Transcript
Professor Messer’s
Microsoft 70-680 Configuring Windows 7 Study Guide
http://www.ProfessorMesser.com

Windows 7 Editions

Windows 7 Hardware Requirements
Windows 7 Installation Sources
DVD-ROM
• Available as an ISO file
• Doesn’t scale very well
USB Drive
• Faster than a DVD-ROM
• Need at least 4 GB of space for OS files
• Doesn’t scale well
Network Share
• Copy Windows 7 installation media to a share
• Boot with Windows PE
• Still has scaling problems, but the installation media can be easily updated
Windows Deployment Services (WDS)
• Automated deployment
• Requires a network, Server 2008, Active Directory
• Uses multicast
• Install on many computers simultaneously
• Scales extremely well
Microsoft Assessment and Planning Toolkit
• Large-scale upgrade assessment
• Integrates with Active Directory
• Scans the network to find computers
• Inventories computers, servers, and virtual machines
• Many different operating systems
• Doesn’t require any agent software
Windows 7 Migration
Side-by-side
• Two computers
• Move information from one to the other
Wipe-and-load
• Export data, nuke and install, and import
• Exported data can be deleted afterwards
• Profiles copied to external device
  • USB storage, network share
Windows Easy Transfer
• Migrate from Windows XP, Windows Vista, or Windows 7
• Useful when moving to a new computer
• Supports both side-by-side and wipe-and-load
User State Migration Tool
USMT
• Included with the Windows Automated Installation Kit (AIK)
• Very scalable
• Built for large enterprises
• Works at the command line
• Migrate from Windows XP and Windows Vista to Windows 7
• Migrate from Windows 7 to Windows Vista
Two-step process
• Can be completely automated
• Take advantage of the command line
• ScanState
  • Compiles and stores the migration data
  • Must run in an elevated prompt (Vista, 7)
  • Folder options, fonts, wallpaper settings, etc.
  • MigUser.xml - Migrate user folders, files, and file types
  • MigDocs.xml - Location of user documents
  • Config.xml - Exclude migration features
Storing the migrated data
• Uncompressed
  • Stored in folders, view using Windows Explorer
• Compressed
  • Uses less space, can’t be viewed in Windows Explorer
• Hardlink
  • Creates links to the user data
  • Links are followed when performing wipe-and-load
  • Doesn’t duplicate files
  • Can save a lot of time
  • You’ll need a minimum of 250 MB free
Windows Automated Installation Kit
• Windows SIM (System Image Manager)
  • Manages image distribution
• ImageX
  • Create and modify Windows images (WIM)
• DISM (Deployment Image Servicing and Management)
  • Modify an image with updates and drivers
• Windows PE (Preinstallation Environment)
  • A minimal boot OS
• OSCDIMG
  • Command line creation of ISO files
• USMT (User State Migration Tool)
  • Migrate user information between OS versions
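The two-step ScanState/LoadState process and the hardlink store described above, put into a wipe-and-load script. This is an added example, not from the study guide; the USMT install path, the store and log locations, and a Config.xml generated beforehand with scanstate /genconfig are assumptions.

```powershell
# Added example (not from the study guide): USMT wipe-and-load with a hardlink store.
# Assumptions: USMT from the Windows AIK is installed under $UsmtDir, Config.xml was
# generated earlier with "scanstate /genconfig", and this runs from an elevated prompt.
$UsmtDir   = 'C:\Program Files\Windows AIK\Tools\USMT\amd64'   # assumed install path
$StoreDir  = 'C:\MigStore'             # hardlink store; must be on the same volume as the user data
$ConfigXml = 'C:\Migration\Config.xml' # assumed; lists the migration features to exclude
$LogDir    = 'C:\MigLogs'

function Invoke-Usmt([string]$Tool, [string[]]$Arguments) {
    # Run scanstate.exe or loadstate.exe synchronously and return its exit code (0 = success).
    $exe = Join-Path $UsmtDir $Tool
    $p = Start-Process -FilePath $exe -ArgumentList $Arguments -Wait -PassThru -NoNewWindow
    return $p.ExitCode
}

function Test-HardlinkStoreSpace([string]$Path, [int]$MinimumMB = 250) {
    # A hardlink store does not copy the files, but the guide still requires 250 MB free.
    $drive = [System.IO.Path]::GetPathRoot($Path).TrimEnd('\')
    $disk  = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$drive'"
    return ([int64]$disk.FreeSpace -ge ($MinimumMB * 1MB))
}

# Options shared by both steps; the store type chosen at scan time must match at load time.
#   /hardlink /nocompress  link to the existing files instead of duplicating them
#   /i:MigUser.xml         user folders, files, and file types
#   /i:MigDocs.xml         locations of user documents
#   /config:Config.xml     exclude migration features
#   /c                     continue on non-fatal errors;  /l: log file
function Get-CommonArgs([string]$LogName) {
    return @($StoreDir, '/hardlink', '/nocompress',
             "/i:`"$UsmtDir\MigUser.xml`"", "/i:`"$UsmtDir\MigDocs.xml`"",
             "/config:`"$ConfigXml`"", '/c', "/l:`"$LogDir\$LogName`"")
}

if (-not (Test-Path $LogDir)) { New-Item -ItemType Directory -Path $LogDir | Out-Null }

switch ($args[0]) {
    # Step 1, before the wipe: ScanState compiles and stores the user state (/o overwrites an old store)
    'scan' {
        if (-not (Test-HardlinkStoreSpace $StoreDir)) { throw 'Less than 250 MB free for the hardlink store' }
        exit (Invoke-Usmt 'scanstate.exe' ((Get-CommonArgs 'scanstate.log') + '/o'))
    }
    # Step 2, after the clean Windows 7 install on the same volume: LoadState follows the links
    'load'  { exit (Invoke-Usmt 'loadstate.exe' (Get-CommonArgs 'loadstate.log')) }
    default { Write-Host 'Usage: usmt-hardlink.ps1 scan | load' }
}
```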
Building and distributing a Windows 7 image
• Run audit mode (Shift-Ctrl-F3)
  • Bypass Windows Welcome
  • Tweak your reference image, load apps and drivers
• Sysprep
  • Clear unique names
  • Set Windows Welcome - Out-of-box-experience (OOBE)
  • c:\windows\system32\sysprep\sysprep.exe /oobe /generalize /shutdown
  • Reset the 30-day activation up to three times
• Plan Windows 7 installation on reference PC
  • Build an answer file
• Validate and save the answer file
  • Save Autounattend.xml to the root
• Perform Windows 7 installation
  • Use Sysprep to generalize and set OOBE (out of box experience)
• Create bootable Windows PE disk or USB flash drive
• Create image and store on network share
• Deploy the image
Capturing an image
Sysprep and other prep
Create a Windows PE boot disk
• You’ll want to add ImageX to the disk
• It doesn’t come in the default configuration
Boot to PE and create an image
• This is why you added ImageX
• Have a destination ready for the image
• Have your computer Sysprep’d prior to the imaging
• Your image should be ready for the first user
• The final image is a WIM file
SCCM features and capabilities
• Can be integrated with Microsoft Deployment Toolkit (MDT) 2010 for ZTI
• Command line control
• Software installation and updates
• Domain management
• Restart computers
• Partition disks
• Manage user state information
• Image computers
• Driver management
WDS images
Make a VHD
• Use Disk Management to attach and detach
• Use diskpart to create vdisk
• Ideally, the VHD would be in a separate disk
  • Or at least a different partition
• Apply an existing WIM with ImageX
Boot from the VHD
• bcdedit
  • Modify your boot entries
• Can only boot to a Windows 7 or Windows 2008 R2 VHD
• Change the “device” and “osdevice” to the VHD
• Enable the hardware abstraction layer (HAL)
• Can’t use BitLocker or hibernation
• Not a great choice for laptops
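The image-capture and boot-from-VHD procedures above, scripted end to end: a capture.cmd for the Windows PE media, a diskpart script that creates and attaches the VHD, ImageX applying the captured WIM, and bcdedit pointing a copied boot entry at the VHD. Added example, not from the study guide; the AIK path, image share, VHD location and the PE drive letter are assumptions.

```powershell
# Added example (not from the study guide): build a boot-from-VHD test system from a
# captured WIM. Assumes the Windows AIK is installed (ImageX at $ImageX, assumption),
# an elevated prompt, and that the reference PC was Sysprep'd before capture.
$ImageX    = 'C:\Program Files\Windows AIK\Tools\amd64\imagex.exe'   # assumed AIK path
$WimPath   = '\\server\images\win7-ref.wim'                           # assumed share
$VhdPath   = 'D:\VHD\win7-test.vhd'   # separate partition from the OS, as the guide advises
$VhdLetter = 'V'

function Write-CaptureCmd([string]$PeDriveRoot) {
    # Step 1: a capture.cmd placed on the Windows PE media. Windows PE 3.0 has no
    # PowerShell, so this batch file is what you run from the PE prompt after booting.
    $cmd = @"
@echo off
rem imagex.exe was added to this PE image; capture the Sysprep'd C: volume to the share
net use Z: \\server\images
"%~dp0imagex.exe" /capture C: Z:\win7-ref.wim "Win7 reference" /compress fast /verify
"@
    $cmd | Set-Content -Path (Join-Path $PeDriveRoot 'capture.cmd') -Encoding ASCII
}

function New-VhdFromWim {
    # Step 2: create and attach the VHD with a diskpart script, then lay the WIM onto it.
    $script = @"
create vdisk file="$VhdPath" maximum=40000 type=expandable
select vdisk file="$VhdPath"
attach vdisk
create partition primary
format fs=ntfs quick label="Win7VHD"
assign letter=$VhdLetter
exit
"@
    $script | Set-Content -Path "$env:TEMP\makevhd.txt" -Encoding ASCII
    & diskpart /s "$env:TEMP\makevhd.txt" | Out-Null
    # Apply image index 1 of the WIM to the attached VHD volume
    & $ImageX /apply $WimPath 1 "${VhdLetter}:\"
}

function Add-VhdBootEntry([string]$Description) {
    # Step 3: copy the current boot entry and point device/osdevice at the VHD.
    # bcdedit /copy prints the new entry's {GUID}, which is parsed out below.
    $out  = & bcdedit /copy '{current}' /d $Description
    $guid = [regex]::Match(($out -join ' '), '\{[0-9a-fA-F-]{36}\}').Value
    if (-not $guid) { throw "bcdedit /copy failed: $out" }
    # vhd=[D:]\VHD\win7-test.vhd : drive letter in brackets, then the path on that volume
    $vhd = "vhd=[$($VhdPath.Substring(0, 2))]$($VhdPath.Substring(2))"
    & bcdedit /set $guid device   $vhd
    & bcdedit /set $guid osdevice $vhd
    & bcdedit /set $guid detecthal on      # "Enable the HAL" from the guide
    return $guid
}

Write-CaptureCmd 'E:\'     # E: assumed to be the Windows PE USB flash drive
New-VhdFromWim
$entry = Add-VhdBootEntry 'Windows 7 (VHD test)'
Write-Host "Boot entry $entry added. BitLocker and hibernation are unavailable when booting from a VHD."
```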
Service your VHD
• Microsoft System Center Virtual Machine Manager
  • MSCVMM 2007 or MSCVMM 2008
  • Manage many VHDs and virtual machines
  • Windows Hyper-V Server
  • Physical to virtual migrations
  • Manage virtual workloads
  • Update and maintain VHDs
  • Integrate with System Center Configuration Manager (SCCM)
• View compatibility fixes for 3rd-party apps
• Analyze your applications, create your own shim
• Internet Explorer Compatibility Test Tool
Demo/Lab: Testing IE8
• Internet Explorer Compatibility Test Tool
• Start the tool / Start IE8
• Surf and watch
App Compatibility Group Policies
• Recover from problems or block issues when they occur
• Computer Configuration\Administrative Templates\System\Troubleshooting and Diagnostics\Application Compatibility Diagnostics
Windows XP Mode
• Run Windows XP as a virtual machine
• Windows 7 Professional, Windows 7 Ultimate, Windows 7 Enterprise
• Integrates with the Windows 7 desktop
• Uses a lot of disk space and memory resources
Software Restriction Policies
Group Policy
• Use Group Policy to restrict application use - gpedit.msc
• A bit of overlap with AppLocker
• Works for Windows XP, Windows Vista, and Windows 7
• Computer Configuration\Windows Settings\Security Settings\Software Restriction Policies
Enforcement properties
• Include/exclude DLLs
• Include/exclude local administrators
• Enforce/ignore certificates
Which policy wins?
• Most specific first, then more general
• If AppLocker is in use, AppLocker always wins
• Hash Rules (most specific)
• Certificate Rules
• Path Rules
• Network Zone Rules
• Default Rules (most general)
Hash rules
• Unique identifier - You can’t fool the hash
• Advantages
  • Control very specific applications
  • Down to the version number
• Disadvantages
  • Must be created for every executable
  • Must be updated for each version
Certificate rules
• Control application usage by publisher
• Advantages
  • Cryptographically improbable to beat
• Disadvantages
  • One certificate rule can affect many applications from the same publisher
  • Application must be signed
  • Resource intensive
Path rules
• Control application use based on files or folders
• Advantages
  • Can control specific areas or files
• Disadvantages
  • Can be circumvented by moving the file
Network zone rules
• Control applications based on download location
• Advantages
  • Limits security risk from the outside
• Disadvantages
  • Only applies to .msi (installer) files
  • Not .exe files
  • Only applies to downloads from Internet Explorer
Configuring software restriction policies in Group Policy Editor
Configuring Internet Explorer
Compatibility view
• The browser is the new application environment
• Browser versions are very different
  • Can dramatically impact applications
• Compatibility View turns back the clock
  • Run Internet Explorer as an “older” version
• Tools / Compatibility View Settings
• Configured in Group Policy
  • Administrative Templates\Windows Components\Internet Explorer\Compatibility View
Security Settings
• Categorize web sites into zones
  • Internet
  • Local intranet
  • Trusted sites
  • Restricted sites
• Tools / Internet Options / Security
Search providers and add-ons
• Configure in Tools / Manage Add-ons
InPrivate policies
• Administrative Templates\Windows Components\Internet Explorer\InPrivate
Managing certificates
• Validate the source
• Trust the site
• Encrypt the data
• Surf safely
Certificate problems
• This website’s security certificate has been revoked
  • Don’t trust this website
• This website’s address doesn’t match the address in the security certificate
  • Website is using a digital certificate that was issued to a different web address
• This website’s security certificate is out of date
  • Current date is either before or after the time period of the certificate
• This website’s security certificate isn’t from a trusted source
  • Certificate has been issued by a CA that isn’t recognized by Internet Explorer
• Internet Explorer has found a problem with this website’s certificate
  • There’s a problem with a certificate that doesn’t fit any other error conditions
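A check that reproduces the certificate problems listed above with .NET's SslStream and X509Chain, so each Internet Explorer message can be traced to a concrete chain status. Added example, not from the study guide; the host name is the one from the guide's DNS example, the function names are mine, and online revocation checking is an assumption about how you want to test.

```powershell
# Added example (not from the study guide): check a site's certificate the way Internet
# Explorer does and map the result onto the guide's error messages. Needs network access.

function Get-SiteCertificate([string]$HostName, [int]$Port = 443) {
    # Complete a TLS handshake and return the server's leaf certificate.
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # The { $true } callback only lets the handshake finish so the certificate can be
    # inspected below; never use such a callback to silence certificate errors in real code.
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
    try {
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $ssl.Close(); $client.Close() }
}

function Test-CertificateName($Cert, [string]$HostName) {
    # "Address doesn't match": the host must appear in the SAN list (or the CN as a fallback).
    $names = @()
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    if ($san) { $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value } }
    if (-not $names) { $names += $Cert.GetNameInfo('DnsName', $false) }
    foreach ($n in $names) {
        if ($n -eq $HostName) { return $true }
        # one-label wildcard: *.example.com matches www.example.com but not a.b.example.com
        if ($n.StartsWith('*.') -and $HostName -match ('^[^.]+' + [regex]::Escape($n.Substring(1)) + '$')) { return $true }
    }
    return $false
}

function Test-SiteCertificate([string]$HostName, [int]$Port = 443) {
    # Returns the list of IE-style problems; an empty list means the certificate is OK.
    $cert = Get-SiteCertificate $HostName $Port
    $problems = @()
    if (-not (Test-CertificateName $cert $HostName)) {
        $problems += "address doesn't match the address in the security certificate"
    }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'   # consult CRL/OCSP like IE's revocation check
    [void]$chain.Build($cert)
    foreach ($status in $chain.ChainStatus) {
        $flag = $status.Status.ToString()
        if     ($flag -match 'Revoked')                    { $problems += 'certificate has been revoked' }
        elseif ($flag -match 'NotTimeValid')               { $problems += 'certificate is out of date' }
        elseif ($flag -match 'UntrustedRoot|PartialChain') { $problems += "certificate isn't from a trusted source" }
        elseif ($flag -match 'RevocationStatusUnknown|OfflineRevocation') { }   # could not check; no IE error page by itself
        else                                               { $problems += "found a problem with the certificate: $flag" }
    }
    return ,$problems
}

$result = Test-SiteCertificate 'www.professormesser.com'   # host taken from the guide's DNS example
if ($result.Count -eq 0) { Write-Host 'Certificate OK' }
else { $result | ForEach-Object { Write-Host "Problem: $_" } }
```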
DNS
• Domain Name System
• Converts names to IP addresses
• www.professormesser.com = 74.208.221.234
DHCP
• Dynamic Host Configuration Protocol
• Automatically assign IP address, subnet mask, gateway, and more
APIPA
• Automatic Private IP Addressing
• Connect an entire network without any configuration
• 169.254.0.1 through 169.254.255.254 (subnet mask of 255.255.0.0)
fe80::5d18:652:cffd:8f52 expands to fe80:0000:0000:0000:5d18:0652:cffd:8f52
• fe80 = 1111 1110 1000 0000
• 0000 = 0000 0000 0000 0000
• 0000 = 0000 0000 0000 0000
• 0000 = 0000 0000 0000 0000
• 5d18 = 0101 1101 0001 1000
• 0652 = 0000 0110 0101 0010
• cffd = 1100 1111 1111 1101
• 8f52 = 1000 1111 0101 0010
• Each group is 16 bits = 2 bytes = 2 octets
• 128 bits = 16 bytes
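The expansion above done in code, for the address in the diagram and, going one step past the guide, for an ISATAP address with an embedded dotted IPv4 tail. Added example, not from the study guide; the function names are mine.

```powershell
# Added example (not from the study guide): expand a compressed IPv6 address into its
# eight 16-bit groups and the binary form shown above. Also folds the dotted IPv4 tail
# of an ISATAP address into the last two groups. Function names are mine.

function Expand-IPv6([string]$Address) {
    # Returns the eight groups as zero-padded four-digit hex strings.
    $addr = $Address.Trim().ToLower()
    # Embedded IPv4 tail (e.g. fe80::5efe:192.168.0.16): fold the four octets into two hex groups
    if ($addr -match '^(.*:)(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$') {
        $o = @([int]$matches[2], [int]$matches[3], [int]$matches[4], [int]$matches[5])
        $addr = '{0}{1:x}:{2:x}' -f $matches[1], ($o[0] * 256 + $o[1]), ($o[2] * 256 + $o[3])
    }
    $parts = @($addr -split '::')
    if ($parts.Count -gt 2) { throw "Invalid IPv6 address (more than one '::'): $Address" }
    $head = @($parts[0] -split ':' | Where-Object { $_ -ne '' })
    $tail = @()
    if ($parts.Count -eq 2) { $tail = @($parts[1] -split ':' | Where-Object { $_ -ne '' }) }
    # '::' stands for as many all-zero groups as are needed to reach eight
    $missing = 8 - $head.Count - $tail.Count
    if ($missing -lt 0 -or ($parts.Count -eq 1 -and $missing -ne 0)) { throw "Invalid IPv6 address: $Address" }
    foreach ($g in ($head + $tail)) { if ($g -notmatch '^[0-9a-f]{1,4}$') { throw "Invalid group '$g' in $Address" } }
    $groups = @($head) + @(@('0') * $missing) + @($tail)
    return @($groups | ForEach-Object { $_.PadLeft(4, '0') })
}

function Get-IPv6Expanded([string]$Address) { return ((Expand-IPv6 $Address) -join ':') }

function Get-IPv6Bits([string]$Address) {
    # One "hhhh = bbbb bbbb bbbb bbbb" line per group, like the diagram above
    foreach ($g in (Expand-IPv6 $Address)) {
        $bits = [Convert]::ToString([Convert]::ToInt32($g, 16), 2).PadLeft(16, '0')
        '{0} = {1} {2} {3} {4}' -f $g, $bits.Substring(0, 4), $bits.Substring(4, 4), $bits.Substring(8, 4), $bits.Substring(12, 4)
    }
}

Get-IPv6Expanded 'fe80::5d18:652:cffd:8f52'    # the address from the diagram
Get-IPv6Bits     'fe80::5d18:652:cffd:8f52'
Get-IPv6Expanded 'fe80::5efe:192.168.0.16'     # the ISATAP address from the guide
```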
Address types
• Unicast – one to one
• Multicast – one to many
• Broadcast – one to all (IPv4)
• Anycast – one to nearest (IPv6)
IPv6 Unicast Addresses
• Global – Routable everywhere
• Local – Used in the local network (no Internet) – fc00::/7
• Link-local – Used in the local network segment only – fe80::/10
Teredo
• Tunnel IPv6 through NATed IPv4
• End-to-end IPv6 through an IPv4 network
• No special IPv6 router needed
• Addresses start with 2001::/32
IPv4 Addressing
RFC 1918 Private Addresses
IPv6 Addressing
Network Address Translation (NAT)
• Convert from one IP address to another
• Commonly used to convert private internal addresses to be routed across the Internet
• Also used to advertise services with an external address, but the server actually resides on the inside of the network with a private address
ISATAP (Intra-Site Automatic Tunnel Addressing Protocol)
• Automatically configures addressing to connect two IPv6 devices over a local IPv4 network
• Not designed for site-to-site communication
• fe80::5efe:192.168.0.16
Integrating IPv4 and IPv6
• Are the lights blinking?
• View your configuration
  • ipconfig /all
  • Did you get an IP address from the DHCP server?
  • Is it an APIPA address (169.254.0.1 – 169.254.255.254)?
  • Try ipconfig /release and ipconfig /renew
• Connect to everything
  • ping your address, your gateway, a remote device
  • tracert to an external address
Configuring IPv6
Connecting to an IPv6 network
• Local Area Connection Properties
  • Control Panel / Network and Sharing Center / Change Adapter Settings / Right-click on adapter / Properties
• netsh interface ipv6 set address
• netsh interface ipv6 show address
• DNS
• Are the lights blinking?
  • netsh interface ipv6 show neighbors
• View your configuration
  • ipconfig /all
  • netsh interface ipv6 show address
• Connect to everything
  • Windows 7 network utilities are IPv6 aware (with the -6 flag)
  • ping your address, your gateway, a remote device
  • tracert to an external address
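The IPv4 checks above (view the configuration, is it an APIPA address, release/renew, then ping your address, gateway and a remote device) and the IPv6 neighbor check, as a script. Added example, not from the study guide; the remote test host and the WMI-based adapter query are assumptions.

```powershell
# Added example (not from the study guide): the IPv4 "is it APIPA? release/renew, then
# ping" checks and the IPv6 neighbor check, scripted. The remote test host and the
# WMI-based adapter query are assumptions; runs on PowerShell 2.0.
$RemoteHost = 'www.professormesser.com'   # host from the guide's DNS example

function Test-IsApipa([string]$Ip) { return [bool]($Ip -match '^169\.254\.') }   # 169.254.0.0/16

function Get-IPv4([object]$Nic) { return @($Nic.IPAddress | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' }) }

function Repair-DhcpLease {
    # For each DHCP-enabled adapter: an APIPA address means no DHCP answer was received,
    # so release and renew, then re-read the adapter configuration.
    $nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
            Where-Object { $_.DHCPEnabled }
    foreach ($nic in $nics) {
        $v4 = Get-IPv4 $nic
        if ($v4.Count -gt 0 -and (Test-IsApipa $v4[0])) {
            Write-Host "$($nic.Description): APIPA address $($v4[0]); renewing the lease"
            ipconfig /release | Out-Null
            ipconfig /renew   | Out-Null
            $nic = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index = $($nic.Index)"
            $v4  = Get-IPv4 $nic
        }
        $ip = $null; if ($v4.Count -gt 0) { $ip = $v4[0] }
        New-Object PSObject -Property @{
            Adapter    = $nic.Description
            IPv4       = $ip
            Gateway    = @($nic.DefaultIPGateway)[0]
            DhcpServer = $nic.DHCPServer
            StillApipa = (Test-IsApipa $ip)
        }
    }
}

function Test-Connectivity([string]$Gateway) {
    # "Connect to everything": your own address, the gateway, a remote device (2 echoes each)
    $results = @{}
    foreach ($target in @('127.0.0.1', $Gateway, $RemoteHost)) {
        if ($target) { $results[$target] = (@(ping -n 2 $target) -match 'TTL=').Count -gt 0 }
    }
    return $results
}

$adapters = @(Repair-DhcpLease)
$adapters | Format-Table Adapter, IPv4, Gateway, DhcpServer, StillApipa -AutoSize
foreach ($a in $adapters) {
    # An adapter still on APIPA has no usable gateway, so skip the ping round for it
    if (-not $a.StillApipa) { (Test-Connectivity $a.Gateway).GetEnumerator() | Format-Table Name, Value -AutoSize }
}
netsh interface ipv6 show neighbors   # the IPv6 "are the lights blinking?" check
```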
Adding a network device
• Control Panel / Network and Sharing Center / Set up a connection or network
• Change advanced sharing settings
  • Network discovery
  • File and printer sharing
  • Public folder sharing
Professor Messer Exam Tip
Microsoft has a reputation for tough certification exams. Make sure you know your material very well.
802.11a
• One of the initial wireless standards - October 1999
• Operates in the 5 GHz range
• 54 megabits per second (Mbit/s)
• Smaller range than 802.11b
  • Higher frequency is absorbed by objects in the way
• Today, only seen in very specific cases
Remote Management
Remote Assistance
• User-initiated help
• End-user is in control
• Send a file, an email, or Easy Connect
• Control Panel / System / Remote tab
  • Advanced tab
• Start / All Programs / Maintenance / Windows Remote Assistance
Remote Desktop
• Initiated by the remote user
• Host computer is always waiting for a connection
• Start / All Programs / Accessories / Remote Desktop Connection
• Only available in Windows 7 Professional, Ultimate, and Enterprise
• Control Panel / System / Remote tab
• Automatically configures Windows Firewall rules
• Host user cannot see desktop
• You are logging on as a user
Windows PowerShell
• Super-awesome powerful scripting
• Run PowerShell instead of your normal shell
• Extends Windows functionality into the shell
• Windows 7 includes PowerShell 2.0
• Over 240 cmdlets (command-lets)
• Extensive use of pipelines
Executing remote commands
• Windows Remote Shell (WinRS)
  • Run shell command on a remote computer
  • Remote desktop not required
  • This is why we’ve been learning all those command line options
• Requires the Windows Remote Management Service
  • Set it up: WinRM quickconfig
  • Starts the service and configures the firewall
Elevating user privileges
• Use rights and permissions of another user
  • Without logging out
• GUI: Hold down Shift and right-click
  • Run as different user
• Command line: Use the “runas” command
  • RUNAS [ [/noprofile] [/profile] [/env] [/savecred | /netconly] ] /user:<UserName> program
Resolving authentication issues
• Password reset disk or USB key
  • Create this before you forget your password
• Domain users are reset from the domain administration
  • User Accounts / Manage Accounts
• Access to EFS-encrypted information is lost
  • Unless you restore the EFS certificate
BranchCache
BranchCache overview
• Caching for branch offices
  • Without additional hardware or external services
• Conserve bandwidth over slower links
• Windows 7 / Windows Server 2008 R2
  • Won’t work with older operating systems
• Seamless to the end-user
  • Same protocols
  • Same network connection
  • Same authentication methods
• Activates when round-trip latency exceeds 80 milliseconds
Network infrastructure requirements
• Hosted Cache Server
  • Required at each remote location
  • Run distributed mode if cache server not local
  • Windows Server 2008 R2
  • Create SSL certificate
  • Clients must trust the Certificate Authority
• Clients
  • Windows 7 Ultimate or Enterprise
  • May need to import the Certificate Authority
  • Use Group Policy
• Command line
  • netsh Branchcache set service mode=distributed
  • netsh Branchcache set service mode=hostedclient location=hostedserver
  • Enables BranchCache and configures Windows Firewall rules
• Check the PeerDistSvc
  • Service status: Started
  • Startup type: Manual
BitLocker and BitLocker To Go
BitLocker overview
• Encrypt an entire volume
• Protects all of your data and the operating system
• Lose your laptop? Your data is safe.
• Data is always protected
  • Even if the physical drive is moved to another computer
• Windows 7 Ultimate and Enterprise
TPM (Trusted Platform Module)
• Securely generates and stores cryptographic keys
• Hardware-based pseudo-random number generator
• Hash-key summary of the hardware and software
• Platform authentication
BitLocker modes
• BitLocker with a TPM
  • No additional authentication factors
• BitLocker with a TPM and a PIN
  • Input your PIN during startup
• BitLocker with a TPM and a USB startup key
  • Where’s your USB key?
• BitLocker without a TPM
  • Must boot with a startup key on a USB flash drive
• BitLocker with a TPM, a USB startup key, and a PIN
  • Very secure. Used in high-security environments
Troubleshooting BitLocker
• Don’t forget your password!
• Recovery Mode
  • Use your USB drive with the recovery key
  • manage-bde -status c:
  • manage-bde -unlock c: -cert -ct <certificate_thumbprint>
• There is no “backdoor” or recovery process
Data Recovery Agents
• Computer Configuration\Windows Settings\Security Settings\Public Key Policies\BitLocker Drive Encryption
  • Configure the different drive recovery options
  • Include the Data Recovery Agent for each
• Configure the unique identifiers
  • Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives
• What if a computer already is using BitLocker?
  • manage-bde -setidentifier
  • manage-bde -protectors -get
Enabling BitLocker
• Back up your computer
• Control Panel / BitLocker - must be a local Administrator
• Pick a startup process - Choose a PIN, create a startup key
• No TPM? No problem! - Remember to configure the policy
BitLocker To Go
• Encrypt portable drives
• Set Group Policies on “Removable Data Drives”
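Enabling BitLocker on the operating system drive from the command line with the manage-bde calls the sections above list: TPM and PIN for startup, a recovery password kept out-of-band, the organization identifier, and a status check. Added example, not from the study guide; the backup share and the TPM WMI check are assumptions, and the Group Policy that allows a PIN at startup must already be in place.

```powershell
# Added example (not from the study guide): enable BitLocker on the OS drive with TPM + PIN,
# add a recovery-password protector, apply the Group Policy identifier, and watch the
# conversion. The backup share is an assumption; run from an elevated prompt.
$OsDrive   = 'C:'
$BackupDir = '\\server\bitlocker-keys'   # assumed share, readable by administrators only

function Get-BitLockerStatus([string]$Drive) {
    # Parse "manage-bde -status" into a hashtable keyed by field name,
    # e.g. 'Conversion Status', 'Percentage Encrypted', 'Protection Status'
    $info = @{}
    foreach ($line in (manage-bde -status $Drive)) {
        if ($line -match '^\s*([A-Za-z ]+?):\s+(.+)$') { $info[$matches[1].Trim()] = $matches[2].Trim() }
    }
    return $info
}

function Test-TpmPresent {
    # The guide's "No TPM? No problem!" case: without a TPM the startup key must live on a
    # USB drive and the "Require additional authentication at startup" policy must allow it.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
    return ($tpm -ne $null -and $tpm.IsEnabled().IsEnabled)
}

function Enable-OsDriveBitLocker {
    if (-not (Test-TpmPresent)) { throw 'No enabled TPM found; use a USB startup key (-StartupKey) instead of -TPMAndPIN' }
    # Key protectors: TPM + PIN for startup (prompts for the PIN), plus a numerical recovery password
    manage-bde -protectors -add $OsDrive -TPMAndPIN
    manage-bde -protectors -add $OsDrive -RecoveryPassword
    # Keep a copy of the protectors (recovery password) out-of-band: "there is no backdoor" if it is lost
    manage-bde -protectors -get $OsDrive | Out-File (Join-Path $BackupDir "$env:COMPUTERNAME-protectors.txt")
    # Stamp the drive with the identifier from the "Provide the unique identifiers for your organization" policy
    manage-bde -SetIdentifier $OsDrive
    # Start encrypting
    manage-bde -on $OsDrive
}

function Wait-ForEncryption {
    # Poll "manage-bde -status" once a minute until the conversion finishes
    do {
        $s = Get-BitLockerStatus $OsDrive
        Write-Host "$($s['Conversion Status']) - $($s['Percentage Encrypted'])"
        Start-Sleep -Seconds 60
    } while ($s['Conversion Status'] -ne 'Fully Encrypted')
}

Enable-OsDriveBitLocker
Wait-ForEncryption
Write-Host "Protection status: $((Get-BitLockerStatus $OsDrive)['Protection Status'])"
```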
Professor Messer Exam Tip
The Microsoft 70-680 exam expects you to have a solid understanding of the command line. Get as much hands-on work as you can!
• Did the Group Policy take?
  • netsh interface 6to4 show relay
  • netsh interface ipv6 show teredo
  • netsh interface httpstunnel show interfaces
Windows 7 mobility
Mobility overview
• Optimize your time on battery power
• Offline file access and synchronization
  • Access files on a network share and cache locally
• Power optimization
Offline files
• Make files available, even when you’re not online
  • Automatically sync when back online
  • Built-in sync conflict management
• Mark files
  • “Always available offline”
• Online mode
  • Write to the server, read from the cache
• Auto offline mode
  • If server goes away, converts to local cache operations
  • When server returns (check every 2 minutes), revert to online mode
• Manual offline mode
  • Force yourself into offline mode - “Work offline”
• Slow-link mode
  • Kicks in when speeds drop below 64 kbps
  • Uses file cache, auto sync doesn’t run
Offline file Group Policy
• Computer Configuration\Administrative Templates\Network\Offline Files
• Administratively configure offline files, set slow-link speeds, change sync processes
Enabling Transparent caching
• Increase file performance across WAN links - caching only; no sync
• More flexible than BranchCache
• Works with Windows 7 Professional, no Domain Services required, files are not distributed across multiple systems or on Windows Server 2008 R2
• Kicks in when round-trip exceeds a configured latency
• “Enable Transparent Caching” Group Policy
Managing Power
• Control Panel / Power Options
• Power down modes
• Sleep
  • Processor is turned off, memory is still active
  • Mouse and keyboard remain powered
• Hybrid Sleep
  • Processor is turned off, memory is active, copy is written to disk
  • Similar to Sleep mode
• Hibernate
  • All devices are turned off, memory is written to disk
Updating Windows 7 (continued)
Hidden updates, history, and uninstall
• Hide an update
  • You won’t be asked to update that patch again
  • You can unhide it later, if necessary
  • Standard users can’t hide updates
• View update history
  • What was that update, again?
• Uninstall any of your updates
  • Control Panel / Programs and Features
  • Standard users can’t uninstall updates
Proxies and manual updates
• Windows Update does NOT use Internet Explorer settings
  • Use Web Proxy Auto Detect (WPAD) through DHCP or DNS
  • Import the proxy settings from Internet Explorer using netsh
  • netsh winhttp import proxy source=ie
• Install manually if you have the .msu files
  • Windows Update Stand-alone Installer (Wusa.exe)
  • Standard users can install updates
  • Wusa.exe d:\windows6.1-kb7654321-x64.msu /quiet /norestart
Windows Server Update Services (WSUS)
• Central configuration
  • Save bandwidth
  • Administrators determine the rollout schedule
  • Group computers together for logical organization
• Central rollback management
  • Whoops. Can we take that back?
• Managed through Group Policy
Windows Update policies
• Computer Configuration\Administrative Templates\Windows Components\Windows Update
• Specify Intranet Microsoft Update Service Location
  • Your internal update server
• Enable Client-Side Targeting
  • Group computers together for coordinated updates
• Allow Signed Updates From an intranet Microsoft Update Service Location
  • Roll out your own updates
Managing Disks
Managing disk volumes
• Two partition types
• MBR (Master Boot Record)
  • Four partitions per disk
  • Maximum 2 TB disk size
• GPT (GUID Partition Table)
  • 128 partitions per disk
  • Maximum 256 TB disk size
• Convert using Disk Manager or diskpart
  • DISKPART> convert gpt
Basic and dynamic disks
• Basic disks
  • MBR partitioned disks
• Dynamic disks
  • Logical Disk Manager (LDM) database instead of an MBR
  • LDM is replicated to other dynamic disks
• Moving disks between computers
  • Basic disks are independent - No problem!
  • Dynamic disks should all be moved at the same time
  • You may not be able to move the disks back
  • The disk group name might be duplicated
Moving disks
• Is everyone healthy?
  • Don’t move disks with a non-healthy status
• Uninstall the disks you want to move
  • You’ll have to confirm this
  • For dynamic disks, Remove Disk
• Move the disks to the new computer
  • Move all disks in an array at the same time
• Disk Management / Rescan Disks
• Import the Foreign Disks
Dynamic disk advantages
• Simple
  • Single disk
• Spanned volumes
  • Many disks look like one big disk
• RAID in Windows 7 software
System\Removable Storage Access
• Time (In Seconds) To Force Reboot
• CD And DVD: Deny Execute, Read, or Write Access
• Custom Classes: Deny Read or Write Access
• Floppy Drives: Deny Execute, Read, or Write Access
• Removable Disks: Deny Execute, Read, or Write Access
  • Does not include CD, DVD, or Floppy disks
• All Removable Storage Classes: Deny All Access
• All Removable Storage: Allow Direct Access In Remote Sessions
• Tape Drives: Deny Execute, Read, or Write Access
• WPD Devices: Deny Execute, Read, or Write Access
  • Windows Portable Device
Monitoring Windows 7
The results of an Error-Checking scan
Event Viewer
• Control Panel / Administrative Tools / Event Viewer
• View log information
Event subscriptions
• Centralize your event logs on a collector
  • Instead of looking at every workstation manually
• Collector-initiated subscriptions
  • The collector asks for the event log information
  • Doesn’t scale very well
  • Every computer is listening for instructions
• Source-initiated subscriptions
  • The collector is always listening
  • Used in large environments
  • Much more flexible
Collector-initiated setup
• Uses the Windows Remote Management Service on the source computer
  • winrm quickconfig
• Add the collector computer to the source computer’s “Event Log Readers” group
  • Security Log must be read by a Local Administrator
• On the collector computer, run Windows Event Collector utility
  • wecutil quick-config
Source-initiated setup - collector computer
• Configure Windows Remote Management Service on the collector
  • winrm quickconfig
• On the collector computer, run Windows Event Collector utility
  • wecutil quick-config
• Create a subscription to forward events from the event log of a remote computer
  • This is easy in Event Viewer
  • wecutil create-subscription subscription.xml
• Computer Configuration\Administrative Templates\Windows Components\Event Forwarding\Configure...
• Add the Windows Remote Management Service on the source computer
  • winrm quickconfig
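The source-initiated collector setup above as a script: it writes the subscription.xml that wecutil create-subscription expects, runs the winrm and wecutil setup steps, and then reports which sources have checked in. Added example, not from the study guide; the subscription name, the query scope, the SDDL and the collector URL in the source-side policy comment are assumptions.

```powershell
# Added example (not from the study guide): collector side of a source-initiated event
# subscription. Subscription name, query scope, SDDL and collector URL are assumptions.
$SubscriptionName = 'Workstation-Security'
$XmlPath = Join-Path $env:TEMP "$SubscriptionName.xml"

# Event query: the whole Security log plus critical/error events from System (assumed scope)
$query = @"
<QueryList>
  <Query Id="0">
    <Select Path="Security">*</Select>
    <Select Path="System">*[System[(Level=1 or Level=2)]]</Select>
  </Query>
</QueryList>
"@

# AllowedSourceDomainComputers is SDDL; (A;;GA;;;DC) allows every domain computer to forward.
# Narrow this to a dedicated computer group before using it in production.
$subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$SubscriptionName</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Security and System errors from Windows 7 workstations</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching><MaxLatencyTime>30000</MaxLatencyTime></Batching>
    <PushSettings><Heartbeat Interval="3600000"/></PushSettings>
  </Delivery>
  <Query><![CDATA[$query]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)</AllowedSourceDomainComputers>
</Subscription>
"@

function Register-CollectorSubscription {
    # The guide's three collector steps: WinRM listener, Windows Event Collector service, subscription
    winrm quickconfig -q | Out-Null
    wecutil quick-config /q:true | Out-Null
    $subscription | Set-Content -Path $XmlPath -Encoding UTF8
    wecutil create-subscription $XmlPath
}

function Get-ForwardingSources {
    # Per-source state (active/inactive, last heartbeat) once the workstations check in
    wecutil get-subscriptionruntimestatus $SubscriptionName
}

Register-CollectorSubscription
Get-ForwardingSources

# Source computers (set by Group Policy, not by this script): Computer Configuration\
# Administrative Templates\Windows Components\Event Forwarding\Configure target Subscription
# Manager, with a value of the form (collector host name assumed):
#   Server=http://collector.example.local:5985/wsman/SubscriptionManager/WEC,Refresh=60
# plus "winrm quickconfig" on each source, as the guide says. For the Security log the
# forwarding account (NETWORK SERVICE) also needs read access, e.g. via "Event Log Readers".
```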
Performance Monitor
• Control Panel / Performance Information and Tools / Advanced Tools / Open Performance Monitor
• perfmon
• Real-time performance information
• Many different metrics
• Data Collector Sets
  • Store performance information to disk
• Create reports
  • Compile long-term information into a concise view