
MCT USE ONLY. STUDENT USE PROHIBITED

OFFICIAL MICROSOFT LEARNING PRODUCT

20687C

Configuring Windows 8.1


ii Configuring Windows 8.1

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, email addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, email address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein.

© 2014 Microsoft Corporation. All rights reserved.

Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.

Product Number: 20687C
Part Number: X19-17700
Released: 1/2014


MICROSOFT LICENSE TERMS
MICROSOFT INSTRUCTOR-LED COURSEWARE

These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its affiliates) and you. Please read them. They apply to your use of the content accompanying this agreement which includes the media on which you received it, if any. These license terms also apply to Trainer Content and any updates and supplements for the Licensed Content unless other terms accompany those items. If so, those terms apply.

BY ACCESSING, DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM, DO NOT ACCESS, DOWNLOAD OR USE THE LICENSED CONTENT.

If you comply with these license terms, you have the rights below for each license you acquire.

1. DEFINITIONS.

a. "Authorized Learning Center" means a Microsoft IT Academy Program Member, Microsoft Learning Competency Member, or such other entity as Microsoft may designate from time to time.

b. "Authorized Training Session" means the instructor-led training class using Microsoft Instructor-Led Courseware conducted by a Trainer at or through an Authorized Learning Center.

c. "Classroom Device" means one (1) dedicated, secure computer that an Authorized Learning Center owns or controls that is located at an Authorized Learning Center's training facilities that meets or exceeds the hardware level specified for the particular Microsoft Instructor-Led Courseware.

d. "End User" means an individual who is (i) duly enrolled in and attending an Authorized Training Session or Private Training Session, (ii) an employee of a MPN Member, or (iii) a Microsoft full-time employee.

e. "Licensed Content" means the content accompanying this agreement which may include the Microsoft Instructor-Led Courseware or Trainer Content.

f. "Microsoft Certified Trainer" or "MCT" means an individual who is (i) engaged to teach a training session to End Users on behalf of an Authorized Learning Center or MPN Member, and (ii) currently certified as a Microsoft Certified Trainer under the Microsoft Certification Program.

g. "Microsoft Instructor-Led Courseware" means the Microsoft-branded instructor-led training course that educates IT professionals and developers on Microsoft technologies. A Microsoft Instructor-Led Courseware title may be branded as MOC, Microsoft Dynamics or Microsoft Business Group courseware.

h. "Microsoft IT Academy Program Member" means an active member of the Microsoft IT Academy Program.

i. "Microsoft Learning Competency Member" means an active member of the Microsoft Partner Network program in good standing that currently holds the Learning Competency status.

j. "MOC" means the "Official Microsoft Learning Product" instructor-led courseware known as Microsoft Official Course that educates IT professionals and developers on Microsoft technologies.

k. "MPN Member" means an active Microsoft Partner Network program member in good standing.


l. "Personal Device" means one (1) personal computer, device, workstation or other digital electronic device that you personally own or control that meets or exceeds the hardware level specified for the particular Microsoft Instructor-Led Courseware.

m. "Private Training Session" means the instructor-led training classes provided by MPN Members for corporate customers to teach a predefined learning objective using Microsoft Instructor-Led Courseware. These classes are not advertised or promoted to the general public and class attendance is restricted to individuals employed by or contracted by the corporate customer.

n. "Trainer" means (i) an academically accredited educator engaged by a Microsoft IT Academy Program Member to teach an Authorized Training Session, and/or (ii) a MCT.

o. "Trainer Content" means the trainer version of the Microsoft Instructor-Led Courseware and additional supplemental content designated solely for Trainers' use to teach a training session using the Microsoft Instructor-Led Courseware. Trainer Content may include Microsoft PowerPoint presentations, trainer preparation guide, train the trainer materials, Microsoft One Note packs, classroom setup guide and Pre-release course feedback form. To clarify, Trainer Content does not include any software, virtual hard disks or virtual machines.

2. USE RIGHTS. The Licensed Content is licensed not sold. The Licensed Content is licensed on a one copy per user basis, such that you must acquire a license for each individual that accesses or uses the Licensed Content. Below are five separate sets of use rights. Only one set of rights apply to you.

2.1

a. If you are a Microsoft IT Academy Program Member:

i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not install the Microsoft Instructor-Led Courseware on a device you do not own or control.

ii. For each license you acquire on behalf of an End User or Trainer, you may either:

1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End User who is enrolled in the Authorized Training Session, and only immediately prior to the commencement of the Authorized Training Session that is the subject matter of the Microsoft Instructor-Led Courseware being provided, or

2. provide one (1) End User with the unique redemption code and instructions on how they can access one (1) digital version of the Microsoft Instructor-Led Courseware, or

3. provide one (1) Trainer with the unique redemption code and instructions on how they can access one (1) Trainer Content,

provided you comply with the following:

iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid license to the Licensed Content,

iv. you will ensure each End User attending an Authorized Training Session has their own valid licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized Training Session,

v. you will ensure that each End User provided with the hard-copy version of the Microsoft Instructor-Led Courseware will be presented with a copy of this agreement and each End User will agree that their use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to denote their acceptance of this agreement in a manner that is enforceable under local law prior to their accessing the Microsoft Instructor-Led Courseware,

vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid licensed copy of the Trainer Content that is the subject of the Authorized Training Session,

vii. you will only use qualified Trainers who have in-depth knowledge of and experience with the Microsoft technology that is the subject of the Microsoft Instructor-Led Courseware being taught for all your Authorized Training Sessions,

viii. you will only deliver a maximum of 15 hours of training per week for each Authorized Training Session that uses a MOC title, and

ix. you acknowledge that Trainers that are not MCTs will not have access to all of the trainer resources for the Microsoft Instructor-Led Courseware.

b. If you are a Microsoft Learning Competency Member:

i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not install the Microsoft Instructor-Led Courseware on a device you do not own or control.

ii. For each license you acquire on behalf of an End User or Trainer, you may either:

1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End User attending the Authorized Training Session and only immediately prior to the commencement of the Authorized Training Session that is the subject matter of the Microsoft Instructor-Led Courseware provided, or

2. provide one (1) End User attending the Authorized Training Session with the unique redemption code and instructions on how they can access one (1) digital version of the Microsoft Instructor-Led Courseware, or

3. you will provide one (1) Trainer with the unique redemption code and instructions on how they can access one (1) Trainer Content,

provided you comply with the following:

iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid license to the Licensed Content,

iv. you will ensure that each End User attending an Authorized Training Session has their own valid licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized Training Session,

v. you will ensure that each End User provided with a hard-copy version of the Microsoft Instructor-Led Courseware will be presented with a copy of this agreement and each End User will agree that their use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to denote their acceptance of this agreement in a manner that is enforceable under local law prior to their accessing the Microsoft Instructor-Led Courseware,

vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid licensed copy of the Trainer Content that is the subject of the Authorized Training Session,

vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is the subject of the Microsoft Instructor-Led Courseware being taught for your Authorized Training Sessions,

viii. you will only use qualified MCTs who also hold the applicable Microsoft Certification credential that is the subject of the MOC title being taught for all your Authorized Training Sessions using MOC,

ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and

x. you will only provide access to the Trainer Content to Trainers.


c. If you are a MPN Member:

i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not install the Microsoft Instructor-Led Courseware on a device you do not own or control.

ii. For each license you acquire on behalf of an End User or Trainer, you may either:

1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End User attending the Private Training Session, and only immediately prior to the commencement of the Private Training Session that is the subject matter of the Microsoft Instructor-Led Courseware being provided, or

2. provide one (1) End User who is attending the Private Training Session with the unique redemption code and instructions on how they can access one (1) digital version of the Microsoft Instructor-Led Courseware, or

3. you will provide one (1) Trainer who is teaching the Private Training Session with the unique redemption code and instructions on how they can access one (1) Trainer Content,

provided you comply with the following:

iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid license to the Licensed Content,

iv. you will ensure that each End User attending a Private Training Session has their own valid licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the Private Training Session,

v. you will ensure that each End User provided with a hard copy version of the Microsoft Instructor-Led Courseware will be presented with a copy of this agreement and each End User will agree that their use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to denote their acceptance of this agreement in a manner that is enforceable under local law prior to their accessing the Microsoft Instructor-Led Courseware,

vi. you will ensure that each Trainer teaching a Private Training Session has their own valid licensed copy of the Trainer Content that is the subject of the Private Training Session,

vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is the subject of the Microsoft Instructor-Led Courseware being taught for all your Private Training Sessions,

viii. you will only use qualified MCTs who hold the applicable Microsoft Certification credential that is the subject of the MOC title being taught for all your Private Training Sessions using MOC,

ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and

x. you will only provide access to the Trainer Content to Trainers.

d. If you are an End User: For each license you acquire, you may use the Microsoft Instructor-Led Courseware solely for your personal training use. If the Microsoft Instructor-Led Courseware is in digital format, you may access the Microsoft Instructor-Led Courseware online using the unique redemption code provided to you by the training provider and install and use one (1) copy of the Microsoft Instructor-Led Courseware on up to three (3) Personal Devices. You may also print one (1) copy of the Microsoft Instructor-Led Courseware. You may not install the Microsoft Instructor-Led Courseware on a device you do not own or control.

e. If you are a Trainer:

i. For each license you acquire, you may install and use one (1) copy of the Trainer Content in the form provided to you on one (1) Personal Device solely to prepare and deliver an Authorized Training Session or Private Training Session, and install one (1) additional copy on another Personal Device as a backup copy, which may be used only to reinstall the Trainer Content. You may not install or use a copy of the Trainer Content on a device you do not own or control. You may also print one (1) copy of the Trainer Content solely to prepare for and deliver an Authorized Training Session or Private Training Session.

ii. You may customize the written portions of the Trainer Content that are logically associated with instruction of a training session in accordance with the most recent version of the MCT agreement. If you elect to exercise the foregoing rights, you agree to comply with the following: (i) customizations may only be used for teaching Authorized Training Sessions and Private Training Sessions, and (ii) all customizations will comply with this agreement. For clarity, any use of "customize" refers only to changing the order of slides and content, and/or not using all the slides or content; it does not mean changing or modifying any slide or content.

2.2 Separation of Components. The Licensed Content is licensed as a single unit and you may not separate their components and install them on different devices.

2.3 Redistribution of Licensed Content. Except as expressly provided in the use rights above, you may not distribute any Licensed Content or any portion thereof (including any permitted modifications) to any third parties without the express written permission of Microsoft.

2.4 Third Party Notices. The Licensed Content may include third party code or content that Microsoft, not the third party, licenses to you under this agreement. Notices, if any, for the third party code or content are included for your information only.

2.5 Additional Terms. Some Licensed Content may contain components with additional terms, conditions, and licenses regarding its use. Any non-conflicting terms in those conditions and licenses also apply to your use of that respective component and supplements the terms described in this agreement.

3. LICENSED CONTENT BASED ON PRE-RELEASE TECHNOLOGY. If the Licensed Content's subject matter is based on a pre-release version of Microsoft technology ("Pre-release"), then in addition to the other provisions in this agreement, these terms also apply:

a. Pre-Release Licensed Content. This Licensed Content subject matter is on the Pre-release version of the Microsoft technology. The technology may not work the way a final version of the technology will and we may change the technology for the final version. We also may not release a final version. Licensed Content based on the final version of the technology may not contain the same information as the Licensed Content based on the Pre-release version. Microsoft is under no obligation to provide you with any further content, including any Licensed Content based on the final version of the technology.

b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly or through its third party designee, you give to Microsoft without charge, the right to use, share and commercialize your feedback in any way and for any purpose. You also give to third parties, without charge, any patent rights needed for their products, technologies and services to use or interface with any specific parts of a Microsoft technology, Microsoft product, or service that includes the feedback. You will not give feedback that is subject to a license that requires Microsoft to license its technology, technologies, or products to third parties because we include your feedback in them. These rights survive this agreement.

c. Pre-release Term. If you are a Microsoft IT Academy Program Member, Microsoft Learning Competency Member, MPN Member or Trainer, you will cease using all copies of the Licensed Content on the Pre-release technology upon (i) the date which Microsoft informs you is the end date for using the Licensed Content on the Pre-release technology, or (ii) sixty (60) days after the commercial release of the technology that is the subject of the Licensed Content, whichever is earliest ("Pre-release term"). Upon expiration or termination of the Pre-release term, you will irretrievably delete and destroy all copies of the Licensed Content in your possession or under your control.


4. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation, you may use the Licensed Content only as expressly permitted in this agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only allows you to use it in certain ways. Except as expressly permitted in this agreement, you may not:

o access or allow any individual to access the Licensed Content if they have not acquired a valid license for the Licensed Content,
o alter, remove or obscure any copyright or other protective notices (including watermarks), branding or identifications contained in the Licensed Content,
o modify or create a derivative work of any Licensed Content,
o publicly display, or make the Licensed Content available for others to access or use,
o copy, print, install, sell, publish, transmit, lend, adapt, reuse, link to or post, make available or distribute the Licensed Content to any third party,
o work around any technical limitations in the Licensed Content, or
o reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the Licensed Content except and only to the extent that applicable law expressly permits, despite this limitation.

5. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to you in this agreement. The Licensed Content is protected by copyright and other intellectual property laws and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the Licensed Content.

6. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the Licensed Content. These laws include restrictions on destinations, end users and end use. For additional information, see www.microsoft.com/exporting.

7. SUPPORT SERVICES. Because the Licensed Content is "as is", we may not provide support services for it.

8. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail to comply with the terms and conditions of this agreement. Upon termination of this agreement for any reason, you will immediately stop all use of and delete and destroy all copies of the Licensed Content in your possession or under your control.

9. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed Content. The third party sites are not under the control of Microsoft, and Microsoft is not responsible for the contents of any third party sites, any links contained in third party sites, or any changes or updates to third party sites. Microsoft is not responsible for webcasting or any other form of transmission received from any third party sites. Microsoft is providing these links to third party sites to you only as a convenience, and the inclusion of any link does not imply an endorsement by Microsoft of the third party site.

10. ENTIRE AGREEMENT. This agreement, and any additional terms for the Trainer Content, updates and supplements are the entire agreement for the Licensed Content, updates and supplements.

11. APPLICABLE LAW.

a. United States. If you acquired the Licensed Content in the United States, Washington state law governs the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws principles. The laws of the state where you live govern all other claims, including claims under state consumer protection laws, unfair competition laws, and in tort.

b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that country apply.

12. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. You may also have rights with respect to the party from whom you acquired the Licensed Content. This agreement does not change your rights under the laws of your country if the laws of your country do not permit it to do so.


13. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS" AND "AS AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT AND ITS RESPECTIVE AFFILIATES GIVES NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS. YOU MAY HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, MICROSOFT AND ITS RESPECTIVE AFFILIATES EXCLUDES ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.

14. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM MICROSOFT, ITS RESPECTIVE AFFILIATES AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO US$5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.

This limitation applies to
o anything related to the Licensed Content, services, content (including code) on third party Internet sites or third-party programs; and
o claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the extent permitted by applicable law.

It also applies even if Microsoft knew or should have known about the possibility of the damages. The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages.

Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this agreement are provided below in French. (The French clauses follow, rendered here in English.)

DISCLAIMER OF WARRANTY. The licensed content covered by a license is offered "as is". Any use of this licensed content is at your sole risk. Microsoft grants no other express warranty. You may benefit from additional rights under local consumer protection law, which this contract cannot modify. Where permitted by local law, the implied warranties of merchantability, fitness for a particular purpose and non-infringement are excluded.

LIMITATION OF DAMAGES AND EXCLUSION OF LIABILITY FOR DAMAGES. You may obtain from Microsoft and its suppliers compensation for direct damages only, up to US$5.00. You may not claim any compensation for other damages, including special, indirect or incidental damages and lost profits. This limitation applies to: anything related to the licensed content, to services or to content (including code) on third-party Internet sites or in third-party programs; and claims for breach of contract or warranty, or for strict liability, negligence or other fault, to the extent permitted by applicable law.

It also applies even if Microsoft knew or should have known of the possibility of such damage. If your country does not allow the exclusion or limitation of liability for indirect, incidental or other damages, the above limitation or exclusion may not apply to you.

LEGAL EFFECT. This contract describes certain legal rights. You may have other rights under the laws of your country. This contract does not modify the rights granted to you by the laws of your country if those laws do not permit it.

Revised July 2013


Acknowledgments

Microsoft Learning wants to acknowledge and thank the following for their contribution toward developing this title. Their effort at various stages in the development has ensured that you have a good classroom experience.

Slavko Kukrika, Content Developer

Slavko Kukrika has been a Microsoft Certified Trainer (MCT) for more than 15 years. He holds many technical certifications and is honored to be one of the Microsoft Most Valuable Professionals (MVP). Slavko specializes in the Windows operating system, Active Directory and virtualization. He has worked with Windows 8 since it was first publicly available and has helped several mid-size customers migrate to Windows 8. Slavko regularly presents at technical conferences, and he is the author of several Microsoft Official Courses. In his private life, Slavko is the proud father of two sons and he tries to extend each day to at least 25 hours.

Jason Kellington, Content Developer

Jason Kellington is a Microsoft Certified Trainer (MCT), Microsoft Certified IT Professional (MCITP), and Microsoft Certified Solutions Expert (MCSE), as well as a consultant, trainer and author. He has experience working with a wide range of Microsoft technologies, focusing on the design and deployment of enterprise network infrastructures. Jason works in several capacities with Microsoft: as a SME for Microsoft Learning courseware titles, a senior technical writer for Microsoft IT Showcase, and an author for Microsoft Press.

Andrew Bettany, Subject Matter Expert

Andrew Bettany is a published author and MVP (Windows Expert-IT Pro), holds numerous Microsoft certifications, and has been a Microsoft trainer since 2005. Based in York, England, he manages the University of York IT Academy and often participates in worldwide conferences and events. Most recently Andrew visited Haiti for the second time to deliver an intensive boot camp focusing on Windows technologies, to help the local community rebuild key IT skills following the earthquake in 2010.

Elias Mereb, Technical Reviewer

Elias Mereb is a highly experienced infrastructure architect, consultant, trainer and international speaker. He currently holds more than 30 Microsoft certifications, including MCP, MCSA: Security, MCTS, MCITP, and MCT. He is also a six-time winner of Microsoft's Most Valuable Professional (MVP) award in the Windows Expert-IT Pro technical expertise and a Charter Springboard Series Technical Experts Program (STEP) Member. Elias has been invited several times to speak at TechEd North America, TechEd Europe and Microsoft Management Summit (MMS). He has participated as a SME, trainer, Technical Writer and Technical Reviewer in the design and development process of Microsoft's certification exams and courses, recently including the Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows 7, Windows 8 and Windows 8.1 exams and courses for Microsoft Learning.


MCT USE ONLY. STUDENT USE PROHIBITED

Contents

Module 1: Windows 8.1 in an Enterprise Environment
    Lesson 1: Managing Windows 8.1 in an Enterprise Environment    1-2
    Lesson 2: Overview of Windows 8.1    1-7

Module 2: Installing and Deploying Windows 8.1
    Lesson 1: Preparing to Install and Deploy Windows 8.1    2-2
    Lesson 2: Installing Windows 8.1    2-12
    Lab A: Installing Windows 8.1    2-24
    Lesson 3: Customizing and Preparing a Windows 8.1 Image for Deployment    2-27
    Lab B: Customizing and Capturing a Windows 8.1 Image    2-39
    Lesson 4: Volume Activation for Windows 8.1    2-44
    Lab C: Deploying a Windows 8.1 Image    2-52

Module 3: Managing Profiles and User State in Windows 8.1
    Lesson 1: Managing User Profiles    3-2
    Lesson 2: Configuring User State Virtualization    3-8
    Lab A: Configuring Profiles and User State Virtualization    3-21
    Lesson 3: Migrating User State and Settings    3-27
    Lab B: Migrating User State by Using USMT    3-34

Module 4: Tools Used for Configuring and Managing Windows 8.1
    Lesson 1: Tools Used to Perform Local and Remote Management of Windows 8.1    4-2
    Lesson 2: Using Windows PowerShell to Configure and Manage Windows 8.1    4-9
    Lesson 3: Using Group Policy to Manage Windows 8.1    4-16
    Lab: Using Management Tools to Configure Windows 8.1 Settings    4-22

Module 5: Managing Disks and Device Drivers
    Lesson 1: Managing Disks, Partitions, and Volumes    5-2
    Lesson 2: Maintaining Disks, Partitions, and Volumes    5-17
    Lesson 3: Working with Virtual Hard Disks    5-24
    Lab A: Managing Disks    5-29
    Lesson 4: Installing and Configuring Device Drivers    5-34
    Lab B: Configuring Device Drivers    5-47

Module 6: Configuring Network Connectivity
    Lesson 1: Configuring IPv4 Network Connectivity    6-2
    Lesson 2: Configuring IPv6 Network Connectivity    6-9
    Lesson 3: Implementing Automatic IP Address Allocation    6-14
    Lab A: Configuring a Network Connection    6-21
    Lesson 4: Implementing Name Resolution    6-25
    Lab B: Resolving Network Connectivity Issues    6-30
    Lesson 5: Implementing Wireless Network Connectivity    6-33

Module 7: Configuring Resource Access for Domain-Joined and Non-Domain Joined Devices
    Lesson 1: Configuring Domain Access for Windows 8.1 Devices    7-2
    Lesson 2: Configuring Resource Access for Non-Domain Devices    7-8
    Lesson 3: Configuring Workplace Join    7-16
    Lesson 4: Configuring Work Folders    7-21
    Lab: Configuring Resource Access for Non-Domain Joined Devices    7-29

Module 8: Implementing Network Security
    Lesson 1: Overview of Threats to Network Security    8-2
    Lesson 2: Configuring Windows Firewall    8-8
    Lab A: Configuring Inbound and Outbound Firewall Rules    8-17
    Lesson 3: Securing Network Traffic by Using IPsec    8-20
    Lab B: Configuring IPsec Rules    8-28
    Lesson 4: Guarding Windows 8.1 Against Malware    8-30
    Lab C: Configuring Malware Protection    8-33

Module 9: Configuring File Access and Printers on Windows 8.1 Clients
    Lesson 1: Managing File Access    9-2
    Lesson 2: Managing Shared Folders    9-16
    Lesson 3: Configuring File Compression    9-25
    Lab A: Configuring File Access    9-29
    Lesson 4: Overview of SkyDrive    9-32
    Lesson 5: Managing Printers    9-37
    Lab B: Configuring Printers    9-41

Module 10: Securing Windows 8.1 Devices
    Lesson 1: Authentication and Authorization in Windows 8.1    10-2
    Lesson 2: Implementing Local Policies    10-11
    Lab A: Implementing Local GPOs    10-20
    Lesson 3: Securing Data with EFS and BitLocker    10-23
    Lab B: Securing Data by Using BitLocker    10-45
    Lesson 4: Configuring UAC    10-47
    Lab C: Configuring and Testing UAC    10-54

Module 11: Configuring Applications for Windows 8.1
    Lesson 1: Application Deployment Options in Windows 8.1    11-2
    Lesson 2: Managing Windows Store Apps    11-14
    Lesson 3: Configuring Internet Explorer Settings    11-19
    Lab A: Configuring Internet Explorer Security    11-29
    Lesson 4: Configuring Application Restrictions    11-32
    Lab B: Configuring AppLocker    11-40

Module 12: Optimizing and Maintaining Windows 8.1 Computers
    Lesson 1: Optimizing Performance in Windows 8.1    12-2
    Lab A: Optimizing Windows 8.1 Performance    12-10
    Lesson 2: Managing the Reliability of Windows 8.1    12-14
    Lesson 3: Managing Software Updates in Windows 8.1    12-19
    Lab B: Maintaining Windows Updates    12-25

Module 13: Configuring Mobile Computing and Remote Access
    Lesson 1: Configuring Mobile Computers and Device Settings    13-2
    Lab A: Configuring a Power Plan    13-9
    Lesson 2: Overview of DirectAccess    13-11
    Lab B: Implementing DirectAccess by Using the Getting Started Wizard    13-22
    Lesson 3: Configuring VPN Access    13-26
    Lesson 4: Configuring Remote Desktop and Remote Assistance    13-35
    Lab C: Implementing Remote Desktop    13-39

Module 14: Recovering Windows 8.1
    Lesson 1: Backing Up and Restoring Files in Windows 8.1    14-2
    Lesson 2: Recovery Options in Windows 8.1    14-5
    Lab: Recovering Windows 8.1    14-18

Module 15: Configuring Client Hyper-V
    Lesson 1: Overview of Client Hyper-V    15-2
    Lesson 2: Creating Virtual Machines    15-6
    Lesson 3: Managing Virtual Hard Disks    15-13
    Lesson 4: Managing Checkpoints    15-19
    Lab: Configuring Client Hyper-V    15-24

Lab Answer Keys
    Module 2 Lab A: Installing Windows 8.1    L2-1
    Module 2 Lab B: Customizing and Capturing a Windows 8.1 Image    L2-5
    Module 2 Lab C: Deploying a Windows 8.1 Image    L2-13
    Module 3 Lab A: Configuring Profiles and User State Virtualization    L3-15
    Module 3 Lab B: Migrating User State by Using USMT    L3-25
    Module 4 Lab: Using Management Tools to Configure Windows 8.1 Settings    L4-31
    Module 5 Lab A: Managing Disks    L5-37
    Module 5 Lab B: Configuring Device Drivers    L5-45
    Module 6 Lab A: Configuring a Network Connection    L6-47
    Module 6 Lab B: Resolving Network Connectivity Issues    L6-51
    Module 7 Lab: Configuring Resource Access for Non-Domain Joined Devices    L7-55
    Module 8 Lab A: Configuring Inbound and Outbound Firewall Rules    L8-61
    Module 8 Lab B: Configuring IPsec Rules    L8-63
    Module 8 Lab C: Configuring Malware Protection    L8-65
    Module 9 Lab A: Configuring File Access    L9-67
    Module 9 Lab B: Configuring Printers    L9-70
    Module 10 Lab A: Implementing Local GPOs    L10-73
    Module 10 Lab B: Securing Data by Using BitLocker    L10-76
    Module 10 Lab C: Configuring and Testing UAC    L10-78
    Module 11 Lab A: Configuring Internet Explorer Security    L11-81
    Module 11 Lab B: Configuring AppLocker    L11-83
    Module 12 Lab A: Optimizing Windows 8.1 Performance    L12-85
    Module 12 Lab B: Maintaining Windows Updates    L12-89
    Module 13 Lab A: Configuring a Power Plan    L13-91
    Module 13 Lab B: Implementing DirectAccess by Using the Getting Started Wizard    L13-92
    Module 14 Lab: Recovering Windows 8.1    L14-99
    Module 15 Lab: Configuring Client Hyper-V    L15-107

MCT USE ONLY. STUDENT USE PROHIBITED


About This Course


Course Description

This section provides a brief description of the course, audience, suggested prerequisites, and course objectives.

This course is intended for IT professionals who administer and support Windows 8.1 PCs, devices, users, and associated network and security resources. The networks with which these professionals typically work are configured as a Windows Server domain-based environment with managed access to the Internet and cloud services. The course is also intended for students who seek certification in the 70-687 Windows 8.1 Configuring exam.

Note: This course is based on Windows 8.1 Enterprise Edition, with domain services provided by Windows Server 2012 R2.

Audience

This course is intended for IT professionals who administer and support Windows 8.1 PCs, devices, users, and associated network and security resources. The networks with which these professionals typically work are configured as Windows Server domain-based environments with managed access to the Internet and cloud services. This course is also intended to provide foundation configuration skills for Enterprise Desktop/Device Support Technicians (EDSTs) who provide Tier 2 support to users who run Windows desktops and devices within a Windows domain environment in medium to large enterprise organizations. Students who seek certification in the 70-687 Windows 8.1 Configuring exam will also benefit from this course.

Student Prerequisites
This course requires that you meet the following prerequisites:
- At least two years of experience in the IT field
- Knowledge of networking fundamentals, including Transmission Control Protocol/Internet Protocol (TCP/IP), User Datagram Protocol (UDP), and Domain Name System (DNS)
- Knowledge of Microsoft Active Directory Domain Services (AD DS) principles and fundamentals of AD DS management
- Understanding of certificate security and working knowledge of the fundamentals of Active Directory Certificate Services (AD CS)
- Understanding of Windows Server 2008 R2 or Windows Server 2012 fundamentals
- Understanding of Microsoft Windows client essentials; for example, working knowledge of Windows XP, Windows Vista, Windows 7, and/or Windows 8
- Basic understanding of Windows PowerShell syntax
- Basic awareness of Windows deployment tools (Windows ADK components: Windows PE, Windows SIM, VAMT, ImageX, USMT, and DISM concepts and fundamentals), but no actual prerequisite skills with the specific tools are assumed


Course Objectives
After completing this course, students will be able to:
- Describe solutions and features related to managing Windows 8.1 in an enterprise network environment.
- Determine requirements and perform the tasks for installing and deploying Windows 8.1.
- Manage profiles and user state between Windows devices.
- Determine the most appropriate management tools to configure Windows 8.1 settings.
- Configure disks, partitions, volumes, and device drivers in a Windows 8.1 system.
- Configure network connectivity.
- Configure resource connectivity for both domain-joined and non-domain joined PCs and devices.
- Implement Windows 8.1 technologies to secure network connections.
- Configure file, folder, and printer access.
- Implement tools and technologies that can help secure Windows 8.1 PCs and devices.
- Configure and control desktop apps and Windows Store apps.
- Optimize and maintain Windows 8.1 PCs and devices.
- Configure mobile computer settings and enable remote access.
- Determine how to recover Windows 8.1 from various failures.
- Describe Hyper-V for Windows 8.1 and how to use it to support legacy applications.

Course Outline
The course outline is as follows:

Module 1, "Windows 8.1 in an Enterprise Environment" describes solutions and features related to managing Windows 8.1 in an enterprise network environment. Students will identify how to use Windows 8.1 features and related solutions to support intranet, Internet, and non-domain joined Windows 8.1 clients. They will also learn how to identify changes to the Windows 8.1 user interface and perform customizations of the desktop and Start screen.

Module 2, "Installing and Deploying Windows 8.1" describes how to identify hardware, software, and infrastructure readiness for installing and deploying Windows 8.1, and also describes the different options for installing Windows 8.1 on a computer. It also explains how students can customize a Windows 8.1 image file and deploy it using appropriate installation tools. This module also describes the methods students can use to manage volume activation in Windows 8.1.

Module 3, "Managing Profiles and User State in Windows 8.1" describes how to manage profiles and user state between Windows devices. Students will learn about managing user accounts and profiles in Windows 8.1, configuring User State Virtualization using Microsoft UE-V and Windows 8.1, and migrating user state and settings when migrating to Windows 8.1.

Module 4, "Tools Used for Configuring and Managing Windows 8.1" explains how to determine the most appropriate management tools to configure Windows 8.1 settings. It describes tools used for local and remote management of Windows 8.1, and the use of Group Policy and Windows PowerShell in managing Windows 8.1 settings.


Module 5, "Managing Disks and Device Drivers" explains how to configure disks, partitions, volumes, and device drivers in a Windows 8.1 system. It also explains how to manage virtual hard disks in the Windows 8.1 file system.

Module 6, "Configuring Network Connectivity" explains how to configure network connectivity using IPv4 and IPv6. It also describes how to implement automatic IP address allocation, name resolution, and wireless network connectivity.

Module 7, "Configuring Resource Access for Domain-Joined and Non-Domain Joined Devices" explains how to configure resource connectivity for both domain-joined and non-domain joined devices. It also explains how to configure Workplace Join for non-domain joined computers, and how to configure Work Folders.

Module 8, "Implementing Network Security" provides an overview of common network security threats and explains how to mitigate them with Windows 8.1 technologies: inbound and outbound Windows Firewall rules, IPsec connection security rules to secure network traffic, Windows SmartScreen, and host-based malware protection with Windows Defender.

Module 9, "Configuring File Access and Printers on Windows 8.1 Clients" explains how to manage secure file and folder access, create and manage shared folders, and configure file and folder compression. It also explains how to enable and configure SkyDrive access, and create and configure shared printers.

Module 10, "Securing Windows 8.1 Devices" explains how to implement tools and technologies that can help secure Windows 8.1 desktops. It describes methods used for authentication and authorization in Windows 8.1. It also describes how to use local Group Policy objects to configure security and other settings, and explains the use of file encryption methods and User Account Control.

Module 11, "Configuring Applications for Windows 8.1" explains how to configure and control applications in Windows 8.1. It describes application deployment methods, and explains how to install and manage Windows Store apps. It also explains how to configure and secure Internet Explorer, and configure application restrictions with AppLocker.

Module 12, "Optimizing and Maintaining Windows 8.1 Computers" explains how to optimize and maintain Windows 8.1-based computers. It also explains how to manage reliability, and configure and manage software updates in Windows 8.1.

Module 13, "Configuring Mobile Computing and Remote Access" explains how to configure Windows 8.1 settings that are applicable to mobile computing devices. It also describes DirectAccess, and how it can be used to provide remote access. This module also explains how to enable and configure VPN access, Remote Desktop, and Remote Assistance.

Module 14, "Recovering Windows 8.1" explains how to recover Windows 8.1 from failures. It describes how to provide for file and folder recovery, and how to identify when and how to recover Windows 8.1.

Module 15, "Configuring Client Hyper-V" describes Hyper-V for Windows 8.1, and explains how to create and configure virtual machines in Hyper-V for Windows 8.1. It also explains the use of virtual hard disks, and the creation and implementation of virtual machine checkpoints.


Course Materials

The following materials are included with your kit:

- Course Handbook: a succinct classroom learning guide that provides the critical technical information in a crisp, tightly-focused format, which is essential for an effective in-class learning experience.
    - Lessons: guide you through the learning objectives and provide the key points that are critical to the success of the in-class learning experience.
    - Labs: provide a real-world, hands-on platform for you to apply the knowledge and skills learned in the module.
    - Module Reviews and Takeaways: provide on-the-job reference material to boost knowledge and skills retention.
    - Lab Answer Keys: provide step-by-step lab solution guidance.


- Course Companion Content on the http://www.microsoft.com/learning/companionmoc site: searchable, easy-to-browse digital content with integrated premium online resources that supplement the Course Handbook.
    - Modules: include companion content, such as questions and answers, detailed demo steps, and additional reading links, for each lesson. Additionally, they include Lab Review questions and answers and Module Reviews and Takeaways sections, which contain the review questions and answers, best practices, common issues and troubleshooting tips with answers, and real-world issues and scenarios with answers.
    - Resources: include well-categorized additional resources that give you immediate access to the most current premium content on TechNet, MSDN, or Microsoft Press.

- Student Course files on the http://www.microsoft.com/learning/companionmoc site: include Allfiles.exe, a self-extracting executable file that contains all required files for the labs and demonstrations.

- Course evaluation: at the end of the course, you will have the opportunity to complete an online evaluation to provide feedback on the course, training facility, and instructor. To provide additional comments or feedback on the course, send an email to support@mscourseware.com. To inquire about the Microsoft Certification Program, send an email to mcphelp@microsoft.com.


Virtual Machine Environment


Virtual Machine Configuration

This section provides the information for setting up the classroom environment to support the business scenario of the course.

In this course, you will use Microsoft Hyper-V to perform the labs.

Important: At the end of each lab, you must close the virtual machine and must not save any changes. To close a virtual machine (VM) without saving the changes, perform the following steps:
1. On the virtual machine, on the Action menu, click Close.
2. In the Close dialog box, in the What do you want the virtual machine to do? list, click Turn off and delete changes, and then click OK.

The following table shows the role of each virtual machine that is used in this course:

Virtual machine     Role
20687C-LON-DC1      Domain controller in the Adatum.com domain
20687C-LON-CL1      Windows 8.1 computer in the Adatum.com domain
20687C-LON-CL2      Windows 8.1 computer in the Adatum.com domain
20687C-LON-CL3      Windows 7 computer in the Adatum.com domain
20687C-LON-CL4      Windows 8.1 computer for non-domain member scenarios
20687C-LON-REF1     Blank virtual machine used for the reference machine imaging and capture scenario
20687C-LON-SVR1     AD FS server in the Adatum.com domain
20687C-LON-SVR2     Web server in the Adatum.com domain
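The same discard-changes step can be scripted with the Hyper-V PowerShell module on the lab host, which is useful when a lab has touched several VMs. The following is an added example and is not part of the 20687C courseware. It assumes the Hyper-V module present on a Windows 8.1 Client Hyper-V or Windows Server 2012 R2 host, an elevated session, and that each course VM carries a checkpoint of its clean state; "delete changes" is treated as reverting to the VM's most recent checkpoint, and the VM names are taken from the table above.

```powershell
# Added example, not part of the 20687C courseware.
# Discards a lab VM's changes from PowerShell instead of the VMConnect Close dialog.
# Assumptions: Hyper-V module available on the host (Windows 8.1 Client Hyper-V or
# Windows Server 2012 R2), elevated session, and each course VM has a checkpoint of
# its clean state. "Delete changes" is interpreted as reverting to the most recent
# checkpoint (called a snapshot by the 2012 R2-era cmdlets).

function Reset-LabVM {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string[]]$Name
    )
    process {
        foreach ($vmName in $Name) {
            $vm = Get-VM -Name $vmName -ErrorAction SilentlyContinue
            if (-not $vm) {
                Write-Warning "VM '$vmName' not found on this host; skipping."
                continue
            }

            # Newest checkpoint wins; a VM without one has nothing to revert to.
            $checkpoint = Get-VMSnapshot -VMName $vmName |
                Sort-Object CreationTime -Descending |
                Select-Object -First 1
            if (-not $checkpoint) {
                Write-Warning "VM '$vmName' has no checkpoint; nothing to revert to."
                continue
            }

            if ($PSCmdlet.ShouldProcess($vmName, "Turn off and revert to '$($checkpoint.Name)'")) {
                # -TurnOff is the hard power-off the lab instructions call for;
                # the guest is not shut down cleanly, so nothing is flushed to disk.
                if ($vm.State -ne 'Off') {
                    Stop-VM -Name $vmName -TurnOff -Force
                }
                Restore-VMSnapshot -VMSnapshot $checkpoint -Confirm:$false
                Write-Verbose "'$vmName' reverted to checkpoint '$($checkpoint.Name)'."
            }
        }
    }
}

# Usage: revert the VMs used in a lab (names from the course VM table).
# Reset-LabVM -Name '20687C-LON-CL1', '20687C-LON-DC1' -Verbose
# Add -WhatIf to see which VMs and checkpoints would be affected without reverting.
```

Because the function supports ShouldProcess, `-WhatIf` previews the reverts and `-Confirm` prompts per VM, which matters on a host that also runs VMs you do not want to roll back.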

Software Configuration
The following software is installed on the VMs:
- Windows Server 2012 R2 (server VMs)
- Windows 8.1 Enterprise (client VMs)
- Microsoft Office 2010
- On the server, possibly also the Windows Assessment and Deployment Kit (Windows ADK)

Classroom Setup
Each classroom computer will have the same virtual machine configured in the same way.


Course Hardware Level

To ensure a satisfactory student experience, Microsoft Learning requires a minimum equipment configuration for trainer and student computers in all Microsoft Certified Partner for Learning Solutions (CPLS) classrooms in which Official Microsoft Learning Product courseware is taught:
- Intel Virtualization Technology (Intel VT) or AMD Virtualization (AMD-V) processor
- Dual 120 gigabyte (GB) hard disks, 7200 RPM Serial ATA (SATA) or better*
- 8 GB RAM
- DVD drive
- Network adapter
- Super VGA (SVGA) 17-inch monitor
- Microsoft Mouse or compatible pointing device
- Sound card with amplified speakers

*Striped

In addition, the instructor computer must be connected to a projection display device that supports SVGA 1024 x 768 pixels, 16-bit colors.

Navigation in Windows Server 2012 R2 or Windows 8.1


If you are not familiar with the user interface in Windows Server 2012 R2 or Windows 8.1, the following information will help orient you to the new interface:
- Sign in and Sign out replace Log in and Log out.
- Administrative tools are found in the Tools menu of Server Manager.
- Move your mouse to the lower right corner of the desktop to open a menu (the charms) with:
    - Settings: includes Control Panel and Power
    - Start: opens the Start screen, which provides access to applications
    - Search: searches applications, settings, and files

You may also find the following shortcut keys useful:
- Windows: Opens the Start screen
- Windows+C: Opens the same menu as moving the mouse to the lower right corner
- Windows+I: Opens Settings
- Windows+R: Opens the Run window


Module 1
Windows 8.1 in an Enterprise Environment
Contents:
Module Overview    1-1
Lesson 1: Managing Windows 8.1 in an Enterprise Environment    1-2
Lesson 2: Overview of Windows 8.1    1-7
Module Review and Takeaways    1-14

Module Overview

Windows client operating systems are essential to the functionality of almost every enterprise environment. Most users perform the bulk of their computing tasks in the Windows client interface, including editing documents, sending email, interacting with applications, and numerous other tasks. Managing these clients, then, is an important task for enterprise information technology (IT) administrators. You must manage Windows clients to ensure that operating systems and any applications are operating properly. Providing adequate security measures, deploying new clients when required, maintaining an inventory, and monitoring Windows clients in your environment are all essential tasks for IT administrators. This module introduces you to Windows 8.1 and provides an overview of how you can manage Windows 8.1 computers in your environment to meet common enterprise IT challenges.

Objectives
After completing this module, you will be able to:
- Explain the different options for managing Windows 8.1 in an enterprise environment.
- Describe Windows 8.1 and its UI.


Lesson 1

Managing Windows 8.1 in an Enterprise Environment


Managing Windows clients in an enterprise environment presents a variety of challenges. Windows computers that come from outside your environment, or that connect to your network through the Internet, are often outside the scope of central configuration management tools. Moreover, even central configuration management tools have limitations that create challenges, depending on your environment. This lesson highlights some of the most common challenges facing administrators in the client environment and the solutions that are available for Windows 8.1 devices.

Lesson Objectives
After completing this lesson, you will be able to:
- Describe the challenges of managing devices in today's enterprise environment.
- Identify solutions for managing Windows 8.1 on an internal network.
- Identify solutions for managing Internet-based Windows 8.1 devices.
- Identify solutions for managing resource access for devices that are not domain-joined.
- Explain how to manage Windows 8.1 devices by using enterprise management systems.

Challenges of Managing Devices in Today's Enterprise Environment


Managing devices in an enterprise environment consists of many different challenges. Some of these challenges center around the configuration of the network environment, while others are based on the type and configuration of clients in the environment. Device management can be placed into several different categories:

Network Configuration Challenges


Network configuration challenges primarily relate to how a client is connected to the enterprise, or whether it is connected at all. Some examples of network configuration challenges include:
- Virtual private network (VPN) clients cannot connect to a network with the same functionality as internal clients.
- Clients that are not connected to a network do not have access to resources.
- A remotely connected client does not have enough network bandwidth available to run applications that are hosted on enterprise servers.

Client Configuration Challenges

Challenges related to client configuration typically involve not being able to enforce a configuration standard, or being forced to perform the tedious task of manually configuring devices on an unplanned basis:
- Client computers that are not managed centrally might have different, potentially conflicting configurations.
- Centralized configuration management might not reach all clients in an enterprise network, and typically cannot configure clients outside of an enterprise network.
- Mobile devices that require specific configuration are left misconfigured or are unaccounted for.

Security and Privacy Challenges


When assessing security and privacy-related challenges, you should consider several scenarios:

- Clients do not have consistent and current protection from malware and other malicious content.
- Permissions and access to client settings might be different from client to client.
- Users who bring their own devices and connect to an enterprise network could potentially compromise enterprise security standards.
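The first two items above are the ones a practitioner can measure on a single client before any central tooling is in place. The following is an added example and is not part of the 20687C courseware: a local posture check that reports whether the client is domain-joined at all (and so reachable by Group Policy), whether Windows Defender real-time protection is on and its signatures are current, and whether any Windows Firewall profile is disabled. It assumes a Windows 8.1 client with the built-in Defender and NetSecurity PowerShell modules, an elevated session, and a three-day signature-age threshold that is an assumed value rather than a Microsoft default.

```powershell
# Added example, not part of the 20687C courseware.
# Local posture check for the "security and privacy challenges" listed above.
# Assumptions: Windows 8.1 client with the built-in Defender (Get-MpComputerStatus)
# and NetSecurity (Get-NetFirewallProfile) modules; run from an elevated session.
# The 3-day signature-age threshold is an assumed value, not a Microsoft default.

function Get-ClientPosture {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $mp = Get-MpComputerStatus
    $fw = Get-NetFirewallProfile

    [pscustomobject]@{
        ComputerName             = $cs.Name
        DomainJoined             = [bool]$cs.PartOfDomain
        Domain                   = $cs.Domain            # workgroup name if not joined
        RealTimeProtection       = [bool]$mp.RealTimeProtectionEnabled
        SignatureAgeDays         = ((Get-Date) - $mp.AntivirusSignatureLastUpdated).Days
        # Profile.Enabled is a GpoBoolean (True/False/NotConfigured); anything but
        # True means the profile is not enforcing the firewall.
        FirewallProfilesDisabled = @($fw | Where-Object { $_.Enabled -ne 'True' } |
                                     Select-Object -ExpandProperty Name)
    }
}

function Test-ClientPosture {
    param([int]$MaxSignatureAgeDays = 3)

    $p = Get-ClientPosture
    $findings = New-Object System.Collections.Generic.List[string]

    if (-not $p.DomainJoined) {
        $findings.Add("Not domain-joined (workgroup '$($p.Domain)'); Group Policy cannot manage this client")
    }
    if (-not $p.RealTimeProtection) {
        $findings.Add('Windows Defender real-time protection is disabled')
    }
    if ($p.SignatureAgeDays -gt $MaxSignatureAgeDays) {
        $findings.Add("Windows Defender signatures are $($p.SignatureAgeDays) days old")
    }
    if ($p.FirewallProfilesDisabled.Count -gt 0) {
        $findings.Add("Windows Firewall is off for profile(s): $($p.FirewallProfilesDisabled -join ', ')")
    }

    [pscustomobject]@{
        ComputerName = $p.ComputerName
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings.ToArray()
    }
}

# Usage on the client itself:
# Test-ClientPosture | Format-List
# Across domain-joined clients that allow PowerShell remoting:
# Invoke-Command -ComputerName LON-CL1, LON-CL2 -ScriptBlock ${function:Test-ClientPosture}
```

The check reports rather than remediates: on a domain-joined client the fix belongs in Group Policy, and on a non-domain device the finding itself (no central management reach) is the point the lesson is making.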

Resource Access Challenges

Users need access to resources on a network. Missing or misconfigured access to files and printers can have a significant negative impact on business activity in an organization. Examples of resource access challenges include:
- Access to files and shared folders differs from client to client.
- Installed printers are not consistent from client to client.
- Files stored on an enterprise network are not available when a client is disconnected.
- Access to profile and user data differs from client to client.
- User profile data gets corrupted.

Solutions for Managing Windows 8.1 on an Internal Network


The most robust management environment for a Windows 8.1 client is when it is connected to an internal network. You can use a number of server-based configuration mechanisms to configure Windows 8.1 clients.

Group Policy

You can configure Windows 8.1 devices effectively by using centralized configuration management. In the Active Directory Domain Services (AD DS) environment common to most Windows-based networks, you can use Group Policy to provide centralized configuration management for Windows client computers. When a Windows 8.1 client joins an AD DS domain, you can use Group Policy to specify configuration settings for a client computer, including UI elements, security settings, available applications and features, and operating system functionality. You also can use Group Policy to distribute common settings to client computers, such as mapped drives, printers, or environment variables. You can set Group Policy to affect as narrow or broad a scope of client devices as you determine, provided that the clients are connected to the domain where you implement the Group Policy.


User Experience Virtualization

You can use Microsoft User Experience Virtualization (UE-V) to provide consistent and synchronized user settings for Windows 8.1 computers. With UE-V, user settings are stored remotely and synchronized to client computers when users sign in and whenever users change their environment. The result is a consistent user environment across devices.

Solutions for Managing Internet-based Windows 8.1 Devices


Clients that connect from the Internet can provide unique challenges for administrators. Windows 8.1 and Windows Server 2012 R2 provide several options for enabling greater management control of Windows 8.1 computers that are connected to the Internet, but are not directly connected to your internal network.

VPN

VPN connectivity has been a long-standing connectivity option for Internet-based clients. A VPN enables a client to connect to an internal network through a VPN server, which typically is located in a perimeter network. Over the VPN, the user authenticates to the network environment and can gain access to network resources. VPN connections provide a very limited scope of management. Common configuration management methods such as Group Policy typically do not function over a VPN connection: a user-initiated VPN is established only after the computer has started and the user has signed in, so computer startup and user logon policy processing never see the internal network, and policy can at best refresh in the background while the tunnel is up.

DirectAccess
DirectAccess takes the concept of VPN and uses Windows Server 2012 R2 technology to enable an Internet-based client to connect to a domain controller on an internal network, authenticate a client computer account, and accept sign-ins from users as if the client computer is connected to the internal network. Because the appropriate authentication has been performed, you can manage DirectAccess clients by using Group Policy, and they appear to other enterprise management systems as if they were connected to the internal network.

Solutions for Managing Resource Access for Non-Domain Devices


Windows 8.1 provides several features that enable computers that are not joined to a domain to function as you require. These devices are becoming more common and important to the overall client management process as organizations adopt policies that enable users to bring their own devices into the workplace, a scenario known as Bring Your Own Device (BYOD).

Workplace Join

Workplace Join enables a device to be neither completely joined to a domain, nor completely isolated from it. With Workplace Join, users can work on a device of their choosing and still have access to enterprise network resources. IT administrators can control access to resources and provide a finer level of control over devices that register through Workplace Join.

Work Folders

Work Folders enable users to synchronize their data from their user folder on a network to their own device. When you implement Work Folders, locally created files also are synchronized back to a network folder location. You can configure Work Folders to synchronize network files without having a client joined to a domain. In versions prior to Windows 8.1 and before Work Folders were introduced, domain membership was required for this type of synchronization, and the client had to be connected to a corporate network to initialize synchronization.

Remote Business Data Removal

With Windows 8.1 and Windows Server 2012 R2, you can use remote business data removal to classify and flag corporate files and to differentiate between these files and user files. With this classification, the remote wipe of a Windows 8.1 device will not remove user-owned data when securing or removing corporate data on the device.

Managing Windows 8.1 Devices by Using Enterprise Management Systems


In addition to the management capabilities native to Windows 8.1 and Windows Server 2012 R2, Microsoft also provides centralized configuration management tools that you can use to provide more comprehensive management of Windows devices both inside and outside of your enterprise network.

System Center 2012 R2 Configuration Manager

Microsoft System Center 2012 R2 Configuration Manager is an on-premises solution for managing desktop computers and mobile devices. To manage computers with Configuration Manager, you need to install the Configuration Manager agent. Configuration Manager has the following capabilities:

- Deploy applications. Configuration Manager enables you to deploy packaged applications to devices in your environment.
- Manage Endpoint Protection. Managing Microsoft System Center 2012 Endpoint Protection from within Configuration Manager allows you to use a single console to manage desktop computers and devices.
- Deploy software updates. Configuration Manager uses the basic infrastructure of Windows Server Update Services (WSUS) to provide software updates.
- Deploy operating systems. Configuration Manager expands the capabilities of Windows Deployment Services.
- Inventory hardware and software. Configuration Manager includes hardware and software inventory capabilities.
- Track license compliance for software. You can use the Asset Intelligence and software metering features in Configuration Manager to track license compliance.

Windows 8.1 in an Enterprise Environment

Windows Intune
Windows Intune is a cloud service that you can use to secure and manage Windows client computers and mobile devices. It uses a subscription-based model that does not require any on-premises infrastructure to manage supported Windows client computers. Windows Intune can manage clients irrespective of whether they are workgroup or domain members and without regard for their network settings, as long as they are accessible over the Internet.

After you install the Windows Intune client software, a computer account is created in Windows Intune, and you can then manage that computer centrally. You can install the Windows Intune client in various ways, such as by using Group Policy, by including it in a desktop image, or through the Windows Intune company portal. An administrator also can deploy the client manually on a per-computer basis. Windows Intune provides several benefits, including:

- Updates. Windows Intune ensures that updates are installed on client computers. All updates that are available through Windows Update are available with Windows Intune, and you also can deploy other, non-Microsoft updates by using Windows Intune.
- Endpoint Protection. Windows Intune includes Windows Intune Endpoint Protection, which provides real-time protection against malware such as viruses and spyware.
- Software deployment. You can use Windows Intune to deploy software such as Windows client operating systems or apps from Microsoft or third parties.
- Monitoring and alerting. Windows Intune can monitor client computers and raise an alert when certain criteria are met.
- Reporting. Windows Intune provides several reports, such as detected software on client computers, client computer inventory, update reports, and reports on company use of licenses.

Integrating Configuration Manager and Windows Intune

The Configuration Manager 2012 R2 console now includes interoperability features that enable administrators to view all client devices irrespective of whether they are managed by Windows Intune or Configuration Manager 2012 R2. This enables you to add any mobile devices that you manage with Windows Intune into the Configuration Manager 2012 R2 console. You then can manage all the devices through a single administrative tool.

If your company does not have System Center 2012 R2 Configuration Manager you can still use Windows Intune to manage mobile devices and Windows client computers. However, if you already have Configuration Manager 2012 R2 installed, Windows Intune enables you to extend the reach of your management infrastructure to include mobile devices through cloud services. Configuration Manager 2012 R2 still has more client computer management features than Windows Intune. However, Configuration Manager 2012 R2 only includes a limited set of mobile device management features because it relies on Windows Intune for those tasks.


Lesson 2

Overview of Windows 8.1

Windows 8.1 is the latest version of the Windows client operating system. It includes the same core functionality as Windows 8, along with several important enhancements and functionality improvements that impact an enterprise environment. This lesson introduces you to Windows 8.1, demonstrates changes to the UI, and shows you how to customize the interface and other Windows 8.1 settings.

Lesson Objectives
After completing this lesson, you will be able to:

- Describe the user experience.
- Describe the Windows desktop versus the Start screen.
- Describe how to customize the Windows 8.1 UI.
- Describe Start screen control.
- Explain how to customize Windows 8.1 settings.
- Describe Windows Store apps.

Overview of the User Experience


Windows 8.1 is designed for navigation and functionality on touch-enabled devices and on devices that are equipped with a keyboard and mouse. When you sign in to Windows 8.1, you are presented with a series of interfaces:

1. Sign-in screen. At the sign-in screen, you must click or swipe to the top of the screen to access the credentials screen. From here, you can provide your credentials to sign in to the computer. These can be for a local user account or a domain user account, provided that the computer is joined to an AD DS domain. You also can adjust Ease of Access features, change network connections, and shut down or restart the computer.
2. Start screen. After signing in to Windows 8.1, you are presented with the Start screen. The Start screen contains tiles that represent apps installed on the computer.
3. Desktop. By clicking the Desktop tile on the Start screen, you can access the desktop, which appears whenever you run desktop apps.

Important Windows 8.1 Navigation Shortcuts

You can access Windows 8.1 interface elements with several convenient touch gestures, mouse gestures, and keyboard shortcuts:

- Start screen. Click the Start button on the taskbar or press the Windows logo key on the keyboard.
- Display Charms menu. Point to the upper-right or lower-right corner, or press Windows logo key+C on the keyboard.
- Get commands and shortcut menus. On the Start screen or in Windows Store apps, right-click the screen or press Windows logo key+Z. On a touch-screen device, you also can swipe up from the bottom of the screen to access these commands and menus.
- Switch between recently used apps. Point to the upper-left corner with the mouse and then click, or swipe in from the left on a touch-screen device.
- Close an app. With a Windows Store app open, move the mouse to the top of the screen, click, and then drag down to the bottom of the screen. You also can swipe down from the top on a touch-screen device or press Alt+F4 on the keyboard.
- Display the Quick Link menu. Right-click the Start button or press Windows logo key+X on the keyboard to display a menu of commonly used shortcuts to Windows interface components such as the Shutdown menu, Task Manager, Command Prompt, and Control Panel.

Other Touch-Enabled Gestures


You can navigate the Windows 8.1 interface by using the following gestures on touch-screen devices:

- Pinch to zoom. Pinch or stretch with two fingers to zoom in many apps and on the Start screen; reversing the gesture reverses the zoom.
- Press, hold, drag and drop. You can use this gesture to move interface elements around in Windows Store apps or to move and edit tiles on the Start screen.

Other Keyboard Shortcuts


The following keyboard shortcuts provide access to other Windows 8.1 interface components:

- Windows logo key+D. Display and hide the desktop.
- Windows logo key+E. Open File Explorer.
- Windows logo key+F. Open the Search charm to search files.
- Windows logo key+H. Open the Share charm.
- Windows logo key+I. Open the Settings charm.
- Windows logo key+J. Switch between the main app and a snapped app.
- Windows logo key+K. Open the Devices charm.
- Windows logo key+L. Lock the computer or switch users.
- Windows logo key+O. Lock the screen orientation for accelerometer-enabled devices.
- Windows logo key+P. Choose a presentation mode for multiple monitors.
- Windows logo key+Q. Open the Search charm to search for apps.
- Windows logo key+R. Open the Run dialog box.
- Windows logo key+W. Open the Search charm to search settings.
- Windows logo key+Spacebar. Switch input language and keyboard layout.
- Windows logo key+Tab. Cycle through Windows Store apps.
- Windows logo key+Page Up or Page Down. Move the Start screen and apps to the next monitor.

For more information on the keyboard shortcuts in Windows 8.1, refer to: Microsoft Accessibility: Keyboard Shortcuts http://go.microsoft.com/fwlink/?LinkId=356124&clcid=0x409

Windows Desktop vs. the Start Screen


Windows 8.1 supports the following two app types:

- Desktop apps. These run in the context of the desktop in the same way they did in previous versions of Windows operating systems.
- Windows Store apps. These are full-screen, touch-optimized apps that run in the context of the Start screen.

The Windows desktop has been the traditional starting point in Windows client operating systems for almost 20 years. In Windows 8 and Windows 8.1, the Start screen provides a new startup experience for the end user. The Start screen contains tiles, which represent apps that are installed on the computer. These tiles can be static, or they can provide live information from the application. For example, the tile for a weather app might provide the current temperature in your area. The Start screen is designed to provide quick access to commonly used apps on your computer.

Starting Windows 8.1 to the Desktop


If your organization does not use any Windows Store apps, or if it has the majority of its applications hosted in the desktop environment, you might want to start Windows 8.1 computers to the desktop rather than the Start screen. To configure a Windows 8.1 computer to start to the desktop, use the following procedure:

1. On the desktop, right-click the taskbar, and then click Properties.
2. On the Navigation tab, in the Start screen section, select the Go to the desktop instead of Start when I sign in check box.

Demonstration: Customizing the Windows 8.1 UI


In this demonstration, you will see how to customize the Windows 8.1 UI.

Demonstration Steps
1. Sign in to LON-CL1 as Adatum\Adam with the password Pa$$w0rd.
2. Open and close the Photos app.
3. Change the size of the Photos tile to Wide.
4. Move the Photos tile.
5. Unpin the Photos tile from the Start screen.
6. Open the Applications screen by clicking the down arrow at the bottom of the Start screen.
7. Pin the Calculator tile to the Start screen.
8. Open the desktop.
9. Open the Quick Link menu, and then open Command Prompt.
10. Configure Windows 8.1 to start to the desktop instead of the Start screen.

Overview of Start Screen Control


Windows 8.1 enables you to control the layout of the Start screen by using the Windows PowerShell command-line interface and Group Policy in AD DS. You can use this functionality to configure a Windows 8.1 computer with a Start screen that is representative of what your end users should have, export the configuration to an XML file, and then use Group Policy to enforce the Start screen layout for your users.

Configuring Start Screen Control


To configure Start screen control, follow this procedure:

1. Configure the Start screen layout on a Windows 8.1 computer.
2. Run the Export-StartLayout Windows PowerShell cmdlet and specify the output file. For example: Export-StartLayout -Path C:\path\StartLayout.xml -As XML
3. Store the StartLayout.xml file in a network location where users have read permission but cannot modify the file.
4. Edit the local policy on a Windows 8.1 computer, or create or edit a Group Policy Object (GPO), and configure one of the following Group Policy settings to specify the location of the StartLayout.xml file:
   o Computer Configuration\Policies\Administrative Templates\Start Menu and Taskbar\Start Screen Layout
   o User Configuration\Policies\Administrative Templates\Start Menu and Taskbar\Start Screen Layout
5. Link the GPO in the Group Policy Management Console if you use Group Policy.

Note: When you use Start screen control to set the layout of the Windows 8.1 Start screen, users cannot customize or make changes to the Start screen.
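The procedure above carried through in Windows PowerShell, as an added example that is not part of the course text. It exports the layout from the reference computer, copies it to a share, checks that no ordinary user can write to the file (a writable layout file would let any user replace the Start screen that is pushed to everyone), and then writes the two registry values behind the Start Screen Layout policy into a GPO. The share path, GPO name and OU are assumed lab values; the registry value names are the ones the Start Menu ADMX defines for this policy, so verify them with gpresult on a test client.

```powershell
# Added example (not from the course text): automate Start screen control.
# Step 1 runs on the reference Windows 8.1 computer; steps 2-4 run where the
# GroupPolicy module is available (a domain controller or a computer with RSAT).

# 1. Export the layout you arranged by hand on the reference computer.
$layoutFile = 'C:\Temp\StartLayout.xml'
Export-StartLayout -Path $layoutFile -As XML

# 2. Publish the file on a share that users can read but not modify.
$share = '\\LON-DC1\StartLayout'            # assumed: pre-created, read-only for users
Copy-Item -Path $layoutFile -Destination $share -Force
$published = Join-Path $share 'StartLayout.xml'

# Flag any Allow ACE that grants write rights to a non-administrative identity.
$acl = Get-Acl -Path $published
$writers = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference -notmatch 'Administrators|SYSTEM' -and
    $_.FileSystemRights -match 'Write|Modify|FullControl'
}
if ($writers) {
    Write-Warning "StartLayout.xml is writable by non-administrators; fix the ACL before linking the GPO:"
    $writers | Format-Table IdentityReference, FileSystemRights -AutoSize
}

# 3. Create (or reuse) a GPO and set the values that the Start Screen Layout
#    policy writes: StartLayoutFile (path) and LockedStartLayout (1 = enforced).
#    The HKCU key corresponds to the User Configuration setting listed above;
#    use HKLM for the Computer Configuration variant.
Import-Module GroupPolicy
$gpoName = 'Adatum Start Layout'            # assumed GPO name
try   { $gpo = Get-GPO -Name $gpoName -ErrorAction Stop }
catch { $gpo = New-GPO -Name $gpoName }

$policyKey = 'HKCU\Software\Policies\Microsoft\Windows\Explorer'
Set-GPRegistryValue -Name $gpoName -Key $policyKey -ValueName 'StartLayoutFile' `
    -Type String -Value $published | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $policyKey -ValueName 'LockedStartLayout' `
    -Type DWord -Value 1 | Out-Null

# 4. Link the GPO to the OU that contains the users it should apply to.
New-GPLink -Name $gpoName -Target 'OU=Staff,DC=adatum,DC=com' | Out-Null   # assumed OU
```

On a client, run gpupdate /target:user /force and sign out and back in; the Start screen then follows the XML and, as the note above says, users can no longer rearrange it. Removing the GPO link does not restore customizations that users made before the policy applied.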


Customizing Windows 8.1 Settings


Windows 8.1 has a large number of computer settings that you can configure to provide the optimal interface for your users. You can configure most of the Windows 8.1 settings in one of two locations: the PC Settings screen, or Control Panel.

PC Settings

The PC Settings screen contains configuration options that you can apply to the Windows Start screen interface. It also provides a touch-screen optimized configuration interface for Windows 8.1 settings that you can configure elsewhere in Windows 8.1. You can access the PC Settings screen by opening the Charms menu, clicking Settings, and then clicking PC Settings at the bottom of the menu. The following settings are available within the PC Settings screen:

- Activate Windows. You can activate your version of Windows 8.1 from this screen.
- PC & devices. The PC & devices screen contains a large number of configuration settings for the look and feel of Windows 8.1, such as the lock screen view; display resolution and orientation; and mouse, touchpad, and other input device behavior. It also contains sections for adding and removing peripheral devices, such as printers.
- Accounts. You can configure both local and Microsoft accounts from this screen, including sign-in options such as the account picture and picture passwords.
- SkyDrive. You can view and configure your SkyDrive online storage space from this screen.
- Search & apps. You can use this screen to control your search experience in Windows 8.1 and the default settings for tasks such as notifications and default apps.
- Privacy. You can control the behavior of devices such as cameras and location-based behavior from this screen.
- Network. You can use the Network screen to manipulate network settings and connect to new networks.
- Time & language. You can use this screen to configure local and regional settings for time and language display and input.
- Ease of Access. The Ease of Access screen contains settings that enable the customization of input and display methods.
- Update & recovery. The Update & recovery screen presents options for updating your computer, recovering previous versions of files, or enabling advanced recovery modes for Windows 8.1.

Demonstration: Customizing Windows 8.1 Settings


In this demonstration, you will see how to customize Windows 8.1 settings.

Demonstration Steps
1. Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.
2. Open the Change PC Settings screen.
3. Open the PC & devices screen.
4. Add the Weather app to the Lock screen display options.
5. Open the Accounts screen, and then view the available options.
6. Open the Search & apps screen.
7. Configure the Recent apps list to display 10 apps.

Understanding Windows Store Apps


Windows Store provides a convenient, single location for you to access and download apps. You can access the Windows Store from the Start screen without navigating to Control Panel.

Note: To access the store, users must sign in to Windows 8.1 by using a Microsoft account. Users can create this account during the Windows 8.1 installation, or they can define it after installation.

Windows Store Apps

Windows Store enables users to access and install Windows Store apps. These apps are not like desktop applications such as Microsoft Office 2010. Rather, they are full-screen apps that can run on a number of device types, including x86, x64, and ARM platforms. However, not all Windows Store apps are compatible with all platforms. These apps can communicate with one another and with Windows 8.1 so that it is easier to search for and share information such as photographs. After an app is installed, its tile on the Start screen can be a live tile that constantly updates with information from the app.

Locating Apps

When users connect to the Windows Store, the landing page (that is, the initial page users see when accessing the Windows Store) is designed to make apps easy to locate. Apps are divided into categories such as Games, Entertainment, Music & Videos, and others. Users also can use the Windows 8.1 Search charm to search the Windows Store for specific apps. For example, if a user is interested in an app that provides video-editing capabilities, he or she can bring up the Search charm, type in a search string, and then click Store. The Windows Store returns suitable apps from which the user can make a selection.

Installing Apps

A single tap or click on the appropriate app in the listing should be sufficient to install the app. The app installs in the background so that a user can continue to browse the Windows Store. After the app is installed, a tile for the app appears on the user's Start screen.


Updating Apps

Windows 8.1 checks the Windows Store for updates to installed apps on a daily basis. When an update for an installed app is available, the Windows operating system updates the Store tile in the Start screen to display an indication that updates are available. When a user selects the Store tile and connects to the Windows Store, the user can choose to update one, several, or all of the installed apps for which updates are available.

Installing Apps on Multiple Devices

Many users have multiple devices, such as desktop and laptop computers. Windows Store allows five installations of a single app to enable users to run the app on all of their devices. If users attempt to install an app on a sixth device, they are prompted to remove the app from another device.


Module Review and Takeaways


Review Question
Question: What is the advantage of implementing both Windows Intune and System Center 2012 R2 Configuration Manager?


Module 2
Installing and Deploying Windows 8.1
Contents:
Module Overview                                                           2-1
Lesson 1: Preparing to Install and Deploy Windows 8.1                     2-2
Lesson 2: Installing Windows 8.1                                          2-12
Lab A: Installing Windows 8.1                                             2-24
Lesson 3: Customizing and Preparing a Windows 8.1 Image for Deployment    2-27
Lab B: Customizing and Capturing a Windows 8.1 Image                      2-39
Lesson 4: Volume Activation for Windows 8.1                               2-44
Lab C: Deploying a Windows 8.1 Image                                      2-52
Module Review and Takeaways                                               2-54

Module Overview

The Windows 8.1 operating system builds on the core functionality of Windows 8 and Windows 7 to provide a stable client experience across many device form factors and processor architectures. In this module, you will learn about the features available in different Windows 8.1 editions. This module introduces planning considerations and hardware requirements for Windows 8.1 installation. You also will learn about the importance of device driver compatibility and application compatibility during installation.

This module describes how you can perform a clean installation of Windows 8.1. It also describes how you can upgrade or migrate to Windows 8.1 and the upgrade paths that are supported. You will learn about the tools and technologies that you can use to customize an installation. You also will learn about Windows 8.1 activation and the different activation options.

Objectives
After completing this module, you will be able to:

- Prepare to install and deploy Windows 8.1.
- Install Windows 8.1.
- Customize and prepare a Windows 8.1 image for deployment.
- Describe volume activation for Windows 8.1.


Lesson 1

Preparing to Install and Deploy Windows 8.1

Before you install Windows 8.1 on a computer, you must ensure that the hardware and software on that computer is compatible with it. As you prepare for the installation, you must understand the minimum hardware requirements and the installation methods that you can use.

In this lesson, you will learn about the planning process for a successful Windows 8.1 installation and deployment. You will learn how to identify problematic devices, drivers, and apps, and you will determine methods for mitigating compatibility issues. By doing so, you can minimize or eradicate the problems you might face during or after installation.

Lesson Objectives
After completing this lesson, you will be able to:

- Describe how to plan for a Windows 8.1 installation.
- Identify considerations for deploying Windows 8.1 in an enterprise environment.
- Identify hardware requirements for installing Windows 8.1.
- Describe how to determine device driver compatibility.
- Describe common application compatibility issues.
- Describe methods for mitigating common application compatibility issues.

Planning for a Windows 8.1 Installation


You can install Windows 8.1 as an upgrade to an existing and supported Windows operating system, such as Windows 7 or Windows 8. You also can install it on a new computer that does not have an operating system. When you are planning for a Windows 8.1 installation, you should consider the following factors:

- Windows 8.1 is available in three editions: Windows 8.1, Windows 8.1 Pro, and Windows 8.1 Enterprise. You should select the edition that includes the features that you need while minimizing licensing costs.
- You can perform a clean Windows 8.1 installation or upgrade an existing operating system. An upgrade retains files, apps, and settings from the operating system that you upgraded. A clean installation includes only the default settings and apps from the Windows 8.1 installation. You also can perform a clean installation and then load saved user settings from the previous environment.
- All Windows 8.1 editions are available in 32-bit and 64-bit versions. Both versions include the same features, but 64-bit versions support more memory and provide better security because they require digitally signed device drivers.
- Verify that your computer and devices are compatible with Windows 8.1 and that device drivers for all components are available.
- Verify that the apps that you plan to use are compatible with Windows 8.1 and that they are supported on that platform.
- You can deploy Windows 8.1 by using different methods. You should select a deployment method based on the existing environment and the number of computers that you must deploy. The deployment methods you can use include the following:
  o Running Setup from DVD media.
  o Performing an installation from a network share.
  o Using Windows Deployment Services (Windows DS).
  o Using software deployment solutions such as Microsoft System Center 2012 R2 Configuration Manager (Configuration Manager).


Windows 8.1 Editions


Windows 8.1 is available in three separate editions:

- Windows 8.1. This edition contains only the key operating system features. It can run apps such as the Microsoft Office System, and it is appropriate for use in home environments, which do not require features such as BitLocker Drive Encryption and DirectAccess. From a planning perspective, it is important to note that you cannot join computers running this edition of Windows 8.1 to a Microsoft Active Directory Domain Services (AD DS) domain. Also important to note is that you can activate this edition of Windows 8.1 only with a retail license key.
- Windows 8.1 Pro. This edition includes features such as BitLocker, Client Hyper-V, Domain Join, Group Policy, and native boot from a virtual hard disk. This edition of Windows 8.1 is suitable for small- and medium-sized businesses that do not require technologies such as AppLocker, BranchCache, DirectAccess, and Windows To Go to meet business objectives. You can use Windows 8.1 Pro with retail license keys and with volume licensing options such as multiple activation keys (MAKs) and Key Management Service (KMS) keys.
- Windows 8.1 Enterprise. This is the edition of Windows 8.1 that you are most likely to deploy in large business environments. This edition includes all the features that are available in the Windows 8.1 operating system, from being able to join an AD DS domain to edition-specific features such as AppLocker, BranchCache, DirectAccess, Windows To Go, and the ability to sideload Windows Store apps. You can activate Windows 8.1 Enterprise only by using a volume license key.

The following table represents the key features available in each edition of Windows 8.1 (X = included; - = not available).

Feature                          Windows 8.1    Windows 8.1 Pro    Windows 8.1 Enterprise
Maximum physical CPUs            1              2                  2
Maximum memory (x86)             4 GB           4 GB               4 GB
Maximum memory (x64)             128 GB         512 GB             512 GB
Workplace Join                   X              X                  X
Work Folders                     X              X                  X
Remote Desktop                   Client only    X                  X
Domain Join                      -              X                  X
Group Policy                     -              X                  X
Boot from virtual hard disk      -              X                  X
BitLocker and BitLocker To Go    -              X                  X
Encrypting File System           -              X                  X
Client Hyper-V                   -              Only on x64        Only on x64
AppLocker                        -              -                  X
BranchCache                      -              -                  X
DirectAccess                     -              -                  X
Windows To Go                    -              -                  X

Understanding Windows RT

The Windows RT operating system is designed to run apps built on the Windows RT platform, and it is available only as a preinstalled operating system on tablets and similar devices with ARM processors. ARM provides a lightweight form factor with excellent battery life specifically for mobile devices. Windows RT is preloaded with touch-optimized versions of Microsoft Office apps and is otherwise limited to running Windows Store apps. Devices running Windows RT cannot be members of AD DS domains, but they can use Workplace Join and Work Folders.

Advantages of 64-bit Windows 8.1 Versions

Each Windows 8.1 edition is available in 32-bit and 64-bit versions. The 64-bit versions of Windows 8.1 are designed to work with computers that use the 64-bit processor architecture. Although the 64-bit versions are similar in features to their 32-bit counterparts, there are several advantages to using a 64-bit version of Windows 8.1, including the following:

- Improved performance. 64-bit processors can process more data for each clock cycle, and therefore you can scale your apps to run faster. However, to benefit from this improved processor capacity, you must install a 64-bit version of the operating system.
- Enhanced memory. A 64-bit operating system can use random access memory (RAM) more efficiently, and it can address memory above 4 gigabytes (GB). This is unlike all 32-bit operating systems, including all 32-bit versions of Windows 8.1, which are limited to 4 GB of addressable memory.
- Improved device support. Although 64-bit processors have been available for some time, in the past it was difficult to obtain third-party drivers for commonly used devices such as printers, scanners, and other common office equipment. Since the release of the 64-bit versions of Windows 7, the availability of drivers for these devices has improved greatly. Because Windows 8.1 is built on the same kernel lineage as Windows 7, most of the drivers that work with Windows 7 also work with Windows 8 and Windows 8.1.
- Improved security. The architecture of 64-bit processors enables a more secure operating system environment through Kernel Patch Protection, mandatory kernel-mode driver signing, and Data Execution Prevention.
- Support for the Client Hyper-V feature. This feature is supported only in the 64-bit versions of Windows 8.1. Client Hyper-V requires a 64-bit processor architecture that supports second level address translation (SLAT).

The 64-bit versions of Windows 8.1 do not support the 16-bit Windows on Windows environment. If your organization requires older 16-bit apps, they will not run natively on 64-bit versions of Windows 8.1. One solution is to run the app within a virtual environment by using Client Hyper-V.


Choosing Windows 8.1 Versions for Installation

In most cases, a computer will run the version of Windows 8.1 that corresponds to its processor architecture. A computer with a 32-bit processor will run the 32-bit version of Windows 8.1, and a computer with a 64-bit processor will run the 64-bit version of Windows 8.1. You can use the following list to determine which version of Windows 8.1 you should install on a computer:

- You can install 64-bit versions of Windows 8.1 only on computers with 64-bit processor architectures.
- You can install 32-bit versions of Windows 8.1 on computers with 32-bit or 64-bit processor architectures. When you install a 32-bit version of Windows 8.1 on a 64-bit processor architecture, the operating system does not take advantage of any 64-bit processor architecture features or functionality.
- 32-bit drivers will not work on 64-bit versions of Windows 8.1. If you have hardware that is supported by 32-bit drivers only, you must use a 32-bit version of Windows 8.1, regardless of the computer's processor architecture.
- You can install 32-bit versions of Windows 8.1 on 64-bit architecture computers to support older 16-bit apps or for testing purposes.

Question: Can you use Microsoft Office 2013 on Windows RT?

Considerations for Deploying Windows 8.1 in the Enterprise Environment

You must consider several important differences if you are considering Windows 8.1 deployment for several computers in a small company versus deployment in an enterprise environment. In a small company, you can use Windows Setup and deploy Windows 8.1 individually on each computer. However, such an approach is not appropriate for an enterprise environment that already has AD DS and infrastructures in place for management, updating, and deployment. In an enterprise environment, Windows 8.1 is deployed on several client computers at once. Deployment solutions such as Windows DS, Microsoft Deployment Toolkit (MDT), or Configuration Manager typically are used, and a high level of automation is necessary. You can use Windows DS to deploy Windows 8.1 to multiple client computers at once by using multicast. You also can use Configuration Manager to deploy Windows 8.1 without any user interaction. This type of deployment is called zero-touch installation (ZTI).

Because you typically use Windows 8.1 to upgrade an existing environment, users already have their accounts and settings. You need to preserve user state during the deployment, which means that you must perform either an upgrade or a migration. In an enterprise environment, you usually would use migration because it provides a clean and standardized environment, and it removes all the legacy files that might exist on computers. You also can control what is migrated from a previous environment. In many cases, enterprises use Folder Redirection and roaming profiles (both technologies are referred to as user state virtualization), which means that user state is not stored locally, and you do not need to migrate it at all. In such cases, when users sign in to a Windows 8.1 computer, their settings will be applied, and they will have access to their documents.

The default Windows 8.1 installation image often is customized to include specific requirements for an enterprise. For example, apps that are used on all clients, such as Microsoft Office 2013, are included in the installation image, in addition to language packs, additional device drivers, and updates. Apps that are used in an enterprise must be verified for compatibility with Windows 8.1, and when a customized installation image is built, it must pass extensive testing. All these factors and the large number of clients to which Windows 8.1 must be deployed make Windows 8.1 deployment in an enterprise environment a lengthy project that requires extensive planning, preparation, and testing.

Question: Why do enterprises not use the default Windows 8.1 DVD media to perform installations?

Hardware Requirements for Installing Windows 8.1


Windows 8.1 can run on older computer configurations, and many computers in enterprises today can meet the minimum hardware requirements easily. The Windows 8.1 kernel has been refined and improved from Windows 7, and in many cases, you might see general performance improvements on a computer in several different areas. Windows 8.1 installation might be successful if some of the minimum recommended hardware requirements are not met. However, user experience and operating system performance might be compromised if the computer does not meet or exceed recommended specifications. The following list outlines the minimum recommended hardware requirements for Windows 8.1: 1 gigahertz (GHz) or faster processor. 1 GB RAM (32-bit) or 2 GB RAM (64-bit). 16 GB available hard disk space (32-bit) or 20 GB available hard disk space (64-bit). A DirectX 9 graphics device with a device driver that supports Windows Display Driver Model (WDDM) 1.0 or newer.

In addition to these hardware requirements, Windows 8.1 includes several features that require a specific hardware configuration before they will install or run correctly. These features are as follows:

- The Windows 8.1 secured boot process requires a pre-boot environment that is based on Unified Extensible Firmware Interface (UEFI). The secured boot process takes advantage of UEFI to prevent starting unknown or potentially unwanted operating system boot loaders between the system's BIOS start and the Windows 8.1 operating system start. The secure boot process is not mandatory for Windows 8.1, but it greatly increases the integrity of the boot process.

- Client Hyper-V requires a 64-bit processor architecture that supports Second Level Address Translation (SLAT). SLAT reduces the overhead incurred during the virtual-to-physical address mapping process performed for virtual machines.


- The BitLocker and Virtual Smart Card features require a computer that supports Trusted Platform Module (TPM) to provide the most seamless and secure experience. TPM allows the storage of BitLocker encryption keys and Virtual Smart Cards within a microcontroller on a computer's motherboard.

- Miracast is a Windows 8.1 feature that you can use to share your display with a Miracast-enabled display or projector over a wireless connection. This feature requires a display adapter that supports Miracast and uses a device driver that is designed for Windows 8.1.

- To use touch and gestures as an input method, a tablet or monitor must support multitouch. If your device does not support such input, you can still use a mouse and keyboard.

- Windows Store apps require a minimum of 1366 x 768 screen resolution for the Snap feature. This feature enables you to use Windows 8.1 apps side by side, making the app viewable while you use other Windows Store apps. You cannot use Windows Store apps with a resolution that is lower than 1024 x 768, because you will receive an error message if you start one in such a configuration.

- Windows 8.1 includes support for three-dimensional (3-D) printing, but you should have a supported 3-D printer device to be able to use 3-D printing.

Question: Do you have to create a virtual machine with at least 1 GB of memory if you want to install Windows 8.1 Pro on that virtual machine?
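The following script is an added example, not part of the course text, that checks a computer against the minimum requirements listed above and reports on the optional hardware-backed features (UEFI Secure Boot, TPM, SLAT) from the same list. It assumes it is run in an elevated PowerShell session on Windows 8 or later, and it uses only standard CIM classes and cmdlets (Win32_Processor, Win32_ComputerSystem, Win32_LogicalDisk, Confirm-SecureBootUEFI, Get-Tpm). The WDDM graphics requirement is not checked here because CIM does not expose the driver model directly.

```powershell
function Test-Windows81Requirements {
    [CmdletBinding()]
    param(
        # Drive whose free space is checked; defaults to the current system drive
        [string]$SystemDrive = $env:SystemDrive
    )

    $cpu  = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $os   = Get-CimInstance -ClassName Win32_OperatingSystem
    $disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$SystemDrive'"
    $is64 = $os.OSArchitecture -like '64*'

    # Minimums from the list above; the 64-bit edition needs more RAM and disk space
    $minRamGB  = if ($is64) { 2 }  else { 1 }
    $minDiskGB = if ($is64) { 20 } else { 16 }

    $checks = [ordered]@{}
    # MaxClockSpeed is reported in MHz
    $checks['Processor 1 GHz or faster'] = ($cpu.MaxClockSpeed -ge 1000)
    # Firmware reserves some memory, so the reported total is a little below the installed
    # amount; a 5% margin keeps a machine with exactly the minimum from failing the check
    $checks["RAM $minRamGB GB or more"] = ($cs.TotalPhysicalMemory -ge ($minRamGB * 1GB * 0.95))
    $checks["Free disk $minDiskGB GB or more on $SystemDrive"] = ($disk.FreeSpace -ge ($minDiskGB * 1GB))

    # Secure Boot needs UEFI firmware; on a BIOS system the cmdlet throws, which counts as "not available"
    try   { $checks['UEFI Secure Boot enabled (optional)'] = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $checks['UEFI Secure Boot enabled (optional)'] = $false }

    # A TPM backs BitLocker keys and virtual smart cards; Get-Tpm needs an elevated session
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        $checks['TPM present (optional)'] = [bool]$tpm.TpmPresent
        $checks['TPM ready (optional)']   = [bool]$tpm.TpmReady
    }
    catch {
        $checks['TPM present (optional)'] = $false
        $checks['TPM ready (optional)']   = $false
    }

    # Client Hyper-V needs a 64-bit CPU with SLAT; this CIM property exists on Windows 8 and later
    $checks['64-bit CPU with SLAT (Client Hyper-V)'] = (($cpu.AddressWidth -eq 64) -and [bool]$cpu.SecondLevelAddressTranslationExtensions)

    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Passed = [bool]$checks[$name] }
    }
}

# Usage: run in an elevated session and review the rows where Passed is False
Test-Windows81Requirements | Format-Table -AutoSize
```

The optional rows are reported but do not by themselves block installation, which matches the text: a machine without Secure Boot, a TPM or SLAT can still run Windows 8.1, but BitLocker with TPM protection, virtual smart cards and Client Hyper-V will not be available on it.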

Determining Device Driver Compatibility


Besides minimum hardware requirements, you also must determine the compatibility of other computer hardware. You should check devices such as printers, wireless keyboards, and wireless mice to ensure that they are compatible with Windows 8.1 and that they have functioning device drivers for Windows 8.1.

Importance of Device Drivers

A device driver is a component that the Windows operating system uses to communicate with a device. It contains device-specific code that enables the Windows operating system to use the device. Device drivers are critical for system stability, and without them, the Windows operating system cannot communicate with devices. Drivers are not only for peripherals: critical system components such as hard drive controllers, chipsets, graphics adapters, and network adapters also must have drivers loaded to function properly. If the specific driver for a device is not found, the Windows operating system can use a more generic driver for a compatible device, if one is present. Windows 8.1 includes device drivers for tens of thousands of devices, and you can add additional drivers during or after a Windows 8.1 operating system installation.

Note: All device drivers that are included with Windows 8.1 are digitally signed, and Windows 8.1 requires all device drivers and other kernel components to be digitally signed. You can disable this requirement, but we strongly discourage it.


A digital signature does not change the driver functionality; it only confirms that the device driver was not modified. Remember that 64-bit versions of Windows 8.1 require 64-bit drivers, and they cannot use 32-bit drivers (and vice versa).

Checking Hardware Compatibility

The Windows 8.1 setup process automatically checks the installation computer for device and driver compatibility. However, when an organization deploys multiple installations of Windows 8.1 at once, it is a best practice to ensure that the hardware for those computers is compatible with Windows 8.1. Confirming hardware compatibility enables a smoother installation process.

Windows Compatibility Center for Windows 8.1

The Windows Compatibility Center for Windows 8.1 website provides information about Windows 8.1 program and device compatibility. The website contains a catalog of programs and devices, and pertinent compatibility information, including:

- Device maker and model
- Links to more information about the device
- Compatibility status
- Available driver versions (32-bit or 64-bit)

The Windows Compatibility Center for Windows 8.1 website also enables community interaction, where users can provide feedback for devices to confirm compatibility.

Windows Compatibility Center
http://go.microsoft.com/fwlink/?LinkId=266551&clcid=0x409

Question: Can you use a device driver from a 64-bit version of Windows 8 with a 32-bit version of Windows 8.1?

Common Application Compatibility Issues


An application written for a specific operating system can cause problems for several reasons when you install it on a computer with a different operating system. Generally, applications and hardware that work on Windows 7 will continue to work on Windows 8.1. To troubleshoot and address any compatibility issues effectively, it is important to be aware of the general areas that typically cause the most issues.

Setup and Installation of Applications

During application setup and installation, an app might try to copy files and shortcuts to folders that existed in a previous Windows operating system, but no longer exist in Windows 8.1. This can prevent the app from installing properly or even installing at all.

UAC

User Account Control (UAC) adds security to the Windows operating system by controlling administrator-level access to a computer and by restricting most users to run as standard users. When users attempt to launch an app that requires administrative permissions, the system prompts them to confirm their consent to do so. UAC also limits the context in which a process executes to minimize the ability of users to inadvertently expose their computer to viruses or other malware. This change affects any application installer or update that requires administrator permissions to run, that performs unnecessary administrator checks or actions, or that attempts to write to a non-virtualized registry location. However, UAC might cause the following compatibility issues:

- Custom installers, uninstallers, and updaters might not be detected and elevated to run as administrator.

- Standard user apps that require administrative privileges to perform their tasks might fail or might not make this task available to standard users.

- Apps that attempt to perform tasks for which the current user does not have the necessary permissions might fail. How the failure manifests itself depends on how the app was written.

- Control Panel apps that perform administrative tasks and make global changes might not function properly and might fail.

- Dynamic-link library (DLL) apps that run by using RunDLL32.exe might not function properly if they perform global operations.

- Standard user apps writing to global locations will be redirected to per-user locations through virtualization.
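When one of the UAC issues above is suspected, the first questions are how UAC is configured on the machine, whether the session that ran the installer was actually elevated, and whether the app's "lost" writes were virtualized. The script below is an added example, not part of the course, that answers those questions. It reads the standard UAC policy values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and lists the per-user VirtualStore that file virtualization redirects into; the function names are illustrative.

```powershell
function Get-UacStatus {
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $policyKey

    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

    [pscustomobject]@{
        # EnableLUA = 1: UAC is on, administrators run with a filtered token until they elevate
        UacEnabled                    = ($p.EnableLUA -eq 1)
        # 0 = elevate silently, 1 = credentials on secure desktop, 2 = consent on secure desktop,
        # 3 = credentials, 4 = consent, 5 = consent only for non-Windows binaries (default)
        AdminPromptBehavior           = $p.ConsentPromptBehaviorAdmin
        # 0 = standard users are refused elevation, 1 = credentials on secure desktop, 3 = credentials
        UserPromptBehavior            = $p.ConsentPromptBehaviorUser
        # Heuristic that recognises setup/install/update executables and prompts for elevation;
        # custom installers that it misses are the first issue in the list above
        InstallerDetection            = ($p.EnableInstallerDetection -eq 1)
        # Redirects legacy writes under %ProgramFiles%, %SystemRoot% and HKLM\Software
        # to per-user locations (the last issue in the list above)
        FileAndRegistryVirtualization = ($p.EnableVirtualization -eq 1)
        # True only when this PowerShell process already holds a full administrator token
        ThisSessionElevated           = $principal.IsInRole($adminRole)
    }
}

# Files that UAC silently redirected for the current user. If an app "saves" its settings
# but another user or an elevated process cannot see them, this is where they went.
function Get-VirtualizedFiles {
    $store = Join-Path $env:LOCALAPPDATA 'VirtualStore'
    if (Test-Path $store) {
        Get-ChildItem -Path $store -Recurse -File |
            Select-Object FullName, Length, LastWriteTime
    }
}

# Registry writes are redirected the same way, under the user's hive
function Get-VirtualizedRegistryKeys {
    $store = 'HKCU:\Software\Classes\VirtualStore'
    if (Test-Path $store) {
        Get-ChildItem -Path $store -Recurse | Select-Object -ExpandProperty Name
    }
}

Get-UacStatus
Get-VirtualizedFiles        | Format-Table -AutoSize
Get-VirtualizedRegistryKeys
```

A typical finding is an app that reports success while writing its configuration under %ProgramFiles%, with the data actually landing in VirtualStore for one user only; the mitigation is to fix the app (or its shim) to write to a per-user location, not to turn virtualization or UAC off.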


WRP

Windows Resource Protection (WRP) protects Windows resources such as files, folders, and registry keys in a read-only state. This affects specific files, folders, and registry keys only. WRP limits updates to protected resources to the trusted operating system installers, such as Windows Servicing. This enables better protection for components and apps that ship with the operating system from the impact of other apps and administrators. However, WRP might cause the following compatibility issues:

- Application installers that attempt to replace, modify, or delete operating system files or registry keys that WRP protects might fail with an error message that indicates that the resource cannot be updated. This is because access to these resources is denied.

- Applications that attempt to write new registry keys or values to protected registry keys might fail with an error message that indicates that the change failed because access was denied.

- Applications that attempt to write to protected resources might fail if they rely on registry keys or values.

64-Bit Architecture

All Windows 8.1 editions are available as 32-bit and 64-bit versions. The 64-bit version of Windows 8.1 can run all 32-bit apps with the help of the Windows 32-bit on Windows 64-bit (WOW64) subsystem. Considerations for the 64-bit Windows 8.1 include:

- Apps or components that use 16-bit executable files, 16-bit installers, or 32-bit kernel drivers will fail to start or will function improperly on a 64-bit version of Windows 8.1.

- Installation of 32-bit kernel drivers will fail on the 64-bit system. If an installer manually adds a driver by editing the registry, the system will not load this driver, and this can cause a system failure.

- Installation of 64-bit unsigned drivers will fail on the 64-bit system. If an installer manually adds a driver by editing the registry, the system will not load the driver during load time if it is not signed.


WFP

Windows Filtering Platform (WFP) is an application programming interface (API) that enables developers to create code that interacts with the filtering that occurs at several layers in the networking stack and throughout the operating system. If you are using a previous version of this API in your environment, you might experience failures when running security-class apps, such as network scanning, antivirus programs, or firewall apps.

Operating System Version Changes

The operating system version number changes with each operating system release. For Windows 7, the internal version number is 6.1; for Windows 8, the internal version is 6.2; for Windows 8.1, the internal version is 6.3. The GetVersion function returns this value when it is queried by an app. This change affects any app or application installer that specifically checks for the operating system version, and this change might prevent the installation from occurring or the app from running.
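The failure described here is almost always an equality test written for one release. The script below is an added example, not from the course, that reads the internal version from the registry key Windows Setup writes (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion) and contrasts the brittle "is it exactly 6.1" check with the "is it at least 6.1" check an installer should use, run over constructed sample values for the three releases named above. The function names are illustrative. One further reason to test for a minimum: on Windows 8.1, an application that carries no compatibility manifest is told 6.2 by GetVersionEx rather than 6.3, so even an exact match on 6.3 is unreliable.

```powershell
# Version as recorded by Setup; CurrentVersion is "6.3" and CurrentBuildNumber "9600" on Windows 8.1
function Get-InternalWindowsVersion {
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [version]("{0}.{1}" -f $cv.CurrentVersion, $cv.CurrentBuildNumber)
}

# Brittle: written against Windows 7 and passes only when Major.Minor is exactly 6.1
function Test-VersionExactMatch {
    param([version]$Detected, [version]$Expected = [version]'6.1')
    ($Detected.Major -eq $Expected.Major) -and ($Detected.Minor -eq $Expected.Minor)
}

# Robust: require a minimum and let every newer release through
function Test-VersionAtLeast {
    param([version]$Detected, [version]$Minimum = [version]'6.1')
    $Detected -ge $Minimum
}

# Constructed sample values for the releases named in the text
$samples = [ordered]@{
    'Windows 7'   = [version]'6.1'
    'Windows 8'   = [version]'6.2'
    'Windows 8.1' = [version]'6.3'
}

foreach ($name in $samples.Keys) {
    $v = $samples[$name]
    "{0,-12} exact-6.1 check: {1,-5} at-least-6.1 check: {2}" -f $name, (Test-VersionExactMatch $v), (Test-VersionAtLeast $v)
}

# The same two checks against the machine this runs on
$here = Get-InternalWindowsVersion
"This computer ($here): exact-6.1 check {0}, at-least-6.1 check {1}" -f (Test-VersionExactMatch $here), (Test-VersionAtLeast $here)
```

The exact-match check is True only for the 6.1 sample and False for 6.2 and 6.3, which is exactly the "app refuses to install on the new release" symptom; the at-least check is True for all three. When the vendor cannot fix the check, the compatibility-mode layers discussed later in this module lie to the app about the version instead.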

Kernel-Mode Drivers

Kernel-mode drivers must support the Windows 8.1 operating system or be redesigned to follow the User-Mode Driver Framework (UMDF). UMDF is a device driver development platform that the Windows operating system uses.

Deprecated Components

Windows 8.1 does not include several deprecated APIs and DLLs that were available in the legacy Windows XP and Windows Vista operating systems. Windows 8.1 also uses the credential provider framework and service isolation, which were not available in legacy Windows operating systems. Apps that use deprecated APIs, DLLs, or old credential providers, or that do not support service isolation, will have compatibility issues on Windows 8.1. Some of these apps will have reduced functionality, and some might fail to start.

Understanding Application Compatibility
http://go.microsoft.com/fwlink/?LinkID=378172&clcid=0x409

Question: Can you run a program that was developed for Windows XP on Windows 8.1?

Methods for Mitigating Common Application Compatibility Issues


You can use the Application Compatibility Toolkit (ACT) to determine if your applications are compatible with Windows 8.1. ACT also helps you determine how an update to a new version will affect your applications. You can use ACT features to:

- Verify the compatibility of your application, device, and computer with a new version of the Windows operating system.
- Verify the compatibility of a Windows update.
- Become involved in the ACT community and share your risk assessment with other ACT users.

- Test your web applications and websites for compatibility with new releases and security updates to Internet Explorer.


Mitigating an application compatibility issue typically depends on various factors, such as the type of application and the current support for an application.

Mitigation Methods
Some of the more common mitigation methods include the following:

- Modifying the configuration of an existing application. Compatibility issues might require a modification to an application configuration, such as moving files to different folders, modifying registry entries, or changing file or folder permissions. You can use tools such as Compatibility Administrator to detect and create application fixes, called shims, to address compatibility issues. Contact software vendors for information about any additional compatibility solutions.

- Applying updates or service packs to an application. Updates or service packs might be available to address many compatibility issues, and they help an application to run on a new operating system environment. After applying an update or service pack, additional application tests can ensure that compatibility issues have been mitigated.

- Upgrading an application to a compatible version. If a newer, compatible version of an application exists, the best long-term mitigation is to upgrade to the newer version. By using this approach, you must consider both the cost of the upgrade and any potential problems that might arise with having two different versions of an application.

- Modifying the security configuration. If your compatibility issues appear to be permissions-related, a short-term solution is to modify the security configuration of an application. By using this approach, you must conduct a full risk analysis and gain consensus from your organization's security team regarding the modifications. For example, you can mitigate Internet Explorer Protected Mode by adding a site to the trusted site list.

- Running an application in a virtualized environment. If all other methods are unavailable, you might be able to run an application in an older version of the Windows operating system by using virtualization tools such as Client Hyper-V.

- Using application compatibility features. You can mitigate application issues, such as operating system versioning, by running an application in compatibility mode. You can access this mode by right-clicking the shortcut or .exe file, and then selecting compatibility mode from the Compatibility tab.

- Selecting another application that performs the same business function. If another compatible application is available, consider switching to it. When using this approach, you must consider both the cost of the application and the cost of employee support and training.

Download Windows Assessment and Deployment Toolkit (Windows ADK)
http://go.microsoft.com/fwlink/?LinkId=378203&clcid=0x409

Application Compatibility Toolkit (ACT) Technical Reference
http://go.microsoft.com/fwlink/?LinkId=378204&clcid=0x409
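The Compatibility tab stores its choice as a per-user registry value, so the same mitigation can be applied by a script on many desks instead of by clicking through the dialog on each. The following is an added example, not part of the course or of ACT, that sets, reads and removes a compatibility layer for an executable, and shows the one-launch alternative through the __COMPAT_LAYER environment variable. The registry location and the layer names (WIN7RTM, WINXPSP3, HIGHDPIAWARE, RUNASADMIN) are the ones Windows uses; the sample executable path is constructed for the example and the function names are illustrative.

```powershell
# Where the Compatibility tab records per-user settings; value name = full path, data = layer names
$LayersKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'

function Set-CompatibilityLayer {
    param(
        [Parameter(Mandatory)][string]$ExePath,
        # One or more layers: 'WIN7RTM' (report Windows 7, i.e. version 6.1), 'WINXPSP3',
        # 'HIGHDPIAWARE', 'RUNASADMIN' (always elevate, equivalent to the "Run this program
        # as an administrator" checkbox and therefore a security-configuration change)
        [Parameter(Mandatory)][string[]]$Layer
    )
    if (-not (Test-Path $LayersKey)) { New-Item -Path $LayersKey -Force | Out-Null }
    # Windows 8 and later write a leading "~ " before the layer list
    $value = '~ ' + ($Layer -join ' ')
    New-ItemProperty -Path $LayersKey -Name $ExePath -Value $value -PropertyType String -Force | Out-Null
    $value
}

function Get-CompatibilityLayer {
    param([Parameter(Mandatory)][string]$ExePath)
    $props = Get-ItemProperty -Path $LayersKey -ErrorAction SilentlyContinue
    if ($props) { $props.$ExePath }
}

function Remove-CompatibilityLayer {
    param([Parameter(Mandatory)][string]$ExePath)
    Remove-ItemProperty -Path $LayersKey -Name $ExePath -ErrorAction SilentlyContinue
}

# One-off alternative: __COMPAT_LAYER applies a layer to a single launch and its child
# processes without writing anything to the registry, which is handy while testing a fix
function Start-WithCompatibilityLayer {
    param([Parameter(Mandatory)][string]$ExePath, [string]$Layer = 'WIN7RTM')
    $env:__COMPAT_LAYER = $Layer
    try     { Start-Process -FilePath $ExePath }
    finally { Remove-Item -Path Env:\__COMPAT_LAYER -ErrorAction SilentlyContinue }
}

# Usage with a constructed path for a legacy line-of-business app
$app = 'C:\LegacyApps\Inventory\inventory.exe'
Set-CompatibilityLayer -ExePath $app -Layer 'WIN7RTM'      # returns "~ WIN7RTM"
Get-CompatibilityLayer -ExePath $app                       # same value read back
# Remove-CompatibilityLayer -ExePath $app                   # undo when the vendor ships a fix
```

Per-user layers follow the user, not the machine; for a fleet-wide fix the same layer belongs in a shim database built with Compatibility Administrator and installed with sdbinst, which the ACT reference linked above describes. RUNASADMIN in particular should go through the risk analysis the text requires for security-configuration changes, since it grants the app a full administrator token on every launch.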


Lesson 2

Installing Windows 8.1

Although you can perform a Windows 8.1 installation by using a number of different methods, the image-based nature of the installation process and the desired result, a properly functioning Windows 8.1 computer, remain consistent, regardless of the method. Determining which method to use and how to best implement that method are important parts of the planning process for a Windows 8.1 installation. This lesson will help you analyze the reasons behind using certain methods, and it will help you understand how you can implement those methods. Also, this lesson will introduce you to Windows To Go and native boot virtual hard disk methods.

Lesson Objectives
After completing this lesson, you will be able to:

- Explain the options for installing Windows 8.1.
- Describe the methods for performing a clean installation.
- Explain how to upgrade to Windows 8.1.
- Identify the supported Windows 8.1 upgrade paths.
- Explain how to migrate to Windows 8.1.
- Describe Windows To Go.
- Explain how to boot from a native boot virtual hard disk.

Options for Installing Windows 8.1


You can install Windows 8.1 in a number of different ways, including the following:

- Clean installation. A clean installation of Windows 8.1 occurs when the hard disk on which you are installing the Windows operating system contains no previous Windows installation, or when you erase the disk prior to installation. To perform a clean installation on a computer without an operating system, start the computer directly from the DVD. If the computer already has an operating system, run Setup.exe to start the installation. You can run Setup.exe from the following sources:
  o DVD
  o Network share
  o USB drive

  You also can use an image to perform a clean installation.

  Note: If you perform a clean installation on a hard disk partition that contains a Windows operating system, the existing Windows files are moved to a \Windows.old directory. This includes files in the Users and Program Files folders and the Windows directory.


- Upgrade installation. Perform an upgrade, which also is known as an in-place upgrade, when you want to replace an existing version of Windows with Windows 8.1, and you need to retain all user applications, files, and settings. To perform an in-place upgrade to Windows 8.1, run the Windows 8.1 Setup.exe installation program, and then click Upgrade. You can run Setup.exe from the product DVD or from a network share. During an in-place upgrade, the Windows 8.1 installation program automatically retains all user settings, data, hardware device settings, apps, and other configuration information. Always back up all of your important data before performing an upgrade.

- Migration. You perform a migration when you have a computer that is already running Windows 7, and you need to move files and settings from your old operating system (the source computer) to the Windows 8.1 computer (the destination computer). Perform a migration by doing the following:
  o Back up user settings and data
  o Perform a clean installation
  o Reinstall the apps
  o Restore user settings and data

There are two migration scenarios: side-by-side, and wipe-and-load, which also is called refresh. In side-by-side migration, the source computer and the destination computer are two different computers. In wipe-and-load migration, the target computer and the source computer are the same. To perform wipe-and-load migration, you perform a clean installation of Windows 8.1 on a computer that already has an operating system by running the Windows 8.1 installation program, and then clicking Custom (advanced).

You can perform an automated installation when you use any of the above installation methods in combination with an automation tool, such as MDT, to make the installation more seamless or to remove repetitive tasks from the installation process. Automated installations can take many forms, including pushing premade images to computers by using an enterprise-level tool, such as MDT, Windows DS, and Windows ADK, or even by creating an answer file manually to provide information directly to the installation process.

Question: What is the main difference between a clean installation of Windows 8.1 and migration to Windows 8.1?

Methods for Performing a Clean Installation


The most common form of deployment in medium-sized and large environments is a clean installation. Clean installations involve deploying an operating system to new hardware that has no existing operating system, or wiping an existing operating system and installing a new operating system. Compared to performing an upgrade, a clean installation has some benefits and drawbacks, which are outlined in the following table.


Clean installation
  Benefits:
  - Can be automated
  - Quickest form of deployment
  - Supported in all scenarios
  Drawbacks:
  - Existing applications are not retained
  - Must use a special procedure to retain user state data

Upgrade
  Benefits:
  - Existing data and applications are retained
  Drawbacks:
  - Difficult to automate
  - Only supported in certain scenarios

You can perform a clean deployment of the Windows 8.1 operating system by using the following methods:

- Install from DVD. To use this method, the computer you are installing on must have a connected optical drive. You can use the installation media provided with a retail copy of the operating system or a copy of the installation media that is obtained from the Microsoft volume licensing service and then written to optical media. You can use a customized image with optical media, but the size of the image is constrained by the maximum amount of data that can be stored on a DVD. This installation method also is slower than installing from a USB device.

- Install from USB. Retail versions of Windows 8.1 are available in this form. The drawback of this method is that one USB device can install the operating system only on one computer at a time. You can use customized images for this installation method. Installation from a USB device is quicker than an installation from a DVD, but it requires you to modify BIOS or UEFI settings on the target computer to allow boot from USB. You can perform an unattended installation if an unattended installation file is located on the USB device.

- Install from Windows DS. To use this method, you must deploy Windows DS and Dynamic Host Configuration Protocol on Windows-based servers on the LAN. Another requirement is that target computers must have a Pre-Boot Execution Environment (PXE) network card, or you must configure a boot device to allow network communication. You can use this installation method with an unattended installation file configured on a Windows DS server, with multiple operating system images, and to deploy Windows 8.1 to multiple computers at once by using multicast.

- Perform an image-based installation. You can use the Windows Preinstallation Environment (PE) to start a computer and then use Deployment Image Servicing and Management (DISM) to apply the Windows 8.1 image. You also can use deployment solutions such as MDT and Configuration Manager to automatically deploy Windows 8.1 and apps across networks. By using MDT and Configuration Manager, you can configure light-touch installation (LTI) and ZTI. During the deployment, LTI requires minimal user interaction, whereas ZTI requires no user interaction.

- Install from a shared network folder. This method involves starting the computer by using Windows PE and connecting to a copy of the installation files stored on a shared network folder. This method is no longer commonly used because other methods are more efficient, such as installation from USB devices, Windows DS, MDT, or Configuration Manager.
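The image-based method above, reduced to the commands that MDT and Configuration Manager run for you, is shown in the following added example; it is not from the course. From a Windows PE prompt it partitions the first disk for UEFI boot, applies one index from install.wim with DISM, and writes the boot files with BCDBoot. Assumptions: Windows PE was built with the PowerShell optional component (the same commands work unchanged from cmd.exe), the installation media is mounted as D:, disk 0 is the target and will be wiped, and index 1 is the edition wanted.

```powershell
$ImageFile = 'D:\sources\install.wim'   # assumed location of the installation media
$Index     = 1                          # confirm with the Get-ImageInfo output before continuing

# 1. Show which edition the index refers to; a wrong index means wiping a disk for the wrong image
& dism.exe /Get-ImageInfo /ImageFile:$ImageFile /Index:$Index
if ($LASTEXITCODE -ne 0) { throw "Image index $Index not found in $ImageFile" }

# 2. UEFI layout: EFI system partition (S:), reserved MSR partition, Windows partition (W:)
$diskpartScript = @"
select disk 0
clean
convert gpt
create partition efi size=100
format quick fs=fat32 label="System"
assign letter="S"
create partition msr size=128
create partition primary
format quick fs=ntfs label="Windows"
assign letter="W"
list volume
"@
$scriptPath = Join-Path $env:TEMP 'layout.txt'
Set-Content -Path $scriptPath -Value $diskpartScript -Encoding ASCII
& diskpart.exe /s $scriptPath
if ($LASTEXITCODE -ne 0) { throw "diskpart failed with exit code $LASTEXITCODE" }

# 3. Apply the image to the Windows partition
& dism.exe /Apply-Image /ImageFile:$ImageFile /Index:$Index /ApplyDir:W:\
if ($LASTEXITCODE -ne 0) { throw "DISM failed with exit code $LASTEXITCODE" }

# 4. Write the boot files to the EFI system partition so the firmware can start Windows
& bcdboot.exe W:\Windows /s S: /f UEFI
if ($LASTEXITCODE -ne 0) { throw "BCDBoot failed with exit code $LASTEXITCODE" }

# An answer file copied to W:\Windows\Panther\unattend.xml before the reboot drives the
# remaining setup phases without interaction; reboot with: wpeutil reboot
```

Because the applied image is byte-for-byte the reference image, the security baseline (Secure Boot requirement, BitLocker policy, local accounts) is whatever was captured; verify the image with the Get-ImageInfo step rather than trusting the file name, and keep the diskpart script under change control since it destroys whatever is on disk 0.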

The method that you use to perform a clean installation depends on your organization's business requirements. An organization performing a small number of Windows 8.1 deployments that do not require substantial customization should use either the installation from DVD or installation from USB method. An organization that performs a large number of Windows 8.1 deployments should consider using MDT or Configuration Manager.


Question: What happens with user settings, data, and installed apps if you perform a clean installation of Windows 8.1 on a computer that has Windows 7 installed?

Upgrading to Windows 8.1

When you perform an upgrade installation of Windows 8.1, it replaces the existing version of the Windows operating system, but it retains user settings and applications. When you use this method, you directly upgrade computers that run older versions of the Windows operating system to Windows 8.1. The Windows 8.1 installation program runs with minimal user interaction, and it automatically retains all user settings, data, hardware device settings, applications, and other configuration information. You also can specify additional settings by using unattended-setup answer files. All previously installed applications remain installed. You typically perform an upgrade when you do not want to reinstall all of your applications. Additionally, consider performing an upgrade when you:

- Are upgrading from a recent version of the Windows operating system that has compatible applications.
- Do not have the storage space to store your user state.
- Are not replacing existing computer hardware.
- Plan to upgrade the Windows operating system on a few computers only.

Evaluating an Upgrade Scenario

In any potential upgrade scenario, there might be certain variables that favor an upgrade. However, there also are disadvantages.

Advantages:
- Retains user settings, application settings, and files with no additional effort
- Preserves installed applications and typically does not require reinstallation of the applications
- Does not require additional storage space for migration files
- Impacts user productivity minimally and preserves user settings and data
- Provides a more simple setup process

Disadvantages:
- Does not take advantage of the opportunity to start fresh with standardized reference configurations
- Preserved applications might not work correctly after upgrading from an earlier version of the Windows operating system
- Remnant files or settings from an in-place upgrade might contribute to performance and security issues
- Does not allow Windows operating system edition changes
- Can be done only on supported operating systems


Data Retention in a Windows 8.1 Upgrade


When you run an upgrade, Windows Setup automatically detects existing operating systems and their potential for upgrade. Depending on the version of the operating system, you might see the following options for retaining data from the previous version of the Windows operating system:

- Windows settings. Windows settings, such as your desktop background or Internet favorites and history, will be kept. Windows Setup does not move all settings.

- Personal files. Anything that you save in the User folder is considered a personal file, such as the Documents and Desktop folders.

- Desktop apps. Some apps are compatible with Windows 8.1, and they will operate properly when you install Windows 8.1. However, you may have to install some desktop apps after Windows 8.1 finishes installing, so be sure to find the installation discs and installers for desktop apps that you want to keep.

- Nothing. Deletes everything and replaces your current version with a copy of Windows 8.1. Your personal files will be moved to a Windows.old folder.

Upgrade Considerations
The following considerations might be critical in determining whether you choose to upgrade:

- Amount of interaction. An upgrade does not require significant user interaction. You can use an answer file to further minimize user interaction and effort when performing an upgrade.

- State of user data. An upgrade does not require reinstallation of apps or any of the user settings, data, hardware device settings, or other configuration information. However, you might have to reinstall some apps after you perform an upgrade.

Note: You can perform an upgrade only if you run Setup.exe from the existing Windows installation. You cannot perform an upgrade if you start a computer from Windows installation media.

Question: Can you upgrade Windows 7 Pro to Windows 8.1 Pro if you start a computer from Windows 8.1 DVD installation media?

Supported Windows 8.1 Upgrade Paths


Performing an upgrade to Windows 8.1 can save time and enable you to retain user and computers settings from a previous version of the Windows operating system. However, the version of the Windows operating system from which you are upgrading will dictate what options are available for the upgrade process.

Windows 8.1 Upgrade Paths


The following table lists operating systems and upgrade path restrictions for upgrading to Windows 8.1.


Upgrading to Windows 8.1   Keep Windows settings,     Keep Windows settings and   Keep personal files only
                           personal files, and apps   personal files (data and    (data only)
                                                      system settings)
Windows XP SP3                                                                    Yes
Windows Vista SP2                                                                 Yes
Windows 7                                                                         Yes
Windows 8                  Yes                        Yes                         Yes
Windows 8.1                Yes                        Yes                         Yes

Note: You cannot preserve Windows settings and apps if you perform a cross-language installation of Windows 8.1.

Upgrade Paths for Windows Operating System Editions


You cannot upgrade previous versions of the Windows operating system that do not have the same features as the edition of Windows 8.1 that you are installing. The following table lists upgrade possibilities based on the editions of Windows 7 and Windows 8.1.

Windows 7 edition   Windows 8.1   Windows 8.1 Pro   Windows 8.1 Enterprise
Enterprise                                          Yes
Ultimate                          Yes
Professional                      Yes               Yes
Home Premium        Yes           Yes
Home Basic          Yes           Yes
Starter             Yes           Yes

Even though an upgrade path is supported, it does not necessarily mean that you should perform an upgrade installation by following that path. You should evaluate considerations for both upgrades and migrations.

Windows 8 and Windows 8.1 upgrade paths
http://go.microsoft.com/fwlink/?LinkId=378205&clcid=0x409

Question: Can you upgrade the 32-bit version of Windows 8 Pro to the 64-bit version of Windows 8.1 Pro?


Migrating to Windows 8.1

When you install Windows 8.1 by using a migration scenario, you first must perform a clean installation of Windows 8.1, followed by the migration of user settings and data from the older version of the Windows operating system to Windows 8.1. Depending on your business environment, you can use two migration scenarios: side-by-side migration and in-place migration. In a migration scenario known as a refresh computer scenario or in-place migration, the source computer and the destination computer are the same, whereas in a side-by-side migration scenario, the source computer and the destination computer are different. Both migration scenarios require a clean installation of Windows 8.1. When you migrate previous configurations from an old operating system, you are moving files and settings to a clean installation of a Windows 8.1 operating system.

Evaluating a Migration Scenario

In any potential upgrade scenario, there might be certain variables that favor a migration. However, there also are disadvantages.

Advantages:
- Offers the opportunity to clean up existing workstations and to create more stable and secure desktop environments. It takes advantage of the opportunity for a fresh start, which is a significant advantage when creating a managed environment.
- Avoids the performance degradation issues associated with an in-place upgrade scenario because there are no remnant files and settings.
- Allows for the installation of any edition without concern for what edition was running previously.
- Provides the opportunity to reconfigure hardware-level settings, such as disk partitioning, before installation.
- Prevents the migration of viruses, spyware, and other malicious software to the new installation of the Windows operating system. Security settings can be hardened by using Group Policy and security templates.

Disadvantages:
- Requires the use of migration tools, such as Windows Easy Transfer or the User State Migration Tool (USMT), to save and restore user settings and data.
- Requires the reinstallation of applications.
- Requires storage space for the user settings and files to be migrated.
- Might have an impact on user productivity because of the reconfiguration of applications and settings.

Steps for Performing a Migration


Typical steps in a migration scenario include:

1. Back up a computer's entire hard disk.
2. Save user settings and data for migration.
3. Perform a clean installation of Windows 8.1.
4. Reinstall applications.
5. Restore user settings and data.

Migration Scenarios

When planning a migration, you have to determine how you will move existing data to the newly deployed operating system. The method that you use depends on the tools and resources that you have available. In enterprise environments, you can use Configuration Manager to automate the migration process. Migration strategies also depend on whether users will be moving to new computers, or whether they will use existing computers with a new operating system. You can perform the following types of migration:

Side-by-side migration. In a side-by-side migration, data and settings are moved from the original operating system on one computer to the destination operating system on another computer. In most automated side-by-side migrations, migration data is transmitted across a network. You also can transfer migration data by using removable storage devices, although this is only practical when the migration is performed manually.

Wipe-and-load migration. In a wipe-and-load migration, migration data is captured and moved to a location off of the computer, usually a network shared folder. After this, the source operating system is wiped from the host. The destination operating system replaces the source operating system and the migration data is then restored from the safe location.

Operating system refresh. This migration type is similar to a wipe-and-load migration. However, in this type of migration, the source and destination operating systems are the same. You might perform this type of migration when upgrading to a new operating system service pack, or if the original operating system deployment suffers some type of corruption that makes a refresh operation more practical than an attempt to resolve the fault manually.

Choosing When to Perform a Migration


Perform a migration when you:

Want a standardized environment for all users who are running a Windows operating system. A migration takes advantage of a clean installation. A clean installation ensures that all of your systems begin with the same configuration and that all applications, files, and settings are reset. With a migration, you also can ensure that you retain user settings and data.

Have storage space to store the user state. Typically, you will need storage space to store the user state when performing migration. USMT introduces hard-link migration, in which case you do not need extra storage space. This is only applicable to wipe-and-load migrations.

Plan to keep existing computer hardware. If you do not plan to replace existing computers, you still can perform a migration by performing a wipe-and-load migration.

Windows 8.1 also includes built-in functions that allow a refresh of the operating system. These are called Reset your PC and Refresh your PC. PC refresh keeps all personal data and Windows Store apps, but you must reinstall other software. PC reset returns the operating system to its original state, removing any installed applications, settings, and user data. PC refresh and PC reset must be performed locally. If you wanted to perform an operating system refresh across multiple computers, you would automate the task with Configuration Manager.

Question: You have a user who wants to upgrade a Windows XP computer to Windows 8.1. The computer meets all of the hardware requirements for Windows 8.1. The user wants to retain all of the existing user settings and applications. The user has no time-related requirements and can be without the computer while you install Windows 8.1. How should you perform the Windows 8.1 installation?


2-20 Installing and Deploying Windows 8.1

What Is Windows To Go?

Windows To Go is a special deployment option that is available in the Windows 8.1 Enterprise edition. You can use Windows To Go to deploy the Windows 8.1 Enterprise edition to a specially prepared USB storage device. You then can use this USB storage device to start any compatible computer. When a Windows To Go device is started on a new computer, the boot process detects the computer's hardware and installs appropriate drivers. When the same Windows To Go device is used to start the same computer again, the appropriate drivers are loaded automatically and Windows To Go starts normally. Windows To Go can store the hardware configurations of multiple computers.

Windows To Go Restrictions

Windows To Go functions in a way that is very similar to a traditional Windows 8.1 desktop deployment, but with the following restrictions:

By default, sleep and hibernation are disabled in Windows To Go. Though it is possible to enable this functionality by configuring Group Policy, this can lead to data corruption.

Fixed internal disks on the host computer are offline. This is a security measure to ensure that third parties do not gain access to files on the host computer's file system by booting computers using Windows To Go.

BitLocker uses a boot password rather than a TPM password because the Windows To Go device will be used across multiple computers.

Windows Recovery Environment (RE) and push-button reset are disabled.

Only Windows 8.1 Enterprise edition is licensed to be installed on Windows To Go devices.

A USB storage device prepared with an x86 version of Windows To Go can be used with a computer with an x86 or an x64 processor.

A USB storage device prepared with an x64 version of Windows To Go only can be used with a computer that has an x64-compatible processor.

Windows RT devices cannot be used with Windows To Go.

The Windows Store is disabled by default in Windows To Go.

The USB storage device with the Windows To Go deployment can be removed from the computer for up to 60 seconds. If the USB device is not reconnected in that time, the computer will restart.

Windows To Go Requirements

Windows To Go only works with specific USB storage devices that are certified by Microsoft. One of the requirements for Windows To Go is that the operating system recognizes the USB device as a fixed disk. You create Windows To Go devices by using the Windows To Go Wizard. This wizard only is available on computers that are running the Enterprise edition of Windows 8.1. You can start a computer from a Windows To Go device if it is connected to a USB 2.0 or USB 3.0 port.


Comparing Windows To Go and Traditional Windows 8.1 Deployments

Windows To Go and traditional deployments differ in several ways, and both methods have their benefits and drawbacks. Some of the key differences are as follows:

To use Windows To Go, you must configure the computer to boot from a USB device. Enabling boot from USB poses a security risk because it can allow access to a computer's volumes if technologies such as BitLocker are not in use. Organizations should be wary of allowing non-administrative users to boot from USB devices.

In a traditional deployment, BitLocker can be configured to use TPM. Windows To Go does not have this security and only allows BitLocker to use a passphrase. The Windows To Go boot environment might be modified by malicious software.

On Windows To Go, the Windows Store is disabled by default. You can change this by editing the Allow Store to install apps on the Windows To Go workspaces policy setting, located in the Computer Configuration\Administrative Templates\Windows Components\Store node of the Group Policy Management Editor. Windows Store is enabled by default on a traditionally deployed computer running Windows 8.1.

Sleep and hibernation are disabled by default in Windows To Go and enabled on traditionally deployed Windows 8.1 systems. If a user accidentally leaves his or her Windows To Go device in a running computer, the computer will not shut down.

In a traditional installation, data is stored locally on hard disks. In Windows To Go, data is stored on a USB device. USB devices are more likely to fail, which means that local data is more likely to be lost. Users also are more likely to misplace a USB device than a portable computer.

Windows To Go allows users to take their apps and data with them. As long as they have compatible hardware, they can access their apps and data.

Windows To Go assists information technology (IT) departments that want to allow users to use their own devices, but also want to ensure that only securely managed operating systems can interact with sensitive services on a network.

Note: A computer must be compatible with Windows 8.1 if you want to use it with Windows To Go.

Windows To Go feature overview
http://go.microsoft.com/fwlink/?LinkId=378206&clcid=0x409

Question: When would you use Windows To Go in your company?


Booting from a Native Boot Virtual Hard Disk


You can configure Windows 8.1 Pro and Enterprise editions for native boot from a virtual hard disk, which can have a .vhd or .vhdx extension. You can configure a computer to start from a single virtual hard disk or from different virtual hard disks. Booting from a virtual hard disk is advantageous compared to configuring traditional dual boot because it is not necessary to create a new volume when deploying an additional operating system. You can configure a computer to boot between multiple virtual hard disk files stored on the same volume.

Planning for Virtual Hard Disk with Native Boot

Configuring a virtual hard disk with native boot includes creating and preparing the virtual hard disk, installing or applying the Windows image, adding the virtual hard disk native boot option to the startup menu, and restarting the computer. You can create a virtual hard disk by using Disk Management or Diskpart.exe. Deploy Windows images by using Dism.exe, and add the boot option by using Bcdboot.exe. Some of the main points to consider when planning for virtual hard disk with native boot are volume size, deployment options, and operating systems that can be used for native boot.

Volume size

You must configure a virtual hard disk to have a smaller maximum size than the volume that hosts the virtual hard disk. For example, if you have a 200 GB volume and a virtual hard disk that represents a 500 GB volume, the computer will be unable to boot, even if the virtual hard disk only consumes 100 GB of the possible 500 GB. Multiple virtual hard disk files can reside on the same volume, although it is necessary to keep volume size restrictions in mind when placing more than one virtual hard disk on a volume. For example, you can create a 15 GB virtual hard disk, create a simple volume, and format it by running the following commands:
diskpart
create vdisk file=C:\windows81.vhdx maximum=15000 type=fixed
select vdisk file=C:\windows81.vhdx
attach vdisk
create partition primary
assign letter=F
format quick
exit

Deployment options

You can deploy a virtual hard disk to a new computer in a preconfigured state, with apps already installed and operating system settings already configured. You can copy a prepared virtual hard disk file to a new computer and then configure the computer to boot from that virtual hard disk. You also can configure Windows DS to deploy virtual hard disks as operating system images, just as you can configure Windows DS to deploy operating system images in .wim file format. You can apply the first image from the Install.wim file by running the following command:
Dism /Apply-Image /ImageFile:Install.wim /Index:1 /ApplyDir:F:\


Operating system

Computers that run Windows 8.1 Pro and Enterprise editions can use native boot from virtual hard disk. After an image is applied to a virtual hard disk, you can add the native boot from virtual hard disk option by running the following commands:
cd F:\Windows\System32
bcdboot F:\Windows

After you run these commands, the option for native boot is added to the startup menu, and you can select it after you restart the computer.

Deploy Windows on a virtual hard disk with native boot
http://go.microsoft.com/fwlink/?LinkId=378207&clcid=0x409

Question: Do you need to enable the Client Hyper-V feature if you want to use native boot from a virtual hard disk that contains Windows 8.1 Pro?
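The whole native-boot procedure (create the virtual hard disk, apply the image, add the boot entry) as one script, added here as an example; it is not code from the course. It assumes an elevated Windows PowerShell session on Windows 8.1 Pro or Enterprise with the DISM module, Windows 8.1 media mounted as D:, and the same file name, size and drive letter that the lesson uses. Before it touches the disk it enforces the volume-size restriction described above: a fixed virtual hard disk whose maximum size is not smaller than the hosting volume leaves the computer unable to boot.

```powershell
# Added example (not course code): native-boot VHDX with a size check, image apply
# and boot entry. Run elevated on Windows 8.1 Pro/Enterprise.
# Paths, sizes and drive letters below are assumptions; adjust them for your environment.
param(
    [string]$VhdPath   = 'C:\windows81.vhdx',       # same file name as the lesson
    [int]   $MaximumMB = 15000,                     # same size as the lesson
    [string]$WimPath   = 'D:\sources\install.wim',  # assumption: mounted Windows 8.1 media
    [int]   $Index     = 1,
    [string]$Letter    = 'F'                        # drive letter for the VHD volume
)
$ErrorActionPreference = 'Stop'

# 1. The VHD's maximum size must be smaller than the volume that hosts it, and a fixed
#    VHD allocates its full size immediately, so that much free space must exist as well.
$hostDrive = (Split-Path -Qualifier $VhdPath).TrimEnd(':')
$hostVol   = Get-Volume -DriveLetter $hostDrive
$maxBytes  = [int64]$MaximumMB * 1MB
if ($maxBytes -ge $hostVol.Size) {
    throw "VHD maximum ($MaximumMB MB) is not smaller than volume ${hostDrive}: ($([int64]($hostVol.Size / 1MB)) MB); the computer would not boot."
}
if ($maxBytes -ge $hostVol.SizeRemaining) {
    throw "Not enough free space on ${hostDrive}: for a fixed VHD of $MaximumMB MB."
}
if (Test-Path "${Letter}:\") { throw "Drive letter $Letter is already in use." }

# 2. Create, attach, partition and format the VHD with a diskpart script
#    (the same commands the lesson shows, fed to diskpart /s).
$diskpartScript = @"
create vdisk file=$VhdPath maximum=$MaximumMB type=fixed
select vdisk file=$VhdPath
attach vdisk
create partition primary
assign letter=$Letter
format quick
exit
"@
$scriptPath = Join-Path $env:TEMP 'nativeboot-diskpart.txt'
Set-Content -Path $scriptPath -Value $diskpartScript -Encoding ASCII
& diskpart.exe /s $scriptPath
if ($LASTEXITCODE -ne 0) { throw "diskpart failed with exit code $LASTEXITCODE" }

# 3. Apply the selected image (DISM module equivalent of Dism /Apply-Image).
#    -CheckIntegrity verifies the image against its integrity table where one exists.
Get-WindowsImage -ImagePath $WimPath -Index $Index | Format-List ImageName, Architecture, EditionId
Expand-WindowsImage -ImagePath $WimPath -Index $Index -ApplyPath "${Letter}:\" -CheckIntegrity | Out-Null

# 4. Add the native-boot entry. bcdboot copies the boot files to the system partition
#    and creates a BCD entry that points at the attached VHD.
& bcdboot.exe "${Letter}:\Windows"
if ($LASTEXITCODE -ne 0) { throw "bcdboot failed with exit code $LASTEXITCODE" }

# 5. List the boot entries so the new one can be reviewed before restarting.
& bcdedit.exe /enum
```

Review the bcdedit output before restarting: the new entry's device and osdevice fields should name the .vhdx file, and the original Windows entry should still be present so the computer can be started normally if the virtual hard disk fails to boot.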


Lab A: Installing Windows 8.1


Scenario

A. Datum Corporation is considering the use of Windows 8.1 as its client operating system. You have been provided with a testing environment and asked to install Windows 8.1 to evaluate the new environment. For the initial installation on a single computer, you will use default Windows 8.1 DVD media.

Objectives
After completing this lab, you will be able to:

Plan to install Windows 8.1.

Perform a clean installation of Windows 8.1.

Lab Setup
Estimated Time: 40 minutes
Virtual machine: 20687C-LON-REF1
User name: Adatum\Administrator
Password: Pa$$w0rd

Only LON-REF1 is used for this lab. You do not need to sign in to any virtual machine to perform this lab.

Exercise 1: Planning to Install Windows 8.1


Scenario
Prior to installing Windows 8.1, establish an installation plan by reading the request.

A. Datum Wireless Network Requirements

Document reference: HD-02-05-13
Document author: Holly Dickson
Date: Dec 2, 2013

Requirements Overview

A. Datum Corporation wants to create a test environment for a new app that was developed internally. Ideally, we would like to be able to test the app on several different operating systems, but we have been provided with only one system. We have been told that Windows 8.1 supports the same virtualization as the servers in our production environment with Hyper-V, so maybe we could do it that way? We also need to be able to create Windows To Go UFD media. The computer that we have been given has a quad-core, 2 gigahertz (GHz) processor and 4 gigabytes (GB) of RAM. The processor supports Intel VT. It also has a 320 GB hard drive and a 512-megabyte (MB) graphics processing unit (GPU). The computer should be prepared for the Development team as soon as possible.

The main tasks for this exercise are as follows:

1. Determine whether the customer's computers meet the minimum requirements for Windows 8.1.
2. Select the appropriate Windows operating system edition to install on LON-REF1.


Task 1: Determine whether the customer's computers meet the minimum requirements for Windows 8.1

Answer the following questions:

1. Does the customer's computer meet the minimum system requirements for Windows 8.1 in the following areas:
   a. Processor
   b. RAM
   c. Hard-disk space
   d. GPU

2. Does the customer's computer meet the requirements for the following features:
   Client Hyper-V

Task 2: Select the appropriate Windows operating system edition to install on LON-REF1

Given the hardware that you are using and the features that you require, which edition and version of Windows 8.1 should you install on LON-REF1?

Results: After completing this exercise, you should have evaluated the installation environment, and then selected the appropriate Windows operating system edition to install.

Exercise 2: Performing a Clean Installation of Windows 8.1


Scenario

You have confirmed that LON-REF1 meets the installation requirements for Windows 8.1. Your next step is to install the Windows 8.1 operating system on LON-REF1 and to confirm the success of the installation.

The main tasks for this exercise are as follows:

1. Attach the Windows 8.1 DVD image file to LON-REF1.
2. Install Windows 8.1 on LON-REF1.
3. Confirm the successful installation of Windows 8.1 on LON-REF1.

Task 1: Attach the Windows 8.1 DVD image file to LON-REF1


1. Open the Hyper-V Manager console on the host computer, and then open the Settings page for 20687C-LON-REF1.
2. On the Settings page, click DVD Drive, and then attach the image file located at D:\Program Files\Microsoft Learning\20687\Drives\Win81Ent_Eval.iso.

Task 2: Install Windows 8.1 on LON-REF1


1. Start the 20687C-LON-REF1 virtual machine.
2. When the Windows Setup screen appears, select the appropriate regional settings, and then click Next.
3. Perform the installation of Windows 8.1 by using the following information:
   o Installation type: Custom
   o Location: Drive 0
   o PC name: LON-REF1
   o Settings: Express settings
   o Account: Local account
   o User name: User
   o Password: Pa$$w0rd

Task 3: Confirm the successful installation of Windows 8.1 on LON-REF1


1. Confirm that the Windows 8.1 Start screen appears.
2. Open System properties, and verify that:
   o Windows 8.1 Enterprise Evaluation is installed
   o The computer name is LON-REF1
   o The computer is a member of a workgroup
3. Sign out.

Results: After completing this exercise, you should have performed a clean installation of Windows 8.1.

To prepare for the next lab


When you are finished with the lab, revert all virtual machines back to their initial state:

1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687C-LON-REF1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.


Lesson 3

Customizing and Preparing a Windows 8.1 Image for Deployment

The Windows 8.1 installation process is designed to be as fast and efficient as possible. However, installing Windows 8.1 on multiple computers can be a time-consuming process if you do it manually on each computer. To expedite Windows 8.1 installation on multiple computers, or to standardize the Windows 8.1 installation process, Windows 8.1 deployment can be customized and automated. This lesson will introduce you to the various tools and technologies that you can use to manage and automate installation of Windows 8.1.

Lesson Objectives
After completing this lesson, you will be able to:

Describe the Windows image file format.

Describe tools for performing an image-based installation.

Explain the image-based installation process.

Describe how to use answer files to automate an installation process.

Build an answer file by using Windows System Image Manager (SIM).

Explain how to prepare a reference installation by using the System Preparation Tool (Sysprep).

Describe Windows PE.

Create bootable Windows PE media.

Explain how to use DISM to capture and apply an installation image.

Explain how to modify and maintain Windows images.

The Windows Image File Format


The Windows Image File Format is a public, file-based disk image format that was developed by Microsoft. Windows image files are compressed packages that can contain several related files. All Windows 8.1 installations use the .wim file format. When installing Windows 8.1, you apply an image to the hard disk. This process occurs at a file level instead of at a hard-disk sector level.

Windows Image File Structure


A Windows image file structure contains up to six types of resources:

Header. Defines the Windows image file content, such as memory, location of key resources (metadata resource, lookup table, and XML data), and Windows image file attributes (version, size, and compression type).

File Resource. A series of packages that contain captured data, such as source files.

Metadata Resource. Stores information on how captured data is organized in the Windows image file, including directory structure and file attributes. There is one metadata resource for each image in a Windows image file.

Lookup Table. Contains the memory location of resource files in the Windows image file.

XML Data. Contains additional miscellaneous data about the Windows image, such as directory and file counts, total bytes, creation and modification times, and description information.

Integrity Table. Contains security hash information that is used to verify the integrity of the image during an apply operation. This is created when you set the /check switch during a capture operation.
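To make the header layout concrete, here is an added example (not course code) that reads the fixed 208-byte header of a Windows image file and reports where the lookup table, XML data, boot metadata and integrity table live, together with the version, compression type and image count. The field layout follows the published WIM format; the sample header in New-SampleWimHeader is constructed for this example, not captured from a real .wim. Whether the integrity resource has a nonzero size tells you whether an apply with integrity checking can actually verify the image, which is the point a defender usually wants to know before trusting an image from a share.

```powershell
# Added example (not course code): parse a WIM header. Layout per the published WIM format:
# 8-byte tag, cbSize, dwVersion, dwFlags, chunk size, GUID, part/total, image count,
# then resource headers (24 bytes each) for lookup table, XML data and boot metadata,
# the boot index, and the integrity table resource header.
function Read-WimResourceHeader {
    param([Parameter(Mandatory)][System.IO.BinaryReader]$Reader)
    # RESHDR_DISK_SHORT: 7-byte size in file, 1 flags byte, int64 offset, int64 original size
    $sizeBytes = $Reader.ReadBytes(7)
    [int64]$size = 0
    for ($i = 6; $i -ge 0; $i--) { $size = ($size -shl 8) -bor $sizeBytes[$i] }
    [pscustomobject]@{
        SizeInWim    = $size
        Flags        = $Reader.ReadByte()       # 0x2 = resource is compressed
        Offset       = $Reader.ReadInt64()
        OriginalSize = $Reader.ReadInt64()
    }
}

function Read-WimHeader {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    if ($Bytes.Length -lt 0xD0) { throw "Need at least 208 bytes for a WIM header, got $($Bytes.Length)" }
    $stream = New-Object System.IO.MemoryStream -ArgumentList (,$Bytes)
    $r      = New-Object System.IO.BinaryReader -ArgumentList $stream
    $tag = [System.Text.Encoding]::ASCII.GetString($r.ReadBytes(8)).TrimEnd([char]0)
    if ($tag -ne 'MSWIM') { throw "Not a WIM file: tag is '$tag'" }
    $h = [ordered]@{ ImageTag = $tag }
    $h.HeaderSize  = $r.ReadUInt32()
    $h.Version     = '0x{0:X}' -f $r.ReadUInt32()     # 0x10D00 for current WIM files
    $flags         = $r.ReadUInt32()
    $h.Flags       = '0x{0:X}' -f $flags
    $h.Compression = 'none'
    if ($flags -band 0x20000) { $h.Compression = 'XPRESS' }
    if ($flags -band 0x40000) { $h.Compression = 'LZX' }
    if ($flags -band 0x80000) { $h.Compression = 'LZMS' }
    $h.ChunkSize   = $r.ReadUInt32()
    $h.Guid        = New-Object System.Guid -ArgumentList (,$r.ReadBytes(16))
    $h.PartNumber  = $r.ReadUInt16()
    $h.TotalParts  = $r.ReadUInt16()
    $h.ImageCount  = $r.ReadUInt32()
    $h.LookupTable  = Read-WimResourceHeader $r   # where the file resources are listed
    $h.XmlData      = Read-WimResourceHeader $r   # counts, sizes, names and descriptions
    $h.BootMetadata = Read-WimResourceHeader $r   # metadata resource of the bootable image
    $h.BootIndex    = $r.ReadUInt32()             # 0 = no image is marked bootable
    $h.Integrity    = Read-WimResourceHeader $r   # only present if captured with integrity checking
    $h.HasIntegrityTable = ($h.Integrity.SizeInWim -gt 0)
    $r.Close()
    [pscustomobject]$h
}

function Read-WimHeaderFromFile([string]$Path) {
    # Reads only the first 208 bytes, so it is cheap even on a multi-gigabyte install.wim.
    $fs = [System.IO.File]::OpenRead($Path)
    try { $buf = New-Object byte[] 0xD0; [void]$fs.Read($buf, 0, $buf.Length); Read-WimHeader -Bytes $buf }
    finally { $fs.Close() }
}

function Set-SampleResource([byte[]]$b, [int]$at, [int64]$Size, [int64]$Offset, [int64]$Original, [byte]$Flags = 0) {
    [Array]::Copy([BitConverter]::GetBytes($Size), 0, $b, $at, 7)
    $b[$at + 7] = $Flags
    [BitConverter]::GetBytes($Offset).CopyTo($b, $at + 8)
    [BitConverter]::GetBytes($Original).CopyTo($b, $at + 16)
}

function New-SampleWimHeader {
    # Constructed header: two images, LZX compression, image 1 bootable, integrity table present.
    $b = New-Object byte[] 0xD0
    [System.Text.Encoding]::ASCII.GetBytes('MSWIM').CopyTo($b, 0)
    [BitConverter]::GetBytes([uint32]0xD0).CopyTo($b, 8)
    [BitConverter]::GetBytes([uint32]0x10D00).CopyTo($b, 12)
    [BitConverter]::GetBytes([uint32](0x2 -bor 0x40000)).CopyTo($b, 16)   # compressed, LZX
    [BitConverter]::GetBytes([uint32]32768).CopyTo($b, 20)
    [Guid]::NewGuid().ToByteArray().CopyTo($b, 24)
    [BitConverter]::GetBytes([uint16]1).CopyTo($b, 40)
    [BitConverter]::GetBytes([uint16]1).CopyTo($b, 42)
    [BitConverter]::GetBytes([uint32]2).CopyTo($b, 44)
    Set-SampleResource $b 48  -Size 1200 -Offset 500000 -Original 1200
    Set-SampleResource $b 72  -Size 900  -Offset 501200 -Original 3100
    Set-SampleResource $b 96  -Size 4096 -Offset 400000 -Original 9000 -Flags 0x2
    [BitConverter]::GetBytes([uint32]1).CopyTo($b, 120)
    Set-SampleResource $b 124 -Size 256  -Offset 502100 -Original 256
    return ,$b
}

Read-WimHeader -Bytes (New-SampleWimHeader) | Format-List
# Real file (assumption: Windows 8.1 media mounted as D:):
# Read-WimHeaderFromFile 'D:\sources\install.wim' | Format-List
```

On the constructed header the output shows Compression LZX, ImageCount 2, BootIndex 1 and HasIntegrityTable True. Against a real install.wim captured without integrity checking, HasIntegrityTable is False; in that case Dism /Apply-Image with /CheckIntegrity has nothing to verify, and a separate hash of the file is the only way to detect a modified image.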

Benefits of the .wim File Format

The .wim file format addresses many challenges that can be experienced with other imaging formats. The benefits of the .wim file format include the following:

A single .wim file can address many hardware configurations. The .wim file format does not require the destination hardware to match the source hardware. This helps you reduce the number of images tremendously, and you have the advantage of only having one image to address the many hardware configurations.

A Windows image file can store multiple images in a single file. This is useful because you can store images with or without core apps in a single image file. Another benefit is that you can mark one of the images as bootable, which allows you to start a machine from a disk image that a .wim file contains.

The .wim file format enables compression and single instancing. This reduces the size of image files significantly. Single instancing is a technique that enables multiple images to share a single copy of files that are common between the instances.

The .wim file format enables you to service an image offline. You can add or remove certain operating system elements, files, updates, and drivers without creating a new image. For example, to add an update to a Windows XP image, you must deploy and start the master image, install the update, and then generalize and capture the image again. With Windows 8.1, you can mount an image file and then perform an integrated installation of the update (also known as a slipstreamed installation) into the image file without needing to deploy or recapture the master image.

The .wim file format enables you to install an image on a partition that is smaller, equal to, or larger than the original partition that was captured, as long as the target partition has sufficient space to store the image content. This is different from sector-based image formats that require you to deploy a disk image to a partition that is the same size or larger than the source disk. Windows 8.1 includes the DISM tool, Dism.exe, which you can use for capturing, managing, and deploying Windows image files. It also includes the DISM Windows PowerShell module with cmdlets for managing Windows image files. Developers can use an API for the .wim file format, called WIMGAPI, to work with Windows image files.

The .wim file format allows for nondestructive image deployment. Nondestructive image deployment means that you can leave data on the volume where you apply the image because, when the image is applied, it does not delete the disk's existing contents.

The .wim file format enables you to start Windows PE from a Windows image file. The Windows 8.1 setup process uses Windows PE. The Windows image file is loaded into a RAM disk and is run directly from memory.

Windows image file format
http://go.microsoft.com/fwlink/?LinkId=378208&clcid=0x409


Windows image file format white paper
http://go.microsoft.com/fwlink/?LinkId=92227&clcid=0x409

Question: Why is the size of a single Windows image file that contains images of Windows 8.1 and Windows 8.1 Pro considerably smaller than the combined size of two Windows image files, where one contains a Windows 8.1 image and the other contains a Windows 8.1 Pro image?

Tools for Performing an Image-Based Installation


You can use several tools and technologies to perform an image-based installation of Windows 8.1. The following list describes these tools and where to use them in deployment situations:

Windows Setup (Setup.exe). This is the program that installs the Windows operating system or upgrades previous versions of the Windows operating system. Windows Setup supports both interactive installations and unattended installations.

Answer file. This is an XML file that stores the answers for a series of GUI dialog boxes. The answer file for Windows Setup commonly is called Unattend.xml. You can create and modify this answer file by using Windows SIM. The Oobe.xml answer file is used to customize Windows Welcome, which starts after Windows Setup and during the first system startup.

Catalog. This binary file (.clg) contains the state of the settings and packages in a Windows image. The catalog file is not required for a Windows operating system deployment, and it is not included on the Windows 8.1 DVD media. The catalog file is required if you want to create an answer file by using Windows SIM, and it can be created by using this tool.

Windows ADK. Windows ADK is a collection of tools and documentation that you can use to automate the deployment of Windows operating systems and to assess deployed systems. Windows ADK tools are used in most Windows deployment scenarios and include the following:

   o Windows SIM. You can use this tool to create unattended installation answer files and distribution shares, or to modify the files that a configuration set contains.

   o Windows PE. This is a minimal 32-bit or 64-bit operating system with limited services, which is built on the Windows 8.1 kernel. You can use Windows PE for capturing Windows images, installing or deploying Windows, and for troubleshooting the deployment. Windows PE provides read and write access to Windows file systems and supports a range of hardware drivers, including network connectivity, which makes it useful for system recovery. You can run Windows PE from a CD or DVD, USB flash drive (UFD), or on a network by using PXE. Windows ADK includes several tools that you can use to build and configure Windows PE.

   o USMT. You can use this tool to migrate user settings and data files from a previous Windows operating system to Windows 8.1.

   o DISM. You can use this tool to service and manage Windows images, and also to apply updates, drivers, and language packs to a Windows image, offline or online.

Sysprep. Sysprep prepares a Windows image for disk imaging, system testing, or delivery to a customer. You can use Sysprep to remove any system-specific data from a Windows image, such as the security identifier (SID). After removing unique system information from an image, you can capture that Windows image and then use it for deployment on multiple computers. You also can use Sysprep to configure a Windows operating system to start the out-of-box experience (OOBE) the next time you start the system. Sysprep is available in all Windows operating systems since Windows Vista.

DiskPart. This is a command-line tool for hard disk configuration.

Windows DS. Windows DS is a server-based deployment solution that enables an administrator to set up new client computers over a network without having to visit each client. Windows DS is a server role that you can configure for Windows Server 2012 or Windows Server 2012 R2.

Virtual hard disk. The Microsoft .vhd file format and the new .vhdx file format are publicly available format specifications that specify a virtual hard disk encapsulated in a single file, which is capable of hosting native file systems and supporting standard disk operations. You can deploy Windows 8.1 to .vhd or .vhdx files and start a computer from such files.

Deployment walkthroughs
http://go.microsoft.com/fwlink/?LinkId=378209&clcid=0x409

Question: Can you set up Windows DS on a Windows 8.1 computer?

The Image-Based Installation Process


Windows Setup for Windows 8.1 uses an Install.wim file to deploy the default Windows 8.1 installation. You can use the same .wim file or create and deploy a custom Windows 8.1 installation image. The image-based installation process consists of the following high-level steps:

1. Build an answer file. By default, a Windows 8.1 installation requires some user interaction. For example, you might have to enter a product key, select an installation type, and specify where you want to install the Windows operating system. You can use an answer file to configure all of these and many more Windows settings that are applied during installation. For example, you can configure how to partition and format a hard drive, networking configuration, computer name, whether the computer should be joined to the domain, and other customizations. Additionally, an answer file can contain all of the settings required for an unattended installation, in which case you will not be prompted during an installation. You can use Windows SIM to create an answer file, although the answer file is an XML document that you can create and customize by using any text editor.

2. Build a reference installation. A reference computer has a customized installation of Windows 8.1 that you plan to duplicate on one or more destination computers. You can create a reference installation by using Windows 8.1 installation media and an answer file. After the installation, you can perform additional customizations. For example, you can install apps that are required on all destination computers. After you configure a reference installation, you must generalize it by using Sysprep.

3. Create bootable Windows PE media. You can create a Windows PE environment by using the CopyPE.cmd script, customizing it, and writing it to bootable media such as Universal Disk Format, CD, or DVD by using the MakeWinPEMedia.cmd script. Windows PE enables you to start a computer for purposes of deployment and recovery. Windows PE starts a computer directly from memory, enabling you to remove the Windows PE media after the computer starts. After you start a computer in Windows PE, you can use the DISM tool to capture, modify, and apply file-based disk images.

4. Capture an installation image. You can capture an image of your reference computer by using Windows PE and the DISM tool. You can store the image that you capture locally on removable media or on a network share.

5. Modify an installation image. Optionally, you can use DISM or the Windows PowerShell command-line interface to modify Windows images when required. If additional drivers or Windows features are required, or if image configuration requirements change, you can use DISM to modify an image offline by mounting it to an empty folder and injecting drivers and updates or by modifying the operating system settings. You can modify the .wim file without having to deploy the Windows 8.1 image first.

6. Deploy an installation image. After you have an image of your reference installation, you can deploy the image to destination computers. You can use the DiskPart tool to format the hard drive and copy the image from the network share. Use DISM to apply the image to the destination computer. For high-volume deployments, you can store an image of the new installation to your distribution share and deploy the image to destination computers by using deployment tools such as Windows DS, MDT, or Configuration Manager.

Question: Can you create a customized Windows 8.1 installation image only by using tools that are included in Windows 8.1?
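Steps 4 to 6 of this process, written with the DISM Windows PowerShell module mentioned earlier in the lesson, as an added example rather than course code. Capture and apply run from Windows PE; the offline driver servicing runs on an elevated Windows 8.1 technician computer with the Windows ADK installed. The distribution share (N:), the driver folder, the mount folder, the destination partition letter (W:) and the SHA-256 hash file kept beside the image are all assumptions of this example; the hash check goes slightly beyond the lesson and guards against an image that was altered on the share or in transit.

```powershell
# Added example (not course code): capture, service offline, and apply a Windows image.
# Share, folders, drive letters and the hash file are assumptions for this example.
$ErrorActionPreference = 'Stop'
$ImagePath  = 'N:\Images\reference.wim'   # assumption: distribution share mapped as N:
$HashPath   = "$ImagePath.sha256"         # assumption: hash recorded beside the image
$DriverRoot = 'N:\Drivers\Win81-x64'      # assumption: tree of signed .inf driver packages
$MountDir   = 'C:\Mount'                  # empty folder on the technician computer

# Step 4 (Windows PE, C: = the Sysprep-generalized reference volume): capture the image.
# -CheckIntegrity writes the integrity table; -Verify re-reads captured files against the source.
function Export-ReferenceImage {
    New-WindowsImage -CapturePath 'C:\' -ImagePath $ImagePath -Name 'Windows 8.1 Enterprise reference' `
        -Description 'Generalized reference installation' -CheckIntegrity -Verify | Out-Null
    (Get-FileHash -Path $ImagePath -Algorithm SHA256).Hash | Set-Content -Path $HashPath
}

# Step 5 (technician computer): add drivers to the image offline; nothing is deployed.
function Update-ImageDrivers {
    New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
    Mount-WindowsImage -ImagePath $ImagePath -Index 1 -Path $MountDir -CheckIntegrity | Out-Null
    $committed = $false
    try {
        # Add-WindowsDriver rejects unsigned packages unless -ForceUnsigned is given; leave it off
        # so only signed drivers enter the image.
        Add-WindowsDriver -Path $MountDir -Driver $DriverRoot -Recurse | Out-Null
        # Record the third-party drivers now in the image for the change log.
        Get-WindowsDriver -Path $MountDir | Select-Object Driver, ProviderName, ClassName, Version
        $committed = $true
    } finally {
        # Save only if every driver was added; otherwise discard so a half-serviced image is never kept.
        if ($committed) { Dismount-WindowsImage -Path $MountDir -Save -CheckIntegrity | Out-Null }
        else            { Dismount-WindowsImage -Path $MountDir -Discard | Out-Null }
    }
    # The image changed, so record its new hash for the deployment check.
    (Get-FileHash -Path $ImagePath -Algorithm SHA256).Hash | Set-Content -Path $HashPath
}

# Step 6 (Windows PE, after DiskPart created and formatted the Windows partition as W:):
# verify the image, apply it, and write the boot files.
function Install-ReferenceImage {
    $expected = (Get-Content -Path $HashPath).Trim()
    $actual   = (Get-FileHash -Path $ImagePath -Algorithm SHA256).Hash
    if ($actual -ne $expected) { throw "Hash of $ImagePath does not match the recorded value; not deploying." }
    Expand-WindowsImage -ImagePath $ImagePath -Index 1 -ApplyPath 'W:\' -CheckIntegrity | Out-Null
    & bcdboot.exe 'W:\Windows'
    if ($LASTEXITCODE -ne 0) { throw "bcdboot failed with exit code $LASTEXITCODE" }
}

# Typical order: Export-ReferenceImage on the reference computer, Update-ImageDrivers on the
# technician computer, Install-ReferenceImage on each destination computer.
```

The hash comparison only means something if the recorded value cannot be rewritten by whoever can write to the share; keep a copy of it with the deployment records, or in a location that the share's writers cannot change, rather than relying on the file beside the image alone. Windows PE needs the PowerShell and DISM cmdlet optional components added for the capture and apply functions to run there.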

Using Answer Files to Automate an Installation Process


An answer file is an XML file that contains information that is passed to the Windows Setup process. For example, an answer file can contain information on how to partition disks, the location of the Windows image to install, and the product key to apply. It also can contain values that apply to the Windows installation, such as the names of user accounts, display settings, and Internet Explorer favorites. The answer file for Windows Setup typically is named Unattend.xml.

Using an Answer File

Use an answer file to customize Windows installations so that the versions of Windows operating systems deployed to each destination computer are configured in the same way. The two types of Windows installations are attended and unattended:

- In attended installations, you respond to Windows Setup prompts, selecting options such as the partition to which you want to install and the Windows image to install.

- In unattended installations, which offer many additional options, you automate this process to avoid installation prompts.

Before beginning your deployment process, identify all the requirements of your environment. Consider the following possible requirements:

- Hard drive partitions
- Computer name and domain membership
- Support for BitLocker or a recovery solution
- Additional out-of-box drivers
- Support for multilingual configurations
- Other post-installation modifications to Windows, such as installing additional apps

What Is in an Answer File?


Settings in an answer file are organized into two sections: components and packages.

Components

The components section of an answer file contains all the component settings that Windows applies during Windows Setup. You can configure components in different configuration passes: windowsPE, offlineServicing, generalize, specialize, auditSystem, auditUser, and oobeSystem. Each configuration pass represents a different phase of Windows Setup, and not all phases happen during Windows installation. For example, generalize, auditSystem, and auditUser do not happen during Windows Setup. Settings can be applied during one or more passes. If a setting can be applied in more than one configuration pass, you can choose the pass in which to apply the setting.

Packages

Microsoft uses packages to distribute software updates, service packs, and language packs. Packages also can comprise Windows features. You can configure packages so that you add them to a Windows image, remove them from a Windows image, or change the settings for features within a package. You can either enable or disable features in Windows. If you enable a Windows feature, the resources, executable files, and settings for that feature are available to users on the system. If you disable a Windows feature, the package resources are not available, but the Windows operating system does not remove the resources from the system. Some Windows features require that other features be installed before you can enable them; you must validate your answer file and then add any required packages. For example, you can disable the Windows Media Player feature to prevent end users from running it. However, disabling the feature does not remove its resources from the Windows image, so the feature can be re-enabled later by anyone with administrative rights. The Windows operating system applies packages in an answer file to the Windows image during the offlineServicing configuration pass.

Creating an Answer File

While you can create an answer file manually by entering the appropriate XML code into the Unattend.xml file, you typically create it by using the component of Windows ADK called Windows SIM. Windows SIM requires a catalog of the Windows image before you can use it to create an answer file. Windows 8.1 does not include a catalog file for the Windows images in Install.wim, but Windows SIM can create the catalog dynamically. Answer files that Windows SIM creates are associated with a particular Windows image. This enables you to validate the settings in an answer file against the settings available in the Windows image. However, because you can use any answer file to install a Windows image, if there are settings in the answer file for components that do not exist in the Windows image, then Windows ignores those settings.

Note: An answer file can include destructive actions like deleting disk content and formatting disk partitions. If you want Windows Setup to use an answer file automatically, and if the answer file includes settings in the windowsPE and offlineServicing configuration passes, you must name the answer file Autounattend.xml and place it at the root of removable media that is attached when Setup starts.

Understanding answer files
http://go.microsoft.com/fwlink/?LinkID=386288&clcid=0x409


Methods for running Windows Setup
http://go.microsoft.com/fwlink/?LinkId=378210&clcid=0x409

Question: What must you do before you can create an answer file for a Windows 8.1 installation?

Demonstration: Building an Answer File by Using Windows SIM


In this demonstration, you will see how to build an answer file by using Windows SIM.

Demonstration Steps
1. In the Components section of Windows SIM, add the following components, and then configure their properties with the following values in the answer file:

   o amd64_Microsoft-Windows-Setup\DiskConfiguration\Disk
     DiskID: 0
     WillWipeDisk: True

   o amd64_Microsoft-Windows-Setup\DiskConfiguration\Disk\CreatePartitions\CreatePartition
     Extend: True
     Order: 1
     Type: Primary

   o amd64_Microsoft-Windows-Setup_neutral\ImageInstall\OSImage\InstallTo
     DiskID: 0
     PartitionID: 1

   o amd64_Microsoft-Windows-Setup_neutral\UserData
     AcceptEULA: True
     Organization: Adatum

2. You can configure the property values by using the following process:

   a. Expand the component referenced in the list in the Components section.
   b. Right-click the component, and then click the appropriate Add Setting to Pass choice.
   c. In the Answer File pane, locate and then click the added component.
   d. In the corresponding Properties pane, double-click the setting, and then set the value.

3. Save the answer file on the desktop. Open the answer file in Internet Explorer, and then verify that the settings that you configured in Windows SIM are saved in the answer file.
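The following is an added example and not part of the course material. It writes an Autounattend.xml that carries the same windowsPE settings the demonstration configures in Windows SIM, plus an oobeSystem local account of the kind the Lab B table in this module asks for, and then audits the file for the two things that most often go wrong with deployment answer files: a password stored where anyone holding the media can read it, and a WillWipeDisk setting that destroys the target disk. Windows SIM's "Hide sensitive data" option only base64-encodes a password (PlainText false); that is reversible obfuscation, not encryption, so an answer file with credentials must be protected like a secret. The publicKeyToken is the fixed token that all Microsoft Windows components use; the output path is an assumption.

```powershell
# Added example (not from the course): generate an Autounattend.xml with the
# demonstration's settings and audit it for plaintext credentials and disk wipes.
$UnattendXml = @'
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend"
          xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
  <settings pass="windowsPE">
    <component name="Microsoft-Windows-Setup" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <DiskConfiguration>
        <Disk wcm:action="add">
          <DiskID>0</DiskID>
          <WillWipeDisk>true</WillWipeDisk>
          <CreatePartitions>
            <CreatePartition wcm:action="add">
              <Order>1</Order>
              <Type>Primary</Type>
              <Extend>true</Extend>
            </CreatePartition>
          </CreatePartitions>
        </Disk>
      </DiskConfiguration>
      <ImageInstall>
        <OSImage>
          <InstallTo>
            <DiskID>0</DiskID>
            <PartitionID>1</PartitionID>
          </InstallTo>
        </OSImage>
      </ImageInstall>
      <UserData>
        <AcceptEula>true</AcceptEula>
        <Organization>Adatum</Organization>
      </UserData>
    </component>
  </settings>
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <UserAccounts>
        <LocalAccounts>
          <LocalAccount wcm:action="add">
            <Name>Administrator</Name>
            <Group>Administrators</Group>
            <Password>
              <Value>Pa$$w0rd</Value>
              <PlainText>true</PlainText>
            </Password>
          </LocalAccount>
        </LocalAccounts>
      </UserAccounts>
    </component>
  </settings>
</unattend>
'@

function Test-UnattendFile {
    param([Parameter(Mandatory)][string]$Path)
    $doc = New-Object System.Xml.XmlDocument
    $doc.Load($Path)
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('u', 'urn:schemas-microsoft-com:unattend')

    $findings = @()
    # Which configuration passes the file touches (Setup auto-loads Autounattend.xml
    # for windowsPE/offlineServicing settings; see the note in the text).
    $passes = @($doc.SelectNodes('/u:unattend/u:settings', $ns) | ForEach-Object { $_.GetAttribute('pass') })

    # Any Password element: PlainText=true is stored as typed; PlainText=false is
    # merely base64 from Windows SIM and decodes trivially.
    foreach ($pw in $doc.SelectNodes('//u:Password', $ns)) {
        $plain = $pw.SelectSingleNode('u:PlainText', $ns)
        $owner = $pw.ParentNode.LocalName
        if (-not $plain -or $plain.InnerText -eq 'true') {
            $findings += "Plaintext password in $owner"
        } else {
            $findings += "Base64-obfuscated password in $owner (reversible)"
        }
    }
    # Destructive disk actions.
    foreach ($disk in $doc.SelectNodes('//u:DiskConfiguration/u:Disk', $ns)) {
        $wipe = $disk.SelectSingleNode('u:WillWipeDisk', $ns)
        if ($wipe -and $wipe.InnerText -eq 'true') {
            $findings += "WillWipeDisk=true on DiskID $($disk.SelectSingleNode('u:DiskID', $ns).InnerText)"
        }
    }
    [pscustomobject]@{ Path = $Path; Passes = $passes; Findings = $findings }
}

$file = Join-Path $env:TEMP 'Autounattend.xml'    # assumed location
Set-Content -Path $file -Value $UnattendXml -Encoding UTF8
Test-UnattendFile -Path $file | Format-List
```

Run on the file above, the audit reports both passes (windowsPE, oobeSystem), the plaintext password under LocalAccount, and the wipe of disk 0. In practice, treat any finding in the Findings list as a reason not to leave the media attached after deployment, and have the provisioned account change its password at first sign-in.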


Preparing a Reference Installation by Using Sysprep


The Sysprep tool prepares an installation of the Windows operating system for duplication, auditing, and end-user delivery. Duplication enables you to capture a customized Windows image that you can reuse throughout an organization. The Sysprep tool is part of a Windows installation, and you can find it in the C:\Windows\System32\Sysprep folder.

Sysprep Tasks

You can use Sysprep to:

- Remove system-specific data from the Windows operating system, which is known as generalizing the computer.
- Uninstall computer-specific drivers.
- Configure the Windows operating system to start OOBE or in audit mode.
- Add an answer file to an existing installation.

Note: Only use Sysprep to configure reference Windows installations. Remember that Sysprep can delete existing system configurations. Do not use Sysprep to reconfigure an existing Windows installation that is deployed already.

Sysprep Command-Line Options

The Sysprep tool uses the following syntax:

sysprep.exe [/oobe | /audit] [/generalize] [/reboot | /shutdown | /quit] [/quiet] [/unattend:answerfile] [/mode:<mode>]

In Windows 8.1, the /mode:vm command-line option for Sysprep generalizes a virtual hard disk. You can use this parameter if you will deploy the virtual hard disk on the same virtualization platform.

Note: You can run virtual machine mode only from inside a virtual machine.

Common command-line options available for Sysprep
http://go.microsoft.com/fwlink/?LinkId=378211&clcid=0x409

Sysprep technical reference
http://go.microsoft.com/fwlink/?LinkId=378212&clcid=0x409

Question: Why should you not run Sysprep on a Windows 8.1 computer that is deployed and being used already?


What Is Windows PE?

Windows PE is the core deployment foundation for Windows 8.1. Windows PE is a compact, special-purpose Windows operating system that prepares and initiates a computer for Windows Setup, maintenance, or imaging tasks, and it recovers operating systems such as Windows 8.1. With Windows PE, you can start a subset of Windows 8.1 from a network or removable media, which provides network and other resources necessary to install and troubleshoot Windows 8.1. Windows PE is not a general-purpose operating system, but you can use it to start a computer that has no functional operating system installed, and it can act as a replacement for startup disks. Windows PE is designed to make customized Windows 8.1 deployments simpler by addressing the following tasks:

- Installing Windows 8.1. Windows PE runs every time you install Windows 8.1. The graphical tools that collect configuration information during the setup phase are running within Windows PE.

- Troubleshooting. Windows PE is useful for automatic and manual troubleshooting. For example, if Windows 8.1 fails to start because of a corrupted system file, Windows PE can start automatically and launch Windows RE.

- Recovery. OEMs and IT pros can use Windows PE to build customized, automated solutions for recovering and rebuilding computers that run Windows 8.1.

Benefits of Windows PE

Microsoft developed Windows PE as the primary tool for starting computers that do not have a functional operating system. After a computer starts in Windows PE, you can prepare it for Windows installation and then initiate Windows Setup from a network or local source. You also can service an existing Windows installation or recover data. Because Windows PE is based on the Windows 8.1 kernel, it provides the following capabilities:

- Native support for the NTFS 5.x file system, including dynamic volume creation and management.

- Native support for TCP/IP networking and file sharing. Windows PE can connect to network shares only; you cannot share folders in Windows PE.

- Native support for 32-bit or 64-bit Windows device drivers.

- Native support for a subset of the Win32 API.

- Optional support for Windows Management Instrumentation (WMI), Microsoft Data Access Components, and HTML Applications.

- Ability to start from a number of media types, including CD, DVD, USB flash drive (UFD), and a Remote Installation Services server.

- Windows PE offline sessions are supported. Windows PE images can be serviced offline.

- Windows PE includes all Hyper-V drivers, except display drivers. This enables Windows PE to run in a hypervisor. Supported features include mass storage, mouse integration, and network adapters.

Windows PE is available as part of Windows ADK. You can create a custom Windows PE environment by running the CopyPE.cmd script. After that, you can customize the environment. For example, you can add support for Windows PowerShell, database connectivity, or scripting. You also can copy additional drivers


and programs to Windows PE. You can write a customized Windows PE environment to bootable media by running the MakeWinPEMedia.cmd script.

Windows PE overview
http://go.microsoft.com/fwlink/?LinkId=378213&clcid=0x409

Question: What are some of the tasks in which you can use Windows PE for troubleshooting?

Question: How can you customize Windows PE?

Demonstration: Creating Bootable Windows PE Media


In this demonstration, you will see how to create bootable Windows PE media.

Demonstration Steps
1. Open the Deployment and Imaging Tools Environment.
2. Use CopyPE.cmd to copy the base amd64 Windows PE files to C:\winpe.
3. Use DISM to view the properties of the Windows PE image, and then mount the image file located at C:\winpe\media\sources\boot.wim to the C:\winpe\mount folder.
4. Use File Explorer to verify that there are three subfolders in the C:\winpe\mount folder. Create a subfolder with your name.
5. Use DISM to dismount and commit the image.
6. Use File Explorer to verify that there are no subfolders in the C:\winpe\mount folder.
7. Create an .iso file from the image to be copied to a CD or DVD.
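The demonstration mounts boot.wim and makes a trivial change. As an added example that is not part of the course, the script below carries the same CopyPE / mount / service / dismount / MakeWinPEMedia sequence through to a useful result: a Windows PE image with Windows PowerShell, the DISM cmdlets and the Storage cmdlets added, so that later deployment steps can be scripted inside Windows PE instead of typed at a command prompt. It uses the Windows 8.1 ADK default install path and component names; the path, the working folder and the ISO location are assumptions. Run it from an elevated Deployment and Imaging Tools Environment so that copype.cmd and makewinpemedia.cmd are on the path.

```powershell
# Added example (not from the course): build amd64 Windows PE media with
# PowerShell, DISM and Storage cmdlet support, then write it to an ISO.
$AdkRoot  = 'C:\Program Files (x86)\Windows Kits\8.1\Assessment and Deployment Kit'  # assumed
$OcPath   = Join-Path $AdkRoot 'Windows Preinstallation Environment\amd64\WinPE_OCs'
$WorkDir  = 'C:\winpe'                                                                # assumed
$MountDir = Join-Path $WorkDir 'mount'
$BootWim  = Join-Path $WorkDir 'media\sources\boot.wim'
$IsoPath  = 'C:\WinPE_amd64.iso'                                                      # assumed

# Optional components in dependency order: PowerShell needs WMI, NetFx and
# Scripting first; the DISM and Storage cmdlets need PowerShell. Each .cab is
# followed by its en-us language pack so the cmdlets have their help and messages.
$Components = 'WinPE-WMI', 'WinPE-NetFx', 'WinPE-Scripting', 'WinPE-PowerShell',
              'WinPE-DismCmdlets', 'WinPE-StorageWMI'

function New-CustomWinPE {
    if (Test-Path $WorkDir) { throw "$WorkDir already exists; copype requires a new folder." }
    & copype.cmd amd64 $WorkDir | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "copype failed with exit code $LASTEXITCODE" }

    Mount-WindowsImage -ImagePath $BootWim -Index 1 -Path $MountDir | Out-Null
    try {
        foreach ($c in $Components) {
            Add-WindowsPackage -Path $MountDir -PackagePath (Join-Path $OcPath "$c.cab") | Out-Null
            Add-WindowsPackage -Path $MountDir -PackagePath (Join-Path $OcPath "en-us\${c}_en-us.cab") | Out-Null
        }
        # Record what the boot image now contains, for the build log.
        $added = Get-WindowsPackage -Path $MountDir |
                 Where-Object PackageName -like '*WinPE-*' |
                 Select-Object PackageName, PackageState
        Dismount-WindowsImage -Path $MountDir -Save | Out-Null
    } catch {
        # Never leave a half-modified boot.wim behind: discard the mount and rethrow.
        Dismount-WindowsImage -Path $MountDir -Discard -ErrorAction SilentlyContinue | Out-Null
        throw
    }

    & makewinpemedia.cmd /ISO $WorkDir $IsoPath
    if ($LASTEXITCODE -ne 0) { throw "makewinpemedia failed with exit code $LASTEXITCODE" }
    $added
}

New-CustomWinPE | Format-Table -AutoSize
```

Boot the resulting ISO and type powershell at the Windows PE command prompt to confirm the components took; Get-Command -Module Dism should list the image cmdlets. The same mount/add/dismount pattern, with -Discard on failure, is what the text means by servicing a Windows PE image offline.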

Using DISM to Capture and Apply an Installation Image


Windows 8.1 installation media includes default Windows installation images, which are contained in the Install.wim file. You can use Windows Setup to deploy the default images, but you also can use it to deploy custom images when you provide an answer file. If you need to create a custom Windows 8.1 image (for example, from the reference installation), you can capture the image by using Dism.exe. Dism.exe is a command-line tool that is included in Windows 8.1, and it also is available as part of Windows ADK. DISM is the main tool for managing Windows image files, which includes operations such as creating, mounting, updating, and applying the image.

Note: In the past, the ImageX tool often was used for creating, mounting, and applying Windows image files. This tool is still available as part of the Windows ADK, but it has been deprecated since Windows 8. All of its functionality is included in DISM, and you should avoid using ImageX.


Although you can create an image that includes a single folder or folder hierarchy, you often will create an image of the entire volume. You cannot add files that are opened exclusively by any process to the image, and because of that, you cannot capture an image of the running operating system. You will need to restart the computer to another operating system, such as Windows PE, before you can capture the image of the Windows 8.1 installation. When capturing the image, you can specify additional options, such as the file types to exclude from the image and the compression type to use (the compression type can be defined only when capturing the first image in the Windows image file). You can capture the content of the volume C: to the file D:\Custom.wim by running the following command:
Dism /Capture-Image /ImageFile:D:\Custom.wim /CaptureDir:C:\ /Name:"Captured Windows 8.1 installation"

You cannot create and format a volume by using DISM, which means that the volume already must be created and formatted before you can apply the image to it. For example, you can create and format a volume by using the DiskPart tool. After the volume is prepared, you can deploy the first Windows image contained in the file D:\Custom.wim to volume C: by running the following command:
Dism /apply-image /imagefile:D:\Custom.wim /index:1 /ApplyDir:C:\

Besides capturing and applying Windows images, you can use DISM to service and manage Windows images.

DISM technical reference
http://go.microsoft.com/fwlink/?LinkId=378214&clcid=0x409

Question: What must you do before you can capture an image of a Windows 8.1 computer by using Dism.exe?
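The capture and apply commands above are the two halves of step 6 of the procedure at the start of this lesson, but applying an image onto a disk that has not been prepared, or without boot files, produces a computer that does not start. The following added example (not part of the course) runs from Windows PE with PowerShell support and performs the deploy side end to end: it checks that the .wim actually contains the image you expect before anything is destroyed, partitions and formats disk 0 with DiskPart in the BIOS/MBR layout the lab uses (one active NTFS primary partition), applies the image (Expand-WindowsImage is the cmdlet form of Dism /Apply-Image), and writes boot files with BCDBoot. BCDBoot is not covered in the text and is an assumed extra step; a UEFI computer would instead need a GPT disk with an EFI system partition and bcdboot /f UEFI. The share and image name are the lab's values. Everything on the chosen disk is destroyed.

```powershell
# Added example (not from the course): deploy a captured image from Windows PE.
function Deploy-CapturedImage {
    param(
        [Parameter(Mandatory)][string]$ImageFile,     # e.g. G:\Win81.wim (lab value)
        [Parameter(Mandatory)][string]$ImageName,     # e.g. CustomImage (lab value)
        [int]$DiskNumber = 0,
        [string]$TargetLetter = 'W'
    )
    # 1. Verify the image before touching the disk. Get-WindowsImage reads only the
    #    .wim metadata, so this is safe and cheap; a wrong name stops here.
    $img = Get-WindowsImage -ImagePath $ImageFile | Where-Object ImageName -eq $ImageName
    if (-not $img) { throw "Image '$ImageName' not found in $ImageFile" }
    $index = [int]$img.ImageIndex

    # 2. Partition and format with DiskPart (BIOS/MBR: one active NTFS primary partition).
    #    'clean' wipes the partition table of the selected disk.
    $dpScript = @"
select disk $DiskNumber
clean
create partition primary
format quick fs=ntfs label="Windows"
assign letter=$TargetLetter
active
"@
    $dpPath = Join-Path $env:TEMP 'deploy.txt'
    Set-Content -Path $dpPath -Value $dpScript -Encoding ASCII
    & diskpart /s $dpPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "DiskPart failed with exit code $LASTEXITCODE" }

    # 3. Apply the image. Equivalent to: Dism /Apply-Image /ImageFile:$ImageFile /Index:$index /ApplyDir:W:\
    Expand-WindowsImage -ImagePath $ImageFile -Index $index -ApplyPath "${TargetLetter}:\" | Out-Null

    # 4. Copy boot files and create the BCD store so the volume starts (assumed step).
    & bcdboot "${TargetLetter}:\Windows" /s "${TargetLetter}:" /f BIOS | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "bcdboot failed with exit code $LASTEXITCODE" }

    # 5. Return a simple verification: kernel and boot store present on the target.
    (Test-Path "${TargetLetter}:\Windows\System32\ntoskrnl.exe") -and
    (Test-Path "${TargetLetter}:\Boot\BCD")
}

# Usage from Windows PE. The trailing * makes net use prompt for the password
# instead of placing it in the script or the command history.
# net use G: \\lon-cl1\share /user:Adatum\Administrator *
# Deploy-CapturedImage -ImageFile 'G:\Win81.wim' -ImageName 'CustomImage' -DiskNumber 0
```

The function returns True when both the applied Windows folder and the BCD store exist; anything else is a failed deployment, and Windows PE should not be rebooted into the target until the cause is found.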

Modifying and Maintaining Windows Images


DISM is a command-line tool that combines separate Windows platform technologies into a single, cohesive tool for servicing Windows images. By using DISM, IT pros can view components of an applied or mounted operating system image and add or remove packages, software updates, and drivers. You can use DISM to service Windows images offline before deployment or to prepare a Windows PE image. Some of the most common tasks that you can perform by using DISM include:

- Mount, unmount, and commit modifications
- Apply updates, drivers, and language packs
- Add, remove, and enumerate packages and drivers
- Enable or disable Windows features
- Apply changes based on the offlineServicing section of an answer file
- Configure international settings
- Upgrade a Windows image to a different edition
- Prepare and customize Windows PE images
- Service online and offline Windows images

DISM Command-Line Options


DISM has two main sets of commands: imaging commands, and servicing commands.

Imaging commands
Imaging commands enable image management tasks such as mounting an image file or enumerating images in a file. You can use the following syntax for imaging commands:
Dism.exe [dism_global_options] {WIM_command} [<WIM_arguments>]

Servicing commands

Servicing commands enable tasks that involve modifying a Windows image, such as injecting drivers, adding packages, and modifying Windows configurations. You can use the following syntax for servicing commands:
Dism.exe {/Image:<path_to_image> | /Online} [dism_global_options] {servicing_option} [<servicing_argument>]

DISM command-line options
http://go.microsoft.com/fwlink/?LinkId=378215&clcid=0x409

You also can manage Windows image files by using Windows PowerShell cmdlets. You can get a list of available DISM cmdlets by running the following cmdlet:
Get-Command -Module Dism

Question: Can you use Dism.exe to modify only Windows install images in a .wim file?
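The servicing tasks listed above (mount, inject drivers, add packages, enable or disable features, commit) are usually run together against one image. The following is an added example, not part of the course, that does so with the DISM cmdlets and adds the check a practitioner most wants before drivers go into an image that every computer in the organization will be deployed from: each driver package's catalog (.cat) must carry a valid Authenticode signature. An unsigned or tampered driver injected offline becomes a kernel-mode component on every target, and Add-WindowsDriver will accept one if you pass -ForceUnsigned, which this example deliberately never does. Paths, the image name and the feature names in the usage call are assumptions; WindowsMediaPlayer is the feature the text uses as its own example.

```powershell
# Added example (not from the course): offline servicing of one image in a .wim
# with a driver-signature gate in front of Add-WindowsDriver.
function Update-OfflineImage {
    param(
        [Parameter(Mandatory)][string]$ImagePath,
        [int]$Index = 1,
        [string]$MountDir = 'C:\mount',             # assumed; must be an empty folder
        [string]$DriverRoot = 'C:\drivers',         # assumed; folder tree of .inf/.sys/.cat
        [string[]]$UpdatePackages = @(),            # .msu or .cab files
        [string[]]$EnableFeatures = @(),
        [string[]]$DisableFeatures = @()
    )
    New-Item -ItemType Directory -Path $MountDir -Force | Out-Null

    # Gate: every driver catalog must validate. A .cat covers the .inf/.sys next to it,
    # so a missing or invalid catalog means the package would only install unsigned.
    $catalogs = Get-ChildItem -Path $DriverRoot -Recurse -Filter *.cat
    if (-not $catalogs) { throw "No driver catalogs under $DriverRoot; refusing to inject unsigned drivers" }
    $bad = $catalogs | Get-AuthenticodeSignature | Where-Object Status -ne 'Valid'
    if ($bad) { throw "Untrusted driver catalogs: $($bad.Path -join ', ')" }

    Mount-WindowsImage -ImagePath $ImagePath -Index $Index -Path $MountDir | Out-Null
    try {
        # Drivers, updates, features. No -ForceUnsigned anywhere.
        Add-WindowsDriver -Path $MountDir -Driver $DriverRoot -Recurse | Out-Null
        foreach ($pkg in $UpdatePackages) { Add-WindowsPackage -Path $MountDir -PackagePath $pkg | Out-Null }
        foreach ($f in $EnableFeatures)  { Enable-WindowsOptionalFeature  -Path $MountDir -FeatureName $f -All | Out-Null }
        foreach ($f in $DisableFeatures) { Disable-WindowsOptionalFeature -Path $MountDir -FeatureName $f | Out-Null }

        # Inventory of the serviced image, for whoever signs off the build.
        $report = [pscustomobject]@{
            Edition  = (Get-WindowsEdition -Path $MountDir).Edition
            Drivers  = (Get-WindowsDriver -Path $MountDir | Where-Object { -not $_.Inbox }).OriginalFileName
            Packages = (Get-WindowsPackage -Path $MountDir | Where-Object PackageState -eq 'Installed').PackageName
            Enabled  = (Get-WindowsOptionalFeature -Path $MountDir | Where-Object State -eq 'Enabled').FeatureName
        }
        Dismount-WindowsImage -Path $MountDir -Save | Out-Null
        $report
    } catch {
        # On any failure discard the mount so the .wim on disk is untouched.
        Dismount-WindowsImage -Path $MountDir -Discard -ErrorAction SilentlyContinue | Out-Null
        throw
    }
}

# Usage (assumed paths): inject vetted drivers into the first image of D:\Custom.wim
# and disable Windows Media Player, the feature the text uses as its example.
Update-OfflineImage -ImagePath 'D:\Custom.wim' -Index 1 -DriverRoot 'C:\drivers' `
    -DisableFeatures 'WindowsMediaPlayer' | Format-List
```

The returned inventory is what to compare against the build specification; a driver that does not appear under Drivers, or a feature still listed under Enabled, means the change did not commit. If a mount is interrupted, Get-WindowsImage -Mounted shows the stale mount and Clear-WindowsCorruptMountPoint cleans it up before the next run.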


Lab B: Customizing and Capturing a Windows 8.1 Image


Scenario

You have been asked to modify the answer file that is being used for the A. Datum Windows 8.1 installation process. A. Datum is deploying a test group of Windows 8.1 computers, and it would like to have a standard installation that requires no user input as part of the setup process. Your task is to create a new answer file that automates the installation accordingly. Use it to test an installation of Windows 8.1 on LON-REF1.

Objectives
After completing this lab, you will be able to:

1. Create an answer file and perform an unattended Windows 8.1 installation.
2. View Windows image information and capture a Windows 8.1 image.

Lab Setup
Estimated Time: 60 minutes

Virtual machines: 20687C-LON-DC1, 20687C-LON-CL1, and 20687C-LON-REF1
User name: Adatum\Administrator
Password: Pa$$w0rd

Start the 20687C-LON-DC1 and 20687C-LON-CL1 virtual machines, and sign in as Adatum\Administrator with the password Pa$$w0rd.

Exercise 1: Creating an Answer File and Performing an Unattended Windows 8.1 Installation
Scenario

In this exercise, you have been asked to configure an answer file to use with Windows 8.1 installations at A. Datum. To modify this answer file, you have been given the following information by your IT administrator to assist you in the process.

Component: amd64_Microsoft-Windows-International-Core-WinPE_neutral
    InputLocale: en-US
    SystemLocale: en-US
    UILanguage: en-US
    UserLocale: en-US

Component: amd64_Microsoft-Windows-International-Core-WinPE_neutral\SetupUILanguage
    UILanguage: en-US

Component: amd64_Microsoft-Windows-Setup_neutral\DiskConfiguration\Disk
    DiskID: 0
    WillWipeDisk: True

Component: amd64_Microsoft-Windows-Setup_neutral\DiskConfiguration\Disk\CreatePartitions\CreatePartition
    Extend: True
    Order: 1
    Type: Primary

Component: amd64_Microsoft-Windows-Setup_neutral\DiskConfiguration\Disk\ModifyPartitions\ModifyPartition
    Active: True
    Format: NTFS
    Order: 1
    PartitionID: 1

Component: amd64_Microsoft-Windows-Setup_neutral\ImageInstall\OSImage\InstallFrom\Metadata
    Key: /IMAGE/NAME
    Value: Windows 8.1 Enterprise Evaluation

Component: amd64_Microsoft-Windows-Setup_neutral\ImageInstall\OSImage\InstallTo
    DiskID: 0
    PartitionID: 1

Component: amd64_Microsoft-Windows-Setup_neutral\UserData
    AcceptEULA: True
    FullName: Adatum User
    Organization: Adatum

Component: amd64_Microsoft-Windows-Shell-Setup_neutral\OOBE
    SkipMachineOOBE: True
    SkipUserOOBE: True

Component: amd64_Microsoft-Windows-Shell-Setup_neutral\UserAccounts\LocalAccounts\LocalAccount
    Description: Local Admin
    DisplayName: Administrator
    Group: Administrators
    Name: Administrator

Component: amd64_Microsoft-Windows-Shell-Setup_neutral\UserAccounts\LocalAccounts\LocalAccount\Password
    Value: Pa$$w0rd

The main tasks for this exercise are as follows:

1. Mount a virtual floppy drive on LON-CL1.
2. Create an answer file.
3. Save the answer file and remove the diskette drive.
4. Configure LON-REF1 and start the Windows 8.1 unattended installation.

Task 1: Mount a virtual floppy drive on LON-CL1


1. Use the Hyper-V Manager console on the host computer to open the Settings page for 20687C-LON-CL1.
2. In Settings, click Diskette Drive, and then attach the virtual floppy drive named Lab2BEx1.vfd found at D:\Program Files\Microsoft Learning\20687\Drives.


Task 2: Create an answer file

In the Components section of Windows SIM, add the components and configure the properties listed in the preceding table by using the following process:

a. Expand the component referenced in the table in the Components section.
b. Right-click the component, and then click the appropriate Add Setting to Pass choice.
c. In the Answer File section, locate and then click the added component.
d. In the corresponding Properties page, double-click the setting, and then set the value.

Task 3: Save the answer file and remove the diskette drive
1. Save the answer file to A:\Autounattend.xml.
2. Open the Settings page for 20687C-LON-CL1 in Hyper-V Manager.
3. Configure the Diskette Drive to None.

Task 4: Configure LON-REF1 and start the Windows 8.1 unattended installation
1. In Hyper-V Manager, open the Settings page for 20687C-LON-REF1.
2. In Settings, click Diskette Drive, and then attach Lab2BEx1.vfd found at D:\Program Files\Microsoft Learning\20687\Drives.
3. In Settings, click DVD Drive, and then attach the DVD image file found at D:\Program Files\Microsoft Learning\20687\Drives\Win81Ent_Eval.iso.
4. Start 20687C-LON-REF1, and then begin Windows Setup. Confirm that you are not prompted for any information during installation. While Windows 8.1 is installing, continue with the next exercise.

Note: During installation LON-REF1 will restart two times. Do not press any key to start it from DVD.

Results: After completing this exercise, you should have modified an unattended answer file to use for automating the Windows 8.1 installation process.

Exercise 2: Viewing Install.wim Information and Capturing a Windows 8.1 Image


Scenario
One of your tasks is to capture a Windows 8.1 image. Before performing the task, you need to view the content of the existing Windows image file and explore the benefits of using the .wim file format.

The main tasks for this exercise are as follows:

1. View the information of the Windows 8.1 image in the Install.wim file.
2. Capturing an image.
3. Modifying an offline image.
4. Capturing Windows 8.1 image.


Task 1: View the information of the Windows 8.1 image in the Install.wim file
1. Add Windows 8.1 DVD media to LON-CL1 by attaching the DVD image file found at D:\Program Files\Microsoft Learning\20687\Drives\Win81Ent_Eval.iso.
2. Use File Explorer to view the properties of the Install.wim file in the Sources folder on the DVD drive.
3. Use Dism.exe with the Get-ImageInfo parameter to view the content of the Install.wim file.
4. Use Dism.exe with the Get-WimInfo parameter to view the information about the first image in the Install.wim file.

Task 2: Capturing an image


1. Use Dism.exe with the Capture-Image parameter to capture the content of the C:\Windows\Inf folder to a file named C:\image.wim, and then name the image First image.
2. Use File Explorer to view the properties of the C:\Windows\Inf folder.
3. View the size of the C:\image.wim file, and then consider the benefits of Windows image compression.
4. Use Dism.exe with the Append-Image parameter to add the content of the C:\Windows\Inf folder as a second image to the C:\image.wim file, and name the image Second Image.
5. View the size of C:\image.wim, and then consider the benefits of single instancing when multiple images in the same .wim file have the same files.
6. Use Dism.exe with the Get-ImageInfo parameter to view which images are contained in the C:\image.wim file.

Task 3: Modifying an offline image


1. Use File Explorer to view the properties of the C:\image.wim file, including its size and date of last modification.
2. Create a folder named C:\mount, and use Dism.exe with the Mount-Wim parameter to mount the second image in the C:\image.wim file to the C:\mount folder.
3. Use File Explorer to view the properties of the C:\mount folder.
4. Create a subfolder named Folder1, and then delete three files in the C:\mount folder.
5. Use Dism.exe with the Unmount-Wim and Commit parameters to unmount the image.
6. View the properties of C:\image.wim.
7. Use Dism.exe with the Get-WimInfo parameter to view and compare the properties of the second and first image in the C:\image.wim file.


Task 4: Capturing Windows 8.1 image


1. Sign in to LON-REF1 as user Admin with the password Pa$$w0rd. Verify that Windows 8.1 is installed.
2. Add Windows PE media to LON-REF1 by attaching the DVD image file found at D:\Program Files\Microsoft Learning\20687\Drives\WindowsPE.iso.
3. On LON-REF1, run Sysprep.exe as an Administrator to generalize the computer.
4. Start LON-REF1 from DVD media.
5. On LON-REF1, use Adatum\Administrator credentials to connect the G: drive to \\lon-cl1\share.
6. Use Dism.exe with the Capture-Image parameter to capture the C: drive to the G:\Win81.wim file, and name the image CustomImage.

Note: You can continue with the lecture while the capture is in progress.

Results: After completing this exercise, you should have viewed Windows image information and captured a Windows 8.1 image.


Lesson 4

Volume Activation for Windows 8.1

Product activation is a requirement of the Windows 8.1 operating system. It requires validation for each Windows 8.1 license through an online activation service at Microsoft, by phone, through KMS, or through AD DS. Activation enhances protection from software piracy, and it helps you to manage operating system and application instances within an environment. This lesson describes how activation works and the volume activation models to consider for an effective Windows 8.1 desktop deployment.

Lesson Objectives
After completing this lesson, you will be able to:

- Describe activation.
- Describe volume activation technologies.
- Describe how KMS activation works.
- Describe how Active Directory-based activation works.
- Describe tools to manage activation.
- Explain how to troubleshoot volume activation.

What Is Activation?
All editions of Windows 8.1 require activation. Activation confirms the status of a Windows product and ensures that the product key has not been compromised. The activation process links the software's product key to a particular installation of that software on a device. If the device hardware changes considerably, you need to activate the software again. Activation assures software integrity and provides you access to Microsoft support and a full range of updates. Activation also is necessary if you want to comply with licensing requirements.

Unlike Windows 7, Windows 8.1 does not have a grace period. You must activate Windows 8.1 immediately upon installation. Failure to activate a Windows operating system will prevent users from completing customization. In earlier versions of the Windows operating system, activation and validation by using the Windows Genuine Advantage tool occurred separately. This caused confusion for users who thought the terms were interchangeable. In Windows 8, activation and validation occur at the same time. If you wish to evaluate Windows 8.1, Microsoft provides a separate evaluation edition that is available as an ISO image file to MSDN subscribers and Microsoft partners. There are three main methods for activation:

- Retail. Any Windows 8.1 product purchased at a retail store comes with one unique product key that you type in during product installation. Use the product key to complete activation after installing the operating system.

- OEM. OEM system builders typically sell computer systems that include a customized build of Windows 8.1. You can perform OEM activation by associating the operating system to the computer system BIOS.

- Microsoft Volume Licensing (volume activation). Microsoft Volume Licensing is a series of software licensing programs that are tailored to the size and purchasing methods of your organization. Volume customers set up volume licensing agreements with Microsoft. These agreements include Windows upgrade benefits and other benefits related to value-added software and services. Microsoft Volume Licensing customers use Volume Activation Services to assist in activation tasks, which consist of Active Directory-based activation, KMS, and MAK models.

You can view the Windows 8.1 activation status on the System properties page or by running the following command:
cscript C:\windows\system32\slmgr.vbs -dli

Question: What is activation?

Volume Activation Technologies


Volume activation provides a simple, security-enhanced activation experience for enterprise organizations, while addressing issues associated with generic volume license keys (VLKs). Volume activation provides administrators the ability to manage and protect product keys centrally, and it also provides several flexible deployment options that activate enterprise computers, regardless of the organization's size.

Volume Activation Keys

Three main types of volume activation models are used in enterprise environments. You can use any or all of the options associated with these models, depending on your organization's needs and network infrastructure:

- Volume Activation Services is a server role in Windows Server 2012 and Windows Server 2012 R2. This role enables you to activate Windows 7, Windows Server 2008, and newer Windows operating systems automatically, without having to contact Microsoft product activation servers. With Volume Activation Services, you can configure KMS and enable Active Directory-based activation:

  o KMS allows organizations to perform local activation for computers in a managed environment without connecting to Microsoft individually. By default, Windows 8.1 and Windows Server 2012 R2 volume editions connect to a system that hosts the KMS service, which in turn requests activation. KMS usage is targeted for managed environments where more than 25 client computers or more than five servers use KMS activation.

  o Active Directory-based activation is a role service that allows you to use AD DS to store activation objects, which can greatly simplify the task of maintaining volume activation services for a network. You can use Active Directory-based activation to activate only AD DS-joined computers, and activation requests are processed during client computer startup. Any computer running Windows 8, Windows Server 2012, or a newer Windows operating system with a generic VLK that is joined to the domain will activate automatically and without user interaction. Computers will stay activated as long as they remain members of the domain and maintain periodic contact with a domain controller. Activation takes place after the licensing service starts.

- MAK activation uses product keys that can activate only a specific number of computers. If the use of volume licensing media is not controlled, excessive activations can be tried, and after the depletion of the activation pool no further computers can be activated. You do not use MAKs to install Windows 8.1, but rather to activate it after installation. You can use MAKs to activate any Windows 8.1 edition.

Plan for volume activation
http://go.microsoft.com/fwlink/?LinkId=378216&clcid=0x409

Licensing and volume activation
http://go.microsoft.com/fwlink/?LinkId=378217&clcid=0x409

Question: How can you determine if Windows 8.1 is activated? How can you activate Windows 8.1?

How KMS Activation Works


With KMS, organizations can perform local activations for computers in a managed environment without connecting to Microsoft individually. You can enable KMS functionality on a physical or virtual system that runs Windows 7, Windows Server 2008, or a newer Windows operating system.

Windows 8, Windows Server 2012, and newer Windows operating systems include KMS. After you initialize KMS, the KMS activation infrastructure is self-maintaining. The KMS service does not require dedicated computers and can be cohosted with other services. A single KMS host can support several thousand KMS clients. Most organizations probably will be able to operate with just two KMS hosts for their entire infrastructure: one main KMS host, and a backup host for redundancy.

Implementing KMS Activation

To enable KMS functionality, you install a KMS key on the KMS host and then activate it by using an online web service at Microsoft. Start the Command Prompt window and then run the following command:
cscript C:\windows\system32\slmgr.vbs -ipk <KmsKey>

You then can activate the KMS host by using online or phone activation.
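The host-side commands above, followed by the client-side override for clients that cannot discover the host through DNS, as an added PowerShell example that is not part of the course text. It wraps the same slmgr.vbs script the course uses; the KMS host key, the host name kms01.adatum.com and the fallback firewall rule name are placeholders I chose.

```powershell
# Added example (not course material): configure a KMS host and, separately, pin a client to it.
# Run in an elevated PowerShell session. slmgr.vbs accepts either / or - before an option.
$Slmgr = Join-Path $env:SystemRoot 'System32\slmgr.vbs'
function Invoke-Slmgr {
    param([Parameter(Mandatory)][string[]]$Arguments)
    # //nologo keeps cscript's banner out of the output so only slmgr's own messages are shown
    & cscript.exe //nologo $Slmgr @Arguments
    if ($LASTEXITCODE -ne 0) { Write-Warning "slmgr $($Arguments -join ' ') returned exit code $LASTEXITCODE" }
}

# --- On the KMS host (Windows 8.1 or Windows Server 2012 R2) ---
$KmsHostKey = 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX'   # placeholder; the KMS host key from your volume licensing agreement
Invoke-Slmgr '/ipk', $KmsHostKey    # install the KMS host key (the command shown above)
Invoke-Slmgr '/ato'                 # activate the host itself against Microsoft's online service
Invoke-Slmgr '/sprt', '1688'        # listening port; change it here if 1688 is in use, and change the firewall to match
Invoke-Slmgr '/sdns'                # publish the _vlmcs._tcp SRV record in DNS (on by default; /cdns turns it off)
Invoke-Slmgr '/dlv'                 # verify: expect "Key Management Service is enabled" and the current client count

# Let clients reach the port. Windows ships a predefined rule group for KMS; fall back to a new rule if it is absent.
if (-not (Enable-NetFirewallRule -DisplayGroup 'Key Management Service' -PassThru -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'KMS TCP 1688 in' -Direction Inbound -Protocol TCP -LocalPort 1688 -Action Allow | Out-Null
}

# --- On a client that should not rely on DNS discovery ---
Invoke-Slmgr '/skms', 'kms01.adatum.com:1688'   # hypothetical host name; /ckms removes the pin and returns to DNS discovery
Invoke-Slmgr '/ato'                             # request activation now instead of waiting for the two-hour retry
Invoke-Slmgr '/xpr'                             # prints when the current 180-day activation expires
```

Pinning a client with /skms is useful in a lab or a segmented network, but it also means the client never follows a replacement host published in DNS; clear it with /ckms once discovery works.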

During installation, a KMS host automatically attempts to publish its existence in service (SRV) resource record locations within the Domain Name System (DNS). This provides the ability for both domain members and stand-alone computers to activate against the KMS infrastructure. Client computers locate the KMS host dynamically by using the SRV records found in DNS or the connection information specified in the registry. Client computers then use information obtained from the KMS host to activate.

KMS Activation Considerations

If you decide to implement KMS activation, consider the following:

Client computers that are not activated attempt to connect with the KMS host every two hours.

To stay activated, client computers must renew their activation by connecting to the KMS host at least once every 180 days. After activation, client computers attempt to renew their activation every seven days. After each successful connection, the expiration extends to the full 180 days.

Client computers connect to the KMS host for activation by using anonymous remote procedure calls (RPCs) over TCP/IP and by using default port 1688. You can configure this port information. The connection is anonymous, enabling workgroup computers to communicate with the KMS host. You might need to configure the firewall and the router network to pass communications for the TCP port that will be used.

To use KMS activation with Windows 8, Windows Server 2012, or newer Windows operating systems, the computer must contain a Windows marker in the BIOS, and must have a qualifying operating system license, which often is obtained through OEMs as part of a new computer purchase.

Volume activation overview http://go.microsoft.com/fwlink/?LinkId=286471&clcid=0x409

Question: Can a Windows 8.1 computer be a KMS host?

How Active Directory-Based Activation Works


Active Directory-based activation simplifies the process of activating clients that are running Windows 8, Windows Server 2012, or newer Windows operating systems. If you implement Active Directory-based activation, your Windows operating system is activated automatically when you join the computer to the domain, as long as a generic VLK is used on the computer. This activation method requires that the AD DS schema is extended to at least the Windows Server 2012 level.

You cannot edit activation objects directly in AD DS. However, an administrator can use advanced AD DS tools to view each activation object. Administrators also can configure security access control lists for activation objects to restrict access as needed, and if necessary, they can delete activation objects. On a local client, a user with read/write permission for the activation object can use a command prompt to perform these functions.

Main Considerations

Many organizations have complex volume licensing infrastructures to support KMS and Microsoft Office installations. To add Active Directory-based activation to these environments, administrators must assess their current implementations and determine what role Active Directory-based activation will play in their environment. Some considerations include how to upgrade operating systems and applications to versions that support Active Directory-based activation. For environments that will run only Windows 8, Windows Server 2012, and newer Windows operating systems, Active Directory-based activation is a suitable option for activating all clients and servers, and you might be able to remove any KMS hosts. If an environment will continue to contain older volume-licensed operating systems and applications, administrators need a KMS host to maintain activation status in addition to enabling Active Directory-based activation.

Planning considerations when working with Active Directory-based activation include the following:

You do not need an additional host server with Active Directory-based activation. Your existing domain controllers can support activation clients with the following limitations:
    o You cannot configure Active Directory-based activation on read-only domain controllers.
    o You cannot use Active Directory-based activation with non-Microsoft directory services.
    o The AD DS schema must be at the Windows Server 2012 or higher level to store activation objects.

Domain controllers that run older versions of Windows Server can activate clients after the AD DS schema has been extended to the Windows Server 2012 or higher level.

Active Directory-based activation is forest-wide, and you only need to implement it once, even if the forest contains multiple domains. There are no threshold limits that must be met before computers can be activated by using Active Directory-based activation.

Volume Activation Process

In an environment that uses Active Directory-based activation, the volume activation process takes place in the following steps:

1. An enterprise administrator installs the Active Directory-based activation role service on a domain controller. After that, the administrator activates the KMS host key with Microsoft-hosted activation services. Administrators can complete this installation from any computer that has a VAMT console.

2. When a domain-joined computer that is running Windows 8, Windows Server 2012, or a newer Windows operating system with a generic VLK starts, the licensing service on the client automatically queries the domain controller for licensing information. This query uses the Lightweight Directory Access Protocol (LDAP).

Note: You cannot use Active Directory-based activation to license computers that are not members of the domain.

3. If a valid activation object is found, the activation continues silently and does not require user intervention. For Active Directory-based activation, the same renewal guidelines are applicable as for KMS activation.

4. If volume licensing information is not found in AD DS, computers that are running Windows 8, Windows Server 2012, or a newer Windows operating system will try to find a KMS host and try activation by using the KMS activation process.

Active Directory-based activation overview http://go.microsoft.com/fwlink/?LinkId=378218&clcid=0x409
Active Directory-based activation versus KMS http://go.microsoft.com/fwlink/?LinkId=378219&clcid=0x409

Question: What type of connection is established between a Windows 8.1 computer and a Windows Server 2012 R2 domain controller when Active Directory-based activation is performed?

Tools to Manage Activation

If you need to manage activation on a Windows 8.1 computer on a network, you probably will use VAMT. If VAMT is not deployed in your environment, you can still use Slmgr.vbs as the software licensing configuration tool. Slmgr.vbs is part of Windows 8.1, and you can use it for viewing activation information, installing product keys, activating Windows operating systems, and performing additional actions. You can get a list of all available actions by running slmgr -?. Slui.exe also is available in Windows 8.1, but its functionality is reduced in Windows 8.1. You can use it only for changing product keys, activating Windows 8.1, or displaying a list of telephone numbers for activation.

VAMT

You can use VAMT to automate and centrally manage the volume and retail-activation process of Windows operating systems, Microsoft Office software, and certain other Microsoft products. VAMT manages volume activation by using MAK or KMS. VAMT is a standard Microsoft Management Console (MMC) snap-in, and it is available as part of Windows ADK. You can install VAMT on a computer that is running Windows 7, Windows Server 2008, or a newer version of the Windows operating system. You can use VAMT to manage and specify a group of computers to activate based on the following:

AD DS
Workgroup names
IP addresses
LDAP queries

Note: VAMT cannot be used to manage volume activation for legacy Windows XP or Windows Server 2003 operating systems. However, you can still manage Microsoft Office 2010 or Microsoft Office 2013 on those two operating systems by using VAMT.

VAMT provides a single console for managing activations and for performing other activation-related tasks, such as the following:

Adding and removing computers. VAMT can discover computers in a local environment by querying AD DS and workgroups, by the computer name or IP address, or by using LDAP.

Discovering products. VAMT can discover Windows operating systems, Microsoft Office programs, and other products installed on client computers. It uses a Microsoft SQL Server database for storing discovery information and activation data.

Monitoring activation status. You can use VAMT to gather product activation information such as the last five characters of a product key. You also can determine a product edition and whether the product has a licensed, grace, or unlicensed licensing state.

Managing product keys. You can store multiple product keys and use VAMT to install these keys for remote client products. You also can determine the number of activations remaining for MAKs.

Managing activation data. VAMT uses an SQL database to store activation data, and it can export this data to other VAMT hosts or to an archive in XML format.

Reporting on volume licensing. VAMT can provide the licensing status of every computer in the database.

Performing proxy authentication. If you are on a network that requires a user name and password to reach the Internet, VAMT enables you to sign in and perform proxy activation.

Deploying Active Directory-based activation. VAMT can online-activate or proxy-activate an Active Directory-based activation object. When Active Directory-based activation is deployed, any new qualifying machines joined to the domain are activated automatically.

VAMT technical reference http://go.microsoft.com/fwlink/?LinkId=378220&clcid=0x409

Volume Activation Services

You can use the Volume Activation Services server role to issue and manage Microsoft software volume licenses in a simplified, automated manner, and to install and activate a KMS host key, and to configure KMS. After this service is installed, you can use it to issue, monitor, and manage volume licenses for Microsoft products that support volume activation based on computer account information in AD DS. You can configure Active Directory-based activation and KMS activation when installing the Volume Activation Services server role. This server role also includes the Volume Activation Tools console, which you can use to activate and manage one or more volume activation license keys in AD DS or on a KMS host. Question: What is the main benefit that VAMT provides for an environment without direct Internet connectivity?

Troubleshooting Volume Activation


The steps you take to troubleshoot volume activation are dependent on whether the problem is associated with MAK activation or KMS activation.

MAK Activation Troubleshooting


Use the following list to troubleshoot common issues with MAK activation:

Verify the activation status. You can verify activation status by looking for the "Windows is activated" message in the System properties. You also can run the slmgr.vbs -dli command.

If your computer will not activate over the Internet, ensure that an Internet connection is available and that the computer is configured with the correct TCP/IP settings. You also might need to set a proxy configuration from your browser. If the computer cannot connect to the Internet, try telephone activation. If Internet and telephone activation both fail, you will need to contact the Microsoft Product Activation Center.

KMS Activation Troubleshooting

Use the following list to troubleshoot common issues with KMS activation:

Verify the activation status. You can verify activation status by looking for the "Windows is activated" message in the System properties. You also can run the slmgr.vbs -dli command.

Ensure that the KMS SRV record is present in DNS and that DNS does not restrict dynamic updates. If DNS restrictions are intentional, you will have to provide the KMS host write permission to the DNS database, or you will have to create the SRV records manually.

Ensure that firewalls and routers do not block TCP port 1688.

If your computer will not activate, verify that the KMS host is contacted by the minimum number of clients required for activation. Until the KMS host has a count of 25, it will not activate Windows clients, including Windows 8.1.

Display the client Windows Application event log for event numbers 12288, 12289, and 12290 for possible troubleshooting information.

Active Directory-Based Activation Troubleshooting


Use the following list to troubleshoot common issues with Active Directory-based activation:

Verify the activation status. You can verify activation status by looking for the "Windows is activated" message in the System properties. You also can run the slmgr.vbs -dli command.

Ensure that computers can communicate with domain controllers. This includes network connectivity and DNS name resolution.

Ensure that there is at least one activation object in the AD DS configuration partition. If there are two activation objects, one for client and one for server operating systems, the client object can be safely deleted because the server object will activate both clients and servers.

Active Directory-based activation is available only for domain-joined computers. If you remove a computer from the domain, activation will fail on the next activation attempt.

Volume activation troubleshooting http://go.microsoft.com/fwlink/?LinkId=378221&clcid=0x409

Question: Will the user be notified immediately if a Windows 8.1 computer cannot reactivate by using a KMS host?
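The checks in the three troubleshooting lists above (MAK, KMS, and Active Directory-based activation), gathered in one PowerShell run as an added example that is not part of the course. It reads the licensing state that slmgr.vbs -dli reports from the SoftwareLicensingProduct WMI class, looks up the _vlmcs._tcp SRV record and tests TCP 1688 against each host it names, pulls the 12288/12289/12290 events, and lists the activation objects in the configuration partition. The last part needs the Active Directory module from RSAT on a Windows 8.1 client; the container and class names are the ones the Windows Server 2012 schema uses for activation objects.

```powershell
# Added example (not course material): one pass over the troubleshooting checks above.
# Run in an elevated PowerShell session on the Windows 8.1 client that will not activate.
$Domain = $env:USERDNSDOMAIN

# 1. Activation status straight from the licensing service (the data behind slmgr.vbs -dli)
$StatusText = @{ 0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'OOB grace'; 3 = 'OOT grace'
                 4 = 'Non-genuine grace'; 5 = 'Notification'; 6 = 'Extended grace' }
$WindowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'      # ApplicationID shared by all Windows editions
$Lic = Get-CimInstance -ClassName SoftwareLicensingProduct `
           -Filter "ApplicationID='$WindowsAppId' AND PartialProductKey IS NOT NULL" |
       Select-Object -First 1
[pscustomobject]@{
    Edition         = $Lic.Name
    Status          = $StatusText[[int]$Lic.LicenseStatus]
    PartialKey      = $Lic.PartialProductKey                  # last five characters, as VAMT shows them
    GraceDaysLeft   = [math]::Round($Lic.GracePeriodRemaining / 1440, 1)   # property is in minutes
    PinnedKmsHost   = $Lic.KeyManagementServiceMachine         # set by slmgr /skms, empty when using DNS
    DiscoveredKms   = $Lic.DiscoveredKeyManagementServiceMachineName
    AdActivationObj = $Lic.ADActivationObjectName             # filled in only after AD-based activation
}

# 2. KMS discovery: the SRV record the host publishes, and whether its port answers
$Srv = Resolve-DnsName -Name "_vlmcs._tcp.$Domain" -Type SRV -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq 'SRV' }
if (-not $Srv) {
    Write-Warning "No _vlmcs._tcp SRV record in $Domain. Grant the KMS host write access to the zone, create the record by hand, or pin clients with slmgr /skms."
}
foreach ($r in $Srv) {
    $t = Test-NetConnection -ComputerName $r.NameTarget -Port $r.Port -WarningAction SilentlyContinue
    '{0}:{1} reachable={2}' -f $r.NameTarget, $r.Port, $t.TcpTestSucceeded   # False points at a firewall or router
}

# 3. Client-side licensing events named in the text. 12288 is the request, 12289 the KMS reply;
#    a reply containing 0xC004F038 means the host's count is still below the 25-client threshold.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-Security-SPP'; Id = 12288, 12289, 12290 } `
             -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }

# 4. Activation objects in the configuration partition (AD-based activation)
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $Cfg  = (Get-ADRootDSE).configurationNamingContext
    $Objs = Get-ADObject -SearchBase "CN=Activation Objects,CN=Microsoft SPP,CN=Services,$Cfg" `
                         -LDAPFilter '(objectClass=msSPP-ActivationObject)' `
                         -Properties msSPP-CSVLKPartialProductKey, msSPP-CSVLKSkuId -ErrorAction SilentlyContinue
    if (-not $Objs) { Write-Warning 'No activation object in the forest; domain-joined clients will fall back to KMS.' }
    $Objs | Select-Object Name, msSPP-CSVLKPartialProductKey, msSPP-CSVLKSkuId
} else {
    Write-Warning 'ActiveDirectory module not installed; run section 4 on a domain controller or install RSAT.'
}
```

Read the output top down: a Notification or grace status with an empty DiscoveredKms and no SRV record is a DNS problem; a reachable host plus 0xC004F038 in event 12289 is the activation threshold; a healthy KMS path on a domain member that shows no activation object simply means Active Directory-based activation is not deployed, which is expected behaviour rather than a fault.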


Lab C: Deploying a Windows 8.1 Image


Scenario
A. Datum has captured a reference Windows 8.1 image. You have been asked to perform the offline update of the image by injecting the driver and enabling the Telnet Client feature. You also will deploy the updated image and test the changes.

Objectives
After completing this lab, you will be able to:

Perform offline servicing and deploy a Windows 8.1 image.

Estimated Time: 40 minutes
Virtual machines: 20687C-LON-DC1, 20687C-LON-CL1, and 20687C-LON-REF1
User name: Adatum\Administrator
Password: Pa$$w0rd

Exercise 1: Performing Offline Servicing and Deploying a Windows 8.1 Image


Scenario
Students will mount a Windows 8.1 image and perform offline servicing of the image by injecting the driver. They then will unmount the image and apply it to the LON-REF1 computer. The main tasks for this exercise are as follows:

1. Perform offline servicing of the Windows image.
2. Use Deployment Image Servicing and Management (DISM) to deploy a Windows image.

Task 1: Perform offline servicing of the Windows image


1. Sign in to LON-CL1 as Adatum\Administrator.
2. Use File Explorer to verify that the C:\Mount folder is empty.
3. Use Dism.exe to mount the image E:\labfiles\mod02\share\Win81.wim in the C:\Mount folder by using image index 1.

Note: If the image Win81.wim is not yet captured or you didn't capture it in Lab B, you can use E:\labfiles\mod02\sources\install.wim instead.

4. Use the dir command to view driver packages in the mounted Windows 8.1 image.
5. Use Dism.exe to inject the driver C:\Labfiles\drivers\dc3dh.inf into the mounted image.
6. Use the dir command to confirm that the folder for the driver package has been created in the C:\mount\Windows\System32\DriverStore\FileRepository folder.
7. Use Dism.exe with the Get-Features parameter to list the Windows 8.1 features and their states in the mounted image.
8. Use Dism.exe to enable the Telnet Client feature in the mounted image.
9. Use Dism.exe with the Unmount-Wim parameter to unmount the image and commit the changes.
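Steps 3 to 9 of Task 1 as one PowerShell script to run on LON-CL1, added here as an example and not part of the lab text. Paths, image index, driver and feature are the lab's own, and the fallback image is the one the note names; the only addition is that the script discards the mount instead of committing if any step fails, so a half-serviced image never gets written back.

```powershell
# Added example (not lab text): offline servicing of Win81.wim, steps 3-9 of Task 1.
# Run in an elevated PowerShell session on LON-CL1.
$Wim     = 'E:\labfiles\mod02\share\Win81.wim'
$Mount   = 'C:\Mount'
$Driver  = 'C:\Labfiles\drivers\dc3dh.inf'
$Feature = 'TelnetClient'            # the feature name shown for "Telnet Client" by /Get-Features

if (-not (Test-Path $Wim))   { $Wim = 'E:\labfiles\mod02\sources\install.wim' }   # fallback from the lab note
if (-not (Test-Path $Mount)) { New-Item -ItemType Directory -Path $Mount | Out-Null }
if (Get-ChildItem -Path $Mount -Force) { throw "$Mount must be empty before DISM can mount an image into it" }

function Invoke-Dism {
    param([Parameter(Mandatory)][string[]]$Arguments)
    & dism.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "dism $($Arguments[0]) failed with exit code $LASTEXITCODE (details in $env:WINDIR\Logs\DISM\dism.log)"
    }
}

Invoke-Dism '/Get-ImageInfo', "/ImageFile:$Wim"                 # confirm index 1 is the edition you captured
Invoke-Dism '/Mount-Image', "/ImageFile:$Wim", '/Index:1', "/MountDir:$Mount"   # step 3
$Commit = '/Discard'                                            # switched to /Commit only when every step succeeds
try {
    $Repo   = Join-Path $Mount 'Windows\System32\DriverStore\FileRepository'
    $Before = (Get-ChildItem -Path $Repo -Directory).Count      # step 4: count the staged driver packages
    Invoke-Dism "/Image:$Mount", '/Add-Driver', "/Driver:$Driver"             # step 5
    # step 6: a staged package gets a folder named <inf>_<architecture>_<hash>
    $Added = Get-ChildItem -Path $Repo -Directory | Where-Object Name -like 'dc3dh.inf_*'
    if (-not $Added) { throw 'driver package folder not found in FileRepository after /Add-Driver' }
    "Driver packages: $Before before, $((Get-ChildItem -Path $Repo -Directory).Count) after; new folder $($Added.Name)"
    Invoke-Dism "/Image:$Mount", '/Get-Features', '/Format:Table'             # step 7
    Invoke-Dism "/Image:$Mount", '/Enable-Feature', "/FeatureName:$Feature"   # step 8
    Invoke-Dism "/Image:$Mount", '/Get-FeatureInfo', "/FeatureName:$Feature"  # should now report State : Enabled
    $Commit = '/Commit'
} catch {
    Write-Warning "Servicing failed, changes will be discarded: $_"
}
Invoke-Dism '/Unmount-Image', "/MountDir:$Mount", $Commit      # step 9; /Unmount-Wim is the older spelling the lab uses
```

The DISM PowerShell module that ships with Windows 8.1 offers the same operations as cmdlets (Mount-WindowsImage, Add-WindowsDriver, Enable-WindowsOptionalFeature, Dismount-WindowsImage -Save); the script keeps to Dism.exe so its output matches what the lab steps describe.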


Task 2: Use Deployment Image Servicing and Management (DISM) to deploy a Windows image
1. On LON-REF1, use Diskpart to clean Disk 0.
2. Create a primary partition on the disk, format it with the NTFS file system, and then assign drive letter C to the volume.
3. Use Dism.exe to apply the image win81.wim, located on drive G, to volume C.
4. Use the dir command to verify that the Windows 8.1 image has been applied to drive C.
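Task 2 as a single script, added as an example that is not part of the lab. It runs on LON-REF1 from Windows PE with the PowerShell optional component installed (without it, type the same diskpart and dism commands at the Windows PE prompt). The image path, disk number and drive letter are the lab's; the final bcdboot call is my addition, since an applied volume has no boot files until something writes them.

```powershell
# Added example (not lab text): wipe disk 0, create one NTFS volume and apply the serviced image.
# Destructive: run only on the LON-REF1 reference machine.
$Wim = 'G:\win81.wim'
if (-not (Test-Path $Wim)) { throw "Image $Wim not found; check which drive letter Windows PE assigned to the lab share" }

# diskpart reads its commands from a script file; this is the single MBR partition the lab asks for (steps 1-2)
$Layout = @"
select disk 0
clean
create partition primary
format fs=ntfs quick label=Windows
active
assign letter=C
exit
"@
$LayoutFile = Join-Path $env:TEMP 'layout.txt'
Set-Content -Path $LayoutFile -Value $Layout -Encoding ASCII
& diskpart.exe /s $LayoutFile
if ($LASTEXITCODE -ne 0) { throw "diskpart failed with exit code $LASTEXITCODE" }

# Step 3: apply index 1 of the serviced image onto the fresh volume
& dism.exe /Apply-Image "/ImageFile:$Wim" /Index:1 /ApplyDir:C:\
if ($LASTEXITCODE -ne 0) { throw "dism /Apply-Image failed with exit code $LASTEXITCODE" }

# Step 4, plus proof that Task 1's servicing survived into the deployed copy
Get-ChildItem -Path C:\ -Directory | Select-Object -ExpandProperty Name   # expect Program Files, Users, Windows, ...
& dism.exe /Image:C:\ /Get-Drivers                                         # the injected dc3dh.inf is listed as oemN.inf
& dism.exe /Image:C:\ /Get-FeatureInfo /FeatureName:TelnetClient           # State : Enabled

# Beyond the lab: write the boot files so the volume starts on its own (BIOS/MBR firmware, as laid out above)
& bcdboot.exe C:\Windows /s C: /f BIOS
```

The lab stops at verifying the applied files, which is enough to prove the servicing worked; if you also want LON-REF1 to boot from the result, the bcdboot line is the missing piece, and it needs the partition marked active, which the diskpart script does.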

Results: After completing this exercise, you should have updated a Windows 8.1 installation image.

Prepare for the next module


When you have finished the lab, revert all virtual machines to their initial state:

1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687C-LON-CL1, and then click Revert.
3. In the Revert Virtual Machines dialog box, click Revert.
4. Repeat steps 2 to 3 for 20687C-LON-DC1 and 20687C-LON-REF1.


Module Review and Takeaways


Review Questions
Question: Can you use the Client Hyper-V feature on 32-bit versions of Windows 8.1 Enterprise?

Question: One of your users has been promoted to a new position and has been given a new computer. The user needs the new apps that the job requires. The user also needs to have the documents and settings from the old Windows 7 computer transferred to the new computer. How should you perform the Windows 8.1 installation?


Module 3
Managing Profiles and User State in Windows 8.1
Contents:
Module Overview 3-1
Lesson 1: Managing User Profiles 3-2
Lesson 2: Configuring User State Virtualization 3-8
Lab A: Configuring Profiles and User State Virtualization 3-21
Lesson 3: Migrating User State and Settings 3-27
Lab B: Migrating User State by Using USMT 3-34
Module Review and Takeaways 3-38

Module Overview

User profiles store user settings and data. For users working on a single computer, profiles can be stored locally. However, for users who roam between multiple computers, the user profile, or at least some parts of it, should be available on the network. This module describes the different user profile types. It also describes Microsoft User Experience Virtualization (UE-V), which you can use to synchronize settings between computers without using roaming user profiles. The operating system itself provides user profiles, whereas UE-V is a separate product that is part of the Microsoft Desktop Optimization Pack. In this module, you will learn about UE-V features and how to deploy UE-V and configure it on your network. You also will learn how to migrate user state and settings to computers running Windows 8.1 operating systems.

Objectives
After completing this module, you will be able to:

Manage user profiles.
Configure User State Virtualization.
Migrate user state and settings.


Lesson 1

Managing User Profiles

A user who signs in to the Windows operating system must have his or her user profile, which stores user settings such as the desktop theme, data such as the files stored in the Documents folder, screen saver settings, and desktop icons. This lesson introduces each user profile type, explains how to configure user profiles, and explains when to use a user profile type. It also describes how you can use Group Policy for managing user profiles and the differences between roaming user profiles and redirected folders.

Lesson Objectives
After completing this lesson, you will be able to:

Describe user profiles in Windows 8.1.
Describe user profile types.
Explain how to manage user profiles by using Group Policy.
Configure roaming user profiles and Folder Redirection.
Explain how to use the Primary Computer setting to control profiles.

User Profiles in Windows 8.1

For security reasons, Windows 8.1 requires that each user who signs in has a user profile. A user profile is created when a user signs in for the first time. The initial user profile is based on the default user profile, and it is used for all subsequent sign-ins. User profiles contain details of the user environment, such as Start screen settings, desktop settings, user documents, Start screen tiles and their layout, and the user hive of the registry. By default, the user profile is stored on the same drive as the Windows operating system in the Users folder. The user profile is used only when the user signs in to the same computer, but you can change the location and the user profile type.

Elements in a User Profile


A user profile contains the following elements:

User part of the registry. User profiles contain the NTuser.dat file, which is the user part of the registry. When the user signs in, this file is loaded by the system, and it is mapped to the HKEY_CURRENT_USER registry subtree. NTuser.dat contains user settings such as desktop background and screen saver settings.

Set of folders. For each user who signs in, a separate subfolder with his or her name is created in the Users folder. This folder is a container for applications, user settings, and data that are organized in various subfolders, such as AppData, Desktop, Downloads, and Documents.


Advantages of User Profiles


User profiles provide the following advantages:

User settings are persistent. With user profiles, users have the same settings as when they signed out the last time. If multiple users are sharing the same computer, individual users have their own customized environment when they sign in.

Settings in the user profile are unique to each user. When users change settings in their user profiles, this does not affect other users whose profiles are on the same computer.

Customizing the Start screen http://go.microsoft.com/fwlink/?LinkId=378222&clcid=0x409
Customize the Default User Profile by Using CopyProfile http://go.microsoft.com/fwlink/?LinkId=378223&clcid=0x409

Question: By default, where is the local user profile stored in Windows 8.1?

User Profile Types


Windows 8.1 requires each user to have a user profile. User profiles are created during a user's first sign-in and are stored in the Users folder. User profiles are created based on the content in the default profile in the Users folder. There are three different types of user profiles:

Local. Available only on a single computer.
Roaming. Can roam between domain-joined computers.
Mandatory. Special type of preconfigured user profile that does not store user changes between sign-ins.

Local User Profiles

When a user signs in to a computer for the first time, the operating system automatically creates a local user profile that will be used for all subsequent sign-ins to the same computer. The local user profile is used only when a user signs in to the computer where the profile was created, and it is useful when a user is using a single computer. If a user roams between multiple computers, then by default, separate local user profiles will be created on each computer. This means that modifications and documents that the user created on one computer will not be used or available on other computers. Therefore, local profiles should be avoided if a user signs in to multiple devices.

Roaming User Profiles

In a domain environment, administrators can configure a user with a roaming user profile by configuring his or her profile path. With roaming user profiles, user settings and data are stored on a network location and locally on the computer where the user signs in. When a user signs in, the local copy of the user profile is compared to the copy that is stored on the network location, and only new files are copied locally. The user can change settings and create data files, which are stored in the local user profile copy. When the user signs out, these changes are copied to the network location. If users roam between multiple computers, their documents and settings will follow them.

If a user profile contains a lot of data, or if the user stores large files on the desktop, then the process of signing in to the computer might take a long time. If a user signs in to multiple computers at the same time, changes performed on one computer will override changes performed on a second computer because user profile changes are copied to the network location only when the user signs out. Some parts of the user profile, such as Temporary Internet Files or AppData\Local, are never copied to the network location, even if roaming user profiles are used.

Mandatory User Profiles


A mandatory user profile is a type of roaming user profile that administrators can configure users with. With mandatory user profiles, user changes are stored in the local copy of the user profile, but are not preserved after a user signs out from the computer. When the user signs in again, the mandatory user profile is downloaded from the network location, and it overrides the local user profile copy. The two types of mandatory user profiles are normal mandatory profiles and super-mandatory profiles.

Administrators can configure users with mandatory user profiles first by configuring them with roaming user profiles and then by renaming the NTuser.dat file in their profiles to NTuser.man. The .man extension causes user modifications to the profile to be discarded at the next sign-in and user profiles to behave as read-only.

Super-Mandatory User Profiles

User profiles become super-mandatory when the administrator adds the .man extension to a users roaming user profile folder name. For example, if a roaming user profile is stored in the \\Server\Profiles\User1.V2 folder, the administrator can add the .man extension to the folder and store the roaming user profile at \\Server\Profiles\User1.man.V2. Mandatory and super-mandatory user profiles behave similarly; both do not preserve user modifications. If a user is configured with a super-mandatory profile, he or she will not be able to sign in if the network copy of the profile is not available. In such cases, users with a normal mandatory profile would still be able to sign in, and they would get temporary profiles, which could be against company policy. Question: When would you configure users with roaming user profiles?
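The sequence the two sections above describe, roaming profile to mandatory to super-mandatory, as an added PowerShell example that is not part of the course. The share \\LON-DC1\Profiles and the user Adam are placeholders taken from the course's lab names; the ProfilePath values and folder names follow the .V2 and .man conventions stated in the text.

```powershell
# Added example (not course material): convert one user's roaming profile into a mandatory,
# then a super-mandatory profile. Run on LON-DC1 (or with RSAT) while the user is signed out,
# since the profile folder is renamed underneath the profile path.
Import-Module ActiveDirectory
$ProfileShare = '\\LON-DC1\Profiles'   # assumed share; the user needs Full Control on it for the first sign-in
$User         = 'Adam'                 # placeholder sAMAccountName

# 1. Roaming: ProfilePath points at the share; Windows 8.1 creates and uses <name>.V2 under it
Set-ADUser -Identity $User -ProfilePath "$ProfileShare\$User"
$Folder = "$ProfileShare\$User.V2"
$Hive   = Join-Path $Folder 'NTuser.dat'
if (-not (Test-Path $Hive)) {
    throw "No roaming profile at $Folder yet. Have the user sign in and out once so the profile is uploaded, then rerun."
}

# 2. Mandatory: the .man extension on the user hive makes Windows discard changes at sign-out.
#    Users then need only Read on the folder, so tighten the ACL instead of leaving Full Control.
Rename-Item -Path $Hive -NewName 'NTuser.man'
& icacls.exe $Folder /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' "$User:(OI)(CI)RX" | Out-Null

# 3. Super-mandatory: .man goes on the folder name as well, and ProfilePath must name the .man folder
#    (without .V2, which Windows appends). Sign-in now fails if the share is unreachable, instead of
#    falling back to a temporary profile.
Rename-Item -Path $Folder -NewName "$User.man.V2"
Set-ADUser -Identity $User -ProfilePath "$ProfileShare\$User.man"

# Verify what the next sign-in will use
Get-ADUser -Identity $User -Properties ProfilePath | Select-Object SamAccountName, ProfilePath
Get-ChildItem -Path "$ProfileShare\$User.man.V2" -Force | Where-Object Name -like 'NTuser*' | Select-Object Name, Length
```

Stop after step 2 if a temporary profile is an acceptable fallback when the file server is down; step 3 trades that availability for the guarantee that no user ever works in an unmanaged profile.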

Managing User Profiles by Using Group Policy


You can use Group Policy to manage user environments centrally, including many of the user profile settings. Group Policy includes many user profile-related settings that can be configured for users and computers. Some of the user profile settings that can be configured by using Group Policy include:

Limit the size of a user profile
Exclude user profile directories from roaming
Prevent users from sharing files in their profiles
Set roaming profile paths for users
Prevent roaming profile changes from propagating to a server
Set the schedule for a background upload of a roaming user registry file


Folder Redirection is a Group Policy setting that is most often used for configuring user profiles. Administrators can use Folder Redirection to redirect individual folders from a user profile to a new location. For example, an administrator can redirect the Documents folder from a local or roaming user profile to a separate network location. The contents of a redirected folder are available from any computer on the network and are not copied to the computer on which a user signs in, as they would be with roaming user profiles. Folder Redirection also provides users with access to the same configuration and data on multiple domain computers without copying user profiles locally, as roaming user profiles do. You can configure Folder Redirection by modifying the Policies/Windows Settings/Folder Redirection settings in the User Configuration part of Group Policy.

Redirected folders are stored only on a network share, and users access them transparently in the same way as when they are stored in a local user profile. The Offline Files feature, which is enabled by default when redirected folders are used, provides users with access to content in redirected folders even if there is no network connectivity. The administrator configures Folder Redirection by using user settings in Group Policy, and by doing so, can redirect individual folders in a user profile. In Windows 8.1, an administrator can redirect 13 folders in user profiles, including Desktop, Start Menu, and Documents. Administrators can redirect predefined folders and folders in a user profile only. For each user with redirected folders, a new subfolder with the user's sign-in name will be created, and folders can be redirected to the same location or to a different location based on user group membership.

When you configure Folder Redirection, you can configure what will happen if Folder Redirection is no longer in effect. The options are to leave the redirected content on the network location or to move the content back to its original location in the user's profile. Folder Redirection can redirect many parts of a user profile, but settings stored in NTuser.dat cannot be redirected. Because of this, some administrators use roaming user profiles together with Folder Redirection.

Folder Redirection provides several advantages:

Contents of redirected folders are available from any computer in the domain.

Contents of redirected folders are not copied to local computers, which minimizes network traffic during user sign-in.

Administrators can set quotas (limiting disk space) and permissions on redirected folders. By doing so, administrators can control how much space a user can utilize and whether the user can modify contents of that part of the folder, for example, Desktop.

Redirected folders are stored on network locations (network shares) and not on local computers. If a local hard drive fails, users can still access data in redirected folders from a different computer.

Contents of redirected folders can be backed up centrally because they are not stored locally on user computers. If Shadow Copies for Shared Folders is configured on a network location, users can access previous versions of their redirected files.

Folder Redirection Overview http://go.microsoft.com/fwlink/?LinkId=378224&clcid=0x409

Question: What is the main difference between roaming user profiles and redirected folders?

Demonstration: Configuring Roaming User Profiles and Folder Redirection


In this demonstration, you will see how to configure roaming user profiles and Folder Redirection.


Demonstration Steps
1. On LON-DC1, in Active Directory Users and Computers, show the Profile Path property of user Adam Barr, who is located in the Marketing organizational unit (OU).
2. On LON-DC1, in the Group Policy Management Console (GPMC), show how the Documents folder is redirected to \\LON-DC1\Redirected in the Folder Redirection Group Policy.
3. On LON-DC1, verify that the Profiles and Redirected folders are empty.
4. Sign in to LON-CL1 as Adatum\Adam.
5. On Adam Barr's desktop, create a folder named Presentations, add a shortcut to Local Disk (C:), and then add the This PC icon.
6. In Notepad, create a file with your name, and then save it in the Documents library.
7. Verify that the file is stored in the \\LON-DC1\redirected\Adam\Documents folder, and that it is not stored inside the Adam local profile.
8. Sign out of LON-CL1.
9. On LON-DC1, verify that the Profiles and Redirected folders are no longer empty. The Profiles folder contains the Adam Barr roaming user profile (Adam.V2), whereas the Redirected folder contains the Adam redirected Documents folder.
10. Sign in to LON-CL2 as Adatum\Adam.
11. Verify that the This PC icon is on the desktop, in addition to the Presentations folder and the Local Disk (C:) shortcut.
12. Verify that you can transparently access the file with your name that you created in Notepad.

Using the Primary Computer Setting to Control Profiles

When an administrator configures users with roaming user profiles and Folder Redirection, these settings apply to users irrespective of the domain computer they sign in to. But, sometimes you might want to restrict roaming user profiles and Folder Redirection to be available only when a user signs in to specific computers. This could be because you do not want a user to leave any personal or company data when he or she signs out, or you do not want to roam the user's settings and data between 32-bit and 64-bit client computers. For computers running Windows 8.1 in domain environments, you can apply this restriction by using the Primary Computer feature. By using the Primary Computer feature, an administrator can specify a list of computers, known as primary computers, for each domain user. Folder Redirection, roaming user profiles, or both features are used only when a user signs in to a computer on his or her primary computer list.

To use the Primary Computer feature, the Microsoft Active Directory Domain Services (AD DS) schema must be extended to at least the Windows Server 2012 level. A Windows Server 2012 domain controller is not required, but the AD DS schema must be extended. The Primary Computer feature will work only when a user signs in to a Windows 8, Windows Server 2012, or a newer Windows operating system because older versions of Windows operating systems will ignore the Primary Computer setting. The Group Policy settings that configure the Primary Computer feature require Windows 8, Windows Server 2012, or a newer operating system. Older clients and servers will not understand these settings, so they will simply ignore the settings.

An administrator can configure the primary computers list for a user in one of two ways:
By configuring the msDS-PrimaryComputer user attribute, for example, in Active Directory Administrative Center.
By running the Set-ADUser Windows PowerShell cmdlet.

After configuring the list of primary computers for a user, an administrator also should enable the Redirect folders on primary computers only and Download roaming profiles on primary computers only Group Policy settings.

Deploy Primary Computers for Folder Redirection and roaming user profiles
http://go.microsoft.com/fwlink/?LinkID=291264&clcid=0x409

Question: Do you need Windows Server 2012 or newer domain controllers in your network to limit where Folder Redirection and roaming user profiles will be available?
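The Set-ADUser method described above, shown as an added example that is not part of the course material. It assumes the ActiveDirectory module is available, that the schema is already at the Windows Server 2012 level, and it reuses the lab names Adam, LON-CL1 and LON-CL2; the attribute msDS-PrimaryComputer is multi-valued and holds the distinguished names of computer objects, so each computer account is resolved to its DN first.

```powershell
# Added example (not from the course): set a user's primary computers list
# with the ActiveDirectory module from an elevated Windows PowerShell session.
# Assumptions: user Adam and computers LON-CL1/LON-CL2 exist (course lab names),
# and the AD DS schema has been extended to the Windows Server 2012 level.
Import-Module ActiveDirectory

$userName      = 'Adam'
$computerNames = 'LON-CL1', 'LON-CL2'

# msDS-PrimaryComputer stores computer object distinguished names,
# so resolve each computer account name to its DN.
$computerDNs = foreach ($name in $computerNames) {
    (Get-ADComputer -Identity $name).DistinguishedName
}

# -Replace overwrites the whole list; use -Add instead to append to an existing list.
Set-ADUser -Identity $userName -Replace @{ 'msDS-PrimaryComputer' = $computerDNs }

# Verify: read the attribute back, one computer DN per line.
Get-ADUser -Identity $userName -Properties 'msDS-PrimaryComputer' |
    Select-Object -ExpandProperty 'msDS-PrimaryComputer'
```

The attribute alone does nothing until the two Group Policy settings named above (Redirect folders on primary computers only and Download roaming profiles on primary computers only) are enabled for the clients; a Windows 7 client ignores the list and roams as before, which is worth remembering when a mixed estate is audited for data left on shared machines.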


Lesson 2

Configuring User State Virtualization

UE-V is an enterprise-scale user state virtualization solution that synchronizes application and operating system settings across many devices in a domain environment. It requires an agent on each client device, and it stores configuration data on a shared folder. An administrator can use Group Policy to configure UE-V settings and control which application settings will synchronize. Before you can use UE-V, you must first deploy the UE-V agent to each computer on which you want to use UE-V for settings synchronization. You also must create and share the folder for the settings storage location. If you want to synchronize more than just default settings, you also must create custom settings location templates, store them to the settings template catalog, and configure clients with the settings template catalog location.

Lesson Objectives
After completing this lesson, you will be able to:
Describe UE-V.
Explain how UE-V works.
Explain how UE-V synchronizes settings.
Compare roaming user profiles, Microsoft account, and UE-V.
Explain how to prepare the environment for deploying UE-V.
Explain how to deploy UE-V.
Explain how to manage UE-V by using Group Policy.
Explain how to create and edit UE-V templates.

Overview of UE-V
For users who are working on multiple computers, you can use roaming user profiles and Folder Redirection to make their settings and data available on every domain computer that they sign in to. An administrator can configure a user's primary computers list to control which computers will use Folder Redirection and roaming user profiles. However, roaming user profiles and Folder Redirection include all user profile settings and data.

UE-V is an enterprise solution that enables synchronization of operating system settings, desktop apps settings, and Windows Store apps settings between computers in the same AD DS domain environment. Administrators can precisely control to which computers settings will roam, and which settings will roam. In contrast to roaming user profiles where everything in the profile roams, with UE-V, nothing roams unless specifically enabled. UE-V provides several default settings location templates that define where each application stores its settings. Administrators can create additional settings location templates, and UE-V will synchronize only those settings that are defined and enabled in the settings location templates.


Note: For Windows Store apps, you only can control if UE-V will synchronize its settings or not. You cannot control which Windows Store app settings will be synchronized.

UE-V stores settings on a network location as soon as a user closes an application, and those settings can synchronize to other computers without the user having to sign out. Computers periodically synchronize their settings with a network location, and if computers have permanent connectivity to a network location, you can configure them to use those settings immediately.

Note: If a user links a Microsoft account with his or her domain account, UE-V only synchronizes settings for desktop apps. Users can synchronize other settings such as operating system settings and the settings of Windows Store apps by using Microsoft SkyDrive.

UE-V synchronizes settings between apps on different platforms, as long as they are stored in the same location. Regardless of how an app is deployed, UE-V can synchronize settings between locally installed apps on one computer, Microsoft Application Virtualization (App-V) apps on another computer, and RemoteApp programs on another Remote Desktop Session Host computer. UE-V also can synchronize settings between Windows Store apps and between physical and virtual computers, such as the virtual desktops used in Virtual Desktop Infrastructure (VDI) implementations.

Note: UE-V is not part of the Windows operating system. It is available as a part of Microsoft Desktop Optimization Pack, which is available to customers with an appropriate agreement with Microsoft. Before you can use UE-V, you must install the UE-V agent on each computer on which you want to synchronize settings by using UE-V.

Note: UE-V can synchronize settings only, not user data. To make user data available from multiple domain computers, use Folder Redirection.

You can use UE-V to synchronize operating system settings, apps settings, and Windows Store apps settings between computers that are running supported operating systems and are members of the AD DS domain. The following table lists the operating systems and system requirements for using UE-V.

Windows 7 Service Pack 1 (SP1)
  Edition: Ultimate, Enterprise, or Professional
  Architecture: 32-bit or 64-bit
  Microsoft .NET Framework: .NET Framework 4 or newer

Windows Server 2008 R2 SP1
  Edition: Standard, Enterprise, Data Center, or Web Server
  Architecture: 64-bit
  Microsoft .NET Framework: .NET Framework 4 or newer

Windows 8 and Windows 8.1
  Edition: Pro or Enterprise
  Architecture: 32-bit or 64-bit
  Microsoft .NET Framework: .NET Framework 4.5

Windows Server 2012 and Windows Server 2012 R2
  Edition: Standard or Datacenter
  Architecture: 64-bit
  Microsoft .NET Framework: .NET Framework 4.5


Besides the requirements for supported operating systems, there are no additional RAM requirements for UE-V. Administrator user rights are required for installing the UE-V agent, and you must restart the computer to make the UE-V agent operational.

UE-V Windows PowerShell Prerequisites

You must install .NET Framework 4 or newer and Windows PowerShell 3.0 or newer before you can install the UE-V agent. A default installation of Windows 8 or Windows 8.1 meets those requirements. However, on Windows 7 SP1, you first need to install Windows PowerShell 3.0 before you can install the UE-V agent.

Computer Clock Synchronization

UE-V compares local time on a client computer with the time stamp of the stored settings on a network location to decide if settings synchronization is required. Because of that, computer clocks on UE-V client computers should be synchronized, which is the default behavior in an AD DS environment. If computer clocks are not synchronized, older settings can overwrite newer settings, or newer settings might not be stored to the network location.

Question: Can you synchronize user documents between computers by using UE-V?

How UE-V Works


To better understand the workings of UE-V, you should be familiar with its high-level architecture and the components that enable synchronization of settings between computers. The following sections describe the elements that are part of a standard UE-V deployment.

UE-V Agent

You must install the UE-V agent on every computer that will synchronize settings. The UE-V agent monitors changes to settings and synchronizes them between computers. It stores settings on a network location called the settings storage location, and it periodically synchronizes the local cache with the settings storage location. When you start an app, the UE-V agent applies settings from the local cache, and when you close an app, the UE-V agent stores the app settings to the settings storage location. This means that app settings are available for synchronization as soon as you close an app. However, remember that when you start an app, by default, settings from the local cache are used, not settings from the setting storage location on the network. In an environment where a computer has permanent network connectivity, you can modify this behavior and always use the settings from the settings storage location on the network. Operating system settings are applied at sign-in, when a computer is unlocked, or when a user connects remotely to a computer. The UE-V agent saves settings when a user signs out, when a computer is locked, or when a remote session is disconnected.

Settings Storage Location

A settings storage location is the network location where the UE-V agent stores the settings that are synchronized. Administrators can specify this location during UE-V agent installation, in AD DS as a user's home folder, or by using Group Policy. The settings storage location can be on any file share where users have read and write access. The UE-V agent verifies the location and creates a hidden system folder named SettingsPackages into which it stores settings.


Settings Location Template

A settings location template is an XML file that specifies the settings locations where values are stored on a computer, not the settings values. Only settings defined in the settings location templates are captured and applied on UE-V client computers. Several settings location templates such as Microsoft Office 2010, Microsoft Office 2007, Windows Internet Explorer 8, Windows Internet Explorer 9, Internet Explorer 10, and desktop settings are included with UE-V. Administrators can create additional settings location templates by using UE-V Generator.

Settings Template Catalog

A settings template catalog is a folder that stores settings location templates. This usually is a shared folder, although a settings template catalog also can be a local folder. By default, a UE-V agent reads new or updated settings location templates from this folder once per day. This is done by a scheduled task named Template Auto Update, which runs daily at 3:30 A.M., and it applies the changes (modified, added, or removed templates) to the UE-V agent. If only the default settings location templates are used, then the settings template catalog is not used.

Settings Packages

Desktop app settings, Windows settings, and Windows Store app settings are stored in settings packages, which are created by a UE-V agent in the settings storage location. A settings package is a collection of settings that are defined in the settings location templates. A UE-V agent that is running on one computer reads and writes to a settings storage location independently of UE-V agents that are running on other computers. The most recent settings and values are applied when the next UE-V agent synchronizes with the settings storage location.

UE-V Generator

UE-V includes several operating system and application settings location templates. When you need to synchronize settings of additional applications, you can use the UE-V Generator to create additional, custom settings location templates. UE-V Generator monitors the registry (the HKEY_CURRENT_USER registry subtree) and file system (the AppData\Roaming and AppData\Local folders in user profiles) to discover where application settings are stored. Administrators can modify a generated template and include it in the settings template catalog. You also can use the UE-V Generator for editing existing templates or for validating templates that were created in another XML editor.

Question: How often is the settings template catalog checked for changes?

How UE-V Synchronizes Settings


When you sign in to a Windows operating system, UE-V synchronizes settings from a network settings storage location with the local cache. After that, the local cache is synchronized periodically with the settings storage location every 30 minutes by default. Synchronization is triggered by a scheduled task named Sync Controller Application, which is created when you install a UE-V agent. You also can trigger synchronization manually by using Company Settings Center, which is installed automatically during a UE-V agent installation.

When you start an app, UE-V applies settings to the app from the local cache. App settings are saved to a network settings storage location when the app is closed. This means that a user does not have to sign out and then sign in to another computer to synchronize app settings, like when roaming user profiles are used. When using UE-V to synchronize settings, the user can be signed in to multiple computers at the same time. When you configure app settings and close an app, the app settings are written to the settings storage location in a settings package. When the user starts the application on another computer, the UE-V agent reads and applies app settings from the local cache on that computer. If the local cache has not yet synchronized with the settings storage location, you can wait for synchronization to occur, trigger synchronization manually, or modify the UE-V configuration to always use the settings from the settings storage location on the network. The user experience with UE-V is similar to having app settings roam with a user.

Note: If computers have permanent connections to a settings storage location, you can configure the UE-V agent to always apply the settings from the network settings storage location. You can do so by setting the synchronization method (SyncMethod) to none, for example, when installing a UE-V agent or by running the Set-UevConfiguration cmdlet.

Desktop background and Ease of Access settings are applied when a user signs in, when a computer is locked, or when a remote connection is established. To optimize the sign-in experience, these settings are not synchronized by default. You can enable desktop background and Ease of Access settings by using Company Settings Center, Group Policy, the Windows PowerShell cmdlet Enable-UevTemplate, or Windows Management Instrumentation (WMI). Like synchronizing app settings, a user does not have to sign out to store Windows settings to the settings storage location. The UE-V agent saves settings when a user signs out, when a computer is locked, or when a remote connection is disconnected.

Users sometimes accidentally modify settings. UE-V provides the capability to restore application or operating system settings to the initial values that were on a computer before the first UE-V synchronization of settings. UE-V can restore settings on a per-application or per-operating system setting basis. The settings are restored the next time a user starts the application or when a user signs in to an operating system. You can restore settings only by using Windows PowerShell or WMI; there is no graphical interface for it. UE-V provides the Restore-UevUserSetting Windows PowerShell cmdlet, which you can use to restore user settings for an application or a group of Windows settings.

Question: Does a user have to sign out to synchronize application settings when using UE-V?
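The three Windows PowerShell operations named in this topic and the preceding one (switching SyncMethod, enabling a template that is off by default, and restoring pre-UE-V values), as an added example that is not part of the course material. It assumes the UEV module that ships with the UE-V agent, that Get-UevTemplate returns objects with TemplateId, TemplateName and Enabled properties, and that the desktop background and Notepad templates can be found by name; those names are assumptions, so check them against the actual Get-UevTemplate output.

```powershell
# Added example (not from the course): UE-V agent configuration from an elevated
# Windows PowerShell session on a client where the UE-V agent is installed.
# Assumptions: UEV module present; template objects expose TemplateId,
# TemplateName and Enabled; template names contain "Background" and "Notepad".
Import-Module UEV

# 1. Computers with a permanent connection to the settings storage location:
#    skip the local cache and always apply settings from the network share.
Set-UevConfiguration -Computer -SyncMethod None

# 2. Desktop background is not synchronized by default; enable its template(s).
$background = Get-UevTemplate | Where-Object { $_.TemplateName -like '*Background*' }
foreach ($t in $background) {
    if (-not $t.Enabled) { Enable-UevTemplate -ID $t.TemplateId }
}

# 3. Review the result: which templates roam now, and the effective agent configuration.
Get-UevTemplate | Select-Object TemplateId, TemplateName, Enabled
Get-UevConfiguration -Computer

# 4. A user broke Notepad's settings: roll them back to the values captured before
#    the first UE-V synchronization. They are applied the next time Notepad starts.
$notepad = Get-UevTemplate | Where-Object { $_.TemplateName -like '*Notepad*' }
foreach ($t in $notepad) { Restore-UevUserSetting -TemplateId $t.TemplateId }
```

Setting SyncMethod to None trades start-up latency for consistency: every application launch now waits on the file share (bounded by the Synchronization timeout policy described later in this lesson), so use it only where the share is reachable from a permanently connected network.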

Comparing Roaming User Profiles, Microsoft Account, and UE-V


When you want to synchronize settings between the different computers that a user signs in to, you can use different solutions such as roaming user profiles, Microsoft account, or UE-V. Microsoft account is the only solution that can synchronize settings even if computers are not domain-joined, but it requires Internet connectivity because it stores settings in the cloud. You can synchronize Windows Store apps configurations only when signing in by using Microsoft account or if UE-V is used. When a user has Microsoft account linked to his or her domain account, UE-V will synchronize desktop app settings only. You can use Microsoft account and SkyDrive synchronization to synchronize other settings.


Note: Microsoft account provides you with a unified identity, which you can use for accessing Microsoft and non-Microsoft cloud services. You can link your domain or workgroup account with your Microsoft account, and you can also use it for transparent access to Microsoft Store, SkyDrive or for signing in to Windows 8.1.

Roaming user profiles can synchronize only the entire profile, including the settings and data that are stored in the profile. You cannot control which settings you want to synchronize, but in Windows 8 and Windows 8.1, you can control which computers you want to synchronize settings on by configuring the Primary Computer user Active Directory attribute. Roaming user profiles are copied to a file server only when users sign out, and they are not synchronized periodically. When you configure Folder Redirection, redirected folders are exempt from this copying.

If you use UE-V, to be able to synchronize settings, you must install a UE-V agent on the computer. UE-V can synchronize only those settings which are defined in settings location templates, and it is the only solution that can synchronize settings between physical and virtual applications. UE-V also is the only solution that applies settings periodically, and not only when the user signs in. UE-V is not included in the operating system, and it must be obtained and licensed separately. On the other hand, roaming user profiles is a feature of domain-joined computers that run any version of the Windows operating system. Microsoft account is freely available, and you can use it to sign in on any computer that runs Windows 8 or Windows 8.1.

Question: Can you use Microsoft account to synchronize settings between computers that are running Windows 7 and computers that are running Windows 8.1?

Preparing the Environment for Deploying UE-V


Before deploying UE-V, you first should prepare the environment for the deployment. This includes the following steps:

1. Configure the settings storage location where UE-V will store settings packages, which are the settings that will be synchronized between computers. This can be either the user home directory, if you have it configured in AD DS, or the network share that is available from each computer. If the user home directory is to be used as the settings storage location, you should ensure that the user has the home folder configured and that it is set on the Profile page of the user properties in Active Directory Users and Computers. If a network share is to be used as the settings storage location, you should create and share the folder with the permissions shown in the following tables.

   Share permissions
   Account                        Share permissions
   Administrators                 Full Control
   Security group of UE-V users   Full Control

   NTFS permissions
   Account                        NTFS permissions                                     Apply to
   Administrators                 Full Control                                         This folder, subfolders, and files
   Creator/owner                  Full Control                                         Subfolders and files only
   Security group of UE-V users   List Folder/Read Data, Create Folders/Append Data    This folder only

   You can configure the UE-V agent with the settings storage location by using an installation parameter, a Windows PowerShell cmdlet, or Group Policy settings. If users have a home directory defined and you configure a network share as the settings storage location, UE-V will store settings packages on a network share, and not in the user home directory.

2. Configure the settings template catalog. The settings template catalog is not required, and it will be used only if you want to use UE-V to synchronize additional application settings in addition to the ones that are provided by default. The settings template catalog is a network share where custom settings location templates are stored. If your UE-V deployment will use the settings template catalog, you should create and share a folder with the permissions shown in the following tables.

   Share permissions
   Account            Share permissions
   Everyone           No permissions
   Domain computers   Read permission
   Administrators     Read/write permission

   NTFS permissions
   Account            NTFS permissions                 Apply to
   Creator/owner      Full Control                     This folder, subfolders, and files
   Domain computers   List Folder Contents and Read    This folder, subfolders, and files
   Everyone           No Permissions
   Administrators     Full Control

   You can configure the UE-V agent with the settings template catalog location by using an installation parameter, a Windows PowerShell cmdlet, or Group Policy settings.

3. Add UE-V Group Policy administrative templates. You can configure UE-V by using Group Policy, but before doing so, you must add UE-V administrative templates, which are .admx and .adml files, to the appropriate location. This could be either the local %SystemRoot%\PolicyDefinitions folder on each computer from where you will configure Group Policy, or the central store on the domain controller, %SystemRoot%\SYSVOL\domain\Policies\PolicyDefinitions, if your domain environment is configured to use it. After you copy UE-V Group Policy administrative templates to this location, the Microsoft User Experience Virtualization node appears under Policies\Administrative Templates\Windows Components in the Computer Configuration and User Configuration parts of Group Policy settings.

Microsoft Desktop Optimization Pack Administrative templates download page
http://go.microsoft.com/fwlink/?LinkId=378225&clcid=0x409

Question: What must you do before you can use Group Policy to configure UE-V?
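The three preparation steps above carried out from Windows PowerShell, as an added example that is not part of the course material. It assumes the file server is LON-DC1 in the ADATUM domain, a security group ADATUM\UEV-Users for the UE-V users, local folder paths under C:\Shares, and a folder C:\Downloads\MDOP-ADMX holding the extracted administrative templates; all of these names are made up for the example. The NTFS rights are applied with icacls, whose permission codes map to the table entries as noted in the comments.

```powershell
# Added example (not from the course): prepare the settings storage share, the
# settings template catalog share, and the Group Policy central store for UE-V.
# Assumptions (made up for the example): run on LON-DC1 as an administrator,
# UE-V users group ADATUM\UEV-Users, folders under C:\Shares, ADMX files extracted
# to C:\Downloads\MDOP-ADMX.
$storagePath = 'C:\Shares\UevStorage'
$catalogPath = 'C:\Shares\UevCatalog'
$uevUsers    = 'ADATUM\UEV-Users'

# --- Step 1: settings storage location ---------------------------------------
New-Item -Path $storagePath -ItemType Directory -Force | Out-Null
# Share permissions: Administrators and the UE-V users group get Full Control.
New-SmbShare -Name 'UevStorage' -Path $storagePath `
    -FullAccess 'BUILTIN\Administrators', $uevUsers | Out-Null
# NTFS permissions. icacls codes: F = Full Control, RD = List Folder/Read Data,
# AD = Create Folders/Append Data; (OI)(CI) = this folder, subfolders and files,
# (OI)(CI)(IO) = subfolders and files only; no flags = this folder only.
# /inheritance:r drops inherited ACEs so nobody else keeps access by accident.
icacls $storagePath /inheritance:r `
    /grant 'BUILTIN\Administrators:(OI)(CI)F' `
    /grant 'CREATOR OWNER:(OI)(CI)(IO)F' `
    /grant "$($uevUsers):(RD,AD)"

# --- Step 2: settings template catalog ----------------------------------------
New-Item -Path $catalogPath -ItemType Directory -Force | Out-Null
# Share permissions: Domain Computers read, Administrators read/write,
# Everyone nothing (simply not granted).
New-SmbShare -Name 'UevCatalog' -Path $catalogPath `
    -ReadAccess 'ADATUM\Domain Computers' -ChangeAccess 'BUILTIN\Administrators' | Out-Null
# NTFS permissions: RX = List Folder Contents and Read.
icacls $catalogPath /inheritance:r `
    /grant 'BUILTIN\Administrators:(OI)(CI)F' `
    /grant 'CREATOR OWNER:(OI)(CI)F' `
    /grant 'ADATUM\Domain Computers:(OI)(CI)RX'

# --- Step 3: UE-V administrative templates into the central store --------------
$centralStore = "$env:SystemRoot\SYSVOL\domain\Policies\PolicyDefinitions"
$admxDownload = 'C:\Downloads\MDOP-ADMX'   # assumed location of the extracted download
Copy-Item -Path "$admxDownload\*.admx"       -Destination $centralStore
Copy-Item -Path "$admxDownload\en-US\*.adml" -Destination "$centralStore\en-US"

# Review the effective ACLs before pointing any client at the shares.
Get-Acl $storagePath | Format-List Path, AccessToString
Get-Acl $catalogPath | Format-List Path, AccessToString
```

The two ACLs encode the trust model of the lesson: on the storage share a user can only create a subfolder at the top level and then owns what is inside it, so one user cannot read another user's settings packages; on the catalog share computers can only read, which keeps the templates that every agent loads writable by administrators alone.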

Deploying UE-V
You must install the UE-V agent on each computer that will use UE-V to synchronize settings. The UE-V installation file supports various command-line parameters such as SettingStoragePath, SettingsTemplateCatalogPath, and SyncMethod, which you can use for initial UE-V configuration. All command-line parameters are documented in the UE-V administrator's guide on the Microsoft TechNet website.

You can deploy the UE-V agent by using almost any software or operating system deployment tool, such as manual installation or Group Policy, or by including it in the standard desktop image. The following table lists various deployment methods and when to use them.

Group Policy
  Use this method when:
  You deployed software already by using Group Policy.
  You want to deploy the UE-V agent to existing computers.
  You want to deploy the UE-V agent after operating system images are deployed.
  You are configuring the UE-V agent by using Group Policy and not by using command-line options.
  Computers have high-speed, persistent connections to the shared folder containing the installation files.

Microsoft Deployment Toolkit 2012
  Use this method when:
  You use the Microsoft Deployment Toolkit (MDT) for operating system deployment.
  You want to deploy the UE-V agent as part of an operating system deployment.

Windows Intune
  Use this method when:
  You used Windows Intune already for client management.
  You want to deploy the UE-V agent without requiring additional infrastructure.
  You have computers in multiple locations with limited connectivity between locations.

Microsoft System Center 2012 R2 Configuration Manager
  Use this method when:
  You used System Center 2012 R2 Configuration Manager already for application and operating system deployment.
  You want to use one deployment tool to deploy the UE-V agent to existing computers and during operating system deployment.
  Computers have high-speed, persistent connections to the distribution points where the UE-V agent installation files are located.
  You want to manage and maintain your applications deployment centrally.

Scripted installation
  Use this method when:
  You want to script the installation as part of an operating system installation, and you are not using MDT or System Center 2012 R2 Configuration Manager.
  You want to deploy the UE-V agent by using a third-party Electronic Software Distribution system.
  Computers might not have high-speed, persistent connections to the enterprise network, and installation from local media is required.

After the UE-V agent is installed, you must restart the computer to make the UE-V agent operational. After the installation, a new service named User Experience Virtualization is installed. Also, the following six scheduled tasks are added:
Collect CEIP data
Monitor Application Settings
Sync Controller Application
Synchronize Settings at Logoff
Template Auto Update
Upload CEIP data

These tasks periodically synchronize the local cache with the settings storage location, check for updates in the UE-V settings location templates, and upload data if you joined the Customer Experience Improvement Program (CEIP). UE-V agent installation also installs the Company Settings Center, which you can use to control what settings UE-V should synchronize, to manually trigger the synchronization, and to view the synchronization status of UE-V.

UE-V Administrator's Guide
http://go.microsoft.com/fwlink/?LinkId=378226&clcid=0x409

Question: Where can users see UE-V synchronization status and manually trigger UE-V synchronization?
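A post-installation check that verifies the service and the six scheduled tasks listed above are present on a client, as an added example that is not part of the course material. It assumes the service can be matched by the display name User Experience Virtualization, that Get-UevConfiguration exposes a SettingsStoragePath property (an assumption; adjust if the property is named differently in your agent version), and Windows PowerShell 3.0 for the -notin operator, which the lesson lists as a prerequisite anyway.

```powershell
# Added example (not from the course): verify that the UE-V agent is operational
# on a client after the required restart. Assumptions: service display name
# starts with "User Experience Virtualization"; Get-UevConfiguration returns a
# SettingsStoragePath property; Windows PowerShell 3.0 or newer.
function Test-UevAgentInstall {
    # The six tasks the agent installer registers (names from the lesson text).
    $expectedTasks = @(
        'Collect CEIP data', 'Monitor Application Settings', 'Sync Controller Application',
        'Synchronize Settings at Logoff', 'Template Auto Update', 'Upload CEIP data'
    )

    $service = Get-Service -DisplayName 'User Experience Virtualization*' -ErrorAction SilentlyContinue
    $tasks   = Get-ScheduledTask | Where-Object { $expectedTasks -contains $_.TaskName }
    $missing = $expectedTasks | Where-Object { $_ -notin @($tasks.TaskName) }

    # Storage path as the agent sees it on this computer (empty until configured).
    $config = Get-UevConfiguration -Computer -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ServiceFound  = [bool]$service
        ServiceStatus = if ($service) { $service.Status.ToString() } else { 'not installed' }
        TasksFound    = @($tasks).Count
        MissingTasks  = ($missing -join ', ')
        StoragePath   = if ($config) { $config.SettingsStoragePath } else { '' }
        Healthy       = [bool]$service -and ($service.Status -eq 'Running') -and (@($missing).Count -eq 0)
    }
}

Test-UevAgentInstall
```

A missing task or a stopped service after the restart is the usual reason that settings "do not roam" on one machine while the share and Group Policy look correct, so running this check from the deployment tool's post-install step saves a support call later.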


Managing UE-V by Using Group Policy


You can manage the UE-V agent by using Group Policy. By default, Group Policy does not include settings related to UE-V, so you must first download and install UE-V ADMX templates. You can download the templates from the Microsoft Download Center and copy them to the local PolicyDefinitions folder or the central Group Policy store. The .admx file must be placed in the PolicyDefinitions folder. The .adml file must be placed in the PolicyDefinitions\en-US folder.

After you install the UE-V Group Policy ADMX files, the Microsoft User Experience Virtualization node appears under Policies\Administrative Templates\Windows Components in the Group Policy Management Editor window. You can configure some UE-V Group Policy settings only for computers, some only for users, and some for both. The following table lists the policy settings that you can configure for UE-V.

Use User Experience Virtualization (UE-V)
  Target: Computers and Users
  Description: This policy setting allows you to enable or disable UE-V.

Settings storage path
  Target: Computers and Users
  Description: This policy setting configures where the user settings will be stored.

Settings template catalog path
  Target: Computers Only
  Description: This policy setting configures where custom settings location templates are stored. This policy setting also configures whether the catalog will be used to replace the default Microsoft templates that are installed with the UE-V agent.

Do not use the Sync Provider
  Target: Computers and Users
  Description: This policy setting allows you to configure whether UE-V will use the Sync Provider feature. This policy setting also allows you to enable notification to occur when the import of user settings is delayed.

Synchronization timeout
  Target: Computers and Users
  Description: This policy setting configures the number of milliseconds that the computer waits before a timeout when retrieving user settings from the remote settings location. If the remote storage location is unavailable, the application launch is delayed by that many milliseconds.

Package size warning threshold
  Target: Computers and Users
  Description: This policy setting allows you to configure the UE-V agent to report when a settings package file size reaches a defined threshold.

First Use Notification
  Target: Computers Only
  Description: This policy setting enables a notification in the system tray that appears when the User Experience Virtualization (UE-V) Agent runs for the first time.

Tray Icon
  Target: Computers Only
  Description: This policy setting enables the User Experience Virtualization (UE-V) tray icon.

Do not synchronize Windows 8 Apps
  Target: Computers and Users
  Description: This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings for Windows Store apps.

Roam Applications settings
  Target: Users Only
  Description: This is a multiple policy setting to configure the roaming of user settings of each individual application.

Roam Windows settings
  Target: Users Only
  Description: This policy setting configures the roaming of Windows settings.

UE-V settings that can be configured in different places have the following order of precedence:
1. User-targeted settings managed by Group Policy
2. Computer-targeted settings managed by Group Policy
3. Configuration settings defined by the current user who is using Windows PowerShell or WMI
4. Configuration settings defined for the computer that is using Windows PowerShell or WMI

This means that if the same UE-V settings are configured in multiple places, configuration in the user part of Group Policy has precedence over configuration in the computer part of Group Policy. Group Policy has precedence over locally configured settings.

Question: When will a UE-V setting that is configured through Group Policy be effective on a UE-V client?

Creating and Editing UE-V Templates


UE-V only synchronizes settings that are defined in the locations specified by the settings location templates. Settings location templates are .xml files that specify, for each application, where in the registry and where on the file system it stores its settings. UE-V includes several predefined settings location templates, and administrators can create additional templates for third-party applications. Not all application settings can safely roam between computers. Settings that synchronize by using UE-V should meet the following criteria:

Settings must be stored in an accessible location. UE-V can synchronize settings only in the HKEY_CURRENT_USER registry subtree and the AppData\Roaming or AppData\Local folders in a user profile. If an application stores its settings in other locations, you cannot synchronize its settings by using UE-V.

Settings should not be specific to a particular computer. Some settings such as network configuration are relevant only for a certain computer and should not be synchronized with other computers.


Settings must be synchronized without the risk of corrupting data. For example, if settings are stored in a database file, these settings should not be synchronized by using UE-V. You should consider some other solution, such as storing the database file with configuration settings on a network location.
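The three criteria above, applied by a PowerShell script written for this page (it is not part of UE-V or of the course): it classifies candidate registry and file locations as syncable or not and names the criterion that fails. The name pattern used for computer-specific settings and the database extension list are heuristics assumed here, and the "Contoso Editor" locations are constructed sample input.

```powershell
# Added example, not part of the course or of UE-V. Applies the three criteria
# for settings that may roam: accessible location, not computer-specific, not a
# database file. The name pattern and extension list are heuristics chosen here.

# Criterion 1: UE-V reads only HKEY_CURRENT_USER and AppData\Roaming or AppData\Local.
function Test-UevAccessibleLocation {
    param([Parameter(Mandatory)][string]$Location)
    if ($Location -match '^(HKCU:|HKEY_CURRENT_USER)\\') { return $true }
    # Expand %APPDATA% / %LOCALAPPDATA% so both spellings of a profile path are recognised.
    $expanded = [Environment]::ExpandEnvironmentVariables($Location)
    return [bool]($expanded -match '(?i)\\AppData\\(Roaming|Local)(\\|$)')
}

# Criterion 2: names that usually mean "valid on one machine only" (heuristic).
$ComputerSpecificPattern = '(?i)(network|proxy|printer|display|monitor|hardware|device|computername|machinename)'

# Criterion 3: whole database files must not be synchronized as settings (heuristic list).
$DatabaseExtensions = @('.mdb', '.accdb', '.sdf', '.db', '.sqlite', '.sqlite3', '.ldb')

function Test-UevSyncCandidate {
    # Returns one object per location with Syncable and the criterion that failed.
    param([Parameter(Mandatory)][string[]]$Location)
    foreach ($loc in $Location) {
        $reason = $null
        if (-not (Test-UevAccessibleLocation -Location $loc)) {
            $reason = 'outside HKCU and AppData\Roaming or AppData\Local; UE-V cannot read it'
        }
        elseif ($loc -match $ComputerSpecificPattern) {
            $reason = 'looks computer-specific; review before letting it roam'
        }
        elseif ($DatabaseExtensions -contains [IO.Path]::GetExtension($loc).ToLower()) {
            $reason = 'database file; store it on a network location instead'
        }
        $syncable = ($null -eq $reason)
        if ($syncable) { $reason = 'meets all three criteria' }
        [pscustomobject]@{ Location = $loc; Syncable = $syncable; Reason = $reason }
    }
}

# Constructed sample locations for a fictitious "Contoso Editor" application.
$candidates = @(
    'HKCU:\Software\Contoso\Editor\Options'
    'HKLM:\Software\Contoso\Editor\Options'
    '%APPDATA%\Contoso\Editor\settings.ini'
    '%LOCALAPPDATA%\Contoso\Editor\cache.db'
    'HKCU:\Software\Contoso\Editor\NetworkProxy'
    'C:\ProgramData\Contoso\Editor\settings.xml'
)
Test-UevSyncCandidate -Location $candidates | Format-Table -AutoSize
```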

When you install a UE-V agent, it includes settings location templates for operating system settings and common Microsoft applications. You can view the list of registered settings location templates by running the Get-UevTemplate cmdlet. These templates are stored in the Microsoft User Experience Virtualization\Templates folder and include the desktop apps and Windows settings in the following table.

| Application category or Windows settings | Description |
| --- | --- |
| Microsoft Office 2007 | Applications from the Microsoft Office 2007 family |
| Microsoft Office 2010 | Applications from the Microsoft Office 2010 family |
| Browser options (Windows Internet Explorer 8, Windows Internet Explorer 9, and Internet Explorer 10) | Favorites, home page, tabs, and toolbars |
| Windows accessories | Calculator, Notepad, WordPad |
| Desktop background | Currently active desktop background |
| Ease of Access | Accessibility and input settings, Magnifier, Narrator, and on-screen keyboard |
| Desktop settings | Start menu and taskbar settings, folder options, default desktop icons, additional clocks, and region and language settings |

Microsoft Office 2013 uses its own synchronization mechanism and is not synchronized by UE-V.

UE-V also synchronizes Windows Store app settings. Settings location templates are not used for Windows Store apps, because they synchronize only the settings that were configured to synchronize by the app developer. You can run the Windows PowerShell cmdlet Get-UevConfiguration to view the list of Windows Store apps for which settings are synchronized. If you want to synchronize app settings that are not covered by default settings location templates, then you must create additional settings location templates. If the settings location template for your app has been developed already, you can obtain it online.

TechNet Gallery - resources for IT professionals: http://go.microsoft.com/fwlink/?LinkId=378227&clcid=0x409

You also can use UE-V Generator to create custom settings location templates and store them in a settings template catalog. You do not need to copy the default settings location templates to the settings template catalog. To provide UE-V with a custom settings location template, you must perform the following steps:

1. Install the UE-V Generator. The UE-V Generator is a part of UE-V, and it is used for creating and editing custom settings location templates. The UE-V Generator monitors an app to discover and capture the locations where the app stores its settings. The monitored app must be a traditional desktop app because UE-V Generator does not create templates for virtualized applications, applications offered through Remote Desktop Services, Java applications, and Windows Store apps. UE-V Generator requires .NET Framework 4 or newer.

2. Create a custom settings location template by using the UE-V Generator. You can do this by running UE-V Generator and pointing it to the application for which you want to create the settings location template. UE-V Generator will start the application and monitor the registry and file system to discover the locations where the application stores its settings. UE-V Generator monitors the HKEY_CURRENT_USER registry subtree and the AppData\Roaming and AppData\Local folders in a user profile. After the application opens, you can close it and UE-V Generator will capture the locations that it accessed. You can review the locations, edit the template, and store it as a settings location template .xml file.

3. Deploy the custom settings location template to the catalog. Because the settings template catalog is a network share, you simply can copy the .xml file that was created by UE-V Generator to that network share. Each UE-V client computer has a Template Auto Update scheduled task that runs once daily and updates settings location templates on a client. You can force the UE-V agent to apply custom settings location templates from a catalog immediately by running ApplySettingsTemplateCatalog.exe or by using the Windows PowerShell cmdlet Register-UevTemplate.

To enable UE-V to use custom settings location templates, you also must create a settings template catalog on a file server and configure the settings template catalog path for the UE-V agent, all of which you can perform as part of UE-V environment preparation. Question: How can you use UE-V to synchronize the settings of third-party applications?
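Step 3 above (deploying a Generator-produced template to the catalog and registering it without waiting for the daily task), as an added PowerShell example written for this page, not Microsoft's own script. It assumes the UEV module that ships with the UE-V agent, that the template's root element contains an ID child, and that Get-UevTemplate objects expose a TemplateId property; the catalog share name in the usage line is the one from this module's lab. The ACL check is an added hardening step, not a UE-V requirement.

```powershell
# Added example, not part of the course or of UE-V. Assumes the UEV PowerShell
# module installed with the UE-V agent, a template produced by UE-V Generator,
# and that Get-UevTemplate objects expose a TemplateId property.
Import-Module UEV -ErrorAction Stop

function Test-CatalogWriters {
    # Added hardening check: every client registers whatever templates the catalog
    # holds, so broad write access to the share lets anyone change what roams.
    # Emits a warning per over-broad Allow rule and returns their count.
    param([Parameter(Mandatory)][string]$CatalogPath)
    $broad = '^(Everyone|BUILTIN\\Users|NT AUTHORITY\\Authenticated Users|.+\\Domain Users)$'
    $write = [System.Security.AccessControl.FileSystemRights]::Write   # Modify and FullControl include it
    $rules = (Get-Acl -Path $CatalogPath).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -match $broad -and
        (($_.FileSystemRights -band $write) -ne 0)
    }
    foreach ($r in $rules) {
        Write-Warning ("{0} has {1} on {2}" -f $r.IdentityReference, $r.FileSystemRights, $CatalogPath)
    }
    return @($rules).Count
}

function Publish-UevTemplate {
    param(
        [Parameter(Mandatory)][string]$TemplatePath,   # template .xml saved by UE-V Generator
        [Parameter(Mandatory)][string]$CatalogPath     # settings template catalog share
    )
    # 1. Validate against the UE-V template schema before touching the catalog.
    Test-UevTemplate -Path $TemplatePath -ErrorAction Stop

    # 2. Read the template ID from the XML so registration can be verified later.
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load((Resolve-Path $TemplatePath).ProviderPath)
    $id = $xml.SelectSingleNode('/*[local-name()="SettingsLocationTemplate"]/*[local-name()="ID"]').InnerText
    if (-not $id) { throw "No <ID> element found in $TemplatePath" }

    # 3. Report who can write to the catalog (see Test-CatalogWriters).
    $null = Test-CatalogWriters -CatalogPath $CatalogPath

    # 4. Copy to the catalog; the daily Template Auto Update task applies it on every client.
    $published = Join-Path $CatalogPath (Split-Path $TemplatePath -Leaf)
    Copy-Item -Path $TemplatePath -Destination $published -Force

    # 5. Register on this client now instead of waiting for the scheduled task.
    Register-UevTemplate -Path $published -ErrorAction Stop

    # 6. Confirm the agent lists the template.
    $registered = Get-UevTemplate | Where-Object { $_.TemplateId -eq $id }
    if (-not $registered) { throw "Template $id is not registered after Register-UevTemplate" }
    return $registered
}

# Usage, with the catalog share from this module's lab (run elevated on a UE-V client):
# Publish-UevTemplate -TemplatePath 'C:\Templates\RDCMan.xml' -CatalogPath '\\LON-DC1\UEVTemplates'
```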


Lab A: Configuring Profiles and User State Virtualization


Scenario

The marketing department at A. Datum Corporation has many users who often use different computers. You have been asked to evaluate different solutions that would enable user settings and data to roam with users when they use one of the computers on which UE-V is installed, and from which UE-V will synchronize settings.

Objectives
After completing this lab, you will be able to:
- Configure roaming user profiles and Folder Redirection.
- Implement and configure UE-V.

Lab Setup
Estimated Time: 60 minutes
Virtual machines: 20687C-LON-DC1, 20687C-LON-SVR1, 20687C-LON-CL1, and 20687C-LON-CL2
User name: Adatum\Administrator
Password: Pa$$w0rd

Start 20687C-LON-DC1, 20687C-LON-SVR1, 20687C-LON-CL1, and 20687C-LON-CL2. Sign in as Adatum\Administrator with Pa$$w0rd as password to LON-DC1 and LON-SVR1, but do not sign in to LON-CL1 and LON-CL2.

Exercise 1: Configuring Roaming User Profiles and Folder Redirection


Scenario

As you evaluate different solutions, the first step is to explore user data and settings solutions that are provided by Windows 8.1. You plan to implement roaming user profiles and Folder Redirection. Because user profile content should be available only on approved computers, you also will implement Primary Computer settings. The main tasks for this exercise are as follows:
1. Create folders for roaming user profiles and Folder Redirection.
2. Configure roaming user profiles.
3. Configure Folder Redirection.
4. Verify roaming user profiles and Folder Redirection.
5. Configure primary computers for user Adam Barr.
6. Verify Primary Computer setting for user Adam Barr.

Task 1: Create folders for roaming user profiles and Folder Redirection
1. On LON-DC1, open File Explorer, and on drive C, create a folder named Profiles. Grant Domain Users Full Control permissions to the folder, and then share it with Full Control permissions for Everyone.
2. On drive C, create a folder named Redirected. Grant Domain Users Full Control permissions to the folder, and then share it with Full Control permissions for Everyone.


Task 2: Configure roaming user profiles


Configure Adam Barr, which is located in the Marketing OU, with Profile settings that point to \\LON-DC1\Profiles\%username%.

Task 3: Configure Folder Redirection


1. Create a Group Policy Object named Folder Redirection, and then link it to Marketing.
2. Configure the Folder Redirection group policy setting to redirect the Documents folder to \\LON-DC1\Redirected.

Task 4: Verify roaming user profiles and Folder Redirection


1. On LON-DC1, verify that the Profiles and Redirected folders are empty.
2. Sign in to LON-CL1 as Adatum\Adam with password Pa$$w0rd.
3. On Adam's desktop, create a folder named Presentations, add a shortcut to Local Disk (C:), and then add the This PC icon.
4. In Notepad, create a file with your name, and then save it in the Documents library.
5. Verify that the file is stored in the \\LON-DC1\redirected\adam\Documents folder and is not stored inside the adam local profile.
6. Sign out from LON-CL1.
7. On LON-DC1, verify that the Profiles and Redirected folders are no longer empty. The Profiles folder contains the adam roaming user profile (Adam.V2), whereas the Redirected folder contains the adam redirected Documents folder.
8. Sign in to LON-CL2 as Adatum\Adam.
9. Verify that the This PC icon is on the desktop, in addition to the Presentations folder and the Local Disk (C:) shortcut.
10. Verify that you can access the file with your name transparently in Notepad.
11. Sign out of LON-CL2.

Task 5: Configure primary computers for user Adam Barr


1. Copy the value of the distinguishedName attribute of LON-CL1 to the msDS-PrimaryComputer attribute of Adam Barr.
2. Add the value of the distinguishedName attribute of LON-CL2 to the msDS-PrimaryComputer attribute of Adam Barr.
3. Enable the Computer Configuration\Policies\Administrative Templates\System\User Profiles\Download roaming profiles on primary computers only setting and the User Configuration\Policies\Administrative Templates\System\Folder Redirection\Redirect folders on primary computers only setting in Default Domain Policy.

Task 6: Verify Primary Computer setting for user Adam Barr


1. Switch to LON-SVR1, and then update Group Policy.
2. Sign out of LON-SVR1.
3. Sign in to LON-SVR1 as Adatum\Adam, and then verify that the This PC icon, Presentations folder, and the Local Disk (C:) shortcut are not on the desktop. Also, verify in Notepad that the file with your name is not available in the Documents library. Sign out of LON-SVR1.
4. On LON-DC1, edit the value of the msDS-PrimaryComputer attribute of Adam Barr and replace LON-CL2 with LON-SVR1.
5. Sign in to LON-SVR1 as Adatum\Adam and verify that the Presentations folder is on the desktop, in addition to the Local Disk (C:) shortcut and the Computer icon. Also verify in Notepad that the file with your name is available in the Documents library. Because you configured LON-SVR1 as Adam Barr's Primary Computer, redirected folders are now available.
6. Sign out of LON-SVR1.

Results: After completing this exercise, you should have configured roaming user profiles and Folder Redirection. You also should have configured the user Adam Barr with the Primary Computer setting.

Exercise 2: Implementing and Configuring UE-V


Scenario

You have demonstrated to your management the benefits of roaming user profiles, Folder Redirection, and Primary Computer settings. Because A. Datum has an enterprise agreement with Microsoft and access to the Microsoft Desktop Optimization Pack, you have been asked to implement a pilot deployment of UE-V. You will demonstrate how UE-V can synchronize additional apps. Based on the results of your demonstration, management will decide whether to deploy UE-V in production. The main tasks for this exercise are as follows:
1. Prepare the environment for deploying Microsoft User Experience Virtualization (UE-V).
2. Configure UE-V Group Policy settings.
3. Install UE-V agents.
4. Configure UE-V to synchronize settings immediately.
5. Use UE-V to synchronize settings.
6. Restore app settings.
7. Create UE-V settings location template.
8. Using UE-V to synchronize custom app settings.

Task 1: Prepare the environment for deploying Microsoft User Experience Virtualization (UE-V)
1. On LON-DC1, create a folder named UEVdata. Grant Domain Users Full Control permissions to the folder, and then share it with Full Control permissions for Everyone.
2. On LON-DC1, create a folder named UEVTemplates. Grant Domain Users Full Control permissions to the folder, and then share it with Full Control permissions for Everyone.

Task 2: Configure UE-V Group Policy settings


1. On LON-DC1, verify that there is no Microsoft User Experience Virtualization node available in Group Policy Object under User Configuration\Policies\Administrative Templates\Windows Components.
2. Copy the UserExperienceVirtualization.admx file from E:\Labfiles\Mod03 to the C:\Windows\PolicyDefinitions folder, and then copy the UserExperienceVirtualization.adml file to the C:\Windows\PolicyDefinitions\en-US folder.
3. Create a Group Policy named UE-V, and then link it to the Adatum.com domain.


4. In UE-V Group Policy, under User Configuration\Policies\Administrative Templates\Windows Components\Microsoft User Experience Virtualization, enable the Settings storage path setting, and then configure it to point to \\LON-DC1\UEVData\%username%.
5. In UE-V Group Policy, under Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft User Experience Virtualization, enable the Settings template catalog path setting, and then configure it to point to \\LON-DC1\UEVTemplates.

Task 3: Install UE-V agents


1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. Install the UE-V agent by running AgentSetup.exe in the E:\Labfiles\Mod03 folder.
3. Restart LON-CL1 after completing the installation.
4. Sign in to LON-CL2 as Adatum\Administrator with password Pa$$w0rd. Install the UE-V agent by running the following command:

   E:\Labfiles\Mod03\AgentSetup.exe SyncMethod=None

Task 4: Configure UE-V to synchronize settings immediately


1. On LON-DC1, verify that the C:\UEVdata folder is empty.
2. Sign in to LON-CL1 and LON-CL2 as Adatum\Brad with password Pa$$w0rd.
3. On LON-CL1, use the Get-UevConfiguration cmdlet to verify that UE-V configuration is effective. You will see that values for SettingsStoragePath and SettingsTemplateCatalogPath are configured as you set them in Group Policy. You also will see that current SyncMethod is set to SyncProvider.
4. On LON-CL2, run Calculator and choose the Date calculation view. Close Calculator.
5. On LON-CL1, run Calculator and verify that it is not extended with options for date calculation.
6. On LON-CL1, synchronize UE-V settings by using Company Settings Center.
7. On LON-CL1, run Calculator and verify that it is extended with options for date calculation.
8. On LON-CL1, use the Set-UevConfiguration cmdlet with the SyncMethod parameter to disable use of local cache.
9. Sign out of LON-CL1.

Task 5: Use UE-V to synchronize settings


1. On LON-CL2, run WordPad, and then clear the Ruler and Status bar check boxes on the View tab. Close WordPad.
2. Create a shortcut to Local Disk (C:) on the desktop.
3. In Notepad, select Font Size 20, type your name, and then save the file in the Documents library. Close Notepad.
4. On LON-DC1, verify that the UEVdata folder now has a brad subfolder. On the View tab, click Hidden items. Double-click the brad folder and verify that it contains a SettingsPackages subfolder.
5. Double-click the SettingsPackages folder, and then verify that it contains multiple subfolders for the applications and Windows settings that are synchronized by UE-V.
6. Sign in to LON-CL1 as Adatum\Brad with password Pa$$w0rd.
7. Run Calculator, and then verify that it is extended with options for date calculation, as you configured it on LON-CL2. On the View menu, click Programmer, click Unit Conversion, and then close Calculator.
8. On LON-CL1, run WordPad, and then verify that the Ruler and Status bar check boxes are not selected, exactly as you configured it on LON-CL2. Close WordPad.
9. On LON-CL1, verify that the shortcut to Local Disk (C:) is not present on the desktop.

Note: Contents of the desktop are not synchronized by UE-V. Instead, you should use Folder Redirection or roaming user profiles to do so.

10. Verify in Notepad that Font Size 20 is configured, but that the file with your name is not available in the Documents library.

Task 6: Restore app settings


1. On LON-CL1, run Calculator, and then verify that it is in Programmer view and extended with Unit Conversion. Close Calculator.
2. Use the Get-UevTemplate cmdlet to view which settings location template is used for Calculator.
3. Use the Restore-UevUserSetting cmdlet to restore initial Calculator settings.
4. Run Calculator, and then verify that it is in the default, Standard mode, in which it was before the first UE-V synchronization.
5. Sign out of LON-CL1 and LON-CL2.

Task 7: Create UE-V settings location template


1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. Install UE-V Generator by running ToolsSetup.exe in the E:\Labfiles\Mod03 folder.
3. Run Microsoft User Experience Virtualization Generator. Click Create a settings location template and point to C:\Program files (x86)\Remote Desktop Connection Manager\RDCMan.exe.
4. In Remote Desktop Connection Manager, modify one of the available Options and then close Remote Desktop Connection Manager.
5. Include nonstandard File locations in the settings location template and save the settings location template to \\LON-DC1\UEVTemplates\RDCMan.xml.

Task 8: Using UE-V to synchronize custom app settings


1. On LON-CL1, use the Get-UevTemplate cmdlet to verify that no settings location template that contains the string rdc is registered.
2. Use the Register-UevTemplate cmdlet to register the \\LON-DC1\UEVTemplates\RDCMan.xml settings location template.
3. Use the Get-UevTemplate cmdlet to verify that the Remote-Desktop-RDCMan-v-2-2 settings location template is registered.
4. Sign in to LON-CL2 as Adatum\Administrator and use the Register-UevTemplate cmdlet to register the \\LON-DC1\UEVTemplates\RDCMan.xml settings location template.
5. On LON-CL1, run Remote Desktop Connection Manager, configure Auto save interval to 3 Minute(s), and then close Remote Desktop Connection Manager.
6. On LON-CL2, run Remote Desktop Connection Manager, and then verify that Auto save interval is selected and configured to 3 Minute(s).

Results: After completing this exercise, you should have successfully implemented and configured UE-V for synchronizing apps and Windows settings.

Prepare for the next lab


When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687C-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 through 3 for 20687C-LON-CL1, 20687C-LON-CL2, and 20687C-LON-SVR1.


Lesson 3

Migrating User State and Settings

Many users spend a significant amount of time configuring their Windows-based environment. They might customize items such as desktop wallpaper, the appearance of user interface elements, or other operating system and application components. This grouping of specific settings is referred to as user state. User state is an important part of the migration process when you replace a computer, or when you install a new operating system on a computer. This lesson introduces you to user state migration and also to the tools and methods you can use in planning and implementing a user state migration in a Windows-based environment.

Lesson Objectives
After completing this lesson, you will be able to:
- Describe the tools for migrating user data and settings.
- Explain how to migrate user settings by using Windows Easy Transfer.
- Explain how to migrate user settings and data by using the User State Migration Tool (USMT).
- Explain how to capture user state by using ScanState.
- Explain how to restore user state by using LoadState.

Tools for Migrating User Data and Settings


A user state migration captures all of the custom settings on a group of existing computers, known as source computers, and restores these settings on a group of newly deployed computers, known as destination computers. Typically, you would perform a user state migration during or after the deployment of a new operating system. A user state migration enables users to be more productive because they do not have to spend time reconfiguring settings or looking for personal data after a deployment.

User State Migration Elements


User state migration includes the following elements:

- User preferences. These include user profile features, web browser settings, and mail settings. Consider which user accounts, operating system settings, and user preferences you want to migrate or standardize:
  - User accounts. Computers might have settings related to domain and local user accounts. You must determine whether local user accounts should be migrated. You also should consider if you must enable the accounts on the destination computers and how you will deal with password requirements.
  - Operating system settings. Identify which operating system settings to migrate and to what extent you want to create a new standard environment on the destination computers. Operating system settings can include appearance, mouse actions such as single-click or double-click, keyboard settings, Internet settings, email account settings, dial-up connections, accessibility settings, and fonts.

- User data. This includes data that is stored on local hard drives. Typically, critical data is stored on file servers. However, users sometimes store data on local hard drives.

- Application settings. These include application-specific configuration settings, preferences, and data files. User state migration does not include migration of actual applications. Determine and locate the application settings that you want to migrate. You can acquire this information when you are testing new applications for compatibility with a new operating system. You should consider whether the destination version of an application is newer than the source version and where the specific application settings are stored. Settings might be stored in the registry, .ini files, or in text or binary files. To determine the location of an application setting, review the application's documentation or relevant websites.

Windows 8.1 provides two options for performing user state migration: Windows Easy Transfer and USMT.

Windows Easy Transfer

Windows 8.1 includes the Windows Easy Transfer tool, which provides a wizard-based process for migrating user data and files from one Windows-based computer to another. Windows Easy Transfer can transfer the data from a source computer to a number of different intermediary media types, and then it can restore that data on a destination computer. Windows Easy Transfer is used primarily by end users, and it is designed to perform migrations with a small number of computers. The Windows Easy Transfer process cannot be automated, and it is not an appropriate solution if you need to migrate data for a large number of users. Note: This tool is deprecated and has reduced functionality compared to Windows Easy Transfer in Windows 8. However, it is still a part of Windows 8.1, and it can be used in Windows 8.1.

USMT

USMT is a set of command-line tools that gives administrators more control over user data migrations. You can use USMT in large environments where you need to migrate the data of multiple users on multiple machines. The command-line interface for USMT helps administrators incorporate USMT into enterprise environments and automated processes. USMT uses tools to capture and store user data in the first phase of the migration, and then restore the data to another operating system from the captured data. USMT is included in the Windows Assessment and Deployment Kit (ADK) for Windows 8.1. Question: You have been asked to upgrade 10 computers in a small branch office from Windows 7 to Windows 8.1. You also have been asked to perform a clean installation of Windows 8.1 and to show the local manager how to migrate user files and other data after installing Windows 8.1. The manager will perform the Windows 8.1 installation and user state migration for the rest of the computers. Which tool should you demonstrate to the manager?


Migrating User Settings by Using Windows Easy Transfer

Windows Easy Transfer is deprecated in Windows 8.1. The tool is still available and you can use it for gathering and transferring data and settings from previous Windows operating systems, but you cannot use it to transfer data and settings between Windows 8.1 computers. If you have used Windows Easy Transfer in the past, you will notice that in Windows 8.1, you can transfer the data only by using removable media, local storage, and network shares. You can no longer use a network connection or an Easy Transfer cable for transferring data. If you need to transfer data between Windows 8.1 computers, you should use SkyDrive to synchronize settings among devices.

You can use the Windows Easy Transfer tool when you need to migrate settings and data for a limited number of users and you do not need to customize and automate the migration process. You can use Windows Easy Transfer to transfer user accounts and settings, files and folders, email settings, contacts and messages, application settings, Internet settings, and favorites. You cannot use Windows Easy Transfer to transfer installed apps or advanced configurations such as custom registry keys. Apps must be installed already on a Windows 8.1 computer before you can transfer the app settings by using Windows Easy Transfer. You can use Windows Easy Transfer to transfer data and settings to Windows 8.1 only from Windows 8, Windows RT, or Windows 7 source computers. Question: Can you use Windows Easy Transfer to migrate user settings and data between two Windows 8.1 computers?

Migrating User Settings and Data by Using USMT


You can use USMT in many user state migration scenarios. USMT offers a comprehensive set of features and capabilities that enables you to address your environment's migration needs.

Benefits of USMT

USMT provides the following benefits to organizations that deploy Windows operating systems:

It safely migrates user accounts, operating system settings, and application settings.

It is customizable and highly scriptable, which increases automation in large-deployment scenarios.

It reduces the cost of deploying Windows operating systems by preserving user states. This reduces the time needed for users to become familiar with new operating systems, and this reduces the time required to customize desktops and locate missing files and settings.

It reduces end-user downtime, which reduces help desk calls and increases employee satisfaction with the migration experience.

It minimizes migration storage by using hard-link migration. For use in the computer refresh scenario, hard-link migration stores are saved locally on the computer that is being refreshed. It drastically improves migration performance, significantly reduces hard-disk utilization, reduces deployment costs, and enables entirely new migration scenarios. Hard-link migration store differs from other migration store types in that hard links are used to keep files stored on a source computer during the migration. Keeping files in place on a source computer eliminates the redundant work of duplicating files to an external storage location, which enables performance benefits and reduces disk utilization.

It can perform migration from alternate locations (offline migration). This enables you to collect data from offline Windows operating systems by using the ScanState tool in the Windows Preinstallation Environment. In addition, USMT supports migrations from previous operating system installations contained in Windows.old directories.

Components of USMT

The following list defines the USMT components:

ScanState. This tool scans a source computer, collects the files and settings, and then creates a store. ScanState does not modify the source computer. By default, it compresses the files and saves them as a migration store. ScanState copies files into a temporary location and then to the migration store.

LoadState. This tool migrates files and settings, one at a time, from the store to a temporary location on the destination computer. Files are decompressed, and decrypted if necessary, during this process.

LoadState then transfers files to their correct locations, deletes their temporary copies, and begins migrating more files. Compression improves performance by reducing network bandwidth usage and the space required for the store. You can turn off compression with the /nocompress option.

USMTUtils. This tool can perform several functions related to compression, encryption, and validation of a migration store. USMTUtils also can manage USMT files manually in the event of a corrupted data store or a locked hard-link store.

Migration XML files. These are the XML files that USMT uses for migrations. They include the MigApp.xml, MigUser.xml, or MigDocs.xml files, and any custom .xml files that you create:
  - MigApp.xml. This file contains rules for migrating application settings.
  - MigDocs.xml. This file contains rules for the MigXmlHelper.GenerateDocPatterns helper function, which can find user documents on a computer automatically without creating extensive custom migration .xml files.
  - MigUser.xml. This file contains rules for migrating user profiles and data.

Config.xml. To exclude data from a migration, you can create and modify the Config.xml file by using the /genconfig option with the ScanState tool. This optional file has a different format from the migration .xml files because it does not contain migration rules. The Config.xml file lists the elements that can be migrated. Specify migrate=no for the elements that you want to exclude from the migration. You also can use this file to control some migration options for USMT.

Component manifests. The component-manifest files control which operating system settings are migrated and how they are migrated, and you cannot modify them. If you want to exclude certain operating system settings, you need to create and modify a Config.xml file.

USMT internal files. All other files included with USMT are for USMT internal use, and you should not modify these files. Question: Do you need to install Windows ADK on the source computer from which you plan to migrate user settings?


Capturing User State by Using ScanState


ScanState is a tool that is included in USMT. When you use USMT to migrate user settings and data, the first step in the migration process is to collect files and settings from the source computer by using the ScanState tool.

Collect Files and Settings from the Source Computer


To collect files and settings from the source computer:
1. Close all applications on the source computer.
2. Run the ScanState tool on the source computer to collect files and settings. Specify all of the .xml files that you want ScanState to use.
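The capture procedure above, combined with the Config.xml exclusion workflow described under Components of USMT, as an added PowerShell example written for this page (it is not USMT's own code). It assumes USMT from the Windows ADK for Windows 8.1 installed at the path in $UsmtPath and an elevated prompt on the source computer; the store share, key file and the component names excluded are constructed placeholders.

```powershell
# Added example, not part of the course or of USMT. Assumes USMT from the
# Windows ADK for Windows 8.1 at $UsmtPath, run from an elevated PowerShell
# prompt on the source computer. Store path, key file and excluded component
# names are constructed placeholders for this example.
$UsmtPath  = 'C:\Program Files (x86)\Windows Kits\8.1\Assessment and Deployment Kit\User State Migration Tool\amd64'
$ScanState = Join-Path $UsmtPath 'scanstate.exe'
# The same migration .xml files must be given to /genconfig and to the capture run.
$MigXml    = @('MigApp.xml', 'MigDocs.xml') | ForEach-Object { "/i:$(Join-Path $UsmtPath $_)" }

function Invoke-Usmt {
    # Runs a USMT executable and turns a non-zero exit code into a terminating error.
    param([Parameter(Mandatory)][string]$Exe, [Parameter(Mandatory)][string[]]$Arguments)
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$(Split-Path $Exe -Leaf) exited with code $LASTEXITCODE; see its /l: log" }
}

function New-UsmtConfig {
    # Step 1 of the exclusion workflow: /genconfig writes every migratable component
    # with migrate="yes". Nothing is captured at this stage.
    param([Parameter(Mandatory)][string]$ConfigPath, [Parameter(Mandatory)][string]$LogDir)
    $argList = @("/genconfig:$ConfigPath") + $MigXml + @("/l:$LogDir\genconfig.log", '/v:5')
    Invoke-Usmt -Exe $ScanState -Arguments $argList
}

function Set-UsmtComponentMigrate {
    # Step 2: set migrate="no" on components whose displayname matches a pattern.
    # Returns the number of components changed.
    param(
        [Parameter(Mandatory)][string]$ConfigPath,
        [Parameter(Mandatory)][string[]]$DisplayNameLike,
        [ValidateSet('yes', 'no')][string]$Migrate = 'no'
    )
    $full = (Resolve-Path $ConfigPath).ProviderPath
    $xml  = New-Object System.Xml.XmlDocument
    $xml.Load($full)
    $changed = 0
    foreach ($node in $xml.SelectNodes('//component[@migrate]')) {
        $name = $node.GetAttribute('displayname')
        if ($DisplayNameLike | Where-Object { $name -like $_ }) {
            $node.SetAttribute('migrate', $Migrate)
            $changed++
        }
    }
    $xml.Save($full)
    return $changed
}

function Invoke-UsmtScanState {
    # Step 3: capture. /o overwrites an existing store, /c continues past non-fatal
    # errors, /v:13 gives a verbose log. The store contains users' documents and
    # application settings, so a network store is encrypted with a key read from a
    # file (not typed on the command line, where it would land in logs and history).
    param(
        [Parameter(Mandatory)][string]$Store,
        [Parameter(Mandatory)][string]$ConfigPath,
        [Parameter(Mandatory)][string]$LogDir,
        [string]$KeyFile,
        [switch]$HardLink
    )
    $argList = @($Store, "/config:$ConfigPath") + $MigXml +
               @('/o', '/c', "/l:$LogDir\scanstate.log", "/progress:$LogDir\scanstate-progress.log", '/v:13')
    if ($HardLink) {
        # Computer-refresh scenario: files stay on the local disk as hard links.
        # /hardlink requires /nocompress, and /nocompress cannot be combined with /encrypt.
        $argList += @('/hardlink', '/nocompress')
    }
    else {
        if (-not $KeyFile) { throw 'A key file is required for an encrypted network store' }
        $argList += @('/encrypt', "/keyfile:$KeyFile")
    }
    Invoke-Usmt -Exe $ScanState -Arguments $argList
}

# Usage with constructed values: exclude two components, then capture to a network store.
$logDir = 'C:\UsmtLogs'
New-Item -ItemType Directory -Path $logDir -Force | Out-Null
New-UsmtConfig -ConfigPath "$logDir\Config.xml" -LogDir $logDir
$n = Set-UsmtComponentMigrate -ConfigPath "$logDir\Config.xml" -DisplayNameLike '*Windows Mail*', '*Games*'
Write-Host "$n component(s) excluded from migration"
Invoke-UsmtScanState -Store '\\FILESERVER\MigStore\SOURCE-PC' -ConfigPath "$logDir\Config.xml" `
                     -LogDir $logDir -KeyFile "$logDir\store.key"   # key file created beforehand
```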

Understanding User State

USMT controls what data to migrate by using migration .xml files (MigApp.xml, MigDocs.xml, and MigUser.xml) and any custom .xml files that you create. The user state consists of several components: user data, operating system elements, and supported applications settings.

User Data
ScanState uses rules in the MigUser.xml file to collect everything in a user's profile. ScanState then performs a file extension-based search of most of the system for other user data. By default, USMT migrates the following user data and access control lists (ACLs) by using the MigUser.xml file:

- Folders from each user profile. USMT migrates everything in a user's profile, including My Documents, My Video, My Music, My Pictures, Desktop files, Start menu, Quick Launch settings, and Favorites.
- Folders from the All Users and Public profiles. USMT also migrates the following from the All Users profile or the Public profile: Shared Documents, Shared Video, Shared Music, Shared Desktop files, Shared Pictures, Shared Start menu, and Shared Favorites.

- File types. The ScanState tool searches the fixed drives and collects and migrates files that have any of the following file name extensions: .accdb, .ch3, .csv, .dif, .doc*, .dot*, .dqy, .iqy, .mcw, .mdb*, .mpp, .one*, .oqy, .or6, .pot*, .ppa, .pps*, .ppt*, .pre, .pst, .pub, .qdf, .qel, .qph, .qsd, .rqy, .rtf, .scd, .sh3, .slk, .txt, .vl*, .vsd, .wk*, .wpd, .wps, .wq1, .wri, .xl*, .xla, .xlb, .xls*.
- ACL. USMT migrates the ACL for specified files and folders from source computers.

The following data does not migrate by using the MigUser.xml file:

- Files outside of a user profile that do not match one of the file name extensions in the MigUser.xml file.
- ACLs for folders outside of a user profile.

Operating System Elements


By default, USMT migrates most standard operating system features to destination computers. Some settings such as fonts are not available for an offline migration until after the destination computer is restarted.


Supported Applications Settings

We recommend installing all applications on a destination computer before restoring the user state to ensure that migrated settings are preserved. The versions of installed applications must match the application version on the source computer. USMT only migrates the settings that were used or changed by a user. If an application setting on the source computer was not used, it will not migrate.

Creating and Using a Custom XML File


Config.xml is an optional USMT file that you can create by using the /genconfig option with the ScanState tool. To include all of the default elements without changing the default store-creation or profile-migration behaviors, you do not need to create a Config.xml file.

However, if you are satisfied with the default migration behavior defined in the MigApp.xml, MigUser.xml, and MigDocs.xml files, but you want to exclude certain elements, you can create and modify the Config.xml file and leave the other .xml files unchanged. For example, you must create and modify the Config.xml file to exclude any of the operating system settings that are migrated. You must create and modify this file to change any of the default store-creation or profile-migration behaviors. The Config.xml file has a different format compared to other migration .xml files because it does not contain any migration rules. It only contains a list of the operating system features, applications, and user documents that can be migrated, in addition to user-profile and error-control policies. For this reason, excluding features by using the Config.xml file is easier than modifying migration .xml files because you do not need to be familiar with the migration rules and syntax. However, you cannot use wildcard characters in this file.

How to include files and settings http://go.microsoft.com/fwlink/?LinkId=378228&clcid=0x409

Example of ScanState Syntax

The following syntax provides an example of how you can configure ScanState to scan a source computer:

Scanstate \\LON-SRV1\DesktopMigration /i:migapp.xml /i:miguser.xml /config:config.xml /o /ui:DBService /ue:Adatum\Don

What USMT Does Not Migrate


USMT does not migrate the following settings:

- Application settings. USMT does not migrate settings from older versions of an application. It also does not migrate application settings and some operating system settings when a local account is created.
- Installed applications. USMT does not migrate installed applications. You have to reinstall all applications on a destination computer before restoring application settings.
- Operating system settings. USMT does not migrate the following operating system settings:
  o Mapped network drives, local printers, hardware-related settings, drivers, passwords, application binary files, synchronization files, dynamic-link library files, or other executable files.
  o Shared folder permissions.
  o Files and settings that are migrating between operating systems with different languages.
  o Customized icons for shortcuts.
  o Taskbar settings when a source computer is running Windows XP.


What does USMT migrate? http://go.microsoft.com/fwlink/?LinkId=378229&clcid=0x409

Question: Why would you use additional XML configuration files with ScanState.exe?

Restoring User State by Using LoadState


You can use the LoadState tool to restore files and settings from a migration store to a destination computer. Remember that you can restore only the settings and data that were captured on the source computer. Similar to ScanState, the LoadState tool supports many parameters, and you can use them in any order. You can consult the documentation to view the parameters that LoadState supports.

LoadState syntax http://go.microsoft.com/fwlink/?LinkId=378230&clcid=0x409

Prepare and Restore Files and Settings on the Destination Computer


To prepare a destination computer:
1. Install an operating system on the destination computer.
2. Install all applications that were on the source computer.

To restore files and settings on a destination computer:
1. Run the LoadState tool on the destination computer. Specify the same set of .xml files that you specified when you used the ScanState tool. However, you do not have to specify the Config.xml file unless you want to exclude some files and settings that you migrated to the store.
2. Sign out after running the LoadState tool. Some settings, such as fonts, wallpaper, and screen saver, will not take effect until the next time the user signs in.

LoadState Syntax Example


The following syntax provides an example of how to configure LoadState to migrate user states to a destination computer:
Loadstate \\LON-SRV1\DesktopMigration /i:migapp.xml /i:miguser.xml /ue:Adatum\Don /ui:DBService /lac:Pa$$w0rd /lae
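The ScanState and LoadState examples above write and read the store in the clear. The following Windows PowerShell function is an added example, not part of the course, that wraps both tools with an encrypted store (the /encrypt and /decrypt options with a key file), logging, and an exit-code check. It assumes USMT 5.0 from the Windows ADK for Windows 8.1 is installed in $UsmtPath, that the key file is readable only by the account that runs the migration, and that logs may go under ProgramData; all of those paths are assumptions.

```powershell
# Added example, not from the course: run ScanState or LoadState against an
# encrypted migration store and return the exit code. Assumes USMT 5.0 from the
# Windows ADK for Windows 8.1 in $UsmtPath, and a key file that only the
# migrating account can read; the paths and the ProgramData log folder are
# assumptions.
function Invoke-UsmtTool {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][ValidateSet('ScanState', 'LoadState')][string]$Tool,
        [Parameter(Mandatory)][string]$StorePath,   # for example \\LON-SRV1\DesktopMigration
        [Parameter(Mandatory)][string]$KeyFile,     # text file holding the encryption key
        [string[]]$MigrationXml = @('migapp.xml', 'miguser.xml'),
        [string]$ConfigXml,                         # optional Config.xml, ScanState only
        [string]$UsmtPath = 'C:\Program Files (x86)\Windows Kits\8.1\Assessment and Deployment Kit\User State Migration Tool\amd64',
        [string]$LogDir   = "$env:ProgramData\UsmtLogs"
    )

    $exe = Join-Path $UsmtPath "$Tool.exe"
    if (-not (Test-Path $exe))     { throw "USMT tool not found: $exe" }
    if (-not (Test-Path $KeyFile)) { throw "Key file not found: $KeyFile" }
    New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

    # Build the argument list. The /i: files are resolved relative to $UsmtPath
    # because the process starts in that folder.
    $argList = @($StorePath)
    foreach ($xml in $MigrationXml) { $argList += "/i:$xml" }

    if ($Tool -eq 'ScanState') {
        if ($ConfigXml) { $argList += "/config:$ConfigXml" }
        $argList += '/o'               # overwrite an existing store
        $argList += '/efs:copyraw'     # keep EFS-encrypted files encrypted in the store
        $argList += '/encrypt', "/keyfile:$KeyFile"
    }
    else {
        $argList += '/decrypt', "/keyfile:$KeyFile"
    }
    $argList += "/l:$LogDir\$Tool.log", '/v:13'

    # USMT returns 0 on success; any other value is a USMT return code that
    # the log explains. Start-Process with -PassThru exposes it reliably.
    $proc = Start-Process -FilePath $exe -ArgumentList $argList -WorkingDirectory $UsmtPath `
                          -Wait -PassThru -NoNewWindow
    [pscustomobject]@{
        Tool     = $Tool
        ExitCode = $proc.ExitCode
        Log      = Join-Path $LogDir "$Tool.log"
    }
}

# Usage, from an elevated prompt. The key file is generated once, copied to the
# destination computer out of band, and deleted when the migration is done.
# Invoke-UsmtTool -Tool ScanState -StorePath \\LON-SRV1\DesktopMigration -KeyFile C:\Usmt\store.key -ConfigXml config.xml
# Invoke-UsmtTool -Tool LoadState -StorePath \\LON-SRV1\DesktopMigration -KeyFile C:\Usmt\store.key
```

The key file, not the store share, is what protects the captured profiles, so it should never be left on the share next to the store, and the share itself should still be restricted to the migrating account because an encrypted store can be deleted or replaced even when it cannot be read.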

Question: How can you ensure that user data is safe during a migration?


Lab B: Migrating User State by Using USMT


Scenario

You have been asked to implement the upgrade of 10 new computers that are being deployed to the Research department at A. Datum. Max Stevens, the IT manager from the Research department, has sent you an email outlining the requirements for the upgrade.

Objectives
After completing this lab, you will be able to:
- Create and customize USMT XML files.
- Capture and restore user state to a target computer.

Lab Setup
Estimated Time: 45 minutes
Virtual machines: LON-DC1, LON-CL1, and LON-CL3
User name: Adatum\Administrator
Password: Pa$$w0rd

Start the virtual machines LON-DC1, LON-CL1 and LON-CL3 if they are not running already. You do not need to sign in to any computer.

Exercise 1: Creating and Customizing USMT XML Files


Scenario Supporting Documentation
Email from Max Stevens:

From: Max Stevens [Max@adatum.com]
Sent: 10 January 2014 08:01
To: Ed Meadows [Ed@adatum.com]
Subject: User State Migration for the new Windows 8.1 computers in the Research department

Hi Ed,

We have 10 new Windows 8.1 computers that are being deployed within the Research department. We need to ensure that no user data stored on the old computers is lost in the migration, and that all user data is migrated to the new computers. What I want you to do is use USMT to help with the user state migration. Here are some additional things to consider:

- The old computers have Windows 7 installed.
- All computers have Microsoft Office 2010 installed.
- The contents of the Shared Video, Shared Music, and Shared Pictures folders should not be migrated from Windows 7 to the new Windows 8.1 computers.
- We have a custom folder named ResearchApps that has to be migrated from all the old computers to the new Windows 8.1 computers.
- All domain profiles that are on each existing computer should be migrated to the new systems.
- You can use \\LON-DC1\Data as a location to store the data store during the migration. The data store should be compressed to minimize space.
- Because there is no confidential information on these specific computers, we do not need the migration store to be encrypted.

Thanks,
Max

Your user state migration information states that several operating system features should not be migrated. You also have to migrate an additional folder from the old computers to the new Windows 8.1 computers. Your first task is to create the custom XML files that address these requirements. The main tasks for this exercise are as follows:
1. Read the supporting documentation.
2. Create a Config.xml file.
3. Modify a custom migration XML file.

Task 1: Read the supporting documentation


Read the supporting documentation provided in the lab scenario.

Task 2: Create a Config.xml file


1. Sign in to LON-CL3 as Adatum\Don with password Pa$$w0rd.
2. Verify that Don has a black desktop and that the Computer and Don Funk folders are shown on the desktop.
3. Create a new text document named with your name on the desktop.
4. Sign out, and then sign in to LON-CL3 as Adatum\Administrator with password Pa$$w0rd.
5. Open a command prompt, and then map a network drive located on LON-DC1 by using the following command:

Net Use F: \\LON-DC1\USMT

6. Change to drive F, and then create a Config.xml file by using the following command:

scanstate /i:migapp.xml /i:miguser.xml /genconfig:config.xml

7. At the command prompt, type notepad config.xml to view the Config.xml file.
8. Modify the XML code to exclude the following from the migration:
   o Shared Video
   o Shared Music
   o Shared Pictures

Note: For each of the folders, look for component displayname, and then change the migrate attribute to "no".
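Steps 7 and 8 edit Config.xml by hand, which is fine for three components and error-prone for thirty. The following script is an added example, not part of the course, that makes the same change with the [xml] type and reports what it excluded, so the result can be verified rather than eyeballed. The Config.xml it operates on is a constructed, much-reduced sample that stands in for the file that scanstate /genconfig produces; the function works unchanged on the real file.

```powershell
# Added example, not from the course: set migrate="no" on named components in a
# USMT Config.xml, as the lab does by hand in Notepad. The sample file below is
# constructed and much smaller than what "scanstate /genconfig" produces; the
# displayname values are the ones the lab asks you to exclude.
function Set-UsmtComponentExclusion {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$DisplayName
    )
    [xml]$config = Get-Content -Path $Path -Raw
    $changed = @()
    foreach ($component in $config.SelectNodes('//component')) {
        # Exact match on displayname, so "Shared Music" does not also catch
        # a component whose name merely contains "Music".
        if ($DisplayName -contains $component.displayname) {
            $component.SetAttribute('migrate', 'no')
            $changed += $component.displayname
        }
    }
    $config.Save($Path)
    # Return what was changed so the caller can check that nothing was missed.
    return $changed
}

function Get-UsmtExcludedComponents {
    param([Parameter(Mandatory)][string]$Path)
    [xml]$config = Get-Content -Path $Path -Raw
    $config.SelectNodes('//component[@migrate="no"]') | ForEach-Object { $_.displayname }
}

# Constructed sample. A real Config.xml also carries an ID attribute on each
# component and has Applications and WindowsComponents sections.
$sample = @'
<Configuration>
  <Documents>
    <component displayname="Shared Documents" migrate="yes"/>
    <component displayname="Shared Video" migrate="yes"/>
    <component displayname="Shared Music" migrate="yes"/>
    <component displayname="Shared Pictures" migrate="yes"/>
    <component displayname="My Documents" migrate="yes"/>
  </Documents>
</Configuration>
'@
$path = Join-Path $env:TEMP 'config.xml'
Set-Content -Path $path -Value $sample

$excluded = Set-UsmtComponentExclusion -Path $path -DisplayName 'Shared Video', 'Shared Music', 'Shared Pictures'
if (@($excluded).Count -ne 3) { throw "Expected 3 components to be excluded, got $(@($excluded).Count)" }
Get-UsmtExcludedComponents -Path $path
```

Run the second function against the finished Config.xml before you run ScanState: the list it returns is exactly the set of components that will not be captured, which is the check the lab's Task 2 otherwise leaves to a visual scan of Notepad.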

Task 3: Modify a custom migration XML file


1. At a command prompt, type notepad folders.xml, and then press Enter.
2. Maximize the Notepad window. This is a custom XML file that is used to migrate a specific folder named ResearchApps to the new workstation.
3. Change the variable <Foldername> to ResearchApps. The entire line should read as follows:

<pattern type="File">C:\ResearchApps\* [*]</pattern>

4. Verify that there is a C:\ResearchApps folder on the disk and that it contains multiple files.
5. Create a new text document with your name in the C:\ResearchApps folder.

Results: After completing this exercise, you should have created and customized XML files to use with the User State Migration Tool (USMT).

Exercise 2: Capturing and Restoring User State to a Target Computer


Scenario

Now that you have the required custom XML files, you can perform the USMT migration task. Use USMT to capture the current user state on LON-CL3 by using ScanState and the custom migration files. Then, restore the user state to LON-CL1 and confirm the migration. The main tasks for this exercise are as follows:
1. Capture user state on the source computer.
2. Restore user state on the destination computer.
3. Verify the user state migration.

Task 1: Capture user state on the source computer


1. On LON-CL3, switch to the command prompt.
2. Verify that the \\LON-DC1\Data shared folder is empty.
3. Capture user state by using the following command:

F:\Scanstate \\LON-DC1\Data /i:migapp.xml /i:miguser.xml /i:folders.xml /config:config.xml /o /efs:copyraw

4. Verify that the \\LON-DC1\Data shared folder stores the USMT.MIG captured user state.

Task 2: Restore user state on the destination computer


1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. Verify that C:\Users does not contain a subfolder named Ed or Don.
3. Verify that there is no ResearchApps folder on drive C.
4. Open the Command Prompt window, and then map network drive F to \\LON-DC1\USMT by using the following command:

Net Use F: \\LON-DC1\USMT

5. Change to drive F, and then restore user state on the destination computer by using the following command:

Loadstate \\LON-DC1\Data /i:migapp.xml /i:miguser.xml /i:folders.xml

6. Verify that the C:\Users folder contains subfolders named Ed and Don.
7. Sign out of LON-CL1.


Task 3: Verify the user state migration


1. Sign in to LON-CL1 as Adatum\Don with password Pa$$w0rd.
2. Verify that the Computer and Don Funk folders, in addition to a text document with your name, are located on the desktop.
3. Verify that the C:\ResearchApps folder with all its content has migrated successfully, including the file with your name.

Results: After completing this exercise, you should have captured and restored user states by using USMT.

Prepare for the next module


When you are finished with the lab, revert all virtual machines back to their initial state:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687C-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat the steps for 20687C-LON-CL1 and 20687C-LON-CL3.


Module Review and Takeaways


Review Questions
Question: After you created a user account in AD DS, you noticed that the domain user does not have a user profile yet. Why?

Question: Can you use UE-V to synchronize application settings for a user who is already configured with Folder Redirection?

Question: You have been asked to retain user settings for 200 users who are having their Windows 7 desktop computers replaced with new Windows 8.1 computers. Which tool should you use to migrate user settings?


Module 4
Tools Used for Configuring and Managing Windows 8.1
Contents:
Module Overview 4-1
Lesson 1: Tools Used to Perform Local and Remote Management of Windows 8.1 4-2
Lesson 2: Using Windows PowerShell to Configure and Manage Windows 8.1 4-9
Lesson 3: Using Group Policy to Manage Windows 8.1 4-16
Lab: Using Management Tools to Configure Windows 8.1 Settings 4-22
Module Review and Takeaways 4-27

Module Overview

The Windows 8.1 operating system provides several methods to configure operating system components while signed in locally or connected remotely. This module describes the primary management tools in Windows 8.1 and the scenarios for using them.

Objectives
After completing this module, you will be able to:
- Identify the tools used to perform local and remote management of Windows 8.1.
- Use Windows PowerShell to configure and manage Windows 8.1.
- Use Group Policy to manage Windows 8.1.


Lesson 1

Tools Used to Perform Local and Remote Management of Windows 8.1

This lesson describes Windows 8.1 management tools and how to use them. To simplify remote management of computers that are running Windows 8.1, you can use many of the administrative tools to connect to a remote computer. However, you need to configure Windows 8.1 properly to allow remote administration. You also can use Remote Desktop and Windows Remote Assistance for remote administration on computers that run Windows 8.1. This lesson also describes Remote Server Administration Tools (RSAT), which is a collection of server administration tools that you can install on computers that run Windows 8.1.

Lesson Objectives
After completing this lesson, you will be able to:
- Describe Windows 8.1 administrative tools.
- Explain how to create custom Microsoft Management Console (MMC) configurations.
- Describe the functionality of Windows PowerShell.
- Describe remote management in Windows 8.1.
- Describe RSAT in Windows 8.1.

Windows 8.1 Administrative Tools


Windows 8.1 contains many administrative tools that you can use to configure and manage a Windows 8.1 computer. The Administrative Tools item in the Control Panel provides access to the key tools you can use to manage Windows 8.1. The following tools are included in the Administrative Tools item in the Control Panel:

- Component Services. Use to configure Microsoft Component Services (COM+) and Distributed Component Object Model (DCOM) applications. In most cases, you do not use this tool unless a vendor directs you to do so to resolve an application issue.
- Computer Management. Contains a number of commonly used tools in a single console: Task Scheduler, Event Viewer, Shared Folders, Local Users and Groups, Performance, Device Manager, Disk Management, Services, and WMI Control.
- Defragment and optimize your drives. Use to defragment hard disks to increase overall disk performance. Normally, you do not need to run this tool because defragmentation is scheduled once per week by default.
- Disk Cleanup. Use to scan your hard disks for temporary files and other files that can be removed without impacting the performance of Windows 8.1 or your apps. You can use this tool to free up disk space quickly without removing data or apps.

- Event Viewer. Use to view and search event logs to diagnose and troubleshoot app, service, and operating system issues.
- iSCSI Initiator. Use to connect Windows 8.1 to an Internet SCSI (iSCSI) target and use the iSCSI target as storage.
- Local Security Policy. Use to configure local security settings in Windows 8.1. In most cases, you will use Group Policy to configure computers that run Windows 8.1 instead of the local security settings.
- ODBC Data Sources (32-bit). Use to configure Open Database Connectivity (ODBC) connections to data sources for 32-bit apps.
- ODBC Data Sources (64-bit). Use to configure ODBC connections to data sources for 64-bit apps.
- Performance Monitor. Use to view real-time performance data, and to record and view historical performance and configuration data.
- Print Management. Use to configure local printers and remote print servers in a single console.
- Resource Monitor. Use to view real-time CPU, memory, hard disk, and network resource utilization.
- Services. Use to configure the startup type for services and the credentials that are used by services.
- System Configuration. Use to control the startup process for Windows 8.1 by disabling programs or services that run at startup. You also can set some boot options, such as the default operating system on a multiboot system.
- System Information. Use to view information about the hardware and software configuration of a computer that runs Windows 8.1. The information that is displayed includes drivers, startup programs, and hardware resources.
- Task Scheduler. Use to create scheduled tasks. You also can review the scheduled tasks created during the installation of Windows 8.1.
- Windows Firewall with Advanced Security. Use to create and manage rules for Windows Firewall.
- Windows Memory Diagnostic. Use to identify problems with physical memory.
- Windows PowerShell (x86). Use to open a command prompt in the Windows PowerShell command-line interface (CLI) that you can use to manage Windows 8.1.
- Windows PowerShell ISE. Use to simplify the development of Windows PowerShell scripts. The Windows PowerShell Integrated Scripting Environment (ISE) provides color-coding and error checking as you type commands, and it lists the available parameters for cmdlets.


Creating Custom Management Console Configurations


The MMC is an environment for loading snap-ins that provide administrative functionality. The MMC provides the basic framework for building an administrative tool, and snap-ins provide the specific functionality that is required to perform an administrative task. Most of the administrative tools in Windows 8.1 are snap-ins that are loaded into the MMC. The Computer Management administrative tool is a combination of multiple snap-ins that are loaded into the MMC. The snap-ins for managing Windows 8.1 are included as part of a Windows 8.1 installation. Snap-ins for managing specific apps typically are included as part of an installation for that app. For example, the snap-in for managing Microsoft Exchange Server 2010 is installed as an option from the Exchange 2010 installation media.

Not all snap-ins have a corresponding administrative tool. To use a snap-in that is not part of an existing administrative tool, you need to create a custom management console that includes the snap-in. Snap-ins that are not part of an administrative tool include:

- Certificates. Use this snap-in to manage certificates for users and the local computer.
- NAP Client Configuration. Use this snap-in to manage the client for Network Access Protection (NAP) to ensure computer health before network access is granted.
- Resultant Set of Policy. Use this snap-in to view reports on Group Policy application.

You also can create customized MMC configurations with snap-ins that you commonly use. Customized MMC configurations increase your productivity by eliminating the need to open multiple administrative tools. After you create a custom management console, you can save it as a .msc file. Once the .msc file is saved, you can reuse it later or share it with other administrators.

Creating a Custom Management Console


To create a custom management console, perform the following procedure:
1. From the Start screen, type MMC, and then click the mmc tile or press Enter.
2. From the MMC window, click File, and then click Add/Remove Snap-in.
3. Choose one or more snap-ins from the list of available snap-ins, and then click OK.
4. When you close the console window, click Yes when prompted to save the custom management console, and then save the file to a convenient location.

After these steps are complete, you can double-click the saved console app to open the MMC with the snap-ins that you specified in step 3 already loaded.


Overview of Windows PowerShell


Windows PowerShell is an integrated shell environment that enables scriptable, flexible, and comprehensive management of Windows 8.1. Windows PowerShell has several important characteristics that make it ideal for both local and remote management of one or more Windows 8.1 computers:

- Windows operating system integration. Windows PowerShell 1.0 was introduced as an installable option for Windows Vista and as a feature for Windows Server 2008. Windows PowerShell 2.0 was part of Windows 7 and Windows Server 2008 R2. Windows PowerShell 3.0 is part of Windows 8 and Windows Server 2012. Windows PowerShell 4.0, the most recent version, is part of Windows 8.1 and Windows Server 2012 R2. So, for every Windows operating system version since Windows 7 and Windows Server 2008 R2, Windows PowerShell is supported natively.
- Remote management capability. You can use Windows PowerShell to manage remote computers, provided that remote management is enabled and the user who is performing the remote management has the proper authorization.
- Script-based execution. You can use Windows PowerShell scripts to build automation and complex logic into management tasks.

Windows PowerShell's main functionality is provided by commands. These come in many varieties: cmdlets (pronounced command-lets), functions, workflows, and more. These commands are building blocks, designed to be pieced together to implement complex and customized processes and procedures. Windows PowerShell provides a CLI that you can use to enter cmdlets interactively. However, Windows PowerShell is not restricted to the command line. For example, the Active Directory Administrative Center in Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 is a GUI that uses Windows PowerShell to perform all of its tasks.

This architecture and the ability to use Windows PowerShell directly as a CLI, or to use it through a GUI that embeds the shell, is intended to help increase consistency and coverage for administrative capabilities. For example, an administrator might rely completely on a GUI app to perform tasks. However, if the administrator must perform some task or implement some process that the GUI does not explicitly support, the administrator instead can use the shell directly. When correctly implemented, this architecture helps ensure that anything that can be done in the GUI also can be done in the CLI, with the CLI offering the additional ability to customize processes and procedures.


Overview of Remote Management


Many of the tools that you use to manage a local computer that is running Windows 8.1 also can be used to remotely manage a computer that is running Windows 8.1. By using remote management, you can manage computers that are running Windows 8.1 without physically accessing the computer or interrupting a user who is already signed in and working.

Administrative tools perform remote management of Windows 8.1 through remote procedure calls (RPCs) or by using Windows Remote Management (WinRM). The method used varies based on the administrative tools and is not configurable. By default, remote management is not enabled on computers that are running Windows 8.1. You need to allow remote access to computers that are running Windows 8.1. The method for allowing remote access is different for RPC and WinRM. In a domain environment, you typically configure remote management settings by using Group Policy.

RPC

Remote management by using RPC requires the RPC and RPC endpoint mapper services to be running. These two services are configured to start automatically. You also need to configure Windows Firewall to allow remote management. There are predefined rules in Windows Firewall that you can enable to allow remote management for specific parts of Windows 8.1, such as:
- Event logs
- Scheduled tasks
- Services
- Volumes
- Windows Firewall

WinRM

WinRM is a web service that provides remote management access to Windows 8.1. Remote management by using WinRM requires you to start the Windows Remote Management (WS-Management) service and to configure a listener. By default, this service is configured with a manual startup type. A WinRM listener configures the web service to listen on a specific port. The default port for WinRM over HTTP is 5985. In most cases, you will want to configure WinRM with the default configuration that is expected by apps. To configure WinRM manually with the default configuration, run winrm quickconfig. The quickconfig action configures the service to start automatically, creates a listener on port 5985, and configures Windows Firewall to allow remote communication on port 5985. The Windows PowerShell cmdlet Enable-PSRemoting performs the same configuration and also registers the Windows PowerShell remoting session configurations. In large organizations, manually configuring WinRM on each computer is not feasible because it is too time-consuming. Instead, you can use Group Policy to perform all of the necessary actions.
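The RPC and WinRM paragraphs above describe two separate enablement steps. The following function is an added example, not from the course, that performs both from Windows PowerShell on a single computer and restricts each to the Domain firewall profile, which is the check a practitioner wants before turning remote management on: the management ports should answer on the corporate network only, not on whatever public network the laptop is plugged into next. The firewall display-group names are the ones built into Windows 8.1; run it from an elevated Windows PowerShell session.

```powershell
# Added example, not from the course: enable the firewall rule groups behind the
# RPC-based snap-ins and enable WinRM, in both cases only for the Domain profile,
# then report the WinRM listener. The display-group names are Windows 8.1's
# built-in ones; run from an elevated Windows PowerShell session.
function Enable-RemoteManagement {
    [CmdletBinding()]
    param(
        # Rule groups that the RPC-based administrative tools need.
        [string[]]$RpcGroups = @(
            'Remote Event Log Management',
            'Remote Scheduled Tasks Management',
            'Remote Service Management',
            'Remote Volume Management',
            'Windows Firewall Remote Management'
        )
    )

    foreach ($group in $RpcGroups) {
        # Enable the rules whose profile includes Domain (or Any); leave the
        # Private and Public copies disabled.
        Get-NetFirewallRule -DisplayGroup $group |
            Where-Object { $_.Profile -match 'Domain|Any' } |
            Enable-NetFirewallRule
    }

    # Enable-PSRemoting does what "winrm quickconfig" does (Automatic startup,
    # HTTP listener on 5985, "Windows Remote Management" firewall rules) and
    # also registers the PowerShell session configurations.
    Enable-PSRemoting -Force -SkipNetworkProfileCheck | Out-Null

    # The Public-profile WinRM rule is created too; turn it off so the listener
    # answers only on domain networks.
    Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' |
        Where-Object { $_.Profile -match 'Public' } |
        Disable-NetFirewallRule

    # Read the listener back through the WSMan: drive so the result is visible.
    Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
        $props = Get-ChildItem $_.PSPath
        [pscustomobject]@{
            Transport = ($props | Where-Object Name -eq 'Transport').Value
            Port      = ($props | Where-Object Name -eq 'Port').Value
            Address   = ($props | Where-Object Name -eq 'Address').Value
        }
    }
}

# Usage (elevated). Check from another domain member with Test-WSMan:
# Enable-RemoteManagement
# Test-WSMan -ComputerName LON-CL1
```

Test-WSMan from a second domain member confirms that the listener is reachable; if it answers from the local computer but not from the remote one, the firewall profile, not the listener, is the usual cause.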

Remote Desktop

Remote Desktop allows you to connect to a remote computer and have the desktop of that remote computer displayed locally. When you connect, you sign in just as you would if you were sitting in front of the computer. This allows you to sign in and run apps just as a user would for troubleshooting.


Some organizations also provide remote access for users by using Remote Desktop and the Remote Desktop Gateway on Windows Server 2012 R2. This allows users to control their own desktop computer remotely and have access to all of their data and apps.

When users connect remotely, you can allow the redirection of printers and local drives. Printer redirection allows you to print from an app on a remote computer and have it print on a local printer. Drive redirection allows you to save files from a remote computer on a local computer. By default, Remote Desktop is not enabled. You can enable and configure Remote Desktop in the System Properties or by using Group Policy. Any necessary firewall rules for Windows Firewall are configured when you enable Remote Desktop. By default, local Administrators are allowed to connect remotely, but you can add any users or groups that are required. When you add users or groups, they are made members of the Remote Desktop Users local group that has rights to connect by using Remote Desktop.
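The System Properties dialog described above flips one registry value and enables one firewall group. The following function is an added example, not from the course, that does the same from Windows PowerShell and adds the two settings a security engineer would check at the same time: Network Level Authentication (UserAuthentication=1), so a client must authenticate before a session is created, and a TLS security layer (SecurityLayer=2). It also adds a domain group to Remote Desktop Users, which is what grants the connect right. The group name Adatum\Helpdesk is an assumption; run it elevated.

```powershell
# Added example, not from the course: enable Remote Desktop the way the System
# Properties dialog does, but also require Network Level Authentication and TLS,
# open the built-in "Remote Desktop" firewall group, and grant a domain group
# the connect right. The group name Adatum\Helpdesk is an assumption; run elevated.
function Enable-RemoteDesktopSecure {
    [CmdletBinding()]
    param([string]$AllowedGroup = 'Adatum\Helpdesk')

    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdp = "$ts\WinStations\RDP-Tcp"

    # fDenyTSConnections=0 is the "Allow remote connections" option.
    Set-ItemProperty -Path $ts  -Name fDenyTSConnections -Value 0 -Type DWord
    # UserAuthentication=1 requires NLA: the client authenticates before a
    # session and logon screen are created, which removes pre-auth exposure.
    Set-ItemProperty -Path $rdp -Name UserAuthentication -Value 1 -Type DWord
    # SecurityLayer=2 forces TLS for the connection instead of RDP security.
    Set-ItemProperty -Path $rdp -Name SecurityLayer -Value 2 -Type DWord

    # Same rules the System Properties dialog enables.
    Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

    # Windows 8.1 has no Add-LocalGroupMember cmdlet; net.exe does the job.
    # Membership of Remote Desktop Users is what grants the connect right.
    $members = & net.exe localgroup 'Remote Desktop Users'
    if ($members -notcontains $AllowedGroup) {
        & net.exe localgroup 'Remote Desktop Users' $AllowedGroup /add | Out-Null
    }

    [pscustomobject]@{
        RemoteDesktopEnabled = (Get-ItemProperty $ts  -Name fDenyTSConnections).fDenyTSConnections -eq 0
        NlaRequired          = (Get-ItemProperty $rdp -Name UserAuthentication).UserAuthentication -eq 1
        TlsRequired          = (Get-ItemProperty $rdp -Name SecurityLayer).SecurityLayer -eq 2
        AllowedMembers       = @(& net.exe localgroup 'Remote Desktop Users' | Where-Object { $_ -match '\\' })
    }
}

# Usage (elevated):
# Enable-RemoteDesktopSecure -AllowedGroup 'Adatum\Helpdesk'
```

In a domain these three values are normally set through Group Policy (Computer Configuration, Administrative Templates, Windows Components, Remote Desktop Services), and Group Policy will overwrite what this function sets on the next refresh; the function is useful for a standalone computer or for confirming what a policy actually produced.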


Windows Remote Assistance

When you use Remote Desktop, you need to sign in to the remote computer. This creates a session for your user account and disconnects a user that is signed in. You cannot view what the user is doing. You can use Windows Remote Assistance to view the desktop of a computer when a user is signed in, and see what the user sees. You also can request to take control of the mouse and keyboard to perform troubleshooting. The ability to connect to an existing user session is useful for troubleshooting problems that might be related to user-specific configurations, such as permissions or settings in the user profile.

You can offer remote assistance to a user on a remote computer, or a user on a remote computer can request assistance. When you offer remote assistance, you connect to a remote computer by name or IP address, and the user is prompted to allow remote assistance. When users request remote assistance, they can generate an invitation file that you open to connect, or you can use Easy Connect. Easy Connect requires you to enter a 12-character password that is selected by the user. Easy Connect works over the Internet if Peer Name Resolution Protocol is allowed through all firewalls. By default, Windows Remote Assistance is not enabled. You enable Windows Remote Assistance in the System Properties. There are no permissions to configure for Windows Remote Assistance because it is allowed based on the currently signed-in user who is allowing it.

Overview of RSAT
RSAT is a collection of server administration tools that can be installed on a computer that is running Windows 8.1. RSAT includes Server Manager, MMC snap-ins, Windows PowerShell providers, and command-line tools for managing Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, and some Windows Server 2003 roles and features. RSAT for Windows 8.1 includes management tools for the following Windows roles and features:
- Active Directory Certificate Services (AD CS)
- Active Directory Domain Services (AD DS)
- BitLocker Drive Encryption
- Dynamic Host Configuration Protocol (DHCP) Server
- DirectAccess
- Domain Name System (DNS) Server
- Failover clustering
- File and Storage Services
- IP Address Management
- NIC Teaming
- Network Load Balancing
- Remote Desktop Services
- Simple Mail Transfer Protocol (SMTP) server
- Windows System Resource Manager
- Windows Server Update Services


Lesson 2

Using Windows PowerShell to Configure and Manage Windows 8.1

You can use Windows PowerShell for system administration as an alternative to more complex scripting languages such as Microsoft Visual Basic, Scripting Edition (VBScript). You can perform relatively complex administrative tasks by using scripts or the Windows PowerShell pipeline. To simplify creating and editing scripts, you can use Windows PowerShell ISE. You also can perform remote administration by using Windows PowerShell. This lesson introduces the important concepts of Windows PowerShell and explains how to use Windows PowerShell for local and remote management of Windows 8.1 computers.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe Windows PowerShell.
• Identify the new features in Windows PowerShell 4.0.
• Describe Windows PowerShell ISE.
• Use Windows PowerShell ISE.
• Use Windows PowerShell scripts to manage Windows 8.1.
• Describe Windows PowerShell remoting.
• Use Windows PowerShell remoting.

Overview of Windows PowerShell


Windows PowerShell is a command-line shell that is designed for system administration. You can use Windows PowerShell to run individual cmdlets that perform actions or scripts that use cmdlets. Using Windows PowerShell is much simpler than other scripting languages such as VBScript. Windows PowerShell uses Windows PowerShell drives to provide access to data stores. These drives present data in a format similar to a file system. Some common Windows PowerShell drives are as follows:

• The C: drive is the local file system C: drive.
• The cert: drive is the local certificate store.
• The Env: drive contains environment variables that are stored in memory.
• The HKCU: drive is the HKEY_CURRENT_USER portion of the registry.
• The HKLM: drive is the HKEY_LOCAL_MACHINE portion of the registry.
• The Variable: drive contains the variables that are stored in memory.

Cmdlets
Cmdlets use a naming convention of a verb or action, followed by a noun or a subject. For example, to retrieve a list of services, you would use the Get-Service cmdlet. This standardization helps you to more easily learn how to accomplish administrative tasks. Some common cmdlet verbs are:

• Get retrieves data.
• Set establishes or modifies data.
• New creates a new object.

Each cmdlet has options called parameters. Some parameters are required, and some parameters are optional. The parameters vary for each cmdlet.

The following example shows how to start the Application Identity service by using the -Name parameter. Because the service name contains a space, it is enclosed in quotation marks.
Start-Service -Name "Application Identity"

Note: The cmdlets that are available for use on a computer vary depending on the version of Windows PowerShell that is installed and the snap-ins and modules with cmdlets that have been installed.

Compatibility with Command-Line Tools

You can run batch files and executable files at a Windows PowerShell command prompt. For example, you can run Ipconfig.exe at a Windows PowerShell command prompt, and it behaves exactly the same as if you ran it from a command prompt. This allows you to start using Windows PowerShell as your default command-line environment for administration. In some cases, commands or options for commands contain reserved words or characters for Windows PowerShell. In such a case, you can enclose the command in single quotation marks to prevent Windows PowerShell from evaluating the reserved word or combination of words. You also can use the grave accent (`) character to prevent the evaluation of a single character. In rare cases, an executable file does not run correctly at a Windows PowerShell command prompt. You should test batch files to ensure that they work properly at a Windows PowerShell command prompt.

Key Features in Windows PowerShell 4.0


Windows PowerShell 4.0 includes several new features that improve Windows PowerShell functionality and enable greater management capability for Windows 8.1 PCs. Windows PowerShell 4.0 is backward compatible with previous versions of Windows PowerShell and includes several new features, such as:

• Windows PowerShell Desired State Configuration. This feature enables you to deploy and manage configuration data for the Windows environment and software services. With Desired State Configuration, you can create a variable containing configuration data, and pass that variable to the Start-DscConfiguration cmdlet to carry out the configuration.
• Save-Help cmdlet. The Save-Help cmdlet enables you to save help for installed modules present on remote computers.
• The new default setting for execution policy in Windows Server 2012 R2 is RemoteSigned.
• Support for Windows PowerShell Workflow debugging and remote script debugging.
• Windows PowerShell Workflow reconnects to managed nodes automatically after an unexpected crash or restart.
• You can disconnect from and connect to an existing session in Windows PowerShell Web Access.
• You can open multiple Windows PowerShell Web Access windows in a single browser session.

For more information, see the following webpage on the Microsoft TechNet website. What's New in Windows PowerShell http://go.microsoft.com/fwlink/?LinkId=378231&clcid=0x409

What Is Windows PowerShell ISE?


You can create Windows PowerShell scripts by using a simple text editor. However, you can reduce the amount of troubleshooting that you perform for your scripts if you use Windows PowerShell ISE. Windows PowerShell ISE provides additional features that make it easier to create scripts:

• Color coding. Windows PowerShell ISE provides color coding of cmdlets, parameters, and variables. This helps you visually identify syntax errors as you are typing or editing a script.
• Microsoft IntelliSense. IntelliSense provides suggestions as you type. When you type a cmdlet or parameter, IntelliSense provides similar information to that provided by tab completion. This helps you minimize typographical errors and speeds up the entry of the script.
• Line numbers and column numbers. These are displayed in the editor, which simplifies troubleshooting because error messages display the line number and column number where the error occurred.
• Ability to run selected code. You can select a specific portion of a script to run just those lines. This allows you to test parts of a script as you create it.
• Debugging tools. You can set breakpoints in a script and then query variable values to identify why errors are occurring, or to confirm that the values are correct.
• A command toolbar. This provides a list of cmdlets and the parameters that are available for those cmdlets. In some cases, this removes the need to view help documentation for a cmdlet.
• Multiple tabs for multiple scripts. You can have multiple scripts open at the same time, each contained on its own tab. This allows you to move content from one script to another.

Demonstration: Using Windows PowerShell ISE


In this demonstration, you will see how to:

• Prepare the computer to run scripts.
• Open and review a script.
• Modify and test a script.
• Run a script from the Windows PowerShell command prompt.

Demonstration Steps

Prepare the computer to run scripts
1. On LON-CL1, open the Administrative Tools, and then open Windows PowerShell ISE.
2. In Windows PowerShell ISE, at the Windows PowerShell command prompt, use the Get-ExecutionPolicy cmdlet to view the current execution policy for scripts.

Open and review a script
1. In Windows PowerShell ISE, open E:\Labfiles\Mod04\Services.ps1.
2. Read the script, and then explain what the script is doing. Note the following:
   o Comments are green
   o Variables are red
   o Cmdlets are bright blue
   o Text in quotation marks is dark red

Modify and test a script
1. Select line 3 in the script, and then run the selection.
2. In the Console pane, view the contents of the $services variable.
3. Run the script, and then read the output. Notice that it does not have multiple colors.
4. At the end of line 14, type -ForegroundColor $color.
5. Run the script, and then read the output. Notice that running services are green and services that are not running are red.
6. On line 16, type Write-Host "A total of $($services.count) services were evaluated".
7. Run the script.
8. In the Commands pane, build a Write-Host command with the following options:
   a. BackgroundColor: Gray
   b. ForegroundColor: Black
   c. Object: Script execution is complete
9. Copy the command, and then paste it on line 17 of the script.
10. Run the script.
11. Save the script.

Run a script from the Windows PowerShell command prompt
1. Open a Windows PowerShell command prompt.
2. At the Windows PowerShell command prompt, type Set-Location E:\Labfiles\Mod04, and then press Enter.
3. Type .\Services.ps1, and then press Enter.

Using Windows PowerShell Scripts


You can accomplish several tasks by using a pipeline and multiple cmdlets. There might be times where you need to run multiple cmdlets, make choices, wait for tasks to complete, or run the same code repeatedly. In these cases, you can use a Windows PowerShell script to put all of the steps together. A script is a text-based file that includes at least one Windows PowerShell command and is saved with a .ps1 extension. You can create scripts to take input from the command line, thereby enabling you to customize how a script executes.

Execution Policy

By default, the execution policy does not allow Windows PowerShell scripts to be executed. This safeguards a computer by preventing unattended scripts from running without an administrator's knowledge. There are five execution policies that you can set:

• Restricted. This is the default policy for Windows 8.1. It does not allow configuration files to load, nor does it allow scripts to be run. The Restricted execution policy is perfect for any computer on which you do not run scripts, or on which you run scripts only rarely. Keep in mind that you could open the shell manually with a less restrictive execution policy.
• AllSigned. This policy requires that a trusted publisher sign all scripts and configuration files, including scripts that are created on your local computer. This execution policy is useful for environments where you do not want to run any script unless it has a trusted digital signature. This policy needs additional effort because it requires you to digitally sign every script that you write, and then re-sign each script every time that you make any changes to it.
• RemoteSigned. This policy requires that a trusted publisher sign all scripts and configuration files downloaded from the Internet. This execution policy is useful because it assumes that local scripts are ones that you create yourself and that you trust them. It does not require those scripts to be signed. Scripts that are downloaded from the Internet or received through email, however, are not trusted unless they carry an intact, trusted digital signature. You could still run those scripts by running the shell under a less restrictive execution policy, for example, or even by signing the script yourself. However, those are additional steps that you have to take, so it is unlikely that you would run such a script accidentally or unknowingly.
• Unrestricted. This policy loads all configuration files and runs all scripts. If you run a script that was downloaded from the Internet, you are warned about potential dangers and must give permission for the script to run. The Unrestricted execution policy typically is not appropriate for production environments because it provides little protection against accidentally or unknowingly running untrusted scripts.
• Bypass. This policy loads all configuration files and runs all scripts. If you run a script that was downloaded from the Internet, the script will run without any warnings. This execution policy typically is not appropriate for production environments because it provides no protection against accidentally or unknowingly running untrusted scripts.

You can view the execution policy for a computer by using the Get-ExecutionPolicy cmdlet. To configure the execution policy, you must open an elevated Windows PowerShell command prompt and then run the Set-ExecutionPolicy cmdlet. After you configure the execution policy, you can run a script by typing the entire name of the script.

Running a Script

When you run a script, you cannot provide just the name of the script; you need to provide the path to the script as well. If the file is not in the current directory, you can provide a complete path, such as C:\scripts\Myscript.ps1. You also can specify a relative path such as .\Myscript.ps1, which runs the script from the current directory. The following script displays a list of files on drive C that have been modified in the last seven days.
$date = (Get-Date).AddDays(-7)
Get-ChildItem C:\ -Recurse | Where-Object {$_.LastWriteTime -gt $date}

The first line of this script gets the date seven days prior to the current date and puts it in a variable named $date. The second line of the script obtains a list of all of the files on drive C and uses Where-Object to filter the list of files to include only those that have a LastWriteTime that is greater than the value of $date.
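The following added example (not from the course materials) extends the two-line script above into a parameterized script, so the path and look-back window can be supplied from the command line as the section describes. The script name Get-RecentFiles.ps1 and its parameter names are this example's own.

```powershell
<#
.SYNOPSIS
    Lists files under a path that were modified within the last N days.
    Added example, not course code; the cmdlets used ship with Windows 8.1.
.PARAMETER Path
    Folder to search. Defaults to the root of drive C.
.PARAMETER Days
    Look-back window in days. Defaults to 7, matching the script above.
.EXAMPLE
    .\Get-RecentFiles.ps1 -Path C:\Users -Days 3
#>
param(
    [string]$Path = 'C:\',

    [ValidateRange(1, 3650)]
    [int]$Days = 7
)

# Compute the cut-off once; every file in the pipeline is compared against it.
$date = (Get-Date).AddDays(-$Days)

# -File restricts the result to files (no folders). Access-denied errors on
# protected system folders are suppressed so the listing runs to completion
# instead of stopping at the first folder the current user cannot read.
Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $date } |
    Sort-Object LastWriteTime -Descending |
    Select-Object FullName, LastWriteTime, Length
```

Save it as Get-RecentFiles.ps1 and run it with .\Get-RecentFiles.ps1 -Days 3; under the default Restricted execution policy the script will not run, and Get-Help .\Get-RecentFiles.ps1 displays the comment-based help at the top of the file.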

Overview of Windows PowerShell Remoting


You use Windows PowerShell to connect to computers remotely and run scripts or query information. Some cmdlets use the -ComputerName parameter to specify a remote computer that should be contacted. When you use the -ComputerName parameter, you can provide a single computer name, a comma-separated list, or a variable that contains multiple computer names. You need to review the documentation for a cmdlet to determine whether it supports the -ComputerName parameter. This example shows how to query a list of processes from a remote computer.
Get-Process -ComputerName LON-DC1.adatum.com

Windows PowerShell Remoting

You can use Windows PowerShell remoting to run cmdlets or scripts on remote computers, regardless of whether the cmdlets support the ComputerName parameter. You also can use Windows PowerShell remoting to create a remote session at a Windows PowerShell command prompt or in Windows PowerShell ISE.

To enable Windows PowerShell remoting, you need to use the Enable-PSRemoting cmdlet. The Enable-PSRemoting cmdlet configures WinRM if it is not already configured and configures all of the necessary permissions. You also can use Group Policy to enable Windows PowerShell remoting.

This example shows how to retrieve a directory listing from a remote computer.
Invoke-Command -ComputerName LON-DC1.adatum.com -ScriptBlock {Get-ChildItem C:\}

This example shows how to run a script on a remote computer.
Invoke-Command -ComputerName LON-DC1.adatum.com -FilePath E:\Scripts\MyScript.ps1

Note: When you run a script on a remote computer, the script does not need to exist on the remote computer. The script is copied from the local computer to the remote computer.

This example shows how to create a remote session at a Windows PowerShell command prompt.
Enter-PSSession -ComputerName LON-DC1.adatum.com

Demonstration: Using Windows PowerShell Remoting

In this demonstration, you will see how to enable Windows PowerShell remoting on a client computer and how to use Windows PowerShell remoting in several basic scenarios.

Demonstration Steps
1. Ensure that you are signed in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. Ensure that you have the correct execution policy in place by running the command Set-ExecutionPolicy RemoteSigned.
3. Enable Windows PowerShell remoting.
4. Open a one-to-one connection to LON-DC1.
5. Get a list of processes that are running on LON-DC1.
6. Close the LON-DC1 connection.
7. Get a list of the most recent 10 Security event log entries from LON-CL1 and LON-DC1.
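The last demonstration step, collecting the 10 newest Security log entries from LON-CL1 and LON-DC1, carried out in a single remoting call. This is an added example, not the course's own demonstration script; it assumes remoting is already enabled on both computers and that the signed-in account is an administrator on them, which reading the Security log requires.

```powershell
# Added example: fan one Security-log query out to several computers with
# Windows PowerShell remoting. Computer names are the course lab machines.
$computers = 'LON-CL1', 'LON-DC1'

# Confirm WinRM answers on each target first, so a computer that is offline
# or does not have remoting enabled is reported by name instead of failing
# the whole Invoke-Command with a generic transport error.
$reachable = foreach ($c in $computers) {
    try {
        Test-WSMan -ComputerName $c -ErrorAction Stop | Out-Null
        $c
    } catch {
        Write-Warning "Remoting is not available on $c : $($_.Exception.Message)"
    }
}

if (-not $reachable) {
    Write-Warning 'No computers reachable; nothing to collect.'
    return
}

# The script block runs on every reachable target. Each returned object is
# stamped with PSComputerName, which is how the merged output is attributed
# to its source once the results come back.
$events = Invoke-Command -ComputerName $reachable -ScriptBlock {
    Get-EventLog -LogName Security -Newest 10
}

$events |
    Sort-Object PSComputerName, TimeGenerated -Descending |
    Format-Table PSComputerName, TimeGenerated, EventID, EntryType -AutoSize
```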

Lesson 3

Using Group Policy to Manage Windows 8.1

Group Policy is an effective way to manage the configuration of Windows 8.1 computers. You can configure thousands of settings and enforce them on desktop computers. In addition to Group Policy settings, you can use Group Policy Preferences to configure the user environment with options such as printers and drive mappings. To ensure that you can implement Group Policy for your organization, you need to understand how Group Policy Objects (GPOs) are processed. You also should be aware of the tools that you can use to troubleshoot application of Group Policy.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe GPOs and Group Policy settings.
• Describe how to configure Group Policy settings.
• Describe Group Policy Preferences.
• Describe how to configure GPOs in a domain environment.
• Configure domain-based GPOs.
• Determine how GPOs are processed and applied.

What Are GPOs and Group Policy Settings?


Group Policy is a system for applying configuration settings to Windows clients and servers. You create GPOs that contain Group Policy settings. Domain-joined Windows 8.1 computers download and apply the settings in GPOs.

GPOs

A GPO is an object that contains one or more policy settings that apply configuration settings for users, computers, or both. GPOs in AD DS are stored in the SYSVOL share on domain controllers, and you can manage them by using the Group Policy Management Console (GPMC). Within the GPMC, you can open and edit a GPO by using the Group Policy Management Editor window. GPOs are logically linked to AD DS containers to apply settings to the objects in those containers.

Note: GPOs can be linked to AD DS sites, domains, and organizational units (OUs). GPOs cannot be linked to the default Computers or Users containers.

Group Policy Settings

A Group Policy setting is the most specific component of Group Policy. It defines a specific configuration change to apply to an object (a computer, a user, or both) within AD DS. Group Policy has thousands of configurable settings. These settings can affect nearly every area of the computing environment. Not all settings can be applied to all older versions of Windows Server and Windows operating systems. Each new version introduces new settings and capabilities that only apply to that specific version. If a computer has a Group Policy setting applied that it cannot process, it simply ignores it. Most policy settings have three states:

• Not Configured. The GPO will not modify the existing configuration of the particular setting for the user or computer.
• Enabled. The policy setting will be applied.
• Disabled. The policy setting is specifically reversed.

By default, most settings are set to Not Configured.

Note: Some settings are multivalued or have text string values. These typically are used to provide specific configuration details to applications or operating system components. For example, a setting might provide the URL of the home page for Internet Explorer or a list of blocked applications.

The effect of the configuration change depends on the policy setting. For example, if you enable the Prohibit Access to Control Panel policy setting, users will be unable to open Control Panel. If you disable the policy setting, you ensure that users can open Control Panel. Notice the double negative in this policy setting: you disable a policy setting that prevents an action, thereby allowing the action.

Group Policy Settings Structure


There are two distinct areas of Group Policy settings:

• User settings. These are settings that modify the HKEY_CURRENT_USER hive of the registry.
• Computer settings. These are settings that modify the HKEY_LOCAL_MACHINE hive of the registry.

User and computer settings each have three areas of configuration, as described in the following table.

Section: Software settings
Description: Contains software settings that can be deployed to either the user or the computer. Software that is deployed or published to a user is specific to that user. Software that is deployed to a computer is available to all users of that computer.

Section: Windows operating system settings
Description: Contains script settings and security settings for both user and computer, and Internet Explorer maintenance for the user configuration.

Section: Administrative templates
Description: Contains hundreds of settings that modify the registry to control various aspects of the user and computer environment. New administrative templates might be created by Microsoft or other vendors. You can add these new templates to the GPMC. For example, Microsoft has Office 2010 templates that are available for download that you can add to the GPMC.

Group Policy Management Editor

The Group Policy Management Editor window displays the individual Group Policy settings that are available in a GPO. These are displayed in an organized hierarchy that begins with the division between computer settings and user settings, and then expands to show the Computer Configuration node and the User Configuration node. All Group Policy settings and preferences are configured in the Group Policy Management Editor window.

Group Policy Preferences

In addition to the Group Policy sections shown in the preceding table, a Preferences node is present under both the Computer Configuration and User Configuration nodes in the Group Policy Management Editor window. Preferences provide even more capabilities with which to configure the environment. Group Policy Preferences are discussed later in this module.

Demonstration: Configuring Group Policy Settings


In this demonstration, you will see how to:

• Edit the local GPO to restrict the use of registry editing tools.
• Edit the local GPO to allow administrators to use registry editing tools.

Demonstration Steps

Edit the local GPO to restrict the use of registry editing tools
1. On LON-CL1, open the Local Group Policy Editor.
2. In User Configuration\Administrative Templates\System, configure the Prevent access to registry editing tools policy setting as Enabled.
3. Attempt to run Regedit.exe, and then review the error message.

Edit the local GPO to allow administrators to use registry editing tools
1. Open the Microsoft Management Console, add the Group Policy Object Editor snap-in, and then select the Administrators GPO. In the Browse for a Group Policy Object window, click the Users tab, click Administrators, and then click OK.
2. In User Configuration\Administrative Templates\System, configure the Prevent access to registry editing tools policy setting as Disabled.
3. Run Regedit.exe, and then verify that it starts successfully.
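A way to verify the outcome of the two demonstration steps without launching Regedit.exe: the policy writes the DisableRegistryTools value under the per-user Policies\System key, so reading it through the HKCU: Windows PowerShell drive shows whether the setting is Enabled, Disabled or Not Configured for the signed-in user. This is an added example, not part of the course; the function name is this example's own.

```powershell
# Added example: report the effect of "Prevent access to registry editing
# tools" for the current user by reading the registry value the policy sets.
# DisableRegistryTools meanings: 1 = blocked, 2 = blocked in silent mode (no
# error message), 0 = explicitly allowed (policy Disabled); no value present
# means the policy is Not Configured.
function Get-RegistryToolsPolicy {
    $key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

    # Get-ItemProperty fails if the key or the value does not exist; either
    # case is treated as "no policy value present".
    $item = Get-ItemProperty -Path $key -Name DisableRegistryTools -ErrorAction SilentlyContinue

    if ($null -eq $item) {
        $value  = 'Not Configured'
        $effect = 'Allowed (no policy value present)'
    } else {
        $value = $item.DisableRegistryTools
        switch ($value) {
            0       { $effect = 'Allowed (policy Disabled)' }
            1       { $effect = 'Blocked' }
            2       { $effect = 'Blocked, Regedit exits without a message' }
            default { $effect = "Unrecognized value $value" }
        }
    }

    [pscustomobject]@{
        User            = "$env:USERDOMAIN\$env:USERNAME"
        RegistryPath    = $key
        PolicyValue     = $value
        Effect          = $effect
        RegeditRunnable = ($effect -like 'Allowed*')
    }
}

Get-RegistryToolsPolicy | Format-List
```

Run it once after step 3 of each part of the demonstration: the first run should report Blocked, and the second, after the Administrators GPO sets the policy to Disabled, should report a value of 0 and Allowed.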

Overview of Group Policy Preferences


Group Policy Preferences are a set of Group Policy extensions that expand the range of configurable settings in a GPO. Like Group Policy settings, Group Policy Preferences are available for both users and computers. However, unlike Group Policy settings, preferences are not enforced. Users can change the configurations that are applied. Also, by default, Group Policy Preferences remain even when the GPO that contains the preferences is no longer applicable. Some of the more common uses for Group Policy Preferences are:

• Map network drives for users
• Configure desktop shortcuts for users or computers
• Set environment variables
• Install printers
• Set power options
• Configure Start menus
• Configure data sources (ODBC connections)
• Configure Internet options
• Schedule tasks

Many of the tasks that you can perform by using Group Policy Preferences would have otherwise required scripting to perform. In some cases, Group Policy Preferences can be used in place of logon scripts.

Targeting
You can use targeting for individual Group Policy Preferences in a GPO. By using targeting, you can specify the criteria that must be met for a Group Policy preference to be applied. Security group membership is a commonly used criterion for targeting. For example, you can map drive M to the marketing share only for users who are members of the Marketing security group. Other criteria for targeting include:

• IP address range
• Operating system
• Computer name
• A battery is present
• AD DS site

Note: Group Policy Preferences are not present in local GPOs.

Configuring GPOs in a Domain Environment


You can use Group Policy in an AD DS environment to provide centralized configuration management. Domain-based GPOs are created and linked to objects within an AD DS infrastructure. The computers and users that are within those objects then are affected by the settings in the GPO, depending on how the application of the GPO is configured. Domain-based GPOs have several characteristics that do not apply to local GPOs.

GPO Storage
AD DS GPOs are stored as two components: a Group Policy container and a Group Policy template.

The Group Policy container is an AD DS object that is stored in the Group Policy Objects container in the AD DS database. The Group Policy container defines basic attributes of a GPO, but it does not contain any of the settings. The settings are contained in the Group Policy template, a collection of files that are stored in the SYSVOL of each domain controller in the %SystemRoot%\SYSVOL\Domain\Policies\ path.

This method of storage means that domain-based GPOs are stored and synchronized across all domain controllers in the domain.

GPO Linking
AD DS GPOs can be applied to an AD DS infrastructure by linking the GPO. A GPO can be linked to an AD DS site, an AD DS domain, or to an AD DS OU. This enables you to apply GPO settings to specific computers within an AD DS structure, or to the entire domain.

GPO Inheritance

GPO settings are inherited from parent objects in AD DS so that GPOs applied at a higher level are passed down to computers and users in child objects in AD DS. This behavior ensures that settings applied at a high level, such as the domain, are applied to all computers. In special cases, inheritance can be modified or blocked to provide a very specific configuration environment for certain computers or users.

GPO Application
By default, AD DS GPOs apply to all users and computers within the parent object where the GPO is linked. This application can be modified by filtering the application of GPOs by Windows Management Instrumentation (WMI) filters or security groups.

Demonstration: Configuring Domain-Based GPOs


In this demonstration, you will see how to:

• Use the GPMC to create a new GPO.
• Configure domain-based Group Policy settings.

Demonstration Steps

Use the GPMC to create a new GPO
1. Sign in to LON-DC1 as Adatum\Administrator with password Pa$$w0rd.
2. Open the Group Policy Management Console.
3. Create a new GPO called Desktop.

Configure domain-based Group Policy settings
1. Open the new Desktop policy for editing.
2. In Computer Configuration, prevent the last logon name from displaying, and then prevent Windows Installer from running.
3. In User Configuration, remove the Search link from the Start menu, and then hide the display settings tab.
4. Close all open windows.

Group Policy Processing


GPOs are applied in a consistent order that allows you to predict which settings are effective when there are conflicting settings in GPOs that apply to a user or computer. GPOs that are applied later in the process overwrite any conflicting policy settings that were applied earlier. GPOs are applied in the following order:

1. Local GPOs. Each operating system that is running Windows 2000 or newer potentially has a local Group Policy configured already.
2. Site GPOs. Policies that are linked to sites are processed next.
3. Domain GPOs. Policies that are linked to the domain are processed next. There often are multiple policies at the domain level. These policies are processed in order of preference.
4. OU GPOs. Policies linked to OUs are processed next. These policies contain settings that are unique to the objects in that OU. For example, Sales users might have special required settings. You can link a policy to the Sales OU to deliver those settings.
5. Child OU policies. Any policies that are linked to child OUs are processed last.

Objects in the containers receive the cumulative effect of all policies in their processing order. In the case of a conflict between settings, the last policy applied takes effect. For example, a domain-level policy might restrict access to registry editing tools, but you could configure an OU-level policy and link it to the Information Technology (IT) OU to reverse that policy. Because the OU-level policy is applied later in the process, access to registry tools would be available to users in the IT OU. If multiple policies are applied at the same level, an administrator can assign a preference value to control the order of processing. The default preference order is the order in which the policies were linked. You also can disable the user or computer configuration of a particular GPO. If one section of a policy is known to be empty, then you should disable the empty section to speed up policy processing. For example, if you have a policy that only delivers user desktop configuration, you could disable the computer side of the policy.

Options for Modifying Group Policy Processing


You can modify the default processing of GPOs by using:

• Security filtering. You can use security filtering to specify the users, computers, or groups that are able or not able to process a GPO. For example, you could specify that members of the Technical Support group have special security settings.
• Enforcement. You can use enforcement to ensure that settings in a specific GPO apply regardless of any lower-level GPOs that would normally override this GPO. For example, you could specify standardized security settings at the domain level.
• Block inheritance. You can use block inheritance to prevent settings from a higher-level OU from being inherited by a lower-level OU. For example, settings applied at the domain level could be blocked from impacting users in the IT OU.

Note: When a link is enforced and a lower-level OU blocks inheritance, the settings in the enforced GPO are applied.

Lab: Using Management Tools to Configure Windows 8.1 Settings


Scenario
You have been asked to configure the Windows 8.1 computers in A. Datum Corporation's London location. There are 100 computers used by internal departments that have varying configuration requirements:

• Computers on the machine floor require that Windows Updates be disabled. These computers are not updated until the equipment manufacturer verifies that the updates are compatible with the applications that run on the equipment.
• Computers on the machine floor should not allow remote management. This is done to ensure that changes are not made remotely that might impact the equipment.
• All computers not on the machine floor should be managed remotely. Remote Desktop should be allowed on all computers that are not on the machine floor. Windows PowerShell remoting should be enabled for all computers that are not on the machine floor.

Servers and domain controllers should not be affected by configurations that are applied to desktop computers.

You should implement these configuration settings and then test the configuration with LON-CL1, a computer on the machine floor, and LON-CL2, a computer in the Finance department.

Objectives
After completing this lab, you will be able to:

• Plan the management of Windows 8.1 computers.
• Manage Windows 8.1 by using Group Policy.
• Implement Windows PowerShell remoting.

Lab Setup
Estimated Time: 30 minutes
Virtual machines: 20687C-LON-DC1, 20687C-LON-CL1, 20687C-LON-CL2
User name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687C-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in by using the following credentials:
   o User name: Adatum\Administrator
   o Password: Pa$$w0rd
5. Repeat steps 2 to 4 for 20687C-LON-CL1 and 20687C-LON-CL2.


Exercise 1: Planning Management of Windows 8.1 Computers


Scenario

You need to determine the best way to manage computers that are running Windows 8.1 for A. Datum Corporation. There are 100 internal computers that are used by various departments. Some departments have different needs than others:

- Computers on the machine floor require that Windows Update be disabled. These computers are not updated until the equipment manufacturer verifies that the updates are compatible with the apps that run the equipment.
- Computers on the machine floor should not allow remote management. This ensures that changes are not made remotely that might impact the equipment.
- All computers not on the machine floor should be managed remotely.
- Remote Desktop should be allowed on all computers that are not on the machine floor.
- Windows PowerShell remoting should be enabled for all computers that are not on the machine floor.

Servers and domain controllers should not be affected by configurations that are applied to desktop computers.

The main task for this exercise is as follows:
1. Plan the management of Windows 8.1 computers.

Task 1: Plan the management of Windows 8.1 computers


Answer the following questions:
1. What tool will you use to apply the configuration changes to domain-joined computers?
2. Are there any OU structure requirements to meet the management needs on the internal network?
3. Could you use security filtering as an alternative to a new OU structure?

Results: After completing this exercise, you will have planned the management of Windows 8.1 computers.

Exercise 2: Managing Windows 8.1 by Using Group Policy


Scenario

After completing your plan, you need to begin implementing it. The implementation process includes setting up GPOs and OUs to allow for the separate management of client computers and machine floor computers.

You will create two OUs, named MachineFloor and CorpComputers. Computers from the machine floor will be placed into the MachineFloor OU, and the rest of the Windows 8.1 computers will be placed into the CorpComputers OU.

The main tasks for this exercise are as follows:
1. Create an OU structure for managing computers.
2. Configure Group Policy for computers on the machine floor.
3. Verify the application of Windows Update settings to LON-CL2.
4. Configure Group Policy for other client computers.
5. Verify that remote administration is functional.

Task 1: Create an OU structure for managing computers


1. On LON-DC1, open Active Directory Administrative Center.
2. In the Adatum.com domain, create a new OU named MachineFloor.
3. In the Adatum.com domain, create a new OU named CorpComputers.
4. Move LON-CL1 from the Computers container to the CorpComputers OU.
5. Move LON-CL2 from the Computers container to the MachineFloor OU.
6. Restart LON-CL1 and LON-CL2, and then sign in to both as Adatum\Administrator with the password Pa$$w0rd.

Task 2: Configure Group Policy for computers on the machine floor


1. On LON-DC1, open the Group Policy Management console.
2. Block inheritance at the MachineFloor OU. Blocking inheritance stops every non-enforced GPO linked above the OU, including the Default Domain Policy; any GPO that must still reach the machine floor has to be linked as Enforced.
3. Create a new GPO named MachineFloor, and then link it to the MachineFloor OU.
4. Edit the MachineFloor GPO, and then browse to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update.
5. Disable the Configure Automatic Updates setting.

Task 3: Verify the application of Windows Update settings to LON-CL2


1. On LON-CL2, open Windows PowerShell, and then run gpupdate.
2. Run gpresult /h C:\results.htm.
3. Open C:\results.htm.
4. In Internet Explorer, read the Summary and verify that inheritance is blocking all non-enforced GPOs linked above Adatum.com/MachineFloor.
5. In Computer Details\Settings, verify that Configure Automatic Updates is Disabled.

Task 4: Configure Group Policy for other client computers


1. On LON-DC1, in Group Policy Management, create a new GPO named CorpComputers, and then link it to the CorpComputers OU.
2. Edit the CorpComputers GPO, and then browse to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update.
3. Enable the Configure Automatic Updates setting.
4. Browse to Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Inbound Rules.
5. Create a new inbound rule:
   o Predefined: COM+ Remote Administration
   o Allow the connection
   o Leave other settings with default values
6. Create a new inbound rule:
   o Predefined: Remote Event Log Management
   o Allow the connection
   o Leave other settings with default values
7. On LON-CL1, open Windows PowerShell, and then run gpupdate.

Task 5: Verify that remote administration is functional


1. On LON-DC1, open Computer Management.
2. In Computer Management, connect to LON-CL1, and then verify that you can access Event Viewer.
3. Connect to LON-CL2. This connection fails because the MachineFloor OU blocks inheritance and no GPO linked to it opens the remote administration firewall rules, so inbound remote management remains blocked on machine floor computers.

Results: After completing this exercise, you should have implemented an OU structure and GPO structure to support remote management of computers.
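The five tasks above can also be carried out from Windows PowerShell on LON-DC1 instead of the consoles. The following script is an added example and is not part of the course material. It assumes that the ActiveDirectory, GroupPolicy and NetSecurity modules are available on LON-DC1, that both clients still sit in the Computers container, and that the Configure Automatic Updates policy is backed by the NoAutoUpdate and AUOptions values under the WindowsUpdate\AU policy key (Disabled writes NoAutoUpdate=1). The $layout mapping and the variable names are the example's own.

```powershell
# Added example, not part of the course: builds the lab's OU and GPO structure from LON-DC1.
# Assumes the ActiveDirectory, GroupPolicy and NetSecurity modules (present on a 2012 R2 DC).
Import-Module ActiveDirectory, GroupPolicy, NetSecurity

$domain     = Get-ADDomain
$domainDn   = $domain.DistinguishedName          # DC=Adatum,DC=com
$domainFqdn = $domain.DNSRoot                    # Adatum.com

# OU name -> lab computer that belongs in it (this example's own mapping).
$layout = @{
    MachineFloor  = 'LON-CL2'   # updates off, no remote management
    CorpComputers = 'LON-CL1'   # updates on, managed remotely
}

foreach ($ou in $layout.Keys) {
    $ouDn = "OU=$ou,$domainDn"
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ou'" -SearchBase $domainDn)) {
        New-ADOrganizationalUnit -Name $ou -Path $domainDn
    }
    Get-ADComputer -Identity $layout[$ou] | Move-ADObject -TargetPath $ouDn

    # One GPO per OU, linked only there, so servers and domain controllers are never in scope.
    if (-not (Get-GPO -Name $ou -ErrorAction SilentlyContinue)) {
        New-GPO -Name $ou | New-GPLink -Target $ouDn -LinkEnabled Yes | Out-Null
    }
}

# Configure Automatic Updates is registry-backed policy: Disabled writes NoAutoUpdate=1,
# Enabled writes NoAutoUpdate=0 plus an AUOptions mode (4 = auto download and schedule install).
$au = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
Set-GPRegistryValue -Name MachineFloor  -Key $au -ValueName NoAutoUpdate -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name CorpComputers -Key $au -ValueName NoAutoUpdate -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name CorpComputers -Key $au -ValueName AUOptions    -Type DWord -Value 4 | Out-Null

# Block inheritance on the floor OU: nothing linked above it (except enforced links) applies there.
Set-GPInheritance -Target "OU=MachineFloor,$domainDn" -IsBlocked Yes | Out-Null

# Firewall: copy the two predefined inbound rule groups from this DC's local policy into the
# CorpComputers GPO and enable them there. MachineFloor gets no such rules, so it stays closed.
$gpoStore = "$domainFqdn\CorpComputers"
foreach ($group in 'COM+ Remote Administration', 'Remote Event Log Management') {
    Get-NetFirewallRule -DisplayGroup $group -Direction Inbound -PolicyStore PersistentStore |
        Copy-NetFirewallRule -NewPolicyStore $gpoStore
}
Get-NetFirewallRule -PolicyStore $gpoStore | Enable-NetFirewallRule

# Check the result on the DC before touching the clients; then run gpupdate on LON-CL1 and LON-CL2.
Get-GPInheritance -Target "OU=MachineFloor,$domainDn" | Select-Object GpoInheritanceBlocked, InheritedGpoLinks
Get-GPRegistryValue -Name MachineFloor -Key $au -ValueName NoAutoUpdate
```

Copying the predefined rule groups rather than hand-writing port rules keeps the same program and service scoping that the GUI's Predefined option gives you; the copies are created disabled, which is why the script enables every rule in the GPO store afterwards.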

Exercise 3: Implementing Windows PowerShell Remoting


Scenario

As part of implementing your management plan for Windows 8.1, you need to configure Windows PowerShell remoting for all computers except those on the machine floor. You need to configure a GPO that is linked to the domain to configure Windows PowerShell remoting, and then test the functionality of your configuration. Because the MachineFloor OU blocks inheritance, the non-enforced domain-linked GPO will not reach machine floor computers. A GPO linked at the domain does, however, reach the Domain Controllers OU; outside the lab, link it to the CorpComputers OU instead so that servers and domain controllers stay out of scope, as the scenario requires.

The main tasks for this exercise are as follows:
1. Configure Windows PowerShell remoting manually.
2. Configure Windows PowerShell remoting by using Group Policy.
3. Verify the configuration of Windows PowerShell remoting.

Task 1: Configure Windows PowerShell remoting manually


1. On LON-DC1, open Windows PowerShell, and then run Enable-PSRemoting.
2. On LON-CL1, open Windows PowerShell, and then run Get-ADUser. This command is not recognized because the cmdlets for AD DS administration are not installed on LON-CL1.
3. At the Windows PowerShell command prompt, create a remote session by running Enter-PSSession -ComputerName LON-DC1.
4. Run Get-ADUser -Filter *. The cmdlet now runs on LON-DC1, where the Active Directory module is installed.
5. Exit the remote session by running Exit-PSSession.

Task 2: Configure Windows PowerShell remoting by using Group Policy


1. On LON-DC1, open Group Policy Management.
2. Create a new GPO named Enable PS Remoting, and then link it to Adatum.com.
3. Edit the Enable PS Remoting GPO, and then browse to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Service.
4. Enable the setting Allow remote server management through WinRM:
   o IPv4 filter: *
   o IPv6 filter: *
   A filter of * makes the WinRM listener accept connections on every address of the computer; in production, narrow the filter to the management subnet.
5. Browse to Computer Configuration\Policies\Windows Settings\Security Settings\System Services.
6. Configure the Windows Remote Management (WS-Management) service to start automatically.
7. Browse to Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Inbound Rules.
8. Create a new inbound rule:
   o Predefined: Windows Remote Management
   o Allow the connection
9. Close the Group Policy Management Editor window.

Task 3: Verify the configuration of Windows PowerShell remoting


1. On LON-CL1, open Windows PowerShell, and then run gpupdate.
2. Run Get-Service WinRM to verify that the WinRM service is now running.
3. On LON-DC1, open Windows PowerShell, and then run Get-Service WinRM -ComputerName LON-CL1.
4. To view the execution policy on LON-CL1, run Invoke-Command -ComputerName LON-CL1 {Get-ExecutionPolicy}.
5. To update the execution policy on LON-CL1, run Invoke-Command -ComputerName LON-CL1 {Set-ExecutionPolicy AllSigned}.

Results: After completing this exercise, you will have implemented Windows PowerShell remoting in the Adatum.com domain.
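The verification in Task 3 checks one computer by hand. The following script, an added example that is not part of the course, runs the same checks from LON-DC1 against every Windows 8.1 computer in each OU and reports whether the result matches the plan: reachable in CorpComputers, unreachable in MachineFloor. It assumes the ActiveDirectory module and the two OUs created in Exercise 2; Test-RemotingPosture and its parameters are the example's own names.

```powershell
# Added example, not part of the course: verifies from LON-DC1 that WinRM is reachable
# only where the management plan allows it. Assumes the ActiveDirectory module and the
# two OUs created in Exercise 2. Test-RemotingPosture is this example's own function.
Import-Module ActiveDirectory

function Test-RemotingPosture {
    param(
        [Parameter(Mandatory)][string]$SearchBase,   # OU whose computers are checked
        [Parameter(Mandatory)][bool]$ShouldAllow     # what the plan says for that OU
    )
    $computers = Get-ADComputer -Filter 'OperatingSystem -like "Windows 8*"' `
                                -SearchBase $SearchBase -Properties OperatingSystem
    foreach ($c in $computers) {
        # Test-WSMan sends a WS-Management Identify request to the listener on TCP 5985.
        # A stopped service, a missing listener or a closed firewall all make it fail.
        $reachable = [bool](Test-WSMan -ComputerName $c.DNSHostName -ErrorAction SilentlyContinue)
        $policy = $null
        if ($reachable) {
            # The same check the lab performs by hand in Task 3, captured per computer.
            $policy = Invoke-Command -ComputerName $c.DNSHostName -ScriptBlock { Get-ExecutionPolicy } `
                                     -ErrorAction SilentlyContinue
        }
        [pscustomobject]@{
            Computer        = $c.Name
            OU              = $SearchBase
            WinRMReachable  = $reachable
            ExecutionPolicy = $policy
            Compliant       = ($reachable -eq $ShouldAllow)
        }
    }
}

$dn = (Get-ADDomain).DistinguishedName
$report = @(Test-RemotingPosture -SearchBase "OU=CorpComputers,$dn" -ShouldAllow $true) +
          @(Test-RemotingPosture -SearchBase "OU=MachineFloor,$dn"  -ShouldAllow $false)
$report | Format-Table -AutoSize

# Anything non-compliant is either a floor computer that became manageable (policy drift)
# or a corporate computer that cannot be managed (GPO not applied yet, service stopped).
$drift = @($report | Where-Object { -not $_.Compliant })
if ($drift.Count -gt 0) {
    Write-Warning "$($drift.Count) computer(s) do not match the plan: $($drift.Computer -join ', ')"
}
```

Run it after gpupdate has completed on the clients; a freshly moved computer that has not refreshed policy shows up as drift until it does.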

To prepare for the next module


When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687C-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 through 3 for 20687C-LON-CL1 and 20687C-LON-CL2.


Module Review and Takeaways


Review Questions
Question: Recently, your organization has added Windows 8.1 computers to the network. You have tried to connect to a remote computer that is running Windows 8.1 by using Event Viewer, but you cannot connect. You know that the remote computer is turned on. Why is this problem occurring, and how can you resolve it?

Question: One of the server administrators is complaining that you need to use Remote Desktop and connect to a domain controller to manage user accounts. What alternative can you use to administer user accounts from a computer that is running Windows 8.1?

Question: You have configured a public-use computer in the lobby for visiting clients. This computer is not part of the AD DS domain. How can you secure this computer to prevent visiting clients from making changes to it and still allow administrators to have full access?


Module 5
Managing Disks and Device Drivers
Contents:
Module Overview 5-1
Lesson 1: Managing Disks, Partitions, and Volumes 5-2
Lesson 2: Maintaining Disks, Partitions, and Volumes 5-17
Lesson 3: Working with Virtual Hard Disks 5-24
Lab A: Managing Disks 5-29
Lesson 4: Installing and Configuring Device Drivers 5-34
Lab B: Configuring Device Drivers 5-47
Module Review and Takeaways 5-49

Module Overview

The Windows 8.1 operating system simplifies common tasks for information technology (IT) professionals who manage and deploy desktops and laptops, devices, or virtual environments. It also helps IT professionals take advantage of tools and skills similar to those that they use in Windows 7 and Windows 8.

Although most computers that are running Windows 8.1 have a single physical disk that is configured as a single volume, this is not always the case. For example, there might be times when you want to have multiple operating systems on a single computer, or you might want to have virtual memory on a different volume. Therefore, it is important that you understand how to create and manage simple, spanned, and striped volumes. You also may be interested in implementing the Storage Spaces feature. In addition to traditional storage, you can use Windows 8.1 to create and access virtual hard disks from within the operating system installed on a physical computer.

To help maintain and optimize file system performance, you must be familiar with file system fragmentation and the tools that you can use to defragment a volume. Additionally, a good understanding of disk quotas is helpful if you are managing available disk space on installed volumes.

To ensure that previously installed devices continue to work in Windows 8.1, Microsoft is working to make device drivers available directly from Windows Update or from device manufacturer websites.

Objectives
After completing this module, you will be able to:
- Manage disks, partitions, and volumes.
- Maintain disks, partitions, and volumes.
- Explain how to use virtual hard disks.
- Install and configure device drivers.


Lesson 1

Managing Disks, Partitions, and Volumes

Before you can use a disk in Windows 8.1, you must prepare it for use. You must partition the disk by using the master boot record (MBR) partitioning scheme or the GUID partition table (GPT) partitioning scheme. After partitioning the disk, you must create and format one or more volumes before an operating system can use the disk. You can use disk management tools to perform disk-related tasks, such as creating and formatting partitions and volumes, assigning drive letters, and resizing disks.

Lesson Objectives
After completing this lesson, you will be able to:
- Compare MBR and GPT disks.
- Describe the tools available for managing disks.
- Convert a basic disk to a dynamic disk.
- Describe a simple volume.
- Create a simple volume.
- Describe mirrored, spanned, and striped volumes.
- Create spanned and striped volumes.
- Describe the purpose of resizing volumes.
- Resize a volume.
- Describe Storage Spaces.

Comparing MBR and GPT Disks


MBR Disks

The MBR contains the partition table for a disk and a small amount of executable code called the master boot code. A bootable hard disk that contains an MBR is known as an MBR disk. The MBR is created when a disk is partitioned initially, and it is located on the first sector of the hard disk. The MBR contains a four-entry partition table that describes the size and location of each disk partition by using 32-bit logical block addressing (LBA) fields. Windows 8.1 platforms that run on motherboards with BIOS firmware, whether 32-bit or 64-bit, require an MBR-partitioned system disk; because the LBA fields are 32 bits wide, such a system cannot boot from a disk that exceeds the MBR addressing limit (2 TB with 512-byte sectors). Newer Unified Extensible Firmware Interface (UEFI)-enabled motherboards can read MBR disks and the newer GPT disks discussed later.

Note: Disk partitioning is the process of dividing a physical disk's storage into manageable pieces to support the operating system requirements.


How MBR-Based Disks Work

The MBR is stored at a consistent location on a physical disk, enabling a computer's BIOS to reference it. During the startup process, the BIOS examines the MBR to determine which partition is marked active on the installed disks. The active partition contains the operating system startup files.

Note: You can install the rest of an operating system on another partition or disk. In Windows 8.1, when you boot from an MBR disk, the active partition must contain the boot sector, Windows Boot Manager, and related files.

Features of MBR-Based Disks


The MBR partition scheme has been around for a long time, and it supports both current and early desktop operating systems, such as MS-DOS and Microsoft Windows NT Server 4.0. Consequently, the MBR partition scheme is supported widely. However, the MBR partition scheme imposes certain restrictions, including:

- Four partitions on each disk. MBR-based disks are limited to four partition table entries. All of these can be primary partitions, or one can be an extended partition that contains logical drives. You can configure the extended partition to contain multiple volumes.
- A 2 terabyte (TB) maximum partition size. The start and length fields of each entry are 32-bit sector counts, so with 512-byte sectors a partition cannot be larger than 2 TB or start beyond the first 2 TB of the disk.
- No redundancy. The MBR occupies a single sector and is a single point of failure; if it becomes corrupted or damaged, it can render an operating system unbootable.

MBR disks can be either basic or dynamic disk types. Dynamic disks support additional options that are not available on a basic disk, including volumes that span multiple disks and fault tolerant volumes.

GPT Disks

GPT disks contain an array of partition entries that describe the start and end LBA of each partition on a disk. Each GPT partition has a unique partition GUID and a partition-type GUID that identifies its content type. The LBAs in the partition table are 64 bits wide. The UEFI specification defines the GPT format, but GPT is not exclusive to UEFI systems. Both 32-bit and 64-bit Windows operating systems support GPT for data disks on BIOS systems; however, they cannot boot from GPT disks on BIOS systems. 64-bit Windows operating systems support GPT for boot disks on UEFI systems.

Features of GPT Disks


GPT-based disks address the limitations of MBR-based disks and provide support for the following:

- 128 partitions per disk. This is a vast improvement over MBR-based disks.
- 18 exabyte (EB) volume size. This is a theoretical maximum; hard-disk hardware that can support such vast volume sizes is not yet available.
- Redundancy. A backup copy of the GPT header and partition table is stored at the end of the disk, and both copies carry cyclic redundancy check (CRC32) checksums, so corruption can be detected and repaired from the surviving copy.

You can implement GPT-based disks on Windows Server 2008 and newer versions, Windows Vista, Windows 7, Windows 8, and Windows 8.1. You cannot use the GPT partition style on removable disks.


GPT Architecture
A GPT-partitioned disk defines the following sectors:

- Sector 0 contains a legacy protective MBR, which contains one primary partition (type 0xEE) that covers the entire disk, or as much of it as a 32-bit sector count can express:
  o The protective MBR protects GPT disks from previously released MBR disk tools, such as MS-DOS Fdisk or Windows NT Disk Administrator. These tools view a GPT disk as having a single encompassing (possibly unrecognized) partition by interpreting the protective MBR, rather than mistaking the disk for one that is not partitioned. Legacy software that does not know about GPT interprets only the protective MBR when it accesses a GPT disk.
- Sector 1 contains the partition table header. The partition table header contains the unique disk GUID, the number of partition entries (usually 128), and pointers to the partition table.
- The partition table starts at sector 2. Each partition entry contains a unique partition GUID, the partition offset, length, type (also a GUID), attributes, and a 36-character name.

The following table describes the partitions that Windows 8.1 creates when you install it on a GPT disk.

Partition: EFI system partition (ESP)
Size: 100 megabytes (MB)
Description: Contains the Windows Boot Manager, the files that booting an operating system requires, the platform tools that run before an operating system boots, or the files that the Windows Boot Manager must access before an operating system boots. The ESP must be the first partition on the disk because it is impossible to span volumes when the ESP is logically between what you are attempting to span.

Partition: Microsoft Reserved (MSR) partition
Size: 128 MB
Description: Reserved for Windows components. This partition is hidden in Disk Management and does not receive a drive letter. Usage example: when you convert a basic GPT disk to dynamic, the system decreases the size of the MSR partition and uses that space to create the Logical Disk Manager (LDM) Metadata partition.

Partition: Operating system
Size: Remaining disk
Description: Contains the operating system and is the size of the remaining disk.
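To make the layout described above concrete, the following added example (not from the course) builds sector 0 and sector 1 of a GPT disk in memory exactly as the text lays them out, then parses them back and verifies the header checksum. The functions, the hypothetical 8 TB disk size and the random disk GUID are the example's own. To examine a real disk, read the first 1024 bytes of \\.\PhysicalDriveN in an elevated session and pass each 512-byte half to the same functions.

```powershell
# Added example, not part of the course: construct and parse a protective MBR and a GPT header.
function Get-Crc32 {
    # CRC-32 (reflected polynomial 0xEDB88320), the checksum GPT stores for header and table.
    param([byte[]]$Data)
    $poly = 3988292384                       # 0xEDB88320 written as a positive 64-bit literal
    $table = foreach ($n in 0..255) {
        $c = [long]$n
        for ($k = 0; $k -lt 8; $k++) {
            $c = if ($c -band 1) { $poly -bxor ($c -shr 1) } else { $c -shr 1 }
        }
        $c
    }
    $crc = [long]4294967295                  # 0xFFFFFFFF
    foreach ($b in $Data) { $crc = $table[($crc -bxor $b) -band 0xFF] -bxor ($crc -shr 8) }
    return [uint32](($crc -bxor 4294967295) -band 4294967295)
}

function New-SampleSectors {
    # Constructed sample for a hypothetical 8 TB disk: 2^34 sectors of 512 bytes.
    $totalSectors = [long]17179869184
    $mbr = New-Object byte[] 512
    $e = 446                                                            # first of four 16-byte entries
    $mbr[$e + 4] = 0xEE                                                 # type 0xEE: GPT protective
    [BitConverter]::GetBytes([uint32]1).CopyTo($mbr, $e + 8)            # starts at LBA 1
    [BitConverter]::GetBytes([uint32]::MaxValue).CopyTo($mbr, $e + 12)  # 32-bit count saturates at 2^32-1
    $mbr[510] = 0x55; $mbr[511] = 0xAA                                  # boot signature

    $hdr = New-Object byte[] 512
    [Text.Encoding]::ASCII.GetBytes('EFI PART').CopyTo($hdr, 0)         # signature
    [BitConverter]::GetBytes([uint32]65536).CopyTo($hdr, 8)             # revision 1.0 (0x00010000)
    [BitConverter]::GetBytes([uint32]92).CopyTo($hdr, 12)               # header size
    [BitConverter]::GetBytes([uint64]1).CopyTo($hdr, 24)                # this header's LBA
    [BitConverter]::GetBytes([uint64]($totalSectors - 1)).CopyTo($hdr, 32)   # backup header at last LBA
    [BitConverter]::GetBytes([uint64]34).CopyTo($hdr, 40)               # first usable LBA (after 32 table sectors)
    [BitConverter]::GetBytes([uint64]($totalSectors - 34)).CopyTo($hdr, 48)  # last usable LBA
    [Guid]::NewGuid().ToByteArray().CopyTo($hdr, 56)                    # disk GUID (random here)
    [BitConverter]::GetBytes([uint64]2).CopyTo($hdr, 72)                # partition entries start at LBA 2
    [BitConverter]::GetBytes([uint32]128).CopyTo($hdr, 80)              # number of entries
    [BitConverter]::GetBytes([uint32]128).CopyTo($hdr, 84)              # bytes per entry
    # The header CRC covers the 92-byte header with the CRC field itself still zero.
    [BitConverter]::GetBytes((Get-Crc32 -Data $hdr[0..91])).CopyTo($hdr, 16)
    return @{ Sector0 = $mbr; Sector1 = $hdr }
}

function Read-Mbr {
    param([byte[]]$Sector0)
    if ($Sector0[510] -ne 0x55 -or $Sector0[511] -ne 0xAA) { throw 'No MBR boot signature (0x55AA)' }
    foreach ($i in 0..3) {
        $o = 446 + 16 * $i
        if ($Sector0[$o + 4] -eq 0) { continue }                        # unused slot
        $count = [BitConverter]::ToUInt32($Sector0, $o + 12)
        [pscustomobject]@{
            Slot       = $i
            Bootable   = ($Sector0[$o] -eq 0x80)
            Type       = '0x{0:X2}' -f $Sector0[$o + 4]
            Protective = ($Sector0[$o + 4] -eq 0xEE)
            StartLba   = [BitConverter]::ToUInt32($Sector0, $o + 8)
            Sectors    = $count
            SizeBytes  = [long]$count * 512                             # 32-bit LBA: never more than ~2 TB
        }
    }
}

function Read-GptHeader {
    param([byte[]]$Sector1)
    $sig = [Text.Encoding]::ASCII.GetString($Sector1, 0, 8)
    if ($sig -ne 'EFI PART') { throw "Not a GPT header (signature '$sig')" }
    $size   = [int][BitConverter]::ToUInt32($Sector1, 12)
    $stored = [BitConverter]::ToUInt32($Sector1, 16)
    $copy = [byte[]]$Sector1[0..($size - 1)]
    for ($i = 16; $i -lt 20; $i++) { $copy[$i] = 0 }                    # zero the CRC field before hashing
    [pscustomobject]@{
        Revision    = '{0}.{1}' -f [BitConverter]::ToUInt16($Sector1, 10), [BitConverter]::ToUInt16($Sector1, 8)
        HeaderCrcOk = ((Get-Crc32 -Data $copy) -eq $stored)
        CurrentLba  = [BitConverter]::ToUInt64($Sector1, 24)
        BackupLba   = [BitConverter]::ToUInt64($Sector1, 32)
        FirstUsable = [BitConverter]::ToUInt64($Sector1, 40)
        LastUsable  = [BitConverter]::ToUInt64($Sector1, 48)
        DiskGuid    = New-Object -TypeName Guid -ArgumentList (,[byte[]]$Sector1[56..71])
        EntriesLba  = [BitConverter]::ToUInt64($Sector1, 72)
        EntryCount  = [BitConverter]::ToUInt32($Sector1, 80)
        EntrySize   = [BitConverter]::ToUInt32($Sector1, 84)
    }
}

$sample = New-SampleSectors
Read-Mbr -Sector0 $sample.Sector0 | Format-List       # one 0xEE entry, 2^32-1 sectors, about 2 TB
Read-GptHeader -Sector1 $sample.Sector1 | Format-List # HeaderCrcOk = True, 128 entries of 128 bytes at LBA 2
```

The protective entry saturating at 2^32-1 sectors is the MBR limit from the previous topic made visible: on the 8 TB sample, legacy tools see a 2 TB partition and nothing beyond it. Flipping any byte of the header before calling Read-GptHeader turns HeaderCrcOk to False, which is the check Windows relies on to decide whether to fall back to the backup header at BackupLba.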


Disk Management Tools


You can use the following tools to manage disks and the volumes or partitions that they contain on Windows 8.1:

- Disk Management. A GUI for managing disks and volumes, both basic and dynamic, locally or on remote computers. After you select the remote computer that you want to manage, you can perform the same tasks that you typically perform when you use a local computer.
- DiskPart. A scriptable command-line tool with functionality that is similar to Disk Management, which also includes advanced features. You can create scripts to automate disk-related tasks, such as creating volumes or converting disks to dynamic. This tool always runs locally.
- Windows PowerShell 4.0. Windows PowerShell is a scripting language that is used to accomplish many tasks in the Windows environment. Starting with Windows PowerShell 3.0, disk management cmdlets are included for use as stand-alone commands or as part of a script.

Note: The Storage module cmdlets in Windows PowerShell 4.0 are the intended scripting replacement for DiskPart; DiskPart itself is still included in Windows 8.1.

Note: Windows 8.1 does not support remote Disk Management connections in workgroups. Both the local computer and the remote computer must be in a domain to use Disk Management to manage a disk remotely.

Note: Do not use disk-editing tools such as DskProbe.exe to make changes to GPT disks. Any change that you make renders the checksums invalid, which may cause the disk to become inaccessible. To make changes to GPT disks, use Windows PowerShell, DiskPart, or Disk Management.

With any of these tools, you can initialize disks, create volumes, and format a volume file system. Additional common tasks include moving disks between computers, changing disks between basic and dynamic types, and changing the partition style of disks. You can perform most disk-related tasks without restarting a system or interrupting users, and most configuration changes take effect immediately.

Disk Management

Using the Disk Management snap-in to the Microsoft Management Console (MMC), administrators can quickly manage standard and fault tolerant volume sets, and can confirm the health of each volume. Disk Management in Windows 8.1 provides the same features with which you may be familiar from previous versions, including:

- Simpler volume creation. When you right-click unallocated space, you can choose whether to create a simple, spanned, or striped volume directly from the menu.
- Disk conversion options. When you try to add more than four partitions to a basic disk, you are prompted to convert the disk to dynamic or to the GPT partition style. You also can convert basic disks to dynamic disks without incurring data loss. However, converting a dynamic disk to basic is not possible without first deleting all of the volumes.
- Extend and shrink partitions. You can extend and shrink partitions directly from the Windows interface.

To open Disk Management, use this procedure:
1. In the Start screen, type disk. This displays the Everywhere search screen.
2. Type diskmgmt.msc in the search box, and then click diskmgmt in the results list.

DiskPart
Using DiskPart, you can manage fixed disks and volumes by using scripts or direct input from the command line. At the command prompt, type DiskPart, and then enter commands at the DiskPart command prompt. The following are common DiskPart actions:

- To view a list of DiskPart commands, at the DiskPart command prompt, type help.
- To run a DiskPart script that you saved in a text file, type a command similar to DiskPart /s testscript.txt.
- To create a log file of the DiskPart session, type DiskPart /s testscript.txt > logfile.txt.

The following table shows several DiskPart commands that you will use frequently in this scenario.

Command: list disk
Description: Displays a list of disks and related information, including disk size, the amount of available free space on the disks, whether the disks are basic or dynamic, and whether the disks use the MBR or GPT partition style. The disk marked with an asterisk (*) is the one that has focus and against which subsequent commands execute.

Command: select disk <disknumber>
Description: Selects the specified disk, where <disknumber> is the disk number, and gives it focus.

Command: convert gpt
Description: Converts an empty, basic disk with the MBR partition style to a basic disk with the GPT partition style.

For additional information about DiskPart commands, start Disk Management, and then open the Help Topics from the Help menu.

Note: You can abbreviate many, but not all, of the DiskPart commands. For example, use SEL instead of SELECT and PART instead of PARTITION.


Windows PowerShell 4.0

Prior to Windows 8, if you wanted to script disk management tasks, you had to make calls to Windows Management Instrumentation (WMI) objects or include DiskPart in your scripts. Windows PowerShell 3.0 and 4.0 include cmdlets for managing disks natively. The following table details some of these Windows PowerShell cmdlets.

Command: Get-Disk
Description: Returns information on all disks, or on the disks that you specify with a filter.
Additional parameters: -FriendlyName returns information about disks that have the specified friendly name. -Number returns information about a specific disk.

Command: Clear-Disk
Description: Cleans a disk by removing all partition information.
Additional parameters: -ZeroOutEntireDisk writes zeros to all sectors of the disk.

Command: Initialize-Disk
Description: Prepares a RAW disk for use. By default, it initializes the disk with the GPT partition style.
Additional parameters: -PartitionStyle <PartitionStyle> specifies the partition style, either MBR or GPT.

Command: Set-Disk
Description: Updates a physical disk with the specified attributes.
Additional parameters: -PartitionStyle <PartitionStyle> specifies the partition style, either MBR or GPT. You can use this to change the style of a disk that was initialized previously, as long as it contains no partitions.

Command: Get-Volume
Description: Returns information on all of a system's volumes, or on those volumes that you specify with a filter.
Additional parameters: -DriveLetter <Char> gets information about the volume with the specified drive letter. -FileSystemLabel <String> returns information about the NTFS file system or Resilient File System (ReFS) volume with the specified label.

For more information, see: Storage Cmdlets in Windows PowerShell http://go.microsoft.com/fwlink/?LinkId=266556

Converting to Dynamic Disk


When you add a new hard disk to a computer and then start Disk Management, a wizard guides you through the initialization process, during which you select whether to use the MBR or the GPT partition style. Although you can change between partition styles at a later time, some disk conversions require you to reformat the drive. You should carefully consider the disk type and partition style that is most appropriate for your situation. Before you change the partition style, remember that you:

- Must be a member of the Backup Operators or Administrators group.
- Must back up the entire contents of the hard disk before making a change, which is true for any major change that you make to disk contents.
- Must ensure that disks are online before you can initialize them or create new partitions or volumes. To bring a disk online or take it offline in Disk Management, right-click the disk name, and then click the appropriate action.
- Can convert between GPT and MBR only if the disk does not contain any volumes or partitions.
- Should use Event Viewer to check the system log for disk-related messages.

All MBR disks are configured initially as basic disks, which then can be converted to dynamic disks. Dynamic disks can be useful when fault tolerance or spanning of disks is required. Dynamic disks support the following features:

- Ability to be extended.
- Creation of simple, spanned, striped, mirrored, and redundant array of independent disks (RAID)-5 volumes.
- Repair of mirrored or RAID-5 volumes.
- Reactivation of missing or offline disks.

Note: In a multiboot scenario, if you are in one operating system, and you convert a basic MBR disk that contains an alternate operating system to a dynamic MBR disk, you will not be able to boot in the alternate operating system.
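The checklist above is easy to skip when the conversion is one cmdlet. The following added example (not from the course) wraps the Storage module cmdlets in a function that enforces the checks before changing a data disk's partition style: it refuses the boot or system disk, brings an offline disk online, and will only wipe existing partitions when you pass -Force, with -WhatIf available for a dry run. Convert-DataDiskPartitionStyle, -DiskNumber and -Force are the example's own names; the cmdlets and properties it calls are those of Windows PowerShell 4.0 on Windows 8.1.

```powershell
# Added example, not part of the course: change a data disk's partition style only when it is safe.
function Convert-DataDiskPartitionStyle {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][int]$DiskNumber,
        [ValidateSet('GPT', 'MBR')][string]$PartitionStyle = 'GPT',
        [switch]$Force   # wipe existing partitions first; every volume on the disk is destroyed
    )
    $disk = Get-Disk -Number $DiskNumber -ErrorAction Stop

    # Never touch the disk Windows booted from; the note above shows what goes wrong on multiboot disks.
    if ($disk.IsBoot -or $disk.IsSystem) {
        throw "Disk $DiskNumber holds the boot or system volume; refusing to convert it."
    }
    if ($disk.BusType -eq 'USB') {
        Write-Warning 'Windows 8.1 does not support the GPT partition style on removable disks.'
    }
    if ($disk.IsOffline) {
        Set-Disk -Number $DiskNumber -IsOffline $false      # disks must be online before initializing
    }
    if ($disk.PartitionStyle -eq $PartitionStyle) {
        Write-Verbose "Disk $DiskNumber is already $PartitionStyle."
        return $disk
    }

    # Conversion between MBR and GPT is only possible on a disk with no partitions.
    $partitions = @(Get-Partition -DiskNumber $DiskNumber -ErrorAction SilentlyContinue)
    if ($partitions.Count -gt 0 -and -not $Force) {
        throw "Disk $DiskNumber still has $($partitions.Count) partition(s). Back it up, then rerun with -Force."
    }

    $target = "Disk $DiskNumber ($($disk.FriendlyName), $([math]::Round($disk.Size / 1G
B)) GB)"
    if ($PSCmdlet.ShouldProcess($target, "convert to $PartitionStyle")) {
        if ($partitions.Count -gt 0) {
            Clear-Disk -Number $DiskNumber -RemoveData -RemoveOEM -Confirm:$false   # disk becomes RAW
        }
        if ((Get-Disk -Number $DiskNumber).PartitionStyle -eq 'RAW') {
            Initialize-Disk -Number $DiskNumber -PartitionStyle $PartitionStyle
        } else {
            Set-Disk -Number $DiskNumber -PartitionStyle $PartitionStyle
        }
        Get-Disk -Number $DiskNumber | Select-Object Number, FriendlyName, PartitionStyle, IsBoot, IsSystem
    }
}

# Dry run first, then the conversion (prompts because ConfirmImpact is High):
# Convert-DataDiskPartitionStyle -DiskNumber 3 -WhatIf
# Convert-DataDiskPartitionStyle -DiskNumber 3 -Force
```

Because the function declares SupportsShouldProcess, -WhatIf and -Confirm work on it exactly as they do on the built-in cmdlets, and the destructive Clear-Disk step is only reached after the boot/system and partition checks have passed.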

What Is a Simple Volume?


By far the most commonly used disk arrangement is a simple volume. This volume is a contiguous, unallocated area of a physical hard disk that you format to create a file system. You then can assign a drive letter to it or mount it in an existing volume by using a volume mount point.

Simple Volume Characteristics

A simple volume is a volume that encompasses available free space from a single basic or dynamic hard-disk drive. It is a portion of a physical disk that functions as though it were a physically separate unit. A simple volume can consist of a single region on a disk or multiple regions of the same disk that are linked together. Simple volumes have the following characteristics:
- Not fault tolerant. Disk failure leads to volume failure.
- Volume I/O performance is the same as disk I/O performance.


Simple Volume Scenarios


The following table contains example scenarios for disks and volumes.

Scenario: Business desktop computer with one disk
Description: Most business users require a basic disk and one basic volume for storage, but do not require a computer with volumes that span multiple disks or that provide fault tolerance. This is the best choice for those who require simplicity and ease of use.

Scenario: Business desktop computer with one disk and more than one volume
Description: If small business users want to upgrade their operating systems and reduce the impact on their business data, they must store the operating system in a separate location from business data. This scenario requires a basic disk with two or more basic volumes. Users can install the operating system on the first volume, creating a boot volume or system volume, and use the second volume to store data. When a new version of the operating system is released, users can reformat the boot or system volume, and then install the new operating system. The business data, located on the second volume, remains untouched.

A simple volume may provide better performance than striped data-layout schemes. For example, when serving multiple, lengthy, sequential streams, performance is best when a single disk services each stream. Also, workloads that are composed of small, random requests do not always benefit when you move them from a simple to a striped data layout.

The emergence of solid-state drives (SSDs), which offer extremely fast data transfer rates, gives the Windows 8.1 user another decision related to storing data. SSDs currently are more expensive and have smaller capacities than traditional magnetic hard disk drives (HDDs). This combination of performance, size, and cost is an acceptable compromise in small form factor devices; however, a desktop PC may benefit from a combination of an SSD for Windows system files and a large capacity HDD for business data.

Demonstration: Creating a Simple Volume

This demonstration shows how to create a simple volume. First, you create a volume by using the Disk Management snap-in, and then you will use Windows PowerShell.

Demonstration Steps

Using Disk Management
1. Sign in to LON-CL2 as Adatum\Administrator with the password Pa$$w0rd.
2. Open the Start screen, and then start Disk Management.
3. Create a new simple volume on Disk 2.
4. Complete the New Simple Volume Wizard by using the following settings:
   o Use 5103 MB to create the volume.
   o Name the volume Simple1.

Using Windows PowerShell
1. Start Windows PowerShell as administrator.
2. At the Windows PowerShell command prompt, run the following commands. The first line is a single pipeline: Get-Disk passes the disk object to New-Partition, which passes the new partition to Format-Volume.
   o Get-Disk -Number 3 | New-Partition -Size 5350879232 | Format-Volume -Confirm:$false -FileSystem NTFS -NewFileSystemLabel Simple2
   o Get-Partition -DiskNumber 3 (note the number of the partition you just created on disk 3, because you will use it in the next command)
   o Set-Partition -DiskNumber 3 -PartitionNumber x -NewDriveLetter G
3. In File Explorer, verify that the volumes that you created are visible.

Question: In what circumstances will you use less than all of the available space on a new volume's disk?

What Are Mirrored, Spanned, and Striped Volumes?


A mirrored volume presents two disks to the operating systems as a single logical volume. A mirrored volume always consists of exactly two disks. Each disk has an identical copy of the data that is on the logical volume. A spanned volume joins areas of unallocated space on at least two, and at most 32 disks, into a single logical disk. Similar to a spanned volume, a striped volume also requires two or more disks. However, striped volumes map stripes of data cyclically across the disks.

Basic disks support only primary partitions, extended partitions, and logical drives. To use mirrored, spanned, or striped volumes, you must convert the disks to dynamic volumes as described previously. Dynamic disks use a database to track information about the disks dynamic volumes and about the computers other dynamic disks. Because each dynamic disk on a computer stores a replica of the dynamic disk database, the Windows operating system can repair a corrupted database on one dynamic disk by using the database on another dynamic disk.

Characteristics of Mirrored Volumes

A mirrored volume also is known as a RAID-1 volume. A striped volume combines equal-sized areas of unallocated space from multiple disks. You use a mirrored volume when you wish to provide redundancy for your system partition. Both spanned volumes and striped volumes require a Windows operating system to be running to recognize the volume; therefore, neither of those solutions can be used to provide protection against disk failures for a system partition. When creating a mirrored volume, the disk for the shadow volume must be at least the same size as the volume being mirrored. Once the mirror is established, you cannot resize the mirrored volume.


There are two main benefits of using mirrored volumes. Recovering from a disk failure is very quick as there is no data to rebuild. Additionally, read operations have a slight performance boost because you can read from both disks simultaneously. Also, there are two main disadvantages of using mirrored volumes. Write operations are slightly slower as every write needs to be written to both disks. Also, using mirrored volumes is the least efficient use of space compared to other RAID configurations.

Characteristics of Spanned Volumes

A spanned volume gives users the option to gather noncontiguous free space from one or many disks into the same volume. A spanned volume does not provide any fault tolerance. Additionally, because the areas that you combine are not necessarily equally distributed across the participating disks, there is no performance benefit to implementing spanned volumes. I/O performance is comparable to simple volumes. You can create a spanned volume by extending a simple volume to an area of unallocated space on a second disk, or you can designate multiple disks during the volume-creation process. The benefits of using spanned volumes include uncomplicated capacity planning and straightforward performance analysis.

If you create a new spanned volume, you must define the same properties as when you create a simple volume in terms of size, file system, and drive letter. Also, you must define how much space to allocate to the spanned volume from each physical disk. You can create spanned volumes on dynamic disks only. If you attempt to create a spanned volume on basic disks, the Windows operating system prompts you to convert the disks to dynamic after you have defined the volume's properties and confirmed the choices.

It is possible to shrink a spanned volume. However, it is not possible to remove an area from a specific disk. For example, if a spanned volume consists of three 100 MB partitions, one on each of three disks, you cannot delete the third element. Depending on the space consumption on the volume, you can reduce the volume's total size.

Note: When you shrink a spanned volume, no data loss occurs. However, the number of disks involved may decrease. If the spanned volume ends up residing on a single disk, the spanned volume is converted to a simple volume. If there are empty dynamic disks that result from shrinking a spanned volume, the empty dynamic disks are converted to basic disks.

If you install additional hard disks, it is possible to extend the spanned volume to include areas of unallocated space on the new disks, as long as the total number of disks does not exceed the 32-disk limit for spanned volumes.

Characteristics of Striped Volumes


A striped volume also is known as a RAID-0 volume. A striped volume combines equal-sized areas of unallocated space from multiple disks.

You should create a striped volume when you want to improve the I/O performance of a computer. Striped volumes provide for higher throughput by distributing I/O across all disks configured as part of the set. The more physical disks that you combine, preferably across several disk controllers, the faster the potential throughput. For most workloads, a striped data layout provides better performance than simple or spanned volumes, as long as you select the stripe unit appropriately based on workload and storage hardware characteristics. The overall storage load is balanced across all physical drives. Striped volumes also are well suited for isolating the paging file. By creating a volume where Pagefile.sys is the only file on the entire volume, the paging file is less likely to become fragmented, which helps improve performance. Redundancy is not normally required for the paging file. Striped volumes provide a better solution than RAID-5 for paging file isolation. This is because the paging file activity is write-intensive, and RAID-5 is better suited for read performance than write performance. Because no capacity is allocated for redundant data, RAID-0 does not provide data-recovery mechanisms such as those in RAID-1 and RAID-5. The failure of any disk results in data loss on a larger scale than it would on a simple volume because it disrupts the entire file system that spreads across multiple physical disks. The more disks that you combine in RAID-0, the less reliable the volume becomes.

When you create a striped volume, you will define the file system, drive letter, and other standard volume properties. Additionally, you must define the disks from which to allocate free space. The allocated space from each disk must be identical in size. It is possible to delete a striped volume, but it is not possible to extend or to shrink the volume.

Configuration Changes

There are times when you may want to upgrade or in some way alter the configuration of computer hardware or software. For example:
   o When the addition of functionality adds value to an organization.
   o When a fault in software, hardware, or the combined architecture results in apps failing to run.
   o When a change in the functionality or role of a device or workstation occurs.

There are other forms of volume management with different types of fault tolerance and recovery that are available. These include using RAID-1 or RAID-5 volumes, hardware mirroring, and disk duplexing. You could consider using these forms of volume management in your enterprise if the standard Windows 8.1 tools are not sufficient for your needs. Question: How will the emergence of solid-state drives (SSDs) in enterprise workstations, devices, and enterprise storage arrays change the storage landscape?

Demonstration: Creating Spanned and Striped Volumes


In this demonstration, you will see how to create spanned and striped volumes.

Demonstration Steps

Creating a spanned volume

1. If necessary, sign in to LON-CL2 as Adatum\Administrator.
2. Open the Start screen, and then start Disk Management.
3. Right-click the unallocated space on Disk 2, and then start the New Spanned Volume Wizard.
4. Complete the New Spanned Volume Wizard by using defaults, except for the following information:
   o Use 2000 MB from Disk 2
   o Use 1500 MB from Disk 3
   o Use 4000 MB from Disk 4
   o Name the volume SpanVol
   o Select the Perform a quick format check box
5. Read the Disk Management warning, and then click Yes.


Creating a striped volume


1. Right-click the unallocated space on Disk 2, and then start the New Striped Volume Wizard.
2. Complete the New Striped Volume Wizard by using the defaults, except for the following information:
   o Use 2000 MB from each disk.
   o Name the volume StripedVol
   o Select the Perform a quick format check box

Question: What is the advantage of using striped volumes, and conversely what is the major disadvantage?
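The same StripedVol volume can be built from a DiskPart script instead of the wizard, which is useful when the configuration must be repeatable. This is an added example, not part of the course; it assumes Disks 2, 3 and 4 each have at least 2000 MB of unallocated space, that the session is elevated, and that the drive letter I: is free.

```powershell
# Added example: create the demonstration's striped (RAID-0) volume with DiskPart.
# Assumptions: Disks 2, 3 and 4 have >= 2000 MB unallocated; I: is unused; run elevated.

$diskPartScript = @"
select disk 2
convert dynamic noerr
select disk 3
convert dynamic noerr
select disk 4
convert dynamic noerr
create volume stripe size=2000 disk=2,3,4
format fs=ntfs label="StripedVol" quick
assign letter=I
list volume
"@

# DiskPart runs a script file with /s and stops at the first failing command,
# so a failed step does not leave later steps half-applied. 'noerr' lets the
# convert step continue when a disk is already dynamic (Disk 2 is, after the
# spanned volume demonstration).
$scriptPath = Join-Path $env:TEMP 'create-stripedvol.txt'
Set-Content -Path $scriptPath -Value $diskPartScript -Encoding ASCII
diskpart /s $scriptPath
Remove-Item $scriptPath

# RAID-0 has no redundancy: confirm the volume is healthy now and record it,
# because the loss of any one member disk takes the whole file system with it.
Get-Volume -DriveLetter I |
    Select-Object DriveLetter, FileSystemLabel, FileSystem, HealthStatus,
                  @{ Name = 'SizeGB'; Expression = { [math]::Round($_.Size / 1GB, 2) } }
```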

Purpose of Resizing a Volume


Windows 8.1 allows you to resize a volume by using the Shrink Volume or Extend Volume options within the provided disk tools. You can shrink existing volumes to create additional, unallocated space to use for data or apps on a new volume. On the new volume, you can:
   o Install another operating system, and then perform a dual-boot.
   o Save data separate from the operating system.

To perform a shrink operation, ensure that the disk either is formatted with NTFS or unformatted and that you are a member of the Backup Operators or Administrators group. When you shrink a volume, contiguous free space relocates to the end of the volume. There is no need to reformat the disk, but to ensure that the maximum amount of space is available, make sure you perform the following tasks before shrinking:
   o Defragment the disk. This rearranges the disk sectors so that unused space is at the end of the disk.
   o Reduce shadow copy disk space consumption. Shadow copies can consume a large amount of space because they maintain a record of changes so that previous versions of files can be restored.
   o Ensure that no page files are stored on the volume that you are shrinking.

When you shrink a volume, unmovable files, for example, a page file or the shadow-copy storage area, do not relocate automatically. It is not possible to decrease the allocated space beyond the point where the unmovable files are located. If you need to shrink a partition further, move the page file to another disk, delete the stored shadow copies, shrink the volume, and then move the page file back to the disk.

To view shadow copy storage information, use the Volume Shadow Copy Service administrative command-line tool. Start an elevated command prompt from the Administrative menu by pressing the Windows logo key+X, clicking Command Prompt (Admin), and then typing vssadmin list shadowstorage. If configured, the used, allocated, and maximum shadow copy storage space is listed for each volume.

Defragmentation in Windows 8.1 improves on previous versions of the Windows operating system. You now can optimally relocate some files that you could not relocate in Windows Vista or earlier versions.

Note: Please note that you may destroy or lose data if you shrink a raw partition, meaning a partition that does not have a file system, but does contain data. Remember to make a backup prior to extending or shrinking a partition or volume.

You can shrink simple and spanned dynamic volumes, but not others. Here are a few ways in which you can increase the size of a simple volume:
   o Extend the simple volume on the same disk. The volume remains a simple volume.
   o Extend a simple volume to include unallocated space on other disks on the same computer. This creates a spanned volume.

Demonstration: Resizing a Volume

This demonstration shows how to shrink a volume with the DiskPart tool. Then, the Disk Management tool is used to extend a simple volume.

Demonstration Steps

Using DiskPart

1. If necessary, sign in to LON-CL2 as Adatum\Administrator.
2. Start DiskPart.
3. At the DiskPart command prompt, run the following commands:
   o list volume (note the volume number associated with Simple2)
   o select volume <n> (where n is the volume number noted)
   o shrink desired=50
4. Compare the size of the Simple2 volume with the size previously reported.

Using Disk Management

1. Open the Start screen, and then start Disk Management.
2. Click the spanned volume on Disk 3.
3. Start the Extend Volume Wizard, and then extend the spanned volume with 50 MB from Disk 3.

Question: When might you need to reduce the system partition's size?


Overview of Storage Spaces


Storage Spaces is a new feature built into both Windows 8.1 and Windows Server 2012 R2 that you can use to add additional storage to your system and to pool storage devices in a resilient arrangement. The operating system manages all disks added to a storage pool, and you can configure these disks to ensure that the data stored in a pool is protected from data loss. You create a storage pool by adding drives to a system. You then configure Storage Spaces to use some or all of the available pooled space and define the drive resiliency, name, and size. Storage Spaces offers the types of resiliency listed in the following table.

Type               Resiliency description
Simple (none)      No mirroring. All data is lost if a drive fails.
Two-way mirror     All files stored in the pool are maintained on at least two different physical drives, mirroring your data.
Three-way mirror   Similar to a two-way mirror, but stored on three drives.
Parity             At least three drives are used to store the data and parity bit. This is the most efficient storage option, but also, potentially, the poorest performance, as the parity information needs to be calculated.

Note: Notice the change to modern and familiar terminology when discussing types of disk redundancy compared to the traditional RAID-0, RAID-1, and RAID-5 nomenclature seen earlier in the module.

The Storage Spaces feature allows the addition of disparate disk types, such as internal/external, USB drives, Serial ATA, and other types. During the addition of the storage, a drive is formatted and configured as a new storage pool. Note: Ensure that you have made a backup or removed any data before adding a drive, as Windows 8.1 will format any drive that is added to a storage pool as part of the configuration.

After you configure a storage space, you can modify the storage space name and size and even delete the space completely, which will return the space back to the storage pool. Note: Deleting a storage space will permanently delete all the files that it contains. Ensure that you move or back up any data before deleting a storage space.
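The Control Panel wizard described above has a PowerShell equivalent in the Storage module. The following is an added example, not course code; it assumes at least two empty disks that report CanPool = True, and the pool, space and label names are placeholders.

```powershell
# Added example: create a pool and a two-way mirror storage space, then verify
# that both data copies are on healthy physical disks.
# Assumptions: two or more empty, poolable disks; names below are placeholders.
$poolName  = 'ClientPool'
$spaceName = 'MirrorSpace'

# Only disks with CanPool = True are eligible. Disks holding partitions are never
# selected, which matches the note above: every disk added to a pool is formatted.
$candidates = @(Get-PhysicalDisk -CanPool $true)
if ($candidates.Count -lt 2) {
    throw "A two-way mirror needs at least two poolable disks; found $($candidates.Count)."
}

# A pool is created against the local storage subsystem.
$subsystem = Get-StorageSubSystem | Select-Object -First 1
New-StoragePool -FriendlyName $poolName `
                -StorageSubSystemUniqueId $subsystem.UniqueId `
                -PhysicalDisks $candidates | Out-Null

# Two-way mirror: two copies of every block, each on a different physical disk.
# Thin provisioning lets the space be larger than the disks currently behind it.
$space = New-VirtualDisk -StoragePoolFriendlyName $poolName `
                         -FriendlyName $spaceName `
                         -ResiliencySettingName Mirror `
                         -NumberOfDataCopies 2 `
                         -ProvisioningType Thin `
                         -Size 20GB

# The space surfaces as a new disk: initialize, partition and format as usual.
$space | Get-Disk |
    Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -AssignDriveLetter -UseMaximumSize |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel $spaceName -Confirm:$false

# Verification: the space should be Healthy/OK, and every member disk Healthy.
# A Degraded space here means one copy is already missing and the mirror is not
# protecting the data until the failed disk is replaced.
Get-VirtualDisk -FriendlyName $spaceName |
    Select-Object FriendlyName, ResiliencySettingName, NumberOfDataCopies,
                  HealthStatus, OperationalStatus
Get-StoragePool -FriendlyName $poolName | Get-PhysicalDisk |
    Select-Object FriendlyName, MediaType, HealthStatus, OperationalStatus
```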

Question: Discuss scenarios when you would use Storage Spaces in a client workstation environment.


Lesson 2

Maintaining Disks, Partitions, and Volumes

When you first create a volume, you typically create new files and folders on the volume's available free space in contiguous blocks. This provides an optimized file system environment. As the volume becomes full, the availability of contiguous blocks diminishes. This can lead to suboptimal performance. This lesson explores file system fragmentation and the tools that you can use to reduce fragmentation. You also will see how Windows 8.1 automatically checks and fixes most file system issues and how you can configure disk quotas to monitor and control how disks are filled.

Lesson Objectives
After completing this lesson, you will be able to:
   o Describe file system fragmentation.
   o Explain how to defragment a disk on a Windows 8.1 client computer.
   o Describe how to check for disk errors.
   o Describe disk quotas and how they manage storage.
   o Configure disk maintenance tasks.

What Is Disk Fragmentation?


Fragmentation of a file system occurs over time as you save, change, and delete files. Initially, the Windows I/O manager saves files in contiguous areas on a given volume. This is efficient for the physical disk as the read/write heads are able to access these contiguous blocks most quickly.

As the volume fills with data and other files, contiguous areas of free space become harder to find. File deletion also causes fragmentation of available free space. Additionally, when you extend and save a file, such as editing a document or spreadsheet, there may not be contiguous free space following the existing file blocks. This forces the I/O manager to save the remainder of the file in a noncontiguous area. Over time, contiguous free space becomes harder to find, leading to fragmentation of newly stored content. The incidence and extent of fragmentation varies depending on available disk capacity, disk consumption, and usage patterns.

Although NTFS is more efficient at handling disk fragmentation than earlier file systems, this fragmentation still presents a potential performance problem. Combined hardware and software advances in the Windows operating system help to mitigate the impact of fragmentation and deliver better responsiveness. Question: How does the increasing storage capacity of HDDs affect file fragmentation?


Defragmenting a Disk
When you optimize a disk, files are relocated optimally. This ability to relocate files is beneficial when you are shrinking a volume because it lets the system free up space that you can later reclaim. Windows 8.1 defragments drives automatically on a scheduled basis, running weekly in the background to rearrange data and reunite fragmented files. You can check the status of a defragmentation or perform a manual optimization at any time by launching the Optimize Drives tool.

To optimize a volume or drive manually, or to change the automatic optimization schedule, right-click a volume in File Explorer, click Properties, click the Tools tab, and then click Optimize. You then can perform the following tasks:
   o Change settings, which allows you to:
      o Enable or disable the automated optimization.
      o Specify the automated optimization frequency.
      o Set a notification for three consecutive missed optimization runs.
      o Select which volumes you want to optimize.
   o Analyze the disk to determine whether it requires optimization.
   o Launch a manual optimization.

You also can start the optimization process by launching Defragment and Optimize Drives from the Administrative Tools section within Control Panel\System and Security.

To verify that a disk requires defragmentation, in the Optimize Drives tool, select the disk that you want to defragment, and then click Analyze. After Windows finishes analyzing the disk, check the percentage of fragmentation on the disk in the Current status column. If the number is high, you should defragment the disk. The Optimize Drives tool might take from several minutes to a few hours to finish defragmenting, depending on the size and degree of fragmentation of the disk or USB device, such as an external hard drive. You can use the computer during the defragmentation process, although disk access may be slower and the defragmentation may take longer. You can configure and run disk defragmentation from an elevated command prompt by using the defrag command-line tool. Use Defrag /? at the command prompt for available options.

You can minimize file system fragmentation in the following ways:
   o Partition the disk so that you isolate static files from those that are created and deleted frequently, such as some user-profile files and temporary Internet files.
   o Use the Disk Cleanup feature (Cleanmgr.exe) to free disk space that is being consumed by each user's preferences for console files that the profile is saving.
   o Use the Optimize Drives tool to help reduce the impact of disk fragmentation on disk volumes, including USB drives. The Optimize Drives tool rearranges fragmented data so that disks and drives can work more efficiently.


Newer drives such as SSDs do not need to be defragmented in the same way as HDDs because files are not accessed mechanically. If an SSD or USB flash drive becomes fragmented, only a small performance benefit will be gained by optimizing the drive, because all files are accessed at equally high speed regardless of their location or level of fragmentation. Because of the volume of read/write operations that the optimization process requires, SSDs should not be defragmented.

Note: Defragmenting an SSD or a USB flash drive can decrease the life span of the drive significantly.
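One way to enforce the SSD caveat above in a script is to look up the media type behind a volume before deciding what Optimize-Volume should do. This is an added example, not course code; it assumes the volume lives on a single local basic disk and that Get-PhysicalDisk reports DeviceId as that disk's number, and the drive letter in the final call is a placeholder.

```powershell
# Added example: optimize a volume according to its media type.
# HDD  -> analyze, then defragment (moves file extents).
# SSD  -> retrim only (reports free blocks to the drive; rewrites nothing).
# Other (for example a USB flash drive reporting 'Unspecified') -> warn, do nothing.
# Assumptions: single local basic disk per volume; PhysicalDisk.DeviceId == disk number.
function Optimize-VolumeByMediaType {
    param([Parameter(Mandatory)][string]$DriveLetter)

    $disk = Get-Partition -DriveLetter $DriveLetter | Get-Disk
    if (-not $disk) { throw "No disk found for volume ${DriveLetter}:" }

    # Map the logical disk to its physical disk to read MediaType (assumption noted above).
    $physical = Get-PhysicalDisk | Where-Object { $_.DeviceId -eq "$($disk.Number)" }
    $media = if ($physical) { [string]$physical.MediaType } else { 'Unknown' }

    switch ($media) {
        'SSD' {
            # Moving data on flash costs write cycles and buys nothing; retrim instead.
            Optimize-Volume -DriveLetter $DriveLetter -ReTrim -Verbose
        }
        'HDD' {
            Optimize-Volume -DriveLetter $DriveLetter -Analyze -Verbose
            Optimize-Volume -DriveLetter $DriveLetter -Defrag -Verbose
        }
        default {
            Write-Warning "Volume ${DriveLetter}: media type '$media' not recognized; leaving it alone."
        }
    }
    return $media   # caller can log which path was taken
}

Optimize-VolumeByMediaType -DriveLetter 'E'   # placeholder drive letter
```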

Checking for Disk Errors


Earlier versions of the Windows operating system include automatic scheduling for several disk maintenance activities. Windows 8.1 introduces new feature enhancements to NTFS, including self-healing abilities that provide online corruption scanning and repair capabilities to resolve many NTFS issues. At 3 A.M. local time, Windows 8.1 automatically performs a scan of hard drives by using the improved Check Disk tool (Chkdsk), which fixes file errors and NTFS inconsistencies within volumes on a disk. In an enterprise environment, if preferred, you could use Group Policy to schedule this task to take place during lunchtime or other periods of low activity.

Unlike previous versions of Chkdsk, Windows can now repair a volume while the Windows operating system is still running. Windows can take the volume offline temporarily while it carries out repairs. For all boot and system drive repairs, the Windows operating system cannot be running, and these actions will be performed at the next system restart. Note: The computer or device must be connected to AC power during the 3 A.M. automated maintenance window for this procedure to take place. Alternatively, if the maintenance window is missed, the task is carried over until the next time that AC power is connected and the operating system is idle.

In addition to automatic scanning, you can manage disk health manually by using the Chkdsk command from an elevated command prompt or within Windows PowerShell with one of the following options.

Command             Description
/?                  Displays the available command options.
volume              Specifies the drive letter (followed by a colon), mount point, or volume name.
Filename            FAT or FAT32 only: specifies the files to check for fragmentation.
/F                  Fixes errors on a disk.
/V                  On FAT or FAT32: displays the full path and name of every file on a disk. On NTFS: displays cleanup messages, if any.
/R                  Locates bad sectors and recovers readable information. Implies /F when /scan is not specified.
/L:size             NTFS only: changes the log file size to the specified number of kilobytes (KB). If size is not specified, displays the current size.
/X                  Forces the volume to dismount first if necessary. All opened handles to the volume would then be invalid. Implies /F.
/I                  NTFS only: performs a less vigorous check of index entries.
/C                  NTFS only: skips checking of cycles within the folder structure.
/B                  NTFS only: re-evaluates bad clusters on the volume. Implies /R.
/scan               NTFS only: runs an online scan on the volume.
/forceofflinefix    NTFS only: bypasses all online repair; all defects found are queued for offline repair (that is, Chkdsk /spotfix). Must be used with /scan.
/perf               NTFS only: uses more system resources to complete a scan as fast as possible. This may have a negative performance impact on other tasks that are running on a system. Must be used with /scan.
/spotfix            NTFS only: runs spot fixing on a volume.
/sdcleanup          NTFS only: garbage collects unneeded security descriptor data. Implies /F.
/offlinescanandfix  Runs an offline scan and fix on a volume.

Question: In addition to the automatic scheduled maintenance that Windows performs, what other options could be considered to prevent unexpected data loss?

What Are Disk Quotas?


It is important to manage the storage space that Windows 8.1 computers consume locally. With ever-increasing demands on available storage, you must consider methods that can help you manage these demands. A disk quota is a way for you to limit each persons use of disk space on a volume. Using disk quotas, you can track and restrict disk consumption. You can enable quotas on any NTFS-formatted volume, including local volumes, Storage pools, and removable storage.


You can use quotas to track disk space consumption and to determine who is consuming available space. By default, disk quotas are disabled and users are not prevented from writing to disk volumes unless this requirement is specified.

Note: The Administrator user account is exempt from any warnings or disk space limitations.

There are several different methods available for managing disk quotas:

Disk properties. From the File Explorer window, view the properties of a selected disk or volume. You can use the Quota tab to enable and manage quotas on individual drives. You can use the GUI to configure the same settings that are available to the disk quota Group Policy Object (GPO). Additionally, you can manage and view individual quota entries. When you manage individual quota settings, you can perform the following tasks:
   o Create a new quota entry. You can configure settings that override the default values for specific users.
   o Delete a quota entry. You can remove a quota entry that was previously created and allow the default settings to apply to the user.
   o Export and import. You can export settings that are configured on a specific volume, and you can import the settings on another volume for ease of management.

Fsutil. You can manage quotas by using the fsutil quota command from an elevated command prompt or from within Windows PowerShell with one of the following subcommands:
   o Disable <volumePath>. Disables quota tracking on the specified volume.
   o Enforce <volumePath>. Enforces quota usage on the specified volume.
   o Modify <volumePath> <Threshold> <Limit> <UserName>. Modifies an existing quota or creates a new quota entry on the specified volume.
   o Query <volumePath>. Lists existing quotas on the specified volume.
   o Track <volumePath>. Tracks disk usage on the specified volume.
   o Violations. Queries the application and system logs for quota violations.

Group Policy. In either a local or domain-based GPO, the settings are in the Administrative Templates, System, Disk Quotas section. The policy settings available there are:
   o Enable disk quotas
   o Enforce disk quota limit
   o Specify default quota limit and warning level
   o Log event when quota limit is exceeded
   o Log event when quota warning level is exceeded
   o Apply policy to removable media

Over time, the amount of available disk space inevitably becomes less. Therefore, you should ensure that you have a contingency plan to increase storage capacity.


Note: Quotas are tracked separately for each volume. When restricting disk space limits, each user shares the same limit per volume. By contrast, Windows Server 2012 and newer versions allow administrators more detailed restrictions, including the ability to set different limits for each user. Question: Will quota management be useful in your organization?
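The fsutil subcommands listed above can reproduce the Quota tab settings used in the demonstration (6 MB limit, 4 MB warning) for a named user, which is how you would script quotas across many workstations. This is an added example, not course code; the account name is a placeholder and I: is assumed to be the NTFS volume StripedVol from the demonstration.

```powershell
# Added example: configure and verify a per-user quota with fsutil quota.
# Assumptions: I: is an NTFS volume; the user account is a placeholder; run elevated.
$volume  = 'I:'
$user    = 'ADATUM\QuotaUser'   # placeholder account name
$warnMB  = 4
$limitMB = 6

# fsutil takes thresholds in bytes. A limit at or below the warning level is a
# misconfiguration (the warning could never fire before the denial), so reject it
# before touching the volume.
$warnBytes  = $warnMB  * 1MB
$limitBytes = $limitMB * 1MB
if ($limitBytes -le $warnBytes) {
    throw "Quota limit ($limitMB MB) must be greater than the warning level ($warnMB MB)."
}

fsutil quota track   $volume                               # start tracking usage per user
fsutil quota enforce $volume                               # deny writes beyond the limit
fsutil quota modify  $volume $warnBytes $limitBytes $user  # threshold, then limit, then user

# Verify the entry exists, then check whether anything has already been logged.
fsutil quota query $volume
fsutil quota violations
```

Creating the 2mb-file and 1kb-file test files from the demonstration as that user is a quick way to see the warning event land in the System log before the hard limit denies the write.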

Demonstration: Configuring Disk Maintenance Tasks

This demonstration shows how to configure drive defragmentation, check a volume for errors, and create a disk quota.

Demonstration Steps

Configure drive defragmentation

1. If necessary, sign in to LON-CL2 as Adatum\Administrator.
2. Analyze drive I: and then defragment the drive.
3. Open an administrative Windows PowerShell window, and then run the following command on drive I:
   o Defrag I: /A
4. Defragment drive I: by typing the following command:
   o Defrag I: /H /U /V
5. View the verbose results of the operation.
6. Sign out from LON-CL2.

Check a volume for errors

1. Open an administrative Windows PowerShell window, and then run the following command on drive I:
   o Chkdsk /scan I:
2. If the tool finds errors, you can attempt to repair them by typing the following command on drive I:
   o Chkdsk /spotfix I:
3. Sign out from LON-CL2.

Create a disk quota

1. Open File Explorer, and then navigate to This PC.
2. Open the StripedVol (I:) Properties.
3. Click the Quota tab, and then enable quotas with the following settings:
   o Deny disk space to users exceeding quota limit
   o Limit disk space to 6 MB
   o Set warning level to 4 MB
   o Log event when a user exceeds their warning level
4. Close all open windows.


5. Open an administrative command prompt, and then run the following commands on drive I:
   o fsutil file createnew 2mb-file 2097152
   o fsutil file createnew 1kb-file 1024
6. Sign out from LON-CL2.


Lesson 3

Working with Virtual Hard Disks


With virtual hard disks, you can present a portion of a hard drive as an independent hard drive to the Windows 8.1 operating system. Virtual hard disks generally are associated with virtual machines. Beginning with Windows 7, Windows operating systems can mount virtual hard disks directly. In this lesson, you will learn what a virtual hard disk is and how to mount one in Windows 8.1.

Lesson Objectives
After completing this lesson, you will be able to:
   o Describe the tools used to create, delete, and mount virtual hard disks in Windows 8.1.
   o Manage virtual hard disk files in the Windows 8.1 file system.

Virtual Hard Disks in Windows 8.1


Windows 8.1 fully supports virtual hard disks. The virtual hard disk (.vhd) file format specifies a virtual hard disk, which is encapsulated in a single file and is capable of hosting native file systems and supporting standard disk operations. Virtual hard disks are not used solely with virtual machine environments such as Client Hyper-V, which is discussed later in this course. You can use virtual hard disks in any scenario where a physical hard disk might be used. If you plan on using a virtual hard disk in place of a physical disk, consider the following advantages and disadvantages.

Advantages of Using Virtual Hard Disks


   o Portability. VHD files may be easier to move between systems, particularly when shared storage is used.
   o Backup. A VHD file represents a single file for backup purposes.

Disadvantages of Using Virtual Hard Disks


   o Performance. In high I/O scenarios, the additional overhead of using a virtual hard disk can affect performance.
   o Physical failures. A VHD file does not protect against cluster failure on the underlying physical disks.

Some of the usage scenarios for virtual hard disks include:

Multiboot. Windows 7 and Windows 8.1 support native boot from virtual hard disk. This can allow you to start a system from multiple VHD files to support different applications without the need to install them in the same operating system.

Managing desktop image deployment. You can use virtual hard disks as reference images for either physical or virtual machines to ensure each system starts with a common image.

Physical disk virtualization. You can use virtual hard disks in conjunction with underlying storage that is configured for resiliency.


Supporting Virtual Disk Formats

Windows 8.1 supports both virtual disk formats: .vhd and .vhdx. The .vhdx format has a metadata structure that is aimed at reducing data corruption and improving alignment on large-sector disks. .vhd virtual hard disks are limited to 2 TB of storage, whereas the new .vhdx format is suitable for virtual disks up to a supported maximum size of 64 TB. For more information on the .vhdx format, go to:

Hyper-V Virtual Hard Disk Format Overview
http://go.microsoft.com/fwlink/?LinkId=266557

You can configure virtual hard disks as three types: fixed, dynamically expanding, or differencing.

Fixed size

A fixed-size virtual hard disk is allocated its maximum size when you create the virtual disk. The fixed-size disk type is the recommended type of virtual disk in the following scenarios:
   o When using the .vhd format.
   o When I/O performance is required to be as high as possible. Because the file is not dynamically expanded as data is created within it or copied to the virtual disk, fixed-size virtual disks typically are only 6 percent slower than the underlying physical drive. When a dynamically expanding disk increases in size, the host physical drive could run out of space and cause write operations to fail. The use of fixed virtual disks ensures that this does not happen because the full drive size has already been committed to the virtual disk.
   o When the file data must not become inconsistent due to a lack of storage space or power loss. Dynamically expanding virtual disks depend on multiple write operations to expand the file. The internal block-allocation information can become inconsistent if all I/O operations to the virtual disk file and the host volume are not complete and persisted on the physical disk. This can happen if the computer suddenly loses power.

Dynamically expanding

The size of a dynamically expanding virtual hard disk starts off very small and grows as large as the data that is written to it. As more data is written to a dynamically expanding virtual hard disk, the file increases up to the configured maximum size. For example, a 50 gigabyte (GB) dynamically expanding virtual hard disk that has 10 GB of data files copied to it will occupy approximately 10 GB of space on the physical hard drive and can accommodate a further 40 GB of data. With the improvements in the .vhdx format, the dynamically expanding disk type is recommended when creating .vhdx drives.

Note: The .vhdx format is not backward compatible with Windows 7.

Differencing disk

A differencing disk tracks the changes made from another virtual disk. Creating a parent/child relationship between virtual disks can save significant disk space. Because this disk type lets you use the contents of a base disk (parent) without making changes to the base disk, all changes are made to the differencing (child) disk. You should configure base disks as read-only to prevent changes being made to them. All changes made when using the virtual machine are then written to the differencing disk. A differencing disk must be a dynamically expanding disk.

Note: You can create differencing disks only by using DiskPart or Windows PowerShell.

5-26 Managing Disks and Device Drivers

Managing VHD files in the Windows 8.1 File System


Virtual disks are fully supported by Windows 8.1, and you should understand the tools that are available to create, mount, and delete virtual disks. Three methods are available for managing virtual disks in Windows 8.1: Disk Management, DiskPart, and Windows PowerShell 4.0.

Disk Management
The Disk Management snap-in for the MMC provides a familiar GUI where a user can create, attach, and detach virtual disks within a Windows operating system.

After you create a new virtual disk, a new disk appears in the console, and you need to initialize this disk so that the Windows operating system can manage the drive. After it is initialized, you can treat the drive like any other drive. For example, you can format it, assign a drive letter to it, or the system can create a mount point and use the drive. After a virtual disk is allocated a drive letter, it is mounted and you can access the drive by using File Explorer to carry out normal activities; it behaves just like a physical drive.

Note: A virtual disk appears in the Disk Management console with a light blue drive icon to indicate to the user that it is a virtual disk.

If you wish to remove a virtual hard disk from your system, for example, to make it portable or to connect it to a virtual machine, you first must return to Disk Management to detach the disk. While a virtual disk is online and managed by Disk Management, it is not possible to delete the virtual disk from within File Explorer, because the system marks the file as open. If the virtual disk is external to the system, for example, if it resides on a USB drive, disconnecting the USB drive without first detaching the virtual disk can corrupt the .vhd file and make it unusable.

Note: Take care when placing virtual hard disks on portable drives; they can become corrupted easily if they are in use when you disconnect the portable drive.

Managing VHD Files by Using DiskPart

Although Disk Management allows users to configure virtual disks from a GUI, there are some limitations, such as the inability to create differencing virtual disks. To access more powerful options, consider using DiskPart and Windows PowerShell, which provide more control of virtual disks from the command line and with cmdlets. To create a virtual hard disk by using DiskPart, you use the create vdisk command at the DiskPart command prompt. You can create and manage virtual disks by using one of the following commands within DiskPart:

• Create vdisk
• Detach vdisk
• Expand vdisk
• Select vdisk


The following table shows the available options that the create vdisk command supports.

Option                     Description

file=<filename>            Specifies the complete path and file name of the virtual disk file. The file may be on a network share.

maximum=<n>                The maximum amount of space that the virtual disk exposes, in megabytes.

type=<fixed|expandable>    The fixed option specifies a fixed-size virtual disk file. The expandable option specifies a virtual disk file that resizes to accommodate the allocated data. The default option is fixed.

sd=<sddl string>           Specifies a security descriptor in the security descriptor definition language (SDDL) format. By default, the security descriptor is taken from the parent directory.

parent=<filename>          Path to a parent virtual disk file to create a differencing disk. With the parent parameter, you should not specify maximum, because the differencing disk gets the size from its parent. Also, do not specify type, because only expandable differencing disks can be created.

source=<filename>          Path to an existing virtual disk file to be used to prepopulate the new virtual disk file. When source is specified, data from the input virtual disk file is copied block for block to the created virtual disk file. Be aware that this does not establish a parent/child relationship.

noerr                      For scripting only. When DiskPart encounters an error, it continues to process commands as if the error did not occur.

To create a differencing virtual disk from an existing parent virtual disk you would use the following command:
CREATE VDISK FILE=i:\newdiffdisk.vhdx PARENT=i:\parentdisk.vhdx

To mount a virtual disk by using DiskPart, you first must use the select vdisk command to specify the VHD file, and then use the attach vdisk command. The following table shows the available options that the select vdisk command supports.

Option               Description

file=<filename>      Specifies the complete path and file name of the virtual disk file. The file may be on a network share.

noerr                For scripting only. When DiskPart encounters an error, it continues to process commands as if the error did not occur.

The following table shows the available options that the attach vdisk command supports.

Option               Description

readonly             Attaches the virtual disk as read-only. Any write operation will return an I/O device error.

sd=<sddl string>     Specifies a security descriptor in the SDDL format. By default, the security descriptor allows access like any physical disk.

usefilesd            Specifies that the security descriptor on the virtual disk file itself should be used on the virtual disk. If not specified, the disk will not have an explicit security descriptor unless one is specified with sd=<sddl string>.

To unmount a virtual disk by using DiskPart, you first must use the select vdisk command to specify the virtual hard disk file, and then use the detach vdisk command. The detach vdisk command only supports the noerr option.
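The create, select, attach and detach sequence described in this topic, as an added example that is not part of the course: a Windows PowerShell wrapper that writes the DiskPart commands to a script file and runs them with diskpart /s, so that the exact commands can be reviewed before they run and the run fails loudly on error. The paths C:\VHD\base.vhdx and C:\VHD\child.vhdx, the 1024 MB size, the label BaseDisk, the drive letter V and the function name are assumptions chosen for the example.

```powershell
# Added example, not part of the course: drives DiskPart from a script file so the
# create/select/attach/detach sequence is repeatable and reviewable.
# Run from an elevated Windows PowerShell prompt. Paths, size, label and
# drive letter below are assumptions chosen for the example.
$basePath  = 'C:\VHD\base.vhdx'    # assumed parent (base) disk
$diffPath  = 'C:\VHD\child.vhdx'   # assumed differencing (child) disk
$scriptTxt = Join-Path $env:TEMP 'vdisk.txt'

function Invoke-DiskPartScript {
    param([string]$Commands)
    # DiskPart reads its commands from the file; ASCII avoids a byte-order mark
    # that can break the first command.
    Set-Content -Path $scriptTxt -Value $Commands -Encoding ASCII
    diskpart /s $scriptTxt
    if ($LASTEXITCODE -ne 0) { throw "DiskPart failed with exit code $LASTEXITCODE" }
}

New-Item -ItemType Directory -Path (Split-Path $basePath) -Force | Out-Null

# 1. Create a 1024 MB dynamically expanding parent, give it an NTFS volume, detach it,
#    then create the differencing child. PARENT implies TYPE=EXPANDABLE and takes its
#    size from the parent, so the child gets neither MAXIMUM nor TYPE (see the table above).
Invoke-DiskPartScript -Commands @"
create vdisk file="$basePath" maximum=1024 type=expandable
select vdisk file="$basePath"
attach vdisk
create partition primary
format fs=ntfs quick label="BaseDisk"
assign letter=V
detach vdisk
create vdisk file="$diffPath" parent="$basePath"
"@

# 2. Mark the parent file read-only, as the text recommends, so later writes to the
#    base cannot silently invalidate every child that depends on it.
Set-ItemProperty -Path $basePath -Name IsReadOnly -Value $true

# 3. Attach the child read-only for inspection. Any write returns an I/O device error,
#    which is the safe default when examining a disk you did not create yourself.
Invoke-DiskPartScript -Commands @"
select vdisk file="$diffPath"
attach vdisk readonly
"@

# 4. Detach before copying the file or unplugging the media that holds it: while
#    attached, the file is open and cannot be deleted or safely moved.
Invoke-DiskPartScript -Commands @"
select vdisk file="$diffPath"
detach vdisk
"@
```

Keeping the commands in a file rather than typing them interactively also gives you a record of exactly which virtual disk files were created and attached, which is useful when the same disks later need to be detached or removed.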

Managing VHD files by Using Windows PowerShell 4.0


Windows PowerShell 4.0 and 3.0 contain native disk management cmdlets that you can use to script or manage virtual disks in an enterprise environment.

Windows PowerShell includes commands that you can use to manipulate existing disk image files, which can be .iso, .vhd, or .vhdx files. You can use the following commands with existing disk image files.

Cmdlet                 Description

Dismount-DiskImage     Dismounts a disk image (virtual hard disk or ISO image) so that it can no longer be accessed as a disk.

Get-DiskImage          Returns information about one or more disk images (virtual hard disk or ISO image) for the specified location.

Mount-DiskImage        Mounts a disk image (virtual hard disk or ISO image), making it appear as a normal disk.

Note: Use the VirtualDisk cmdlets within Windows PowerShell to manage the virtual disks found in Storage Spaces.

To mount an existing .iso, .vhd, or .vhdx file, you use the following command:
Mount-DiskImage -ImagePath <Path>\<FileName>

Note: To view all the cmdlets available in the Storage module for Windows PowerShell, run the following cmdlet:
Get-Command -Module Storage
To view the cmdlets for working with disk images, run the following cmdlet:
Get-Command -Module Storage *DiskImage*
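The disk image cmdlets above used end to end, as an added example that is not part of the course: mount a .vhdx with Mount-DiskImage, confirm with Get-DiskImage that it attached and which disk number it received, prepare it if it is still RAW, list the volumes it exposes, and dismount it again. The path C:\VHD\data.vhdx, the label VHDData, the GPT partition style and the function names are assumptions for the example.

```powershell
# Added example, not part of the course: the disk image cmdlets above used end to end.
# Run from an elevated Windows PowerShell prompt. The path, label, partition style
# and function names are assumptions chosen for the example.
$imagePath = 'C:\VHD\data.vhdx'   # assumed; an existing .vhd, .vhdx or .iso file

function Mount-AndPrepareImage {
    param([string]$Path, [switch]$ReadOnly)

    # -Access ReadOnly is the cmdlet equivalent of DiskPart's "attach vdisk readonly";
    # use it when inspecting an image whose origin you do not control.
    $access = if ($ReadOnly) { 'ReadOnly' } else { 'ReadWrite' }
    Mount-DiskImage -ImagePath $Path -Access $access | Out-Null

    # Get-DiskImage reports whether the image attached and the disk number it received.
    $image = Get-DiskImage -ImagePath $Path
    if (-not $image.Attached) { throw "Image $Path did not attach" }
    $disk = Get-Disk -Number $image.Number

    # A freshly created image is RAW; initialize and format it once so a volume exists.
    if ($disk.PartitionStyle -eq 'RAW' -and -not $ReadOnly) {
        Initialize-Disk -Number $disk.Number -PartitionStyle GPT
        New-Partition -DiskNumber $disk.Number -UseMaximumSize -AssignDriveLetter |
            Format-Volume -FileSystem NTFS -NewFileSystemLabel 'VHDData' -Confirm:$false | Out-Null
    }
    return Get-Disk -Number $image.Number
}

function Dismount-ImageSafely {
    param([string]$Path)
    # Dismount before the file is copied, moved or its drive unplugged; an image that is
    # still attached when removable media is pulled can be corrupted, as the note above warns.
    Dismount-DiskImage -ImagePath $Path
    if ((Get-DiskImage -ImagePath $Path).Attached) { throw "Image $Path is still attached" }
}

$disk = Mount-AndPrepareImage -Path $imagePath

# Show the volumes the image exposes; the GPT reserved partition carries no volume.
Get-Partition -DiskNumber $disk.Number | Where-Object { $_.Type -ne 'Reserved' } |
    Get-Volume -ErrorAction SilentlyContinue |
    Select-Object DriveLetter, FileSystemLabel, FileSystem, Size

Dismount-ImageSafely -Path $imagePath
```

Checking the Attached property after both operations is the scripted counterpart of looking for the light blue disk icon in Disk Management: it confirms the mount actually happened before you rely on it, and confirms the dismount completed before the file or its drive is moved.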


Lab A: Managing Disks


Scenario

A. Datum Corporation has purchased additional hard drives for the laptop computers used by the Marketing department. You need to modify the hard drive configuration manually. Due to application requirements, you need to create several simple partitions, a spanned partition, and a striped partition. The laptop computers are shared and require that you place a quota on the spanned drive. For certain instances, you plan to use virtual hard drives.

Objectives
After you complete this lab, you will be able to:
• Create and manage volumes in Windows 8.1.
• Create disk quotas to manage volume usage.
• Manage virtual hard disks.

Lab Setup
Estimated Time: 30 minutes
Virtual machines: 20687C-LON-DC1, 20687C-LON-CL2
User names: Adatum\Administrator and Adatum\Alan
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687C-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in by using the following credentials:
   o User name: Adatum\Administrator
   o Password: Pa$$w0rd
   o Domain: Adatum
5. Repeat steps 2 to 4 for 20687C-LON-CL2.

Exercise 1: Creating Volumes


Scenario

A. Datum Corporation has purchased additional hard drives for the laptop computers used by the Marketing department. To ensure that the new disks can be used for storing corporate Microsoft Office PowerPoint presentations and media, you need to create and manage the volumes on the newly installed hard disks.

The main tasks for this exercise are as follows:

1. Create a simple volume by using Disk Management.
2. Create a simple volume by using Windows PowerShell 4.0.
3. Resize a simple volume by using Disk Management.
4. Resize a simple volume by using Windows PowerShell version 4.0.
5. Create a spanned volume by using Disk Management.
6. Create a striped volume by using Disk Management.

Task 1: Create a simple volume by using Disk Management


1. Sign in to LON-CL2 as Adatum\Administrator.
2. Start Disk Management.
3. Create a new simple volume on Disk 2.
4. Complete the New Simple Volume Wizard by using the following settings:
   o Volume Size: 5103 MB
   o Name the volume Simple1
5. Close Disk Management and any open windows.

Task 2: Create a simple volume by using Windows PowerShell 4.0


1. Start Windows PowerShell as administrator.
2. At the Windows PowerShell command prompt, run the following commands:
   o Get-Disk -Number 3 | New-Partition -Size (5GB) | Format-Volume -Confirm:$false -FileSystem NTFS -NewFileSystemLabel Simple2
   o Get-Partition (Note the partition number you just created on Disk 3. You will use that in the next step.)
   o Set-Partition -DiskNumber 3 -PartitionNumber x -NewDriveLetter H (where x is the result of the previous step.)
3. Minimize the Windows PowerShell Command Prompt window.
4. In File Explorer, verify that the volume that you created is visible.
5. Close File Explorer, and then minimize the PowerShell command prompt window.

Task 3: Resize a simple volume by using Disk Management


1. Open the Start screen, and then start Disk Management.
2. Start the Extend Volume Wizard, and then extend Simple1 with 500 MB from Disk 2.
3. Close Disk Management.

Task 4: Resize a simple volume by using Windows PowerShell version 4.0


1. Restore the Windows PowerShell Command Prompt window.
2. At the Windows PowerShell command prompt, run the Get-Partition command.
3. Note the disk number, partition number, and size for the H: drive.
4. At the Windows PowerShell command prompt, run the following command, substituting the DiskNumber and PartitionNumber values with the information you recorded in the previous step:
   o Resize-Partition -DiskNumber 3 -PartitionNumber 1 -Size (5.5GB)
5. At the Windows PowerShell command prompt, run the Get-Partition command.
6. Compare the size of the Simple2 volume with the size previously reported.
7. Minimize the Windows PowerShell Command Prompt window.


Task 5: Create a spanned volume by using Disk Management


1. Open the Start screen, and then start Disk Management.
2. Right-click the unallocated space on Disk 2, and then start the New Spanned Volume Wizard.
3. Complete the New Spanned Volume Wizard by using defaults, except for the following information:
   o Use 2000 MB from Disk 2
   o Use 1500 MB from Disk 3
   o Use 4000 MB from Disk 4
   o Name the volume SpannedVol
   o Select the Perform a quick format check box.
4. Read the Disk Management warning, and then click Yes.

Task 6: Create a striped volume by using Disk Management


1. Right-click the unallocated space on Disk 2, and then start the New Striped Volume Wizard.
2. Complete the New Striped Volume Wizard by using defaults, except for the following information:
   o Use 2000 MB from each disk.
   o Name the volume StripedVol.
   o Select the Perform a quick format check box.
3. Close Disk Management and any open windows.

Results: After completing this exercise, you should have created several volumes on a client computer.
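The volume work of Exercise 1 as one Windows PowerShell script, added here as an example and not part of the course: it creates and resizes the Simple2 volume on Disk 3 with the lab's sizes, but adds the checks the manual steps leave to the reader, namely that the target disk is online and writable before anything is written to it, and that the requested new size lies within the range Get-PartitionSupportedSize reports before Resize-Partition is called. The function names are assumptions; the disk number, sizes, label and drive letter are the lab's.

```powershell
# Added example, not part of the course: Tasks 2 and 4 of Exercise 1 as one script
# with the preconditions checked first. Disk number, sizes, label and drive letter
# follow the lab; the function names are assumptions. Run from an elevated prompt.
$diskNumber = 3

function New-SimpleVolume {
    param([int]$DiskNumber, [uint64]$Size, [string]$Label, [char]$DriveLetter)

    # Do not write to a disk that is offline or read-only; fail with a clear message instead.
    $disk = Get-Disk -Number $DiskNumber
    if ($disk.IsOffline -or $disk.IsReadOnly) { throw "Disk $DiskNumber is offline or read-only" }

    # Create the partition, assign the letter in the same step, and format it NTFS.
    $partition = New-Partition -DiskNumber $DiskNumber -Size $Size -DriveLetter $DriveLetter
    $partition | Format-Volume -FileSystem NTFS -NewFileSystemLabel $Label -Confirm:$false | Out-Null
    return $partition
}

function Resize-SimpleVolume {
    param([int]$DiskNumber, [int]$PartitionNumber, [uint64]$NewSize)

    # Get-PartitionSupportedSize reports the smallest and largest size the partition
    # can take given the data on it and the free space after it. Checking first turns
    # a cryptic resize failure into an explicit message.
    $limits = Get-PartitionSupportedSize -DiskNumber $DiskNumber -PartitionNumber $PartitionNumber
    if ($NewSize -lt $limits.SizeMin -or $NewSize -gt $limits.SizeMax) {
        throw ("Requested {0:N2} GB is outside the supported range {1:N2} GB to {2:N2} GB" -f
               ($NewSize / 1GB), ($limits.SizeMin / 1GB), ($limits.SizeMax / 1GB))
    }
    Resize-Partition -DiskNumber $DiskNumber -PartitionNumber $PartitionNumber -Size $NewSize
    return Get-Partition -DiskNumber $DiskNumber -PartitionNumber $PartitionNumber
}

# Task 2: 5 GB volume labelled Simple2 on Disk 3 with drive letter H.
$partition = New-SimpleVolume -DiskNumber $diskNumber -Size 5GB -Label 'Simple2' -DriveLetter 'H'
$before = $partition.Size

# Task 4: grow the same partition to 5.5 GB and report the change.
$partition = Resize-SimpleVolume -DiskNumber $diskNumber -PartitionNumber $partition.PartitionNumber -NewSize 5.5GB
"Simple2 grew from {0:N2} GB to {1:N2} GB" -f ($before / 1GB), ($partition.Size / 1GB)

# Verification, the scripted equivalent of checking File Explorer.
Get-Volume -DriveLetter 'H' | Select-Object DriveLetter, FileSystemLabel, FileSystem, Size, SizeRemaining
```

Because New-Partition assigns the drive letter directly, the separate Get-Partition and Set-Partition steps of Task 2 are not needed; the partition object returned by New-Partition already carries the PartitionNumber that Resize-Partition requires.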

Exercise 2: Configuring Disk Quotas


Scenario

In this exercise, you will configure a disk quota on one of the new volumes. You will enforce a quota limit, and then sign in as a standard user to test the quota limit.

The main tasks for this exercise are as follows:

1. Create disk quotas on a volume.
2. Create test files.
3. Test the disk quota.
4. Review quota alerts and logging.

Task 1: Create disk quotas on a volume


1. On LON-CL2, open File Explorer, and then navigate to This PC.
2. Open the StripedVol (I:) Properties.
3. Click the Quota tab, and then enable quotas with the following settings:
   o Deny disk space to users exceeding quota limit
   o Limit disk space to 6 MB
   o Set warning level to 4 MB
   o Log event when a user exceeds their warning level
4. Close all open windows.

Task 2: Create test files


1. Open a Command Prompt window, and then run the following commands on the I: drive:
   o fsutil file createnew 2mb-file 2097152
   o fsutil file createnew 1kb-file 1024
2. Sign out from LON-CL2.

Task 3: Test the disk quota


1. Sign in to LON-CL2 as Adatum\Alan.
2. Open File Explorer to the StripedVol (I:) drive.
3. Create a new folder called Alan's files.
4. Copy the 1kb-file and 2mb-file files to Alan's files.
5. Make a copy of the 2mb-file.
6. Make another copy of 2mb-file.
7. Review the message that appears when you make the second copy, and then click Cancel.
8. Sign out from LON-CL2.

Task 4: Review quota alerts and logging


1. Sign in to LON-CL2 as Adatum\Administrator.
2. Open File Explorer, and then navigate to This PC.
3. Open the StripedVol (I:) Properties.
4. Click the Quota tab, and then open the Quota Entries.
5. Review the entries for Alan Steiner in the Quota Entries for StripedVol (I:) dialog box, and then close all open windows.
6. Open the Event Viewer, and then look for events with an Event ID of 36.
7. Review the event or events found, and then close all open windows.

Results: After completing this exercise, you should have created and tested a disk quota.
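An added example, not part of the course, that reads the quota state configured in this exercise from the command line and retrieves the quota events that Task 4 asks you to find in Event Viewer. It uses the Win32_QuotaSetting and Win32_DiskQuota WMI classes for the volume-wide settings and the per-user entries, and Get-WinEvent for the events. The drive letter I: and the Event ID 36 come from the lab; that the event is written to the System log, and the function names, are assumptions for the example.

```powershell
# Added example, not part of the course: reads the quota state configured in this
# exercise and retrieves the quota events Task 4 looks for in Event Viewer.
# The drive letter and Event ID are the lab's; the System log as the location of
# the quota event, and the function names, are assumptions for the example.
$driveLetter = 'I:'

function Get-QuotaPolicy {
    param([string]$DriveLetter)
    # Win32_QuotaSetting holds the volume-wide settings made on the Quota tab.
    # VolumePath is stored with a trailing backslash, which WQL requires to be doubled.
    $volumePath = "$DriveLetter\"
    $wql = "VolumePath='{0}'" -f $volumePath.Replace('\', '\\')
    $q = Get-WmiObject -Class Win32_QuotaSetting -Filter $wql
    if (-not $q) { throw "No quota settings found for $volumePath" }
    [pscustomobject]@{
        Volume           = $q.VolumePath
        State            = @{ 0 = 'Disabled'; 1 = 'Tracked'; 2 = 'Enforced' }[[int]$q.State]
        DefaultLimitMB   = [math]::Round($q.DefaultLimit / 1MB, 2)
        DefaultWarningMB = [math]::Round($q.DefaultWarningLimit / 1MB, 2)
        LogWarnings      = [bool]$q.WarningExceededNotification
        LogLimitExceeded = [bool]$q.ExceededNotification
    }
}

function Get-QuotaUsers {
    param([string]$DriveLetter)
    # Win32_DiskQuota is one row per user, the same data as the Quota Entries window.
    # QuotaVolume is a reference to Win32_LogicalDisk, so match on its DeviceID.
    $pattern = '*DeviceID="' + $DriveLetter + '"*'
    Get-WmiObject -Class Win32_DiskQuota |
        Where-Object { $_.QuotaVolume -like $pattern } |
        ForEach-Object {
            # User is a reference to Win32_Account; pull Domain and Name out of it.
            $name   = if ($_.User -match 'Name="([^"]+)"')   { $matches[1] } else { $_.User }
            $domain = if ($_.User -match 'Domain="([^"]+)"') { $matches[1] + '\' } else { '' }
            [pscustomobject]@{
                User    = $domain + $name
                UsedMB  = [math]::Round($_.DiskSpaceUsed / 1MB, 2)
                LimitMB = [math]::Round($_.Limit / 1MB, 2)
                Status  = @{ 0 = 'OK'; 1 = 'Warning'; 2 = 'Exceeded' }[[int]$_.Status]
            }
        }
}

function Get-QuotaEvents {
    param([int]$Hours = 24)
    # Event ID 36 is the quota event the exercise asks you to review; the System log is
    # assumed here as its location. Finding no events is a normal result, not an error.
    $filter = @{ LogName = 'System'; Id = 36; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, ProviderName, Message
}

Get-QuotaPolicy -DriveLetter $driveLetter | Format-List
Get-QuotaUsers  -DriveLetter $driveLetter | Format-Table -AutoSize
Get-QuotaEvents | Format-Table -AutoSize -Wrap
```

After Task 1 the policy should report State as Enforced with LogWarnings set, and after Task 3 the entry for Alan should show a Status other than OK; if the event query returns nothing although the warning level was crossed, check that the Log event option from Task 1 was actually saved.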

Exercise 3: Managing Virtual Hard Disks


Scenario
In this exercise, you will create, mount, and then delete a virtual hard disk.

The main tasks for this exercise are as follows:

1. Create a virtual hard disk.
2. Mount the VHD file, browse to the VHD file, and create files on the drive.
3. Remove a mounted VHD file.

Task 1: Create a virtual hard disk


1. If necessary, sign in to LON-CL2 as Adatum\Administrator.
2. Open the Start screen, and then start Disk Management.
3. Complete the Create and Attach Virtual Hard Disk Wizard by using the following settings:
   o Name the volume I:\DemoDisk.VHDX.
   o Use 100 MB as the disk size
   o Use .vhdx format
   o Dynamically expanding disk type
4. Open an Administrative Command Prompt window, and then open DiskPart.
5. Create a virtual hard drive by using the following settings:
   o Name the VHD file I:\virtualdisk2.vhdx
   o Use 1048 MB as the disk size
   o Use .vhdx format
   o Dynamically expanding disk type

Task 2: Mount the VHD file, browse to the VHD file, and create files on the drive
1. Using the Virtual Hard Disk I:\DemoDisk.VHDX created previously, bring the disk online, and then format the unallocated space, naming the drive SimpleVHD1.
2. In File Explorer, verify that a new drive named SimpleVHD1 has been created.
3. Create a new folder named Test on the new drive.
4. Create a new Notepad document named Test.txt, and then save it on the new drive.
5. Using the Virtual Hard Disk I:\virtualdisk2.vhdx created previously, bring the disk online, and then format the unallocated space, naming the drive SimpleVHD2.
6. In File Explorer, verify that a new drive named SimpleVHD1 has been created.
7. Create a new folder named Test on the new drive.
8. Open the Test folder, and then create a new Notepad document named Test.txt.

Task 3: Remove a mounted VHD file


1. If necessary, sign in to LON-CL2 as Adatum\Administrator.
2. Open the Start screen, and then start Disk Management.
3. Detach the virtual disk SimpleVHD1.
4. Open an Administrative Command Prompt window, and then open DiskPart.
5. Detach the mounted virtual disk I:\virtualdisk2.vhdx.

Results: After completing this exercise, you should have created, mounted and then deleted a VHD file.

To prepare for the next lab

When you have finished the lab, leave the virtual machines running as they are needed for the next lab.


Lesson 4

Installing and Configuring Device Drivers

Devices have changed from being single-function peripherals to complex, multifunction devices with a large amount of local storage and the ability to run many apps. They have evolved from a single type of connection, such as USB 1.0, to multi-transport devices that support USB 3.0, Bluetooth, and Wi-Fi. Newer connection methods such as near field communication and Miracast wireless display capabilities are emerging technologies that have built-in support within Windows 8.1. Many of today's devices are integrated and sold with services that are delivered over the Internet. Internet delivery has simplified the delivery mechanism, which means that a computer's ability to recognize and use devices has expanded to cover several possibilities. Microsoft constantly expands the list of devices and peripherals that are being tested for compatibility with Windows 8.1.

The device experience in Windows 8.1 is designed on existing connectivity protocols and driver models to maximize compatibility with existing devices. You can use the following areas in Windows 8.1 to manage devices:

• The Devices and Printers control panel item gives users a single location to find and manage all the devices that connect to a Windows 8.1-based computer, and it provides quick access to device status, product information, and key functions such as faxing and scanning. This enhances and simplifies the customer experience with a Windows 8.1-connected device.

• Device Manager is used to view and update hardware settings and driver software for devices such as internal hard drives, network cards, sound cards, video or graphics cards, memory, processors, and other internal computer components.

Building on the Plug and Play concept, seamless user experiences begin with the ability to effortlessly connect devices to a Windows 8.1 device. Up-to-date and newly released drivers are retrieved automatically from Windows Update, and when appropriate, users are given an option to download and install additional applications for the device. These components all help reduce support calls and increase customer satisfaction.

Lesson Objectives
After completing this lesson, you will be able to:
• Describe device drivers in Windows 8.1.
• Describe the process for installing devices and drivers.
• Describe the process for installing drivers into the Driver Store.
• Describe the device driver management tools.
• Describe the options for updating drivers.
• Describe how to manage signed drivers.
• Discuss options for recovering from a driver issue.
• Manage drivers on a Windows 8.1 computer.


Overview of Device Drivers in Windows 8.1


A driver is a small software application that the operating system uses to communicate with hardware or devices. Generally, they are specific to an operating system or a family of operating systems. Without drivers, the hardware that you connect to a computer does not work properly. Windows supports most devices without needing additional downloads. With Windows 8.1, additional drivers and device support are available online through Windows Update. If the Windows operating system does not have a required driver, look for it on the disc that came with the hardware or device, or on the manufacturer's website.

32-Bit and 64-Bit Drivers

Windows 8.1 is available in 32-bit and 64-bit versions. Drivers that were developed for the 32-bit version do not work with the 64-bit version, and vice versa. You must make sure that you obtain appropriate device drivers before you install Windows 8.1.

Driver Signing

The device drivers that are included with Windows 8.1 have a Microsoft digital signature that indicates whether a particular driver or file has met a certain level of testing, is stable and reliable, and has not been altered since it was digitally signed. Windows 8.1 checks for a driver's digital signature during installation and prompts the user if no signature is available.

Note: The signature file is stored as a .cat file in the same location as the driver file.

Driver Store and Driver Packages

The driver store is the driver repository in Windows 8.1. A driver package is a set of files that make up a driver. It includes the .inf file, any files that the .inf file references, and the .cat file that contains the digital signature for the device driver. You can preload the driver store with drivers for commonly used peripheral devices. The driver store is located in %SystemRoot%\System32\DriverStore.

Installing a driver is a two-stage process. First, you install the driver package into the driver store. You must use administrator credentials to install the driver package into the driver store. The second step is to attach the device and install the driver. A standard user can perform this second step. During hardware installation, if the appropriate driver is not available, Windows 8.1 uses Windows Error Reporting to report an unknown device. This enables OEMs to work with Microsoft to provide additional information to users, such as a statement of nonsupport for a particular device, or a link to a website with additional support information.

In Windows 8.1, the Device Metadata Retrieval Client provides an end-to-end process for defining and distributing device metadata packages. These packages contain device-experience XML documents that represent a device's properties and functions, together with applications and services that support the device. Through these XML documents, the Devices and Printers control panel category page, and Device Stage, users are presented with an interface that is specific to the device, which the device maker defines. Windows 8.1 uses WMIS to discover, index, and match device metadata packages to specific devices that are connected to a computer. Device makers also can distribute device metadata packages directly to a computer through their own setup applications.


Note: You can use the Pnputil.exe tool to add a driver to the Windows 8.1 driver store manually.

Installing Devices and Drivers


Windows operating systems have supported Plug and Play for device and driver installation since the Microsoft Windows 95 operating system. When you install a new device, typically Windows 8.1 recognizes and configures it. To support Plug and Play, devices contain configuration and driver information. Each Plug and Play device must:

• Be uniquely identified.
• State the services it provides and the resources that it requires.
• Identify the driver that supports it.
• Allow software to configure it.

Windows 8.1 reads this information when a device is attached to the computer and then completes the configuration so that the device works properly with the other installed devices. When properly implemented, Plug and Play provides automatic configuration of PC hardware and devices. The driver architecture for Windows supports comprehensive, operating system-controlled Plug and Play. Plug and Play technologies are defined for Institute of Electrical and Electronics Engineers 1394 (IEEE 1394), Peripheral Component Interconnect (PCI) cards, PC Card/CardBus, USB, SCSI, Advanced Technology Attachment (ATA), Industry Standard Architecture (ISA), LPT, and Component Object Model (COM). You can use Device Manager to manually install device drivers for devices that are not compliant with Plug and Play.

Windows 8.1 introduces several improvements to the way that users can discover and use the devices that their computers host and which connect to their computers. Windows 8.1 can detect nearby devices in the home, automatically making them available for use. Windows 8.1 also can install a Windows 8.1 device app automatically from the Windows Store, when users connect their device for the first time. The Windows 8.1 device apps that are companions to a device or PC have the ability to leverage the full range of functionality of that device or PC.

Improved End-User Experience

The success of a driver installation depends on several factors. Two key factors are whether a device is supported by a driver package that is included with a Windows operating system, available on Windows Update, or available from the Windows Store, and whether the user has media with the driver package that the vendor provides. Windows 8.1 includes several features that help an administrator make device driver installation more straightforward for users:

• Staging driver packages in the protected Driver Store. A standard user without any special privileges or permissions can install a driver package that is in the Driver Store.

• Configuring client computers to search a specified list of folders automatically when a new device attaches to the computer. A network share can host these folders. When a device driver is accessible in this manner, the Windows operating system does not need to prompt the user to insert media.

• Rebooting the system is rarely necessary when installing Plug and Play devices or software applications. This is true because of the following reasons:
  o The Plug and Play Manager installs and configures drivers for Plug and Play devices while the operating system is running.
  o Applications can use side-by-side components instead of replacing shared, in-use dynamic-link libraries (DLLs).

These features improve the user experience and reduce help-desk support costs because standard users can install approved driver packages without requiring additional permissions or administrator assistance. These features also help increase computer security by ensuring that standard users only can install driver packages that you authorize and trust.

Driver Detection Process

When a user inserts a device, the Windows operating system detects it and then signals the Plug and Play service to make the device operational. Plug and Play queries the device for identification strings and searches the driver store for a driver package that matches the identification strings. If a matching package is found, Plug and Play copies the device driver files from the driver store to their operational locations, typically %SystemRoot%\System32\Drivers, and then updates the registry as needed. Finally, Plug and Play starts the newly installed device driver. If a matching package is not found in the driver store, the Windows operating system searches for a matching driver package by looking in the following locations:

• Folders specified by the DevicePath registry entry.
• The Windows Update website.
• Media or a manufacturer's website that is provided after the system prompts the user.

A Windows operating system also checks that the driver package has a valid digital signature. If the driver package is signed by a certificate that is valid but is not found in the trusted publisher store, the Windows operating system prompts the user for confirmation.

Staging device driver packages in this manner provides significant benefits. After a driver package is staged successfully, any user who logs on to that computer can install the drivers by simply plugging in an appropriate device.

Non-Plug and Play Devices

Devices that are not compatible with Plug and Play are becoming increasingly rare as manufacturers stop producing them in favor of Plug and Play devices. The term non-Plug and Play typically applies to older pieces of equipment with devices that require manual configuration of hardware settings before use. To view non-Plug and Play devices, in Device Manager, click the View menu, click Show hidden devices, and then expand Non-Plug and Play Drivers.


Staging Drivers in the Driver Store


Typically, standard users cannot install device drivers. However, you can use the Plug and Play utility (Pnputil.exe) to stage drivers to the driver store. After the signed driver package is in the driver store, a Windows operating system considers the package trusted.

Note: Run the pnputil.exe tool from an elevated command prompt. The tool cannot invoke the User Account Control dialog box. If you attempt to use the pnputil.exe tool from a command prompt that is not running as administrator, the commands fail.

To add a driver, use the -a parameter to specify the path and name of the driver, for example, pnputil -a <PathToDriver>/<Driver>.inf. The Windows operating system validates that the signature attached to the package is valid, the files are unmodified, and the file thumbprints match the signature.

After adding a driver, note the assigned number. Drivers are renamed oem*.inf during the addition to ensure unique naming. For example, the file MyDriver1.inf may be renamed oem0.inf. You can view the published name by using the -e parameter, for example, pnputil -e. Typically, you do not need to uninstall a Plug and Play device. Just disconnect or unplug the device so that the Windows operating system does not load or use the driver.

The following table lists the options available with pnputil.exe.

Option                                Description

-a <PathToDriver>/<Driver>.inf        Add the driver package specified by <PathToDriver>/<Driver>.inf to the Driver Store.

-a <PathToDriver>/*.inf               Add all the driver packages in the path specified.

-i -a <PathToDriver>/<Driver>.inf     Add and install the driver package specified by <PathToDriver>/<Driver>.inf to the driver store.

-e                                    Enumerate all third-party driver packages.

-d OEM<#>.inf                         Delete the driver package specified by OEM<#>.inf.

-f -d OEM<#>.inf                      Force the deletion of the driver package specified by OEM<#>.inf.
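The driver-store layout and the signature checks described under Driver Signing and in this topic, as an added example that is not part of the course: a Windows PowerShell audit that verifies the .cat catalog of each package under %SystemRoot%\System32\DriverStore\FileRepository with Get-AuthenticodeSignature, lists the drivers bound to devices from the Win32_PnPSignedDriver WMI class together with their signer, and shows the published oemN.inf names that pnputil -e reports. The function names and the Microsoft* signer filter are assumptions for the example; the Driver Store path and the pnputil parameters are the ones the text gives.

```powershell
# Added example, not part of the course: audits what is staged in the Driver Store and
# what is bound to devices, so unsigned or unexpectedly signed packages stand out.
# Run from an elevated Windows PowerShell prompt. The function names and the
# 'Microsoft*' signer filter are assumptions chosen for the example.

function Get-StagedDriverSignatures {
    # Each staged package has its own folder under FileRepository. The .cat file in that
    # folder is the digital signature the text describes; verify it directly.
    $repo = Join-Path $env:SystemRoot 'System32\DriverStore\FileRepository'
    Get-ChildItem -Path $repo -Directory | ForEach-Object {
        $inf = Get-ChildItem -Path $_.FullName -Filter *.inf | Select-Object -First 1
        $cat = Get-ChildItem -Path $_.FullName -Filter *.cat | Select-Object -First 1
        $sig = if ($cat) { Get-AuthenticodeSignature -FilePath $cat.FullName } else { $null }
        [pscustomobject]@{
            Package = $_.Name
            Inf     = if ($inf) { $inf.Name } else { '' }
            Status  = if ($sig) { $sig.Status.ToString() } else { 'NoCatalog' }
            Signer  = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}

function Get-BoundDriverSignatures {
    # Win32_PnPSignedDriver describes the driver bound to each present device,
    # including whether Windows considers it signed and who signed it.
    Get-WmiObject -Class Win32_PnPSignedDriver |
        Where-Object { $_.DeviceName } |
        Select-Object DeviceName, InfName, DriverVersion, DriverProviderName, IsSigned, Signer
}

# Staged packages whose catalog is missing or does not verify: review these before
# the same packages are trusted on other computers.
Get-StagedDriverSignatures | Where-Object { $_.Status -ne 'Valid' } |
    Format-Table Package, Inf, Status, Signer -AutoSize

# Drivers in use that are unsigned or signed by someone other than Microsoft: compare
# this list with the vendors you expect on the computer rather than ignoring it.
Get-BoundDriverSignatures |
    Where-Object { -not $_.IsSigned -or $_.Signer -notlike 'Microsoft*' } |
    Sort-Object Signer | Format-Table DeviceName, InfName, Signer -AutoSize

# The published oemN.inf names that pnputil -e reports are what pnputil -d expects.
pnputil -e | Select-String 'Published name'
```

The two views complement each other: the catalog check tells you whether what is staged could be installed by a standard user, and the bound-driver list tells you what is actually loaded. A package that verifies but whose signer is unfamiliar deserves the same attention as one that fails, because staging it is what makes it trusted for every user of the computer.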

Device Driver Management Tools


There are several areas in Windows 8.1 from which you can manage devices and their related drivers:
• Windows 8.1 device apps
• Device Manager
• Devices and Printers
• Device Stage
• The Pnputil tool, run from an elevated command prompt or Windows PowerShell

Windows 8.1 Apps

Windows 8.1 introduces the Windows 8.1 device apps, which build on the Plug and Play experience from Windows 7. Using these apps, device manufacturers can deliver an app that is paired with their device and is downloaded automatically to the user the first time the device is connected. Providing a Windows 8.1 device app gives hardware developers a unique opportunity to highlight device functionality.

Device Manager
Device Manager helps you install and update the drivers for hardware devices, change the hardware settings for those devices, and troubleshoot problems. You can perform the following tasks in Device Manager:

• View a list of installed devices. View all devices that are currently installed, grouped by type, by their connection to the computer, or by the resources they use. This device list is recreated after every system restart or dynamic change.
• Uninstall a device. Uninstall the device driver and remove the driver software from the computer.
• Enable or disable devices. If you want a device to remain attached to a computer without being enabled, you can disable the device instead of uninstalling it. Disabling differs from uninstalling because only the drivers are disabled; the hardware configuration is not changed.
• Troubleshoot devices. Determine whether the hardware on a computer is working properly. If a device is not operating correctly, it may be listed as an Unknown Device with a yellow question mark (?) next to it.
• Update device drivers. If you have an updated driver for a device, you can use Device Manager to apply the updated driver.
• Roll back drivers. If you experience system problems after updating a driver, you can roll back to a previous driver. Using this feature, you can reinstall the last device driver that was functioning before the installation of the current device driver.

You can use Device Manager to manage devices on a local computer only. On a remote computer, Device Manager works in read-only mode. This means that you can view, but not change, that computer's hardware configuration. Device Manager is accessible in the Hardware and Sound category in Control Panel.

View the Status of a Device

The status of a device shows whether a device has drivers installed and whether the Windows operating system is able to communicate with the device. To view the status of a device, follow this procedure in Device Manager:
1. Right-click the device, and then click Properties.
2. On the General tab, the Device status area shows a description of the current status.

Hidden Devices

The most common hidden devices are non-Plug and Play devices, storage volumes, and internal network adapters. To view hidden devices in Device Manager, click View, and then click Show hidden devices.

Devices and Printers

The Hardware and Sound category in Control Panel provides an additional place to manage devices, such as Devices and Printers. Wizards guide you through the setup process, which reduces complex configuration tasks. Windows 8.1 recognizes new devices and automatically attempts to download and install any drivers that are required for a device. After a device is connected, it appears in the Devices and Printers control panel category page. Devices that display in this location usually are external ones that you connect to or disconnect from a computer through a port or network connection. These devices include, but are not limited to, the following:
• Portable devices, such as mobile phones, music players, and digital cameras.
• All devices plugged into a USB port on a computer, such as flash drives, webcams, keyboards, and mice.
• All printers, whether they are connected by USB cable, the network, or wirelessly.
• Bluetooth and wireless devices.
• The computer itself.
• Network-enabled scanners or media extenders.
• Internal card readers.
• Monitors and other displays.

Devices and Printers does not include the following:
• Devices such as internal hard drives, disc drives, sound cards, video or graphics cards, memory, processors, and other internal computer components.
• Speakers that are connected to a computer with conventional speaker wires.
• Older devices, such as mice and keyboards that connect to a computer through a PS/2 or serial port.

In Devices and Printers, a multifunction printer shows and can be managed as one device instead of individual printer, scanner, or fax devices. In Device Manager, each individual component of a multifunction printer is displayed and managed separately.

PC Settings

A new option with Windows 8.1 is PC settings. To access PC settings, click the Settings charm from the bottom right corner of the Start screen, and then click Change PC settings. In the left pane, click PC and devices, and then click Devices. From there you can add devices, remove already installed devices, or search for recommended apps for a device.

Device Stage

Device Stage provides users with a new way to access devices and advanced options for managing them. Devices in use are shown with a photorealistic icon. This icon can include quick access to common device tasks and status indicators that let users quickly discern battery status, device synchronization status, remaining storage capacity, and other information. Device makers can customize this experience to highlight device capabilities and branding, and they can include links to product manuals, additional applications, community information and help, or additional products and services. The entire Device Stage experience remains current. Graphics, task definitions, status information, and links to websites are distributed to computers by using WMIS.

For a list of Device Stage experiences, go to:
Windows 8.1 device experience
http://go.microsoft.com/fwlink/?LinkId=266558

Options for Updating Drivers


A newer version of a device driver often adds functionality and fixes problems that were discovered in earlier versions, and you can resolve many hardware problems by installing updated device drivers. Also, device driver updates often help resolve security problems and improve performance.

Dynamic Update is a feature that works with Windows Update to download any critical fixes and device drivers that are required during the setup process. Dynamic Update downloads new drivers for devices that are connected to a computer and are required to run Setup. This feature updates the required setup files and improves the Windows 8.1 Setup process. Dynamic Update downloads the following types of files:

Critical updates. Dynamic Update replaces files from the Windows 8.1 operating system DVD that require critical fixes or updates. Dynamic Update also replaces DLLs that setup requires. The only files that are downloaded are those that replace existing files. No new files are downloaded.

Device drivers. Dynamic Update only downloads drivers that are not included on an operating system installation CD or DVD. Dynamic Update does not update existing drivers, but you can obtain these by connecting to Windows Update after setup is complete.

When updated device drivers are required, Microsoft tries to ensure that you can get them directly from Windows Update or from device manufacturer websites. Check Windows Update first to update drivers after they are installed. If an updated device driver is not available through Windows Update, find the latest version of a device driver by any of the following methods:
• Visit the computer manufacturer's website for an updated driver.
• Visit the hardware manufacturer's website.
• Search the Internet by using the device name.

Note: Exercise care and caution when searching the Internet for device drivers, because malware frequently masquerades as drivers on download websites. Wherever possible, download drivers only from Microsoft or a manufacturer's website.

You can perform manual device updates in Device Manager. To update a device driver manually, follow this procedure in Device Manager:
1. Double-click the type of device you want to update.
2. Right-click the device, and then click Update Driver Software.
3. Follow the instructions in the Update Driver Software Wizard.

Windows 8.1 also includes several enhancements to the upgrade experience, including a load driver feature. If an upgrade is blocked due to incompatible or missing drivers that are required for the system to start, you can use this feature to load a new or updated driver from the Compatibility Report and continue with the upgrade.

Managing Signed Drivers


Because device drivers run with system-level privileges and can access anything on a computer, it is critical to trust device drivers that are installed. Trust, in this context, includes two main principles:
• Authenticity. A guarantee that the package came from its claimed source.
• Integrity. An assurance that the package is completely intact and has not been modified after its release.

Administrators and end users who install Windows-based software can use digital signatures to verify that a legitimate publisher has provided the software package. A digital signature is an electronic security mark that identifies the publisher of the software and indicates whether someone has changed the driver package's original contents. If a publisher signs a driver, you can be confident that the driver comes from that publisher and has not been altered.

A digital signature uses an organization's digital certificate to encrypt specific details about the package. The encrypted information in a digital signature includes a thumbprint for each file that is included with the package. A special cryptographic algorithm referred to as a hash algorithm generates this thumbprint. The algorithm generates a code that only that file's contents can create. Changing a single bit in the file changes the thumbprint. After the thumbprints are generated, they are combined together into a catalog and then encrypted.

Note: 64-bit versions of Windows 8.1 require that all drivers be digitally signed.

If your organization has a Software Publishing Certificate, you can use that to add your own digital signature to drivers that you have tested and that you trust. If you experience stability problems after you install a new hardware device, an unsigned device driver might be the cause.

Note: To disable the enforcement of driver signatures, access the Advanced Boot Options menu and select Disable driver signature enforcement. The procedure for accessing the Advanced Boot Options menu is described in the next topic.

Signature Verification Tool

You can use Sigverif.exe to check if unsigned device drivers are in the system area of a computer. Sigverif.exe writes the results of a scan to a log file that includes the system file, the signature file, and the signature file's publisher. The log file shows any unsigned device drivers as unsigned. You then can choose whether to remove the unsigned drivers. To remove an unsigned device driver, follow this procedure:
1. Run sigverif to scan for unsigned drivers, and then review the resulting log file.
2. Create a temporary folder for the storage of unsigned drivers.
3. Manually move any unsigned drivers from %SystemRoot%\System32\Drivers into the temporary folder.
4. Disable or uninstall the associated hardware devices.
5. Restart the computer.

If this resolves the problem, try to obtain a signed driver from the hardware vendor, or replace the hardware with a device that is compatible with Windows 8.1.

You can obtain a basic list of signed and unsigned device drivers at a command prompt by running the driverquery command with the /si switch.

Note: Some hardware vendors use their own digital signatures, so drivers can have a valid digital signature even if Microsoft has not tested them. The Sigverif report lists the vendors for each signed driver. This can help you identify problem drivers that were issued by particular vendors.
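To put the driverquery /si check and the per-file signature and thumbprint ideas from this topic together, here is an added PowerShell example that is not from the course: it lists drivers that driverquery reports as unsigned and checks the .sys files in %SystemRoot%\System32\drivers with Get-AuthenticodeSignature, recording each flagged file's SHA-256 hash with Get-FileHash (PowerShell 4.0, which ships with Windows 8.1). The driverquery CSV column names DeviceName, InfName, IsSigned and Manufacturer are assumed.

```powershell
# Added example (not from the course): report drivers that are not signed,
# from two sources, so a reviewer can follow up with sigverif.
function Get-UnsignedDriverReport {
    param(
        [string]$DriverFolder = (Join-Path $env:SystemRoot 'System32\drivers')
    )

    $report = @()

    # driverquery /si reports the signing state Windows recorded for each
    # installed driver (column names assumed: DeviceName, InfName, IsSigned,
    # Manufacturer; spaces are stripped in case the header contains them).
    foreach ($row in (driverquery.exe /si /fo csv | ConvertFrom-Csv)) {
        $cols = @{}
        foreach ($p in $row.PSObject.Properties) { $cols[($p.Name -replace '\s', '')] = $p.Value }
        if ($cols['IsSigned'] -eq 'FALSE') {
            $report += [pscustomobject]@{
                Name   = $cols['DeviceName']
                Source = 'driverquery /si'
                Detail = "inf=$($cols['InfName']) manufacturer=$($cols['Manufacturer'])"
            }
        }
    }

    # Per-file check of the driver binaries. Files signed only through a
    # catalog (.cat) can show NotSigned here although the package is signed,
    # so treat these rows as leads to confirm with sigverif, not as proof.
    foreach ($file in (Get-ChildItem -Path $DriverFolder -Filter *.sys -File)) {
        $sig = Get-AuthenticodeSignature -FilePath $file.FullName
        if ($sig.Status -ne 'Valid') {
            $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
            $report += [pscustomobject]@{
                Name   = $file.Name
                Source = 'Get-AuthenticodeSignature'
                Detail = "status=$($sig.Status) sha256=$hash"
            }
        }
    }

    return $report
}

Get-UnsignedDriverReport | Format-Table -AutoSize -Wrap
```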

Benefits of Signing and Staging Driver Packages

Because device driver software runs as a part of an operating system, it is critical that only known and authorized device drivers are permitted to run. Signing and staging device driver packages on client computers provide the following benefits:
• Improved security. You can allow standard users to install approved device drivers without compromising computer security or requiring help-desk assistance.
• Reduced support costs. Users can only install devices that your organization has tested and is prepared to support. Therefore, you maintain the security of computers as you simultaneously reduce the demands on the help desk.
• Better user experience. A driver package that is staged in the driver store works automatically when the user plugs in a device. Alternatively, driver packages placed on a shared network folder can be discovered whenever an operating system detects a new hardware device. In both cases, a user is not prompted before installation.

Configuring the Certificate Store to Support an Unknown Certification Authority

On each computer, the Windows operating system maintains a store for digital certificates. As the computer administrator, you can add certificates from trusted publishers. If a package is received for which a matching certificate cannot be found, a Windows operating system requires confirmation that the publisher is trusted. By placing a certificate in a certificate store, you inform a Windows operating system that packages that are signed by that certificate are trusted.

You can use Group Policy to deploy certificates to client computers. By using Group Policy, you can install a certificate automatically to all managed computers in a domain, organizational unit, or site.

Discussion: Options for Recovering from a Driver Issue


You can use driver rollback to recover from a device problem if your computer can start successfully, using safe mode if necessary. This is most useful in cases where a device driver update has created a problem. Driver rollback reconfigures a device to use a previously installed driver, overwriting a more recent driver. To roll back a driver, restart the computer, using safe mode if necessary. Accessing safe mode has changed in Windows 8.1. Perform the following procedure to access safe mode:
1. Hold down the Shift key, and then press F8 during startup. This starts the recovery mode.
2. On the recovery page, click See advanced repair options, click Troubleshoot, and then click Advanced options.
3. From the Advanced options menu, click Windows Startup Settings, and then click Restart.
4. On the subsequent restart, you can access the Advanced Boot Options menu. Select Safe Mode from the list.

Alternatively, you can use the Msconfig.exe tool to enable safe mode for the next restart from within Windows 8.1.

Note: To ensure that the function keys operate properly, you should use full-screen mode when using safe mode.

After you have started a computer successfully in safe mode, as an administrative user, follow this procedure to roll back a device driver:
1. Open Device Manager.
2. Right-click the device to roll back, and then click Properties.
3. In the Properties dialog box, click the Drivers tab, and then click Roll Back Driver.
4. In the Driver Package rollback dialog box, click Yes.

Note: Rolling back a driver can cause the loss of new functionality and can reintroduce problems that the newer version addressed.

Note: The Roll Back Driver button is available only if a previous version of the driver was installed. If the current driver for the device is the only one that was ever installed on the computer, then the Roll Back Driver button is not available.

System Restore

In rare cases, after you install a device or update a driver for a device, the computer may not start. This problem may occur in the following situations:
• The new device or the driver causes conflicts with other drivers that are installed on the computer.
• A hardware-specific issue occurs.
• The driver that is installed is damaged.

Sometimes, performing a driver rollback is not sufficient to recover from a computer problem. If you are unable to recover a computer by using a driver rollback, consider using System Restore.

You can use System Restore when you want to retain all new data and changes to existing files, but still perform a restoration of the system from when it was running well. Windows 8.1 lets you return a computer to the way it was at a previous point in time, without deleting any personal files. System Restore is reversible because an undo restore point is created before the restore operations are completed. During the restoration, a list of files appears that shows applications that will be removed or added. To restore a computer to a previous configuration by using System Restore, you can use:
• Safe mode.
• Windows Recovery Environment.

At the Start screen, type recovery in the Everywhere search screen, select Recovery, and then select Open System Restore.

Last Known Good Configuration

Even the earliest versions of the Windows NT operating system provided the Last Known Good Configuration startup option as a way of rolling a system back to a previous configuration. In Windows 8.1, some startup-related configuration and device-related configuration information is stored in the registry database, specifically, the HKLM\SYSTEM hive. A series of control sets are stored beneath this registry hive, most notably CurrentControlSet and LastKnownGood. The latter is located in the HKLM\SYSTEM\Select node. When you make a device configuration change to a computer, the change is stored in the CurrentControlSet key in the appropriate registry folder and value. After you restart a computer and successfully sign in, the Windows operating system synchronizes the CurrentControlSet key and the LastKnownGood key.

However, if, after a device configuration change, you experience a startup problem but do not sign in, the two control sets are out of synchronization, and the LastKnownGood key contains the previous configuration set. To use the Last Known Good Configuration startup option, restart the computer without logging on, and then press F8 during the boot sequence to access the Advanced Boot Options menu. Select Last Known Good Configuration (advanced) from the list.
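The Select key and the control-set synchronization described above, as an added PowerShell example that is not part of the course: it reads HKLM\SYSTEM\Select, resolves which ControlSet00N keys the Current and LastKnownGood values point at, and compares one service's Start value between them to show whether a change has been copied into LastKnownGood yet. The service name Disk is only a placeholder.

```powershell
# Added example (not from the course): show which control set is current,
# which one Last Known Good refers to, and whether they agree for one service.
function Get-ControlSetState {
    param([string]$ServiceName = 'Disk')   # placeholder; any key under ...\Services

    # Select holds DWORD values Current, Default, Failed and LastKnownGood,
    # each naming a ControlSet00N key by number (0 means none recorded).
    $select  = Get-ItemProperty -Path 'HKLM:\SYSTEM\Select'
    $current = 'ControlSet{0:D3}' -f $select.Current
    $lkg     = 'ControlSet{0:D3}' -f $select.LastKnownGood

    function Read-Start([string]$set) {
        $path = "HKLM:\SYSTEM\$set\Services\$ServiceName"
        if (Test-Path -Path $path) { (Get-ItemProperty -Path $path).Start } else { $null }
    }

    $startCurrent = Read-Start $current
    $startLkg     = Read-Start $lkg

    # A difference here means a configuration change made during this session
    # has not yet been copied to LastKnownGood, which happens only after a
    # successful sign-in following a restart.
    [pscustomobject]@{
        CurrentControlSet = $current
        LastKnownGood     = $lkg
        FailedSetNumber   = $select.Failed
        Service           = $ServiceName
        StartInCurrent    = $startCurrent
        StartInLKG        = $startLkg
        InSync            = ($startCurrent -eq $startLkg)
    }
}

Get-ControlSetState -ServiceName 'Disk'
```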

If you have a hardware problem, the cause could be hardware or a device driver. Fortunately, the process to update device drivers to newer versions is straightforward. Alternatively, you can roll back device drivers to older versions or reinstall them. Troubleshooting hardware problems often starts by troubleshooting device drivers. To identify a device driver problem, answer the following questions:
• Did you recently upgrade a device driver or other software related to the hardware? If so, roll back the device driver to the previous version.
• Are you experiencing occasional problems, or is the device not compatible with the current version of the Windows operating system? If so, upgrade the device driver.
• Did the hardware suddenly stop working? If so, upgrade the device driver. If that does not solve the problem, reinstall the device driver. If the problem continues, try troubleshooting the hardware problem.

Demonstration: Managing Drivers

This demonstration shows how to update a device driver and then roll back that driver update. You also will install a driver into the Driver Store. This demonstration requires two machine restarts.

Demonstration Steps

Update a device driver


1. If necessary, sign in to LON-CL2 as Adatum\Administrator.
2. Start Device Manager.
3. Expand Keyboards, and then update the Standard PS/2 Keyboard driver to the PC/AT Enhanced PS/2 Keyboard (101/102 Key) driver.
4. Restart the computer when prompted.

Roll back a device driver


1. Sign in to LON-CL2 as Adatum\Administrator.
2. Start Device Manager.
3. Expand Keyboards, and then roll back the PC/AT Enhanced PS/2 Keyboard (101/102 Key) driver.
4. Restart the computer when prompted.
5. Sign in to LON-CL2 as Adatum\Administrator.
6. Start Device Manager.
7. Verify that you have successfully rolled back to the Standard PS/2 Keyboard driver.
8. Close Device Manager.

Install a driver into the Driver Store


1. Open an elevated command prompt.
2. Use pnputil -a E:\Labfiles\Mod03\Intellipoint\ipoint\setup64\files\driver\point64\point64.inf to install a driver into the Driver Store.
3. Check the list of installed OEM drivers by typing the pnputil -e command, and then press Enter.

Question: If your computer does not start normally due to a device driver issue, what options are there for performing a driver roll back?

Lab B: Configuring Device Drivers


Scenario

A. Datum recently purchased new laptop computers for the Sales department. The Sales manager has reported an error with one of the laptop drivers that is causing problems. You have identified the issue and determined that you need to install an updated driver. Also, you must ensure that members of the Sales department are able to roll back the driver if it causes errors.

Objectives
After you complete this lab, you will be able to:
• Install and configure a new driver.
• Manage device drivers.

Lab Setup
Estimated Time: 30 minutes
Virtual machines: 20687C-LON-DC1, 20687C-LON-CL2
User names: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. Verify that the following virtual machines are running:
   o 20687C-LON-DC1
   o 20687C-LON-CL2

Exercise 1: Installing Device Drivers


Scenario

By default, standard users cannot install device drivers. When you know certain Plug and Play devices will be used in your environment, you can preload the device drivers so that users can use the devices. The main task for this exercise is as follows:
1. Install a device driver into the protected store.

Task 1: Install a device driver into the protected store


1. Sign in to LON-CL2 as Adatum\Administrator.
2. Open an elevated command prompt.
3. At the command prompt, type pnputil -a E:\Labfiles\Mod03\Intellipoint\ipoint\setup64\files\driver\point64\point64.inf, and then press Enter.
4. Check the list of installed OEM drivers by typing pnputil -e, and then press Enter.

Results: After completing this exercise, you should have installed a driver into the protected Driver Store.

Exercise 2: Managing Device Drivers


Scenario

Several A. Datum users in the Sales department would like to update a poorly performing wireless network device driver on their new laptop computers. You have been asked to demonstrate to these users how they update a device driver and also how they can roll back a device driver if the update does not provide acceptable performance gains. The main tasks for this exercise are as follows:
1. Install a device driver.
2. Roll back a device driver.

Task 1: Install a device driver


1. Start Device Manager.
2. Expand Keyboards, and then update the Standard PS/2 Keyboard driver to the PC/AT Enhanced PS/2 Keyboard (101/102 Key) driver.
3. Restart the computer when prompted.

Task 2: Roll back a device driver


1. Sign in to LON-CL2 as Adatum\Administrator.
2. Start Device Manager.
3. Expand Keyboards, and then roll back the PC/AT Enhanced PS/2 Keyboard (101/102 Key) driver.
4. Restart the computer when prompted.
5. Sign in to LON-CL2 as Adatum\Administrator.
6. Start Device Manager.
7. Verify that you have successfully rolled back to the Standard PS/2 Keyboard driver.
8. Close Device Manager.

Results: After completing this exercise, you should have installed and rolled back a device driver.

To prepare for the next module


When you have finished the lab, revert all virtual machines back to their initial state:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687C-LON-CL2, and then click Revert.
3. In the Revert Virtual Machines dialog box, click Revert.
4. Repeat steps 2 to 3 for 20687C-LON-DC1.

Module Review and Takeaways


Common Issues and Troubleshooting Tips
Common Issue | Troubleshooting Tip
Configuring disk quotas on multiple volumes |
Exceeding the quota allowance |
If you have a hardware problem, the hardware or a device driver may be causing it. | Troubleshooting hardware problems often starts by troubleshooting device drivers.

Review Questions
Question: You are implementing 64-bit Windows 8.1 and need to partition the disk to support 25 volumes, some of which will be larger than 2 terabytes (TB). Can you implement this configuration by using a single hard disk?

Question: You have created a volume on a newly installed hard disk by using DiskPart. Now, you want to continue using DiskPart to perform the following tasks:
• Format the volume for NTFS.
• Assign the next available drive letter.
• Assign a volume label of sales-data.

What two commands must you use for these tasks?

Question: You recently upgraded to Windows 8.1 and are experiencing occasional problems with the shortcut keys on your keyboard. Describe the first action you might take to resolve the issue, and then list the steps to perform the action.

Tools
The following table lists some of the tools that are available for managing hard disks and devices.

Tool | Used for | Where to find it
Defrag.exe | Performing disk defragmentation tasks from the command line. | Command prompt
Device Manager | Viewing and updating hardware settings and driver software for devices, such as internal hard drives, disc drives, sound cards, video or graphics cards, memory, processors, and other internal computer components. | Devmgmt.msc, or embedded in Computer Management
Windows 8.1 device apps | Helping users interact with devices and use the full functionality of devices. | Start screen or Taskbar
Devices and Printers | Providing users a single location to find and manage all the devices connected to their Windows 8.1-based computers. Also provides quick access to device status, product information, and key functions such as faxing and scanning to enhance and simplify the customer experience with a Windows 8.1 connected device. | Control Panel
The Optimize Drives tool | Rearranging fragmented data so that disks and drives can work more efficiently. | In File Explorer, right-click a volume, click Properties, click the Tools tab, and then click Optimize.
Disk Management | Managing disks and volumes, both basic and dynamic, locally or on remote computers. | Diskmgmt.msc
DiskPart | Managing disks, volumes, and partitions from the command line or from the Windows Preinstallation Environment. | At a command prompt, type DiskPart.
Fsutil.exe | Performing tasks that are related to FAT and NTFS, such as managing reparse points, managing sparse files, or dismounting a volume. | Elevated command prompt
Pnputil.exe | Adding drivers to and managing drivers in the protected device store. | Elevated command prompt

Module 6
Configuring Network Connectivity
Contents:
Module Overview 6-1
Lesson 1: Configuring IPv4 Network Connectivity 6-2
Lesson 2: Configuring IPv6 Network Connectivity 6-9
Lesson 3: Implementing Automatic IP Address Allocation 6-14
Lab A: Configuring a Network Connection 6-21
Lesson 4: Implementing Name Resolution 6-25
Lab B: Resolving Network Connectivity Issues 6-30
Lesson 5: Implementing Wireless Network Connectivity 6-33
Module Review and Takeaways 6-39

Module Overview

Network connectivity is essential in today's business environment. An increasing number of computer users want to connect their computers to a network. These users might be part of a business network infrastructure or a home office, or they might need to share files and access the Internet.

The Windows 8.1 operating system provides enhanced networking functionality compared with earlier Windows client operating systems, and it provides support for newer technologies. By default, Windows 8.1 implements both TCP/Internet Protocol version 4 (IPv4) and TCP/Internet Protocol version 6 (IPv6). Understanding IPv4, IPv6, and the operating system's access capabilities will help you configure and troubleshoot Windows 8.1 networking features.

Objectives
After completing this module, you will be able to:
• Describe how to configure IPv4 network connectivity.
• Describe how to configure IPv6 network connectivity.
• Implement automatic IP address allocation.
• Implement name resolution.
• Implement wireless network connectivity.

Lesson 1

Configuring IPv4 Network Connectivity

IPv4 uses a specific addressing scheme and name-resolution mechanism to transmit data between connected nodes. To connect and configure computers that are running Windows 8.1 to a network, you must understand the concepts of the IPv4 addressing scheme.

Lesson Objectives
After completing this lesson, you will be able to:
• Describe the use of IPv4 in network connectivity.
• Describe how to define network IDs with subnet masks.
• Describe the purpose of the default gateway.
• Describe public and private IPv4 addresses.
• Configure a network connection with an IPv4 address.
• Describe how to verify IPv4 network connectivity.

Network Connectivity Using IPv4


To troubleshoot network connectivity problems, you must be familiar with IPv4 addresses and how they work. Communication between computers can happen only if they can identify each other on the network. When you assign a unique IPv4 address to each networked computer, the IPv4 address identifies the computer to the other computers on the network. That IPv4 address, combined with the subnet mask, also identifies the computer's location on the network, much like the combination of a number and a street name identifies the location of a house.

Overview of Connecting With Another Network Host

In a typical situation, communication starts with a request to connect to another host by its computer name. However, to communicate, the requesting host needs to know the media access control (MAC) address of the network interface of the receiving host. Conversely, the receiving host needs to know the MAC address of the sender. Once discovered, that MAC information is cached locally. A MAC address is a hard-coded, unique identifier assigned to network interfaces by the manufacturers of network adapters. Before the requesting host can find the MAC address of the receiving host, a number of steps occur. A high-level overview of these steps is:
1. A request is sent from a host to connect to Server1.
2. The name Server1 must be resolved to an IPv4 address. There are a number of methods to accomplish this.
3. Once the sender knows the IPv4 address of the recipient, the IPv4 address is determined to be either remote or on the local subnet. The subnet mask is used for this purpose.
4. If local, an Address Resolution Protocol (ARP) request is broadcast on the local subnet.
5. If remote, an ARP request is sent to the default gateway and routed to the correct subnet.
6. The host that owns that IPv4 address will respond with its MAC address and a request for the MAC address of the sender.

Once MAC addresses are exchanged, IPv4 communication negotiation can occur, and IP data packets can be exchanged.

Components of an IPv4 Address


IPv4 uses 32-bit addresses. If you view the address in its binary format, it has 32 characters, as the following example shows:
11000000101010000000000111001000

IPv4 divides the address into four octets, as the following example shows:
11000000.10101000.00000001.11001000

To make IP addresses more readable, the 32-bit address is typically written in decimal form, one decimal number per octet. For example:
192.168.1.200

In conjunction with a subnet mask, the address identifies:
• The computer's unique identity, which is the host ID.
• The subnet on which the computer resides, which is the network ID.

This enables a networked computer to communicate with other networked computers in a routed environment.

IPv4 Address Classes

The Internet Assigned Numbers Authority (IANA) organizes IPv4 addresses into classes, and a network's number of hosts determines the required class of addresses. Class A through Class E are the names that IANA has specified for IPv4 address classes.

Classes A, B, and C are IP addresses that you can assign to host computers as unique IP addresses, whereas you can use Class D for multicasting. Additionally, IANA reserves Class E for experimental use.

Defining Network IDs Using Subnet Masks


A subnet mask specifies which parts of an IPv4 address are the network ID and which parts are the host ID. A subnet mask has four octets, similar to an IPv4 address.

Simple IPv4 Networks


In simple IPv4 networks, the subnet mask defines full octets as part of the network and host IDs. A 255 represents an octet that is part of the network ID, and a 0 represents an octet that is part of the host ID. Class A, B, and C networks use default subnet masks. The following table lists the characteristics of each IP address class.

Class   First octet   Default subnet mask   Number of networks   Number of hosts per network
A       1 to 127      255.0.0.0             126                  16,777,214
B       128 to 191    255.255.0.0           16,384               65,534
C       192 to 223    255.255.255.0         2,097,152            254

Complex IPv4 Networks

In complex networks, subnet masks might not be simple combinations of 255 and 0. Rather, you might subdivide one octet so that some of its bits are for the network ID and some are for the host ID. When the network ID does not end on an octet boundary, this is known as classless addressing, or Classless Interdomain Routing (CIDR). You use either more or less than a whole octet, and this type of subnetting uses a different notation, which the following example shows:
172.16.16.1/255.255.240.0

The following example shows the more common representation of classless IPv4 addressing:
172.16.16.1/20

The /20 represents how many leftmost subnet bits are set to 1 in the mask. This notation style is called CIDR. This subnet mask in binary notation would look like this:
11111111.11111111.11110000.00000000

The first 20 bits are set to 1 and indicate the subnet ID, and the last 12 zero placeholders represent how many bits are used to identify the host.
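The address arithmetic in this lesson (the binary octets, the class table, the mask-and-address AND that yields the network ID, the /n CIDR count, and the local-or-remote decision in step 3 of the connection steps above) can be checked with a short script. The following Python is an added example, not part of the course; it uses only the standard-library ipaddress module, and the addresses it works on are the lesson's own 192.168.1.200 and 172.16.16.1/20.

```python
import ipaddress


def to_binary(addr: str) -> str:
    """Dotted decimal -> the four 8-bit octets, e.g. 192.168.1.200."""
    return ".".join(f"{int(o):08b}" for o in addr.split("."))


def address_class(addr: str) -> str:
    """Class from the first octet, using the ranges in the class table."""
    first = int(addr.split(".")[0])
    if 1 <= first <= 127:
        return "A"
    if 128 <= first <= 191:
        return "B"
    if 192 <= first <= 223:
        return "C"
    return "D" if 224 <= first <= 239 else "E"


DEFAULT_MASKS = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}


def prefix_length(mask: str) -> int:
    """Subnet mask -> CIDR /n by counting the leading 1 bits. A mask whose 1 bits
    are not contiguous (for example 255.0.255.0) is not a valid mask and is rejected."""
    bits = "".join(f"{int(o):08b}" for o in mask.split("."))
    n = bits.count("1")
    if bits != "1" * n + "0" * (32 - n):
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return n


def mask_from_prefix(n: int) -> str:
    """CIDR /n -> dotted-decimal mask (/20 -> 255.255.240.0)."""
    return str(ipaddress.IPv4Address(((1 << n) - 1) << (32 - n)))


def network_id(addr: str, mask: str) -> str:
    """Network ID = address AND mask."""
    prefix_length(mask)  # validate the mask before using it
    a, m = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(a & m))


def host_id(addr: str, mask: str) -> str:
    """Host ID = address AND NOT mask."""
    a, m = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(a & (~m & 0xFFFFFFFF)))


def same_subnet(src: str, dst: str, mask: str) -> bool:
    """The decision in step 3 of the connection steps: local (ARP for dst on
    this subnet) or remote (send the packet through the default gateway)."""
    return network_id(src, mask) == network_id(dst, mask)


def describe(addr: str, mask=None) -> dict:
    """Everything the lesson derives from one address; the default class mask
    is used when no mask is given (class D and E have no default mask)."""
    cls = address_class(addr)
    mask = mask or DEFAULT_MASKS.get(cls)
    if mask is None:
        raise ValueError(f"class {cls} address {addr} has no default subnet mask")
    return {
        "binary": to_binary(addr),
        "class": cls,
        "mask": mask,
        "prefix": prefix_length(mask),
        "network_id": network_id(addr, mask),
        "host_id": host_id(addr, mask),
    }


if __name__ == "__main__":
    print(describe("192.168.1.200"))
    print(describe("172.16.16.1", mask_from_prefix(20)))
    print(same_subnet("172.16.16.1", "172.16.31.254", "255.255.240.0"))  # True: same /20
    print(same_subnet("172.16.16.1", "172.16.32.1", "255.255.240.0"))    # False: next /20
```

The contiguity check in prefix_length is the part worth keeping: Windows will refuse a mask such as 255.0.255.0, and a script that silently counts its 1 bits would report a /16 that does not exist.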

For more information, see Planning Supernetting and Classless Interdomain Routing (CIDR) on the Microsoft TechNet website. http://go.microsoft.com/fwlink/?LinkId=154437&clcid=0x409

What Is a Subnet?

A subnet is a network segment, and single or multiple routers separate the subnet from the rest of the network. When your Internet service provider (ISP) assigns a network to a Class A, B, or C address range, you often must subdivide the range to match the network's physical layout. Subdividing enables you to break a large network into smaller, logical subnets.

When you subdivide a network into subnets, you must create a unique ID for each subnet, which you derive from the main network ID. To create subnets, you must allocate some of the bits in the host ID to the network ID. By doing so, you can create more networks. By using subnets, you can:
• Use a single Class A, B, or C network across multiple physical locations.
• Reduce network congestion by segmenting traffic and reducing broadcasts on each segment.
• Overcome the limitations of current technologies, such as exceeding the maximum number of hosts that each segment can have.

Configuring Connectivity to Other Subnets


A default gateway is a device on a TCP/IP internetwork, usually a router, which forwards IP packets to other subnets. A router connects groups of subnets to create an intranet. In an intranet, any given subnet might have several routers that connect it to other local and remote subnets. You must configure one of the routers as the default gateway for local hosts so that the local hosts can communicate with hosts on remote networks.

When a host delivers an IPv4 packet, it performs an internal calculation by using the subnet mask to determine whether the destination host is on the same network or on a remote network. If the destination host is on the same network, the local host delivers the packet. If the destination host is on a different network, the host transmits the packet to a router for delivery.

Note: The host determines the MAC address of the router for delivery, and the initiating host addresses the router explicitly, at the media access layer.

When a host on the network uses IPv4 to transmit a packet to a destination subnet, IPv4 consults the internal routing table to determine the appropriate router to ensure that the packet reaches the destination subnet. If the routing table does not contain any routing information about the destination subnet, IPv4 forwards the packet to the default gateway. The host assumes that the default gateway contains the required routing information.

In most cases, you can use a Dynamic Host Configuration Protocol (DHCP) server to assign the default gateway automatically to a DHCP client. This is more straightforward than manually assigning a default gateway on each host.
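The routing-table consultation described above is a longest-prefix match: the most specific matching entry wins, and the default gateway is simply the entry for 0.0.0.0/0, which matches every destination and therefore only wins when nothing more specific does. The following Python is an added example, not course material; the routing table, addresses and interface names are constructed for the example, in the columns that route print or Get-NetRoute show (destination prefix, next hop, interface), with a next hop of 0.0.0.0 meaning the destination is on-link.

```python
import ipaddress

# Constructed routing table for a host at 172.16.16.3/20 (not captured from a real machine).
ROUTES = [
    ("0.0.0.0/0",      "172.16.16.1",   "Ethernet"),  # default gateway
    ("172.16.16.0/20", "0.0.0.0",       "Ethernet"),  # local subnet, deliver directly
    ("10.10.0.0/16",   "172.16.16.254", "Ethernet"),  # static route to a branch subnet
    ("127.0.0.0/8",    "0.0.0.0",       "Loopback"),
]


def lookup(destination: str, routes=ROUTES):
    """Longest-prefix match. Returns (network, gateway, interface) or None."""
    ip = ipaddress.IPv4Address(destination)
    best = None
    for prefix, gateway, iface in routes:
        net = ipaddress.IPv4Network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, iface)
    return best


def next_hop(destination: str, routes=ROUTES):
    """What the host does with a packet: ('on-link', address to ARP for, interface, route)
    when it delivers directly, ('router', gateway to ARP for, interface, route) when it
    hands the packet to a router, or None when no route (not even a default) exists."""
    match = lookup(destination, routes)
    if match is None:
        return None
    net, gateway, iface = match
    if gateway == "0.0.0.0":
        return ("on-link", destination, iface, str(net))   # ARP for the destination itself
    return ("router", gateway, iface, str(net))            # ARP for the router, not the destination


if __name__ == "__main__":
    for dst in ("172.16.20.5", "10.10.5.5", "203.0.113.10"):
        print(dst, "->", next_hop(dst))
    # Without a default route, an address outside every prefix is unreachable.
    no_default = [r for r in ROUTES if r[0] != "0.0.0.0/0"]
    print("203.0.113.10 with no default gateway ->", next_hop("203.0.113.10", no_default))
```

The last case is the one a troubleshooter meets most often: a host with a correct address and mask but no default gateway can reach its own subnet and nothing else, which looks like a "local works, remote fails" symptom.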

Public vs. Private IPv4 Addresses


Devices and hosts that connect directly to the Internet require a public IPv4 address. However, hosts and devices that do not connect directly to the Internet do not require a public IPv4 address.

Public IPv4 Addresses


Public IPv4 addresses, which IANA assigns, must be unique. Usually, your ISP allocates you one or more public addresses from its address pool. The number of addresses that your ISP allocates to you depends upon how many devices and hosts that you have to connect to the Internet.

Private IPv4 Addresses


The pool of IPv4 addresses is becoming smaller, so IANA is reluctant to allocate superfluous IPv4 addresses. Technologies such as network address translation (NAT) enable administrators to use a relatively small number of public IPv4 addresses, and at the same time, enable local hosts to connect to remote hosts and services on the Internet. IANA defines the following address ranges as private. Internet-based routers do not forward packets originating from, or destined to, these ranges.

Class   Mask             Range
A       10.0.0.0/8       10.0.0.0 - 10.255.255.255
B       172.16.0.0/12    172.16.0.0 - 172.31.255.255
C       192.168.0.0/16   192.168.0.0 - 192.168.255.255

In today's network environments, it is most common for organizations to have one or more public, routable IP addresses from an ISP assigned to the external interfaces of their firewall appliance, and to then use the designated private IP subnets internally.

Note: Request For Comments (RFC) 3330 defines these private address ranges.

Question: Which of the following is not a private IP address?
a. 171.16.16.254
b. 192.16.18.5
c. 192.168.1.1
d. 10.255.255.254
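The class B private block is the one most often misread, because 172.16.0.0/12 is not a whole class B network: it runs from 172.16.0.0 to 172.31.255.255, so 172.32.0.1 is public, and 192.16.x.x is not 192.168.x.x. The following Python is an added example, not course material, that classifies addresses against the three ranges in the table plus the APIPA range (169.254.0.0/16) that a Windows client assigns itself when no DHCP server answers; the sample addresses are constructed.

```python
import ipaddress

# Private ranges from the table above (RFC 1918, summarized in RFC 3330).
PRIVATE = {
    "A": ipaddress.IPv4Network("10.0.0.0/8"),
    "B": ipaddress.IPv4Network("172.16.0.0/12"),
    "C": ipaddress.IPv4Network("192.168.0.0/16"),
}
# APIPA (link-local) addresses are self-assigned and never routed off the local link.
APIPA = ipaddress.IPv4Network("169.254.0.0/16")


def classify(addr: str) -> str:
    """Returns 'private-A', 'private-B', 'private-C', 'apipa' or 'public'."""
    ip = ipaddress.IPv4Address(addr)
    for cls, net in PRIVATE.items():
        if ip in net:
            return f"private-{cls}"
    if ip in APIPA:
        return "apipa"
    return "public"


def internet_routable(addr: str) -> bool:
    """Would an Internet router forward a packet from or to this address?
    Private ranges are dropped, and an APIPA address never leaves its link."""
    return classify(addr) == "public"


def range_report() -> dict:
    """First address, last address and size of each private block."""
    return {cls: (str(net[0]), str(net[-1]), net.num_addresses) for cls, net in PRIVATE.items()}


# Constructed samples, chosen to sit just inside and just outside the boundaries.
SAMPLES = ["10.0.0.5", "172.31.255.254", "172.32.0.1", "192.168.250.1",
           "192.16.250.1", "169.254.10.20", "203.0.113.9"]

if __name__ == "__main__":
    for cls, (first, last, size) in range_report().items():
        print(f"class {cls}: {first} - {last} ({size} addresses)")
    for addr in SAMPLES:
        print(f"{addr:16} {classify(addr):10} routable={internet_routable(addr)}")
```

A firewall or proxy rule that expects "172.16.0.0/16" instead of /12 leaves 172.17.0.0 through 172.31.255.255 uncovered; the range_report() output is a quick way to confirm the boundaries before writing such rules.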

Demonstration: Configuring an IPv4 Address


You can configure IPv4 settings on a Windows 8.1 computer by using the Network and Sharing Center, the Netsh command-line tool, or the Windows PowerShell command-line interface. To configure IPv4 by using Netsh, you can use the following example:
Netsh interface ipv4 set address name="Local Area Connection" source=static addr=172.16.16.3 mask=255.255.255.0 gateway=172.16.16.1

The following table describes some of the Windows PowerShell cmdlets that you can use to view and configure IPv4 settings.

Cmdlet                        Description of IPv4 configuration uses
Set-NetIPAddress              Modifies an existing IP address and sets the subnet mask
Set-NetIPInterface            Enables or disables DHCP for an interface
Set-NetRoute                  Modifies routing table entries, including the default gateway (0.0.0.0)
Set-DnsClientServerAddress    Configures the Domain Name System (DNS) server that is used for an interface


Demonstration

This demonstration shows how to configure an IPv4 address manually by using the Network and Sharing Center.

Demonstration Steps

View the current network connection configuration
1. Sign in to LON-CL1 as administrator.
2. Open a Command Prompt window, and then use ipconfig /all to view the current IPv4 configuration. This displays the configuration for all network connections on the computer.

View the IPv4 configuration
1. In Network and Sharing Center, view the Ethernet Status. This window shows the same configuration information for this adapter as the IPConfig command.
2. View the IPv4 configuration for Ethernet. You can configure the IP address, subnet mask, default gateway, and DNS servers in this window.
3. View the Advanced settings. In the Advanced TCP/IP Settings window, you can configure additional settings, such as additional IP addresses, DNS settings, and Windows Internet Name Service (WINS) servers for NetBIOS name resolution.

Question: When might you need to change a computer's IPv4 address?

Verifying IPv4 Network Connectivity


One of the first steps in troubleshooting connection issues is verifying connectivity at the IPv4 level. For example, if a user cannot connect to the Internet or shared network drives, you should ensure that basic IPv4 connectivity exists between the client computer and the network resource. There are a number of tools you can use to verify IPv4 connectivity, including:
• IPConfig
• Ping
• Tracert
• Windows PowerShell cmdlets

IPConfig
IPConfig is a command-line tool that is used to display basic IPv4 configurations. IPConfig supports a number of parameters, including:
• All. Displays all the TCP/IP configuration information for all network adapters.
• Release. Sends a DHCPRELEASE message to the DHCP server, which releases the current DHCP configuration of all network adapters or a specific network adapter.
• Renew. Renews the DHCP configuration for all network adapters or a specific network adapter that is configured to use DHCP.

When you run IPConfig without any parameters, it will display the current IP address, subnet mask, and default gateway.


Ping
Ping is a command-line tool used to verify connectivity to another computer by sending four Internet Control Message Protocol (ICMP) Echo Request messages. The receiving computer will respond with a reply to each request along with the round-trip time of the packets. Ping has a number of parameters, including:

• -t. Specifies that ping continues sending echo request messages to the destination until interrupted by pressing CTRL+BREAK.
• -a. Specifies that reverse name resolution is performed on the destination IP address. If this is successful, ping displays the corresponding host name.

Note: Most Internet sites and firewalls block ICMP traffic. This makes the Ping tool less useful outside of your own LAN.

Tracert

Tracert is a command-line tool used to display the routing path of packets and measure their delays while in transit. This can help determine incorrect entries in routing tables that are affecting the routing of IP traffic.

Windows PowerShell Cmdlets

There are many cmdlets available for the configuration and testing of IPv4. The following table describes some of the common cmdlets:

Cmdlet                Description
Get-NetIPAddress      Gets information about IP address configuration
Get-NetIPv4Protocol   Gets information about the IPv4 protocol configuration
Get-NetRoute          Gets the IP routing table
New-NetIPAddress      Creates an IP address and the configuration properties of that IP address
New-NetRoute          Creates an entry in the IP routing table
Remove-NetIPAddress   Deletes an IP address and the configuration properties of that IP address
Remove-NetRoute       Deletes an entry or entries (IP routes) from the IP routing table
Set-NetIPAddress      Modifies IP address configuration properties of an existing IP address
Set-NetRoute          Modifies an entry or entries in the IP routing table
Test-Connection       Runs similar connectivity tests to that used by the ping command


Lesson 2

Configuring IPv6 Network Connectivity

Though most networks to which you connect Windows 8.1-based computers currently provide IPv4 support, many also support IPv6. To connect computers that are running Windows 8.1 to IPv6-based networks, you must understand the IPv6 addressing scheme and the differences between IPv4 and IPv6.

Lesson Objectives
After completing this lesson, you will be able to:
• Describe the benefits of implementing IPv6.
• Describe how Windows 8.1 supports IPv6.
• Describe IPv6 addresses.
• Describe the connection process using IPv6.

Benefits of Implementing IPv6


The IPv6 protocol provides the following benefits:
• Large address space. A 32-bit address space can have 2^32 or 4,294,967,296 possible addresses; a 128-bit address space can have 2^128 or 340,282,366,920,938,463,463,374,607,431,768,211,456 (or 3.4x10^38 or 340 undecillion) possible addresses.
• Hierarchical addressing and routing infrastructure. The IPv6 address space is more efficient for routers, which means that even though there are many more addresses, routers can process data much more efficiently because of address optimization.
• Stateless and stateful address configuration. IPv6 has autoconfiguration capability without DHCP, and it can discover router information so that hosts can access the Internet. This is a stateless address configuration. A stateful address configuration is when you use the Dynamic Host Configuration Protocol version 6 (DHCPv6) protocol. Stateful configuration has two additional configuration levels: one in which DHCP provides all the information, including the IP address and configuration settings, and another in which DHCP provides just configuration settings.
• Required support for Internet Protocol security (IPsec). The IPv6 standards require support for the Authentication Header (AH) and Encapsulating Security Payload (ESP) headers that IPsec defines. Although IPsec does not define support for its specific authentication methods and cryptographic algorithms, IPsec is defined from the start as the way to protect IPv6 packets.

Note: IPsec provides for authentication and, optionally, encryption for communications between hosts.

• Restored end-to-end communication. The global addressing model for IPv6 traffic means that translation between different types of addresses is not necessary, such as the translation done by NAT devices for IPv4 traffic. This simplifies communication because you do not need to use NAT devices for peer-to-peer applications, such as video conferencing.
• Prioritized delivery. IPv6 contains a field in the packet that lets network devices determine that the packet should be processed at a specified rate. This enables traffic prioritization. For example, when you are streaming video traffic, it is critical that the packets arrive in a timely manner. You can set this field to ensure that network devices determine that the packet delivery is time-sensitive.
• Support for single-subnet environments. IPv6 has much better support of automatic configuration and operation on networks consisting of a single subnet. You can use this to create temporary, ad hoc networks through which you can connect and share information.
• Extensibility. IPv6 has been designed so that you can extend it with less constraint than IPv4.

For more information, see TCP/IP v4 and v6 on the Microsoft TechNet website. http://go.microsoft.com/fwlink/?LinkId=154442&clcid=0x409

IPv6 in Windows 8.1


Windows 8.1 uses IPv6 by default, and includes several features that support IPv6.

Windows 8.1 Dual Stack

Both IPv6 and IPv4 are supported in a dual stack configuration. The dual IP stack provides a shared transport and framing layer, shared filtering for firewalls and IPsec, and consistent performance, security, and support for both IPv6 and IPv4. These features help reduce maintenance costs. When you connect to a new network that advertises IPv6 routability, Windows 8.1 tests IPv6 connectivity, and it will only use IPv6 if IPv6 connectivity is actually functioning. Windows 8.1 also supports a functionality called address sorting. This functionality helps the Windows 8.1 operating system determine which protocol to use when an application supports both IPv4 and IPv6 and addresses are configured for both protocol stacks.

DirectAccess Use of IPv6

DirectAccess enables remote users to access a corporate network anytime they have an Internet connection because it does not require a virtual private network (VPN). DirectAccess provides a flexible corporate network infrastructure to help you remotely manage and update user PCs on and off a network. DirectAccess makes the end-user experience of accessing corporate resources over an Internet connection nearly indistinguishable from the experience of accessing these resources from a computer at work. DirectAccess uses IPv6 to provide globally routable IP addresses for remote access clients.

Windows Services Can Use IPv6

Windows 8.1 services such as file sharing and remote access use IPv6 features such as IPsec. This includes VPN Reconnect, which uses Internet Key Exchange version 2, an authentication component of IPv6. The Windows 8.1 operating system supports remote troubleshooting capabilities such as Windows Remote Assistance and Remote Desktop. Remote Desktop enables administrators to connect to multiple Windows Server sessions for remote administration purposes. You can use IPv6 addresses to make remote desktop connections. Windows Remote Assistance and Remote Desktop use the Remote Desktop Protocol to enable users to access files on their office computer from another computer, such as one located at their home.

IPv6 Addresses
The most obvious, distinguishing feature of IPv6 is its use of much larger addresses. IPv4 addresses are expressed in four groups of decimal numbers, such as 192.168.1.1. Each grouping of numbers represents a binary octet. In binary, the preceding number is as follows:
11000000.10101000.00000001.00000001 (4 octets = 32 bits)

The size of an address in IPv6 is four times larger than an IPv4 address. IPv6 addresses are expressed in hexadecimal, as the following example shows:
2001:DB8::2F3B:2AA:FF:FE28:9C5A

This might seem complex for end users, but the assumption is that users will rely on DNS names to resolve hosts, meaning they rarely will type IPv6 addresses manually. The IPv6 address in hexadecimal also is easier to convert to binary. This simplifies working with subnets and in calculating hosts and networks.

IPv6 Address Types


IPv6 address types are similar to IPv4 address types. The IPv6 address types are:

• Unicast. An IPv6 unicast address is equivalent to an IPv4 unicast address. You can use this address type for one-to-one communication between hosts. Each IPv6 host has multiple unicast addresses. There are three types of unicast addresses:
  o Global unicast addresses. These are equivalent to public IPv4 addresses. They are globally routable and reachable on the IPv6 portion of the Internet.
  o Link-local addresses. Hosts use link-local addresses when communicating with neighboring hosts on the same link. For example, on a single-link IPv6 network with no router, hosts communicate by using link-local addresses. Link-local addresses are local-use unicast addresses with the following properties:
    - IPv6 link-local addresses are equivalent to IPv4 Automatic Private IP Addressing (APIPA) addresses.
    - Link-local addresses always begin with FE80.
  o Unique local unicast addresses. Unique local addresses provide an equivalent to the private IPv4 address space for organizations, without the overlap in address space when organizations combine.
• Multicast. An IPv6 multicast address is equivalent to an IPv4 multicast address. You use this address type for one-to-many communication between computers that you define as using the same multicast address.
• Anycast. An anycast address is an IPv6 unicast address that is assigned to multiple computers. When IPv6 addresses communicate to an anycast address, only the closest host responds. You typically use this address type for locating services or the nearest router.

In IPv4, you typically assign a single host a single unicast address. However, in IPv6, you can assign multiple unicast addresses to each host. To verify communication processes on a network, you must know for what purposes IPv6 uses each of these addresses.

Interface Identifiers

The last 64 bits of an IPv6 address are the interface identifier. This is equivalent to the host ID in an IPv4 address. Each interface on an IPv6 network must have a unique interface identifier. Because the interface identifier is unique to each interface, IPv6 uses interface identifiers rather than MAC addresses to identify hosts uniquely.

For more information, see IPv6 Address Types on the Microsoft TechNet website. http://go.microsoft.com/fwlink/?LinkId=154445&clcid=0x409
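The points made above about IPv6 addresses (hexadecimal groups that map directly to binary, the "::" shorthand for runs of zero groups, the address types recognized by their leading bits, and the last 64 bits being the interface identifier) can all be checked with the standard-library ipaddress module. The following Python is an added example, not course material; the only address taken from the lesson is 2001:DB8::2F3B:2AA:FF:FE28:9C5A, the others are constructed, and the prefix for each address type is the one its well-known leading bits occupy (FE80 for link-local, FF for multicast, FC/FD for unique local, 2000::/3 for global unicast).

```python
import ipaddress

# Address types from the lesson, keyed by the prefix each one occupies.
TYPES = [
    ("link-local unicast",   ipaddress.IPv6Network("fe80::/10")),  # "always begins with FE80"
    ("unique local unicast", ipaddress.IPv6Network("fc00::/7")),   # private-space equivalent
    ("multicast",            ipaddress.IPv6Network("ff00::/8")),
    ("global unicast",       ipaddress.IPv6Network("2000::/3")),   # public-space equivalent
]


def expand(addr: str) -> str:
    """Write out all eight 16-bit groups; '::' stands for the missing zero groups."""
    return ipaddress.IPv6Address(addr).exploded


def compress(addr: str) -> str:
    """The reverse: the shortest canonical form."""
    return ipaddress.IPv6Address(addr).compressed


def to_bits(addr: str) -> str:
    """The 128-bit binary string; every hex digit is exactly four bits, which is
    why hexadecimal is easier to convert than dotted decimal."""
    return format(int(ipaddress.IPv6Address(addr)), "0128b")


def address_type(addr: str) -> str:
    ip = ipaddress.IPv6Address(addr)
    for name, net in TYPES:
        if ip in net:
            return name
    return "other"


def split_address(addr: str):
    """(64-bit prefix, 64-bit interface identifier), each as four hex groups."""
    groups = expand(addr).split(":")
    return ":".join(groups[:4]), ":".join(groups[4:])


if __name__ == "__main__":
    sample = "2001:DB8::2F3B:2AA:FF:FE28:9C5A"   # the lesson's example address
    print(expand(sample))
    print(split_address(sample))
    print(to_bits(sample)[:64], "|", to_bits(sample)[64:])
    for a in (sample, "fe80::215:5dff:fe01:203", "fd00:1::5", "ff02::1"):  # constructed
        print(f"{a:30} {address_type(a)}")
```

Note that the lesson's example sits in 2001:db8::/32, a block set aside for documentation; by leading bits it is formatted as a global unicast address, which is what address_type reports, but it is not routed on the Internet.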

Network Connectivity Using IPv6


The connection process for IPv6 is similar to IPv4 in that names must still be resolved to addresses and MAC addresses must be discovered. However, the underlying protocols and methods used for IPv6 are different.

Neighbor Discovery Protocol

The Neighbor Discovery protocol gathers and maintains information about routes and hosts on the local link. It performs many of the tasks that ARP provides in IPv4, including those described in the following table.

Task: Router discovery
Description: IPv6 hosts can locate default routers on the link automatically by using the following two ICMPv6 messages:
  o Router solicitation. When it is first coming online, an IPv6 host multicasts a router solicitation message.
  o Router advertisement. Each router on the active link that hears the solicitation message will respond with a router advertisement message that contains the address of the router.

Task: Prefix discovery
Description: Router advertisement messages carry IPv6 prefix information that represents which IPv6 prefixes are reachable on the local link. Because multiple prefixes might be available on the same link, a router message might contain multiple prefixes. Once an IPv6 host is aware of which prefixes are reachable on the local link, it can communicate directly with hosts on the local link without going through the router.

Task: Address autoconfiguration
Description: IPv6 hosts can configure themselves with an address automatically based on the prefix learned from router prefix discovery. This allows the host to perform stateless configuration.

Task: Address resolution
Description: Address resolution functions much like router discovery. The ICMPv6 protocol uses two message types:
  o Neighbor solicitation. The sender requests the MAC address of a neighbor node on the local link.
  o Neighbor advertisement. The recipient responds with its MAC address.

Task: Next-hop determination
Description: Next-hop determination is a process for using the local routing table to determine whether to send the packet to a router, or send it on the local link. A routing table is present on each IPv6 host and stores information about network prefixes and whether they can be reached directly or indirectly.

Task: Duplicate address detection
Description: When a host first comes online on the link, it broadcasts neighbor solicitation messages for its own IPv6 address to determine if that address is already in use on the link. If the host receives a response, it will know not to use that address.

The first step in establishing communication is still name resolution, as in IPv4. For example, if an IPv6 host wants to communicate with a host named Server1, it must first resolve that name to an IPv6 address. In DNS, host names are mapped to IPv6 addresses by AAAA resource records. When the DNS server returns the IPv6 address of the host, the prefix of the IPv6 address is used to determine whether the destination host is local or remote. If the destination is on the local link, then the next-hop address is the direct address of the recipient on the local link. If the destination is not on the local link, then the next-hop address of the packet is the router.

For more information, see How IPv6 Works: IPv6 Routing on the Microsoft TechNet website. http://go.microsoft.com/fwlink/?LinkId=378232&clcid=0x409
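To see how the tasks in the table fit together for one packet, here is an added Python simulation (not course material) of a single link with two hosts and a router. The topology, MAC addresses and 2001:db8: prefix are constructed for the example. Neighbor solicitation/advertisement is modeled as a lookup that returns the owner's MAC, duplicate address detection as a solicitation for the host's own tentative address, and next-hop determination as a check of the destination against the link-local range and the prefixes learned from router advertisements, followed by address resolution of whichever next hop was chosen.

```python
import ipaddress
from dataclasses import dataclass

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


@dataclass
class Node:
    name: str
    mac: str            # what this node's neighbor advertisement hands back
    addresses: frozenset  # IPv6Address objects the node owns


class Link:
    """One IPv6 link. Models the Neighbor Discovery tasks from the table above."""

    def __init__(self, nodes, router, prefixes):
        self.nodes = list(nodes)
        self.router = router
        # Prefixes learned from the router's router advertisements (prefix discovery).
        self.onlink = [ipaddress.IPv6Network(p) for p in prefixes]

    def neighbor_solicit(self, target: str):
        """Neighbor solicitation for target; the owner answers with a neighbor
        advertisement carrying its MAC. None if nobody on the link owns it."""
        t = ipaddress.IPv6Address(target)
        for node in self.nodes:
            if t in node.addresses:
                return node.mac
        return None

    def dad(self, tentative: str) -> bool:
        """Duplicate address detection: a tentative address may be used only if
        no neighbor answers a solicitation for it."""
        return self.neighbor_solicit(tentative) is None

    def router_link_local(self) -> str:
        return str(next(a for a in self.router.addresses if a in LINK_LOCAL))

    def next_hop(self, destination: str):
        """Next-hop determination: on-link if the destination is link-local or
        inside an advertised prefix; otherwise the packet goes to the router."""
        d = ipaddress.IPv6Address(destination)
        if d in LINK_LOCAL or any(d in net for net in self.onlink):
            return ("on-link", destination)
        return ("router", self.router_link_local())

    def resolve(self, destination: str):
        """The whole flow: choose the next hop, then resolve its MAC with NS/NA.
        Returns (kind, next-hop address, MAC or None)."""
        kind, hop = self.next_hop(destination)
        return kind, hop, self.neighbor_solicit(hop)


def build_sample_link() -> Link:
    """Constructed topology: two hosts and one router sharing 2001:db8:1::/64."""
    def addrs(*a):
        return frozenset(ipaddress.IPv6Address(x) for x in a)
    pc1 = Node("PC1", "00-15-5d-00-00-11", addrs("fe80::11", "2001:db8:1::11"))
    pc2 = Node("PC2", "00-15-5d-00-00-22", addrs("fe80::22", "2001:db8:1::22"))
    rtr = Node("RTR", "00-15-5d-00-00-01", addrs("fe80::1", "2001:db8:1::1", "2001:db8:2::1"))
    return Link([pc1, pc2, rtr], router=rtr, prefixes=["2001:db8:1::/64"])


if __name__ == "__main__":
    link = build_sample_link()
    print("fe80::22 free?", link.dad("fe80::22"))      # False: PC2 already owns it
    print("fe80::33 free?", link.dad("fe80::33"))      # True
    print(link.resolve("2001:db8:1::22"))               # on-link, PC2's MAC
    print(link.resolve("2001:db8:2::50"))               # via router, RTR's MAC
```

The last two calls make the point in the closing paragraph concrete: for an on-link destination the MAC resolved is the recipient's own, for a remote one it is the router's, and the destination IPv6 address in the packet is unchanged in both cases.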


Lesson 3

Implementing Automatic IP Address Allocation


Lesson Objectives
After completing this lesson, you will be able to:
• Describe the autoconfiguration process for IPv4.
• Describe the autoconfiguration process for IPv6.
• Configure a Windows 8.1 computer to obtain an IPv4 configuration automatically.
• Describe the process with which to troubleshoot and resolve IPv4 autoconfiguration problems.

Windows 8.1 enables both the IPv4 and IPv6 protocols to obtain configuration automatically. This means that you can efficiently deploy IP-based computers that are running Windows 8.1.

Automatic IPv4 Configuration


It is important that you know how to assign static IP addresses manually and be able to support computers that use DHCP to assign IP addresses dynamically.

Static Configuration
You can configure static IPv4 configuration manually for each of your network's computers. When you perform IPv4 configuration, you must configure the:
• IPv4 address
• Subnet mask
• Default gateway
• DNS server

Static configuration requires that you visit each computer and input the IPv4 configuration. This method of computer management is time-consuming if your network has more than 10 to 12 computers. Additionally, making a large number of manual configurations heightens the risk of mistakes.

DHCPv4

DHCPv4 enables you to assign IPv4 configurations automatically to a large number of computers without having to assign each one individually. The DHCP service receives requests for IPv4 configuration from computers that you configure to obtain an IPv4 address automatically. It also assigns IPv4 information from scopes that you define for each of your network's subnets. The DHCP service identifies the subnet from which the request originated and assigns IP configuration from the relevant scope. DHCP helps simplify the IP configuration process, but you must be aware that if you use DHCP to assign IPv4 information and the service is business-critical, you must do the following:

• Include resilience in your DHCP service design so that the failure of a single server does not prevent the service from functioning.
• Configure the scopes on the DHCP server carefully. If you make a mistake, it can affect the whole network, and it can prevent communication.


IPv4 Alternate Configuration

If you use a laptop to connect to multiple networks, such as at work and at home, each network might require a different IP configuration. Windows 8.1 supports the use of APIPA and an alternate static IP address for this scenario.

When you configure Windows 8.1 computers to obtain IPv4 addresses from DHCP, use the Alternate Configuration tab to control the behavior if a DHCP server is not available. By default, Windows 8.1 uses APIPA to assign itself an IP address automatically from the 169.254.0.0 to 169.254.255.255 address range. This enables you to use a DHCP server at work and the APIPA address range at home without reconfiguring IP settings. Additionally, this is useful for troubleshooting DHCP. If the computer has an address from the APIPA range, it is an indication that the computer cannot communicate with a DHCP server.
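The APIPA check described above is the first thing to automate when you triage many clients: read ipconfig /all, find each adapter's address, and flag the ones sitting in 169.254.0.0/16 while DHCP is enabled, reporting the DHCP Server, Lease Obtained and Lease Expires values for the ones that did get a lease. The following Python is an added example, not course material. The ipconfig output it parses is constructed for the example (one adapter with a lease, one that fell back to APIPA) and is not captured from a real machine; the host name LON-CL1 is the lesson's, the addresses and dates are made up.

```python
import ipaddress
import re

APIPA = ipaddress.IPv4Network("169.254.0.0/16")

# Constructed sample of `ipconfig /all` output (not from a real machine).
SAMPLE = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : LON-CL1

Ethernet adapter Ethernet:

   Physical Address. . . . . . . . . : 00-15-5D-01-02-03
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 172.16.16.3(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.240.0
   Lease Obtained. . . . . . . . . . : Monday, June 2, 2014 8:15:02 AM
   Lease Expires . . . . . . . . . . : Tuesday, June 10, 2014 8:15:02 AM
   Default Gateway . . . . . . . . . : 172.16.16.1
   DHCP Server . . . . . . . . . . . : 172.16.0.10

Ethernet adapter Ethernet 2:

   Physical Address. . . . . . . . . : 00-15-5D-01-02-04
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Autoconfiguration IPv4 Address. . : 169.254.37.12(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :
"""

# "   Key . . . . : value" -> key is the text before the run of dots/spaces and the colon.
LINE = re.compile(r"^\s+(?P<key>[A-Za-z][A-Za-z0-9 -]*?)[ .]*:\s?(?P<value>.*)$")


def parse_ipconfig(text: str) -> dict:
    """Returns {section name: {key: value}}; an unindented line starts a new section."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            current = line.rstrip(":")           # e.g. "Ethernet adapter Ethernet"
            sections[current] = {}
            continue
        m = LINE.match(line)
        if m and current is not None:
            value = re.sub(r"\(Preferred\)$", "", m["value"].strip())
            sections[current][m["key"]] = value
    return sections


def diagnose(adapter: dict) -> dict:
    """Classify one adapter's IPv4 state the way the lesson's IPConfig checks do."""
    addr = adapter.get("IPv4 Address") or adapter.get("Autoconfiguration IPv4 Address")
    dhcp = adapter.get("DHCP Enabled") == "Yes"
    result = {"address": addr, "dhcp": dhcp, "apipa": False, "finding": ""}
    if addr is None:
        result["finding"] = "no IPv4 address configured"
    elif ipaddress.IPv4Address(addr) in APIPA:
        result["apipa"] = True
        result["finding"] = ("APIPA address: no DHCP server answered; check the DHCP server "
                             "or relay, then try ipconfig /release and ipconfig /renew"
                             if dhcp else "APIPA address on an adapter not set to use DHCP")
    elif dhcp:
        result["finding"] = (f"lease from DHCP server {adapter.get('DHCP Server', '?')}, "
                             f"obtained {adapter.get('Lease Obtained', '?')}, "
                             f"expires {adapter.get('Lease Expires', '?')}")
    else:
        result["finding"] = "static configuration"
    return result


if __name__ == "__main__":
    for name, fields in parse_ipconfig(SAMPLE).items():
        if name.startswith("Ethernet adapter"):
            print(name, "->", diagnose(fields))
```

On a real client, `ipconfig /all` output can be piped into this parser; the only format-specific assumption is the dotted "Key . . . : value" layout, which is why the key pattern stops before the first run of dots rather than at the first colon (IPv6 addresses and lease times contain colons of their own).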

Automatic IPv6 Configuration


An IPv6 host can proceed through several states as it goes through the autoconfiguration process, and there are several ways to assign an IPv6 address and other configuration settings. Based on how the router is set up, a client might use a stateless configuration with no DHCPv6 service or a stateful configuration with a DHCPv6 server involved, to either assign an IP address and other configuration settings, or just assign other configuration settings. The other configuration settings can include DNS servers and domain names.

Autoconfigured Address States


Autoconfigured addresses are in one or more of the following states:

• Tentative. Verification occurs to determine if the address is unique. Duplicate address detection performs verification by using the Neighbor Discovery protocol. A node cannot receive unicast traffic to a tentative address.
• Valid. The address has been verified as unique and can send and receive unicast traffic.
• Preferred. The address enables a node to send and receive unicast traffic.
• Deprecated. The address is valid but its use is discouraged for new communication.
• Invalid. The address no longer allows a node to send or receive unicast traffic.

Types of Autoconfiguration
Types of autoconfiguration include:
• Stateless. Address configuration is based only on the receipt of router advertisement messages.
• Stateful. Configuration is based on the use of a stateful address configuration protocol, such as DHCPv6, to obtain addresses and other configuration options:
  o A host uses stateful address configuration when it receives instructions to do so in router advertisement messages.
  o A host also uses a stateful address configuration protocol when there are no routers present on the local link.
• Both. Configuration is based on the receipt of router advertisement messages and DHCPv6.

Why Use Stateful Configuration?


By using stateful configuration, organizations can control how IPv6 addresses are assigned by using DHCPv6. If there are any specific scope options that you need to configure, such as the IPv6 addresses of DNS servers, then a DHCPv6 server is necessary.

Communication with DHCP Server

When IPv6 attempts to communicate with a DHCP server, it uses multicast IPv6 addresses to communicate with the DHCP server. This is different from IPv4, which uses broadcast IPv4 addresses. When a host obtains an IPv6 address from a DHCPv6 server, the following occurs:
1. The client sends a solicitation message to locate DHCPv6 servers.
2. The server sends an advertisement message to indicate that it offers IPv6 addresses and configuration options.
3. The client sends a request message to a specific DHCPv6 server to request configuration information.
4. The selected server sends a reply message to the client that contains the address and configuration settings.

When a client requests configuration information only, the following occurs:
1. The client sends an information-request message.
2. A DHCPv6 server sends a reply message to the client with the requested configuration settings.

Note: DHCPv6 is a service that provides stateful autoconfiguration of IPv6 hosts. It can configure IPv6 hosts automatically with an IPv6 address and other configuration information such as DNS servers. This is equivalent to DHCPv4 for IPv4 networks.
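The address states and the stateless/stateful distinction described above are visible on a Windows 8.1 computer through the NetTCPIP cmdlets. The following script is an added example, not part of the course material; it assumes only the Get-NetIPAddress and Get-NetIPInterface cmdlets that ship with Windows 8.1 and later.

```powershell
# Added example (not part of the course material): list every IPv6 address on this computer with its
# duplicate address detection (DAD) state and the autoconfiguration method that produced it.
# Assumes the NetTCPIP module that ships with Windows 8.1 and later.

function Get-IPv6AutoconfigReport {
    [CmdletBinding()]
    param(
        # Optional interface alias such as 'Ethernet'; by default every interface is reported.
        [string]$InterfaceAlias
    )

    $addrParams = @{ AddressFamily = 'IPv6'; ErrorAction = 'SilentlyContinue' }
    if ($InterfaceAlias) { $addrParams['InterfaceAlias'] = $InterfaceAlias }

    foreach ($addr in Get-NetIPAddress @addrParams) {
        # The interface object carries the M (managed) and O (other) flags from the last router
        # advertisement, which is how a router instructs the host to use stateful configuration.
        $iface = Get-NetIPInterface -InterfaceIndex $addr.InterfaceIndex -AddressFamily IPv6

        # PrefixOrigin tells you where the prefix came from: DHCPv6 (stateful) or an RA (stateless).
        $method = switch ("$($addr.PrefixOrigin)") {
            'Dhcp'                { 'Stateful (DHCPv6)' }
            'RouterAdvertisement' { 'Stateless (router advertisement prefix)' }
            'Manual'              { 'Manual' }
            'WellKnown'           { 'Well-known prefix (link-local or loopback)' }
            default               { "Other ($($addr.PrefixOrigin))" }
        }
        # SuffixOrigin tells you how the interface identifier was formed (Link, Random, Dhcp, Manual).
        $method += " / interface ID: $($addr.SuffixOrigin)"

        # Map the address state to what it means for unicast traffic, as described in the lesson.
        $state = "$($addr.AddressState)"
        $note = switch ($state) {
            'Tentative'  { 'DAD in progress; the node cannot receive unicast traffic on this address yet' }
            'Preferred'  { 'Verified unique; usable for new and existing communication' }
            'Deprecated' { 'Still valid, but new communication should not use it' }
            'Duplicate'  { 'DAD failed: another node on the link already uses this address' }
            'Invalid'    { 'Lifetime expired; unicast traffic is no longer allowed' }
            default      { $state }
        }

        [pscustomobject]@{
            Interface         = $addr.InterfaceAlias
            Address           = $addr.IPAddress
            PrefixLength      = $addr.PrefixLength
            State             = $state
            UnicastAllowed    = ($state -in @('Preferred', 'Deprecated'))
            Method            = $method
            DhcpOnInterface   = "$($iface.Dhcp)"
            RaManagedFlag     = $iface.ManagedAddressConfiguration
            RaOtherConfigFlag = $iface.OtherStatefulConfiguration
            PreferredLifetime = $addr.PreferredLifetime
            ValidLifetime     = $addr.ValidLifetime
            Note              = $note
        }
    }
}

# Show addresses that are not (yet, or any longer) usable for unicast traffic first.
Get-IPv6AutoconfigReport |
    Sort-Object UnicastAllowed, Interface |
    Format-Table Interface, Address, State, Method, DhcpOnInterface, RaManagedFlag, Note -AutoSize -Wrap
```

An address that stays in the Tentative state, or shows as Duplicate, points at a DAD problem on the link rather than at the DHCPv6 server.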

Demonstration: Configuring a Windows 8.1 Computer to Obtain an IPv4 Configuration Automatically


This demonstration shows how to configure a Windows 8.1 computer to obtain an IPv4 address automatically.

Demonstration Steps

View the current IPv4 configuration


Sign in to LON-CL1 as administrator, and then verify the current IPv4 configuration.

Reconfigure the IPv4 configuration


1. Open the Ethernet properties, and then view the IPv4 settings for the selected network connection.
2. Modify the connection to obtain an IPv4 configuration automatically.
3. Verify these changes.


Resolving Client-Side IPv4 Autoconfiguration Issues


IPConfig is the primary client-side DHCP troubleshooting tool.

Using IPConfig
If the computer is experiencing connectivity problems, you can use IPConfig to determine the computer's IP address. If the address is in the range 169.254.0.1 to 169.254.255.254, the computer is using an APIPA address. This might indicate a DHCP-related problem. From the client computer, open an elevated command prompt, and then use the IPConfig options in the following table to diagnose the problem.

Note: An elevated command prompt provides a context for running command-line tools and programs with administrative rights. To open an elevated command prompt, right-click the Command Prompt shortcut, and then click Run as administrator, providing administrative credentials if prompted.

Option: /all
Description: This option displays all IP address configuration information. If the computer uses DHCP, verify the DHCP Server option in the output. This indicates the server from which the client is attempting to obtain an address. Also, verify the Lease Obtained and Lease Expires values to determine when the client last obtained an address.

Option: /release
Description: This option forces the client computer to release its IP address. It sometimes is necessary to force the computer to release an IP address.

Option: /renew
Description: This option forces the client computer to renew its DHCP lease. This is useful when you think that the DHCP-related issue is resolved, and you want to obtain a new lease without restarting the computer.

Option: /release6
Description: The IPv6 version of the /release command.

Option: /renew6
Description: The IPv6 version of the /renew command.

Note: You can use the IPConfig /release6 and /renew6 options to perform these same tasks on IPv6-configured computers.
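The APIPA check and the lease details described above can be scripted so that every adapter on a computer is checked at once. The following is an added example, not course material; it relies on the Win32_NetworkAdapterConfiguration WMI class, whose DHCPServer, DHCPLeaseObtained and DHCPLeaseExpires properties are the values that ipconfig /all prints, and whose ReleaseDHCPLease and RenewDHCPLease methods do what ipconfig /release and /renew do.

```powershell
# Added example (not part of the course material): find adapters that have fallen back to an APIPA
# address (169.254.0.1 to 169.254.255.254) or have no IPv4 address at all, show the lease details
# that ipconfig /all shows, and optionally release and renew the lease as ipconfig /release and /renew do.
# Run from an elevated Windows PowerShell prompt; renewing a lease requires administrative rights.

function Test-ApipaFallback {
    [CmdletBinding()]
    param(
        # Attempt a DHCP release and renew on each adapter that is using APIPA or has no address.
        [switch]$Renew
    )

    # Win32_NetworkAdapterConfiguration carries the same fields that ipconfig /all prints.
    $configs = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'

    foreach ($cfg in $configs) {
        # IPAddress mixes IPv4 and IPv6 strings; keep only dotted-decimal IPv4 addresses.
        $ipv4      = @($cfg.IPAddress | Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' })
        $apipa     = @($ipv4 | Where-Object { $_ -like '169.254.*' })
        $noAddress = ($ipv4.Count -eq 0) -or ($ipv4 -contains '0.0.0.0')

        $diagnosis = if (-not $cfg.DHCPEnabled) { 'Static configuration; DHCP not in use' }
                     elseif ($apipa.Count -gt 0) { 'APIPA address in use: no DHCP server answered. Check cabling and the adapter first, then DHCP server reachability' }
                     elseif ($noAddress) { 'DHCP is enabled but no IPv4 address is configured: the client has not completed a lease' }
                     else { "Leased from $($cfg.DHCPServer)" }

        $renewResult = $null
        if ($Renew -and $cfg.DHCPEnabled -and ($apipa.Count -gt 0 -or $noAddress)) {
            # Same sequence as ipconfig /release followed by ipconfig /renew, scoped to this adapter.
            $null  = Invoke-CimMethod -InputObject $cfg -MethodName ReleaseDHCPLease
            $renew = Invoke-CimMethod -InputObject $cfg -MethodName RenewDHCPLease
            # ReturnValue 0 means the request was accepted locally; a server still has to answer it.
            $renewResult = if ($renew.ReturnValue -eq 0) { 'Renew requested' } else { "Renew failed (code $($renew.ReturnValue))" }
        }

        [pscustomobject]@{
            Adapter       = $cfg.Description
            IPv4Address   = ($ipv4 -join ', ')
            DhcpEnabled   = $cfg.DHCPEnabled
            DhcpServer    = $cfg.DHCPServer
            LeaseObtained = $cfg.DHCPLeaseObtained
            LeaseExpires  = $cfg.DHCPLeaseExpires
            UsingApipa    = ($apipa.Count -gt 0)
            Diagnosis     = $diagnosis
            RenewResult   = $renewResult
        }
    }
}

# Report only; add -Renew to attempt a release and renew on adapters that are stuck on APIPA.
Test-ApipaFallback | Format-List
```

Run the report again after the renew: an adapter that still shows UsingApipa has not heard from any DHCP server, which points at the network path or the server rather than at the client.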

The following are some troubleshooting examples.

Problem: The DHCP client does not have an IP address configured or indicates that its IP address is 0.0.0.0.
Solution: Verify that the client computer has a valid and functioning network connection. First, check that related client hardware (cables and network adapters) is working properly at the client end by using basic network and hardware troubleshooting steps. If the client hardware appears to be prepared and functioning properly, check that the DHCP server is available on the network by pinging it from another computer on the same network as the affected DHCP client.

Problem: The DHCP client appears to have assigned itself an IP address automatically that is incorrect for the current network.
Solution: First, use the ping command to test connectivity from the client to the server. To force ping to use IPv6, use the -6 parameter. An example is the command ping -6 Server1.Adatum.com. Your next step is to either verify or manually attempt to renew the client lease. Depending on your network requirements, it might be necessary to disable IP autoconfiguration at the client. You can learn more about IP autoconfiguration and how it works prior to making this decision.

Problem: The DHCP client appears to be missing some network configuration details or is unable to perform related tasks, such as resolving names.
Solution: For DHCP clients, verify that the most commonly used and supported options have been configured at the server, scope, client, or class level of options assignment.

Problem: The DHCP client appears to have incorrect or incomplete options, such as an incorrect or missing router (default gateway), configured for the subnet on which it is located.
Solution: Change the IP address list for the router (default gateway) option at the applicable DHCP scope and server. If you configure the router option as a Server Option at the affected DHCP server, remove it there and set the correct value in the Scope Options node for the applicable DHCP scope that services the client. In rare instances, you might have to configure the DHCP client to use a specialized list of routers that is different from other scope clients. In such cases, you can add a reservation and then configure the router option list specifically for the reserved client.

Problem: Many DHCP clients are unable to get IP addresses from the DHCP server.
Solution: A DHCP server can only service requests for a scope that has a network ID that is the same as the network ID of its IP address. Completing the following steps might correct this problem:
1. Configure a BOOTP/DHCP relay agent on the client subnet, that is, on the same physical network segment. The relay agent can be located on the router itself; on a computer that is running Microsoft Windows NT Server and the DHCP relay agent component; on a computer that is running Windows 2000 Server with the Routing and Remote Access Service enabled and configured as a DHCP relay agent; or on a computer that is running a Windows Server 2003 operating system with the Routing and Remote Access Service enabled and configured as a DHCP relay agent.
2. At the DHCP server, do the following:
   o Configure a scope to match the network address on the other side of the router where the affected clients are located.
   o In the scope, make sure that the subnet mask is correct for the remote subnet.
   o Use a default gateway on the network connection of the DHCP server in such a way that it is not using the same IP address as the router that supports the remote subnet where the clients are located.
   o Do not include this scope, which is the one for the remote subnet, in superscopes configured for use on the same local subnet or segment where the DHCP server resides.
   o Make sure there is only one logical route between the DHCP server and the remote subnet clients.

Problem: Many DHCP clients are unable to get IP addresses from the DHCP server.
Solution: Ensure that you do not configure multiple DHCP servers on the same LAN with overlapping scopes. You might want to rule out the possibility that one of the DHCP servers in question is a computer that is running Small Business Server (SBS). On a computer that is running Windows SBS, the DHCP Server service automatically stops when it detects another DHCP server on the LAN.

Problem: The DHCP client appears to be affected by another problem not described previously.
Solution: Search the Microsoft website for updated technical information that might relate to the problem you observed. If necessary, you can obtain information and instructions that pertain to your current problem or issue.

Test a TCP/IP configuration by using the ping command
http://go.microsoft.com/fwlink/?LinkId=154455&clcid=0x409

Verify, release, or renew a client address lease
http://go.microsoft.com/fwlink/?LinkId=154456&clcid=0x409

Configure TCP/IP for automatic addressing
http://go.microsoft.com/fwlink/?LinkId=154457&clcid=0x409

Disable automatic address configuration
http://go.microsoft.com/fwlink/?LinkId=154458&clcid=0x409

Manage options and classes
http://go.microsoft.com/fwlink/?LinkId=154459&clcid=0x409

Assigning options
http://go.microsoft.com/fwlink/?LinkId=154460&clcid=0x409

DHCP Best Practices
http://go.microsoft.com/fwlink/?LinkId=154465&clcid=0x409

Using superscopes
http://go.microsoft.com/fwlink/?LinkId=154466&clcid=0x409

Configuring scopes
http://go.microsoft.com/fwlink/?LinkId=154467&clcid=0x409


Lab A: Configuring a Network Connection


Scenario

A. Datum Corporation is introducing new laptop computers for some of its managers. You need to test how the IPv4 configuration will behave when the managers are away from the office and a DHCP server is unavailable.

Objectives
After completing this lab, you will be able to:
• Enable automatic IPv4 configuration.
• Configure IPv4 manually.

Lab Setup
Estimated Time: 30 minutes
Virtual machines: 20687C-LON-DC1 and 20687C-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687C-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in by using the following credentials:
   o User name: Adatum\Administrator
   o Password: Pa$$w0rd
5. Repeat steps 2 to 4 for 20687C-LON-CL1.

Exercise 1: Enabling Automatic IPv4 Configuration


Scenario

You need to determine how the Windows 8.1 client operating system currently receives its IPv4 address. You need to provide an automated way for client computers to receive IPv4 configuration. You will configure a Windows 8.1 client to receive IPv4 configuration from a DHCP server and then verify the configuration. The main tasks for this exercise are as follows:
1. Verify the current IPv4 configuration.
2. Configure the computer to obtain an IPv4 address automatically.
3. Verify the new IPv4 configuration.


Task 1: Verify the current IPv4 configuration


1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. Open a Command Prompt window, and then run the command ipconfig /all.
   o What is the current IPv4 address?
   o What is the subnet mask?
   o To which IPv4 network does this host belong?
   o Is DHCP enabled?

Task 2: Configure the computer to obtain an IPv4 address automatically


1. Use Network Connections to view the properties of Ethernet.
2. Modify TCP/IPv4 to:
   o Obtain an IP address automatically.
   o Obtain a DNS server address automatically.

Task 3: Verify the new IPv4 configuration


In the Ethernet Status window, view the Details.
o What is the current IPv4 address?
o What is the subnet mask?
o To which IPv4 network does this host belong?
o Is DHCP enabled?
o When does the DHCP lease expire?

Results: After completing this exercise, you should have configured LON-CL1 to obtain an IPv4 configuration automatically from a DHCP server.

Exercise 2: Configuring IPv4 Manually


Scenario

As the network administrator, you need to test various scenarios for assigning IPv4 addresses to client computers. You will deactivate the current DHCP scope and renew that address on the Windows 8.1 client operating system to see what address is assigned. You will configure an alternate address to be assigned when DHCP is not available. Finally, you will assign a static IPv4 address to the Windows 8.1 client operating system. The main tasks for this exercise are as follows:
1. Deactivate the DHCP scope.
2. Obtain a new IPv4 address.
3. Configure an alternate IPv4 address.
4. Configure a static IPv4 address.


Task 1: Deactivate the DHCP scope


1. Sign in to LON-DC1 as Adatum\Administrator with password Pa$$w0rd.
2. Use the DHCP management console to deactivate the IPv4 scope named A Datum Scope:
   a. In Server Manager, open the DHCP management console.
   b. Deactivate the [172.16.0.0] A Datum Scope.
   c. Close the DHCP window.

Task 2: Obtain a new IPv4 address


Note: This process can take some minutes to complete.
1. On LON-CL1, at the command prompt, run the command ipconfig /release.
2. Run the command ipconfig /renew.
3. Run the command ipconfig /all.
   o What is the current IPv4 address?
   o What is the subnet mask?
   o To which IPv4 network does this host belong?
   o What kind of address is this?

Task 3: Configure an alternate IPv4 address


1. In the TCP/IPv4 properties for Ethernet, use the Alternate Configuration tab to configure the following:
   o IP address: 172.16.16.10
   o Subnet mask: 255.255.0.0
   o Preferred DNS server: 172.16.0.10
   o Do not validate settings
2. At the command prompt, type ipconfig /release, and then press Enter.
3. At the command prompt, type ipconfig /renew, and then press Enter.
4. At the command prompt, type ipconfig /all, and then press Enter:
   o What is the current IPv4 address?
   o What is the subnet mask?
   o To which IPv4 network does this host belong?
   o What kind of address is this?


Task 4: Configure a static IPv4 address


1. In the Ethernet Status window, view the Properties.
2. In the properties for TCP/IPv4 for Ethernet, configure the following:
   o IP address: 172.16.16.10
   o Subnet mask: 255.255.0.0
   o Preferred DNS server: 172.16.0.10

Results: After completing this exercise, you should have tested various scenarios for dynamic IP address assignment and then configured a static IP address.

To prepare for the next lab

When you have finished the lab, leave the virtual machines running, as they are needed for the next lab.


Lesson 4

Implementing Name Resolution

Computers can communicate over a network by using a name in place of an IP address. Name resolution is used to find an IP address that corresponds to a name, such as a host name. This lesson focuses on different types of computer names and the methods to resolve them.

Lesson Objectives
After completing this lesson, you will be able to:
• Describe the types of names used by IPv4 computers.
• Describe the methods for resolving computer names into IP addresses.
• Describe the tools you can use to resolve name resolution issues.

Types of Computer Names


Name resolution is the process of converting computer names to IP addresses. Name resolution is an essential part of computer networking because it is easier for users to remember names than abstract numbers, such as an IPv4 address. The application developer determines which kind of name an application uses. In Windows operating systems, applications can request network services through Winsock, Winsock Kernel, or NetBIOS. If an application requests network services through Windows Sockets or Winsock Kernel, it uses host names. If an application requests services through NetBIOS, it uses a NetBIOS name.

Note: NetBIOS is a session management protocol that was used in older versions of Microsoft server operating systems. Windows 8.1 provides support for NetBIOS.

Host Name

A host name is a user-friendly name that is associated with a host's IP address and identifies it as a TCP/IP host. A host name can be no more than 255 characters in length and may contain only alphanumeric characters, periods, and hyphens. A host name is either an alias or a fully qualified domain name (FQDN). An alias is a single name associated with an IP address. Combining an alias with a domain name creates the FQDN.

The elements of the name include periods as separators. Applications use the structured FQDN on the Internet. An example of an FQDN is payroll.contoso.com.


NetBIOS Name

Applications use the 16-character NetBIOS name to identify a NetBIOS resource on a network. A NetBIOS name represents a single computer or a group of computers. NetBIOS uses the first 15 characters for a specific computer's name and the final sixteenth character to identify a resource or service on that computer. An example of a NetBIOS name is NYC-SVR2[20h].

Windows supports a number of different methods for resolving computer names, such as DNS, WINS, and the host name resolution process.

Methods for Resolving Computer Names


Many current apps, including Internet apps, use Windows Sockets to access network services. Newer apps that are designed for Windows 8.1 use Winsock Kernel. Older applications use NetBIOS.

Name Resolution Process


DNS is the Microsoft standard for resolving host names to IP addresses. Applications also use DNS to do the following:
• Locate domain controllers and global catalog servers. This is used when you log on to Active Directory Domain Services (AD DS).
• Resolve IP addresses to host names. This is useful when a log file contains only a host's IP address.
• Locate a mail server for email delivery. This is used for the delivery of all Internet email.

WINS provides a centralized database for registering dynamic mappings of a network's NetBIOS names. Support is retained for WINS to provide backward compatibility. While you can use WINS, you also can resolve NetBIOS names by using the following:
• Broadcast messages. Broadcast messages do not work well on large networks because routers do not propagate broadcasts.
• Lmhosts file on all computers. Using an Lmhosts file for NetBIOS name resolution is a high-maintenance solution because you must maintain the file manually on all computers.

Host-Name Resolution Process


When an application specifies a host name and uses Windows Sockets, TCP/IP uses the DNS resolver cache, DNS, and Link-Local Multicast Name Resolution when it attempts to resolve the host name. The Hosts file is loaded into the DNS resolver cache. If NetBIOS over TCP/IP is enabled, TCP/IP also uses NetBIOS name resolution methods when resolving single-label, unqualified host names.

Depending on the configuration, Windows 8.1 resolves host names by performing the following actions:
1. Checking whether the host name is the same as the local host name.
2. Searching the DNS resolver cache.
3. Searching the Hosts file.
4. Sending a DNS request to its configured DNS servers.


Windows resolves host names that are single-label, unqualified names by performing the following actions:
1. Converting the host name to a NetBIOS name and checking the local NetBIOS name cache.
2. Sending a NetBIOS name query request to its configured WINS servers.
3. Broadcasting as many as three NetBIOS name query request messages on the directly attached subnet.
4. Searching the Lmhosts file.

Note: Windows 8.1 can use Link-Local Multicast Name Resolution for networks that do not have a DNS server. For example, if a Windows 8.1 computer must resolve a single-label name, it first will try to petition a DNS server. If there is no DNS server or no response from the DNS server, Windows 8.1 will use Link-Local Multicast Name Resolution. If this is unsuccessful, Windows 8.1 will attempt resolution by using the NetBIOS methods explained above.

Note: You can exert control over the precise order used to resolve names. For example, if you disable NetBIOS over TCP/IP, none of the NetBIOS name-resolution methods are attempted.
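The resolution order described in this topic can be traced stage by stage with the DnsClient cmdlets, which lets you see which method actually answers for a given name. The following script is an added example and not part of the course; it assumes Windows 8.1 or later with Resolve-DnsName and Get-DnsClientCache available, and the name 'lon-dc1' is only a sample from the lab environment.

```powershell
# Added example (not part of the course material): walk the host name resolution order described above
# one stage at a time and report which stage, if any, answers. Assumes Windows 8.1 or later with the
# DnsClient module (Resolve-DnsName, Get-DnsClientCache); 'lon-dc1' below is only a sample name.

function Trace-HostNameResolution {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Name)

    $steps = New-Object System.Collections.Generic.List[object]
    function Add-Step($Stage, $Result, $Detail) {
        $steps.Add([pscustomobject]@{ Stage = $Stage; Result = $Result; Detail = $Detail })
    }
    $singleLabel = $Name -notmatch '\.'

    # Stage 1: is the name the local host name?
    $isLocal = $Name.Split('.')[0] -ieq $env:COMPUTERNAME
    Add-Step 'Local host name' $(if ($isLocal) { 'Match' } else { 'No match' }) $env:COMPUTERNAME

    # Stage 2: DNS resolver cache. Hosts file entries are preloaded here, so a hosts hit also shows as a cache hit.
    $cached = @(Get-DnsClientCache -ErrorAction SilentlyContinue |
                Where-Object { $_.Entry -ieq $Name -or $_.Entry -ilike "$Name.*" })
    Add-Step 'DNS resolver cache' $(if ($cached) { 'Hit' } else { 'Miss' }) (($cached | ForEach-Object { $_.Data }) -join ', ')

    # Stage 3: Hosts file, parsed directly (comments start with #, the first field is the address).
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $hostsHits = @(Get-Content $hostsPath -ErrorAction SilentlyContinue | ForEach-Object {
        $fields = @((($_ -split '#')[0]) -split '\s+' | Where-Object { $_ })
        if ($fields.Count -gt 1 -and $fields[1..($fields.Count - 1)] -icontains $Name) { $fields[0] }
    })
    Add-Step 'Hosts file' $(if ($hostsHits) { 'Hit' } else { 'Miss' }) ($hostsHits -join ', ')

    # Stage 4: DNS protocol only, bypassing the hosts file and the LLMNR/NetBIOS fallbacks.
    $dns    = @(Resolve-DnsName -Name $Name -DnsOnly -NoHostsFile -ErrorAction SilentlyContinue)
    $dnsIps = @($dns | Where-Object { $_.IPAddress } | ForEach-Object { $_.IPAddress })
    Add-Step 'DNS servers' $(if ($dnsIps) { 'Answered' } else { 'No answer' }) ($dnsIps -join ', ')

    if ($singleLabel) {
        # Stage 5: LLMNR, which Windows tries for single-label names when DNS does not answer.
        $llmnr    = @(Resolve-DnsName -Name $Name -LlmnrOnly -ErrorAction SilentlyContinue)
        $llmnrIps = @($llmnr | Where-Object { $_.IPAddress } | ForEach-Object { $_.IPAddress })
        Add-Step 'LLMNR' $(if ($llmnrIps) { 'Answered' } else { 'No answer' }) ($llmnrIps -join ', ')

        # Stage 6: NetBIOS methods (name cache, WINS, broadcast, Lmhosts) run only if NetBIOS over TCP/IP
        # is enabled. TcpipNetbiosOptions: 0 = follow the DHCP setting, 1 = enabled, 2 = disabled.
        $nbtAdapters = @(Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
                         Where-Object { $_.TcpipNetbiosOptions -ne 2 })
        if ($nbtAdapters.Count -eq 0) {
            Add-Step 'NetBIOS' 'Skipped' 'NetBIOS over TCP/IP is disabled on every adapter'
        } else {
            $nbt    = @(Resolve-DnsName -Name $Name -NetbiosOnly -ErrorAction SilentlyContinue)
            $nbtIps = @($nbt | Where-Object { $_.IPAddress } | ForEach-Object { $_.IPAddress })
            Add-Step 'NetBIOS (cache, WINS, broadcast, Lmhosts)' $(if ($nbtIps) { 'Answered' } else { 'No answer' }) ($nbtIps -join ', ')
        }
    } else {
        Add-Step 'LLMNR / NetBIOS' 'Skipped' 'Only used for single-label, unqualified names'
    }

    $steps
}

# Sample run against a single-label name; the path taken depends on your own network.
Trace-HostNameResolution -Name 'lon-dc1' | Format-Table -AutoSize -Wrap
```

A name that is answered only by LLMNR or NetBIOS, and not by DNS, is one that any host on the local link can claim; that is the case to investigate when a resolution result looks wrong.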

GlobalNames Zone

GlobalNames Zone is a feature in Windows Server 2008 and newer versions. GlobalNames Zone provides single-label name resolution for large enterprise networks that do not deploy WINS. Some networks might require the ability to resolve static, global records with the single-label names that WINS currently provides. These single-label names refer to well-known and widely used servers with statically assigned IP addresses. A GlobalNames Zone is created manually and is not available for dynamic registration of records. GlobalNames Zone is intended to help your customers migrate to DNS for all name resolution. The DNS Server role in Windows Server 2008 and newer versions supports the GlobalNames Zone feature.

GlobalNames Zone is intended to assist in the migration from WINS. However, it is not a replacement for WINS. GlobalNames Zone is not intended to support the single-label name resolution of records that are registered in WINS dynamically and those that are not managed by IT administrators typically. Support for these dynamically registered records is not scalable, especially for larger customers with multiple domains and forests. The recommended GlobalNames Zone deployment is to use an AD DS-integrated zone, named GlobalNames, which is distributed globally.

Instead of using GlobalNames Zone, you can choose to configure DNS and WINS integration. Do this by configuring the DNS zone properties to perform WINS lookups for NetBIOS-compliant names. The advantage of this approach is that you can configure client computers to only use a single name service (DNS) and still be able to resolve NetBIOS-compliant names.

Understanding DNS Client Settings
http://go.microsoft.com/fwlink/?LinkId=154441&clcid=0x409


Tools Used to Resolve Name Resolution Issues


Windows 8.1 includes a number of tools that you can use to diagnose name-resolution problems, including:
• Event Viewer
• Windows Network Diagnostics
• IPConfig
• Ping
• NSlookup
• Windows PowerShell
• Microsoft Message Analyzer

Event Viewer

Event logs are files that record significant events on a computer, such as when a process encounters an error. IP conflicts will be reflected in the System log and might prevent services from starting. When these events occur, a Windows operating system records the event in an appropriate event log. You can use Event Viewer to read the log. When you troubleshoot errors in Windows 8.1, view the events in the event logs to try to determine the cause of the problem. Event Viewer enables you to access the Application, Security, Setup, and System logs under the Windows Logs node. When you select a log and then select an event, a preview pane under the event list contains details of the specified event. To help diagnose network problems, look for errors or warnings in the System log related to network services.

Windows Network Diagnostics

Use Windows Network Diagnostics to diagnose and correct networking problems. In the event of a Windows 8.1 networking problem, the Diagnose Connection Problems option helps diagnose and repair the problem. A possible description of the problem and a potential remedy are presented. The solution might require manual intervention from the user.

IPConfig

IPConfig displays the current TCP/IP network configuration. Additionally, you can use IPConfig to refresh DHCP and DNS settings as discussed in the previous Windows Network Diagnostics topic. For example, you might need to flush the DNS cache.

Ping

Ping verifies IP-level connectivity to another TCP/IP computer. Ping sends Internet Control Message Protocol (ICMP) echo request messages and displays the receipt of corresponding echo reply messages. Ping is the primary TCP/IP command used to troubleshoot connectivity. Ping is more useful on an internal network because firewalls on the Internet commonly block ICMP requests.

NSlookup

NSlookup displays information that you can use to diagnose a DNS infrastructure. You can use NSlookup to confirm connection to a DNS server and that the required records exist. You can use NSlookup in the following two modes:
• Interactive. To use NSlookup in interactive mode, type NSlookup at the command prompt and press Enter. By default, NSlookup will query against the local DNS server. Interactive mode provides many options for NSlookup, such as setting a specific DNS server to be queried. You can view the available options by typing Help at the interactive command prompt. A common use for NSlookup in interactive mode is to query for a specific type of record. For example, to query for mail exchanger (MX) records from the interactive mode command prompt, you would type set q=mx and press Enter, and then type the name of the domain you are looking for and press Enter again. The query will return only the MX records for that domain.
• Noninteractive. The noninteractive mode is useful for quick lookups of names. For example, to discover the IP address of a computer named Server1 in the Contoso.com domain, you can type the query NSlookup Server1.Contoso.com directly at the command prompt, and the local DNS server will respond with a reply to the query.

Windows PowerShell

You also can use Windows PowerShell cmdlets for configuring and troubleshooting network settings. The following table lists some of these cmdlets and their purposes.

Cmdlet: Clear-DnsClientCache
Purpose: Similar to the IPConfig /flushdns command, this cmdlet clears a client's resolver cache.

Cmdlet: Get-DnsClient
Purpose: Retrieves configuration details specific to the different network interfaces on a specified computer.

Cmdlet: Get-DnsClientCache
Purpose: Similar to the IPConfig /displaydns command, this cmdlet retrieves the contents of the local DNS client cache.

Cmdlet: Get-DnsClientGlobalSetting
Purpose: Retrieves global DNS client settings like the suffix search list.

Cmdlet: Get-DnsClientServerAddress
Purpose: Gets one or more DNS server IP addresses associated with the interfaces on a computer.

Cmdlet: Register-DnsClient
Purpose: Registers all of the IP addresses on a computer onto the configured DNS server.

Cmdlet: Set-DnsClient
Purpose: Sets the interface-specific DNS client configurations on a computer.

Cmdlet: Set-DnsClientGlobalSetting
Purpose: Configures global DNS client settings like the suffix search list.

Cmdlet: Set-DnsClientServerAddress
Purpose: Configures one or more DNS server IP addresses associated with the interfaces on a computer.
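The cmdlets in the table combine into a repeatable check of the DNS client configuration, the kind of check Lab B calls for when a client can reach a server by IP address but cannot resolve its name. The following script is an added example and not part of the course; the expected server 172.16.0.10 and the test name lon-dc1.adatum.com are taken from the lab environment, and the Adatum.com suffix is an assumption based on the other names used in this module.

```powershell
# Added example (not part of the course material): audit the DNS client settings with the cmdlets from the
# table above, as you would in Lab B when a client reaches 172.16.0.10 by address but cannot resolve
# lon-dc1. The expected server list and the test name are parameters; the values shown are the lab's
# (lon-dc1.adatum.com assumes the Adatum.com suffix). Assumes the DnsClient module (Windows 8.1 and later).

function Test-DnsClientConfiguration {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$ExpectedServer,  # e.g. '172.16.0.10'
        [Parameter(Mandatory)][string]$TestName,          # e.g. 'lon-dc1.adatum.com'
        [switch]$Repair   # reset mismatched interfaces to $ExpectedServer, flush the cache, re-register
    )

    # Global settings apply to every interface; the suffix search list decides how single-label names are completed.
    $globalSettings = Get-DnsClientGlobalSetting

    foreach ($client in Get-DnsClient) {
        # Skip interfaces without a usable IPv4 address (loopback, disconnected adapters, IPv6-only tunnels).
        $hasIPv4 = @(Get-NetIPAddress -InterfaceIndex $client.InterfaceIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
                     Where-Object { $_.IPAddress -notlike '127.*' }).Count -gt 0
        if (-not $hasIPv4) { continue }

        $servers = @((Get-DnsClientServerAddress -InterfaceIndex $client.InterfaceIndex -AddressFamily IPv4).ServerAddresses)
        $missing = @($ExpectedServer | Where-Object { $servers -notcontains $_ })
        $extra   = @($servers | Where-Object { $ExpectedServer -notcontains $_ })

        # Ask each configured server directly. A reachable server that does not know the test name shows
        # up as 'no answer' exactly like a stale or mistyped server address does.
        $serverResults = foreach ($s in $servers) {
            $answer = Resolve-DnsName -Name $TestName -Server $s -DnsOnly -QuickTimeout -ErrorAction SilentlyContinue
            $ips = @($answer | Where-Object { $_.IPAddress } | ForEach-Object { $_.IPAddress })
            "$s -> " + $(if ($ips) { $ips -join ', ' } else { 'no answer' })
        }

        $repaired = $false
        if ($Repair -and ($missing.Count -gt 0 -or $extra.Count -gt 0)) {
            Set-DnsClientServerAddress -InterfaceIndex $client.InterfaceIndex -ServerAddresses $ExpectedServer
            $repaired = $true
        }

        [pscustomobject]@{
            Interface        = $client.InterfaceAlias
            ConfiguredDns    = ($servers -join ', ')
            MissingExpected  = ($missing -join ', ')
            Unexpected       = ($extra -join ', ')
            ServerAnswers    = ($serverResults -join '; ')
            SuffixSearchList = ($globalSettings.SuffixSearchList -join ', ')
            ConnectionSuffix = $client.ConnectionSpecificSuffix
            Registers        = $client.RegisterThisConnectionsAddress
            Repaired         = $repaired
        }
    }

    if ($Repair) {
        Clear-DnsClientCache     # like ipconfig /flushdns: drop negative and stale answers
        Register-DnsClient       # like ipconfig /registerdns: re-register this host with the configured server
    }
}

# Lab B values shown; report only. Add -Repair to correct the configuration.
Test-DnsClientConfiguration -ExpectedServer '172.16.0.10' -TestName 'lon-dc1.adatum.com' | Format-List
```

An interface whose Unexpected column lists a server you did not deploy is worth treating as a configuration change to explain, not just to correct.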

Microsoft Message Analyzer

Microsoft Message Analyzer is the replacement for Network Monitor, which Microsoft last released as version 3.4. The Microsoft Message Analyzer provides more capabilities than Network Monitor for determining network issues. It can capture, display, and analyze live network traffic in multiple viewing formats such as grids, charts, and timeline views. It also allows you to import, aggregate, and analyze data from log and trace files. Key capabilities include:
• Integrated event and message capture at different system levels and endpoints
• Parsing and validation of protocol messages and sequences
• Automatic re-assembly of packets and the ability to render the payloads

Microsoft Message Analyzer Operating Guide
http://go.microsoft.com/fwlink/?LinkId=378233&clcid=0x409


Lab B: Resolving Network Connectivity Issues


Scenario

An intern has been unsuccessful in attempts to resolve a network connectivity problem on a Windows 8.1 computer. The changes made to the computer have not been documented. You need to restore network connectivity for the computer.

Objectives
After completing this lab, you will be able to:
• Create a simulated network connectivity problem.
• Resolve a network connectivity problem.

Lab Setup
Estimated Time: 30 to 60 minutes
Virtual machines: 20687C-LON-DC1 and 20687C-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment.

Exercise 1: Creating a Simulated Network Connectivity Problem


Scenario

Windows 8.1 clients are experiencing issues when connecting to network resources. As the network administrator, you must resolve these issues by performing troubleshooting steps to identify and resolve the issues. The main tasks for this exercise are as follows:
1. Verify connectivity to LON-DC1.
2. Simulate the problem.
3. Test connectivity to LON-DC1.
4. Gather information about the problem.

Task 1: Verify connectivity to LON-DC1


On LON-CL1, map the drive letter P to \\LON-DC1\Data.

Task 2: Simulate the problem


1. In the properties of Local Area Connection, disable the IPv6 protocol.
2. Run the file E:\LabFiles\Mod06\Mod6-Script.bat.

Task 3: Test connectivity to LON-DC1


Access drive letter P by using File Explorer. Are you able to access the mapped drive P?


Task 4: Gather information about the problem


Use the techniques and tools from this module to determine the following information:
o What IP address is the computer using?
o What subnet mask is the computer using?
o What network should the computer be on?

Results: After completing this exercise, you should have created a connectivity problem between LON-CL1 and LON-DC1.

Exercise 2: Resolving a Network Connectivity Problem


Scenario

You must use troubleshooting tools and techniques to resolve and test the resolution of the connectivity issue. The main tasks for this exercise are as follows:
1. Resolve the first problem.
2. Test the resolution.
3. Resolve the DNS problem.

Task 1: Resolve the first problem


Use the tools and techniques from this module to resolve the problem.

Task 2: Test the resolution


1. Access drive letter P by using File Explorer. Are you able to access mapped drive P?
2. Open a Command Prompt window, and at the command prompt, run the following commands:
   o ping lon-dc1
   o ping 172.16.0.10
   o ipconfig /all

What DNS servers is the computer using?

Task 3: Resolve the DNS problem


Use the tools and techniques from this module to resolve the problem.

Results: After completing this exercise, you should have resolved the connectivity problem between LON-CL1 and LON-DC1.


To prepare for the next module


When you have finished the lab, revert the virtual machines to their initial state.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687C-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20687C-LON-DC1.


Lesson 5

Implementing Wireless Network Connectivity

An increasing number of devices use wireless connections as the main method for accessing corporate intranets and the Internet. Also, many users have come to expect a wireless infrastructure in a corporate workplace. As a result, a strong knowledge of wireless connectivity is a requirement for today's networking environment. This lesson discusses the various wireless standards and the configuration and support of Windows 8.1 wireless clients.

Lesson Objectives
After completing this lesson, you will be able to:
• Describe wireless network technologies.
• Describe Windows 8.1 support for wireless broadband.
• Explain how to configure wireless network settings.
• Describe considerations for improving wireless signal strength.
• Explain how to resolve wireless network connection issues.

Wireless Network Technologies


Wireless networking uses radio waves to connect wireless devices to other network devices. Wireless networks generally consist of wireless network devices, wireless access points (WAPs), and wireless bridges that conform to 802.11x wireless standards.

Wireless Network Topologies


There are two types of wireless topologies:

• Infrastructure. Infrastructure wireless networks consist of wireless LANs and cellular networks. They require the use of a device like a WAP to allow communication between client wireless devices. Infrastructure wireless networks are managed centrally.
• Ad hoc. Ad hoc networks can connect wireless devices dynamically in a peer-to-peer configuration without the use of any infrastructure devices.

802.11x Wireless Standards

The 802.11 standard has been evolving since 1997. There have been many improvements in transmission speed and security of the 802.11 technology since then. Each new standard is designated by a letter of the alphabet, as described in the following table.

Specification: 802.11a
Description: This is the first extension to the original 802.11 specification. It provides up to 54 megabits per second (Mbps) and operates in the 5 gigahertz (GHz) range. It is not compatible with 802.11b.

Specification: 802.11b
Description: This specification provides 11 Mbps and operates in the 2.4 GHz range.

Specification: 802.11e
Description: This specification defines Quality of Service and multimedia support.

Specification: 802.11g
Description: This specification is used for transmission over short distances at speeds up to 54 Mbps. It is backward-compatible with 802.11b, and operates in the 2.4 GHz range.

Specification: 802.11n
Description: This specification adds multiple-input and multiple-output, thereby providing increased data throughput at speeds up to 100 Mbps. It vastly improves speed over previous specifications, and it supports both the 2.4 GHz and 5 GHz ranges.

Specification: 802.11ac
Description: This specification builds on 802.11n to attain data rates of 433 Mbps. 802.11ac operates only in the 5 GHz frequency range.

Wireless Security

Wireless security has been the biggest consideration for organizations planning a wireless implementation. Because wireless traffic travels across open airwaves, anyone within radio range can capture it, so the wireless security method must both authenticate clients and encrypt the traffic. Several security technologies have been employed to address these concerns, and most Wi-Fi devices support more than one of them. The following table describes the security methods available for wireless networks:

Security method: Description
Wired Equivalent Privacy (WEP): WEP is the oldest form of wireless security. Some devices support different versions: WEP 64-bit key, WEP 128-bit key, and WEP 256-bit key. The security issues surrounding WEP are well-documented (the key can be recovered from captured traffic in minutes, regardless of key length), and WEP should no longer be used unless it is the only alternative.
Wi-Fi Protected Access (WPA): Developed to replace WEP, WPA has two variations:
- WPA-Personal. WPA-Personal was designed for home and small business networks and is easier to implement than WPA-Enterprise. It involves providing a security passphrase, and it uses a technology called Temporal Key Integrity Protocol (TKIP). The passphrase and the network service set identifier (SSID) are used to derive a pre-shared key, from which constantly changing encryption keys are generated for each wireless client. Because everything derives from the passphrase, anyone who captures a client's association handshake can try to guess the passphrase offline, so use a long, random one.
- WPA-Enterprise. WPA-Enterprise is designed for corporate networks. It involves the use of a RADIUS server for authentication (802.1X), so each user or device has individual credentials and no shared passphrase exists to leak.
WPA2: This is an improved version of WPA that has become the Wi-Fi security standard. WPA2 replaces TKIP, which is built on the RC4 cipher, with the Advanced Encryption Standard (AES) in CCMP mode, providing stronger encryption and integrity protection. It is available in the same Personal and Enterprise variations as WPA.

The security methods that are supported by a given wireless device depend on the vendor and the age of the device. All modern wireless devices should support WPA2, and it should be your default choice.


Windows 8.1 Support for Wireless Broadband


Mobile broadband is the term used to describe a wireless wide area network that provides wireless Internet access by using mobile devices from any location where cellular service is available. This ability requires a mobile broadband subscription to a data service from a provider. In previous versions of Windows operating systems, custom drivers were required along with a mobile data card, which might be in the form of a PC Card, USB dongle, or an internal laptop module. Microsoft has worked with broadband providers and hardware vendors to design a new mobile broadband driver that is supported by certified broadband devices and is built into Windows 8 and Windows 8.1, making the broadband connection experience as simple as plugging in a device.

Broadband Management

Most mobile broadband devices used to come with connection management software that had to be installed on the PC and configured by the end user. Depending on the provider, this software could be difficult for an end user to configure, and it sometimes interfered with the Windows internal connection management functions. In Windows 8 and Windows 8.1, you can use the network settings to manage individual Wi-Fi, broadband, or Bluetooth devices and turn them off or on, without installing extra software. Windows 8.1 also supports airplane mode, which disables all radio devices at once. By default, Windows 8.1 gives priority to available preferred Wi-Fi networks over broadband connections. When you are out of range of a preferred Wi-Fi network, the broadband connection is restored automatically. Many data plans have limits on how much data you can use before extra charges apply. To track data usage, each wireless network reports the amount of data that you have used over it. You can reset the counter whenever you choose, so you can track data usage the way you want, for example, monthly or even per session.

Plan Purchase

If you already have a subscription to a data plan with a provider, you just need to plug in your device. If you want to purchase a subscription, you can go to the Network Settings pane, and click Connect next to an advertised provider's icon. This directs you to the provider's website, where you can purchase a data plan. After you purchase the plan, your PC can be provisioned automatically for that provider's network. In the background, the Windows operating system uses an Access Point Name (APN) database to gather the information needed to provision your system for the provider's network.

Broadband Tethering

Windows 8.1 supports broadband tethering for up to 10 devices. Any computer or device can use a broadband-enabled Windows 8.1 device as a wireless hotspot. To set up tethering, you only have to share the network connection from the Network item in Control Panel. Once shared, a network name and password are required. The password must be at least eight characters long; the hotspot is protected with WPA2-Personal, so the passphrase-strength advice from the previous topic applies, and every tethered device consumes data from your plan.


Configuring Wireless Network Settings


The first time you connect to a wireless network, you must provide a Windows operating system with the correct information to make a successful connection. There are a number of ways to connect to existing wireless networks in Windows 8 or Windows 8.1.

Connecting to a Wireless Network from Control Panel


The method of connecting from Control Panel has not significantly changed from Windows 7. To connect to a wireless network from Control Panel, perform the following procedure:
1. In Control Panel, view by icons and open the Network and Sharing Center.
2. In the Network and Sharing Center window, click Set up a new connection or network.
3. In the Set up a Connection or Network window, click Manually connect to a wireless network, and then click Next. This option will only appear if a wireless device is installed.
4. In the Manually connect to a wireless network window, enter the following details:
   a. Network name. The SSID of the wireless network.
   b. Security type. No authentication (Open), WEP, WPA-Personal, WPA-Enterprise, WPA2-Personal, or WPA2-Enterprise.
   c. Encryption type. Temporal Key Integrity Protocol (TKIP) or AES.
   d. Security key. The password configured for the wireless network.
5. You also have the option to Start this connection automatically and Connect even if the network is not broadcasting.

After the initial configuration of the network, you can open the properties to change settings or to further configure the wireless network to:
- Connect automatically when in range.
- Connect to a more preferred network if available.
- Connect even if the network is not broadcasting its name (SSID).

Use the last option with care. A client configured to connect to a non-broadcasting network has to send probe requests for that SSID wherever it is, which both reveals the network name and makes it easier for a rogue access point to impersonate the network.

Connecting to a Wireless Network from the Network Settings Pane


In Windows 8 or Windows 8.1, you can use the Network Settings pane from the Start screen settings to configure wireless network settings by performing the following procedure:
1. Access the Charms bar, and then click Settings.
2. Click the wireless network Available icon. If no wireless networks are in range, the icon will say Unavailable. The Networks pane will appear with a list of available wireless networks.
3. Click the name of the wireless network you want to connect to, and then click Connect.
4. Enter the password for your wireless network.
5. Choose whether you want to share your files with others on the network.

Windows will remember the settings and automatically reconnect when you are in range. If you need to change the configuration, you can right-click the wireless network name in the Network pane and then click View connection properties.
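Whichever way a profile was created, the client keeps it in a saved WLAN profile, and that is where weak settings accumulate. The following script is an added example, not part of the course text or a Microsoft tool: it audits the profiles saved on a Windows 8.1 client against the security methods described earlier in this lesson and deletes any open or WEP profile that is set to reconnect automatically. It assumes a wireless adapter is present, netsh.exe is available, and the session is elevated; the function name and the scratch folder are choices made for this example.

```powershell
# Added example, not part of the course text: audit the Wi-Fi profiles saved on a
# Windows 8.1 client and flag the ones that use open, WEP, or TKIP security.
# Assumptions: a wireless adapter is present, netsh.exe is on the path, and the
# session is elevated. Get-WlanProfileSecurity and $ExportFolder are names chosen here.

function Get-WlanProfileSecurity {
    [CmdletBinding()]
    param(
        # Scratch folder for the exported profile XML; removed again at the end
        [string]$ExportFolder = (Join-Path $env:TEMP 'wlan-audit')
    )

    New-Item -ItemType Directory -Path $ExportFolder -Force | Out-Null

    # Without key=clear the export keeps pre-shared keys encrypted, so this audit
    # writes nothing sensitive to disk.
    netsh wlan export profile folder="$ExportFolder" | Out-Null

    foreach ($file in Get-ChildItem -Path $ExportFolder -Filter '*.xml') {
        [xml]$xml = Get-Content -Path $file.FullName
        $p   = $xml.WLANProfile
        $sec = $p.MSM.security.authEncryption

        # Values as Windows writes them: authentication = open, shared, WPA, WPAPSK,
        # WPA2, WPA2PSK; encryption = none, WEP, TKIP, AES
        $auth = $sec.authentication
        $enc  = $sec.encryption
        $weak = ($auth -in 'open', 'shared') -or ($enc -in 'none', 'WEP', 'TKIP')

        [pscustomobject]@{
            Name           = $p.name
            SSID           = $p.SSIDConfig.SSID.name
            Authentication = $auth
            Encryption     = $enc
            Enterprise     = ($sec.useOneX -eq 'true')
            AutoConnect    = ($p.connectionMode -eq 'auto')
            HiddenNetwork  = ($p.SSIDConfig.nonBroadcast -eq 'true')
            Weak           = $weak
        }
    }

    Remove-Item -Path $ExportFolder -Recurse -Force
}

# Report, weakest profiles first
$report = Get-WlanProfileSecurity | Sort-Object Weak, AutoConnect -Descending
$report | Format-Table Name, Authentication, Encryption, Enterprise, AutoConnect, HiddenNetwork, Weak -AutoSize

# Remove weak profiles that would reconnect on their own, so the client cannot be
# drawn back onto an open or WEP network without the user noticing
foreach ($profile in $report | Where-Object { $_.Weak -and $_.AutoConnect }) {
    Write-Warning "Deleting weak auto-connect profile '$($profile.Name)'"
    netsh wlan delete profile name="$($profile.Name)"
}
```

The HiddenNetwork column is worth reviewing as well: a profile with nonBroadcast set to true makes the client probe for that SSID everywhere, as noted above, so keep such profiles to the networks that genuinely require it.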


Considerations for Improving Wireless Signal Strength


When you design your wireless network, you can take a number of steps to optimize the wireless signal strength in your environment. A poorly designed wireless network will cause frustration and result in multiple help desk calls. By following best practices for wireless networking, you can provide your users with a better wireless experience. The first step is to analyze the requirements for the wireless network. Two major considerations are:
- What is the size and design of the physical area for which you need wireless coverage?
- What channel or frequency does your wireless network operate in?

Considerations for the Physical Environment

The building layout and construction material can significantly affect signal interference. Buildings with a lot of brick or steel construction pose issues with signal availability. When placing WAPs, you should avoid physical obstructions as much as possible. Even objects such as metal cabinets can cause signal blockage. Try to avoid placing WAPs near reflective surfaces. Signals can bounce off mirrors and windows, thereby reducing signal range. Avoid installing WAPs close to electrical equipment such as motors and fluorescent lights. Consider using Wi-Fi repeaters to extend the range of the WAP to provide better coverage.

Considerations for the Wireless Channel and Frequency

Interference can come from other networks. If you are in a small area with many competing wireless networks, such as in a large office building, you might be able to get better performance by changing the Wi-Fi channel. WAPs operate on specific channels and usually come preconfigured for a certain channel. There are non-Microsoft tools available that you can use to analyze your environment and see which channels are the most populated by other wireless networks. Choose the channel with the least traffic for your network. The 2.4 GHz frequency and the 5 GHz frequency support different channels; in the 2.4 GHz band adjacent channels overlap, which is why channels 1, 6, and 11 are the usual non-overlapping choices in most regions. Other considerations to improve your wireless environment include:
- Update your firmware to the latest versions for both WAPs and client network adapters.
- On Windows 8.1, you can set the wireless adapter's Power Saving Mode in the Advanced Power Options to Maximum Performance.
- Consider upgrading the antenna of the WAP, and consider the use of high-gain and omnidirectional antennas to increase signal distance and coverage.
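You do not necessarily need a third-party analyzer for a first channel survey: netsh.exe on any Windows 8.1 client can list every access point in range with its channel and signal level. The script below is an added example, not part of the course text, that parses that listing into objects, summarizes how many networks occupy each channel, and, as a security bonus, flags any access point advertising your SSID with a different security setting than your own WAPs use. It assumes a Windows 8.1 client with a wireless adapter; the sample scan text is constructed for offline testing, and CorpWiFi is an assumed SSID.

```powershell
# Added example, not part of the course text: parse the output of
# "netsh wlan show networks mode=bssid" into objects and summarize how many
# networks occupy each channel, so you can pick a quiet channel for your WAPs
# and spot a foreign access point advertising your SSID with weaker security.
# Assumptions: a Windows 8.1 client with a wireless adapter; the $SampleScan text
# below is constructed for offline testing; CorpWiFi is an assumed SSID.

$SampleScan = @'
SSID 1 : CorpWiFi
    Network type            : Infrastructure
    Authentication          : WPA2-Enterprise
    Encryption              : CCMP
    BSSID 1                 : 00:11:22:33:44:55
         Signal             : 84%
         Radio type         : 802.11n
         Channel            : 6
    BSSID 2                 : 00:11:22:33:44:66
         Signal             : 40%
         Radio type         : 802.11n
         Channel            : 36

SSID 2 : CorpWiFi
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None
    BSSID 1                 : de:ad:be:ef:00:01
         Signal             : 70%
         Radio type         : 802.11g
         Channel            : 6

SSID 3 : Neighbor
    Network type            : Infrastructure
    Authentication          : WPA2-Personal
    Encryption              : CCMP
    BSSID 1                 : aa:bb:cc:dd:ee:ff
         Signal             : 60%
         Radio type         : 802.11g
         Channel            : 1
'@

function ConvertFrom-WlanScan {
    # Turns the netsh text into one object per BSSID (one per access-point radio)
    param([string[]]$Lines)
    $results = New-Object System.Collections.Generic.List[object]
    $ssid = $null; $auth = $null; $ap = $null
    foreach ($line in $Lines) {
        switch -Regex ($line) {
            '^SSID \d+\s*:\s*(.*)$'          { $ssid = $Matches[1].Trim() }
            '^\s*Authentication\s*:\s*(.+)$' { $auth = $Matches[1].Trim() }
            '^\s*BSSID \d+\s*:\s*(.+)$' {
                $ap = [pscustomobject]@{
                    SSID = $ssid; Authentication = $auth; BSSID = $Matches[1].Trim()
                    Signal = 0; RadioType = ''; Channel = 0
                }
                $results.Add($ap)
            }
            '^\s*Signal\s*:\s*(\d+)%'        { $ap.Signal    = [int]$Matches[1] }
            '^\s*Radio type\s*:\s*(.+)$'     { $ap.RadioType = $Matches[1].Trim() }
            '^\s*Channel\s*:\s*(\d+)'        { $ap.Channel   = [int]$Matches[1] }
        }
    }
    $results
}

function Get-WlanChannelSummary {
    # Defaults to a live scan; pass -ScanText to analyze captured output instead
    param([string[]]$ScanText = (netsh wlan show networks mode=bssid))
    ConvertFrom-WlanScan -Lines $ScanText |
        Group-Object Channel |
        ForEach-Object {
            $ch = [int]$_.Name
            [pscustomobject]@{
                Channel   = $ch
                Band      = if ($ch -le 14) { '2.4 GHz' } else { '5 GHz' }
                Networks  = $_.Count
                MaxSignal = ($_.Group | Measure-Object -Property Signal -Maximum).Maximum
                SSIDs     = ($_.Group | ForEach-Object SSID | Sort-Object -Unique) -join ', '
            }
        } | Sort-Object Band, Networks   # quietest channel in each band first
}

# Run against the constructed sample (works without a wireless adapter)
$lines = $SampleScan -split "`r?`n"
Get-WlanChannelSummary -ScanText $lines | Format-Table -AutoSize

# Rogue-AP check: anything advertising our SSID with a security setting other than ours
ConvertFrom-WlanScan -Lines $lines |
    Where-Object { $_.SSID -eq 'CorpWiFi' -and $_.Authentication -ne 'WPA2-Enterprise' } |
    Format-Table SSID, BSSID, Authentication, Channel, Signal -AutoSize

# Live survey on a real client:
# Get-WlanChannelSummary | Format-Table -AutoSize
```

On the sample data the rogue-AP check reports the open "CorpWiFi" on channel 6, which is exactly the kind of access point that a client with "connect automatically" enabled for CorpWiFi would happily join if it offered the stronger signal.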


Resolving Wireless Network Connection Issues


A wireless connection might fail for many reasons. The following table describes some of the common issues, and the methods you can use to resolve these issues.

Issue: Wireless adapters are not enabled on the laptop
Resolution: Laptops that have built-in wireless adapters usually have a physical switch or function key that enables or disables the wireless adapter. Each vendor is different, but make sure that the wireless adapter is enabled.

Issue: Security type or passwords are incorrectly configured
Resolution: Make sure that the wireless password is entered correctly. In smaller wireless networks, this information can be found on the administration page of the wireless router.

Issue: Drivers are corrupted or outdated
Resolution: Make sure that the wireless adapter has the proper drivers. You might have to go to the vendor site to obtain the latest version of the drivers.

Issue: Firmware updates are missing
Resolution: As with drivers, make sure the wireless adapter firmware is current. You might have to go to the vendor site to obtain the latest version.

Issue: Wireless connection settings are incorrectly configured
Resolution: Make sure the correct SSID is configured. Make sure the wireless adapter is configured to use the proper security and encryption protocol, such as WPA or WPA2.

Issue: Hardware issues
Resolution: Make sure that the wireless adapter is supported by the Windows operating system. You can perform this check at the Windows Compatibility Center.

Windows Compatibility Center http://go.microsoft.com/fwlink/?LinkId=378234&clcid=0x409

You also can use the Windows automated troubleshooter in Windows 8.1. Right-click the network icon in the notification area of your taskbar, and then click Troubleshoot problems.


Module Review and Takeaways


Common Issues and Troubleshooting Tips
Common Issue Windows 8.1 host cannot connect to a Microsoft SharePoint 2010 site. Troubleshooting Tip

Windows 8.1 host cannot access the database server.

Windows 8.1 host cannot connect to the Internet.

DNS server is not resolving FQDNs correctly.

Review Questions
Question: After starting her computer, Amy notices that she is unable to access her normal resources. What tool can she use to determine if she has a valid IP address?

Question: When transmitting accounts receivable updates to a billing partner in China, Amy notices that the files are being transmitted slowly. What tool can she use to determine the network path and latency of the network?

Question: Amy notices that she cannot access normal enterprise websites. She knows that she has a valid IP address but wants to troubleshoot the DNS access of her computer. What tool must she use?

Question: What is the IPv6 equivalent of an IPv4 APIPA address?

Question: You are troubleshooting a network-related problem, and you suspect a name-resolution issue. Before conducting tests, you want to purge the DNS resolver cache. How do you do that?

Question: You are troubleshooting a network-related problem. The IP address of the host you are troubleshooting is 169.254.16.17. What is a possible cause of the problem?


Tools
You can use the following tools to troubleshoot network connectivity issues.

Tool: Description
Network and Sharing Center: The Network and Sharing Center informs you about your network and verifies whether your computer can access the Internet successfully. Then, it summarizes this information in the form of a network map.
Netsh.exe: Netsh.exe is a command-line tool that you can use to configure network properties.
Pathping.exe: Pathping.exe is a command-line tool that combines the functionality of Ping and Tracert, which you can use to troubleshoot network latency and provide information about path data.
NSlookup.exe: NSlookup.exe is a command-line tool that you can use to test and troubleshoot DNS and name-resolution issues.
IPConfig.exe: IPConfig.exe is a general IP configuration and troubleshooting tool; for example, ipconfig /all displays the current configuration and ipconfig /flushdns purges the DNS resolver cache.
Ping.exe: Ping.exe is a basic command-line tool that you can use for verifying IP connectivity.
Tracert.exe: Tracert.exe is similar to Pathping, and provides information about network routes.
Windows PowerShell: Windows PowerShell is a command-line shell and scripting language that provides cmdlets to view and configure network settings.
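The review questions above describe a fixed triage order: confirm the address, confirm the gateway, purge the resolver cache and test name resolution, then test the path. The following function is an added example, not part of the course text, that runs that sequence with the Windows 8.1 cmdlets that correspond to ipconfig, ping, nslookup and tracert. It assumes Windows 8.1 or later (Test-NetConnection first shipped there); intranet.adatum.com, the port, and the function name are assumptions made for this example.

```powershell
# Added example, not part of the course text: the triage order behind the review
# questions above (address, gateway, name resolution, path), using the Windows 8.1
# cmdlets that wrap ipconfig, ping, nslookup and tracert. Assumptions: Windows 8.1
# or later (Test-NetConnection first shipped there); intranet.adatum.com and the
# function name are chosen for this example.

function Test-ClientConnectivity {
    param(
        [string]$TargetHost = 'intranet.adatum.com',   # assumed host name
        [int]$Port = 443
    )
    $r = [ordered]@{}

    # 1. Address: anything in 169.254.0.0/16 is APIPA, meaning DHCP never answered
    #    (the IPv6 counterpart is the fe80::/10 link-local address every interface has)
    $ipv4 = @(Get-NetIPAddress -AddressFamily IPv4 |
              Where-Object { $_.InterfaceAlias -notmatch 'Loopback' -and $_.AddressState -eq 'Preferred' })
    $r.IPv4Addresses = $ipv4.IPAddress -join ', '
    $r.APIPAOnly     = ($ipv4.Count -gt 0) -and
                       (@($ipv4 | Where-Object { $_.IPAddress -notlike '169.254.*' }).Count -eq 0)

    # 2. Gateway: no default route or an unreachable gateway means nothing beyond the subnet works
    $gw = (Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
           Select-Object -First 1).NextHop
    $r.Gateway          = $gw
    $r.GatewayReachable = if ($gw) { Test-Connection -ComputerName $gw -Count 1 -Quiet } else { $false }

    # 3. Name resolution: purge the resolver cache first (the equivalent of ipconfig /flushdns)
    #    so a stale or poisoned entry cannot mask the real answer, then ask the DNS server directly
    Clear-DnsClientCache
    try {
        $a = Resolve-DnsName -Name $TargetHost -Type A -DnsOnly -ErrorAction Stop |
             Where-Object { $_.Type -eq 'A' }
        $r.Resolved = $a.IPAddress -join ', '
    } catch {
        $r.Resolved = "FAILED: $($_.Exception.Message)"
    }

    # 4. Path: end-to-end TCP test to the service port; ICMP alone proves little because
    #    many hosts and firewalls drop it
    $tnc = Test-NetConnection -ComputerName $TargetHost -Port $Port -WarningAction SilentlyContinue
    $r.PingSucceeded    = $tnc.PingSucceeded
    $r.TcpTestSucceeded = $tnc.TcpTestSucceeded

    # If the name resolves but the port is closed, show where the path stops (like tracert/pathping)
    if ($r.Resolved -notlike 'FAILED*' -and -not $tnc.TcpTestSucceeded) {
        $trace = Test-NetConnection -ComputerName $TargetHost -TraceRoute -WarningAction SilentlyContinue
        $r.TraceRoute = $trace.TraceRoute -join ' -> '
    }

    [pscustomobject]$r
}

Test-ClientConnectivity | Format-List
```

Reading the output top to bottom mirrors the questions: APIPAOnly true points at DHCP, GatewayReachable false at the local network or the gateway itself, a FAILED Resolved value at DNS, and a resolved name with TcpTestSucceeded false at the path or the service.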


Module 7
Configuring Resource Access for Domain-Joined and Non-Domain Joined Devices
Contents:
Module Overview 7-1
Lesson 1: Configuring Domain Access for Windows 8.1 Devices 7-2
Lesson 2: Configuring Resource Access for Non-Domain Devices 7-8
Lesson 3: Configuring Workplace Join 7-16
Lesson 4: Configuring Work Folders 7-21
Lab: Configuring Resource Access for Non-Domain Joined Devices 7-29
Module Review and Takeaways 7-34

Module Overview

Before you can start working on a computer with the Windows 8.1 operating system, you first must sign in. Signing in to a computer is a mandatory step, and based on your computer membership, you can sign in with a local account, a domain account, or a Microsoft account. In an Active Directory Domain Services (AD DS) environment, you typically would use a domain account exclusively because it has many benefits. But in today's world, users are not restricted to using company-owned computers only. They commonly use their own devices for accessing company data. Windows 8.1 and Windows Server 2012 R2 have several new features such as Workplace Join, Work Folders, and Remote Business Data Removal that are useful in such Bring Your Own Device (BYOD) scenarios. In this module, you will learn about the benefits of domain accounts and Windows 8.1 features that are useful when administrators need to control resource access for non-domain devices. You also will learn how to configure and use Workplace Join and Work Folders.

Objectives
After completing this module, you will be able to:
- Configure domain access for Windows 8.1 devices.
- Configure resource access for non-domain devices.
- Configure the Workplace Join feature in Windows 8.1.
- Configure the Work Folders feature in Windows 8.1.


Lesson 1

Configuring Domain Access for Windows 8.1 Devices

A domain environment offers many advantages over workgroups, but it also has some specific requirements. One of the requirements of a domain environment is that a device must be joined to the domain before you can sign in to the device with a domain account. When you use a domain account, you can access resources such as network shares and printers without entering your credentials again. Single sign-on (SSO) provides you transparent access to domain resources. Windows 8 and newer versions enable you to connect your Windows account with your Microsoft account and transparently access cloud-based services, such as SkyDrive and Outlook.com.

Lesson Objectives
After completing this lesson, you will be able to:
- Compare the features of local accounts and domain accounts.
- Describe the benefits of a domain-based environment.
- Describe the methods for adding a computer to a domain.
- Add a computer to a domain.
- Explain how to use a Microsoft account in Windows 8.1.

Local Accounts vs. Domain Accounts


When you want to sign in, you have to present some form of authentication. You typically sign in by providing a user name and a password, although you can use other forms of authentication, such as a picture password or a smart card. Authentication is the process that confirms your identity and provides you with credentials after the authentication is successful.

Windows 8.1 stores the list of local users in the part of the registry called the Security Accounts Manager (SAM) database. If a Windows 8.1 computer is a member of a workgroup, only local users can sign in. If a Windows 8.1 computer is a member of an AD DS domain, you can sign in either as a local user or as a domain user. The list of domain users is stored in AD DS, and authentication is performed by one of the domain controllers, which is a Windows-based server that has the AD DS role installed. After users authenticate and are allowed to log on locally, their logon session receives an access token (also called a security token) that lists their security identifier and group memberships, and the Start screen or desktop is displayed.

When you sign in as a local user, you are authenticated by the computer to which you sign in. If you sign in as a domain user, you are authenticated by a domain controller, which is trusted by the computer on which you entered your credentials, because the computer is a domain member. If you sign in to a Windows 8.1 computer as a local user and want to access a shared folder on a file server, there is an immediate problem: the server does not trust the credentials you presented to it because you have been authenticated by an unknown or untrusted computer. A file server only trusts its own identity store, its own Security Accounts Manager, or AD DS if the file server is a domain member. Therefore, if you want to access a file server, you must be signed in as a domain user, or the file server must have your user account in its local Security Accounts Manager. If your local user name and password are identical on the file server and the Windows 8.1 computer, the authentication process that occurs is transparent. This type of authentication is called pass-through authentication. If, however, the logon names or passwords do not match, you will be prompted to enter credentials that are valid for the file server that you attempt to access.

The challenges of using local accounts are solved by centralizing the account store and making sure that this store is trusted by all computers. AD DS provides a centralized account store that is trusted by all computers that are domain members. If you sign in with a domain account, you can access other domain computers, without providing your user name and password again, by using SSO. Question: Can you create a domain account on a Windows 8.1 computer?


Benefits of a Domain-Based Environment

A Windows 8.1 computer can be a workgroup member or a member of a domain. If a computer is a workgroup member, you can sign in only by using a local account. In a workgroup, each user must have a local user account on each computer to which he or she needs to gain access. For example, if five users are using five computers in a workgroup, and each user needs access to resources on all five computers, you would need to create 25 user accounts. When a change is made to a user account in a workgroup, such as when a user changes their password, you must make the change to all the accounts for that user on every computer in the workgroup so that the user continues to have access to all necessary resources.

You can set up a workgroup easily, and no server infrastructure is required for that. But when you need to manage more than just a few computers, you should not use a workgroup environment. A domain-based environment has significant advantages. It provides centralized authentication services and management for all domain-joined computers and domain users. If you need to set up a domain-based environment, you must use Windows servers as domain controllers, and you also need additional infrastructure such as Domain Name System (DNS) servers. A domain-based environment provides many benefits when you need to manage more than a few computers and users. The following sections describe some of the benefits that are provided by a domain-based environment.

Better Scalability

Domains are more scalable and can store and use billions of objects, such as domain users and computer accounts. The key component of a Windows-based domain is AD DS. In AD DS, computers, like users and groups, have accounts in the domain and are security principals. This means that computer accounts have security identifiers (SIDs), can belong to groups, and can be given or denied access to resources. All security principal accounts are treated as AD DS objects, and along with other objects are stored in the AD DS database. The database resides on a domain controller. Domains can have any number of domain controllers, and the AD DS database is replicated to all domain controllers in the domain. To provide redundancy and fault tolerance, even the smallest domains should have at least two domain controllers.

Central Administration

An AD DS database is stored on every domain controller. Any domain controller can perform authentication, and you can modify domain objects on any writable domain controller. Consider a scenario where, as an administrator, you connect to a domain controller and modify an AD DS object by creating, modifying, or deleting domain users. You can perform these changes on any domain controller, and the changes to the AD DS database are replicated automatically from the domain controller on which you performed the change to all other domain controllers.

Delegation of Control

In a domain environment, you can control permissions for every object in AD DS. Every AD DS object has associated security settings, and by modifying the security of AD DS objects, you can delegate control in a domain environment. For example, you can allow members of the Help Desk group to reset user account passwords, or allow site administrators to manage only the AD DS objects at their site. You can delegate control at different levels: for the whole domain, for an organizational unit (OU), or for a single computer account, and as narrowly as an individual attribute of an object.

Better Control and Event Logging

A domain environment allows you to be very specific and to control which computers or folders a specific account can access and to log its actions. This is something that cannot be done in a workgroup. SSO enables you to enter credentials only once and then access resources on different domain computers without entering credentials again. Actions that you perform, such as printing a document or reading a document from a file share can be logged on the system where the action happened and then forwarded to a single location.

Managing the Environment by Using Domain-Based GPOs

In a domain environment, you can use domain-based Group Policy Object (GPO) policies and preferences that you can apply to many users and computers at once. You can use a GPO to set any setting that is applicable to a user or computer, such as ensuring that computers get important security updates or that users get mapped drives and printers prepopulated on their devices. Question: How can you enable help desk employees to reset user passwords in a domain environment? Which tool should you use?

Methods Used to Add a Computer to a Domain

When a computer joins a domain, it delegates the task of authenticating users to the domain. When a user logs on to a computer with a domain account, the user is authenticated by a domain controller rather than the local Security Accounts Manager. In other words, the computer now trusts another authority to validate a user's identity. Trust between a domain member computer and its domain is established when you join the computer to the domain. Because all domain member computers trust the domain, they also trust each account that is authenticated by that domain. This allows users with a domain account to access resources on all domain computers with a single account, and by entering their credentials only once, because a domain environment provides the SSO capability. Before you can add a computer to a domain, several conditions must be met:

- A domain must exist before you can add a computer to it. If you add a computer to a workgroup, a new workgroup is created when you add the first computer to it. But before you can add a computer to a domain, the AD DS domain must already exist, and at least one domain controller must be reachable.
- The computer must be able to locate a domain controller. A DNS server is used to locate a domain controller, which means that the computer must have the correct TCP/IP settings and, in particular, must point at a DNS server that hosts the domain's service (SRV) records.
- You must have local administrator permissions on the computer. Only members of the local Administrators group can add a computer to a domain.
- You must have permissions to create a computer account in the domain, or a computer account must already have been created, and you must have permissions to modify that account.

There are several different ways to add a computer to a domain. First, you can create a computer account in a domain, which is called prestaging a computer account, and then add the computer to the domain. Alternatively, you can add a computer to a domain, and a computer account is created automatically during that step. Prestaging a computer account has two benefits. You can control the part of the AD DS domain in which the computer object is created, and you can delegate control of who has permission to join that particular computer to the domain. If you add a computer to a domain and create its account in the same step, all computer accounts are created in the same location in AD DS. By default, new computer accounts are created in the Computers container. Because the Computers container is not an OU, you cannot link Group Policy Objects to it, which is one reason to prestage accounts in an OU or to redirect the default location.

Note: You can change the default AD DS location where new computer accounts are created by using the redircmp.exe command.

As an administrator, you can prestage a computer account by using Active Directory tools such as Active Directory Users and Computers or Active Directory Administrative Center, which are installed on a domain controller by default. You can add a computer to a domain by configuring the computers System Properties dialog box or by using the Windows PowerShell command-line interface. Use the following cmdlet to add a computer to a domain by using Windows PowerShell.
Add-Computer -Credential adatum\administrator -DomainName adatum.com

When you use the Add-Computer cmdlet, you also can specify the AD DS location where the computer account should be created. For example, you could use the following cmdlet.
Add-Computer -Credential adatum\administrator -DomainName adatum.com -OUPath "OU=NewComputerOU,DC=adatum,DC=com"

After you add a computer to the domain, you should restart it. You can restart a computer by using the Restart-Computer cmdlet or the Power options on the Settings charm. Question: Can a local administrator add a Windows 8.1 computer to a domain?
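The prerequisites listed above are the usual reasons a join fails, and each can be checked from the client before you call Add-Computer. The following script is an added example, not part of the course text or a Microsoft procedure: it verifies local administrator rights, that DNS advertises a domain controller for the domain, and that the first advertised controller answers on the Kerberos and LDAP ports, and only then performs the join, optionally against a prestaged account. The names adatum.com, LON-CL2 and NewComputerOU are the course's lab names; the function name and the check order are choices made for this example.

```powershell
# Added example, not part of the course text: check the join prerequisites listed
# above before calling Add-Computer, with an optional prestaged account. The names
# adatum.com, LON-CL2 and NewComputerOU are the course's lab names; the function name
# and the check order are choices made for this example, not a Microsoft procedure.

function Test-DomainJoinPrerequisites {
    [CmdletBinding()]
    param([string]$DomainName = 'adatum.com')
    $ok  = $true
    $srv = $null

    # Local administrator? Only members of the local Administrators group can join.
    $principal = New-Object Security.Principal.WindowsPrincipal(
                     [Security.Principal.WindowsIdentity]::GetCurrent())
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        Write-Warning 'Not running as a local administrator'; $ok = $false
    }

    # Can DNS locate a domain controller? The join relies on the _ldap._tcp.dc._msdcs SRV
    # record, so a client pointed at a public DNS server instead of the domain's fails here.
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
        Write-Verbose "Domain controllers in DNS: $($srv.NameTarget -join ', ')"
    } catch {
        Write-Warning "No domain controller SRV record for $DomainName (check the client's DNS server)"
        $ok = $false
    }

    # Is the first advertised DC reachable on Kerberos (88) and LDAP (389)?
    $dc = $srv | Select-Object -First 1
    if ($dc) {
        foreach ($port in 88, 389) {
            if (-not (Test-NetConnection -ComputerName $dc.NameTarget -Port $port -InformationLevel Quiet)) {
                Write-Warning "$($dc.NameTarget) is not reachable on TCP port $port"; $ok = $false
            }
        }
    }
    $ok
}

# On LON-DC1 (or any computer with the RSAT Active Directory module): prestage the account.
# Pre-creating it fixes the OU and lets you delegate who may join this specific computer.
# Import-Module ActiveDirectory
# New-ADComputer -Name 'LON-CL2' -SamAccountName 'LON-CL2$' -Path 'OU=NewComputerOU,DC=adatum,DC=com' -Enabled $true

# On LON-CL2 (elevated PowerShell): join only when the checks pass. With a prestaged
# account, omit -OUPath; the join binds to the existing object.
if (Test-DomainJoinPrerequisites -DomainName 'adatum.com' -Verbose) {
    $cred = Get-Credential -UserName 'adatum\administrator' -Message 'Account permitted to join LON-CL2'
    Add-Computer -DomainName 'adatum.com' -Credential $cred -Restart
}
```

Prompting for the credential with Get-Credential rather than embedding a password keeps the domain administrator's secret out of the script and out of the PowerShell history; in practice the join should be done with a delegated account that has rights only on the prestaged object, not with the domain administrator.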

Demonstration: Adding a Computer to a Domain


In this demonstration, you will see how you can add a computer to a domain by modifying its system properties and by using Windows PowerShell.

Demonstration Steps Join a computer to a domain by using the UI


1. On LON-DC1, use Active Directory Users and Computers to verify that the LON-CL1 computer account is not present in the Computers container.
2. Sign in to LON-CL1 as Admin with password Pa$$w0rd.
3. Navigate to the System Properties Computer Name tab, and then join LON-CL1 to the Adatum.com domain by using the adatum\administrator credentials.
4. Restart LON-CL1.
5. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
6. On LON-DC1, use Active Directory Users and Computers to verify that the LON-CL1 computer account is created in the Computers container.

Join a computer to a domain by using Windows PowerShell


1. Sign in to LON-CL2 as admin with password Pa$$w0rd.
2. Open Windows PowerShell with Administrator credentials.
3. Type the following command.
Add-Computer -Credential adatum\administrator -DomainName adatum.com -OUPath "OU=NewComputerOU,DC=adatum,DC=com"
4. Restart LON-CL2.
5. Sign in to LON-CL2 as Adatum\Administrator with password Pa$$w0rd.
6. On LON-DC1, use Active Directory Users and Computers to verify that the LON-CL2 computer account is created in the NewComputerOU organizational unit.

Using a Microsoft Account in Windows 8.1


A Microsoft account, known as Windows Live ID or Microsoft Passport in earlier versions, provides you with a unified identity, which you can use for authenticating to Microsoft and other cloud-based services. You can use this account regardless of where you are, or what organization you might be part of. Your Microsoft account is made up of an email address and a password that you use to sign in to different services. You already have a Microsoft account if you sign in to services such as SkyDrive, Xbox LIVE, Outlook.com, or Windows Phone. Even if you already have a Microsoft account, you can sign up for a new one.

Note: All Microsoft account credentials are sent to the Microsoft authentication servers over an HTTPS connection, so they are protected by Secure Sockets Layer (SSL)/TLS in transit.

Windows 8.1 is highly integrated with Microsoft account functionality. You can sign in to Windows 8.1 as a local user or a domain user, but you also can sign in by using a Microsoft account if your computer has Internet connectivity and the account is associated with either a local or a domain account. When you use a Microsoft account, you can synchronize some of the Windows 8.1 settings between devices. You can control these settings in the PC Settings app. To access the PC Settings app, click the Settings charm, and then click Change PC settings at the bottom of the Settings charm. In the PC Settings app, you can set your account picture and desktop background, among other settings. After you set up Windows once, your settings will be synchronized between every computer you sign in to by using your Microsoft account.

When you connect a Microsoft account with your local or domain account, you can access Microsoft cloud services such as SkyDrive, and the Mail and Calendar apps. You can browse the Windows Store even if you do not have a Microsoft account, but to download and install an app from the Windows Store, you must sign up for a Microsoft account.

Note: Your domain account or Group Policy settings might not allow you to connect a Microsoft account or sync some settings. You can disconnect your Microsoft account from your account whenever you want. To do so, click Change PC settings on the Settings charm, click Accounts, and then click Disconnect your Microsoft account.

Signing Up for a Microsoft Account

You also can use your Microsoft account to access Windows Intune, Microsoft Office 365, Windows Azure, and other Microsoft cloud services. You can create a new Microsoft account at Outlook.com, or you can use an address that you already have as your Microsoft account. To sign up for a Microsoft account at the Microsoft account sign-up webpage, perform the following procedure:

1. Go to the Microsoft account sign-up webpage (http://go.microsoft.com/fwlink/?LinkID=291262).
2. To use your own email address for your Microsoft account, enter it. If your email provider supports Post Office Protocol version 3, you can even manage your existing address in Windows Live Hotmail or Outlook.com. If you want to create a Hotmail account, click Sign up now, and then create a new email address for your Microsoft account.
3. Provide the rest of the information, and then read the Microsoft service agreement and the privacy statement. If you agree to the terms, click I accept.
4. If you used an existing email address to sign up, you will need to verify it to prove that it is yours.

Question: Can you sign in to a Windows 8.1 computer by using a Microsoft account if the computer does not have Internet connectivity?


Lesson 2

Configuring Resource Access for Non-Domain Devices

Domain-joined devices trust an AD DS domain. You can sign in to such devices by using domain credentials, and you can access domain resources without entering your credentials again. Non-domain devices are not trusted by domain controllers, and you do not have SSO benefits when you want to access domain resources from such devices. The Open Mobile Device Management protocol enables you to enroll and manage Windows 8.1 devices regardless of their domain membership. Because Windows 8.1 mobile devices can have different form factors and are not necessarily domain-joined, it is important to ensure that locally stored data is secure and that you can remotely wipe company data if the device is lost or stolen. Workplace Join is one of the new Windows 8.1 features that provide this capability, but you can manage non-domain Windows 8.1 devices also by using Windows Intune or Microsoft System Center 2012 R2 Configuration Manager.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe the challenges of managing non-domain joined devices.
• Explain how to manage data and settings on non-domain joined devices.
• Describe the features of Open Mobile Alliance device management.
• Describe the security features for non-domain joined devices.
• Explain the purpose of the Remote Business Data Removal feature.
• Describe how to manage non-domain joined devices by using Windows Intune and Configuration Manager.

Challenges of Managing Non-Domain Joined Devices


In the past, users could use only computers that were connected to a company's LAN to access company data. But with the evolution of mobile technology and changing business demands, users today expect to be able to work at any location and have access to all their work resources. Wireless access is available almost everywhere, and traditional desktops and laptop computers often are replaced with new types of devices, such as convertible laptops, tablets, and smart phones. Users often use their own devices to access company data; bring your own device (BYOD) scenarios are common, and users expect to use company apps and data on those devices. Having local copies of company data on user devices is a challenge for an Information Technology (IT) department, because care must be taken that the data, and access to it, complies with company policy.

All these changes and the rapid adoption of new types of devices are changing the standards-based approach to managing a company's infrastructure. When a device is domain-joined, a company can control it because the device has an account in AD DS. Authentication is performed by a domain controller, company policies can be enforced by Group Policy, and products such as Configuration Manager can be used for collecting device inventories and managing devices. When a device is not domain-joined, the company has limited or no control over it, because authentication is performed locally and the domain has no knowledge of who is using the device. Domain accounts cannot sign in to such a device and cannot be used for managing it or deploying apps. You also cannot apply domain Group Policy to devices that are not domain-joined.

Question: Your company uses a client/server-based accounting app that cannot be installed on the third-party operating system that is running on a user's device. How can the user still use the company accounting app from his device?


Managing Data and Settings on Non-Domain Joined Devices


With the consumerization of IT, people often use their own devices for accessing company resources. Such BYOD initiatives often are encouraged by a company. Windows 8.1 and Windows Server 2012 R2 include several features that make using devices that are not company-owned easier and more secure. These features include:

Windows To Go. Windows To Go is a Windows 8.1 Enterprise feature that enables you to install Windows 8.1 on USB flash media and start a device from that media. You can customize and domain-join Windows To Go to provide the same environment as when Windows 8.1 is installed locally. You can start your device with Windows To Go and work from a company-approved environment while personal data on the device remains intact.

Virtual Desktop Infrastructure (VDI). VDI is implemented in the Windows Server 2012 R2 Remote Desktop Services role. VDI hosts multiple virtual desktops, which can be Windows 8.1 virtual machines, to which you can connect from any device and have an experience similar to using a local installation of Windows 8.1. You can use company apps and access company data from a virtual desktop, but you must have network connectivity from your device to a virtual desktop.

Workplace Join. Traditionally, devices either could be joined to a domain or be a workgroup member. You could access company resources from domain-joined devices, but you could not access them from a workgroup device without entering domain credentials. Workplace Join was introduced in Windows 8.1 and requires that a domain has at least one Windows Server 2012 R2 member server. When you join a device to a workplace, you get a certificate to access company resources, such as internal websites and business apps. An IT administrator also can enable apps and services on your device for Workplace Join.

Open MDM protocol. You can use this protocol to manage mobile devices after they are enrolled into the management system. Microsoft implemented Open MDM support in Windows 8.1, and you can use it for managing tablets and other BYOD devices with third-party mobile device management products. The Open MDM protocol supports capabilities such as inventory collection, settings management, application management, certificate provisioning, Wi-Fi, virtual private network (VPN) profile management, and data protection.

Web Application Proxy. You can use Web Application Proxy for publishing web applications from a company network to an external network. This enables users who are connected to an external network to access and use a company's web applications from any device. Web Application Proxy also enables Workplace Join for devices that are not connected to a company network.

Work Folders. You can use Work Folders to synchronize data from a company's Windows Server 2012 R2 file server to your device. Work Folders functionality is similar to Offline Files, which means that you can access and modify Work Folders content without network connectivity, and changes will synchronize back when network connectivity is restored. You can access Work Folders from an external network if Web Application Proxy is implemented, and domain membership is not required; the device can be enabled for Workplace Join instead.

Remote Business Data Removal. In a BYOD scenario, users access company data from devices that also contain their personal data. One of the Remote Business Data Removal features is to treat company data differently than personal data. An administrator can configure company data to be encrypted on a device, and if a user leaves the company, company data stored on the device automatically becomes inaccessible or is removed completely, while personal data is left intact.

Question: How does the Remote Business Data Removal feature enable you to comply with a company security policy?

Overview of Open Mobile Alliance Device Management


The Device Management Working Group is part of the Open Mobile Alliance (OMA), and it specifies the protocols and mechanisms for managing mobile devices, service access, and software on various devices. The OMA has developed a client/server protocol that you can use to deliver configuration and management commands from a device management server to the devices that it manages. Before you can manage a device, you first must enroll it in the management system. A device presents its features to a management server as a hierarchical device management tree named the DM Tree, and managing a device feature consists of managing the corresponding part of the DM Tree.

Microsoft is a member of the OMA, and it has implemented the Open MDM protocol in Windows 8.1. Open MDM is a client/server protocol that you can use to manage mobile devices that are already enrolled in a management service. It does not require a domain environment, but you first must assign the device to the management server, and the device must trust the management server before the device can be managed. Open MDM uses the HTTPS protocol between the server and the managed devices, which means that a public key infrastructure (PKI) must be in place. Features that can be managed by Open MDM depend on the implementation and on the device features. Open MDM supports the following features:

• Inventory collection
• Settings management
• Application management
• Certificate provisioning
• Wi-Fi and VPN profile management
• Data protection

The Windows 8.1 Workplace Join feature is implemented by using the Open MDM protocol. You also can manage Windows 8.1 devices by using mobile device management products such as MobileIron or AirWatch. For more information, see the OMA device management working group website.

Device Management
http://go.microsoft.com/fwlink/?LinkId=378235&clcid=0x409

[MS-MDM]: Mobile Device Management Protocol
http://go.microsoft.com/fwlink/?LinkId=378236&clcid=0x409

Question: Which Windows 8.1 feature is based on the Open MDM protocol? How can you benefit from the Open MDM implementation in Windows 8.1?

Security Features for Non-Domain Joined Devices


Windows 8.1 includes various security features that you can use in a domain or non-domain environment. Some security features are new or improved in Windows 8.1 and can be especially beneficial on non-domain joined devices. These security features include:

Mandatory sign-in. Before users can start working on a Windows 8.1 device, they first must sign in. Sign-in is mandatory, and by signing in, users prove their identity. Based on the sign-in, users get different permissions and access to data. You can sign in to Windows 8.1 by using a local account, a Microsoft account, or a domain account.

Biometrics. You can authenticate users in all Windows 8.1 editions by using biometrics such as a fingerprint. You also can use biometric authentication when you are signed in already, such as when you want to establish a remote access connection, authenticate in a User Account Control dialog box, or access Windows Store apps, their features, a certificate release, and more.

Pervasive device encryption. By default, Windows RT and Windows 8 encrypt all locally stored data on a device. A similar feature is included in all Windows 8.1 editions, and it can be further enhanced with additional BitLocker Drive Encryption protection in the Pro and Enterprise editions. Windows 8.1 supports Encrypted Hard Drives, which are hard drives that are self-encrypting at a hardware level and perform full disk hardware encryption.

Malware resistance. Windows 8.1 includes Windows Defender, which is an antivirus and antimalware solution. Windows Defender scans for signatures of known malicious software (malware), but it also includes network behavior monitoring, which detects unusual and suspicious behavior and stops the execution of unknown malware. Internet Explorer 11 uses Windows Defender to scan downloaded content (for example, ActiveX controls) before potentially harmful content is run.

Assigned access. Assigned access is included in all Windows 8.1 editions and in Windows RT 8.1. By configuring assigned access, you can enable a single Windows Store app experience on a device. Such a restricted and locked-down environment was previously known as kiosk mode, and you can use assigned access to limit a user account to a single app that you select. You can sign out of assigned access by quickly pressing the Windows logo key five times. You can use assigned access only with standard user accounts.

Remote Business Data Removal. When you access company data from Windows 8.1 and a local copy of the data is stored on a device, you can configure such data as company data, encrypt it, and then remotely wipe it if the device is lost or stolen. The Remote Business Data Removal feature can remove the local copy of company data while user data on the device remains intact. Work Folders support this feature, and you can implement it in other client apps. If you want to wipe data remotely or make it inaccessible, the device must be managed by Windows Intune, Configuration Manager, or a similar product.

Internet Explorer 11. Internet Explorer 11 is included in Windows 8.1, and it provides many improvements, such as faster webpage loads, side-by-side browsing, enhanced pinned site notifications, and synchronization of app settings such as favorites and tabs across all your Windows 8.1 devices. Internet Explorer 11 also uses an antimalware app on your device to scan downloaded content before it is run.
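Configuring assigned access, as an added example that is not part of the course: the script resolves the Application User Model ID of a Windows Store app, checks that the target account is a standard user (assigned access refuses administrators), applies the lockdown with the AssignedAccess module that ships with Windows 8.1, and reads the result back. The account name kiosk and the choice of the Reader app are assumptions for illustration, as are the two helper function names.

```powershell
# Added example (not course material): lock a standard user account to one
# Windows Store app with assigned access, then verify the configuration.
# Assumptions: a local standard user named "kiosk" exists and has signed in
# at least once (so the app is provisioned for that user); the Reader app
# package (Microsoft.Reader) is installed. Both are illustrative choices.
Import-Module AssignedAccess

function Get-AppUserModelId {
    param([string]$PackageName)
    # The AUMID is <PackageFamilyName>!<Application Id>; the Application Id
    # comes from the package manifest rather than being guessed.
    $pkg = Get-AppxPackage -Name $PackageName | Select-Object -First 1
    if (-not $pkg) { throw "Package $PackageName is not installed for this user" }
    $manifest = Get-AppxPackageManifest -Package $pkg.PackageFullName
    $appId = @($manifest.Package.Applications.Application)[0].Id
    "$($pkg.PackageFamilyName)!$appId"
}

function Test-IsStandardUser {
    param([string]$UserName)
    # Assigned access works only for standard users, so refuse any account
    # that is a member of the local Administrators group.
    $group   = [ADSI]"WinNT://./Administrators,group"
    $members = $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
    $members -notcontains $UserName
}

$kioskUser = 'kiosk'
if (-not (Test-IsStandardUser -UserName $kioskUser)) {
    throw "$kioskUser is an administrator; assigned access requires a standard user"
}

$aumid = Get-AppUserModelId -PackageName 'Microsoft.Reader'
Set-AssignedAccess -UserName $kioskUser -AppUserModelId $aumid

# Read the lockdown back: shows the user name, SID, and the AUMID now enforced.
Get-AssignedAccess

# To remove the lockdown later:
#   Clear-AssignedAccess
```

Run the script in an elevated session from an administrator account, not from the kiosk account itself. Reading the configuration back with Get-AssignedAccess is the check worth keeping in any deployment script, because Set-AssignedAccess silently binds the AUMID as given and a mistyped package family name only shows up when the kiosk user signs in and gets an empty screen.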

Remote Business Data Removal


The Remote Business Data Removal feature enables you to selectively wipe data on a device without user interaction. In the past, you could wipe all the data on a managed device and set it into its initial state. Windows 8.1 can differentiate between company and personal data and can prevent access to company data or wipe it on a device while personal data is left intact. If you want to benefit from the feature, local apps on a Windows 8.1 device must support the Remote Business Data Removal feature, and the device must be managed by Windows Intune or Configuration Manager.

Windows 8.1 includes Work Folders, which can be used with the Remote Business Data Removal feature. When you use Work Folders, a local copy of the files is stored on the device, and you can configure device policies to protect the local copy of the files by encrypting them and to require a password on the device. But in BYOD scenarios, devices can use different form factors, and with an increase in device mobility, devices can sometimes be lost or stolen. You typically want to remove company data from such devices, and from all other user devices if a user leaves the company.

Note: The Work Folders feature only can store company data safely on a user device by encrypting it, but it cannot wipe the company data remotely.

If a user device is lost or stolen, the user can initiate a remote wipe for his or her device from Windows Intune Company Portal if the device is managed by Windows Intune. An administrator can initiate a remote wipe for any managed device from the Windows Intune Administrator Console or from the Configuration Manager console. For more information, refer to:

Protecting Corporate Data on Mobile Devices by using Configuration Manager and Windows Intune http://go.microsoft.com/fwlink/?LinkId=378237&clcid=0x409


For more information about data removal by using Windows Intune, see the following webpage on the Windows Intune Help website.

What Happens if You Remove or Reset a Device Using the Company Portal
http://go.microsoft.com/fwlink/?LinkId=378238&clcid=0x409

Question: Can you use Remote Business Data Removal to wipe company data selectively and remotely from a lost Windows 8 device that is managed by Windows Intune?

Managing Non-Domain Joined Devices by Using Windows Intune and Configuration Manager
In a domain environment, you can manage computers centrally by using Group Policies. Managing non-domain joined computers and devices is challenging because they are not listed in AD DS and domain settings do not apply to them. You can manage non-domain joined devices by using different solutions, including Windows Intune and Configuration Manager.

Windows Intune

Windows Intune is a cloud-based system for securing, managing, and monitoring devices that are running Windows and operating systems that are not based on Windows. You can use Windows Intune to manage domain-joined devices and devices that are not domain members. This makes Windows Intune well suited to:

• Manage devices in remote locations that are not part of the domain.
• Manage devices that are out of the office for extended periods of time.
• Manage devices that are purchased by users but used to access company resources.

Windows Intune does not require any on-premises infrastructure to manage supported devices and only requires Internet connectivity. After you configure a device to be managed by Windows Intune, the device's account is created in Windows Intune, and you can then manage that device centrally.

Benefits of Windows Intune


Windows Intune provides several benefits, including:

Updates. Windows Intune ensures that updates are installed on client computers. All updates through Windows Update are available with Windows Intune, and you also can deploy other, non-Microsoft updates by using Windows Intune. You can control which updates are approved for installation on specific computers. You can approve updates manually or create automatic approval rules. These rules approve updates automatically when they become available, based on the product that they update and the update classification. You also can review updates that clients require and generate update reports.

Endpoint Protection. Windows Intune includes Windows Intune Endpoint Protection, which provides real-time protection against malware such as viruses and spyware. Endpoint Protection also can scan files and running programs periodically to mitigate detected threats and provide you with notifications. Endpoint Protection replaces Windows Defender, which is included in Windows 8.1 by default, but does not provide central management.


Software deployment. You can use Windows Intune for deploying software on Windows devices and devices that are not based on Windows. You can add software by uploading it to Windows Intune, configuring its properties, and then deploying it to target devices or user groups.

Monitoring and alerting. Windows Intune can monitor client computers and raise an alert when certain criteria are met, such as when an event log is full, free disk space is low, or a Microsoft Office app is using a large amount of memory. Alerts display in the Windows Intune administrator console, and you also can configure them to be sent to a specified email recipient.

Reporting. Windows Intune provides several reports, such as detected software on client computers, client computer inventory, and update reports on a company's use of licenses. You can generate and view reports based on a set of report criteria, such as update classification, update status, device group, or available disk space.

For more information, refer to:

Enable users to work anywhere on the device of their choice
http://go.microsoft.com/fwlink/?LinkId=378239&clcid=0x409

System Center 2012 R2 Configuration Manager

Configuration Manager is an on-premises solution for managing computers and devices. You can use it to manage domain-joined devices and devices that are not domain members. Configuration Manager includes the Windows Intune connector, which enables you to manage Windows Intune clients in the Configuration Manager console to provide an integrated solution.

Benefits of System Center 2012 R2 Configuration Manager

Configuration Manager provides many benefits, including:

Deploy applications. You can target applications to users rather than devices, and Configuration Manager determines the best way to deliver that application to the user from a specific device, whether the device is mobile, a remote desktop, or a PC. You can track and monitor application deployment.

Manage Endpoint Protection. Managing Microsoft System Center 2012 R2 Endpoint Protection from within Configuration Manager allows you to use a single console to manage PCs and devices.

Deploy software updates. Configuration Manager uses the basic infrastructure of Windows Server Update Services (WSUS) to provide software updates. Without Configuration Manager, WSUS is limited to distributing software updates from Microsoft. Configuration Manager extends the capabilities of WSUS to include third-party product updates.

Inventory hardware and software. Configuration Manager includes hardware and software inventory capabilities. You can use the inventory to identify which PCs in your organization are capable of running specific software or operating systems.

Track license compliance for software. You can use the Asset Intelligence and software metering features in Configuration Manager to track license compliance. In Asset Intelligence, you import licensing information and correlate it with the software inventory. Software metering tracks when applications are used.

For more information, see System Center 2012 R2 on the Microsoft website.

System Center 2012 R2 Configuration Manager
http://go.microsoft.com/fwlink/?LinkId=378240&clcid=0x409


Question: What must you first do before you can manage a Windows 8.1 device by using Windows Intune?


Lesson 3

Configuring Workplace Join

When a device is domain-joined, you can access company resources without entering credentials each time. You can get a similar experience from a device that is enabled for Workplace Join, but without requiring that it is a domain member. Workplace Join provides an SSO experience when accessing internal company websites and company apps. Users with domain accounts can implement Workplace Join on their devices if their company has the appropriate infrastructure in place.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe the purpose and benefits of the Workplace Join feature.
• Describe the scenarios for using Workplace Join.
• Describe the components of the Workplace Join feature.
• Explain how to register and enroll devices.
• Enroll devices to the Workplace Join feature.

Overview of Workplace Join

Traditionally, if users want to access data transparently from their devices, the devices must be joined to the domain. If the devices are not domain-joined, users can use them to access company data, but they have to enter their domain credentials each time they want to access company resources. Windows 8.1 introduces the Workplace Join feature, which enables users to access internal company websites and company apps from devices that are enabled for Workplace Join, without entering user credentials each time. Workplace Join also enables administrators to have some control over the devices, such as controlling the web apps that users can access from devices that are enabled for Workplace Join.

The Workplace Join feature is especially useful when users use their own devices to access company data. Many organizations implement BYOD scenarios. If you enable Workplace Join, you can register and enroll your devices in the company network. After you enroll a device, the device is associated with your user account in the company directory, the device object is created in AD DS, and the user certificate is installed on the device. The device object in AD DS establishes a link between the user and the device. Further communication with company resources that support claims-based authentication from a device enabled for Workplace Join includes information about both the device and the user. When an app is configured properly, you do not need to enter credentials again. After the device is enabled for Workplace Join, it is used as a second form of authentication. If multiple users use the same device, each user can enable the device for Workplace Join independently.

Administrators can configure apps that users can access from a device enabled for Workplace Join without entering credentials, and they can then ensure that company policies and security apply to those devices by configuring a device policy. You should be aware that company Group Policy applies only to domain-joined devices and not to devices enabled for Workplace Join. If a device enabled for Workplace Join is compromised or a device owner leaves the company, an administrator can remove the device object from the domain, and by doing so, the administrator revokes the device's ability to access domain resources. For more information, see the following webpage on the Microsoft TechNet website.

Overview: Join to Workplace from Any Device for SSO and Seamless Second Factor Authentication Across Company Applications
http://go.microsoft.com/fwlink/?LinkId=378241&clcid=0x409

Question: What is the difference in accessing company resources from domain-joined devices and devices that are enabled for Workplace Join?

Scenarios for Using Workplace Join

Employees use different devices for accessing company data. Many devices are company-owned, and those devices usually are domain-joined. Users also might access company data by using their own devices from inside the company network and over the Internet. The company's IT department can closely monitor and manage domain-joined PCs, but non-domain joined devices can be an issue. Users typically use these devices not only for accessing virtual desktops, but also for running company apps and accessing other company resources. Such environments, which adopt the BYOD scenario, are particularly suitable for the Workplace Join feature. Users can access company resources from devices enabled for Workplace Join with SSO, and administrators can control access to resources and the compliance of local copies of company data on such devices, even though the device is not domain-joined.

A device that is enabled for the Workplace Join feature is used as a second authentication factor when accessing claims-based company apps. For such apps, administrators can control not only who can access them, but also from which devices they can be accessed, and whether they can be accessed only from the company network or also from the Internet. Devices enabled for Workplace Join trust the company certification authority (CA), which makes it easier to configure them for additional features, such as Work Folders.

Question: Can you enable the Workplace Join feature for a Windows 8 tablet?


Workplace Join Components


Workplace Join enables users to access company resources from their own devices by using SSO and without adding devices to the domain. Workplace Join is a simple process, and any user can perform it, but you first must configure a company's infrastructure to allow Workplace Join. There are several prerequisites that must be in place before you can enable Workplace Join on your devices:

AD DS environment. Workplace Join requires that you implement a domain environment. At least one domain controller must be running Windows Server 2012 or a newer operating system, and the schema must be extended to the Windows Server 2012 R2 level.

PKI. The Workplace Join feature requires that PKI is deployed and properly configured. Devices must trust the CA, which is true by default for domain-joined devices, but requires manual configuration on non-domain joined devices. Certificates must include information on where the list of revoked certificates is available, such as the CRL distribution point (CDP), and where up-to-date certificates for the CA are available, such as authority information access (AIA). Devices must be able to access the certificate revocation list (CRL), delta CRL, and AIA before they can use Workplace Join.

Note: Delta CRL is published in a file, which includes the Plus Sign character (+) in its name by default. Internet Information Services (IIS) Web server does not allow access to files with special characters in their names by default, and you must enable double escaping to allow it. You can verify that CRL, delta CRL, and AIA can be accessed by running Pkiview.msc on the server where Active Directory Certificate Services (AD CS) is installed.

Active Directory Federation Services (AD FS). A company must set up AD FS before users can use the Workplace Join feature on their devices. AD FS must be configured with an SSL certificate from a trusted CA, and the SSL certificate must have properly configured Subject Name and Subject Alternative Name attributes.

Device Registration Service. Device Registration Service registers a device in AD DS when you perform Workplace Join. It also provides the certificate to users who enabled their device for Workplace Join.

A DNS record for the host named Enterpriseregistration. The name Enterpriseregistration is mandatory and cannot be changed. The DNS server must resolve this name to the IP address of the AD FS server, and the AD FS server must use it as one of its Subject Alternative Name attributes in the SSL certificate.

Web Application Proxy. This is an optional component that is not required when you enable Workplace Join on devices that are connected to the company network. If you want to enable Workplace Join on devices that are not connected to the company network but are connected to the Internet, you must set up Web Application Proxy.

A supported operating system on the device. The device that you want to enable for Workplace Join must be running a supported operating system. Currently you can enable Workplace Join only on devices that are running Windows 8.1, Windows RT 8.1, and the iOS operating system.
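Added example, not part of the course: a script that checks the DNS, reachability, and certificate prerequisites listed above from the device that is about to be Workplace Joined. The adatum.com suffix is the lab's assumption, and the function name is hypothetical.

```powershell
# Added example (not course material). Run on the Windows 8.1 device as the user who will
# Workplace Join. Assumptions: $DomainSuffix is the UPN suffix; DRS is published on TCP 443.
function Test-WorkplaceJoinPrerequisite {
    param([Parameter(Mandatory)][string]$DomainSuffix)

    # The host name is fixed by Device Registration Service: enterpriseregistration.<UPN suffix>.
    $drsName = "enterpriseregistration.$DomainSuffix"
    $result = [ordered]@{ Name = $drsName; Resolves = $false; Port443 = $false
                          ChainTrusted = $false; SanMatches = $false; Subject = $null; Issues = @() }

    # 1. DNS: the record must exist and point at the AD FS server (or at the Web Application
    #    Proxy when the device is on the Internet).
    $a = Resolve-DnsName -Name $drsName -Type A -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'A' }
    if (-not $a) { $result.Issues += "No A record for $drsName"; return [pscustomobject]$result }
    $result.Resolves = $true

    # 2. Reachability of the HTTPS endpoint.
    $result.Port443 = Test-NetConnection -ComputerName $drsName -Port 443 `
                          -InformationLevel Quiet -WarningAction SilentlyContinue
    if (-not $result.Port443) { $result.Issues += 'TCP 443 not reachable'; return [pscustomobject]$result }

    # 3. Fetch the server certificate. Validation is deferred to the X509Chain below so that the
    #    reason for a failure (untrusted root, CRL unreachable) can be reported.
    $client = New-Object System.Net.Sockets.TcpClient($drsName, 443)
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($drsName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
    } finally { $ssl.Dispose(); $client.Close() }
    $result.Subject = $cert.Subject

    # Trust and revocation: a non-domain device fails here until the company CA certificate is in
    # its Trusted Root Certification Authorities store, and also when the CRL, delta CRL or AIA
    # locations embedded in the certificate cannot be downloaded.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $result.ChainTrusted = $chain.Build($cert)
    if (-not $result.ChainTrusted) {
        $result.Issues += @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
    }

    # Subject Alternative Name (OID 2.5.29.17) must carry the enterpriseregistration name.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($false) } else { '' }
    $result.SanMatches = [bool]($sanText -match ('(?i)(^|[=\s])' + [regex]::Escape($drsName) + '($|,)'))
    if (-not $result.SanMatches) { $result.Issues += "SAN does not list $drsName ($sanText)" }

    [pscustomobject]$result
}

Test-WorkplaceJoinPrerequisite -DomainSuffix 'adatum.com' | Format-List
```

A device on which every field is true and Issues is empty satisfies the checks a Workplace Join performs before registering; Pkiview.msc on the AD CS server remains the place to confirm that the CRL, delta CRL, and AIA are published correctly.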

When users enable Workplace Join on their devices, they can access a company's internal web applications and company apps without entering credentials again. To use SSO, administrators must configure claims-based web applications and create a relying party trust between the AD FS server and the web server on which the web application is running. For more information, see the following Microsoft TechNet website:

Set up the lab environment for AD FS in Windows Server 2012 R2
http://go.microsoft.com/fwlink/?LinkId=378242&clcid=0x409

Question: What must you configure on a device before you can enable the Workplace Join feature on it?

Registering and Enrolling Devices


After all the prerequisites are met, you can enable Workplace Join on a device. Any user with domain credentials can enroll a device, and each device can be enrolled multiple times, once per user who uses that device. If you want to enroll the device, you must perform the following procedure:

1. Click the Settings charm, and then select Change PC settings.

2. On the PC settings page, click Network.

3. On the Network page, click Workplace.

4. On the Workplace page, enter the user ID with which you want to Workplace Join the device. A user ID looks the same as a user's email address and is composed of the user's logon name, the at sign (@), and a domain suffix. Domain administrators refer to the user ID as the user principal name (UPN). When performing a Workplace Join, a computer tries to resolve the Enterpriseregistration.<domain suffix> name, and verifies that the SSL certificate is trusted and that it is still valid. You need to enter the user's domain credentials. The device can be a workgroup member, but the user must have a domain account to enable Workplace Join on the device.

5. The device is enabled for Workplace Join.

6. The Device Registration Service creates a domain object for the joined device in the RegisteredDevices AD DS container, and the user is provided with a certificate for client authentication.

Note: You must configure a device that you want to Workplace Join with network settings to resolve company server names. You also must configure the device to trust the company CA. For more information, see the following Microsoft TechNet website:

Walkthrough Guide: Workplace Join with a Windows Device
http://go.microsoft.com/fwlink/?LinkId=378243&clcid=0x409

Question: What information must you enter when you want to enable the Workplace Join feature on a device?


Demonstration: Enrolling Devices

In this demonstration, you will see how a user can enable the Workplace Join feature on a Windows 8.1 device. The entire company infrastructure has been set up already. Because the Windows 8.1 device is not a domain member, you first must configure it to trust the company CA and then perform Workplace Join.

Demonstration Steps
1. On LON-CL4, use Internet Explorer to connect to the company internal web app at the following URL: https://lon-svr2.adatum.com/claimapp. Use Adatum\adam and Pa$$w0rd as the credentials.

2. Close Internet Explorer.

3. Open Internet Explorer, and then navigate to the same URL: https://lon-svr2.adatum.com/claimapp.

4. Verify that you are again asked for your credentials.

5. Close Internet Explorer.

6. On the PC settings page, navigate to Network and then Workplace. Join the device to Workplace as adam@adatum.com, using Pa$$w0rd as the password.

7. On LON-DC1, use Active Directory Users and Computers to verify that the RegisteredDevices container contains an object of type msDS-Device, which represents the LON-CL4 computer that you enabled for Workplace Join. Make note of the name of the msDS-Device object.

8. On LON-CL4, use Internet Explorer to verify that the user has one certificate. This is the certificate that Device Registration Service provided to the user when the device was enabled for Workplace Join. Verify that its GUID is the same as the name of the msDS-Device object from Active Directory Users and Computers.

9. Use Internet Explorer to navigate to the internal web app by entering the following URL: https://lon-svr2.adatum.com/claimapp. Use adatum\adam and Pa$$w0rd as the credentials. Verify that Claim Type http://schemas.microsoft.com/2012/01/devicecontext/claims/identifier has the same value as the name of the msDS-Device object from Active Directory Users and Computers.

10. Close Internet Explorer.

11. Use Internet Explorer to navigate to the internal web app by entering the following URL: https://lon-svr2.adatum.com/claimapp. Verify that this time, the webpage opens without asking for credentials. You were not asked for credentials because you accessed it from the device that was enabled for Workplace Join. Close Internet Explorer.


Lesson 4

Configuring Work Folders

Work Folders is a new Windows 8.1 feature that enables users to have their local copy of files in sync with files on a Windows Server 2012 R2 file server. Users can use Work Folders even if their Windows 8.1 device is not joined to the domain, and an administrator can configure policy for the local copy of the files. For example, a local copy can be encrypted, and if a device is lost or an employee has left the company, the local copy of the data in a Work Folder can be wiped remotely while user data on the device is left intact.

Lesson Objectives
After completing this lesson, you will be able to:

Describe the features of Work Folders.
Describe Work Folders components.
Explain how to configure Work Folders.
Describe how to integrate Workplace Join and Work Folders.
Describe how to use GPOs to manage Work Folders.
Configure Work Folders.
Explain how to troubleshoot Work Folders.
Compare Work Folders with other file synchronization technologies.

Overview of Work Folders

Company files traditionally are stored on file servers. This approach has many advantages, such as central access control and auditing, central backup, quotas, reporting, and availability from any domain-joined and network-attached device. However, users also need to access and modify company data when they are not connected to a company network and from non-domain joined devices, because the BYOD scenario is implemented in many environments. There are several solutions that you can use for such scenarios, such as Folder Redirection, Offline Files, and synchronization with SkyDrive or SkyDrive Pro. Windows 8.1 introduces an additional solution, Work Folders, which can be useful in scenarios where users are using multiple devices for accessing company data, they need to synchronize data between the devices, and some of the devices are not domain-joined.

Work Folders allow home and office users to access their individual data, regardless of whether their devices are connected to a company network or whether their devices are domain-joined or not. Work Folders only store users' individual files, and users can access their own Work Folders only. Work Folders data is stored on a traditional file server, but devices also keep a local copy of the user's subfolder in a sync share, which is the user's work folder. Users can access a local copy of their Work Folders even without network connectivity, and any modifications they make are synchronized with their Work Folders on a file server immediately or after connectivity to the file server is restored. Users can access and use Work Folders from various devices, irrespective of their domain membership. Work Folders are currently supported on Windows 8.1 and Windows RT 8.1 devices, but support for Windows 7 and iPad has been announced. If users are using multiple devices that are configured with Work Folders, changes they make on one device are synchronized with their other devices automatically.

Because Work Folders content is stored on a file server, you can use all the features that are available on a file server, such as dynamic access control, auditing, quotas, file classification infrastructure, and protecting content with Rights Management Services. You can define a policy for devices that access Work Folders. For example, you can create a policy that requires that the local copy of the Work Folders data is encrypted on a device. You also can use the Remote Business Data Removal feature to prevent access or remotely wipe the local copy of Work Folders data on a device if the device is lost or if the employee leaves the company. For more information, see the following webpage on the Microsoft TechNet website:

Work Folders Overview
http://go.microsoft.com/fwlink/?LinkId=378244&clcid=0x409

Question: Can you share your Work Folders content with your coworkers?

Work Folders Components


If you want to use Work Folders, several components must be available in your environment:

Work Folders server. You need a file server that is running Windows Server 2012 R2 to host Work Folders because previous versions of Windows Server do not support the Work Folders feature. The file server must be joined to an AD DS domain and must have the Work Folders role service installed, which is part of the File and Storage Services role. When you install the role service, an additional access protocol is added and Server Manager is extended. You can use Server Manager to create and manage sync shares, which contain users' Work Folders. You also can use Server Manager to view who can access sync shares, when and from which devices users accessed them, and to perform other tasks, such as setting quotas and managing volumes. Users can access and synchronize their Work Folders by using the HTTPS-encapsulated access protocol. Because synchronization uses HTTPS encryption, the file server must have an SSL certificate installed, and that certificate must be trusted by the devices from which Work Folders are accessed.

Sync share. A sync share is a unit of synchronization between the Work Folders server and client devices. You can create multiple sync shares on a Work Folders server, and each sync share maps to a physical folder on the file server. For each user who uses Work Folders, a personal subfolder is created inside the sync share, and users can access and synchronize the content of their subfolders only. You can configure who can access a sync share and specify a device policy, such as specifying that the local copy of Work Folders data on client devices must be encrypted. Although users can have permissions to access multiple sync shares, a user can synchronize with only a single sync share from a given device. You can access a sync share only by using the Work Folders feature by default, but an administrator also can create a Server Message Block (SMB) share that uses the same folder as a sync share. If users can access sync share content by using SMB access also, you can view synced content from devices that do not use Work Folders. Because the sync share is stored on a file server, you can use features such as dynamic access control, quotas, and file screening when managing its content.


User devices. These are the devices from which you can access, modify, and synchronize content that is stored in Work Folders. You can access Work Folders from workgroup devices, devices that are workplace-joined, or from domain member devices. The devices must be running one of the supported operating systems, which currently are Windows 8.1 and Windows RT 8.1. Support for Windows 7 and iPad devices has been announced. Devices also must trust the SSL certificate that the Work Folders server is using. If devices are configured to use Work Folders, changes to local copies of data are detected in real time and synchronized with the server. By default, devices check the Work Folders server every 10 minutes and synchronize changes with local copies of the Work Folders data.

When you configure Work Folders on a device, you establish a Work Folders sync partnership between the device and the file server. During initialization, the data directory, version database, and download staging directory are created on the device. The version database helps to keep the local copy of the data in sync with the data on the file server. On the server side, when a user first synchronizes, similar structures are created. The server Work Folders are provisioned only once per user, while the client side is provisioned for each device on which the user is using Work Folders. When users modify their Work Folders content, the following process takes place:

1. When users modify local Work Folders content, the change is detected on the client in real time, the client device initiates a sync session with the Work Folders server, and then uploads the changes.

2. After the upload is complete, the Work Folders server applies the uploaded changes to the user's Work Folders content. By default, the server is configured so that it can perform all modifications to the user's data. If there is an error, for example, when the server permissions are modified and the server cannot apply the modifications, the user is notified about the problem. If the file is changed on multiple user devices at the same time in the same synchronization cycle, based on the time stamp, the latest version of the file keeps the original file name. The other copies of the file are preserved in the same directory, but their name is extended with the name of the device on which the conflict occurred, and a number is added if there are multiple conflicts for the same file. The Work Folders server keeps 100 conflict files and after that, Work Folders synchronization stops for the user until the user manually resolves the problem.

3. Synchronization is initiated by the second client device. This can happen for two reasons: data is modified also on the second client device, and the second client device initiates synchronization of those modifications. Alternatively, if there are no local changes, the second device initiates synchronization based on the polling interval, which is 10 minutes by default. The second client downloads changes from the Work Folders server and applies them to the local copy of the data.

When you use Work Folders, you should be aware of the following:

In this first release of Work Folders, synchronization is limited to one partnership per user per device. If multiple users use the same device, all users can have their own partnership with the sync folder on the same or on different Work Folders servers, but the same user cannot create a sync partnership with a second sync share on the same or different Work Folders servers.

Clients always initiate synchronization. A Work Folders server is passive and only responds to sync requests.

Clients synchronize only with the Work Folders server. If users are using multiple devices and they are all configured with Work Folders, devices do not synchronize changes between themselves, but only with the server. After one device synchronizes changes with a server, other devices get the changes from the server.

The system that applies the change, which can be either the user device or the Work Folders server, is responsible for conflict resolution. Conflicts are resolved automatically by renaming the conflicting files with older time stamps.

Question: Can users access multiple Work Folders?


Configuring Work Folders


A server administrator has to create Work Folders on a Windows Server 2012 R2 file server before you can configure and use Work Folders on a Windows 8.1 computer. To create Work Folders on a Windows Server 2012 R2 file server, you must perform the following two steps:

1. Install the Work Folders role service. Before you can configure a file server to host Work Folders, you first must install the Work Folders role service. This is a new role service in Windows Server 2012 R2, and you can install it from Server Manager or by running the following cmdlet:

Install-WindowsFeature FS-SyncShareService

2. Create a sync share for Work Folders. A sync share is the unit of synchronization that can be synchronized with a user device. You can create a sync share by using Server Manager or by using the New-SyncShare cmdlet. A sync share can be an existing SMB share, or you can point it to a new folder. Multiple users can have access to the same sync share and because of that, you need to specify the naming syntax for the user subfolders, which can be either user_alias or user_alias@domain. The first syntax maintains compatibility with existing user folders that use aliases for their names, while the second syntax eliminates conflicts between identical user aliases in multiple domains in the same AD DS forest. By default, users synchronize their whole Work Folders structure, but you can limit the synchronization to specific subfolders. You also can configure who has permissions to access the sync share and a device policy, in which you define requirements that must be met on a device that will be used for accessing sync shares.
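Added example, not course material: the two server-side steps above as a script using the SyncShare module cmdlets named in this lesson, followed by the user status check that the troubleshooting topic later in this lesson describes. The share name, path, security group, and user are constructed lab values; cmdlet parameter names follow the SyncShare module's documentation.

```powershell
# Added example (not course material). Run on the Windows Server 2012 R2 file server as an
# administrator. Assumptions: the share name, path, group and user below are lab placeholders.
$shareName = 'MarketingSync'                   # assumed
$sharePath = 'E:\SyncShares\MarketingSync'     # assumed
$syncUsers = 'Adatum\WorkFoldersUsers'         # assumed security group granted sync access

# Step 1: the Work Folders role service, part of the File and Storage Services role.
if (-not (Get-WindowsFeature -Name FS-SyncShareService).Installed) {
    Install-WindowsFeature -Name FS-SyncShareService -IncludeManagementTools | Out-Null
}

# Step 2: the sync share. The user@domain folder naming avoids collisions between identical
# aliases in different domains of the forest; the device policy requires that the local copy of
# the data on each client device is encrypted, as the lesson describes.
if (-not (Get-SyncShare -Name $shareName -ErrorAction SilentlyContinue)) {
    New-Item -Path $sharePath -ItemType Directory -Force | Out-Null
    New-SyncShare -Name $shareName -Path $sharePath -User $syncUsers `
        -UserFolderName 'user@domain' -RequireEncryption $true
}
# Clients reach the share over HTTPS, so the server also needs an SSL certificate that every
# device trusts bound to the HTTPS port; that step is done outside this script.

# Verification, which is also the first troubleshooting step: the share settings, then whether a
# given user has ever synced, when, and from which device.
Get-SyncShare -Name $shareName
Get-SyncUserStatus -User 'Adatum\adam' -SyncShare $shareName
```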

After you configure Work Folders on a Windows Server 2012 R2 file server, you can deploy Work Folders to client devices. Based on the client device type and whether it is domain-joined or not, you have different options for deploying Work Folders:

Manual. You can configure Work Folders by using the Manage Work Folders option in Control Panel. If the device is a domain member or is workplace-joined, you can enter a user's email address, which is used to automatically discover the Work Folders server where the user's sync shares are located. If the device is a member of a workgroup, you need to enter the Work Folders URL instead, as the user email cannot be resolved.

Opt-in. You can configure Work Folders settings by using domain-based Group Policy, Windows Intune, or Configuration Manager. But those settings are not mandatory. Users can decide if they want to use those settings and configure Work Folders on the device or not.

Mandatory. You can use the same three methods, domain-based Group Policy, Windows Intune, or Configuration Manager, to deliver Work Folders settings to a device. However, these settings are mandatory and users cannot modify them. Work Folders are configured transparently on devices without user interaction.

Question: Can you use Group Policy to deploy Work Folders centrally to devices that are not domain-joined?


Integrating Workplace Join and Work Folders


The Workplace Join feature primarily is targeted for non-domain joined devices because you already can use SSO from domain-joined devices to access domain resources. If you use the Workplace Join feature on a device, you can get a similar SSO experience when accessing company resources that support claims-based authentication.

The Work Folders feature is targeted to all devices that support Work Folders, regardless of their domain membership and whether they are enabled for Workplace Join or not. You can use the Work Folders feature to synchronize content across all those devices, but one of the requirements is that devices must trust a company CA. Domain-joined devices trust a company CA by default because the domain-based Group Policy adds the CA public key to the trusted root CA certificate store of all domain computers. But a domain-based Group Policy does not apply to workgroup devices or to devices that are enabled for Workplace Join. Because of that, workgroup devices and devices that are enabled for Workplace Join do not trust a company CA by default. However, one of the requirements to enable a device for Workplace Join is that it trusts a company CA. If the device is enabled for Workplace Join, it is a bit easier to set up Work Folders because it already trusts the company CA. You can set up Work Folders on a device regardless of whether it is enabled for Workplace Join or not.

Note: Use Windows Intune or Configuration Manager to manage Work Folders centrally on non-domain computers, regardless of whether they are enabled for Workplace Join or not.

Question: Is it required to enable a device for the Workplace Join feature before you can set up Work Folders on that device?

Using GPOs to Manage Work Folders


You can deploy Work Folders by using Group Policy. By using Group Policy, you can specify the Work Folders configuration but still allow users to decide if they want to use Work Folders on their devices, because they have to use the Work Folders Control Panel item to configure Work Folders, as in the opt-in scenario. You also can use Group Policy to make the Work Folders configuration mandatory. This configures devices to use Work Folders transparently and without user interaction, but prevents users from changing the Work Folders configuration or specifying where a local copy of the sync share data is stored.

Work Folders-related settings are located in both the user and computer parts of Group Policy. In the user part of Group Policy, you can enable Work Folders, specify a Work Folders URL, and force automatic setup of Work Folders. In the computer part of Group Policy, you can force all users of the device to which the Group Policy applies to use Work Folders automatically.


Note: If you configure the Work Folders settings in a domain-based Group Policy, those settings can apply only to the domain-joined devices and to the users who sign in with domain accounts. Those settings do not apply to devices that are members of a workgroup or are enabled for Workplace Join. If you need to configure Work Folders automatically on devices that are not domain members, you should use Windows Intune.

Question: Can you configure Work Folders settings in the user or computer part of Group Policy?

Demonstration: Configuring Work Folders


In this demonstration, you will see how you can deploy Work Folders on a domain-joined Windows 8.1 device by using Group Policy and how to manually deploy Work Folders on workgroup Windows 8.1 devices.

Demonstration Steps
1. On LON-CL1, sign out, and then sign in as user adatum\adam with Pa$$w0rd.

2. Use File Explorer to create a new text document named On LON-CL1.txt in Work Folders.

1. On LON-CL4, use Work Folders to set up Work Folders. Use the following settings:
   o Work Folders URL: https://lon-dc1.adatum.com
   o Credentials: adatum\adam with Pa$$w0rd as the password

2. Verify that the file On LON-CL1.txt is available in Work Folders on the LON-CL4 computer.

Troubleshooting Work Folders


Work Folders use a client/server architecture. You can set up Work Folders and then use them from any supported device, regardless of its domain membership. If a device is domain-joined, it usually is already configured correctly to be able to use Work Folders. If a device is not a member of a domain, additional configuration steps must be taken before you can use Work Folders successfully.

If there is a problem with accessing and using Work Folders, you can use several troubleshooting tools. You first should verify that Work Folders are available on a Windows Server 2012 R2 file server and that users have synchronization access. You can use Server Manager to verify the configuration, to determine if users have ever connected to their sync share, when the last connection was, and from which devices users connected to their sync shares. You also can use the Get-SyncUserStatus cmdlet on the server to verify all that information. Based on the problem that the user has, there are several tools you could use for troubleshooting, including the following:

Standard networking troubleshooting tools such as Ipconfig.exe, Ping.exe, and Nslookup.exe
Active Directory Users and Computers
Server Manager
File Explorer
Certificates snap-in
Event Viewer (WorkFolders logs)
Windows PowerShell, especially cmdlets from the SyncShare module

Note: Active Directory Users and Computers, Server Manager, and the SyncShare module for Windows PowerShell are not included in the default Windows 8.1 installation. If you want to use them on a Windows 8.1 computer, you need to install Remote Server Administration Tools.

The following list explains some of the potential issues and troubleshooting steps that you should be aware of:

Network connectivity and name resolution. Before you can configure Work Folders on a device, the device must be able to connect to a Work Folders server and be configured with a DNS server, which is used for resolving the Work Folders server URL and user email addresses.

Users must have a domain account that has synchronization access to a sync share on a Work Folders server. If users do not have domain accounts or access to the sync share, they will not be able to connect to Work Folders.

The device from which users want to use Work Folders must be running a supported operating system and must be able to comply with the sync share device policy. For example, if the sync share device policy requires encryption of Work Folders, the device must be able to encrypt a local copy of the Work Folders content.

The device must trust the SSL certificate of the Work Folders server. In a domain environment with an enterprise CA, domain-joined devices trust the enterprise CA by default. If the device is not domain-joined, you must configure the device manually to trust the Work Folders server SSL certificate.

Users must have NTFS file system permissions to a sync share. When you create a sync share, users have appropriate NTFS file system permissions by default. If the NTFS file system permissions are later modified, it is possible that users can no longer synchronize changes.

If users change their domain passwords, they need to enter the latest password for accessing Work Folders on a non-domain joined device.

If users use multiple devices with Work Folders and modify the content on one device, modified content is not immediately synchronized with other devices. Content is synchronized with the server, but other devices synchronize based on the polling interval, which is 10 minutes by default. You can decrease the polling interval or manually trigger the synchronization from the device.

Multiple files with similar names. If the same file is modified on multiple devices before the synchronization happens, for example when devices do not have connectivity to a Work Folders server, conflicts will happen during synchronization. Conflicts will be resolved automatically, and there will be multiple copies of the file with a similar name; the names of the additional copies will be extended with the device name. You must review the copies manually, merge the changes, and then decide if additional copies can be removed.

Question: Can you use the Work Folders Windows PowerShell cmdlets or Server Manager on Windows 8.1 by default?


Comparing Work Folders with Other File Synchronization Technologies


Before implementing Work Folders, you should be aware that there are other file synchronization technologies available. You should be familiar with their features and then decide which file synchronization technology is most appropriate for your environment. Some of them require that the device is domain-joined, that additional servers are deployed, or that the synchronized files are used by a single user, while others can be used on any Windows 8.1 device. File synchronization solutions that Microsoft provides include SkyDrive, SkyDrive Pro, Work Folders, and Folder Redirection with Offline Files.

If you want a solution for synchronizing data that is used for collaboration and is shared between team members, you should consider SkyDrive Pro. SkyDrive Pro is available as part of Microsoft SharePoint Server 2013 and Microsoft SharePoint Online, and you can access it if your company uses on-premises SharePoint or if SharePoint is available as part of a Microsoft Office 365 subscription. You should be aware that depending on what the company is using, shared data is hosted either in the company data center or in the cloud. You also should note that SkyDrive Pro support is not included in Windows 8.1. You can deploy it as part of Microsoft Office 2013 or as a separate SkyDrive Pro client. You can access SkyDrive Pro from PCs and Windows Phone devices.

The other file synchronization technologies are intended for single-user access, although files that you store on SkyDrive often are shared with others. Work Folders and Folder Redirection store data on servers in a company data center. However, Work Folders require that the servers that store data are running Windows Server 2012 R2, while folders can be redirected to a file server irrespective of the Windows Server version it is running. Windows 8.1 includes support for both technologies, but Folder Redirection can be used only on domain-joined devices. Work Folders are available regardless of whether the device is joined to the domain or not. Work Folders can be used on Windows 8.1, Windows 8, Windows 7, and iPad devices, while Folder Redirection is available on Windows XP and newer domain-joined computers.

SkyDrive is a publicly available cloud storage service. Data that you save on SkyDrive is stored in the public cloud, and you do not need any local server infrastructure; you only need Internet connectivity. SkyDrive support is integrated in Windows 8.1, and you can access SkyDrive from various devices regardless of their operating system and domain membership. SkyDrive is intended for personal data.

For more information, see the following link on the Microsoft TechNet website:

Work Folders Compared to Other Sync Technologies
http://go.microsoft.com/fwlink/?LinkId=378244&clcid=0x409

Question: A user has three Windows 8.1 devices and needs to keep files synchronized among all three devices. Two devices are domain-joined Windows 8.1 computers, and the user also has a Windows 8.1 tablet, which is enabled for Workplace Join. The user's company has deployed two Windows Server 2012 R2 file servers. Which synchronization technology should the user use?


Lab: Configuring Resource Access for Non-Domain Joined Devices


Scenario

A. Datum Corporation uses the AD DS environment, and all users access company data by using company-owned computers. Many users bring their own devices to work and would like to access company data from them. These users complain that they must enter their credentials every time they access company resources. Users with their own tablets complain that when they copy data locally, it is challenging to keep it synchronized with files on the company's file servers. IT administrators complain that they do not have an overview of the user devices that are used for accessing company data, and that they cannot enforce company security policies on data that is stored locally on such devices. A few weeks ago, a security incident occurred because one of the managers lost his tablet, which contained confidential company files.

Objectives
After completing this lab, you will be able to:
• Implement Workplace Join.
• Configure Work Folders.

Lab Setup
Estimated Time: 30 minutes
Virtual machines: 20687C-LON-DC1, 20687C-LON-SVR1, 20687C-LON-SVR2, 20687C-LON-CL1, 20687C-LON-CL4
User name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687C-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in by using the following credentials:
  o User name: Adatum\Administrator
  o Password: Pa$$w0rd
5. Repeat steps 2 to 4 for 20687C-LON-SVR1, 20687C-LON-SVR2, and 20687C-LON-CL1.
6. Repeat steps 2 and 3 for 20687C-LON-CL4. Do not sign in until directed to do so.

Exercise 1: Implementing Workplace Join


Scenario

The IT department has decided that it will enable Workplace Join for the company. It has set up the required infrastructure, and you have been asked to test the Workplace Join feature in Windows 8.1. You decided to use your own Windows 8.1 device to perform the Workplace Join, and also to test whether you can use the internal company website by providing credentials only once, that is, whether SSO works from the joined device.


The main tasks for this exercise are as follows:
1. Verify Workplace Join prerequisites.
2. Workplace Join a Windows 8.1 computer.
3. Explore Workplace Join effects.

Task 1: Verify Workplace Join prerequisites


1. On LON-DC1, configure Active Directory Users and Computers to show Advanced Features.
2. Verify that user Adam Barr is in the Marketing OU and that his User logon name is Adam@Adatum.com.
3. Verify that the RegisteredDevices container is empty.
4. Use Pkiview.msc to verify that the status of all locations is OK and that AIA Location #2, CDP Location #2, and DeltaCRL Location #2 are accessible over the http protocol.

Note: CDP Location and Delta CRL Location have short validity periods, and their status might be shown as Expiring. You can ignore their value in the Status column.

5. Use DNS Manager to verify that the Adatum.com zone has an Enterpriseregistration CNAME record that points to LON-SVR1.adatum.com.
6. On LON-SVR1, use AD FS Management to verify that the Enable device authentication check box is selected and that the Service communications certificate has the following attributes:
  o Subject Alternative Name: DNS Name=LON-SVR1.adatum.com, DNS Name=Enterpriseregistration.adatum.com
  o CRL Distribution Points: One of the URLs is accessible over the http protocol.
  o Authority Information Access: One of the URLs is accessible over the http protocol.

Task 2: Workplace Join a Windows 8.1 computer


1. On LON-CL4, sign in as Admin with the password Pa$$w0rd.
2. On LON-CL4, use the nslookup command to verify that it can resolve the enterpriseregistration.adatum.com name.
3. Connect to \\LON-DC1\certificate as user adatum\adam with Pa$$w0rd.
4. Install the Root-CA certificate in the Trusted Root Certification Authorities certificate store.
5. Use Internet Explorer to connect to the internal company web app with the following URL: https://LON-SVR2.adatum.com/claimapp. Use adatum\adam with Pa$$w0rd as the credentials.
6. Verify that no Claim Type starts with http://schemas.microsoft.com/2012/01/devicecontext, and then close Internet Explorer.
7. Open Internet Explorer, and then navigate to the same URL: https://LON-SVR2.adatum.com/claimapp. Verify that you are again asked for your credentials. Close Internet Explorer.
8. On the PC settings page, navigate to Network and then Workplace. Join the device to Workplace as adam@adatum.com, by using adam@adatum.com with Pa$$w0rd as the credentials.


Task 3: Explore Workplace Join effects


1. On LON-DC1, use Active Directory Users and Computers to verify that the RegisteredDevices container contains an object of type msDS-Device, which represents the LON-CL4 computer that you enabled for Workplace Join. Make note of the name of the msDS-Device object.
2. On LON-CL4, use Internet Explorer to verify that the user has one certificate. This is the certificate that the Device Registration Service provided to the user when the device was enabled for Workplace Join. Verify that the GUID is the same as the name of the msDS-Device object from Active Directory Users and Computers.
3. Use Internet Explorer to navigate to the internal web app by entering the following URL: https://LON-SVR2.adatum.com/claimapp. Use adatum\adam with Pa$$w0rd as the credentials.
4. Verify that Claim Type http://schemas.microsoft.com/2012/01/devicecontext/claims/identifier has the same value as the name of the msDS-Device object from Active Directory Users and Computers. Close Internet Explorer.
5. Use Internet Explorer to navigate to the internal web app by entering the following URL: https://LON-SVR2.adatum.com/claimapp.
6. Verify that this time, the webpage opens without asking you for credentials. You were not asked for credentials because you accessed it from the device that was enabled for Workplace Join.

Results: After completing this exercise, you should have successfully implemented and tested the Workplace Join feature.
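The verification steps in Task 1 and Task 3 can also be done from PowerShell, which is useful when you have to check more than one device. The following script is an added example and is not part of the 20687C lab; it uses the lab's names (adatum.com, LON-SVR1, the RegisteredDevices container). The DNS and AD DS checks run on LON-DC1 and need the DnsClient and ActiveDirectory modules; the certificate check runs on LON-CL4 as the joined user. The issuer name used to select the device certificate (MS-Organization-Access) is an assumption about how the Device Registration Service issues it, not something the lab states; if no certificate matches, inspect the user's personal store and adjust the filter.

```powershell
# Added example, not lab code. Run the DNS and AD DS sections on LON-DC1 and the
# certificate section on LON-CL4 (signed in as the user who performed the join).

# Task 1, step 5: the enterpriseregistration CNAME must point at the DRS host.
$cname = Resolve-DnsName -Name 'enterpriseregistration.adatum.com' -Type CNAME -ErrorAction Stop
if ($cname.NameHost -ne 'LON-SVR1.adatum.com') {
    Write-Warning "CNAME points to $($cname.NameHost); expected LON-SVR1.adatum.com"
}

# Task 1, step 3 and Task 3, step 1: the RegisteredDevices container is empty
# before the join and holds one msDS-Device object per joined device afterwards.
Import-Module ActiveDirectory
$container = 'CN=RegisteredDevices,DC=adatum,DC=com'
$devices = @(Get-ADObject -SearchBase $container -SearchScope OneLevel `
    -Filter 'objectClass -eq "msDS-Device"' -Properties whenCreated)
"Registered devices: $($devices.Count)"
$devices | Select-Object Name, whenCreated

# Task 3, step 2: the user certificate that DRS issued during Workplace Join.
# Assumption: its issuer contains 'MS-Organization-Access'. Its subject CN
# should match the msDS-Device object name listed above.
$devCert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Issuer -like '*MS-Organization-Access*' }
if (-not $devCert) {
    Write-Warning 'No device certificate found; this device is not Workplace Joined.'
} else {
    $devCert | Select-Object Subject, Issuer, NotAfter, Thumbprint
}
```

Comparing the certificate's subject with the msDS-Device object name is the same check the lab has you do by eye in Task 3, step 2; an expired NotAfter value explains a device that suddenly starts prompting for credentials again.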

Exercise 2: Configuring Work Folders


Scenario

Users currently are using Offline Files to keep local copies of data in sync with data on a file server. But many users are using devices that are not domain-joined, and they complain that they cannot use Offline Files. The IT department is considering implementing Work Folders, but it must confirm that users with non-domain devices will be able to use it, and that Work Folders will be configured automatically on domain-joined devices. You were asked to implement a proof-of-concept deployment of Work Folders, and based on the results, the IT department will decide if Work Folders meet the company's needs.

The main tasks for this exercise are as follows:
1. Install the Work Folders feature and create a sync share.
2. Bind an SSL certificate for Work Folders.
3. Configure Group Policy to deploy Work Folders.
4. Deploy Work Folders on a non-domain device.
5. Use Work Folders to synchronize files.

Task 1: Install the Work Folders feature and create a sync share
1. On LON-DC1, install the FS-SyncShareService feature by using the Install-WindowsFeature cmdlet.
2. Use Server Manager to create a New Sync Share. Use the following data:
  o Local path: C:\syncshare1
  o Structure for user folders: User alias
  o Grant sync access to groups: Marketing
  o Device policies: No policy is selected
3. Use Server Manager to verify that Syncshare1 is listed in the WORK FOLDERS section and that user Adam Barr is listed in the USERS section.

Task 2: Bind an SSL certificate for Work Folders


1. On LON-DC1, use Internet Information Services (IIS) Manager to add https Site Bindings to the Default Web Site. Use LON-DC1.adatum.com as a Secure Sockets Layer (SSL) certificate.

Task 3: Configure Group Policy to deploy Work Folders


1. On LON-DC1, use Group Policy Management to create and link a Group Policy named Deploy Work Folders to the Marketing OU.
2. In the Deploy Work Folders Group Policy, under User Configuration\Policies\Administrative Templates\Windows Components\Work Folders, enable the Specify Work Folder settings setting, configure it with https://lon-dc1.adatum.com as the Work Folders URL, and then select the Force automatic setup check box.
3. On LON-CL1, sign out, and then sign in as adatum\adam with Pa$$w0rd.
4. Use File Explorer to create a New Text Document named On LON-CL1 in Work Folders.

Task 4: Deploy Work Folders on a non-domain device


1. On LON-CL4, use Work Folders to Set up Work Folders. Use the following settings:
  o Work Folders URL: https://lon-dc1.adatum.com
  o Credentials: adatum\adam with Pa$$w0rd as the password
2. Verify that the file On LON-CL1.txt is available in Work Folders on the LON-CL4 computer.

Task 5: Use Work Folders to synchronize files


1. On LON-CL4, use File Explorer to create a New Text Document named On LON-CL4.txt in Work Folders.
2. On LON-CL1, verify that only the On LON-CL1.txt file is displayed in Work Folders.

Note: Work Folders synchronizes automatically every 10 minutes. You also have the option to trigger synchronization manually.

3. Use File Explorer to Sync the Work Folders on LON-CL1.
4. Use File Explorer to verify that both files, On LON-CL1 and On LON-CL4, are displayed in Work Folders.
5. Disable the Ethernet network connection by using Administrator and Pa$$w0rd as the credentials.
6. Modify the file On LON-CL1.txt in Work Folders by adding the following content: Modified offline.
7. Create a New Text Document named Offline LON-CL1.txt in Work Folders.
8. On LON-CL4, modify the file On LON-CL1.txt in Work Folders by adding the following content: Online modification.
9. On LON-CL1, enable the Ethernet network connection. Use Administrator and Pa$$w0rd as the credentials.
10. On LON-CL1, verify that four files are displayed in Work Folders, including On LON-CL1.txt and On LON-CL1-LON-CL1.txt. Because the file was modified at two locations, a conflict occurred and one of the copies was renamed.

Results: After completing this exercise, you should have successfully configured the Work Folders feature.
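The server-side work in Task 1 and Task 2 can be scripted, which is how you would repeat it on a second sync server. The following is an added example, not code from the course, run on LON-DC1 with the lab's values (FS-SyncShareService, C:\syncshare1, the Marketing group, LON-DC1.adatum.com). It assumes that a certificate with subject CN=LON-DC1.adatum.com is already in the computer's personal certificate store, as Task 2 relies on; the device-policy line is commented out because the lab leaves device policies unset. The client-side steps (Group Policy in Task 3, the Set up Work Folders wizard in Task 4) are not shown.

```powershell
# Added example, not lab code. Run on LON-DC1 in an elevated PowerShell session.

# Task 1: install the Work Folders role service and create the sync share.
Install-WindowsFeature -Name FS-SyncShareService -IncludeManagementTools

# One folder per user under C:\syncshare1, named by user alias; sync access
# for the Marketing group. Device policies are left unset, as in the lab.
New-SyncShare -Name 'Syncshare1' -Path 'C:\syncshare1' `
    -User 'Adatum\Marketing' -UserFolderNamingStyle Alias

# Outside the lab you would normally also require encryption and an
# auto-lock password on the device before data is allowed to sync to it:
# Set-SyncShare -Name 'Syncshare1' -RequireEncryption $true -RequirePasswordAutoLock $true

Get-SyncShare -Name 'Syncshare1' | Select-Object Name, Path, User, UserFolderNamingStyle

# Task 2: add an HTTPS binding to the Default Web Site and attach the
# LON-DC1.adatum.com certificate (assumed to be in Cert:\LocalMachine\My).
Import-Module WebAdministration
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=LON-DC1.adatum.com*' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No certificate for LON-DC1.adatum.com in the machine store.' }

if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
}
(Get-WebBinding -Name 'Default Web Site' -Protocol https).AddSslCertificate($cert.Thumbprint, 'My')

# Confirm the certificate is bound to port 443 before pointing clients at
# https://lon-dc1.adatum.com.
netsh http show sslcert ipport=0.0.0.0:443
```

Clients validate the server certificate against the Work Folders URL, so the subject or subject alternative name must match the host name in the URL (lon-dc1.adatum.com here); a name mismatch is the most common reason the Task 4 wizard fails on a non-domain device.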

To prepare for the next module


When you have finished the lab, revert the virtual machines to their initial state.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687C-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20687C-LON-SVR1, 20687C-LON-SVR2, 20687C-LON-CL1, and 20687C-LON-CL4.


Module Review and Takeaways


Review Questions
Question: Do you need to grant domain users additional permissions to enable Workplace Join on their devices?

Question: Can you access Work Folders content on a computer without network connectivity?


Module 8
Implementing Network Security
Contents:
Module Overview 8-1
Lesson 1: Overview of Threats to Network Security 8-2
Lesson 2: Configuring Windows Firewall 8-8
Lab A: Configuring Inbound and Outbound Firewall Rules 8-17
Lesson 3: Securing Network Traffic by Using IPsec 8-20
Lab B: Configuring IPsec Rules 8-28
Lesson 4: Guarding Windows 8.1 Against Malware 8-30
Lab C: Configuring Malware Protection 8-33
Module Review and Takeaways 8-35

Module Overview

When computers are connected to a network, they are exposed to potential security threats. You need to formulate a strategy to protect your computers. User policies, antivirus software, encrypted network traffic, and other protective measures work together to help shield your Windows 8.1 computers from security threats. It also is important to identify possible threats and to optimize appropriate Windows-based network security features, such as Windows Firewall and Windows Defender, to help eliminate them.

Objectives
After completing this module, you will be able to:
• Describe the threats to network security.
• Configure Windows Firewall.
• Secure network traffic by using Internet Protocol security (IPsec).
• Guard Windows 8.1 against malware.


Lesson 1

Overview of Threats to Network Security

Security is an integral part of any computer network, and you must consider it from many perspectives. You must understand the nature of network-based security threats and be able to implement appropriate security measures to mitigate these threats. In this lesson, you will learn about some of the network security threats and the defense-in-depth strategy that helps you lessen your vulnerability to them. Finally, you will learn about ways to mitigate the various network security threats that are discussed.

Lesson Objectives
After completing this lesson, you will be able to:
• Describe defense-in-depth.
• Identify common network security threats.
• Describe options for mitigation of network security threats.

What Is Defense-in-Depth?
You can mitigate risks to your computer network by providing security at different infrastructure layers. The term defense-in-depth typically describes the use of multiple security technologies at different points throughout your organization.

Policies, Procedures, and Awareness


Physical security measures must complement organizational policies regarding security best practices. For example, enforcing a strong user password policy is not helpful if users write their passwords down on sticky notes and then attach those notes to their computer screens. When you establish a security foundation for your organization's network, it is a good idea to start by creating appropriate policies and procedures, and make users aware of them. Then, you might progress to the other aspects of the defense-in-depth model.

Even when you implement policies to prevent security problems, users can circumvent them, either deliberately or inadvertently. Some ways that users can compromise policies and procedures include:
• Users are unaware of the policies. When users are unaware of policies, you cannot expect them to follow them.
• Users view the policies as unnecessary. If you do not adequately communicate the reasons for policies, some users will think of them as unnecessary.
• Social engineering. Users and computer administrators are vulnerable to social engineering, where hackers manipulate them into violating policies or revealing sensitive data. An example of this is when you receive an email that appears to be from your bank, asking you to update your account information by following a link in the email that resolves to a website that does not belong to your actual bank.


Mitigation
You should consider taking the following actions to mitigate these threats:
• Create specific policies that help prevent social engineering.
• Educate users on policies and their relevance.
• Implement compliance monitoring.

Physical Security

With respect to securing computer systems, enterprise administrators commonly overlook physical security. If any unauthorized person can gain physical access to a computer, then most other security measures are of little consequence. Make sure that computers that contain the most sensitive data, such as servers, are physically secure. In general, anyone who has physical access to computer systems can:
• Damage systems. This can be as simple as storing a server next to a desk, where a user might accidentally bump into it or spill a drink on it.
• Install unauthorized software on systems. Hackers can use unauthorized software to attack systems. For example, there are tools available to reset the administrator password on a Windows-based workstation or member server.
• Steal hardware. Hackers can steal laptops if you do not ensure that users secure them. They even can steal servers, which often include extremely sensitive data and intellectual property, if you do not secure them properly.

Mitigation
You should consider taking the following actions to mitigate these threats:
• Restrict physical access by locking doors.
• Monitor server room access.
• Install fire suppression equipment.

Perimeter

No organization is an isolated enterprise. Organizations operate within a global community, and network resources must be available to service that global community. Perimeter layer security refers to the connectivity between your network and other untrusted networks. This might include building a website to describe your organization's services or making internal services such as web conferencing and email accessible externally, so that users can work from home or from satellite offices.

Perimeter networks mark the boundary between public and private networks. By providing specialized servers such as reverse proxy servers in your perimeter network, you can provide corporate services across a public network in a more secure manner.

Note: You can use a reverse proxy server to publish services such as email or web services from a corporate intranet without placing email or Web servers in the perimeter.

You also need to consider the following access issues:
• Remote access client. Though you can control the conditions under which they can connect, these client computers access your network from a remote location over which you have little or no control. Because of this, these types of clients have access to more data than a typical Internet client that connects to a webpage.
• Business partners. You do not control the networks of business partners, which means that you cannot ensure that they have appropriate security controls in place. Therefore, if a business partner is compromised, the network links between your organization and that partner pose a risk.

Mitigation
You should consider taking the following actions to mitigate these threats:
• Implement firewalls at network boundaries.
• Implement network address translation (NAT).
• Use virtual private networks (VPNs) and implement encryption.

Internal Networks

As soon as you connect computers to a network, they are susceptible to a number of threats. Internal network layer security refers to services and processes on your internally controlled network, including LANs and wide area networks (WANs). The latter includes Multiprotocol Label Switching (MPLS) circuits, where you control all aspects of the network. Security threats to an internal network include eavesdropping, spoofing, denial-of-service (DoS) attacks, and replay attacks. This is especially relevant when communication occurs over public networks because users are working from home, remote offices, or other locations, such as coffee shops.

Mitigation
You should consider taking the following actions to mitigate these threats:
• Segment your network.
• Implement IPsec.
• Implement a network-based intrusion-detection system.

Host
The host layer refers to a network's individual computers. This includes the operating system, but not application software. Host-layer security includes operating system services such as a Web server, and hackers can compromise it through:
• Operating system vulnerabilities. An operating system is complex. Consequently, there are vulnerabilities that hackers often can exploit. Attackers can use these vulnerabilities to install malware (malicious software) or to control hosts.
• Default operating system configurations. Operating systems and their services include default configurations. In some cases, the default configuration might not include a password or might include sample files with vulnerabilities. Attackers use their knowledge of default configurations to compromise systems.
• Viruses that attack hosts. A virus uses operating system flaws or default configurations to infect a host and replicate itself.

Mitigation
You should consider taking the following actions to mitigate these threats:
• Harden operating systems.
• Implement a host-based intrusion-detection system.
• Use host-based antivirus, antimalware, and antispyware software, such as Windows Defender.


Application

The application layer refers to apps that run on hosts. This includes additional services such as mail servers, and desktop apps such as the Microsoft Office system. The risks to apps are similar to the risks that hosts face, which can include:
• App vulnerabilities. Apps are complex programs that are likely to have vulnerabilities. Attackers can use these vulnerabilities to install malicious apps or remotely control a computer.
• Default app configurations. Apps such as databases might have a default password or no password at all. Not securing the default configuration simplifies the work of attackers who attempt to access a system.
• Viruses that users introduce. In some cases, users introduce viruses by their actions rather than by flaws. In other cases, an app actually is a Trojan horse that contains malicious code embedded in what appears to be a useful app.

Mitigation
You should consider taking the following actions to mitigate these threats:
• Run apps at the lowest level of permissions possible.
• Install Microsoft and third-party app security updates.
• Enable only required features and functionality for operating systems and apps.

Data

The final layer of security is the data security layer. This includes data files, app files, databases, and Active Directory Domain Services (AD DS). When your data layer becomes compromised, it can result in:
• Unauthorized access to data files. Unauthorized access to data files might result in unauthorized users reading data, such as users inadvertently viewing salaries for other staff members. It also might result in data modification, which could cause it to be inaccurate.
• Unauthorized access to AD DS. Hackers could reset user passwords and then attack your network by using the new passwords.
• Modification of app files. When app files are modified, they might perform unwanted tasks such as data replication over the Internet, where an attacker can access it.

Mitigation
You should consider taking the following actions to mitigate these threats:
• Implement and configure suitable NTFS file system permissions.
• Implement encryption.
• Implement rights management.


Common Network Security Threats


There are a variety of network security threats that fall into many categories. Common network-based security threats include:
• Eavesdropping. An eavesdropping attack occurs when a hacker captures network packets that workstations connected to your network send and receive. Eavesdropping attacks might result in the compromise of sensitive data such as passwords, which can lead to other, more damaging attacks.

Note: Eavesdropping also is known as network sniffing.

• DoS attack. This type of attack limits the function of a network app, or it makes the app or network resource unavailable. Hackers can initiate a DoS attack in several ways and often are aware of vulnerabilities in the target app that they can exploit to render it unavailable. DoS attacks often are performed by overloading a service that replies to network requests, such as Domain Name System (DNS), with a large number of fake requests in an attempt to overload and shut down a service or the server that hosts the service.

Note: Hacking is a generic term that refers to the act of trying to crack a computer program or code. When talking about network security, hacking is an important topic because hackers will hack your network to attack it, your extended user base, or your cache of apps and sensitive intellectual property.

• Port scanning. Apps that run on a computer using the TCP/IP protocol use Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) ports to identify themselves. One way that attackers exploit a network is to query hosts for the ports on which they listen for client requests. These ports are said to be open. Once attackers identify an open port, they can use other attack techniques to access a network.
• Man-in-the-middle (MITM) attack. The network attacker uses a computer to impersonate a legitimate host on the network with which your computers are communicating. The attacker intercepts all of the communications intended for a destination host. The attacker might wish to view the data in transit between the two hosts, but also can modify the data in transit before forwarding the packets to the destination host.


Options for Mitigation of Network Security Threats


Attackers look for access into your network by using a variety of tools and techniques. Once they have found a way in, however minor and apparently innocuous, they can exploit that success and take the attack further. For this reason, it is important to implement a comprehensive approach to network security to ensure that one loophole or omission does not result in another. You can use any or all of the following defense mechanisms to protect your network from malicious attacks:
• IPsec. IPsec provides a way to authenticate IP-based communications between two hosts and, where desirable, encrypt that network traffic.
• Firewalls. Firewalls allow or block network traffic based on the type of traffic.
• Perimeter networks. A perimeter network is an isolated area on your network to and from which you can define network traffic flow. When you need to make network services available on the Internet, it is not advisable to connect hosting servers directly to the Internet. By placing these servers in a perimeter network, you can make them available to Internet users without letting those users gain access to your corporate intranet.
• VPNs. When users must connect to an organization's intranet from the Internet, it is important that they do so as securely as possible. The Internet is a public network, and data in transit across the Internet is susceptible to eavesdropping or MITM attacks. By using VPNs, you can authenticate and encrypt connections between remote users and your organization's intranet, thereby mitigating risk.
• Server hardening. By only running the services that you need, you can make servers inherently more secure. To determine what services you require, you must establish a baseline of security among your servers. It is sometimes difficult to determine precisely which Windows Server services you need to support the functionality that you or your enterprise requires. Therefore, you can use tools such as the Security Configuration Wizard or the Microsoft Baseline Security Analyzer to help you.
• Intrusion detection. Although it is important to implement the preceding techniques to secure your network, it also is sensible to monitor your network regularly for signs of attack. You can use intrusion-detection systems to do this by implementing them on devices at the perimeter, such as Internet-facing routers.
• Domain Name System Security Extensions (DNSSEC). DNSSEC provides the ability for DNS servers and resolvers to trust DNS responses by using digital signatures for validation. All signatures generated are contained within the DNS zone itself in the new resource records. When a resolver issues a query for a name, the accompanying digital signature is returned in the response. Validation of the signature then is performed through the use of a preconfigured trust anchor. Successful validation proves that no data modification or tampering has occurred.


Lesson 2

Configuring Windows Firewall

Windows Firewall provides built-in functionality that you can use to protect Windows 8.1 computers from unauthorized access attempts or other unwanted incoming or outgoing traffic on a network. Unwanted traffic often comes from Internet-based sources, but the network security of any computer also can be compromised from a LAN or WAN. You can use Windows Firewall to filter incoming and outgoing traffic based on the traffics characteristics and the type of network to which a Windows 8.1 computer is connected.

Lesson Objectives
After completing this lesson, you will be able to:
• Describe network location profiles.
• Explain how to configure basic firewall settings.
• Explain how to configure Windows Firewall with Advanced Security.
• Explain how to identify well-known ports.
• Configure inbound and outbound rules.

Understanding Network Location Profiles


The first time that you connect a computer to a network, you must select a network location, which sets appropriate firewall and security settings automatically. When you connect to networks in different locations, choosing a network location can help you ensure that your computer is set to an appropriate security level at all times. Windows 8.1 uses network location awareness (NLA) to uniquely identify networks to which a computer is connected. NLA collects information from networks, including IP address and media access control (MAC) address data from important network components like routers and gateways to identify a specific network. There are three network location types:
• Domain networks. These are networks at a workplace that attach to a domain. Use this option for any network that allows communication with a domain controller. Network discovery is on by default, and you cannot create or join a HomeGroup.
• Private networks. These are networks at home or work where you know and trust the people and devices on the network. When you select Home or work (private) networks, this turns on network discovery. Computers on a home network can belong to a HomeGroup.
• Guest or public networks. These are networks in public places. This location keeps the computer from being visible to other computers. When you select the Public place network location, HomeGroup is not available and network discovery is turned off.


You can modify the firewall settings for each type of network location from the main Windows Firewall page. Click Turn Windows Firewall on or off, select the network location, and then make your selection. You also can modify the following options:
• Block all incoming connections, including those in the list of allowed programs.
• Notify me when Windows Firewall blocks a new program.


Note: A system administrator can configure Windows Firewall settings by using Group Policy.

The Public networks location blocks certain programs and services from running, which protects a computer from unauthorized access. If you connect to a Public network and Windows Firewall is on, some programs or services might ask you to allow them to communicate through the firewall so that they can work properly.
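The same per-location settings can be inspected and set from PowerShell, which makes it easy to confirm which location NLA actually assigned before trusting the firewall state. The following is an added example, not course code; it uses the NetConnection and NetSecurity cmdlets that ship with Windows 8.1 and requires an elevated session. The interface name Ethernet is a constructed placeholder; the option values mirror the lesson's description of each location.

```powershell
# Added example, not course code. Requires an elevated session on Windows 8.1.

# Which location did NLA pick for each connection?
# NetworkCategory is DomainAuthenticated, Private, or Public.
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory

# A connection NLA placed in Public can be reclassified as Private by an
# administrator. DomainAuthenticated cannot be set by hand; NLA assigns it only
# when a domain controller is reachable. 'Ethernet' is a constructed name.
# Set-NetConnectionProfile -InterfaceAlias 'Ethernet' -NetworkCategory Private

# Public profile: firewall on, unsolicited inbound blocked, and a notification
# when a new app is blocked (the 'Notify me' option on the Windows Firewall page).
Set-NetFirewallProfile -Profile Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow -NotifyOnListen True

# Domain and Private profiles: same defaults, notifications off on the domain
# where rules are usually delivered by Group Policy instead.
Set-NetFirewallProfile -Profile Domain,Private -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow
Set-NetFirewallProfile -Profile Domain -NotifyOnListen False

# 'Block all incoming connections, including those in the list of allowed
# programs' is the per-profile AllowInboundRules switch. Set it to False for
# Public while on an untrusted network, and back to True afterwards.
Set-NetFirewallProfile -Profile Public -AllowInboundRules False
# Set-NetFirewallProfile -Profile Public -AllowInboundRules True

# Review the effective settings for all three profiles.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction, NotifyOnListen, AllowInboundRules
```

If Get-NetConnectionProfile reports Public for a connection you expected to be DomainAuthenticated, the domain profile is not in effect and the (stricter) public rules apply; fix the underlying domain controller reachability rather than relaxing the public profile.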

Configuring Basic Firewall Settings


Windows 8.1 centralizes basic firewall information in Control Panel, in the Network and Sharing Center and System and Security items. In System and Security, you can configure basic Windows Firewall settings and access the Action Center to view notifications for firewall alerts. In the Network and Sharing Center, you can configure all types of network connections, such as changing the network location profile.

Firewall Exceptions

When you add a program to the list of allowed programs or open a firewall port, you allow that program to send information to or from your computer. Allowing a program to communicate through the firewall is like poking a hole in the firewall. Each additional hole makes the computer less secure.

Generally, it is safer to add a program to the list of allowed programs than to open a port for the app. If you open a port without scoping it to a specific app, you make a hole in the firewall that stays open until you close the port, whether a program is using it or not. If you add a program to the list of allowed programs, you allow the app itself to poke a hole in the firewall, but only while it is running and listening. The holes are open for communication only as and when an allowed program requires them. Note that a program rule identifies the app only by the path to its executable, so the rule applies to whatever binary occupies that path. To add, change, or remove allowed programs and ports, click Allow an app or feature through Windows Firewall in the left pane of the Windows Firewall page, and then click Change settings. For example, to view performance counters from a remote computer, you must enable the Performance Logs and Alerts firewall exception on the remote computer. To help decrease security risks when you open communications, consider the following:

Only allow a program or open a port when necessary.
Remove programs from the list of allowed programs, or close ports, when you no longer require them.
Never allow a program that you do not recognize to communicate through the firewall.
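The following script is an added example, not part of the course. It lists every enabled inbound Allow rule in the active policy (local rules plus Group Policy) and flags the ones that open a port to any program from any source, which are the holes the text warns stay open whether or not anything is listening. It uses only the NetSecurity cmdlets that ship with Windows 8.1; the risk labels are this example's own classification.

```powershell
# Added example (not course material): report inbound Allow rules and flag unscoped port holes.
# Run in an elevated Windows PowerShell session on Windows 8.1 / Server 2012 R2 or later.
function Get-FirewallHoleReport {
    [CmdletBinding()]
    param(
        # Limit the report to one profile, or 'Any' for all of them.
        [ValidateSet('Domain', 'Private', 'Public', 'Any')]
        [string]$Profile = 'Any'
    )

    # ActiveStore is the effective policy: local rules merged with any GPO-supplied rules.
    $rules = Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound -Action Allow -Enabled True -ErrorAction Stop

    if ($Profile -ne 'Any') {
        # A rule whose Profile is 'Any' applies to every profile.
        $rules = $rules | Where-Object { $_.Profile.ToString() -match "Any|$Profile" }
    }

    foreach ($rule in $rules) {
        # Each rule carries separate filter objects for program, port and address scope.
        $app  = $rule | Get-NetFirewallApplicationFilter
        $port = $rule | Get-NetFirewallPortFilter
        $addr = $rule | Get-NetFirewallAddressFilter

        $anyProgram = ("$($app.Program)" -eq 'Any')
        $anyPort    = ('Any' -in @($port.LocalPort))
        $anyRemote  = ('Any' -in @($addr.RemoteAddress))

        # A port opened to any program from any source is the kind of hole the text describes;
        # a program rule only opens ports while that executable is listening.
        if ($anyProgram -and $anyRemote -and -not $anyPort) { $risk = 'High: open port, any program, any source' }
        elseif ($anyProgram -and $anyPort)                    { $risk = 'High: any program, any port' }
        elseif ($anyRemote)                                   { $risk = 'Medium: any source' }
        else                                                  { $risk = 'Low' }

        [pscustomobject]@{
            Name          = $rule.DisplayName
            Group         = $rule.DisplayGroup
            Profile       = $rule.Profile
            Protocol      = $port.Protocol
            LocalPort     = (@($port.LocalPort) -join ',')
            Program       = $app.Program
            RemoteAddress = (@($addr.RemoteAddress) -join ',')
            Risk          = $risk
        }
    }
}

# Usage: show the riskiest holes in the Public profile first.
Get-FirewallHoleReport -Profile Public | Sort-Object Risk -Descending | Format-Table -AutoSize

# Close a hole you no longer need (rule name is a placeholder, not a real rule):
# Remove-NetFirewallRule -DisplayName 'Some rule you no longer need'
```

Because the report reads the active store, a rule that a GPO enforces shows up here even though you cannot remove it locally; disable or narrow it in the GPO instead.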

MCT USE ONLY. STUDENT USE PROHIBITED

8-10 Implementing Network Security

Multiple Active Firewall Policies

Windows 8.1 supports multiple active firewall profiles. When a computer is connected to more than one network at a time, Windows applies the domain profile to the interface that can reach a domain controller and the appropriate private or public profile to each other interface, so a domain-joined computer obtains and applies the domain firewall profile regardless of which other networks are active. Information technology (IT) professionals can therefore maintain a single set of rules for remote clients and for those that physically connect to an organization's network. To set up or modify the sharing and discovery settings for a network location, click Change advanced sharing settings in the left pane of the Network and Sharing Center.

Windows Firewall Notifications

You also can display firewall notifications in the taskbar. Click Change notification settings in the left pane of the Windows Firewall page, and then for each network location, check or clear the Notify me when Windows Firewall blocks a new app check box.

Configuring Windows Firewall with Advanced Security


Although typical end-user configuration still occurs via Windows Firewall in Control Panel, you now can perform advanced configuration in Windows Firewall with Advanced Security. This snap-in is accessible in Control Panel from the Windows Firewall page by clicking Advanced settings in the left pane. The snap-in provides an interface for configuring Windows Firewall locally, on remote computers, and by using Group Policy.

Windows Firewall with Advanced Security is an example of a network-aware app. You can create a profile for each network location type, and each profile can contain different firewall policies. For example, you can allow incoming traffic for a specific desktop management tool when a computer is on a domain network, but block traffic when the computer connects to public or private networks. Network awareness enables you to provide flexibility on an internal network without sacrificing security when users travel. A public network profile must have stricter firewall policies to protect against unauthorized access. A private network profile might have less restrictive firewall policies to allow file and print sharing or peer-to-peer discovery.

Windows Firewall with Advanced Security Properties

Use the Windows Firewall with Advanced Security Properties dialog box to configure basic firewall properties for the domain, private, and public network profiles. A firewall profile is a way of grouping settings, including firewall rules and IPsec rules. Use the IPsec Settings tab of the dialog box to configure the default values for IPsec configuration options.

Note: To access the global profile settings in Windows Firewall with Advanced Security Properties, perform one of the following procedures:
In the navigation pane, right-click Windows Firewall with Advanced Security, and then click Properties.
In the navigation pane, select Windows Firewall with Advanced Security, and then in the Overview section, click Windows Firewall Properties.
In the navigation pane, select Windows Firewall with Advanced Security, and then in the Actions pane, click Properties.

The options that you can configure for each of the three network profiles are:

Firewall state. Turn the firewall on or off independently for each profile.
Inbound connections. Block connections that do not match any active firewall rule (the default), block all connections regardless of inbound rules, or allow inbound connections that do not match an active firewall rule.
Outbound connections. Allow connections that do not match any active firewall rule (the default), or block outbound connections that do not match an active firewall rule.
Settings. Configure display notifications, unicast responses to multicast and broadcast traffic, and whether locally defined firewall rules and IPsec rules are applied alongside rules that Group Policy supplies.
Logging. Configure the following logging options:
o Name. Use a different name for each network profile's log file.
o Size limit (KB). The default size is 4096. Adjust this if necessary when troubleshooting.
o No logging occurs until you set one or both of the following two options to Yes: Log dropped packets, and Log successful connections.
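As an added example that is not part of the course, the script below applies the profile defaults just described to all three profiles with Set-NetFirewallProfile, turns on dropped-packet logging, and then summarises which ports are being dropped. The log path is the Windows default; the sample log lines are constructed in the real file's layout for offline use, not captured from any host.

```powershell
# Added example (not course material): set profile defaults, enable logging, summarise drops.
function Set-BaselineFirewallProfile {
    # Same safe defaults for Domain, Private and Public: on, block unsolicited inbound,
    # allow outbound, log what gets dropped. 16 MB log instead of the 4 MB default.
    Set-NetFirewallProfile -Profile Domain, Private, Public `
        -Enabled True `
        -DefaultInboundAction Block `
        -DefaultOutboundAction Allow `
        -NotifyOnListen True `
        -LogBlocked True `
        -LogAllowed False `
        -LogMaxSizeKilobytes 16384 `
        -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

    Get-NetFirewallProfile |
        Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction, LogBlocked, LogFileName
}

# pfirewall.log is W3C extended format. The parser takes the column names from the
# "#Fields:" header, so it works regardless of field order.
function ConvertFrom-FirewallLog {
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s+(.*)$') { $fields = $Matches[1] -split '\s+'; continue }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line) -or -not $fields) { continue }
        $values = $line -split '\s+'
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        [pscustomobject]$row
    }
}

# Destination ports most often dropped on receive: a quick view of what is knocking.
function Get-TopDroppedPorts {
    param([Parameter(Mandatory)][string[]]$Lines, [int]$Top = 5)
    ConvertFrom-FirewallLog -Lines $Lines |
        Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
        Group-Object -Property protocol, 'dst-port' |
        Sort-Object Count -Descending |
        Select-Object -First $Top -Property Count, Name
}

# Constructed sample in the real file's layout (not a capture from a real host).
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2014-05-01 09:00:01 DROP TCP 203.0.113.5 172.16.0.20 51234 3389 52 S 123456 0 8192 - - - RECEIVE
2014-05-01 09:00:02 DROP TCP 203.0.113.5 172.16.0.20 51235 3389 52 S 123457 0 8192 - - - RECEIVE
2014-05-01 09:00:03 DROP UDP 198.51.100.9 172.16.0.20 40000 161 78 - - - - - - - RECEIVE
2014-05-01 09:00:04 ALLOW TCP 172.16.0.20 172.16.0.10 49200 389 0 - 0 0 0 - - - SEND
'@ -split "`r?`n"

Get-TopDroppedPorts -Lines $sample        # TCP 3389 (2), then UDP 161 (1)

# Against the live log once Set-BaselineFirewallProfile has run:
# Get-TopDroppedPorts -Lines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
```

Logging successful connections as well (-LogAllowed True) is useful during troubleshooting but fills the log quickly on a busy host; leave it off in the baseline and switch it on for the profile you are investigating.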

Windows Firewall with Advanced Security Rules

Rules are collections of criteria that define what traffic you will allow, block, or secure with the firewall. You can configure the following types of rules:
Inbound
Outbound
IPsec (shown in the snap-in as connection security rules)

Inbound Rules
Inbound rules explicitly allow or block traffic that matches the rule's criteria. For example, you can configure a rule to allow traffic that is secured by IPsec for Remote Desktop through the firewall, but block the same traffic if it is not secured by IPsec. You must use a separately configured IPsec rule to secure the traffic.

When you first install the Windows operating system, Windows Firewall blocks all unsolicited inbound traffic. To allow a certain type of unsolicited inbound traffic, you must create an inbound rule that describes that traffic. For example, if you want to run a Web server, you must create a rule that allows unsolicited inbound network traffic on TCP port 80. You can configure the default action that Windows Firewall with Advanced Security takes, which is whether to allow or block connections when no inbound rule applies.

Outbound Rules

Windows Firewall allows all outbound traffic unless a rule blocks it. Outbound rules explicitly allow or deny traffic originating from a computer that matches a rule's criteria. For example, you can configure a rule to explicitly block outbound traffic to one computer by IP address through the firewall, but allow the same traffic to other computers.


Inbound and Outbound Rule Types


There are four different types of inbound and outbound rules:

Program rules. These control connections for a program. Use this type of firewall rule to allow a connection based on the program that is trying to connect. These rules are useful when you are not sure of the port or other required settings, because you only specify the path to the program's executable (.exe) file.
Port rules. These control connections for a TCP or UDP port. Use this type of firewall rule to allow a connection based on the TCP or UDP port number over which the computer is trying to connect. You specify the protocol and the individual or multiple local ports to which the rule applies.
Predefined rules. These control connections for a Windows-based experience. Use this type of firewall rule to allow a connection by selecting one of the programs or experiences from the list. Network-aware programs that you install typically add their own entries to this list so that you can enable and disable them as a group.
Custom rules. Configure these as necessary. Use this type of firewall rule to allow a connection based on criteria that other types of firewall rules do not cover.

Consider the scenario in which you want to create and manage tasks on a remote computer by using the Task Scheduler user interface. Before connecting to the remote computer, you must enable the Remote Scheduled Tasks Management firewall exception on the remote computer. You can do this by using the predefined rule type on an inbound rule. Alternatively, you might want to block all web traffic to the default TCP web server port 80. In this scenario, you create an outbound port rule that blocks the remote port 80. The next topic discusses well-known ports, such as port 80.
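The following script is an added example, not part of the course. It creates one rule of each of the four types from the list above, enables the Remote Scheduled Tasks Management group and blocks outbound TCP 80 as in the two scenarios, and then joins each rule to its filters so that you can see exactly what it matches. The rule display names, the C:\Program Files\Contoso\Agent\agent.exe path and the 172.16.0.0/24 management subnet are illustrative values, not anything the course or Windows ships.

```powershell
# Added example (not course material): the four rule types, plus the two scenarios from the text.
# Paths, names and the subnet are placeholders; run elevated on Windows 8.1 / Server 2012 R2.
function New-ExampleFirewallRules {
    # 1. Program rule: ports open only while this executable is running and listening.
    New-NetFirewallRule -DisplayName 'Example - Allow Agent (program)' `
        -Direction Inbound -Action Allow -Profile Domain `
        -Program 'C:\Program Files\Contoso\Agent\agent.exe' | Out-Null

    # 2. Port rule: TCP 80 is open to any program while the rule is enabled, even with
    #    nothing listening, so at least confine it to the domain profile.
    New-NetFirewallRule -DisplayName 'Example - Allow HTTP (port)' `
        -Direction Inbound -Action Allow -Profile Domain `
        -Protocol TCP -LocalPort 80 | Out-Null

    # 3. Predefined rule: enable the group Windows ships for the Task Scheduler scenario
    #    instead of guessing its ports and service names.
    Enable-NetFirewallRule -DisplayGroup 'Remote Scheduled Tasks Management'

    # 4. Custom rule: criteria the other types cannot combine, here one program on one
    #    port reachable only from the management subnet.
    New-NetFirewallRule -DisplayName 'Example - Allow Agent from mgmt subnet (custom)' `
        -Direction Inbound -Action Allow -Profile Domain `
        -Program 'C:\Program Files\Contoso\Agent\agent.exe' `
        -Protocol TCP -LocalPort 8443 -RemoteAddress 172.16.0.0/24 | Out-Null

    # Second scenario from the text: outbound port rule blocking web traffic to remote TCP 80.
    New-NetFirewallRule -DisplayName 'Example - Block outbound HTTP' `
        -Direction Outbound -Action Block -Protocol TCP -RemotePort 80 | Out-Null
}

# Show what each example rule actually matches by joining it to its filter objects.
function Show-ExampleFirewallRules {
    Get-NetFirewallRule -DisplayName 'Example - *' | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $app  = $_ | Get-NetFirewallApplicationFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Name       = $_.DisplayName
            Direction  = $_.Direction
            Action     = $_.Action
            Program    = $app.Program
            Protocol   = $port.Protocol
            LocalPort  = (@($port.LocalPort) -join ',')
            RemotePort = (@($port.RemotePort) -join ',')
            Remote     = (@($addr.RemoteAddress) -join ',')
        }
    } | Format-Table -AutoSize
}

function Remove-ExampleFirewallRules {
    Get-NetFirewallRule -DisplayName 'Example - *' | Remove-NetFirewallRule
    Disable-NetFirewallRule -DisplayGroup 'Remote Scheduled Tasks Management'
}

New-ExampleFirewallRules
Show-ExampleFirewallRules
# Remove-ExampleFirewallRules   # undo when you are done testing
```

The outbound block of remote port 80 stops every program on the computer from reaching plain HTTP servers, including Windows Update and browser traffic, which is what the scenario asks for; if you only want to stop one program, use an outbound program rule instead.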

IPsec Rules

Firewall rules and IPsec rules are complementary, and both contribute to a defense-in-depth strategy to protect a computer. IPsec rules secure traffic as it crosses a network by using IPsec. Use IPsec rules to specify that connections between two computers must be authenticated or encrypted. IPsec rules specify how and when authentication occurs, but they do not allow connections. To allow a connection, create an inbound or outbound rule. After an IPsec rule is in place, you can specify that inbound and outbound rules apply only to specific users or computers. You can create the following IPsec rule types:

Isolation rules. These isolate computers by restricting connections based on authentication criteria, such as domain membership or health status. Isolation rules allow you to implement a server or domain isolation strategy.
Authentication exemption rules. These designate connections that do not require authentication. You can designate computers by specific IP address, an IP address range, a subnet, or a predefined group, such as a gateway. You typically use this type of rule to grant access to infrastructure computers, such as Active Directory domain controllers, certification authorities (CAs), or Dynamic Host Configuration Protocol servers.
Server-to-server rules. These protect connections between specific computers. When you create this type of rule, you must specify the network endpoints between which you want to protect communications. Then, you designate requirements and the type of authentication that you want to use, such as the Kerberos version 5 protocol. A scenario in which you might use this rule is to authenticate the traffic between a database server and a business-layer computer.
Tunnel rules. These secure communications that travel between two computers by using tunnel mode in IPsec instead of transport mode. Tunnel mode embeds the entire network packet into one that you route between two defined endpoints. For each endpoint, specify a single computer that receives and consumes the sent network traffic, or specify a gateway computer that connects to a private network onto which the received traffic is routed after extracting it from the tunnel.
Custom rules. Configure these as necessary. Custom rules authenticate connections between two endpoints when you cannot set up authentication rules by using the other rule types.

Monitoring

Windows Firewall uses the Monitoring node of the snap-in to display information about current firewall rules, IPsec rules, and security associations (SAs). The Monitoring page displays which profiles are active (domain, private, or public), and the settings for the active profiles.

The Windows Firewall with Advanced Security event logs are also available in Event Viewer, under Applications and Services Logs, Microsoft, Windows, Windows Firewall With Advanced Security. For example, the ConnectionSecurity operational log is the resource to use to view IPsec-related events. The operational log is always on, and it contains events for IPsec rules, including failed authentication attempts, which are the first place to look when a required-authentication rule unexpectedly blocks a peer.

Identifying Well-Known Ports


Before you configure either inbound or outbound firewall rules, you must understand how apps communicate on a TCP/IP network. At a high level, when an app wants to establish communications with an app on a remote host, it creates a connection to a defined TCP or UDP socket. A socket is the combination of a transport protocol, an IP address, and a port number, and a connection is identified by the socket at each end:
The transport protocol that the app uses, either TCP or UDP.
The Internet Protocol version 4 (IPv4) or Internet Protocol version 6 (IPv6) address of the source and destination hosts.
The TCP or UDP port number that the apps are using. TCP or UDP communications use ports to name the ends of logical connections that transfer data.

Well-Known Ports
The Internet Assigned Numbers Authority (IANA) assigns the well-known ports. On most systems (Windows is an exception), only system processes or programs that privileged users run can listen on these ports. Ports receive a number between 0 and 65,535 and fall into three ranges:
Well-known ports are those from 0 through 1,023.
Registered ports are those from 1,024 through 49,151.
Dynamic and private ports are those from 49,152 through 65,535.

To view the current TCP/IP network connections and listening ports, use the netstat -a command (netstat -ano also shows the owning process ID for each entry) or the Get-NetTCPConnection Windows PowerShell cmdlet. IANA assigns well-known ports to specific apps so that client apps can locate them on remote systems; to the extent possible, IANA assigns the same port number to a service for both TCP and UDP. To view the list of well-known ports and the associated services that Windows 8.1 recognizes, open the C:\Windows\System32\drivers\etc\services file. The following table identifies some well-known ports.


Port   Protocol   Application
21     TCP        File Transfer Protocol (FTP)
23     TCP        Telnet, which provides access to a command-line interface on a remote host
25     TCP        Simple Mail Transfer Protocol (SMTP), which email servers and clients use to send email
53     UDP        DNS
53     TCP        DNS
80     TCP        Hypertext Transfer Protocol (HTTP), which a web server uses
110    TCP        Post Office Protocol version 3 (POP3), which email clients use for email retrieval
143    TCP        Internet Message Access Protocol (IMAP), which email clients use for email retrieval
161    UDP        Simple Network Management Protocol (SNMP)
389    TCP        Lightweight Directory Access Protocol (LDAP)
443    TCP        Hypertext Transfer Protocol Secure (HTTPS) for secured web servers
3389   TCP        Remote Desktop Protocol (RDP), a proprietary protocol that provides a user with a graphical interface to another computer

Typically, it is not necessary to configure applications to use specific ports. However, you must be aware of the ports that applications use, so that the required ports are open through your firewall when you use a port rule. Remember that when you add a TCP or UDP port to the rules list, the port is open whenever Windows Firewall with Advanced Security is running, regardless of whether a program or system service is listening for incoming traffic on the port. For this reason, if you need to allow unsolicited incoming traffic, create a program rule instead of a port rule. With a program rule, the port opens and closes dynamically as the program requires, and you do not need to know the port number that the application uses. If the application changes its port number, the firewall continues to allow its traffic on the new port. Keep in mind that a program rule identifies the app only by the path to its executable: any binary that runs from that path, including a replaced or trojanized one, inherits the allowance. Protect the path with NTFS permissions, and scope the rule to the profiles and remote addresses that actually need it.
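As an added example that is not part of the course, the script below does what the netstat and Services file discussion describes: it maps every listening TCP port and bound UDP endpoint to its owning process, names the port from C:\Windows\System32\drivers\etc\services, and classifies it by IANA range, so that you know which ports a port rule would need before you write one. It only reads state; it uses the NetTCPIP cmdlets that ship with Windows 8.1.

```powershell
# Added example (not course material): listening ports -> owning process -> service name -> IANA range.
function Get-ServiceNameTable {
    param([string]$Path = "$env:SystemRoot\System32\drivers\etc\services")
    $table = @{}
    foreach ($line in Get-Content -Path $Path) {
        # Entries look like: "http   80/tcp   www www-http   #World Wide Web"
        if ($line -match '^\s*(\S+)\s+(\d+)/(tcp|udp)\b') {
            $table["$($Matches[3])/$($Matches[2])"] = $Matches[1]
        }
    }
    return $table
}

function Get-PortRange {
    param([Parameter(Mandatory)][int]$Port)
    # The three IANA ranges from the text.
    if ($Port -le 1023)  { return 'well-known' }
    if ($Port -le 49151) { return 'registered' }
    return 'dynamic'
}

function Get-ListeningPortReport {
    $names = Get-ServiceNameTable
    # Index processes by PID once; cast to [int] so UInt32 OwningProcess values match.
    $procs = @{}
    Get-Process | ForEach-Object { $procs[[int]$_.Id] = $_ }

    $tcp = @(Get-NetTCPConnection -State Listen | ForEach-Object {
        [pscustomobject]@{ Proto = 'TCP'; Address = $_.LocalAddress; Port = $_.LocalPort; OwnerPid = [int]$_.OwningProcess }
    })
    $udp = @(Get-NetUDPEndpoint | ForEach-Object {
        [pscustomobject]@{ Proto = 'UDP'; Address = $_.LocalAddress; Port = $_.LocalPort; OwnerPid = [int]$_.OwningProcess }
    })

    $tcp + $udp | Sort-Object Proto, Port | ForEach-Object {
        $p = $procs[$_.OwnerPid]
        if ($p) { $procName = $p.ProcessName; $procPath = $p.Path } else { $procName = '(unknown)'; $procPath = $null }
        [pscustomobject]@{
            Proto    = $_.Proto
            Address  = $_.Address
            Port     = $_.Port
            Range    = Get-PortRange -Port $_.Port
            Service  = $names["$($_.Proto.ToLower())/$($_.Port)"]
            OwnerPid = $_.OwnerPid
            Process  = $procName
            Path     = $procPath
        }
    }
}

# Usage: the whole picture, then the listeners that are not Windows binaries.
Get-ListeningPortReport | Format-Table -AutoSize
Get-ListeningPortReport | Where-Object { $_.Path -and $_.Path -notlike "$env:SystemRoot\*" } | Format-Table -AutoSize
```

Run it elevated, otherwise Get-Process cannot return the path of processes owned by other users and the Path column is blank for them. A listener on a well-known port whose owning process is not under the Windows directory, or whose path is empty, is worth a closer look before you write a rule for it.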


Demonstration: Configuring Inbound and Outbound Rules

In this demonstration, you will see how to configure inbound and outbound firewall rules for Windows Firewall.

Demonstration Steps

Test Remote Desktop connectivity
1. Sign in to LON-CL2 as Adatum\Administrator with the password Pa$$w0rd.
2. Open the Start screen, and then start the Remote Desktop Connection program.
3. Connect to LON-CL1, and sign in as Adatum\Administrator with the password Pa$$w0rd.
4. After verifying the connection, sign out of LON-CL1.

Configure an inbound rule
1. Switch to LON-CL1.
2. Sign in to LON-CL1 as Adatum\Administrator.
3. Open Control Panel, open Windows Firewall, and then click Advanced settings to open Windows Firewall with Advanced Security.
4. Create the following Inbound Rule:
o Rule type: Predefined
o Rule name: Remote Desktop
o Predefined rules: Remote Desktop Shadow (TCP-In), Remote Desktop User Mode (TCP-In), Remote Desktop User Mode (UDP-In)
o Action: Block the connection

Test the inbound rule
1. Switch to LON-CL2, open the Start screen, and then start the Remote Desktop Connection program.
2. Connect to LON-CL1.
3. Verify that the connection attempt fails.

Test outbound Remote Desktop connectivity
1. Switch to LON-CL1.
2. Open the Start screen, and then start the Remote Desktop Connection program.
3. Connect to LON-DC1, and then sign in as Adatum\Administrator.
4. After verifying the connection, sign out of LON-DC1.

Configure an outbound rule
1. On LON-CL1, restore the Windows Firewall with Advanced Security window.
2. Create a new Outbound Rule of type Program that blocks connections from the C:\Windows\System32\mstsc.exe program.
3. Name the rule Block Outbound RDP to LON-DC1.
4. Open the properties of the Block Outbound RDP to LON-DC1 rule, and then click the Scope tab.
5. Modify the scope so that the rule applies only to the remote IP address 172.16.0.10.

Test outbound Remote Desktop connectivity
1. Open the Start screen, and then start the Remote Desktop Connection program.
2. Attempt to connect to LON-DC1. The attempt should fail immediately.
3. Close all open windows.
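The demonstration above can be scripted. The following is an added example, not part of the course: it creates the same inbound block for RDP, the same outbound block for mstsc.exe scoped to 172.16.0.10, and checks the result with Test-NetConnection. LON-CL1, LON-CL2, LON-DC1 and 172.16.0.10 are the course's lab values. The inbound block here is a pair of port rules for TCP and UDP 3389 rather than the wizard's copies of the predefined Remote Desktop rules; the effect on a connecting client is the same.

```powershell
# Added example (not course material): the demonstration as NetSecurity cmdlets.
# Run elevated; block rules win over allow rules, including an allow that a GPO supplies.
function Block-InboundRemoteDesktop {
    foreach ($proto in 'TCP', 'UDP') {
        New-NetFirewallRule -DisplayName "Block Inbound RDP ($proto)" -Direction Inbound `
            -Action Block -Protocol $proto -LocalPort 3389 -Profile Any | Out-Null
    }
}

function Block-OutboundRemoteDesktopTo {
    param(
        [Parameter(Mandatory)][string]$RemoteAddress,
        [string]$DisplayName = 'Block Outbound RDP to LON-DC1'
    )
    # Program rule scoped to one remote address: mstsc.exe may still reach every other host.
    New-NetFirewallRule -DisplayName $DisplayName -Direction Outbound -Action Block `
        -Program "$env:SystemRoot\System32\mstsc.exe" -RemoteAddress $RemoteAddress -Profile Any | Out-Null
}

function Show-RuleScope {
    param([Parameter(Mandatory)][string]$DisplayName)
    # What the Scope tab shows, read back from the rule's address filter.
    Get-NetFirewallRule -DisplayName $DisplayName | Get-NetFirewallAddressFilter |
        Select-Object LocalAddress, RemoteAddress
}

function Test-RemoteDesktopReachable {
    param([Parameter(Mandatory)][string]$ComputerName)
    # $false once the target's inbound Block rule drops the SYN. No sign-in is needed.
    (Test-NetConnection -ComputerName $ComputerName -Port 3389 -WarningAction SilentlyContinue).TcpTestSucceeded
}

function Remove-DemoRules {
    Get-NetFirewallRule -DisplayName 'Block Inbound RDP (*', 'Block Outbound RDP to LON-DC1' -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
}

# On LON-CL2, before and after LON-CL1 runs Block-InboundRemoteDesktop (expect True, then False):
# Test-RemoteDesktopReachable -ComputerName LON-CL1

# On LON-CL1:
# Block-InboundRemoteDesktop
# Block-OutboundRemoteDesktopTo -RemoteAddress 172.16.0.10
# Show-RuleScope -DisplayName 'Block Outbound RDP to LON-DC1'
# Remove-DemoRules   # when the demonstration is finished
```

One caveat the GUI steps gloss over: the outbound rule is scoped to mstsc.exe, so Test-NetConnection (which runs inside powershell.exe) still reaches LON-DC1 on port 3389 after the rule is in place. Test the outbound rule the way the demonstration does, by starting mstsc.exe and connecting to LON-DC1, or run mstsc /v:LON-DC1 and expect the immediate failure.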


Lab A: Configuring Inbound and Outbound Firewall Rules


Scenario

Remote Desktop is enabled on all client systems through a Group Policy Object (GPO). However, as part of your infrastructure security plan, you must configure certain desktop systems, such as the Human Resources department systems, for limited exposure to remote connections. Before implementing firewall rules in a GPO, you want to validate your plan by manually configuring the rules on local systems. You decide to control this through local firewall rules that block traffic on the client systems, using LON-CL1 as a test computer.

Objectives
After completing this lab, you will be able to:
Create an inbound Windows Firewall rule.
Create an outbound Windows Firewall rule.

Lab Setup
Estimated Time: 20 minutes
Virtual machines: 20687C-LON-DC1, 20687C-LON-CL1, 20687C-LON-CL2
User name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687C-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in by using the following credentials:
o User name: Adatum\Administrator
o Password: Pa$$w0rd
5. Repeat steps 2 through 4 for 20687C-LON-CL1 and 20687C-LON-CL2.

Exercise 1: Creating an Inbound Windows Firewall Rule


Scenario
To prevent incoming Remote Desktop connections, you must implement an inbound firewall rule on LON-CL1 that blocks all incoming RDP traffic. The main tasks for this exercise are as follows:
1. Test Remote Desktop connectivity.
2. Configure an inbound firewall rule.
3. Test the inbound firewall rule.


Task 1: Test Remote Desktop connectivity
1. Sign in to LON-CL2 as Adatum\Administrator.
2. Open the Start screen, and then start the Remote Desktop Connection program.
3. Connect to LON-CL1, and then sign in as Adatum\Administrator.
4. After verifying the connection, sign out of LON-CL1.

Task 2: Configure an inbound firewall rule
1. Sign in to LON-CL1 as Adatum\Administrator.
2. Open Control Panel, open Windows Firewall, and then click Advanced settings.
3. Create the following Inbound Rule:
o Rule type: Predefined
o Rule name: Remote Desktop
o Predefined rules: Remote Desktop Shadow (TCP-In), Remote Desktop User Mode (TCP-In), Remote Desktop User Mode (UDP-In)
o Action: Block the connection
4. Minimize the Windows Firewall with Advanced Security window.

Task 3: Test the inbound firewall rule
1. Switch to LON-CL2, open the Start screen, and then start the Remote Desktop Connection program.
2. Connect to LON-CL1, and then attempt to sign in as Adatum\Administrator.
3. Verify that the connection attempt fails.

Results: After completing this exercise, you should have created an inbound Windows Firewall rule.

Exercise 2: Create an Outbound Firewall Rule


Scenario

You must implement a firewall rule on LON-CL1 that prevents it from connecting to LON-DC1 by using the Remote Desktop Connection app. The main tasks for this exercise are as follows:
1. Test Remote Desktop connectivity.
2. Configure an outbound rule.
3. Test the outbound rule.

Task 1: Test Remote Desktop connectivity
1. Switch to LON-CL1.
2. Open the Start screen, and then start the Remote Desktop Connection program.
3. Connect to LON-DC1, and then sign in as Adatum\Administrator.
4. After verifying the connection, sign out of LON-DC1.

Task 2: Configure an outbound rule
1. On LON-CL1, restore the Windows Firewall with Advanced Security window.
2. Create a new Outbound Rule with the following properties:
o Rule type: Program
o Program: C:\Windows\System32\mstsc.exe
o Action: Block the connection
o Profile: Domain, Private, and Public
o Name: Block Outbound RDP to LON-DC1
3. Open the Properties of the Block Outbound RDP to LON-DC1 rule, and then click the Scope tab.
4. Modify the scope so that the rule applies only to the remote IP address 172.16.0.10.

Task 3: Test the outbound rule
1. Open the Start screen, and then start the Remote Desktop Connection app.
2. Attempt to connect to LON-DC1. The attempt should fail immediately.
3. Close all open windows.

Results: After completing this exercise, you should have configured and tested an outbound firewall rule.

To prepare for the next lab


When you finish the lab, leave the virtual machines running, as they are needed for the next lab.


Lesson 3

Securing Network Traffic by Using IPsec

IPsec is a suite of protocols that protects data in transit across a network by authenticating and, optionally, encrypting IP packets. Peers authenticate each other with Kerberos, a preshared key, or digital certificates with public and private keys. Because IPsec operates at the IP layer, it protects traffic for every application without the application being aware of it, so network administrators who use IPsec do not have to configure security for individual programs. You can use IPsec rules to configure IPsec settings for specific connections between your computer and other computers. Windows Firewall with Advanced Security uses IPsec rules to evaluate network traffic, and then it blocks or allows messages based on the criteria that you establish in the rule. In some circumstances, Windows Firewall with Advanced Security will block the communication: if you configure settings that require security for a connection (in either direction), and the two computers cannot authenticate each other, then IPsec blocks the connection. Once you enable and configure IPsec, it is important that you know how to monitor it.

Lesson Objectives
After completing this lesson, you will be able to:
Identify the benefits of IPsec.
Identify tools for configuring IPsec.
Describe IPsec rules.
Explain how to configure authentication.
Explain how to choose an authentication method.
Explain how to monitor connection security.
Configure IPsec rules.

Benefits of IPsec
You can use IPsec to ensure confidentiality, integrity, and authentication for data in transit across insecure channels. Although its original purpose was to secure traffic across public networks, many organizations implement IPsec to address weaknesses in their own private networks, where any host on a segment can otherwise read, spoof, or tamper with traffic. Implemented properly, IPsec provides a private channel for sending and exchanging potentially sensitive data, whether it is email, FTP traffic, news feeds, partner and supply-chain data, medical records, or any other type of TCP/IP-based data. IPsec:
Offers mutual authentication before and during communications, so that both parties identify themselves during the communication process.
Provides integrity by authenticating every packet, so that modified or spoofed packets are discarded.
Provides confidentiality by encrypting IP payloads when you use ESP with encryption.


IPsec Protocols and Modes
IPsec has two protocols, each of which can run in transport mode or tunnel mode:
Encapsulating Security Payload (ESP). Authenticates the payload and, optionally, encrypts it with one of several available algorithms. ESP protects the packet payload but not the outer IP header, which is why ESP traffic can cross a network address translation (NAT) device when UDP encapsulation (NAT traversal) is used.
Authentication Header (AH). Signs the entire packet, including the IP header, but does not encrypt it. Because the IP header is covered, AH fails whenever a NAT device rewrites the addresses.
In transport mode, the original IP header is kept and only the payload is protected; in tunnel mode, the whole original packet is wrapped inside a new packet addressed to the tunnel endpoints.

Providing IP Traffic Integrity by Rejecting Modified Packets

ESP and AH verify the integrity of the traffic they protect. If a packet has been modified, the integrity check value will not match, and IPsec discards the packet. ESP in tunnel mode encrypts the original source and destination addresses as part of the payload, because the whole inner packet is encapsulated; a new IP header carries the source and destination addresses of the tunnel endpoints. For ESP encryption, Windows 8.1 and Windows Server 2012 R2 support DES, 3DES, and AES, the latter in AES-CBC and AES-GCM variants with 128-, 192-, or 256-bit keys. DES, with its 56-bit key, can be broken by brute force, and 3DES is slow and nearing the end of its useful life, so use AES unless a peer cannot support it; AES-GCM provides encryption and integrity in a single operation.

Providing Protection from Replay Attacks

ESP and AH carry a sequence number that increments for every packet sent on a security association, and the receiver keeps a sliding window of the sequence numbers it has already accepted. A packet whose sequence number has already been seen, or that falls behind the window, is discarded. As a result, an attacker who captures packets cannot replay them later to establish a session or gain information illegally, and an attempt to reuse an intercepted message to access resources months later fails as well, because by then the security association that protected it has expired.
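The following script is an added example that is not part of the course. It audits the quick-mode (ESP/AH) crypto sets on the local computer for the DES, 3DES, MD5 and SHA-1 proposals the text warns about, then installs an AES-GCM set as the default, strongest proposal first. The set's display name is illustrative, and the script edits the local policy store, so try it on a test machine first.

```powershell
# Added example (not course material): find weak quick-mode proposals, install an AES-GCM default.
function Get-WeakIPsecProposals {
    $weakEnc  = @('DES', 'DES3')
    $weakHash = @('MD5', 'SHA1')
    foreach ($set in Get-NetIPsecQuickModeCryptoSet) {
        foreach ($p in @($set.Proposal)) {
            $reasons = @()
            if ("$($p.Encryption)" -in $weakEnc)  { $reasons += "encryption $($p.Encryption)" }
            if ("$($p.ESPHash)"    -in $weakHash) { $reasons += "ESP integrity $($p.ESPHash)" }
            if ("$($p.AHHash)"     -in $weakHash) { $reasons += "AH integrity $($p.AHHash)" }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Set           = $set.DisplayName
                    Encapsulation = $p.Encapsulation
                    Weak          = ($reasons -join '; ')
                }
            }
        }
    }
}

function Set-StrongIPsecQuickModeDefault {
    # AES-GCM gives confidentiality and integrity in one pass and must be paired with the
    # matching AES-GMAC integrity setting. ESP rather than AH keeps the outer IP header out
    # of the integrity check, so the traffic survives NAT.
    $gcm256 = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AESGCM256 -ESPHash AESGMAC256
    $gcm128 = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AESGCM128 -ESPHash AESGMAC128
    # Peers negotiate the first proposal both sides accept, so list the strongest first.
    New-NetIPsecQuickModeCryptoSet -DisplayName 'Example AES-GCM Quick Mode' `
        -Proposal $gcm256, $gcm128 -Default
}

# Before: anything still offering DES/3DES or MD5/SHA-1.
Get-WeakIPsecProposals | Format-Table -AutoSize

Set-StrongIPsecQuickModeDefault | Out-Null

# After a peer renegotiates, the algorithms actually in use are visible on the SA.
Get-NetIPsecQuickModeSA | Format-List *
```

Existing security associations keep the algorithms they were negotiated with until they expire or are renegotiated, so do not expect the SA list to change until the peers reconnect. Change both ends: a peer whose only proposals are DES or 3DES will simply fail to negotiate once this default is in place, which is the intended outcome, but you want to know about it before it happens.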

Tools for Configuring IPsec


Some network environments are ideal for using IPsec as a security solution, while others are not. We recommend IPsec for the following uses:

Packet filtering. IPsec functions in a limited capacity as a firewall for protected computers. You can combine IPsec with the NAT and Basic Firewall functionality of the Routing and Remote Access service to allow or block inbound or outbound traffic.
Securing host-to-host traffic. You can use IPsec to encrypt traffic between servers, other devices with static IP addresses, or network subnets. For example, you can use IPsec to secure traffic between domain controllers in different sites, or between an application server and the database server that hosts the application's database.
Securing traffic to servers. You can implement IPsec for all client computers that access a server. You also can configure restrictions on the server, specifying which clients can connect.
Layer Two Tunneling Protocol (L2TP)/IPsec for VPN connections. You can combine the L2TP tunneling protocol with IPsec, known as L2TP/IPsec, to provide additional data protection for VPN connections.
Site-to-site (gateway-to-gateway) tunneling. You can use IPsec to create site-to-site tunnels when you need to connect to routers, gateways, or other network nodes that do not support L2TP/IPsec or Point-to-Point Tunneling Protocol (PPTP) connections.
Enforcing logical networks (server/domain isolation). In a Windows-based network, you can logically isolate server and domain resources to limit access to authenticated and authorized computers. For example, you can create a logical network inside an existing physical network, where computers share common requirements for secure communications. To establish connectivity, each computer in this logically isolated network must provide authentication credentials to other computers. This isolation prevents unauthorized computers and programs from gaining inappropriate access to resources. IPsec ignores requests from computers that are not part of the isolated network. Server and domain isolation can protect specific high-value servers and data, and it can protect managed computers from unmanaged or rogue computers and users. You can protect a network with two types of isolation:
o Server isolation. To isolate a server, you configure specific servers to require an IPsec policy to accept authenticated communications from other computers. For example, you might configure the database server to accept connections from a web application server only.
o Domain isolation. To isolate a domain, you use Active Directory domain membership to ensure that computers that are domain members accept only authenticated and secured communications from other domain-member computers. The isolated network consists only of that domain's member computers, and domain isolation uses an IPsec policy to protect traffic that is sent between domain members, including all client and server computers.

Note: IPsec depends on IP addresses for establishing secure connections. Using dynamic IP addresses for both clients and servers, or at either end of an IPsec connection, can introduce significant complexity to the design of an IPsec policy.

Considering IPsec for Special Scenarios


If you perform the following tasks when using IPsec, you must consider additional configuration requirements:

Protect traffic over wireless 802.11 LANs. You can use IPsec to encrypt traffic that is sent over 802.11 networks. However, you should not use IPsec for securing organizational 802.11 wireless LANs. You should use Wi-Fi Protected Access 2 encryption and Institute of Electrical and Electronics Engineers, Inc. (IEEE) 802.1X authentication instead. You also can use L2TP/IPsec VPN connections to protect remote access traffic sent over the Internet between organizational networks.

Use IPsec in tunnel mode for remote access VPN connections. Do not use pure IPsec tunnel mode for remote access between Windows-based VPN clients and servers. Rather, use L2TP/IPsec or PPTP. Be aware that PPTP relies on MS-CHAP v2 authentication and RC4-based MPPE encryption, both of which have known weaknesses, so prefer L2TP/IPsec, or IKEv2, which Windows 7 and later also support, for new deployments.

What Are IPsec Rules?


An IPsec rule forces authentication between two peer computers before they can establish a connection and transmit secured information. Windows Firewall with Advanced Security uses IPsec to enforce the rules listed below. The configurable rules are:

Isolation. An isolation rule isolates computers by restricting connections based on credentials, such as domain membership or health status. Isolation rules allow you to implement an isolation strategy for servers or domains.
Authentication exemption. You can use an authentication exemption to designate connections that do not require authentication. You can designate computers by a specific IP address, an IP address range, a subnet, or a predefined group, such as a gateway.
Server-to-server. A server-to-server rule protects connections between specific computers. This type of rule usually protects connections between servers. When you create the rule, you specify the network endpoints between which communications are protected. You then designate requirements and the authentication that you want to use.
Tunnel. A tunnel rule allows you to protect connections between gateway computers, and typically, you use it when you are connecting across the Internet between two security gateways.
Custom. Sometimes, you cannot set up the authentication rules that you need by using the rules available in the New Connection Security Rule Wizard. In such cases, you can use a custom rule to authenticate connections between two endpoints.

How Firewall Rules and IPsec Rules Are Related

Firewall rules allow traffic through the firewall, but do not secure that traffic. To secure traffic with IPsec, you create connection security rules. However, creating a connection security rule does not allow the traffic through the firewall. You must create a firewall rule to do this if the firewall's default behavior does not already allow the traffic. Connection security rules do not apply to programs and services; rather, they apply between the computers that are the two endpoints.

Configuring Authentication
When you use the New Connection Security Rule Wizard to create a new rule, you can use the Requirements page to specify how you want authentication to apply to inbound and outbound connections. If you request authentication, communication continues even when authentication fails, but that traffic is then unprotected. If you require authentication, the connection is dropped when authentication fails.

Request Authentication for Inbound and Outbound Connections

Use the Request authentication for inbound and outbound connections option to specify that all inbound and outbound traffic must authenticate, but that the connection is allowable if authentication fails. However, if authentication succeeds, traffic is protected. You typically use this option in low-security environments or in an environment where computers must be able to connect, but cannot perform the types of authentication that are available with Windows Firewall with Advanced Security.

Require Authentication for Inbound Connections and Request Authentication for Outbound Connections

Use the Require authentication for inbound connections and request authentication for outbound connections option if you want to require that all inbound traffic either is authenticated or else blocked. Outbound traffic can be authenticated, but it is allowed if authentication fails. If authentication succeeds for outbound traffic, that traffic is authenticated. You typically use this option in most IT environments in which the computers that need to connect can perform the authentication types that are available with Windows Firewall with Advanced Security.


Require Authentication for Inbound and Outbound Connections

Use the Require authentication for inbound and outbound connections option if you want to require that all inbound and outbound traffic either is authenticated or else blocked. You typically use this option in higher-security IT environments where you must protect and control traffic flow, and in which the computers that must be able to connect can perform the authentication types that are available with Windows Firewall with Advanced Security.

Choosing an Authentication Method


The New Connection Security Rule Wizard has a page on which you can set up the authentication method to configure the authentication credentials that you want clients to use. If the rule exists already, you can use the Authentication tab in the Properties dialog box of the rule that you wish to edit.

Default
Select the Default option to use the authentication method that you configured on the IPsec Settings tab of the Windows Firewall with Advanced Security Properties dialog box.

Computer and User (Kerberos V5)

The Computer and user (Kerberos V5) method uses both computer and user authentication, which means that you can request or require both the user and the computer to authenticate before communications continue. You can use the Kerberos V5 authentication protocol only if both computers and users are domain members.

Computer (Kerberos V5)


The Computer (Kerberos V5) method requests or requires the computer to authenticate by using the Kerberos V5 authentication protocol. You can use the Kerberos V5 authentication protocol only if both computers are domain members.

User (Kerberos V5)

The User (Kerberos V5) method requests or requires the user to authenticate by using the Kerberos V5 authentication protocol. You can use the Kerberos V5 authentication protocol only if the user is a domain member.

Computer Certificate
The Computer certificate method requests or requires a valid computer certificate to authenticate, and you must have at least one CA to do this. Use this method if the computers are not part of the same AD DS domain.

Only Accept Health Certificates

The Only accept health certificates method requests or requires a valid health certificate to authenticate. Health certificates declare that a computer has met system health requirements, as determined by a Network Access Protection (NAP) health policy server, such as all software and other updates that network access requires. These certificates are distributed during the NAP health evaluation process. Use this method only for supporting NAP.


Advanced

You can configure any available method, and you can specify methods for first authentication and second authentication. First authentication methods include Computer (Kerberos V5), computer certificate, and a Preshared key (not recommended). Second authentication methods include User (Kerberos V5), User NTLM (Windows NT Challenge/Response protocol), user certificates, and computer certificates. Second authentication methods are supported only by computers that are running Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2.
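The following Windows PowerShell script is an added example, not part of the course text or Microsoft's own material. It builds the first and second authentication sets described under Advanced (computer Kerberos V5 with a computer certificate as a fallback, then user Kerberos V5 with NTLM as a fallback) and creates an isolation rule whose Requirements correspond to Require inbound/Request outbound; the CA distinguished name is a placeholder you must replace with your own enterprise CA.

```powershell
# Added example (not from the course text): build an "Advanced" authentication
# combination with the NetSecurity cmdlets, then create an isolation rule whose
# Requirements match "Require inbound / Request outbound".
# Assumptions: elevated Windows PowerShell on a domain-joined Windows 8.1 client;
# the CA distinguished name below is a placeholder for your enterprise CA.

# First authentication: computer Kerberos V5, with a computer certificate as a fallback
# proposal for hosts outside the domain. A preshared key is deliberately not offered.
$phase1Proposals = @(
    New-NetIPsecAuthProposal -Machine -Kerberos
    New-NetIPsecAuthProposal -Machine -Cert -Authority 'CN=PLACEHOLDER-Issuing-CA,DC=example,DC=com'
)
$phase1 = New-NetIPsecPhase1AuthSet -DisplayName 'Computer: Kerberos V5, then certificate' `
                                    -Proposal $phase1Proposals

# Second authentication: user Kerberos V5, with user NTLM as a fallback.
$phase2Proposals = @(
    New-NetIPsecAuthProposal -User -Kerberos
    New-NetIPsecAuthProposal -User -Ntlm
)
$phase2 = New-NetIPsecPhase2AuthSet -DisplayName 'User: Kerberos V5, then NTLM' `
                                    -Proposal $phase2Proposals

# The three Requirements options of the wizard map onto -InboundSecurity / -OutboundSecurity.
$requirements = @{
    'Request inbound and outbound'      = @{ Inbound = 'Request'; Outbound = 'Request' }
    'Require inbound, request outbound' = @{ Inbound = 'Require'; Outbound = 'Request' }
    'Require inbound and outbound'      = @{ Inbound = 'Require'; Outbound = 'Require' }
}
$chosen = $requirements['Require inbound, request outbound']

# Create the rule; the auth-set parameters take the Name of the sets created above.
New-NetIPsecRule -DisplayName 'Authenticate all inbound connections (advanced)' `
                 -InboundSecurity  $chosen.Inbound `
                 -OutboundSecurity $chosen.Outbound `
                 -Phase1AuthSet    $phase1.Name `
                 -Phase2AuthSet    $phase2.Name

# Verify that the rule references the new sets and carries the intended requirements.
Get-NetIPsecRule -DisplayName 'Authenticate all inbound connections (advanced)' |
    Select-Object DisplayName, InboundSecurity, OutboundSecurity, Phase1AuthSet, Phase2AuthSet
```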

Monitoring Connection Security


Windows Firewall with Advanced Security is a stateful, host-based firewall that blocks incoming and outgoing connections based on its configuration. Although a typical end-user configuration for Windows Firewall still occurs via the Windows Firewall control panel item, advanced configuration now occurs in the Microsoft Management Console (MMC) snap-in named Windows Firewall with Advanced Security.

The inclusion of this snap-in not only provides an interface for configuring Windows Firewall locally, but also for configuring Windows Firewall on remote computers and through Group Policy. You also can use Windows PowerShell to configure Windows Firewall policies throughout your environment. Windows Firewall functions now integrate with connection security protection settings, reducing the possibility of conflict between the two protection mechanisms.

Monitoring Options for Windows Firewall with Advanced Security

You can use the Windows Firewall with Advanced Security console to monitor security policies that you create in the Connection Security Rules node. However, you cannot view the policies that you create by using the IP Security Policy Management snap-in. These security options are for use with Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. For older operating systems, such as Windows XP and Windows 2000, you must use the Connection Security Rules node to view SAs and connections.

Monitoring Connection Security Rules

The Connection Security Rules node lists all of the enabled IPsec rules with detailed information about their settings. Connection security rules define which authentication, key exchange, data integrity, or encryption you can use to form an SA. The SA defines the security that protects the communication from the sender to the recipient.

Implementing Connection Security Monitor

You can implement Connection Security Monitor as an MMC snap-in. It includes enhancements that you can use to view details about an active connection security policy that the domain applies or that you apply locally. Additionally, you can view Quick Mode and Main Mode statistics, and active connection security SAs. You also can use Connection Security Monitor to search for specific Main Mode or Quick Mode filters. To troubleshoot complex connection security policy designs, you can use Connection Security Monitor to search for all matches for filters of a specific traffic type.


Changing Default Settings


You can change the Connection Security Monitor default settings, such as automatic refresh and DNS name resolution. For example, you can specify the time that elapses between IPsec data refreshes.

Additionally, you can enable DNS name resolution for the IP addresses that you are monitoring. Note that there are some issues to consider when enabling DNS. For example, it only works in a specific filter view for Quick Mode and in the SAs view for Quick Mode and Main Mode monitoring. There also is the possibility that you can affect a server's performance if several items in the view require name resolution. Finally, DNS name resolution requires a proper pointer (PTR) resource record in DNS.

Adding a Computer to Monitor

You can monitor computers remotely from a single console, but you must modify a registry value so that the remote system accepts a console connection. Setting the HKLM\system\currentcontrolset\services\policyagent\EnableRemoteMgmt registry value to 1 prevents the "IPsec service is not running" error when you manage a computer remotely.

Obtaining Information About the Active Policy


You can get basic information about the current IP security policy in the Active Policy node of the IP Security Monitoring snap-in to the MMC. During troubleshooting, this is useful to identify which policy IPsec is applying to the server. Details such as the policy location and when it was modified last provide key details when you are determining the current policy in place. To view the IPsec rules in the active policy store, you can use the following Windows PowerShell command:
Show-NetIPsecRule -PolicyStore ActiveStore

Main Mode SA and Quick Mode SA

The Main Mode SA is the initial SA that is established between two computers. This negotiates a set of cryptographic protection suites between both hosts. This initial SA allows Quick Mode key exchange to occur in a protected environment. The Main Mode SA also is known as the Internet Security Association Key Management Protocol or Phase 1 SA. Main Mode establishes the secure environment in which to exchange other keys, as required by the IPsec policy.

A Quick Mode SA depends on the successful establishment of a Main Mode SA. A Quick Mode SA also is known as an IPsec or Phase 2 SA. This process establishes keys based on the information that the policy specifies. Quick Mode SAs establish protected transmission channels for the actual application IP data that the policy specifies.

Monitoring SAs

The Security Associations folder lists all of the Main Mode and Quick Mode SAs with detailed information about their settings and endpoints.

Main Mode

Main Mode statistics provide data about the total number of SAs created and invalid packet information.

Quick Mode

Quick Mode provides more detailed information about connections. If you are having issues with an IPsec connection, Quick Mode statistics can provide insight into the problem.
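As an added example (not part of the course text), the following function summarizes the Main Mode and Quick Mode SAs toward a single peer using the same two cmdlets the monitoring console exposes, so you can tell whether a successful ping was actually protected or fell back to clear text under a Request rule. It assumes an elevated Windows PowerShell session on Windows 8.1 and that the peer name resolves in DNS.

```powershell
# Added example (not from the course text): inspect the Phase 1 (Main Mode) and
# Phase 2 (Quick Mode) security associations toward one peer.
# Assumption: elevated Windows PowerShell on Windows 8.1 with the NetSecurity module.
function Get-IPsecPeerSummary {
    param(
        [Parameter(Mandatory)]
        [string]$RemoteAddress    # IP address of the peer, as shown in the SA's RemoteEndpoint
    )

    # Main Mode (ISAKMP / Phase 1) SAs: one per authenticated peer, protecting the key exchange.
    $mainMode  = @(Get-NetIPsecMainModeSA  | Where-Object { $_.RemoteEndpoint -eq $RemoteAddress })
    # Quick Mode (IPsec / Phase 2) SAs: one per protected traffic flow; each depends on a Main Mode SA.
    $quickMode = @(Get-NetIPsecQuickModeSA | Where-Object { $_.RemoteEndpoint -eq $RemoteAddress })

    [pscustomobject]@{
        RemoteAddress = $RemoteAddress
        MainModeSAs   = $mainMode.Count
        QuickModeSAs  = $quickMode.Count
        # Zero of both right after a successful ping means the traffic was allowed without IPsec,
        # which a "Request" requirement permits when authentication fails.
        Protected     = ($mainMode.Count -gt 0) -and ($quickMode.Count -gt 0)
        Flows         = $quickMode | Select-Object LocalEndpoint, RemoteEndpoint, Direction, EncapsulationMode
    }
}

# Resolve the lab peer's IPv4 address (LON-CL1 from the demonstration) and show the summary.
$peerIp = ([System.Net.Dns]::GetHostAddresses('LON-CL1') |
           Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
           Select-Object -First 1).IPAddressToString
Get-IPsecPeerSummary -RemoteAddress $peerIp | Format-List
```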


Demonstration: Configuring an IPsec Rule


In this demonstration, you will see how to configure and monitor IPsec rules.

Demonstration Steps

Create a connection rule

1. On LON-CL1, open Control Panel, open Windows Firewall, and then open the Advanced settings.
2. Create a connection security rule that allows traffic on LON-CL1 with the following settings:
   o Rule: Isolation
   o Requirements: Require authentication for inbound connections and request authentication for outbound connections
   o Authentication: Computer and user (Kerberos V5)
   o Name: Authenticate all inbound connections

Test connectivity between LON-CL2 and LON-CL1

1. Switch to LON-CL2, open a Command Prompt window, and then ping LON-CL1.
2. Close the Command Prompt window.

Create a connection rule by using Windows PowerShell

Open an Administrator: Windows PowerShell window, and then run the following cmdlet:

New-NetIPsecRule -DisplayName "Authenticate all inbound connections" -InboundSecurity Require -OutboundSecurity Request -Phase1AuthSet ComputerKerberos -Phase2AuthSet UserKerberos

Test connectivity between LON-CL2 and LON-CL1

1. Ping LON-CL1.
2. Open Control Panel, open Windows Firewall, and then open the Advanced settings.
3. Examine the Security Associations monitoring.

Examine the security associations on LON-CL1 by using Windows PowerShell

1. Switch to LON-CL1, and open an Administrator: Windows PowerShell Command Prompt window.
2. To examine the Main Mode Security Associations, run the following cmdlet:
   Get-NetIPsecMainModeSA
3. To examine the Quick Mode Security Associations, run the following cmdlet:
   Get-NetIPsecQuickModeSA


Lab B: Configuring IPsec Rules


Scenario

A. Datum Corporation uses many outside consultants. The enterprise's management has a concern that if consultants were on the company network, they might be able to connect to unauthorized computers.

Objectives
After completing this lab, you will be able to:

Create and configure an IPsec rule on one computer.

Lab Setup
Estimated Time: 20 minutes
Virtual machines: 20687C-LON-DC1, 20687C-LON-CL1, 20687C-LON-CL2
User name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. The required virtual machines should be running already from the preceding lab.

Exercise 1: Creating and Configuring IPsec Rules


Scenario
You have decided to test using secured connections between computers on sensitive segments of your network. The main tasks for this exercise are as follows:

1. Create an Internet Protocol security (IPsec) rule on LON-CL1.
2. Test connectivity between LON-CL2 and LON-CL1.
3. Create an IPsec rule on LON-CL2 by using the Windows PowerShell command-line interface.
4. Test connectivity between LON-CL2 and LON-CL1.

Task 1: Create an Internet Protocol security (IPsec) rule on LON-CL1

1. On LON-CL1, open Control Panel, and then open Windows Firewall.
2. Create a connection security rule that allows traffic on LON-CL1 with the following settings:
   o Rule: Isolation
   o Requirements: Require authentication for inbound connections and request authentication for outbound connections
   o Authentication: Computer and user (Kerberos V5)
   o Name: Authenticate all inbound connections

Task 2: Test connectivity between LON-CL2 and LON-CL1

1. Switch to LON-CL2, open a Command Prompt window, and then ping LON-CL1.
2. Close the Command Prompt window.


Task 3: Create an IPsec rule on LON-CL2 by using the Windows PowerShell command-line interface

1. On LON-CL2, open an Administrator: Windows PowerShell window, and then run the following cmdlet:

New-NetIPsecRule -DisplayName "Authenticate all inbound connections" -InboundSecurity Require -OutboundSecurity Request -Phase1AuthSet ComputerKerberos -Phase2AuthSet UserKerberos

Note: The monitoring component for the newly created Connection Security Rule might not be created in a timely fashion. To force the creation of the monitoring component, perform the following steps:

1. Open the Control Panel, open Windows Firewall, and then navigate to the Advanced Security page.
2. Under the Connection Security Rules node, double-click Authenticate all inbound connections.
3. In the Description field, type Requires inbound authentication, and then click OK.

Task 4: Test connectivity between LON-CL2 and LON-CL1

1. Ping LON-CL1.
2. Open Control Panel, open Windows Firewall, and then open the Advanced settings.
3. Examine the Security Associations monitoring.
4. Switch to LON-CL1, and then open a Windows PowerShell Command Prompt window in Administrator mode.
5. To examine the Main Mode Security Associations, run the following cmdlet:
   Get-NetIPsecMainModeSA
6. To examine the Quick Mode Security Associations, run the following cmdlet:
   Get-NetIPsecQuickModeSA

Results: After completing this exercise, you should have created and tested IPsec rules.

To prepare for the next lab


When you finish the lab, leave the virtual machines running, as they are needed for the next lab.


Lesson 4

Guarding Windows 8.1 Against Malware

Malware might show up on computers and devices in your organization, despite your efforts to prevent it. When this occurs, you must investigate it immediately and take appropriate action. Windows 8.1 includes components that can help you identify and remove malware from computers in your environment.

Lesson Objectives
After completing this lesson, you will be able to:

Describe Windows 8.1 protection against malware.
Explain how to adjust Windows SmartScreen settings.
Explain how to configure scanning options in Windows Defender.

Windows 8.1 Protection Against Malware


Windows 8.1 contains two important features that help protect your computer against malware. These two features are Windows SmartScreen and Windows Defender, which are described in the sections below.

Windows SmartScreen
The Windows SmartScreen safety feature in Windows 8.1 helps protect against apps that might contain malware or perform unwanted operations on your computer. When an app is executed, SmartScreen takes advantage of the Microsoft SmartScreen online databases to determine whether an app has been identified as malicious. Windows SmartScreen then will warn you prior to executing a potentially malicious app.

The SmartScreen filter that is built into Internet Explorer scans incoming files, in addition to visited sites to determine the possibility that content might compromise your computer. If content poses a risk, SmartScreen will provide a warning to the user that the content or site might be unsafe.

Windows Defender

Windows Defender helps protect your computer from spyware, malware, and viruses. Windows Defender also is Hyper-V aware, meaning that it detects if Windows 8.1 is running as a virtual machine. Windows Defender uses definitions to determine if software it detects is unwanted, and to alert you to potential risks. To help keep definitions up-to-date, Windows Defender automatically installs new definitions as they are released.

In Windows Defender, you can run a Quick, Full, or Custom scan. If you suspect spyware has infected a specific area of a computer, you can customize a scan by selecting specific drives and folders. You also can configure the schedule that Windows Defender will use. You can choose to have Windows Defender exclude processes in your scan. Doing so can make the scan complete faster, but your computer will be less protected. When Windows Defender detects potential spyware activity, it stops the activity and then raises an alert.


Alert levels help you determine how to respond to spyware and unwanted software. You can configure Windows Defender behavior when a scan identifies unwanted software. You also are alerted if software attempts to change important Windows operating system settings. To help prevent spyware and other unwanted software from running on a computer, turn on Windows Defender real-time protection.

Adjusting Windows SmartScreen Settings


Depending on the requirements of your organization, you can adjust Windows SmartScreen settings to alter its functionality. You can configure Windows SmartScreen to treat unrecognized apps in one of three ways by selecting one of the following options:

Get administrator approval before running an unrecognized app from the Internet (recommended)
Warn before running an unrecognized app, but don't require administrator approval
Don't do anything (turn off Windows SmartScreen)

Configuring Windows SmartScreen Settings


You can configure Windows SmartScreen settings by following this procedure:

1. From the Start screen, type SmartScreen.
2. In the Action Center window, click Change Windows SmartScreen settings.
3. In the Windows SmartScreen window, select the action you would like SmartScreen to take when an unrecognized app is downloaded.

Configuring Scanning Options in Windows Defender


Windows Defender includes automatic scanning options that provide regular scanning and on-demand scanning for malware. The following table identifies the scanning options.


Scan option and description:

Quick. Checks the areas that malware, including viruses, spyware, and unwanted software, are most likely to infect.
Full. Checks all the files on your hard disk and all running programs.
Custom. Enables users to scan specific drives and folders.

As a best practice, you should schedule a daily quick scan. At any time, if you suspect that spyware has infected a computer, run a full scan. When you run a scan, the progress displays on the Windows Defender Home page. When Windows Defender detects a potentially harmful file, it moves the file to a quarantine area and does not allow it to run or allow other processes to access it. Once the scan is complete, choose to Remove or Restore Quarantined items and to maintain the Allowed list. A list of Quarantined items is available from the Settings page. Click View to see all items. Review each item and individually Remove or Restore each. Alternatively, if you want to remove all Quarantined items, click Remove All.

Note: Do not restore software with severe or high alert ratings because it can put your privacy and your computer's security at risk.

If you trust software that has been detected, stop Windows Defender from alerting you to risks that the software might pose by adding it to the Allowed list. If you decide to monitor the software later, remove it from the Allowed list. The next time Windows Defender alerts you about software that you want to include in the Allowed list, in the Alert dialog box, on the Action menu, click Allow, and then click Apply actions. Review and remove software that you have allowed from the Excluded files and locations list on the Settings page.

Advanced Scanning Options


When you scan the computer, you can choose from five additional options:

Scan archive files. Scanning these locations might increase the time that is required to complete a scan, but spyware and other unwanted software can install itself and attempt to hide in these locations.

Scan removable drives. Use this option to scan the contents of removable drives, such as USB flash drives.

Create a system restore point. Use this option before applying actions to detected items. Because you can set Windows Defender to remove detected items automatically, selecting this option allows you to restore system settings.

Allow all users to view the full History results. Use this option to allow all users that sign in to this computer to see the scanning history. If you do not select this option, users will only see scan results that relate to their files.

Remove quarantined files after: <Time>. Removes quarantined files after a set period of time. When you enable this option, the default period is one month, but you can set it from one day to three months.
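As an added example (not part of the course text), the following Windows PowerShell commands apply the scanning options and advanced options described above through the Windows Defender module instead of the Windows Defender window, and then read the resulting configuration back so it can be reviewed. It assumes an elevated Windows PowerShell session on Windows 8.1 where the Defender module cmdlets (Get-MpPreference, Set-MpPreference, Start-MpScan) are available, and the scan path is a constructed sample.

```powershell
# Added example (not from the course text): configure Windows Defender scan options
# with the Defender module and review the result.
# Assumption: elevated Windows PowerShell on Windows 8.1 with the Defender module.

# Daily quick scan (the "schedule a daily quick scan" best practice) at 02:00 local time,
# refreshing definitions before the scan runs.
Set-MpPreference -ScanParameters QuickScan `
                 -ScanScheduleDay Everyday `
                 -ScanScheduleTime (Get-Date '02:00') `
                 -CheckForSignaturesBeforeRunningScan $true

# Advanced options. The module exposes these as Disable* switches, so $false keeps the
# option ON: scan archive files, scan removable drives, create a restore point before
# acting on detections. Quarantined items are purged after 30 days (the UI default of one month).
Set-MpPreference -DisableArchiveScanning        $false `
                 -DisableRemovableDriveScanning $false `
                 -DisableRestorePoint           $false `
                 -QuarantinePurgeItemsAfterDelay 30

# Read the effective configuration back. Exclusions reduce coverage, so they are listed
# here for review rather than added.
$pref = Get-MpPreference
[pscustomobject]@{
    ScanType          = $pref.ScanParameters          # 1 = QuickScan, 2 = FullScan
    ScheduleDay       = $pref.ScanScheduleDay         # 0 = Everyday
    ScheduleTime      = $pref.ScanScheduleTime
    ArchiveScanning   = -not $pref.DisableArchiveScanning
    RemovableDrives   = -not $pref.DisableRemovableDriveScanning
    RestorePoint      = -not $pref.DisableRestorePoint
    QuarantineDays    = $pref.QuarantinePurgeItemsAfterDelay
    ExcludedPaths     = @($pref.ExclusionPath) -join '; '
    ExcludedProcesses = @($pref.ExclusionProcess) -join '; '
} | Format-List

# A Custom (on-demand) scan of one folder, matching the Custom option in the table above.
# The path is a constructed sample; replace it with the drive or folder you suspect.
Start-MpScan -ScanType CustomScan -ScanPath 'C:\Users\Public\Downloads'
```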


Lab C: Configuring Malware Protection


Scenario

You are planning to use Windows Defender to check for malware every day. You also want to ensure that Windows Defender will quarantine any files that it considers a severe risk to your system's security.

Objectives
After completing this lab, you will be able to: Configure Windows Defender.

Lab Setup
Estimated Time: 15 minutes
Virtual machines: 20687C-LON-DC1, 20687C-LON-CL1, 20687C-LON-CL2
User name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. The required virtual machines should be running already from the preceding lab.

Exercise 1: Configuring Windows Defender


Scenario
You need to configure Windows Defender to perform a full scan every day at 2:00 A.M. Before configuring Windows Defender, you plan on running a quick scan. Finally, you want to configure the default actions for Windows Defender to take and to check the items that you do not want it to scan. The main tasks for this exercise are as follows:

1. Perform a quick scan.
2. Test malware detection.
3. Examine the Windows Defender history.

Task 1: Perform a quick scan


1. On LON-CL1, open Control Panel, and then open Windows Defender.
2. On the Home page, perform a quick scan, and then review the results.
3. Close Windows Defender.

Task 2: Test malware detection


1. Open File Explorer, and then browse to E:\Labfiles\Mod08\Malware.
2. In the Malware folder, open sample.txt in Notepad. The sample.txt file contains a text string that is used to test malware detection.
3. In the sample.txt file, delete both instances of <remove>, including the brackets.
4. Save and close the file.
5. Immediately, Windows Defender detects a potential threat. Shortly thereafter, the sample.txt file will be removed from the Malware folder.


Task 3: Examine the Windows Defender history


1. Open Control Panel, and then open Windows Defender.
2. On the History tab, click View Details, and then review the results.
3. Remove any quarantined files.
4. Close Windows Defender.

Results: After completing this exercise, you should have configured and used Windows Defender.

To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state.

1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687C-LON-CL2, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20687C-LON-CL1 and 20687C-LON-DC1.


Module Review and Takeaways


Best Practice: Configuration Guidelines for Windows Firewall with Advanced Security

You can configure Windows Firewall with Advanced Security in the following ways:

1. Configure a local or remote computer by using either the Windows Firewall with Advanced Security snap-in to the MMC or the cmdlets in the NetSecurity module for Windows PowerShell.
2. Configure Windows Firewall with Advanced Security settings by using the Group Policy Management Console or the cmdlets in the NetSecurity module.
3. If you configure the firewall by using Group Policy, you need to ensure that the Windows Firewall service has explicit write access by its service security identifier to the location that you specify.
4. If you deploy Windows Firewall with Advanced Security by using Group Policy and then block outbound connections, ensure that you enable the Group Policy outbound rules, and do full testing in a test environment before deploying. Otherwise, you might prevent all of the computers that receive the policy from updating the policy in the future, unless you intervene manually.

Best Practice: Implementing Defense-in-Depth

Supplement or modify the following best practices for your own work situation:

Create specific rules that help prevent social engineering, and educate users on these rules and their relevance.
Restrict physical access to servers by locking doors, and then monitor server room access.
Implement antivirus and antispyware software.
Implement host-based firewalls.

Best Practice: Windows Defender

Supplement or modify the following best practices for your own work situation:

1. When you use Windows Defender, you must have current definitions.
2. To help keep your definitions current, Windows Defender automatically installs new definitions as they are released. You also can set Windows Defender to check online for updated definitions before scanning.
3. When you scan your computer, before applying actions to detected items, you should select the advanced option to Create a system restore point. Because you can set Windows Defender to remove detected items automatically, selecting this option allows you to restore system settings in case you want to use software that you did not intend to remove.


Review Questions
Question: You need to ensure that traffic passing between a computer in the perimeter network and one deployed in the internal network is encrypted and authenticated. The computer in the perimeter is not a member of your AD DS forest. What authentication methods could you use if you attempted to establish an IPsec rule between these two computers?

Question: If you wanted to ensure that only domain computers can communicate with other domain computers, how could you achieve this with Windows Firewall?

Question: What does Windows Defender do to software that it quarantines?

Module 9
Configuring File Access and Printers on Windows 8.1 Clients
Contents:
Module Overview 9-1
Lesson 1: Managing File Access 9-2
Lesson 2: Managing Shared Folders 9-16
Lesson 3: Configuring File Compression 9-25
Lab A: Configuring File Access 9-29
Lesson 4: Overview of SkyDrive 9-32
Lesson 5: Managing Printers 9-37
Lab B: Configuring Printers 9-41
Module Review and Takeaways 9-43

Module Overview

This module provides the information and tools that you need to manage access to shared folders and printers on a computer that is running the Windows 8.1 operating system. Specifically, the module describes how to share and protect folders, configure folder compression, and how to install, configure, and manage printers. Additionally, this module introduces SkyDrive functionality.

To maintain network or local file and printer systems, it is essential to understand how to safeguard these systems and make them operate as efficiently and effectively as possible. This includes setting up NTFS folder permissions, compressing and managing shared folders and files, and configuring printers.

Objectives
After completing this module, you will be able to:

Implement file access management in Windows 8.1.
Configure management of shared folders.
Configure file compression in Windows 8.1.
Describe the purpose and functionality of SkyDrive.
Manage printers.


Lesson 1

Managing File Access

One of the most common ways that users access data is from network file shares. You can control access to file shares with file share permissions and NTFS permissions. Understanding how to determine effective permissions is essential to securing your files. You can use NTFS permissions to define the level of access that users have to files that are available on a network or locally on a Windows 8.1 computer. This lesson explores NTFS permissions and describes the tools for managing files and folders, in addition to the effect of various file and folder activities on these permissions.

Lesson Objectives
After completing this lesson, you will be able to:

Describe local security permissions.
Describe the concept of permission inheritance.
Describe the tools for managing files and folder access.
Configure NTFS permissions.
Determine effective permissions.
Describe how copying and moving files and folders affects NTFS permissions.
Describe effective permissions.
Implement conditions to limit file and folder access.

Configuring Local Security Permissions


Permission is the authorization to perform an operation on a specific object, such as a file. The object's owner, or anyone with authority to grant permissions, can do so. This typically includes system administrators. If you own an object, you can grant any user or security group any permission on that object, including the permission to take ownership.

Every container and object on a network has a set of access-control information attached to it. Known as a security descriptor, this information controls the type of access allowed to users and groups. You can define permissions within an object's security descriptor and then associate them with or assign them to specific users and groups. File and folder permissions define the type of access that you grant to a user, group, or computer. For example, you can let one user read a file's contents, while you let another user make changes to that file. Alternatively, you can prevent all other users from accessing that file. You can set similar permissions on folders.


There are two levels of permissions:

Shared folder permissions. These allow security principals such as users to access shared resources from across a network. Shared folder permissions only are in effect when a user accesses a resource from a network. The next lesson covers this topic in detail.

NTFS permissions. These always are in effect, irrespective of whether a user accesses a file by connecting across a network or by logging on to the local machine where the resource is located. You can grant NTFS permissions to a file or folder for a named group or user.

Each NTFS file and folder has an access control list (ACL) with a list of users and groups who have permissions on the file or folder. Each entry in the ACL is an access control entry that identifies the specific permissions granted to a user or group.
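As an added example (not part of the course text), the following Windows PowerShell script reads a folder's security descriptor, lists each access control entry with its principal, rights, Allow/Deny type and whether it was inherited, and then shows the owner granting one explicit permission. The folder under %TEMP% is a constructed sample, so the current user owns it; the group is identified by the well-known SID for BUILTIN\Users so that it works regardless of display language.

```powershell
# Added example (not from the course text): inspect and modify an NTFS ACL.
# Assumption: the folder is a constructed sample created by the current user, who is
# therefore its owner and may grant permissions on it.
$sample = Join-Path $env:TEMP 'AclDemo'
New-Item -ItemType Directory -Path $sample -Force | Out-Null

function Get-NtfsAceSummary {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path                  # the security descriptor: owner plus DACL
    foreach ($ace in $acl.Access) {             # one FileSystemAccessRule per access control entry
        [pscustomobject]@{
            Owner     = $acl.Owner
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Type      = $ace.AccessControlType   # Allow or Deny
            Inherited = $ace.IsInherited         # inherited from the parent folder, or set here
        }
    }
}

Write-Host 'ACEs before the grant:'
Get-NtfsAceSummary -Path $sample | Format-Table -AutoSize

# The owner grants BUILTIN\Users (well-known SID S-1-5-32-545) read-only access as an
# explicit ACE that flows to subfolders and files.
$acl  = Get-Acl -Path $sample
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    [System.Security.Principal.SecurityIdentifier]'S-1-5-32-545',
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow
)
$acl.AddAccessRule($rule)
Set-Acl -Path $sample -AclObject $acl

Write-Host 'ACEs after the grant (the new entry shows Inherited = False):'
Get-NtfsAceSummary -Path $sample | Format-Table -AutoSize
```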

Conflicts Between User Rights and Permissions

User rights allow administrators to assign specific privileges and logon rights to groups or users. These rights authorize users to perform specific actions, such as logging on to a system interactively or backing up files and directories. User rights are different from permissions: user rights apply to user accounts, whereas permissions are attached to objects.

Administrators can employ user rights to manage who has the authority to perform operations that span an entire computer, rather than a particular object. Administrators assign user rights to individual users or groups as part of a computer's security settings. Although you can manage user rights centrally through Group Policy, Windows 8.1 applies user rights locally. Users can, and usually do, have different user rights on different computers. Unlike permissions, which an object's owner (or a user with appropriate permissions) grants, you assign user rights as part of a computer's local security policy.

There are two types of user rights: privileges, such as the right to back up files and directories, and logon rights, such as the right to log on to a system locally.

Possible Scenarios
Conflicts between rights and permissions typically occur only where the rights that are required to administer a system overlap with resource-ownership rights. When there is a conflict, rights override permissions.

For example, to create a backup of files and folders, backup software must be able to traverse all folders in an NTFS volume, list the contents of each folder, read the attributes of every file, and read data in any file that has its archive attribute set. It is impractical to arrange this access by coordinating with the owner of every file and folder. Therefore, the required rights are included in the Back up files and directories right, which is assigned by default to two built-in groups: Administrators and Backup Operators. Any user who has this right can access all files and folders on the computer to back up the system. The same default permissions that allow members of the Backup Operators group to back up and restore files also enable them to use the group's permissions for other purposes, such as reading another user's files or installing Trojan horse programs. Therefore, you should limit the Backup Operators group to highly trusted user accounts that require the ability to back up and restore computers.

The ability to take ownership of files and other objects is another case where an administrator's need to maintain a system takes priority over an owner's right to control access. Normally, you can take ownership of an object only if its current owner grants you permission to do so. Owners of NTFS objects can allow another user to take ownership by granting the other user the Take Ownership permission. Owners of Active Directory Domain Services (AD DS) objects can grant another user the Modify Owner permission. A user who has the Take ownership of files or other objects user right, however, can take ownership of an object without the current owner's permission. By default, this right is assigned only to the built-in Administrators group. Administrators typically use it to take and reassign ownership of resources for which the current owner is no longer available.


Configuring File Access and Printers on Windows 8.1 Clients

Types of NTFS Permissions


The two types of NTFS permissions are standard and special:

Standard permissions. These are the most commonly used permissions.

Special permissions. These provide a finer degree of control for assigning access to files and folders. However, special permissions are more complex to manage than standard permissions.

Standard File and Folder Permissions

The following table lists the standard NTFS file and folder permissions. You can choose whether to allow or deny each of the permissions.

Full Control: Complete control of the file or folder and control of permissions.

Modify: Read and write permission; this applies to an object and any child objects by default. The specific permissions that make up Modify are Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Create Files/Write Data, Create Folders/Append Data, Write Attributes, Write Extended Attributes, Delete, and Read Permissions.

Read and Execute: With this permission, you can see folder content, read files, and start programs; this applies to an object and any child objects by default. The specific permissions that make up Read and Execute are Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, and Read Permissions.

Read: Read-only permission; this applies to an object and any child objects by default. The specific permissions that make up Read are List Folder/Read Data, Read Attributes, and Read Extended Attributes.

Write: With this permission, you can change folder and file content; this applies to an object and any child objects by default. The specific permissions that make up Write are Create Files/Write Data, Create Folders/Append Data, Write Attributes, and Write Extended Attributes.

Special permissions: A custom configuration.

Note: Groups or users that are granted Full Control on a folder can delete any files in that folder, regardless of the permissions protecting the file.

To modify NTFS permissions, you must have the Full Control NTFS permission for a folder or file. The one exception is for file and folder owners. The owner of a file or folder can modify NTFS permissions, even if they do not have any current NTFS permissions. Administrators can take ownership of files and folders to make modifications to NTFS permissions.

Special File and Folder Permissions

Special permissions give you a finer degree of control for assigning access to files and folders. However, special permissions are more complex to manage than standard permissions. The following table defines the special permissions for which you can provide custom configuration for each file and folder.


Traverse Folder/Execute File: The Traverse Folder permission applies only to folders and allows or denies a user permission to move through folders to reach other files or folders, even if the user does not have permissions for the traversed folders. Traverse Folder takes effect only when you do not grant the Bypass Traverse Checking user right to the group or user. The Bypass Traverse Checking user right is assigned under the user rights settings in the Group Policy snap-in. By default, the Everyone group is given the Bypass Traverse Checking user right. The Execute File permission allows or denies running program files. If you set the Traverse Folder permission on a folder, the Execute File permission is not set automatically on all files in that folder.

List Folder/Read Data: The List Folder permission allows or denies a user permission to view file names and subfolder names in a folder. The List Folder permission applies only to folders and affects only the contents of that folder; it does not affect whether the folder on which you set the permission is itself listed. The Read Data permission applies only to files, and it allows or denies a user permission to view data in files.

Read Attributes: The Read Attributes permission allows or denies a user permission to view the attributes of a file or folder, such as the read-only and hidden attributes. NTFS defines the attributes.

Read Extended Attributes: The Read Extended Attributes permission allows or denies a user permission to view the extended attributes of a file or folder. Extended attributes are defined by programs, and they can vary by program.

Create Files/Write Data: The Create Files permission applies only to folders, and it allows or denies a user permission to create files in the folder. The Write Data permission applies only to files and allows or denies a user permission to make changes to a file and overwrite existing content.

Create Folders/Append Data: The Create Folders permission applies only to folders and allows or denies a user permission to create folders in the folder. The Append Data permission applies only to files and allows or denies a user permission to make changes to the end of the file, but not to change, delete, or overwrite existing data.

Write Attributes: The Write Attributes permission allows or denies a user permission to change the attributes of a file or folder, such as read-only or hidden. NTFS defines the attributes. The Write Attributes permission does not imply that you can create or delete files or folders. It includes only the permission to make changes to the attributes of a file or folder.

Write Extended Attributes: The Write Extended Attributes permission allows or denies a user permission to change the extended attributes of a file or folder. Programs define the extended attributes, which can vary by program. The Write Extended Attributes permission does not imply that a user can create or delete files or folders. It includes only the permission to make changes to the extended attributes of a file or folder.

Delete Subfolders and Files: The Delete Subfolders and Files permission applies only to folders and allows or denies a user permission to delete subfolders and files, even if you do not grant Delete permission on the subfolder or file.

Delete: The Delete permission allows or denies a user permission to delete the file or folder. If you do not have the Delete permission on a file or folder, you can still delete the file or folder if you have the Delete Subfolders and Files permission on the parent folder.

Read Permissions: The Read Permissions permission allows or denies a user permission to read the permissions on a file or folder, such as Full Control, Read, and Write.

Change Permissions: The Change Permissions permission allows or denies a user permission to change the permissions on a file or folder, such as Full Control, Read, and Write.

Take Ownership: The Take Ownership permission allows or denies a user permission to take ownership of a file or folder. The owner of a file or folder can change permissions on it regardless of any existing permissions that protect the file or folder.

Conditions

In Windows 8.1, you can assign conditions that must be met for a permission to take effect. You can base conditions on group memberships or the device with which a user accesses a file or folder. When viewing the NTFS permissions for a file or folder, the applied conditions are listed in the Condition column in the Advanced Security Settings for <file/foldername>.

When you use a Group condition, you can specify that the permission will apply to the user based on the following group membership rules:
o Member of Any of the specified groups.
o Member of Each of the specified groups.
o Not Member of Any of the specified groups.
o Not Member of Each of the specified groups.

When you use a Device condition, you can specify that the permission will apply if a user accesses the file from a specified computer or computers. The following topic explains this condition further.

You can specify multiple conditions that must be met for the configured permission to apply. For example, you can create a permission that would give members of the Financial group Full Control permissions if they also are members of the Managers group and are accessing the folder from <computername>.


Overview of Permission Inheritance


There are two types of permissions:

Explicit permissions. Permissions that are set by default on nonchild objects when an object is created, or by user action on nonchild, parent, or child objects.

Inherited permissions. Permissions that propagate to an object from a parent object. Inherited permissions ease the task of managing permissions and ensure the consistency of permissions among all objects within a given container.

Permission inheritance allows the NTFS permissions that are set on a folder to apply automatically to files that users create in that folder and its subfolders. This means that you can set NTFS permissions for an entire folder structure at a single point. If you have to modify the permissions, you then only have to perform the change at that single point. For example, when you create a folder called MyFolder, all subfolders and files created within MyFolder automatically inherit that folder's permissions. Therefore, MyFolder has explicit permissions, while all subfolders and files within it have inherited permissions.

You also can add permissions to files and folders below an initial point of inheritance without modifying the original permissions assignment. This grants a specific user or group different access than the inherited permissions.

Inheritance for All Objects

If the Allow or Deny check boxes that are associated with each of the permissions appear shaded, a file or folder has inherited permissions from its parent folder. There are three ways to make changes to inherited permissions:

Make changes to a parent folder, and then the file or folder will inherit these permissions.

Select the opposite permission (Allow or Deny) to override the inherited permission.

Choose not to inherit permissions from a parent object. You then can make changes to the permissions or remove a user or group from the permissions list of the file or folder.

You also can deny permissions explicitly. For example, Alice might not want Bob to be able to read her file even though he is a member of the Marketing group. She can exclude Bob by explicitly denying him permission to read the file. This is the normal use of an explicit denial: to exclude a subset (such as Bob) from a larger group (such as Marketing) that is given permission to perform an operation.

Note that, while possible, the use of explicit denials increases the complexity of the authorization policy, which can create unexpected errors. For example, you might want to allow domain administrators to perform an action but deny domain users. If you attempt to implement this by explicitly denying domain users, you also deny any domain administrators who also are domain users. Though it is sometimes necessary, you should avoid the use of explicit denials.

In most cases, Deny overrides Allow unless a folder inherits conflicting settings from different parents. In that case, the setting inherited from the parent closest to the object in the subtree will have precedence.

Note: Inherited Deny permissions do not prevent access to an object if the object has an explicit Allow permission entry. Explicit permissions take precedence over inherited permissions, even inherited Deny permissions.


Child objects only inherit permissions that they are capable of inheriting. When you set permissions on a parent object, you can decide whether folders, subfolders, and files can inherit permissions. Perform the following procedure to assign permissions that can be inherited:

1. In File Explorer, right-click the file or subfolder, click Properties, click the Security tab, and then click Advanced.

2. In the Advanced Security Settings for <file or folder> dialog box, the Inherited From column lists from where the permissions are inherited. The Applies To column lists the folders, subfolders, or files to which the permissions are applied.

3. Double-click the user or group for which you want to adjust permissions.

4. In the Permissions Entry for <name> dialog box, click the Applies to drop-down list, and then select one of the following options:
o This folder only
o This folder, subfolders, and files
o This folder and subfolders
o This folder and files
o Subfolders and files only
o Subfolders only
o Files only

5. Click OK in the Permission Entry for <name> dialog box, click OK on the Advanced Security Settings for <name> page, and then click OK on the Properties page.

If the Special permissions entry in the Permissions for <User or Group> box is shaded, it does not imply that this permission is inherited. Rather, this means that a special permission is selected.

Preventing Permission Inheritance

After you set permissions on a parent folder, new files and subfolders that are created in the folder inherit these permissions. You can block permission inheritance to restrict access to these files and subfolders. For example, you can assign all Accounting users the Modify permission to the ACCOUNTING folder. On the subfolder WAGES, you can block inherited permissions and grant only a few specific users access to the folder.

Note: When permission inheritance is blocked, you have the option to copy existing permissions or begin with blank permissions. If you only want to restrict a particular group or user, then copying existing permissions simplifies the configuration process.

To prevent a child file or folder from inheriting a permission from a parent folder, select This folder only in the Applies to drop-down list when you set up permissions for the parent folder. To prevent a folder or file from inheriting permissions from a parent folder, perform the following procedure:

1. In File Explorer, right-click the file or subfolder, click Properties, click the Security tab, and then click Advanced.

2. In the Advanced Security Settings for <file or folder> page, click Disable inheritance.

3. In the Block Inheritance dialog box, select any of the following options:
o Convert inherited permissions into explicit permissions on this object
o Remove all inherited permissions from this object
o Cancel

4. Click OK in the Advanced Security Settings for <name> dialog box, and then click OK on the Properties page.

Forcing Permission Inheritance

The Advanced Security dialog box for folders includes a check box labeled Replace all child object permission entries with inheritable entries from this object. Selecting this check box will replace the permissions on all child objects that you have the ability to change permissions on, including child objects that had Block inheritance configured. This can be particularly useful if you need to change permissions on a large number of subfolders and files, especially when the original permissions were set incorrectly.

Tools for Managing File and Folder Access


File access is based on NTFS permissions set in ACLs. To use permissions to control access, you need a way to set permissions on files and folders. A number of tools are available for managing access to files and folders. This topic will describe the following tools:

File Explorer, formerly known as Windows Explorer

The Windows PowerShell command-line interface

Icacls

File Explorer

File Explorer provides a simple interface that is familiar to most Windows users. You can perform several functions by using File Explorer, including:

Creating files and folders

Accessing files and folders

Managing properties of files and folders

Searching for content in files and folders

Previewing contents of files and folders

File Explorer is pinned to the taskbar by default in Windows 8.1. You can use File Explorer to access the properties of any file or folder that is attached to a local computer, provided that you have the rights to do so. You can manage the attributes and local security (NTFS) permissions of those files and folders.

The toolbar in File Explorer is context sensitive such that when you click a particular type of object, like a document or a bitmap image, the toolbar presents actions that you can perform on that type of object.


Windows PowerShell

Windows PowerShell provides cmdlets to manage files and folders. To manage NTFS permissions, you can use the Get-ACL and Set-ACL cmdlets. For example, to see the current ACL on the C:\Perflogs directory with the output in list format, you would run the following command:
Get-ACL C:\perflogs | Format-List

To modify the ACL of a file or folder, use the Set-ACL cmdlet in conjunction with the Get-ACL cmdlet. The Get-ACL cmdlet provides the input by getting the object that represents the ACL of the file or folder. Then the Set-ACL cmdlet changes the ACL of the target file or folder to match the values supplied by the Get-ACL cmdlet. For example, to set the ACL on the folder C:\Qrt2_Sales to match the permissions, including inheritance settings, on a folder named C:\Qrt1_Sales, you would run the following command:
Get-ACL C:\Qrt1_Sales | Set-ACL C:\Qrt2_Sales

You also can create variables and arguments to modify existing ACLs. For more information on the Set-ACL cmdlet, refer to: Set-ACL http://go.microsoft.com/fwlink/?LinkId=378245&clcid=0x409

Icacls

Icacls is a command-line utility that you can use to display or modify ACLs. It can grant standard permissions such as Modify or Full Control, or specific permissions such as Write Data/Add File or Delete, and it can modify inheritance settings. For example, to disable inheritance, remove the inherited ACLs, and set new permissions for the Adatum\Sales group to be Modify and the Administrators group to be Full Control on the folder C:\Data and all the objects in the folder, you would run the following command:
Icacls C:\data /inheritance:r /grant Adatum\Sales:(oi)M /grant Administrators:(oi)F

Where (oi) instructs Icacls to have objects in the folder inherit the Modify permission.
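The same scenario expressed with Get-ACL and Set-ACL, as an added example that is not code from the course or from Microsoft. It assumes that the folder C:\Data exists and that the group Adatum\Sales resolves on the computer; it grants with both object inherit (files) and container inherit (subfolders), and it includes a mapping from the Applies to choices of the Permission Entry dialog to the .NET inheritance and propagation flags that Set-ACL needs.

```powershell
# Added example (not course or Microsoft code): the lesson's icacls scenario done with
# Get-Acl/Set-Acl. Assumes C:\Data exists and Adatum\Sales resolves on this computer.

# The seven "Applies to" choices in the Permission Entry dialog, and the
# InheritanceFlags/PropagationFlags each one corresponds to.
$AppliesTo = @{
    'This folder only'                  = @{ Inheritance = 'None';                            Propagation = 'None' }
    'This folder, subfolders and files' = @{ Inheritance = 'ContainerInherit, ObjectInherit'; Propagation = 'None' }
    'This folder and subfolders'        = @{ Inheritance = 'ContainerInherit';                Propagation = 'None' }
    'This folder and files'             = @{ Inheritance = 'ObjectInherit';                   Propagation = 'None' }
    'Subfolders and files only'         = @{ Inheritance = 'ContainerInherit, ObjectInherit'; Propagation = 'InheritOnly' }
    'Subfolders only'                   = @{ Inheritance = 'ContainerInherit';                Propagation = 'InheritOnly' }
    'Files only'                        = @{ Inheritance = 'ObjectInherit';                   Propagation = 'InheritOnly' }
}

# Builds one access rule from an identity, a standard right and an "Applies to" label.
function New-FolderAccessRule {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][System.Security.AccessControl.FileSystemRights]$Rights,
        [Parameter(Mandatory)][string]$AppliesToLabel,
        [System.Security.AccessControl.AccessControlType]$Type = 'Allow'
    )
    $flags = $AppliesTo[$AppliesToLabel]
    if (-not $flags) { throw "Unknown 'Applies to' choice: $AppliesToLabel" }
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Identity,
        $Rights,
        [System.Security.AccessControl.InheritanceFlags]$flags.Inheritance,
        [System.Security.AccessControl.PropagationFlags]$flags.Propagation,
        $Type
    )
}

$folder = 'C:\Data'
$acl = Get-Acl -Path $folder

# icacls /inheritance:r -> stop inheriting and drop the inherited entries.
# (SetAccessRuleProtection($true, $true) would instead convert them to explicit entries,
#  which is what the demonstration later in this lesson does.)
$acl.SetAccessRuleProtection($true, $false)

# icacls /grant Adatum\Sales:(OI)(CI)M and Administrators:(OI)(CI)F
$acl.AddAccessRule((New-FolderAccessRule -Identity 'Adatum\Sales' -Rights Modify `
    -AppliesToLabel 'This folder, subfolders and files'))
$acl.AddAccessRule((New-FolderAccessRule -Identity 'BUILTIN\Administrators' -Rights FullControl `
    -AppliesToLabel 'This folder, subfolders and files'))
Set-Acl -Path $folder -AclObject $acl

# Verify: every entry should now be explicit (IsInherited = False) and carry the
# ContainerInherit, ObjectInherit flags so that subfolders and files inherit it.
(Get-Acl -Path $folder).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited, InheritanceFlags, PropagationFlags |
    Format-Table -AutoSize
```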

Demonstration: Configuring Local Security Permissions for Files and Folders


In this demonstration, you will see how to configure NTFS permissions.

Demonstration Steps Create a new folder


1. Sign in to LON-CL1 as Adatum\Administrator.
2. Start File Explorer.
3. Open the E:\Labfiles\Mod09 folder.
4. Create a folder named Adatum.

Disable inherited permissions on the Adatum folder


1. Open the Advanced security settings for the Adatum folder.
2. Disable inheritance for the Adatum folder, and then convert the inherited permissions to explicit permissions.
3. Apply the change. Note the change in the inheritance column.
4. Note the contents of the Applies To column.

Create a file in the Adatum folder


1. In the Advanced Security Settings for Adatum dialog box, click OK.
2. Open the Adatum folder, and then create a new file named PermissionsTest.txt.

Examine the permissions on the PermissionsTest file


1. Open the Advanced security settings for the PermissionsTest file.
2. Review the permissions on the PermissionsTest file.

Grant managers Modify permissions on the PermissionsTest file


1. Add the Managers group, and then grant them Modify permissions to the PermissionsTest file.
2. Note the Managers permission and from where it is inherited.
3. Close all open windows.
4. Keep the virtual machines running for the next demonstration.

Determining Effective Access for a File or Folder


Each file and folder contains user and group permissions. Windows 8.1 determines a file or folder's effective permissions by combining its user and group permissions. For example, if you assign the Read permission to a user and assign the Modify permission to a group that the user is a member of, the effective permissions of the user are Modify.

Note: When you combine permissions, a Deny permission takes precedence and overrides an Allow permission.
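The combination rules from this topic and from the inheritance topic above (rights accumulate across a user's groups, Deny overrides Allow, and an explicit entry beats an inherited one, even an inherited Deny) as a small PowerShell model; this is an added example, not course material and not a Windows API. The DACL and the accounts Alice, Bob, Carol, Marketing and Domain Users are constructed sample data, and the model leaves out details of the real access check such as generic-right mapping and the owner's implicit rights.

```powershell
# Added example: a model of how Windows walks a DACL for one user's access request.
# Not course material and not a Windows API. The sample DACL and accounts are constructed.

function New-Ace {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][ValidateSet('Allow', 'Deny')][string]$Type,
        [Parameter(Mandatory)][string[]]$Rights,
        [switch]$Inherited
    )
    [pscustomobject]@{ Identity = $Identity; Type = $Type; Rights = $Rights; IsInherited = [bool]$Inherited }
}

function Get-ModeledEffectiveAccess {
    param(
        [Parameter(Mandatory)][object[]]$Dacl,
        [Parameter(Mandatory)][string]$User,
        [string[]]$Groups = @(),
        [Parameter(Mandatory)][string[]]$Requested
    )
    # The access token carries the user, every group the user belongs to, and Everyone.
    $principals = @($User) + $Groups + @('Everyone')

    # Canonical ACE order: explicit Deny, explicit Allow, inherited Deny, inherited Allow.
    # Walking the list in this order is what lets an explicit Allow beat an inherited Deny.
    $ordered = $Dacl | Sort-Object -Property @{ Expression = {
        $(if ($_.IsInherited) { 2 } else { 0 }) + $(if ($_.Type -eq 'Deny') { 0 } else { 1 }) } }

    $decided = @{}   # right -> 'Allow' or 'Deny', set by the first ACE that covers the right
    foreach ($ace in $ordered) {
        if ($principals -notcontains $ace.Identity) { continue }
        foreach ($right in $ace.Rights) {
            # A later ACE never reverses a right that an earlier ACE already decided.
            if (($Requested -contains $right) -and -not $decided.ContainsKey($right)) {
                $decided[$right] = $ace.Type
            }
        }
    }
    # Any requested right that no Allow entry covered is implicitly denied.
    $granted = @($Requested | Where-Object { $decided[$_] -eq 'Allow' })
    [pscustomobject]@{
        User    = $User
        Granted = $granted
        Denied  = @($Requested | Where-Object { $decided[$_] -ne 'Allow' })
        Allowed = ($granted.Count -eq $Requested.Count)
    }
}

# Constructed DACL for Alice's file (the Alice/Bob example from the inheritance topic):
# Marketing may read (inherited from the folder); Bob is explicitly denied Read;
# Domain Users are denied Write by an inherited entry, but Bob has an explicit Allow for Write.
$dacl = @(
    New-Ace -Identity 'Marketing'    -Type Allow -Rights 'Read'  -Inherited
    New-Ace -Identity 'Domain Users' -Type Deny  -Rights 'Write' -Inherited
    New-Ace -Identity 'Bob'          -Type Deny  -Rights 'Read'
    New-Ace -Identity 'Bob'          -Type Allow -Rights 'Write'
)

# Carol is in Marketing and Domain Users: Read is granted through the group entry.
Get-ModeledEffectiveAccess -Dacl $dacl -User 'Carol' -Groups 'Marketing', 'Domain Users' -Requested 'Read'

# Bob: the explicit Deny is evaluated before the inherited Marketing Allow, so Read is denied;
# his explicit Allow for Write comes before the inherited Domain Users Deny, so Write is granted.
Get-ModeledEffectiveAccess -Dacl $dacl -User 'Bob' -Groups 'Marketing', 'Domain Users' -Requested 'Read', 'Write'
```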

Effective Permissions Feature

The Effective Permissions feature determines the permissions a user or group has on an object by calculating the permissions that are granted to the user or group. The calculation takes into account the permissions in effect from group membership and any of the permissions inherited from the parent object. It looks up all domain and local groups in which the user or group is a member.

Note: The Effective Permissions feature always includes the Everyone group when calculating effective permissions, as long as the selected user or group is not a member of the Anonymous Logon group.

The Effective Permissions feature only produces an approximation of the permissions that a user has. The actual permissions a user has might be different because permissions can be granted or denied based on how a user logs on. The Effective Permissions feature cannot determine this logon-specific information, because the user might not log on. Therefore, the effective permissions it displays reflect only those permissions that are specified by a user or group, and not the permissions specified by the logon.

For example, if a user connects to a computer through a file share, the logon for that user is marked as a Network Logon. You then can grant or deny permissions to the well-known security identifier Network that the connected user receives. This way, a user has different permissions when logged on locally than when logged on over a network.

You can view effective permissions in the Advanced Security Settings for <folder> dialog box. You can access this dialog box from a folder's Properties dialog box by using the Advanced button on the Security tab, or directly from the Share menu on the ribbon.

How Does Copying and Moving Files and Folders Affect Access?
When copying or moving a file or folder, the permissions might change, depending on where you move the file or folder. Therefore, when you copy or move files or folders, it is important to understand the impact on permissions.

Effects of Copying Files and Folders


When you copy a file or folder from one folder to another, or from one partition to another, permissions for the files or folders might change. Copying a file or folder has the following effects on NTFS permissions:

When you copy a file or folder within a single NTFS partition, the copy of the folder or file inherits the permissions of the destination folder.

When you copy a file or folder to a different NTFS partition, the copy of the folder or file inherits the permissions of the destination folder.

When you copy a file or folder to a non-NTFS partition, such as a FAT file system partition, the copy of the folder or file loses its NTFS permissions because non-NTFS partitions do not support NTFS permissions.

Note: When you copy a file or folder within a single NTFS partition or between NTFS partitions, you must have Read permission for the source folder and Write permission for the destination folder.

Effects of Moving Files and Folders

When moving a file or folder, permissions might change, depending on the permissions of the destination folder. Moving a file or folder has the following effects on NTFS permissions:

When you move a file or folder within an NTFS partition, the file or folder inherits the permissions of the new parent folder. If the file or folder has explicitly assigned permissions, those permissions are retained in addition to the newly inherited permissions.

Note: Most files do not have explicitly assigned permissions. Instead, they inherit permissions from their parent folder. If you move files that have only inherited permissions, they do not retain these inherited permissions during the move.

When you move a file or folder to a different NTFS partition, the folder or file inherits the permissions of the destination folder. When you move a folder or file between partitions, Windows 8.1 copies the folder or file to the new location and then deletes it from the old location.

When you move a file or folder to a non-NTFS partition, the folder or file loses its NTFS permissions because non-NTFS partitions do not support NTFS permissions.

Note: When you move a file or folder within an NTFS partition or between NTFS partitions, you must have both Write permission for the destination folder and Modify permission for the source file or folder. Modify permission is required to move a folder or file because Windows 8.1 deletes the folder or file from the source folder after it copies it to the destination folder.

The Copy command is not aware of the security settings on folders or files. However, more robust commands have this awareness. For example:

Xcopy has the /o switch to include ownership and NTFS ACL settings.

Robocopy has several switches that cause security information to be copied:
o /Copy:copyflag(s). The default setting is the equivalent of /Copy:DAT, where D=Data, A=Attributes, and T=Timestamps. You can add the S flag, where S=Security, that is, NTFS ACLs.
o /Sec is the equivalent of /Copy:DATS.

Discussion: Determining Effective Permissions


This discussion includes a scenario and three underlying situations in which you are asked to apply NTFS permissions. You and your classmates will discuss possible solutions for each situation.

Scenario
User1 is a member of the Users group and the Sales group. The graphic on the slide, which shows folders and files on an NTFS partition, includes three situations, each of which has a corresponding discussion question.

Question: The Users group has Write permission, and the Sales group has Read permission for Folder1. What permissions does User1 have for Folder1?

Question: The Users group has Read permission for Folder1. The Sales group has Write permission for Folder2. What permissions does User1 have for File2?

Question: The Users group has Modify permission for Folder1. The files in Folder2 should only be accessible to the Sales group, and they should only have read permissions to the files. What do you need to do to ensure that the members of the Sales group only have Read permission to the files in Folder2?


Implementing Conditions to Limit File and Folder Access


Windows authorization and access control technologies allow Windows Server 2012 R2 and Windows 8.1 to employ Dynamic Access Control, which provides detailed access to resources by basing access decisions on conditions. The following table lists the server-based features.

Central access rules: Conditions based on criteria such as group membership, user claims, device claims, or resource properties are used to create authorization rules. You then can implement rules to limit access to resources.

Central access policies: Central access policies use conditional expressions to restrict access to certain types of information, such as financial or medical information. You can add policies to central access rules and then apply the rules to files that contain sensitive data.

Claims-based authentication: A claim is a piece of information that uniquely identifies a user, device, or resource. Claims take the form of authentication tokens and might contain different types of information, such as group memberships, the security state of a computer, or the classification of a file. Windows Server 2012 R2 and Windows 8.1 support the following types of claims:
o User claims. AD DS attributes of the user.
o Device claims. AD DS attributes of the computer.
o Resource attributes. Resource properties published in AD DS.

Conditional expressions: Conditional expressions allow or deny access to resources when conditions such as group membership are met. You can configure expressions in the properties of the file or folder, on the Security tab, in Advanced Security Settings when you add a new permission entry or edit an existing permission entry, or you can use the Active Directory Administrative Center.

Advanced Security Settings

Both Windows Server 2012 R2 and Windows 8.1 provide Advanced Security Settings in the ACL Editor. You can access these settings by opening the Security Properties of the file or folder and clicking Advanced. In the Advanced Security Settings dialog box, adding a security principal displays the Permission Entry screen where you can configure conditions to limit access. For example, you might set a condition that specifies that only computers in the HR computer group can access the HR shared folder. You also can specify conditions that have been defined by file classification properties, such as a files business impact value. You can define multiple conditions by using the AND or OR operators to provide granular access.


Lesson 2

Managing Shared Folders

Collaboration is an important part of an administrator's job. Your team might create documents that only team members can share, or you might work with a remote team member who needs access to your team's files. Because of collaboration requirements, you must understand how to manage shared folders in a network environment. Sharing a folder enables users to connect to it over a network and to access the folders and files that it contains.

Shared folders can contain applications, public data, or a user's personal data. Managing shared folders helps you provide a central location for users to access common files, and it simplifies the task of backing up the data that those folders contain. This module examines various methods of sharing folders, along with the effect this has on file and folder permissions when you create shared folders on an NTFS-formatted partition.

Lesson Objectives
After completing this lesson, you will be able to:
• Describe shared folders.
• Describe methods for sharing folders.
• Describe the effect of combining NTFS and share permissions.
• Describe the Network and Sharing Center.
• Describe how to configure a HomeGroup for resource access.

What Are Shared Folders?


Sharing a folder makes it available to multiple users simultaneously over a network. When you share a folder, you can identify specific users with whom you want to share the folder, or you can share it with all users on the network. Sharing is limited to folders. You cannot share specific files within a folder that is not shared. Most organizations deploy dedicated file servers to host shared folders. You can store files in shared folders according to categories or functions. For example, you can put shared files for the Sales department in one shared folder, and shared files for executives in another.

Windows 8.1 uses the Public folder to simplify file sharing. With Public folder sharing enabled, the Public folders and all the folders within the Public folder are shared automatically with the name Public. You do not have to configure file sharing on separate folders. Just move or copy a file or folder that you want to share on the network to the Public folder on your Windows 8.1 client.

In Windows 8.1, members of the Administrators, Power Users, and Server Operators groups can share folders. Other users who are granted the Create Permanent Shared Objects user right also can share folders. If a folder resides on an NTFS volume, you must have at least Read permission to share the folder.


When you share a folder, you must decide the permissions that a user or group will have when they access the folder through the share. These are called share permissions. Basic share permissions are simplified greatly in Windows 8.1, which offers two choices:
• Read. The look but do not touch option. Recipients can open, but not modify or delete, a file.
• Read/Write. The full control option. Recipients can open, modify, or delete a file.

You can share folders with others on a network in several different ways:
• In the Shared Folders snap-in to the Microsoft Management Console (MMC)
• In File Explorer
• Through the command line
• Through the Computer Management tool
• By using Windows PowerShell 4.0 cmdlets

Sharing Through Shared Folders

You can use the Shared Folders snap-in to manage all file shares on a computer centrally. Use this snap-in to create file shares, set permissions, and view and manage open files and the users who are connected to the computer's file shares. Additionally, you can view the properties of the folder, which allows you to perform actions such as specifying NTFS permissions. When you create a new share in the Shared Folders snap-in, the Create a Shared Folder Wizard appears. By default, the share name is the same as the folder name, and all users have Read share permission.

Sharing Through File Explorer


You can share a folder through File Explorer by using two options:
• The Share with option on the shortcut menu or ribbon.
• The Sharing tab of the Properties dialog box.

Note: When you share a folder through the File Explorer Share with wizard, the default share permission gives the Everyone group Full Control; access is then restricted only by the NTFS permissions that the wizard writes. For all other methods of sharing, including Advanced Sharing, the default share permission gives the Everyone group Read permission.

Using the Share with Option from the Shortcut Menu or Ribbon

The Share with option is a simple and fast way to share a folder. When you right-click a folder and then select Share with, you get a submenu that allows you to either stop sharing the folder or share the folder with specific people. When you share with specific people, you can select Everyone or use Find people to share the folder with specific users or groups. After selecting who you want to share with, you can set either Read or Read/Write permission. The wizard sets the share permissions to Everyone Full Control and writes NTFS permissions based on what you selected; the NTFS permissions are therefore the only thing that restricts access through such a share. The share name will be the same as the folder name.

Using the Sharing Tab on the Properties Dialog Box

Using the Properties dialog box provides two options. You can click the Share button, which then presents the same dialog box as Share with Specific people, or you can click the Advanced Sharing button. When you use Advanced Sharing, you can specify the Share name. The default is the same as the folder name, and you can specify share permissions as Full Control, Change, or Read. Additionally, because you are in the Properties dialog box, you can click the Security tab and set NTFS permissions.


Sharing Through the Command Line

You can share a folder through the command line by using the net share command, which the following example shows in its basic form:
net share sharename=drive:path

This creates a simple share with the share name that you specify and grants the Everyone group Read share permission. Additional options include:

Option                   Description
/Grant:user,permission   Grants the specified user READ, CHANGE, or FULL share permission.
/Users:number            Limits the number of users who can connect to the share at the same time.
/Remark:"text"           Adds a comment to the share.
/Cache:option            Sets the offline caching option for the share (Manual, Documents, Programs, BranchCache, or None).
sharename /Delete        Removes an existing share.

Sharing Through Computer Management

The Computer Management tool is a collection of MMC snap-ins that includes the Shared Folders snap-in.

Sharing by Using Windows PowerShell 4.0 Cmdlets

Windows 8.1 includes the SmbShare module for Windows PowerShell, which provides cmdlets that you can use to manage shares. The command for creating a share by using Windows PowerShell is:
New-SmbShare -Name ShareName -Path C:\LocalFolder

Additional Windows PowerShell commands for managing shares include:

Command               Description
Get-SmbShare          Gets a list of the existing shares on the computer.
Set-SmbShare          Modifies an existing share.
Remove-SmbShare       Removes an existing share.
Get-SmbShareAccess    Retrieves the share permissions for a share.
Grant-SmbShareAccess  Sets share permissions on a share.
Get-Acl               Retrieves the NTFS ACL (this cmdlet is not new).
Set-Acl               Sets the NTFS ACL for a specified resource (this cmdlet is not new).
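The following script is an added example, not course code. It uses the cmdlets above together, taking the Marketing scenario from Lab A as its input, in the order in which a share should be built: NTFS permissions first, because they carry the real restriction, then the share, with the Everyone group replaced by Authenticated Users and SMB 3 encryption turned on. The path, the share name, and the ADATUM\Marketing group are assumptions. Run it in an elevated session on Windows 8.1.

```powershell
# Added example (not course code). Build a share in least-privilege order.
# ASSUMPTIONS: path, share name and the ADATUM\Marketing group are hypothetical.
$path     = 'C:\Shares\Marketing'
$name     = 'Marketing'
$editors  = 'ADATUM\Marketing'
$readers  = 'NT AUTHORITY\Authenticated Users'   # instead of Everyone, see the note in this lesson

if (-not (Test-Path -Path $path)) { New-Item -Path $path -ItemType Directory | Out-Null }

# 1. NTFS permissions. Block inheritance so that a permissive ACE on the parent
#    (the root of C:\ gives Users Read by default) cannot leak into the share.
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true, $false)      # protect the DACL, drop inherited ACEs
$entries = @(
    @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
    @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
    @{ Id = $editors;                 Rights = 'Modify' },
    @{ Id = $readers;                 Rights = 'ReadAndExecute' }
)
foreach ($e in $entries) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $e.Id, $e.Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $path -AclObject $acl

# 2. The share. Naming an access parameter means the default "Everyone: Read"
#    entry is never created. ChangeAccess matches the NTFS Modify grant.
#    EncryptData needs SMB 3 clients (Windows 8 or later) and protects the data on
#    the wire; AccessBased enumeration hides entries the caller cannot open.
New-SmbShare -Name $name -Path $path -ChangeAccess $editors -ReadAccess $readers `
             -EncryptData $true -FolderEnumerationMode AccessBased | Out-Null

# 3. Belt and braces: remove an Everyone entry if one exists anyway.
Get-SmbShareAccess -Name $name |
    Where-Object { $_.AccountName -eq 'Everyone' } |
    ForEach-Object { Revoke-SmbShareAccess -Name $name -AccountName 'Everyone' -Force }

# 4. Verify both layers.
Get-SmbShareAccess -Name $name |
    Format-Table AccountName, AccessControlType, AccessRight -AutoSize
(Get-Acl -Path $path).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

If the lab's LON-CL2 clients must reach the share, keep EncryptData on: Windows 8.1 negotiates SMB 3 and the transfer is encrypted without any client-side change. Remove it only for SMB 2 or SMB 1 clients, which cannot connect to an encrypted share at all.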


Methods for Sharing Folders


Windows 8.1 provides two methods for sharing folders directly from your computer:
• Folder sharing. Enables sharing of music, photos, and other files from any folder on your computer, without having to move them from their current location. There are two types of folder sharing: basic and advanced.
• Public folder sharing. Public folders serve as open locations for sharing files. Copying a file into a Public folder makes it immediately available to other users on the computer or network.

Basic Folder Sharing

Basic folder sharing is the simplest form of folder sharing because it enables users to share a folder quickly and simply. You can create basic folder shares by using the File Explorer Share with Wizard or the net share command without any additional options.

Advanced Folder Sharing


You can use Advanced Sharing to exert more control over the folder sharing process. When you use Advanced Sharing to share a folder, you must specify the following information:
• A share name. The default name is the folder name.
• The maximum number of concurrent connections to the folder. The default is 20 concurrent connections, which is also the maximum that a Windows 8.1 client allows.
• Shared folder permissions. The default is Read permission for the special group Everyone. The permissions that you set here are share permissions only; they do not modify the underlying NTFS permissions.
• Caching options. The default caching option allows user-selected files and programs to be available offline. You can disable offline files and programs, or you can configure files and programs to be available offline automatically.

You can access Advanced Sharing by using the:
• Shared Folder Wizard from the Shared Folders snap-in.
• Sharing tab on the Properties dialog box.
• Command line with optional settings.

Public Folder Sharing

When you turn on Public folder sharing in Windows 8.1, anyone with an account on your computer or on a PC on your network can access the contents of these folders. To share something, copy or move it into one of the Public folders. By default, Windows 8.1 provides the following Public folders:
• Documents
• Music
• Pictures
• Videos


You can view these folders by clicking File Explorer from the Start screen, and then clicking Libraries to expand the folders.

By default, Public folder sharing over the network is not enabled. However, files stored in the Public folder hierarchy are available to all users who have an account on the computer and can log on to it locally. You can configure Windows 8.1 to allow access to the Public folders from the network by clicking the Change advanced sharing settings link in the Network and Sharing Center, in the All Networks section. You can:
• Turn on sharing so that anyone with network access can read and write files in the Public folders.
• Turn off Public folder sharing. Users who are logged on to this computer can still access these folders.

Public folder sharing does not allow you to fine-tune sharing permissions, but it does provide a simple way to make your files available to others. When you enable Public folder sharing, the Everyone group is granted Full Control for both the share permissions and the NTFS permissions, so any user who can authenticate to the computer (or anyone at all, if password protected sharing is turned off) can create, change, and delete files there. Use it only on a trusted private network; for anything sensitive, create a dedicated share with explicit permissions instead.

Discussion: Combining NTFS and Share Permissions


When you create a shared folder on a partition that is formatted with NTFS, both the shared folder permissions and the NTFS permissions combine to protect file resources. NTFS permissions apply whether users access a resource locally or over a network, but over a network they are filtered by the shared folder permissions. When you grant shared folder permissions on an NTFS volume, the following rules apply:
• Except when you use the Share with wizard, the Everyone group is granted the Read shared folder permission by default.
• Users must have the appropriate NTFS permissions for each file and subfolder in a shared folder, in addition to the appropriate shared folder permissions, to access those resources.
• When you combine NTFS permissions and shared folder permissions, the resulting permission is the more restrictive of the effective shared folder permission and the effective NTFS permission.

The share permissions on a folder apply to that folder, to all files in that folder, to subfolders, and to all files in those subfolders when the content is accessed through the share.

Note: If the Guest user account is enabled on your computer, the Everyone group includes Guest, and therefore anyone who can reach the computer. As a best practice, remove the Everyone group from permission lists and replace it with the Authenticated Users group, which contains only accounts that have actually logged on with credentials.

The following analogy can be helpful in understanding what happens when you combine NTFS and share permissions. When you are dealing with a shared folder, you must always go through the shared folder to access its files over a network. Therefore, you can think of the shared folder permissions as a filter that only allows users to perform those actions that are acceptable to the share permissions. All NTFS permissions that are less restrictive than the share permissions are filtered out so that only the most restrictive permissions remain.

For example, if a share permission is set to Read, the most that you can do is read through the share, even if the NTFS permission on an individual file is set to Full Control. If you set the share permission to Change, you can read or modify content through the share; if the NTFS permission is Full Control, the share permission filters the effective permission down to Change (which corresponds to NTFS Modify).

Question: If you assign a user Full Control NTFS permission to a file, but the user accesses the file through a share with Read permission, what will be the effective permission that the user has on the file?

Question: If you want a user to be able to view all files in a shared folder but only be able to modify certain files in that folder, what permissions do you give the user?

Question: Identify a scenario at your organization where it might be necessary to combine NTFS and share permissions. What is the reason for combining permissions?
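As an added example, not from the course, the following Windows PowerShell code makes the most-restrictive rule concrete. Share Read, Change, and Full Control are stored as fixed file access masks (the same bit patterns as the NTFS Read & execute, Modify, and Full Control rights), and the permission that survives over a share is the bitwise AND of the share mask and the NTFS mask. The second function applies that to a real share for one account; it sums only the Allow entries that name the account directly and ignores Deny entries and group membership, so it is a teaching aid, and the Effective Access tab remains the authoritative answer. The share name and account are assumptions.

```powershell
# Added example (not course code). Share permission levels as the file access
# masks the server stores for them, and the effective permission over a share as
# the bitwise AND of the share mask and the NTFS mask.
$ShareMask = @{
    Read   = 0x1200A9   # FILE_GENERIC_READ | FILE_GENERIC_EXECUTE (NTFS Read & execute plus Synchronize)
    Change = 0x1301BF   # Read plus write, append, delete                (NTFS Modify plus Synchronize)
    Full   = 0x1F01FF   # everything, including change permissions and take ownership
}

function Get-EffectiveShareRights {
    param(
        [Parameter(Mandatory)][ValidateSet('Read', 'Change', 'Full')][string]$ShareRight,
        [Parameter(Mandatory)][System.Security.AccessControl.FileSystemRights]$NtfsRights
    )
    # A right survives only if the share grant and the NTFS grant both contain it.
    $mask = $ShareMask[$ShareRight] -band [int]$NtfsRights
    [System.Security.AccessControl.FileSystemRights]$mask
}

function Get-EffectiveShareRightsForAccount {
    # Simplified: only Allow entries that name the account directly are summed;
    # group membership and Deny entries are not evaluated. ASSUMPTION: the share
    # is on the local computer.
    param(
        [Parameter(Mandatory)][string]$ShareName,
        [Parameter(Mandatory)][string]$Account     # for example 'ADATUM\Ed'
    )
    $share = Get-SmbShare -Name $ShareName
    $shareMask = 0
    Get-SmbShareAccess -Name $ShareName |
        Where-Object { $_.AccountName -eq $Account -and "$($_.AccessControlType)" -eq 'Allow' } |
        ForEach-Object { $shareMask = $shareMask -bor $ShareMask["$($_.AccessRight)"] }
    $ntfsMask = 0
    (Get-Acl -Path $share.Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Account -and "$($_.AccessControlType)" -eq 'Allow' } |
        ForEach-Object { $ntfsMask = $ntfsMask -bor [int]$_.FileSystemRights }
    [System.Security.AccessControl.FileSystemRights]($shareMask -band $ntfsMask)
}

# The three combinations the discussion asks about. A Read share over Full Control
# NTFS leaves only the read and execute bits; a Change share over Full Control NTFS
# leaves Modify; a Full Control share over Read NTFS adds nothing NTFS withholds.
Get-EffectiveShareRights -ShareRight Read   -NtfsRights FullControl
Get-EffectiveShareRights -ShareRight Change -NtfsRights FullControl
Get-EffectiveShareRights -ShareRight Full   -NtfsRights 'ReadAndExecute, Synchronize'
```

Because the filter is an AND of bit masks, a share permission can only ever remove rights. That is why the share permission is the place to put a blanket ceiling (for example, Read for a folder that must never be modified over the network) and the NTFS permission is the place to express who may do what.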

The Network and Sharing Center


With older versions of Windows operating systems, many different graphical interfaces and commands were required to configure networking and network sharing. Windows 8.1 makes this significantly easier by providing all of the required tools in one central location, the Network and Sharing Center. You can access the Network and Sharing Center through Control Panel.

It is important to be familiar with all aspects of the Network and Sharing Center and to be able to use it to configure all types of network connections. This topic focuses on the network sharing aspect of the Network and Sharing Center. The Networking module, Module 6 in this course, covers network configuration topics. The Network and Sharing Center provides the following tools:
• Set up a new connection or network
• Change advanced sharing settings
• Troubleshoot problems

Set Up a New Connection or Network

You can customize currently active network connections and set up a new connection. Use the graphical view of your current network to change the description and icon of network components so that they show more information. View and change network connection properties by clicking View Status on the right side of the connection listing. You can maintain the following network connections in this section:
• Connect to the Internet. Set up a wireless, broadband, or dial-up connection to the Internet.
• Set up a new network. Configure a new router or access point.
• Set up a dial-up connection. Connect to the Internet by using a dial-up connection.
• Connect to a workplace. Set up a dial-up or virtual private network (VPN) connection to your workplace.

Note: You can change the network location profile between private and public. This changes firewall and visibility settings for that network connection.


Change Advanced Sharing Settings

The Network and Sharing Center includes a Change advanced sharing settings link that you can use to enable, disable, and change the way that various network services behave. The first time that you connect to a network, you must choose a network location. This automatically sets the firewall, security, and sharing settings that are appropriate for that type of network. If you connect to networks in different locations, such as your home network, a coffee shop, or your workplace, choosing the right network location helps ensure that your computer is always set to an appropriate security level. When a user connects to a new network, he or she can select one of the following network locations in Windows 8.1:
• Private. All computers on the network are known to you and trusted. Do not choose this network location in public places such as coffee shops and airports. Network discovery and file and printer sharing are turned on for private networks. This allows you to see and access other computers and devices on the network, and allows other network users to see and access your computer.
• Guest or Public. If you do not recognize all the computers on a network (for example, you are in a coffee shop or airport, or you use mobile broadband), the network is public and is not trusted. This location keeps your computer from being visible to other computers around you and helps protect it from malware on the network. Also choose this option if you connect directly to the Internet without a router. Network discovery and file and printer sharing are turned off.
• Domain. The domain network location is used for domain networks such as those in corporate workplaces. Windows assigns it automatically when a domain controller is reachable; your network administrator typically controls its settings through Group Policy.
• All Networks. These settings apply regardless of the network profile.

Windows 8.1 automatically applies the correct network settings based on the network location. For each of these network profiles, you can configure the network sharing settings found in the following table.

Feature                    Settings   Result
Network discovery          On / Off   When network discovery is on, your computer can see other network computers and devices and is visible to other network computers.
File and printer sharing   On / Off   When file and printer sharing is on, people on the network can access files and printers that you have shared from your computer.

Note: By default, Windows 8.1 uses Windows Firewall with Advanced Security. Therefore, using another firewall might interfere with the network discovery and file sharing features.

The following table describes the All Networks settings.

Feature                    Setting                                         Result
Public folder sharing      On / Off                                        When Public folder sharing is on, people on the network, including HomeGroup members, can access files in the Public folders.
Media streaming            On / Off                                        When media streaming is on, people and devices on the network can access pictures, music, and videos on your computer. Your computer also can find media on the network.
File sharing connections   128-bit encryption / 40- or 56-bit encryption   Windows uses 128-bit encryption to help protect file sharing connections. Some devices do not support 128-bit encryption and must use 40- or 56-bit encryption.

Note: The File sharing connections setting does not encrypt the file data itself. It sets the minimum strength of NTLM session security (the NtlmMinClientSec and NtlmMinServerSec values under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0) that Windows will accept when a Server Message Block (SMB) client authenticates with NTLM. In NTLM, the user's password is never transmitted: the server sends a challenge, the client returns a response computed from its password hash and the challenge, and the server (or a domain controller) recomputes the expected response and compares it. The 128-bit option requires that the session key derived from that exchange, which SMB signing and NTLMSSP sealing use, is 128 bits long. Lower it to 40- or 56-bit only for legacy devices that cannot negotiate 128-bit, and only on the computer that must talk to them, because the weaker setting applies to every NTLM connection that computer makes or accepts. Kerberos authentication between domain-joined computers is not affected by this setting, and SMB 3 data encryption (the EncryptData option on a share or on the server) is a separate feature.
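The following script is an added example, not course code. It audits the per-profile sharing posture that the Change advanced sharing settings page controls, as seen from the firewall rule groups and connection profiles that the page actually toggles, reads the NTLM minimum session security values that the File sharing connections option maps to, and then enables inbound file sharing and network discovery only on domain networks (or on private networks as well, if you ask for that). It assumes an elevated Windows PowerShell session on Windows 8.1 and the built-in rule group names.

```powershell
# Added example (not course code). ASSUMPTIONS: run elevated on Windows 8.1;
# the built-in rule group display names are used.

function Get-SharingPosture {
    # Which profile each connection is on, and whether the inbound rules behind
    # "File and printer sharing" and "Network discovery" are enabled per profile.
    $rules = foreach ($group in 'File and Printer Sharing', 'Network Discovery') {
        Get-NetFirewallRule -DisplayGroup $group -Direction Inbound |
            Select-Object @{ n = 'Group'; e = { $group } }, DisplayName, Profile, Enabled
    }
    # NTLM minimum session security. 0x20000000 (536870912) in both values means
    # 128-bit session security is required (the "128-bit encryption" option of the
    # File sharing connections setting); 0 allows 40- or 56-bit.
    $ntlm = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' `
                -Name NtlmMinClientSec, NtlmMinServerSec -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Connections = Get-NetConnectionProfile | Select-Object InterfaceAlias, Name, NetworkCategory
        Rules       = $rules
        NtlmMinimum = $ntlm | Select-Object NtlmMinClientSec, NtlmMinServerSec
    }
}

function Set-SharingPosture {
    # Enable the inbound sharing and discovery rules only for Domain (and, if asked,
    # Private) profiles; every other rule in the groups is disabled, which is what
    # the Public profile does by default.
    param([switch]$AllowOnPrivate)
    $allowed = if ($AllowOnPrivate) { 'Domain|Private' } else { 'Domain' }
    foreach ($group in 'File and Printer Sharing', 'Network Discovery') {
        $rules = Get-NetFirewallRule -DisplayGroup $group -Direction Inbound
        $rules | Disable-NetFirewallRule
        $rules |
            Where-Object { "$($_.Profile)" -ne 'Any' -and "$($_.Profile)" -match $allowed } |
            Enable-NetFirewallRule
    }
    # A connection that is Private but not trusted should be Public. The Domain
    # category cannot be set by hand; Windows assigns it when a DC is reachable.
    if (-not $AllowOnPrivate) {
        Get-NetConnectionProfile |
            Where-Object { $_.NetworkCategory -eq 'Private' } |
            ForEach-Object {
                Set-NetConnectionProfile -InterfaceIndex $_.InterfaceIndex -NetworkCategory Public
            }
    }
}

$before = Get-SharingPosture
$before.Connections | Format-Table -AutoSize
$before.Rules | Sort-Object Group, Profile | Format-Table -AutoSize
$before.NtlmMinimum | Format-List

Set-SharingPosture            # domain only; add -AllowOnPrivate on a trusted home network

(Get-SharingPosture).Rules |
    Where-Object { "$($_.Enabled)" -eq 'True' } |
    Format-Table Group, DisplayName, Profile -AutoSize
```

The script changes only the firewall rules and the connection category; it reads the NTLM values but does not write them, because that choice belongs in Group Policy (Network security: Minimum session security for NTLM SSP based clients and servers) rather than in an ad hoc script.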

Troubleshoot Problems

Use this feature to diagnose and repair network problems and to get troubleshooting information for the following network components:
• Internet connections
• Shared folders
• HomeGroup
• Network adapter
• Incoming connections
• Connection to a workplace by using Windows 8.1 DirectAccess
• Printers

Configuring a HomeGroup for Resource Access


A HomeGroup allows you to connect multiple computers and share devices and libraries on your home network if the systems are running Windows 7 or newer. When you set up your first home computer with the basic version of Windows 8.1, a HomeGroup is created automatically. HomeGroups are password protected automatically by a system-generated password. You can change the system-generated password to one of your choosing in the HomeGroup settings.


When you add a second Windows 8.1 computer, you will be asked to join the existing HomeGroup instead of creating a new one. To join an existing HomeGroup, perform the following procedure:
1. Locate the password for your HomeGroup by going to HomeGroup settings on the first PC. Note the password from the Membership section. You will need to enter it on the new computer.
2. On the new Windows 8.1 PC, go to the HomeGroup settings and locate the Membership section. Windows will detect the HomeGroup automatically and prompt you for the password.
3. Enter the password of the HomeGroup and click Join.

The HomeGroup settings screen allows you to select which libraries or devices and printers you want to share with other users in the HomeGroup. The default permission for shared libraries is Read, but you can change this. You also can exclude specific files from sharing. You can share resources such as individual files or devices with specific people or with everyone in the HomeGroup. The HomeGroup appears in the left pane of File Explorer under the name HomeGroup. Expanding the HomeGroup node displays the resources that are available on the network, grouped by the user name of the owner of the device or library. HomeGroups have the following restrictions:
• A computer's network location must be set to Private to join a HomeGroup.
• Network sharing must be turned on.
• A computer that is joined to a domain (typically one that runs a Professional or Enterprise edition) can join a HomeGroup, but it cannot create one.
• Devices that are running Windows RT 8.1 can join a HomeGroup, but they cannot create one or share content in one.
• You cannot delete a HomeGroup, but if nothing is shared and no computers have joined it, it effectively does not exist.


Lesson 3

Configuring File Compression


Lesson Objectives
After completing this lesson, you will be able to:
• Describe how NTFS file compression works.
• Describe the impact of moving or copying compressed files and folders.
• Describe how to create a compressed folder.
• Compress files and folders.

The primary focus of this lesson is to examine the two methods in Windows 8.1 for compressing files and folders to consume less disk space: NTFS file compression and compressed files and folders.

Compressing Content to Save Disk Space


NTFS supports file compression on an individual-file basis. The file compression algorithm is lossless: no data is lost when a file is compressed and decompressed, as opposed to lossy compression algorithms, where some data is discarded each time the data is compressed. NTFS compression, which is available only on NTFS volumes, has the following features and limitations:
• Compression is an attribute of a file or folder. Volumes, folders, and files on an NTFS volume are either compressed or uncompressed. New files that are created in a compressed folder are compressed by default.
• The compression state of a folder does not necessarily reflect the compression state of the files within that folder. For example, you can compress a folder without compressing its contents, and you can compress some or all of the files in a compressed folder.
• Applications work with NTFS-compressed files without decompressing them themselves, because the file system decompresses and recompresses the data without user intervention:
  o When you open a compressed file, the Windows operating system automatically decompresses it for you. When you save and close the file, the Windows operating system compresses it again.
  o Applications that open a compressed file can perform tasks on it as if the file were not compressed. The compressed bytes of a file are not accessible to applications, which see only the uncompressed data.
• NTFS-compressed file and folder names are displayed in a different color to make them easier to identify.
• NTFS-compressed files and folders remain compressed only while they are stored on an NTFS volume. If you copy a compressed file to a volume with another file system, it is stored uncompressed there.
• You cannot encrypt an NTFS-compressed file. Compression and EFS encryption are mutually exclusive attributes; setting one clears the other.

Note: You can use the compact command-line tool to manage NTFS compression.

Discussion: What Is the Impact of Moving and Copying Compressed Files and Folders?
Moving and copying compressed files and folders can change their compression state. This discussion presents the following situations, in which you are asked to identify the impact of copying and moving compressed files and folders. You and your classmates will discuss the possible answers for each situation.

Question: What happens to the compression state of a file or folder when you copy it within an NTFS partition?

Question: What happens to the compression state of a file or folder when you move it within an NTFS partition?

Question: What happens to the compression state of a file or folder when you copy or move it between NTFS partitions?

Question: What happens to the compression state of a file that you copy or move between FAT32 and NTFS volumes?
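The following Windows PowerShell script is an added example, not from the course. It covers both the compact tool mentioned in the note above and the copy-and-move questions in this discussion. It builds a scratch folder under %TEMP% with a constructed text file, compresses the folder with compact.exe, reports each file's logical size against its on-disk size by calling the Win32 GetCompressedFileSize function, and then copies and moves the file into an uncompressed folder on the same volume so that you can see which operation keeps the Compressed attribute. It assumes that %TEMP% is on an NTFS volume.

```powershell
# Added example (not course code). ASSUMPTION: $env:TEMP is on an NTFS volume.
$root          = Join-Path $env:TEMP 'CompressDemo'
Remove-Item -Path $root -Recurse -Force -ErrorAction SilentlyContinue
$compressedDir = New-Item -ItemType Directory -Path (Join-Path $root 'Compressed')
$plainDir      = New-Item -ItemType Directory -Path (Join-Path $root 'Plain')

# Constructed, highly compressible sample content.
$sample = Join-Path $compressedDir.FullName 'report.txt'
[IO.File]::WriteAllText($sample, ('The quick brown fox jumps over the lazy dog. ' * 20000))

# Mark the folder compressed and compress what is already in it.
# /C = compress, /S:<dir> = recurse from <dir>, /I = continue past errors.
compact.exe /C /S:"$($compressedDir.FullName)" /I | Out-Null

# GetCompressedFileSize returns the bytes actually allocated on disk, which is
# what the Length property of a FileInfo object does not show.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern uint GetCompressedFileSize(string lpFileName, out uint lpFileSizeHigh);
'@

function Get-CompressionReport {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -File -Recurse | ForEach-Object {
        $high = [uint32]0
        $low  = [Win32.Native]::GetCompressedFileSize($_.FullName, [ref]$high)
        [pscustomobject]@{
            File         = $_.FullName.Substring($root.Length + 1)
            Compressed   = (($_.Attributes -band [IO.FileAttributes]::Compressed) -ne 0)
            LogicalBytes = $_.Length
            OnDiskBytes  = ([uint64]$high -shl 32) -bor [uint64]$low
        }
    }
}

'After compact:'
Get-CompressionReport -Path $root | Format-Table -AutoSize

# Copy: a new file is written, so it takes the compression state of its
# destination folder (Plain is not compressed).
Copy-Item -Path $sample -Destination (Join-Path $plainDir.FullName 'copied.txt')
# Move within the same volume: NTFS renames the existing file in place, so the
# Compressed attribute travels with it even though Plain is not compressed.
Move-Item -Path $sample -Destination (Join-Path $plainDir.FullName 'moved.txt')

'After copy and move on the same volume:'
Get-CompressionReport -Path $root | Format-Table -AutoSize
```

A move to a different volume is a copy followed by a delete, so it behaves like the copy case, and a copy to a FAT32 volume always produces an uncompressed file because FAT32 has no compression attribute at all.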

Creating a Compressed (Zipped) Folder


In Windows 8.1, you can combine several files and folders into a single compressed folder by using the Compressed (zipped) Folder feature. Use this feature to share a group of files and folders with others, without being concerned about sending individual files and folders. Files and folders that you compress by using the Compressed (zipped) Folder feature can be compressed on FAT and NTFS drives. A zipper icon identifies files and folders that are compressed by using this feature.

You can open files directly from these compressed folders, and you can run some programs directly from compressed folders without extracting them first. Files in compressed folders are compatible with other zip-based file compression programs. You also can move compressed files and folders to any drive or folder on your computer, to the Internet, or to your network.


Compressing folders by using Compressed (zipped) Folder does not affect a computers overall performance. CPU utilization increases only when you use Compressed (zipped) Folder to compress a file. Compressed files take up less storage space, and you can transfer them to other computers more quickly than uncompressed files. You can work with compressed files and folders the same way you work with uncompressed files and folders.

Send To Compressed (zipped) Folder


By using the Send To Compressed (zipped) Folder command in File Explorer, you can quickly:
• Create a compressed version of a file.
• Send a file to a compressed (zipped) folder.

Alternatively, if a compressed folder has been created already, and you need to add a new file or folder to it, you can drag the desired file to the compressed folder instead of using the Send To Compressed (zipped) Folder command.

Comparing Zipped Folder Compression and NTFS Folder Compression

You should be aware of the differences between zipped folder compression and NTFS folder compression. A zipped folder is a single file that Windows lets you browse as if it were a folder. Some applications can access data directly from a zipped folder, while others require that you first extract the folder contents before they can access the data. In contrast, NTFS compression compresses the individual files within a folder at the file system level, not the folder level, so it does not have the data access issues that are associated with zipped folders. Additionally, zipped folders are useful for combining multiple files into a single email attachment, whereas NTFS compression is not. File and folder compression that uses the Send To > Compressed (zipped) Folder command is different from the NTFS file and folder compression that was discussed earlier:
• For selected files or folders, the Send To > Compressed (zipped) Folder command compresses the selected content into a portable zip file. The original file or folder is left unchanged, and a new, compressed zip file is created.
• NTFS compression does not create a second, compressed zip-type file. Instead, it reduces the size of the selected file, folder, or volume by compressing its content in place.

Note: Unlike NTFS-compressed folders and files, you can move or copy compressed (zipped) folders without change between volumes, drives, and file systems.
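The following script is an added example, not from the course or from Microsoft's documentation. It builds a zipped folder from constructed input with the .NET Framework 4.5 System.IO.Compression API that ships with Windows 8.1, deliberately adds an entry whose name contains ..\, and then extracts the archive with a function that refuses any entry that would land outside the destination folder. That check is what a practitioner wants before extracting a zipped folder received as an email attachment, because an entry name is just a string supplied by whoever made the archive. The paths under %TEMP% are assumptions.

```powershell
# Added example (not course code). ASSUMPTIONS: .NET Framework 4.5 (present on
# Windows 8.1); paths under $env:TEMP are scratch locations for the demo.
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Expand-ZipSafely {
    param(
        [Parameter(Mandatory)][string]$ZipPath,
        [Parameter(Mandatory)][string]$Destination
    )
    # Normalise the destination to a full path with a trailing backslash so that
    # "C:\Out2\x" cannot pass a prefix test against "C:\Out".
    $destRoot = [IO.Path]::GetFullPath($Destination).TrimEnd('\') + '\'
    New-Item -ItemType Directory -Path $destRoot -Force | Out-Null

    $zip = [IO.Compression.ZipFile]::OpenRead($ZipPath)
    try {
        foreach ($entry in $zip.Entries) {
            # The entry name is attacker-controlled input: resolve it and check that
            # it is still under the destination before touching the disk.
            $target = [IO.Path]::GetFullPath((Join-Path $destRoot $entry.FullName))
            if (-not $target.StartsWith($destRoot, [StringComparison]::OrdinalIgnoreCase)) {
                Write-Warning "Refusing '$($entry.FullName)': it resolves to $target"
                continue
            }
            if ($entry.FullName.EndsWith('/')) {          # directory entry
                New-Item -ItemType Directory -Path $target -Force | Out-Null
                continue
            }
            New-Item -ItemType Directory -Path (Split-Path -Path $target -Parent) -Force | Out-Null
            [IO.Compression.ZipFileExtensions]::ExtractToFile($entry, $target, $true)
        }
    }
    finally {
        $zip.Dispose()
    }
}

# --- Build a test archive with one honest entry and one traversal entry ---
$work    = Join-Path $env:TEMP 'ZipDemo'
Remove-Item -Path $work -Recurse -Force -ErrorAction SilentlyContinue
New-Item -ItemType Directory -Path $work | Out-Null
$zipPath = Join-Path $work 'sample.zip'

$archive = [IO.Compression.ZipFile]::Open($zipPath, [IO.Compression.ZipArchiveMode]::Create)
foreach ($pair in @(
        @{ Name = 'docs/readme.txt';   Text = 'Constructed sample content.' },
        @{ Name = '../../escaped.txt'; Text = 'This must never be written.' })) {
    $writer = New-Object IO.StreamWriter($archive.CreateEntry($pair.Name).Open())
    $writer.Write($pair.Text)
    $writer.Dispose()
}
$archive.Dispose()

# --- Extract: docs\readme.txt lands under Extracted; the traversal entry is refused ---
Expand-ZipSafely -ZipPath $zipPath -Destination (Join-Path $work 'Extracted')
Get-ChildItem -Path $work -Recurse -File | Select-Object FullName
# The refused entry would have landed in %TEMP% itself; it must not exist there.
Test-Path -Path (Join-Path $env:TEMP 'escaped.txt')
```

The prefix test is done on the normalised full path, not on the raw entry name, because a name such as docs\..\..\escaped.txt contains no leading dot-dot and would pass a naive check.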

Demonstration: Compressing Files and Folders


In this demonstration, you will see how to compress files and folders.

Demonstration Steps

Compress a file
1. Sign in to LON-CL1 as Adatum\Administrator.
2. Start File Explorer.
3. Open the E:\Labfiles\Mod09\Windows8Docs folder.
4. Compress the largest document in the folder.
5. Examine the file attributes.


Compress a folder
1. Compress the Windows8Docs folder.
2. Examine the folder and files in the folder.
3. Keep the virtual machines running for the next demonstration.


Lab A: Configuring File Access


Scenario

You have users in the Marketing department that need to share files between users. You will create a shared folder on the network and configure permissions such that the Marketing users have Modify permission to the shared folder and all other users have Read permission. You will also test the access to the shared folder.

Objectives
After completing this lab, you will be able to:
• Create a folder shared to all users.
• Create a folder shared to specific users.

Lab Setup
Estimated Time: 15 Minutes
Virtual machines: 20687C-LON-DC1, 20687C-LON-CL1, 20687C-LON-CL2
User names: Adatum\Administrator, Adatum\Ed, and Adatum\Adam
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687C-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in by using the following credentials:
  o User name: Adatum\Administrator
  o Password: Pa$$w0rd
5. Repeat steps 2 and 3 for 20687C-LON-CL1 and 20687C-LON-CL2. Do not sign in until directed to do so.

Exercise 1: Creating a Shared Folder for the Marketing Group


Scenario
You need to create a shared folder for the Marketing department. The main tasks for this exercise are as follows:
1. Create a Marketing folder.
2. Share the Marketing folder for Everyone.
3. Configure NTFS permissions for the Marketing folder.
4. Attempt to access the Marketing folder as Ed.
5. Sign in to LON-CL2 as Adam.
6. Attempt to access the Marketing folder as Adam.


Task 1: Create a Marketing folder


1. Sign in to LON-CL1 as Adatum\Administrator.
2. Create a new folder in the E:\Labfiles\Mod09 folder named Marketing.

Task 2: Share the Marketing folder for Everyone


Share the Marketing folder so that Everyone can read it.

Task 3: Configure NTFS permissions for the Marketing folder


1. Configure the Marketing folder so that the Marketing security group has Modify permission.
2. Close all open windows.

Task 4: Attempt to access the Marketing folder as Ed


1. On LON-CL2, sign in as Adatum\Ed with password Pa$$w0rd.
2. Open the \\Lon-CL1\Marketing folder.
3. Attempt to create a file in the Marketing folder.
4. Sign out of LON-CL2.

Task 5: Sign in to LON-CL2 as Adam


Sign in to LON-CL2 as Adatum\Adam.

Task 6: Attempt to access the Marketing folder as Adam


1. Start File Explorer.
2. Open the \\LON-CL1\Marketing folder.
3. Attempt to create a file in the Marketing folder.
4. Close all windows, and then sign out.

Results: After completing this exercise, you should have created and shared a folder for the Marketing department.
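Tasks 1 to 3 of this exercise, carried out from a PowerShell prompt on LON-CL1, as an added example that is not part of the course material. It assumes the lab's path and the Adatum domain with a domain group named Marketing (ADATUM is an assumed NetBIOS name); the verification at the end shows why the file-creation attempts in Tasks 4 and 6 behave as they do.

```powershell
# Added example (not from the course): Lab A, Tasks 1-3, in PowerShell on LON-CL1.
# Assumes the Adatum domain, a domain group named "Marketing", and the lab path below.
$folder = 'E:\Labfiles\Mod09\Marketing'
$group  = 'ADATUM\Marketing'          # assumed NetBIOS domain name

# Task 1: create the folder
New-Item -Path $folder -ItemType Directory -Force | Out-Null

# Task 2: share it; share permission Everyone = Read, as the lab specifies
New-SmbShare -Name 'Marketing' -Path $folder -ReadAccess 'Everyone' | Out-Null

# Task 3: NTFS permission, Marketing group = Modify, inherited by new subfolders and files
$acl  = Get-Acl -Path $folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $group,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    ([System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'),
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Verification. Over the network the effective right is the MORE restrictive of the
# share permission and the NTFS permission, so anyone reaching \\LON-CL1\Marketing is
# capped at Read by the share ACL, even a Marketing member who holds Modify in NTFS.
# That is why creating a file through the share is refused during the access tests.
Get-SmbShareAccess -Name 'Marketing' | Format-Table AccountName, AccessRight
(Get-Acl -Path $folder).Access |
    Where-Object { $_.IdentityReference -eq $group } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, AccessControlType

# To let Marketing members write over the network, widen only the share ACL and keep
# the NTFS ACL as the real control (the approach the module review recommends):
# Grant-SmbShareAccess -Name 'Marketing' -AccountName $group -AccessRight Change -Force
```

Run the block in an elevated PowerShell session. The commented Grant-SmbShareAccess line is deliberately left off so that the result matches the lab's stated configuration; enable it only when the design calls for write access through the share.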

Exercise 2: Configuring File and Folder Compression


Scenario
In an effort to save space on your hard disk, you will compress a folder that contains documents. The main task for this exercise is as follows:
1. Compress a folder.

Task 1: Compress a folder


1. Switch to LON-CL1.
2. Compress the E:\Labfiles\Mod09\Windows8Docs folder.
3. Examine the folder and files in the folder.

Results: After completing this exercise, you will have compressed a folder.
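The same compression done from the command line with compact.exe (the tool listed in this module's Tools section), followed by a check of which items actually received the Compressed attribute. This is an added example, not course material; the only assumption is the lab path.

```powershell
# Added example (not from the course): Lab A, Exercise 2, with compact.exe plus a check.
$folder = 'E:\Labfiles\Mod09\Windows8Docs'     # lab path

# /C = set the Compressed attribute, /S:dir = apply to the folder and everything below,
# /I = keep going if a file cannot be compressed (for example an EFS-encrypted file:
# NTFS compression and EFS encryption are mutually exclusive on the same file)
compact.exe /C /I /S:"$folder"

# Report which items now carry the Compressed attribute. New files created in or copied
# into a compressed folder inherit the attribute; files moved from elsewhere on the same
# NTFS volume keep whatever attribute they already had, so check rather than assume.
Get-ChildItem -Path $folder -Recurse -Force |
    Select-Object FullName,
        @{ Name = 'Compressed'
           Expression = { ($_.Attributes -band [System.IO.FileAttributes]::Compressed) -ne 0 } } |
    Format-Table -AutoSize

# compact.exe with neither /C nor /U only lists the per-file compression ratio
compact.exe /S:"$folder"
```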

To prepare for the next lab


When you finish the lab, leave the virtual machines running, as they are needed for the next lab.

Lesson 4

Overview of SkyDrive
In this lesson, you will learn about Microsoft's SkyDrive service and its integration with Windows 8.1.

Lesson Objectives
After completing this lesson, you will be able to:
- Describe how to use SkyDrive for storing and sharing files.
- Describe how to configure SkyDrive.
- Describe how to share files in SkyDrive.
- Describe how to synchronize and recover SkyDrive files.

Using SkyDrive for Storing and Sharing Files


SkyDrive is Microsoft's cloud-based file service for Microsoft accounts. The SkyDrive service allows for 7 gigabytes (GB) of free cloud storage. You can use SkyDrive to save documents in a private store and a public store so that you can share files with anyone.

Note: You also can purchase more storage space by clicking the Buy more storage link in the Storage space screen.

Features
SkyDrive offers many features that enable users to access and use SkyDrive as best fits their needs, such as:
- Microsoft Office. You can use Microsoft Office to save documents to SkyDrive by clicking the File menu in Office 2013, clicking Save (or Save As), and then selecting SkyDrive as the save location.
- Microsoft Office Web Apps. You can use Office Web Apps to view and edit documents that are stored in SkyDrive.
- PDF and OpenDocument Format (ODF) support. You can view PDF and ODF documents that are saved in SkyDrive.
- Bing integration. You can use the Bing Save & Share feature to save search histories in a SkyDrive folder.

For more information on SkyDrive features, refer to: SkyDrive http://go.microsoft.com/fwlink/?LinkId=266561

Accessing SkyDrive
SkyDrive can be accessed in several different ways, including:
- A web browser at http://www.SkyDrive.com
- Microsoft Office 365 Outlook Web Access
- A Windows PC that is running Windows Vista Service Pack 2 (SP2) or newer
- Windows Server 2008 SP2 and the Windows Platform Update for Windows Server 2008 or newer
- Mac OS X 10.7 (Lion)
- Windows Phone app
- An iOS app
- An iPad app
- Windows 8.1

SkyDrive Privacy

The Microsoft Online Privacy Statement specifies the terms of use of the personal information that you provide when you use SkyDrive. Before you use Microsoft online services, you must read and understand the privacy statement. The main points in the privacy statement include the following:
- Microsoft collects personal information from you when you register, and may combine this information with data that other companies and Microsoft services collect.
- To personalize your experience, Microsoft tracks your interaction with their sites by using cookies and other technologies.
- Microsoft does not share your personal information with third parties, but may provide this information to companies that work on behalf of Microsoft.
- Microsoft uses your personal information to provide services such as personalized content and advertising, to inform you about Microsoft products and services, and to invite you to surveys of Microsoft services.

Terms of Service

The SkyDrive terms of service specify how the information you post on SkyDrive will be used. Some of the main terms of service are:
- Ownership of Content. You own content such as documents, videos, photos, and email that you upload to the services store. The same is true of content that you store on the services, or transfer through it. Microsoft does not claim ownership of your content, except for Microsoft material, such as clip art, that Microsoft licenses to you, and that you may use in your content.
- Access of Content. You can choose who you share your content with. You can choose not to share your content, to share your content publicly, or choose other users with whom you want to share your content. If you share your content with other users, they may use, reproduce, distribute, or display your content for free.
- Microsoft Use of Content. Microsoft may use, modify, adapt, save, reproduce, distribute, and display your content to protect you, and to improve Microsoft services. In such cases, Microsoft protects your privacy by taking necessary steps. Examples of such usage of your content include isolation of information from content to prevent and protect you from spam and malware.
- Removal of Content. Microsoft may ask you to remove content that is in violation of the anti-spam policy, the Microsoft Code of Conduct, or your local law, or if you infringe on a third party's intellectual property. If you fail to comply, you may lose access to your account, or your account may be cancelled. In such cases, Microsoft may also remove your content without asking you.


Configuring SkyDrive Access


Before you can use SkyDrive from the Windows 8.1 SkyDrive tile, you must connect your domain or local account with your Microsoft account. To begin the process, click the SkyDrive tile from the Start screen. You then will be prompted to sign in with your Microsoft account or to create an account if you do not have one. If you want to configure your synchronization settings, you will need to connect your domain account to your Microsoft account by performing the following procedure:
1. From the Start screen, open the Computer menu, and then select the Settings charm.
2. Click Change PC Settings, and then click the Accounts section.
3. To start the wizard for synchronizing your domain account with your Microsoft account, click Connect your Microsoft account.

In the wizard, you can choose which features you want to synchronize, including:
- Start screen. Colors and background.
- Desktop personalization. Themes, taskbar, and more.
- Ease of Access. High contrast, Narrator, Magnifier, and more.
- Language preferences. Keyboards, other input methods, display language, and more.
- App data. Certain settings in your apps.
- Browser settings. History, bookmarks, and favorites.
- Other Windows settings. File Explorer and mouse settings.
- Passwords. For some apps, websites, networks, and HomeGroup.

You can toggle the synchronization setting of these options from the Sync your settings menu on the PC Settings page.

Sharing Files in SkyDrive


You can use SkyDrive to share files as publicly accessible folders or as folders that you secure by using your Microsoft account contacts. The Windows 8.1 SkyDrive app lets you use SkyDrive directly from your desktop. By using the SkyDrive app, you can access and manage all your folders from your computer's desktop. A new, updated version of the SkyDrive app is integrated into Windows 8.1.


Sharing Folders in SkyDrive

When you first create a SkyDrive account, you have three folders by default: Documents, Pictures, and Public. By default, the share folder setting for the Documents and Pictures folders are set to This folder is not shared, which means that you are the only one who can access it. The Public folder is shared as Everyone Can view, which means anybody can see, but not edit, any documents in that folder. When you create a new folder in SkyDrive, you can choose how you want to share it.

Synchronizing and Recovering SkyDrive Files with Windows 8.1


In Windows 8, SkyDrive was available as an app; in Windows 8.1, SkyDrive is integrated fully. During setup, if you create a new Microsoft account or use an existing one, you are prompted to accept the default SkyDrive settings. The default SkyDrive settings are:
- Camera roll and PC settings will automatically be backed up to the cloud.
- New documents you create can be saved to the cloud by default.

You have the option to turn off SkyDrive integration. If you enable it, you will see a SkyDrive folder in the File Explorer folder tree. You can use the SkyDrive folder to save, copy, or paste files in the same way you would use any network folder or folder on a local disk.

Synchronization

Windows 8.1 provides a redesigned synchronization model for SkyDrive that is more efficient. The files in the SkyDrive folder appear to be stored on the local hard disk, but the files are stored as placeholders that take a small amount of space. Placeholder files contain a thumbnail and basic information about the file. Files are downloaded to your local computer when you open them. This is beneficial for tablets, smartphones, and other devices that have limited disk space. You also can control whether synchronization and backup to SkyDrive will occur when you are on a metered connection, such as when tethered to a smartphone. Synchronization happens automatically and cannot be triggered manually.

Note: If you have Apple devices, pictures that you store in the Camera Roll folder can be configured to upload to SkyDrive automatically.

Support for Offline Files

You also can choose to make some files or folders available offline in the same way as with network-based files. Simply right-click the file or folder in SkyDrive, and click Make available offline. This will keep a synchronized copy on the local hard disk. If you edit or add a file to SkyDrive while you are offline, it is kept on the local hard drive until you connect to the Internet. Then it synchronizes across all your SkyDrive-enabled devices. If you are offline, you cannot edit files unless they have been cached to the local disk previously.

Conflict Resolution

If you edit a cached file on one of your offline devices and then edit the same file from a different device that is online, when synchronization occurs, you will get two versions of the file on the device that was offline. The one that was modified while offline will be appended with the name of the device. For example, if you edit a cached version of File1.txt on an offline device named Client1 and then modify File1.txt from an online device before synchronization occurs, when the offline device connects to the internet, a new file named File1.txt-Client1 will be created and synchronized to all devices.

Recovering Files

Occasionally, users might accidentally delete files. When users delete a file from a SkyDrive folder, it goes to the Recycle Bin on the local machine and also to the Recycle Bin on all other Windows computers where SkyDrive is enabled. You can restore a file or folder to SkyDrive from any of the Recycle Bins in which it appears.


Lesson 5

Managing Printers
To set up a shared printing strategy to meet your users' needs, you must understand Windows 8.1 printing components and how to manage them. This lesson examines printing components in a Windows 8.1 environment, including printer ports and drivers.

The instructor will demonstrate how to install and share a printer, and you will review how to use the Print Management tool to administer multiple printers and print servers.

Lesson Objectives
After completing this lesson, you will be able to:
- Describe the new printing features in Windows 8.1.
- Describe the components of a printer.
- Install and share a printer.
- Describe how to manage client-side printing.
- Describe how to manage print server properties.

Windows 8.1 Printer Features


Windows 8.1 supports two new features for printing:
- Near field communication (NFC) printing, also known as tap-to-pair printing.
- Three-dimensional printing.

NFC Printing

Windows 8.1 supports NFC printing. Users can tap their handheld device against a printer that is equipped with an NFC tag and print directly. These tags are inexpensive and can be purchased and programmed for any existing printer. Information Technology (IT) departments now can provide printing support for a wide variety of handheld devices. NFC currently is available for smartphones as a way to transfer files simply by touching the devices together. That technology is expanding and becoming available for other purposes, such as printing.

3-D Printing

3-D printing is an emerging technology. Microsoft has worked closely with software and hardware partners to build on this technology. Because 3-D printing is based on traditional two-dimensional printing, there are familiar management abilities, such as print queue management. Now, companies that design virtual models have the capability to print physical versions of those models at reasonable costs. 3-D printing has existed for some time, but it has been cost prohibitive for all but the largest organizations. Desktop 3-D printers are making headway and soon will be within reach of small and medium-size businesses.


Overview of Printing Components


When you install and share a printer in Windows 8.1, you must define the relationship between the printer and two printer components: the printer port and the printer driver. Typically, Plug and Play devices install automatically. However, when you add a wireless device or printer in Devices and Printers by using the Add devices and printers button, Windows 8.1 must be able to communicate with the device to complete the wizard. To specify all the connection information for a printer manually, use the Advanced printer setup button.

Defining the Printer Port

Windows 8.1 detects printers that you connect to your computer, and it installs the driver for the printer automatically if the driver is available in the driver store. However, a Windows operating system might not detect printers that connect by using older ports, such as serial or parallel ports, or network printers. In these cases, you must configure a printer port manually.

Installing a Driver

A printer driver is a software interface that enables a computer to communicate with a printer device. Without a printer driver, the printer that connects to a computer will not work properly. A printer driver is responsible for converting a print job into a page-description language (PDL) that the printer can use to print a job. The most common PDLs are PostScript, Printer Control Language, and XML Paper Specification (XPS). In most cases, drivers are included with the Windows operating system, or you can find them by checking for updates with Windows Update in Control Panel. If the Windows operating system does not have the driver you need, you can find it on the disc that came with the printer or on the manufacturer's website. If the Windows operating system does not recognize your printer automatically, you must configure the printer type during the installation process. The Printer Setup Wizard presents you with an exhaustive list of currently installed printer types. However, if your printer is not listed, you must obtain and install the necessary driver. You can preinstall printer drivers in the driver store, thereby making them available in the printer list by using the pnputil.exe command-line tool.

When you connect a new printer to your computer, the Windows operating system tries to find and install a software driver for the printer. Occasionally, you might see a notification that a driver is unsigned or altered, or that the Windows operating system cannot install it. You have a choice whether to install a driver that is unsigned or has been altered since it was signed.

Demonstration: Installing and Sharing a Printer


In this demonstration, you will see how to create and share a printer.

Demonstration Steps
1. Sign in to LON-CL1 as Adatum\Administrator, and then open Control Panel.
2. Open the Add Printer Wizard.
3. Create and share a Microsoft OpenXPS printer named AdatumPrinter.

Managing Client-Side Printing


Print Management provides a single interface to administer multiple printers and print servers. You can access the Print Management console through the Administrative Tools folder in Control Panel or you can open the Print Management console directly by typing Printmanagement.msc in the Search dialog box. You can use Print Management to perform all the basic management tasks for a printer. You also can manage printers from the Devices and Printers page in Control Panel.

View the Print Queue

After you initiate a print job, you can view, pause, or cancel it through the print queue. The print queue shows you what is printing or waiting to print. It also displays information such as job status, who is printing what, and how many unprinted pages remain. From the print queue, you can view and maintain the print jobs for each printer.

You can access the print queue from the Print Management console or through the See what's printing option on the Devices and Printers page in Control Panel. Documents that are listed first will be the first to print.

Cancel Print Jobs


If you start a print job by mistake, it is simple to cancel the print job even if printing is underway. To cancel a print job:
1. Open the print queue for the specific printer by performing the steps outlined previously.
2. To cancel an individual print job, right-click the print job you want to remove, and then click Cancel.
3. To cancel all print jobs, click the Printer menu, and then click Cancel All Jobs. The item that is printing currently might finish, but the remaining items will be cancelled.

Pause or Resume a Print Job


You can pause and resume a single print job or multiple jobs in the queue. To pause or resume a print job:
1. Open the print queue for the specific printer by performing the steps outlined previously.
2. To pause or resume an individual print job, right-click the print job, and then click Pause or Resume.
3. To pause all print jobs, click the Printer menu, and then click Pause Printing. To resume printing, click Resume Printing.

Restart a Print Job


If a print job is printing in the wrong color ink or wrong size paper, you can start over. To restart a print job:
1. Open the print queue for the specific printer by performing the steps outlined previously.
2. Right-click the print job to be reprinted, and then click Restart.


Reorder the Print Queue

If you are printing multiple items, you can change the order in which they print. To reorder the jobs in the print queue:
1. Open the print queue for the specific printer by performing the steps outlined previously.
2. Right-click the print job to be reordered, and then click Properties.
3. Click the General tab, and then drag the Priority slider left or right to change its print order. Items with higher priority print first.
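The queue operations described in this topic (view, cancel, pause, resume, restart, reorder) performed with the PrintManagement cmdlets that ship with Windows 8.1, as an added example that is not part of the course. The printer name is taken from the demonstration earlier in the lesson; the Win32_PrintJob step is used because PrintManagement has no cmdlet that changes job priority.

```powershell
# Added example (not from the course): print queue management in PowerShell.
$printer = 'AdatumPrinter'   # name from the demonstration; change to match your printer

# View the queue: job ID, document, owner, status and page counts (order of listing = print order)
Get-PrintJob -PrinterName $printer |
    Format-Table ID, DocumentName, UserName, JobStatus, PagesPrinted, TotalPages -AutoSize

# Pause, resume and restart a single job by ID (here the first one in the queue)
$job = Get-PrintJob -PrinterName $printer | Select-Object -First 1
if ($job) {
    Suspend-PrintJob -PrinterName $printer -ID $job.ID
    Resume-PrintJob  -PrinterName $printer -ID $job.ID
    # Restart sends the job again from page one (the wrong ink / wrong paper case above)
    Restart-PrintJob -PrinterName $printer -ID $job.ID
}

# Reorder: raise one job's priority through WMI. Win32_PrintJob.Name is "<printer>, <job id>";
# Priority runs from 1 (lowest) to 99 (highest), and higher-priority jobs print first,
# exactly what the Priority slider in the job's Properties dialog changes.
$wmiJob = Get-WmiObject -Class Win32_PrintJob |
    Where-Object { $_.Name -like "$printer, *" } |
    Select-Object -First 1
if ($wmiJob) {
    $wmiJob.Priority = 99
    $wmiJob.Put() | Out-Null
}

# Cancel everything still queued ("Cancel All Jobs"); a job already being printed may complete
Get-PrintJob -PrinterName $printer | Remove-PrintJob
```

Suspend-PrintJob, Resume-PrintJob, Restart-PrintJob and Remove-PrintJob all accept the objects Get-PrintJob emits on the pipeline as well, which is the convenient form when you need to act on a filtered subset (for example, every job owned by one user).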

Managing Print Server Properties


Windows 8.1 includes Print and Document Services. Windows 8.1 can act as a print server or connect to Windows-based print servers through the Print Management console and manage them remotely. The Print Management console is included in the built-in administration tools in Windows 8.1. It allows administrators to perform management tasks such as:
- Install printer drivers and print devices
- Manage print queues
- View the status of printers

Installing Printer Drivers and Print Devices

You might need to support both 32-bit printer drivers and 64-bit printer drivers. The Print Management console allows you to add printer drivers to the printer driver store that is found in the Windows\System32\spool\drivers folder. You can use the Add Printer Driver Wizard to add drivers.

You also can add print devices by using the Network Printer Installation Wizard. The wizard allows you to:
- Search a network for printers.
- Add a TCP/IP or Web Service Printer by IP address or host name.
- Add a new printer by using an existing port.
- Create a new port and add a new printer.

Managing Print Queues

You can view all installed printers in the Printers node. You can view a printer's queue by right-clicking the printer and selecting Open Printer Queue from the shortcut menu.

View the Status of Printers

The Printer node shows information about each printer, including the queue status, number of jobs in the queue, name and version of the printer driver, and the driver type.


Lab B: Configuring Printers


Scenario
A. Datum Corporation wants to use shared printers in its environment.

Objectives
After you complete this lab, you will be able to create and share a local printer.

Lab Setup
Estimated Time: 10 minutes
Virtual machines: 20687C-LON-DC1, 20687C-LON-CL1, 20687C-LON-CL2
User names: Adatum\Administrator and Adatum\Ed
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687C-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in by using the following credentials:
   o User name: Adatum\Administrator
   o Password: Pa$$w0rd
5. Repeat steps 2 and 3 for 20687C-LON-CL1 and 20687C-LON-CL2. Do not sign in until directed to do so.

Exercise 1: Creating and Sharing a Local Printer


Scenario
You need to create and share a printer on one of the local systems and then test connectivity to it. The main tasks for this exercise are as follows:
1. Add and share a local printer.
2. Configure printer security.
3. Sign in to LON-CL2 as Ed.
4. Connect to a network printer.

Task 1: Add and share a local printer


1. Sign in to LON-CL1 as Adatum\Administrator, and then open Control Panel.
2. Open the Add Printer Wizard.
3. Create and share a Microsoft OpenXPS printer named ManagersPrinter by using the Nul port.

Task 2: Configure printer security


1. Open the Print Management console.
2. Configure the ManagersPrinter so that Managers can print to it, and not Everyone.
3. Pause the ManagersPrinter.


Task 3: Sign in to LON-CL2 as Ed


Sign in to LON-CL2 as Adatum\Ed.

Task 4: Connect to a network printer


1. On LON-CL2, open the Add Printer Wizard.
2. Connect to ManagersPrinter.
3. Switch to LON-CL1, verify that the test page is in the ManagersPrinter queue, and then click Resume Printing.

Results: After completing this exercise, you should have created, shared, and tested a printer.
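The four tasks of this exercise scripted with the PrintManagement cmdlets, as an added example that is not part of the course. Assumptions, each marked in the code: the Adatum domain with a group named Managers, the in-box driver name "Microsoft OpenXPS Class Driver", a default port named "nul:", and that the printer's default ACL grants Everyone the ACE (A;;SWRC;;;WD), which is the Print right; confirm the driver and port names with Get-PrinterDriver and Get-PrinterPort before running.

```powershell
# Added example (not from the course): Lab B, Exercise 1, in PowerShell.
# Assumed names: domain group ADATUM\Managers, in-box driver, default nul: port.
$name   = 'ManagersPrinter'
$driver = 'Microsoft OpenXPS Class Driver'    # assumed in-box driver name; verify with Get-PrinterDriver
$port   = 'nul:'                              # assumed default port name; verify with Get-PrinterPort

# Optional: stage a vendor driver in the driver store first (placeholder path, not from the course)
# pnputil.exe -a 'C:\Drivers\Vendor\printer.inf'

# Task 1 (on LON-CL1 as an administrator): create and share the printer
Add-Printer -Name $name -DriverName $driver -PortName $port -Shared -ShareName $name

# Task 2: replace the ACL so only Managers (plus Administrators) can print.
# Assumed default ACL: Administrators (BA) full control, CREATOR OWNER (CO) manages its own
# documents, Everyone (WD) holds (A;;SWRC;;;WD) = Print. The SDDL below keeps BA and CO,
# drops the Everyone ACE, and grants the same Print ACE to the Managers group SID instead.
$account     = New-Object System.Security.Principal.NTAccount('ADATUM', 'Managers')
$managersSid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
$sddl = 'O:BAG:DUD:' +
        '(A;OIIO;RPWPSDRCWDWO;;;BA)(A;;LCSWSDRCWDWO;;;BA)' +
        '(A;OIIO;RPWPSDRCWDWO;;;CO)' +
        "(A;;SWRC;;;$managersSid)"
Set-Printer -Name $name -PermissionSDDL $sddl

# Pause the whole printer. PrintManagement has no cmdlet for that, so use the Win32_Printer method.
(Get-WmiObject -Class Win32_Printer -Filter "Name='$name'").Pause() | Out-Null

# Task 4 (run these two lines on LON-CL2 as Ed): connect to the share and send a test page
# Add-Printer -ConnectionName '\\LON-CL1\ManagersPrinter'
# rundll32.exe printui.dll,PrintUIEntry /k /n '\\LON-CL1\ManagersPrinter'

# Back on LON-CL1: the test page should be sitting in the paused queue; then resume printing
Get-PrintJob -PrinterName $name | Format-Table ID, DocumentName, UserName, JobStatus -AutoSize
(Get-WmiObject -Class Win32_Printer -Filter "Name='$name'").Resume() | Out-Null
```

Get-Printer -Name $name -Full returns the PermissionSDDL currently in force, which is the quickest way to confirm that the Everyone ACE is gone after Task 2. Because the printer is bound to the nul: port, the resumed test page is discarded rather than printed, which is what makes the lab safe to repeat.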

To prepare for the next module


When you have finished the lab, revert all virtual machines back to their initial state:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687C-LON-CL2, and then click Revert.
3. In the Revert Virtual Machines dialog box, click Revert.
4. Repeat steps 2 to 3 for 20687C-LON-CL1 and 20687C-LON-DC1.


Module Review and Takeaways


Best Practice: NTFS Permissions
Supplement or modify the following best practices for your own work situations:
- To simplify the assignment of permissions, you can grant the Everyone group Full Control share permission to all shares and use only NTFS permissions to control access.
- Restrict share permissions to the minimum required, to provide an extra layer of security in case NTFS permissions are configured incorrectly.
- When permission inheritance is blocked, you have the option to copy existing permissions or begin with blank permissions. If you only want to restrict a particular group or user, then copy existing permissions to simplify the configuration process.

Best Practice: Managing Shared Folders
Supplement or modify the following best practices for your own work situations:
- If the guest user account is enabled on your computer, the Everyone group includes anyone. In practice, remove the Everyone group from any permission lists and replace it with the Authenticated Users group.
- Using a firewall other than that supplied with Windows 8.1 can interfere with the network discovery and file sharing features.

Review Questions
Question: A. Datum is installing Microsoft Dynamics GP and has contracted with a vendor to provide some custom programming work. Joseph, a senior IT desktop specialist at A. Datum, has been asked to configure the NTFS permissions for the GP planning files that the company will be accumulating. A. Datum has asked that all IT users be assigned Modify permissions to the GP Implementation Planning folder. However, A. Datum only wants the subfolder titled Vendor Contracts to be available for viewing by a select group of managers. How can Joseph accomplish this by taking into account permission inheritance?

Question: Robin recently created a spreadsheet in which she explicitly assigned it NTFS file permissions that restricted file access to herself only. Following the system reorganization, the file moved to a folder on another NTFS partition, and Robin discovered that other users were able to access the spreadsheet. What is the probable cause of this situation?


Tools
Use the following command-line tools to manage file and printer sharing.

Tool          Description
Net share     Share folders at the command prompt.
Net use       Connect to shared resources at the command prompt.
Icacls.exe    Configure NTFS file and folder permissions at the command prompt.
Compact.exe   Compress NTFS files and folders at the command prompt.
Pnputil.exe   Preinstall printer drivers in the driver store.

Module 10
Securing Windows 8.1 Devices
Contents:
Module Overview                                              10-1
Lesson 1: Authentication and Authorization in Windows 8.1    10-2
Lesson 2: Implementing Local Policies                        10-11
Lab A: Implementing Local GPOs                               10-20
Lesson 3: Securing Data with EFS and BitLocker               10-23
Lab B: Securing Data by Using BitLocker                      10-45
Lesson 4: Configuring UAC                                    10-47
Lab C: Configuring and Testing UAC                           10-54
Module Review and Takeaways                                  10-56

Module Overview

Users are becoming increasingly computer-literate, and they expect more from the technology that they use at work. They expect to be able to work from home, from branch offices, and on the road without a decrease in their productivity or a loss of access to the programs and applications that they need most. As the needs of users have changed, the demands on information technology (IT) support professionals have increased. Today, support professionals need to provide more capabilities and to support greater flexibility while continuing to minimize security risks. In this module, you will explore features of the Windows 8.1 operating system that you can use to maintain a secure computer environment for your users by using Encrypting File System (EFS), BitLocker Drive Encryption, and User Account Control (UAC).

Objectives
After completing this module, you will be able to:
- Implement authentication and authorization features in Windows 8.1.
- Use GPOs to configure local policies.
- Describe how to secure data with EFS and BitLocker Drive Encryption.
- Describe how to configure UAC.


Lesson 1

Authentication and Authorization in Windows 8.1

Windows 8.1 provides a number of security technologies for devices, including authentication and authorization, volume-based encryption for files and disks, and UAC. Some of these security technologies strengthen the overall Windows infrastructure, and others are useful in controlling your system and your data. Before effectively defining Windows 8.1 security measures such as NTFS file system permissions and file and folder sharing properties, it is essential that you understand the user account types that are used during security configuration and how the Kerberos Version 5 (V5) protocol authenticates and authorizes user logons. This lesson examines the authentication and authorization features that provide the foundation for the Windows security infrastructure.

Lesson Objectives
After completing this lesson, you will be able to:
- Describe authentication and authorization.
- Describe the process of authentication and authorization.
- Identify and describe important security features in Windows 8.1.
- Describe how to use biometrics for authentication.
- Describe how to configure a picture password or PIN for authentication.
- Describe how to integrate Virtual Smart Cards into the authentication process.

What Are Authentication and Authorization?


Authentication is the process that confirms a user's identity when he or she accesses a computer system or a system resource. In private and public computer networks, including the Internet, the most common authentication method that controls access to resources is the verification of a user's credentials, typically a user name and password. However, for certain critical transactions such as payment processing, user name and password authentication has an inherent weakness because passwords can be stolen or revealed inadvertently. Because of this weakness, most Internet businesses implement digital certificates that a certification authority (CA) issues and verifies. Authentication logically precedes authorization.

Authorization allows a system to determine whether an authenticated user can access and update secured system resources. Examples of authorized permissions include file and file-directory access, hours of access, amount of allocated storage space, and other specifications. Authorization has two facets:
- A system administrator initially defines permissions for system resources.
- A system or application verifies users' permission values when users attempt to access or update a system resource.


You can provide authorization and access without implementing authentication. Typically, this is the case when permissions are granted for anonymous users who are not authenticated. Usually, these permissions are limited.

The Process of Authentication and Authorization


To understand the authentication and authorization process, you first must understand the role of user accounts. A user account is a collection of information that the Windows operating system uses to determine the user rights and access permissions a person has on a computer. A user account records the user name, password, and a unique number that identifies that account.

User Account Types and Rights


Windows 8.1 has three different user account types, all of which offer users varying degrees of access. The different user account types are:

- Standard. Users with this account type can use most of the capabilities of a computer. A person who logs on with a standard user account can use most apps on the computer and can change settings that affect his or her user account. However, the user typically cannot install or uninstall software and hardware, delete files that the computer requires, or change settings that affect other users or the computer's security. The system might prompt a standard user for an administrator password before he or she can perform certain tasks.

- Administrator. Users with this account type can make changes that affect other users. Administrators can change security settings, install software and hardware, and access all files on a computer. Administrators also can make changes to other user accounts.

- Guest. Users with this account type have temporary access to another user's computer. People who use guest user accounts cannot install software or hardware, change settings, or create a password. You must enable this feature before your guests can use it.

Note: When you set up a computer, you are required to create an administrator user account, which provides the ability to set up your computer and install any device-wide apps that you want. After setup is complete, you should use a standard user account for your daily computing tasks. Users then can use Windows Store to install user-specific apps. It is more secure to use a standard user account than an administrator account. When you use a standard account, you can prevent accidental changes that affect anyone who uses the computer, especially if your user account credentials are stolen.

Windows Authentication Methods

Users must authenticate to verify their identity when they access files over a network. Authentication is performed during the network logon process. The Windows 8.1 operating system supports the following authentication methods for network logons:

- Kerberos protocol. This is the main logon authentication method that is used by clients and servers that are running Windows operating systems. It provides authentication for user and computer accounts.

- NTLM. This method provides backward compatibility with pre-Windows 2000 operating systems and some applications. However, it is less flexible, less efficient, and not as secure as the Kerberos protocol.

- Certificate mapping. Typically, this method is used in conjunction with smart cards. The certificate stored on a smart card is linked to a user account for authentication. A smart card reader is used to read a smart card and authenticate a user.

Kerberos Authentication
For Windows 8.1 clients, the Kerberos authentication protocol provides the mechanism for mutual authentication between a client and a server before a network connection is opened between them.

Note: Active Directory Domain Services (AD DS) implements Kerberos authentication.

In a client/server application model:

- Windows 8.1 clients are apps that act on behalf of users who need to perform a task such as opening a file, accessing a mailbox, querying a database, or printing a document.

- Servers, such as Windows Server 2012, are apps that provide services to clients. Some examples of services include file storage, mail handling, query processing, print spooling, and a number of other specialized tasks.

Clients initiate an action and servers respond. Typically, this means that a server listens to a communications port, waiting for clients to connect and ask for service.

In the Kerberos security model, every client/server connection begins with authentication. The client and server, in turn, step through a sequence of actions that helps parties on each end of the connection verify that the party on the other end is genuine. If authentication is successful, session setup completes, and the client/server application can start working.

Benefits of Kerberos Authentication for Windows 8.1 Clients

The Kerberos protocol allows you to turn off NTLM authentication once all network clients are capable of Kerberos authentication. The Kerberos protocol is more flexible, efficient, and secure than NTLM. The benefits of using Kerberos authentication are:

- Faster connections. With NTLM authentication, an application server must connect to a domain controller to authenticate each client. With Kerberos authentication, a server does not need to connect to a domain controller. It can authenticate a Windows 8.1 client by examining the credentials that the client presents. Clients can obtain credentials for a particular server once and then reuse them throughout a network logon session.

- Mutual authentication. By using NTLM, servers can verify the identities of their clients. However, clients cannot use NTLM to verify a server's identity, and servers cannot verify the identity of another server. NTLM authentication is suited to a network environment in which servers are assumed to be genuine. The Kerberos protocol makes no such assumptions, and it enables parties at both ends of a network connection to identify and verify the party on the other end.
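Before NTLM can be turned off, you need to know which clients still rely on it. The following script is an added example for this module, not code from the course or from Microsoft. It reads Security event 4624 (an account was successfully logged on) on the local computer and groups the logons by the authentication package that handled them. The event count, the default filter on logon type 3 (network logon), and the function name are example choices; the event field names (AuthenticationPackageName, LmPackageName, LogonType) are those recorded by Windows in event 4624. Run it from an elevated PowerShell prompt, because reading the Security log requires administrator rights.

```powershell
# Added example for this course module (not Microsoft's own code): summarize which
# authentication package (Kerberos or NTLM) handled recent logons on this computer
# by reading Security event 4624. Run from an elevated PowerShell prompt because the
# Security log requires administrator rights. $MaxEvents and the logon-type filter
# are example choices.

function Get-LogonAuthenticationPackages {
    param(
        [int]$MaxEvents = 2000,
        # Logon type 3 is a network logon (for example, a file share). Pass $null to see all types.
        [Nullable[int]]$LogonType = 3
    )

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Event 4624 carries its fields as <Data Name="..."> elements; pull them into a hashtable
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($null -ne $LogonType -and [int]$data['LogonType'] -ne $LogonType) { continue }

        [pscustomobject]@{
            Time        = $e.TimeCreated
            User        = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            LogonType   = [int]$data['LogonType']
            AuthPackage = $data['AuthenticationPackageName']   # Kerberos, NTLM, or Negotiate
            LmPackage   = $data['LmPackageName']               # for NTLM logons: NTLM V1 or NTLM V2
            SourceIP    = $data['IpAddress']
        }
    }
}

$logons = Get-LogonAuthenticationPackages

# Overall split between Kerberos and NTLM for the sampled logons
$logons | Group-Object AuthPackage | Select-Object Name, Count | Format-Table -AutoSize

# Accounts and source addresses still arriving over NTLM: these are the clients to
# investigate before NTLM is turned off in favor of Kerberos
$logons | Where-Object { $_.AuthPackage -eq 'NTLM' } |
    Group-Object User, SourceIP |
    Select-Object @{ n = 'User, SourceIP'; e = { $_.Name } }, Count |
    Sort-Object Count -Descending | Format-Table -AutoSize
```

A server that still sees NTLM V1 in the LmPackage column has clients that need attention first, since NTLM V1 is the weakest of the packages listed. Running the same script on a file server rather than a workstation gives the broader picture, because the logon events are recorded on the computer that accepted the connection.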

Question: Which authentication method is used when a client computer that is running Windows 8.1 logs on to AD DS?

Important Security Features in Windows 8.1


The Windows 8.1 operating system improves platform security by including a number of apps that help simplify the balancing of security and usability. To diagnose, troubleshoot, and resolve any security-related issues quickly and effectively, you must understand how the new Windows 8.1 security features work. The Windows 8.1 operating system provides the following assortment of tools and features that maximize platform and client security while balancing security and usability:

- Windows 8.1 Action Center. This is the starting point for diagnosing and solving system issues. It also is a central location for users to address messages about their local computer.

- EFS. This is a built-in encryption tool for Windows-based file systems.

- BitLocker and BitLocker To Go. These tools help mitigate unauthorized data access by rendering data inaccessible when you decommission or recycle BitLocker-protected computers. BitLocker To Go provides similar protection for data on removable data drives.

- AppLocker. Administrators can use this tool to specify exactly which apps and services can run on a user's computer.

- UAC. Users can use this tool to run their computers as standard users and still perform all necessary daily tasks.

- Windows Firewall with Advanced Security (WFAS). This snap-in provides protection from malicious users and apps that rely on unsolicited incoming traffic to attack computers.

- Windows Defender. This feature helps protect your computer from spyware and other forms of malicious software.

Using Biometrics for Authentication


The Windows Biometric Framework (WBF) was first introduced in Windows 7. However, different types of advanced hardware that take full advantage of the WBF only became available in Windows 8 and Windows 8.1. Biometrics is another example of two-factor authentication, which is an authentication method that requires two different factors. These factors may include something the user provides, such as certificates; something the user knows, such as user names, passwords, or pass phrases; physical attributes, such as a thumbprint; or personal attributes, such as a personal signature. Biometrics allows for validation of user credentials in a growing number of ways, including fingerprint recognition, retinal scanning, and facial recognition. Biometrics is becoming the preferred method of authentication on mobile devices.

The Windows Biometrics Service is set to manual start by default. In Windows 8.1, this service:

- Captures the input data from a biometric scan and stores it in a template.
- Securely stores and manages the biometric template for future use.
- Can be mapped to a unique identifier such as a GUID or a security identifier.
- Allows additional templates to be created.
- Can be extended by developers by using the WBF application programming interface (API).

In addition to the low-level framework support, Windows 8.1 offers users the following management features that support biometrics:

- A fingerprint management application within PC settings.
- Support for installed biometric devices within Device Manager.
- Group Policy Objects (GPOs) for configuring system-wide biometric options.
- Credential Provider support that allows biometric data to be used to log on to a local or domain-joined computer.

Note: Although the WBF is built into Windows 8.1, you must install a biometric device to take advantage of the framework. Installed devices will appear in Device Manager and the Control Panel.

Biometric Fingerprints

Currently, the WBF in Windows 8.1 only supports the fingerprint biometric factor. All versions of Windows 8.1 support biometrics, allowing users to acknowledge a multitude of requests such as Windows sign-in, remote access, and UAC by using their fingerprints. You can record your fingerprint by using biometrics in Windows 8.1 by following the steps below:

1. On the Start screen, type Fingerprint.
2. Browse to PC Settings, click Accounts, and then click Sign-in options.

Note: The fingerprint option will only be available if there is a WBF-supported fingerprint reader installed on the Windows 8.1 device.

When the biometric scanning process uses a fingerprint, the actual fingerprint picture is not itself stored. Biometrics converts the scan into information that is required by the template. The sign-in process then uses this information in a similar manner as the use of a password for authentication.

Credential Management UI Integration

After you configure fingerprint-based authentication, you can use it as an alternative way to authenticate at a Windows password prompt. Whenever the Windows operating system requires a specific user to authenticate, the Credential Management UI (CredUI) interface will display the option to authenticate via a fingerprint.

Note: Windows 8 provided a biometric devices Control Panel item. Windows 8.1 does not include this item, but provides additional support through independent software vendors or directly via the application that uses the fingerprint biometric feature.

Picture Passwords

Windows 8.1 is designed to be operated in both touch and traditional PC scenarios. The touch interface offers a new way for users to log on and authenticate. Windows 8 introduced the option to use a picture password or PIN as a logon option. For touch users, the use of a picture password or PIN is more intuitive and quicker than the use of an on-screen keyboard to type a complex password. For your picture password, you can choose a picture that came with Windows 8.1, or you can add your own picture and then create gestures to create your own personal logon. When selecting an appropriate picture, use one that has several points of interest, as this will increase the complexity of the password.

Gestures

By selecting a personal picture and drawing gestures in a way that is meaningful only to the user, a picture password can be extremely secure and difficult for a hacker to crack. When you add gestures to your picture password, you can choose from the gestures below:

- A tap
- A small clockwise circle
- A small counterclockwise circle
- A larger clockwise circle
- A larger counterclockwise circle
- A straight line drawn between any two points of interest on your picture

Microsoft has increased the security of the picture password feature by introducing two safeguards against repeated attacks:

- When you enter your picture password incorrectly five times, the system will prevent you from using the feature again until you log on with your plain text password.
- To mitigate network attacks, the picture password is disabled in remote and network scenarios.

PIN Authentication

The option to use a four-digit PIN to sign in to Windows 8.1 offers users a simple, familiar, and quick way to unlock their devices. Domain users are restricted from using a PIN password. However, an administrator can override this restriction by configuring the Turn on PIN sign-in GPO within the Computer Configuration\Administrative Templates\System\Logon container.

For more information, see Signing in with a picture password on the MSDN Blogs website.
http://go.microsoft.com/fwlink/?LinkId=378246&clcid=0x409

Note: Although a PIN might not be suitable in situations where complex passwords are required, both the picture password and PIN sign-in options are attractive to users in low-risk environments such as home users and those on personal devices.

Demonstration: Configuring a Picture Password or PIN for Authentication


In this demonstration, you will see how to:

- Create a picture password to sign in with gestures
- Create a PIN password to sign in

Demonstration Steps

Create a picture password to sign in with gestures

1. Sign in to LON-CL4 as Admin with password Pa$$w0rd.
2. On the Start screen, type Picture Password, and then click Set up picture password.
3. Click Choose picture, and then draw three gestures on your picture.
4. Click Finish, and then close the Sign-in account app.

Create a PIN password to sign in


1. On the Start screen, type PIN, and then click Set up PIN sign-in.
2. In the Sign-in options window, under the PIN option, click Add, and then create a PIN.

Integrating Virtual Smart Cards into the Authentication Process


Windows 8.1 builds on the features of Windows 7 and offers enhanced support for smart cards. System administrators can use smart cards to protect the security of an organization's computers and devices. Smart card technology offers significant advantages in the protection of business assets. However, with the exception of large and medium-sized organizations, there has not been a widespread adoption of smart card technology. Reasons include the additional cost of hardware devices and the complexity of smart card management and control.

To address these issues, Windows 8.1 introduces Virtual Smart Card technology. Network administrators can bring this technology to end users without the previous hardware requirements of card readers and the cards themselves. At the same time, Virtual Smart Cards still take advantage of the Personal Identity Verification benefits that the smart card feature provides.

Note: Smart cards are another example of multifactor authentication. The user must have access to a smart card reader and knowledge of the password or PIN to be able to authenticate and gain access to a system.

Many Windows 8.1 devices now ship with a Trusted Platform Module (TPM) that meets specification version 1.2. A Virtual Smart Card takes advantage of a device's tamper-resistant TPM security chip to store the certificates that are used to authenticate each user account. Because a TPM is an internal component of a device, you can configure a Virtual Smart Card to protect the device whether or not it is domain-joined.

Being virtual, once you configure a device to use TPM, you do not require any further hardware or cards. Effectively, the device acts as a smart card reader, and users supply an unlock PIN that is personal to them. A TPM chip can store up to six Virtual Smart Cards.

Note: If a TPM is present, it might need to be turned on in the system BIOS/Unified Extensible Firmware Interface (UEFI) firmware.

Note: You must run the Tpmvscmgr.exe command-line utility with local administrator permissions to gain access to a TPM and generate a Virtual Smart Card.

Tpmvscmgr.exe

Windows 8.1 provides the Tpmvscmgr.exe Virtual Smart Card management tool that administrators can use to provision Virtual Smart Cards on a device. The syntax of Tpmvscmgr.exe is as follows:

tpmvscmgr.exe create /name NameofVSC /pin prompt /puk prompt /adminkey random /generate

Notice that the command is configured to ask the user for a PIN. The user also is asked for a PIN unlock key (PUK), which can be used to unlock a Virtual Smart Card and reset the PIN if it is forgotten. The default PIN and PUK must be at least eight characters long. Once the command has completed, you will be notified of the device instance ID for the NameofVSC. You should record this device instance ID so that, if required, you will be able to delete the Virtual Smart Card from the device. You also are able to configure an administrator key, which provides an alternative method of unlocking a card for a PIN reset. In the above example, Tpmvscmgr.exe will generate a random 48-hexadecimal-digit administrator key.

In Windows 8.1, the process to enroll TPM-enabled devices to be used as a Virtual Smart Card device has improved. The high-level process for using a Virtual Smart Card is as follows:

1. Enable TPM 1.2 in BIOS/UEFI firmware.
2. Create and install a Virtual Smart Card by using the Virtual Smart Card management tool, Tpmvscmgr.exe.
3. Enroll for a logon certificate (protected by the TPM).
4. Sign in to the device with the smart card PIN.

The default PIN policy for a Virtual Smart Card that is generated by Windows 8.1 is as follows:

- Minimum length of 8
- Maximum length of 127
- Uppercase characters allowed
- Lowercase characters allowed
- Digits allowed
- Special characters allowed

Note: The lower and upper boundaries for PIN length are 4 and 127 respectively.

In a corporate AD DS environment, you likely have a CA configured already. Once your device has created a Virtual Smart Card, you then will enroll for a logon certificate from your Windows CA by using the Certificate Enrollment Wizard. The wizard is found in the Certificates Microsoft Management Console (MMC) snap-in, which you open by typing Certmgr.msc at the Start screen.

Note: A PIN typically is a secret numeric password. However, a Virtual Smart Card allows a PIN to include digits, alphabetic and special characters, and not just numbers. The term PIN has been retained because legacy smart cards used simple numeric PINs.

For more information, see Understanding and Evaluating Virtual Smart Cards at the Microsoft Download Center.
http://go.microsoft.com/fwlink/?LinkId=378248&clcid=0x409
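The course tells you to record the device instance ID that Tpmvscmgr.exe reports so the card can be deleted later. The following PowerShell script is an added example for this module, not code from the course or from Microsoft: it runs the create command shown above, captures the instance ID from the tool's output, records it to a file, confirms the virtual reader is present, and keeps the matching destroy command beside it. The card name, the record file path, and the function-free layout are example choices; the create and destroy syntax and the ROOT\SMARTCARDREADER\<number> form of the instance ID are those of Tpmvscmgr.exe, but check the exact wording of the output line on your own system.

```powershell
# Added example for this course module (not Microsoft's own code): provision a
# Virtual Smart Card with Tpmvscmgr.exe, record the device instance ID the tool
# reports, and keep the matching removal command. Run from an elevated prompt
# (local administrator) on a device whose TPM is enabled in the BIOS/UEFI firmware.
# The card name, record file path, and the exact wording of the tool's output line
# are example values; check them against the output on your own system.

$cardName = 'ContosoVSC'                                        # example card name
$idLog    = Join-Path $env:ProgramData 'vsc-instance-ids.txt'   # example record file

# Create the card. /pin prompt and /puk prompt ask interactively for the PIN and PUK,
# /adminkey random generates the 48-hex-digit administrator key, and /generate builds
# the card's file system so that it is ready for certificate enrollment.
# Tee-Object shows the prompts on screen while also capturing the output.
& tpmvscmgr.exe create /name $cardName /pin prompt /puk prompt /adminkey random /generate 2>&1 |
    Tee-Object -Variable output
if ($LASTEXITCODE -ne 0) { throw "tpmvscmgr.exe create failed (exit code $LASTEXITCODE)" }

# Tpmvscmgr.exe prints the device instance ID of the new virtual reader, which has the
# form ROOT\SMARTCARDREADER\<number>. Extract it so that it can be kept for later removal.
$match = $output | Out-String | Select-String -Pattern 'ROOT\\SMARTCARDREADER\\\d+'
if (-not $match) { throw "Device instance ID not found in the tool output; record it by hand." }
$instanceId = $match.Matches[0].Value
Add-Content -Path $idLog -Value ('{0} {1} {2}' -f (Get-Date -Format s), $cardName, $instanceId)

# Confirm that the virtual reader is present (Get-PnpDevice ships with Windows 8.1).
Get-PnpDevice -InstanceId $instanceId | Format-List FriendlyName, Status, InstanceId

# When the card is no longer needed, the recorded instance ID is what the destroy
# command requires:
#   tpmvscmgr.exe destroy /instance $instanceId
```

The record file is deliberately kept outside the user profile so that a different administrator can find the instance ID when the card has to be removed from a decommissioned device. The next step in the process, enrolling for the logon certificate, is done in the Certificates snap-in as described above.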

Lesson 2

Implementing Local Policies

Before learning about the important security features in Windows 8.1, it is important that you understand the best ways in which to configure security-related settings in Windows 8.1. Although you can perform computer-specific administration and configuration tasks manually, it can be more efficient to implement your planned configuration settings by using GPOs. GPOs provide an infrastructure for centralized configuration management of operating systems and the applications that run on operating systems. This lesson discusses Group Policy fundamentals such as the difference between local and domain-based policy settings. It also describes how you can use Group Policy to simplify managing computers and users in an AD DS environment.

Lesson Objectives
After completing this lesson, you will be able to:

- Describe Group Policy.
- Describe how to apply GPOs.
- Describe how multiple local GPOs work.
- Describe how to create multiple local GPOs.
- Describe how to configure local security policy settings.
- Describe Microsoft Security Compliance Manager.

Overview of Group Policy


Group Policy is a technology that you can use to manage a large number of computer and user accounts efficiently through a centralized model. GPOs commonly are used in corporate environments in which several computers and users are part of the same domain. By using GPOs, you can impose certain behaviors on several features for the computers and users that belong to the AD DS domain. GPOs can define computer settings ranging from the computer desktops to screen saver timeouts. You configure Group Policy changes on a server, which then propagates to each client computer in the domain.

Group Policy in Windows 8.1 uses XML-based templates to describe registry settings. When you enable settings in these templates, you can use Group Policy to apply computer and user settings either on local computers or centrally through AD DS. You can use Group Policy to:

- Apply customized or specific configurations.
- Deploy software applications.
- Enforce security settings.
- Enforce a standardized desktop environment.

Local Group Policy in Windows 8.1

A local GPO is the least influential object in an AD DS environment because its settings can be overwritten by GPOs that are associated with sites, domains, and organizational units (OUs). In an environment that is not networked, or in a networked environment that does not have a domain controller, local GPO settings are important because they are not overwritten by other GPOs. Stand-alone computers only use local GPOs to control the environment.

Each Windows 8.1 computer has one local GPO that contains default computer and user settings regardless of whether the computer is part of an AD DS environment. In addition to this default local GPO, you can create custom local user GPOs. You can maintain these local GPOs by using the Local Group Policy Editor snap-in.

Note: To access the Local Group Policy Editor, open a new Microsoft Management Console (MMC) by running Mmc.exe, and then add the Group Policy Object Editor snap-in to the MMC.

By using Group Policy, you can define the state of users' work environments once and then rely on the system to enforce the policies that you define. With the Group Policy snap-in, you can specify policy settings for the following:

- Registry-based policies. These include Group Policy for the Windows 8.1 operating system, its components, and for apps. To manage these settings, use the Administrative Templates node of the Group Policy Editor snap-in.

- Security options. These include options for local computer security settings.

- Software installation and maintenance options. You can use these to centrally manage program installation, updates, and removal.

- Script options. These include scripts for computer startup and shutdown, and user sign-in and sign-out.

Using the Group Policy Object Editor


The Group Policy Object Editor contains the following major nodes:

- Computer Configuration. This section enables you to set policies that are applied to a computer regardless of who logs on to the computer. Computer Configuration typically contains subitems for software settings, Windows settings, and administrative templates.

- User Configuration. This section enables you to set policies that apply to users regardless of which computer they sign in to. User Configuration typically contains subitems for software settings, Windows settings, and administrative templates.

To use the Group Policy Object Editor, perform the following steps:

1. Expand the GPO that you want, such as Local Computer Policy.
2. Expand the configuration item that you want, such as Computer Configuration.
3. Expand the subitem that you want, such as Windows Settings.
4. Navigate to the folder that contains the policy setting that you want. The policy settings are displayed in the right pane of the Group Policy Editor snap-in.

Note: If no policy is defined for the selected item, right-click the folder that you want. On the shortcut menu that appears, point to All Tasks, and then click the command that you want. The commands that are displayed on the All Tasks submenu are context-sensitive. Only those commands that are applicable to the selected policy folder appear on the menu.

5. In the Setting list, double-click the policy setting that you want.

Note: When you work with policy settings in the Administrative Templates folder, if you want to view more information about the selected policy setting, click the Extended tab in the right pane of the MMC.

6. Edit the settings of the policy in the dialog box that appears, and then click OK.
7. When you are finished, quit the MMC.

Note: If you need to maintain domain-level GPOs from a Windows 8.1 client computer without initiating an interactive session, you first must install Remote Server Administration Tools (RSAT) on your Windows 8.1 client computer, and then install the Group Policy Management Console (GPMC). This provides remote access to the domain-level GPOs on Windows Server 2008 and newer servers.

For more information, see Remote Server Administration Tools for Windows 8.1 Preview at the Microsoft Download Center.
http://go.microsoft.com/fwlink/?LinkId=378249&clcid=0x409

How Do You Apply GPOs?


Client components known as Group Policy client-side extensions initiate Group Policy by requesting GPOs from the domain controller that authenticated them. Group Policy client-side extensions interpret and apply policy settings. Windows 8.1 applies computer settings when a computer starts, and it applies user settings when a user signs in to a computer. Both computer and user settings are refreshed at regular, configurable intervals. The default refresh interval is every 90 minutes. Group Policy is processed in the following order:

1. Local Computer Policy settings.
2. Site-level policy settings.

Note: In smaller networks, you likely will configure all computers as part of a default AD DS site object. Therefore, you can disregard the site-level AD DS container when planning GPOs.

3. Domain-level policy settings.
4. OU policy settings.

Note: Typically, you create an OU to contain objects such as users and computers that you wish to administer in a similar manner. For example, you might want to delegate control of all those objects to a local administrator, or you might want all the objects in an OU to have the same configured settings. In small networks, you can configure most settings at the domain level, and then it is unnecessary to create complex, nested OU structures for management purposes.

Policy settings that are applied to higher-level containers pass through to all subcontainers in that part of the AD DS tree. For example, a policy setting applied to an OU also applies to any child OUs below it. If policy settings are applied at multiple levels, a user or computer receives the effects of all policy settings. In case of a conflict between policy settings, the policy setting that is applied last is the effective policy, though you can change this behavior as necessary.

Note: You can enforce individual policies, which ensures that the settings from an enforced policy take precedence over other settings further down the AD DS tree. It also is possible to block inheritance, although blocking is applied to containers rather than to policies.

In large network environments with many containers and policies, it sometimes can be difficult to determine which settings from which policies are in force on a given computer or user. A domain administrator can use the Group Policy Modeling and Group Policy Results nodes in the GPMC to help determine the application of policies.

How Multiple Local GPOs Work


Securing computers and users' devices is an important responsibility of a network administrator. Given the plethora of configurable settings, most domain administrators manage these settings by using domain-based GPOs. For stand-alone Windows 8.1 client computers, you can address this issue through Multiple Local Group Policy Objects (MLGPOs). MLGPOs improve previous Local Group Policy technology by allowing you to apply different levels of Local Group Policy to local users on a stand-alone computer. This technology is ideal for shared computing environments where domain-based management is not available, such as shared library computers or public Internet kiosks.

Introduction to MLGPO
Local Group Policy is a subset of the broader Group Policy technology. Group Policy is domain-based, whereas Local Group Policy is specific to a local computer. Both technologies allow you to configure specific settings in the operating system and then force those settings to computers and users.

Local Group Policy is not as robust as Group Policy. For example, you can use Group Policy to configure any number of policies that might affect some, all, or none of the users of a domain-joined computer. You can even use Group Policy to apply policies to users that have specific group memberships.

Local Group Policy

The Local Group Policy layer is the topmost layer in the list of MLGPOs. Local Group Policy, which also is known as the Local Computer Policy, is the only Local GPO that allows computer settings. Besides computer settings, you can select user settings. User settings that are contained in the Local Group Policy apply to all users of the computer, even the local administrator. Local Group Policy behaves the same as it did in previous versions of the Windows operating system.

Administrators and Non-Administrators Local Group Policy

The Administrators and Non-Administrators Local GPOs do not exist by default. You must create them if you want to use them on your Windows 8.1 client. These GPOs act as a single layer and logically sort all local users into two groups when a user signs in to the computer: a user is either an administrator or a non-administrator. Users who are members of the Administrators group receive policy settings assigned in the Administrators Local Group Policy. All other users receive policy settings assigned in the Non-Administrators Local Group Policy.

User-Specific Group Policy

Local administrators can use the last layer of the Local GPO, Per-User Local GPOs, to apply specific policy settings to a specific local user.

Processing Order
The benefits of MLGPOs come from the processing order of the three separate layers. The layers are processed as follows:

1. The Local GPO applies first. This Local GPO might contain both computer and user settings. User settings contained in this policy apply to all users, including the local administrator.

2. The Administrators and Non-Administrators Local GPOs are applied next. These two Local GPOs represent a single layer in the processing order, and the user receives one or the other. Neither of these Local GPOs contains computer settings.

3. User-specific Local Group Policy is applied last. This layer of Local GPOs contains only user settings, and you apply it to one specific user on a local computer.

Conflict Resolution Between Policy Settings

Available user settings are the same between all Local GPOs. It is possible that a policy setting in one Local GPO contradicts the same setting in another Local GPO. Windows 8.1 resolves these conflicts by using the Last Writer Wins method. This method resolves conflicts by overwriting any previous setting with the last-read (most current) setting. The final setting is the one that the Windows operating system uses.

For example, an administrator enables a setting in a Local GPO. The administrator then disables the same setting in a user-specific Local GPO. When a non-administrator user signs in to the computer, the Windows operating system reads the Local GPO first, followed by the Non-Administrators Local GPO, and then the user-specific Local GPO. The state of the policy setting is enabled when the Windows operating system reads the Local GPO. The policy setting is not configured in the Non-Administrators Local GPO, so this has no effect on the state of the setting and it remains enabled. The policy setting is disabled in the user-specific Local GPO, which changes the state of the setting to disabled. Windows reads the user-specific Local GPO last; therefore, it has the highest precedence. The Local Computer Policy has a lower precedence.

Domain Member Computers

Stand-alone computers benefit the most from MLGPOs because they are managed locally. Domain-based computers apply Local Group Policy first and then domain-based policy. Windows 8.1 continues to use the Last Writer Wins method for conflict resolution; therefore, policy settings that originate from domain Group Policy overwrite any conflicting policy settings found in any Local Group Policy, including the Administrators, Non-Administrators, and user-specific Local GPOs. You can disable the processing of local GPOs on clients that are running Windows 8.1 by enabling the Turn off Local Group Policy objects processing policy setting in a domain GPO. This setting is located under Computer Configuration\Administrative Templates\System\Group Policy.
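The following script is an added example and is not part of the course text. It makes the processing order and the Last Writer Wins rule visible: it reads the user-side Registry.pol file of each MLGPO layer in the order Windows applies them and records which layer supplied the final value of every Administrative Template setting. It also checks whether a domain GPO has switched local GPO processing off. The on-disk layout of the local GPO folders under %SystemRoot%\System32 is the standard one; the registry value read by the last function is the one the Turn off Local Group Policy objects processing setting writes. Run it from an elevated session, because the GroupPolicyUsers folders are not readable by standard users.

```powershell
# Added example (not part of the course text): work out which MLGPO layer
# supplies each effective user-side Administrative Template setting for one
# account, by reading the layers' Registry.pol files in processing order and
# applying Last Writer Wins. Assumed (standard) on-disk layout of local GPOs:
#   %SystemRoot%\System32\GroupPolicy\User\Registry.pol                   Local Computer (user half)
#   %SystemRoot%\System32\GroupPolicyUsers\S-1-5-32-544\User\Registry.pol  Administrators
#   %SystemRoot%\System32\GroupPolicyUsers\S-1-5-32-545\User\Registry.pol  Non-Administrators
#   %SystemRoot%\System32\GroupPolicyUsers\<user SID>\User\Registry.pol    user-specific

function Read-RegistryPol {
    # Parses Registry.pol (MS-GPREG): 'PReg' signature, DWORD version, then
    # records of the form [key;value;type;size;data] encoded as UTF-16LE.
    param([Parameter(Mandatory)][string]$Path)
    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 8 -or [System.Text.Encoding]::ASCII.GetString($b, 0, 4) -ne 'PReg') {
        throw "Not a Registry.pol file: $Path"
    }
    $pos = 8
    while ($pos -lt $b.Length) {
        $pos += 2                                                           # '['
        $key = ''
        while ([BitConverter]::ToUInt16($b, $pos) -ne 0) { $key += [char][BitConverter]::ToUInt16($b, $pos); $pos += 2 }
        $pos += 4                                                           # NUL ';'
        $name = ''
        while ([BitConverter]::ToUInt16($b, $pos) -ne 0) { $name += [char][BitConverter]::ToUInt16($b, $pos); $pos += 2 }
        $pos += 4                                                           # NUL ';'
        $type = [BitConverter]::ToUInt32($b, $pos); $pos += 6               # DWORD ';'
        $size = [BitConverter]::ToUInt32($b, $pos); $pos += 6               # DWORD ';'
        $data = if ($size -gt 0) { [byte[]]($b[$pos..($pos + $size - 1)]) } else { [byte[]]@() }
        $pos += $size + 2                                                   # data ']'
        $value = switch ($type) {
            4               { if ($size -ge 4) { [BitConverter]::ToUInt32($data, 0) } }           # REG_DWORD
            { $_ -in 1, 2 } { [System.Text.Encoding]::Unicode.GetString($data).TrimEnd([char]0) }  # REG_SZ, REG_EXPAND_SZ
            default         { ($data | ForEach-Object { $_.ToString('x2') }) -join '' }           # raw bytes
        }
        # A Disabled setting is stored as a delete marker ('**del.<name>' or '**DelVals.');
        # that is still a write, so a later layer's Disabled beats an earlier layer's Enabled.
        [pscustomobject]@{ Key = $key; Name = $name; Type = $type; Value = $value }
    }
}

function Get-LocalUserPolicyLayers {
    # The user-side layers in the order Windows processes them for this account.
    param([Parameter(Mandatory)][string]$UserSid, [Parameter(Mandatory)][bool]$IsLocalAdmin)
    $sys       = Join-Path $env:SystemRoot 'System32'
    $groupName = if ($IsLocalAdmin) { 'Administrators' } else { 'Non-Administrators' }
    $groupSid  = if ($IsLocalAdmin) { 'S-1-5-32-544' }  else { 'S-1-5-32-545' }
    [pscustomobject]@{ Layer = 'Local Computer';           Path = "$sys\GroupPolicy\User\Registry.pol" }
    [pscustomobject]@{ Layer = $groupName;                 Path = "$sys\GroupPolicyUsers\$groupSid\User\Registry.pol" }
    [pscustomobject]@{ Layer = "User-specific ($UserSid)"; Path = "$sys\GroupPolicyUsers\$UserSid\User\Registry.pol" }
}

function Resolve-LocalUserPolicy {
    param([Parameter(Mandatory)][string]$UserSid, [Parameter(Mandatory)][bool]$IsLocalAdmin)
    $effective = @{}
    foreach ($layer in Get-LocalUserPolicyLayers -UserSid $UserSid -IsLocalAdmin $IsLocalAdmin) {
        if (-not (Test-Path -LiteralPath $layer.Path)) { continue }        # layer never configured
        foreach ($e in Read-RegistryPol -Path $layer.Path) {
            $id = "$($e.Key)\$($e.Name)"
            # Last Writer Wins: a later layer silently replaces what an earlier one set.
            $effective[$id] = [pscustomobject]@{ Setting = $id; Value = $e.Value; WinningLayer = $layer.Layer }
        }
    }
    $effective.Values | Sort-Object Setting
}

function Test-LocalGpoProcessingDisabled {
    # 'Turn off Local Group Policy objects processing' from a domain GPO lands here;
    # when it is set, none of the layers above is applied at all.
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' `
                          -Name DisableLGPOProcessing -ErrorAction SilentlyContinue
    [bool]($p -and $p.DisableLGPOProcessing -eq 1)
}

# Usage: resolve the policy for the signed-in account. Membership is taken from
# the token's group list, so a UAC-filtered administrator still counts as one.
$me      = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = $me.Groups.Value -contains 'S-1-5-32-544'
if (Test-LocalGpoProcessingDisabled) { Write-Warning 'A domain GPO has turned local GPO processing off; nothing below is applied.' }
Resolve-LocalUserPolicy -UserSid $me.User.Value -IsLocalAdmin $isAdmin | Format-Table -AutoSize
```

A setting that is Not configured in a layer produces no record in that layer's Registry.pol, which is why it leaves the earlier layer's value standing, exactly as the worked example above describes. On a domain member, remember that this only shows the local result; the domain GPOs applied afterwards can still overwrite every row.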

MCT USE ONLY. STUDENT USE PROHIBITED

10-16

Securing Windows 8.1 Devices

Creating Multiple Local GPOs


MLGPOs are created by adding the Group Policy Object Editor snap-in to an MMC, and then performing the following procedure:

1. Click Browse in the Select Group Policy dialog box.
2. Click the Users tab.
3. Select the object for which you want to create a special GPO.

You must add a separate instance of the snap-in for each local GPO that you want to create.

Question: An administrator selects the Disable the Security page policy setting in the Local GPO. The administrator then enables the same setting in a user-specific Local GPO. The user who signs in to the computer is not an administrator. Which state of the policy setting applies to this user?

Demonstration: Creating Multiple Local GPOs


In this demonstration, you will see how to:

- Create a custom management console.
- Modify the local policy settings.
- Test multiple local Group Policy settings.

Demonstration Steps

Create a custom management console


1. Sign in to LON-CL1 as administrator.
2. Open the Microsoft Management Console, and then add the Group Policy Object Editor snap-in to the console. Set the focus for the local computer.
3. Add the Group Policy Object Editor snap-in to the console again, this time selecting the Administrators group as the focus.
4. Add the Group Policy Object Editor snap-in to the console for a third time, this time selecting the Non-Administrators group as the focus.
5. Save the console to the desktop.

Modify the local policy settings


1. Create a logon script for the default computer policy.
2. Create a logon script that applies only to administrators.
3. Create a logon script that applies to non-administrators.

Test multiple local Group Policy settings


1. Sign in as a standard user to verify that both the computer and non-administrator policies apply.
2. Sign in as administrator to verify that both the computer and administrators policies apply.


Demonstration: Configuring Local Security Policy Settings


Security-Related Group Policy Settings

A computer that belongs to an AD DS domain receives many of its security-related configuration settings through a GPO. You can use the Local Group Policy Editor to configure the same settings on a stand-alone workstation that is running Windows 8.1. To configure local Group Policy, run Gpedit.msc from the Run box with elevated permissions. You then can use the Local Group Policy Editor to configure the security-related settings that are described in the following table.

Setting: Password Policy
Meaning: A subcomponent of Account Policies that enables you to configure password history, maximum and minimum password age, password complexity, and password length. Note: This only applies to local accounts.

Setting: Account Lockout Policy
Meaning: A subcomponent of Account Policies that enables you to define settings related to the action that you want Windows 8.1 to take when a user enters an incorrect password at logon. Note: This only applies to local accounts.

Setting: Audit Policy
Meaning: A subcomponent of Local Policies that enables you to define audit behavior for various system activities, including logon events and object access.

Setting: User Rights Assignment
Meaning: A subcomponent of Local Policies that enables you to configure user rights, including the ability to sign in locally, access the computer from the network, and shut down the system.

Setting: Security Options
Meaning: A subcomponent of Local Policies that enables you to configure many settings, including Interactive logon settings, UAC settings, and Shutdown settings.

Setting: WFAS (Windows Firewall with Advanced Security)
Meaning: Enables you to configure the firewall settings.

Setting: Network List Manager Policies
Meaning: Enables you to configure user options for configuring new network locations.

Setting: Public Key Policies
Meaning: Include settings for Automatic Certificate Requests and Encrypted Data Recovery Agents.

Setting: Software Restriction Policies
Meaning: Enables you to identify and control which applications can run on the local computer.

Setting: IP Security Policies
Meaning: Enables you to create, manage, and assign Internet Protocol security (IPsec) policies.

Setting: Windows Update
Meaning: Enables you to configure Automatic Updates. Located under Administrative Templates\Windows Components.

Setting: Disk Quotas
Meaning: Enables you to configure disk quotas. Located under Administrative Templates\System.

Setting: Driver Installation
Meaning: Enables you to configure driver installation behavior. Located under Administrative Templates\System.

After you configure the local policy, you can export security-related settings to a policy file and then save them in a security template file with an .inf extension. You then can import the template into the Local Group Policy Editor to use these templates to configure additional computers. This demonstration shows different security settings in the Windows 8.1 Local Group Policy Editor and then reviews the changes to some of these settings.
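The export-and-reuse workflow described above can be scripted with secedit.exe, the command-line tool behind the security template (.inf) format. The script below is an added example, not part of the course; it exports the local security policy, parses the [System Access] section (where the Password Policy and Account Lockout Policy values live), reports any drift from a baseline, and re-applies the baseline through a fresh .sdb database. The baseline values are illustrative placeholders, not a Microsoft recommendation, and the file paths are assumptions. Run it from an elevated prompt.

```powershell
# Added example (not part of the course text): detect and correct drift in the
# local Account Policies using secedit.exe and a security template.
# Baseline numbers below are placeholders for illustration only.

$Baseline = @{
    # Keys exactly as secedit writes them in the [System Access] section.
    MinimumPasswordLength = 12   # Password Policy
    PasswordComplexity    = 1
    MaximumPasswordAge    = 90
    PasswordHistorySize   = 24
    LockoutBadCount       = 10   # Account Lockout Policy
    LockoutDuration       = 15
    ResetLockoutCount     = 15
}

function Export-LocalSecurityTemplate {
    # Writes the current local security policy to an .inf template.
    # /areas SECURITYPOLICY limits the export to Account Policies, Audit Policy and Security Options.
    param([Parameter(Mandatory)][string]$Path)
    & secedit.exe /export /cfg $Path /areas SECURITYPOLICY | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit /export failed with exit code $LASTEXITCODE" }
    $Path
}

function Get-SystemAccessSettings {
    # Parses the [System Access] section of a security template into a hashtable.
    param([Parameter(Mandatory)][string]$Path)
    $settings  = @{}
    $inSection = $false
    foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $settings[$Matches[1]] = $Matches[2] }
    }
    $settings
}

function Compare-SecurityBaseline {
    # One row per baseline setting; a key missing from the export (for example
    # LockoutDuration when lockout is disabled) is reported as Actual = null.
    param([Parameter(Mandatory)][hashtable]$Current, [Parameter(Mandatory)][hashtable]$Expected)
    foreach ($k in ($Expected.Keys | Sort-Object)) {
        $actual = if ($Current.ContainsKey($k)) { [int]$Current[$k] } else { $null }
        [pscustomobject]@{ Setting = $k; Expected = $Expected[$k]; Actual = $actual; Compliant = ($actual -eq $Expected[$k]) }
    }
}

function Set-SecurityBaseline {
    # Builds a minimal template from the baseline and applies it with secedit /configure.
    param([Parameter(Mandatory)][hashtable]$Expected, [string]$WorkDir = $env:TEMP)
    $inf = Join-Path $WorkDir 'baseline.inf'
    $db  = Join-Path $WorkDir 'baseline.sdb'
    $lines  = @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1', '[System Access]')
    $lines += $Expected.Keys | Sort-Object | ForEach-Object { "$_ = $($Expected[$_])" }
    Set-Content -LiteralPath $inf -Value $lines -Encoding Unicode   # templates are UTF-16
    & secedit.exe /configure /db $db /cfg $inf /overwrite /areas SECURITYPOLICY /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed with exit code $LASTEXITCODE" }
}

# Usage: export, compare, and fix only if something drifted.
$current = Get-SystemAccessSettings -Path (Export-LocalSecurityTemplate -Path "$env:TEMP\current.inf")
$drift   = Compare-SecurityBaseline -Current $current -Expected $Baseline
$drift | Format-Table -AutoSize
if ($drift | Where-Object { -not $_.Compliant }) { Set-SecurityBaseline -Expected $Baseline }
```

Two caveats a practitioner should keep in mind. First, as the table notes, these Account Policies govern local accounts only; domain accounts get theirs from the domain. Second, on Windows 8.1 the Audit Policy category settings in this same template are ignored once advanced audit policy (auditpol.exe or the Advanced Audit Policy Configuration node) is in use, so audit baselines are better expressed there.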

Demonstration Steps

1. Sign in to LON-CL1 as administrator.
2. Open the Local Group Policy Editor.
3. Browse to Computer Configuration\Windows Settings\Security Settings, and then review the settings.

Microsoft Security Compliance Manager


Within Microsoft, there is a group called the Solution Accelerators team, which produces free tools to help organizations make the most of the enterprise software that they use. As each version of an underlying technology such as the Windows operating system or Internet Explorer is updated, the Solution Accelerator tool also is updated, sometimes with improved functionality.

First released in 2010, the Security Compliance Manager tool allows an enterprise administrator to quickly configure and manage computers by using Group Policy and Microsoft System Center 2012 R2 Configuration Manager. Security Compliance Manager has evolved over several years and continues to benefit from industry experts' feedback and from extensive field use. This free tool comes complete with ready-to-deploy policies and desired configuration management configuration packs, which can be used with Configuration Manager. Administrators can modify any of the supplied policies to generate a custom policy that is available for export. You then can incorporate the custom policy into your preferred deployment tool such as Configuration Manager or the Microsoft Deployment Toolkit.


Administrators can use Security Compliance Manager to plan, deploy, operate, and manage security baselines quickly, which are essential for securing Windows client and server operating systems, Microsoft Office and other Microsoft applications. With Security Compliance Manager, you can configure the latest software releases and also configure previous editions of Windows Server and Microsoft Office. Throughout the lifespan of the tool, by default, Security Compliance Manager automatically checks for new updates to the available baselines each time you start the tool. Some of the key features of Security Compliance Manager are:

- Baselines based on Microsoft security guide recommendations and industry best practices. You can compare your configuration against industry best practices for the latest Windows client and server operating systems.
- Centralized security baseline management features to manage the security and compliance process efficiently.
- Gold master support that allows the import of your existing Group Policy to reuse and deploy.
- Stand-alone machine configuration that allows you to deploy your configurations to computers that are not domain-joined.
- Updated security guides that provide security expertise and best practices.

For more information, see the Microsoft Security Compliance Manager page at the Microsoft Download Center: http://go.microsoft.com/fwlink/?LinkId=378250&clcid=0x409

For more information, see Solution Accelerators Downloads on the Microsoft TechNet website: http://go.microsoft.com/fwlink/?LinkId=378251&clcid=0x409

Question: Discuss scenarios when you would use Security Compliance Manager in an organization.

Question: Your organization creates operations manuals for customers and uses several versions of Microsoft Word to produce the manuals, depending on client requirements. What tool would you recommend for creating and maintaining baseline security configurations for your organization if there is a requirement to ensure that all Microsoft Office applications are configured with the latest security baseline?


Lab A: Implementing Local GPOs


Scenario

Holly Dickson is the IT manager at A. Datum Corporation. She has expressed a concern that some of the laptop computers that users use outside of the A. Datum network are susceptible to security breaches. She wants you to investigate how best to configure security and other settings on these computers.

Objectives
After completing this lab, you will be able to:

- Create multiple local GPOs.
- Test the application of the local GPOs.

Lab Setup
Estimated Time: 20 minutes
Virtual machine: 20687C-LON-DC1
User name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687C-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in by using the following credentials:
   - User name: Administrator
   - Password: Pa$$w0rd
   - Domain: Adatum
5. Repeat steps 2 to 4 for 20687C-LON-CL1.

Exercise 1: Creating Multiple Local GPOs


Scenario

Although you typically configure most security and other settings by using domain-based GPOs, you decide that for the roaming laptop computers, implementing local GPOs would achieve Holly's goal of securing them. You decide to implement multiple local GPOs to ensure that administrator and standard user accounts can have different settings. The main tasks for this exercise are as follows:

1. Create a management console for multiple local Group Policy settings.
2. Configure the local computer settings.
3. Configure non-administrators security settings.


Task 1: Create a management console for multiple local Group Policy settings
1. Sign in to LON-CL1, and then open the Microsoft Management Console.
2. Add the following snap-ins to the console:
   - Group Policy Object Editor: Local Computer
   - Group Policy Object Editor: Administrators
   - Group Policy Object Editor: Non-Administrators
3. Save the console to the Desktop with the name Multiple Local Group Policy Editor.

Task 2: Configure the local computer settings


1. Create a logon script in the Local Computer Policy.
2. Add the following text to the script file: msgbox "Warning. You are not connected to the A Datum Domain."
3. Save the script file as RoamingScript.vbs.
4. Change Save as type: to All Files, and then click Save.

Task 3: Configure non-administrators security settings


1. Select the Non-Administrators Policy, and then navigate to User Configuration\Administrative Templates\Control Panel.
2. Enable the Prohibit access to Control Panel and PC settings policy setting.

Results: After completing this exercise, you should have created and configured multiple local Group Policy Objects (MLGPOs) successfully.

Exercise 2: Testing the Application of the Local GPOs


Scenario
You have created and configured multiple local GPOs successfully. You now must sign in to test the application of the local GPOs. The main tasks for this exercise are as follows:

1. Sign in as a standard user to test the policies.
2. Sign in as administrator to test the policies.

Task 1: Sign in as a standard user to test the policies


1. Sign out of LON-CL1.
2. Sign in as Adatum\Holly with password Pa$$w0rd, and then verify that the logon script runs on the desktop.
3. Attempt to open Control Panel.


Task 2: Sign in as administrator to test the policies


1. Sign in as Adatum\Administrator with password Pa$$w0rd, and then verify that the logon script runs on the desktop.
2. Attempt to open Control Panel.
3. Sign out of LON-CL1.

Results: After completing this exercise, you should have implemented and tested multiple local GPOs successfully.

Prepare for the next lab


When you are finished with the lab, leave the virtual machines running as they are needed for the next lab.


Lesson 3

Securing Data with EFS and BitLocker

Devices, laptops, and hard drives can be stolen, which poses a risk for confidential data. You can secure data against these risks by using a two-phased defensive strategy that incorporates both EFS and BitLocker.

This lesson provides a brief overview of EFS and BitLocker. However, IT professionals who are interested in implementing EFS must research it thoroughly before making a decision to use it. To implement a secure and recoverable EFS policy, you must have a more comprehensive understanding of EFS. If you implement EFS without implementing proper recovery operations or without understanding how the feature works, you can cause your data to be exposed unnecessarily.

BitLocker is another defensive strategy that complements EFS. BitLocker protects against data theft or exposure on computers that are lost or stolen, and it offers more secure data deletion when computers are decommissioned. Data on a lost or stolen computer is vulnerable to unauthorized access, either by running a software attack tool against it or by transferring the computer's hard disk to a different computer. BitLocker helps mitigate unauthorized data access on lost or stolen computers by combining two major data-protection procedures: encrypting the entire Windows operating system volume on the hard disk, and encrypting multiple fixed volumes.

Lesson Objectives
After completing this lesson, you will be able to:

- Describe EFS.
- Describe how to encrypt and decrypt files with EFS.
- Describe BitLocker.
- Describe BitLocker To Go.
- Describe BitLocker requirements.
- Describe BitLocker modes.
- Describe Group Policy settings for BitLocker.
- Describe how to configure BitLocker.
- Describe how to configure BitLocker To Go.
- Describe how to recover BitLocker-encrypted drives.


What Is EFS?
EFS is a built-in file encryption tool for Windows-based file systems. A component of the NTFS file system, EFS enables transparent encryption and decryption of files by using advanced, standard cryptographic algorithms. Any individual or program that does not possess an appropriate cryptographic key cannot read encrypted data. Encrypted files stay protected even from those who gain physical possession of the computer on which the files are stored; even people who are authorized to access the computer and its file system cannot view the data without the key.

Encryption is a powerful addition to any defensive plan, but you also must use other defensive strategies because encryption is not the correct countermeasure for every threat. Also, every defensive weapon, if you use it incorrectly, carries a potential for harm. The basic EFS features are as follows:

- EFS encryption does not occur at the application level. It occurs at the file-system level. Therefore, the encryption and decryption process is transparent to the user and the application. If you mark a folder for encryption, EFS will encrypt every file created in or moved to the folder. Applications do not have to understand EFS or manage EFS-encrypted files any differently than unencrypted files. If a user attempts to open a file and possesses the necessary key, the file opens without additional effort on the user's part. If a user does not possess the key, he or she receives an access-denied message.

- EFS encrypts each file with a symmetric key (the file encryption key), encrypts that key with the user's public key, and stores the result in the file header. The certificate that carries the user's public and private keys (known as asymmetric keys) is stored in the user's profile. This key pair is bound to a user identity and made available to the user who has possession of the user ID and password. The user's private key must be available for decryption of the file. If a private key incurs damage or is lost, even the user who encrypted the file cannot decrypt it. If a recovery agent exists, the file might be recoverable. If you implement key archival, then you can recover the key and decrypt the file. Otherwise, the file might be lost. This use of certificates and key pairs is what is meant by a public key infrastructure (PKI).

- You can archive a user's certificate that contains his or her public and private keys, for example by exporting it to a USB flash drive. You then can keep the USB flash drive in a safe place for recovery if the keys incur damage or are lost. A user's password protects the public and private keys. Any user who can obtain the user ID and password can sign in as that user and then decrypt that user's files. Therefore, a strong password policy and strong user education must be a component of each organization's security practices to protect EFS-encrypted files.

- EFS-encrypted files do not remain encrypted during transport if you save them to, or open them from, a folder on a remote server. The file is decrypted and then traverses the network in plain text. EFS then encrypts it locally if you save it to a folder on the local drive that is marked for encryption. EFS-encrypted files can remain encrypted while traversing a network if you save them to a Web folder by using the World Wide Web Distributed Authoring and Versioning (WebDAV) protocol.

- EFS is supported only on the NTFS file system. If a user has permission to decrypt a file and moves or copies an encrypted file to a non-NTFS file system, such as a USB flash drive that is formatted with the FAT or FAT32 file system, the file is decrypted and is no longer encrypted. If a user does not have permission to decrypt a file and attempts to move or copy an encrypted file to a non-NTFS file system, such as a USB flash drive that is formatted with the FAT or FAT32 file system, the operation will result in a permission-denied error.

- EFS supports industry-standard encryption algorithms, including Advanced Encryption Standard (AES). AES with a 256-bit symmetric encryption key is the default EFS algorithm.

The following are additional important facts about implementing EFS on Windows 8.1:

- Support for storing private keys on smart cards. Windows 8.1 includes full support for storing users' private keys on smart cards. If a user signs in to Windows 8.1 with a smart card, EFS also can use the smart card for file encryption. Administrators can store their domain's recovery keys on a smart card. Recovering files is then as simple as signing in to the affected machine, either locally or by using Remote Desktop, and using the recovery smart card to access the files.

- Encrypting File System Rekeying Wizard. The Encrypting File System Rekeying Wizard allows users to choose an EFS certificate and then select and migrate the existing files that will use the newly chosen EFS certificate. Administrators can use the wizard to migrate users in existing installations from software certificates to smart cards. The wizard also is helpful in recovery situations because it is more efficient than decrypting and re-encrypting files.

- Group Policy settings for EFS. You can use Group Policy to control and configure EFS protection policies centrally for an entire enterprise. For example, Windows 8.1 allows page file encryption through the local security policy or Group Policy.

- Per-user encryption of Offline Files. You can use EFS to encrypt offline copies of files from remote servers. When this option is enabled, each file in the offline cache is encrypted with a public key from the user who cached the file. Thus, only that user has access to the file, and even local administrators cannot read the file without access to the user's private keys.

- Selective Wipe. A new feature of Windows 8.1 in a corporate environment is Selective Wipe. If a device is lost or stolen, an administrator can revoke the EFS key that was used to protect the files on the device. Revoking a key prevents all access to data files that are stored on a user's device.

Note: When users encrypt files in remote shared folders, their keys are stored on the file server.

Obtaining Key Pairs


Users need asymmetric key pairs to encrypt data, and they can obtain these keys in two ways:

- From a CA. An internal or third-party CA can issue EFS certificates. This method provides central management and backups of keys.

- By self-generating them. If a CA is unavailable, users can generate a key pair. These keys have a lifespan of 100 years. This method is more cumbersome than using a CA because there is no centralized management, and users become responsible for managing their own keys. Additionally, it is more difficult to manage for recovery. However, it is still a popular method because no setup is required.

Managing EFS Certificates

EFS uses public key cryptography to allow file encryption. The keys are obtained from a users EFS certificate. Because EFS certificates also might contain private key information, you must manage them correctly.


Users can make encrypted files accessible to other users' EFS certificates. If you grant access to another user's EFS certificate, that user can in turn make the file available to other users' EFS certificates.

Note: You can issue EFS certificates only to individual users, not to groups.

Backing Up Certificates
CAs can archive and recover CA-issued EFS certificates. Users must back up their self-generated EFS certificates and private keys manually. To do this, they can export the certificate and private key to a Personal Information Exchange (.pfx) file, which is password-protected during the export process. The password then is required to import the certificate into a user's certificate store.

If you need to distribute only your public key, you can export the client EFS certificate without the private key to a .cer file. A user's private key is stored in the user's profile under AppData\Roaming\Microsoft\Crypto\RSA (that is, %APPDATA%\Microsoft\Crypto\RSA). Because there is only one instance of the key, it is vulnerable to hard-disk failure or data corruption. The Certificates Microsoft Management Console (MMC) snap-in exports certificates and private keys; the Personal certificate store contains the EFS certificates.
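The following script is an added example and is not code from the course. It performs, from PowerShell, the same work as the encryption demonstration later in this lesson and the certificate backup described above: it encrypts a folder with EFS, confirms that a file created inside it inherits the Encrypted attribute, lists the certificates that can decrypt the file (including any recovery agent), and exports the user's EFS certificate with its private key to a password-protected .pfx file. It assumes an NTFS volume; the folder C:\Encrypted, the file name, and the backup path are placeholders.

```powershell
# Added example (not part of the course text): encrypt a folder with EFS,
# verify inheritance, show who can decrypt, and back up the EFS key pair.
# C:\Encrypted, Private.txt and the .pfx path are placeholders.

$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID: Encrypting File System

function Protect-FolderWithEfs {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    $root = (Get-Item -LiteralPath $Path).PSDrive.Root
    $fs   = (New-Object System.IO.DriveInfo($root)).DriveFormat
    if ($fs -ne 'NTFS') { throw "EFS needs NTFS; $root is $fs" }     # a FAT/FAT32 copy would be silently decrypted
    & cipher.exe /e "/s:$Path" | Out-Null                             # marks the folder and encrypts existing contents
    if ($LASTEXITCODE -ne 0) { throw "cipher /e failed with exit code $LASTEXITCODE" }
}

function Test-EfsEncrypted {
    param([Parameter(Mandatory)][string]$Path)
    $attr = (Get-Item -LiteralPath $Path -Force).Attributes
    ($attr -band [System.IO.FileAttributes]::Encrypted) -ne 0
}

function Get-EfsDecryptors {
    # cipher /c prints the user certificates and recovery certificates able to decrypt the file.
    param([Parameter(Mandatory)][string]$Path)
    & cipher.exe /c $Path
}

function Backup-EfsCertificate {
    # Exports the newest EFS certificate together with its private key. Without
    # this backup, a lost profile means lost files unless a recovery agent exists.
    param([Parameter(Mandatory)][string]$PfxPath, [Parameter(Mandatory)][securestring]$Password)
    $cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $EfsEkuOid) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw 'No EFS certificate with a private key in the user store (encrypt a file first)' }
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password | Out-Null
    $cert.Thumbprint
}

# Usage
$folder = 'C:\Encrypted'
Protect-FolderWithEfs -Path $folder
'confidential' | Set-Content -LiteralPath "$folder\Private.txt"   # created in an encrypted folder, so encrypted
Test-EfsEncrypted -Path "$folder\Private.txt"                    # True
Get-EfsDecryptors -Path "$folder\Private.txt"
$pw = Read-Host -AsSecureString 'Password for the .pfx backup'
Backup-EfsCertificate -PfxPath "$env:USERPROFILE\Desktop\efs-backup.pfx" -Password $pw
```

A self-generated EFS certificate only comes into existence the first time the user encrypts something, which is why the backup step runs last. The .pfx file is as sensitive as every file the key protects: move it off the computer and keep it offline, as the text recommends for the USB flash drive. The interactive equivalent of the last function is cipher /x, which prompts for the password instead of taking a SecureString.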

Sharing Encrypted Files

EFS users can share encrypted files with other users on file shares and in Web folders. With this support, you can grant individual users permission to access an encrypted file. The ability to add users is restricted to individual files. After you encrypt a file, you can enable file sharing through the user interface. You first must encrypt a file and then save it before adding more users. You can add users from a local computer or from AD DS if the user has a valid certificate for EFS. It is important that users who elect to share encrypted files are aware of the following points:

- Shared EFS files are not file shares. If authorized users need to access shared EFS files over a network, a file share or Web folder is required. Alternatively, users can establish remote sessions with computers that store encrypted files by using Remote Desktop Services.

- Any user who is authorized to decrypt a file can authorize other users to access the file. Granting access is not limited to the file owner. Caution users to share files only with trusted accounts because those accounts can authorize other accounts. Removing the Write permission from a user or group of users can prevent this problem, but it also prevents the user or group from modifying the file.

- EFS sharing requires that the users who will have authorization to access the encrypted file have EFS certificates. These certificates can be located in roaming profiles or in the user profiles on the computer on which the file to be shared is stored, or they can be stored in and retrieved from AD DS.

- EFS sharing of an encrypted file often means that users will access the file across a network. It is best if Web folders are used for encrypted file storage whenever possible. If a user chooses to remotely access an encrypted file that is stored on a file share and authorizes other users to access the file, the authorization process and requirements are the same as on the local computer. Additionally, EFS must impersonate the user to perform this operation, and all the requirements for remote EFS operations on files stored on file shares apply. If a user chooses to remotely access an encrypted file that is stored on a Web folder and authorizes other users to access the file, the file automatically is transmitted to the local computer in ciphertext. The authorization process takes place on the local computer with the same requirements as for encrypted files stored locally.

Question: Why is it not possible to encrypt system files with EFS?


Demonstration: Encrypting Files and Folders with EFS


This demonstration shows how to encrypt and decrypt files and folders by using EFS.

Demonstration Steps

Create a new Microsoft Word document

1. Sign in to LON-CL1 as administrator.
2. Open File Explorer, and then create a new folder called Encrypted on drive C.
3. Create a Word document in this folder named Private.docx.

Encrypt the folder

1. Encrypt the new folder and its contents.

Confirm that the file and folder have been encrypted

1. Sign in as Holly.
2. Open File Explorer, and then navigate to C:\Encrypted\Private.docx.
3. Attempt to open the file to confirm that the file and folder have been encrypted.

Decrypt the folder

1. Sign in as administrator.
2. Open File Explorer, and then navigate to C:\Encrypted\Private.docx.
3. Decrypt the file and folder.

Confirm that the file and folder have been decrypted

1. Sign in as Holly.
2. Open File Explorer, and then navigate to C:\Encrypted\Private.docx.
3. Attempt to open the file to confirm that it has been decrypted.

What Is BitLocker?
BitLocker provides protection for a computer operating system and the data that is stored on the operating system volume. It helps ensure that data stored on a computer remains encrypted even if someone tampers with the computer when the operating system is not running. BitLocker provides a closely integrated solution in Windows 8.1 to address the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.

Data on a lost or stolen computer can become vulnerable to unauthorized access when a user either runs a software attack tool against it or transfers the computers hard disk to a different computer. BitLocker helps mitigate unauthorized data access by enhancing Windows file and system protections. BitLocker also helps render data inaccessible when you decommission or recycle BitLocker-protected computers.


BitLocker performs two functions that provide offline data protection and system-integrity verification:

- It encrypts all data that is stored on a Windows operating system volume and configured data volumes. This includes the Windows operating system, hibernation and paging files, applications, and application data. BitLocker also provides umbrella protection for non-Microsoft applications, which benefits the applications automatically when they are installed on an encrypted volume.

- By default, it is configured to use a TPM to help ensure the integrity of startup components, which an operating system uses in the early stages of the startup process. It locks any BitLocker-protected volumes, so they remain protected even if someone tampers with the computer when the operating system is not running. We will see later in this module that BitLocker can be enabled on devices without a TPM chip.

Note: BitLocker is available in the Windows 8.1 Pro and Windows 8.1 Enterprise editions only.

System Integrity Verification


BitLocker uses a TPM to verify the integrity of the startup process by:

- Providing a method to check that early boot file integrity has been maintained, and to help ensure that there has been no adverse modification of those files, such as with boot sector viruses or rootkits.

- Enhancing protection to mitigate offline software-based attacks. Any alternative software that might start the system does not have access to the decryption keys for a Windows operating system volume.

- Locking the system when it is tampered with. If any monitored files have been tampered with, the system does not start. This alerts a user to tampering because the system fails to start as usual. In the event that system lockout occurs, BitLocker offers a simple recovery process.

In conjunction with a TPM, BitLocker verifies the integrity of early startup components, which helps prevent additional offline attacks, such as attempts to insert malicious code into those components. This functionality is important because the components in the earliest part of the startup process must be available unencrypted so that the computer can start.

Without that verification, an attacker could change the code of those early startup components and then gain access to the computer even though the data on the disk was encrypted. If the attacker then obtains confidential information, such as the BitLocker keys or user passwords, the attacker can circumvent BitLocker and other Windows security protections.

Comparing BitLocker and EFS


The following table compares BitLocker and EFS encryption functionality.

BitLocker functionality:
- Encrypts volumes (the entire operating system volume, including Windows system files and the hibernation file)
- Does not require user certificates
- Protects the operating system from modification

EFS functionality:
- Encrypts files
- Requires user certificates
- Does not protect the operating system from modification


Device Encryption

Device encryption is a new feature built into all editions of Windows 8.1. It uses the same encryption technology that was implemented on Windows RT devices to help protect your device's data by blocking malicious users from accessing any of the files on your drive. In previous versions of Windows, a thief could physically remove a drive from a computer and then install it into a different device, thereby bypassing logon security. By default, device encryption protects the operating system drive and any fixed data drives on the system by using AES 128-bit encryption, the same technology that BitLocker uses. Device encryption can be used with either a Microsoft account or a domain account. Device encryption is enabled automatically on supported new devices running any edition of Windows 8.1, so that the device is always protected. Supported devices that are upgraded to Windows 8.1 with a clean installation also benefit from device encryption.

A user can turn off device encryption by using PC info within PC and devices, which can be found within Change PC Settings. The Device Encryption section appears at the bottom of the PC info page, and it can be turned off on all devices except those running Windows RT.

BitLocker To Go
When a laptop is lost or stolen, the loss of data typically has more impact than the loss of the computer asset. As more people use removable storage devices, they can lose data without losing a computer. BitLocker To Go provides enhanced protection against data theft and exposure by extending BitLocker support to removable storage devices such as USB flash drives, and you can manage it through Group Policy. In Windows 8.1, users can encrypt their removable media by opening File Explorer, right-clicking the drive, and clicking Turn On BitLocker. They then will be asked to choose a method to unlock the drive. These options include:

• Password. This is a combination of letters, symbols, and numbers that a user will enter to unlock a drive.

• Smart card. In most cases, a smart card is issued by your organization, and a user enters a smart card PIN to unlock a drive.

After choosing an unlock method, users must print or save their recovery key. You can store this 48-digit key in AD DS so that you can use it if other unlock methods fail, such as when users forget their passwords. Finally, users must confirm their unlock selections to begin encryption. When you insert a BitLocker-protected drive into your computer, the Windows operating system will detect that the drive is encrypted automatically and then prompt you to unlock it.
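The BitLocker To Go flow just described, scripted with the Windows 8.1 BitLocker cmdlets. This is an added example, not code from the course: it protects a removable drive with a password protector, attaches the 48-digit recovery password as the fallback unlock method, and saves that recovery password to a file the way the wizard does. The drive letter E:, the save folder, and the file layout are placeholders; an elevated session is assumed.

```powershell
# Added example (not from the course): BitLocker To Go on a removable drive with a password
# protector plus a recovery password. Assumes drive E:, the Windows 8.1 BitLocker module, and
# an elevated session; the drive letter and RecoveryDir are placeholders.
param(
    [string]$MountPoint  = 'E:',
    [string]$RecoveryDir = "$env:USERPROFILE\Documents",
    [securestring]$Password = (Read-Host -Prompt "Unlock password for $MountPoint" -AsSecureString)
)

$drive = Get-BitLockerVolume -MountPoint $MountPoint
if ($drive.VolumeStatus -ne 'FullyDecrypted') {
    throw "$MountPoint is already $($drive.VolumeStatus); refusing to re-encrypt."
}

# Unlock method 1: the password. Enable-BitLocker accepts exactly one protector;
# every further protector is attached with Add-BitLockerKeyProtector.
Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $Password `
                 -EncryptionMethod Aes128 -UsedSpaceOnly | Out-Null

# Fallback: the numerical recovery password that unlocks the drive if the password is forgotten.
$after    = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$recovery = $after.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'

# Persist it like the wizard's "save to a file" option. In a domain, Backup-BitLockerKeyProtector
# can escrow the same protector in AD DS instead of (or in addition to) a file.
$file = Join-Path $RecoveryDir ('BitLocker Recovery Key ' + $recovery.KeyProtectorId.Trim('{}') + '.txt')
@(
    'BitLocker Drive Encryption recovery key (constructed file layout for this example)'
    "Identifier: $($recovery.KeyProtectorId)"
    "Recovery Key: $($recovery.RecoveryPassword)"
) | Set-Content -Path $file -Encoding UTF8

# Verify: both unlock methods are attached and encryption has started.
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeType, VolumeStatus, EncryptionPercentage,
        @{ n = 'Protectors';      e = { $_.KeyProtector.KeyProtectorType -join ', ' } },
        @{ n = 'RecoveryKeyFile'; e = { $file } }
```

Run the script with the drive inserted; the final object should list both the Password and RecoveryPassword protector types. Keep the recovery-key file off the encrypted drive itself, which is the same rule the wizard enforces for the startup key and recovery password.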


BitLocker Requirements
In both Windows 7 and Windows 8.1, drives are prepared for use by BitLocker automatically. As a result, there is no need to create separate partitions before turning BitLocker on. This is an improvement over BitLocker in Windows Vista, which required that users manually partition their hard drive. Windows 8.1 automatically creates the system partition on a hard drive. This partition does not have a drive letter, so it is not visible in File Explorer and data files will not be written to it inadvertently. In a default installation, a computer will have a separate system partition and an operating system drive. The system partition is smaller in Windows 7 and Windows 8.1 than in Windows Vista, requiring only 100 megabytes (MB) of space.

You can use BitLocker to encrypt operating system drives, fixed data drives, and removable data drives in Windows 8.1. When you use BitLocker with data drives, you can format the drive with the exFAT, FAT16, FAT32, or NTFS file system, but the drive must have at least 64 MB of available disk space. When you use BitLocker with operating system drives, you must format the drive with the NTFS file system.

Because BitLocker stores its own encryption and decryption key in a hardware device that is separate from the hard disk, you must have one of the following:

• A computer with TPM 1.2.

• A removable USB memory device, such as a USB flash drive.

On computers that do not have TPM 1.2, you still can use BitLocker to encrypt the Windows operating system volume. However, this implementation requires the user to insert a USB startup key to start the computer or resume from hibernation, and it does not provide the prestartup system integrity verification that BitLocker provides when working with a TPM. Additionally, BitLocker offers the option to lock the normal startup process until a user supplies a PIN or inserts a removable USB device, such as a flash drive, that contains a startup key. These additional security measures provide multifactor authentication and assurance that a computer will not start or resume from hibernation until the correct PIN or startup key is presented.

Hardware Requirements
To turn on BitLocker, a computer must:

• Have the hard drive space necessary for Windows 8.1 to create two disk partitions: one for the operating system volume and one for the system volume:

o Operating system volume. This partition includes the drive on which you install Windows. BitLocker encrypts this drive, which no longer needs a drive letter.

o System volume. A second partition is created as needed when you enable BitLocker in Windows 8.1. This partition must remain unencrypted so that you can start the computer. This partition must be at least 100 MB, and must be set as the active partition.

• Have a BIOS that is compatible with TPM or supports USB devices during computer startup. The BIOS must be:

o Trusted Computing Group (TCG) compliant.

o Set to start first from the hard disk, and not the USB or CD drives.

o Able to read from a USB flash drive during startup.

Determining if a Computer Has a TPM Version 1.2 Chip


BitLocker does not require a TPM. However, only a computer with a TPM can provide the additional security of prestartup system-integrity verification. Perform the following procedure to determine if a computer has a TPM version 1.2 chip:

1. Open Control Panel, click System and Security, and then click BitLocker Drive Encryption.

2. In the lower left corner, click TPM Administration. The TPM Management on Local Computer console opens. If the computer does not have a TPM 1.2 chip, the Compatible TPM cannot be found message appears.
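The same check from the command line, as an added example that is not part of the course. It reads the Win32_Tpm WMI class (the class behind the TPM Management console) for the specification version and the TPM 1.2 state bits, and Get-Tpm from the TrustedPlatformModule module that ships with Windows 8.1 for readiness. The output property names are this example's own; an elevated session is assumed.

```powershell
# Added example (not from the course): report TPM presence, specification family (1.2 or 2.0)
# and readiness. Uses Win32_Tpm (root\cimv2\Security\MicrosoftTpm) and Get-Tpm; run elevated.
function Get-TpmSummary {
    $summary = [ordered]@{
        TpmPresent  = $false
        TpmReady    = $false
        SpecVersion = 'n/a'
        IsVersion12 = $false
        IsVersion20 = $false
        Enabled     = $false
        Activated   = $false
        Owned       = $false
    }

    # Win32_Tpm has no instance when the firmware exposes no TPM to Windows (or it is disabled in the BIOS).
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpm) {
        $summary.TpmPresent  = $true
        # SpecVersion is a string such as "1.2, 2, 3" or "2.0, 0, 1.16"; the first field is the TPM family.
        $summary.SpecVersion = $tpm.SpecVersion
        $family              = ($tpm.SpecVersion -split ',')[0].Trim()
        $summary.IsVersion12 = ($family -eq '1.2')
        $summary.IsVersion20 = ($family -eq '2.0')
        # TPM 1.2 state: BitLocker needs the TPM enabled, activated and owned before it can seal keys to it.
        $summary.Enabled     = [bool]$tpm.IsEnabled_InitialValue
        $summary.Activated   = [bool]$tpm.IsActivated_InitialValue
        $summary.Owned       = [bool]$tpm.IsOwned_InitialValue
    }

    # Get-Tpm gives the readiness view that the Windows 8.1 TPM console and the BitLocker wizard rely on.
    if (Get-Command Get-Tpm -ErrorAction SilentlyContinue) {
        $summary.TpmReady = [bool](Get-Tpm).TpmReady
    }

    return [pscustomobject]$summary
}

$tpmInfo = Get-TpmSummary
if (-not $tpmInfo.TpmPresent) {
    # Same condition under which the console shows "Compatible TPM cannot be found".
    Write-Warning 'Compatible TPM cannot be found: BitLocker can still protect the OS drive with a USB startup key, but without prestartup integrity verification.'
}
$tpmInfo
```

A TPM that is present but not ready (for example, enabled in firmware but not yet owned) still shows TpmPresent as true; the wizard will then start the Initialize TPM Security Hardware Wizard described later in this lesson.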

BitLocker Modes
BitLocker can run on two types of computers:

• Those that are running TPM 1.2 and newer

• Those without TPM 1.2, but which have a removable USB memory device

This topic provides an in-depth examination of these two BitLocker modes.

Computers with TPM 1.2

The most secure implementation of BitLocker takes advantage of the enhanced security capabilities of TPM 1.2. The TPM is a hardware component that manufacturers install in many newer computers. It works with BitLocker to help protect user data and to ensure that a computer that is running Windows 8.1 is not tampered with while the system is offline. BitLocker supports TPM 1.2, but it does not support older TPMs. Version 1.2 TPMs provide increased standardization, security enhancement, and improved functionality compared to previous versions. Windows 8.1 was designed with these TPM improvements in mind.

On computers that have TPM 1.2, BitLocker uses the enhanced TPM security capabilities to help ensure that your data is accessible only if the computer's startup components appear unaltered and the encrypted disk is located in the original computer. If you enable BitLocker on a Windows 8.1 computer that has TPM 1.2, you can add the following additional factors of authentication to the TPM protection:

BitLocker offers the option to lock the normal startup process until a user supplies a PIN or inserts a USB device, such as a flash drive, that contains a BitLocker startup key. Both the PIN and the USB device can be required.

In a scenario that uses a TPM with an advanced startup option, you can add a second factor of authentication to the standard TPM protection: a PIN or a startup key on a USB flash drive. To use a USB flash drive with a TPM, the computer must have a BIOS that can read USB flash drives in the pre-operating system environment (at startup). You can check your BIOS by running a hardware test near the end of the BitLocker setup wizard. These additional security measures provide multifactor authentication and help ensure that the computer will not start or resume from hibernation until a user presents the correct authentication method.

How TPM Works

On computers equipped with a TPM, each time a computer starts, each of the early startup components, such as the BIOS, the boot sector, and the boot manager code, examines the code that is about to run, calculates a hash value, and stores the value in the TPM. Once that value is stored in the TPM, it cannot be replaced until the user restarts the system. A combination of these values is recorded. You can use these recorded values to protect data by using the TPM to create a key that links to these values. When you create this type of key, the TPM encrypts it and only that specific TPM can decrypt it. Each time the computer starts, the TPM compares the values generated during the current startup with the values that existed when the key was created. It decrypts the key only if those values match. This process is called sealing and unsealing the key.

As part of its system integrity verification process, BitLocker examines and seals keys to the measurements of the following:

• The Core Root of Trust for Measurement

• The BIOS and any platform extensions

• Option read-only memory (ROM) code

• Master boot record code

• The NTFS boot sector

• The Boot Manager

If any of these items change unexpectedly, BitLocker locks the drive to prevent it from being accessed or decrypted.
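A small model of the measure-then-seal process described above, added here as an illustration and not taken from the course or from any Microsoft component. It extends a simulated PCR with a hash of each startup component in the order the list above gives them, seals a placeholder secret to the resulting value, and shows that altering any one component changes the final measurement so the secret is not released. The component names, the hash algorithm (SHA-256) and the in-memory "TPM" are constructed for the example; a real TPM extends PCRs in hardware and encrypts the sealed secret with a key that never leaves the chip.

```powershell
# Added example (not from the course): a model of PCR extension and key sealing.
# Constructed component names; SHA-256 stands in for the TPM's hash; the sealed blob
# keeps the secret in memory only because this is a model, a real TPM encrypts it.
$sha = [System.Security.Cryptography.SHA256]::Create()
function Get-Digest([byte[]]$Bytes) { return $sha.ComputeHash($Bytes) }

# PCR extend: newPCR = H(oldPCR || H(component)). A PCR can only be extended, never written,
# so a measurement cannot be undone until the platform resets, exactly as the text describes.
function Measure-StartupChain([string[]]$Components) {
    $pcr = New-Object byte[] 32                     # PCRs are all zeros after reset
    foreach ($component in $Components) {
        $eventDigest = Get-Digest ([Text.Encoding]::UTF8.GetBytes($component))
        $pcr = Get-Digest ([byte[]]($pcr + $eventDigest))
    }
    return $pcr
}

# Seal: bind a secret to the expected PCR value. Unseal: release it only when the live value matches.
function Protect-Key([byte[]]$ExpectedPcr, [string]$Secret) {
    return [pscustomobject]@{ Policy = [BitConverter]::ToString($ExpectedPcr); Secret = $Secret }
}
function Unprotect-Key($SealedBlob, [byte[]]$LivePcr) {
    if ([BitConverter]::ToString($LivePcr) -eq $SealedBlob.Policy) { return $SealedBlob.Secret }
    return $null   # measurements differ: BitLocker would lock the drive and enter recovery
}

# The measured items in the order the lesson lists them (constructed labels).
$goodChain = 'CRTM v1', 'BIOS 2.07 + extensions', 'OptionROM:NIC', 'MBR code', 'NTFS boot sector', 'bootmgr'
$sealed    = Protect-Key (Measure-StartupChain $goodChain) 'VMK-placeholder'

# Unchanged chain: the secret is released.
"Unaltered boot: {0}" -f (Unprotect-Key $sealed (Measure-StartupChain $goodChain))

# One altered component: every later PCR value changes too, and nothing is released.
$tampered = $goodChain.Clone()
$tampered[5] = 'bootmgr (modified)'
$result = Unprotect-Key $sealed (Measure-StartupChain $tampered)
"Modified boot manager: {0}" -f $(if ($null -eq $result) { 'key NOT released (recovery mode)' } else { $result })
```

Because each extend folds the previous PCR value into the next hash, the order of the components matters as much as their contents: the same six items measured in a different order produce a different final value and the seal fails just as it does for a modified component. That is what lets BitLocker treat firmware, option ROM and boot-manager changes alike.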

Computers Without TPM 1.2

By default, BitLocker is configured to look for and use a TPM. You can use Group Policy to allow BitLocker to work without a TPM and store keys on an external USB flash drive. However, BitLocker then cannot verify early startup components.

You can enable BitLocker on a computer without TPM 1.2 as long as the BIOS has the ability to read from a USB flash drive in the boot environment. This is because BitLocker will not unlock a protected volume until BitLocker's own volume master key is first released by either the computer's TPM or by a USB flash drive containing the BitLocker startup key for that computer. However, computers without TPMs will not be able to use the system-integrity verification that BitLocker provides.

If a startup key is located on a USB flash drive, your computer must have a BIOS that can read USB flash drives in the pre-operating system environment (at startup). You can check your BIOS by running the hardware test that is near the end of the BitLocker setup wizard. To help determine whether a computer can read from a USB device during the boot process, use the BitLocker System Check as part of the BitLocker setup process. This system check performs tests to confirm that the computer can read from USB devices properly at the appropriate time and that the computer meets other BitLocker requirements.

To enable BitLocker on a computer without a TPM, use Group Policy to enable the advanced BitLocker user interface. With advanced options enabled, the non-TPM settings appear in the BitLocker setup wizard.

Question: What is a disadvantage of running BitLocker on a computer that does not contain TPM 1.2?


Group Policy Settings for BitLocker


BitLocker in Windows 8.1 introduces several new Group Policy settings that permit straightforward feature management. For example, you can:

• Require all removable drives to be BitLocker-protected before users can save data to them.

• Require or disallow specific methods for unlocking BitLocker-protected drives.

• Configure methods to recover data from BitLocker-protected drives if a user's unlock credentials are not available.

• Require or prevent different types of recovery password storage or make them optional.

• Prevent BitLocker from being enabled if the keys cannot be backed up to AD DS.

In addition to recovery passwords, you can use Group Policy to configure a domain-wide public key called a data recovery agent that will permit an administrator to unlock any drive encrypted with BitLocker. Before you can use a data recovery agent, you must add it from the Public Key Policies item in either the GPMC or the Local Group Policy Editor. To use a data recovery agent with BitLocker, you must enable the appropriate Group Policy setting for the drives that you are using with BitLocker. These policy settings are:

• Choose how BitLocker-protected operating system drives can be recovered

• Choose how BitLocker-protected removable data drives can be recovered

• Choose how BitLocker-protected fixed data drives can be recovered

When you enable the policy setting, select the Enable data recovery agent check box. There is a policy setting for each type of drive, so you can configure individual recovery policies for each type of drive on which you enable BitLocker.

You also must enable and configure the Provide the unique identifiers for your organization policy setting to associate a unique identifier with a new drive that is protected with BitLocker. Identification fields are required for management of data recovery agents on BitLocker-protected drives. BitLocker will manage and update data recovery agents only when an identification field is present on a drive and is identical to the value that is configured on the computer.

Using these policy settings helps enforce standard deployment of BitLocker in your organization. Group Policy settings that affect BitLocker are located in Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption. Globally applied BitLocker Group Policy settings are located in this folder. Subfolders for fixed data drives, operating system drives, and removable drives support the configuration of policy settings specific to those drives.

Note: If you want to use BitLocker to protect an operating system drive on a computer that does not have a TPM, you must enable the Require additional authentication at startup policy setting, and then within that setting, click Allow BitLocker without a compatible TPM.
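An added example, not from the course, that audits how these settings have landed on a client: Group Policy writes the BitLocker settings as registry values under HKLM\SOFTWARE\Policies\Microsoft\FVE, so reading that key shows the effective policy, including the two conditions the Note above and the data recovery agent discussion care about. The registry value names are taken from the BitLocker policy template (VolumeEncryption.admx) and are an assumption of this example; confirm them against the ADMX you deploy before relying on the mapping.

```powershell
# Added example (not from the course): audit the BitLocker policy values under
# HKLM\SOFTWARE\Policies\Microsoft\FVE and flag common gaps. Value names are assumed
# from the BitLocker ADMX; "Not Configured" means the value is absent.
function Get-BitLockerPolicyAudit {
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }

    # Policy setting (as named in the lesson) -> registry value the ADMX writes.
    $map = [ordered]@{
        'Require additional authentication at startup'      = 'UseAdvancedStartup'
        'Allow BitLocker without a compatible TPM'           = 'EnableBDEWithNoTPM'
        'Configure TPM startup'                              = 'UseTPM'
        'Configure TPM startup PIN'                          = 'UseTPMPIN'
        'Configure TPM startup key'                          = 'UseTPMKey'
        'Provide the unique identifiers (enabled)'           = 'IdentificationField'
        'Provide the unique identifiers (identification)'    = 'IdentificationFieldString'
        'Deny write access to unprotected fixed drives'      = 'FDVDenyWriteAccess'
        'Deny write access to unprotected removable drives'  = 'RDVDenyWriteAccess'
        'Choose how OS drives can be recovered (enabled)'    = 'OSRecovery'
        'OS drives: enable data recovery agent'              = 'OSManageDRA'
        'OS drives: save recovery information to AD DS'      = 'OSActiveDirectoryBackup'
        'OS drives: require AD DS backup before enabling'    = 'OSRequireActiveDirectoryBackup'
    }

    $settings = foreach ($entry in $map.GetEnumerator()) {
        $value = if ($props -and $props.PSObject.Properties[$entry.Value]) { $props.($entry.Value) } else { 'Not Configured' }
        [pscustomobject]@{ Setting = $entry.Key; RegistryValue = $entry.Value; Value = $value }
    }

    $get = { param($name) ($settings | Where-Object RegistryValue -eq $name).Value }
    $findings = @()
    if ((& $get UseAdvancedStartup) -eq 1 -and (& $get EnableBDEWithNoTPM) -eq 1) {
        $findings += 'OS drives may be protected with a startup key only; such computers get no prestartup integrity verification.'
    }
    if ((& $get OSRecovery) -eq 1 -and (& $get OSRequireActiveDirectoryBackup) -ne 1) {
        $findings += 'BitLocker can be enabled on OS drives even when recovery information cannot be backed up to AD DS.'
    }
    if ((& $get OSManageDRA) -eq 1 -and (& $get IdentificationField) -ne 1) {
        $findings += 'A data recovery agent is enabled but no identification field is configured, so BitLocker will not apply the agent to drives.'
    }

    return [pscustomobject]@{ Settings = $settings; Findings = $findings }
}

$audit = Get-BitLockerPolicyAudit
$audit.Settings | Format-Table -AutoSize
$audit.Findings
```

Run it after gpupdate on a test client to see the merged result of domain and local policy; a value that stays "Not Configured" after a GPO should have set it usually means the GPO has not applied rather than that the ADMX name is wrong.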

Summary of Group Policy Settings


The BitLocker Drive Encryption folder contains the following subfolders: Fixed Data Drives, Operating System Drives, and Removable Data Drives.


The following table summarizes some of the key policy settings that affect Windows 8.1 client computers. Each setting includes the following options: Not Configured, Enabled, and Disabled. The default setting for each setting is Not Configured.

Setting name: Choose default folder for recovery password
Location: BitLocker Drive Encryption folder
Description: This specifies a default location, which is shown to the user, to which the user can save recovery keys. This can be a local or network location. The user is free to choose other locations.

Setting name: Choose drive encryption method and cipher strength
Location: BitLocker Drive Encryption folder
Description: This allows you to configure the algorithm and cipher strength that BitLocker uses to encrypt files. If you enable this setting, you will be able to choose an encryption algorithm and key cipher strength. If you disable or do not configure this setting, BitLocker will use the default encryption method of AES 128-bit with Diffuser or the encryption method that the setup script specifies.

Setting name: Provide the unique identifiers for your organization
Location: BitLocker Drive Encryption folder
Description: This allows you to associate unique organizational identifiers to a new drive that is enabled with BitLocker. BitLocker will manage and update data recovery agents only when the identification field on the drive matches the value that you configure in the identification field. This also applies to removable drives that you configure by using BitLocker To Go.

Setting name: Prevent memory overwrite on restart
Location: BitLocker Drive Encryption folder
Description: This controls computer restart performance at the risk of exposing BitLocker secrets. BitLocker secrets include key material that you use to encrypt data. If you enable this setting, memory will not be overwritten when the computer restarts. This can improve restart performance, but it does increase the risk of exposing BitLocker secrets. If you disable or do not configure this setting, BitLocker removes secrets from memory when the computer restarts.

Setting name: Deny write access to fixed drives not protected by BitLocker
Location: Fixed Data Drives folder
Description: This determines whether BitLocker protection is required for fixed data drives to be writable on a computer. If you enable this setting, all fixed data drives that are not BitLocker-protected will be mounted as read-only. If the drive is BitLocker-protected, or if you disable or do not configure this setting, all fixed data drives will be mounted with read/write permission.

Setting name: Allow access to BitLocker-protected data drives from earlier versions of Windows
Location: Fixed Data Drives folder
Description: This configures whether fixed data drives formatted with the FAT file system can be unlocked and viewed on computers that are running Windows Server 2008, Windows Vista, and Windows XP with Service Pack 3 (SP3) or Service Pack 2 (SP2) operating systems.

Setting name: Choose how BitLocker-protected fixed drives can be recovered
Location: Fixed Data Drives folder
Description: This allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials.

Setting name: Require additional authentication at startup
Location: Operating System Drives folder
Description: This allows you to configure whether you can enable BitLocker on computers without a TPM, and whether you can use multifactor authentication on computers with a TPM.

Setting name: Choose how BitLocker-protected operating system drives can be recovered
Location: Operating System Drives folder
Description: This allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information.

Setting name: Configure TPM platform validation profile
Location: Operating System Drives folder
Description: This configures which of the TPM platform measurements stored in the Platform Configuration Register indices are used to seal BitLocker keys.

Setting name: Control use of BitLocker on removable drives
Location: Removable Data Drives folder
Description: This controls the use of BitLocker on removable data drives.

Setting name: Configure use of smart cards on removable data drives
Location: Removable Data Drives folder
Description: This allows you to specify whether smart cards can be used to authenticate user access to BitLocker-protected removable drives on a computer.

Setting name: Deny write access to removable drives not protected by BitLocker
Location: Removable Data Drives folder
Description: This configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive.

Setting name: Allow access to BitLocker-protected removable drives from earlier versions of Windows
Location: Removable Data Drives folder
Description: This configures whether removable data drives formatted with the FAT file system can be unlocked and viewed on computers that are running Windows Server 2008, Windows Vista, and Windows XP with SP3 or SP2 operating systems.

Setting name: Configure use of passwords for removable data drives
Location: Removable Data Drives folder
Description: This specifies whether a password is required to unlock BitLocker-protected removable data drives. If you choose to allow the use of a password, you can require a password to be used, enforce complexity requirements, and configure a minimum length.

Setting name: Choose how BitLocker-protected removable drives can be recovered
Location: Removable Data Drives folder
Description: This allows you to control how BitLocker-protected removable data drives are recovered in the absence of the required startup key information.

Group Policy Settings and TPM


Group Policy settings that control TPM behavior are located in Computer Configuration\Administrative Templates\System\Trusted Platform Module Services. The following table summarizes these settings.

Setting name: Turn on TPM backup to AD DS
Default: Disabled
Description: This controls whether TPM owner password information is backed up in AD DS. If you enable this setting, it also can control whether backup is required or optional.

Setting name: Configure the list of blocked TPM commands
Default: None
Description: This allows you to disable or enable specific TPM functions, but the next two settings can restrict which commands are available. Group Policy-based lists override local lists. You can configure local lists in the TPM Management console.

Setting name: Ignore the default list of blocked TPM commands
Default: Disabled
Description: By default, BitLocker blocks certain TPM commands. To enable these commands, you must enable this policy setting.

Setting name: Ignore the local list of blocked TPM commands
Default: Disabled
Description: By default, a local administrator can block commands in the TPM Management console. You can use this setting to prevent that behavior.

Microsoft BitLocker Administration and Monitoring 2.0

You have seen in this module that BitLocker and BitLocker To Go offer enhanced protection against data theft or data exposure from computers that might have been lost or stolen. We recommended that medium and large organizations that deploy BitLocker should use the Microsoft BitLocker Administration and Monitoring 2.0 tool to provide management capabilities for BitLocker and BitLocker To Go. Administrators can use Microsoft BitLocker Administration and Monitoring to simplify the following BitLocker management tasks:

• Deployment and encryption key recovery

• Centralized compliance monitoring and reporting

• Provisioning encrypted drives

• Supporting encrypted drives within an organization

Microsoft BitLocker Administration and Monitoring 2.0 enables administrators to enforce organizational BitLocker encryption policies across an enterprise. It also enables administrators to monitor the compliance of client computers with those policies, providing centralized reporting on the encryption status of devices used on a network.


Note: Microsoft BitLocker Administration and Monitoring 2.0 is only available as part of the Microsoft Desktop Optimization Pack, which offers Microsoft Software Assurance customers a suite of premium utilities which are useful for administrators to manage desktop computers and devices within an organization. Microsoft BitLocker Administration and Monitoring 2.0 is not supported with Windows 8.1. Microsoft is planning to release a newer version that is compatible with Windows 8.1.

In addition, Microsoft BitLocker Administration and Monitoring lets you access recovery key information, which is helpful when users forget their PIN or password, or when their BIOS/UEFI firmware or boot record changes. By adopting an enterprise BitLocker management solution, organizations can increase the level of effectiveness of BitLocker significantly and can reduce the administrative overhead and the total cost of ownership.

Note: Microsoft BitLocker Administration and Monitoring 1.0 supports Windows 7, whereas Microsoft BitLocker Administration and Monitoring 2.0 supports Windows 7 and Windows 8.

Microsoft BitLocker Administration and Monitoring 2.0 provides the following new features and functionality:

• Integration with Configuration Manager

• Hardware compatibility integration with Configuration Manager

• Protectors flexible policy, which allows more configuration options

• Microsoft BitLocker Administration and Monitoring 2.0 client can now upgrade the Microsoft BitLocker Administration and Monitoring 1.0 client

• Microsoft BitLocker Administration and Monitoring 2.0 can now upgrade previous versions of the Microsoft BitLocker Administration and Monitoring Server

• Microsoft BitLocker Administration and Monitoring 2.0 support for BitLocker's enterprise scenarios on Windows 8

• Self-Service Portal for end users to recover their recovery keys

• Automatic resumption of BitLocker protection from a suspended state after restart

• Fixed data drives can be configured to unlock automatically without a password

For more information, see the Volume Licensing page on the Microsoft website. http://go.microsoft.com/fwlink/?LinkId=378252&clcid=0x409

For more information, see Microsoft BitLocker Administration and Monitoring on the Microsoft TechNet website. http://go.microsoft.com/fwlink/?LinkId=378253&clcid=0x409

Question: How can you use Microsoft BitLocker Administration and Monitoring 2.0 to reduce the amount of time that the help desk is required to spend recovering a BitLocker unlock key for a remote user?


Configuring BitLocker
In Windows 8.1, you can enable BitLocker from the Control Panel or by right-clicking the volume that you want to encrypt. This initiates the BitLocker Drive Encryption Wizard, which validates system requirements. During the preparation phase, BitLocker creates the second partition if it does not exist.

Administration
You can manage BitLocker by using the BitLocker Drive Encryption item within Control Panel. The Manage-bde command-line tool also is available, so you can script BitLocker tasks locally or remotely from the Windows PowerShell command-line interface or from a Command Prompt window.

After you encrypt and protect a volume by using BitLocker, local and domain administrators can use the Manage Keys page in the BitLocker control panel item to duplicate keys and reset PINs.
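An added example, not from the course, of the kind of scripted administration the paragraph above refers to. It uses the Windows 8.1 BitLocker cmdlets (the PowerShell counterpart of Manage-bde) to inventory every volume, flag the gaps a help desk or a compliance report would want to know about, and optionally escrow each recovery password in AD DS with Backup-BitLockerKeyProtector. The property names of the report object are this example's own; an elevated session and, for the AD DS backup, a domain-joined computer with the BitLocker recovery schema in place are assumed.

```powershell
# Added example (not from the course): BitLocker compliance inventory with optional AD DS escrow
# of recovery passwords. Assumes the Windows 8.1 BitLocker module and an elevated session.
function Get-BitLockerCompliance {
    param([switch]$BackupToAdds)   # also back up each recovery password to the computer object in AD DS

    foreach ($vol in Get-BitLockerVolume) {
        $types    = @($vol.KeyProtector.KeyProtectorType)
        $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        $issues   = @()

        if ($vol.ProtectionStatus -ne 'On')         { $issues += 'protection is off (clear key or not enabled)' }
        if ($vol.VolumeStatus -ne 'FullyEncrypted') { $issues += "volume state is $($vol.VolumeStatus)" }
        # OS drives without a TPM-based protector start with a USB key only and skip integrity verification.
        if ($vol.VolumeType -eq 'OperatingSystem' -and -not ($types -match '^Tpm')) {
            $issues += 'OS drive has no TPM-based protector'
        }
        if ($recovery.Count -eq 0) { $issues += 'no recovery password protector' }

        if ($BackupToAdds -and $recovery.Count -gt 0) {
            foreach ($r in $recovery) {
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $r.KeyProtectorId | Out-Null
            }
        }

        [pscustomobject]@{
            MountPoint = $vol.MountPoint
            VolumeType = $vol.VolumeType
            Protection = $vol.ProtectionStatus
            Encrypted  = "$($vol.EncryptionPercentage)%"
            Protectors = ($types -join ', ')
            Compliant  = ($issues.Count -eq 0)
            Issues     = ($issues -join '; ')
        }
    }
}

# Report only; add -BackupToAdds on a domain member to escrow recovery passwords.
Get-BitLockerCompliance | Format-Table -AutoSize
```

The same information is what Manage-bde -status prints, but as objects it can be filtered (for example, Compliant -eq $false) or collected centrally, which is the gap Microsoft BitLocker Administration and Monitoring fills at enterprise scale.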

Turning on BitLocker with TPM Management


The BitLocker control panel item displays BitLocker's status and provides the functionality to enable or disable BitLocker. If BitLocker is actively encrypting or decrypting data due to a recent installation or uninstall request, the progress status appears. IT professionals also can use the BitLocker control panel item to access the TPM Management snap-in to MMC. Perform the following procedure to turn on BitLocker:

1. In Control Panel, click System and Security, and then click BitLocker Drive Encryption.

2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

3. On the BitLocker Drive Encryption page, click Turn On BitLocker on the operating system volume. A message appears, warning that BitLocker encryption might have a performance impact on your computer. If your TPM is not initialized, the Initialize TPM Security Hardware Wizard appears. Follow the directions to initialize the TPM, and then restart or shut down your computer.

4. The Save the recovery password page shows the following options:

o Save the password on a USB drive. Saves the password to a USB flash drive.

o Save the password in a folder. Saves the password to a folder on a network drive or other location.

o Print the password. Prints the password.

Use one or more of these options to preserve the recovery password. For each, select the option and then follow the wizard steps to set the location for saving or printing the recovery password. When you finish saving the recovery password, click Next.

5. On the Encrypt the selected disk volume page, confirm that the Run BitLocker System Check check box is selected, and then click Continue. Confirm that you want to restart the computer by clicking Restart Now. The computer restarts and then BitLocker verifies whether the computer is BitLocker-compatible and ready for encryption. If it is not, an error message will alert you to the problem.

6. If the computer is ready for encryption, the Encryption in Progress status bar displays. You can monitor the ongoing completion status of the disk-volume encryption by dragging your mouse pointer over the BitLocker Drive Encryption icon, which is in the notification area at the bottom of your screen.

By completing this procedure, you will have encrypted the operating system volume and created a recovery password unique to this volume. The next time that you sign in, you will see no change. If the TPM ever changes or BitLocker cannot access it, or if there are changes to key system files or someone tries to start the computer from a product CD or DVD to circumvent the operating system, the computer will switch to recovery mode until the user supplies the correct recovery password.

Turning on BitLocker Without TPM Management

Use the following procedure to change your computer's Group Policy settings so that you can turn on BitLocker without a TPM. Instead of a TPM, you will use a startup key to authenticate yourself. The startup key is on a USB flash drive that you insert into the computer before you turn it on. For this scenario, you must have a BIOS that will read USB flash drives in the pre-operating system environment (at startup). You can check your BIOS by running the system check that is in the final step of the BitLocker wizard. Before you start:

• You must be signed in as an administrator.

• BitLocker must be installed on this computer.

• You must have a USB flash drive to save the recovery password.

You should try to use a second USB flash drive to store the startup key separate from the recovery password.

Perform the following steps to turn on BitLocker on a computer without a compatible TPM:

1. Run Gpedit.msc.

2. If the User Account Control dialog box appears, confirm that the action it displays is the action that you want to occur, and then click Continue.

3. In the Local Group Policy Editor console tree, click Computer Configuration, click Administrative Templates, click Windows Components, click BitLocker Drive Encryption, and then click Operating System Drives.

4. Double-click the Require additional authentication at startup setting.

5. Select the Enabled option, select the Allow BitLocker without a compatible TPM check box, and then click OK. You have changed the policy setting so that you can use a startup key instead of a TPM.

6. Close the Local Group Policy Editor.

7. To force Group Policy to apply immediately, from a command prompt, type gpupdate.exe /force, and then press Enter.

8. From Control Panel, click System and Security, and then click BitLocker Drive Encryption.

9. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

10. On the BitLocker Drive Encryption page, click Turn On BitLocker. This will appear only with the operating system volume.

11. On the Set BitLocker Startup Preferences page, select the Require Startup USB Key at every startup option. This is the only option available for non-TPM configurations. You must insert this key before you start the computer, each time you start it.

12. Insert your USB flash drive in the computer if you have not done so already.

13. On the Save your Startup Key page, choose the location of your USB flash drive, and then click Save.

14. The following options are available on the Save the recovery password page:

o Save the password on a USB drive. Saves the password to a USB flash drive.

o Save the password in a folder. Saves the password to a folder on a network drive or other location.

o Print the password. Prints the password.

Use one or more of these options to preserve the recovery password. For each, select the option and then follow the wizard steps to set the location for saving or printing the recovery password. Do not store the recovery password and the startup key on the same media. When you have finished saving the recovery password, click Next.

15. On the Encrypt the selected disk volume page, confirm that the Run BitLocker System Check check box is selected, and then click Continue. Confirm that you want to restart the computer by clicking Restart Now. The computer restarts, and BitLocker verifies whether the computer is BitLocker-compatible and ready for encryption. If it is not, an error message will alert you to the problem before encryption starts.

16. If the computer is ready for encryption, the Encryption in Progress status bar is displayed. You can monitor the ongoing completion status of the disk-volume encryption by dragging your mouse pointer over the BitLocker Drive Encryption icon, which is in the notification area at the bottom of your screen. You also can click the Encryption icon to view the status.

By completing this procedure, you have encrypted the operating system volume and created a recovery password unique to that volume. The next time that you turn your computer on, you must plug the USB flash drive with the startup key into one of the computer's USB ports. If not, you will not be able to access data on your encrypted volume.

If you do not have the USB flash drive that contains your startup key, then you will need to use recovery mode and supply the recovery password to access data.
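The same non-TPM configuration can be set up from an elevated PowerShell prompt with the BitLocker module that Windows 8.1 includes. The script below is an added example, not part of the course material: it checks that the Group Policy prerequisite is in place, enables BitLocker on the operating system volume with a startup key written to a USB flash drive, adds a recovery password, and shows what must be kept. The drive letters C: and E:, and the registry value names used for the policy check, are assumptions for this example.

```powershell
# Added example (not from the course): enable BitLocker on the operating system
# volume of a computer WITHOUT a TPM, using a startup key on a USB flash drive
# plus a recovery password, then report what must be kept. Windows 8.1,
# elevated PowerShell. C: and E: are assumptions.

$OsVolume       = 'C:'
$StartupKeyPath = 'E:\'    # USB flash drive that will receive the startup key (.BEK file)

# 1. The "Require additional authentication at startup" policy must allow BitLocker
#    without a compatible TPM. Assumption: the policy writes UseAdvancedStartup and
#    EnableBDEWithNoTPM under this key, which is what the check below relies on.
$pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
if (-not $pol -or [int]$pol.UseAdvancedStartup -ne 1 -or [int]$pol.EnableBDEWithNoTPM -ne 1) {
    throw "Policy does not allow BitLocker without a TPM; enable 'Require additional authentication at startup' first"
}

# 2. Refuse to continue if the volume is already protected or the USB drive is missing.
$vol = Get-BitLockerVolume -MountPoint $OsVolume
if ($vol.VolumeStatus -ne 'FullyDecrypted') { throw "$OsVolume is already $($vol.VolumeStatus)" }
if (-not (Test-Path -Path $StartupKeyPath)) { throw "Startup key drive $StartupKeyPath not found" }

# 3. Enable BitLocker with a startup key protector. BitLocker writes a hidden .BEK
#    file to the USB drive. Without -SkipHardwareTest the system check of step 15
#    runs on the next restart, and encryption starts only if it passes.
Enable-BitLocker -MountPoint $OsVolume -StartupKeyProtector -StartupKeyPath $StartupKeyPath | Out-Null

# 4. Add a recovery password so that a lost USB key does not lock you out.
$vol = Add-BitLockerKeyProtector -MountPoint $OsVolume -RecoveryPasswordProtector
$rp  = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

# 5. What must be kept: the recovery password (stored or printed somewhere that is
#    NOT the startup-key drive) and the .BEK file that now lives on the USB drive.
[pscustomobject]@{
    Volume           = $OsVolume
    PasswordId       = $rp.KeyProtectorId
    RecoveryPassword = $rp.RecoveryPassword
    StartupKeyFile   = (Get-ChildItem -Path $StartupKeyPath -Filter '*.BEK' -Force | Select-Object -First 1).FullName
}
Write-Host 'Restart the computer with the USB drive inserted; encryption starts after the system check passes.'
```

The order matters: the recovery password is added before the first restart, so there is never a boot at which the startup key is the only way in. `Get-BitLockerVolume -MountPoint C:` after the restart shows `VolumeStatus` moving through `EncryptionInProgress` to `FullyEncrypted`, which is the same information the notification-area icon reports.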

Upgrading a BitLocker-Enabled Computer


The following steps are necessary to upgrade a BitLocker-enabled computer:
1. Temporarily turn off BitLocker by placing it into disabled mode.
2. Upgrade the system or the BIOS.
3. Turn BitLocker on.

Forcing BitLocker into disabled mode keeps the volume encrypted, but the volume master key is encrypted with a symmetric key that it stores unencrypted on the hard disk. The availability of this unencrypted key disables the data protection that BitLocker offers, but it ensures that subsequent computer startups succeed without further user input. When you re-enable BitLocker, the unencrypted key is removed from the disk and BitLocker protection is turned on. Additionally, BitLocker identifies the volume master key and encrypts it again.
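In PowerShell, disabled mode is called suspending. The following added example (not part of the course) shows the upgrade sequence above with a safety net: protection is suspended for a fixed number of restarts, so a forgotten resume cannot leave the clear key on the disk indefinitely, and the state is verified before and after. The drive letter C: is an assumption.

```powershell
# Added example (not from the course): put BitLocker into disabled (suspended)
# mode around a BIOS/firmware or system upgrade, then confirm protection is back
# on. Windows 8.1, elevated PowerShell. C: is an assumption.

$OsVolume = 'C:'

function Get-BitLockerState([string]$MountPoint) {
    $v = Get-BitLockerVolume -MountPoint $MountPoint
    [pscustomobject]@{
        Volume           = $MountPoint
        VolumeStatus     = $v.VolumeStatus      # FullyEncrypted even while suspended
        ProtectionStatus = $v.ProtectionStatus  # Off while the clear key is on disk
    }
}

# Suspend: the volume stays encrypted, but the volume master key is also sealed
# with a clear key stored on disk, so the next boot needs no USB key, PIN or TPM.
# -RebootCount 1 tells Windows to resume protection by itself after one restart.
Suspend-BitLocker -MountPoint $OsVolume -RebootCount 1 | Out-Null
Get-BitLockerState $OsVolume       # expect ProtectionStatus = Off

# ... apply the BIOS/firmware update and restart the computer here ...

# After the restart protection should already be On. Resume explicitly anyway,
# which removes the clear key and re-seals the volume master key to the new
# boot environment, then refuse to continue if protection is still off.
Resume-BitLocker -MountPoint $OsVolume | Out-Null
$state = Get-BitLockerState $OsVolume
if ($state.ProtectionStatus -ne 'On') { throw "BitLocker protection is still off on $OsVolume" }
$state
```

`Suspend-BitLocker` with no `-RebootCount` (or `-RebootCount 0`) suspends until `Resume-BitLocker` is run, which is the riskier behaviour the note in the next topic warns about. For a TPM-protected computer, resuming after the firmware change is also what prevents the next boot from dropping into recovery mode because the measured boot values changed.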

MCT USE ONLY. STUDENT USE PROHIBITED


10-41

Configuring Windows 8.1

Moving a BitLocker-Enabled Computer

Moving the encrypted volume, which is the physical disk, to another BitLocker-enabled computer requires that you turn off BitLocker temporarily. No additional steps are required, because the key that is protecting the volume master key is then stored unencrypted on the disk.

Note: Exposing the volume master key even for a brief period is a security risk. An attacker who reads the clear key from the disk can recover the volume master key and, from it, the full volume encryption key.

Computer Decommissioning and Recycling


Many personal computers are reused by people other than the computer's initial owner or user. In enterprise scenarios, you might redeploy computers to other departments or remove them from an organization as part of a standard computer hardware-refresh cycle.

On unencrypted drives, data might remain readable even after the drive has been formatted. Enterprises often use multiple overwrites or physical destruction to reduce the risk of exposing data on decommissioned drives.

You can use BitLocker to create a simple, cost-effective decommissioning process. Leaving the data encrypted by BitLocker and then removing the keys permanently reduces the risk of exposing that data. It becomes practically impossible to access BitLocker-encrypted data after all BitLocker keys have been removed, because doing so would require breaking 128-bit or 256-bit AES encryption.

Note: Perform the procedures that this section describes only if you do not want or need the data in the future. You cannot recover the data in the encrypted volume after you perform these procedures.

You can remove a volume's BitLocker keys by formatting that volume from Windows 8.1. The format command has been updated to support this operation. To format the operating system volume, open a command prompt in the recovery environment that the Windows 8.1 installation DVD includes.

Alternatively, an administrator can create a script that effectively removes all BitLocker key protectors. Running such a script leaves all BitLocker-encrypted data unrecoverable when you restart the computer. As a safety measure, BitLocker requires that an encrypted volume have at least one key protector. Given this requirement, you can decommission the drive by creating a new external key protector, not saving the created external key information, and then removing all other key protectors on the volume.

After you remove the BitLocker keys from the volume, you need to perform follow-up tasks to complete the decommissioning process. For example, reset the TPM to its factory defaults by clearing the TPM, and discard saved recovery information for the volume, such as printouts, files stored on USB devices, and information stored in AD DS.

Question: When turning on BitLocker on a computer with TPM 1.2, what is the purpose of saving the recovery password?
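The protector-removal script the text describes can be written with the BitLocker cmdlets. The following is an added example, not the course's own script, for a data volume (the operating system volume is better handled by formatting it from the recovery environment, as described above). The drive letter D: is an assumption. It destroys access to the data on that volume.

```powershell
# Added example (not from the course): decommission a BitLocker-protected DATA
# volume by leaving it encrypted and destroying every usable key protector.
# THIS IS IRREVERSIBLE. Windows 8.1, elevated PowerShell. D: is an assumption.

$MountPoint = 'D:'

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeType -ne 'Data') { throw "$MountPoint is not a data volume; format the OS volume from WinRE instead" }
if ($vol.VolumeStatus -ne 'FullyEncrypted') { throw "$MountPoint is $($vol.VolumeStatus); nothing to lock away" }
$before = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorId })

# BitLocker insists on at least one protector, so add a throwaway external key
# (a .BEK file in a temporary folder) that we will destroy immediately afterwards.
$tmp = Join-Path $env:TEMP ('bde-decom-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $tmp | Out-Null
$vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryKeyProtector -RecoveryKeyPath $tmp
$throwaway = @($vol.KeyProtector | Where-Object { $before -notcontains $_.KeyProtectorId })
if ($throwaway.Count -ne 1) { throw 'Could not identify the throwaway protector; aborting before removing anything' }

# Remove every original protector: password, recovery password, auto-unlock key, DRA ...
foreach ($id in $before) {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $id | Out-Null
}

# Destroy the throwaway key. Overwriting before deleting is best effort (flash
# and SSD media remap sectors), which is why the key was never copied anywhere.
Get-ChildItem -Path $tmp -Filter '*.BEK' -Force | ForEach-Object {
    $junk = New-Object byte[] $_.Length
    (New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($junk)
    [IO.File]::WriteAllBytes($_.FullName, $junk)
    Remove-Item -LiteralPath $_.FullName -Force
}
Remove-Item -LiteralPath $tmp -Recurse -Force

# Lock the volume so the cached full volume encryption key is dropped, then show
# the end state: still FullyEncrypted, with a single ExternalKey protector whose
# key no longer exists.
Lock-BitLocker -MountPoint $MountPoint -ForceDismount | Out-Null
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, @{ n = 'Protectors'; e = { ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ',' } }
```

The follow-up tasks still apply: `Clear-Tpm` (TrustedPlatformModule module, requires physical presence confirmation at the next boot) resets the TPM, and the msFVE-RecoveryInformation objects for the volume should be deleted from AD DS along with any printed or saved recovery passwords.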

MCT USE ONLY. STUDENT USE PROHIBITED

10-42

Securing Windows 8.1 Devices

Configuring BitLocker To Go
BitLocker To Go protects data on removable data drives. It allows you to configure BitLocker on USB flash drives and external hard drives. The option is available by simply right-clicking on a drive in File Explorer to enable BitLocker protection.

BitLocker To Go Scenario
Consider the following scenario. An administrator configures Group Policy to require that users can save data only on data volumes that are protected by BitLocker. Specifically, the administrator enables the Deny write access to removable drives not protected by BitLocker policy setting and deploys it to the domain.

Meanwhile, an end user inserts a USB flash drive. Because the USB flash drive is not protected with BitLocker, Windows 8.1 displays an informational dialog box indicating that the device must be encrypted with BitLocker. From this dialog, the user chooses to launch the BitLocker wizard to encrypt the volume or continues working with the device as read-only. If the user decides to implement the device as read-only and then attempts to save a document to the flash drive, an access-denied error message appears.

Configuring BitLocker To Go

When you select the Turn On BitLocker menu option, you must specify how you want to unlock the drive in the subsequent wizard. You can select one of the following methods:
- A recovery password or passphrase. You can configure the complexity in Group Policy.
- A smart card.
- Always auto-unlock this device on this PC.

After you configure a device to use BitLocker, BitLocker encrypts documents as the user saves them to the external drive. When the user inserts the USB flash drive on a different computer, that computer detects that the portable device is BitLocker-protected and prompts the user for the passphrase. The user can choose to unlock the volume automatically on the second computer.

Note: In the above scenario, the second computer's own drives do not have to be encrypted with BitLocker for the user to unlock the device with the passphrase. Automatic unlock, however, stores the unlock key on that computer's operating system volume, so it is available only when the operating system volume is itself BitLocker-protected.

If a user forgets the passphrase for a device, he or she can use the I forgot my passphrase option in the BitLocker Unlock Wizard to recover it. Clicking this option displays a recovery password ID that the user supplies to an administrator, who then uses the password ID to obtain the device's recovery password. This recovery password can be stored in AD DS and retrieved with the BitLocker Recovery Password Viewer.

Question: How do you enable BitLocker To Go for a USB flash drive?
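The whole BitLocker To Go setup, including the AD DS backup that makes the "I forgot my passphrase" recovery possible, can be scripted. The following is an added example rather than course material; it assumes an elevated PowerShell prompt on a domain-joined Windows 8.1 computer, a removable drive at F:, and an AD DS forest whose schema holds BitLocker recovery information.

```powershell
# Added example (not from the course): protect a removable drive with BitLocker
# To Go, add a recovery password and back it up to AD DS, enable auto-unlock
# where it is possible, and show the password ID a user would read from the
# "I forgot my passphrase" screen. F: is an assumption.

$Removable = 'F:'

$vol = Get-BitLockerVolume -MountPoint $Removable
if ($vol.VolumeType -ne 'Data') { throw "$Removable is not a data volume" }
if ($vol.VolumeStatus -ne 'FullyDecrypted') { throw "$Removable is already $($vol.VolumeStatus)" }

# 1. Passphrase protector. Read it interactively so it is not left in the script
#    or console history; complexity requirements come from Group Policy.
$pass = Read-Host -AsSecureString -Prompt "Passphrase for $Removable"
Enable-BitLocker -MountPoint $Removable -PasswordProtector -Password $pass -UsedSpaceOnly | Out-Null

# 2. Recovery password, backed up to this computer's object in AD DS, which is
#    what BitLocker Recovery Password Viewer reads later. The backup needs the
#    BitLocker schema extensions and write access to the computer object.
$vol = Add-BitLockerKeyProtector -MountPoint $Removable -RecoveryPasswordProtector
$rp  = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
Backup-BitLockerKeyProtector -MountPoint $Removable -KeyProtectorId $rp.KeyProtectorId | Out-Null

# 3. Auto-unlock keeps an unlock key on this PC's operating system volume, so it
#    can only be turned on when that volume is itself BitLocker-protected.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($os.ProtectionStatus -eq 'On') {
    Enable-BitLockerAutoUnlock -MountPoint $Removable | Out-Null
    $auto = $true
} else {
    Write-Warning "OS volume $env:SystemDrive is not protected; auto-unlock not enabled"
    $auto = $false
}

# 4. The password ID is the recovery protector's GUID; Active Directory Users and
#    Computers searches on its first 8 characters.
$id = $rp.KeyProtectorId.Trim('{}').ToUpper()
[pscustomobject]@{
    Drive            = $Removable
    PasswordId       = $id
    AducSearchPrefix = $id.Substring(0, 8)
    RecoveryPassword = $rp.RecoveryPassword   # print or store it; never on the drive itself
    AutoUnlock       = $auto
}
```

If the policy setting from the scenario above ("Deny write access to removable drives not protected by BitLocker") is in effect, the drive is read-only until step 1 completes; after that, documents written to F: are encrypted transparently.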


Recovering BitLocker-Encrypted Drives


When a BitLocker-enabled computer starts, BitLocker checks the operating system for conditions that might indicate a security risk. If such a condition is detected, BitLocker does not unlock the system drive, and instead enters recovery mode. When a computer enters recovery mode, the user must enter the correct recovery password to continue. The recovery password is tied to a particular encrypted volume and its computer, not to individual users, and typically it does not change. Save the recovery information on a USB flash drive or in AD DS by using one of these formats:
- A 48-digit number divided into eight groups. During recovery, use the function keys to type this password into the BitLocker recovery console.
- A recovery key in a format that can be read directly by the BitLocker recovery console.

Locating a BitLocker Recovery Password


A BitLocker recovery password is a 48-digit password that unlocks a system in recovery mode. The recovery password is unique to a particular BitLocker encryption, and you can store it in AD DS.

The recovery password will be required if the encrypted drive must be moved to another computer or changes are made to the system startup information. This password is so important that you should make additional copies of the password and store it in safe places to ensure access to your data. You will need your recovery password to unlock the encrypted data on the volume if BitLocker enters a locked state. This recovery password is unique to this particular BitLocker encryption. You cannot use it to recover encrypted data from any other BitLocker encryption session.

A password ID is a 32-character identifier (a GUID) that BitLocker assigns to each recovery password. It is not a secret: it is shown on the recovery screen and, for a computer in the domain, on the BitLocker Recovery tab of the computer's properties, and you use it to locate the matching recovery password that is stored in AD DS. To locate a password, the following conditions must be true:
- You must be a domain administrator or have delegated permissions.
- The client's BitLocker recovery information is configured to be stored in AD DS.
- The client computer has been joined to the domain.
- BitLocker must have been enabled on the client computer.

Prior to searching for and providing a recovery password to a user, confirm that the person is the account owner and is authorized to access data on the computer in question. Search for the password in Active Directory Users and Computers by using either one of the following:
- Drive label
- Password ID

When you search by drive label, after locating the computer, right-click the drive label, click Properties, and then click the BitLocker Recovery tab to view associated passwords. To search by password ID, right-click the domain container, and then click Find BitLocker Recovery Password. In the Find BitLocker Recovery Password dialog box, enter the first eight characters of the password ID in the Password ID field, and then click Search.


Examine the returned recovery password to ensure it matches the password ID that the user provides. Performing this step helps verify that you have obtained the unique recovery password.
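The same two searches, by computer and by password ID, can be done with the Active Directory module, which is useful for a help desk that wants to script the verification step above. This is an added example and not course material; it assumes RSAT with the Active Directory module, the delegated permissions listed earlier, and that recovery information is stored in the standard msFVE-RecoveryInformation objects. Computer names and IDs in the usage lines are placeholders.

```powershell
# Added example (not from the course): find BitLocker recovery passwords in AD DS
# by computer name or by the first 8 characters of a password ID. Requires the
# Active Directory module and permission to read msFVE-RecoveryPassword.

Import-Module ActiveDirectory

function Find-BitLockerRecoveryPassword {
    [CmdletBinding(DefaultParameterSetName = 'ByComputer')]
    param(
        [Parameter(ParameterSetName = 'ByComputer', Mandatory = $true)]
        [string]$ComputerName,

        [Parameter(ParameterSetName = 'ById', Mandatory = $true)]
        [string]$PasswordIdPrefix
    )

    # Recovery data lives in msFVE-RecoveryInformation objects directly beneath
    # the computer object. Each object's name is "<timestamp>{<protector GUID>}"
    # and the 48-digit password is in msFVE-RecoveryPassword.
    $props = 'msFVE-RecoveryPassword', 'msFVE-VolumeGuid', 'whenCreated'

    if ($PSCmdlet.ParameterSetName -eq 'ByComputer') {
        $computer = Get-ADComputer -Identity $ComputerName
        $objects  = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
                        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -Properties $props
    }
    else {
        # Same idea as "Find BitLocker Recovery Password" in Active Directory Users
        # and Computers: match the start of the GUID embedded in the object name.
        $prefix = $PasswordIdPrefix.Trim('{} ').ToUpper()
        if ($prefix.Length -lt 8) { throw 'Supply at least the first 8 characters of the password ID' }
        $prefix = $prefix.Substring(0, 8)
        $objects = Get-ADObject -Filter "objectClass -eq 'msFVE-RecoveryInformation' -and Name -like '*{$prefix*'" `
                        -Properties $props
    }

    foreach ($o in $objects) {
        # The parent RDN of the recovery object is the computer (CN=<name>).
        $parentRdn  = ($o.DistinguishedName -split '(?<!\\),', 3)[1]
        $passwordId = if ($o.Name -match '\{([0-9A-Fa-f-]{36})\}') { $Matches[1].ToUpper() } else { $null }
        [pscustomobject]@{
            Computer         = $parentRdn -replace '^CN=', ''
            PasswordId       = $passwordId
            RecoveryPassword = $o.'msFVE-RecoveryPassword'
            Created          = $o.whenCreated
        }
    }
}

# Usage (placeholders). Before reading a password out to a caller, confirm that the
# returned PasswordId really starts with the characters the caller gave you:
#   Find-BitLockerRecoveryPassword -PasswordIdPrefix 'ABCD1234' |
#       Where-Object { $_.PasswordId -like 'ABCD1234*' }
#   Find-BitLockerRecoveryPassword -ComputerName 'LON-CL1' | Sort-Object Created -Descending
```

A computer that has been encrypted more than once has several recovery objects; the `Created` timestamp and the `PasswordId` together identify the one that matches the recovery screen in front of the user.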

Data Recovery Agent Support

Windows 8.1 BitLocker provides data recovery agent support for all protected volumes. This provides users with the ability to recover data from any BitLocker and BitLocker To Go device when the data is inaccessible. This technology assists in the recovery of organizational data on a portable drive by using the key that was created by the enterprise. Data recovery agent support allows you to dictate that all BitLocker-protected volumes, such as operating system, fixed, and new portable volumes, are encrypted with an appropriate data recovery agent. The data recovery agent is a new key protector that is written to each data volume so that authorized IT administrators will always have access to BitLocker-protected volumes.

Back Up Your Windows 8.1 BitLocker Recovery Key to a Microsoft Account

For devices that are not domain-joined, Windows 8.1 allows a user to back up their BitLocker recovery key to a Microsoft account, which then is stored within the user's SkyDrive. During the configuration of BitLocker on a fixed or removable drive and just before encryption begins, you are prompted to specify how you want to back up your recovery key. You are presented with the following locations:
- Save to your Microsoft account
- Save to a USB flash drive
- Save to a file
- Print the recovery key

To obtain your saved BitLocker recovery key, open an Internet browser and navigate to https://skydrive.com/RecoveryKey and then sign in with your Microsoft account. You will find the recovery keys for all of your BitLocker-protected drives in this location.

Question: What is the difference between the recovery password and the password ID?


Lab B: Securing Data by Using BitLocker


Scenario

A user at A. Datum is working on a project that requires him to take his laptop computer home each day. The data files are very sensitive and must be secure at all times. The laptop computer does not have TPM 1.2.

Objectives
After completing this lab, you will be able to:
- Protect files with BitLocker.

Lab Setup
Estimated Time: 20 minutes
Virtual machine: 20687C-LON-DC1
User name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. The required virtual machines should be running already from the preceding lab.

Exercise 1: Protecting Files with BitLocker


Scenario
You have decided to implement BitLocker to protect the user's data files. The main tasks for this exercise are as follows:
1. Configure GPO settings for BitLocker.
2. Enable BitLocker.
3. Complete the process of enabling BitLocker.

Task 1: Configure GPO settings for BitLocker


1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. Open the Local Group Policy Editor.
3. Enable the Require additional authentication at startup value located at Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Require additional authentication at startup.
4. Close the Local Group Policy Editor.
5. Refresh the Group Policy settings on the local computer by running gpupdate /force.

Task 2: Enable BitLocker


1. On LON-CL1, open File Explorer, right-click Local Disk (C:), and then click Turn on BitLocker.
2. Select the Enter a password option. This is necessary because the virtual machine does not support USB flash drives.
3. Use password: Pa$$w0rd.
4. Save the recovery key to the Allfiles (E:) drive.
5. When prompted, click Restart now.


Task 3: Complete the process of enabling BitLocker


1. When LON-CL1 is restarting, enter password Pa$$w0rd when prompted to unlock the drive.
2. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
3. Open File Explorer, and then view the status of BitLocker on Local Disk (C:). The drive is being encrypted.
4. Close all open windows.

Results: After completing this exercise, you should have encrypted the hard drive successfully.

Prepare for the next lab


When you are finished with the lab, leave the virtual machines running as they are needed for the next lab.


Lesson 4

Configuring UAC

Many users sign in to their computers with a user account that has more rights than necessary to run their applications and access their data files. Using an administrative user account for day-to-day user tasks poses significant security risks. In older versions of the Windows operating system, administrators were encouraged to use an ordinary user account for most tasks and to use the Run As account to execute tasks that required additional rights. Windows 8.1 provides UAC to simplify and secure the process of elevating your account rights. However, unless you know how UAC works and its potential impact, you might have problems when you attempt to carry out typical end-user support tasks. This lesson introduces how UAC works and how you can use UAC-related desktop features.

Lesson Objectives
After completing this lesson, you will be able to:
- Describe UAC.
- Describe how UAC works.
- Explain how to configure UAC notification settings.
- Describe how to configure UAC with GPOs.

What Is UAC?
UAC is a security feature that provides a way for each user to elevate their status from a standard user account to an administrator account without signing out or switching users. UAC is a collection of features rather than just a prompt. These features, which include File and Registry Redirection, Installer Detection, the UAC prompt, the ActiveX Installer Service, and more, allow Windows users to operate with user accounts that are not members of the Administrators group. These accounts typically are referred to as standard users and are broadly described as operating with least privilege. The most important fact is that when users sign in with standard user accounts, the experience typically is much more secure and reliable.

Windows 8.1 reduces the number of operating system applications and tasks that require elevation so that standard users can do more while experiencing fewer elevation prompts. This improves the interaction with UAC while upholding high security standards. When you need to make changes to your computer that require administrator-level permission, UAC notifies you as follows:
- If you are an administrator, click Yes to continue.
- If you are not an administrator, someone with an administrator account on the computer will have to enter his or her password for you to continue.

If you are a standard user, providing permission temporarily gives you administrator rights to complete the task, and then your permissions are returned to those of a standard user when you are finished. This ensures that even if you are using an administrator account, changes cannot be made to your computer without you knowing about it. This helps prevent malware and spyware from being installed on, or making changes to, your computer.

How UAC Works


There are two general types of user groups in Windows 8.1: standard users and administrative users. UAC simplifies users' ability to operate as standard users and perform all their necessary daily tasks. Administrative users also benefit from UAC because administrative permissions are available only after UAC requests permission from the user for that instance.

Standard Users

In previous versions of the Windows operating system, many users were configured to use administrative permissions rather than standard user permissions. This was done because previous versions of the Windows operating system required administrator permissions to perform basic system tasks, such as adding a printer or configuring the time zone. In Windows 8.1, many of these tasks no longer require administrative permissions.

When users have administrative permissions to their computers, they can install additional software. Despite corporate policies against installing unauthorized software, many users still do it, which can make their systems less stable and drive up support costs.

When you enable UAC and a user needs to perform a task that requires administrative permissions, UAC prompts the user for administrative credentials. In a corporate environment, the help desk can give a user temporary credentials that have local administrative permissions to complete the task. The default UAC setting allows a standard user to perform the following tasks without receiving a UAC prompt:
- Install updates from Windows Update.
- Install drivers from Windows Update or those that are included with the operating system.
- View Windows settings. However, a standard user is prompted for elevated permissions when changing Windows settings.
- Pair Bluetooth devices with the computer.
- Reset the network adapter and perform other network diagnostic and repair tasks.

Administrative Users
Administrative users automatically have:
- Read/write/execute permissions to all resources.
- All Windows permissions.

Although it might seem obvious that not every user should be able to read, alter, and delete any Windows resource, many enterprise IT departments running older versions of Windows had no option but to assign all of their users to the local Administrators group. One of the benefits of UAC is that it allows users with administrative permissions to operate as standard users most of the time. When users with administrative permissions perform a task that requires administrative permissions, UAC prompts the user for permission to complete the task. When the user grants permission, the task in question is performed by using full administrative rights, and then the account reverts to a lower level of permission.

UAC Elevation Prompts

Many applications by default require users to be administrators because they check Administrators group membership before running. No user security model existed for the Microsoft Windows 95 and Microsoft Windows 98 operating systems. As a result, developers designed applications assuming that they would be installed and run by users with administrator permissions. A user security model was created for Microsoft Windows NT, but all users were created as administrators by default. Additionally, a standard user on a Windows XP computer must use the Run As command by right-clicking the executable file within Windows Explorer, or sign in with an administrator account, to install applications and perform other administrative tasks. The following list details some of the tasks that a standard user can perform:
- Establish a Local Area Network connection
- Establish and configure a wireless connection
- Modify Display settings
- Defragment the hard drive (users cannot do this directly, but a service does it on their behalf)
- Play CD/DVD media (configurable with Group Policy)
- Burn CD/DVD media (configurable with Group Policy)
- Change the desktop background for the current user
- Open Date and Time in Control Panel and change the time zone
- Use Remote Desktop to connect to another computer
- Change the user's own account password
- Configure battery power options
- Configure Accessibility options
- Restore the user's own backup files
- Set up computer synchronization with a mobile device (smart phone, laptop, or PDA)
- Connect and configure a Bluetooth device

The following list details some of the tasks that require elevation to an administrator account:
- Install and uninstall applications
- Install a driver for a device, such as a digital camera driver
- Install Windows updates
- Configure Parental Controls
- Install an ActiveX control
- Open Windows Firewall in Control Panel
- Change a user's account type
- Modify UAC settings in the Security Policy Editor snap-in (Secpol.msc) to the MMC
- Configure Remote Desktop access
- Add or remove a user account
- Copy or move files into the Program Files or Windows directory
- Schedule Automated Tasks
- Restore system backup files
- Configure Automatic Updates
- Browse to another user's directory

When you enable UAC, members of the local Administrators group run with the same access token as standard users. Only when a member of the local Administrators group gives approval can a process use the administrators full access token.

This process is the basis of the Admin Approval Mode principle. Users elevate only to perform tasks that require an administrator access token. When a standard user attempts to perform an administrative task, UAC prompts the user to enter valid credentials for an administrator account. This is the default prompt behavior for standard users. The elevation prompt displays contextual information about the executable that is requesting elevation. The context is different depending on whether the application is signed by using Microsoft Authenticode technology. The elevation prompt has two variations, the consent prompt and the credential prompt:
- Consent prompt. Displayed to administrators in Admin Approval Mode when they attempt to perform an administrative task. It requests approval from the user to continue.
- Credential prompt. Displayed to standard users when they attempt to perform an administrative task.

Note: Elevation entry points do not remember that elevation has occurred, such as when you return from a shielded location or task. As a result, the user must re-elevate to enter the task again.

While the number of UAC elevation prompts for a standard user who performs an everyday task has been reduced in Windows 8.1, there are times when it is appropriate for an elevation prompt to be returned. For example, viewing firewall settings does not require elevation; however, changing the settings does require elevation because the changes have a system-wide impact.

Types of Elevation Prompts

When a permission or password is needed to complete a task, UAC notifies you with one of four types of dialog boxes. The following list describes three of them and provides guidance on how to respond:
- A setting or feature that is part of Windows needs your permission to start. This item has a valid digital signature that verifies that Microsoft is the publisher of this item. If you get this type of dialog box, it is usually safe to continue. If you are unsure, check the name of the program or function to decide if it is something you want to run.
- A program that is not part of Windows needs your permission to start. This program has a valid digital signature, which helps to ensure that the program is what it claims to be and verifies the identity of the publisher of the program. If you get this type of dialog box, make sure the program is the one that you want to run and that you trust the publisher.
- A program with an unknown publisher needs your permission to start. This program does not have a valid digital signature from its publisher. This does not necessarily indicate danger, because many older, legitimate apps lack signatures. However, use extra caution and only allow a program to run if you obtained it from a trusted source, such as the original CD or a publisher's website. If you are unsure, search the Internet for the program's name to determine if it is a known program or malware.

Most of the time, you should sign in to your computer with a standard user account. You can browse the Internet, send email, and use a word processor, all without an administrator account. When you want to perform an administrative task such as installing a new program or changing a setting that will affect other users, you do not have to switch to an administrator account; the Windows operating system will prompt you for permission or an administrator password before performing the task. Another recommendation is that you create standard user accounts for all the people that use your computer.

Question: What are the differences between a consent prompt and a credential prompt?

Configuring UAC Notification Settings


In Windows 8.1, you can adjust how often UAC notifies you when changes are made to your computer. To do this, from Control Panel, click System and Security, and then under Action Center, click Change User Account Control settings. Use the slider to determine how Windows will prompt you. The default is Notify me only when apps try to make changes to my computer. The following list identifies the four settings that enable customization of the elevation prompt experience:
- Never notify me. Administrators are elevated without being prompted. In Windows 8.1 this does not turn UAC itself off: the UAC infrastructure stays enabled so that Windows Store apps keep working, and only the prompts are suppressed.
- Notify me only when apps try to make changes to my computer (do not dim my desktop). When a program makes a change, a prompt appears, but the desktop is not dimmed. Otherwise, the user is not prompted.
- Notify me only when apps try to make changes to my computer (default). When a program makes a change, a prompt appears on the secure desktop, and the desktop is dimmed to provide a visual cue that an installation or change is being attempted. Otherwise, the user is not prompted.
- Always notify me. The user is always prompted when changes are made to the computer, including when the user changes Windows settings.

Because you can configure the user experience with Group Policy, there can be different user experiences depending on policy settings. The configuration choices made in your environment affect the prompts and dialog boxes that standard users, administrators, or both can view.

For example, you might require administrative permissions to change the UAC setting to Always notify me or Always notify me and wait for my response. With this type of configuration, a yellow notification appears at the bottom of the User Account Control Settings page, indicating the requirement.

Question: Which two configuration options are combined to produce the end-user elevation experience?
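The slider, the Group Policy settings used in the demonstration and Lab C below, and the split token described under How UAC Works all come together in a few registry values and in the current process token. The following added example (not course material) reads them back: one function decodes the UAC policy values into the names used by the Group Policy settings and the slider position they correspond to, the other shows whether the current process is elevated and whether the account is an administrator running in Admin Approval Mode. It runs on Windows 8.1 as any user; the mapping from value combinations to slider positions is an assumption based on the Action Center behaviour of Windows 7 through 8.1.

```powershell
# Added example (not from the course): show how UAC is configured on this
# computer and what the current process token looks like. Windows 8.1, any user.
# The registry values are those written by the "User Account Control: ..."
# security policy settings; the slider mapping is an assumption (see lead-in).

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPolicy {
    $p = Get-ItemProperty -Path $UacKey

    # "Behavior of the elevation prompt for administrators in Admin Approval Mode"
    $adminPrompt = @{
        0 = 'Elevate without prompting'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries (default)'
    }
    # "Behavior of the elevation prompt for standard users"
    $userPrompt = @{
        0 = 'Automatically deny elevation requests'
        1 = 'Prompt for credentials on the secure desktop'
        3 = 'Prompt for credentials (default)'
    }
    $admin  = [int]$p.ConsentPromptBehaviorAdmin
    $secure = [int]$p.PromptOnSecureDesktop

    # The Action Center slider is a preset over these two values.
    $slider = if ([int]$p.EnableLUA -eq 0)          { 'UAC infrastructure disabled (EnableLUA=0)' }
              elseif ($admin -eq 0 -and $secure -eq 0) { 'Never notify me' }
              elseif ($admin -eq 5 -and $secure -eq 0) { 'Notify me only when apps try to make changes to my computer (do not dim my desktop)' }
              elseif ($admin -eq 5 -and $secure -eq 1) { 'Notify me only when apps try to make changes to my computer (default)' }
              elseif ($admin -eq 2 -and $secure -eq 1) { 'Always notify me' }
              else                                     { 'No slider position matches (set by policy)' }

    [pscustomobject]@{
        EnableLUA                    = [bool][int]$p.EnableLUA
        AdminApprovalModePrompt      = $adminPrompt[$admin]
        StandardUserPrompt           = $userPrompt[[int]$p.ConsentPromptBehaviorUser]
        SecureDesktop                = [bool]$secure
        OnlyElevateSignedExecutables = [bool][int]$p.ValidateAdminCodeSignatures
        SliderPosition               = $slider
    }
}

function Get-UacTokenState {
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    # True only when the process holds the full administrator token (elevated).
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami exposes the filtered token: in Admin Approval Mode the Administrators
    # group (S-1-5-32-544) is still listed but flagged "Group used for deny only",
    # and the integrity label is Medium rather than High.
    $groups = whoami.exe /groups /fo csv | ConvertFrom-Csv
    $admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    $label  = $groups | Where-Object { $_.Type -eq 'Label' } | Select-Object -First 1

    [pscustomobject]@{
        User                   = $id.Name
        Elevated               = $elevated
        MemberOfAdministrators = [bool]$admins
        AdminApprovalMode      = [bool]($admins -and ($admins.Attributes -match 'deny only'))
        IntegrityLevel         = if ($label) { $label.'Group Name' } else { 'unknown' }
    }
}

Get-UacPolicy
Get-UacTokenState
```

Run it twice, once from a normal PowerShell window and once from one started with Run as administrator, to see the same account report `Elevated = False` with a deny-only Administrators group and Medium integrity, then `Elevated = True` with High integrity. After Lab C's settings are applied, `Get-UacPolicy` reports `Always notify me`, which is what the Action Center check in that lab confirms.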

Demonstration: Configuring UAC with GPOs


In this demonstration, you will see how to:
- Open the User Accounts window.
- Review user groups.
- View the Credential prompt.
- Change UAC settings and view the Consent prompt.

Demonstration Steps

View the current UAC settings
1. Sign in to LON-CL1 as administrator.
2. Open the Local Group Policy Editor.
3. Navigate to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.

Configure the UAC settings

Create a UAC Group Policy setting that prevents access elevation:
- Modify the User Account Control: Behavior of the elevation prompt for standard users setting to be Automatically deny elevation requests.

Test the UAC settings


1. Sign in as Holly, a standard user.
2. Attempt to open the Local Group Policy Editor snap-in, an administrative task.

Reconfigure the UAC settings


1. Sign in as administrator.
2. Open the Local Group Policy Editor.
3. Navigate to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.
4. Modify the User Account Control: Behavior of the elevation prompt for standard users setting to be Prompt for credentials.

Test the UAC settings


1. Sign in as Holly, a standard user.
2. Attempt to open an Administrative Command Prompt, an administrative task.
3. Enter administrative credentials as prompted.

Question: Which UAC feature detects when an application is being installed in Windows 8.1?


Lab C: Configuring and Testing UAC


Scenario
Holly, the IT manager, is concerned that staff might be performing configuration changes to their computers for which they have no authorization. Windows 8.1 does not allow users to perform these tasks. However, Holly wants to ensure that users are prompted properly about their attempted actions.

Objectives
After completing this lab, you will be able to:
- Modify UAC prompts.

Lab Setup
Estimated Time: 15 minutes
Virtual machines: 20687C-LON-DC1, 20687C-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. The required virtual machines should be running from the preceding lab.

Exercise 1: Modifying UAC Prompts


Scenario
You decide to reconfigure the UAC notification behavior and prompts. The main tasks for this exercise are as follows:
1. Modify the User Account Control (UAC) prompts.
2. Modify the UAC notification level.
3. Test the UAC settings.

Task 1: Modify the User Account Control (UAC) prompts


1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. Open the Local Group Policy Editor, and then navigate to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.
3. Modify the User Account Control: Behavior of the elevation prompt for standard users setting to be Prompt for credentials on the secure desktop.

Task 2: Modify the UAC notification level


1. Enable the User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode value and select the Prompt for consent on the secure desktop option.
2. Enable the User Account Control: Only elevate executables that are signed and validated value.

Task 3: Test the UAC settings


1. Sign in to LON-CL1 as Adatum\Dan with password Pa$$w0rd.
2. Open Command Prompt (Admin). You are prompted by UAC for credentials on the secure desktop. Provide the necessary credentials, and after Command Prompt (Admin) opens, close it, and then sign out.
3. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd, and open Action Center to verify that the notification settings for UAC are configured for Always notify.

Results: After completing this exercise, you should have reconfigured UAC notification behavior and prompts.

Prepare for the next module


When you are finished with the lab, revert all virtual machines to their initial state:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687C-LON-CL1, and then click Revert.
3. In the Revert Virtual Machines dialog box, click Revert.
4. Repeat steps 2 to 3 for 20687C-LON-DC1.


Module Review and Takeaways


Best Practice:

Best Practices for EFS


The following is a list of standard best practices for EFS users:

- Users should export their certificates and private keys to removable media, and then store the media securely when it is not in use. For the greatest possible security, a private key must be removed from a computer whenever the computer is not in use. This protects against attackers who physically obtain a computer and try to access the private key. When you must access encrypted files, you can import the private key easily from the removable media.
- Encrypt the My Documents folder for all users (User_profile\My Documents). This ensures that the personal folder, where most documents are stored, is encrypted by default.
- Users should encrypt folders rather than individual files. Programs work on files in various ways. Encrypting files consistently at the folder level ensures that files are not decrypted unexpectedly.
- Private keys that are associated with recovery certificates are extremely sensitive. You must generate these keys either on a computer that is physically secure, or you must export their certificates to a .pfx file, protect them with a strong password, and then save them on a disk that is stored in a physically secure location.
- You must assign recovery agent certificates to user accounts that you do not use for any other purpose.
- Do not destroy recovery certificates or private keys when recovery agents are changed (agents are changed periodically). Keep them all until all files that might have been encrypted with them are updated.
- Designate two or more recovery agent accounts per OU, depending on the size of the OU. Designate two or more computers for recovery: one for each designated recovery agent account. Grant permissions to appropriate administrators who use the recovery agent accounts. It is a good idea to have two recovery agent accounts. Having two computers that hold these keys provides more redundancy for the recovery of lost data.
- Implement a recovery agent archive program to ensure that you can recover encrypted files by using obsolete recovery keys. Recovery certificates and private keys must be exported and stored in a controlled and secure manner. Ideally, as with all secure data, archives must be stored in a controlled access vault, and you must have two archives: a master and a backup. The master is kept on-site, while the backup is located in a secure, off-site location.
- Avoid using print spool files in your print server architecture, or make sure that print spool files are generated in an encrypted folder.
- EFS does take some CPU overhead every time a user encrypts and decrypts a file. Plan your server usage wisely. Load balance your servers when many clients use EFS.
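Two of these practices, folder-level encryption of the personal documents folder and backing up the user's EFS certificate with its private key to removable media, can be scripted. The following PowerShell is an added example and not from the course; it assumes the user already has an EFS certificate (Windows issues one the first time a file is encrypted) and uses a placeholder removable-drive path.

```powershell
# Added example (not from the course): apply two EFS best practices for the
# current user. Assumes an EFS certificate already exists in the user's store
# and that E:\ (placeholder) is the removable drive that will hold the backup.

# 1. Encrypt at the folder level so every file created there inherits encryption.
$documents = [Environment]::GetFolderPath('MyDocuments')
cipher.exe /e "/s:$documents"
if ($LASTEXITCODE -ne 0) { throw "cipher.exe failed with exit code $LASTEXITCODE" }

# 2. Find the user's EFS certificate by its Enhanced Key Usage OID
#    (1.3.6.1.4.1.311.10.3.4 = Encrypting File System); prefer the newest one.
$efsOid  = '1.3.6.1.4.1.311.10.3.4'
$efsCert = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $efsOid })
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $efsCert) { throw 'No EFS certificate with a private key was found for this user.' }

# 3. Export certificate and private key to a password-protected .pfx on removable media.
$removable = 'E:\EFS-Backup'   # placeholder; point this at your removable drive
New-Item -ItemType Directory -Path $removable -Force | Out-Null
$pfxPassword = Read-Host -Prompt 'Password to protect the .pfx backup' -AsSecureString
$pfxPath = Join-Path $removable ('efs-{0}.pfx' -f $efsCert.Thumbprint)
Export-PfxCertificate -Cert $efsCert -FilePath $pfxPath -Password $pfxPassword | Out-Null

"EFS certificate $($efsCert.Thumbprint) exported to $pfxPath."
"Remove the media and store it securely; import the .pfx again only when encrypted files must be accessed."
```

The script does not delete the local private key; removing it from the computer when it is not in use, as the list above recommends, is a separate decision once the backup has been verified.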

Best Practices for UAC

UAC security settings are configurable in the local Security Policy Manager (Secpol.msc) or the Local Group Policy Editor (Gpedit.msc). However, in most corporate environments, Group Policy is preferred because it can be managed and controlled centrally. There are nine GPO settings that you can configure for UAC.


Because the user experience can be configured with Group Policy, there can be different user experiences depending on policy settings. The configuration choices made in your environment affect the prompts and dialog boxes that standard users, administrators, or both can view. For example, you might require administrative permissions to change the UAC setting to Always notify me or Always notify me and wait for my response. With this type of configuration, a yellow notification appears at the bottom of the User Account Control Settings page, indicating the requirement.

Although UAC enables you to sign in with an administrative user account to perform everyday user tasks, it is still a good practice to sign in by using a standard user account for these everyday tasks. Sign in as an administrator only when necessary.

Best Practices for BitLocker

BitLocker stores its own encryption and decryption key in a hardware device that is separate from the hard disk, so you must have one of the following:

- A computer with TPM.
- A removable USB storage device, such as a USB flash drive. If your computer does not have TPM 1.2 or newer, BitLocker stores its key on the memory device.

The most secure implementation of BitLocker takes advantage of the enhanced security capabilities of TPM 1.2.

On computers that do not have a TPM 1.2, you can still use BitLocker to encrypt the Windows operating system volume. However, this implementation will require the user to insert a USB startup key to start the computer or resume from hibernation, and it does not provide the pre-startup system-integrity verification that BitLocker offers when it works with a TPM.
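Before enabling BitLocker, it is worth checking which of the two cases above a computer falls into. The following added PowerShell example (not from the course) queries the TPM through WMI for its specification version and state, then reports the current protection status of the operating system volume; run it from an elevated session on Windows 8.1.

```powershell
# Added example (not from the course): check the BitLocker prerequisites
# described above (TPM 1.2 or newer, enabled and activated) and report the
# operating system volume's protection state. Requires elevation.

# Win32_Tpm lives in the MicrosoftTpm namespace, not in root\cimv2 itself.
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue

if (-not $tpm) {
    Write-Warning 'No TPM found. BitLocker can still encrypt the OS volume, but it will need a USB startup key and will not perform pre-startup integrity verification.'
} else {
    # SpecVersion is a comma-separated string such as "1.2, 2, 3" or "2.0, 0, 1.16";
    # the first field is the TPM specification version.
    $specVersion = [version](($tpm.SpecVersion -split ',')[0].Trim())
    $enabled     = $tpm.IsEnabled().IsEnabled
    $activated   = $tpm.IsActivated().IsActivated
    $owned       = $tpm.IsOwned().IsOwned

    "TPM specification version : $specVersion"
    "Enabled / Activated / Owned : $enabled / $activated / $owned"

    if ($specVersion -lt [version]'1.2') {
        Write-Warning 'TPM is older than 1.2; BitLocker will fall back to a USB startup key.'
    } elseif (-not ($enabled -and $activated)) {
        Write-Warning 'TPM is present but not enabled and activated in firmware; enable it before turning on BitLocker.'
    } else {
        'TPM meets the BitLocker requirement; pre-startup integrity verification is available.'
    }
}

# Current state of the OS volume (BitLocker PowerShell module, Windows 8 and later).
Get-BitLockerVolume -MountPoint $env:SystemDrive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage,
        @{ Name = 'KeyProtectors'; Expression = { $_.KeyProtector.KeyProtectorType -join ', ' } }
```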

Review Questions
Question: When you implement UAC, what happens to standard users and administrative users when they perform a task that requires administrative permissions?

Question: What are the requirements for BitLocker to store its own encryption and decryption key in a hardware device that is separate from a hard disk?

Question: An administrator configures Group Policy to require that data can be saved only on data volumes that are protected by BitLocker. Specifically, the administrator enables the Deny write access to removable drives not protected by BitLocker policy setting and deploys it to the domain. Meanwhile, an end user inserts a USB flash drive that is not protected with BitLocker. What will happen, and how can the user resolve the situation?

Module 11
Configuring Applications for Windows 8.1
Contents:
Module Overview 11-1
Lesson 1: Application Deployment Options in Windows 8.1 11-2
Lesson 2: Managing Windows Store Apps 11-14
Lesson 3: Configuring Internet Explorer Settings 11-19
Lab A: Configuring Internet Explorer Security 11-29
Lesson 4: Configuring Application Restrictions 11-32
Lab B: Configuring AppLocker 11-40
Module Review and Takeaways 11-43

Module Overview

Computer users require applications for every task they perform, such as editing documents, querying databases, and generating reports. As part of administering the Windows 8.1 operating system, you need a strategy for deploying and managing the applications that users in your organization will run on their new Windows 8.1 computers and devices. Based on the specific needs of your organization, you can choose from a variety of methods to deploy and manage applications, ranging from manual deployment methods to fully automated management technologies. You also need a strategy to handle the application compatibility issues that might arise when you try to run applications that were designed for older versions of Windows operating systems.

Objectives
After completing this module, you will be able to:

- Describe application deployment options in Windows 8.1.
- Install and manage Windows Store apps.
- Configure and secure Internet Explorer.
- Configure application restrictions.


Lesson 1

Application Deployment Options in Windows 8.1

In your organization, scenarios might exist for which certain application deployment methods are more appropriate than others. In this lesson, you will learn about traditional application deployment, in addition to the methods that you can use to automate application deployment.

Lesson Objectives
After completing this lesson, you will be able to:

- Differentiate between the types of apps in Windows 8.1.
- Describe manual application installation.
- Explain the methods for automating installation of desktop apps.
- Describe App-V.
- Explain how to sequence applications by using App-V.
- Explain the options for deploying App-V applications.
- Describe RemoteApp programs.
- Explain how to deploy RemoteApp programs.

Types of Apps in Windows 8.1


In Windows 8.1, there are two types of apps: desktop apps and Windows Store apps. Users install and manage these two types of apps in different ways. The following sections outline the differences between both types.

Desktop Apps
Desktop apps are the traditional apps, such as Microsoft Office 2013. Most users and network administrators are familiar with desktop apps. Desktop apps can be installed on Windows 8.1 locally by an administrator from a product DVD that contains the app, over a network, or by downloading the app from the Internet. Windows desktop apps:

- Are installed by using .exe or .msi installer files.
- Can be automated.
- Can be replaced by distributed app installation and execution methods in larger environments.

Windows Store Apps


A Windows Store app is a special type of app that is designed to run on computers that are running Windows 8 and newer. Windows Store apps do not run on Windows 7 or older versions of Windows operating systems.


Windows Store apps:

- Can run on Windows 8.1, Windows 8, Windows RT 8.1, and Windows RT.
- Are available from the Windows Store or through sideloading.
- Are distributed in the .appx file format and must be digitally signed.
- Run in full-screen mode by default when not running as active tiles, and two or more Windows Store apps can be displayed at the same time on one or more displays.
- Are not installed by means of traditional application deployment methods.

If your organization has developed custom Windows Store apps, you can use a process called sideloading to install these apps. When sideloading a Windows Store app, you use an .appx installer file. You can use Dism.exe or the Windows PowerShell command-line interface to sideload and manage Windows Store apps. For large-scale deployment of sideloaded apps, an enterprise can also use System Center 2012 R2 Configuration Manager. Sideloading Windows Store apps has the following prerequisites:

- Sideloading must be enabled in Group Policy.
- Windows Store apps must be digitally signed.

To enable sideloading, configure the Allow all trusted apps to install Group Policy setting. This item is located in the Computer Configuration\Administrative Templates\Windows Components\App Package Deployment node of the Group Policy Management Console.
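The following PowerShell is an added example, not from the course, that checks both sideloading prerequisites before installing a package with Add-AppxPackage for the current user. The package path and app name are placeholders; it assumes the certificate that signed the package is already trusted on the computer and that Get-AuthenticodeSignature can evaluate the .appx signature.

```powershell
# Added example (not from the course): sideload a line-of-business Windows
# Store app after verifying the two prerequisites above.
$packagePath = 'C:\Packages\ContosoApp_1.0.0.0_x64.appx'   # placeholder path

# Prerequisite 1: sideloading is enabled. The "Allow all trusted apps to install"
# policy writes AllowAllTrustedApps = 1 under this policy key.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'
$policy = Get-ItemProperty -Path $policyKey -Name AllowAllTrustedApps -ErrorAction SilentlyContinue
if (-not $policy -or $policy.AllowAllTrustedApps -ne 1) {
    throw 'Sideloading is not enabled by Group Policy (AllowAllTrustedApps is not 1). Configure the policy and run gpupdate /force.'
}

# Prerequisite 2: the package is digitally signed and the signature chains to a
# certificate this computer trusts (assumption: Authenticode checks apply to .appx).
$sig = Get-AuthenticodeSignature -FilePath $packagePath
if ($sig.Status -ne 'Valid') {
    throw "Package signature status is '$($sig.Status)'; only signed and trusted .appx packages can be sideloaded."
}
"Package signed by: $($sig.SignerCertificate.Subject)"

# Install for the current user; -ErrorAction Stop surfaces deployment failures.
Add-AppxPackage -Path $packagePath -ErrorAction Stop

# Confirm the result. Sideloaded packages show a non-Store SignatureKind
# (Developer or Enterprise), which is also a quick way to inventory them.
Get-AppxPackage |
    Where-Object { $_.SignatureKind -in 'Developer', 'Enterprise' } |
    Select-Object Name, Version, Architecture, SignatureKind, InstallLocation
```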

Manual Application Installation


To install a desktop app from local media, an interactive user inserts a product DVD that contains a desktop app, after which Windows 8.1 prompts the user about what to do. Typically, a user chooses to run Setup.exe.

The installation process for a desktop app begins, and the app installs. By default, all users run as standard users. Windows 8.1 will prompt the user to elevate to full administrator privileges through User Account Control (UAC) to install the application.

Note: You also can install desktop apps by using Control Panel. If a network administrator has made applications available for network installation, you can open Control Panel, and then click Get Programs. A list of apps that are available for network installation is displayed. Windows 8.1 makes these apps available by using Group Policy Objects (GPOs) and software distribution points.

Note: Apps installed across a network can be installed automatically without user intervention, depending on the configuration of the app package.


Windows Installer

The Windows Installer is the desktop app installation and configuration service for Windows 8.1. Windows Installer packages are packaged apps in the .msi file format. An app that is designed for deployment on Windows-based client computers often is available from a vendor in the .msi format already. You also can use non-Microsoft app packaging products to convert app installers from the .exe file format to Windows Installer packages in the .msi format. A Windows Installer package in the .msi format includes the information that is necessary to add, remove, and repair an application. You can install an app installer in the .msi format locally, or you can deploy it through an automatic application deployment solution, such as Group Policy or Configuration Manager. Because of the way that Windows Installer packages manage changes to an operating system, applications that you deploy from these packages are more likely to uninstall cleanly than those that you deploy by using application installers in executable files. This fact is important from an application-management perspective because it is just as important to be able to remove an application cleanly, leaving no trace that the application was installed on a target computer, as it is to be able to install it correctly in the first place. If an app is packaged as an .msi file and is accessible from the target computer, you can run Msiexec.exe from an elevated command prompt to install a desktop app. For example, to install an app from a shared folder, run the following sample command from an elevated command prompt:
Msiexec.exe /i \\lon-dc1\apps\app1.msi

Administrators also can use Windows Installer to update and repair installed desktop apps.
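The sample command above installs interactively. When the same package is pushed by a script, administrators usually want it to run without a UI, to write a verbose log, and to act on the Windows Installer exit code. The following PowerShell is an added example, not from the course; it reuses the course's sample share path, and the product name used for the final check is a placeholder.

```powershell
# Added example (not from the course): unattended install of an .msi package
# from a network share with verbose logging and exit-code handling.
# Run from an elevated PowerShell session.
$msiPath = '\\lon-dc1\apps\app1.msi'          # the course's sample path
$logPath = Join-Path $env:TEMP 'app1-install.log'

# /i install, /qn no UI, /norestart suppress automatic reboot, /l*v verbose log.
$proc = Start-Process -FilePath msiexec.exe -Wait -PassThru `
    -ArgumentList "/i `"$msiPath`" /qn /norestart /l*v `"$logPath`""

switch ($proc.ExitCode) {
    0       { 'Installed successfully.' }
    1641    { 'Installed; Windows Installer initiated a restart.' }
    3010    { 'Installed; a restart is required to complete the installation.' }
    default { throw "msiexec failed with exit code $($proc.ExitCode); see $logPath" }
}

# Repair (/f with the "a" option reinstalls all files) and removal (/x) use the
# same package and logging switches, for example:
#   msiexec.exe /fa "\\lon-dc1\apps\app1.msi" /qn /l*v "$env:TEMP\app1-repair.log"
#   msiexec.exe /x  "\\lon-dc1\apps\app1.msi" /qn /l*v "$env:TEMP\app1-remove.log"

# Confirm the product is registered with Windows Installer by reading the
# Uninstall keys (faster and side-effect free compared with Win32_Product).
# 'App1' is a placeholder for the product's DisplayName.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'App1*' } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate
```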

Methods to Automate Desktop App Installation


A single, user-directed installation process works in situations where a desktop app is installed only once or twice. However, for larger and more complex installations, planning and performing an automated desktop app deployment might be a better choice. Several options exist for automating the deployment of desktop apps to computers that are running Windows 8.1.

Automating Installation by Using Group Policy

Group Policy software deployment enables the deployment of desktop apps in the Windows Installer .msi file format to computers that belong to an Active Directory Domain Services (AD DS) environment. Group Policy software deployment offers the most basic form of automated app deployment. To perform Group Policy software deployment, you configure a GPO. Use Group Policy as a software deployment method in small organizations where the desktop apps that you want to deploy already are packaged in the Windows Installer format. Group Policy software deployment has the following requirements and properties:

- The target computers must belong to an AD DS domain.
- The software must be packaged in the Windows Installer .msi file format.
- User and computer accounts can be the targets of an application deployment.
- You can target a deployment at the domain level, the site level, or the organizational unit level.


Group Policy software deployment supports the following deployment types:

- Assign. You can assign applications to users or computers. When you assign an application to a user, the application installs when the user signs in. When you assign an application to a computer, the application installs when the computer starts.
- Publish. You can publish applications to users. Doing so makes an application available through the Programs and Features item in Control Panel. You cannot publish applications to computers.

Group Policy software deployment has the following drawbacks:

- Difficulty in determining the success of deployments. Group Policy software deployment does not include reporting functionality. The only way to determine whether an application has installed is to check it manually.
- No prerequisite checking. Group Policy software deployment does not enable you to perform prerequisite checks directly. You can use Windows Management Instrumentation queries to check, but doing so is a complex operation that requires significant expertise and time.
- No installation schedule. Deployment will occur the next time a Group Policy refresh occurs. You cannot schedule Group Policy software deployment to occur at a specific date and time.

Automating Installation by Using MDT

Microsoft Deployment Toolkit (MDT) 2013 is a solution accelerator that you can use to automate the deployment of operating systems and applications to computers. You can use MDT to perform lite-touch installation (LTI). LTI requires that you trigger operating system deployment or application installation on each computer, but it requires minimal intervention after the deployment begins. You can use MDT to perform automated operating system and application deployment without deploying Configuration Manager. However, you can use MDT when it is integrated with Configuration Manager to perform zero-touch installation (ZTI). ZTI enables operating system and application deployment and migration without requiring any intervention. You can use MDT to perform LTI deployment and migration from the following operating systems:

- Windows 8.1 or Windows 8
- Windows 7
- Windows Vista Service Pack 2 (SP2)
- Windows XP Service Pack 3
- Windows Thin PC
- Windows Server 2012
- Windows Server 2008 R2
- Windows Server 2008 SP2
- Windows Server 2003 R2

The LTI process requires only the tools that are available in MDT. You do not need to deploy Configuration Manager in your environment to perform LTI. To perform LTI by using MDT, perform the following steps:

1. Deploy MDT on a computer that will function as the management computer, create a deployment share on this computer, and then import the image files that you will use.
2. Create a task sequence and a boot image for the computer that will function as the reference computer.


3. Start the reference computer by using the medium that contains MDT. The task sequence files, task sequence, and boot image transfer to the reference computer.
4. Use the Windows Deployment Wizard to deploy the operating system.
5. After deployment, capture the reference computer as an image.
6. Transfer the captured image to the management computer.
7. Create a new boot image and task sequence for deployment to the target computers.
8. Start the deployment target computers by using the medium that contains MDT. The task sequence files, task sequence, and boot image transfer to the reference computer. Run the Windows Deployment Wizard to deploy the prepared image.

Automating Installation by Using Configuration Manager

Configuration Manager provides a comprehensive platform for application deployment and management, and it supports deploying applications in the .exe, .msi, .appv, and .appx file formats. Configuration Manager enables administrators to target deployments to groups of users and computers, and to configure deployments to occur at specific dates and times. Computers must have the Configuration Manager client installed to receive software that Configuration Manager deploys.

Collections

Configuration Manager enables the deployment of applications to computers, users, and security groups. Configuration Manager enables you to create collections that consist of manually created groups of users or computers. Collections also can be based on the results of queries of user or computer properties. Because Configuration Manager can collect information about all aspects of a user or computer, including all AD DS attributes and software and hardware configurations, you can create focused collections for targeted application deployment. For example, you can create a collection that includes only the computers that are located at a specific site with a certain deployed application and a specific piece of installed hardware.

Multiple Deployment Types

Configuration Manager enables you to use multiple deployment types when deploying an application. With this feature, you can configure a single application deployment but make it possible for that deployment to occur in different ways, depending on the conditions that apply to the target computer or user. For example, you can configure an application to install locally if a user is logged on to his or her primary device, but to stream as a Microsoft Application Virtualization (App-V) application if the user is logged on to another device. Deployment types also enable you to configure the deployment of the x86 version of an application if the target computer has a 32-bit processor, or to configure the deployment of the x64 version if the target computer has a 64-bit processor.

Reporting

Configuration Manager includes extensive reporting functionality. This feature enables you to determine how successful an application deployment was after its completion. Configuration Manager also enables you to simulate application deployments before performing them. This feature enables you to determine, before you perform an actual deployment, whether any factors that you have not considered might block a successful application deployment.

Wake On LAN and Maintenance Windows

Configuration Manager supports Wake On LAN (WOL) functionality and maintenance windows. Instead of interrupting a user with an application installation that might require a restart and the disruption of his or her current productivity, WOL functionality enables application deployment to occur after-hours, when the compatible computer is in a low power state. Configuration Manager sends a special signal to these computers, which return to a fully powered-on state, perform the application installation, and then return to the low power state.

Maintenance windows enable administrators to define when operations such as software installations and software update deployments should occur. Maintenance windows give users a predictable period during which they know that operations requiring a restart of their computers might occur. If users know that their computers might need to restart at a certain time each week, they are less likely to leave important documents and programs open at that time, thereby avoiding potential data loss.

Software Inventory, Software Metering, and Asset Intelligence

Configuration Manager supports software inventory, software metering, and Asset Intelligence. A software inventory enables you to determine which applications are installed on computers in your organization. Software metering enables you to monitor how often particular applications are used. Asset intelligence enables you to check software licensing compliance, helping ensure that the number of applications deployed within an organization equals the number of software licenses that are available for those applications. With this information, you can make informed decisions with respect to future software deployment. You also can use software inventory and software metering information as a basis for the creation of collections.

Automating Installation by Using Windows Intune

You can use Windows Intune to perform software deployment on user or computer groups. Users and computers can belong to multiple groups. You can configure Windows Intune to synchronize account information from AD DS.

You need to deploy the Windows Intune client on the target computers to use Windows Intune. If users have local Administrator rights, they can perform this operation themselves by downloading the Windows Intune client software from the Windows Intune site in their organization. If users do not have Administrator rights, they can install the Windows Intune client by using Windows Remote Assistance or by bringing their computers to a branch office location.

You can use Windows Intune to deploy applications to Windows Intune clients in both the .exe and .msi file formats. You must upload applications to Windows Intune before you can deploy them. You can make software available as an optional installation or configure it as a required installation.

Windows Intune provides reporting on the success and failure of targeted application deployment. This feature means that you can determine how many clients out of the target group successfully installed the deployed application. It also is possible to use Windows Intune to remove applications that were deployed to client computers previously. You can integrate Windows Intune with Configuration Manager, enabling you to manage devices that are hosted in both platforms from a single console. You can use Windows Intune to manage computers that are running Windows 8.1 irrespective of whether they are members of an AD DS domain. In addition, you can use Windows Intune to manage computers that are running Windows 8, Windows RT 8.1, Mac OS X, Windows 7, Windows Vista, and Windows XP. You can use Windows Intune to manage PCs and devices at scale.


What Is App-V?
App-V is a Microsoft solution that enables users to run virtualized applications on their computers without having to install or configure them locally. App-V benefits an organization through faster deployment of applications and updates, and it minimizes conflicts between applications and various versions of applications. Before a Windows 8.1 computer can run streamed App-V applications, you must install the App-V client. The App-V client provides an isolated execution environment in which App-V applications run. The virtualized applications interact with the App-V client rather than directly with the host operating system.

With App-V, you can perform nonpersistent application deployment. Nonpersistent application deployment is useful in scenarios where a person might need to use an application on a computer on a one-off or infrequent basis. This type of deployment also is useful in environments where people are not assigned specific computers. For example, a person might need to use a specific application that is not installed as part of the standard operating-system build in an organization where people are assigned desktops each day on a first-come, first-served basis. With App-V, you can provision an application to a user no matter which computer the user is assigned to. You can configure the application so that it will no longer be present on the computer after the user signs out. App-V is part of the Microsoft Desktop Optimization Pack. App-V supports the virtualization of applications that run on Windows 8.1 computers and Remote Desktop Services (RDS) on Windows Server 2012 R2. App-V also supports client computers that are running Windows 7, Windows Vista, and Windows XP. It also can be used with RDS on Windows Server 2008 R2 and Windows Server 2008. Applications are still limited by platform constraints. You cannot run an x64 application on an x86 host, and an application that requires 4 gigabytes (GB) of RAM to run in a traditional manner still requires 4 GB of RAM to run when sequenced. When planning whether to use App-V as a part of your organization's application deployment strategy, consider the following:

- App-V allows users to run different versions of the same application concurrently. Most applications do not allow you to install a later version of the application side-by-side with an older version. However, when applications are virtualized through App-V, the applications are unaware of each other because each has its own silo that the App-V client provides.
- App-V minimizes application conflict. Although unusual, applications can conflict because of dynamic-link library (DLL) or application programming interface (API) conflicts. When applications are virtualized and running in separate silos under the App-V client, these conflicts do not occur.
- App-V applications can be streamed. App-V applications can be streamed from distribution points. This feature means that rather than waiting for an entire application to be transferred across a network and installed, a user can start using the application as soon as enough of it has transferred across the network for it to begin running. App-V uses Hypertext Transfer Protocol (HTTP) for streaming rather than Real-Time Streaming Protocol (RTSP), which was used in older versions of the product.
- A deployment does not require a restart. You can deploy an App-V application to a target computer, and the user can run that application without requiring the target computer to restart.


- No extra prerequisite components are required. Other than the App-V client, which must be present, any prerequisite components are included when sequencing the application. It is not necessary to deploy extra components, such as Microsoft Visual C++ runtime files, prior to deploying a sequenced application.
- Upgrades are simplified. Because an App-V application runs in its own silo that is disconnected from the operating system, you can deploy an upgrade to an application over the existing application. This process is called resequencing.
- Nonpersistent installation. You can configure streamed App-V applications so that they are not stored in the App-V cache after a user signs out. This feature enables you to have applications follow users as they sign in to different computers, while ensuring that only one instance of an application is deployed to a user. It also enables sensitive applications to be present on the local computer only when specific users are signed in, and otherwise, to be inaccessible.
- Applications use local resources. A drawback of Windows Server 2012 R2 RemoteApp is that when multiple users are using a RemoteApp program from the same Remote Desktop (RD) Session Host server, that server might be under resource pressure. On the other hand, an App-V application uses the resources of the local computer; therefore, the application does not consume the resources of the App-V server.

Sequencing Applications with App-V


By sequencing an application, you can create a version of that application that runs within the App-V client environment. You must sequence an application before it can run on a computer that has the App-V client installed.

The sequencing process is similar to the application packaging process to create a Windows Installer package. Sequencing an application with the App-V Sequencer produces an .appv file and a .msi file. You can deploy an .msi file to a computer in the same way as any other .msi file, although the application will run only if the App-V client is installed. When deployed as an .msi file, an application will remain on a computer until it is uninstalled. An application is streamed when deployed as an .appv file. The length of time that it remains in the .appv cache depends on the deployment settings.

The sequencing process records all changes that the installation of an application makes to a client computer. These changes include those made to files and folders, environment variables, .ini files, and the registry. The sequencing process functions in the following way:

1. The App-V Sequencer initiates the application's installation process.
2. The Sequencer records all changes to files, registry settings, environment variables, and DLLs, in addition to any other changes to the computer that hosts the Sequencer.
3. The Sequencer generates a special virtual environment.
4. The Sequencer runs the application in this environment. This includes all the modifications that were made to the computer that hosts the Sequencer.
5. The technician performing the sequencing performs any required post-installation configuration tasks. The Sequencer records any additional modifications.


6. The Sequencer generates .appv and .msi files and writes them to the folder that the technician specified.

The computer that functions as the Sequencer needs special preparation. This preparation involves shutting down services and applications, such as antimalware scanners, that might cause problems with the sequencing process. You should deploy the role of Sequencer on a virtual machine. The Sequencer records changes that are made to the host operating system during the application installation. When you deploy the Sequencer on a virtual machine, you can use virtual machine snapshots to roll the virtual machine back to a clean configuration after you sequence each application. This computer should run the same operating system as the clients on which you will be deploying the sequenced application. You can sequence an x86 application on a computer running an x64 version of the App-V Sequencer.

Options for Deploying App-V Applications


You have a number of options for deploying App-V applications after you ensure that the App-V client is locally installed. The option that you choose depends on what infrastructure is available in your organization. Three App-V deployment models exist:

- The stand-alone deployment model
- The App-V full infrastructure model
- The Configuration Manager integrated model

Stand-alone Deployment Model

The stand-alone deployment model requires that you deploy a minimal amount of infrastructure. In this deployment model, you must deploy a Sequencer to create sequenced applications, and you must deploy the App-V client to all the Windows 8.1 client computers that will consume App-V applications. In the stand-alone deployment model, you deploy sequenced applications in Windows Installer format either manually, through Group Policy, or through Windows Intune. Applications that you deploy by using the stand-alone deployment model remain on target computers until they are uninstalled.
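The stand-alone model can also be driven from the App-V 5.x client's own Windows PowerShell module, which takes the .appv file directly rather than the Windows Installer wrapper. The following script is an added example and is not part of the course or of the App-V product documentation. It assumes that the App-V client is installed on the Windows 8.1 computer, that the package was sequenced to the hypothetical share \\LON-DC1\AppV\ContosoApp.appv, and that it runs from an elevated Windows PowerShell prompt. The cmdlet names are those of the AppvClient module; the share name and package name are assumptions.

```powershell
# Added example (not course material): deploy a sequenced .appv package on a
# Windows 8.1 client with the App-V 5.x AppvClient module, stand-alone model
# (no management or publishing server).
# Assumptions: App-V client installed, package at the hypothetical share
# below, script runs elevated.

Import-Module AppvClient -ErrorAction Stop

$PackagePath = '\\LON-DC1\AppV\ContosoApp.appv'   # hypothetical path

# The package share is the trust boundary: anyone who can write to it can
# change what every client streams and runs. List who has write access so the
# deployment can be refused if the share is writable by ordinary users.
$acl = Get-Acl -Path (Split-Path -Path $PackagePath -Parent)
$writers = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.FileSystemRights -match 'Write|Modify|FullControl'
}
$writers | Select-Object IdentityReference, FileSystemRights | Format-Table -AutoSize

# Add (register) the package with the client, then publish it. -Global makes
# it available to every user on the computer; omit -Global to publish only
# for the current user when only one user needs it.
$pkg = Add-AppvClientPackage -Path $PackagePath
Publish-AppvClientPackage -PackageId $pkg.PackageId -VersionId $pkg.VersionId -Global | Out-Null

# Mount pulls the whole package into the local cache now, so the application
# still starts if the share is unreachable later (offline or WAN outage).
Mount-AppvClientPackage -PackageId $pkg.PackageId -VersionId $pkg.VersionId | Out-Null

# Verify: the package should be published globally and fully cached
# (PercentLoaded = 100).
Get-AppvClientPackage -PackageId $pkg.PackageId |
    Select-Object Name, Version, IsPublishedGlobally, PercentLoaded

# Removal, in reverse order, when the application is retired:
# Unpublish-AppvClientPackage -PackageId $pkg.PackageId -VersionId $pkg.VersionId -Global
# Remove-AppvClientPackage -PackageId $pkg.PackageId -VersionId $pkg.VersionId
```

Unlike the .msi deployment described above, a package added this way is governed by the App-V client cache settings, so the Mount step is what guarantees that the package stays available without the share.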

App-V Full Infrastructure Model


The App-V full infrastructure model is appropriate for organizations that want to stream virtualized applications to clients but have not deployed Configuration Manager. In addition to the App-V client being installed on all Windows 8.1 client computers and the computer that functions as the Sequencer, this model requires the deployment of the following components:

- Management server. This server enables administrators to manage the App-V infrastructure and to assign the rights that allow users to consume applications.
- Management server database. This database stores configuration settings for the management server.
- Publishing server. This server publishes sequenced applications to App-V clients over HTTP. The clients then stream the package content from the content location that you configure, which can be an HTTP or HTTPS web server or a file share.
- Reporting server. This server enables the generation of reports that detail application deployment and consumption.
- Reporting server database. This database stores reporting server data.

You can deploy each of the preceding roles on the same server. In large environments, you deploy publishing servers to each branch office so that Windows 8.1 computers will be able to stream applications locally rather than across wide area network (WAN) links.

Configuration Manager Integrated Model

You can use Configuration Manager to deploy applications in the .appv and .msi formats to client computers. An advantage of the Configuration Manager integrated model over the other models is that you can configure the application deployment process to detect automatically whether a target computer has an App-V client installed and, if a client is not present, to deploy a client before deploying the application. The Configuration Manager integrated model supports streaming when deploying sequenced applications in the .appv format, and it supports local installation when using sequenced applications in the .msi format. The Configuration Manager integrated model requires that you have deployed Configuration Manager in your environment previously and have configured a computer to function as an application Sequencer.

What Are RemoteApp Programs?


Windows Server 2012 R2 RemoteApp programs display locally but run remotely. From a user's perspective, a RemoteApp program appears to be the same as any other application that is running on a computer. Consider deploying RemoteApp in situations where an application does not run on a client computer. Here are some of the scenarios in which you can use RemoteApp to deploy an application:

- Users of computers that are running Windows RT 8.1 need to access an application that only runs on the x64 version of Windows 8.1.
- Users of computers that are running the x86 version of Windows 8.1 need to access an application that is available only in an x64 version.
- Users of computers that have 4 GB of RAM need to run an application that requires 8 GB of RAM.

In each of the preceding scenarios, the application is provided to the user through RemoteApp. The application displays locally but runs on a platform that has appropriate hardware resources to support the application. RemoteApp programs can run directly on RD Session Host servers or on separate virtual machines in a Remote Desktop Virtual Desktop Infrastructure (VDI) scenario. From the users perspective, little difference exists between a RemoteApp program that is running on an RD Session Host server and a RemoteApp program installed on a virtual machine in a VDI scenario. Running a RemoteApp program on an RD Session Host server has the following advantages and disadvantages:

- You install applications directly on RD Session Host servers and then make them available to users as RemoteApp programs. This technique makes it simpler to deploy applications than by using RemoteApp on VDI.
- You cannot deploy different versions of the same application on RD Session Host servers. The exception to this rule occurs when you also deploy the App-V client on the RD Session Host server.
- Some applications cannot be installed in the RD Session Host environment.
- You must configure each RD Session Host server identically in the server farm.
- You can scale this solution by adding more identically configured RD Session Host servers. Doing so can be complicated if a large number of applications need to be deployed on each RD Session Host server.

The RemoteApp on VDI solution has the following advantages and disadvantages:

- You install applications on virtual machines and make them available to users as published RemoteApp programs. Having to deploy Windows Server 2012 R2 Hyper-V and configure virtual machines for VDI can make this solution seem more complex from an administrative standpoint.
- Applications run on client virtual machines. Therefore, applications that are not supported on RD Session Host servers can be deployed as RemoteApp programs.
- You do not need to configure virtual machines identically. You install an application on one or more virtual machines, and the Remote Desktop Connection Broker connects users to virtual machines that have the RemoteApp program installed.
- Make sure that you have enough virtual machines with an application installed to meet the demand for that application. In complex environments, you can use System Center 2012 R2 - Orchestrator and System Center 2012 R2 - Virtual Machine Manager to automate the deployment of extra virtual machines and applications to meet specific demands.
- RemoteApp on VDI is more scalable. You can deploy Hyper-V, virtual machines, and also use cloned virtual machines.

Deploying RemoteApp Programs


You can publish RemoteApp programs in the following three ways:

- By using the RemoteApp Manager administration console.
- Through Remote Desktop (RD) Web Access.
- By using Group Policy.

You can publish RemoteApp programs by using the RemoteApp Manager administration console. The management server detects applications that have been installed on RD Session Host servers if you are using RemoteApp with a session host, and it also detects applications that are installed on virtual machines if you are using RemoteApp with virtual machines. You can use this console to configure session collections and RemoteApp permissions. By doing so, you can control which users will be able to access specific published RemoteApp programs. You can make RemoteApp programs available through RD Web Access. When you do so, users can connect to the RD Web Access server to launch applications. By default, the location of the RD Web Access site is https://<ServerFQDN>/RDWeb, where <ServerFQDN> represents the fully qualified domain name (FQDN) of the RD Web Access server. When a user connects to this site, the site displays a list of RemoteApp programs and RD Session Host servers to which that user has access.

You can publish RemoteApp programs through Group Policy by configuring the Specify default connection URL policy setting with the address of the RemoteApp feed. When you do so, the list of available RemoteApp programs is published to the Start screen of Windows 8.1. The default location of this feed is https://<ServerFQDN>/RDWeb/Feed/webfeed.aspx. Because the feed is delivered over HTTPS, client computers must trust the certificate that the RD Web Access server presents, or the feed will not be added. You can configure the default connection URL by editing the following policy: User Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\RemoteApp and Desktop Connections


Lesson 2

Managing Windows Store Apps

Windows 8.1 supports Windows Store apps that were introduced with Windows 8 and Windows RT. Windows Store apps are small, light, and easily accessible. It is important that you know how to manage user access to the Windows Store, which will enable you to control the installation and use of these apps.

Lesson Objectives
After completing this lesson, you will be able to:

- Describe the Windows Store and Windows Store apps.
- Explain how to manage and restrict access to the Windows Store.
- Describe how to sideload Windows Store apps.
- Sideload Windows Store apps.

What Is the Windows Store?


The Windows Store provides a convenient, single location for users to access and download apps. Users can access the Windows Store from the Start screen without needing to navigate to Control Panel. Note: To access the store, users must sign in to Windows by using a Microsoft account. Users can create this account during Windows 8.1 installation, or they can define it after installation.

Windows Store Apps

The Windows Store enables users to access and install Windows Store apps. These are not like desktop apps, such as Microsoft Office 2013.

These apps can communicate with one another and with Windows 8.1 so that it is easier to search for and share information, such as photographs. When an app is installed, from the Start screen, users can see Live tiles that constantly update with live information from the installed apps.

Locating Windows Store Apps

The landing page is the initial page that users see when accessing the Windows Store. When users connect to the Windows Store, they can locate apps easily on the landing page. Windows Store Apps are divided into categories such as Games, Entertainment, Music & Videos, and others. Users also can use the Windows 8.1 Search charm to search the Windows Store for specific apps. For example, if a user is interested in an app that provides video-editing capabilities, he or she can select the Search charm, type in a search text string, and then click Store. The Windows Store returns suitable apps from which the user can make a selection.

Installing Windows Store Apps

Installing Windows Store apps is a straightforward task for most users. A single tap on the appropriate app in the listing should be sufficient to install the app. Apps install in the background so that users can continue browsing the Windows Store. After an app is installed, a tile for the app appears on the user's Start screen.

Updating Windows Store Apps

Windows 8.1 checks the Windows Store for updates to installed apps on a daily basis. When an update for an installed Windows Store app is available, Windows updates the Store tile on the Start screen to display an indication that updates are available. When a user selects the Store tile and connects to the Windows Store, the user can choose to update one, several, or all of his or her installed apps for which updates are available.

Installing Windows Store Apps on Multiple Devices

Many users have multiple devices, such as desktop and laptop computers. The Windows Store allows 81 installations of a single Windows Store app so that users can run the app on all of their devices. If users attempt to install an app on an 82nd device, they are prompted to remove the app from another device.

Managing Access to the Windows Store


While it might be convenient to let users search for and install apps, it does pose potential problems for network administrators who want to control app installation or to impose a rigid desktop standard on network-connected computers. For this reason, you can use domain-based or local GPOs to control access to the Windows Store.

Disable the Store application


To control access to the Store, perform the following procedure:

1. From the Start screen, run gpedit.msc with administrative permissions, and then load the Local Group Policy Editor.
2. Under Local Computer Policy, expand User Configuration, expand Administrative Templates, expand Windows Components, and then click Store.
3. In the results pane, double-click Turn off the Store application.
4. In the Turn off the Store application dialog box, click Enabled, and then click OK.
5. Close all open windows.

When the Windows Store is disabled, users will see a "Windows Store isn't available on this PC" message when they attempt to access the Store tile on the Start screen. Note: You can use a GPO to disable the Windows Store for target computers, specific users, or groups of users.
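The same setting can be applied to a domain GPO from Windows PowerShell, which is how you would disable the Store for a group of users rather than one computer. The following script is an added example, not part of the course. It assumes that the GroupPolicy module (Remote Server Administration Tools) is available, that the domain is Adatum.com, and that the GPO name and the Sales organizational unit are made up for illustration. The registry path and value name are the ones the "Turn off the Store application" policy writes: RemoveWindowsStore under Software\Policies\Microsoft\WindowsStore (HKCU for the user setting, HKLM for the computer setting).

```powershell
# Added example (not course material): disable the Windows Store for the
# users in an OU with a domain GPO, then verify the policy on a client.
# Assumptions: GroupPolicy module available, domain Adatum.com, GPO name and
# OU below are hypothetical.

Import-Module GroupPolicy -ErrorAction Stop

$GpoName  = 'Windows Store - Turn Off'        # hypothetical
$TargetOU = 'OU=Sales,DC=Adatum,DC=com'       # hypothetical

# Create the GPO only if it does not exist yet, so the script can be re-run.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Disables the Windows Store for users in scope'
}

# User Configuration > Administrative Templates > Windows Components > Store >
# Turn off the Store application = Enabled
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKCU\Software\Policies\Microsoft\WindowsStore' `
    -ValueName 'RemoveWindowsStore' -Type DWord -Value 1 | Out-Null

# Link the GPO to the OU (New-GPLink fails if the link already exists, which
# is harmless on a re-run, hence SilentlyContinue).
New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# Client-side check after gpupdate: read the policy keys directly instead of
# trusting the Store tile. Both hives are checked because either one
# (computer policy or user policy) disables the Store.
function Test-StoreDisabled {
    foreach ($hive in 'HKLM', 'HKCU') {
        $v = Get-ItemProperty -Path "${hive}:\Software\Policies\Microsoft\WindowsStore" `
             -Name RemoveWindowsStore -ErrorAction SilentlyContinue
        if ($v -and $v.RemoveWindowsStore -eq 1) { return "$hive policy: Store disabled" }
    }
    return 'No policy found: Store available'
}

Test-StoreDisabled
```

Run the first part on a computer with the GroupPolicy module and the Test-StoreDisabled function on the client after a Group Policy refresh; the function reports which hive carries the policy, which tells you whether the computer or the user setting is the one in effect.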

Controlling the Windows Store Apps That Can Be Installed

In addition to disabling the Windows Store on a computer, you also can use AppLocker to control which apps can be installed. Note: AppLocker is covered later in this module.

Managing Updates

Information technology (IT) administrators have limited control over updates for installed Windows Store apps. By default, the app-update process is automated for users running Windows 8.1. It is possible to turn off automatic updates for apps at any time by configuring the App updates setting within the Windows Store. Unless you disable the automatic app updates, you cannot control which updates are available. Once triggered, all updates will be downloaded.

How to Sideload Windows Store Apps


Many larger organizations will want to distribute Windows Store apps to their client computers that are intended for internal use only. These line-of-business (LOB) apps are not available on the Windows Store. Therefore, you must provide some other method for distribution and installation of these applications. Sideloading provides such a mechanism for distribution of LOB apps to client computers without publishing them in and downloading them from the Windows Store.

You can use the Dism.exe command-line tool and Windows PowerShell to add, list, and remove LOB apps. Windows PowerShell is the preferred method because it provides administrators much more functionality to sideload, especially when deploying a LOB app to a large volume of client computers. Note: Enterprises also can use Windows Intune to deploy apps via the Windows 8.1 Self-Service Portal app.

To prevent malware from being deployed via the sideloading process, Windows 8.1 only allows apps whose package is digitally signed with a certificate that chains to a root certificate the computer trusts. If your organization creates a LOB app, it should be signed with a certificate issued by the organization's own certification authority, so that clients that already trust that root will trust the app. You can use a self-signed certificate to sideload an app, but administrators should note that this is not a best practice in a production environment: the self-signed certificate must then be added to a trusted store on every client, and once it is trusted there, any package signed with that key will install.

Sideloading Requirements Enterprise Scenarios


Computers must meet the following requirements to sideload Windows Store apps on them:

- Computers must run the Windows 8.1 Enterprise operating system.
- Computers must be members of a domain.
- The Allow all trusted apps to install GPO setting must be enabled.
- The app must be digitally signed.

Sideloading Requirements BYOD Scenarios

In a Bring Your Own Device (BYOD) scenario where a personal device such as a Surface 2 tablet is used in the workplace, you also can sideload this device with LOB apps by first installing a sideloading product key on the device. A sideloading product key can be obtained in the following ways:

- A developer will have a license to test the sideloading of an app on devices.
- From Microsoft Volume Licensing.

To activate a sideloading product key, follow this procedure:

1. Select Command Prompt (Admin) from the menu that opens when you press Windows logo key+X.
2. Type Slmgr /ipk <sideloading product key>.
3. Type Slmgr /ato ec67814b-30e6-4a50-bf7b-d55daf729d1e.
4. Restart the Windows operating system.

Note: The activation GUID will always be ec67814b-30e6-4a50-bf7b-d55daf729d1e.

Demonstration: Sideloading Windows Store Apps


In this demonstration, you will see how to:

- Enable sideloading.
- Install the root certificate.
- Install a LOB app.
- Remove an installed LOB app.

Demonstration Steps Enable sideloading


1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. Open the Local Group Policy Editor (Gpedit.msc).
3. Under Local Computer Policy in the navigation pane, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click App Package Deployment.
4. In the results pane, double-click Allow all trusted apps to install.
5. In the Allow all trusted apps to install dialog box, click Enabled, and then click OK.
6. Force a Group Policy update, and then close all open windows.

Install the root certificate


Note: To be able to sideload the app, the Windows operating system must trust the app. For testing purposes, the app is using a self-signed certificate. You need to install the root certificate on the client.

1. Right-click the file E:\Labfiles\Mod11\LeXProductsGrid81_1.1.0.2_AnyCPU.cer.
2. Install the certificate into the Local Machine Trusted Root Certification Authorities certificate store.
3. Confirm that the import was successful.

Note: Your LOB apps must be digitally signed and can be installed only on computers that trust the certification authority that provided the apps signing certificate.

Install a LOB app


1. Sign in to LON-CL1 as Adatum\Dan with password Pa$$w0rd.
2. On LON-CL1, open a Windows PowerShell command prompt window, type import-module appx, and then press Enter.
3. To install the app package, at the Windows PowerShell command prompt, type add-appxpackage E:\Labfiles\Mod11\LeXProductsGrid81_1.1.0.2_AnyCPU.appx, and then press Enter.
4. On the Start screen, type TestAppTKL1 and then press Enter. Verify that the six groups of tiles are present in the TestAppTKL1 app.
5. Sign out from LON-CL1.

Remove an installed LOB app


1. Sign in to LON-CL1 as Adatum\Dan with password Pa$$w0rd.
2. Use the Windows PowerShell command Remove-AppxPackage <Package1> to remove the TestAppTKL1 app from LON-CL1.

Note: The full package name for the sideloaded app is: 6483TKL.TestAppTKL1_1.1.0.2_neutral__aervmpxrfxxmo

3. Close the Windows PowerShell Command Prompt window.
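The demonstration above can be scripted, and a scripted deployment is also where you add the checks that the manual steps skip: that sideloading is actually allowed by policy, that the package is signed by the publisher you expect, and that you trust that publisher as narrowly as possible. The following script is an added example and is not part of the course. It reuses the file names from the demonstration, assumes an elevated Windows PowerShell prompt, and uses a placeholder thumbprint that you must replace with the thumbprint of your organization's signing certificate before running it. Putting the certificate in the Local Machine Trusted People store instead of Trusted Root Certification Authorities is sufficient for sideloaded packages (it is what Visual Studio's own app-deployment script does) and avoids making a self-signed app certificate a trust anchor for TLS and all other code on the computer.

```powershell
# Added example (not course material): sideload the demonstration package with
# policy, signature and publisher checks. Assumptions: file paths from the
# demonstration, elevated prompt, $ExpectedThumbprint replaced before use.

$Appx = 'E:\Labfiles\Mod11\LeXProductsGrid81_1.1.0.2_AnyCPU.appx'
$Cert = 'E:\Labfiles\Mod11\LeXProductsGrid81_1.1.0.2_AnyCPU.cer'
$ExpectedThumbprint = '0000000000000000000000000000000000000000'   # placeholder

# 1. Sideloading must be allowed by policy. This is the registry value behind
#    Computer Configuration > Administrative Templates > Windows Components >
#    App Package Deployment > Allow all trusted apps to install.
$pol = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\Appx' `
       -Name AllowAllTrustedApps -ErrorAction SilentlyContinue
if (-not $pol -or $pol.AllowAllTrustedApps -ne 1) {
    throw 'Sideloading is not enabled by policy (AllowAllTrustedApps is not 1).'
}

# 2. Verify the package signature before trusting anything about the package.
#    An .appx is Authenticode-signed, so Get-AuthenticodeSignature reads it.
#    Pin the signer by thumbprint: a package signed by someone else must not
#    install just because its certificate happens to be trusted.
$sig = Get-AuthenticodeSignature -FilePath $Appx
if ($null -eq $sig.SignerCertificate) { throw 'Package is not signed.' }
if ($sig.SignerCertificate.Thumbprint -ne $ExpectedThumbprint) {
    throw "Unexpected signer: $($sig.SignerCertificate.Subject) ($($sig.SignerCertificate.Thumbprint))"
}

# 3. Trust the signer only if it is not already trusted, and only in the
#    Trusted People store. Get-AuthenticodeSignature reports Status against
#    the Root store, so a Trusted-People-only trust will still show as not
#    Valid; the thumbprint pin above is the check that matters here.
$store = 'Cert:\LocalMachine\TrustedPeople'
$already = Get-ChildItem -Path $store | Where-Object { $_.Thumbprint -eq $ExpectedThumbprint }
if (-not $already -and $sig.Status -ne 'Valid') {
    Import-Certificate -FilePath $Cert -CertStoreLocation $store | Out-Null
}

# 4. Install for the current user (Add-AppxPackage registers per user).
Add-AppxPackage -Path $Appx

# 5. Confirm what was installed and who the registered publisher is.
Get-AppxPackage -Name '*TestAppTKL1*' |
    Select-Object Name, Publisher, Version, PackageFullName

# Removal: pass the exact PackageFullName shown above rather than a wildcard,
# so that a package with a similar name is not removed by mistake.
# Remove-AppxPackage -Package '6483TKL.TestAppTKL1_1.1.0.2_neutral__aervmpxrfxxmo'
```

Because Add-AppxPackage installs for the signed-in user only, the script has to run in the user's session (or be driven through Dism.exe /Add-ProvisionedAppxPackage for all users of the image); the policy and signature checks are the same in either case.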


Lesson 3

Configuring Internet Explorer Settings

A browser is like any other application. You either can manage and secure it well, or manage it poorly. If you manage a browser poorly, you and your organization risk consuming more time and money supporting users and dealing with security infiltrations, malware, and loss of productivity.

Users can browse more safely by using Internet Explorer 11, which in turn helps maintain customer trust in the Internet and helps protect the IT environment from the evolving threats that the web presents. Internet Explorer 11 specifically helps users maintain their privacy with features such as InPrivate Browsing and Tracking Protection. The SmartScreen Filter provides protection against social engineering attacks by:

- Identifying malicious websites that try to trick people into providing personal information or installing malware.
- Blocking malware downloads.
- Providing enhanced antimalware support.

Internet Explorer 11 helps prevent a browser from becoming an attack agent, and it provides more detailed control over installation of ActiveX controls with per-site and per-user ActiveX features. The XSS Filter helps protect users against reflected cross-site scripting attacks by detecting script that is echoed from a request into the response and neutralizing it.

Lesson Objectives
After completing this lesson, you will be able to:

- Describe Compatibility View.
- Explain the function of various Internet Explorer privacy features.
- Describe the SmartScreen feature.
- Explain how to manage Internet Explorer add-ons.
- List and explain other Internet Explorer security features.
- Configure security settings in Internet Explorer.

What Is Compatibility View?


None of the improvements in Internet Explorer 11 matter if websites look bad or work poorly. Internet Explorer 11 includes advancements in compliance with web standards, enabling websites to be created more efficiently and operate more predictably. Each new version of Internet Explorer must try to maintain compatibility with existing websites. Internet Explorer 11 includes multiple layout engines, putting the decision of whether Internet Explorer 11 needs to support legacy behaviors or strict standards in the hands of web developers, who can specify which layout engine to use on a page-by-page basis.

Internet Explorer 11 provides an automatic Compatibility View that invokes an older Internet Explorer engine to display webpages whenever a legacy website is detected. This helps improve compatibility with applications written for older versions of Internet Explorer. If you do not see the Compatibility View button appear in the Address bar, there is no need to turn on Compatibility View because Internet Explorer 11 will have detected that the webpage has loaded correctly. Note: By default, intranet sites and apps continue to run in Internet Explorer 11, which supports Compatibility View.

Compatibility View in Internet Explorer 11 helps display a webpage as it is meant to be viewed. This view provides a straightforward way to fix display problems such as out-of-place menus, images, and text. The main features in Compatibility View are:

- Internet websites display in Internet Explorer 11 standards mode by default. Use the Compatibility View button to fix sites that render differently than expected.
- Internet Explorer 11 remembers sites that have been set to Compatibility View so that the button only needs to be pressed once for a site. After that, the site is always rendered in Compatibility View unless it is removed from the list.
- Intranet websites display in Compatibility View by default. This means that internal websites that were created for older versions of Internet Explorer will work.
- You can use Group Policy to set a list of websites to be rendered in Compatibility View.

Switching in and out of Compatibility View occurs without requiring that a user restart the browser.

The Compatibility View button only displays if the website does not state clearly how it is to be rendered. In other cases, such as viewing intranet sites or viewing sites with an X-UA-Compatible <META> tag or HTTP header that requests Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 standards, the button is hidden. When Compatibility View is activated, the page refreshes and a balloon tip in the taskbar notification area indicates that the site is now running in Compatibility View.

Configuring Compatibility View

The Compatibility View settings option in the Tools menu enables you to customize Compatibility View to meet enterprise requirements. For example, you can configure it so that all intranet sites display in Compatibility View (the default), or you can configure it so that all websites are viewed in Compatibility View.

Privacy Features
One of the biggest concerns for users and organizations is the issue of security and privacy when using the Internet. Internet Explorer 11 helps users maintain their security and privacy. For enterprises that need users to be able to browse without collecting browsing history, Internet Explorer 11 has a privacy mode called InPrivate Browsing, which allows users to surf the web without leaving a trail. As an alternative to InPrivate Browsing, a user can use the Delete Browsing history option found in the Internet options dialog box to delete their browsing history manually without losing site functionality.

InPrivate Browsing

InPrivate Browsing helps protect data and privacy by preventing browsing history, temporary Internet files, form data, cookies, user names, and passwords from being stored or retained locally by the browser. This leaves virtually no evidence of browsing or search history as the browsing session does not store session data.

From an enterprise and IT professional perspective, InPrivate Browsing is more reliable than using the Delete Browsing history option to maintain privacy, because no local history, cache, or cookies are kept during the session rather than being written and deleted afterwards. InPrivate Browsing is a proactive feature because it enables you to control what is tracked in a browsing session. Note, however, that it only stops the browser from retaining data on the computer; it does not hide browsing from proxy, DNS, or web server logs, or from the websites that the user visits. Some users might attempt to use InPrivate Browsing to conceal their tracks when browsing prohibited or nonwork websites. However, you have full manageability control, and you can use Group Policy to configure how your organization uses InPrivate Browsing, including turning it off.

Tracking Protection

Most websites today contain content from several different sites. The combination of these sites sometimes is referred to as a mashup. People begin to expect this type of integrationfrom something like an embedded map from a mapping site, to greater integration of advertisements or multimedia elements. Organizations try to offer more of these experiences because it draws potential customers to their site. This capability makes the web more robust, but it also provides an opportunity for a hacker to create and exploit vulnerabilities.

Every piece of content that a browser requests from a website discloses information to that site, sometimes even if a user has blocked all cookies. Often, users are not fully aware that their web browsing activities are tracked by websites other than those they have consciously chosen to visit.

Tracking Protection monitors the frequency of all third-party content as it appears across all websites that a user visits. An alert or frequency level is configurable and is initially set to 10. Third-party content that appears with high incidence is blocked when the frequency level is reached. Tracking Protection does not discriminate between different types of third-party content. It blocks content only when it appears more than the predetermined frequency level.

Note: Tracking Protection Lists can help increase your browsing privacy. When you install a Tracking Protection List, you will prevent the websites specified in the list from sending your browsing history to other content providers. Microsoft maintains a website that contains Tracking Protection Lists that you can install: Tracking Protection Lists, www.iegallery.com

Delete Browsing History

Cookies and cookie protection are one aspect of online privacy. Some organizations write scripts to clean up cookies and browsing history at the end of a browsing session. This type of environment might be necessary for sensitive data, for regulatory or compliance reasons, or for private data in the healthcare industry.

The Delete Browsing History dialog box in Internet Explorer 11 enables users and organizations to delete browsing history selectively. For example, a history can be removed for all websites except those in a users Favorites. You can switch this feature on and off in the Delete Browsing History dialog box, and it is called Preserve Favorites website data.

You can configure Delete Browsing history options through Group Policy. You also can configure which sites are included automatically in Favorites. This allows you to create policies that ensure security without impacting daily interactions with a users preferred and favorite websites. The Delete browsing history on exit check box in Internet options allows you to delete the browsing history automatically when Internet Explorer 11 closes.

The SmartScreen Feature


Businesses put a lot of effort into protecting computer assets and resources. Phishing attacks, a form of social engineering attack, can evade those protections and result in users giving up personal information. The majority of phishing scams target individuals in an attempt to extort money or perform identity theft. The SmartScreen Filter helps protect against phishing websites, other deceptive sites, and sites known to distribute malware.

How the SmartScreen Filter Works


The SmartScreen Filter was introduced in earlier versions of Internet Explorer and has developed into a range of defensive tools including:

- Windows SmartScreen, which is the client feature
- SmartScreen Filter, which is the spam filtering solution built into Microsoft email solutions
- Internet Explorer 11 SmartScreen Filter

The SmartScreen Filter component of Internet Explorer 11 relies on a web service backed by a Microsofthosted URL reputation database. The SmartScreen Filters reputation-based analysis works alongside other signature-based antimalware technologies, such as Windows Defender, to provide comprehensive protection against malware. With the SmartScreen Filter enabled, Internet Explorer 11 performs a detailed examination of an entire URL string and compares the string to a database of sites known to distribute malware. The SmartScreen Filter then checks the website that a user is visiting against a dynamic list of reported phishing sites and malware sites. If the website is known to be unsafe, it is blocked and the user is notified.

Manually Checking Website Safety

You can check the safety of a website manually with SmartScreen Filter. To do so, perform the following procedure:

1. On the Start screen, click Internet Explorer.
2. Visit the website that you want to check.
3. On the Tools menu, click Safety.
4. Click SmartScreen Filter, and then click Check This Website.

Turning Off SmartScreen Filter


To turn off SmartScreen Filter, follow this procedure:

1. On the Start screen, click Internet Explorer.
2. On the Tools menu, click Safety.
3. Click Turn off SmartScreen Filter.
4. In the Microsoft SmartScreen Filter dialog box, click OK.

Turning On SmartScreen Filter


Follow this procedure to turn on SmartScreen Filter:

1. On the Start screen, click Internet Explorer.
2. On the Tools menu, click Safety.
3. Click Turn on SmartScreen Filter.
4. In the Microsoft SmartScreen Filter dialog box, click OK.

Managing Internet Explorer Add-ons


Most websites will display normally when you use Internet Explorer without any add-ons or modifications. Internet Explorer 11, included by default in Windows 8.1, is designed to provide an experience that is free from add-ons. Add-ons extend the browser, for example by providing multimedia content, and include the following types:

- ActiveX controls
- Plug-ins
- Browser extensions
- Browser helper objects
- Toolbars
- Explorer bars
- Search providers
- Accelerators
- Tracking Protection Lists

The following are examples of plug-in based technology:

- Microsoft Silverlight
- Apple QuickTime
- Java applets
- Adobe Flash Player
- Skype Click to Call

Two popular multimedia technologies, HTML5 media and Adobe Flash Player, are supported out of the box as platform features in both the Windows UI version of Internet Explorer and Internet Explorer for the desktop. In previous versions of Internet Explorer, multimedia add-ons such as Flash Player were installed and updated separately from the browser, so a vulnerable add-on could remain in place long after a fix was published. In Windows 8.1, Flash Player is part of Internet Explorer 11 and is serviced through Windows Update, so fixes reach computers on the same schedule as browser fixes. Sometimes an add-on such as a pop-up advertisement can annoy users, or even create problems and affect browser performance. A user can disable an individual add-on or all add-ons within Internet Explorer 11 by using the Manage Add-ons dialog box. To do so, perform the following procedure:

1. From the Start screen, click Internet Explorer.
2. On the Tools menu, click Manage add-ons.
3. In the Manage Add-ons dialog box, in the Show drop-down list, click All add-ons.
4. Find the name of the add-on that you want to modify in the reading pane. To disable an add-on, click it, and then click Disable. To enable an add-on, tap or click it, and then click Enable.
5. Close the Manage Add-ons dialog box.

Note: Add-ons will work only in Internet Explorer for the desktop. The Windows UI version of Internet Explorer always runs with Enhanced Protected Mode enabled, which means add-on free browsing.

If an organization wants to prevent users from viewing Adobe Flash videos, you can turn this feature on or off by using a Group Policy setting. To do so, perform the following procedure:
1. Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.
2. On the Start screen, type gpedit.msc, and then press Enter.
3. In the Local Group Policy Editor, expand User Configuration, expand Administrative Templates, expand Windows Components, expand Internet Explorer, expand Security Features, expand Add-on Management, and then double-click Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects.
4. Click Enable.
5. Close Local Group Policy Editor.

Windows 8.1 provides more than 90 GPOs that allow IT professionals to manage Internet Explorer 11 by using Group Policy. Settings that are related to Internet Explorer 11 can be found within the following locations in the Local Group Policy Editor:
• Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
• User Configuration\Administrative Templates\Windows Components\Internet Explorer


Another popular customization that can increase productivity for users is changing the default Internet search provider. This can be achieved by performing the following procedure:
1. From the Start screen, click Internet Explorer.
2. On the Tools menu, click Manage add-ons.
3. In the Manage Add-ons dialog box, click Search Providers.
4. Right-click the name of the search provider that you want to use in the reading pane, and then click Set as default.
5. If the search provider is not listed, click Find more search providers.
6. On the Internet Explorer Gallery webpage at http://www.iegallery.com/en-us/addons, click the search provider.
7. Click Add to Internet Explorer.
8. In the Manage Add-ons dialog box, click Search Providers, right-click the search provider that you added, and then click Set as default.
9. Close the Manage Add-ons dialog box.

Internet Explorer Administration Kit

The Internet Explorer Administration Kit (IEAK) 11 is a set of tools that IT professionals can use to create, deploy, and manage customized versions of Internet Explorer 11 for use in organizations.
Internet Explorer Administration Kit information and downloads: http://go.microsoft.com/fwlink/?LinkId=378256&clcid=0x409

Atari Arcade with Internet Explorer 11 brings arcade classics to the web; this is an example of the capabilities available within the modern browser: http://go.microsoft.com/fwlink/?LinkId=378257&clcid=0x409

Other Security Features


Additional security features in Internet Explorer 11 include the following:
• You can increase security and trust through improvements in ActiveX controls that enable control of how and where an ActiveX control loads and which users can load them.
• The Cross-Site Scripting Filter helps block Cross-Site Scripting attacks, one of the most common website vulnerabilities today.
• Data Execution Prevention (DEP) is enabled by default to help prevent system attacks where malware exploits memory-related vulnerabilities to execute code.

ActiveX Controls and Management

ActiveX controls are relatively straightforward to create and deploy, and they provide extra functionality beyond regular webpages. Organizations cannot control the inclusion of ActiveX controls or how they are written. Therefore, organizations need a browser that provides flexibility in dealing with ActiveX controls so that they are usable, highly secure, and pose as small a threat as possible.

Per-User ActiveX

By default, Internet Explorer 11 employs ActiveX Opt-In, which disables most controls on a user's computer. Per-user ActiveX makes it possible for standard users to install ActiveX controls in their own user profile without requiring administrative permissions. This helps organizations realize the full benefit of UAC, giving standard users the ability to install ActiveX controls that are necessary in their daily browsing. In most situations, if a user happens to install a malicious ActiveX control, the overall system remains unaffected because the control is installed under the user's account only. Because installations are restricted to a user profile, the cost and risk of a compromise are lowered significantly. When a webpage attempts to install a control, an information bar is displayed to the user. Users can choose to install the control system-wide or only for their own user account. The options in the ActiveX menu vary depending on a user's rights, as managed by Group Policy settings, and whether the control has been packaged to allow per-user installation. You can disable this feature in Group Policy.

Per-Site ActiveX

When a user navigates to a website that contains an ActiveX control, Internet Explorer 11 performs a number of checks, including a determination of where a control is permitted to run. If a control is installed but is not permitted to run on a specific site, an information bar appears that asks the user's permission to run on the current website or on all websites. Administrators can use Group Policy to preset Internet Explorer configurations with allowed ActiveX controls and their related trusted domains.

Cross-Site Scripting Filter

Most sites have a combination of content from local site servers and content obtained from other sites or partner organizations. Cross-Site Scripting attacks exploit vulnerabilities in web applications and enable an attacker to control the relationship between a user and a website or web application that they trust. Cross-Site Scripting can enable attacks such as:
• Cookie theft, including session cookies, which can lead to account hijacking.
• Monitoring keystrokes.
• Performing actions on the victim website on behalf of the victim user.
Cross-Site Scripting can also use a victim's website to subvert a legitimate website.

Internet Explorer 11 includes a filter that helps protect against Cross-Site Scripting attacks. The Cross-Site Scripting Filter has visibility into all requests and responses flowing through the browser. When the filter discovers likely Cross-Site Scripting in a request, it identifies and neutralizes the attack if it is replayed in the server's response. The Cross-Site Scripting Filter helps protect users from website vulnerabilities. It does not ask difficult questions that users are unable to answer, nor does it harm functionality on a website.

DEP

Internet Explorer 7 introduced a Control Panel option to enable memory protection to help mitigate online attacks: DEP, also known as No Execute (NX). DEP/NX helps thwart attacks by preventing code from running in memory that is marked non-executable, such as a virus disguised as a picture or video. DEP/NX also makes it harder for attackers to exploit certain types of memory-related vulnerabilities, such as buffer overruns.

DEP/NX protection applies to both Internet Explorer and the add-ons it loads. No additional user interaction is required to activate this protection, and unlike Internet Explorer 7, this feature is enabled by default for Internet Explorer 11.


Enhanced Protected Mode

Protected Mode was first introduced in Internet Explorer 7 with Windows Vista as a defense-in-depth feature, which reduced the amount of permissions that a browser was given to modify system settings or to write to a computer's hard disk. Internet Explorer 11 builds on the additional security that was offered by previous versions of Internet Explorer. Unlike Internet Explorer 10, Enhanced Protected Mode is turned on by default in Internet Explorer 11. Some of the additional capabilities included in Enhanced Protected Mode are described in the following table.

Enhancement: 64-bit processes
Description: Address space layout randomization and protection against heap spraying attacks.

Enhancement: Protecting your personal information
Description: Enhanced Protected Mode restricts Internet Explorer from file locations that contain your personal information until you grant permission to it.

Enhancement: Protecting your corporate assets
Description: Enhanced Protected Mode restricts an exploit's ability to access corporate network resources.

More information relating to the Internet Explorer Enhanced Protected Mode: http://go.microsoft.com/fwlink/?LinkId=378258&clcid=0x409
Question: What is the Cross-Site Scripting Filter?

Demonstration: Configuring Internet Explorer


In this demonstration, you will see how to:
• Configure Compatibility View.
• Delete browsing history.
• Configure InPrivate Browsing.
• View the add-on management interface.
• Manage downloading with the Download Manager.

Demonstration Steps

Configure Compatibility View
1. Sign in to LON-CL1 as administrator, and then open Internet Explorer.
2. Enable the Menu bar.
3. In Internet Explorer, open the LON-DC1 website at http://LON-DC1.
4. Add the website to Compatibility View.

Delete browsing history


1. In Internet Explorer, open the LON-DC1 website at http://LON-DC1.
2. Delete the selected browsing history.


Configure InPrivate Browsing


1. Open InPrivate Browsing.
2. In Internet Explorer, open the LON-DC1 website at http://LON-DC1.
3. Verify that the website address has not been retained in the browsing history.

View the add-on management interface


1. Open the Add-on manager.
2. Review the current add-ons.

Download a file
1. Navigate to http://LON-DC1, and then click the Download Current Projects link.
2. View the current downloads.
3. Open a downloaded file.
4. Close Microsoft Office Excel and other open windows.


Lab A: Configuring Internet Explorer Security


Scenario

Holly Dickson at A. Datum Corporation is concerned about her users' security settings when they are browsing the Internet, especially when they are doing so while connected to their customers' networks. She has asked you to investigate improving the Internet Explorer security settings on her users' computers.

Objectives
After completing this lab, you will be able to:
• Configure security settings in Internet Explorer.

Lab Setup
Estimated Time: 15 minutes
Virtual machines: 20687C-LON-DC1 and 20687C-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687C-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in by using the following credentials:
   o User name: Administrator
   o Password: Pa$$w0rd
   o Domain: Adatum
5. Repeat steps 2 to 4 for 20687C-LON-CL1.

Exercise 1: Configuring Internet Explorer


Scenario
In this exercise, you will implement some of the security and compatibility features in Internet Explorer 11.

The main tasks for this exercise are as follows:
1. Enable Compatibility View in Internet Explorer.
2. Delete browsing history.
3. Configure InPrivate Browsing.
4. Configure intranet security settings.
5. View the add-on management interface.
6. Download a file.


Task 1: Enable Compatibility View in Internet Explorer


1. On LON-CL1, sign in as Adatum\Administrator with the password Pa$$w0rd, and then open Internet Explorer.
2. Verify that Internet Explorer uses Microsoft compatibility lists.

Task 2: Delete browsing history


1. On the Tools menu, click Internet options, and then open the Delete Browsing History dialog box.
2. In the Delete Browsing History dialog box, select the Preserve Favorites website data and History check boxes. Clear all other options, click Delete, and then click OK.
3. Close Internet Explorer.
4. Open Internet Explorer, navigate to http://LON-DC1, and then verify that this site's address is stored in your history.
5. Delete the browsing history again, selecting only Temporary Internet files and website files, Cookies and website data, and History.
6. Verify that there are no site addresses showing in your history.

Task 3: Configure InPrivate Browsing


1. Open an InPrivate Browsing window.
2. Navigate to http://LON-DC1.
3. Confirm that this address has not been retained in your site history.
4. Close Internet Explorer.

Task 4: Configure intranet security settings


1. Configure the Local intranet security settings to High.
2. In the Address bar, type http://LON-DC1, and then press Enter.
3. Click the Current Projects link on the intranet home page. This fails to load a required add-on. Close the newly opened tab.
4. Add the local intranet to the trusted sites.
5. Click the Current Projects link on the intranet home page. This attempt is successful.

Task 5: View the add-on management interface


1. In Internet Explorer, from the Tools menu, open the Manage Add-ons dialog box.
2. Review the current add-ons.


Task 6: Download a file


1. Browse to http://LON-DC1, and then click the Download Current Projects link.
2. View the current downloads.
3. Open a downloaded file.
4. Close Excel.
5. Close all open windows.
6. Sign out from LON-CL1.

Results: After completing this exercise, you should have successfully configured security and compatibility settings in Internet Explorer.

Prepare for the next lab

When you have finished the lab, leave the virtual machines running, as they are needed for the next lab.


Lesson 4

Configuring Application Restrictions

The reliability and security of enterprise devices significantly increases with the ability to control which applications a user, or set of users, can run. Overall, an application lockdown policy can lower the total cost of computer ownership in an enterprise. AppLocker controls application execution and simplifies the ability to author an enterprise application lockdown policy. It also reduces administrative overhead and helps administrators control how users access and use files such as .exe and .appx files, scripts, Windows Installer files (.msi, .mst and .msp files), and .dll files.

Lesson Objectives
After completing this lesson, you will be able to:
• Describe how to use AppLocker to control application usage.
• Explain how AppLocker rules work to enforce your chosen application usage policy.
• Configure AppLocker rules.
• Enforce AppLocker rules.

What Is AppLocker?
Today's organizations face a number of challenges in controlling which applications run on client computers, including:
• The packaged and custom applications that users can access.
• Which users are allowed to install new software.
• Which versions of applications are allowed to run, and for which users.

Users who run unauthorized software can experience a higher incidence of malware infections and generate more help desk calls. However, it can be difficult for you to ensure that user computers are running only approved, licensed software.

Windows Vista addressed this issue by supporting software restriction policies, which administrators used to define the list of applications that users were allowed to run. AppLocker builds on this security layer, providing you with the ability to control how users run all types of applications, such as executable files, Windows Store .appx apps, scripts, Windows Installer files (.msi, .mst and .msp), and .dll files.

AppLocker Benefits

You can use AppLocker to specify exactly what is allowed to run on user PCs and devices. This allows users to run the applications, installation programs, and scripts that they require to be productive, while still providing the security, operational, and compliance benefits of application standardization. AppLocker can be useful for organizations that want to:
• Limit the number and types of files that are allowed to run, by preventing unlicensed software or malware from running, and by restricting the ActiveX controls that are installed.
• Reduce the total cost of ownership by ensuring that workstations are homogeneous across an enterprise and that users are running only the software and applications that the enterprise approves.
• Reduce the possibility of information leaks from unauthorized software.
Question: What are some applications that are good candidates for you to apply an AppLocker rule?

AppLocker Rules
You can prevent many problems in your work environment by controlling what applications a user can run. AppLocker lets you do just this by creating rules that specify exactly what applications a user is allowed to run, and can be configured to continue to function even when applications are updated. Because AppLocker is an additional Group Policy mechanism, IT professionals and system administrators need to be comfortable with Group Policy creation and deployment. This makes AppLocker ideal for organizations that currently use Group Policy to manage their Windows 8.1 computers or have per-user application installations.

To author AppLocker rules, there is a new AppLocker Microsoft Management Console (MMC) snap-in in the Group Policy Management Console (GPMC) that offers an improvement to the process of creating AppLocker rules. AppLocker provides several rule-specific wizards. You can use one wizard to create a single rule and another wizard to generate rules automatically, based on your rule preferences and the folder that you select. The four wizards that AppLocker offers administrators to author rules are:
• Executable Rules
• Windows Installer Rules
• Script Rules
• Packaged app Rules

At the end of the wizard, you can review the list of analyzed files. You can then modify the list to remove any file before rules are created for the remaining files. You can also receive useful statistics about how often a file has been blocked, or test the AppLocker policy for a specific computer.

Accessing AppLocker

To access AppLocker, run Gpedit.msc from the Start screen. Then browse to Computer Configuration, Windows Settings, Security Settings, and then Application Control Policies. Expand the Application Control Policies node, and click AppLocker. In AppLocker you can configure Executable Rules, Windows Installer Rules, and Script Rules. For example, you can right-click the Executable Rules node, and then click Create New Rule. You then can create a rule that allows or denies access to an executable file based on such criteria as the file path or publisher. AppLocker also will let you apply both default and automatically generated rules.

Creating Default AppLocker Rules

Many organizations implement standard user policies, which allow users to sign in to their computers only as a standard user. More independent software vendors are creating per-user applications that do not require administrative rights to be installed and are installed and run in the user profile folder. As a result, standard users can install many applications and circumvent the application lockdown policy.

With AppLocker, you can prevent users from installing and running per-user applications by creating a set of default AppLocker rules. The default rules also ensure that the key operating system files are allowed to run for all users.
Note: Before you manually create new rules or automatically generate rules for a specific folder, you must create default AppLocker rules.
Specifically, default rules enable the following:
• All users can run files in the default Program Files directory.
• All users can run all files signed by the Windows operating system.
• Members of the built-in Administrators group can run all files.

Perform the following steps to create default AppLocker rules:
1. To open the Local Security Policy MMC snap-in, run secpol.msc.
2. In the console tree, double-click Application Control Policies, and then double-click AppLocker.
3. Right-click Executable Rules, and then click Create Default Rules.

By creating these rules, you also have automatically prevented all non-administrator users from being able to run programs that are installed in their user profile directory. You can recreate the rules at any time.
Note: Without default rules, critical system files might not run. Once you have created one or more rules in a rule collection, only applications that are affected by those rules are allowed to run. If default rules are not created, and you are blocked from performing administrative tasks, restart the computer in safe mode, add the default rules, delete any Deny rules that are preventing access, and then refresh the computer policy.

Automatically Generating AppLocker Rules

Once you create default rules, you can create custom application rules. To facilitate creating sets or collections of rules, AppLocker includes a new Automatically Generate Rules Wizard that is accessible from the Local Security Policy console. This wizard simplifies the task of creating rules from a user-specified folder. By running this wizard on reference computers and specifying a folder that contains the .exe files for applications for which you want to create rules, you can quickly create AppLocker policies automatically. When you create a rule manually, you can choose whether it is an Allow or Deny rule. Allow rules enable applications to run, whereas Deny rules prevent applications from running. The Automatically Generate Rules Wizard only creates Allow rules.
Note: After you create one or more rules in a rule collection, only applications that are affected by those rules are allowed to run. For this reason, always create the default AppLocker rules for a rule collection first. If you did not create default rules and are prevented from performing administrative tasks, restart the computer in safe mode, add the default rules, delete any Deny rules that are preventing access, and then refresh the computer policy.


You can create exceptions for .exe files. For example, you can create a rule that allows all Windows processes to run except Regedit.exe and then use audit-only mode to identify files that will not be allowed to run if the policy is in effect. You can create rules automatically by running the wizard and specifying a folder that contains the .exe files for applications for which to create rules.
Note: Do not select a folder that contains one or more user profiles. Creating rules to allow .exe files in user profiles might not be secure.

Before you create the rules at the end of the wizard, review the analyzed files and view information about the rules that will be created. After the rules are created, edit them to make them more or less specific. For example, if you selected the Program Files directory as the source for automatically generating the rules and also created the default rules, there is an extra rule in the Executable Rules collection.

Automatically Generating Rules


To generate rules automatically from a reference folder:
1. Ensure that the Local Security Policy MMC is open.
2. In the console tree under Application Control Policies\AppLocker, right-click Executable Rules, and then click Automatically Generate Rules.
3. On the Folder and Permissions page, click Browse.
4. In the Browse For Folder dialog box, select the folder that contains the .exe files that you want to create the rules for, and then click OK.
5. Type a name to identify the rules, and then click Next. To help sort the rules in the MMC list view, the name that you provide is used as a prefix for the name of each rule that is created.
6. On the Rule Preferences page, click Next without changing any of the default values. The Rule generation progress dialog box is displayed while the files are processed.
7. On the Review Rules page, click Create. The wizard closes, and the rules are added to the Executable Rules details pane.

After automatically generating rules based on your preferences, you can edit the rules to make them more detailed.
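The same reference-folder rule generation can be scripted with the AppLocker PowerShell module; the following is an added example, not part of the course text. It assumes Windows 8.1 Enterprise with the AppLocker module, an administrator session, and placeholder values for the reference folder, the rule-name prefix, the output path, and the lab user Adatum\Adam.

```powershell
# Added example, not course material: script the Automatically Generate Rules wizard
# with the AppLocker PowerShell module (Windows 8.1 Enterprise, administrator session).
# Assumed values: the reference folder, the rule-name prefix, the output path, and
# the test user Adatum\Adam from the course lab environment.
Import-Module AppLocker

$ReferenceFolder = 'C:\Program Files'            # assumed; never point this at a user profile
$PolicyXmlPath   = "$env:TEMP\RefApps-Exe.xml"   # assumed output path for review and import
$TestUser        = 'Adatum\Adam'                 # assumed lab user

# 1. Gather publisher and hash data for every .exe under the reference folder, the same
#    information the wizard collects from the folder chosen on the Folder and Permissions page.
$files = Get-AppLockerFileInformation -Directory $ReferenceFolder -Recurse -FileType Exe
if (-not $files) { throw "No executables found under $ReferenceFolder" }

# Files without a valid signature cannot get a publisher rule and fall back to hash rules.
$unsigned = @($files | Where-Object { -not $_.Publisher })
Write-Host ("{0} executables found, {1} without a valid publisher signature" -f @($files).Count, $unsigned.Count)

# 2. Build Allow rules for Everyone. Publisher rules survive application updates; -Optimize
#    collapses rules that share a publisher, matching the wizard's default Rule Preferences.
#    Like the wizard, New-AppLockerPolicy only creates Allow rules.
$policyXml = New-AppLockerPolicy -FileInformation $files `
                                 -RuleType Publisher, Hash `
                                 -User Everyone `
                                 -RuleNamePrefix 'RefApps' `
                                 -Optimize -Xml

# 3. Save the policy for the Review Rules step: read it before it goes anywhere.
$policyXml | Out-File -FilePath $PolicyXmlPath -Encoding utf8

# 4. Check what the generated rules alone do to a system executable outside the reference
#    folder. This XML contains no default rules, so the expected PolicyDecision is
#    DeniedByDefault: once any rule exists in the Exe collection, unmatched files do not run.
#    That is why the lesson says to create the default rules before adding generated ones.
Test-AppLockerPolicy -XmlPolicy $PolicyXmlPath -Path 'C:\Windows\regedit.exe' -User $TestUser |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Merge the reviewed rules into the local policy. -Merge keeps the rules already present
#    (including the default rules) instead of replacing the whole policy.
Set-AppLockerPolicy -XmlPolicyPath $PolicyXmlPath -Merge
```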

Creating Rules Allowing Only Signed Applications to Run

With the advent of new experimental identification technologies in web browsers and operating systems, more independent software vendors are using digital signatures to sign their applications. These signatures simplify an organization's ability to identify applications as genuine and to create a better and more trustworthy user experience. Creating rules based on the digital signature of an application helps make it possible to build rules that survive application updates. For example, an organization can create a rule to allow all versions greater than 9.0 of a program to run if it is signed by the software publisher. In this way, when the program is updated, IT professionals can deploy the application update safely without having to build another rule.
Note: Before performing the following procedure, ensure that you have created default rules.


Perform the following steps to allow only signed applications to run:
1. To open the Local Security Policy MMC snap-in, on the Start screen, type secpol.msc, and then press Enter.
2. In the console tree, double-click Application Control Policies, and then double-click AppLocker.
3. Right-click Executable Rules, and then click Create New Rule.
4. On the Before You Begin page, click Next.
5. On the Permissions page, click Next to accept the default settings.
6. On the Conditions page, click Next.
7. On the Publisher page, note that the default setting is to allow any signed file to run, and then click Next.
8. On the Exceptions page, click Next.
9. On the Name and Description page, accept the default name or enter a custom name and description, and then click Create.

By using this rule and ensuring that all applications are signed within your organization, you can be sure that users are running only applications from known publishers.
Note: This rule prevents unsigned applications from running. Before implementing this rule, ensure that all of the files that you want to run in your organization are digitally signed. If any applications are not signed, consider implementing an internal signing process to sign unsigned applications with an internal signing key.
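Publisher rules such as the any-signed rule from this procedure, and the version-floor variant described earlier (versions 9.0 and later of a program signed by its publisher), can also be written directly as AppLocker policy XML; this added example is not from the course. It assumes the AppLocker module, a placeholder path for a signed reference program, a placeholder output path, the lab user Adatum\Adam, and the PublisherName, ProductName and BinaryName properties that Get-AppLockerFileInformation exposes on its Publisher object.

```powershell
# Added example, not course material: publisher rules written as AppLocker policy XML.
# Rule 1 reproduces the Create New Rule wizard's default of allowing any signed file;
# rule 2 is the lesson's "9.0 and later, signed by the publisher" case. Assumed values:
# the signed reference program path, the output path, and the lab user Adatum\Adam.
Import-Module AppLocker

$ReferenceExe  = 'C:\Program Files\Contoso\App\contoso.exe'   # assumed signed reference binary
$PolicyXmlPath = "$env:TEMP\Publisher-Rules.xml"               # assumed output path
$TestUser      = 'Adatum\Adam'                                 # assumed lab user

# Escape publisher strings so that & or " in a subject name keeps the XML well-formed.
function Esc([string]$s) { [System.Security.SecurityElement]::Escape($s) }

function New-PublisherRuleXml {
    # Emits one FilePublisherRule. "*" means "any" in each field; LowSection is the
    # lowest allowed file version and HighSection the highest.
    param(
        [string]$Name,
        [string]$PublisherName = '*', [string]$ProductName = '*', [string]$BinaryName = '*',
        [string]$LowVersion = '*', [string]$HighVersion = '*',
        [string]$UserOrGroupSid = 'S-1-1-0'     # well-known SID for Everyone
    )
    $id = [guid]::NewGuid().ToString()
@"
    <FilePublisherRule Id="$id" Name="$(Esc $Name)" Description="" UserOrGroupSid="$UserOrGroupSid" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="$(Esc $PublisherName)" ProductName="$(Esc $ProductName)" BinaryName="$(Esc $BinaryName)">
          <BinaryVersionRange LowSection="$LowVersion" HighSection="$HighVersion" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
"@
}

# Rule 1: any file with a valid digital signature, from any publisher (the wizard default).
$anySigned = New-PublisherRuleXml -Name 'Allow all signed executables'

# Rule 2: take the signer, product and binary name from the reference file itself so the
# rule names the real publisher, then pin the version floor at 9.0 and leave the ceiling open.
$info = Get-AppLockerFileInformation -Path $ReferenceExe
if (-not $info.Publisher) { throw "$ReferenceExe has no valid signature; a publisher rule needs one" }
$pinned = New-PublisherRuleXml -Name 'Allow Contoso App 9.0 and later' `
    -PublisherName $info.Publisher.PublisherName `
    -ProductName   $info.Publisher.ProductName `
    -BinaryName    $info.Publisher.BinaryName `
    -LowVersion    '9.0.0.0'

# EnforcementMode="NotConfigured" leaves enforcement to the policy these rules are merged into.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="NotConfigured">
$anySigned
$pinned
  </RuleCollection>
</AppLockerPolicy>
"@
$policyXml | Out-File -FilePath $PolicyXmlPath -Encoding utf8

# Test before merging: the reference file should be Allowed by rule 2 (rule 1 also matches);
# an unsigned .exe would be DeniedByDefault if these were the only rules in the Exe collection.
Test-AppLockerPolicy -XmlPolicy $PolicyXmlPath -Path $ReferenceExe -User $TestUser |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply locally once the output above looks right; -Merge keeps the default rules in place.
# Set-AppLockerPolicy -XmlPolicy $PolicyXmlPath -Merge
```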

Deleting Unnecessary Rules

If you created default rules and then selected the Program Files folder as the source to generate rules automatically, there are one or more extraneous rules in the Executable Rules collection. When you create the default rules, a path rule is added to allow any .exe file in the entire Program Files folder to run. This rule is added to ensure that users are not prevented by default from running applications. Because this rule conflicts with rules that were generated automatically, delete this rule to ensure that the policy is more specific. The name of the default rule is (Default Rule) Microsoft Windows Program Files Rule. Perform the following procedure to delete a rule:
1. Ensure that the Local Security Policy MMC is open.
2. In the console tree under Application Control Policies\AppLocker, click Executable Rules.
3. In the details pane, right-click (Default Rule) Microsoft Windows Program Files Rule, and then click Delete.
4. In the AppLocker dialog box, click Yes.

To determine if any applications are excluded from the rule set, enable the Audit only enforcement mode.

Starting the Application Identity Service

Before you can enforce AppLocker policies, you must start the Application Identity service. You need to be a member of the local Administrators group, or equivalent, to start the service by using the following procedure:
1. Click Start, type Services, and then click View local services.
2. In the Services console, double-click Application Identity.
3. In the Application Identity Properties dialog box, in the Startup type list, click Automatic, click Start, and then click OK.

Note: If an AppLocker rule is not working, check to see that the Application Identity service has started. This service is required to be running for AppLocker to work.
Question: When testing AppLocker, you must consider carefully how you will organize rules between linked Group Policy Objects (GPOs). What do you do if a GPO does not contain the default AppLocker rules?

Demonstration: Configuring AppLocker Rules


In this demonstration, you will see how to:
• Create a custom AppLocker rule.
• Automatically generate the script rules.

Demonstration Steps

Create a custom AppLocker rule
1. Sign in as administrator.
2. Open the Local Group Policy Editor.
3. In the Local Group Policy Editor, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Application Control Policies, and then double-click AppLocker.
4. Create a new executable rule:
   o Permissions: Deny
   o Group: Marketing
   o Program: C:\Windows\Regedit.exe

Automatically generate the script rules


1. Click the Script Rules node.
2. Select Automatically generate rules.

Demonstration: Enforcing AppLocker Rules

After you create new AppLocker rules, you must configure enforcement for the rule collections and refresh the computer's policy. Enforcement is configured in the Local Security Policy console in the Configure Rule Enforcement area. The following table outlines the three enforcement options for each rule type.

Enforcement mode: Enforce rules with Group Policy inheritance
Description: Default setting. If linked GPOs contain a different setting, that setting is used. If any rules are present in the corresponding rule collection, they are enforced.

Enforcement mode: Enforce rules
Description: Rules are enforced.

Enforcement mode: Audit only
Description: Rules are audited, but not enforced.

To view information about applications that are affected by AppLocker rules, use Event Viewer. Each event in the AppLocker operational log contains detailed information, such as the following:
• Which file was affected and the path of that file
• Whether the file was allowed or blocked
• The rule type: Path, File Hash, or Publisher
• The rule name
• The security identifier for the user that is targeted in the rule

Review the entries in the log to determine if any applications were not included in the rules. The following table identifies three events to use in determining which applications are affected.

Event ID: 8002
Level: Informational
Event text: Access to <file_name> is allowed by an administrator.
Description: Specifies that the file is allowed by an AppLocker rule.

Event ID: 8003
Level: Warning
Event text: Access to <file_name> is monitored by an administrator.
Description: Applied only when in the Audit only enforcement mode. Specifies that the file will be blocked if the Enforce rules enforcement mode is enabled.

Event ID: 8004
Level: Error
Event text: Access to <file_name> is restricted by an administrator.
Description: Applied only when the Enforce rules enforcement mode is either directly or indirectly set through Group Policy inheritance. The file cannot run.

Demonstration
This demonstration will show the different enforcement options and how to configure the enforcement for the rule that was created in the previous demonstration. The demonstration then will verify the enforcement with gpupdate.

Demonstration Steps

Enforce AppLocker rules

1. Switch to the Local Group Policy Editor.
2. View the properties of the AppLocker node.
3. Configure Enforcement:
   o Executable rules: Enforce rules
   o Script rules: Audit only


Confirm the executable rule enforcement


1. Refresh the Group Policy settings by typing gpupdate /force.
2. Open Computer Management, and then select Event Viewer.
3. Review the System log for Event ID 1502. This tells us that the Group Policy settings were refreshed.
4. Start the Application Identity service, which is required for AppLocker enforcement.

Test the executable rule enforcement


1. Sign out, and then sign in as Adatum\Adam.
2. Attempt to run Regedit.exe from the command prompt. You are successful, as the signed-in user is not a member of the Marketing group.
3. Sign in as Adatum\Administrator.
4. Open Event Viewer, and in Application and Services Logs\Microsoft\Windows\AppLocker, select the EXE and DLL log. Review the entries.
5. Locate Event ID 8004. It indicates that an attempt was made to run Regedit.exe, which was allowed to run.
6. Close all open windows, and then sign out.

Question: What is the command to update a computer's policy, and where is it run?
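The same checks the demonstration performs in the GUI (is the Application Identity service running, which enforcement mode applies to each rule collection, and which 8002/8003/8004 events the EXE and DLL log holds) can be scripted. The following is an added example written for this section, not code from the course; it assumes an elevated Windows PowerShell session on the client being checked, and that the AppLocker events carry their file, rule and target-user details in the event's UserData section under a RuleAndFileData element (the element names are an assumption).

```powershell
# Added example, not from the course: report AppLocker enforcement state and
# summarise the EXE and DLL operational log by the three event IDs above.
# Run in an elevated Windows PowerShell session on the client.

# Nothing is enforced or audited unless the Application Identity service runs.
$appId = Get-Service -Name AppIDSvc
if ($appId.Status -ne 'Running') {
    Write-Warning "Application Identity service is $($appId.Status); AppLocker rules are not applied."
}

# Effective policy: the merged result of local and domain GPOs on this computer.
$policy = Get-AppLockerPolicy -Effective
foreach ($collection in $policy.RuleCollections) {
    # EnforcementMode is NotConfigured, Enabled (Enforce rules) or AuditOnly.
    '{0,-7} {1,-14} {2} rule(s)' -f $collection.RuleCollectionType,
                                    $collection.EnforcementMode,
                                    $collection.Count
}

# Events from the last 24 hours, classified by ID.
$outcome = @{ 8002 = 'Allowed'; 8003 = 'Audited (would be blocked)'; 8004 = 'Blocked' }
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id        = 8002, 8003, 8004
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Assumption: file, rule and target user live under UserData/RuleAndFileData.
    $data = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
    $sid  = if ($data.TargetUser) { $data.TargetUser } else { $e.UserId.Value }
    try {
        $user = (New-Object System.Security.Principal.SecurityIdentifier $sid).Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $user = $sid   # SID that no longer resolves (deleted account, untrusted domain)
    }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Outcome = $outcome[[int]$e.Id]
        User    = $user
        File    = $data.FilePath
        Rule    = $data.RuleName
    }
}

$rows | Sort-Object Time -Descending | Format-Table -AutoSize
# Count per outcome: a rule collection in Audit only mode shows up as 8003 here,
# which is the list of files that would be blocked once you switch to Enforce rules.
$rows | Group-Object Outcome | Select-Object Name, Count | Format-Table -AutoSize
```

Reviewing the 8003 counts before switching a collection from Audit only to Enforce rules is the practical value of the audit mode: every file listed there is one that users will lose when enforcement starts.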


Lab B: Configuring AppLocker


Scenario

Holly is concerned that people in her department are spending time listening to music files. She wants a way to disable the Windows Media Player. You decide to implement AppLocker to prevent members of the IT group from running this program.

Objectives
After completing this lab, you will be able to:

- Configure AppLocker rules.
- Test AppLocker rules.

Lab Setup
Estimated Time: 20 minutes
Virtual machines: 20687C-LON-DC1, 20687C-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. Verify that the following virtual machines are running:
   o 20687C-LON-DC1
   o 20687C-LON-CL1

Exercise 1: Configuring AppLocker Rules


Scenario
In this exercise, you will create the executable and default AppLocker rules. The main tasks for this exercise are as follows:

1. Create a new executable rule.
2. Enforce AppLocker rules.

Task 1: Create a new executable rule


1. Sign in as Adatum\Administrator with password Pa$$w0rd.
2. Open the Local Group Policy Editor, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Application Control Policies, and then double-click AppLocker.
3. Create a new Executable rule with the following properties:
   o Permissions: Deny
   o Group: IT
   o Program: C:\Program Files\Windows Media Player\wmplayer.exe
4. Create the default rules.


Task 2: Enforce AppLocker rules


1. In the Local Group Policy Editor, open the AppLocker Properties, and then configure the Executable rules for Enforce rules.
2. Close the Local Group Policy Editor, and then open an elevated command prompt. Run the gpupdate /force command.
3. Sign out from LON-CL1.

Results: After completing this exercise, you should have created the required AppLocker rule successfully.

Exercise 2: Testing the AppLocker Rules


Scenario

In this exercise, you will confirm the executable rule and then test it by signing in as a member of the IT group. The main tasks for this exercise are as follows:

1. Confirm the executable rule enforcement.
2. Test the enforcement.

Task 1: Confirm the executable rule enforcement


1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. Open Event Viewer, and then expand Windows Logs.
3. View the System log in Event Viewer. Check for Event ID 1502.
4. Start the Application Identity service.
5. Sign out from LON-CL1.

Task 2: Test the enforcement


1. Sign in to LON-CL1 as Adatum\Holly with password Pa$$w0rd.
2. Attempt to open Windows Media Player.
3. Sign out, and then sign in as Adatum\Administrator with password Pa$$w0rd.
4. Open Event Viewer.
5. Locate the Application and Services\Microsoft\Windows\AppLocker\EXE and DLL log. Locate Event ID 8004. This shows that Holly attempted to run a prohibited application.
6. Close all open windows, and then sign out.

Results: After completing this exercise, you should have verified the function of your executable AppLocker rule successfully.
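The two exercises of this lab, as an added example scripted rather than clicked through (this is not the lab's own material or Microsoft's code): the deny rule for wmplayer.exe scoped to the IT group is written as AppLocker policy XML together with the three default executable rules, tested against named users with Test-AppLockerPolicy before it is applied, and then merged into the local policy. It assumes the Adatum domain, its IT group and the user Holly exist as in the lab, an elevated session on LON-CL1, and that C:\Temp may be used for the policy file.

```powershell
# Added example, not part of the lab: Lab B's executable deny rule as policy XML,
# dry-run with Test-AppLockerPolicy, then merged into the local AppLocker policy.
# Assumes the Adatum domain and its IT group are reachable; C:\Temp is an assumption.

# AppLocker rules store SIDs, so resolve the group name first.
$itSid = (New-Object System.Security.Principal.NTAccount 'Adatum\IT').Translate(
             [System.Security.Principal.SecurityIdentifier]).Value

function New-PathRule([string]$Name, [string]$Sid, [string]$Action, [string]$Path) {
    # One FilePathRule element; every rule needs its own GUID.
    @"
    <FilePathRule Id="$([guid]::NewGuid())" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="$Action">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}

# The lab's deny rule plus the three default executable rules, so Windows and
# Program Files keep running for everyone and administrators can run anything.
# EnforcementMode="Enabled" is the XML form of "Enforce rules" (Task 2).
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
$(New-PathRule 'Deny IT: Windows Media Player' $itSid 'Deny' '%PROGRAMFILES%\Windows Media Player\wmplayer.exe')
$(New-PathRule '(Default Rule) All files located in the Program Files folder' 'S-1-1-0' 'Allow' '%PROGRAMFILES%\*')
$(New-PathRule '(Default Rule) All files located in the Windows folder' 'S-1-1-0' 'Allow' '%WINDIR%\*')
$(New-PathRule '(Default Rule) All files' 'S-1-5-32-544' 'Allow' '*')
  </RuleCollection>
</AppLockerPolicy>
"@

$file = 'C:\Temp\LabB-AppLocker.xml'
New-Item -ItemType Directory -Path (Split-Path $file) -Force | Out-Null
Set-Content -Path $file -Value $policyXml -Encoding UTF8

# Dry run against the XML before it is applied: Holly should be denied wmplayer.exe
# but still allowed other Windows binaries; an administrator is allowed everything.
$wmp = 'C:\Program Files\Windows Media Player\wmplayer.exe'
Test-AppLockerPolicy -XmlPolicy $file -Path $wmp, 'C:\Windows\notepad.exe' -User 'Adatum\Holly' |
    Select-Object FilePath, PolicyDecision, MatchingRule | Format-Table -AutoSize
Test-AppLockerPolicy -XmlPolicy $file -Path $wmp -User 'Adatum\Administrator' |
    Select-Object FilePath, PolicyDecision, MatchingRule | Format-Table -AutoSize

# Apply: -Merge keeps rules already in the local policy. Then make sure the
# Application Identity service runs and refresh policy, as in Exercise 2 Task 1.
Set-AppLockerPolicy -XmlPolicy $file -Merge
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
gpupdate /force
```

Because the deny rule and the "All files located in the Program Files folder" allow rule both match wmplayer.exe, the dry run shows how AppLocker resolves the overlap: an explicit deny takes precedence over an allow, so Holly is denied while the default rules still let her run everything else under Program Files.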


Prepare for the next module


When you have finished the lab, revert all virtual machines to their initial state:

1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687C-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20687C-LON-DC1.


Module Review and Takeaways


Best Practice: Best Practices for AppLocker

Before you manually create new rules or automatically generate rules for a specific folder, you should create the default AppLocker rules. The default rules ensure that key operating system files are allowed to run for all users.

When testing AppLocker, carefully consider how you will organize rules between linked GPOs. If a GPO does not contain default rules, then add the rules directly to the GPO or add them to a GPO that links to it.

After creating new rules, you must configure enforcement for the rule collections and then refresh the computer's policy. By default, AppLocker rules do not allow users to open or run any files that are not specifically allowed. Administrators must maintain a current list of allowed applications.

If AppLocker rules are defined in a GPO, only those rules are applied. To ensure interoperability between software restriction policy rules and AppLocker rules, define software restriction policy rules and AppLocker rules in different GPOs. When you set an AppLocker rule to Audit only, the rule is not enforced. When a user runs an application that is included in the rule, the application opens and runs normally, and information about that application is added to the AppLocker event log.

Common Issues and Troubleshooting Tips


Common Issue                                  Troubleshooting Tip
AppLocker policies do not work correctly.

Review Questions
Question: What are some of the privacy features in Internet Explorer?

Question: Trevor has implemented AppLocker. Before he created the default rules, he created a custom rule that allowed all Windows processes to run except for Regedit.exe. Because he did not create the default rules first, he is blocked from performing administrative tasks. What does he need to do to resolve the issue?

Tools
Tool                 Use for                                  Where to find it
Windows PowerShell   Command-line management tool             Windows 8.1
Dism.exe             Servicing and managing Windows images    Windows 8.1
Msiexec.exe          Managing installations                   Command line
Gpupdate             Managing policy application              Command line

Module 12
Optimizing and Maintaining Windows 8.1 Computers
Contents:
Module Overview                                        12-1
Lesson 1: Optimizing Performance in Windows 8.1        12-2
Lab A: Optimizing Windows 8.1 Performance              12-10
Lesson 2: Managing the Reliability of Windows 8.1      12-14
Lesson 3: Managing Software Updates in Windows 8.1     12-19
Lab B: Maintaining Windows Updates                     12-26
Module Review and Takeaways                            12-28

Module Overview
Users have high expectations of technology. Therefore, performance is a key issue in today's business environment, and it is important to consistently optimize and manage your system's performance.

The Windows 8.1 operating system includes several monitoring and configuration tools that you can use to obtain information about computer performance, to maintain reliability, and to configure operating system and app updates.

Objectives
After completing this module, you will be able to:

- Optimize Windows 8.1 performance.
- Manage the reliability of Windows 8.1.
- Manage software updates in Windows 8.1.


Lesson 1

Optimizing Performance in Windows 8.1

A computer system that performs at a low efficiency level can cause problems in a work environment. Poor performance potentially reduces user productivity and consequently increases user frustration. Computers that are not performing to their full capability need to be examined so that you can determine the source of the poor performance and correct it. Windows 8.1 helps you to determine potential causes of poor performance and then provides appropriate tools to resolve performance issues.

Lesson Objectives
After completing this lesson, you will be able to:

- Identify common issues with performance and reliability.
- Describe how to use Task Manager to identify performance problems.
- Describe how to use Performance Monitor and data collector sets.
- Use Resource Monitor to view system performance.
- Analyze system performance by using Performance Monitor and data collector sets.
- Describe the considerations for monitoring system performance.

Discussion: Common Issues with Performance and Reliability


Poor performance and a lack of reliability are two of the most common user complaints about computer systems. Computers respond slowly for several reasons, such as having an excessively fragmented file system, unnecessary software that consumes resources, too many startup programs, or perhaps even a virus. Additionally, the software that users install might have operational problems, incompatible drivers, or result in operating system failures. All of these issues can affect a computer's reliability. Performance is a measure of how quickly a computer finishes application and system tasks. Performance problems can occur when computers lack available resources.

Reliability is a measure of how a system conforms to expected behavior. A system that often deviates from the behavior that you configure or expect has poor reliability.

Question: What factors can influence computer system performance?

Question: What factors might contribute to reliability issues in a computer system?


Overview of Task Manager


In Windows 8.1, Task Manager provides information that can help you identify and resolve performance-related problems. Task Manager includes the following tabs:

- Processes. The Processes tab displays a list of running programs, which is subdivided into apps and internal Windows processes. For each running process, this tab displays a summary of processor and memory usage.
- Performance. The Performance tab displays a summary of central processing unit (CPU) and memory usage, and network statistics.
- App history. The App history tab displays statistics and resource consumption by apps. This is useful for identifying a specific app that is consuming excessive resources.
- Startup. The Startup tab displays items that are configured to run at startup. You can choose to disable any programs listed.
- Users. The Users tab displays resource consumption on a per-user basis. You also can expand the user view to see more detailed information about the specific processes that a user is running.
- Details. The Details tab lists all the running processes on a server, providing statistics about the CPU, memory, and other resource consumption. You can use this tab to manage running processes. For example, you can stop a process, stop a process and all related processes, and change the priority values of processes. By changing the priority of a process, you determine how much CPU resources the process can consume. By increasing the priority, you allow the process to request more CPU resources.
- Services. The Services tab provides a list of running Windows services with related information, including whether a service is running and the process identifier (PID) value of a running service. You can start and stop services by using the list on the Services tab.

Generally, you might consider using Task Manager when a performance-related problem first becomes apparent. For example, you might examine running processes to determine if a particular program is using excessive CPU resources. Always remember that Task Manager only shows current resource consumption. You also might need to examine historical data to determine the true picture about a server computer's performance and response under load.
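The Task Manager views above have command-line equivalents, which matters when the problem computer is reached over a remote session or when you want to capture the same picture repeatedly in a script. The following is an added example written for this lesson, not code from the course; it assumes an elevated Windows PowerShell 4.0 session on Windows 8.1 (Get-Process -IncludeUserName needs both).

```powershell
# Added example, not from the course: the Task Manager tabs as PowerShell queries.
# Run elevated; -IncludeUserName (Users tab) requires Windows PowerShell 4.0.

# Processes / Details tabs: the ten heaviest processes by accumulated CPU time,
# with working set in MB. CPU is blank for processes you cannot open, hence [double].
Get-Process |
    Sort-Object CPU -Descending |
    Select-Object -First 10 Id, ProcessName,
        @{ n = 'CPU(s)'; e = { [math]::Round([double]$_.CPU, 1) } },
        @{ n = 'WS(MB)'; e = { [math]::Round($_.WorkingSet64 / 1MB, 1) } } |
    Format-Table -AutoSize

# Services tab: running services and the PID of the process hosting each one.
# Several services sharing a PID are running inside the same svchost.exe.
Get-CimInstance Win32_Service -Filter "State = 'Running'" |
    Select-Object ProcessId, Name, StartMode |
    Sort-Object ProcessId |
    Format-Table -AutoSize

# Startup tab: items registered to run at sign-in (Run keys and Startup folders).
Get-CimInstance Win32_StartupCommand |
    Select-Object Name, Command, Location, User |
    Format-Table -AutoSize

# Users tab: process count and total working set per signed-in account.
Get-Process -IncludeUserName |
    Group-Object UserName |
    Select-Object Name, Count,
        @{ n = 'WS(MB)'; e = { [math]::Round(($_.Group | Measure-Object WorkingSet64 -Sum).Sum / 1MB, 1) } } |
    Sort-Object 'WS(MB)' -Descending |
    Format-Table -AutoSize
```

Like Task Manager itself, each query is a snapshot of the current moment; to see how a process behaves over time you still need Performance Monitor and a data collector set, covered next.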


Using Performance Monitor and Data Collector Sets


Performance Monitor is a Microsoft Management Console (MMC) snap-in that you can use to obtain system performance information. You can use this tool to analyze performance effects that apps and services have on your computer, and you also can use it to obtain an overview of system performance or to collect detailed information for troubleshooting. Performance Monitor includes the following features:

- Monitoring Tools
- Data Collector Sets
- Reports

You also can access Resource Monitor from Performance Monitor.

Monitoring Tools

Monitoring Tools contains the Performance Monitor, and it provides a visual display of built-in Windows performance counters, either in real time or as historical data. Performance Monitor includes the following features:

- Multiple graph views
- Custom views that you can export as data collector sets

Performance Monitor uses performance counters to measure a system's state or activity. The operating system and individual apps can each provide performance counters. Performance Monitor requests the current value of performance counters at specified time intervals.

You can add performance counters to Performance Monitor by performing a drag-and-drop operation on the counters or by creating a custom data collector set. Performance Monitor features multiple graph views that you can use for a visual review of performance log data. You can create custom views in Performance Monitor that you can export as data collector sets for use with performance and logging features.

Data Collector Sets


After you create a combination of data collectors that describe useful system information, you can save them as a data collector set, and then run and view the results.

A data collector set is a custom set of performance counters, event traces, and system-configuration data.

A data collector set organizes multiple data-collection points into a single, portable component. You can use a data collector set on its own, group it with other data collector sets and incorporate it into logs, or view it in Performance Monitor. You can configure a data collector set to generate alerts when it reaches thresholds so that third-party apps can use it.

You also can configure a data collector set to run at a scheduled time, for a specific length of time, or until it reaches a predefined size. For example, you can run a data collector set for 10 minutes every hour during your working hours to create a performance baseline. You also can set a data collector to restart when it reaches set limits so that a separate file will be created for each interval.


You can use data collector sets and Performance Monitor tools to organize multiple data collection points into a single component that you can use to review or log performance. Performance Monitor also includes default data collector set templates to help system administrators begin the process of collecting performance data that is specific to a server role or monitoring scenario.

Reports

Use the Reports feature to view and generate reports from a set of counters that you create by using data collector sets.

Resource Monitor

Use this view to monitor the use and performance of CPU, disk, network, and memory resources in real time. This lets you identify and resolve resource conflicts and bottlenecks.

By expanding the monitored elements, system administrators can identify which processes are using which resources. In previous versions of Windows operating systems, Task Manager made this real-time, process-specific data available, but only in a limited form.

Demonstration: Using Resource Monitor


In this demonstration, you will see how to use Resource Monitor.

Demonstration Steps
1. Sign in to LON-CL1 as administrator.
2. Open Resource Monitor.
3. View the information on the Overview tab. This tab shows CPU usage, disk I/O, network usage, and memory usage information for each process. A bar above each section provides summary information.
4. View the information on the CPU tab. This tab has more detailed CPU information that you can filter so that it is based on the process.
5. View the information on the Memory tab. This tab provides detailed information about memory usage for each process. Notice that the process that you selected previously remains selected so that you can review multiple kinds of information about a process as you switch between tabs.
6. View the information on the Disk tab. This tab shows processes with recent disk activity.
7. View the information in the Network tab. This tab provides information about all processes with current network activity.

Demonstration: Analyzing System Performance by Using Performance Monitor and Data Collector Sets

In this demonstration, you will see how to analyze system performance by using data collector sets and Performance Monitor.

Demonstration Steps Open Performance Monitor


1. Sign in to LON-CL1 as administrator, and then open Performance Monitor.
2. View the default chart.


Add new values to the chart


Add additional real-time counters to the default chart view.

Create a data collector set


Create a user-defined data collector set.

Examine a report
Examine a report on the collected data.

Considerations for Monitoring System Performance


Monitor the Current System Resource by Using Resource Monitor
Resource Monitor provides at-a-glance data for CPU, disk, network, and memory resources. Therefore, it is a good starting point for monitoring or troubleshooting tasks. Resource Monitor shows you what happens with your current Windows operating system. You can view which processes are consuming CPU resources and generating disk activity, and you also can view the current activity of the network adapter. Note that each tab provides additional details.

For example, if you suspect high consumption of your CPU processing capacity, you can view the CPU tab and then see exactly what processes are executing on your machine, how many threads they are executing, and how much CPU use is occurring. You also can view your computer's installed memory, how much the operating system can use, how much it is using currently, and how much is reserved for hardware. From the Disk view, you can view all disk I/O and detailed information on disk activity. You can view processes with network activity in the Network view, and monitor which processes are running and consuming too much bandwidth. Additionally, Resource Monitor enables you to investigate which product, which tool, or which app is running currently and consuming CPU, disk, network, and memory resources.

Create a Performance Baseline by Using Performance Monitor and Data Collector Sets
You can set up a baseline in Performance Monitor to help you with the following tasks:

- Evaluating a computer's workload.
- Monitoring system resources.
- Noticing changes and trends in resource use.
- Testing configuration changes.
- Diagnosing problems.

By using data collector sets, you can establish a baseline to use as a standard for comparison. Create a baseline when you first configure a computer, at regular intervals of typical usage, and when you make any changes to a computer's hardware or software configuration. If you have appropriate baselines, you can determine which resources are affecting a computer's performance.


You can monitor your system remotely. However, the use of counters across a network connection for an extended period of time can congest network traffic. If you have disk space on a server for performance log files, we recommend that you record performance log information locally.

Performance issues can occur because of the number of counters being sampled and the frequency with which sampling occurs. Therefore, it is important to test the number of counters and the frequency of data collection. This lets you determine the right balance between your environment's needs and the provision of useful performance information. For an initial performance baseline, however, we recommend that you use the highest number of counters possible and the highest frequency available. The following table shows commonly used performance counters.

Counter                                   Usage
LogicalDisk\% Free Space                  This counter measures the percentage of free space on a selected logical disk drive. Take note if this falls below 15 percent because you risk running out of free space for the operating system to use to store critical files. One obvious solution is to add more disk space.
PhysicalDisk\% Idle Time                  This counter measures the percentage of time the disk was idle during the sample interval. If this counter falls below 20 percent, the disk system is saturated. You might consider replacing the current disk system with a faster one.
PhysicalDisk\Avg. Disk sec/Read           This counter measures the average time, in seconds, to read data from the disk. If the number is larger than 25 milliseconds (ms), that means the disk system is experiencing latency when it is reading from the disk.
PhysicalDisk\Avg. Disk sec/Write          This counter measures the average time, in seconds, it takes to write data to the disk. If the number is larger than 25 ms, the disk system experiences latency when it is writing to the disk.
PhysicalDisk\Avg. Disk Queue Length       This counter indicates how many I/O operations are waiting for the hard drive to become available. If the value is larger than two times the number of spindles, it means that the disk itself might be the bottleneck.
Memory\Cache Bytes                        This counter indicates the amount of memory that the file-system cache is using. There might be a disk bottleneck if this value is greater than 300 megabytes (MB).
Memory\% Committed Bytes In Use           This counter measures the ratio of Committed Bytes to the Commit Limit, or in other words, the amount of virtual memory in use. If the number is greater than 80 percent, it indicates insufficient memory.
Memory\Available MBytes                   This counter measures the amount of physical memory, in megabytes, available for running processes. If this value is less than 5 percent of the total physical random access memory (RAM), that means there is insufficient memory, and that can increase paging activity.
Memory\Free System Page Table Entries     This counter indicates the number of Page Table Entries not currently in use by the system. If the number is less than 5,000, there might be a memory leak.
Memory\Pool Nonpaged Bytes                This counter measures the size, in bytes, of the nonpaged pool. This is an area of system memory for objects that cannot be written to disk, but instead must remain in physical memory as long as they are allocated. There is a possible memory leak if the value is greater than 175 MB (or 100 MB with the /3GB switch).
Memory\Pool Paged Bytes                   This counter measures the size, in bytes, of the paged pool. This is an area of system memory for objects that can be written to disk when they are not being used. There might be a memory leak if this value is greater than 250 MB (or 170 MB with the /3GB switch).
Memory\Pages/sec                          This counter measures the rate at which pages are read from, or written to, the disk to resolve hard page faults. If the value is greater than 1,000, as a result of excessive paging, there might be a memory leak.
Processor\% Processor Time                This counter measures the percentage of elapsed time that the processor spends executing a non-idle thread. If the percentage is greater than 85 percent, the processor is overwhelmed, and the computer might require a faster processor.
Processor\% User Time                     This counter measures the percentage of elapsed time that the processor spends in user mode. If this value is high, the server is busy with the app.
Processor\% Interrupt Time                This counter measures the time that the processor spends receiving and servicing hardware interruptions during specific sample intervals. This counter indicates a possible hardware issue if the value is greater than 15 percent.
System\Processor Queue Length             This counter indicates the number of threads in the processor queue. The server does not have enough processor power if the value is more than two times the number of CPUs for an extended period of time.
Network Interface\Bytes Total/sec         This counter measures the rate at which bytes are sent and received over each network adapter, including framing characters. The network is saturated if you discover that more than 70 percent of the interface is consumed.
Network Interface\Output Queue Length     This counter measures the length of the output packet queue, in packets. There is network saturation if the value is more than two.
Process\Handle Count                      This counter measures the total number of handles that a process currently has open. This counter indicates a possible handle leak if the number is greater than 10,000.
Process\Thread Count                      This counter measures the number of threads currently active in a process. There might be a thread leak if this number is more than 500 between the minimum and maximum number of threads.
Process\Private Bytes                     This counter indicates the amount of memory that this process has allocated that it cannot share with other processes. If the value is greater than 250 between the minimum and maximum number of threads, there might be a memory leak.

Plan Monitoring Carefully

If you are monitoring several data collector sets that sample data at frequent intervals, this can create a load on the system that you are monitoring and large log files that you'll need to analyze. Plan the monitoring of the counters and sampling intervals carefully to ensure that the data that you collect represents system performance accurately.
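The thresholds in the counter table above can be checked directly with Get-Counter rather than read off a chart. The following is an added example written for this lesson, not code from the course or from Microsoft: it samples the system-wide counters from the table, averages them, and prints a warning for every average that crosses the table's threshold. Hardware-dependent limits (CPU count, RAM size, spindle count) are read from WMI; taking one spindle per physical disk is an assumption, and the per-process leak checks (Handle Count, Thread Count, Private Bytes), which need a time series to compare minimum and maximum, are left out.

```powershell
# Added example, not from the course: sample the table's counters and flag the
# averages that cross its thresholds. Assumes one spindle per Win32_DiskDrive.

$cs       = Get-CimInstance Win32_ComputerSystem
$cpuCount = $cs.NumberOfLogicalProcessors
$ramMB    = [math]::Round($cs.TotalPhysicalMemory / 1MB)
$spindles = @(Get-CimInstance Win32_DiskDrive).Count

# Counter path -> script block that returns a warning string when the table's
# threshold is crossed and nothing otherwise. Disk latency counters are in seconds.
$checks = [ordered]@{
    '\LogicalDisk(C:)\% Free Space'                = { param($v) if ($v -lt 15) { "only $v% free" } }
    '\PhysicalDisk(_Total)\% Idle Time'            = { param($v) if ($v -lt 20) { "disk saturated, idle $v%" } }
    '\PhysicalDisk(_Total)\Avg. Disk sec/Read'     = { param($v) if ($v -gt 0.025) { "read latency $([int]($v * 1000)) ms" } }
    '\PhysicalDisk(_Total)\Avg. Disk sec/Write'    = { param($v) if ($v -gt 0.025) { "write latency $([int]($v * 1000)) ms" } }
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length' = { param($v) if ($v -gt 2 * $spindles) { "queue $v exceeds 2 x $spindles spindles" } }
    '\Memory\Cache Bytes'                          = { param($v) if ($v -gt 300MB) { "file cache $([int]($v / 1MB)) MB" } }
    '\Memory\% Committed Bytes In Use'             = { param($v) if ($v -gt 80) { "commit charge $v%" } }
    '\Memory\Available MBytes'                     = { param($v) if ($v -lt 0.05 * $ramMB) { "$v MB free of $ramMB MB" } }
    '\Memory\Free System Page Table Entries'       = { param($v) if ($v -lt 5000) { "free PTEs $v" } }
    '\Memory\Pool Nonpaged Bytes'                  = { param($v) if ($v -gt 175MB) { "nonpaged pool $([int]($v / 1MB)) MB" } }
    '\Memory\Pool Paged Bytes'                     = { param($v) if ($v -gt 250MB) { "paged pool $([int]($v / 1MB)) MB" } }
    '\Memory\Pages/sec'                            = { param($v) if ($v -gt 1000) { "hard page faults $v/s" } }
    '\Processor(_Total)\% Processor Time'          = { param($v) if ($v -gt 85) { "CPU busy $v%" } }
    '\Processor(_Total)\% Interrupt Time'          = { param($v) if ($v -gt 15) { "interrupt time $v%, check hardware" } }
    '\System\Processor Queue Length'               = { param($v) if ($v -gt 2 * $cpuCount) { "run queue $v exceeds 2 x $cpuCount CPUs" } }
    '\Network Interface(*)\Output Queue Length'    = { param($v) if ($v -gt 2) { "output queue $v" } }
}

# Five samples two seconds apart; Get-Counter returns one sample set per interval
# and one CounterSample per counter instance inside it.
$sets   = Get-Counter -Counter @($checks.Keys) -SampleInterval 2 -MaxSamples 5 -ErrorAction SilentlyContinue
$series = @{}
foreach ($set in $sets) {
    foreach ($s in $set.CounterSamples) {
        $key = $s.Path -replace '^\\\\[^\\]+', ''     # strip the \\hostname prefix
        if (-not $series.ContainsKey($key)) { $series[$key] = @() }
        $series[$key] += $s.CookedValue
    }
}

$report = foreach ($path in $checks.Keys) {
    # -like is case-insensitive and lets the (*) instance wildcard match every adapter.
    foreach ($key in ($series.Keys | Where-Object { $_ -like $path })) {
        $avg = [math]::Round(($series[$key] | Measure-Object -Average).Average, 3)
        [pscustomobject]@{
            Counter = $key
            Average = $avg
            Warning = & $checks[$path] $avg
        }
    }
}
$report | Format-Table -AutoSize
```

A run with an empty Warning column is the healthy case; because the thresholds are the table's own rules of thumb, treat a single flagged average as a reason to collect a proper baseline with a data collector set rather than as a diagnosis.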


Lab A: Optimizing Windows 8.1 Performance


Scenario

Users at A. Datum Corporation are about to receive new Windows 8.1 computers. Use Performance Monitor to establish a performance baseline and measure a typical computers responsiveness under a representative load. This will help ensure that resources, such as RAM and CPU, are specified correctly for these computers.

Objectives
After you have completed this lab, you will be able to:

- Create a performance baseline.
- Introduce additional workload.
- Measure system performance and analyze results.

Lab Setup
Estimated Time: 25 minutes
Virtual machines: 20687C-LON-DC1, 20687C-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687C-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in by using the following credentials:
   o User name: Administrator
   o Password: Pa$$w0rd
   o Domain: Adatum
5. Repeat steps 2 to 4 for 20687C-LON-CL1.

Exercise 1: Creating a Performance Baseline


Scenario
In this exercise, you will create a performance baseline against which to measure future performance. The main tasks for this exercise are as follows:

1. Establish a performance baseline.
2. View the baseline report.


Task 1: Establish a performance baseline


1. On LON-CL1, sign in as Adatum\Administrator with password Pa$$w0rd, and then open Performance Monitor.
2. Create a user-defined data collector set with the following properties:
   o Name: Adatum Baseline
   o Create manually (Advanced)
   o Performance counter
   o Sample interval: 1 second
   o Counters to include:
     - Memory > Pages/sec
     - Network Interface > Packets/sec
     - PhysicalDisk > % Disk Time
     - PhysicalDisk > Avg. Disk Queue Length
     - Processor > % Processor Time
     - System > Processor Queue Length
3. Start the data collector set, and then start the following programs:
   o Microsoft Word 2013
   o Microsoft Office Excel 2013
   o Microsoft Office PowerPoint 2013
4. Close all Microsoft Office apps, and in Performance Monitor, stop the Adatum Baseline data collector set.

Task 2: View the baseline report


1. In Performance Monitor, locate Reports\User Defined\Adatum Baseline.
2. Click the report that has a name that begins with LON-CL1. Record the following values:
   o Memory\Pages/sec
   o Network Interface\Packets/sec
   o PhysicalDisk\% Disk Time
   o PhysicalDisk\Avg. Disk Queue Length
   o Processor\% Processor Time
   o System\Processor Queue Length

Results: After completing this exercise, you should have created a performance baseline.


Exercise 2: Introducing Additional Workload


Scenario
In this exercise, you introduce additional computer workload by running a script that performs various tasks on the computer. The main task for this exercise is as follows:

1. Create a load on the computer.

Task 1: Create a load on the computer


1. On LON-CL1, in Performance Monitor, start the Adatum Baseline data collector set.
2. Run the E:\Labfiles\Mod12\Load.cmd script.

Results: After completing this exercise, you should have generated additional load on the computer.

Exercise 3: Measuring System Responsiveness Under Load


Scenario

In this exercise, you will compare the results that you collected during performance monitoring with those collected earlier when you created the baseline. The main task for this exercise is as follows:

1. Identify performance bottlenecks in the computer.

Task 1: Identify performance bottlenecks in the computer


1. Open Resource Monitor. Which components are under strain?
2. After a few minutes, close the instance of C:\Windows\System32\Cmd.exe launched by the script.
3. Switch to Performance Monitor, and then stop the Adatum Baseline data collector set, if necessary.
4. In Performance Monitor, locate Reports\User Defined\Adatum Baseline.
5. Click the second report that has a name that begins with LON-CL1.
6. View the data as a report.
7. Record the component details:
   o Memory\Pages/sec
   o Network Interface\Packets/sec
   o PhysicalDisk\% Disk Time
   o PhysicalDisk\Avg. Disk Queue Length
   o Processor\% Processor Time
   o System\Processor Queue Length
8. In your opinion, which components are affected the most?
9. Close all open windows and programs, and then go back to the Start screen.

Results: After completing this exercise, you should have identified the computer's performance bottleneck.
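The three exercises of this lab, as an added example that scripts them end to end (this is not the lab's own material or Microsoft's code): the Adatum Baseline data collector set with the same six counters and 1-second interval is created with logman.exe instead of the Performance Monitor GUI, run once idle and once while the lab's Load.cmd is running, and the two binary logs are converted with relog.exe and compared counter by counter. It assumes an elevated session on LON-CL1, that E:\Labfiles\Mod12\Load.cmd exists as in Exercise 2, that C:\PerfLogs\Adatum may be used for the logs, and that each run lasts two minutes (in place of the Office workload of Exercise 1).

```powershell
# Added example, not part of the lab: Exercises 1 to 3 scripted with logman and
# relog. Assumptions: E:\Labfiles\Mod12\Load.cmd exists, C:\PerfLogs\Adatum is
# writable, and each run is two minutes long.

$name     = 'Adatum Baseline'
$outDir   = 'C:\PerfLogs\Adatum'
$counters = @(
    '\Memory\Pages/sec'
    '\Network Interface(*)\Packets/sec'
    '\PhysicalDisk(_Total)\% Disk Time'
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length'
    '\Processor(_Total)\% Processor Time'
    '\System\Processor Queue Length'
)
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Counter collector with a 1-second sample interval; -v nnnnnn numbers each run's log.
logman create counter $name -c $counters -si 00:00:01 -o "$outDir\baseline" -f bin -v nnnnnn | Out-Null

function Invoke-Collection([string]$Label, [scriptblock]$Workload) {
    logman start $name | Out-Null
    & $Workload
    logman stop $name | Out-Null
    # The newest .blg belongs to this run; relog turns it into CSV for PowerShell.
    $blg = Get-ChildItem "$outDir\*.blg" | Sort-Object LastWriteTime | Select-Object -Last 1
    $csv = "$outDir\$Label.csv"
    relog $blg.FullName -f CSV -o $csv -y | Out-Null
    $csv
}

function Get-CounterAverages([string]$CsvPath) {
    $rows = Import-Csv $CsvPath
    # Column 1 is the timestamp; every other column is one \\host\counter.
    foreach ($col in ($rows[0].PSObject.Properties.Name | Select-Object -Skip 1)) {
        # Rate counters leave the first sample blank, so keep numeric cells only.
        $values = $rows | ForEach-Object { $_.$col } |
                  Where-Object { $_ -match '^\s*-?\d' } | ForEach-Object { [double]$_ }
        [pscustomobject]@{
            Counter = $col -replace '^\\\\[^\\]+', ''
            Average = [math]::Round(($values | Measure-Object -Average).Average, 2)
        }
    }
}

# Run 1: idle baseline (Exercise 1). Run 2: the lab's load script (Exercise 2),
# ended after two minutes like lab step 2 of Exercise 3. Load.cmd may leave
# child processes of its own; end those the same way if they remain.
$idleCsv = Invoke-Collection 'idle' { Start-Sleep -Seconds 120 }
$loadCsv = Invoke-Collection 'load' {
    $cmd = Start-Process cmd.exe -ArgumentList '/c E:\Labfiles\Mod12\Load.cmd' -PassThru
    Start-Sleep -Seconds 120
    Stop-Process -Id $cmd.Id -Force -ErrorAction SilentlyContinue
}

# Exercise 3: the same counters side by side, idle versus under load.
$idle    = Get-CounterAverages $idleCsv
$load    = Get-CounterAverages $loadCsv
$compare = foreach ($i in $idle) {
    $l = $load | Where-Object { $_.Counter -eq $i.Counter }
    [pscustomobject]@{ Counter = $i.Counter; Idle = $i.Average; UnderLoad = $l.Average }
}
$compare | Format-Table -AutoSize

logman delete $name | Out-Null
```

The counter whose UnderLoad column moves furthest from Idle is the one the lab asks you to identify in step 8; because both runs use the same collector definition and interval, the comparison is between like samples, which is what makes a baseline useful.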

To prepare for the next lab

When you have finished the lab, leave the virtual machines running, as they are needed for the next lab.


Lesson 2

Managing the Reliability of Windows 8.1

Windows 8.1 includes several diagnostic tools that you can use to identify and potentially provide a workaround for different hardware and driver failures that might occur on a Windows 8.1 computer. This lesson introduces you to these tools, and explains how you can use them to diagnose problems in your environment.

Lesson Objectives
After completing this lesson, you will be able to:
- Describe problems that the Windows diagnostic tools can help resolve.
- Describe how to use the Windows Memory Diagnostics tool.
- Describe how to use the Windows Network Diagnostics tool.
- Describe how to use Reliability Monitor.
- Describe how to use the Problem Reports and Solutions tool.

Problems That Windows Diagnostic Tools Can Help Resolve


You can solve computer problems effectively and reliably only by diagnosing them accurately. Therefore, if you understand the capabilities of the Windows 8.1 diagnostic tools, you can determine where to find the troubleshooting information that you need to address existing problems and prevent future issues. The Windows Diagnostic Infrastructure (WDI) includes diagnostic tools that you can use to troubleshoot network-related issues, startup problems, and problems with unreliable memory.

Unreliable Memory

Memory problems can be especially difficult to troubleshoot because they frequently manifest themselves as app issues. Failing memory can cause app failures, operating system faults, and stop errors, and it can be difficult to identify because problems can be intermittent. For example, a memory chip might function perfectly when you test it in a controlled environment. However, it can start to fail when you use it in a hot computer.

Failing memory chips return data that differs from what an operating system stored originally. This can lead to secondary problems, such as corrupted files. Frequently, administrators take extreme steps, such as reinstalling apps or operating systems, to repair problems, only to have the failures persist.

Network-Related Problems

Network errors frequently cause an inability to access network resources and can be difficult to diagnose. Network interfaces that you do not configure correctly, incorrect IP addresses, hardware failures, and many other problems can affect connectivity. Operating system features such as cached credentials enable users to sign in as domain users, even when a network connection is not present. This feature can make it appear as if users have logged on to the domain successfully, even when they have not. Although this feature is useful, it does add another layer to the process of troubleshooting network connections.


Startup Problems

When diagnosing startup problems, you usually do not have access to Windows 8.1 troubleshooting and monitoring tools. Malfunctioning memory, incompatible or corrupted device drivers, missing or corrupted startup files, or corrupted disk data can all cause startup failures.

Windows Memory Diagnostic Tools


The Windows Memory Diagnostics tool works with Microsoft Online Crash Analysis to monitor computers for defective memory, and it determines whether defective physical memory is causing program crashes. If the Windows Memory Diagnostics tool identifies a memory problem, Windows 8.1 avoids using the affected part of physical memory so that the operating system can start successfully and avoid app failures. In most cases, a Windows operating system automatically detects possible problems with a computer's memory and then displays a notification that asks whether to run the Windows Memory Diagnostics tool. You also can start the Windows Memory Diagnostics tool from Control Panel\System and Security\Administrative Tools.

How Does the Windows Memory Diagnostics Tool Run?

If the Windows Memory Diagnostics tool detects any problems with physical memory, Microsoft Online Crash Analysis automatically prompts you to run the tool.

You can decide whether to restart your computer and check for problems immediately, or to schedule the tool to run when the computer next restarts. When the computer restarts, the Windows Memory Diagnostics tool tests the computer's memory. While it runs, the tool shows a progress bar that indicates the status of the test. It might take several minutes for the tool to finish checking a computer's memory. When the test finishes, the Windows operating system restarts again automatically, and the tool provides a clear report that details the problem. It also writes information to the event log so that it can be analyzed. You can run the Windows Memory Diagnostics tool manually. You have the same two choices: run the tool immediately or schedule it to run when the computer restarts. Additionally, you can start the Windows Memory Diagnostics tool from installation media.

Advanced Options

To access advanced diagnostic options, press F1 while the test is running. Advanced options include the following:
- Test mix. Select what kind of test to run.
- Cache. Select the cache setting for each test.
- Pass count. Enter the number of times that the test mix should repeat the tests.

Press the Tab key to move between the advanced options. When you finish selecting your options, press F10 to start the test.


Windows Network Diagnostics Tool


The Windows Network Diagnostics tool provides an advanced way to resolve network-related issues. When users cannot connect to a network resource, they receive specific repair options instead of general error messages, which can be difficult to understand. By understanding the repair options that the Windows Network Diagnostics tool presents, you can troubleshoot network-related issues effectively. You can start the Windows Network Diagnostics tool by clicking Troubleshoot problems in the Network and Sharing Center. From this page, you can troubleshoot different network problems. Some of these problems and tools are as follows:
- Internet Connections. Inability to connect to the Internet or to a particular website.
- Shared Folders. Inability to access shared files and folders on other computers.
- HomeGroup. Inability to view the computers or shared files in a homegroup for workgroup-configured computers.
- Network Adapter. Problems with Ethernet, wireless, or other network adapters.
- Incoming Connections. Issues allowing other computers to connect to your computer.
- Connections to a Workplace Using DirectAccess. Problems with connecting to your workplace when using DirectAccess.
- Printer. Problems with printer connections.

How Does the Windows Network Diagnostics Tool Run?

The Windows Network Diagnostics tool runs automatically when it detects a problem. You also can decide to run the tool manually by using the Diagnose option on the Local Area Connection Status property sheet. If Windows 8.1 detects a problem that it can repair automatically, it will do so. If Windows 8.1 cannot repair the problem automatically, it directs the user to perform simple steps to resolve the problem without having to call support.

What Is Reliability Monitor?


Reliability Monitor reviews a computer's reliability and problem history. You can use the Reliability Monitor to obtain several kinds of reports and charts that can help you identify the source of reliability issues. Access the Reliability Monitor by clicking View reliability history in the Maintenance section of the Action Center. The following topics explain the main features of the Reliability Monitor in more detail.


System Stability Chart

A System Stability Chart summarizes system stability for the past year in daily increments. This chart indicates any information, error, or warning messages, and it simplifies the task of identifying issues and the date on which they occurred.

Installation and Failure Reports

The System Stability Report also provides information about each event in the chart. These reports include the following events:
- Software Installs
- Software Uninstalls
- Application Failures
- Hardware Failures
- Windows Failures
- Miscellaneous Failures

Records Key Events in a Timeline

The Reliability Monitor tracks key events about the system configuration, such as the installation of new apps, operating system patches, and drivers. It also tracks the following events and helps you identify the reasons for reliability issues:
- Memory problems
- Hard-disk problems
- Driver problems
- Application failures
- Operating system failures

The Reliability Monitor is a useful tool that provides a timeline of system changes, and then it reports a system's reliability. You can use this timeline to determine whether a particular system change correlates with the start of system instability.
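The correlation described above (a system change followed by a drop in stability), together with the memory diagnostics result that the Windows Memory Diagnostics topic says is written to the event log, as an added example that is not part of the course: it reads the history that Reliability Monitor charts through the Win32_ReliabilityStabilityMetrics and Win32_ReliabilityRecords CIM classes and lists what was recorded in the day before each sharp drop in the stability index. The function names Get-StabilityDrops and Get-MemoryDiagnosticResults and the 1.0 drop threshold are this example's own choices; it assumes the reliability data that Reliability Monitor itself depends on is being collected.

```powershell
# Added example (not from the course material).
function Get-StabilityDrops {
    param(
        [double]$MinDrop = 1.0,   # decrease of the 1-10 index that counts as a drop
        [int]$Days = 365          # the chart covers the past year
    )
    $since = (Get-Date).AddDays(-$Days)
    # One stability reading per day, oldest first
    $metrics = Get-CimInstance -ClassName Win32_ReliabilityStabilityMetrics |
        Where-Object { $_.TimeGenerated -ge $since } |
        Sort-Object TimeGenerated
    # Installs, uninstalls, and application/Windows/hardware failures
    $records = Get-CimInstance -ClassName Win32_ReliabilityRecords |
        Where-Object { $_.TimeGenerated -ge $since }

    $previous = $null
    foreach ($metric in $metrics) {
        if ($null -ne $previous) {
            $drop = $previous.SystemStabilityIndex - $metric.SystemStabilityIndex
            if ($drop -ge $MinDrop) {
                # Events in the 24 hours before the lower reading are the
                # candidates for "what changed": installs, drivers, failures.
                $windowStart = $metric.TimeGenerated.AddDays(-1)
                $suspects = $records |
                    Where-Object { $_.TimeGenerated -ge $windowStart -and $_.TimeGenerated -le $metric.TimeGenerated } |
                    Sort-Object TimeGenerated |
                    ForEach-Object {
                        $text = if ($_.Message) { ($_.Message -replace '\s+', ' ').Trim() } else { '' }
                        '{0:u} [{1}] {2}' -f $_.TimeGenerated, $_.SourceName, $text
                    }
                [pscustomobject]@{
                    When      = $metric.TimeGenerated
                    IndexFrom = [math]::Round($previous.SystemStabilityIndex, 2)
                    IndexTo   = [math]::Round($metric.SystemStabilityIndex, 2)
                    Events    = @($suspects)
                }
            }
        }
        $previous = $metric
    }
}

function Get-MemoryDiagnosticResults {
    # After the post-test restart, the Windows Memory Diagnostics tool records
    # its verdict in the System log under the provider below. Returns those
    # entries, most recent first, or nothing if the tool has never run.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-MemoryDiagnostics-Results'
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Usage:
#   Get-StabilityDrops -MinDrop 0.5 | Format-List
#   Get-MemoryDiagnosticResults | Format-Table -Wrap
```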

What Is the Problem Reports and Solutions Tool?


The Problem Reports and Solutions tool in Reliability Monitor helps you track problem reports and any solution information that other tools have provided. This tool only helps store information. Windows Error Reporting handles all Internet communication that is related to problem reports and solutions. The Problem Reports and Solutions tool provides a list of the attempts made to diagnose a computer's problems.

If an error occurs while an app is running, Windows Error Reporting prompts the user to choose if they want to send error information to Microsoft over the Internet. If information is available that can help a user resolve a problem, Windows displays a message to the user with a link to information about how to resolve the issue.


You can use the Problem Reports and Solutions tool to track resolution information and to recheck and find new solutions. You can start the Problem Reports and Solutions tool from the Reliability Monitor. The following tools are available:
- Save reliability history
- View all problem reports
- Check for solutions to all problems
- Clear the solution and problem history


Lesson 3

Managing Software Updates in Windows 8.1

To keep your Windows 8.1 systems functioning properly and to protect them, you must update systems regularly with the latest security updates and fixes. Windows Update enables you to download and install important and recommended updates automatically instead of visiting the Windows Update website. You must be aware of the configuration options that Windows Update has available, and you must be able to guide users on how to configure these options.

Lesson Objectives
After completing this lesson, you will be able to:
- Explain how to configure local Windows Update settings.
- Describe the process of managing applied updates.
- Describe the Windows Update Group Policy settings.

Configuring Windows Update Settings


Windows Update is a service that provides software updates that keep your computer up-to-date and protected. You can configure Windows Update to download and install updates automatically for a computer, or you can install updates manually. On the Windows Update page, you can see the important and optional updates that are available for a computer. You should configure computers that are running Windows 8.1 to download and install updates automatically, so that each computer has the most up-to-date and protected configuration possible.

You can turn on Automatic Updates during the initial Windows 8.1 setup, or you can configure it later.

Windows Update downloads a computer's updates in the background while you are online. If your Internet connection is interrupted before an update downloads fully, the download process resumes when the connection becomes available.

Configure Settings

The Automatic Updates feature of Windows Update downloads and installs important updates, including security and critical performance updates. However, you have to select recommended and optional updates manually. The time of installation depends on the configuration options that you select. Most updates occur seamlessly, with the following exceptions:
- If an update requires a restart to complete installation, you can schedule it for a specific time.
- When a software update applies to a file that is in use, Windows 8.1 can save the app's data, close the app, update the file, and then restart the app. Windows 8.1 might prompt the user to accept the Microsoft Software License Terms when the app restarts.


When you configure Windows Update, consider the following:
- You should use the recommended settings to download and install updates automatically. The recommended settings download and install updates automatically daily at 3:00 A.M. If a computer is turned off, the installation will be done the next time the computer is turned on. By using the recommended settings, users do not have to search for critical updates or worry that critical fixes might be missing from their computers.
- You should use Windows Server Update Services (WSUS) to manage Windows Update in an enterprise environment. You can use Microsoft System Center 2012 R2 Configuration Manager for environments that have a large number of computers or that require specialized management that WSUS does not provide.

Change Settings
From the Windows Update page, you also have access to the Change settings features. On the Change settings page, four settings are available for Important updates:
- Install updates automatically (recommended).
- Download updates but let me choose whether to install them.
- Check for updates but let me choose whether to download and install them.
- Never check for updates (not recommended).

We recommend that you choose to have updates installed automatically so that Windows will install important updates as they become available.

If you do not want updates to be installed or downloaded automatically, you can instead select the option to be notified when updates apply to your computer so that you can download and install them yourself. For example, if you have a slow Internet connection or your work is interrupted because of automatic updates, you can have Windows check for updates but download and install them yourself later at a suitable time.

Managing Applied Updates


Generally, applying updates does not create problems for most computers. However, occasionally, an installed update might conflict with the unique combination of installed hardware and software on a user's computer. This can result in a reliability problem. When this occurs, you can use Windows Update to review installed updates, and where necessary, you can uninstall an update.

View Update History


To review your update history, from the Windows Update page, click View update history. In the Status column, you can make sure that all important updates were installed successfully.


Uninstall Updates

If an update has been installed that you would like to remove, from the View Update History page, click Installed Updates. You then can view all the installed updates, and where necessary, you can right-click an update, and then click Uninstall.

Hide Updates

If an update attempts to reinstall at a later time, you can hide the update. To hide an update that you do not wish to install, from Windows Update, click the link for the available updates. Right-click the update that you do not want to install, and then click Hide update.

Restore Hidden Updates

If you have resolved the underlying problem with an update that you uninstalled, and you wish to install it, you first must unhide the update. From Windows Update, click Restore hidden updates.

Windows Update Group Policy Settings


Group Policy is an administrative tool for managing user and computer settings over a network. There are several Group Policy settings for Windows Update:

Do not display the Install Updates and Shut Down option in the Shut Down Windows dialog box

This policy setting allows you to manage whether the Install Updates and Shut Down option is displayed in the Shut Down Windows dialog box. If you enable this policy setting, Install Updates and Shut Down will not appear as a choice in the Shut Down Windows dialog box even if updates are available for installation when the user selects the Shut Down option in the Start menu. If you disable or do not configure this policy setting, the Install Updates and Shut Down option will be available in the Shut Down Windows dialog box if updates are available when the user selects the Shut Down option in the Start menu.

Do not adjust the default option to Install Updates and Shut Down in the Shut Down Windows dialog box

You can use this policy setting to manage whether the Install Updates and Shut Down option is allowed to be the default choice in the Shut Down Windows dialog box. If you enable this policy setting, the user's last shutdown choice, such as Hibernate or Restart, is the default option in the Shut Down Windows dialog box, regardless of whether the Install Updates and Shut Down option is available in the What do you want the computer to do? list. If you disable or do not configure this policy setting, the Install Updates and Shut Down option will be the default option in the Shut Down Windows dialog box if updates are available for installation when the user selects the Shut Down option in the Start menu.

Enabling Windows Update Power Management to automatically wake up the system to install scheduled updates

This policy setting specifies whether Windows Update will use the Windows power management features to wake up your system automatically from hibernation if updates need to be installed. Windows Update will wake up your system automatically only if you configure Windows Update to install updates automatically. If the system is in hibernation when the scheduled install time occurs and there are updates to be applied, Windows Update will use the Windows power management features to wake the system automatically to install the updates. The system will not wake unless there are updates to be installed. If the system is on battery power when Windows Update wakes it up, it will not install updates, and the system will return to hibernation automatically in two minutes.

Configure Automatic Updates

This setting specifies whether the computer will receive security updates and other important downloads through the Automatic Updates feature. If Automatic Updates are enabled on your computer, you must select one of the four options in the Group Policy setting:

o 2 = Notify before downloading any updates and notify again before installing them

  When Windows finds updates that apply to your computer, an icon appears in the status area with a message that updates are ready to be downloaded. Clicking the icon or message provides the option to select the specific updates that you want to download. Windows then downloads your selected updates in the background. When the download is complete, an icon again appears in the status area with notification that the updates are ready to be installed. Clicking the icon or message provides the option to select which updates to install.

o 3 = (Default setting) Download the updates automatically and notify when they are ready to be installed

  Windows finds updates that apply to your computer and then downloads them in the background so that the user is not notified or interrupted during this process. When the download is complete, an icon appears in the status area with notification that the updates are ready to be installed. Clicking the icon or message provides the option to select which updates to install.

o 4 = Automatically download updates and install them on the schedule specified below

  Specify the schedule by using the options in the Group Policy setting. If no schedule is specified, the default schedule for all installations will be daily at 3:00 A.M. If any of the updates require a restart to complete the installation, Windows will restart the computer automatically. If a user is signed in to the computer when Windows is ready to restart, the user will be notified and given the option to delay the restart.

o 5 = Allow local administrators to select the configuration mode in which Automatic Updates notifies about and installs updates

  With this option, local administrators will be allowed to use the Automatic Updates control panel item to select a configuration option. For example, they can choose their own scheduled installation time. Local administrators will not be allowed to disable Automatic Updates configuration.

To use the Configure Automatic Updates setting, click Enabled, and then select one of the options (2, 3, 4, or 5). If the status is set to Enabled, Windows recognizes when the computer is online and then uses its Internet connection to search Windows Update for updates that apply to your computer. If the status is set to Disabled, you must download and install manually any updates that are available on Windows Update. If the status is set to Not Configured, the use of Automatic Updates is not specified at the Group Policy level. However, an administrator can still configure Automatic Updates through Control Panel.


Specify intranet Microsoft update service location

With this setting, you can specify a server on a network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to computers on the network. To use this setting, you must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. If the status is set to Enabled, the Automatic Updates client connects to the specified intranet Microsoft Update service instead of Windows Update to search for and download updates. Enabling this setting means that end users in your organization do not have to go through a firewall to get updates, and it gives you the opportunity to test updates before deploying them. If the status is set to Disabled or Not Configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet.

Automatic Updates detection frequency

This policy specifies how long a Windows operating system will wait before checking for available updates. The exact wait time is determined by using the hours that you specify in this policy, minus zero to twenty percent of the hours specified. For example, if this policy is used to specify a 20-hour detection frequency, all clients to which this policy is applied will check for updates anywhere between 16 and 20 hours. If the status is set to Enabled, Windows checks for available updates at the specified interval. If the status is set to Disabled or Not Configured, Windows checks for available updates at the default interval of 22 hours.

Allow non-administrators to receive update notifications

This policy setting allows you to control whether non-administrative users will receive update notifications based on the Configure Automatic Updates policy setting. If you enable this policy setting, Automatic Updates and Microsoft Update will include non-administrators during the process of determining which signed-in user will receive update notifications. Non-administrative users will be able to install all optional, recommended, and important content for which they received a notification. Users will not see a User Account Control window and do not need elevated permissions to install these updates, except in the case of updates that contain User Interface, End User License Agreement, or Windows Update setting changes. If you disable or do not configure this policy setting, only administrative users will receive update notifications. By default, this policy setting is disabled. If the Configure Automatic Updates policy setting is disabled or not configured, then the Elevate Non-Admin policy setting has no effect.

Turn on Software Notifications

This policy setting allows you to control whether users can view detailed, enhanced notification messages about featured software from the Microsoft Update service. Enhanced notification messages convey the value of optional software, and they promote its installation and use. This policy setting is intended for use in loosely managed environments in which you allow end-user access to the Microsoft Update service. If you enable this policy setting, a notification message will appear on users' computers when the featured software is available. Users can click the notification to open the Windows Update app and get more information about the software or install it. Users also can click Close this message or Show me later to defer the notification as appropriate. In Windows 8.1, this policy setting only controls detailed notifications for optional apps. If you disable or do not configure this policy setting, Windows 8.1 users will not be offered detailed notification messages for optional apps. By default, this policy setting is disabled. If you are not using the Microsoft Update service or if the Configure Automatic Updates policy setting is disabled or is not configured, the Software Notifications policy setting has no effect.

Let the service shut down when it is idle

This setting controls how many minutes the Windows Update service will wait before shutting down when there are no scans, downloads, or installations in progress. If configured to zero, the service will always run.

Allow Automatic Updates immediate installation

This setting specifies whether Automatic Updates will automatically install certain updates that neither interrupt Windows services nor restart the Windows operating system. If you set the status to Enabled, Automatic Updates will install these updates immediately once they are downloaded and ready to install. If you set the status to Disabled, such updates will not be installed immediately. If the Configure Automatic Updates policy is disabled, this policy has no effect.

Turn on recommended updates via Automatic Updates

This setting specifies whether Automatic Updates will deliver both important and recommended updates from the Windows Update service. When this policy is enabled, Automatic Updates will install recommended and important updates from Windows Update. When disabled or not configured, Automatic Updates will continue to deliver important updates if it is already configured to do so.

No auto-restart with logged on users for scheduled automatic updates installations

This setting specifies that to complete a scheduled installation, Automatic Updates will wait for the computer to be restarted by any user who is logged on, instead of causing the computer to restart automatically. If the status is set to Enabled, Automatic Updates will not restart a computer automatically during a scheduled installation if a user is logged on to the computer. Instead, Automatic Updates will notify the user to restart the computer.

Re-prompt for restart with scheduled installations

This setting specifies the amount of time for Automatic Updates to wait before prompting a user again to restart and complete the update process. If the status is set to Enabled, a scheduled restart will occur the specified number of minutes after the previous prompt for restart was postponed. If the status is set to Disabled or Not Configured, the default interval is 10 minutes.

Delay Restart for scheduled installations

This setting specifies the amount of time for Automatic Updates to wait before proceeding with a scheduled restart. If the status is set to Enabled, a scheduled restart will occur the specified number of minutes after the installation is finished. If the status is set to Disabled or Not Configured, the default wait time is 15 minutes.

Reschedule Automatic Updates scheduled installations

This setting specifies the amount of time for Automatic Updates to wait, following system startup, before proceeding with a scheduled installation that was missed previously. If you set the status to Enabled, a scheduled installation that did not take place earlier will occur the specified number of minutes after the computer is next started. If you set the status to Disabled, a missed scheduled installation will occur with the next scheduled installation. If you set the status to Not Configured, a missed scheduled installation will occur one minute after the computer is next started.

Enable client-side targeting

This setting specifies the target group name or names that will be used to receive updates from an intranet Microsoft Update service. If you set the status to Enabled, the specified target group information is sent to the intranet Microsoft Update service, which uses it to determine which updates must be deployed to the computer. If the intranet Microsoft Update service supports multiple target groups, this policy can specify multiple group names separated by semicolons. Otherwise, you must specify a single group. If the status is set to Disabled or Not Configured, no target group information will be sent to the intranet Microsoft Update service.

Allow signed updates from an intranet Microsoft update service location

This policy setting allows you to manage whether Automatic Updates accepts updates that are signed by entities other than Microsoft when an update is found on an intranet Microsoft Update service location. If you enable this policy setting, Automatic Updates accepts updates that are received through an intranet Microsoft Update service location if the updates are signed by a certificate in the Trusted Publishers certificate store of the local computer. If you disable or do not configure this policy setting, updates from an intranet Microsoft Update service location must be signed by Microsoft.

Note: This setting sometimes is used on a critical system that cannot be restarted or changed without first being scheduled. If you enable this setting, you must implement another method of update delivery to ensure that these systems are kept up-to-date.
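The settings above are delivered to a client as registry values under the Windows Update policy key, which is also what Lab B's Task 3 verifies (through the Windows Update page) after gpupdate /force. The following added example, not part of the course, audits that key on the local computer and reports the effective Automatic Updates mode, intranet service location, and a few findings a defender would want flagged. The function names Get-WuPolicyValue and Get-WuPolicyAudit and the output field names are this example's own; the registry paths and value names are the documented policy-backed values.

```powershell
# Added example (not from the course material). Run in an elevated PowerShell
# window on the client after the policy has been applied.
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey = "$WuKey\AU"

function Get-WuPolicyValue {
    # Returns the value, or $null when the key or value is absent
    # (absent means the corresponding policy is Not Configured).
    param([string]$Key, [string]$Name)
    if (-not (Test-Path $Key)) { return $null }
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-WuPolicyAudit {
    $auOptions   = Get-WuPolicyValue $AuKey 'AUOptions'            # 2, 3, 4 or 5 as above
    $noAuto      = Get-WuPolicyValue $AuKey 'NoAutoUpdate'         # 1 = Configure Automatic Updates disabled
    $useServer   = Get-WuPolicyValue $AuKey 'UseWUServer'          # 1 = intranet service location enabled
    $server      = Get-WuPolicyValue $WuKey 'WUServer'
    $statServer  = Get-WuPolicyValue $WuKey 'WUStatusServer'
    $trustedPub  = Get-WuPolicyValue $WuKey 'AcceptTrustedPublisherCerts'
    $targetOn    = Get-WuPolicyValue $WuKey 'TargetGroupEnabled'
    $target      = Get-WuPolicyValue $WuKey 'TargetGroup'
    $noReboot    = Get-WuPolicyValue $AuKey 'NoAutoRebootWithLoggedOnUsers'
    $detectOn    = Get-WuPolicyValue $AuKey 'DetectionFrequencyEnabled'
    $detectHours = Get-WuPolicyValue $AuKey 'DetectionFrequency'
    $day         = Get-WuPolicyValue $AuKey 'ScheduledInstallDay'  # 0 = every day, 1 = Sunday .. 7 = Saturday
    $hour        = Get-WuPolicyValue $AuKey 'ScheduledInstallTime' # 0-23

    $modes = @{ 2 = 'Notify before download'
                3 = 'Auto download, notify to install'
                4 = 'Auto download and schedule the install'
                5 = 'Local administrators choose' }
    # New-Object rather than ::new() so this also runs on the PowerShell 4.0 that ships with Windows 8.1
    $findings = New-Object System.Collections.Generic.List[string]

    if ($noAuto -eq 1) {
        $findings.Add('Automatic Updates is disabled by policy (NoAutoUpdate=1); the computer depends on manual updating.')
    } elseif ($null -eq $auOptions) {
        $findings.Add('Configure Automatic Updates is Not Configured; the local Control Panel setting decides.')
    } elseif ($auOptions -eq 2) {
        $findings.Add('AUOptions=2 only notifies; nothing is downloaded or installed until a user acts.')
    }
    if ($useServer -eq 1 -and [string]::IsNullOrEmpty($server)) {
        $findings.Add('UseWUServer=1 but WUServer is empty; the intranet update service location is incomplete.')
    }
    if ($trustedPub -eq 1) {
        $findings.Add('AcceptTrustedPublisherCerts=1: updates signed by any certificate in the local Trusted Publishers store are accepted from the intranet service; review that store.')
    }
    if ($detectOn -eq 1 -and $detectHours -gt 22) {
        $findings.Add("Detection frequency of $detectHours hours is longer than the 22-hour default.")
    }

    [pscustomobject]@{
        AutomaticUpdatesDisabled = ($noAuto -eq 1)
        AUOptions                = $auOptions
        Mode                     = if ($null -ne $auOptions -and $modes.ContainsKey([int]$auOptions)) { $modes[[int]$auOptions] } else { 'Not Configured' }
        ScheduledInstallDay      = $day
        ScheduledInstallTime     = $hour
        IntranetServer           = if ($useServer -eq 1) { $server } else { 'Windows Update (Internet)' }
        StatisticsServer         = $statServer
        TargetGroup              = if ($targetOn -eq 1) { $target } else { $null }
        NoAutoRebootWithUsers    = ($noReboot -eq 1)
        DetectionFrequencyHours  = if ($detectOn -eq 1) { $detectHours } else { 22 }
        Findings                 = $findings.ToArray()
    }
}

# Usage: Get-WuPolicyAudit | Format-List
```

After Lab B's Default Domain Policy change has applied on LON-CL1, the audit should report AUOptions 4 with no NoAutoUpdate finding; before it, the disabled state Holly configured shows up as a finding.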


Lab B: Maintaining Windows Updates


Scenario

When A. Datum received the first shipment of Windows 8.1 computers, Holly disabled Automatic Updates because she was concerned that they would cause problems with a custom app on these systems. After extensive testing, you have determined that it is extremely unlikely that Automatic Updates will cause a problem with this app.

Objectives
After you complete this lab, you will be able to configure local Windows Update settings.

Lab Setup
Estimated Time: 20 minutes
Virtual machines: 20687C-LON-DC1, 20687C-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. Verify that the following virtual machines are running:
   o 20687C-LON-DC1
   o 20687C-LON-CL1

Exercise 1: Configuring Windows Update


Scenario

You have to confirm that Automatic Updates are disabled for the Windows 8.1 computers, and then you must enable Automatic Updates by implementing a Group Policy. The main tasks for this exercise are as follows:
1. Verify that Automatic Updates are disabled.
2. Enable Automatic Updates in Group Policy.
3. Verify that the Automatic Updates setting from the Group Policy Object is being applied.

Task 1: Verify that Automatic Updates are disabled


On LON-CL1, open Windows Update, and then verify that Automatic Updates are disabled.

Task 2: Enable Automatic Updates in Group Policy


1. Sign in to LON-DC1 as Adatum\Administrator with password Pa$$w0rd, and then open the Group Policy Management administrative tool.
2. Edit the Default Domain Policy:
o Modify the settings for Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates: Enabled, 4 - Auto download and schedule the install


Task 3: Verify that the Automatic Updates setting from the Group Policy Object is being applied
1. On LON-CL1, open a command prompt and run gpupdate /force to update the Group Policy settings.
2. Open Windows Update, and then verify that the new settings have been applied.

Results: After completing this exercise, you should have configured Windows Update settings by using Group Policy Objects.
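The following PowerShell script is an added example and is not part of the course material. It reads back, on LON-CL1 after gpupdate /force, the registry values that the Configure Automatic Updates setting from this lab writes, together with the intranet update server and the setting described at the start of this topic that allows updates signed by entities other than Microsoft. Where that setting is enabled, the script lists the local computer's Trusted Publishers store, because every certificate in that store can then sign an update that Automatic Updates will install. The registry paths and value names are those used by the Windows Update administrative template; the helper function Get-PolicyValue is defined here for the example.

```powershell
# Added example (not course content): show the Windows Update policy a client
# received through Group Policy, and who may sign updates from an intranet server.
# Run on the Windows 8.1 client after 'gpupdate /force'.

$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPolicy = Join-Path $wuPolicy 'AU'

# Returns a policy value, or $null when the value is absent (policy "Not Configured").
function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    if (Test-Path $Path) {
        $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
        if ($null -ne $item -and $item.PSObject.Properties[$Name]) { return $item.$Name }
    }
    return $null
}

# Configure Automatic Updates: NoAutoUpdate=1 means Disabled; when Enabled,
# AUOptions carries the option number chosen in the policy (2 to 5).
$auOptionsText = @{
    2 = 'Notify for download and notify for install'
    3 = 'Auto download and notify for install'
    4 = 'Auto download and schedule the install'
    5 = 'Allow local admin to choose setting'
}
$noAuto = Get-PolicyValue $auPolicy 'NoAutoUpdate'
$auOpt  = Get-PolicyValue $auPolicy 'AUOptions'
if ($noAuto -eq 1) {
    'Automatic Updates : DISABLED by policy'
} elseif ($null -eq $auOpt) {
    'Automatic Updates : not configured by policy (local Windows Update setting applies)'
} else {
    "Automatic Updates : Enabled, option $auOpt - $($auOptionsText[[int]$auOpt])"
}

# Intranet update source (WSUS) and whether non-Microsoft signatures are accepted.
$wuServer = Get-PolicyValue $wuPolicy 'WUServer'
$useWu    = Get-PolicyValue $auPolicy 'UseWUServer'
$accept   = Get-PolicyValue $wuPolicy 'AcceptTrustedPublisherCerts'
$source   = if ($useWu -eq 1 -and $wuServer) { $wuServer } else { 'none (Microsoft Update)' }
$signers  = if ($accept -eq 1) { 'YES - any Trusted Publishers certificate' } else { 'no (Microsoft signature required)' }
"Intranet update server            : $source"
"Accept third-party signed updates : $signers"

# If third-party signatures are accepted, review the store they are checked against.
if ($accept -eq 1) {
    'Certificates in Cert:\LocalMachine\TrustedPublisher:'
    Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
        Select-Object Subject, Thumbprint, NotAfter |
        Format-Table -AutoSize
}
```

If the script reports the option as not configured although the GPO has been edited, run gpresult /r /scope computer to confirm that the Default Domain Policy was applied to LON-CL1 before checking the registry again.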

To prepare for the next module


When you have finished the lab, revert all virtual machines back to their initial state:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687C-LON-CL1, and then click Revert.
3. In the Revert Virtual Machines dialog box, click Revert.
4. Repeat steps 2 to 3 for 20687C-LON-DC1.


Module Review and Takeaways


Review Questions
Question: You are having problems with your computer's performance. How can you create a data collector set to analyze a performance problem?

Question: What are the benefits of creating a data collector set?


Module 13
Configuring Mobile Computing and Remote Access
Contents:
Module Overview 13-1
Lesson 1: Configuring Mobile Computers and Device Settings 13-2
Lab A: Configuring a Power Plan 13-9
Lesson 2: Overview of DirectAccess 13-11
Lab B: Implementing DirectAccess by Using the Getting Started Wizard 13-22
Lesson 3: Configuring VPN Access 13-26
Lesson 4: Configuring Remote Desktop and Remote Assistance 13-35
Lab C: Implementing Remote Desktop 13-39
Module Review and Takeaways 13-41

Module Overview

Mobile computers are available in many types and configurations. This module includes descriptions of various available mobile devices and describes how you can synchronize them with a computer that is running the Windows 8.1 operating system. Additionally, this module describes various power options that you can configure in Windows 8.1.

Windows 8.1 helps end users become more productive, regardless of their location, or that of the data they need. For users who want to use virtual private networks (VPNs) to connect to enterprise resources, new features in Windows 8.1 and Windows Server 2012 R2 create a seamless experience. You can use DirectAccess, VPN, and Remote Desktop functionality to enable users to access their work environments from anywhere they are connected.

Objectives
After completing this module, you will be able to:
• Configure mobile computers and device settings.
• Configure DirectAccess.
• Configure VPN access.
• Configure Remote Desktop and Remote Assistance.


Lesson 1

Configuring Mobile Computers and Device Settings


This lesson defines common terminology for mobile computing and provides an overview of related configuration settings that you can modify in Windows 8.1. Additionally, it provides guidelines for applying these configuration settings to Windows 8.1 computers.

Lesson Objectives
After completing this lesson, you will be able to:
• Describe the various types of mobile computers and devices.
• Describe the tools for configuring mobile computers and devices.
• Describe mobile device synchronization partnerships.
• Describe the available options to manage power settings in Windows 8.1.
• Configure a power plan in Windows 8.1.

Discussion: Types of Mobile Computers and Devices


Computers play an important part in people's daily lives, and the ability to carry out computing tasks at any time and in any place has become a necessity for many users. A mobile computer is a device that you can use for work, even when you are away from your office. You must be able to answer users' questions about mobile computers, and you must be able to assist users and other information technology (IT) support staff in choosing appropriate mobile computers for an organization. Different types of mobile computer include:
• Laptops and notebook computers
• Tablet PCs
• Netbook computers
• Ultrabook computers
• Portable media players

Laptop and Notebook Computers

People often use the terms laptop and notebook interchangeably. However, the term notebook computer refers to a computer that is lighter or smaller than a laptop. A laptop computer is a portable computer that contains an integrated screen, battery, keyboard, and pointing device. A laptop computer also might contain a CD or DVD drive. Many organizations issue laptop computers to employees rather than desktop computers so that they can work remotely. Hardware manufacturers are responding to this demand by producing laptops with specifications that are equivalent to or better than many desktop computers.


Tablet PCs

A tablet PC is a fully functional laptop computer with a touchscreen that is designed to interact with a user's fingers or a stylus. Tablet PCs might have a detachable keyboard and touchpad. Many tablet PC screens also turn or fold onto the keyboard. Most tablet PCs allow multiple touch inputs simultaneously on the screen, allowing for complex gestures such as pinching to zoom and scrolling. Windows 8.1 provides an optimized UI for devices that support touchscreens.

Netbook Computers

A typical netbook computer features a 7-inch diagonal display, weighs around 2 pounds or 1 kilogram (kg), has an integrated touch panel, and has both Wi-Fi and Bluetooth enabled. A netbook computer is approximately the size and shape of a paperback book. Manufacturers build specialized components for ultra-mobile PCs, such as ultra-low-voltage processors from Intel, which help optimize battery life and minimize cooling requirements.

Netbook computers typically are equipped with 1 gigabyte (GB) of RAM and a solid-state hard disk drive. Netbook computers offer significant improvements in power consumption compared with more traditional laptops, and they provide the applications that mobile users require.

Ultrabook Computers

These thin, lightweight laptop computers provide more power and larger displays than netbooks, thereby enabling users to perform multiple tasks with their computers. Typically, Ultrabook computers have the same weight as netbooks, but are equipped with 4 GB of RAM and high-speed Intel mobile processors. Display sizes are 13.3 inches diagonally.

Mobile Devices

You must be able to assist users with connecting their mobile devices to Windows 8.1 computers. A mobile device is a computing device that is optimized for specific mobile computing tasks. Mobile devices typically synchronize with desktop or mobile computers to obtain data. The following types of mobile devices are available:
• Personal digital assistants (PDAs)
• Windows Phone devices
• Portable media players
• Mobile phones

Windows Phone Devices

Windows Phone devices are smartphones that feature an operating system with the familiar Windows UI and applications that are part of the Windows 8.1 operating system and Microsoft Office.

Windows Phone devices also include Music and Videos Hubs and typically feature mobile phone, Bluetooth, wireless broadband, and Wi-Fi capabilities. Although you can sometimes use a keyboard on these devices, they typically are touchscreen devices on which you can use your finger to navigate the operating system and use applications. Additionally, the Windows Phone operating system supports voice commands.

Note: Bluetooth is a wireless communications protocol that uses shortwave radio signals to replace cables and enable compatible devices to communicate with each other. Bluetooth uses a low-powered radio signal in the unlicensed 2.4 gigahertz (GHz) to 2.485 GHz spectrum, also known as the Industrial, Scientific, and Medical (ISM) band. Bluetooth employs a technology called Adaptive Frequency Hopping, which helps devices switch frequencies within the ISM band. Bluetooth enables compatible devices to switch frequencies up to 1,600 times a second within the ISM band to maintain optimal connectivity.


Portable Media Player


A portable media player is a small, battery-powered device that contains flash memory or a hard drive from which you can play digital media files. Some of these devices have a screen. A Windows computer copies the media to the device, which means that you can use media from your own CD and DVD collection, or you can buy and download media from numerous online media services.

Mobile Phone

A mobile phone, also known as a cellular phone, is a portable telephone that uses a form of radio connectivity. Many mobile phones now have some PDA and media player functionality. You typically use a numerical keypad as the input for this device type.

Tools for Configuring Mobile Computers and Device Settings


When you select a mobile computer operating system, ensure that the device can adapt to a variety of scenarios. Windows 8.1 gives you the ability to change configuration settings based on specific requirements. You can access and configure mobile computer settings by using the Mobile Computer control panel category page of configuration settings. You can access various settings such as Power Management, Windows Mobility Center, Sync Center, and Presentation Settings.

Power Management

Windows 8.1 power management includes a simple-to-find battery meter that tells you at a glance what power plan you are using and how much battery life is remaining. Use the battery meter to access and change the power plan to meet your needs. For example, you might want to conserve power by limiting the central processing unit (CPU) or configuring when your hard drive will turn off.

Power plans let you adjust your computer's performance and power consumption. To access power plans in Windows 8.1, from Desktop, in the taskbar, right-click the battery icon, and then click Power Options. You also can change the Battery Status in the Windows Mobility Center. To access the Windows Mobility Center, in Control Panel, in the Hardware and Sound category, click Adjust commonly used mobility settings.

Windows Mobility Center


In Windows 8.1, the key mobile-related system configuration settings are all collected in the Windows Mobility Center. By using the Windows Mobility Center, you can adapt a mobile computer to meet different requirements as you change locations, networks, and activities. The Windows Mobility Center includes settings for:
• Display brightness
• Volume
• Battery Status
• External Display
• Sync Center
• Presentation Settings


Computer manufacturers can customize the Windows Mobility Center to include other hardware-specific settings, such as Bluetooth or auxiliary displays.

Sync Center

The Windows 8.1 Sync Center provides a single interface from which you can manage data synchronization in several scenarios: between multiple computers; between corporate network servers and computers; and with devices that you connect to the computer, such as a PDA, a mobile phone, and a music player. Because different devices synchronize by using different procedures, depending on the data source, there is no easy way to manage all of the individual sync relationships in older versions of the Windows operating system. The Sync Center enables you to initiate a manual synchronization, stop in-progress synchronizations, see the status of current synchronization activities, and receive notifications to resolve sync conflicts. A sync partnership is a set of rules that tells the Sync Center how and when to synchronize files or other information between two or more locations. A sync partnership typically controls how files synchronize between a computer and mobile devices, network servers, or compatible programs.

For example, you might create a sync partnership that instructs the Sync Center to copy every new file in the My Documents folder to a USB hard disk each time that you plug the device into the computer. You might create a more complex sync partnership to keep a wide variety of files, folders, and other information synchronized between a computer and a network server. Access the Sync Center by clicking Sync Center from the Windows Mobility Center screen.

Windows Mobile Device Center

Windows Mobile Device Center is a data synchronization program that you can use with mobile devices. It gives Windows users a way to transport documents, calendars, contact lists, and email between their desktop computer and mobile devices that support the Exchange ActiveSync protocol.

Windows Mobile Device Center provides overall device management features for Windows Mobile-based devices in Windows 8.1, including smartphones. To access the Windows Mobile Device Center, go to Control Panel.

Presentation Settings

Mobile users often have to reconfigure their computer settings for meetings or conference presentations, such as changing screen-saver timeouts or desktop wallpaper. To improve the user experience and avoid this inconvenience, Windows 8.1 includes a group of presentation settings that you can apply when you connect to a display device. To access the presentation settings, click Presentation Settings in the Windows Mobility Center in Control Panel. When you finish a presentation, return to the previous settings by clicking the notification area icon.


What Are Mobile Device Sync Partnerships?


You might need to assist users in establishing mobile device sync partnerships. A mobile device sync partnership updates information about the mobile device and the host computer. It typically synchronizes calendar information, clocks, email messages, Microsoft Office documents, and media files on supported devices. You can create mobile device sync partnerships with PDAs, mobile phones, Windows Phone devices, and portable media players.

Creating a Mobile Device Sync Partnership

Creating a sync partnership with a portable media player is straightforward. The following procedure describes how to connect a portable media player to a Windows 8.1 computer, create a sync partnership, and synchronize media to the device:
1. Connect the device to a Windows 8.1 computer and open Sync Center. Windows 8.1 includes drivers for many common devices, but you also can obtain drivers from the CD that came with the device, or from Windows Update. Set up a sync partnership by clicking Set up for a media device Sync Partnership. This opens Windows Media Player.
2. Select some media files or a playlist to synchronize to the device. To select media, simply drag it onto the Sync dialog box on the right side of Windows Media Player.
3. Click Start Sync.
4. When your chosen media has transferred to the device, disconnect the device from the computer, and then close Windows Media Player.

Using Windows Mobile Device Center


Windows Mobile Device Center is a data synchronization program for mobile devices. It provides Windows users a way to transport documents, calendars, contact lists, and email between their desktop computer and a mobile device that supports the Exchange ActiveSync protocol.

Windows Mobile Device Center provides overall device management features for Windows Phone-based devices in Windows 8.1.

The default options for Windows Mobile Device Center include core device-connectivity components only. These components enable the operating system to identify that a Windows Phone-based device is connected, and then load the appropriate device drivers and services. The Windows Mobile Device Center base application enables some basic functionality, including the ability to browse a device's contents, to use desktop pass-through to synchronize with Microsoft Exchange Server, and to change some general computer and connection settings.


Power Plans and Power-Saving Options


For mobile computer users, maintaining optimal system performance while conserving battery life has always been an important requirement. To advise users on how to conserve battery life without affecting system performance, you must be familiar with the various factors that affect power consumption. You also must be familiar with the power plans and power-saving options that are available in Windows 8.1. By using Windows 8.1 power options, you can conserve a mobile computer's battery. A user can change various performance options, such as:
• CPU speed
• Display brightness

By using the CPU speed option, you can lower the speed of the computer processor, thereby reducing its power consumption. Screen brightness requires power, and lowering the brightness reduces power usage.

Power Plans

In Windows 8.1, power plans help you maximize computer and battery performance. With power plans, you can change a variety of system settings to optimize power or battery usage with a single click, depending on the scenario. There are three default power plans:
• Power saver. This plan saves power on a mobile computer by reducing system performance. Its primary purpose is to maximize battery life.
• High performance. This plan provides the highest level of performance on a mobile computer by adapting processor speed to your work or activity, and by maximizing system performance.
• Balanced. This plan balances energy consumption and system performance by adapting the computer's processor speed to your activity.

The balanced plan provides the best balance between power and performance. The power saver plan reduces power usage by lowering the performance. The high performance plan consumes more power by increasing system performance. Each plan provides alternate settings for AC or DC power. You can customize or create additional power plans by using Power Options in Control Panel. Some hardware manufacturers supply additional power plans and power options. When you create additional power plans, be aware that the more power the computer consumes, the less time it runs on a single battery charge. By using Power Options, you can configure settings such as Choose what closing the lid does.

In addition to considering power usage and performance, you also must consider the following three options for turning a computer on and off:
• Shut down
• Hibernate
• Sleep


Shut Down
When you shut down a computer, Windows 8.1 does the following:
• Saves all open files to the hard disk.
• Saves the memory contents to the hard disk or discards them as appropriate.
• Clears the page file.
• Closes all open applications.

Windows 8.1 then signs out the active user and turns off the computer.

Hibernate
When you put a computer in hibernation, Windows 8.1 saves the system state and the system memory contents to a file on the hard disk and then shuts down the computer. This state requires no power because the hard disk is storing the data.

Windows 8.1 supports hibernation at the operating system level without any additional drivers from a hardware manufacturer. Hibernation data is stored in a hidden system file called Hiberfil.sys. This file is the same size as the physical memory in the computer and typically is located in the root of the system drive.

Sleep

Sleep is a power-saving state that saves work and open programs to memory. This provides fast resume capability, typically within several seconds. Sleep does consume a small amount of power. Windows 8.1 automatically goes to sleep when you press the power button on the computer. If the battery power of the computer is low, Windows 8.1 puts the computer in hibernation.

Alternatively, you can enable hybrid sleep, during which Windows 8.1 saves data to the hard disk and to memory. If a power failure occurs on a computer when it is in hybrid sleep, data is not lost. Use hybrid sleep as an alternative to hibernation. Hybrid sleep uses the same Hiberfil.sys hidden system file as hibernation.

Demonstration: Configuring Power Plans


In this demonstration, you will see how to configure a power plan.

Demonstration Steps

Create a power plan for Adam's laptop
1. Sign in to LON-CL1 as Adatum\Adam, and then open Control Panel.
2. Locate Power Options in System and Security.
3. Using the existing Power saver plan, create a new plan named Adam's Plan.

Configure the power plan
1. Configure advanced plan settings.
2. Configure Adam's Plan with the following properties:
o Turn off hard disk after: 10 minutes
o Wireless Adapter Settings, Power Saving Mode: Maximum Power Saving
o Power buttons and lid, Power button action: Shut down
o Close Power Options.


Lab A: Configuring a Power Plan


Scenario

Adam is about to take a long trip to visit all of A. Datum Corporation's customers in the United Kingdom. Before he leaves, he would like you to optimize the power consumption on his Windows 8.1 laptop.

Objectives
After completing this lab, you will be able to:
• Create a new power plan.
• Configure basic and advanced power plan settings.

Lab Setup
Estimated Time: 15 minutes
Virtual machines: 20687C-LON-DC1, 20687C-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687C-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in by using the following credentials:
o User name: Administrator
o Password: Pa$$w0rd
o Domain: Adatum
5. Repeat steps 2 to 3 for 20687C-LON-CL1. Do not sign in until directed to do so.

Exercise 1: Creating and Configuring a New Power Plan


Scenario

Adam wants to ensure that his computer's battery lasts as long as possible between charges while he is on his trip. He does not want to impose on his customers by asking to plug his computer into an electrical socket at their offices, and he would rather charge his laptop in the evenings at his hotel.

The main tasks for this exercise are as follows:
1. Create a power plan on Adam's laptop computer.
2. Configure the power plan.

Task 1: Create a power plan on Adam's laptop computer
1. Sign in to LON-CL1 as Adatum\Adam with password Pa$$w0rd.
2. Open Control Panel.
3. From System and Security in Control Panel, click Power Options.


4. Create a new power plan with the following properties:
o Based on: Power saver
o Name: Adam's power-saving plan

Task 2: Configure the power plan


1. In Power Options, under Adam's power-saving plan, click Change plan settings.
2. Modify the new power plan with the following properties:
o Turn off hard disk after: 3 minutes
o Wireless Adapter Settings, Power Saving Mode: Maximum Power Saving
o Power buttons and lid, Power button action: Shut down
3. Close all open windows, and then sign out from LON-CL1.

Results: After completing this exercise, you should have successfully created and configured a suitable power plan for Adam's laptop computer.
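As an added example that is not part of the lab steps, the same plan can be created and verified from an elevated PowerShell prompt with the built-in powercfg tool, which is useful when the plan must be applied to many computers by script. The scheme alias SCHEME_MAX (the Power saver plan) and the SUB_DISK, DISKIDLE, SUB_BUTTONS and PBUTTONACTION aliases are defined by powercfg itself (see powercfg /aliases); the two Wireless Adapter Settings identifiers have no alias and are given as GUIDs, so confirm them with powercfg /query on the target computer before relying on them.

```powershell
# Added example (not course content): create "Adam's power-saving plan" from
# the built-in Power saver plan with powercfg and apply the Lab A settings.
# Run in an elevated PowerShell session on the Windows 8.1 laptop.

$BaseScheme    = 'SCHEME_MAX'     # powercfg alias for the Power saver plan
$SubDisk       = 'SUB_DISK'       # Hard disk subgroup
$DiskIdle      = 'DISKIDLE'       # Turn off hard disk after (value in seconds)
$SubButtons    = 'SUB_BUTTONS'    # Power buttons and lid subgroup
$PowerButton   = 'PBUTTONACTION'  # Power button action: 0 nothing, 1 sleep, 2 hibernate, 3 shut down
$SubWireless   = '19cbb8fa-5279-450e-9fac-8a3d5fedd0c1'   # Wireless Adapter Settings (assumed GUID, verify)
$WirelessMode  = '12bbebe6-58d6-4636-95bb-3217ef867c1a'   # Power Saving Mode: 0 max performance .. 3 max power saving

# 1. Duplicate the base plan. powercfg prints "Power Scheme GUID: <guid>  (Power saver)";
#    pull the new GUID out of that line.
$output = (powercfg /duplicatescheme $BaseScheme | Out-String)
$guid   = [regex]::Match($output, '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}').Value
if (-not $guid) { throw "powercfg did not return a scheme GUID: $output" }
powercfg /changename $guid "Adam's power-saving plan" "Lab A plan based on Power saver"

# 2. Apply the lab's settings. Each plan keeps separate AC and battery (DC) values,
#    so set both; the lab expects the same values regardless of power source.
foreach ($mode in 'setacvalueindex', 'setdcvalueindex') {
    powercfg /$mode $guid $SubDisk     $DiskIdle     180   # 3 minutes
    powercfg /$mode $guid $SubWireless $WirelessMode 3     # Maximum Power Saving
    powercfg /$mode $guid $SubButtons  $PowerButton  3     # Shut down
}

# 3. Make the plan active and read the settings back for verification.
powercfg /setactive $guid
powercfg /getactivescheme
powercfg /query $guid $SubDisk    $DiskIdle
powercfg /query $guid $SubButtons $PowerButton
```

The output of powercfg /query shows both the "Current AC Power Setting Index" and "Current DC Power Setting Index" as hexadecimal values (0x000000b4 for 180 seconds, 0x00000003 for the shut-down and maximum power-saving choices), which is the same information Power Options shows under Change advanced power settings.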

To prepare for the next lab

When you have finished the lab, leave the virtual machines running, as they are needed for the next lab.


Lesson 2

Overview of DirectAccess

The DirectAccess feature in Windows 8.1 enables seamless remote access to intranet resources without first establishing a user-initiated VPN connection. The DirectAccess feature also ensures seamless connectivity to an application infrastructure for internal users and remote users.

Unlike traditional VPNs that require user intervention to initiate a connection to an intranet, DirectAccess enables any application that supports Internet Protocol version 6 (IPv6) on a client computer to have complete access to intranet resources. DirectAccess also enables you to specify resources and client-side applications that are restricted for remote access.

Lesson Objectives
After completing this lesson, you will be able to:
• Describe the components that are required to implement DirectAccess.
• Describe DirectAccess tunneling protocol options.
• Describe how DirectAccess works for internal clients.
• Describe how DirectAccess works for external clients.
• Configure DirectAccess by running the Getting Started Wizard.
• Identify the changes made by the Getting Started Wizard.
• Identify the settings in the Getting Started Wizard.
• Identify Windows 8.1 DirectAccess client components.

DirectAccess Components
To deploy and configure DirectAccess, your organization must support the following infrastructure components:
• DirectAccess server
• DirectAccess clients
• Network Location Server
• Internal resources
• A Microsoft Active Directory Domain Services (AD DS) domain
• Group Policy
• Public key infrastructure (PKI), optional for the internal network
• Domain Name System (DNS) server
• Network Access Protection (NAP) server

DirectAccess Server

The DirectAccess server can be any domain-joined computer running Windows Server 2012 R2 or Windows Server 2012 that accepts connections from DirectAccess clients and establishes communication with intranet resources. This server provides authentication services for DirectAccess clients and acts as an Internet Protocol security (IPsec) tunnel mode endpoint for external traffic. The new Remote Access server role allows centralized administration, configuration, and monitoring for both DirectAccess and VPN connectivity. Compared with the previous implementation in Windows Server 2008 R2, the new wizard-based setup simplifies DirectAccess management for small and medium-size organizations. The wizard does so by removing the need for a full PKI deployment and removing the requirement for two consecutive public Internet Protocol version 4 (IPv4) addresses on the physical adapter that is connected to the Internet. In Windows Server 2012 R2, the wizard detects the actual implementation state of the DirectAccess server and automatically selects the best deployment, so the administrator does not have to configure IPv6 transition technologies manually.

DirectAccess Clients
A DirectAccess client can be any domain-joined computer that is running the Enterprise edition of Windows 7, Windows 8, or Windows 8.1.

Note: With off-premises provisioning, you can join the client computer to a domain without connecting the client computer to your internal premises.

The DirectAccess client computer connects to the DirectAccess server by using IPv6 and IPsec. If a native IPv6 network is not available, the client establishes an IPv6-over-IPv4 tunnel by using 6to4 or Teredo. Note that the user does not have to be logged on to the computer for this step to complete.

If a firewall or proxy server prevents the client computer that is using 6to4 or Teredo from connecting to the DirectAccess server, the client computer automatically attempts to connect by using the Internet Protocol over Secure Hypertext Transfer Protocol (IP-HTTPS), which uses a Secure Sockets Layer (SSL) connection to ensure connectivity.

Network Location Server

A DirectAccess client uses the Network Location Server to determine its location. If the client computer can securely connect to the Network Location Server by using HTTPS, then the client computer assumes it is on the intranet, and the DirectAccess policies are not enforced. If the Network Location Server cannot be contacted, the client assumes it is on the Internet. The Network Location Server is installed on the DirectAccess server with the Web server role.

Note: The URL for the Network Location Server is distributed by using a Group Policy Object (GPO).

Internal Resources

You can configure any IPv6-capable application that is running on internal servers or client computers to be available for DirectAccess clients. For older applications and servers that do not have IPv6 support, such as Windows Server 2003 or other non-Microsoft operating systems, Windows Server 2012 R2 includes native support for protocol translation (NAT64) and a name resolution (DNS64) gateway to convert IPv6 communication from the DirectAccess client to IPv4 for internal servers.

Active Directory Domain

You must deploy at least one AD DS domain running, at a minimum, Windows Server 2003 domain functional level. DirectAccess provides integrated multiple-domain support, which allows client computers from different domains to access resources that might be located in different trusted domains.


Group Policy

You need to use Group Policy for the centralized administration and deployment of DirectAccess settings. The Getting Started Wizard creates a set of GPOs and settings for DirectAccess clients, the DirectAccess server, and selected servers.

PKI

PKI deployment is optional for simplified configuration and management. DirectAccess enables client authentication requests to be sent over an HTTPS-based Kerberos proxy service that is running on the DirectAccess server. This eliminates the need for establishing a second IPsec tunnel between clients and domain controllers. The Kerberos proxy will send Kerberos requests to domain controllers on behalf of the client. However, for a full DirectAccess configuration that allows NAP integration, two-factor authentication, and force tunneling, you still must implement certificates for authentication for every client that will participate in DirectAccess communication.

DNS Server

When using Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), you must use at least Windows Server 2008 R2, Windows Server 2008 with the Q958194 hotfix, Windows Server 2008 Service Pack 2 or newer, or a non-Windows DNS server that supports DNS message exchanges over ISATAP.

NAP Servers

NAP is an optional component of the DirectAccess solution that allows you to provide compliance checking and enforce security policy for DirectAccess clients over the Internet. DirectAccess provides the ability to configure NAP health check directly from the setup UI.

Remote Access (DirectAccess, Routing and Remote Access) Overview
http://go.microsoft.com/fwlink/?LinkID=269658&clcid=0x409

DirectAccess Tunneling Protocol Options


DirectAccess uses IPv6 and IPsec when clients connect to internal resources. However, many organizations do not have native IPv6 infrastructure. Therefore, DirectAccess uses transitioning tunneling technologies to connect IPv6 clients to connect to IPv4 internal resources, and by communicating through IPv4-based Internet. DirectAccess tunneling protocols include:

ISATAP. ISATAP provides IPv6 connectivity across an IPv4-only intranet. An IPv4 network emulates a logical IPv6 subnet, and ISATAP hosts automatically tunnel IPv6 packets to each other inside an IPv4 header, so ISATAP does not need changes on IPv4 routers. Windows Vista, Windows Server 2008, and newer Windows client and server operating systems can act as ISATAP hosts. In a DirectAccess deployment, ISATAP lets intranet hosts that have no native IPv6 address communicate with DirectAccess clients. To use ISATAP, you must configure your DNS servers to answer the ISATAP queries (see the note about the global query block list above), and IPv6 must be enabled on the network hosts.

6to4. 6to4 enables DirectAccess clients to connect to the DirectAccess server over the IPv4-based Internet when the client has a public IPv4 address. IPv6 packets are encapsulated in an IPv4 header (IP protocol 41) and sent over the 6to4 tunnel adapter to the DirectAccess server. You can configure the 6to4 tunnel adapter for DirectAccess clients and the DirectAccess server by using a GPO. 6to4 cannot work if the client is located behind an IPv4 network address translation (NAT) device, and it also fails where a firewall between the client and the Internet drops IP protocol 41.

Teredo. Teredo enables DirectAccess clients to connect to the DirectAccess server across the IPv4 Internet when the client is located behind an IPv4 NAT device and therefore has a private IPv4 address. Teredo encapsulates IPv6 packets in IPv4 User Datagram Protocol (UDP) datagrams; the firewall between the client and the Internet must allow outbound UDP traffic on port 3544, which is the port on which the Teredo server component of the DirectAccess server listens, and the DirectAccess server needs two consecutive public IPv4 addresses on its Internet-facing adapter to act as a Teredo server. You can configure Teredo for DirectAccess clients and the DirectAccess server by using a GPO.

IP-HTTPS. IP-HTTPS enables DirectAccess clients to connect to the DirectAccess server over the IPv4-based Internet by tunneling IPv6 packets inside an HTTPS session on TCP port 443. Clients use IP-HTTPS when they cannot reach the DirectAccess server by using 6to4 or Teredo, for example from behind a firewall or Web proxy that allows only outbound Web traffic, which makes it the most widely usable of the transition technologies; in a Getting Started Wizard deployment, as the lab in this module shows, IP-HTTPS is the technology that the clients use. You can configure IP-HTTPS for DirectAccess clients and the DirectAccess server by using Group Policy. Note that between Windows 8 or newer clients and a Windows Server 2012 or newer DirectAccess server, the IP-HTTPS TLS session negotiates a null cipher suite, because the IPv6 traffic inside it is already protected by IPsec; this avoids double encryption, but it also means that the IP-HTTPS tunnel itself provides no confidentiality, so the IPsec policy must not be relaxed.

IPv6 Transition Technologies: http://go.microsoft.com/fwlink/?LinkID=154382&clcid=0x409
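To see which of these transition technologies a Windows 8.1 client can actually use, the following script (an added example for this module, not code from the course or from any Microsoft tool) queries the client's transition configuration with the NetworkTransition and NetTCPIP cmdlets that ship in Windows 8.1 and checks the prerequisites described above: a public IPv4 address for 6to4, the Teredo state, and TCP 443 reachability for IP-HTTPS. The DirectAccess server name da.adatum.com is an assumption; replace it with your own public name.

```powershell
# Added example, not part of the course. Reports which IPv6 transition technology a
# Windows 8.1 DirectAccess client can use and why the others are ruled out.
# Requires the NetworkTransition and NetTCPIP modules that ship with Windows 8.1.

$DirectAccessServer = 'da.adatum.com'   # assumed public name of the DirectAccess server

function Test-PrivateIPv4 {
    param([string]$Address)
    # RFC 1918 ranges: a client with one of these addresses is behind NAT,
    # so 6to4 cannot work and Teredo or IP-HTTPS must be used instead.
    if (-not $Address) { return $true }
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

function Get-DATransitionReport {
    $report = [ordered]@{}

    # 6to4 only works with a public IPv4 address on the client itself.
    $ipv4 = Get-NetIPAddress -AddressFamily IPv4 |
            Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' } |
            Select-Object -First 1 -ExpandProperty IPAddress
    $report['ClientIPv4']  = $ipv4
    $report['6to4Usable']  = -not (Test-PrivateIPv4 $ipv4)
    $report['6to4State']   = (Get-Net6to4Configuration).State   # Default/Enabled/Disabled

    # Teredo needs outbound UDP 3544 to the Teredo server (the DirectAccess server).
    # State "Qualified" means the NAT type was detected and the Teredo address is usable.
    $report['TeredoState']  = (Get-NetTeredoState).State
    $report['TeredoServer'] = (Get-NetTeredoConfiguration).ServerName

    # IP-HTTPS is the fallback: IPv6 over TLS on TCP 443, so test that port explicitly.
    $iphttps = Get-NetIPHttpsState
    $report['IPHttpsStatus']    = $iphttps.InterfaceStatus
    $report['IPHttpsLastError'] = $iphttps.LastErrorCode
    $report['IPHttpsUrl']       = (Get-NetIPHttpsConfiguration).ServerURL
    $report['Tcp443Reachable']  = Test-NetConnection -ComputerName $DirectAccessServer `
                                      -Port 443 -InformationLevel Quiet

    return [pscustomobject]$report
}

Get-DATransitionReport | Format-List
```

On a client configured by the Getting Started Wizard, expect 6to4State and the Teredo state to show that those technologies are disabled or offline and IPHttpsStatus to report an active interface; if Tcp443Reachable is false while the client is on the Internet, the problem is the path to the server (firewall, proxy, or DNS for the public name), not the DirectAccess configuration.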

Network Location Server


A Network Location Server is an internal network server that hosts an HTTPS-based URL. DirectAccess clients try to access the Network Location Server URL to determine whether they are located on the intranet or on a public network: if the URL is reachable and the server's certificate validates, the client concludes that it is on the intranet and disables its DirectAccess settings. The DirectAccess server itself can also be the Network Location Server. Two consequences follow from this design. First, the Network Location Server must be reachable only from the intranet; if it were reachable from the Internet, a remote client would conclude that it is inside the corporate network and would never establish its DirectAccess tunnels. Second, in organizations where DirectAccess is a business-critical service, the Network Location Server should be highly available, because an intranet client that cannot reach it applies its DirectAccess settings and tries to tunnel to the DirectAccess server instead, which typically leaves the client unable to reach intranet resources by name. Generally, the Web server on the Network Location Server does not have to be dedicated to supporting DirectAccess clients. It is critical that the Network Location Server be available from each company location, because the behavior of the DirectAccess client depends on the response from the Network Location Server. Branch locations might need a separate Network Location Server at each branch to ensure that one remains accessible even when there is a link failure between branches.

How DirectAccess Works for Internal Clients


The DirectAccess connection process happens automatically, without requiring user intervention. DirectAccess clients use the following process to connect to intranet resources:

1. The DirectAccess client tries to resolve the fully qualified domain name (FQDN) of the Network Location Server URL. Because the FQDN of the Network Location Server URL corresponds to an exemption rule in the Name Resolution Policy Table (NRPT), the DirectAccess client sends the DNS query to a locally configured DNS server (an intranet-based DNS server) rather than through DirectAccess. The intranet-based DNS server resolves the name.

2. The DirectAccess client accesses the HTTPS-based URL of the Network Location Server, and during this process, it obtains the certificate of the Network Location Server.

3. Based on the certificate revocation list (CRL) distribution points field of the Network Location Server's certificate, the DirectAccess client checks the CRL files at the CRL distribution point to determine whether the Network Location Server's certificate has been revoked. The CRL distribution point must therefore be reachable from the intranet; if the revocation check fails, the client treats the Network Location Server as unreachable.

4. If the HTTP response code is 200, the DirectAccess client regards the Network Location Server check as successful (successful access, certificate authentication, and revocation check). Next, the DirectAccess client uses the Network Location Awareness service to determine whether it should switch to the domain firewall profile and ignore the DirectAccess policies because it is on the organization's network.

5. The DirectAccess client computer attempts to locate and log on to the AD DS domain by using its computer account. Because the client no longer references any DirectAccess rules in the NRPT for the rest of the connected session, all DNS queries are sent to the interface-configured DNS servers (intranet-based DNS servers). With the combination of network location detection and computer domain logon, the DirectAccess client configures itself for normal intranet access. Based on the computer's successful logon to the domain, the DirectAccess client assigns the domain (firewall network) profile to the attached network.

6. By design, the DirectAccess connection security tunnel rules are scoped to the public and private firewall profiles, so in the domain profile they are absent from the list of active connection security rules. The DirectAccess client has successfully determined that it is connected to its intranet, and does not use DirectAccess settings (NRPT rules or connection security tunnel rules). The DirectAccess client can access intranet resources normally. It can also access Internet resources through normal means, such as a proxy server.

How DirectAccess Works for External Clients


When a DirectAccess client cannot reach the URL specified for the Network Location Server, the DirectAccess client assumes that it is not connected to the intranet and that it is located on the Internet. When the client computer cannot communicate with the Network Location Server, it starts to use the NRPT and its connection security rules. The NRPT has DirectAccess-based rules for name resolution, and the connection security rules define the DirectAccess IPsec tunnels for communication with intranet resources. Internet-connected DirectAccess clients use the following process to connect to intranet resources:

1. The DirectAccess client attempts to access the Network Location Server.

2. The client attempts to locate a domain controller.

3. The client attempts to access intranet resources first, and then Internet resources.

DirectAccess Client Attempts to Access the Network Location Server


The DirectAccess client attempts to access the Network Location Server as follows:

1. The client tries to resolve the FQDN of the Network Location Server URL. Because the FQDN of the Network Location Server URL corresponds to an exemption rule in the NRPT, the DirectAccess client sends the DNS query to its locally configured (interface) DNS server, which on the Internet is an Internet-based DNS server, and not to the intranet DNS server through the DirectAccess tunnel. The Internet-based DNS server cannot resolve the name.

2. The DirectAccess client processes the name resolution request as defined in the DirectAccess exemption rules in the NRPT: the name is treated as an ordinary, non-DirectAccess name, so the failed resolution is final and the Network Location Server URL is not reached. This is why the Network Location Server name must be exempted. If it were resolved through the tunnel like other intranet names, an Internet-connected client could reach the Network Location Server over DirectAccess, conclude that it is on the intranet, and disable its own remote access.

3. Because the Network Location Server is not found on the network where the DirectAccess client is currently located, the DirectAccess client applies a public or private firewall network profile to the attached network. Because the connection security tunnel rules for DirectAccess are scoped to the public and private profiles, they now become active.

4. The DirectAccess client uses the combination of NRPT rules and connection security rules to locate and access intranet resources across the Internet through the DirectAccess server.
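The following script, an added example for this module (not code from the course or from Microsoft), reproduces the network location detection described in this topic and in the internal-client process above from the client's point of view: it reads the NRPT, confirms that the Network Location Server name is an exemption, resolves the name with the interface-configured DNS servers, requests the URL over HTTPS, and compares the result with the firewall profile that Windows actually applied. The URL https://DirectAccess-NLS.adatum.com/ is an assumption based on the Getting Started Wizard's default naming for the adatum.com domain used in this module's lab.

```powershell
# Added example, not part of the course. Requires the DnsClient, NetConnection
# and Microsoft.PowerShell.Utility modules that ship with Windows 8.1.

$NlsUrl  = 'https://DirectAccess-NLS.adatum.com/'   # assumed NLS URL
$NlsFqdn = ([uri]$NlsUrl).Host

function Get-NrptSummary {
    # Each NRPT rule names a namespace and the DirectAccess DNS server(s) that queries
    # for it are sent to through the tunnel. A rule with no DirectAccess DNS server is
    # an exemption: those names go to the interface-configured DNS servers instead.
    Get-DnsClientNrptPolicy | ForEach-Object {
        $kind = if ($_.DirectAccessDnsServers) { 'DirectAccess' } else { 'Exemption' }
        [pscustomobject]@{
            Namespace   = $_.Namespace
            DaDnsServer = ($_.DirectAccessDnsServers -join ',')
            Kind        = $kind
        }
    }
}

function Test-NlsExemption {
    # The NLS name must be exempt. If it were routed through the tunnel, an Internet
    # client could reach the NLS over DirectAccess, decide it is on the intranet, and
    # switch DirectAccess off for itself.
    $rule = Get-NrptSummary | Where-Object { $_.Namespace -ieq $NlsFqdn }
    return ($null -ne $rule) -and ($rule.Kind -eq 'Exemption')
}

function Test-NetworkLocation {
    # Steps 1 and 2 of the detection process: resolve the NLS name through the normal
    # DNS client path (the NRPT exemption applies), then request the URL over HTTPS.
    $resolved = $null -ne (Resolve-DnsName -Name $NlsFqdn -DnsOnly -ErrorAction SilentlyContinue)
    $http200  = $false
    if ($resolved) {
        try {
            # Invoke-WebRequest validates the certificate chain and revocation, so a
            # revoked or untrusted NLS certificate fails here just as it does for the client.
            $resp    = Invoke-WebRequest -Uri $NlsUrl -UseBasicParsing -TimeoutSec 5
            $http200 = ($resp.StatusCode -eq 200)
        } catch { $http200 = $false }
    }
    $category = (Get-NetConnectionProfile | Select-Object -First 1).NetworkCategory
    return [pscustomobject]@{
        NlsResolved      = $resolved
        NlsHttp200       = $http200
        ExpectedLocation = if ($http200) { 'Intranet' } else { 'Internet' }
        AppliedProfile   = $category   # DomainAuthenticated inside, Public/Private outside
        NlsExempt        = Test-NlsExemption
    }
}

Get-NrptSummary | Format-Table -AutoSize
Test-NetworkLocation
```

ExpectedLocation and AppliedProfile should agree. Intranet with a Public or Private profile points at a Network Location Awareness or domain logon problem; Internet with NlsResolved true is the dangerous case, because it means the Network Location Server name is visible from outside, and NlsExempt false means the GPO did not create the exemption and the client would test the wrong path.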

DirectAccess Client Attempts to Locate a Domain Controller

After starting up and determining its network location, the DirectAccess client attempts to locate and log on to a domain controller. This process creates the first IPsec tunnel, the infrastructure tunnel, to the DirectAccess server by using IPsec tunnel mode with Encapsulating Security Payload (ESP). The process is as follows:

1. The DNS name for the domain controller matches the intranet namespace rule in the NRPT, which specifies the IPv6 address of the intranet DNS server. The DNS Client service constructs the DNS name query addressed to the IPv6 address of the intranet DNS server and forwards it to the DirectAccess client's TCP/IP stack for sending.

2. Before sending the packet, the TCP/IP stack checks whether there are Windows Firewall outbound rules or connection security rules for the packet.

3. Because the destination IPv6 address in the DNS name query matches the connection security rule that corresponds to the infrastructure tunnel, the DirectAccess client uses AuthIP and IPsec to negotiate and authenticate an encrypted IPsec tunnel to the DirectAccess server. For the infrastructure tunnel, the client authenticates as a computer only, with its installed computer certificate and the NTLM credentials of its computer account; no user credentials are involved, which is why this tunnel can be established before any user signs in and why management servers can reach the client through it. (In a Getting Started Wizard deployment, which uses no computer certificates, the computer authenticates with Kerberos through the Kerberos proxy on the DirectAccess server instead, as the lab in this module shows.)

Note: AuthIP enhances authentication in IPsec by adding support for user-based authentication with the Kerberos version 5 protocol or SSL certificates. AuthIP also supports efficient protocol negotiation and the use of multiple sets of credentials for authentication.

4. The DirectAccess client sends the DNS name query through the IPsec infrastructure tunnel to the DirectAccess server.

5. The DirectAccess server forwards the DNS name query to the intranet DNS server. The DNS name query response is sent back to the DirectAccess server and back through the IPsec infrastructure tunnel to the DirectAccess client.

Subsequent domain logon traffic goes through the IPsec infrastructure tunnel. When the user on the DirectAccess client signs in, the domain logon traffic also goes through the IPsec infrastructure tunnel.

DirectAccess Client Attempts to Access Intranet Resources


The first time that the DirectAccess client sends traffic to an intranet location that is not on the list of destinations for the infrastructure tunnel (such as an email server), the following process occurs:

1. The application or process that attempts to communicate constructs a message or payload, and hands it off to the TCP/IP stack for sending.

2. Before sending the packet, the TCP/IP stack checks whether there are Windows Firewall outbound rules or connection security rules for the packet.

3. Because the destination IPv6 address matches the connection security rule that corresponds to the intranet tunnel (which specifies the IPv6 address space of the entire intranet), the DirectAccess client uses AuthIP and IPsec to negotiate and authenticate an additional IPsec tunnel to the DirectAccess server. For this tunnel, the DirectAccess client authenticates itself with its installed computer certificate and the user account's Kerberos credentials, so the intranet tunnel exists only while a user is signed in and is bound to that user's identity.

4. The DirectAccess client sends the packet through the intranet tunnel to the DirectAccess server.

5. The DirectAccess server forwards the packet to the intranet resource. The response is sent back to the DirectAccess server and back through the intranet tunnel to the DirectAccess client.

Any subsequent intranet access traffic that does not match an intranet destination in the infrastructure tunnel connection security rule goes through the intranet tunnel.

DirectAccess Client Attempts to Access Internet Resources

When the user or a process on the DirectAccess client attempts to access an Internet resource (such as an Internet Web server), the following process occurs:

1. The DNS Client service passes the DNS name for the Internet resource through the NRPT. There are no matches, so the DNS Client service constructs the DNS name query addressed to the IP address of an interface-configured Internet DNS server and hands it off to the TCP/IP stack for sending.

2. Before sending the packet, the TCP/IP stack checks whether there are Windows Firewall outbound rules or connection security rules for the packet.

3. Because the destination IP address in the DNS name query does not match the connection security rules for the tunnels to the DirectAccess server, the DirectAccess client sends the DNS name query normally. The Internet DNS server responds with the IP address of the Internet resource.

4. The user application or process constructs the first packet to send to the Internet resource.

5. Before sending the packet, the TCP/IP stack checks whether there are Windows Firewall outbound rules or connection security rules for the packet.

6. Because the destination IP address of the packet does not match the connection security rules for the tunnels to the DirectAccess server, the DirectAccess client sends the packet normally.

Any subsequent Internet resource traffic that does not match a destination in either the infrastructure tunnel or the intranet tunnel connection security rules is sent and received normally. This is split tunneling: by default, only traffic for intranet namespaces and the intranet IPv6 address space goes through the DirectAccess server, and Internet traffic leaves the client directly. If your security policy requires all traffic to pass through the corporate network, you must configure force tunneling separately; it is not the default.

The process of accessing the domain controller and that of accessing intranet resources are very similar, because both use the NRPT to locate the appropriate DNS server for the name queries. The main difference is in the IPsec tunnel that is established between the client and the DirectAccess server. When accessing the domain controller, all DNS queries and domain logon traffic are sent through the IPsec infrastructure tunnel, which is authenticated by the computer alone; when accessing other intranet resources, a second IPsec tunnel, additionally authenticated by the user, is established for that traffic.
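The two-tunnel model described here is visible on a connected client as IPsec security associations. The following script is an added example for this module (not course or Microsoft code) that lists the main mode security associations to the DirectAccess server with the Get-NetIPsecMainModeSA and Get-NetIPsecQuickModeSA cmdlets of the NetSecurity module in Windows 8.1 and classifies each as the infrastructure tunnel (computer authentication only) or the intranet tunnel (computer plus user authentication). The property names used (RemoteEndpoint, FirstAuthenticationMethod, SecondAuthenticationMethod, CipherAlgorithm, HashAlgorithm) are the ones those cmdlets expose; treat the classification rule as an assumption and verify it against the output on your own client.

```powershell
# Added example, not part of the course. Requires the NetSecurity module (Windows 8.1).
# Run it on a DirectAccess client while it is connected from the Internet.

function Get-DATunnelSummary {
    # Main mode SAs: one per authenticated tunnel to the DirectAccess server.
    # The infrastructure tunnel carries only a computer credential in the first
    # authentication; the intranet tunnel adds the user's Kerberos credential in the
    # second authentication (AuthIP), which is what the Tunnel column keys on.
    $mainMode = Get-NetIPsecMainModeSA | ForEach-Object {
        $second = $_.SecondAuthenticationMethod
        $tunnel = if ($second -and ($second -match 'User')) { 'Intranet' } else { 'Infrastructure' }
        [pscustomobject]@{
            Remote     = $_.RemoteEndpoint
            FirstAuth  = $_.FirstAuthenticationMethod
            SecondAuth = $second
            Tunnel     = $tunnel
            Cipher     = $_.CipherAlgorithm
            Hash       = $_.HashAlgorithm
        }
    }

    # Quick mode SAs carry the actual traffic. Grouping them by remote address shows
    # which intranet hosts (the DNS/domain controller set versus everything else in
    # the intranet prefix) the client is currently talking to.
    $quickMode = Get-NetIPsecQuickModeSA | Group-Object -Property RemoteEndpoint |
                 ForEach-Object { [pscustomobject]@{ Remote = $_.Name; QuickModeSAs = $_.Count } }

    return [pscustomobject]@{ MainMode = $mainMode; QuickMode = $quickMode }
}

$summary = Get-DATunnelSummary
'Main mode (one row per tunnel):'
$summary.MainMode  | Format-Table -AutoSize
'Quick mode (traffic per intranet host):'
$summary.QuickMode | Format-Table -AutoSize
```

On a working external client with a user signed in, expect two main mode rows to the DirectAccess server, one Infrastructure and one Intranet. Only an Infrastructure row means the user tunnel was never negotiated (usually a user Kerberos problem), which matches the symptom of domain logon and Group Policy working while file shares and mail do not; no rows at all means the transition technology is down and the troubleshooting belongs at the IP-HTTPS or Teredo layer, not at IPsec.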

Demonstration: Configuring DirectAccess by Running the Getting Started Wizard


In this demonstration, you will learn how to configure DirectAccess by running the Getting Started Wizard.

Demonstration Steps

1. Switch to LON-SVR2.

2. On LON-SVR2, in the Server Manager console, select Remote Access Management. Complete the Getting Started Wizard in the Remote Access Management console with the following settings:

o On the Configure Remote Access page, click Deploy DirectAccess only.

o Verify that Edge is selected, and in the Type the public name or IPv4 address used by clients to connect to Remote Access server box, type 131.107.0.2.

o On the Remote Access Review page, remove the Domain Computers group, and add the DA_Clients group.

o On the Remote Access Review page, clear the Enable DirectAccess for mobile computers only check box.

3. Restart LON-SVR2.

Getting Started Wizard Configuration Changes


The Getting Started Wizard makes multiple configuration changes so that DirectAccess clients can connect to an intranet. These changes include:

GPO settings. Two GPOs are created to define which computers will be allowed to connect to an organization's network by using DirectAccess:

o DirectAccess Server Settings GPO. Defines settings that apply to DirectAccess servers.

o DirectAccess Client Settings GPO. Defines settings that apply to DirectAccess clients. The client GPO is security-filtered to the security group that you select, so membership in that group is what decides which computers receive the DirectAccess configuration.

Remote clients. In the wizard, you can configure the following client computer settings for DirectAccess:

o Select groups. You can select which groups of client computers will be configured for DirectAccess. By default, the Domain Computers group is configured, which would push the DirectAccess client configuration to every domain-joined computer, including servers. In the wizard, you should replace the Domain Computers group with a custom security group that contains only the intended client computers.

o Enable DirectAccess for mobile computers only. This setting is enabled by default, but you can disable it in the wizard. When it is enabled, the wizard attaches a WMI filter to the client GPO so that only computers that Windows identifies as mobile computers apply it.

o DirectAccess Connectivity Assistant. The Network Connectivity Assistant runs on every client computer and provides DirectAccess connectivity information, diagnostics, and remediation support. The wizard lets you configure the following settings for it:

o Resources that validate connectivity to an internal network. DirectAccess client computers need information that helps them decide whether they are located on the intranet or the Internet, so they contact the resources that you provide here. You can provide a URL that is accessed by an HTTP request or an FQDN that is contacted with a ping. By default, this is not configured.

o Help desk email address. By default, this setting is not configured.

o DirectAccess connection name. The default name is Workplace Connection.

o Allow DirectAccess clients to use local name resolution. This setting is disabled by default.

Remote access server. In the wizard, you define the network topology where the DirectAccess server is located:

o On the edge of the internal corporate network, where the edge server has two network adapters.

o On a server located behind an edge device, where the server has two network adapters.

o On a server located behind an edge device, where the server has one network adapter.

One of the preceding settings is already selected in the wizard, based on the adapters that the wizard detects. The public name or IPv4 address to which DirectAccess clients connect from the Internet is already entered in the wizard. You can also define the network adapter to which the DirectAccess clients connect, as well as the certificate used for IP-HTTPS connections.

Infrastructure servers. In the wizard, you define infrastructure servers. DirectAccess clients connect to these servers before they connect to internal corporate resources. By default, two NRPT entries are configured: the domain name suffix, and the name DirectAccess-NLS followed by the domain name suffix. For example, if the domain name is contoso.com, the following entries are configured: contoso.com and DirectAccess-NLS.contoso.com.

Demonstration: Identifying the Getting Started Wizard Settings


In this demonstration, you will identify the changes made by the DirectAccess Getting Started Wizard.

Demonstration Steps

1. On LON-SVR2, switch to the Server Manager console, and then open the Remote Access Management console.

2. In the Remote Access Management console, select DirectAccess and VPN.

3. In the Remote Access Setup window, under the image of the client computer labeled Step 1 Remote Clients, click Edit to display the DirectAccess Client Setup window.

4. Review the default settings of all items in the menu on the left (Deployment Scenario, Select Groups, and Network Connectivity Assistant), and then close the window without saving any changes.

5. In the Remote Access Setup window, under the image labeled Step 2 Remote Access Servers, click Edit to display the Remote Access Server Setup window.

6. Review the default settings of all items in the menu on the left (Network Topology, Network Adapters, and Authentication), and then close the window without saving any changes.

7. In the Remote Access Setup window, under the image labeled Step 3 Infrastructure Servers, click Edit to display the Infrastructure Server Setup window.

8. Review the default settings of all items in the menu on the left (Network Location Server, DNS, DNS Suffix Search List, and Management), and then close the window without saving any changes.

9. In the Remote Access Setup window, under the image labeled Step 4 Application Servers, click Edit to display the DirectAccess Application Server Setup window.

10. Review the default settings for all items, and then close the window without saving any changes.

11. Close all open windows.

Windows 8.1 DirectAccess Client Components


Windows 8.1 hosts several components that work together to provide DirectAccess connectivity:

Connection security rules and Windows Firewall. Connection security rules determine how your computer authenticates and protects its connections to network resources. The DirectAccess GPOs that the Getting Started Wizard creates add connection security rules to Windows Firewall with Advanced Security, including a rule named DirectAccess Policy-ClientToCorp for the intranet tunnel and a companion rule for the infrastructure tunnel. These rules establish the IPsec tunnels to the DirectAccess server whenever the client is on a network from which it cannot reach the Network Location Server URL. Because the rules are scoped to the public and private firewall profiles, a client on which Windows Firewall is turned off (or replaced by a product that does not process connection security rules) cannot use DirectAccess.

NRPT. The DirectAccess GPOs also create NRPT entries on the client computer. You can view the NRPT configuration by running the Get-DnsClientNrptPolicy cmdlet in the Windows PowerShell command-line interface. The NRPT has an entry for each DNS namespace that has been configured for DirectAccess; each such entry carries the IPv6 address of the DirectAccess server's DNS64 service, to which queries for that namespace are sent through the tunnel. Entries that have no DirectAccess DNS server, such as the Network Location Server name, are exemptions that are resolved by the interface-configured DNS servers.

IPv6 connectivity. IPv6 must be enabled on the DirectAccess client for it to connect to the DirectAccess server. When you ping the DirectAccess server or an internal network resource by DNS name, the name resolves to an IPv6 address and the traffic travels over one of the IPv6 transition technologies. Intranet resources that have only IPv4 addresses remain reachable because the DNS64 service on the DirectAccess server answers with a synthesized IPv6 address and its NAT64 service translates the traffic to IPv4. Disabling IPv6 on the client, a common "hardening" step in older build images, breaks DirectAccess entirely.

DirectAccess Troubleshooting Tools in Windows 8.1

Incorrect Group Policy application is the most common cause of DirectAccess client configuration issues, but network connectivity configuration and Windows Firewall configuration also can affect DirectAccess functionality. You can use the following tools to confirm or troubleshoot DirectAccess connectivity in Windows 8.1.

DirectAccess Windows PowerShell cmdlets

You can use several DirectAccess Windows PowerShell cmdlets to configure and view the configuration status of a DirectAccess client. The most relevant cmdlets for troubleshooting and configuration are Get-DAConnectionStatus and Get-DAClientExperienceConfiguration.

Cmdlet: Description

Get-DAConnectionStatus: Shows the current status of a DirectAccess client connection.

Disable-DAManualEntryPointSelection: Disables a manually selected DirectAccess entry point and reverts the selection to the default.

Enable-DAManualEntryPointSelection: Enables a specific DirectAccess entry point to use for connectivity.

Get-DAClientExperienceConfiguration: Returns the current client experience configuration for DirectAccess.

Get-DAEntryPointTableItem: Retrieves the list of entry points that have been configured for DirectAccess.

New-DAEntryPointTableItem: Configures a new entry point for multisite DirectAccess.

Remove-DAEntryPointTableItem: Removes a DirectAccess entry point from the specified configuration store.

Rename-DAEntryPointTableItem: Renames a DirectAccess entry point.

Reset-DAClientExperienceConfiguration: Restores the specified DirectAccess client configuration to the defaults.

Reset-DAEntryPointTableItem: Resets the specified DirectAccess entry point configuration to the default configuration.

Set-DAClientExperienceConfiguration: Modifies the configuration of the specified DirectAccess client user experience.

Set-DAEntryPointTableItem: Modifies the configuration of a DirectAccess entry point stored in a GPO.

Workplace Connection page

You can use the Workplace Connection page to determine the DirectAccess status on the client computer. To view DirectAccess status, open the Charms menu, click PC Settings, click Network, click Connections, and then click Workplace Connection. The Workplace Connection page provides your current DirectAccess status and a link that lets you collect DirectAccess logs for the help desk.

Lab B: Implementing DirectAccess by Using the Getting Started Wizard


Scenario

Many users at A. Datum work from outside the organization. This includes mobile users and people who work from home. These users currently connect to the internal network by using a third-party VPN solution. The Security department is concerned about the security of the external connections and wants to ensure that the connections are as secure as possible. The Support team wants to minimize the number of support calls related to remote access and would like to have more options for managing remote computers.

IT management at A. Datum is considering deploying DirectAccess as the remote access solution for the organization. As an initial proof-of-concept deployment, management has requested that you configure a simple DirectAccess environment that can be used with Windows 8.1 client computers.

Objectives
After completing this lab, you will be able to:

Configure DirectAccess.

Validate the DirectAccess deployment.

Lab Setup
Estimated Time: 30 minutes

Virtual machines: 20687C-LON-DC1, 20687C-LON-SVR1, 20687C-LON-SVR2, 20687C-LON-CL1

User name: Adatum\Administrator

Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, on the Start screen, click Hyper-V Manager.

2. In Hyper-V Manager, click 20687C-LON-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Sign in by using the following credentials:

o User name: Adatum\Administrator

o Password: Pa$$w0rd

5. Repeat steps 2 to 4 for 20687C-LON-SVR1, 20687C-LON-SVR2, and 20687C-LON-CL1.

Enable Ethernet 2 on LON-SVR2:

1. Switch to LON-SVR2.

2. From the Start screen, type ncpa.cpl, and then press Enter.

3. In the Network Connections window, right-click Ethernet 2, and then click Enable.

4. Close the Network Connections window.

Exercise 1: Configuring DirectAccess


Scenario

You must prepare the DirectAccess infrastructure for deployment. You must install the Remote Access server role on LON-SVR2, and configure DirectAccess on the DirectAccess server by using the Getting Started Wizard. The main tasks for this exercise are as follows:

1. Install the Remote Access server role.

2. Create a security group for DirectAccess clients.

3. Configure DirectAccess by using the Getting Started Wizard.

Task 1: Install the Remote Access server role

On LON-SVR2, install the Remote Access server role with the DirectAccess and VPN (RAS) role service.

Task 2: Create a security group for DirectAccess clients

1. On LON-DC1, open Active Directory Users and Computers.

2. In Active Directory Users and Computers, create a new global security group named DA_Clients in the Users container.

3. Add LON-CL1 to the DA_Clients group.

Task 3: Configure DirectAccess by using the Getting Started Wizard

1. Switch to LON-SVR2.

2. On LON-SVR2, in the Server Manager console, select Remote Access Management. Complete the Getting Started Wizard in the Remote Access Management console with the following settings:

a. On the Configure Remote Access page, click Deploy DirectAccess only.

b. Verify that Edge is selected, and in the Type the public name or IPv4 address used by clients to connect to Remote Access server box, type 131.107.0.2.

c. On the Remote Access Review page, remove the Domain Computers group, and add the DA_Clients group.

d. On the Remote Access Review page, clear the Enable DirectAccess for mobile computers only check box.

3. Restart LON-SVR2.

4. Wait for LON-SVR2 to restart, and then sign in as Adatum\Administrator with the password Pa$$w0rd.

5. Open the Remote Access Management console and view the Operations Status page.

6. All components should have a Status of Working and a green check mark beside them. If this is not the case, click Refresh to update the Operations Status view. You might have to do this several times.

Results: After completing this exercise, you should have successfully configured DirectAccess by using the Getting Started Wizard.
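The same configuration can be performed without the consoles. The following script is an added example for this lab (not part of the course or of Microsoft's documentation) that uses the ActiveDirectory, ServerManager, and RemoteAccess cmdlets of Windows Server 2012 R2 to carry out Tasks 1 to 3. The public address 131.107.0.2, the computer and group names, and the Ethernet 2 adapter come from the lab; the GPO names are the Getting Started Wizard defaults, the name of the internal adapter (Ethernet) and the HealthState property name are assumptions, and some of the Remove-DAClient and Add-DAClient calls prompt for confirmation.

```powershell
# Added example, not part of the lab. Run the first block on LON-DC1 and the rest on
# LON-SVR2, in both cases as Adatum\Administrator.

# --- LON-DC1: security group for DirectAccess clients (Task 2) ---
Import-Module ActiveDirectory
New-ADGroup -Name 'DA_Clients' -GroupScope Global -GroupCategory Security `
            -Path 'CN=Users,DC=Adatum,DC=com'
Add-ADGroupMember -Identity 'DA_Clients' -Members (Get-ADComputer 'LON-CL1')

# --- LON-SVR2: Remote Access role with the DirectAccess and VPN (RAS) role service (Task 1) ---
Install-WindowsFeature RemoteAccess, DirectAccess-VPN -IncludeManagementTools

# --- LON-SVR2: DirectAccess configuration (Task 3) ---
Import-Module RemoteAccess
# Equivalent of "Deploy DirectAccess only" on an Edge server. Ethernet 2 is the adapter
# the Lab Setup enables as the Internet-facing one; Ethernet is assumed to be internal.
Install-RemoteAccess -DAInstallType Full `
                     -ConnectToAddress '131.107.0.2' `
                     -InternetInterface 'Ethernet 2' `
                     -InternalInterface 'Ethernet' `
                     -ClientGpoName 'Adatum\DirectAccess Client Settings' `
                     -ServerGpoName 'Adatum\DirectAccess Server Settings' `
                     -Force

# Scope the client GPO to DA_Clients instead of the default Domain Computers group
# (otherwise every domain-joined computer, servers included, would receive the client
# configuration), and clear "Enable DirectAccess for mobile computers only".
Remove-DAClient -SecurityGroupNameList 'Adatum\Domain Computers'
Add-DAClient    -SecurityGroupNameList 'Adatum\DA_Clients'
Set-DAClient    -OnlyRemoteComputers Disabled

# Equivalent of the Operations Status page: list anything that is not healthy.
# (HealthState is assumed to be the property name carrying the OK/Error status.)
Get-RemoteAccessHealth | Where-Object { $_.HealthState -ne 'OK' } |
    Format-Table Component, HealthState -AutoSize
```

As in the console procedure, the last command may show components that are still starting immediately after installation; re-run it until it returns nothing, and restart LON-SVR2 before testing the client.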

Exercise 2: Validating the DirectAccess Deployment


Scenario

Now that you have configured DirectAccess, you need to verify that DirectAccess is working. You will start by verifying the changes made by the Getting Started Wizard, and then you will verify that client computers can access the internal network by using DirectAccess. The main tasks for this exercise are as follows:

1. Verify the DirectAccess GPO deployment.

2. Test DirectAccess connectivity.

Task 1: Verify the DirectAccess GPO deployment


1. Switch to LON-CL1.

2. Restart LON-CL1 and sign in as Adatum\Administrator with the password Pa$$w0rd to apply the GPOs.

3. Open a command prompt on LON-CL1.

4. At the command prompt, type gpresult /R to verify that the DirectAccess Client Settings GPO is applied under Computer Settings.

Note: If the DirectAccess Client Settings GPO is not applied, restart LON-CL1, and then repeat steps 3 and 4 on LON-CL1.

5. Run the following command at the command prompt.

netsh name show effectivepolicy

Verify that the following message is displayed: DNS Effective Name Resolution Policy Table Settings Note: DirectAccess settings are inactive when this computer is inside a corporate network. This confirms that the NRPT rules have been delivered but are dormant, because the client can reach the Network Location Server and has applied the domain firewall profile.

6. To move the client from the intranet to the public network, go to the Start screen, type ncpa.cpl, and then press Enter.

7. In the Network Connections window, right-click the Ethernet connection, and then click Disable.

8. In the Network Connections window, right-click the Ethernet 2 connection, and then click Enable.

9. Close all open windows.

Task 2: Test DirectAccess connectivity


1. Switch to LON-SVR1.

2. In File Explorer, create a shared folder named C:\Data with the default settings for the Everyone group.

3. Switch to LON-CL1.

4. On the Start screen, type \\LON-SVR1\Data, and then press Enter. Note that you are able to access the folder content.

5. Close all open windows.

6. Move the pointer to the lower-right corner of the screen, and in the notification area, click Search; in the search box, type cmd, and then press Enter.

7. At the command prompt, run the ipconfig command.

Note: Notice that the IP address of the Tunnel adapter iphttpsinterface starts with 2002. This is the IP-HTTPS address. Do not let the prefix mislead you: 2002::/16 is the 6to4 prefix, and the DirectAccess server in this deployment derives its IPv6 prefix from its public IPv4 address (131.107.0.2 gives 2002:836b:2::/48) because the intranet has no native IPv6. What identifies the transition technology in use is the adapter that holds the address, iphttpsinterface, not the prefix.

8. At the command prompt, type the following command, and then press Enter.
Netsh name show effectivepolicy

9. Verify that the DNS Effective Name Resolution Policy Table Settings present two entries, for adatum.com and DirectAccess-NLS.Adatum.com. The first is the DirectAccess namespace rule that sends queries through the tunnel to the DNS64 address of the DirectAccess server; the second is the exemption for the Network Location Server, which is resolved by the interface-configured DNS servers and therefore fails from the Internet, as intended.

10. Open Windows PowerShell, type the following command, and then press Enter:
Get-DAClientExperienceConfiguration

Note: Notice the DirectAccess client settings.

11. Switch to LON-SVR2.

12. In the Remote Access Management console, click Remote Client Status. Note: Notice that the client is connected via IPHttps. In the Connection Details pane, in the bottom-right of the screen, note the use of the Kerberos protocol for both the Machine and the User. The Getting Started Wizard deploys DirectAccess without computer certificates, so computer authentication uses Kerberos through the Kerberos proxy on the DirectAccess server rather than a computer certificate.

13. Close all open windows.

Results: After completing this exercise, you should have successfully validated the DirectAccess deployment.

To prepare for the next lab


When you have finished the lab, revert the virtual machines to their initial state.

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20687C-LON-CL1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20687C-LON-SVR1, 20687C-LON-SVR2, and 20687C-LON-DC1.

Lesson 3

Configuring VPN Access

To implement and support a VPN environment properly within your organization, you must understand how to select a suitable tunneling protocol, how to configure VPN authentication, and how to configure other settings to support your chosen environment.

Lesson Objectives
After completing this lesson, you will be able to:

Describe a VPN connection.

Describe the tunneling protocols that VPNs use.

Describe VPN authentication mechanisms.

Describe VPN Reconnect and VPN Auto-trigger.

Configure a VPN.

Describe the Connection Manager Administration Kit (CMAK).

Identify key steps for configuring and distributing a connection profile.

Create a connection profile.

What Is a VPN Connection?


A VPN provides a point-to-point connection between components of a private network through a public network such as the Internet. Tunneling protocols enable a VPN client to establish and maintain a connection to the listening virtual port of a VPN server. To emulate a point-to-point link, the data is encapsulated, or wrapped, and prefixed with a header. This header provides the routing information that enables the data to traverse the public network to reach its endpoint. To emulate a private link, the data is encrypted to ensure confidentiality: packets that are intercepted on the public network are indecipherable without the encryption keys. Two types of VPN connections exist:

Remote access

Site-to-site

Remote Access VPN Connections

Remote access VPN connections enable users who are working at home, at customer sites, or from public wireless access points to access a server that exists in your organization's private network. They do so by using the infrastructure that a public network, such as the Internet, provides.

From the users perspective, the VPN is a point-to-point connection between the computer, the VPN client, and your organizations server. The exact infrastructure of the shared or public network is irrelevant, because it logically appears as if the data is sent over a dedicated private link.


Site-to-Site VPN Connections


Site-to-site VPN connections, which also are known as router-to-router VPN connections, enable your organization to have routed connections between separate offices or with other organizations over a public network, while maintaining secure communications.

A routed VPN connection across the Internet logically operates as a dedicated wide area network link. When networks connect over the Internet, a router forwards packets to another router across a VPN connection. To the routers, the VPN connection operates as a data-link layer link.

A site-to-site VPN connection connects two portions of a private network. The VPN server provides a routed connection to the network to which the VPN server is attached. The calling router (the VPN client) authenticates itself to the answering router (the VPN server), and for mutual authentication, the answering router authenticates itself to the calling router. In a site-to-site VPN connection, the packets that are sent from either router across the VPN connection typically do not originate at the routers.

Properties of VPN Connections

VPN connections that use Point-to-Point Tunneling Protocol (PPTP), Layer Two Tunneling Protocol (L2TP) with IPsec, and Secure Socket Tunneling Protocol (SSTP) have the following properties:

• Encapsulation. With VPN technology, private data is encapsulated with a header that contains routing information, which allows the data to traverse the transit network.
• Authentication. Authentication for VPN connections takes the following three forms:
  o User-level authentication by using Point-to-Point Protocol (PPP) authentication. To establish the VPN connection, the VPN server authenticates the VPN client that is attempting to make the connection by using a PPP user-level authentication method and verifies that the VPN client has the appropriate authorization. If you use mutual authentication, the VPN client also authenticates the VPN server, which provides protection against computers that are masquerading as VPN servers.
  o Computer-level authentication by using Internet Key Exchange (IKE). To establish an IPsec security association, the VPN client and the VPN server use the IKE protocol to exchange either computer certificates or a preshared key. In either case, the VPN client and VPN server authenticate each other at the computer level. We recommend computer-certificate authentication because it provides much stronger authentication. Note that computer-level authentication is performed only for L2TP/IPsec connections.
  o Data origin authentication and data integrity. To verify that the data that is sent over the VPN connection originated at the connection's other end and was not modified in transit, the data contains a cryptographic checksum based on an encryption key that only the sender and receiver know. Data origin authentication and data integrity are available only for L2TP/IPsec connections.
• Data encryption. To ensure data confidentiality as the data traverses the shared or public transit network, the sender encrypts the data and the receiver decrypts it. The encryption and decryption processes depend on both the sender and the receiver using a common encryption key. Intercepted packets sent along the VPN connection in the transit network will be unintelligible to anyone who does not have the common encryption key.

The encryption key's length is an important security parameter. You can use computational techniques to determine the encryption key. However, such techniques require an increasing amount of computing power and computational time as encryption keys become larger. Therefore, it is important to use the largest possible key size to help ensure data confidentiality.


Tunneling Protocols for VPN Connections


You can use the following tunneling protocols for VPN connections in Windows 8.1.

PPTP
PPTP encrypts and encapsulates traffic in an IP header and then sends it across an IP network. You can use PPTP for remote client and site-to-site VPN connections. When using the Internet, the VPN server provides the following functionality to the client:
• Encapsulation. PPTP encapsulates PPP frames in IP datagrams for network transmission. PPTP uses Transmission Control Protocol (TCP) to manage the tunnel and a modified version of Generic Routing Encapsulation to encapsulate PPP frames for data that is transmitted through the tunnel. PPP frames can be encrypted, compressed, or both.
• Encryption. The PPP frame is encrypted with Microsoft Point-to-Point Encryption by using encryption keys. These keys are generated by the Microsoft version of the Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) or the Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) authentication process. VPN clients must use MS-CHAPv2 or EAP-TLS authentication.

L2TP
L2TP enables you to encrypt multiple-protocol traffic to send over any medium that supports point-to-point datagram delivery, such as IP or asynchronous transfer mode. L2TP is a combination of PPTP and Layer 2 Forwarding (L2F). L2TP represents the best features of PPTP and L2F. L2TP relies on IPsec for traffic encryption. The combination of L2TP and IPsec is known as L2TP/IPsec.

L2TP is built into Windows 8.1, Windows 8, Windows Vista, and Windows XP remote access clients, and VPN server support for L2TP is built into the Windows Server 2008 and Windows Server 2012 families, as follows:
• Encapsulation. Encapsulation for L2TP/IPsec packets consists of two layers:
  o First layer: L2TP encapsulation. A PPP frame (an IP datagram) is wrapped with an L2TP header and a UDP header.
  o Second layer: IPsec encapsulation. The resulting L2TP message is wrapped with an IPsec ESP header and trailer, an IPsec authentication trailer that provides message integrity and authentication, and a final IP header. The IP header contains the source and destination IP addresses that correspond to the VPN client and the VPN server.
• Encryption. The L2TP message is encrypted with either Advanced Encryption Standard (AES) or Triple Data Encryption Standard (3DES) by using encryption keys that the IKE negotiation process generates.

SSTP

SSTP is a tunneling protocol that uses HTTPS over TCP port 443. SSTP commonly is used in scenarios where PPTP and L2TP/IPsec traffic might be blocked by firewalls. SSTP uses the SSL channel of HTTPS to encapsulate PPP traffic. When a client tries to establish an SSTP-based VPN connection, SSTP first establishes two-way communication on the HTTPS layer with the SSTP server. When this communication is established, the protocol packets flow as the data payload, as follows:


• Encapsulation. SSTP encapsulates PPP frames in IP datagrams for transmission over a network. SSTP uses a TCP connection over port 443 for tunnel management and for carrying the PPP data frames.
• Encryption. The SSTP message is encrypted with the SSL channel of HTTPS.

IKEv2

Internet Key Exchange version 2 (IKEv2) uses the IPsec tunnel mode protocol over UDP port 500. Because of its support for mobility, IKEv2 is much more resilient than other protocols to changing network connectivity. This resiliency makes it a good choice for mobile users who move among access points and even switch between wired and wireless connections. An IKEv2 VPN provides resilience to the VPN client when the client either moves from one wireless hotspot to another or switches from a wireless to a wired connection. This ability is a requirement of VPN Reconnect.

The use of IKEv2 and IPsec enables support for strong authentication and encryption methods, as follows:
• Encapsulation. IKEv2 encapsulates datagrams by using IPsec ESP or Authentication Header (AH) headers for transmission over a network.
• Encryption. The message is encrypted with one of the following algorithms by using encryption keys that are generated from the IKEv2 negotiation process: AES 256, AES 192, AES 128, or 3DES.

IKEv2 is supported only on computers that are running Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2.

VPN Authentication
Authenticating users is an important security concern, especially when they connect over a public network such as the Internet. Authentication methods typically use an authentication protocol that is negotiated during the connection establishment process. Windows Server 2012 R2 and Windows 8.1 support a number of authentication methods:
• Password Authentication Protocol (PAP). PAP uses plaintext passwords and is the least secure authentication protocol. It typically is negotiated if the remote access client and remote access server cannot negotiate a more secure form of validation. PAP is included only for backward compatibility, and you should avoid using it.
• CHAP. CHAP is a challenge/response authentication protocol that uses the industry-standard Message Digest 5 (MD5) hashing scheme. Various vendors of network access servers and clients support CHAP. CHAP is not considered to be sufficiently secure, and you should consider using MS-CHAPv2 in its place.
• MS-CHAPv2. MS-CHAPv2 provides a one-way, encrypted-password, mutual-authentication process. This version is preferable to CHAP and MS-CHAP version 1.
• EAP. EAP uses an arbitrary authentication mechanism to authenticate a remote access connection. The remote access client and the authenticator, which is either the remote access server or the Remote Authentication Dial-In User Service (RADIUS) server, negotiate the exact authentication scheme to use.


• Digital certificates. Certificates are digital documents that are issued by certification authorities (CAs), such as Microsoft Active Directory Certificate Services (AD CS) and the VeriSign public CA. You can use certificates for many purposes, such as code signing and securing email communication. However, with VPNs, you use certificates for network access authentication because they provide strong security for authenticating users and computers and eliminate the need for less-secure, password-based authentication methods. Network Policy Server uses EAP-TLS and Protected Extensible Authentication Protocol (PEAP) to perform certificate-based authentication for many types of network access, including VPN and wireless connections.

Two authentication methods, EAP and PEAP, use certificates when you configure them with certificate-based authentication types. With EAP, you can configure the authentication type TLS (EAP-TLS), and with PEAP, you can configure the authentication types TLS (PEAP-TLS) and MS-CHAP v2 (PEAP-MS-CHAPv2). These authentication methods always use certificates for server authentication. Depending on the authentication type that you configure with the authentication method, you also might use certificates for user authentication and client computer authentication.

The use of certificates for VPN connection authentication offers the strongest form of authentication that is available in Windows 8.1. You must use certificates for IPsec authentication on VPN connections that are based on L2TP/IPsec. PPTP connections do not require certificates, although you can configure PPTP connections to use certificates for computer authentication when you use EAP-TLS as the authentication method. For wireless clients, use PEAP with EAP-TLS and smart cards or certificates for authentication. Each of these authentication methods has advantages and disadvantages in terms of security, usability, and breadth of support. However, password-based authentication methods do not provide strong security, and we do not recommend them. You should use a certificate-based authentication method for all network access methods that support certificate use.

What Are VPN Reconnect and VPN Auto-trigger?


VPN Reconnect and VPN Auto-trigger provide VPN users with a less complex VPN experience. These features make the process of establishing VPN connections as simple as possible.

VPN Reconnect
In dynamic business scenarios, users must be able to access data securely at any time, from anywhere, and continuously, without interruption. To meet these requirements, you can configure the VPN Reconnect feature that is available in Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows 8.1, Windows 8, and Windows 7. With this feature, users can access an organization's data by using a VPN connection, which automatically reconnects if connectivity is interrupted. This feature also enables roaming among different networks. VPN Reconnect uses IKEv2 technology to help provide seamless and consistent VPN connectivity. VPN Reconnect automatically reestablishes a VPN connection when Internet connectivity becomes available again. Users who connect via a wireless mobile broadband card benefit most from this capability.

Consider a user with a Windows 8.1 laptop. When the user travels to work on a train, he or she connects to the Internet by using a wireless mobile broadband card and then establishes a VPN connection to the company's network. When the train passes through a tunnel, the Internet connection is lost. After the train emerges from the tunnel, the wireless mobile broadband card automatically reconnects to the Internet.


With Windows Vista, the VPN does not reconnect automatically. Therefore, the user has to repeat the multistep process of connecting to the VPN manually. Doing so is time-consuming for mobile users with intermittent connectivity.

With VPN Reconnect, Windows 8.1, Windows 8, and Windows 7 automatically reestablish active VPN connections when Internet connectivity is reestablished. Even though the reconnection might take several seconds, users reconnect automatically and have access to internal network resources. The system requirements for using the VPN Reconnect feature are:
• Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 as a VPN server.
• Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 as the VPN client operating system.
• A PKI, because a remote connection with VPN Reconnect requires a computer certificate. Certificates issued by either an internal or a public CA can be used.

VPN Auto-Trigger

You can configure Windows 8.1 to connect automatically through VPN when applications or network locations are used that require organizational network resources. Configuration for VPN Auto-trigger in Windows 8.1 is performed by using Windows PowerShell cmdlets that enable you to add and remove triggers for the following scenarios:

• App-based triggering. When app-based triggering is configured, the VPN connection is triggered by a specific app being run. In this case, the app is added as a trigger to the VPN connection profile by using the Add-VpnConnectionTriggerApplication cmdlet. You can remove app triggers by using the Remove-VpnConnectionTriggerApplication cmdlet in Windows PowerShell.
• Name-based triggering. You configure name-based triggering by adding DNS name suffixes to the VPN connection profile by using the Add-VpnConnectionTriggerDns cmdlet. You can remove name-based triggers by using the Remove-VpnConnectionTriggerDns cmdlet in Windows PowerShell.

Configuring trusted networks

Trusted networks are represented by DNS suffixes where VPN Auto-trigger is not enabled. For example, if a user has his or her laptop connected to an internal corporate network, the laptop will have access to resources on the internal network without requiring a VPN connection. In this case, you would add the DNS suffix or suffixes for the internal network by using the Add-VpnConnectionTriggerTrustedNetwork cmdlet. If a client computer always connects from outside an internal network, then no trusted networks need to be configured.

Enabling VPN Auto-triggering in the UI

When a VPN profile is configured with one or more triggers, the user is presented with an option in the network connection window labeled Let apps automatically use this VPN connection. When the check box for this option is selected, VPN Auto-trigger will connect the VPN.

Scenarios that do not support VPN Auto-triggering


The following scenarios do not support the use of VPN Auto-triggering in VPN profiles:

• Split-tunneling is disabled. If the ability of a VPN connection to route specific traffic to an organization's network and other traffic through the client's connection to the Internet is disabled, you cannot use VPN Auto-triggering. VPN Auto-triggering requires split-tunneling to be enabled on the VPN connection.
• The client computer is joined to a domain. VPN Auto-trigger is not supported on domain-joined computers. You can use a domain-joined computer to create and configure VPN profiles that support VPN Auto-triggering, but the actual Auto-triggering functionality will not operate on the domain-joined computer.

Automatically Triggering VPN Connections and VPN Diagnostics Enhancements in Windows 8.1: http://go.microsoft.com/fwlink/?LinkId=378259&clcid=0x409
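The cmdlets named in this topic, combined into one script as an added example (not from the course): it checks the two conditions the text calls out (domain membership and split tunneling), creates an IKEv2 profile, and adds all three trigger types. The connection name HQ, the server name vpn.adatum.com, the application path, and the DNS suffixes are assumed values.

```powershell
# Added example, not part of the course text: configure VPN Auto-trigger on a
# Windows 8.1 client. Assumed values: connection "HQ", server vpn.adatum.com,
# the application path, and the Adatum DNS suffixes.
$connectionName = 'HQ'

# Auto-trigger is not supported on domain-joined computers, so check domain
# membership before configuring any triggers.
$computer = Get-CimInstance -ClassName Win32_ComputerSystem
if ($computer.PartOfDomain) {
    throw "$($computer.Name) is domain-joined; VPN Auto-trigger will not operate here."
}

# Create the profile with split tunneling enabled, which Auto-trigger requires.
# IKEv2 with computer-certificate authentication also meets the VPN Reconnect
# requirements described earlier in the lesson.
Add-VpnConnection -Name $connectionName -ServerAddress 'vpn.adatum.com' `
    -TunnelType Ikev2 -AuthenticationMethod MachineCertificate `
    -EncryptionLevel Required -SplitTunneling -Force

# Verify the prerequisite rather than assuming it.
if (-not (Get-VpnConnection -Name $connectionName).SplitTunneling) {
    throw 'Split tunneling is disabled; VPN Auto-trigger cannot be used.'
}

# App-based trigger: the VPN connects when this executable starts (assumed path).
Add-VpnConnectionTriggerApplication -ConnectionName $connectionName `
    -ApplicationID 'C:\Program Files\Adatum\LineOfBusiness.exe'

# Name-based trigger: the VPN connects when a name under this suffix is resolved.
Add-VpnConnectionTriggerDns -ConnectionName $connectionName -DnsSuffix 'corp.adatum.com'

# Trusted network: when the client's connection-specific DNS suffix matches,
# the client is already on the internal network and the VPN is not triggered.
Add-VpnConnectionTriggerTrustedNetwork -ConnectionName $connectionName -DnsSuffix 'adatum.com'

# Review the resulting trigger configuration.
Get-VpnConnectionTrigger -ConnectionName $connectionName

# To remove a trigger later, use the matching Remove-* cmdlet, for example:
# Remove-VpnConnectionTriggerDns -ConnectionName $connectionName -DnsSuffix 'corp.adatum.com'
```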

Demonstration: Configuring a VPN


In this demonstration, you will see how to:
• Create a new VPN connection.
• Configure the VPN connection.
• Test the connection.

Demonstration Steps

Create a new VPN connection
1. Sign in as an administrator, and then open Network and Sharing Center.
2. Create a new VPN by selecting Connect to a workplace.
3. Configure the initial settings, including 172.16.0.10 as the target IPv4 address and HQ as the name.

Configure the VPN connection
• Modify the VPN settings to select PPTP as the tunneling type.

Test the connection
1. Connect to LON-DC1 with the HQ VPN, and then authenticate by using the Adatum\Administrator account.
2. Disconnect the HQ connection.

What Is the CMAK?


You can use the CMAK to customize users' remote-connection options by creating predefined connections to remote servers and networks. You use the CMAK wizard to create and customize a connection for your users. The CMAK wizard creates an executable file that you can distribute in many ways or include during deployment activities as part of an operating system image. Connection Manager is a client network-connection tool that enables a user to connect to a remote network, such as an Internet Service Provider or a corporate network that a VPN server protects. CMAK is an optional component that is not installed by default. You must install CMAK to create connection profiles that your users can install and use to access remote networks.


Configuring and Distributing a Connection Profile


You can configure a new or existing connection profile by using the CMAK Connection Profile Wizard. Each page of the wizard allows you to complete another step of the process. The options presented in the CMAK wizard are:
• Select the Target Operating System
• Create or Modify a Connection Profile
• Specify the Service Name and the File Name
• Specify a Realm Name
• Merge Information from Other Connection Profiles
• Add Support for VPN Connections
• Add a Custom Phone Book
• Configure Dial-up Networking Entries
• Specify Routing Table Updates
• Configure Proxy Settings for Internet Explorer
• Add Custom Actions
• Display Custom Bitmaps and Icons
• Customize the Notification Area Shortcut Menu
• Include a Custom Help File
• Display Custom Support Information
• Include Connection Manager Software with the Connection Profile
• Display a Custom License Agreement
• Install Additional Files with the Connection Profile
• Build the Connection Profile and its Installation Program
• Make Advanced Customizations
• Your Connection Profile is Complete and Ready to Distribute

Demonstration: Creating a Connection Profile

You will require the 20687C-LON-DC1 and 20687C-LON-CL1 virtual machines for this demonstration. These should be running already.

Demonstration Steps

Install the CMAK feature
1. If necessary, on LON-CL1, sign in as Adatum\Administrator with password Pa$$w0rd.
2. Open Control Panel, and then enable the RAS Connection Manager Administration Kit (CMAK) feature.

Create a connection profile
1. Open the Connection Manager Administration Kit from Administrative Tools.
2. Complete the wizard to create the connection profile.

Examine the created profile
• Use File Explorer to examine the contents of the folder created by the CMAK wizard to create the connection profile. Normally, you now would distribute this profile to your users.


Lesson 4

Configuring Remote Desktop and Remote Assistance

Many organizations use remote management and troubleshooting so that they can reduce troubleshooting time and reduce travel costs for support staff. Remote troubleshooting allows support staff to operate effectively from a central location.

Lesson Objectives
After completing this lesson, you will be able to:
• Describe Remote Desktop and Remote Assistance.
• Describe how to configure and use Remote Desktop.
• Configure and use Remote Assistance.

What Are Remote Desktop and Remote Assistance?


The Windows 8.1 operating system supports remote troubleshooting capabilities such as Remote Desktop, Remote Assistance, and other remote administrative tools.

Note: You also can use Windows PowerShell to perform remote administration. This is known as remoting, which lets you run Windows PowerShell cmdlets on remote computers. The appendix of this course discusses Windows PowerShell remoting in detail.

Remote Desktop

Remote Desktop uses the Remote Desktop Protocol (RDP) to allow users to access files on their office computer from another computer, such as one located at their home. Additionally, Remote Desktop allows administrators to connect to multiple Windows Server sessions for remote administration purposes. While a Remote Desktop session is active, Remote Desktop locks the target computer, prohibiting interactive logons for the session's duration.

Note: Microsoft RemoteFX delivers a rich user experience for Virtual Desktop Infrastructure by providing a three-dimensional virtual adapter, intelligent codecs, and the ability to redirect USB devices in virtual machines. RemoteFX is integrated with the RDP protocol, which enables shared encryption, authentication, management, and device support.

Remote Assistance
Remote Assistance allows a user to request help from a remote administrator. To access Remote Assistance, run the Windows Remote Assistance tool. By using this tool, you can do the following:
• Invite someone who is trustworthy to help you.
• Offer to help someone.
• View the remote user's desktop.
• Chat with the remote user with text chat.
• Send a file to the remote computer.
• Request to take remote control of the remote desktop, if permissions allow.

Users can send Remote Assistance invitations through email or by saving a request to a file that the remote administrator can read and act upon.

Windows Firewall
Windows 8.1 prevents remote troubleshooting tools from connecting to the local computer by using Windows Firewall. However, by default, Windows Firewall will allow Remote Desktop and Remote Assistance traversal of the firewall. To enable support for other applications, complete the following procedure:
1. Open Windows Firewall from Control Panel.
2. Click Allow a program or feature through the Windows Firewall, and then select the program or feature for which you want to enable an exception.

Configuring Remote Desktop


To access a remote computer from a source computer by using the Remote Desktop feature, you need to configure certain Remote Desktop settings on both computers. On the remote computer, you need to perform the following steps to enable remote access to the computer:
1. In Control Panel, click System and Security, click System, and then click Remote settings.
2. In the Remote tab of the System Properties dialog box, you can select one of the following options:
   o Don't allow connections to this computer.
   o Allow connections from computers running any version of Remote Desktop. This is a less secure option.
   o Allow connections only from computers running Remote Desktop with Network Level Authentication. This is a more secure option.
3. Click Select Users.
4. If you are prompted for an administrator password or confirmation, type the password or provide confirmation. If you are an administrator on the computer, your current user account will be added automatically to the list of remote users, and you can skip the next two steps.
5. In the Remote Desktop Users dialog box, click Add.
6. In the Select Users or Groups dialog box, do the following:
   a. To specify the location in which to search for the remote user, click Locations, and then select the location you want to search.
   b. In Enter the object names to select, type the name of the user that you want to add as a remote user, and then click OK.

On the source computer, you need to perform the following to access the remote computer:
1. Start Remote Desktop.
2. Before connecting, enter the logon credentials on the General tab, and make desired changes to the options in the Display, Local Resources, Programs, Experience, and Advanced tabs:
   o Display. Choose the remote desktop display size. You have the option to run the remote desktop in full-screen mode.
   o Local Resources. Configure local resources for use by the remote computer, such as Clipboard and printer access.
   o Programs. Specify which programs you want to start when you connect to the remote computer.
   o Experience. Choose connection speeds and other visual options.
   o Advanced. Provide security credential options.
3. Save these settings for future connections by clicking Save on the General tab.
4. Click Connect to connect to the remote computer.
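The remote-computer steps above, expressed as an added Windows PowerShell example (not from the course) that applies the more secure Network Level Authentication option and then verifies the result; the account Adatum\Adam is an assumed value, and the script must run from an elevated prompt on the Windows 8.1 computer that will accept connections.

```powershell
# Added example, not part of the course text: enable Remote Desktop on a
# Windows 8.1 computer with Network Level Authentication required, open the
# firewall rule group, and grant an assumed user (Adatum\Adam) access.
$tsPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpPath = Join-Path $tsPath 'WinStations\RDP-Tcp'

# Equivalent of "Allow connections ... to this computer": fDenyTSConnections = 0.
Set-ItemProperty -Path $tsPath -Name fDenyTSConnections -Value 0 -Type DWord

# Equivalent of the more secure option in the Remote tab: require Network Level
# Authentication, so the client authenticates before a full session is created.
Set-ItemProperty -Path $rdpPath -Name UserAuthentication -Value 1 -Type DWord

# Allow the Remote Desktop rule group through Windows Firewall.
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# Equivalent of "Select Users ... Add": make the user a Remote Desktop user.
# Add-LocalGroupMember is not available on Windows 8.1, so net.exe is used.
net localgroup 'Remote Desktop Users' 'Adatum\Adam' /add

# Verify the result instead of trusting that each step succeeded.
$deny  = (Get-ItemProperty -Path $tsPath  -Name fDenyTSConnections).fDenyTSConnections
$nla   = (Get-ItemProperty -Path $rdpPath -Name UserAuthentication).UserAuthentication
$rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Where-Object { $_.Enabled -eq 'True' }

[pscustomobject]@{
    RemoteDesktopEnabled     = ($deny -eq 0)
    NetworkLevelAuthRequired = ($nla -eq 1)
    FirewallRulesEnabled     = @($rules).Count
}
```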

Demonstration: Configuring Remote Assistance

This demonstration shows how to enable and use Remote Assistance. Adam needs help with a Microsoft Word feature. He requests assistance, and you provide guidance on the feature by using Remote Assistance.

Demonstration Steps

Create a Microsoft Word 2013 Document
1. Sign in as Adam, and then open Microsoft Word 2013.
2. Create a blank document, and type this is my document into the new Microsoft Word document.

Enable and then request Remote Assistance
1. Open Remote settings, and then specify administrative credentials when prompted by User Account Control.
2. Verify that remote access is allowed on this computer.
3. Run msra.exe, and then request Remote Assistance.
4. Save the invitation to a shared folder location that is accessible by your invitee.

Provide Remote Assistance
1. Switch to LON-CL2, and then sign in as Holly.
2. Retrieve the Remote Assistance request file, and then enter the password.
3. Request access, and then await acknowledgement.
4. Take remote control, and then direct the user how to create a comment in a Word 2013 document.
5. Create a chat window, and then ask the user if they are satisfied with the offered solution.
6. Close the session.


Lab C: Implementing Remote Desktop


Scenario

Adam has a desktop computer in his office in London that he might wish to use while he travels around the UK between his customers.

Objectives
After completing this lab, you will be able to:
• Configure Remote Desktop.

Lab Setup
Estimated Time: 15 minutes
Virtual machines: 20687C-LON-DC1, 20687C-LON-CL1, 20687C-LON-CL2
User name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. Verify that the following virtual machines are running:
   o 20687C-LON-DC1
   o 20687C-LON-CL1

You also will need to start and connect to 20687C-LON-CL2. Do not sign in until directed to do so.

Exercise 1: Configuring a Remote Desktop Connection


Scenario

You decide to enable Remote Desktop on his desktop computer so that Adam can access it to work on his data files should the need arise. Before Adam leaves, you decide to test the Remote Desktop connection to his desktop computer from his laptop. The main tasks for this exercise are as follows:
1. Enable Remote Desktop through the firewall, and enable Remote Desktop on Adam's office computer.
2. Connect to the remote computer with Remote Desktop.

Task 1: Enable Remote Desktop through the firewall, and enable Remote Desktop on Adam's office computer
1. On LON-CL1, open Windows Firewall, and then enable Remote Desktop through the firewall for all network location profiles (Domain, Private, and Public).

   Note: You also can enable this firewall rule indirectly by enabling Remote Desktop from Control Panel\System\Remote settings.

2. In Control Panel, in System and Security, click Allow remote access, and then select the following options:
   a. Click Allow remote connections to this computer.
   b. Add Adatum\Adam as a Remote Desktop user.
3. Confirm your changes, and then close all open windows.
4. Sign in to LON-CL2 as Adatum\Administrator with password Pa$$w0rd, and then open Remote Desktop Connection.
5. Specify the computer to connect to as LON-CL1, and then click Show Options.
6. On the Advanced tab, under Server authentication, in the If server authentication fails drop-down list, click Connect and don't warn me.

Task 2: Connect to the remote computer with Remote Desktop
1. Connect to LON-CL1. When prompted, enter the user name Adatum\Adam and the password Pa$$w0rd.
2. Determine the computer name within the Remote Desktop session.
3. Close the Remote Desktop session, and then close all open windows.
4. On LON-CL1, notice that you have been signed out.

Results: After completing this exercise, you should have successfully verified that Remote Desktop is functional.

To prepare for the next module


When you have finished the lab, revert the virtual machines to their initial state.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687C-LON-CL2, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20687C-LON-CL1 and 20687C-LON-DC1.


Module Review and Takeaways


Review Question
Question: You have some important files on your desktop work computer that you need to retrieve when you are at a client's location with your laptop computer. What do you need to do on your desktop computer to ensure that you can download your files when at a customer site?

Module 14
Recovering Windows 8.1
Contents:
Module Overview 14-1
Lesson 1: Backing Up and Restoring Files in Windows 8.1 14-2
Lesson 2: Recovery Options in Windows 8.1 14-5
Lab: Recovering Windows 8.1 14-18
Module Review and Takeaways 14-24

Module Overview

It is important to protect data on your computer from accidental loss or corruption. To recover from a problem, typically it is easier to restore system settings than to reinstall an operating system and apps. The Windows 8.1 operating system provides a number of features that you can use to protect important data files, in addition to tools that you can use to recover a computer that will not start or that starts with errors. You can use features such as File History, System Protection, and synchronization with SkyDrive to protect your data. To support your users, it is important that you understand how to use these features and tools.

Objectives
After completing this module, you will be able to:

- Back up and restore files in Windows 8.1.
- Explain the use of recovery options in Windows 8.1.


Lesson 1

Backing Up and Restoring Files in Windows 8.1

Although you might implement a file-recovery strategy for user data that is stored on network file servers or network-accessible storage devices, you should remember that users often save their work to local storage. Consequently, it is important that you provide some method of local file recovery so that you can recover these data files if they become corrupted or you delete them accidentally.

Lesson Objectives
After completing this lesson, you will be able to:

- Explain the need for data backup.
- Describe File History.
- Configure and use File History.

Discussion: The Need for Data Backup


A computer contains different types of data that it stores in different locations. Computer data types include operating system configuration files, app settings, user-related settings, and user data files. The latter can include documents, images, spreadsheets, and other types of files. Although computers are very reliable and most operating systems are robust and recoverable, problems do occur. Sometimes these problems can result in data loss. When data is stored on file servers, it usually is highly available and centrally backed up. But because users also store data locally, it is important that you protect data files and settings so that if a computer problem occurs, no data is lost.

A computer that is running Windows 8.1 stores data files and settings in several locations, so you need to ensure that you protect all of them. You can help protect these data files and settings by:

- Storing them on a file server, for example, when using Folder Redirection.
- Manually copying files to other media.
- Using Windows 8.1 file-recovery tools, such as File History.
- Syncing files and settings with SkyDrive.

Question: Does Windows 8.1 include a backup tool?


What Is File History?

Windows 8.1 enables users with multiple devices to synchronize their settings and data across these devices. In such a scenario, traditional system backup is not a requirement. Windows 8.1 includes features to protect user files and the ability to revert devices to their initial configurations, either by keeping user settings or not. In such environments, traditional backup seems obsolete because it is lengthy, device-specific, and includes content that is part of the initial device configuration. For these reasons, Windows Backup is no longer part of Windows 8.1. However, Windows 8.1 provides other features that you can use to protect user settings and data.

File History

With File History, Windows 8.1 can save copies of your files automatically to a removable local drive or to a shared folder on a network. After you enable File History, it periodically saves a copy of your modified files to a designated location. Windows 8.1 saves modified files each hour and keeps file versions indefinitely by default. However, you can configure the interval at which saves occur and how long Windows 8.1 will keep saved files. File History saves files from the following folders:

- Contacts
- Desktop
- Favorites

Additionally, File History saves files from the following libraries:

- Documents
- Music
- Pictures
- Videos

Note: You cannot add additional folders or libraries to this list, but you can add folders to the libraries that are protected by File History. You also can define exceptions if you do not want all files for the included folders and libraries to be included in File History.

To recover files, from the File History dialog box, you can click Restore personal files, and then select the file from the folders or libraries. Alternatively, you can recover files directly from File Explorer. Navigate to the folder that contains a deleted file, and then on the Home ribbon, click History. File History opens and lists the recoverable files.

Question: Is File History turned on by default?

Question: Can you protect additional folders by using File History?


Demonstration: Configuring and Using File History


In this demonstration, you will see how to configure File History in Windows 8.1 and use this feature to recover a deleted file.

Demonstration Steps
1. Create a new Microsoft Word 2013 document named Recovery file in the Documents library.
2. Modify the contents of the Recovery file document, and then save the file.
3. Use File History to add \\LON-DC1\FileHistory as an available drive, and then turn on File History.
4. Delete the file named Recovery file in the Documents library.
5. Use the History option in File Explorer to recover the file.


Lesson 2

Recovery Options in Windows 8.1

Registry corruption and issues with device drivers or system services can result in startup-related problems. Systematic troubleshooting is essential so that you can determine and resolve the underlying cause of the problem quickly and efficiently.

This lesson describes how to identify and troubleshoot issues that affect an operating system's ability to start, and how to identify problematic services that are running on an operating system. It also describes how to use troubleshooting tools in Windows 8.1. These tools are known collectively as the Windows Recovery Environment (Windows RE).

Lesson Objectives
After completing this lesson, you will be able to:

- Explain the Windows 8.1 startup process.
- Describe Windows startup and recovery options.
- Describe System Restore.
- Describe the Boot Configuration Data (BCD) store.
- Describe BCD configuration settings.
- Describe advanced startup settings.
- Describe the tools available in Windows RE.
- Resolve startup-related problems.
- Explain how to configure a recovery drive.

The Windows 8.1 Startup Process


Before you can recover a Windows 8.1 computer that does not start or starts with errors, you must understand how the operating system starts up when there are no issues. The Windows 8.1 boot loader architecture provides a quick and secure mechanism for starting the Windows operating system. The boot loader architecture has three main components:

- The Windows Boot Manager (Bootmgr.exe)
- The Windows OS Loader (Winload.exe)
- The Windows Resume Loader (Winresume.exe)

Windows Boot Manager


As a computer starts, Bootmgr.exe loads first and then reads the BCD, which is a database of startup configuration information that the hard disk stores in a format similar to the registry.


Note: The BCD provides a firmware-independent mechanism for manipulating boot environment data for any type of Windows system. Windows 8.1 uses the BCD to load the operating system or to run boot applications, such as memory diagnostics. Its structure is very similar to a registry key, although you should not manage it with the Registry Editor.

Bootmgr.exe replaces much of the functionality of the legacy NTLDR bootstrap loader that was used in Windows XP and older versions of the Windows operating system. Bootmgr.exe is a separate entity, and it is unaware of other startup operations of the operating system. Bootmgr.exe switches the processor into 32-bit or 64-bit protected mode, prompts the user for which operating system to load (if multiple operating systems are installed), and starts NTLDR if you have Windows XP or older installed.

Windows OS Loader

Winload.exe is the operating system boot loader that Windows Boot Manager invokes. Winload.exe loads the operating system kernel (Ntoskrnl.exe) and device drivers with start values of 0, which, combined with Bootmgr.exe, makes Winload.exe functionally equivalent to NTLDR. Winload.exe initializes memory, loads drivers that should start, and then transfers control to the kernel.

Windows Resume Loader

If the BCD contains information about a current hibernation image, Bootmgr.exe passes that information to Winresume.exe. Bootmgr.exe then exits, and Winresume.exe starts. Winresume.exe reads the hibernation image file and uses it to return the operating system to its pre-hibernation running state.

Windows 8.1 Startup Process on BIOS-Based Computers

When you switch on a computer, the startup process loads the BIOS. When it loads the BIOS, the system accesses the boot drive master boot record (MBR), followed by the drive's boot sector. The Windows 8.1 startup process occurs in the following steps:

1. The BIOS performs a power-on self test. From a startup perspective, the BIOS enables a computer to access peripherals such as hard disks, keyboards, and a computer display prior to loading an operating system. If any critical hardware component is malfunctioning or is not present, you can hear a sound and see an error if a display is connected.

2. The computer uses information in the BIOS to locate a startup device, for example, a DVD drive, network adapter, or a hard disk. A computer can start from a hard disk only if it contains the MBR.

3. A computer calls and loads Bootmgr.exe, which then locates an active drive partition on sector 0 of the discovered hard disk.

4. Bootmgr.exe reads the BCD file from the active partition, gathers information about the machine's installed operating systems, and then displays a boot menu if needed.

5. Bootmgr.exe transfers control to Winload.exe, or it calls Winresume.exe for a resume operation. If Winload.exe selects a down-level operating system, such as Windows XP, Bootmgr.exe transfers control to NTLDR. Otherwise, Winload.exe initializes memory and loads drivers that are set to begin at startup. These drivers are for fundamental hardware components such as disk controllers and peripheral bus drivers. Winload.exe then transfers control to the kernel of the operating system, Ntoskrnl.exe.

6. The kernel initializes, and then device drivers and services with start values greater than 0 are loaded in the order of their start value and dependency. During this phase, you will see the screen switch to graphical mode as the Session Manager (Smss.exe) initializes the Windows subsystem.

7. The operating system displays the logon screen, and a user can sign in to Windows 8.1.


Securing the Startup Process

Windows 8.1 includes two technologies that enhance the security of the startup process. These technologies help ensure that the boot environment is in a known and trusted state before antimalware software that is installed on the computer becomes active. These technologies are:

- Measured Boot. Measured Boot provides antimalware software that runs on Windows 8.1 with a tamper-proof log of all startup components that were running before the antimalware software started. This provides antimalware software with enough information to determine whether those startup components are trustworthy, or whether they have been modified by a malware infection. Measured Boot requires a client computer to have a trusted platform module chip.

- Secure Boot. Secure Boot is a feature of the Windows 8.1 operating system that blocks unauthorized firmware, operating systems, or Unified Extensible Firmware Interface (UEFI) drivers from running during startup. Secure Boot functions by referring to a database of authorized software signatures and software images. If the firmware is not trusted, trusted firmware must be restored before boot can continue. If an untrusted version of Bootmgr.exe is found, the Secure Boot process will boot a backup copy of Bootmgr.exe. If problems are found with drivers or Ntoskrnl.exe, Secure Boot automatically loads Windows RE. Secure Boot requires UEFI and cannot be used with computers that boot by using BIOS.

Question: Can you use the Last Known Good Configuration option in Windows 8.1 to use the same startup configuration that was used during the last successful computer startup?
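A check of the prerequisites the two technologies above depend on (UEFI for Secure Boot, a TPM for Measured Boot), as an added PowerShell example that is not part of the course. It assumes the Windows 8.1 built-in Confirm-SecureBootUEFI and Get-Tpm cmdlets and an elevated prompt.

```powershell
# Added example (not from the course): report whether this Windows 8.1 computer can use
# Secure Boot and Measured Boot. Run from an elevated Windows PowerShell prompt.
# Assumption: Confirm-SecureBootUEFI (SecureBoot module) and Get-Tpm
# (TrustedPlatformModule module) are available, as they are on Windows 8.1.

function Get-BootSecurityStatus {
    $status = [ordered]@{
        FirmwareIsUefi   = $false
        SecureBootOn     = $false
        TpmPresent       = $false
        TpmReady         = $false
        MeasuredBootLogs = 0
    }

    # Confirm-SecureBootUEFI throws PlatformNotSupportedException on BIOS-based
    # computers, which is the case the lesson calls out: Secure Boot needs UEFI.
    try {
        $status.SecureBootOn   = [bool](Confirm-SecureBootUEFI)
        $status.FirmwareIsUefi = $true
    } catch [System.PlatformNotSupportedException] {
        $status.FirmwareIsUefi = $false
    } catch {
        Write-Warning "Secure Boot state could not be read: $($_.Exception.Message)"
    }

    # Measured Boot needs a TPM; Get-Tpm reports whether one is present and ready.
    try {
        $tpm = Get-Tpm
        $status.TpmPresent = [bool]$tpm.TpmPresent
        $status.TpmReady   = [bool]$tpm.TpmReady
    } catch {
        # Cmdlet missing or TPM driver unavailable: treat as no usable TPM.
    }

    # When a TPM is in use, Windows keeps one Measured Boot log per start in this folder.
    $logDir = Join-Path $env:SystemRoot 'Logs\MeasuredBoot'
    if (Test-Path $logDir) {
        $status.MeasuredBootLogs = (Get-ChildItem $logDir -Filter '*.log' -File).Count
    }

    [pscustomobject]$status
}

$s = Get-BootSecurityStatus
$s | Format-List

# Say plainly which startup protection is missing and why it matters to antimalware.
if (-not $s.FirmwareIsUefi) {
    Write-Warning 'BIOS firmware: Secure Boot is unavailable; only Measured Boot (with a TPM) can apply.'
} elseif (-not $s.SecureBootOn) {
    Write-Warning 'UEFI firmware but Secure Boot is off: untrusted boot components are not blocked.'
}
if (-not $s.TpmPresent) {
    Write-Warning 'No TPM detected: Measured Boot cannot record a tamper-evident startup log.'
}
```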

Windows Startup and Recovery Options


If your computer fails to start correctly, you can use a number of tools to resolve the problem.

Windows RE
Windows RE is a recovery platform that is based on the Windows Preinstallation Environment (Windows PE). Windows RE provides three main functions:

- Diagnoses and repairs startup problems.
- Enables you to repair computers by performing push-button resets.
- Provides a platform for additional advanced recovery tools.

Accessing Windows RE
To access Windows RE, perform the following procedure:

1. Insert a Windows 8.1 installation DVD, and then start the computer.
2. When prompted, run the Windows 8.1 DVD setup program.
3. After you configure language and keyboard settings, click the Repair your computer link.
4. Click the Troubleshoot option. After that, you can select if you want to Refresh your PC, Reset your PC, or select from Advanced options, which includes Startup Repair and System Image Recovery.

Note: A setup disk is not provided on some computers, and therefore, the process of accessing Windows RE might vary from the steps provided in this topic.


Automatic Failover to Recovery

Windows 8.1 provides an on-disk Windows RE. A computer that is running Windows 8.1 can fail over automatically to the on-disk Windows RE if it detects a startup failure. Startup failure is detected when any of the following happens:

- A Windows operating system startup fails twice.
- A Windows operating system is restarted unexpectedly two times in two minutes after the startup.
- An error is detected during Secure Boot.
- A BitLocker Drive Encryption error is detected on a touch-only device.

During startup, the Windows loader sets a status flag that indicates when the boot process starts. The Windows loader clears this flag before it displays the Windows logon screen. If the startup fails, the loader does not clear the flag. Consequently, the next time the computer starts, the Windows loader detects the flag, assumes that a startup failure has occurred, and then presents to you an option to start Recovery instead of Windows 8.1. A computer must start successfully for the Windows loader to remove the flag. If there is an interruption to a computer's power during the startup sequence, the Windows loader does not remove the flag. Be aware that this automatic failover requires the presence of both the Windows Boot Manager and the Windows loader. If either of these elements of the startup environment is missing or corrupted, automatic failover cannot function, and you must initiate a manual diagnosis and repair of the computer's startup environment.

Windows Recovery Environment (Windows RE) Overview http://go.microsoft.com/fwlink/?LinkId=378260&clcid=0x409

Advanced Startup Settings

Windows 8.1 provides Advanced options for Startup Settings that you can use to change Windows startup behavior. When you configure Startup Settings, after the computer starts, you can select one of the following startup options:

- Enable debugging
- Enable boot logging
- Enable Safe Mode
- Enable Safe Mode with Networking
- Enable Safe Mode with Command Prompt
- Disable driver signature enforcement
- Disable early launch anti-malware protection
- Disable automatic restart after failure
- Launch Recovery Environment

Question: How can you access Windows RE if a computer cannot start from a hard disk because startup information is damaged?


Overview of System Restore


Windows 8.1 enables the System Restore feature automatically. System Restore takes a snapshot of your Windows configuration and stores it as a restore point. Restore points represent a point in time of the computer's configuration and do not include user personal data. Windows 8.1 can create restore points automatically before the following changes occur:

- Application installation, if the application uses an installer that is System Restore-compliant.
- Installation of Windows updates.

Restore points can be created in Windows 8.1:

- Manually, whenever you choose to create them.

- Based on a schedule. Windows 8.1 includes scheduled tasks, which can trigger restore point creation. A restore point is created automatically if no restore point has been created for seven days.

- Automatically, if you choose to use System Restore to restore to a previous restore point. In this instance, System Restore creates a new restore point before it restores the system to a previous state. This provides you with a recovery option should the restore operation fail or result in issues. Windows RE does not create a restore point for the current state if you are in Safe mode and you restore to a previous state.

You can access System Restore and revert Windows settings from the Windows 8.1 environment or from Windows RE. This means that you can restore your computer to an earlier restore point even if you cannot start Windows 8.1. If you want to restore your computer to an earlier restore point from Windows RE, you need to select a user and provide the user's password before you can use System Restore.

Note: Windows 8.1 includes a System Restore scheduled task named SR, which you can configure to automatically create restore points at scheduled intervals.

Perform Driver Rollbacks

If you install a device driver that results in a computer that is unstable or that fails to operate entirely, you might use System Restore. Older versions of Windows operating systems had a mechanism for driver rollbacks, but it required the computer to start successfully. With Windows 8.1, you can use System Restore to perform driver rollbacks by accessing the restore points, even when the computer does not start successfully.

Protect Against Accidental Deletion of Programs

System Restore also provides protection against accidental deletion of programs. System Restore creates restore points when you add or remove programs, and it keeps copies of application programs (file names with an .exe or .dll extension). If you accidentally delete an .exe file, you can use System Restore to recover it by selecting a recent restore point prior to your deletion of the program.

Restore points http://go.microsoft.com/fwlink/?LinkId=378261&clcid=0x409


Question: How can you configure Windows 8.1 to create restore points automatically more often than every seven days?
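The System Restore operations discussed in this topic (creating a restore point before a driver change, listing the points available for rollback, and inspecting the SR scheduled task) driven from Windows PowerShell, as an added example that is not part of the course. It assumes an elevated prompt; the driver description is a placeholder.

```powershell
# Added example (not from the course): protect a computer with System Restore before a
# driver installation, then inspect what System Restore and Windows RE could roll back to.
# Assumptions: elevated Windows PowerShell on Windows 8.1; the description is a placeholder.

# System Protection is on by default for the system drive, but confirm it (a policy or an
# earlier administrator may have turned it off). The drive needs a trailing backslash.
Enable-ComputerRestore -Drive "$env:SystemDrive\"

# Create a restore point manually before a risky change. Beginning with Windows 8,
# Checkpoint-Computer creates at most one restore point per 24 hours; a request inside
# that window is skipped without an error, so verify that the point really exists.
$description = 'Before installing placeholder display driver'   # constructed description
Checkpoint-Computer -Description $description -RestorePointType 'DEVICE_DRIVER_INSTALL'

$latest = Get-ComputerRestorePoint | Sort-Object SequenceNumber | Select-Object -Last 1
if ($latest.Description -ne $description) {
    Write-Warning "No new restore point was created (most recent: '$($latest.Description)')."
}

# List the restore points; CreationTime is a WMI datetime string, so convert it.
Get-ComputerRestorePoint |
    Select-Object SequenceNumber, Description, RestorePointType,
        @{ n = 'Created'; e = { [Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime) } } |
    Format-Table -AutoSize

# The built-in task named SR creates the automatic points; its triggers determine how
# often that happens, which is where the interval asked about above is changed.
Get-ScheduledTask -TaskPath '\Microsoft\Windows\SystemRestore\' -TaskName 'SR' |
    Select-Object TaskName, State,
        @{ n = 'Triggers'; e = { ($_.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -join ', ' } }

# To roll back from a running Windows 8.1, pick a SequenceNumber from the list and run:
#   Restore-Computer -RestorePoint <SequenceNumber>
# The computer restarts to apply the restore point.
```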

What Is the BCD Store?


In the Windows operating system, the BCD store is an extensible database of objects and elements that can include information about a current hibernation image, in addition to special configuration options for starting Windows 8.1 or an alternate operating system. BCD provides an improved mechanism for describing boot configuration data for new firmware models. The boot sector loads Bootmgr.exe, which in turn accesses BCD, and then uses that information to display a boot menu to the user (if multiple boot options exist) and to load the operating system. These parameters were previously in the Boot.ini file (in BIOS-based operating systems) or in the nonvolatile random access memory (NVRAM) entries in operating systems based on an EFI. However, Windows 8.1 replaces the Boot.ini file and NVRAM entries with BCD. This file is more versatile than Boot.ini, and it can apply to computer platforms that do not use BIOS to start a computer. You also can apply it to firmware models such as computers that are based on EFI.

Windows 8.1 stores the BCD data in the same format as a registry hive. For BIOS-based systems, the BCD data files are on the active partition, in the Boot directory, which is marked as system and hidden. For UEFI-based systems, BCD files are on the EFI system partition.

Question: One of your coworkers would like to modify Windows 8.1 startup settings, but he is not able to find the Boot.ini file. How can you help him?

Understanding BCD Configuration Settings


Depending on what settings you want to change, you can use the following tools to modify BCD:

- Startup and Recovery Advanced system settings. Select the default operating system if you have multiple operating systems installed on your computer. You also can change the time-out value.

- System Configuration utility (MSConfig.exe). An advanced tool that enables you to select the following startup options:

  o Safe boot options include:

    - Minimal. Start Windows in safe mode, in which only critical system services are running and networking is disabled.
    - Alternate shell. On startup, opens a command prompt in safe mode, in which only critical system services are running. Networking and the GUI are disabled.
    - Active Directory repair. On startup, opens the Windows GUI in safe mode, running critical system services.
    - Network. On startup, opens the Windows GUI in safe mode, running only critical system services. Networking is enabled.

  o Boot log. Records startup information into a log file.

  o No GUI boot. Does not display the Windows Welcome screen when starting.

  o Base video. Uses a generic video display adapter driver.

  o Advanced options:

    - Number of processors. Limits the number of processors that are used on a multiprocessor system.
    - Maximum memory. Limits the amount of memory that is used on a system.
    - PCI Lock. Prevents reallocation of I/O and interrupt request (IRQ) resources on the Peripheral Component Interconnect (PCI) bus.
    - Debug. Enables kernel-mode debugging for device driver development.

- BCDEdit.exe. BCDEdit.exe is a command-line tool in Windows 8.1 that replaces Bootcfg.exe. This advanced tool is for administrators and IT professionals. You can use BCDEdit.exe to change the BCD and perform tasks such as removing entries from the list that displays operating systems. BCDEdit.exe enables you to:

  o Add entries to an existing BCD store.
  o Modify existing entries in a BCD store.
  o Delete entries from a BCD store.
  o Export entries to a BCD store.
  o Import entries from a BCD store.
  o List currently active settings.
  o Query a particular type of entry.
  o Apply a global change (to all entries).
  o Change the default time-out value.

  Typical reasons to manipulate BCD with BCDEdit.exe include:

  o Adding a new hard disk to your Windows 8.1 computer and changing the logical drive numbering.
  o Installing additional operating systems on your Windows 8.1 computer to create a multiboot configuration.
  o Deploying Windows 8.1 to a new computer with a blank hard disk, which requires you to configure the appropriate boot store.
  o Performing a backup of BCD.
  o Restoring corrupted BCD.

- BootRec.exe. Rebuild BCD by using the BootRec.exe tool with the /rebuildbcd option in Windows RE. You must run BootRec.exe in Windows RE. If rebuilding BCD does not resolve startup issues, you can export and delete BCD, and then run this option again. By doing this, you ensure that BCD rebuilds completely.
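The BCDEdit.exe tasks listed above (backing up the store, changing the time-out and default entry, and forcing a safe boot or boot logging for troubleshooting) as an added PowerShell example that is not from the course. The backup path is a placeholder; {current} and {default} are the standard BCD identifiers, quoted so that PowerShell passes the braces through to bcdedit.

```powershell
# Added example (not from the course): back up the BCD store, then make the typical
# BCDEdit.exe changes discussed above. Run from an elevated Windows PowerShell prompt.
# Assumption: $backup is a placeholder location; choose one that survives a disk repair.

$backup = 'D:\BcdBackup\bcd.bak'   # placeholder path
New-Item -ItemType Directory -Path (Split-Path $backup) -Force | Out-Null

# 1. Export (back up) the whole store before touching anything. "Restoring corrupted BCD"
#    is then a single command later:  bcdedit /import $backup
bcdedit /export $backup
if ($LASTEXITCODE -ne 0) { throw 'BCD export failed; leaving the store unchanged.' }

# 2. Show the current entries so the identifiers and the time-out are known before editing.
bcdedit /enum

# 3. Shorten the boot menu delay from the 30-second default to 5 seconds on a multiboot
#    computer (Startup and Recovery can change the same setting from the GUI).
bcdedit /timeout 5

# 4. Make the Windows 8.1 installation you are running from the default entry.
bcdedit /default '{current}'

# 5. Force the next start into Safe Mode (the same as MSConfig's Minimal safe boot) when a
#    driver or service prevents a normal start. Remove the value afterwards, or the
#    computer keeps starting in Safe Mode.
bcdedit /set '{default}' safeboot minimal
# ... troubleshoot in Safe Mode, then:
bcdedit /deletevalue '{default}' safeboot

# 6. Turn on boot logging (writes Ntbtlog.txt during startup), and off again when done.
bcdedit /set '{default}' bootlog yes
bcdedit /deletevalue '{default}' bootlog

# From the Windows RE Command Prompt (not a running Windows), the store is rebuilt with
#   bootrec /rebuildbcd
# and, if that does not help, exported and removed first so that it rebuilds completely:
#   bcdedit /export C:\bcd.bak
#   attrib C:\Boot\bcd -h -r -s
#   ren C:\Boot\bcd bcd.old
#   bootrec /rebuildbcd
```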


BCDedit.exe syntax and parameters http://go.microsoft.com/fwlink/?LinkId=378262&clcid=0x409

Question: Your coworker has a dual-boot computer and would like to configure the computer to start Windows 8.1 automatically without showing the list of installed operating systems for 30 seconds first. Is BCDEdit.exe the only tool your coworker can use to achieve this goal?

Advanced Startup Settings


Windows 8.1 provides advanced startup settings that you can use to start an operating system in an advanced troubleshooting mode. If you want to use advanced startup settings, you must change advanced startup options. You can change advanced startup options in several ways:

- Change advanced startup options in Windows 8.1.
- Press the Shift key while selecting the Restart option in the Settings charm.
- Restart the computer by running the shutdown.exe /r /o command.

Note: In Windows 8.1, you cannot access advanced startup settings by pressing F8 during the startup process, as you were able to in older versions of Windows operating systems.

When the computer restarts, you are presented with the following options:

- Enable debugging. By selecting the debugging mode, you can start Windows 8.1 in a special troubleshooting mode. In this mode, you can monitor the behavior of device drivers and determine whether a specific device driver is causing Windows 8.1 to stop unexpectedly.

- Enable boot logging. When you use this mode, the Windows 8.1 start process creates and writes to a file named Ntbtlog.txt. This file records the device drivers that Windows 8.1 installs and loads during startup.

- Enable low-resolution video. In this mode, you can start Windows 8.1 in a special low-resolution mode of 640×480. This mode can be necessary when you attempt to resolve incorrectly applied graphics resolution settings.

- Enable Safe Mode. In safe mode, Windows 8.1 can start with a minimal set of drivers, services, and applications. You can use safe mode to disable services and applications that might be causing the Windows operating system to stop. Computers often start in safe mode when they are unable to start normally. Safe mode does not load network drivers, so network connectivity is not possible in safe mode.

- Enable Safe Mode with Networking. Safe mode with networking is similar to safe mode, except that it allows network connectivity.

- Enable Safe Mode with Command Prompt. This version of safe mode starts with a Command Prompt window rather than the Windows interface. In this mode, you can disable applications and services from the command line if you are unable to perform this operation by using safe mode.

- Disable driver signature enforcement. In this mode, you can load device drivers that are not digitally signed. This might be necessary when testing device drivers with Windows 8.1 that have not been formally released.

- Disable early launch anti-malware protection. In this mode, you can start Windows 8.1 without the early launch antimalware functionality running. This functionality might stop Windows 8.1 from starting in certain circumstances, but it should be disabled only after other options have been tried.

- Disable automatic restart after failure. Use this option to stop Windows 8.1 from automatically restarting after a failure occurs. You might need to use this option if Windows 8.1 enters a reboot cycle.

- Launch Recovery Environment. Use this option to start Windows RE. You can use the recovery environment to trigger the Refresh your PC or Reset your PC function.

Question: Can you access Startup Settings options by pressing F8 during computer startup?

Tools Available in Windows RE


Windows RE provides access to tools that you can use to help recover your computers startup environment.

Refresh your PC
This option enables you to retain your personal data, apps, and settings, but replaces the Windows 8.1 operating system. This is useful when it is important to retain user-related files and settings, but you do not have the time to determine the specific cause of a startup problem or to resolve it. You need Windows installation or recovery media if you want to perform a refresh.

Note: Because it is quite likely that user settings might have created the startup problem from which you are attempting to recover, the Refresh your PC option is careful about which settings to restore. For instance, this option does not restore file associations, display settings, and Windows Firewall settings during the refresh process.

Note: It is possible to use the Recimg.exe command-line tool to create a refresh image, which enables you to refresh your computer to a specific point in time.

Reset your PC

This option removes all user data, user settings, and apps and then reinstalls Windows 8.1. You should select this option when there is no need to retain user data or settings. By using this setting, you revert your computer to the deployment defaults. You need Windows installation or recovery media if you want to perform a reset.

Push-Button Reset Overview http://go.microsoft.com/fwlink/?LinkId=378263&clcid=0x409


System Restore

Windows 8.1 provides System Restore capabilities that you can access from the System Tools folder. If you have a system failure or another significant problem with your computer, you can use System Restore to return your computer to an earlier state. The primary benefit of System Restore is that it restores your system to a workable state without reinstalling the operating system or causing data loss. Additionally, if a computer does not start successfully, you can use System Restore by starting Windows RE from Windows 8.1 media.

System Image Recovery

System Image Recovery replaces your computer's current operating system with a complete computer image that you created previously. You can use this tool only if you have made a recovery drive of your computer. You should use this tool only if other recovery methods are unsuccessful. It is a very intrusive recovery method that overwrites everything on a computer.

Startup Repair
The Startup Repair tool in Windows RE provides a simple and effective way for you to resolve most common startup problems. Before you can use Startup Repair, you must provide the password of the administrator account that previously signed in to the computer. Startup Repair detects most common startup issues and automatically corrects them. It performs the following functions:

- Replace or repair disk metadata. Disk metadata consists of several components, including the boot sector and the MBR. If these files are missing or corrupted, the startup process fails. If you suspect that an issue has damaged or deleted these files, use Startup Repair to check for problems with the disk metadata. Startup Repair automatically checks and, if necessary, repairs the disk metadata.

  Damage to disk metadata often occurs because of unsuccessful attempts to install multiple operating systems on a single computer. Another possible cause of metadata corruption is a virus infection.

- Repair boot configuration settings. Windows 8.1 uses a configuration store that is stored in a Boot folder on an active partition. If the boot configuration data is damaged or deleted, the operating system fails to start. The Startup Repair tool checks and, if necessary, rebuilds BCD by scanning for Windows installations on the local hard disks, and then storing the necessary BCD.

- Resolve incompatible driver issues. Installing a new hardware device and its associated device driver often causes the Windows operating system to start incorrectly. The Startup Repair tool performs device driver checks as part of its analysis of your computer. If Startup Repair detects a driver problem, it uses System Restore points to attempt a resolution by rolling back the configuration to a known working state.

Command Prompt

Windows 8.1 uses a Command Prompt tool from the Windows RE tool set as its command-line interface. The Command Prompt tool is more powerful than the Recovery Console from older versions of Windows operating systems, and its features are similar to the command prompt that is available when Windows 8.1 is running normally. The Command Prompt tool performs the following functions: Resolves problems with a service or device driver. If a computer that is running Windows 8.1 experiences problems with a device driver or Windows service, use the Command Prompt tool to attempt a resolution. For example, if a device driver fails to start, use the Command Prompt tool to install a replacement driver or disable the existing driver from the registry. For example, if the Netlogon service fails to start, type Net Start Netlogon at the command prompt. You also can use the SC tool (Sc.exe) command-line tool to start and stop services. Recovers missing files. The Command Prompt tool enables you to copy missing files to your computers hard disk from original source media, such as the Windows 8.1 installation DVD or USB flash drive.


- Accesses and configures BCD. Windows 8.1 uses a BCD store to retain information about the operating systems that you install on the computer. You can access this information by using the BCDEdit.exe tool at the command prompt. You also can reconfigure the store if necessary. For example, you can reconfigure the default operating system on a dual-boot computer with the BCDEdit.exe /default id command, where id is the identifier of the boot entry.

- Repairs the boot sector and MBR. If the boot sector or MBR on the local hard disk is damaged or missing, a computer that is running Windows 8.1 will fail to start successfully. You can launch the BootRec.exe command at the command prompt to resolve problems with the disk metadata.

- Runs diagnostic and troubleshooting tools. The Command Prompt tool provides access to many programs that you can access from Windows 8.1 during normal operations. These programs include several troubleshooting and diagnostics tools, such as the Registry Editor (Regedit.exe), a disk and partition management tool (Diskpart.exe), and several networking configuration tools (Net.exe, Ipconfig.exe, and Netcfg.exe). Another option is to load Task Manager (Taskmgr.exe), which you can use to determine which programs and services are running currently.

Note: Windows PE is not a complete operating system. Therefore, when you use the Command Prompt tool in Windows RE, remember that not all programs that work in the Windows operating system will work at the command prompt. Additionally, because there are no logon requirements for Windows PE and Windows RE, Windows 8.1 restricts the use of some programs for security reasons, including many that administrators typically run.

Question: Can you use System Image Recovery without any previous preparation?

Question: What is the main difference between the Refresh your PC and Reset your PC options?

Demonstration: Resolving Startup-Related Problems


In this demonstration, you will see how to resolve startup-related problems by using the tools in Windows RE.

Demonstration Steps
1. On 20687C-LON-CL1, mount the Windows 8.1 installation DVD from D:\Program Files\Microsoft Learning\20687\Drives\Win81Ent_Eval.iso, and then start the virtual machine.
2. Initialize setup from the DVD, and then click Repair your computer.
3. Click Troubleshoot from the available options, and then click Advanced options.
4. Click Command Prompt, and then run the following commands to view the startup environment:
   o Bcdedit /enum
   o Bootrec /scanos
   o Diskpart
5. In Diskpart, type the following commands to view information about the disks and volumes installed on LON-CL1:
   o List disk
   o List volume
6. Close Diskpart, and then close the Command Prompt window.
7. Perform Startup Repair from the Windows RE Troubleshoot menu.
8. Restart your computer normally.
9. On LON-CL1, sign in as Adatum\Administrator with password Pa$$w0rd, and then open an elevated command prompt.
10. Create a duplicate boot entry by running the following command at the elevated command prompt:
    bcdedit /copy {current} /d "Duplicate boot entry"
11. Verify the presence of Duplicate boot entry in the store with the following command, and then restart the computer:
    Bcdedit /enum
12. When the Windows operating system restarts, wait until the Choose an operating system menu appears, and then click Change defaults or choose other options. Select the following options in turn:
    o Choose other options
    o Troubleshoot
    o Advanced options
    o Startup Settings
    o Restart
13. Start Windows in Safe Mode, and then sign in as Adatum\Administrator with password Pa$$w0rd.
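The following Windows PowerShell script is an added example and is not part of the course material. It turns the text that bcdedit /enum prints into objects so that you can confirm the entry created with bcdedit /copy exists and identify which entry the boot manager treats as the default, rather than reading the raw listing by eye. The function names ConvertFrom-BcdEnum and Get-BcdDefaultEntry, and the sample store output with its placeholder GUIDs, are this example's own; on a real system run it from an elevated Windows PowerShell prompt and omit the -Lines argument so that bcdedit is queried directly.

```powershell
# Added example, not part of the course: parse "bcdedit /enum" output into
# objects so that the duplicate entry created with "bcdedit /copy" can be
# verified and the default boot entry located. Function names are this
# example's own; the sample output below is constructed, with placeholder GUIDs.

function ConvertFrom-BcdEnum {
    param(
        # Lines of "bcdedit /enum" output; by default runs bcdedit, which
        # needs an elevated prompt on the running Windows 8.1 system.
        [string[]]$Lines = (& bcdedit.exe /enum)
    )
    $entries = New-Object System.Collections.Generic.List[object]
    $entry   = $null
    $lastKey = $null
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        $line = $Lines[$i]
        # A section header such as "Windows Boot Loader" is underlined with dashes.
        if ($i + 1 -lt $Lines.Count -and $Lines[$i + 1] -match '^-{5,}$') {
            if ($null -ne $entry) { $entries.Add([pscustomobject]$entry) }
            $entry   = [ordered]@{ Type = $line.Trim() }
            $lastKey = $null
            $i++                                   # skip the dashes line
            continue
        }
        if ($null -eq $entry -or [string]::IsNullOrWhiteSpace($line)) { continue }
        if ($line -match '^(\S+)\s{2,}(.+)$') {   # "name   value"
            $lastKey = $Matches[1]
            $entry[$lastKey] = $Matches[2].Trim()
        }
        elseif ($lastKey -and $line -match '^\s+(\S.*)$') {
            # Indented continuation, e.g. a second identifier under displayorder.
            $entry[$lastKey] = @($entry[$lastKey]) + $Matches[1].Trim()
        }
    }
    if ($null -ne $entry) { $entries.Add([pscustomobject]$entry) }
    return $entries
}

function Get-BcdDefaultEntry {
    param([object[]]$Entries)
    $mgr = $Entries | Where-Object { $_.identifier -eq '{bootmgr}' }
    if (-not $mgr) { throw 'No Windows Boot Manager entry found in the store.' }
    $Entries | Where-Object { $_.identifier -eq $mgr.default }
}

# Constructed sample: a store after the "bcdedit /copy {current} /d ..." step.
$sample = @'
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\Device\HarddiskVolume1
description             Windows Boot Manager
default                 {current}
displayorder            {current}
                        {11111111-2222-3333-4444-555555555555}
timeout                 30

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 8.1

Windows Boot Loader
-------------------
identifier              {11111111-2222-3333-4444-555555555555}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Duplicate boot entry
'@ -split "`r?`n"

$entries = ConvertFrom-BcdEnum -Lines $sample
$loaders = $entries | Where-Object Type -eq 'Windows Boot Loader'
"Default entry : $((Get-BcdDefaultEntry $entries).description)"
"Loader entries: $(($loaders | ForEach-Object description) -join ', ')"
$dup = $loaders | Where-Object description -eq 'Duplicate boot entry'
if ($dup) {
    "Duplicate present as $($dup.identifier); remove it after the lab with: bcdedit /delete $($dup.identifier)"
}
```

With the constructed sample, the script reports Windows 8.1 as the default entry and lists both loader entries; an unexpected loader entry in this listing on a production computer is exactly the kind of change the boot configuration should be checked for after an incident, because the default and displayorder values decide which code runs before the operating system does.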

Configuring a Recovery Drive


You can use a recovery drive to run Windows RE and troubleshoot a Windows 8.1 installation even if the computer cannot start from the hard drive. A recovery drive includes all the Windows RE tools, and it can include a copy of the recovery partition.

You can create a recovery drive by using the Recovery Drive Wizard. A recovery drive is created on a USB flash drive with a capacity of at least 256 megabytes (MB). During creation of the recovery drive, the USB flash drive is formatted, so all of its previous content is lost. If your computer has a recovery partition, the Recovery Drive Wizard can copy it to a USB flash drive, and you can later use it to perform PC Refresh.

Note: If a Windows 8.1 computer does not have a recovery partition, you can create one by running the recimg.exe command. A recovery partition is used during Refresh your PC, and it contains a copy of desktop apps and Windows system files. A recovery partition does not contain your documents, personal settings, user profiles, or Windows Store apps.


Recovery Drive: http://go.microsoft.com/fwlink/?LinkId=378264&clcid=0x409

Question: Can you create a recovery drive on a DVD?

Question: Which recovery tasks can you perform when you start a computer from a recovery drive?


Lab: Recovering Windows 8.1


Scenario

You must demonstrate to your coworkers how you can configure and use File History to protect documents. You also need to recover a Windows 8.1 computer that belongs to one of the employees at A. Datum Corporation. To do this, you first will examine the recovery options available in Windows 8.1. You then will attempt to resolve a startup issue, and you will document the solution that you used to resolve the issue.

Objectives
After completing this lab, you will be able to:
- Configure and use File History.
- Explore Windows 8.1 recovery options.
- Introduce a simulated problem.
- Resolve a problem.

Lab Setup
Estimated Time: 60 minutes
Virtual machines: 20687C-LON-DC1, 20687C-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687C-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in by using the following credentials:
   o User name: Administrator
   o Password: Pa$$w0rd
   o Domain: Adatum
5. Repeat steps 2 through 4 for 20687C-LON-CL1.

Exercise 1: Configuring and Using File History


Scenario

A. Datum users are complaining that they cannot find any backup apps in Windows 8.1. You have been asked to demonstrate to these users how they can use File History to protect files that are stored locally on their computers.

The main tasks for this exercise are as follows:
1. Create a share for File History.
2. Configure and use File History.
3. Protect an additional folder with File History.


Task 1: Create a share for File History

On LON-DC1, create a folder named FileHistory. Grant domain users Full Control permissions to the folder, and then share it with Full Control permissions for Everyone.

Task 2: Configure and use File History


1. Create a new Word 2013 document named Recovery file in the Documents library.
2. Modify Recovery file contents, and then save the file.
3. Use File History to add \\LON-DC1\FileHistory as an available drive, and then turn on File History.
4. Delete the file named Recovery file in the Documents library.
5. Use the History option in File Explorer to recover the file.

Task 3: Protect an additional folder with File History


1. On LON-CL1, verify that three file folders and four libraries are protected by the File History feature. Also, verify that only Recovery file.docx is protected currently by File History.
2. Use File Explorer to add the folder E:\Labfiles\Docs to the Documents library.
3. Use File History to run file copy.
4. Use File Explorer to delete the E:\Labfiles\Docs\Windows.docx file.
5. Use File History to restore the Windows.docx file to the E:\Labfiles folder.
6. Use File Explorer to verify that the Windows.docx file is restored to the E:\Labfiles folder.

Results: After completing this exercise, you should have configured and used the File History feature.

Exercise 2: Exploring Windows 8.1 Recovery Options


Scenario
In this exercise, you will explore startup-recovery options, including accessing the advanced startup options.

The main tasks for this exercise are as follows:
1. Configuring System Restore.
2. Using System Restore.
3. Access Windows RE tools.
4. Create a duplicate boot entry in the boot store.
5. Enable advanced boot options.

Task 1: Configuring System Restore


1. On LON-CL1, use System Properties to turn on System protection.
2. Create a restore point, and then name it Initial settings.
3. Use File Explorer to navigate to the E:\Labfiles\Mod14 folder, and then install XML Notepad. Verify that the XML Notepad 2007 shortcut is added to the desktop.
4. Create a new text document on the desktop and name it My document.
5. Use Device Manager to update the driver for Microsoft Hyper-V Virtual Keyboard with a driver for Microsoft Wireless Keyboard 700 v2.0 (106/109).

   Note: Be aware that you must clear the Show compatible hardware check box to be able to select it.

6. In Device Manager, verify that Microsoft Wireless Keyboard 700 v2.0 (106/109) is shown with an exclamation point (!).

Task 2: Using System Restore


1. Use System Restore to scan for programs that would be affected if you restored the Initial settings restore point.
2. Use System Restore to restore the Initial settings restore point.
3. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
4. Verify that My document.txt is still on the desktop and that the XML Notepad 2007 shortcut is no longer present on the desktop.
5. Use Device Manager to verify that Microsoft Hyper-V Virtual Keyboard is present. Microsoft Wireless Keyboard 700 v2.0 (106/109) was removed, as you added it after the restore point was created.
6. Use System Restore to verify that an additional restore point with the description Restore Operation and Type of Undo was created.
7. Shut down LON-CL1 and wait until LON-CL1 is turned off.

Task 3: Access Windows RE tools


1. On 20687C-LON-CL1, mount the Windows 8.1 installation DVD from D:\Program Files\Microsoft Learning\20687\Drives\Win81Ent_Eval.iso, and then start the virtual machine.
2. Initialize setup from the DVD, and then select Repair your computer.
3. Select Troubleshoot from the available options, and then select Advanced options.
4. Use System Restore to verify that the restore points that were created can be restored from Windows RE. Verify which programs would be affected if you restored the Restore Operation restore point. Do not restore any restore point, and return to the Advanced options screen.
5. Click Command Prompt, and then run the following commands to view the startup environment:
   o Bcdedit /enum
   o Bootrec /scanos
   o Diskpart
6. In Diskpart, type the following commands to view information about disks and volumes installed on LON-CL1:
   o List disk
   o List volume
7. Close Diskpart, and then close the Command Prompt window.
8. Perform Startup Repair from the Windows RE Troubleshoot menu.
9. Restart your computer normally.


Task 4: Create a duplicate boot entry in the boot store


1. On LON-CL1, sign in as Adatum\Administrator with password Pa$$w0rd, and then open an elevated command prompt.
2. Create a duplicate boot entry by running the following command at the elevated command prompt:
   bcdedit /copy {current} /d "Duplicate boot entry"
3. Verify the presence of Duplicate boot entry in the store with the following command, and then restart the computer:
   Bcdedit /enum

Task 5: Enable advanced boot options


1. When the Windows operating system restarts, wait until the Choose an operating system menu appears, and then click Change defaults or choose other options. Select the following options in turn:
   o Choose other options
   o Troubleshoot
   o Advanced options
   o Startup Settings
   o Restart
2. Start the Windows operating system in safe mode, and then sign in as Adatum\Administrator with password Pa$$w0rd.
3. Revert and restart the 20687C-LON-CL1 virtual machine in preparation for the next exercise.

Results: After completing this exercise, you should have used various Windows 8.1 operating system startup-recovery tools.

Exercise 3: Introducing a Simulated Problem


Scenario

In this exercise, you will attempt to fix a computer that is running Windows 8.1. The computer does not start successfully. You have an open help-desk ticket so that you can determine the likely cause of the problem.

A. Datum Incident Record

Incident number: 161071
Date and time of call: Jan 25 10:45am
User: Adam Carter

Incident Details
Adam Carter has reported that his computer will not start properly.

Additional Information
Adam has been trying to install an additional operating system on his computer so that he can run a specific line-of-business application. He abandoned the installation after getting only partway through the process. Since then, his computer displays the following error message when it starts:

Windows Boot Manager.
File: \Boot\BCD
Status: 0xc0000034
Info: The Windows Boot Configuration Data (BCD) file is missing required information.

Plan of Action

The main tasks for this exercise are as follows:
1. Read the help-desk Incident Record for Incident 161071.
2. Update the Plan of Action section of the Incident Record.
3. Simulate the problem.

Task 1: Read the help-desk Incident Record for Incident 161071


Read the help-desk Incident Record (in the exercise scenario in the student handbook) for Incident 161071.

Task 2: Update the Plan of Action section of the Incident Record


1. Read the Additional Information section of the Incident Record.
2. Update the Plan of Action section of the Incident Record with your recommendations.

Task 3: Simulate the problem


1. Switch to LON-CL1, and then sign in by using the following credentials:
   o User name: Adatum\Administrator
   o Password: Pa$$w0rd
2. Open File Explorer, run the E:\Labfiles\Mod14\Scenario1.vbs script, and then wait while LON-CL1 restarts.

Results: After this exercise, you should have reproduced the reported startup problem on Adam's computer.


Exercise 4: Resolving a Problem


Scenario
In this exercise, you must attempt to resolve the startup problem.

The main task for this exercise is as follows:
1. Attempt to resolve the problem.

Task 1: Attempt to resolve the problem


1. On LON-CL1, attempt to resolve the problem by using your knowledge of the startup architecture and the tools available for troubleshooting the startup environment.
2. Update the Plan of Action section of the Incident Record.
3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance. To repeat or exit the exercise, revert the virtual machine environment.

Results: After completing this exercise, you should have resolved the startup problem and documented your solution.

Prepare for the next module


When you have finished the lab, revert the virtual machines to their initial state.

1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687C-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20687C-LON-DC1.


Module Review and Takeaways


Review Questions
Question: After installing a new video driver, your user's computer becomes unstable and will not start correctly. What would you try first to resolve this problem?

Question: The boot environment of a user's computer is corrupted, and you suspect a virus. Before you can run virus removal tools, you must repair the boot configuration. What command-line tool or tools could you use?

Question: You add a new hard disk to the computer, which changes the computer's partition numbering. To enable the computer to start, you need to change the BCD. What tool can you use to change the BCD?

Question: A user has reported a problem to the help desk. The user is experiencing problems with starting a computer after a new device driver was added. You decide to start the computer by using a minimal boot, but you want to configure that from the Windows operating system before restarting. What tool could you use?

Question: A system service is causing startup problems, and your help-desk user has started the problematic computer in Windows RE. What command-line tool can you use to modify the service startup type?

Question: The help desk recently installed a new device driver on a computer. A stop code is generated and a blue screen is shown during computer startup. What recovery mechanism would you try first?

Tools
Tool | Use for | Where to find it
BCDEdit.exe | Viewing and configuring the BCD store | Command-line
Sc.exe | Managing services | Command-line
MSConfig.exe | Managing services and the startup environment | Windows operating system
Windows RE | Troubleshooting Windows 8.1 computers | Elements available on hard disk (automatic failover) and the product installation DVD
Safe Mode | Troubleshooting startup | Accessible from the Startup Settings page
BootRec.exe | Managing the boot environment | Command-line


Module 15
Configuring Client Hyper-V
Contents:
Module Overview 15-1
Lesson 1: Overview of Client Hyper-V 15-2
Lesson 2: Creating Virtual Machines 15-6
Lesson 3: Managing Virtual Hard Disks 15-13
Lesson 4: Managing Checkpoints 15-19
Lab: Configuring Client Hyper-V 15-24
Module Review and Takeaways 15-27

Module Overview

Hyper-V is the primary platform for infrastructure virtualization. Hyper-V enables multiple operating systems to run in individual virtual machines that share the same physical platform. Virtual machines can be isolated or connected to a network. This module will introduce you to Client Hyper-V in Windows 8.1 and explain the fundamentals of working with virtual machines in a Client Hyper-V environment.

Objectives
After completing this module, you will be able to:
- Describe the functionality and benefits of using Client Hyper-V.
- Create virtual machines.
- Manage virtual hard disks (VHDs).
- Manage checkpoints.


Lesson 1

Overview of Client Hyper-V

Client Hyper-V is a Windows 8.1 feature that is available only in the 64-bit version of the operating system. You can use Client Hyper-V to create and run multiple virtual machines on the same Windows 8.1 computer. You can isolate virtual machines or connect them to a network. You also can use them to provide an additional environment, such as for running applications that are not compatible with Windows 8.1.

This lesson introduces you to Client Hyper-V functionality in Windows 8.1, and it introduces scenarios that might benefit from a virtual environment. Client Hyper-V provides the same core virtualization technology that is included in Windows Server 2012 R2.

Lesson Objectives
After completing this lesson, you will be able to:
- Explain the purpose and functionality of Client Hyper-V.
- Identify scenarios for using Client Hyper-V.

Purpose and Functionality of Client Hyper-V

At its most basic level, Client Hyper-V provides the ability to share a computer's physical hardware with one or more isolated operating systems that are running in virtualized environments or virtual machines. Virtual machines are configured to share physical resources from a physical computer, and they represent those virtualized resources as usable components to a virtual machine's operating system. For example, one computer with one network adapter might have five different virtual machines that run in Client Hyper-V. In each of these virtual machines, a virtualized network adapter is associated with the single physical network adapter, enabling five virtual machines to have individual media access control (MAC) addresses, to be assigned individual IP addresses, and to gain network access. Similar virtualization happens with other hardware components, such as processors, memory, and hard disks.

Client Hyper-V Functionality

Client Hyper-V is a feature that enables virtualization within a Windows 8.1 environment. Client Hyper-V uses the same virtualization engine as Hyper-V in Windows Server 2012 R2 and contains the same core feature set. Client Hyper-V replaces the Windows XP Mode that was previously available in Windows 7, and it has some significant differences in functionality:

- Compatibility with Hyper-V in Windows Server. Client Hyper-V supports the same standard functionality as Hyper-V in Windows Server. You can import and export virtual machines and virtual hard disks between Hyper-V and Client Hyper-V without any requirement for conversion or modification.

- Support for 64-bit virtual machines. Client Hyper-V can provide both a 32-bit and a 64-bit virtualized hardware environment for virtual machines. Windows XP Mode supported only 32-bit virtualized hardware.

- No application-level virtualization. In Windows 7, Windows XP Mode enabled a user to run an application in a virtualized Windows XP environment while displaying it within a Windows 7 environment. In Windows 8.1, Client Hyper-V exposes the complete virtualized operating system in its own window.

Hyper-V and Client Hyper-V Feature Comparison


The following table compares the availability of some features between Client Hyper-V and Hyper-V.

Feature | Client Hyper-V in Windows 8.1 | Hyper-V in Windows Server 2012 R2
Sleep and hibernate for physical computer and virtual machines | Yes | 
Hyper-V Replica |  | Yes
Microsoft RemoteFX graphics virtualization |  | Yes
Single-root I/O virtualization (SR-IOV) |  | Yes
Virtual Fibre Channel |  | Yes
Virtual machine live migration |  | Yes
Network virtualization |  | Yes
Virtual wireless network adapters | Yes | 
Live storage move | Yes | Yes
Up to 64 terabytes (TB) per virtual disk | Yes | Yes

Client Hyper-V Requirements


To implement Client Hyper-V in Windows 8.1, a computer must meet the following requirements:

- Memory. A computer must have at least 4 gigabytes (GB) of physical memory to support Client Hyper-V. The memory in a computer is allocated and unallocated dynamically as required by the virtual machines. You can run several virtual machines on a Windows 8.1 host if it meets the minimum memory requirement. Depending on the specific requirements of virtual machines, you might need to install more physical memory.

- Storage. Client Hyper-V supports the same storage migration capability that is included in Hyper-V in Windows Server 2012 R2. This means that you can store virtual machines independently of the underlying storage. Additionally, you can move virtual machines' storage between local drives, to a USB drive, or to a remote file share without having to stop the virtual machines.

- Processor. A computer must have an x64 processor that supports hardware-assisted virtualization and Data Execution Prevention (DEP). Additionally, it must be running the 64-bit edition of the Windows 8.1 operating system. Client Hyper-V requires a 64-bit processor architecture that supports second-level address translation. Second-level address translation reduces the overhead incurred during the virtual-to-physical address mapping process performed for virtual machines.
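The following Windows PowerShell script is an added example, not part of the course, that checks a computer against the requirements just listed by reading the CIM classes Windows 8.1 exposes, and reports whether the Hyper-V optional features are enabled. The function names Test-ClientHyperVHost and Get-ClientHyperVFeatureState are this example's own; the CIM class and property names and the DISM feature names are real. Run it from an elevated Windows PowerShell prompt, because Get-WindowsOptionalFeature requires elevation.

```powershell
# Added example, not from the course: test whether this computer meets the
# Client Hyper-V requirements (64-bit Windows, 4 GB RAM, DEP, hardware-assisted
# virtualization, second-level address translation) and report the state of
# the Hyper-V optional features. Function names are this example's own.

function Test-ClientHyperVHost {
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1

    # Sum the installed modules rather than TotalPhysicalMemory, which excludes
    # memory reserved by firmware and would fail a host with exactly 4 GB.
    $installedBytes = (Get-CimInstance -ClassName Win32_PhysicalMemory |
        Measure-Object -Property Capacity -Sum).Sum

    # Once the hypervisor is running, Win32_Processor no longer reports the
    # virtualization flags reliably, so a present hypervisor counts as proof.
    $hvRunning = [bool]$cs.HypervisorPresent

    $checks = [ordered]@{
        '64-bit Windows'                      = ($os.OSArchitecture -like '64*')
        'At least 4 GB physical memory'       = ($installedBytes -ge 4GB)
        'Data Execution Prevention available' = [bool]$os.DataExecutionPrevention_Available
        'Hardware-assisted virtualization'    = ($hvRunning -or [bool]$cpu.VirtualizationFirmwareEnabled)
        'Second-level address translation'    = ($hvRunning -or [bool]$cpu.SecondLevelAddressTranslationExtensions)
        'Hypervisor already running'          = $hvRunning
    }
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Requirement = $name; Met = $checks[$name] }
    }
}

function Get-ClientHyperVFeatureState {
    # DISM feature names for the hypervisor, the GUI tools (Hyper-V Manager and
    # Virtual Machine Connection) and the Hyper-V module for Windows PowerShell.
    $features = 'Microsoft-Hyper-V-Hypervisor',
                'Microsoft-Hyper-V-Management-Clients',
                'Microsoft-Hyper-V-Management-PowerShell'
    foreach ($f in $features) {
        Get-WindowsOptionalFeature -Online -FeatureName $f |
            Select-Object FeatureName, State
    }
}

Test-ClientHyperVHost        | Format-Table -AutoSize
Get-ClientHyperVFeatureState | Format-Table -AutoSize
```

The requirement rows come out as objects rather than text so that the same check can run unattended across a fleet and be filtered on Met -eq $false; the feature rows show separately whether the hypervisor, the graphical tools and the PowerShell module are turned on, since each is an independent optional feature.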


Hyper-V Management Tools

Hyper-V Manager is the primary tool for managing Client Hyper-V. It is a console based on Microsoft Management Console (MMC). Hyper-V Manager provides complete access to Client Hyper-V functionality in Windows 8.1. Windows Server 2012 R2 Hyper-V also uses Hyper-V Manager, so any experience in either operating system will correspond directly to the other. The other graphical tool that is installed with Client Hyper-V is the Virtual Machine Connection tool. You can use the Virtual Machine Connection tool to connect to a virtual machine with an interface that is very similar to Remote Desktop Protocol.

Note: Both Hyper-V Manager and the Virtual Machine Connection tool are installed if you turn on the Hyper-V GUI Management Tools feature in Windows 8.1.

The Hyper-V module for the Windows PowerShell command-line interface enables you to manage Client Hyper-V by using Windows PowerShell cmdlets. The Hyper-V module can be useful for scripting Client Hyper-V management or managing remote Hyper-V installations.

Note: You can view the entire list of cmdlets that are related to Hyper-V by running the Get-Command -Module Hyper-V cmdlet at a Windows PowerShell command prompt.

Question: What must you do to enable administration of Client Hyper-V by using Windows PowerShell?

Scenarios for Using Client Hyper-V


Hyper-V in Windows Server 2012 R2 and Client Hyper-V share the same underlying platform, which enables you to take advantage of the Client Hyper-V features in your organization in many different ways:

- Using Client Hyper-V, you can build a test lab infrastructure that is hosted entirely on a laptop or PC, and you can export the virtual machines that you create and test from your laptop or PC into production.

- You can create a Client Hyper-V virtual machine and use it as a preproduction environment for testing apps. You might be preparing to migrate a Windows client infrastructure to Windows 8.1 and require testing of all line-of-business apps. You can employ a virtual machine that is running Windows 8.1 to test the app and then revert the virtual machine back to its default state by using checkpoints to test other apps.

- You can create several virtual machines, each with a different installed version of a Windows operating system, to test a new app. For example, you could install Windows 8.1 on the first virtual machine, Windows 7 on the second virtual machine, and Windows XP on the third virtual machine. You can configure each virtual machine to your testing specifications and then revert the machines after testing is complete so that the machines are immediately ready for the next testing task.

- If you encounter problems with a virtual machine on Windows Server 2012 R2 in your production Hyper-V environment, you can copy or export that virtual machine from the production environment, import it into Client Hyper-V, perform the required troubleshooting, and then export it back into the production environment.

- With Client Hyper-V, you can use Hyper-V virtualization, wireless network adapters, and sleep states on your desktop computer. For example, if you run Client Hyper-V on a laptop and close the lid, the virtual machines that are running go into a saved state and resume when the machine wakes.

- Virtual machine tools that are created for Hyper-V in Windows Server, such as the Sysinternals Disk2VHD tool, also work in Client Hyper-V.

- Using virtual machine networking, you can create a multiple-machine environment for test, development, and demonstration. This environment is secure and does not affect a production network.

- You can use preconfigured virtual hard disks to test new Microsoft software. Microsoft.com hosts a large number of ready-to-use virtual hard disk (.vhd) files that you can use with Hyper-V or Client Hyper-V. After you import a file, the virtual hard disk provides a functional test version of the specific product for evaluation. With virtual hard disk files, there is no need to upgrade or configure operating systems, or to download and install apps. The entire environment is ready to go in the virtual hard disk file the first time you start the virtual machine.

Question: Can you run two virtual machines with the same name and TCP/IP network settings in the same Client Hyper-V environment?


Lesson 2

Creating Virtual Machines

You can use Client Hyper-V for creating and running virtual machines. You can create virtual machines in several different ways. This lesson explains how you can create virtual machines by using Hyper-V Manager and Windows PowerShell. This lesson also explores hardware components of the virtual machine, explains the differences between Generation 1 and Generation 2 virtual machines, and describes the process for creating and managing virtual machines in Client Hyper-V.

Lesson Objectives
After completing this lesson, you will be able to:
- Describe how to create a virtual machine.
- Explain how to configure virtual machine settings.
- Describe how to run virtual machines.

Creating a Virtual Machine


A virtual machine represents a physical computer in a virtualization environment. Virtual computers have components similar to physical computers. However, virtual computers can use only components that are part of a Client Hyper-V virtualization infrastructure. Client Hyper-V can present devices to a virtual machine in the following two ways:

- Emulated devices. Client Hyper-V presents an emulated device to a virtual machine as if it is actual hardware. Emulated devices present standard and well-known functionalities that are universal to all devices of that type. This means that almost any operating system supports them. Emulated devices are available when a virtual machine starts, and a virtual machine can start from them. These emulated devices include integrated device electronics (IDE) controllers or legacy network adapters.

- Hyper-V specific devices. Client Hyper-V does not present synthetic components to the virtual machine as actual hardware. It presents them to the operating system on the virtual machine as a functionality that the device driver can use. Newer operating systems, such as Windows 8 and Windows 8.1, support such functionality by default when running in virtual machines, and for other operating systems, you need to install integration services to support them. Synthetic devices are not available during startup, and you cannot start a virtual computer from them.

Creating a virtual machine in Hyper-Manager is a wizard-based process that prompts you for necessary information to create the virtual machine. When creating a virtual machine, you must specify several virtual machine settings at the time of creation:

Virtual machine name. The name that you specify identifies the virtual machine in Hyper-V Manager, and also is used in the naming of various virtual machinerelated files.

MCT USE ONLY. STUDENT USE PROHIBITED


15-7

Configuring Windows 8.1

Virtual machine location. By default, a virtual machine is created and located on a computers system drive. If your computer has multiple physical hard disks, you typically can increase the performance of your virtual machine by placing it on a disk that is separate from the system disk. For computers with solid-state drives (SSDs), this is not as effective. Virtual machine generation. Before Client Hyper-V in Windows 8.1, Hyper-V only supported what today is known as Generation 1 virtual machines. You now can create Generation 2 virtual machines, which include support for secure boot and which can be started either from a SCSI virtual disk or by using a network adapter. If you want to use a Generation 2 virtual machine, you must install at least Windows Server 2012 or a 64-bit version of Windows 8 or newer to the virtual machine. After the virtual machine is created, you cannot change its generation. Memory. The amount of memory that you specify will be assigned to a virtual machine from the available physical memory on your Windows 8.1 computer. You also can configure a virtual machine to use Dynamic Memory.

Network connection. Your virtual machine can have one or more virtual network adapters. By default, a new virtual machine is created with a single network adapter that can be connected to a virtual switch. You can create a virtual switch that will connect virtual machines to an external network through a physical network adapter, or you can create a self-contained virtual switch to provide an isolated network environment. Alternatively, you might choose not to connect a virtual machine to any virtual switch.

Virtual hard-disk location. By default, a single virtual hard disk is created in the same directory that is specified for the virtual machine location. You also might choose to use a preexisting virtual hard disk. For example, many Microsoft products are available for trial purposes in preconfigured .vhd files.

Operating system installation media. Unless you are attaching a virtual hard disk that already has an installed operating system, you will need to install an operating system on your virtual machine. You can specify an .iso image CD/DVD file to use as installation media, or you can attach a physical CD/DVD drive from the host machine to the virtual machine, and then install the operating system from that media.

Creating a Virtual Machine in Hyper-V Manager


To create a virtual machine, perform the following procedure:

1. Open Hyper-V Manager from the Start screen by typing Hyper-V Manager, and then press Enter.

2. In Hyper-V Manager, in the Actions pane, click New, and then click Virtual Machine.

3. The New Virtual Machine Wizard appears. Click Next.

4. On the Specify Name and Location page, in the Name field, type the name of your virtual machine. Select where you want to store the virtual machine and its associated VHDs, and then click Next.

5. On the Specify Generation page, select whether you want to create a Generation 1 or Generation 2 virtual machine, and then click Next.

6. On the Assign Memory page, in the Memory field, specify the amount of memory to assign to the virtual machine, select whether you want to use Dynamic Memory, and then click Next.

7. On the Configure Networking page, in the Connection list, select the appropriate network switch, and then click Next.

8. On the Connect Virtual Hard Disk page, create a new VHD or use an existing VHD file that you have already created, and then click Next.

9. On the Installation Options page, select from where you want to install an operating system on the virtual machine, and then click Next.

10. On the Completing the New Virtual Machine Wizard page, click Finish.

Creating a Virtual Machine in Windows PowerShell

If you want to create a new virtual machine by using Windows PowerShell, you can run the New-VM cmdlet. You should be aware that the New-VM cmdlet has a limited set of options, but you can modify and customize a virtual machine after you create it. You can create a new virtual machine by performing the following procedure:

1. On the Windows 8.1 computer, on the Start screen, type powershell, right-click Windows PowerShell, and then select Run as administrator. Click Yes in the User Account Control dialog box.

2. In the Administrator: Windows PowerShell window, run the following cmdlet to create a Generation 1 virtual machine named Windows 8.1 with 4 GB of memory, with its files stored in the C:\VMs folder, with a 100 GB virtual hard disk named Disk1.vhdx, and connected to a virtual switch named Private:

New-VM -Name "Windows 8.1" -Generation 1 -MemoryStartupBytes 4GB -Path C:\VMs -NewVHDPath "C:\VMs\Windows 8.1\Disk1.vhdx" -NewVHDSizeBytes 100GB -SwitchName Private

Question: Can you convert a Generation 1 virtual machine that has Windows Server 2012 R2 installed to a Generation 2 virtual machine?

Configuring Virtual Machine Settings

When you create a virtual machine by using the New Virtual Machine Wizard or the Windows PowerShell New-VM cmdlet, you only can configure a limited number of options. For example, you cannot adjust Dynamic Memory settings, add more than one virtual hard disk to the virtual machine, or configure the virtual machine with a directly attached or differencing virtual hard disk. However, after you create the virtual machine, you have many more options that you can configure.

You can configure most of the virtual machine settings and modifications to hardware configuration only when the virtual machine is turned off (not paused or in saved state). However, you can configure options such as the virtual switch to which a network adapter is connected, or add a virtual hard disk to the SCSI controller, while the virtual machine is running. Configuration options also depend slightly on the virtual machine generation because some virtual hardware is available only for Generation 1 virtual machines. You can enable secure boot for Generation 2 virtual machines, whereas Generation 1 does not have such an option.

You can configure virtual machine settings in Hyper-V Manager or by using Windows PowerShell. In Hyper-V Manager, you right-click the virtual machine, click Settings, and then modify the properties of the hardware component that you want to configure. In Windows PowerShell, you can use several different cmdlets to configure a virtual machine, depending on whether you want to configure virtual machine settings (Set-VM), add virtual hardware components (Add-VMHardDiskDrive, Add-VMNetworkAdapter), or modify existing hardware component settings (Set-VMHardDiskDrive, Set-VMNetworkAdapter).
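As an added example that is not part of the courseware, the following script performs the New-VM step from the previous topic for a Generation 2 virtual machine and then applies the settings that the wizard and New-VM cannot set (Dynamic Memory, processor count, secure boot, network adapter protections, automatic start and stop actions). The virtual machine name, the switch name, the folder paths and the .iso location are assumptions.

```powershell
# Added example (not from the courseware): create a Generation 2 virtual machine
# with New-VM, then apply the settings the wizard cannot set. All names, paths
# and sizes below are assumptions chosen for illustration.
#Requires -RunAsAdministrator
$vmName  = 'Win81-Gen2'
$vmPath  = 'C:\VMs'
$vhdPath = Join-Path $vmPath "$vmName\Disk1.vhdx"
$switch  = 'Private'                    # assumed private virtual switch name
$isoPath = 'C:\ISOs\Windows81-x64.iso'  # assumed 64-bit installation media

# A private switch keeps the new VM isolated from the physical network until it
# has been installed and patched; create it if it does not exist yet.
if (-not (Get-VMSwitch -Name $switch -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $switch -SwitchType Private | Out-Null
}

# Step 1: the wizard-equivalent call. The generation cannot be changed afterwards.
$vm = New-VM -Name $vmName -Generation 2 -MemoryStartupBytes 2GB -Path $vmPath `
             -NewVHDPath $vhdPath -NewVHDSizeBytes 100GB -SwitchName $switch

# Step 2: settings that New-VM does not expose (the VM is still off, as required).
Set-VMMemory    -VMName $vmName -DynamicMemoryEnabled $true `
                -MinimumBytes 1GB -StartupBytes 2GB -MaximumBytes 4GB
Set-VMProcessor -VMName $vmName -Count 2

# Generation 2 only: UEFI firmware with secure boot enabled.
Set-VMFirmware -VMName $vmName -EnableSecureBoot On

# Attach the installation .iso to the SCSI controller and boot from it first
# (Generation 2 starts from SCSI-attached devices, not from IDE).
Add-VMDvdDrive -VMName $vmName -Path $isoPath
$dvd = Get-VMDvdDrive -VMName $vmName
Set-VMFirmware -VMName $vmName -FirstBootDevice $dvd

# Network adapter protections: the guest cannot spoof its MAC address or act as
# a rogue DHCP server or router toward other VMs on the switch.
Set-VMNetworkAdapter -VMName $vmName -MacAddressSpoofing Off -DhcpGuard On -RouterGuard On

# Management settings: do nothing when the host starts, save state when it shuts down.
Set-VM -Name $vmName -AutomaticStartAction Nothing -AutomaticStopAction Save

# Verify the configuration before the first start.
[pscustomobject]@{
    Name        = $vm.Name
    Generation  = $vm.Generation
    SecureBoot  = (Get-VMFirmware -VMName $vmName).SecureBoot
    DynamicMem  = (Get-VMMemory -VMName $vmName).DynamicMemoryEnabled
    Switch      = (Get-VMNetworkAdapter -VMName $vmName).SwitchName
    MacSpoofing = (Get-VMNetworkAdapter -VMName $vmName).MacAddressSpoofing
} | Format-List
```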


Generation 1 virtual machines contain the components that are listed in the following table.

| Component | Description |
| --- | --- |
| BIOS | Specifies the startup order of boot devices. |
| Memory | Configures the amount of memory that is assigned to a virtual machine, the dynamic range of memory that can be used, and memory weight. When a virtual machine is running, that memory is allocated exclusively and cannot be used by other virtual machines or by the Hyper-V host. |
| Processor | Configures the number of processors that are available to a virtual machine, the resource control, the processor compatibility settings, and the non-uniform memory access settings. |
| IDE controller | Connects IDE virtual disks and DVD drives to a virtual machine. Generation 1 virtual machines have two IDE controllers. Devices that are connected to IDE controllers can be used to start a virtual machine. |
| SCSI controller | Connects SCSI virtual disks to a virtual machine. SCSI controllers are synthetic, which means that a Generation 1 virtual machine cannot start from a virtual disk that is connected to one. |
| Network adapter | Connects a virtual machine to a virtual switch. Network adapters are synthetic, which means that Generation 1 virtual machines cannot use them for Pre-Boot Execution Environment (PXE) boot. |
| Legacy network adapter | Connects a virtual machine to a virtual switch. Legacy network adapters are emulated, which means that they are available during startup, and Generation 1 virtual machines can use them for PXE boot. |
| Fibre Channel adapter | Accesses Fibre Channel-based storage directly from a virtual machine. This is a synthetic device, which means that it is not available during startup. |
| COM port | Configures a virtual COM port to communicate with a physical server through a named pipe. |
| Diskette drive | Connects virtual floppy disks to a virtual machine. |

As part of the virtual machine settings, you also can configure management settings. In the Management section, you can configure the components that are listed in the following table.

| Component | Description |
| --- | --- |
| Name | Specify the name of a virtual machine and add comments about it. |
| Integration Services | Enable services that a Hyper-V host will offer to a virtual machine. To use any of the services, Integration Services must be installed and supported on the virtual machine operating system. |
| Checkpoint File Location | Specify the folder in which checkpoint files for a virtual machine will be stored. You can modify this location until the first checkpoint is created. |
| Smart Paging File Location | Specify the folder in which the Smart Paging file for a virtual machine will be created, if necessary. |
| Automatic Start Action | Specify whether to start a virtual machine automatically after the Hyper-V host restarts, and how long after Hyper-V is running to start it. |
| Automatic Stop Action | Specify the state in which to place a virtual machine when the Hyper-V host shuts down. |

Windows 8.1 and Windows Server 2012 R2 fully support the existing type of virtual machines, and they also provide support for the new type of virtual machines. Virtual machines that were created before Windows 8.1 are automatically named as Generation 1 virtual machines, while newly created virtual machines are called Generation 2 virtual machines. When you create a virtual machine in Windows 8.1, you can decide if you want to create a Generation 1 or Generation 2 virtual machine. Generation 2 is built on the assumption that operating systems are virtualization-aware. Generation 2 removes all legacy and emulated virtual hardware devices and uses only synthetic devices. BIOS-based firmware is replaced with advanced Unified Extensible Firmware Interface (UEFI) firmware that supports secure boot. Generation 2 virtual machines start from a SCSI controller or by using PXE from a network adapter. All legacy and emulated devices are removed from Generation 2 virtual machines.

Question: Can you modify virtual machine memory settings while a virtual machine is running?

Running Virtual Machines


Virtual machines maintain their own state within Client Hyper-V. When a virtual machine is started, its state is set to Running, and it performs the startup process of a typical computer, including loading an operating system. After the operating system loads, it interacts with the virtual hardware configured for the virtual machine, and you can connect to it and work with it like you would a physical computer.

You can connect to a virtual machine by selecting the virtual machine and then clicking the Connect button on the toolbar, or by right-clicking the virtual machine and then clicking Connect in the shortcut menu. What is displayed in the virtual machine window will depend on the state of the virtual machine. In Client Hyper-V, a virtual machine can be in five different states:

Off. A virtual machine that is stopped does not consume any resources on the host machine, and it exists in a state similar to a physical computer that is powered off.

Starting. When a virtual machine is first started, it remains in the starting state for a brief moment, during which required resources are checked and assigned to the virtual machine. After this check and assignment occurs, the starting state changes.

Running. A virtual machine is in its normal operable state when Running is displayed. A running virtual machine responds to keyboard and mouse input and shows whatever information is being sent to the virtual machine's display adapter when you are connected to the virtual machine.

Paused. When a virtual machine is paused, it still maintains its allocation of host-computer resources, but it places the virtual machine's operating system in a temporary sleep state.

Saved. When a virtual machine is in the saved state, its current operating state is saved to the hard disk, and it stops consuming host computer resources until you start it and place it into a running state. When a Client Hyper-V computer that supports hibernate and sleep modes enters one of these modes, virtual machines that are running will enter the saved state.

When you connect to a virtual machine, the Enhanced Session Mode is used by default in Client Hyper-V on Windows 8.1. Enhanced session mode uses the Remote Desktop Services (RDS) component in virtual machines, and establishes a full Remote Desktop session to a virtual machine. This means that local resources such as smart cards, printers, drives, USB devices, or any other supported Plug and Play devices can be redirected to virtual machines. You also can use a shared Clipboard for copying content to virtual machines, or even copy files to virtual machines, even if the virtual machine does not have network connectivity. Enhanced Session Mode is available only if you connect to virtual machines that are running Windows 8.1 or Windows Server 2012 R2. RDS must be running on the virtual machine, and the user account that is used to log on to the virtual machine must be a member of the Remote Desktop Users local group.

Exporting and Importing Virtual Machines

You can export and import virtual machines between computers that are running Client Hyper-V or Hyper-V in Windows Server 2012 R2. Exporting and importing virtual machines enables multiple troubleshooting and testing scenarios that might be impossible in a physical computing environment.

Exporting Virtual Machines

When you export a virtual machine, this exports all components that comprise the virtual machine to the path that you specify. There are four parts to each exported virtual machine:

The Virtual Machines folder contains an .exp file that contains the GUID of the exported file.

The Virtual Hard Disks folder contains copies of each virtual hard disk that is associated with the virtual machine. If the VHD is a differencing virtual hard disk, all base images that are associated with the VHD will be copied to the export folder.

The Snapshots folder contains a file with an .exp extension for each checkpoint of the virtual machine.

Config.xml is a configuration file that the import process uses.

Importing Virtual Machines

When you import a virtual machine, Client Hyper-V reads the configuration file (Config.xml) and then creates a virtual machine by using the configuration information. As part of the import process, Hyper-V deletes all of the .exp files, which prevents importing the virtual machine a second time, and then replaces them with XML files. When you import a virtual machine, you have the following options:

Register the virtual machine in-place or Register the virtual machine. When you select either of these options, Client Hyper-V creates a virtual machine that uses the same unique identifier (ID) as the exported virtual machine.

Copy the virtual machine. When you select this option, Client Hyper-V copies the virtual machine and replaces the unique ID for the virtual machine with a new ID.


The process of importing a virtual machine is enhanced considerably in Windows 8.1, and the export process is no longer required. You can simply copy virtual machine data files between Client Hyper-V computers, and then run the Import Virtual Machine Wizard on the destination Windows 8.1 computer to import virtual machines. The Import Virtual Machine Wizard detects and fixes more than 40 types of incompatibilities between Client Hyper-V environments. It prompts you to provide missing information, such as the location of a parent virtual hard disk or a virtual switch to which the virtual machine should be connected, when the appropriate virtual switch is not available.

Question: Why would you rather import a virtual machine into Client Hyper-V than create a new virtual machine and configure it to use existing virtual hard disks?

Question: Can you use Enhanced Session Mode to start a virtual machine from a USB device?


Lesson 3

Managing Virtual Hard Disks

Just as physical computers store data on physical hard disks, virtual machines store data on virtual hard disks, which are actually files that reside on physical hard disks. There are different types of virtual hard disks available, and this lesson explains the differences between the various types. Virtual hard disks can be in one of two formats: .vhd and .vhdx. Windows 8.1 can also mount virtual hard disks on a physical computer and access their content.

Lesson Objectives
After completing this lesson, you will be able to:

Describe the purpose and functionality of virtual hard disks.

Describe how to configure a virtual hard disk.

Explain how to move virtual hard disk storage.

Overview of Virtual Hard Disks


Virtual machines have different options for storing their data. Just as virtual machines are isolated when running on a Hyper-V host, you also can isolate their hard disks and encapsulate their content in a single virtual hard disk file with the .vhd or .vhdx extension. From inside a virtual machine, virtual hard disks are seen as physical disks, and virtual machines use them as if they were physical disks.

You can connect storage to virtual machines by using two different storage controller types: SCSI and IDE. A virtual machine can access a disk either as a virtual Advanced Technology Attachment (ATA) device on a virtual IDE controller or as a virtual SCSI disk device on a virtual SCSI controller. Virtual storage controllers have the following characteristics:

IDE controllers are available only in Generation 1 virtual machines. Each virtual machine has two IDE controllers and can have up to two devices, hard drives or DVD drives, attached to each controller. While a virtual machine is running, you cannot add devices to or remove devices from an IDE controller. A Generation 1 virtual machine can start only from an IDE controller.

SCSI controllers are available in all virtual machines. Generation 1 virtual machines can use a SCSI controller only for data disks, whereas Generation 2 virtual machines start from SCSI controller-attached disks or DVD drives. A SCSI controller is synthetic, and you can add disks to or remove disks from a SCSI controller while a virtual machine is running. A virtual machine can have up to four SCSI controllers, and each SCSI controller supports up to 64 devices, which means that each virtual machine can have as many as 256 virtual SCSI disks.

You can use different hard disk types, such as fixed size, dynamically expanding, differencing, and attached physical disks (pass-through disks), with both controller types.


A virtual machine uses storage controllers for accessing storage. The type of storage controller that a virtual machine uses does not have to be the same type that Client Hyper-V is using. For example, a Windows 8.1 computer can have only physical SCSI storage, but you can configure virtual machines with IDE controllers and use IDE-attached virtual hard disks that are stored on the SCSI storage of the Windows 8.1 computer.

You can store virtual machine virtual hard disks locally on a Windows 8.1 computer, on Server Message Block (SMB) 3.0 file shares, or on a storage area network (SAN) logical unit number (LUN).

Virtual Hard Disk Formats


The virtual hard disk format has evolved over time, and Client Hyper-V on Windows 8.1 supports two virtual hard disk formats:

.vhd. This format supports virtual hard disks up to 2,048 GB in size. This format has been available since Microsoft Virtual Server 2005 was released, which means that you can use the .vhd format with older versions of Hyper-V and with traditional Microsoft virtualization products such as Windows Virtual PC.

.vhdx. This format supports virtual hard disks up to 64 TB in size. This format has been available since Windows 8 and Windows Server 2012 and is not compatible with older versions of Hyper-V. Experience with the .vhd format guides .vhdx format improvements. The .vhdx format provides better data corruption protection and optimizes structural alignments on large sector physical disks.

When you compare the .vhd and .vhdx formats, the .vhdx format provides the following benefits:

Support for larger virtual hard disk sizes, up to 64 TB.

Protection against data corruption by logging updates to .vhdx metadata structures, which can be especially important during power failures.

Ability to store custom metadata about a file, such as which operating system is installed in the .vhdx, or which patches are applied to it.

Improved alignment of the virtual hard disk format to work better with large sector disks.

Larger block sizes for dynamic and differencing disks, which improves their performance.

4 kilobytes (KB) logical sector virtual disk, which increases performance when used by applications that are designed for 4 KB sectors.

Efficiency in data representation, which results in smaller file size so that an underlying physical storage device can reclaim unused space (trim operation).

Virtual Hard Disk Types

You can create three types of virtual hard disks: fixed size, dynamically expanding, and differencing. After you create a virtual hard disk, you can edit it and change its format. When selecting a virtual hard disk format, you should be aware of the following factors:

Fixed size. When you create a fixed-size virtual hard disk, Client Hyper-V allocates space for the entire virtual hard disk. For example, if you create a 100-GB fixed-size virtual hard disk, Client Hyper-V creates a 100-GB file, even when it does not include any data. Creation of large fixed-size virtual hard disks can take significant time because Client Hyper-V has to create the file to the entire specified size and fill its content with zero values. The size of a fixed-size virtual hard disk does not change because Client Hyper-V allocates all of the storage space when it creates the virtual hard disk. You cannot create fixed-size virtual hard disks that require more space than is available on a physical disk. Fixed-size virtual hard disks are larger than dynamically expanding virtual hard disks, and as such, moving them can be more time-consuming.


Dynamically expanding. When you create a dynamically expanding virtual hard disk, Client Hyper-V only creates a small file. That file then grows as you write data to the virtual hard disk until it reaches its fully allocated size. The size of the dynamically expanding disk only grows. It does not shrink, even if you delete data. For example, if you create a 100-GB dynamically expanding virtual hard disk, Client Hyper-V creates a file that is only a few megabytes (MB) in size. When you write to that virtual hard disk file, it will grow; however, when you delete information from the virtual hard disk, it will not shrink. When you start using a dynamically expanding virtual hard disk, such as formatting partitions and installing an operating system on it, the virtual hard disk will start growing until it reaches its maximum size of 100 GB. Client Hyper-V creates the dynamically expanding virtual hard disk much faster because it does not allocate all the space at once. However, when you add data to a virtual hard disk, it becomes fragmented in the same way that any file would on your volume. You can create dynamically expanding virtual hard disks that would require more space on a physical disk than is currently available. Dynamically expanding virtual hard disks are smaller than other virtual hard disk types until their maximum size is reached.

Differencing. A differencing virtual hard disk is always linked to another virtual hard disk in a parent/child relationship. It cannot exist on its own. The parent virtual hard disk can be fixed-size or dynamically expanding, but as soon as it becomes a parent disk for a differencing virtual hard disk, you cannot write to it, so it will neither grow nor shrink. A differencing virtual hard disk is always dynamically expanding. You also can chain differencing virtual hard disks, as long as none of the base disks are written to. In this scenario, one differencing virtual hard disk uses another differencing virtual hard disk as a base (parent) disk. The differencing virtual hard disk stores changes for the parent disk and provides a way to isolate changes without altering the parent disk. When you use a differencing virtual hard disk, you can access all the data from the parent disk, and changes you make are written only to the differencing virtual hard disk, not to the parent disk. In other words, reads for modified data are served from the differencing virtual hard disk, and reads of all other data are served from the parent virtual hard disk. Metadata is used in both cases to determine from where data should be read, which results in differencing virtual hard disks having slower performance than fixed-size or dynamically expanding virtual hard disks. Differencing virtual hard disks must use the same format as the parent disk, either .vhd or .vhdx. You cannot specify a size for a differencing virtual hard disk. Differencing virtual hard disks can grow as large as the parent disk size limit. However, unlike dynamically expanding disks, you cannot compact differencing virtual hard disks directly. You can compact a differencing virtual hard disk only after it merges with its parent disk.

Note: Using differencing virtual hard disks can be beneficial in some scenarios. For example, you could use as a parent a virtual hard disk that has a clean installation of the Windows 8.1 operating system, and you could use a new differencing virtual hard disk as a virtual machine hard disk. You could even create multiple differencing virtual hard disks for multiple virtual machines that would use the same Windows 8.1 virtual disk as their parent disk.

Question: Is there any difference between connecting a virtual hard disk to a virtual machine by using an IDE or SCSI virtual controller?

Question: Can Client Hyper-V allocate more storage space to a differencing virtual hard disk than to the parent disk to which it is linked?


Configuring a Virtual Hard Disk


Planning for and configuring virtual hard disks is an important component in implementing virtual machines on Client Hyper-V. When planning storage requirements, you need to ensure that enough resources are available to create new machines, but also to accommodate any virtual machines with dynamically expanding hard drives.

If you use a single drive on a Windows 8.1 computer for storing virtual machine hard disks, your disk I/O performance will degrade quickly for all virtual machines because of increasing disk read/write times and disk activity. Increasing the number of physical drives or spindles increases the performance of virtual machines greatly, as does using an SSD. Hard drive recommendations include:

Use hard drives that are at least 10,000 revolutions per minute (RPM).

Use SSDs where possible.

Consider using a SAN for virtual machine storage. SANs provide several benefits, such as high performance and high availability. Also, you can assign additional space for virtual machines as long as the SAN has storage available. Client Hyper-V enables you to run virtual machines that use virtual hard disks that are stored locally or on SMB 3.0 shares. Internet SCSI (iSCSI) SANs can provide relatively inexpensive storage for virtual machines. Using iSCSI also enables you to configure virtual machines with direct access to storage.

Configure antivirus software on Windows 8.1 physical computers to exclude all .vhd, .avhd, .vfd, .vsv, and .xml files that are stored on hard drives that are hosting virtual machines. Alternatively, you can use virtualization-aware antivirus software.

Creating a VHD

You can create a virtual hard disk while you are creating a virtual machine or outside of the New Virtual Machine Wizard. If you create a virtual hard disk as a separate task, it is not attached to a virtual machine, and you must add it to a virtual IDE or a virtual SCSI controller before you can use it on a virtual machine. You can create a new virtual hard disk in Hyper-V Manager or by using Windows PowerShell.

Create a virtual hard disk by using Hyper-V Manager


1. On the Windows 8.1 computer, in Hyper-V Manager, in the Actions pane, click New, and then click Hard Disk.

2. On the Before You Begin page, click Next.

3. On the Choose Disk Type page, select a virtual disk type, for example, Dynamically expanding, and then click Next.

4. On the Specify Name and Location page, in the Name field, type the name of the virtual hard disk file, in the Location field, type an appropriate location, and then click Next.

5. On the Configure Disk page, do not change the default values, and then click Next.

6. On the Completing the New Virtual Disk Wizard page, click Finish.


Create a virtual hard disk by using Windows PowerShell


1. On the Windows 8.1 computer, on the Start screen, type powershell, right-click Windows PowerShell, and then select Run as administrator. Click Yes in the User Account Control dialog box.

2. In the Administrator: Windows PowerShell window, run the following cmdlet to create a 100-GB, dynamically expanding virtual hard disk named Dynamic.vhdx in the C:\VHDs folder:

New-VHD -Path C:\VHDs\Dynamic.vhdx -SizeBytes 100GB -Dynamic

3. Run the following cmdlet to add the virtual hard disk to a SCSI controller in the virtual machine named Windows 8.1:

Add-VMHardDiskDrive -VMName "Windows 8.1" -ControllerType SCSI -Path C:\VHDs\Dynamic.vhdx

Virtual Hard Disk Sharing and Quality of Service (QoS) Management

In older versions of Hyper-V, virtual machines used virtual hard disks exclusively. Therefore, while one virtual machine was using a virtual hard disk, another virtual machine could not use the same virtual hard disk. In Client Hyper-V on Windows 8.1, you can share virtual hard disks between multiple virtual machines. This can be especially useful when you configure failover clustering in virtual machines. You can enable virtual hard disk sharing only for .vhdx files that are connected to a virtual SCSI controller. You cannot use virtual hard disk sharing for .vhd files that are connected to a virtual IDE controller. You can enable virtual hard disk sharing only if the shared .vhdx is stored on a failover cluster.

In older versions of Hyper-V, it was not possible to limit I/O operations per second per virtual machine. If a virtual machine had an application that was storage-intensive, with a large number of read and write operations to the storage, the virtual machine could monopolize Hyper-V, and other virtual machines could have slower access to storage. In Windows 8.1, Client Hyper-V includes an option to configure QoS parameters when virtual machines access storage so that you can provide enough I/O operations per second to each virtual machine. You can configure the storage QoS for each virtual hard disk. By specifying the maximum I/O operations per second value on the advanced features of a virtual hard disk, you can balance and throttle storage I/O between virtual machines. This prevents a virtual machine from consuming excessive storage I/O operations, which could affect other virtual machines.

Question: When would you use shared virtual hard disks?
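The differencing-disk scenario from the note in the previous topic (one clean Windows 8.1 parent shared by several virtual machines), the New-VHD and Add-VMHardDiskDrive steps above, and the per-disk storage QoS setting, combined in one added PowerShell example that is not part of the courseware. The virtual machine names, the C:\VHDs paths and the existing parent disk are assumptions.

```powershell
# Added example (not from the courseware): build two virtual machines on
# differencing disks that share one clean parent, then cap the storage I/O of
# one of them with the per-disk QoS setting. All names and paths are
# assumptions; the parent .vhdx is assumed to hold a generalized Windows 8.1
# installation laid out for UEFI (Generation 2) boot.
#Requires -RunAsAdministrator
$parent = 'C:\VHDs\Base-Win81.vhdx'   # assumed existing clean install
$vhdDir = 'C:\VHDs'

# The parent must never be written to once children exist. The read-only file
# attribute is an extra host-side safeguard on top of what Hyper-V enforces.
Set-ItemProperty -Path $parent -Name IsReadOnly -Value $true

foreach ($vmName in 'Test-A', 'Test-B') {
    $child = Join-Path $vhdDir "$vmName.vhdx"

    # A differencing disk takes no size: it inherits size and format (.vhdx)
    # from its parent, and only changes are written to the child file.
    New-VHD -Path $child -ParentPath $parent -Differencing | Out-Null

    # Generation 2 VM created without a disk and without a switch (isolated),
    # then the child disk is attached to the SCSI controller so it can boot.
    New-VM -Name $vmName -Generation 2 -MemoryStartupBytes 1GB -NoVHD | Out-Null
    Add-VMHardDiskDrive -VMName $vmName -ControllerType SCSI -Path $child
}

# Throttle Test-B so a storage-heavy workload in it cannot starve Test-A.
# MaximumIOPS counts normalized 8 KB operations; 0 means unlimited.
Get-VMHardDiskDrive -VMName 'Test-B' | Set-VMHardDiskDrive -MaximumIOPS 500

# Report the parent/child chain and the QoS values so the setup can be checked.
foreach ($vmName in 'Test-A', 'Test-B') {
    $drive = Get-VMHardDiskDrive -VMName $vmName
    $vhd   = Get-VHD -Path $drive.Path
    [pscustomobject]@{
        VM          = $vmName
        Type        = $vhd.VhdType          # Differencing
        Parent      = $vhd.ParentPath       # the shared Base-Win81.vhdx
        FileSizeMB  = [math]::Round($vhd.FileSize / 1MB)
        MaximumIOPS = $drive.MaximumIOPS    # 0 for Test-A, 500 for Test-B
    }
}
```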

Moving Virtual Hard Disk Storage


You can use storage migration to move virtual hard disks and other data files that a virtual machine is using to different physical storage while the virtual machine is running. You can perform storage migration by using the Move Wizard in Hyper-V Manager or by using the Move-VMStorage cmdlet in Windows PowerShell.

You can use Client Hyper-V to move a virtual machine's storage without downtime. For example, you can use storage migration when you need to move the virtual machine storage from a local disk to an SMB 3.0 share. You also can use storage migration to move various virtual machine items, such as virtual hard disks, configuration, checkpoints, and smart paging, to different locations while a virtual machine is running. For example, after you create the first checkpoint for a virtual machine, you cannot modify the checkpoint file location setting unless you delete all virtual machine checkpoints or use storage migration. You can perform storage migration by using the following procedure:

1. Before migration starts, all virtual machine read and write operations are performed at the source virtual hard disk.
2. When storage migration starts, virtual hard disk content is copied over the network to the destination, while all the read and write operations are still performed on the source virtual hard disk.
3. After the initial copy is complete, write operations for the virtual hard disks are mirrored to both the source and destination virtual hard disks.
4. After the source and destination virtual hard disks are synchronized completely, the virtual machine switches over and starts using the destination virtual hard disk.
5. The source virtual hard disk is deleted.

Storage migration is only supported for virtual hard disks, current virtual machine configurations, checkpoints, and Smart Paging files. When you migrate virtual machine storage, you can move all the data files to the same location or to different locations. During this storage migration process, the virtual machine continues to run on the same Windows 8.1 computer with the Client Hyper-V feature.

Note: Use the Storage Migrations Hyper-V setting to specify how many storage migrations you can perform simultaneously. By default, two simultaneous storage migrations are configured, but you can increase this number.

Moving Virtual Machine Storage

When you move virtual machine storage, you have the option to move all virtual machine data to a single location, to move the virtual machine data to different locations, or to move only the virtual machine's virtual hard disks. If you choose to move virtual machine data to different locations, you can specify a new location for each of the virtual machine data items, which includes virtual hard disks, current configurations, checkpoints, and Smart Paging files. You can move virtual machine storage to other folders on the same Hyper-V host or to an SMB 3.0 share. You then can complete the Move Wizard and perform the move. For example, you can use the Move Wizard to modify the checkpoint file location when a virtual machine already has checkpoints.

Note: In Hyper-V in Windows Server 2012 and Windows Server 2012 R2, you can move a virtual machine between Hyper-V hosts while it is running. Client Hyper-V does not support this feature, and you can move the virtual machine storage only, not the virtual machine itself.

Question: Can you use storage migration to move only virtual hard disks?

Question: Do you need to be a local administrator to use the Move Wizard?
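The three move options of the Move Wizard, performed with the Move-VMStorage cmdlet, as an added example that is not part of the course. The virtual machine name LON-VM1, the folder D:\VMs, the share \\LON-SVR1\VMs, the folder E:\VHDs, and the helper functions Get-VMStorageLayout and New-VhdMoveList are assumptions made for this example.

```powershell
# Added example (not from the course): storage migration of a running virtual
# machine with Move-VMStorage. Assumed names: virtual machine "LON-VM1", local
# folders D:\VMs and E:\VHDs, and an SMB 3.0 share \\LON-SVR1\VMs.

# Show where each part of the virtual machine currently lives.
function Get-VMStorageLayout {
    param([Parameter(Mandatory)] [string] $VMName)
    $vm = Get-VM -Name $VMName
    [pscustomobject]@{
        VMName           = $vm.Name
        Configuration    = $vm.ConfigurationLocation
        Checkpoints      = $vm.SnapshotFileLocation
        SmartPaging      = $vm.SmartPagingFilePath
        VirtualHardDisks = @(Get-VMHardDiskDrive -VMName $VMName | ForEach-Object Path)
    }
}

# Build the list that -VirtualHardDisks expects: one hashtable per disk with the
# source path and the destination path (same file name, new folder).
function New-VhdMoveList {
    param(
        [Parameter(Mandatory)] [string] $VMName,
        [Parameter(Mandatory)] [string] $Destination
    )
    @(Get-VMHardDiskDrive -VMName $VMName | ForEach-Object {
        @{
            SourceFilePath      = $_.Path
            DestinationFilePath = Join-Path $Destination (Split-Path $_.Path -Leaf)
        }
    })
}

Get-VMStorageLayout -VMName 'LON-VM1'

# The three calls below are alternatives; run the one that matches the wizard option.
# The virtual machine keeps running throughout: reads and writes stay on the source
# until the destination is synchronized, then the switch-over happens.

# Option 1: move all virtual machine data to a single location (an SMB 3.0 share).
Move-VMStorage -VMName 'LON-VM1' -DestinationStoragePath '\\LON-SVR1\VMs\LON-VM1'

# Option 2: move each item to its own location. This also changes the checkpoint
# file location, which is otherwise read-only once the virtual machine has checkpoints.
Move-VMStorage -VMName 'LON-VM1' `
    -VirtualMachinePath  'D:\VMs\LON-VM1' `
    -SnapshotFilePath    'D:\VMs\LON-VM1\Checkpoints' `
    -SmartPagingFilePath 'D:\VMs\LON-VM1\SmartPaging' `
    -VirtualHardDisks    (New-VhdMoveList -VMName 'LON-VM1' -Destination 'D:\VMs\LON-VM1\Virtual Hard Disks')

# Option 3: move only the virtual hard disks and leave everything else in place.
Move-VMStorage -VMName 'LON-VM1' -VirtualHardDisks (New-VhdMoveList -VMName 'LON-VM1' -Destination 'E:\VHDs\LON-VM1')

# Confirm the virtual machine never stopped and that the paths changed.
Get-VM -Name 'LON-VM1' | Select-Object Name, State, Status
Get-VMStorageLayout -VMName 'LON-VM1'

# Storage migrations run two at a time by default; raise the limit on busy hosts.
Get-VMHost | Select-Object MaximumStorageMigrations
Set-VMHost -MaximumStorageMigrations 4
```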


Lesson 4

Managing Checkpoints

Checkpoints are a Hyper-V feature that you can use to create a point-in-time snapshot of a virtual machine, and then revert to it if needed. In previous versions of Hyper-V, this feature was called Snapshots, and you can still see references to Snapshots in Windows 8.1. The primary benefit of checkpoints in Client Hyper-V is that you can use them to create hierarchies of changes, and then you can revert to them at any time. Checkpoints can be quite useful in some scenarios, such as when testing Windows operating system updates. However, you must use checkpoints carefully to avoid issues, especially when reverting virtual machines in distributed environments such as Active Directory Domain Services (AD DS). This lesson describes how to create and work with virtual machine checkpoints.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe the purpose and functionality of checkpoints.
• Describe how to create and manage checkpoints.
• Explain the considerations for working with checkpoints.

What Are Checkpoints?

When a virtual machine is running, changes are written to both its memory and virtual hard disk. Checkpoints are a Hyper-V feature that you can use to create a point-in-time snapshot of a virtual machine, including its configuration, memory, and disk state. You can create checkpoints when a virtual machine is running, when it is turned off, or when it is in a saved state, but not if it is in a paused state. You can create multiple checkpoints of a virtual machine and revert it to any of the previous states for which checkpoints exist. Checkpoints do not affect the running state of a virtual machine, but they can affect virtual machine performance because they are implemented by using differencing virtual hard disks.

Note: Do not edit or modify a virtual hard disk file when it is used by a virtual machine that has checkpoints.

Checkpoints can be useful when you need to revert virtual machines to an earlier state. You can undo all the changes that took place after a specified state, such as the changes that occurred during testing, development, or in a training environment. Conversely, checkpoints in production environments can cause serious issues, such as user data getting lost.


Creating Checkpoints

When you create a checkpoint, the result is always the same, irrespective of the method you choose. After you create a checkpoint, you should not modify its files on disk directly, because this could cause problems with the checkpoint or even with the running virtual machine. You can create checkpoints by using one of the following procedures:

• In Hyper-V Manager, right-click a virtual machine, and then click Checkpoint (or in the Action pane, click Checkpoint).
• In Virtual Machine Connection, click Checkpoint in the Action menu.
• In Windows PowerShell, use the Checkpoint-VM cmdlet.

Factors to Consider
When you are considering checkpoints, you should be aware of the following factors:

• When you create a checkpoint of a virtual machine, the virtual machine is configured with a differencing virtual hard disk, even if it used a fixed-size virtual hard disk before. Differencing virtual hard disks might perform slower than normal disks because two files (the base disk and the differencing disk) need to be read.
• Checkpoints require additional storage space. If you create a checkpoint of a running virtual machine, it also contains a snapshot of the virtual machine memory. Creating multiple checkpoints can use up a large amount of storage space.
• Although you can use checkpoints to revert a virtual machine to an earlier point in time, you should not consider them backups. Even if you use checkpoints, you should still make regular backups.
• If you no longer need a checkpoint, you should delete it immediately. However, this can cause merging of differencing virtual hard disks. In Windows 8.1, the merging process happens asynchronously in the background while the virtual machine is running.
• A virtual machine is limited to 50 checkpoints. The actual number of checkpoints might be lower and depends on the available storage.

Question: Which checkpoint requires more space: a checkpoint of a running virtual machine, or a checkpoint of a virtual machine that is turned off?

Creating and Managing Checkpoints


Checkpoints consist of several files that represent the complete state of a virtual machine at a certain moment in time. Because you cannot modify a previous state, checkpoints are read-only, and you cannot modify one after you create it. You can only view a checkpoint, change its name, or delete it. You can use checkpoints to revert virtual machines back to the state they were in when you created the checkpoints.


Creating Checkpoints
When you create a checkpoint, Client Hyper-V performs the following procedure in the background:

1. Pauses the virtual machine.
2. For each virtual hard disk that the virtual machine is using, Client Hyper-V creates a differencing virtual hard disk, configures it to use the virtual machine's virtual hard disk as a parent, and then updates the virtual machine settings to use the created differencing virtual hard disk.
3. Creates a copy of the virtual machine configuration file.
4. Resumes running the virtual machine.
5. Saves the content of the virtual machine memory to disk.

Because a virtual machine is paused before a checkpoint is created, you cannot create a checkpoint of a virtual machine that is already in a paused state. As the virtual machine resumes, while its memory is still being saved to disk, Client Hyper-V intercepts changes to memory pages that have not yet been written to disk, writes those pages to disk first, and only then lets the virtual machine modify them. Creating a checkpoint can take considerable time, depending on the size of the virtual machine memory, the physical disk speed, and what is running on the virtual machine. However, the process of checkpoint creation is transparent, and the virtual machine does not experience any outage.

Virtual Machine Checkpoint Files


A virtual machine checkpoint can consist of the following files:

• Virtual machine configuration file (*.xml)
• Virtual machine saved state file (*.vsv)
• Virtual machine memory content (*.bin)
• Checkpoint differencing virtual hard disks (*.avhd)

Client Hyper-V creates a saved state file and a memory content file for a virtual machine only if a checkpoint is created while the virtual machine is running, and not if the virtual machine is turned off.

The location of virtual machine checkpoint files is configured for each virtual machine, and by default, it is the same location where the virtual machine configuration is stored. When you create the first checkpoint, Client Hyper-V creates a Snapshots subfolder and stores checkpoint files there. You can modify the location of the checkpoint files only until the first checkpoint is created. After this, the checkpoint file location setting is read-only. You can modify this setting only after deleting all checkpoints, or by using the Move Wizard.

Using Checkpoints
When you select a checkpoint, you have the following options available in the Actions pane:

• Settings. This option opens the virtual machine settings that were in effect at the moment the checkpoint was created. All of the settings are read-only because you cannot change the configuration that was used in the past. The only settings that you can modify are the checkpoint name and the notes associated with the checkpoint.

• Apply. This option applies a checkpoint to a virtual machine, which means that you want to return the virtual machine to the exact historical state it was in. When you apply a checkpoint, any change in the virtual machine since the last checkpoint was made is lost. Before applying a checkpoint, Client Hyper-V prompts you to create a new checkpoint to avoid possible data loss.

• Export. This option exports a virtual machine checkpoint, which creates an exact copy of the virtual machine as it existed at the moment in which you created the checkpoint.

• Rename. This option renames a checkpoint to provide better information about the state of a virtual machine when you created the checkpoint. The checkpoint name is independent of the checkpoint content, and by default, it contains the date and time of checkpoint creation.

• Delete Checkpoint. This option deletes a checkpoint if you no longer want to be able to revert a virtual machine to the state it was in when you created the checkpoint.

• Delete Checkpoint Subtree. This option deletes the selected checkpoint and any checkpoints that originate from it. Checkpoints that originate from it are listed below it in the Checkpoints pane.

When you right-click a virtual machine with at least one checkpoint, you also can click the Revert option. This returns a virtual machine to the last checkpoint.

Question: Can you modify the configuration of a virtual machine checkpoint if you created that checkpoint when the virtual machine was turned off?

Question: How are multiple branches created in a checkpoint tree?
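The checkpoint operations described above (create, inspect, rename, apply, export, delete one or a subtree), driven from Windows PowerShell, as an added example that is not part of the course. The virtual machine name LON-VM1, the checkpoint names, the export folder D:\Exports, and the Get-VhdChain helper are assumptions made for this example; in Windows 8.1 the cmdlets still use "snapshot" in their names.

```powershell
# Added example (not from the course): managing checkpoints with the Hyper-V
# cmdlets. Assumed names: virtual machine "LON-VM1", checkpoint names, D:\Exports.

# Create a named checkpoint; for a running virtual machine the memory is saved too.
Checkpoint-VM -Name 'LON-VM1' -SnapshotName 'Before KB install'

# List the checkpoint tree. ParentSnapshotName shows where branches start: applying
# an older checkpoint and then creating a new one forms a second branch under it.
Get-VMSnapshot -VMName 'LON-VM1' |
    Select-Object Name, ParentSnapshotName, CreationTime |
    Format-Table -AutoSize

# Walk the differencing chain of each disk. Every checkpoint adds one .avhd/.avhdx
# layer on top of the parent, which is why reads slow down and space grows.
function Get-VhdChain {
    param([Parameter(Mandatory)] [string] $VMName)
    foreach ($drive in Get-VMHardDiskDrive -VMName $VMName) {
        $depth = 0
        $path = $drive.Path
        while ($path) {
            $vhd = Get-VHD -Path $path
            [pscustomobject]@{
                VMName   = $VMName
                Depth    = $depth          # 0 = the file the virtual machine writes to now
                Type     = $vhd.VhdType    # Differencing for checkpoint layers
                FileSize = '{0:N0} MB' -f ($vhd.FileSize / 1MB)
                Path     = $path
            }
            $path = $vhd.ParentPath        # $null once the base disk is reached
            $depth++
        }
    }
}
Get-VhdChain -VMName 'LON-VM1' | Format-Table -AutoSize

# Rename so the name says which state the checkpoint holds (the default is a timestamp).
Rename-VMSnapshot -VMName 'LON-VM1' -Name 'Before KB install' -NewName 'Clean build, pre-patch'

# Apply = revert. Take a fresh checkpoint first so the current state is not lost,
# which is what Hyper-V Manager prompts you to do.
Checkpoint-VM -Name 'LON-VM1' -SnapshotName 'State before revert'
Restore-VMSnapshot -VMName 'LON-VM1' -Name 'Clean build, pre-patch' -Confirm:$false

# Export a checkpoint as a complete copy of the virtual machine at that point in time.
Export-VMSnapshot -VMName 'LON-VM1' -Name 'Clean build, pre-patch' -Path 'D:\Exports'

# Delete one checkpoint, or a checkpoint and its whole subtree; the differencing
# disks are merged in the background while the virtual machine keeps running.
Remove-VMSnapshot -VMName 'LON-VM1' -Name 'State before revert'
Remove-VMSnapshot -VMName 'LON-VM1' -Name 'Clean build, pre-patch' -IncludeAllChildSnapshots
```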

Considerations for Working with Checkpoints


When you apply a checkpoint, you effectively revert a virtual machine back to the moment when you created the checkpoint. Depending on a virtual machine's role and the applications that are installed on it, reverting a virtual machine back to a previous checkpoint can have disastrous implications and might result in data loss or corruption. The following two types of applications can be affected negatively when you revert a virtual machine back in time:

• Cryptographic applications. Windows operating systems provide application programming interface (API) functions that generate random values with a high level of entropy. A checkpoint captures the state of the logic that creates these random values at the moment you create the checkpoint, and this can severely reduce the entropy of random data. For example, consider the generation of GUIDs. When a GUID value is generated, it should be unique and never repeated. However, if you request a GUID immediately after applying a checkpoint, there is a high probability that the same GUID value will be generated each time the checkpoint is applied.

• Applications that use vector-clock synchronization. Applying a checkpoint to a virtual machine can corrupt applications that use vector-clock synchronization. Examples of such applications are AD DS, Distributed File System (DFS) Replication, and Microsoft SQL Server replication. For these applications to work, each member of a replica set must maintain a monotonically increasing logical clock. When you apply a checkpoint, it reverts the logical clock on the virtual machine, causing the same clock values to be associated with different transactions. As a result, members of the replica set will not converge to the same state, thereby causing data corruption.

Before using checkpoints in your Hyper-V environment, you should consider the following:

• Checkpoints can be very useful for testing applications or deployments, but they typically are not used regularly in a production environment. Using checkpoints might cause significant problems with applications or services that are time sensitive or that use data replication, such as Microsoft Exchange Server or SQL Server.

• Checkpoints are not a replacement for a consistent backup strategy. However, you can use checkpoints in scenarios such as operating system upgrades and other tasks where you might want to revert back to the original state of a virtual machine should the task fail.

• Hyper-V virtual machine checkpoints have multiple uses in your network, predominately in a test lab. You can use checkpoints in a lab environment for testing a new deployment. When creating a new server, you can use a checkpoint for each phase of a server's creation. In a training environment, you can use checkpoints to revert a server to the previous lab.

• If you are going to use checkpoints for testing or training, the primary consideration is hard drive space. Checkpoints can use a large amount of hard drive space because each checkpoint creates a new differencing virtual hard disk.

Note: Client Hyper-V in Windows 8.1 projects a 64-bit integer value that is named Generation ID into a virtual machine through an emulated BIOS device that is named Microsoft Hyper-V Generation Counter. The Generation ID changes each time you apply a checkpoint, which enables an operating system in a virtual machine to detect that the checkpoint was applied.

Virtual Machine Generation ID
http://go.microsoft.com/fwlink/?LinkId=260709

Question: Can you prevent checkpoint creation from inside a virtual machine?


Lab: Configuring Client Hyper-V


Scenario

The Information Technology (IT) department at A. Datum Corporation wants to test several apps in different operating system environments prior to deploying the apps in production. Several members of the application testing team have expressed interest in creating virtual environments on their Windows 8.1 computers where they can create and configure virtual machines. You have been asked to demonstrate the process of creating an environment where apps can be tested.

Objectives
After completing this lab, you will be able to:

• Install Client Hyper-V.
• Create a virtual switch, a virtual hard disk, and a virtual machine.

Lab Setup
Estimated Time: 15 minutes
Virtual machines: 20687C-LON-CL5
User name: Adatum\Admin
Password: Pa$$w0rd

To perform this lab, you must start the host computer to 20687C-LON-CL5. To do this, restart the host computer and choose 20687C-LON-CL5 from the Start menu. Sign in as Admin with password Pa$$w0rd.

Exercise 1: Installing Client Hyper-V


Scenario

You have been asked to turn on the Hyper-V feature on LON-CL5, a stand-alone Windows 8.1 computer in the IT department. To ensure that the IT department has access to all options in the virtual environment, you have been asked to install all of the management tools available for Client Hyper-V. The main task for this exercise is as follows:

1. Install the Client Hyper-V feature.

Task 1: Install the Client Hyper-V feature


1. On LON-CL5, verify that no program that contains the word Hyper-V is installed.
2. Use the Get-Command cmdlet to verify that no cmdlets from the Hyper-V module are currently available.
3. Use the Windows Features window to turn the Hyper-V feature on.
4. Restart the computer, and then select 20687C-LON-CL5 when prompted during startup to choose an operating system.
5. Sign in to LON-CL5 as Admin with password Pa$$w0rd.
6. After a second restart, repeat steps 4 and 5.
7. Use the Get-Command cmdlet to verify that many cmdlets from the Hyper-V module are available.

Results: After completing this exercise, you should have installed the Client Hyper-V feature.


Exercise 2: Creating a Virtual Switch, a Virtual Hard Disk, and a Virtual Machine
Scenario

You have been asked to create a virtual network and virtual machine to accommodate app testing, and to demonstrate the Client Hyper-V environment to the app testing team. The virtual network and virtual machine should adhere to the following specifications.

Virtual network:
   o Network type: Private
   o Network name: Private Network

Virtual machine:
   o Name: Windows 8.1 Test
   o Memory: 1,024 MB
   o Storage location: Default
   o Network connection: Private Network
   o Installation media: None

The main tasks for this exercise are as follows:

1. Create a virtual switch.
2. Create a virtual hard disk.
3. Create a virtual machine.

Task 1: Create a virtual switch


1. On LON-CL5, open Hyper-V Manager.
2. Create a new virtual switch with the following parameters:
   o Connection type: Private
   o Virtual switch name: Private Network

Task 2: Create a virtual hard disk


1. On LON-CL5, use Hyper-V Manager to create a new virtual hard disk with the following settings:
   o Format: VHDX
   o Type: Dynamically expanding
   o Name: Dynamic.vhdx
   o Location: C:\VM
   o Size: 100 GB
2. Use Hyper-V Manager to create a new virtual hard disk with the following settings:
   o Format: VHD
   o Type: Differencing
   o Name: Differencing.vhd
   o Location: C:\VM
   o Parent: F:\Program Files\Microsoft Learning\base\Base14C-W81-Office2013.vhd
3. In Windows PowerShell, use the New-VHD cmdlet to create a new virtual hard disk with the following settings:
   o Path: C:\VM\Fixed.vhdx
   o Size: 1 GB
   o Type: Fixed size
4. In File Explorer, browse to the C:\VM folder, and then confirm that Fixed.vhdx allocates 1 GB of disk space, while Dynamic.vhdx and Differencing.vhd allocate much less disk space.

Task 3: Create a virtual machine


1. On LON-CL5, use Hyper-V Manager to create a new virtual machine with the following settings:
   o Name: LON-VM2
   o Generation: Generation 2
   o Startup Memory: 1024 MB
   o Use Dynamic Memory: Enabled
2. Use the Windows PowerShell cmdlet New-VM to create a new virtual machine with the following settings:
   o Name: LON-VM1
   o Generation: Generation 1
   o Startup Memory: 1 GB
   o Boot Device: IDE
3. Use the Windows PowerShell cmdlet Add-VMHardDiskDrive to add the C:\VM\Differencing.vhd disk to the IDE Controller of LON-VM1.
4. Verify that you can start and connect to the LON-VM1 virtual machine.

Results: After completing this exercise, you should have created a virtual network and a virtual machine in Client Hyper-V.
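The two exercises of this lab carried out entirely from an elevated Windows PowerShell session on LON-CL5, as an added example that is not part of the course. Names, paths, and sizes are the ones the lab specifies; creating both virtual machines without a disk (-NoVHD) and attaching the lab's virtual switch to them are choices made for this example.

```powershell
# Added example (not from the course): the lab's two exercises as Windows PowerShell.
# Run in an elevated session on LON-CL5; names and paths are the ones the lab uses.

# Exercise 1: before the feature is turned on, the Hyper-V module exposes nothing.
Get-WindowsOptionalFeature -Online -FeatureName 'Microsoft-Hyper-V' | Select-Object FeatureName, State
(Get-Command -Module Hyper-V | Measure-Object).Count   # 0 while the feature is off

# Turn on the feature and all of its management tools; the computer must restart afterwards.
Enable-WindowsOptionalFeature -Online -FeatureName 'Microsoft-Hyper-V' -All -NoRestart

# After the restarts, the module loads and the count is large.
(Get-Command -Module Hyper-V | Measure-Object).Count

# Exercise 2, task 1: the private virtual switch.
New-VMSwitch -Name 'Private Network' -SwitchType Private

# Task 2: three virtual hard disks in C:\VM.
New-Item -Path 'C:\VM' -ItemType Directory -Force | Out-Null
New-VHD -Path 'C:\VM\Dynamic.vhdx' -SizeBytes 100GB -Dynamic
New-VHD -Path 'C:\VM\Differencing.vhd' -Differencing `
    -ParentPath 'F:\Program Files\Microsoft Learning\base\Base14C-W81-Office2013.vhd'
New-VHD -Path 'C:\VM\Fixed.vhdx' -SizeBytes 1GB -Fixed

# Only the fixed disk allocates its full size up front; the other two stay small.
Get-ChildItem -Path 'C:\VM' -Filter '*.vhd*' |
    Select-Object Name, @{ n = 'SizeMB'; e = { [math]::Round($_.Length / 1MB) } }

# Task 3: a Generation 2 virtual machine with dynamic memory, and a Generation 1
# virtual machine that boots from IDE and gets the differencing disk attached.
New-VM -Name 'LON-VM2' -Generation 2 -MemoryStartupBytes 1024MB -NoVHD -SwitchName 'Private Network'
Set-VMMemory -VMName 'LON-VM2' -DynamicMemoryEnabled $true

New-VM -Name 'LON-VM1' -Generation 1 -MemoryStartupBytes 1GB -BootDevice IDE -NoVHD -SwitchName 'Private Network'
Add-VMHardDiskDrive -VMName 'LON-VM1' -ControllerType IDE -ControllerNumber 0 -ControllerLocation 0 `
    -Path 'C:\VM\Differencing.vhd'

# Verify the settings, then start LON-VM1 and confirm it is running.
Get-VM -Name 'LON-VM1', 'LON-VM2' | Select-Object Name, Generation, State, DynamicMemoryEnabled
Start-VM -Name 'LON-VM1'
Get-VM -Name 'LON-VM1' | Select-Object Name, State, Uptime
```

Connect to the started virtual machine with vmconnect.exe or the Connect action in Hyper-V Manager, as step 4 of task 3 requires.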


Module Review and Takeaways


Review Questions
Question: Why would you deploy Client Hyper-V to a Windows client computer in a corporate environment?

Question: Why should you not use virtual machine checkpoints for backup and disaster recovery?

Question: Can you create a checkpoint of a virtual machine that is turned off?

Question: When you open Windows PowerShell and run the New-VM cmdlet to create a new virtual machine, you get an error that New-VM is not recognized as the name of a cmdlet. What could be the most probable reason for such an error?

Tools
Tool: Hyper-V Manager
   Description: Management console for Client Hyper-V
   Where to find it: Start screen

Tool: Hyper-V Virtual Machine Connection tool
   Description: Connect directly to local or remote virtual machines without opening Hyper-V Manager
   Where to find it: Start screen


Course Evaluation
Your evaluation of this course will help Microsoft understand the quality of your learning experience. Please work with your training provider to access the course evaluation form. Microsoft will keep your answers to this survey private and confidential and will use your responses to improve your future learning experience. Your open and honest feedback is valuable and appreciated.


Module 2: Installing and Deploying Windows 8.1

Lab A: Installing Windows 8.1


Exercise 1: Planning to Install Windows 8.1
Scenario
Prior to installing Windows 8.1, establish an installation plan by reading the request.

A. Datum Wireless Network Requirements
Document reference: HD-02-05-13
Document author: Holly Dickson
Date: Dec 2, 2013

Requirements Overview

A. Datum Corporation wants to create a test environment for a new app that was developed internally. Ideally, we would like to be able to test the app on several different operating systems, but we have been provided with only one system. We have been told that Windows 8.1 supports the same virtualization as the servers in our production environment with Hyper-V, so maybe we could do it that way? We also need to be able to create Windows To Go UFD media. The computer that we have been given has a quad-core, 2 gigahertz (GHz) processor and 4 gigabytes (GB) of RAM. The processor supports Intel VT. It also has a 320 GB hard drive and a 512-megabyte (MB) graphics processing unit (GPU). The computer should be prepared for the Development team as soon as possible.

Task 1: Determine whether the customer's computers meet the minimum requirements for Windows 8.1
Answer the following questions:

1. Does the customer's computer meet the minimum system requirements for Windows 8.1 in the following areas?
   a. Processor (2 GHz): YES
   b. RAM (4 GB): YES
   c. Hard-disk space (320 GB): YES
   d. GPU (512 MB): YES
2. Does the customer's computer meet the requirements for the following features?
   Client Hyper-V (64-bit, second level address translation (SLAT) capable): YES


Task 2: Select the appropriate Windows operating system edition to install on LON-REF1

You should install a 64-bit version of Windows 8.1 Enterprise. Windows 8.1 Enterprise supports Client Hyper-V, and is the only Windows 8.1 edition that supports creation of Windows To Go UFD media. You should use the 64-bit version to be able to use Client Hyper-V.

Results: After completing this exercise, you should have evaluated the installation environment, and then selected the appropriate Windows operating system edition to install.


Exercise 2: Performing a Clean Installation of Windows 8.1


Task 1: Attach the Windows 8.1 DVD image file to LON-REF1
1. On the host computer, double-click the Hyper-V Manager icon on the desktop, or click Start, click Administrative Tools, and then click Hyper-V Manager.
2. In the Hyper-V Manager console, right-click 20687C-LON-REF1, and then click Settings.
3. In the Settings for 20687C-LON-REF1 window, under IDE Controller 1, click DVD Drive in the left-hand column.
4. In the details pane, click Image file, and then click Browse.
5. In the Open window, browse to D:\Program Files\Microsoft Learning\20687\Drives, double-click the Win81Ent_Eval.iso file, and then click OK to close the Settings for 20687C-LON-REF1 window.

Task 2: Install Windows 8.1 on LON-REF1


1. In Hyper-V Manager, right-click the 20687C-LON-REF1 virtual machine, and then click Start.
2. In Hyper-V Manager, right-click the 20687C-LON-REF1 virtual machine, and then click Connect.
3. When the Windows Setup screen appears, select the appropriate regional settings, and then click Next.
4. In the Windows Setup window, click Install now.
5. On the License terms page, select the I accept the license terms check box, and then click Next.
6. On the Which type of installation do you want? page, click Custom: Install Windows only (advanced).
7. On the Where do you want to install Windows page, click Next.

   Note: Wait for Windows 8.1 to install. This process will take 15 to 20 minutes.

8. On the Personalize screen, type LON-REF1 in the PC name field, and then click Next.
9. On the Settings page, click Use express settings.
10. On the Your account page, click Create a local account.
11. On the Your Account page, in the User name field, type User.
12. In the Password field and in the Reenter password field, type Pa$$w0rd.
13. In the Password hint field, type Forgot already?, click Finish, and then wait for the installation to complete.

Task 3: Confirm the successful installation of Windows 8.1 on LON-REF1


1. Confirm that the Windows 8.1 Start screen appears.
2. On the Start screen, click the Desktop tile to view the desktop of LON-REF1.
3. Click the File Explorer icon on the taskbar. The This PC window opens.
4. In the This PC window, in the navigation pane, right-click This PC, and then click Properties.
5. In the System window, verify that:
   o Windows 8.1 Enterprise Evaluation is installed
   o The Computer name is LON-REF1
   o Workgroup is WORKGROUP
6. Click the Start icon on the taskbar.
7. On the Start screen, click User, and then click Sign out.

Results: After completing this exercise, you should have performed a clean installation of Windows 8.1.

To prepare for the next lab


When you are finished with the lab, revert all virtual machines back to their initial state:

1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687C-LON-REF1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.


Lab B: Customizing and Capturing a Windows 8.1 Image


Exercise 1: Creating an Answer File and Performing an Unattended Windows 8.1 Installation
Scenario

In this exercise, you have been asked to configure an answer file to use with Windows 8.1 installations at A. Datum. To modify this answer file, you have been given the following information by your IT administrator to assist you in the process. For each component, the table lists the properties to set and their values.

Component: amd64_Microsoft-Windows-International-Core-WinPE_neutral
   InputLocale: en-US
   SystemLocale: en-US
   UILanguage: en-US
   UserLocale: en-US

Component: amd64_Microsoft-Windows-International-Core-WinPE_neutral\SetupUILanguage
   UILanguage: en-US

Component: amd64_Microsoft-Windows-Setup_neutral\DiskConfiguration\Disk
   DiskID: 0
   WillWipeDisk: True

Component: amd64_Microsoft-Windows-Setup_neutral\DiskConfiguration\Disk\CreatePartitions\CreatePartition
   Extend: True
   Order: 1
   Type: Primary

Component: amd64_Microsoft-Windows-Setup_neutral\DiskConfiguration\Disk\ModifyPartitions\ModifyPartition
   Active: True
   Format: NTFS
   Order: 1
   PartitionID: 1

Component: amd64_Microsoft-Windows-Setup_neutral\ImageInstall\OSImage\InstallFrom\Metadata
   Key: /IMAGE/NAME
   Value: Windows 8.1 Enterprise Evaluation

Component: amd64_Microsoft-Windows-Setup_neutral\ImageInstall\OSImage\InstallTo
   DiskID: 0
   PartitionID: 1

Component: amd64_Microsoft-Windows-Setup_neutral\UserData
   AcceptEULA: True
   FullName: Adatum User
   Organization: Adatum

Component: amd64_Microsoft-Windows-Shell-Setup_neutral\OOBE
   SkipMachineOOBE: True
   SkipUserOOBE: True

Component: amd64_Microsoft-Windows-Shell-Setup_neutral\UserAccounts\LocalAccounts\LocalAccount
   Description: Local Admin
   DisplayName: Administrator
   Group: Administrators
   Name: Administrator

Component: amd64_Microsoft-Windows-Shell-Setup_neutral\UserAccounts\LocalAccounts\LocalAccount\Password
   Value: Pa$$w0rd

Task 1: Mount a virtual floppy drive on LON-CL1


1. On the host computer, double-click the Hyper-V Manager icon on the desktop, or click Start, click Administrative Tools, and then click Hyper-V Manager.
2. In the Hyper-V Manager console, right-click 20687C-LON-CL1, and then click Settings.
3. In the Settings for 20687C-LON-CL1 window, click Diskette Drive.
4. In the details pane, click Virtual floppy disk (.vfd) file, browse to D:\Program Files\Microsoft Learning\20687\Drives, double-click Lab2BEx1.vfd, and then click OK.

Task 2: Create an answer file


1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. On the Start screen, type Image Manager, and then press Enter. Windows System Image Manager starts.
3. In Windows System Image Manager, click File, and then click Select Windows Image.
4. In the Select a Windows Image dialog box, navigate to the E:\Labfiles\mod02\Sources folder, select Install.wim, and then click Open.
5. In Windows System Image Manager, click File, and then click New Answer File.
6. In the Windows Image pane, expand Components, scroll down, right-click amd64_Microsoft-Windows-International-Core-WinPE_neutral, and then click Add Setting to Pass 1 windowsPE.
7. In the Answer File pane, verify that amd64_Microsoft-Windows-International-Core-WinPE_neutral is selected.
8. In the amd64_Microsoft-Windows-International-Core-WinPE pane, double-click InputLocale, and then type en-US. Also, double-click SystemLocale, UILanguage, and UserLocale, and then type en-US as the value for each of those three properties.
9. In the Answer File pane, expand amd64_Microsoft-Windows-International-Core-WinPE_neutral, and then click SetupUILanguage. In the SetupUILanguage Properties pane, double-click UILanguage, and then type en-US.
10. In the Windows Image pane, expand the Components node, right-click amd64_Microsoft-Windows-Setup_neutral\DiskConfiguration\Disk, and then click Add Setting to Pass 1 windowsPE.
11. In the Answer File pane, verify that Disk is selected.
12. In the Disk Properties pane, double-click DiskID, and then type 0.
13. In the Disk Properties pane, double-click WillWipeDisk, and then in the drop-down list, click True.


14. In the Windows Image pane, expand the Components node, right-click amd64_Microsoft-Windows-Setup_neutral\DiskConfiguration\Disk\CreatePartitions\CreatePartition, and then click Add Setting to Pass 1 windowsPE.
15. In the Answer File pane, verify that CreatePartition is selected.
16. In the CreatePartition Properties pane, double-click Extend, and then in the drop-down list, click True.
17. In the CreatePartition Properties pane, double-click Order, and then type 1.
18. In the CreatePartition Properties pane, double-click Type, and then in the drop-down list, click Primary.
19. In the Windows Image pane, expand the Components node, right-click amd64_Microsoft-Windows-Setup_neutral\DiskConfiguration\Disk\ModifyPartitions\ModifyPartition, and then click Add Setting to Pass 1 windowsPE.
20. In the Answer File pane, verify that ModifyPartition is selected.
21. In the ModifyPartition Properties pane, double-click Active, and then in the drop-down list, click True.
22. In the ModifyPartition Properties pane, double-click Format, and then in the drop-down list, click NTFS.
23. In the ModifyPartition Properties pane, double-click Order, and then type 1.
24. In the ModifyPartition Properties pane, double-click PartitionID, and then type 1.
25. In the Windows Image pane, expand the Components node, right-click amd64_Microsoft-Windows-Setup_neutral\ImageInstall\OSImage\InstallFrom\Metadata, and then click Add Setting to Pass 1 windowsPE.
26. In the Answer File pane, verify that Metadata is selected.
27. In the Metadata Properties pane, double-click Key, and then type /IMAGE/NAME.
28. In the Metadata Properties pane, double-click Value, and then type Windows 8.1 Enterprise Evaluation.
29. In the Windows Image pane, expand the Components node, right-click amd64_Microsoft-Windows-Setup_neutral\ImageInstall\OSImage\InstallTo, and then click Add Setting to Pass 1 windowsPE.
30. In the Answer File pane, verify that InstallTo is selected.
31. In the InstallTo Properties pane, double-click DiskID, and then type 0.
32. In the InstallTo Properties pane, double-click PartitionID, and then type 1.
33. In the Windows Image pane, expand the Components node, right-click amd64_Microsoft-Windows-Setup_neutral\UserData, and then click Add Setting to Pass 1 windowsPE.
34. In the Answer File pane, verify that UserData is selected.
35. In the UserData Properties pane, double-click AcceptEULA, and then in the drop-down list, click True.
36. In the UserData Properties pane, double-click FullName, and then type Adatum User.
37. In the UserData Properties pane, double-click Organization, and then type Adatum.
38. In the Windows Image pane, expand the Components node, right-click amd64_Microsoft-Windows-Shell-Setup_neutral\OOBE, and then click Add Setting to Pass 7 oobeSystem.


39. In the Answer File pane, verify that OOBE is selected.

40. In the OOBE Properties pane, double-click SkipMachineOOBE, and then in the drop-down box, click True.

41. In the OOBE Properties pane, double-click SkipUserOOBE, and then in the drop-down box, click True.

42. In the Windows Image pane, expand the Components node and right-click amd64_Microsoft-Windows-Shell-Setup_neutral\UserAccounts\LocalAccounts\LocalAccount, and then click Add Setting to Pass 7 oobeSystem.

43. In the Answer File pane, verify that LocalAccount is selected.

44. In the LocalAccount Properties pane, double-click Description, and then type Local Admin.

45. In the LocalAccount Properties pane, double-click DisplayName, and then type Administrator.

46. In the LocalAccount Properties pane, double-click Group, and then type Administrators.

47. In the LocalAccount Properties pane, double-click Name, and then type Administrator.

48. In the Answer File pane, expand LocalAccount, and then select Password.

49. In the Password Properties pane, double-click Value, and then type Pa$$w0rd.
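The Autounattend.xml saved in the next task carries the LocalAccount password from step 49 as an element value, so the file itself has to be treated as a credential. The following PowerShell is an added example, not course code: it parses an answer file and reports every password element and whether it is stored as PlainText or only Base64-obfuscated (the Windows SIM Hide Sensitive Data option), so answer files left on deployment shares or floppy images can be audited. The sample XML is constructed from the lab's settings, and Test-UnattendSecrets is a hypothetical helper name.

```powershell
# Added example, not course code: audit an unattended answer file for embedded
# credentials. Windows SIM stores the LocalAccount password from step 49 in the
# file; with Tools > Hide Sensitive Data it is only Base64-encoded (PlainText set
# to false), which is obfuscation, not encryption.

# Constructed sample, trimmed to the oobeSystem pass built in steps 38 to 49.
$SampleUnattend = @'
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64"
        publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"
        xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
      <OOBE>
        <SkipMachineOOBE>true</SkipMachineOOBE>
        <SkipUserOOBE>true</SkipUserOOBE>
      </OOBE>
      <UserAccounts>
        <LocalAccounts>
          <LocalAccount wcm:action="add">
            <Password>
              <Value>Pa$$w0rd</Value>
              <PlainText>true</PlainText>
            </Password>
            <Description>Local Admin</Description>
            <DisplayName>Administrator</DisplayName>
            <Group>Administrators</Group>
            <Name>Administrator</Name>
          </LocalAccount>
        </LocalAccounts>
      </UserAccounts>
    </component>
  </settings>
</unattend>
'@

function Test-UnattendSecrets {
    # Hypothetical helper: returns one record per password element in the file.
    [CmdletBinding(DefaultParameterSetName = 'Path')]
    param(
        [Parameter(Mandatory, ParameterSetName = 'Path')][string]$Path,
        [Parameter(Mandatory, ParameterSetName = 'Xml')][string]$Xml
    )
    if ($PSCmdlet.ParameterSetName -eq 'Path') { $Xml = Get-Content -Path $Path -Raw }

    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($Xml)
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('u', 'urn:schemas-microsoft-com:unattend')

    # LocalAccount, AdministratorPassword and AutoLogon use a Value/PlainText pair;
    # a Password element with no PlainText child (domain-join Credentials) is plain.
    foreach ($pw in $doc.SelectNodes('//u:Password | //u:AdministratorPassword', $ns)) {
        $plainNode = $pw.SelectSingleNode('u:PlainText', $ns)
        $isPlain   = ($null -eq $plainNode) -or ($plainNode.InnerText -eq 'true')
        $component = $pw.SelectSingleNode('ancestor::u:component', $ns).GetAttribute('name')
        $pass      = $pw.SelectSingleNode('ancestor::u:settings', $ns).GetAttribute('pass')
        $nameNode  = $pw.ParentNode.SelectSingleNode('u:Name', $ns)
        $account   = '(n/a)'
        if ($nameNode) { $account = $nameNode.InnerText }
        $storage   = 'Base64 (obfuscated, not encrypted)'
        if ($isPlain) { $storage = 'PlainText' }

        # The secret value itself is deliberately not emitted in the report.
        [pscustomobject]@{
            Pass      = $pass
            Component = $component
            Element   = $pw.LocalName
            Account   = $account
            Storage   = $storage
        }
    }
}

# Run against the constructed sample; for the lab's file, use:
#   Test-UnattendSecrets -Path A:\Autounattend.xml
Test-UnattendSecrets -Xml $SampleUnattend | Format-Table -AutoSize
```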

Task 3: Save the answer file and remove the diskette drive

1. In Windows System Image Manager, click File, and then click Save Answer File As.

2. In the Save As window, in the navigation pane, click This PC.

3. In the details pane, double-click Floppy Disk Drive (A:).

4. In the File name field, type Autounattend.xml, and then click Save.

5. Close Windows System Image Manager.

6. On the host computer, double-click the Hyper-V Manager icon on the desktop, or click Start, click Administrative Tools, and then click Hyper-V Manager.

7. In the Hyper-V Manager console, right-click 20687C-LON-CL1, and then click Settings.

8. In the Settings for 20687C-LON-CL1 window, click Diskette Drive.

9. In the details pane, select None, and then click OK.

Task 4: Configure LON-REF1 and start the Windows 8.1 unattended installation

1. On the host computer, double-click the Hyper-V Manager icon on the desktop, or click Start, click Administrative Tools, and then click Hyper-V Manager.

2. In the Hyper-V Manager console, right-click 20687C-LON-REF1, and then click Settings.

3. In the Settings for 20687C-LON-REF1 window, click Diskette Drive.

4. In the details pane, select Virtual floppy disk (.vfd) file, browse to D:\Program Files\Microsoft Learning\20687\Drives, and then double-click Lab2BEx1.vfd.

5. In the Settings for 20687C-LON-REF1 window, click DVD Drive.

6. In the details pane, click Image file, browse to D:\Program Files\Microsoft Learning\20687\Drives, double-click Win81Ent_Eval.iso, and then click OK.

7. In Hyper-V Manager, right-click 20687C-LON-REF1, and then click Connect.

8. In the 20687C-LON-REF1 on localhost window, click Actions, and then click Start.

9. Observe the Windows 8.1 installation process. Confirm that you are not prompted for any information during installation. While Windows 8.1 is installing, continue with the next exercise.

Note: During installation, LON-REF1 restarts two times. Do not press any key to start it from DVD.

Results: After completing this exercise, you should have modified an unattended answer file to use for automating the Windows 8.1 installation process.


Exercise 2: Viewing Install.wim Information and Capturing a Windows 8.1 Image

Task 1: View the information of the Windows 8.1 image in the Install.wim file

1. In the Hyper-V Manager console, right-click 20687C-LON-CL1, and then click Settings.

2. In the Settings for 20687C-LON-CL1 window, click DVD Drive.

3. In the details pane, click Image file, browse to D:\Program Files\Microsoft Learning\20687\Drives, double-click Win81Ent_Eval.iso, and then click OK.

4. On LON-CL1, in File Explorer, open the D:\Sources folder, and then view the properties of the Install.wim file.

Note: The file is 2.99 GB (3,214,415,031 bytes), and there is another .wim file named Boot.wim in the folder.

5. On the Start screen, type deployment, and then run Deployment and Imaging Tools Environment.

6. In Deployment and Imaging Tools Environment, run the following command to view the content of the Install.wim file:

dism /Get-ImageInfo /ImageFile:d:\sources\install.wim

7. Verify that the .wim file has one image named Windows 8.1 Enterprise Evaluation and that the image has a size of more than 12 GB. This demonstrates how effectively the .wim file format compresses files.

8. You can view more details about an image by using its image index. For example, you can get more extensive information about the Windows 8.1 Enterprise Evaluation image by running the following command:

dism /Get-WimInfo /WimFile:d:\sources\install.wim /index:1

Task 2: Capturing an image

1. At the Deployment and Imaging Tools Environment command prompt, create a .wim file that contains the contents of the C:\Windows\Inf folder by running the following command (the image name contains a space, so it must be quoted):

dism /Capture-Image /ImageFile:c:\image.wim /CaptureDir:c:\windows\inf /Name:"First Image"

2. Open File Explorer, browse to C:\Windows, right-click the Inf folder, and then click Properties.

3. At the Deployment and Imaging Tools Environment command prompt, run the following command to view the size of the .wim file that you created:

dir c:\image.wim

Note: You will see that image.wim is less than 5 MB in size, which shows how effectively the original files were compressed when they were added to the .wim file.


4. To capture the same content in a second image in the image.wim file, run the following command:

dism /Append-Image /ImageFile:c:\image.wim /CaptureDir:c:\windows\inf /Name:"Second Image"

Note: The second image, which has the same content as the first image, is added much more quickly.

5. Review the size of the .wim file that now contains two images.

6. At the Deployment and Imaging Tools Environment command prompt, run the following command:

dir c:\image.wim

Note: image.wim is only slightly larger. The .wim file format uses single-instance storage: because the files in both images are identical, each file is stored only once, and the second image adds little more than metadata.

7. Run the following command to verify which images are contained in the image.wim file:

dism /Get-ImageInfo /ImageFile:c:\image.wim

Task 3: Modifying an offline image

1. In File Explorer, view the size of the file C:\Image.wim and when the file was last modified.

2. At the Deployment and Imaging Tools Environment command prompt, run the following two commands to create an empty folder and mount the second image in image.wim to the created folder:

mkdir c:\mount
dism /mount-wim /wimfile:c:\image.wim /index:2 /mountdir:c:\mount

3. In File Explorer, view the properties of the C:\Mount folder. Note that the contents of the folder are exactly the same as the contents of the C:\Windows\inf folder.

4. In File Explorer, navigate to the C:\Mount folder, and then create a subfolder named Folder1.

5. Select and delete any three files in the C:\Mount folder. Close File Explorer.

6. Unmount the image by running the following command:

dism /unmount-wim /mountdir:c:\mount /commit

7. View the properties of the .wim file by running the following command:

dir c:\image.wim

8. View the contents of the .wim file by running the following command:

dism /Get-ImageInfo /ImageFile:c:\image.wim


9. Run the following commands to view the content of the second and the first image in the image.wim file:

dism /Get-WimInfo /WimFile:c:\image.wim /index:2
dism /Get-WimInfo /WimFile:c:\image.wim /index:1

Note: The second image has one more directory and three fewer files than the first image. All of those modifications were performed in the offline image.

Task 4: Capturing a Windows 8.1 image

1. Sign in to LON-REF1 as user Admin with the password Pa$$w0rd. Verify that Windows 8.1 is installed.

2. In the Hyper-V Manager console, right-click 20687C-LON-REF1, and then click Settings.

3. In the Settings for 20687C-LON-REF1 window, click DVD Drive.

4. In the details pane, click Image file, browse to D:\Program Files\Microsoft Learning\20687\Drives, double-click WindowsPE.iso, and then click OK.

5. In LON-REF1, open a command prompt as an Administrator, click Yes in the User Account Control dialog box, and then run the following command:

C:\Windows\System32\sysprep\sysprep.exe

6. In the System Preparation Tool 3.14 dialog box, click Generalize, and then click OK.

7. When LON-REF1 restarts, press any key to start it from the DVD media.

8. In the Administrator: X:\Windows\system32\cmd.exe window, run the following command:

Net use g: \\lon-cl1\share Pa$$w0rd /user:adatum\administrator

9. Run the following command to capture a Windows 8.1 image on LON-REF1:

dism /Capture-Image /ImageFile:g:\Win81.wim /CaptureDir:d:\ /name:CustomImage

Note: You can continue with the lecture while the capture is in progress.

Results: After completing this exercise, you should have viewed Windows image information and captured a Windows 8.1 image.


Lab C: Deploying a Windows 8.1 Image


Exercise 1: Performing Offline Servicing and Deploying a Windows 8.1 Image
Task 1: Perform offline servicing of the Windows image
1. Sign in to LON-CL1 as Adatum\Administrator.

2. Open File Explorer, navigate to the C:\Mount folder, and then verify that the folder is empty.

3. On the Start screen, type command, and then click Command Prompt.

4. Mount the Windows 8.1 image by running the following command:

Dism.exe /mount-image /imagefile:e:\labfiles\mod02\share\win81.wim /index:1 /mountdir:c:\mount

Note: If the image Win81.wim is not yet captured, or you didn't capture it in Lab B, you can use E:\labfiles\mod02\sources\install.wim instead.

5. View the driver packages in the mounted Windows 8.1 image by running the following command:

dir /OD c:\mount\Windows\System32\DriverStore\FileRepository

6. Add a driver to the image by running the following command:

dism /image:c:\mount /Add-Driver /driver:E:\Labfiles\mod02\drivers\dc3dh.inf

7. Verify that the driver has been added to the offline image by running the following command:

dir /OD c:\mount\Windows\System32\DriverStore\FileRepository

8. List the Windows 8.1 features and their state in the mounted image by running the following command:

dism /Image:c:\mount /Get-Features /format:Table

9. Enable the Telnet Client Windows feature by running the following command:

dism /Image:c:\mount /Enable-Feature /FeatureName:TelnetClient

10. Unmount the Windows 8.1 image, and then commit the changes by running the following command:

Dism.exe /unmount-wim /mountdir:c:\mount /commit

Wait until the image is saved and unmounted.
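The same offline servicing (mount, add driver, enable feature, commit) can be driven from the DISM PowerShell module, which also makes it easy to discard the mount if a step fails instead of leaving a half-serviced image attached to C:\Mount. This is an added example, not the course's own script; Update-OfflineImage is a hypothetical helper whose defaults are the lab's paths, driver INF and feature name.

```powershell
# Added example, not the course's own script: the offline-servicing steps of Task 1
# using the DISM PowerShell module (the dism.exe equivalents are in comments), with
# the mount discarded if any step fails so the image is not left half-serviced.
Import-Module Dism

function Update-OfflineImage {
    # Hypothetical helper; parameter defaults are the lab's values.
    param(
        [string]$ImagePath = 'E:\Labfiles\Mod02\share\win81.wim',
        [int]   $Index     = 1,
        [string]$MountDir  = 'C:\Mount',
        [string]$DriverInf = 'E:\Labfiles\Mod02\drivers\dc3dh.inf',
        [string]$Feature   = 'TelnetClient'
    )
    if (-not (Test-Path -Path $MountDir)) {
        New-Item -ItemType Directory -Path $MountDir | Out-Null
    }
    # Step 2 of the task checks that C:\Mount is empty; a non-empty folder usually
    # means a previous mount is still attached (Get-WindowsImage -Mounted shows it).
    if (Get-ChildItem -Path $MountDir -Force | Select-Object -First 1) {
        throw "$MountDir is not empty; dismount or clean up the previous mount first."
    }

    $saved = $false
    try {
        # dism /mount-image /imagefile:... /index:1 /mountdir:c:\mount
        Mount-WindowsImage -ImagePath $ImagePath -Index $Index -Path $MountDir | Out-Null

        # Third-party drivers in the image's driver store, before and after the add
        # (the task does this by listing DriverStore\FileRepository with dir /OD).
        $driversBefore = @(Get-WindowsDriver -Path $MountDir).Count
        # dism /image:c:\mount /Add-Driver /driver:...\dc3dh.inf
        Add-WindowsDriver -Path $MountDir -Driver $DriverInf | Out-Null
        $driversAfter  = @(Get-WindowsDriver -Path $MountDir).Count

        # dism /Image:c:\mount /Enable-Feature /FeatureName:TelnetClient
        $state = (Get-WindowsOptionalFeature -Path $MountDir -FeatureName $Feature).State
        if ($state -ne 'Enabled') {
            Enable-WindowsOptionalFeature -Path $MountDir -FeatureName $Feature | Out-Null
        }
        $featureState = (Get-WindowsOptionalFeature -Path $MountDir -FeatureName $Feature).State

        # dism /unmount-wim /mountdir:c:\mount /commit
        Dismount-WindowsImage -Path $MountDir -Save | Out-Null
        $saved = $true

        [pscustomobject]@{
            Image         = "$ImagePath (index $Index)"
            DriversBefore = $driversBefore
            DriversAfter  = $driversAfter
            FeatureState  = $featureState
        }
    }
    finally {
        # On any failure, the /discard equivalent. If the dismount itself fails, the
        # mount point is stale and Clear-WindowsCorruptMountPoint removes the record.
        if (-not $saved -and (Get-WindowsImage -Mounted | Where-Object { $_.Path -eq $MountDir })) {
            Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
        }
    }
}

Update-OfflineImage | Format-List
```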


Task 2: Use Deployment Image Servicing and Management (DISM) to deploy a Windows image
1. On LON-REF1, at the command prompt, run the following commands to partition and format the disk. Press Enter after each command:

diskpart
select disk 0
clean
create partition primary
format fs=ntfs quick
assign letter c
exit

2. At the command prompt, apply the Windows 8.1 image by running the following command:

Dism.exe /apply-image /imagefile:g:\win81.wim /index:1 /applydir:c:\

3. Verify that the Windows 8.1 image has been applied to drive C by running the following command:

dir c:\

Results: After completing this exercise, you should have updated a Windows 8.1 installation image.

Prepare for the next module


When you are finished with the lab, revert all virtual machines back to their initial state:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20687C-LON-CL1, and then click Revert.

3. In the Revert Virtual Machines dialog box, click Revert.

4. Repeat steps 2 to 3 for 20687C-LON-DC1 and 20687C-LON-REF1.

Module 3: Managing Profiles and User State in Windows 8.1


Lab A: Configuring Profiles and User State Virtualization


Exercise 1: Configuring Roaming User Profiles and Folder Redirection
Task 1: Create folders for roaming user profiles and Folder Redirection
1. On LON-DC1, on the taskbar, click File Explorer.

2. In the navigation pane, click Local Disk (C:).

3. In File Explorer, in the details pane, right-click an empty space, point to New, and then click Folder. Type Profiles as the folder name, and then press Enter.

4. Right-click the Profiles folder, and then click Properties.

5. In the Profiles Properties dialog box, on the Security tab, click Edit, and then click Add. In the Enter the object names to select box, type Domain, and then click OK.

6. Click Domain Users, and then click OK.

7. In the Permissions for Domain Users section, click Full control in the Allow column, and then click OK.

8. On the Sharing tab, click Advanced Sharing, select the Share this folder check box, and then click Permissions.

9. In the Permissions for Everyone section, click Full Control in the Allow column, and then click OK twice.

10. In the Profiles Properties dialog box, click Close.

11. In File Explorer, in the details pane, right-click an empty space, point to New, and then click Folder. Type Redirected as the folder name, and then press Enter.

12. Right-click the Redirected folder, and then click Properties.

13. In the Redirected Properties dialog box, on the Security tab, click Edit, click Add, and in the Enter the object names to select box, type Domain, and then click OK.

14. Click Domain Users, and then click OK.

15. In the Permissions for Domain Users section, click Full control in the Allow column, and then click OK.

16. On the Sharing tab, click Advanced Sharing, select the Share this folder check box, and then click Permissions.

17. In the Permissions for Everyone section, click Full Control in the Allow column, and then click OK twice.

18. In the Redirected Properties dialog box, click Close.

19. Close File Explorer.

Task 2: Configure roaming user profiles


1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Users and Computers.

2. In Active Directory Users and Computers, in the navigation pane, expand Adatum.com, and then click the Marketing organizational unit (OU). In the details pane, right-click Adam Barr, and then click Properties.

3. On the Profile tab, in the Profile path box, type \\LON-DC1\Profiles\%username%, and then click OK.

4. Minimize Active Directory Users and Computers.

Task 3: Configure Folder Redirection


1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.

2. In the Group Policy Management Console (GPMC), in the navigation pane, expand Forest: Adatum.com, expand Domains, and then expand Adatum.com.

3. In the navigation pane, right-click the Marketing OU, and then click Create a GPO in this domain, and Link it here.

4. In the Name field, type Folder Redirection, and then click OK.

5. In the GPMC, in the navigation pane, expand the Marketing OU, right-click Folder Redirection, and then click Edit. The Group Policy Management Editor opens.

6. In the Group Policy Management Editor, under User Configuration in the navigation pane, expand Policies, Windows Settings, and Folder Redirection.

7. Right-click Documents, and then click Properties.

8. In the Documents Properties dialog box, in the Setting drop-down box, click the Basic - Redirect everyone's folder to the same location option.

9. In the Target folder location section, in the Root Path box, type \\LON-DC1\Redirected, and then click OK.

10. In the Warning dialog box, click Yes.

11. Close the Group Policy Management Editor and minimize the GPMC.

Task 4: Verify roaming user profiles and Folder Redirection


1. On LON-DC1, in File Explorer, verify that the Profiles and Redirected folders are empty.

2. Sign in to LON-CL1 as adatum\adam with password Pa$$w0rd.

3. On the Start screen, click the Desktop tile. Right-click anywhere on the desktop, point to New, and then click Folder. Type Presentations as the folder name, and then press Enter.

4. On the desktop, right-click anywhere, and then click Personalize. In the Personalization dialog box, click Change desktop icons, and then click Computer in the Desktop icons section. Click OK, and then close the Personalization dialog box.

5. On the desktop, right-click anywhere, point to New, and then click Shortcut. Click Browse, expand This PC, click Local Disk (C:), click OK, click Next, and then click Finish. A shortcut to drive C is added to the desktop.

6. On the toolbar, click the Start icon.

7. On the Start screen, type Notepad, and then press Enter.

8. Type your name in Notepad. On the File menu, click Save As, enter your name in the File Name box, and then click Save.

9. Close Notepad.

10. On the taskbar, click File Explorer, and then double-click Documents in the details pane. In the details pane, right-click the file with your name, and then click Properties. Verify that the location of that file points to the network, to \\LON-DC1\redirected\adam\Documents, and that it is not stored inside Adam Barr's local profile. Click OK.

11. Sign out of LON-CL1.

12. On LON-DC1, in File Explorer, verify that the Profiles and Redirected folders are no longer empty. The Profiles folder contains the Adam Barr roaming user profile (Adam.V2), while the Redirected folder contains Adam Barr's redirected Documents folder.

13. Sign in to LON-CL2 as Adatum\Adam with password Pa$$w0rd.

14. On the Start screen, click the Desktop tile. Verify that the This PC icon is on the desktop, in addition to the Presentations folder and the Local Disk (C:) shortcut.

15. On the toolbar, click the Start icon.

16. On the Start screen, type Notepad, and then press Enter. On the File menu, click Open, click the file with your name, and then click Open. You have verified that you can transparently access files that were created on other computers and saved in a redirected folder.

17. Sign out of LON-CL2.

Task 5: Configure primary computers for user Adam Barr


1. On LON-DC1, maximize Active Directory Users and Computers. On the View menu, click Advanced Features.

2. In the navigation pane of Active Directory Users and Computers, click the Computers container, right-click the LON-CL1 computer account in the details pane, and then click Properties.

3. On the Attribute Editor tab, in the Attributes section, double-click the distinguishedName attribute, press Ctrl+C to copy its value to the clipboard, and then click OK twice.

Note: The distinguishedName attribute should look like the following: CN=LON-CL1,CN=Computers,DC=adatum,DC=com.

4. In the navigation pane, click the Marketing OU, right-click Adam Barr in the details pane, and then click Properties.

5. On the Attribute Editor tab, in the Attributes section, click the msDS-PrimaryComputer attribute, and then click Edit.

6. Right-click in the Value to add box, click Paste, and then click Add.

7. Right-click in the Value to add box, and then click Paste again. Replace LON-CL1 with LON-CL2, and then click Add.

8. In the Multi-valued String Editor dialog box, click OK.

9. In the Adam Barr Properties dialog box, click OK.

10. Minimize Active Directory Users and Computers.

11. Maximize the GPMC, right-click the Default Domain Policy group policy, and then click Edit.

12. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\System\User Profiles. Double-click the Download roaming profiles on primary computers only policy setting, click Enabled, and then click OK.

13. In the Group Policy Management Editor, go to User Configuration\Policies\Administrative Templates\System\Folder Redirection. Double-click the Redirect folders on primary computers only policy setting, click Enabled, and then click OK.

14. Close the Group Policy Management Editor and the GPMC.
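The roaming profile path (Task 2) and the msDS-PrimaryComputer values (Task 5, and the change to LON-SVR1 in Task 6) can also be set with the ActiveDirectory module on LON-DC1. This added example, not from the course, resolves each computer account's distinguishedName instead of pasting it, so a mistyped name fails loudly rather than producing a value that matches no computer, and replaces the whole multi-valued attribute so a later change is one call. Set-AdatumPrimaryComputers is a hypothetical name; the share, account and computer names are the lab's.

```powershell
# Added example, not the course's own code: the settings configured by hand in
# Tasks 2, 5 and 6 (profile path and msDS-PrimaryComputer), set with the
# ActiveDirectory module on LON-DC1.
Import-Module ActiveDirectory

function Set-AdatumPrimaryComputers {
    # Hypothetical helper: sets the roaming profile path and the full list of
    # primary computers for one user, then returns the resulting values.
    param(
        [Parameter(Mandatory)][string]  $SamAccountName,   # e.g. Adam
        [Parameter(Mandatory)][string[]]$ComputerName,     # e.g. LON-CL1, LON-CL2
        [string]$ProfileShare = '\\LON-DC1\Profiles'
    )
    # Resolve each computer account to its distinguishedName (the value the lab
    # copies from the Attribute Editor). -ErrorAction Stop aborts on a bad name.
    $dns = foreach ($name in $ComputerName) {
        (Get-ADComputer -Identity $name -ErrorAction Stop).DistinguishedName
    }

    # Task 2: ADUC expands %username% when you click OK; here the account name is
    # substituted directly so the stored value is the same.
    Set-ADUser -Identity $SamAccountName -ProfilePath "$ProfileShare\$SamAccountName"

    # Tasks 5/6: -Replace overwrites the multi-valued attribute, so computers
    # removed from the list (LON-CL2 in Task 6) drop out and new ones (LON-SVR1)
    # are added in a single operation.
    Set-ADUser -Identity $SamAccountName -Replace @{ 'msDS-PrimaryComputer' = $dns }

    Get-ADUser -Identity $SamAccountName -Properties ProfilePath, 'msDS-PrimaryComputer' |
        Select-Object SamAccountName, ProfilePath,
            @{ n = 'PrimaryComputers'; e = { $_.'msDS-PrimaryComputer' -join '; ' } }
}

# Task 5 state: LON-CL1 and LON-CL2 are Adam Barr's primary computers.
Set-AdatumPrimaryComputers -SamAccountName Adam -ComputerName LON-CL1, LON-CL2

# Task 6 state: LON-CL2 is removed and LON-SVR1 added.
Set-AdatumPrimaryComputers -SamAccountName Adam -ComputerName LON-CL1, LON-SVR1
```

The Group Policy settings from steps 12 and 13 still have to be enabled for the attribute to take effect; the cmdlets only write the directory values.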


Task 6: Verify Primary Computer setting for user Adam Barr


1. Switch to LON-SVR1, and on the taskbar, click Windows PowerShell. Type gpupdate /force, and then press Enter. Sign out of LON-SVR1.

2. Sign in to LON-SVR1 as Adatum\Adam with password Pa$$w0rd.

3. Verify that the This PC icon, the Presentations folder, and the Local Disk (C:) shortcut are not on the desktop. This is because LON-SVR1 is not set as one of Adam Barr's primary computers, so his roaming user profile is not available on LON-SVR1.

4. On the taskbar, click the Start icon.

5. On the Start screen, type Notepad, and then press Enter. On the File menu, click Open. Verify that Documents is selected in the navigation pane but the file with your name is not available. This is because LON-SVR1 is not set as one of Adam Barr's primary computers, so his redirected folders are not available on LON-SVR1. Click Cancel, and then sign out of LON-SVR1.

6. On LON-DC1, maximize Active Directory Users and Computers. Click the Marketing OU in the navigation pane.

7. Right-click Adam Barr in the details pane, and then click Properties.

8. On the Attribute Editor tab, in the Attributes section, click the msDS-PrimaryComputer attribute, and then click Edit.

9. In the Multi-valued String Editor dialog box, click the value that starts with CN=LON-CL2, and then click Remove.

10. In the Value to add box, replace LON-CL2 with LON-SVR1, click Add, and then click OK twice.

11. Sign in to LON-SVR1 as Adatum\Adam with password Pa$$w0rd.

12. Verify that the Presentations folder and the Local Disk (C:) shortcut are on the desktop. This is because you configured LON-SVR1 as Adam Barr's primary computer, so the roaming user profile is now effective.

13. On the taskbar, click the File Explorer icon. In This PC, in the details pane, double-click Documents. Double-click the file with your name in the details pane. The file opens in Notepad. Because you configured LON-SVR1 as Adam Barr's primary computer, redirected folders are now available.

14. In Notepad, on the File menu, click Exit, and then sign out of LON-SVR1.

Results: After completing this exercise, you should have configured roaming user profiles and Folder Redirection. You also should have configured the user Adam Barr with the Primary Computer setting.


Exercise 2: Implementing and Configuring UE-V


Task 1: Prepare the environment for deploying Microsoft User Experience Virtualization (UE-V)
1. On LON-DC1, on the taskbar, click File Explorer.

2. In the navigation pane, click Local Disk (C:).

3. In File Explorer, in the details pane, right-click an empty space, point to New, and then click Folder. Type UEVdata as the folder name, and then press Enter.

4. Right-click the UEVdata folder, and then click Properties. On the Security tab, click Edit.

5. Click Add, enter Domain in the Enter the object names to select box, and then click OK. Click Domain Users, and then click OK.

6. In the Permissions for Domain Users section, click Full control in the Allow column, and then click OK.

7. On the Sharing tab, click Advanced Sharing. Select the Share this folder check box, and then click Permissions. In the Permissions for Everyone section, click Full Control in the Allow column, and then click OK twice. In the UEVdata Properties dialog box, click Close.

8. In File Explorer, in the details pane, right-click an empty space, point to New, and then click Folder. Type UEVTemplates as the folder name, and then press Enter. Right-click the UEVTemplates folder, and then click Properties. On the Security tab, click Edit.

9. Click Add, enter Domain in the Enter the object names to select box, and then click OK. Click Domain Users, and then click OK.

10. In the Permissions for Domain Users section, click Full control in the Allow column, and then click OK.

11. On the Sharing tab, click Advanced Sharing, select the Share this folder check box, and then click Permissions.

12. In the Permissions for Everyone section, click Full Control in the Allow column, and then click OK twice.

13. In the UEVTemplates Properties dialog box, click Close.

14. Minimize File Explorer.

Task 2: Configure UE-V Group Policy settings


1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.

2. In the GPMC, in the navigation pane, expand Forest: Adatum.com, expand Domains, and then expand Adatum.com.

3. Right-click Default Domain Policy, and then click Edit.

4. In the Group Policy Management Editor, under User Configuration in the navigation pane, expand Policies, Administrative Templates, and Windows Components. Verify that there is no Microsoft User Experience Virtualization node. Close the Group Policy Management Editor.

5. Use File Explorer to copy the file UserExperienceVirtualization.admx from E:\Labfiles\Mod03 to the folder C:\Windows\PolicyDefinitions, and then copy the file UserExperienceVirtualization.adml to the folder C:\Windows\PolicyDefinitions\en-US.

6. In the GPMC, right-click the Adatum.com domain in the navigation pane, and then click Create a GPO in this domain, and Link it here. In the Name field, type UE-V, and then click OK.

7. In the GPMC, in the navigation pane, right-click the UE-V Group Policy, and then click Edit.

8. In the Group Policy Management Editor, under User Configuration in the navigation pane, expand Policies, Administrative Templates, Windows Components, and then click the Microsoft User Experience Virtualization node.

9. In the details pane, right-click Settings storage path, click Edit, click Enabled, in the Settings storage path box, type \\LON-DC1\UEVData\%username%, and then click OK.

10. In the Group Policy Management Editor, under Computer Configuration in the navigation pane, expand Policies, Administrative Templates, Windows Components, and then click the Microsoft User Experience Virtualization node.

11. In the details pane, right-click Settings template catalog path, click Edit, click Enabled, in the Settings template catalog path box, type \\LON-DC1\UEVTemplates, and then click OK.

12. Close the Group Policy Management Editor and the GPMC.

Task 3: Install UE-V agents


1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.

2. On the Start screen, type Explorer, and then click File Explorer.

3. In File Explorer, navigate to the E:\Labfiles\Mod03 folder, and then double-click AgentSetup.exe.

4. On the Welcome to the Microsoft User Experience Virtualization Agent Setup Wizard page, click Next.

5. On the End-User License Agreement page, select the I accept the terms in the License Agreement check box, and then click Next.

6. On the Microsoft Update page, select Do not use Microsoft Update, and then click Next.

7. On the Customer Experience Improvement Program page, select Do not join the program at this time, and then click Next.

8. On the Begin Installation page, click Install.

9. On the Completed the Microsoft User Experience Virtualization Agent Setup Wizard page, click Finish, and then click Restart.

10. Sign in to LON-CL2 as Adatum\Administrator with password Pa$$w0rd.

11. On the Start screen, type PowerShell, and then click Windows PowerShell.

12. In the Windows PowerShell command-line interface, run the following command:

E:\Labfiles\Mod03\AgentSetup.exe SyncMethod=None

13. Repeat steps 4 through 8 on LON-CL2.

Task 4: Configure UE-V to synchronize settings immediately


1. On LON-DC1, in File Explorer, verify that the C:\UEVdata folder is empty.

2. Sign in to LON-CL1 and LON-CL2 as Adatum\Brad with password Pa$$w0rd.

3. On LON-CL1, verify that the UE-V configuration is effective. On the Start screen, type Windows PowerShell, and then press Enter.

4. In Windows PowerShell, run Get-UevConfiguration, and then press Enter. You will see that the values for SettingsStoragePath and SettingsTemplateCatalogPath are configured as you set them in Group Policy. You also will see that the current SyncMethod is set to SyncProvider. You can view the other UE-V Windows PowerShell cmdlets by running the Get-Command -Module UEV cmdlet. Close the Windows PowerShell window.

5. On LON-CL2, on the Start screen, type Calculator. Verify that the desktop app is selected, and then press Enter.

6. On the View menu, click Date calculation. The Calculator is extended with options for date calculation.

7. Close Calculator.

8. On LON-CL1, on the Start screen, type Calculator. Verify that the desktop app is selected, and then press Enter. Verify that the Calculator is not extended with options for date calculation, because the local cache is used and it has not yet been synchronized with the settings storage location. Close Calculator.

9. On LON-CL1, on the Start screen, type Company, and then press Enter. Click Close in the dialog box.

10. In Company Settings Center, click Sync Now. By doing that, you manually trigger synchronization of the local cache, which otherwise happens automatically every 30 minutes.

11. In Company Settings Center, click Close.

12. On LON-CL1, on the Start screen, type Calculator, and then press Enter. Verify that Calculator is now extended with options for date calculation, as you configured it on LON-CL2.

13. On LON-CL1, on the Start screen, type PowerShell, and then press Enter.

14. In Windows PowerShell, disable the use of the local cache by running the following cmdlet:

Set-UevConfiguration -SyncMethod None

15. Sign out of LON-CL1.

Task 5: Use UE-V to synchronize settings


1. On LON-CL2, on the Start screen, type WordPad, and then press Enter.
2. In WordPad, click the View tab, and then verify that the Ruler and Status bar check boxes are selected by default.
3. Clear the Ruler and Status bar check boxes, and then close WordPad.
4. On the desktop, right-click anywhere, point to New, and then select Shortcut. Click Browse, expand This PC, click Local Disk (C:), click OK, click Next, and then click Finish.
Note: A shortcut to Local Disk (C:) is added to the desktop.
5. On the Start screen, type Notepad, and then press Enter. On the Format menu, select Font, select 20 as Size, and then click OK. Type your name in Notepad. On the File menu, click Save As, type your name in the File Name box, and then click Save. Close Notepad.
6. On LON-DC1, in File Explorer, verify that the UEVdata folder now has a brad subfolder.
7. On the View tab, click Hidden items, double-click the brad folder, and then verify that it contains the SettingsPackages subfolder. Double-click the SettingsPackages folder, and then verify that it contains multiple subfolders for the applications and Windows settings that are synchronized by UE-V.
8. On LON-CL2, on the Start screen, type Calculator. Verify that the desktop app is selected, and then press Enter.
Managing Profiles and User State in Windows 8.1

In Calculator, on the View menu, click Programmer, and then click Unit Conversion. Close Calculator.
9. Sign in to LON-CL1 as Adatum\Brad with password Pa$$w0rd.
10. On LON-CL1, on the Start screen, type Calculator. Verify that the desktop app is selected, and then press Enter. The Calculator is in Programmer mode and extended with Unit Conversion, as you configured it on LON-CL2. Close Calculator.
11. On LON-CL1, open WordPad.
12. On the View tab, verify that the Ruler and Status bar check boxes are not selected. This is not the default configuration, but it is exactly as you configured it on LON-CL2. Close WordPad.
13. On LON-CL1, verify that a shortcut to Local Disk (C:) is not present on the desktop. You created it on the desktop on LON-CL2, and it is stored in that user profile. The contents of the desktop are not synchronized by UE-V; instead, you should use Folder Redirection or roaming user profiles to make data roam between computers.
14. On LON-CL1, on the Start screen, open Notepad. On the Format menu, select Font, verify that font size 20 is selected, and then click OK.
15. On the File menu, click Open. In the navigation pane, expand This PC, and then select Documents.
16. Verify that the file with your name is not available in the details pane. You created a file with your name on LON-CL2, and it is stored in that user profile. UE-V synchronizes only settings, not data. You should use Folder Redirection or roaming user profiles to make data roam between computers. Click Cancel, and then close Notepad.

Task 6: Restore app settings


1. On LON-CL1, on the Start screen, open Calculator. Verify that Calculator is in Programmer view and extended with Unit Conversion. Close Calculator.
2. On the Start screen, type and run Windows PowerShell.
3. At the Windows PowerShell command prompt, run Get-UevTemplate *calc* to view which settings location template TemplateId is used for Calculator.
4. Restore the initial Calculator settings by running the following cmdlet:
Restore-UevUserSetting MicrosoftCalculator6
5. On the Start screen, open Calculator, and then verify that it is in the default Standard mode, in which it was before the first UE-V synchronization.
6. Sign out of LON-CL1 and LON-CL2.

Task 7: Create UE-V settings location template


1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. On the Start screen, click the Desktop tile.
3. Open File Explorer, and then double-click ToolsSetup.exe in the E:\Labfiles\Mod03 folder.
4. On the Welcome to the Microsoft User Experience Virtualization Generator Setup Wizard page, click Next.
5. Select the I accept the terms in the License Agreement check box, and then click Next.
6. Select the Do not use Microsoft Update check box, and then click Next.
7. On the Customer Experience Improvement Program page, select Do not join the program at this time, and then click Next.

8. On the Begin Installation page, click Install.
9. On the Completed the Microsoft User Experience Virtualization Generator Setup Wizard page, click Finish, and then click Restart.
10. After LON-CL1 restarts, sign in as Adatum\Administrator with password Pa$$w0rd.
11. On the Start screen, type generator, and then click Microsoft User Experience Virtualization Generator.
12. In Microsoft User Experience Virtualization Generator, click Create a settings location template.
13. Click Browse for the File path, browse to C:\Program files (x86)\Remote Desktop Connection Manager, click RDCMan.exe, and then click Open.
14. On the Specify Application page, click Next.
Note: You will create a settings location template for Remote Desktop Connection Manager.
15. After a few seconds, Remote Desktop Connection Manager will start. In Remote Desktop Connection Manager, on the Tools menu, click Options.
16. In the Options dialog box, select Click to select gives focus to remote client, and then click OK. Close Remote Desktop Connection Manager.
17. In the Discover Locations dialog box, click Next.
18. On the Review Locations page, select the Files tab, click Nonstandard (1), select File path, and then click Next.
19. On the Edit Template page, view the settings location template properties. On this page, you could modify the registry keys and files that are used for storing configuration data. Click Create, and in the File name box, type \\LON-DC1\UEVTemplates\RDCMan.xml, and then click Save.
20. In the Create a Settings Location Template Wizard, click Close, and then close the Microsoft User Experience Virtualization (UE-V) Generator page.

Task 8: Using UE-V to synchronize custom app settings


1. On LON-CL1, on the Start screen, run Windows PowerShell.
2. At the Windows PowerShell command prompt, run the following cmdlet:
Get-UevTemplate *rdc*
Note: The output shows that no settings location template that contains the string rdc is registered.
3. Register the Remote Desktop Connection Manager settings location template by running the following cmdlet:
Register-UevTemplate \\LON-DC1\UEVTemplates\RDCMan.xml
Note: By default, updates to settings location templates are registered once per day; by running the cmdlet, you register the template manually.

4. To verify that the template is registered, run the following cmdlet: Get-UevTemplate *rdc*. You can see that Remote Desktop Connection Manager (with TemplateId Remote-Desktop-RDCMan-v-2-2) is listed.
5. Sign in to LON-CL2 as Adatum\Administrator with password Pa$$w0rd.
6. On the Start screen, click the Desktop tile, and then click File Explorer on the taskbar.
7. In File Explorer, in the C:\Program Files\Microsoft User Experience Virtualization\Agent\x64 folder, double-click the ApplySettingsTemplateCatalog file.
8. On LON-CL1, on the Start screen, type remote, and then run Remote Desktop Connection Manager.
9. In Remote Desktop Connection Manager, on the Tools menu, select Options.
10. In the Options dialog box, select Auto save interval, and then type 3 in the Minute(s) box. Click OK, and then close Remote Desktop Connection Manager.
11. On LON-CL2, on the Start screen, type remote, and then run Remote Desktop Connection Manager.
12. In Remote Desktop Connection Manager, on the Tools menu, select Options, and then verify that Auto save interval is selected and configured to 3 Minute(s). Click OK, and then close Remote Desktop Connection Manager.

Results: After completing this exercise, you should have successfully implemented and configured UE-V for synchronizing apps and Windows settings.
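The cmdlets used in Tasks 4 through 8 (Get-UevConfiguration, Get-UevTemplate and Register-UevTemplate) can be combined into one repeatable check. The script below is an added example and is not part of the course lab files or of the UE-V product. The catalog path \\LON-DC1\UEVTemplates comes from Task 7; the storage path \\LON-DC1\UEVdata is an assumption (the lab only names a UEVdata folder on LON-DC1), and the two function names are my own.

```powershell
# Added example, not from the course: verify the UE-V agent configuration that
# Group Policy is expected to deliver, then register any settings location
# templates the agent does not know yet. Requires the UEV module installed with
# the UE-V agent.
Import-Module UEV

function Test-UevConfiguration {
    param(
        # \\LON-DC1\UEVdata is an assumption; the lab names only the UEVdata folder.
        [string]$ExpectedStoragePath = '\\LON-DC1\UEVdata',
        [string]$ExpectedCatalogPath = '\\LON-DC1\UEVTemplates',
        [string]$ExpectedSyncMethod  = 'SyncProvider'
    )
    $cfg = Get-UevConfiguration
    $problems = @()
    if ($cfg.SettingsStoragePath -ne $ExpectedStoragePath) {
        $problems += "SettingsStoragePath is '$($cfg.SettingsStoragePath)', expected '$ExpectedStoragePath'"
    }
    if ($cfg.SettingsTemplateCatalogPath -ne $ExpectedCatalogPath) {
        $problems += "SettingsTemplateCatalogPath is '$($cfg.SettingsTemplateCatalogPath)', expected '$ExpectedCatalogPath'"
    }
    if ($cfg.SyncMethod -ne $ExpectedSyncMethod) {
        $problems += "SyncMethod is '$($cfg.SyncMethod)', expected '$ExpectedSyncMethod'"
    }
    # A local (non-UNC) storage path means settings packages never leave this computer.
    if ($cfg.SettingsStoragePath -notmatch '^\\\\') {
        $problems += 'SettingsStoragePath is not a UNC path; settings will not roam'
    }
    return $problems    # empty when everything matches
}

function Register-UevTemplateIfMissing {
    param([Parameter(Mandatory)][string[]]$TemplatePath)
    $registered = @(Get-UevTemplate | ForEach-Object { $_.TemplateId })
    foreach ($path in $TemplatePath) {
        # Read the ID from the template XML instead of guessing it from the file name.
        [xml]$template = Get-Content -LiteralPath $path -Raw
        $id = $template.SettingsLocationTemplate.ID
        if ($registered -contains $id) {
            [pscustomobject]@{ TemplateId = $id; Action = 'already registered' }
            continue
        }
        Register-UevTemplate $path
        [pscustomobject]@{ TemplateId = $id; Action = 'registered' }
    }
}

# Usage, as run on LON-CL1 in Task 8:
Test-UevConfiguration
Register-UevTemplateIfMissing -TemplatePath '\\LON-DC1\UEVTemplates\RDCMan.xml'
Get-UevTemplate *rdc*
```

Test-UevConfiguration returns a list of mismatches rather than writing to the console, so it can drive a logon script or a monitoring check; an empty result means the agent is configured as the GPO intends. Register-UevTemplateIfMissing is idempotent, which matters because the catalog job in Task 8 registers templates only once per day.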

Prepare for the next lab


When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687C-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 through 3 for 20687C-LON-CL1, 20687C-LON-CL2, and 20687C-LON-SVR1.

Lab B: Migrating User State by Using USMT


Exercise 1: Creating and Customizing USMT XML Files
Scenario

Supporting Documentation

Email from Max Stevens:

From: Max Stevens [Max@adatum.com]
Sent: 10 January 2014 08:01
To: Ed Meadows [Ed@adatum.com]
Subject: User State Migration for the new Windows 8.1 computers in the Research department

Hi Ed,

We have 10 new Windows 8.1 computers that are being deployed within the Research department. We need to ensure that no user data stored on the old computers is lost in the migration, and that all user data is migrated to the new computers. What I want you to do is use USMT to help with the user state migration. Here are some additional things to consider:

The old computers have Windows 7 installed.

All computers have Microsoft Office 2010 installed.

The contents of the Shared Video, Shared Music, and Shared Pictures folders should not be migrated from Windows 7 to the new Windows 8.1 computers.

We have a custom folder named ResearchApps that has to be migrated from all the old computers to the new Windows 8.1 computers.

All domain profiles that are on each existing computer should be migrated to the new systems.

You can use \\LON-DC1\Data as a location to store the data store during the migration.

The data store should be compressed to minimize space.

Because there is no confidential information on these specific computers, we do not need the migration store to be encrypted.

Thanks, Max

Your user state migration information states that several operating system features should not be migrated. You also have to migrate an additional folder from the old computers to the new Windows 8.1 computers. Your first task is to create the custom XML files that address these requirements.

Task 1: Read the supporting documentation


Read the supporting documentation provided in the exercise scenario.

Task 2: Create a Config.xml file


1. Sign in to LON-CL3 as Adatum\Don with password Pa$$w0rd.
2. Verify that Don has a black desktop and that the Computer and Don Funk folders are shown on the desktop.
3. On the desktop, right-click anywhere, select New, select Text Document, and then type your name.
4. Sign out of LON-CL3, and then sign back in to LON-CL3 as Adatum\Administrator with password Pa$$w0rd.
5. Click Start, type cmd, and then press Enter.
6. At the command prompt, type the following command, and then press Enter.
Net Use F: \\LON-DC1\USMT

7. At the command prompt, type F:, and then press Enter.
8. At the command prompt, type the following, and then press Enter.
scanstate /i:migapp.xml /i:miguser.xml /genconfig:config.xml
Note: The creation of the Config.xml file will begin. Wait until the command finishes.
9. At the command prompt, type notepad config.xml, and then press Enter.

10. To exclude Shared Video, under the Documents node, modify the line to match the following code:
component displayname="Shared Video" migrate="no"

11. Under the Documents node, modify the line to match the following code:
component displayname="Shared Music" migrate="no"

12. Under the Documents node, modify the line to match the following code:
component displayname="Shared Pictures" migrate="no"

13. Save your changes, and then close Notepad.

Task 3: Modify a custom migration XML file


1. At a command prompt, type notepad folders.xml, and then press Enter.
2. Maximize the Notepad window. This is a custom XML file that is used to migrate a specific folder called ResearchApps to the new workstation.
3. Change the variable <Foldername> to ResearchApps. The entire line should read as follows:
<pattern type="File">C:\ResearchApps\* [*]</pattern>
4. Save your changes, and then close Notepad.
5. On the taskbar, click the Windows Explorer icon.
6. In Windows Explorer, in the details pane, expand Computer, and then click Local Disk (C:). In the details pane, double-click ResearchApps, and then verify that there are several files in the folder.

7. In Windows Explorer, right-click in the details pane, select New, select Text Document, and then type your name.
8. Close Windows Explorer.

Results: After completing this exercise, you should have created and customized XML files to use with the User State Migration Tool (USMT).

Exercise 2: Capturing and Restoring User State to a Target Computer


Task 1: Capture user state on the source computer
1. On LON-CL3, switch to the command prompt.
2. Verify that there is no content on the \\LON-DC1\Data share by running the following command:
Dir \\lon-dc1\data
3. Capture the state of LON-CL3 by running the following command:
F:\Scanstate \\LON-DC1\Data /i:migapp.xml /i:miguser.xml /i:folders.xml /config:config.xml /o /efs:copyraw
4. Wait until the ScanState process completes, and then verify that the state is captured on the network share by running the following command:
Dir \\lon-dc1\data /s

Task 2: Restore user state on the destination computer


1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. From the Start screen, type cmd, and then press Enter.
3. Click the File Explorer icon on the taskbar. Go to C:\Users, and then verify that there is no subfolder named Ed or Don.
4. In File Explorer, click Local disk (C:), and then verify that there is no ResearchApps folder on drive C.
5. At the command prompt, run the following command:
Net Use F: \\LON-DC1\USMT
6. At the command prompt, type F:, and then press Enter.
7. At the command prompt, type the following, and then press Enter.
Loadstate \\LON-DC1\Data /i:migapp.xml /i:miguser.xml /i:folders.xml
8. When the LoadState task completes, in File Explorer, in the C:\Users folder, verify that there are subfolders named Ed and Don.
9. Sign out of LON-CL1.

Task 3: Verify the user state migration


1. Sign in to LON-CL1 as Adatum\Don with password Pa$$w0rd.
2. From the Start screen, click the Desktop tile.
3. Notice the Computer and Don Funk folders on the desktop, in addition to a text document with your name.
4. On the taskbar, click the File Explorer icon.

5. In File Explorer, in the details pane, double-click Local Disk (C:). In the details pane, double-click ResearchApps, and then verify that all the files from LON-CL3 have migrated, including the file with your name.

Results: After completing this exercise, you should have captured and restored user states by using USMT.
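Exercise 1 edits Config.xml and folders.xml by hand, and Exercise 2 runs ScanState and LoadState from the F: mapping. The Windows PowerShell script below is an added example, not part of the course or of USMT. It assumes USMT is mapped at F:\ and the store is \\LON-DC1\Data, as in the lab; the helper names (Set-UsmtComponentMigration, New-UsmtFolderXml, Invoke-UsmtTool) are my own.

```powershell
# Added example, not from the course: script the USMT customisation of Exercise 1
# and the ScanState/LoadState runs of Exercise 2. Assumes USMT is mapped at F:\
# and the migration store is \\LON-DC1\Data, as in the lab.

function Set-UsmtComponentMigration {
    # Flip migrate="yes"/"no" on named components of a Config.xml produced by /genconfig.
    param(
        [Parameter(Mandatory)][string]$ConfigPath,
        [Parameter(Mandatory)][string[]]$DisplayName,
        [ValidateSet('yes', 'no')][string]$Migrate = 'no'
    )
    $fullPath = (Resolve-Path -LiteralPath $ConfigPath).ProviderPath
    [xml]$config = Get-Content -LiteralPath $fullPath -Raw
    foreach ($name in $DisplayName) {
        $nodes = $config.SelectNodes("//component[@displayname='$name']")
        if ($nodes.Count -eq 0) { Write-Warning "No component named '$name' in $fullPath"; continue }
        foreach ($node in $nodes) { $node.SetAttribute('migrate', $Migrate) }
    }
    $config.Save($fullPath)    # XmlDocument.Save needs an absolute path
}

function New-UsmtFolderXml {
    # Write a custom MigXML file that includes one folder tree, like folders.xml in Task 3.
    param(
        [Parameter(Mandatory)][string]$OutputPath,
        [Parameter(Mandatory)][string]$FolderPath,    # e.g. C:\ResearchApps
        [string]$ComponentName = 'Custom folder'
    )
    # "<folder>\* [*]" matches every file in the folder and in all of its subfolders.
    $xml = @"
<?xml version="1.0" encoding="UTF-8"?>
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/customfolders">
  <component type="Documents" context="System">
    <displayName>$ComponentName</displayName>
    <role role="Data">
      <rules>
        <include>
          <objectSet>
            <pattern type="File">$FolderPath\* [*]</pattern>
          </objectSet>
        </include>
      </rules>
    </role>
  </component>
</migration>
"@
    Set-Content -LiteralPath $OutputPath -Value $xml -Encoding UTF8
}

function Invoke-UsmtTool {
    # Shared runner for scanstate.exe and load­state.exe; returns the exit code
    # (0 = success, anything else is in the USMT return code table).
    param(
        [Parameter(Mandatory)][ValidateSet('scanstate', 'loadstate')][string]$Tool,
        [Parameter(Mandatory)][string]$StorePath,
        [string[]]$MigrationXml = @('migapp.xml', 'miguser.xml', 'folders.xml'),
        [string[]]$ExtraArgs = @(),
        [string]$UsmtPath = 'F:\'
    )
    $argList = @("`"$StorePath`"") + ($MigrationXml | ForEach-Object { "/i:$_" }) + $ExtraArgs
    $argList += "/l:$Tool.log", '/v:5'    # log file and verbosity, the first things to read when a run fails
    $proc = Start-Process -FilePath (Join-Path $UsmtPath "$Tool.exe") -ArgumentList $argList `
        -WorkingDirectory $UsmtPath -Wait -PassThru -NoNewWindow
    return $proc.ExitCode
}

# Usage. Exercise 1, on LON-CL3 with the F: mapping in place:
# Set-UsmtComponentMigration -ConfigPath F:\config.xml -DisplayName 'Shared Video', 'Shared Music', 'Shared Pictures'
# New-UsmtFolderXml -OutputPath F:\folders.xml -FolderPath 'C:\ResearchApps' -ComponentName 'ResearchApps'
# Exercise 2, Task 1 on the source computer (same switches as the lab command):
# Invoke-UsmtTool -Tool scanstate -StorePath '\\LON-DC1\Data' -ExtraArgs '/config:config.xml', '/o', '/efs:copyraw'
# Exercise 2, Task 2 on the destination computer:
# Invoke-UsmtTool -Tool loadstate -StorePath '\\LON-DC1\Data'
```

Two points the lab steps leave implicit: /efs:copyraw copies EFS-encrypted files as they are, so they stay unreadable on the destination until the user's EFS certificate is available there; and the store on \\LON-DC1\Data holds complete user profiles, so even where the scenario says encryption is not needed, the share and NTFS permissions should admit only the account running ScanState and LoadState. Where a store does need protecting, ScanState takes '/encrypt', '/keyfile:<path>' and LoadState '/decrypt', '/keyfile:<path>' as extra arguments.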

Prepare for the next module


When you are finished with the lab, revert all virtual machines back to their initial state:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687C-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat the steps for 20687C-LON-CL1 and 20687C-LON-CL3.

Module 4: Tools Used for Configuring and Managing Windows 8.1

Lab: Using Management Tools to Configure Windows 8.1 Settings


Exercise 1: Planning Management of Windows 8.1 Computers
Task 1: Plan the management of Windows 8.1 computers
1. What tool will you use to apply the configuration changes to domain-joined computers?
Answer: You can use Group Policy to apply all of the necessary configuration settings to domain-joined computers.
2. Are there any organizational unit (OU) structure requirements to meet the management needs on the internal network?
Answer: Yes, the computers on the machine floor need to be managed separately from other client computers. Also, the servers and domain controllers need to be managed separately from the client computers. The simplest way to do this is to place the different types of computers in different OUs and then link only appropriate Group Policy Objects (GPOs) to the OUs.
3. Could you use security filtering as an alternative to a new OU structure?
Answer: Yes, you could use security filtering as an alternative to creating separate OUs. You would need to create security groups that contain the appropriate computer accounts and then specify Read and Apply permissions to specific GPOs. In general, it is easier to implement OUs in this scenario.

Results: After completing this exercise, you will have planned the management of Windows 8.1 computers.

Exercise 2: Managing Windows 8.1 by Using Group Policy


Task 1: Create an OU structure for managing computers
1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Administrative Center.
2. In the Active Directory Administrative Center, in the navigation pane, click Adatum (local).
3. In the Tasks pane, under Adatum (local), click New, and then click Organizational Unit.
4. In the Create Organizational Unit window, in the Name box, type MachineFloor, and then click OK.
5. In the Tasks pane, under Adatum (local), click New, and then click Organizational Unit.
6. In the Create Organizational Unit window, in the Name box, type CorpComputers, and then click OK.
7. Double-click Computers, right-click LON-CL1, and then click Move.
8. In the Move window, click CorpComputers, and then click OK.
9. Right-click LON-CL2, and then click Move.
10. In the Move window, click MachineFloor, and then click OK.
11. Close Active Directory Administrative Center.
12. Restart LON-CL1 and LON-CL2, and then log on to both as Adatum\Administrator with password Pa$$w0rd.

Task 2: Configure Group Policy for computers on the machine floor


1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.
2. In the Group Policy Management console, expand Forest: Adatum.com, expand Domains, expand Adatum.com, and then click MachineFloor. Notice that no GPOs are linked.
3. Right-click MachineFloor, and then click Block Inheritance.
4. Right-click MachineFloor, and then click Create a GPO in this domain, and Link it here.
5. In the New GPO window, in the Name box, type MachineFloor, and then click OK.
6. On the Linked Group Policy Objects tab, right-click MachineFloor, and then click Edit.
7. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Administrative Templates, expand Windows Components, and then click Windows Update.
8. Double-click Configure Automatic Updates.
9. In the Configure Automatic Updates window, click Disabled, and then click OK.
10. Close the Group Policy Management Editor window.

Task 3: Verify the application of Windows Update settings to LON-CL2


1. On LON-CL2, on the Start screen, type power, and then click Windows PowerShell.
2. At a command prompt in the Windows PowerShell command-line interface, type gpupdate, and then press Enter.
3. Type gpresult /h C:\results.htm, and then press Enter.
4. Type C:\results.htm, and then press Enter.

5. In Internet Explorer, read the Summary, and verify that Inheritance is blocking all non-enforced GPOs linked above Adatum.com/MachineFloor.
6. In Computer Details\Settings, verify that Configure Automatic Updates is Disabled.
7. Close all open windows.

Task 4: Configure Group Policy for other client computers


1. On LON-DC1, in Group Policy Management, in the navigation pane, click CorpComputers.
2. Right-click CorpComputers, and then click Create a GPO in this domain, and Link it here.
3. In the New GPO window, in the Name box, type CorpComputers, and then click OK.
4. On the Linked Group Policy Objects tab, right-click CorpComputers, and then click Edit.
5. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Administrative Templates, expand Windows Components, and then click Windows Update.
6. Double-click Configure Automatic Updates.
7. In the Configure Automatic Updates window, click Enabled, and then click OK.
8. Under Computer Configuration, expand Windows Settings, expand Security Settings, expand Windows Firewall with Advanced Security, expand Windows Firewall with Advanced Security, and then click Inbound Rules.
9. Right-click Inbound Rules, and then click New Rule.
10. In the New Inbound Rule Wizard, on the Rule Type tab, click Predefined.
11. In the Predefined box, select COM+ Remote Administration, and then click Next.
12. On the Predefined Rules tab, click Next.
13. On the Action tab, click Allow the connection, and then click Finish.
14. Right-click Inbound Rules, and then click New Rule.
15. In the New Inbound Rule Wizard, on the Rule Type tab, click Predefined.
16. In the Predefined box, select Remote Event Log Management, and then click Next.
17. On the Predefined Rules tab, click Next.
18. On the Action tab, click Allow the connection, and then click Finish.
19. Close the Group Policy Management Editor window.
20. Close Group Policy Management.
21. On LON-CL1, on the Start screen, type Power, and then click Windows PowerShell.
22. At the Windows PowerShell command prompt, type gpupdate, and then press Enter.
23. Close the Windows PowerShell Command Prompt window.

Task 5: Verify that remote administration is functional


1. On LON-DC1, in Server Manager, click Tools, and then click Computer Management.
2. In Computer Management, right-click Computer Management (Local), and then click Connect to another computer.
3. In the Select Computer window, in the Another computer box, type LON-CL1, and then click OK.
4. Expand System Tools, and then click Event Viewer.
5. Right-click Computer Management (LON-CL1), and then click Connect to another computer.
6. In the Select Computer window, in the Another computer box, type LON-CL2, and then click OK. This connection fails because remote management has not been configured for the computers in the MachineFloor OU.
7. In the error window, read the message, and then click OK.
8. Close Computer Management.

Results: After completing this exercise, you should have implemented an OU structure and GPO structure to support remote management of computers.
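The OU and GPO work of Tasks 1, 2 and 4 can be scripted with the ActiveDirectory and GroupPolicy modules. The script below is an added example, not part of the course; it runs on LON-DC1 as a domain administrator, the function names are my own, and it covers the OU moves, the GPO links, the blocked inheritance and the Configure Automatic Updates setting. The predefined firewall rules from Task 4 are not covered and remain a Group Policy Management Editor step.

```powershell
# Added example, not from the course: create the OU structure and the Windows Update
# GPOs of Exercise 2 with the ActiveDirectory and GroupPolicy modules. Run on LON-DC1
# (or any computer with RSAT) as a domain administrator.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName    # DC=Adatum,DC=com in the lab

function New-ManagedOu {
    # Create a top-level OU if it does not exist and move the named computers into it.
    param(
        [Parameter(Mandatory)][string]$Name,
        [string[]]$ComputerName = @()
    )
    $ouDn = "OU=$Name,$domainDn"
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$Name'" -SearchBase $domainDn -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $Name -Path $domainDn
    }
    foreach ($c in $ComputerName) {
        $computer = Get-ADComputer -Identity $c
        if ($computer.DistinguishedName -notlike "*,$ouDn") {
            Move-ADObject -Identity $computer.DistinguishedName -TargetPath $ouDn
        }
    }
    return $ouDn
}

function Set-AutomaticUpdatesGpo {
    # Create (or reuse) a GPO, link it to the OU and set "Configure Automatic Updates".
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$TargetOuDn,
        [Parameter(Mandatory)][ValidateSet('Enabled', 'Disabled')][string]$State,
        [int]$AUOptions = 3,            # 3 = auto download and notify for install
        [switch]$BlockInheritance
    )
    $gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
    $inheritance = Get-GPInheritance -Target $TargetOuDn
    if ($inheritance.GpoLinks.DisplayName -notcontains $GpoName) {
        New-GPLink -Name $GpoName -Target $TargetOuDn -LinkEnabled Yes | Out-Null
    }
    if ($BlockInheritance) { Set-GPInheritance -Target $TargetOuDn -IsBlocked Yes | Out-Null }
    # The setting is registry-backed; NoAutoUpdate=1 is what "Disabled" writes.
    $key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    if ($State -eq 'Disabled') {
        Set-GPRegistryValue -Name $GpoName -Key $key -ValueName NoAutoUpdate -Type DWord -Value 1 | Out-Null
    } else {
        Set-GPRegistryValue -Name $GpoName -Key $key -ValueName NoAutoUpdate -Type DWord -Value 0 | Out-Null
        Set-GPRegistryValue -Name $GpoName -Key $key -ValueName AUOptions -Type DWord -Value $AUOptions | Out-Null
    }
    # Returns the links on the OU and whether inheritance is blocked, for a quick check.
    return Get-GPInheritance -Target $TargetOuDn
}

# Usage, mirroring Tasks 1, 2 and 4:
$machineFloor  = New-ManagedOu -Name 'MachineFloor'  -ComputerName 'LON-CL2'
$corpComputers = New-ManagedOu -Name 'CorpComputers' -ComputerName 'LON-CL1'
Set-AutomaticUpdatesGpo -GpoName 'MachineFloor'  -TargetOuDn $machineFloor  -State Disabled -BlockInheritance
Set-AutomaticUpdatesGpo -GpoName 'CorpComputers' -TargetOuDn $corpComputers -State Enabled
# On each client, run gpupdate and then Get-GPResultantSetOfPolicy for the same
# report that Task 3 produces with gpresult /h.
```

One consequence of Block Inheritance is worth checking after this runs: a GPO linked at the domain, such as the Enable PS Remoting GPO of Exercise 3, reaches a blocked OU only if its link is enforced (Set-GPLink -Enforced Yes), which is also why the LON-CL2 connection in Task 5 fails while LON-CL1 works.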

Exercise 3: Implementing Windows PowerShell Remoting


Task 1: Configure Windows PowerShell remoting manually
1. On LON-DC1, on the taskbar, click Windows PowerShell.
2. At the Windows PowerShell command prompt, type Enable-PSRemoting, and then press Enter.
3. When prompted to configure Windows Remote Management (WinRM), type A, and then press Enter.
4. When prompted to configure the PSSession, type A, and then press Enter.
5. On LON-CL1, on the Start screen, type Power, and then click Windows PowerShell.
6. At the Windows PowerShell command prompt, type Get-ADUser, and then press Enter. This command is not recognized because the cmdlets for AD DS administration are not installed on LON-CL1.
7. Type Enter-PSSession -ComputerName LON-DC1, and then press Enter.
8. Type Get-ADUser, and then press Enter.
9. When prompted for a filter, type *, and then press Enter.
10. Type exit, and then press Enter.
11. Close the Windows PowerShell Command Prompt window.

Task 2: Configure Windows PowerShell remoting by using Group Policy


1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.
2. In Group Policy Management, expand Forest: Adatum.com, expand Domains, and then click Adatum.com.
3. Right-click Adatum.com, and then click Create a GPO in this domain, and Link it here.
4. In the New GPO window, in the Name box, type Enable PS Remoting, and then click OK.
5. Click the Linked Group Policy Objects tab, right-click Enable PS Remoting, and then click Edit.
6. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Administrative Templates, expand Windows Components, expand Windows Remote Management (WinRM), and then click WinRM Service.
7. Double-click Allow remote server management through WinRM.
8. In the Allow remote server management through WinRM window, click Enabled.
9. In the IPv4 filter box, type *.
10. In the IPv6 filter box, type *, and then click OK.
11. In the Group Policy Management Editor window, under Policies, expand Windows Settings, expand Security Settings, and then click System Services.
12. In the details pane, scroll down and double-click Windows Remote Management (WS-Management).
13. In the Windows Remote Management (WS-Management) Properties window, select the Define this policy setting check box, click Automatic, and then click OK.
14. In the Group Policy Management Editor window, under Security Settings, expand Windows Firewall with Advanced Security, expand Windows Firewall with Advanced Security, and then click Inbound Rules.

15. Right-click Inbound Rules, and then click New Rule.
16. In the New Inbound Rule Wizard, on the Rule Type tab, click Predefined.
17. In the Predefined box, select Windows Remote Management, and then click Next.
18. On the Predefined Rules tab, click Next.
19. On the Action tab, click Allow the connection, and then click Finish.
20. Close the Group Policy Management Editor window.

Task 3: Verify the configuration of Windows PowerShell remoting


1. On LON-CL1, on the Start screen, type Power, and then click Windows PowerShell.
2. At the Windows PowerShell command prompt, type gpupdate, and then press Enter.
3. Type Get-Service Winrm, and then press Enter to verify that the WinRM service is now running.
4. On LON-DC1, on the taskbar, click Windows PowerShell.
5. At the Windows PowerShell command prompt, type Get-Service Winrm -ComputerName LON-CL1, and then press Enter.
6. Type Invoke-Command -ComputerName LON-CL1 {Get-ExecutionPolicy}, and then press Enter.
7. Type Invoke-Command -ComputerName LON-CL1 {Set-ExecutionPolicy AllSigned}, and then press Enter.
8. Close the Windows PowerShell Command Prompt window.

Results: After completing this exercise, you will have implemented Windows PowerShell remoting in the Adatum.com domain.
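Task 3 checks one computer by hand. The script below is an added example, not part of the course, that does the same checks for a list of computers without stopping at the first unreachable host; it assumes Kerberos authentication inside the Adatum.com domain (so no TrustedHosts entry is involved), and the two function names are my own.

```powershell
# Added example, not from the course: check WinRM and the effective execution policy
# on several domain computers at once (Task 3 does this for LON-CL1 by hand).
# Assumes Kerberos in the Adatum.com domain, so no TrustedHosts entry is needed.

function Get-RemotingStatus {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        $status = [ordered]@{ ComputerName = $c; WinRM = 'unreachable'; ExecutionPolicy = $null; Error = $null }
        try {
            # Test-WSMan talks to the WinRM listener without creating a session.
            Test-WSMan -ComputerName $c -ErrorAction Stop | Out-Null
            $status.WinRM = 'listening'
            $status.ExecutionPolicy = Invoke-Command -ComputerName $c -ErrorAction Stop -ScriptBlock {
                # Without -Scope this returns the effective policy, a GPO-defined one included.
                Get-ExecutionPolicy
            }
        } catch {
            # Keep going; the error text is kept per computer for the report.
            $status.Error = $_.Exception.Message
        }
        [pscustomobject]$status
    }
}

function Set-RemoteExecutionPolicy {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [ValidateSet('Restricted', 'AllSigned', 'RemoteSigned', 'Unrestricted')]
        [string]$Policy = 'AllSigned'
    )
    Invoke-Command -ComputerName $ComputerName -ArgumentList $Policy -ScriptBlock {
        param($p)
        # -Force suppresses the confirmation prompt, which a remote session cannot answer.
        Set-ExecutionPolicy -ExecutionPolicy $p -Scope LocalMachine -Force
        Get-ExecutionPolicy -Scope LocalMachine
    }
}

# Usage, as run on LON-DC1:
Get-RemotingStatus -ComputerName 'LON-CL1', 'LON-CL2' | Format-Table -AutoSize
Set-RemoteExecutionPolicy -ComputerName 'LON-CL1' -Policy AllSigned
```

Two caveats behind the lab steps: Get-Service -ComputerName (step 5) reaches the Service Control Manager over RPC, not over WinRM, so it can succeed on a computer whose WinRM listener is down, which is why Test-WSMan is the check used here; and if the "Turn on Script Execution" policy is configured in a GPO, that value overrides the LocalMachine scope and Set-ExecutionPolicy reports it, so the effective policy should always be read back as the script does.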

To prepare for the next module


When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687C-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 through 3 for 20687C-LON-CL1 and 20687C-LON-CL2.

Module 5: Managing Disks and Device Drivers

Lab A: Managing Disks


Exercise 1: Creating Volumes
Task 1: Create a simple volume by using Disk Management
1. Sign in to LON-CL2 as Adatum\Administrator with password Pa$$w0rd.
2. On the Start screen, type diskmgmt.msc, and then press Enter.
3. In the Initialize Disk dialog box, click OK.
4. Right-click the unallocated space on Disk 2, and then click New Simple Volume.
5. In the New Simple Volume Wizard, on the Welcome to the New Simple Volume Wizard page, click Next.
6. On the Specify Volume Size page, change the Simple volume size in MB value to 5103, and then click Next.
7. On the Assign Drive Letter or Path page, click Next.
8. On the Format Partition page, in the Volume label text box, type Simple1, and then click Next.
9. On the Completing the New Simple Volume Wizard page, click Finish.
10. When the New Simple Volume Wizard is complete, close Disk Management and any open windows.

Task 2: Create a simple volume by using Windows PowerShell 4.0


1. Open the Start screen, type pow, and then, in the Everywhere search screen, right-click Windows PowerShell and select Run as administrator.
2. In the Administrator: Windows PowerShell window, type get-disk, and then press Enter.
3. In the Administrator: Windows PowerShell window, type get-disk -Number 3 | new-partition -Size (5GB) | Format-Volume -Confirm:$false -FileSystem NTFS -NewFileSystemLabel Simple2, and then press Enter.
4. In the Administrator: Windows PowerShell window, type Get-Partition, and then press Enter. Make a note of the PartitionNumber of the volume you just created on Disk Number 3. You will use this information in the next step.
5. In the Administrator: Windows PowerShell window, type Set-Partition -DiskNumber 3 -PartitionNumber x -NewDriveLetter H (where x is the result of the previous step), and then press Enter.
6. In File Explorer, verify the visibility of the volume that you created, and then close File Explorer.
7. Minimize the Administrator: Windows PowerShell Command Prompt window.

Task 3: Resize a simple volume by using Disk Management


1. Open the Start screen, type diskmgmt.msc, and then press Enter.
2. Right-click Simple1 on Disk 2, and then click Extend Volume.
3. In the Extend Volume Wizard, on the Welcome to the Extend Volume Wizard page, click Next.
4. On the Select Disks page, select Disk 2, in the Select the amount of space in MB text box, type 500, and then click Next.

5. On the Completing the Extend Volume Wizard page, click Finish.
6. When the Extend Volume Wizard is complete, close Disk Management.

Task 4: Resize a simple volume by using Windows PowerShell version 4.0


1. Restore the Administrator: Windows PowerShell Command Prompt window.
2. At the Administrator: Windows PowerShell command prompt, type Get-Partition, and then press Enter.
3. Note the disk number, partition number, and size for the H: drive.
4. At the Administrator: Windows PowerShell command prompt, type Resize-Partition -DiskNumber 3 -PartitionNumber 1 -Size (5.5GB), and then press Enter.
5. At the Administrator: Windows PowerShell command prompt, type Get-Partition, and then press Enter.
6. Compare the size of the Simple2 volume with the size previously reported.
7. Minimize the Administrator: Windows PowerShell Command Prompt window.

Task 5: Create a spanned volume by using Disk Management


1. Open the Start screen, type diskmgmt.msc, and then press Enter.
2. Right-click the unallocated space on Disk 2, and then click New Spanned Volume.
3. In the New Spanned Volume Wizard, on the Welcome to the New Spanned Volume Wizard page, click Next.
4. On the Select Disks page, select Disk 3. Hold down the Shift key, select Disk 4, and then click Add.
5. On the Select Disks page, select Disk 2, and in the Select the amount of space in MB text box, type 2000.
6. On the Select Disks page, select Disk 3, and in the Select the amount of space in MB text box, type 1500.
7. On the Select Disks page, with Disk 4 selected, in the Select the amount of space in MB text box, type 4000, and then click Next.
8. On the Assign Drive Letter or Path page, click Next.
9. On the Format Volume page, in the Volume label text box, type SpannedVol.
10. Select the Perform a quick format check box, and then click Next.
11. On the Completing the New Spanned Volume Wizard page, click Finish.
12. Review the Disk Management warning, and then click Yes.

Task 6: Create a striped volume by using Disk Management


1. Right-click the unallocated space on Disk 2, and then click New Striped Volume.
2. In the New Striped Volume Wizard, on the Welcome to the New Striped Volume Wizard page, click Next.
3. On the Select Disks page, click Disk 3. Hold down the Shift key, click Disk 4, and then click Add.
4. On the Select Disks page, in the Select the amount of space in MB text box, type 2000, and then click Next.
5. On the Assign Drive Letter or Path page, click Next.

Configuring Windows 8.1 L5-39

MCT USE ONLY. STUDENT USE PROHIBITED

6. 7. 8. 9.

On the Format Volume page, in the Volume label text box, type StripedVol. Select the Perform a quick format check box, and then click Next. On the Completing the New Striped Volume Wizard page, click Finish. Close Disk Management and any open windows.

Results: After completing this exercise, you should have created several volumes on a client computer.


Managing Disks and Device Drivers

Exercise 2: Configuring Disk Quotas


Task 1: Create disk quotas on a volume
1. On LON-CL2, click the File Explorer icon on the taskbar.
2. Click This PC, right-click StripedVol (I:), and then click Properties.
3. In the StripedVol (I:) Properties dialog box, click the Quota tab.
4. On the Quota tab, select the Enable quota management check box, and then select the Deny disk space to users exceeding quota limit check box.
5. Click Limit disk space to, in the adjacent box, type 6, and then in the KB list, click MB.
6. In the Set warning level to box, type 4, and then in the KB list, click MB.
7. Select the Log event when a user exceeds their warning level check box, and then click OK.
8. In the Disk Quota dialog box, review the message, and then click OK.
9. Close all open windows.

Task 2: Create test files


1. Open the Start screen, type com, and in the Everywhere search screen, click Command Prompt.
2. At the command prompt, type I:, and then press Enter.
3. At the command prompt, type fsutil file createnew 2mb-file 2097152, and then press Enter.
4. At the command prompt, type fsutil file createnew 1kb-file 1024, and then press Enter.
5. Close the Command Prompt window.
6. Open the Start screen, click Administrator, and then click Sign out.

Task 3: Test the disk quota


1. Sign in to LON-CL2 as Adatum\Alan with password Pa$$w0rd.
2. Click the Desktop tile.
3. Click the File Explorer icon on the taskbar.
4. Click This PC, and then double-click StripedVol (I:).
5. On the toolbar, click Home, and then click New Folder.
6. Type Alan's files, and then press Enter.
7. In File Explorer, in the right-hand pane, copy the 2mb-file and the 1kb-file, and then paste both files in Alan's files.
8. Double-click the Alan's files folder.
9. In the Alan's files folder, right-click 2mb-file, click Copy, and then press Ctrl+V.
10. Repeat step 9.
11. In the Copy Item dialog box, review the message, and then click Cancel.
12. Open the Start screen, click Alan Steiner, and then click Sign out.


Task 4: Review quota alerts and logging


1. Sign in to LON-CL2 as Adatum\Administrator with password Pa$$w0rd.
2. Click the Desktop tile.
3. Click the File Explorer icon on the taskbar.
4. Click This PC, right-click StripedVol (I:), and then click Properties.
5. In the StripedVol (I:) Properties dialog box, click the Quota tab, and then click Quota Entries.
6. In the Quota Entries for StripedVol (I:) dialog box, in the Name column, double-click Alan Steiner.
7. Review the entries in the Quota Settings for Alan Steiner dialog box, and then click OK.
8. Close the Quota Entries for StripedVol (I:) and StripedVol (I:) Properties dialog boxes.
9. Close File Explorer.
10. Open the Start screen, type eventvwr, and then press Enter.
11. Maximize the Event Viewer desktop app window.
12. In the Event Viewer (Local) list, expand Windows Logs, and then click System.
13. Right-click System, and then click Filter Current Log.
14. In the <All Event IDs> box, type 36, and then click OK.
15. Examine the listed entry.
16. Close all open windows.

Results: After completing this exercise, you should have created and tested a disk quota.
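The same quota configuration and audit from the command line, as an added example that is not part of the course manual. It assumes an elevated Windows PowerShell session on LON-CL2, the NTFS volume I: created in Exercise 1, and the lab account ADATUM\Alan; fsutil quota is the built-in tool for per-user NTFS quotas, and Event ID 36 in the System log is the warning-threshold event that Task 4 filters for by hand.

```powershell
# Added example (not from the course manual): configure, exercise and audit NTFS
# disk quotas on I: with fsutil, then read the resulting System-log events.
# Assumptions: elevated PowerShell on LON-CL2, NTFS volume I:, account ADATUM\Alan.

$Volume    = 'I:'
$QuotaUser = 'ADATUM\Alan'
$Warning   = 4MB          # "Set warning level to"  (PowerShell expands 4MB to 4194304)
$Limit     = 6MB          # "Limit disk space to"   (6291456 bytes)

function Set-LabQuota {
    param([string]$Volume, [string]$User, [long]$WarningBytes, [long]$LimitBytes)

    # Enable quota tracking, then enforcement ("Deny disk space to users exceeding quota limit").
    fsutil quota track   $Volume | Out-Null
    fsutil quota enforce $Volume | Out-Null

    # Per-user entry: fsutil quota modify <volume> <threshold> <limit> <user>
    fsutil quota modify $Volume $WarningBytes $LimitBytes $User | Out-Null

    # Show the resulting quota table (volume defaults plus the per-user entry).
    fsutil quota query $Volume
}

function New-LabQuotaTestFiles {
    param([string]$Volume)
    # Same sizes as Task 2: zero-filled files of 2 MiB and 1 KiB.
    fsutil file createnew "$Volume\2mb-file" 2097152 | Out-Null
    fsutil file createnew "$Volume\1kb-file" 1024    | Out-Null
    Get-ChildItem "$Volume\" -Filter '*-file' | Select-Object Name, Length
}

function Get-LabQuotaEvents {
    # NTFS logs Event ID 36 when a user crosses the warning threshold and 37 when the
    # hard limit blocks a write; Task 4 filters the System log for 36 in Event Viewer.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 36, 37 } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Set-LabQuota -Volume $Volume -User $QuotaUser -WarningBytes $Warning -LimitBytes $Limit
New-LabQuotaTestFiles -Volume $Volume
Get-LabQuotaEvents
```

NTFS charges a file to its owner, so files created here by the administrator do not count against Alan; the threshold event only appears once the copies are made while signed in as Alan, as Task 3 does.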


Exercise 3: Managing Virtual Hard Disks


Task 1: Create a virtual hard disk
1. If necessary, sign in to LON-CL2 as Adatum\Administrator with password Pa$$w0rd.
2. Open the Start screen, type diskmgmt.msc, and then press Enter.
3. In Disk Management, click the Action menu, and then click Create VHD.
4. In the Create and Attach Virtual Hard Disk dialog box, in the Location text box, type I:\DemoDisk.vhdx.
5. In the Virtual hard disk size section, type 100, and then select MB from the drop-down list.
6. Select the VHDX option in the Virtual hard disk format section.
7. Select the Dynamically expanding radio button in the Virtual hard disk type section.
8. Click OK.
9. Leave Disk Management open and proceed to the next Lab.
10. Open the Start screen, type com, in the Everywhere search screen, right-click Command Prompt, and then click Run as administrator.
11. In the Administrator: Command Prompt window, type DiskPart, and then press Enter.
12. In the Administrator: Command Prompt window, type create vdisk file=I:\virtualdisk2.vhdx maximum=1048 type=expandable, and then press Enter.
13. Leave the Administrator: Command Prompt window open, and then proceed to the next task.

Task 2: Mount the VHD file, browse to the VHD file, and create files on the drive
1. If Disk Management is still open, skip to step 4.
2. If necessary, sign in to LON-CL2 as Adatum\Administrator with password Pa$$w0rd.
3. Open the Start screen, type diskmgmt.msc, and then press Enter.
4. In Disk Management, next to Disk 5, right-click the Disk, and then click Initialize Disk.
5. In Initialize Disk, select Disk 5, select the MBR (Master Boot Record) option, and then click OK.
6. Disk 5 is now online.
7. In Disk Management, right-click the unallocated space on Disk 5, and then click New Simple Volume.
8. In the New Simple Volume Wizard, on the Welcome to the New Simple Volume Wizard page, click Next.
9. On the Specify Volume Size page, change the Simple volume size in MB value to 97, and then click Next.
10. On the Assign Drive Letter or Path page, click Next.
11. On the Format Partition page, in the Volume label text box, type SimpleVHD1, and then click Next.
12. On the Completing the New Simple Volume Wizard page, click Finish.
   Note: When the New Simple Volume Wizard is complete, the drive is ready to be used.
13. Close Disk Management.
14. Open File Explorer, and then verify that the new drive named SimpleVHD1 has been created.
15. Select the new virtual drive, and then click New Folder on the File Explorer ribbon.
16. Name the new folder Test.
17. Create a new Notepad document named Test.txt, and then save it on the new drive.
18. Close File Explorer.
19. If the Administrator: Command Prompt window is still open, skip to step 22.
20. Open the Start screen, type com, in the Everywhere search screen, right-click Command Prompt, and then click Run as administrator.
21. In the Administrator: Command Prompt window, type DiskPart, and then press Enter.
22. In the Administrator: Command Prompt window, type select vdisk file=I:\virtualdisk2.vhdx, and then press Enter.
23. In the Administrator: Command Prompt window, type attach vdisk, and then press Enter.
24. In the Administrator: Command Prompt window, type List Disk, and then press Enter. Make note of the Disk ### of the disk that has an asterisk (*) next to it and has a size of 1048 MB. You will use this information in the next step.
25. In the Administrator: Command Prompt window, type create partition primary, and then press Enter.
26. In the Administrator: Command Prompt window, type format fs=ntfs label=SimpleVHD2 quick, and then press Enter.
27. In the Administrator: Command Prompt window, type assign, and then press Enter.
28. Close the Administrator: Command Prompt window.
29. Open File Explorer, and then verify that the new virtual drive volume that you created is visible.
30. Select the new virtual drive, and then click New Folder on the File Explorer ribbon.
31. Name the new folder Test.
32. Create a new Notepad document named Test.txt, and then save it on the new drive.
33. Close File Explorer.

Task 3: Remove a mounted VHD file


1. If necessary, sign in to LON-CL2 as Adatum\Administrator with password Pa$$w0rd.
2. Open the Start screen, type diskmgmt.msc, and then press Enter.
3. In Disk Management, right-click Disk 5, and then select Detach VHD.
4. Verify that the file name provided in the Detach Virtual Hard Disk dialog box is I:\DemoDisk.VHDX, and then click OK.
5. Verify that the virtual disk is no longer mounted.
6. Open File Explorer, and then navigate to the I: drive.
7. Verify that I:\DemoDisk.VHDX is still present.
   Note: Removing a mounted virtual disk does not delete the underlying VHD.
8. Open the Start screen, type com, in the Everywhere search screen, right-click Command Prompt, and then click Run as administrator.
9. In the Administrator: Command Prompt window, type DiskPart, and then press Enter.
10. In the Administrator: Command Prompt window, type List vdisk, and then press Enter.
11. In the Administrator: Command Prompt window, type select vdisk file=I:\virtualdisk2.vhdx, and then press Enter.
12. In the Administrator: Command Prompt window, type detach vdisk, and then press Enter.
13. Open File Explorer, and then verify that the new virtual drive is no longer visible as a volume.
14. Open the Start screen, type diskmgmt.msc, and then press Enter.
15. In Disk Management, verify that Disk 6 is no longer visible.
16. Close the Disk Management window.
17. Close File Explorer.

Results: After completing this exercise, you should have created, mounted and then deleted a VHD file.
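The DiskPart part of this exercise done from Windows PowerShell, as an added example that is not part of the course manual. Creation still goes through diskpart (the New-VHD cmdlet needs the Hyper-V module, which is not assumed here); attaching, partitioning, formatting and detaching use the Storage module that ships with Windows 8.1, whose Mount-DiskImage and Dismount-DiskImage are the equivalents of attach vdisk and detach vdisk. It assumes an elevated session on LON-CL2 and a writable I: volume, and uses the lab's path I:\virtualdisk2.vhdx.

```powershell
# Added example (not from the course manual): create a dynamically expanding VHDX with a
# diskpart script, attach it, give it an NTFS volume, write to it, then detach it and
# confirm the file survives (the Note in Task 3).
# Assumptions: elevated PowerShell on LON-CL2 and a writable I: volume.

function New-LabVhdx {
    param([string]$Path, [int]$MaximumMB = 1048)
    # diskpart /s runs commands from a script file; this is Task 1, steps 11-12.
    $scriptFile = [IO.Path]::GetTempFileName()
    Set-Content -Path $scriptFile -Encoding ASCII -Value "create vdisk file=$Path maximum=$MaximumMB type=expandable"
    try     { diskpart /s $scriptFile | Out-Null }
    finally { Remove-Item $scriptFile -ErrorAction SilentlyContinue }
    Get-Item $Path | Select-Object FullName, Length   # expandable: far smaller than 1048 MB
}

function Mount-LabVhdx {
    param([string]$Path, [string]$Label = 'SimpleVHD2')
    Mount-DiskImage -ImagePath $Path                            # "attach vdisk"
    $number = (Get-DiskImage -ImagePath $Path).Number           # disk number it received
    $disk   = Get-Disk -Number $number
    if ($disk.PartitionStyle -eq 'RAW') {
        # A freshly created VHD has no partition table: initialize, partition, format
        # (Task 2, steps 25-27).
        Initialize-Disk -Number $number -PartitionStyle MBR
        New-Partition -DiskNumber $number -UseMaximumSize -AssignDriveLetter |
            Format-Volume -FileSystem NTFS -NewFileSystemLabel $Label -Confirm:$false | Out-Null
    }
    # Return the volume so the caller can write to it.
    Get-Partition -DiskNumber $number | Where-Object DriveLetter | Get-Volume
}

function Dismount-LabVhdx {
    param([string]$Path)
    Dismount-DiskImage -ImagePath $Path                         # "detach vdisk"
    # Detaching only unmounts; the .vhdx file stays on disk.
    [pscustomobject]@{
        Path          = $Path
        StillAttached = (Get-DiskImage -ImagePath $Path).Attached
        FileExists    = Test-Path $Path
    }
}

$vhd = 'I:\virtualdisk2.vhdx'
New-LabVhdx -Path $vhd
$vol = Mount-LabVhdx -Path $vhd
New-Item -ItemType Directory -Path "$($vol.DriveLetter):\Test" | Out-Null
Set-Content -Path "$($vol.DriveLetter):\Test.txt" -Value 'created inside the VHD'
Dismount-LabVhdx -Path $vhd          # StillAttached False, FileExists True
```

Re-running Mount-LabVhdx on the same file skips the initialize/format branch because the partition style is no longer RAW, so the Test folder and Test.txt are still there after a detach and attach cycle.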

To prepare for the next lab

When you have finished the lab, leave the virtual machines running as they are needed for the next lab.


Lab B: Configuring Device Drivers


Exercise 1: Installing Device Drivers
Task 1: Install a device driver into the protected store
1. Sign in to LON-CL2 as Adatum\Administrator with password Pa$$w0rd.
2. Open the Start screen, type com, in the Everywhere search screen, right-click Command Prompt, and then click Run as administrator.
3. In the Administrator: Command Prompt window, type pnputil -a E:\Labfiles\Mod05\Intellipoint\ipoint\setup64\files\driver\point64\point64.inf, and then press Enter.
4. In the Administrator: Command Prompt window, type pnputil -e, and then press Enter. Take note of the published name for the driver you just installed into the store.
5. Close the Administrator: Command Prompt window.

Results: After completing this exercise, you should have installed a driver into the protected Driver Store.


Exercise 2: Managing Device Drivers


Task 1: Install a device driver
1. If necessary, sign in to LON-CL2 as Adatum\Administrator with password Pa$$w0rd.
2. Select Device Manager from the Administrative menu by pressing Windows logo key+X.
3. In Device Manager, expand Keyboards, right-click Standard PS/2 Keyboard, and then click Update Driver Software.
4. In the Update Driver Software - Standard PS/2 Keyboard dialog box, click Browse my computer for driver software.
5. On the Browse for driver software on your computer page, click Let me pick from a list of device drivers on my computer.
6. In the Show compatible hardware list, click PC/AT Enhanced PS/2 Keyboard (101/102 Key), click Next, and then click Close.
7. In the System Settings Change dialog box, click Yes to restart the computer.

Task 2: Roll back a device driver


1. Sign in to LON-CL2 as Adatum\Administrator with password Pa$$w0rd.
2. Select Device Manager from the Administrative menu by pressing the Windows logo key+X.
3. In Device Manager, expand Keyboards, right-click PC/AT Enhanced PS/2 Keyboard (101/102 Key), and then click Properties.
4. In the PC/AT Enhanced PS/2 Keyboard (101/102 Key) Properties dialog box, click the Driver tab, and then click Roll Back Driver.
5. In the Driver Package rollback dialog box, click Yes, and then click Close.
6. When prompted to restart the computer, click Yes.
7. Sign in to LON-CL2 as Adatum\Administrator with password Pa$$w0rd.
8. Select Device Manager from the Administrative menu by pressing the Windows logo key+X.
9. In Device Manager, expand Keyboards, right-click Standard PS/2 Keyboard, and then click Properties.
10. In the Standard PS/2 Keyboard Properties dialog box, click the Driver tab, and then verify that the driver has been rolled back to the Standard PS/2 Keyboard version. Close Device Manager.

Results: After completing this exercise, you should have installed and rolled back a device driver.

To prepare for the next module


When you have finished the lab, revert all virtual machines back to their initial state:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687C-LON-CL2, and then click Revert.
3. In the Revert Virtual Machines dialog box, click Revert.
4. Repeat steps 2 to 3 for 20687C-LON-DC1.


Module 6: Configuring Network Connectivity

Lab A: Configuring a Network Connection


Exercise 1: Enabling Automatic IPv4 Configuration
Task 1: Verify the current IPv4 configuration
1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. On the Start screen, click the down arrow in the bottom left of the screen to display Apps by name, scroll to the far left, and then click Command Prompt.
3. At the command prompt, type ipconfig /all, and then press Enter:
   o What is the current Internet Protocol version 4 (IPv4) address? 172.16.0.50
   o What is the subnet mask? 255.255.0.0
   o To which IPv4 network does this host belong? 172.16.0.0/16
   o Is Dynamic Host Configuration Protocol (DHCP) enabled? No

Task 2: Configure the computer to obtain an IPv4 address automatically


1. Right-click the Start charm, and then click Network Connections.
2. In the Network Connections window, right-click Ethernet, and then click Properties.
3. In the Ethernet Properties window, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
4. Click Obtain an IP address automatically, click Obtain DNS server address automatically, click OK, and then click OK to close the Ethernet Properties window.


Configuring Network Connectivity

Task 3: Verify the new IPv4 configuration


1. In the Network Connections window, right-click Ethernet, click Status, and then click Details.
   o What is the current IPv4 address? Answers will vary, but will be in the range of 172.16.0.x.
   o What is the subnet mask? 255.255.0.0
   o To which IPv4 network does this host belong? 172.16.0.0/16
   o Is DHCP enabled? Yes
   o When does the DHCP lease expire? Eight days from now.
2. Click the Close button.

Results: After completing this exercise, you should have configured LON-CL1 to obtain an IPv4 configuration automatically from a DHCP server.


Exercise 2: Configuring IPv4 Manually


Task 1: Deactivate the DHCP scope
1. On LON-DC1, sign in as Adatum\Administrator with password Pa$$w0rd.
2. In Server Manager, click Tools, and then click DHCP.
3. Expand lon-dc1.adatum.com, expand IPv4, and then click Scope [172.16.0.0] A Datum Scope.
4. Right-click Scope [172.16.0.0] A Datum Scope, and then click Deactivate.
5. Click Yes to confirm deactivation of the scope.
6. Close the DHCP window.

Task 2: Obtain a new IPv4 address


1. On LON-CL1, switch to the Command Prompt window.
   Note: This process can take some minutes to complete.
2. At the command prompt, type ipconfig /release, and then press Enter.
3. At the command prompt, type ipconfig /renew, and then press Enter.
4. At the command prompt, type ipconfig /all, and then press Enter:
   o What is the current IPv4 address? Answers will vary, but the address will be in the range of 169.254.x.x.
   o What is the subnet mask? 255.255.0.0
   o To which IPv4 network does this host belong? 169.254.0.0
   o What kind of address is this? An Automatic Private IP Addressing (APIPA) address

Task 3: Configure an alternate IPv4 address


1. In the Ethernet Status window, click Properties.
2. In the Ethernet Properties window, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
3. Click the Alternate Configuration tab, click User configured, and then enter the following:
   o IP address: 172.16.16.10
   o Subnet mask: 255.255.0.0
   o Preferred DNS server: 172.16.0.10
4. Clear the Validate settings, if changed, upon exit check box, and then click OK to save the settings.
5. In the Ethernet Properties window, click Close.
6. At the command prompt, type ipconfig /release, and then press Enter.
7. At the command prompt, type ipconfig /renew, and then press Enter.
8. At the command prompt, type ipconfig /all, and then press Enter:
   o What is the current IPv4 address? 172.16.16.10
   o What is the subnet mask? 255.255.0.0
   o To which IPv4 network does this host belong? 172.16.0.0/16
   o What kind of address is this? An alternate configuration address
9. Close the Command Prompt window.

Task 4: Configure a static IPv4 address


1. In the Ethernet Status window, click Properties.
2. In the Ethernet Properties window, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
3. Click Use the following IP address, type the following, and then click OK:
   o IP address: 172.16.16.10
   o Subnet mask: 255.255.0.0
   o Preferred DNS server: 172.16.0.10
4. In the Ethernet Properties window, click Close.
5. Close all open windows.

Results: After completing this exercise, you should have tested various scenarios for dynamic IP address assignment and then configured a static IP address.
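The address states this exercise walks through (a DHCP lease, the APIPA fallback when no server answers, and a manually set address), as an added Windows PowerShell example that is not part of the course manual. It assumes an elevated session on LON-CL1 with an adapter named Ethernet, and uses the NetTCPIP and DnsClient cmdlets that ship with Windows 8.1; the function and variable names are the example's own. The Alternate Configuration tab from Task 3 has no cmdlet equivalent and is not covered here.

```powershell
# Added example (not from the course manual): classify how the Ethernet adapter got its
# IPv4 address and switch between DHCP and the static values used in this exercise.
# Assumptions: elevated PowerShell on LON-CL1, adapter alias "Ethernet".

$Adapter = 'Ethernet'

function Get-LabIPv4State {
    param([string]$InterfaceAlias = $Adapter)
    $ip = Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 |
          Select-Object -First 1
    # APIPA lives in 169.254.0.0/16 and is what the stack self-assigns after the
    # DHCP scope is deactivated (Task 2); a lease reports PrefixOrigin Dhcp.
    if     ($ip.IPAddress -like '169.254.*') { $kind = 'APIPA (no DHCP server answered)' }
    elseif ($ip.PrefixOrigin -eq 'Dhcp')     { $kind = 'DHCP lease' }
    elseif ($ip.PrefixOrigin -eq 'Manual')   { $kind = 'Manual (static)' }
    else                                     { $kind = "Other ($($ip.PrefixOrigin))" }
    [pscustomobject]@{
        Address      = $ip.IPAddress
        PrefixLength = $ip.PrefixLength          # 16 is 255.255.0.0
        Kind         = $kind
        DnsServers   = ((Get-DnsClientServerAddress -InterfaceAlias $InterfaceAlias `
                          -AddressFamily IPv4).ServerAddresses -join ', ')
    }
}

function Set-LabIPv4Dhcp {
    param([string]$InterfaceAlias = $Adapter)
    # "Obtain an IP address automatically" and "Obtain DNS server address automatically"
    Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -PrefixOrigin Manual `
                     -ErrorAction SilentlyContinue | Remove-NetIPAddress -Confirm:$false
    Set-NetIPInterface -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -Dhcp Enabled
    Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ResetServerAddresses
    ipconfig /renew | Out-Null                   # ask for a lease now instead of waiting
    Get-LabIPv4State -InterfaceAlias $InterfaceAlias
}

function Set-LabIPv4Static {
    param([string]$InterfaceAlias = $Adapter,
          [string]$IPAddress = '172.16.16.10', [int]$PrefixLength = 16,
          [string]$DnsServer = '172.16.0.10')
    # "Use the following IP address": turn DHCP off, drop whatever address is present,
    # then add the static address and the preferred DNS server (Task 4).
    Set-NetIPInterface -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -Dhcp Disabled
    Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Remove-NetIPAddress -Confirm:$false
    New-NetIPAddress -InterfaceAlias $InterfaceAlias -IPAddress $IPAddress -PrefixLength $PrefixLength | Out-Null
    Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $DnsServer
    Get-LabIPv4State -InterfaceAlias $InterfaceAlias
}

Get-LabIPv4State        # run after each lab task to see which state the adapter is in
```

With the A Datum scope deactivated, Set-LabIPv4Dhcp ends in the APIPA state the exercise describes; Set-LabIPv4Static produces the 172.16.16.10/16 configuration from Task 4 and reports it as Manual.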

To prepare for the next lab

When you have finished the lab, leave the virtual machines running, as they are needed for the next lab.


Lab B: Resolving Network Connectivity Issues


Exercise 1: Creating a Simulated Network Connectivity Problem
Task 1: Verify connectivity to LON-DC1
1. On LON-CL1, on the taskbar, click File Explorer.
2. In the navigation pane, right-click This PC, and then click Map network drive.
3. In the Drive box, select P:.
4. In the Folder box, type \\LON-DC1\Data, and then click Finish.
5. Close the Data window.

Task 2: Simulate the problem


1. Point to the lower-right corner of the desktop, and then click Settings.
2. In the list, click Control Panel.
3. In Control Panel, click Network and Internet.
4. In Network and Internet, click View network status and tasks.
5. In Network and Sharing Center, to the right of the Adatum.com Domain network, click Ethernet.
6. In the Ethernet Status window, click Properties.
7. Clear the Internet Protocol Version 6 (TCP/IPv6) check box, and then click OK.
8. In the Ethernet Status window, click Close, and then close Network and Sharing Center.
9. In File Explorer, click This PC, and then double-click Allfiles (E:).
10. Double-click Labfiles, double-click Mod06, and then double-click Mod6-Script.bat.

Task 3: Test connectivity to LON-DC1


1. In File Explorer, in the navigation pane, click This PC.
2. Double-click Data(\\lon-dc1)(P:).
3. Click OK to clear the error message.
4. Are you able to access mapped drive P? No

Task 4: Gather information about the problem


1. On LON-CL1, click the Start charm.
2. On the Start screen, type CMD, and then click Command Prompt.
3. At the command prompt, type ping lon-dc1, and then press Enter.
4. At the command prompt, type ping 172.16.0.10, and then press Enter.
5. At the command prompt, type ipconfig /all, and then press Enter.
6. What IP address is the computer using? 172.16.16.50
7. What subnet mask is the computer using? 255.255.255.255
8. What network should the computer be on? 172.16.0.0/16

Results: After completing this exercise, you should have created a connectivity problem between LON-CL1 and LON-DC1.


Exercise 2: Resolving a Network Connectivity Problem


Task 1: Resolve the first problem
1. Right-click the Start charm, and then click Network Connections.
2. Right-click Ethernet, and then click Properties.
3. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
4. In the Subnet mask box, type 255.255.0.0, and then click OK.
5. In the Ethernet Properties window, click Close.

Task 2: Test the resolution


1. In the This PC window, double-click Data(\\lon-dc1)(P:).
2. Are you able to access mapped drive P? Yes.
3. At the command prompt, type ping lon-dc1, and then press Enter.
4. At the command prompt, type ping 172.16.0.10, and then press Enter.
5. At the command prompt, type ipconfig /all, and then press Enter.
6. What Domain Name System (DNS) servers is the computer using? 172.16.16.10 and 172.16.0.10

Task 3: Resolve the DNS problem


1. Point to the lower-right corner of the display, and then click Settings.
2. In the list, click Control Panel.
3. In Control Panel, click Network and Internet.
4. In Network and Internet, click View network status and tasks.
5. In Network and Sharing Center, to the right of the Adatum.com Domain network, click Ethernet.
6. In the Ethernet Status window, click Properties.
7. In the Ethernet Properties window, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
8. In the Preferred DNS server box, type 172.16.0.10.
9. Delete the Alternate DNS Server setting IPv4 address, and then click OK.
10. In the Ethernet Properties window, click Close.
11. In the Ethernet Status window, click Close.

Results: After completing this exercise, you should have resolved the connectivity problem between LON-CL1 and LON-DC1.
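The checks from Exercise 1, Task 4 and Exercise 2, Task 2 as a script, added here as an example that is not part of the course manual. Instead of reading ipconfig output by eye, it reports the two faults this lab plants (a 255.255.255.255 host mask, and a first DNS server entry that does not point at LON-DC1) and then applies the fixes from Exercise 2, Tasks 1 and 3. It assumes Windows PowerShell on LON-CL1, an adapter named Ethernet, the domain controller LON-DC1 at 172.16.0.10 and the expected subnet 172.16.0.0/16; the function names are the example's own.

```powershell
# Added example (not from the course manual): diagnose, then repair, the connectivity
# problem created by Mod6-Script.bat.
# Assumptions: PowerShell on LON-CL1, adapter "Ethernet", LON-DC1 = 172.16.0.10, subnet /16.

$Adapter   = 'Ethernet'
$DcName    = 'lon-dc1'
$DcAddress = '172.16.0.10'
$ExpectedPrefixLength = 16

function Test-LabConnectivity {
    $ip  = Get-NetIPAddress -InterfaceAlias $Adapter -AddressFamily IPv4 | Select-Object -First 1
    $dns = (Get-DnsClientServerAddress -InterfaceAlias $Adapter -AddressFamily IPv4).ServerAddresses
    $findings = @()

    # Fault 1: a /32 mask makes the host its own subnet, so even ping by address fails
    # although the address itself is inside 172.16.0.0/16.
    if ($ip.PrefixLength -ne $ExpectedPrefixLength) {
        $findings += "Subnet mask is /$($ip.PrefixLength); expected /$ExpectedPrefixLength (255.255.0.0)"
    }
    $byAddress = Test-Connection -ComputerName $DcAddress -Count 1 -Quiet -ErrorAction SilentlyContinue
    if (-not $byAddress) { $findings += "ping $DcAddress failed" }

    # Fault 2: a first DNS entry that is not a working server delays every name lookup
    # until it times out. Query each configured server directly and check the order.
    foreach ($server in $dns) {
        $answer = Resolve-DnsName -Name $DcName -Server $server -Type A -ErrorAction SilentlyContinue
        if (-not $answer) { $findings += "DNS server $server did not resolve $DcName" }
    }
    if ($dns.Count -gt 0 -and $dns[0] -ne $DcAddress) {
        $findings += "First DNS server is $($dns[0]); expected $DcAddress"
    }

    # End to end: the mapped drive P: needs SMB (TCP 445) on LON-DC1.
    $smb = Test-NetConnection -ComputerName $DcName -CommonTCPPort SMB -InformationLevel Quiet `
                              -ErrorAction SilentlyContinue
    if (-not $smb) { $findings += "SMB (TCP 445) to $DcName unreachable" }

    [pscustomobject]@{
        Address    = "$($ip.IPAddress)/$($ip.PrefixLength)"
        DnsServers = ($dns -join ', ')
        Healthy    = ($findings.Count -eq 0)
        Findings   = $findings
    }
}

function Repair-LabConnectivity {
    # Exercise 2, Task 1 (mask) and Task 3 (DNS) as commands.
    $current = (Get-NetIPAddress -InterfaceAlias $Adapter -AddressFamily IPv4 | Select-Object -First 1).IPAddress
    Set-NetIPAddress -InterfaceAlias $Adapter -IPAddress $current -PrefixLength $ExpectedPrefixLength
    Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $DcAddress
    Test-LabConnectivity
}

Test-LabConnectivity      # expected after Mod6-Script.bat: Healthy False, two or more findings
```

Running Test-LabConnectivity again after Repair-LabConnectivity should return Healthy True with an empty Findings list; if the SMB check still fails while ping and DNS succeed, the problem is on LON-DC1 or in the share, not in the client's IP configuration.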


To prepare for the next module


When you have finished the lab, revert the virtual machines to their initial state.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687C-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20687C-LON-DC1.

Module 7: Configuring Resource Access for Domain-Joined and Non-Domain Joined Devices

Lab: Configuring Resource Access for Non-Domain Joined Devices


Exercise 1: Implementing Workplace Join
Task 1: Verify Workplace Join prerequisites
1. On LON-DC1, on the Start screen, type users, and then run Active Directory Users and Computers.
2. In Active Directory Users and Computers, on the View menu, select Advanced Features.
3. In Active Directory Users and Computers, in the navigation pane, click Marketing.
4. In the details pane, right-click Adam Barr, and then select Properties.
5. In the Adam Barr Properties dialog box, click the Account tab. Verify that User logon name is Adam@Adatum.com, and then click Cancel.
6. In Active Directory Users and Computers, in the navigation pane, click RegisteredDevices, and then verify that no object is listed in the details pane.
7. On the Start screen, type pkiview.msc, and then press Enter. In the Pkiview [Enterprise PKI] console, in the navigation pane, click AdatumCA (V0.0). In the details pane, verify that AIA Location #2, CDP Location #2, and DeltaCRL Location #2 have a location that is accessible over the http protocol.
   Note: CDP Location and Delta CRL Location have a short validity period, and their status could be shown as Expiring. You can ignore their value in the Status column.
8. Close pkiview.
9. On the Start screen, type dns, and then click DNS console.
10. In DNS Manager, in the navigation pane, expand LON-DC1, expand Forward Lookup Zones, and then click Adatum.com. In the details pane, verify that there is an Enterpriseregistration CNAME record that points to LON-SVR1.adatum.com.
11. Close DNS Manager.
12. On LON-SVR1, on the Start screen, type ad fs, and then run AD FS Management.
13. In AD FS Management, in the navigation pane, select Authentication Policies, right-click Authentication Policies, and then select Edit Global Primary Authentication.
14. In the Edit Global Primary Authentication dialog box, on the Primary tab, verify that the Enable device authentication check box is selected, and then click OK.
15. In AD FS Management, in the navigation pane, expand Services, and then click Certificates. In the details pane, under Service communications, right-click CN=LON-SVR1.adatum.com, and then select View Certificate.
16. In the Certificate dialog box, click the Details tab. Select Subject Alternative Name, and then verify that it has the values DNS Name=LON-SVR1.adatum.com and DNS Name=Enterpriseregistration.adatum.com.
17. Select the CRL Distribution Points field, and then verify that one of the URLs is accessible over the http protocol.
18. Select the Authority Information Access field, and then verify that one of the URLs is accessible over the http protocol. Click OK.
19. Close AD FS Management.

Task 2: Workplace Join a Windows 8.1 computer


1. On LON-CL4, sign in as Admin with the password Pa$$w0rd.
2. On LON-CL4, on the Start screen, type command, and then click Command Prompt.
3. At the command prompt, run nslookup enterpriseregistration.adatum.com. Verify that the name is resolved to an IP address, and then close the Command Prompt window.
4. On LON-CL4, on the Start screen, type \\LON-DC1\certificate, and then press Enter.
5. In the Windows Security dialog box, in the User name field, type adatum\adam, in the Password field, type Pa$$w0rd, and then click OK.
6. In Certificate, in the details pane, right-click Root-CA, and then click Install Certificate.
7. In the Certificate Import Wizard, select Local Machine, and then click Next. Click Yes in the User Account Control dialog box.
8. On the Certificate Store page, select Place all certificates in the following store, click Browse, select Trusted Root Certification Authorities, click OK, and then click Next.
9. In the Certificate Import Wizard, on the Completing the Certificate Import Wizard page, click Finish, and then click OK.
10. On the taskbar, click the Internet Explorer icon.
11. In Internet Explorer, in the address box, type https://LON-SVR2.adatum.com/claimapp, and then press Enter to access the internal company web app.
12. In the Windows Security dialog box, in the User name field, type adatum\adam, in the Password field, type Pa$$w0rd, and then click OK. Confirm that the webpage opens and Adam's claims are displayed.
13. Verify that no Claim Type starts with http://schemas.microsoft.com/2012/01/devicecontext.
14. Close Internet Explorer.
15. On the taskbar, click the Internet Explorer icon. In the Internet Explorer address box, type https://LON-SVR2.adatum.com/claimapp, and then press Enter.
16. Verify that the Windows Security dialog box opens again. In the Windows Security dialog box, in the User name field, type adatum\adam, in the Password field, type Pa$$w0rd, and then click OK. This confirms that you are asked for credentials each time you access the company web app from a non-domain joined device.
17. Close Internet Explorer.
18. On the Start screen, type settings, and then click PC settings.
19. On the PC settings bar, select Network.
20. On the Network bar, select Workplace. In the Enter your user ID to get workplace access or turn device management field, type adam@adatum.com, and then click Join.
21. Under Connecting to Adatum, verify that adam@adatum.com is in the first text box. Enter Pa$$w0rd in the second text box, and then click Sign in. Confirm that the device has joined your workplace network and that the button label changed from Join to Leave.
22. Move the pointer to the upper-left edge of LON-CL4, and then click the desktop tile.


Task 3: Explore Workplace Join effects


1. On LON-DC1, in Active Directory Users and Computers, in the navigation pane, right-click RegisteredDevices, and then select Refresh. Confirm that one object of type msDS-Device is listed in the details pane. This object represents the LON-CL4 computer that you enabled for Workplace Join. Make note of the name of the msDS-Device object.
2. On LON-CL4, on the taskbar, click the Internet Explorer icon.
3. In Internet Explorer, press the Alt key. On the Tools menu, select Internet options.
4. In the Internet Options dialog box, click the Content tab.
5. In the Certificates section, click Certificates.
6. In the Certificates dialog box, on the Personal tab, verify that one certificate is listed and that it has a GUID in the Issued To field. This is the certificate that Device Registration Service provided to the user when the device was enabled for Workplace Join. Verify that the GUID is the same as the name of the msDS-Device object from Active Directory Users and Computers.
7. Click Close, and then click OK in the Internet Options dialog box.
8. In Internet Explorer, in the address box, type https://LON-SVR2.adatum.com/claimapp, and then press Enter to access the internal company web app.
9. In the Windows Security dialog box, in the User name field, type adatum\adam, in the Password field, type Pa$$w0rd, verify that the Remember my credentials check box is not selected, and then click OK. Confirm that the webpage opens and that Adam's claims are displayed. Verify that Claim Type http://schemas.microsoft.com/2012/01/devicecontext/claims/identifier has the same value as the name of the msDS-Device object from Active Directory Users and Computers. Close Internet Explorer.
10. Open Internet Explorer, and then access the same company app at https://LON-SVR2.adatum.com/claimapp.
11. Verify that this time, the webpage opens without asking you for credentials. You were not asked for credentials because you accessed it from the device that was enabled for Workplace Join.

Results: After completing this exercise, you should have successfully implemented and tested the Workplace Join feature.
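The prerequisite checks from Task 1 (the enterpriseregistration CNAME, the AD FS service certificate's Subject Alternative Name, and http-reachable CRL and AIA locations) and the device-object check from Task 3, as an added Windows PowerShell example that is not part of the course manual. It assumes it runs on LON-SVR1, where the AD FS service communications certificate is in the local machine personal store, with the RSAT Active Directory module available, and it uses the lab names adatum.com, LON-SVR1.adatum.com and enterpriseregistration.adatum.com; the function names are the example's own.

```powershell
# Added example (not from the course manual): scripted Workplace Join prerequisite checks
# (Exercise 1, Task 1) and a listing of registered device objects (Task 3, step 1).
# Assumptions: run on LON-SVR1 with the ActiveDirectory module; domain adatum.com.

$Domain   = 'adatum.com'
$AdfsHost = "LON-SVR1.$Domain"
$DrsName  = "enterpriseregistration.$Domain"

function Get-CertUrls {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Oid)
    # CRL Distribution Points = 2.5.29.31, Authority Information Access = 1.3.6.1.5.5.7.1.1
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $Oid }
    if ($ext) { [regex]::Matches($ext.Format($false), 'https?://[^\s,)]+') | ForEach-Object { $_.Value } }
}

function Test-WorkplaceJoinPrereqs {
    $findings = @()

    # Step 10: the enterpriseregistration CNAME must point at the AD FS server.
    $cname = Resolve-DnsName -Name $DrsName -Type CNAME -ErrorAction SilentlyContinue
    if (-not $cname -or $cname.NameHost -ne $AdfsHost) {
        $findings += "CNAME $DrsName does not resolve to $AdfsHost"
    }

    # Steps 15-18: the service communications certificate must carry both names in its SAN
    # and publish at least one http CRL and AIA URL that a client can actually fetch.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Subject -like "CN=$AdfsHost*" } | Select-Object -First 1
    if (-not $cert) {
        $findings += "No certificate for $AdfsHost in LocalMachine\My"
    }
    else {
        $san = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($false)
        foreach ($name in @($AdfsHost, $DrsName)) {
            if ($san -notmatch [regex]::Escape($name)) { $findings += "SAN lacks DNS Name=$name" }
        }
        foreach ($pair in (@{ CRL = '2.5.29.31'; AIA = '1.3.6.1.5.5.7.1.1' }).GetEnumerator()) {
            $http = @(Get-CertUrls -Cert $cert -Oid $pair.Value | Where-Object { $_ -like 'http://*' })
            if ($http.Count -eq 0) { $findings += "$($pair.Key): no http URL published"; continue }
            $reachable = $false
            foreach ($url in $http) {
                try { Invoke-WebRequest -Uri $url -UseBasicParsing | Out-Null; $reachable = $true; break }
                catch { }
            }
            if (-not $reachable) { $findings += "$($pair.Key): none of $($http -join ', ') reachable" }
        }
    }
    [pscustomobject]@{ Ready = ($findings.Count -eq 0); Findings = $findings }
}

function Get-RegisteredDevices {
    # Task 3, step 1: each Workplace-joined device is an msDS-Device object under
    # CN=RegisteredDevices; its name is the GUID that also appears in the client certificate.
    Import-Module ActiveDirectory
    $base = 'CN=RegisteredDevices,' + (Get-ADDomain -Identity $Domain).DistinguishedName
    Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=msDS-Device)' |
        Select-Object Name, DistinguishedName
}

Test-WorkplaceJoinPrereqs    # expected before Task 2: Ready True, no findings
Get-RegisteredDevices        # expected: empty before Task 2, one object after it
```

The http-only filter matters because a device that is not yet joined cannot present a certificate, so an https-only CRL or AIA location would leave it unable to validate the AD FS certificate chain.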


Exercise 2: Configuring Work Folders


Task 1: Install the Work Folders feature and create a sync share
1. On LON-DC1, on the taskbar, click the Windows PowerShell icon, and then run the following cmdlet: Install-WindowsFeature FS-SyncShareService.
   Note: After the feature is installed, you will get a warning because Windows automatic updating is not enabled. You can ignore the warning.
2. Minimize the Windows PowerShell window, and then click the Server Manager icon on the taskbar.
3. In Server Manager, in the navigation pane, click File and Storage Services, click Work Folders, click TASKS in the WORK FOLDERS section, and then select New Sync Share.
4. In the New Sync Share Wizard, on the Before you begin page, click Next.
5. On the Select the server and path page, in the Enter a local path field, type C:\syncshare1, click Next, and then click OK.
6. On the Specify the structure for user folders page, verify that User alias is selected, and then click Next.
7. On the Enter the sync share name page, click Next to accept the default sync share name.
8. On the Grant sync access to groups page, click Add, in the Enter the object name to be selected field, type Marketing, click OK, and then click Next.
9. On the Specify device policies page, verify the two available options. Clear Automatically lock screen, and require a password policy, and then click Next.
10. On the Confirm selections page, click Create.
11. On the View Results page, click Close.
12. In Server Manager, verify that Syncshare1 is listed in the WORK FOLDERS section and that the user Adam Barr is listed in the USERS section.

Task 2: Bind an SSL certificate for Work Folders


1. On LON-DC1, on the Start screen, type iis, and then run Internet Information Services (IIS) Manager.
2. In Internet Information Services (IIS) Manager, in the navigation pane, expand LON-DC1 (ADATUM\Administrator).
3. Expand Sites, right-click Default Web Site, and then select Edit Bindings.
4. In Site Bindings, click Add.
5. In Add Site Binding, select https as Type. In the SSL certificate box, select LON-DC1.adatum.com, click OK, click Yes, and then click Close.
6. Close Internet Information Services (IIS) Manager.

Task 3: Configure Group Policy to deploy Work Folders


1. On LON-DC1, in Server Manager, click the Tools menu, and then select Group Policy Management.
2. In the Group Policy Management console, in the navigation pane, expand Forest: Adatum.com, expand Domains, expand Adatum.com, and then select Marketing.
3. Right-click Marketing, and then select Create a GPO in this domain, and Link it here.
4. In the Name field, type Deploy Work Folders, and then click OK.
5. Right-click Deploy Work Folders, and then select Edit.
6. In the Group Policy Management Editor, under User Configuration in the navigation pane, expand Policies, Administrative Templates, Windows Components, and then click the Work Folders node.
7. In the details pane, right-click Specify Work Folder settings, and then select Edit.
8. In the Specify Work Folder settings dialog box, select Enabled. In the Work Folders URL field, type https://lon-dc1.adatum.com, select the Force automatic setup check box, click OK, and then close the Group Policy Management Editor.
9. On LON-CL1, sign out, and then sign in as adatum\adam with Pa$$w0rd. On the Start screen, click the Desktop tile.
10. On the taskbar, click the File Explorer icon.
11. In This PC, in the navigation pane, click Work Folders. Right-click in the details pane, select New, select Text Document, and then name the file On LON-CL1.
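The server-side part of this exercise (Tasks 1 to 3) as one Windows PowerShell script, run in an elevated session on LON-DC1. This is an added example and not part of the original lab. It uses the lab's names (C:\syncshare1, the group Marketing, the URL https://lon-dc1.adatum.com) and assumes three things the lab does not spell out: that the Marketing container is an OU directly under Adatum.com, that a certificate with subject CN=LON-DC1.adatum.com is already in the server's computer certificate store, and that the Specify Work Folder settings policy writes the SyncUrl and AutoProvision values under HKCU\Software\Policies\Microsoft\Windows\WorkFolders as defined in the WorkFolders.admx template.

```powershell
# Added example, not from the original lab. Elevated Windows PowerShell on LON-DC1
# (Windows Server 2012 R2). Values marked "lab" come from the exercise text; the OU
# distinguished name, certificate lookup and policy registry names are assumptions.

# --- Task 1: role service and sync share -------------------------------------
Install-WindowsFeature -Name FS-SyncShareService | Out-Null

$shareParams = @{
    Name                    = 'Syncshare1'          # lab: default sync share name
    Path                    = 'C:\syncshare1'       # lab
    User                    = 'ADATUM\Marketing'    # lab: group granted sync access
    RequireEncryption       = $true                 # device policy left selected in the lab
    RequirePasswordAutoLock = $false                # device policy cleared in the lab
}
if (-not (Get-SyncShare -Name $shareParams.Name -ErrorAction SilentlyContinue)) {
    New-SyncShare @shareParams | Out-Null
}
Get-SyncShare -Name 'Syncshare1' | Format-List Name, Path, User, RequireEncryption

# --- Task 2: HTTPS binding on the Default Web Site ---------------------------
# Work Folders is reached over HTTPS only, and the certificate subject has to match
# the URL clients are given, otherwise setup on the device fails.
Import-Module WebAdministration
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*CN=LON-DC1.adatum.com*' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No certificate for LON-DC1.adatum.com in Cert:\LocalMachine\My' }

if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
    # Attach the certificate to the new 0.0.0.0:443 binding.
    New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -Value $cert | Out-Null
}
Get-WebBinding -Name 'Default Web Site' | Format-Table protocol, bindingInformation

# --- Task 3: GPO that points Marketing users at the server -------------------
Import-Module GroupPolicy
$gpoName = 'Deploy Work Folders'                     # lab
$ouDN    = 'OU=Marketing,DC=Adatum,DC=com'           # assumption: DN of the Marketing OU
$policy  = 'HKCU\Software\Policies\Microsoft\Windows\WorkFolders'   # per WorkFolders.admx

if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | New-GPLink -Target $ouDN | Out-Null
}
# "Specify Work Folder settings": Enabled, Work Folders URL, Force automatic setup.
Set-GPRegistryValue -Name $gpoName -Key $policy -ValueName 'SyncUrl' `
    -Type String -Value 'https://lon-dc1.adatum.com' | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $policy -ValueName 'AutoProvision' `
    -Type DWord -Value 1 | Out-Null

# Read the GPO back before pointing users at it.
Get-GPRegistryValue -Name $gpoName -Key $policy | Format-Table ValueName, Type, Value
```

Two checks worth doing before Task 4: the policy sits under User Configuration, so the GPO has to be linked where the Marketing user objects live, not where the computers are (gpresult /r on LON-CL1 after signing in as adatum\adam shows whether it applied); and every client has to trust the issuer of the certificate bound above, which is the usual reason a non-domain-joined device such as LON-CL4 fails at the Work Folders URL step.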

Task 4: Deploy Work Folders on a non-domain device


1. On LON-CL4, on the taskbar, right-click the Start icon, and then click Control Panel.
2. In Control Panel, in the Search Control Panel field, type work, and then click Work Folders.
3. On the Manage Work Folders page, click Set up Work Folders.
4. On the Enter your work email address page, click Enter a Work Folders URL instead.
5. On the Enter a Work Folders URL page, in the Work Folders URL box, type https://lon-dc1.adatum.com, and then click Next.
6. In the Windows Security dialog box, in the User name field, type adatum\adam, in the Password field, type Pa$$w0rd, and then click OK.
7. On the Introducing Work Folders page, review the local Work Folders location, and then click Next.
8. On the Security policies page, select the I accept these policies on my PC check box, and then click Set up Work Folders.
9. On the Work Folders has started syncing with this PC page, click Close. On the Work Folders page, verify that the On LON-CL1.txt file is displayed.

Task 5: Use Work Folders to synchronize files


1. On LON-CL4, in Work Folders, right-click in the details pane, select New, select Text Document, and then name the file On LON-CL4.
2. On LON-CL1, in Work Folders, verify that only the On LON-CL1 file is displayed.
Note: Work Folders synchronizes every 10 minutes automatically. You also have the option to trigger synchronization manually.
3. In File Explorer, in the navigation pane, right-click Work Folders, and then click Sync Now. Press F5 to refresh the view, and verify that both files, On LON-CL1.txt and On LON-CL4.txt, are displayed in the details pane.
4. On the taskbar, right-click the Start button, and then select Control Panel.
5. In Control Panel, in the Search Control Panel field, type network, and then click View network connections. Right-click Ethernet, and then select Disable. In the User Account Control dialog box, type Administrator as the User name and Pa$$w0rd as the Password, and then click Yes.
6. On LON-CL1, in Work Folders, double-click the On LON-CL1.txt file. The file opens in Notepad.
7. In Notepad, type Modified offline, close Notepad, and then click Save.
8. In Work Folders, right-click in the details pane, select New, select Text Document, and then name the file Offline LON-CL1.
9. On LON-CL4, in Work Folders, double-click the On LON-CL1.txt file. The file opens in Notepad.
10. In Notepad, type Online modification, close Notepad, and then click Save.
11. On LON-CL1, in Network Connections, right-click Ethernet, and then select Enable. In the User Account Control dialog box, type Administrator as the User name and Pa$$w0rd as the Password, and then click Yes.
12. Switch to Work Folders. Verify that four files are displayed in the details pane, including On LON-CL1 and On LON-CL1-LON-CL1. Because the file was modified at two locations, a conflict occurred and one of the copies was renamed.

Task 6: To prepare for the next module


When you have finished the lab, revert the virtual machines to their initial state.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687C-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20687C-LON-SVR1, 20687C-LON-SVR2, 20687C-LON-CL1, and 20687C-LON-CL4.

Results: After completing this exercise, you should have successfully configured the Work Folders feature.


Module 8: Implementing Network Security

Lab A: Configuring Inbound and Outbound Firewall Rules


Exercise 1: Creating an Inbound Windows Firewall Rule
Task 1: Test Remote Desktop connectivity
1. Sign in to LON-CL2 as Adatum\Administrator with password Pa$$w0rd.
2. On the Start screen, type Remote, and then click Remote Desktop Connection.
3. In the Computer field, type LON-CL1, and then press Enter.
4. Sign in to LON-CL1 as Adatum\Administrator with the course password.
5. Open the Start screen on LON-CL1, click Administrator, and then click Sign out.

Task 2: Configure an inbound firewall rule


1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. On the Start screen, click the Desktop tile.
3. Open the Settings charm, and then click Control Panel.
4. Click System and Security, and then click Windows Firewall.
5. In the left pane, click Advanced settings, right-click Inbound Rules, and then click New Rule.
6. In the New Inbound Rule Wizard window, select Predefined, click the drop-down box, click Remote Desktop, and then click Next.
7. On the Predefined Rules page, select all available rules, and then click Next.
8. On the Action page, select Block the connection, and then click Finish.
9. Minimize the Windows Firewall with Advanced Security window.

Task 3: Test the inbound firewall rule


1. Switch to LON-CL2.
2. From the Start screen, type Remote, and then click Remote Desktop Connection.
3. In the Computer field, type LON-CL1, and then press Enter.
4. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
5. Verify that the connection attempt fails.

Results: After completing this exercise, you should have created an inbound Windows Firewall rule.


Exercise 2: Create an Outbound Firewall Rule


Task 1: Test Remote Desktop connectivity
1. Switch to LON-CL1.
2. On the Start screen, type Remote, and then click Remote Desktop Connection.
3. In the Computer field, type LON-DC1, and then press Enter.
4. Sign in to LON-DC1 as Adatum\Administrator with password Pa$$w0rd.
5. Open the Start screen on LON-DC1, click Administrator, and then click Sign out.

Task 2: Configure an outbound rule


1. On LON-CL1, on the taskbar, click the Windows Firewall with Advanced Security window, and then click Outbound Rules.
2. In the Actions pane, click New Rule.
3. On the Rule Type page, verify that you are creating a Program rule, and then click Next.
4. On the Program page, browse to and select C:\Windows\System32\mstsc.exe, click Open, and then click Next.
5. On the Action page, verify that the action is Block the connection, and then click Next.
6. On the Profile page, verify that all profiles are selected, and then click Next.
7. On the Name page, type Block Outbound RDP to LON-DC1 in the Name field, and then click Finish.
8. In the Windows Firewall with Advanced Security window, click the Block Outbound RDP to LON-DC1 rule, and then in the Actions pane, click Properties.
9. Click the Scope tab, and then under the Remote IP address heading, select the These IP addresses option.
10. Under the Remote IP address heading, click Add, in the This IP address or subnet field, type 172.16.0.10, and then click OK.
11. In the Block Outbound RDP to LON-DC1 Properties dialog box, click OK.

Task 3: Test the outbound rule


1. From the Start screen, type Remote, and then click Remote Desktop Connection.
2. In the Computer field, type LON-DC1, and then press Enter.
3. In the Remote Desktop Connection dialog box, click OK.
4. Close all open windows.

Results: After completing this exercise, you should have configured and tested an outbound firewall rule.
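Both rules in this lab (the inbound Remote Desktop block from Exercise 1 and the outbound program rule from Exercise 2), created and then read back from an elevated Windows PowerShell session on LON-CL1. This is an added example, not part of the original lab: the rule name, the mstsc.exe path and the LON-DC1 address 172.16.0.10 are the lab's; setting the built-in Remote Desktop rule group to Block instead of cloning it through the Predefined wizard page is this example's choice, and the closing Test-NetConnection check is added to show what the program-based rule does not cover.

```powershell
# Added example, not from the original lab. Elevated Windows PowerShell on LON-CL1.
# Rule name, program path and 172.16.0.10 (LON-DC1) are the lab's values.

# --- Exercise 1: block inbound Remote Desktop --------------------------------
# The wizard's Predefined page copies the built-in "Remote Desktop" group (TCP and UDP
# 3389 plus Shadow) with Action Block. Setting the built-in group itself to Block has
# the same effect: the firewall evaluates block rules before allow rules, so any
# existing Remote Desktop allow rule no longer admits the connection.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -Enabled True -Action Block

Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Format-Table DisplayName, Enabled, Action -AutoSize

# --- Exercise 2: block outbound mstsc.exe to LON-DC1 only --------------------
$outParams = @{
    DisplayName   = 'Block Outbound RDP to LON-DC1'      # lab
    Direction     = 'Outbound'
    Program       = '%SystemRoot%\System32\mstsc.exe'   # lab: Remote Desktop client
    RemoteAddress = '172.16.0.10'                        # lab: LON-DC1, the Scope tab entry
    Action        = 'Block'
    Profile       = 'Any'                                # lab: all profiles selected
}
if (-not (Get-NetFirewallRule -DisplayName $outParams.DisplayName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule @outParams | Out-Null
}

# Read the rule back the way the Scope and Programs tabs show it.
$rule = Get-NetFirewallRule -DisplayName 'Block Outbound RDP to LON-DC1'
$rule | Get-NetFirewallAddressFilter     | Select-Object RemoteAddress
$rule | Get-NetFirewallApplicationFilter | Select-Object Program

# --- Scope check ---------------------------------------------------------------
# The outbound rule is bound to mstsc.exe. Any other client on this host still reaches
# TCP 3389 on LON-DC1, so this reports TcpTestSucceeded = True while mstsc.exe is
# blocked. If the intent is "no RDP to LON-DC1 from this host", block the port instead:
#   New-NetFirewallRule -DisplayName 'Block RDP to LON-DC1 (any client)' -Direction Outbound `
#       -Protocol TCP -RemotePort 3389 -RemoteAddress 172.16.0.10 -Action Block
Test-NetConnection -ComputerName LON-DC1 -Port 3389 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

For the inbound side, the same check run on LON-CL2 (Test-NetConnection -ComputerName LON-CL1 -Port 3389) should report TcpTestSucceeded False once the Exercise 1 rules are in place, which is the non-interactive version of Task 3.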

To prepare for the next lab


When you finish the lab, leave the virtual machines running, as they are needed for the next lab.


Lab B: Configuring IPsec Rules


Exercise 1: Creating and Configuring IPsec Rules
Task 1: Create an Internet Protocol security (IPsec) rule on LON-CL1
1. Switch to LON-CL1.
2. Open the Settings charm, and then on the Desktop menu, click Control Panel.
3. Click System and Security, and then click Windows Firewall.
4. In the left pane, click Advanced settings, and then click Connection Security Rules.
5. In the Actions pane, click New Rule.
6. On the Rule Type page, verify that Isolation is selected, and then click Next.
7. On the Requirements page, select Require authentication for inbound connections and request authentication for outbound connections, and then click Next.
8. On the Authentication Method page, select Computer and user (Kerberos V5), and then click Next.
9. On the Profile page, click Next.
10. On the Name page, in the Name text box, type Authenticate all inbound connections, and then click Finish.
11. Close the Windows Firewall with Advanced Security window.

Task 2: Test connectivity between LON-CL2 and LON-CL1


1. Switch to LON-CL2.
2. Open a Command Prompt window, type ping LON-CL1, and then press Enter.
3. Verify that the ping generated four Request timed out messages.
4. Close the Command Prompt window.

Task 3: Create an IPsec rule on LON-CL2 by using the Windows PowerShell command-line interface

1. On LON-CL2, from the Start screen, type Power, right-click Windows PowerShell, and then click Run as Administrator.
2. In the Administrator: Windows PowerShell window, type the following, and then press Enter:

New-NetIPsecRule -DisplayName "Authenticate all inbound connections" -InboundSecurity Require -OutboundSecurity Request -Phase1AuthSet ComputerKerberos -Phase2AuthSet UserKerberos

Note: The monitoring component for the newly created Connection Security Rule might not be created in a timely fashion. To force the creation of the monitoring component, perform the following steps:
1. Open the Settings charm, and then on the Desktop menu, click Control Panel.
2. Click System and Security, and then click Windows Firewall.
3. In the left pane, click Advanced settings.
4. Click Connection Security Rules.
5. Double-click Authenticate all inbound connections.
6. In the description field, type Requires inbound authentication, and then click OK.

Task 4: Test connectivity between LON-CL2 and LON-CL1


1. In the Administrator: Windows PowerShell window, type ping LON-CL1, and then press Enter.
2. Verify that the ping generated four Reply from 172.16.0.50: bytes=32 time=xms TTL=128 messages (your times might vary).
3. Open the Settings charm, click Control Panel, click System and Security, and then click Windows Firewall.
4. In the left pane, click Advanced settings.
5. In the left pane, expand Monitoring, and then expand Security Associations.
6. Click Main Mode, and then examine the information in the center pane.
7. Click Quick Mode, and then examine the information in the center pane.
8. Close all open windows.
9. In the host system, click the 20687C-LON-CL1 window.
10. From the Start screen, type Power, right-click Windows PowerShell, and then click Run as Administrator.
11. To examine the Main Mode Security Associations (SAs), run the following cmdlet:

Get-NetIPsecMainModeSA

12. To examine the Quick Mode SAs, run the following cmdlet:

Get-NetIPsecQuickModeSA
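The rule from Task 3 and the checks from Task 4 combined into one script, to be run in an elevated Windows PowerShell session on whichever host should require authenticated inbound traffic. This is an added example, not part of the original lab: the rule name, the Require/Request settings and the Kerberos authentication sets are exactly the lab's; scoping the rule to the 172.16.0.0/24 lab subnet with -RemoteAddress, and the two helper function names, are this example's additions.

```powershell
# Added example, not from the original lab. Elevated Windows PowerShell on LON-CL1 or
# LON-CL2. Rule name and auth sets are the lab's; the subnet scope is an assumption
# about the lab network (172.16.0.x addresses appear throughout the exercise).

function Set-LabIsolationRule {
    param(
        [string] $Name   = 'Authenticate all inbound connections',   # lab
        [string] $Subnet = '172.16.0.0/24'                           # assumption: lab subnet
    )
    if (-not (Get-NetIPsecRule -DisplayName $Name -ErrorAction SilentlyContinue)) {
        # Require: unauthenticated inbound packets are dropped. That is the "Request
        # timed out" LON-CL2 saw in Task 2 before it had a matching rule of its own.
        # Request: outbound falls back to clear text when the peer cannot negotiate, so
        # this host still reaches unmanaged systems; the protection is one-directional.
        # -RemoteAddress keeps hosts outside the lab subnet unaffected by the rule.
        New-NetIPsecRule -DisplayName $Name `
            -InboundSecurity Require -OutboundSecurity Request `
            -Phase1AuthSet ComputerKerberos -Phase2AuthSet UserKerberos `
            -RemoteAddress $Subnet | Out-Null
    }
    Get-NetIPsecRule -DisplayName $Name
}

function Get-LabIPsecState {
    # The counts behind Monitoring > Security Associations in the GUI. Zero SAs after
    # traffic to a peer that has the rule means negotiation failed; both machines must
    # be domain members able to reach a DC for Kerberos before the rule is at fault.
    [pscustomobject]@{
        MainModeSAs  = @(Get-NetIPsecMainModeSA).Count
        QuickModeSAs = @(Get-NetIPsecQuickModeSA).Count
    }
}

$peer = 'LON-CL1'      # when running on LON-CL2; use LON-CL2 when running on LON-CL1

Set-LabIsolationRule | Format-List DisplayName, Enabled, InboundSecurity, OutboundSecurity
ping $peer | Out-Null  # triggers negotiation; both hosts need the rule for this to succeed
Get-LabIPsecState
Get-NetIPsecMainModeSA | Format-List *   # endpoints, authentication and cipher suite per SA
```

Run the script on both lab clients in turn; only after the second host has the rule does the ping answer and the SA counts become non-zero, which is the behaviour Tasks 2 and 4 demonstrate by hand.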

Results: After completing this exercise, you should have created and tested IPsec rules.

To prepare for the next lab


When you finish the lab, leave the virtual machines running, as they are needed for the next lab.


Lab C: Configuring Malware Protection


Exercise 1: Configuring Windows Defender
Task 1: Perform a quick scan
1. Switch to LON-CL1.
2. Open the Settings charm, and then on the Desktop menu, click Control Panel.
3. Click View by:, select Large icons, and then click Windows Defender.
4. On the Windows Defender Home tab, ensure that the Quick scan option is selected.
5. Click Scan now, and then review the results.
6. Close Windows Defender.

Task 2: Test malware detection


1. Open File Explorer, and then browse to E:\Labfiles\Mod08\Malware.
2. In the Malware folder, open sample.txt in Notepad. The sample.txt file contains a text string that is used to test malware detection.
3. In the sample.txt file, delete both instances of <remove>, including the brackets.
4. Save and close the file.
5. Windows Defender immediately detects a potential threat. Shortly thereafter, sample.txt is removed from the Malware folder.

Task 3: Examine the Windows Defender history


1. Open the Settings charm, and then on the Desktop menu, click Control Panel.
2. Click Windows Defender.
3. In Windows Defender, click the History tab.
4. Click View details, and then review the results.
5. Select the check box for Virus:DOS/EICAR_Test_File, and then click Remove.
6. Close all open windows.
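The detection test from Task 2 and the history check from Task 3, done from an elevated Windows PowerShell session on LON-CL1 with the Defender module that ships in Windows 8.1. This is an added example, not part of the original lab. The lab's sample.txt carries the standard EICAR test string with <remove> markers; this script writes its own copy (the file name eicar.txt and the two function names are this example's) and then reads the detection back instead of opening the History tab.

```powershell
# Added example, not from the original lab. Elevated Windows PowerShell on LON-CL1.
# Assumes E:\Labfiles\Mod08\Malware exists (lab folder) and real-time protection is on.

function New-EicarTestFile {
    param([string] $Path = 'E:\Labfiles\Mod08\Malware\eicar.txt')   # lab folder, own file name
    # The standard 68-byte EICAR test string, built from two halves so this script file
    # is not itself flagged. Single quotes stop PowerShell expanding the $ characters.
    $eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$' + 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
    # Scanners only honour the string as the first 68 bytes of a small file, so write
    # plain ASCII (no BOM) and no trailing newline.
    [System.IO.File]::WriteAllText($Path, $eicar, [System.Text.Encoding]::ASCII)
    $Path
}

function Get-EicarDetection {
    param(
        [string] $Path,
        [int]    $WaitSeconds = 15   # real-time protection normally reacts within seconds
    )
    Start-Sleep -Seconds $WaitSeconds
    [pscustomobject]@{
        RealtimeOn  = -not (Get-MpPreference).DisableRealtimeMonitoring
        FileRemoved = -not (Test-Path -Path $Path)            # expected: True
        ThreatNames = @(Get-MpThreat |
                        Where-Object { $_.ThreatName -like '*EICAR*' } |
                        Select-Object -ExpandProperty ThreatName -Unique)
        LastAction  = Get-MpThreatDetection |
                        Sort-Object InitialDetectionTime -Descending |
                        Select-Object -First 1 -Property InitialDetectionTime, ActionSuccess, Resources
    }
}

$file = New-EicarTestFile
Get-EicarDetection -Path $file | Format-List
```

If FileRemoved comes back False, the first thing to read is RealtimeOn: with real-time protection off, nothing happens until a scan touches the file (Start-MpScan -ScanType CustomScan -ScanPath E:\Labfiles\Mod08\Malware). The lab's Task 1 quick scan is the interactive form of that.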

Results: After completing this exercise, you should have configured and used Windows Defender.

To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687C-LON-CL2, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20687C-LON-CL1 and 20687C-LON-DC1.


Module 9: Configuring File Access and Printers on Windows 8.1 Clients

Lab A: Configuring File Access


Exercise 1: Creating a Shared Folder for the Marketing Group
Task 1: Create a Marketing folder
1. Sign in to LON-CL1 as Adatum\Administrator.
2. Click the Desktop tile, and then click the File Explorer icon on the taskbar.
3. Navigate to E:\Labfiles\Mod09.
4. In the Mod09 window, right-click, point to New, and then click Folder.
5. Name the folder Marketing.

Task 2: Share the Marketing folder for Everyone


1. Click the Marketing folder.
2. On the menu bar, click Share, and then click Specific people.
3. In the File Sharing Wizard, click the drop-down list, select Everyone, and then click Add.
4. Verify that the Permission Level for Everyone is Read, and then click Share.
5. In the File Sharing Wizard, click Done.

Task 3: Configure NTFS permissions for the Marketing folder


1. Right-click the Marketing folder, and then click Properties.
2. In the Marketing Properties dialog box, click the Security tab, and then click Advanced.
3. In the Advanced Security Settings for Marketing dialog box, click Add.
4. In the Permission Entry for Marketing dialog box, click the Select a principal link.
5. In the Enter the object name to select field, type Marketing, and then click OK.
6. In the Basic permissions section, select the Modify check box.
7. In the Permission Entry for Marketing dialog box, click OK.
8. In the Advanced Security Settings for Marketing dialog box, click OK.
9. In the Marketing Properties dialog box, click OK.
10. Close all open windows.
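Tasks 1 to 3 as one script run in an elevated Windows PowerShell session on LON-CL1, followed by the permission read-back that explains the results Ed and Adam get in Tasks 4 and 6. This is an added example, not part of the original lab. The path, share name and the ADATUM\Marketing group are the lab's; the share-level entries are this example's explicit choice and are not a claim about what the File Sharing Wizard writes, and the helper function name is this example's own.

```powershell
# Added example, not from the original lab. Elevated Windows PowerShell on LON-CL1.

$path = 'E:\Labfiles\Mod09\Marketing'     # lab
New-Item -Path $path -ItemType Directory -Force | Out-Null

# --- Share level (Task 2) -------------------------------------------------------
# Over the network a user gets the MORE restrictive of the share and NTFS permissions.
# Giving Marketing only Read at the share would leave Adam read-only whatever NTFS says,
# so the group gets Change here and Modify in NTFS below. In production prefer
# Authenticated Users to Everyone: Everyone also matches anonymous (null-session)
# access wherever that is still enabled.
if (-not (Get-SmbShare -Name 'Marketing' -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name 'Marketing' -Path $path `
        -ReadAccess 'Everyone' -ChangeAccess 'ADATUM\Marketing' | Out-Null
}

# --- NTFS level (Task 3) --------------------------------------------------------
function Add-FolderAccess {
    param([string] $Folder, [string] $Identity, [string] $Rights)
    $acl  = Get-Acl -Path $Folder
    # Allow entry that is inherited by subfolders and files.
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Folder -AclObject $acl
}
Add-FolderAccess -Folder $path -Identity 'Everyone'         -Rights 'ReadAndExecute'  # wizard's Read level
Add-FolderAccess -Folder $path -Identity 'ADATUM\Marketing' -Rights 'Modify'          # Task 3

# --- What Ed and Adam will see in Tasks 4 and 6 -----------------------------------
Get-SmbShareAccess -Name 'Marketing' | Format-Table AccountName, AccessControlType, AccessRight
(Get-Acl -Path $path).Access |
    Where-Object { -not $_.IsInherited } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType

# Ed (not in Marketing): share Read + NTFS Read -> can list and open files; New > Text
#   Document fails with "Destination Folder Access Denied".
# Adam (in Marketing):   share Change + NTFS Modify -> can create and edit files.
```

The read-back is the step the GUI makes easy to skip: if an inherited entry on E:\Labfiles already grants Users more than Read, Ed's test in Task 4 succeeds and the lab result looks wrong for reasons that have nothing to do with the entries just added.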

Task 4: Attempt to access the Marketing folder as Ed


1. On LON-CL2, sign in as Adatum\Ed with password Pa$$w0rd.
2. Click the Desktop tile, and then on the taskbar, click File Explorer.
3. In the Address bar, type \\LON-CL1\Marketing, and then press Enter.
4. In the Marketing window, right-click, point to New, and then click Text Document.
5. In the Destination Folder Access Denied window, click Cancel.
6. Close the Marketing window.
7. Open the Start screen, click Ed Meadows, and then click Sign out.

Task 5: Sign in to LON-CL2 as Adam


Sign in to LON-CL2 as Adatum\Adam with password Pa$$w0rd.

Task 6: Attempt to access the Marketing folder as Adam


1. On the Start screen, click the Desktop tile, and then on the taskbar, click File Explorer.
2. In the Address bar, type \\LON-CL1\Marketing, and then press Enter.
3. In the Marketing window, right-click, point to New, and then click Text Document.
4. Name the file your name.
5. Close all windows, and then sign out.

Results: After completing this exercise, you should have created and shared a folder for the Marketing department.


Exercise 2: Configuring File and Folder Compression


Task 1: Compress a folder
1. Switch to LON-CL1.
2. In File Explorer, navigate to E:\Labfiles\Mod09.
3. Right-click the Windows8Docs folder, and then select Properties.
4. Note the Size and Size on disk attributes.
5. On the General tab, click Advanced.
6. Select the Compress contents to save disk space check box.
7. In the Advanced Attributes dialog box, click OK.
8. In the Windows8Docs Properties dialog box, click Apply.
9. In the Confirm Attribute Changes dialog box, ensure that the Apply changes to this folder, subfolders and files option is selected, and then click OK.
10. Note the change in the Size on disk attribute.
11. Click OK to close the Windows8Docs Properties dialog box.
12. Note that the Windows8Docs folder has changed color.
13. Double-click the Windows8Docs folder.
14. Note that all the files are now blue.
15. Close all open windows.

To prepare for the next lab


When you finish the lab, leave the virtual machines running, as they are needed for the next lab.

Results: After completing this exercise, you will have compressed a folder.


Lab B: Configuring Printers


Exercise 1: Creating and Sharing a Local Printer
Task 1: Add and share a local printer
1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. While on the Start screen, type control, and then click Control Panel in the search results.
3. In Control Panel, click the View devices and printers link.
4. In Devices and Printers, click the Add a printer link.
5. In the Add Printer Wizard, click The printer that I want isn't listed.
6. On the Find a printer by other options page, select the Add a local printer or network printer with manual settings option, and then click Next.
7. On the Choose a printer port page, in the Use an existing port drop-down list, select nul: (Local Port), and then click Next.
8. On the Install the printer driver page, in the Manufacturer list, select Microsoft.
9. In the Printers list, select Microsoft OpenXPS Class Driver, and then click Next.
10. On the Type a printer name page, in the Printer name field, type ManagersPrinter, and then click Next.
11. Review the Printer Sharing page, and then click Next.
12. Review the You've successfully added ManagersPrinter page, and then click Finish.

Task 2: Configure printer security


1. Open the Start screen.
2. Type Printmanagement.msc, and then press Enter.
3. In the navigation pane, click All Printers.
4. Right-click ManagersPrinter, and then select Properties.
5. In the ManagersPrinter Properties dialog box, click the Security tab.
6. Select Everyone, and then click Remove.
7. Click Add, in the Enter the object names to select field, type Managers, and then click OK.
8. In the ManagersPrinter Properties dialog box, click OK.
9. Right-click ManagersPrinter, and then select Pause Printing.
10. Leave the Print Management program open.

Task 3: Sign in to LON-CL2 as Ed


Sign in to LON-CL2 as Adatum\Ed with password Pa$$w0rd.

Task 4: Connect to a network printer


1. On the Start screen, type control.
2. In the Apps search results, click Control Panel.
3. In Control Panel, click the View devices and printers link.
4. In Devices and Printers, click the Add a printer link.
5. In the Add Printer Wizard, click The printer that I want isn't listed.
6. On the Find a printer by other options page, select the Select a shared printer by name option, and then click Browse.
7. In the Printer field, type \\LON-CL1, and then press Enter.
8. Double-click ManagersPrinter.
9. On the Find a printer by other options page, click Next.
10. Review the You've successfully added ManagersPrinter on LON-CL1 page, and then click Next.
11. On the You've successfully added ManagersPrinter on LON-CL1 page, click Print a test page.
12. Review the ManagersPrinter on LON-CL1 dialog box, and then click Close.
13. On the You've successfully added ManagersPrinter on LON-CL1 page, click Finish.
14. Close Devices and Printers.
15. On LON-CL1, in the Print Management app, verify that the Jobs In Queue column displays 1 for ManagersPrinter.
16. Right-click ManagersPrinter, and then select Resume Printing.
17. Close all open windows.

Task 5: Prepare for the next module


When you have finished the lab, revert all virtual machines back to their initial state:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687C-LON-CL2, and then click Revert.
3. In the Revert Virtual Machines dialog box, click Revert.
4. Repeat steps 2 to 3 for 20687C-LON-CL1 and 20687C-LON-DC1.

Results: After completing this exercise, you should have created, shared, and tested a printer.


Module 10: Securing Windows 8.1 Devices

Lab A: Implementing Local GPOs


Exercise 1: Creating Multiple Local GPOs
Task 1: Create a management console for multiple local Group Policy settings
1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. Open the Administrative menu by pressing Windows logo key+X, and then select Run.
3. In the Open box, type mmc, and then press Enter.
4. In Console1 [Console Root], click File, and then click Add/Remove Snap-in.
5. In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Group Policy Object Editor, and then click Add.
6. In the Select Group Policy Object dialog box, click Finish.
7. In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Group Policy Object Editor, and then click Add.
8. In the Select Group Policy Object dialog box, click Browse.
9. In the Browse for a Group Policy Object dialog box, click the Users tab.
10. In the Local Users and Groups compatible with Local Group Policy list, click Administrators, and then click OK.
11. In the Select Group Policy Object dialog box, click Finish.
12. In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Group Policy Object Editor, and then click Add.
13. In the Select Group Policy Object dialog box, click Browse.
14. In the Browse for a Group Policy Object dialog box, click the Users tab.
15. In the Local Users and Groups compatible with Local Group Policy list, click Non-Administrators, and then click OK.
16. In the Select Group Policy Object dialog box, click Finish.
17. In the Add or Remove Snap-ins dialog box, click OK.
18. In Console1 [Console Root], click File, and then click Save.
19. In the Save As dialog box, click Desktop.
20. In the File name box, type Multiple Local Group Policy Editor, and then click Save.

Task 2: Configure the local computer settings


1. In Multiple Local Group Policy Editor [Console Root], in the console tree, expand Local Computer Policy, expand User Configuration, expand Windows Settings, and then click Scripts (Logon/Logoff).
2. In the results pane, double-click Logon.
3. In the Logon Properties dialog box, click Add.
4. In the Add a Script dialog box, click Browse.
5. In the Browse dialog box, right-click in the empty folder, point to New, click Text Document, and then press Enter.
6. Right-click New Text Document, and then click Edit.
7. Type the following line (the quotation marks are part of the VBScript statement):

msgbox "Warning. You are not connected to the A Datum Domain."

8. Click File, click Save As, type RoamingScript.vbs, change Save as type: to All Files, and then click Save.
9. Close RoamingScript.vbs.
10. In the Browse dialog box, click the RoamingScript file, and then click Open.
11. In the Add a Script dialog box, click OK.
12. In the Logon Properties dialog box, click OK.

Task 3: Configure non-administrators security settings


1. In Multiple Local Group Policy Editor [Console Root], in the console tree, expand Local Computer\Non-Administrators Policy, expand User Configuration, expand Administrative Templates, and then click Control Panel.
2. In the results pane, double-click Prohibit access to Control Panel and PC settings.
3. In the Prohibit access to Control Panel and PC settings dialog box, click Enabled, and then click OK.

Results: After completing this exercise, you should have created and configured multiple local Group Policy Objects (MLGPOs) successfully.


Exercise 2: Testing the Application of the Local GPOs


Task 1: Sign in as a standard user to test the policies
1. Sign out of LON-CL1. To sign out, on your host computer, in the 20687C-LON-CL1 on localhost Virtual Machine Connection window, click the Action menu, press Ctrl+Alt+Delete, and then click Sign out.
2. Sign in to LON-CL1 as Adatum\Holly with password Pa$$w0rd. To sign in as a different user, click Other user, type the required credentials, and then press Enter.
3. On the Start screen, click the Desktop tile, click OK when prompted by the message box, and then click OK again.
Note: The message may not appear immediately.
4. Open the Administrative menu by pressing Windows logo key+X, and then click Control Panel.
5. In the Restrictions dialog box, click OK.

Task 2: Sign in as administrator to test the policies


1. Sign out, and then sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. On the Start screen, click the Desktop tile, click OK when prompted by the message box, and then click OK again.
Note: The message may not appear immediately.
3. Open the Administrative menu by pressing Windows logo key+X, and then click Control Panel.
4. Sign out of LON-CL1.

Results: After completing this exercise, you should have implemented and tested multiple local GPOs successfully.

Prepare for the next lab

When you are finished with the lab, leave the virtual machines running as they are needed for the next lab.


Lab B: Securing Data by Using BitLocker


Exercise 1: Protecting Files with BitLocker
Task 1: Configure GPO settings for BitLocker
1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. On the Start screen, type gpedit.msc, and then press Enter.
3. In the Local Group Policy Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then expand BitLocker Drive Encryption.
4. Click Operating System Drives, and then double-click Require additional authentication at startup.
5. In the Require additional authentication at startup dialog box, click Enabled, and then click OK.
6. Close the Local Group Policy Editor.
7. On the Start screen, type cmd.exe, and then press Enter.
8. At the command prompt, type gpupdate /force, and then press Enter.
9. Close all open windows.

Task 2: Enable BitLocker


1. On LON-CL1, click the Desktop tile on the Start screen.
2. On the taskbar, click File Explorer.
3. In the navigation pane, click This PC, right-click Local Disk (C:), and then click Turn on BitLocker.
4. In the BitLocker Drive Encryption (C:) dialog box, click Enter a password. This is necessary because the virtual machine does not support USB flash drives.
5. On the Create a password to unlock this drive page, in the Enter your password and Reenter your password boxes, type Pa$$w0rd, and then click Next.
6. On the How do you want to back up your recovery key? page, click Save to a file.
7. In the Save BitLocker recovery key as dialog box, click Allfiles (E:).
8. On the File Explorer toolbar, click New folder, type BitLocker, and then press Enter.
9. In the Save BitLocker recovery key as dialog box, click Open, click Save, click Yes, and then click Next.
10. On the BitLocker Drive Encryption (C:) page, click Continue.
11. When prompted, click Restart now.

Task 3: Complete the process of enabling BitLocker


1. During the restart sequence, when the BitLocker screen displays, in the Enter the password to unlock this drive box, type Pa$$w0rd, and then press Enter.
2. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
3. On the Start screen, click the Desktop tile.
4. On the taskbar, click File Explorer.
5. In the navigation pane, click This PC.
6. Right-click Local Disk (C:), and then click Manage BitLocker. The drive is being encrypted.
7. Close all open windows.
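Tasks 1 to 3 as one script for an elevated Windows PowerShell session on LON-CL1, with the status checks a practitioner wants before and after the restart. This is an added example, not part of the original lab. The drive letters, the E:\BitLocker folder and the absence of a TPM are the lab's situation; the two registry value names are those written by the Require additional authentication at startup policy (the FVE policy key), which is stated here as an assumption about the policy template; the recovery-password protector and the AD DS escrow line are this example's additions.

```powershell
# Added example, not from the original lab. Elevated Windows PowerShell on LON-CL1.

# --- Task 1: allow BitLocker without a TPM ----------------------------------------
# "Require additional authentication at startup" = Enabled, with "Allow BitLocker
# without a compatible TPM" checked (the default when the policy is enabled).
# Assumption: these are the values the policy writes; the Local Group Policy Editor
# path in Task 1 produces the same result after gpupdate.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name 'UseAdvancedStartup' -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name 'EnableBDEWithNoTPM' -Value 1 -Type DWord

# --- Task 2: protectors -----------------------------------------------------------
# A password protector is the weakest start-up option: nothing binds the key to the
# hardware, so whoever has the disk can guess offline. The lab uses it only because the
# VM has no TPM. Prompt for the password rather than embedding it in a script.
$unlock = Read-Host -Prompt 'Password to unlock C: at startup' -AsSecureString
Enable-BitLocker -MountPoint 'C:' -PasswordProtector -Password $unlock `
    -EncryptionMethod Aes256 -UsedSpaceOnly

# A recovery password so the volume can still be unlocked if the start-up password is lost.
Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
$recovery = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
    Select-Object -First 1

# Lab: "Save to a file" under E:\BitLocker. A recovery key kept on a disk of the same
# machine protects nothing once that machine is lost; in a domain, escrow it instead:
#   Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $recovery.KeyProtectorId
New-Item -Path 'E:\BitLocker' -ItemType Directory -Force | Out-Null
$keyFile = 'E:\BitLocker\BitLocker Recovery Key {0}.txt' -f $recovery.KeyProtectorId.Trim('{}')
@"
BitLocker Drive Encryption recovery key for $env:COMPUTERNAME, volume C:
Identifier:   $($recovery.KeyProtectorId)
Recovery Key: $($recovery.RecoveryPassword)
"@ | Set-Content -Path $keyFile

# --- Task 3: what to expect before and after the restart --------------------------
# Before the restart: ProtectionStatus Off, EncryptionPercentage 0; the start-up password
# is tested at the next boot and encryption begins only after it succeeds.
Get-BitLockerVolume -MountPoint 'C:' |
    Format-List VolumeStatus, ProtectionStatus, EncryptionMethod, EncryptionPercentage, KeyProtector
# Restart-Computer   # Task 2, step 11
```

Run the Get-BitLockerVolume line again after signing back in (Task 3, step 6): VolumeStatus should read EncryptionInProgress and then FullyEncrypted, and the KeyProtector list should show both the Password and the RecoveryPassword entries.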

Results: After completing this exercise, you should have encrypted the hard drive successfully.

Prepare for the next lab

When you are finished with the lab, leave the virtual machines running as they are needed for the next lab.


Lab C: Configuring and Testing UAC


Exercise 1: Modifying UAC Prompts
Task 1: Modify the User Account Control (UAC) prompts
1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. On the Start screen, type gpedit.msc, and then press Enter.
3. In the Local Group Policy Editor, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.
4. In the results pane, double-click User Account Control: Behavior of the elevation prompt for standard users.
5. In the User Account Control: Behavior of the elevation prompt for standard users dialog box, click Prompt for credentials on the secure desktop, and then click OK.

Task 2: Modify the UAC notification level


1. In the results pane, double-click User Account Control: Only elevate executables that are signed and validated.
2. In the User Account Control: Only elevate executables that are signed and validated dialog box, click Enabled, and then click OK.
3. In the results pane, double-click User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode.
4. In the User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode dialog box, click Prompt for consent on the secure desktop, and then click OK.
5. Close the Local Group Policy Editor, and then sign out.
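The three Security Options from Tasks 1 and 2 set through their registry-backed values, with a read-back before and after, for an elevated Windows PowerShell session on LON-CL1. This is an added example and not part of the original lab. The value names and the meaning of each number are those of the UAC policies under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System; the two function names are this example's own.

```powershell
# Added example, not from the original lab. Elevated Windows PowerShell on LON-CL1.

$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Values this lab touches and what the numbers mean:
#   ConsentPromptBehaviorUser   0 = automatically deny elevation requests,
#                               1 = prompt for credentials on the secure desktop,
#                               3 = prompt for credentials (default)
#   ConsentPromptBehaviorAdmin  2 = prompt for consent on the secure desktop (the slider's
#                               "Always notify"), 5 = prompt for consent for non-Windows
#                               binaries (default)
#   ValidateAdminCodeSignatures 1 = only elevate executables that are signed and validated
#   PromptOnSecureDesktop       1 = prompts are drawn on the secure desktop (default)
#   EnableLUA                   1 = UAC on; 0 switches Admin Approval Mode off entirely
function Get-UacSettings {
    Get-ItemProperty -Path $uacKey |
        Select-Object EnableLUA, ConsentPromptBehaviorAdmin, ConsentPromptBehaviorUser,
                      ValidateAdminCodeSignatures, PromptOnSecureDesktop
}

function Set-LabUacSettings {
    # Task 1: standard users get a credential prompt on the secure desktop.
    Set-ItemProperty -Path $uacKey -Name 'ConsentPromptBehaviorUser'   -Value 1 -Type DWord
    # Task 2: administrators consent on the secure desktop ("Always notify" in Task 3)...
    Set-ItemProperty -Path $uacKey -Name 'ConsentPromptBehaviorAdmin'  -Value 2 -Type DWord
    Set-ItemProperty -Path $uacKey -Name 'PromptOnSecureDesktop'       -Value 1 -Type DWord
    # ...and only signed, validated executables may elevate. Pilot this one: unsigned
    # installers and admin tools stop elevating and the user sees only "A referral was
    # returned from the server".
    Set-ItemProperty -Path $uacKey -Name 'ValidateAdminCodeSignatures' -Value 1 -Type DWord
}

Get-UacSettings          # before
Set-LabUacSettings
Get-UacSettings          # after: Admin=2, User=1, ValidateAdminCodeSignatures=1, SecureDesktop=1
# Task 3 then runs in a fresh session: Dan's Command Prompt (Admin) asks for credentials
# on the secure desktop, and the Administrator's UAC slider shows Always notify.
```

In managed environments the stricter choice for Task 1 is ConsentPromptBehaviorUser = 0 (automatically deny): standard users then never see a credential prompt at all, which removes the habit of typing an administrator password into whatever dialog appears.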

Task 3: Test the UAC settings


1. Sign in to LON-CL1 as Adatum\Dan with password Pa$$w0rd.
2. On the Start screen, click the Desktop tile.
3. Open the Administrative menu by pressing Windows logo key+X, and then click Command Prompt (Admin). The Windows operating system displays the User Account Control prompt.
4. In the User name field, type Administrator.
5. In the Password field, type Pa$$w0rd, and then click Yes.
6. Close the Command Prompt (Admin) console.
7. Sign out.
8. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
9. Open the Administrative menu by pressing Windows logo key+X, and then click Control Panel.
10. In Control Panel, click System and Security.
11. In System and Security, click Change User Account Control settings.
12. Verify that the slider is configured for Always notify.

Results: After completing this exercise, you should have reconfigured UAC notification behavior and prompts.
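The same three policies, applied and audited from PowerShell. This is an added example and not part of the course lab: it writes the registry values that the Local Group Policy Editor sets for these settings (the value mappings are the documented ones) and reads them back so you can spot drift. The function names are this example's own.

```powershell
# Added example (not part of the course lab): apply and audit the UAC
# policies from Lab C by writing the registry values that Local Group Policy
# sets, then read them back. Run in an elevated PowerShell on LON-CL1.
# Documented value mappings:
#   ConsentPromptBehaviorUser   1 = standard users: prompt for credentials on the secure desktop
#   ValidateAdminCodeSignatures 1 = only elevate executables that are signed and validated
#   ConsentPromptBehaviorAdmin  2 = Admin Approval Mode: prompt for consent on the secure desktop
#   PromptOnSecureDesktop       1 = prompts are shown on the secure desktop ("Always notify")
#   EnableLUA                   1 = UAC on (none of the above matters if this is 0)
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$desired = [ordered]@{
    EnableLUA                   = 1
    ConsentPromptBehaviorUser   = 1
    ValidateAdminCodeSignatures = 1
    ConsentPromptBehaviorAdmin  = 2
    PromptOnSecureDesktop       = 1
}

function Set-LabUacPolicy {
    foreach ($name in $desired.Keys) {
        Set-ItemProperty -Path $uacKey -Name $name -Value $desired[$name] -Type DWord
    }
}

function Test-LabUacPolicy {
    # One row per setting, so a value changed by another GPO or by hand is obvious
    $current = Get-ItemProperty -Path $uacKey
    foreach ($name in $desired.Keys) {
        $actual = $current.$name
        [pscustomobject]@{
            Setting   = $name
            Expected  = $desired[$name]
            Actual    = $actual
            Compliant = ($actual -eq $desired[$name])
        }
    }
}

Set-LabUacPolicy
Test-LabUacPolicy | Format-Table -AutoSize
```

Two caveats a practitioner would want: ValidateAdminCodeSignatures=1 makes elevation fail outright for any unsigned binary or one whose signature does not chain to a trusted root, including unsigned administrative tools, so test it against what your administrators actually run before deploying it; and these registry writes are equivalent to the local policy but are overwritten by any domain GPO that configures the same settings. A change to EnableLUA takes effect only after a restart.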

Prepare for the next module


When you are finished with the lab, revert all virtual machines back to their initial state:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687C-LON-CL1, and then click Revert.
3. In the Revert Virtual Machines dialog box, click Revert.
4. Repeat steps 2 to 3 for 20687C-LON-DC1.


Module 11: Configuring Applications for Windows 8.1

Lab A: Configuring Internet Explorer Security


Exercise 1: Configuring Internet Explorer
Task 1: Enable Compatibility View in Internet Explorer
1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. On the Start screen, click the Desktop tile.
3. On the taskbar, click Internet Explorer.
4. Right-click the bar to the left of the home symbol, and then click Menu bar.
5. On the menu bar, click Tools, and then click Compatibility View settings.
6. Verify that Internet Explorer uses Microsoft compatibility lists, and then click Close.

Task 2: Delete browsing history


1. On the Tools menu, click Internet options.
2. On the General tab, under Browsing history, click Delete.
3. In the Delete Browsing History dialog box, select the Preserve Favorites website data and History check boxes. Clear all other options, click Delete, and then click OK.
4. Close Internet Explorer.
5. On LON-CL1, click the Internet Explorer icon on the taskbar.
6. In the Address bar, type http://LON-DC1, and then press Enter.
7. Click the Down Arrow next to the Address bar to confirm that the address you typed is stored.
8. In Internet Explorer, on the Tools menu, click Internet options.
9. Click the General tab. Under Browsing history, click Delete.
10. In the Delete Browsing History dialog box, clear the Preserve Favorites website data check box, select the Temporary Internet files and website files, Cookies and website data, and History check boxes, and then click Delete.
11. Click OK to close the Internet options dialog box.
12. Confirm that there are no addresses stored in the Address bar by clicking the Down Arrow next to the Address bar.

Task 3: Configure InPrivate Browsing


1. On the Tools menu, click InPrivate Browsing.
2. In the Address bar, type http://LON-DC1, and then press Enter.
3. Confirm that the address you typed is not stored by clicking the Down Arrow next to the Address bar.
4. Close the InPrivate Browsing window.
5. Close Internet Explorer.


Task 4: Configure intranet security settings


1. On LON-CL1, click the Internet Explorer icon on the taskbar.
2. In the Address bar, type http://LON-DC1, and then press Enter.
3. In Internet Explorer, on the Tools menu, click Internet options.
4. On the Security tab, click Local intranet, and then under Security level for this zone, move the slider to High, and then click OK.
5. On the A. Datum intranet home page, click Current Projects.
6. Close the new tab.
7. In Internet Explorer, on the Tools menu, click Internet options.
8. On the Security tab, click Trusted sites, and then click Sites.
9. In the Trusted sites dialog box, clear the Require server verification (https:) for all sites in this zone check box, click Add, and then click Close.
10. In the Internet options dialog box, click OK.
11. On the A. Datum intranet home page, click Current Projects.

Task 5: View the add-on management interface


1. On the Tools menu, click Manage add-ons.
2. In the left navigation pane, click Search Providers.
3. In the right navigation pane, click Bing.
4. In the left navigation pane, click Accelerators.
5. In the left navigation pane, click Tracking Protection.
6. Click Close.

Task 6: Download a file


1. In the Address bar, type http://LON-DC1, and then press Enter.
2. Click Download Current Projects.
3. In the Internet Explorer dialog box, click Save.
4. In the banner, click View downloads.
5. In View Downloads - Windows Internet Explorer, click Open.
6. The file opens in Microsoft Office Excel.
7. Close Excel and Internet Explorer.
8. Sign out from LON-CL1.

Results: After completing this exercise, you should have successfully configured security and compatibility settings in Internet Explorer.
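The zone and history changes from Tasks 2 and 4, scripted for the current user so they can be applied and verified without the dialog boxes. This is an added example, not part of the course lab; it writes the documented Internet Settings registry locations (zone 1 is Local intranet, zone 2 is Trusted sites; CurrentLevel 0x12000 is High) and calls the same history-clearing routine that the Internet options dialog box uses. Function names and the report format are this example's own.

```powershell
# Added example (not part of the course lab): script the Task 2 and Task 4
# Internet Explorer settings for the current user and report the result.
#   Zones\1 = Local intranet, Zones\2 = Trusted sites
#   CurrentLevel 0x12000 = High, 0x11000 = Medium, 0x10500 = Medium-low
$zones   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

function Set-IeZoneLevel {
    param([int]$Zone, [int]$Level)
    Set-ItemProperty -Path "$zones\$Zone" -Name CurrentLevel -Value $Level -Type DWord
}

function Add-IeZoneSite {
    # Maps a host to a zone for one URL scheme. An 'http' mapping into Trusted
    # sites is what the UI writes after "Require server verification (https:)"
    # is cleared and Add is clicked.
    param([string]$HostName, [int]$Zone, [string]$Scheme = 'http')
    $key = Join-Path $zoneMap $HostName
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $Scheme -Value $Zone -Type DWord
}

function Get-IeZoneReport {
    # Effective level of each zone plus every explicit site-to-zone mapping
    $levels = 1..4 | ForEach-Object {
        $p = Get-ItemProperty -Path "$zones\$_"
        [pscustomobject]@{ Zone = $_; Name = $p.DisplayName; CurrentLevel = ('0x{0:X}' -f $p.CurrentLevel) }
    }
    $sites = Get-ChildItem -Path $zoneMap -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        foreach ($scheme in 'http', 'https', '*') {
            if ($null -ne $props.$scheme) {
                [pscustomobject]@{ Site = $_.PSChildName; Scheme = $scheme; Zone = $props.$scheme }
            }
        }
    }
    [pscustomobject]@{ Levels = $levels; Sites = $sites }
}

# Task 4: Local intranet to High, then the intranet server into Trusted sites over http
Set-IeZoneLevel -Zone 1 -Level 0x12000
Add-IeZoneSite -HostName 'LON-DC1' -Zone 2 -Scheme 'http'

# Task 2: clear browsing history. Flag 255 = delete everything (history,
# cookies, temporary files, form data and saved passwords), which is broader
# than the lab's step 10; use 1 (history) + 2 (cookies) + 8 (temporary files) = 11
# to match it exactly.
Start-Process -FilePath RunDll32.exe -ArgumentList 'InetCpl.cpl,ClearMyTracksByProcess 11' -Wait

$report = Get-IeZoneReport
$report.Levels | Format-Table -AutoSize
$report.Sites  | Format-Table -AutoSize
```

The check worth keeping in mind when you do this outside the lab: a plain-http host in Trusted sites gets the relaxed zone settings for whoever answers to that name, so anything that can spoof LON-DC1 on the network inherits them. Leave Require server verification (https:) on for production trusted-site entries, and prefer the Site to Zone Assignment List policy over per-user registry edits so the mappings are enforced centrally.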

Prepare for the next lab

When you have finished the lab, leave the virtual machines running, as they are needed for the next lab.


Lab B: Configuring AppLocker


Exercise 1: Configuring AppLocker Rules
Task 1: Create a new executable rule
1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. On the Start screen, type gpedit.msc, and then press Enter.
3. In the Local Group Policy Editor, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Application Control Policies, and then double-click AppLocker.
4. Right-click Executable Rules, and then click Create New Rule.
5. In the Create Executable Rules Wizard, click Next.
6. On the Permissions page, click Deny, and then click Select.
7. In the Select User or Group dialog box, in the Enter the object names to select (examples) box, type IT, click Check Names, click OK, and then click Next.
8. On the Conditions page, click Path, and then click Next.
9. Click Browse Files, in the File name box, type C:\Program Files\Windows Media Player\wmplayer.exe, and then click Open.
10. Click Next twice, and then click Create.
11. Click Yes when prompted to create default rules.

Task 2: Enforce AppLocker rules


1. In the Local Group Policy Editor, right-click AppLocker, and then click Properties.
2. On the Enforcement tab, under Executable rules, select the Configured check box, click Enforce rules, and then click OK.
3. Close the Local Group Policy Editor.
4. Open the Administrative menu by pressing Windows logo key+X, and then click Windows PowerShell.
5. At the Windows PowerShell command prompt, type gpupdate /force, and then press Enter. Wait for the policy to update.
6. Sign out from LON-CL1.

Results: After completing this exercise, you should have created the required AppLocker rule successfully.


Exercise 2: Testing the AppLocker Rules


Task 1: Confirm the executable rule enforcement
1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. Open the Administrative menu by pressing Windows logo key+X, and then click Computer Management.
3. Expand Event Viewer, expand Windows Logs, and then click System.
4. In the results pane, locate and click the latest event with Event ID 1502. Review the event message details on the General tab.
5. Expand Services and Applications, and then click Services.
6. Right-click the Application Identity service, and then click Start.
7. Sign out from LON-CL1.

Task 2: Test the enforcement


1. Sign in to LON-CL1 as Adatum\Holly with password Pa$$w0rd.
2. On the Start screen, type Media Player, and then click Windows Media Player.
3. Sign out, and then sign in as Adatum\Administrator with password Pa$$w0rd.
4. Open the Administrative menu by pressing Windows logo key+X, and then click Event Viewer.
5. In Event Viewer, expand Applications and Services Logs, expand Microsoft, expand Windows, expand AppLocker, and then click EXE and DLL.
6. Review the entries in the results pane. Locate Event ID 8004. This shows that Holly attempted to run a prohibited application.
7. Close Event Viewer.
8. Sign out.

Results: After completing this exercise, you should have verified the function of your executable AppLocker rule successfully.
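The rule set from Lab B, Exercise 1 built and applied with the AppLocker cmdlets, followed by the checks that Exercise 2 makes through Event Viewer. This is an added example, not part of the course lab: the policy XML is written by hand (the wizard's default rules plus the deny rule for IT), it is evaluated with Test-AppLockerPolicy before being applied locally, and the Application Identity service is set to start automatically rather than being started once by hand. The group ADATUM\IT and user ADATUM\Holly are the lab's; the helper function name and the rule names are this example's own.

```powershell
# Added example (not part of the course lab): build the Lab B executable
# rules in XML, apply them to the local computer, make sure AppIDSvc runs,
# and read the AppLocker log the way Exercise 2 does. Run elevated on LON-CL1.
function Get-AccountSid([string]$Account) {
    (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

$itSid = Get-AccountSid 'ADATUM\IT'
$wmp   = 'C:\Program Files\Windows Media Player\wmplayer.exe'

# The wizard's default rules (Everyone: Program Files and Windows;
# Administrators: everything) plus the Deny rule for IT. Path rules use
# AppLocker's path variables, and every rule needs its own GUID.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny IT: Windows Media Player" Description="" UserOrGroupSid="$itSid" Action="Deny">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\Windows Media Player\wmplayer.exe" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files located in the Program Files folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files located in the Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = Join-Path $env:TEMP 'lab-applocker.xml'
$policyXml | Set-Content -Path $policyPath -Encoding UTF8

# Evaluate first: what would happen for Holly, without enforcing anything yet
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $wmp, 'C:\Windows\System32\notepad.exe' -User 'ADATUM\Holly' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply to the local policy (merged with what is already there). AppLocker
# evaluates nothing unless the Application Identity service is running, which
# is why Exercise 2 starts it; making it Automatic keeps it that way after a restart.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Confirm the effective Exe rules, then look for 8004 (blocked) and 8003
# (would have been blocked under audit-only) in the AppLocker log
(Get-AppLockerPolicy -Effective).RuleCollections |
    Where-Object { $_.RuleCollectionType -eq 'Exe' } |
    ForEach-Object { foreach ($rule in $_) { $rule } } |
    Format-Table Name, Action, UserOrGroupSid -AutoSize
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -in 8003, 8004 } |
    Select-Object TimeCreated, Id, Message -First 10
```

The caveat that matters for this rule: a Deny by path only covers that path. The decision for a copy of wmplayer.exe placed somewhere else falls back to the Allow rules, so the rule is only as strong as the writable locations those Allow rules cover. A publisher rule ties the decision to the file's signature instead of its location and is the better choice when the goal is to keep a specific application from running.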

Prepare for the next module


When you have finished the lab, revert all virtual machines to their initial state:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687C-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20687C-LON-DC1.


Module 12: Optimizing and Maintaining Windows 8.1 Computers

Lab A: Optimizing Windows 8.1 Performance


Exercise 1: Creating a Performance Baseline
Task 1: Establish a performance baseline
1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. At the bottom left corner, right-click the Windows icon, and then click Control Panel.
3. Click System and Security, and then click Administrative Tools.
4. Double-click Performance Monitor.
5. In Performance Monitor, in the navigation pane, expand Data Collector Sets.
6. Expand User Defined, right-click User Defined, point to New, and then click Data Collector Set.
7. In the Create new Data Collector Set Wizard, on the How would you like to create this new data collector set? page, in the Name box, type Adatum Baseline.
8. Click Create manually (Advanced), and then click Next.
9. On the What type of data do you want to include? page, select the Performance counter check box, and then click Next.
10. On the Which performance counters would you like to log? page, in the Sample interval box, type 1, and then click Add.
11. In the Available counters list, expand Memory, select Pages/sec, and then click Add.
12. In the Available counters list, expand Network Interface, select Packets/sec, and then click Add.
13. In the Available counters list, expand PhysicalDisk, select % Disk Time, and then click Add.
14. Under PhysicalDisk, select Avg. Disk Queue Length, and then click Add.
15. In the Available counters list, expand Processor, select % Processor Time, and then click Add.
16. In the Available counters list, expand System, select Processor Queue Length, click Add, and then click OK.
17. On the Which performance counters would you like to log? page, click Next.
18. On the Where would you like the data to be saved? page, click Next.
19. On the Create the data collector set? page, click Finish.
20. In Performance Monitor, in the navigation pane, right-click Adatum Baseline, and then click Start.
21. Pause the pointer over the lower-right corner of the desktop, and then click Start.
22. On the Start screen, click the down arrow, and then in Apps, click Word 2013.
23. In the User Name dialog box, click OK.
24. In Microsoft Word 2013, if prompted to Help Protect and Improve Microsoft Office, click Don't make changes, and then click OK.
25. Pause the pointer over the lower-right corner of the desktop, and then click Start.
26. On the Start screen, click the down arrow, and then in Apps, click Excel 2013.
27. Pause the pointer over the lower-right corner of the desktop, and then click Start.
28. On the Start screen, click the down arrow, and then in Apps, click PowerPoint 2013.
29. Close all open Microsoft Office apps, and then switch to Performance Monitor.
30. In the navigation pane, right-click Adatum Baseline, and then click Stop.

Task 2: View the baseline report


1. In Performance Monitor, in the navigation pane, expand Reports, expand User Defined, expand Adatum Baseline, and then click the report that has a name that begins with LON-CL1. View the chart.
2. On the menu bar, click the drop-down arrow, and then click Report.
3. Record the following values:
   o Memory\Pages/sec
   o Network Interface\Packets/sec
   o PhysicalDisk\% Disk Time
   o PhysicalDisk\Avg. Disk Queue Length
   o Processor\% Processor Time
   o System\Processor Queue Length

Results: After completing this exercise, you should have created a performance baseline.


Exercise 2: Introducing Additional Workload


Task 1: Create a load on the computer
1. On LON-CL1, in Performance Monitor, in the navigation pane, right-click Adatum Baseline, and then click Start.
2. From the Start screen, type cmd, and then click Command Prompt.
3. In the Administrator: Command Prompt window, type E:\Labfiles\Mod12\Load.cmd, and then press Enter.

Results: After completing this exercise, you should have generated additional load on the computer.


Exercise 3: Measuring System Responsiveness Under Load


Task 1: Identify performance bottlenecks in the computer
1. Switch to the Administrative Tools window.
2. Double-click Resource Monitor.
3. In Resource Monitor, which components are under strain?
   Answers will vary depending on the usage scenario and host configuration, although the central processing unit (CPU) and network likely are being used heavily.
4. After a few minutes, click OK at the prompt, and then close the instance of C:\Windows\System32\Cmd.exe that the script launched, if necessary.
5. Switch to Performance Monitor.
6. In the navigation pane, right-click Adatum Baseline, and then click Stop.
7. In Performance Monitor, in the navigation pane, expand Reports, expand User Defined, expand Adatum Baseline, and then click the second report that has a name that begins with LON-CL1.
8. View the chart. On the menu bar, click the drop-down arrow, and then click Report.
9. Record the component details:
   o Memory\Pages/sec
   o Network Interface\Packets/sec
   o PhysicalDisk\% Disk Time
   o PhysicalDisk\Avg. Disk Queue Length
   o Processor\% Processor Time
   o System\Processor Queue Length
10. In your opinion, which components are affected the most?
   The script is affecting the CPU and network. However, no resources are approaching limits.
11. Close all open windows and programs, and then go back to the Start screen.

Results: After completing this exercise, you should have identified the computer's performance bottleneck.
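The baseline-then-compare procedure of Exercises 1 to 3 done with Get-Counter instead of a data collector set, so the comparison is a table rather than two reports read side by side. This is an added example, not part of the course lab. It samples the same six counters, saves the idle averages, and flags counters that rise well above them on a later run; the 3x ratio and the 30-sample window are arbitrary values chosen for the example, and the function names are its own. The same comparison is the basis for noticing a host that is suddenly busy for no known reason, which is why a baseline is worth keeping even when performance is not the concern.

```powershell
# Added example (not part of the course lab): sample the six Adatum Baseline
# counters with Get-Counter, save an idle baseline, and compare a later run
# (for example while E:\Labfiles\Mod12\Load.cmd is running) against it.
$counters = @(
    '\Memory\Pages/sec',
    '\Network Interface(*)\Packets/sec',
    '\PhysicalDisk(_Total)\% Disk Time',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\Processor(_Total)\% Processor Time',
    '\System\Processor Queue Length'
)

function Get-CounterAverages {
    # Average of each counter over $Samples one-second samples. Instances of
    # the same counter (several NICs, say) are summed before averaging.
    param([int]$Samples = 30)
    $sets = Get-Counter -Counter $counters -SampleInterval 1 -MaxSamples $Samples
    $acc = @{}
    foreach ($set in $sets) {
        foreach ($s in $set.CounterSamples) {
            # Drop the "\\machine" prefix and the "(instance)" part so runs compare by counter name
            $name = ($s.Path -replace '^\\\\[^\\]+', '') -replace '\([^)]*\)', ''
            $acc[$name] = [double]$acc[$name] + $s.CookedValue
        }
    }
    $result = @{}
    foreach ($k in $acc.Keys) { $result[$k] = [math]::Round($acc[$k] / $Samples, 2) }
    $result
}

function Compare-ToBaseline {
    # Flags a counter when it is at least $Ratio times its baseline (or is
    # non-zero where the baseline was zero). The ratio is an example value.
    param([hashtable]$Baseline, [hashtable]$Current, [double]$Ratio = 3.0)
    foreach ($k in ($Baseline.Keys | Sort-Object)) {
        $b = $Baseline[$k]
        $c = $Current[$k]
        $flag = ''
        if ($b -gt 0 -and $c -ge $Ratio * $b) { $flag = 'ABOVE BASELINE' }
        elseif ($b -eq 0 -and $c -gt 0)       { $flag = 'NEW LOAD' }
        [pscustomobject]@{ Counter = $k; Baseline = $b; Current = $c; Flag = $flag }
    }
}

$baselinePath = Join-Path $env:TEMP 'adatum-baseline.xml'

# First run: capture the baseline while the computer is idle and save it
if (-not (Test-Path $baselinePath)) {
    Get-CounterAverages -Samples 30 | Export-Clixml -Path $baselinePath
    Write-Host "Baseline saved to $baselinePath. Start the load, then run this again."
    return
}

# Later run: compare the current averages with the saved baseline
$baseline = Import-Clixml -Path $baselinePath
$current  = Get-CounterAverages -Samples 30
Compare-ToBaseline -Baseline $baseline -Current $current | Format-Table -AutoSize
```

Delete the saved XML to take a fresh baseline. Averages over 30 seconds hide short spikes; lengthen the window, or keep the raw samples, if the question is about bursts rather than sustained load.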

To prepare for the next lab

When you have finished the lab, leave the virtual machines running, as they are needed for the next lab.


Lab B: Maintaining Windows Updates


Exercise 1: Configuring Windows Update
Task 1: Verify that Automatic Updates are disabled
1. Switch to LON-CL1, and from the Start screen, click Desktop.
2. Pause the pointer in the lower-right corner of the display, and then click Settings.
3. Click Control Panel, and then click System and Security.
4. Click Windows Update, and then click Change settings.
5. Click Never check for updates (not recommended), and then click OK.

Task 2: Enable Automatic Updates in Group Policy


1. Switch to LON-DC1, and then sign in as Adatum\Administrator with password Pa$$w0rd.
2. Pause the pointer over the lower-right corner of the desktop display, and then click Start.
3. On the Start screen, click Administrative Tools, and then double-click Group Policy Management.
4. If necessary, expand Forest: Adatum.com, expand Domains, and then expand Adatum.com.
5. Right-click Default Domain Policy, and then click Edit.
6. Under Computer Configuration, expand Policies, expand Administrative Templates, expand Windows Components, and then click Windows Update.
7. In the results pane, double-click Configure Automatic Updates.
8. In the Configure Automatic Updates window, click Enabled.
9. In the Configure automatic updating box, click 4 - Auto download and schedule the install, and then click OK.
10. Close the Group Policy Management Editor window.
11. Close the Group Policy Management window.

Task 3: Verify that the Automatic Updates setting from the Group Policy Object is being applied
1. Switch to LON-CL1.
2. Pause the pointer in the lower-right corner of the display, and then click Start.
3. On the Start screen, type Command.
4. Click Command Prompt.
5. At the command prompt, type gpupdate /force, and then press Enter.
6. Close the Command Prompt window.
7. Switch to Windows Update.
8. Notice that your computer is now configured for Automatic Updates.

Results: After completing this exercise, you should have configured Windows Update settings by using Group Policy Objects.
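The Task 2 policy set from PowerShell on LON-DC1, with the Task 3 check done on the client by reading the policy key rather than the Control Panel page. This is an added example, not part of the course lab; it uses the GroupPolicy module's Set-GPRegistryValue with the documented Windows Update policy values (Configure Automatic Updates: Enabled is NoAutoUpdate 0, option 4 is AUOptions 4). The GPO name defaults to the one the lab edits; the function names are this example's own.

```powershell
# Added example (not part of the course lab): set the Lab B Windows Update
# policy on LON-DC1 and confirm on LON-CL1 that the policy, not the local
# Control Panel setting, is what applies. Needs the GroupPolicy module
# (RSAT or a domain controller).
Import-Module GroupPolicy

# The lab edits the Default Domain Policy. In production use a dedicated GPO
# so the default one stays minimal, for example after
#   New-GPO -Name 'Windows Update' | New-GPLink -Target 'DC=Adatum,DC=com'
# and pass that name instead.
$gpoName = 'Default Domain Policy'
$auKey   = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

function Set-LabWindowsUpdatePolicy {
    param([string]$Gpo)
    # "Configure Automatic Updates: Enabled" = NoAutoUpdate 0;
    # "4 - Auto download and schedule the install" = AUOptions 4
    Set-GPRegistryValue -Name $Gpo -Key $auKey -ValueName NoAutoUpdate -Type DWord -Value 0 | Out-Null
    Set-GPRegistryValue -Name $Gpo -Key $auKey -ValueName AUOptions    -Type DWord -Value 4 | Out-Null
    Get-GPRegistryValue -Name $Gpo -Key $auKey | Select-Object ValueName, Value
}

function Test-LabWindowsUpdatePolicy {
    # Run on the client after gpupdate /force. Values under Policies win over
    # the per-computer setting the lab changed in Task 1.
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    $local  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PolicyApplied   = ($null -ne $policy -and $policy.NoAutoUpdate -eq 0 -and $policy.AUOptions -eq 4)
        PolicyAUOptions = $policy.AUOptions
        LocalAUOptions  = $local.AUOptions
    }
}

# On LON-DC1:
Set-LabWindowsUpdatePolicy -Gpo $gpoName

# On LON-CL1, after running gpupdate /force:
# Test-LabWindowsUpdatePolicy
```

PolicyApplied is the value to watch: if it stays false after gpupdate, the GPO is not reaching the computer (check gpresult /r for the link and any security filtering) rather than Windows Update ignoring it.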


To prepare for the next module


When you have finished the lab, revert all virtual machines back to their initial state:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687C-LON-CL1, and then click Revert.
3. In the Revert Virtual Machines dialog box, click Revert.
4. Repeat steps 2 to 3 for 20687C-LON-DC1.


Module 13: Configuring Mobile Computing and Remote Access

Lab A: Configuring a Power Plan


Exercise 1: Creating and Configuring a New Power Plan
Task 1: Create a power plan on Adams laptop computer
1. Sign in to LON-CL1 as Adatum\Adam with password Pa$$w0rd.
2. On the Start screen, type Control Panel.
3. Click Control Panel.
4. Click System and Security, and then click Power Options.
5. On the left, click Create a power plan.
6. On the Create a power plan page, click Power saver.
7. In the Plan name box, type Adam's power-saving plan, and then click Next.
8. On the Change settings for the plan: Adam's power-saving plan page, click Create.

Task 2: Configure the power plan


1. In Power Options, next to Adam's power-saving plan, click Change plan settings.
2. On the Change settings for the plan: Adam's power-saving plan page, click Change advanced power settings.
3. Configure the following properties for the plan, and then click OK.
   o Turn off hard disk after: 3 minutes
   o Wireless Adapter Settings, Power Saving Mode: Maximum Power Saving
   o Power buttons and lid, Power button action: Shut down
4. On the Change settings for the plan: Adam's power-saving plan page, click Cancel.
5. Close Power Options.
6. Sign out from LON-CL1.

Results: After completing this exercise, you should have successfully created and configured a suitable power plan for Adam's laptop computer.
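The same plan created with powercfg, which is what you use when the plan has to be rolled out to more than one laptop. This is an added example, not part of the course lab. The Power saver scheme GUID and the Wireless Adapter Settings / Power Saving Mode GUIDs are the built-in ones; SUB_DISK, DISKIDLE, SUB_BUTTONS and PBUTTONACTION are powercfg's built-in aliases. The function names are this example's own.

```powershell
# Added example (not part of the course lab): create and configure Adam's
# power-saving plan with powercfg, the scriptable equivalent of Power Options.
$powerSaver  = 'a1841308-3541-4fab-bc81-f71556f20b4a'   # built-in Power saver scheme
$wirelessSub = '19cbb8fa-5279-450e-9fac-8a3d5fedd0c1'   # Wireless Adapter Settings subgroup
$wirelessPsm = '12bbebe6-58d6-4636-95bb-3217ef867c1a'   # Power Saving Mode setting

function New-LabPowerPlan {
    param([string]$Name)
    # /duplicatescheme prints "Power Scheme GUID: <guid>  (<name>)"; take the GUID
    $out  = (powercfg /duplicatescheme $powerSaver) -join ' '
    $guid = [regex]::Match($out, '[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}').Value
    if (-not $guid) { throw "powercfg did not return a scheme GUID: $out" }
    powercfg /changename $guid $Name | Out-Null
    $guid
}

function Set-LabPowerPlanSettings {
    param([string]$Guid)
    # Set the AC and DC values so the plan behaves the same on battery
    foreach ($mode in 'setacvalueindex', 'setdcvalueindex') {
        powercfg "/$mode" $Guid SUB_DISK DISKIDLE 180          # Turn off hard disk after: 3 minutes (in seconds)
        powercfg "/$mode" $Guid $wirelessSub $wirelessPsm 3     # Power Saving Mode: 3 = Maximum Power Saving
        powerc_fg_placeholder_removed
    }
}
```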

To prepare for the next lab

When you have finished the lab, leave the virtual machines running, as they are needed for the next lab.


Lab B: Implementing DirectAccess by Using the Getting Started Wizard


Exercise 1: Configuring DirectAccess
Task 1: Install the Remote Access server role
1. On LON-SVR2, in Server Manager, click Manage, and then click Add Roles and Features.
2. In the Add Roles and Features Wizard window, click Next.
3. On the Select installation type page, click Next.
4. On the Select destination server page, click Next.
5. On the Select server roles page, click Remote Access, and then click Next.
6. On the Select features page, click Next.
7. On the Remote Access page, click Next.
8. On the Select role services page, click DirectAccess and VPN (RAS), and then in the Add Roles and Features Wizard window, click Add Features, and then click Next.
9. On the Confirm installation selections page, click Install.
10. After the install is finished, click Close.

Task 2: Create a security group for DirectAccess clients


1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Users and Computers.
2. In Active Directory Users and Computers, right-click the Users container, click New, and then click Group.
3. In the New Object - Group window, type DA_Clients in the Group name box, and then click OK.
4. Double-click the Users container.
5. Right-click DA_Clients, and then click Properties.
6. In the Properties window, click the Members tab, and then click Add.
7. Click Object Types, select Computers, and then click OK.
8. Type LON-CL1, and then click OK.
9. In the DA_Clients Properties window, click OK.
10. Close Active Directory Users and Computers.

Task 3: Configure DirectAccess by using the Getting Started Wizard


1. Switch to LON-SVR2.
2. On LON-SVR2, in Server Manager, click Tools, and then select Remote Access Management.
3. In the Remote Access Management Console window, under Configuration, click DirectAccess and VPN.
4. Click Run the Getting Started Wizard.
5. On the Configure Remote Access page, click Deploy DirectAccess only.
6. Verify that Edge is selected, and in the Type the public name or IPv4 address used by clients to connect to the Remote Access server box, type 131.107.0.2, and then click Next.
7. On the Configure Remote Access page, click the here link.
8. On the Remote Access Review page, verify that two GPO objects have been created: DirectAccess Server Settings and DirectAccess Client Settings.
9. Next to Remote Clients, click Change.
10. In the Remote Access Setup window, click Domain Computers (ADATUM\Domain Computers), and then click Remove.
11. Click Add.
12. In the Select Groups window, type DA_Clients, and then click OK.
13. Clear the Enable DirectAccess for mobile computers only check box, and then click Next.
14. On the DirectAccess Client Setup page, click Finish.
15. On the Remote Access Review page, click OK.
16. On the Configure Remote Access page, click Finish to finish the DirectAccess wizard.
17. In the Applying Getting Started Wizard Settings dialog box, click Close.
18. Restart LON-SVR2.
19. Wait for LON-SVR2 to restart, and then sign in as Adatum\Administrator with a password of Pa$$w0rd.
20. In Server Manager, click Tools, and then click Remote Access Management.
21. In the Remote Access Management console, click Operations Status.

All components should have a Status of Working and a green check mark beside them. If this is not the case, click Refresh to update the Operations Status view. You might have to do this several times.

Results: After completing this exercise, you should have successfully configured DirectAccess by using the Getting Started Wizard.


Exercise 2: Validating the DirectAccess Deployment


Task 1: Verify the DirectAccess GPO deployment
1. When you configured the DirectAccess server, the wizard created two Group Policies and linked them to the domain.
2. Restart LON-CL1, and then sign in as Adatum\Administrator with a password of Pa$$w0rd to apply the GPOs.
3. On LON-CL1, from the Start screen, type cmd, and then press Enter.
4. At the command prompt, type the following command, and then press Enter:
   gpresult /R
5. Under the Computer Settings section, verify that the DirectAccess Client Settings Group Policy Object (GPO) is applied.
   Note: If the DirectAccess Client Settings GPO is not applied, restart LON-CL1, sign in as Adatum\Administrator with password Pa$$w0rd, and then repeat steps 3 and 4 on LON-CL1.
6. At the command prompt, type the following command, and then press Enter:
   netsh name show effectivepolicy
7. Verify that the following message is displayed: DNS Effective Name Resolution Policy Table Settings
   Note: DirectAccess settings are inactive when this computer is inside a corporate network.
8. To move the client from the intranet to the public network, go to the Start screen, type ncpa.cpl, and then press Enter.
9. In the Network Connections window, right-click the Ethernet connection, and then click Disable.
10. In the Network Connections window, right-click the Ethernet 2 connection, and then click Enable.
11. Close the Network Connections window.
12. Close all open windows.

Task 2: Test DirectAccess connectivity


1. Switch to LON-SVR1.
2. Click the File Explorer icon on the taskbar, and in the This PC window, double-click Local Disk (C:).
3. In the Local Disk (C:) window, right-click in the empty space in the details pane, click New, click Folder, type Data, and then press Enter.
4. In the Local Disk (C:) window, right-click Data, click Share with, and then click Specific people.
5. In the File Sharing window, from the drop-down list, select Everyone, click Add, click Share, and then click Done.
6. Switch to LON-CL1.
7. On the Start screen, type \\LON-SVR1\Data, and then press Enter. Note that you are able to access the folder content.
8. Close all open windows.


9. Move the pointer to the lower-right corner of the screen, and in the notification area, click Search, and in the search box, type cmd.
10. At the command prompt, type ipconfig, and then press Enter.
   Note: Notice that the IP address for Tunnel adapter iphttpsinterface starts with 2002. This is an Internet Protocol over Secure Hypertext Transfer Protocol (IP-HTTPS) address.
11. At the command prompt, type the following, and then press Enter:
   Netsh name show effectivepolicy
12. Verify that DNS Effective Name Resolution Policy Table Settings presents two entries, for adatum.com and Directaccess-NLS.Adatum.com.
13. At the command prompt, type the following command, and then press Enter:
   Powershell
14. At the command prompt in the Windows PowerShell command-line interface, type the following command, and then press Enter:
   Get-DAClientExperienceConfiguration
   Note: Notice the DirectAccess client settings.
15. Switch to LON-SVR2.
16. Switch to the Remote Access Management console.
17. In the Remote Access Management console, click Remote Client Status.
   Note: Notice that the client is connected via IPHttps. In the Connection Details pane, in the bottom-right of the screen, note the use of the Kerberos version 5 protocol for the Machine and the User.
18. Close all open windows.

Results: After completing this exercise, you should have successfully validated the DirectAccess deployment.
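The whole of Lab B from PowerShell: the role install and client group (Exercise 1, Tasks 1 and 2), a simplified deployment equivalent to the Getting Started Wizard (Task 3), and the client and server checks of Exercise 2 gathered into one object. This is an added example, not part of the course lab. It uses the ServerManager, ActiveDirectory and RemoteAccess modules and the client-side DnsClient and NetworkTransition cmdlets; the public address, group name and computer names are the lab's, the server's interface names are an assumption (check Get-NetAdapter), and the helper function name is this example's own.

```powershell
# Added example (not part of the course lab): PowerShell equivalent of Lab B.
# Sections are marked with the computer they run on.

# --- LON-DC1: the client security group (Exercise 1, Task 2)
New-ADGroup -Name 'DA_Clients' -GroupScope Global -Path 'CN=Users,DC=Adatum,DC=com'
Add-ADGroupMember -Identity 'DA_Clients' -Members (Get-ADComputer -Identity 'LON-CL1')

# --- LON-SVR2: role install and simplified deployment (Exercise 1, Tasks 1 and 3)
Install-WindowsFeature -Name DirectAccess-VPN -IncludeManagementTools

# Simplified (Getting Started Wizard) deployment: edge topology, IP-HTTPS,
# Kerberos proxy and self-signed certificates. -ConnectToAddress is the
# public name or address the clients connect to. Interface names are assumed.
Install-RemoteAccess -DAInstallType FullInstall -ConnectToAddress '131.107.0.2' `
    -InternetInterface 'Ethernet 2' -InternalInterface 'Ethernet' -PassThru

# Steps 10 to 13: scope client settings to DA_Clients and include desktops
Set-DAClient -SecurityGroupNameList 'ADATUM\DA_Clients' -OnlyRemoteComputers Disabled -PassThru

# Step 21, Operations Status: every component should report Working
Get-RemoteAccessHealth | Format-Table Component, HealthState -AutoSize

# --- LON-CL1: after the restart and the move to the external network (Exercise 2)
function Test-DAClientState {
    # One object summarising what the lab checks with gpresult,
    # netsh name show effectivepolicy and ipconfig
    $gpoLines = (gpresult /R /SCOPE COMPUTER) -match 'DirectAccess Client Settings'
    $nrpt     = Get-DnsClientNrptPolicy
    $https    = Get-NetIPHttpsState
    $addr     = Get-NetIPAddress -InterfaceAlias 'iphttpsinterface' -AddressFamily IPv6 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ClientGpoApplied = [bool]$gpoLines
        NrptNamespaces   = ($nrpt | Select-Object -ExpandProperty Namespace) -join ', '
        IpHttpsStatus    = $https.InterfaceStatus
        IpHttpsAddress   = ($addr | Select-Object -ExpandProperty IPAddress) -join ', '
    }
}
# Test-DAClientState
# Get-DAClientExperienceConfiguration     # the client-side settings shown in step 14

# --- LON-SVR2: Remote Client Status (step 17)
# Get-RemoteAccessConnectionStatistics | Format-Table ClientIPAddress, ConnectionType, ConnectionDuration -AutoSize
```

Inside the corporate network NrptNamespaces is expected to be empty and the IP-HTTPS interface inactive, which is the "settings are inactive" note in Task 1; on the external network the adatum.com and NLS namespaces appear and the interface comes up. The simplified deployment puts the Network Location Server on the DirectAccess server itself with a self-signed certificate, which is fine for a lab; a production deployment uses an enterprise CA and a separate, highly available NLS, because clients that cannot reach the NLS decide they are outside and try to tunnel.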

To prepare for the next lab


When you have finished the lab, revert the virtual machines to their initial state.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687C-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20687C-LON-SVR1, 20687C-LON-SVR2, and 20687C-LON-DC1.


Lab C: Implementing Remote Desktop


Exercise 1: Configuring a Remote Desktop Connection

Task 1: Enable Remote Desktop through the firewall, and enable Remote Desktop on Adams office computer
1. On LON-CL1, from the Start screen, type Control Panel, and then click the Control Panel tile.
2. Click System and Security.
3. Under Windows Firewall, click Allow an app through Windows Firewall.
4. In the Name list, select Remote Desktop, and then enable the application for each of the network profiles: Domain, Private, and Public.
5. Click OK.
6. In System and Security, click Allow remote access.
7. In the System Properties dialog box, under Remote Desktop, click Allow remote connections to this computer.
8. Click Select Users, and then click Add.
9. In the Select Users or Groups dialog box, in the Enter the object names to select (examples) box, type Adam, click Check Names, and then click OK. In the Remote Desktop Users dialog box, click OK.
10. In the System Properties dialog box, click OK.
11. Close all open windows.
12. Switch to the LON-CL2 virtual machine, and then sign in as Adatum\Administrator with password Pa$$w0rd.
13. On the Start screen, type mstsc, and then click Remote Desktop Connection.
14. In the Remote Desktop Connection dialog box, in the Computer box, type lon-cl1, and then click Show Options.
15. Click the Advanced tab.
16. Under Server authentication, in the If server authentication fails drop-down list, click Connect and don't warn me.

Task 2: Connect to the remote computer with Remote Desktop


1. On LON-CL2, in the Remote Desktop Connection dialog box, click Connect.
2. In the Windows Security dialog box, click Use another account.
3. In the User name box, type Adatum\Adam, and in the Password box, type Pa$$w0rd, and then click OK.
4. When prompted, click Yes to proceed with the logon.
5. On the Start screen, type This PC, right-click This PC, and then click Properties. Notice the computer name.
6. Close the Remote Desktop session.
7. In the Remote Desktop Connection dialog box, click OK.
8. Close all open windows.
9. Switch to the LON-CL1 virtual machine.
10. Notice that you have been signed out.

Results: After completing this exercise, you should have successfully verified that Remote Desktop is functional.
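Task 1 on LON-CL1 from PowerShell, with the two settings a practitioner normally tightens: the firewall rules limited to the Domain profile instead of all three, and Network Level Authentication left required. This is an added example, not part of the course lab; it writes the documented Terminal Server registry values and uses the NetSecurity cmdlets that ship with Windows 8.1. Windows 8.1 has PowerShell 4.0 and no Add-LocalGroupMember, so the group membership is done with net localgroup. The user is the lab's; the function names and the switch are this example's own.

```powershell
# Added example (not part of the course lab): enable Remote Desktop on
# LON-CL1 as in Task 1, optionally restricted to the Domain profile, and
# report the resulting state. Run elevated.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"

function Enable-LabRemoteDesktop {
    param([string]$User = 'ADATUM\Adam', [switch]$DomainProfileOnly)

    # "Allow remote connections to this computer"
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 0 -Type DWord
    # Keep Network Level Authentication on: the client authenticates before a
    # session, and its attack surface, is created on the host
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord

    # Firewall: the lab allows Remote Desktop on Domain, Private and Public.
    # Listening on Public is rarely wanted; -DomainProfileOnly limits it.
    Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    if ($DomainProfileOnly) {
        Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Set-NetFirewallRule -Profile Domain
    }

    # Remote Desktop Users grants the right to connect, not administrative rights
    & net localgroup 'Remote Desktop Users' $User /add | Out-Null
}

function Get-LabRemoteDesktopState {
    [pscustomobject]@{
        ConnectionsAllowed = ((Get-ItemProperty -Path $tsKey).fDenyTSConnections -eq 0)
        NlaRequired        = ((Get-ItemProperty -Path $rdpTcp).UserAuthentication -eq 1)
        FirewallProfiles   = (Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
                                  Where-Object { $_.Enabled -eq 'True' } |
                                  Select-Object -ExpandProperty Profile -Unique) -join ', '
        RdpUsers           = (& net localgroup 'Remote Desktop Users' |
                                  Where-Object { $_ -match '\\' }) -join ', '
    }
}

Enable-LabRemoteDesktop -User 'ADATUM\Adam' -DomainProfileOnly
Get-LabRemoteDesktopState

# From LON-CL2, connect as in Task 2:   mstsc /v:lon-cl1
```

One step of the lab is worth not copying outside it: "Connect and don't warn me" (Task 1, step 16) suppresses the warning that the host's certificate could not be verified, which is the only signal a user gets that they are talking to something other than LON-CL1. Leave the default warning in place and, where possible, issue RDP certificates from the enterprise CA so the warning never appears for legitimate hosts.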

To prepare for the next module


When you have finished the lab, revert the virtual machines to their initial state.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687C-LON-CL2, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20687C-LON-CL1 and 20687C-LON-DC1.


Module 14: Recovering Windows 8.1

Lab: Recovering Windows 8.1


Exercise 1: Configuring and Using File History
Task 1: Create a share for File History
1. On LON-DC1, on the taskbar, click File Explorer.
2. In the navigation pane, click Local Disk (C:).
3. In File Explorer, in the details pane, right-click an empty space, point to New, and then click Folder.
4. Type FileHistory as the folder name, and then press Enter.
5. Right-click the FileHistory folder, and then click Properties.
6. In the FileHistory Properties dialog box, on the Security tab, click Edit. Click Add, enter Domain in the Enter the object names to select box, and then click OK. Click Domain Users, and then click OK. In the Permissions for Domain Users section, in the Allow column, select the Full control check box, and then click OK.
7. On the Sharing tab, click Advanced Sharing.
8. Select the Share this folder check box, and then click Permissions. In the Permissions for Everyone section, in the Allow column, click Full Control, and then click OK twice. In the FileHistory Properties dialog box, click Close.

Task 2: Configure and use File History


1. 2. 3. 4. 5. 6. 7. 8. 9. On LON-CL1, on the Start screen, type file, and then click File Explorer. In File Explorer, in the navigation pane, expand This PC, and then click Documents.

Right-click in the details pane, point to New, click Microsoft Word Document, and then name the document Recovery file. Double-click Recovery file.docx.

In the Microsoft Office Activation Wizard, click Close, select Ask me later, and then click Accept. Close the Welcome to your new Office window. In Word, type This document is modified. In Word, save the file by pressing Ctrl+S, and then close Word. On the desktop, right-click the Start icon, and then click Control Panel.

10. In Control Panel, in the Search Control Panel field, type history, and then click File History. 11. In the File History dialog box, in the navigation pane, click the Select drive link.

12. In Select Drive, click Add network location, in the Folder field, type \\LON-DC1\FileHistory, click Select Folder, and then click OK. 13. In the File History dialog box, in the details pane, click Turn on.

14. In the File History dialog box, in the navigation pane, click Advanced settings. Review the options, and then click Cancel. 15. In File Explorer, in the navigation pane, click Documents.


16. In File Explorer, right-click Recovery file.docx, press the Shift key, and then select Delete. Click Yes in the Delete File dialog box.
17. In File Explorer, click the Home tab, and then click History.
18. In Documents File History, right-click Recovery file.docx, and then click Restore.
19. In File Explorer, notice that the Word document has been recovered.
20. Double-click Recovery file.docx, and then verify that it has the content that you typed earlier.
21. Close File Explorer and the Documents File History window.

Task 3: Protect an additional folder with File History


1. On LON-CL1, in the File History dialog box, in the navigation pane, click Restore personal files.
2. In the Home File History window, verify that three file folders and four libraries are shown. Double-click Documents, and then verify that only Recovery file is shown. Close Documents File History.
3. In File Explorer, click the View tab, select Options, and then select Change folder and search options.
4. In the Folder Options dialog box, in the Navigation pane section, select Show libraries, and then click OK.
5. In File Explorer, in the navigation pane, expand Libraries. Right-click the Documents library, and then click Properties.
6. In the Documents Properties dialog box, click Add. In the Folder field, type E:\Labfiles\Docs, click Include folder, and then click OK.
7. In the File History dialog box, in the details pane, click Run now.
8. In File Explorer, navigate to the E:\Labfiles\Docs folder. Right-click Windows.docx, press the Shift key, and then select Delete. In the Delete File dialog box, click Yes.
9. In the File History dialog box, in the navigation pane, click Restore personal files.
10. In Home File History, double-click Documents. Right-click Windows.docx, select Restore to, in the Folder field type E:\Labfiles, and then click Select Folder.
11. In File Explorer, verify that the file Windows.docx is restored to the E:\Labfiles folder.
12. Close File Explorer, File History, and the Documents File History window.

Results: After completing this exercise, you should have configured and used the File History feature.


Exercise 2: Exploring Windows 8.1 Recovery Options


Task 1: Configuring System Restore
1. On LON-CL1, open File Explorer, in the navigation pane, right-click This PC, and then click Properties.
2. In the System window, in the navigation pane, click System protection.
3. In the System Properties dialog box, in the Protection Settings section, select Local Disk (C:) (System), click Configure, select Turn on system protection, and then click OK.
4. In the System Properties dialog box, click Create.
5. Type Initial settings in the System Protection dialog box, click Create, and then click Close.
6. In the System Properties dialog box, click OK.
7. In File Explorer, navigate to the E:\Labfiles\Mod14 folder, and then double-click XmlNotepad.msi.
8. In the XML Notepad 2007 Setup Wizard, click Next, select I accept the terms in the License Agreement, click Next two times, click Install, and then click Finish. Close Internet Explorer.
9. Verify that an XML Notepad 2007 shortcut is on the desktop.
10. Right-click the desktop, point to New, click Text Document, type My document as its name, and then press Enter.
11. On the toolbar, right-click the Start icon, and then click Device Manager.
12. In Device Manager, expand Keyboards, right-click Microsoft Hyper-V Virtual Keyboard, and then select Update Driver Software.
13. In the Update Driver Software dialog box, select Browse my computer for driver software. Select Let me pick from a list of device drivers on my computer, and then clear the Show compatible hardware check box. In the Model section, select Microsoft Wireless Keyboard 700 v2.0 (106/109), click Next, click Yes in the Update Driver Warning box, and then click Close.
14. In Device Manager, verify that Microsoft Wireless Keyboard 700 v2.0 (106/109) is shown with an exclamation point (!).

Task 2: Using System Restore


1. In File Explorer, in the navigation pane, right-click This PC, and then select Properties.
2. In the System window, in the navigation pane, click System protection.
3. In the System Properties dialog box, click System Restore.
4. In the System Restore dialog box, click Next.
5. Select the Initial settings restore point, and then click Scan for affected programs. Verify that XML Notepad 2007 is shown, as you installed it after the restore point was created. Click Close.
6. In the System Restore dialog box, click Next, click Finish, and then click Yes. Wait until LON-CL1 is restarted and System Restore is performed.
7. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
8. On the Start screen, click the Desktop tile.
9. In the System Restore dialog box, click Close. Verify that My document.txt is still on the desktop and that the XML Notepad 2007 shortcut is no longer present on the desktop.


10. On the toolbar, right-click the Start icon, and then click Device Manager.
11. In Device Manager, expand Keyboards, and then verify that Microsoft Hyper-V Virtual Keyboard is present. Microsoft Wireless Keyboard 700 v2.0 (106/109) was removed, as you added it after the restore point was created.
12. On the toolbar, click the File Explorer icon.
13. In File Explorer, in the navigation pane, right-click This PC, and then click Properties.
14. In the System window, in the navigation pane, click System protection.
15. In the System Properties dialog box, click System Restore.
16. In the System Restore dialog box, select Choose a different restore point, and then click Next.
17. In the System Restore dialog box, verify that an additional restore point with the description Restore Operation and the type Undo was created. Click Cancel.
18. On the toolbar, right-click the Start icon, select Shut down or sign out, and then select Shut down. Wait until LON-CL1 is turned off.
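Tasks 1 and 2 of this exercise can also be driven from Windows PowerShell, which is the practical way to take a restore point before a scripted driver or software change. The block below is an added example, not part of the lab: it uses the System Restore cmdlets that ship with Windows 8.1, the lab's drive and restore point description, and a helper of this example's own (Get-InstalledPrograms) to stand in for the Scan for affected programs button, which has no cmdlet. The registry value it sets is the documented restore point frequency limit; removing the limit is a choice made here for a lab machine, not something the lab asks for.

```powershell
# Added example, not part of the lab. Run elevated on LON-CL1.
# Assumed: Get-InstalledPrograms is this example's helper; drive and description are the lab's.

# Task 1, steps 1-6: protection on for C: and a named restore point
Enable-ComputerRestore -Drive 'C:\'

# Caveat: since Windows 8 a new restore point is refused if one was created in the last
# 24 hours; Checkpoint-Computer then only writes a warning. The documented
# SystemRestorePointCreationFrequency value (minutes) controls this; 0 removes the limit.
$srKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
Set-ItemProperty -Path $srKey -Name SystemRestorePointCreationFrequency -Value 0 -Type DWord

Checkpoint-Computer -Description 'Initial settings' -RestorePointType MODIFY_SETTINGS

# Task 2, step 5: locate the point. CreationTime is a WMI timestamp string, which still
# sorts chronologically.
$point = Get-ComputerRestorePoint |
         Where-Object Description -eq 'Initial settings' |
         Sort-Object CreationTime -Descending | Select-Object -First 1
$point | Format-List SequenceNumber, Description, RestorePointType, CreationTime

# "Scan for affected programs" has no cmdlet. A before/after snapshot of the installed
# program list gives the same answer for what a restore would remove.
function Get-InstalledPrograms {
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object DisplayName |
        Select-Object -ExpandProperty DisplayName | Sort-Object -Unique
}
$before = Get-InstalledPrograms
# ... install XmlNotepad.msi and the wrong keyboard driver as in Task 1, steps 7-13 ...
# $after = Get-InstalledPrograms
# Compare-Object $before $after          # XML Notepad 2007 appears with SideIndicator '=>'

# Task 2, step 6: roll back to the point (the machine restarts; -Confirm asks first)
# Restore-Computer -RestorePoint $point.SequenceNumber -Confirm

# Task 2, steps 13-17, after the restart: the restore itself left an undo point behind
Get-ComputerRestorePoint |
    Format-Table SequenceNumber, Description, RestorePointType, CreationTime
Get-ComputerRestorePoint -LastStatus       # reports whether the last restore succeeded
```

The restore and the two commented-out lines are left for you to run deliberately; everything else is safe to execute as-is. Restore points cover system files, the registry and installed programs but not the user's documents, which is why My document.txt survives the restore in step 9 while the XML Notepad shortcut does not.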

Task 3: Access Windows RE tools


1. On your host computer, in the 20687C-LON-CL1 on localhost Virtual Machine Connection dialog box, on the Media menu, point to DVD Drive, and then click Insert Disk.
2. In the Open dialog box, in the File name box, type D:\Program Files\Microsoft Learning\20687\Drives\Win81Ent_Eval.iso, and then click Open.
3. On the Action menu, click Start.
4. When you see the Press any key to boot from CD or DVD message, press Spacebar. Setup loads.
5. When prompted, in the Windows Setup dialog box, click Next.
6. On the Windows Setup page, click Repair your computer.
7. On the Choose an option page, click Troubleshoot.
8. On the Troubleshoot page, click Advanced options.
9. On the Advanced options page, click System Restore.
10. On the System Restore page, select Windows 8.1.
11. In the System Restore dialog box, click Next. Select the Restore Operation restore point, and then click Scan for affected programs. Verify that XML Notepad 2007 is listed as a program that might be restored. Click Close, and then click Cancel.

Note: You can use System Restore from the Windows Recovery Environment (Windows RE).

12. On the Choose an option page, click Troubleshoot, and then click Advanced options.
13. On the Advanced options page, click Command Prompt.
14. At the command prompt, type bcdedit /enum, and then press Enter. Review the output and verify that Windows 8.1 is listed as the default Windows Boot Loader operating system.
15. At the command prompt, type Bootrec /scanos, and then press Enter.
16. At the command prompt, type diskpart, and then press Enter.
17. At the command prompt, type list disk, and then press Enter.
18. At the command prompt, type list volume, and then press Enter.
19. At the command prompt, type exit, and then press Enter.


20. At the command prompt, type exit, and then press Enter.
21. On the Choose an option page, click Troubleshoot.
22. On the Troubleshoot page, click Advanced options.
23. On the Advanced options page, click Startup Repair.
24. On the Choose a target operating system page, click Windows 8.1. Startup Repair starts.
25. After a few seconds, the Startup Repair couldn't repair your PC page appears. This is because there is nothing wrong with your computer. Click Advanced options.
26. On the Choose an option page, click Continue. Windows starts normally.

Task 4: Create a duplicate boot entry in the boot store


1. On LON-CL1, sign in as Adatum\Administrator with password Pa$$w0rd.
2. On the Start screen, type cmd, and then click Command Prompt.
3. At the command prompt, type the following command, and then press Enter. The description contains spaces, so it must be quoted:

bcdedit /copy {current} /d "Duplicate boot entry"

4. Verify the presence of Duplicate boot entry in the store by running the following command:

bcdedit /enum

5. At the command prompt, type shutdown /r, press Enter, and then click Close.
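The same task from an elevated Windows PowerShell prompt, as an added example that is not part of the lab. Rather than reading the new GUID off the screen, it parses the bcdedit output into objects, captures the identifier that /copy returns, repeats the default-loader check from Task 3 step 14 without leaving the operating system, and finally deletes the duplicate (the lab reverts the virtual machine instead). Get-BcdEntry and Copy-CurrentBootEntry are this example's own helpers; the element names (identifier, default, description, testsigning, nointegritychecks) are bcdedit's.

```powershell
# Added example, not part of the lab. Run elevated on LON-CL1; bcdedit refuses to run otherwise.
# Assumed: Get-BcdEntry and Copy-CurrentBootEntry are this example's helpers.

function Get-BcdEntry {
    # Parse "bcdedit /enum" into one object per entry. Elements are "name<spaces>value"
    # lines; multi-value elements (for example displayorder) continue on indented lines.
    $entries = @(); $cur = $null; $lastKey = $null
    foreach ($line in (bcdedit /enum)) {
        if ($line -match '^\s*$') { if ($cur) { $entries += $cur }; $cur = $null; continue }
        if ($line -match '^-+$')  { continue }
        if ($line -match '^(\S+)\s{2,}(.+)$') {
            if ($cur) { $lastKey = $Matches[1]; $cur[$lastKey] = $Matches[2].Trim() }
            continue
        }
        if ($line -match '^\s+(\S.*)$') {
            if ($cur -and $lastKey) { $cur[$lastKey] += ' ' + $Matches[1].Trim() }
            continue
        }
        $cur = [ordered]@{ Type = $line.Trim() }; $lastKey = $null   # section header
    }
    if ($cur) { $entries += $cur }
    $entries | ForEach-Object { [pscustomobject]$_ }
}

function Copy-CurrentBootEntry {
    param([string]$Description = 'Duplicate boot entry')
    # bcdedit prints "The entry was successfully copied to {GUID}."
    $out = bcdedit /copy '{current}' /d $Description
    if ("$out" -match '\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}') { return $Matches[0] }
    throw "bcdedit /copy failed: $out"
}

# Step 3: make the copy and keep its identifier
$id = Copy-CurrentBootEntry

# Step 4: the copy exists and is a loader for the same partition as {current}
$entries = Get-BcdEntry
$copy    = $entries | Where-Object identifier -eq $id
$current = $entries | Where-Object identifier -eq '{current}'
$copy, $current | Format-Table Type, identifier, device, description

# Task 3 step 14, without booting Windows RE: {default} still names the original loader
$bootmgr = $entries | Where-Object Type -eq 'Windows Boot Manager'
$default = $entries | Where-Object identifier -eq $bootmgr.default
"default = $($bootmgr.default) ($($default.description))"

# Quick audit: an extra loader entry is also how driver-signing enforcement gets switched
# off on a machine, so list any loader that has testsigning or nointegritychecks enabled.
$entries | Where-Object { $_.Type -eq 'Windows Boot Loader' -and
                          ($_.testsigning -eq 'Yes' -or $_.nointegritychecks -eq 'Yes') } |
    Format-Table identifier, description, testsigning, nointegritychecks

# Cleanup, not in the lab: remove the duplicate so the boot menu no longer appears
bcdedit /delete $id
```

Get-BcdEntry is also the check to run after Exercise 4, where Bootrec /RebuildBCD recreates the store: the Windows Boot Manager entry's default element should again point at a Windows Boot Loader entry whose device is partition=C:.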

Task 5: Enable advanced boot options


1. When the Windows operating system restarts, wait until the Choose an operating system menu appears, and then click Change defaults or choose other options.
2. On the Options page, click Choose other options.
3. On the Choose an option page, click Troubleshoot.
4. On the Troubleshoot page, click Advanced options.
5. On the Advanced options page, click Startup Settings.
6. On the Startup Settings page, click Restart.
7. In the Startup Settings menu, type 4 to select and enable Safe Mode.
8. On LON-CL1, sign in as Adatum\Administrator with password Pa$$w0rd.
9. On your host computer, switch to Hyper-V Manager.
10. In the Virtual Machines list, right-click 20687C-LON-CL1, and then click Revert.
11. In the Revert Virtual Machine dialog box, click Revert.
12. In the Virtual Machines list, right-click 20687C-LON-CL1, and then click Start.
13. In the Virtual Machines list, right-click 20687C-LON-CL1, and then click Connect.

Results: After completing this exercise, you should have used various Windows 8.1 operating system startup-recovery tools.


Exercise 3: Introducing a Simulated Problem


Scenario
In this exercise, you will attempt to fix a computer that is running Windows 8.1. The computer does not start successfully. You have an open help-desk ticket so that you can determine the likely cause of the problem.

A. Datum Incident Record
Incident number: 161071
Date and time of call: Jan 25 10:45am
User: Adam Carter

Incident Details
Adam Carter has reported that his computer will not start properly.

Additional Information
Adam has been trying to install an additional operating system on his computer so that he can run a specific line-of-business application. He abandoned the installation after getting only partway through the process. Since then, his computer displays the following error message when it starts:

Windows Boot Manager
File: \Boot\BCD
Status: 0xc0000034
Info: The Windows Boot Configuration Data (BCD) file is missing required information.

Plan of Action

Task 1: Read the help-desk Incident Record for Incident 161071


Read the help-desk Incident Record (in the exercise scenario in the student handbook) for Incident 161071.

Task 2: Update the Plan of Action section of the Incident Record


1. Read the Additional Information section of the Incident Record.
2. Update the Plan of Action section of the Incident Record with your recommendations.

Plan of Action:
1. Visit with the user, and then view the error on his computer.
2. Insert the product installation DVD, and then restart the computer.
3. Use Windows RE to recover the startup environment by using the Command Prompt tool, and then running Bootrec.exe /RebuildBCD to repair the boot store.

Task 3: Simulate the problem


1. Switch to LON-CL1, and then sign in as Adatum\Administrator with password Pa$$w0rd.
2. On the Start screen, click the Desktop tile.
3. From the taskbar, click File Explorer.


4. Browse to and run the E:\Labfiles\Mod14\Scenario1.vbs script.
5. Wait while LON-CL1 restarts.

Results: After this exercise, you should have reproduced the reported startup problem on Adam's computer.


Exercise 4: Resolving a Problem


Task 1: Attempt to resolve the problem
1. Switch to LON-CL1.
2. On your host computer, in the 20687C-LON-CL1 on localhost Virtual Machine Connection dialog box, on the Media menu, point to DVD Drive, and then click Insert Disk.
3. In the Open dialog box, in the File name box, type D:\Program Files\Microsoft Learning\20687\Drives\Win81Ent_Eval.iso, and then click Open.
4. On the Action menu, click Reset. In the dialog box, click Reset.
5. When you see the Press any key to boot from CD or DVD message, press Spacebar. Setup loads.
6. When prompted, in the Windows Setup dialog box, click Next.
7. On the Windows Setup page, click Repair your computer.
8. On the Choose an option page, click Troubleshoot.
9. On the Troubleshoot page, click Advanced options.
10. On the Advanced options page, click Command Prompt.
11. At the command prompt, type Bootrec /Scanos, and then press Enter.
12. At the command prompt, type Bootrec /RebuildBCD, and then press Enter.
13. At the command prompt, type A, and then press Enter.
14. At the command prompt, type exit, and then press Enter to restart LON-CL1. When LON-CL1 starts, do not press any key.
15. Sign in to LON-CL1 by using the following credentials:
o User name: Adatum\Administrator
o Password: Pa$$w0rd

16. Update the Plan of Action section of the Incident Record.

17. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance. To repeat or exit the exercise, revert the virtual machine environment.

Results: After completing this exercise, you should have resolved the startup problem and documented your solution.

Prepare for the next module


When you have finished the lab, revert the virtual machines to their initial state.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687C-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20687C-LON-DC1.


Module 15: Configuring Client Hyper-V

Lab: Configuring Client Hyper-V


Exercise 1: Installing Client Hyper-V
Task 1: Install the Client Hyper-V feature
1. On LON-CL5, from the Start screen, type Hyper-V, and then confirm that no match is found.
2. On the Start screen, type powershell, right-click Windows PowerShell, and then select Run as administrator. Click Yes in the User Account Control dialog box.
3. At the Windows PowerShell command prompt, run the following cmdlet, and then verify that no cmdlet is listed:

Get-Command -Module Hyper-V

4. From the Start screen, type features, and then click Turn Windows features on or off.
5. In the Windows Features window, select the Hyper-V check box, and then click OK.
6. On the Windows completed the requested changes page, click Restart Now.
7. When prompted during startup, select 20687C-LON-CL5.
8. Sign in to LON-CL5 as Admin with password Pa$$w0rd.
9. After a second restart, repeat steps 7 and 8.
10. On the Start screen, type powershell, right-click Windows PowerShell, and then select Run as administrator. Click Yes in the User Account Control dialog box.
11. At the Windows PowerShell command prompt, run the following cmdlet:

Get-Command -Module Hyper-V

Note: The output shows many cmdlets, which confirms that the Hyper-V module is installed and available.
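The same task from an elevated Windows PowerShell prompt, as an added example that is not part of the lab. Before enabling the feature it checks the hardware requirements that the Windows Features dialog does not report (64-bit OS, virtualization enabled in firmware, SLAT, DEP), then enables Hyper-V with the DISM cmdlets and verifies the result after the restarts. The feature names are the DISM names for Windows 8.1; Test-ClientHyperVPrerequisites is this example's own helper.

```powershell
# Added example, not part of the lab. Run elevated on LON-CL5.
# Assumed: Test-ClientHyperVPrerequisites is this example's helper.

function Test-ClientHyperVPrerequisites {
    # Run this BEFORE the feature is installed: once the hypervisor is running, the
    # Win32_Processor virtualization properties report False because the OS is now a guest.
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    [pscustomobject]@{
        Is64Bit                  = $os.OSArchitecture -eq '64-bit'
        VirtualizationInFirmware = [bool]$cpu.VirtualizationFirmwareEnabled
        SLAT                     = [bool]$cpu.SecondLevelAddressTranslationExtensions
        DEP                      = [bool]$os.DataExecutionPrevention_Available
    }
}
Test-ClientHyperVPrerequisites          # every column should read True

# Step 3: the module is absent, so this returns nothing
Get-Command -Module Hyper-V

# Steps 4-6: Microsoft-Hyper-V-All is the platform plus the management tools; -All pulls
# in parent features, -NoRestart lets you restart deliberately (two restarts follow, as in
# steps 6-9 of the task).
$state = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All
if ($state.State -ne 'Enabled') {
    $result = Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All -All -NoRestart
    if ($result.RestartNeeded) { Restart-Computer }
}

# Steps 10-11, after the restarts: platform, console and PowerShell module are all Enabled
Get-WindowsOptionalFeature -Online |
    Where-Object FeatureName -like 'Microsoft-Hyper-V*' |
    Select-Object FeatureName, State
(Get-Command -Module Hyper-V | Measure-Object).Count     # well over 100 cmdlets once installed
```

If VirtualizationInFirmware or SLAT is False, the feature still installs but no virtual machine will start; fix the firmware setting (or pick other hardware) before continuing with Exercise 2.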

Results: After completing this exercise, you should have installed the Client Hyper-V feature.


Exercise 2: Creating a Virtual Switch, a Virtual Hard Disk, and a Virtual Machine
Task 1: Create a virtual switch
1. On LON-CL5, from the Start screen, type Hyper-V, and then click Hyper-V Manager.
2. In Hyper-V Manager, right-click LON-CL5, and then click Virtual Switch Manager.
3. In the Virtual Switch Manager window, in the Create virtual switch section, click Private, and then click Create Virtual Switch.
4. In the Virtual Switch Properties section, type Private Network in the Name field, and then click OK.

Task 2: Create a virtual hard disk (VHD)


1. On LON-CL5, open Hyper-V Manager.
2. In Hyper-V Manager, select LON-CL5, and then in the Actions pane, click New, and then click Hard disk.
3. In the New Virtual Hard Disk Wizard, on the Before You Begin page, click Next.
4. On the Choose Disk Format page, confirm that VHDX is selected, and then click Next.
5. On the Choose Disk Type page, confirm that the default disk type for the virtual hard disk is Dynamically expanding, and then click Next.
6. On the Specify Name and Location page, in the Name field, type Dynamic.vhdx. In the Location field, type C:\VM, and then click Next.
7. On the Configure Disk page, confirm that Create a new blank virtual hard disk is selected, in the Size field, type 100, and then click Next.
8. On the Completing the New Virtual Hard Disk Wizard page, click Finish.
9. On LON-CL5, in Hyper-V Manager, in the Actions pane, click New, and then click Hard disk.
10. In the New Virtual Hard Disk Wizard, on the Before You Begin page, click Next.
11. On the Choose Disk Format page, select VHD, and then click Next.
12. On the Choose Disk Type page, click Differencing, and then click Next.
13. On the Specify Name and Location page, in the Name field, type Differencing.vhd. In the Location field, type C:\VM, and then click Next.
14. On the Configure Disk page, click Browse, and then browse to F:\Program Files\Microsoft Learning\base\.
15. In the Base folder, click Base14C-W81-Office2013.vhd, click Open, and then click Next.
16. On the Completing the New Virtual Hard Disk Wizard page, click Finish.
17. On LON-CL5, in Windows PowerShell, create a fixed-size virtual hard disk by running the following cmdlet:

New-VHD -Path C:\VM\Fixed.vhdx -SizeBytes 1GB -Fixed

18. On LON-CL5, on the taskbar, click the File Explorer icon.
19. In the This PC window, browse to the C:\VM folder.


20. In the VM folder, confirm that the three virtual hard disks that you created earlier in this task are displayed.

21. In the VM folder, right-click Fixed.vhdx, select Properties, confirm that its size on the disk is 1.00 GB, and then click OK.

22. In the VM folder, verify that Dynamic.vhdx and Differencing.vhd are allocated much less space on the disk, even though you configured Dynamic.vhdx with 100 GB.

Task 3: Create a virtual machine


1. On LON-CL5, in Hyper-V Manager, in the Actions pane, click New, and then click Virtual Machine.
2. In the New Virtual Machine Wizard, on the Before You Begin page, click Next.
3. On the Specify Name and Location page, in the Name field, type LON-VM2, and then click Next.
4. On the Specify Generation page, click Generation 2, and then click Next.
5. On the Assign Memory page, in the Startup Memory field, type 1024, select the Use Dynamic Memory for this virtual machine check box, and then click Next four times.
6. On the Completing the New Virtual Machine Wizard page, click Finish. A virtual machine named LON-VM2 is created.
7. On LON-CL5, in Windows PowerShell, create a Generation 1 virtual machine, and then attach a virtual hard disk to it by running the following cmdlets:

New-VM -Name LON-VM1 -MemoryStartupBytes 1GB -Generation 1 -BootDevice IDE
Add-VMHardDiskDrive -VMName LON-VM1 -ControllerType IDE -Path C:\VM\Differencing.vhd

8. In Hyper-V Manager, double-click the LON-VM1 virtual machine, and then from the Action menu, select Start. Verify that the virtual machine starts.
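The whole of this exercise (switch, three disks, two virtual machines) with the Hyper-V cmdlets, as an added example that is not part of the lab. It reproduces the lab's names, paths and sizes, and adds the checks that the wizard pages do not surface: the on-disk size of each disk type, the switch each adapter is attached to, and whether the Generation 2 machine has Secure Boot enabled. The parent VHD path is the one the lab uses in Task 2 and is assumed to exist on LON-CL5.

```powershell
# Added example, not part of the lab. Run elevated on LON-CL5 after Exercise 1.
# Assumed: the lab's parent VHD exists at the path below.
$vmRoot = 'C:\VM'
$parent = 'F:\Program Files\Microsoft Learning\base\Base14C-W81-Office2013.vhd'
New-Item -Path $vmRoot -ItemType Directory -Force | Out-Null

# Task 1: a Private switch is not connected to the host's NIC or to the host itself, so
# guests on it can only talk to each other. That isolation is the right default for lab and
# malware-analysis guests; use an External switch only when a guest must reach the LAN.
if (-not (Get-VMSwitch -Name 'Private Network' -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name 'Private Network' -SwitchType Private | Out-Null
}

# Task 2: the three disk types. A differencing disk depends on its parent staying
# unchanged; writing to the parent afterwards corrupts every child.
New-VHD -Path "$vmRoot\Dynamic.vhdx"     -SizeBytes 100GB -Dynamic            | Out-Null
New-VHD -Path "$vmRoot\Differencing.vhd" -ParentPath $parent -Differencing    | Out-Null
New-VHD -Path "$vmRoot\Fixed.vhdx"       -SizeBytes 1GB -Fixed                | Out-Null

# Steps 20-22 as a table: Size is what the guest sees, FileSize is what the host disk holds
Get-VHD -Path (Get-ChildItem "$vmRoot\*.vhd*").FullName |
    Select-Object @{n='Name';       e={ Split-Path $_.Path -Leaf }},
                  VhdFormat, VhdType,
                  @{n='SizeGB';     e={ $_.Size / 1GB }},
                  @{n='FileSizeMB'; e={ [math]::Round($_.FileSize / 1MB) }},
                  ParentPath | Format-Table -AutoSize

# Task 3, steps 1-6: Generation 2 VM, 1024 MB startup memory, dynamic memory on
New-VM -Name LON-VM2 -Generation 2 -MemoryStartupBytes 1GB -SwitchName 'Private Network' -NoVHD | Out-Null
Set-VMMemory -VMName LON-VM2 -DynamicMemoryEnabled $true

# Task 3, step 7: Generation 1 VM booting from the differencing disk, on the same switch
New-VM -Name LON-VM1 -Generation 1 -MemoryStartupBytes 1GB -BootDevice IDE -SwitchName 'Private Network' | Out-Null
Add-VMHardDiskDrive -VMName LON-VM1 -ControllerType IDE -Path "$vmRoot\Differencing.vhd"

# Checks. A Generation 2 VM boots UEFI and has Secure Boot on by default, which Generation 1
# cannot offer; Get-VMFirmware is where to confirm it before trusting a guest's boot chain.
Get-VMFirmware -VMName LON-VM2 | Select-Object VMName, SecureBoot
Get-VM -Name LON-VM1, LON-VM2 | Select-Object Name, Generation, State, DynamicMemoryEnabled
Get-VMNetworkAdapter -VMName LON-VM1, LON-VM2 | Select-Object VMName, SwitchName

# Step 8
Start-VM -Name LON-VM1
(Get-VM -Name LON-VM1).State        # Running
```

The disk table is the quickest way to see why the lab asks you to compare sizes in steps 21 and 22: Fixed.vhdx occupies its full 1 GB immediately, while Dynamic.vhdx and Differencing.vhd stay at a few megabytes until the guest writes to them.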

Results: After completing this exercise, you should have created a virtual network and a virtual machine in Client Hyper-V.
