If you disable or do not configure this policy setting, then only administrative users will receive update notifications. By default, this policy setting is disabled.
If the Configure Automatic Updates policy setting is disabled or is not configured, then the Elevate Non-Admin policy setting has no effect.
Turn on Software Notifications
This policy setting allows you to control whether users can view detailed enhanced notification messages about featured software from the Microsoft Update service.
Enhanced notification messages convey the value of optional software, and promote its installation and use. This policy setting is intended for use in loosely managed environments in which you allow the end user access to the Microsoft Update service. If you enable this policy setting, a notification message will appear on the user's computer when featured software is available. The user can click the notification to open the Windows Update Application and get more information about the software, or install it. The user also can click Close this message or Show me later to defer the notification as appropriate. In Windows 8, this policy setting will only control detailed notifications for optional applications.
If you disable or do not configure this policy setting, Windows 8 users will not be offered detailed notification messages for optional applications. By default, this policy setting is disabled. If you are not using the Microsoft Update service, then the Software Notifications policy setting has no effect. If the Configure Automatic Updates policy setting is disabled or is not configured, then the Software Notifications policy setting has no effect.
Let the service shut down when it is idle
This setting controls how many minutes the Windows Update service will wait before shutting down when there are no scans, downloads, or installs in progress. If configured to zero, the service will run always.
Allow Automatic Updates immediate installation
This setting specifies whether Automatic Updates will automatically install certain updates that neither interrupt Windows services, nor restart Windows. If the status is set to Enabled, Automatic Updates will immediately install these updates once they are downloaded and ready to install. If the status is set to Disabled, such updates will not be installed immediately. If the Configure Automatic Updates policy is disabled, this policy has no effect.
Turn on recommended updates via Automatic Updates
This setting specifies whether Automatic Updates will deliver both important and recommended updates from the Windows Update service. When this policy is enabled, Automatic Updates will install recommended and important updates from Windows Update. When disabled or not configured, Automatic Updates will continue to deliver important updates if it is already configured to do so.
No auto-restart with logged on users for Scheduled automatic updates installations
This setting specifies that to complete a scheduled installation, Automatic Updates will wait for the computer to be restarted by any user who is logged on, instead of causing the computer to restart automatically.
If the status is set to Enabled, Automatic Updates will not restart a computer automatically during a scheduled installation, if a user is logged in to the computer. Instead, Automatic Updates will notify the user to restart the computer.
Re-prompt for restart with scheduled installations
This setting specifies the amount of time for Automatic Updates to wait before prompting the user again to restart and complete the update process.
If the status is set to Enabled, a scheduled restart will occur in the specified number of minutes after the previous prompt for restart was postponed. If the status is set to Disabled or Not Configured, the default interval is 10 minutes.
This setting specifies the amount of time for Automatic Updates to wait before proceeding with a scheduled restart.
If the status is set to Enabled, a scheduled restart will occur the specified number of minutes after the installation is finished. If the status is set to Disabled or Not Configured, the default wait time is 15 minutes.
Reschedule Automatic Updates scheduled installations
This setting specifies the amount of time for Automatic Updates to wait, following system startup, before proceeding with a scheduled installation that was missed previously.
If the status is set to Enabled, a scheduled installation that did not take place earlier will occur the specified number of minutes after the computer is next started. If the status is set to Disabled, a missed scheduled installation will occur with the next scheduled installation.
If the status is set to Not Configured, a missed scheduled installation will occur one minute after the computer is next started.
Enable client-side targeting
This setting specifies the target group name or names that will be used to receive updates from an intranet Microsoft update service.
If the status is set to Enabled, the specified target group information is sent to the Microsoft update service, an intranet that uses this information to determine which updates must be deployed to the computer. If the intranet Microsoft update service supports multiple target groups, this policy can specify multiple group names separated by semicolons. Otherwise, you must specify a single group.
If the status is set to Disabled or Not Configured, no target group information will be sent to the intranet Microsoft update service.
Allow signed updates from an intranet Microsoft update service location
This policy setting allows you to manage whether Automatic Updates accepts updates signed by entities other than Microsoft, when the update is found on an intranet Microsoft update service location.
If you enable this policy setting, Automatic Updates accepts updates received through an intranet Microsoft update service location, if the updates are signed by a certificate found in the Trusted Publishers certificate store of the local computer. If you disable or do not configure this policy setting, updates from an intranet Microsoft update service location must be signed by Microsoft.
Note: This setting is sometimes used on a critical system that cannot be restarted or changed without first being scheduled. If you enable this setting, you must implement another method of update delivery to ensure that these systems are kept up to date.
Question: What is the benefit of configuring Windows Update by using Group Policy rather than by using Control Panel?
When A. Datum received the first shipment of Windows 8 computers, Holly disabled automatic updates because she was concerned that they would cause problems with a custom application on these systems.
After extensive testing, you have determined that it is extremely unlikely that automatic updates will cause a problem with this application.
Objectives
Configure the local Windows Update settings.
Lab Setup
Estimated Time: 20 minutes
Virtual Machine(s): 20687A-LON-DC1, 20687A-LON-CL1
User Name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. The required virtual machines should already be running from the preceding lab.
You have to confirm that automatic updates are disabled for your Windows 8 computers, and then enable automatic updates by implementing a Group Policy. The main tasks for this exercise are as follows:
1. Verify that automatic updates are disabled.
2. Enable automatic updates in Group Policy.
3. Verify that the automatic updates setting from the GPO is being applied.
Task 3: Verify that the automatic updates setting from the GPO is being applied
1. On LON-CL1, run gpupdate /force to update the Group Policy settings.
2. Open Windows Update, and verify that the new settings have been applied.
Results: After this exercise, you should have configured Windows Update settings by using GPOs.
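The following PowerShell script, added here and not part of the course, reads the registry values that the Windows Update Group Policy settings described in Lesson 3 write under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, decodes them into the option numbers and meanings the lesson uses, and calls out the settings with a security effect (the intranet update server URL, acceptance of non-Microsoft signatures, and non-administrator installs). The value names are the ones Group Policy uses for these settings, not listed in the course text; run it on LON-CL1 after gpupdate /force to confirm Task 3.

```powershell
# Added example, not part of the 20687A course: read the registry values that
# the Windows Update Group Policy settings write under
# HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate and decode them into
# the option numbers used in the lesson. Run on LON-CL1 after gpupdate /force.

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    # A missing key or value means the policy is Not Configured.
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return $props.$Name
}

function Get-AuOptionText([int]$Option) {
    switch ($Option) {
        2 { 'Notify before downloading and again before installing' }
        3 { 'Download automatically, notify when ready to install (default)' }
        4 { 'Download automatically and install on the schedule' }
        5 { 'Local administrators choose the mode (but cannot disable it)' }
        default { "Unknown value $Option" }
    }
}

function Get-WindowsUpdatePolicyReport {
    $lines = @()

    # Configure Automatic Updates: NoAutoUpdate=1 is Disabled, AUOptions carries 2-5.
    $noAuto = Get-PolicyValue $auKey 'NoAutoUpdate'
    $auOpt  = Get-PolicyValue $auKey 'AUOptions'
    if ($noAuto -eq 1) {
        $lines += 'Automatic Updates: Disabled by policy; updates must be installed manually'
    } elseif ($null -eq $auOpt) {
        $lines += 'Automatic Updates: Not Configured by policy; the Control Panel setting applies'
    } else {
        $lines += "Automatic Updates: option $auOpt = $(Get-AuOptionText $auOpt)"
        if ($auOpt -eq 4) {
            $day  = Get-PolicyValue $auKey 'ScheduledInstallDay'   # 0 = every day, 1 = Sunday .. 7 = Saturday
            $hour = Get-PolicyValue $auKey 'ScheduledInstallTime'  # 0-23; unset means the 03:00 default
            if ($null -eq $hour) { $hour = 3 }
            $dayText = if (-not $day) { 'every day' } else { [System.DayOfWeek]($day - 1) }
            $lines += "  Scheduled installation: $dayText at $('{0:00}:00' -f $hour)"
        }
    }

    # Specify intranet Microsoft update service location (WSUS).
    if ((Get-PolicyValue $auKey 'UseWUServer') -eq 1) {
        $server = Get-PolicyValue $wuKey 'WUServer'
        $stats  = Get-PolicyValue $wuKey 'WUStatusServer'
        $lines += "Intranet update service: detect from $server, report statistics to $stats"
        if ($server -notmatch '^https://') {
            $lines += '  Caveat: the update service URL is HTTP; prefer HTTPS so the client can authenticate the server'
        }
        if ((Get-PolicyValue $wuKey 'TargetGroupEnabled') -eq 1) {
            $lines += "  Client-side targeting group(s): $(Get-PolicyValue $wuKey 'TargetGroup')"
        }
    } else {
        $lines += 'Intranet update service: not used; the client connects to Windows Update directly'
    }

    # Automatic Updates detection frequency: the real wait is the value minus 0-20 %.
    $freq = Get-PolicyValue $auKey 'DetectionFrequency'
    if ((Get-PolicyValue $auKey 'DetectionFrequencyEnabled') -eq 1 -and $freq) {
        $lines += ('Detection frequency: {0} h; clients check somewhere between {1} and {0} h' -f $freq, ($freq * 0.8))
    } else {
        $lines += 'Detection frequency: default 22 h'
    }

    # Allow signed updates from an intranet Microsoft update service location.
    if ((Get-PolicyValue $wuKey 'AcceptTrustedPublisherCerts') -eq 1) {
        $lines += 'Third-party signed updates: ACCEPTED from the intranet service; audit the Trusted Publishers store'
    } else {
        $lines += 'Third-party signed updates: not accepted; updates must be signed by Microsoft'
    }

    # Allow non-administrators to receive update notifications.
    if ((Get-PolicyValue $wuKey 'ElevateNonAdmins') -eq 1) {
        $lines += 'Non-administrators: receive notifications and can install updates without a UAC prompt'
    }

    return $lines
}

Get-WindowsUpdatePolicyReport
```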
Tools
Tool | Use for | Where to find it
Performance Information and Tools | List information for speed and performance | Control Panel
Performance Monitor | Multiple graph views of performance | Administrative Tools
Resource Monitor | Monitor use and performance for CPU, disk, network, and memory | Advanced tools in Performance Information and Tools
| Measure the computer's key components | Performance Information and Tools
| Performance monitoring | Performance Monitor
| Performance counters, event traces, and system configuration data | Performance Monitor
| Check your computer for memory problems |
| Troubleshoot network problems |
Module 11
Configuring Mobile Computing and Remote Access
Contents:
Module Overview
Lesson 1: Configuring Mobile Computers and Device Settings
Lab A: Configuring a Power Plan
Lesson 2: Configuring VPN Access
Lab B: Implementing a VPN Connection
Lesson 3: Configuring Remote Desktop and Remote Assistance
Lab C: Implementing Remote Desktop
Lesson 4: Overview of DirectAccess
Module Review and Takeaways
Module Overview
Mobile computers are available in many types and configurations. This module helps you identify and configure the appropriate mobile computer for your needs. It describes mobile devices, and how to synchronize them with a computer that is running the Windows 8 operating system. Additionally, this module describes various power options that you can configure in Windows 8.
Windows 8 helps end users become more productive, regardless of their location, or that of the data they need. For those users who want to use VPNs to connect to enterprise resources, the new features in the Windows 8 environment and in Windows Server 2012 create a seamless experience, because with VPN Reconnect, users do not need to log on to the VPN if the connection is lost temporarily. With DirectAccess, available in Windows 8 Enterprise, mobile users can access enterprise resources when they are out of the office. To improve connectivity for remote users, IT professionals can administer updates and patches remotely.
Objectives
After completing this module, you will be able to:
- Describe the configuration of mobile computers and device settings.
- Explain how to configure a power plan.
- Explain how to configure virtual private network (VPN) access.
- Explain how to implement a VPN connection.
- Explain how to configure Remote Desktop and Remote Assistance.
- Explain how to implement Remote Desktop.
- Provide an overview of DirectAccess.
Lesson 1
This lesson defines common terminology for mobile computing, and provides an overview of the related configuration settings that you can modify in Windows 8. Additionally, it provides guidelines for applying these configuration settings to computers that are running Windows 8.
People often use the terms laptop and notebook interchangeably. However, the term notebook computer refers to a computer that is lighter or smaller than a laptop. A laptop computer is a portable computer that contains an integrated screen, a battery, a keyboard, and a pointing device. A laptop computer may also contain a CD-ROM or DVD-ROM drive. Many organizations are issuing laptop computers to their employees rather than desktop computers, so that they can work remotely. Hardware manufacturers are responding to this demand by producing laptops with specifications that are equivalent to, or better than, many desktop computers.
Tablet PCs
The tablet PC is a fully functional laptop computer, with a sensitive screen designed to interact with a complementary pen-shaped stylus. Tablet PC screens turn and fold onto the keyboard, and you can use the stylus directly on the screen just as you use a mouse to select, drag, and open files. You also can use the stylus in place of a keyboard to hand-write notes and communications. Unlike a touch screen, the tablet PC screen only receives information from the stylus. It will not take information from your finger or your shirtsleeve. Therefore, you can rest your wrist on the screen, and write naturally. The tablet PC uses a digitizer device that interprets the movements of the stylus, and converts those into mouse or cursor movements. Many organizations are replacing traditional clipboards, jotters, and other forms of paper and pen input with the several applications that are now available for the tablet PC. For example, the Writing Tools option in Microsoft Office OneNote 2010 lets you use any pointing device, such as a drawing pad stylus or a tablet PC pen, to add handwritten text or freehand drawings to your notes. The Windows 8 operating system provides a user interface that is optimized for devices that support a touch screen.
Netbook Computers
A typical netbook computer features a 7-inch diagonal display, weighs around 2 pounds or 1 kilogram (kg), has an integrated touch panel, and has both Wi-Fi and Bluetooth enabled. A netbook computer is approximately the size and shape of a paperback book. Manufacturers build specialized components for ultramobile computers, such as the ultra-low-voltage processors from Intel, which help to optimize battery life and minimize cooling requirements. Netbook computers are typically equipped with 1 gigabyte (GB) of random access memory (RAM), and often a solid-state hard disk drive. These netbook computers offer significant improvements in power consumption versus more-traditional laptops, and provide the necessary applications that mobile users require.
Ultrabook Computers
These thin, lightweight laptop computers provide more power and larger displays than netbooks, which enables users to perform multiple tasks with their computers. Typically, they weigh the same as a netbook, but are equipped with 4 gigabytes (GB) of random access memory (RAM), and high-speed Intel mobile processors. Display sizes are 13.3 inches diagonally.
Mobile Devices
You must be able to assist users with connecting their mobile devices to computers running Windows 8. A mobile device is a computing device optimized for specific mobile computing tasks. Mobile devices typically synchronize with desktop or mobile computers to obtain data. The following types of mobile devices are available:
- PDAs
- Windows Phone devices
- Portable media players
- Mobile phones
PDAs
A PDA is a handheld device that can range in functionality from a simple personal organizer to a full-function mobile computer. You usually use a stylus and touch screen to input information in a PDA, although you can also use a keyboard on some devices.
Windows Phone devices are smartphones that feature an operating system with the familiar Windows user interface, and applications that are part of the Microsoft Windows 8 operating system and Microsoft Office. Windows Phone devices also include Windows Media Player, and typically feature mobile phone, Bluetooth, wireless broadband, and Wi-Fi capability. Although you can sometimes use a keyboard on these devices, they typically are touch-screen devices, which means you can use your finger to navigate the operating system and to use applications. Additionally, the Windows Phone operating system supports voice commands.
Note: Bluetooth is a wireless communications protocol that uses shortwave radio signals to replace cables and still enable compatible devices to communicate with each other. Bluetooth uses a low-powered radio signal in the unlicensed 2.4 gigahertz (GHz) to 2.485 GHz spectrum, also known as the Industrial, Scientific, and Medical (ISM) band. Bluetooth employs a technology called Adaptive Frequency Hopping, which helps devices switch frequencies within the ISM band. Bluetooth enables compatible devices to switch frequencies up to 1,600 times a second within the ISM band, to maintain optimal connectivity.
A portable media player is a small, battery-powered device containing either flash memory or a hard-disk drive on which you can play digital media files. Some of these devices have a screen. The computer that is running Windows copies the media to the device, which means that you can use media stored on your own CD and DVD collection, or buy and download media from numerous online media services.
Mobile Phone
A mobile phone, also known as a cellular phone, is a portable telephone that uses a form of radio connectivity. Many mobile phones now have some PDA and media player functionality. You typically use a numerical keypad as the input for this device type.
Power Management
Windows 8 power management includes a simple-to-find battery meter that tells you at a glance how much battery life is remaining and what current power plan you are using. Use the battery meter to access and change the power plan to meet your needs. For example, you might want to conserve power by limiting the central processing unit (CPU) or configure when your hard drive will turn off so that you can conserve battery power. Power plans let you adjust your computer's performance and power consumption. To access Power Plans in Windows 8, from Desktop, right-click the Battery Icon in the Taskbar and select Power Options. You can also choose the Battery Status in the Windows Mobility Center.
Computer manufacturers can customize the Windows Mobility Center to include other hardware-specific settings, such as Bluetooth or auxiliary displays. To access the Windows Mobility Center, in Control Panel, in the Hardware and Sound category, choose Adjust commonly used mobility settings.
Sync Center
The Windows 8 Sync Center provides a single interface from which you can manage data synchronization in several scenarios: between multiple computers, between corporate network servers and computers, and with devices that you connect to the computer, such as a PDA, a mobile phone, and a music player. Because different devices synchronize by using different procedures, depending on the data source, there was no easy way to manage all of the individual sync relationships in earlier Windows versions. The Sync Center enables you to initiate a manual synchronization, stop in-progress synchronizations, see the status of current synchronization activities, and receive notifications to resolve sync conflicts. A sync partnership is a set of rules that tells the Sync Center how and when to synchronize files or other information between two or more locations. A sync partnership typically controls how files are synchronized between your computer and mobile devices, network servers, or compatible programs.
For example, you might create a sync partnership that instructs the Sync Center to copy every new file in the My Documents folder to a universal serial bus (USB) hard disk each time that you plug the device into the computer. You might create a more complex sync partnership to keep a wide variety of files, folders, and other information synchronized between the computer and a network server. Access the Sync Center by choosing Sync Center from the Windows Mobility Center screen.
Windows Mobile Device Center is a data synchronization program that you can use with mobile devices. It provides users of Microsoft Windows a way to transport documents, calendars, contact lists, and email between their desktop computer and a mobile device that supports the Microsoft Exchange ActiveSync protocol.
Windows Mobile Device Center provides overall device management features for Windows Mobile-based devices in Windows 8, including smartphones. To access the Windows Mobile Device Center, go to the Control Panel.
Mobile users often have to reconfigure their computer settings for meetings or conference presentations, such as changing the screen-saver timeouts or desktop wallpaper. To improve the end-user experience and avoid this inconvenience, Windows 8 includes a group of presentation settings that you can apply when you are connecting to a display device. To access the Presentation Settings, choose Presentation Settings in the Windows Mobility Center in Control Panel. When you finish the presentation, return to the previous settings by clicking the notification area icon.
Question: Aside from USB, how can you establish a connection for synchronizing a Windows Phone device?
Creating a sync partnership with a portable media player is straightforward. The following steps describe how to connect a portable media player to a computer that is running Windows 8, create a sync partnership, and synchronize media to the device:
1. Connect the device to a computer running Windows 8, and open Sync Center. Windows 8 includes drivers for many common devices, but you can also obtain drivers from the CD that came with the device or from Microsoft Windows Update.
2. Set up a sync partnership by clicking Set up for a media device Sync Partnership. This opens Windows Media Player.
3. Select some media files or a playlist to synchronize to the device. To select media, simply drag it onto the Sync dialog box on the right side of Windows Media Player.
4. Click Start Sync. When your chosen media has transferred to the device, disconnect the device from the computer, and close Windows Media Player.
Windows Mobile Device Center is a data synchronization program for use with mobile devices. It provides users of Microsoft Windows a way to transport documents, calendars, contact lists, and email between their desktop computer and a mobile device that supports the Exchange ActiveSync protocol. Windows Mobile Device Center provides overall device management features for Windows Phone-based devices in Windows 8.
The default options of Windows Mobile Device Center include only core device connectivity components. These components enable the operating system to identify that a Windows Phone-based device is connected, and then load the appropriate device drivers and services. The Windows Mobile Device Center base application enables some basic functionality, including the ability to browse the device's contents, use desktop pass-through to synchronize with Microsoft Exchange Server, and change some general computer and connection settings.
By using the CPU speed option, you can lower the speed of the computer processor, thereby reducing its power consumption. Screen brightness requires power, and lowering the brightness reduces power usage.
Power Plans
In Windows 8, power plans help you maximize computer and battery performance. With power plans, you can change a variety of system settings to optimize power or battery usage with a single click, depending on the scenario. There are three default power plans:
Power saver: This plan saves power on a mobile computer by reducing system performance. Its primary purpose is to maximize battery life.
High performance: This plan provides the highest level of performance on a mobile computer, by adapting processor speed to your work or activity, and by maximizing system performance.
Balanced: This plan balances energy consumption and system performance by adapting the computer's processor speed to your activity.
The balanced plan provides the best balance between power and performance. The power saver plan reduces power usage by lowering the performance. The high performance plan consumes more power by increasing system performance. Each plan provides alternate settings for AC or DC power.
You can customize or create additional power plans by using Power Options in Control Panel. Some hardware manufacturers supply additional power plans and power options. When you create additional power plans, be aware that the more power the computer consumes, the less time it runs on a single battery charge. By using Power Options, you can configure settings such as Choose what closing the lid does. In addition to considering power usage and performance, as a Windows 8 Technology Specialist, you also must consider the following three options for turning a computer on and off:
Shut down
Hibernate
Sleep
Shut Down
When you shut down the computer, Windows 8 does the following:
Saves all open files to the hard disk.
Saves the memory contents to the hard disk or discards them as appropriate.
Clears the page file.
Closes all open applications.
Windows 8 then logs out the active user, and turns off the computer.
Hibernate
When you put the computer in Hibernate mode, Windows 8 saves the system state, along with the system memory contents to a file on the hard disk, and then shuts down the computer. This state requires no power, because the hard disk is storing the data. Windows 8 supports hibernation at the operating system level without any additional drivers from the hardware manufacturer. The hibernation data is stored on a hidden system file called Hiberfil.sys. This file is the same size as the physical memory contained in the computer and is typically located in the root of the system drive.
Sleep
Sleep is a power-saving state that saves work and open programs to memory. This provides fast resume capability, typically within several seconds. Sleep does consume a small amount of power.
Windows 8 automatically goes into Sleep mode when you press the power button on the computer. If the battery power of the computer is low, Windows 8 puts the computer in Hibernate mode.
Alternatively, you can enable hybrid sleep. With hybrid sleep, data is saved to hard disk and to memory. If a power failure occurs on a computer when it is in a hybrid sleep state, data is not lost. Use hybrid sleep as an alternative to hibernation. Hybrid sleep uses the same Hiberfil.sys hidden system file as hibernation.
Objectives
Create a new power plan.
Configure basic and advanced power plan settings.
Lab Setup
Estimated Time: 15 minutes
Virtual Machine(s): 20687A-LON-DC1, 20687A-LON-CL1
User Name: Adatum\Adam
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect.
4. Wait until the virtual machine starts.
5. Log on using the following credentials:
User name: Administrator
Password: Pa$$w0rd
Domain: Adatum
Adam wants to ensure that his computer's battery lasts as long as possible between charges while he is on his trip. He does not want to impose on his customers by asking to plug his computer into an electrical socket at their offices, and would rather charge his laptop in the evenings at his hotel. The main tasks for this exercise are as follows:
1. Create a power plan on Adam's laptop computer.
2. Configure the power plan.
Task 1: Create a power plan on Adam's laptop computer
1. Log on to the LON-CL1 virtual machine as Adatum\Adam with the password Pa$$w0rd.
2. Open the Control Panel.
3. From System and Security in the Control Panel, select Power Options.
4. Create a new power plan with the following properties:
o Based on: Power saver
o Name: Adam's power-saving plan
o Turn off the display: 3 minutes
Close all open windows and then log off from LON-CL1.
Results: After this exercise, you should have successfully created and configured a suitable power plan for Adam's laptop computer.
When you have finished the lab, leave the virtual machines running, as they are needed for the next lab.
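The lab above creates the plan through the Power Options user interface. As an added example (not part of the course text), the same result from an elevated PowerShell prompt with powercfg.exe, which also covers the power-plan and sleep-state material of this lesson. The plan name and the 3-minute display timeout come from the lab; the AC and disk timeouts are constructed choices, and the English plan label "Power saver" is assumed (the label is localized).

```powershell
# Added example, not part of the course text: the command-line equivalent of the
# lab's Power Options steps, using powercfg.exe on Windows 8 (run elevated).

function Get-PlanGuid {
    # Parse 'powercfg /list', whose lines look like:
    #   Power Scheme GUID: 381b4222-f694-41f0-9685-ff5bb260df2e  (Balanced) *
    # and return the GUID of the plan whose label matches.
    param([string]$Label)
    $pattern = 'GUID:\s+([0-9a-f-]{36})\s+\(' + [regex]::Escape($Label) + '\)'
    $line = powercfg /list | Select-String -Pattern $pattern | Select-Object -First 1
    if (-not $line) { throw "Power plan '$Label' not found" }
    return $line.Matches[0].Groups[1].Value
}

# 1. Duplicate the built-in Power saver plan ("Based on: Power saver" in the lab).
#    powercfg prints the GUID of the copy, which we extract the same way.
$saverGuid = Get-PlanGuid -Label 'Power saver'
$dupOutput = (powercfg /duplicatescheme $saverGuid) -join ' '
$newGuid   = [regex]::Match($dupOutput, '[0-9a-f-]{36}').Value

# 2. Name the copy as in the lab and make it the active plan. This matters
#    because '/change' always edits the currently active plan.
powercfg /changename $newGuid "Adam's power-saving plan"
powercfg /setactive $newGuid

# 3. Per-plan timeouts, in minutes. The '-dc' settings apply on battery, the
#    '-ac' settings on mains power, matching the AC/DC split described above.
powercfg /change monitor-timeout-dc 3      # from the lab: display off after 3 minutes
powercfg /change monitor-timeout-ac 10     # constructed choice
powercfg /change disk-timeout-dc 5         # constructed choice
powercfg /change standby-timeout-dc 15     # constructed choice: sleep after 15 minutes

# 4. Verify. The active plan is marked with '*' in the list; '/query' dumps every
#    setting of the new plan; '/a' shows which sleep states (standby, hibernate,
#    hybrid sleep) this hardware and firmware support.
powercfg /list
powercfg /query $newGuid
powercfg /a
```

Because powercfg edits the active plan, switch plans with `/setactive` before running `/change`; otherwise the timeouts land in whatever plan happens to be active, which is an easy mistake when scripting this for many laptops.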
Lesson 2
To properly implement and support a VPN environment within your organization, it is important that you understand how to select a suitable tunneling protocol, configure VPN authentication, and configure other settings to support your chosen configuration.
To emulate a private link, the data is encrypted to ensure confidentiality. Packets that are intercepted on the shared or public network are indecipherable without encryption keys. The link in which the private data is encapsulated and encrypted is known as a VPN connection.
There are two types of VPN connections:
Remote access
Site-to-site
From the user's perspective, the VPN is a point-to-point connection between the computer, the VPN client, and your organization's server. The exact infrastructure of the shared or public network is irrelevant because it appears logically as if the data is sent over a dedicated private link.
Site-to-Site VPN
Site-to-site VPN connections, which also are known as router-to-router VPN connections, enable your organization to have routed connections between separate offices or with other organizations over a public network, while maintaining secure communications.
A routed VPN connection across the Internet logically operates as a dedicated wide area network (WAN) link. When networks connect over the Internet, a router forwards packets to another router across a VPN connection. To the routers, the VPN connection operates as a data-link layer link.
A site-to-site VPN connection connects two portions of a private network. The VPN server provides a routed connection to the network to which the VPN server is attached. The calling router (the VPN client) authenticates itself to the answering router (the VPN server), and for mutual authentication, the answering router authenticates itself to the calling router. In a site-to-site VPN connection, the packets sent from either router across the VPN connection typically do not originate at the routers.
VPN connections that use the Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol with Internet Protocol Security (L2TP/IPsec), and Secure Socket Tunneling Protocol (SSTP) have the following properties:
Encapsulation: With VPN technology, private data is encapsulated with a header that contains routing information, which allows the data to traverse the transit network.
Authentication: Authentication for VPN connections takes the following three different forms:
o User-level authentication by using Point-to-Point Protocol (PPP) authentication
To establish the VPN connection, the VPN server authenticates the VPN client that is attempting the connection by using a PPP user-level authentication method, and verifying that the VPN client has the appropriate authorization. If you use mutual authentication, the VPN client also authenticates the VPN server, which provides protection against computers that are masquerading as VPN servers.
o Computer-level authentication by using Internet Key Exchange (IKE)
To establish an IPsec security association, the VPN client and the VPN server use the IKE protocol to exchange either computer certificates or a pre-shared key. In either case, the VPN client and server authenticate each other at the computer level. We recommend computer-certificate authentication, because it is a much stronger authentication method. Computer-level authentication is only performed for L2TP/IPsec connections.
o Data origin authentication and data integrity
To verify that the data sent on the VPN connection originated at the connection's other end and was not modified in transit, the data contains a cryptographic checksum based on an encryption key known only to the sender and the receiver. Data origin authentication and data integrity are only available for L2TP/IPsec connections.
Data encryption: To ensure data confidentiality as it traverses the shared or public transit network, the sender encrypts the data, and the receiver decrypts it. The encryption and decryption processes depend on both the sender and the receiver using a common encryption key. Intercepted packets sent along the VPN connection in the transit network are unintelligible to anyone who does not have the common encryption key. The encryption key's length is an important security parameter. You can use computational techniques to determine the encryption key. However, such techniques require more computing power and computational time as the encryption keys get larger. Therefore, it is important to use the largest possible key size to ensure data confidentiality.
PPTP
PPTP enables you to encrypt and encapsulate multiprotocol traffic in an IP header, and then send it across an IP network or a public IP network, such as the Internet. You can use PPTP for remote access and site-to-site VPN connections. When using the Internet as the VPN public network, the PPTP server is a PPTP-enabled VPN server, with one interface on the Internet and a second interface on the intranet:
Encapsulation: PPTP encapsulates PPP frames in IP datagrams for network transmission. PPTP uses a Transmission Control Protocol (TCP) connection for tunnel management and a modified version of Generic Routing Encapsulation (GRE) to encapsulate PPP frames for tunneled data. Payloads of the encapsulated PPP frames can be encrypted, compressed, or both.
Encryption: The PPP frame is encrypted with Microsoft Point-to-Point Encryption (MPPE), by using encryption keys. These keys are generated from the Microsoft version of the Challenge-Handshake Authentication Protocol v2 (MS-CHAPv2), or the Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) authentication process. VPN clients must use the MS-CHAPv2 or EAP-TLS authentication protocol so that the payloads of PPP frames are encrypted. PPTP takes advantage of the underlying PPP encryption and encapsulates a previously encrypted PPP frame.
L2TP
L2TP enables you to encrypt multiprotocol traffic to send over any medium that supports point-to-point datagram delivery, such as IP or asynchronous transfer mode (ATM). L2TP is a combination of PPTP and Layer 2 Forwarding (L2F). L2TP represents the best features of PPTP and L2F.
Unlike PPTP, the Microsoft implementation of L2TP does not use MPPE to encrypt PPP datagrams. L2TP relies on IPsec in Transport Mode for encryption services. The combination of L2TP and IPsec is known as L2TP/IPsec.
Both the VPN client and server must support L2TP and IPsec. Client support for L2TP is built in to the Windows XP, Windows Vista, and Windows 8 remote access clients, and VPN server support for L2TP is built in to members of the Windows Server 2008 and Windows Server 2003 family.
Encapsulation: Encapsulation for L2TP/IPsec packets consists of two layers:
o First layer: L2TP encapsulation. A PPP frame (an IP datagram) is wrapped with an L2TP header and a User Datagram Protocol (UDP) header.
o Second layer: IPsec encapsulation. The resulting L2TP message is wrapped with an Internet Protocol security (IPsec) Encapsulating Security Payload (ESP) header and trailer, an IPsec Authentication trailer that provides message integrity and authentication, and a final IP header. The IP header contains the source and destination IP address that corresponds to the VPN client and server.
Encryption: The L2TP message is encrypted with either Advanced Encryption Standard (AES) or Triple Data Encryption Standard (3DES) by using encryption keys that the IKE negotiation process generates.
SSTP
SSTP is a tunneling protocol that uses the Secure Hypertext Transfer Protocol (HTTPS) protocol over TCP port 443 to pass traffic through firewalls and web proxies that might block PPTP and L2TP/IPsec traffic. SSTP provides a mechanism to encapsulate PPP traffic over the Secure Sockets Layer (SSL) channel of the HTTPS protocol. The use of PPP allows support for strong authentication methods, such as EAP-TLS. SSL provides transport-level security with enhanced key negotiation, encryption, and integrity checking.
When a client tries to establish an SSTP-based VPN connection, SSTP first establishes a bidirectional HTTPS layer with the SSTP server. Over this HTTPS layer, the protocol packets flow as the data payload.
Encapsulation: SSTP encapsulates PPP frames in IP datagrams for transmission over the network. SSTP uses a TCP connection (over port 443) for tunnel management and as PPP data frames.
Encryption: The SSTP message is encrypted with the SSL channel of the HTTPS protocol.
IKEv2
Internet Key Exchange version 2 (IKEv2) uses the IPsec Tunnel Mode protocol over UDP port 500. Because of its support for mobility (MOBIKE), IKEv2 is much more resilient to changing network connectivity. This makes it a good choice for mobile users who move between access points and even switch between wired and wireless connections. An IKEv2 VPN provides resilience to the VPN client when the client moves from one wireless hotspot to another, or when it switches from a wireless to a wired connection. This ability is a requirement of VPN Reconnect.
The use of IKEv2 and IPsec enables support for strong authentication and encryption methods.
Encapsulation: IKEv2 encapsulates datagrams by using IPsec Encapsulating Security Payload (ESP) or Authentication Header (AH) headers for transmission over the network.
Encryption: The message is encrypted with one of the following protocols by using encryption keys that are generated from the IKEv2 negotiation process: Advanced Encryption Standard (AES) 256, AES 192, AES 128, and 3DES encryption algorithms.
IKEv2 is supported only on computers that are running Windows 7, Windows 8, Windows Server 2008 R2, and Windows Server 2012.
VPN Reconnect uses the Internet Key Exchange version 2 (IKEv2) technology to provide seamless and consistent VPN connectivity. VPN Reconnect automatically reestablishes a VPN connection when Internet connectivity is available again. Users who connect with a wireless mobile broadband benefit most from this capability. Consider a user with a laptop that is running Windows 8. When the user travels to work in a train, he or she connects to the Internet with a wireless mobile broadband card, and then establishes a VPN connection to the company's network. When the train passes through a tunnel, the Internet connection is lost. After the train emerges from the tunnel, the wireless mobile broadband card reconnects to the Internet automatically. With Windows Vista and earlier client operating systems, VPN did not reconnect automatically. Therefore, the user needed to manually repeat the multistep process of connecting to the VPN. This was time-consuming for mobile users with intermittent connectivity.
With VPN Reconnect, Windows 7 and Windows 8 automatically reestablish active VPN connections when the Internet connectivity is re-established. Even though the reconnection might take several seconds, users stay connected and have uninterrupted access to internal network resources. The system requirements for using the VPN Reconnect feature are:
Windows Server 2008 R2 or Windows Server 2012 as a VPN server
Windows 7, Windows 8, Windows Server 2008 R2, or Windows Server 2012 client
Public Key Infrastructure (PKI), because a computer certificate is required for a remote connection with VPN Reconnect. Certificates issued by either an internal or public Certificate Authority (CA) can be used.
Connect to LON-DC1 with the HQ VPN and authenticate using the Adatum\Administrator account.
The CMAK is a tool that you can use to customize the remote connection experience for users on your network by creating predefined connections to remote servers and networks. Use the CMAK Wizard to create and customize a connection for your users. CMAK is an optional component that is not installed by default. You must install CMAK to create connection profiles that your users can install and use to access remote networks.
Display Custom Support Information
Include Connection Manager Software with the Connection Profile
Display a Custom License Agreement
Install Additional Files with the Connection Profile
Build the Connection Profile and its Installation Program
Make Advanced Customizations
Your Connection Profile is Complete and Ready to Distribute
Use Windows Explorer to examine the contents of the folder created by the CMAK Wizard to create the connection profile. Normally, you would now distribute this profile to your users.
Adam's sales trip starts next week. He is keen to be able to access corporate data files while he is on the road. You decide to create a VPN on his laptop computer to facilitate this requirement.
Objectives
Create a VPN.
Test the VPN.
Lab Setup
Estimated Time: 30 minutes
Virtual Machine(s): 20687A-LON-DC1, 20687A-LON-CL1
User Name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. The required virtual machines should already be running from the preceding lab.
You decide to create a VPN to connect to LON-DC1. You then will establish a connection to LON-DC1, and attempt to open a shared data folder across the VPN link. The main tasks for this exercise are as follows:
1. Create the VPN connection.
2. Modify the VPN configuration settings.
3. Test the connection.
Map a network drive to \\lon-dc1\data.
Verify your IP configuration by using IPConfig. What IPv4 address has your computer been assigned over the PPP adapter connection?
Disconnect the VPN.
Click back to the Start screen.
Results: After this exercise, you should have successfully connected to the Adatum HQ with your VPN.
When you have finished the lab, leave the virtual machines running, as they are needed for the next lab.
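The lesson compares four tunnel types (PPTP, L2TP/IPsec, SSTP and IKEv2) and their authentication and encryption properties, and the lab builds one connection through the user interface. As an added example (not part of the course text), the following PowerShell creates one connection per tunnel type with the Windows 8 VpnClient module, choosing the authentication method and encryption level the lesson's descriptions call for, and then runs the lab's connect, map, address-check and disconnect sequence over one of them. The server name `lon-dc1.adatum.com`, the connection names and the presence of a computer certificate on the client are assumptions; the share `\\lon-dc1\data` and the Adatum\Administrator account come from the lab.

```powershell
# Added example, not part of the course text: VPN connections per tunnel type
# with the Windows 8 VpnClient module, then the lab's test sequence.
Import-Module VpnClient
$server = 'lon-dc1.adatum.com'   # assumed FQDN of the lab's LON-DC1

# PPTP: MPPE keys are derived from the MS-CHAPv2 or EAP-TLS exchange, so require
# MS-CHAPv2 here and refuse to connect if the server will not encrypt.
Add-VpnConnection -Name 'HQ VPN (PPTP)' -ServerAddress $server -TunnelType Pptp `
    -AuthenticationMethod MSChapv2 -EncryptionLevel Maximum

# L2TP/IPsec: user-level PPP authentication plus computer-level IKE authentication.
# With no -L2tpPsk parameter the IPsec phase uses the computer certificate, which
# the lesson recommends over a pre-shared key (assumes the client has one).
Add-VpnConnection -Name 'HQ VPN (L2TP)' -ServerAddress $server -TunnelType L2tp `
    -AuthenticationMethod MSChapv2 -EncryptionLevel Maximum

# SSTP: PPP over the HTTPS channel on TCP 443, for networks where PPTP and
# L2TP/IPsec are blocked by firewalls or web proxies.
Add-VpnConnection -Name 'HQ VPN (SSTP)' -ServerAddress $server -TunnelType Sstp `
    -AuthenticationMethod MSChapv2 -EncryptionLevel Maximum

# IKEv2: machine-certificate authentication and the strongest available cipher.
# This is the combination that VPN Reconnect relies on.
Add-VpnConnection -Name 'HQ VPN (IKEv2)' -ServerAddress $server -TunnelType Ikev2 `
    -AuthenticationMethod MachineCertificate -EncryptionLevel Maximum

# Review what was created.
Get-VpnConnection | Select-Object Name, TunnelType, AuthenticationMethod, EncryptionLevel

# Lab test sequence over the PPTP connection. Prompt for the password rather
# than putting it on the command line, where it would be kept in history.
$cred = Get-Credential -UserName 'Adatum\Administrator' -Message 'HQ VPN logon'
rasdial 'HQ VPN (PPTP)' $cred.UserName $cred.GetNetworkCredential().Password

# The lab question: which IPv4 address did the PPP adapter receive?
Get-NetIPAddress -InterfaceAlias 'HQ VPN (PPTP)' -AddressFamily IPv4 |
    Select-Object InterfaceAlias, IPAddress

# Map the lab share, release it, and disconnect.
net use Z: \\lon-dc1\data
net use Z: /delete
rasdial 'HQ VPN (PPTP)' /disconnect
```

Of the four, only the IKEv2 connection authenticates the computer with a certificate and survives a change of network, so it is the one to hand to a travelling user such as Adam; the PPTP connection is kept in the example only because it is what the lab tests.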
Lesson 3
Many organizations use remote management and troubleshooting, so that they can reduce troubleshooting time and reduce travel costs for support staff. Remote troubleshooting allows support staff to operate effectively from a central location.
Remote Desktop uses the Remote Desktop Protocol (RDP) to allow users to access files on their office computer from another computer, such as one located at their home. Additionally, Remote Desktop allows administrators to connect to multiple Windows Server sessions for remote administration purposes. While a Remote Desktop session is active, Remote Desktop locks the target computer, prohibiting interactive logons for the session's duration.
Remote Assistance
Remote Assistance allows a user to request help from a remote administrator. To access Remote Assistance, run the Windows Remote Assistance tool. Using this tool, you can do the following:
Invite someone who is trustworthy to help you.
Offer to help someone.
View the remote user's desktop.
Chat with the remote user with text chat.
Send a file to the remote computer.
If permissions allow, request to take remote control of the remote desktop.
Users can send Remote Assistance invitations through email, or by saving a request to a file that the remote administrator can read and act upon.
2. Click Select Users. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
3. If you are an administrator on the computer, your current user account will be added automatically to the list of remote users, and you can skip the next two steps.
4. In the Remote Desktop Users dialog box, click Add.
5. In the Select Users or Groups dialog box, do the following:
a. To specify the location in which to search for the remote user, click Locations, and then select the location you want to search.
b. In Enter the object names to select, type the name of the user that you want to add as a remote user, and then click OK.
On the source computer, you need to perform the following to access the remote computer:
1. Start Remote Desktop.
2. Before connecting, enter the logon credentials on the General tab, and make desired changes to the options in the Display, Local Resources, Programs, Experience, and Advanced tabs.
o Display: Choose the Remote desktop display size. You have the option of running the remote desktop in full-screen mode.
o Local Resources: Configure local resources for use by the remote computer, such as clipboard and printer access.
o Programs: Specify which programs you want to start when you connect to the remote computer.
o Experience: Choose connection speeds and other visual options.
o Advanced: Configure security and credential options.
3. Save these settings for future connections by clicking Save on the General tab.
4. Click Connect to connect to the remote computer.
This demonstration shows how to enable and use Remote Assistance. Adam needs help with a Microsoft Office Word feature. He requests assistance, and you provide guidance on the feature by using Remote Assistance.
Open Remote Settings, and then specify administrative credentials when prompted by User Account Control.
Verify that remote access is allowed to this computer.
Run msra.exe, and then request remote assistance.
Save the invite to a shared folder location accessible by your invitee.
Adam has a desktop computer in his office in London that he may wish to use while he travels around the UK between his customers.
Objectives
Configure Remote Desktop.
Test a Remote Desktop connection.
Lab Setup
Estimated Time: 15 minutes
Virtual Machine(s): 20687A-LON-DC1, 20687A-LON-CL1, 20687A-LON-CL2
User Name: Adatum\Administrator and Adatum\Adam
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. The required virtual machines should already be running from the preceding lab. You will also need to start and connect to 20687A-LON-CL2. Do not log on until directed to do so.
You decide to enable Remote Desktop on his desktop computer so that Adam can access it to work on his data files should the need arise. Before Adam leaves, you decide to test the remote-desktop connection to his desktop computer from his laptop. The main tasks for this exercise are as follows:
1. Enable Remote Desktop through the firewall and enable Remote Desktop on Adam's office computer.
2. Connect to the remote computer with Remote Desktop.
Task 1: Enable Remote Desktop through the firewall and enable Remote Desktop on Adam's office computer
1. On LON-CL1, open Windows Firewall, and enable Remote Desktop through the firewall for all network location profiles (Domain, Private, and Public).
2. In Control Panel, in System and Security, select Allow remote access, and then select the following options:
   o Select Allow remote connections to this computer.
   o Add Adatum\Adam as a Remote Desktop user.
3. Confirm your changes, and then close all open windows.
4. Log on to LON-CL2 as Adatum\Administrator with the password Pa$$w0rd, and then open Remote Desktop Connection.
5. Specify the computer to connect to as LON-CL1, and then click Show Options.
6. Configure the following setting: on the Advanced tab, under If server authentication fails, select Connect and don't warn me.
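The same configuration from the command line, as an added example that is not part of the course material. It assumes the lab names (LON-CL1 as Adam's office computer, LON-CL2 as the client, Adatum\Adam as the remote user) and an elevated Windows PowerShell 3.0 session on Windows 8; the registry value names are the ones that the Remote settings dialog writes. It goes one step beyond the lab on both sides: the host is set to require Network Level Authentication, and the saved connection file keeps the default "Warn me" server-authentication behaviour rather than the "Connect and don't warn me" choice that is acceptable only in a test environment.

```powershell
# Added example, not part of the course. Part 1 runs elevated on LON-CL1,
# the computer that will accept Remote Desktop connections.
$ts     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$ts\WinStations\RDP-Tcp"

# Task 1, step 1: allow Remote Desktop through Windows Firewall. The predefined
# rule group covers TCP and UDP 3389 for the profiles it is scoped to.
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# Task 1, step 2: "Allow remote connections to this computer".
Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0

# Require Network Level Authentication: the client must authenticate before a
# session is created, so an unauthenticated peer never reaches the logon screen.
Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1

# Add Adam as a Remote Desktop user. net.exe is used because the
# Add-LocalGroupMember cmdlet does not exist on Windows 8.
net localgroup 'Remote Desktop Users' 'Adatum\Adam' /add

# Verify the result: firewall rules per profile, both registry values, group membership.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Select-Object Name, Enabled, Profile, Direction
Get-ItemProperty -Path $ts     -Name fDenyTSConnections
Get-ItemProperty -Path $rdpTcp -Name UserAuthentication
net localgroup 'Remote Desktop Users'

# Part 2 runs on LON-CL2 (the client). "authentication level" is the
# Advanced-tab setting: 0 = connect and don't warn, 1 = do not connect,
# 2 = warn (the default). Clipboard and printer redirection are left off.
$rdpFile = "$env:USERPROFILE\Documents\LON-CL1.rdp"
@"
full address:s:LON-CL1
authentication level:i:2
prompt for credentials:i:1
redirectclipboard:i:0
redirectprinters:i:0
"@ | Set-Content -Path $rdpFile

mstsc $rdpFile
```

Checking `UserAuthentication` alongside `fDenyTSConnections` is the useful habit here: the dialog's "Allow remote connections" option alone does not tell you whether NLA is enforced, and the two values are what a configuration audit should read.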
Results: After this exercise, you should have successfully verified that Remote Desktop is functional.
Lesson 4
Organizations often rely on VPN connections to provide remote users with secure access to data and resources on the corporate network. VPN connections are easy to configure, and are supported by different clients. However, VPN connections must be first initiated by the user and could require additional configuration on the corporate firewall. Also, VPN connections usually enable remote access to the entire corporate network. Moreover, organizations cannot effectively manage remote computers unless they are connected. To overcome such limitations in VPN connections, organizations can implement DirectAccess, available in Windows Server 2008 R2, Windows Server 2012, Windows 7 Enterprise edition, and Windows 8 Enterprise edition, to provide a seamless connection between the internal network and the remote computer on the Internet. With DirectAccess, organizations can effortlessly manage remote computers, because they are always connected.
Organizations benefit from DirectAccess because remote computers can be managed as if they are local computers, using the same management and update servers, to ensure they are always up-to-date and in compliance with security and system health policies. You also can define more detailed access control policies for remote access, as compared to defining access control policies in VPN solutions. DirectAccess has the following features:
o Connects automatically to the corporate intranet when connected to the Internet.
o Uses various protocols, including HTTPS, to establish IPv6 connectivity. HTTPS is typically allowed through firewalls and proxy servers.
o Supports selected server access and end-to-end IPsec authentication with intranet network servers.
o Supports end-to-end authentication and encryption with intranet network servers.
o Supports management of remote client computers.
o Allows remote users to connect directly to intranet servers.
Always-on connectivity: Whenever the user connects the client computer to the Internet, the client computer is connected to the intranet also. This connectivity enables remote client computers to access and update applications more easily. It also makes intranet resources always available, and enables users to connect to the corporate intranet from anywhere, anytime. This improves user productivity, satisfaction, and performance.
Seamless connectivity: DirectAccess provides a consistent connectivity experience, whether the client computer is local or remote. This allows users to focus more on productivity and less on connectivity options and processes. This consistency can reduce training costs for users, with fewer support incidents.
Bidirectional access: You can configure DirectAccess so that DirectAccess clients not only have access to intranet resources, but you also can have access from the intranet to those DirectAccess clients. Thus, DirectAccess can be bidirectional so that users have access to intranet resources, and you can have access to DirectAccess clients when they are connecting over a public network. This ensures that the client computers always are updated with recent security patches, that domain Group Policy is enforced, and that there is no difference whether users are on the corporate intranet or the public network.
This bidirectional access also results in:
o Decreased update time.
o Increased security.
o Decreased update miss rate.
o Improved compliance monitoring.
Improved security: Unlike traditional VPNs, DirectAccess offers many levels of access control to network resources. This tighter degree of control allows security architects to precisely control remote users who access specified resources. IPsec encryption is used for protecting DirectAccess traffic so that users can ensure that their communication is safe. You can use a granular policy to define who can use DirectAccess, and from where.
Integrated solution: DirectAccess fully integrates with Server and Domain Isolation and Network Access Protection (NAP) solutions, resulting in the seamless integration of security, access, and health requirement policies between the intranet and remote computers.
Components of DirectAccess
To deploy and configure DirectAccess, your organization must support the following infrastructure components.
DirectAccess Server
Generally installed in the perimeter network, the DirectAccess servers provide intranet connectivity for DirectAccess clients on the Internet. The DirectAccess server must:
o Have at least two physical network adapters installed: one connected to the Internet and the other to the intranet.
o Have at least two consecutive static, public IPv4 addresses assigned to the network adapter that is connected to the Internet. The server should not be placed behind a NAT.
DirectAccess Clients
To deploy DirectAccess, you also need to ensure that the client meets certain requirements:
o The client must be joined to an AD DS domain.
o The client must be running Windows 7 Ultimate Edition, Windows 7 Enterprise Edition, Windows 8 Enterprise Edition, Windows Server 2008 R2, or Windows Server 2012.
o Internal network resources must be available through IPv6. For clients that are connected to the Internet, you can use IPv6 transition technologies, such as 6to4 and Teredo.
Note: Clients that are running Windows Vista, Windows Server 2008, or earlier versions of Windows operating systems do not support DirectAccess.
Network Location Server
DirectAccess clients use the Network Location Server (NLS) to determine their location. If the client can connect to the NLS with HTTPS, then the client assumes it is on the intranet and disables DirectAccess components. If the NLS cannot be contacted, the client assumes it is on the Internet. The NLS is installed with the web server role.
Note: The URL for the NLS is distributed by using a Group Policy Object (GPO).
Active Directory Domain Services
You must deploy at least one AD DS domain with at least one Windows Server 2012 or Windows Server 2008 R2-based domain controller.
Group Policy
Group Policy is required for centralized administration and deployment of DirectAccess settings. The DirectAccess Setup Wizard creates a set of GPOs and settings for DirectAccess clients, the DirectAccess server, and selected servers.
PKI
You must implement PKI to issue computer certificates for authentication, and where desirable, health certificates when using NAP. You need not implement public certificates.
DNS Server
When using Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), you must use Windows Server 2012, Windows Server 2008 R2, Windows Server 2008 with the Q958194 hotfix (http://go.microsoft.com/fwlink/?LinkID=159951), Windows Server 2008 Service Pack 2 (SP2) or newer, or a third-party DNS server that supports DNS message exchanges over ISATAP.
The NRPT allows DirectAccess clients to use intranet DNS servers for name resolution of internal resources and Internet DNS servers for name resolution of other resources. Dedicated DNS servers are not required for name resolution. DirectAccess helps to prevent the exposure of your intranet namespace to the Internet. Some names need to be treated differently with regard to name resolution, and these names should not be resolved by using intranet DNS servers. To ensure that these names are resolved with the DNS servers that are specified in the client's TCP/IP settings, you must add them as NRPT exemptions. NRPT is controlled through Group Policy. When the computer is configured to use NRPT, the name resolution mechanism first tries to use the local name cache, which includes the entries in the hosts file, then NRPT, and finally sends the query to the DNS servers that are specified in the TCP/IP settings.
Namespaces, for example internal.contoso.com, are entered into the NRPT, followed by the DNS servers to which requests matching that namespace should be directed. If an IP address is entered for the DNS server, all DNS requests will be sent directly to the DNS server over the DirectAccess connection. You need not specify any additional security for such configurations. However, if a name is specified for the DNS server, such as dns.contoso.com in the NRPT, the name must be publicly resolvable when the client queries the DNS servers that are specified in its TCP/IP settings.
If a name query request does not match a namespace that is listed in the NRPT, the request is sent to the DNS servers that are configured in the TCP/IP settings. For a remote client, the DNS servers will typically be the Internet DNS servers that are configured through the Internet service provider (ISP). For a DirectAccess client on the intranet, the DNS servers will typically be the intranet DNS servers that are configured through Dynamic Host Configuration Protocol (DHCP).
Single-label names, for example http://internal, will typically have configured DNS search suffixes that are appended to the name before they are checked against the NRPT.
If no DNS search suffixes are configured and the single-label name does not match any other single-label name entry in the NRPT, the request will be sent to the DNS servers that are specified in the client's TCP/IP settings.
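The lookup order just described, worked through as an added example that is not from the course. The first command is the real Windows 8 cmdlet that lists the effective table a client received through Group Policy (property names as shipped in the DnsClient module). The rest is a small model of the matching rules from the text: a constructed table with one intranet namespace and one exemption (a namespace entry with no DNS servers, which is how the NLS name is exempted), search-suffix expansion for single-label names, and fallback to the interface DNS servers. The namespaces, addresses and suffix are placeholders.

```powershell
# Added example, not part of the course. Real cmdlet: show the effective NRPT
# on a Windows 8 DirectAccess client. Rules with DirectAccessDnsServers set
# route to intranet DNS; a namespace with no servers is an exemption.
Get-DnsClientNrptPolicy -Effective |
    Select-Object Namespace, DirectAccessDnsServers, DirectAccessEnabled

# Constructed sample table modelled on the text (placeholder names/addresses).
$sampleRules = @(
    @{ Namespace = '.corp.contoso.com';    DnsServers = @('2001:db8:1::53') }  # intranet rule
    @{ Namespace = 'nls.corp.contoso.com'; DnsServers = @() }                  # exemption
)
$searchSuffixes = @('corp.contoso.com')

function Resolve-NrptTarget {
    param([string]$Name, [array]$Rules, [string[]]$Suffixes)

    # Single-label names get the configured DNS search suffixes appended before
    # the NRPT is consulted; FQDNs are checked as they are.
    $candidates = if ($Name -notlike '*.*' -and $Suffixes) {
        $Suffixes | ForEach-Object { "$Name.$_" }
    } else { @($Name) }

    foreach ($fqdn in $candidates) {
        # An exact-name entry (e.g. the NLS exemption) wins over a suffix entry
        # (leading dot); among suffix entries the longest match wins.
        $match = $Rules |
            Where-Object {
                ($_.Namespace -notlike '.*' -and $fqdn -eq $_.Namespace) -or
                ($_.Namespace -like    '.*' -and $fqdn -like "*$($_.Namespace)")
            } |
            Sort-Object { $_.Namespace -like '.*' }, { -$_.Namespace.Length } |
            Select-Object -First 1

        if ($match) {
            if ($match.DnsServers.Count -eq 0) {
                return "$fqdn -> exemption '$($match.Namespace)': interface DNS servers"
            }
            return "$fqdn -> intranet DNS $($match.DnsServers -join ',') over DirectAccess"
        }
    }
    # No namespace matched: the query goes to the ISP- or DHCP-configured servers.
    return "$Name -> no NRPT match: interface (ISP or DHCP) DNS servers"
}

Resolve-NrptTarget -Name 'fileserver.corp.contoso.com' -Rules $sampleRules -Suffixes $searchSuffixes
Resolve-NrptTarget -Name 'nls.corp.contoso.com'        -Rules $sampleRules -Suffixes $searchSuffixes
Resolve-NrptTarget -Name 'internal'                    -Rules $sampleRules -Suffixes $searchSuffixes
Resolve-NrptTarget -Name 'www.microsoft.com'           -Rules $sampleRules -Suffixes $searchSuffixes
```

The model deliberately leaves out the local name cache and hosts file that the text puts ahead of the NRPT; it is there to make visible why the NLS name must be an exemption (otherwise a remote client would try to resolve it through the not-yet-established tunnel) and why a single-label name such as internal only reaches the intranet servers when a search suffix is configured.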
1. The DirectAccess client accesses the HTTPS-based URL of the network location server, during which process it obtains the certificate of the network location server.
2. Based on the Certificate Revocation List (CRL) Distribution Points field of the network location server's certificate, the DirectAccess client checks the CRL revocation files in the CRL distribution point to determine if the network location server's certificate has been revoked.
3. Based on an HTTP 200 Success of the network location server URL (successful access and certificate authentication and revocation check), the DirectAccess client removes the DirectAccess rules in the NRPT.
4. The DirectAccess client computer attempts to locate and log on to the AD DS domain using its computer account.
5. Because there are no longer any DirectAccess rules in the NRPT, all DNS queries are sent through interface-configured DNS servers (intranet DNS servers).
6. Based on the successful computer logon to the domain, the DirectAccess client assigns the Domain profile to the attached network.
7. Because the DirectAccess connection security tunnel rules are scoped for the Public and Private profiles, they are removed from the list of active Connection Security rules.
The DirectAccess client has successfully determined that it is connected to its intranet and does not use DirectAccess settings (NRPT rules or Connection Security tunnel rules). It can access intranet resources normally. It also can access Internet resources through normal means, such as a proxy server (not shown).
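Steps 1 to 3 and 7 can be reproduced by hand when a client has decided on the wrong location, as an added example that is not part of the course. It assumes an elevated PowerShell session on a Windows 8 DirectAccess client; the cmdlets and property names are the ones in the Windows 8 NetworkConnectivityStatus, DnsClient and NetSecurity modules, and certutil.exe does the same CRL fetch from the certificate's CRL Distribution Points field that the client performs in step 2. No server names are hard-coded: the NLS URL is read from the policy the client received.

```powershell
# Added example, not part of the course. Run elevated on a Windows 8 DirectAccess client.

# Which URL does this client probe to decide that it is on the intranet?
$nlsUrl = (Get-NCSIPolicyConfiguration).DomainLocationDeterminationUrl
"NLS URL from policy: $nlsUrl"

# What does the client currently believe about its location?
Get-DAConnectionStatus | Select-Object Status, Substatus

# Steps 1 and 3: fetch the NLS URL over HTTPS. Anything other than HTTP 200
# (unreachable, certificate rejected) leaves the DirectAccess rules in place.
$request = [System.Net.HttpWebRequest]::Create($nlsUrl)
try {
    $response = $request.GetResponse()
    "NLS returned HTTP $([int]$response.StatusCode)"
    $response.Close()
} catch [System.Net.WebException] {
    "NLS not reachable or certificate rejected: $($_.Exception.Message)"
}

# Step 2: repeat the revocation check. -urlfetch downloads the CRL named in the
# certificate's CDP extension, which is why the client needs reachable CRL
# distribution points (the lab question at the end of this lesson).
$serverCert = $request.ServicePoint.Certificate
if ($serverCert) {
    $certFile = Join-Path $env:TEMP 'nls-server.cer'
    [System.IO.File]::WriteAllBytes($certFile, $serverCert.Export('Cert'))
    certutil -verify -urlfetch $certFile | Select-String 'CDP', 'Revocation', 'ERROR'
}

# Steps 3 and 7: on the intranet there should be no DirectAccess NRPT rules and
# no active tunnel rules (they are scoped to Public/Private, not Domain).
Get-DnsClientNrptPolicy -Effective | Select-Object Namespace, DirectAccessDnsServers
Get-NetIPsecRule -PolicyStore ActiveStore | Select-Object DisplayName, Enabled, Profile
```

If `certutil` reports that a CRL could not be retrieved while the HTTPS request itself succeeded, the client will still treat itself as being on the Internet; a blocked or expired CRL distribution point is the most common reason an intranet client keeps its tunnel rules.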
DirectAccess Client Attempts to Access the Network Location Server
1. The client tries to resolve the FQDN of the network location server URL. Because the FQDN of the network location server URL corresponds to an exemption rule in the NRPT, the DirectAccess client sends the DNS query to a locally-configured DNS server (an Internet-based DNS server). The Internet DNS server cannot resolve the name.
2. The DirectAccess client keeps the DirectAccess rules in the NRPT.
3. Because the network location server was not found, the DirectAccess client applies the Public or Private profile to the attached network.
4. The Connection Security tunnel rules for DirectAccess, scoped for the Public and Private profiles, remain.
The DirectAccess client has the NRPT rules and Connection Security rules to access intranet resources across the Internet through the DirectAccess server.
After starting up and determining its network location, the DirectAccess client attempts to locate and log on to a domain controller. This process creates the infrastructure tunnel to the DirectAccess server.
1. The DNS name for the domain controller matches the intranet namespace rule in the NRPT, which specifies the IPv6 address of the intranet DNS server. The DNS client service constructs the DNS name query that is addressed to the IPv6 address of the intranet DNS server, and hands it off to the TCP/IP stack for sending.
2. Before sending the packet, the TCP/IP stack checks to determine whether there are Windows Firewall outgoing rules or Connection Security rules for the packet.
3. Because the destination IPv6 address in the DNS name query matches a Connection Security rule that corresponds with the infrastructure tunnel, the DirectAccess client uses AuthIP and IPsec to negotiate and authenticate an encrypted IPsec tunnel to the DirectAccess server. The DirectAccess client authenticates itself with its installed computer certificate and its NTLM credentials.
4. The DirectAccess client sends the DNS name query through the infrastructure tunnel to the DirectAccess server.
5. The DirectAccess server forwards the DNS name query to the intranet DNS server, which responds. The DNS name query response is sent back to the DirectAccess server, and then back through the infrastructure tunnel to the DirectAccess client.
Subsequent domain logon traffic goes through the infrastructure tunnel. When the user on the DirectAccess client logs on, the domain logon traffic goes through the infrastructure tunnel.
2. Before sending the packet, the TCP/IP stack checks to determine whether there are Windows Firewall outgoing rules or Connection Security rules for the packet.
3. Because the destination IPv6 address matches the Connection Security rule that corresponds with the intranet tunnel (which specifies the IPv6 address space of the entire intranet), the DirectAccess client uses AuthIP and IPsec to negotiate and authenticate an additional IPsec tunnel to the DirectAccess server. The DirectAccess client authenticates itself with its installed computer certificate and the user account's Kerberos credentials.
4. The DirectAccess client sends the packet through the intranet tunnel to the DirectAccess server.
5. The DirectAccess server forwards the packet to the intranet resource, which responds. The response is sent back to the DirectAccess server, and then back through the intranet tunnel to the DirectAccess client.
Subsequent intranet access traffic, which does not match an intranet destination in the infrastructure tunnel Connection Security rule, goes through the intranet tunnel.
When the user or a process on the DirectAccess client attempts to access an Internet resource (such as an Internet web server), the following occurs:
1. The DNS Client service passes the DNS name for the Internet resource through the NRPT. There are no matches. The DNS Client service constructs the DNS name query that is addressed to the IP address of an interface-configured Internet DNS server, and then hands it off to the TCP/IP stack for sending.
2. Before sending the packet, the TCP/IP stack checks to determine whether there are Windows Firewall outgoing rules or Connection Security rules for the packet.
3. Because the destination IP address in the DNS name query does not match the Connection Security rules for the tunnels to the DirectAccess server, the DirectAccess client sends the DNS name query normally. The Internet DNS server responds with the IP address of the Internet resource.
4. The user application or process constructs the first packet to send to the Internet resource.
5. Before sending the packet, the TCP/IP stack checks to determine whether there are Windows Firewall outgoing rules or Connection Security rules for the packet.
6. Because the destination IP address in the packet does not match the Connection Security rules for the tunnels to the DirectAccess server, the DirectAccess client sends the packet normally.
Subsequent Internet resource traffic, which does not match a destination in either the infrastructure or intranet tunnel Connection Security rules, is sent and received normally.
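The three flows above (infrastructure tunnel, intranet tunnel, plain Internet traffic) are decided by the Connection Security rules in the active policy store and show up as IPsec security associations once traffic has triggered them. The following is an added example, not part of the course, for inspecting them on a Windows 8 DirectAccess client that is on the Internet. It assumes an elevated session, the Windows 8 NetSecurity and DnsClient modules, and uses a placeholder domain controller name; the main mode SA identity properties (LocalFirstId, LocalSecondId) are assumed from the cmdlet's documented output and are the two AuthIP authentications the text describes.

```powershell
# Added example, not part of the course. Run elevated on a DirectAccess client.

# The tunnel rules: both are Connection Security rules scoped to Public/Private,
# which is why they disappear when the client lands on the Domain profile.
Get-NetIPsecRule -PolicyStore ActiveStore |
    Select-Object DisplayName, Enabled, Profile, Mode, InboundSecurity, OutboundSecurity

# What each rule covers. The infrastructure rule lists the intranet DNS server
# and domain controllers; the intranet rule lists the whole intranet address space.
Get-NetIPsecRule -PolicyStore ActiveStore | ForEach-Object {
    $addresses = $_ | Get-NetFirewallAddressFilter
    '{0}: remote {1}' -f $_.DisplayName, ($addresses.RemoteAddress -join ', ')
}

# Trigger the infrastructure tunnel exactly as step 1 describes: an intranet
# name that matches the NRPT rule. Placeholder name for this example.
Resolve-DnsName -Name 'lon-dc1.corp.contoso.com' -Type AAAA

# Main mode SAs now exist. First authentication is the computer certificate in
# both tunnels; the second is NTLM (computer) for the infrastructure tunnel and
# the user's Kerberos identity for the intranet tunnel. Quick mode SAs carry the
# protected traffic.
Get-NetIPsecMainModeSA  | Select-Object LocalEndpoint, RemoteEndpoint, LocalFirstId, LocalSecondId
Get-NetIPsecQuickModeSA | Select-Object LocalEndpoint, RemoteEndpoint, EncapsulationMode

# A public name must not match any rule or SA: it goes out in the clear, as in
# step 6 of the Internet flow.
Resolve-DnsName -Name 'www.microsoft.com' -Type A
```

Comparing the `RemoteAddress` lists with the endpoints in the SA output is the quickest way to confirm which tunnel a given destination is using, and that Internet destinations appear in neither.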
3. Create the certificate template and configure security settings on the template so that Authenticated Users can enroll the certificate.
4. Distribute the computer certificates. You can use Group Policy to do this by enabling autoenrollment.
Task 3: Configure the DirectAccess clients and test Intranet access
To prepare the DirectAccess clients and test the DirectAccess environment, complete the following tasks:
1. Verify that DirectAccess clients have the computer certificate that is required for DirectAccess authentication. This should have been distributed with Group Policy.
2. Verify that the client can connect to intranet resources.
To verify the DirectAccess functionality, move DirectAccess clients to the Internet, and then verify connectivity to intranet resources.
Question: Why is it important that the DirectAccess client should have access to a CRL distribution point?
Module 12
Implementing Hyper-V
Contents:
Module Overview 12-1
Lesson 1: Overview of Hyper-V 12-2
Lesson 2: Creating Virtual Machines 12-5
Lesson 3: Managing Virtual Hard Disks 12-10
Lesson 4: Managing Snapshots 12-13
Module Review and Takeaways 12-16
Module Overview
Hyper-V is the primary platform for infrastructure virtualization. By interacting with hardware components in a more direct manner, Hyper-V enables multiple, isolated operating systems to share the same physical platform. This module will introduce you to Client Hyper-V in Windows 8, and explain the fundamentals of working with virtual machines in the Client Hyper-V environment.
Objectives
After completing this module, you will be able to:
o Describe Hyper-V.
o Explain the process for creating and working with virtual machines.
o Identify key aspects of working with virtual disks.
o Understand and manage snapshots with Hyper-V.
Lesson 1
Hyper-V virtualization technology has been providing virtualized environments on Windows Server computers since Windows Server 2008. Windows 8 is the first Windows client version to include Hyper-V. Hyper-V supports a large range of virtualization capabilities, many of which are included in Windows 8 in a new feature called Client Hyper-V. This lesson will introduce you to the Client Hyper-V functionality in Windows 8, and introduce scenarios that may benefit from a virtual environment. Client Hyper-V is a new feature in Windows 8 that enables the same core virtualization technology as found in Windows Server 2012.
Virtual machines are configured to share physical resources from the host machine, and represent those virtualized resources as usable components to the virtual machine's operating system. For example, one computer with one network adapter may have five different virtual machines that are running in Hyper-V. In each of those virtual machines, a virtualized network adapter is associated with the single physical network adapter, enabling five virtual machines to have individual MAC addresses, be assigned individual IP addresses, and gain network access. The same virtualization happens with other hardware components, such as the processor, memory, and hard disks.
Client Hyper-V is a feature that enables virtualization within the Windows 8 environment. Client Hyper-V uses the same virtualization engine as Hyper-V in Windows Server 2012, and contains the same core feature set. Client Hyper-V replaces the Virtual PC feature previously available in Windows 7, and has some significant differences in functionality:
o Compatibility with Hyper-V on Windows Server. Client Hyper-V supports the same standard functionality as Hyper-V on Windows Server. You can import and export virtual machines and virtual hard disks (VHDs) between Hyper-V and Client Hyper-V in most situations, without any requirement for conversion or modification.
o Support for 64-bit guest virtual machines. Client Hyper-V can provide both a 32-bit and 64-bit virtualized hardware environment for guest virtual machines. Virtual PC supported only 32-bit virtualized hardware.
o No application-level virtualization. In Windows 7, Windows XP-mode in Virtual PC enabled a user to run an application in a virtualized Windows XP environment, while still making the rest of the Windows 7 environment available. In Windows 8, Client Hyper-V provides a complete virtualization solution.
o The processor in the host computer must support Single Level Address Translation (SLAT). You may need to enable this feature in your computer's BIOS.
o The host computer must have at least 4 gigabytes (GB) of RAM.
Note: You can install the Hyper-V management tools (Hyper-V Manager and the Hyper-V Module for Windows PowerShell) even if the preceding requirements are not met. You can do this to remotely manage a Hyper-V installation on another computer.
The primary tool for management within the Client Hyper-V environment is Hyper-V Manager. Hyper-V Manager is a console that is based on Microsoft Management Console (MMC). It provides complete access to Client Hyper-V functionality in Windows 8. Windows Server 2012 Hyper-V also uses Hyper-V Manager, so any experience in either operating system will directly correspond to the other.
The other tool installed with Client Hyper-V is the Hyper-V Virtual Machine Connection (VMC) tool. You can use the VMC to connect to a virtual machine with an interface and level of interaction very similar to Remote Desktop Protocol (RDP). The VMC tool does not require you to use a Hyper-V console to connect to a virtual machine.
You can create a Client Hyper-V virtual machine, and use it as a preproduction environment for application testing. You may be preparing to migrate your Windows client infrastructure to Windows 8 and require testing of all line-of-business (LOB) applications. You can employ a virtual machine that is running Windows 8 to test the application, and then reset the virtual machine back to its default state to test other applications.
You can create several virtual machines, each with a different installed version of Windows, to test a new application. For example, you could install Windows 8 on the first virtual machine, install Windows 7 on the second, and install Windows XP, continuing this variance as much as you want. You can configure each virtual machine to your testing specifications, and reset the machines after testing is complete so that the machines are immediately ready for the next testing task.
If you encounter problems with a virtual machine in your production Hyper-V environment on Windows Server 2012, you can export that virtual machine from your production environment, import it into Client Hyper-V, perform the required troubleshooting, and then export it back into the production environment. With Client Hyper-V, you can use Hyper-V virtualization, wireless network adapters, and sleep states on your desktop computer. For example, if you run Client Hyper-V on a laptop and close the lid, the virtual machines that are running go into a saved state, and resume when the machine wakes.
Virtual machine management (VMM) and other tools created for Hyper-V in Windows Server, such as VMM P2V or Sysinternals Disk2VHD tools, also will work in Client Hyper-V.
Using virtual-machine networking, you can create a multimachine environment for test, development, and demonstration, which is secure and which does not affect the production network. You also can mount and boot a Windows operating system by using VHDs from a USB storage drive. You would use these VHDs as a virtual machine by using Client Hyper-V, if you are running Windows 8 Enterprise.
You also can use VHDs that have been preconfigured to test new Microsoft software. Microsoft.com hosts a large number of ready-to-use .vhd files that you can simply import into Hyper-V or Client Hyper-V. After you import a file, the VHDs provide a functional test version of the specific product for evaluation. With VHD files, there is no need to upgrade or configure operating systems, or download and install applications. It is all ready to go in the VHD file at first boot.
Lesson 2
By creating and configuring virtual machines, you can run various operating systems and environments within your Hyper-V infrastructure. You can configure each virtual machine with its own virtual hardware infrastructure and connectivity. This lesson will describe the process for creating and managing virtual machines within Client Hyper-V.
o Virtual machine location. By default, the virtual machine is created and located on the computer's system drive. If your computer has multiple physical hard disks, you typically can increase the performance of your virtual machine by placing it on a disk separate from the system disk. For computers with solid state disks (SSDs), this is not as effective.
o Memory. The amount of memory that you specify will be assigned to the virtual machine from the available physical memory on your host computer.
o Network connection. Your virtual machine can have one or more virtual network adapters. By default, a new virtual machine is created with a single network adapter that is connected to a virtual network. You can create virtual networks that will connect virtual machines to the external network through the host-computer network adapter, or you can create a self-contained virtual network to provide an isolated network environment. Alternatively, you may choose not to connect the virtual machine to any network.
o Virtual hard-disk location. By default, a single VHD is created in the same directory specified for the virtual machine location. You also may choose to use a preexisting VHD that has already been created. For example, many Microsoft products are available for trial purposes in preconfigured VHD files.
o Operating system installation media. Unless you are attaching a VHD file that already has an operating system installed, you will need to install an operating system on your virtual machine. You can specify an .iso CD/DVD image file to use as installation media, or you can attach the physical CD/DVD drive from the host machine to the virtual machine, and then install the operating system from that media.
1. On the Specify Name and Location page, in the Name field, type the name of your virtual machine. Select where the virtual machine and its associated VHDs will be stored.
2. On the Assign Memory page, in the Memory field, specify the amount of memory to assign the virtual machine, and then click Next.
3. On the Configure Networking page, in the Connection list, select the appropriate network, and then click Next.
4. On the Connect Virtual Hard Disk page, either create a new VHD, or use an existing VHD file that has already been created, and then click Next.
5. On the Completing the New Virtual Machine Wizard page, click Finish.
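The same virtual machine built from the Hyper-V module instead of the wizard, as an added example that is not part of the course. It assumes Windows 8 with Client Hyper-V and its PowerShell module enabled, and uses placeholder names and paths (TEST-WIN8, D:\VMs, D:\ISO\Windows8.iso, a switch called Lab-Isolated). It takes the "self-contained virtual network" option from the list above: a Private switch connects virtual machines only to each other, so a test guest cannot reach the production network or the host.

```powershell
# Added example, not part of the course. Windows 8, elevated session,
# Hyper-V module available. All names and paths are placeholders.
$vmName  = 'TEST-WIN8'
$vmRoot  = 'D:\VMs'                 # a separate physical disk, if you have one
$isoPath = 'D:\ISO\Windows8.iso'    # operating system installation media
$switch  = 'Lab-Isolated'

# Isolated network: a Private switch has no path to the host or to any physical adapter.
if (-not (Get-VMSwitch -Name $switch -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $switch -SwitchType Private | Out-Null
}

# Wizard pages 1, 2, 3 and 4 in one call: name and location, memory,
# network connection, and a new virtual hard disk next to the VM.
New-VM -Name $vmName -Path $vmRoot -MemoryStartupBytes 2GB `
       -NewVHDPath (Join-Path $vmRoot "$vmName\$vmName.vhdx") -NewVHDSizeBytes 60GB `
       -SwitchName $switch | Out-Null

# Installation media: attach the .iso to the VM's DVD drive (add one if the VM has none).
if (Get-VMDvdDrive -VMName $vmName) {
    Set-VMDvdDrive -VMName $vmName -Path $isoPath
} else {
    Add-VMDvdDrive -VMName $vmName -Path $isoPath
}

# Check before first boot: which switch is the adapter really on, and where is the disk?
Get-VMNetworkAdapter -VMName $vmName | Select-Object VMName, SwitchName, MacAddress
Get-VMHardDiskDrive  -VMName $vmName | Select-Object VMName, ControllerType, Path

Start-VM -Name $vmName
```

Reading `SwitchName` back before starting the guest is the check that matters for an isolated test environment: a VM that was meant for the private switch but landed on an External one has a route to the production network from the moment it boots.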
Setting | Description
BIOS | Use to configure settings such as Num Lock or startup order.
Memory | Use to configure the memory assigned to the virtual machine.
Processor | Use to configure the processor settings for the virtual machine. Depending on the virtual machine operating system and the host capacity, you can configure multiple processors, and then configure the physical resources that the virtual machine can consume.
IDE controllers | Use to connect IDE virtual disks to the virtual machine.
SCSI controller | Use to connect virtual disks of a small computer system interface (SCSI) to the virtual machine. You cannot use these disks for the operating system boot partition.
Network adapter | Use to specify the network connection that the virtual machine has with external networks.
COM port | Use to configure the virtual COM port to communicate with the physical computer through a named pipe.
Diskette drive | Use to connect virtual floppy disks to the virtual machine.
Integration services | Use to specify the services that Hyper-V will provide for the virtual machine. Integration services enable a virtual machine to make more direct and effective use of the host machine's hardware and interface devices.
Automatic start action | Use to specify whether to restart the virtual machine if the physical computer restarts.
Automatic stop action | Use to specify the state in which you want to place the virtual machine when the physical computer shuts down.
You can connect to a virtual machine by selecting the virtual machine, and then clicking the Connect button on the toolbar, or right-clicking the virtual machine, and then clicking Connect in the right-click menu. What is displayed in the virtual machine window will depend on the state of the virtual machine. In Client Hyper-V, a virtual machine can be in five different states:
o Stopped. A virtual machine that is stopped does not consume any resources on the host machine, and exists in a state similar to a physical computer being powered off.
o Starting. When a virtual machine is first started, it remains in the starting state for a brief moment, during which required resources are checked and assigned to the virtual machine. After this check and assignment occurs, the starting state changes.
o Running. A virtual machine is in its normal operable state when Running is displayed. A running virtual machine responds to keyboard and mouse input, and shows whatever information is being sent to the virtual machine's display adapter when you are connected to the virtual machine.
o Paused. When a virtual machine is paused, it still maintains its allocation of host-computer resources, but places the virtual machine's operating system in a temporary sleep state.
o Saved. When a virtual machine is in the saved state, its current operating state is saved to the hard disk, and it stops consuming host computer resources until you start it and place it into the running state. When a Client Hyper-V computer that supports hibernate and sleep modes enters one of these modes, virtual machines that are running will enter the saved state.
You can export and import virtual machines between computers that are running Client Hyper-V or Hyper-V on Windows Server. Exporting and importing virtual machines enables multiple troubleshooting and testing scenarios that may be impossible in a physical computing environment.
You can move virtual machines between Hyper-V servers by exporting and importing them through the Hyper-V manager window. The import option is located in the Actions window. Right-click the virtual machine to access the export function, which is available only if the virtual machine is in a saved state or is shut down. Note: You cannot just copy the virtual machine files from one host to another. If you do, you will need to create a new virtual machine by using the VHD, because all of your virtual machine changes will be lost, and the network settings in the virtual machine will be reset.
Exporting
When you export a virtual machine, this exports all components that comprise the virtual machine to the path that you specify. There are four parts to each exported virtual machine:
The Virtual Machines folder contains an .exp file, which contains the globally unique identifier (GUID) of the exported file.
The Virtual Hard Disks folder contains copies of each VHD that is associated with the virtual machine. If the VHD is a differencing hard disk, all base images associated with the VHD will be copied to the export folder.
The Snapshots folder contains a file with an .exp extension for each snapshot of the virtual machine.
Config.xml is a configuration file that the import process uses.
Importing
When you import a virtual machine, Hyper-V reads the configuration file (config.xml), and then creates a virtual machine by using the configuration information. During this process, Hyper-V does not move the virtual machine files. Hyper-V launches the virtual machine by using the files that are in the exported location. As part of the import process, Hyper-V deletes all of the .exp files, which prevents importing the virtual machine a second time, and then replaces them with .xml files. Additionally, Hyper-V deletes the config.xml file.
Import Options
When you import a virtual machine, you have the following options:
Move or restore the virtual machine. When you select this option, Hyper-V creates a virtual machine that uses the same unique identifier (ID) as the exported virtual machine. Every Hyper-V machine has a unique ID. The unique ID of a virtual machine is a volume GUID, which generates automatically when you create the virtual machine. The GUID identifies each virtual machine uniquely, much the same way a security identifier (SID) identifies Active Directory objects. The Hyper-V console does not display the GUID.
Copy the virtual machine. When you select this option, Hyper-V replaces the unique ID for the virtual machine with a new ID.
You also have the option of duplicating the virtual machine files when you import the files. If you choose this option, copies of all virtual machine files are created so that you can import the virtual machine again.
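The same export and the two import options, driven from the Hyper-V PowerShell module that ships with Windows 8. This is an added example, not course content; the VM name LON-CL-TEST, the D:\ paths and the helper variable names are assumptions.

```powershell
# Added example (not from the course). Exports a Client Hyper-V virtual machine and
# re-imports it using the two options the course describes. Assumes the Hyper-V
# module on Windows 8, a VM named LON-CL-TEST and free space on D:\ (all hypothetical).
Import-Module Hyper-V

$vmName         = 'LON-CL-TEST'   # hypothetical VM name
$exportDir      = 'D:\Exports'    # hypothetical export destination
$copyDir        = 'D:\VMs\Copy'   # hypothetical location for the duplicated files
$restoreInPlace = $false          # set to $true to demonstrate the move/restore form

$vm = Get-VM -Name $vmName
"Original VMId: $($vm.VMId)"      # the GUID that Hyper-V Manager never shows

# The export action is available only for a saved or shut-down virtual machine.
if ($vm.State -notin @('Off', 'Saved')) {
    Save-VM -Name $vmName         # saves state; the VM stops consuming host resources
}
Export-VM -Name $vmName -Path $exportDir

# Import-VM takes the exported configuration file from the Virtual Machines folder.
$configFile = Get-ChildItem -Path (Join-Path $exportDir "$vmName\Virtual Machines") |
              Where-Object { $_.Extension -in @('.xml', '.exp') } |
              Select-Object -First 1

# "Copy the virtual machine" with the files duplicated: -GenerateNewId replaces the
# unique ID, -Copy duplicates every file so the export can be imported again later.
$copy = Import-VM -Path $configFile.FullName -Copy -GenerateNewId `
            -VirtualMachinePath $copyDir `
            -VhdDestinationPath (Join-Path $copyDir 'Virtual Hard Disks')
Rename-VM -VM $copy -NewName "$vmName-Copy"
"Copied   VMId: $($copy.VMId)"    # differs from the original

# "Move or restore": without -GenerateNewId the import keeps the original ID, so it
# only succeeds on a host where that ID is not already registered (this host after
# Remove-VM, or another Windows 8 machine). The files are used in place, not moved.
if ($restoreInPlace) {
    Remove-VM -Name $vmName -Force
    $restored = Import-VM -Path $configFile.FullName
    "Restored VMId: $($restored.VMId)"   # equals the original
}
```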
Lesson 3
Virtual hard disks provide the data and storage capability for Client Hyper-V virtual machines. VHDs are stored as flat files in the host operating system, but provide a complete storage component for their associated virtual machine. This lesson will introduce you to the VHD format, and then identify management tasks in Hyper-V Manager that are associated with VHDs.
IDE. The Hyper-V IDE controller is an emulated or synthetic device that allows for disks up to 2,048 GB and provides performance that is only slightly less than a SCSI controller. The IDE controller can support fixed-disk and dynamic VHDs, and pass-through disks. You can configure as many as four IDE disks on a virtual machine (two controllers with two disks each). Hyper-V must use a disk attached to the emulated IDE controller as the boot disk. Booting from SCSI is not supported because a SCSI controller is a synthetic device, and you must add it only after you install the integration services on the virtual machine.
SCSI. The Hyper-V SCSI controller is a synthetic device. You can configure as many as four SCSI controllers per virtual machine, and each controller can support 64 disks. Therefore, you would have 256 total disks per virtual machine. There is no disk size limitation for disks attached to SCSI controllers. The physical storage configuration is the only factor that restricts the size.
Virtual machines also can connect directly to iSCSI storage over an iSCSI network, thereby bypassing the Hyper-V server. All that is required is the proper configuration of an iSCSI initiator in the virtual machine and an iSCSI target available on the network. There is no limit to how many iSCSI disks a virtual machine can support. However, a virtual machine cannot boot from an iSCSI disk.
Understanding VHDX
The new .vhdx format for VHDs is available in Windows 8 and Windows Server 2012. VHDX-based VHDs address some limitations of the previous VHD format, and have several important new features:
Support for VHD storage capacity up to 64 terabytes.
Protection against data corruption during power failures by logging updates to the VHDX metadata structures.
Improved alignment of the VHD format to work well on large-sector disks.
Dynamically expanding VHDs start off very small, typically a few megabytes (MBs) in size, and grow as data is written to them. By default, Hyper-V creates dynamically expanding VHDs.
When you create a dynamically expanding VHD, you specify a maximum file size. The maximum size that you specify at creation restricts how large the VHD file size can grow. For example, if you create a 127 GB dynamically expanding VHD, the initial size of the .VHD file is about 3 MB. As the virtual machine uses the VHD, the size of the .VHD file grows as data is written to the VHD, up to 127 GB. If you hit the limit, you can expand the size through the Hyper-V Disk Wizard.
Dynamic VHD Benefits
Efficient. Dynamically expanding VHDs grow dynamically as the virtual machine needs more storage. This is an excellent option for portability.
Deferred storage allocation. Suppose you create 10 virtual machines with a maximum size of 100 GB each, and you place these on a 500 GB disk. These 10 virtual machines may all fit within 500 GB when you create them. However, over time, as those disks increase in size, it is possible that they outgrow storage because the disk resources are not allocated upfront.
Fragmentation and possibly slight performance impact. Because dynamically expanding VHDs increase in size only when necessary, they tend to fragment easily. Additionally, when the VHDs increase in size, the NTFS file system automatically sets the new allocation to zero for security purposes, which has a very small performance overhead.
Hard drive recommendations:
1. Use hard drives that are at least 10,000 revolutions per minute (RPM).
2. Use solid state drives where possible.
3. Consider using a storage area network (SAN) for virtual machine storage. SANs provide several benefits such as very high performance and high availability. As well, it is easy to assign additional space for virtual machines as long as the SAN has storage available.
4. iSCSI SANs can provide relatively inexpensive storage for virtual machines. Using iSCSI also enables you to configure virtual machines with direct access to storage.
5. On the host computer, configure antivirus software to exclude all .vhd, .avhd, .vfd, .vsv, and .xml files stored on the hard drives that are hosting the virtual machines.
Creating a VHD
You can create a VHD outside of the new virtual machine wizard in Hyper-V, by following the instructions for either of the following tasks.
1. On the Specify Name and Location page, in the Name field, type the name of the VHD file, and in the Location field, type an appropriate location, and then click Next.
2. On the Configure Disk page, do not change the default values, and then click Next.
3. On the Completing the New Virtual Disk Wizard page, click Finish.

1. On the Specify Name and Location page, in the Name field, type the name of the VHD file, and in the Location field, type an appropriate location, and then click Next.
2. On the Configure Disk page, change the Create a new blank virtual disk size to an appropriate size, in GB, and then click Next.
3. On the Completing the New Virtual Disk Wizard page, click Finish.
Lesson 4
Snapshots provide the means to capture a virtual machine's state at a specific point in time. You can use snapshots in Client Hyper-V to perform a number of tasks, and also to provide failback and a structured testing environment. However, there also are several factors that you should consider about using snapshots, which can have potential drawbacks. This lesson will introduce you to snapshots, how to manage them, and things to watch out for when implementing snapshots in your Client Hyper-V installation on Windows 8.
What Is a Snapshot?
In Client Hyper-V, a snapshot is a point-in-time image of a virtual machine. You can take a snapshot of a virtual machine that is running any guest operating system, regardless of whether it is running or stopped. You can take a snapshot of a saved virtual machine, but not when the virtual machine is paused. A snapshot does not change the virtual machine's state. You can take a snapshot by using the Hyper-V Manager. To take a snapshot, select the virtual machine, and then select Snapshot from the Action menu. You also can right-click the virtual machine, and select Snapshot.
You can use snapshots to save the state of a virtual machine prior to installing or testing an application, so that you can provide a rollback point should any aspect of the installation or testing process fail.
If memory activity resumes inside the virtual machine while the memory copy process is running, and if the activity involves memory that has not yet been written to the differencing disk, Hyper-V intercepts that write activity, and then holds it until the original contents are copied.
If the virtual machine is running when the snapshot is taken, users will not experience any server outage. Creating a snapshot can take a considerable amount of time, depending on what is running on the virtual machine. However, the process is masked from users who connect to the virtual machine.
A snapshot consists of several files that are stored in a Snapshots directory associated with the virtual machine. The path to that directory is a property of the virtual machine, and you can see it in the virtual machine's settings. After the snapshot is complete, the following files will be in the Snapshots folder:
Virtual machine configuration file (*.xml).
Virtual machine saved state files (*.vsv).
Virtual machine memory contents (*.bin).
Snapshot differencing disks (*.avhd).
Settings. Opening the Settings tab enables you to open the Virtual Machine Settings dialog box with the settings that the virtual machine had when Hyper-V took the snapshot. All of these settings are disabled because a snapshot is read-only. The only settings that you can change are the snapshot name and the notes associated with the snapshot.
Apply. Applying a snapshot to a virtual machine essentially means that you are copying the complete virtual machine state from the selected snapshot to the active virtual machine. When you apply a snapshot, any unsaved data in the virtual machine that is currently active will be lost as you apply a new state to the virtual machine. When you apply a snapshot, Hyper-V prompts you as to whether you want to create a snapshot of your current active virtual machine before you apply the selected snapshot, or just apply the snapshot.
Export. You can use this tab to export a virtual machine, which is the same as clicking Export from the Actions pane.
Rename. You can use this quick shortcut to rename a snapshot without having to open the Virtual Machine Settings.
Delete Snapshot. Deleting a snapshot means that you can no longer restore the virtual machine to that point in time. It is important to understand that if the snapshot is not currently applied, deleting a snapshot will never affect any other snapshots, nor will it affect the virtual machine's current state. The only thing that will disappear is the selected snapshot. If the snapshot you delete is the currently applied snapshot, which is indicated in the Snapshots pane by the green head of an arrow, the changes in the snapshot will merge with the parent virtual hard drive when the virtual machine next shuts down.
Delete Snapshot Subtree. Deletes the selected snapshot and any snapshots that reside under it. If the last snapshot in the current snapshot subtree is the currently applied snapshot, all snapshots in the subtree will merge into the parent VHD upon the next shutdown of the virtual machine.
Revert. This returns a virtual machine to the last snapshot that Hyper-V took or applied, and then deletes any changes made since that snapshot.
Hyper-V virtual machine snapshots have multiple uses in your network, predominately in a test lab. You can use snapshots in a developmental lab for testing a new deployment. When creating a new server, you can use snapshots for each phase of a server's creation. In a training environment, you can use snapshots to revert a server to the previous lab. If you are going to use snapshots for testing or training, the primary consideration is hard-drive space. Snapshots can use an inordinate amount of hard-drive space quickly, especially if you create multiple snapshots of the same virtual machine. Be aware of the results of deleting snapshots. If you create multiple snapshots of the same virtual machine, you must be aware of what happens when you delete a snapshot. If the snapshot is the current running version of the virtual machine, deleting the snapshot will merge the snapshot with the original VHD. If you have created multiple subtrees of snapshots, deleting snapshots may have unexpected results if users do not have a clear understanding of how snapshots work.
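The snapshot actions above (the pre-apply prompt, single versus subtree deletion, and the disk-space consideration) expressed with the Hyper-V module's snapshot cmdlets on Windows 8. This is an added example, not course content; the VM name, the snapshot names and the function names are assumptions.

```powershell
# Added example (not from the course). Snapshot housekeeping for a Client Hyper-V VM
# with the Hyper-V module on Windows 8. VM and snapshot names are hypothetical.
Import-Module Hyper-V

function Get-SnapshotReport {
    param([string]$VMName)
    # Lists the snapshot tree with the space each set of differencing disks
    # (.avhd/.avhdx) currently consumes, which is where the disk-space cost comes from.
    foreach ($snap in Get-VMSnapshot -VMName $VMName | Sort-Object CreationTime) {
        $bytes = ($snap.HardDrives | ForEach-Object { (Get-Item -Path $_.Path).Length } |
                  Measure-Object -Sum).Sum
        [pscustomobject]@{
            Name    = $snap.Name
            Parent  = $snap.ParentSnapshotName   # empty for the root of a subtree
            Created = $snap.CreationTime
            DiffGB  = [math]::Round($bytes / 1GB, 2)
        }
    }
}

function Restore-SnapshotSafely {
    param([string]$VMName, [string]$SnapshotName)
    $vm = Get-VM -Name $VMName
    # A snapshot cannot be taken while the VM is paused (running, saved or off are fine).
    if ($vm.State -eq 'Paused') { throw "Resume or save $VMName before taking a snapshot." }
    # Applying a snapshot discards all unsaved changes in the active VM, so do what the
    # Hyper-V Manager prompt offers: snapshot the current state first.
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    Checkpoint-VM -Name $VMName -SnapshotName "Before applying $SnapshotName ($stamp)"
    Restore-VMSnapshot -VMName $VMName -Name $SnapshotName -Confirm:$false
}

$vmName = 'LON-CL-TEST'   # hypothetical VM name
Get-SnapshotReport -VMName $vmName | Format-Table -AutoSize
Restore-SnapshotSafely -VMName $vmName -SnapshotName 'Clean install'   # hypothetical snapshot

# Deleting a single snapshot leaves the rest of the tree untouched; deleting a subtree
# removes its children too. If the deleted snapshot is the currently applied one, its
# differencing disks merge into the parent VHD at the next shutdown of the VM.
Remove-VMSnapshot -VMName $vmName -Name 'Before app install' -Confirm:$false
Remove-VMSnapshot -VMName $vmName -Name 'Lab 3 start' -IncludeAllChildSnapshots -Confirm:$false
```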
Tools
Tool: Hyper-V Manager
Description: Management console for Client Hyper-V
Where to Find It: Start screen

Tool: Hyper-V Virtual Machine Connection Tool
Description: Connect directly to local or remote virtual machines without opening Hyper-V Manager
Where to Find It: Start screen
Module 13
Troubleshooting and Recovering Windows 8
Contents:
Module Overview 13-1
Lesson 1: Backing Up and Restoring Files in Windows 8 13-2
Lesson 2: Recovery Options in Windows 8 13-5
Lab: Recovering Windows 8 13-17
Module Review and Takeaways 13-21
Module Overview
It is important to protect the data on your computer systems from accidental loss or corruption. Additionally, to recover from a problem, it typically is easier to restore system settings rather than reinstall the operating system and applications.
Windows 8 provides a number of tools that you can use to back up important data files, as well as tools that can help you to recover a computer that will not start or that starts with errors. To support your users, it is important that you understand how to use these file-backup and system-recovery tools.
Objectives
After completing this module, you will be able to:
Describe how to back up and restore files in Windows 8.
Describe how to recover a Windows 8 computer.
Lesson 1
Although you might implement a file-recovery strategy for user data that is stored on network file servers or network-accessible storage devices, you should remember that users often save their work to local storage. Consequently, it is important that you provide some method of local file recovery, so that if these data files become corrupt or are deleted accidentally, you can recover them.
A computer that is running Windows 8 stores these files in several locations, so you need to ensure that you protect all of them. That way, if a computer problem occurs, no data is lost. You can help to protect these data files and settings by performing regular backups, either by manually copying your files to other media, or by using Windows 8 file-recovery tools.
File History
File History enables you to save copies of your files automatically to either a removable local drive or to a network shared folder.
After you enable File History, it saves a copy of your files every hour to the designated location, and these saved versions are stored forever, by default. However, you can configure the interval at which the save occurs and how long the versions are saved. Windows 8 File History backs up the following folders:
Contacts
Desktop
Favorites
Note: You cannot add additional folders to this list, although you can define exceptions from this list, for files and data that you do not want to back up.
To recover files, you can click Restore personal files from within File History, and then select the file from the folders or libraries in your backup. Alternatively, you can recover files directly from Windows Explorer. Navigate to the folder that contained a deleted file, and then click the History button on the ribbon. The File History opens, and lists the recoverable files.
Also accessible from within File History is a shortcut to Windows 7 File Recovery. This link opens a window, from which you can access the backup and restore tools that Windows 7 included. From within Windows 7 File Recovery, you can access the following tools:
Windows Backup
Create a system image
Create a system repair disc
Windows Backup
Windows Backup provides access to backup-related setup procedures and tasks. This includes managing backup space for both file and system-image backups. Windows Backup lets you make copies of data files for all people who use the computer. You can let Windows select what to back up, or you can select the individual folders, libraries, and drives that you want to back up. By default, your backups are created on a regular schedule. You can change the schedule, and manually create a backup at any time. Once you set up Windows Backup, Windows keeps track of the files and folders that are new or changed, and adds them to your backup.
You can back up files to an external hard disk, to a writeable DVD, or to a network location. However, you must have elevated or administrative permissions to perform a backup. If something goes wrong that requires restoring data from a backup, you can select whether to restore individual files, selected folders, or all personal files.
To back up your files, locate Windows 7 File Recovery, click Set up backup, specify the destination drive to back up, and then select the file types that you want to back up. Windows scans your computer for the file types that you specify, and then backs them up on the target media in a series of compressed folders and related catalog files.
System Image
The Windows Backup option does not back up system files, program files, files that are on File Allocation Table (FAT) volumes, temporary files, and user profile files. If you want to protect these file types, you must use a system image. A system image is an exact copy of a drive. By default, a system image includes the drives required for Windows to run. It also includes Windows and your system settings, programs, and files.
You can use a system image to restore the contents of your computer if your hard drive or computer ever stops working. When you restore your computer from a system image, it is a complete restoration. You cannot choose individual items to restore, and all of your current programs, system settings, and files are replaced with the contents of the system image. Note: A system image is created, by default, if you enable Windows Backup, and specify that Windows Backup should select the files and folders to back up automatically.
The system repair disc is a disc that you create to repair your computer if it experiences serious errors.
System recovery options can help you repair Windows if a serious error occurs. To use system recovery options, you will need a Windows installation disc or access to the recovery options that your computer manufacturer provides. If you do not have either of those choices, you can create the system repair disc to access system recovery options.
Open Windows 7 File Recovery and configure a network location of \\lon-dc1\data for backups. Accept the defaults, and initiate a Windows Backup. Switch to LON-DC1 and view the contents of the DATA shared folder (E:\labfiles\Mod04\data).
Lesson 2
Corruptions in the system registry or issues with device drivers or system services often cause startup-related problems. Therefore, systematic troubleshooting is essential so that you can determine the underlying cause of the problem quickly and efficiently.
This module describes how to identify and troubleshoot issues that affect the operating system's ability to start, and how to identify problematic services that are running on the operating system. It also describes how to use the Windows 8 operating system advanced troubleshooting tools, collectively known as the Windows Recovery Environment (Windows RE).
As the computer starts, Bootmgr.exe loads first, and then reads the BCD, which is a database of startup configuration information that the hard disk stores in a format similar to the registry.
Note: The BCD provides a firmware-independent mechanism for manipulating boot environment data for any type of Windows system. Windows Vista and newer Windows versions use the BCD to load the operating system or to run boot applications, such as memory diagnostics. Its structure is very similar to a registry key, although you should not manage it with the registry editor.
Bootmgr.exe replaces much of the functionality of the NTLDR bootstrap loader that Windows XP and earlier versions of the Windows operating system use. Bootmgr.exe is a separate entity, and it is unaware of other startup operations of the operating system. Bootmgr.exe switches the processor into 32-bit or 64-bit protected mode, prompts the user for which operating system to load (if multiple operating systems are installed), and starts NTLDR if you have Windows XP or earlier installed.
Winload.exe is the operating system boot loader that Windows Boot Manager invokes. Winload.exe loads the operating system kernel (ntoskrnl.exe) and (BOOT_START) device drivers, which, combined with Bootmgr.exe, makes it functionally equivalent to NTLDR. Winload.exe initializes memory, loads drivers that should start, and then transfers control to the kernel.
If the BCD contains information about a current hibernation image, Bootmgr.exe passes that information to Winresume.exe. Bootmgr.exe then exits, and Winresume.exe takes over. Winresume.exe reads the hibernation image file, and uses it to return the operating system to its prehibernation running state.
When you switch on a computer, the startup process loads the BIOS. When it loads the BIOS, the system accesses the boot disk's Master Boot Record (MBR), followed by the drive's boot sector. The Windows 8 startup process has seven steps:
1. The BIOS performs a Power On Self-Test (POST). From a startup perspective, the BIOS enables the computer to access peripherals, such as hard disks, keyboards, and the computer display, prior to loading the operating system.
2. The computer uses information in the BIOS to locate an installed hard disk, which should contain an MBR.
3. The computer calls and loads Bootmgr.exe, which then locates an active drive partition on sector 0 of the discovered hard disk.
4. Bootmgr.exe reads the BCD file from the active partition, gathers information about the machine's installed operating systems, and then displays a boot menu, if necessary.
5. Bootmgr.exe transfers control to winload.exe, or it calls winresume.exe for a resume operation. If winload.exe selects a down-level operating system, such as Windows XP Professional, Bootmgr.exe transfers control to NTLDR.
6. Otherwise, winload.exe initializes memory and loads drivers that are set to begin at startup. These drivers are for fundamental hardware components, such as disk controllers and peripheral bus drivers. Winload.exe then transfers control to the kernel of the operating system, ntoskrnl.exe. The kernel initializes, and then higher-level drivers, except BOOT_START and services, are loaded. During this phase, you will see the screen switch to graphical mode as the Windows subsystem is initialized by the session manager (Smss.exe).
7. The operating system displays the logon splash screen, and a user logs on to the computer.
Accessing Windows RE
To access Windows RE:
1. Insert the Windows 8 DVD, and then start the computer.
2. When prompted, run the Windows 8 DVD Setup program.
3. After you configure language and keyboard settings, select the Repair your computer option, which scans the computer for Windows installations, and then presents you with a troubleshooting tools menu.
Automatic Failover
Windows 8 provides an on-disk Windows RE. A computer that is running Windows 8 can fail over automatically to the on-disk Windows RE if it detects a startup failure.
During startup, the Windows loader sets a status flag that indicates when the boot process starts. The Windows loader clears this flag before it displays the Windows logon screen. If the startup fails, the loader does not clear the flag. Consequently, the next time the computer starts, the Windows loader detects the flag, assumes that a startup failure has occurred, and then launches Windows RE instead of Windows 8. The advantage of automatic failover to Windows RE Startup Repair is that you may not need to check the problematic computer when a startup problem occurs. Note that the computer must start successfully for the Windows loader to remove the flag. If the computer's power is interrupted during the startup sequence, the flag is not removed, and automatic Startup Repair is initiated.
Bear in mind that this automatic failover requires the presence of both the Windows boot manager and the Windows loader. If either of these elements of the startup environment is missing or corrupt, automatic failover cannot function, and you must initiate a manual diagnosis and repair of the computer's startup environment.
Windows 8 provides advanced boot options that you can use to start the operating system in advanced troubleshooting modes, including:
Repair your computer
Safe mode
Safe mode with networking
Safe mode with command prompt
Enable boot logging
Enable low resolution video (640 x 480)
Debugging Mode
Disable automatic restart on system failure
Disable Driver Signature Enforcement
Start Windows normally
Windows 8 also creates restore points:
Once daily.
Manually, whenever you choose to create them.
Automatically, if you choose to use System Restore to restore to a previous restore point.
In this instance, System Restore creates a new restore point before it restores the system to a previous state. This provides you with a recovery option should the restore operation fail or result in issues. Windows RE does not create a restore point for the current state if you are in Safe mode and you restore to a previous state.
You may use System Restore when you install a device driver that results in a computer that is unstable or that fails to operate entirely. Earlier Windows versions had a mechanism for driver rollback, but it required the computer to start successfully from Safe mode. With Windows 8 computers, you can use System Restore to perform driver rollback by accessing the restore points, even when the computer does not start successfully.
System Restore also provides protection against accidental deletion of programs. System Restore creates restore points when you add or remove programs, and it keeps copies of application programs (file names with an .exe or .dll extension). If you accidentally delete an .exe file, you can use System Restore to recover the file by selecting a recent restore point prior to when you deleted the program.
These parameters were previously in the Boot.ini file (in BIOS-based operating systems) or in the nonvolatile RAM (NVRAM) entries in operating systems based on an Extensible Firmware Interface (EFI).
However, Windows 8 replaces the boot.ini file and NVRAM entries with the BCD. This file is more versatile than boot.ini, and it can apply to computer platforms that do not use the BIOS to start the computer. You also can apply it to firmware models, such as computers that are based on EFI. Windows 8 stores the BCD as a registry hive. For BIOS-based systems, the BCD registry file is in the active partition \Boot directory. For EFI-based systems, the BCD registry file is on the EFI system partition.
o Safe boot: Minimal. On startup, opens the Windows graphical user interface (GUI), known as Windows Explorer, in safe mode, which means it runs only critical system services. Networking is disabled.
o Safe boot: Alternate shell. On startup, opens the Windows command prompt in safe mode running only critical system services. Networking and the GUI are disabled.
o Safe boot: Active Directory repair. On startup, opens the Windows GUI in safe mode, running critical system services and Active Directory Domain Services (AD DS).
13-10
o o o o
Safe boot: Network. On startup, opens the Windows GUI in safe mode, running only critical system services. Networking is enabled.
Boot log. Records startup information into a log file. No GUI boot. Does not display the Windows Welcome screen when starting. Base video. Uses a generic video display adapter driver. Number of processors. Limits the number of processors used on a multiprocessor system.
BCDEdit.exe. You can use BCDEdit.exe, a command-line tool, to change the BCD, such as removing entries from the list that displays operating systems. This advanced tool is for administrators and IT professionals. BCDEdit.exe is a command-line tool that replaces Bootcfg.exe in Windows 8. BCDEdit.exe currently enables you to:
- Add entries to an existing BCD store.
- Modify existing entries in a BCD store.
- Delete entries from a BCD store.
- Export entries to a BCD store.
- Import entries from a BCD store.
- List currently active settings.
- Query a particular type of entry.
- Apply a global change (to all entries).
- Change the default time-out value.
Typical reasons to manipulate the BCD with BCDEdit.exe include:
- Adding a new hard disk to your Windows 8 computer, changing the logical drive numbering.
- Installing additional operating systems on your Windows 8 computer, to create a multiboot configuration.
- Deploying Windows 8 to a new computer with a blank hard disk, requiring you to configure the appropriate boot store.
- Performing a backup of the BCD.
- Restoring a corrupted BCD.
The following table provides additional information about the command-line syntax for BCDEdit.exe.

Command             Description
Commands that operate on a store
/createstore        Creates a new empty BCD store
/export             Exports the contents of the system BCD store to a specified file
/import             Restores the state of the system BCD store from a specified file
Commands that operate on boot entries in a store
/copy               Makes copies of boot entries
/create             Creates new boot entries
/delete             Deletes entries from a store
Commands that operate on elements
/deletevalue        Deletes elements from a boot entry
/set                Creates or modifies a boot entry's elements
Commands that control output
/enum               Lists the boot entries in a store
Commands that control Boot Manager
/bootsequence       Specifies a one-time boot sequence
/default            Specifies the default boot entry
/displayorder       Specifies the order in which Boot Manager displays its menu
/toolsdisplayorder  Specifies the order in which Boot Manager displays the tools menu
/timeout            Specifies the Boot Manager Timeout value
Commands that control debugging
/bootdebug          Enables or disables boot debugging for a boot application
/dbgsettings        Specifies global debugger parameters
/debug              Enables or disables kernel debugging for an operating system boot entry
Commands that modify other commands
/store              Specifies the BCD store upon which a command acts
/v                  Displays boot entry identifiers in full, rather than using well-known identifiers
Commands that control Emergency Management Services
/bootems            Enables or disables Emergency Management Services (EMS) for a specified boot application
/ems                Enables or disables EMS for an operating system boot entry
/emssettings        Specifies global EMS parameters
BootRec.exe. Use the bootrec.exe tool with the /rebuildbcd option in Windows RE to rebuild the BCD. You must run bootrec.exe in Windows RE. If rebuilding the BCD does not resolve the startup issue, you can export and delete the BCD, and then run this option again. By doing this, you ensure that the BCD rebuilds completely.
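The BCDEdit.exe description above lists backup and enumeration among the typical tasks. The following PowerShell script is an added example, not part of the course material: it exports the live BCD store before any change is made, then parses the output of bcdedit /enum all /v into objects so that an unexpected second "Windows Boot Loader" entry (the kind an abandoned multiboot install leaves behind) stands out. It assumes a Windows computer with bcdedit.exe on the path, an elevated prompt, and a backup folder name chosen here for illustration.

```powershell
# Added example (not from the course): back up the BCD, then turn
# "bcdedit /enum all /v" output into objects for review.
# Assumptions: bcdedit.exe available, elevated session, backup folder is illustrative.

$backupDir  = Join-Path $env:SystemDrive 'BCD-Backups'   # assumed location
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
$backupFile = Join-Path $backupDir ('BCD-{0:yyyyMMdd-HHmmss}' -f (Get-Date))

# 1. Export first: "bcdedit /import <file>" restores this copy if a later edit breaks startup.
bcdedit /export $backupFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'bcdedit /export failed; run this from an elevated prompt.' }

# 2. Enumerate every entry. /v prints full GUIDs instead of {current}, {default} and so on.
$lines = bcdedit /enum all /v
if ($LASTEXITCODE -ne 0) { throw 'bcdedit /enum failed.' }

# 3. Parse. Each entry is a heading ("Windows Boot Loader"), a line of dashes,
#    "name<two or more spaces>value" lines, and a blank line that closes the entry.
$entries = @()
$entry   = $null
foreach ($line in $lines) {
    if ($line -match '^-+$') { continue }                      # underline below the heading
    if ([string]::IsNullOrWhiteSpace($line)) {                 # blank line closes an entry
        if ($entry) { $entries += [pscustomobject]$entry; $entry = $null }
        continue
    }
    if ($line -match '^(\S+)\s{2,}(.+)$') {                    # e.g. "identifier   {guid}"
        if (-not $entry) { $entry = @{} }
        $entry[$Matches[1]] = $Matches[2].Trim()
    }
    elseif (-not $entry) {
        $entry = @{ EntryType = $line.Trim() }                 # heading line starts an entry
    }
    # wrapped continuation lines (indented values) are skipped in this overview
}
if ($entry) { $entries += [pscustomobject]$entry }

# 4. Report. More than one boot loader entry is what the lab creates with
#    "bcdedit /copy", and what a half-finished second OS install leaves behind.
$entries | Select-Object EntryType, identifier, description, device, path |
    Format-Table -AutoSize

$loaders = @($entries | Where-Object { $_.EntryType -eq 'Windows Boot Loader' })
if ($loaders.Count -gt 1) {
    Write-Warning ("{0} boot loader entries found; compare each against the expected OS list." -f $loaders.Count)
}
Write-Output "BCD backup written to $backupFile"
```

The export runs before the enumeration on purpose: once a copy of the store exists, any subsequent /delete, /set or /default change can be undone with a single /import of that file, which is the same recovery path the text describes for a corrupted BCD.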
- Safe mode with command prompt. Starts Windows in Safe mode with a command-prompt window rather than the usual Windows interface. You typically use this when other startup options do not work.
- Enable log booting. Creates the ntbtlog.txt file, which can be useful for advanced troubleshooting. This file lists all drivers that Windows installs during startup.
- Enable low resolution video (640 X 480). Starts Windows using your current video driver, and low resolution and refresh rate settings. Use this mode to reset your display settings.
- Debugging Mode. Starts Windows in an advanced troubleshooting mode intended for IT professionals and system administrators. Debugging enables you to examine the behavior of the operating system's device drivers. This is especially useful when Windows stops unexpectedly, as it may provide additional information for driver developers.
- Disable automatic restart on system failure. Prevents Windows from restarting automatically if an error causes Windows to fail. Choose this option only if the computer loops through the startup process repeatedly by failing to start correctly, and then attempting another restart.
- Disable Driver Signature Enforcement. Allows you to install drivers that contain improper signatures.
- Start Windows normally. Starts Windows in normal mode.
Refresh your PC
This option enables you to retain your personal data, apps, and settings but replaces the Windows 8 operating system. This is useful when it is important to retain user-related files and settings, but you do not have the time to determine the specific cause of a startup problem or resolve it.
Note: Because it is quite likely that user settings may have created the startup problem from which you are attempting to recover, the Refresh your PC option is careful about which settings to restore. For instance, file associations, display settings, and Windows Firewall settings are not restored during the refresh process.
Note: It is possible to use the recimg.exe command-line tool to create a refresh image, enabling you to refresh your PC to a specific point in time.
Reset your PC
This option removes all user data and settings, and apps, and then reinstalls Windows. You should select this option when there is no need to retain user data or settings. By using this setting, you revert your computer to the deployment defaults.
Windows 8 provides System Restore capabilities that you can access from the System Tools folder. If you have a system failure or another significant problem with your computer, you can use System Restore to return your computer to an earlier state. The primary benefit of System Restore is that it restores your system to a workable state without reinstalling the operating system or causing data loss. Additionally, if the computer does not start successfully, you can use System Restore by booting Windows RE from the product DVD.
Note: You can create System Restore points by using the System Restore link in Recovery in Control Panel. First, you must enable System Protection. You can do so by performing these steps: open Icon View in Control Panel, click Recovery, click Advanced Tools, click Configure System Restore, on the System Protection tab, click Configure, and then click Turn On System Protection.
System Image Recovery replaces your computer's current operating system with a complete computer backup that you created previously, and which you stored as a system image. You can use this tool only if you have made a recovery drive of your computer. You should use this tool only if other methods of recovery are unsuccessful, because it is a very intrusive recovery method that overwrites everything on the computer.
Automatic Repair
The Automatic Repair tool in Windows RE provides a simple and effective way for you to resolve most common startup problems. The following sections describe Automatic Repair tool functions:
Replace or Repair Disk Metadata. Disk metadata consists of several components, including the boot sector and the MBR. If these files are missing or corrupt, the startup process fails. If you suspect that an issue has damaged or deleted these files, use Startup Repair to check for problems with the disk metadata. Automatic Repair automatically checks and, if necessary, repairs the disk metadata. Damage to the disk metadata often occurs because of unsuccessful attempts to install multiple operating systems on a single computer. Another possible cause of metadata corruption is a virus infection.
Repair Boot Configuration Settings. Windows XP and earlier Windows operating system versions stored the boot configuration information in Boot.ini, a simple text file. However, Windows 8 uses a configuration store that is in C:\Boot. If the boot configuration data is damaged or deleted, the operating system fails to start. The Startup Repair tool checks and, if necessary, rebuilds the BCD, by scanning for Windows installations on the local hard disks, and then storing the necessary BCD.
Resolve Incompatible Driver Issues. Installing a new hardware device and its associated device driver often causes Windows to start incorrectly. The Automatic Repair tool performs device driver checks as part of its analysis of your computer. If Automatic Repair detects a driver problem, it uses System Restore points to attempt a resolution, by rolling back configuration to a known working state.
Note: Even if you do not create restore points manually in Windows 8, installing a new device driver automatically causes Windows 8 to create a restore point prior to the installation.
Command Prompt
Windows 8 uses a Command Prompt tool from the Windows RE tool set as its command-line interface. The Command Prompt tool is more powerful than the Recovery Console from early Windows versions, and its features are similar to the command prompt that is available when Windows 8 is running normally:
- Resolve Problems with a Service or Device Driver. If a computer that is running Windows 8 experiences problems with a device driver or Windows service, use the Command Prompt tool to attempt a resolution. For example, if a device driver fails to start, use the command prompt to install a replacement driver, or disable the existing driver from the registry. If the Netlogon service fails to start, type Net Start Netlogon at the command prompt. You also can use the SC tool (SC.exe) command-line tool to start and stop services.
- Recover Missing Files. The Command Prompt tool also enables you to copy missing files to your computer's hard disk from original source media, such as the Windows 8 product DVD or USB memory stick.
- Access and Configure the BCD. Windows 8 uses a BCD store to retain information about the operating systems that you install on the local computer. You can access this information by using the BCDEdit.exe tool at the command prompt. You also can reconfigure the store, if necessary. For example, you can reconfigure the default operating system on a dual-boot computer with the BCDEdit.exe /default id command.
- Repair the Boot Sector and MBR. If the boot sector or MBR on the local hard disk is damaged or missing, a computer that is running Windows 8 will fail to start successfully. You can launch the Bootrec.exe program at the command prompt to resolve problems with the disk metadata.
- Run Diagnostic and Troubleshooting Tools. The Command Prompt tool provides access to many programs that you can access from Windows 8 during normal operations. These programs include several troubleshooting and diagnostics tools, such as the registry editor (Regedit.exe), a disk and partition management tool (Diskpart.exe), and several networking configuration tools (Net.exe, Ipconfig.exe, and Netcfg.exe). Another option is to load Task Manager (Taskmgr.exe), which you can use to determine which programs and services are running currently.
Note: Windows PE is not a complete operating system. Therefore, when you use the Command Prompt tool in Windows RE, remember that not all programs that work in Windows will work at the command prompt. Additionally, because there are no logon requirements for Windows PE and Windows RE, Windows restricts the use of some programs for security reasons, including many that administrators typically run.
   This command scans disks for installations compatible with Windows 8. This option displays installations not listed by bcdedit /enum. You can use the /RebuildBcd option to add the missing installations to the boot store.
   - diskpart
5. In diskpart, type the following commands to view information about disks and volumes installed in LON-CL1:
   - list disk
   - list volume
6. Close diskpart, and then close the command prompt.
7. Perform an automatic startup repair from the Windows RE Troubleshoot menu.
8. Restart your computer normally.

1. On LON-CL1, log on as Adatum\Administrator with the password Pa$$w0rd, and open an elevated command prompt.
2. Create a duplicate boot entry by running the following command in the elevated command prompt:
   - bcdedit /copy {current} /d "Duplicate boot entry"
3. Verify the presence of Duplicate boot entry in the store with the following command, and then restart the computer:
   - bcdedit /enum
4. When Windows restarts, wait until the Choose an operating system menu appears, and then click Change defaults or choose other options. Select the following options in turn:
   - Choose other options
   - Troubleshoot
   - Advanced options
   - Startup Settings
   - Restart
5. Start Windows in Safe Mode, and then log on as Adatum\Administrator with the password Pa$$w0rd.
You have been asked to recover the Windows 8 computer of one of the employees in A. Datum. To do this you will first examine the recovery options available in Windows 8. You then will attempt to resolve a startup issue, and you will document the solution used to resolve the issue.
Objectives
Recover Windows 8 from a startup problem.
Lab Setup
Estimated Time: 30-60 minutes

Virtual Machine(s)                  User Name              Password
20687A-LON-DC1, 20687A-LON-CL1      Adatum\Administrator   Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687A-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on using the following credentials:
   - User name: Administrator
   - Password: Pa$$w0rd
   - Domain: Adatum
In this exercise, you will explore the startup-recovery options, including accessing the Advanced Startup Options. The main tasks for this exercise are as follows:
1. Access Windows RE tools.
2. Create a duplicate boot entry in the boot store.
3. Enable advanced boot options.

4. Select Command Prompt, and run the following commands to view the startup environment:
   - bcdedit /enum
   - bootrec /scanos
   - diskpart
5. In diskpart, type the following commands to view information about disks and volumes installed in LON-CL1:
   - list disk
   - list volume
6. Close diskpart, and then close the command prompt.
7. Perform an automatic startup repair from the Windows RE Troubleshoot menu.
8. Restart your computer normally.

2. Create a duplicate boot entry by running the following command in the elevated command prompt:
   - bcdedit /copy {current} /d "Duplicate boot entry"
3. Verify the presence of Duplicate boot entry in the store with the following command, and then restart the computer:
   - bcdedit /enum

5. Start Windows in Safe Mode, and then log on as Adatum\Administrator with the password Pa$$w0rd. Revert and restart the 20687A-LON-CL1 virtual machine in preparation for the next exercise.
Results: After this exercise, you will have used various Windows 8 startup-recovery tools.
In this exercise, you will attempt to fix a computer that is running Windows 8. The computer does not start successfully. You have an open help-desk ticket so that you can determine the likely cause of the problem.

A. Datum Incident Record
Incident number: 601237
Date and time of call: May 25 10:45am
User: Adam Carter
Incident Details: Adam Carter has reported that his computer will not start properly.
Additional information: Adam has been trying to install an additional operating system on his computer so that he can run a specific line-of-business (LOB) application. He abandoned the installation after getting only partly through the process. Since then, his computer displays the following error message when it starts:
   Windows Boot Manager
   File: \Boot\BCD
   Status: 0xc0000034
   Info: The Windows Boot Configuration Data (BCD) file is missing required information.
Plan of Action:

The main tasks for this exercise are as follows:
1. Read the help-desk Incident Record for Incident 601237.
2. Update the Plan of Action section of the Incident Record.
3. Simulate the problem.
Open Windows Explorer and run the e:\Labfiles\Mod13\Scenario1.vbs script, and then wait while LON-CL1 restarts.
Results: After this exercise, you should have reproduced the reported startup problem on Adam's computer.
If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance. To repeat or exit the exercise, revert the virtual machine environment.
Results: After this exercise, you should have resolved the startup problem, and documented your solution.
Tools
Tool           Use for                                         Where to find it
BCDEdit.exe    Viewing and configuring the BCD store           Command-line
sc.exe         Managing services                               Command-line
MSConfig.exe   Managing services and the startup environment   Windows
Windows RE     Troubleshooting Windows 8 computers             Elements available on hard disk (automatic failover) and the product DVD
Safe Mode      Troubleshooting startup                         Accessible from the Advanced Boot Options menu
Bootrec.exe    Managing the boot environment                   Command-line
Course Evaluation
Your evaluation of this course will help Microsoft understand the quality of your learning experience. Please work with your training provider to access the course evaluation form. Microsoft will keep your answers to this survey private and confidential and will use your responses to improve your future learning experience. Your open and honest feedback is valuable and appreciated.
Appendix A
Using Windows PowerShell
Contents:
Module Overview                                     A-1
Lesson 1: Introduction to Windows PowerShell 3.0    A-2
Lesson 2: Windows PowerShell Remoting               A-11
Lesson 3: Using Windows PowerShell Cmdlets          A-18
Module Review and Takeaways                         A-25
Module Overview
Windows PowerShell 3.0 enables IT professionals to automate repetitive tasks, and thereby increase consistency and productivity. For example, remoting capabilities enable IT professionals to connect with multiple remote computers simultaneously to run commands. With Windows 8, IT professionals can use Windows PowerShell, and its graphical user interface (GUI) and scripting editor to write comprehensive scripts that access underlying technologies.
Objectives
After completing this module, you will be able to: Describe the basic features of Windows PowerShell 3.0. Describe Windows PowerShell Remoting. Describe the use of Windows PowerShell cmdlets.
Lesson 1
Windows PowerShell is a task-based, command-line shell designed especially for scripting and system administration. Built on the Microsoft .NET Framework, Windows PowerShell helps IT professionals and users control and automate the administration of the Windows operating system and the applications that run on it. You can use built-in Windows PowerShell commands, called cmdlets, to manage computers in the enterprise from the command line. Windows PowerShell providers enable access to data stores, such as the registry and certificate store, in the same way that the file system is accessed. Additionally, Windows PowerShell has a rich expression parser and a fully developed scripting language.
- Cmdlets for performing common system administration tasks, such as using Windows Management Instrumentation (WMI), and managing the registry, services, processes, and event logs. Cmdlets are not case-sensitive.
- A task-based scripting language, and support for existing scripts and command-line tools.
- Shared data between cmdlets, which enables the output from one cmdlet to be used as the input to another cmdlet.
- Command-based navigation of the operating system, which lets consumers navigate the registry and other data stores by using the same techniques that they use to navigate the file system.
- Object manipulation capabilities that enable Windows PowerShell to accept and return .NET objects, which can be directly manipulated or sent to other tools or databases.
- An extensible interface, which enables independent software vendors (ISVs) and enterprise developers to build custom tools and utilities to administer their software.
Some of the more advanced features of Windows PowerShell are:
- Remote management: Commands can be run on one or multiple computers by establishing an interactive session from a single computer. Additionally, you can establish a session that receives remote commands from multiple computers.
- Background jobs: Run commands asynchronously and in the background while continuing to work in your session. You can run background jobs on a local or remote computer, and also store the results locally or remotely.
- Debugger: The Windows PowerShell debugger helps you debug functions and scripts. You can set and remove breakpoints, step through code, check the values of variables, and display a call-stack trace.
- Modules: Use Windows PowerShell modules to organize your Windows PowerShell scripts and functions into independent, self-contained units and package them for distribution to other users. Modules can include audio files, images, Help files, and icons. To avoid name conflicts, modules run in a separate session.
- Transactions: Transactions enable you to manage a set of commands as a logical unit. A transaction can be committed, or it can be completely undone so that the affected data is not changed by the transaction.
- Events: The new event infrastructure helps you create events, and subscribe to system and application events. You can then listen, forward, and act on events synchronously and asynchronously.

Windows PowerShell includes cmdlets, providers, and tools that you can add to Windows PowerShell to manage other Windows technologies, such as:
- Client Hyper-V
- Windows Backup
- Active Directory Domain Services
- Windows BitLocker Drive Encryption
- Dynamic Host Configuration Protocol (DHCP) Server service
- Group Policy
- Remote Desktop Services
- Delegated Administration. Users with limited permissions can be given delegated access to specified commands. This enables you to limit the user permissions to only certain commands that users need.
- Show-Command. This is a cmdlet and a Windows PowerShell ISE add-on, which provides a GUI to help view valid parameters for other cmdlets.
- New Cmdlets. Windows 8 includes Windows PowerShell cmdlets to manage network settings, firewall settings, and many other new features. Many tools and commands used in previous Windows versions now have PowerShell equivalents. The following table shows several examples of the previous tools and commands, and their new PowerShell equivalents.

Old command             PowerShell equivalent
ipconfig /all           Get-NetIPConfiguration
Shutdown.exe            Restart-Computer
Net Start               Start-Service (Restart-Service)
Net Stop                Stop-Service (Restart-Service)
Net Use                 New-SmbMapping
Netstat                 Get-NetTCPConnection
Netsh advfirewall add   New-NetFirewallRule
Route Print             Get-NetRoute
Optionally, you can use one or more parameters with a cmdlet, to modify its behavior or specify settings. Parameters are written after the cmdlet. Each parameter used is separated by a space, and begins with a hyphen. Not all cmdlets use the same parameters. Some cmdlets have parameters that are unique to their functionality. For example, the Move-Item cmdlet has the -Destination parameter to specify the location to move the object, whereas the Get-ChildItem cmdlet has the -Recurse switch parameter. There are several types of parameters, including the following:
- Named. Named parameters are most common. They are parameters that can be specified and require a value or modifier. For example, by using the Move-Item cmdlet, you would specify the -Destination parameter along with the exact destination to move the item.
- Switch. Switch parameters modify the behavior of the cmdlet, but do not require any additional modifiers or values. For example, you can specify the -Verbose parameter without specifying a value of $True.
- Positional. Positional parameters are parameters that can be omitted, and can still accept values based on where the information is specified in the command. For example, you could run Get-EventLog -EventLog System to retrieve information from the System event log. However, because the -EventLog positional parameter accepts values for the first position, you can also run Get-EventLog System to get the same results. When the -EventLog parameter is not present, the cmdlet still accepts the value of System, because it is the first item after the cmdlet name.
Examples of Parameters
Parameters that are common to many cmdlets include options to test the actions of the cmdlet, or to generate verbose information about the execution of the cmdlet. Common parameters include:
- -Verbose. This parameter displays detailed information about the performed command. You should use this parameter to obtain more information about the execution of the command.
- -WhatIf. This parameter displays the outcome of running the command, without actually running it. This is helpful when you are testing a new cmdlet or script, and you do not want the cmdlet to run.
- -Confirm. This parameter displays a confirmation prompt before executing the command. This is helpful when you are running scripts, and you would like to prompt the user before executing a specific step in the script.
All cmdlets support a set of parameters that are called common parameters. This feature provides a consistent interface to Windows PowerShell. When a cmdlet supports a common parameter, the use of the parameter does not cause an error. However, the parameter might not have any effect in some cmdlets.
Additional Reading: To read about Cmdlet Verbs, go to http://msdn.microsoft.com/en-us/library/windows/desktop/ms714428(v=vs.85).aspx.
There are many cmdlets available that perform a variety of tasks. Although cmdlets follow a standard naming convention, it still may be difficult to discover new cmdlets. You can use the Get-Command cmdlet to search for cmdlets based on function, name, and parameters. Once you have discovered a cmdlet, you need to know how to use it. Each cmdlet has help documentation that you can access by using the Get-Help cmdlet. To get detailed help for a particular cmdlet, type the following:
Get-Help <Cmdlet-Name> -Detailed
The detailed view of the cmdlet help file includes a description of the cmdlet, the command syntax, descriptions of the parameters, and an example that demonstrates the use of the cmdlet. In the help text, optional parameter names appear in square brackets, such as:
Get-Help [[-Name] <string>]
Note: Windows PowerShell 3.0 is fully backward-compatible. Cmdlets, providers, snap-ins, scripts, functions, and profiles designed for Windows PowerShell 1.0 and Windows PowerShell 2.0 work on Windows PowerShell 3.0, without changes.
- Add-on Tools: The ISE supports extending the interface through the use of Windows Presentation Foundation (WPF) controls that are displayed in either a horizontal or vertical pane. You can add as many as 20 tools at a time, each of which will display in a separate tab. The Commands add-on is an example add-on that is installed and enabled by default to provide help for each cmdlet.
- Multiple sessions: Simultaneously use up to 32 independent sessions (PowerShell tabs) within the ISE. This enables IT professionals to manage multiple servers, each in its own environment, from within one instance of ISE.
- Script Editor: Use the script editor to compose, edit, debug and run functions, scripts, and script cmdlets. The script editor includes tab completion, automatic indenting, line numbers, search-and-replace, and go-to line, among other features.
- Debugging: The integrated visual script debugger enables the user to set breakpoints, step through the script, check the call stack, and hover over variables to inspect their value.
- Object model: The ISE comes with a complete object model, which enables the user to write Windows PowerShell scripts to manipulate the ISE.
- Customizability: The ISE is customizable, from the size and placement of the panes, to the text size and the background colors.
Windows PowerShell ISE has its own Windows PowerShell profile: Microsoft.PowerShell_ISE_profile.ps1. Use this profile to store functions, aliases, variables, and commands that you use in Windows PowerShell ISE.
Items in the Windows PowerShell AllHosts profiles <CurrentUser\AllHosts and AllUsers\AllHosts> are available in Windows PowerShell ISE, just as they are in any Windows PowerShell host program. However, items in the Windows PowerShell console profiles are not available in Windows PowerShell ISE. Instructions for moving and reconfiguring profiles are available in Windows PowerShell ISE Help and about_profiles.
In this demonstration you will see how to use Windows PowerShell ISE to perform basic tasks, such as:
Windows PowerShell is an object-based environment. This means that the inputs and outputs of the cmdlets are objects that you can manipulate. In some instances, you may want to take the output of one cmdlet and pass it to another cmdlet for additional actions. For example, when you need to enable all disabled AD DS accounts in the domain, you could manually list each user by using the Get-ADUser cmdlet. Then, you can use the Windows PowerShell cmdlet Enable-ADAccount for each locked user account. To make this easier, you can pass the output data directly from one cmdlet into another cmdlet, which is called piping. Piping is accomplished simply by placing the pipe (|) character between cmdlets. Each cmdlet is executed from the left to the right, each passing its output to the next cmdlet in line. For example, you can get a list of all users in the domain, and then pipe the list to the Enable-ADAccount cmdlet, by running the following command:
Get-ADUser -Filter * | Enable-ADAccount
You can use piping extensively in Windows PowerShell, as it is in other shells. Windows PowerShell differs from typical shells, because the data in the pipeline is an object rather than just simple text. Having an object in the pipeline enables you to easily persist all properties of the returned data. The data in the pipeline is assigned to a special variable named $_, which only exists while the pipeline is executing. For example, if you want to only enable accounts that are disabled, you can use the Where-Object cmdlet to return only disabled accounts. To do this, run the following command:
Get-ADUser -Filter * | Where-Object {$_.Enabled -eq $false} | Enable-ADAccount
By piping an object with a list of all users, you are able to use the Where-Object cmdlet to filter the accounts that are disabled, based on the Enabled property of the account.
Note: This example is for teaching purposes only. It enables all of the disabled accounts in the domain, and you should not use it in a production environment. This can enable accounts that should remain disabled.
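The following is an added example, not part of the course text, showing the same filter done the way you would run it against a real domain: the filter is evaluated on the domain controller rather than with Where-Object on the client, the scope is limited to one organizational unit, and -WhatIf reports what Enable-ADAccount would change before anything is changed. The OU name is an assumption; the ActiveDirectory module must be available on the computer.

```powershell
# Added example (not from the course): filter disabled accounts on the server and preview the change.
# Assumes the ActiveDirectory module (RSAT) on a domain-joined computer; the OU is an assumption.
Import-Module ActiveDirectory

# A server-side filter returns only disabled accounts over the network, and -SearchBase keeps
# the operation inside one OU instead of touching every account in the domain.
$scope    = 'OU=Contractors,DC=adatum,DC=com'   # assumed OU
$disabled = Get-ADUser -Filter 'Enabled -eq $false' -SearchBase $scope -Properties whenChanged

# Review exactly which accounts would be affected.
$disabled | Select-Object SamAccountName, DistinguishedName, whenChanged | Format-Table -AutoSize

# -WhatIf makes Enable-ADAccount report each change instead of making it; remove it to apply.
$disabled | Enable-ADAccount -WhatIf
```

Search-ADAccount -AccountDisabled is an equivalent way to get the same list; either way the point is that the pipeline carries whole ADUser objects, so Enable-ADAccount receives the identity it needs without any text parsing.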
Execution Policy
By default, the execution policy does not allow Windows PowerShell scripts to run. This safeguards the computer by preventing unattended scripts from running without the administrator's knowledge. Note that the execution policy is a safety feature, not a security boundary: a user who can run commands can still run the contents of a script, for example by pasting them into the console or by starting powershell.exe with the -ExecutionPolicy parameter. There are five execution policies that you can set:
Restricted. This is the default policy for Windows 8 and Windows Server 2012. It does not allow configuration files to load, nor does it allow scripts to be run. The Restricted execution policy is appropriate for any computer on which you do not run scripts, or on which you run scripts only rarely. Keep in mind that you can always manually open the shell with a less restrictive execution policy.
AllSigned. This policy requires that all scripts and configuration files be signed by a trusted publisher, including scripts created on your local computer. This execution policy is useful for environments where you do not want to run any script accidentally, unless it has an intact, trusted digital signature. This policy is less convenient because it requires you to digitally sign every script you write, and to re-sign each script every time that you make any changes to it.
RemoteSigned. This policy requires that all scripts and configuration files downloaded from the Internet be signed by a trusted publisher. Windows identifies such files by the Zone.Identifier alternate data stream that browsers and mail clients attach to downloads; the Unblock-File cmdlet removes it. This execution policy is useful because it assumes that local scripts are ones that you create yourself, and that you trust them; it does not require those scripts to be signed. Scripts that are downloaded from the Internet or received via email, however, are not trusted unless they carry an intact, trusted digital signature. You could certainly still run those scripts, by running the shell under a less restrictive execution policy, for example, or even by signing the script yourself. But those are additional steps that you have to take, so it is unlikely that you would run such a script accidentally or unknowingly.
Unrestricted. This policy loads all configuration files and runs all scripts. If you run a script that was downloaded from the Internet, you are warned about potential dangers and must give permission for the script to run. The Unrestricted execution policy typically is not appropriate for production environments, because it provides little protection against accidentally or unknowingly running untrusted scripts.
Bypass. This policy loads all configuration files and runs all scripts. If you run a script that was downloaded from the Internet, the script runs without any warnings. This execution policy typically is not appropriate for production environments, because it provides no protection against accidentally or unknowingly running untrusted scripts.
You can view the execution policy for the computer by using the Get-ExecutionPolicy cmdlet. To configure the execution policy, you must open an elevated Windows PowerShell window, and then run the Set-ExecutionPolicy cmdlet. Elevation is required for the default LocalMachine scope, which is stored under HKEY_LOCAL_MACHINE; the CurrentUser scope can be set without it. Once you configure the execution policy, you can run a script by typing the entire path and name of the script.
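The following added example (not part of the course text) walks through the whole cycle an administrator goes through with execution policy: reading the policy at every scope, setting it, clearing the download marker on a reviewed script, signing a script, and verifying the signature. The script path and the presence of a code-signing certificate in the current user's certificate store are assumptions.

```powershell
# Added example (not from the course): inspect and set the execution policy, then sign a script
# and verify the signature. The script path and the code-signing certificate are assumptions.
$script = 'C:\Scripts\Get-LatestLogon.ps1'   # assumed path

# The policy is evaluated per scope, top to bottom; the first scope that is not Undefined wins,
# so a Group Policy setting (MachinePolicy) overrides anything set with Set-ExecutionPolicy.
Get-ExecutionPolicy -List

# Set the machine-wide policy. This scope writes under HKLM, so the window must be elevated;
# -Scope CurrentUser would not need elevation but only affects the current user.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine -Force

# RemoteSigned treats a file as "downloaded" when it carries the Zone.Identifier stream that a
# browser or mail client attached to it. Show the stream, and remove it only after reviewing the script.
Get-Item -Path $script -Stream Zone.Identifier -ErrorAction SilentlyContinue
Unblock-File -Path $script

# Sign the script with a code-signing certificate from the user's store (required under AllSigned).
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
if ($cert) {
    Set-AuthenticodeSignature -FilePath $script -Certificate $cert | Out-Null
}

# Valid means the signature is intact and the signer chains to a trusted root. Any edit to the
# file after signing changes the status to HashMismatch, which AllSigned and RemoteSigned refuse.
Get-AuthenticodeSignature -FilePath $script |
    Select-Object Status, StatusMessage, @{ Name = 'Signer'; Expression = { $_.SignerCertificate.Subject } }
```

If no code-signing certificate is present, the signing step is skipped and the last command reports NotSigned, which is exactly what AllSigned would reject.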
Simple Scripts
Scripts are text files that have a .PS1 filename extension. These files contain one or more commands that you want the shell to execute in a particular order. You can edit scripts by using Windows Notepad, but the Windows PowerShell ISE provides a better editing experience. In it, you can type commands interactively, obtain hints on the proper command syntax, and see the results immediately. You then can paste those results into a script for long-term use. Or, you can type your commands directly into a script, highlight each command, and press F8 to execute only the highlighted command. If you like the results, you simply save the script, and you are done. Generally, there are very few differences between what you can do in a script and what you would do on the command line. Commands work in the same way in a script, meaning that a script can literally be created by pasting commands that you have already tested at the command line. The following is a simple script in a text file named Get-LatestLogon.ps1:
# This script returns the five users that most recently logged on, according to the lastLogon
# attribute on the domain controller that is queried. Note that lastLogon is not replicated
# between domain controllers, so each controller may report different values.
Get-ADUser -Filter * -Properties lastLogon | `
    Sort-Object -Property lastLogon -Descending | `
    Select-Object -First 5 | `
    Format-Table Name, `
        @{Label="LastLogon"; Expression={[datetime]::FromFileTime($_.lastLogon)}} `
        -AutoSize
Although this script contains a single pipeline statement, it has been broken up using the backtick (`) character. You can break up long lines of code and make the script easier to read by using the backtick character at the end of a line; it must be the last character on the line, with nothing after it, not even a space. Notice that the first line of this script starts with a hash mark (#). A line that begins with a hash mark is not processed, so you can start a line with a hash mark to write notes and comments about the script. To run a script, you must type either the full or the relative path to the script. Typing the script name alone runs it only if it is in a directory listed in the Path environment variable; a script in the current directory must be run as .\name.ps1, which prevents a script placed there from being run by mistake. For example, to run the Get-LatestLogon.ps1 script, you can use either of the following options, depending on whether the script is in your current directory or at the specified path:
.\Get-LatestLogon.ps1
E:\ModXA\Democode\Get-LatestLogon.ps1
If the script name or path has spaces in it, you need to enclose the name in single or double quotation marks and invoke it by using the call operator, the ampersand (&) character, because a quoted path on its own is only a string value and is not executed. The example below shows how to do this using both the relative and a full path:
& '.\Get Latest Logon.ps1'
& 'E:\ModXA\Democode\Get Latest Logon.ps1'
Lesson 2
In the past, managing a remote computer meant having to connect to it by using Remote Desktop. This made large-scale or automated management difficult. Windows PowerShell addresses this with remote administration, also known as remoting. Remoting lets you run Windows PowerShell commands for automated or interactive remote management by using Windows Remote Management (WinRM). WinRM is Microsoft's implementation of the Web Services for Management (WS-Man) protocol, and enables you to:
Create scripts that run on one or many remote computers.
Take control of a remote Windows PowerShell session to run commands directly on that computer.
Create a System Restore point to restore the computer to a previous state, if necessary.
Collect reliability data across the network.
Change firewall rules to protect computers from a newly discovered vulnerability.
Windows PowerShell supports three remoting scenarios:
One-to-One remoting: In this scenario, you connect to a single remote computer and run shell commands on it, exactly as if you had logged on to the console and opened a Windows PowerShell window.
One-to-Many remoting, or Fan-Out remoting: In this scenario, you issue a command that will be executed on one or more remote computers in parallel. You are not working with each remote computer interactively. Rather, your commands are issued and executed in a batch, and the results are returned to your computer for your use.
Many-to-One remoting, or Fan-In remoting: In this scenario, multiple administrators make remote connections to a single computer. Typically, those administrators will have differing permissions on the remote computer, and might be working in a restricted session within the shell. This scenario usually requires custom development of the restricted session, and will not be covered further in this course.
Remoting Requirements
Remoting requires that both Windows PowerShell and WinRM be installed on your local computer and on any remote computers to which you want to connect. WinRM is a Microsoft implementation of Web Services for Management (WS-Man), which is a set of protocols that has been widely adopted across different operating systems. As the name implies, WS-Man and WinRM use Web-based protocols. An advantage to these protocols is that they use a single, definable port, making them easier to pass through firewalls than older protocols that randomly selected a port. WinRM communicates via the Hypertext Transfer Protocol (HTTP). By default, WinRM and PowerShell remoting use TCP port 5985 for incoming connections that are not encrypted at the transport level, and TCP port 5986 for incoming HTTPS connections. Applications that use WinRM, such as Windows PowerShell, can also apply their own encryption to the data that is passed to the WinRM service: with Kerberos or NTLM authentication, the message payload on port 5985 is encrypted even though the transport is plain HTTP. WinRM supports authentication and, by default, uses Active Directory's native Kerberos protocol in a domain environment. Kerberos does not pass credentials across the network, and it supports mutual authentication to ensure that incoming connections are coming from valid computers. To work remotely, the local and remote computers must have the following installed:
Windows PowerShell 2.0 or higher
Microsoft .NET Framework 2.0 or higher
WinRM service
After installing the required software, Windows PowerShell remoting must also be enabled. PowerShell remoting is enabled by default in Windows Server 2012, but you must enable it manually on Windows 8, by running Enable-PSRemoting in an elevated Windows PowerShell window. Any files and other resources that are needed to run a particular command must be on the remote computer, because the remoting commands do not copy any resources. IT professionals must have permission to:
Connect to the remote computer.
Run Windows PowerShell.
Access data stores and the registry on the remote computer.
Windows Server 2012 provides another option for using remoting: Windows PowerShell Web Access. This role provides access to a remote Windows PowerShell session to a client using just a web browser, which can run on a smartphone, tablet, slate, or a non-domain-joined computer.
All of the local input to a remote command is collected before any of it is sent to the remote computer. However, the output is returned to the local computer as it is generated. When you connect to a remote computer, the system uses the user name and password credentials on the local computer to authenticate you to the remote computer. By default, the Kerberos version 5 protocol is used to perform the authentication and authorization, so an Active Directory domain is expected. In cases where the remote computer is not in a domain, or is in an untrusted domain, the client computer can be allowed to connect by adding the remote computer to the client's TrustedHosts list. Because a trusted host is not authenticated by Kerberos, the client cannot verify that it is talking to the computer it expects before sending credentials, so the list should be kept as narrow as possible. Additionally, in untrusted environments the remote computer should also enable a WinRM listener protected by a valid Secure Sockets Layer (SSL) certificate. This enables the Windows PowerShell client to connect with the -UseSSL parameter of the Invoke-Command, New-PSSession, and Enter-PSSession cmdlets. This parameter uses Hypertext Transfer Protocol Secure (HTTPS) instead of HTTP, and is designed for use with basic authentication, where passwords would otherwise be delivered in plain text.
To support remoting, the following cmdlets have been added:
Invoke-Command
Enter-PSSession
Exit-PSSession
Disconnect-PSSession
Receive-PSSession
Connect-PSSession
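The following added example (not part of the course text) puts the requirements and trust options above into one procedure: it enables remoting on a Windows 8 client, checks the listeners, and then shows both ways of reaching a computer outside the Kerberos trust, the TrustedHosts list and an HTTPS listener. The computer names and the certificate subject are assumptions; the HTTPS part is run on the remote computer, and all of it needs an elevated window.

```powershell
# Added example (not from the course): enable remoting on a Windows 8 client, check the result,
# and set up the two options for computers outside the Kerberos trust. Run in an elevated
# Windows PowerShell window. Computer names and the certificate subject are assumptions.

# Start the WinRM service, register the default HTTP listener on TCP 5985, and add the firewall
# rule. -SkipNetworkProfileCheck avoids the failure on a connection classified as Public.
Enable-PSRemoting -Force -SkipNetworkProfileCheck

# Confirm that WinRM answers, and list the configured listeners with their transport and port.
Test-WSMan -ComputerName localhost | Out-Null
Get-ChildItem -Path WSMan:\localhost\Listener |
    ForEach-Object { Get-ChildItem -Path $_.PSPath } |
    Where-Object { $_.Name -in 'Transport', 'Port', 'Address', 'Enabled' } |
    Select-Object Name, Value

# Option 1 (workgroup or untrusted domain): add the remote computer to this client's TrustedHosts.
# Kerberos is then not used, so the client cannot prove it is talking to the real LON-CL2 before
# it sends credentials. Keep the list explicit; never use '*'.
Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value 'LON-CL2' -Concatenate -Force
Get-Item -Path WSMan:\localhost\Client\TrustedHosts

# Option 2 (preferred): on the remote computer, bind an HTTPS listener to a certificate whose
# subject matches the name clients will use, and open TCP 5986 in the firewall.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq 'CN=LON-CL2.adatum.com' } |   # assumed certificate subject
    Select-Object -First 1
if ($cert) {
    New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
        -CertificateThumbprint $cert.Thumbprint -Force | Out-Null
    New-NetFirewallRule -DisplayName 'WinRM over HTTPS' -Direction Inbound `
        -Protocol TCP -LocalPort 5986 -Action Allow | Out-Null
}

# Clients then connect with -UseSSL, so authentication and the whole session run over TLS.
Enter-PSSession -ComputerName LON-CL2.adatum.com -UseSSL -Credential (Get-Credential)
```

With the HTTPS listener in place the remote computer does not need to be in TrustedHosts at all, because the certificate, rather than Kerberos, proves its identity to the client.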
When you are running commands on multiple computers, be aware of differences between the remote computers, such as differences in operating systems, file system structures, and the system registries. For example, the default home folder is different, depending on the version of Windows that is installed. This location is stored in the %homepath% environment variable ($env:homepath) and the Windows PowerShell $home variable. If no home folder is assigned, the system assigns a default local home folder to the user account (on the root of the drive where the operating system files are installed).
Temporary connections are made by specifying the name of the remote computer (its NetBIOS name, fully qualified domain name, or IP address). Note that Kerberos authentication requires a name, so connecting by IP address only works when the remote computer is in the client's TrustedHosts list or the connection uses HTTPS. Persistent connections are made by opening a Windows PowerShell session on the remote computer, and then connecting to it.
For a temporary connection, you start the session, run the commands, and then end the session. Variables or functions defined within commands are no longer available after you close the connection. This is an efficient method for running a single command or several unrelated commands, even on a large number of remote computers. To create a temporary connection, use the Invoke-Command cmdlet with the ComputerName parameter to specify the remote computers, and use the ScriptBlock parameter to specify the command. For example, the following command runs Get-EventLog on the Client01 computer:
Invoke-Command -ComputerName Client01 -ScriptBlock {Get-EventLog -List}
Use the Enter-PSSession cmdlet to connect to, and start, an interactive session. For example, the following command starts an interactive session with the Client01 computer:
Enter-PSSession -ComputerName Client01
Once you enter a session, the Windows PowerShell command prompt on your local computer changes to indicate the connection, for example:
[Client01]: PS C:\>
The interactive session remains open until you close it. This enables you to run as many commands as required. To end the interactive session, type Exit-PSSession.
Beginning with Windows PowerShell 3.0, persistent sessions are kept on the remote computer. You can use the Disconnect-PSSession cmdlet to disconnect your client connection and leave the persistent session active. To retrieve a list of your persistent sessions on Client01, you can run the following:
Get-PSSession -ComputerName Client01
You can retrieve the results of commands running in a disconnected session by using the Receive-PSSession cmdlet. You also can reconnect to a disconnected session by using the Connect-PSSession cmdlet.
You can establish a One-to-One remoting session by using Windows PowerShell ISE, and clicking the New Remote PowerShell Tab option on the File menu. You also can establish a remote PowerShell session by using the Enter-PSSession cmdlet. For example, to open a remote Windows PowerShell session on a computer named LON-DC1, you would use the following syntax:
Enter-PSSession -ComputerName LON-DC1
One-to-many remoting is primarily done by using the Invoke-Command cmdlet. To run the Get-EventLog cmdlet against the computers named LON-SVR1 and LON-DC1, use the following command:
Invoke-Command -ComputerName LON-SVR1, LON-DC1 -ScriptBlock {Get-EventLog -LogName System -Newest 10}
Because a persistent session created with New-PSSession keeps its state between commands, you can run another command in the same session and use a variable that an earlier command defined there. For example, if $s holds a session in which an earlier command stored the output of Get-Process in $p, the following command counts the number of processes saved in $p:
Invoke-Command -Session $s -ScriptBlock {$p.Count}
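The following added example (not part of the course text) demonstrates the difference between temporary and persistent connections described above, and the disconnect, reconnect and receive cycle from the previous topic, in one runnable sequence. The computer name LON-SVR1 is an assumption; run it from a domain-joined client that is allowed to remote to that computer.

```powershell
# Added example (not from the course): what a persistent session keeps, and how disconnecting
# and reconnecting works in Windows PowerShell 3.0. LON-SVR1 is an assumed computer name.

# Temporary connections: each Invoke-Command runs in a new session, so nothing carries over.
Invoke-Command -ComputerName LON-SVR1 -ScriptBlock { $p = Get-Process }
Invoke-Command -ComputerName LON-SVR1 -ScriptBlock { "Temporary session: {0} processes in `$p" -f $p.Count }

# Persistent session: variables, functions, and imported modules survive between commands.
$s = New-PSSession -ComputerName LON-SVR1 -Name ProcAudit
Invoke-Command -Session $s -ScriptBlock { $p = Get-Process }
Invoke-Command -Session $s -ScriptBlock { "Persistent session: {0} processes in `$p" -f $p.Count }

# Disconnect: the session and its state stay alive on LON-SVR1, not on this client.
Disconnect-PSSession -Session $s | Out-Null
Get-PSSession -ComputerName LON-SVR1 | Select-Object Name, State, Availability

# Reconnect (possibly from another console, as the same user) and show that the state survived.
$s = Connect-PSSession -ComputerName LON-SVR1 -Name ProcAudit
Invoke-Command -Session $s -ScriptBlock { "After reconnect: still {0} processes in `$p" -f $p.Count }
Remove-PSSession -Session $s

# Long-running work: start it already disconnected, come back later, and collect the output.
# The script block groups failed logons (event 4625) by target user name, property index 5.
$ds = Invoke-Command -ComputerName LON-SVR1 -InDisconnectedSession -SessionName FailedLogons -ScriptBlock {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 100 |
        Group-Object { $_.Properties[5].Value } |
        Select-Object Name, Count
}
# Later: Receive-PSSession reconnects, returns what the command produced, and keeps the session.
Receive-PSSession -ComputerName LON-SVR1 -Name FailedLogons
```

Disconnected sessions are tied to the user who created them, so reconnecting from another computer works only as that same account; they are also subject to the idle timeout configured on the remote computer's session configuration.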
To interrupt a command, press Ctrl+C. The interrupt request is passed to the remote computer, where it terminates the remote command.
Several cmdlets, such as Get-Process, Get-Service, and Get-EventLog, have a ComputerName parameter that lets you retrieve objects from remote computers. Because these cmdlets do not use Windows PowerShell remoting to communicate (they use older protocols such as RPC, with the dynamic ports mentioned earlier), you can use the ComputerName parameter of these cmdlets on any computer that is running Windows PowerShell. The computers do not have to be configured for Windows PowerShell remoting or fulfill the system requirements for remoting.
The following table provides more information about the ComputerName parameter.
Command: Get-Help * -Parameter ComputerName
Purpose: Determine whether the ComputerName parameter of a cmdlet requires Windows PowerShell remoting.
Result: For cmdlets that do not use remoting, you see a statement similar to: This parameter does not rely on Windows PowerShell remoting. You can use the ComputerName parameter even if your computer is not configured to run remote commands.
You can run commands on more than one remote computer at a time. For temporary connections, the Invoke-Command accepts multiple computer names. For persistent connections, the Session parameter accepts multiple PSSessions. The number of remote connections is limited by the resources of the computers, and their capacity to establish and maintain multiple network connections. To run a remote command on multiple computers, include all computer names in the ComputerName parameter of the Invoke-Command, and separate the names with commas:
Invoke-Command -ComputerName Server01, Server02, Server03 -ScriptBlock {Get-Culture}
You can also run a command in multiple PSSessions. The following commands create PSSessions on Server01, Server02, and Server03, and then run a Get-Culture command in each PSSession:
$s = New-PSSession -ComputerName Server01, Server02, Server03
Invoke-Command -Session $s -ScriptBlock {Get-Culture}
To include the local computer in the list of computers, type the name of the local computer, a dot (.) or localhost. To help manage resources on the local computer, Windows PowerShell includes a per-command throttling feature that limits the number of concurrent remote connections established for each command. The default is 32 or 50 connections depending on the cmdlet. You can use the ThrottleLimit parameter to set a custom limit. The throttling feature is applied to each command and not to the entire session or to the computer. When you are running commands concurrently in several temporary or persistent connections, the number of concurrent connections is the sum of the concurrent connections in all sessions. To find cmdlets with a ThrottleLimit parameter, use the following script:
Get-Help * -Parameter ThrottleLimit
Invoke-Command can also run a local script on the remote computers: the FilePath parameter reads the script file on the local computer and sends its contents to each remote computer, so you do not need to copy any files to the remote computers. The results of the script are returned to the local computer. Some tasks performed by IT professionals that use Windows PowerShell include:
Running a command on all computers to check if the anti-virus software service is stopped, and to automatically restart it, if necessary.
Modifying the security rights on files or shares.
Opening a data file and passing the contents into a preformatted output file, like an HTML page or Microsoft Office Excel spreadsheet.
Searching Event Logs for specific information.
Remotely creating a System Restore point prior to troubleshooting.
Remotely querying for installed updates.
Editing the registry using transactions.
Remotely examining system stability data from the reliability database.
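The first task in the list above, checking a service on every computer and restarting it where it is stopped, is a typical fan-out job. The following added example (not from the course text) does it with a single Invoke-Command, a throttle limit, and error handling so that one unreachable computer does not stop the run. The computer names and the service name are assumptions.

```powershell
# Added example (not from the course): fan-out check of a service on many computers, restarting it
# where it is stopped. Computer names and the service name are assumptions.
$computers   = 'LON-CL1', 'LON-CL2', 'LON-CL3', 'LON-SVR1'
$serviceName = 'WinDefend'   # Windows Defender service on Windows 8 (assumed target)

# -ThrottleLimit caps concurrent connections; -ErrorAction/-ErrorVariable keep failures out of
# the result stream without aborting the command on the computers that do respond.
$results = Invoke-Command -ComputerName $computers -ThrottleLimit 16 `
    -ErrorAction SilentlyContinue -ErrorVariable unreachable `
    -ArgumentList $serviceName -ScriptBlock {
        param($name)
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) {
            return [pscustomobject]@{ Service = $name; Before = 'Missing'; After = 'Missing' }
        }
        $before = $svc.Status
        if ($svc.Status -ne 'Running') {
            Start-Service -Name $name
            $svc.Refresh()
        }
        [pscustomobject]@{ Service = $name; Before = $before; After = $svc.Status }
    }

# Every returned object carries PSComputerName, so the origin of each result is known.
$results |
    Select-Object PSComputerName, Service, Before, After |
    Sort-Object PSComputerName |
    Format-Table -AutoSize

# Computers that could not be contacted are in the error variable; report them separately.
$unreachable | ForEach-Object { "Could not reach {0}: {1}" -f $_.TargetObject, $_.Exception.Message }
```

Because the objects come back deserialized, compare and sort on their property values on the client; do not expect to call methods such as Refresh() on them after they have crossed the network.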
Lesson 3
IT professionals need to repeatedly perform a variety of tasks, such as creating and modifying Group Policy Objects (GPOs) and user accounts. To reduce the workload, you can perform many common tasks by using Windows PowerShell. For example, you can now manage GPOs, Windows Firewall rules, and network settings by using Windows PowerShell. You also may need to create scripts that others within your company can use. Windows 8 and Windows PowerShell 3.0 provide cmdlets and features that help you address these issues. In this lesson, you will learn about advanced Windows PowerShell scripting and managing GPOs.
There are several Windows PowerShell constructs that use Boolean comparisons to control the execution of code within a script. These constructs are if, switch, for, while, and foreach.
The if Statement
You can use the if statement to execute a block of code, if the specified criteria are met. The basic functionality of an if statement is shown here:
if (Boolean comparison) {
    Code to complete if test expression is true
}
Another option available to accommodate additional possibilities is using else and elseif statements. In a case where you wish to execute special code if a condition exists or execute other code if it does not exist, you can use the else statement. If there are additional conditions you wish to test, you could use the elseif statement. See the example below:
$Today = Get-Date
if ($Today.DayOfWeek -eq 'Monday') {
    Write-Host 'Today is Monday'
}
elseif ($Today.DayOfWeek -eq 'Thursday') {
    Write-Host 'Today is Thursday'
}
else {
    Write-Host 'Today is not Monday or Thursday'
}
The switch statement is closely related to how if/else statements work. The statement enables a single condition statement to have multiple options for execution. The switch statement has the following syntax:
switch (Value Testing) {
    Value 1 { Code run if value 1 condition exists }
    Value 2 { Code run if value 2 condition exists }
    Value 3 { Code run if value 3 condition exists }
    default { Code run if no other condition exists }
}
Using the previous example, you can achieve the same functionality with less work, as shown in the following example:
switch ($Today.DayOfWeek) {
    'Monday'   { Write-Host 'Today is Monday' }
    'Thursday' { Write-Host 'Today is Thursday' }
    default    { Write-Host 'Today is not Monday or Thursday' }
}
In cases where a larger number of if/else statements would be needed, the switch statement may be an easier option to use and debug.
You can use the for loop to execute a block of code a specific number of times. This is useful when multiple items need to be requested or created. The for statement syntax is:
for (setup loop variables; Boolean comparison; action after each loop) {
    Code to complete while Boolean comparison is true
}
The for loop begins with settings to configure variables, the Boolean comparison, and an action to complete after each loop.
The while loop can be used to execute a block of code while a specific condition exists. It is very similar to the for loop, except that it does not have built-in mechanisms to set up variables and actions to run after each loop. This enables the while statement to continue executing until a condition is met, rather than execute a set number of times. The while statement syntax is:
while (Boolean comparison) {
    Code to complete while Boolean expression is true
}
Also available is the do/while loop, which works like the while loop. However, the Boolean expression is evaluated at the end of the loop, instead of the beginning. This means that the code block in a do/while loop will always be executed at least once. A variable tested in the condition does not need to exist before the loop starts, because the condition is not evaluated until the body has run once. The following example shows a do/while loop:
do {
    Code to complete while Boolean expression is true
} while (Boolean comparison)
The foreach statement iterates through an array (collection), item by item, assigning a specifically named variable to the current item of the collection. It then runs the code block for that element, as the following example shows.
foreach ($item in $collection) {
    Code to complete for each item in the collection.
}
Using the foreach statement can make batch modifications easier. Consider, for example, setting a description for all users that are members of a specific group, as the following example shows.
# Get a list of the members of the Domain Admins group
$DAdmins = Get-ADGroupMember "Domain Admins"
# Go through each member and set the Description. Group membership can include groups and
# computers as well as users, so only user objects are passed to Set-ADUser.
foreach ($user in $DAdmins) {
    if ($user.objectClass -eq 'user') {
        Set-ADUser -Identity $user.DistinguishedName -Description "In the Domain Admins Group"
    }
}
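The following added example (not from the course text) uses every construct from this topic on a single, self-contained task: classifying a sample of Security-log-style logon events and grading the accounts involved. The event records are constructed inline for the example and are not real log data; the IDs 4624 (successful logon), 4625 (failed logon) and 4740 (account lockout) are the standard Windows Security event IDs.

```powershell
# Added example (not from the course): if/elseif/else, switch, for, while, do/while and foreach
# applied to constructed logon events. The event data below is made up for the example.
$events = @(
    [pscustomobject]@{ Id = 4624; Account = 'alice'; Source = '10.0.0.5' }
    [pscustomobject]@{ Id = 4625; Account = 'bob';   Source = '10.0.0.9' }
    [pscustomobject]@{ Id = 4625; Account = 'bob';   Source = '10.0.0.9' }
    [pscustomobject]@{ Id = 4625; Account = 'bob';   Source = '10.0.0.9' }
    [pscustomobject]@{ Id = 4625; Account = 'carol'; Source = '10.0.0.7' }
    [pscustomobject]@{ Id = 4740; Account = 'carol'; Source = 'LON-DC1'  }
    [pscustomobject]@{ Id = 4625; Account = 'alice'; Source = '10.0.0.5' }
)

$failures = @{}   # account name -> number of failed logons
$lockouts = @()   # accounts that were locked out

# foreach walks the collection; switch picks the branch by event ID.
foreach ($e in $events) {
    switch ($e.Id) {
        4624    { <# successful logon: nothing to do #> }
        4625    { $failures[$e.Account] = 1 + $failures[$e.Account] }   # missing key counts as 0
        4740    { $lockouts += $e.Account }
        default { Write-Warning ("Unexpected event ID {0}" -f $e.Id) }
    }
}

# if / elseif / else grades each account against a threshold.
$threshold = 3
foreach ($account in $failures.Keys) {
    $n = $failures[$account]
    if ($lockouts -contains $account) { $state = 'locked out' }
    elseif ($n -ge $threshold)        { $state = 'at risk' }
    else                              { $state = 'ok' }
    "{0}: {1} failed logon(s), {2}" -f $account, $n, $state
}

# for runs a fixed number of times; while runs until its condition changes.
for ($i = 1; $i -le 3; $i++) { "Check pass $i of 3" }
$remaining = $lockouts.Count
while ($remaining -gt 0) {
    "Unlock request for {0}" -f $lockouts[$remaining - 1]
    $remaining--
}

# do/while runs the body at least once even though the condition is false from the start.
$tries = 0
do { $tries++ } while ($tries -lt 0)
"do/while body ran $tries time(s)"
```

In the switch block a case that matches a number compares with -eq, so the integer IDs match without quotes; the hashtable lookup of a missing key returns $null, and 1 + $null is 1, which is what makes the counting line work without an explicit initialization.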
Variables
Windows PowerShell enables you to retrieve, modify, and filter data from a variety of sources. In some cases, you may want to store data for comparison or later use. For example, you may wish to retrieve a list of the members of a particular security group and then modify the description field of each of the users. Variables are used to store and retrieve data in memory during a Windows PowerShell session. A variable always begins with a dollar ($) sign and then can be named with descriptive text or numbers, such as $Variable1, $x, and $MemberList. A Windows PowerShell variable takes on the type of the value assigned to it, whether it is text, numbers, objects, time, arrays, or another defined object; you can also constrain a variable to a specific type by prefixing the type, as in [int]$count, after which assigning a value of another type fails or is converted. You can declare a variable in one of two ways, the first of which is using the Set-Variable cmdlet. For example, to declare a variable named $ADDS and assign it the object returned from Get-ADDomain by using the Set-Variable cmdlet, use the following command:
Set-Variable -Name ADDS -Value (Get-ADDomain)
You will notice that you do not specify the $ symbol when using the Set-Variable cmdlet to declare variables. The second way to create a variable is by declaring it and assigning a value to it. To do this, start the command with the name of the variable, followed by an equal sign, and then the command, commands, or value to assign. For example, to declare a variable named $ADDS and assign it the object returned from Get-ADDomain, use the following command:
$ADDS = Get-ADDomain
The $ADDS variable now holds the object output by the Get-ADDomain cmdlet. The output object takes on the type defined in the relevant class, and the variable maintains that structure. You can now read and manipulate the variable in the same way as any .NET object. To obtain information about the properties or to run methods, you can use dotted notation on the variable. For example, to determine the domain functional level reported by the DomainMode property of Get-ADDomain, you can use the following command:
PS C:\> $ADDS.DomainMode
Windows2008R2Domain
The following are eventing examples that you can use:
Create a script that performs directory management when files are added to, or removed from, a specific location.
Create a script that performs a management task only when a specific event is added multiple times, or if different events occur within a specified amount of time.
Create scripts that respond to events produced by internal applications, and perform management tasks specific to organizational requirements.
Eventing supports WMI and .NET Framework events that provide more detailed notifications than those available in the standard event logs.
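The first eventing example above, reacting when a file is added to a folder, can be built on the .NET FileSystemWatcher class. The following added example (not from the course text) subscribes to its Created event from Windows PowerShell, raises the event by dropping a file into a temporary folder, and reports whether the new script is signed. The folder path and the file are constructed for the example.

```powershell
# Added example (not from the course): handle a .NET FileSystemWatcher event from PowerShell.
# The watched folder is a temporary one created here, and the file dropped into it is made up.
$watchPath = Join-Path $env:TEMP 'ps-eventing-demo'
New-Item -ItemType Directory -Path $watchPath -Force | Out-Null

# Watch the folder for new .ps1 files (constructor: path, filter).
$watcher = New-Object System.IO.FileSystemWatcher -ArgumentList $watchPath, '*.ps1'
$watcher.EnableRaisingEvents = $true

# Subscribe to the .NET 'Created' event. Without an -Action block the events queue up in the
# session and are collected with Wait-Event / Get-Event, which keeps a script easy to follow.
Register-ObjectEvent -InputObject $watcher -EventName Created -SourceIdentifier NewScript | Out-Null

# Raise the event by dropping a file into the watched folder.
Set-Content -Path (Join-Path $watchPath 'dropped.ps1') -Value 'Get-Date'

# Block until the event arrives (or give up after 10 seconds), then inspect the event data.
$evt = Wait-Event -SourceIdentifier NewScript -Timeout 10
if ($evt) {
    $path = $evt.SourceEventArgs.FullPath
    $sig  = Get-AuthenticodeSignature -FilePath $path
    "{0}  {1}  signature: {2}" -f $evt.TimeGenerated, $path, $sig.Status
    Remove-Event -EventIdentifier $evt.EventIdentifier
}
else {
    Write-Warning 'No Created event was received within 10 seconds.'
}

# Always unsubscribe and release the watcher; otherwise both keep running for the whole session.
Unregister-Event -SourceIdentifier NewScript
$watcher.Dispose()
Remove-Item -Path $watchPath -Recurse -Force
```

The same pattern applies to WMI events: Register-WmiEvent with a query such as a __InstanceCreationEvent on Win32_Process delivers process-start notifications to the same event queue, and Get-EventSubscriber lists everything currently registered.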
To run Windows PowerShell Group Policy cmdlets on a Windows 8 client computer, you must use the Import-Module GroupPolicy command to import the Group Policy module, which is installed with the Remote Server Administration Tools for Windows 8. Import it at the beginning of every script that uses the cmdlets, and at the beginning of every Windows PowerShell session. (Windows PowerShell 3.0 also loads a module automatically the first time one of its cmdlets is called, but an explicit Import-Module makes the dependency visible and fails early if the tools are missing.)
The following table displays some of the Group Policy settings for Windows PowerShell. These Group Policy settings enable you to specify whether Windows PowerShell scripts run before non-Windows PowerShell scripts during computer startup and shutdown, and user logon and logoff. By default, Windows PowerShell scripts run after non-Windows PowerShell scripts.
Setting name: Run Windows PowerShell scripts first at computer startup, shutdown
Location: Computer Configuration\Administrative Templates\System\Scripts\
Default value: Not Configured
Possible values: Not Configured, Enabled, Disabled
Description: This policy setting determines whether Windows PowerShell scripts run before non-PowerShell scripts during computer startup and shutdown. By default, PowerShell scripts run after non-PowerShell scripts. If you enable this policy setting, within each applicable Group Policy object (GPO), PowerShell scripts run before non-PowerShell scripts during computer startup and shutdown.
Setting name: Run Windows PowerShell scripts first at user logon, logoff
Location: Computer Configuration\Administrative Templates\System\Scripts\ (also available under User Configuration\Administrative Templates\System\Scripts\)
Default value: Not Configured
Possible values: Not Configured, Enabled, Disabled
Description: This policy setting determines whether Windows PowerShell scripts run before non-PowerShell scripts during user logon and logoff. By default, PowerShell scripts run after non-PowerShell scripts. If you enable this policy setting, within each applicable Group Policy object (GPO), PowerShell scripts run before non-PowerShell scripts during user logon and logoff.
Setting name: For this GPO, run scripts in the following order (on the PowerShell Scripts tab of the Startup, Shutdown, Logon, and Logoff script properties)
Location: Computer Configuration\Windows Settings\Scripts (Startup/Shutdown)\ in the Local Group Policy Editor, or Computer Configuration\Policies\Windows Settings\Scripts (Startup/Shutdown)\ in the Group Policy Management Editor; User Configuration\Windows Settings\Scripts (Logon/Logoff)\, or User Configuration\Policies\Windows Settings\Scripts (Logon/Logoff)\
Default value: Not Configured
Possible values: Not Configured, Run Windows PowerShell scripts first, Run Windows PowerShell scripts last
Description: This setting applies only to the scripts assigned in that GPO, whereas the two Administrative Templates settings above set the default order for every GPO.
Function: Maintain GPOs (GPO management, removal, backup, and import)
Cmdlets: Backup-GPO, Restore-GPO, Import-GPO, Remove-GPO, Copy-GPO, Get-GPO
Function: Associate GPOs with Active Directory containers (Group Policy link creation, update, and removal)
Cmdlets: New-GPLink, Set-GPLink, Remove-GPLink
Function: Set inheritance flags and permissions on Active Directory organizational units and domains
Cmdlets: Get-GPInheritance, Set-GPInheritance, Get-GPPermission, Set-GPPermission
Function: Configure registry-based policy settings and Group Policy Preferences Registry settings (update, retrieval, and removal)
Cmdlets: Get-GPRegistryValue, Set-GPRegistryValue, Remove-GPRegistryValue, Get-GPPrefRegistryValue, Set-GPPrefRegistryValue, Remove-GPPrefRegistryValue
Function: Create and edit new and Starter GPOs
Cmdlets: New-GPO, New-GPStarterGPO
You can use the Get-GPRegistryValue and the Set-GPRegistryValue cmdlets to change registry-based policy settings, and the Get-GPPrefRegistryValue and Set-GPPrefRegistryValue cmdlets to change registry preference items. Other valuable Group Policy cmdlets include:
Backup-GPO and Restore-GPO
Copy-GPO
Import-GPO
Set-GPLink
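The following added example (not from the course text) ties the Group Policy cmdlets above to the execution policy topic earlier in this appendix: it creates a GPO that turns on the "Turn on Script Execution" policy with the AllSigned level, links it to an OU, reads the values back, and takes a backup. The domain name, OU, and backup path are assumptions; the registry key and value names are the ones that the Windows PowerShell administrative template writes.

```powershell
# Added example (not from the course): create, populate, link, verify and back up a GPO that
# enforces the AllSigned execution policy. Domain, OU and backup path are assumptions.
Import-Module GroupPolicy

$domain  = 'adatum.com'                         # assumed domain
$ou      = 'OU=Workstations,DC=adatum,DC=com'   # assumed OU
$gpoName = 'PowerShell Execution Policy'
$backup  = 'C:\GPOBackups'                      # assumed backup folder

# Create the GPO, or reuse it if it already exists.
$gpo = Get-GPO -Name $gpoName -Domain $domain -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Domain $domain -Comment 'Require signed scripts'
}

# "Turn on Script Execution" is a registry-based policy: EnableScripts=1 turns it on and
# ExecutionPolicy selects the level. It appears as the MachinePolicy scope on the clients.
$key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
Set-GPRegistryValue -Name $gpoName -Domain $domain -Key $key -ValueName EnableScripts   -Type DWord  -Value 1           | Out-Null
Set-GPRegistryValue -Name $gpoName -Domain $domain -Key $key -ValueName ExecutionPolicy -Type String -Value 'AllSigned' | Out-Null

# Link the GPO to the OU unless it is already linked; Enforced prevents a lower-level GPO from
# overriding it.
$linked = (Get-GPInheritance -Target $ou).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) {
    New-GPLink -Name $gpoName -Domain $domain -Target $ou -LinkEnabled Yes -Enforced Yes | Out-Null
}

# Read the values back from the GPO to confirm what clients will receive.
Get-GPRegistryValue -Name $gpoName -Domain $domain -Key $key | Select-Object ValueName, Type, Value

# Keep a restorable copy (Restore-GPO or Import-GPO can bring it back from this folder).
New-Item -ItemType Directory -Path $backup -Force | Out-Null
Backup-GPO -Name $gpoName -Domain $domain -Path $backup -Comment 'Before pilot rollout'
```

On a client in that OU, Get-ExecutionPolicy -List then shows AllSigned at the MachinePolicy scope, and Set-ExecutionPolicy can no longer lower it, which is the behaviour a policy-set execution policy is meant to provide.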
Make a goal to spend time learning how to use Windows PowerShell for your common tasks. This makes you more comfortable while working with Windows PowerShell, and will equip you for using it to solve more complicated problems. Save the commands that you have used to solve problems in a script file for later reference. Use Windows PowerShell ISE for help with writing scripts and to ensure that you have the proper syntax.
Question: Which cmdlet will display the content of a text file?
Question: Which cmdlet will move a file to another directory?
Question: Which cmdlet will rename a file?
Question: Which cmdlet will create a new directory?
Question: Which cmdlet do you think would retrieve information from the Event Log?
Question: Which cmdlet do you think would start a stopped virtual machine?
Tools
You can use the following tools to work with Windows PowerShell:
Tool: Windows PowerShell Integrated Scripting Environment (ISE)
Description: Windows PowerShell ISE provides a simple, yet powerful interface to create and test scripts, and discover new cmdlets.
Tool: Microsoft Visual Studio Workflow Designer
Description: This is a development tool used to create Windows PowerShell workflows.
Tool: Powershell.exe
Description: This is the Windows PowerShell executable.
Tool: Active Directory Administrative Center
Description: This tool enables you to perform common Active Directory management tasks, such as creating and modifying user and computer accounts. All of the changes made by using this management tool are logged in the Windows PowerShell History pane.
Results: After completing this exercise, you will have evaluated the installation environment, and then selected the appropriate Windows edition to install.
On the host computer, double-click the Hyper-V Manager icon on the desktop, or click Start, click Administrative Tools, and then click Hyper-V Manager.
In the Hyper-V Manager console, right-click 20687A-LON-CL4, and then click Settings.
In the Settings for 20687A-LON-CL4 window, click DVD Drive in the left-hand column, under IDE Controller 1.
In the details pane, select Image file, and then click Browse.
In the Open window, navigate to C:\Program Files\Microsoft Learning\20687\Drives, and then double-click the Windows8.iso file.
Click OK to close the Settings for 20687A-LON-CL4 window.
6. On the License terms page, click the I accept the license terms check box, and then click Next.
7. On the Which type of installation do you want? page, click Custom: Install Windows only (advanced).
8. On the Where do you want to install Windows page, click Next. Wait for Windows 8 to install. This process will take 5-10 minutes.
9. On the Personalize screen, type LON-CL4 in the PC name field, and then click Next.
10. On the Settings page, click Use express settings.
11. On the Sign in to your PC page, click Sign in without a Microsoft account.
12. On the Sign in to your PC page, click Local account.
13. In the User name field, type User.
14. In the Password field and the Reenter password field, type Pa$$w0rd.
15. In the Password hint field, type Forgot already?
16. Click Finish, and wait for the installation to complete.
Results: After this exercise, you should have performed a clean installation of Windows 8.
On the host computer, double-click the Hyper-V Manager icon on the desktop, or click Start, click Administrative Tools, and then click Hyper-V Manager.
In the Hyper-V Manager console, right-click 20687A-LON-CL1, and then click Settings.
In the Settings for 20687A-LON-CL1 window, click Diskette Drive.
In the Details pane, select Virtual floppy disk (.vfd) file, browse to C:\Program Files\Microsoft Learning\20687\Drives, and then double-click Lab1BEx1.vfd.
Click OK.
In Windows SIM, place the cursor in the Windows Image section, right-click, and then click Select Windows Image.
Browse to E:\labfiles\Mod01\Sources, and double-click install.wim.
Click Windows 8 Release Preview, and then click OK.
In Windows System Image Manager, click File, and then click Open Answer File.
Browse to Floppy Disk Drive (A:) and double-click Autounattend.xml.
In the Windows Image section, expand Components, scroll down, right-click amd64_Microsoft-Windows-Setup_6.2.8400.0_neutral, and then click Add Setting to Pass 1 windowsPE.
In the Answer File pane, expand amd64_Microsoft-Windows-Setup_neutral, and then click UserData.
In the UserData Properties pane, double-click AcceptEula, and then from the drop-down menu, select true.
Double-click the FullName setting, type Adatum, and then press Enter.
Double-click the Organization setting, type Adatum, and then press Enter.
In the Answer File pane, expand UserData and then click ProductKey.
In the Properties pane, double-click the Key setting, type TK8TP-9JN6P-7X7WW-RFFTV-B7QPF, and then press Enter.
Double-click WillShowUI, and then from the drop-down menu, select OnError.
Task 4: Save the answer file and remove the diskette drive
1. In Windows System Image Manager, click File, and then click Save Answer File.
2. Close Windows System Image Manager.
3. On the host computer, double-click the Hyper-V Manager icon on the desktop, or click Start, click Administrative Tools, and then click Hyper-V Manager.
4. In the Hyper-V Manager console, right-click 20687A-LON-CL1, and then click Settings.
5. In the Settings for 20687A-LON-CL1 window, click Diskette Drive.
6. In the Details pane, select None.
7. Click OK.
Results: After completing this exercise, you should have modified an unattended answer file to use for automating the Windows 8 installation process.
Task 2: Start the virtual machine and confirm the unattended installation
1. In Hyper-V Manager, right-click 20687A-LON-CL4, and then click Connect.
2. In the 20687A-LON-CL4 on localhost window, click Actions, and then click Start.
3. In the Windows Setup dialog box, click Next.
4. On the Select the operating system you want to install page, click Next.
5. On the Where do you want to install Windows page, click Next.
6. Observe the Windows 8 installation process, confirming that you are not prompted for a product key.
Results: After completing this exercise, you will have tested installation of Windows 8 by using an answer file.
On the Checking to see what can be transferred page, wait for scanning to complete, deselect all objects except for ADATUM\Allie, and then click Next.
On the Save your files and settings for transfer page, type Pa$$w0rd into both fields, and then click Save.
In the Save your Easy Transfer file window, click in the address bar, type \\LON-DC1, and then press Enter.
Double-click the WET shared folder, and then click Save.
Wait for the files to save. You can scroll down on the Saving files and settings page to monitor the progress.
10. When the save is complete, click Next.
11. Click Next, and then click Close to close the Windows Easy Transfer window.
12. Log off LON-CL3.
Results: After completing this exercise, you should have backed up important user data and settings.
On the What do you want to use to transfer items to your new PC page, click An external hard disk or USB flash drive.
When prompted Which PC are you using now?, click This is my new PC.
When asked if the files have already been saved from your old PC, click Yes.
In the Open an Easy Transfer File window, navigate to \\LON-DC1\WET, and then double-click the Windows Easy Transfer file.
Enter the password Pa$$w0rd, and then click Next.
On the Choose what to transfer to this PC page, click Transfer.
Results: After completing this exercise, you should have restored user data and settings to a Windows 8 computer by using WET.
Results: After completing this exercise, you should have confirmed the successful transfer of user data and settings.
Log on to the LON-CL2 virtual machine as Adatum\Administrator with the password Pa$$w0rd.
5. In the New Simple Volume Wizard, on the Welcome to the New Simple Volume Wizard page, click Next.
6. On the Specify Volume Size page, change the Simple volume size in MB value to 5103, and then click Next.
7. On the Assign Drive Letter or Path page, click Next.
8. On the Format Partition page, in the Volume label text box, type Simple1, and then click Next.
9. On the Completing the New Simple Volume Wizard page, click Finish.
10. When the New Simple Volume Wizard is complete, close Disk Management and any open windows.
In the Extend Volume Wizard, on the Welcome to the Extend Volume Wizard page, click Next.
On the Select Disks page, select Disk 2, in the Select the amount of space in MB text box, type 50, and then click Next.
On the Completing the Extend Volume Wizard page, click Finish.
When the Extend Volume Wizard is complete, close Disk Management.
When the shrink command is complete, at the DISKPART> prompt, type list volume, and then press Enter.
Compare the size of the Simple2 volume as reported now with the value from the previous list volume command.
Close the command prompt.
4. In the New Spanned Volume Wizard, on the Welcome to the New Spanned Volume Wizard page, click Next.
5. On the Select Disks page, select Disk 3. Hold down the Shift key, select Disk 4, and then click Add.
6. On the Select Disks page, select Disk 2, and in the Select the amount of space in MB text box, type 2000.
7. On the Select Disks page, select Disk 3, and in the Select the amount of space in MB text box, type 1500.
8. On the Select Disks page, with Disk 4 selected, in the Select the amount of space in MB text box, type 4000, and then click Next.
9. On the Assign Drive Letter or Path page, click Next.
10. On the Format Partition page, in the Volume label text box, type SpannedVol, and then click Next.
11. On the Completing the New Spanned Volume Wizard page, click Finish.
12. Review the Disk Management warning, and then click Yes.
4. On the Select Disks page, in the Select the amount of space in MB text box, type 2000, and then click Next.
5. On the Assign Drive Letter or Path page, click Next.
6. On the Format Partition page, in the Volume label text box, type StripedVol, and then click Next.
7. On the Completing the New Striped Volume Wizard page, click Finish.
8. Close Disk Management and any open windows.
Results: After this exercise, you will have created several volumes on the client computer.
10. In the Disk Quota dialog box, review the message, and then click OK.
11. Close all open windows.
9. In the file list, right-click 1kb-file, drag it to Alans files, and then click Copy here.
10. Double-click Alans files.
11. Right-click 2mb-file, and then click Copy.
12. Press Ctrl+V.
13. Right-click 2mb-file, and then click Copy.
14. Press Ctrl+V.
15. In the Copy Item dialog box, review the message, and then click Cancel.
16. Open the Start Screen, and then click Alan Steiner.
17. Click Sign out.
10. Close Quota Entries for StripedVol (I:).
11. Close Striped Volume (I:) Properties.
12. Close Windows Explorer.
13. Open the Start Screen, type eventvwr, and then press Enter.
14. Maximize the Event Viewer program.
15. In the Event Viewer (Local) list, expand Windows Logs, and then click System.
16. Right-click System, and then click Filter Current Log.
17. In the <All Event IDs> box, type 36, and then click OK.
18. Examine the listed entry.
19. Close all open windows.
Results: At the end of this exercise, you will have created and tested a disk quota.
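The same quota check done from PowerShell instead of the Quota Entries window and Event Viewer, as an added example that is not part of the lab. It assumes you run it elevated on the client, that the volume is the lab's I: (change $Volume for another volume), and that the only event filter applied is the one the lab uses, ID 36 in the System log.

```powershell
# Added example (not lab code): quota state and quota threshold events for a volume.
# Assumptions: run as administrator; $Volume is the lab's striped volume I:.
$Volume = 'I:'

# fsutil quota query shows whether quotas are enabled/enforced on the volume, the default
# limit and warning threshold, and the per-user usage that Quota Entries displays.
fsutil quota query $Volume

function Get-QuotaThresholdEvent {
    param([int]$Days = 7)
    # The lab filters the System log on event ID 36, which NTFS writes when a user
    # reaches the quota warning threshold. Same filter, restricted to the last $Days days.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'System'
        Id        = 36
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue
}

$events = Get-QuotaThresholdEvent
if (-not $events) {
    "No event ID 36 entries in the System log in the last 7 days"
} else {
    $events | Select-Object TimeCreated, ProviderName, Message | Format-List
}
```

Get-WinEvent returns nothing (and, without -ErrorAction SilentlyContinue, an error) when no event matches, so the emptiness check is what tells you the quota threshold was never reached rather than that the query failed.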
Results: At the end of this exercise, you will have mounted an existing VHD file, and then used the virtual drive.
When you have finished the lab, leave the virtual machines running, as they are needed for the next lab.
At the Command Prompt, type pnputil -a E:\Labfiles\Mod03\Intellipoint\ipoint\setup64\files\driver\point64\point64.inf, and then press Enter.
In the Command Prompt, type pnputil -e, and then press Enter.
Take note of the published name for the driver you just installed into the store.
Close the command prompt.
Results: At the end of this exercise, you will have installed a driver into the protected driver store.
5. Expand Keyboards, right-click Standard PS/2 Keyboard, and then click Update Driver Software.
6. In the Update Driver Software Standard PS/2 Keyboard dialog box, click Browse my computer for driver software.
7. On the Browse for driver software on your computer page, click Let me pick from a list of device drivers on my computer.
8. In the Show compatible hardware list, click PC/AT Enhanced PS/2 Keyboard (101/102 Key), and then click Next.
9. Click Close.
10. In the System Settings Change dialog box, click Yes to restart the computer.
6. In the PC/AT Enhanced PS/2 Keyboard (101/102 Key) Properties dialog box, click the Driver tab.
7. Click Uninstall.
8. In the Confirm Device Uninstall dialog box, click OK.
9. In the System Settings Change dialog box, click Yes to restart the computer.
10. Log on to the LON-CL2 virtual machine as Adatum\Administrator with the password Pa$$w0rd.
11. Type comp, and then right-click Computer in the results section.
12. Click Manage from the context menu at the bottom of the screen.
13. In Computer Management, click Device Manager.
14. Expand Keyboards, right-click Standard PS/2 Keyboard, and verify that you have successfully uninstalled the driver.
15. Close Computer Management.
Results: At the end of this exercise, you will have installed and uninstalled a device driver.
Log on to the LON-CL1 virtual machine as Adatum\Administrator with the password Pa$$w0rd.
In Network and Sharing Center, to the right of the Adatum.com Domain network, click Local Area Connection.
In the Local Area Connection Status window, click Properties.
Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
Click Obtain an IP address automatically, click Obtain DNS server address automatically, and then click OK.
When does the DHCP lease expire? Eight days from now.
Results: After this exercise, you will have configured LON-CL1 to obtain an IPv4 configuration automatically from a DHCP server.
On the LON-DC1 virtual machine, log on as Adatum\Administrator with the password Pa$$w0rd.
Clear the Validate settings, if changed, upon exit check box, and then click OK to save the settings.
In the Local Area Connection Properties window, click Close.
At the command prompt, type ipconfig /release, and then press Enter.
At the command prompt, type ipconfig /renew, and then press Enter.
At the command prompt, type ipconfig /all, and then press Enter.
o What is the current IPv4 address? 172.16.16.10
o What is the subnet mask? 255.255.0.0
o To which IPv4 network does this host belong? 172.16.0.0/16
o What kind of address is this? An alternate configuration address
9. Click OK.
10. In the Local Area Connection Properties window, click Close.
11. Close all open windows.
Results: After this exercise, you will have tested various scenarios for dynamic IP address assignment, and then configured a static IP address.
10. In the list of Hard Drives, double-click Allfiles (E:).
11. Double-click Labfiles, double-click Mod04, and then double-click Mod4-Script.bat.
Results: After this exercise, you will have created a connectivity problem between LON-CL1 and LON-DC1.
In Network and Sharing Center, to the right of the Adatum.com Domain network, click Local Area Connection.
In the Local Area Connection Status window, click Properties.
Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
In the Subnet mask box, type 255.255.0.0.
Click OK.
3. In Control Panel, click Network and Internet.
4. In Network and Internet, click View network status and tasks.
5. In Network and Sharing Center, to the right of the Adatum.com Domain network, click Local Area Connection.
6. In the Local Area Connection Status window, click Properties.
7. In the Local Area Connection Properties window, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
8. In the Preferred DNS server box, type 172.16.0.10.
9. Clear the Alternate DNS server setting, and then click OK.
Results: After this exercise, you will have resolved the connectivity problem between LON-CL1 and LON-DC1.
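A PowerShell check for the two faults this lab introduces and fixes (a wrong subnet mask and a wrong preferred DNS server), as an added example that is not part of the lab. It assumes Windows 8 or Windows Server 2012 or later (the NetTCPIP and DnsClient modules), and takes its expected values from the lab: LON-DC1 at 172.16.0.10 on the 172.16.0.0/16 network.

```powershell
# Added example (not lab code): verify LON-CL1's IPv4 configuration against the lab's
# expected values and test reachability of the DC by address and by name.
# Assumptions: NetTCPIP/DnsClient modules present; expected values are the lab's.
$ExpectedPrefixLength = 16              # 255.255.0.0
$ExpectedDns          = '172.16.0.10'   # LON-DC1
$DcName               = 'LON-DC1.Adatum.com'

function Test-LabIPv4Config {
    $problems = @()

    # IPv4 addresses on real adapters: skip loopback and APIPA (169.254.x.x) addresses.
    $addrs = Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' }
    foreach ($a in $addrs) {
        "$($a.InterfaceAlias): $($a.IPAddress)/$($a.PrefixLength) ($($a.PrefixOrigin))"
        if ($a.PrefixLength -ne $ExpectedPrefixLength) {
            $problems += "Subnet mask wrong on $($a.InterfaceAlias): /$($a.PrefixLength), expected /$ExpectedPrefixLength"
        }
    }

    # DNS servers configured on any interface.
    $dns = (Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses }).ServerAddresses
    "DNS servers: $($dns -join ', ')"
    if ($dns -notcontains $ExpectedDns) { $problems += "Preferred DNS server is not $ExpectedDns" }

    # Reachability by IP (independent of DNS), then name resolution through the configured servers.
    if (-not (Test-Connection -ComputerName $ExpectedDns -Count 2 -Quiet)) {
        $problems += "No ICMP reply from $ExpectedDns (check the mask, gateway or firewall rules)"
    }
    try   { Resolve-DnsName -Name $DcName -ErrorAction Stop | Out-Null }
    catch { $problems += "Cannot resolve $DcName with the configured DNS servers" }

    if ($problems) { $problems | ForEach-Object { "PROBLEM: $_" } } else { 'IPv4 configuration looks correct' }
}

Test-LabIPv4Config
```

Testing by address before testing by name separates the two faults: a wrong mask breaks the ICMP test as well, while a wrong DNS server breaks only the Resolve-DnsName step.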
Requirements Overview
I want to deploy wireless networks throughout the London offices. Security is critical, and we must deploy the strongest security measures available. Some of our older computer equipment supports earlier wireless standards only. Cordless telephones are in use in some parts of the building. We are located in a busy trading district, with other commercial organizations located nearby. Again, it is important that our network is not compromised.
Additional Information
Proposals
Answer: Answers will vary, but typically should include the strongest possible security measures.
2. Complete the proposals section of the A. Datum Wireless Network Requirements document.
Answer: Answers will vary, but here is a suggested proposal:
o Deploy only WAPs that support WPA2-Enterprise authentication, and use additional infrastructure to provide this authentication. This will involve deploying additional server roles on Windows Server 2012, specifically the NPAS role (including the NPS role service).
o WAPs must support 802.11b because of the legacy hardware deployed in some parts of the building.
o Interference from cordless telephones might be an issue, so the choice of WAP should consider the ability to support a range of channels and, depending on 802.11 modes, the 802.11n frequency might be indicated.
o The proximity of other businesses does pose a risk, and you must ensure accurate placement of hubs and directionality of antennae to mitigate this. So long as appropriate security is in place, the risk should be low. Again, support of enterprise (802.1X) authentication is critical here.
Results: After this exercise, you should have a proposal for the implementation of wireless networks in the London offices of A. Datum.
Incident Details
Intermittent connection problems from computers connecting to the wireless network. Some users can connect to the wireless access points from the parking lot.
Plan of Action
2. Update the plan of action section of incident record 501235 with your recommendations.
Answer: Answers will vary, but here is a suggested proposal:
Check the placement of all WAPs to ensure that they are not adjacent to any forms of interference.
Results: After this exercise, you should have a completed action plan for resolution of the A. Datum issues.
In Group Policy Management Editor, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, and then click Wireless Network (IEEE 802.11) Policies.
Right-click Wireless Network (IEEE 802.11) Policies, and then click Create A New Wireless Network Policy for Windows Vista and Later Releases.
2. In the New Wireless Network Policy Properties dialog box, in the Policy Name box, type A Datum Wireless Policy.
3. Click Add, and then click Infrastructure.
4. In the New Profile properties dialog box, in the Profile Name box, type A Datum Wireless Profile.
5. In the Network Name(s) (SSID) box, type A Datum 1, and then click Add.
6. In the Network Name(s) (SSID) box, type A Datum 2, and then click Add.
7. Click the Security tab.
8. Verify that the Authentication method is WPA2-Enterprise and that the Encryption method is AES.
9. Click OK.
10. In the A Datum Wireless Policy Properties dialog box, click OK.
11. Close Group Policy Management Editor.
12. Close Group Policy Management.
Results: After this exercise, you should have implemented a wireless network policy.
Verify that ping reported four Request timed out responses. Leave the command prompt open for a later step.
Log on to the LON-CL1 virtual machine as Adatum\Administrator with the password Pa$$w0rd.
Verify that ping generated four Reply from 172.16.0.50: bytes=32 time=xms TTL=128 messages. Close the command prompt and any open windows.
Results: At the end of this exercise, you will have configured and tested an inbound firewall rule.
When you have finished the lab, leave the virtual machines running, as they are needed for the next lab.
On the Requirements page, select Require authentication for inbound connections and request authentication for outbound connections, and then click Next.
On the Authentication Method page, select Computer and user (Kerberos V5), and then click Next.
11. On the Name page, in the Name text box, type Authenticate all inbound connections, and then click Finish.
12. Close the Windows Firewall with Advanced Security window.
On the Requirements page, select Require authentication for inbound connections and request authentication for outbound connections, and then click Next.
On the Authentication Method page, select Computer and user (Kerberos V5), and then click Next.
On the Profile page, click Next.
10. On the Name page, in the Name text box, type Authenticate all inbound connections, and then click Finish.
11. Minimize the Windows Firewall with Advanced Security window.
Verify that the ping generated four Reply from 172.16.0.50: bytes=32 time=xms TTL=128 messages.
On the task bar, click the Windows Firewall with Advanced Security window.
In the left pane, expand Monitoring, and then expand Security Associations.
Click Main Mode, and then examine the information in the center pane.
Click Quick Mode, and then examine the information in the center pane.
Results: At the end of this lab, you will have created and tested connection security rules.
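The connection security rule the lab builds in the Windows Firewall with Advanced Security console, created with the NetSecurity module instead, followed by the Main Mode and Quick Mode security associations the lab inspects under Monitoring. This is an added example, not lab or Microsoft code. It assumes Windows 8 or Windows Server 2012 or later, an elevated prompt on a domain-joined computer, and that the NetSecurity cmdlet parameter names are as I recall them from the module's documentation (check Get-Help New-NetIPsecRule if a name does not match).

```powershell
# Added example (not lab code): "Authenticate all inbound connections" as a NetSecurity
# rule, requiring authentication inbound and requesting it outbound, with Kerberos V5
# for both the computer (phase 1) and the user (phase 2), on all profiles.
# Assumptions: elevated, domain-joined, NetSecurity module present.
Import-Module NetSecurity

$RuleName = 'Authenticate all inbound connections'   # name used in the lab

# Phase 1 (main mode): computer authentication with Kerberos V5.
$p1Proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$p1Set = New-NetIPsecPhase1AuthSet -DisplayName "$RuleName - computer (Kerberos V5)" -Proposal $p1Proposal

# Phase 2 (quick/extended mode): user authentication with Kerberos V5.
$p2Proposal = New-NetIPsecAuthProposal -User -Kerberos
$p2Set = New-NetIPsecPhase2AuthSet -DisplayName "$RuleName - user (Kerberos V5)" -Proposal $p2Proposal

# The rule itself: Require inbound, Request outbound, all profiles, all traffic.
New-NetIPsecRule -DisplayName $RuleName `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $p1Set.InstanceID -Phase2AuthSet $p2Set.InstanceID `
    -Profile Any | Out-Null

# Verify the rule exists with the intended security modes.
Get-NetIPsecRule -DisplayName $RuleName |
    Format-List DisplayName, Enabled, InboundSecurity, OutboundSecurity, Profile

# After traffic has flowed (the lab's ping from the peer), the negotiated SAs appear here.
# LocalFirstId/RemoteFirstId show the Kerberos identities that authenticated main mode.
Get-NetIPsecMainModeSA  | Format-Table LocalEndpoint, RemoteEndpoint, LocalFirstId, RemoteFirstId -AutoSize
Get-NetIPsecQuickModeSA | Format-Table LocalEndpoint, RemoteEndpoint -AutoSize
```

Request (not Require) outbound is what keeps the client able to talk to peers that have no matching rule yet; the SA listings stay empty until a peer with a compatible rule actually negotiates, which is why the lab pings across the rule before looking at Monitoring.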
When you have finished the lab, leave the virtual machines running, as they are needed for the next lab.
Results: At the end of this lab, you will have configured and used Windows Defender.
Log on to the LON-CL1 virtual machine as Adatum\Administrator with the password Pa$$w0rd.
Results: At the end of this lab, you will have created a folder and shared it for all users.
10. In the Marketing Properties dialog box, click OK.
11. Close all open windows, and then log off LON-CL1.
Results: At the end of this exercise, you will have created and shared a folder for the Marketing department.
While on the Start screen, type the letter c, and then click Control Panel in the Apps search results.
In Control Panel, click the View devices and printers link.
In Devices and Printers, click the Add a printer link.
In the Add Printer Wizard, click The printer that I want isn't listed.
On the Find a printer by other options page, select the Add a local printer or network printer with manual settings option, and then click Next.
On the Choose a printer page, in the Use an existing port drop-down list, select nul: (Local Port), and then click Next.
On the Install the printer driver page, in the Manufacturer list, select Microsoft.
In the Printers list, select Microsoft OpenXPS Class Driver, and then click Next.
10. On the Type a printer name page, in the Printer name field, type ManagersPrinter, and then click Next.
11. Review the Printer Sharing page, and then click Next.
12. Review the You've successfully added ManagersPrinter page, and then click Finish.
4. In Devices and Printers, click the Add a printer link.
5. In the Add Printer Wizard, click The printer that I want isn't listed.
6. On the Find a printer by other options page, select the Select a shared printer by name option, and then click Browse.
7. In the Printer field, type \\LON-CL1, and then press Enter.
8. Double-click ManagersPrinter.
9. On the Find a printer by other options page, click Next.
10. Review the You've successfully added ManagersPrinter on LON-CL1 page, and then click Next.
11. On the You've successfully added ManagersPrinter on LON-CL1 page, click the Print a test page button.
12. Review the ManagersPrinter on LON-CL1 dialog box, and then click Close.
13. On the You've successfully added ManagersPrinter on LON-CL1 page, click Finish.
14. Close Devices and Printers.
15. On LON-CL1, in the Print Management app, verify that the Jobs In Queue column displays 1 for ManagersPrinter.
16. Right-click ManagersPrinter, and then select Resume Printing.
17. Close all open windows.
Results: At the end of this exercise, you will have created, shared, and tested a printer.
10. In the Browse for a Group Policy Object dialog box, click the Users tab.
11. In the Local Users and Groups compatible with Local Group Policy list, click Administrators, and then click OK.
12. In the Select Group Policy Object dialog box, click Finish.
13. In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Group Policy Object Editor, and then click Add.
14. In the Select Group Policy Object dialog box, click Browse.
15. In the Browse for a Group Policy Object dialog box, click the Users tab.
16. In the Local Users and Groups compatible with Local Group Policy list, click Non-Administrators, and then click OK.
17. In the Select Group Policy Object dialog box, click Finish.
18. In the Add or Remove Snap-ins dialog box, click OK.
19. In Console1 [Console Root], on the menu, click File, and then click Save.
20. In the Save As dialog box, click Desktop.
21. In the File name box, type Multiple Local Group Policy Editor, and then click Save.
Expand User Configuration, expand Windows Settings, and then click Scripts (Logon/Logoff).
In the results pane, double-click Logon.
In the Logon Properties dialog box, click Add.
5. In the Add a Script dialog box, click Browse.
6. In the Browse dialog box, right-click in the empty folder, point to New, click Text Document, and then press Enter.
7. Right-click New Text Document, and then click Edit.
8. Type msgbox "Warning. You are not connected to the A Datum Domain."
9. Click File, and then click Save As.
10. Type RoamingScript.vbs, change Save as type: to All Files, and then click Save.
11. Close RoamingScript.vbs.
12. In the Browse dialog box, click the RoamingScript file, and then click Open.
13. In the Add a Script dialog box, click OK.
14. In the Logon Properties dialog box, click OK.
Results: After this exercise, you should have successfully created and configured multiple local GPOs.
Log off LON-CL1. To log off, on your host computer, in the 20687A-LON-CL1 on localhost Virtual Machine Connection window, click the Action menu, click Ctrl+Alt+Delete, and then click Sign out.
Log on to LON-CL1 as Adatum\Holly with the password Pa$$w0rd. To log on as a different user, click Other user, enter the required credentials, and then press Enter.
On the Start screen, click Desktop.
Click OK when prompted by the message box.
Pause the mouse pointer in the lower right corner of the task bar.
Click Settings, and then click Control Panel.
In the Restrictions dialog box, click OK.
Results: After this exercise, you should have implemented and tested multiple local GPOs successfully.
When you have finished the lab, leave the virtual machines running, as they are needed for the next lab.
10. Click Permissions, and in the Permissions for Sales-Data dialog box, click Add.
11. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select (examples) box, type Authenticated Users, and then click OK.
12. In the Permissions for Sales-Data dialog box, in the Group or user names list, click Authenticated Users, and then in the Permissions for Authenticated Users list, select the Allow Full Control check box, and then click OK.
13. In the Advanced Sharing dialog box, click OK.
14. In the Sales-Data Properties dialog box, click the Security tab.
15. Click Edit.
16. In the Permissions for Sales-Data dialog box, click Add.
17. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select (examples) box, type Authenticated Users, and then click OK.
18. In the Permissions for Sales-Data dialog box, in the Group or user names list, click Authenticated Users, and then in the Permissions for Authenticated Users list, select the Allow Full Control check box, and then click OK.
19. In the Sales-Data Properties dialog box, click Close.
7. Right-click an area of free space in Windows Explorer, point to New, and then click Microsoft Word Document.
8. Type Team Briefing, and then press Enter.
9. In Windows Explorer, double-click Team Briefing.
11. In Word, if prompted to Help Protect and Improve Microsoft Office, click Don't make changes, and then click OK.
12. In Word, type This is the team briefing.
13. Press Ctrl+S, and then close Microsoft Word.
1. In Windows Explorer, in the navigation pane, click Computer, and then in the details pane, double-click sales-data (\\lon-dc1) (S:).
2. In Windows Explorer, right-click Team Briefing, and then click Properties.
3. In the Team Briefing Properties dialog box, click Advanced.
4. In the Advanced Attributes dialog box, select the Encrypt contents to secure data check box, and then click OK.
5. In the Team Briefing Properties dialog box, click OK.
6. On LON-CL1, log on as Adatum\Vivian with the password Pa$$w0rd.
7. On the Start screen, click Desktop, and on the Taskbar, click Windows Explorer.
8. In Windows Explorer, in the navigation pane, right-click Computer, and then click Map network drive.
9. In the Map Network Drive dialog box, in the Folder box, type \\LON-DC1\Sales-Data.
10. In the Drive list, click S:, and then click Finish.
11. In Windows Explorer, in the navigation pane, click Computer, and then in the details pane, double-click sales-data (\\lon-dc1) (S:).
12. In Windows Explorer, double-click Team Briefing.
13. In the User Name dialog box, click OK.
14. In Word, if prompted to Help Protect and Improve Microsoft Office, click Don't make changes, and then click OK.
15. You are denied access.
16. Click OK and close Word.
17. Log off LON-CL1.
Results: After this exercise, you should have encrypted shared files successfully.
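A way to confirm from PowerShell what the lab demonstrates through Word's access-denied message: that the file carries the EFS Encrypted attribute and which users hold a certificate able to decrypt it. This is an added example, not lab code. It assumes S: is mapped to \\LON-DC1\Sales-Data as in the lab, and the file name is a placeholder for the document the lab creates there.

```powershell
# Added example (not lab code): check EFS state of a file on the mapped share.
# Assumptions: S: maps to \\LON-DC1\Sales-Data; the file name is a placeholder.
$File = 'S:\Team Briefing.docx'   # placeholder: the lab's Team Briefing document

function Test-EfsEncrypted {
    param([Parameter(Mandatory)][string]$Path)
    # The Encrypted attribute is visible even to a user who cannot decrypt the contents,
    # so this works from Vivian's session as well as from the owner's.
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    return (($attrs -band [System.IO.FileAttributes]::Encrypted) -ne 0)
}

if (Test-EfsEncrypted -Path $File) {
    "$File is EFS-encrypted"
    # cipher /c lists the user certificates (and any recovery agents) that can decrypt
    # the file; a user absent from that list gets access denied regardless of NTFS ACLs.
    cipher.exe /c $File
} else {
    "$File is NOT encrypted"
}
```

The cipher output is the practical explanation of step 15 above: Vivian has Full Control through the share and NTFS permissions, but only the certificate of the user who encrypted the file (plus any recovery agent) can unwrap its file encryption key.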
When you have finished the lab, leave the virtual machines running, as they are needed for the next lab.
5. In the results pane, double-click User Account Control: Only elevate executables that are signed and validated.
6. In the User Account Control: Only elevate executables that are signed and validated dialog box, click Enabled, and then click OK.
7. In the results pane, double-click User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode.
8. In the User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode dialog box, click Prompt for consent on the secure desktop.
9. Click OK, close Local Group Policy Editor, and then log off.
10. Right-click the Start screen, and then click All Apps.
11. In the Apps list, click Control Panel.
12. In Control Panel, click System and Security.
13. In System and Security, click Change User Account Control settings.
14. Verify that the slide bar is configured for Always notify.
Results: After this exercise, you should have reconfigured UAC notification behavior and prompts.
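The two policy settings the lab changes are stored as values under the Policies\System registry key, so the verification in steps 13-14 can also be done by reading that key. This is an added example, not lab code. It assumes the value names and their documented meanings below (ValidateAdminCodeSignatures for "Only elevate executables that are signed and validated", ConsentPromptBehaviorAdmin for the administrator prompt behaviour) and that policy has been applied (log off and on, or gpupdate) before you run it.

```powershell
# Added example (not lab code): read the UAC policy values and compare them with the
# lab's target (signed-and-validated enforcement on, consent prompt on the secure desktop).
# Assumptions: value names/meanings are the documented UAC policy values.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Meanings of ConsentPromptBehaviorAdmin (Behavior of the elevation prompt for
# administrators in Admin Approval Mode).
$AdminPromptMeaning = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'
}

function Get-UacState {
    $p = Get-ItemProperty -Path $UacKey
    $behaviour = $p.ConsentPromptBehaviorAdmin
    [pscustomobject]@{
        EnableLUA                   = $p.EnableLUA                    # 1 = Admin Approval Mode on
        ConsentPromptBehaviorAdmin  = $behaviour
        AdminPromptMeaning          = if ($null -eq $behaviour) { '<not set>' } else { $AdminPromptMeaning[[int]$behaviour] }
        PromptOnSecureDesktop       = $p.PromptOnSecureDesktop        # 1 = prompts use the secure desktop
        ValidateAdminCodeSignatures = $p.ValidateAdminCodeSignatures  # 1 = only elevate signed and validated executables
    }
}

function Test-LabUacConfig {
    $state  = Get-UacState
    $issues = @()
    if ($state.EnableLUA -ne 1)                   { $issues += 'EnableLUA is not 1: UAC is switched off entirely' }
    if ($state.ValidateAdminCodeSignatures -ne 1) { $issues += 'ValidateAdminCodeSignatures is not 1' }
    if ($state.ConsentPromptBehaviorAdmin -ne 2)  { $issues += 'ConsentPromptBehaviorAdmin is not 2 (prompt for consent on the secure desktop)' }
    return $issues
}

Get-UacState | Format-List
$issues = Test-LabUacConfig
if ($issues) { $issues | ForEach-Object { "MISMATCH: $_" } } else { 'UAC settings match the lab configuration' }
```

Reading the registry rather than the Control Panel slider matters in practice because the slider summarises several values at once; ConsentPromptBehaviorAdmin set to 0 (no prompt at all) is the value an auditor wants to catch, and only the raw value shows it unambiguously.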
10. Click the General tab. Under Browsing History, click Delete.
11. In the Delete Browsing History dialog box, clear Preserve Favorites website data, select Temporary Internet files and website files, Cookies and website data, and History, and then click Delete.
12. Click OK to close Internet Options.
13. Confirm that there are no addresses stored in the Address bar by clicking the down arrow next to the Address bar.
14. On the Tools menu, click InPrivate Browsing.
15. Type http://LON-DC1 into the Address bar, and then press Enter.
16. Confirm that the address you typed is not stored by clicking the down arrow next to the Address bar.
17. Close the InPrivate Browsing window.
18. Close Internet Explorer.
19. On LON-CL1, click the Internet Explorer icon on the taskbar.
20. Type http://LON-DC1 into the Address bar, and then press Enter.
21. In Internet Explorer, click Tools, and then click Internet Options.
22. On the Security tab, click Local intranet, and then under Security level for this zone, move the slider to High.
23. Click OK.
24. On the A Datum Intranet home page, click Current Projects.
25. Close the new tab.
26. In Internet Explorer, click Tools, and then click Internet Options.
27. On the Security tab, click Trusted Sites.
28. Click Sites.
29. In the Trusted sites dialog box, clear the Require server verification (https:) for all sites in this zone check box.
30. Click Add, and then click Close.
31. In the Internet Options dialog box, click OK.
32. On the A Datum Intranet home page, click Current Projects.
33. Close Internet Explorer and all open windows.
34. Log off LON-CL1.
Results: After completing this exercise, you will have successfully configured Internet Explorer's security and compatibility settings.
Configuring Applications
In the Local Group Policy Editor, expand Computer Configuration, expand Windows Settings, and then expand Security Settings.
Expand Application Control Policies, and then double-click AppLocker.
Click Executable Rules, and then right-click and select Create New Rule.
Click Next.
On the Permissions screen, select Deny, and then click the Select button.
In the Select User or Group dialog box, in the Enter the object names to select (examples) box, type IT, click Check Names, and then click OK.
Click Next.
10. On the Conditions screen, select Path, and then click Next.
11. Click the Browse Files button, and then in the File name box, type C:\Program Files\Windows Media Player\wmplayer.exe, and then click Open.
12. Click Next.
13. Click Next again, and then click Create.
14. Click Yes when prompted to create default rules.
On the Enforcement tab, under Executable rules, click the Configured check box, and then select Enforce rules.
Click OK.
Close the Local Group Policy Editor.
Pause the pointer in the lower-right of the display, and then click Start.
On the Start screen, type cmd.exe, and then press Enter.
In the Command Prompt window, type gpupdate /force, and then press Enter. Wait for the policy to be updated.
Results: At the end of the exercise, you will have successfully created the required AppLocker rule.
Note: AppLocker is not implemented in this prerelease version of the software. You are not prevented from running Windows Media Player.
4. Log off.
5. Log on as Adatum\Administrator with the password Pa$$w0rd.
6. Right-click the Start screen, and then click All apps.
7. In the Apps list, right-click Computer, and then click Manage.
8. In Event Viewer, expand Applications and Services Logs, and then expand Microsoft.
9. Expand Windows, expand AppLocker, and then click EXE and DLL.
10. Review the entries in the results pane.
Note: AppLocker is not implemented in this prerelease version of the software. Event ID 8008 is displayed, indicating this fact. Normally, you would see event ID 8004: The application was prevented from running.
11. Close Computer Management.
12. Log off.
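The rule-creation and verification tasks above can also be done from PowerShell, which is useful when the same rule has to be reproduced on several clients or checked without opening Event Viewer. The following is an added example, not code from the course lab: it builds the same policy the Local Group Policy Editor wizard produces (a Deny path rule for Adatum\IT on wmplayer.exe plus the three default executable rules the wizard offers to create), tests it before applying it, applies it to the local policy, and reads the AppLocker event log. It assumes an elevated session on a Windows 8 Enterprise client with the AppLocker module; the rule names, the SIDs of Everyone and Administrators, and the 8002/8003/8004 event IDs are documented values, and everything else is constructed here.

```powershell
# Added example, not from the course lab: create, test, apply and audit the
# AppLocker rule the exercise builds by hand. Assumes an elevated session.
Import-Module AppLocker

# AppLocker XML stores SIDs, not names.
$itSid = (New-Object System.Security.Principal.NTAccount('Adatum\IT')).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# The default rules matter: once the Exe collection is enforced, anything not
# covered by an Allow rule is blocked, including explorer.exe.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny Windows Media Player for IT"
                  Description="Constructed for this example" UserOrGroupSid="$itSid" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\Windows Media Player\wmplayer.exe" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files located in the Program Files folder"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files located in the Windows folder"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files"
                  Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = Join-Path $env:TEMP 'AdatumAppLocker.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run before applying: what would this policy decide for a member of IT,
# and, just as important, for everyone else?
foreach ($user in 'Adatum\IT', 'S-1-1-0') {
    Test-AppLockerPolicy -XmlPolicy $policyPath -User $user `
        -Path 'C:\Program Files\Windows Media Player\wmplayer.exe', 'C:\Windows\explorer.exe' |
        Select-Object @{ n = 'User'; e = { $user } }, FilePath, PolicyDecision, MatchingRule
}

# Apply to the local policy (-Merge keeps any existing local rules), make sure
# the Application Identity service that evaluates rules is running, and refresh.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
gpupdate.exe /force | Out-Null

# Same log the lab opens in Event Viewer: 8004 = blocked, 8003 = would have
# been blocked (audit-only mode), 8002 = allowed.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8002, 8003, 8004 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { ($_.Message -split "`n")[0] } }
```

The Test-AppLockerPolicy pass should report Denied for wmplayer.exe when the user is Adatum\IT and Allowed for explorer.exe in both cases; if the Everyone row shows DeniedByDefault for explorer.exe, the default rules are missing and enforcing the policy would lock users out of the shell.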
Results: At the end of this exercise, you will have successfully verified the function of your executable AppLocker rule.
9. Expand User Defined, right-click User Defined, point to New, and then click Data Collector Set.
10. In the Create new Data Collector Set Wizard, on the How would you like to create this new data collector set? page, in the Name box, type Adatum Baseline.
11. On the What type of data do you want to include? page, select the Performance counter check box, and then click Next.
12. On the Which performance counters would you like to log? page, in the Sample interval box, type 1, and then click Add.
13. In the Available counters list, expand Memory, select Pages/sec, and then click Add.
14. In the Available counters list, expand Network Interface, select Packets/sec, and then click Add.
15. In the Available counters list, expand Physical Disk, select % Disk Time, and then click Add.
16. Under Physical Disk, select Avg. Disk Queue Length, and then click Add.
17. In the Available counters list, expand Processor, select % Processor Time, and then click Add.
18. In the Available counters list, expand System, select Processor Queue Length, click Add, and then click OK.
19. On the Which performance counters would you like to log? page, click Next.
20. On the Where would you like the data to be saved? page, click Next.
21. On the Create the data collector set page, click Finish.
22. In Performance Monitor, in the navigation pane, right-click Adatum Baseline, and then click Start.
23. Pause the mouse pointer over the lower-right corner of the desktop, and then click Start.
24. Right-click the Start screen, click All Apps, and then click Microsoft Word 2010.
25. In the User Name dialog box, click OK.
26. In Word, if prompted to Help Protect and Improve Microsoft Office, click Don't make changes, and then click OK.
27. Pause the mouse pointer over the lower-right corner of the desktop, and then click Start.
28. Right-click the Start screen, click All Apps, and then click Microsoft Excel 2010.
29. Pause the mouse pointer over the lower-right corner of the desktop, and then click Start.
30. Right-click the Start screen, click All Apps, and then click Microsoft PowerPoint 2010.
31. Close all open Microsoft Office applications, and then switch to Performance Monitor.
32. In the navigation pane, right-click Adatum Baseline, and then click Stop.
Results: After this exercise, you should have created a performance monitoring baseline.
Results: After this exercise, you should have generated additional load on the computer.
After a few minutes, click OK at the prompt and close the instance of C:\Windows\System32\cmd.exe that the script launched.
5. Switch to Performance Monitor.
6. In the navigation pane, right-click Adatum Baseline, and then click Stop.
7. In Performance Monitor, in the navigation pane, expand Reports, expand User Defined, expand Adatum Baseline, and then click the second report whose name begins with LON-CL1.
8. View the chart.
9. On the menu bar, click the drop-down arrow, and then click Report.
10. Record the component details:
a. Memory: Pages per second
b. Network Interface: Packets per second
c. Physical Disk: % Disk Time
d. Physical Disk: Avg. Disk Queue Length
e. Processor: % Processor Time
f. System: Processor Queue Length
Answer: The script is affecting memory and the disk. However, no resources are approaching their limits, although paging is becoming excessive.
11. Close all open windows and programs, and then go back to the Start screen.
Results: After this exercise, you should have identified the computer's performance bottleneck.
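The baseline, load and bottleneck exercises above can be scripted, which makes the comparison repeatable and takes the "record the component details" step out of the report view. The following is an added example, not code from the course lab: it creates the same user-defined counter Data Collector Set with logman (the six counters and 1-second interval are the lab's), runs it for a fixed window while load is generated, reads the resulting log back with Import-Counter, and flags any counter whose average exceeds a guideline. The output folder and the threshold values are assumptions for this example and should be tuned to your own baseline.

```powershell
# Added example, not from the course lab: create, run and analyse the
# "Adatum Baseline" counter log from PowerShell. Assumes an elevated session.
$setName  = 'Adatum Baseline'
$outDir   = 'C:\PerfLogs\Adatum'          # assumed location
$counters = @(
    '\Memory\Pages/sec',
    '\Network Interface(*)\Packets/sec',
    '\PhysicalDisk(_Total)\% Disk Time',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\Processor(_Total)\% Processor Time',
    '\System\Processor Queue Length'
)
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Same thing the wizard produces: a user-defined counter Data Collector Set,
# 1-second sample interval, binary (.blg) output.
logman.exe create counter $setName -c $counters -si 00:00:01 -o "$outDir\baseline" -f bin
logman.exe start $setName
Start-Sleep -Seconds 60     # generate load here (the lab opens Word, Excel and PowerPoint)
logman.exe stop $setName

# Read the newest .blg back and summarise each counter.
$log     = Get-ChildItem "$outDir\baseline*.blg" | Sort-Object LastWriteTime | Select-Object -Last 1
$samples = Import-Counter -Path $log.FullName
$summary = $samples.CounterSamples |
    Group-Object Path |
    ForEach-Object {
        $vals = $_.Group.CookedValue
        [pscustomobject]@{
            Counter = ($_.Name -replace '^\\\\[^\\]+', '')   # strip the \\COMPUTER prefix
            Average = [math]::Round(($vals | Measure-Object -Average).Average, 2)
            Maximum = [math]::Round(($vals | Measure-Object -Maximum).Maximum, 2)
        }
    }
$summary | Format-Table -AutoSize

# Guideline thresholds (assumed for this example; tune to your own baseline).
# Hashtable keys are case-insensitive, so the lower-cased imported paths match.
$limits = @{
    '\Memory\Pages/sec'                            = 20
    '\PhysicalDisk(_Total)\% Disk Time'            = 80
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length' = 2
    '\Processor(_Total)\% Processor Time'          = 85
    '\System\Processor Queue Length'               = 2 * $env:NUMBER_OF_PROCESSORS
}
foreach ($row in $summary) {
    if ($limits.ContainsKey($row.Counter) -and $row.Average -gt $limits[$row.Counter]) {
        '{0} averaged {1}, above the {2} guideline' -f $row.Counter, $row.Average, $limits[$row.Counter]
    }
}
```

Run the block once with the system idle to capture the baseline and again while the load script runs; comparing the two summaries shows the same picture the lab's answer describes, with Pages/sec rising while the other counters stay within their guidelines.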
When you have finished the lab, leave the virtual machines running, as they are needed for the next lab.
10. In the Configure Automatic Updates window, click Enabled.
11. In the Configure automatic updating box, click 4 - Auto download and schedule the install.
12. Click OK, and then close the Group Policy Management Editor window.
13. Close the Group Policy Management window.
Task 3: Verify that the automatic updates setting from the GPO is being applied
1. Switch to LON-CL1.
2. Pause the pointer in the lower-right corner of the display, and then click Start.
3. Right-click the Start screen, and then click All apps.
4. In the Apps list, click Command Prompt.
5. In the command prompt, type gpupdate /force, and then press Enter.
6. Close the command prompt.
7. Switch to Windows Update.
8. Notice that your computer is now configured for automatic updates.
Results: After this exercise, you should have configured Windows Update settings by using GPOs.
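Task 3 verifies the setting visually in Windows Update. The same check can be made against the policy registry values the GPO writes, which is how you would confirm it on many clients or from a script. The following is an added example, not code from the course lab: it refreshes policy, reads the WindowsUpdate\AU policy key, and maps AUOptions to the option names shown in the Group Policy setting. The registry path and the AUOptions meanings are documented values; the function name is this example's.

```powershell
# Added example, not from the course lab: confirm that the Configure Automatic
# Updates GPO setting has reached this client. Run on LON-CL1.
function Get-AuPolicyState {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $meaning = @{
        2 = 'Notify for download and notify for install'
        3 = 'Auto download and notify for install'
        4 = 'Auto download and schedule the install'
        5 = 'Allow local admin to choose setting'
    }
    if (-not (Test-Path $key)) {
        # No policy key at all: the GPO has not applied (wrong link, filtering, or no refresh yet).
        return [pscustomobject]@{ PolicyApplied = $false; AUOptions = $null; Meaning = 'No WindowsUpdate\AU policy key present' }
    }
    $au = Get-ItemProperty -Path $key
    [pscustomobject]@{
        PolicyApplied = ($au.NoAutoUpdate -ne 1)        # NoAutoUpdate=1 means "Disabled"
        AUOptions     = $au.AUOptions
        Meaning       = $meaning[[int]$au.AUOptions]
        ScheduledDay  = $au.ScheduledInstallDay           # 0 = every day
        ScheduledTime = $au.ScheduledInstallTime          # hour of day, 0-23
    }
}

gpupdate.exe /force | Out-Null
Get-AuPolicyState

# Resultant Set of Policy, to see which GPO supplied the setting.
gpresult.exe /r /scope:computer
```

After the GPO from the previous task has applied, AUOptions should be 4 and Meaning should read "Auto download and schedule the install"; if the key is absent, check the GPO link and the gpresult output before assuming the client is misconfigured.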
On the Change settings for the plan: Adam's power-saving plan page, click Change advanced power settings.
Configure the following properties for the plan, and then click OK:
o Turn off hard disk after: 3 minutes
o Wireless Adapter Settings, Power Saving Mode: Maximum Power Saving
o Power buttons and lid, Power button action: Shut down
4. On the Change settings for the plan: Adam's power-saving plan page, click Cancel.
5. Close Power Options.
6. Log off from LON-CL1.
Results: After this exercise, you should have successfully created and configured a suitable power plan for Adam's laptop computer.
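The plan configured above can be created with powercfg, which is how the same settings would be pushed to several laptops. The following is an added example, not code from the course lab: it clones the built-in Power saver plan, renames it, and sets the three advanced settings the exercise lists. The plan name and the settings are the lab's; the subgroup and setting GUIDs for Wireless Adapter Settings / Power Saving Mode are assumed from documentation and should be confirmed with powercfg /query on the target build before relying on them.

```powershell
# Added example, not from the course lab: build "Adam's power-saving plan"
# with powercfg. Run elevated on the laptop.
$name = "Adam's power-saving plan"

# Clone the Power saver plan (alias SCHEME_MIN); powercfg prints the new scheme GUID.
$out  = powercfg.exe /duplicatescheme SCHEME_MIN
$guid = [regex]::Match($out, '[0-9a-f-]{36}').Value
if (-not $guid) { throw "powercfg did not return a scheme GUID: $out" }
powercfg.exe /changename $guid $name

# Turn off hard disk after 3 minutes (value is in seconds), on battery and on AC.
powercfg.exe /setdcvalueindex $guid SUB_DISK DISKIDLE 180
powercfg.exe /setacvalueindex $guid SUB_DISK DISKIDLE 180

# Wireless Adapter Settings > Power Saving Mode: 3 = Maximum Power Saving.
# GUIDs assumed from documentation; verify with: powercfg /query $guid
$wlanSub = '19cbb8fa-5279-450e-9fac-8a3d5fedd0c1'
$wlanPsm = '12bbebe6-58d6-4636-95bb-3217ef867c1a'
powercfg.exe /setdcvalueindex $guid $wlanSub $wlanPsm 3
powercfg.exe /setacvalueindex $guid $wlanSub $wlanPsm 3

# Power buttons and lid > Power button action: 3 = Shut down.
powercfg.exe /setdcvalueindex $guid SUB_BUTTONS PBUTTONACTION 3
powercfg.exe /setacvalueindex $guid SUB_BUTTONS PBUTTONACTION 3

# Make it the active plan and read one setting back to confirm.
powercfg.exe /setactive $guid
powercfg.exe /list
powercfg.exe /query $guid SUB_DISK DISKIDLE
```

The final /query should show Current DC and AC Power Setting Index of 0x000000b4 (180 seconds) for the disk idle setting, matching the 3 minutes entered in the advanced settings dialog.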
When you have finished the lab, leave the virtual machines running, as they are needed for the next lab.
In the Network and Sharing Center window, under Change your networking settings, click Set up a new connection or network.
In the Choose a connection option dialog box, click Connect to a workplace, and then click Next.
In the Connect to a workplace dialog box, select the Use my Internet connection (VPN) option.
When prompted, select I'll set up an Internet connection later.
In the Type the Internet address to connect to dialog box, specify an Internet address of 172.16.0.10 and a Destination name of Adatum, and then click Create.
The VPN connects.
On LON-CL1, on the taskbar, click Windows Explorer.
In the navigation pane, right-click Computer, and then click Map network drive.
In the Drive box, click P:.
In the Folder box, type \\LON-DC1\Data, and then click Finish.
6. In the address bar, type cmd.exe, and then press Enter.
7. At the command prompt, type ipconfig /all, and then press Enter.
8. What IPv4 address has your computer been assigned over the PPP adapter connection?
9.
10. Right-click Adatum, and then click Connect/Disconnect.
11. Click Adatum, and then click Disconnect.
12. Close all open windows.
13. Click back to the Start screen.
Results: After this exercise, you should have successfully connected to the Adatum HQ with your VPN.
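The connection, drive mapping and PPP-address check in this exercise can be done with the VpnClient and NetTCPIP modules that ship with Windows 8. The following is an added example, not code from the course lab: the server address 172.16.0.10, the connection name Adatum and the share \\LON-DC1\Data are the lab's; the user-name prompt and the tunnel and authentication choices are this example's assumptions.

```powershell
# Added example, not from the course lab: create the Adatum VPN connection,
# dial it, map P:, read the PPP address, and disconnect. Run on LON-CL1.
Import-Module VpnClient

# "Use my Internet connection (VPN)" with the lab's address and name.
# -RememberCredential is deliberately not used, so no VPN secret is cached on the laptop.
Add-VpnConnection -Name 'Adatum' -ServerAddress '172.16.0.10' -TunnelType Automatic `
    -AuthenticationMethod MSChapv2 -EncryptionLevel Required -Force

# Dial. Passing * as the password makes rasdial prompt for it instead of
# taking it from the command line, where it would be visible in process listings.
$user = Read-Host 'VPN user name (e.g. Adatum\Adam)'
rasdial.exe Adatum $user *
if ($LASTEXITCODE -ne 0) { throw "VPN connection failed (rasdial exit code $LASTEXITCODE)" }

# Map P: to the data share; -Persist makes the mapping survive logoff,
# as the Map network drive dialog does by default.
New-PSDrive -Name P -PSProvider FileSystem -Root '\\LON-DC1\Data' -Persist | Out-Null
Get-ChildItem P:\ | Select-Object -First 5

# The answer to step 8: the address assigned over the PPP adapter, whose
# interface alias is the connection name.
Get-NetIPAddress -InterfaceAlias 'Adatum' -AddressFamily IPv4 |
    Select-Object InterfaceAlias, IPAddress, PrefixLength

# Tear down, as in steps 10 and 11.
Remove-PSDrive -Name P
rasdial.exe Adatum /disconnect
```

Get-NetIPAddress shows the same address that ipconfig /all lists under the PPP adapter, and once rasdial /disconnect has run the Adatum interface disappears from the output.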
When you have finished the lab, leave the virtual machines running, as they are needed for the next lab.
Task 1: Enable Remote Desktop through the firewall and enable Remote Desktop on Adam's office computer
1. On LON-CL1, right-click the Start screen, and then click All apps.
2. In the Apps list, click Control Panel.
3. Click System and Security.
4. Under Windows Firewall, click Allow an app through Windows Firewall.
5. In the Name list, select Remote Desktop, and enable the application for each of the network profiles: Domain, Private, and Public.
6. Click OK.
7. In System and Security, click Allow remote access.
8. In System Properties, under Remote Desktop, click Allow remote connections to this computer. Click Select Users, and then click Add.
9. In the Select Users or Groups dialog box, in the Enter the object names to select (examples) box, type Adam, click Check Names, and then click OK.
10. In the Remote Desktop Users dialog box, click OK.
11. In the System Properties dialog box, click OK.
12. Close all open windows.
13. Switch to the LON-CL2 virtual machine, and then log on as Adatum\Administrator with the password Pa$$w0rd.
14. On the Start screen, type mstsc, and then in the Apps list, click Remote Desktop Connection.
15. In the Remote Desktop Connection dialog box, in the Computer box, type lon-cl1, and then click Show Options.
16. Click the Advanced tab.
17. Under Server authentication, in the If server authentication fails list, click Connect and don't warn me.
8. In the Apps list, right-click Computer, and then click Properties.
9. Notice the computer name.
10. Close the Remote Desktop session. In the Remote Desktop Connection dialog box, click OK.
11. Close all open windows.
12. Switch to the LON-CL1 virtual machine.
13. Notice that you have been logged off.
Results: After this exercise, you should have successfully verified that Remote Desktop is functional.
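Task 1's firewall, System Properties and group-membership steps map onto a few commands on LON-CL1, which is the form you would use to enable Remote Desktop consistently across office PCs and to audit who can connect. The following is an added example, not code from the course lab: the user Adam, the host lon-cl1 and the three firewall profiles are the lab's; the registry values are the documented Terminal Server settings behind the System Properties check boxes.

```powershell
# Added example, not from the course lab: enable Remote Desktop on LON-CL1 the
# way Task 1 does, then show what is configured. Run elevated on LON-CL1.

# Allow Remote Desktop through Windows Firewall. The lab enables it on Domain,
# Private and Public; an office PC that never leaves the LAN only needs Domain.
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Select-Object DisplayName, Enabled, Profile, Direction

# "Allow remote connections to this computer": fDenyTSConnections=0 turns RDP on.
# UserAuthentication=1 keeps Network Level Authentication on, so a client must
# authenticate before a session (and its logon screen) is created on the host.
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0
Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1

# "Select Users": add Adam to the local Remote Desktop Users group. Windows 8
# has no Add-LocalGroupMember cmdlet, so net.exe does the job.
net.exe localgroup 'Remote Desktop Users' 'Adatum\Adam' /add

# Audit: who is permitted, and who is connected right now.
net.exe localgroup 'Remote Desktop Users'
quser.exe

# From LON-CL2 the connection itself is: mstsc.exe /v:lon-cl1
# Leaving the Advanced tab at its default keeps the warning that appears when
# the host's certificate cannot be validated; step 17 of the lab suppresses it.
```

The quser output after Task 2 shows the administrator's session from LON-CL2 and explains step 13 of that task: an RDP session on a client OS takes over the console, so the interactive user on LON-CL1 is logged off.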
2. In the Open dialog box, in the File name box, type C:\Program Files\Microsoft Learning\20687\Drives\Windows8.iso, and then click Open.
3. On the Action menu, click Start.
4. When you see the Press any key to boot from CD or DVD message, press Spacebar. Setup loads.
5. When prompted, in the Windows Setup dialog box, click Next.
6. On the Windows Setup page, click Repair your computer.
7. On the Choose an option page, click Troubleshoot.
8. On the Troubleshoot page, click Advanced options.
9. On the Advanced options page, click Command Prompt.
10. At the command prompt, type bcdedit /enum, and then press Enter.
11. At the command prompt, type Bootrec /scanos, and then press Enter.
12. At the command prompt, type diskpart, and then press Enter.
13. At the command prompt, type list disk, and then press Enter.
14. At the command prompt, type list volume, and then press Enter.
15. At the command prompt, type exit, and then press Enter.
16. At the command prompt, type exit, and then press Enter.
17. On the Choose an option page, click Troubleshoot.
18. On the Troubleshoot page, click Advanced options.
19. On the Advanced options page, click Automatic Repair.
20. On the Automatic Repair page, click Windows 8. Automatic repair starts.
21. On the Automatic Repair page, click Advanced options.
22. On the Choose an option page, click Continue. Windows starts normally.
At the command prompt, type bcdedit /copy {current} /d "Duplicate boot entry", and then press Enter.
5. At the command prompt, type bcdedit /enum, and then press Enter.
6. At the command prompt, type shutdown /r, and then press Enter.
10. On your host computer, switch to Hyper-V Manager.
11. In the Virtual Machines list, right-click 20687A-LON-CL1, and then click Revert.
12. In the Revert Virtual Machines prompt, click Revert.
13. In the Virtual Machines list, right-click 20687A-LON-CL1, and then click Start.
14. In the Virtual Machines list, right-click 20687A-LON-CL1, and then click Connect.
Results: After this exercise, you will have used various Windows 8 startup-recovery tools.
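The bcdedit and disk-enumeration parts of this exercise can be reproduced from an elevated PowerShell prompt in the running operating system, with two additions a practitioner would want: an export of the BCD store before it is modified, and removal of the duplicate entry afterwards instead of reverting the whole virtual machine. The following is an added example, not code from the course lab: the description "Duplicate boot entry" is the lab's, the backup path is assumed, and the Bootrec /scanos and Automatic Repair steps are left as the lab runs them, since they belong to the Windows Recovery Environment.

```powershell
# Added example, not from the course lab: BCD diagnostics and the duplicate
# boot entry exercise from the running OS. Run in an elevated session.
$backup = 'C:\BCD-backup.bcd'          # assumed path
bcdedit.exe /export $backup             # undo everything below with: bcdedit /import C:\BCD-backup.bcd

# What the lab reads in Windows RE with bcdedit /enum and diskpart's
# list disk / list volume.
bcdedit.exe /enum
Get-Disk   | Select-Object Number, FriendlyName, PartitionStyle, Size
Get-Volume | Select-Object DriveLetter, FileSystemLabel, FileSystem, Size

# Copy the current entry. {current} must be quoted in PowerShell, otherwise the
# parser treats it as a script block. bcdedit prints the new entry's GUID.
$out  = bcdedit.exe /copy '{current}' /d 'Duplicate boot entry'
$guid = [regex]::Match($out, '\{[0-9a-f-]{36}\}').Value
if (-not $guid) { throw "bcdedit did not return a new entry id: $out" }

# The entry now appears in the boot menu (step 5 of the exercise).
bcdedit.exe /enum | Select-String -Pattern 'identifier|description'

# Remove it again rather than leave a second boot option behind; /cleanup also
# drops it from the display order.
bcdedit.exe /delete $guid /cleanup
bcdedit.exe /enum | Select-String -Pattern 'Duplicate boot entry'   # expect no output
```

If the second bcdedit /enum still lists the entry, restore the exported store with bcdedit /import rather than editing further; the incident that follows shows what a boot store missing required information looks like from the user's side.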
Incident Details
Adam Carter has reported that his computer will not start properly.
Additional information
Adam has been trying to install an additional operating system on his computer so that he can run a specific line-of-business (LOB) application. He abandoned the installation after getting only partly through the process. Since then, his computer displays the following error message when it starts:
Windows Boot Manager
File: \Boot\BCD
Status: 0xc0000034
Info: The Windows Boot Configuration Data (BCD) file is missing required information.
Plan of Action
Visit the user, and view the error on his computer. Insert the product DVD, and restart the computer. Use the Microsoft Windows Recovery Environment (Windows RE) to recover the startup environment by using the Command Prompt tool, and then running Bootrec.exe /RebuildBCD to repair the boot store.
Results: After this exercise, you should have reproduced the reported startup problem on Adam's computer.
10. On the Troubleshoot page, click Advanced options.
11. On the Advanced options page, click Command Prompt.
12. At the command prompt, type Bootrec /Scanos, and then press Enter.
13. At the command prompt, type Bootrec /RebuildBCD, and then press Enter.
14. At the command prompt, type A, and then press Enter.
15. Restart LON-CL1, and then log on by using the following credentials:
o User name: Adatum\Administrator
o Password: Pa$$w0rd
17. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance. To repeat or exit the exercise, revert the virtual machine environment.
Results: After this exercise, you should have resolved the startup problem, and documented your solution.