This KB collects exam notes for 70-680 TS: Windows 7, Configuring. All notes are written by John Bryntze.
Important! This is NOT a braindump or anything like it.
The 070-680 Exam objectives are the following:
- Installing, Upgrading, and Migrating to Windows 7
- Deploying Windows 7
- Configuring Hardware and Applications
- Configuring Network Connectivity
- Configuring Access to Resources
- Configuring Mobile Computing
- Monitoring and Maintaining Systems that Run Windows 7
- Configuring Backup and Recovery Options
Installing, Upgrading, and Migrating to Windows 7 (14%)
Perform a clean installation
Identifying hardware requirements
The minimum hardware requirements for Windows 7 are:
- 1 GHz or faster 32-bit (x86) or 64-bit (x64) CPU
- 1 GB of RAM (32-bit) / 2 GB of RAM (64-bit) (2 GB is recommended on 32-bit if you run Windows XP Mode in Windows Virtual PC)
- 16 GB of available disk space (32-bit) / 20 GB (64-bit) (plus about 15 GB if you run Windows XP Mode)
- DirectX 9 graphics device with Windows Display Driver Model 1.0 or higher driver
Setting up as dual boot
You can dual boot with other Windows operating systems, but as always you need to install the oldest OS first. If you for example install Windows XP after Windows 7, the newer boot system (BCD, Boot Configuration Data) is overwritten by XP's boot loader (NTLDR with boot.ini), which cannot handle Vista/Windows 7.
So install XP first, then Vista, then Windows 7 to be able to dual (in this case triple) boot.
Install with answer files
When Windows 7 setup starts it looks in the root of all removable media for a file named Autounattend.xml and, if it finds one, tries to do an unattended installation with the answers in that file. Autounattend.xml is easiest to create with Windows SIM (Windows System Image Manager).
If the answer file is in another path (not in a root) you can point setup at it by starting the installation with setup.exe /unattend:<path to answer file>.
Upgrade to Windows 7 from previous versions of Windows
You can only do an in-place upgrade to Windows 7 from Windows Vista with Service Pack 1 or later; all other versions require a clean installation.
Check with the Windows 7 Upgrade Advisor for known compatibility problems, such as lack of disk space, programs that will stop working and drivers that need to be upgraded.
Upgrading from Windows Vista
Upgrade path per version are:
Windows Vista Home Premium -> Windows 7 Home Premium
Windows Vista Business -> Windows 7 Professional
Windows Vista Ultimate -> Windows 7 Ultimate
If you have Vista Home Premium you cannot upgrade to Windows 7 Ultimate, only to Windows 7 Home Premium (I haven't tried it myself, but I cannot see any problem doing this in 2 steps: first upgrade Vista Home Premium to Windows 7 Home Premium and then use Windows Anytime Upgrade from Windows 7 Home Premium to Windows 7 Ultimate).
Know that if you for example have a French Windows Vista Business and want to upgrade to a Swedish Windows 7 Professional, that is not possible; you cannot go from one language to another with an in-place upgrade.
Upgrade media comes on DVD.
Migrating from Windows XP
There is no direct in-place upgrade from XP to Windows 7. Nothing stops you from upgrading Windows XP to Windows Vista and then upgrading that Vista to Windows 7 in place; otherwise you need to do a clean installation (and migrate the user state with USMT or Windows Easy Transfer, see below).
Upgrading from one edition of Windows 7 to another edition of Windows 7
As with Vista, you can upgrade from a lower edition to a higher one but not the other way around (the Starter edition is not included in these paths).
Windows 7 continues Windows Anytime Upgrade: since all editions (except Starter) ship with all features on disk even when they are not active (depending on the edition), no disc/DVD is needed to upgrade from one edition to another.
- Windows 7 Starter Edition – in XP/Vista the Starter edition could only have 3 programs open at the same time; this limit is gone in Windows 7 Starter Edition. Comes only as OEM and supports none of the extra features such as multiple monitors, fast user switching, Aero, Windows Mobility Center etc.
- Windows 7 Home Basic – For emerging markets. Support: join (only) a HomeGroup, maximum 8 GB of RAM, Windows Mobility Center, multiple monitors, fast user switching, Desktop Window Manager, Windows Aero (partial).
- Windows 7 Home Premium – For home users. Support: same as Home Basic plus; Multi-Touch, Premium Games, Windows Media Center, Windows Media Player Remote Media Experience.
- Windows 7 Professional – For business use. Support: same as Home Premium plus; join a domain, EFS, Location Aware Printing, Remote Desktop Host, Presentation Mode and Windows XP Mode.
- Windows 7 Enterprise – For business only. Support: Same as Professional plus; AppLocker, BitLocker Drive Encryption, BranchCache, Distributed Cache, DirectAccess, Subsystem for Unix-based Applications, MUI pack and Virtual Hard Disk Booting.
- Windows 7 Ultimate – For home and business use. Support: same as Enterprise.
Unclear if this will be on the exam, but it can be good to know anyway that the E edition of Windows 7 is shipped without Internet Explorer and the N edition is shipped without Windows Media Player (these versions are only sold in Europe).
Migrate user profiles
User profiles are migrated either with USMT 4.0 (User State Migration Tool) or with Windows Easy Transfer (migwiz).
For better control and multiple users USMT is preferred; for home users or single-profile migrations Windows Easy Transfer can be used.
Windows Easy Transfer exists for Windows XP and newer and should be run first on the machine that has the profile to transfer ("This is my old computer"). Choose the media (special USB transfer cable/network/external disk) and the wizard scans what can be transferred (you have no control over what is transferred). You get an option to password protect the file (.mig). Then go to the new machine that needs the profile, run the Windows Easy Transfer wizard again and this time choose "This is my new computer".
USMT works the same way as Windows Easy Transfer but you control what to transfer and what not to transfer, and it has other more advanced features. USMT uses scanstate to collect profile data and loadstate to apply it.
Scanstate and Loadstate are command line tools and include many different switches, here are some important:
- /all – Migrates all users
- /v – verbosity level, 0 to 13 (13 gives verbose, status and debugger output)
- /i – specifies XML files, example /i:MigDocs.xml
- /ue – users to exclude (think User Exclude); /ue:*\* excludes ALL users except those specified with /ui
- /ui – Users to migrate (think User Include)
- /lac – loadstate only: creates local accounts that do not already exist on the target machine (optionally with a password, /lac:password); without /lac such local accounts are not migrated
- /lae – enables the local accounts created by /lac; without /lae they are created disabled on the target machine
Exam Tips: Know Scanstate and Loadstate and some of the common switches for the exam.
Migration store types
- Compressed – saves space and save all migration data into one image file. This is default.
- Uncompressed – required for hard-link stores; you can browse and modify the migration data with explorer.exe. Switch: /nocompress
- Hard-Link – new in USMT 4.0. Files are not duplicated but stay where they are on the disk; after the old OS has been removed and the new OS installed, loadstate finds the data again. This of course only works when the same machine is reused (wipe and load/PC refresh scenario). Switch: /hardlink
You can migrate profile data from a 32-bit OS to a 64-bit OS but not the other way around. It does not work if the source and target machines have different OS languages. Starter editions are not supported.
Migrating from one machine to another
1. Run Scanstate on the source client machine, for example:
scanstate \\jbkb-server01\USMT /i:migdocs.xml /i:migapp.xml /ue:*\* /ui:JBKB\john /v:13 /l:scanresult.log
where \\jbkb-server01\USMT is the path to save the profile data to, migdocs.xml specifies which documents to save, migapp.xml which application settings to save, /ue:*\* /ui:JBKB\john migrates only the user JBKB\john (without /ue:*\* the /ui switch has no effect, because all users are migrated by default) and /v:13 /l:scanresult.log set the verbosity level and log file name.
2. On target machine make sure Windows 7 and all programs are installed.
3. Run Loadstate on the target client machine, for example:
loadstate \\jbkb-server01\USMT /i:migdocs.xml /i:migapp.xml /ue:*\* /ui:JBKB\john /v:13 /l:loadresult.log
where \\jbkb-server01\USMT is the path to read the profile data from, migdocs.xml specifies which documents to restore, migapp.xml which application settings to restore, /ue:*\* /ui:JBKB\john restores only the data of user JBKB\john and /v:13 /l:loadresult.log set the verbosity level and log file name.
Migrating from previous version of windows
If the source machine is running Windows XP it must have Service Pack 2 or later for USMT 4.0 to run scanstate on it (you cannot run loadstate on a Windows XP machine with USMT 4.0), and you must run scanstate as a local administrator on that machine.
If the source machine is running Windows Vista with UAC enabled you must run scanstate from an elevated (Run as administrator) command prompt. (Not needed for the exam, but if the target machine will be Vista you need to specify /targetvista.)
side-by-side vs. wipe and load
Side-by-side refers to having 2 machines, one old source machine and a newer target machine.
The user migration data is collected from the source machine with scanstate and then loaded onto the target machine with loadstate.
Wipe and load refers to having 1 machine: it might run Windows XP but meets the hardware requirements for Windows 7, so you run scanstate to save the migration data, install Windows 7 on the same machine and then run loadstate.
It is important to know the new feature in USMT 4.0, the hard-link migration store. The store is kept on the machine's own disk, so no extra disk space is needed; this is only possible when you reuse the machine (wipe and load). To use hard links you specify the /hardlink switch when running scanstate, which requires the uncompressed store type (/nocompress).
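The two scenarios above, together with the scanstate/loadstate commands under "Migrating from one machine to another", as one PowerShell script. This is an added example and not part of the notes: it runs scanstate or loadstate depending on -Phase, uses a hard-link store for wipe and load, and stops on a non-zero exit code instead of silently continuing. The USMT folder, the server share, the local store path and the user JBKB\john are assumptions.

```powershell
# Added example, not from the original notes. -Phase Scan runs on the old OS,
# -Phase Load on the finished Windows 7 installation. Folder, share, store path
# and user name below are assumptions.
param(
    [Parameter(Mandatory=$true)][ValidateSet('Scan','Load')] [string]$Phase,
    [ValidateSet('SideBySide','WipeAndLoad')]                  [string]$Scenario = 'SideBySide',
    [string]$UsmtDir = 'C:\USMT\amd64',             # must match the bitness of the OS it runs on
    [string]$Store   = '\\jbkb-server01\USMT\PC01', # side-by-side: a share this machine can write to
    [string]$User    = 'JBKB\john'                  # the only account to migrate
)

function Invoke-Usmt([string]$Exe, [string[]]$ArgList) {
    $path = Join-Path $UsmtDir $Exe
    if (-not (Test-Path $path)) { throw "$path not found" }
    & $path @ArgList
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE; check the /l log" }
}

# /ue:*\* is required: with /ui alone every user would still be migrated, because that is the default.
$common = @('/i:MigDocs.xml', '/i:MigApp.xml', '/ue:*\*', "/ui:$User", '/v:13')

if ($Scenario -eq 'WipeAndLoad') {
    # The store stays on the local disk through the reinstall; /hardlink requires /nocompress.
    $Store = 'C:\USMTStore'
    $common += @('/hardlink', '/nocompress')
}

switch ($Phase) {
    'Scan' {
        # Run on the source OS (XP SP2+ or Vista/7) from an elevated prompt.
        Invoke-Usmt 'scanstate.exe' (@($Store) + $common + "/l:$env:TEMP\scanstate.log")
    }
    'Load' {
        # Run on the new Windows 7 installation with all applications already in place.
        # /lac /lae only affect local accounts; domain accounts are left to the domain.
        Invoke-Usmt 'loadstate.exe' (@($Store) + $common + @('/lac', '/lae', "/l:$env:TEMP\loadstate.log"))
    }
}
```

Run it twice: .\Migrate.ps1 -Phase Scan -Scenario WipeAndLoad before the reinstall and .\Migrate.ps1 -Phase Load -Scenario WipeAndLoad afterwards; for side-by-side, the Scan phase runs on the old machine and the Load phase on the new one against the same share.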
Deploying Windows 7 (13%)
Capture a system image
When you have a reference machine (sometimes called a master machine) prepared with all configuration and software and want to image it, strip away machine-specific information with sysprep:
c:\windows\system32\sysprep\sysprep.exe /oobe /generalize /shutdown
ImageX already excludes unneeded files and folders (such as pagefile.sys and hiberfil.sys) by default; sysprep removes unique settings such as the computer SID, which must be unique for each machine in a domain.
Creating a WIM file
After the machine has been prepared (with sysprep), boot the reference machine into WinPE to capture a WIM image.
Once booted into a WinPE that contains the ImageX tool, create a WIM image on the external disk E: with the following command:
ImageX /Capture C: E:\WIMImages\JBKB.wim "Windows 7" /verify
The command above creates JBKB.wim with the content of disk C:; "Windows 7" is the image name stored in the WIM and /verify checks the captured files.
Prepare a system for image deployment
In Vista and before you used Pkgmgr.exe to add drivers and packages to WIM images, which was pretty tricky. With the latest WAIK you use DISM.exe instead, which is more powerful and easier to use.
Insert a driver into a system image
To insert a driver into a WIM image you need DISM.exe (from the Windows 7 WAIK).
First mount the WIM image, add the driver with /Add-Driver, then unmount with /Commit:
DISM.exe /Mount-Wim /WimFile:C:\WIMimages\JBKB.wim /Index:1 /MountDir:C:\jbkbmount
DISM.exe /Image:C:\jbkbmount /Add-Driver /Driver:C:\Drivers\NetworkDriver\oem01.inf
DISM.exe /Unmount-Wim /MountDir:C:\jbkbmount /Commit
Insert an application into a system image
To insert an application (packaged as a .cab) into a WIM image you need DISM.exe (from the Windows 7 WAIK):
DISM.exe /Mount-Wim /WimFile:C:\WIMimages\JBKB.wim /Index:1 /MountDir:C:\jbkbmount
DISM.exe /Image:C:\jbkbmount /Add-Package /PackagePath:C:\JBKBcabs\jbkb.cab
DISM.exe /Unmount-Wim /MountDir:C:\jbkbmount /Commit
Deploy a system image
You can deploy a WIM image zero-touch with SCCM/WDS/MDT and other tools, but you can also deploy it manually with ImageX.
Boot the target machine with, for example, a WinPE prepared with ImageX.
Prepare the disk with Diskpart. For example, to prepare a C: disk on a machine that already has an OS, run these commands:
diskpart
select disk 0
select partition 1
format fs=ntfs label="windows" quick override
assign letter=c
active
exit
Here quick does a quick format (takes a few seconds) and override continues even if the partition is in use/locked.
Run the following command to deploy (apply) a WIM image located on an external disk e: to a machine
ImageX /apply e:\JBKB.WIM 1 c:
The "1" tells ImageX to use the first image in the file, since a WIM file can hold multiple images (files shared between images are stored only once, which keeps the file small).
Exam Tips: Remember that ImageX uses /Apply to deploy an WIM image and /Capture to create a WIM image.
Configure a VHD
VHD (Virtual Hard Disk) is the disk format used by Microsoft Virtual Server and Windows Virtual PC. Windows 7 can create, attach and edit VHDs, and the right editions can boot from one: only Windows 7 Enterprise and Ultimate support native VHD boot. There are two ways to create a VHD:
1. Disk Management: start diskmgmt.msc and choose Action -> Create VHD. The Create and Attach Virtual Hard Disk window comes up. Specify the location of the physical file (.vhd), the size and the VHD format: Dynamically expanding or Fixed size (Dynamically expanding does not verify that enough disk space exists; Fixed size does and gives an error if the disk space is insufficient). Press OK when finished and the disk shows up in Disk Management.
Now this disk can be treated as a normal one: initialize it, format it and assign a drive letter.
2. Command line: start CMD, run diskpart and type the following:
create vdisk file=d:\JBKB\JBKBdisk.vhd type=fixed maximum=50000
select vdisk file=d:\JBKB\JBKBdisk.vhd
attach vdisk
First create the VHD with a type and size (maximum is in MB). Then select the disk and attach it. As with Disk Management, to partition and format it and assign a letter you continue in diskpart:
create partition primary
format fs=ntfs label=JBKBVHD quick
assign letter=y
You can deploy a VHD either with Xcopy or with WDS (Windows Deployment Services).
With Xcopy you boot from the installation media and configure the disks, press SHIFT + F10 to get a command prompt during setup, use xcopy to copy the VHD file onto the disk and then use diskpart to attach the VHD.
With WDS (on Windows Server 2008 R2) you can deploy bootable VHDs.
Only Windows 7 Enterprise and Ultimate can boot from a VHD.
You can use either Windows PowerShell (Install-WindowsImage.ps1) or ImageX to put a bootable WIM image into the VHD. There is also a command-line tool, WIM2VHD, that automates this step: http://code.msdn.microsoft.com/InstallWindowsImage/Wiki/View.aspx?title=http%3a%2f%2fcode.msdn.microsoft.com%2fwim2vhd&referringTitle=Home (outside the scope of this KB).
Using Install-WindowsImage.ps1 (first download it here: http://code.msdn.microsoft.com/InstallWindowsImage/Release/ProjectReleases.aspx?ReleaseId=2662; I needed to run set-executionpolicy unrestricted to let PowerShell run the unsigned ps1. A less permissive choice is Set-ExecutionPolicy RemoteSigned together with unblocking the downloaded file (file Properties -> Unblock), since Unrestricted runs any script from any source.)
Run these commands:
.\Install-WindowsImage.ps1 -WIM e:\sources\install.wim
This lists all indexes in the WIM; to use Windows 7 Ultimate choose the index shown for it (Index 4 on this media):
.\Install-WindowsImage.ps1 -WIM e:\sources\install.wim -Apply -Index 4 -Destination Y:
Using ImageX (first install WAIK)
ImageX /info e:\sources\install.wim
This prints the image data in XML format, where you read the <IMAGE INDEX="number"> element for the image you want to use.
ImageX /Apply E:\sources\install.wim 4 Y:
Once you got the VHD file you need to decide if you want to prepare it for VHD image native boot (by Windows 7 editions Enterprise/Ultimate) or VHD image boot inside virtual machine.
VHD native boot: Y:\Windows\System32\bcdboot y:\windows (adds an entry for the VHD to the host's BCD store; use BCDedit to change the boot order or make more advanced changes, which is out of scope for this KB)
VHD virtual machine boot: Y:\Windows\System32\bcdboot y:\windows /s y: (writes the boot files into the VHD itself, so a virtual machine can boot from it)
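The whole VHD procedure above (create, attach, partition, apply an install.wim index, make it bootable, detach) as one PowerShell script. This is an added example, not the notes' own commands; it runs on an installed Windows 7 with the WAIK installed (imagex.exe on the path, as in the Deployment Tools Command Prompt), because WinPE 3.0 has no PowerShell. The VHD path, size, WIM path, index and drive letter Y: are assumptions taken from the text.

```powershell
# Added example, not from the notes. All paths, the size, the index and the letter are assumptions.
$Vhd        = 'D:\JBKB\JBKBdisk.vhd'
$SizeMB     = 50000
$Wim        = 'E:\sources\install.wim'
$Index      = 4          # read it from "imagex /info E:\sources\install.wim" first
$Letter     = 'Y'
$NativeBoot = $true      # $false: the VHD will be booted inside a virtual machine instead

function Invoke-Diskpart([string]$Text) {
    # diskpart takes its commands from a script file with /s
    $file = Join-Path $env:TEMP 'vhd.dp'
    Set-Content -Path $file -Value $Text -Encoding Ascii
    diskpart /s $file | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "diskpart failed with exit code $LASTEXITCODE" }
}

if (Test-Path $Vhd) { throw "$Vhd already exists; refusing to overwrite it" }

# create + attach + partition + format + letter, the same steps as the diskpart section above
Invoke-Diskpart @"
create vdisk file="$Vhd" type=fixed maximum=$SizeMB
select vdisk file="$Vhd"
attach vdisk
create partition primary
format fs=ntfs label="JBKBVHD" quick
assign letter=$Letter
active
"@

# apply one image index from the WIM into the VHD volume
imagex /apply $Wim $Index "${Letter}:"
if ($LASTEXITCODE -ne 0) { throw "imagex /apply failed with exit code $LASTEXITCODE" }

$bcdboot = "${Letter}:\Windows\System32\bcdboot.exe"
if ($NativeBoot) {
    # adds a Windows 7 entry for the VHD to this machine's BCD store (Enterprise/Ultimate only)
    & $bcdboot "${Letter}:\Windows"
} else {
    # writes the boot files into the VHD itself so a virtual machine can boot from it
    & $bcdboot "${Letter}:\Windows" /s "${Letter}:"
}
if ($LASTEXITCODE -ne 0) { throw "bcdboot failed with exit code $LASTEXITCODE" }

# detach so the file is not left mounted (and locked) on the host
Invoke-Diskpart @"
select vdisk file="$Vhd"
detach vdisk
"@
```

The script refuses to overwrite an existing VHD and fails fast on every tool's exit code, so a half-applied image is never left looking finished; the native-boot branch is the one that modifies the host's boot configuration.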
Either use Disk Management or diskpart explained above to mount a VHD.
After a VHD file is mounted you can update the VHD using Windows Explorer.
For the exam and real life you need to know the command-line tool DISM.exe (Deployment Image Servicing and Management), which can update an attached VHD image's drivers and add Windows features offline:
Dism /image:y:\ /Add-Driver /driver:c:\drivers\jbkb-nic.inf
Dism /image:y:\ /Enable-Feature /FeatureName:TelnetClient
The second command enables the Telnet Client in the offline Windows 7 image (it is disabled by default).
Exam Tips: Know that offline update/servicing of VHD images can be done with DISM.exe
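Offline servicing with DISM as an added example (not from the notes) that serves both the WIM steps under "Insert a driver/application into a system image" and the VHD steps here: the same script either mounts a WIM or works directly against an attached VHD letter, and it discards the mount instead of committing if any step fails. The paths, the .inf, the .cab and the mount folder are assumptions; TelnetClient is the feature name from the notes.

```powershell
# Added example, not from the notes. Paths below are assumptions; run from an elevated prompt.
param(
    [string]$Target   = 'C:\WIMimages\JBKB.wim',   # a .wim file, or a letter such as 'Y:' for an attached VHD
    [int]   $Index    = 1,
    [string]$MountDir = 'C:\jbkbmount',
    [string]$Driver   = 'C:\Drivers\NetworkDriver\oem01.inf',
    [string]$Package  = 'C:\JBKBcabs\jbkb.cab',
    [string[]]$Features = @('TelnetClient')
)

function Invoke-Dism([string[]]$ArgList) {
    dism.exe @ArgList
    if ($LASTEXITCODE -ne 0) {
        throw "DISM $($ArgList[0]) failed with exit code $LASTEXITCODE (see %WINDIR%\Logs\DISM\dism.log)"
    }
}

$isWim = $Target -like '*.wim'
if ($isWim) {
    # a WIM has to be mounted to a folder first; an attached VHD is already a volume
    New-Item -ItemType Directory -Force -Path $MountDir | Out-Null
    Invoke-Dism @('/Mount-Wim', "/WimFile:$Target", "/Index:$Index", "/MountDir:$MountDir")
    $image = $MountDir
} else {
    $image = $Target
}

$ok = $false
try {
    Invoke-Dism @("/Image:$image", '/Add-Driver', "/Driver:$Driver")
    Invoke-Dism @("/Image:$image", '/Add-Package', "/PackagePath:$Package")
    foreach ($f in $Features) {
        Invoke-Dism @("/Image:$image", '/Enable-Feature', "/FeatureName:$f")
    }
    # list the third-party drivers now in the image so the change can be verified before sealing it
    Invoke-Dism @("/Image:$image", '/Get-Drivers')
    $ok = $true
} catch {
    Write-Error $_
} finally {
    if ($isWim) {
        # /Commit writes the changes back into the WIM; /Discard leaves the WIM untouched after a failure
        $mode = if ($ok) { '/Commit' } else { '/Discard' }
        dism.exe /Unmount-Wim "/MountDir:$MountDir" $mode
    }
}
```

For the VHD case pass -Target 'Y:' after attaching the VHD with diskpart or Disk Management; nothing is mounted or unmounted by the script in that case, so detach the VHD yourself afterwards.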
Configuring Hardware and Applications (14%)
Configure application compatibility
Application Compatibility Toolkit 5.5 (ACT) collects information about the applications installed on the network. It is an important and critical step when planning a migration to Windows 7: will my applications work? Better to know before deploying Windows 7 across the organization.
Shim = an application compatibility workaround
Shims can be seen as a layer between the application and the Windows API that corrects compatibility issues. Know that most vendors do not support their applications if they have been modified with a shim, so shims should be used in these cases:
- Vendor of the product is no longer in business.
- The application is developed internally
- The vendor will release a new supported version for Windows 7 but the current isn’t supported for Windows 7.
Shims included in Windows 7 Out of the box are updated through Windows Update. So you have the same support terms as the rest of the Windows operating system.
Configure application restriction
Windows 7 still supports Software Restriction Policies (SRP for the rest of this KB) for compatibility. Windows 7 also has the next version of SRP, called AppLocker. The two are separate policies and are not merged with each other.
This KB covers both AppLocker and SRP.
Setting software restriction policies
There are 3 default security levels:
Disallow: Block all applications except those explicit set as allow (unrestricted).
Unrestricted: Allow all applications except those you explicit block (disallow).
Basic User: Allows programs to execute as a user that does not have Administrator access rights, but can still access resources accessible by normal users.
The 4 ways to explicitly define a Disallowed/Unrestricted application are the following:
- Network Zones rule
- Path rule (supports wildcards; if multiple path rules match, the most specific one wins)
- Hash rule (Windows 7 uses SHA-256 for new hash rules)
- Certificate rule
For each of these rules you can apply an exception from the default security level:
Unrestricted: Can be used if default security level is set to Disallow
Disallow: Can be used if default security level is set to Unrestricted
Basic User: Uses UAC function to force an application to run as a normal user.
Basic User applies to all the above rule types except certificate rules and can be very useful for stopping an application from making system-wide changes.
Example: a Path Rule for c:\jbkb\adminstools\QoS.exe with the security level Basic User makes that program run without administrator rights.
If multiple rules match a program, the one furthest down this list takes precedence:
- Default rule (weakest)
- Network Zone rule
- Path rule
- Hash rule
- Certificate rule (strongest, always wins)
Example: if the default rule is Disallowed and a Path Rule for c:\jbkb\jbkb.exe is Unrestricted, then even though the default rule would block c:\jbkb\jbkb.exe, the Path Rule takes precedence and allows it to run.
Blocked applications are logged in the Application event log; search for Event IDs 865 through 868 (866 is a block by a path rule).
The Application log only shows entries for blocked applications; to also see allowed (unrestricted) entries you enable advanced logging by adding a string value to the following registry key:
If you lock yourself out with too restrictive policies, restart, press F8 during boot to start in Safe Mode and log on as a local administrator; Windows 7 ignores Software Restriction Policies for local administrators in Safe Mode.
Setting application control
AppLocker is only supported by the Windows 7 editions Enterprise and Ultimate (and by Windows Server 2008 R2) and needs the Application Identity service running to enforce anything. Windows 7 Professional can be used to create AppLocker rules, but the rules are not enforced on it.
AppLocker has the following new enhancements:
- You can define rules based on attributes from a file's digital signature (publisher, product name, file name, file version).
- AppLocker PowerShell cmdlets to manage AppLocker from PowerShell.
- Default deny: a file is allowed to run only if a rule allows it; a file not covered by any rule cannot run.
- "What if" implementation (Audit only): you can set all rules without making them live and just audit what would have been blocked if the rules were enforced.
- MMC snap-in accessible from GPMC or the Local Group Policy Editor.
AppLocker does not include the SRP rule types Internet Zone, per-machine and registry path rules.
To configure AppLocker you can either use domain GPO or Local Security Policy (SecPol.msc), this KB will use Local Security Policy. Navigate: Security Settings -> Application Control Policies -> AppLocker.
There are several scenarios but this KB will take the most common one.
1. You have a reference computer (remember that this machine can be a Windows 7 Professional) with all the company's standard software installed in the correct versions.
2. Create the default rules. This ensures that administrators can still manage the machine and that users can run files in %WinDir% (normally c:\windows) and the %ProgramFiles% folder. Remember that an application installed in c:\JBKBApps\design2010.exe will not run, since it is not in the c:\program files folder (you can later create a manual rule to allow applications that are not installed in the default Program Files folder). To do this, right-click Executable Rules and choose Create Default Rules.
This creates these 3 default rules:
- Allow all users (everyone) to run All files located in the Program Files Folder (%ProgramFiles%)
- Allow all users (everyone) to run All files located in the Windows Folder (%WinDir%)
- Allow Administrators (BUILTIN\Administrators) to run All files
3. Automatically generate rules: if your reference machine has all the software and updates you require, right-click Executable Rules and choose Automatically Generate Rules…
Here you specify which folder (default c:\Program Files) will be analyzed, which users/groups the rules will apply to (default Everyone) and finally a name to identify the rules.
Next is the Rule Preferences with 2 choices:
- Create publisher rules for files that are digitally signed – you also get the option if a file isn’t signed it can create a File hash or path rule.
- Create file hash rules for all files
Next it scans the specified folder and creates a suggested set of rules, which can take some minutes depending on the number of files. In Review Rules you can check, before they are created, that these are the expected rules (either way you can change them manually afterwards). Press Create to create the rules.
Now you have a lot of extra rules. Files that were digitally signed show up (if chosen) with the condition Publisher, and the unsigned files (if chosen) with the condition Path or File hash.
Now modify/delete/add extra rules manually.
The good thing about this is that if a user has a stand-alone program consisting of just an exe file in their Documents folder, that program will not run unless there is a specific rule for it.
Apply this either with a GPO at domain/site/OU level or with Local Security Policy, and make sure the machines refresh their Group Policy settings.
Enforcement can be set to Enforce rules or Audit only: with Enforce rules the rules are active, with Audit only the rules only log to Event Viewer and never block anything.
With digitally signed files and the Publisher condition you have a lot more freedom: a rule can for example check the file version and allow a certain version And above, Exactly that version or, in rare cases, that version And below.
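The reference-machine workflow above done with the Windows 7 AppLocker PowerShell cmdlets, as an added example that is not part of the notes: inventory the reference folder, generate publisher rules with hash fallback, test the policy file against a signed program and a stand-alone executable in Documents before enforcing anything, then apply it locally and start the Application Identity service. The policy file path and the two test executables are assumptions.

```powershell
# Added example, not from the notes. The policy path and test executables are assumptions.
Import-Module AppLocker

$Policy = 'C:\JBKB\AppLocker-Policy.xml'

# 1. Inventory the reference machine: publisher details for signed files, hashes for the rest.
$files = Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe

# 2. Allow rules for Everyone: Publisher where available, Hash as fallback. No Path rules,
#    because a user could satisfy a path rule by dropping a binary into an allowed folder.
#    -Optimize collapses files from the same publisher into one rule.
$files | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File -Encoding Unicode $Policy

# 3. "What if": evaluate the policy file against binaries without applying it. The signed
#    program should be covered by a publisher rule; the stand-alone exe in Documents is
#    covered by nothing, so AppLocker's default is to deny it.
$tests = @('C:\Program Files\Internet Explorer\iexplore.exe',
           "$env:USERPROFILE\Documents\portable-tool.exe")   # assumed stand-alone exe
Test-AppLockerPolicy -XmlPolicy $Policy -Path $tests -User "$env:USERDOMAIN\$env:USERNAME" |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 4. Apply locally, merged with the existing (default) rules so administrators keep working,
#    then start the Application Identity service; without it no AppLocker rule is evaluated.
Set-AppLockerPolicy -XmlPolicy $Policy -Merge
Set-Service AppIDSvc -StartupType Automatic
Start-Service AppIDSvc
```

Keep step 4 out until the Test-AppLockerPolicy output looks right and the rules have run in Audit only mode for a while; a machine that is not Enterprise or Ultimate accepts the policy but never enforces it, exactly as the notes describe for Professional.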
Configure Internet Explorer
Windows 7 (except the E edition) has Internet Explorer 8 as its native web browser, which includes a lot of extra security features.
Remember that all settings here can be configures with GPO and IEAK8, the difference between GPO and IEAK8 is that GPO set values that end user might not be able to change and IEAK8 just set default values that the end user can change.
Configuring compatibility view
Internet Explorer 8 has a new rendering engine that can cause compatibility problems for websites designed for Internet Explorer 7's engine. The Compatibility View function includes the Internet Explorer 7 rendering engine and can switch to it for specific sites (those that do not render correctly with the Internet Explorer 8 engine).
Under Tools -> Compatibility View Settings you can change the default settings:
- Include updated website lists from Microsoft – checked by default; gets an updated list from Microsoft Update of sites that need to run in Compatibility View.
- Display intranet sites in Compatibility View – checked by default; all sites in the Local intranet zone are displayed in Compatibility View, so for example a company intranet written for Internet Explorer 7 still works.
- Display all websites in Compatibility View – not checked by default; if checked, all web pages are rendered with the Internet Explorer 7 engine (Compatibility View).
Internet Explorer 8 remembers which sites have been viewed in Compatibility View for future visits.
Configuring security settings
There are several new or updates security functions/settings, here they come in short format:
- Enhanced Delete Browsing History – you can now keep cookies and temporary files for the sites in your Favorites and delete all the others. You also have the option to delete InPrivate Filtering data.
- SmartScreen Filter – the new name; in Internet Explorer 7 it was called the Phishing Filter (I didn't like that name either, too hard to pronounce). Not only a new name: it has new features such as anti-malware support, improved Group Policy support, faster performance and an improved user interface.
- Cross-Site Scripting Filter – cross-site scripting (XSS) attacks are common; this filter helps protect against reflected XSS by detecting script in the request that is echoed back in the response.
- Domain Name Highlighting – some try to fool end users with names that look like they come from a trusted source, for example http://www.ebay.onlinejbkb.com might look like it belongs to ebay. Domain Name Highlighting simply highlights the real domain name in the address bar.
- Tab Isolation – LCIE (Loosely-Coupled Internet Explorer) means that if one tab crashes it does not affect the other tabs or browser windows.
Search providers are configured under Manage add-ons -> Search Providers, where you can add/remove search providers, set their order and the default, and tick Prevent programs from suggesting changes to my default search provider (not checked by default).
Toolbars and add-ons are usually the cause of Internet Explorer crashes, and in Internet Explorer 8 you have better control over add-ons and toolbars.
Toolbars now have a cross/X on the right side so users can close them more easily.
A toolbar such as the Live Toolbar can be closed by pressing that X, after which a dialog asks whether the toolbar should be disabled.
Controlling InPrivate mode
InPrivate Mode has two functions; InPrivate Browsing and InPrivate Filtering.
InPrivate Browsing: this function exists in other browsers under other names; it is called Private Browsing in Firefox and Incognito in Chrome. When browsing InPrivate, the user's browsing history, temporary Internet files, form data, cookies and usernames/passwords are not stored or retained by the browser.
InPrivate Filtering: this function tracks third-party content on websites and gives users control over which third-party content is downloaded and displayed. Third-party content that appears frequently across web pages can be blocked.
You either set it to Automatically block, Choose content to block or allow, or Off (default). If you enable InPrivate Filtering the default threshold is 10 sites serving the same third-party content before it triggers; the user can change it (3 to 30). If you choose Automatically block, all content that hits the threshold is blocked. If you choose Choose content to block or allow, everything is allowed by default but listed so you can choose what to block.
Certificates for secure Web sites
If a site has a valid Extended Validation (EV) certificate the address bar turns green; a site with an ordinary valid certificate shows a padlock icon, and a site whose certificate does not validate shows a warning page and a red address bar.
Configuring Network Connectivity (14%)
Configure IPv4 network settings
Not much has changed here in many years, so it is still the old material you need to know:
IPv4 addresses are 32 bits long, where the (sub)net mask decides which bits are the network and which bits are the host. APIPA addresses are not routed but give access to other APIPA clients on the same network; the range is 169.254.0.0/16. Keep in mind that if you see ipconfig output where the client has an address in 169.254.0.0/16, that machine is a DHCP client that failed to get a lease.
Know the private address ranges and that those addresses are not routable on the Internet:
10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 (and APIPA: 169.254.0.0/16)
Remember that when you calculate how many hosts a certain subnet has you must subtract the 2 "reserved" addresses: all host bits 1 = broadcast address and all host bits 0 = network address. Example: 10.46.0.0/28 has 4 bits left for hosts, which is 16 addresses, but since 1111 = broadcast and 0000 = network address only 16-2 (14!) are left for clients/servers/routers etc. The exam will for sure play on this: you need a range for a certain number of servers/clients/printers and must show that you understand this.
Know that with subnetting you make smaller broadcast domains out of one assigned network ID (255.255.0.0 to 255.255.128.0) and that supernetting is the opposite, merging two smaller networks into a bigger one (255.255.0.0 to 255.254.0.0).
Configure IPv6 network settings
Even if the exam will probably test mostly IPv4, you should know that IPv6 is fully supported by Windows 7.
IPv6 addresses are 128 bits long and therefore much longer to write, so know that :: is shorthand for a run of zero groups: 2001:AA12::A3D1:7AAE is the shortened form of 2001:AA12:0000:0000:0000:0000:A3D1:7AAE (only one :: is allowed per address, and leading zeros in a group may be dropped).
Unicast IPv6 addresses use the first 64 bits for the network and the last 64 for the host (the 64-bit interface ID can be derived from the 48-bit MAC address with EUI-64, but Windows 7 generates random interface IDs by default).
- Global addresses: start with 2000-3FFF (2000::/3), example 3ABA::1 is a global address.
- Link-local addresses: start with FE80, example FE80::AA12:231E:FFFF:12BC%2; notice the %2, the zone ID, which can be any number but is unique per interface on the host. Think of a link-local address as the IPv6 equivalent of an IPv4 APIPA address, self-configured, except that you always get a link-local address assigned.
- Unique local addresses: start with FD (FC00::/7), example FD46::1; think of these as the IPv6 equivalent of the IPv4 private addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
Know that IPv6 does not use ARP as IPv4 does; IPv6 uses Neighbor Discovery (ND) over ICMPv6. Plain ND can be spoofed on the local link much like ARP; the hardened variant SEND (Secure Neighbor Discovery) is not implemented by Windows 7.
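Added example (not from the notes) covering the IPv4 subnet arithmetic above and the IPv6 address forms of this section: a subnet calculator that returns the network, broadcast and usable host count for a CIDR block, and a helper that expands an IPv6 address and classifies its scope. It is written for the PowerShell 2.0 that ships with Windows 7 (no -shl/-shr operators), and the sample addresses at the bottom are constructed.

```powershell
# Added example, not from the notes. Sample addresses are constructed.

function ConvertTo-DottedDecimal([int64]$Value) {
    # 32-bit integer -> a.b.c.d (no shift operators in PowerShell 2.0, so divide instead)
    $octets = for ($i = 3; $i -ge 0; $i--) { [int]([math]::Floor($Value / [math]::Pow(256, $i))) % 256 }
    return ($octets -join '.')
}

function Get-IPv4Subnet([string]$Cidr) {
    # e.g. 10.46.0.0/28 -> network 10.46.0.0, broadcast 10.46.0.15, 14 usable hosts
    $addr, $prefixText = $Cidr -split '/'
    $prefix = [int]$prefixText
    if ($prefix -lt 0 -or $prefix -gt 32) { throw "Prefix length must be 0..32: $Cidr" }
    $b = [System.Net.IPAddress]::Parse($addr).GetAddressBytes()
    if ($b.Length -ne 4) { throw "Not an IPv4 address: $addr" }
    [int64]$ip   = ([int64]$b[0] * 16777216) + ([int64]$b[1] * 65536) + ([int64]$b[2] * 256) + $b[3]
    [int64]$mask = [int64]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $prefix))   # /28 -> 0xFFFFFFF0
    $network   = $ip -band $mask                       # host bits all 0
    $broadcast = $network + (4294967295 - $mask)       # host bits all 1
    # 2^(host bits) minus the network and broadcast addresses; /31 point-to-point links (RFC 3021)
    # are the exception to the "minus 2" rule and come out as 0 here
    $hosts = [int64][math]::Max([math]::Pow(2, 32 - $prefix) - 2, 0)
    New-Object PSObject -Property @{
        Network     = ConvertTo-DottedDecimal $network
        Broadcast   = ConvertTo-DottedDecimal $broadcast
        Mask        = ConvertTo-DottedDecimal $mask
        Prefix      = $prefix
        FirstHost   = ConvertTo-DottedDecimal ($network + 1)
        LastHost    = ConvertTo-DottedDecimal ($broadcast - 1)
        UsableHosts = $hosts
    }
}

function Get-IPv6Scope([string]$Address) {
    # strips a %zone suffix, expands to the full 8-group form and classifies by prefix
    $zone = $null
    if ($Address -match '^(.*)%(.+)$') { $Address = $Matches[1]; $zone = $Matches[2] }
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetworkV6) { throw "Not an IPv6 address: $Address" }
    $bytes  = $ip.GetAddressBytes()
    $groups = for ($i = 0; $i -lt 16; $i += 2) { '{0:x2}{1:x2}' -f $bytes[$i], $bytes[$i + 1] }
    $first  = [int]$bytes[0]
    $scope  = if ($first -ge 0x20 -and $first -le 0x3F)                          { 'Global (2000::/3)' }
              elseif ($first -eq 0xFE -and (([int]$bytes[1]) -band 0xC0) -eq 0x80) { 'Link-local (fe80::/10)' }
              elseif (($first -band 0xFE) -eq 0xFC)                               { 'Unique local (fc00::/7)' }
              elseif ($first -eq 0xFF)                                            { 'Multicast (ff00::/8)' }
              else                                                                { 'Other' }
    New-Object PSObject -Property @{ Address = $Address; Expanded = ($groups -join ':'); Scope = $scope; ZoneId = $zone }
}

# constructed sample input: the /28 from the notes and the three IPv6 examples above
Get-IPv4Subnet '10.46.0.0/28' | Format-List
'3ABA::1', 'FE80::AA12:231E:FFFF:12BC%2', 'FD46::1' | ForEach-Object { Get-IPv6Scope $_ } | Format-Table -AutoSize
```

Get-IPv4Subnet is the exam question in code: feed it the range you are offered and compare UsableHosts with the number of hosts you need; Get-IPv6Scope shows why a link-local address alone never reaches beyond its own link.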
Configure network settings
Configuring location-aware printing
Windows 7 supports Location-Aware Printing, a new feature only available in the Professional, Ultimate and Enterprise editions. On a standalone (or domain-joined) Windows 7 machine you can set a different default printer for each network you connect to; for example one default printer at home and another one at work.
Configure Windows Firewall
Windows Firewall is enabled by default for all connections. By default:
- The firewall drops all inbound traffic except traffic sent in response to a request from your computer and traffic allowed by an exception (rule).
- All outbound traffic is allowed unless it matches a blocking rule.
- Windows Firewall filters both inbound and outbound traffic (as it did in Vista; in XP SP2 and later it only filtered inbound traffic).
Windows Firewall have 3 different network Location type and different Firewall rules applies depending on the type:
- Domain – Used when your computer is joined to an Active Directory domain
- Private – Used when your computer is connected to a Home or Work network in a workgroup
- Public – Used often on Wireless hot spots.
Configuring Access to Resources (13%)
Configure shared resources
Configuring HomeGroup settings
HomeGroup is a new concept and, as the name implies, it is used at home (in contrast to a Domain/Workgroup). It works on all editions of Windows 7, but the Starter and Home Basic editions cannot create a HomeGroup; they can only join an existing one.
When you set up a new computer a HomeGroup is created automatically if one doesn’t already exist on your home network. To join an existing HomeGroup your network location must be set to Home Network (not Work Network, Public Network or Domain) and you must enter the correct password (created when the HomeGroup was set up).
If you want to share other folders (libraries) than Pictures/Music/Videos/Printers/Documents, select a folder in explorer.exe, open the Share with menu and choose:
- Homegroup (Read)
- Homegroup (Read/Write)
- Specific people…
Configure user account control (UAC)
User Account Control (shortened to UAC for the rest of this KB) is nothing new; it has existed in Windows Vista and Windows Server 2008 for some years now.
Basically UAC works like this: when a user whose account is a member of the local Administrators group (and so has admin rights on the machine) logs on, the user gets 2 access tokens: one standard user token (with the admin rights and admin SIDs filtered out) and one full token with admin rights. Explorer.exe (the desktop) and everything else is run with the lower-privileged standard token, and all child processes inherit those rights. If more rights/permissions are needed, UAC prompts and, depending on the settings, elevates to the full access token.
Windows 7 also includes UAC and it works as before, but with some improvements:
- An increased number of tasks that a standard user can perform without being prompted for Admin Approval.
- Administrators can configure the UAC experience (a restart is required for the change to take effect)
- Local Security Policies to change the behavior of UAC messages for administrators in Admin Approval Mode and for standard users
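As an added example (not part of the original KB), the script below shows the two-token behaviour described above by inspecting the token the current PowerShell process runs with; it uses only .NET WindowsIdentity and the built-in whoami tool.

```powershell
# Added example, not from the original KB: inspect the access token the current PowerShell
# process is running with, to see the two-token behaviour described above. Run it from a
# normal prompt and again from an elevated ("Run as administrator") prompt and compare.
function Get-UacTokenState {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

    # IsInRole() is $true only with the full token; on the filtered token the
    # Administrators SID is present but marked "deny only", so the check fails.
    $isElevated = $principal.IsInRole($adminRole)

    # whoami /groups lists each group SID in the token with its attributes.
    # Columns are "Group Name","Type","SID","Attributes".
    $groups     = whoami /groups /fo csv | ConvertFrom-Csv
    $adminGroup = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }  # BUILTIN\Administrators
    $label      = $groups | Where-Object { $_.SID -like 'S-1-16-*' }    # integrity level label

    $adminAttrs = '(not present in token)'
    if ($adminGroup) { $adminAttrs = $adminGroup.Attributes }
    $integrity = '(unknown)'
    if ($label) { $integrity = $label.'Group Name' }

    New-Object PSObject -Property @{
        User                 = $identity.Name
        IsElevated           = $isElevated
        AdminGroupAttributes = $adminAttrs   # "Group used for deny only" = filtered token
        IntegrityLevel       = $integrity    # Medium Mandatory Level = filtered, High = elevated
    }
}

Get-UacTokenState | Format-List User, IsElevated, AdminGroupAttributes, IntegrityLevel
```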
Configuring local security policy
Local Computer Policies can be set to change the behavior of UAC; they are found under Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options
Here are the 10 different settings, the important ones for the exam in bold:
- User Account Control: Admin Approval Mode for the built-in Administrator account – Disabled by default, which means that the built-in Administrator account bypasses UAC; if enabled it is treated like all other administrator accounts.
- User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop – Disabled by default; if enabled, applications such as Remote Assistance can run without being blocked by the Secure Desktop.
- User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode – Set to Prompt for consent for non-Windows binaries by default (more about this setting further below in this KB)
- User Account Control: Behavior of the elevation prompt for standard users – Set to Prompt for credentials on the secure desktop by default (more about this setting further below in this KB)
- User Account Control: Detect application installations and prompt for elevation – Enabled by default on Home editions and disabled by default on the Enterprise edition, because in an enterprise you might deploy applications with SMS/SCCM/GPO and want them to install silently.
- User Account Control: Only elevate executables that are signed and validated – Disabled by default; even if this is good for security it is not practical, since not all executables are signed.
- User Account Control: Only elevate UIAccess applications that are installed in secure locations – Enabled by default: only elevate UIAccess applications installed in %SystemDrive%\Program Files (including sub-folders), %SystemDrive%\Program Files (x86) (including sub-folders, on 64-bit editions) and %SystemDrive%\Windows\System32
- User Account Control: Run all administrators in Admin Approval Mode – Enabled by default, and if it is disabled the whole of UAC is disabled! Know this for the exam, as they will try to trick you on this one.
- User Account Control: Switch to the secure desktop when prompting for elevation – Enabled by default; all elevation requests go to the Secure Desktop, which dims the screen until you answer.
- User Account Control: Virtualize file and registry write failures to per-user locations – Enabled by default; if a non-elevated program tries to write to the HKLM registry hive or to, for example, C:\Program Files or C:\Windows\System32 and fails, this setting redirects the write to the user profile instead so that the program works. A good example is http://triplea.sourceforge.net/, a game that wants saved games stored in a sub-folder of the game installation (by default under C:\Program Files); instead they get saved under %UserProfile%\AppData\Local\VirtualStore
Configuring admin vs. standard UAC prompt behaviors
For administrators in Admin Approval Mode, the Behavior of the elevation prompt for administrators in Admin Approval Mode policy has 6 different settings, ranging from not notifying at all when elevating to prompting for a password on the secure desktop, with everything in between. Prompt for consent means that the user just accepts/denies elevation of a program/process without entering a password.
For standard users (with no administrator rights/privileges) there are 3 different settings:
- Automatically deny elevation requests – this gives an error each time admin rights/privileges are needed
- Prompt for credentials on the secure desktop (default) – this prompts for administrator credentials on the secure desktop.
- Prompt for credentials – same as above but without the Secure Desktop.
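As an added example (not part of the original KB) covering both the 10 UAC policies listed above and the admin/standard prompt behaviors, the script below reads the registry values those policies are stored in, decodes the prompt-behavior numbers into the policy names and flags the settings that switch UAC protection off; the value names are the documented UAC registry values under HKLM\...\Policies\System.

```powershell
# Added example, not from the original KB: audit the registry values behind the UAC policies
# described above and flag the ones that weaken UAC. The key is readable without elevation.
function Get-UacPolicyAudit {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $v   = Get-ItemProperty -Path $key

    # Policy (as shown in secpol.msc, shortened) -> registry value name
    $map = @{
        'Admin Approval Mode for the built-in Administrator account'        = 'FilterAdministratorToken'
        'Allow UIAccess applications to prompt without the secure desktop'  = 'EnableUIADesktopToggle'
        'Behavior of the elevation prompt for administrators in AAM'        = 'ConsentPromptBehaviorAdmin'
        'Behavior of the elevation prompt for standard users'               = 'ConsentPromptBehaviorUser'
        'Detect application installations and prompt for elevation'         = 'EnableInstallerDetection'
        'Only elevate executables that are signed and validated'            = 'ValidateAdminCodeSignatures'
        'Only elevate UIAccess applications installed in secure locations'  = 'EnableSecureUIAPaths'
        'Run all administrators in Admin Approval Mode'                     = 'EnableLUA'
        'Switch to the secure desktop when prompting for elevation'         = 'PromptOnSecureDesktop'
        'Virtualize file and registry write failures to per-user locations' = 'EnableVirtualization'
    }
    # Numeric values of the two prompt-behavior policies
    $adminPrompt = @{ 0 = 'Elevate without prompting'; 1 = 'Prompt for credentials on the secure desktop'
                      2 = 'Prompt for consent on the secure desktop'; 3 = 'Prompt for credentials'
                      4 = 'Prompt for consent'; 5 = 'Prompt for consent for non-Windows binaries' }
    $userPrompt  = @{ 0 = 'Automatically deny elevation requests'
                      1 = 'Prompt for credentials on the secure desktop'; 3 = 'Prompt for credentials' }

    foreach ($policy in ($map.Keys | Sort-Object)) {
        $name = $map[$policy]
        $raw  = $v.$name                       # $null when the value has never been written

        if     ($raw -eq $null)                        { $text = '(not set, built-in default applies)' }
        elseif ($name -eq 'ConsentPromptBehaviorAdmin') { $text = $adminPrompt[[int]$raw] }
        elseif ($name -eq 'ConsentPromptBehaviorUser')  { $text = $userPrompt[[int]$raw] }
        elseif ($raw -eq 1)                             { $text = 'Enabled' }
        else                                            { $text = 'Disabled' }

        # Settings that turn UAC protection off: EnableLUA=0 disables UAC entirely,
        # PromptOnSecureDesktop=0 drops the Secure Desktop, admin behavior 0 elevates silently.
        $warn = ($name -eq 'EnableLUA'                  -and $raw -eq 0) -or
                ($name -eq 'PromptOnSecureDesktop'      -and $raw -eq 0) -or
                ($name -eq 'ConsentPromptBehaviorAdmin' -and $raw -eq 0)

        New-Object PSObject -Property @{ Warning = $warn; Policy = $policy; Value = $raw; Meaning = $text }
    }
}

Get-UacPolicyAudit | Format-Table Warning, Policy, Value, Meaning -AutoSize
```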
Configuring Secure Desktop
Secure Desktop is an extra layer of security that is enabled by default but can be turned off via Local Computer Security Policy/GPO. When an executable requests elevation, the user desktop is switched to the Secure Desktop (the user desktop is dimmed) and the user is asked whether to elevate (Yes or No). Only Windows processes can access the Secure Desktop.
BranchCache is a new feature that reduces WAN link utilization by letting the first client in a branch office download a file from the main office; if a second client in the branch office requests the same file, it does not go over the WAN link but asks the first client for a copy.
Exam tip: know that only the Windows 7 Enterprise and Ultimate editions support BranchCache.
In short, the client requests a file on a BranchCache-enabled server over the WAN link via HTTP/SMB/BITS, preferably encrypted with IPsec. The client then checks whether the file can be found cached locally on the LAN (either on other Windows 7 clients or on a local Windows Server 2008 R2) using the BranchCache discovery protocol and WS-Discovery. If the file is found locally it is fetched from there; if not, the file is taken from the remote main office server and then cached locally, so the next client doesn’t have to go over the WAN to get it.
Network infrastructure requirements
You will need a minimum of one Windows Server 2008 R2 (2 servers for Hosted Cache mode) with the BranchCache role/feature installed, and Windows 7 Enterprise/Ultimate editions (BranchCache is installed by default but not enabled by default). IPsec is needed and also a certificate infrastructure.
Distributed cache mode vs. hosted mode
Know these 2 different modes and that only one can be active at a time on the client:
- Distributed Cache Mode – the branch office doesn’t need any servers, just Windows 7 clients; files requested from the main office are hosted on the clients and shared by the clients.
- Hosted Cache Mode – the branch office has one (or more) Windows Server 2008 R2 that hosts the files cached from the main office Windows Server 2008 R2 file server. The advantage is that clients that aren’t always online can always get the cached file from their local server.
Regardless of which mode you use, the first time a file is accessed it is fetched from the main office; thereafter the file is accessed locally.
By default BranchCache is installed but not enabled. The first step is to enable BranchCache and choose either Distributed Cache mode or Hosted Cache mode on the clients, which can be done either with GPO or netsh (GPO overrides netsh).
- GPO: Local Computer Policy -> Computer Configuration -> Administrative Templates -> Network -> BranchCache; set Turn on BranchCache to Enabled and then set one of Set BranchCache Distributed Cache mode or Set BranchCache Hosted Cache mode to Enabled.
- Netsh: netsh branchcache set service mode=DISTRIBUTED (for Distributed Cache mode) or netsh branchcache set service mode=HOSTEDCLIENT LOCATION=jbkbserver01.jbkb.local (for Hosted Cache mode)
If you use Hosted Cache mode, the Hosted Cache server must have a certificate that the BranchCache clients trust. If the certificate isn’t trusted by the clients, it must be exported from the server and then imported on the clients under the local computer account.
Configuring Mobile Computing (10%)
Configure BitLocker and BitLocker To Go
Know the 2 ways to use BitLocker:
1. Trusted Platform Module (TPM) 1.2 chip: store the decryption key in the TPM (preferred option)
2. Store the decryption key on a USB flash drive (this option needs to be activated in Group Policy and is not enabled by default); the USB flash drive must be present at each startup.
If any of the following changes, BitLocker locks the drive and it will not be possible to read from it:
- Disable TPM in BIOS
- Clear TPM
- The BitLocker-encrypted disk is moved to another computer
- Changes in boot files
- Boot without TPM, PIN or USB flash drive.
BitLocker To Go is used for removable storage and includes a drive (the discovery drive) that is hidden on Windows 7 but visible on XP and Vista; it contains the BitLocker To Go Reader software, which is used to unlock the BitLocker To Go drive with a password.
When you enable BitLocker on removable disks you get to choose how to unlock the drive: by a password you specify or by smart card.
You then get 2 different options to store the recovery key: save it to a file or print it.
Configuring BitLocker and BitLocker To Go policies
Here are some of the most important “BitLocker To Go” GPOs:
- Allow access to BitLocker-protected removable data drives from earlier versions of Windows – If this is not configured or enabled, versions such as Vista and XP SP2 and higher can unlock the drive with BitLocker To Go Reader. There is also a checkbox Do not install BitLocker To Go Reader on FAT formatted removable drives
- Deny write access to removable drives not protected by BitLocker – If this policy is enabled, removable disks that aren’t protected with BitLocker are mounted read-only.
- Control use of BitLocker on removable drives – If this policy is enabled or not configured, users can run the BitLocker wizard to protect removable drives.
Here are some of the most important BitLocker GPOs:
- Require additional authentication at startup – If the checkbox “Allow BitLocker without a compatible TPM” is checked you can boot with a removable USB flash disk. It is not checked by default, in which case only machines with a TPM chip enabled are allowed to use BitLocker. This policy can also set how the TPM can be used together with a Startup key/PIN.
- Configure minimum PIN length for startup – If this is disabled or not configured the minimum length is 4 and the maximum 20; if enabled you can set a value from 4 to 20.
- Choose drive encryption method and cipher strength – The default is AES 128-bit with Diffuser, but it can be changed to AES 256-bit with Diffuser, AES 128-bit or AES 256-bit.
If you have a TPM 1.2 chip you can use it alone, or together with a PIN, a Startup key, or both. Without a TPM you can only specify a Startup key.
The image above shows only the Startup key options, because there is no TPM 1.2 chip in that computer.
If BitLocker is enabled and you need to change the BIOS, upgrade hardware or update the OS, you should suspend protection and then make the changes. You could turn off BitLocker, but then you would need to set it up again from the start to get encryption back (and new keys would be created).
Data recovery agent support
When enabling BitLocker you get the option to save or print the recovery key; saving means saving the recovery key either to a file or to a USB flash drive.
The Data Recovery Agent needs to be configured with a proper certificate, and you must Add Data Recovery Agent under Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Public Key Policies -> BitLocker Drive Encryption (close to the same path in GPMC).
In the wizard either add a user who has a correct certificate or add a certificate file directly (.cer).
Know that the command line tool to manage all this is manage-bde.
For example, on a BitLocker-enabled machine that is decrypting (BitLocker being disabled) you can run this command to see the status:
In a domain environment it is recommended to store BitLocker recovery information for system drives in AD DS.
DirectAccess is the latest technology that replaces the need for a VPN. It is always active with no login: it checks whether the client is on the internal network, in which case it is not used; if the client is outside the internal network, the DirectAccess client connects to the DirectAccess server (even before a user has logged on to the client) and can give access to files wherever you are. This solution requires the latest technology on servers (Windows Server 2008 R2), clients (Windows 7 Ultimate/Enterprise) and network (IPv6/IPsec).
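As an added example (not part of the original KB) of checking status with manage-bde, the script below parses the text output of manage-bde -status into objects and warns about volumes whose protection is off; a constructed sample of the output is embedded so the parser can be tried on a machine without BitLocker.

```powershell
# Added example, not from the original KB: parse `manage-bde -status` output into objects and
# flag volumes that are not protected. The sample below is constructed to mimic the output;
# on a real machine replace it with the live command as shown at the bottom.
$SampleStatus = @'
Volume C: [OS]
[OS Volume]

    Size:                 148.00 GB
    BitLocker Version:    Windows 7
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100%
    Encryption Method:    AES 128 with Diffuser
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: None
    Key Protectors:
        TPM
        Numerical Password

Volume E: [Data]
[Data Volume]

    Size:                 7.45 GB
    BitLocker Version:    None
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0%
    Encryption Method:    None
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: None
    Key Protectors:       None Found
'@

function ConvertFrom-ManageBdeStatus {
    param([string[]]$Lines)
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^Volume ([A-Z]:) \[(.*)\]') {
            if ($current) { $current }               # emit the previous volume
            $current = New-Object PSObject -Property @{ Volume = $Matches[1]; Label = $Matches[2]; KeyProtectors = @() }
        } elseif ($current -and $line -match '^\s+(Conversion Status|Percentage Encrypted|Encryption Method|Protection Status|Lock Status):\s+(.*)$') {
            # "Protection Status" -> ProtectionStatus property, and so on
            $current | Add-Member NoteProperty ($Matches[1] -replace ' ', '') $Matches[2].Trim()
        } elseif ($current -and $line -match '^\s{8}(\S.*)$') {
            $current.KeyProtectors += $Matches[1].Trim()   # indented lines under "Key Protectors:"
        }
    }
    if ($current) { $current }
}

# Live use:  $volumes = ConvertFrom-ManageBdeStatus (manage-bde -status)
$volumes = ConvertFrom-ManageBdeStatus ($SampleStatus -split "`r?`n")
$volumes | Format-Table Volume, Label, ProtectionStatus, ConversionStatus, PercentageEncrypted, KeyProtectors -AutoSize
$volumes | Where-Object { $_.ProtectionStatus -ne 'Protection On' } |
    ForEach-Object { Write-Warning "Volume $($_.Volume) is not protected by BitLocker" }
```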
Configuring client side
First of all, the Windows 7 edition must be Enterprise or Ultimate. Second, the machine must be joined to an Active Directory domain.
I have had problems finding any special local GPO or client settings on Windows 7; it might all be managed from Windows Server 2008 R2.
The DirectAccess client establishes 2 IPsec tunnels (first a NAP check can be used to check the computer’s security health, but it is optional and out of the scope of this KB).
- IPsec ESP tunnel using the computer certificate – used to connect to the intranet DNS/DC, allowing GPO processing and authentication.
- IPsec ESP tunnel using both user and computer certificate – used when reaching resources on the intranet.
- End-to-end protection – a separate IPsec connection to each resource/server; more secure but requires applications/servers to run IPv6
- End-to-edge protection – one IPsec connection to an IPsec gateway server (could be the DirectAccess server); the IPsec gateway forwards all requests without encryption (IPsec)
By default username and password are used for authentication, but a smart card can be used as an extra layer of security.
After establishing an IPsec connection with certificates, the DirectAccess server verifies that the client and user are members of the AD group, so that they are authorized to connect with DirectAccess.
Network infrastructure requirements
- A minimum of one DirectAccess server running Windows Server 2008 R2 with two NICs: one connected directly to the Internet and a second connected to the intranet.
- On the DirectAccess server, a minimum of 2 public IPv4 addresses assigned to the NIC connected to the Internet.
- DirectAccess clients running Windows 7 (Enterprise/Ultimate edition) or Windows Server 2008 R2.
- Active Directory Domain/DNS/GPO
- PKI and IPsec
- IPv6 transition technologies on DirectAccess server: ISATAP, Teredo, and 6to4.
Monitoring and Maintaining Systems that Run Windows 7 (11%)
Event subscriptions work more or less the same as they did in Vista, with some smaller changes. One change is that Windows Remote Management has changed TCP port from 80/443 to 5985/5986 (where 5985 is set up by default and 5986, the encrypted one, needs extra actions).
Event subscriptions work so that one machine forwards its Event Viewer entries to a collecting computer.
To enable a Windows 7 machine to forward Event Viewer entries you need to run the following command:
To give a remote machine named JBKB-Desktop245 (in domain jbkb.local) permission to collect Event Viewer entries from the local forwarding machine, the machine account needs to be added to the local group named Event Log Readers, for example:
net localgroup "Event Log Readers" JBKB-Desktop245$@jbkb.local /add
Notice the $ after the machine name.
Now the forwarding machine has been configured to listen for incoming requests from the collecting machine (in this case JBKB-Desktop245).
To enable a Windows 7 machine to collect Event Viewer entries from a forwarding machine you need to start the Windows Event Collector service by running the following command:
Now you can create a subscription in Event Viewer and decide which entries you want to collect.
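As an added example (not part of the original KB), the script below carries out the forwarder and collector steps described above and verifies them; the collector account name JBKB\JBKB-Desktop245$ (NetBIOS domain form) is an assumption for the example, and winrm, wecutil and net are the standard Windows tools.

```powershell
# Added example, not from the original KB: configure a forwarding machine and a collecting
# machine for event subscriptions, then verify the forwarder. Run each function on the
# matching machine from an elevated prompt. The collector account name is assumed.
$CollectorAccount = 'JBKB\JBKB-Desktop245$'   # computer account: note the trailing $

function Enable-EventForwarder {
    param([string]$Collector = $CollectorAccount)
    # 1. Enable Windows Remote Management: WinRM service, HTTP listener on TCP 5985, firewall exception
    winrm quickconfig -q
    # 2. Let the collector's computer account read this machine's event logs
    net localgroup "Event Log Readers" $Collector /add
    # 3. Check the result
    Test-EventForwarder -Collector $Collector
}

function Test-EventForwarder {
    param([string]$Collector = $CollectorAccount)
    $svc      = Get-Service WinRM
    # The listener dump contains a line like "    Port = 5985"
    $portLine = winrm enumerate winrm/config/listener | Select-String '^\s*Port\s*=\s*(\d+)' | Select-Object -First 1
    $port     = $null
    if ($portLine) { $port = [int]$portLine.Matches[0].Groups[1].Value }
    # Group membership is listed one account per line, e.g. "JBKB\JBKB-Desktop245$"
    $account  = $Collector -replace '^.*\\', ''
    $members  = net localgroup "Event Log Readers"
    $added    = [bool]($members | Select-String -SimpleMatch $account)

    New-Object PSObject -Property @{
        WinRMRunning   = ($svc.Status -eq 'Running')
        ListenerPort   = $port          # expect 5985 (HTTP); 5986 only after an HTTPS listener is added
        CollectorAdded = $added
    }
}

function Enable-EventCollector {
    # Configure and start the Windows Event Collector service (Wecsvc) on the collecting machine
    wecutil qc /q
    Get-Service Wecsvc | Select-Object Name, Status
}
```

After Enable-EventCollector, the subscription itself is created in Event Viewer as described in the next sentence.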
Configuring Backup and Recovery Options (11%)
The new, updated backup in Windows 7 is a big improvement over Vista’s built-in backup, which couldn’t select a single file or folder to back up; now you can do that again :-).
Start the Backup wizard and choose where to save the backup; possible choices are writable CD/DVD or external hard disks. It is also possible to “Save on a network…”, where you specify a UNC path together with a username and password with permission on the share.
If you later want the possibility to do a system image (VHD) you must specify an NTFS disk.
What do you want to back up? Either you let Microsoft choose, which gets all documents/music/video/e-mail/compressed files/data in libraries and on the desktop, or you pick Let me choose and can add extra folders outside the user profile such as C:\jbkb\important data.
If you choose Let me choose you can browse the disk and add folders of your choice. If the disk you choose for the backup is large enough and has the NTFS file system, you can do a system image by checking Include a system image (it will be saved under WindowsImageBackup\%ComputerName%\xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.vhd as a virtual hard disk!)
http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-680&locale=en-us#tab1 Certification 70-680 Windows 7, Configuration.
http://technet.microsoft.com/en-us/library/dd349342(WS.10).aspx – TechNet information on Windows 7; a lot of this KB is based on this information.
http://en.wikipedia.org/wiki/Windows_7_editions#Comparison_chart – Compare different Windows 7 versions
http://www.microsoft.com/downloads/details.aspx?FamilyID=A9A1ED8A-71AB-468E-A7E0-470FD46E46B3&displaylang=en – BranchCache Early Adopter’s Guide
http://www.microsoft.com/downloads/details.aspx?familyid=64966e88-1377-4d1a-be86-ab77014495f4&displaylang=en – DirectAccess
http://www.microsoft.com/downloads/details.aspx?FamilyID=19d2fc2b-a7f2-4aad-a1e2-6bbb773fb78b&displaylang=en – Internet Explorer 8 Technology Overview for IT Pros
http://www.windowsnetworking.com/articles_tutorials/Deploying-Windows-7-Part2.html – good DISM.exe examples.