MCITP 70-680 Exam Notes


Installing, Upgrading, and Migrating to Windows 7

Go back and add notes here.

Deploying Windows
Run sysprep to prepare a computer for capturing an image with the Welcome prompts
ImageX is included with Windows AIK
imagex /capture c: c:\wind7desktop.wim - Capture an image of the C drive to the C drive
If you save another image with ImageX to the same filename, it only saves the changes
/compress fast switches compress the file
DISM (Deployment Image Servicing and Management tool) can update a WIM file
dism /Get-WimInfo /WimFile:install.wim - Shows images contained in the WIM file
dism /Mount-Wim /WimFile:install.wim /index:1 /mountdir:c:\mount - Mounts the WIM file to the C drive for editing
Created in C:\Mount. Can add files to default user's desktop... etc.
dism /Image:<WimFile> /Add-Driver /Driver:<INF file>
To add software, only supports MSU and CAB files
diskpart - to start diskpart (further commands come later)
select disk 0
clean
create partition primary size=100 (size in MB)
select partition 1 (partitions start with 1, as opposed to HDD starting with 0)
format fs=ntfs quick label=system
active (copies bootstrap data to the HDD to make it bootable)
create partition primary (creates partition using all available space)
select partition 2
format fs=ntfs quick label=windows
assign letter=g (assigns partition 2 the letter g)
exit (leaves diskpart)
Navigate to network drive with ImageX in it
imagex /apply win7desktop.wim 1 g: (applies the image to partition 2)
g:\windows\system32\bcdboot g:\windows
System is now complete and ready to boot
All of these commands can be put into a batch file
Can alternatively download MDT (MS Deployment Toolkit)
It's hella robust and complicated

Configuring Hardware and Applications
Go back and add notes here.

Configuring Network Connectivity
IP troubleshooting commands:
ipconfig /release /renew /flushdns /registerdns
ping (test connection to other device)
tracert (see each hop)
netstat -a (see open ports on your machine)
Metal structures can interfere with wireless signals
Wireless networks generally not as fast as wired
WEP, WPA, WPA2 - In order of security
Can change channel under Wireless Device advanced tab to reduce interference
Windows Firewall first introduced with Windows XP.
Stateful firewall = data is allowed in only if first requested by the client computer
Network Locations in Windows 7 = Home, Work, Public. Sets firewall rules.
Windows Firewall > Allowed Programs to allow certain programs through the firewall
Port 80 is Internet port. Port 23 is telnet port (unencrypted).
Windows Firewall with Advanced Security settings can be exported and imported into Group Policy for your domain
Remote Desktop settings - Control Panel > System and Security > System > Remote Settings
Allow Connections from Computers
Select Users and add administrative user account
Good to create a WIM image with these settings for company computers
Windows Remote Management Service (WinRS) and PowerShell are used for executing commands from a remote computer
WinRM quickconfig can be run on the client computer to allow it to receive commands
WinRS -r:CompName ipconfig will run ipconfig on that computer
PowerShell uses cmdlets, which are pre-configured scripts that are very powerful
PowerShell: icm computername {get-wmiobject -class win32_desktop}
Remote Assistance can request for someone to remote in via email
Easy Connect requires IPv6
Must have "Allow Remote Access" ticked under the Remote tab in Computer props
Remote Desktop, on the other hand, will lock the desktop. Used for remote control.
Windows 7 Professional, Enterprise, and Ultimate required
Can edit properties (color depth, connection speed... etc.) to improve Remote Connections
Two computers on a DOMAIN already have a trust for PowerShell communication

Configuring Access to Resources
Folder virtualization = Windows 7 Libraries
Library properties > Set save location = files are saved to that folder within the Library
Workgroup is decentralized and hard to manage for lots of computers and users
Homegroup is centralized with one password, and printers and files can be shared
Computers on a domain cannot create or access resources from a Homegroup
Network location awareness for printers only available on computers with a battery installed
When Share and NTFS permissions are combined, the most restrictive rule wins
Encrypting File System (EFS) on Professional, Enterprise, or Ultimate only
Encrypted file certificates are tied to your user account.
You can back up your certificates in case you ever delete your user data
Data Recovery Agent (DRA) places a second decryption key within the file
Run mmc and add a new Certificates Snap-In to enable certificates
Right-click on file and tick "Encrypt files to protect data".
DRA - Create a new account:
Open up command prompt, and type cipher /r:DRAKeys
Then type in password to protect the PFX file.
This will create two keys, one public and one private.
Open up Local Group Policy Editor
Security Settings > Public Key Policies > Encrypting File System
Right-click and Add Data Recovery Agent.
Select the public certificate file (.CER) that was created.
Do this before users start encrypting files
UAC works by using two SIDs (one for logged-in user, and one for admin)
Certificate Authority (CA) can either be private (managed by company) or third party
certmgr.msc is the Certificate Manager
From here, you can import and export certificates created on the computer
Smart card is any card with a chip embedded in it, such as Authentication cards for Win7
Some businesses might use smart cards because they are more secure than name/pass
Smart cards contain a public and private key. Needs either laptop reader or external one.
Most smart cards will not allow you to export a private key from the card.
Personal Identity Verification (PIV) standard used with smart cards (defines how data is stored)
Windows 7 automatically supports PIV and downloads drivers
TLS is protocol used with Smart Cards to communicate with network
Group Policy location: Computer config\Policies\Windows Settings\Security Settings\Local Policies\Security Options
Contains flags and settings to make smart card logon required
Define what happens if a smart card is removed (can force logoff or no action)
Rights = Allow or Deny - best to use default groups in Windows when assigning rights
Open Local Security Policy to jump right to the user rights assignment section
Simply add different user groups to each right (i.e. Log on locally)
PRO TIP: Shift + Right-click adds "Run as a different user" option
runas /user:computername\username <path to the executable>

BranchCache caches files sent over WAN within the LAN for faster access
Requires Win7 Enterprise/Ultimate or Server 2008 R2
Auto kicks in when round-trip latency exceeds 80 ms
Hosted mode requires Server 2008 at each location and SSL cert
Distributed cache mode = Each Win7 comp has its own cache
Group Policy > Admin Templates > Network > BranchCache
netsh branchcache show status (shows BC mode running)
netsh branchcache set service mode=hostedclient location=servername
mode=distributed (no location param needed b/c no server)
netsh branchcache show localcache (shows cache size/location)
BC needs port 80 (ib/ob TCP) open regardless of mode
Distributed needs UDP port 3702 ib/ob
Hosted needs ob TCP port 43

Configuring Mobile Computing
BitLocker encrypts the entire volume including the operating system
Windows 7 Enterprise or Ultimate only
Needs a 100 MB separate system partition (configured when enabling BitLocker)
Hard drive can't be removed and used on another computer
Trusted Platform Module (TPM) - chip on the motherboard that stores keys
Keys can be stored on a USB key instead if you don't have TPM
The chip needs to be 1.2 or higher and enabled in BIOS
BitLocker Modes:
TPM Only = computer will boot normally
TPM w/ a PIN = User is prompted for a PIN on startup
TPM and USB key = Store a key on USB. Read on bootup.
TPM, USB Key and PIN = Most secure
Without TPM = Just a USB key
BitLocker Recovery Key is created during the wizard. Keep this for recovery later.
Also gives you option to place the key on a USB drive
TPM Administration under Control Panel > System and Security > BitLocker
BitLocker To Go encrypts portable drives like flash drives
When configured, reader software for older versions of Windows is installed
Read-only access on older versions of Windows
Configuring BitLocker To Go from Group Policy
gpedit.msc to open the local group policy editor
BitLocker > Removable Data Drives
Several options in there (six in total)
DirectAccess requires IPv6 to run
Requires Server 2008 for DC and DNS and a Public Key Infrastructure
Requires two network cards on the server using DirectAccess
Used for laptops outside of work instead of VPN to connect to work network
In Group Policy > Windows Settings > Name Resolution Policy
Add DNS servers to use with DirectAccess
Can also use netsh (for scripts or a couple of computers)
netsh interface IPv6 set Teredo enterpriseclient <IP address>
netsh namespace show effectivepolicy (see which settings are in effect)

Monitoring and Maintaining Systems that Run Windows
VPN = virtual private network
Data is encrypted
Has integrity checking and prevents a replay attack
Protocols:
PPTP - Weakest because it doesn't require certs (port 1723)
L2TP - Uses IPsec for encryption and requires certs (1701 and UDP port 500)
SSTP - Uses HTTPS for encryption and port 443 (popular protocol)
IKEv2 - Supports new W7 reconnect feature, requires W7 to Server 2008 R2
Authentication Protocols:
PAP - uses unencrypted passwords. Disabled by default.
CHAP - Sends a challenge (Hash) to the client.
MS-CHAP v2 - Improved CHAP and user can use current login credentials
EAP - Additional protocols can be bolted on
PEAP - Protected EAP. EAP traffic is encrypted.
To set up a VPN: Network/Sharing Center > Set up a Connection or Network > Connect to a workplace
diskpart - list partition
Asterisk next to primary partition
clean command wipes the hard disk
convert gpt converts disk to GPT format
Paging file on a separate partition from the OS = performance benefits
A volume is a single logical storage area, can contain several partitions
When moving a dynamic disk to another computer, the drive letter will not change
You can convert a basic disk to dynamic, but not the other way around
RAID (Redundant Array of Independent Disks)
RAID 0 (striped) and RAID 1 (Mirror)
RAID in Windows is software only
RAID 0 is when data on hard disks is spread evenly across all the drives in the volume
Requires two or more drives
Read/Write performance is increased because all HDDs work at same time
If one HDD fails, you lose all the data in the set.
You can't boot Win7 in a RAID 0 HDD
All hard disks in the set must be the same size
RAID 1 can still function if one HDD fails
Requires 2 hard disks
No performance advantage - data cost is effectively doubled.
Disk Management > Import Foreign Disk
Right-click on a disk > Add Mirror. This makes it a dynamic disk and enables a RAID 1 setup.
Configuring Backup and Recovery Options
System image works for bare-metal recoveries (different hardware)
Windows 7 will automatically detect the different hardware
Includes boot sector
Cannot back up Windows to the same volume as Windows, recovery partition, or a partition encrypted with BitLocker
All Programs > Maintenance > Backup and Restore
Control Panel > Backup and Restore > Create a system image
You can restore using a system image via a System Restore disc
Restore disc > Advanced > Search for a system image on the network
Previous Versions used to be called shadow copies.
Restore point is created on startup / midday / and when a significant change occurs
Only saves documents that have been modified
Only saves one change per day
Computer Properties > System Protection > Restore system settings and previous versions of files
To access previous versions of files that have been deleted, right-click on the container folder and restore prev. versions

Professor Messor Notes
Section 1: Installing, Upgrading, and Migrating to Windows 7
Windows 7 Editions:
Starter (32-bit only):
Built for netbooks
No Aero, DVD playback, Windows Media Center, web server... etc.
Limited to 2 GB of RAM
Home Basic:
Geographical activation restriction (emerging markets only)
Similar restrictions to Starter, except it has a 64-bit version
Home Premium:
Everything except for Enterprise technologies
Can't connect to domain, no BitLocker, EFS, AppLocker, BranchCache... etc.
x64 supports up to 16 GB of RAM
Professional:
Can connect to a Windows Domain
Supports Remote Desktop Host and EFS (encrypted file system)
No BitLocker, AppLocker, BranchCache... etc.
Includes XP mode
x64 supports up to 192 GB of RAM
Ultimate:
BitLocker, AppLocker, BranchCache... etc. included
x64 supports 192 GB of RAM
Enterprise:
Can't buy off the shelf
Same as Ultimate, but designed for volume licensing
Windows 7 Installation Sources
DVD or ISO
Cheap, but doesn't scale well. Slower.
USB Drive or portable hard drive
Flexible. Can add drivers and other files.
Faster read/write than a DVD.
Need at least 4 GB of space.
Preparing a USB Installation:
Run diskpart from an Admin command prompt
list disk to see which disk the USB drive is
select disk #
clean, create partition primary, format fs=fat32 quick
active makes it bootable
exit to leave diskpart
Then just copy contents of Win7 install disc to USB drive
Network share
Copy the installation media to a share
Boot from PE (bare-bones Windows environment)
Can easily be updated and modified
Windows PE is downloadable for free with AIK
Run Deployment Tools Command Prompt
copype x86 C:\windowspe86 will copy the PE install files to that folder
winpe.wim can be customized
Copy the winpe.wim file to C:\windowspe86\ISO\sources
Rename winpe.wim to boot.wim
oscdimg command creates ISOs from a directory
Automated Deployment
Windows Deployment Services (WDS)
Requires a network, Server 2008, AD, PXE network adapter
Uses multicast and scales very well

Windows 7 Clean Installation
Unattended installation:
Answers are in Unattend.xml (used when not booting from installation media)
Autounattend.xml can also have answers
Contains partitioning information and used in conjunction with boot media
Clean installation just means no existing OS on the HDD when doing the installation
Windows 7 Dual-boot Installation
Each OS needs its own partition (Win7 needs at least 15 GB)
Alternatively, you can install to a VHD without the need to make a new partition (Win7 Ultimate)
The 100 MB recovery (WinRE) partition isn't created when dual booting
bcdedit
Edits /boot/bcd in the Windows 7 hidden partition
Needs to be run from an elevated prompt
displayorder {ntldr} = XP, {current} = Win7
bcdedit /export C:\savebcd - Export current boot settings
bcdedit /import C:\savebcd - Import settings to undo changes
bcdedit /set {current} description "New Entry Description"
bcdedit /displayorder {ntldr} /addfirst (or /addlast) - Change the OS list order
bcdedit /default {ntldr} - Changes the default option for when it times out
Upgrading to Windows 7
Only Windows Vista Business can upgrade to Win7 Professional
Vista Enterprise can only upgrade to Win7 Enterprise
Windows Vista Ultimate can only upgrade to Ultimate
All versions of Vista can upgrade to Ultimate
Windows 7 Upgrade Advisor will determine if your system can support Win7
Microsoft Assessment and Planning Toolkit (MAP) - large-scale upgrade planning
Before upgrading, make sure OS is completely up to date
Upgrade needs at least 10 GB of free space
MAP integrates with Active Directory (scans the network to find computers)
Can inventory many different operating systems
Doesn't require any agent software
Migrating User Profiles with Windows Easy Transfer
When doing a side-by-side transfer, best to launch Easy Transfer from Windows 7 (not XP)
Easy Transfer saves to a file/folder to be imported on the newer computer or OS.
Side-by-side can be done with either an easy transfer cable or a network share
Migrating User Profiles with the User State Migration Tool (USMT)
Included with Windows AIK and works at the command line
Can migrate from XP to Vista or 7, as well as Win7 to Vista. Not Win7 to XP.
MigApp.xml - Migrates application settings (folder options, fonts, wallpapers... etc.)
MigUser.xml - Migrates user folders, files, and file types
MigDocs.xml - Location of user documents
Config.xml - Exclude migration features
Storing Migrated Data:
Uncompressed - Stored in folders, viewable in Explorer
Compressed - Uses less space, can't be viewed in Explorer
Hard-link - Creates links to the user data, doesn't duplicate files
Minimum of 250 MB free to transfer user info
scanstate grabs the user data and saves it to a file (USMT.MIG)
loadstate imports the USMT.MIG file and user data

Section 2: Deploying Windows 7
Deploying Windows 7 Overview
Windows Automated Installation Kit (AIK):
Windows SIM (System Image Manager) - Manages image distribution
ImageX - Create and modify Windows images (WIM)
DISM - Modify an image with updates and drivers
Windows PE - Minimal boot OS
oscdimg - Command-line creation of ISO files
Creating a Reference Image
Create an answer file and save autounattend.xml to the root
Use sysprep to generalize and set oobe (out-of-box experience)
Create bootable Windows PE disc or flash drive and create image from there
Windows System Image Manager (SIM) automates building an answer file
SIM:
Import a WIM file (from Win7 DVD, for example)
install.wim file located under sources folder of the install disc
Create New Answer File
Windows_Setup component > User data folder
Add to answer file
AcceptEula = true to auto-accept agreement
Tools > Validate answer file
This file can be saved to a flash drive if you want.
Run audit mode (Shift+Ctrl+F3) on bootup
Bypasses Windows welcome
Tweak the reference image, load apps and drivers... etc.
This is done on the reference computer
From here, you can install applications and patches like normal
Run sysprep
Clear unique names
Set OOBE (Windows Welcome)
C:\windows\system32\sysprep\sysprep.exe /oobe /generalize /shutdown
/generalize lets it install on different hardware
Capturing an Image
Copy ImageX to Windows PE disc/flash drive or copy it to a network drive
copy "C:\Program Files\windows AIK\tools\x86\imagex.exe" C:\winpe\ISO
copy c:\winpe\winpe.wim c:\winpe\iso\sources\boot.wim
oscdimg -n -bc:\winpe\etfsboot.com c:\winpe\iso c:\winpe\winpeimagex.iso
WIM file does not contain partition information. Can contain many images.
Once in WinPE:
net use h: \\networksharefolder /u:admin\2191admin
Enter user password for that account.
Drive H is now mapped to \\networksharefolder
net use to find the drive you want to image. In this case, D is the Windows drive.
If E drive is mounted CD, run e:\imagex /capture d: h:\winlab.wim Name /compress fast /verify - This will capture the contents of D and save as WIM file to mapped H
Preparing for Deployment
DISM can be used to:
Update applications
Manage drivers
Manage updates
dism.exe /Get-WimInfo /WimFile:<WIM_file> /Index:<image_index>
Can alternatively use imagex /info <WIM_File> 1 (index num) - Messy XML results
Shows human-readable info about the image
dism.exe /Mount-Wim /WimFile:<path> {/Index:<index>} /MountDir:<target_mount_dir>
Alternatively, imagex /mountrw
Good to create a folder called Mount as the target directory
Managing Drivers:
dism /online /Get-Drivers /all - Currently running OS. Read-only.
dism /image:<imageDir> /Get-Drivers /all - WIM file. Can read/write.
dism /image:<imageDir> /Add-Driver (or /Remove-Driver)
64-bit drivers must be signed, unless you use /ForceUnsigned
/Add-Driver /Driver:<folder_name> /Recurse - Recurse will add all drivers found in folder
Third-party drivers are renamed to oem1, oem2... etc. after adding to WIM file
Managing Applications:
/Get-Packages, /Add-Package, /Remove-Package
Only works with .cab and .msu files
/Get-Features, /Disable-Feature:<Name>, /Enable-Feature:<Name>
To save changes, you must run /Commit-Wim /MountDir:<target_dir>
Alternatively, /Unmount-Wim /MountDir:<target> /Commit (or /Discard)
Need to unmount either way, so second option is better if done
Make sure Explorer windows and other apps are closed when unmounting
Use Unattend.xml to configure package installation order after deployment
dism /Image:<image_path> /Apply-Unattend:<path_to_unattend.xml>
Create the Unattend.xml files using Windows SIM
Deploying a System Image
Microsoft Deployment Toolkit (MDT) 2010 - Graphical, makes process easier
Windows Deployment Services (WDS) - Image many systems at once with multicast
Lite Touch Installation (LTI) - deploy without large systems management infrastructure
Zero Touch Installation (ZTI) - Integrates Systems Management Server (SMS) or System Center Configuration Manager (SCCM) 2007 for complete automation
MDT 2010 (requires Windows AIK):
Provides graphical front end for everything we did with ImageX, dism... etc.
New Deployment Share wizard
You can set the local admin account
Can set whether or not to ask for Product Key
Once share is created, right-click and go to Properties. Other options in here.
Right-click on Operating Systems and select Import Operating System.
Can choose full source files (DVD) or custom image file (WIM)
Out-of-Box Drivers > Import drivers > Select folder with drivers
Packages can be added (.cab and/or .msu)
New Task Sequence Wizard
Can set product key, local password, and IE homepage
Can create different task sequences for diff. computers
Right-click > Update deployment share to apply changes
Can pull the resulting ISO file from the Deployment Share directory and run on a comp
Will run a custom version of Windows PE with deployment options
Need to enter in the credentials for access to the deployment share
Windows Deployment Services requirements:
AD Domain Services
NTFS file system
Local admin rights
DHCP server (or PXE)
WDS is graphical, whereas wdsutil is command-line based
WDS Images - Boot image (via PXE), Install image (OS to be installed)
Administrative Tools > Windows Deployment Services
Set the WIM file as the Install Image in WDS
Boot image = boot.wim from the Windows 7 DVD
This is still a Lite Touch installation. SCCM is needed for zero touch.
Discover image is needed if the client comp doesn't support PXE
Working with Virtual Hard Disks
VHD supported in Ultimate and Enterprise only
Ideally, the VHD would be on a separate disk (or at least another partition)
Can use ImageX to apply a WIM file to the VHD
Computer Management (Disk management):
Action > Create VHD > Choose where to save the file
Fixed size vs Dynamically expanding. Fixed size is recommended.
Using Diskpart:
create vdisk file=c:\vhd\win7lab.vhd maximum=20000 type=fixed (20 GB)
select vdisk file=<path>
list disk
attach vdisk
create partition primary
format fs=ntfs quick label=Win7Lab2
assign letter=j (Assigns drive letter J to the VHD)
ImageX:
imagex /apply <path_to_WIM>
Can then check the drive in Explorer to make sure everything is there
diskpart detach vdisk ... Then you can move the VHD file elsewhere
Need to use bcdedit to make the VHD bootable
Can only boot to Windows 7 from a VHD
Can't store the VHD on a drive using BitLocker or hibernation. This is bad for laptops.
bcdedit /copy {current} /d "Windows blah blah"
bcdedit /set <GUID> device vhd=[c:]\vhd\win7lab2.vhd
Do the same for osdevice
/set <GUID> detecthal (detect hardware abstraction layer)
"Windows Blah Blah" option will now boot to the VHD when selected

Section 3: Configuring Hardware and Applications
Configuring Devices
Device > Properties > Details > Device GUID to look up device unique ID
Device Installation Settings - Set who and what can make changes
Plug and Play (PnP) are drivers that are already installed
Driver Store - Windows/CurrentVersion/DevicePath
Copies the driver for use to Windows\System32\drivers
New drivers can be staged using pnputil
pnputil.exe -a C:\drivers\driver.inf - Add new driver (pre-stage)
pnputil.exe -e - Shows all third-party drivers installed
Can set classes of allowed device installations within Local Group Policy
You can run verifier from the command line to launch a GUI version
Can look at the really deep, nitty-gritty details for drivers
Signed drivers contain a cryptographic signature from Microsoft
Must be an admin to install an unsigned driver
If you have a Certificate Authority, you can sign drivers yourself
This is more important with Windows 7 64-bit
Run sigverif to scan for device drivers that have not been digitally signed
msinfo can be run to get a list of resource conflicts on your system
Configuring Application Compatibility
Application Compatibility Toolkit - Download from Microsoft.com
Comes with Application Compatibility Manager
Compatibility Administrator
View compatibility fixes for 3rd-party apps
Analyze apps, create your own shim
Internet Explorer Compatibility Test Tool
Application Compatibility Manager is used to monitor issues across a large network
Has a HUGE list of applications and what happens when you try to run them
These compatibility fixes are called shims
IE Compatibility test tool needs to be run while surfing the web with IE8
When it detects problems with websites/apps, it will list them
App Compatibility Group Policies
Can change policies to modify how Windows reacts to errors
If an installer fails, for example, you can enable "Detect Application install failures"
This will prompt a user when an install fails to run it in XP compat mode
Windows XP Mode:
Runs XP in a virtual machine
Only available in Professional and up
Integrates with Win7, so you can launch applications from within Windows 7
XP mode kicks in in the background in that case
Software Restriction Policies
Group Policy editor - Run > gpedit.msc or search for Group Policy
A bit of overlap with AppLocker, but AppLocker only works in 7 Ult and Enterprise
Group policy works across XP, Vista, and 7
Computer Config\Windows Settings\Security Settings\Software Restriction Policies
Use Local Security Policy editor if not on a domain
Enforcement Properties can set rules to apply to all users or all users except local admins
Under Designated File Types, you can add or remove file types that will be affected
If AppLocker is in use, AppLocker always wins over group policy rules
Order of priority:
Hash rules - Specific rule, allowing or disallowing an exact executable, incl. version
Cert rules - Control app usage by publisher, hard to fool, app must be signed
Path rules - Control based on files or folders, can be circumvented by moving file
Network Zone rules - Control based on download location, only applies to .msi files
Default rules - Either disallowed, basic user, or unrestricted (which is the default)
To apply a hash rule, just right-click, New Hash Rule, navigate to the app, then Disallow.
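
The order of priority above, modelled as an added example (not part of the original notes and not Microsoft's implementation) to show which rule types keep holding when a file is moved or updated. Rule, Candidate and evaluate are hypothetical names, SHA-256 stands in for the file hash, the sample files and publisher are constructed, and ties between rules of the same type are resolved strictest-first as a simplification.

```python
import hashlib
import ntpath
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Rule types from most to least specific, in the order the notes list them.
PRECEDENCE = ["hash", "certificate", "path", "zone"]
# Used only to break ties between rules of the same type (model assumption).
STRICTNESS = {"Disallowed": 0, "Basic User": 1, "Unrestricted": 2}


@dataclass
class Rule:
    kind: str    # one of PRECEDENCE
    match: str   # hex digest, publisher name, file/folder path, or zone name
    level: str   # "Disallowed", "Basic User" or "Unrestricted"


@dataclass
class Candidate:
    path: str                        # full Windows path of the file being launched
    content: bytes                   # file bytes (constructed stand-in)
    publisher: Optional[str] = None  # signer name; None means unsigned
    zone: Optional[str] = None       # zone the file was downloaded from


def file_hash(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def is_under(path: str, root: str) -> bool:
    """True when path is root itself or lies below the folder root."""
    p = ntpath.normcase(ntpath.normpath(path))
    r = ntpath.normcase(ntpath.normpath(root)).rstrip("\\")
    return p == r or p.startswith(r + "\\")


def rule_matches(rule: Rule, f: Candidate) -> bool:
    if rule.kind == "hash":
        return rule.match == file_hash(f.content)
    if rule.kind == "certificate":
        return f.publisher is not None and rule.match == f.publisher
    if rule.kind == "path":
        return is_under(f.path, rule.match)
    if rule.kind == "zone":
        # Per the notes, zone rules only apply to .msi packages.
        return f.path.lower().endswith(".msi") and rule.match == f.zone
    return False


def evaluate(rules: List[Rule], f: Candidate,
             default: str = "Unrestricted") -> Tuple[str, str]:
    """Return (security level, rule type that decided it)."""
    for kind in PRECEDENCE:
        hits = [r for r in rules if r.kind == kind and rule_matches(r, f)]
        if hits:
            strictest = min(hits, key=lambda r: STRICTNESS[r.level])
            return strictest.level, kind
    return default, "default"


# Constructed sample data: a tool the admin wants blocked, and a newer build of it.
OLD_BUILD = b"oldtool build 1.0 (constructed bytes)"
NEW_BUILD = b"oldtool build 1.1 (constructed bytes)"
INSTALLED = Candidate(r"C:\Program Files\OldTool\oldtool.exe", OLD_BUILD, "Example Corp")
MOVED = Candidate(r"C:\Users\alice\Desktop\oldtool.exe", OLD_BUILD, "Example Corp")
MOVED_NEW = Candidate(r"C:\Users\alice\Desktop\oldtool.exe", NEW_BUILD, "Example Corp")

PATH_POLICY = [Rule("path", r"C:\Program Files\OldTool", "Disallowed")]
HASH_POLICY = [Rule("hash", file_hash(OLD_BUILD), "Disallowed")]
CERT_POLICY = [Rule("certificate", "Example Corp", "Disallowed")]

if __name__ == "__main__":
    policies = [("path", PATH_POLICY), ("hash", HASH_POLICY), ("cert", CERT_POLICY)]
    files = [("installed", INSTALLED), ("moved copy", MOVED), ("moved new build", MOVED_NEW)]
    for name, policy in policies:
        for label, f in files:
            print(f"{name:5} policy, {label:16} -> {evaluate(policy, f)}")
```

The path rule stops matching once the file sits in another folder and the hash rule stops matching once the bytes change, which is why the publisher rule is the only one of the three that still applies to the moved new build.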
Understanding AppLocker
Only available on W7 Ultimate, Enterprise, and Server 2008 R2
Can control by users or groups within Group Policy
Requires Application Identity service to be running automatically
Block rules always override Allow rules
Group Policy - Windows Settings\Security Settings\Application Control Policies\AppLocker
AppLocker has wizards for configuring settings
Rule categories:
Executable rules - .exe and .com files
Windows Installer rules - .msi and .msp files
Script rules - .bat, .cmd, .js, .ps1, and .vbs files
Default is to block everything after enabling AppLocker
When you create new defaults, everything is allowed.
Publisher Rules:
Pulled from the file information
Existing file and all future versions
Path Rules:
Pick file or folder and allow executables to run
File Hash Rules:
Specific rules for specific programs
File version = * - Applies to any version of the program
Exceptions can be made for certain versions of a program
Under AppLocker properties, enable Enforcement or Audit mode to test new rules
Then start the Application Identity service on the client computer
Audit Mode results can be viewed under the AppLocker folder in Event Viewer
Says whether or not the program would have opened had enforcement been enabled
Can do "Automatically Generate Rules" for an entire directory
Internet Explorer Configuration
Admin Templates\Windows Components\Internet Explorer\Compatibility View
Can enable/disable the button, set sites for automatic compat. view
IE Zones:
Internet, Local Intranet, Trusted Sites, Restricted Sites
InPrivate Filtering blocks certain elements on sites automatically
InPrivate browsing is "Incognito Mode". Opens in new Window.
Admin Templates\Windows Components\Internet Explorer\InPrivate - InPrivate settings

Section 4: Network Connectivity
An Overview of IPv4 and IPv6
IPv4:
32-bit addresses, number of addresses is quickly being depleted
Four sets of 1-4 numbers - each set of four is 8 bits (binary). 8 x 4 = 32 bit
IPv6:
128-bit addresses, bajillions of addresses
Leading 0s are optional
Groups of 0s can be abbreviated by :: (only one per address allowed)
Subnetting:
Every device needs a unique IP address
Subnet mask used to have devices on same local network communicate
Default gateway is the router that allows outside communication
Private Addresses (used for local communication)
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
DNS (Domain Name System)
Converts names to IP addresses
DHCP (Dynamic Host Configuration Protocol)
Automatically assigns IP addresses, subnet mask, gateway... etc. to devices
APIPA (automatic private IP addressing)
Connect an entire network without configuration (and w/o a DHCP server)
NAT (network address translation)
Usually the router or modem. Device that is connected to the internet.
Allows all devices to communicate to the Internet
Communication methods
Unicast - One to one
Multicast - One packet to multiple devices
Broadcast - One to all (IPv4)
Anycast - One to nearest (IPv6)
IPv6 Unicast Addresses
Global - Routable everywhere
Local - Used on local network (no Internet)
Link-local - Used in local subnet only (start with fe80::/10)
Teredo allows you to tunnel IPv6 through NATed IPv4. No special router needed
Addresses start with 2001::/32

Configuring IPv4
Network and Sharing Center / Change Adapter Settings / Right-click > Properties
netsh interface ipv4 show - Show names
netsh interface ipv4 set address name static <IP address> <subnet mask> <def. gateway>
ipconfig /all returns a 169.251.x.x address, no DHCP response
ping and tracert
Configuring IPv6
Configuration mostly the same as IPv4
netsh interface ipv6 show neighbors
Use -6 switch after ping or tracert to use IPv6 using Teredo tunnel
Configuring Networking Settings
Wireless standards:
802.11a:
Operates in 5 GHz range, 64 Mbit/s
Higher freq. absorbed by objects in the way
Today only seen in specific cases
802.11b:
Operates in 2.4 GHz range, 11 Mbit/s
Better range than 802.11a, less absorption
More frequency conflict with cordless phones, microwaves... etc.
802.11g
2.4 GHz range, 54 Mbit/s
Same freq. problems as 802.11b
802.11n
5 GHz and/or 2.4 GHz
600 Mbit/s
New standard has MIMO (multiple antennas)
Security Settings:
WPA-Personal - Older version of WPA. Uses passphrase.
WPA2-Personal - Always choose this.
WPA-Enterprise - Uses an authentication server. No shared passphrase.
Encryption types:
WEP - Not very good way to encrypt data
TKIP - Temporal Key Integrity Protocol. Meant to replace WEP.
AES - Used in WPA2
WPA2 with AES is generally the best, most secure combination
netsh wlan show interfaces - Show network cards
netsh wlan show networks - Show available networks
netsh wlan add profile filename=whatever.xml - Create profile to connect with.
netsh wlan connect name=whatever ssid=whatever - Connect to "whatever" network
Location-aware Printing:
New to Windows 7
Keeps track of default printer based on wireless location
Configuring Windows Firewall
Windows Firewall - Based on applications, all traffic applies (no scope)
Different settings for Home/Work and Public
Windows Firewall with Advanced Security:
Inbound and Outbound rules
Connection security rules
Granular - Program, port, custom... etc.
Scope = IP addresses that are associated with a particular rule
Can have a rule apply to all users or only certain ones
Remote Management
Remote Assistance:
User-initiated help, end user is in control
System Properties > Remote Tab > Check "Allow Remote assistance"
Start > All Programs > Maintenance > Remote Assistance
Generates an invitation file and password.
Also can use Easy Connect and/or email the remote user.
End user needs to grant permission for them to take control
Remote Desktop:
Initiated by the remote user, host is always waiting for a connection
Start > All programs > Accessories > Remote Desktop Connection
Only available in Professional, Ultimate, and Enterprise
Host user gets locked out and cannot see desktop
System Properties > Remote > Remote Desktop
"Any user with Authentication" is the most secure option
Select Users - Allow and/or disallow specific user groups
Windows PowerShell:
Win7 comes with PowerShell 2.0
Over 240 cmdlets (extensive use of pipelines)
Windows Remote Shell (WinRS)
Run shell command on remote computer
Remote Desktop not required
winrm quickconfig on host computer and select Yes
Allows remote commands to be run on that computer
winrs -r:http://atlantislabpc:5985 -u:<comp_name>\username dir c:\
Listens on port 5985
Will be asked for password
Will show C directory from the remote computer
Get-WmiObject -class win32_service -computername atlantislabpc -credential <username>
Will prompt you for password
Will then return all services running on the computer

Section 5: Resource Access
Shared Resources
Folder virtualization allows for roaming user profiles, access to files from any computer
Sharing Folders:
net share command to set shared folders via the command line
net share sharename=drive:path /grant:username,full
Shares the folder with username, grants full control
Sharing Printers:
"Share this printer" under Sharing tab
Can preinstall drivers using Additional Drivers
Can apply different access settings per user under Security tab
HomeGroup settings:
For use on non-domain network, separate accounts and passwords
Easy access to files and printers
Need at least Home Premium to use this
Other editions can connect to it but not create it
Uses a global password for other users to access shared stuff
Control Panel > HomeGroup > Join Now.
File and Folder Access
Encrypting File System (EFS)
Requires NTFS
Encrypt for multiple users, regardless of permissions
Create a Recovery Agent before encrypting any files
cipher /R:filename
Right-click on Folder > Advanced Attributes > Encrypt contents to secure data
cipher command reveals which files in a folder are encrypted/unencrypted
Generates CER and PFX files. Save these somewhere important.
NTFS and Share permissions are separate
Share permissions - Sharing tab / NTFS permissions - Security tab
icacls - Configure NTFS permissions from command line
net share - Configure Share permissions from command line
NTFS permissions apply to both local and network connections
Share permissions only apply to connections over the network
The most restrictive setting always wins.
If you copy a file to another folder, it will inherit the permissions of the new folder.
If you move a file, its permissions will follow it.
Advanced button under Security > Effective Permissions tab
User Account Control
Inform when new device drivers, firewall changes, modifying user accounts
Secure Desktop - Background dims and freezes. Limits automated access.
Group Policy management:
Local Security Policy > Local Policies > Security Options
Enable/disable various variables pertaining to UAC
Control Panel > User Accounts > Change UAC Settings
Authentication and Authorization
Configuring rights:
Group Policy > Comp Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Rights are different from NTFS or Share permissions
Examples of rights: change system time, deny logon as a service, log on locally
Can assign rights to OUs or individual users
Managing Credentials:
Windows Vault stores names and passwords. "Remember my credentials"
Windows Credential Manager
Back up and restore the Windows Vault (uses secure desktop)
Control Panel > Credential Manager
Can restore on another computer to move over credentials/logons
Managing Certificates:
Manage file encryption certificates (certmgr.msc)
Personal > Certificates > Username - Export as backup for EFS certificate
Smart Cards with PIV:
Personal Identity Verification
Biometric capture and storage, cryptographic algorithms, key sizes
It's a standard associated with the storage and formatting of credentials
Carry your cert with you
Multifactor authentication (multiple requirements for more security)
Username, password, smart card, fingerprint
PIV is built into Windows 7
Under Security Options
Interactive Logon: Require smart card
Interactive Logon: Smart card removal behavior
Elevating User Privileges:
Use rights and permissions of another user without logging out
Right-click > run as admin or run as different user (shift + right-click)
Command line: runas /user:<Username> program
Resolving Authentication Issues
On a domain, don't have to worry about this as much.
On a local computer, can use "Create a Password Reset Disk"
If you change a user's password, access to EFS-encrypted data is lost
Can be restored if you restore the EFS cert from before
BranchCache
Caching for branch offices
Conserve bandwidth over slower links
New to Windows 7 / Windows Server 2008 R2
Seamless to the end user
Only kicks in if latency exceeds 80 ms
Infrastructure Requirements
Hosted Cache Server
Required at each remote location
Run distributed mode if cache server not local
Windows Server 2008 R2
Created trusted SSL certificate on the server
Clients need W7 Ultimate or Enterprise
May need to import Certificate Authority via group policy
Distributed Mode:
Asks other local machines if they have already downloaded and cached a file
Local computer caches files that it grabs from the outside server
Hosted Mode:
Caching server is local
Any files grabbed from outside server are cached on local server
Local computers grab cached files from server when available
Configuring Client settings:
Group Policy: Comp Config\Policies\Admin Templates\Network\BranchCache
Command line:
netsh branchcache set service mode=distributed
netsh branchcache set service mode=hostedclient location=server
Enables BC and configures Windows Firewall rules
Check PeerDistSvc service. Started, Manual.

Section 6: Mobile Computing
BitLocker and BitLocker To Go
BitLocker:
Encrypt an entire volume, not just a single file
Protects all data as well as the operating system
Important for mobile devices
W7 Ultimate and Enterprise only
TPM (Trusted Platform Module)
Securely generates and stores crypto keys
Chip that is on the motherboard
Also stands for a set of standards
Hardware-based pseudo-random number generator for encryption
Modes:
BitLocker with a TPM (no additional authentication factors)
BL with a TPM and a PIN (input PIN during startup)
BL with TPM and USB startup key (need USB key to operate)
BL without a TPM (boot with startup key on flash drive)
BL with TPM, USB key, and PIN number
Data Recovery Agents
Configured in Group Policy
Add this before anyone configures BitLocker on their laptops
Computer Config\Win Settings\Security Settings\Public Key Policies\BL Drive Encryption
Configuring the unique identifiers:
Admin Templates\Windows Components\BL Drive Encryption\Operating System Drives
Right-click > Add Data Recovery Agent (wizard) > Select cert that allows disk encryption. Needs to be created by the admin.
Issue to Administrator group
BitLocker Drive Encryption > Provide unique IDs for your organization
Enable and type in identification field a unique ID
Choose how BitLocker-protected OS drives can be recovered
Enable, and check "Allow recovery agent" box
On Client Computer:
Control Panel > BitLocker Drive Encryption
Turn on for desired drives, select startup preferences
BitLocker To Go:
Encrypt portable drives
Set Group Policies on Removable Data Drives.
Recovery Mode:
Get your USB drive with the recovery key
manage-bde -status c: (get status of that drive)
manage-bde -unlock c: -cert -ct <certificate_thumbprint>

DirectAccess
Automated VPN connectivity: always on regardless of location
Needs IPv6
Needs Windows Server 2008 R2, Windows Domain, two NICs, digital certs for authentication
Lots of encryption involved.
Client will see "Currently connected to: Internet and Corporate Access"
Certificate Management:
mmc: MS Management Console
Certificates snap-in
Certificates (Local Computer)\Personal\Certificates
Command line configuration:
netsh interface ipv6 set teredo enterpriseclient <ipaddress>
netsh interface 6to4 set relay <ipaddress>
netsh interface httpstunnel add interface client https://myserver/IPHTTPS
Configuring Windows 7 Mobility
Offline Files:
Syncs files on server share with mobile computer (automatically)
Online mode: Write to server, read from the cache
Auto offline mode: If server is offline, converts to local cache operations
Will check if server is back online every 2 minutes
If so, goes back to online mode
Manual offline mode: Force yourself into offline mode ("Work offline")
Slow-link mode: Kicks to cache version if speeds drop below 64 kbps
Right-click > Always available offline
Offline File Group Policy:
Comp Config\Admin Templates\Network\Offline Files
Tons of settings to configure (file types to sync, low link speeds)
Transparent Caching:
Increase file performance across WAN links
Keeps a copy that you've previously opened cached on your computer
More flexible than BranchCache (works with Professional, no domain required)
Enable Transparent Caching group policy: Determine latency limit
Managing Power:
Sleep: Processor off, memory active, mouse and keyboard powered
Hybrid Sleep: Processor off, mem active and copy written to disk
Hibernate: All devices are off, memory is written to disk
Can configure at command line with powercfg

Remote Connections Part 1
VPNs (Virtual Private Networks)
Authentication Protocols:
PAP (Password Authentication Protocol)
Unencrypted passwords, don't use this normally
CHAP (Challenge Authentication Protocol)
Send the password as a hash, still not a great idea
MS-CHAPv2
Integrates the Windows username and password
Still some brute-force weaknesses
PEAP / PEAP-TLS
Protected Extensible Authentication Protocol
Sends EAP authentication over TLS (Transport Layer Security)
Cert-based: quite secure
EAP-MS-CHAPv2 / PEAP-MS-CHAPv2
Security of PEAP with Windows integration
Smart card or certificate
Need cert on both the client and the server
VPN Protocols (under VPN Connection Properties > Security tab)
IKEv2 (Internet Key Exchange v2)
The more secure option
New in Windows 7 (IPv6, VPN reconnect support)
Authentication options:
EAP and certs
No support for PAP, CHAP... etc.
Uses UDP port 500
SSTP (Secure Socket Tunneling Protocol)
Uses TCP 443 (HTTPS port)
Very compatible with existing firewalls
Doesn't work through proxies
L2TP (Layer 2 Tunneling Protocol)
L2TP tunnels, IPsec to encrypt
Compatible with 3rd-party VPNs
PPTP (Point-to-Point Tunneling Protocol)
Least secure VPN protocol
Encryption but no data integrity or authentication
VPN Reconnection:
Move between networks: VPN reconnects automatically
Uses IKEv2 tunneling protocol
Maximum timeout of 8 hours. This is configurable.
After timeout, will have to reconnect manually
Remote Connections Part 2
NAP (Network Access Protection)
Check firewall, virus/spyware protection, automatic updates, security updates
Users not matching the policy get a timeout (remediation network)
On remediation network, should be able to download whatever they need
Once all updates/patches have been applied, they are allowed back onto network
Smaller organizations may not have the resources
Enable security auditing: View logons in Event Viewer / Security Log
Remote Desktop:
Remote Desktop Gateway Server (formerly known as Terminal Services Gateway)
RemoteApp: Run applications remotely, looks like it's running locally
RDP files = RemoteApp executables. Created on server. Place on client desktop.

Section 7: Monitoring and Maintaining Windows 7
Updating Windows 7
Most updates can be automated
Windows Update works in conjunction with Windows Update Service
Can point everyone to a local Windows Update Service server
Faster, saves bandwidth
wuauclt /detectnow (check for new updates manually)
Windows Update Categories:
Important Updates: Security updates
Recommended Updates: Not as critical, but still useful. Patches/OS updates.
Optional updates: Driver updates, new languages... etc.
"Install Updates Automatically" is recommended (will install Important updates)
Can hide updates: won't be asked to update it again. Must be admin.
View update history
Can uninstall updates from Control Panel > Programs and Features
If IE has the correct proxy settings that you want to use for Windows Update:
netsh winhttp import proxy source=ie
Can manually install updates via .msu files (standard users can do this as well)
wusa.exe C:\<path to msu file> /quiet /norestart (command line MSU install)
Windows Server Update Services (WSUS):
Central configuration, managed through group policy
Admins can determine rollout schedule for updates
Central rollback management
Computer Config\Admin Templates\Win Components\Windows Update
Group computers together into OU for scheduled updates
Can create your own updates and sign them
Managing Disks
MBR (Master Boot Record): Four partitions per disk, 2 TB disk size maximum
GPT (GUID Partition Table): 128 partitions, max 256 TB disk size
Convert using diskpart: Diskpart > convert gpt
Computer Management > Disk Management
Basic disks: MBR partitioned only
Dynamic disks: GPT or MBR. Logical Disk Manager (LDM) instead of an MBR
LDM is replicated to other dynamic disks
Moving disks between computers
Basic disks are independent, can be moved with no problem
Dynamic disks are aware of each other, so should be moved together
Need to uninstall the disk before moving in Disk Manager
For dynamic disks, "Remove Disk"
In new computer, Disk Management > Rescan Disks
Dynamic Disk Advantages:
Spanned volumes: Many disks look like one big drive in Windows
RAID in Windows 7: software
RAID 0: Striping. Split single file across multiple drives
RAID 1: Mirroring. Keeps copy of all data on another disk
Only available in Professional, Ultimate, and Enterprise
Right-click > Create new Striped Volume
Select disks you want
Disk Tools
Run defrag from command prompt: defrag C:
Only admin can run defrag from an elevated prompt
Removable device policies:
Comp Config\Admin Templates\System\Removable Storage Access
Changes made require a restart
Monitoring Windows 7
Event Viewer:
Control Panel > Administrative Tools
View log information: Application, Security, Setup, System, Forwarded Events
Can create custom views (filter by type, severity... etc.)
Event Subscriptions:
Centralize event logs on a collector computer (needs a lot of disk space)
Collector-initiated subscriptions don't scale well. Clients always listening.
Source-initiated subscriptions are best for large environments
Collector is always listening, source computers send logs
winrm quickconfig on all client machines
Add collector computer to the Event Log Readers group in Local GP
wecutil quick-config on the collector comp to run the Win Event Collector
wecutil create-subscription subscription.xml (create a subscription)
Subscriptions are easy to create in the Event Viewer (on collector)
On source computer, point to the collector under Event Forwarding in local GP.
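Added example (not part of the original notes): a source-initiated subscription.xml of the kind passed to wecutil create-subscription above. The subscription name, the Security-log logon query (event IDs 4624/4625), the batching values and the SDDL that allows all domain computers are assumptions chosen for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed sample: source-initiated subscription for logon events.
     Assumptions (not from the notes): the subscription name, the event IDs,
     the batching values, and allowing every domain computer to forward. -->
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>LogonAuditForwarding</SubscriptionId>
  <!-- SourceInitiated: sources push to the collector, which only listens -->
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Forward logon successes and failures to the collector</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching>
      <!-- Send after 5 events or 30 s, whichever comes first -->
      <MaxItems>5</MaxItems>
      <MaxLatencyTime>30000</MaxLatencyTime>
    </Batching>
    <PushSettings>
      <!-- Heartbeat every 15 minutes (value is in milliseconds) -->
      <Heartbeat Interval="900000"/>
    </PushSettings>
  </Delivery>
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0" Path="Security">
          <Select Path="Security">*[System[(EventID=4624 or EventID=4625)]]</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>http</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <!-- Events land in the collector's Forwarded Events log -->
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <!-- SDDL: allow Domain Computers (DC) and Network Service (NS) -->
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>
</Subscription>
```

Forwarding the Security log only works if the NETWORK SERVICE account on each source computer can read that log, for example through membership of the Event Log Readers group.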
Performance Monitor:
perfmon /report (system diagnostics report)
Data collector sets save long-term data to disk for later analysis (graphs)
Application Event Log to look at application errors
Performance Settings Part 1
Pagefile = Virtual Memory
Hard drive write caching is always enabled by default
Windows write-cache buffer flushing in case of power outages
USB drive write caching is disabled by default to avoid data loss
Configure drive caching in Device Manager > Properties > Policies tab
Configure network performance under Internet Properties > Advanced tab
Task Manager > Set Affinity = assign an application to a particular CPU
Performance Settings Part 2
All obvious stuff

Section 8: Backup and Recovery Options
Windows 7 Backup
Control Panel > Backup and Restore
Shadow Copy keeps backups of previous versions of files
Does not back up by default: system files, profiles, recycle bin, or temp files
Can tell Windows to explicitly back those up as well
Back up entire volume to a VHD (system image)
Could copy the VHD to another computer and tell Windows to boot from it
Ultimate and Enterprise only
Must back up to an NTFS partition
Initiate from the command line:
wbadmin start backup -backuptarget:d: -include:c: -quiet
Or schedule within Task Scheduler
Allowed backup locations: CD-R, DVD-R, HDD, network location (Professional and up)
No tape drives or flash drives
Backup structure for files and folders:
Folder with computer name, multiple zip files for versions
GlobalCatalog.wbcat as catalog of all file locations within the backup
System Image Backup:
Stored in \WindowsImageBackup
Only one system image, updated each time
Windows 7 System Recovery Options
System Restore:
Restore points are created automatically, but can also create them manually
System restore when booted or from System Recovery (F8)
System Properties > System Protection tab
Use System Recovery to restore if a driver update prevents you from booting
Last Known Good Configuration:
Useful if boot is caught in a loop
Each time you log in, LKGC is saved. Only log in if everything is okay!
Complete Restore:
Recover entire system using recovery image
Boot from Windows installation media > Repair Your Computer
Windows 7 File Recovery Options
Backup and Restore or Shadow Copy
Can go into backup folder and pull from compressed ZIP files
Shadow copy, created during a restore point:
Right-click > Restore previous versions
If a file was moved or renamed, you can restore previous version of the folder
Replacing with Previous Version cannot be undone
