
MICROSOFT OFFICIAL LEARNING PRODUCT

20687D

Configuring Windows 8.1

MCT USE ONLY. STUDENT USE PROHIBITED


Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names,
email addresses, logos, people, places, and events depicted herein are fictitious, and no association with
any real company, organization, product, domain name, email address, logo, person, place or event is
intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the
user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in
or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.

The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding
these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a
manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links
may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not
responsible for the contents of any linked site or any link contained in a linked site, or any changes or
updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission
received from any linked site. Microsoft is providing these links to you only as a convenience, and the
inclusion of any link does not imply endorsement of Microsoft of the site or the products contained
therein.
© 2014 Microsoft Corporation. All rights reserved.
Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.

Product Number: 20687D


Part Number: X19-17711
Released: 04/2014


MICROSOFT LICENSE TERMS


MICROSOFT INSTRUCTOR-LED COURSEWARE

These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its
affiliates) and you. Please read them. They apply to your use of the content accompanying this agreement which
includes the media on which you received it, if any. These license terms also apply to Trainer Content and any
updates and supplements for the Licensed Content unless other terms accompany those items. If so, those terms
apply.
BY ACCESSING, DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS.
IF YOU DO NOT ACCEPT THEM, DO NOT ACCESS, DOWNLOAD OR USE THE LICENSED CONTENT.
If you comply with these license terms, you have the rights below for each license you acquire.
1. DEFINITIONS.

a. Authorized Learning Center means a Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, or such other entity as Microsoft may designate from time to time.

b. Authorized Training Session means the instructor-led training class using Microsoft Instructor-Led
Courseware conducted by a Trainer at or through an Authorized Learning Center.
c. Classroom Device means one (1) dedicated, secure computer that an Authorized Learning Center owns
or controls that is located at an Authorized Learning Center's training facilities that meets or exceeds the
hardware level specified for the particular Microsoft Instructor-Led Courseware.

d. End User means an individual who is (i) duly enrolled in and attending an Authorized Training Session
or Private Training Session, (ii) an employee of a MPN Member, or (iii) a Microsoft full-time employee.
e. Licensed Content means the content accompanying this agreement which may include the Microsoft
Instructor-Led Courseware or Trainer Content.
f. Microsoft Certified Trainer or MCT means an individual who is (i) engaged to teach a training session
to End Users on behalf of an Authorized Learning Center or MPN Member, and (ii) currently certified as a
Microsoft Certified Trainer under the Microsoft Certification Program.

g. Microsoft Instructor-Led Courseware means the Microsoft-branded instructor-led training course that
educates IT professionals and developers on Microsoft technologies. A Microsoft Instructor-Led
Courseware title may be branded as MOC, Microsoft Dynamics or Microsoft Business Group courseware.
h. Microsoft IT Academy Program Member means an active member of the Microsoft IT Academy
Program.
i. Microsoft Learning Competency Member means an active member of the Microsoft Partner Network
program in good standing that currently holds the Learning Competency status.
j. MOC means the Official Microsoft Learning Product instructor-led courseware known as Microsoft
Official Course that educates IT professionals and developers on Microsoft technologies.

k. MPN Member means an active Microsoft Partner Network program member in good standing.


l. Personal Device means one (1) personal computer, device, workstation or other digital electronic device
that you personally own or control that meets or exceeds the hardware level specified for the particular
Microsoft Instructor-Led Courseware.

m. Private Training Session means the instructor-led training classes provided by MPN Members for
corporate customers to teach a predefined learning objective using Microsoft Instructor-Led Courseware.
These classes are not advertised or promoted to the general public and class attendance is restricted to
individuals employed by or contracted by the corporate customer.
n. Trainer means (i) an academically accredited educator engaged by a Microsoft IT Academy Program
Member to teach an Authorized Training Session, and/or (ii) a MCT.

o. Trainer Content means the trainer version of the Microsoft Instructor-Led Courseware and additional
supplemental content designated solely for Trainers' use to teach a training session using the Microsoft
Instructor-Led Courseware. Trainer Content may include Microsoft PowerPoint presentations, trainer
preparation guide, train the trainer materials, Microsoft One Note packs, classroom setup guide and
Pre-release course feedback form. To clarify, Trainer Content does not include any software, virtual hard
disks or virtual machines.
2. USE RIGHTS. The Licensed Content is licensed not sold. The Licensed Content is licensed on a one copy
per user basis, such that you must acquire a license for each individual that accesses or uses the Licensed
Content.

2.1 Below are five separate sets of use rights. Only one set of rights applies to you.

a. If you are a Microsoft IT Academy Program Member:


i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is
in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not
install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End
User who is enrolled in the Authorized Training Session, and only immediately prior to the
commencement of the Authorized Training Session that is the subject matter of the Microsoft
Instructor-Led Courseware being provided, or
2. provide one (1) End User with the unique redemption code and instructions on how they can
access one (1) digital version of the Microsoft Instructor-Led Courseware, or
3. provide one (1) Trainer with the unique redemption code and instructions on how they can
access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv. you will ensure each End User attending an Authorized Training Session has their own valid licensed
copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized Training
Session,
v. you will ensure that each End User provided with the hard-copy version of the Microsoft Instructor-Led
Courseware will be presented with a copy of this agreement and each End User will agree that
their use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement
prior to providing them with the Microsoft Instructor-Led Courseware. Each individual will be required
to denote their acceptance of this agreement in a manner that is enforceable under local law prior to
their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid
licensed copy of the Trainer Content that is the subject of the Authorized Training Session,


vii. you will only use qualified Trainers who have in-depth knowledge of and experience with the
Microsoft technology that is the subject of the Microsoft Instructor-Led Courseware being taught for
all your Authorized Training Sessions,
viii. you will only deliver a maximum of 15 hours of training per week for each Authorized Training
Session that uses a MOC title, and
ix. you acknowledge that Trainers that are not MCTs will not have access to all of the trainer resources
for the Microsoft Instructor-Led Courseware.

b. If you are a Microsoft Learning Competency Member:


i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is
in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not
install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End
User attending the Authorized Training Session and only immediately prior to the
commencement of the Authorized Training Session that is the subject matter of the Microsoft
Instructor-Led Courseware provided, or
2. provide one (1) End User attending the Authorized Training Session with the unique redemption
code and instructions on how they can access one (1) digital version of the Microsoft Instructor-Led
Courseware, or
3. you will provide one (1) Trainer with the unique redemption code and instructions on how they
can access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv. you will ensure that each End User attending an Authorized Training Session has their own valid
licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized
Training Session,
v. you will ensure that each End User provided with a hard-copy version of the Microsoft Instructor-Led
Courseware will be presented with a copy of this agreement and each End User will agree that their
use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to
providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to
denote their acceptance of this agreement in a manner that is enforceable under local law prior to
their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid
licensed copy of the Trainer Content that is the subject of the Authorized Training Session,
vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is
the subject of the Microsoft Instructor-Led Courseware being taught for your Authorized Training
Sessions,
viii. you will only use qualified MCTs who also hold the applicable Microsoft Certification credential that is
the subject of the MOC title being taught for all your Authorized Training Sessions using MOC,
ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and
x. you will only provide access to the Trainer Content to Trainers.


c. If you are an MPN Member:


i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is
in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not
install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End
User attending the Private Training Session, and only immediately prior to the commencement
of the Private Training Session that is the subject matter of the Microsoft Instructor-Led
Courseware being provided, or
2. provide one (1) End User who is attending the Private Training Session with the unique
redemption code and instructions on how they can access one (1) digital version of the
Microsoft Instructor-Led Courseware, or
3. you will provide one (1) Trainer who is teaching the Private Training Session with the unique
redemption code and instructions on how they can access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv. you will ensure that each End User attending a Private Training Session has their own valid licensed
copy of the Microsoft Instructor-Led Courseware that is the subject of the Private Training Session,
v. you will ensure that each End User provided with a hard copy version of the Microsoft Instructor-Led
Courseware will be presented with a copy of this agreement and each End User will agree that their
use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to
providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to
denote their acceptance of this agreement in a manner that is enforceable under local law prior to
their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching a Private Training Session has their own valid licensed
copy of the Trainer Content that is the subject of the Private Training Session,
vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is
the subject of the Microsoft Instructor-Led Courseware being taught for all your Private Training
Sessions,
viii. you will only use qualified MCTs who hold the applicable Microsoft Certification credential that is the
subject of the MOC title being taught for all your Private Training Sessions using MOC,
ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and
x. you will only provide access to the Trainer Content to Trainers.

d. If you are an End User:


For each license you acquire, you may use the Microsoft Instructor-Led Courseware solely for your
personal training use. If the Microsoft Instructor-Led Courseware is in digital format, you may access the
Microsoft Instructor-Led Courseware online using the unique redemption code provided to you by the
training provider and install and use one (1) copy of the Microsoft Instructor-Led Courseware on up to
three (3) Personal Devices. You may also print one (1) copy of the Microsoft Instructor-Led Courseware.
You may not install the Microsoft Instructor-Led Courseware on a device you do not own or control.
e. If you are a Trainer:
i. For each license you acquire, you may install and use one (1) copy of the Trainer Content in the
form provided to you on one (1) Personal Device solely to prepare and deliver an Authorized
Training Session or Private Training Session, and install one (1) additional copy on another Personal
Device as a backup copy, which may be used only to reinstall the Trainer Content. You may not
install or use a copy of the Trainer Content on a device you do not own or control. You may also
print one (1) copy of the Trainer Content solely to prepare for and deliver an Authorized Training
Session or Private Training Session.


ii. You may customize the written portions of the Trainer Content that are logically associated with
instruction of a training session in accordance with the most recent version of the MCT agreement.
If you elect to exercise the foregoing rights, you agree to comply with the following: (i)
customizations may only be used for teaching Authorized Training Sessions and Private Training
Sessions, and (ii) all customizations will comply with this agreement. For clarity, any use of
"customize" refers only to changing the order of slides and content, and/or not using all the slides or
content; it does not mean changing or modifying any slide or content.

2.2 Separation of Components. The Licensed Content is licensed as a single unit and you may not
separate its components and install them on different devices.

2.3 Redistribution of Licensed Content. Except as expressly provided in the use rights above, you may
not distribute any Licensed Content or any portion thereof (including any permitted modifications) to any
third parties without the express written permission of Microsoft.
2.4 Third Party Notices. The Licensed Content may include third party code or content that Microsoft, not the
third party, licenses to you under this agreement. Notices, if any, for the third party code or content are included
for your information only.
2.5 Additional Terms. Some Licensed Content may contain components with additional terms,
conditions, and licenses regarding its use. Any non-conflicting terms in those conditions and licenses also
apply to your use of that respective component and supplements the terms described in this agreement.
3. LICENSED CONTENT BASED ON PRE-RELEASE TECHNOLOGY. If the Licensed Content's subject
matter is based on a pre-release version of Microsoft technology ("Pre-release"), then in addition to the
other provisions in this agreement, these terms also apply:

a. Pre-Release Licensed Content. This Licensed Content's subject matter is based on the Pre-release version of
the Microsoft technology. The technology may not work the way a final version of the technology will
and we may change the technology for the final version. We also may not release a final version.
Licensed Content based on the final version of the technology may not contain the same information as
the Licensed Content based on the Pre-release version. Microsoft is under no obligation to provide you
with any further content, including any Licensed Content based on the final version of the technology.
b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly or
through its third party designee, you give to Microsoft without charge, the right to use, share and
commercialize your feedback in any way and for any purpose. You also give to third parties, without
charge, any patent rights needed for their products, technologies and services to use or interface with
any specific parts of a Microsoft technology, Microsoft product, or service that includes the feedback.
You will not give feedback that is subject to a license that requires Microsoft to license its technology,
technologies, or products to third parties because we include your feedback in them. These rights
survive this agreement.
c. Pre-release Term. If you are a Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, MPN Member or Trainer, you will cease using all copies of the Licensed Content on
the Pre-release technology upon (i) the date which Microsoft informs you is the end date for using the
Licensed Content on the Pre-release technology, or (ii) sixty (60) days after the commercial release of the
technology that is the subject of the Licensed Content, whichever is earliest ("Pre-release term").
Upon expiration or termination of the Pre-release term, you will irretrievably delete and destroy all copies
of the Licensed Content in your possession or under your control.


4. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some
rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more
rights despite this limitation, you may use the Licensed Content only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only
allow you to use it in certain ways. Except as expressly permitted in this agreement, you may not:
• access or allow any individual to access the Licensed Content if they have not acquired a valid license
for the Licensed Content,
• alter, remove or obscure any copyright or other protective notices (including watermarks), branding
or identifications contained in the Licensed Content,
• modify or create a derivative work of any Licensed Content,
• publicly display, or make the Licensed Content available for others to access or use,
• copy, print, install, sell, publish, transmit, lend, adapt, reuse, link to or post, make available or
distribute the Licensed Content to any third party,
• work around any technical limitations in the Licensed Content, or
• reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the
Licensed Content except and only to the extent that applicable law expressly permits, despite this
limitation.

5. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to
you in this agreement. The Licensed Content is protected by copyright and other intellectual property laws
and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the
Licensed Content.
6. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations.
You must comply with all domestic and international export laws and regulations that apply to the Licensed
Content. These laws include restrictions on destinations, end users and end use. For additional information,
see www.microsoft.com/exporting.

7. SUPPORT SERVICES. Because the Licensed Content is "as is", we may not provide support services for it.

8. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail
to comply with the terms and conditions of this agreement. Upon termination of this agreement for any
reason, you will immediately stop all use of and delete and destroy all copies of the Licensed Content in
your possession or under your control.

9. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed
Content. The third party sites are not under the control of Microsoft, and Microsoft is not responsible for
the contents of any third party sites, any links contained in third party sites, or any changes or updates to
third party sites. Microsoft is not responsible for webcasting or any other form of transmission received
from any third party sites. Microsoft is providing these links to third party sites to you only as a
convenience, and the inclusion of any link does not imply an endorsement by Microsoft of the third party
site.

10. ENTIRE AGREEMENT. This agreement, and any additional terms for the Trainer Content, updates and
supplements are the entire agreement for the Licensed Content, updates and supplements.

11. APPLICABLE LAW.
a. United States. If you acquired the Licensed Content in the United States, Washington state law governs
the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws
principles. The laws of the state where you live govern all other claims, including claims under state
consumer protection laws, unfair competition laws, and in tort.


b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that
country apply.
12. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws
of your country. You may also have rights with respect to the party from whom you acquired the Licensed
Content. This agreement does not change your rights under the laws of your country if the laws of your
country do not permit it to do so.

13. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS" AND "AS
AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT AND ITS RESPECTIVE
AFFILIATES GIVES NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS. YOU MAY
HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT
CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, MICROSOFT AND
ITS RESPECTIVE AFFILIATES EXCLUDES ANY IMPLIED WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.

14. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM
MICROSOFT, ITS RESPECTIVE AFFILIATES AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP
TO US$5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL,
LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.

This limitation applies to:
o anything related to the Licensed Content, services, content (including code) on third party Internet
sites or third-party programs; and
o claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence,
or other tort to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of the damages. The
above limitation or exclusion may not apply to you because your country may not allow the exclusion or
limitation of incidental, consequential or other damages.

Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this
agreement are also provided in French. The French-language clauses are rendered in English below.

DISCLAIMER OF WARRANTY. The Licensed Content is provided "as is". Any use of this Licensed Content is
at your sole risk. Microsoft gives no other express warranties. You may have additional rights under local
consumer protection law, which this agreement cannot change. Where permitted by local law, the implied
warranties of merchantability, fitness for a particular purpose and non-infringement are excluded.

LIMITATION OF DAMAGES AND EXCLUSION OF LIABILITY FOR DAMAGES. You may recover from Microsoft
and its suppliers compensation for direct damages only, up to US$5.00. You cannot claim compensation for
any other damages, including special, indirect or incidental damages and lost profits.
This limitation applies to:
o anything related to the Licensed Content, services or content (including code) on third party Internet
sites or in third party programs; and
o claims for breach of contract or warranty, or for strict liability, negligence or other tort, to the extent
permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of such damages. If your
country does not allow the exclusion or limitation of liability for indirect, incidental or other damages of any
kind, the above limitation or exclusion may not apply to you.

LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of
your country. This agreement does not change the rights granted to you by the laws of your country if those
laws do not permit it to do so.
Revised July 2013


Acknowledgments


Microsoft Learning wants to acknowledge and thank the following for their contribution toward
developing this title. Their effort at various stages in the development has ensured that you have a good
classroom experience.

Slavko Kukrika: Content Developer

Slavko Kukrika has been a Microsoft Certified Trainer (MCT) for more than 15 years. He holds many technical
certifications, and he is honored to be one of the Microsoft Most Valuable Professionals (MVPs). Slavko
specializes in Windows operating systems, Active Directory, and virtualization. He has worked with
Windows 8 since it was first publicly available, and he helped several mid-size customers migrate to
Windows 8. Slavko regularly presents at technical conferences, and he is the author of several Microsoft
Official Courses. In his private life, Slavko is the proud father of two sons, and he tries to extend each day
to at least 25 hours.

Jason Kellington: Content Developer

Jason Kellington is a Microsoft Certified Trainer (MCT), Microsoft Certified IT Professional (MCITP),
and a Microsoft Certified Solutions Expert (MCSE), as well as a consultant, trainer, and author. He
has experience working with a wide range of Microsoft technologies, focusing on the design and
deployment of enterprise network infrastructures. Jason works in several capacities with Microsoft, as
a Subject Matter Expert (SME) for Microsoft Learning courseware titles, a senior technical writer for
Microsoft IT Showcase, and an author for Microsoft Press.

Andrew Bettany: Subject Matter Expert

Andrew Bettany is a published author, MVP (Windows Expert-IT Pro), holds numerous Microsoft
certifications, and has been a Microsoft trainer since 2005. Based in York, England, he manages the
University of York IT Academy and often participates in worldwide conferences and events. Most recently,
Andrew visited Haiti for the second time to deliver an intensive boot camp that focused on Windows
technologies to help the local community rebuild key IT skills following the earthquake in 2010.

Elias Mereb: Technical Reviewer

Elias Mereb is a highly experienced infrastructure architect, consultant, trainer, and international speaker.
He currently holds more than 30 Microsoft certifications, including: MCP, MCSA: Security, MCTS, MCITP,
and MCT. He is also a six-time winner of the Microsoft Most Valuable Professional (MVP) award in the
Windows Expert-IT Pro technical expertise and a Charter Springboard Series Technical Experts Program
(STEP) Member. Elias has been invited several times to speak at TechEd North America, TechEd Europe,
and the Microsoft Management Summit (MMS). He has participated as a SME, trainer, technical writer,
and technical reviewer in the design and development process of Microsoft certification exams and
courses, which recently include Windows Server 2008, Windows Server 2008 R2, Windows Server 2012,
Windows Server 2012 R2, Windows 7, Windows 8 and Windows 8.1 exams and courses for Microsoft
Learning.

Contents

Module 1: Windows 8.1 in an Enterprise Environment
Lesson 1: Managing Windows 8.1 in an Enterprise Environment    1-2
Lesson 2: Overview of Windows 8.1    1-8

Module 2: Installing and Deploying Windows 8.1
Lesson 1: Preparing to Install and Deploy Windows 8.1    2-2
Lesson 2: Installing Windows 8.1    2-12
Lab A: Installing Windows 8.1    2-24
Lesson 3: Customizing and Preparing a Windows 8.1 Image for Deployment    2-27
Lab B: Customizing and Capturing a Windows 8.1 Image    2-39
Lesson 4: Volume Activation for Windows 8.1    2-43
Lab C: Deploying a Windows 8.1 Image    2-51

Module 3: Tools Used for Configuring and Managing Windows 8.1
Lesson 1: Tools Used to Perform Local and Remote Management of Windows 8.1    3-2
Lesson 2: Using Windows PowerShell to Configure and Manage Windows 8.1    3-9
Lesson 3: Using Group Policy to Manage Windows 8.1    3-16
Lab: Using Management Tools to Configure Windows 8.1 Settings    3-22

Module 4: Managing Profiles and User State in Windows 8.1
Lesson 1: Managing User Profiles    4-2
Lesson 2: Configuring User State Virtualization    4-8
Lab A: Configuring Profiles and User State Virtualization    4-21
Lesson 3: Migrating User State and Settings    4-27
Lab B: Migrating User State by Using USMT    4-34

Module 5: Managing Disks and Device Drivers
Lesson 1: Managing Disks, Partitions, and Volumes    5-2
Lesson 2: Maintaining Disks, Partitions, and Volumes    5-16
Lesson 3: Working with Virtual Hard Disks    5-23
Lab A: Managing Disks    5-28
Lesson 4: Installing and Configuring Device Drivers    5-34
Lab B: Configuring Device Drivers    5-47

Module 6: Configuring Network Connectivity
Lesson 1: Configuring IPv4 Network Connectivity    6-2
Lesson 2: Configuring IPv6 Network Connectivity    6-9
Lesson 3: Implementing Automatic IP Address Allocation    6-14
Lab A: Configuring a Network Connection    6-21
Lesson 4: Implementing Name Resolution    6-25
Lab B: Resolving Network Connectivity Issues    6-31
Lesson 5: Implementing Wireless Network Connectivity    6-34

Module 7: Configuring File Access and Printers on Windows 8.1 Clients
Lesson 1: Managing File Access    7-2
Lesson 2: Managing Shared Folders    7-15
Lesson 3: Configuring File Compression    7-24
Lab A: Configuring File Access    7-28
Lesson 4: Overview of OneDrive    7-31
Lesson 5: Managing Printers    7-37
Lab B: Configuring Printers    7-43

Module 8: Implementing Network Security
Lesson 1: Overview of Threats to Network Security    8-2
Lesson 2: Configuring Windows Firewall    8-8
Lab A: Configuring Inbound and Outbound Firewall Rules    8-17
Lesson 3: Securing Network Traffic by Using IPsec    8-20
Lab B: Configuring IPsec Rules    8-28
Lesson 4: Guarding Windows 8.1 Against Malware    8-30
Lab C: Configuring Malware Protection    8-33

Module 9: Configuring Resource Access for Domain-Joined Devices and Devices That Are Not Domain Members
Lesson 1: Configuring Domain Access for Windows 8.1 Devices    9-2
Lesson 2: Configuring Resource Access for Devices That Are Not Domain Members    9-9
Lesson 3: Configuring Workplace Join    9-17
Lesson 4: Configuring Work Folders    9-22
Lab: Configuring Resource Access for Devices That Are Not Domain Members    9-30

Module 10: Securing Windows 8.1 Devices
Lesson 1: Authentication and Authorization in Windows 8.1    10-2
Lesson 2: Applying Security Settings by Using Group Policy    10-11
Lab A: Implementing Local GPOs    10-19
Lesson 3: Securing Data with EFS and BitLocker    10-21
Lab B: Securing Data by Using BitLocker    10-43
Lesson 4: Configuring UAC    10-45
Lab C: Configuring and Testing UAC    10-52

Module 11: Configuring Applications for Windows 8.1
Lesson 1: Application Deployment Options in Windows 8.1    11-2
Lesson 2: Managing Windows Store Apps    11-14
Lesson 3: Configuring Internet Explorer Settings    11-19
Lab A: Configuring Internet Explorer Security    11-29
Lesson 4: Configuring Application Restrictions    11-32
Lab B: Configuring AppLocker    11-40

Module 12: Optimizing and Maintaining Windows 8.1 Computers
Lesson 1: Optimizing Performance in Windows 8.1    12-2
Lab A: Optimizing Windows 8.1 Performance    12-9
Lesson 2: Managing the Reliability of Windows 8.1    12-13
Lesson 3: Managing Software Updates in Windows 8.1    12-18
Lab B: Maintaining Windows Updates    12-26

Module 13: Configuring Mobile Computing and Remote Access
Lesson 1: Configuring Mobile Computers and Device Settings    13-2
Lab A: Configuring a Power Plan    13-7
Lesson 2: Overview of DirectAccess    13-9
Lab B: Implementing DirectAccess by Using the Getting Started Wizard    13-20
Lesson 3: Configuring VPN Access    13-24
Lesson 4: Configuring Remote Desktop and Remote Assistance    13-33
Lab C: Implementing Remote Desktop    13-36

Module 14: Recovering Windows 8.1
Lesson 1: Backing Up and Restoring Files in Windows 8.1    14-2
Lesson 2: Recovery Options in Windows 8.1    14-5
Lab: Recovering Windows 8.1    14-18

Module 15: Configuring Client Hyper-V
Lesson 1: Overview of Client Hyper-V    15-2
Lesson 2: Creating Virtual Machines    15-6
Lesson 3: Managing Virtual Hard Disks    15-13
Lesson 4: Managing Checkpoints    15-19
Lab: Configuring Client Hyper-V    15-24

Lab Answer Keys
Module 2 Lab A: Installing Windows 8.1    L2-1
Module 2 Lab B: Customizing and Capturing a Windows 8.1 Image    L2-3
Module 2 Lab C: Deploying a Windows 8.1 Image    L2-8
Module 3: Using Management Tools to Configure Windows 8.1 Settings    L3-11
Module 4 Lab A: Configuring Profiles and User State Virtualization    L4-17
Module 4 Lab B: Migrating User State by Using USMT    L4-27
Module 5 Lab A: Managing Disks    L5-31
Module 5 Lab B: Configuring Device Drivers    L5-38
Module 6 Lab A: Configuring a Network Connection    L6-41
Module 6 Lab B: Resolving Network Connectivity Issues    L6-44
Module 7 Lab A: Configuring File Access    L7-47
Module 7 Lab B: Configuring Printers    L7-49
Module 8 Lab A: Configuring Inbound and Outbound Firewall Rules    L8-51
Module 8 Lab B: Configuring IPsec Rules    L8-53
Module 8 Lab C: Configuring Malware Protection    L8-55
Module 9 Lab: Configuring Resource Access for Devices That Are Not Domain Members    L9-57
Module 10 Lab A: Implementing Local GPOs    L10-63
Module 10 Lab B: Securing Data by Using BitLocker    L10-65
Module 10 Lab C: Configuring and Testing UAC    L10-67
Module 11 Lab A: Configuring Internet Explorer Security    L11-69
Module 11 Lab B: Configuring AppLocker    L11-71
Module 12 Lab A: Optimizing Windows 8.1 Performance    L12-73
Module 12 Lab B: Maintaining Windows Updates    L12-76
Module 13 Lab A: Configuring a Power Plan    L13-79
Module 13 Lab B: Implementing DirectAccess by Using the Getting Started Wizard    L13-80
Module 13 Lab C: Implementing Remote Desktop    L13-84
Module 14 Lab: Recovering Windows 8.1    L14-87
Module 15 Lab: Configuring Client Hyper-V    L15-95

About This Course


This section provides a brief description of the course, audience, suggested prerequisites, and course
objectives.

Course Description

This course is intended for IT professionals who administer and support Windows 8.1 PCs, devices, users,
and associated network and security resources. The networks with which these professionals typically work
are configured as a Windows Server domain-based environment with managed access to the Internet
and cloud services. The course is also intended for students who seek certification in the 70-687
Configuring Windows 8.1 exam. NOTE: This course is based on Windows 8.1 Enterprise edition with
domain services provided by Windows Server 2012 R2.

Note: Microsoft has renamed SkyDrive to OneDrive and SkyDrive Pro to OneDrive for
Business, and the course content uses the updated names. However, the virtual machines
in this course use the original release of Windows 8.1 Enterprise edition that refers to the
terms SkyDrive and SkyDrive Pro. Because of this, in the labs and demonstrations, you might
see a discrepancy between the course content and the user interface in the virtual
machines.

Audience

This course is intended for IT professionals who administer and support Windows 8.1 PCs, devices,
users, and associated network and security resources. The networks with which these professionals
typically work are configured as Windows Server domain-based environments with managed access to
the Internet and cloud services. This course is also intended to provide foundation configuration skills
for Enterprise Desktop/Device Support Technicians (EDSTs) who provide Tier 2 support to users who run
Windows desktops and devices within a Windows domain environment in medium to large enterprise
organizations. Students who seek certification in the 70-687 Configuring Windows 8.1 exam will also
benefit from this course.

Student Prerequisites
This course requires that you meet the following prerequisites:

At least two years of experience in the IT field

Knowledge of networking fundamentals, including Transmission Control Protocol/Internet Protocol
(TCP/IP), User Datagram Protocol (UDP), and Domain Name System (DNS)

Knowledge of Active Directory Domain Services (AD DS) principles and fundamentals of AD DS
management

Understanding of certificate security and working knowledge of the fundamentals of Active Directory
Certificate Services (AD CS)

Understanding of Windows Server 2008 R2 or Windows Server 2012 fundamentals

Understanding of Windows client operating system essentials; for example, working knowledge of
Windows XP, Windows Vista, Windows 7 and Windows 8

Basic understanding of Windows PowerShell syntax


Basic awareness of the following Windows deployment tools but no actual prerequisite skills with the
specific tools are assumed:

Windows Assessment and Deployment Kit (ADK)

Windows Preinstallation Environment (PE)

Windows System Image Manager (SIM)

Volume Activation Management Tool (VAMT)

User State Migration Tool (USMT)

Deployment Image Servicing and Management (DISM)

Course Objectives
After completing this course, students will be able to:

Describe solutions and features that are related to managing Windows 8.1 in an enterprise network
environment.

Determine requirements and perform the tasks for installing and deploying Windows 8.1.

Determine the most appropriate management tools to configure Windows 8.1 settings.

Manage profiles and user state between Windows-based devices.

Configure disks, partitions, volumes, and device drivers in a Windows 8.1 system.

Configure network connectivity.

Configure file, folder, and printer access.

Implement Windows 8.1 technologies to secure network connections.

Configure resource connectivity for both domain-joined devices and devices that are not domain
members.

Implement tools and technologies that can help secure Windows 8.1 PCs and devices.

Configure and control desktop apps and Windows Store apps.

Optimize and maintain Windows 8.1 PCs and devices.

Configure mobile computer settings and enable remote access.

Determine how to recover Windows 8.1 from various failures.

Describe Hyper-V for Windows 8.1 and describe how to use it to support legacy applications.

Course Outline
The course outline is as follows:


Module 1, "Windows 8.1 in an Enterprise Network Environment," describes solutions and features that are
related to managing Windows 8.1 in an enterprise network environment. Students will identify how to use
Windows 8.1 features and related solutions to support intranet, Internet, and Windows 8.1 clients that are
not domain members. They will also learn how to identify changes to the Windows 8.1 user interface and
how to perform customizations of the desktop and Start screen.

Module 2, "Installing and Deploying Windows 8.1," describes how to identify hardware, software, and
infrastructure readiness for installing and deploying Windows 8.1, and also describes the different options
for installing Windows 8.1 on a computer. It also explains how students can customize a Windows 8.1
image file and deploy it by using appropriate installation tools. Additionally, this module describes the
methods students can use to manage volume activation in Windows 8.1.

Module 3, "Tools Used for Configuring and Managing Windows 8.1," explains how to determine the most
appropriate management tools to configure Windows 8.1 settings. It describes tools for local and remote
management of Windows 8.1 and the use of Group Policy and Windows PowerShell in managing
Windows 8.1 settings.

Module 4, "Managing Profiles and User State in Windows 8.1," describes how to manage profiles and user
state between Windows-based devices. Students will learn about managing user accounts and profiles in
Windows 8.1, configuring User State Virtualization by using Microsoft User Experience Virtualization and
Windows 8.1, and migrating user state and settings when migrating to Windows 8.1.

Module 5, "Managing Disks and Device Drivers," explains how to configure partitions, volumes, and device
drivers in a Windows 8.1 system. It also explains how to manage virtual hard disks in the Windows 8.1 file
system.

Module 6, "Configuring Network Connectivity," explains how to configure network connectivity by using
IPv4 and IPv6. It also describes how to implement automatic IP address allocation and name resolution.

Module 7, "Configuring File Access and Printers on Windows 8.1 Clients," explains how to manage secure
file and folder access, create and manage shared folders, and configure file and folder compression. It also
explains how to enable and configure OneDrive access, and how to create and configure shared printers.

Module 8, "Implementing Network Security," explains how to secure network connections by
implementing Windows 8.1 technologies. It explains how to configure Windows Firewall, Windows
SmartScreen, and Windows Defender. It also explains how to implement connection security rules to
secure network traffic.

Module 9, "Configuring Resource Access for Domain-Joined Devices and Devices That Are Not Domain
Members," explains how to configure resource connectivity for domain-joined devices and devices that are
not domain members. It also explains how to configure Workplace Join for computers that are not
domain members, and how to configure Work Folders.

Module 10, "Securing Windows 8.1 Devices," explains how to implement tools and technologies that can
help secure Windows 8.1 desktops. It describes methods for authentication and authorization in Windows
8.1. It also describes how to use local Group Policy Objects to configure security and other settings, and it
explains the use of file encryption methods and User Account Control.

Module 11, "Configuring Applications for Windows 8.1," explains how to configure and control
applications in Windows 8.1. It describes application deployment methods and explains how to install and
manage Windows Store apps. It also explains how to configure and secure Internet Explorer, and how to
configure application restrictions with AppLocker.


Module 12, "Optimizing and Maintaining Windows 8.1 Computers," explains how to optimize and
maintain Windows 8.1-based computers. It also explains how to manage reliability, and how to configure
and manage software updates in Windows 8.1.

Module 13, "Configuring Mobile Computing and Remote Access," explains how to configure Windows 8.1
settings that are applicable to mobile computing devices. It also describes DirectAccess, and how it can
provide remote access. This module also explains how to enable and configure virtual private network
access, Remote Desktop, and Windows Remote Assistance.

Module 14, "Recovering Windows 8.1," explains how to recover Windows 8.1 from failures. It describes
how to provide for file and folder recovery, and how to identify when and how to recover Windows 8.1.

Module 15, "Configuring Client Hyper-V," describes Hyper-V for Windows 8.1 and explains how to create
and configure virtual machines in Hyper-V for Windows 8.1. It also explains the use of virtual hard disks
and the creation and implementation of virtual machine checkpoints.

Course Materials
The following materials are included with your kit:

Course Handbook: a succinct classroom learning guide that provides the critical technical
information in a crisp, tightly focused format, which is essential for an effective in-class learning
experience:


Lessons: guide you through the learning objectives and provide the key points that are critical to
the success of the in-class learning experience.

Labs: provide a real-world, hands-on platform for you to apply the knowledge and skills that are
learned in the module.

Module Reviews and Takeaways: provide on-the-job reference material to boost knowledge
and skill retention.

Lab Answer Keys: provide step-by-step lab solution guidance.

Course Companion Content on the http://www.microsoft.com/learning/companionmoc
website: searchable, easy-to-browse digital content with integrated, premium online resources that
supplement the Course Handbook:

Modules: include companion content, such as questions and answers, detailed demonstration
steps, and additional reading links, for each lesson. Additionally, they include Lab Review
questions and answers and Module Reviews and Takeaways sections, which contain the review
questions and answers, best practices, common issues and troubleshooting tips with answers, and
real-world issues and scenarios with answers.

Resources: include well-categorized additional resources that give you immediate access to the
most current premium content on TechNet, MSDN, or Microsoft Press.

Course evaluation: at the end of the course, you will have the opportunity to complete an online
evaluation to provide feedback on the course, training facility, and instructor:

To provide additional comments or feedback on the course, send an email to
support@mscourseware.com. To inquire about the Microsoft Certification Program, send an
email to mcphelp@microsoft.com.

Virtual Machine Environment


This section provides the information for setting up the classroom environment to support the business
scenario of the course.

Virtual Machine Configuration


In this course, you will use Microsoft Hyper-V to perform the labs.
Important: At the end of each lab, you must close the virtual machine and must not save
any changes. To close a virtual machine without saving the changes, perform the following
steps:
1. On the virtual machine, on the Action menu, click Close.
2. In the Close dialog box, in the What do you want the virtual machine to do? list, click
Turn off, delete changes, and then click OK.
The following table shows the role of each virtual machine that is used in this course.

Virtual machine       Role
20687D-LON-DC1        Domain controller in the Adatum.com domain
20687D-LON-CL1        Windows 8.1 computer in the Adatum.com domain
20687D-LON-CL2        Windows 8.1 computer in the Adatum.com domain
20687D-LON-CL3        Windows 7 computer in the Adatum.com domain
20687D-LON-CL4        Windows 8.1 computer that is not a domain member
20687D-LON-REF1       Blank virtual machine that is used for reference machine imaging and capture scenarios
20687D-LON-SVR1       Active Directory Federation Services (AD FS) server in the Adatum.com domain
20687D-LON-SVR2       Web server in the Adatum.com domain

Software Configuration
The following software is installed on each virtual machine:

Windows Server 8.1

Windows 8.1 client (Windows 8.1 Enterprise)

Microsoft Office 2010

On the server, possibly also Windows ADK

Classroom Setup
Each classroom computer will have the same virtual machine configured in the same way.

Course Hardware Level

To ensure a satisfactory student experience, Microsoft Learning requires a minimum equipment
configuration for trainer and student computers in all Microsoft Learning Partner classrooms in which
Official Microsoft Learning Product courseware is taught.

Intel Virtualization Technology (Intel VT) or AMD Virtualization (AMD-V) processor

Dual 120-gigabyte (GB) hard disks 7200 RPM Serial ATA (SATA) or better*

8 GB of RAM

DVD drive

Network adapter

Super VGA (SVGA) 17-inch monitor

Microsoft mouse or compatible pointing device

Sound card with amplified speakers

* Striped

In addition, the instructor's computer must be connected to a projection display device that supports
SVGA 1024 x 768 pixels, 16-bit colors.

Navigation in Windows Server 2012 R2 or Windows 8.1


If you are not familiar with the user interface in Windows Server 2012 R2 or Windows 8.1, then the
following information will help orient you to the new interface:

Sign in and Sign out replace Log in and Log out.

Administrative Tools are found in the Tools menu of Server Manager.

Move your pointer to the lower-right corner of the desktop to open a menu with:

Settings. This includes Control Panel and Power.

Start menu. This provides access to some applications.

Search. This allows you to search applications, settings, and files.

You might also find the following shortcut keys useful:

Windows logo key. Opens the Start screen.

Windows logo key+C. Opens the Charms bar.

Windows logo key+I. Opens Settings.

Windows logo key+R. Opens the Run window.


Module 1
Windows 8.1 in an Enterprise Environment
Contents:
Module Overview    1-1
Lesson 1: Managing Windows 8.1 in an Enterprise Environment    1-2
Lesson 2: Overview of Windows 8.1    1-8
Module Review and Takeaways    1-14

Module Overview

Windows client operating systems are essential to the functionality of almost every enterprise
environment. Most users perform the bulk of their computing tasks in the Windows client interface,
including editing documents, sending email, interacting with applications, and numerous other
tasks. Managing these clients, then, is an important task for enterprise information technology (IT)
administrators. You must manage Windows clients to ensure that operating systems and any applications
are operating properly. Providing adequate security measures, deploying new clients when required,
maintaining an inventory, and monitoring Windows clients in your environment are all essential tasks for
IT administrators. This module introduces you to Windows 8.1 and provides an overview of how you can
manage Windows 8.1 computers in your environment to meet common enterprise IT challenges.

Objectives
After completing this module, you will be able to:

Explain the different options for managing Windows 8.1 in an enterprise environment.

Describe Windows 8.1 and its UI.

Lesson 1
Managing Windows 8.1 in an Enterprise Environment

Managing Windows clients in an enterprise environment can provide a variety of challenges. Windows
computers that come from outside your environment or that connect through the Internet to your
network are often outside the scope of many central configuration management tools. Moreover, even
central configuration management tools have limitations that provide challenges, depending on your
environment.
This lesson highlights some of the most common challenges facing administrators in the client
environment and the solutions that are available for Windows 8.1 devices.

Lesson Objectives
After completing this lesson, you will be able to:

Describe the challenges of managing devices in today's enterprise environment.

Identify solutions for managing Windows 8.1 on an internal network.

Identify solutions for managing Internet-based Windows 8.1 devices.

Identify solutions for managing resource access for devices that are not domain-joined.

Explain how to manage Windows 8.1 devices by using enterprise management systems.

Challenges of Managing Devices in Today's Enterprise Environment

Managing devices in an enterprise environment consists of many different challenges. Some of these
challenges center around the configuration of the network environment, while others are based on the
type and configuration of clients in the environment. Device management challenges generally fall into
one of the following categories.

Network Configuration Challenges

Network configuration challenges primarily relate to how a client connects to an enterprise, or if it is
connected at all. Some examples of network configuration challenges include:

Virtual private network (VPN) clients cannot connect to a network with the same functionality as
internal clients.

Clients that are not connected to a network do not have access to resources.

A remotely connected client does not have enough available network bandwidth to run applications
that are hosted on enterprise servers.

Client Configuration Challenges

Challenges related to client configuration typically involve not being able to enforce a configuration
standard, or being forced to perform the tedious task of manually configuring devices on an unplanned
basis:

Client computers that are not managed centrally might have different, potentially conflicting
configurations.

Centralized configuration management might not reach all clients in an enterprise network, and
typically cannot configure clients outside of an enterprise network.

Mobile devices that require specific configuration are left misconfigured or are unaccounted for.

Security and Privacy Challenges


When assessing security and privacy-related challenges, you should consider several scenarios:

Clients do not have consistent and current protection from malware and other malicious content.

Permissions and access to client settings might be different from client to client.

Users who bring their own devices and connect to an enterprise network could potentially
compromise enterprise security standards.

Resource Access Challenges

Users need access to resources on a network. Missing or misconfigured access to files and printers can
have a significant negative impact on business activity in an organization. Some examples of resource
access challenges include:

Access to files and shared folders differs from client to client.

Installed printers are not consistent from client to client.

Files stored on an enterprise network are not available when a client is disconnected.

Access to profile and user data differs from client to client.

User profile data becomes corrupted.

Solutions for Managing Windows 8.1 on an Internal Network

The most robust management environment for a Windows 8.1 client is when it is connected to an
internal network. You can use a number of server-based configuration mechanisms to configure
Windows 8.1 clients. The most important aspect of managing a large number of Windows 8.1 clients is
the ability to manage them centrally without needing to sign in to and configure each computer
individually. The following tools enable central configuration on an internal network.

Group Policy

Group Policy helps you manage client computers centrally in a domain environment. With Group Policy,
you do not need to configure Windows 8.1 computers manually in your environment.


You can configure Windows 8.1 devices effectively by using centralized configuration management. In the
Active Directory Domain Services (AD DS) environment common to most Windows-based networks, you
can use Group Policy to provide centralized configuration management for Windows client computers.
When a Windows 8.1 client joins an AD DS domain, you can use Group Policy to specify configuration
settings for a client computer, including UI elements, security settings, available applications and features,
and operating system functionality. You also can use Group Policy to distribute common settings to client
computers, such as mapped drives, printers, or environment variables.
You can scope Group Policy as narrowly or as broadly across client devices as you determine, provided
that the clients are connected to the domain where you implement the Group Policy.

User Experience Virtualization

You can use Microsoft User Experience Virtualization (UE-V) to provide consistent and synchronized user
settings configuration for Windows 8.1 computers. With UE-V, user profile information is stored remotely
and synchronizes with client computers when users log on and make changes to the environment. UE-V
enables a consistent user environment.

Solutions for Managing Internet-based Windows 8.1 Devices

Clients that connect from the Internet can provide unique challenges for administrators. The Windows 8.1
and Windows Server 2012 R2 operating systems provide several options for enabling greater management
control of Windows 8.1 computers that are connected to the Internet, but are not directly connected to
your internal network.

VPN

VPN connectivity has been a long-standing connectivity option for Internet-based clients. VPN enables a
client to connect to an internal network by using a VPN server, which typically is located in a perimeter
network. Through VPN, a client user authenticates to a network environment and can gain access to
network resources. VPN connections provide a very limited scope of management. Common configuration
management methods like Group Policy typically do not function over a VPN connection.

DirectAccess

DirectAccess takes the concept of VPN and uses Windows Server 2012 R2 technology to enable an
Internet-based client to connect to a domain controller on an internal network, authenticate a client
computer account, and accept sign-ins from users as if the client computer is connected to the internal
network. Because the appropriate authentication has been performed, you can manage DirectAccess
clients by using Group Policy, and they appear to other enterprise management systems as if they were
connected to the internal network.


Solutions for Managing Resource Access for Non-Domain Devices

Windows 8.1 provides several features that enable computers that are not joined to a domain to function
as you require. These devices are becoming more common and important to the overall client
management process as organizations adopt policies that enable users to bring their own devices into the
workplace, a scenario known as Bring Your Own Device (BYOD).

Workplace Join

Workplace Join enables a device to be neither completely joined to a domain, nor completely isolated
from it. With Workplace Join, users can work on a device of their choosing and still have access to
enterprise network resources. IT administrators can control access to resources and provide a finer level of
control over devices that register through Workplace Join.

Work Folders

Work Folders enable users to synchronize their data from their user folder on a network to their own
device. When you implement Work Folders, locally created files also synchronize back to a network folder
location. You can configure Work Folders to synchronize network files without having a client joined to a
domain. In versions prior to Windows 8.1 and before Work Folders were introduced, domain membership
was required for this type of synchronization, and the client had to be connected to a corporate network
to initialize synchronization.

Remote Business Data Removal

With Windows 8.1 and Windows Server 2012 R2, you can use remote business data removal to classify
and flag corporate files and to differentiate between these files and user files. With this classification, the
remote wipe of a Windows 8.1 device will not remove user-owned data when securing or removing
corporate data on the device.

Managing Windows 8.1 Devices by Using Enterprise Management Systems

In addition to the management capabilities that are native to Windows 8.1 and Windows Server 2012 R2,
Microsoft also provides centralized configuration management tools that you can use to provide more
comprehensive management of Windows devices, both inside and outside of your enterprise network.

System Center 2012 R2 Configuration Manager

Microsoft System Center 2012 R2 Configuration Manager is an on-premises solution for managing
desktop computers and mobile devices. To manage computers with Configuration Manager, you need to
install the Configuration Manager agent.

Configuration Manager has the following capabilities:

Deploy applications. Configuration Manager enables you to deploy packaged applications to devices
in your environment.

Manage Endpoint Protection. Managing Microsoft System Center 2012 Endpoint Protection from
within Configuration Manager allows you to use a single console to manage desktop computers and
devices.

Deploy software updates. Configuration Manager uses the basic infrastructure of Windows
Server Update Services (WSUS) to provide software updates.

Deploy operating systems. Configuration Manager expands the capabilities of Windows Deployment
Services.

Inventory hardware and software. Configuration Manager includes hardware and software inventory
capabilities.

Track license compliance for software. You can use the Asset Intelligence and software metering
features in Configuration Manager to track license compliance.

Windows Intune
Windows Intune is a cloud service that you can use to secure and manage Windows client computers
and mobile devices. It uses a subscription-based model that does not require any on-premises
infrastructure to manage supported Windows client computers. Windows Intune can manage clients
irrespective of whether they are workgroup or domain members and without regard for their network
settings, as long as they are accessible over the Internet.

After you install Windows Intune client software, a computer account is created in Windows Intune,
and you now can manage that computer centrally. You can install the Windows Intune client in various
ways, such as by using Group Policy, by including it in a desktop image, or through the Windows Intune
company portal. An administrator also can deploy the client manually on a per-computer basis.
Windows Intune provides several benefits, including:

Updates. Windows Intune ensures that updates install on client computers. All updates through
Windows Update are available with Windows Intune, and you can deploy other non-Microsoft
updates by using Windows Intune.

Endpoint Protection. Windows Intune includes Windows Intune Endpoint Protection, which provides
real-time protection against malware such as viruses and spyware.

Software deployment. You can use Windows Intune for deploying software such as Windows client
operating systems or apps from Microsoft or third parties.

Monitoring and alerting. Windows Intune can monitor client computers and raise an alert when
certain criteria are met.

Reporting. Windows Intune provides several reports, such as detected software on client computers,
client computer inventory, and update reports on organizational use of licenses.

Integrating Configuration Manager and Windows Intune

The Configuration Manager 2012 R2 console now includes interoperability features that enable
administrators to view all client devices irrespective of whether Windows Intune or Configuration Manager
2012 R2 manages them. This enables you to add any mobile devices that you manage with Windows
Intune into the Configuration Manager 2012 R2 console. You then can manage all the devices through a
single administrative tool.


If your company does not have Configuration Manager 2012 R2, you can still use Windows Intune to
manage mobile devices and Windows client computers. However, if you already have Configuration
Manager 2012 R2 installed, Windows Intune enables you to extend the reach of your management
infrastructure to include mobile devices through cloud services. Configuration Manager 2012 R2 still has
more client computer management features than Windows Intune. However, Configuration Manager
2012 R2 only includes a limited set of mobile device management features because it relies on Windows
Intune for those tasks.

Lesson 2

Overview of Windows 8.1


Windows 8.1 is the latest version of the Windows client operating system. It includes the same core
functionality as Windows 8, along with several important enhancements and functionality improvements
that affect an enterprise environment.
This lesson introduces you to Windows 8.1, demonstrates changes to the UI, and shows you how to
customize the interface and other Windows 8.1 settings.

Lesson Objectives
After completing this lesson, you will be able to:

Describe the user experience.

Describe the Windows desktop versus the Start screen.

Customize the Windows 8.1 UI.

Describe Start screen control.

Explain how to customize Windows 8.1 settings.

Describe Windows Store apps.

Overview of the User Experience

Windows 8.1 is designed to provide navigation and functionality for touch-enabled devices and for
devices that are equipped with a keyboard and mouse. When you sign in to Windows 8.1, you are
presented with a series of interfaces:

1. Sign-in screen. At the sign-in screen, you must click or swipe to the top of the screen to access the
credentials screen. From here, you can provide your credentials to sign in to the computer. These can be
for a local user account or a domain user account, provided that the computer is joined to an AD DS
domain. You also can adjust Ease of Access features, change network connections, and shut down or
restart the computer.

2. Start screen. The Start screen appears after you sign in to Windows 8.1. The Start screen contains tiles
that represent the apps installed on the computer.

3. Desktop. By clicking the Desktop tile on the Start screen, you can access the desktop, which appears
whenever you run desktop apps.

Important Windows 8.1 Navigation Shortcuts

You can access Windows 8.1 interface elements with several convenient touch gestures, mouse gestures,
and keyboard shortcuts:

Start screen. Click the Start button on the taskbar or press the Windows logo key on the keyboard.

Display Charms menu. Point to the upper-right or lower-right corner or press Windows logo key+C
on the keyboard.


Get commands and shortcut menus. On the Start screen or in Windows Store apps, right-click the
screen or press Windows logo key+Z. You also can swipe up from the bottom of the screen to access
these commands and menus on a touch-screen device.

Switch between recently used apps. Point to the upper-left corner with the mouse and then click or
swipe in from the left on a touch-screen device.

Close an app. With a Windows Store app open, move the mouse to the top of the screen, click, and then
pull down. You also can swipe down from the top on a touch-screen device or press Alt+F4 on the
keyboard.

Display the Quick Link menu. Right-click the Start button or press Windows logo key+X on the
keyboard to display a menu of commonly used shortcuts to Windows interface components such as
the Shutdown menu, Task Manager, Command Prompt, and Control Panel.

Other Touch-Enabled Gestures

You can navigate the Windows 8.1 interface by using the following gestures on touch-screen devices:

Pinch to zoom. You can pinch to zoom in, and reverse the pinching gesture to zoom out, in many apps
and on the Start screen.

Press, hold, drag, and drop. You can use this gesture to move interface elements around in Windows
Store apps or to move and edit tiles on the Start Screen.

Other Keyboard Shortcuts


The following keyboard shortcuts provide access to other Windows 8.1 interface components:

Windows logo key+D. Display and hide the desktop.

Windows logo key+E. Open File Explorer.

Windows logo key+F. Open the Search charm to search files.

Windows logo key+H. Open the Share charm.

Windows logo key+I. Open the Settings charm.

Windows logo key+J. Switch between the main app and a snapped app.

Windows logo key+K. Open the Devices charm.

Windows logo key+L. Lock the computer or switch users.

Windows logo key+O. Lock the screen orientation for accelerometer-enabled devices.

Windows logo key+P. Choose a presentation mode for multiple monitors.

Windows logo key+Q. Open the Search charm to search for apps.

Windows logo key+R. Open the Run dialog box.

Windows logo key+W. Open the Search charm to search settings.

Windows logo key+Spacebar. Switch input language and keyboard layout.

Windows logo key+Tab. Cycle through Windows Store apps.

Windows logo key+Page Up or Page Down. Move the Start screen and apps to the next monitor.

For more information on the keyboard shortcuts in Windows 8.1, refer to:
Microsoft Accessibility: Keyboard Shortcuts
http://go.microsoft.com/fwlink/?LinkId=356124&clcid=0x409

Windows Desktop vs. the Start Screen

Windows 8.1 supports the following two app types:

Desktop apps. These run in the context of the desktop in the same way they did in previous versions of
Windows operating systems.

Windows Store apps. These are full-screen, touch-optimized apps that run in the context of the Start
screen.

The Windows desktop has been the traditional starting point in Windows client operating systems for
almost 20 years. In Windows 8 and Windows 8.1, the Start screen provides a new startup experience for
the end user. The Start screen contains tiles, which represent apps that are installed on the computer.
These tiles can be static, or they can provide live information from the app. For example, the tile for a
weather app might provide the current temperature in your area. The Start screen provides quick access
to commonly used apps on a computer.

Starting Windows 8.1 to the Desktop

If your organization does not use any Windows Store apps, or if it has the majority of its applications
hosted in the desktop environment, you might want to start Windows 8.1 computers to the desktop
rather than the Start screen. To configure a Windows 8.1 computer to start to the desktop, use the
following procedure:

1. On the desktop, right-click the taskbar, and then click Properties.

2. On the Navigation tab, in the Start screen section, select the Go to the desktop instead of Start
when I sign in check box.

Demonstration: Customizing the Windows 8.1 UI

In this demonstration, you will see how to customize the Windows 8.1 UI.

Demonstration Steps

1. Sign in to LON-CL1 as Adatum\Adam with password Pa$$w0rd.

2. Open and close the Photos app.

3. Change the size of the Photos tile to Wide.

4. Move the Photos app.

5. Unpin the Photos app from the Start screen.

6. Open the Applications screen by clicking the Down Arrow at the bottom of the Start screen.

7. Pin the Calculator tile to the Start screen.

8. Open the desktop.

9. Open the Quick Links menu, and then click Command Prompt.

10. Configure Windows 8.1 to start to the desktop instead of the Start screen.

Overview of Start Screen Control

Windows 8.1 enables you to control the layout of the Start screen by using the Windows PowerShell
command-line interface and Group Policy in AD DS. You can use this functionality to configure a
Windows 8.1 computer with a Start screen that is representative of what your end users should have,
export the configuration to an XML file, and then use Group Policy to enforce the Start screen layout for
your users.

Configuring Start Screen Control

To configure Start screen control, follow this procedure:

1. Configure the Start screen layout on a Windows 8.1 computer.

2. Run the Export-StartLayout Windows PowerShell cmdlet and specify the output file. For example:

Export-StartLayout -Path C:\path\StartLayout.xml -As XML

3. Store the StartLayout.xml file in a network location where users have Read permissions.

4. Edit the local policy on a Windows 8.1 computer, or create or edit a Group Policy Object (GPO) with
an appropriate Group Policy setting to specify the location of the StartLayout.xml file:

Computer Configuration\Policies\Administrative Templates\Start Menu and Taskbar\Start Screen Layout

User Configuration\Policies\Administrative Templates\Start Menu and Taskbar\Start Screen Layout

5. Link the GPO in the Group Policy Management Console if you use Group Policy.

Note: When you use Start screen control to set the layout of the Windows 8.1 Start screen,
users cannot customize or make changes to the Start screen.
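The following Windows PowerShell script is an added example for this topic; it is not part of the course
material or a Microsoft-supplied script. It carries out steps 2 through 4 of the procedure on a single
computer and adds the check a practitioner wants before enforcing a layout: the share that holds
StartLayout.xml must grant users Read access only, because a user who can write to that file can
change the Start screen that the policy enforces on everyone. The domain name ADATUM, the server
LON-DC1, the share name StartLayout$ and the local path C:\StartLayout are assumptions for the
example. The two registry values at the end are the ones the Start Screen Layout policy setting writes
under the Explorer policy key; confirm them against the ADMX files in your environment before relying
on them, and in a domain set the GPO instead of writing them directly.

```powershell
# Added example for the Start screen control procedure (not the course's own script).
# Assumptions: domain ADATUM, share \\LON-DC1\StartLayout$ already exists, and this
# runs on the reference Windows 8.1 computer whose Start screen is already arranged.

$exportFile = 'C:\StartLayout\StartLayout.xml'
$share      = '\\LON-DC1\StartLayout$'
$layoutPath = Join-Path -Path $share -ChildPath 'StartLayout.xml'

# Step 2: export the current Start screen layout as XML.
New-Item -ItemType Directory -Path (Split-Path -Path $exportFile) -Force | Out-Null
Export-StartLayout -Path $exportFile -As XML

# Refuse to publish a file that is not well-formed XML: the [xml] cast throws on a
# broken file, and a broken layout would otherwise be pushed to every targeted user.
[xml]$layout = Get-Content -Path $exportFile -Raw

# Step 3: publish the file and grant Domain Users ReadAndExecute only.
Copy-Item -Path $exportFile -Destination $layoutPath -Force
$acl  = Get-Acl -Path $share
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    'ADATUM\Domain Users', 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# Check: no Allow entry for broad groups may carry any Write bit (FullControl includes it).
$writeBits = [System.Security.AccessControl.FileSystemRights]::Write
$writable  = (Get-Acl -Path $share).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference -match 'Domain Users|Everyone|Authenticated Users|Users' -and
    ($_.FileSystemRights -band $writeBits)
}
if ($writable) {
    throw "Users can modify $share; fix the ACL before enforcing the layout."
}

# Step 4, local policy variant: point the computer at the published file and lock the
# layout. Assumption: these value names match the Start Screen Layout ADMX setting.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer'
New-Item -Path $policyKey -Force | Out-Null
Set-ItemProperty -Path $policyKey -Name 'StartLayoutFile'   -Value $layoutPath
Set-ItemProperty -Path $policyKey -Name 'LockedStartLayout' -Value 1 -Type DWord
gpupdate /target:computer /force
```

Run the script in an elevated Windows PowerShell session on the reference computer. The ACL check
deliberately fails the script rather than warning, because an enforced layout that any user can rewrite is
worse than no enforced layout at all.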

Customizing Windows 8.1 Settings

Windows 8.1 has a large number of computer settings that you can configure to provide the optimal
interface for your users. You can configure most of the Windows 8.1 settings in one of two locations: the
PC Settings screen, or Control Panel.

PC Settings

The PC Settings screen contains configuration options that you can apply to the Windows Start screen
interface. It also provides a touch screen-optimized configuration interface for Windows 8.1 settings that
you can configure elsewhere in Windows 8.1. You can access the PC Settings screen by opening the
Charms menu, clicking Settings, and then clicking PC Settings at the bottom of the menu. The following
settings are available within the PC Settings screen:

Activate Windows. You can activate your version of Windows 8.1 from this screen.

PC & devices. The PC & devices screen contains a large number of configuration settings for the look
and feel of Windows 8.1, such as lock screen view; display resolution and orientation; and mouse,
touchpad, and other input device behavior. It also contains sections for adding and removing
peripheral devices, such as printers.

Accounts. You can configure both local and Microsoft-based accounts from this screen, including
sign-in options like account picture and picture passwords.

OneDrive. You can view and configure your online storage space from Microsoft OneDrive (formerly
SkyDrive) from this screen.

Search & apps. You can use this screen to control your search experience in Windows 8.1, and the
default settings for tasks such as notifications and default apps.

Privacy. You can control the behavior of devices such as cameras, and location-based behavior from
this screen.

Network. You can use the Network screen to manipulate network settings and connect to new
networks.

Time & language. You can use this screen to configure local and regional settings for time and
language display and input.

Ease of Access. The Ease of Access screen contains settings that enable the customization of input and
display methods.

Update & recovery. The Update & recovery screen presents options for updating your computer,
recovering previous versions of files, or enabling advanced recovery modes for Windows 8.1.

Demonstration: Customizing Windows 8.1 Settings

In this demonstration, you will see how to customize Windows 8.1 settings.

Demonstration Steps

1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.

2. Open the Change PC Settings screen.

3. Open the PC & devices screen.

4. Add the Weather app to the lock screen display options.

5. Open the Accounts screen, and then view available options.

6. Open the Search & apps screen.

7. Configure the Recent apps list to display 10 apps.

Understanding Windows Store Apps

Windows Store provides a convenient, single location for you to access and download apps. You can
access the Windows Store from the Start screen without navigating to Control Panel.

Note: To access the store, users must sign in to Windows 8.1 by using a Microsoft account. Users can
create this account during Windows 8.1 installation, or they can define it after installation.

Windows Store Apps

Windows Store enables users to access and install Windows Store apps. These apps are not like desktop
applications such as Microsoft Office 2010. Rather, they are full-screen apps that can run on a number of
device types, including x86, x64, and ARM platforms. However, not all Windows Store apps are compatible
with all platforms.
These apps can communicate with one another and with Windows 8.1 so that it is easier to search for and
share information, such as photographs.
When an app is installed, from the Start screen, users can see live tiles that constantly update with live
information from the installed apps.

Locating Apps

When users connect to the Windows Store, the landing page, that is, the initial page users see when
accessing the Windows Store, is designed to make apps easy to locate. Apps are divided into categories
such as Games, Entertainment, Music & Videos, and others.
Users also can use the Windows 8.1 Search charm to search the Windows Store for specific apps. For
example, if a user is interested in an app that provides video-editing capabilities, he or she can bring up
the Search charm, type in a search string, and then click Store. The Windows Store returns suitable apps
from which the user can make a selection.

Installing Apps

A single tap or click on the appropriate app in the listing should be sufficient to install the app. The app
installs in the background so that a user can continue to browse the Windows Store. After the app installs,
a tile for the app appears on the user's Start screen.

Updating Apps

Windows 8.1 checks the Windows Store for updates to installed apps on a daily basis. When an update
for an installed app is available, the Windows operating system updates the Store tile in the Start screen
to display an indication that updates are available. When a user selects the Store tile and connects to the
Windows Store, the user can choose to update one, several, or all of the installed apps for which updates
are available.

Installing Apps on Multiple Devices

Many users have multiple devices, such as desktop and laptop computers. Windows Store allows five
installations of a single app to enable users to run the app on all of their devices. If users attempt to install
an app on a sixth device, they are prompted to remove the app from another device.

Module Review and Takeaways


Review Question
Question: What advantages does the domain environment provide for managing
Windows 8.1 computers?


Module 2
Installing and Deploying Windows 8.1
Contents:

Module Overview  2-1
Lesson 1: Preparing to Install and Deploy Windows 8.1  2-2
Lesson 2: Installing Windows 8.1  2-12
Lab A: Installing Windows 8.1  2-24
Lesson 3: Customizing and Preparing a Windows 8.1 Image for Deployment  2-27
Lab B: Customizing and Capturing a Windows 8.1 Image  2-39
Lesson 4: Volume Activation for Windows 8.1  2-43
Lab C: Deploying a Windows 8.1 Image  2-51
Module Review and Takeaways  2-53

Module Overview

The Windows 8.1 operating system builds on the core functionality of Windows 8 and Windows 7 to
provide a stable client experience across many device form factors and processor architectures. In this
module, you will learn about the features that are available in different Windows 8.1 editions. This module
introduces planning considerations and hardware requirements for a Windows 8.1 installation. You also
will learn about the importance of device driver compatibility and application compatibility during
installation.
This module describes how you can perform a clean installation of Windows 8.1. It also describes how you
can upgrade or migrate to Windows 8.1 and the upgrade paths that are supported. You will learn about
the tools and technologies that you can use to customize an installation. You also will learn about
Windows 8.1 activation and the different activation options.

Objectives
After completing this module, you will be able to:

Prepare to install and deploy Windows 8.1.

Install Windows 8.1.

Customize and prepare a Windows 8.1 image for deployment.

Describe volume activation for Windows 8.1.

Lesson 1

Preparing to Install and Deploy Windows 8.1


Before you install Windows 8.1 on a computer, you must ensure that the hardware and software on that
computer is compatible with it. As you prepare for the installation, you must understand the minimum
hardware requirements and the installation methods that you can use.

In this lesson, you will learn about the planning process for a successful Windows 8.1 installation and
deployment. You will learn how to identify problematic devices, drivers, and apps, and you will determine
methods for mitigating compatibility issues. By doing so, you can minimize or eradicate the problems you
might face during or after installation.

Lesson Objectives
After completing this lesson, you will be able to:

Describe how to plan for a Windows 8.1 installation.

Identify considerations for deploying Windows 8.1 in the enterprise environment.

Identify hardware requirements for installing Windows 8.1.

Describe how to determine device driver compatibility.

Describe common application compatibility issues.

Describe methods for mitigating common application compatibility issues.

Planning for a Windows 8.1 Installation

You can install Windows 8.1 as an upgrade to an existing and supported Windows operating system, such
as Windows 7 or Windows 8. You also can install it on a new computer that does not have an operating
system. When you are planning for a Windows 8.1 installation, you should consider the following factors:

Windows 8.1 is available in three editions: Windows 8.1, Windows 8.1 Pro, and Windows 8.1 Enterprise.
You should select the edition that includes the features that you need while minimizing licensing costs.

You can perform a clean Windows 8.1 installation or upgrade an existing operating system. An
upgrade retains files, apps, and settings from the operating system that you upgraded. A clean
installation includes only default settings and apps from the Windows 8.1 installation. You also can
perform a clean installation and load the saved user settings from the previous environment.

All Windows 8.1 editions are available in 32-bit or 64-bit versions. Both versions include the same
features, but 64-bit versions support more memory and provide better security because they require
digitally signed device drivers.

Verify that your computer and devices are compatible with Windows 8.1 and that device drivers for
all components are available.

Verify that the apps that you plan to use are compatible with Windows 8.1 and that they are
supported on that platform.

You can deploy Windows 8.1 by using different methods. You should select a deployment method
based on the existing environment and the number of computers that you must deploy. The
deployment methods you can use include the following:

o Running setup from DVD media.

o Performing an installation from a network share.

o Using Windows Deployment Services (Windows DS).

o Using software deployment solutions such as Microsoft System Center 2012 R2 Configuration
Manager (Configuration Manager).

Windows 8.1 Editions

Windows 8.1 is available in three separate editions:

Windows 8.1. This edition contains only the key operating system features. It can run apps such as the
Microsoft Office System, and it is appropriate for use in home environments, which do not require
features such as BitLocker Drive Encryption and DirectAccess. From a planning perspective, it is
important to note that you cannot join computers that are running this edition of Windows 8.1 to an
Active Directory Domain Services (AD DS) domain. Also important to note is that you can activate
this edition of Windows 8.1 only with a retail license key.

Windows 8.1 Pro. This edition includes features such as BitLocker, Client Hyper-V, Domain Join,
Group Policy, and native boot from virtual hard disk. This edition of Windows 8.1 is suitable for small-
and medium-size businesses that do not require technologies such as AppLocker, BranchCache,
DirectAccess, and Windows To Go to meet business objectives. You can use Windows 8.1 Pro with
retail license keys and with volume licensing options such as multiple activation keys (MAKs) and Key
Management Service (KMS) keys.

Windows 8.1 Enterprise. You are most likely to deploy this edition of Windows 8.1 in large business
environments. This edition includes all the features that are available in the Windows 8.1 operating
system, from being able to join an AD DS domain, to edition-specific features such as AppLocker,
BranchCache, DirectAccess, Windows To Go, and the ability to sideload Windows Store apps. You can
activate Windows 8.1 Enterprise only by using a volume license key.

The following table represents the key features that are available in each edition of Windows 8.1.

Feature                          Windows 8.1    Windows 8.1 Pro    Windows 8.1 Enterprise
Maximum physical CPU
Maximum memory (x86)             4 GB           4 GB               4 GB
Maximum memory (x64)             128 GB         512 GB             512 GB
Workplace Join
Work Folders
Remote Desktop                   Client only
Domain Join
Group Policy
Boot from virtual hard disk
BitLocker and BitLocker To Go
Encrypting File System
Client Hyper-V                                  Only on x64        Only on x64
AppLocker
BranchCache
DirectAccess
Windows To Go

Understanding Windows RT

The Windows RT operating system is designed to run apps built on the Windows RT platform, and it is
only available as a preinstalled operating system on tablets and similar devices with ARM processors. ARM
provides a lightweight form factor with excellent battery life specifically for mobile devices. Windows RT is
preloaded with touch-optimized versions of Microsoft Office apps and is otherwise limited to running
Windows Store apps. Devices that run Windows RT cannot be members of AD DS domains, but they can
use Workplace Join and Work Folders.

Advantages of 64-bit Windows 8.1 Versions

Each Windows 8.1 edition is available in 32-bit and 64-bit versions. The 64-bit versions of Windows 8.1
are designed to work with computers that utilize the 64-bit processor architecture. Although the 64-bit
versions are similar in features to their 32-bit counterparts, there are several advantages to using a 64-bit
version of Windows 8.1, including the following:

Improved performance. 64-bit processors can process more data for each clock cycle, and therefore,
you can scale your apps to run faster. However, to benefit from this improved processor capacity, you
must install a 64-bit edition of the operating system.

Enhanced memory. A 64-bit operating system can use random access memory (RAM) more
efficiently, and it can address memory above 4 gigabytes (GB). This is unlike all 32-bit operating
systems, including all 32-bit editions of Windows 8.1, which are limited to 4 GB of addressable
memory.

Improved device support. Although 64-bit processors have been available for some time, in the
past, it was difficult to obtain third-party drivers for commonly used devices such as printers,
scanners, and other common office equipment. Since the release of the 64-bit versions of Windows 7,
the availability of drivers for these devices has improved greatly. Because Windows 8.1 is built on the
same kernel as Windows 7, most of the drivers that work with Windows 7 also work with Windows 8
and Windows 8.1.

Improved security. The architecture of 64-bit processors enables a more secure operating system
environment through Kernel Patch Protection, mandatory kernel-mode driver signing, and Data
Execution Prevention.

Support for the Client Hyper-V feature. This feature is supported only in the 64-bit versions of
Windows 8.1. Client Hyper-V requires 64-bit processor architecture that supports Second Level
Address Translation (SLAT).

The 64-bit versions of Windows 8.1 do not support the 16-bit Windows on Windows environment. If
your organization requires older 16-bit apps, they will not run natively on 64-bit versions of
Windows 8.1. One solution is to run the app within a virtual environment by using Client Hyper-V.

Choosing Windows 8.1 Versions for Installation

In most cases, a computer will run the version of Windows 8.1 that corresponds to its processor
architecture. A computer with a 32-bit processor will run the 32-bit version of Windows 8.1, and a
computer with a 64-bit processor will run the 64-bit version of Windows 8.1. You can use the following
list to determine which version of Windows 8.1 you should install on a computer:

You can install 64-bit versions of Windows 8.1 only on computers with 64-bit processor architectures.

You can install 32-bit versions of Windows 8.1 on computers with 32-bit or 64-bit processor
architectures. When you install a 32-bit version of Windows 8.1 on a 64-bit processor architecture,
the operating system does not take advantage of any 64-bit processor architecture features or
functionality.

32-bit drivers will not work on 64-bit versions of Windows 8.1. If you have hardware that is supported
by 32-bit drivers only, you must use a 32-bit version of Windows 8.1, regardless of the computer's
processor architecture.

You can install 32-bit versions of Windows 8.1 on 64-bit architecture computers to support older
16-bit versions of apps or for testing purposes.
Question: Can you use Microsoft Office 2013 on Windows RT?
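The 64-bit advantages above and the version-selection list both turn on facts you can read from the
computer itself: whether the processor is 64-bit capable, whether it has SLAT and virtualization enabled
for Client Hyper-V, how much memory is installed, and whether any installed driver is unsigned (a 64-bit
Windows 8.1 installation will not load it). The following Windows PowerShell function is an added
example, not part of the course, that gathers those facts through standard WMI classes
(Win32_Processor, Win32_OperatingSystem, Win32_ComputerSystem and Win32_PnPSignedDriver) and
turns them into a version recommendation. The function name Get-Win81ReadinessReport and the
report property names are this example's own.

```powershell
# Added example (not from the course): report whether a computer can take a 64-bit
# Windows 8.1 installation and Client Hyper-V, and list drivers that are not signed.
# Run in an elevated Windows PowerShell session on the computer being assessed.
function Get-Win81ReadinessReport {
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem

    # DataWidth is the processor's native width (64 on an x64-capable CPU) even when a
    # 32-bit operating system is running; AddressWidth reflects the running OS instead.
    $cpu64 = ($cpu.DataWidth -eq 64)
    $os64  = ($os.OSArchitecture -like '64*')
    $memGB = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)

    # Client Hyper-V needs a 64-bit OS, SLAT, and virtualization enabled in firmware.
    # Note: once Hyper-V itself is enabled, these two flags read $false on the host.
    $slat = [bool]$cpu.SecondLevelAddressTranslationExtensions
    $vtFw = [bool]$cpu.VirtualizationFirmwareEnabled

    # 64-bit Windows enforces kernel-mode driver signing, so every entry here needs a
    # signed replacement (or the 32-bit edition) before the computer is upgraded.
    $unsigned = @(Get-CimInstance -ClassName Win32_PnPSignedDriver |
        Where-Object { $_.IsSigned -eq $false -and $_.DeviceName } |
        Select-Object -Property DeviceName, DriverVersion, DriverProviderName)

    if (-not $cpu64) {
        $recommendation = '32-bit only: processor is not 64-bit capable'
    } elseif ($unsigned.Count -gt 0) {
        $recommendation = '64-bit possible once the listed unsigned drivers are replaced'
    } else {
        $recommendation = '64-bit'
    }

    [pscustomobject]@{
        ComputerName        = $cs.Name
        Cpu64BitCapable     = $cpu64
        Running64BitOS      = $os64
        MemoryGB            = $memGB
        MemoryAbove4GB      = ($memGB -gt 4)      # only a 64-bit edition can use it
        ClientHyperVCapable = ($cpu64 -and $slat -and $vtFw)
        UnsignedDriverCount = $unsigned.Count
        UnsignedDrivers     = $unsigned
        Recommendation      = $recommendation
    }
}

# Usage: print the report for this computer; pipe to Export-Csv to collect a fleet.
Get-Win81ReadinessReport | Format-List
```

The unsigned-driver list is the part worth keeping from an inventory run, because it is the one item
on the page that can block a 64-bit deployment outright rather than merely leave capacity unused.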

Considerations for Deploying Windows 8.1 in the Enterprise Environment

You must consider several important differences if you are considering Windows 8.1 deployment for
several computers in a small company versus deployment in an enterprise environment. In a small
company, you can use Windows Setup and deploy Windows 8.1 individually on each computer. However,
such an approach is not appropriate for an enterprise environment that already has AD DS and
infrastructures in place for management, updating, and deployment. In an enterprise environment,
Windows 8.1 is deployed on several client computers at once. Deployment solutions such as Windows DS,
Microsoft Deployment Toolkit (MDT), or Configuration Manager typically are used, and a high level of
automation is necessary. You can use Windows DS to deploy Windows 8.1 to multiple client computers at
once by using multicast. You also can use Configuration Manager to deploy Windows 8.1 without any user
interaction. This type of deployment is called zero-touch installation (ZTI).

Because you typically use Windows 8.1 to upgrade an existing environment, users already have their
accounts and settings. You need to preserve user state during the deployment, which means that you
must perform either an upgrade or a migration. In an enterprise environment, you usually would use
migration because it provides a clean and standardized environment, and it removes all the legacy files
that might exist on computers. You also can control what is migrated from a previous environment. In
many cases, enterprises use Folder Redirection and roaming profiles (both technologies are referred to as
user state virtualization), which means that user state is not stored locally, and you do not need to migrate
it at all. In such cases, when users sign in to a Windows 8.1 computer, their settings will be applied, and
they will have access to their documents.
The default Windows 8.1 installation image often is customized to include specific requirements for an
enterprise. For example, apps that are used on all clients, such as Microsoft Office 2013, are included in
the installation image, in addition to language packs, additional device drivers, and updates. Apps that
are used in an enterprise must be verified for compatibility with Windows 8.1, and when a customized
installation image is built, it must pass extensive testing. All these factors and the large number of clients
to which Windows 8.1 must be deployed make Windows 8.1 deployment in an enterprise environment a
lengthy project that requires extensive planning, preparation, and testing.
Question: Why do enterprises not use default Windows 8.1 DVD media to perform
installations?

Hardware Requirements for Installing Windows 8.1


Windows 8.1 can run on older computer configurations, and many computers in enterprises today can
meet minimum hardware requirements easily. The Windows 8.1 kernel has been refined and improved
from Windows 7, and in many cases, you might see general performance improvements on a computer in
several different areas.
Windows 8.1 installation might be successful if some of the minimum recommended hardware
requirements are not met. However, user experience and operating system performance might be
compromised if the computer does not meet or exceed recommended specifications. The following list
outlines the minimum recommended hardware requirements for Windows 8.1:

1 gigahertz (GHz) or faster processor.

1 GB of RAM (32-bit) or 2 GB of RAM (64-bit).

16 GB of available hard disk space (32-bit) or 20 GB of available hard disk space (64-bit).

A DirectX 9 graphics device with a device driver that supports Windows Display Driver Model
(WDDM) 1.0 or newer.

In addition to these hardware requirements, Windows 8.1 includes several features that require a specific
hardware configuration before they will install or run correctly. These features are as follows:

The Windows 8.1 secure boot process requires a pre-boot environment that is based on Unified
Extensible Firmware Interface (UEFI). The secure boot process takes advantage of UEFI to prevent
starting unknown or potentially unwanted operating system boot loaders between the system's firmware
start and the Windows 8.1 operating system start. The secure boot process is not mandatory for
Windows 8.1, but it greatly increases the integrity of the boot process.

Client Hyper-V requires a 64-bit processor architecture that supports SLAT. SLAT reduces the
overhead incurred during the virtual-to-physical address mapping process performed for virtual
machines.

The BitLocker and Virtual Smart Card features require a computer that supports Trusted Platform
Module (TPM) to provide the most seamless and secure experience. TPM allows the storage of
BitLocker encryption keys and Virtual Smart Cards within a microcontroller on a computer's
motherboard.

Miracast is a Windows 8.1 feature that you can use to share your display with a Miracast-enabled
display or projector over a wireless connection. This feature requires a display adapter that supports
Miracast and uses a device driver that is designed for Windows 8.1.

To use touch and gestures as an input method, a tablet or monitor must support multitouch. If your
device does not support such input, you can still use a mouse and keyboard.

Windows Store apps require a minimum of 1024 × 768 screen resolution for the Snap feature. This
feature enables you to use Windows 8.1 apps side by side, making the app viewable while you use
other Windows Store apps. You cannot use Windows Store apps at a resolution lower than
1024 × 768; you will receive an error message if you start one in such a configuration.

Windows 8.1 includes support for three-dimensional (3-D) printing, but you should have a supported
3-D printer device.
Question: Do you have to create a virtual machine with at least 1 GB of memory if you want
to install Windows 8.1 Pro on that virtual machine?
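The following script, an added example that is not part of the course text, checks a computer against the minimums listed above and reports whether the prerequisites for the optional features (UEFI Secure Boot, SLAT for Client Hyper-V, TPM for BitLocker and Virtual Smart Cards) are present. It assumes an elevated Windows PowerShell 3.0 or later session on Windows 8 or later, where Confirm-SecureBootUEFI and Get-Tpm are available; the -Target64Bit and -SystemDrive parameters are the example's own.

```powershell
# Added example; not part of the course text.
function Test-Win81Readiness {
    [CmdletBinding()]
    param(
        # Hypothetical parameter: whether a 64-bit edition is planned (RAM and disk minimums differ).
        [bool]$Target64Bit = ((Get-CimInstance -ClassName Win32_OperatingSystem).OSArchitecture -like '64*'),
        # Hypothetical parameter: the drive whose free space is measured.
        [string]$SystemDrive = 'C:'
    )

    $cpu  = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$SystemDrive'"

    # Minimums from the list above: 1 GB / 16 GB for 32-bit, 2 GB / 20 GB for 64-bit.
    $minRamGB  = if ($Target64Bit) { 2 }  else { 1 }
    $minDiskGB = if ($Target64Bit) { 20 } else { 16 }
    $ramGB     = [math]::Round($cs.TotalPhysicalMemory / 1GB, 2)
    $freeGB    = [math]::Round($disk.FreeSpace / 1GB, 2)

    # Confirm-SecureBootUEFI throws on legacy BIOS firmware; treat that as "not available".
    $secureBoot = 'not available (BIOS firmware)'
    try { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop } catch { }

    # Get-Tpm throws when no TPM driver or WMI provider is present.
    $tpmPresent = $false
    try { $tpmPresent = [bool](Get-Tpm -ErrorAction Stop).TpmPresent } catch { }

    # Win32_Processor reports SLAT support on Windows 8 and later; Client Hyper-V needs it plus 64-bit.
    $slat = [bool]$cpu.SecondLevelAddressTranslationExtensions

    $rows = @(
        [ordered]@{ Check = 'Processor 1 GHz or faster';           Value = "$($cpu.MaxClockSpeed) MHz"; Pass = ($cpu.MaxClockSpeed -ge 1000); Required = $true }
        [ordered]@{ Check = "RAM ($minRamGB GB minimum)";          Value = "$ramGB GB";                Pass = ($ramGB -ge $minRamGB);       Required = $true }
        [ordered]@{ Check = "Free disk ($minDiskGB GB minimum)";   Value = "$freeGB GB";               Pass = ($freeGB -ge $minDiskGB);     Required = $true }
        [ordered]@{ Check = 'UEFI Secure Boot';                    Value = "$secureBoot";              Pass = ($secureBoot -eq $true);      Required = $false }
        [ordered]@{ Check = 'SLAT (Client Hyper-V)';               Value = "$slat";                    Pass = ($slat -and $Target64Bit);    Required = $false }
        [ordered]@{ Check = 'TPM (BitLocker, Virtual Smart Card)'; Value = "$tpmPresent";              Pass = $tpmPresent;                  Required = $false }
    )
    $rows | ForEach-Object { [pscustomobject]$_ }
}

# Usage: print the table and warn when any hard minimum is missed.
$report = Test-Win81Readiness
$report | Format-Table Check, Value, Pass, Required -AutoSize
if ($report | Where-Object { $_.Required -and -not $_.Pass }) {
    Write-Warning 'At least one minimum requirement for Windows 8.1 is not met.'
}
```

The DirectX 9 / WDDM 1.0 graphics requirement is not checked here because Windows Setup verifies it itself and there is no single WMI property that expresses it.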

Determining Device Driver Compatibility


Besides minimum hardware requirements, you also must determine the compatibility of other computer
hardware. You should check devices such as printers, wireless keyboards, and wireless mice to ensure
that they are compatible with Windows 8.1 and that they have functioning device drivers for
Windows 8.1.

Importance of Device Drivers

A device driver is a component that the Windows operating system uses to communicate with a device.
It contains device-specific code that enables the Windows operating system to use the device. Device
drivers are critical for system stability, and without them, the Windows operating system cannot
communicate with devices. However, other devices and computer hardware components also must have
loaded drivers. Critical system components such as hard drive controllers, chipsets, graphics adapters,
and network adapters must have drivers to function properly. If the specific driver for a device is not
found, the Windows operating system can use a more generic driver for a compatible device, if it is
present.
Windows 8.1 includes device drivers for tens of thousands of devices, and you can add additional drivers
during or after a Windows 8.1 operating system installation.
Note: All device drivers that are included with Windows 8.1 are digitally signed, and
Windows 8.1 requires all device drivers and other kernel components to be digitally signed. You
can disable this requirement, but we strongly discourage it.

A digital signature does not change driver functionality; it only confirms that the device driver was not
modified. Remember that 64-bit versions of Windows 8.1 require 64-bit drivers, and they cannot use
32-bit drivers (and vice versa).
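An added example (not part of the course text) that audits the signing requirement described in the note: it lists installed Plug and Play drivers that Windows does not record as signed, and reads the boot configuration to show whether test-signing or kernel integrity checks have been altered, which is how the requirement would have been disabled. It assumes an elevated session and English bcdedit output; Win32_PnPSignedDriver and bcdedit are standard components.

```powershell
# Added example; not part of the course text. Run from an elevated PowerShell session.
function Get-DriverSigningReport {
    # Win32_PnPSignedDriver records the signing state captured when each driver package
    # (INF plus catalog) was installed, so catalog-signed in-box drivers show as signed.
    $drivers  = Get-CimInstance -ClassName Win32_PnPSignedDriver
    $unsigned = $drivers |
        Where-Object { $_.DeviceName -and -not $_.IsSigned } |
        Select-Object DeviceName, InfName, DriverProviderName, DriverVersion

    # bcdedit prints "testsigning Yes" / "nointegritychecks Yes" only when those
    # boot options have been turned on; the parsing assumes English output.
    $bcd = & bcdedit /enum '{current}' 2>$null
    $bcdReadable = ($LASTEXITCODE -eq 0)
    $testSigning = [bool]($bcd | Where-Object { $_ -match '^\s*testsigning\s+Yes' })
    $noIntegrity = [bool]($bcd | Where-Object { $_ -match '^\s*nointegritychecks\s+Yes' })

    [pscustomobject]@{
        DriversChecked          = @($drivers).Count
        UnsignedDrivers         = @($unsigned)
        BootConfigReadable      = $bcdReadable      # $false usually means "not elevated"
        TestSigningEnabled      = $testSigning
        IntegrityChecksDisabled = $noIntegrity
    }
}

# Usage: summary first, then the unsigned drivers (if any) as a table.
$report = Get-DriverSigningReport
$report | Select-Object DriversChecked, BootConfigReadable, TestSigningEnabled, IntegrityChecksDisabled | Format-List
$report.UnsignedDrivers | Format-Table -AutoSize
```

A non-empty UnsignedDrivers list, or TestSigningEnabled / IntegrityChecksDisabled reporting True, indicates a computer where the requirement described above is not being enforced and should be reviewed before deployment.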

Checking Hardware Compatibility


The Windows 8.1 setup process automatically checks the installation computer for device and driver
compatibility. However, when an organization deploys multiple installations of Windows 8.1 at once, it is
a best practice to ensure that the hardware for those computers is compatible with Windows 8.1.
Confirming hardware compatibility enables a smoother installation process.

Windows Compatibility Center for Windows 8.1

The Windows Compatibility Center for Windows 8.1 website provides information about Windows 8.1
program and device compatibility. The website contains a catalog of programs and devices, and pertinent
compatibility information, including:

Device maker and model

Links to more information about the device

Compatibility status

Available driver versions (32-bit or 64-bit)

The Windows Compatibility Center for Windows 8.1 website also enables community interaction, where
users can provide feedback for devices to confirm compatibility.
Windows Compatibility Center
http://go.microsoft.com/fwlink/?LinkId=266551&clcid=0x409
Question: Can you use a device driver from a 64-bit version of Windows 8 with a 32-bit
version of Windows 8.1?

Common Application Compatibility Issues


An application written for a specific operating system can cause problems for several reasons when you
install it on a computer with a different operating system. Generally, applications and hardware that
work on Windows 7 will continue to work on Windows 8.1. To troubleshoot and address any
compatibility issues effectively, it is important to be aware of the general areas that typically cause the
most issues.

Setup and Installation of Applications

During application setup and installation, an app might try to copy files and shortcuts to folders that
existed in a previous Windows operating system, but no longer exist in Windows 8.1. This can prevent
the app from installing properly or even installing at all.

UAC

User Account Control (UAC) adds security to the Windows operating system by controlling
administrator-level access to a computer and by restricting most users to run as standard users. When
users attempt to launch an app that requires administrative permissions, the system prompts them to
confirm their consent to do so.


UAC also limits the context in which a process executes to minimize the ability of users to expose their
computer to viruses or other malware inadvertently. This change affects any application installer or
update that requires administrator permissions to run, that performs unnecessary administrator checks or
actions, or that attempts to write to a non-virtualized registry location.
However, UAC might cause the following compatibility issues:

Custom installers, uninstallers, and updaters might not be detected and elevated to run as
administrator.

Standard user apps that require administrative privileges to perform their tasks might fail or might
not make this task available to standard users.

Apps that attempt to perform tasks for which the current user does not have the necessary
permissions might fail. How the failure manifests itself depends on how the app was written.

Control Panel apps that perform administrative tasks and make global changes might not function
properly and might fail.

Dynamic-link library (DLL) apps that run by using RunDLL32.exe might not function properly if they
perform global operations.

Standard user apps writing to global locations will redirect to per-user locations through
virtualization.
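The last item above (redirection of global writes to per-user locations) leaves evidence that can be used to find legacy apps before deployment. The following added example, not part of the course text, reads the documented UAC virtualization targets (the VirtualStore folder under the local app data folder and HKCU\Software\Classes\VirtualStore) and groups redirected files by application folder; the -LocalAppData parameter is the example's own.

```powershell
# Added example; not part of the course text. Read-only: it lists what UAC virtualization
# has already redirected for the current user and changes nothing.
function Get-UacVirtualizationReport {
    param(
        # Hypothetical parameter: the profile's local app data folder.
        [string]$LocalAppData = $env:LOCALAPPDATA
    )
    $fileStore = Join-Path $LocalAppData 'VirtualStore'
    $regStore  = 'HKCU:\Software\Classes\VirtualStore'

    $files = @()
    if (Test-Path $fileStore) {
        # Each redirected file keeps its intended path below VirtualStore, for example
        # ...\VirtualStore\Program Files\SomeApp\settings.ini was meant for C:\Program Files\SomeApp.
        $files = Get-ChildItem -Path $fileStore -Recurse -File -ErrorAction SilentlyContinue |
            Select-Object @{ n = 'IntendedPath'; e = { "$env:SystemDrive\" + $_.FullName.Substring($fileStore.Length + 1) } },
                          LastWriteTime
    }

    $keys = @()
    if (Test-Path $regStore) {
        # Redirected HKLM writes appear as HKCU\...\VirtualStore\MACHINE\SOFTWARE\...
        $keys = Get-ChildItem -Path $regStore -Recurse -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty Name
    }

    # Group by the first two path components below the drive (e.g. C:\Program Files\SomeApp)
    # so each legacy app that relies on virtualization stands out.
    $byApp = $files |
        Group-Object -Property { ($_.IntendedPath -split '\\')[0..2] -join '\' } |
        Select-Object @{ n = 'AppFolder'; e = { $_.Name } }, Count

    [pscustomobject]@{
        RedirectedFiles        = @($files)
        RedirectedFilesByApp   = @($byApp)
        RedirectedRegistryKeys = @($keys)
    }
}

# Usage: show which application folders have redirected writes.
$report = Get-UacVirtualizationReport
$report.RedirectedFilesByApp | Format-Table -AutoSize
```

An app that appears in this report is writing to a global location and will depend on virtualization continuing to work, so it is a candidate for the mitigation methods discussed later in this lesson.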

WRP

Windows Resource Protection (WRP) protects Windows resources such as files, folders, and registry keys in
a read-only state. This affects specific files, folders, and registry keys only. WRP limits updates to protected
resources to the trusted operating system installers, such as Windows Servicing. This enables better
protection for components and apps that ship with the operating system from the impact of other apps
and administrators. However, WRP might cause the following compatibility issues:

Application installers that attempt to replace, modify, or delete operating system files or registry
keys that WRP protects might fail with an error message that indicates that the resource cannot be
updated. This is because access to these resources is denied.

Applications that attempt to write new registry keys or values to protected registry keys might fail
with an error message that indicates that the change failed because access was denied.

Applications that attempt to write to protected resources might fail if they rely on registry keys or
values.

64-Bit Architecture

All Windows 8.1 editions are available as 32-bit and 64-bit versions. The 64-bit version of Windows 8.1
can run all 32-bit apps with the help of the Windows 32-bit on Windows 64-bit subsystem. Considerations
for the 64-bit Windows 8.1 include:

Apps or components that use 16-bit executable files, 16-bit installers, or 32-bit kernel drivers will fail
to start or will function improperly on a 64-bit version of Windows 8.1.

Installation of 32-bit kernel drivers will fail on the 64-bit system. If an installer manually adds a driver
by editing the registry, the system will not load this driver, and this can cause a system failure.

Installation of 64-bit unsigned drivers will fail on the 64-bit system. If an installer manually adds a
driver by editing the registry, the system will not load the driver during load time if it is not signed.

WFP

Windows Filtering Platform (WFP) is an application programming interface (API) that enables developers
to create code that interacts with the filtering that occurs at several layers in the networking stack and
throughout the operating system. If you are using a previous version of this API in your environment, you
might experience failures when running security-class apps, such as network scanning, antivirus programs,
or firewall apps.

Operating System Version Changes

The operating system version number changes with each operating system release. For Windows 7, the
internal version number is 6.1; for Windows 8, the internal version is 6.2; for Windows 8.1, the internal
version is 6.3. The GetVersion function returns this value when it is queried by an app. This change affects
any app or application installer that specifically checks for the operating system version, and this change
might prevent the installation from occurring or the app from running.

Kernel-Mode Drivers

Kernel-mode drivers must support the Windows 8.1 operating system or be redesigned to follow the
User-Mode Driver Framework (UMDF). UMDF is a device driver development platform that the Windows
operating system uses.

Deprecated Components

Windows 8.1 does not include several deprecated APIs and DLLs that were available in the legacy
Windows XP and Windows Vista operating systems. Windows 8.1 also uses credential provider
framework and service isolation, which was not available in legacy Windows operating systems. Apps
that use deprecated APIs, DLLs, old credential providers, or do not support service isolation will have
compatibility issues in Windows 8.1. Some of these apps will have reduced functionality, and some might
fail to start.
Application Compatibility
http://go.microsoft.com/fwlink/?LinkID=378172&clcid=0x409
Question: Can you run a program that was developed for Windows XP on Windows 8.1?

Methods for Mitigating Common Application Compatibility Issues


You can use the Application Compatibility Toolkit (ACT) to determine if your applications are
compatible with Windows 8.1. ACT also helps you determine how an update to a new version will affect
your applications. You can use ACT features to:

Verify the compatibility of your application, device, and computer with a new version of the Windows
operating system.

Verify the compatibility of a Windows update.

Become involved in the ACT community and share your risk assessment with other ACT users.

Test your web applications and websites for compatibility with new releases and security updates to
Internet Explorer.

Mitigating an application compatibility issue typically depends on various factors, such as the type of
application and the current support for an application.

Mitigation Methods
Some of the more common mitigation methods include the following:


Modifying the configuration of an existing application. Compatibility issues might require a
modification to an application configuration, such as moving files to different folders, modifying
registry entries, or changing file or folder permissions. You can use tools such as Compatibility
Administrator to detect and create application fixes, called shims, to address compatibility issues.
Contact software vendors for information about any additional compatibility solutions.

Applying updates or service packs to an application. Updates or service packs might be available to
address many compatibility issues, and they help an application to run on a new operating system
environment. After applying an update or service pack, additional application tests can ensure that
compatibility issues have been mitigated.

Upgrading an application to a compatible version. If a newer, compatible version of an application
exists, the best long-term mitigation is to upgrade to the newer version. By using this approach, you
must consider both the cost of the upgrade and any potential problems that might arise with having
two different versions of an application.

Modifying the security configuration. If your compatibility issues appear to be permissions-related, a
short-term solution is to modify the security configuration of an application. By using this approach,
you must conduct a full risk analysis and gain consensus from your organization's security team
regarding the modifications. For example, you can mitigate Internet Explorer Protected Mode by
adding a site to the trusted site list.

Running an application in a virtualized environment. If all other methods are unavailable, you might
be able to run an application in an older version of the Windows operating system by using
virtualization tools such as Client Hyper-V.

Using application compatibility features. You can mitigate application issues, such as operating
system versioning, by running an application in compatibility mode. You can access this mode by
right-clicking the shortcut or .exe file and then selecting compatibility mode from the Compatibility
tab.

Selecting another application that performs the same business function. If another compatible
application is available, consider switching to it. When using this approach, you must consider both
the cost of the application and the cost of employee support and training.
Windows Assessment and Deployment Kit (Windows ADK) for Windows 8.1
http://go.microsoft.com/fwlink/?LinkId=378203&clcid=0x409
Application Compatibility Toolkit (ACT) Technical Reference
http://go.microsoft.com/fwlink/?LinkId=378204&clcid=0x409

Lesson 2

Installing Windows 8.1


Although you can perform a Windows 8.1 installation by using a number of different methods, the
image-based nature of the installation process and the desired result (a properly functioning
Windows 8.1 computer) remain consistent, regardless of the method. Determining which method to use
and how to best implement that method are important parts of the planning process for a Windows 8.1
installation. This lesson will help you analyze the reasons behind using certain methods, and it will help
you understand how you can implement those methods. Also, this lesson will introduce you to Windows
To Go and native boot virtual hard disk methods.

Lesson Objectives
After completing this lesson, you will be able to:

Explain the options for installing Windows 8.1.

Describe the methods for performing a clean installation.

Explain how to upgrade to Windows 8.1.

Identify the supported Windows 8.1 upgrade paths.

Explain how to migrate to Windows 8.1.

Describe Windows To Go.

Explain how to boot from a native boot virtual hard disk.

Options for Installing Windows 8.1


You can install Windows 8.1 in a number of different ways, including the following:

Clean installation. A clean installation of Windows 8.1 occurs when the hard disk on which you are
installing the Windows operating system contains no previous Windows installation, or when you erase
the disk prior to installation. To perform a clean installation on a computer without an operating
system, start the computer directly from the DVD. If the computer already has an operating system,
run Setup.exe to start the installation. You can run Setup.exe from the following sources:

o DVD

o Network share

o USB drive

You also can use an image to perform a clean installation.


Note: If you perform a clean installation on a hard disk partition that contains a
Windows operating system, the existing Windows files are moved to a \Windows.old directory.
This includes files in the Users and Program Files folders and the Windows directory.


Upgrade installation. Perform an upgrade, which also is known as an in-place upgrade, when you
want to replace an existing version of Windows with Windows 8.1, and you need to retain all user
applications, files, and settings. To perform an in-place upgrade to Windows 8.1, run the Windows 8.1
Setup.exe installation program, and then click Upgrade. You can run Setup.exe from the product
DVD or from a network share. During an in-place upgrade, the Windows 8.1 installation program
automatically retains all user settings, data, hardware device settings, apps, and other configuration
information. Always back up all of your important data before performing an upgrade.

Migration. You perform a migration when you have a computer that is already running Windows 7,
and you need to move files and settings from your old operating system (the source computer) to the
Windows 8.1 computer (the destination computer). Perform a migration by doing the following:
o Back up user settings and data

o Perform a clean installation

o Reinstall the apps

o Restore user settings and data

There are two migration scenarios: side-by-side, and wipe-and-load, which also is called refresh. In
side-by-side migration, the source computer and the destination computer are two different computers.
In wipe-and-load migration, the target computer and the source computer are the same. To perform
wipe-and-load migration, you perform a clean installation of Windows 8.1 on a computer that already
has an operating system by running the Windows 8.1 installation program, and then clicking Custom
(advanced).
You can perform an automated installation when you use any of the above installation methods in
combination with an automation tool, such as MDT, to make the installation more seamless or to remove
repetitive tasks from the installation process. Automated installations can take many forms, including
pushing premade images to computers by using an enterprise-level tool, such as MDT, Windows DS, and
Windows Assessment and Deployment Kit (ADK), or even by creating an answer file manually to provide
information directly to the installation process.
Question: What is the main difference between a clean installation of Windows 8.1 and
migration to Windows 8.1?

Methods for Performing a Clean Installation


The most common form of deployment in medium-size and large environments is a clean installation.
Clean installations involve deploying an operating system to new hardware that has no existing
operating system, or wiping an existing operating system and installing a new operating system.
Compared to performing an upgrade, a clean installation has some benefits and drawbacks, which are
outlined in the following table.

                      Benefits                          Drawbacks
Clean installation    Can be automated                  Existing apps are not retained
                      Quickest form of deployment       Must use a special procedure to retain
                      Supported in all scenarios        user state data
Upgrade               Existing data and apps are        Difficult to automate
                      retained                          Only supported in certain scenarios

You can perform a clean deployment of the Windows 8.1 operating system by using the following
methods:

Install from DVD. To use this method, the computer you are installing on must have a connected
optical drive. You can use the installation media provided with a retail copy of the operating system
or a copy of the installation media that is obtained from Microsoft Volume Licensing Services and
then written to optical media. You can use a customized image with optical media, but the size of the
image is constrained by the maximum amount of data that can be stored on a DVD. This installation
method is slower than installing from a USB device.

Install from USB. Retail versions of Windows 8.1 are available in this form. The drawback of this
method is that one USB device can only install the operating system on one computer at a time.
You can use customized images for this installation method. Installation from a USB device is quicker
than an installation from a DVD, but it requires you to modify BIOS or UEFI settings on the target
computer to allow boot from USB. You can perform an unattended installation if an unattended
installation file is located on the USB device.

Install from Windows DS. To use this method, you must deploy Windows DS and Dynamic Host
Configuration Protocol on Windows-based servers on the LAN. Another requirement is that target
computers must have a Pre-Boot Execution Environment (PXE) network card, or you must configure
a boot device to allow network communication. You can use this installation method with an
unattended installation file that is configured on a Windows DS server, with multiple operating
system images, and to deploy Windows 8.1 to multiple computers at once by using multicast.

Perform an image-based installation. You can use the Windows Preinstallation Environment (PE) to
start a computer and then use Deployment Image Servicing and Management (DISM) to apply the
Windows 8.1 image. You also can use deployment solutions such as MDT and Configuration Manager
to deploy Windows 8.1 and apps automatically across networks. By using MDT and Configuration
Manager, you can configure lite-touch installation (LTI) and ZTI. During the deployment, LTI requires
minimal user interaction, whereas ZTI requires no user interaction.

Install from a shared network folder. This method involves starting the computer by using
Windows PE and connecting to a copy of the installation files stored on a shared network folder. This
method is no longer commonly used because other methods are more efficient, such as installation
from USB devices, Windows DS, MDT, or Configuration Manager.

The method that you use to perform a clean installation depends on your organization's business
requirements. An organization that performs a small number of Windows 8.1 deployments that do not
require substantial customization should use the DVD or USB installation methods. An organization that
performs a large number of Windows 8.1 deployments should consider using MDT or Configuration
Manager.
Question: What happens with user settings, data, and installed apps if you perform a clean
installation of Windows 8.1 on a computer that has Windows 7 installed?

Upgrading to Windows 8.1


When you perform an upgrade installation of Windows 8.1, it replaces the existing version of the
Windows operating system, but it retains user settings and applications. When you use this method, you
directly upgrade computers that run older versions of the Windows operating system to Windows 8.1.
The Windows 8.1 installation program runs with minimal user interaction, and it automatically retains all
user settings, data, hardware device settings, applications, and other configuration information. You
also can specify additional settings by using unattended-setup answer files. All previously installed
applications remain installed. You typically perform an upgrade when you do not want to reinstall all of
your applications. Additionally, consider performing an upgrade when you:

Are upgrading from a recent version of the Windows operating system that has compatible
applications.

Do not have the storage space to store your user state.

Are not replacing existing computer hardware.

Plan to upgrade the Windows operating system on a few computers only.

Evaluating an Upgrade Scenario

In any potential upgrade scenario, there might be certain variables that favor an upgrade. However, there
also are disadvantages.
Advantages

Retains user settings, application settings, and files with no additional effort.

Preserves installed applications and typically does not require reinstallation of the applications.

Does not require additional storage space for migration files.

Impacts user productivity minimally and preserves user settings and data.

Provides a more simple setup process.

Disadvantages

Does not take advantage of the opportunity to start fresh with standardized reference configurations.

Preserved applications might not work correctly after upgrading from an older version of the Windows
operating system.

Remnant files or settings from an in-place upgrade might contribute to performance and security issues.

Does not allow Windows operating system edition changes.

Can be done only on supported operating systems.

Data Retention in a Windows 8.1 Upgrade

When you run an upgrade, Windows Setup automatically detects existing operating systems and their
potential for upgrade. Depending on the version of the operating system, you might see the following
options for retaining data from the previous version of the Windows operating system:

Windows settings. Windows settings such as your desktop background or Internet favorites and
history will be kept. Windows Setup does not move all settings.


Personal files. Anything that you save in the User folder is considered a personal file, such as the
Documents and Desktop folders.

Desktop apps. Some apps are compatible with Windows 8.1, and they will operate properly when
you install Windows 8.1. However, you may have to install some desktop apps after a Windows 8.1
installation finishes, so be sure to find the installation discs and installers for desktop apps that you
want to keep.

Nothing. Deletes everything and replaces your current version with a copy of Windows 8.1. Your
personal files will be moved to a Windows.old folder.

Upgrade Considerations
The following considerations might be critical in determining whether you choose to upgrade:

Amount of interaction. An upgrade does not require significant user interaction. You can use an
answer file to minimize user interaction and effort further when performing an upgrade.

State of user data. An upgrade does not require reinstallation of apps or any of the user settings, data,
hardware device settings, or other configuration information. However, you might have to reinstall
some apps after you perform an upgrade.

Note: You can perform an upgrade only if you run Setup.exe from the existing Windows
installation. You cannot perform an upgrade if you start a computer from Windows installation
media.
Question: Can you upgrade Windows 7 Pro to Windows 8.1 Pro if you start a computer from
Windows 8.1 DVD installation media?

Supported Windows 8.1 Upgrade Paths


Performing an upgrade to Windows 8.1 can save time and enable you to retain user and computer
settings from a previous version of the Windows operating system. However, the version of the Windows
operating system from which you are upgrading will dictate what options are available for the upgrade
process.

Windows 8.1 Upgrade Paths


The following table lists operating systems and upgrade path restrictions for upgrading to Windows 8.1.
Upgrading to
Windows 8.1

Keep Windows
settings, personal files,
and apps

Keep Windows settings


and personal files (data
and system settings)

Windows XP SP3

Keep personal files


only (data only)
Yes

Windows Vista SP2

Yes

Yes

Windows 7

Yes

Yes

Windows 8

Yes

Yes

Windows 8.1

Yes

Yes

Note: You cannot preserve Windows settings and apps if you perform a cross-language
installation of Windows 8.1.

Upgrade Paths for Windows Operating System Editions


You cannot upgrade previous versions of the Windows operating system that do not have the same
features as the edition of Windows 8.1 that you are installing. The following table lists upgrade
possibilities based on the editions of Windows 7 and Windows 8.1.
Windows 7 edition | Windows 8.1 | Windows 8.1 Pro | Windows 8.1 Enterprise
------------------|-----|-----|-----
Enterprise        |     |     | Yes
Ultimate          |     | Yes |
Professional      |     | Yes | Yes
Home Premium      | Yes | Yes |
Home Basic        | Yes | Yes |
Starter           | Yes | Yes |


Even though an upgrade path is supported, it does not necessarily mean that you should perform an
upgrade installation by following that path. You should evaluate considerations for both upgrades and
migrations.
Windows 8 and Windows 8.1 Upgrade Paths
http://go.microsoft.com/fwlink/?LinkId=378205&clcid=0x409
Question: Can you upgrade the 32-bit version of Windows 8 Pro to the 64-bit version of
Windows 8.1 Pro?

Migrating to Windows 8.1

When you install Windows 8.1 by using a migration scenario, you first perform a clean installation of Windows 8.1 and then migrate user settings and data from the older version of the Windows operating system to Windows 8.1. Depending on your business environment, you can use two migration scenarios: side-by-side migration and in-place migration. In an in-place migration, also known as a refresh computer scenario, the source computer and the destination computer are the same, whereas in a side-by-side migration the source computer and the destination computer are different. Both migration scenarios require a clean installation of Windows 8.1: when you migrate previous configurations from an old operating system, you are moving files and settings to a clean installation of Windows 8.1.

Evaluating a Migration Scenario

In any potential upgrade scenario, there might be variables that favor a migration instead. However, a migration also has disadvantages.

Advantages:

- Offers the opportunity to clean up existing workstations and to create more stable and secure desktop environments. A fresh start is a significant advantage when you are creating a managed environment.

- Avoids the performance degradation associated with an in-place upgrade, because no remnant files and settings are carried over.

- Allows the installation of any edition, regardless of which edition was running previously.

- Provides the opportunity to reconfigure hardware-level settings, such as disk partitioning, before installation.

- Prevents viruses, spyware, and other malicious software installed in the old operating system from being carried over to the new installation, because the system volume is rebuilt. Migrated user files can still carry malicious content, so scan the migration store or the restored profiles. You can then harden security settings by using Group Policy and security templates.

Disadvantages:

- Requires migration tools, such as Windows Easy Transfer or the User State Migration Tool (USMT), to save and restore user settings and data.

- Requires the reinstallation of applications.

- Requires storage space for the user settings and files that are migrated.

- Might affect user productivity, because applications and settings have to be reconfigured.

Steps for Performing a Migration

Typical steps in a migration scenario are:

1. Back up the computer's entire hard disk.

2. Save user settings and data for migration.

3. Perform a clean installation of Windows 8.1.

4. Reinstall applications.

5. Restore user settings and data.
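The five steps above, carried through for the in-place (refresh) case with a USMT hard-link store, as an added example that is not part of the course text. It wraps the ScanState and LoadState tools from the Windows ADK; the USMT folder C:\USMT\amd64, the store path C:\MigStore, and the log folder C:\MigLogs are assumptions, and the script must run from an elevated PowerShell session.

```powershell
# Added example (not from the course): in-place (refresh) migration with a
# USMT hard-link store. Assumptions: USMT from the Windows ADK is installed in
# C:\USMT\amd64, the hard-link store is C:\MigStore (it must be on the same
# volume as the user data), logs go to C:\MigLogs, and the script runs from
# an elevated PowerShell session.

$UsmtPath  = 'C:\USMT\amd64'
$StorePath = 'C:\MigStore'
$LogDir    = 'C:\MigLogs'

function Invoke-Usmt {
    # Runs ScanState.exe or LoadState.exe from the USMT folder (so that the
    # default MigApp.xml and MigDocs.xml resolve) and returns its exit code.
    # USMT signals failure only through the exit code: 0 means success.
    param(
        [Parameter(Mandatory)] [ValidateSet('scanstate.exe', 'loadstate.exe')] [string] $Tool,
        [Parameter(Mandatory)] [string[]] $Arguments
    )
    $exe = Join-Path $UsmtPath $Tool
    if (-not (Test-Path $exe)) { throw "USMT tool not found: $exe" }
    $proc = Start-Process -FilePath $exe -ArgumentList $Arguments -WorkingDirectory $UsmtPath -Wait -PassThru -NoNewWindow
    return $proc.ExitCode
}

function Save-UserState {
    # Step 2: capture user settings and data on the OLD operating system.
    # /hardlink with /nocompress leaves the files in place on the local disk
    # and records links to them, so no extra storage is needed and the
    # capture is fast. /o overwrites an existing store; /c continues past
    # non-fatal errors so that a single locked file does not abort the job.
    New-Item -ItemType Directory -Force -Path $LogDir | Out-Null
    $code = Invoke-Usmt -Tool 'scanstate.exe' -Arguments @(
        $StorePath, '/hardlink', '/nocompress', '/o', '/c',
        '/i:MigApp.xml', '/i:MigDocs.xml',
        "/l:$LogDir\scanstate.log", '/v:5'
    )
    if ($code -ne 0) { throw "ScanState failed with exit code $code; see $LogDir\scanstate.log" }
}

function Restore-UserState {
    # Step 5: restore the captured state on the NEW Windows 8.1 installation.
    # /lac creates migrated local accounts that do not yet exist; they remain
    # disabled until an administrator sets a password (/lae would enable them,
    # which is rarely wanted on a managed desktop).
    New-Item -ItemType Directory -Force -Path $LogDir | Out-Null
    $code = Invoke-Usmt -Tool 'loadstate.exe' -Arguments @(
        $StorePath, '/hardlink', '/nocompress', '/c',
        '/i:MigApp.xml', '/i:MigDocs.xml', '/lac',
        "/l:$LogDir\loadstate.log", '/v:5'
    )
    if ($code -ne 0) { throw "LoadState failed with exit code $code; see $LogDir\loadstate.log" }
}
```

Run Save-UserState on the old system (step 2), then install Windows 8.1 on the same volume without formatting it so that the hard-link store survives (step 3), reinstall applications (step 4), and run Restore-UserState (step 5). ScanState and LoadState report failure only through their exit code, which is why the script checks the process exit code rather than relying on exceptions.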

Migration Scenarios

When planning a migration, you have to determine how you will move existing data to the newly
deployed operating system. The method that you use depends on the tools and resources that you have.
In enterprise environments, you can use Configuration Manager to automate the migration process.
Migration strategies also depend on whether users will be moving to new computers, or whether they will
use existing computers with a new operating system. You can perform the following types of migration:

Side-by-side migration. In a side-by-side migration, data and settings are moved from the original
operating system on one computer to the destination operating system on another computer. In
most automated side-by-side migrations, migration data is transmitted across a network. You also can
transfer migration data by using removable storage devices, although this is only practical when the
migration is performed manually.

Wipe-and-load migration. In a wipe-and-load migration, migration data is captured and moved to a


location off of the computer, usually a network shared folder. After this, the source operating system
is wiped from the host. The destination operating system replaces the source operating system and
the migration data then is restored from the safe location.

Operating system refresh. This migration type is similar to a wipe-and-load migration. However, in
this type of migration, the source and destination operating systems are the same. You might perform
this type of migration when upgrading to a new operating system service pack, or if the original
operating system deployment suffers some type of corruption that makes a refresh operation more
practical than a manual attempt to resolve the fault.

Choosing When to Perform a Migration


Perform a migration when you:

Want a standardized environment for all users who are running a Windows operating system. A
migration takes advantage of a clean installation. A clean installation ensures that all of your systems
begin with the same configuration and that all applications, files, and settings are reset. With a
migration, you also can ensure that you retain user settings and data.

Have storage space to store the user state. Typically, you need storage space for the user state during a migration. USMT also supports hard-link migration, in which the user state stays on the local disk and no extra storage space is needed. Hard-link migration applies only to wipe-and-load (refresh) migrations on the same computer, and the volume that holds the store must not be formatted during the reinstallation.

Plan to keep existing computer hardware. If you do not plan to replace existing computers, you still
can perform a migration by performing a wipe-and-load migration.

Windows 8.1 also includes built-in functions that allow a refresh of the operating system. These are called
Reset your PC and Refresh your PC. PC refresh keeps all personal data and Windows Store apps, but you
must reinstall other software. PC reset returns an operating system to its original state, removing any
installed applications, settings, and user data. PC refresh and PC reset must be performed locally. If you
wanted to perform an operating system refresh across multiple computers, you would automate the task
with Configuration Manager.
Question: You have a user who wants to upgrade a Windows XP computer to Windows 8.1.
The computer meets all of the hardware requirements for Windows 8.1. The user wants to
retain all of the existing user settings and applications. The user has no time-related
requirements and can be without the computer while you install Windows 8.1. How should
you perform the Windows 8.1 installation?

What Is Windows To Go?


Windows To Go is a special deployment option that is available in the Windows 8.1 Enterprise edition. You can use Windows To Go to deploy the Windows 8.1 Enterprise edition to a specially prepared USB storage device. You then can use this USB storage device to start any compatible computer. When a Windows To Go device starts on a new computer, the boot process detects the computer's hardware and installs appropriate drivers. When the same Windows To Go device is used to start the same computer again, the appropriate drivers are loaded automatically and Windows To Go starts normally. Windows To Go can store the hardware configurations of multiple computers.

Windows To Go Restrictions

Windows To Go functions in a way that is very similar to a traditional Windows 8.1 desktop deployment.
But because Windows To Go runs from a USB storage device, which has less storage and can be removed
while the computer is running, it has several restrictions when compared with a traditional Windows 8.1
desktop deployment:

By default, sleep and hibernation are disabled in Windows To Go. Though it is possible to enable this
functionality by configuring Group Policy, this can lead to data corruption.

Fixed internal disks on the host computer are offline. This is a security measure to ensure that third
parties do not gain access to files on the host computers file system, and that locally stored files are
not unintentionally modified when starting computers by using Windows To Go. If you need to, you
can use Disk Management to put locally attached disks online.

BitLocker protects a Windows To Go drive with a startup password rather than a TPM protector, because the drive is used across multiple computers and a TPM is bound to a single one.

Windows Recovery Environment (RE) and push-button reset are disabled because Windows To Go
does not include a recovery image.

Only Windows 8.1 Enterprise edition is licensed to be installed on Windows To Go devices.

A USB storage device prepared with an x86 version of Windows To Go can be used with a computer
with an x86 or an x64 processor.

A USB storage device prepared with an x64 version of Windows To Go can be used only with a computer that has an x64-compatible processor.

Windows RT devices cannot be used with Windows To Go.

The Windows Store is disabled by default in Windows To Go.

The USB storage device with the Windows To Go deployment can be removed from a running computer for up to 60 seconds; Windows pauses while it is disconnected. If the device is not reconnected within that time, the computer shuts down.

Windows To Go Requirements

Windows To Go only works with specific USB storage devices that are certified by Microsoft. One of the
requirements for Windows To Go is that the operating system recognizes the USB device as a fixed disk.
You create Windows To Go devices by using the Windows To Go Wizard. This wizard is only available on
computers that are running the Enterprise edition of Windows 8.1. You can start a computer from a
Windows To Go device if it is connected to a USB 2.0 or USB 3.0 port.

Comparing Windows To Go and Traditional Windows 8.1 Deployments

Windows To Go and traditional deployments differ in several ways, and both methods have their benefits
and drawbacks. Some of the key differences are as follows:

- To use Windows To Go, you must configure a computer to boot from a USB device. Enabling boot from USB is a security risk in itself, because anyone who can start a computer from removable media can read its volumes unless they are protected by a technology such as BitLocker. Organizations should be wary of allowing non-administrative users to boot from USB devices, and should protect the firmware boot configuration with a password.

- In a traditional deployment, BitLocker can be configured to use a TPM, which releases the volume key only when the measured boot components are unchanged. Windows To Go cannot use a TPM, because the drive moves between computers, and supports only a password protector. The boot environment on the drive is therefore not measured and could be modified by malicious software or by someone with physical access to the drive.

- On Windows To Go, the Windows Store is disabled by default. You can change this by editing the Allow Store to install apps on Windows To Go workspaces policy setting, located in the Computer Configuration\Administrative Templates\Windows Components\Store node of the Group Policy Management Editor window. Windows Store is enabled by default on a traditionally deployed Windows 8.1 computer.

- Sleep and hibernation are disabled by default in Windows To Go and enabled on traditionally deployed Windows 8.1 systems. If a user accidentally leaves his or her Windows To Go device in a running computer, the computer will not shut down.

- In a traditional installation, data is stored locally on hard disks. In Windows To Go, data is stored on a USB device. USB devices are more likely to fail, which means that local data is more likely to be lost. Users also are more likely to misplace a USB device than a portable computer.

- Windows To Go allows users to take their apps and data with them. As long as they have compatible hardware, they can access their apps and data.

- Windows To Go assists Information Technology (IT) departments that want to allow users to use their own devices, but also want to ensure that only securely managed operating systems can interact with sensitive services on a network.
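A check for the points above, as an added example that is not part of the course text: run from an elevated PowerShell session inside a Windows To Go workspace, it reports whether an internal disk has been brought online, whether the system volume is protected by BitLocker with a password protector, and whether sleep or hibernation has been re-enabled. It uses only cmdlets and tools that ship with Windows 8.1 (Get-CimInstance, Get-Disk, Get-BitLockerVolume, powercfg.exe); the parsing of the powercfg output assumes the English-language messages.

```powershell
# Added example (not from the course): audit a running Windows To Go
# workspace against the restrictions listed above. Run from an elevated
# PowerShell session on the workspace. Assumption: powercfg.exe prints its
# English-language messages.

function Test-WindowsToGoPosture {
    $findings = New-Object 'System.Collections.Generic.List[string]'

    # Win32_OperatingSystem.PortableOperatingSystem is True when Windows was
    # started from a Windows To Go workspace.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    if (-not $os.PortableOperatingSystem) {
        $findings.Add('Not running from a Windows To Go workspace; remaining checks are informational.')
    }

    # Fixed internal disks must stay offline. An internal disk that is online
    # was brought online by hand, and the host's file system is now reachable.
    Get-Disk |
        Where-Object { $_.BusType -ne 'USB' -and -not $_.IsBoot -and $_.OperationalStatus -eq 'Online' } |
        ForEach-Object {
            $findings.Add("Internal disk $($_.Number) ($($_.FriendlyName)) is online; host data is exposed.")
        }

    # A Windows To Go drive can be lost or stolen. BitLocker cannot bind to a
    # TPM here, so a password protector on the system volume is the minimum.
    $sysVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    if ($sysVol.ProtectionStatus -ne 'On') {
        $findings.Add("BitLocker protection is not on for $($env:SystemDrive).")
    } elseif (@($sysVol.KeyProtector.KeyProtectorType) -notcontains 'Password') {
        $findings.Add("BitLocker on $($env:SystemDrive) has no password protector; protectors: $($sysVol.KeyProtector.KeyProtectorType -join ', ')")
    }

    # Sleep and hibernation are off by default; if policy re-enabled them, a
    # hibernation file on the USB drive can be corrupted when the drive is
    # pulled, or read on another machine. powercfg /a lists the available
    # states first, then the ones that are not available.
    $text = (& powercfg.exe /a) -join "`n"
    $available = ($text -split 'not available')[0]
    if ($available -match 'Standby|Hibernate') {
        $findings.Add('Sleep or hibernation is available; check the Windows To Go power policies.')
    }

    return $findings
}

Test-WindowsToGoPosture | ForEach-Object { Write-Output "FINDING: $_" }
```

An empty result means none of the three conditions was found. The internal-disk check deliberately excludes the boot disk (the USB drive itself) and relies on the bus type, so a USB-attached external disk that a user mounted is not reported; extend the filter if your policy also forbids that.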

Note: A computer must be compatible with Windows 8.1 if you want to use it with
Windows To Go.
Windows To Go: Feature Overview
http://go.microsoft.com/fwlink/?LinkId=378206&clcid=0x409
Question: When would you use Windows To Go in your company?

Booting from a Native Boot Virtual Hard Disk


You can configure Windows 8.1 Pro and Enterprise editions for native boot from a virtual hard disk, which can have a .vhd or .vhdx extension. You can configure a computer to start from a single virtual hard disk or from several different virtual hard disks. Booting from a virtual hard disk is advantageous compared to configuring a traditional dual boot because it is not necessary to create a new volume when deploying an additional operating system. You can configure a computer to boot between multiple virtual hard disk files stored on the same volume.

Planning for Virtual Hard Disk with Native Boot

Configuring a virtual hard disk with native boot includes creating and preparing the virtual hard disk, installing or applying a Windows image, adding the virtual hard disk native boot option to the startup menu, and restarting the computer. You can create a virtual hard disk by using Disk Management or Diskpart.exe. Deploy Windows images by using Dism.exe, and add the boot option by using Bcdboot.exe. Some of the main points to consider when planning for virtual hard disk with native boot are volume size, deployment options, and operating systems that can be used for native boot.

Volume size

You must configure a virtual hard disk to have a smaller maximum size than the volume that hosts
the virtual hard disk. For example, if you have a 200-GB volume and a virtual hard disk that represents
a 500-GB volume, the computer will be unable to boot, even if the virtual hard disk only consumes
100 GB of the possible 500 GB. Multiple virtual hard disk files can reside on the same volume, although
it is necessary to keep volume size restrictions in mind when placing more than one virtual hard disk on
a volume. For example, you can create a 15-GB virtual hard disk, create a simple volume, and format it by
running the following commands:
diskpart
create vdisk file=C:\windows81.vhdx maximum=15000 type=fixed
select vdisk file=C:\windows81.vhdx
attach vdisk
create partition primary
assign letter=F
format quick
exit

Deployment options

You can deploy a virtual hard disk to a new computer in a preconfigured state, with apps already
installed and operating system settings already configured. You can copy a prepared virtual hard disk file
to a new computer and then configure the computer to boot from that virtual hard disk. You also can
configure Windows DS to deploy virtual hard disks as operating system images, just as you can configure
Windows DS to deploy operating system images in .wim file format. You can apply the first image from
the Install.wim file by running the following command:
Dism /Apply-Image /ImageFile:Install.wim /Index:1 /ApplyDir:F:\

Operating system

Computers that run Windows 8.1 Pro and Enterprise editions can use native boot from virtual hard disk.
After an image is applied to a virtual hard disk, you can add the native boot from virtual hard disk option
by running the following commands:
cd F:\Windows\System32
bcdboot F:\Windows

After you run these commands, the option for native boot is added to the startup menu, and you can
select it after you restart the computer.
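The procedure in the preceding three sections, from sizing to the boot entry, as one added PowerShell example that is not part of the course text. The media location E:\sources\install.wim, the file C:\VHD\win81.vhdx, and the free drive letter F are assumptions. It uses DiskPart, DISM, and BCDboot as the course does, and adds the size check that the Volume size section calls for before the virtual hard disk is created.

```powershell
# Added example (not from the course): create a fixed-size VHDX, verify it
# fits on the host volume, apply an install.wim image to it, and add the
# native boot entry. Assumptions: the Windows 8.1 media is at E:, the VHDX is
# C:\VHD\win81.vhdx, and F is a free drive letter. Run elevated. Client
# Hyper-V is not required: DiskPart, DISM, and BCDboot do all the work.

$VhdPath   = 'C:\VHD\win81.vhdx'
$VhdSizeMB = 15000                       # DiskPart 'maximum=' is in MB
$ImageFile = 'E:\sources\install.wim'
$ImageIdx  = 1
$Letter    = 'F'

function Test-VhdFitsHostVolume {
    # Native boot fails if the VHD's MAXIMUM size is not smaller than the host
    # volume, even when the file itself is small, so check before creating it.
    param([string] $Path, [int] $SizeMB)
    $hostLetter = [System.IO.Path]::GetPathRoot($Path).Substring(0, 1)
    $hostMB = [math]::Floor((Get-Volume -DriveLetter $hostLetter).Size / 1MB)
    return ($SizeMB -lt $hostMB)
}

function Invoke-DiskPart {
    # Feeds a script to DiskPart on standard input and fails on a non-zero exit.
    param([string] $Script)
    $Script | & diskpart.exe | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "DiskPart failed with exit code $LASTEXITCODE" }
}

function New-NativeBootVhd {
    New-Item -ItemType Directory -Force -Path (Split-Path $VhdPath -Parent) | Out-Null
    if (-not (Test-VhdFitsHostVolume -Path $VhdPath -SizeMB $VhdSizeMB)) {
        throw "Maximum size $VhdSizeMB MB is not smaller than the host volume; native boot would fail."
    }

    # Same DiskPart steps as the course text; 'type=fixed' avoids the failure
    # mode where a dynamically expanding VHD runs the host volume out of space
    # while the system is starting.
    Invoke-DiskPart @"
create vdisk file=$VhdPath maximum=$VhdSizeMB type=fixed
select vdisk file=$VhdPath
attach vdisk
create partition primary
assign letter=$Letter
format fs=ntfs quick
exit
"@

    # Apply the image, then let BCDboot copy the boot files and add a BCD
    # entry for the VHD. /d keeps the existing default entry so that the
    # current installation still boots first.
    & dism.exe /Apply-Image "/ImageFile:$ImageFile" "/Index:$ImageIdx" "/ApplyDir:${Letter}:\"
    if ($LASTEXITCODE -ne 0) { throw "DISM failed with exit code $LASTEXITCODE" }
    & bcdboot.exe "${Letter}:\Windows" /d
    if ($LASTEXITCODE -ne 0) { throw "BCDboot failed with exit code $LASTEXITCODE" }

    # Detach so the file is not held open; the boot manager attaches it itself.
    Invoke-DiskPart "select vdisk file=$VhdPath`ndetach vdisk`nexit"

    # The new entry shows device 'vhd=[C:]\VHD\win81.vhdx'.
    & bcdedit.exe /enum osloader
}

New-NativeBootVhd
```

The three native tools report errors only through exit codes, so each step checks $LASTEXITCODE before the next one runs; a half-finished VHD with no boot entry is otherwise easy to miss. Because the host volume must be able to hold the fully expanded file, the size check compares the maximum size, not the current file size, which is the point the Volume size section makes.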
Deploy Windows on a Virtual Hard Disk with Native Boot
http://go.microsoft.com/fwlink/?LinkId=378207&clcid=0x409
Question: Do you need to enable the Client Hyper-V feature if you want to use native boot
from a virtual hard disk that contains Windows 8.1 Pro?

Lab A: Installing Windows 8.1


Scenario

A. Datum Corporation is considering the use of Windows 8.1 as its client operating system. You have been
provided with a testing environment and asked to install Windows 8.1 to evaluate the new environment.
For the initial installation on a single computer, you will use default Windows 8.1 DVD media.

Objectives
After completing this lab, you will be able to:

Plan to install Windows 8.1.

Perform a clean installation of Windows 8.1.

Lab Setup
Estimated Time: 30 minutes
Virtual machine: 20687D-LON-REF1
User name: Adatum\Administrator
Password: Pa$$w0rd

Only LON-REF1 is used for this lab. You do not need to sign in to any virtual machine to perform this lab.

Exercise 1: Planning to Install Windows 8.1


Scenario
Prior to installing Windows 8.1, establish an installation plan by reading the request.
A. Datum Wireless Network Requirements
Document reference: HD-02-05-13
Document author

Holly Dickson

Date

Dec. 2, 2013

Requirements Overview
A. Datum Corporation wants to create a test environment for a new app that was developed internally.
Ideally, we would like to be able to test the app on several different operating systems, but we have
been provided with only one system. We have been told that Windows 8.1 supports the same
virtualization as the servers in our production environment with Hyper-V, so maybe we could do it that
way? We also need to be able to create Windows To Go USB flash drive media.
The computer that we have been given has a quad-core, 2-GHz processor and 4 GB of RAM. The
processor supports Intel VT. It also has a 320-GB hard drive and a 512-megabyte (MB) graphics
processing unit (GPU).
The computer should be prepared for the Development team as soon as possible.
The main tasks for this exercise are as follows:

1. Determine whether the customer's computer meets the minimum requirements for Windows 8.1.

2. Select the appropriate Windows operating system edition to install on LON-REF1.

Task 1: Determine whether the customer's computer meets the minimum requirements for Windows 8.1

Answer the following questions.

1. Does the customer's computer meet the minimum system requirements for Windows 8.1 in the following areas?
   a. Processor
   b. RAM
   c. Hard-disk space
   d. GPU

2. Does the customer's computer meet the requirements for the following feature?
   o Client Hyper-V

Task 2: Select the appropriate Windows operating system edition to install on LON-REF1

Given the hardware that you are using and the features that you require, which edition and version of
Windows 8.1 should you install on LON-REF1?

Results: After completing this exercise, you should have evaluated the installation environment and then
selected the appropriate Windows operating system edition to install.

Exercise 2: Performing a Clean Installation of Windows 8.1


Scenario

You have confirmed that LON-REF1 meets the installation requirements for Windows 8.1. Your next step is
to install the Windows 8.1 operating system on LON-REF1 and to confirm the success of the installation.
The main tasks for this exercise are as follows:

1. Attach the Windows 8.1 DVD image file to LON-REF1.

2. Install Windows 8.1 on LON-REF1.

3. Confirm the successful installation of Windows 8.1 on LON-REF1.

Task 1: Attach the Windows 8.1 DVD image file to LON-REF1

1. Open the Hyper-V Manager console on the host computer, and then open the Settings page for 20687D-LON-REF1.

2. On the Settings page, click DVD Drive, and then attach the image file located at D:\Program Files\Microsoft Learning\20687\Drives\Win81Ent_EVAL.iso.

Task 2: Install Windows 8.1 on LON-REF1

1. Start the 20687D-LON-REF1 virtual machine. When the Windows Setup screen appears, select the appropriate regional settings, and then click Next.

2. Perform the installation of Windows 8.1 by using the following information:
   o Installation type: Custom
   o Location: Drive 0
   o PC name: LON-REF1
   o Settings: Express settings
   o Account: Local account
   o User name: User
   o Password: Pa$$w0rd

Task 3: Confirm the successful installation of Windows 8.1 on LON-REF1

1. Confirm that the Windows 8.1 Start screen appears. Open System Properties, and verify that:
   o Windows 8.1 Enterprise Evaluation is installed
   o The computer name is LON-REF1
   o The computer is a member of a workgroup

2. Sign out.


Results: After completing this exercise, you should have performed a clean installation of Windows 8.1.

Prepare for the next lab


When you are finished with the lab, revert all virtual machines back to their initial state:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20687D-LON-REF1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

Lesson 3

Customizing and Preparing a Windows 8.1 Image for Deployment


The Windows 8.1 installation process is designed to be as fast and efficient as possible. However, installing
Windows 8.1 on multiple computers can be a time-consuming process if you do it manually on each
computer.
To expedite Windows 8.1 installation on multiple computers, or to standardize the Windows 8.1
installation process, Windows 8.1 deployment can be customized and automated. This lesson will
introduce you to the various tools and technologies that you can use to manage and automate
installation of Windows 8.1.

Lesson Objectives
After completing this lesson, you will be able to:

Describe the Windows image file format.

Describe tools for performing an image-based installation.

Explain the image-based installation process.

Describe how to use answer files to automate an installation process.

Build an answer file by using Windows System Image Manager (SIM).

Explain how to prepare a reference installation by using the System Preparation Tool (Sysprep).

Describe Windows PE.

Create bootable Windows PE media.

Explain how to use DISM to capture and apply an installation image.

Explain how to modify and maintain Windows images.

The Windows Image File Format


The Windows Image file format is a public, file-based disk image format that was developed by Microsoft. Windows image files are compressed packages that can contain several related files. All Windows 8.1 installations use the .wim file format. When installing Windows 8.1, you apply an image to the hard disk. This process occurs at a file level instead of at a hard-disk sector level.

Windows Image File Structure


A Windows image file structure contains up to six
types of resources:

- Header. Defines the Windows image file content, such as the memory location of key resources (metadata resource, lookup table, and XML data), and the Windows image file attributes (version, size, and compression type).

- File Resource. A series of packages that contain captured data, such as source files.

- Metadata Resource. Stores information on how captured data is organized in the Windows image file, including directory structure and file attributes. There is one metadata resource for each image in a Windows image file.

- Lookup Table. Contains the memory location of resource files in the Windows image file.

- XML Data. Contains additional miscellaneous data about the Windows image, such as directory and file counts, total bytes, creation and modification times, and description information.

- Integrity Table. Contains security hash information that is used to verify the integrity of the image during an apply operation. It is created when you capture the image with the DISM /CheckIntegrity option (the /check switch of the older ImageX tool). These hashes detect corruption, not tampering: anyone who can modify the .wim file can also regenerate the table, so protect image stores with access control and verify a separately stored hash or signature before deployment.

Benefits of the .wim File Format

The .wim file format addresses many challenges found in other imaging formats. The benefits of the .wim
file format include the following:

A single Windows image file can address many hardware configurations. The .wim file format does
not require the destination hardware to match the source hardware. This helps you reduce the
number of images tremendously, and you have the advantage of only having one image to address
the many hardware configurations.

A Windows image file can store multiple images in a single file. This is useful because you can store
images with or without core apps in a single image file. Another benefit is that you can mark one of
the images as bootable, which allows you to start a machine from a disk image that a Windows image
file contains.

The .wim file format enables compression and single instancing. This reduces the size of image files
significantly. Single instancing is a technique that enables multiple images to share a single copy of
files that are common between the instances.

The .wim file format enables you to service an image offline. You can add or remove certain
operating system elements, files, updates, and drivers without creating a new image. For example,
to add an update to a Windows XP image, you must deploy and start the master image, install the
update, and then generalize and capture the image again. With Windows 8.1, you can mount an
image file and then perform an integrated installation of the update (also known as a slipstreamed
installation) into the image file without needing to deploy or recapture the master image.

The .wim file format enables you to install an image on a partition that is smaller, equal to, or larger
than the original partition that was captured, as long as the target partition has sufficient space to
store the image content. This is different from sector-based image formats that require you to deploy
a disk image to a partition that is the same size or larger than the source disk.

Windows 8.1 includes the DISM tool, Dism.exe, which you can use for capturing, managing, and
deploying Windows image files. It also includes the DISM Windows PowerShell module with cmdlets
for managing Windows image files. Developers can use an API for the .wim file format, called
WIMGAPI, to work with Windows image files.

The .wim file format allows for nondestructive image deployment. Nondestructive image deployment
means that you can leave data on the volume where you apply the image, because when the image is
applied, it does not delete the disks existing contents.

The .wim file format enables you to start Windows PE from a Windows image file. The Windows 8.1
setup process uses Windows PE. The Windows image file is loaded into a RAM disk and runs directly
from memory.
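To see the multi-image and single-instancing benefits in practice, the following added example (not part of the course text) lists the images in a .wim file and compares the sum of their logical sizes with the size of the file on disk, using the Get-WindowsImage cmdlet from the DISM module that ships with Windows 8.1. The path D:\images\install.wim is an assumption.

```powershell
# Added example (not from the course): enumerate the images in a .wim file
# and compare the sum of their logical sizes with the file's size on disk.
# Uses Get-WindowsImage from the DISM module that ships with Windows 8.1.
# Assumption: the image file is D:\images\install.wim.

Import-Module Dism

$WimPath = 'D:\images\install.wim'

function Get-WimSummary {
    param([Parameter(Mandatory)] [string] $Path)
    if (-not (Test-Path $Path)) { throw "Image file not found: $Path" }

    # Without -Index, Get-WindowsImage returns one object per image in the
    # file; ImageSize is the uncompressed size of that image's file tree.
    $images  = @(Get-WindowsImage -ImagePath $Path)
    $logical = ($images | Measure-Object -Property ImageSize -Sum).Sum
    $onDisk  = (Get-Item $Path).Length

    [pscustomobject]@{
        ImageCount   = $images.Count
        Images       = ($images | ForEach-Object { "$($_.ImageIndex): $($_.ImageName)" }) -join '; '
        LogicalBytes = $logical    # what the images would occupy if applied separately
        FileBytes    = $onDisk     # what is stored after single instancing and compression
        Ratio        = [math]::Round($logical / $onDisk, 2)
    }
}

function Get-WimImageDetail {
    # -Index returns the per-image metadata (edition, architecture, version,
    # timestamps) that the metadata resource and XML data described above hold.
    param([Parameter(Mandatory)] [string] $Path, [Parameter(Mandatory)] [int] $Index)
    Get-WindowsImage -ImagePath $Path -Index $Index |
        Select-Object ImageName, EditionId, Architecture, Version, ImageSize, CreatedTime, ModifiedTime
}

Get-WimSummary -Path $WimPath | Format-List
```

For a file that holds both the Windows 8.1 and Windows 8.1 Pro images, Ratio is well above what compression alone gives, because the system files the two editions share are stored once. Get-WimImageDetail -Path $WimPath -Index 1 shows the metadata for a single image, which is what you check before choosing the /Index value for a DISM apply operation.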
Windows Imaging File Format (WIM)
http://go.microsoft.com/fwlink/?LinkId=378208&clcid=0x409

Windows Imaging File Format (WIM)
http://go.microsoft.com/fwlink/?LinkId=92227&clcid=0x409
Question: Why is the size of a single Windows image file that contains images of
Windows 8.1 and Windows 8.1 Pro considerably smaller than the combined size of two
Windows image files, where one contains a Windows 8.1 image and the other contains
a Windows 8.1 Pro image?

Tools for Performing an Image-Based Installation


You can use several tools and technologies to perform an image-based installation of Windows 8.1. The following list describes these tools and where to use them in deployment situations:

- Windows Setup (Setup.exe). This program installs the Windows operating system or upgrades previous versions of the Windows operating system. Windows Setup supports both interactive installations and unattended installations.

- Answer file. This XML file stores the answers for a series of GUI dialog boxes. The answer file for Windows Setup commonly is called Unattend.xml. You can create and modify this answer file by using Windows SIM. The Oobe.xml answer file is used to customize Windows Welcome, which starts after Windows Setup and during the first system startup.

- Catalog. This binary file (.clg) contains the state of the settings and packages in a Windows image. The catalog file is not required for a Windows operating system deployment, and it is not included on the Windows 8.1 DVD media. The catalog file is required if you want to create an answer file by using Windows SIM, and it can be created by using this tool.

- Windows ADK. Windows ADK is a collection of tools and documentation that you can use to automate the deployment of Windows operating systems and to assess deployed systems. Windows ADK tools are used in most Windows deployment scenarios and include the following:
   o Windows SIM. You can use this tool to create unattended installation answer files and distribution shares, or to modify the files that a configuration set contains.
   o Windows PE. This is a minimal 32-bit or 64-bit operating system with limited services, which is built on the Windows 8.1 kernel. You can use Windows PE for capturing Windows images, installing or deploying Windows, and for troubleshooting the deployment. Windows PE provides read and write access to Windows file systems and supports a range of hardware drivers, including network connectivity, which makes it useful for system recovery. You can run Windows PE from a CD or DVD, USB flash drive, or on a network by using PXE. Windows ADK includes several tools that you can use to build and configure Windows PE.
   o USMT. You can use this tool to migrate user settings and data files from a previous Windows operating system to Windows 8.1.
   o DISM. You can use this tool to service and manage Windows images, and to apply updates, drivers, and language packs to a Windows image, offline or online.

- Sysprep. Sysprep prepares a Windows image for disk imaging, system testing, or delivery to a customer. You can use Sysprep to remove any system-specific data from a Windows image, such as the security identifier (SID). After removing unique system information from an image, you can capture that Windows image and then use it for deployment on multiple computers. You also can use Sysprep to configure a Windows operating system to start the out-of-box experience (OOBE) the next time you start the system. Sysprep is available in all Windows operating systems since Windows Vista.

- DiskPart. This is a command-line tool for hard disk configuration.

- Windows DS. Windows DS is a server-based deployment solution that enables an administrator to set up new client computers over a network without having to visit each client. Windows DS is a server role that you can configure for Windows Server 2012 or Windows Server 2012 R2.

- Virtual hard disk. The Microsoft .vhd file format and the newer .vhdx file format are publicly available format specifications that specify a virtual hard disk encapsulated in a single file, which is capable of hosting native file systems and supporting standard disk operations. You can deploy Windows 8.1 to .vhd or .vhdx files and start a computer from such files.
Deployment Walkthroughs
http://go.microsoft.com/fwlink/?LinkId=378209&clcid=0x409
Question: Can you set up Windows DS on a Windows 8.1 computer?

The Image-Based Installation Process


Windows Setup for Windows 8.1 uses an
Install.wim file to deploy the default Windows 8.1
installation. You can use the same .wim file or
create and deploy a custom Windows 8.1
installation image. The image-based installation
process consists of the following high-level steps:
1. Build an answer file. By default, a Windows 8.1 installation requires some user interaction. For
   example, you might have to enter a product key, select an installation type, and specify where you
   want to install the Windows operating system. You can use an answer file to configure all of these
   and many more Windows settings that are applied during installation. For example, you can
   configure how to partition and format a hard drive, networking configuration, computer name,
   whether a computer should be joined to the domain, and other customizations. Additionally, an
   answer file can contain all of the settings required for an unattended installation, in which case,
   you will not be prompted during an installation. You can use Windows SIM to create an answer file,
   although the answer file is an XML document that you can create and customize by using any text
   editor.

2. Build a reference installation. A reference computer has a customized installation of Windows 8.1 that
   you plan to duplicate on one or more destination computers. You can create a reference installation
   by using Windows 8.1 installation media and an answer file. After the installation, you can perform
   additional customizations. For example, you can install apps that are required on all destination
   computers. After you configure a reference installation, you must generalize it by using Sysprep.

3. Create bootable Windows PE media. You can create a Windows PE environment by using the
   CopyPE.cmd script, customizing it, and writing it to bootable media such as Universal Disk Format,
   CD, or DVD by using the MakeWinPEMedia.cmd script. Windows PE enables you to start a computer
   for purposes of deployment and recovery. Windows PE starts a computer directly from memory,
   enabling you to remove the Windows PE media after the computer starts. After you start a computer
   in Windows PE, you can use the DISM tool to capture, modify, and apply file-based disk images.

4. Capture an installation image. You can capture an image of your reference computer by using
   Windows PE and the DISM tool. You can store the image that you capture locally on removable
   media or on a network share.

5. Modify an installation image. Optionally, you can use DISM or the Windows PowerShell command-line
   interface to modify Windows images when required. If additional drivers or Windows features
   are required, or if image configuration requirements change, you can use DISM to modify an image
   offline by mounting it to an empty folder and injecting drivers and updates, or by modifying the
   operating system settings. You can modify the Windows image file without having to deploy the
   Windows 8.1 image first.

6. Deploy an installation image. After you have an image of your reference installation, you can deploy
   the image to destination computers. You can use the DiskPart tool to format the hard drive and copy
   the image from the network share. Use DISM to apply the image to the destination computer. For
   high-volume deployments, you can store an image of the new installation on your distribution share
   and deploy the image to destination computers by using deployment tools such as Windows DS,
   MDT, or Configuration Manager.
Question: Can you create a customized Windows 8.1 installation image only by using tools
that are included in Windows 8.1?

Using Answer Files to Automate an Installation Process


An answer file is a .xml file that has information
that is passed to the Windows Setup process. For
example, an answer file can contain information
on disk partitioning, the location of the Windows
image to install, and the product key to be
applied. It also can contain values that are related
to the Windows operating system installation.
Some of these values include user account names,
display settings, and Internet Explorer favorites.
The Windows Setup answer file typically is named
Unattend.xml.

Using an Answer File

Use an answer file to customize Windows installations so that the versions of Windows operating systems
deployed to each destination computer are configured in the same way. The two types of Windows
installations are attended and unattended:

In attended installations, you respond to Windows Setup prompts, selecting options such as the
partition to which you want to install and the Windows image to install.

In unattended installations, which offer many additional options, you automate this process to avoid
installation prompts. You can use an answer file with Windows Setup in two ways:
o When you start Windows Setup by running Setup.exe, you can use the /unattend parameter to
  explicitly specify an answer file name and location.

o If you do not specify an answer file, for example, when you start a computer from Windows 8.1
  media, Windows Setup looks for an answer file in several default locations, such as in the root
  directory of all drives. In that case, the answer file must be named Unattend.xml or
  Autounattend.xml.

Before beginning your deployment process, identify all the requirements of your environment. Consider
the following possible requirements:

Hard drive partitions

Computer name and domain membership

Support for BitLocker or a recovery solution

Additional out-of-box drivers

Support for multilingual configurations

Other post-installation modifications to Windows, such as installing additional apps

What Is in an Answer File?


Settings in an answer file are organized into two sections: components and packages.

Components

This section has all the component settings that are applied during Windows Setup. You can configure
component settings in different configuration passes: windowsPE, oobeSystem, generalize, specialize,
auditUser, auditSystem, and offlineServicing. Each of the configuration passes represents a distinct phase
of Windows Setup. Not all the phases of Windows Setup happen during Windows installation. Settings can
be applied during one or more passes.

Packages

Microsoft uses packages for the distribution of software updates, service packs, and language packs.
Packages also can comprise Windows features. You can configure packages so that you add them to
a Windows image, remove them from a Windows image, or change the settings for features within a
package. You can either enable or disable features in Windows. If you enable a Windows feature, the
resources, executable files, and settings for that feature are available to users of the system. If you
disable a Windows feature, the package resources are not available, but the Windows operating system
does not remove the resources from the system. Some Windows features might require you to install
other features before enabling the installed version of the Windows operating system. You need to
validate your answer file and then add any required packages. For example, you can disable the Windows
Media Player feature to prevent users from running it. However, disabling the package does not remove
those resources from the Windows image. The Windows operating system applies packages in an answer
file to the Windows image during the offlineServicing configuration pass.

Creating an Answer File

While you can create an answer file manually by entering the appropriate XML code into the
Unattend.xml file, you typically create it by using the component of Windows ADK called Windows SIM.
Windows SIM requires a catalog of the Windows image before you can use it to create an answer file.
Windows 8.1 does not include a catalog file for the Windows images in Install.wim, but Windows SIM can
create the catalog dynamically. Answer files that Windows SIM creates are associated with a particular
Windows image. This enables you to validate the settings in an answer file to the settings available in the
Windows image. However, because you can use any answer file to install a Windows image, if there are
settings in the answer file for components that do not exist in the Windows image, then Windows ignores
those settings.

Note: An answer file can include destructive actions like deleting disk content and
formatting disk partitions. If you want Windows Setup to use an answer file automatically, and if
the answer file includes settings in the windowsPE and offlineServicing configuration passes, you
must rename the answer file Autounattend.xml.
Understanding Answer Files
http://go.microsoft.com/fwlink/?LinkID=386288&clcid=0x409
Methods for Running Windows Setup
http://go.microsoft.com/fwlink/?LinkId=378210&clcid=0x409
Question: What must you do before you can create an answer file for a Windows 8.1
installation?

Demonstration: Building an Answer File by Using Windows SIM


In this demonstration, you will see how to build an answer file by using Windows SIM.

Demonstration Steps

1. Open Windows System Image Manager and add E:\Labfiles\mod02\Sources\Install.wim as a
   Windows image.

2. In the Components section of Windows SIM, add the following components, and then configure their
   properties with the following values in the answer file:

   amd64_Microsoft-Windows-Setup_6.3.9600.16384_neutral\DiskConfiguration\Disk
   DiskID: 0
   WillWipeDisk: True

   amd64_Microsoft-Windows-Setup_6.3.9600.16384_neutral\DiskConfiguration\Disk
   \CreatePartitions\CreatePartition
   Extend: True
   Order: 1
   Type: Primary

   amd64_Microsoft-Windows-Setup_6.3.9600.16384_neutral\ImageInstall\OSImage\InstallTo
   DiskID: 0
   PartitionID: 1

   amd64_Microsoft-Windows-Setup_6.3.9600.16384_neutral\UserData
   AcceptEULA: True
   Organization: Adatum

3. You can configure the property values by using the following process:
   a. Expand the component referenced in the table in the Components section.
   b. Right-click the component, and then click the appropriate Add Setting to Pass choice.
   c. In the Answer File pane, locate and then click the added component.
   d. In the corresponding Properties pane, double-click the setting, and then set the value.

4. Save the answer file on the desktop as Autounattend.xml. Open the answer file in Internet Explorer,
   and then verify that the settings that you configured in Windows SIM are saved in the answer file.
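The following Windows PowerShell script is an added example; it is not part of the course and not Microsoft's own tooling. It writes the same settings that the demonstration configures in Windows SIM to an Autounattend.xml on the desktop, then parses the file and lists the configuration passes, the components, and any disk that the windowsPE pass will wipe, which is the review a file like this deserves before it is left on bootable media. The element and attribute names are the ones the unattend schema uses (the schema spells AcceptEula with that casing, and element names are case-sensitive); the path and the organization name come from the demonstration.

```powershell
# Added example (not the course's or Microsoft's code): write the demonstration's answer file,
# then read it back and report what a reviewer should look at before using it.

$answerFile = Join-Path ([Environment]::GetFolderPath('Desktop')) 'Autounattend.xml'

# publicKeyToken 31bf3856ad364e35 is the token Windows SIM writes for Microsoft components.
$xml = @"
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="windowsPE">
    <component name="Microsoft-Windows-Setup" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"
               xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
      <DiskConfiguration>
        <Disk wcm:action="add">
          <DiskID>0</DiskID>
          <WillWipeDisk>true</WillWipeDisk>
          <CreatePartitions>
            <CreatePartition wcm:action="add">
              <Order>1</Order>
              <Type>Primary</Type>
              <Extend>true</Extend>
            </CreatePartition>
          </CreatePartitions>
        </Disk>
      </DiskConfiguration>
      <ImageInstall>
        <OSImage>
          <InstallTo>
            <DiskID>0</DiskID>
            <PartitionID>1</PartitionID>
          </InstallTo>
        </OSImage>
      </ImageInstall>
      <UserData>
        <AcceptEula>true</AcceptEula>
        <Organization>Adatum</Organization>
      </UserData>
    </component>
  </settings>
</unattend>
"@

Set-Content -Path $answerFile -Value $xml -Encoding UTF8

# Review pass: parse the file and list passes, components, and anything destructive.
[xml]$doc = Get-Content -Path $answerFile -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
$ns.AddNamespace('u', 'urn:schemas-microsoft-com:unattend')

$passes = $doc.SelectNodes('/u:unattend/u:settings', $ns) | ForEach-Object { $_.pass }
"Configuration passes: $($passes -join ', ')"

$doc.SelectNodes('//u:settings/u:component', $ns) | ForEach-Object {
    "  [{0}] {1}_{2}_{3}" -f $_.ParentNode.pass, $_.processorArchitecture, $_.name, $_.language
}

# WillWipeDisk=true under windowsPE erases that disk, without a prompt, on any computer that starts
# Setup with this file in a default location; treat the file like a destructive script.
$wipes = $doc.SelectNodes('//u:settings[@pass="windowsPE"]//u:Disk[u:WillWipeDisk="true"]', $ns)
foreach ($d in $wipes) { "WARNING: windowsPE pass wipes disk $($d.DiskID) without prompting" }

# Per the course note, windowsPE and offlineServicing settings are only applied automatically from a
# file named Autounattend.xml; flag a wrong file name early.
if ($passes -contains 'windowsPE' -and (Split-Path $answerFile -Leaf) -ne 'Autounattend.xml') {
    "WARNING: file must be named Autounattend.xml for the windowsPE pass to be applied automatically"
}
```

The same parse-and-report pass works on an answer file produced by Windows SIM, so it can be run on Autounattend.xml before the file is placed on installation media or a floppy image.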

Preparing a Reference Installation by Using Sysprep


The Sysprep tool prepares an installation of
the Windows operating system for duplication,
auditing, and end-user delivery. Duplication
enables you to capture a customized Windows
image that you can reuse throughout an
organization. The Sysprep tool is part of a
Windows installation, and you can find it in
the C:\Windows\System32\Sysprep folder.

Sysprep Tasks
You can use Sysprep to:

Remove system-specific data from the Windows operating system, which is known as generalizing the
computer.

Uninstall computer-specific drivers.

Configure the Windows operating system to start OOBE or in audit mode.

Add an answer file to an existing installation.

Note: Only use Sysprep to configure reference Windows installations. Remember that
Sysprep can delete existing system configurations. Do not use Sysprep to reconfigure an existing
Windows installation.

Sysprep Command-Line Options


The Sysprep tool uses the following syntax:
sysprep.exe [/oobe | /audit] [/generalize] [/reboot | /shutdown | /quit] [/quiet]
[/unattend:answerfile] [/mode:<mode>]

In Windows 8.1, the /mode:vm command-line parameter for Sysprep generalizes a virtual hard disk. You
can use this parameter if you will deploy the virtual hard disk on the same virtualization platform.
Note: You can run virtual machine mode only from inside a virtual machine.
Sysprep Command-Line Syntax
http://go.microsoft.com/fwlink/?LinkId=378211&clcid=0x409
System Preparation (Sysprep) Technical Reference
http://go.microsoft.com/fwlink/?LinkId=378212&clcid=0x409

Question: Why should you not run Sysprep on a Windows 8.1 computer that is deployed
and being used already?

What Is Windows PE?

Windows PE is the core deployment foundation
for Windows 8.1. Windows PE is a compact,
special-purpose Windows operating system that
prepares and initiates a computer for Windows
Setup, maintenance, or imaging tasks, and it
recovers operating systems such as Windows 8.1.
With Windows PE, you can start a subset of
Windows 8.1 from a network or removable media,
which provides network and other resources
necessary to install and troubleshoot Windows 8.1.
Windows PE is not a general-purpose operating
system, but you can use it to start a computer that
has no functional operating system installed, and it can act as a replacement for startup disks. Windows PE
is designed to make customized Windows 8.1 deployments simpler by addressing the following tasks:

Installing Windows 8.1. Windows PE runs every time you install Windows 8.1. The graphical tools that
collect configuration information during the setup phase are running within Windows PE.

Troubleshooting. Windows PE is useful for automatic and manual troubleshooting. For example, if
Windows 8.1 fails to start because of a corrupted system file, Windows PE can start automatically and
launch Windows RE.

Recovery. OEMs and IT pros can use Windows PE to build customized, automated solutions for
recovering and rebuilding computers that run Windows 8.1.

Benefits of Windows PE

Microsoft developed Windows PE as the primary tool for starting computers that do not have a functional
operating system. After a computer starts in Windows PE, you can prepare it for Windows installation and
then initiate Windows Setup from a network or local source. You also can service an existing Windows
installation or recover data. Because Windows PE is based on the Windows 8.1 kernel, it provides the
following capabilities:

Native support for the NTFS 5.x file system, including dynamic volume creation and management.

Native support for TCP/IP networking and file sharing. Windows PE can connect to network shares
only; you cannot share folders in Windows PE.

Native support for 32-bit or 64-bit Windows device drivers.

Native support for a subset of the Win32 API.

Optional support for Windows Management Instrumentation, Microsoft Data Access Component, and
HTML Application.

Ability to start from a number of media types, including CD, DVD, USB flash drive, and a Remote
Installation Services server.

Windows PE offline sessions are supported.

Windows PE images can be serviced offline.


Windows PE includes all Hyper-V drivers, except display drivers. This enables Windows PE to run in a
hypervisor. Supported features include mass storage, mouse integration, and network adapters.

Windows PE is available as part of Windows ADK. You can create a custom Windows PE environment by
running the CopyPE.cmd script. After that, you can customize the environment. For example, you can add
support for Windows PowerShell, database connectivity, or scripting. You also can copy additional drivers
and programs to Windows PE. You can write a customized Windows PE environment to bootable media
by running the MakeWinPEMedia.cmd script.
WinPE: Windows PE Overview
http://go.microsoft.com/fwlink/?LinkId=378213&clcid=0x409
Question: What are some of the tasks in which you can use Windows PE for
troubleshooting?
Question: How can you customize Windows PE?

Demonstration: Creating Bootable Windows PE Media


In this demonstration, you will see how to create bootable Windows PE media.

Demonstration Steps
1. Open the Deployment and Imaging Tools Environment.

2. Use CopyPE.cmd to copy the base amd64 Windows PE files to C:\winpe.

3. Use DISM to view the properties of the Windows PE image, and then mount the image file located at
   C:\winpe\media\sources\boot.wim to the C:\winpe\mount folder.

4. Use File Explorer to verify that there are four subfolders in the C:\winpe\mount folder.

5. Use DISM to dismount and commit the image.

6. Use File Explorer to verify that there are no subfolders in the C:\winpe\mount folder.

7. Create an .iso file from the image to copy to a CD or DVD.
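The following script is an added example, not the course's demonstration script and not part of Windows ADK. It carries out the demonstration steps above from Windows PowerShell and, while boot.wim is mounted, adds the optional components that give Windows PE its own Windows PowerShell and the DISM cmdlets, which is the customization the overview topic describes. It assumes the Deployment and Imaging Tools Environment of Windows ADK for Windows 8.1 (x64), where copype, dism and MakeWinPEMedia are on the path and the WinPERoot environment variable points at the Windows PE files; C:\winpe is the demonstration's folder.

```powershell
# Added example (not the course's or Microsoft's script): build and customize Windows PE media.
$winpeDir = 'C:\winpe'
$mountDir = Join-Path $winpeDir 'mount'
$bootWim  = Join-Path $winpeDir 'media\sources\boot.wim'
$ocs      = Join-Path $env:WinPERoot 'amd64\WinPE_OCs'   # optional component .cab files (ADK)

function Invoke-Step([string]$Description, [scriptblock]$Command) {
    # Every tool used here returns a non-zero exit code on failure; stop rather than continue and
    # write a half-serviced image to bootable media.
    Write-Host "==> $Description"
    & $Command
    if ($LASTEXITCODE -ne 0) { throw "$Description failed with exit code $LASTEXITCODE" }
}

Invoke-Step 'Copy base amd64 Windows PE files' { copype amd64 $winpeDir }
Invoke-Step 'Show properties of boot.wim'      { dism /Get-ImageInfo /ImageFile:$bootWim }
Invoke-Step 'Mount boot.wim'                   { dism /Mount-Image /ImageFile:$bootWim /Index:1 /MountDir:$mountDir }

# Optional components, in dependency order: WinPE-PowerShell needs WMI, NetFx and Scripting,
# and WinPE-DismCmdlets needs WinPE-PowerShell. Each has a language-neutral .cab and an en-us one.
foreach ($oc in 'WinPE-WMI', 'WinPE-NetFx', 'WinPE-Scripting', 'WinPE-PowerShell', 'WinPE-DismCmdlets') {
    Invoke-Step "Add $oc"         { dism /Image:$mountDir /Add-Package /PackagePath:"$ocs\$oc.cab" }
    Invoke-Step "Add $oc (en-us)" { dism /Image:$mountDir /Add-Package /PackagePath:"$ocs\en-us\${oc}_en-us.cab" }
}

Invoke-Step 'List packages now in the image' { dism /Image:$mountDir /Get-Packages }
Invoke-Step 'Unmount and commit'             { dism /Unmount-Image /MountDir:$mountDir /Commit }
Invoke-Step 'Create bootable ISO'            { MakeWinPEMedia /ISO $winpeDir "$winpeDir\winpe.iso" }
```

Failing on the first non-zero exit code matters most at the commit step: if a package did not apply, the image should be discarded with /Unmount-Image /Discard and rebuilt rather than written to the .iso.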

Using DISM to Capture and Apply an Installation Image


Windows 8.1 installation media includes default
Windows installation images, which are contained
in the Install.wim file. You can use Windows Setup
to deploy the default images, but you also can use
it to deploy custom images when you provide an
answer file.
If you need to create a custom Windows 8.1
image, for example, from the reference
installation, you can capture the image by
using Dism.exe. Dism.exe is a command-line tool
that is included in Windows 8.1, and it is available
as part of Windows ADK. DISM is the main tool for
managing Windows image files, which includes operations such as creating, mounting, updating, and
applying the image.

Note: In the past, the ImageX tool often was used for creating, mounting, and applying
Windows image files. This tool is still available as part of Windows ADK, but it is deprecated since
Windows 8. All of its functionality is included in DISM, and you should avoid using ImageX.


Although you can create an image that includes a single folder or folder hierarchy, you often will create
an image of the entire volume. You cannot add files that are opened exclusively by any process in the
image, and because of that, you cannot capture an image of the running operating system. You will need
to restart the computer to another operating system, such as Windows PE, before you can capture the
image of the Windows 8.1 installation. When capturing the image, you can specify additional options,
such as the file types to exclude from the image and the compression type to use; the compression type
can be defined only when capturing the first image in the Windows image file. You can capture the
content of the volume C: to the file D:\Custom.wim by running the following command:
Dism /Capture-Image /ImageFile:D:\Custom.wim /CaptureDir:C:\ /Name:"Captured Windows 8.1 installation"

You cannot create and format a volume by using DISM, which means that the volume already must be
created and formatted before you can apply the image to it. For example, you can create and format a
volume by using DiskPart. After the volume is prepared, you can deploy the first Windows image
contained in file D:\Custom.wim to volume C: by running the following command:
Dism /apply-image /imagefile:D:\Custom.wim /index:1 /ApplyDir:C:\
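As an added example (not the course's script and not Microsoft's), the capture and apply commands above wrapped in the checks that belong around them: a guard that refuses to capture or apply over the volume the current operating system is running from, a check that the requested image index exists in the .wim before DISM touches the disk, a DiskPart script for the volume that DISM cannot create itself, and DISM's /CheckIntegrity and /Verify switches so a corrupted image is detected rather than deployed. It assumes Windows PE with the Windows PowerShell optional component; the share and image name are the ones Lab B uses, and the W: drive letter and disk number are constructed placeholders.

```powershell
# Added example (not the course's or Microsoft's code): guarded capture and apply with DISM.

function Test-NotRunningSystem([string]$Drive) {
    # DISM cannot capture files that are held open, so the volume being captured or overwritten must
    # not be the one the current operating system runs from (Windows PE runs from X:).
    return ($env:SystemDrive -ne $Drive.TrimEnd('\'))
}

function Invoke-VolumeCapture([string]$SourceDrive, [string]$ImageFile, [string]$Name) {
    if (-not (Test-NotRunningSystem $SourceDrive)) {
        throw "Refusing to capture $SourceDrive because it is the running system volume; start from Windows PE first."
    }
    # /CheckIntegrity stores integrity data in the .wim so a later apply can detect corruption;
    # /Verify checks for errors while the image is written.
    dism /Capture-Image /ImageFile:$ImageFile /CaptureDir:"$SourceDrive\" /Name:"$Name" /CheckIntegrity /Verify
    if ($LASTEXITCODE -ne 0) { throw "Capture failed with exit code $LASTEXITCODE" }
}

function Get-WimImageCount([string]$ImageFile) {
    # Count the images in the file from the "Index : n" lines that /Get-ImageInfo prints.
    $info = dism /Get-ImageInfo /ImageFile:$ImageFile
    if ($LASTEXITCODE -ne 0) { throw "Cannot read $ImageFile (exit code $LASTEXITCODE)" }
    return @($info | Where-Object { $_ -match '^Index\s*:' }).Count
}

function Initialize-TargetDisk([int]$DiskNumber, [string]$Letter) {
    # DISM does not create or format volumes; DiskPart does that first (MBR layout, one partition).
    # "clean" erases the whole disk, so the disk number must be checked against "list disk" beforehand.
    $script = @"
select disk $DiskNumber
clean
create partition primary
format fs=ntfs label="Windows" quick
assign letter=$Letter
active
"@
    $scriptFile = Join-Path $env:TEMP 'partition.txt'
    Set-Content -Path $scriptFile -Value $script
    diskpart /s $scriptFile
    if ($LASTEXITCODE -ne 0) { throw "DiskPart failed with exit code $LASTEXITCODE" }
}

function Invoke-ImageApply([string]$ImageFile, [int]$Index, [string]$TargetDrive) {
    $count = Get-WimImageCount $ImageFile
    if ($Index -lt 1 -or $Index -gt $count) {
        throw "$ImageFile contains $count image(s); index $Index is out of range"
    }
    if (-not (Test-NotRunningSystem $TargetDrive)) { throw "Refusing to apply over the running system volume" }
    dism /Apply-Image /ImageFile:$ImageFile /Index:$Index /ApplyDir:"$TargetDrive\" /CheckIntegrity /Verify
    if ($LASTEXITCODE -ne 0) { throw "Apply failed with exit code $LASTEXITCODE" }
}

# Usage on the reference computer, started from Windows PE with the lab share mapped:
#   net use G: \\lon-cl1\share
#   Invoke-VolumeCapture -SourceDrive 'C:' -ImageFile 'G:\Win81.wim' -Name 'CustomImage'
# Usage on a destination computer, also started from Windows PE (disk 0 and W: are placeholders):
#   Initialize-TargetDisk -DiskNumber 0 -Letter 'W'
#   Invoke-ImageApply -ImageFile 'G:\Win81.wim' -Index 1 -TargetDrive 'W:'
```

The index check is cheap and worth keeping: a .wim that holds several images (as the lab's image.wim does after Append-Image) applies whichever index it is given without complaint.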

Besides capturing and applying Windows images, you can use DISM to service and manage Windows
images.
DISM - Deployment Image Servicing and Management Technical Reference
http://go.microsoft.com/fwlink/?LinkId=378214&clcid=0x409
Question: What must you do before you can capture an image of a Windows 8.1 computer
by using Dism.exe?

Modifying and Maintaining Windows Images


DISM is a command-line tool that combines
separate Windows platform technologies into
a single, cohesive tool for servicing Windows
images. By using DISM, IT pros can view
components of an applied or mounted operating
system image and add or remove packages,
software updates, and drivers. You can use DISM
to service Windows images offline before
deployment or to prepare a Windows PE image.
Some of the most common tasks that you can
perform by using DISM include:

Mount, unmount, and commit modifications

Apply updates, drivers, and language packs

Add, remove, and enumerate packages and drivers

Enable or disable Windows features

Apply changes based on the offlineServicing section of an answer file

Configure international settings

Upgrade a Windows image to a different edition

Prepare and customize Windows PE images

Service online and offline Windows images

DISM Command-Line Options


DISM has two main sets of commands: imaging commands, and servicing commands.

Imaging commands
Imaging commands enable image management tasks such as mounting an image file or enumerating
images in a file. You can use the following syntax for imaging commands:
Dism.exe [dism_global_options] {servicing_option} [<servicing_argument>]

Servicing commands


Servicing commands enable tasks that involve modifying a Windows image, such as injecting drivers,
adding packages, and modifying Windows configurations. You can use the following syntax for servicing
commands:
Dism.exe {/Image:<path_to_image> | /Online} [dism_global_options] {servicing_option}
[<servicing_argument>]

Deployment Image Servicing and Management (DISM) Command-Line Options
http://go.microsoft.com/fwlink/?LinkId=378215&clcid=0x409
You also can manage Windows image files by using Windows PowerShell cmdlets. You can get a list of
available DISM cmdlets by running the following cmdlet:
Get-Command -Module Dism
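The following script is an added example, not code from the course or from Microsoft. It performs the offline servicing described in step 5 of the image-based installation process and in this topic (mount, inject drivers, disable a feature, record the package list, commit) by using the DISM cmdlets that Get-Command -Module Dism lists instead of Dism.exe. It assumes an elevated Windows PowerShell session on Windows 8.1 with Windows ADK, the custom image D:\Custom.wim from the capture topic, and a constructed driver folder D:\Drivers; confirm the feature name with Get-WindowsOptionalFeature -Path before relying on it.

```powershell
# Added example (not the course's or Microsoft's code): offline servicing with the DISM cmdlets.
Import-Module Dism
$ErrorActionPreference = 'Stop'   # any cmdlet failure lands in the catch block below

$imageFile = 'D:\Custom.wim'      # custom image captured from the reference installation
$mountDir  = 'C:\mount'
$driverDir = 'D:\Drivers'         # folder tree of .inf driver packages (constructed path)

New-Item -ItemType Directory -Path $mountDir -Force | Out-Null

# Confirm what the file contains before touching it; index 1 must exist.
Get-WindowsImage -ImagePath $imageFile | Format-Table ImageIndex, ImageName, ImageSize -AutoSize

Mount-WindowsImage -ImagePath $imageFile -Index 1 -Path $mountDir | Out-Null
try {
    # 1. Inject drivers; -Recurse picks up every .inf below the folder. Unsigned drivers are rejected
    #    unless -ForceUnsigned is given, which is the default worth keeping for a deployment image.
    Add-WindowsDriver -Path $mountDir -Driver $driverDir -Recurse | Out-Null
    Get-WindowsDriver -Path $mountDir | Select-Object Driver, ProviderName, ClassName | Format-Table -AutoSize

    # 2. Disable a feature offline (the topic's Windows Media Player example). Disabling keeps the
    #    package payload in the image; only the feature stops being available to users.
    $feature = Get-WindowsOptionalFeature -Path $mountDir -FeatureName 'WindowsMediaPlayer'
    if ($feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Path $mountDir -FeatureName $feature.FeatureName | Out-Null
    }

    # 3. Record the package inventory of the serviced image for change control.
    Get-WindowsPackage -Path $mountDir | Select-Object PackageName, PackageState |
        Export-Csv -Path 'D:\Custom-packages.csv' -NoTypeInformation

    # Commit; -CheckIntegrity updates the integrity data stored in the .wim.
    Dismount-WindowsImage -Path $mountDir -Save -CheckIntegrity | Out-Null
}
catch {
    # On any failure discard the mount so a half-serviced image is never committed.
    Dismount-WindowsImage -Path $mountDir -Discard | Out-Null
    throw
}
```

The try/catch around the mounted image is the part to keep even in a one-off session: an image left mounted after an error must be cleaned up with Dismount-WindowsImage -Discard before the .wim can be serviced again.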

Question: Can you use Dism.exe to modify only Windows installation images in a .wim file?


Lab B: Customizing and Capturing a Windows 8.1 Image


Scenario

You have been asked to modify the answer file that is being used for the A. Datum Windows 8.1
installation process. A. Datum is deploying a test group of Windows 8.1 computers, and it would like to
have a standard installation that requires no user input as part of the setup process.
Your task is to create a new answer file that automates the installation accordingly. Use it to test an
installation of Windows 8.1 on LON-REF1.

Objectives
After completing this lab, you will be able to:

Create an answer file and perform an unattended Windows 8.1 installation.

View Install.wim information and capture a Windows 8.1 image.

Lab Setup
Estimated Time: 45 minutes
Virtual machines: 20687D-LON-DC1, 20687D-LON-CL1, and 20687D-LON-REF1
User name: Adatum\Administrator
Password: Pa$$w0rd

Start first the 20687D-LON-DC1 virtual machine, then start the 20687D-LON-CL1 virtual machine, and
sign in as Adatum\Administrator with password Pa$$w0rd.

Exercise 1: Creating an Answer File and Performing an Unattended Windows 8.1 Installation
Scenario

In this exercise, you have been asked to configure an answer file to use with Windows 8.1 installations at
A. Datum. To modify this answer file, your IT administrator has given you the following information to
assist in the process.
Component                                                    Property          Value
------------------------------------------------------------ ----------------- ---------------------------------
amd64_Microsoft-Windows-International-Core-WinPE_neutral     InputLocale       en-US
                                                             SystemLocale      en-US
                                                             UILanguage        en-US
                                                             UserLocale        en-US

amd64_Microsoft-Windows-International-Core-WinPE_neutral     UILanguage        en-US
  \SetupUILanguage

amd64_Microsoft-Windows-Setup_neutral                        DiskID            0
  \DiskConfiguration\Disk                                    WillWipeDisk      True

amd64_Microsoft-Windows-Setup_neutral                        Extend            True
  \DiskConfiguration\Disk\CreatePartitions\CreatePartition   Order             1
                                                             Type              Primary

amd64_Microsoft-Windows-Setup_neutral                        Active            True
  \DiskConfiguration\Disk\ModifyPartitions\ModifyPartition   Format            NTFS
                                                             Order             1
                                                             PartitionID       1

amd64_Microsoft-Windows-Setup_neutral                        Key               /IMAGE/NAME
  \ImageInstall\OSImage\InstallFrom\Metadata                 Value             Windows 8.1 Enterprise Evaluation

amd64_Microsoft-Windows-Setup_neutral                        DiskID            0
  \ImageInstall\OSImage\InstallTo                            PartitionID       1

amd64_Microsoft-Windows-Setup_neutral\UserData               AcceptEULA        True
                                                             FullName          Adatum User
                                                             Organization      Adatum

amd64_Microsoft-Windows-Shell-Setup_neutral\OOBE             SkipMachineOOBE   True
                                                             SkipUserOOBE      True

amd64_Microsoft-Windows-Shell-Setup_neutral                  Description       Local Admin
  \UserAccounts\LocalAccounts\LocalAccount                   DisplayName       Admin
                                                             Group             Administrators
                                                             Name              Admin

amd64_Microsoft-Windows-Shell-Setup_neutral                  Value             Pa$$w0rd
  \UserAccounts\LocalAccounts\LocalAccount\Password

The main tasks for this exercise are as follows:
1. Mount a virtual floppy drive on LON-CL1.
2. Verify answer file and remove diskette drive.
3. Configure LON-REF1 and start the Windows 8.1 unattended installation.

Task 1: Mount a virtual floppy drive on LON-CL1
1. Use the Hyper-V Manager console on the host computer to open the Settings page for
   20687D-LON-CL1.
2. In Settings, click Diskette Drive, and then attach the virtual floppy drive named Lab2BEx1.vfd found
   at D:\Program Files\Microsoft Learning\20687\Drives.

Task 2: Verify answer file and remove diskette drive
1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd, and then start Windows
   System Image Manager.
2. In Windows System Image Manager, open answer file Autounattend.xml from Floppy Disk
   Drive (A:).
3. In the Answer File section of Windows SIM, verify that the answer file is configured with the
   parameters that were specified in the preceding table.
4. Close Windows System Image Manager.
5. Open the Settings page for 20687D-LON-CL1 in Hyper-V Manager.
6. Configure the Diskette Drive to None.

Task 3: Configure LON-REF1 and start the Windows 8.1 unattended installation
1. In Hyper-V Manager, open the Settings page for 20687D-LON-REF1.
2. In Settings, click Diskette Drive, and then attach Lab2BEx1.vfd found at D:\Program Files
   \Microsoft Learning\20687\Drives.
3. In Settings, click DVD Drive, and then attach the DVD image file found at D:\Program Files
   \Microsoft Learning\20687\Drives\Win81Ent_EVAL.iso.
4. Start 20687D-LON-REF1, and then begin Windows Setup. Confirm that you are not prompted for any
   information during installation. While Windows 8.1 installs, continue with the next exercise.

Note: During installation, LON-REF1 will restart two times. Do not press any key to start it
from DVD.

Results: After completing this exercise, you should have modified an unattended answer file to use for
automating the Windows 8.1 installation process.

Exercise 2: Viewing Install.wim Information and Capturing a Windows 8.1 Image
Scenario

One of your tasks is to capture a Windows 8.1 image. Before performing the task, you need to view the
content of the existing Windows image file and explore the benefits of using the .wim file format.
The main tasks for this exercise are as follows:
1. View the information of the Windows 8.1 image in the Install.wim file.
2. Capture an image.
3. Modify an offline image.
4. Capture Windows 8.1 image.

Task 1: View the information of the Windows 8.1 image in the Install.wim file
1. Add Windows 8.1 DVD media to LON-CL1 by attaching the DVD image file found at
   D:\Program Files\Microsoft Learning\20687\Drives\Win81Ent_EVAL.iso.
2. Use File Explorer to view the properties of the Install.wim file in the Sources folder on the DVD drive.
3. Use Dism.exe with the Get-ImageInfo parameter to view the content of the Install.wim file.
4. Use Dism.exe with the Get-WimInfo parameter to view the information about the first image in the
   Install.wim file.

Task 2: Capture an image
1. Use Dism.exe with the Capture-Image parameter to capture the content of the C:\Windows\Inf
   folder to a file named C:\image.wim, and then name the image First image.
2. Use File Explorer to view the properties of the C:\Windows\Inf folder.
3. View the size of the C:\image.wim file, and then consider the benefits of Windows image
   compression.
4. Use Dism.exe with the Append-Image parameter to add the content of the C:\Windows\Inf folder as a
   second image to the C:\image.wim file, and then name the image Second Image.
5. View the size of C:\image.wim, and then consider the benefits of single instancing when multiple
   images in the same Windows image file have the same files.
6. Use Dism.exe with the Get-ImageInfo parameter to view which images are contained in the
   C:\image.wim file.

Task 3: Modify an offline image
1. Use File Explorer to view the properties of the C:\image.wim file, including its size and date of last
   modification.
2. Create a folder named C:\mount and use Dism.exe with the Mount-Wim parameter to mount the
   second image in the C:\Image.wim file to the C:\mount folder.
3. Use File Explorer to view the properties of the C:\mount folder.
4. Create a subfolder named Folder1, and then delete three files in the C:\mount folder.
5. Use Dism.exe with the Unmount-Wim and Commit parameters to unmount the image.
6. View the properties of C:\image.wim.
7. Use Dism.exe with the Get-WimInfo parameter to view and compare the properties of the second
   and first image in the C:\image.wim file.

Task 4: Capture Windows 8.1 image
1. Sign in to LON-REF1 as user Admin with password Pa$$w0rd. Verify that Windows 8.1 is installed.
2. Add Windows PE media to LON-REF1 by attaching the DVD image file found at D:\Program Files
   \Microsoft Learning\20687\Drives\WindowsPE.iso.
3. On LON-REF1, run Sysprep.exe as an Administrator to generalize the computer.
4. Start LON-REF1 from DVD media.
5. On LON-REF1, use Adatum\Administrator credentials to connect the G: drive to \\lon-cl1\share.
6. Use Dism.exe with the Capture-Image parameter to capture the C: drive to the G:\Win81.wim file,
   and then name the image CustomImage.

Note: You can continue with the lecture while the capture is in progress.

Results: After completing this exercise, you should have viewed Windows image information and
captured a Windows 8.1 image.

Lesson 4

Volume Activation for Windows 8.1


Product activation is a requirement of the Windows 8.1 operating system. It requires validation for
each Windows 8.1 license through an online activation service at Microsoft, by phone, through KMS, or
through AD DS. Activation enhances protection from software piracy, and it helps you manage operating
system and application instances within an environment. This lesson describes how activation works and
the volume activation models to consider for an effective Windows 8.1 desktop deployment.

Lesson Objectives
After completing this lesson, you will be able to:

Describe activation.

Describe volume activation technologies.

Describe how KMS activation works.

Describe how Active Directory-based activation works.

Describe tools to manage activation.

Explain how to troubleshoot volume activation.

What Is Activation?
All editions of Windows 8.1 require activation.
Activation confirms the status of a Windows
product and ensures that the product key has
not been compromised. The activation process
links the software's product key to a particular
installation of that software on a device. If the
device hardware changes considerably, you need
to activate the software again. Activation assures
software integrity and provides you access to
Microsoft support and a full range of updates.
Activation also is necessary if you want to comply
with licensing requirements.

Unlike Windows 7, Windows 8.1 does not have a grace period. You must activate Windows 8.1
immediately upon installation. Failure to activate a Windows operating system will prevent users from
completing customization. In older versions of the Windows operating system, activation and validation
by using the Windows Genuine Advantage tool occurred separately. This caused confusion for users who
thought the terms were interchangeable. In Windows 8, activation and validation occur at the same time.
If you wish to evaluate Windows 8.1, Microsoft provides a separate evaluation edition that is available as
an .iso image file to MSDN subscribers and Microsoft partners.
There are three main methods for activation:

Retail. Any Windows 8.1 product purchased at a retail store comes with one unique product key that
you type in during product installation. Use the product key to complete activation after installing the
operating system.


OEM. OEM system builders typically sell computer systems that include a customized build of
Windows 8.1. You can perform OEM activation by associating the operating system to the computer
system BIOS.

Microsoft Volume Licensing (volume activation). Microsoft Volume Licensing is a series of software
licensing programs that are tailored to the size and purchasing methods of your organization.
Volume customers set up volume licensing agreements with Microsoft. These agreements include
Windows upgrade benefits and other benefits related to value-added software and services. Microsoft
Volume Licensing customers use Volume Activation Services to assist in activation tasks, which consist
of Active Directory-based activation, KMS, and MAK models.

You can view the Windows 8.1 activation status on the System properties page or by running the
following command:
cscript C:\windows\system32\slmgr.vbs -dli

Question: What is activation?

Volume Activation Technologies


Volume activation provides a simple, security-enhanced activation experience for enterprise organizations, while addressing issues associated with generic volume license keys (VLKs). Volume activation provides administrators the ability to manage and protect product keys centrally, and it also provides several flexible deployment options that activate enterprise computers, regardless of the organization's size.

Volume Activation Keys

Three main types of volume activation models are used in enterprise environments. You can use any or all of the options associated with these models, depending on your organization's needs and network infrastructure:

• Volume Activation Services is a server role in Windows Server 2012 and Windows Server 2012 R2. This role service enables you to activate Windows 7, Windows Server 2008, and newer Windows operating systems automatically, without having to contact Microsoft product activation servers. With Volume Activation Services, you can configure KMS and enable Active Directory-based activation:

  o KMS allows organizations to perform local activation for computers in a management environment without connecting to Microsoft individually. By default, Windows 8.1 and Windows Server 2012 R2 volume editions connect to a system that hosts the KMS service, which in turn requests activation. KMS usage is targeted for managed environments where more than 25 client computers or more than five servers use KMS activation.

  o Active Directory-based activation is a role service that allows you to use AD DS to store activation objects, which can greatly simplify the task of maintaining volume activation services for a network. You can use Active Directory-based activation to activate only AD DS-joined computers, and activation requests are processed during client computer startup. Any computer that runs Windows 8, Windows Server 2012, or a newer Windows operating system with a generic VLK that is joined to the domain will activate automatically and without user interaction. Computers will stay activated as long as they remain members of the domain and maintain periodic contact with a domain controller. Activation takes place after the licensing service starts.

• MAK activation uses product keys that can activate only a specific number of computers. If the use of volume licensing media is not controlled, excessive activations can occur, and after the depletion of the activation pool, no further computers can be activated. You do not use MAKs to install Windows 8.1, but rather, to activate it after installation. You can use MAKs to activate any Windows 8.1 edition.

Plan for Volume Activation
http://go.microsoft.com/fwlink/?LinkId=378216&clcid=0x409
Licensing and Volume Activation
http://go.microsoft.com/fwlink/?LinkId=378217&clcid=0x409
Question: How can you determine if Windows 8.1 is activated? How can you activate Windows 8.1?

How KMS Activation Works


With KMS, organizations can perform local activations for computers in a managed environment without connecting to Microsoft individually. You can enable KMS functionality on a physical or virtual system that runs Windows 7, Windows Server 2008, or a newer Windows operating system.

Windows 8, Windows Server 2012, and newer Windows operating systems include KMS. After you initialize KMS, the KMS activation infrastructure is self-maintaining. The KMS service does not require dedicated computers and can be cohosted with other services. A single KMS host can support several thousand KMS clients. Most organizations probably will be able to operate with just two KMS hosts for their entire infrastructure: one main KMS host, and a backup host for redundancy.

Implementing KMS Activation


To enable KMS functionality, you install a KMS key on the KMS host and then activate it by using an
online web service at Microsoft. Start the Command Prompt window and then run the following
command:
cscript C:\windows\system32\slmgr.vbs -ipk <KmsKey>

You then can activate the KMS host by using online or phone activation.

During installation, a KMS host automatically attempts to publish its existence in service (SRV) resource
record locations within the Domain Name System (DNS). This provides the ability for both domain
members and stand-alone computers to activate against the KMS infrastructure. Client computers locate
the KMS host dynamically by using the service (SRV) resource records found in DNS or the connection
information specified in the registry. Client computers then use information obtained from the KMS host
to activate.

KMS Activation Considerations


If you decide to implement KMS activation, consider the following:

• Client computers that are not activated attempt to connect with the KMS host every two hours.

• To stay activated, client computers must renew their activation by connecting to the KMS host at least once every 180 days.

• After activation, client computers attempt to renew their activation every seven days. After each successful connection, the expiration extends to the full 180 days.

• Client computers connect to the KMS host for activation by using anonymous remote procedure calls (RPCs) over TCP/IP and by using default port 1688. You can configure this port information. The connection is anonymous, enabling workgroup computers to communicate with the KMS host. You might need to configure the firewall and the router network to pass communications for the TCP port that will be used.

To use KMS activation with Windows 8, Windows Server 2012, or newer Windows operating systems, the computer must contain a Windows marker in the BIOS, and it must have a qualifying operating system license, which often is obtained through OEMs as part of a new computer purchase.
Volume Activation Overview
http://go.microsoft.com/fwlink/?LinkId=286471&clcid=0x409
Question: Can a Windows 8.1 computer be a KMS host?

How Active Directory-Based Activation Works


Active Directory-based activation simplifies the
process of activating clients that are running
Windows 8, Windows Server 2012, or newer
Windows operating systems. If you implement
Active Directory-based activation, your Windows
operating system is activated automatically when
you join the computer to the domain, as long as
a generic VLK is used on the computer. This
activation method requires that the AD DS
schema is extended to at least the
Windows Server 2012 level.
You cannot edit activation objects directly in
AD DS. However, an administrator can use advanced AD DS tools to view each activation object.
Administrators also can configure security access control lists for activation objects to restrict access as
needed, and if necessary, they can delete activation objects. On a local client, a user with read/write
permission for the activation object can use a command prompt to perform these functions.

Main Considerations

Many organizations have complex volume licensing infrastructures to support KMS and Microsoft Office installations. To add Active Directory-based activation to these environments, administrators must assess their current implementations and determine what role Active Directory-based activation will play in their environment. Some considerations include how to upgrade operating systems and applications to versions that support Active Directory-based activation. For environments that will run only Windows 8, Windows Server 2012, and newer Windows operating systems, Active Directory-based activation is a suitable option for activating all clients and servers, and you might be able to remove any KMS hosts. If an environment will continue to contain older volume-licensed operating systems and applications, administrators need a KMS host to maintain activation status, in addition to enabling Active Directory-based activation.
Planning considerations when working with Active Directory-based activation include the following:

• You do not need an additional host server with Active Directory-based activation. Your existing domain controllers can support activation clients with the following limitations:

  o You cannot configure Active Directory-based activation on read-only domain controllers.

  o You cannot use Active Directory-based activation with non-Microsoft directory services.

  o The AD DS schema must be at the Windows Server 2012 or higher level to store activation objects.

  o Domain controllers that run older versions of Windows Server can activate clients after the AD DS schema has been extended to Windows Server 2012 or higher level.

• Active Directory-based activation is forest-wide, and you only need to implement it once, even if the forest contains multiple domains.

• There are no threshold limits that must be met before computers can be activated by using Active Directory-based activation.

Volume Activation Process

In an environment that uses Active Directory-based activation, the volume activation process takes place in the following steps:

1. An enterprise administrator installs the Active Directory-based activation role service on a domain controller. After that, the administrator activates the KMS host key with Microsoft-hosted activation services. Administrators can complete this installation from any computer that has a Volume Activation Management Tool (VAMT) console.

2. When a domain-joined computer that is running Windows 8, Windows Server 2012, or a newer Windows operating system with a generic VLK starts, the licensing service on the client automatically queries the domain controller for licensing information. Lightweight Directory Access Protocol (LDAP) is used for the authentication.

Note: You cannot use Active Directory-based activation to license computers that are not members of the domain.

3. If a valid activation object is found, then the activation will continue silently and will not require user intervention. For Active Directory-based activation, the same renewal guidelines are applicable as for KMS activation.

4. If volume licensing information is not found in AD DS, computers that are running Windows 8, Windows Server 2012, or a newer Windows operating system will try to find a KMS host and try activation by using the KMS activation process.

Active Directory-Based Activation Overview
http://go.microsoft.com/fwlink/?LinkId=378218&clcid=0x409
Active Directory-Based Activation vs. Key Management Services
http://go.microsoft.com/fwlink/?LinkId=378219&clcid=0x409

Question: What type of connection is established between a Windows 8.1 computer and a
Windows Server 2012 R2 domain controller when Active Directory-based activation is
performed?

Tools to Manage Activation

If you need to manage activation of a Windows 8.1 computer on a network, you probably will use VAMT. If VAMT is not deployed in your environment, you can still use Slmgr.vbs as the software licensing configuration tool. Slmgr.vbs is part of Windows 8.1, and you can use it for viewing activation information, installing product keys, activating Windows operating systems, and performing additional actions. You can get a list of all available actions by running slmgr -?. Slui.exe also is available in Windows 8.1, but its functionality is reduced in Windows 8.1. You can use it only for changing product keys, activating Windows 8.1, or displaying a list of telephone numbers for activation.

VAMT

You can use VAMT to automate and centrally manage the volume and retail-activation process of Windows operating systems, Microsoft Office software, and certain other Microsoft products. VAMT manages volume activation by using MAK or KMS. VAMT is a standard Microsoft Management Console (MMC) snap-in, and it is available as part of Windows ADK. You can install VAMT on a computer that is running Windows 7, Windows Server 2008, or a newer version of the Windows operating system. You can use VAMT to manage and specify a group of computers to activate based on the following:

• AD DS

• Workgroup names

• IP addresses

• LDAP queries

Note: VAMT cannot manage volume activation for legacy Windows XP or Windows Server
2003 operating systems. However, you can still manage Microsoft Office 2010 or Microsoft Office
2013 on those two operating systems by using VAMT.
VAMT provides a single console for managing activations and for performing other activation-related tasks, such as the following:

• Adding and removing computers. VAMT can discover computers in a local environment by querying AD DS and workgroups, by the computer name or IP address, or by using LDAP.

• Discovering products. VAMT can discover Windows operating systems, Microsoft Office programs, and other products that are installed on client computers. It uses a Microsoft SQL Server database for storing discovery information and activation data.

• Monitoring activation status. You can use VAMT to gather product activation information such as the last five characters of a product key. You also can determine a product edition and whether the product has a licensed, grace, or unlicensed licensing state.

• Managing product keys. You can store multiple product keys and use VAMT to install these keys for remote client products. You also can determine the number of activations remaining for MAKs.

• Managing activation data. VAMT uses an SQL database to store activation data, and it can export this data to other VAMT hosts or to an archive in XML format.

• Reporting on volume licensing. VAMT can provide the licensing status of every computer in the database.

• Performing proxy authentication. If you are on a network that requires a user name and password to reach the Internet, VAMT enables you to sign in and perform proxy activation.

• Deploying Active Directory-based activation. VAMT can online-activate or proxy-activate an Active Directory-based activation object. When Active Directory-based activation is deployed, any new qualifying machines joined to the domain are activated automatically.

Volume Activation Management Tool (VAMT) Technical Reference
http://go.microsoft.com/fwlink/?LinkId=378220&clcid=0x409

Volume Activation Services

You can use the Volume Activation Services server role to issue and manage Microsoft software volume
licenses in a simplified and automated manner, to install and activate a KMS host key, and to configure
KMS. After this service is installed, you can use it to issue, monitor, and manage volume licenses for
Microsoft products that support volume activation based on computer account information in AD DS. You
can configure Active Directory-based activation and KMS activation when installing the Volume Activation
Services server role. This server role also includes the Volume Activation Tools console, which you can use
to activate and manage one or more volume activation license keys in AD DS or on a KMS host.
Question: What is the main benefit that VAMT provides for an environment without direct
Internet connectivity?

Troubleshooting Volume Activation


The steps you take to troubleshoot volume activation depend on whether the problem is associated with MAK activation or KMS activation.

MAK Activation Troubleshooting

Use the following list to troubleshoot common issues with MAK activation:

• Verify the activation status. You can verify activation status by looking for the Windows is activated message in the System properties. You also can run the slmgr.vbs -dli command.

• If your computer will not activate over the Internet, ensure that an Internet connection is available and that the computer has the correct TCP/IP settings. You also might need to set a proxy configuration from your browser. If the computer cannot connect to the Internet, try telephone activation.

• If Internet and telephone activation both fail, you will need to contact the Microsoft Product Activation Center.

KMS Activation Troubleshooting


Use the following list to troubleshoot common issues with KMS activation:

• Verify the activation status. You can verify activation status by looking for the Windows is activated message in the System properties. You also can run the slmgr.vbs -dli command.

• Ensure that the KMS service (SRV) resource record is present in DNS and that DNS does not restrict dynamic updates. If DNS restrictions are intentional, you will have to provide the KMS host write permission to the DNS database, or you will have to create the service (SRV) resource records manually.

• Ensure that firewalls and routers do not block TCP port 1688.

• If your computer will not activate, verify that the minimum number of clients required for activation contact the KMS host. Until the KMS host has a count of 25, it will not activate Windows clients, including Windows 8.1.

• Display the client Windows Application event log for event numbers 12288, 12289, and 12290 for possible troubleshooting information.
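The KMS checklist above, together with the activation-status check (slmgr.vbs -dli) and the SRV-record discovery described earlier in this lesson, as a read-only Windows PowerShell diagnostic; this is an added example, not course material. It assumes a Windows 8.1 client (for the Resolve-DnsName and Test-NetConnection cmdlets) and an elevated prompt; the domain and KMS host are read from the machine rather than assumed.

```powershell
# Added example (not course material): client-side KMS activation checks.
# Assumes Windows 8.1 (Resolve-DnsName, Test-NetConnection) and an elevated prompt.
$windowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'   # SPP application ID of Windows
$statusNames  = @{ 0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'OOB grace'; 3 = 'OOT grace';
                   4 = 'Non-genuine grace'; 5 = 'Notification'; 6 = 'Extended grace' }

# 1. Activation status: the same data that "slmgr.vbs -dli" reports.
$product = Get-CimInstance -ClassName SoftwareLicensingProduct |
           Where-Object { $_.ApplicationID -eq $windowsAppId -and $_.PartialProductKey }
$service = Get-CimInstance -ClassName SoftwareLicensingService
Write-Host ("Edition  : {0}" -f $product.Name)
Write-Host ("Status   : {0}" -f $statusNames[[int]$product.LicenseStatus])
Write-Host ("Key ends : {0}" -f $product.PartialProductKey)
Write-Host ("Channel  : {0}" -f $product.ProductKeyChannel)      # KMS clients show Volume:GVLK
if ($product.GracePeriodRemaining -gt 0) {
    # Minutes left of the 180-day KMS activation unless the 7-day renewal succeeds.
    Write-Host ("Renew in : {0:N1} days" -f ($product.GracePeriodRemaining / 1440))
}

# 2. Which KMS host the client will use: a registry override (set with slmgr /skms)
#    wins; otherwise the _vlmcs._tcp SRV record for the computer's DNS domain.
$kmsHost = $service.KeyManagementServiceMachine
$kmsPort = if ($service.KeyManagementServicePort) { $service.KeyManagementServicePort } else { 1688 }
if (-not $kmsHost) {
    $domain = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain
    try {
        $srv = Resolve-DnsName -Name "_vlmcs._tcp.$domain" -Type SRV -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' } |
               Sort-Object Priority, Weight | Select-Object -First 1
        $kmsHost = $srv.NameTarget
        $kmsPort = $srv.Port
        Write-Host ("SRV      : _vlmcs._tcp.{0} -> {1}:{2}" -f $domain, $kmsHost, $kmsPort)
    } catch {
        Write-Warning "No _vlmcs._tcp SRV record for $domain and no KMS host set in the registry."
    }
}

# 3. Is the anonymous RPC port (1688 unless changed on the host) reachable end to end?
if ($kmsHost) {
    $open = Test-NetConnection -ComputerName $kmsHost -Port $kmsPort -InformationLevel Quiet
    Write-Host ("TCP {0}:{1} reachable: {2}" -f $kmsHost, $kmsPort, $open)
}

# 4. Latest Software Protection Platform events named in the checklist
#    (12288 = activation request sent, 12289 = KMS response received, 12290).
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 12288, 12289, 12290 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```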

Active Directory-Based Activation Troubleshooting


Use the following list to troubleshoot common issues with Active Directory-based activation:

• Verify the activation status. You can verify activation status by looking for the Windows is activated message in the System properties. You also can run the slmgr.vbs -dli command.

• Ensure that computers can communicate with domain controllers. This includes network connectivity and DNS name resolution.

• Ensure that there is at least one activation object in the AD DS configuration partition. If there are two activation objects, one for client and one for server operating systems, the client object can be safely deleted because the server object will activate both clients and servers.

• Active Directory-based activation is available only for domain-joined computers. If you remove a computer from the domain, activation will fail on the next activation attempt.

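The Active Directory-based activation checklist above, and the volume activation process described earlier in this lesson, as an added PowerShell check (not course material). It assumes a domain-joined Windows 8.1 client, and it uses the schema names that the Windows Server 2012 schema extension defines for activation objects (class msSPP-ActivationObject under CN=Activation Objects,CN=Microsoft SPP,CN=Services in the configuration partition) and the ADActivationObjectName property of the SoftwareLicensingProduct WMI class, neither of which the lesson text names.

```powershell
# Added example (not course material): read-only checks for Active Directory-based
# activation from a domain-joined Windows 8.1 client. Any authenticated user can read
# the configuration partition, so no special rights are assumed.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    Write-Warning "$($cs.Name) is not domain-joined; Active Directory-based activation does not apply."
    return
}

# 1. Reach a domain controller over LDAP and locate the configuration partition.
try {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = [string]$rootDse.configurationNamingContext
    Write-Host ("Domain controller : {0}" -f [string]$rootDse.dnsHostName)
} catch {
    Write-Warning "LDAP bind to a domain controller failed: $($_.Exception.Message)"
    return
}

# 2. Enumerate activation objects (schema class msSPP-ActivationObject) under
#    CN=Activation Objects,CN=Microsoft SPP,CN=Services in the configuration partition.
$container = "LDAP://CN=Activation Objects,CN=Microsoft SPP,CN=Services,$configNc"
try {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$container)
    $searcher.Filter = '(objectClass=msSPP-ActivationObject)'
    $results  = $searcher.FindAll()
} catch {
    Write-Warning "Container not found; the schema is probably not extended to the Windows Server 2012 level."
    return
}
if ($results.Count -eq 0) {
    Write-Warning "No activation objects exist yet; clients will fall back to KMS discovery."
} else {
    foreach ($r in $results) {
        $p = $r.Properties          # property names are stored in lower case
        Write-Host ("Activation object : {0}" -f ($p['cn'] -join ''))
        Write-Host ("  partial CSVLK   : ...{0}" -f ($p['msspp-csvlkpartialproductkey'] -join ''))
        Write-Host ("  KMS IDs covered : {0}" -f @($p['msspp-kmsids']).Count)
        Write-Host ("  DN              : {0}" -f ($p['distinguishedname'] -join ''))
    }
}

# 3. What this client recorded the last time its licensing service activated.
$windowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'   # SPP application ID of Windows
$product = Get-CimInstance -ClassName SoftwareLicensingProduct |
           Where-Object { $_.ApplicationID -eq $windowsAppId -and $_.PartialProductKey }
if ($product.ADActivationObjectName) {
    Write-Host ("Client activated by object '{0}' ({1})" -f $product.ADActivationObjectName, $product.ADActivationObjectDN)
} else {
    Write-Host 'Client records no Active Directory activation object; check that it uses a generic VLK (channel Volume:GVLK) and its activation status.'
}
```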
Volume Activation Troubleshooting
http://go.microsoft.com/fwlink/?LinkId=378221&clcid=0x409
Question: Will the user be notified immediately if a Windows 8.1 computer cannot
reactivate by using a KMS host?

Lab C: Deploying a Windows 8.1 Image

Scenario

A. Datum has captured a reference Windows 8.1 image. You have been asked to perform the offline update of the image by injecting the driver and enabling the Telnet Client feature. You also will deploy the updated image and test the changes.

Objectives
After completing this lab, you will be able to:

• Perform offline servicing and deploy a Windows 8.1 image.

Lab Setup
Estimated Time: 60 minutes
Virtual machine: 20687D-LON-DC1, 20687D-LON-CL1, and 20687D-LON-REF1
User name: Adatum\Administrator
Password: Pa$$w0rd

In this lab, students are using the Windows 8.1 image that they started capturing at the end of the
previous lab. If the capture process has not yet finished or if you decided to skip Lab B, be aware that
LON-CL1 includes the pre-created image E:\labfiles\mod02\sources\install.wim, which can be used
instead.

Exercise 1: Performing Offline Servicing and Deploying a Windows 8.1 Image

Scenario

Students will mount a Windows 8.1 image and perform offline servicing of the image by injecting the driver. They then will unmount the image and apply it to the LON-REF1 computer.

The main tasks for this exercise are as follows:

1. Perform offline servicing of the Windows image.

2. Use Deployment Image Servicing and Management (DISM) to deploy a Windows image.

Task 1: Perform offline servicing of the Windows image

1. Sign in to LON-CL1 as Adatum\Administrator.

2. Use File Explorer to verify that the C:\mount folder is empty.

3. Use Dism.exe to mount the image E:\labfiles\mod02\share\Win81.wim in the C:\mount folder by using image index 1.

Note: If image Win81.wim is not yet captured or you did not capture it in the previous lab, you can use E:\labfiles\mod02\sources\install.wim instead.

4. Use the dir command to view driver packages in the mounted Windows 8.1 image.

5. Use Dism.exe to inject the driver E:\Labfiles\Mod02\Drivers\dc3dh.inf into the mounted image.

6. Use the dir command to confirm that the folder for the driver package has been created in the C:\mount\Windows\System32\DriverStore\FileRepository folder.

7. Use Dism.exe with the Get-Features parameter to list the Windows 8.1 features and their states in the mounted image.

8. Use Dism.exe to enable the Telnet Client feature in the mounted image.

9. Use Dism.exe with the Unmount-Wim parameter to unmount the image and commit the changes.

Task 2: Use Deployment Image Servicing and Management (DISM) to deploy a Windows image

1. On LON-REF1, use DiskPart to clean Disk 0.

2. Create a primary partition on the disk, format it with NTFS, and then assign drive letter C to the volume.

3. Use Dism.exe to apply the image win81.wim, located on drive G, to volume C.

4. Use the dir command to verify that the Windows 8.1 image has been applied to drive C.
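The two tasks above as a PowerShell script; this is an added example, not the lab's own answer key. It assumes Task 1 runs elevated on LON-CL1 and Task 2 runs on LON-REF1 from a Windows PE prompt with PowerShell available; the image index (1), the feature name (TelnetClient) and the driver-store folder prefix (dc3dh.inf_*) are assumptions, while the paths are the lab's.

```powershell
# Added example (not the lab's own code): Task 1 and Task 2 as two functions.
# Assumptions: index 1 is the image to service, the feature is named TelnetClient,
# and the injected driver's store folder starts with dc3dh.inf_.
$ErrorActionPreference = 'Stop'

function Invoke-Dism {
    # Runs dism.exe and throws on a non-zero exit code, so a failed step never
    # leads to committing a half-serviced image.
    param([Parameter(Mandatory)][string[]]$Arguments)
    & dism.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "dism.exe $($Arguments -join ' ') failed (exit $LASTEXITCODE)" }
}

function Invoke-OfflineServicing {
    # Task 1, run elevated on LON-CL1.
    param(
        [string]$Wim    = 'E:\labfiles\mod02\share\Win81.wim',   # or E:\labfiles\mod02\sources\install.wim
        [string]$Mount  = 'C:\mount',
        [string]$Driver = 'E:\Labfiles\Mod02\Drivers\dc3dh.inf'
    )
    $repo = Join-Path $Mount 'Windows\System32\DriverStore\FileRepository'
    if (-not (Test-Path $Mount)) { New-Item -ItemType Directory -Path $Mount | Out-Null }
    if (Get-ChildItem -Path $Mount) { throw "$Mount is not empty; unmount or clean it first" }    # step 2

    Invoke-Dism '/Mount-Wim', "/WimFile:$Wim", '/Index:1', "/MountDir:$Mount"                    # step 3
    try {
        Write-Host ("Driver packages before: {0}" -f @(Get-ChildItem $repo -Directory).Count)   # step 4
        Invoke-Dism "/Image:$Mount", '/Add-Driver', "/Driver:$Driver"                           # step 5
        Get-ChildItem $repo -Directory -Filter 'dc3dh.inf_*' | Select-Object Name               # step 6
        Invoke-Dism "/Image:$Mount", '/Get-Features', '/Format:Table'                           # step 7
        Invoke-Dism "/Image:$Mount", '/Enable-Feature', '/FeatureName:TelnetClient'             # step 8
        Invoke-Dism '/Unmount-Wim', "/MountDir:$Mount", '/Commit'                               # step 9
    } catch {
        Write-Warning "Servicing failed, discarding changes: $_"
        & dism.exe /Unmount-Wim /MountDir:$Mount /Discard
        throw
    }
}

function Invoke-ImageDeployment {
    # Task 2, run on LON-REF1 from Windows PE with the WIM on drive G.
    param([string]$Wim = 'G:\win81.wim', [string]$Target = 'C:')
    # DiskPart script for steps 1 and 2. "clean" wipes Disk 0, which is why this
    # is only ever run on the reference machine.
    $dpScript = Join-Path $env:TEMP 'lab-disk0.txt'
    @(
        'select disk 0', 'clean',
        'create partition primary',
        'format fs=ntfs quick',
        "assign letter=$($Target.TrimEnd(':'))"
    ) | Set-Content -Path $dpScript -Encoding ASCII
    & diskpart.exe /s $dpScript
    if ($LASTEXITCODE -ne 0) { throw "diskpart failed (exit $LASTEXITCODE)" }

    Invoke-Dism '/Apply-Image', "/ImageFile:$Wim", '/Index:1', "/ApplyDir:$Target\"             # step 3
    Get-ChildItem -Path "$Target\" -Directory | Select-Object Name                               # step 4
}
```

Call Invoke-OfflineServicing on LON-CL1 and Invoke-ImageDeployment on LON-REF1; each function stops at the first failing command instead of continuing with a partially serviced or partially applied image.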

Results: After completing this exercise, you should have updated a Windows 8.1 installation image.

Prepare for the next module

When you are finished with the lab, revert all virtual machines back to their initial state:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20687D-LON-CL1, and then click Revert.

3. In the Revert Virtual Machines dialog box, click Revert.

4. Repeat steps 2 through 3 for 20687D-LON-DC1 and 20687D-LON-REF1.

Module Review and Takeaways


Review Questions
Question: Can you use the Client Hyper-V feature on 32-bit versions of Windows 8.1
Enterprise?
Question: One of your users has been promoted to a new position and has been given a
new computer. The user needs the new apps that the job requires. The user also needs to
have the documents and settings from the old Windows 7 computer transferred to the new
computer. How should you perform the Windows 8.1 installation?

Module 3
Tools Used for Configuring and Managing Windows 8.1
Contents:
Module Overview 3-1
Lesson 1: Tools Used to Perform Local and Remote Management of Windows 8.1 3-2
Lesson 2: Using Windows PowerShell to Configure and Manage Windows 8.1 3-9
Lesson 3: Using Group Policy to Manage Windows 8.1 3-16
Lab: Using Management Tools to Configure Windows 8.1 Settings 3-22
Module Review and Takeaways 3-27

Module Overview

The Windows 8.1 operating system provides several methods to configure operating system components
while signed in locally or connected remotely. This module describes the primary management tools in
Windows 8.1 and the scenarios for using them.

Objectives
After completing this module, you will be able to:

• Identify the tools used to perform local and remote management of Windows 8.1.

• Use Windows PowerShell to configure and manage Windows 8.1.

• Use Group Policy to manage Windows 8.1.

Lesson 1
Tools Used to Perform Local and Remote Management of Windows 8.1

This lesson describes Windows 8.1 management tools and how to use them. To simplify remote management of computers that are running Windows 8.1, you can use many of the administrative tools to connect to a remote computer. However, you need to configure Windows 8.1 properly to allow remote administration. You also can use Remote Desktop and Windows Remote Assistance for remote administration of computers that run Windows 8.1. This lesson also describes Remote Server Administration Tools (RSAT), which is a collection of server administration tools that you can install on computers that run Windows 8.1.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe Windows 8.1 administrative tools.

• Explain how to create custom Microsoft Management Console (MMC) configurations.

• Describe the functionality of Windows PowerShell.

• Describe remote management in Windows 8.1.

• Describe RSAT in Windows 8.1.

Windows 8.1 Administrative Tools

Windows 8.1 contains many administrative tools that you can use to configure and manage a Windows 8.1 computer. The Administrative Tools item in Control Panel provides access to the key tools you can use to manage Windows 8.1. The following tools are included in the Administrative Tools item in Control Panel:

• Component Services. Use to configure Microsoft Component Services (COM+) and Distributed Component Object Model (DCOM) applications. In most cases, you do not use this tool unless a vendor directs you to do so to resolve an application issue.

• Computer Management. Contains a number of commonly used tools in a single console: Task Scheduler, Event Viewer, Shared Folders, Local Users and Groups, Performance, Device Manager, Disk Management, Services, and WMI Control.

• Defragment and Optimize your drives. Use to defragment hard disks to increase overall disk performance. Normally, you do not need to run this tool because defragmentation is scheduled once per week by default.

• Disk Cleanup. Use to scan your hard disks for temporary files and other files that can be removed without affecting the performance of Windows 8.1 or your apps. You can use this tool to free up disk space quickly without removing data or apps.

• Event Viewer. Use to view and search event logs to diagnose and troubleshoot app, service, and operating system issues.

• iSCSI Initiator. Use to connect Windows 8.1 to an Internet SCSI (iSCSI) target and use the iSCSI target as storage.

• Local Security Policy. Use to configure local security settings in Windows 8.1. In most cases, you will use Group Policy to configure computers that run Windows 8.1 instead of the local security settings.

• ODBC Data Sources (32-bit). Use to configure Open Database Connectivity (ODBC) connections to data sources for 32-bit apps.

• ODBC Data Sources (64-bit). Use to configure ODBC connections to data sources for 64-bit apps.

• Performance Monitor. Use to view real-time performance data, and to record and view historical performance and configuration data.

• Print Management. Use to configure local printers and remote print servers in a single console.

• Resource Monitor. Use to view real-time central processing unit, memory, hard disk, and network resource utilization.

• Services. Use to configure the startup type for services and the credentials that are used by services.

• System Configuration. Use to control the startup process for Windows 8.1 by disabling programs or services that run at startup. You also can set some boot options, such as the default operating system on a multiboot system.

• System Information. Use to view information about the hardware and software configuration of a computer that runs Windows 8.1. The information that displays includes drivers, startup programs, and hardware resources.

• Task Scheduler. Use to create scheduled tasks. You also can review the scheduled tasks that are created during the installation of Windows 8.1.

• Windows Firewall with Advanced Security. Use to create and manage rules for Windows Firewall.

• Windows Memory Diagnostic. Use to identify problems with physical memory.

• Windows PowerShell (x86). Use to open a command prompt in the Windows PowerShell command-line interface (CLI) that you can use to manage Windows 8.1.

• Windows PowerShell ISE. Use to simplify the development of Windows PowerShell scripts. This tool provides color-coded error checking as you enter Windows PowerShell Integrated Scripting Environment (ISE) commands. Windows PowerShell ISE also provides a list of available parameters for cmdlets.

Creating Custom Management Console Configurations

The MMC is an environment for loading snap-ins that provide administrative functionality. The MMC provides the basic framework for building an administrative tool, and snap-ins provide the specific functionality that is required to perform an administrative task. Most of the administrative tools in Windows 8.1 are snap-ins that are loaded into the MMC. The Computer Management administrative tool is a combination of multiple snap-ins that are loaded into the MMC. The snap-ins for managing Windows 8.1 are included as part of a Windows 8.1 installation. Snap-ins for managing specific apps typically are included as part of an installation for that app. For example, the snap-in for managing Microsoft Exchange Server 2010 installs as an option from the Exchange 2010 installation media.

Not all snap-ins have a corresponding administrative tool. To use a snap-in that is not part of an existing administrative tool, you need to create a custom management console that includes the snap-in. Snap-ins that are not part of an administrative tool include:

• Certificates. Use this snap-in to manage certificates for users and the local computer.

• NAP Client Configuration. Use this snap-in to manage the client for Network Access Protection (NAP) to ensure computer health before network access is granted.

• Resultant Set of Policy. Use this snap-in to view reports on Group Policy application.

You also can create customized MMC configurations with snap-ins that you commonly use. Customized
MMC configurations increase your productivity by eliminating the need to open multiple administrative
tools. After you create a custom management console, you can save it as an .msc file. Once the .msc file is
saved, you can reuse it later or share it with other administrators.

Creating a Custom Management Console


To create a custom management console, perform the following procedure:

1. From the Start screen, type MMC, and then click the mmc tile or press Enter.

2. From the MMC window, click File, and then click Add/Remove Snap-in.

3. Choose one or more snap-ins from the list of available snap-ins, and then click OK.

4. When you close the console window, click Yes when prompted to save the custom management console, and then save the file to a convenient location.

After these steps are complete, you can double-click the saved console app to open the MMC with the
snap-ins that you specified in step 3 already loaded.

Overview of Windows PowerShell

Windows PowerShell is an integrated shell environment that enables scriptable, flexible, and comprehensive management of Windows 8.1. Windows PowerShell has several important characteristics that make it ideal for local and remote management of one or more Windows 8.1 computers:

• Windows operating system integration. Windows PowerShell 1.0 was introduced as an installable option for Windows Vista and as a feature for Windows Server 2008. Windows PowerShell 2.0 was part of Windows 7 and Windows Server 2008 R2. Windows PowerShell 3.0 is part of Windows 8 and Windows Server 2012. Windows PowerShell 4.0, the most recent version, is part of Windows 8.1 and Windows Server 2012 R2. So, for every Windows operating system version since Windows 7 and Windows Server 2008 R2, Windows PowerShell is supported natively.

• Remote management capability. You can use Windows PowerShell to manage remote computers, provided remote management is enabled and the user who is performing the remote management has the proper authorization.

• Script-based execution. You can use Windows PowerShell scripts to build automation and complex logic into management tasks.

Commands provide Windows PowerShell's main functionality. These come in many varieties: cmdlets (pronounced command-lets), functions, workflows, and more. These commands are building blocks, designed to be pieced together to implement complex and customized processes and procedures. Windows PowerShell provides a CLI that you can use to enter cmdlets interactively. However, Windows PowerShell is not restricted to the command line. For example, the Active Directory Administrative Center in Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 is a GUI that uses Windows PowerShell to perform all of its tasks.

This architecture and the ability to use Windows PowerShell directly as a CLI, or to use it through a
GUI that embeds the shell, is intended to help increase consistency and coverage for administrative
capabilities. For example, an administrator might rely completely on a GUI app to perform tasks.
However, if the administrator must perform some task or implement some process that the GUI does not
explicitly support, the administrator instead can use the shell directly. When correctly implemented, this
architecture helps ensure that anything that can be done in the GUI also can be done in the CLI, with the
CLI offering the additional ability to customize processes and procedures.

Overview of Remote Management


Many of the tools that you use to manage a local Windows 8.1 computer also can remotely manage a Windows 8.1 computer. By using remote management of Windows 8.1, you can manage computers that are running Windows 8.1 without physically accessing the computer or interrupting a user who is already signed in and working.

Administrative tools perform remote management of Windows 8.1 through remote procedure calls (RPCs) or by using Windows Remote Management (WinRM). The method used varies based on the administrative tool and is not configurable. By default, remote management is not enabled on Windows 8.1 computers. You need to allow remote access to Windows 8.1 computers. The method for allowing remote access is different for RPC and WinRM. In a domain environment, you typically configure remote management settings by using Group Policy.

RPC

Remote management by using RPC requires the Remote Procedure Call (RPC) and RPC Endpoint Mapper services to be running. These two services are configured to start automatically. You also need to configure Windows Firewall to allow remote management. Because RPC-based tools first contact the endpoint mapper on TCP port 135 and are then redirected to a dynamically assigned port, enable the predefined rule groups rather than opening individual ports. You can enable predefined rules in Windows Firewall to allow remote management for specific parts of Windows 8.1, such as:

Event logs (the Remote Event Log Management rule group)

Scheduled tasks (the Remote Scheduled Tasks Management rule group)

Services (the Remote Service Management rule group)

Volumes (the Remote Volume Management rule group)

Windows Firewall (the Windows Firewall Remote Management rule group)

WinRM

WinRM is a web service that provides remote management access to Windows 8.1. Remote management by using WinRM requires you to start the Windows Remote Management (WS-Management) service, which has a manual startup type by default, and to configure a listener. A WinRM listener configures the web service to listen on a specific port. The default port for WinRM over HTTP is 5985; an HTTPS listener, which requires a server certificate, uses port 5986. Even on the HTTP listener, WinRM encrypts the message body when Kerberos or NTLM authentication is negotiated, which is why an HTTP listener is acceptable inside a domain. Basic authentication over HTTP would send the password in the clear, and it is disabled in the service by default.

In most cases, you will want to configure WinRM with the default configuration that apps expect. To configure WinRM manually with the default configuration, run winrm quickconfig from an elevated command prompt. The quickconfig option configures the service to start automatically, creates an HTTP listener on port 5985, and configures Windows Firewall to allow remote communication on port 5985.

In large organizations, manually configuring WinRM on each computer is not feasible because it is too time-consuming. Instead, you can use Group Policy to perform all of the necessary actions.
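The following script, added here as an example and not taken from the course, audits the WinRM state that winrm quickconfig (or Group Policy) leaves behind on a Windows 8.1 computer: service status and start mode, the listeners and their ports, the two service settings that weaken the transport if someone changes them (AllowUnencrypted and Basic authentication), the firewall rule group, and a loopback Test-WSMan. It only reads configuration. It assumes an elevated Windows PowerShell 4.0 session on the computer being checked.

```powershell
# Added example (not from the course): audit the WinRM state that winrm quickconfig or
# Enable-PSRemoting leaves behind. Read-only; run in an elevated Windows PowerShell 4.0
# session on the Windows 8.1 computer you are checking.

function Get-WinRMStatus {
    [CmdletBinding()]
    param()

    $service   = Get-Service -Name WinRM
    $startMode = (Get-WmiObject -Class Win32_Service -Filter "Name='WinRM'").StartMode
    $listeners = @()
    $allowUnencrypted = $null
    $basicAuth = $null

    if ($service.Status -eq 'Running') {
        # The WSMan: drive is only available while the service is running.
        foreach ($listener in Get-ChildItem -Path WSMan:\localhost\Listener) {
            $props = Get-ChildItem -Path $listener.PSPath
            $listeners += [pscustomobject]@{
                Transport = ($props | Where-Object Name -eq 'Transport').Value
                Port      = ($props | Where-Object Name -eq 'Port').Value
                Address   = ($props | Where-Object Name -eq 'Address').Value
            }
        }
        # Both should read "false" on a hardened client: AllowUnencrypted=true turns off
        # message-level encryption, and Basic auth on an HTTP listener sends the password in the clear.
        $allowUnencrypted = (Get-Item -Path WSMan:\localhost\Service\AllowUnencrypted).Value
        $basicAuth        = (Get-Item -Path WSMan:\localhost\Service\Auth\Basic).Value
    }

    [pscustomobject]@{
        ServiceStatus    = $service.Status
        StartMode        = $startMode
        Listeners        = $listeners
        AllowUnencrypted = $allowUnencrypted
        BasicAuth        = $basicAuth
        FirewallRules    = Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' |
                               Select-Object DisplayName, Enabled, Profile
    }
}

$status = Get-WinRMStatus
$status | Format-List ServiceStatus, StartMode, AllowUnencrypted, BasicAuth
$status.Listeners     | Format-Table -AutoSize
$status.FirewallRules | Format-Table -AutoSize

# End-to-end check: does the listener answer on the default HTTP port 5985?
try {
    Test-WSMan -ComputerName localhost -ErrorAction Stop | Out-Null
    Write-Host 'WinRM listener is reachable on localhost.' -ForegroundColor Green
} catch {
    Write-Warning "WinRM is not reachable: $($_.Exception.Message)"
}
```

If the listener list is empty while the service is running, quickconfig was never run (or the listener was deleted); if AllowUnencrypted or BasicAuth reads true, someone has relaxed the defaults and the setting should be put back before the computer is exposed to remote management.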

Remote Desktop

Remote Desktop allows you to connect to a remote computer and have the desktop of that remote computer display locally. When you connect, you sign in just as you would if you were sitting in front of the computer. This allows you to sign in and run apps just as a user would for troubleshooting.

Some organizations also provide remote access for users by using Remote Desktop and the Remote Desktop Gateway on Windows Server 2012 R2. This allows users to control their own desktop computer remotely and have access to all of their data and apps.

When users connect remotely, you can allow the redirection of printers and local drives. Printer redirection allows you to print from an app on a remote computer and have it print on a local printer. Drive redirection allows you to save files from a remote computer on a local computer.

By default, Remote Desktop is not enabled. You can enable and configure Remote Desktop in the System Properties or by using Group Policy. Any necessary firewall rules for Windows Firewall are configured when you enable Remote Desktop. Keep the default option that allows connections only from computers running Remote Desktop with Network Level Authentication; it requires the user to authenticate before a session is created on the computer.

By default, local Administrators are allowed to connect remotely, but you can add any users or groups that are required. When you add users or groups, they are made members of the Remote Desktop Users local group, which has the right to connect by using Remote Desktop.

Windows Remote Assistance

When you use Remote Desktop, you need to sign in to the remote computer. This creates a session for
your user account and disconnects a user that is signed in. You cannot view what the user is doing. You
can use Windows Remote Assistance to view the desktop of a computer when a user is signed in, and
you see what the user sees. You also can request to take control of the mouse and keyboard to perform
troubleshooting. The ability to connect to an existing user session is useful for troubleshooting problems
that might relate to user-specific configurations, such as permissions or settings in the user profile.

You can offer remote assistance to a user on a remote computer, or a user on a remote computer can
request assistance. When you offer remote assistance, you connect to a remote computer by name or
IP address, and the user is prompted to allow remote assistance. When users request remote assistance,
they can generate an invitation file that you open to connect, or you can use Easy Connect. Easy Connect
requires you to enter a 12-character password that the user selects. Easy Connect works over the Internet
if Peer Name Resolution Protocol is allowed through all firewalls.
By default, Windows Remote Assistance is not enabled. You enable Windows Remote Assistance in the System Properties. There are no permissions to configure for Windows Remote Assistance, because each connection is allowed or refused by the user who is signed in at the time the helper connects.

Overview of RSAT
RSAT is a collection of server administration tools that can be installed on a Windows 8.1 computer. RSAT includes Server Manager, MMC snap-ins, Windows PowerShell providers, and command-line tools for managing Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, and some Windows Server 2003 roles and features.

RSAT for Windows 8.1 includes management tools for the following Windows roles and features:

Active Directory Certificate Services (AD CS)

Active Directory Domain Services (AD DS)

BitLocker Drive Encryption

Dynamic Host Configuration Protocol (DHCP) Server

DirectAccess

Domain Name System (DNS) Server

Failover clustering

File and Storage Services

IP Address Management

NIC Teaming

Network Load Balancing

Remote Desktop Services

Simple Mail Transfer Protocol (SMTP) server

Windows System Resource Manager

Windows Server Update Services

Lesson 2

Using Windows PowerShell to Configure and Manage Windows 8.1

You can use Windows PowerShell for system administration, as an alternative to more complex scripting languages such as Microsoft Visual Basic, Scripting Edition (VBScript). You can perform relatively complex administrative tasks by using scripts or the Windows PowerShell pipeline. To simplify creating and editing scripts, you can use Windows PowerShell ISE. You also can perform remote administration by using Windows PowerShell. This lesson introduces the important Windows PowerShell concepts and explains how to use Windows PowerShell for local and remote management of Windows 8.1 computers.

Lesson Objectives
After completing this lesson, you will be able to:

Describe Windows PowerShell.

Identify the key features in Windows PowerShell 4.0.

Describe Windows PowerShell ISE.

Use Windows PowerShell ISE.

Describe how to use Windows PowerShell scripts to manage Windows 8.1.

Describe Windows PowerShell remoting.

Use Windows PowerShell remoting.

Overview of Windows PowerShell


Windows PowerShell is a command-line shell that is designed for system administration. You can use Windows PowerShell to run individual cmdlets that perform actions or scripts that use cmdlets. Using Windows PowerShell is much simpler than using other scripting languages such as VBScript.

Windows PowerShell uses Windows PowerShell drives to provide access to data stores. These drives present data in a format similar to a file system, so the same cmdlets (Get-ChildItem, Get-Item, Get-ItemProperty, and so on) work against all of them. Some common Windows PowerShell drives are as follows:

The C: drive is the local file system C: drive.

The Cert: drive is the local certificate store.

The Env: drive contains the environment variables that are stored in memory.

The HKCU: drive is the HKEY_CURRENT_USER portion of the registry.

The HKLM: drive is the HKEY_LOCAL_MACHINE portion of the registry.

The Variable: drive contains the variables that are stored in memory.
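The following script is an added example, not part of the course, that walks the drives listed above with the same file-system style cmdlets and pulls one security-relevant fact from each: it checks Env: for PATH directories that standard users can write to (a writable PATH entry lets a non-administrator plant a program that a privileged process may load first), reads the machine-scope execution policy from HKLM:, lists code-signing certificates from Cert:, and shows the script's own variables through Variable:. It is read-only and makes no assumptions beyond a Windows 8.1 computer with Windows PowerShell 4.0.

```powershell
# Added example (not from the course): the same cmdlets work against every Windows PowerShell
# drive, so one read-only script can inspect the file system, registry, certificate store and
# environment. Nothing is modified.

# Which drives does this session expose, and which provider backs each one?
Get-PSDrive | Select-Object Name, Provider, Root | Format-Table -AutoSize

# Env: - return every PATH directory to which Users, Authenticated Users or Everyone
# hold an Allow entry that includes write access.
function Get-UserWritablePathEntry {
    $write = [System.Security.AccessControl.FileSystemRights]::Write
    $env:Path -split ';' | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | ForEach-Object {
        $dir = $_
        $acl = Get-Acl -LiteralPath $dir
        $writable = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -match '\\(Users|Authenticated Users)$|^Everyone$' -and
            (($_.FileSystemRights -band $write) -ne 0)
        }
        if ($writable) { $dir }
    }
}
$writablePaths = @(Get-UserWritablePathEntry)
"PATH entries writable by standard users: $($writablePaths.Count)"
$writablePaths

# HKLM: - the machine-scope execution policy is stored under this key when it is set
# with Set-ExecutionPolicy; the key is absent on a computer that still has the default.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'
Get-ItemProperty -Path $policyKey -Name ExecutionPolicy -ErrorAction SilentlyContinue |
    Select-Object ExecutionPolicy

# Cert: - which certificates in the current user's store could sign scripts?
Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
    Select-Object Subject, NotAfter, Thumbprint

# Variable: - the variables this script created, listed like files.
Get-ChildItem -Path Variable:\writablePaths, Variable:\policyKey | Select-Object Name, Value
```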

Cmdlets
Cmdlets use a naming convention of a verb or action, followed by a noun or a subject. For example, to
retrieve a list of services, you would use the Get-Service cmdlet. This standardization helps you learn
more easily how to accomplish administrative tasks.
Some common cmdlet verbs are:

Get retrieves data.

Set establishes or modifies data.

New creates a new object.

Each cmdlet has options called parameters. Some parameters are required, and some parameters are
optional. The parameters vary for each cmdlet.

The following example shows how to start the Application Identity service by using the Name parameter. The Name parameter takes the short service name (AppIDSvc), not the display name that the Services console shows; to address the service by its display name instead, use the DisplayName parameter.

Start-Service -Name AppIDSvc
Start-Service -DisplayName "Application Identity"

Note: The cmdlets that are available on a computer vary depending on the version of Windows PowerShell that is installed and on the modules and snap-ins with cmdlets that have been installed.

Compatibility with Command-Line Tools

You can run batch files and executable files at a Windows PowerShell command prompt. For example, you can run Ipconfig.exe at a Windows PowerShell command prompt, and it behaves exactly the same as if you ran it from a command prompt. This allows you to start using Windows PowerShell as your default command-line environment for administration.

In some cases, the arguments for a command contain characters that are reserved in Windows PowerShell, such as parentheses, braces, the dollar sign, or the at sign. In such a case, you can enclose the argument in single quotation marks so that Windows PowerShell passes it to the program unchanged. You also can use the grave accent (`) character to escape a single character, or place the stop-parsing token (--%, available in Windows PowerShell 3.0 and later) before the arguments so that everything after it is passed to the program exactly as typed. Native programs do not raise Windows PowerShell errors when they fail; check the $LASTEXITCODE variable after the call.

In rare cases, an executable file does not run correctly at a Windows PowerShell command prompt. You should test batch files to ensure that they work properly at a Windows PowerShell command prompt.
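The following block is an added example, not part of the course, that shows the three things that matter when driving native tools from Windows PowerShell: turning a tool's text output into objects, checking $LASTEXITCODE, and getting reserved characters past the parser. Ipconfig.exe and icacls.exe ship with Windows; the folder C:\Temp\Drop and the ACE granted on it are assumptions for the example, and the icacls calls change that folder's permissions.

```powershell
# Added example (not from the course): native command-line tools in Windows PowerShell.
# ipconfig.exe and icacls.exe ship with Windows; C:\Temp\Drop is an assumed test folder.

# 1. A native tool emits text. Parse it into objects so that it can be filtered like cmdlet output.
function Get-AdapterIPv4Address {
    $adapter = $null
    ipconfig.exe | ForEach-Object {
        if ($_ -match '^(Ethernet|Wireless|PPP)[^:]*:\s*$') {
            $adapter = $Matches[0].TrimEnd(':').Trim()
        } elseif ($_ -match 'IPv4 Address[ .]*:\s*(\S+)') {
            [pscustomobject]@{ Adapter = $adapter; IPv4Address = $Matches[1] }
        }
    }
}
Get-AdapterIPv4Address | Format-Table -AutoSize

# 2. Native tools report failure only through their exit code. Check it, or a failed
#    permission change passes silently inside a script.
$target = 'C:\Temp\Drop'   # assumption: a folder you are allowed to modify
New-Item -ItemType Directory -Path $target -Force | Out-Null

# 3. The ACE contains parentheses, which PowerShell would otherwise parse as a sub-expression.
#    Single quotes pass the argument through unchanged ...
icacls.exe $target /grant 'Users:(OI)(CI)R'
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

#    ... and the stop-parsing token hands the rest of the line to the program exactly as typed.
#    Nothing after --% is expanded, so the path has to be spelled out rather than taken from $target.
icacls.exe C:\Temp\Drop --% /grant Users:(OI)(CI)R
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# 4. Read the result back with the PowerShell-native cmdlet.
(Get-Acl -Path $target).Access |
    Where-Object { $_.IdentityReference.Value -like '*\Users' } |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags
```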

Using Windows PowerShell for Bulk Operations

Windows PowerShell is designed to work well for managing multiple computers or for performing
bulk operations in the Windows environment. You can leverage Windows PowerShell features, such as
variables, scripts, and system interoperability to encapsulate tedious and time-consuming management
tasks into scripts or cmdlets that only take seconds to run.

Key Features in Windows PowerShell 4.0


Windows PowerShell 4.0 includes several new features that improve Windows PowerShell functionality and enable greater management capability for Windows 8.1 PCs. Windows PowerShell 4.0 is backward compatible with previous versions of Windows PowerShell and includes several new features, such as:

Windows PowerShell Desired State Configuration (DSC). This feature enables you to deploy and manage configuration data for the Windows environment and software services. With DSC, you declare the desired state of one or more computers in a Configuration block, compile it into MOF documents, and then pass the output folder to the Start-DscConfiguration cmdlet to carry out the configuration. The Local Configuration Manager on each node applies the settings and can report whether the node still matches them.

Save-Help cmdlet. The Save-Help cmdlet now enables you to save help for modules that are installed on remote computers, so that computers without Internet access can be updated from a share.

The new default setting for execution policy in Windows Server 2012 R2 is RemoteSigned. The default on Windows 8.1 remains Restricted.

Support for Windows PowerShell Workflow debugging and remote script debugging.

Windows PowerShell Workflow will reconnect to managed nodes automatically after an unexpected crash or restart.

You can disconnect from and connect to existing sessions in Windows PowerShell Web Access.

You can open multiple Windows PowerShell Web Access windows in a single browser session.

For more information, see the following webpage on the Microsoft TechNet website.
What's New in Windows PowerShell
http://go.microsoft.com/fwlink/?LinkId=378231&clcid=0x409
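The following block is an added example, not part of the course, of the DSC workflow described above: a configuration that keeps the WinRM service running and disables AutoRun for all drive types, compiled to a MOF document and applied with Start-DscConfiguration. It uses only the Service and Registry resources that ship with Windows PowerShell 4.0. The node name localhost, the output path C:\DSC\ClientBaseline and the two chosen settings are assumptions; run it in an elevated session on the Windows 8.1 computer being configured.

```powershell
# Added example (not from the course): a minimal Desired State Configuration for a Windows 8.1
# client using the built-in Service and Registry resources. Node name, output path and the
# settings themselves are assumptions for the example.

Configuration ClientBaseline {
    param([string[]]$NodeName = 'localhost')

    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $NodeName {
        # Keep WinRM running so that the computer stays remotely manageable.
        Service WinRM {
            Name        = 'WinRM'
            StartupType = 'Automatic'
            State       = 'Running'
        }

        # Disable AutoRun for every drive type (policy value 0xFF), a common baseline item.
        Registry NoAutoRun {
            Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
            ValueName = 'NoDriveTypeAutoRun'
            ValueType = 'Dword'
            ValueData = '255'
            Ensure    = 'Present'
        }
    }
}

# Compiling the configuration writes one MOF document per node into the output path.
$mofPath = 'C:\DSC\ClientBaseline'
ClientBaseline -NodeName 'localhost' -OutputPath $mofPath

# Apply it through the Local Configuration Manager and wait for the result.
Start-DscConfiguration -Path $mofPath -Wait -Verbose

# Test-DscConfiguration returns True while the node matches the MOF and False as soon as
# something drifts, for example when someone stops the WinRM service by hand.
Test-DscConfiguration -Verbose
```

Because the MOF describes the desired state rather than a sequence of steps, re-applying it is harmless, and the Test-DscConfiguration call is what turns the configuration into a drift check that can be scheduled.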

What Is Windows PowerShell ISE?


You can create Windows PowerShell scripts by using a simple text editor. However, you can reduce the amount of troubleshooting that you perform for your scripts if you use Windows PowerShell ISE. Windows PowerShell ISE provides additional features that make it easier to create scripts:

Windows PowerShell ISE provides color-coding of cmdlets, parameters, and variables. This helps you visually identify syntax errors as you are typing or editing a script.

IntelliSense provides suggestions as you type. When you type a cmdlet or parameter, IntelliSense provides similar information to that provided by tab completion. This helps you minimize typographical errors and speeds up the entry of the script.

Line numbers and column numbers are displayed. This simplifies troubleshooting because error messages display the line number and column number where the error occurred.

Ability to run selected code. You can select a specific portion of a script to run. This allows you to test parts of a script as you create it.

Debugging tools. You can set breakpoints in a script and then query variable values to identify why errors are occurring, or to confirm that the values are correct.

A Commands pane. This provides a list of cmdlets and the parameters that are available for those cmdlets. In some cases, this removes the need to view help documentation for a cmdlet.

Multiple tabs for multiple scripts. You can have multiple scripts open at the same time, each contained on its own tab. This allows you to move content from one script to another.

Demonstration: Using Windows PowerShell ISE


In this demonstration, you will see how to:

Prepare the computer to run scripts.

Open and review a script.

Modify and test a script.

Run a script from the Windows PowerShell command prompt.

Demonstration Steps

Prepare the computer to run scripts

1. On LON-CL1, open Administrative Tools, and then open Windows PowerShell ISE.
2. In Windows PowerShell ISE, at the Windows PowerShell command prompt, use the Get-ExecutionPolicy cmdlet to view the current execution policy for scripts.

Open and review a script

1. In Windows PowerShell ISE, open E:\Labfiles\Mod04\Services.ps1.
2. Read the script, and then explain what the script is doing. Note the following:
   o Comments are green
   o Variables are red
   o Cmdlets are bright blue
   o Text in quotation marks is dark red

Modify and test a script

1. Select line 3 in the script, and then run the selection.
2. In the console pane, view the contents of the $services variable.
3. Run the script, and then read the output. Notice that it does not have multiple colors.
4. At the end of line 14, type -ForegroundColor $color.
5. Run the script, and then read the output. Notice that running services are green and services that are not running are red.
6. On line 16, type Write-Host "A total of $($services.Count) services were evaluated". The $( ) subexpression is required: inside a double-quoted string, $services.Count alone would expand only $services and print ".Count" literally.
7. Run the script.
8. In the Commands pane, build a Write-Host command with the following options:
   o BackgroundColor: Gray
   o ForegroundColor: Black
   o Object: Script execution is complete
9. Copy the command, and then paste it on line 17 of the script.
10. Run the script.
11. Save the script.

Run a script from the Windows PowerShell command prompt

1. Open a Windows PowerShell command prompt window.
2. At the command prompt, type Set-Location E:\Labfiles\Mod04, and then press Enter.
3. Type .\Services.ps1, and then press Enter.

Using Windows PowerShell Scripts


You can accomplish several tasks by using a
pipeline and multiple cmdlets. There might be
times when you need to run multiple cmdlets,
make choices, wait for tasks to complete, or run
the same code repeatedly. In these cases, you
can use a Windows PowerShell script to put all
of the steps together. A script is a text-based file
that includes at least one Windows PowerShell
command and is saved with a .ps1 extension.
You can create scripts to take input from the
command line, thereby enabling you to customize
how a script executes.

Execution Policy

By default, the execution policy does not allow Windows PowerShell scripts to execute automatically. This safeguards a computer by preventing unattended scripts from running without an administrator's knowledge. The execution policy is a safety feature, not a security boundary: anyone who can start powershell.exe can pass a different policy on its command line (for example, -ExecutionPolicy Bypass), so it protects against accidental execution, not against a determined attacker. You can set five execution policies:

Restricted. This is the default policy for Windows 8.1. It does not allow configuration files to load, nor does it allow scripts to run. The Restricted execution policy is perfect for any computer on which you do not run scripts, or on which you run scripts only rarely. Keep in mind that you could open the shell manually with a less restrictive execution policy.

AllSigned. This policy requires that a trusted publisher sign all scripts and configuration files, including scripts that are created on your local computer. This execution policy is useful for environments where you do not want to run any script unless it has a trusted digital signature. This policy needs additional effort because it requires you to digitally sign every script that you write, and then re-sign each script every time that you make any changes to it.

RemoteSigned. This policy requires that a trusted publisher sign all scripts and configuration files downloaded from the Internet. This execution policy is useful because it assumes that local scripts are ones that you create yourself and that you trust them. It does not require those scripts to be signed. Scripts that are downloaded from the Internet or received through email, however, are not trusted unless they carry an intact, trusted digital signature. Windows identifies such files by the Zone.Identifier alternate data stream that browsers and mail clients attach to them; the Unblock-File cmdlet removes it. You could still run those scripts by running the shell under a lesser execution policy, for example, or even by signing the script yourself. However, those are additional steps that you have to take, so it is unlikely that you would be able to run such a script accidentally or unknowingly.

Unrestricted. This policy loads all configuration files and runs all scripts. If you run a script that was downloaded from the Internet, you are warned about potential dangers and must give permission for the script to run. The Unrestricted execution policy typically is not appropriate for production environments because it provides little protection against accidentally or unknowingly running untrusted scripts.

Bypass. This policy loads all configuration files and runs all scripts. If you run a script that was downloaded from the Internet, the script will run without any warnings. This execution policy typically is not appropriate for production environments because it provides no protection against accidentally or unknowingly running untrusted scripts.

You can view the execution policy for a computer by using the Get-ExecutionPolicy cmdlet. Get-ExecutionPolicy -List shows the policy at each scope (MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine); the first scope that is not Undefined is the effective one. To configure the execution policy for the computer, you must open an elevated Windows PowerShell command prompt and then run the Set-ExecutionPolicy cmdlet. A policy delivered by Group Policy (the MachinePolicy and UserPolicy scopes) takes precedence and cannot be overridden by Set-ExecutionPolicy. After you configure the execution policy, you can run a script by typing its path.

Running a Script

When you run a script, you cannot provide just the name of the script; you need to provide the path to the script as well. If the file is not in the current directory, you can provide a complete path, such as C:\scripts\Myscript.ps1. You also can specify a relative path such as .\Myscript.ps1, which runs the script from the current directory.

The following script displays a list of files on drive C that have been modified in the last seven days.

$date = (Get-Date).AddDays(-7)
Get-ChildItem C:\ -Recurse | Where-Object {$_.LastWriteTime -gt $date}

The first line of this script gets the date seven days prior to the current date and puts it in a variable named $date. The second line of the script obtains a list of all of the files on drive C and uses Where-Object to filter the list of files to include only those that have a LastWriteTime that is greater than the value of $date.
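The following block is an added example, not part of the course, that ties the execution-policy discussion and the script above together: it writes a parameterized version of the "recently modified files" script to disk (the number of days and the root folder are taken from the command line, as the Using Windows PowerShell Scripts topic mentions), shows the policy at every scope, signs the script with a code-signing certificate, verifies the signature, and runs the script by path. The folder C:\Scripts and the presence of a code-signing certificate in Cert:\CurrentUser\My are assumptions; without such a certificate the signing step stops with an error.

```powershell
# Added example (not from the course): write, sign, verify and run a parameterized script.
# Assumptions: C:\Scripts is writable and Cert:\CurrentUser\My holds a code-signing certificate.

$scriptPath = 'C:\Scripts\Get-RecentFile.ps1'
New-Item -ItemType Directory -Path (Split-Path -Path $scriptPath) -Force | Out-Null

# The script body: the "files modified in the last N days" listing, with the number of days
# and the root folder supplied as parameters instead of being fixed in the script.
@'
[CmdletBinding()]
param(
    [string]$Path = 'C:\',
    [ValidateRange(1, 365)]
    [int]$Days = 7
)
$date = (Get-Date).AddDays(-$Days)
Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $date } |
    Select-Object FullName, LastWriteTime, Length
'@ | Set-Content -Path $scriptPath -Encoding UTF8

# The policy at every scope. The first scope that is not Undefined wins, and the two
# Group Policy scopes (MachinePolicy, UserPolicy) cannot be changed from the shell.
Get-ExecutionPolicy -List

# Sign the script. Under AllSigned an unsigned script, or one edited after signing, is refused;
# under RemoteSigned a signature is what lets a script that came from the Internet run.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
if (-not $cert) { throw 'No code-signing certificate found in Cert:\CurrentUser\My' }
Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert | Out-Null

# Verify before running: Status should be Valid, not HashMismatch (edited after signing),
# NotSigned, or UnknownError (signer not trusted on this computer).
$signature = Get-AuthenticodeSignature -FilePath $scriptPath
"Signature status: $($signature.Status), signed by $($signature.SignerCertificate.Subject)"

# Run it by path, passing arguments exactly as you would to a cmdlet.
& $scriptPath -Path 'C:\Windows\System32\drivers' -Days 30
```

Editing the signed file by even one character changes its hash, so the next Get-AuthenticodeSignature call reports HashMismatch and an AllSigned policy refuses to run it; this is the extra step the text above refers to when it says that changed scripts must be re-signed.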

Overview of Windows PowerShell Remoting


You use Windows PowerShell to connect to computers remotely and run scripts or query information. Some cmdlets use the ComputerName parameter to specify a remote computer that should be contacted. When you use the ComputerName parameter, you can provide a single computer name, a comma-separated list, or a variable that contains multiple computer names. You need to review the documentation for a cmdlet to determine whether it supports using the ComputerName parameter. Cmdlets that have their own ComputerName parameter, such as Get-Process and Get-EventLog, use their own protocol (typically RPC) and do not require WinRM.

This example shows how to query a list of processes from a remote computer.

Get-Process -ComputerName LON-DC1.adatum.com

Windows PowerShell Remoting

You can use Windows PowerShell remoting to run cmdlets or scripts on remote computers, regardless of whether the cmdlets support the ComputerName parameter. You also can use Windows PowerShell remoting to create a remote session at a Windows PowerShell command prompt or in Windows PowerShell ISE. Windows PowerShell remoting runs over WinRM.

To enable Windows PowerShell remoting, you need to use the Enable-PSRemoting cmdlet. The Enable-PSRemoting cmdlet configures WinRM if it is not already configured and configures all of the necessary permissions. By default, only members of the local Administrators group and the Remote Management Users group are allowed to connect. You also can use Group Policy to enable Windows PowerShell remoting.

This example shows how to retrieve a directory listing from a remote computer.

Invoke-Command -ComputerName LON-DC1.adatum.com -ScriptBlock {Get-ChildItem C:\}

This example shows how to run a script on a remote computer.

Invoke-Command -ComputerName LON-DC1.adatum.com -FilePath E:\Scripts\MyScript.ps1

Note: When you run a script on a remote computer, the script does not need to exist on the remote computer. The script is read on the local computer, and its contents are sent to the remote computer and run there.

This example shows how to create a remote session at a Windows PowerShell command prompt.

Enter-PSSession -ComputerName LON-DC1.adatum.com

Demonstration: Using Windows PowerShell Remoting

In this demonstration, you will see how to enable Windows PowerShell remoting on a client computer and how to use Windows PowerShell remoting in several basic scenarios.

Demonstration Steps

1. Ensure that you are signed in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. Ensure that you have the correct execution policy in place by running the command Set-ExecutionPolicy RemoteSigned.
3. Enable Windows PowerShell remoting.
4. Open a one-to-one connection to LON-DC1.
5. Get a list of processes that are running on LON-DC1.
6. Close the LON-DC1 connection.
7. Get a list of the most recent 10 Security event log entries from LON-CL1 and LON-DC1.
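The following script is an added example, not part of the course, that carries out the demonstration steps above and the remoting topic before it in one run: it enables remoting on the client, opens and closes a one-to-one session to LON-DC1, and then fans out to both computers for the ten newest Security events, continuing when one computer is unreachable and labelling each event with the computer it came from. The names LON-CL1, LON-DC1 and the Adatum account are the course's lab values and are assumptions for any other environment; run it from an elevated Windows PowerShell 4.0 session on LON-CL1.

```powershell
# Added example (not from the course): the remoting demonstration as a script.
# Assumptions: lab computers LON-CL1 and LON-DC1, run elevated on LON-CL1 as a domain administrator.

# 1. Execution policy and remoting on the local client. -Force suppresses the confirmation
#    prompts; -SkipNetworkProfileCheck is needed when a network adapter is classified as Public.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine -Force
Enable-PSRemoting -Force -SkipNetworkProfileCheck

# 2. One-to-one: a session to LON-DC1. Every script block sent to it runs on the domain controller.
#    (Enter-PSSession -Session $session gives the same session interactively; Exit-PSSession leaves it.)
$session = New-PSSession -ComputerName LON-DC1
Invoke-Command -Session $session -ScriptBlock {
    Get-Process | Sort-Object WorkingSet -Descending | Select-Object -First 5 Name, Id, WorkingSet
}
Remove-PSSession -Session $session

# 3. One-to-many: query several computers at once. SilentlyContinue keeps the run going when
#    one computer is down; the errors are collected in $remoteErrors for reporting.
$computers = 'LON-CL1', 'LON-DC1'
$events = Invoke-Command -ComputerName $computers `
    -ErrorAction SilentlyContinue -ErrorVariable remoteErrors -ScriptBlock {
        Get-EventLog -LogName Security -Newest 10 |
            Select-Object TimeGenerated, EventID, EntryType, Message
    }
foreach ($err in $remoteErrors) {
    Write-Warning "Could not query $($err.TargetObject): $($err.Exception.Message)"
}

# Remoting adds PSComputerName to every returned object, which is what keeps the two
# computers' entries apart once they are in one list.
$events |
    Sort-Object PSComputerName, TimeGenerated -Descending |
    Format-Table PSComputerName, TimeGenerated, EventID, EntryType -AutoSize

# 4. A typical audit question over the same data: successful (4624) and failed (4625)
#    logons per computer within the sample.
$events | Where-Object { $_.EventID -in 4624, 4625 } |
    Group-Object PSComputerName, EventID |
    Select-Object Name, Count
```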

Lesson 3

Using Group Policy to Manage Windows 8.1

Group Policy is an effective way to manage the configuration of Windows 8.1 computers. You can configure thousands of settings and enforce them on desktop computers. In addition to Group Policy settings, you can use Group Policy Preferences to configure the user environment with options such as printers and drive mappings. To ensure that you can implement Group Policy for your organization, you need to understand how Group Policy Objects (GPOs) are processed. You also should be aware of the tools that you can use to troubleshoot the application of Group Policy.

Lesson Objectives
After completing this lesson, you will be able to:

Describe GPOs and Group Policy settings.

Configure Group Policy settings.

Describe Group Policy Preferences.

Describe how to configure GPOs in a domain environment.

Configure domain-based GPOs.

Determine how GPOs are processed and applied.

What Are GPOs and Group Policy Settings?


Group Policy is a system for applying configuration settings to Windows clients and servers. You create GPOs that contain Group Policy settings. Domain-joined Windows 8.1 computers download and apply the settings in GPOs.

GPOs

A GPO is an object that contains one or more policy settings that apply configuration settings for users, computers, or both. GPOs in AD DS are stored in the SYSVOL share on domain controllers, and you can manage them by using the Group Policy Management Console (GPMC). Within the GPMC, you can open and edit a GPO by using the Group Policy Management Editor window. GPOs logically link to AD DS containers to apply settings to the objects in those containers.

Note: GPOs can link to AD DS sites, domains, and organizational units (OUs). GPOs cannot link to the default Computers or Users containers.

Group Policy Settings

A Group Policy setting is the most specific component of Group Policy. It defines a specific configuration change to apply to an object (a computer, a user, or both) within AD DS. Group Policy has thousands of configurable settings. These settings can affect nearly every area of the computing environment. Not all settings can be applied to all older versions of Windows Server and Windows operating systems. Each new version introduces new settings and capabilities that only apply to that specific version. If a computer has a Group Policy setting applied that it cannot process, it simply ignores it.

Most policy settings have three states:

Not Configured. The GPO will not modify the existing configuration of the particular setting for the user or computer.

Enabled. The policy setting will be applied.

Disabled. The policy setting is specifically reversed.

By default, most settings are set to Not Configured.

Note: Some settings are multivalued or have text string values. These typically provide specific configuration details to applications or operating system components. For example, a setting might provide the URL of the home page for Internet Explorer or a list of blocked applications.

The effect of the configuration change depends on the policy setting. For example, if you enable the Prohibit Access to Control Panel policy setting, users will be unable to open Control Panel. If you disable the policy setting, you ensure that users can open Control Panel. Notice the double negative in this policy setting: you disable a policy setting that prevents an action, thereby allowing the action.

Group Policy Settings Structure


There are two distinct areas of Group Policy settings:

User settings. These settings modify the HKEY_CURRENT_USER hive of the registry.

Computer settings. These settings modify the HKEY_LOCAL_MACHINE hive of the registry.

User and computer settings each have three areas of configuration, as described in the following table.

Section: Software settings
Description: Contains software settings that can deploy to either the user or the computer. Software that deploys or publishes to a user is specific to that user. Software that deploys to a computer is available to all users of that computer.

Section: Windows operating system settings
Description: Contains script settings and security settings for both user and computer, and Internet Explorer maintenance for the user configuration.

Section: Administrative templates
Description: Contains hundreds of settings that modify the registry to control various aspects of the user and computer environment. New administrative templates might be created by Microsoft or other vendors. You can add these new templates to the GPMC. For example, Microsoft has Office 2010 templates that are available for download that you can add to the GPMC.

Group Policy Management Editor

The Group Policy Management Editor window displays the individual Group Policy settings that are
available in a GPO. These display in an organized hierarchy that begins with the division between
computer settings and user settings, and then expand to show the Computer Configuration node and the
User Configuration node. All Group Policy settings and preferences are configured in the Group Policy
Management Editor window.

Group Policy Preferences

In addition to the Group Policy sections shown in the preceding table, a Preferences node is present under both the Computer Configuration and User Configuration nodes in the Group Policy Management Editor window. Preferences provide even more capabilities with which to configure the environment. Group Policy Preferences are discussed later in this module.

Demonstration: Configuring Group Policy Settings


In this demonstration, you will see how to:

Edit the local GPO to restrict the use of registry editing tools.

Edit the local GPO to allow administrators to use registry editing tools.

Demonstration Steps

Edit the local GPO to restrict the use of registry editing tools

1. On LON-CL1, open the Local Group Policy Editor.
2. In User Configuration\Administrative Templates\System, configure the Prevent access to registry editing tools policy setting as Enabled.
3. Attempt to run Regedit.exe, and then review the error message.

Edit the local GPO to allow administrators to use registry editing tools

1. Open the Microsoft Management Console, add the Group Policy Object Editor snap-in, and then select the Administrators GPO. In the Browse for a Group Policy Object window, click the Users tab, click Administrators, and then click OK.
2. In User Configuration\Administrative Templates\System, configure the Prevent access to registry editing tools policy setting as Disabled.
3. Run Regedit.exe, and then verify that it starts successfully.
4. Revert the LON-CL1 virtual machine. Do not revert LON-DC1, as it will be used in the next demonstration.
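The following script is an added example, not part of the course, that shows what the demonstration's policy setting actually does underneath. User Configuration settings land in HKEY_CURRENT_USER, and the Prevent access to registry editing tools setting writes the DisableRegistryTools value under the Policies\System key (1 when enabled, 2 when enabled with silent regedit /s runs also blocked, 0 when disabled). The function reads that value and reports its effect; the gpresult call then lists which GPOs were applied for the user, which is how you tell whether the Local GPO or the Administrators-specific local GPO won. Run it as the user whose policy you are checking; it only reads.

```powershell
# Added example (not from the course): check the registry value behind the
# "Prevent access to registry editing tools" user setting and list the GPOs applied to the user.

function Get-RegistryToolsPolicy {
    $key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $value = (Get-ItemProperty -Path $key -Name DisableRegistryTools -ErrorAction SilentlyContinue).DisableRegistryTools

    # switch does not enter its body for a $null input, so handle "value absent" first.
    $effect = if ($null -eq $value) {
        'Not Configured (no policy value present; registry tools allowed)'
    } else {
        switch ([int]$value) {
            0       { 'Disabled (registry tools allowed)' }
            1       { 'Enabled (regedit.exe blocked; silent regedit /s still allowed)' }
            2       { 'Enabled (regedit.exe blocked, including silent regedit /s runs)' }
            default { "Unexpected value $value" }
        }
    }

    [pscustomobject]@{
        Key                  = $key
        DisableRegistryTools = $value
        Effect               = $effect
    }
}

Get-RegistryToolsPolicy | Format-List

# Which GPOs delivered the user settings? gpresult lists the applied GPOs for the user scope.
# (Get-GPResultantSetOfPolicy from RSAT produces the same information as a full report file.)
gpresult.exe /scope:user /r
```

Because the Administrators-specific local GPO in the second half of the demonstration is processed after the Local GPO, members of Administrators see DisableRegistryTools reported as 0 (Disabled) while every other user still sees 1 or 2; reading the value under HKCU for each account confirms which GPO took effect without opening Regedit.exe.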

Overview of Group Policy Preferences


Group Policy Preferences are a set of Group Policy
extensions that expand the range of configurable
settings in a GPO. Like Group Policy settings,
Group Policy Preferences are available for both
users and computers. However, unlike Group
Policy settings, preferences are not enforced.
Users can change the configurations that are
applied. Also, by default, Group Policy Preferences
remain even when the GPO that contains the
preferences is no longer applicable.
Some of the more common uses for Group Policy
Preferences are:

Map network drives for users

Configure desktop shortcuts for users or computers

Set environment variables

Install printers

Set power options

Configure Start menus

Configure data sources (ODBC connections)

Configure Internet options

Schedule tasks


Many of the tasks that you can perform by using Group Policy Preferences would have otherwise required
scripting to perform. In some cases, Group Policy Preferences can be used in place of logon scripts.

Targeting

You can use targeting for individual Group Policy Preferences in a GPO. By using targeting, you can
specify the criteria that must be met for a preference item to apply. Security group membership is a
commonly used criterion for targeting. For example, you can map drive M to the marketing share only
for users who are members of the Marketing security group.
Other criteria for targeting include:

IP address range

Operating system

Computer name

A battery is present

AD DS site

Targeting is evaluated on the client when the preference item is processed. It decides which computers
and users apply the item; it does not restrict who can read the item, because the preference XML is part
of the Group Policy template in SYSVOL, which every authenticated user can read.

Note: Group Policy Preferences are not present in local GPOs.

Configuring GPOs in a Domain Environment


You can use Group Policy in an AD DS environment to provide centralized configuration management.
Domain-based GPOs are created and linked to objects within an AD DS infrastructure. The settings in the
GPO then affect the computers and users that are within those objects, depending on how the application
of the GPO is configured. Domain-based GPOs have several characteristics that do not apply to local GPOs.

GPO Storage
AD DS GPOs are stored as two components: a Group Policy container and a Group Policy template.

The Group Policy container is an AD DS object, named by the GPO's GUID, that is stored in the Policies
container (CN=Policies,CN=System) of the domain partition in the AD DS database. The Group Policy
container defines the basic attributes of a GPO, such as its version number and the path to its template,
but it does not contain any of the settings. The settings are contained in the Group Policy template, which
is a collection of files that are stored in the SYSVOL of each domain controller in the
%SystemRoot%\SYSVOL\Domain\Policies\ path.

This method of storage means that domain-based GPOs are stored and synchronized across all domain
controllers in the domain. The two components replicate separately: the container through AD DS
replication and the template through SYSVOL replication. Until both have reached the domain controller
that a client uses, the client can see a container and a template with different version numbers. The GPMC
shows both version numbers on the Details tab of a GPO, so a difference that persists points to a
replication problem rather than to a GPO that is still being edited.

GPO Linking

AD DS GPOs can be applied to an AD DS infrastructure by linking the GPO. A GPO can link to an AD DS
site, an AD DS domain, or to an AD DS OU. This enables you to apply GPO settings to specific computers
within an AD DS structure, or to the entire domain.

GPO Inheritance

GPO settings are inherited from parent objects in AD DS so that GPOs applied at a higher level are passed
down to computers and users in child objects in AD DS. This behavior ensures that settings applied at a
high level, like the domain, are applied to all computers. In special cases, inheritance can be modified or
blocked to provide a very specific configuration environment for certain computers or users.

GPO Application

By default, AD DS GPOs apply to all users and computers within the parent object where the GPO is
linked. This application can be modified by filtering the application of GPOs by Windows Management
Instrumentation (WMI) filters or security groups.
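The following script is an added example, not part of the course text. It shows the two storage
components of a domain GPO described above, reads the version number from each, and lists where the
GPO is linked. It assumes the GroupPolicy and ActiveDirectory modules from RSAT and a GPO named
Desktop (the name used in the next demonstration); run it on LON-DC1 or any domain-joined
administrative workstation.

```powershell
# Added example (not from the course): inspect a domain GPO's container and template and
# check that their version numbers agree. Assumes RSAT (GroupPolicy, ActiveDirectory modules).
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-GpoStorage {
    param([Parameter(Mandatory)][string]$Name)

    $gpo      = Get-GPO -Name $Name
    $domainDN = (Get-ADDomain).DistinguishedName

    # Group Policy container: the AD DS object named by the GPO's GUID under CN=Policies,CN=System.
    # It holds the version number and the template path, not the settings themselves.
    $gpcDN = "CN={$($gpo.Id)},CN=Policies,CN=System,$domainDN"
    $gpc   = Get-ADObject -Identity $gpcDN -Properties versionNumber, gPCFileSysPath, gPCMachineExtensionNames, gPCUserExtensionNames

    # Group Policy template: the SYSVOL folder that gPCFileSysPath points to. GPT.INI carries the
    # template's copy of the version number; the Machine\ and User\ subfolders carry the settings.
    $gptIni     = Join-Path -Path $gpc.gPCFileSysPath -ChildPath 'GPT.INI'
    $iniVersion = (Get-Content -Path $gptIni | Where-Object { $_ -like 'Version=*' }) -replace '^Version=', ''

    # versionNumber is a single 32-bit value: user version in the high 16 bits, computer version in the low 16.
    $split = { param([int64]$v) [pscustomobject]@{ Computer = $v -band 0xFFFF; User = ($v -shr 16) -band 0xFFFF } }

    # Where the GPO is linked (site, domain or OU), from the XML report. NoOverride is the enforced flag.
    $links = ([xml](Get-GPOReport -Guid $gpo.Id -ReportType Xml)).GPO.LinksTo |
        ForEach-Object { "$($_.SOMPath) (enabled=$($_.Enabled), enforced=$($_.NoOverride))" }

    [pscustomobject]@{
        Name              = $gpo.DisplayName
        Id                = $gpo.Id
        ContainerDN       = $gpcDN
        TemplatePath      = $gpc.gPCFileSysPath
        ContainerVersion  = & $split $gpc.versionNumber
        TemplateVersion   = & $split ([int64]$iniVersion)
        InSync            = ([int64]$gpc.versionNumber -eq [int64]$iniVersion)
        MachineExtensions = $gpc.gPCMachineExtensionNames   # CSE GUIDs that have computer settings
        UserExtensions    = $gpc.gPCUserExtensionNames      # CSE GUIDs that have user settings
        LinkedTo          = $links
    }
}

Get-GpoStorage -Name 'Desktop' | Format-List
```

InSync is briefly false immediately after you edit a GPO, because the container and the template
replicate through different mechanisms. A value that stays false across domain controllers means SYSVOL
and AD DS replication have diverged and clients that use that domain controller will not process the GPO
correctly.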

Demonstration: Configuring Domain-Based GPOs


In this demonstration, you will see how to:

Use the GPMC to create a new GPO.

Configure domain-based Group Policy settings.

Demonstration Steps
Use the GPMC to create a new GPO
1. Sign in to LON-DC1 as Adatum\Administrator with password Pa$$w0rd.
2. Open the Group Policy Management Console.
3. Create a new GPO called Desktop.

Configure domain-based Group Policy settings
1. Open the new Desktop policy for editing.
2. In Computer Configuration, prevent the last logon name from displaying, and then prevent Windows
   Installer from running.
3. In User Configuration, remove the Search link from the Start menu, and then hide the display
   settings tab.
4. Close all open windows.
5. Revert the LON-DC1 virtual machine.

Group Policy Processing


GPOs apply in a consistent order that allows you
to predict which settings are effective when there
are conflicting settings in GPOs that apply to a
user or computer. GPOs that are applied later in
the process of applying GPOs overwrite any
conflicting policy settings that were applied
earlier.
GPOs apply in the following order:
1. Local GPOs. Each computer that is running Windows 2000 or newer potentially has a local Group
   Policy configured already.
2. Site GPOs. Policies that link to sites process next.
3. Domain GPOs. Policies that link to the domain process next. There often are multiple policies at the
   domain level. These policies process in their link order.
4. OU GPOs. Policies linked to OUs process next. These policies contain settings that are unique to the
   objects in that OU. For example, Sales users might have special required settings. You can link a policy
   to the Sales OU to deliver those settings.
5. Child OU policies. Any policies that link to child OUs process last.

Objects in the containers receive the cumulative effect of all policies in their processing order. In the
case of a conflict between settings, the last policy applied takes effect. For example, a domain-level policy
might restrict access to registry editing tools, but you could configure an OU-level policy and link it to the
Information Technology (IT) OU to reverse that policy. Because the OU-level policy applies later in the
process, access to registry tools would be available to users in the IT OU.
If multiple policies are linked at the same level, an administrator can change the link order to control the
order of processing. The GPO with link order 1 has the highest precedence: it is processed last and wins
any conflict with the other GPOs linked at that level. The default order is the order in which the GPOs were
linked; you can change it on the Linked Group Policy Objects tab in the GPMC.
You also can disable the user or computer configuration of a particular GPO. If one section of a policy
is known to be empty, then you should disable the empty section to speed up policy processing. For
example, if you have a policy that only delivers user desktop configuration, you could disable the
computer side of the policy.

Options for Modifying Group Policy Processing


You can modify the default processing of GPOs by using:

Security filtering. You can use security filtering to specify specific users, computers, or groups that are
able or not able to process a GPO. For example, you could specify that members of the Technical
Support group have special security settings.

Enforcement. You can use enforcement to ensure that settings in a specific GPO apply regardless
of any lower-level GPOs that would normally override this GPO. For example, you could specify
standardized security settings at the domain level.

Block inheritance. You can use block inheritance to prevent settings from a higher-level OU from
being inherited by a lower-level OU. For example, settings applied at the domain level could be
blocked from affecting users in the IT OU.

Note: When a link is enforced and a lower-level OU blocks inheritance, the settings in the
enforced GPO are applied.
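The following script is an added example, not part of the course text. It resolves, for one AD DS
container, the GPOs that its computers and users will process in the order described above, together with
the enforcement, inheritance-blocking, WMI-filter and security-filtering facts that decide conflicts. It
assumes the GroupPolicy module and an OU named IT (the example OU used in the text; it is not created
by the course).

```powershell
# Added example (not from the course): list the GPOs a container's objects process, in processing
# order, with the information that decides conflicts. Assumes the GroupPolicy RSAT module.
Import-Module GroupPolicy

function Get-GpoProcessingOrder {
    param([Parameter(Mandatory)][string]$Target)   # e.g. 'OU=IT,DC=Adatum,DC=com'

    $inh = Get-GPInheritance -Target $Target

    # InheritedGpoLinks already accounts for Block Inheritance and Enforced links above this
    # container and is sorted by precedence: element 0 wins every conflict because it is applied
    # last. Reverse it to list the GPOs in the order the client actually processes them.
    $links = @($inh.InheritedGpoLinks)
    [array]::Reverse($links)

    $step = 0
    foreach ($link in $links) {
        $step++
        $gpo = Get-GPO -Guid $link.GpoId

        # Security filtering: only trustees that hold Apply Group Policy process the GPO.
        # By default that is Authenticated Users.
        $applyTo = Get-GPPermission -Guid $link.GpoId -All |
            Where-Object { $_.Permission -eq 'GpoApply' } |
            ForEach-Object { $_.Trustee.Name }

        $status = "$($gpo.GpoStatus)"
        $wmi    = if ($gpo.WmiFilter) { $gpo.WmiFilter.Name } else { '(none)' }

        [pscustomobject]@{
            ProcessingStep   = $step
            GPO              = $link.DisplayName
            LinkedAt         = $link.Target
            LinkEnabled      = $link.Enabled
            Enforced         = $link.Enforced
            ComputerSettings = -not ($status -in 'ComputerSettingsDisabled', 'AllSettingsDisabled')
            UserSettings     = -not ($status -in 'UserSettingsDisabled', 'AllSettingsDisabled')
            WmiFilter        = $wmi
            AppliesTo        = ($applyTo -join ', ')
        }
    }

    if ($inh.GpoInheritanceBlocked) {
        Write-Warning "$Target blocks inheritance; only enforced GPOs from above it are included."
    }
}

# Local GPOs are processed before all of these and are not visible from AD DS.
Get-GpoProcessingOrder -Target 'OU=IT,DC=Adatum,DC=com' | Format-Table -AutoSize
```

Read the output from the bottom up to find the winner of a conflict. An enforced link from the domain
appears even when the OU blocks inheritance, and it sorts above every OU link, which is the behavior the
note above describes.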

Lab: Using Management Tools to Configure Windows 8.1 Settings

Scenario
You have been asked to configure the Windows 8.1 computers in A. Datum Corporation's London
location. There are 100 computers used by internal departments that have varying configuration
requirements:

Computers on the machine floor require that Windows Update be disabled. These computers are not
updated until the equipment manufacturer verifies that the updates are compatible with the
applications that run on the equipment.

Computers on the machine floor should not allow remote management. This is done to ensure that
changes are not made remotely that might affect the equipment.

All computers not on the machine floor should be managed remotely.

Remote Desktop should be allowed on all computers that are not on the machine floor.

Windows PowerShell remoting should be enabled for all computers that are not on the machine
floor.

Servers and domain controllers should not be affected by configurations that are applied to desktop
computers.

You should implement these configuration settings and then test the configuration with LON-CL2, a
computer on the machine floor, and LON-CL1, a computer in the Finance department. (Exercise 2 places
LON-CL2 in the MachineFloor OU and LON-CL1 in the CorpComputers OU.)

Objectives
After completing this lab, you will be able to:

Plan the management of Windows 8.1 computers.

Manage Windows 8.1 by using Group Policy.

Implement Windows PowerShell remoting.

Lab Setup
Estimated Time: 30 minutes
Virtual machines: 20687D-LON-DC1, 20687D-LON-CL1, 20687D-LON-CL2
User name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in by using the following credentials:
   User name: Adatum\Administrator
   Password: Pa$$w0rd
5. Repeat steps 2 through 4 for 20687D-LON-CL1 and 20687D-LON-CL2.

Exercise 1: Planning Management of Windows 8.1 Computers


Scenario


You need to determine the best way to manage computers that are running Windows 8.1 for A. Datum.
There are 100 internal computers that are used by various departments. Some departments have different
needs than others:

Computers on the machine floor require that Windows Updates be disabled. These computers are not
updated until the equipment manufacturer verifies that the updates are compatible with the apps
that run the equipment.

Computers on the machine floor should not allow remote management. This is done to ensure that
changes are not made remotely that might impact the equipment.

All computers not on the machine floor should be managed remotely.

Remote Desktop should be allowed on all computers that are not on the machine floor.

Windows PowerShell remoting should be enabled for all computers that are not on the machine
floor.

Servers and domain controllers should not be affected by configurations that are applied to desktop
computers.

The main task for this exercise is as follows:
1. Plan the management of Windows 8.1 computers.

Task 1: Plan the management of Windows 8.1 computers
Answer the following questions:
1. What tool will you use to apply the configuration changes to domain-joined computers?
2. Are there any OU structure requirements to meet the management needs on the internal network?
3. Could you use security filtering as an alternative to a new OU structure?

Results: After completing this exercise, you will have planned the management of Windows 8.1
computers.

Exercise 2: Managing Windows 8.1 by Using Group Policy


Scenario

After completing your plan, you need to begin implementing it. The implementation process includes
setting up GPOs and OUs to allow for the separate management of client computers and machine floor
computers.

You will create two OUs, named MachineFloor and CorpComputers. Computers from the machine floor
will be placed into the MachineFloor OU, and the rest of the Windows 8.1 computers will be placed into
the CorpComputers OU.
The main tasks for this exercise are as follows:
1. Create an OU structure for managing computers.
2. Configure Group Policy for computers on the machine floor.
3. Verify the application of Windows Update settings to LON-CL2.
4. Configure Group Policy for other client computers.
5. Verify that remote administration is functional.

Task 1: Create an OU structure for managing computers
1. On LON-DC1, open Active Directory Administrative Center.
2. In the Adatum.com domain, create a new OU named MachineFloor.
3. In the Adatum.com domain, create a new OU named CorpComputers.
4. Move LON-CL1 from the Computers container to the CorpComputers OU.
5. Move LON-CL2 from the Computers container to the MachineFloor OU.
6. Restart LON-CL1 and LON-CL2, and then sign in to both as Adatum\Administrator with password
   Pa$$w0rd.

Task 2: Configure Group Policy for computers on the machine floor
1. On LON-DC1, open the Group Policy Management Console.
2. Block inheritance at the MachineFloor OU.
3. Create a new GPO named MachineFloor, and then link it to the MachineFloor OU.
4. Edit the MachineFloor GPO and browse to Computer Configuration\Policies\Administrative
   Templates\Windows Components\Windows Update.
5. Disable the Configure Automatic Updates setting.

Task 3: Verify the application of Windows Update settings to LON-CL2
1. On LON-CL2, open Windows PowerShell, and then run gpupdate /force.
2. Run gpresult /h C:\results.htm.
3. Open C:\results.htm.
4. In Internet Explorer, read the Summary and verify that Inheritance is blocking all non-enforced
   GPOs linked above Adatum.com/MachineFloor.
5. In Computer Details\Settings, verify that Configure Automatic Updates is Disabled.

Task 4: Configure Group Policy for other client computers
1. On LON-DC1, in Group Policy Management, create a new GPO named CorpComputers, and then
   link it to the CorpComputers OU.
2. Edit the CorpComputers GPO, and then browse to Computer Configuration\Policies
   \Administrative Templates\Windows Components\Windows Update.
3. Enable the Configure Automatic Updates setting.
4. Browse to Computer Configuration\Policies\Windows Settings\Security Settings\Windows
   Firewall with Advanced Security\Windows Firewall with Advanced Security\Inbound Rules.
5. Create a new inbound rule:
   o Predefined: COM+ Remote Administration
   o Allow the connection
   o Leave other settings with default values
6. Create a new inbound rule:
   o Predefined: Remote Event Log Management
   o Allow the connection
   o Leave other settings with default values
7. On LON-CL1, open Windows PowerShell, and then run gpupdate.

Task 5: Verify that remote administration is functional
1. On LON-DC1, open Computer Management.
2. In Computer Management, connect to LON-CL1, and then verify that you can access Event Viewer.
3. Connect to LON-CL2. This connection fails because remote management has not been configured for
   the computers in the MachineFloor OU.

Results: After completing this exercise, you should have implemented an OU structure and GPO structure
to support remote management of computers.
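The following script is an added example and not the lab's own steps. It builds the OU and GPO
structure of Exercise 2 from a Windows PowerShell session on LON-DC1 (as Adatum\Administrator) with
the ActiveDirectory, GroupPolicy and NetSecurity modules, and then verifies it the way Task 5 does. The
registry values are the ones the Configure Automatic Updates policy setting writes; the firewall rule
groups are copied from the local policy store into the GPO, which is assumed to produce the same rules
as the Predefined option in the editor.

```powershell
# Added example (not the lab's own steps): Exercise 2 as a script, run on LON-DC1.
Import-Module ActiveDirectory, GroupPolicy, NetSecurity

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName
$mfOU     = "OU=MachineFloor,$domainDN"
$ccOU     = "OU=CorpComputers,$domainDN"

# Task 1: OUs and computer placement (LON-CL2 is the machine-floor computer)
foreach ($name in 'MachineFloor', 'CorpComputers') {
    if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$name)" -SearchBase $domainDN -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $name -Path $domainDN | Out-Null
    }
}
Get-ADComputer -Identity LON-CL1 | Move-ADObject -TargetPath $ccOU
Get-ADComputer -Identity LON-CL2 | Move-ADObject -TargetPath $mfOU

# Task 2: MachineFloor blocks inheritance and gets a GPO that disables Windows Update.
# "Configure Automatic Updates" writes under this key: Disabled sets NoAutoUpdate = 1;
# Enabled sets NoAutoUpdate = 0 plus AUOptions (3 = download and notify, the editor's default choice).
$wuKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
Set-GPInheritance -Target $mfOU -IsBlocked Yes | Out-Null
$mf = New-GPO -Name 'MachineFloor'
New-GPLink -Guid $mf.Id -Target $mfOU | Out-Null
Set-GPRegistryValue -Guid $mf.Id -Key $wuKey -ValueName NoAutoUpdate -Type DWord -Value 1 | Out-Null

# Task 4: CorpComputers GPO enables updates and opens the two remote-administration rule groups.
$cc = New-GPO -Name 'CorpComputers'
New-GPLink -Guid $cc.Id -Target $ccOU | Out-Null
Set-GPRegistryValue -Guid $cc.Id -Key $wuKey -ValueName NoAutoUpdate -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Guid $cc.Id -Key $wuKey -ValueName AUOptions    -Type DWord -Value 3 | Out-Null

# "<domain DNS name>\<GPO name>" addresses the firewall policy store inside the GPO.
$gpoStore = "$($domain.DNSRoot)\CorpComputers"
foreach ($group in 'COM+ Remote Administration', 'Remote Event Log Management') {
    Get-NetFirewallRule -DisplayGroup $group -PolicyStore PersistentStore |
        Copy-NetFirewallRule -NewPolicyStore $gpoStore
    # The predefined RPC rules ship disabled; the wizard creates them enabled for all profiles.
    Enable-NetFirewallRule -DisplayGroup $group -PolicyStore $gpoStore
}

# Task 3, on LON-CL2 itself after gpupdate /force (its OU blocks remote RSoP queries):
#   Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'   -> NoAutoUpdate = 1

# Task 5, from LON-DC1 after gpupdate on both clients. Event Viewer in Computer Management and
# Get-WinEvent both use the RPC path that the Remote Event Log Management rules open.
foreach ($client in 'LON-CL1', 'LON-CL2') {
    try {
        $null = Get-WinEvent -ComputerName $client -LogName System -MaxEvents 1 -ErrorAction Stop
        "$client : remote event log reachable"
    } catch {
        "$client : remote event log refused ($($_.Exception.Message))"
    }
}
# Expected: LON-CL1 reachable; LON-CL2 refused, because MachineFloor blocks inheritance and its own
# GPO opens nothing.
```

If LON-CL2 is reachable, check Get-GPInheritance -Target for the MachineFloor OU: either inheritance is
not blocked, or a GPO above it that opens these rules is enforced.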

Exercise 3: Implementing Windows PowerShell Remoting


Scenario

As part of implementing your management plan for Windows 8.1, you need to configure Windows
PowerShell remoting for all computers except those on the machine floor. You need to configure a GPO
that links to the domain to configure Windows PowerShell remoting and test the functionality of your
configuration.
The main tasks for this exercise are as follows:
1. Configure Windows PowerShell remoting manually.
2. Configure Windows PowerShell remoting by using Group Policy.
3. Verify the configuration of Windows PowerShell remoting.

Task 1: Configure Windows PowerShell remoting manually
1. On LON-DC1, open Windows PowerShell, and then run Enable-PSRemoting.
2. On LON-CL1, open Windows PowerShell, and then run Get-ADUser. This command is not recognized
   because the cmdlets for AD DS administration are not installed on LON-CL1.
3. At the Windows PowerShell command prompt, create a remote session by running
   Enter-PSSession -ComputerName LON-DC1.
4. Run Get-ADUser -Filter * to list all users by using the asterisk (*) filter.
5. Exit the remote session by running Exit-PSSession.

Task 2: Configure Windows PowerShell remoting by using Group Policy
1. On LON-DC1, open Group Policy Management.
2. Create a new GPO named Enable PS Remoting, and then link it to Adatum.com.
3. Edit the Enable PS Remoting GPO, and then browse to Computer Configuration\Policies
   \Administrative Templates\Windows Components\Windows Remote Management
   (WinRM)\WinRM Service.
4. Enable the setting Allow remote server management through WinRM:
   o IPv4 filter: *
   o IPv6 filter: *
5. Browse to Computer Configuration\Policies\Windows Settings\Security Settings
   \System Services.
6. Configure the Windows Remote Management (WS-Management) service to start automatically.
7. Browse to Computer Configuration\Policies\Windows Settings\Security Settings\Windows
   Firewall with Advanced Security\Windows Firewall with Advanced Security\Inbound Rules.
8. Create a new inbound rule:
   o Predefined: Windows Remote Management
   o Allow the connection
9. Close the Group Policy Management Editor window.

Note: A GPO linked to Adatum.com also applies to the Domain Controllers OU and to any OU that holds
servers, unless those OUs block inheritance. The scenario requires that servers and domain controllers are
not affected, so outside the lab you would link this GPO to the CorpComputers OU instead, or restrict it with
security filtering. The MachineFloor OU is excluded only because it blocks inheritance and the link is not
enforced. A filter of * also makes WinRM listen on every IPv4 and IPv6 address of the computer; the setting
accepts address ranges, which let you limit the listener to a management network.

Task 3: Verify the configuration of Windows PowerShell remoting
1. On LON-CL1, open Windows PowerShell, and then run gpupdate /force.
2. Run Get-Service WinRM to verify that the WinRM service is now running.
3. On LON-DC1, open Windows PowerShell, and then run Get-Service WinRM -ComputerName
   LON-CL1.
4. To view the execution policy on LON-CL1, run Invoke-Command -ComputerName LON-CL1
   -ScriptBlock {Get-ExecutionPolicy}.
5. To update the execution policy on LON-CL1, run Invoke-Command -ComputerName LON-CL1
   -ScriptBlock {Set-ExecutionPolicy AllSigned}. Add -Force to Set-ExecutionPolicy to suppress the
   confirmation prompt.

Note: Get-Service -ComputerName contacts the remote service control manager over RPC, not over
WinRM, so step 3 confirms only that the service reports as running. Steps 4 and 5 use WinRM and are the
real test of remoting.

Results: After completing this exercise, you will have implemented Windows PowerShell remoting in the
Adatum.com domain.
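The following script is an added example and not the lab's own steps. It builds the Enable PS Remoting
GPO of Exercise 3 on LON-DC1 with the ActiveDirectory, GroupPolicy and NetSecurity modules and then
verifies it over WinRM rather than RPC. It departs from the lab in two places, both marked in the code: the
GPO is linked to the CorpComputers OU (assumed to exist from Exercise 2) rather than to the domain, so
that servers and domain controllers stay out of scope as the scenario requires, and the service start type is
written as a registry policy because the System Services policy has no cmdlet. The management subnet
shown in a comment is an assumption.

```powershell
# Added example (not the lab's own steps): Exercise 3 as a script, run on LON-DC1.
Import-Module ActiveDirectory, GroupPolicy, NetSecurity

$domain  = Get-ADDomain
$gpoName = 'Enable PS Remoting'
$target  = "OU=CorpComputers,$($domain.DistinguishedName)"   # lab links to the domain instead

$gpo = New-GPO -Name $gpoName
# A domain link would also reach the Domain Controllers OU and any server OU; the scenario rules
# that out, so the link goes to the desktop OU.
New-GPLink -Guid $gpo.Id -Target $target | Out-Null

# "Allow remote server management through WinRM" = Enabled. The lab uses * for both filters, which
# makes WinRM listen on every address. A range such as '10.0.0.1-10.0.0.254' (assumed management
# subnet) limits the listener to interfaces in that range.
$winrmKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
Set-GPRegistryValue -Guid $gpo.Id -Key $winrmKey -ValueName AllowAutoConfig -Type DWord  -Value 1   | Out-Null
Set-GPRegistryValue -Guid $gpo.Id -Key $winrmKey -ValueName IPv4Filter      -Type String -Value '*' | Out-Null
Set-GPRegistryValue -Guid $gpo.Id -Key $winrmKey -ValueName IPv6Filter      -Type String -Value '*' | Out-Null

# Service start type. The lab uses Security Settings\System Services, which has no cmdlet. Writing the
# service's Start value (2 = Automatic) through a registry policy has the same effect, but the value is
# not removed when the GPO goes out of scope, so prefer the System Services setting in the editor.
Set-GPRegistryValue -Guid $gpo.Id -Key 'HKLM\SYSTEM\CurrentControlSet\Services\WinRM' -ValueName Start -Type DWord -Value 2 | Out-Null

# Firewall: the predefined Windows Remote Management group (WinRM over HTTP, TCP 5985),
# copied from the local store into the GPO's store and enabled there.
$store = "$($domain.DNSRoot)\$gpoName"
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -PolicyStore PersistentStore |
    Copy-NetFirewallRule -NewPolicyStore $store
Enable-NetFirewallRule -DisplayGroup 'Windows Remote Management' -PolicyStore $store

# Verification from LON-DC1 after gpupdate /force on LON-CL1. Get-Service -ComputerName (Task 3)
# uses RPC, so it proves nothing about WinRM; Test-WSMan and Invoke-Command do.
Test-WSMan -ComputerName LON-CL1
Invoke-Command -ComputerName LON-CL1 -ScriptBlock { Get-Service -Name WinRM | Select-Object Name, Status; Get-ExecutionPolicy }
Invoke-Command -ComputerName LON-CL1 -ScriptBlock { Set-ExecutionPolicy -ExecutionPolicy AllSigned -Force; Get-ExecutionPolicy }

# A machine-floor computer must still refuse WinRM.
try   { Test-WSMan -ComputerName LON-CL2 -ErrorAction Stop; 'LON-CL2 answered WinRM: check the scope of the GPO' }
catch { 'LON-CL2 refused WinRM, as required' }
```

Set-ExecutionPolicy through Invoke-Command changes the LocalMachine scope on LON-CL1, which is
what the lab's step 5 does; an execution policy is a safety setting for scripts, not a control on what an
administrator connected over WinRM can run.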

Prepare for the next module

When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the
following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687D-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 through 3 for 20687D-LON-CL1 and 20687D-LON-CL2.

Module Review and Takeaways


Review Questions
Question: Recently, your organization added Windows 8.1 computers to the network. You
have tried to connect to a remote computer that is running Windows 8.1 by using Event
Viewer, but you cannot connect. You know that the remote computer is turned on. Why is
this problem occurring, and how can you resolve it?
Question: One of the server administrators is complaining that you need to use Remote
Desktop and connect to a domain controller to manage user accounts. What alternative can
you use to administer user accounts from a Windows 8.1 computer?
Question: You have configured a public-use computer in the lobby for visiting clients. This
computer is not part of the AD DS domain. How can you secure this computer to prevent
visiting clients from making changes to it and still allow administrators to have full access?


Module 4
Managing Profiles and User State in Windows 8.1
Contents:
Module Overview                                             4-1
Lesson 1: Managing User Profiles                            4-2
Lesson 2: Configuring User State Virtualization             4-8
Lab A: Configuring Profiles and User State Virtualization   4-21
Lesson 3: Migrating User State and Settings                 4-27
Lab B: Migrating User State by Using USMT                   4-34
Module Review and Takeaways                                 4-38

Module Overview

User profiles store user settings and data. For users working on a single computer, profiles can be stored
locally. However, for users who roam between multiple computers, the user profile, or at least some parts
of it, should be available on the network. This module describes the different user profile types. It also
describes Microsoft User Experience Virtualization (UE-V), which you can use to synchronize settings
between computers without using roaming user profiles. The operating system itself provides user
profiles, whereas UE-V is a separate product that is part of the Microsoft Desktop Optimization Pack.
In this module, you will learn about UE-V features and how to deploy and configure it on your network.
You also will learn how to migrate user state and settings to computers that run Windows 8.1 operating
systems.

Objectives
After completing this module, you will be able to:

Manage user profiles.

Configure User State Virtualization.

Migrate user state and settings.

Lesson 1

Managing User Profiles


A user who signs in to the Windows operating system must have his or her user profile, which stores user
settings such as the desktop theme, data such as the files stored in the Documents folder, screen saver
settings, and desktop icons. This lesson introduces each user profile type, explains how to configure user
profiles, and explains when to use a user profile type. It also describes how you can use Group Policy for
managing user profiles and the differences between roaming user profiles and redirected folders.

Lesson Objectives
After completing this lesson, you will be able to:

Describe user profiles in Windows 8.1.

Describe user profile types.

Explain how to manage user profiles by using Group Policy.

Configure roaming user profiles and Folder Redirection.

Explain how to use the Primary Computer setting to control profiles.

User Profiles in Windows 8.1

For security reasons, Windows 8.1 requires that each user who signs in have a user profile. A user
profile is created when a user signs in for the first time. The initial user profile is based on the default
user profile, and it is used for all subsequent sign-ins. User profiles contain details of the user
environment, such as Start screen settings, desktop settings, user documents, Start screen tiles and their
layout, and the user hive of the registry. By default, the user profile is stored on the same drive as the
Windows operating system, in the Users folder. The user profile is used only when the user signs in to
the same computer, but you can change the location and the user profile type.

Elements in a User Profile


A user profile contains the following elements:

User part of the registry. User profiles contain the NTuser.dat file, which is the user part
of the registry. When the user signs in, the system loads this file, and it is mapped to the
HKEY_CURRENT_USER registry subtree. NTuser.dat contains user settings such as desktop
background and screen saver settings.

Set of folders. For each user who signs in, a separate subfolder with his or her name is created in the
Users folder. This folder is a container for applications, user settings, and data that are organized in
various subfolders, such as AppData, Desktop, Downloads, and Documents.

Advantages of User Profiles

User profiles provide the following advantages:

User settings are persistent. With user profiles, users have the same settings as when they signed out
the last time.

If multiple users are sharing the same computer, individual users have their own customized
environment when they sign in.

Settings in the user profile are unique to each user. When users change settings in their user profiles,
this does not affect other users whose profiles are on the same computer.
Customize the Start screen
http://go.microsoft.com/fwlink/?LinkId=378222&clcid=0x409
Customize the Default User Profile by Using CopyProfile
http://go.microsoft.com/fwlink/?LinkId=378223&clcid=0x409
Question: By default, where is the local user profile stored in Windows 8.1?

User Profile Types


Windows 8.1 requires each user to have a user profile. User profiles are created during a user's first
sign-in and are stored in the Users folder. User profiles are created based on the content in the default
profile in the Users folder. There are three different types of user profiles:

Local. Available only on a single computer.

Roaming. Can roam between domain-joined computers.

Mandatory. Special type of preconfigured user profile that does not store user changes between
sign-ins.

Local User Profiles

When a user signs in to a computer for the first time, the operating system automatically creates a local
user profile for all subsequent sign-ins to the same computer. The local user profile is used only when a
user signs in to the computer where the profile was created, and it is useful when a user is using a single
computer. If a user roams between multiple computers, then by default, separate local user profiles will
be created on each computer. This means that modifications and documents that the user created on one
computer will not be used or available on other computers. Therefore, local profiles should be avoided if a
user signs in to multiple devices.

Roaming User Profiles

In a domain environment, administrators can configure a user with a roaming user profile by configuring
his or her profile path. With roaming user profiles, user settings and data are stored on a network location
and locally on the computer where the user signs in. When a user signs in, the local copy of the user
profile is compared to the copy that is stored on the network location, and only new files are copied
locally. The user can change settings and create data files, which are stored in the local user profile copy.

When the user signs out, these changes are copied to the network location. If users roam between
multiple computers, their documents and settings will follow them.


If a user profile contains a lot of data, or if the user stores large files on the desktop, then the process
of signing in to the computer might take a long time. If a user signs in to multiple computers at the
same time, changes performed on one computer will override changes performed on a second computer
because user profile changes are copied to the network location only when the user signs out. Some parts
of the user profile, such as Temporary Internet Files or AppData\Local, are never copied to the network
location, even if roaming user profiles are used.

Mandatory User Profiles


A mandatory user profile is a type of roaming user profile that administrators can configure for users.
With mandatory user profiles, user changes are stored in the local copy of the user profile but are not
preserved after a user signs out from the computer. When the user signs in again, the mandatory user
profile is downloaded from the network location, and it overrides the local user profile copy. The two
types of mandatory user profiles are normal mandatory profiles and super-mandatory profiles.

Administrators can configure users with mandatory user profiles first by configuring them with roaming
user profiles and then by renaming the NTuser.dat file in their profiles to NTuser.man. The .man extension
causes user modifications to the profile to be discarded at the next sign-in and user profiles to behave as
read-only.

Super-mandatory user profiles

User profiles become super-mandatory when the administrator adds the .man extension to a user's
roaming user profile folder name. For example, if a roaming user profile is stored in the \\Server\Profiles
\User1.V2 folder, the administrator can add the .man extension to the folder and store the roaming user
profile at \\Server\Profiles\User1.man.V2, and set the user's profile path to \\Server\Profiles\User1.man
(the operating system appends the .V2 suffix itself). Mandatory and super-mandatory user profiles behave
similarly; both do not preserve user modifications. If a user is configured with a super-mandatory profile,
he or she will not be able to sign in if the network copy of the profile is not available. In such cases, users
with a normal mandatory profile would still be able to sign in, and they would get temporary profiles,
which could be against company policy.
Question: When would you configure users with roaming user profiles?
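The following script is an added example, not part of the course. It assigns the roaming profile path
described under Roaming User Profiles and then turns the resulting profile folder into a mandatory or
super-mandatory profile as described above, including the permission change that the text implies but does
not spell out: a mandatory profile only stays mandatory if the user cannot rewrite NTuser.man on the server.
It assumes the ActiveDirectory module on LON-DC1, a share \\LON-DC1\Profiles (the share used in the
demonstration that follows) and the user Adatum\Adam; icacls.exe ships with Windows.

```powershell
# Added example (not from the course): roaming profile path, then mandatory / super-mandatory conversion.
Import-Module ActiveDirectory

function Set-RoamingProfilePath {
    param([Parameter(Mandatory)][string]$SamAccountName,
          [string]$ProfileShare = '\\LON-DC1\Profiles')
    # The profile service expands %username% and appends the profile version (.V2 on Windows 8.1
    # unless the newer extension version is enabled), so the stored path carries no suffix.
    Set-ADUser -Identity $SamAccountName -ProfilePath "$ProfileShare\%username%"
    (Get-ADUser -Identity $SamAccountName -Properties ProfilePath).ProfilePath
}

function ConvertTo-MandatoryProfile {
    param([Parameter(Mandatory)][string]$ProfileFolder,   # e.g. \\LON-DC1\Profiles\Adam.V2
          [Parameter(Mandatory)][string]$UserAccount,     # e.g. Adatum\Adam
          [switch]$SuperMandatory)

    $hive = Join-Path -Path $ProfileFolder -ChildPath 'NTuser.dat'
    if (-not (Test-Path -Path $hive)) {
        throw "No NTuser.dat in $ProfileFolder; the user must sign in and out once so the roaming copy exists."
    }

    # 1. Rename the user hive. The .man extension makes the profile service discard changes at sign-out.
    Rename-Item -Path $hive -NewName 'NTuser.man' -Force

    # 2. The user created this folder and therefore holds Full Control over it. Drop inherited
    #    entries and replace the user's entry with Read & Execute (/grant:r replaces the explicit
    #    entry for each listed account). SYSTEM needs Full Control to load the profile for the client.
    & icacls.exe $ProfileFolder /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' "${UserAccount}:(OI)(CI)RX" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

    if (-not $SuperMandatory) { return $ProfileFolder }

    # 3. Super-mandatory: .man goes on the folder name as well (Adam.V2 -> Adam.man.V2) and the
    #    profile path on the user object becomes \\Server\Profiles\Adam.man, without the version
    #    suffix. Sign-in then fails when the network copy is unreachable instead of giving a
    #    temporary profile.
    $parent = Split-Path -Path $ProfileFolder -Parent
    $leaf   = Split-Path -Path $ProfileFolder -Leaf
    $base, $version = $leaf -split '\.(?=V\d+$)', 2
    Rename-Item -Path $ProfileFolder -NewName "$base.man.$version"
    Set-ADUser -Identity (($UserAccount -split '\\')[-1]) -ProfilePath "$parent\$base.man"
    return "$parent\$base.man.$version"
}

# Usage: set the path, have Adam sign in and out once on LON-CL1, then lock the profile.
Set-RoamingProfilePath -SamAccountName Adam
# ConvertTo-MandatoryProfile -ProfileFolder '\\LON-DC1\Profiles\Adam.V2' -UserAccount 'Adatum\Adam' -SuperMandatory
```

Prepare the profile with a throwaway template account rather than a real user where you can, so that
the personal data the user accumulated before the conversion does not become the shared read-only
baseline.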

Managing User Profiles by Using Group Policy


You can use Group Policy to manage user environments centrally, including many of the user profile
settings. Group Policy includes many user profile-related settings that you can configure for users and
computers. Some of the user profile settings that can be configured by using Group Policy include:

Limit the size of a user profile

Exclude user profile directories from roaming

Prevent users from sharing files in their profiles

Set roaming profile paths for users

Prevent roaming profile changes from propagating to a server

Set the schedule for a background upload of a roaming user registry file


Folder Redirection is a Group Policy setting that is most often used for configuring user profiles.
Administrators can use Folder Redirection to redirect individual folders from a user profile to a new
location. For example, an administrator can redirect the Documents folder from a local or roaming
user profile to a separate network location. The contents of a redirected folder are available from any
computer on the network and are not copied to the computer on which a user signs in, as with roaming
user profiles. Folder Redirection also provides users with access to the same configuration and data on
multiple domain computers without copying user profiles locally, as with roaming user profiles. You can
configure Folder Redirection by modifying Policies\Windows Settings\Folder Redirection settings in the
User Configuration part of the Group Policy.
Redirected folders are stored only on a network share, and users access them transparently in the same
way as when they are stored in a local user profile. The Offline Files feature, which is enabled by default
when redirected folders are used, provides users with access to content in redirected folders even if
there is no network connectivity. The administrator configures Folder Redirection by using user settings
in Group Policy, and by doing so, can redirect individual folders in a user profile. In Windows 8.1, an
administrator can redirect 13 folders in user profiles, including Desktop, Start Menu, and Documents.
Administrators can redirect predefined folders and folders in a user profile only. For each user with
redirected folders, a new subfolder with the user's sign-in name will be created, and folders can be
redirected to the same location or to a different location based on user group membership.

When you configure Folder Redirection, you can configure what will happen if Folder Redirection is no
longer effective. Options are to leave the redirected content on the network location or to move the
content back to its original location in the user's profile. Folder Redirection can redirect many parts of a
user profile, but settings stored in NTuser.dat cannot be redirected. Because of this, some administrators
use roaming user profiles together with Folder Redirection.
Folder Redirection provides several advantages:

Contents of redirected folders are available from any computer in the domain.

Contents of redirected folders are not copied to local computers, which minimizes network traffic
during user sign-in.

Administrators can set quotas (limiting disk space) and permissions on redirected folders. By doing so,
administrators can control how much space a user can utilize and whether the user can modify the
contents of that part of the folder, for example, Desktop.

Redirected folders are stored on network locations (network shares) and not on local computers. If a
local hard drive fails, users can still access data in redirected folders from a different computer.

Contents of redirected folders can be backed up centrally because they are not stored locally on user
computers. If Shadow Copies for Shared Folders is configured on a network location, users can access
previous versions of their redirected files.
Folder Redirection Overview
http://go.microsoft.com/fwlink/?LinkId=378224&clcid=0x409
Question: What is the main difference between roaming user profiles and redirected
folders?


Demonstration: Configuring Roaming User Profiles and Folder Redirection


In this demonstration, you will see how to configure roaming user profiles and Folder Redirection.

Demonstration Steps
1. On LON-DC1, in Active Directory Users and Computers, show the Profile Path property of user
   Adam Barr, who is located in the Marketing organizational unit (OU).
2. On LON-DC1, in the Group Policy Management Console (GPMC), show how the Documents folder is
   redirected to \\LON-DC1\Redirected in the Folder Redirection Group Policy.
3. On LON-DC1, verify that the Profiles and Redirected folders are empty.
4. Sign in to LON-CL1 as Adatum\Adam.
5. On Adam Barr's desktop, create a folder named Presentations, add a shortcut to Local Disk (C:), and
   then add the This PC icon.
6. In Notepad, create a file with your name, and then save it in the Documents library.
7. Verify that the file is stored in the \\LON-DC1\Redirected\Adam\Documents folder, and that it is not
   stored inside the Adam local profile.
8. Sign out of LON-CL1.
9. On LON-DC1, verify that the Profiles and Redirected folders are no longer empty. The Profiles folder
   contains the Adam Barr roaming user profile (Adam.V2), whereas the Redirected folder contains the
   Adam redirected Documents folder.
10. Sign in to LON-CL2 as Adatum\Adam.
11. Verify that the This PC icon is on the desktop, in addition to the Presentations folder and the Local
    Disk (C:) shortcut.
12. Verify that you can transparently access the file with your name that you created in Notepad.

Using the Primary Computer Setting to Control Profiles

When an administrator configures users with roaming user profiles and Folder Redirection, these settings
apply to users irrespective of the domain computer to which they sign in. However, sometimes you might
want to restrict roaming user profiles and Folder Redirection so that they are available only when a user
signs in to specific computers. This could be because you do not want a user to leave any personal or
company data on the computer when he or she signs out, or because you do not want to roam the user's
settings and data between 32-bit and 64-bit client computers. For Windows 8.1 computers in domain
environments, you can apply this restriction by using the Primary Computer feature. By using the Primary
Computer feature, an administrator can specify a list of computers, known as primary computers, for each
domain user. Folder Redirection, roaming user profiles, or both features are used only when a user signs
in to a computer on his or her primary computer list.


To use the Primary Computer feature, the Active Directory Domain Services (AD DS) schema must be
extended to at least the Windows Server 2012 level. A Windows Server 2012 domain controller is not
required, but the AD DS schema must be extended. The Primary Computer feature will work only when
a user signs in to a Windows 8, Windows Server 2012, or a newer Windows operating system because
older versions of Windows operating systems will ignore the Primary Computer setting. The Group Policy
settings that configure the Primary Computer feature require Windows 8, Windows Server 2012, or a
newer operating system. Older clients and servers will not understand these settings, so they will simply
ignore the settings.
An administrator can configure the primary computers list for a user in one of two ways:

• By configuring the msDS-PrimaryComputer user attribute, for example, in Active Directory
  Administrative Center.

• By running the Set-ADUser Windows PowerShell cmdlet.

After configuring the list of primary computers for a user, an administrator also should enable the
Redirect folders on primary computers only and Download roaming profiles on primary computers
only Group Policy settings.
Deploy Primary Computers for Folder Redirection and Roaming User Profiles
http://go.microsoft.com/fwlink/?LinkID=291264&clcid=0x409
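The same configuration done from Windows PowerShell on LON-DC1, covering both the Profile Path property shown in the demonstration above and the primary computer list described in this topic. This is an added example and not part of the course material. It assumes the Adatum domain from the demonstration (user Adam, computers LON-CL1 and LON-CL2, profile share \\LON-DC1\Profiles) and an existing GPO named Folder Redirection; the two registry value names written by the policy settings are taken from the Windows 8 ADMX files and should be confirmed in Group Policy Management Editor before you rely on them.

```powershell
# Added example: roaming profile path and primary computers for one user.
# Assumptions (not from the course): domain Adatum, user "Adam", computers
# LON-CL1/LON-CL2, share \\LON-DC1\Profiles, GPO "Folder Redirection".
Import-Module ActiveDirectory
Import-Module GroupPolicy

# 1. msDS-PrimaryComputer exists only if the schema was extended to the
#    Windows Server 2012 level (objectVersion 56; 2012 R2 is 69). No 2012
#    domain controller is required, only the schema extension.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$schemaVersion = (Get-ADObject -Identity $schemaNC -Properties objectVersion).objectVersion
if ($schemaVersion -lt 56) {
    throw "Schema objectVersion is $schemaVersion; run adprep /forestprep from Windows Server 2012 or newer media first."
}
if (-not (Get-ADObject -SearchBase $schemaNC -LDAPFilter '(ldapDisplayName=msDS-PrimaryComputer)')) {
    throw 'msDS-PrimaryComputer is not defined in the schema.'
}

# 2. Roaming user profile: the Profile Path shown in Active Directory Users and
#    Computers. Windows 8.1 creates the folder as Adam.V2, as in the demonstration.
Set-ADUser -Identity Adam -ProfilePath '\\LON-DC1\Profiles\Adam'

# 3. Primary computers are a multi-valued list of computer distinguished names.
#    -Replace sets the whole list, so rerunning the script is safe; -Add would
#    fail with a constraint violation on a value that is already present.
$primary = 'LON-CL1', 'LON-CL2' | ForEach-Object { (Get-ADComputer -Identity $_).DistinguishedName }
Set-ADUser -Identity Adam -Replace @{ 'msDS-PrimaryComputer' = $primary }

# 4. Verify from both sides: the user attribute and the computer back-link.
(Get-ADUser -Identity Adam -Properties 'msDS-PrimaryComputer').'msDS-PrimaryComputer'
(Get-ADComputer -Identity LON-CL1 -Properties 'msDS-IsPrimaryComputerFor').'msDS-IsPrimaryComputerFor'

# 5. Turn on the two policy settings that make clients honour the list:
#    "Redirect folders on primary computers only" (user setting) and
#    "Download roaming profiles on primary computers only" (computer setting).
#    The registry value names are an assumption taken from the ADMX files;
#    check them in Group Policy Management Editor before relying on this.
Set-GPRegistryValue -Name 'Folder Redirection' -Key 'HKCU\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'PrimaryComputerEnabledFR' -Type DWord -Value 1
Set-GPRegistryValue -Name 'Folder Redirection' -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'PrimaryComputerEnabledRUP' -Type DWord -Value 1
```

After gpupdate and a fresh sign-in, Adam's profile roams and Documents is redirected on LON-CL1 and LON-CL2 only; on any other domain computer the client keeps a local profile and leaves Documents in it, which is the data-leakage control this topic describes. Clients older than Windows 8 ignore the attribute and the two policy settings, so on those computers the user still roams.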
Question: Do you need Windows Server 2012 or newer domain controllers in your network
to limit where Folder Redirection and roaming user profiles will be available?

Lesson 2

Configuring User State Virtualization


UE-V is an enterprise-scale User State Virtualization solution that synchronizes application and operating
system settings across many devices in a domain environment. It requires an agent on each client device,
and it stores configuration data on a shared folder. An administrator can use Group Policy to configure
UE-V settings and control which application settings will synchronize. Before you can use UE-V, you
first must deploy the UE-V agent to each computer on which you want to use UE-V for settings
synchronization. You also must create and share the folder for the settings storage location. If you want
to synchronize more than just the default settings, you also must create custom settings location templates,
store them in the settings template catalog, and configure clients with the settings template catalog
location.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe UE-V.
• Explain how UE-V works.
• Explain how UE-V synchronizes settings.
• Compare roaming user profiles, Microsoft account, and UE-V.
• Explain how to prepare the environment for deploying UE-V.
• Explain how to deploy UE-V.
• Explain how to manage UE-V by using Group Policy.
• Explain how to create and edit UE-V templates.

Overview of UE-V
For users who work on multiple computers, you can use roaming user profiles and Folder Redirection to
make their settings and data available on every domain computer to which they sign in. An administrator
can configure a user's primary computers list to control which computers will use Folder Redirection and
roaming user profiles. However, roaming user profiles and Folder Redirection include all user profile
settings and data.

UE-V is an enterprise solution that enables synchronization of operating system settings, desktop app
settings, and Windows Store app settings between computers in the same AD DS domain environment.
Administrators can precisely control to which computers settings will roam, and which settings will roam.
In contrast to roaming user profiles, where everything in the profile roams, with UE-V nothing roams
unless it is specifically enabled. UE-V provides several default settings location templates that define
where each application stores its settings. Administrators can create additional settings location
templates, and UE-V will synchronize only those settings that are defined and enabled in the settings
location templates.
Note: For Windows Store apps, you only can control if UE-V will synchronize its settings or
not. You cannot control which Windows Store app settings will be synchronized.


UE-V stores settings on a network location as soon as a user closes an application, and those settings can
synchronize on other computers without the user having to sign out. Computers periodically synchronize
their settings with a network location, and if computers have permanent connectivity to a network
location, you can configure them to use those settings immediately.
Note: If a user links a Microsoft account with his or her domain account, UE-V only
synchronizes settings for desktop apps. Users can synchronize other settings, such as operating
system settings and Windows Store apps settings, by using Microsoft OneDrive (formerly
known as SkyDrive).

UE-V synchronizes settings between apps on different platforms, as long as they are stored in the same
location. Regardless of how an app is deployed, UE-V can synchronize settings between locally installed
apps on one computer, Microsoft Application Virtualization (App-V) apps on another computer, and
RemoteApp programs on another Remote Desktop Session Host computer. UE-V also can synchronize
settings between Windows Store apps and between physical and virtual computers, such as the virtual
desktops used in Virtual Desktop Infrastructure (VDI) implementations.
Note: UE-V is not part of the Windows operating system. It is available as a part of the
Microsoft Desktop Optimization Pack, which is available to customers with an appropriate
agreement with Microsoft.
Before you can use UE-V, you must install the UE-V agent on each computer on which you want
to synchronize settings by using UE-V.
Microsoft Desktop Optimization Pack (MDOP)
http://go.microsoft.com/fwlink/?LinkId=392419
Note: UE-V can synchronize settings only, not user data. To make user data available from
multiple domain computers, use Folder Redirection.
You can use UE-V to synchronize operating system settings, apps settings, and Windows Store apps
settings between computers that run supported operating systems and are members of the AD DS
domain. The following table lists the operating systems and system requirements for using UE-V.
Operating system                              | Edition                                        | Architecture    | Microsoft .NET Framework
Windows 7 Service Pack 1 (SP1)                | Ultimate, Enterprise, or Professional          | 32-bit or 64-bit | .NET Framework 4 or newer
Windows Server 2008 R2 SP1                    | Standard, Enterprise, Datacenter, or Web Server | 64-bit          | .NET Framework 4 or newer
Windows 8 and Windows 8.1                     | Pro or Enterprise                              | 32-bit or 64-bit | .NET Framework 4.5
Windows Server 2012 and Windows Server 2012 R2 | Standard or Datacenter                        | 64-bit          | .NET Framework 4.5


Besides the requirements for supported operating systems, there are no additional random access
memory (RAM) requirements for UE-V. Administrator user rights are required to install the UE-V agent,
and you must restart the computer to make the UE-V agent operational.

UE-V Windows PowerShell Prerequisites

You must install .NET Framework 4 or newer and Windows PowerShell 3.0 or newer before you can install
the UE-V agent. A default installation of Windows 8 or Windows 8.1 meets those requirements. However,
on Windows 7 SP1, you first need to install Windows PowerShell 3.0 before you can install the UE-V agent.

Computer clock synchronization

UE-V compares local time on a client computer with the time stamp of the stored settings on a network
location to decide if settings synchronization is required. Because of that, computer clocks on UE-V client
computers should be synchronized, which is the default behavior in an AD DS environment. If computer
clocks are not synchronized, older settings can overwrite newer settings, or newer settings might not be
stored to the network location.
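A prerequisite check that a practitioner would run on a client before pushing the agent, written here as an added example (it is not from the course). It covers the Windows PowerShell and .NET Framework requirements above and the clock-skew failure mode just described. It assumes LON-DC1 is the client's time source and that it runs in an elevated Windows PowerShell session; the 60-second skew limit is a chosen threshold, not a documented UE-V value.

```powershell
# Added example: UE-V agent prerequisite check for one client.
# Assumptions (not from the course): time source LON-DC1, elevated session,
# 60 s as the acceptable clock offset.
function Test-UevPrerequisite {
    param(
        [string]$TimeSource = 'LON-DC1',
        [double]$MaxClockSkewSeconds = 60
    )
    $result = [ordered]@{}

    # Windows PowerShell 3.0 or newer. Windows 7 SP1 ships 2.0 and needs the
    # Windows Management Framework 3.0 update before the agent will install.
    $result.PowerShellVersion = $PSVersionTable.PSVersion
    $result.PowerShellOk = $PSVersionTable.PSVersion -ge [version]'3.0'

    # .NET Framework 4.x "Full" profile. Release >= 378389 means 4.5 or newer,
    # which Windows 8/8.1 require; any v4 Full install satisfies Windows 7 SP1.
    $ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
    $result.DotNet4Present = [bool]$ndp
    $result.DotNet45Present = ($ndp -and $ndp.Release -ge 378389)

    # Edition check: UE-V supports Pro/Enterprise/Ultimate clients and server
    # SKUs only, so a Core or Home edition fails here (string match is heuristic).
    $os = Get-CimInstance Win32_OperatingSystem
    $result.Edition = $os.Caption
    $result.EditionOk = $os.Caption -match 'Pro|Enterprise|Ultimate|Server'

    # Clock skew. UE-V compares the local clock with the time stamp of the stored
    # settings package; a skewed clock lets stale settings overwrite newer ones
    # or keeps new settings from being uploaded. w32tm /stripchart prints the
    # offset as e.g. "12:01:05, +00.0031250s".
    $chart = & w32tm /stripchart "/computer:$TimeSource" /samples:1 /dataonly 2>&1
    $line = $chart | Where-Object { $_ -match '([+-]\d+\.\d+)s' } | Select-Object -Last 1
    if ($line -and $line -match '([+-]\d+\.\d+)s') {
        $result.ClockOffsetSeconds = [double]$Matches[1]
        $result.ClockOk = [math]::Abs($result.ClockOffsetSeconds) -le $MaxClockSkewSeconds
    } else {
        # Time source unreachable: treat as a failure rather than assume it is fine.
        $result.ClockOffsetSeconds = $null
        $result.ClockOk = $false
    }

    $result.Ready = $result.PowerShellOk -and $result.DotNet4Present -and $result.EditionOk -and $result.ClockOk
    [pscustomobject]$result
}

Test-UevPrerequisite | Format-List
```

Run it on each candidate client, or wrap it in Invoke-Command for many. A ClockOk of False with a large offset is the case to fix before deployment rather than after: once the agent is running, the symptom is silently lost or reverted settings, which is hard to distinguish from a template problem.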
Question: Can you synchronize user documents between computers by using UE-V?

How UE-V Works


To understand better the workings of UE-V, you should be familiar with its high-level architecture and the
components that enable synchronization of settings between computers. The following sections describe
the elements that are part of a standard UE-V deployment.

UE-V Agent

You must install the UE-V agent on every computer that will synchronize settings. The UE-V agent
monitors changes to settings and synchronizes them between computers. It stores settings on a network
location called the settings storage location, and it periodically synchronizes the local cache with the
settings storage location. When you start an app, the UE-V agent applies settings from the local cache, and
when you close an app, the UE-V agent stores the app settings to the settings storage location. This means
that app settings are available for synchronization as soon as you close an app. However, remember that
when you start an app, by default, settings from the local cache are used, not settings from the settings
storage location on the network. In an environment where a computer has permanent network connectivity,
you can modify this behavior and always use the settings from the settings storage location on the
network. Operating system settings are applied at sign-in, when a computer is unlocked, or when a user
connects remotely to a computer. The UE-V agent saves settings when a user signs out, when a computer
is locked, or when a remote session is disconnected.

Settings Storage Location

A settings storage location is the network location where the UE-V agent stores the settings that are
synchronized. Administrators can specify this location during UE-V agent installation, in AD DS as a user's
home folder, or by using Group Policy. The settings storage location can be on any file share where users
have read and write access. The UE-V agent verifies the location and creates a hidden system folder
named SettingsPackages into which it stores settings.

Settings Location Template


A settings location template is an XML file that specifies the settings locations where values are stored on
a computer, not the settings values. Only settings defined in the settings location templates are captured
and applied on UE-V client computers. Several settings location templates, such as Microsoft Office 2010,
Microsoft Office 2007, Windows Internet Explorer 8, Windows Internet Explorer 9, Internet Explorer 10,
and desktop settings, are included with UE-V. Administrators can create additional settings location
templates by using UE-V Generator.

Settings Template Catalog

A settings template catalog is a folder that stores settings location templates. This usually is a shared
folder, although a settings template catalog also can be a local folder. By default, a UE-V agent reads new
or updated settings location templates from this folder once per day. This is done by a scheduled task
named Template Auto Update, which runs daily at 3:30 A.M., and it applies the changes (modified, added,
or removed templates) to the UE-V agent. If only the default settings location templates are used, then
the settings template catalog is not used.

Settings Packages

Desktop app settings, Windows settings, and Windows Store app settings are stored in settings packages,
which the UE-V agent creates in the settings storage location. A settings package is a collection of settings
that are defined in the settings location templates. A UE-V agent that runs on one computer reads and
writes to a settings storage location independently of UE-V agents that run on other computers. The most
recent settings and values are applied when the next UE-V agent synchronizes with the settings storage
location.

UE-V Generator

UE-V includes several operating system and application settings location templates. When you need to
synchronize the settings of additional applications, you can use the UE-V Generator to create additional,
custom settings location templates. UE-V Generator monitors the registry (the HKEY_CURRENT_USER
registry subtree) and file system (the AppData\Roaming and AppData\Local folders in user profiles) to
discover where application settings are stored. Administrators can modify a generated template and
include it in the settings template catalog. You also can use the UE-V Generator for editing existing
templates or for validating templates that were created in another XML editor.
Question: How often is the settings template catalog checked for changes?

How UE-V Synchronizes Settings


When you sign in to a Windows operating system, UE-V synchronizes settings from a network settings
storage location with the local cache. After that, the local cache is synchronized periodically with the
settings storage location, every 30 minutes by default. Synchronization is triggered by a scheduled task
named Sync Controller Application, which is created when you install a UE-V agent. You also can trigger
synchronization manually by using Company Settings Center, which is installed automatically during a
UE-V agent installation.

When you start an app, UE-V applies settings to the app from the local cache. App settings are saved to a
network settings storage location when the app is closed. This means that a user does not have to sign
out and then sign in to another computer to synchronize app settings, as is the case when roaming user
profiles are used. When using UE-V to synchronize settings, the user can be signed in to multiple
computers at the same time. When you configure app settings and close an app, the app settings are
written to the settings storage location in a settings package. When the user starts the application on
another computer, the UE-V agent reads and applies app settings from the local cache on that computer.
If the local cache has not yet synchronized with the settings storage location, you can wait for
synchronization to occur, trigger synchronization manually, or modify the UE-V configuration to always
use the settings from the settings storage location on the network. The user experience with UE-V is
similar to having app settings roam with a user.
Note: If computers have permanent connections to a settings storage location, you can
configure the UE-V agent to always apply the settings from the network settings storage location.
You can do so by setting the synchronization method (SyncMethod) to none, for example, when
installing a UE-V agent or by running the Set-UevConfiguration cmdlet.

Desktop background and Ease of Access settings are applied when a user signs in, when a computer is
locked, or when a remote connection is established. To optimize the sign-in experience, these settings
are not synchronized by default. You can enable desktop background and Ease of Access settings by
using Company Settings Center, Group Policy, the Windows PowerShell cmdlet Enable-UevTemplate, or
Windows Management Instrumentation (WMI). Like synchronizing app settings, a user does not have to
sign out to store Windows settings to the settings storage location. The UE-V agent saves settings when a
user signs out, when a computer is locked, or when a remote connection is disconnected.

Users sometimes accidentally modify settings. UE-V provides the capability to restore application
or operating system settings to the initial values that were on a computer before the first UE-V
synchronization of settings. UE-V can restore settings on a per-application or per-operating system
setting basis. The settings are restored the next time a user starts the application or when a user signs in
to an operating system. You can restore settings only by using Windows PowerShell or WMI; there is no
graphical interface for it. UE-V provides the Restore-UevUserSetting Windows PowerShell cmdlet, which
you can use to restore user settings for an application or a group of Windows settings.
Question: Does a user have to sign out to synchronize application settings when using
UE-V?
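The SyncMethod change, the optional Windows settings templates, and the Restore-UevUserSetting rollback from this topic as one Windows PowerShell session on a client. This is an added example, not course material. It assumes the UE-V 2.0 agent is installed, that the shares \\LON-DC1\UEVSettings and \\LON-DC1\UEVCatalog exist, and uses the cmdlet and parameter names from the UE-V 2.0 documentation; confirm them with Get-Help on the agent version you deploy.

```powershell
# Added example: configure and operate the UE-V agent from Windows PowerShell.
# Assumptions (not from the course): UE-V 2.0 agent, shares \\LON-DC1\UEVSettings
# and \\LON-DC1\UEVCatalog, elevated session for the -Computer settings.
Import-Module UEV

# Per-computer configuration. SyncMethod None makes the agent read the settings
# package from the network share when an app starts instead of from the local
# cache; use it only where the share is always reachable, because with an
# unreachable share app launch waits for the synchronization timeout.
Set-UevConfiguration -Computer `
    -SettingsStoragePath '\\LON-DC1\UEVSettings\%username%' `
    -SettingsTemplateCatalogPath '\\LON-DC1\UEVCatalog' `
    -SyncMethod None

# Desktop background and Ease of Access templates are disabled by default to
# keep sign-in fast. Template IDs differ between UE-V versions, so select them
# by name instead of hardcoding an ID.
Get-UevTemplate |
    Where-Object { $_.TemplateName -match 'Desktop|Ease of Access' } |
    ForEach-Object { Enable-UevTemplate -ID $_.TemplateId }

# Roll back one application's settings to the state captured before the first
# UE-V synchronization (for example after a user roamed a broken configuration).
# The restore is applied the next time the user starts that application.
$office = Get-UevTemplate |
    Where-Object { $_.TemplateName -like 'Microsoft Office 2010*' } |
    Select-Object -First 1
if ($office) { Restore-UevUserSetting -TemplateId $office.TemplateId }

# Show the effective configuration (Group Policy wins over these local values)
# and the last synchronization result for this user.
Get-UevConfiguration
Get-UevStatus
```

Get-UevConfiguration is the quickest way to see the precedence rule described later in this lesson in action: a value you set with Set-UevConfiguration is reported as the effective value only when no user or computer Group Policy setting overrides it.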

Comparing Roaming User Profiles, Microsoft Account, and UE-V

When you want to synchronize settings between the different computers that a user signs in to, you can
use different solutions such as roaming user profiles, Microsoft account, or UE-V. Microsoft account is the
only solution that can synchronize settings even if computers are not domain-joined, but it requires
Internet connectivity because it stores settings in the cloud. You can synchronize Windows Store app
configurations only when signing in with a Microsoft account or by using UE-V. When a user has a
Microsoft account linked to his or her domain account, UE-V will synchronize desktop app settings only.
You can use Microsoft account and OneDrive synchronization to synchronize other settings.

Note: Microsoft account provides you with a unified identity, which you can use for
accessing Microsoft and non-Microsoft cloud services. You can link your domain or workgroup
account with your Microsoft account, and you can also use it for transparent access to Microsoft
Store, OneDrive, or for signing in to Windows 8.1.


Roaming user profiles can synchronize only the entire profile, including the settings and data that are
stored in the profile. You cannot control which settings you want to synchronize, but in Windows 8 and
Windows 8.1, you can control which computers you want to synchronize settings on by configuring the
Primary Computer user Active Directory attribute. Roaming user profiles are copied to a file server only
when users sign out, and they are not synchronized periodically. When you configure Folder Redirection,
redirected folders are exempt from this copying.

If you use UE-V, to be able to synchronize settings, you must install a UE-V agent on the computer.
UE-V can synchronize only those settings that are defined in settings location templates, and it is the
only solution that can synchronize settings between physical and virtual applications. UE-V also is the only
solution that applies settings periodically, and not only when the user signs in. UE-V is not included in the
operating system, and you must obtain and license it separately. On the other hand, roaming user profiles
is a feature of domain-joined computers that run any version of the Windows operating system. Microsoft
account is freely available, and you can use it to sign in on any computer that runs Windows 8 or
Windows 8.1.
Question: Can you use Microsoft account to synchronize settings between Windows 7
computers and Windows 8.1 computers?

Preparing the Environment for Deploying UE-V


Before deploying UE-V, you first should prepare the environment for the deployment. This includes the
following steps:

1. Configure the settings storage location where UE-V will store settings packages, which are the settings
   that will be synchronized between computers. This can be either the user home directory, if you have
   it configured in AD DS, or a network share that is available from each computer. If the user home
   directory is to be used as the settings storage location, you should ensure that the user has the home
   folder configured and that it is set on the Profile page of the user properties in Active Directory Users
   and Computers. If a network share is to be used as the settings storage location, you should create
   and share the folder with the permissions shown in the following tables.

   Share permissions:
   Account                      | Share permissions
   Administrators               | Full Control
   Security group of UE-V users | Full Control

   File (NTFS) permissions:
   Account                      | File permissions                                  | Apply to
   Administrators               | Full Control                                      | This folder, subfolders, and files
   Creator/owner                | Full Control                                      | Subfolders and files only
   Security group of UE-V users | List Folder/Read Data, Create Folders/Append Data | This folder only

   You can configure the UE-V agent with the settings storage location by using an installation
   parameter, a Windows PowerShell cmdlet, or Group Policy settings. If users have a home directory
   defined and you also configure a network share as the settings storage location, UE-V will store
   settings packages on the network share, not in the user home directory.
2. Configure the settings template catalog. The settings template catalog is not required, and it will be
   used only if you want to use UE-V to synchronize additional application settings in addition to the
   ones that are provided by default. The settings template catalog is a network share where custom
   settings location templates are stored. If your UE-V deployment will use the settings template catalog,
   you should create and share a folder with the permissions shown in the following tables.

   Share permissions:
   Account          | Share permissions
   Everyone         | No permissions
   Domain computers | Read permission
   Administrators   | Read/write permission

   File (NTFS) permissions:
   Account          | File permissions              | Apply to
   Creator/owner    | Full Control                  | This folder, subfolders, and files
   Domain computers | List Folder Contents and Read | This folder, subfolders, and files
   Everyone         | No Permissions                |
   Administrators   | Full Control                  | This folder, subfolders, and files

   You can configure the UE-V agent with the settings template catalog location by using an installation
   parameter, a Windows PowerShell cmdlet, or Group Policy settings.
3. Add UE-V Group Policy administrative templates. You can configure UE-V by using Group Policy, but
   before doing so, you must add the UE-V administrative templates, which are .admx and .adml files, to
   the appropriate location. This could be either the local %SystemRoot%\PolicyDefinitions folder on each
   computer from where you will configure Group Policy, or the central store on the domain controller,
   %SystemRoot%\SYSVOL\domain\Policies\PolicyDefinitions, if your domain environment is configured
   to use it. After you copy the UE-V Group Policy administrative templates to this location, the Microsoft
   User Experience Virtualization node appears under Policies\Administrative Templates
   \Windows Components in the Computer Configuration and User Configuration parts of Group Policy
   settings.
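Steps 1 and 2 as a script that creates both shares with exactly the permissions from the tables above. This is an added example, not course material. It assumes the file server is LON-DC1, local paths D:\UEV\Settings and D:\UEV\Catalog, and a domain group named ADATUM\UE-V Users for the users who roam settings; it runs elevated on the file server.

```powershell
# Added example: settings storage location and settings template catalog shares
# with the permissions from the course tables. Assumptions (not from the course):
# server LON-DC1, paths D:\UEV\Settings and D:\UEV\Catalog, group "UE-V Users".
$settingsPath = 'D:\UEV\Settings'
$catalogPath  = 'D:\UEV\Catalog'
$uevUsers     = 'ADATUM\UE-V Users'
$domainPCs    = 'ADATUM\Domain Computers'
$admins       = 'BUILTIN\Administrators'

New-Item -ItemType Directory -Path $settingsPath, $catalogPath -Force | Out-Null

# --- Settings storage location -------------------------------------------
# Share: Administrators and the UE-V users group get Full Control; NTFS does the
# real restriction. Because explicit access is given, New-SmbShare does not add
# the default "Everyone: Read" entry.
New-SmbShare -Name 'UEVSettings' -Path $settingsPath -FullAccess $admins, $uevUsers | Out-Null

# NTFS: remove inherited ACEs, then
#   Administrators   Full Control, this folder, subfolders and files  (OI)(CI)F
#   CREATOR OWNER    Full Control, subfolders and files only          (OI)(CI)(IO)F
#   UE-V users       List Folder/Read Data + Create Folders/Append Data,
#                    this folder only                                 (RD,AD)
# Each user can create only his or her own subfolder and, as its creator/owner,
# gets Full Control of it; nobody else can read another user's settings packages.
icacls $settingsPath /inheritance:r `
    /grant "${admins}:(OI)(CI)F" `
    /grant "CREATOR OWNER:(OI)(CI)(IO)F" `
    /grant "${uevUsers}:(RD,AD)" | Out-Null

# --- Settings template catalog --------------------------------------------
# Share: Domain Computers read, Administrators read/write (Change), no Everyone.
# The agent reads templates in the computer's security context, so the grant
# is to computer accounts rather than to users.
New-SmbShare -Name 'UEVCatalog' -Path $catalogPath -ReadAccess $domainPCs -ChangeAccess $admins | Out-Null

# NTFS: creator/owner and Administrators Full Control; Domain Computers
# List Folder Contents and Read (RX) on the folder, subfolders and files.
icacls $catalogPath /inheritance:r `
    /grant "${admins}:(OI)(CI)F" `
    /grant "CREATOR OWNER:(OI)(CI)F" `
    /grant "${domainPCs}:(OI)(CI)RX" | Out-Null

# Review the result before pointing any agent at the shares.
Get-SmbShareAccess -Name 'UEVSettings', 'UEVCatalog'
icacls $settingsPath
icacls $catalogPath
```

Keeping write access to the catalog limited to administrators is a security control, not tidiness: a settings location template tells every agent which registry keys and profile files to capture and apply, so anyone who can drop a template into the catalog can make every client in the domain collect and replay arbitrary per-user state within a day (the Template Auto Update task runs daily). Test the storage share with a non-administrator member of the group: the user should be able to create a folder under the share root but not list or open other users' folders.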

Microsoft Desktop Optimization Pack Administrative Templates download page


http://go.microsoft.com/fwlink/?LinkId=378225&clcid=0x409

Question: What must you do before you can use Group Policy to configure UE-V?

Deploying UE-V
You must install the UE-V agent on each computer that will use UE-V to synchronize settings. The UE-V
installation file supports various command-line parameters such as SettingsStoragePath,
SettingsTemplateCatalogPath, and SyncMethod, which you can use for initial UE-V configuration. All
command-line parameters are documented in the UE-V administrator's guide on the Microsoft TechNet
website.

You can deploy the UE-V agent by using almost any software or operating system deployment tool, such
as manual installation or Group Policy, or by including it in the standard desktop image. The following
table lists various deployment methods and when to use them.
Method: Group Policy. Use this method when:
• You deployed software already by using Group Policy.
• You want to deploy the UE-V agent to existing computers.
• You want to deploy the UE-V agent after operating system images are deployed.
• You are configuring the UE-V agent by using Group Policy and not by using command-line options.
• Computers have high-speed, persistent connections to the shared folder containing the installation
  files.

Method: Microsoft Deployment Toolkit 2012. Use this method when:
• You use the Microsoft Deployment Toolkit (MDT) for operating system deployment.
• You want to deploy the UE-V agent as part of an operating system deployment.

Method: Windows Intune. Use this method when:
• You used Windows Intune already for client management.
• You want to deploy the UE-V agent without requiring additional infrastructure.
• You have computers in multiple locations with limited connectivity between locations.

Method: Microsoft System Center 2012 R2 Configuration Manager. Use this method when:
• You used System Center 2012 R2 Configuration Manager already for application and operating system
  deployment.
• You want to use one deployment tool to deploy the UE-V agent to existing computers and during
  operating system deployment.
• Computers have high-speed, persistent connections to the distribution points where the UE-V agent
  installation files are located.
• You want to manage and maintain your application deployments centrally.

Method: Scripted installation. Use this method when:
• You want to script the installation as part of an operating system installation, and you are not using
  MDT or System Center 2012 R2 Configuration Manager.
• You want to deploy the UE-V agent by using a third-party Electronic Software Distribution system.
• Computers might not have high-speed, persistent connections to the enterprise network, and
  installation from local media is required.


After the UE-V agent is installed, you must restart the computer to make the UE-V agent operational.
After the installation, a new service named User Experience Virtualization is installed. Also, the following
six scheduled tasks are added:

• Collect CEIP data
• Monitor Application Settings
• Sync Controller Application
• Synchronize Settings at Logoff
• Template Auto Update
• Upload CEIP data

These tasks periodically synchronize the local cache with the settings storage location, check for
updates in the UE-V settings location templates, and upload data if you joined the Customer Experience
Improvement Program (CEIP). UE-V agent installation also installs the Company Settings Center, which
you can use to control what settings UE-V should synchronize, to trigger the synchronization manually,
and to view the synchronization status of UE-V.
Microsoft User Experience Virtualization (UE-V) 1.0
http://go.microsoft.com/fwlink/?LinkId=378226&clcid=0x409
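A scripted installation of the agent with the three command-line parameters named in this topic, followed by the post-install check a practitioner would run to confirm the service and the six scheduled tasks exist. This is an added example and not course material. It assumes the agent bootstrapper AgentSetup.exe from the MDOP media is available at \\LON-DC1\Software\UEV, that the UEVSettings and UEVCatalog shares from the preparation step exist, that the script runs elevated, and that the scheduled tasks live in the \Microsoft\UE-V\ task folder (true for UE-V 2.0; verify on your version).

```powershell
# Added example: scripted UE-V agent install plus verification.
# Assumptions (not from the course): AgentSetup.exe at \\LON-DC1\Software\UEV,
# shares \\LON-DC1\UEVSettings and \\LON-DC1\UEVCatalog, elevated session,
# tasks under \Microsoft\UE-V\ (UE-V 2.0 layout).
$setup = '\\LON-DC1\Software\UEV\AgentSetup.exe'
$setupArgs = @(
    '/quiet', '/norestart',
    'SettingsStoragePath=\\LON-DC1\UEVSettings\%username%',
    'SettingsTemplateCatalogPath=\\LON-DC1\UEVCatalog',
    'SyncMethod=SyncProvider'     # default: use the local cache; None = always read the share
)
$proc = Start-Process -FilePath $setup -ArgumentList $setupArgs -Wait -PassThru
# 3010 = ERROR_SUCCESS_REBOOT_REQUIRED; the agent is not operational until restart.
if ($proc.ExitCode -notin @(0, 3010)) {
    throw "Agent setup failed with exit code $($proc.ExitCode)"
}

function Test-UevAgentInstalled {
    param([int]$SetupExitCode = 0)

    # The course names the service by its display name; the service name itself
    # is UevAgentService on UE-V 1.0 SP1/2.0 (assumption, confirm with Get-Service).
    $svc = Get-Service -DisplayName 'User Experience Virtualization' -ErrorAction SilentlyContinue

    # Get-ScheduledTask exists on Windows 8/Server 2012 and newer; on Windows 7
    # use "schtasks /query /tn \Microsoft\UE-V\<task>" instead.
    $tasks = Get-ScheduledTask -TaskPath '\Microsoft\UE-V\' -ErrorAction SilentlyContinue
    $expected = 'Collect CEIP data', 'Monitor Application Settings', 'Sync Controller Application',
                'Synchronize Settings at Logoff', 'Template Auto Update', 'Upload CEIP data'
    $missing = $expected | Where-Object { $_ -notin @($tasks.TaskName) }

    [pscustomobject]@{
        ServicePresent = [bool]$svc
        ServiceStatus  = if ($svc) { $svc.Status } else { 'Not installed' }
        TasksFound     = @($tasks).Count
        MissingTasks   = ($missing -join ', ')
        RebootPending  = ($SetupExitCode -eq 3010)
        Ready          = ([bool]$svc -and -not $missing -and $SetupExitCode -eq 0)
    }
}

Test-UevAgentInstalled -SetupExitCode $proc.ExitCode
```

The same command line works unchanged as an MDT application command or a Configuration Manager program, which is why the table above treats those tools as packaging choices rather than different installation methods. Note that the parameters given at install time are local agent configuration: any matching Group Policy setting overrides them, as the precedence order in the next topic describes.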
Question: Where can users see UE-V synchronization status and manually trigger UE-V
synchronization?

Managing UE-V by Using Group Policy


You can manage the UE-V agent by using Group Policy. By default, Group Policy does not include settings
related to UE-V, so you first must download and install the UE-V ADMX templates. You can download the
templates from the Microsoft Download Center and copy them to the local PolicyDefinitions folder or the
central Group Policy store. The .admx file must be placed in the PolicyDefinitions folder. The .adml file
must be placed in the language-specific subfolder, PolicyDefinitions\en-US for English.


After you install the UE-V Group Policy ADMX files, the Microsoft User Experience Virtualization node
appears under Policies\Administrative Templates\Windows Components in the Group Policy Management
Editor window. You can configure some UE-V Group Policy settings only for computers, some only for
users, and some for both. The following table lists the policy settings that you can configure for UE-V.
Policy setting name                       | Target              | Policy setting description
Use User Experience Virtualization (UE-V) | Computers and Users | This policy setting allows you to enable or disable UE-V.
Settings storage path                     | Computers and Users | This policy setting configures where the user settings will be stored.
Settings template catalog path            | Computers Only      | This policy setting configures where custom settings location templates are stored. This policy setting also configures whether the catalog will be used to replace the default Microsoft templates that are installed with the UE-V agent.
Do not use the Sync Provider              | Computers and Users | This policy setting allows you to configure whether UE-V will use the Sync Provider feature. This policy setting also allows you to enable a notification when the import of user settings is delayed.
Synchronization timeout                   | Computers and Users | This policy setting configures the number of milliseconds (ms) that the computer waits before a timeout when retrieving user settings from the remote settings location. If the remote storage location is unavailable, the application launch is delayed by that many ms.
Package size warning threshold            | Computers and Users | This policy setting allows you to configure the UE-V agent to report when a settings package file size reaches a defined threshold.
First Use Notification                    | Computers Only      | This policy setting enables a notification in the notification area that appears when the UE-V agent runs for the first time.
Tray Icon                                 | Computers Only      | This policy setting enables the UE-V tray icon.
Do not synchronize Windows 8 Apps         | Computers and Users | This policy setting defines whether the UE-V agent synchronizes settings for Windows Store apps.
Roam Applications settings                | Users Only          | This is a multiple policy setting to configure the roaming of user settings of each individual application.
Roam Windows settings                     | Users Only          | This policy setting configures the roaming of Windows settings.

UE-V settings that can be configured in different places have the following order of precedence:
1. User-targeted settings managed by Group Policy.
2. Computer-targeted settings managed by Group Policy.
3. Configuration settings defined by the current user who is using Windows PowerShell or WMI.
4. Configuration settings defined for the computer that is using Windows PowerShell or WMI.

This means that if the same UE-V settings are configured in multiple places, configuration in the user part
of Group Policy has precedence over configuration in the computer part of Group Policy. Group Policy
has precedence over locally configured settings.
Question: When will a UE-V setting that is configured through Group Policy be effective on
a UE-V client?
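To make the precedence order concrete, here is an added PowerShell example (not part of the course and not UE-V's own code) that walks the four configuration sources in that order, reports which one supplies each effective setting, and cross-checks the result against what Get-UevConfiguration reports. The registry locations and the registry value names are assumptions about where the UE-V agent reads policy and local configuration; confirm them against the UserExperienceVirtualization.admx file before relying on the output.

```powershell
# Added example, not part of the course or of UE-V itself.
# For each UE-V setting, report which configuration source supplies the effective
# value, walking the sources in the precedence order given in this lesson:
# user Group Policy, computer Group Policy, user local (PowerShell/WMI), computer local.
# ASSUMPTION: these registry keys are where the agent reads policy and local settings.
$UevSources = @(
    @{ Name = '1. Group Policy (user)';     Path = 'HKCU:\SOFTWARE\Policies\Microsoft\UEV\Agent\Configuration' }
    @{ Name = '2. Group Policy (computer)'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\UEV\Agent\Configuration' }
    @{ Name = '3. Local (user)';            Path = 'HKCU:\SOFTWARE\Microsoft\UEV\Agent\Configuration' }
    @{ Name = '4. Local (computer)';        Path = 'HKLM:\SOFTWARE\Microsoft\UEV\Agent\Configuration' }
)

# ASSUMPTION: the registry value names match the property names Get-UevConfiguration shows.
$UevSettingNames = 'SettingsStoragePath', 'SettingsTemplateCatalogPath', 'SyncMethod'

function Get-UevSettingSource {
    param([string[]]$SettingName = $UevSettingNames)
    foreach ($name in $SettingName) {
        $winner = $null
        foreach ($source in $UevSources) {
            if (-not (Test-Path -LiteralPath $source.Path)) { continue }
            $value = (Get-ItemProperty -LiteralPath $source.Path -Name $name -ErrorAction SilentlyContinue).$name
            if ($null -ne $value) {
                # The first source found in precedence order wins; any lower source is shadowed.
                $winner = [pscustomobject]@{ Setting = $name; Source = $source.Name; Value = $value }
                break
            }
        }
        if ($null -eq $winner) {
            $winner = [pscustomobject]@{ Setting = $name; Source = 'agent default'; Value = $null }
        }
        $winner
    }
}

function Compare-UevEffectiveConfiguration {
    # Cross-check against what the agent itself reports as effective. A mismatch means
    # either a path assumption above is wrong or a source outside these four is in play;
    # a SettingsStoragePath that policy did not set is worth investigating either way.
    $effective = Get-UevConfiguration
    foreach ($row in Get-UevSettingSource) {
        $reported = $effective.($row.Setting)
        [pscustomobject]@{
            Setting  = $row.Setting
            Source   = $row.Source
            Expected = $row.Value
            Reported = $reported
            Match    = ("$($row.Value)" -eq "$reported")
        }
    }
}

Compare-UevEffectiveConfiguration | Format-Table -AutoSize
```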

Creating and Editing UE-V Templates

UE-V only synchronizes settings that are defined in the locations specified by the settings location
templates. Settings location templates are .xml files that specify, for each application, where in the registry
and where on the file system it stores its settings. UE-V includes several predefined settings location
templates, and administrators can create additional templates for third-party applications. Not all
application settings can safely roam between computers. Settings that synchronize by using UE-V should
meet the following criteria:

Settings must be stored in an accessible location. UE-V can synchronize settings only in the
HKEY_CURRENT_USER registry subtree and the AppData\Roaming or AppData\Local folders in a
user profile. If an application stores its settings in other locations, you cannot synchronize its settings
by using UE-V.

Settings should not be specific to a particular computer. Some settings such as network configuration
are relevant only for a certain computer and should not be synchronized with other computers.

Settings must be synchronized without the risk of corrupting data. For example, if settings are stored
in a database file, these settings should not be synchronized by using UE-V. You should consider
some other solution, such as storing the database file with configuration settings on a network
location.

When you install a UE-V agent, it includes settings location templates for operating system settings
and common Microsoft applications. You can view the list of registered settings location templates by
running the Get-UevTemplate cmdlet. These templates are stored in the Microsoft User Experience
Virtualization\Templates folder and include the desktop apps and Windows settings in the following table.
Application category or Windows settings: Microsoft Office 2007
Description: Applications from the Microsoft Office 2007 family

Application category or Windows settings: Microsoft Office 2010
Description: Applications from the Microsoft Office 2010 family

Application category or Windows settings: Browser options (Windows Internet Explorer 8, Windows Internet
Explorer 9, and Internet Explorer 10)
Description: Favorites, home page, tabs, and toolbars

Application category or Windows settings: Windows accessories
Description: Calculator, Notepad, WordPad

Application category or Windows settings: Desktop background
Description: Currently active desktop background

Application category or Windows settings: Ease of Access
Description: Accessibility and input settings, Magnifier, Narrator, and on-screen keyboard

Application category or Windows settings: Desktop settings
Description: Start menu and taskbar settings, folder options, default desktop icons, additional clocks, and
region and language settings

Note: You can download Microsoft Office 2013 UE-V templates from the UE-V 2.0
template gallery.
Microsoft UE-V 2.0 template gallery
http://go.microsoft.com/fwlink/p/?LinkId=246589

UE-V also synchronizes Windows Store app settings. Settings location templates are not used for
Windows Store apps because they synchronize only the settings that were configured to synchronize by
the app developer. You can run the Windows PowerShell cmdlet Get-UevConfiguration to view the list
of Windows Store apps for which settings are synchronized.

If you want to synchronize app settings that are not covered by default settings location templates, then
you must create additional settings location templates. If the settings location template for your app has
been developed already, you can obtain it online.
TechNet Gallery - resources for IT professionals
http://go.microsoft.com/fwlink/?LinkId=378227&clcid=0x409

You also can use UE-V Generator to create custom settings location templates and store them in a
settings template catalog. You do not need to copy the default settings location templates to the settings
template catalog. To provide UE-V with a custom settings location template, you must perform the
following steps:
1. Install the UE-V Generator. The UE-V Generator is a part of UE-V, and it is used for creating and
   editing custom settings location templates. The UE-V Generator monitors an app to discover and
   capture the locations where the app stores its settings. The monitored app must be a traditional
   desktop app because UE-V Generator does not create templates for virtualized applications,
   applications offered through Remote Desktop Services, Java applications, and Windows Store apps.
   UE-V Generator requires .NET Framework 4 or newer.

2. Create a custom settings location template by using the UE-V Generator. You can do this by
   running UE-V Generator and pointing it to the application for which you want to create the settings
   location template. UE-V Generator will start the application and monitor the registry and file system
   to discover the locations where the application stores its settings. UE-V Generator monitors the
   HKEY_CURRENT_USER registry subtree and the AppData\Roaming and AppData\Local folders in
   a user profile. After the application opens, you can close it and UE-V Generator will capture the
   locations that it accessed. You can review the locations, edit the template, and store it as a settings
   location template .xml file.

3. Deploy the custom settings location template to the catalog. Because the settings template catalog is
   a network share, you simply can copy the .xml file that the UE-V Generator created to that network
   share. Each UE-V client computer has a Template Auto Update scheduled task that runs once daily
   and updates settings location templates on a client. You can force the UE-V agent to apply custom
   settings location templates from a catalog immediately by running
   ApplySettingsTemplateCatalog.exe or by using the Windows PowerShell cmdlet Register-UevTemplate.

To enable UE-V to use custom settings location templates, you also must create a settings template
catalog on a file server and configure the settings template catalog path for the UE-V agent, all of which
you can perform as part of UE-V environment preparation.
Question: How can you use UE-V to synchronize the settings of third-party applications?

Lab A: Configuring Profiles and User State Virtualization


Scenario

The Marketing department at A. Datum Corporation has many users who often use different computers.
You have been asked to evaluate different solutions that would enable user settings and data to roam
with users when they use one of the computers on which UE-V is installed, and from which UE-V will
synchronize settings.

Objectives
After completing this lab, you will be able to:

Configure roaming user profiles and Folder Redirection.

Implement and configure UE-V.

Lab Setup
Estimated Time: 60 minutes
Virtual machines: 20687D-LON-DC1, 20687D-LON-SVR1, 20687D-LON-CL1, and 20687D-LON-CL2
User name: Adatum\Administrator
Password: Pa$$w0rd
Start 20687D-LON-DC1 first and after that start 20687D-LON-SVR1, 20687D-LON-CL1, and
20687D-LON-CL2. Sign in as Adatum\Administrator with Pa$$w0rd password to LON-DC1 and
LON-SVR1, but do not sign in to LON-CL1 and LON-CL2.

Exercise 1: Configuring Roaming User Profiles and Folder Redirection


Scenario

As you evaluate different solutions, the first step is to explore user data and settings solutions that
Windows 8.1 provides. You plan to implement roaming user profiles and Folder Redirection. Because
user profile content should be available only on approved computers, you also will implement Primary
Computer settings.
The main tasks for this exercise are as follows:
1. Create folders for roaming user profiles and Folder Redirection.
2. Configure roaming user profiles.
3. Configure Folder Redirection.
4. Verify roaming user profiles and Folder Redirection.
5. Configure primary computers for user Adam Barr.
6. Verify Primary Computer setting for user Adam Barr.

Task 1: Create folders for roaming user profiles and Folder Redirection

1. On LON-DC1, open File Explorer, and on drive C, create a folder named Profiles. Grant Domain
   Users Full Control permissions to the folder, and then share it with Full Control permissions for
   Everyone.
2. On drive C, create a folder named Redirected. Grant Domain Users Full Control permissions to the
   folder, and then share it with Full Control permissions for Everyone.

Task 2: Configure roaming user profiles

Configure Adam Barr, which is located in the Marketing OU, with profile settings that point to
\\LON-DC1\Profiles\%username%.

Task 3: Configure Folder Redirection

1. Create a Group Policy Object named Folder Redirection, and then link it to Marketing.
2. Configure the Folder Redirection group policy setting to redirect the Documents folder to
   \\LON-DC1\Redirected.

Task 4: Verify roaming user profiles and Folder Redirection

1. On LON-DC1, verify that the Profiles and Redirected folders are empty.
2. Sign in to LON-CL1 as Adatum\Adam with password Pa$$w0rd.
3. On Adam's desktop, create a folder named Presentations, add a shortcut to Local Disk (C:), and
   then add the This PC icon.
4. In Notepad, create a file with your name, and then save it in the Documents library.
5. Verify that the file is stored in the \\LON-DC1\redirected\adam\Documents folder and is not stored
   inside Adam Barr's local profile.
6. Sign out from LON-CL1.
7. On LON-DC1, verify that the Profiles and Redirected folders are no longer empty. The Profiles folder
   contains the adam roaming user profile (Adam.V2), whereas the Redirected folder contains the adam
   redirected Documents folder.
8. Sign in to LON-CL2 as Adatum\Adam.
9. Verify that the This PC icon is on the desktop, in addition to the Presentations folder and the Local
   Disk (C:) shortcut.
10. Verify that you can transparently access the file with your name in Notepad.
11. Sign out of LON-CL2.

Task 5: Configure primary computers for user Adam Barr

1. Copy the value of the distinguishedName attribute of LON-CL1 to the msDS-PrimaryComputer
   attribute of Adam Barr.
2. Add the value of the distinguishedName attribute of LON-CL2 to the msDS-PrimaryComputer
   attribute of Adam Barr.
3. Enable the Computer Configuration\Policies\Administrative Templates\System\User Profiles
   \Download roaming profiles on primary computers only setting and the User Configuration
   \Policies\Administrative Templates\System\Folder Redirection\Redirect folders on primary
   computers only setting in Default Domain Policy.

Task 6: Verify Primary Computer setting for user Adam Barr

1. Switch to LON-SVR1, and then update Group Policy.
2. Sign out of LON-SVR1.
3. Sign in to LON-SVR1 as Adatum\Adam, and then verify that the This PC icon, Presentations folder,
   and the Local Disk (C:) shortcut are not on the desktop. Also, verify in Notepad that the file with your
   name is not available in the Documents library. Sign out of LON-SVR1.
4. On LON-DC1, edit the value of the msDS-PrimaryComputer attribute of Adam Barr and replace
   LON-CL2 with LON-SVR1.
5. Sign in to LON-SVR1 as Adatum\Adam, and then verify that the Presentations folder is on the
   desktop, in addition to the Local Disk (C:) shortcut and the Computer icon. Also verify in Notepad that
   the file with your name is available in the Documents library. Because you configured LON-SVR1 as
   Adam Barr's Primary Computer, redirected folders are now available.
6. Sign out of LON-SVR1.

Results: After completing this exercise, you should have configured roaming user profiles and Folder
Redirection. You also should have configured the user Adam Barr with the Primary Computer setting.

Exercise 2: Implementing and Configuring UE-V


Scenario

You have demonstrated to your management the benefits of roaming user profiles, Folder Redirection,
and Primary Computer settings. Because A. Datum has an enterprise agreement with Microsoft and access
to the Microsoft Desktop Optimization Pack, you have been asked to implement a pilot deployment of
UE-V. You will demonstrate how UE-V can synchronize additional apps. Based on the results of your
demonstration, management will decide whether to deploy UE-V in production.
The main tasks for this exercise are as follows:
1. Prepare the environment for deploying Microsoft User Experience Virtualization (UE-V).
2. Configure UE-V Group Policy settings.
3. Install UE-V agents.
4. Configure UE-V to synchronize settings immediately.
5. Use UE-V to synchronize settings.
6. Restore app settings.
7. Create a UE-V settings location template.
8. Using UE-V to synchronize custom app settings.

Task 1: Prepare the environment for deploying Microsoft User Experience Virtualization (UE-V)

1. On LON-DC1, create a folder named UEVdata. Grant Domain Users Full Control permissions to the
   folder, and then share it with Full Control permissions for Everyone.
2. On LON-DC1, create a folder named UEVTemplates. Grant Domain Users Full Control permissions
   to the folder, and then share it with Full Control permissions for Everyone.

Task 2: Configure UE-V Group Policy settings

1. On LON-DC1, verify that there is no Microsoft User Experience Virtualization node available in
   Group Policy Object under User Configuration\Policies\Administrative Templates
   \Windows Components.
2. Copy the UserExperienceVirtualization.admx file from E:\Labfiles\Mod03 to the
   C:\Windows\PolicyDefinitions folder, and then copy the UserExperienceVirtualization.adml file
   to the C:\Windows\PolicyDefinitions\en-US folder.
3. Create a Group Policy named UE-V, and then link it to the Adatum.com domain.
4. In the UE-V Group Policy, under User Configuration\Policies\Administrative Templates
   \Windows Components\Microsoft User Experience Virtualization, enable the Settings storage
   path setting, and then configure it to point to \\LON-DC1\UEVData\%username%.
5. In the UE-V Group Policy, under Computer Configuration\Policies\Administrative Templates
   \Windows Components\Microsoft User Experience Virtualization, enable the Settings template
   catalog path setting, and then configure it to point to \\LON-DC1\UEVTemplates.

Task 3: Install UE-V agents

1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. Install the UE-V agent by running AgentSetup.exe in the E:\Labfiles\Mod03 folder. Restart
   LON-CL1 after completing the installation.
3. Sign in to LON-CL2 as Adatum\Administrator with password Pa$$w0rd.
4. Install the UE-V agent by running the following command:

   E:\Labfiles\Mod03\AgentSetup.exe SyncMethod=None

Task 4: Configure UE-V to synchronize settings immediately

1. On LON-DC1, verify that the C:\UEVdata folder is empty.
2. Sign in to LON-CL1 and LON-CL2 as Adatum\Brad with password Pa$$w0rd.
3. On LON-CL1, use the Get-UevConfiguration cmdlet to verify that UE-V configuration is effective.
   You will see that values for SettingsStoragePath and SettingsTemplateCatalogPath are configured
   as you set them in Group Policy. You also will see that the current SyncMethod is set to
   SyncProvider.
4. On LON-CL2, run Calculator, and then choose the Date calculation view. Close Calculator.
5. On LON-CL1, run Calculator, and then verify that it is not extended with options for date calculation.
6. On LON-CL1, synchronize UE-V settings by using Company Settings Center.
7. On LON-CL1, run Calculator, and then verify that it is extended with options for date calculation.
8. On LON-CL1, use the Set-UevConfiguration cmdlet with the SyncMethod parameter to disable use
   of local cache.
9. Sign out of LON-CL1.

Task 5: Use UE-V to synchronize settings

1. On LON-CL2, run WordPad, and then clear the Ruler and Status bar check boxes on the View tab.
   Close WordPad.
2. Create a shortcut to Local Disk (C:) on the desktop.
3. In Notepad, select Font Size 20, type your name, and then save the file in the Documents library.
   Close Notepad.
4. On LON-DC1, verify that the UEVdata folder now has a brad subfolder.
5. On the View tab, click Hidden items. Double-click the Brad folder, and then verify that it contains a
   SettingsPackages subfolder.
6. Double-click the SettingsPackages folder, and then verify that it contains multiple subfolders for the
   applications and Windows settings that UE-V synchronizes.
7. Sign in to LON-CL1 as Adatum\Brad with password Pa$$w0rd. Run Calculator, and then verify that
   it is extended with options for date calculation, as you configured it on LON-CL2. On the View menu,
   click Programmer, click Unit conversion, and then close Calculator.
8. On LON-CL1, run WordPad, and then verify that the Ruler and Status bar check boxes are not
   selected, exactly as you configured it on LON-CL2. Close WordPad.
9. On LON-CL1, verify that the shortcut to Local Disk (C:) is not present on the desktop.

Note: Contents of the desktop are not synchronized by UE-V. Instead, you should use
Folder Redirection or roaming user profiles to do so.

10. Verify in Notepad that Font Size 20 is configured, but that the file with your name is not available in
    the Documents library.

Task 6: Restore app settings

1. On LON-CL1, run Calculator, and then verify that it is in Programmer view and extended with Unit
   conversion. Close Calculator.
2. Use the Get-UevTemplate cmdlet to view which settings location template Calculator uses.
3. Use the Restore-UevUserSetting cmdlet to restore initial Calculator settings.
4. Run Calculator, and then verify that it is in default Standard mode, the way it was before the first UE-V
   synchronization.
5. Sign out of LON-CL1 and LON-CL2.

Task 7: Create a UE-V settings location template

1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. Install UE-V Generator by running ToolsSetup.exe in the E:\Labfiles\Mod03 folder.
3. Run Microsoft User Experience Virtualization Generator. Click Create a settings location template
   and point to C:\Program files (x86)\Remote Desktop Connection Manager\RDCMan.exe.
4. In Remote Desktop Connection Manager, modify one of the available options, and then close Remote
   Desktop Connection Manager.
5. Include nonstandard file locations in the settings location template and save the settings location
   template to \\LON-DC1\UEVTemplates\RDCMan.xml.

Task 8: Using UE-V to synchronize custom app settings

1. On LON-CL1, use the Get-UevTemplate cmdlet to verify that no settings location template that
   contains string rdc is registered.
2. Use the Register-UevTemplate cmdlet to register the \\LON-DC1\UEVTemplates\RDCMan.xml
   settings location template.
3. Use the Get-UevTemplate cmdlet to verify that the Remote-Desktop-RDCMan-v-2-2 settings
   location template is registered.
4. Sign in to LON-CL2 as Adatum\Administrator, and then use the Register-UevTemplate cmdlet to
   register the \\LON-DC1\UEVTemplates\RDCMan.xml settings location template.
5. On LON-CL1, run Remote Desktop Connection Manager, configure Auto save interval to 3
   minute(s), and then close Remote Desktop Connection Manager.
6. On LON-CL2, run Remote Desktop Connection Manager, and then verify that Auto save interval is
   selected and configured to 3 minute(s).

Results: After completing this exercise, you should have successfully implemented and configured UE-V
for synchronizing apps and Windows settings.
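The custom template deployment steps described in "Creating and Editing UE-V Templates" and carried out in Exercise 2, Tasks 7 and 8, as one added PowerShell example (not the course's and not UE-V's own code): it checks a generated template against the three roaming criteria from that lesson, copies it to the settings template catalog share, registers it on the local client immediately instead of waiting for the Template Auto Update task, and verifies the registration. The text-node heuristic for finding locations in the template, the TemplateId and TemplateName property names, and the local path C:\Temp\RDCMan.xml are assumptions.

```powershell
# Added example, not part of the course or of UE-V itself.
# Checks a settings location template against the roaming criteria from this lesson,
# deploys it to the settings template catalog share, registers it on this client
# right away (instead of waiting for the daily Template Auto Update task), and
# verifies that it is registered.

function Test-UevTemplateLocations {
    param([Parameter(Mandatory)][string]$Path)
    # A malformed template is rejected before anything reaches the catalog share.
    [xml]$template = Get-Content -LiteralPath $Path -Raw
    $warnings = @()
    # ASSUMPTION (heuristic): registry and file locations appear as element text, so
    # every text node is inspected regardless of the enclosing element name.
    foreach ($node in $template.SelectNodes('//text()')) {
        $text = $node.Value.Trim()
        if ($text -match '^(HKEY_LOCAL_MACHINE|HKLM)') {
            $warnings += "Registry path '$text' is outside HKEY_CURRENT_USER; UE-V cannot synchronize it."
        }
        if ($text -match '^[A-Za-z]:\\') {
            $warnings += "Absolute path '$text' is outside the user profile and is likely computer-specific."
        }
        if ($text -match '\.(db|mdb|accdb|sqlite)$') {
            $warnings += "Database file '$text' should not roam; synchronizing it risks corruption."
        }
    }
    return $warnings
}

function Publish-UevCustomTemplate {
    param(
        [Parameter(Mandatory)][string]$TemplatePath,
        # Default to the catalog path the agent already uses, so the copy lands where the
        # Template Auto Update task on every client will look for it.
        [string]$CatalogPath = (Get-UevConfiguration).SettingsTemplateCatalogPath,
        # ASSUMPTION: the generated template ID contains the application name (the lab's
        # template registers as Remote-Desktop-RDCMan-v-2-2).
        [string]$TemplateIdPattern = '*RDCMan*'
    )
    $issues = Test-UevTemplateLocations -Path $TemplatePath
    if ($issues) {
        $issues | ForEach-Object { Write-Warning $_ }
        throw 'Template failed the roaming-criteria checks and was not deployed.'
    }
    if (-not (Test-Path -LiteralPath $CatalogPath)) {
        throw "Settings template catalog '$CatalogPath' is not reachable."
    }

    $deployed = Join-Path -Path $CatalogPath -ChildPath (Split-Path -Path $TemplatePath -Leaf)
    Copy-Item -LiteralPath $TemplatePath -Destination $deployed -Force

    # Register now rather than waiting for the scheduled task.
    Register-UevTemplate -Path $deployed

    # ASSUMPTION: Get-UevTemplate objects expose TemplateId and TemplateName.
    $registered = Get-UevTemplate | Where-Object { $_.TemplateId -like $TemplateIdPattern }
    if (-not $registered) {
        throw "No settings location template matching '$TemplateIdPattern' is registered."
    }
    $registered | Select-Object TemplateId, TemplateName
}

# Lab values: the template saved by UE-V Generator and the catalog share on LON-DC1.
# C:\Temp\RDCMan.xml is a constructed local path for the generator's output file.
Publish-UevCustomTemplate -TemplatePath 'C:\Temp\RDCMan.xml' -CatalogPath '\\LON-DC1\UEVTemplates'
```

On each further client, such as LON-CL2 in Task 8, only the Register-UevTemplate step needs to run against the copy already on the share.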

Prepare for the next lab

When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the
following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687D-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 through 3 for 20687D-LON-CL1, 20687D-LON-CL2, and 20687D-LON-SVR1.

Lesson 3

Migrating User State and Settings

Many users spend a significant amount of time configuring their Windows-based environment. They
might customize items such as desktop wallpaper, the appearance of user interface elements, or other
operating system and application components. This grouping of specific settings is referred to as user
state. User state is an important part of the migration process when you replace a computer, or when you
install a new operating system on a computer. This lesson introduces you to user state migration and to
the tools and methods you can use in planning and implementing a user state migration in a Windows-based
environment.

Lesson Objectives
After completing this lesson, you will be able to:

Describe the tools for migrating user data and settings.

Explain how to migrate user settings by using Windows Easy Transfer.

Explain how to migrate user settings and data by using the User State Migration Tool (USMT).

Explain how to capture user state by using ScanState.

Explain how to restore user state by using LoadState.

Tools for Migrating User Data and Settings

A user state migration captures all of the custom settings on a group of existing computers, known as
source computers, and restores these settings on a group of newly deployed computers, known as
destination computers. Typically, you would perform a user state migration during or after the deployment
of a new operating system. A user state migration enables users to be more productive because they do not
have to spend time reconfiguring settings or looking for personal data after a deployment.

User State Migration Elements

User state migration includes the following elements:

User preferences. These include user profile features, web browser settings, and mail settings.
Consider which user accounts, operating system settings, and user preferences you want to migrate
or standardize:

  o User accounts. Computers might have settings related to domain and local user accounts. You
    must determine whether local user accounts should be migrated. You also should consider if
    you must enable the accounts on destination computers and how you will deal with password
    requirements.

  o Operating system settings. Identify which operating system settings to migrate and to what
    extent you want to create a new standard environment on the destination computers. Operating
    system settings can include appearance, mouse actions such as single-click or double-click,
    keyboard settings, Internet settings, email account settings, dial-up connections, accessibility
    settings, and fonts.

User data. This includes data that is stored on local hard drives. Typically, critical data is stored on file
servers. However, users sometimes store data on local hard drives.

Application settings. These include application-specific configuration settings, preferences, and data
files. User state migration does not include migration of actual applications. Determine and locate
the application settings that you want to migrate. You can acquire this information when you are
testing new applications for compatibility with a new operating system. You should consider whether
the destination version of an application is newer than the source version and where the specific
application settings are stored. Settings might be stored in the registry, .ini files, or in text or binary
files. To determine the location of an application setting, review the application's documentation or
relevant websites.

Windows 8.1 provides two options for performing user state migration: Windows Easy Transfer and USMT.

Windows Easy Transfer

Windows 8.1 includes the Windows Easy Transfer tool, which provides a wizard-based process for
migrating user data and files from one Windows-based computer to another. Windows Easy Transfer can
transfer the data from a source computer to a number of different intermediary media types, and then it
can restore that data on a destination computer. End users primarily use Windows Easy Transfer, and it is
designed to perform migrations with a small number of computers. The Windows Easy Transfer process
cannot be automated, and it is not an appropriate solution if you need to migrate data for a large number
of users.
Note: This tool is deprecated and has reduced functionality compared to Windows Easy
Transfer in Windows 8. However, it is still a part of Windows 8.1, and you can use it in
Windows 8.1.

USMT

USMT is a set of command-line tools that gives administrators more control over user data migrations.
You can use USMT in large environments where you need to migrate the data of multiple users on
multiple machines. The command-line interface for USMT helps administrators incorporate USMT into
enterprise environments and automated processes. USMT uses tools to capture and store user data in
the first phase of the migration, and then restore the data to another operating system from the captured
data. USMT is included in the Windows Assessment and Deployment Kit (ADK) for Windows 8.1.
Question: You have been asked to upgrade 10 computers in a small branch office from
Windows 7 to Windows 8.1. You also have been asked to perform a clean installation of
Windows 8.1 and to show the local manager how to migrate user files and other data after
installing Windows 8.1. The manager will perform the Windows 8.1 installation and user state
migration for the rest of the computers. Which tool should you demonstrate to the
manager?

Migrating User Settings by Using Windows Easy Transfer

Windows Easy Transfer is deprecated in Windows 8.1. The tool is still available, and you can use it for
gathering and transferring data and settings from previous Windows operating systems, but you cannot use it
to transfer data and settings between Windows 8.1 computers. If you have used Windows Easy Transfer in
the past, you will notice that in Windows 8.1, you can transfer the data only by using removable media, local
storage, and network shares. You can no longer use a network connection or an Easy Transfer cable for
transferring data. If you need to transfer data between Windows 8.1 computers, you should use OneDrive to
synchronize settings among devices.

You can use the Windows Easy Transfer tool when you need to migrate settings and data for a limited
number of users and you do not need to customize and automate the migration process. You can use
Windows Easy Transfer to transfer user accounts and settings, files and folders, email settings, contacts
and messages, application settings, Internet settings, and favorites. You cannot use Windows Easy Transfer
to transfer installed apps or advanced configurations such as custom registry keys. Apps must be installed
already on a Windows 8.1 computer before you can transfer the app settings by using Windows Easy
Transfer. You can use Windows Easy Transfer to transfer data and settings to Windows 8.1 only from
Windows 8, Windows RT, or Windows 7 source computers.
Question: Can you use Windows Easy Transfer to migrate user settings and data between
two Windows 8.1 computers?

Migrating User Settings and Data by Using USMT

You can use USMT in many user state migration scenarios. USMT offers a comprehensive set of features and
capabilities that enables you to address your environment's migration needs.

Benefits of USMT
USMT provides the following benefits to organizations that deploy Windows operating systems:

It safely migrates user accounts, operating system settings, and application settings. It is customizable and
highly scriptable, which increases automation in large-deployment scenarios.

It reduces the cost of deploying Windows operating systems by preserving user states. This reduces
the time needed for users to become familiar with new operating systems, and this reduces the time
required to customize desktops and locate missing files and settings.

It reduces end-user downtime, which reduces help desk calls and increases employee satisfaction with
the migration experience.

It minimizes migration storage by using hard-link migration. For use in the computer refresh scenario,
hard-link migration stores are saved locally on the computer that is being refreshed. It drastically
improves migration performance, significantly reduces hard-disk utilization, reduces deployment
costs, and enables entirely new migration scenarios. Hard-link migration store differs from other
migration store types in that hard links are used to keep files stored on a source computer during the
migration. Keeping files in place on a source computer eliminates the redundant work of duplicating
files to an external storage location, which enables performance benefits and reduces disk utilization.

It can perform migration from alternate locations (offline migration). This enables you to collect data
from offline Windows operating systems by using the ScanState tool in the Windows Preinstallation
Environment. In addition, USMT supports migrations from previous operating system installations
contained in Windows.old directories.

Components of USMT
The following list defines the USMT components:

ScanState. This tool scans a source computer, collects the files and settings, and then creates a store.
ScanState does not modify the source computer. By default, it compresses the files and saves them as
a migration store. ScanState copies files into a temporary location and then to the migration store.

LoadState. This tool migrates files and settings, one at a time, from the store to a temporary location
on the destination computer. Files are decompressed, and decrypted if necessary, during this process.
LoadState then transfers files to their correct locations, deletes their temporary copies, and begins
migrating more files. Compression improves performance by reducing network bandwidth usage and
the space required for the store. You can turn off compression with the /nocompress option.

USMTUtils. This tool can perform several functions related to compression, encryption, and validation
of a migration store. USMTUtils also can manage USMT files manually in the event of a corrupted
data store or a locked hard-link store.

Migration XML files. These are the XML files that USMT uses for migrations. They include the
MigApp.xml, MigUser.xml, or MigDocs.xml files, and any custom .xml files that you create:

  o MigApp.xml. This file contains rules for migrating application settings.

  o MigDocs.xml. This file contains rules for the MigXmlHelper.GenerateDocPatterns helper function,
    which can find user documents on a computer automatically without creating extensive custom
    migration .xml files.

  o MigUser.xml. This file contains rules for migrating user profiles and data.

  o Config.xml. To exclude data from a migration, you can create and modify the Config.xml file by
    using the /genconfig option with the ScanState tool. This optional file has a different format from
    the migration .xml files because it does not contain migration rules. The Config.xml file lists the
    elements that can be migrated. Specify migrate=no for the elements that you want to exclude
    from the migration. You also can use this file to control some migration options for USMT.

Component manifests. The component manifest files control which operating system settings are
migrated and how they are migrated, and you cannot modify them. If you want to exclude certain
operating system settings, you need to create and modify a Config.xml file.

USMT internal files. All other files included with USMT are for USMT internal use, and you should not
modify them.

Question: Do you need to install Windows ADK on the source computer from which you
plan to migrate user settings?

Capturing User State by Using ScanState

ScanState is a tool that is included in USMT. When you use USMT to migrate user settings and data, the
first step in the migration process is to collect files and settings from the source computer by using the
ScanState tool.

Collect Files and Settings from the Source Computer
To collect files and settings from the source computer:
1. Close all applications on the source computer.
2. Run the ScanState tool on the source computer to collect files and settings. Specify all of the .xml
   files that you want ScanState to use.

Understanding User State
USMT controls what data to migrate by using migration .xml files (MigApp.xml, MigDocs.xml, and
MigUser.xml) and any custom .xml files that you create. The user state consists of several components:
user data, operating system elements, and supported application settings.

User data
ScanState uses rules in the MigUser.xml file to collect everything in a user's profile. ScanState then
performs a file extension-based search on most of the system for other user data.
By default, USMT migrates the following user data and access control lists (ACLs) by using the
MigUser.xml file:

Folders from each user profile. USMT migrates everything in a user's profile, including My Documents,
My Video, My Music, My Pictures, Desktop files, Start menu, Quick Launch settings, and Favorites.

Folders from the All Users and Public profiles. USMT also migrates the following from the All Users
profile or the Public profile: Shared Documents, Shared Video, Shared Music, Shared Desktop files,
Shared Pictures, Shared Start menu, and Shared Favorites.

File types. The ScanState tool searches the fixed drives and collects and migrates files that have any of
the following file name extensions: .accdb, .ch3, .csv, .dif, .doc*, .dot*, .dqy, .iqy, .mcw, .mdb*, .mpp,
.one*, .oqy, .or6, .pot*, .ppa, .pps*, .ppt*, .pre, .pst, .pub, .qdf, .qel, .qph, .qsd, .rqy, .rtf, .scd, .sh3, .slk,
.txt, .vl*, .vsd, .wk*, .wpd, .wps, .wq1, .wri, .xl*, .xla, .xlb, .xls*.

ACL. USMT migrates the ACL for specified files and folders from source computers.

The following data does not migrate by using the MigUser.xml file:

Files outside of a user profile that do not match one of the file name extensions in the MigUser.xml
file.

ACLs for folders outside of a user profile.

Operating system elements

By default, USMT migrates most standard operating system features to destination computers. Some
settings such as fonts are not available for an offline migration until after the destination computer
restarts.

Supported application settings

We recommend installing all applications on a destination computer before restoring the user state
to ensure that migrated settings are preserved. The versions of installed applications must match the
application version on the source computer. USMT only migrates the settings that were used or changed
by a user. If an application setting on the source computer was not used, it will not migrate.

Creating and Using a Custom XML File


Config.xml is an optional USMT file that you can create by using the /genconfig option with the
ScanState tool. To include all of the default elements without changing the default store-creation or
profile-migration behaviors, you do not need to create a Config.xml file.

However, if you are satisfied with the default migration behavior defined in the MigApp.xml,
MigUser.xml, and MigDocs.xml files, but you want to exclude certain elements, you can create and modify
the Config.xml file and leave the other .xml files unchanged. For example, you must create and modify the
Config.xml file to exclude any of the operating system settings that are migrated. You must create and
modify this file to change any of the default store-creation or profile-migration behaviors.
The Config.xml file has a different format compared to other migration .xml files because it does not
contain any migration rules. It only contains a list of the operating system features, applications, and user
documents that can be migrated, in addition to user-profile and error-control policies. For this reason,
excluding features by using the Config.xml file is easier than modifying migration .xml files because you
do not need to be familiar with the migration rules and syntax. However, you cannot use wildcard
characters in this file.
How To Include Files and Settings
http://go.microsoft.com/fwlink/?LinkId=378228&clcid=0x409

Example of ScanState Syntax

The following syntax provides an example of how you can configure ScanState to scan a source computer:
Scanstate \\LON-SRV1\DesktopMigration /i:migapp.xml /i:miguser.xml /config:config.xml /o
/ui:DBService /ue:Adatum\Don

What USMT Does Not Migrate


USMT does not migrate the following settings:

Application settings. USMT does not migrate settings from older versions of an application. It also
does not migrate application settings and some operating system settings when a local account is
created.

Installed applications. USMT does not migrate installed applications. You have to reinstall all
applications on a destination computer before restoring application settings.

Operating system settings. USMT does not migrate the following operating system settings:

   o Mapped network drives, local printers, hardware-related settings, drivers, passwords, application
     binary files, synchronization files, dynamic-link library files, or other executable files.

   o Shared folder permissions.

   o Files and settings that migrate between operating systems with different languages.

   o Customized icons for shortcuts.

   o Taskbar settings when a source computer is running Windows XP.

What Does USMT Migrate?
http://go.microsoft.com/fwlink/?LinkId=378229&clcid=0x409

Question: Why would you use additional XML configuration files with ScanState.exe?

Restoring User State by Using LoadState

You can use the LoadState tool to restore files and settings from a migration store to a destination
computer. Remember that you can restore only the settings and data that were captured on the source
computer. Similar to ScanState, the LoadState tool supports many parameters, and you can use them in
any order. You can consult documentation to view the parameters that ScanState supports.
LoadState Syntax
http://go.microsoft.com/fwlink/?LinkId=378230&clcid=0x409

Prepare and Restore Files and Settings on the Destination Computer

To prepare a destination computer:
1. Install an operating system on the destination computer.
2. Install all applications that were on the source computer.

To restore files and settings on a destination computer:
1. Run the LoadState tool on the destination computer. Specify the same set of .xml files that you
   specified when you used the ScanState tool. However, you do not have to specify the Config.xml file
   unless you want to exclude some files and settings that you migrated to the store.
2. Sign out after running the LoadState tool. Some settings, such as fonts, wallpaper, and screen saver,
   will not take effect until the next time the user signs in.

LoadState Syntax Example


The following syntax provides an example of how to configure LoadState to migrate user states to a
destination computer:
Loadstate \\LON-SRV1\DesktopMigration /i:migapp.xml /i:miguser.xml /ue:Adatum\Don
/ui:DBService /lac:Pa$$w0rd /lae
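The ScanState and LoadState syntax examples above, driven from a small PowerShell wrapper. This is an added example, not code from the course or from USMT itself. It assumes USMT is reachable at F:\ (as \\LON-DC1\USMT is mapped in the lab), reuses the store path and account names from the two syntax examples, and uses USMT's /l option to name a log file; the function names and log paths are the example's own choices.

```powershell
# Added example (not part of the course text): build the ScanState / LoadState argument
# lists, run the tool, and check that the store was written. Assumptions: USMT binaries at
# F:\, store at \\LON-SRV1\DesktopMigration, users DBService and Adatum\Don as in the examples.

function New-UsmtArgumentList {
    param(
        [Parameter(Mandatory)][string]$StorePath,
        [string[]]$XmlFiles = @('migapp.xml', 'miguser.xml'),   # same .xml set on both computers
        [string]$ConfigFile,                                     # /config:  (only if it excludes items)
        [string[]]$IncludeUsers = @(),                           # /ui:<domain\user>
        [string[]]$ExcludeUsers = @(),                           # /ue:<domain\user>
        [switch]$Overwrite,                                      # /o   (ScanState: overwrite the store)
        [switch]$NoCompress,                                     # /nocompress
        [switch]$CreateLocalAccounts,                            # /lac (LoadState)
        [switch]$EnableLocalAccounts,                            # /lae (LoadState, requires /lac)
        [string]$LogFile                                         # /l:<file>
    )
    $list = @($StorePath)
    foreach ($x in $XmlFiles)     { $list += "/i:$x" }
    if ($ConfigFile)              { $list += "/config:$ConfigFile" }
    foreach ($u in $IncludeUsers) { $list += "/ui:$u" }
    foreach ($u in $ExcludeUsers) { $list += "/ue:$u" }
    if ($Overwrite)               { $list += '/o' }
    if ($NoCompress)              { $list += '/nocompress' }
    # The lab passes the password inline (/lac:Pa$$w0rd). Anything on a command line is visible
    # in process listings and command-line auditing, so this wrapper uses /lac without a
    # password (USMT then creates the accounts with an empty password) and leaves password
    # assignment to a later, separate step.
    if ($CreateLocalAccounts)     { $list += '/lac' }
    if ($EnableLocalAccounts)     { $list += '/lae' }
    if ($LogFile)                 { $list += "/l:$LogFile" }
    return $list
}

function Invoke-UsmtTool {
    param(
        [Parameter(Mandatory)][ValidateSet('ScanState', 'LoadState')][string]$Tool,
        [Parameter(Mandatory)][string[]]$ArgumentList,
        [string]$UsmtPath = 'F:\'              # assumption: USMT mapped as in the lab
    )
    $exe = Join-Path $UsmtPath "$Tool.exe"
    if (-not (Test-Path $exe)) { throw "USMT binary not found: $exe" }
    Write-Host "$Tool $($ArgumentList -join ' ')"
    # Arguments containing spaces would need their own quotes; none of the lab values do.
    $proc = Start-Process -FilePath $exe -ArgumentList $ArgumentList -Wait -PassThru -NoNewWindow
    # USMT exits with 0 on success; anything else is explained in the log named by /l.
    return $proc.ExitCode
}

function Test-UsmtStore {
    param([Parameter(Mandatory)][string]$StorePath)
    # A compressed store is written as <StorePath>\USMT\USMT.MIG; the lab checks for this file.
    $mig = Get-ChildItem -Path $StorePath -Recurse -Filter 'USMT.MIG' -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if ($mig) {
        [pscustomobject]@{ Exists = $true;  Path = $mig.FullName; SizeMB = [math]::Round($mig.Length / 1MB, 1) }
    } else {
        [pscustomobject]@{ Exists = $false; Path = $null;         SizeMB = 0 }
    }
}

# Source computer: capture, mirroring the ScanState syntax example.
$store    = '\\LON-SRV1\DesktopMigration'
$scanArgs = New-UsmtArgumentList -StorePath $store -ConfigFile 'config.xml' `
    -IncludeUsers 'DBService' -ExcludeUsers 'Adatum\Don' -Overwrite -LogFile 'C:\Windows\Temp\scanstate.log'
if ((Invoke-UsmtTool -Tool ScanState -ArgumentList $scanArgs) -ne 0) { throw 'ScanState failed; see the log.' }
Test-UsmtStore -StorePath $store

# Destination computer: restore with the same .xml files; Config.xml is optional here.
$loadArgs = New-UsmtArgumentList -StorePath $store -IncludeUsers 'DBService' -ExcludeUsers 'Adatum\Don' `
    -CreateLocalAccounts -EnableLocalAccounts -LogFile 'C:\Windows\Temp\loadstate.log'
if ((Invoke-UsmtTool -Tool LoadState -ArgumentList $loadArgs) -ne 0) { throw 'LoadState failed; see the log.' }
```

Run the first half on the source computer and the second on the destination; keeping the argument list in one function is what guarantees both ends use the same .xml files, which the LoadState procedure above requires.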

Question: How can you ensure that user data is safe during a migration?

Lab B: Migrating User State by Using USMT

Scenario
You have been asked to implement the upgrade of 10 new computers that are being deployed to the
Research department at A. Datum. Max Stevens, the IT manager from the Research department, has sent
you an email outlining the upgrade requirements.

Objectives
After completing this lab, you will be able to:

Create and customize USMT XML files.

Capture and restore user state to a target computer.

Lab Setup
Estimated Time: 30 minutes
Virtual machines: 20687D-LON-DC1, 20687D-LON-CL1, and 20687D-LON-CL3
User name: Adatum\Administrator
Password: Pa$$w0rd
Start the LON-DC1 virtual machine first, and then start LON-CL1 and LON-CL3 if they are not running
already. You do not need to sign in to any computer.

Exercise 1: Creating and Customizing USMT XML Files

Scenario
Supporting Documentation
Email from Max Stevens:

Ed Meadows
From:    Max Stevens [Max@adatum.com]
Sent:    10 January 2014 08:01
To:      Ed@adatum.com
Subject: User State Migration for the new Windows 8.1 computers in the Research department

Hi Ed,

We have 10 new Windows 8.1 computers that are being deployed within the Research department. We
need to ensure that no user data stored on the old computers is lost in the migration, and that all user
data is migrated to the new computers. What I want you to do is use USMT to help with the user state
migration. Here are some additional things to consider:

The old computers have Windows 7 installed.

All computers have Microsoft Office 2010 installed.

The contents of the Shared Video, Shared Music, and Shared Pictures folders should not be migrated
from Windows 7 to the new Windows 8.1 computers.

We have a custom folder named ResearchApps that has to be migrated from all the old computers to
the new Windows 8.1 computers.

All domain profiles that are on each existing computer should be migrated to the new systems.

You can use \\LON-DC1\Data as a location to store the data store during the migration. The data
store should be compressed to minimize space. Because there is no confidential information on these
specific computers, we do not need the migration store to be encrypted.

Thanks,
Max

Your user state migration information states that several operating system features should not be
migrated. You also have to migrate an additional folder from the old computers to the new Windows 8.1
computers. Your first task is to create the custom XML files that address these requirements.
The main tasks for this exercise are as follows:
1. Read the supporting documentation.
2. Create a Config.xml file.
3. Modify a custom migration XML file.

Task 1: Read the supporting documentation
Read the supporting documentation provided in the exercise scenario.

Task 2: Create a Config.xml file
1. Sign in to LON-CL3 as Adatum\Don with password Pa$$w0rd.
2. Verify that Don has a black desktop and that the Computer and Don Funk folders are on the desktop.
3. Create a new text document with your name on the desktop.
4. Sign out and sign in to LON-CL3 as Adatum\Administrator with password Pa$$w0rd.
5. At a command prompt, map a network drive located on LON-DC1 by using the following command:
   Net Use F: \\LON-DC1\USMT
6. Change to drive F, and then create a Config.xml file by using the following command:
   scanstate /i:migapp.xml /i:miguser.xml /genconfig:config.xml
7. At the command prompt, type notepad config.xml to view the Config.xml file.
8. Modify the XML code to exclude the following from the migration:
   o Shared Video
   o Shared Music
   o Shared Pictures

   Note: For each of the folders, look for component displayname, and then change the
   migrate attribute to no.
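The edit that Task 2 and the "Creating and Using a Custom XML File" topic describe, done with the .NET XML API instead of Notepad, as an added example (not code from the course or from USMT). The sample document is constructed here to mirror the shape that scanstate /genconfig produces; its component IDs are illustrative, and the function names are the example's own.

```powershell
# Added example (not from the course): set migrate="no" on named Config.xml components.
# The sample below is constructed; the ID values are illustrative, not from a generated file.

$sampleConfig = @'
<?xml version="1.0" encoding="UTF-8"?>
<Configuration>
  <Documents>
    <component displayname="My Video" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/miguser/my video"/>
    <component displayname="Shared Video" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/miguser/shared video"/>
    <component displayname="Shared Music" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/miguser/shared music"/>
    <component displayname="Shared Pictures" migrate="yes" ID="http://www.microsoft.com/migration/1.0/migxmlext/miguser/shared pictures"/>
  </Documents>
</Configuration>
'@

function Set-UsmtComponentMigration {
    param(
        [Parameter(Mandatory)][xml]$Config,
        [Parameter(Mandatory)][string[]]$DisplayName,
        [ValidateSet('yes', 'no')][string]$Migrate = 'no'
    )
    $components = $Config.SelectNodes('//component[@displayname]')
    $changed = @()
    foreach ($name in $DisplayName) {
        # Match on the displayname attribute, as the lab note says; compare case-insensitively
        # because capitalisation in generated files varies between components.
        $hits = @($components | Where-Object { $_.GetAttribute('displayname') -ieq $name })
        if ($hits.Count -eq 0) { Write-Warning "No component named '$name' in Config.xml"; continue }
        foreach ($c in $hits) {
            $c.SetAttribute('migrate', $Migrate)
            $changed += $c.GetAttribute('displayname')
        }
    }
    return $changed      # names actually changed, so a typo in the list is noticed
}

function Get-UsmtMigrationSummary {
    param([Parameter(Mandatory)][xml]$Config)
    # One row per component, so the reviewer sees exactly what will be left out of the store.
    foreach ($c in $Config.SelectNodes('//component[@displayname]')) {
        [pscustomobject]@{ Component = $c.GetAttribute('displayname'); Migrate = $c.GetAttribute('migrate') }
    }
}

# In the lab, load the generated file instead: [xml]$config = Get-Content -Path F:\config.xml -Raw
[xml]$config = $sampleConfig
Set-UsmtComponentMigration -Config $config -DisplayName 'Shared Video', 'Shared Music', 'Shared Pictures'
Get-UsmtMigrationSummary -Config $config | Format-Table -AutoSize
# Write the file back before running scanstate ... /config:config.xml
$config.Save((Join-Path $env:TEMP 'config.xml'))
```

Working through the parser rather than a text editor means a mistyped attribute or an unclosed tag is caught when the document is loaded, before ScanState reads it.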

Task 3: Modify a custom migration XML file
1. At a command prompt, type notepad folders.xml, and then press Enter.
2. Maximize the Notepad window. This is a custom XML file that is used to migrate a specific folder
   named ResearchApps to the new workstation.
3. Change the variable <Foldername> to ResearchApps. The entire line should read as follows:
   <pattern type="File">C:\ResearchApps\* [*]</pattern>
4. Verify that there is a C:\ResearchApps folder on the disk and that it contains multiple files.
5. Create a new text document with your name in the C:\ResearchApps folder.
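A generator for the kind of custom migration XML that folders.xml represents, plus a preview of which files its pattern will capture, as an added example (not the course's folders.xml and not USMT code). The urlid and displayName values are assumptions; the element layout follows the migration/component/role/rules/include/objectSet/pattern structure of USMT migration XML, and the pattern line is the one from step 3.

```powershell
# Added example (not from the course): write a custom USMT migration XML for one folder and
# list the files its "<folder>\* [*]" pattern would capture. Names are the example's own.

function New-UsmtFolderMigrationXml {
    param(
        [Parameter(Mandatory)][string]$Folder,     # e.g. C:\ResearchApps
        [Parameter(Mandatory)][string]$OutFile     # e.g. F:\folders.xml
    )
    $Folder = $Folder.TrimEnd('\')
    $name = [IO.Path]::GetFileName($Folder)
    $xml = @"
<?xml version="1.0" encoding="UTF-8"?>
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/$($name.ToLower())">
  <component type="Documents" context="System">
    <displayName>$name folder migration</displayName>
    <role role="Data">
      <rules>
        <include>
          <objectSet>
            <!-- "folder\* [*]" selects every file in the folder and in all of its subfolders -->
            <pattern type="File">$Folder\* [*]</pattern>
          </objectSet>
        </include>
      </rules>
    </role>
  </component>
</migration>
"@
    $null = [xml]$xml        # fail here, not inside ScanState, if the document is malformed
    Set-Content -Path $OutFile -Value $xml -Encoding UTF8
    return $OutFile
}

function Get-UsmtFilePatternPreview {
    param([Parameter(Mandatory)][string]$XmlPath)
    [xml]$doc = Get-Content -Path $XmlPath -Raw
    foreach ($p in $doc.SelectNodes("//pattern[@type='File']")) {
        $text = $p.InnerText.Trim()
        # Only the simple "<folder>\* [*]" form is expanded here; other pattern forms are listed as-is.
        if ($text -match '^(?<dir>.+?)\\\*\s+\[\*\]$') {
            $dir    = $Matches['dir']
            $exists = Test-Path -LiteralPath $dir
            $files  = if ($exists) { @(Get-ChildItem -LiteralPath $dir -Recurse -File) } else { @() }
            [pscustomobject]@{ Pattern = $text; Folder = $dir;  FolderExists = $exists; FileCount = $files.Count }
        } else {
            [pscustomobject]@{ Pattern = $text; Folder = $null; FolderExists = $null;   FileCount = $null }
        }
    }
}

$out = New-UsmtFolderMigrationXml -Folder 'C:\ResearchApps' -OutFile (Join-Path $env:TEMP 'folders.xml')
Get-UsmtFilePatternPreview -XmlPath $out | Format-Table -AutoSize
```

The preview answers step 4 (does the folder exist, and does it hold files) from the XML itself, so the rule and the disk are checked against each other before the capture in Exercise 2.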

Results: After completing this exercise, you should have created and customized XML files to use with the
User State Migration Tool (USMT).

Exercise 2: Capturing and Restoring User State to a Target Computer

Scenario
Now that you have the required custom XML files, you can perform the USMT migration task. Use USMT
to capture the current user state on LON-CL3 by using ScanState and the custom migration files. Then,
restore the user state to LON-CL1 and confirm the migration.
The main tasks for this exercise are as follows:
1. Capture user state on the source computer.
2. Restore user state on the destination computer.
3. Verify the user state migration.

Task 1: Capture user state on the source computer
1. On LON-CL3, switch to the command prompt.
2. Verify that the \\LON-DC1\Data shared folder is empty.
3. Capture user state by using the following command:
   F:\Scanstate \\LON-DC1\Data /i:migapp.xml /i:miguser.xml /i:folders.xml
   /config:config.xml /o /efs:copyraw
4. Verify that the \\LON-DC1\Data shared folder stores the USMT.MIG captured user state.

Task 2: Restore user state on the destination computer
1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. Verify that C:\Users does not contain subfolders named Ed or Don.
3. Verify that there is no ResearchApps folder on drive C.
4. Open the Command Prompt window, and then map network drive F to \\LON-DC1\USMT. Use the
   following command:
   Net Use F: \\LON-DC1\USMT
5. Change to drive F, and then restore user state on the destination computer by using the following
   command:
   Loadstate \\LON-DC1\Data /i:migapp.xml /i:miguser.xml /i:folders.xml
6. Verify that the C:\Users folder contains subfolders named Ed and Don.
7. Sign out of LON-CL1.

Task 3: Verify the user state migration
1. Sign in to LON-CL1 as Adatum\Don with password Pa$$w0rd.
2. Verify that the Computer and Don Funk folders, in addition to a text document with your name, are
   on the desktop.
3. Verify that the C:\ResearchApps folder with all its content has migrated successfully, including the file
   with your name.

Results: After completing this exercise, you should have captured and restored user states by using USMT.

Prepare for the next module

When you are finished with the lab, revert all virtual machines back to their initial state:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687D-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20687D-LON-CL1 and 20687D-LON-CL3.

Module Review and Takeaways


Review Questions
Question: After you created a user account in AD DS, you noticed that the domain user does
not have a user profile yet. Why?
Question: Can you use UE-V to synchronize application settings for a user who is configured
with Folder Redirection already?
Question: You have been asked to retain user settings for 200 users who are having their
Windows 7 desktop computers replaced with new Windows 8.1 computers. Which tool
should you use to migrate user settings?


Module 5
Managing Disks and Device Drivers
Contents:
Module Overview                                        5-1
Lesson 1: Managing Disks, Partitions, and Volumes      5-2
Lesson 2: Maintaining Disks, Partitions, and Volumes   5-16
Lesson 3: Working with Virtual Hard Disks              5-23
Lab A: Managing Disks                                  5-28
Lesson 4: Installing and Configuring Device Drivers    5-34
Lab B: Configuring Device Drivers                      5-47
Module Review and Takeaways                            5-49

Module Overview

The Windows 8.1 operating system simplifies common tasks for information technology (IT)
professionals who manage and deploy desktops and laptops, devices, or virtual environments. It also
helps IT professionals take advantage of the tools and skills similar to those that they use in Windows 7
and Windows 8.

Although most computers that run Windows 8.1 have a single physical disk that is configured as a single
volume, this is not always the case. For example, there might be times when you want to have multiple
operating systems on a single computer, or you might want to have virtual memory on a different
volume. Therefore, it is important that you understand how to create and manage simple, spanned,
and striped volumes. You also might be interested in implementing the Storage Spaces feature. In
addition to traditional storage, you can use Windows 8.1 to create and access virtual hard disks from
within the operating system installed on a physical computer. To help maintain and optimize file system
performance, you must be familiar with file system fragmentation and the tools that you can use to
defragment a volume. Additionally, a good understanding of disk quotas is helpful if you are managing
available disk space on installed volumes.
To ensure that previously installed devices continue to work in Windows 8.1, Microsoft is working to
make device drivers available directly from Windows Update or from device manufacturer websites.

Objectives
After completing this module, you will be able to:

Manage disks, partitions, and volumes.

Maintain disks, partitions, and volumes.

Explain how to use virtual hard disks.

Install and configure device drivers.

Lesson 1
Managing Disks, Partitions, and Volumes

Before you can use a disk in Windows 8.1, you must prepare it for use. You must partition the disk by
using the master boot record (MBR) partitioning scheme or the GUID partition table (GPT) partitioning
scheme. After partitioning the disk, you must create and format one or more volumes before an operating
system can use the disk.
You can use disk management tools to perform disk-related tasks, such as creating and formatting
partitions and volumes, assigning drive letters, and resizing disks.

Lesson Objectives
After completing this lesson, you will be able to:

Compare MBR and GPT disks.

Describe the tools available for managing disks.

Describe how to convert a basic disk to a dynamic disk.

Describe a simple volume.

Create a simple volume.

Describe mirrored, spanned, and striped volumes.

Create spanned and striped volumes.

Describe the purpose of resizing a volume.

Resize a volume.

Describe Storage Spaces.

Comparing MBR and GPT Disks

MBR Disks
The MBR contains the partition table for a disk and a small amount of executable code called the master
boot code. A bootable hard disk that contains an MBR is known as an MBR disk. The MBR is created when
a disk is partitioned initially, and it is located on the first sector of the hard disk. The MBR contains a
four-partition entry table that describes the size and location of a disk partition by using 32-bit logical
block addressing (LBA) fields. Most Windows 8.1 platforms, such as 32-bit and 64-bit versions that run on
motherboards with BIOS firmware, require an MBR-partitioned system disk and are not bootable with a
larger capacity disk. Newer Unified Extensible Firmware Interface (UEFI)-enabled motherboards can read
MBR and the newer GPT disks that are discussed later.
Note: Disk partitioning is the process of dividing a physical disk's storage into manageable
pieces to support operating system requirements.

How MBR-Based Disks Work

The MBR is stored at a consistent location on a physical disk, enabling a computer's BIOS to reference it.
During the startup process, a computer examines the MBR to determine which partition is active on the
installed disks. The active partition contains the operating system startup files.
Note: You can install the rest of an operating system on another partition or disk. In
Windows 8.1, when you boot to an MBR disk, the active partition must contain the boot sector,
Windows Boot Manager, and related files.

Features of MBR-Based Disks


The MBR partition scheme has been around for a long time, and it supports both current and early
desktop operating systems, such as the MS-DOS and Microsoft Windows NT Server 4.0 operating
systems. Consequently, the MBR partition scheme is supported widely. However, the MBR partition
scheme imposes certain restrictions, including:

Four partitions on each disk. MBR-based disks are limited to four partitions. All of these can be
primary partitions, or one can be an extended partition with logical volumes inside. You can configure
the extended partition to contain multiple volumes.

A 2 terabyte (TB) maximum partition size. A partition cannot be larger than 2 TB.

No redundancy provided. The MBR is a single point of failure, and if it becomes corrupted or
damaged, it can render an operating system unable to start.

MBR disks can be either basic or dynamic disk types. Dynamic disks support additional options that are
not available on a basic disk, including volumes that are able to span multiple disks and fault tolerant
volumes.

GPT Disks

GPT disks contain an array of partition entries that describe the start and end LBA of each partition on a
disk. Each GPT partition has a unique GUID and partition-content type. Also, each LBA that the partition
table describes is 64 bits in length. The UEFI specifies the GPT format, but it is not exclusive to UEFI
systems. Both 32-bit and 64-bit Windows operating systems support GPT for data disks on BIOS systems.
However, they cannot start from them. 64-bit Windows operating systems support GPT for boot disks on
UEFI systems.

Features of GPT Disks


GPT-based disks address the limitations of MBR-based disks and provide support for the following:

128 partitions per disk. This is a vast improvement over MBR-based disks.

18 exabyte volume size. This is a theoretical maximum because hard-disk hardware that can support
such vast volume sizes is not yet available.

Redundancy. Cyclic redundancy checks protect the GPT, and a duplicate copy of it is kept on the disk.

You can implement GPT-based disks on Windows Server 2008 and newer versions, Windows Vista,
Windows 7, Windows 8, and Windows 8.1. You cannot use the GPT partition style on removable disks.

GPT Architecture
A GPT-partitioned disk defines the following sectors:

Sector 0 contains a legacy protective MBR, which contains one primary partition that covers the entire
disk:

   o The protective MBR protects GPT disks from previously released MBR disk tools, such as MS-DOS
     Fdisk or Windows NT Disk Administrator.

   o These tools view a GPT disk as having a single encompassing (possibly unrecognized) partition by
     interpreting the protective MBR, rather than mistaking the disk for one that is not partitioned.

   o Legacy software that does not know about GPT interprets only the protective MBR when it
     accesses a GPT disk.

Sector 1 contains a partition table header. The partition table header contains the unique disk GUID,
the number of partition entries (usually 128), and pointers to the partition table.

The partition table starts at sector 2. Each partition entry contains a unique partition GUID, the
partition offset, length, type (also a GUID), attributes, and a 36-character name.

The following table describes the partitions that Windows 8.1 creates when you install it on a GPT disk.

Partition type              Size            Description
--------------------------  --------------  -------------------------------------------------------------
EFI system partition (ESP)  100 megabytes   Contains the Windows Boot Manager, the files that an
                            (MB)            operating system requires to start, the platform tools that
                                            run before an operating system starts up, or the files that
                                            the Windows Boot Manager must access before an operating
                                            system starts.
                                            The ESP must be the first partition on the disk because it is
                                            impossible to span volumes when the ESP is logically between
                                            what you are attempting to span.
Microsoft Reserved (MSR)    128 MB          Reserved for Windows components. This partition is hidden in
partition                                   Disk Management and does not receive a drive letter.
                                            Usage example: When you convert a basic GPT disk to dynamic,
                                            the system decreases the size of the MSR partition and uses
                                            that space to create the Logical Disk Manager (LDM) Metadata
                                            partition.
Operating system            Remaining disk  Contains the operating system and is the size of the
                                            remaining disk.
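The structures described in the last two topics (the four-entry MBR partition table with its 32-bit LBA fields, the protective MBR with its single covering partition, and the GPT header with its disk GUID, entry count and checksum) parsed from raw sector bytes, as an added example that is not part of the course. Both sample sectors are constructed in the script with made-up values; nothing is read from real hardware, and the function names are the example's own.

```powershell
# Added example (not from the course): parse sector 0 (MBR) and sector 1 (GPT header) from
# raw bytes, as a disk-image check would. The sample sectors below are constructed.

function ConvertFrom-MbrSector {
    param([Parameter(Mandatory)][byte[]]$Sector)
    if ($Sector.Length -lt 512) { throw 'An MBR sector is 512 bytes.' }
    $entries = foreach ($i in 0..3) {              # four 16-byte entries after 446 bytes of boot code
        $o = 446 + 16 * $i
        $type = $Sector[$o + 4]
        if ($type -eq 0) { continue }              # unused slot
        [pscustomobject]@{
            Index       = $i
            Active      = ($Sector[$o] -eq 0x80)   # the active partition holds the startup files
            Type        = ('0x{0:X2}' -f $type)
            StartLba    = [BitConverter]::ToUInt32($Sector, $o + 8)    # 32-bit LBA fields
            SectorCount = [BitConverter]::ToUInt32($Sector, $o + 12)
            Protective  = ($type -eq 0xEE)         # 0xEE: the protective MBR of a GPT disk
        }
    }
    [pscustomobject]@{
        SignatureValid = ($Sector[510] -eq 0x55 -and $Sector[511] -eq 0xAA)
        Partitions     = @($entries)
    }
}

function Get-Crc32 {
    param([Parameter(Mandatory)][byte[]]$Data)
    # CRC-32 with polynomial 0xEDB88320, the checksum GPT stores for its header and table.
    # Decimal constants are used because PowerShell reads 32-bit hex literals as signed Int32.
    if (-not $script:Crc32Table) {
        [long]$poly = 3988292384
        $script:Crc32Table = foreach ($n in 0..255) {
            [long]$c = $n
            for ($k = 0; $k -lt 8; $k++) {
                $c = if ($c -band 1) { $poly -bxor ($c -shr 1) } else { $c -shr 1 }
            }
            $c
        }
    }
    [long]$crc = 4294967295
    foreach ($b in $Data) { $crc = $script:Crc32Table[($crc -bxor $b) -band 0xFF] -bxor ($crc -shr 8) }
    return [uint32]($crc -bxor 4294967295)
}

function ConvertFrom-GptHeader {
    param([Parameter(Mandatory)][byte[]]$Sector)
    $size   = [BitConverter]::ToUInt32($Sector, 12)               # 92 bytes in current GPT
    $stored = [BitConverter]::ToUInt32($Sector, 16)
    $copy   = [byte[]]$Sector[0..($size - 1)]
    $copy[16] = 0; $copy[17] = 0; $copy[18] = 0; $copy[19] = 0     # CRC is computed with its own field zeroed
    $guidBytes = [byte[]]$Sector[56..71]
    [pscustomobject]@{
        SignatureValid    = ([Text.Encoding]::ASCII.GetString($Sector, 0, 8) -eq 'EFI PART')
        DiskGuid          = New-Object Guid -ArgumentList (, $guidBytes)
        BackupHeaderLba   = [BitConverter]::ToUInt64($Sector, 32)  # the duplicate header near the end of the disk
        PartitionEntryLba = [BitConverter]::ToUInt64($Sector, 72)
        NumEntries        = [BitConverter]::ToUInt32($Sector, 80)
        EntrySize         = [BitConverter]::ToUInt32($Sector, 84)
        CrcValid          = ((Get-Crc32 -Data $copy) -eq $stored)
    }
}

function New-SampleGptSectors {
    # Constructed 2048-sector disk: protective MBR in sector 0, GPT header in sector 1.
    $mbr = New-Object byte[] 512
    $mbr[450] = 0xEE                                              # entry 0 type: protective
    [BitConverter]::GetBytes([uint32]1).CopyTo($mbr, 454)         # entry 0 starts at LBA 1
    [BitConverter]::GetBytes([uint32]2047).CopyTo($mbr, 458)      # and spans the rest of the disk
    $mbr[510] = 0x55; $mbr[511] = 0xAA                            # boot signature

    $hdr = New-Object byte[] 512
    [Text.Encoding]::ASCII.GetBytes('EFI PART').CopyTo($hdr, 0)
    [BitConverter]::GetBytes([uint32]0x10000).CopyTo($hdr, 8)     # revision 1.0
    [BitConverter]::GetBytes([uint32]92).CopyTo($hdr, 12)         # header size
    [BitConverter]::GetBytes([uint64]1).CopyTo($hdr, 24)          # this header's LBA
    [BitConverter]::GetBytes([uint64]2047).CopyTo($hdr, 32)       # backup header LBA
    [BitConverter]::GetBytes([uint64]34).CopyTo($hdr, 40)         # first usable LBA
    [BitConverter]::GetBytes([uint64]2014).CopyTo($hdr, 48)       # last usable LBA
    ([guid]'0f3a1c2e-1111-4222-8333-444455556666').ToByteArray().CopyTo($hdr, 56)   # made-up disk GUID
    [BitConverter]::GetBytes([uint64]2).CopyTo($hdr, 72)          # partition entries start at LBA 2
    [BitConverter]::GetBytes([uint32]128).CopyTo($hdr, 80)        # 128 entries ...
    [BitConverter]::GetBytes([uint32]128).CopyTo($hdr, 84)        # ... of 128 bytes each
    [BitConverter]::GetBytes((Get-Crc32 -Data ([byte[]]$hdr[0..91]))).CopyTo($hdr, 16)
    [pscustomobject]@{ Mbr = $mbr; Header = $hdr }
}

$disk = New-SampleGptSectors
(ConvertFrom-MbrSector -Sector $disk.Mbr).Partitions | Format-Table -AutoSize
ConvertFrom-GptHeader -Sector $disk.Header | Format-List
# Change one header byte the way a sector editor would: the stored CRC no longer matches the
# header, which is the failure behind the course's warning about tools such as DskProbe.exe.
$disk.Header[80] = 64
(ConvertFrom-GptHeader -Sector $disk.Header).CrcValid
```

The CRC step is the practical takeaway: a GPT header edited outside the partitioning tools fails its own checksum, and the backup header at the LBA recorded in the primary is what recovery tooling falls back to.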

Disk Management Tools

You can use the following tools to manage Windows 8.1 disks and the volumes or partitions that they
contain:

Disk Management. A GUI for managing disks and volumes, both basic and dynamic, locally or on remote
computers. After you select the remote computer that you want to manage, you can perform the same
tasks that you typically perform when you use a local computer.

DiskPart. A scriptable command-line tool with functionality that is similar to Disk Management, which
also includes advanced features. You can create scripts to automate disk-related tasks, such as creating
volumes or converting disks to dynamic. This tool always runs locally.

Note: The Storage module cmdlets contained in the Windows PowerShell 4.0 command-line interface
replace DiskPart.

Windows PowerShell 4.0. Windows PowerShell is a scripting language that accomplishes many tasks in
the Windows environment. Starting with Windows PowerShell 3.0, disk management commands have
been added for use as stand-alone commands or as part of a script.

Note: Windows 8.1 does not support remote connections in workgroups. Both the local computer and
the remote computer must be in a domain to use Disk Management to manage a disk remotely.
Note: Do not use disk-editing tools such as DskProbe.exe to make changes to GPT disks. Any change
that you make renders the checksums invalid, which might cause the disk to become inaccessible. To
make changes to GPT disks, use Windows PowerShell, DiskPart, or Disk Management.

With either tool, you can initialize disks, create volumes, and format a volume file system. Additional
common tasks include moving disks between computers, changing disks between basic and dynamic
types, and changing the partition style of disks. You can perform most disk-related tasks without
restarting a system or interrupting users, and most configuration changes take effect immediately.

Disk Management

Using the Disk Management snap-in to the Microsoft Management Console (MMC), administrators can
quickly manage standard fault-tolerant volume sets and can confirm the health of each volume. Disk
Management in Windows 8.1 provides the same features with which you might be familiar from previous
versions, including:

Simpler partition creation. When you right-click a volume, you can choose whether to create a basic,
spanned, or striped partition directly from the menu.

Disk conversion options. When you try to add more than four partitions to a basic disk, you are
prompted to convert the disk to dynamic or to the GPT partition style. You also can convert basic
disks to dynamic disks without incurring data loss. However, converting a dynamic disk to basic is not
possible without first deleting all of the volumes.

Extend and shrink partitions. You can extend and shrink partitions directly from the Windows
interface.

To open Disk Management, use this procedure:
1. On the Start screen, type disk. This will display the Everywhere search screen.
2. Type diskmgmt.msc in the search box, and then click diskmgmt in the results list.

DiskPart
Using DiskPart, you can manage fixed disks and volumes by using scripts or direct input from the
command line. At the command prompt, type DiskPart, and then enter commands at the DiskPart
command prompt. The following are common DiskPart actions:

To view a list of DiskPart commands, at the DiskPart command prompt, type commands.

To create a DiskPart script in a text file and then run the script, type a script similar to DiskPart /s
testscript.txt.

To create a log file of the DiskPart session, type DiskPart /s testscript.txt > logfile.txt.

The following table shows several DiskPart commands that you will use frequently in this scenario.

Command                   Description
------------------------  --------------------------------------------------------------------------
list disk                 Displays a list of disks and related information, including disk size, the
                          amount of available free space on the disks, whether the disks are basic or
                          dynamic, and whether the disks use the MBR or GPT partition style. The disks
                          marked with an asterisk (*) are the ones against which the commands will
                          execute.
select disk <disknumber>  Selects the specified disk, where <disknumber> is the disk number, and gives
                          it focus.
convert gpt               Converts an empty, basic disk with the MBR partition style to a basic disk
                          with the GPT partition style.

For additional information about DiskPart commands, start Disk Management, and then open the Help
Topics from the Help menu.
Note: You can abbreviate many, but not all of the DiskPart commands. For example, use
SEL instead of SELECT and PART instead of PARTITION.

Windows PowerShell 4.0

Prior to Windows 8, if you wanted to script disk management tasks, you would have to make calls to
Windows Management Instrumentation (WMI) objects or include DiskPart in your scripts. Windows
PowerShell 3.0 and 4.0 now include commands for natively managing disks. The following table details
some Windows PowerShell commands.
Command          Description                           Additional parameters
---------------  ------------------------------------  ----------------------------------------------------
Get-Disk         Returns information on all disks or   -FriendlyName returns information about disks that
                 disks that you specify with a         have the specified friendly name.
                 filter.                               -Number returns information about a specific disk.
Clear-Disk       Cleans a disk by removing all         -ZeroOutEntireDisk writes zeroes to all sectors of a
                 partition information.                disk.
Initialize-Disk  Prepares a disk for use. By default,  -PartitionStyle <PartitionStyle> specifies the type
                 it creates a GPT partition.           of the partition, either MBR or GPT.
Set-Disk         Updates a physical disk with the      -PartitionStyle <PartitionStyle> specifies the type
                 specified attributes.                 of the partition, either MBR or GPT. You can use
                                                       this to convert a disk that was initialized
                                                       previously.
Get-Volume       Returns information on all of a       -DriveLetter <Char> gets information about the
                 system's volumes, or those volumes    specified drive letter.
                 that you specify with a filter.       -FileSystemLabel <String> returns information on
                                                       NTFS file systems or Resilient File System (ReFS)
                                                       volumes.

For more information, see:


Storage Cmdlets in Windows PowerShell
http://go.microsoft.com/fwlink/?LinkId=266556
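The following script is added here as an example; it is not part of the course or of the Windows documentation. It puts the cmdlets in the table together the way a practitioner would use them: it finds disks that were never initialized (PartitionStyle RAW), refuses to touch anything Windows marks as a boot or system disk, and changes nothing unless run with -Apply. It assumes an elevated Windows PowerShell 4.0 session on Windows 8.1; the Data label prefix and the dry-run default are choices made for this example.

```powershell
# Added example, not part of the course: initialize, partition, and format
# every RAW disk that is not a boot or system disk. Assumes an elevated
# PowerShell 4.0 session on Windows 8.1; the label prefix and dry-run default
# are choices made for this example.

param(
    [string]$LabelPrefix = 'Data',
    [switch]$Apply        # without -Apply, only report what would be done
)

# Only RAW disks qualify. A disk that already has a partition style is left
# alone, so an existing volume is never reinitialized by accident.
$candidates = @(Get-Disk | Where-Object {
    $_.PartitionStyle -eq 'RAW' -and -not $_.IsBoot -and -not $_.IsSystem
})

if ($candidates.Count -eq 0) {
    'No uninitialized disks found.'
    return
}

foreach ($disk in $candidates) {
    "Disk {0}: {1}, {2:N1} GB, PartitionStyle={3}, Offline={4}, ReadOnly={5}" -f
        $disk.Number, $disk.FriendlyName, ($disk.Size / 1GB),
        $disk.PartitionStyle, $disk.IsOffline, $disk.IsReadOnly

    if (-not $Apply) {
        '  (dry run) would initialize as GPT, create one partition, and format it NTFS'
        continue
    }

    # Initialize-Disk fails on an offline or read-only disk, so clear both first.
    if ($disk.IsOffline)  { Set-Disk -Number $disk.Number -IsOffline  $false }
    if ($disk.IsReadOnly) { Set-Disk -Number $disk.Number -IsReadOnly $false }

    # GPT is already the default; naming it keeps the intent explicit in logs.
    Initialize-Disk -Number $disk.Number -PartitionStyle GPT

    # One partition spanning the disk with an automatically assigned letter,
    # then a quick NTFS format with a predictable label such as Data3.
    $partition = New-Partition -DiskNumber $disk.Number -UseMaximumSize -AssignDriveLetter
    $volume = Format-Volume -Partition $partition -FileSystem NTFS `
        -NewFileSystemLabel ('{0}{1}' -f $LabelPrefix, $disk.Number) -Confirm:$false

    "  Created {0}: label '{1}', {2:N1} GB free" -f
        $volume.DriveLetter, $volume.FileSystemLabel, ($volume.SizeRemaining / 1GB)
}
```

Run the script once without -Apply and compare its list with the output of Get-Disk: the PartitionStyle, IsBoot, and IsSystem properties shown there are exactly what the filter relies on. The two Set-Disk calls matter on disks that arrive offline (the default SAN policy for shared disks) or read-only, because Initialize-Disk fails on both.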

Converting a Basic Disk to a Dynamic Disk


When you add a new hard disk to a computer
and then start Disk Management, a wizard guides
you through the initialization process, during
which you select whether to have an MBR or a
GPT partition style. Although you can change
between partition styles later, some disk
conversions require you to reformat the drive.
You should carefully consider the disk type and
partition style that is most appropriate for your
situation. Before you change the partition style,
remember that you:

• Must be a member of the Backup Operators or Administrators group.

• Must back up the entire contents of the hard disk before making a change, which is true for any
major change that you make to disk contents.


• Must ensure that disks are online before you can initialize them or create new partitions or volumes.
To bring a disk online or take it offline in Disk Management, right-click the disk name, and then click
the appropriate action.

• Can convert from GPT to MBR only if the disk does not contain any volumes or partitions.

• Should use Event Viewer to check the system log for disk-related messages.

All newly initialized disks are basic disks, which you then can convert to dynamic disks. Dynamic disks can be
useful when fault tolerance or spanning of disks is required.
Dynamic disks support the following features:

• Ability to be extended.

• Creation of simple, spanned, striped, mirrored, and redundant array of independent disks (RAID)-5
volumes.

• Repairing mirrored or RAID-5 volumes.

• Reactivating missing or offline disks.

Note: In a multiboot scenario, if you are in one operating system, and you convert a basic
MBR disk that contains an alternate operating system to a dynamic MBR disk, you will not be
able to start in the alternate operating system.

What Is a Simple Volume?


The most commonly used disk arrangement is
a simple volume. This volume is a contiguous,
unallocated area of a physical hard disk that
you format to create a file system. You then
can assign a drive letter to it or mount it in an
existing volume by using a volume mount point.

Simple Volume Characteristics

A simple volume encompasses available free space from a single hard disk, basic or dynamic. It is a
portion of a physical disk that functions as though it were a physically separate unit. On a dynamic disk,
a simple volume can consist of a single region on the disk or of multiple regions of the same disk that
link together. Simple volumes have the following characteristics:

• Not fault tolerant. Disk failure leads to volume failure.

• Volume I/O performance is the same as disk I/O performance.


Simple Volume Scenarios


The following table contains example scenarios for disks and volumes.

Scenario                        Description

Business desktop computer       Most business users require a basic disk and one basic volume for storage,
with one disk                   and do not require a computer with volumes that span multiple disks or that
                                provide fault tolerance. This is the best choice for those who require
                                simplicity and ease of use.

Business desktop computer       If small business users want to upgrade their operating system and reduce the
with one disk and more than     impact on their business data, they must store the operating system in a
one volume                      separate location from the business data. This scenario requires a basic disk
                                with two or more basic volumes. Users can install the operating system on the
                                first volume, creating a boot or system volume, and use the second volume to
                                store data. When a new version of the operating system releases, users can
                                reformat the boot or system volume and install the new operating system. The
                                business data, located on the second volume, remains untouched.

A simple volume might provide better performance than striped data layout schemes. For example, when
serving multiple, lengthy, sequential streams, performance is best when a single disk services each stream.
Also, workloads that are composed of small, random requests do not always result in performance
benefits when you move them from a simple to a striped data layout.
The emergence of solid-state drives (SSDs), which offer extremely fast data transfer rates, offers the
Windows 8.1 user another decision related to storing data. SSDs currently are more expensive and
have smaller capacities compared to traditional magnetic hard disk drives (HDDs). This combination
of performance, size, and cost is an acceptable compromise in small form factor devices; however,
a desktop PC might benefit from a combination of an SSD for Windows system files and a
large-capacity HDD for business data.

Demonstration: Creating a Simple Volume

This demonstration shows how to create a simple volume. First, you create a volume by using the Disk
Management snap-in, and then you will use Windows PowerShell.

Demonstration Steps
Using Disk Management
1. Sign in to LON-CL2 as Adatum\Administrator with password Pa$$w0rd.

2. Open the Start screen, and then start Disk Management.

3. Create a new simple volume on Disk 2.

4. Complete the New Simple Volume Wizard by using the following settings:
   o Use 5103 MB to create the volume.
   o Name the volume Simple1.
   o Format the drive using the default settings.

Using Windows PowerShell
1. Start Windows PowerShell as administrator.

2. At the Windows PowerShell command prompt, run the following commands:

   Get-Disk -Number 3

   Get-Disk -Number 3 | New-Partition -Size 5350879232 | Format-Volume -Confirm:$false -FileSystem NTFS -NewFileSystemLabel Simple2

   Get-Partition -DiskNumber 3 (Note the partition number you just created on disk 3, as you will use that
   in the next step.)

   Set-Partition -DiskNumber 3 -PartitionNumber x -NewDriveLetter G

3. In File Explorer, verify that the volumes that you created are visible.
Question: In what circumstances will you use less than all of the available space on a new
volume's disk?

What Are Mirrored, Spanned, and Striped Volumes?


A mirrored volume presents two disks to the
operating system as a single logical volume. A
mirrored volume always consists of exactly two
disks. Each disk has an identical copy of the data
that is on the logical volume.
A spanned volume joins areas of unallocated
space on at least two, and at most 32, disks into a
single logical disk. Similar to a spanned volume, a
striped volume also requires two or more disks.
However, striped volumes map stripes of data
cyclically across the disks.

Basic disks support only primary partitions, extended partitions, and logical drives. To use mirrored,
spanned, or striped volumes, you must convert the disks to dynamic disks as described previously. Dynamic
disks use a database to track information about the disk's dynamic volumes and about the computer's other
dynamic disks. Because each dynamic disk on a computer stores a replica of the dynamic disk database, the
Windows operating system can repair a corrupted database on one dynamic disk by using the database on
another dynamic disk.

Characteristics of Mirrored Volumes

A mirrored volume also is known as a RAID-1 volume. You use a mirrored volume when you wish to provide
redundancy for your system partition. Both spanned volumes and striped volumes require a Windows
operating system to be running to recognize the volume; therefore, neither of those solutions can provide
protection against disk failures for a system partition.
When creating a mirrored volume, the area on the disk that will hold the second copy must be at least the
same size as the volume being mirrored. Once the mirror is established, you cannot resize the mirrored
volume.

There are two main benefits of using mirrored volumes. Recovering from a disk failure is very quick, as
there is no data to rebuild. Additionally, read operations have a slight performance boost because the
system can read from both disks simultaneously.


There are two main disadvantages of using mirrored volumes. Write operations are slightly slower as every
write needs to occur on both disks. Also, using mirrored volumes is the least efficient use of space
compared with other RAID configurations.

Characteristics of Spanned Volumes

A spanned volume gives users the option to gather noncontiguous free space from two or more disks
into the same volume. A spanned volume does not provide any fault tolerance. Additionally, because the
areas that you combine are not necessarily equally distributed across the participating disks, there is no
performance benefit to implementing spanned volumes. I/O performance is comparable to simple
volumes.
You can create a spanned volume by extending a simple volume to an area of unallocated space on a
second disk, or you can designate multiple disks during the volume-creation process. The benefits of
using spanned volumes include uncomplicated capacity planning and straightforward performance
analysis.

If you create a new spanned volume, you must define the same properties as when you create a simple
volume in terms of size, file system, and drive letter. Also, you must define how much space to allocate to
the spanned volume from each physical disk.
You can create spanned volumes on dynamic disks only. If you attempt to create a spanned volume on
basic disks, the Windows operating system prompts you to convert the disks to dynamic after you have
defined the volume's properties and confirmed the choices.

It is possible to shrink a spanned volume. However, it is not possible to remove the area on a specific
disk. For example, if a spanned volume consists of three 100-MB areas, one on each of three disks, you
cannot delete the third area by itself. Depending on the space consumption on the volume, you can reduce
the volume's total size.
Note: When you shrink a spanned volume, no data loss occurs. However, the number
of disks involved might decrease. If the spanned volume then resides on a single disk, the spanned
volume converts to a simple volume. If shrinking a spanned volume leaves a dynamic disk empty, that
disk converts to a basic disk.

If you install additional hard disks, it is possible to extend the spanned volume to include areas of
unallocated space on the new disks, as long as the total number of disks does not exceed the 32-disk limit
for spanned volumes.

Characteristics of Striped Volumes


A striped volume also is known as a RAID-0 volume. A striped volume combines equal-sized areas of
unallocated space from multiple disks.

You should create a striped volume when you want to improve the I/O performance of a computer.
Striped volumes provide higher throughput by distributing I/O across all disks that are configured as
part of the set. The more physical disks that you combine, preferably across several disk controllers, the
faster the potential throughput is. For most workloads, a striped data layout provides better performance
than simple or spanned volumes, as long as you select the stripe unit appropriately based on workload
and storage hardware characteristics. The overall storage load balances across all physical drives.
Striped volumes also are well suited for isolating the paging file. By creating a volume where Pagefile.sys
is the only file on the entire volume, the paging file is less likely to become fragmented, which helps
improve performance. Redundancy normally is not required for the paging file. Striped volumes provide
a better solution than RAID-5 for paging file isolation, because paging file activity is write-intensive, and
RAID-5 is better suited for read performance than write performance.


Because no capacity is allocated for redundant data, RAID-0 does not provide data-recovery mechanisms
such as those in RAID-1 and RAID-5. The failure of any disk results in data loss on a larger scale than it
would on a simple volume because it disrupts the entire file system that spreads across multiple physical
disks. The more disks that you combine in RAID-0, the less reliable the volume becomes.

When you create a striped volume, you will define the file system, drive letter, and other standard volume
properties. Additionally, you must define the disks from which to allocate free space. The allocated space
from each disk must be identical in size.
It is possible to delete a striped volume, but it is not possible to extend or to shrink the volume.

Configuration Changes
There are times when you might want to upgrade or in some way alter the configuration of computer
hardware or software. For example:

When the addition of functionality adds value to an organization.

When a fault in software, hardware, or the combined architecture results in apps failing to run.

When a change in the functionality or role of a device or workstation occurs.

Other forms of volume management with different types of fault tolerance and recovery are available.
These include using RAID-1 or RAID-5 volumes, hardware mirroring, and disk duplexing. You could
consider using these forms of volume management in your enterprise if the standard Windows 8.1 tools
are not sufficient for your needs.
Question: How will the emergence of solid-state drives (SSDs) in enterprise workstations,
devices, and enterprise storage arrays change the storage landscape?

Demonstration: Creating Spanned and Striped Volumes


In this demonstration, you will see how to create spanned and striped volumes.

Demonstration Steps
Creating a spanned volume
1. If necessary, sign in to LON-CL2 as Adatum\Administrator.

2. Open the Start screen, and then start Disk Management.

3. Right-click the unallocated space on Disk 2, and then start the New Spanned Volume Wizard.

4. Complete the New Spanned Volume Wizard by using defaults, except for the following information:
   o Use 2000 MB from Disk 2
   o Use 1500 MB from Disk 3
   o Use 4000 MB from Disk 4
   o Name the volume SpanVol
   o Select the Perform a quick format check box

5. Read the Disk Management warning, and then click Yes.

Creating a striped volume
1. Right-click the unallocated space on Disk 2, and then start the New Striped Volume Wizard.

2. Complete the New Striped Volume Wizard by using the defaults, except for the following
   information:
   o Use 2000 MB from each disk
   o Name the volume StripedVol
   o Select the Perform a quick format check box

Question: What is the advantage of using striped volumes, and conversely, what is the major
disadvantage?

Purpose of Resizing a Volume


Windows 8.1 allows you to resize a volume by using the Shrink Volume or Extend Volume options within
the provided disk tools. You can shrink existing volumes to create additional, unallocated space to use
for data or apps on a new volume. On the new volume, you can:

• Install another operating system, and then perform a dual-boot.

• Save data separate from the operating system.


To perform a shrink operation, ensure that the volume either is formatted with NTFS or is unformatted, and
that you are a member of the Backup Operators or Administrators group. When you shrink a volume, the
space that is released comes from the end of the volume. There is no need to reformat the disk, but to
ensure that the maximum amount of space is available, perform the following tasks before shrinking:

• Defragment the volume. This moves file data toward the start of the volume so that free space is
consolidated at the end.

• Ensure that no page files are stored on the volume that you are shrinking.

When you shrink a volume, unmovable files (for example, a page file) do not relocate automatically. It is
not possible to decrease the allocated space beyond the point where the unmovable files are located. If
you need to shrink a partition further, transfer the unmovable file to another disk, shrink the volume, and
then transfer the unmovable file back to the disk.
Note: Volume Shadow Copy Service (VSS) is a technology in the Windows operating
system that allows users to restore previous versions of files. Windows 8.1 has deprecated the
Previous Versions feature that creates snapshots of local volumes. However, users can still use the
Previous Versions feature when accessing file shares on a Windows Server 2012 R2 server. To view
the amount of space used by shadow copies, use the VSS administrative command-line tool: press the
Windows logo key+X, click Command Prompt (Admin) to start an elevated command prompt, and then
type vssadmin list shadowstorage.

Defragmentation in Windows 8.1 improves on previous versions of the Windows operating system. It
now can relocate some files that could not be relocated in Windows Vista or earlier versions.

Note: Please note that you might destroy or lose data if you shrink a raw partition,
meaning a partition that does not have a file system but does contain data. Remember to make a
backup prior to extending or shrinking a partition or volume.


You can shrink simple and spanned volumes only. Here are a few ways in which you can
increase the size of a simple volume:

• Extend the simple volume into unallocated space on the same disk. The volume remains a simple volume.

• Extend the simple volume to include unallocated space on other disks on the same computer. This
creates a spanned volume and requires dynamic disks.
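The following script is an added example, not part of the course: it resizes a volume only after asking the storage subsystem what sizes it actually supports. Get-PartitionSupportedSize reports SizeMin (the floor set by data and by unmovable files such as the page file) and SizeMax (the ceiling set by the unallocated space immediately after the volume), so the script refuses a request that Disk Management would also refuse, and says which of the two limits was hit. It assumes an elevated Windows PowerShell 4.0 session on Windows 8.1; the drive letter and target size are parameters chosen for this example.

```powershell
# Added example, not part of the course: shrink or extend a volume within the
# window that Get-PartitionSupportedSize reports. Assumes an elevated
# PowerShell 4.0 session on Windows 8.1; parameters are choices made here.

param(
    [Parameter(Mandatory = $true)][char]$DriveLetter,
    [Parameter(Mandatory = $true)][UInt64]$NewSizeBytes,
    [switch]$Apply   # without -Apply, report the supported window and the verdict only
)

$partition = Get-Partition -DriveLetter $DriveLetter
$volume    = Get-Volume    -DriveLetter $DriveLetter

# Shrinking is supported for NTFS (and unformatted) volumes only.
if ($volume.FileSystem -ne 'NTFS' -and $NewSizeBytes -lt $partition.Size) {
    throw "Cannot shrink $DriveLetter`: it is $($volume.FileSystem), not NTFS."
}

# SizeMin: smallest size possible right now (unmovable files set the floor).
# SizeMax: largest size possible (unallocated space after the volume sets it).
$limits = Get-PartitionSupportedSize -DriveLetter $DriveLetter

"{0}: current {1:N0} MB, free {2:N0} MB, supported range {3:N0} MB to {4:N0} MB" -f
    $DriveLetter, ($partition.Size / 1MB), ($volume.SizeRemaining / 1MB),
    ($limits.SizeMin / 1MB), ($limits.SizeMax / 1MB)

if ($NewSizeBytes -lt $limits.SizeMin) {
    # Free space is not the constraint here; unmovable files are. Defragment,
    # move the page file off the volume, and query the supported size again.
    $msg = 'Requested {0:N0} MB is below the {1:N0} MB floor set by unmovable files; ' +
           'defragment or relocate the page file, then retry.'
    throw ($msg -f ($NewSizeBytes / 1MB), ($limits.SizeMin / 1MB))
}
if ($NewSizeBytes -gt $limits.SizeMax) {
    $msg = 'Requested {0:N0} MB exceeds the {1:N0} MB ceiling; there is not enough ' +
           'unallocated space immediately after the volume.'
    throw ($msg -f ($NewSizeBytes / 1MB), ($limits.SizeMax / 1MB))
}

$verb = if ($NewSizeBytes -lt $partition.Size) { 'shrink' } else { 'extend' }
if (-not $Apply) {
    "(dry run) would {0} {1}: to {2:N0} MB with: Resize-Partition -DriveLetter {1} -Size {3}" -f
        $verb, $DriveLetter, ($NewSizeBytes / 1MB), $NewSizeBytes
    return
}

# Resize-Partition performs the same operation as Shrink Volume / Extend Volume
# in Disk Management; data on the volume is preserved, but back up first anyway.
Resize-Partition -DriveLetter $DriveLetter -Size $NewSizeBytes
$after = Get-Partition -DriveLetter $DriveLetter
"{0}: {1} complete, size now {2:N0} MB" -f $DriveLetter, $verb, ($after.Size / 1MB)
```

Run it without -Apply first to see the supported window. The useful diagnostic is the difference between free space and SizeMin: a volume can be 90 percent empty and still refuse to shrink by more than a few hundred megabytes when the page file or the NTFS metadata sits near its end, which is exactly the situation the text above describes.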

Demonstration: Resizing a Volume

This demonstration shows how to shrink a volume with the DiskPart tool. Then, the Disk Management tool
is used to extend a volume.

Demonstration Steps
Using DiskPart
1. If necessary, sign in to LON-CL2 as Adatum\Administrator.

2. Start DiskPart.

3. At the DiskPart command prompt, run the following commands:

   list volume (note the volume number associated with Simple2)

   select volume <n> (where n is the volume number noted)

   shrink desired=50

4. Compare the size of the Simple2 volume with the size previously reported.

Using Disk Management
1. Open the Start screen, and then start Disk Management.

2. Click the spanned volume on Disk 3.

3. Start the Extend Volume Wizard, and then extend the spanned volume with 50 MB from Disk 3.
Question: When might you need to reduce the system partitions size?

Overview of Storage Spaces


Storage Spaces is a feature, introduced in Windows 8
and Windows Server 2012 and included in Windows 8.1
and Windows Server 2012 R2, that you can use to
add additional storage to your system and to pool
storage devices in a resilient arrangement.
The operating system manages all disks that are
added to a storage pool, and you can configure
these disks to ensure that the data in a pool is
protected from data loss.
You create a storage pool by adding drives to a
system. You then configure a storage space to use
some or all of the available pooled space and
define its resiliency type, name, and size.
Storage Spaces offers the types of resiliency listed in the following table.

Type                Resiliency description

Simple (none)       No mirroring. All data is lost if a drive fails.

Two-way mirror      All files in the pool are maintained on at least two different physical drives,
                    mirroring your data. The space survives the failure of one drive.

Three-way mirror    Similar to a two-way mirror, but each file is stored on three drives. The space
                    survives the failure of two drives.

Parity              At least three drives store the data and parity information. This is the most
                    space-efficient resilient option, but also potentially the poorest regarding
                    performance, as the parity information must be calculated on every write.

Note: Notice the change to modern and familiar terminology when discussing types of disk
redundancy compared with the traditional RAID-0, RAID-1, and RAID-5 nomenclature seen
earlier in the module.

The Storage Spaces feature allows the addition of disparate disk types, such as internal and external
drives, USB drives, Serial ATA drives, and other types. When you add a drive to a pool, Windows removes
its existing partitions and reserves the whole drive for the pool; while it belongs to the pool, the drive
cannot be used as an ordinary disk.
Note: Ensure that you have made a backup or removed any data before adding a drive, as
Windows 8.1 will erase any drive that is added to a storage pool as part of the configuration.

After you configure a storage space, you can modify the storage space name and size and even delete the
space completely, which will return the space back to the storage pool.
Note: Deleting a storage space will permanently delete all the files it contains. Ensure that
you move or back up any data before deleting a storage space.
Question: Discuss scenarios when you would use Storage Spaces in a client workstation
environment.
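The following script is an added example, not part of the course: it builds the two-way mirror from the table entirely from Windows PowerShell, surfaces the space as an NTFS volume, and then checks the health of the pool and the space. It assumes an elevated Windows PowerShell 4.0 session on Windows 8.1 with at least two spare physical disks. The pool and space names are chosen for this example, and matching the local storage subsystem by the friendly name 'Storage Spaces*' is an assumption about how Windows 8.1 names it.

```powershell
# Added example, not part of the course: create a pool from every poolable
# disk, carve a two-way mirror space out of it, format it, and report health.
# Assumes an elevated PowerShell 4.0 session on Windows 8.1; names and the
# 'Storage Spaces*' subsystem match are assumptions made for this example.

$PoolName  = 'ClientPool'
$SpaceName = 'MirrorSpace'

# CanPool is true only for disks that carry no partitions and belong to no pool.
# Disks in use are never offered, which is the guard you want before a step
# that erases whatever is on the disk (see the note above).
$spare = @(Get-PhysicalDisk -CanPool $true)
if ($spare.Count -lt 2) {
    throw "A two-way mirror needs at least two poolable disks; found $($spare.Count)."
}
$spare | Format-Table FriendlyName, MediaType, BusType,
    @{ Name = 'SizeGB'; Expression = { [math]::Round($_.Size / 1GB, 1) } } -AutoSize

$subsystem = Get-StorageSubSystem -FriendlyName 'Storage Spaces*'

# Every member disk is wiped here; there is no undo.
New-StoragePool -FriendlyName $PoolName -StorageSubSystemUniqueId $subsystem.UniqueId `
    -PhysicalDisks $spare | Out-Null

# Mirror with two data copies is the two-way mirror from the table; use
# -NumberOfDataCopies 3 for three-way, or -ResiliencySettingName Parity for parity.
# Thin provisioning lets the space be larger than today's pool and grow as disks
# are added; -ProvisioningType Fixed -UseMaximumSize is the alternative.
New-VirtualDisk -StoragePoolFriendlyName $PoolName -FriendlyName $SpaceName `
    -ResiliencySettingName Mirror -NumberOfDataCopies 2 `
    -ProvisioningType Thin -Size 1TB | Out-Null

# The new space appears as an ordinary disk: initialize, partition, and format
# it exactly as you would a physical disk.
$volume = Get-VirtualDisk -FriendlyName $SpaceName | Get-Disk |
    Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -AssignDriveLetter -UseMaximumSize |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel $SpaceName -Confirm:$false

"Storage space {0} is available as {1}: with {2:N1} GB free" -f
    $SpaceName, $volume.DriveLetter, ($volume.SizeRemaining / 1GB)

# Health: both should report Healthy / OK. After one member fails, a two-way
# mirror stays online but reports Warning / Degraded until the disk is replaced.
Get-StoragePool -FriendlyName $PoolName |
    Select-Object FriendlyName, HealthStatus, OperationalStatus
Get-VirtualDisk -FriendlyName $SpaceName |
    Select-Object FriendlyName, ResiliencySettingName, NumberOfDataCopies, HealthStatus, OperationalStatus
```

The two Select-Object lines at the end are the check worth keeping in a monitoring script: a degraded mirror keeps serving data, so without looking at HealthStatus a failed member can go unnoticed until the second disk fails and the space goes with it.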

Lesson 2

Maintaining Disks, Partitions, and Volumes


When you first create a volume, you typically create new files and folders in the volume's available free
space in contiguous blocks. This provides an optimized file system environment. As the volume becomes
full, the availability of contiguous blocks diminishes. This can lead to suboptimal performance. This lesson
explores file system fragmentation and the tools that you can use to reduce fragmentation. You also will
see how Windows 8.1 automatically checks and fixes most file system issues and how you can configure
disk quotas to monitor and control how disks are filled.

Lesson Objectives
After completing this lesson, you will be able to:

Describe file system fragmentation.

Explain how to defragment a disk on a Windows 8.1 client computer.

Describe how to check for disk errors.

Describe disk quotas and how they manage storage.

Configure disk maintenance tasks.

What Is Disk Fragmentation?


Fragmentation of a file system occurs over time as you save, change, and delete files. Initially, the
Windows I/O manager saves files in contiguous areas on a given volume. This is efficient for the
physical disk, as the read/write heads are able to access these contiguous blocks most quickly.

As the volume fills with data and other files, contiguous areas of free space become harder to find. File
deletion also causes fragmentation of available free space. Additionally, when you extend and save a
file, such as when editing a document or spreadsheet, there might not be contiguous free space following
the existing file blocks. This forces the I/O manager to save the remainder of the file in a noncontiguous
area. Over time, contiguous free space becomes harder to find, leading to fragmentation of newly stored
content. The incidence and extent of fragmentation varies depending on available disk capacity, disk
consumption, and usage patterns.

Although NTFS is more efficient at handling disk fragmentation than earlier file systems, this
fragmentation still presents a potential performance problem. Combined hardware and software advances
in the Windows operating system help to mitigate the impact of fragmentation and deliver better
responsiveness.
Question: How does the increasing storage capacity of HDDs affect file fragmentation?

Defragmenting a Disk
When you optimize a disk, files are relocated
optimally. This ability to relocate files is beneficial
when you are shrinking a volume because it lets
the system free up space that you can later
reclaim.
Windows 8.1 defragments drives automatically
on a scheduled basis, running weekly in the
background to rearrange data and reunite
fragmented files. You can check the status of
a defragmentation or perform a manual
optimization at any time by launching the
Optimize Drives tool.


To optimize a volume or drive manually, or to change the automatic optimization schedule, right-click a
volume in File Explorer, click Properties, click the Tools tab, and then click Optimize. You then can perform
the following tasks:

• Change settings, which allows you to:
  o Enable or disable the automated optimization.
  o Specify the automated optimization frequency.
  o Set a notification for three consecutive missed optimization runs.
  o Select which volumes you want to optimize.

• Analyze the disk to determine whether it requires optimization.

• Launch a manual optimization.

You also can start the optimization process by launching Defragment and Optimize Drives from the
Administrative Tools section within Control Panel\System and Security.

To verify that a disk requires defragmentation, in the Optimize Drives tool, select the disk that you want to
defragment, and then click Analyze. After Windows finishes analyzing the disk, check the percentage of
fragmentation on the disk in the Current status column. If the number is high, you should defragment the
disk. The Optimize Drives tool might take from several minutes to a few hours to finish defragmenting,
depending on the size and degree of fragmentation of the disk or USB device, such as an external hard
drive. You can use the computer during the defragmentation process, although disk access might be
slower and the defragmentation might take longer.
You can configure and run disk defragmentation from an elevated command prompt by using the defrag
command-line tool; type defrag /? at a command prompt for the available options. The equivalent
Windows PowerShell cmdlet is Optimize-Volume.
You can minimize file system fragmentation in the following ways:

• Partition a disk so that you isolate static files from those that are created and deleted frequently, such
as some user-profile files and temporary Internet files.

• Use the Disk Cleanup tool (Cleanmgr.exe) to remove temporary files and other unneeded files, so that
less of the volume is consumed by short-lived data.

• Use the Optimize Drives tool to help reduce the impact of disk fragmentation on disk volumes,
including USB drives. The Optimize Drives tool rearranges fragmented data so that disks and drives
can work more efficiently.


Newer drives such as SSDs do not need to be defragmented in the same way as HDDs, because files are
not accessed mechanically. If an SSD or USB flash drive becomes fragmented, only a small performance
benefit is gained by defragmenting it, because all files are accessed at equally high speed, regardless of
location or level of fragmentation. Because of the volume of write operations that defragmentation
requires, SSDs should not be defragmented. The Optimize Drives tool recognizes SSDs and, instead of
defragmenting them, sends TRIM (retrim) commands that let the drive reclaim unused blocks.
Note: Defragmenting an SSD or a USB flash drive can decrease the life span of the drive
significantly.
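The following script is an added example, not part of the course: it applies the right kind of optimization to each fixed volume according to the media behind it, which is the caveat above turned into a rule. Rotational disks are defragmented; SSDs get a retrim (a TRIM pass) and never a defragmentation. It assumes an elevated Windows PowerShell 4.0 session on Windows 8.1. Matching a volume's disk to its physical disk by comparing Disk.Number with PhysicalDisk.DeviceId is an assumption made for this example that holds for ordinary local disks; volumes that live on a storage space are skipped, because the space hides the media type of its members.

```powershell
# Added example, not part of the course: per-volume optimization chosen by
# media type (HDD -> Defrag, SSD -> ReTrim, anything else -> skip). Assumes an
# elevated PowerShell 4.0 session on Windows 8.1; the Disk.Number to
# PhysicalDisk.DeviceId match is an assumption made for this example.

param([switch]$Apply)   # without -Apply, only report the decision for each volume

$physicalDisks = Get-PhysicalDisk

$fixed = Get-Volume | Where-Object { $_.DriveLetter -and $_.DriveType -eq 'Fixed' }

foreach ($vol in $fixed) {
    $disk = Get-Partition -DriveLetter $vol.DriveLetter | Get-Disk

    if ($disk.BusType -eq 'Spaces') {
        "{0}: lives on storage space disk {1}; left to Optimize Drives' own schedule" -f
            $vol.DriveLetter, $disk.Number
        continue
    }

    $pd    = $physicalDisks | Where-Object { $_.DeviceId -eq [string]$disk.Number }
    $media = if ($pd) { $pd.MediaType } else { 'Unknown' }

    $action = switch ($media) {
        'SSD'   { 'ReTrim' }   # TRIM every free block; no data is moved
        'HDD'   { 'Defrag' }   # the classic consolidation pass
        default { 'Skip' }     # unknown media: do nothing rather than risk defragmenting flash
    }

    "{0}: '{1}' on disk {2}, media {3} -> {4}" -f
        $vol.DriveLetter, $vol.FileSystemLabel, $disk.Number, $media, $action

    if ($action -eq 'Skip' -or -not $Apply) { continue }

    # -Verbose surfaces the same fragmentation and completion messages that
    # the Optimize Drives window shows.
    if ($action -eq 'ReTrim') {
        Optimize-Volume -DriveLetter $vol.DriveLetter -ReTrim -Verbose
    } else {
        Optimize-Volume -DriveLetter $vol.DriveLetter -Defrag -Verbose
    }
}
```

Optimize-Volume -Analyze reports fragmentation without changing anything, and is the scripted equivalent of the Analyze button described above; it is deliberately not used to decide between Defrag and ReTrim here, because on an SSD the fragmentation percentage is not a reason to defragment.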

Checking for Disk Errors


Earlier versions of the Windows operating system
included automatic scheduling for several disk
maintenance activities. Windows 8.1 introduces
new feature enhancements to NTFS, including
self-healing abilities that provides online
corruption scanning, and repair capabilities to
resolve many NTFS issues. At 3 A.M. local time,
Windows 8.1 automatically performs a scan of
hard drives by using the improved Check Disk
tool (Chkdsk), which fixes file errors and NTFS
inconsistencies within volumes on a disk. In an
enterprise environment, if preferred, you could
use Group Policy to schedule this task to take place during lunchtime or other periods of low activity.

Unlike previous versions of Chkdsk, Windows can now repair a volume while the Windows operating
system is still running. Windows can take the volume offline temporarily while it carries out repairs. For all
boot and system drive repairs, the Windows operating system cannot be running, and these actions will
perform at the next system restart.
Note: The computer or device must be connected to AC power during the 3 A.M.
automated maintenance window for this procedure to take place. Alternatively, if the
maintenance window is missed, the task is carried over until the next time that AC power is
connected and the operating system is idle.

In addition to automatic scanning, you can manage disk health manually by running the Chkdsk command
from an elevated command prompt or from within Windows PowerShell with one or more of the following
options.

Option              Description

/?                  Displays the available command options.

volume              Specifies the drive letter (followed by a colon), mount point, or volume name.

filename            FAT or FAT32 only: specifies the files to check for fragmentation.

/F                  Fixes errors on the disk.

/V                  On FAT or FAT32: displays the full path and name of every file on the disk. On
                    NTFS: displays cleanup messages, if any.

/R                  Locates bad sectors and recovers readable information. Implies /F when /scan
                    is not specified.

/L:size             NTFS only: changes the log file size to the specified number of kilobytes (KB). If
                    size is not specified, displays the current size.

/X                  Forces the volume to dismount first if necessary. All open handles to the
                    volume then become invalid. Implies /F.

/I                  NTFS only: performs a less vigorous check of index entries.

/C                  NTFS only: skips checking of cycles within the folder structure.

/B                  NTFS only: re-evaluates bad clusters on the volume. Implies /R.

/scan               NTFS only: runs an online scan on the volume while it stays mounted.

/forceofflinefix    NTFS only: bypasses all online repair; all defects found are queued for offline
                    repair (that is, Chkdsk /spotfix). Must be used with /scan.

/perf               NTFS only: uses more system resources to complete a scan as fast as possible.
                    This might have a negative performance impact on other tasks that are
                    running on the system. Must be used with /scan.

/spotfix            NTFS only: runs spot fixing on the volume, dismounting it only briefly to repair
                    the defects that a previous /scan logged.

/sdcleanup          NTFS only: garbage-collects unneeded security descriptor data. Implies /F.

/offlinescanandfix  Runs an offline scan and fix on the volume.
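The following script is an added example, not part of the course: it runs the /scan then /spotfix workflow from Windows PowerShell with the Repair-Volume cmdlet, which ships with Windows 8.1 alongside Chkdsk.exe, and reads the HealthStatus that NTFS itself reports for each volume. It assumes an elevated session. Repair-Volume returns a numeric result in which 0 means no corruption was found; interpreting any other value simply as "corruption found, consult the cmdlet's documented codes" is the assumption this example makes. The drive letters are parameters chosen here.

```powershell
# Added example, not part of the course: online scan, then spot fix, for a
# list of NTFS volumes, deferring the system volume to the next restart.
# Assumes an elevated PowerShell session on Windows 8.1; treating a non-zero
# Repair-Volume result as "corruption found" is an assumption made here.

param([char[]]$DriveLetters = @('C', 'D'))

$needsRestart = @()
$systemLetter = $env:SystemDrive.TrimEnd(':')

foreach ($letter in $DriveLetters) {
    $vol = Get-Volume -DriveLetter $letter -ErrorAction SilentlyContinue
    if (-not $vol) { "{0}: no such volume" -f $letter; continue }

    # Online scanning and spot fixing are NTFS-only; FAT/FAT32 still need chkdsk /f.
    if ($vol.FileSystem -ne 'NTFS') {
        "{0}: {1} volume; run 'chkdsk {0}: /f' instead" -f $letter, $vol.FileSystem
        continue
    }

    # HealthStatus is NTFS's own verdict before any scan: Healthy, Scan Needed,
    # Spot Fix Needed, or Full Repair Needed.
    "{0}: HealthStatus before scan = {1}" -f $letter, $vol.HealthStatus

    # Equivalent of chkdsk X: /scan - reads the mounted volume and logs any
    # corruption it finds for a later spot fix, without taking the volume offline.
    $scan = Repair-Volume -DriveLetter $letter -Scan
    "{0}: scan result = {1}" -f $letter, $scan
    if ($scan -eq 0) { continue }

    # Equivalent of chkdsk X: /spotfix - dismounts the volume for seconds and
    # repairs only the logged defects. The system volume cannot be dismounted
    # while Windows runs, so its repair is deferred to the next restart.
    if ([string]$letter -eq $systemLetter) {
        $needsRestart += $letter
        continue
    }
    $fix   = Repair-Volume -DriveLetter $letter -SpotFix
    $after = (Get-Volume -DriveLetter $letter).HealthStatus
    "{0}: spot fix result = {1}, HealthStatus now = {2}" -f $letter, $fix, $after
}

if ($needsRestart.Count -gt 0) {
    $msg = "Corruption logged on {0}; run 'chkdsk {0}: /spotfix' and accept the offer to " +
           "schedule the repair at the next restart."
    Write-Warning ($msg -f ($needsRestart -join ', '))
}
```

Because the scan runs online, this can be scheduled during working hours on a client; only the spot fix dismounts the volume, and then only for the time it takes to repair the defects already found, which is the point of the split between /scan and /spotfix described in the table.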

Question: In addition to the automatic scheduled maintenance that the Windows operating
system performs, what other options could be considered to prevent unexpected data loss?

What Are Disk Quotas?


It is important to manage the storage space that Windows 8.1 computers consume locally. With
ever-increasing demands on available storage, you must consider methods that can help you manage
these demands. A disk quota is a way for you to limit each person's use of disk space on a volume. Using
disk quotas, you can track and restrict disk consumption. You can enable quotas on any NTFS-formatted
volume, including local volumes, volumes on storage spaces, and removable storage.

You can use quotas to track disk space consumption and to determine who is consuming available space.
Disk quotas are disabled by default, and users are not prevented from writing to disk volumes unless you
enable and enforce quotas.

Note: The Administrator user account is exempt from any warnings or disk space
limitations.
Several different methods are available for managing disk quotas.

Disk Properties


From the File Explorer window, view the properties of a selected disk or volume. You can use the
Quota tab to enable and manage quotas on individual drives. You can use the GUI to configure the same
settings that are available in the disk quota Group Policy settings. Additionally, you can manage and
view individual quota entries. When you manage individual quota settings, you can perform the following
tasks:

• Create a new quota entry. You can configure settings that override the default values for specific
users.

• Delete a quota entry. You can remove a previously created quota entry and allow the default settings
to apply to the user.

• Export and import. You can export configured settings on a specific volume, and you can import the
settings on another volume for ease of management.

Over time, the amount of available disk space inevitably diminishes. Therefore, you should ensure that you
have a contingency plan to increase storage capacity.

Fsutil
You can manage quotas by using the fsutil quota command from an elevated command prompt or from within Windows PowerShell. Threshold and limit values are specified in bytes. The subcommands are:

Disable <volumePath>. Disables quota tracking and enforcement on the specified volume.

Enforce <volumePath>. Enforces quota limits on the specified volume.

Modify <volumePath> <Threshold> <Limit> <UserName>. Modifies an existing quota entry or creates a new quota entry for the specified user on the specified volume.

Query <volumePath>. Lists existing quota entries on the specified volume.

Track <volumePath>. Tracks disk usage on the specified volume without enforcing limits.

Violations. Searches the System and Application event logs for quota violations.

Group Policy
In either a local or domain-based GPO, you can use the Computer Configuration\Administrative Templates\System\Disk Quotas node. The policy settings available there are:

Enable disk quotas

Enforce disk quota limit

Specify default quota limit and warning level

Log event when quota limit is exceeded

Log event when quota warning level is exceeded

Apply policy to removable media

Note: Quotas are tracked separately for each volume and are charged by file owner. The default limit and warning level apply to every user on the volume unless you create an individual quota entry that overrides them for that user; NTFS quotas cannot be scoped to a folder. By contrast, Windows Server 2012 and newer versions also offer File Server Resource Manager (FSRM), which allows administrators more detailed restrictions, including folder-level quotas, quota templates, and richer notifications.
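
The following Windows PowerShell script is an added example and is not part of the course. It applies the Quota tab and Group Policy settings described above programmatically through the Win32_QuotaSetting CIM class (the same store those tools write to), adds a per-user override with fsutil quota modify, reports every quota entry on the volume from Win32_DiskQuota, and pulls the quota events from the System log. It assumes an elevated session on a Windows 8.1 computer, an NTFS volume I:, and that the account named in -OverrideUser (the lab's Adatum\Alan) exists; the byte limits are example values chosen here.

```powershell
# Added example (not from the course): enforce and audit NTFS quotas on a volume with the
# CIM classes behind the Quota tab (Win32_QuotaSetting, Win32_DiskQuota), plus fsutil for a
# per-user override. Assumptions: elevated session, I: is NTFS, the account passed as
# -OverrideUser exists (Adatum\Alan is the lab account), and the limits are example values.
param(
    [string]$Volume             = 'I:',
    [long]  $LimitBytes         = 6MB,
    [long]  $WarnBytes          = 4MB,
    [string]$OverrideUser       = 'Adatum\Alan',
    [long]  $OverrideLimitBytes = 12MB
)

# Win32_QuotaSetting.State: 0 = disabled, 1 = track only, 2 = enforce (deny writes over limit).
# VolumePath is stored as "I:\"; the backslash must be doubled inside the WQL string.
$setting = Get-CimInstance -ClassName Win32_QuotaSetting -Filter "VolumePath='$Volume\\'"
if (-not $setting) { throw "No quota setting found for $Volume (is it an NTFS volume?)" }
$setting | Set-CimInstance -Property @{
    State                       = 2
    DefaultLimit                = $LimitBytes
    DefaultWarningLimit         = $WarnBytes
    ExceededNotification        = $true    # log an event when a user reaches the limit
    WarningExceededNotification = $true    # log an event when a user reaches the warning level
}

# Per-user entry that overrides the defaults, the equivalent of "New Quota Entry" on the
# Quota tab. fsutil takes threshold and limit in bytes.
if ($OverrideUser) {
    $warn = [long]($OverrideLimitBytes / 2)
    & fsutil.exe quota modify $Volume $warn $OverrideLimitBytes $OverrideUser | Out-Null
}

function Format-QuotaBytes {
    # "No Limit" entries (the Administrators group by default) carry the maximum uint64 value.
    param([uint64]$Bytes)
    if ($Bytes -ge [uint64]::MaxValue) { return 'none' }
    return [math]::Round($Bytes / 1MB, 2)
}

function Get-QuotaReport {
    # One row per quota entry on the volume. Status: 0 = OK, 1 = warning, 2 = exceeded.
    param([string]$Volume)
    Get-CimInstance -ClassName Win32_DiskQuota |
        Where-Object { $_.QuotaVolume.DeviceID -eq $Volume } |
        ForEach-Object {
            [pscustomobject]@{
                User    = "$($_.User.Domain)\$($_.User.Name)"
                UsedMB  = [math]::Round($_.DiskSpaceUsed / 1MB, 2)
                WarnMB  = Format-QuotaBytes $_.WarningLimit
                LimitMB = Format-QuotaBytes $_.Limit
                Status  = @('OK', 'Warning', 'Exceeded')[$_.Status]
            }
        }
}

Get-QuotaReport -Volume $Volume | Sort-Object UsedMB -Descending | Format-Table -AutoSize

# Quota events are written to the System log by the NTFS provider:
# 36 = a user reached the warning level, 37 = a user reached the limit.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 36, 37 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -match 'Ntfs' } |
    Select-Object TimeCreated, Id, Message
```

Run it once as the administrator after the lab's test user has exceeded the warning level and the report shows that user's entry in the Warning or Exceeded state alongside the events the Quota tab's logging options produced. Setting State to 1 instead of 2 gives the "track only" mode in which consumption is recorded but writes are never denied, which is the safer first step on a volume whose usage pattern you do not yet know.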
Question: Will quota management be useful in your organization?

Demonstration: Configuring Disk Maintenance Tasks

This demonstration shows how to configure drive defragmentation, check a volume for errors, and create
a disk quota.

Demonstration Steps
Configure drive defragmentation
1. If necessary, sign in to LON-CL2 as Adatum\Administrator.
2. Analyze drive I, and then defragment the drive.
3. Open an administrative Windows PowerShell window, and then run the following command to analyze drive I:
   o Defrag I: /A
4. Defragment drive I by typing the following command:
   o Defrag I: /H /U /V
5. View the verbose results of the operation.

Check a volume for errors

1. Open an administrative Windows PowerShell window, and then run the following command on drive I:
   o Chkdsk /scan I:
2. If the tool finds errors, you can attempt to repair them by typing the following command on drive I:
   o Chkdsk /spotfix I:

Create a disk quota

1. Open File Explorer, and then navigate to This PC.
2. Open the StripedVol (I:) Properties.
3. Click the Quota tab, and then enable quotas with the following settings:
   o Deny disk space to users exceeding quota limit
   o Limit disk space to 6 MB
   o Set warning level to 4 MB
   o Log event when a user exceeds their warning level
4. Close all open windows and sign out.
5. Sign in to LON-CL2 as Adatum\Alan with password Pa$$w0rd.
6. Open a Command Prompt window, and then run the following commands on drive I:
   o fsutil file createnew 4mb-file 4194304
   o fsutil file createnew 3mb-file 3145728
7. The second command exceeds the 6 MB quota, and an error is displayed indicating that there is not enough space on the disk to save the additional user file.
8. Sign out of LON-CL2.

Lesson 3

Working with Virtual Hard Disks


With virtual hard disks, you can present a portion of a hard drive as an independent hard drive to
the Windows 8.1 operating system. Virtual hard disks generally are associated with virtual machines.
Beginning with Windows 7, Windows operating systems can mount virtual hard disks directly. In this
lesson, you will learn what a virtual hard disk is and how to mount one in Windows 8.1.

Lesson Objectives
After completing this lesson, you will be able to:

Describe the tools used to create, delete, and mount virtual hard disks in Windows 8.1.

Describe how to manage virtual hard disk files in the Windows 8.1 file system.

Virtual Hard Disks in Windows 8.1

Windows 8.1 fully supports virtual hard disks. The virtual hard disk (.vhd) file format specifies a virtual hard disk, which is encapsulated in a single file and is capable of hosting native file systems and supporting standard disk operations. Virtual hard disks are not used solely with virtual machine environments such as Client Hyper-V, which is discussed later in this course. You can use virtual hard disks in any scenario where you might use a physical hard disk. If you plan to use a virtual hard disk in place of a physical disk, consider the following advantages and disadvantages.

Advantages of Using Virtual Hard Disks

Portability. Virtual hard disk files might be easier to move between systems, particularly when shared
storage is used.

Backup. A .vhd file represents a single file for backup purposes.

Disadvantages of Using Virtual Hard Disks

Performance. In high I/O scenarios, the additional overhead of using a virtual hard disk can affect
performance.

Physical failures. A .vhd file does not protect against cluster failure on the underlying physical disks.

Some of the usage scenarios for virtual hard disks include:

Multiboot. Windows 7 and Windows 8.1 support native boot from virtual hard disk. This can allow
you to start a system from multiple .vhd files to support different applications without the need to
install them in the same operating system.

Managing desktop image deployment. You can use virtual hard disks as reference images for either
physical or virtual machines to ensure that each system starts with a common image.

Physical disk virtualization. You can use virtual hard disks in conjunction with underlying storage that
is configured for resiliency.

Supporting Virtual Disk Formats

Windows 8.1 supports both virtual disk formats: .vhd and .vhdx. The .vhdx format has a metadata structure that is aimed at reducing data corruption and improving alignment on large-sector disks. The .vhd format is limited to 2 TB of storage, whereas the newer .vhdx format is suitable for virtual disks up to a supported maximum size of 64 TB.
For more information on the .vhdx format, go to:
Hyper-V Virtual Hard Disk Format Overview
http://go.microsoft.com/fwlink/?LinkId=266557
You can configure virtual hard disks as three types: fixed-size, dynamically expanding, or differencing.

Fixed-size

A fixed-size virtual hard disk is allocated its maximum size when you create a virtual disk. The fixed-size
disk type is the recommended type of virtual disk in the following scenarios:

When using the .vhd format.

When I/O performance is required to be as high as possible. Because the file does not dynamically
expand as data is created within it or copied to the virtual disk, fixed-size virtual disks typically are
only 6 percent slower than the underlying physical drive.

When a dynamically expanding disk increases in size, the host physical drive could run out of space
and cause write operations to fail. The use of fixed-size virtual disks ensures that this does not happen
because the full drive size has already been committed to the virtual disk.

The file data will not become inconsistent because of a lack of storage space or power loss.
Dynamically expanding virtual disks depend on multiple write operations to expand the file. The
internal-block allocation information can become inconsistent if all I/O operations to the virtual disk
file and the host volume are not complete and persisted on the physical disk. This can happen if the
computer suddenly loses power.

Dynamically expanding

A dynamically expanding virtual hard disk starts very small in size and grows as large as the data that is
written to it. As more data writes to a dynamically expanding virtual hard disk, the file increases to the
configured maximum size. For example, a 50-gigabyte (GB) dynamically expanding virtual hard disk that
has 10 GB of data files copied to it will occupy approximately 10 GB space on the physical hard drive and
can accommodate a further 40 GB of data. With the improvements in the .vhdx format, we recommend
the dynamically expanding disk type when creating .vhdx drives.
Note: The .vhdx format is not backward compatible with Windows 7.

Differencing disk

A differencing disk tracks the changes made from another virtual disk. Creating a parent/child relationship
between virtual disks can save significant disk space. Because this disk type lets you use the contents of
a base disk (parent) without making changes to the base disk, all changes are made to the differencing
(child) disk. You should configure base disks as read-only to prevent changes to them. All changes made
when using the virtual machine then write to the differencing disk. A differencing disk must be a
dynamically expanding disk.
Note: You can create differencing disks only by using DiskPart or Windows PowerShell.

Managing Virtual Hard Disk Files in the Windows 8.1 File System
Virtual disks are supported fully by Windows 8.1, and you should understand the tools that are available to create, mount, and delete virtual disks. Several methods are available for managing virtual disks in Windows 8.1: Disk Management, DiskPart, and Windows PowerShell 4.0.

Disk Management
The Disk Management snap-in for the MMC provides a familiar GUI where a user can create, attach, and detach virtual disks within a Windows operating system.

After you create a new virtual disk, a new disk appears in the console, and you need to initialize this disk so that the Windows operating system can manage the drive. After it initializes, you can treat the drive like any other drive. For example, you can format it, assign a drive letter to it, or the system can create a mount point and use the drive. After a virtual disk is allocated a drive letter, it is mounted and you can access the drive by using File Explorer to carry out normal activities; it behaves just like a physical drive.
Note: A virtual disk appears in the Disk Management console with a light blue drive icon to indicate to the user that it is a virtual disk.

If you wish to remove a virtual hard disk from your system, for example, to make it portable, or to connect it to a virtual machine, you first must return to Disk Management to detach the disk. While a virtual disk is online and managed by Disk Management, it is not possible to delete the virtual disk from within File Explorer, as the file is marked as an open file by the system. If the virtual disk is external to the system, for example, if it resides on a USB drive, disconnecting the USB drive without first detaching the virtual disk can corrupt the .vhd file and make it unusable.
Note: Take care when placing virtual hard disks on portable drives; they can become corrupted easily if they are in use when you disconnect the portable drive.

Managing Virtual Hard Disk Files by Using DiskPart

Although Disk Management gives users the ability to configure virtual disks from a GUI, there are some limitations, such as the inability to create differencing virtual disks. To access more powerful options, consider using DiskPart and Windows PowerShell, which provide more control of virtual disks from the command line: DiskPart through its vdisk commands, and Windows PowerShell through cmdlets.
To create a virtual hard disk by using DiskPart, you use the create vdisk command at the DiskPart command prompt. You can create and manage virtual disks by using the following commands within DiskPart:

Create vdisk

Attach vdisk

Detach vdisk

Expand vdisk

Select vdisk

The create vdisk command supports the following options:

file=<filename>. Specifies the complete path and file name of the virtual disk file. The file might be on a network share.

maximum=<n>. The maximum amount of space that the virtual disk exposes, in megabytes.

type=<fixed|expandable>. The fixed option specifies a fixed-size virtual disk file. The expandable option specifies a virtual disk file that resizes to accommodate the allocated data. The default option is fixed.

sd=<sddl string>. Specifies a security descriptor in the security descriptor definition language (SDDL) format. By default, the security descriptor is taken from the parent directory.

parent=<filename>. Path to a parent virtual disk file to create a differencing disk. With the parent parameter, you should not specify maximum because the differencing disk gets the size from its parent. Also, do not specify type, because only expandable differencing disks can be created.

source=<filename>. Path to an existing virtual disk file to be used to prepopulate the new virtual disk file. When source is specified, data from the input virtual disk file is copied block for block to the created virtual disk file. Be aware that this does not establish a parent/child relationship.

noerr. For scripting only. When DiskPart encounters an error, it continues to process commands as if the error did not occur.

To create a differencing virtual disk from an existing parent virtual disk you would use the following
command:
CREATE VDISK FILE=i:\newdiffdisk.vhdx PARENT=i:\parentdisk.vhdx

To mount a virtual disk by using DiskPart, you first must use the select vdisk command to specify the virtual hard disk file, and then use the attach vdisk command. The select vdisk command supports the following options:

file=<filename>. Specifies the complete path and file name of the virtual hard disk file. The file might be on a network share.

noerr. For scripting only. When DiskPart encounters an error, it continues to process commands as if the error did not occur.

The attach vdisk command supports the following options:

readonly. Attaches the virtual disk as read-only. Any write operation returns an I/O device error.

sd=<sddl string>. Specifies a security descriptor in SDDL format. By default, the security descriptor allows access like any physical disk.

usefilesd. Specifies that the security descriptor on the virtual disk file itself should be used on the virtual disk. If not specified, the disk will not have an explicit security descriptor unless one is specified with sd=<sddl string>.

To unmount a virtual disk by using DiskPart, you first must use the select vdisk command to specify the
virtual hard disk file, and then use the detach vdisk command. The detach vdisk command only
supports the noerr option.

Managing Virtual Hard Disk Files by Using Windows PowerShell 4.0

Windows PowerShell 4.0 and 3.0 contain native disk management cmdlets that you can use to script or manage virtual disks in an enterprise environment.

Windows PowerShell includes cmdlets that you can use to manipulate existing disk image files, which can be .iso, .vhd, or .vhdx files:

Dismount-DiskImage. Dismounts a disk image (virtual hard disk or ISO image) so that it can no longer be accessed as a disk.

Get-DiskImage. Returns information about one or more disk images (virtual hard disk or ISO image) at the specified location, including whether the image is currently attached.

Mount-DiskImage. Mounts a disk image (virtual hard disk or ISO image), making it appear as a normal disk. The -Access ReadOnly parameter attaches a virtual hard disk without allowing writes to it.

Note: Use the *-VirtualDisk cmdlets (for example, Get-VirtualDisk and New-VirtualDisk) within Windows PowerShell to manage the virtual disks found in Storage Spaces. Those cmdlets are unrelated to .vhd and .vhdx files.
To mount an existing .iso, .vhd, or .vhdx file, you use the following command:
Mount-DiskImage -ImagePath <Path>\<FileName>

Note: To view all the available cmdlets in the Storage module for Windows PowerShell, run the following command:
Get-Command -Module Storage
To view the cmdlets for working with disk images, run the following command:
Get-Command -Module Storage -Name *DiskImage*
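
The following Windows PowerShell script is an added example and is not part of the course. It walks the lifecycle this lesson describes for the DiskPart and Storage module tools together: it creates a dynamically expanding base .vhdx with a DiskPart script, mounts it and lays down a file system, detaches it before hashing the file and marking it read-only, creates a differencing child with DiskPart (the client tool that can do so), mounts the child, writes through it, and then verifies that the parent file was never modified. It assumes an elevated session on Windows 8.1 and an NTFS volume I: with a few hundred MB free; the file names base.vhdx and diff.vhdx and the label BaseVHD are chosen for this example.

```powershell
# Added example (not from the course): safe lifecycle for virtual disks on Windows 8.1.
# Demonstrates creating a differencing disk with DiskPart, keeping the parent untouched and
# read-only, and detaching a disk before its file is hashed, moved or deleted.
# Assumptions: elevated session, NTFS volume I: with free space, file names chosen here.
$parentPath = 'I:\base.vhdx'
$childPath  = 'I:\diff.vhdx'

function Invoke-DiskPart {
    # Run DiskPart commands from a temporary script file (diskpart /s). maximum= is in MB.
    param([string[]]$Commands)
    $scriptFile = Join-Path $env:TEMP ("dp-{0}.txt" -f [guid]::NewGuid())
    Set-Content -Path $scriptFile -Value $Commands -Encoding ASCII
    $out = & diskpart.exe /s $scriptFile
    Remove-Item -Path $scriptFile
    if ($LASTEXITCODE -ne 0) { throw "DiskPart failed ($LASTEXITCODE):`n$($out -join "`n")" }
}

function Get-DiskForImage {
    # Get-Disk reports a mounted image's backing file as Location; retry briefly because the
    # disk object can appear a moment after Mount-DiskImage returns.
    param([string]$ImagePath)
    for ($i = 0; $i -lt 20; $i++) {
        $disk = Get-Disk | Where-Object { $_.Location -eq $ImagePath }
        if ($disk) { return $disk }
        Start-Sleep -Milliseconds 500
    }
    throw "No disk object is backed by $ImagePath"
}

function Get-DataPartitionLetter {
    # Drive letter of the first basic partition on the disk backed by $ImagePath; assign one
    # if the mount manager did not (a freshly created differencing disk may not get one).
    param([string]$ImagePath)
    $disk = Get-DiskForImage -ImagePath $ImagePath
    $part = $disk | Get-Partition | Where-Object { $_.Type -eq 'Basic' } | Select-Object -First 1
    if (-not $part) { throw "No basic partition on $ImagePath" }
    if (-not $part.DriveLetter) {
        $part | Add-PartitionAccessPath -AssignDriveLetter
        $part = Get-Partition -DiskNumber $part.DiskNumber -PartitionNumber $part.PartitionNumber
    }
    return $part.DriveLetter
}

# 1. Create the base disk (dynamically expanding .vhdx), mount it read-write and format it.
Invoke-DiskPart -Commands @("create vdisk file=$parentPath maximum=256 type=expandable")
Mount-DiskImage -ImagePath $parentPath -Access ReadWrite
Get-DiskForImage -ImagePath $parentPath |
    Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -UseMaximumSize -AssignDriveLetter |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel 'BaseVHD' -Confirm:$false | Out-Null
$baseLetter = Get-DataPartitionLetter -ImagePath $parentPath
Set-Content -Path "${baseLetter}:\marker.txt" -Value 'written to the base disk'

# 2. Detach before touching the file: hashing or copying an attached image is unreliable, and
#    deleting it is refused while the system holds it open. Then lock the parent down.
Dismount-DiskImage -ImagePath $parentPath
if ((Get-DiskImage -ImagePath $parentPath).Attached) { throw 'base disk is still attached' }
$hashBefore = (Get-FileHash -Path $parentPath -Algorithm SHA256).Hash
Set-ItemProperty -Path $parentPath -Name IsReadOnly -Value $true

# 3. Create the differencing child. It inherits size and type from its parent, so neither
#    maximum= nor type= is given. Mount it and write through it.
Invoke-DiskPart -Commands @("create vdisk file=$childPath parent=$parentPath")
Mount-DiskImage -ImagePath $childPath -Access ReadWrite
$childLetter = Get-DataPartitionLetter -ImagePath $childPath
Get-Content -Path "${childLetter}:\marker.txt"      # the base disk's data, seen through the child
Set-Content -Path "${childLetter}:\child-only.txt" -Value 'this block lands in diff.vhdx only'
Dismount-DiskImage -ImagePath $childPath

# 4. Prove the writes that went through the child never reached the base disk.
$hashAfter = (Get-FileHash -Path $parentPath -Algorithm SHA256).Hash
if ($hashBefore -ne $hashAfter) { throw 'parent .vhdx changed; the differencing chain is broken' }
"Parent unchanged (SHA256 $hashBefore); child holds the new writes."
```

The hash comparison is the check worth keeping in any script that manages differencing chains: a parent that changes after its children were created silently invalidates every child, which is why the lesson recommends configuring base disks as read-only. The Attached check before Get-FileHash is the scripted form of the lesson's warning about detaching a virtual disk before the file is moved or removed.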

Lab A: Managing Disks


Scenario

A. Datum Corporation has purchased additional hard drives for the laptop computers used by the Marketing department. You need to modify the hard drive configuration manually. Because of application requirements, you need to create several simple partitions, a spanned partition, and a striped partition. The laptop computers are shared and require that you place a quota on one of the new volumes. In certain instances, you plan to use virtual hard drives.

Objectives
After completing this lab, you will be able to:

Create and manage volumes in Windows 8.1.

Create disk quotas to manage volume usage.

Manage virtual hard disks.

Lab Setup
Estimated Time: 30 minutes
Virtual machines: 20687D-LON-DC1, 20687D-LON-CL2
User names: Adatum\Administrator and Adatum\Alan
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in by using the following credentials:
   o User name: Adatum\Administrator
   o Password: Pa$$w0rd
   o Domain: Adatum
5. Repeat steps 2 through 4 for 20687D-LON-CL2.

Exercise 1: Creating Volumes

Scenario

A. Datum has purchased additional hard drives for the laptop computers used by the Marketing department. To ensure that the new disks can store corporate Microsoft Office PowerPoint presentations and media, you need to create and manage the volumes on the newly installed hard disks.
The main tasks for this exercise are as follows:
1. Create a simple volume by using Disk Management.
2. Create a simple volume by using Windows PowerShell 4.0.
3. Resize a simple volume by using Disk Management.
4. Resize a simple volume by using Windows PowerShell 4.0.
5. Create a spanned volume by using Disk Management.
6. Create a striped volume by using Disk Management.

Task 1: Create a simple volume by using Disk Management

1. Sign in to LON-CL2 as Adatum\Administrator.
2. Start Disk Management.
3. Create a new simple volume on Disk 2.
4. Complete the New Simple Volume Wizard by using the following settings:
   o Volume Size: 5103 MB
   o Name the volume Simple1
5. Format the volume with the default settings.
6. Close Disk Management and any open windows.

Task 2: Create a simple volume by using Windows PowerShell 4.0

1. Start Windows PowerShell as administrator.
2. At the Windows PowerShell command prompt, run the following commands:
   o Get-Disk -Number 3 | New-Partition -Size 5GB | Format-Volume -Confirm:$false -FileSystem NTFS -NewFileSystemLabel Simple2
   o Get-Partition (Note the partition number you just created on Disk 3. You will use that in the next step.)
   o Set-Partition -DiskNumber 3 -PartitionNumber x -NewDriveLetter H (where x is the partition number from the previous step)
3. Minimize the Windows PowerShell window.
4. In File Explorer, verify that the volume that you created is visible.
5. Close File Explorer, and then minimize the Windows PowerShell window.

Task 3: Resize a simple volume by using Disk Management

1. Open the Start screen, and then start Disk Management.
2. Start the Extend Volume Wizard, and then extend Simple1 with 500 MB from Disk 2.
3. Close Disk Management.

Task 4: Resize a simple volume by using Windows PowerShell 4.0

1. Restore the Windows PowerShell window.
2. At the Windows PowerShell command prompt, run the Get-Partition command.
3. Note the disk number, partition number, and size for drive H.
4. At the Windows PowerShell command prompt, run the following command, substituting the DiskNumber and PartitionNumber values with the information you recorded in the previous step:
   o Resize-Partition -DiskNumber 3 -PartitionNumber 1 -Size 5.5GB
5. At the Windows PowerShell command prompt, run the Get-Partition command.
6. Compare the size of the Simple2 volume with the size previously reported.
7. Minimize the Windows PowerShell window.

Task 5: Create a spanned volume by using Disk Management

1. Open the Start screen, and then start Disk Management.
2. Right-click the unallocated space on Disk 2, and then start the New Spanned Volume Wizard.
3. Complete the New Spanned Volume Wizard by using defaults, except for the following information:
   o Use 2000 MB from Disk 2
   o Use 1500 MB from Disk 3
   o Use 4000 MB from Disk 4
   o Name the volume SpannedVol
   o Select the Perform a quick format check box
4. Read the Disk Management warning, and then click Yes.

Task 6: Create a striped volume by using Disk Management

1. Right-click the unallocated space on Disk 2, and then start the New Striped Volume Wizard.
2. Complete the New Striped Volume Wizard by using defaults, except for the following information:
   o Use 2000 MB from each disk
   o Name the volume StripedVol
   o Select the Perform a quick format check box
3. Close Disk Management and any open windows.

Results: After completing this exercise, you should have created several volumes on a client computer.

Exercise 2: Configuring Disk Quotas

Scenario

In this exercise, you will configure a disk quota on one of the new volumes. You will enforce a quota limit and then sign in as a standard user to test it.
The main tasks for this exercise are as follows:
1. Create disk quotas on a volume.
2. Create test files.
3. Test the disk quota.
4. Review quota alerts and logging.

Task 1: Create disk quotas on a volume

1. On LON-CL2, open File Explorer, and then navigate to This PC.
2. Open the StripedVol (I:) Properties.
3. Click the Quota tab, and then enable quotas with the following settings:
   o Deny disk space to users exceeding quota limit
   o Limit disk space to 6 MB
   o Set warning level to 4 MB
   o Log event when a user exceeds their warning level
4. Close all open windows.

Task 2: Create test files

1. Open a Command Prompt window, and then run the following commands on drive I:
   o fsutil file createnew 2mb-file 2097152
   o fsutil file createnew 1kb-file 1024
2. Sign out of LON-CL2.

Task 3: Test the disk quota

1. Sign in to LON-CL2 as Adatum\Alan.
2. Open File Explorer to the StripedVol (I:) drive.
3. Create a new folder called Alan's files.
4. Copy the 1kb-file and 2mb-file files to Alan's files.
5. Make a copy of the 2mb-file.
6. Make another copy of 2mb-file.
7. Review the message that appears when you make the second copy, and then click Cancel.
8. Sign out of LON-CL2.

Task 4: Review quota alerts and logging

1. Sign in to LON-CL2 as Adatum\Administrator.
2. Open File Explorer, and then navigate to This PC.
3. Open the StripedVol (I:) Properties.
4. Click the Quota tab, and then open the Quota Entries.
5. Review the entries for Alan Steiner in the Quota Entries for StripedVol (I:) dialog box, and then close all open windows.
6. Open the Event Viewer, and then look in the System log for events with an Event ID of 36 (a user reached the warning level) or 37 (a user reached the quota limit).
7. Review the event or events found, and then close all open windows.

Results: After completing this exercise, you should have created and tested a disk quota.
Exercise 3: Managing Virtual Hard Disks

Scenario
In this exercise, you will create, mount, and then delete a virtual hard disk.
The main tasks for this exercise are as follows:
1. Create a virtual hard disk.
2. Mount the virtual hard disk file, browse to the virtual hard disk file, and create files on the drive.
3. Remove a mounted virtual hard disk file.

Task 1: Create a virtual hard disk

1. If necessary, sign in to LON-CL2 as Adatum\Administrator.
2. Open the Start screen, and then start Disk Management.
3. Complete the Create and Attach Virtual Hard Disk Wizard by using the following settings:
   o Name the virtual hard disk file I:\DemoDisk.VHDX
   o Use 100 MB as the disk size
   o Use .vhdx format
   o Dynamically expanding disk type
4. Open an Administrative Command Prompt window, and then open DiskPart.
5. Create a virtual hard disk by using the following settings:
   o Name the virtual hard disk file I:\virtualdisk2.vhdx
   o Use 1048 MB as the disk size
   o Use .vhdx format
   o Dynamically expanding disk type

Task 2: Mount the virtual hard disk file, browse to the virtual hard disk file, and create files on the drive

1. Using the virtual hard disk I:\DemoDisk.VHDX that was created previously, bring the disk online, and then format the unallocated space, naming the drive SimpleVHD1.
2. In File Explorer, verify that a new drive named SimpleVHD1 has been created.
3. Create a new folder named Test on the new drive.
4. Create a new Notepad document named Test.txt, and then save it on the new drive.
5. Using the virtual hard disk I:\virtualdisk2.vhdx that was created previously, attach the disk, bring it online, and then format the unallocated space, naming the drive SimpleVHD2.
6. In File Explorer, verify that a new drive named SimpleVHD2 has been created.
7. Create a new folder named Test on the new drive.
8. Open the Test folder, and then create a new Notepad document named Test.txt.

Task 3: Remove a mounted virtual hard disk file

1. If necessary, sign in to LON-CL2 as Adatum\Administrator.
2. Open the Start screen, and then start Disk Management.
3. Detach the virtual disk SimpleVHD1.
4. Open an Administrative Command Prompt window, and then open DiskPart.
5. Detach the mounted virtual disk I:\virtualdisk2.vhdx.

Results: After completing this exercise, you should have created, mounted, and then deleted a virtual hard disk file.

Prepare for the next lab

When you have finished the lab, leave the virtual machines running, as they are needed for the next lab.

Lesson 4

Installing and Configuring Device Drivers

Devices have changed from being single-function peripherals to complex, multifunction devices with a
large amount of local storage and the ability to run many apps. They have evolved from a single type of
connection, such as USB 1.0, to multi-transport devices that support USB 3.0, Bluetooth, and Wi-Fi. Newer
connection methods such as near field communication and Miracast wireless display capabilities are
emerging technologies that have built-in support within Windows 8.1.
Many of today's devices are integrated and sold with services that are delivered over the Internet. Internet delivery has simplified the delivery mechanism, which means that a computer's ability to recognize and use devices has expanded to cover several possibilities. Microsoft constantly expands the list of devices and peripherals that are tested for compatibility with Windows 8.1.

The device experience in Windows 8.1 is designed on existing connectivity protocols and driver models to
maximize compatibility with existing devices. You can use the following areas in Windows 8.1 to manage
devices:

The Devices and Printers control panel item gives users a single location to find and manage all the devices that connect to a Windows 8.1-based computer, and it provides quick access to device status, product information, and key functions such as faxing and scanning. This enhances and simplifies the customer experience with a Windows 8.1-connected device.

Device Manager is used to view and update hardware settings and driver software for devices such as
internal hard drives, network cards, sound cards, video or graphics cards, memory, processors, and
other internal computer components.

Building on the Plug and Play concept, seamless user experiences begin with the ability to effortlessly
connect devices to a Windows 8.1 device. Windows Update automatically retrieves up-to-date and newly
released drivers, and when appropriate, users are given an option to download and install additional apps
for the device. These components all help reduce support calls and increase customer satisfaction.

Lesson Objectives
After completing this lesson, you will be able to:

Describe device drivers in Windows 8.1.

Describe the process for installing devices and drivers.

Describe the process for staging drivers in the driver store.

Describe the device driver management tools.

Describe the options for updating drivers.

Describe how to manage signed drivers.

Discuss options for recovering from a driver issue.

Manage drivers on a Windows 8.1 computer.

Overview of Device Drivers in Windows 8.1

A driver is a small software component that an operating system uses to communicate with hardware or devices. Generally, drivers are specific to an operating system or a family of operating systems. Without drivers, the hardware that you connect to a computer does not work properly. Windows supports most devices without needing additional downloads. With Windows 8.1, additional drivers and device support are available online through Windows Update. If the Windows operating system does not have a required driver, look for it on the disc that came with the hardware or device, or on the manufacturer's website.

32-Bit and 64-Bit Drivers

Windows 8.1 is available in 32-bit and 64-bit versions. Drivers that were developed for the 32-bit version
do not work with the 64-bit version, and vice versa. Make sure that you obtain appropriate device drivers
before you install Windows 8.1.

Driver Signing

The device drivers that are included with Windows 8.1 have a Microsoft digital signature that indicates that a particular driver package has met a certain level of testing, is stable and reliable, and has not been altered since it was digitally signed. Windows 8.1 checks for a driver's digital signature during installation and prompts the user if no signature is available or the signature does not verify. On 64-bit Windows 8.1, kernel-mode code signing goes further: an unsigned kernel-mode driver is not loaded at all unless driver signature enforcement is disabled for that startup or test signing is enabled. A valid signature establishes who published the package and that it is intact; it is not a statement that the driver is free of defects.
Note: The signature file is stored as a .cat file in the same location as the driver file.

Driver Store and Driver Packages

The driver store is the driver repository in Windows 8.1. A driver package is a set of files that make up
a driver. It includes the .inf file, any files that the .inf file references, and the .cat file that contains the
digital signature for the device driver. You can preload the driver store with drivers for commonly used
peripheral devices. The driver store is located in %SystemRoot%\System32\DriverStore.

Installing a driver is a two-stage process. First, you install the driver package into the driver store. You
must use administrator credentials to install the driver package into the driver store. The second step is
to attach the device and install the driver. A standard user can perform this second step.

During hardware installation, if the appropriate driver is not available, Windows 8.1 uses Windows Error
Reporting to report an unknown device. This enables OEMs to work with Microsoft to provide additional
information to users, such as a statement of nonsupport for a particular device, or a link to a website with
additional support information.

In Windows 8.1, the Device Metadata Retrieval Client provides an end-to-end process for defining and
distributing device metadata packages. These packages contain device-experience XML documents that
represent a device's properties and functions, together with applications and services that support the
device. Through these XML documents, the Devices and Printers control panel category page, and Device
Stage, users are presented with an interface that is specific to a device and that the device maker defines.
Windows 8.1 uses Windows Metadata and Internet Services (WMIS) to discover, index, and match device
metadata packages to specific devices that connect to a computer. Device makers also can distribute
device metadata packages directly to a computer through their own setup applications.

Note: You can use the Pnputil.exe tool to add a driver to the Windows 8.1 driver store
manually.

Installing Devices and Drivers


Windows operating systems have supported Plug and Play for device and driver installation since the
Microsoft Windows 95 operating system. When you install a new device, Windows 8.1 typically recognizes
and configures it. To support Plug and Play, devices contain configuration and driver information. Each
Plug and Play device must:

• Be uniquely identified.
• State the services it provides and the resources that it requires.
• Identify the driver that supports it.
• Allow software to configure it.


Windows 8.1 reads this information when a device attaches to a computer and then completes
the configuration so that the device works properly with other installed devices. When properly
implemented, Plug and Play provides automatic configuration of PC hardware and devices. The driver
architecture for Windows supports comprehensive, operating system-controlled Plug and Play. Plug
and Play technologies are defined for Institute of Electrical and Electronics Engineers 1394 (IEEE 1394),
Peripheral Component Interconnect (PCI) cards, PC Card/CardBus, USB, SCSI, Advanced Technology
Attachment (ATA), Industry Standard Architecture (ISA), and LPT (parallel) and COM (serial) ports. You
can use Device Manager to install device drivers manually for devices that are not compliant with Plug and Play.

Windows 8.1 introduces several improvements to the way that users can discover and use the devices
that their computers host and which connect to their computers. Windows 8.1 can detect nearby devices
in the home, automatically making them available for use. Windows 8.1 also can install a Windows 8.1
device app automatically from the Windows Store when users connect their device for the first time.
Windows 8.1 device apps that are companions to a device or PC have the ability to take advantage of
the full range of functionality of that device or PC.

Improved End-User Experience

The success of a driver installation depends on several factors. Two key factors are whether a device is
supported by a driver package that is included with a Windows operating system, available on Windows
Update, or available from the Windows Store, and whether the user has media with the driver package
that the vendor provides. Windows 8.1 includes several features that help an administrator make device
driver installation more straightforward for users:

• Staging driver packages in the protected driver store. A standard user without any special privileges
  or permissions can install a driver package that is in the driver store.
• Configuring client computers to search a specified list of folders automatically when a new device
  attaches to the computer. A network share can host these folders. When a device driver is accessible
  in this manner, the Windows operating system does not need to prompt the user to insert media.
• Restarting the system is rarely necessary when installing Plug and Play devices or software
  applications. This is true for the following reasons:

  o The Plug and Play Manager installs and configures drivers for Plug and Play devices while the
    operating system is running.
  o Applications can use side-by-side components instead of replacing shared, in-use dynamic-link
    libraries (DLLs).

These features improve the user experience and reduce help desk support costs because standard users
can install approved driver packages without requiring additional permissions or administrator assistance.
These features also help increase computer security by ensuring that standard users only can install driver
packages that you authorize and trust.

Driver Detection Process

When a user inserts a device, the Windows operating system detects it and then signals the Plug and
Play service to make the device operational. Plug and Play queries the device for identification strings
and searches the driver store for a driver package that matches the identification strings. If a matching
package is found, Plug and Play copies the device driver files from the driver store to their operational
locations, typically %SystemRoot%\System32\Drivers, and then updates the registry as needed. Finally,
Plug and Play starts the newly installed device driver.
If a matching package is not found in the driver store, the Windows operating system searches for a
matching driver package in the following locations, in this order:

• Folders specified by the DevicePath registry entry
  (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DevicePath, which defaults to %SystemRoot%\inf;
  additional folders, including network shares, are appended with semicolons).
• The Windows Update website.
• Media or a manufacturer's website that the user supplies after the system prompts for it.

The Windows operating system also checks that the driver package has a valid digital signature. If the
package is signed with a certificate that is valid but is not in the computer's Trusted Publishers store,
the Windows operating system prompts the user for confirmation. A standard user cannot elevate to
approve that prompt, so for non-administrators the prompt is effectively where installation stops; only
packages that are already staged, or that come from a publisher you have pre-trusted, install silently.
Staging device driver packages in this manner provides significant benefits. After a driver package stages
successfully, any user who logs on to that computer can install the drivers simply by plugging in an
appropriate device.
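The following PowerShell script is an added example, not part of the course text, showing how to append a network share to the DevicePath search list described above and then check who can write to that share. The share name \\LON-DC1\Drivers is an assumption; substitute your own. Run it from an elevated prompt, because the value lives under HKLM.

```powershell
# Added example (not from the course): add a read-only network share to the
# folders Windows searches for driver packages when a new device appears.
# \\LON-DC1\Drivers is an assumed share name.
$key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'
$share = '\\LON-DC1\Drivers'

# Read the raw REG_EXPAND_SZ value without expanding %SystemRoot%, so the
# default entry is written back exactly as Windows shipped it.
$raw   = (Get-Item -Path $key).GetValue('DevicePath', '', 'DoNotExpandEnvironmentNames')
$paths = @($raw -split ';' | Where-Object { $_ })

if ($paths -notcontains $share) {
    $paths += $share
    Set-ItemProperty -Path $key -Name DevicePath -Value ($paths -join ';') -Type ExpandString
}

# Show the result; %SystemRoot%\inf should still be the first entry.
(Get-Item -Path $key).GetValue('DevicePath', '', 'DoNotExpandEnvironmentNames')

# The share is now a trusted source for every client that reads this value.
# Anyone who can write to it can put driver packages in front of all of them,
# so list every principal with write-type rights and make sure only the
# packaging team is there.
(Get-Acl -Path $share).Access |
    Where-Object { $_.FileSystemRights -match 'Write|Modify|FullControl' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

Signature checking still applies to packages found through DevicePath, so a write-capable attacker cannot feed an unsigned driver this way, but they can substitute an older, validly signed driver with a known flaw. Keep the share read-only for users and audit changes to it.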

Non-Plug and Play Devices

Devices that are not compatible with Plug and Play are becoming increasingly rare as manufacturers stop
producing them in favor of Plug and Play devices. The term non-Plug and Play typically applies to older
equipment with devices that require manual configuration of hardware settings before use. To view
non-Plug and Play devices, in Device Manager, click the View menu, click Show hidden devices, and then
expand Non-Plug and Play Drivers.

Staging Drivers in the Driver Store


Typically, standard users cannot install device drivers. However, you can use the Plug and Play utility
(Pnputil.exe) to stage drivers to the driver store. After a signed driver package is in the driver store, the
Windows operating system treats the package as trusted, and any user can complete the installation by
attaching a matching device.
Note: Run Pnputil.exe from an elevated command prompt. The tool cannot invoke the User Account
Control dialog box. If you run it from a command prompt that is not running as administrator, the
commands fail.


To add a driver, use the -a parameter to specify the path and name of the driver's .inf file, for example,
pnputil -a <PathToDriver>\<Driver>.inf. The Windows operating system validates that the signature
attached to the package is valid, that the files are unmodified, and that each file's hash matches the value
recorded in the signed catalog.

After adding a driver, note the published name that the store assigns. Driver packages are renamed oem*.inf
as they are added, to guarantee unique names in the store. For example, the file MyDriver1.inf might be
published as oem0.inf. You can view the published names by using the -e parameter, for example,
pnputil -e. You need the published name, not the original file name, when you later delete a package with -d.
Typically, you do not need to uninstall a Plug and Play device. Just disconnect or unplug the device so
that the Windows operating system does not load or use the driver.
The following table lists the options available with pnputil.exe:

Option                                  Description
-a <PathToDriver>\<Driver>.inf          Add the driver package specified by <PathToDriver>\<Driver>.inf
                                        to the driver store.
-a <PathToDriver>\*.inf                 Add all the driver packages in the specified path.
-i -a <PathToDriver>\<Driver>.inf       Add the driver package to the driver store and install it on any
                                        matching devices that are currently attached.
-e                                      Enumerate all third-party driver packages in the driver store.
-d oem<#>.inf                           Delete the driver package published as oem<#>.inf from the store.
-f -d oem<#>.inf                        Force the deletion of oem<#>.inf even if a device currently uses it.
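The following PowerShell script is an added example, not part of the course, that wraps the staging workflow above: it refuses to run unless elevated, verifies the package catalog before anything reaches the store, stages the package with pnputil -a, and then parses the text output of pnputil -e into objects so the assigned oemN.inf name can be recorded. The package path \\LON-DC1\Drivers\point64\point64.inf and the function name Get-StagedDriverPackage are assumptions for illustration.

```powershell
# Added example (not from the course): stage a vetted driver package into the
# driver store and read back the oemN.inf name that the store assigned.
# $PackageInf is an assumed location; point it at your own package.
$PackageInf = '\\LON-DC1\Drivers\point64\point64.inf'

# Pnputil cannot raise a UAC prompt, so refuse to continue without elevation.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell prompt.'
}

# Verify the catalog that sits beside the INF before anything reaches the store.
$cat = Get-ChildItem -Path (Split-Path -Parent $PackageInf) -Filter *.cat |
       Select-Object -First 1
if (-not $cat) { throw "No .cat file found beside $PackageInf" }
$sig = Get-AuthenticodeSignature -FilePath $cat.FullName
if ($sig.Status -ne 'Valid') {
    throw "Catalog $($cat.Name) has signature status '$($sig.Status)'; not staging."
}
Write-Host "Catalog signed by: $($sig.SignerCertificate.Subject)"

# Stage only (-a). Use '-i -a' instead to also install on attached devices.
$output = & pnputil.exe -a $PackageInf 2>&1
if ($LASTEXITCODE -ne 0) { throw "pnputil -a failed:`n$($output -join "`n")" }
$output

# Turn the text output of 'pnputil -e' into objects. Each package is printed as
# a block of 'Label : value' lines ending with 'Signer name', which we use as
# the record terminator.
function Get-StagedDriverPackage {
    $pkg = $null
    foreach ($line in (& pnputil.exe -e)) {
        if ($line -match '^Published name\s*:\s*(.+)$') {
            $pkg = [ordered]@{ PublishedName = $Matches[1].Trim() }
        } elseif ($line -match '^Driver package provider\s*:\s*(.+)$') {
            $pkg.Provider = $Matches[1].Trim()
        } elseif ($line -match '^Class\s*:\s*(.+)$') {
            $pkg.Class = $Matches[1].Trim()
        } elseif ($line -match '^Driver date and version\s*:\s*(.+)$') {
            $pkg.DateVersion = $Matches[1].Trim()
        } elseif ($line -match '^Signer name\s*:\s*(.+)$') {
            $pkg.Signer = $Matches[1].Trim()
            [pscustomobject]$pkg
        }
    }
}
Get-StagedDriverPackage | Format-Table -AutoSize
```

To remove a package later, pass its published name, for example pnputil -d oem5.inf; if a device is still using the driver the plain delete fails and -f -d is required, which is also the case to watch for, because the driver files already copied to %SystemRoot%\System32\Drivers remain in use until the device is uninstalled or the computer restarts.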

Device Driver Management Tools


There are several areas in Windows 8.1 from which you can manage devices and their related drivers:

• Windows 8.1 device apps
• Device Manager
• Devices and Printers
• Device Stage
• The Pnputil tool, run from an elevated command prompt or Windows PowerShell session

Windows 8.1 Apps


Windows 8.1 introduces Windows 8.1 device apps, which build on the Plug and Play experience from
Windows 7. Using these apps, device manufacturers can deliver an app that pairs with their device and
downloads automatically to the user the first time the device connects. Providing a Windows 8.1 device
app gives hardware developers a unique opportunity to highlight device functionality.

Device Manager

Device Manager helps you install and update the drivers for hardware devices, change the hardware
settings for those devices, and troubleshoot problems. You can perform the following tasks in Device
Manager:

• View a list of installed devices. View all devices that are currently installed, grouped by type, by
  their connection to the computer, or by the resources they use. This device list is recreated after every
  system restart or dynamic change.
• Uninstall a device. Uninstall the device driver and remove the driver software from the computer.
• Enable or disable devices. If you want a device to remain attached to a computer without being
  enabled, you can disable the device instead of uninstalling it. Disabling differs from uninstalling
  because only the driver is stopped; the hardware configuration is not changed.
• Troubleshoot devices. Determine whether the hardware on a computer is working properly. If a
  device is not operating correctly, it might be listed as an Unknown Device with a yellow warning icon
  next to it.
• Update device drivers. If you have an updated driver for a device, you can use Device Manager to
  apply it.
• Roll back drivers. If you experience system problems after updating a driver, you can roll back to the
  previous driver. Using this feature, you reinstall the last device driver that was functioning before
  the installation of the current one.

You can use Device Manager to change devices on the local computer only. When connected to a remote
computer, Device Manager works in read-only mode, which means that you can view but not change that
computer's hardware configuration. Device Manager is accessible in the Hardware and Sound category in
Control Panel, or by running devmgmt.msc.

View the Status of a Device


The status of a device shows whether a device has drivers installed and whether the Windows operating
system is able to communicate with the device. To view the status of a device, follow this procedure in
Device Manager:
1. Right-click the device, and then click Properties.
2. On the General tab, the Device status area shows a description of the current status.

Hidden Devices

The most common type of hidden device is for non-Plug and Play devices, storage volumes, and internal
network adapters. To view hidden devices in Device Manager, click View, and then click Show hidden
devices.

Devices and Printers

The Hardware and Sound category in Control Panel provides an additional place to manage devices,
such as Devices and Printers. Wizards guide you through the setup process, which reduces complex
configuration tasks. Windows 8.1 recognizes new devices and automatically attempts to download and
install any drivers that are required for a device.

After a device connects, it appears in the Devices and Printers control panel category page. Devices that
display in this location usually are external ones that you connect to or disconnect from a computer
through a port or network connection. These devices include, but are not limited to, the following:

• Portable devices, such as mobile phones, music players, and digital cameras.
• All devices plugged into a USB port on a computer, such as flash drives, webcams, keyboards, and
  mice.
• All printers, whether they are connected by USB cable, over the network, or wirelessly.
• Bluetooth and wireless devices.
• The computer itself.
• Network-enabled scanners or media extenders.
• Internal card readers.
• Monitors and other displays.

Devices and Printers does not include the following:

• Devices such as internal hard drives, disk drives, sound cards, video or graphics cards, memory,
  processors, and other internal computer components.
• Speakers that connect to a computer with conventional speaker wires.
• Older devices, such as mice and keyboards, that connect to a computer through a PS/2 or serial port.

In Devices and Printers, a multifunction printer displays and can be managed as one device instead of
individual printer, scanner, or fax devices. In Device Manager, each individual component of a
multifunction printer is displayed and managed separately.

PC Settings

A new option with Windows 8.1 is PC settings. To access PC settings, you click the Settings charm from the
lower-right corner of the Start screen, and then click Change PC settings. In the left pane, you can click PC
and devices, click Devices, and then add devices or remove already installed devices, or you can search for
recommended apps for the device.

Device Stage


Device Stage provides users with a new way to access devices and advanced options for managing them.
Devices that are in use are shown with a photorealistic icon. This icon can include quick access to common
device tasks and status indicators that let users quickly discern battery status, device synchronization
status, remaining storage capacity, and other information. Device makers can customize this experience
to highlight device capabilities and branding, and they can include links to product manuals, additional
applications, community information and help, or additional products and services.
The entire Device Stage experience remains current: graphics, task definitions, status information, and
links to websites are distributed to computers by using WMIS.
For a list of device-stage experiences, go to:
Windows 8.1 device experience
http://go.microsoft.com/fwlink/?LinkId=266558

Options for Updating Drivers


A newer version of a device driver often adds functionality and fixes problems that were discovered in
older versions, and you can resolve many hardware problems by installing updated device drivers. Driver
updates also often fix security problems and improve performance.

Dynamic Update is a feature that works with Windows Update to download any critical fixes and device
drivers that are required during the setup process. Dynamic Update downloads new drivers for devices
that are connected to a computer and that are required to run Setup. This feature updates the required
setup files and improves the Windows 8.1 Setup process.
Dynamic Update downloads the following types of files:

• Critical updates. Dynamic Update replaces files from the Windows 8.1 operating system DVD that
  require critical fixes or updates. Dynamic Update also replaces DLLs that Setup requires. The only files
  that download are those that replace existing files. No new files download.
• Device drivers. Dynamic Update downloads only drivers that are not included on the operating system
  installation media. Dynamic Update does not update existing drivers, but you can obtain updates for
  those by connecting to Windows Update after Setup is complete.

When updated device drivers are required, Microsoft tries to ensure that you can get them directly from
Windows Update or from device manufacturer websites. Check Windows Update first when you want to
update drivers after installation. If an updated device driver is not available through Windows Update,
find the latest version of a device driver by any of the following methods:

• Visit the computer manufacturer's website for an updated driver.
• Visit the hardware manufacturer's website.
• Search the Internet by using the device name.

Note: Exercise care and caution when searching the Internet for device drivers, because malware
frequently masquerades as drivers on download websites. Wherever possible, download drivers only from
Microsoft or from the manufacturer's own website, and check the signer name on the package's digital
signature before you stage it. A package that is validly signed by an unexpected publisher is exactly what
a repackaged download looks like; the presence of a signature alone proves nothing about who built it.


You can perform manual device updates in Device Manager. To update a device driver manually, follow
this procedure in Device Manager:
1. Double-click the type of device you want to update.
2. Right-click the device, and then click Update Driver Software.
3. Follow the instructions in the Update Driver Software Wizard.

Windows 8.1 also includes several enhancements to the upgrade experience, including a load driver
feature. If an upgrade is blocked because of incompatible or missing drivers that are required for the
system to start, you can use this feature to load a new or updated driver from the Compatibility Report
and continue with the upgrade.

Managing Signed Drivers


Because device drivers run with kernel-level privileges and can access anything on a computer, it is
critical to trust installed device drivers. Trust, in this context, includes two main principles:

• Authenticity. A guarantee that the package came from its claimed source.
• Integrity. An assurance that the package is intact and has not been modified after its release.

Administrators and end users who install Windows-based software can use digital signatures to verify
that a legitimate publisher provided the software package. A signature is an electronic security mark that
identifies the publisher and reveals whether anyone has changed the driver package's original contents.
If a publisher signs a driver, you can be confident that the driver comes from that publisher and has not
been altered since it was signed. Note what a signature does not tell you: that the driver is free of bugs
or exploitable flaws. A correctly signed driver with a known vulnerability is still a risk to the kernel.

A digital signature is produced with the private key that belongs to the publisher's digital certificate.
The signed data includes a thumbprint (hash) of each file in the package, generated by a cryptographic
hash algorithm that produces a value only that file's exact contents can create; changing a single bit in
the file changes the thumbprint. The per-file thumbprints are collected into a catalog (.cat) file, and the
publisher signs the catalog. Anyone who holds the certificate's public key can then verify that signature,
recompute the file hashes, and compare them with the catalog, without needing any secret of the
publisher's. Signing is sometimes loosely described as encrypting the hash with the private key; the
operation is a signature, which provides integrity and authenticity, not confidentiality.
Note: 64-bit versions of Windows 8.1 require that all kernel-mode drivers be digitally signed, and the
kernel's code integrity check validates that signature at load time; a self-signed or test certificate is
accepted only when test-signing mode is enabled, which Windows advertises with a desktop watermark.

If your organization has a Software Publishing Certificate, you can use it to add your own digital
signature to drivers that you have tested and that you trust. If you experience stability problems after you
install a new hardware device, an unsigned device driver might be the cause.

Note: To disable the enforcement of driver signatures for a single boot, access the Advanced Boot Options
menu and select Disable driver signature enforcement. The setting does not persist across restarts, and
while it is active the kernel loads any driver regardless of origin, so use it only on an isolated test
machine to diagnose a problem, never as a standing workaround for an unsigned driver. The next topic
describes the procedure for accessing the Advanced Boot Options menu.

Signature Verification Tool


You can use Sigverif.exe (File Signature Verification) to check whether unsigned device drivers are present
in the system area of a computer. Sigverif.exe writes the results of a scan to a log file (SIGVERIF.TXT in
the Windows folder, by default) that includes the system file, the signature file, and the signature file's
publisher. The log file lists any unsigned device drivers as unsigned. You then can choose whether to
remove the unsigned drivers.
To remove an unsigned device driver, follow this procedure:
1. Run sigverif to scan for unsigned drivers, and then review the resulting log file.
2. Create a temporary folder for the storage of unsigned drivers.
3. Manually move any unsigned drivers from %SystemRoot%\System32\Drivers into the temporary
   folder.
4. Disable or uninstall the associated hardware devices.
5. Restart the computer.

If this resolves the problem, try to obtain a signed driver from the hardware vendor, or replace the
hardware with a device that is compatible with Windows 8.1.

You can obtain a basic list of signed and unsigned device drivers at a command prompt by running the
driverquery command with the /si switch.
Note: Some hardware vendors use their own digital signatures, so drivers can have a valid digital
signature even if Microsoft has not tested them. The Sigverif report lists the vendor for each signed
driver. This can help you identify problem drivers that particular vendors issued.
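The following PowerShell script is an added example, not part of the course, that automates the audit described above by cross-checking three sources: driverquery /si, the Win32_PnPSignedDriver WMI class (which also reports the signer name, so the per-vendor review in the note can be done from one table), and Authenticode verification of every catalog in the driver store. It makes no assumptions beyond standard Windows 8.1 tooling; note the caveat in the first comment, which is why the script verifies .cat files rather than .sys files.

```powershell
# Added example (not from the course): unsigned-driver audit from three sources.
# Caveat: on Windows 8.1 (PowerShell 4) Get-AuthenticodeSignature does not
# consult catalogs, so running it directly on a .sys file reports most
# catalog-signed Microsoft drivers as 'NotSigned'. Verify the .cat files instead
# and let driverquery/WMI answer the per-driver question.

# 1. driverquery /si, parsed from CSV. IsSigned is the string 'TRUE' or 'FALSE'.
$dq = & driverquery.exe /si /fo csv | ConvertFrom-Csv
$dqUnsigned = $dq | Where-Object { $_.IsSigned -eq 'FALSE' } |
              Select-Object DeviceName, InfName, Manufacturer

# 2. WMI view of installed PnP drivers, including who signed each one.
$pnp = Get-WmiObject -Class Win32_PnPSignedDriver | Where-Object { $_.InfName }
$pnpUnsigned = $pnp | Where-Object { -not $_.IsSigned } |
               Select-Object DeviceName, DriverProviderName, DriverVersion, InfName

# Non-Microsoft signers, grouped: the vendors the note above says to review.
$signers = $pnp | Where-Object { $_.IsSigned -and $_.Signer -notmatch 'Microsoft' } |
           Group-Object -Property Signer | Sort-Object Count -Descending |
           Select-Object Count, @{ n = 'Signer'; e = { $_.Name } }

# 3. Every catalog in the driver store, verified with Authenticode. Anything
#    that is not 'Valid' here was either never signed or has been tampered with.
$repo = Join-Path $env:SystemRoot 'System32\DriverStore\FileRepository'
$badCatalogs = Get-ChildItem -Path $repo -Filter *.cat -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
    Where-Object { $_.Status -ne 'Valid' } |
    Select-Object Path, Status, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }

'--- driverquery /si: unsigned ---';           $dqUnsigned  | Format-Table -AutoSize
'--- Win32_PnPSignedDriver: unsigned ---';     $pnpUnsigned | Format-Table -AutoSize
'--- Third-party signers (count) ---';         $signers     | Format-Table -AutoSize
'--- Driver store catalogs not Valid ---';     $badCatalogs | Format-Table -AutoSize
```

Run it from an elevated prompt so that every subfolder of the driver store is readable. A driver that driverquery reports as signed but whose catalog fails verification is the case worth investigating first: it means the files on disk no longer match what was signed.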

Benefits of Signing and Staging Driver Packages

Because device driver software runs as a part of an operating system, it is critical that only known and
authorized device drivers are permitted to run. Signing and staging device driver packages on client
computers provide the following benefits:

• Improved security. You can allow standard users to install approved device drivers without
  compromising computer security or requiring help desk assistance.
• Reduced support costs. Users can install only devices that your organization has tested and is
  prepared to support. Therefore, you maintain the security of computers as you simultaneously reduce
  the demands on the help desk.
• Better user experience. A driver package that is staged in the driver store works automatically when
  the user plugs in a device. Alternatively, driver packages placed on a shared network folder can be
  discovered whenever the operating system detects a new hardware device. In both cases, the user is
  not prompted before installation.

Configuring the Certificate Store to Support an Unknown Certification Authority

On each computer, the Windows operating system maintains stores for digital certificates. As the
computer administrator, you can add certificates from publishers that you trust. If a driver package
arrives whose signing certificate is not found in the Trusted Publishers store, the Windows operating
system requires confirmation that the publisher is trusted. By placing the publisher's certificate in that
store, you inform the Windows operating system that packages signed by that certificate are trusted and
should install without a prompt.


You can use Group Policy to deploy certificates to client computers. By using Group Policy (Computer
Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Trusted Publishers), you can
install a certificate automatically on all managed computers in a domain, organizational unit, or site.
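The following PowerShell script is an added example, not part of the course, that performs the local version of this step: it pulls the publisher certificate out of a vetted driver package's catalog and places it in the machine's Trusted Publishers store, so that packages from that signer install without the confirmation prompt. The catalog path \\LON-DC1\Drivers\point64\point64.cat is an assumption. Import-Certificate and Export-Certificate are in the PKI module that ships with Windows 8.1; run the script elevated.

```powershell
# Added example (not from the course): trust the publisher of a vetted driver
# package on this machine. The catalog path is assumed.
$catalog = '\\LON-DC1\Drivers\point64\point64.cat'

$sig = Get-AuthenticodeSignature -FilePath $catalog
if ($sig.Status -ne 'Valid') {
    throw "Refusing: catalog signature status is $($sig.Status)"
}
# Look at who you are about to trust before doing it.
$sig.SignerCertificate | Select-Object Subject, Issuer, NotAfter, Thumbprint

# Export the leaf (publisher) certificate only. Never put an issuing CA in
# Trusted Publishers: that would silence the prompt for everything it signs.
$cer = Join-Path $env:TEMP 'driver-publisher.cer'
Export-Certificate -Cert $sig.SignerCertificate -FilePath $cer -Type CERT | Out-Null

Import-Certificate -FilePath $cer -CertStoreLocation Cert:\LocalMachine\TrustedPublisher | Out-Null

# If the publisher chains to a private CA, that CA's root must also be in
# Cert:\LocalMachine\Root, or the chain still fails to build:
# Import-Certificate -FilePath .\internal-root.cer -CertStoreLocation Cert:\LocalMachine\Root

# Confirm the thumbprint is present, then remove the temporary file.
Get-ChildItem -Path Cert:\LocalMachine\TrustedPublisher |
    Where-Object { $_.Thumbprint -eq $sig.SignerCertificate.Thumbprint } |
    Select-Object Subject, NotAfter, Thumbprint
Remove-Item -Path $cer
```

For a domain-wide rollout, import the same exported .cer file into the Trusted Publishers node of a Group Policy Object rather than running this on each client. Trusted Publishers is a strong statement: it applies to every package that certificate signs, including future ones, so record the thumbprint and expiry and review the entry when the certificate is renewed.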

Discussion: Options for Recovering from a Driver Issue


You can use driver rollback to recover from a device problem if your computer can start successfully,
using safe mode if necessary. This is most useful in cases where a device driver update has created a
problem. Driver rollback reconfigures a device to use a previously installed driver, overwriting the more
recent driver.
To roll back a driver, restart the computer, using safe mode if necessary. Accessing safe mode has
changed in Windows 8.1. Perform the following procedure to access safe mode:
1. Hold down the Shift key, and then press F8 during startup. This starts the recovery mode.
2. On the recovery page, click See advanced repair options, click Troubleshoot, and then click
   Advanced options.
3. From the Advanced options menu, click Windows Startup Settings, and then click Restart.
4. On the subsequent restart, you can access the Startup Settings menu (the Windows 8.1 replacement
   for the Advanced Boot Options menu). Select Safe Mode from the list.

Alternatively, you can use the Msconfig.exe tool to enable safe mode for the next restart from within
Windows 8.1.
Note: To ensure that the function keys operate properly in a virtual machine, use full-screen mode when
working in safe mode.
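The following PowerShell functions are an added example, not part of the course, showing the command-line equivalent of the Msconfig option above: they set and clear the safeboot entry in the BCD so that the next restart lands in safe mode without having to catch Shift+F8 on hardware that boots quickly. The function names are assumptions; bcdedit requires an elevated prompt.

```powershell
# Added example (not from the course): enter safe mode on the next restart via
# the boot configuration data, and clear the flag again afterwards.
function Set-SafeModeNextBoot {
    param([ValidateSet('minimal', 'network')][string]$Mode = 'minimal')
    # Braces must be quoted, or PowerShell parses {current} as a script block.
    & bcdedit.exe /set '{current}' safeboot $Mode | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'bcdedit failed; is this prompt elevated?' }
    # Return the line that proves the setting took, e.g. 'safeboot  Minimal'.
    (& bcdedit.exe /enum '{current}') -match '^safeboot'
}

function Clear-SafeModeNextBoot {
    # Run this after the rollback, or every restart lands in safe mode again.
    & bcdedit.exe /deletevalue '{current}' safeboot | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'bcdedit failed to clear safeboot' }
}

Set-SafeModeNextBoot -Mode minimal
# Restart-Computer
# ... perform the rollback in safe mode, then:
# Clear-SafeModeNextBoot
```

Use 'network' only when the rollback needs a share or domain access; 'minimal' loads the fewest drivers and is the safer diagnostic baseline.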
After you have started a computer successfully in safe mode, as an administrative user, follow this
procedure to roll back a device driver:
1. Open Device Manager.
2. Right-click the device to roll back, and then click Properties.
3. In the Properties dialog box, click the Driver tab, and then click Roll Back Driver.
4. In the Driver Package rollback dialog box, click Yes.

Note: Rolling back a driver can cause the loss of new functionality and can reintroduce problems that
the newer version addressed, including security fixes. Treat a rollback as a temporary measure while you
obtain a corrected driver.
Note: The Roll Back Driver button is available only if a previous version of the driver was installed. If
the current driver for the device is the only one that was ever installed on the computer, the Roll Back
Driver button is not available.

System Restore


In rare cases, after you install a device or update a driver for a device, a computer might not start. This
problem might occur in the following situations:

• The new device or driver conflicts with other drivers on the computer.
• A hardware-specific issue occurs.
• The installed driver is damaged.

Sometimes, performing a driver rollback is not sufficient to recover from a computer problem. If you are
unable to recover a computer by using a driver rollback, consider using System Restore.

You can use System Restore when you want to retain all new data and changes to existing files but still
return the system to a state from when it was running well. Windows 8.1 lets you return a computer to
the way it was at a previous point in time without deleting any personal files. System Restore is
reversible because an undo restore point is created before the restore operation completes. During the
restoration, a list appears that shows the applications and drivers that will be removed or added.
To restore a computer to a previous configuration by using System Restore, you can use:

• Safe mode.
• The Windows Recovery Environment.
• At the Start screen, type recovery in the Everywhere search box, select Recovery, and then select
  Open System Restore.

Last Known Good Configuration

Even the earliest versions of the Windows NT operating system provided the Last Known Good
Configuration startup option as a way of rolling a system back to a previous configuration. In
Windows 8.1, startup-related and device-related configuration information is stored in the registry
database, specifically in the HKLM\SYSTEM hive. Several control sets (ControlSet001, ControlSet002, and
so on) are stored beneath this hive, and the HKLM\SYSTEM\Select key holds numeric values named Current,
Default, LastKnownGood, and Failed that record which control set plays each role. CurrentControlSet is a
symbolic link to the control set that the Current value points to.
When you make a device configuration change to a computer, the change is stored in the
CurrentControlSet key in the appropriate registry folder and value. After you restart the computer and
sign in successfully, the Windows operating system copies the CurrentControlSet contents to the control
set that LastKnownGood references.
However, if you experience a startup problem after a device configuration change and never sign in,
the two control sets remain out of synchronization, and the LastKnownGood control set still contains the
previous, working configuration.

To use the Last Known Good Configuration startup option, restart the computer without signing in, and
then press F8 during the boot sequence to access the Advanced Boot Options menu. Select Last Known
Good Configuration (advanced) from the list. Windows 8.1 hides this legacy F8 menu by default in favor
of the Startup Settings screen, which does not offer Last Known Good; to make F8 work again, run
bcdedit /set {default} bootmenupolicy legacy from an elevated command prompt before you restart.
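The following PowerShell script is an added example, not part of the course, that makes the control-set mechanism above visible: it resolves the pointers in HKLM\SYSTEM\Select and then lists every Services entry (drivers and services alike) whose start type or image path differs between the current control set and the last known good one. It is read-only and assumes nothing beyond a standard Windows 8.1 registry; the function name is an assumption.

```powershell
# Added example (not from the course): show which control set plays each role,
# then diff driver/service entries between Current and LastKnownGood.
$select = Get-ItemProperty -Path 'HKLM:\SYSTEM\Select'

function Get-ControlSetPath([int]$Number) {
    'HKLM:\SYSTEM\ControlSet{0:D3}' -f $Number
}

foreach ($name in 'Current', 'Default', 'LastKnownGood', 'Failed') {
    $n = $select.$name
    $target = if ($n) { Get-ControlSetPath $n } else { '(none)' }
    '{0,-14} -> {1}' -f $name, $target
}

# A driver that is 'new since LKG', or whose image or start type changed, is
# the first suspect after a failed boot that followed a driver install.
$cur = Join-Path (Get-ControlSetPath $select.Current)       'Services'
$lkg = Join-Path (Get-ControlSetPath $select.LastKnownGood) 'Services'

$changes = foreach ($svc in Get-ChildItem -Path $cur) {
    $name = $svc.PSChildName
    $a = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
    $b = Get-ItemProperty -Path (Join-Path $lkg $name) -ErrorAction SilentlyContinue
    if (-not $b) {
        [pscustomobject]@{ Service = $name; Change = 'new since LKG'
                           Current = $a.ImagePath; LKG = $null }
    } elseif ($a.Start -ne $b.Start -or $a.ImagePath -ne $b.ImagePath) {
        [pscustomobject]@{ Service = $name; Change = 'modified'
                           Current = "Start=$($a.Start) $($a.ImagePath)"
                           LKG     = "Start=$($b.Start) $($b.ImagePath)" }
    }
}
$changes | Format-Table -AutoSize
```

On a machine that has just completed a successful sign-in the diff is normally empty, because the two sets were synchronized at that point; run it from safe mode after a failed normal boot and the output is the list of what Last Known Good would revert.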

If you have a hardware problem, the cause could be the hardware or a device driver. Fortunately, the
process to update device drivers to newer versions is straightforward. Alternatively, you can roll back
device drivers to older versions or reinstall them. Troubleshooting hardware problems often starts with
troubleshooting device drivers. To identify a device driver problem, answer the following questions:

• Did you recently upgrade a device driver or other software related to the hardware? If so, roll back
  the device driver to the previous version.
• Are you experiencing occasional problems, or is the device not compatible with the current version of
  the Windows operating system? If so, upgrade the device driver.
• Did the hardware suddenly stop working? If so, upgrade the device driver. If that does not solve the
  problem, reinstall the device driver. If the problem continues, troubleshoot the hardware itself.

Demonstration: Managing Drivers

This demonstration shows how to update a device driver and then roll back that driver update. You also
will install a driver into the driver store. This demonstration requires two machine restarts.

Demonstration Steps
Update a device driver
1. If necessary, sign in to LON-CL2 as Adatum\Administrator.
2. Start Device Manager.
3. Expand Keyboards, and then update the Standard PS/2 Keyboard driver to the PC/AT Enhanced
   PS/2 Keyboard (101/102 Key) driver.
4. Restart the computer when prompted.

Roll back a device driver
1. Sign in to LON-CL2 as Adatum\Administrator.
2. Start Device Manager.
3. Expand Keyboards, and then roll back the PC/AT Enhanced PS/2 Keyboard (101/102 Key) driver.
4. Restart the computer when prompted.
5. Sign in to LON-CL2 as Adatum\Administrator.
6. Start Device Manager.
7. Verify that you have successfully rolled back to the Standard PS/2 Keyboard driver.
8. Close Device Manager.

Install a driver into the driver store
1. Open an elevated command prompt.
2. Type pnputil -a E:\Labfiles\Mod03\Intellipoint\ipoint\setup64\files\driver\point64\point64.inf,
   and then press Enter, to stage the driver in the driver store.
3. Check the list of staged OEM drivers by typing pnputil -e, and then pressing Enter.

When you have finished the demonstration, revert all virtual machines back to their initial state:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687D-LON-CL2, and then click Revert.
3. In the Revert Virtual Machines dialog box, click Revert.
4. Repeat steps 2 and 3 for 20687D-LON-DC1.


Question: If your computer does not start normally because of a device driver issue, what
options are there for performing a driver roll back?

Lab B: Configuring Device Drivers


Scenario


A. Datum recently purchased new laptop computers for the Sales department. The Sales manager has
reported an error with one of the laptop drivers that is causing problems. You have identified the issue
and determined that you need to install an updated driver. Also, you must ensure that members of the
Sales department are able to roll back the driver if it causes errors.

Objectives
After completing this lab, you will be able to:

• Install and configure a new driver.
• Manage device drivers.

Lab Setup
Estimated Time: 30 minutes
Virtual machines: 20687D-LON-DC1, 20687D-LON-CL2
User name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. Verify that the following virtual machines are running:
   o 20687D-LON-DC1
   o 20687D-LON-CL2

Exercise 1: Installing Device Drivers


Scenario

By default, standard users cannot install device drivers. When you know that certain Plug and Play devices
will be used in your environment, you can preload device drivers so that users can use the devices.
The main task for this exercise is as follows:
1. Install a device driver into the protected store.

Task 1: Install a device driver into the protected store
1. Sign in to LON-CL2 as Adatum\Administrator.
2. Open an elevated command prompt.
3. At the command prompt, type
   pnputil -a E:\Labfiles\Mod05\Intellipoint\ipoint\setup64\files\driver\point64\point64.inf,
   and then press Enter.
4. Check the list of staged OEM drivers by typing pnputil -e, and then pressing Enter.

Results: After completing this exercise, you should have installed a driver into the protected driver store.

Exercise 2: Managing Device Drivers


Scenario


Several A. Datum users in the Sales department would like to update a poorly performing wireless
network device driver on their new laptop computers. You have been asked to demonstrate to these users
how they update a device driver and also how they can roll back a device driver if the updated one does
not provide acceptable performance gains.
The main tasks for this exercise are as follows:
1. Install a device driver.
2. Roll back a device driver.

Task 1: Install a device driver
1. Start Device Manager.
2. Expand Keyboards, and then update the Standard PS/2 Keyboard driver to the PC/AT Enhanced
   PS/2 Keyboard (101/102 Key) driver.
3. Restart the computer when prompted.

Task 2: Roll back a device driver
1. Sign in to LON-CL2 as Adatum\Administrator.
2. Start Device Manager.
3. Expand Keyboards, and then roll back the PC/AT Enhanced PS/2 Keyboard (101/102 Key) driver.
4. Restart the computer when prompted.
5. Sign in to LON-CL2 as Adatum\Administrator.
6. Start Device Manager.
7. Verify that you have successfully rolled back to the Standard PS/2 Keyboard driver.
8. Close Device Manager.

Results: After completing this exercise, you should have installed and rolled back a device driver.

Prepare for the next module


When you have finished the lab, revert all virtual machines back to their initial state:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687D-LON-CL2, and then click Revert.
3. In the Revert Virtual Machines dialog box, click Revert.
4. Repeat steps 2 and 3 for 20687D-LON-DC1.

Module Review and Takeaways


Review Questions
Question: You are implementing 64-bit Windows 8.1 and need to partition the disk to
support 25 volumes, some of which will be larger than 2 terabytes (TB). Can you implement
this configuration by using a single hard disk?

Question: You have created a volume on a newly installed hard disk by using DiskPart. Now,
you want to continue using DiskPart to perform the following tasks:
   o Format the volume for NTFS.
   o Assign the next available drive letter.
   o Assign a volume label of sales-data.
What two commands must you use for these tasks?

Question: You recently upgraded to Windows 8.1 and are experiencing occasional problems
with the shortcut keys on your keyboard. Describe the first action you might take to
resolve the issue, and then list the steps to perform the action.

Common Issues and Troubleshooting Tips


Common Issue                                                        Troubleshooting Tip
Configuring disk quotas on multiple volumes
Exceeding the quota allowance
If you have a hardware problem, the hardware or a device driver
might be causing it. Troubleshooting hardware problems often
starts by troubleshooting device drivers.

Tools
The following table lists some of the tools that are available for managing hard disks and devices.

Tool: Defrag.exe
Used for: Performing disk defragmentation tasks from the command line.
Where to find it: Command prompt

Tool: Device Manager
Used for: Viewing and updating hardware settings and driver software for devices, such as internal hard
drives, disk drives, sound cards, video or graphics cards, memory, processors, and other internal computer
components.
Where to find it: Devmgmt.msc, or embedded in Computer Management

Tool: Windows 8.1 device apps
Used for: Helping users interact with devices and use the full functionality of devices.
Where to find it: Start screen or taskbar

Tool: Devices and Printers
Used for: Providing users a single location to find and manage all the devices that are connected to their
Windows 8.1-based computers. Also provides quick access to device status, product information, and key
functions such as faxing and scanning to enhance and simplify the customer experience with a
Windows 8.1-connected device.
Where to find it: Control Panel

Tool: The Optimize Drives tool
Used for: Rearranging fragmented data so that disks and drives can work more efficiently.
Where to find it: In File Explorer, right-click a volume, click Properties, click the Tools tab, and then click
Optimize.

Tool: Disk Management
Used for: Managing disks and volumes, both basic and dynamic, locally or on remote computers.
Where to find it: Diskmgmt.msc

Tool: DiskPart
Used for: Managing disks, volumes, and partitions from the command line or from the Windows
Preinstallation Environment.
Where to find it: At a command prompt, type DiskPart.

Tool: Fsutil.exe
Used for: Performing tasks that relate to FAT and NTFS, such as managing reparse points, managing sparse
files, or dismounting a volume.
Where to find it: Elevated command prompt

Tool: Pnputil.exe
Used for: Adding drivers to and managing drivers in the protected device store.
Where to find it: Elevated command prompt


Module 6
Configuring Network Connectivity
Contents:
Module Overview                                              6-1
Lesson 1: Configuring IPv4 Network Connectivity              6-2
Lesson 2: Configuring IPv6 Network Connectivity              6-9
Lesson 3: Implementing Automatic IP Address Allocation       6-14
Lab A: Configuring a Network Connection                      6-21
Lesson 4: Implementing Name Resolution                       6-25
Lab B: Resolving Network Connectivity Issues                 6-31
Lesson 5: Implementing Wireless Network Connectivity         6-34
Module Review and Takeaways                                  6-40

Module Overview

Network connectivity is essential in today's business environment. An increasing number of computer
users want to connect their computers to a network. These users might be part of a business network
infrastructure or a home office, or they might need to share files and access the Internet.

The Windows 8.1 operating system provides enhanced networking functionality compared with
earlier Windows client operating systems, and it provides support for newer technologies. By default,
Windows 8.1 implements both TCP/Internet Protocol version 4 (IPv4) and TCP/Internet Protocol version 6
(IPv6). Understanding IPv4, IPv6, and the operating system's access capabilities will help you configure
and troubleshoot Windows 8.1 networking features.

Objectives
After completing this module, you will be able to:

• Describe how to configure IPv4 network connectivity.

• Describe how to configure IPv6 network connectivity.

• Implement automatic IP address allocation.

• Implement name resolution.

• Implement wireless network connectivity.

Lesson 1
Configuring IPv4 Network Connectivity

IPv4 uses a specific addressing scheme and name-resolution mechanism to transmit data between
connected nodes. To connect and configure computers that are running Windows 8.1 to a network, you
must understand the concepts of the IPv4 addressing scheme.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe the use of IPv4 in network connectivity.

• Describe how to define network identifications (IDs) with subnet masks.

• Describe the purpose of the default gateway.

• Describe public and private IPv4 addresses.

• Configure a network connection with an IPv4 address.

• Describe how to verify IPv4 network connectivity.

Network Connectivity Using IPv4


To troubleshoot network connectivity problems, you must be familiar with IPv4 addresses and how they
work. Communication between computers can happen only if they can identify each other on the
network. When you assign a unique IPv4 address to each networked computer, the IPv4 address identifies
the computer to the other computers on the network. That IPv4 address, combined with the subnet mask,
also identifies the computer's location on the network, much like the combination of a number and a
street name identifies the location of a house.

Overview of Connecting With Another Network Host

In a typical situation, communication starts with a request to connect to another host by its computer
name. However, to communicate, the requesting host needs to know the media access control (MAC)
address of the receiving host's network interface. Conversely, the receiving host needs to know the
sender's MAC address. Once the requesting host discovers the MAC information, it caches it locally. A
MAC address is a hard-coded, unique identifier assigned to network interfaces by the manufacturers of
network adapters. Before the requesting host can find the receiving host's MAC address, a number of
steps occur. A high-level overview of these steps is:
1. A request is sent from a host to connect to Server1.
2. The name Server1 must be resolved to an IPv4 address. There are a number of methods to
   accomplish this.
3. Once the sender knows the recipient's IPv4 address, it determines whether the IPv4 address is remote
   or on the local subnet. The subnet mask is used for this purpose.
4. If local, an Address Resolution Protocol (ARP) request is broadcast on the local subnet. If it is remote,
   an ARP request is sent to the default gateway. It then is routed to the correct subnet.
5. The host that owns that IPv4 address will respond with its MAC address and a request for the sender's
   MAC address.
6. Once the exchange of MAC addresses completes, IPv4 communication negotiation and the exchange
   of IP data packets can occur.

Components of an IPv4 Address


IPv4 uses 32-bit addresses. If you view the address in its binary format, it has 32 binary digits, as the
following example shows:
11000000101010000000000111001000

IPv4 divides the address into four octets, as the following example shows:
11000000.10101000.00000001.11001000

To make IP addresses more readable, each octet of the binary address is typically shown as a decimal
number, as the following example shows:
192.168.1.200

In conjunction with a subnet mask, the address identifies:

• The computer's unique identity, which is the host ID.

• The subnet on which the computer resides, which is the network ID.

This enables a networked computer to communicate with other networked computers in a routed
environment.

IPv4 Address Classes

The Internet Assigned Numbers Authority (IANA) organizes IPv4 addresses into classes, and a network's
number of hosts determines the required class of addresses. Class A through Class E are the names that
IANA has specified for IPv4 address classes.

Classes A, B, and C are IP addresses that you can assign to host computers as unique IP addresses, whereas
you can use Class D for multicasting. Additionally, IANA reserves Class E for experimental use.

Defining Network IDs by Using Subnet Masks


A subnet mask specifies which parts of an IPv4 address are the network ID and which are the host ID. A
subnet mask has four octets, similar to an IPv4 address.

Simple IPv4 Networks

In simple IPv4 networks, the subnet mask defines full octets as part of the network and host IDs. A 255
represents an octet that is part of the network ID, and a 0 represents an octet that is part of the host ID.
Class A, B, and C networks use default subnet masks. The following table lists the characteristics of each
IP address class.
Class   First octet   Default subnet mask   Number of networks   Number of hosts per network
A       1 to 127      255.0.0.0             126                  16,777,214
B       128 to 191    255.255.0.0           16,384               65,534
C       192 to 223    255.255.255.0         2,097,152            254

Complex IPv4 Networks

In complex networks, subnet masks might not be simple combinations of 255 and 0. Rather, you might
subdivide one octet, with some of its bits assigned to the network ID and some to the host ID. When the
network ID does not end on an octet boundary, this is classless addressing, or Classless Interdomain
Routing (CIDR). You use either more or less than a whole octet, and this type of subnetting uses a different
notation, which the following example shows:
172.16.16.1/255.255.240.0

The following example shows the more common representation of classless IPv4 addressing:
172.16.16.1/20

The /20 represents how many leftmost bits of the mask are set to 1. This notation style is called CIDR
notation. This subnet mask in binary notation would look like this:
11111111.11111111.11110000.00000000

The first 20 bits are set to 1 and indicate the subnet ID, and the last 12 zero placeholders represent how
many bits are used to identify the host.
Planning Supernetting and Classless Interdomain Routing (CIDR)
http://go.microsoft.com/fwlink/?LinkId=154437&clcid=0x409
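As an added example (not from the course), the following Python script carries out the subnet arithmetic described above with the standard-library ipaddress module: converting between /N prefixes and dotted masks, splitting an address into network ID and host ID, sizing a subnet from the class table, and the local-versus-remote decision a host makes before it sends a packet (step 3 of the connection overview). The addresses used are the text's own 172.16.16.1/20 and 192.168.1.200 plus constructed ones.

```python
"""Subnet-mask and CIDR arithmetic for IPv4, as an added example.

Not from the course; it uses the standard-library ipaddress module to do the
calculations the text describes. The addresses are the text's own examples
plus constructed ones.
"""
import ipaddress
from typing import Dict, Union

IPv4 = Union[str, ipaddress.IPv4Address]


def mask_from_prefix(prefix_len: int) -> str:
    """/20 -> 255.255.240.0 (the leftmost prefix_len bits set to 1)."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)


def prefix_from_mask(mask: str) -> int:
    """255.255.240.0 -> 20."""
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen


def to_binary(dotted: str) -> str:
    """192.168.1.200 -> 11000000.10101000.00000001.11001000."""
    return ".".join(f"{int(octet):08b}" for octet in dotted.split("."))


def address_class(address: IPv4) -> str:
    """Classful letter (A-E) from the first octet, per the class table."""
    first = int(str(address).split(".")[0])
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D"  # multicast
    return "E"      # experimental


def describe(address_with_mask: str) -> Dict[str, Union[str, int]]:
    """Split '172.16.16.1/20' or '172.16.16.1/255.255.240.0' into its parts."""
    iface = ipaddress.IPv4Interface(address_with_mask)
    net = iface.network
    host_bits = 32 - net.prefixlen
    return {
        "address": str(iface.ip),
        "class": address_class(iface.ip),
        "prefix_length": net.prefixlen,
        "mask": str(net.netmask),
        "mask_binary": to_binary(str(net.netmask)),
        "network_id": str(net.network_address),
        # host ID = the address bits not covered by the mask, as an integer
        "host_id": int(iface.ip) & int(net.hostmask),
        "host_bits": host_bits,
        # the network and broadcast addresses are not assignable to hosts
        "usable_hosts": max(net.num_addresses - 2, 0),
    }


def same_subnet(local_address: str, mask: str, remote_address: str) -> bool:
    """True when remote_address falls inside the local host's subnet, so the
    local host ARPs for it directly instead of for the default gateway."""
    local_net = ipaddress.IPv4Interface(f"{local_address}/{mask}").network
    return ipaddress.IPv4Address(remote_address) in local_net


if __name__ == "__main__":
    for key, value in describe("172.16.16.1/20").items():
        print(f"{key:14s} {value}")
    print("172.16.31.254 local?", same_subnet("172.16.16.1", "255.255.240.0", "172.16.31.254"))
    print("172.16.32.1 local?  ", same_subnet("172.16.16.1", "255.255.240.0", "172.16.32.1"))
```

Both notations from the text are accepted by describe(), so you can paste an address/mask pair straight from an ipconfig listing and see which host it would reach directly and which it would hand to the default gateway.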

What Is a Subnet?

A subnet is a network segment, and single or multiple routers separate the subnet from the rest of the
network. When your Internet service provider (ISP) assigns a network to a Class A, B, or C address range,
you often must subdivide the range to match the network's physical layout. Subdividing enables you to
break a large network into smaller, logical subnets.

When you subdivide a network into subnets, you must create a unique ID for each subnet, which you
derive from the main network ID. To create subnets, you must allocate some of the bits in the host ID to
the network ID. By doing so, you can create more networks.
By using subnets, you can:

• Use a single Class A, B, or C network across multiple physical locations.

• Reduce network congestion by segmenting traffic and reducing broadcasts on each segment.

• Overcome the limitations of current technologies, such as exceeding the maximum number of hosts
  that each segment can have.

Configuring Connectivity to Other Subnets


A default gateway is a device on a TCP/IP internetwork, usually a router, which forwards IP packets to
other subnets. A router connects groups of subnets to create an intranet. In an intranet, any given subnet
might have several routers that connect it to other local and remote subnets. You must configure one of
the routers as the default gateway for local hosts so that the local hosts can communicate with hosts on
remote networks.

When a host delivers an IPv4 packet, it performs an internal calculation by using the subnet mask to
determine whether the destination host is on the same network or on a remote network. If the
destination host is on the same network, the local host delivers the packet. If the destination host is on a
different network, the host transmits the packet to a router for delivery.

Note: The host determines the MAC address of the router for delivery, and the initiating
host addresses the router explicitly, at the media access layer.

When a host on the network uses IPv4 to transmit a packet to a destination subnet, IPv4 consults
the internal routing table to determine the appropriate router to ensure that the packet reaches the
destination subnet. If the routing table does not contain any routing information about the destination
subnet, IPv4 forwards the packet to the default gateway. The host assumes that the default gateway
contains the required routing information.

In most cases, you can use a Dynamic Host Configuration Protocol (DHCP) server to assign the default
gateway automatically to a DHCP client. This is more straightforward than manually assigning a default
gateway on each host.

Public vs. Private IPv4 Addresses


Devices and hosts that connect directly to the
Internet require a public IPv4 address. However,
hosts and devices that do not connect directly to
the Internet do not require a public IPv4 address.

Public IPv4 Addresses


Public IPv4 addresses, which IANA assigns, must
be unique. Usually, your ISP allocates you one or
more public addresses from its address pool. The
number of addresses that your ISP allocates to
you depends upon how many devices and hosts
that you have to connect to the Internet.

Private IPv4 Addresses


The pool of IPv4 addresses is becoming smaller, so IANA is reluctant to allocate superfluous IPv4
addresses. Technologies such as network address translation (NAT) enable administrators to use a
relatively small number of public IPv4 addresses, and at the same time, enable local hosts to connect to
remote hosts and services on the Internet.
IANA defines the following address ranges as private. Internet-based routers do not forward packets
originating from, or destined to, these ranges.
Class   Mask             Range
A       10.0.0.0/8       10.0.0.0 - 10.255.255.255
B       172.16.0.0/12    172.16.0.0 - 172.31.255.255
C       192.168.0.0/16   192.168.0.0 - 192.168.255.255

In today's network environments, it is most common for organizations to have one or more public,
routable IP addresses from an ISP assigned to the external interfaces of their firewall appliance.
Additionally, they use the designated private IP subnets internally.
Note: Request For Comments (RFC) 3330 defines these private address ranges.
Question: Which of the following is not a private IP address?
a. 171.16.16.254
b. 192.16.18.5
c. 192.168.1.1
d. 10.255.255.254
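As an added example (not from the course), the following Python script checks addresses against the three private blocks in the table above, which is how you would work through the review question, and also verifies that a whole subnet you intend to assign internally lies inside one of those blocks rather than spilling into public space. The subnets tested at the bottom are constructed.

```python
"""Public-versus-private classification of IPv4 addresses, as an added example.

Not from the course. The three private blocks are the ones in the table above
(RFC 1918, which the course cites through RFC 3330); everything outside them
is reported as not private.
"""
import ipaddress
from typing import Dict, Iterable, Optional

# Private ranges from the table, keyed by their classful letter.
PRIVATE_BLOCKS = {
    "A": ipaddress.IPv4Network("10.0.0.0/8"),
    "B": ipaddress.IPv4Network("172.16.0.0/12"),
    "C": ipaddress.IPv4Network("192.168.0.0/16"),
}


def private_block_of(address: str) -> Optional[str]:
    """Return 'A', 'B' or 'C' for the private block containing the address, else None."""
    ip = ipaddress.IPv4Address(address)
    for letter, block in PRIVATE_BLOCKS.items():
        if ip in block:
            return letter
    return None


def is_private(address: str) -> bool:
    return private_block_of(address) is not None


def classify(addresses: Iterable[str]) -> Dict[str, str]:
    """Label each address 'private (block X)' or 'not private'."""
    result = {}
    for address in addresses:
        letter = private_block_of(address)
        result[address] = f"private (block {letter})" if letter else "not private"
    return result


def subnet_is_private(cidr: str) -> bool:
    """True only if every address in the subnet falls inside one private block,
    which is what you want to confirm before assigning that subnet internally.
    A /11 that starts at 172.16.0.0 is not private: its upper half is public."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return any(net.subnet_of(block) for block in PRIVATE_BLOCKS.values())


if __name__ == "__main__":
    # The four candidates from the review question above.
    for address, label in classify(["171.16.16.254", "192.16.18.5",
                                    "192.168.1.1", "10.255.255.254"]).items():
        print(f"{address:16s} {label}")
    print("172.16.16.0/20 private?", subnet_is_private("172.16.16.0/20"))
    print("172.32.0.0/16 private? ", subnet_is_private("172.32.0.0/16"))
```

The subnet check matters in practice because 172.16.0.0/12 and 192.168.0.0/16 are easy to misremember as 172.0.0.0/8 or 192.0.0.0/8; an internal range that overlaps public space will be routed onto the Internet by any router that is not explicitly told otherwise.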

Demonstration: Configuring an IPv4 Address

You can configure IPv4 settings on a Windows 8.1 computer by using the Network and Sharing Center,
the Netsh command-line tool, or the Windows PowerShell command-line interface.
To configure IPv4 by using Netsh, you can use the following example:
Netsh interface ipv4 set address name="Local Area Connection" source=static
addr=172.16.16.3 mask=255.255.255.0 gateway=172.16.16.1

The following table describes some of the Windows PowerShell cmdlets that you can use to view and
configure IPv4 settings.
Cmdlet                        Description of IPv4 configuration uses
Set-NetIPAddress              Modifies an existing IP address and sets the subnet mask
Set-NetIPInterface            Enables or disables DHCP for an interface
Set-NetRoute                  Modifies routing table entries, including the default gateway (0.0.0.0)
Set-DnsClientServerAddress    Configures the Domain Name System (DNS) server that is used for an interface

Demonstration

This demonstration shows how to configure an IPv4 address manually by using the Network and Sharing
Center.

Demonstration Steps
View the current network connection configuration
1. Sign in to LON-CL1 as administrator.
2. Open a Command Prompt window, and then use ipconfig /all to view the current IPv4 configuration.
   This displays the configuration for all network connections on the computer.

View the IPv4 configuration
1. In Network and Sharing Center, view the Ethernet Status. This window shows the same configuration
   information for this adapter as the IPConfig command.
2. View the IPv4 configuration for Ethernet. You can configure the IP address, subnet mask, default
   gateway, and DNS servers in this window.
3. View the Advanced settings. In the Advanced TCP/IP Settings window, you can configure additional
   settings, such as additional IP addresses, DNS settings, and Windows Internet Name Service
   (WINS) servers for NetBIOS name resolution.
Question: When might you need to change a computer's IPv4 address?

Verifying IPv4 Network Connectivity


One of the first steps in troubleshooting connection issues is verifying connectivity at the IPv4 level. One
scenario for which you would troubleshoot is if a user cannot connect to the Internet or shared network
drives. You should ensure that basic IPv4 connectivity exists between the client computer and the network
resource. There are a number of tools that you can use to verify IPv4 connectivity, including:

• IPConfig

• Ping

• Tracert

• Windows PowerShell cmdlets

IPConfig

IPConfig is a command-line tool that is used to display basic IPv4 configurations. IPConfig supports a
number of parameters including:

• All. Displays all the TCP/IP configuration information for all network adapters.

• Release. Sends a DHCPRELEASE message to the DHCP server, which will release the current DHCP
  configuration of all network adapters or a specific network adapter.

• Renew. Renews the DHCP configuration for all network adapters or a specific network adapter that
  are configured to use DHCP.


When you run IPConfig without any parameters, it will display the current IP address, subnet mask, and
default gateway.

Ping
Ping is a command-line tool used to verify connectivity to another computer by sending four Internet
Control Message Protocol (ICMP) Echo Request messages. The receiving computer will respond with a
reply to each request along with the round-trip time of the packets. Ping has a number of parameters
including:

• -t. Specifies that ping continues sending echo request messages to the destination until interrupted
  by pressing CTRL+BREAK.

• -a. Specifies that reverse name resolution is performed on the destination IP address. If this is
  successful, ping displays the corresponding host name.

Note: Most Internet sites and firewalls block ICMP traffic. This makes the Ping tool less
useful outside of your own local area network (LAN).

Tracert

Tracert is a command-line tool used to display the routing path and measure the delays of packets while
in transit. This can help determine incorrect entries in routing tables that are affecting the routing of IP
traffic.

Windows PowerShell Cmdlets

There are many cmdlets available for the configuration and testing of IPv4. The following table describes
some of the common cmdlets:
Cmdlet                 Description
Get-NetIPAddress       Gets information about IP address configuration.
Get-NetIPv4Protocol    Gets information about the IPv4 Protocol configuration.
Get-NetRoute           Gets the IP routing table.
New-NetIPAddress       Creates an IP address and the configuration properties of that IP address.
New-NetRoute           Creates an entry in the IP routing table.
Remove-NetIPAddress    Deletes an IP address and the configuration properties of that IP address.
Remove-NetRoute        Deletes an entry or entries (IP routes) from the IP routing table.
Set-NetIPAddress       Modifies IP address configuration properties of an existing IP address.
Set-NetRoute           Modifies an entry or entries in the IP routing table.
Test-Connection        Runs connectivity tests similar to those used by the ping command.

Lesson 2
Configuring IPv6 Network Connectivity

Though most networks to which you connect Windows 8.1-based computers currently provide IPv4
support, many also support IPv6. To connect computers that are running Windows 8.1 to IPv6-based
networks, you must understand the IPv6 addressing scheme and the differences between IPv4 and IPv6.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe the benefits of implementing IPv6.

• Describe how Windows 8.1 supports IPv6.

• Describe IPv6 addresses.

• Describe the connection process by using IPv6.

Benefits of Implementing IPv6


The IPv6 protocol provides the following benefits:

• Large address space. A 32-bit address space can have 2^32 or 4,294,967,296 possible addresses; and a
  128-bit address space can have 2^128 or 340,282,366,920,938,463,463,374,607,431,768,211,456 (or
  3.4x10^38 or 340 undecillion) possible addresses.

• Hierarchical addressing and routing infrastructure. The IPv6 address space is more efficient for
  routers, which means that even though there are many more addresses, routers can process data much
  more efficiently because of address optimization.

• Stateless and stateful address configuration. IPv6 has autoconfiguration capability without DHCP,
  and it can discover router information so that hosts can access the Internet. This is a stateless address
  configuration. A stateful address configuration is when you use the DHCP version 6 (DHCPv6) protocol.
  Stateful configuration has two additional configuration levels: one in which DHCP provides all the
  information, including the IP address and configuration settings, and another in which DHCP provides
  just configuration settings.

• Required support for Internet Protocol security (IPsec). The IPv6 standards require support for the
  Authentication Header (AH) and Encapsulating Security Payload (ESP) headers that IPsec defines.
  Although IPsec does not define support for its specific authentication methods and cryptographic
  algorithms, IPsec is defined from the start as the way to protect IPv6 packets.

  Note: IPsec provides for authentication and optionally, encryption for communications
  between hosts.

• Restored end-to-end communication. The global addressing model for IPv6 traffic means that
  translation between different types of addresses is not necessary, such as the translation done by
  NAT devices for IPv4 traffic. This simplifies communication because you do not need to use NAT
  devices for peer-to-peer applications, such as video conferencing.

• Prioritized delivery. IPv6 contains a field in the packet that lets network devices determine that
  the packet processing should occur at a rate that you specify. This enables traffic prioritization. For
  example, when you are streaming video traffic, it is critical that the packets arrive in a timely manner.
  You can set this field to ensure that network devices determine that the packet delivery is time-sensitive.

• Support for single-subnet environments. IPv6 has much better support of automatic configuration
  and operation on networks consisting of a single subnet. You can use this to create temporary,
  ad-hoc networks through which you can connect and share information.

• Extensibility. The design of IPv6 enables you to extend it with less constraint than IPv4.
TCP/IP v4 and v6
http://go.microsoft.com/fwlink/?LinkId=154442&clcid=0x409

IPv6 in Windows 8.1


Windows 8.1 uses IPv6 by default, and includes several features that support IPv6.

Windows 8.1 Dual Stack

Windows 8.1 supports both IPv6 and IPv4 in a dual stack configuration. The dual IP stack provides a
shared transport and framing layer, shared filtering for firewalls and IPsec, and consistent performance,
security, and support for both IPv6 and IPv4. These features help reduce maintenance costs. When you
connect to a new network that advertises IPv6 routability, Windows 8.1 tests IPv6 connectivity, and it will
only use IPv6 if IPv6 connectivity is actually functioning. Windows 8.1 also supports a functionality called
address sorting. This functionality helps the Windows 8.1 operating system determine which protocol to
use when an application supports both IPv4 and IPv6 and addresses are configured for both protocol
stacks.

DirectAccess Use of IPv6

DirectAccess enables remote users to access a corporate network anytime they have an Internet
connection because it does not require a virtual private network (VPN). DirectAccess provides a flexible
corporate network infrastructure to help you remotely manage and update user PCs on and off a network.
DirectAccess makes the end-user experience of accessing corporate resources over an Internet connection
nearly indistinguishable from the experience of accessing these resources from a computer at work.
DirectAccess uses IPv6 to provide globally routable IP addresses for remote access clients.

Windows Services Can Use IPv6

Windows 8.1 services such as file sharing and remote access use IPv6 features, such as IPsec. This includes
VPN Reconnect, which uses Internet Key Exchange version 2, an authentication component of IPv6.
The Windows 8.1 operating system supports remote troubleshooting capabilities such as Windows
Remote Assistance and Remote Desktop. Remote Desktop enables administrators to connect to multiple
Windows Server sessions for remote administration purposes. You can use IPv6 addresses to make
remote desktop connections. Windows Remote Assistance and Remote Desktop use the Remote Desktop
Protocol to enable users to access files on their office computer from another computer, such as one
located at their home.

IPv6 Addresses
The most obvious, distinguishing feature of IPv6 is its use of much larger addresses. IPv4 addresses are
expressed in four groups of decimal numbers, such as 192.168.1.1. Each grouping of numbers represents
a binary octet. In binary, the preceding number is as follows:
11000000.10101000.00000001.00000001 (4 octets = 32 bits)

The size of an address in IPv6 is four times larger than an IPv4 address. IPv6 addresses are expressed in
hexadecimal, as the following example shows:
2001:DB8::2F3B:2AA:FF:FE28:9C5A

This might seem complex for end users, but the assumption is that users will rely on DNS names to resolve
hosts, meaning they rarely will type IPv6 addresses manually. The IPv6 address in hexadecimal also is
easier to convert to binary. This simplifies working with subnets and in calculating hosts and networks.

IPv6 Address Types


IPv6 address types are similar to IPv4 address types. The IPv6 address types are:

• Unicast. An IPv6 unicast address is equivalent to an IPv4 unicast address. You can use this address
  type for one-to-one communication between hosts. Each IPv6 host has multiple unicast addresses.
  There are three types of unicast addresses:
  o Global unicast addresses. These are equivalent to public IPv4 addresses. They are globally
    routable and reachable on the IPv6 portion of the Internet.
  o Link-local addresses. Hosts use link-local addresses when communicating with neighboring hosts
    on the same link. For example, on a single-link IPv6 network with no router, hosts communicate
    by using link-local addresses.
    Link-local addresses are local-use unicast addresses with the following properties:
    - IPv6 link-local addresses are equivalent to IPv4 Automatic Private IP Addressing (APIPA)
      addresses.
    - Link-local addresses always begin with FE80.
  o Unique local unicast addresses. Unique local addresses provide an equivalent to the private
    IPv4 address space for organizations, without the overlap in address space when organizations
    combine.

• Multicast. An IPv6 multicast address is equivalent to an IPv4 multicast address. You use this address
  type for one-to-many communication between computers that you define as using the same multicast
  address.

• Anycast. An anycast address is an IPv6 unicast address that is assigned to multiple computers. When
  a host sends to an anycast address, only the closest host responds. You typically use this address type
  for locating services or the nearest router.

In IPv4, you typically assign a single host with a single unicast address. However, in IPv6, you can assign
multiple unicast addresses to each host. To verify communication processes on a network, you must know
for what purposes IPv6 uses each of these addresses.

Interface Identifiers

The last 64-bits of an IPv6 address are the interface identifier. This is equivalent to the host ID in an IPv4
address. Each interface on an IPv6 network must have a unique interface identifier. Because the interface
identifier is unique to each interface, IPv6 uses interface identifiers rather than MAC addresses to identify
hosts uniquely.
IPv6 Address Types
http://go.microsoft.com/fwlink/?LinkId=154445&clcid=0x409
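As an added example (not from the course), the following Python script takes apart IPv6 addresses with the standard-library ipaddress module: it expands the compressed form, splits an address into its 64-bit prefix and 64-bit interface identifier, classifies it into the address types described above, and checks whether a destination shares the local link's prefix. It goes one step beyond the text by decoding the MAC address from an interface identifier built with the modified EUI-64 method (recognisable by the FF:FE marker in its middle); the course's example address 2001:DB8::2F3B:2AA:FF:FE28:9C5A has that shape. The other addresses are constructed.

```python
"""IPv6 address anatomy, as an added example (not from the course).

Uses the standard-library ipaddress module. Addresses other than the
course's example 2001:DB8::2F3B:2AA:FF:FE28:9C5A are constructed.
"""
import ipaddress
from typing import Optional, Tuple

GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")


def expand(address: str) -> str:
    """Write all eight 16-bit groups, e.g. 2001:DB8::1 -> 2001:0db8:0000:...:0001."""
    return ipaddress.IPv6Address(address).exploded


def split_prefix_and_interface_id(address: str) -> Tuple[str, str]:
    """(upper 64 bits, lower 64 bits) as 16-digit hex strings."""
    value = int(ipaddress.IPv6Address(address))
    prefix = value >> 64
    interface_id = value & ((1 << 64) - 1)
    return f"{prefix:016x}", f"{interface_id:016x}"


def address_type(address: str) -> str:
    """Classify by the address ranges IANA assigns to each type."""
    ip = ipaddress.IPv6Address(address)
    if ip.is_multicast:            # FF00::/8
        return "multicast"
    if ip.is_link_local:           # FE80::/10, the 'always begins with FE80' case
        return "link-local unicast"
    if ip in UNIQUE_LOCAL:         # FC00::/7, the private-space equivalent
        return "unique local unicast"
    if ip in GLOBAL_UNICAST:       # 2000::/3, routable on the IPv6 Internet
        return "global unicast"
    return "other"


def mac_from_eui64(interface_id_hex: str) -> Optional[str]:
    """Recover the MAC address from a modified EUI-64 interface identifier.

    Returns None when the identifier does not carry the FF:FE marker, which
    is the case for the random interface IDs Windows generates by default.
    """
    raw = bytes.fromhex(interface_id_hex)
    if len(raw) != 8 or raw[3:5] != b"\xff\xfe":
        return None
    first = raw[0] ^ 0x02          # undo the universal/local bit flip
    mac = bytes([first]) + raw[1:3] + raw[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def on_local_link(address: str, link_prefix: str) -> bool:
    """Does the destination share the link's prefix (so no router is needed)?"""
    return ipaddress.IPv6Address(address) in ipaddress.IPv6Network(link_prefix)


if __name__ == "__main__":
    sample = "2001:DB8::2F3B:2AA:FF:FE28:9C5A"   # the course's example address
    prefix, iid = split_prefix_and_interface_id(sample)
    print(expand(sample), address_type(sample))
    print("prefix:", prefix, "interface id:", iid, "mac:", mac_from_eui64(iid))
    print("on 2001:db8:0:2f3b::/64?", on_local_link(sample, "2001:db8:0:2f3b::/64"))
```

The EUI-64 decoder is the reason an interface identifier derived from a MAC address is a tracking concern: the same lower 64 bits follow the adapter onto every network it joins, which is why Windows defaults to random identifiers and why mac_from_eui64 returns None for them.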

Network Connectivity Using IPv6


The connection process for IPv6 is similar to IPv4, in that names must be resolved to addresses and MAC
addresses must be discovered. However, the underlying protocols and methods that IPv6 uses are
different.

Neighbor Discovery Protocol

The Neighbor Discovery protocol gathers and maintains information about routes and hosts on the local
link. It performs many of the tasks that ARP provides in IPv4, including those that the following table
describes.

Task: Router discovery
Description: IPv6 hosts can locate default routers on the link automatically by using the following two
ICMPv6 messages:
  o Router solicitation. When it is first coming online, an IPv6 host multicasts a router solicitation
    message.
  o Router advertisement. Each router on the active link that hears the solicitation message will respond
    with a router advertisement message that contains the address of the router.

Task: Prefix discovery
Description: Router advertisement messages carry IPv6 prefix information that represents which IPv6
prefixes are reachable on the local link. Because multiple prefixes might be available on the same link, a
router message might contain multiple prefixes. Once an IPv6 host is aware of which prefixes are
reachable on the local link, it can communicate directly with hosts on the local link without going
through the router.

Task: Address autoconfiguration
Description: IPv6 hosts can configure themselves with an address automatically based on the prefix
learned from the router prefix discovery. This allows the host to perform stateless configuration.

Task: Address resolution
Description: Address resolution functions much like router discovery. The ICMPv6 protocol uses two
message types:
  o Neighbor solicitation. The sender requests the MAC address of a neighbor node on the local link.
  o Neighbor advertisement. The recipient responds with its MAC address.

Task: Next-hop determination
Description: Next-hop determination is a process for using the local routing table to determine whether
to send the packet to a router, or send it on the local link. A routing table is present on each IPv6 host,
and it stores information about network prefixes and whether they can be reached directly or indirectly.

Task: Duplicate address detection
Description: When a host first comes online on the link, it broadcasts neighbor solicitation messages for
its own IPv6 address to determine if that address is already in use on the link. If the host receives a
response, it will know not to use that address.

The first step in establishing communication is still name resolution, as in IPv4. For example, if an IPv6 host wants to communicate with a host named Server1, it must first resolve that name to an IPv6 address. In DNS, host names map to IPv6 addresses by using AAAA resource records. When the DNS server returns the IPv6 address of the host, the prefix of the IPv6 address determines whether the destination host is local or remote. If the destination is on the local link, then the next-hop address is the direct address of the recipient on the local link. If the destination is not on the local link, then the next-hop address of the packet is the router.

How IPv6 Works: IPv6 Routing
http://go.microsoft.com/fwlink/?LinkId=378232&clcid=0x409
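The next-hop determination and neighbor cache lookup just described can be observed from Windows PowerShell. The function below is an added example, not part of the course material; it assumes the NetTCPIP and DnsClient modules that ship with Windows 8.1, and the host name Server1 and fallback address fe80::1 in the usage lines are placeholders.

```powershell
# Added example (not from the course): show how Windows picks the next hop for an IPv6
# destination and what the Neighbor Discovery cache already knows about that next hop.
# Assumes the NetTCPIP module (Find-NetRoute, Get-NetNeighbor) available on Windows 8.1.

function Get-NextHopReport {
    [CmdletBinding()]
    param(
        # Destination IPv6 address, typically the AAAA record returned by DNS.
        [Parameter(Mandatory = $true)]
        [string]$Destination
    )

    # Find-NetRoute returns two objects: the local source address that will be used
    # and the routing-table entry (longest matching prefix) selected for the destination.
    try {
        $result = Find-NetRoute -RemoteIPAddress $Destination -ErrorAction Stop
    }
    catch {
        return [pscustomobject]@{ Destination = $Destination; Reachable = $false; Reason = $_.Exception.Message }
    }
    $route  = $result | Where-Object { $null -ne $_.DestinationPrefix } | Select-Object -First 1
    $source = $result | Where-Object { $null -ne $_.IPAddress }        | Select-Object -First 1

    # A NextHop of :: (0.0.0.0 for IPv4) means the prefix is on-link: the packet is sent
    # straight to the destination's own link-layer address. Otherwise it goes to the router.
    $onLink          = $route.NextHop -in @('::', '0.0.0.0')
    $neighborAddress = if ($onLink) { $Destination } else { $route.NextHop }

    # The neighbor cache holds what neighbor solicitation / advertisement resolved.
    $neighbor = Get-NetNeighbor -IPAddress $neighborAddress -InterfaceIndex $route.InterfaceIndex `
                    -ErrorAction SilentlyContinue | Select-Object -First 1

    [pscustomobject]@{
        Destination      = $Destination
        Reachable        = $true
        SourceAddress    = $source.IPAddress
        Interface        = $route.InterfaceAlias
        MatchedPrefix    = $route.DestinationPrefix
        OnLink           = $onLink
        NextHop          = $neighborAddress
        LinkLayerAddress = if ($neighbor) { $neighbor.LinkLayerAddress } else { '(not yet resolved)' }
        NeighborState    = if ($neighbor) { $neighbor.State } else { $null }
    }
}

# Usage: resolve the name to an AAAA record first, as the lesson describes, then report.
# 'Server1' is the lesson's example host; fe80::1 is a placeholder used only if it does not resolve.
$aaaa = Resolve-DnsName -Name 'Server1' -Type AAAA -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'AAAA' } | Select-Object -First 1
$target = if ($aaaa) { $aaaa.IPAddress } else { 'fe80::1' }
Get-NextHopReport -Destination $target | Format-List
```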

Lesson 3

Implementing Automatic IP Address Allocation

Windows 8.1 enables both the IPv4 and IPv6 protocols to obtain configuration automatically. This means that you can efficiently deploy IP-based computers that are running Windows 8.1.

Lesson Objectives
After completing this lesson, you will be able to:

Describe the autoconfiguration process for IPv4.

Describe the autoconfiguration process for IPv6.

Configure a Windows 8.1 computer to obtain an IPv4 configuration automatically.

Describe how to troubleshoot and resolve IPv4 autoconfiguration problems.

Automatic IPv4 Configuration

It is important that you know how to assign static IP addresses manually and that you are able to support computers that use DHCP to assign IP addresses dynamically.

Static Configuration
You can configure static IPv4 settings manually for each of your network's computers. When you perform IPv4 configuration, you must configure the:

IPv4 address

Subnet mask

Default gateway

DNS server

Static configuration requires that you visit each computer and input the IPv4 configuration. This method of computer management is time-consuming if your network has more than 10 to 12 computers. Additionally, making a large number of manual configurations heightens the risk of mistakes.

DHCPv4

DHCPv4 enables you to assign IPv4 configurations automatically to a large number of computers without having to configure each one individually. The DHCP service receives requests for IPv4 configuration from computers that you configure to obtain an IPv4 address automatically. It then assigns IPv4 information from scopes that you define for each of your network's subnets. The DHCP service identifies the subnet from which the request originated and assigns IP configuration from the relevant scope.
DHCP helps simplify the IP configuration process, but you must be aware that if you use DHCP to assign IPv4 information and the service is business-critical, you must do the following:

Include resilience in your DHCP service design so that the failure of a single server does not prevent the service from functioning.

Configure the scopes on the DHCP server carefully. If you make a mistake, it can affect the whole network, and it can prevent communication.

IPv4 Alternate Configuration

If you use a laptop to connect to multiple networks, such as at work and at home, each network might
require a different IP configuration. Windows 8.1 supports the use of APIPA and an alternate static IP
address for this scenario.

When you configure Windows 8.1 computers to obtain IPv4 addresses from DHCP, use the Alternate
Configuration tab to control the behavior if a DHCP server is not available. By default, Windows 8.1
uses APIPA to assign itself an IP address automatically from the 169.254.0.0 to 169.254.255.255 address
range. This enables you to use a DHCP server at work and the APIPA address range at home without
reconfiguring IP settings. Additionally, this is useful for troubleshooting DHCP. If the computer has an
address from the APIPA range, it is an indication that the computer cannot communicate with a DHCP
server.

Automatic IPv6 Configuration

An IPv6 host can proceed through several states as it goes through the autoconfiguration process, and there are several ways to assign an IPv6 address and other configuration settings. Based on how the router is set up, a client might use a stateless configuration with no DHCPv6 service, or a stateful configuration with a DHCPv6 server involved, to either assign an IP address and other configuration settings, or just assign other configuration settings. The other configuration settings can include DNS servers and domain names.

Autoconfigured Address States


Autoconfigured addresses are in one or more of the following states:

Tentative. Verification occurs to determine if the address is unique. Duplicate address detection
performs verification by using Neighbor Discovery protocol. A node cannot receive unicast traffic to a
tentative address.

Valid. The address has been verified as unique, and can send and receive unicast traffic.

Preferred. The address enables a node to send and receive unicast traffic.

Deprecated. The address is valid but its use is discouraged for new communication.

Invalid. The address no longer allows a node to send or receive unicast traffic.

Types of Autoconfiguration
Types of autoconfiguration include:

Stateless. The receipt of router advertisement messages is the basis for address configuration.

Stateful. Configuration is based on the use of a stateful address configuration protocol, such as DHCPv6, to obtain addresses and other configuration options:
o A host uses stateful address configuration when it receives instructions to do so in router advertisement messages.
o A host also uses a stateful address configuration protocol when there are no routers present on the local link.

Both. The receipt of router advertisement messages and DHCPv6 is the basis for configuration.
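The address states and autoconfiguration types above map directly onto what Get-NetIPAddress and Get-NetIPInterface report on a Windows 8.1 host. The following is an added example, not code from the course; it assumes that the ManagedAddressConfiguration and OtherStatefulConfiguration properties of Get-NetIPInterface reflect the M and O flags learned from router advertisements.

```powershell
# Added example (not from the course): report, per connected IPv6 interface, which
# autoconfiguration type the router advertisements signalled and the state of each address.
# Assumes the NetTCPIP module; the M/O flags are read from Get-NetIPInterface.

function Get-IPv6AutoconfigReport {
    [CmdletBinding()]
    param(
        # By default only connected interfaces are reported.
        [switch]$IncludeDisconnected
    )

    $interfaces = Get-NetIPInterface -AddressFamily IPv6 |
        Where-Object { $IncludeDisconnected -or $_.ConnectionState -eq 'Connected' } |
        Where-Object { $_.InterfaceAlias -notmatch 'Loopback' }

    foreach ($iface in $interfaces) {
        # Map the M (managed) and O (other) flags to the three types the lesson describes.
        $mode = if ($iface.ManagedAddressConfiguration) {
                    'Stateful (DHCPv6 assigns the address and other settings)'
                } elseif ($iface.OtherStatefulConfiguration) {
                    'Both (address from router advertisement, other settings from DHCPv6)'
                } else {
                    'Stateless (router advertisement only)'
                }

        $addresses = Get-NetIPAddress -InterfaceIndex $iface.InterfaceIndex -AddressFamily IPv6 |
            ForEach-Object {
                [pscustomobject]@{
                    Address           = $_.IPAddress
                    AddressState      = $_.AddressState      # Tentative, Preferred, Deprecated, Invalid, Duplicate
                    PrefixOrigin      = $_.PrefixOrigin      # RouterAdvertisement, Dhcp, Manual, WellKnown
                    SuffixOrigin      = $_.SuffixOrigin      # Link, Random, Dhcp, Manual, WellKnown
                    PreferredLifetime = $_.PreferredLifetime # after this the address becomes Deprecated
                    ValidLifetime     = $_.ValidLifetime     # after this the address becomes Invalid
                }
            }

        [pscustomobject]@{
            Interface       = $iface.InterfaceAlias
            RouterDiscovery = $iface.RouterDiscovery
            DhcpEnabled     = $iface.Dhcp
            Mode            = $mode
            Addresses       = $addresses
        }
    }
}

# Flat view: one row per address, tagged with its interface's autoconfiguration type.
Get-IPv6AutoconfigReport | ForEach-Object {
    $row = $_
    $row.Addresses | Select-Object @{ n = 'Interface'; e = { $row.Interface } },
                                   @{ n = 'Mode';      e = { $row.Mode } },
                                   Address, AddressState, PrefixOrigin, SuffixOrigin, PreferredLifetime
} | Format-Table -AutoSize
```

A Tentative address is one still undergoing duplicate address detection; a Deprecated one has passed its preferred lifetime but remains usable for existing connections.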

Why Use Stateful Configuration?


By using stateful configuration, organizations can control how IPv6 addresses are assigned by using
DHCPv6.

If there are specific scope options that you need to configure, such as the IPv6 addresses of DNS servers,
then a DHCPv6 server is necessary.

Communication with DHCP Server

When an IPv6 host attempts to communicate with a DHCPv6 server, it uses multicast IPv6 addresses to do so. This is different from IPv4, which uses broadcast IPv4 addresses.
When a host obtains an IPv6 address from a DHCPv6 server, the following occurs:

The client sends a solicitation message to locate DHCPv6 servers.

The server sends an advertisement message to indicate that it offers IPv6 addresses and configuration options.

The client sends a request message to a specific DHCPv6 server to request configuration information.

The selected server sends a reply message to the client that contains the address and configuration settings.

When a client requests configuration information only, the following occurs:

The client sends an information-request message.

A DHCPv6 server sends a reply message to the client with the requested configuration settings.

Note: DHCPv6 is a service that provides stateful autoconfiguration of IPv6 hosts. It can configure IPv6 hosts automatically with an IPv6 address and other configuration information, such as DNS servers. This is equivalent to DHCPv4 for IPv4 networks.

Demonstration: Configuring a Windows 8.1 Computer to Obtain an IPv4 Configuration Automatically

This demonstration shows how to configure a Windows 8.1 computer to obtain an IPv4 address automatically.

Demonstration Steps
View the current IPv4 configuration

Sign in to LON-CL1 as administrator, and then verify the current IPv4 configuration by using the Windows PowerShell cmdlet Get-NetIPConfiguration -Detailed.

Reconfigure the IPv4 configuration

1. Open the Ethernet properties, and then view the IPv4 settings for the selected network connection.
2. Modify the connection to obtain an IPv4 configuration automatically.
3. Verify these changes.
4. When you have finished the demo, revert the virtual machines to their initial state.
   a. On the host computer, start Hyper-V Manager.
   b. In the Virtual Machines list, right-click 20687D-LON-CL1, and then click Revert.
   c. In the Revert Virtual Machine dialog box, click Revert.
   d. Repeat steps b and c for 20687D-LON-DC1.

Resolving Client-Side IPv4 Autoconfiguration Issues

IPConfig is the primary client-side DHCP troubleshooting tool.

Using IPConfig
If the computer is experiencing connectivity problems, you can use IPConfig to determine the computer's IP address. If the address is in the range 169.254.0.1 to 169.254.255.254, the computer is using an APIPA address. This might indicate a DHCP-related problem. From the client computer, open an elevated command prompt, and then use the IPConfig options in the following table to diagnose the problem.
Note: An elevated command prompt provides a context for running command-line tools and programs with administrative rights. To open an elevated command prompt, right-click the Command Prompt shortcut, and then click Run as administrator, providing administrative credentials if prompted.

/all. This option displays all IP address configuration information. If the computer uses DHCP, verify the DHCP Server value in the output. This indicates the server from which the client is attempting to obtain an address. Also, verify the Lease Obtained and Lease Expires values to determine when the client last obtained an address.

/release. It sometimes is necessary to force the computer to release its IP address; this option does that.

/renew. This option forces the client computer to renew its DHCP lease. This is useful when you think that the DHCP-related issue is resolved, and you want to obtain a new lease without restarting the computer.

/release6. The IPv6 version of the /release option.

/renew6. The IPv6 version of the /renew option.

Note: You can use the IPConfig /release6 and /renew6 options to perform these same tasks on IPv6-configured computers.
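The checks the IPConfig /all entry describes (DHCP server, lease times, APIPA range) can be scripted for every adapter at once. The following is an added example rather than course code; it assumes the Win32_NetworkAdapterConfiguration CIM class present on Windows 8.1, which carries the same DHCP server, lease and address values that ipconfig /all prints.

```powershell
# Added example (not from the course): a PowerShell version of reading ipconfig /all.
# For each IP-enabled adapter it reports whether DHCP is enabled, which server leased the
# address, the lease times, and whether an address falls in the APIPA range 169.254.0.0/16.

function Test-DhcpClientState {
    [CmdletBinding()]
    param()

    $adapters = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'

    foreach ($a in $adapters) {
        # IPAddress holds both IPv4 and IPv6 strings; keep the IPv4 ones.
        $ipv4  = @($a.IPAddress | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' })
        $apipa = @($ipv4 | Where-Object { $_ -like '169.254.*' })

        # Classify the adapter the way the table above tells you to read the ipconfig output.
        $diagnosis = if (-not $a.DHCPEnabled) {
                         'Static configuration (DHCP not enabled)'
                     } elseif ($apipa.Count -gt 0) {
                         'APIPA address: no DHCP server answered; check link, then ipconfig /renew'
                     } elseif ($ipv4.Count -eq 0) {
                         'No IPv4 address: check cable and adapter, then ipconfig /renew'
                     } elseif ($a.DHCPLeaseExpires -and $a.DHCPLeaseExpires -lt (Get-Date)) {
                         'Lease has expired: ipconfig /renew'
                     } else {
                         'Healthy DHCP lease'
                     }

        [pscustomobject]@{
            Adapter       = $a.Description
            DhcpEnabled   = $a.DHCPEnabled
            DhcpServer    = $a.DHCPServer        # the "DHCP Server" line of ipconfig /all
            IPv4Address   = ($ipv4 -join ', ')
            LeaseObtained = $a.DHCPLeaseObtained  # "Lease Obtained"
            LeaseExpires  = $a.DHCPLeaseExpires   # "Lease Expires"
            Diagnosis     = $diagnosis
        }
    }
}

Test-DhcpClientState | Format-List
```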

The following are some troubleshooting examples.

Problem: The DHCP client does not have an IP address configured or indicates that its IP address is 0.0.0.0.
Solution: Verify that the client computer has a valid and functioning network connection. First, check that related client hardware (cables and network adapters) is working properly at the client end by using basic network and hardware troubleshooting steps. If the client hardware appears to be prepared and functioning properly, check that the DHCP server is available on the network by pinging it from another computer on the same network as the affected DHCP client.

Problem: The DHCP client appears to have assigned itself an IP address automatically that is incorrect for the current network.
Solution: First, use the ping command to test connectivity from the client to the server. To force ping to use IPv6, use the -6 parameter. An example is the command ping -6 Server1.Adatum.com. Your next step is to either verify or manually attempt to renew the client lease. Depending on your network requirements, it might be necessary to disable IP autoconfiguration at the client. Before you make this decision, you should learn more about IP autoconfiguration and how it works.

Problem: The DHCP client appears to be missing some network configuration details or is unable to perform related tasks, such as resolving names.
Solution: For DHCP clients, verify that the most commonly used and supported options have been configured at the server, scope, client, or class level of options assignment.

Problem: The DHCP client appears to have incorrect or incomplete options, such as an incorrect or missing router (default gateway), configured for the subnet on which it is located.
Solution: Change the IP address list for the router (default gateway) option at the applicable DHCP scope and server. If you configure the router option as a Server Option at the affected DHCP server, remove it there and set the correct value in the Scope Options node for the applicable DHCP scope that services the client. In rare instances, you might have to configure the DHCP client to use a specialized list of routers that is different from other scope clients. In such cases, you can add a reservation and then configure the router option list specifically for the reserved client.

Problem: Many DHCP clients are unable to get IP addresses from the DHCP server.
Solution: A DHCP server can only service requests for a scope that has a network ID that is the same as the network ID of its IP address. Completing the following steps might correct this problem:
1. Configure a BOOTP/DHCP relay agent on the client subnet, that is, the same physical network segment. The relay agent can be located on:
   o The router itself
   o A computer that is running Microsoft Windows NT Server and the DHCP relay agent component
   o A computer that is running Windows 2000 Server with the Routing and Remote Access Service enabled and configured as a DHCP relay agent, or
   o A computer that is running a Windows Server 2003 operating system with the Routing and Remote Access Service enabled and configured as a DHCP relay agent.
2. At the DHCP server, do the following:
   o Configure a scope to match the network address on the other side of the router where the affected clients are located.
   o In the scope, make sure that the subnet mask is correct for the remote subnet.
   o Use a default gateway on the network connection of the DHCP server in such a way that it is not using the same IP address as the router that supports the remote subnet where the clients are located.
   o Do not include this scope, which is the one for the remote subnet, in superscopes configured for use on the same local subnet or segment where the DHCP server resides.
   o Make sure there is only one logical route between the DHCP server and the remote subnet clients.

Problem: Many DHCP clients are unable to get IP addresses from the DHCP server.
Solution: Ensure that you do not configure multiple DHCP servers on the same LAN with overlapping scopes. You might want to rule out the possibility that one of the DHCP servers in question is a computer that is running Small Business Server (SBS). On a computer that is running Windows SBS, the DHCP Server service automatically stops when it detects another DHCP server on the LAN.

Problem: The DHCP client appears to be affected by another problem not described previously.
Solution: Search the Microsoft website for updated technical information that might relate to the problem you observed. If necessary, you can obtain information and instructions that pertain to your current problem or issue.

Test a TCP/IP configuration by using the ping command
http://go.microsoft.com/fwlink/?LinkId=154455&clcid=0x409
Verify, release, or renew a client address lease
http://go.microsoft.com/fwlink/?LinkId=154456&clcid=0x409
Configure TCP/IP for automatic addressing
http://go.microsoft.com/fwlink/?LinkId=154457&clcid=0x409
Disable automatic address configuration
http://go.microsoft.com/fwlink/?LinkId=154458&clcid=0x409
Manage Options and classes
http://go.microsoft.com/fwlink/?LinkId=154459&clcid=0x409
Assigning options
http://go.microsoft.com/fwlink/?LinkId=154460&clcid=0x409
DHCP Best Practices
http://go.microsoft.com/fwlink/?LinkId=154465&clcid=0x409
Using superscopes
http://go.microsoft.com/fwlink/?LinkId=154466&clcid=0x409
Configuring scopes
http://go.microsoft.com/fwlink/?LinkId=154467&clcid=0x409


Lab A: Configuring a Network Connection

Scenario

A. Datum Corporation is introducing new laptop computers for some of its managers. You need to test how the IPv4 configuration will behave when the managers are away from the office and a DHCP server is unavailable.

Objectives
After completing this lab, you will be able to:

Enable automatic IPv4 configuration.

Configure IPv4 manually.

Lab Setup
Estimated Time: 30 minutes
Virtual machines: 20687D-LON-DC1 and 20687D-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687D-LON-DC1, and then in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in by using the following credentials:
   o User name: Adatum\Administrator
   o Password: Pa$$w0rd
5. Repeat steps 2 through 4 for 20687D-LON-CL1.

Exercise 1: Enabling Automatic IPv4 Configuration

Scenario

You need to determine how the Windows 8.1 client operating system currently receives its IPv4 address. You need to provide an automated way for client computers to receive IPv4 configuration. You will configure a Windows 8.1 client to receive IPv4 configuration from a DHCP server and then verify the configuration.
The main tasks for this exercise are as follows:
1. Verify the current IPv4 configuration.
2. Configure the computer to obtain an IPv4 address automatically.
3. Verify the new IPv4 configuration.

Task 1: Verify the current IPv4 configuration

1. Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.
2. Open a Command Prompt window, and then run the command ipconfig /all.
   o What is the current IPv4 address?
   o What is the subnet mask?
   o To which IPv4 network does this host belong?
   o Is DHCP enabled?

Task 2: Configure the computer to obtain an IPv4 address automatically

1. Use Network Connections to view the properties of Ethernet.
2. Modify TCP/IPv4 to:
   o Obtain an IP address automatically.
   o Obtain a DNS server address automatically.

Task 3: Verify the new IPv4 configuration

In the Ethernet Status window, view the Details.
   o What is the current IPv4 address?
   o What is the subnet mask?
   o To which IPv4 network does this host belong?
   o Is DHCP enabled?
   o When does the DHCP lease expire?

Results: After completing this exercise, you should have configured LON-CL1 to obtain an IPv4 configuration automatically from a DHCP server.

Exercise 2: Configuring IPv4 Manually

Scenario
As the network administrator, you need to test various scenarios for assigning IPv4 addresses to client computers. You will deactivate the current DHCP scope, and renew that address on the Windows 8.1 client operating system to see what address is assigned. You will configure an alternate address to be assigned when DHCP is not available. Finally, you will assign a static IPv4 address to the Windows 8.1 client operating system.
The main tasks for this exercise are as follows:
1. Deactivate the DHCP scope.
2. Obtain a new IPv4 address.
3. Configure an alternate IPv4 address.
4. Configure a static IPv4 address.

Task 1: Deactivate the DHCP scope

1. Sign in to LON-DC1 as Adatum\Administrator with the password Pa$$w0rd.
2. Use the DHCP management console to deactivate the IPv4 scope named A Datum Scope:
   a. In Server Manager, open the DHCP management console.
   b. Deactivate the [172.16.0.0] A Datum Scope.
   c. Close the DHCP window.

Task 2: Obtain a new IPv4 address

Note: This process can take several minutes to complete.
1. On LON-CL1, at the command prompt, run the command ipconfig /release.
2. Run the command ipconfig /renew.
3. Run the command ipconfig /all.
   o What is the current IPv4 address?
   o What is the subnet mask?
   o To which IPv4 network does this host belong?
   o What kind of address is this?

Task 3: Configure an alternate IPv4 address

1. In the TCP/IPv4 properties for Ethernet, use the Alternate Configuration tab to configure the following:
   o IP address: 172.16.16.10
   o Subnet mask: 255.255.0.0
   o Preferred DNS server: 172.16.0.10
   o Do not validate settings
2. At the command prompt, type ipconfig /release, and then press Enter.
3. At the command prompt, type ipconfig /renew, and then press Enter.
4. At the command prompt, type ipconfig /all, and then press Enter:
   o What is the current IPv4 address?
   o What is the subnet mask?
   o To which IPv4 network does this host belong?
   o What kind of address is this?

Task 4: Configure a static IPv4 address

1. In the Ethernet Status window, view the Properties.
2. In the properties for TCP/IPv4 for Ethernet, configure the following:
   o IP address: 172.16.16.10
   o Subnet mask: 255.255.0.0
   o Preferred DNS server: 172.16.0.10

Results: After completing this exercise, you should have tested various scenarios for dynamic IP address assignment and then configured a static IP address.
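The GUI steps of the demonstration, Exercise 1 (obtain the address and DNS server automatically) and Exercise 2 Task 4 (static address) have Windows PowerShell equivalents. The functions below are an added example, not part of the lab; they assume an interface named Ethernet, an elevated session on LON-CL1, and the lab values 172.16.16.10/16 and 172.16.0.10. The Alternate Configuration tab of Task 3 is not covered here.

```powershell
# Added example (not from the lab): PowerShell equivalents of the TCP/IPv4 property sheet.
# Assumes the NetTCPIP and DnsClient modules of Windows 8.1 and an interface named Ethernet.

function Set-EthernetDhcp {
    param([string]$InterfaceAlias = 'Ethernet')
    # "Obtain an IP address automatically"
    Set-NetIPInterface -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -Dhcp Enabled
    # "Obtain DNS server address automatically"
    Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ResetServerAddresses
    # Same as the lab's ipconfig /release and ipconfig /renew steps.
    ipconfig /release | Out-Null
    ipconfig /renew   | Out-Null
}

function Set-EthernetStatic {
    param(
        [string]$InterfaceAlias = 'Ethernet',
        [string]$IPAddress      = '172.16.16.10',   # lab value
        [int]   $PrefixLength   = 16,               # 255.255.0.0
        [string]$DnsServer      = '172.16.0.10'     # lab value
    )
    Set-NetIPInterface -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -Dhcp Disabled
    # Drop whatever DHCP or APIPA assigned before adding the static address.
    Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Remove-NetIPAddress -Confirm:$false
    New-NetIPAddress -InterfaceAlias $InterfaceAlias -IPAddress $IPAddress -PrefixLength $PrefixLength | Out-Null
    Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $DnsServer
}

function Show-EthernetIPv4 {
    # Answers the lab questions: address, mask, network, DHCP enabled, lease expiry.
    param([string]$InterfaceAlias = 'Ethernet')
    $ip    = Get-NetIPAddress   -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 | Select-Object -First 1
    $iface = Get-NetIPInterface -InterfaceAlias $InterfaceAlias -AddressFamily IPv4
    $cfg   = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
                 Where-Object { $_.IPAddress -contains $ip.IPAddress }

    # Derive the dotted subnet mask and the network ID from the prefix length.
    $ipBytes   = ([ipaddress]$ip.IPAddress).GetAddressBytes()
    $maskBytes = [byte[]](0..3 | ForEach-Object {
        $bits = [math]::Min(8, [math]::Max(0, $ip.PrefixLength - 8 * $_))
        [byte](256 - [math]::Pow(2, 8 - $bits))
    })
    $netBytes  = [byte[]](0..3 | ForEach-Object { $ipBytes[$_] -band $maskBytes[$_] })

    [pscustomobject]@{
        IPv4Address  = $ip.IPAddress
        SubnetMask   = (New-Object System.Net.IPAddress -ArgumentList (,$maskBytes)).ToString()
        NetworkId    = (New-Object System.Net.IPAddress -ArgumentList (,$netBytes)).ToString()
        PrefixOrigin = $ip.PrefixOrigin      # Dhcp, Manual, or WellKnown (APIPA)
        DhcpEnabled  = $iface.Dhcp
        LeaseExpires = $cfg.DHCPLeaseExpires
    }
}

# Exercise 1 / demonstration: automatic configuration, then verify.
Set-EthernetDhcp
Show-EthernetIPv4
# Exercise 2, Task 4: static configuration, then verify again.
Set-EthernetStatic
Show-EthernetIPv4
```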

Prepare for the next lab

When you have finished the lab, leave the virtual machines running, as you will need them for the
next lab.

Lesson 4

Implementing Name Resolution

Computers can communicate over a network by using a name in place of an IP address. Computers use
name resolution to find an IP address that corresponds to a name, such as a host name. This lesson
focuses on different types of computer names and the methods to resolve them.

Lesson Objectives
After completing this lesson, you will be able to:

Describe the types of names used by IPv4 computers.

Describe the methods for resolving computer names into IP addresses.

Describe the tools you can use to resolve name resolution issues.

Types of Computer Names

Name resolution is the process of converting computer names to IP addresses. Name resolution is an essential part of computer networking because it is easier for users to remember names than abstract numbers, such as an IPv4 address.
The application developer determines which kind of name an application uses. In Windows operating systems, applications can request network services through Windows Sockets (Winsock), Winsock Kernel, or NetBIOS. If an application requests network services through Windows Sockets or Winsock Kernel, it uses host names. If an application requests services through NetBIOS, it uses a NetBIOS name.
Note: NetBIOS is a session management protocol that was used in older versions of Microsoft server operating systems. Windows 8.1 provides support for NetBIOS.

Host Name

A host name is a user-friendly name that is associated with a host's IP address and identifies it as a TCP/IP host. A host name can be no more than 255 characters in length and can contain only alphanumeric characters, periods, and hyphens.

A host name is an alias or a fully qualified domain name (FQDN).

An alias is a single name associated with an IP address.

The host name combines an alias with a domain name to create the FQDN.

The elements of the name include periods as separators. Applications use the structured FQDN on the Internet.

An example of an FQDN is payroll.contoso.com.

NetBIOS Name

Applications use the 16-character NetBIOS name to identify a NetBIOS resource on a network. A NetBIOS name represents a single computer or a group of computers. NetBIOS uses the first 15 characters for a specific computer's name and the final sixteenth character to identify a resource or service on that computer. An example of a NetBIOS name is NYC-SVR2[20h].

Windows supports a number of different methods for resolving computer names, such as DNS, WINS, and the host name resolution process.

Methods for Resolving Computer Names

Many current apps, including Internet apps, use Windows Sockets to access network services. Newer apps that are designed for Windows 8.1 use Winsock Kernel. Older applications use NetBIOS.

Name Resolution Process

DNS is the Microsoft standard for resolving host names to IP addresses. Applications also use DNS to do the following:

Locate domain controllers and global catalog servers. This is used when you log on to Active Directory Domain Services (AD DS).

Resolve IP addresses to host names. This is useful when a log file contains only a host's IP address.

Locate a mail server for email delivery. This is used for the delivery of all Internet email.

WINS provides a centralized database for registering dynamic mappings of a network's NetBIOS names. Support is retained for WINS to provide backward compatibility.
While you can use WINS, you also can resolve NetBIOS names by using the following:

Broadcast messages. Broadcast messages do not work well on large networks because routers do not propagate broadcasts.

Lmhosts file on all computers. Using an Lmhosts file for NetBIOS name resolution is a high-maintenance solution because you must maintain the file manually on all computers.

Host-Name Resolution Process

When an application specifies a host name and uses Windows Sockets, TCP/IP uses the DNS resolver cache, DNS, and Link-Local Multicast Name Resolution (LLMNR) when it attempts to resolve the host name. The Hosts file is loaded into the DNS resolver cache. If NetBIOS over TCP/IP is enabled, TCP/IP also uses NetBIOS name resolution methods when resolving single-label, unqualified host names.

Depending on the configuration, Windows 8.1 resolves host names by performing the following actions:
1. Checking whether the host name is the same as the local host name.
2. Searching the DNS resolver cache.
3. Searching the Hosts file.
4. Sending a DNS request to its configured DNS servers.

Windows resolves host names that are single-label, unqualified names by performing the following actions:
1. Converting the host name to a NetBIOS name and checking the local NetBIOS name cache.
2. Sending a DNS request to its configured WINS servers.
3. Broadcasting as many as three NetBIOS name query request messages on the subnet that is directly attached.
4. Searching the Lmhosts file.

Note: Windows 8.1 can use Link-Local Multicast Name Resolution for networks that do not have a DNS server. For example, if a Windows 8.1 computer must resolve a single-label name, it first will try to query a DNS server. If there is no DNS server or no response from the DNS server, Windows 8.1 will use LLMNR. If this is unsuccessful, Windows 8.1 will attempt resolution by using the NetBIOS methods that the preceding section explains.
Note: You can exert control over the precise order used to resolve names. For example, if you disable NetBIOS over TCP/IP, none of the NetBIOS name-resolution methods are attempted.
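The resolution order above can be traced one source at a time with Resolve-DnsName, whose -CacheOnly, -DnsOnly, -LlmnrOnly and -NetbiosOnly switches each consult a single source. This is an added example, not course material; it assumes the DnsClient module of Windows 8.1 and reads the NetBIOS over TCP/IP setting from Win32_NetworkAdapterConfiguration. Server1 and payroll.contoso.com are the lesson's example names.

```powershell
# Added example (not from the course): walk the host-name resolution order for one name,
# querying each source separately so you can see which one answers and why.
# Assumes Resolve-DnsName (DnsClient module) and the Win32_NetworkAdapterConfiguration class.

function Trace-NameResolution {
    [CmdletBinding()]
    param([Parameter(Mandatory = $true)][string]$Name)

    $isSingleLabel = $Name -notmatch '\.'

    # NetBIOS over TCP/IP: TcpipNetbiosOptions 0 = default (via DHCP), 1 = enabled, 2 = disabled.
    # If it is disabled on every adapter, the NetBIOS methods are skipped, as the note above says.
    $netbiosEnabled = @(Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Where-Object { $_.TcpipNetbiosOptions -ne 2 }).Count -gt 0

    # Ordered steps: local host name, resolver cache (which already contains the Hosts file),
    # DNS servers, then LLMNR and NetBIOS only for single-label names.
    $steps = [ordered]@{
        'Local host name'                          = { if ($Name -eq $env:COMPUTERNAME) { $env:COMPUTERNAME } }
        'DNS resolver cache (includes Hosts file)' = { Resolve-DnsName -Name $Name -CacheOnly -ErrorAction Stop }
        'DNS server'                               = { Resolve-DnsName -Name $Name -DnsOnly   -ErrorAction Stop }
    }
    if ($isSingleLabel) {
        $steps['LLMNR'] = { Resolve-DnsName -Name $Name -LlmnrOnly -ErrorAction Stop }
        if ($netbiosEnabled) {
            $steps['NetBIOS (cache, WINS, broadcast, Lmhosts)'] =
                { Resolve-DnsName -Name $Name -NetbiosOnly -ErrorAction Stop }
        }
    }

    foreach ($label in $steps.Keys) {
        try {
            $answer    = & $steps[$label]
            $addresses = @($answer | ForEach-Object {
                if ($_ -is [string]) { $_ } elseif ($_.IPAddress) { $_.IPAddress }
            })
            if ($addresses.Count -gt 0) {
                return [pscustomobject]@{ Name = $Name; ResolvedBy = $label; Addresses = ($addresses -join ', ') }
            }
        }
        catch {
            # This source had no answer (or is not applicable); fall through to the next one.
        }
    }
    [pscustomobject]@{ Name = $Name; ResolvedBy = 'none'; Addresses = $null }
}

Trace-NameResolution -Name 'Server1'              # single-label: DNS, then LLMNR, then NetBIOS
Trace-NameResolution -Name 'payroll.contoso.com'  # FQDN: cache and DNS only
```

Resolve-DnsName -Name contoso.com -Type MX is the equivalent of the NSlookup set q=mx query described later in this lesson.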

GlobalNames Zone

GlobalNames Zone is a feature in Windows Server 2008 and newer versions. GlobalNames Zone provides
single-label name resolution for large enterprise networks that do not deploy WINS. Some networks
might require the ability to resolve static, global records with the single-label names that WINS currently
provides. These single-label names refer to well-known and widely used servers with statically assigned
IP addresses. A GlobalNames Zone is created manually and is not available for dynamic registration of
records. GlobalNames Zone helps your customers migrate to DNS for all name resolution. The DNS Server
role in Windows Server 2008 and newer versions supports the GlobalNames Zone feature.
GlobalNames Zone assists in the migration from WINS. However, it is not a replacement for WINS. GlobalNames Zone supports the single-label name resolution of records that are registered in WINS dynamically and that IT administrators typically do not manage. Support for these dynamically registered records is not scalable, especially for larger customers with multiple domains and forests.
The recommended GlobalNames Zone deployment is to use an AD DS-integrated zone, named
GlobalNames, which is distributed globally.

Instead of using GlobalNames Zone, you can choose to configure DNS and WINS integration. Do this
by configuring the DNS zone properties to perform WINS-lookups for NetBIOS-compliant names. The
advantage of this approach is that you can configure client computers to only use a single name service
(DNS) and still be able to resolve NetBIOS-compliant names.
Understanding DNS Client Settings
http://go.microsoft.com/fwlink/?LinkId=154441&clcid=0x409

Tools Used to Resolve Name Resolution Issues

Windows 8.1 includes a number of tools that you can use to diagnose name-resolution problems, including:

Event Viewer

Windows Network Diagnostics

IPConfig

Ping

NSlookup

Windows PowerShell

Microsoft Message Analyzer

Event Viewer

Event logs are files that record significant events on a computer, such as when a process encounters an error. The System log will reference IP conflicts, which can prevent services from starting. When these events occur, a Windows operating system records the event in an appropriate event log. You can use Event Viewer to read the log. When you troubleshoot errors in Windows 8.1, view the events in the event logs to find the problem's cause.
Event Viewer enables you to access the Application, Security, Setup, and System logs under the Windows Logs node. When you select a log and then select an event, a preview pane under the event list contains details of the specified event. To help diagnose network problems, look for errors or warnings in the System log related to network services.

Windows Network Diagnostics

Use Windows Network Diagnostics to diagnose and correct networking problems. In the event of a
Windows 8.1 networking problem, the Diagnose Connection Problems option helps diagnose and repair
the problem, and will return a description of the potential problem and a possible remedy. The solution
might require manual intervention from the user.

IPConfig

IPConfig displays the current TCP/IP network configuration. Additionally, you can use IPConfig to refresh
DHCP and DNS settings as discussed in the previous Windows Network Diagnostics topic. For example,
you might need to flush the DNS cache.

Ping

Ping verifies IP-level connectivity to another TCP/IP computer. Ping sends Internet Control Message Protocol (ICMP) echo request messages and displays the receipt of the corresponding echo reply messages. Ping is the primary TCP/IP command used to troubleshoot connectivity. Ping is more useful on an internal network because firewalls on the Internet commonly block ICMP requests.

NSlookup

NSlookup displays information that you can use to diagnose a DNS infrastructure. You can use NSlookup
to confirm that the client can reach a DNS server and that the required records exist. You can use NSlookup
in the following two modes:

Interactive. To use NSlookup in interactive mode, type NSlookup at the command prompt and press
Enter. By default, NSlookup queries the DNS server that is configured on the client's network interface.
Interactive mode provides many options, such as setting a specific DNS server to be queried (server
followed by the server address). You can view the available options by typing help at the interactive
prompt. A common use for interactive mode is to query for a specific type of record. For example, to
query for Mail Exchanger (MX) records, type set q=mx and press Enter, and then type the name of the
domain you are looking for and press Enter again. The query returns only the MX records for that domain.

Noninteractive. The noninteractive mode is useful for quick lookups of names. For example, to
discover the IP address of a computer named Server1 in the Contoso.com domain, type
nslookup Server1.Contoso.com at the command prompt, and the configured DNS server will respond
with the answer. A reply marked Non-authoritative answer came from the server's cache rather than
from a zone that the server hosts.

Windows PowerShell

You also can use Windows PowerShell cmdlets for configuring and troubleshooting network settings. The
following table lists some of these cmdlets and their purposes.

Cmdlet                        Purpose
Clear-DnsClientCache          Similar to the IPConfig /flushdns command, this cmdlet clears a client's
                              resolver cache.
Get-DnsClient                 Retrieves the DNS client configuration of each network interface on a
                              specified computer.
Get-DnsClientCache            Similar to the IPConfig /displaydns command, this cmdlet retrieves the
                              contents of the local DNS client cache.
Get-DnsClientGlobalSetting    Retrieves global DNS client settings such as the suffix search list.
Get-DnsClientServerAddress    Gets the DNS server IP addresses associated with the interfaces on a
                              computer.
Register-DnsClient            Registers all of the computer's IP addresses with the configured DNS
                              server (similar to IPConfig /registerdns).
Set-DnsClient                 Sets the interface-specific DNS client configuration on a computer.
Set-DnsClientGlobalSetting    Configures global DNS client settings such as the suffix search list.
Set-DnsClientServerAddress    Configures one or more DNS server IP addresses associated with the
                              interfaces on a computer.
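
The following Windows PowerShell script is an added example, not part of the course: it chains the
cmdlets in the table with Resolve-DnsName, the cmdlet equivalent of the NSlookup queries described
earlier, into a single name-resolution check. It assumes a record name and type of your own ($Name and
$Record are placeholders) and uses Test-NetConnection, which ships with Windows 8.1, to separate an
unreachable server from a missing record.

```powershell
# Added example (not part of the course): name-resolution triage that chains the
# DnsClient cmdlets from the table with Resolve-DnsName, the cmdlet equivalent of
# NSlookup. Assumptions: $Name and $Record are placeholders for the record you
# are troubleshooting.
param(
    [string]$Name   = 'lon-dc1.adatum.com',   # assumed name to resolve
    [string]$Record = 'A'                      # assumed record type (A, AAAA, MX, ...)
)

# 1. Which DNS servers is each interface configured to use?
#    (the "DNS Servers" lines of ipconfig /all)
$servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 }
$servers | Format-Table InterfaceAlias, ServerAddresses -AutoSize

# 2. Which suffixes are appended to a single-label name such as "lon-dc1"?
$global = Get-DnsClientGlobalSetting
'Suffix search list: {0}' -f ($global.SuffixSearchList -join ', ')

# 3. Purge the resolver cache (ipconfig /flushdns) so the test reflects what the
#    server answers now, not a stale or negative entry cached before the fix.
Clear-DnsClientCache

# 4. Query every configured server directly. -DnsOnly skips LLMNR, NetBIOS and
#    the hosts file, so a failure here is a DNS failure and nothing else.
foreach ($iface in $servers) {
    foreach ($srv in $iface.ServerAddresses) {
        $reach = Test-NetConnection -ComputerName $srv -Port 53 -WarningAction SilentlyContinue
        try {
            $answer = Resolve-DnsName -Name $Name -Type $Record -Server $srv -DnsOnly -ErrorAction Stop
            $data = $answer | Where-Object { $_.Type -eq $Record } |
                ForEach-Object { if ($_.Type -eq 'MX') { $_.NameExchange } else { $_.IPAddress } }
            '{0} via {1} (TCP/53 open: {2}): {3}' -f $Name, $srv, $reach.TcpTestSucceeded, ($data -join ', ')
        } catch {
            '{0} via {1} (TCP/53 open: {2}): FAILED - {3}' -f $Name, $srv, $reach.TcpTestSucceeded, $_.Exception.Message
        }
    }
}

# 5. What the queries left behind in the cache (ipconfig /displaydns).
Get-DnsClientCache | Where-Object { $_.Entry -like "$Name*" } |
    Format-Table Entry, Type, Status, TimeToLive, Data -AutoSize
```

Read the output in step 4 as a pair: a closed port and a failed query point at reachability (wrong server
address, firewall, server down), while an open port and a failed query point at the record or zone. If two
configured servers return different answers for the same name, one of them is serving a stale or tampered
record and the client will behave differently depending on which server it happens to ask.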

Microsoft Message Analyzer

Microsoft Message Analyzer is the replacement for Network Monitor, which Microsoft last released
as version 3.4. The Microsoft Message Analyzer provides more capabilities than Network Monitor for
determining network issues. It can capture, display, and analyze live network traffic in multiple viewing
formats such as grids, charts, and timeline views. It also allows you to import, aggregate, and analyze data
from log and trace files.

Key capabilities include:

Integrated event and message capture at different system levels and endpoints

Parsing and validation of protocol messages and sequences

Automatic re-assembly of packets and the ability to render the payloads


Microsoft Message Analyzer Operating Guide
http://go.microsoft.com/fwlink/?LinkId=378233&clcid=0x409

Lab B: Resolving Network Connectivity Issues


Scenario

An intern has been unsuccessful in attempts to resolve a network connectivity problem on a Windows 8.1
computer, and has not documented the changes made to the computer. You need to restore network
connectivity for the computer.

Objectives
After completing this lab, you will be able to:

Create a simulated network connectivity problem.

Resolve a network connectivity problem.

Lab Setup
Estimated Time: 15 minutes
Virtual machines: 20687D-LON-DC1 and 20687D-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment.

Exercise 1: Creating a Simulated Network Connectivity Problem


Scenario

Windows 8.1 clients are experiencing issues when connecting to network resources. As the network
administrator, you must resolve these issues by performing troubleshooting steps to identify and resolve
the issues.
The main tasks for this exercise are as follows:
1. Verify connectivity to LON-DC1.
2. Simulate the problem.
3. Test connectivity to LON-DC1.
4. Gather information about the problem.

Task 1: Verify connectivity to LON-DC1

On LON-CL1, map the drive letter P to \\LON-DC1\Data.

Task 2: Simulate the problem


1. On LON-CL1, in the properties of Local Area Connection, disable the IPv6 protocol.
2. Run the file E:\LabFiles\Mod06\Mod6-Script.bat.

Task 3: Test connectivity to LON-DC1

Access drive letter P by using File Explorer. Are you able to access the mapped drive P?

Task 4: Gather information about the problem

Use the techniques and tools from this module to determine the following information:
o What IP address is the computer using?
o What subnet mask is the computer using?
o What network should the computer be on?
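
The following Windows PowerShell script is an added worked example, not part of the lab files. It gathers
the three facts above for every connected adapter and flags the usual causes of a broken client. It assumes
that 172.16.0.0/16 is the lab network and that 172.16.0.10 is LON-DC1, as the ping commands in
Exercise 2 imply, and it uses a TCP check on port 445 (SMB) as a stand-in for opening the mapped drive.

```powershell
# Added example (not part of the lab): collect the facts Task 4 asks for and flag
# the usual causes. Assumptions: 172.16.0.0/16 is the lab network and 172.16.0.10
# is LON-DC1; the SMB port check (445) stands in for reaching \\LON-DC1\Data.
$ExpectedNetwork = '172.16.0.0'
$ExpectedPrefix  = 16
$DcAddress       = '172.16.0.10'
$DcName          = 'lon-dc1'

function Test-SameSubnet {
    param([string]$Ip, [string]$Network, [int]$PrefixLength)
    # Turn dotted-quad addresses into integers and compare only the network bits.
    $toInt = { param($a) [uint64][BitConverter]::ToUInt32(([IPAddress]$a).GetAddressBytes()[3..0], 0) }
    $mask  = [uint64]([math]::Pow(2, 32)) - [uint64]([math]::Pow(2, 32 - $PrefixLength))
    ((& $toInt $Ip) -band $mask) -eq ((& $toInt $Network) -band $mask)
}

foreach ($cfg in (Get-NetIPConfiguration -Detailed | Where-Object { $_.NetAdapter.Status -eq 'Up' })) {
    'Interface : {0}' -f $cfg.InterfaceAlias
    foreach ($ip in $cfg.IPv4Address) {
        'IPv4      : {0}/{1}' -f $ip.IPAddress, $ip.PrefixLength
        if ($ip.IPAddress -like '169.254.*') {
            '  !! APIPA address: no DHCP lease was obtained. Check that the adapter is set to'
            '     obtain an address automatically and that a DHCP server is reachable.'
        } elseif (-not (Test-SameSubnet $ip.IPAddress $ExpectedNetwork $ExpectedPrefix)) {
            '  !! Address is not on the expected {0}/{1} network: look for a static entry' -f $ExpectedNetwork, $ExpectedPrefix
            '     left in the adapter properties or set with netsh.'
        } elseif ($ip.PrefixLength -ne $ExpectedPrefix) {
            '  !! Subnet mask is wrong (/{0} expected): hosts on the network will be unreachable.' -f $ExpectedPrefix
        }
    }
    'Gateway   : {0}' -f (($cfg.IPv4DefaultGateway | ForEach-Object { $_.NextHop }) -join ', ')
    'DNS       : {0}' -f ($cfg.DNSServer.ServerAddresses -join ', ')
}

# Separate an IP-layer failure from a name-resolution failure, as the two ping
# commands in Exercise 2 do, but against the SMB port the mapped drive needs.
$byIp   = Test-NetConnection -ComputerName $DcAddress -Port 445 -WarningAction SilentlyContinue
$byName = Test-NetConnection -ComputerName $DcName    -Port 445 -WarningAction SilentlyContinue
'SMB to {0} by address : {1}' -f $DcAddress, $byIp.TcpTestSucceeded
'SMB to {0} by name    : {1}' -f $DcName, $byName.TcpTestSucceeded
if ($byIp.TcpTestSucceeded -and -not $byName.TcpTestSucceeded) {
    '-> IP connectivity is fine; the remaining problem is name resolution.'
} elseif (-not $byIp.TcpTestSucceeded) {
    '-> No TCP path to the server at all; fix the address, mask or gateway first.'
}
```

The two port checks at the end give the same split that the two ping commands in Exercise 2 give: success
by address but failure by name isolates the problem to DNS, whereas failure by address means the
IP configuration itself is wrong and DNS cannot be tested yet.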

Results: After completing this exercise, you should have created a connectivity problem between
LON-CL1 and LON-DC1.

Exercise 2: Resolving a Network Connectivity Problem


Scenario

You must use troubleshooting tools and techniques to resolve and test the resolution of the connectivity
issue.
The main tasks for this exercise are as follows:
1. Resolve the first problem.
2. Test the resolution.
3. Resolve the DNS problem.

Task 1: Resolve the first problem

Use the tools and techniques from this module to resolve the problem.

Task 2: Test the resolution


1. Access drive letter P by using File Explorer. Are you able to access mapped drive P?
2. Open a Command Prompt window, and at the command prompt, run the following commands:
   o ping lon-dc1
   o ping 172.16.0.10
   o ipconfig /all

   What DNS servers is the computer using?

Task 3: Resolve the DNS problem

Use the tools and techniques from this module to resolve the problem.

Results: After completing this exercise, you should have resolved the connectivity problem between
LON-CL1 and LON-DC1.

Prepare for the next module


When you have finished the lab, revert the virtual machines to their initial state.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687D-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20687D-LON-DC1.

Lesson 5

Implementing Wireless Network Connectivity

An increasing number of devices use wireless connections as the main method for accessing corporate
intranets and the Internet. Additionally, many users have come to expect a wireless infrastructure in a
corporate workplace. As a result, a strong knowledge of wireless connectivity is a requirement for today's
networking environment. This lesson discusses the various wireless standards and the configuration and
support of Windows 8.1 wireless clients.

Lesson Objectives
After completing this lesson, you will be able to:

Describe wireless network technologies.

Describe Windows 8.1 support for wireless broadband.

Explain how to configure wireless network settings.

Describe considerations for improving wireless signal strength.

Explain how to resolve wireless network connection issues.

Wireless Network Technologies


Wireless networking uses radio waves to connect
wireless devices to other network devices. Wireless
networks generally consist of wireless client devices,
access points (APs), and wireless bridges that
conform to the IEEE 802.11 family of standards (not
to be confused with IEEE 802.1X, the port-based
authentication standard that WPA-Enterprise uses).

Wireless Network Topologies


There are two types of wireless topologies:

Infrastructure. Infrastructure wireless networks consist of wireless LANs and cellular networks, and
require the use of a device, such as an AP, to allow communication between client wireless devices.
You manage infrastructure wireless networks centrally.

Ad hoc. Ad hoc networks can connect wireless devices dynamically in a peer-to-peer configuration
without the use of any infrastructure devices.

802.11 Wireless Standards

The 802.11 standard has been evolving since 1997. There have been many improvements in transmission
speed and security of the 802.11 technology since then. A letter of the alphabet designates each new
amendment, as the following table shows.

Specification   Description
802.11a         The first extension to the original 802.11 specification. It provides up to 54 megabits
                per second (Mbps) and operates in the 5 gigahertz (GHz) band. It is not compatible with
                802.11b.
802.11b         Provides up to 11 Mbps and operates in the 2.4 GHz band.
802.11e         Defines Quality of Service (QoS) and multimedia support.
802.11g         Transmission over short distances at speeds up to 54 Mbps. It is backward-compatible
                with 802.11b, and operates in the 2.4 GHz band.
802.11n         Adds multiple-input, multiple-output (MIMO) antennas and wider 40 MHz channels, raising
                the maximum data rate to 600 Mbps. It vastly improves speed over previous specifications,
                and it supports both the 2.4 GHz and 5 GHz bands.
802.11ac        Builds on 802.11n with wider channels and more spatial streams: a single stream reaches
                433 Mbps, and devices with several streams exceed 1 gigabit per second. 802.11ac operates
                only in the 5 GHz band.

Wireless Security

Wireless security has been the biggest consideration for organizations planning a wireless implementation.
Because wireless traffic travels across open airwaves, anyone within radio range can capture it, and
anyone who can authenticate can join the network. Therefore, organizations utilize several security
technologies to address these concerns. Most Wi-Fi devices support multiple security standards. The
following table describes the security methods available for wireless networks:

Security method                   Description
Wired Equivalent Privacy (WEP)    WEP is the oldest form of wireless security. Some devices support
                                  different key lengths: 64-bit, 128-bit, and 256-bit. The security
                                  issues surrounding WEP are well documented: its keys can be recovered
                                  in minutes with freely available tools, so a WEP network should be
                                  treated as an open one. Do not use WEP; if a device supports nothing
                                  better, replace the device.
Wi-Fi Protected Access (WPA)      Developed to replace WEP. WPA has two variations:
                                  WPA-Personal. WPA-Personal is for home and small business networks
                                  and is easier to implement than WPA-Enterprise. All clients share one
                                  passphrase (the pre-shared key). The passphrase and the network's
                                  service set identifier (SSID) derive the key material, and Temporal
                                  Key Integrity Protocol (TKIP) generates changing per-packet encryption
                                  keys for each wireless client. TKIP was a stopgap built on WEP's RC4
                                  cipher and is now deprecated.
                                  WPA-Enterprise. WPA-Enterprise is for corporate networks. Each user
                                  or device authenticates individually through IEEE 802.1X against a
                                  RADIUS server, so there is no shared passphrase to leak, and access can
                                  be revoked per account.
WPA2                              An improved version of WPA that has become the Wi-Fi security standard.
                                  WPA2 replaces TKIP with CCMP, a mode of the Advanced Encryption Standard
                                  (AES), which provides stronger encryption and integrity protection. The
                                  same Personal and Enterprise variations apply.

The security methods that a given wireless device supports depend on the vendor and the device's age.
All modern wireless devices should support WPA2. Prefer WPA2 with AES, and choose WPA2-Enterprise
for corporate networks so that credentials are issued and revoked per user rather than shared.

Windows 8.1 Support for Wireless Broadband


Mobile broadband is a term that describes a
wireless wide area network that provides wireless
Internet access by using mobile devices from any
location where cellular service is available. This
ability requires a mobile broadband subscription
to a data service from a provider. In previous
versions of Windows operating systems, custom
drivers were required along with a mobile data
card, which might be in the form of a PC Card,
USB dongle, or an internal laptop module.
Microsoft has worked with broadband providers
and hardware vendors to design a new mobile
broadband driver that certified broadband devices will support, and that is built into Windows 8 and
Windows 8.1. This makes the broadband-connection experience for users as simple as plugging in a
device.

Broadband Management

Previously, most mobile broadband devices typically came with connection-management software that
users had to install and configure on a computer. Depending on the provider, this software could be
difficult to configure, and it sometimes interfered with Windows internal connection-management
functions. In Windows 8 and Windows 8.1, you can use the network settings to manage individual Wi-Fi,
broadband, or Bluetooth devices to turn them off or on. You do not have to install extra software.
Windows 8.1 also supports airplane mode, which allows you to disable all radio devices simultaneously.
Windows 8.1 also gives priority to available preferred Wi-Fi networks over broadband connections by
default. When you are out of range of a preferred Wi-Fi network, the broadband connection is restored
automatically.

Many data plans have limits on how much data you can use before extra charges come into play. To track
data usage, each individual wireless network provides information on the current amount of data that you
have used. You have the ability to reset the counter when you choose, so you can track data usage the
way that you want, such as on a monthly basis or even by session.

Plan Purchase

If you already have a subscription to a data plan with a provider, you just need to plug in your device.
If you want to purchase a subscription, you can go to the Networks Settings pane, and click Connect next
to an advertised provider's icon. This will direct you to the provider's website where you can purchase a
data plan. After purchasing your plan, you can provision your computer automatically for that provider's
network. In the background, the Windows operating system gathers information by using a database of
access-point names so that it can provision your system to connect to the provider's network.

Broadband Tethering

Windows 8.1 supports broadband tethering for up to 10 devices, so any computer or device can use a
broadband-enabled Windows 8.1 device as a wireless hotspot. To set up tethering, share the network
connection from the Network item in Control Panel. Once shared, a network name and password are
required; the password must be at least eight characters long. Choose a long, random password, because
anyone who learns it can consume the data plan and reach the tethered device over the shared link.

Configuring Wireless Network Settings


The first time you connect to a wireless network,
you must provide a Windows operating system
with the correct information to make a successful
connection. There are a number of ways to
connect to existing wireless networks in
Windows 8 or Windows 8.1.

Connecting to a Wireless Network from Control Panel

The method of connecting from Control Panel has not significantly changed from Windows 7. To
connect to a wireless network from Control Panel, perform the following procedure:

1. In Control Panel, view by icons, and then open the Network and Sharing Center.
2. In the Network and Sharing Center window, click Set up a new connection or network.
3. In the Set up a Connection or Network window, click Manually connect to a wireless network, and
   then click Next. This option appears only if a wireless adapter is installed.
4. In the Manually connect to a wireless network window, enter the following details:
   a. Network name: the SSID of the network you are joining. It must match the SSID exactly; it is
      not a free-form friendly name.
   b. Security type: WEP, WPA-Personal, WPA-Enterprise, WPA2-Personal, or WPA2-Enterprise.
   c. Encryption type: TKIP or AES. AES with WPA2 is the combination to choose; TKIP remains only
      for older equipment.
   d. Security key: the passphrase (WPA-Personal or WPA2-Personal) or WEP key configured for the
      wireless network. The Enterprise security types take no key here, because credentials are
      supplied through 802.1X when you connect.

   You also have the option to Start this connection automatically and Connect even if the network
   is not broadcasting. Selecting the second option makes the client probe for the SSID wherever it
   goes, which reveals the network name to anyone listening nearby.

After the initial configuration of the network, you can open the properties to change settings or to further
configure the wireless network to:

Connect automatically when in range.

Connect to a more preferred network if available.

Connect even if the network is not broadcasting its name (SSID).

Connecting to a Wireless Network from the Network Settings Pane

In Windows 8 or Windows 8.1, you can use the Network Settings pane from the Start screen settings to
configure wireless network settings by performing the following procedure:
1. Access the Charms bar, and then click Settings.
2. Click the wireless network Available icon. If no wireless networks are in range, the icon will say
   Unavailable. The Networks pane will appear with a list of available wireless networks.
3. Click the name of the wireless network to which you want to connect, and then click Connect.
4. Enter the password for your wireless network.
5. Choose whether you want to share your files with others on the network.

Windows will remember the settings, and then reconnect automatically when you are in range. If you
need to change the configuration, you can right-click the wireless network name in the Network pane,
and then click View connection properties.
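
The following Windows PowerShell script is an added example, not part of the course or of Windows. It
shows the same settings driven from the command line with netsh wlan, which is how wireless profiles are
scripted on Windows 8.1, and it audits every saved profile against the security table in this lesson. It
assumes an SSID and passphrase of your own (the values in the script are placeholders) and parses the
field labels of English-language netsh output, which are localized on other language packs.

```powershell
# Added example (not part of the course): create a WPA2-Personal profile from the
# command line and audit every saved profile for weak security. Assumptions: the
# SSID and passphrase are placeholders, and the netsh field labels are those of an
# English-language Windows 8.1.

function New-WlanProfileXml {
    # Builds the XML that "netsh wlan add profile" imports. The elements map onto
    # the wizard fields: Security type = WPA2PSK, Encryption type = AES,
    # Security key = keyMaterial, "not broadcasting" = nonBroadcast.
    param([string]$Ssid, [string]$Passphrase, [bool]$HiddenSsid = $false)
    $name = [System.Security.SecurityElement]::Escape($Ssid)
    $key  = [System.Security.SecurityElement]::Escape($Passphrase)
    $nb   = if ($HiddenSsid) { 'true' } else { 'false' }
@"
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>$name</name>
  <SSIDConfig><SSID><name>$name</name></SSID><nonBroadcast>$nb</nonBroadcast></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2PSK</authentication>
      <encryption>AES</encryption>
      <useOneX>false</useOneX>
    </authEncryption>
    <sharedKey>
      <keyType>passPhrase</keyType>
      <protected>false</protected>
      <keyMaterial>$key</keyMaterial>
    </sharedKey>
  </security></MSM>
</WLANProfile>
"@
}

function Get-WlanProfileSecurity {
    # Reads each saved profile back through netsh and flags Open, WEP and TKIP.
    $names = netsh wlan show profiles | ForEach-Object {
        if ($_ -match '^\s*(All|Current) User Profile\s*:\s*(.+?)\s*$') { $Matches[2] }
    }
    foreach ($n in $names) {
        $detail = netsh wlan show profile name="$n"
        $auth   = $detail | ForEach-Object { if ($_ -match '^\s*Authentication\s*:\s*(.+?)\s*$') { $Matches[1] } } | Select-Object -First 1
        $cipher = $detail | ForEach-Object { if ($_ -match '^\s*Cipher\s*:\s*(.+?)\s*$')         { $Matches[1] } } | Select-Object -First 1
        [pscustomobject]@{
            Profile        = $n
            Authentication = $auth
            Cipher         = $cipher
            Weak           = ($auth -match 'Open|WEP|Shared') -or ($cipher -match 'WEP|TKIP')
        }
    }
}

# Usage with assumed values: import the profile for all users, then delete the
# file, because it holds the passphrase in clear text.
$file = Join-Path $env:TEMP 'Contoso-Corp.xml'
New-WlanProfileXml -Ssid 'Contoso-Corp' -Passphrase 'ReplaceWithTheRealPassphrase' |
    Set-Content -Path $file -Encoding UTF8
netsh wlan add profile filename="$file" user=all
Remove-Item -Path $file
Get-WlanProfileSecurity | Format-Table -AutoSize
```

Profiles imported with user=all are available to every account on the computer, and any administrator can
later display the stored passphrase with netsh wlan show profile name=... key=clear, so the passphrase of
a Personal network is only as secret as the least trusted administrator of every client that holds it. The
audit output lists which saved networks still rely on WEP, open authentication, or TKIP and should be
removed (netsh wlan delete profile) or migrated to WPA2 with AES.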

Considerations for Improving Wireless Signal Strength


When you design your wireless network, you
can take a number of steps to optimize the
wireless signal strength in your environment.
A poorly designed wireless network will cause
frustration and result in multiple help desk
calls. By following best practices for wireless
networking, you can provide your users with a
better wireless experience. The first step is to
analyze the requirements for the wireless network.
Two major considerations are:

What is the size and design of the physical area for which you need wireless coverage?

What channel or frequency does your wireless network operate in?

Considerations for the Physical Environment

The building layout and construction material can significantly affect signal interference. Buildings with a
lot of brick or steel construction pose issues with signal availability. When placing APs, you should avoid
physical obstructions as much as possible. Even objects such as metal cabinets can cause signal blockage.
Try to avoid placing APs near reflective surfaces. Signals can bounce off mirrors and windows, thereby
reducing signal range. Avoid installing APs close to electrical equipment such as motors and fluorescent
lights.

Considerations for the Wireless Channel and Frequency

Interference can come from other networks. If you are in a small area with many competing wireless
networks, such as in large office buildings, you might be able to get better performance by changing the
Wi-Fi channel. APs operate on specific channels and usually come preconfigured for a certain channel.
There are non-Microsoft tools available that you can use to analyze your environment and see which
channels are the most populated by other wireless networks. Choose the channel with the least traffic for
your network. The 2.4 GHz frequency and the 5 GHz frequency support different channels.
Other considerations to improve your wireless environment include:

Update the firmware of both the APs and the client network adapters to the latest versions.

On Windows 8.1, in Power Options, change the advanced setting Wireless Adapter Settings, Power Saving
Mode to Maximum Performance, so that the adapter is not throttled to save battery.

Consider using Wi-Fi repeaters to extend the range of the AP to provide better coverage.

Consider upgrading the antenna of the AP; high-gain and omnidirectional antennas increase signal
distance and coverage.

Resolving Wireless Network Connection Issues


A wireless connection might fail for many
reasons. The following table describes some of the
common issues, and the methods you can use to
resolve these issues.

Issue                                   Resolution
Wireless adapter is not enabled on      Many laptops that have built-in wireless adapters have a physical
the laptop                              switch or function key that enables or disables the adapter. Each
                                        vendor is different, but make sure that the adapter is enabled, is not
                                        disabled in Network Connections, and is not turned off by airplane
                                        mode.
Security type or password is            Make sure that you enter the wireless password correctly and that the
incorrectly configured                  security type matches the network. In smaller wireless networks, this
                                        information is on the administration page of the wireless router.
Drivers are corrupted or outdated       Make sure that the wireless adapter has the proper drivers. You might
                                        have to go to the vendor site to obtain the latest version of the
                                        drivers.
Firmware updates are missing            As with drivers, make sure the wireless adapter firmware is current.
                                        You might have to go to the vendor site to obtain the latest version.
Wireless connection settings are        Make sure you configure the SSID correctly. Also, make sure that the
incorrectly configured                  profile uses the same authentication and encryption as the AP, such as
                                        WPA2-Personal with AES; a mismatch fails even with the right password.
Hardware issues                         Make sure that the Windows operating system supports the wireless
                                        adapter. You can perform this check at the Windows Compatibility
                                        Center.

Windows Compatibility Center


http://go.microsoft.com/fwlink/?LinkId=378234&clcid=0x409

You also can use the Windows automated troubleshooter in Windows 8.1. Right-click the network icon in
the notification area of your taskbar, and then click Troubleshoot problems.

Module Review and Takeaways


Common Issues and Troubleshooting Tips

Common Issue                                                        Troubleshooting Tip
Windows 8.1 host cannot connect to a Microsoft SharePoint 2010 site.
Windows 8.1 host cannot access the database server.
Windows 8.1 host cannot connect to the Internet.
DNS server is not resolving FQDNs correctly.

Review Questions
Question: After starting her computer, Amy notices that she is unable to access her normal
resources. What tool can she use to determine if she has a valid IP address?
Question: When transmitting accounts receivable updates to a billing partner in China, Amy
notices that the files are transmitting slowly. What tool can she use to determine the network
path and latency of the network?
Question: Amy notices that she cannot access normal enterprise websites. She knows that
she has a valid IP address but wants to troubleshoot the DNS access of her computer. What
tool must she use?
Question: What is the IPv6 equivalent of an IPv4 APIPA address?
Question: You are troubleshooting a network-related problem, and you suspect a name-resolution issue.
Before conducting tests, you want to purge the DNS resolver cache. How do you do that?
Question: You are troubleshooting a network-related problem. The IP address of the host
you are troubleshooting is 169.254.16.17. What is a possible cause of the problem?

Tools
You can use the following tools to troubleshoot network connectivity issues.
Tool                          Description
Network and Sharing Center    The Network and Sharing Center informs you about your network and
                              verifies whether your computer can access the Internet successfully.
                              It summarizes this information in the form of a network map.
Netsh.exe                     Netsh.exe is a command-line tool that you can use to configure network
                              properties.
Pathping.exe                  Pathping.exe is a command-line tool that combines the functionality of
                              Ping and Tracert, which you can use to troubleshoot network latency
                              and packet loss at each hop along a path.
NSlookup.exe                  NSlookup.exe is a command-line tool that you can use to test and
                              troubleshoot DNS and name-resolution issues.
IPConfig.exe                  IPConfig.exe is a general IP configuration and troubleshooting tool.
Ping.exe                      Ping.exe is a basic command-line tool that you can use for verifying IP
                              connectivity.
Tracert.exe                   Tracert.exe lists the routers on the path to a destination. Pathping
                              adds per-hop loss and latency statistics to that route.
Windows PowerShell            Windows PowerShell is a command-line shell and scripting language that
                              provides cmdlets to view and configure network settings.

Module 7
Configuring File Access and Printers on Windows 8.1
Clients
Contents:
Module Overview                              7-1
Lesson 1: Managing File Access               7-2
Lesson 2: Managing Shared Folders            7-15
Lesson 3: Configuring File Compression       7-24
Lab A: Configuring File Access               7-28
Lesson 4: Overview of OneDrive               7-31
Lesson 5: Managing Printers                  7-37
Lab B: Configuring Printers                  7-43
Module Review and Takeaways                  7-45

Module Overview

This module provides the information and tools that you need to manage access to shared folders and
printers on a computer that is running the Windows 8.1 operating system. Specifically, the module
describes how to share and protect folders, configure folder compression, and how to install, configure,
and manage printers. Additionally, this module introduces Microsoft OneDrive (formerly known as
SkyDrive) functionality.

To maintain network or local file and printer systems, it is essential to understand how to safeguard these
systems and make them operate as efficiently and effectively as possible. This includes setting up File
permissions (previously known as NTFS permissions), compressing and managing shared folders and files,
and configuring printers.

Objectives
After completing this module, you will be able to:

Implement file access management in Windows 8.1.

Configure and manage shared folders.

Configure file compression in Windows 8.1.

Describe the purpose and functionality of OneDrive.

Configure and manage printers.

Lesson 1

Managing File Access

One of the most common ways that users access data is from network file shares. You control access to
file shares with a combination of share permissions and File permissions, and understanding how to
determine the resulting effective permissions is essential to securing your files.
You can use File permissions to define the level of access that users have to files, whether they reach
them across a network or locally on a Windows 8.1 computer. This lesson explores File permissions,
describes the tools for managing files and folders, and explains the effect that copying and moving files
and folders has on these permissions.

Lesson Objectives
After completing this lesson, you will be able to:

Describe how to configure local security permissions.

Describe the concept of permission inheritance.

Describe the tools for managing file and folder access.

Configure local security permissions for files and folders.

Determine effective access for a file or folder.

Describe how copying and moving files and folders affect access.

Describe effective permissions.

Implement conditions to limit file and folder access.

Configuring Local Security Permissions


Permission is the authorization to perform an
operation on a specific object, such as a file.
The object's owner, or anyone with authority
to grant permissions, can do so. This typically
includes system administrators. If you own an
object, you can grant any user or security group
any permission on that object, including the
permission to take ownership.

Every container and object on a network has a set of access-control information attached to it.
Known as a security descriptor, this information controls the type of access allowed to users and
groups. You can define permissions within an object's security descriptor and then associate them with or
assign them to specific users and groups.
File and folder permissions define the type of access that you grant to a user, group, or computer. For
example, you can let one user read a file's contents, while you let another user make changes to that file.
Alternatively, you can prevent all other users from accessing that file. You can set similar permissions on
folders.

There are two levels of permissions:

Shared folder permissions. These allow security principals such as users to access shared resources
from across a network. Shared folder permissions only are in effect when a user accesses a resource
from a network. The next lesson covers this topic in detail.

File permissions. These are always in effect, irrespective of whether a user accesses a file by
connecting across a network or by logging on to the local machine where the resource is located. You
can grant File permissions to a file or folder for a named group or user.

Each NTFS file and folder has an access control list (ACL) with a list of users and groups who have
permissions on the file or folder. Each entry in the ACL is an access control entry that identifies the specific
permissions granted to a user or group.
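
The following Windows PowerShell script is an added example, not part of the course. It reads the ACL
described above from a scratch folder, adds an explicit Allow entry and an explicit Deny entry, and shows
how both entries propagate to a file created beneath the folder. It assumes a scratch folder under %TEMP%
and uses the local Guest account as a placeholder principal; substitute a real user or group, and run it
from an elevated prompt on a test machine, because Set-Acl rewrites the folder's DACL.

```powershell
# Added example (not part of the course): read a folder's security descriptor and
# add explicit ACEs with Get-Acl / Set-Acl. Assumptions: $Path is a scratch folder
# under %TEMP% and $Account is a placeholder principal; substitute a real user or
# group. Run it in an elevated prompt on a test machine.
$Path    = Join-Path $env:TEMP 'AclDemo'
$Account = "$env:COMPUTERNAME\Guest"    # assumed principal; exists on every Windows 8.1 install

New-Item -ItemType Directory -Path $Path -Force | Out-Null

function Get-Dacl {
    # One row per access control entry: who, which rights, allow or deny, and
    # whether the entry is inherited from the parent or set explicitly here.
    param([string]$Folder)
    (Get-Acl -Path $Folder).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType,
                      IsInherited, InheritanceFlags, PropagationFlags
}

'Owner: {0}' -f (Get-Acl -Path $Path).Owner
Get-Dacl $Path | Format-Table -AutoSize

# Explicit Allow ACE: Modify on this folder and, through inheritance, on the
# subfolders (ContainerInherit) and files (ObjectInherit) created beneath it.
$allow = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $Account, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')

# Explicit Deny ACE for Delete. Windows orders explicit Deny entries ahead of
# explicit Allow entries, so this wins even though Modify includes Delete.
$deny = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $Account, 'Delete', 'ContainerInherit, ObjectInherit', 'None', 'Deny')

$acl = Get-Acl -Path $Path
$acl.AddAccessRule($allow)
$acl.AddAccessRule($deny)
Set-Acl -Path $Path -AclObject $acl

"After adding Modify (Allow) and Delete (Deny) for ${Account}:"
Get-Dacl $Path | Format-Table -AutoSize

# A file created afterwards inherits both entries; IsInherited is True on it.
$child = Join-Path $Path 'inherited.txt'
Set-Content -Path $child -Value 'test'
Get-Dacl $child | Where-Object { $_.IdentityReference -like "*$($Account.Split('\')[-1])" } |
    Format-Table -AutoSize

# The same descriptor as icacls prints it: (OI)(CI) are the inheritance flags above.
icacls.exe $Path
```

Because the Deny entry sits ahead of the Allow entry in the canonical order, the account can create and
change files under the folder but cannot delete them, which is the behaviour to expect whenever a Deny
appears in the list: it is evaluated before any Allow for the same principal or its groups.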

Conflicts Between User Rights and Permissions

User rights allow administrators to assign specific privileges and logon rights to groups or users. These
rights authorize users to perform specific actions, such as logging on to a system interactively or backing
up files and directories. User rights are different from permissions: user rights apply to user accounts,
whereas permissions are attached to objects.

Administrators can employ user rights to manage who has the authority to perform operations that span
an entire computer rather than a particular object. Administrators assign user rights to individual users or
groups as part of a computer's security settings. Although you can manage user rights centrally through
Group Policy, Windows 8.1 applies user rights locally. Users can, and usually do, have different user rights
on different computers.
Unlike permissions, which an object's owner (or a user with appropriate permissions) grants, you assign
user rights as part of a computer's local security policy.

There are two types of user rights: privileges, such as the right to back up files and directories, and logon
rights, such as the right to log on to a system locally.

Possible Scenarios
Conflicts between rights and permissions typically occur only where the rights that are required to
administer a system overlap with resource-ownership rights. When there is a conflict, rights override
permissions.

For example, to create a backup of files and folders, backup software must be able to traverse all folders
in an NTFS volume, list the contents of each folder, read the attributes of every file, and read data in any
file that has its archive attribute set. It is impractical to arrange this access by coordinating with the owner
of every file and folder. Therefore, the required rights are included in the Back up files and directories
user right, which is assigned by default to two built-in groups: Administrators and Backup Operators. Any
user who has this right can access all files and folders on the computer to back up the system. The same
user rights that allow members of the Backup Operators group to back up and restore files also enable
them to use the group's rights for other purposes, such as reading another user's files or restoring a
Trojan horse program over a system file. Therefore, you should limit the Backup Operators group to
highly trusted user accounts that require the ability to back up and restore computers.

The ability to take ownership of files and other objects is another case where an administrator's need to
maintain a system takes priority over an owner's right to control access. Normally, you can take ownership
of an object only if its current owner grants you permission to do so. Owners of NTFS objects can allow
another user to take ownership by granting the other user Take Ownership permission. Owners of Active
Directory Domain Services (AD DS) objects can grant another user the Modify Owner permission. A user
who has the Take ownership of files or other objects user right, however, can take ownership of an object
without the current owner's permission. By default, the right is assigned only to the built-in Administrators
group. Administrators typically use this to take and reassign ownership of resources for which the current
owner is no longer available.
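
Because these two user rights let their holders bypass file permissions, it is worth checking periodically
who holds them. The following is an added example written for this page, not part of the course material:
it exports the local security policy with secedit.exe (built into Windows) and lists the accounts that hold
SeBackupPrivilege (Back up files and directories), SeRestorePrivilege (Restore files and directories) and
SeTakeOwnershipPrivilege (Take ownership of files or other objects). The function name and the
temporary file name are this example's own choices; the session must be elevated.

```powershell
# Added example (not from the course text): list the holders of the user rights
# discussed above on the local computer so that they can be reviewed against policy.
# Requires an elevated Windows PowerShell session; secedit.exe ships with Windows.

function Get-LocalUserRightHolders {
    param(
        # Internal privilege names as they appear in the exported security template.
        [string[]]$Privilege = @('SeBackupPrivilege', 'SeRestorePrivilege', 'SeTakeOwnershipPrivilege')
    )
    $cfg = Join-Path $env:TEMP ('userrights-{0}.inf' -f [guid]::NewGuid())
    try {
        # Export only the user rights area. The [Privilege Rights] section lists each
        # right on one line, e.g.  SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
        & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $lines = Get-Content -Path $cfg
        foreach ($p in $Privilege) {
            $line = $lines | Where-Object { $_ -match ('^{0}\s*=' -f [regex]::Escape($p)) } |
                Select-Object -First 1
            $holders = @()
            if ($line) {
                $holders = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
                    $entry = $_.Trim().TrimStart('*')
                    if ($entry -like 'S-1-*') {
                        # Translate SIDs to account names where possible; keep the SID otherwise.
                        try {
                            (New-Object System.Security.Principal.SecurityIdentifier $entry).Translate(
                                [System.Security.Principal.NTAccount]).Value
                        } catch { $entry }
                    } else { $entry }
                }
            }
            [pscustomobject]@{ Privilege = $p; Holders = $holders }
        }
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

# Typical use: by default only Administrators and Backup Operators should appear
# for SeBackupPrivilege; anything else is a candidate for review.
Get-LocalUserRightHolders | Format-Table -AutoSize
```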

Types of File Permissions


The two types of File permissions are standard and special:

Standard permissions are the most commonly used permissions.

Special permissions provide a finer degree of control for assigning access to files and folders.
However, special permissions are more complex to manage than standard permissions.

Standard File and Folder Permissions


The following table lists the standard file and folder permissions. You can choose whether to allow or
deny each of the permissions.

File permissions and descriptions:

Full Control. Complete control of the file or folder and control of permissions.

Modify. Read/write permission; this applies to an object and any child objects by default. The specific
permissions that make up Modify permissions are Traverse Folder/Execute File, List Folder/Read Data,
Read Attributes, Read Extended Attributes, Create Files/Write Data, Create Folders/Append Data, Write
Attributes, Write Extended Attributes, Delete, and Read Permissions.

Read and Execute. With this permission, you can see folder content, read files, and start programs; this
applies to an object and any child objects by default. The specific permissions that make up Read and
Execute permissions are Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read
Extended Attributes, and Read Permissions.

Read. Read-only permission; this applies to an object and any child objects by default. The specific
permissions that make up Read permissions are List Folder/Read Data, Read Attributes, and Read
Extended Attributes.

Write. With this permission, you can change folder and file content; this applies to an object and any
child objects by default. The specific permissions that make up Write permissions are Create Files/Write
Data, Create Folders/Append Data, Write Attributes, and Write Extended Attributes.

Special permissions. A custom configuration.

Note: Groups or users that are granted Full Control on a folder can delete any files in that
folder, regardless of the permissions protecting the file.

To modify File permissions, you must have the Full Control File permission for a folder or file. The one
exception is for file and folder owners. The owner of a file or folder can modify File permissions, even if
they do not have any current File permissions. Administrators can take ownership of files and folders to
make modifications to File permissions.
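
The composition of the standard permissions can be checked directly against the .NET FileSystemRights
enumeration that Get-Acl and Set-Acl expose. The following is an added example written for this page,
not part of the course material: it expands each standard permission into the special permissions that
make it up, using the course table's names for the special permissions. It goes slightly beyond the table
in that it also reports the Synchronize right, which Windows includes in every standard permission
except Write but which the table does not list. The function and variable names are this example's own.

```powershell
# Added example (not from the course text): expand a standard NTFS permission into
# the special permissions that make it up, using the FileSystemRights enumeration.

# Bit value of each special permission in FileSystemRights, labelled as in the course table.
$SpecialPermissionNames = [ordered]@{
    0x000020 = 'Traverse Folder/Execute File'
    0x000001 = 'List Folder/Read Data'
    0x000080 = 'Read Attributes'
    0x000008 = 'Read Extended Attributes'
    0x000002 = 'Create Files/Write Data'
    0x000004 = 'Create Folders/Append Data'
    0x000100 = 'Write Attributes'
    0x000010 = 'Write Extended Attributes'
    0x000040 = 'Delete Subfolders and Files'
    0x010000 = 'Delete'
    0x020000 = 'Read Permissions'
    0x040000 = 'Change Permissions'
    0x080000 = 'Take Ownership'
    0x100000 = 'Synchronize'   # present in Read, Read and Execute, Modify and Full Control; not in the course table
}

function Get-SpecialPermission {
    param([Parameter(Mandatory)][System.Security.AccessControl.FileSystemRights]$Rights)
    $value = [int]$Rights
    foreach ($entry in $SpecialPermissionNames.GetEnumerator()) {
        # Emit the name of every special permission whose bit is set in $Rights.
        if (($value -band $entry.Key) -eq $entry.Key) { $entry.Value }
    }
}

# Print each standard permission, its numeric value and its components.
foreach ($standard in 'Read', 'Write', 'ReadAndExecute', 'Modify', 'FullControl') {
    $value = [int][System.Security.AccessControl.FileSystemRights]$standard
    $parts = (Get-SpecialPermission -Rights $standard) -join ', '
    '{0,-15} 0x{1:X6}: {2}' -f $standard, $value, $parts
}
```

The same function can be pointed at a real entry, for example `Get-SpecialPermission -Rights (Get-Acl
C:\Data).Access[0].FileSystemRights`, to see exactly what a custom (special) entry grants.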

Special File and Folder Permissions

Special permissions give you a finer degree of control for assigning access to files and folders. However,
special permissions are more complex to manage than standard permissions. The following table defines
the special permissions for which you can provide custom configuration for each file and folder.
File permissions and descriptions:

Traverse Folder/Execute File. The Traverse Folder permission applies only to folders and allows or denies
a user permission to move through folders to reach other files or folders, even if the user does not have
permissions for the traversed folders. Traverse Folder takes effect only when you do not grant the Bypass
Traverse Checking user right to a group or user. The Bypass Traverse Checking user right is configured
with the other user rights in the Group Policy snap-in. By default, the Everyone group is given the Bypass
Traverse Checking user right.
The Execute File permission applies only to files and allows or denies running program files. If you set the
Traverse Folder permission on a folder, the Execute File permission is not set automatically on all files in
that folder.

List Folder/Read Data. The List Folder permission allows or denies a user permission to view file names
and subfolder names in a folder. The List Folder permission applies only to folders and affects only the
contents of that folder. This permission is not affected if the folder on which you are setting the
permission is listed in the folder list.
The Read Data permission applies only to files, and it allows or denies a user permission to view data in
files.

Read Attributes. The Read Attributes permission allows or denies a user permission to view the attributes
of a file or folder, such as the read-only and hidden attributes. NTFS defines the attributes.

Read Extended Attributes. The Read Extended Attributes permission allows or denies a user permission to
view the extended attributes of a file or folder. Programs define extended attributes, and they can vary
by program.

Create Files/Write Data. The Create Files permission applies only to folders, and it allows or denies a user
permission to create files in the folder.
The Write Data permission applies only to files, and it allows or denies a user permission to make changes
to the file and overwrite existing content.

Create Folders/Append Data. The Create Folders permission applies only to folders, and it allows or
denies a user permission to create folders in the folder.
The Append Data permission applies only to files, and it allows or denies a user permission to make
changes to the end of the file, but not to change, delete, or overwrite existing data.

Write Attributes. The Write Attributes permission allows or denies a user permission to change the
attributes of a file or folder, such as read-only or hidden. NTFS defines the attributes.
The Write Attributes permission does not imply that you can create or delete files or folders. It includes
only the permission to make changes to the attributes of a file or folder.

Write Extended Attributes. The Write Extended Attributes permission allows or denies a user permission
to change the extended attributes of a file or folder. Programs define the extended attributes, which can
vary by program.
The Write Extended Attributes permission does not imply that a user can create or delete files or folders.
It includes only the permission to make changes to the extended attributes of a file or folder.

Delete Subfolders and Files. The Delete Subfolders and Files permission applies only to folders and allows
or denies a user permission to delete subfolders and files, even if you do not grant Delete permission on
the subfolder or file.

Delete. The Delete permission allows or denies a user permission to delete the file or folder. If you do
not have the Delete permission on a file or folder, you can still delete the file or folder if you have the
Delete Subfolders and Files permission on the parent folder.

Read Permissions. The Read Permissions permission allows or denies a user permission to read the
permissions on a file or folder, such as Full Control, Read, and Write.

Change Permissions. The Change Permissions permission allows or denies a user permission to change
the permissions on a file or folder, such as Full Control, Read, and Write.

Take Ownership. The Take Ownership permission allows or denies a user permission to take ownership of
a file or folder. The owner of a file or folder can change permissions on it regardless of any existing
permissions that protect the file or folder.

Conditions

In Windows 8.1, you can assign conditions that must be met for a permission to take effect. You can base
conditions on group memberships or the device with which a user accesses a file or folder. When viewing
the File permissions for a file or folder, the applied conditions are listed in the Condition column in the
Advanced Security Settings for <file/foldername>.

When you use a Group condition, you can specify that the permission will apply to the user based on
the following group membership rules:
o Member of Any of the specified groups.
o Member of Each of the specified groups.
o Not Member of Any of the specified groups.
o Not Member of Each of the specified groups.

When you use a Device condition, you can specify that the permission will apply if a user accesses the
file from a specified computer or computers. The following topic explains this condition further.

You can specify multiple conditions for the configured permission to apply. For example, you can create a
permission that would give members of the Financial group Full Control permissions if they also are
members of the Managers group and are accessing the folder from <computername>.


Overview of Permission Inheritance


There are two types of permissions:

Explicit permissions. Permissions that are set by default on nonchild objects when an object is created,
or by user action on nonchild, parent, or child objects.

Inherited permissions. Permissions that propagate to an object from a parent object. Inherited
permissions ease the task of managing permissions and ensure the consistency of permissions among all
objects within a given container.

Permission inheritance allows the File Permissions that are set on a folder to apply automatically to files
that users create in that folder and its subfolders. This means that you can set File Permissions for an
entire folder structure at a single point. If you have to modify the permissions, you then only have to
perform the change at that single point.

For example, when you create a folder called MyFolder, all subfolders and files created within MyFolder
automatically inherit that folder's permissions. Therefore, MyFolder has explicit permissions, while all
subfolders and files within it have inherited permissions.

You also can add permissions to files and folders below an initial point of inheritance without modifying
the original permissions assignment. This grants a specific user or group different access than the
inherited permissions.

Inheritance for All Objects

If the Allow or Deny check boxes that are associated with each of the permissions appear shaded, a file or
folder has inherited permissions from its parent folder. There are three ways to make changes to inherited
permissions:

Make changes to a parent folder, and then the file or folder will inherit these permissions.

Select the opposite permission (Allow or Deny) to override the inherited permission.

Choose not to inherit permissions from a parent object. You then can make changes to the
permissions or remove a user or group from the permissions list of the file or folder.

You also can deny permissions explicitly. For example, Alice might not want Bob to be able to read her
file even though he is a member of the Marketing group. She can exclude Bob by explicitly denying him
permission to read the file. Normally, this is how you use explicit denial to exclude a subset (such as
Bob) from a larger group (such as Marketing) that is granted permission to perform an operation.

Note that while possible, the use of explicit denials increases the complexity of the authorization policy,
which can create unexpected errors. For example, you might want to allow domain administrators to
perform an action but deny domain users. If you attempt to implement this by explicitly denying domain
users, you also deny any domain administrators who also are domain users. Though it is sometimes
necessary, you should avoid the use of explicit denials.
In most cases, Deny overrides Allow unless a folder inherits conflicting settings from different parents. In
that case, the setting inherited from the parent closest to the object in the subtree will have precedence.
Note: Inherited Deny permissions do not prevent access to an object if the object has an
explicit Allow permission entry. Explicit permissions take precedence over inherited permissions,
even inherited Deny permissions.


Child objects only inherit permissions that they are capable of inheriting. When you set permissions on a
parent object, you can decide whether folders, subfolders, and files can inherit permissions. Perform the
following procedure to assign permissions that can be inherited:
1. In File Explorer, right-click the file or subfolder, click Properties, click the Security tab, and then click
   Advanced.
2. In the Advanced Security Settings for <file or folder> dialog box, the Inherited From column lists
   from where the permissions are inherited. The Applies To column lists the folders, subfolders, or files
   to which the permissions are applied.
3. Double-click the user or group for which you want to adjust permissions.
4. In the Permissions Entry for <name> dialog box, click the Applies to drop-down list, and then
   select one of the following options:
   o This folder only
   o This folder, subfolders, and files
   o This folder and subfolders
   o This folder and files
   o Subfolders and files only
   o Subfolders only
   o Files only
5. Click OK in the Permission Entry for <name> dialog box, click OK in the Advanced Security
   Settings for <name> dialog box, and then click OK in the Properties dialog box.
If the Special permissions entry in Permissions for <User or Group> box is shaded, it does not
imply that this permission is inherited. Rather, this means that a special permission is selected.

Preventing Permission Inheritance

After you set permissions on a parent folder, new files and subfolders that are created in the folder inherit
these permissions. You can block permission inheritance to restrict access to these files and subfolders. For
example, you can assign all Accounting users the Modify permission to the ACCOUNTING folder. On the
subfolder WAGES, you can block inherited permissions and grant only a few specific users access to the
folder.
Note: When permission inheritance is blocked, you have the option to copy existing
permissions or begin with blank permissions. If you only want to restrict a particular group or
user, then copying existing permissions simplifies the configuration process.

To prevent a child file or folder from inheriting permissions from a parent folder, select This folder only in
the Applies to drop-down list when you set up permissions for the parent folder.
To prevent a folder or file from inheriting permissions from a parent folder, perform the following
procedure:
1. In File Explorer, right-click the file or subfolder, click Properties, click the Security tab, and then click
   Advanced.
2. In the Advanced Security Settings for <file or folder> dialog box, click Disable inheritance.
3. In the Block Inheritance dialog box, select one of the following options:
   o Convert inherited permissions into explicit permissions on this object
   o Remove all inherited permissions from this object
   o Cancel
4. Click OK in the Advanced Security Settings for <name> dialog box, and then click OK in the
   Properties dialog box.

Forcing Permission Inheritance


The Advanced Security dialog box for folders includes a check box labeled Replace all child object
permission entries with inheritable entries from this object. Selecting this check box will replace the
permissions on all child objects that you have the ability to change permissions on, including child objects
that had Block inheritance configured. This can be particularly useful if you need to change permissions
on a large number of subfolders and files, especially when the original permissions were set incorrectly.
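
The inheritance operations described in this topic (blocking inheritance while converting the inherited
entries to explicit ones, narrowing access on the protected subfolder, and then forcing inheritable entries
back down the tree) can all be scripted. The following is an added example written for this page, not
part of the course material. It builds a small ACCOUNTING\WAGES tree under %TEMP% (the names come
from the scenario above; the tree is created and removed by the script), uses the built-in BUILTIN\Users
group so the identity resolves on any Windows computer, and uses icacls /reset as the command-line
counterpart of the Replace all child object permission entries check box. The function names are this
example's own.

```powershell
# Added example (not from the course text): block, narrow and then re-force permission
# inheritance with Get-Acl/Set-Acl on a sample folder tree created under %TEMP%.

$root  = Join-Path $env:TEMP 'ACCOUNTING'
$wages = Join-Path $root 'WAGES'
New-Item -ItemType Directory -Path $wages -Force | Out-Null
New-Item -ItemType File -Path (Join-Path $wages 'payroll.txt') -Force | Out-Null

function Protect-FolderAcl {
    param([string]$Path, [bool]$KeepInheritedAsExplicit = $true)
    $acl = Get-Acl -Path $Path
    # First argument $true = "Disable inheritance". The second argument chooses between
    # "Convert inherited permissions into explicit permissions" ($true) and
    # "Remove all inherited permissions" ($false).
    $acl.SetAccessRuleProtection($true, $KeepInheritedAsExplicit)
    Set-Acl -Path $Path -AclObject $acl
}

function Grant-FolderAccess {
    param([string]$Path, [string]$Identity, [System.Security.AccessControl.FileSystemRights]$Rights)
    $acl  = Get-Acl -Path $Path
    # ContainerInherit + ObjectInherit is "This folder, subfolders, and files" in the Applies to list.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# 1. Block inheritance on WAGES but keep copies of the inherited entries as explicit entries.
Protect-FolderAcl -Path $wages
# 2. Give one group a narrower right on WAGES than it would otherwise inherit.
Grant-FolderAccess -Path $wages -Identity 'BUILTIN\Users' -Rights ReadAndExecute

# 3. Inspect the result: AreAccessRulesProtected is True once inheritance is blocked,
#    and every entry on WAGES now reports IsInherited = False.
$acl = Get-Acl -Path $wages
'Inheritance blocked on WAGES: {0}' -f $acl.AreAccessRulesProtected
$acl.Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

# 4. Counterpart of "Replace all child object permission entries with inheritable entries
#    from this object": icacls /reset /t re-enables inheritance on every child of $root
#    and discards the children's explicit entries.
& icacls.exe $root /reset /t /q | Out-Null
'Inheritance blocked on WAGES after reset: {0}' -f (Get-Acl -Path $wages).AreAccessRulesProtected

Remove-Item -Path $root -Recurse -Force
```

Step 4 is deliberately destructive: it discards every explicit entry below the folder, including ones that
were set on purpose, which is why the dialog box warns before applying the check box.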

Tools for Managing File and Folder Access


File access is based on File Permissions set in ACLs. To use permissions to control access, you need a way
to set permissions on files and folders. A number of tools are available for managing access to files and
folders. This topic will describe the following tools:

File Explorer, formerly known as Windows Explorer

The Windows PowerShell command-line interface

Icacls

File Explorer

File Explorer provides a simple interface that is familiar to most Windows users. You can perform several
functions by using File Explorer, including:

Creating files and folders

Accessing files and folders

Managing properties of files and folders

Searching for content in files and folders

Previewing contents of files and folders

File Explorer is pinned to the taskbar by default in Windows 8.1. You can use File Explorer to access the
properties of any file or folder that is attached to a local computer if you have the rights to do so. You can
manage the attributes and local security File permissions of those files and folders.
The toolbar in File Explorer is context sensitive such that when you click a particular type of object, like a
document or a bitmap image, the toolbar presents actions that you can perform on that type of object.

Windows PowerShell


Windows PowerShell provides cmdlets to manage files and folders. To manage File Permissions, you can
use the Get-ACL and Set-ACL cmdlets. For example, to see the current ACL on the C:\Perflogs directory
with the output in list format, you would run the following command:
Get-ACL C:\perflogs | Format-List

To modify the ACL of a file or folder, use the Set-ACL cmdlet in conjunction with the Get-ACL cmdlet.
The Get-ACL cmdlet provides the input by getting the object that represents the ACL of the file or folder.
Then the Set-ACL cmdlet changes the ACL of the target file or folder to match the values supplied by
the Get-ACL cmdlet. For example, to set the ACL on the folder C:\Qtr1_Sales to match the permissions,
including inheritance settings, on a folder named C:\Qtr2_Sales, you would run the following command:
Get-ACL C:\Qtr2_Sales | Set-ACL C:\Qtr1_Sales

You also can create variables and arguments to modify existing ACLs.
For more information on the Set-ACL cmdlet, refer to:
Set-Acl
http://go.microsoft.com/fwlink/?LinkId=378245&clcid=0x409

Icacls
Icacls is a command-line utility to display or modify ACLs. It can grant standard permissions such
as Modify or Full Control, or specific permissions such as Write Data/Add File or Delete, and it can
modify inheritance settings. For example, to disable inheritance, remove the inherited ACLs, and set
new permissions for the Adatum\Sales group to be Modify and the Administrators group to be Full
Control on the folder C:\Data and all the objects in the folder, you would run the following command:
Icacls C:\data /inheritance:r /grant Adatum\Sales:(oi)M /grant Administrators:(oi)F

Where (oi) instructs Icacls to have objects in the folder inherit the Modify permission.
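
Get-Acl is also the right tool for reviewing permissions at scale rather than setting them. The following is
an added example written for this page, not part of the course material: it walks a folder tree, reports
every Allow entry that gives one of the broad groups (Everyone, Authenticated Users, BUILTIN\Users)
a write-level right, and records whether inheritance is blocked on that folder, which is where
unexpected entries usually hide. The groups are matched by well-known SID so the check works
regardless of display language. The function name is this example's own, and C:\Data is a placeholder
for the tree under review. Note also that the icacls command above uses only (oi); add (ci) (container
inherit) if subfolders, and not just files, should receive the entry.

```powershell
# Added example (not from the course text): find broad write access and blocked
# inheritance across a folder tree using Get-Acl.

function Find-BroadWriteAccess {
    param([Parameter(Mandatory)][string]$Path)
    # Everyone, Authenticated Users, BUILTIN\Users
    $broadSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')
    # Any of these bits lets the holder change the content or the security of the object.
    $writeBits = [int]([System.Security.AccessControl.FileSystemRights]
        'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership')

    $folders = @(Get-Item -Path $Path) +
               @(Get-ChildItem -Path $Path -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($folder in $folders) {
        $acl = Get-Acl -Path $folder.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }   # access denied or reparse point; skip silently
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            try {
                $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            } catch { continue }      # orphaned SID that cannot be translated
            if ($broadSids -notcontains $sid) { continue }
            # Entries written with generic rights carry other bits and will not match this test.
            if (([int]$ace.FileSystemRights -band $writeBits) -eq 0) { continue }
            [pscustomobject]@{
                Folder             = $folder.FullName
                Identity           = $ace.IdentityReference.Value
                Rights             = $ace.FileSystemRights
                Inherited          = $ace.IsInherited
                InheritanceBlocked = $acl.AreAccessRulesProtected
            }
        }
    }
}

# Example use; compare the output with the intended design of the share.
Find-BroadWriteAccess -Path 'C:\Data' | Format-Table -AutoSize
```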

Demonstration: Configuring Local Security Permissions for Files and Folders

In this demonstration, you will see how to configure File Permissions.

Demonstration Steps
Create a new folder
1. On LON-CL1, start File Explorer.
2. Open the E:\Labfiles\Mod09 folder.
3. Create a folder named Adatum.

Disable inherited permissions on the Adatum folder
1. Open the Advanced security settings for the Adatum folder.
2. Disable inheritance for the Adatum folder, and then convert the inherited permissions to explicit
   permissions.
3. Apply the change.
4. Note the change in the Inherited From column. Note the contents of the Applies To column.

Create a file in the Adatum folder
1. In the Advanced Security Settings for Adatum dialog box, click OK.
2. Open the Adatum folder, and then create a new file named PermissionsTest.txt.

Examine the permissions on the PermissionsTest file
1. Open the Advanced security settings for the PermissionsTest file.
2. Review the permissions on the PermissionsTest file.

Grant managers Modify permissions on the PermissionsTest file
1. Add the Managers group, and then grant them Modify permissions to the PermissionsTest file.
2. Note the Managers permission and from where it is inherited.
3. Close all open windows.
4. Keep the virtual machines running for the next demonstration.

Determining Effective Access for a File or Folder


Each file and folder contains user and group permissions. Windows 8.1 determines a file or folder's
effective permissions by combining its user and group permissions. For example, if you assign the Read
permission to a user and assign the Modify permission to a group that the user is a member of, the
effective permissions of the user are Modify.
Note: When you combine permissions, a
Deny permission takes precedence and overrides
an Allow permission.

Effective Permissions Feature


The Effective Permissions feature determines the permissions a user or group has on an object by
calculating the permissions that are granted to the user or group. The calculation takes into account
the permissions in effect from group membership and any of the permissions inherited from the parent
object. It looks up all domain and local groups in which the user or group is a member.
Note: The Effective Permissions feature always includes the Everyone group when
calculating effective permissions, as long as the selected user or group is not a member of the
Anonymous Logon group.

The Effective Permissions feature only produces an approximation of the permissions that a user has. The
actual permissions a user has might be different because permissions can be granted or denied based on
how a user logs on. The Effective Permissions feature cannot determine this logon-specific information,
because the user might not be logged on when the calculation is made. Therefore, the effective
permissions it displays reflect only the permissions granted to the user or group, not the permissions that
depend on the logon.


For example, if a user connects to a computer through a file share, the logon for that user is marked as a
Network Logon. You then can grant or deny permissions to the well-known security identifier Network
that the connected user receives. This way, a user has different permissions when logged on locally than
when logged on over a network.

You can view effective permissions in the Advanced Security Settings for <folder> dialog box. You can
access this dialog box from a folder's Properties dialog box by using the Advanced button on the Security
tab, or directly from the Share menu on the ribbon.
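
The rules stated in this lesson (Deny beats Allow, explicit entries beat inherited ones, the result is the
union of what the user and all of its groups are granted) can be reproduced in a few lines. The following
is an added example written for this page, not part of the course material: a small evaluator that takes
the entries of an ACL and the list of principals a user carries, orders the entries the way the access check
does (explicit Deny, explicit Allow, inherited Deny, inherited Allow) and decides each right by the first
entry that mentions it. Like the Effective Permissions feature, it ignores logon-type SIDs such as Network
and it ignores share permissions. The ADATUM identities and the sample entries are constructed for the
example; the function name is this example's own.

```powershell
# Added example (not from the course text): approximate effective NTFS rights for a user
# from the ACL entries that apply to the user and its groups.

function Get-ApproximateEffectiveRights {
    param(
        # Objects with IdentityReference, FileSystemRights, AccessControlType and IsInherited,
        # e.g. (Get-Acl $path).Access, or constructed records as in the sample below.
        [Parameter(Mandatory)][object[]]$Access,
        # The user plus every group the user belongs to, as 'DOMAIN\Name' strings.
        [Parameter(Mandatory)][string[]]$Principals
    )
    # Canonical order: explicit before inherited, and within each, Deny before Allow.
    $ordered = $Access |
        Where-Object { $Principals -contains $_.IdentityReference.ToString() } |
        Sort-Object @{ Expression = { [bool]$_.IsInherited } },
                    @{ Expression = { $_.AccessControlType.ToString() -eq 'Allow' } }
    $decided = 0   # bits already settled by an earlier (higher-precedence) entry
    $granted = 0
    foreach ($ace in $ordered) {
        # Only bits that no earlier entry has decided are affected by this entry.
        $bits = [int]$ace.FileSystemRights -band (-bnot $decided)
        if ($ace.AccessControlType.ToString() -eq 'Allow') { $granted = $granted -bor $bits }
        $decided = $decided -bor $bits
    }
    [System.Security.AccessControl.FileSystemRights]$granted
}

# Constructed sample ACL for one folder (not taken from a real system).
$fsr = [System.Security.AccessControl.FileSystemRights]
$sampleAccess = @(
    [pscustomobject]@{ IdentityReference = 'ADATUM\Sales'; FileSystemRights = $fsr::Write
                       AccessControlType = 'Allow'; IsInherited = $false }
    [pscustomobject]@{ IdentityReference = 'ADATUM\Sales'; FileSystemRights = $fsr::Modify
                       AccessControlType = 'Deny';  IsInherited = $true }
    [pscustomobject]@{ IdentityReference = 'ADATUM\Users'; FileSystemRights = $fsr::Read
                       AccessControlType = 'Allow'; IsInherited = $true }
)

# User1 is in Users and Sales: the explicit Allow keeps Write; the inherited Deny then
# blocks every other bit of Modify, so the inherited Read never takes effect. Result: Write.
Get-ApproximateEffectiveRights -Access $sampleAccess -Principals 'ADATUM\User1', 'ADATUM\Users', 'ADATUM\Sales'
# User2 is only in Users: nothing explicit applies, so the inherited Read is the result. Result: Read.
Get-ApproximateEffectiveRights -Access $sampleAccess -Principals 'ADATUM\User2', 'ADATUM\Users'
```

Against a real folder, pass `-Access (Get-Acl C:\Data).Access` and the user's group list (for a domain
user, the groups reported by `whoami /groups` on that user's session are the ones that matter).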

How Does Copying and Moving Files and Folders Affect Access?
When copying or moving a file or folder, the
permissions might change, depending on where
you move the file or folder. Therefore, when you
copy or move files or folders, it is important to
understand the impact on permissions.

Effects of Copying Files and Folders


When you copy a file or folder from one folder
to another, or from one partition to another,
permissions for the files or folders might change.
Copying a file or folder has the following effects
on File Permissions:

When you copy a file or folder within a single NTFS partition, the copy of the folder or file inherits the
permissions of the destination folder.

When you copy a file or folder to a different NTFS partition, the copy of the folder or file inherits the
permissions of the destination folder.

When you copy a file or folder to a non-NTFS partition, such as a FAT file system partition, the copy
of the folder or file loses its File Permissions because non-NTFS partitions do not support File
Permissions.

Note: When you copy a file or folder within a single NTFS partition or between NTFS
partitions, you must have Read permission for the source folder and Write permission for the
destination folder.

Effects of Moving Files and Folders

When moving a file or folder, permissions might change, depending on the permissions of the destination
folder. Moving a file or folder has the following effects on File Permissions:

When you move a file or folder within an NTFS partition, the file or folder inherits the permissions of
the new parent folder. If the file or folder has explicitly assigned permissions, those permissions are
retained, in addition to the newly inherited permissions.

Note: Most files do not have explicitly assigned permissions. Instead, they inherit
permissions from their parent folder. If you move files that have only inherited permissions, they
do not retain these inherited permissions during the move.


When you move a file or folder to a different NTFS partition, the folder or file inherits the permissions
of the destination folder. When you move a folder or file between partitions, Windows 8.1 copies the
folder or file to the new location and then deletes it from the old location.

When you move a file or folder to a non-NTFS partition, the folder or file loses its File Permissions
because non-NTFS partitions do not support File Permissions.

Note: When you move a file or folder within an NTFS partition or between NTFS partitions,
you must have both Write permission for the destination folder and Modify permission for the
source file or folder. Modify permission is required to move a folder or file because Windows 8.1
deletes the folder or file from the source folder after it copies it to the destination folder.

The Copy command is not aware of the security settings on folders or files. However, commands that are
more robust have this awareness. For example:

Xcopy has the /o switch to include ownership and NTFS ACL settings.

Robocopy has several switches that will cause security information to be copied:
o /Copy:copyflag(s). The default setting is the equivalent of /Copy:DAT, where D=Data, A=Attributes,
  and T=Timestamps. You can add the S flag, where S=Security, that is, NTFS ACLs.
o /Sec is the equivalent of /Copy:DATS.
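
Because a copy silently drops or changes permissions whenever the wrong tool or switch is used, it pays
to verify the result. The following is an added example written for this page, not part of the course
material: it copies a tree with robocopy /COPY:DATS (the same as /SEC) and then compares the explicit
permission entries of every source and destination object. Only explicit entries are compared, because
inherited entries legitimately differ when the destination sits under a parent with different permissions.
The function names are this example's own, and the C:\Data and D:\Data paths are placeholders.

```powershell
# Added example (not from the course text): copy a folder tree with its NTFS security
# and confirm that the explicit permission entries survived the copy.

function Get-ExplicitAceSet {
    param([Parameter(Mandatory)][string]$Path)
    # One sortable string per explicit entry; inherited entries are ignored on purpose.
    (Get-Acl -Path $Path).Access |
        Where-Object { -not $_.IsInherited } |
        ForEach-Object {
            '{0}|{1}|{2}|{3}|{4}' -f $_.IdentityReference, $_.FileSystemRights,
                $_.AccessControlType, $_.InheritanceFlags, $_.PropagationFlags
        } |
        Sort-Object
}

function Compare-ExplicitAcl {
    param([Parameter(Mandatory)][string]$Source, [Parameter(Mandatory)][string]$Destination)
    $src   = $Source.TrimEnd('\')
    $items = @(Get-Item -Path $src) + @(Get-ChildItem -Path $src -Recurse -Force)
    foreach ($item in $items) {
        $relative = $item.FullName.Substring($src.Length).TrimStart('\')
        $target   = if ($relative) { Join-Path $Destination $relative } else { $Destination }
        $srcAces  = @(Get-ExplicitAceSet -Path $item.FullName) -join "`n"
        $dstAces  = @(Get-ExplicitAceSet -Path $target) -join "`n"
        [pscustomobject]@{
            Path    = if ($relative) { $relative } else { '.' }
            Matches = ($srcAces -eq $dstAces)
        }
    }
}

function Copy-TreeWithAcl {
    param([Parameter(Mandatory)][string]$Source, [Parameter(Mandatory)][string]$Destination)
    # /E copies all subfolders; /COPY:DATS copies Data, Attributes, Timestamps and Security (NTFS ACLs).
    # The /N* switches only quiet the log output.
    & robocopy.exe $Source $Destination /E /COPY:DATS /R:1 /W:1 /NFL /NDL /NJH /NJS | Out-Null
    # Robocopy exit codes 0 to 7 are success flags; 8 and above report failures.
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }
    Compare-ExplicitAcl -Source $Source -Destination $Destination
}

# Example use: list only the objects whose explicit entries did not survive the copy.
Copy-TreeWithAcl -Source 'C:\Data' -Destination 'D:\Data' | Where-Object { -not $_.Matches }
```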

Discussion: Determining Effective Permissions


This discussion includes a scenario and three
underlying situations in which you are asked to
apply File Permissions. You and your classmates
will discuss possible solutions for each situation.

Scenario
User1 is a member of the Users group and the
Sales group. The graphic on the slide, which shows
folders and files on an NTFS partition, includes
three situations, each of which has a
corresponding discussion question.
Question: The Users group has Write
permission, and the Sales group has Read permission for Folder1. What permissions does
User1 have for Folder1?
Question: The Users group has Read permission for Folder1. The Sales group has Write
permission for Folder2. What permissions does User1 have for File2?
Question: The Users group has Modify permission for Folder1. The files in Folder2 should
only be accessible to the Sales group, and they should only have read permissions to the
files. What do you need to do to ensure that the members of the Sales group only have Read
permission to the files in Folder2?

Implementing Conditions to Limit File and Folder Access


Windows authorization and access control
technologies allow Windows Server 2012 R2 and
Windows 8.1 to employ Dynamic Access Control,
which provides detailed access to resources by
basing access decisions on conditions. The
following table lists the server-based features.

Features and descriptions:

Central access rules. Conditions based on criteria such as group membership, user claims, device claims,
or resource properties are used to create authorization rules. You then can implement rules to limit
access to resources.

Central access policies. Central access policies use conditional expressions to restrict access to certain
types of information, such as financial or medical information. You can add policies to central access
rules and then apply the rules to files that contain sensitive data.

Claims-based authentication. A claim is a piece of information that uniquely identifies a user, device, or
resource. Claims take the form of authentication tokens and might contain different types of information,
such as group memberships, security state of a computer, or classification of a file. Windows
Server 2012 R2 and Windows 8.1 support the following types of claims:
o User claims. AD DS attributes of the user.
o Device claims. AD DS attributes of the computer.
o Resource attributes. Resource properties published in AD DS.

Conditional expressions. Conditional expressions allow or deny access to resources when conditions such
as group membership are met. You can configure expressions in the properties of the file or folder, on
the Security tab, in Advanced Security Settings when you add a new permission entry or edit an existing
permission entry, or you can use the Active Directory Administrative Center.

Advanced Security Settings

Both Windows Server 2012 R2 and Windows 8.1 provide advanced security settings in the ACL Editor. You
can access these settings by opening the Security Properties of the file or folder and clicking Advanced. In
the Advanced Security Settings dialog box, adding a security principal displays the Permission Entry screen
where you can configure conditions to limit access. For example, you might set a condition that specifies
that only computers in the HR computer group can access the HR shared folder. You also can specify
conditions that file classification properties define, such as a file's business impact value. You can define
multiple conditions by using the AND or OR operators to provide specific access.

Lesson 2

Managing Shared Folders


Collaboration is an important part of an administrator's job. Your team might create documents that
only team members can share, or you might work with a remote team member who needs access to your
team's files. Because of collaboration requirements, you must understand how to manage shared folders
in a network environment.
Sharing folders enables users to connect to a shared folder over a network and to access the folders and
files that the shared folder contains.

Shared folders can contain applications, public data, or a user's personal data. Managing shared folders
helps you provide a central location for users to access common files, and it simplifies the task of backing
up data that those folders contain. This module examines various methods of sharing folders, along with
the effect this has on file and folder permissions when you create shared folders on an NTFS-formatted
partition.

Lesson Objectives
After completing this lesson, you will be able to:

Describe shared folders.

Describe methods for sharing folders.

Describe the effect of combining File permissions and share permissions.

Describe the Network and Sharing Center.

Describe how to configure HomeGroup for resource access.

What Are Shared Folders?


Sharing a folder makes it available to multiple
users simultaneously over a network. When you
share a folder, you can identify specific users with
whom you want to share the folder, or you can
share it with all users on a network. Sharing is
limited to folders. You cannot share specific files
within a folder that is not shared.
Most organizations deploy dedicated file
servers to host shared folders. You can store
files in shared folders according to categories or
functions. For example, you can put shared files
for the Sales department in one shared folder, and
shared files for executives in another.

Windows 8.1 uses the Public folder to simplify file sharing. With Public folder sharing enabled, the Public
folder and all the folders within the Public folder are shared automatically with the name Public. You do
not have to configure file sharing on separate folders. Just move or copy a file or folder that you want to
share on the network to the Public folder on your Windows 8.1 client.

In Windows 8.1, members of the Administrators, Power Users, and Server Operators groups can share
folders. Other users who are granted the Create Permanent Shared Objects user right also can share
folders. If a folder resides on an NTFS volume, you must have at least Read permission to share the folder.

When you share a folder, you must decide the permissions that a user or group will have when they
access the folder through the share. This is called sharing permissions.
Basic sharing permissions are simplified greatly in Windows 8.1, which offers two choices:

Read. The look but do not touch option. Recipients can open, but not modify or delete a file.

Read/Write. The full control option. Recipients can open, modify, or delete a file.

You can share folders with others on a network in several different ways:

In the Shared Folders snap-in to the Microsoft Management Console (MMC)

In File Explorer

Through the command line

Through the Computer Management tool

By using Windows PowerShell 4.0 cmdlets

Sharing Through Shared Folders


You can use Shared Folders to manage all file shares centrally on a computer. Use this snap-in to create
file shares, set permissions, and view and manage open files and the users who connect to a computer's
file shares. Additionally, you can view the properties for the folder, which allows you to perform
actions such as specifying File Permissions.
Using the Shared Folders snap-in presents the Create a Shared Folder Wizard when you create a new
share. By default, the share name is the same as the folder name, and all users have Read access share
permissions.

Sharing Through File Explorer


You can share a folder through File Explorer by using two options:

Using the Share with option from the shortcut menu or ribbon.

From the Sharing tab on the Properties dialog box.

Note: When sharing a folder through File Explorer the default permission assigns the
Everyone group Full Control permission. For all other methods of sharing, the default permission
assigns the Everyone group Read permission.

Using the Share with Option from the Shortcut Menu or Ribbon

The Share with option is a simple and fast way to share a folder. When you right-click a folder and then
select Share with, you get a submenu that allows you to either stop sharing the folder or share the folder
with specific people. When you share with specific people, you can select Everyone or use Find people to
share the folder with specific groups. After selecting who you want to share with, you can set either Read
or Read/Write permissions. The wizard will set the Share permissions as Everyone Full Control and the
File Permissions based on what you selected. The share name will be the same as the folder name.

Using the Sharing Tab on the Properties Dialog Box

Using the Properties dialog box provides two options. You can click the Share button, which then presents
the same dialog box as Share with Specific people, or you can click the Advanced Sharing button. When
you use Advanced Sharing, you can specify the Share name. The default is the same as the folder name,
and you can specify share permissions as Full Control, Change, or Read. Additionally, because you are in
the Properties dialog box, you can click the Security tab and set File Permissions.

Sharing Through the Command Line


You can share a folder through the command line by using the net share command, which the following
example shows in its basic form:
Net Share name=drive:path

This will create a simple share, which uses the share name that you specify and grants all users Read
permissions. Additional options are listed in the following table.
Option                  Description
/Grant:user,permission  Allows you to specify Read, Change, or Full share permissions for the
                        specified user.
/Users:number           Allows you to limit the number of users who can connect to the share.
/Remark:text            Allows you to add a comment to the share.
/Cache:option           Allows you to specify the caching options for the share.
sharename /Delete       Allows you to remove an existing share.

Sharing Through Computer Management


The Computer Management tool is a collection of MMC snap-ins that includes the Shared Folders
snap-in.

Sharing by Using Windows PowerShell 4.0 Cmdlets

Windows PowerShell 4.0 introduces several cmdlets that you can use to manage shares in Windows 8.1.
The command for creating a share by using Windows PowerShell 4.0 is:
New-SmbShare -Name ShareName -Path C:\LocalFolder

Additional Windows PowerShell commands for managing shares are listed in the following table.
Command               Description
Get-SmbShare          Gets a list of the existing shares on the computer.
Set-SmbShare          Modifies an existing share.
Remove-SmbShare       Removes an existing share.
Get-SmbShareAccess    Retrieves the share permissions for a share.
Get-Acl               Retrieves the NTFS ACL (this cmdlet is not new).
Grant-SmbShareAccess  Sets share permissions on a share.
Set-Acl               Sets the NTFS ACL for a specified resource (this cmdlet is not new).

Methods for Sharing Folders


Windows 8.1 provides two methods for sharing folders directly from your computer:

Folder sharing. Enables sharing of music, photos, and other files from any folder on your computer,
without having to move them from their current location. There are two types of folder sharing: basic
and advanced.

Public folder sharing. Public folders serve as open locations for sharing files. Copying a file into a
public folder makes it immediately available to other users on a computer or network.

Basic Folder Sharing


Basic folder sharing is the simplest form of folder sharing because it enables users to share a folder quickly
and simply. You can create basic folder shares by using the File Explorer Share with Wizard or the net
share command without any additional options.

Advanced Folder Sharing


You can use Advanced Sharing to exert more control over the folder sharing process. When you use
Advanced Sharing to share a folder, you must specify the following information:

A share name. The default name is the folder name.

The maximum number of concurrent connections to the folder. The default number is 20 concurrent
connections.

Shared folder permissions. The default permissions are Read permissions for the special group
Everyone. The permissions that are set here are only share permissions. This does not modify the
underlying File Permissions.

Caching options. The default caching option allows user-selected files and programs to be available
offline. You can disable offline files and programs, or you can configure files and programs to be
available offline automatically.

You can access Advanced Sharing by using the:

Shared Folder Wizard from the Shared Folder snap-in.

Sharing tab on the Properties dialog box.

Command line with optional settings.

Public Folder Sharing

When you turn on Public folder sharing in Windows 8.1, anyone with an account on your computer or a
PC on your network can access the contents of these folders. To share something, copy or move it into
one of the Public folders. By default, Windows 8.1 provides the following Public folders:

Documents

Music

Pictures

Videos


You can view these folders by clicking File Explorer from the Start screen, and then clicking Libraries to
expand the folders.

By default, Public folder sharing is not enabled. However, files stored in the Public folder hierarchy are
available to all users who have an account on a given computer and can log on to it locally. You can
configure Windows 8.1 to allow access to Public folders from a network in the Change advanced sharing
settings link in the Network and Sharing Center in the All Networks section. You can:

Turn on sharing so that anyone with network access can read and write files in Public folders.

Turn off Public folder sharing. Users who log on to this computer can still access these folders.

Public folder sharing does not allow you to fine-tune sharing permissions, but it does provide a simple
way to make your files available to others. When you enable Public folder sharing, the system group
Everyone is granted Full Control permissions for the share and File Permissions.

Discussion: Combining File and Share Permissions


When you create a shared folder on a partition
that is formatted with NTFS, both the shared
folder permissions and the File Permissions
combine to protect file resources. File Permissions
apply whether users access a resource locally or
over a network, but they filter against the shared
folder permissions.
When you grant shared folder permissions on an
NTFS volume, the following rules apply:

Except when using the Share with Wizard, the Everyone group is granted the Read shared folder
permission.

Users must have appropriate File Permissions for each file and subfolder in a shared folder, in
addition to the appropriate shared folder permissions, to access those resources.

When you combine File Permissions and shared folder permissions, the resulting permission is the
most restrictive one of the effective shared folder permissions or the effective File Permissions.

The share permissions on a folder apply to that folder, to all files in that folder, to subfolders, and to
all files in those subfolders when the content is accessed through the share.

Note: If the Guest user account is enabled on your computer, the Everyone group includes
anyone. As a best practice, remove the Everyone group from any permission lists, and replace it
with the Authenticated Users group.

The following analogy can be helpful in understanding what happens when you combine NTFS and
share permissions. When you are dealing with a shared folder, you must always go through the shared
folder to access its files over a network. Therefore, you can think of the shared folder permissions as a
filter that only allows users to perform those actions that are acceptable to the share permissions. All File
Permissions that are less restrictive than the share permissions filter out so that only the most restrictive
permissions remain.

For example, if a share permission is set to Read, the most that you can do is read through the share, even
if individual NTFS file permission is set to Full Control. If you configure the share permission to Modify,
you are allowed to read or modify the share. If the File Permission is set to Full Control, the share
permissions filter the effective permission to Modify.
Question: If you assign a user Full Control File Permission to a file, but the user accesses the
file through a share with Read permission, what will be the effective permissions that the user
will have on the file?
Question: If you want a user to be able to view all files in a shared folder but only be able to
modify certain files in that folder, what permissions do you give the user?
Question: Identify a scenario at your organization where it might be necessary to combine
NTFS and share permissions. What is the reason for combining permissions?
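The following added example (not code from the course) carries the Windows PowerShell 4.0 cmdlets from the earlier table through the share-plus-NTFS rule discussed here: it shares a folder with Everyone:Read and Marketing:Change share permissions, grants the Marketing group Modify NTFS permission, and then lists both layers so you can read off the effective access. The folder path is the lab's; the group name Adatum\Marketing is an assumption.

```powershell
# Added example (not part of the course). Run in an elevated Windows PowerShell
# 4.0 session on a Windows 8.1 client. The path is the lab folder; the group
# name 'Adatum\Marketing' is an assumption.
$Path      = 'E:\Labfiles\Mod09\Marketing'
$ShareName = 'Marketing'
$Group     = 'Adatum\Marketing'

if (-not (Test-Path -Path $Path)) {
    New-Item -Path $Path -ItemType Directory | Out-Null
}

# Share permissions: Everyone gets Read (the same default that net share and the
# Shared Folders snap-in apply); the Marketing group gets Change so that the share
# layer does not filter their NTFS Modify permission down to Read.
# Equivalent command line:
#   net share Marketing=E:\Labfiles\Mod09\Marketing /Grant:Everyone,Read /Grant:"Adatum\Marketing",Change
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $Path -ReadAccess 'Everyone' -ChangeAccess $Group | Out-Null
}

# NTFS permissions: give the Marketing group Modify on the folder, inherited by
# subfolders and files. Other identities keep whatever the folder already inherits.
$acl  = Get-Acl -Path $Path
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $Group, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Show both layers side by side. Through the share, the effective permission for
# each identity is the more restrictive of the two:
#   Marketing members: share Change + NTFS Modify      -> read, create, modify, delete
#   other users:       share Read   + inherited NTFS   -> read only, even where NTFS grants more
Get-SmbShareAccess -Name $ShareName |
    Format-Table AccountName, AccessControlType, AccessRight -AutoSize
(Get-Acl -Path $Path).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```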

The Network and Sharing Center


With older versions of Windows operating
systems, many different graphical interfaces and
commands were required to configure networking
and network sharing. Windows 8.1 makes this
significantly easier by providing all of the required
tools in one central location, the Network and
Sharing Center. You can access the Network and
Sharing Center through Control Panel.
It is important to be familiar with all aspects of the
Network and Sharing Center and be able to use it
to configure all types of network connections. This
topic focuses on the network sharing aspect of the
Network and Sharing Center. Module 6 of this course, Configuring Network Connectivity, covers
network-configuration topics.
The Network and Sharing Center provides the following tools:

Set up a new connection or network

Change advanced sharing settings

Troubleshoot problems

Set Up a New Connection or Network


You can customize currently active network connections and set up a new connection. Use the graphical
view of your current network to change the description and icon appearance of network components to
include more information. View and change network connection properties by clicking View Status on
the right side of the connection listing.
You can maintain the following network connections in this section:

Connect to the Internet. Set up a wireless, broadband, or dial-up connection to the Internet.

Set up a new network. Configure a new router or access point.

Set up a dial-up connection. Connect to the Internet by using a dial-up connection.

Connect to a workplace. Set up a dial-up or virtual private network connection to your workplace.

Note: You can change the network location profile between private and public. This
changes firewall and visibility settings for that network connection.

Change Advanced Sharing Settings


The Network and Sharing Center includes a Change advanced sharing settings link that you can use to
enable, disable, and change the way that various network services behave. The first time that you connect
to a network, you must choose a network location. This automatically sets the appropriate firewall,
security, and sharing settings for the type of network to which you connect.
If you connect to networks in different locations, such as from your home network, at a local coffee shop,
or at work, then choosing a network location can help ensure that your computer is always set to an
appropriate security level. When users connect to a new network, they can select one of the following
network locations in Windows 8.1:

Private. In a trusted private network, all computers on a network are in a private network, and you
recognize them. Do not choose this network location for public places such as coffee shops and
airports.

Network discovery and file and printer sharing are turned on for private networks. This allows you to
see and access other computers and devices on a network, and it allows other network users to see
and access your computer.

Guest or Public. If you do not recognize all the computers on a network (for example, you are in
a coffee shop or airport, or you have mobile broadband), then this is a public network and is not
trusted. This location helps you keep your computer from being visible to other computers around
you and helps protect your computer from any malware from the Internet. Also, choose this option
if you connect directly to the Internet without using a router or if you have a mobile broadband
connection. Network discovery and file and printer sharing are turned off.

Domain. The domain network location is for domain networks such as those in corporate workplaces.
Your network administrator typically controls this type of network location.

All Networks. These settings apply regardless of the network profile.

Windows 8.1 automatically applies correct network settings based on the network location. For each of
these network profiles, you can configure the network sharing settings found in the following table.
Feature                   Settings   Result
Network discovery         On / Off   When network discovery is on, your computer can see other network
                                     computers and devices and is visible to other network computers.
File and printer sharing  On / Off   When file and printer sharing is on, people on the network can access
                                     files and printers that you have shared from your computer.

Note: By default, Windows 8.1 uses Windows Firewall with Advanced Security. Therefore,
using another firewall might interfere with the network discovery and file sharing features.

The following table describes the All Networks settings.

Feature                    Setting                        Result
Public folder sharing      On / Off                       When Public folder sharing is on, people on a network,
                                                          including HomeGroup members, can access files in public
                                                          folders.
Media streaming            On / Off                       When media streaming is on, people and devices on a
                                                          network can access pictures, music, and videos on your
                                                          computer. Your computer also can find media on the
                                                          network.
File sharing connections   128-bit encryption /           Windows uses 128-bit encryption to help protect file
                           40-bit or 56-bit encryption    sharing connections. Some devices do not support 128-bit
                                                          encryption and must use 40-bit or 56-bit encryption.

Note: When a Server Message Block (SMB) client connects to a Windows share, the systems
negotiate their highest level of encryption, and the server will transfer an encryption key to the
client. This encryption key generates an encrypted hash of the connecting user's password. This
hash then is sent to the server with the user name. The server then will decrypt the hash and
validate the user. This ensures that a user's password is never transmitted. If you are using older
client systems, you might need to allow 40-bit or 56-bit encryption.
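An added example (not from the course) that checks, from the client side, what the network location profiles described above actually expose: it lists each active connection's profile and counts the enabled inbound Network Discovery and File and Printer Sharing firewall rules that apply to that profile, flagging any connection on a Public network that still has such rules enabled. Get-SharingExposure is a helper defined here, not a built-in cmdlet.

```powershell
# Added example (not part of the course). Uses the Get-NetConnectionProfile and
# Get-NetFirewallRule cmdlets that ship with Windows 8.1; run in an elevated session.
function Get-SharingExposure {
    # Returns one row per active connection profile with the number of enabled
    # inbound sharing rules that apply to that profile's network category.
    foreach ($profile in Get-NetConnectionProfile) {
        # NetworkCategory is Public, Private or DomainAuthenticated; firewall rule
        # profiles use the names Public, Private and Domain (or Any).
        $category = [string]$profile.NetworkCategory
        $match    = if ($category -eq 'DomainAuthenticated') { 'Domain' } else { $category }

        $rules = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing', 'Network Discovery' `
                                     -Direction Inbound -Enabled True |
                 Where-Object { ([string]$_.Profile) -eq 'Any' -or ([string]$_.Profile) -match $match }

        [pscustomobject]@{
            Interface                  = $profile.InterfaceAlias
            NetworkCategory            = $category
            EnabledInboundSharingRules = @($rules).Count
            # True means discovery/sharing is reachable from an untrusted network.
            ExposedOnPublicNetwork     = ($category -eq 'Public' -and @($rules).Count -gt 0)
        }
    }
}

Get-SharingExposure | Format-Table -AutoSize
```

A connection reported as ExposedOnPublicNetwork = True is the case the Guest or Public profile is meant to prevent; switching that connection back to the Public location, or disabling the rule groups for the Public profile, closes it.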

Troubleshoot Problems

Use this feature to diagnose and repair network problems and to get troubleshooting information for the
following network components:

Internet connections

Shared folders

HomeGroup

Network adapter

Incoming connections

Connection to a workplace by using Windows 8.1 DirectAccess

Printers

Configuring HomeGroup for Resource Access


HomeGroup allows you to connect multiple
computers and share devices and libraries on your
home network if the systems run Windows 7 or
newer. When you set up your first home
computer with the basic version of Windows 8.1, a
homegroup is created automatically. Homegroups
are password protected automatically by a
system-generated password. You can change
the system-generated password to one of your
choosing in the HomeGroup settings.
When you add a second Windows 8.1 computer,
you will be asked to join an existing homegroup
instead of creating a new one. To join an existing homegroup, you need to perform the following
procedure:


1. Locate the password for your homegroup by going to HomeGroup settings on the first PC. Note the
   password from the Membership section. You will need to enter it on the new computer.

2. On the new Windows 8.1 PC, go to the HomeGroup settings and locate the Membership section.
   Windows will detect the homegroup automatically and prompt you for the password.

3. Enter the password of the homegroup and click Join.

The HomeGroup settings screen allows you to select which libraries or devices and printers you wish to
share with other users in the HomeGroup. The default permission for shared libraries is Read, but you can
change this. You also can exclude specific files from sharing. You can choose to share resources such as
individual files or devices with specific people or with everyone in the HomeGroup.
The homegroup will show up in File Explorer in the left pane and is named Homegroup. Expanding the
Homegroup folder will display the resources that are available on the network by the user name of the
owner of the device or library.
Homegroups have the following restrictions:

A computer's network location must be set to Private to join a homegroup.

Network sharing must be turned on.

Computers that run Professional or Enterprise versions of Windows operating systems cannot create
homegroups, but they can join them.

Devices that run Windows RT 8.1 can join a homegroup, but they cannot create one or share content
in one.

You cannot delete homegroups, but if nothing is shared and no computers have joined the homegroup, it
effectively does not exist.

Lesson 3

Configuring File Compression


The primary focus of this lesson is to examine the two methods in Windows 8.1 for compressing files and
folders to consume less disk space: NTFS file compression and compressed files and folders.

Lesson Objectives
After completing this lesson, you will be able to:

Describe how NTFS file compression works.

Describe the impact of moving and copying compressed files and folders.

Describe how to create a compressed folder.

Compress files and folders.

Compressing Content to Save Disk Space


NTFS supports file compression on an individual-file basis. The file compression algorithm is a
lossless compression algorithm. This means that no
data is lost when compressing and decompressing
a file, as opposed to other types of compression
algorithms, where some data is lost each time
data compression and decompression occur.
NTFS compression, which is available on volumes
that use NTFS, has the following features and
limitations:

Compression is an attribute of a file or folder.

Volumes, folders, and files on an NTFS volume are either compressed or uncompressed.

New files that are created in a compressed folder are compressed by default.

The compression state of a folder does not necessarily reflect the compression state of the files within
that folder. For example, you can compress a folder without compressing its contents, and you can
compress some or all of the files in a compressed folder.

NTFS compression works with NTFS-compressed files without decompressing them because they are
decompressed and recompressed without user intervention:

  When you open a compressed file, the Windows operating system automatically decompresses it
  for you.

  When the file closes, the Windows operating system compresses it again.

NTFS-compressed file and folder names display in a different color to make them easier to identify.

NTFS-compressed files and folders only remain compressed while they are stored on an NTFS volume.

You cannot encrypt an NTFS-compressed file.


The compressed bytes of a file are not accessible to applications, which see only the uncompressed
data:

  Applications that open a compressed file can perform tasks on it as if the file was not
  compressed.

You cannot copy compressed files to another file system.


Note: You can use the compact command-line tool to manage NTFS compression.

Discussion: What Is the Impact of Moving and Copying Compressed Files and Folders?

Moving and copying compressed files and folders
can change their compression state.
This discussion presents five situations in which
you are asked to identify the impact of copying
and moving compressed files and folders. You and
your classmates will discuss the possible solutions
for each situation.
Question: What happens to the compression
state of a file or folder when you copy it
within an NTFS partition?
Question: What happens to the compression
state of a file or folder when you move it within an NTFS partition?
Question: What happens to the compression state of a file or folder when you copy or move
it between NTFS partitions?
Question: What happens to the compression state of a file that you copy or move between
FAT32 and NTFS volumes?

Creating a Compressed (Zipped) Folder


In Windows 8.1, you can combine several files and
folders into a single compressed folder by using
the Compressed (zipped) Folder feature. Use this
feature to share a group of files and folders with
others, without being concerned about sending
individual files and folders.
Files and folders that you compress by using the
Compressed (zipped) Folder feature can compress
on FAT and NTFS drives. A zipper icon identifies
files and folders that are compressed by using this
feature.

You can open files directly from these compressed folders, and you can run some of these programs
directly from compressed folders without uncompressing them. Files in compressed folders are compatible
with other file compression programs and files. You also can move compressed files and folders to any
drive or folder on your computer, the Internet, or your network.


Compressing folders by using Compressed (zipped) Folder does not affect a computer's overall
performance. CPU utilization increases only when you use Compressed (zipped) Folder to compress a file.
Compressed files take up less storage space, and you can transfer them to other computers more quickly
than uncompressed files. You can work with compressed files and folders the same way you work with
uncompressed files and folders.

Send To Compressed (zipped) Folder


By using the Send to Compressed (zipped) Folder command in File Explorer, you can quickly:

Create a compressed version of a file.

Send a file to a compressed (zipped) folder.

Alternatively, if a compressed folder has been created already, and you need to add a new file or folder to
it, you can drag the desired file to the compressed folder instead of using the Send To Compressed
(zipped) Folder command.

Comparing Zipped Folder Compression and NTFS Folder Compression

You should be aware of the differences between zipped folder compression and NTFS folder compression.
A zipped folder is a single file inside of which Windows allows you to browse. Some applications can
access data directly from a zipped folder, while other applications require that you first unzip the folder
contents before the application can access the data.
In contrast, individual files within a folder are compressed by NTFS compression. Therefore, NTFS
compression does not experience the data access issues that are associated with zipped folders because
it occurs at the individual file system level and not the folder level. Additionally, zipped folders are useful
for combining multiple files into a single email attachment, whereas NTFS compression is not.

File and folder compression that uses the Send To Compressed (zipped) Folder command is different from
the NTFS file and folder compression that was discussed earlier:

For selected files or folders, the Send To Compressed (zipped) Folder command compresses the
selected content into a portable zip file. The original file or folder is left unchanged, but a new,
compressed zip file is created.

NTFS compression does not create a second, compressed zip-type file. Instead, it actually reduces the
size of the selected file, folder, or volume by compressing its content.

Note: Unlike NTFS-compressed folders and files, you can move or copy compressed
(zipped) folders without change between volumes, drives, and file systems.

Demonstration: Compressing Files and Folders


In this demonstration, you will see how to compress files and folders.

Demonstration Steps
Compress a file
1. Start File Explorer.

2. Open the E:\Labfiles\Mod09\Windows8Docs folder.

3. Compress the largest document in the folder.

4. Examine the file attributes.

Compress a folder
1. Compress the Windows8Docs folder.

2. Examine the folder and files in the folder.

3. Keep the virtual machines running for the next demonstration.
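The same two demonstration steps as an added example in Windows PowerShell (not the course's own script): it compresses the largest document, then the whole folder, with the compact command-line tool mentioned above, and reports each file's Compressed attribute together with its logical size and its on-disk size. Get-CompressedSize and Get-CompressionReport are helpers defined here, not built-in cmdlets; the folder path is the demonstration's.

```powershell
# Added example (not part of the course). Requires an NTFS volume and the
# compact.exe tool that ships with Windows 8.1.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint GetCompressedFileSize(string lpFileName, out uint lpFileSizeHigh);
'@

function Get-CompressedSize {
    # Returns the number of bytes a file actually occupies on the NTFS volume.
    # For an NTFS-compressed file this is smaller than the logical Length that
    # applications (and Get-ChildItem) see.
    param([string]$Path)
    $high = [uint32]0
    $low  = [Win32.Native]::GetCompressedFileSize($Path, [ref]$high)
    return ([uint64]$high -shl 32) -bor [uint64]$low
}

function Get-CompressionReport {
    # One row per file: whether the Compressed attribute is set, and both sizes.
    param([string]$Folder)
    Get-ChildItem -Path $Folder -File -Recurse | ForEach-Object {
        [pscustomobject]@{
            Name        = $_.Name
            Compressed  = ($_.Attributes -band [IO.FileAttributes]::Compressed) -ne 0
            LogicalSize = $_.Length
            OnDiskSize  = Get-CompressedSize -Path $_.FullName
        }
    }
}

$Folder = 'E:\Labfiles\Mod09\Windows8Docs'

# Compress a file: pick the largest document and set its compressed attribute.
# compact /C on a single file compresses only that file.
$largest = Get-ChildItem -Path $Folder -File |
           Sort-Object Length -Descending | Select-Object -First 1
& compact.exe /C $largest.FullName | Out-Null
Get-CompressionReport -Folder $Folder | Format-Table -AutoSize

# Compress a folder: /S:dir applies the operation to the folder tree and marks the
# folder so that files created in it afterwards are compressed by default.
& compact.exe /C /S:$Folder | Out-Null
Get-CompressionReport -Folder $Folder | Format-Table -AutoSize
```

In the reports, LogicalSize does not change when a file is compressed; only OnDiskSize shrinks, which is why applications see the file as if it were not compressed.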


Lab A: Configuring File Access


Scenario


You have users in the Marketing department who need to share files. You will create a shared folder on
the network and configure permissions such that Marketing users have Modify permission to the shared
folder and all other users have Read permission. You will also test the access to the shared folder.

Objectives
After completing this lab, you will be able to:

Create a folder shared to all users.

Configure file and folder compression.

Lab Setup
Estimated Time: 15 minutes
Virtual machines: 20687D-LON-DC1, 20687D-LON-CL1, 20687D-LON-CL2
User names: Adatum\Administrator and Adatum\Ed
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 20687D-LON-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Sign in by using the following credentials:

   User name: Adatum\Administrator

   Password: Pa$$w0rd

5. Repeat steps 2 and 3 for 20687D-LON-CL1 and 20687D-LON-CL2. Do not sign in until directed to
   do so.

Exercise 1: Creating a Shared Folder for the Marketing Group


Scenario
You need to create a shared folder for the Marketing Department.
The main tasks for this exercise are as follows:
1. Create a Marketing folder.

2. Share the Marketing folder for Everyone.

3. Configure File Permissions for the Marketing folder.

4. Attempt to access the Marketing folder as Ed.

5. Sign in to LON-CL2 as Adam.

6. Attempt to access the Marketing folder as Adam.

Task 1: Create a Marketing folder


1. Sign in to LON-CL1 as Adatum\Administrator.

2. Create a new folder in the E:\Labfiles\Mod09 folder named Marketing.

Task 2: Share the Marketing folder for Everyone

Share the Marketing folder so that Everyone can read it.

Task 3: Configure File Permissions for the Marketing folder


1. Configure the Marketing folder so that the Marketing security group has Modify permission.

2. Close all open windows.

Task 4: Attempt to access the Marketing folder as Ed


1. On LON-CL2, sign in as Adatum\Ed with password Pa$$w0rd.

2. Open the \\Lon-CL1\Marketing folder.

3. Attempt to create a file in the Marketing folder.

4. Sign out of LON-CL2.

Task 5: Sign in to LON-CL2 as Adam

Sign in to LON-CL2 as Adatum\Adam.

Task 6: Attempt to access the Marketing folder as Adam


1. Start File Explorer.

2. Open the \\LON-CL1\Marketing folder.

3. Attempt to create a file in the Marketing folder.

4. Close all windows, and then sign out.


Results: After completing this exercise, you should have created and shared a folder for the Marketing
department.

Exercise 2: Configuring File and Folder Compression


Scenario
In an effort to save space on your hard disk, you will compress a folder that contains documents.
The main task for this exercise is as follows:
1. Compress a folder.

Task 1: Compress a folder


1. Switch to LON-CL1.

2. Compress the E:\Labfiles\Mod09\Windows8Docs folder.

3. Examine the folder and files in the folder.

Results: After completing this exercise, you will have compressed a folder.

Prepare for the next lab

When you finish the lab, leave the virtual machines running, as they are needed for the next lab.


Lesson 4

Overview of OneDrive


In this lesson, you will learn about Microsoft's OneDrive service (formerly SkyDrive) and its integration
with Windows 8.1. The lesson will describe both the consumer version of OneDrive and the enterprise
version, OneDrive for Business (formerly SkyDrive Pro).

One of the decisions that organizations frequently need to make is whether to allow users to use the
consumer version of OneDrive in their enterprise. This lesson will also explain how to restrict access to
OneDrive in an enterprise.

Lesson Objectives
After completing this lesson, you will be able to:

Describe how to use OneDrive for storing and sharing files.

Describe how to configure OneDrive access.

Describe how to share files in OneDrive.

Describe how to synchronize and recover OneDrive files with Windows 8.1.

Describe OneDrive for Business.

Using OneDrive for Storing and Sharing Files


OneDrive is Microsoft's free cloud-based file service that is available for Microsoft account holders. The
OneDrive service is a consumer-oriented solution and allows for 7 gigabytes (GB) of free cloud storage.
You can use OneDrive to save personal files in your private store for your own use or in your public store
so that you can share files with anyone. OneDrive is designed for personal files and is not intended to be
used as an enterprise solution. A different service named OneDrive for Business is intended for corporate
organizations.
Note: You also can purchase more storage space by clicking on the Buy more storage link
in the Storage space screen.

Features
OneDrive offers many features that enable users to access and use OneDrive as best fits their needs,
such as:

Microsoft Office. You can use Microsoft Office to save documents to OneDrive by clicking the File
menu in Office 2013, clicking Save (or Save As), and then selecting OneDrive as the save location.

Microsoft Office Web Apps. You can use Office Web Apps to view and edit documents that are stored
in OneDrive.


PDF and OpenDocument Format (ODF) support. You can view PDF and ODF documents that are
saved in OneDrive.

Bing integration. You can use the Bing Save & Share feature to save search histories in a OneDrive
folder.

For more information on OneDrive features, refer to:


OneDrive
http://go.microsoft.com/fwlink/?LinkId=266561

Accessing OneDrive
You can access OneDrive in several different ways, including:

A web browser at http://www.OneDrive.com

Microsoft Office 365 Outlook Web Access

A Windows PC that is running Windows Vista Service Pack 2 (SP2) or newer

Windows Server 2008 SP2 and the Windows Platform Update for Windows Server 2008 or newer

Mac OS X 10.7 (Lion)

Windows Phone app

An iOS app

An iPad app

Windows 8.1

OneDrive Privacy

The Microsoft Online Privacy Statement specifies the terms of use of the personal information that you
provide when you use OneDrive. Before you use Microsoft online services, you must read and understand
the privacy statement. The main points in the privacy statement include the following:

Microsoft collects personal information from you when you register, and may combine this
information with data that other companies and Microsoft services collect.

To personalize your experience, Microsoft tracks your interaction with their sites by using cookies and
other technologies.

Microsoft does not share your personal information with third parties, but may provide this
information to companies that work on behalf of Microsoft.

Microsoft uses your personal information to provide services such as personalized content and
advertising to inform you about Microsoft products and services, and to invite you to surveys of
Microsoft services.

Terms of Service

The OneDrive terms of service specify how the information you post on OneDrive will be used. Some of
the main terms of service are:

Ownership of Content. You own content such as documents, videos, photos, and email that you
upload to the service. The same is true of content that you store on the services, or transfer
through it. Microsoft does not claim ownership of your content, except for Microsoft material, such
as clip art, that Microsoft licenses to you, and that you may use in your content.


Access of Content. You can choose who you share your content with. You can choose not to share
your content, to share your content publicly, or choose other users with whom you want to share
your content. If you share your content with other users, they may use, reproduce, distribute, or
display your content for free.

Microsoft Use of Content. Microsoft may use, modify, adapt, save, reproduce, distribute, and display
your content to protect you, and to improve Microsoft services. In such cases, Microsoft protects
your privacy by taking necessary steps. Examples of such usage of your content include isolation of
information from content to prevent and protect you from spam and malware.

Removal of Content. Microsoft may ask you to remove content that is in violation of the anti-spam
policy, the Microsoft Code of Conduct, or your local law, or if you infringe on a third party's
intellectual property. If you fail to comply, you might lose access to your account, or your account
might be cancelled. In such cases, Microsoft may also remove your content without asking you.

Configuring OneDrive Access


Before you can use OneDrive from the Windows 8.1 OneDrive tile, you must connect your domain or local
account with your Microsoft account. To begin the process, click the OneDrive tile on the Start screen.
You then will be prompted to sign in with your Microsoft account, or to create an account if you do not
have one.

If you want to configure your synchronization settings, you will need to connect your domain account to
your Microsoft account by performing the following procedure:

1. From the Start screen, open the Computer menu, and then select the Settings charm.
2. Click Change PC Settings, and then click the Accounts section.
3. To start the wizard for synchronizing your domain account with your Microsoft account, click
   Connect your Microsoft account.

In the wizard, you can choose which features you want to synchronize, including:

Start screen. Colors and background.

Desktop personalization. Themes, taskbar, and more.

Ease of Access. High contrast, Narrator, Magnifier, and more.

Language preferences. Keyboards, other input methods, display language, and more.

App data. Certain settings in your apps.

Browser settings. History, bookmarks, and favorites.

Other Windows settings. File Explorer and mouse settings.

Passwords. For some apps, websites, networks, and HomeGroup.

You can toggle the synchronization setting of these options from the Sync your settings menu on the PC
Settings page. Note that everything you select here, including saved passwords, is copied to Microsoft's
consumer cloud under the user's personal Microsoft account, so organizations should decide deliberately
which of these categories domain users may synchronize.

Restricting Access to OneDrive


As an information technology (IT) administrator, you might wish to prevent your users from accessing
OneDrive from organizational systems. You can accomplish this by using Group Policy. In the appropriate
Group Policy Object (GPO), go to the Computer Configuration\Policies\Administrative Templates
\Windows Components\OneDrive node and enable the Prevent the usage of OneDrive for file storage
policy setting. When this Group Policy setting applies to the client system, if users try to start OneDrive,
they will receive a notification that the system administrator has blocked the use of OneDrive.

If you need to block access to OneDrive for all devices, including users' personal devices, you could create
a URL block list on your organizational firewall.
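The Group Policy setting above can be set and verified from PowerShell, which is useful when you need to confirm that the block actually reached every managed client rather than trusting the GPO link. The script below is an added example, not from the course. It assumes that the Windows 8.1 OneDrive administrative template writes the "Prevent the usage of OneDrive for file storage" setting to the registry value HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive\DisableFileSync = 1 (DWORD); confirm that mapping against OneDrive.admx in your central store. The GPO name is a placeholder.

```powershell
# Added example (not from the course): enforce and audit the OneDrive block.
# Assumption: the 8.1 ADMX maps the policy to this key/value; verify in OneDrive.admx.
$PolicyKey   = 'SOFTWARE\Policies\Microsoft\Windows\OneDrive'
$PolicyValue = 'DisableFileSync'

# Domain side: write the value into a GPO (needs the GroupPolicy module from RSAT).
function Set-OneDriveBlockPolicy {
    param([Parameter(Mandatory)][string]$GpoName)   # e.g. 'Block consumer OneDrive' (placeholder)
    Import-Module GroupPolicy -ErrorAction Stop
    Set-GPRegistryValue -Name $GpoName -Key "HKLM\$PolicyKey" `
                        -ValueName $PolicyValue -Type DWord -Value 1 | Out-Null
}

# Client side: confirm the policy landed. Run after 'gpupdate /force' on the client.
function Test-OneDriveBlocked {
    $item = Get-ItemProperty -Path "HKLM:\$PolicyKey" -Name $PolicyValue -ErrorAction SilentlyContinue
    $blocked = ($null -ne $item) -and ($item.$PolicyValue -eq 1)
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Blocked  = $blocked
        Detail   = if ($blocked) { "$PolicyValue=1 present under HKLM\$PolicyKey" }
                   else          { 'policy value absent or not 1; OneDrive is not blocked' }
    }
}

# Usage:
# Set-OneDriveBlockPolicy -GpoName 'Block consumer OneDrive'   # on a management host
# Test-OneDriveBlocked                                         # on each client
```

This only disables the built-in OneDrive client on domain-managed Windows 8.1 systems; the browser interface and unmanaged devices are unaffected, which is why the firewall URL block list is the second half of the control.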

Sharing Files in OneDrive


You can use OneDrive to share files as publicly accessible folders or as folders that you secure by using
your Microsoft account contacts. The Windows 8.1 OneDrive app lets you use OneDrive directly from your
desktop. By using the OneDrive app, you can access and manage all your folders from your computer's
desktop. A new, updated version of the OneDrive app is integrated into Windows 8.1.

Sharing Folders in OneDrive

When you first create a OneDrive account, you have three folders by default: Documents, Pictures, and
Public. By default, the share folder setting for the Documents and Pictures folders are set to This folder
is not shared, which means that you are the only one who can access it. The Public folder is shared as
Everyone Can view, which means anybody can see, but not edit, any documents in that folder. When
you create a new folder in OneDrive, you can choose how you want to share it. When you share a file or
folder, the word Shared appears on it.

You can invite individuals or groups by using email and grant them permissions to specific files or folders.
You can grant email recipients read-only permission or edit permission. You also can specify whether the
recipients need a Microsoft account or not. You can share a link to an item or publish directly to social
media, such as Facebook or LinkedIn.

You can stop sharing or modify permissions by selecting the shared item and clicking the Share button on
the menu bar.

Synchronizing and Recovering OneDrive Files with Windows 8.1


In Windows 8, OneDrive was available as an app; in Windows 8.1, OneDrive integrates fully with the
operating system. During setup, if you create a new Microsoft account or use an existing one, you are
prompted to accept the default OneDrive settings. The default OneDrive settings are:

Camera roll and PC settings will back up to the cloud automatically.

New documents that you create can save to the cloud by default.

You have the option to turn off OneDrive integration. If you enable it, you will see a OneDrive folder in the
File Explorer folder tree. You can use the OneDrive folder to save, copy, or paste files in the same way you
would use any network folder or folder on a local disk.

Synchronization

Windows 8.1 provides a redesigned synchronization model for OneDrive that is more efficient. The files
in the OneDrive folder appear to be stored on the local hard disk, but the files are stored as placeholders
that take a small amount of space. Placeholder files contain a thumbnail and basic information about
the file. Files download to your local computer when you open them. This is beneficial for tablets,
smartphones, and other devices that have limited disk space. You also can control whether
synchronization and backup to OneDrive will occur when you are on a metered connection, such as
when tethered to a smartphone. Synchronization happens automatically and cannot be triggered manually.
Note: If you have Apple devices, you can configure pictures that you store in the Camera
Roll folder to upload to OneDrive automatically.

Support for Offline Files

You also can choose to make some files or folders available offline in the same way as with network-based
files. Simply right-click the file or folder in OneDrive, and click Make available offline. This will keep a
synchronized copy on the local hard disk. If you edit or add a file to OneDrive while you are offline, it
stores on the local hard drive until you connect to the Internet. Then it synchronizes across all your
OneDrive-enabled devices. If you are offline, you cannot edit files unless they have been cached to the
local disk previously.

Conflict Resolution

If you edit a cached file on one of your offline devices and then edit the same file from a different device
that is online, when synchronization occurs, you will get two versions of the file on the device that was
offline. The one that was modified while offline will be appended with the name of the device. For
example, if you edit a cached version of File1.txt on an offline device named Client1 and then modify
File1.txt from an online device before synchronization occurs, when the offline device connects to the
Internet, a new file named File1.txt-Client1 will be created and synchronized to all devices.

Recovering Files

Occasionally, users might accidentally delete files. When users delete a file from a OneDrive folder, it
goes to the Recycle Bin on the local machine and also to the Recycle Bin on all other Windows computers
where OneDrive is enabled. You can restore a file or folder to OneDrive from any of the Recycle Bins in
which it appears.

What Is OneDrive for Business?


OneDrive for Business is a synchronization service that allows users to synchronize document libraries
from Microsoft SharePoint sites to their local computers or mobile devices. It is implemented either as
part of Office 365 through Microsoft SharePoint Online or through on-premises SharePoint 2013.

How to Synchronize Document Libraries

Start the OneDrive for Business app, copy and paste the URL of the SharePoint document library, and then
click the Sync Now button. If you are in a document library, you can click the SYNC icon in the top-right
corner to synchronize the current library. Synchronized libraries will appear in File Explorer under
Favorites. Users need to sign in to their Office 365 account to access, view, or synchronize libraries to
OneDrive for Business. On-premises implementations require the same credentials that users would
provide to sign in to the SharePoint site.
Note: SharePoint administrators can prevent a document library from being available to
synchronize by configuring the properties of the document library. If synchronization of any
library stops, any previously synchronized files will remain on users' computers, so stopping
synchronization does not by itself remove already-distributed copies of the library's documents.

Installing OneDrive for Business

OneDrive for Business is included with Microsoft Office Professional Plus 2013 and Office 365 plans, but
you also can download it as a free, stand-alone product. The download is available in .msi format, so you
can deploy it by using Group Policy. There also is a free mobile app that is available from the Windows
app store. The mobile app will only work with Office 365 subscriptions and cannot synchronize with
on-premises implementations of SharePoint.
Note: To install OneDrive for Business, a client computer must be running Windows 7 or a
newer operating system.

Lesson 5

Managing Printers
To set up a shared printing strategy to meet your users' needs, you must understand Windows 8.1
printing components and how to manage them.

This lesson examines printing components in a Windows 8.1 environment, including printer ports and
drivers.

The instructor will demonstrate how to install and share a printer, and you will review how to use the Print
Management tool to administer multiple printers and print servers.

Lesson Objectives
After completing this lesson, you will be able to:

Describe the new printing features in Windows 8.1.

Describe the components of a printer.

Install and share a printer.

Describe how to manage client-side printing.

Describe how to manage print server properties.

Describe how to troubleshoot printing issues.

Windows 8.1 Printer Features

Windows 8.1 supports two new features for printing:

Near field communication (NFC) printing, also known as tap-to-pair printing.

Three-dimensional printing.

NFC Printing
Windows 8.1 supports NFC printing. Users can
tap their handheld device against a printer that
is equipped with an NFC tag and print directly.
These tags are inexpensive and can be purchased
and programmed for any existing printer. IT
departments now can provide printing support for a wide variety of handheld devices.

NFC currently is available for smartphones as a way to transfer files simply by touching the devices
together. That technology is expanding and becoming available for other purposes, such as printing.

3-D Printing

3-D printing is an emerging technology. Microsoft has worked closely with software and hardware
partners to build on this technology. Because 3-D printing is based on traditional two-dimensional
printing, there are familiar management abilities, such as print queue management. Now, companies that
design virtual models have the capability to print physical versions of those models at reasonable costs.
3-D printing has existed for some time, but it has been cost prohibitive for all but the largest
organizations. Desktop 3-D printers are making headway and soon will be within reach of small and
medium-size businesses.

Overview of Printing Components


When you install and share a printer in
Windows 8.1, you must define the relationship
between the printer and two printer components:
the printer port and the printer driver. Typically,
Plug and Play devices install automatically.
However, when you add a wireless device or
printer in Devices and Printers by using the Add
devices and printers button, Windows 8.1 must be
able to communicate with the device to complete
the wizard. To specify all the connection
information for a printer manually, use the
Advanced printer setup button.

Defining the Printer Port

Windows 8.1 detects printers that you connect to your computer, and it installs the driver for the printer
automatically if the driver is available in the driver store. However, a Windows operating system might not
detect printers that connect by using older ports, such as serial or parallel ports, or network printers. In
these cases, you must configure a printer port manually.

Installing a Driver

A printer driver is a software interface that enables a computer to communicate with a print device.
Without a printer driver, the printer that connects to a computer will not work properly. A printer driver is
responsible for converting a print job into a page-description language (PDL) that the printer can use to
print a job. The most common PDLs are PostScript, Printer Control Language (PCL), and XML Paper
Specification (XPS).
In most cases, drivers are included with the Windows operating system, or you can find them by checking
for updates with Windows Update in Control Panel. If the Windows operating system does not have a
driver that you need, you can find it on the disc that came with the printer or on the manufacturer's
website.
If the Windows operating system does not recognize your printer automatically, you must configure the
printer type during the installation process. The Printer Setup Wizard presents you with an exhaustive list
of currently installed printer types. However, if your printer is not listed, you must obtain and install the
necessary driver.
You can preinstall printer drivers in the driver store by using the pnputil.exe command-line tool, which
makes them available in the printer list.

When you connect a new printer to your computer, the Windows operating system tries to find and install
a software driver for the printer. Occasionally, you might see a notification that a driver is unsigned or
altered, or that the Windows operating system cannot install it. You have a choice whether to install a
driver that is unsigned or has been altered since it was signed. A missing or broken signature means that
Windows cannot verify who published the driver or whether it has been tampered with, so prefer a signed
driver obtained directly from the manufacturer's website.

Demonstration: Installing and Sharing a Printer

In this demonstration, you will see how to create and share a printer.

Demonstration Steps
1. On LON-CL1, open Control Panel.
2. On LON-CL1, open the Add Printer Wizard.
3. Create and share a Microsoft OpenXPS printer named AdatumPrinter.

When you have finished the demo, revert all virtual machines back to their initial state:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687D-LON-CL1, and then click Revert.
3. In the Revert Virtual Machines dialog box, click Revert.
4. Repeat steps 2 and 3 for 20687D-LON-DC1.

Managing Client-Side Printing


Print Management provides a single interface to
administer multiple printers and print servers.
You can access the Print Management console
through the Administrative Tools item in Control
Panel or you can open the Print Management
console directly by typing Printmanagement.msc
in the Search dialog box.
You can use Print Management to perform all
the basic management tasks for a printer. You
also can manage printers from the Devices and
Printers category page in Control Panel.

View the Print Queue

After you initiate a print job, you can view, pause, or cancel it through the print queue. The print queue
shows you what is printing or waiting to print. It also displays information such as job status, who is
printing what, and how many unprinted pages remain. From the print queue, you can view and maintain
the print jobs for each printer.
You can open the print queue from the Print Management console, or by using the See what's printing
option in Devices and Printers. Documents that are listed first will be the first to print.

Cancel Print Jobs

If you start a print job by mistake, it is simple to cancel the print job even if printing is underway. To
cancel a print job:
1. Open the print queue for the specific printer by performing the steps outlined previously.
2. To cancel an individual print job, right-click the print job you want to remove, and then click Cancel.
3. To cancel all print jobs, click the Printer menu, and then click Cancel All Jobs. The item that is
   printing currently might finish, but the remaining items will be cancelled.

Pause or Resume a Print Job

You can pause and resume a single print job or multiple jobs in the queue. To pause or resume a print
job:
1. Open the print queue for the specific printer by performing the steps outlined previously.
2. To pause or resume an individual print job, right-click the print job, and then click Pause or Resume.
3. To pause all print jobs, click the Printer menu, and then click Pause Printing. To resume printing,
   click Resume Printing.

Restart a Print Job

If a print job is printing in the wrong color ink or on the wrong size paper, you can start over. To restart a
print job:
1. Open the print queue for the specific printer by performing the steps outlined previously.
2. Right-click the print job to reprint, and then click Restart.

Reorder the Print Queue

If you are printing multiple items, you can change the order in which they print. To reorder the jobs in the
print queue:
1. Open the print queue for the specific printer by performing the steps outlined previously.
2. Right-click the print job to reorder, and then click Properties.
3. Click the General tab, and then drag the Priority slider left or right to change its print order. Items
   with higher priority print first.

Managing Print Server Properties


Windows 8.1 includes Print and Document
Services. Windows 8.1 can act as a print server or
connect to Windows-based print servers through
the Print Management console and manage them
remotely. The Print Management console is
included in the built-in administration tools in
Windows 8.1. It allows administrators to perform
management tasks such as:

Install printer drivers and print devices

Manage print queues

View the status of printers

Installing Printer Drivers and Print Devices

You might need to support both 32-bit and 64-bit printer drivers. The Print Management console allows
you to add printer drivers to the printer driver store in the Windows\System32\spool\drivers folder. You
can use the Add Printer Driver Wizard to add drivers.

You also can add print devices by using the Network Printer Installation Wizard. The wizard allows you to:

Search a network for printers.

Add a TCP/IP or Web Service Printer by IP address or host name.

Add a new printer by using an existing port.

Create a new port and add a new printer.

Managing Print Queues

You can view all installed printers in the All Printers node. You can view a printer's queue by right-clicking
the printer and selecting Open Printer Queue from the shortcut menu.

View the Status of Printers

The All Printers node shows information about each printer, including the queue status, number of jobs in
the queue, name and version of the printer driver, and the driver type.

Troubleshooting Printing
Printing problems are common in most organizations. How you approach troubleshooting printing issues
might depend on how you installed the printer on the client operating system. For example, your
approach will vary depending on whether the printer connects locally by using a USB cable or if it is a
network printer.
You can isolate and resolve common printer issues by answering the following questions:

What has changed in the environment?
  o Has new software or new device drivers been installed?
  o Has the client operating system been upgraded?

Is the print device connected to the workstation locally, or is it a mapped network printer?

If it is a network printer, how widespread is the issue?
  o Determine if the problem is isolated to a single user or a single printer on the print server.
  o Can other users successfully send print jobs to the printer?

Troubleshooting Locally Connected Printers

Even in large organizations, it is common to have users with printers that connect directly to their
workstations, either by using a USB cable or over the network without going through a print server.
Troubleshooting steps for these types of issues include:

Checking the local print queue to see if there is a hung print job and deleting it.

Restarting the local Print Spooler service.

Removing the print device and reinstalling the printer. This will often entail locating and downloading
the printer driver from a vendor website.

Troubleshooting Network Printers

Organizations that have many printers will usually have one or more print servers. Client operating
systems map to these printers through the print servers. Troubleshooting these issues will involve the
following steps:

If a problem is restricted to a single user, deleting and remapping the printer will often clear the issue.

If the problem affects all users of that printer, check the print queue on the server for a hung print job
and delete it.

Check that the IP address of the print device has not changed.

Restart the Print Spooler service on the print server.

Reinstall the printer driver on the print server.
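The triage steps for local and network printers above map directly onto the PrintManagement cmdlets that ship with Windows 8.1 (Get-Printer, Get-PrintJob, Remove-PrintJob, Get-PrinterPort) plus Restart-Service for the spooler. The following is an added example, not from the course; the print server and printer names are placeholders, and the "stuck" heuristics (error-state jobs, or jobs older than a threshold) are an assumption you should tune for your environment.

```powershell
# Added example (not from the course): scripted print-queue triage for a client or print server.
function Get-StuckPrintJob {
    # Jobs in an error state, or that have sat in the queue longer than the threshold.
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$OlderThanMinutes = 30)
    $cutoff = (Get-Date).AddMinutes(-$OlderThanMinutes)
    foreach ($printer in Get-Printer -ComputerName $ComputerName) {
        Get-PrintJob -ComputerName $ComputerName -PrinterName $printer.Name |
            Where-Object { ($_.JobStatus -match 'Error|Offline|PaperOut|UserIntervention|Blocked') -or
                           ($_.SubmittedTime -lt $cutoff) }
    }
}

function Test-PrinterPort {
    # "Has the IP address of the print device changed?" For TCP/IP ports, ping the
    # configured host address. Local ports (USB, NUL:) have no address and report $null.
    param([Parameter(Mandatory)][string]$PrinterName, [string]$ComputerName = $env:COMPUTERNAME)
    $printer = Get-Printer     -Name $PrinterName     -ComputerName $ComputerName
    $port    = Get-PrinterPort -Name $printer.PortName -ComputerName $ComputerName
    $addr    = $port.PrinterHostAddress
    [pscustomobject]@{
        Printer   = $PrinterName
        Port      = $printer.PortName
        Address   = $addr
        Reachable = if ($addr) { Test-Connection -ComputerName $addr -Count 1 -Quiet } else { $null }
        Status    = $printer.PrinterStatus
    }
}

function Repair-PrintQueue {
    # Order matters: delete hung jobs first, then bounce the spooler. Restarting the
    # spooler with a corrupt job still spooled simply reproduces the hang.
    [CmdletBinding()]
    param([string]$ComputerName = $env:COMPUTERNAME, [switch]$RestartSpooler)
    $stuck = @(Get-StuckPrintJob -ComputerName $ComputerName)
    foreach ($job in $stuck) {
        Write-Verbose "Removing job $($job.Id) '$($job.DocumentName)' on $($job.PrinterName)"
        Remove-PrintJob -InputObject $job
    }
    if ($RestartSpooler) {
        Get-Service -Name Spooler -ComputerName $ComputerName | Restart-Service -Force
    }
    [pscustomobject]@{ Computer = $ComputerName; JobsRemoved = $stuck.Count
                       SpoolerRestarted = [bool]$RestartSpooler }
}

function Reset-PrinterConnection {
    # "Delete and remap the printer" for a single affected user, run on the client.
    param([Parameter(Mandatory)][string]$ConnectionName)   # e.g. '\\LON-CL1\ManagersPrinter'
    Remove-Printer -Name $ConnectionName -ErrorAction SilentlyContinue
    Add-Printer -ConnectionName $ConnectionName
    Get-Printer -Name $ConnectionName
}

# Usage (server names are placeholders):
# Test-PrinterPort -PrinterName 'ManagersPrinter' -ComputerName 'LON-CL1'
# Get-StuckPrintJob -ComputerName 'LON-CL1' | Format-Table PrinterName, Id, UserName, JobStatus
# Repair-PrintQueue -ComputerName 'LON-CL1' -RestartSpooler -Verbose
```

Run Get-StuckPrintJob on its own first and confirm the list is what you expect before calling Repair-PrintQueue; it removes every job the heuristic returns, including slow but legitimate ones that merely exceeded the age threshold.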

Lab B: Configuring Printers

Scenario
A. Datum Corporation wants to use shared printers in its environment.

Objectives
After you complete this lab, you will be able to create and share a local printer.

Lab Setup
Estimated Time: 10 minutes
Virtual machines: 20687D-LON-DC1, 20687D-LON-CL1, 20687D-LON-CL2
User names: Adatum\Administrator and Adatum\Ed
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in by using the following credentials:
   User name: Adatum\Administrator
   Password: Pa$$w0rd
5. Repeat steps 2 and 3 for 20687D-LON-CL1 and 20687D-LON-CL2. Do not sign in until directed to
   do so.

Exercise 1: Creating and Sharing a Local Printer

Scenario
You need to create and share a printer on one of the local systems and then test connectivity to it.
The main tasks for this exercise are as follows:
1. Add and share a local printer.
2. Configure printer security.
3. Sign in to LON-CL2 as Ed.
4. Connect to a network printer.

Task 1: Add and share a local printer

1. Sign in to LON-CL1 as Adatum\Administrator, and then open Control Panel.
2. Open the Add Printer Wizard.
3. Create and share a Microsoft OpenXPS printer named ManagersPrinter by using the Nul port.

Task 2: Configure printer security

1. Open the Print Management console.
2. Configure the ManagersPrinter so that Managers can print to it, and not Everyone.
3. Pause the ManagersPrinter.

Task 3: Sign in to LON-CL2 as Ed

Sign in to LON-CL2 as Adatum\Ed.

Task 4: Connect to a network printer

1. On LON-CL2, open the Add Printer Wizard.
2. Connect to ManagersPrinter.
3. Switch to LON-CL1, verify that the test page is in the ManagersPrinter queue, and then click Resume
   Printing.

Results: After completing this exercise, you should have created, shared, and tested a printer.
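Both the demonstration earlier in this lesson and this exercise (create a shared OpenXPS printer, restrict it to a group, pause it, connect from a client and check the queue) can be reproduced without the wizards, which is the form you would use to roll the same configuration out to many print servers. This is an added example, not the course's own lab steps. It assumes the lab names (LON-CL1, ManagersPrinter, Adatum\Managers, Ed as a member of Managers, the NUL: port) and that the "Microsoft OpenXPS Class Driver" is installed on Windows 8.1; the SDDL rights string SWRC for the Print permission is taken from the default printer security descriptor, so confirm it against the output of Get-Printer -Full on your own system.

```powershell
# Added example (not from the course): Lab B Exercise 1 with PrintManagement cmdlets and WMI.

# ---- On LON-CL1, in an elevated PowerShell session ----
function New-SharedNulPrinter {
    param([Parameter(Mandatory)][string]$Name,
          [string]$DriverName = 'Microsoft OpenXPS Class Driver',   # assumed present on 8.1
          [string]$PortName   = 'NUL:')
    if (-not (Get-Printer -Name $Name -ErrorAction SilentlyContinue)) {
        # NUL: discards output, so jobs can be queued and inspected without hardware.
        Add-Printer -Name $Name -DriverName $DriverName -PortName $PortName -Shared -ShareName $Name
    }
    Get-Printer -Name $Name
}

function Set-PrinterPrintOnlyGroup {
    # Replace every ACE granted to Everyone (SDDL alias WD) with Print access for one group.
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$Group)
    $sid  = (New-Object System.Security.Principal.NTAccount($Group)).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
    $sddl = (Get-Printer -Name $Name -Full).PermissionSDDL
    if ($sddl -notmatch '^(?<hdr>.*?D:[A-Z]*)(?<aces>(?:\([^)]*\))+)(?<tail>.*)$') {
        throw "Unexpected SDDL on ${Name}: $sddl"
    }
    $hdr = $Matches.hdr; $tail = $Matches.tail
    $keep = [regex]::Matches($Matches.aces, '\([^)]*\)') |
            ForEach-Object { $_.Value } | Where-Object { $_ -notmatch ';WD\)$' }
    # SW (0x8 = PRINTER_ACCESS_USE) + RC (READ_CONTROL) is what the GUI shows as "Print".
    $new  = $hdr + ($keep -join '') + "(A;;SWRC;;;$sid)" + $tail
    Set-Printer -Name $Name -PermissionSDDL $new
    $new
}

function Set-PrinterPaused {
    # There is no Pause-Printer cmdlet; Win32_Printer exposes Pause() and Resume().
    param([Parameter(Mandatory)][string]$Name, [switch]$Resume)
    $p = Get-WmiObject -Class Win32_Printer | Where-Object { $_.Name -eq $Name }
    if (-not $p) { throw "Printer $Name not found" }
    if ($Resume) { $p.Resume() | Out-Null } else { $p.Pause() | Out-Null }
}

New-SharedNulPrinter       -Name 'ManagersPrinter'
Set-PrinterPrintOnlyGroup  -Name 'ManagersPrinter' -Group 'Adatum\Managers'
Set-PrinterPaused          -Name 'ManagersPrinter'     # queue fills, nothing prints

# ---- On LON-CL2, signed in as Adatum\Ed (a member of Adatum\Managers) ----
# Add-Printer -ConnectionName '\\LON-CL1\ManagersPrinter'
# (Get-WmiObject Win32_Printer | Where-Object { $_.Name -eq '\\LON-CL1\ManagersPrinter' }).PrintTestPage()

# ---- Back on LON-CL1: the test page should be waiting; then release it ----
# Get-PrintJob -PrinterName 'ManagersPrinter' | Select-Object Id, DocumentName, UserName, JobStatus
# Set-PrinterPaused -Name 'ManagersPrinter' -Resume
```

Keep the SDDL that Set-PrinterPrintOnlyGroup returns: it is the complete security descriptor, and a negative test (connect as a user who is not in Managers and confirm the Add-Printer connection or the test page is refused) is the only way to prove the Everyone entry is really gone.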

Prepare for the next module

When you have finished the lab, revert all virtual machines back to their initial state:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687D-LON-CL2, and then click Revert.
3. In the Revert Virtual Machines dialog box, click Revert.
4. Repeat steps 2 and 3 for 20687D-LON-CL1 and 20687D-LON-DC1.

Module Review and Takeaways


Review Questions
Question: A. Datum is installing Microsoft Dynamics GP and has contracted with a vendor
to provide some custom programming work. Joseph, a senior IT desktop specialist at A.
Datum, has been asked to configure the File Permissions for the GP planning files that the
company will be accumulating. A. Datum has asked that all IT users be assigned Modify
permissions to the GP Implementation Planning folder. However, A. Datum only wants the
subfolder titled Vendor Contracts to be available for viewing by a select group of managers.
How can Joseph accomplish this by taking into account permission inheritance?
Question: Robin recently created a spreadsheet in which she explicitly assigned it NTFS file
permissions that restricted file access to herself only. Following the system reorganization,
the file moved to a folder on another NTFS partition, and Robin discovered that other users
were able to access the spreadsheet. What is the probable cause of this situation?

Best Practice: NTFS Permissions

Supplement or modify the following best practices for your own work situations:

To simplify the assignment of permissions, you can grant the Everyone group Full Control share
permission to all shares and use only NTFS file permissions to control access. A more defensive
approach is to restrict share permissions to the minimum required, which provides an extra layer of
security in case the NTFS permissions are configured incorrectly.

When permission inheritance is blocked, you have the option to copy existing permissions or begin
with blank permissions. If you only want to restrict a particular group or user, then copy existing
permissions to simplify the configuration process.

Best Practice: Managing Shared Folders

Supplement or modify the following best practices for your own work situations:

If the Guest user account is enabled on your computer, the Everyone group includes anyone who can reach
the share, including unauthenticated users. In practice, remove the Everyone group from any permission
lists and replace it with the Authenticated Users group.

Using a firewall other than the one supplied with Windows 8.1 can interfere with the network discovery
and file sharing features.

Tools
Use the following command-line tools to manage file and printer sharing.

Tool          Description
Net share     Share folders at the command prompt.
Net use       Connect to shared resources at the command prompt.
Icacls.exe    Configure NTFS file and folder permissions at the command prompt.
Compact.exe   Compress NTFS files and folders at the command prompt.
Pnputil.exe   Preinstall printer drivers in the driver store.
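The two best-practice lists above (share permissions as a second layer, Authenticated Users instead of Everyone, blocking inheritance by copying the existing ACEs) can be applied with the tools in the table. The script below is an added example, not from the course; the folder, share and group names are placeholders, and it uses New-SmbShare for the share layer and icacls.exe for the NTFS layer.

```powershell
# Added example (not from the course): a share whose effective access is decided by NTFS,
# with the share layer restricted to authenticated users, plus a subfolder that breaks
# inheritance (copying the inherited ACEs) to narrow access to one group.
function New-HardenedShare {
    param(
        [Parameter(Mandatory)][string]$Path,         # e.g. E:\Data\Planning (placeholder)
        [Parameter(Mandatory)][string]$ShareName,
        [Parameter(Mandatory)][string]$ModifyGroup   # e.g. 'Adatum\IT' (placeholder)
    )
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    # Share layer: Authenticated Users, not Everyone (Everyone includes Guest when Guest is on).
    # Change at the share plus Modify in NTFS yields Modify; the share never exceeds NTFS.
    if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name $ShareName -Path $Path `
                     -ChangeAccess 'NT AUTHORITY\Authenticated Users' | Out-Null
    }
    # NTFS layer: Modify for the working group; (OI)(CI) makes it inherit to files and subfolders.
    & icacls.exe $Path /grant "$($ModifyGroup):(OI)(CI)M" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $Path (exit $LASTEXITCODE)" }
}

function Protect-Subfolder {
    param(
        [Parameter(Mandatory)][string]$Path,         # subfolder under the share root
        [Parameter(Mandatory)][string]$RemoveGroup,  # group that inherited Modify from the parent
        [Parameter(Mandatory)][string]$ReadGroup     # select group that should only read
    )
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    # /inheritance:d = stop inheriting but COPY the inherited ACEs (the "copy existing
    # permissions" choice above); then remove the broad group and add read-only for the
    # narrow one. Starting from blank ACEs instead risks locking administrators out.
    & icacls.exe $Path /inheritance:d                       | Out-Null
    & icacls.exe $Path /remove:g $RemoveGroup               | Out-Null
    & icacls.exe $Path /grant "$($ReadGroup):(OI)(CI)RX"    | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $Path (exit $LASTEXITCODE)" }
}

function Get-AclSummary {
    # What a reviewer actually wants to see: who, what rights, inherited or explicit.
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -LiteralPath $Path).Access |
        Select-Object IdentityReference, FileSystemRights, IsInherited, AccessControlType
}

# Usage (placeholders mirror the review question above):
$root = 'E:\Data\GPPlanning'
New-HardenedShare -Path $root -ShareName 'GPPlanning' -ModifyGroup 'Adatum\IT'
Protect-Subfolder -Path "$root\Vendor Contracts" -RemoveGroup 'Adatum\IT' -ReadGroup 'Adatum\Managers'
Get-AclSummary -Path "$root\Vendor Contracts" | Format-Table -AutoSize
```

After running it, the summary for the subfolder should show no entry for the broad group and an explicit (IsInherited = False) ReadAndExecute entry for the narrow one; an unexpected inherited entry means /inheritance:d did not apply and the subfolder is still following its parent.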

Module 8
Implementing Network Security
Contents:
Module Overview                                            8-1
Lesson 1: Overview of Threats to Network Security          8-2
Lesson 2: Configuring Windows Firewall                     8-8
Lab A: Configuring Inbound and Outbound Firewall Rules     8-17
Lesson 3: Securing Network Traffic by Using IPsec          8-20
Lab B: Configuring IPsec Rules                             8-28
Lesson 4: Guarding Windows 8.1 Against Malware             8-30
Lab C: Configuring Malware Protection                      8-33
Module Review and Takeaways                                8-35

Module Overview

When computers are connected to a network, they are exposed to potential security threats. You need
to formulate a strategy to protect your computers. User policies, antivirus software, encrypted network
traffic, and other protective measures work together to help shield your Windows 8.1 computers from
security threats. It also is important to identify possible threats and to optimize appropriate
Windows-based network security features, such as Windows Firewall and Windows Defender, to help
eliminate them.

Objectives
After completing this module, you will be able to:

Describe the threats to network security.

Configure Windows Firewall.

Secure network traffic by using Internet Protocol security (IPsec).

Guard Windows 8.1 against malware.

Lesson 1

Overview of Threats to Network Security


Security is an integral part of any computer network, and you must consider it from many perspectives.
You must understand the nature of network-based security threats and be able to implement appropriate
security measures to mitigate these threats. In this lesson, you will learn about some of the network
security threats and the defense-in-depth strategy that helps you lessen your vulnerability to them. Finally,
you will learn about ways to mitigate the various network security threats that are discussed.

Lesson Objectives
After completing this lesson, you will be able to:

Describe defense-in-depth.

Identify common network security threats.

Describe options for mitigation of network security threats.

What Is Defense-in-Depth?
You can mitigate risks to your computer network
by providing security at different infrastructure
layers. The term defense-in-depth typically
describes the use of multiple security technologies
at different points throughout your organization.

Policies, Procedures, and Awareness


Physical security measures must complement
organizational policies regarding security best
practices. For example, enforcing a strong user
password policy is not helpful if users write their
passwords down on sticky notes and then attach
those notes to their computer screens. When you
establish a security foundation for your organization's network, it is a good idea to start by creating
appropriate policies and procedures, and make users aware of them. Then, you might progress to the
other aspects of the defense-in-depth model.
Even when you implement policies to prevent security problems, users can circumvent them, either by
plan or inadvertently. Some ways that users can compromise policies and procedures include:

Users are unaware of the policies. When users are unaware of policies, you cannot expect them to
follow them.

Users view the policies as unnecessary. If you do not adequately communicate the reasons for
policies, some users will think of them as unnecessary.

Social engineering. Users and computer administrators are vulnerable to social engineering, where
hackers manipulate them into violating policies or revealing sensitive data. An example of this is
when you receive an email that appears to be from your bank, asking you to update your account
information by following a link in the email that resolves to a website that does not belong to your
actual banking system.


Mitigation
You should consider taking the following actions to mitigate these threats:

Create specific policies that help prevent social engineering.

Educate users on policies and their relevance.

Implement compliance monitoring.

Physical Security

With respect to securing computer systems, enterprise administrators commonly overlook physical
security. If any unauthorized person can gain physical access to a computer, then most other security
measures are of little consequence. Make sure that computers that contain the most sensitive data, such
as servers, are physically secure.
In general, anyone who has physical access to computer systems can:

Damage systems. This can be as simple as storing a server next to a desk, where a user might
accidentally bump into it or spill a drink on it.

Install unauthorized software on systems. Hackers can use unauthorized software to attack systems.
For example, there are tools available to reset the administrator password on a Windows-based
workstation or member server.

Steal hardware. Hackers can steal laptops if you do not ensure that users secure them. They even can
steal servers, which often include extremely sensitive data and intellectual property, if you do not
secure them properly.

Mitigation
You should consider taking the following actions to mitigate these threats:

Restrict physical access by locking doors.

Monitor server room access.

Install fire suppression equipment.

Perimeter

No organization is an isolated enterprise. Organizations operate within a global community, and
network resources must be available to service that global community. Perimeter layer security refers
to the connectivity between your network and other untrusted networks. This might include building a
website to describe your organization's services or making internal services such as web conferencing
and email accessible externally so that users can work from home or from satellite offices.

Perimeter networks mark the boundary between public and private networks. By providing specialized
servers such as reverse proxy servers in your perimeter network, you can provide corporate services across
a public network in a more secure manner.
Note: You can use a reverse proxy server to publish services such as email or web services
from a corporate intranet without placing email or Web servers in the perimeter.
You also need to consider the following access issues:

Remote access client. Though you can control the conditions under which they can connect, these
client computers access your network from a remote location over which you have little or no control.
Because of this, these types of clients have access to more data than a typical Internet client that
connects to a webpage.


Business partners. You do not control the networks of business partners, which means that you
cannot ensure that they have appropriate security controls in place. Therefore, if a business partner
is compromised, the network links between your organization and that partner pose a risk.

Mitigation
You should consider taking the following actions to mitigate these threats:

Implement firewalls at network boundaries.

Implement network address translation (NAT).

Use virtual private networks (VPNs) and implement encryption.

Internal Networks
As soon as you connect computers to a network, they are susceptible to a number of threats. Internal
network layer security refers to services and processes on your internally controlled network, including
LANs and wide area networks (WANs). The latter includes Multiprotocol Label Switching (MPLS) circuits,
where you control all aspects of the network.

Security threats to an internal network include eavesdropping, spoofing, denial-of-service (DoS) attacks,
and replay attacks. This is especially relevant when communication occurs over public networks because
users are working from home, remote offices, or other locations, such as coffee shops.

Mitigation
You should consider taking the following actions to mitigate these threats:

Segment your network.

Implement IPsec.

Implement a network-based intrusion-detection system.

Host
The host layer refers to a network's individual computers. This includes the operating system, but not
application software. Host-layer security includes operating system services such as a Web server, and
hackers can compromise it through:

Operating system vulnerabilities. An operating system is complex. Consequently, there are
vulnerabilities that hackers often can exploit. Attackers can use these vulnerabilities to install malware
(malicious software) or to control hosts.

Default operating system configurations. Operating systems and their services include default
configurations. In some cases, the default configuration might not include a password or might
include sample files with vulnerabilities. Attackers use their knowledge of default configurations to
compromise systems.

Viruses that attack hosts. A virus uses operating system flaws or default configurations to infect a host
and replicate itself.

Mitigation
You should consider taking the following actions to mitigate these threats:

Harden operating systems.

Implement a host-based intrusion-detection system.

Use host-based antivirus, antimalware, and antispyware software, such as Windows Defender.


Application

The application layer refers to apps that run on hosts. This includes additional services such as mail servers,
and desktop apps such as the Microsoft Office System. The risks to apps are similar to the risks that hosts
face, which can include:

App vulnerabilities. Apps are complex programs that are likely to have vulnerabilities. Attackers can
use these vulnerabilities to install malicious apps or remotely control a computer.

Default app configurations. Apps such as databases might have a default password or no password at
all. Not securing the default configuration simplifies the work of attackers who attempt to access a
system.

Viruses that users introduce. In some cases, users introduce viruses by their actions rather than by
flaws. In other cases, an app actually is a Trojan horse that contains malicious code embedded in what
appears to be a useful app.

Mitigation
You should consider taking the following actions to mitigate these threats:

Run apps at the lowest level of permissions possible.

Install Microsoft and third-party app security updates.

Enable only required features and functionality for operating systems and apps.

Data

The final layer of security is the data security layer. This includes data files, app files, databases, and Active
Directory Domain Services (AD DS). When your data layer becomes compromised, it can result in:

Unauthorized access to data files. Unauthorized access to data files might result in unauthorized users
reading data, such as users inadvertently viewing the salaries of other staff members. It also might
result in data modification, which could cause it to be inaccurate.

Unauthorized access to AD DS. Hackers could reset user passwords and then attack your network by
using the new passwords.

Modification of app files. When app files are modified, they might perform unwanted tasks, such as
data replication over the Internet, where an attacker can access it.

Mitigation
You should consider taking the following actions to mitigate these threats:

Implement and configure suitable file permissions.

Implement encryption.

Implement rights management.

Note: File permissions was called NTFS permissions previously, but now it applies to both
NTFS and ReFS files and folders.

Common Network Security Threats


There are a variety of network security threats that fall into many categories. Common network-based
security threats include:

Eavesdropping. An eavesdropping attack occurs when a hacker captures network packets that
workstations connected to your network send and receive. Eavesdropping attacks might result in the
compromise of sensitive data such as passwords, which can lead to other, more damaging attacks.

Note: Eavesdropping also is known as network sniffing.


DoS attack. This type of attack limits the function of a network app, or it makes the app or network
resource unavailable. Hackers can initiate a DoS attack in several ways and often are aware of
vulnerabilities in the target app that they can exploit to render it unavailable. DoS attacks often are
performed by overloading a service that replies to network requests, like Domain Name System
(DNS), with a large number of fake requests in an attempt to overload and shut down a service or
the server that hosts the service.

Note: Hacking is a generic term that refers to the act of trying to crack a computer
program or code. When talking about network security, hacking is an important topic because
hackers will hack your network to attack it, your extended user base, or your cache of apps and
sensitive intellectual property.

Port scanning. Apps that run on a computer using the TCP/IP protocol use Transmission Control
Protocol (TCP) or User Datagram Protocol (UDP) ports to identify themselves. One way that attackers
exploit a network is to query hosts for the ports on which they listen for client requests. These ports
are said to be open. Once attackers identify an open port, they can use other attack techniques to
access a network.

Man-in-the-middle (MITM) attack. The network attacker uses a computer to impersonate a legitimate
host on the network with which your computers are communicating. The attacker intercepts all of the
communications that are intended for a destination host. The attacker might wish to view the data in
transit between the two hosts, but also can modify the data in transit before forwarding the packets
to the destination host.


Options for Mitigation of Network Security Threats


Attackers look for access into your network by
using a variety of tools and techniques. Once
they have found a way in, however minor
and apparently innocuous, they can exploit
that success and take the attack further. For
this reason, it is important to implement a
comprehensive approach to network security
to ensure that one loophole or omission does
not result in another.
You can use any or all of the following defense
mechanisms to protect your network from
malicious attacks:

IPsec. IPsec provides a way to authenticate IP-based communications between two hosts and, where
desirable, encrypt that network traffic.

Firewalls. Firewalls allow or block network traffic based on the type of traffic.

Perimeter networks. A perimeter network is an isolated area on your network to and from which you
can define network traffic flow. When you need to make network services available on the Internet,
it is not advisable to connect hosting servers directly to the Internet. By placing these servers in a
perimeter network, you can make them available to Internet users without letting those users gain
access to your corporate intranet.

VPNs. When users must connect to an organization's intranet from the Internet, it is important that
they do so as securely as possible. The Internet is a public network, and data in transit across the
Internet is susceptible to eavesdropping or MITM attacks. By using VPNs, you can authenticate and
encrypt connections between remote users and your organization's intranet, thereby mitigating risk.

Server hardening. By only running the services that you need, you can make servers inherently more
secure. To determine what services you require, you must establish a baseline of security among your
servers. It is sometimes difficult to determine precisely which Windows Server services you need to
support the functionality that you or your enterprise requires. Therefore, you can use tools such as
the Security Configuration Wizard or the Microsoft Baseline Security Analyzer to help you.

Intrusion detection. Although it is important to implement the preceding techniques to secure
your network, it also is sensible to monitor your network regularly for signs of attack. You can use
intrusion-detection systems to do this by implementing them on devices at the perimeter, such as
Internet-facing routers.

Domain Name System Security Extensions (DNSSEC). DNSSEC provides the ability for DNS servers
and resolvers to trust DNS responses by using digital signatures for validation. All signatures
generated are contained within the DNS zone itself in the new resource records. When a resolver
issues a query for a name, the accompanying digital signature is returned in the response. Validation
of the signature then is performed through the use of a preconfigured trust anchor. Successful
validation proves that no data modification or tampering has occurred.

Lesson 2

Configuring Windows Firewall


Windows Firewall provides built-in functionality that you can use to protect Windows 8.1 computers from
unauthorized access attempts or other unwanted incoming or outgoing traffic on a network. Unwanted
traffic often comes from Internet-based sources, but the network security of any computer also can be
compromised from a LAN or WAN. You can use Windows Firewall to filter incoming and outgoing traffic
based on the traffic's characteristics and the type of network to which a Windows 8.1 computer is
connected.

Lesson Objectives
After completing this lesson, you will be able to:

Describe network location profiles.

Explain how to configure basic firewall settings.

Explain how to configure Windows Firewall with Advanced Security.

Explain how to identify well-known ports.

Configure inbound and outbound rules.

Understanding Network Location Profiles


The first time that you connect a computer to a
network, you must select a network location,
which sets appropriate firewall and security
settings automatically. When you connect to
networks in different locations, choosing a
network location can help you ensure that your
computer is set to an appropriate security level
at all times.
Windows 8.1 uses network location awareness
(NLA) to uniquely identify networks to which a
computer is connected. NLA collects information
from networks, including IP address and media
access control (MAC) address data from important network components like routers and gateways to
identify a specific network.
There are three network location types:

Domain networks. These are networks at a workplace that attach to a domain. Use this option for any
network that allows communication with a domain controller. Network discovery is on by default, and
you cannot create or join a HomeGroup.

Private networks. These are networks at home or work where you know and trust the people and
devices on the network. When you select Home or work (private) networks, this turns on network
discovery. Computers on a home network can belong to a HomeGroup.

Guest or public networks. These are networks in public places. This location keeps the computer from
being visible to other computers. When you select the Public place network location, HomeGroup is
not available and network discovery is turned off.


You can modify the firewall settings for each type of network location from the main Windows Firewall
page. Click Turn Windows Firewall on or off, select the network location, and then make your selection.
You also can modify the following options:

Block all incoming connections, including those in the list of allowed programs.

Notify me when Windows Firewall blocks a new program.

Note: A system administrator can configure Windows Firewall settings by using Group
Policy.

The Public networks location blocks certain programs and services from running, which protects a
computer from unauthorized access. If you connect to a Public network and Windows Firewall is on, some
programs or services might ask you to allow them to communicate through the firewall so that they can
work properly.

Configuring Basic Firewall Settings


Windows 8.1 centralizes basic firewall information
in Control Panel, in the Network and Sharing
Center and System and Security items. In System
and Security, you can configure basic Windows
Firewall settings and access the Action Center
to view notifications for firewall alerts. In the
Network and Sharing Center, you can configure all
types of network connections, such as changing
the network location profile.

Firewall Exceptions

When you add a program to the list of allowed programs or open a firewall port, you are allowing
that program to send information to or from your computer. Allowing a program to communicate
through a firewall is like poking a hole in the firewall. Each time you make another hole, the computer
becomes less secure.

Generally, it is safer to add a program to the list of allowed programs than to open a port for the app. If
you open a port without scoping the port to a specific app, you make a hole in the firewall, and it stays
open until you close the port, whether a program is using it or not. If you add a program to the list of
allowed programs, you are allowing the app itself to poke a hole in the firewall, but only when necessary.
The holes are open for communication only when required by an allowed program or computer.
To add, change, or remove allowed programs and ports, click Allow an app or feature through Windows
Firewall in the left pane of the Windows Firewall page, and then click Change settings. For example, to
view performance counters from a remote computer, you must enable the Performance Logs and Alerts
firewall exception on the remote computer.
To help decrease security risks when you open communications, consider the following:

Only allow a program or open a port when necessary.

Remove programs from the list of allowed programs, or close ports when you do not require them.

Never allow a program that you do not recognize to communicate through the firewall.

Multiple Active Firewall Policies


Windows 8.1 includes multiple active firewall policies. These firewall policies enable computers to
obtain and apply a domain firewall profile, regardless of the networks that are active on the computers.
Information technology (IT) professionals can maintain a single set of rules for remote clients and those
that physically connect to an organization's network. To set up or modify profile settings for a network
location, click Change advanced sharing settings in the left pane of the Network and Sharing Center.

Windows Firewall Notifications

You also can display firewall notifications in the taskbar. Click Change notification settings in the left pane
of the Windows Firewall page, and then for each network location, check or clear the Notify me when
Windows Firewall blocks a new app check box.

Configuring Windows Firewall with Advanced Security


Although typical end-user configuration still
occurs via Windows Firewall in Control Panel,
you now can perform advanced configuration in
Windows Firewall with Advanced Security. This
snap-in is accessible in Control Panel from the
Windows Firewall page by clicking Advanced
settings in the left pane. The snap-in provides an
interface for configuring Windows Firewall locally,
on remote computers, and by using Group Policy.

Windows Firewall with Advanced Security is an example of a network-aware app. You can create
a profile for each network location type, and each profile can contain different firewall policies. For
example, you can allow incoming traffic for a specific desktop management tool when a computer is on
a domain network, but block traffic when the computer connects to public or private networks.
Network awareness enables you to provide flexibility on an internal network without sacrificing
security when users travel. A public network profile must have stricter firewall policies to protect against
unauthorized access. A private network profile might have less restrictive firewall policies to allow file and
print sharing or peer-to-peer discovery.

Windows Firewall with Advanced Security Properties

Use the Windows Firewall with Advanced Security Properties dialog box to configure basic firewall
properties for domain, private, and public network profiles. A firewall profile is a way of grouping settings,
including firewall rules and IPsec rules. Use the IPsec Settings tab on the Windows Firewall with Advanced
Security Properties dialog box to configure the default values for IPsec configuration options.
Note: To access the global profile settings in Windows Firewall with Advanced Security
Properties, perform one of the following procedures:

In the navigation pane, right-click Windows Firewall with Advanced Security, and then click
Properties.

In the navigation pane, select Windows Firewall with Advanced Security, and then in the Overview
section, click Windows Firewall Properties.

In the navigation pane, select Windows Firewall with Advanced Security, and then in the Actions pane,
click Properties.

The options that you can configure for each of the three network profiles are:


Firewall state. Turn on or off independently for each profile.

Inbound connections. Configure to block connections that do not match any active firewall rules,
block all connections regardless of inbound rule specifications, or allow inbound connections that do
not match an active firewall rule.

Outbound connections. Configure to allow connections that do not match any active firewall rules, or
block outbound connections that do not match an active firewall rule.

Settings. Configure display notifications, unicast responses, local firewall rules, and local IPsec rules.

Logging. Configure the following logging options:

Name. Use a different name for each network profile's log file.

Size limit (KB). The default size is 4,096. Adjust this if necessary when troubleshooting.

No logging occurs until you set one or both of the following two options to Yes:

Log dropped packets

Log successful connections
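The profile options listed above, set with the NetSecurity cmdlets that ship with Windows 8.1 rather than the Properties dialog box, as an added example that is not part of the course. The log file names are assumptions, and the log parser at the end reads the W3C text format that Windows Firewall writes.

```powershell
# Added example (not from the course). Run from an elevated Windows PowerShell prompt.

# Public profile: strict defaults for untrusted networks. Splatting keeps one setting per line.
$publicSettings = @{
    Profile               = 'Public'
    Enabled               = 'True'    # Firewall state
    DefaultInboundAction  = 'Block'   # Inbound connections: block when no active rule matches
    DefaultOutboundAction = 'Allow'   # Outbound connections: allow when no active rule matches
    NotifyOnListen        = 'True'    # Settings: notify when a new app is blocked
    LogFileName           = '%SystemRoot%\System32\LogFiles\Firewall\pfirewall-public.log'  # assumed
    LogMaxSizeKilobytes   = 4096      # the default size noted above; raise it while troubleshooting
    LogBlocked            = 'True'    # "Log dropped packets": nothing is written until this or LogAllowed is Yes
    LogAllowed            = 'False'   # "Log successful connections": noisy on busy hosts
    # AllowInboundRules = 'False' is the "block all connections regardless of inbound rules" choice.
}
Set-NetFirewallProfile @publicSettings

# Domain profile: rules arrive through Group Policy, so notifications are suppressed, and
# successful connections are logged too so that an audit can reconstruct who connected.
Set-NetFirewallProfile -Profile Domain -Enabled True -DefaultInboundAction Block `
    -NotifyOnListen False -LogBlocked True -LogAllowed True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall-domain.log'   # assumed

# Read back the effective settings for all three profiles.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction,
                  LogBlocked, LogAllowed, LogFileName

# The log is W3C text; its #Fields line is:
#   date time action protocol src-ip dst-ip src-port dst-port size tcpflags ... path
# Summarising dropped inbound packets by destination port is a quick first check both for
# "the app cannot connect" tickets and for noticing sustained probing of a host.
function Get-DroppedInboundByPort {
    param([string]$LogPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall-public.log")
    # Header lines start with '#'; data lines start with the ISO date.
    Get-Content -Path $LogPath |
        Where-Object { $_ -match '^\d{4}-\d{2}-\d{2} ' } |
        ForEach-Object {
            $f = $_ -split ' '
            if ($f[2] -eq 'DROP' -and $f[-1] -eq 'RECEIVE') {
                [pscustomobject]@{ Protocol = $f[3]; Source = $f[4]; DestPort = $f[7] }
            }
        } |
        Group-Object -Property DestPort |
        Sort-Object -Property Count -Descending |
        Select-Object Count, Name
}
Get-DroppedInboundByPort
```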

Windows Firewall with Advanced Security Rules

Rules are a collection of criteria that define what traffic you will allow, block, or secure with a firewall. You
can configure the following types of rules:

Inbound

Outbound

IPsec

Inbound rules

Inbound rules explicitly allow or block traffic that matches the rule's criteria. For example, you can
configure a rule to allow traffic that is secured by IPsec for Remote Desktop through the firewall, but
block the same traffic if IPsec does not secure it. You must use a separately configured IPsec rule to secure
the traffic.
When you first install the Windows operating system, Windows Firewall blocks all unsolicited inbound
traffic. To allow a certain type of unsolicited inbound traffic, you must create an inbound rule that
describes that traffic. For example, if you want to run a Web server, you must create a rule that allows
unsolicited inbound network traffic on TCP port 80. You can configure the default action that Windows
Firewall with Advanced Security takes, which is whether to allow or block connections when no inbound
rule applies.

Outbound rules

Windows Firewall allows all outbound traffic unless a rule blocks it. Outbound rules explicitly allow or
deny traffic originating from a computer that matches a rule's criteria. For example, you can configure a
rule to explicitly block outbound traffic to a computer by IP address through the firewall, but allow the
same traffic for other computers.

Inbound and outbound rule types


There are four different types of inbound and outbound rules:


Program rules. These control connections for a program. Use this type of firewall rule to allow a
connection based on the program that is trying to connect. These rules are useful when you are not
sure of the port or other required settings, because you only specify the path to the program's
executable (.exe) file.

Port rules. These control connections for a TCP or UDP port. Use this type of firewall rule to allow a
connection based on the TCP or UDP port number over which the computer is trying to connect. You
specify the protocol and the individual or multiple local ports to which the rule applies.

Predefined rules. These control connections for a Windows-based experience. Use this type of firewall
rule to allow a connection by selecting one of the programs or experiences from the list. Network-aware
programs that you install typically add their own entries to this list so that you can enable and
disable them as a group.

Custom rules. Configure these as necessary. Use this type of firewall rule to allow a connection based
on criteria that other types of firewall rules do not cover.

Consider the scenario in which you want to create and manage tasks on a remote computer by using the
Task Scheduler user interface. Before connecting to the remote computer, you must enable the Remote
Scheduled Tasks Management firewall exception on the remote computer. You can do this by using the
predefined rule type on an inbound rule.
Alternatively, you might want to block all web traffic on the default TCP Web server port 80. In this
scenario, you create an outbound port rule that blocks the specified port. The next topic discusses
well-known ports, such as port 80.

IPsec rules

Firewall rules and IPsec rules are complementary, and both contribute to a defense-in-depth strategy
to protect a computer. IPsec rules secure traffic as it crosses a network by using IPsec. Use IPsec rules to
specify that connections between two computers must be authenticated or encrypted. IPsec rules specify
how and when authentication occurs, but they do not allow connections. To allow a connection, create an
inbound or outbound rule. After an IPsec rule is in place, you can specify that inbound and outbound
rules apply only to specific users or computers.
You can create the following IPsec rule types:

Isolation rules. These isolate computers by restricting connections based on authentication criteria,
such as domain membership or health status. Isolation rules allow you to implement a server or
domain isolation strategy.

Authentication exemption rules. These designate connections that do not require authentication. You
can designate computers by specific IP address, an IP address range, a subnet, or a predefined group,
such as a gateway.

You typically use this type of rule to grant access to infrastructure computers, such as Active Directory
domain controllers, certification authorities (CAs), or Dynamic Host Configuration Protocol servers.

Server-to-server rules. These protect connections between specific computers. When you create
this type of rule, you must specify the network endpoints between which you want to protect
communications. Then, you designate requirements and the type of authentication that you want
to use, such as the Kerberos version 5 protocol. A scenario in which you might use this rule is to
authenticate the traffic between a database server and a business-layer computer.


Tunnel rules. These secure communications that travel between two computers by using tunnel mode
in IPsec instead of transport mode. Tunnel mode embeds the entire network packet into one that you
route between two defined endpoints.
For each endpoint, specify a single computer that receives and consumes the sent network traffic, or
specify a gateway computer that connects to a private network onto which the received traffic is
routed after extracting it from the tunnel.

Custom rules. Configure these as necessary. Custom rules authenticate connections between two
endpoints when you cannot set up authentication rules by using the other rule types.

Monitoring

Windows Firewall uses the monitoring interface to display information about current firewall rules, IPsec
rules, and security associations (SAs). The Monitoring page displays which profiles are active (domain,
private, or public), and the settings for the active profiles.

Windows Firewall with Advanced Security events are also available in Event Viewer. For example, the
ConnectionSecurity operational event log is a resource that you can use to view IPsec-related events. The
operational log is always on, and it contains events for IPsec rules.

Identifying Well-Known Ports


Before you configure either inbound or outbound firewall rules, you must understand how apps
communicate on a TCP/IP network. At a high level, when an app wants to establish communications with
an app on a remote host, it creates a connection to a defined TCP or UDP socket. The combination of the
following three parts defines a socket:

The transport protocol that the app uses, either TCP or UDP.

The Internet Protocol version 4 (IPv4) or Internet Protocol version 6 (IPv6) addresses of the source and
destination hosts.

The TCP or UDP port number that the apps are using. TCP or UDP communications use ports to name
the ends of logical connections that transfer data.

Well-Known Ports

The Internet Assigned Numbers Authority (IANA) assigns the well-known ports on most systems. Typically,
only system processes or programs that privileged users execute can use these ports. Ports receive a
number between 0 and 65,535 and fall into three ranges:

Well-known ports are those from 0 through 1,023.

Registered ports are those from 1,024 through 49,151.

Dynamic and private ports are those from 49,152 through 65,535.

To view the current TCP/IP network connections and listening ports, use the netstat -a command or the
Get-NetTCPConnection Windows PowerShell command-line interface cmdlet.

IANA assigns well-known ports to specific apps so that client apps can locate them on remote systems.
Therefore, to the extent that is possible, use the same port assignments with TCP and UDP. To view
a list of well-known ports and the associated services that are recognized by Windows 8.1, open the
C:\Windows\System32\drivers\etc\Services file. The following table identifies some well-known ports.

Port   Protocol   Application
21     TCP        File Transfer Protocol (FTP)
23     TCP        Telnet provides access to a command-line interface on a remote host
25     TCP        Simple Mail Transfer Protocol (SMTP) that email servers and clients use to send email
53     UDP        DNS
53     TCP        DNS
80     TCP        Hypertext Transfer Protocol (HTTP) that Web servers use
110    TCP        Post Office Protocol version 3 (POP3) that email clients use for email retrieval
143    TCP        Internet Message Access Protocol (IMAP) used for email retrieval from email clients
161    UDP        Simple Network Management Protocol (SNMP)
389    TCP        Lightweight Directory Access Protocol (LDAP)
443    TCP        Hypertext Transfer Protocol Secure (HTTPS) for secured Web servers
3389   TCP        Remote Desktop Protocol (RDP) is a proprietary protocol that provides a user with a
                  graphical interface to another computer

Typically, it is not necessary to configure applications to use specific ports. However, you must be aware of
the ports that applications use to ensure that the required ports are open through your firewall when you
use a port rule.
Remember that when you add a TCP or UDP port to the rules list, the port is open whenever Windows
Firewall with Advanced Security is running, regardless of whether there is a program or system service
listening for incoming traffic on the port. For this reason, if you need to allow unsolicited incoming traffic,
create a program rule instead of a port rule. With a program rule, the port opens and closes dynamically
as the program requires. You also do not need to be aware of the port number that the application uses.
If you change the application port number, the firewall automatically continues communication on the
new port.
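The following Windows PowerShell script is an added example, not part of the course material: it lists the local TCP listeners and UDP endpoints with Get-NetTCPConnection and Get-NetUDPEndpoint, names each one from the Services file mentioned above, and classifies its port into the three IANA ranges, so that you know what is actually listening before you write a port rule. It assumes Windows 8.1 or later with the NetTCPIP module and an elevated session (needed to resolve the owning process).

```powershell
# Added example (not part of the course material). Lists every TCP listener and UDP endpoint on
# the local computer, names it from the Services file described in the lesson, and classifies
# its port into the three IANA ranges. Assumptions: Windows 8.1 or later with the NetTCPIP
# module; an elevated session, so that the owning process of each endpoint can be resolved.

function Get-ServiceNameTable {
    # Parse "<name> <port>/<protocol> [aliases] [# comment]" lines into a PROTO/port -> name map.
    param([string]$Path = "$env:SystemRoot\System32\drivers\etc\services")
    $table = @{}
    foreach ($line in Get-Content -Path $Path) {
        $clean = ($line -split '#', 2)[0].Trim()      # strip trailing comments
        if (-not $clean) { continue }                  # skip blank and comment-only lines
        $fields = $clean -split '\s+'
        if ($fields.Count -ge 2 -and $fields[1] -match '^(\d+)/(tcp|udp)$') {
            $table["$($Matches[2].ToUpper())/$($Matches[1])"] = $fields[0]
        }
    }
    return $table
}

function Get-PortRange {
    # The three ranges named in the lesson text.
    param([int]$Port)
    if ($Port -le 1023)      { return 'Well-known' }
    elseif ($Port -le 49151) { return 'Registered' }
    else                     { return 'Dynamic/private' }
}

function Get-ListenerReport {
    $names = Get-ServiceNameTable
    # Get-NetTCPConnection is the cmdlet the lesson names; Get-NetUDPEndpoint covers UDP
    # listeners, which have no connection state.
    $tcp = Get-NetTCPConnection -State Listen |
        Select-Object @{n='Protocol';e={'TCP'}}, LocalAddress, LocalPort, OwningProcess
    $udp = Get-NetUDPEndpoint |
        Select-Object @{n='Protocol';e={'UDP'}}, LocalAddress, LocalPort, OwningProcess

    foreach ($ep in @($tcp) + @($udp)) {
        $key  = "$($ep.Protocol)/$($ep.LocalPort)"
        $proc = Get-Process -Id $ep.OwningProcess -ErrorAction SilentlyContinue
        $svc  = if ($names.ContainsKey($key)) { $names[$key] } else { '(not in Services file)' }
        $pname = if ($proc) { $proc.ProcessName } else { "PID $($ep.OwningProcess)" }
        [pscustomobject]@{
            Protocol     = $ep.Protocol
            LocalAddress = $ep.LocalAddress
            Port         = $ep.LocalPort
            Range        = Get-PortRange -Port $ep.LocalPort
            ServiceName  = $svc
            Process      = $pname
        }
    }
}

# Listeners in the well-known range that the Services file does not name deserve a closer look
# before you write a port rule for them; a program rule (see the text above) avoids the question.
Get-ListenerReport | Sort-Object Protocol, Port | Format-Table -AutoSize
```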

Demonstration: Configuring Inbound and Outbound Rules

In this demonstration, you will see how to configure inbound and outbound firewall rules for Windows
Firewall.

Demonstration Steps

Test Remote Desktop connectivity

1. Sign in to LON-CL2 as Adatum\Administrator with password Pa$$w0rd.
2. Open the Start screen, and then start Remote Desktop Connection.
3. Connect to LON-CL1, and then sign in as Adatum\Administrator with password Pa$$w0rd.
4. After verifying the connection, sign out of LON-CL1.

Configure an inbound rule

1. Switch to LON-CL1.
2. Sign in to LON-CL1 as Adatum\Administrator.
3. Open Control Panel, and then open Windows Firewall.
4. Create the following inbound rule:
   o Rule Type: Predefined
   o Rule Name: Remote Desktop
   o Predefined Rules: Remote Desktop Shadow (TCP-In), Remote Desktop User Mode (TCP-In), and
     Remote Desktop User Mode (UDP-In)
   o Action: Block the connection

Test the inbound rule

1. Switch to LON-CL2, open the Start screen, and then start Remote Desktop Connection.
2. Connect to LON-CL1.
3. Verify that the connection attempt fails.

Test outbound Remote Desktop connectivity

1. Switch to LON-CL1.
2. Open the Start screen, and then start Remote Desktop Connection.
3. Connect to LON-DC1, and then sign in as Adatum\Administrator.
4. After verifying the connection, sign out of LON-DC1.

Configure an outbound rule

1. On LON-CL1, restore the Windows Firewall with Advanced Security window.
2. Create a new program rule with the following properties:
   o Block connections from the C:\Windows\System32\mstsc.exe program
3. Name the rule Block Outbound RDP to LON-DC1.
4. Open the properties of the Block Outbound RDP to LON-DC1 rule, and then click the Scope tab.
5. Modify the scope so that the rule only applies to the remote IP address 172.16.0.10.

Test outbound Remote Desktop connectivity

1. Open the Start screen, and then start Remote Desktop Connection.
2. Attempt to connect to LON-DC1, which should fail immediately.
3. Close all open windows.

Lab A: Configuring Inbound and Outbound Firewall Rules


Scenario

Remote Desktop is enabled on all client systems through a Group Policy Object (GPO). However, as part
of your infrastructure security plan, you must configure certain desktops systems, such as the Human
Resources department systems, for limited exposure to remote connections. Before implementing firewall
rules in a GPO, you want to validate your plan by manually configuring the rules on local systems. You
decide to control this through local firewall rules that block traffic on the client systems, using LON-CL1 as
a test computer.

Objectives
After completing this lab, you will be able to:

Create an inbound Windows Firewall rule.

Create an outbound Windows Firewall rule.

Lab Setup
Estimated Time: 20 minutes
Virtual machines: 20687D-LON-DC1, 20687D-LON-CL1, 20687D-LON-CL2
User name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in by using the following credentials:
   o User name: Adatum\Administrator
   o Password: Pa$$w0rd
5. Repeat steps 2 through 4 for 20687D-LON-CL1 and 20687D-LON-CL2.

Exercise 1: Creating an Inbound Windows Firewall Rule


Scenario
To prevent incoming Remote Desktop connections, you must implement an inbound firewall rule on
LON-CL1 to block all incoming RDP traffic.
The main tasks for this exercise are as follows:

1. Test Remote Desktop connectivity.
2. Configure an inbound firewall rule.
3. Test the inbound firewall rule.

Task 1: Test Remote Desktop connectivity

1. Sign in to LON-CL2 as Adatum\Administrator.
2. Open the Start screen, and then start Remote Desktop Connection.
3. Connect to LON-CL1, and then sign in as Adatum\Administrator.
4. After verifying the connection, sign out of LON-CL1.

Task 2: Configure an inbound firewall rule

1. Sign in to LON-CL1 as Adatum\Administrator.
2. Open Control Panel, and then open Windows Firewall.
3. Create the following Inbound Rule:
   o Rule Type: Predefined
   o Rule Name: Remote Desktop
   o Predefined Rules: Remote Desktop Shadow (TCP-In), Remote Desktop User Mode (TCP-In), and
     Remote Desktop User Mode (UDP-In)
   o Action: Block the connection
4. Minimize the Windows Firewall with Advanced Security window.

Task 3: Test the inbound firewall rule

1. Switch to LON-CL2, open the Start screen, and then start Remote Desktop Connection.
2. Connect to LON-CL1.
3. Verify that the connection attempt fails.

Results: After completing this exercise, you should have created an inbound Windows Firewall rule.

Exercise 2: Create an Outbound Firewall Rule


Scenario

You must implement a firewall rule on LON-CL1 that prevents it from connecting to LON-DC1 with the
Remote Desktop Connection app.

The main tasks for this exercise are as follows:

1. Test Remote Desktop connectivity.
2. Configure an outbound rule.
3. Test the outbound rule.

Task 1: Test Remote Desktop connectivity

1. Switch to LON-CL1.
2. Open the Start screen, and then start Remote Desktop Connection.
3. Connect to LON-DC1, and then sign in as Adatum\Administrator.
4. After verifying the connection, sign out of LON-DC1.

Task 2: Configure an outbound rule

1. On LON-CL1, restore the Windows Firewall with Advanced Security window.
2. Create a new outbound rule with the following properties:
   o Rule Type: Program
   o Program: C:\Windows\System32\mstsc.exe
   o Action: Block the connection
   o Profile: Domain, Private, and Public
   o Name: Block Outbound RDP to LON-DC1
3. Open the Properties of the Block Outbound RDP to LON-DC1 rule, and then click the Scope tab.
4. Modify the scope so that the rule only applies to the remote IP address 172.16.0.10.

Task 3: Test the outbound rule

1. Open the Start screen, and then start the Remote Desktop Connection app.
2. Attempt to connect to LON-DC1, which should fail immediately.
3. Close all open windows.

Results: After completing this exercise, you should have configured and tested an outbound firewall rule.

Prepare for the next lab

When you finish the lab, leave the virtual machines running, as they are needed for the next lab.
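Both the demonstration and Lab A build the two Remote Desktop rules in the Windows Firewall with Advanced Security console. The following Windows PowerShell script is an added example, not part of the course material or the lab steps: it creates the same inbound and outbound rules with the NetSecurity cmdlets and reads back their action, program, and scope. It assumes an elevated Windows PowerShell session on LON-CL1 and that LON-DC1 has the address 172.16.0.10 given in the lab; the Test-NetConnection line is meant to be run from LON-CL2.

```powershell
# Added example, not part of the lab. Recreates Lab A with the NetSecurity module instead of
# the Windows Firewall with Advanced Security console. Assumptions: elevated Windows PowerShell
# on LON-CL1; LON-DC1 has the address 172.16.0.10 given in the lab.

# --- Exercise 1 equivalent: block inbound Remote Desktop --------------------------------
# The predefined Remote Desktop group already exists on the client. Setting its inbound rules
# to Block gives the same outcome as the lab's new Predefined rule with the Block action: a
# Block rule takes precedence over an Allow rule for the same traffic, including the allow rule
# that the GPO enabled.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -Enabled True -Action Block

# --- Exercise 2 equivalent: block outbound mstsc.exe to one address -------------------
# A program rule follows mstsc.exe whatever port it uses (see the port rule versus program rule
# discussion in the lesson), and -RemoteAddress does what the Scope tab does in the console.
$ruleName = 'Block Outbound RDP to LON-DC1'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound `
        -Program "$env:SystemRoot\System32\mstsc.exe" `
        -Action Block `
        -Profile Domain, Private, Public `
        -RemoteAddress 172.16.0.10 | Out-Null
}

# --- Verification -------------------------------------------------------------------------
function Get-RdpBlockSummary {
    # One object that shows the state of both rules, the way the console's Properties and Scope
    # tabs would.
    $inbound  = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
        Select-Object DisplayName, Enabled, Action
    $outbound = Get-NetFirewallRule -DisplayName $ruleName
    $scope    = $outbound | Get-NetFirewallAddressFilter
    $program  = $outbound | Get-NetFirewallApplicationFilter
    [pscustomobject]@{
        InboundRules   = $inbound
        OutboundAction = $outbound.Action
        OutboundScope  = $scope.RemoteAddress     # expect 172.16.0.10
        OutboundPath   = $program.Program
    }
}
Get-RdpBlockSummary | Format-List

# From LON-CL2, the inbound block shows as a failed TCP handshake on 3389 (RDP in the
# well-known ports table). Run this line on LON-CL2, not on LON-CL1:
# Test-NetConnection -ComputerName LON-CL1 -Port 3389 -InformationLevel Detailed

# Roll back when the test is finished (the course reverts the virtual machines instead):
# Remove-NetFirewallRule -DisplayName $ruleName
# Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
#     Set-NetFirewallRule -Action Allow
```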

Lesson 3

Securing Network Traffic by Using IPsec

IPsec is a suite of protocols that can protect data in transit through a network by using security services
and, optionally, digital certificates with public and private keys. Because of its design, IPsec helps provide
much better security than previous protection methods. Network administrators who use IPsec do not
have to configure security for individual programs.
You can use IPsec rules to configure IPsec settings for specific connections between your computer
and other computers. Windows Firewall with Advanced Security uses IPsec rules to evaluate network
traffic, and then it blocks or allows messages based on criteria that you establish in the rule. In some
circumstances, Windows Firewall with Advanced Security will block the communication. If you configure
settings that require security for a connection (in either direction), and the two computers cannot
authenticate each other, then IPsec blocks the connection. Once you enable and configure IPsec, it is
important that you know how to monitor IPsec.

Lesson Objectives
After completing this lesson, you will be able to:

Identify the benefits of IPsec.

Identify tools for configuring IPsec.

Describe IPsec rules.

Explain how to configure authentication.

Explain how to choose an authentication method.

Explain how to monitor connection security.

Configure IPsec rules.

Benefits of IPsec

You can use IPsec to ensure confidentiality, integrity, and authentication in data transport across channels
that are not secure. Though its original purpose was to secure traffic across public networks, many
organizations have chosen to implement IPsec to address perceived weaknesses in their own private
networks that might be susceptible to exploitation.

If you implement it properly, IPsec provides a private channel for sending and exchanging potentially
sensitive or vulnerable data, whether it is email, FTP traffic, news feeds, partner and supply-chain data,
medical records, or any other type of TCP/IP-based data.
IPsec:

Offers mutual authentication before and during communications.

Forces both parties to identify themselves during the communication process.

Enables confidentiality through IP traffic encryption and digital packet authentication.

IPsec Modes
IPsec has two modes:

Encapsulating security payload (ESP). This mode encrypts data using one of several available
algorithms.

Authentication Header (AH). This mode signs traffic, but does not encrypt it.

Providing IP Traffic Integrity by Rejecting Modified Packets

ESP and AH verify the integrity of all IP traffic. If a packet has been modified, the digital signature will
not match, and IPsec will discard the packet. ESP in tunnel mode encrypts the source and destination
addresses as part of the payload. In tunnel mode, a new IP header is added to the packet that specifies
the tunnel endpoints' source and destination addresses. ESP can use the Data Encryption Standard (DES),
Triple Data Encryption Standard (3DES), and Advanced Encryption Standard (AES) encryption algorithms
in Windows Server 2012 R2. As a best practice, avoid DES unless clients cannot support the stronger
encryption that AES or 3DES offer.

Providing Protection from Replay Attacks

ESP and AH use sequence numbers. As a result, any packets that hackers attempt to capture for later
replay use numbers that are out of sequence. Using sequenced numbers ensures that an attacker cannot
reuse or replay captured data to establish a session or gain information. Using sequenced numbers also
protects against attempts to intercept a message and use it to access resources, possibly months later.

Tools for Configuring IPsec


Some network environments are ideal for using IPsec as a security solution, while others are not. We
recommend IPsec for the following uses:

Packet filtering. IPsec functions in a limited capacity as a firewall for protected computers. You can
combine IPsec with the NAT and basic firewall functionality of the Routing and Remote Access Service to
allow or block inbound or outbound traffic.

Securing host-to-host traffic. You can use IPsec to encrypt traffic between servers, other devices with static
IP addresses, or network subnets. For example, you can use IPsec to secure traffic between domain
controllers in different sites, or between an application server and the database server that hosts the
application's database.

Securing traffic to servers. You can implement IPsec for all client computers that access a server. You
also can configure restrictions on the server, specifying which clients can connect.

Layer Two Tunneling Protocol (L2TP)/IPsec for VPN connections. You can combine the L2TP tunneling
protocol with IPsec, known as L2TP/IPsec, to provide additional data protection for VPN connections.

Site-to-site (gateway-to-gateway) tunneling. You can use IPsec to create site-to-site tunnels when you
need to connect to routers, gateways, or other network nodes that do not support L2TP/IPsec or
Point-to-Point Tunneling Protocol (PPTP) connections.

Enforcing logical networks (server/domain isolation). In a Windows-based network, you can isolate
server and domain resources logically to limit access to authenticated and authorized computers. For
example, you can create a logical network inside an existing physical network, where computers share
common requirements for secure communications. To establish connectivity, each computer in this
logically isolated network must provide authentication credentials to other computers.

This isolation prevents unauthorized computers and programs from gaining inappropriate access to
resources. IPsec ignores requests from computers that are not part of the isolated network. Server and
domain isolation can protect specific high-value servers and data, and it can protect managed
computers from unmanaged or rogue computers and users.
You can protect a network with two types of isolation:

Server isolation. To isolate a server, you configure specific servers to require an IPsec policy to accept
authenticated communications from other computers. For example, you might configure the
database server to accept connections from a web application server only.

Domain isolation. To isolate a domain, you use Active Directory domain membership to ensure that
computers that are domain members accept only authenticated and secured communications from
other domain-member computers. The isolated network consists only of that domain's member
computers, and domain isolation uses an IPsec policy to protect traffic between domain members,
including all client and server computers.

Note: IPsec depends on IP addresses for establishing secure connections. Using dynamic IP
addresses for both clients and servers, or at either end of an IPsec connection, can introduce
significant complexity to the design of an IPsec policy.

Considering IPsec for Special Scenarios


If you perform the following tasks when using IPsec, you must consider additional configuration
requirements:

Protect traffic over wireless 802.11 LANs. You can use IPsec to encrypt traffic over 802.11 networks.
However, you should not use IPsec for securing organizational 802.11 wireless LANs. You should use
Wi-Fi Protected Access 2 encryption and Institute of Electrical and Electronics Engineers, Inc. (IEEE)
802.1X authentication instead.
You also can use L2TP/IPsec VPN connections to protect remote access traffic over the Internet
between organizational networks.

Use IPsec in tunnel mode for remote access VPN connections. You should not use IPsec only for
Windows-based VPN clients and servers. Rather, use L2TP/IPsec or PPTP.

What Are IPsec Rules?


An IPsec rule forces authentication between two peer computers before they can establish a connection
and transmit secure information. Windows Firewall with Advanced Security uses IPsec to enforce the rules
listed below. The configurable rules are:

Isolation. An isolation rule isolates computers by restricting connections based on credentials, such as
domain membership or health status. Isolation rules allow you to implement an isolation strategy for
servers or domains.

Authentication exemption. You can use an authentication exemption to designate connections that
do not require authentication. You can designate computers by a specific IP address, an IP address
range, a subnet, or a predefined group, such as a gateway.

Server-to-server. A server-to-server rule protects connections between specific computers. This type of
rule usually protects connections between servers. When you create the rule, you specify the network
endpoints between which communications are protected. You then designate requirements and the
authentication that you want to use.

Tunnel. A tunnel rule allows you to protect connections between gateway computers, and typically,
you use it when you are connecting across the Internet between two security gateways.

Custom. Sometimes, you cannot set up authentication rules that you need by using the rules available
in the New Connection Security Rule Wizard. In such cases, you can use a custom rule to authenticate
connections between two endpoints.

How Firewall Rules and IPsec Rules Are Related

Firewall rules allow traffic through a firewall, but do not secure that traffic. To secure traffic with IPsec, you
can create connection security rules. However, creating a connection security rule does not by itself allow
the traffic through the firewall. If the firewall's default behavior does not allow the traffic, you must also
create a firewall rule. Connection security rules do not apply to programs and services; they apply between
the computers that are the two endpoints.

Configuring Authentication
When you use the New Connection Security Rule Wizard to create a new rule, you can use the
Requirements page to specify how you want authentication to apply to inbound and outbound
connections. If you request authentication, communication is still allowed when authentication fails. If
you require authentication, the connection is dropped when authentication fails.

Request Authentication for Inbound and Outbound Connections

Use the Request authentication for inbound and outbound connections option to specify that all inbound
and outbound traffic must attempt to authenticate, but that the connection is allowed if authentication
fails. If authentication succeeds, the traffic is protected. You typically use this option in low-security
environments or in an environment where computers must be able to connect, but they cannot perform
the types of authentication that are available with Windows Firewall with Advanced Security.

Require Authentication for Inbound Connections and Request Authentication for Outbound Connections

Use the Require authentication for inbound connections and request authentication for outbound
connections option if you want to require that all inbound traffic is either authenticated or blocked.
Outbound traffic attempts authentication, but it is allowed if authentication fails; if authentication
succeeds, the outbound traffic is protected. You typically use this option in most IT environments in
which the computers that need to connect can perform the authentication types that are available with
Windows Firewall with Advanced Security.

Require Authentication for Inbound and Outbound Connections

Use the Require authentication for inbound and outbound connections option if you want to require
that all inbound and outbound traffic either is authenticated or else blocked. You typically use this option
in higher-security IT environments where you must protect and control traffic flow, and in which the
computers that must be able to connect can perform the authentication types that are available with
Windows Firewall with Advanced Security.

Choosing an Authentication Method


The New Connection Security Rule Wizard has a page on which you can set up the authentication method
to configure the authentication credentials that you want clients to use. If the rule exists already, you can
use the Authentication tab in the Properties dialog box of the rule that you wish to edit.

Default

Select the Default option to use the authentication method that you configured on the IPsec Settings tab
of the Windows Firewall with Advanced Security Properties dialog box.

Computer and User (Kerberos V5)

The Computer and user (Kerberos V5) method uses both computer and user authentication, which means
that you can request or require both the user and the computer to authenticate before communications
continue. You can use the Kerberos V5 authentication protocol only if both computers and users are
domain members.

Computer (Kerberos V5)

The Computer (Kerberos V5) method requests or requires the computer to authenticate by using the
Kerberos V5 authentication protocol. You can use the Kerberos V5 authentication protocol only if both
computers are domain members.

User (Kerberos V5)

The User (Kerberos V5) method requests or requires the user to authenticate by using the Kerberos V5
authentication protocol. You can use the Kerberos V5 authentication protocol only if the user is a domain
member.

Computer Certificate
The Computer certificate method requests or requires a valid computer certificate to authenticate, and
you must have at least one CA to do this. Use this method if the computers are not part of the same
AD DS domain.

Only Accept Health Certificates

The Only accept health certificates method requests or requires a valid health certificate to authenticate.
Health certificates declare that a computer has met system health requirements, as determined by a
Network Access Protection (NAP) health policy server, such as all software and other updates that network
access requires. These certificates are distributed during the NAP health evaluation process. Use this
method only for supporting NAP.

Advanced

You can configure any available method, and you can specify methods for first authentication and second
authentication. First authentication methods include Computer (Kerberos V5), computer certificate, and
a Preshared key (not recommended). Second authentication methods include User (Kerberos V5), User
NTLM (Windows NT Challenge/Response protocol), user certificates, and computer certificates. Only
computers that are running Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows Server 2008,
Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2 support second
authentication methods.
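The following Windows PowerShell script is an added example, not part of the course material: it builds the first and second authentication sets that the Advanced option describes (computer Kerberos V5 with a computer certificate as fallback, then user Kerberos V5) and applies them through an isolation rule at any of the three requirement levels from the Requirements page. It assumes an elevated session on a domain-joined Windows 8.1 client; the CA distinguished name and all display names are chosen here for illustration and are not Windows defaults.

```powershell
# Added example, not from the course material. Builds the first and second authentication sets
# that the Advanced option describes and applies them through an isolation rule at one of the
# three requirement levels from the Requirements page. Assumptions: elevated Windows PowerShell
# on a domain-joined Windows 8.1 client; the CA name and the display names are illustrative.

# First authentication: computer Kerberos V5 for domain members, with a computer certificate as
# the fallback for peers outside the AD DS domain. A preshared key is deliberately not offered.
$firstAuth = @(
    (New-NetIPsecAuthProposal -Machine -Kerberos),
    (New-NetIPsecAuthProposal -Machine -Cert -Authority 'CN=Adatum Root CA' -AuthorityType Root)  # hypothetical CA
)
$phase1 = New-NetIPsecPhase1AuthSet -DisplayName 'Computer: Kerberos V5 or certificate' -Proposal $firstAuth

# Second authentication: user Kerberos V5. Together with $phase1 this is the "Computer and user
# (Kerberos V5)" method; peers older than Windows Vista cannot negotiate a second authentication.
$secondAuth = New-NetIPsecAuthProposal -User -Kerberos
$phase2 = New-NetIPsecPhase2AuthSet -DisplayName 'User: Kerberos V5' -Proposal $secondAuth

function New-IsolationRule {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        # The three options on the Requirements page, in the order the lesson discusses them.
        [ValidateSet('RequestBoth', 'RequireInboundRequestOutbound', 'RequireBoth')]
        [string]$Requirement = 'RequireInboundRequestOutbound',
        [string[]]$RemoteAddress = 'Any'
    )
    switch ($Requirement) {
        'RequestBoth'                   { $in = 'Request'; $out = 'Request' }  # connect even if auth fails
        'RequireInboundRequestOutbound' { $in = 'Require'; $out = 'Request' }  # unauthenticated inbound dropped
        'RequireBoth'                   { $in = 'Require'; $out = 'Require' }  # both directions must authenticate
    }
    New-NetIPsecRule -DisplayName $DisplayName `
        -Mode Transport `
        -InboundSecurity $in -OutboundSecurity $out `
        -Phase1AuthSet $phase1.Name -Phase2AuthSet $phase2.Name `
        -RemoteAddress $RemoteAddress `
        -Profile Domain
}

# The same rule the demonstration in this lesson creates, now with an explicit certificate fallback.
New-IsolationRule -DisplayName 'Authenticate all inbound connections' | Out-Null

# What the active policy store actually enforces. A connection security rule does not open the
# firewall: a separate firewall rule is still needed if the default behavior blocks the traffic.
Show-NetIPsecRule -PolicyStore ActiveStore |
    Where-Object DisplayName -eq 'Authenticate all inbound connections' |
    Format-List DisplayName, InboundSecurity, OutboundSecurity, Phase1AuthSet, Phase2AuthSet
```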

Monitoring Connection Security


Windows Firewall with Advanced Security is a stateful, host-based firewall that blocks incoming and
outgoing connections based on its configuration. Although a typical end-user configuration for Windows
Firewall still occurs via the Windows Firewall control panel item, advanced configuration now occurs in
the Microsoft Management Console (MMC) snap-in named Windows Firewall with Advanced Security.

The inclusion of this snap-in not only provides an interface for configuring Windows Firewall locally, but
also for configuring Windows Firewall on remote computers and through Group Policy. You also can use
Windows PowerShell to configure Windows Firewall policies throughout your environment. Windows
Firewall functions now integrate with connection security protection settings, reducing the possibility of
conflict between the two protection mechanisms.

Monitoring Options for Windows Firewall with Advanced Security

You can use the Windows Firewall with Advanced Security console to monitor security policies that you
create in the Connection Security Rules node. However, you cannot view the policies that you create by
using the IP Security Policy Management snap-in. These security options are for use with Windows Vista,
Windows 7, Windows 8, Windows 8.1, Windows Server 2008, Windows Server 2008 R2, Windows
Server 2012, and Windows Server 2012 R2. For older operating systems, such as Windows XP and
Windows 2000, you must use the Connection Security Rules node to view SAs and connections.

Monitoring Connection Security Rules

The Connection Security Rules node lists all of the enabled IPsec rules with detailed information about
their settings. Connection security rules define which authentication, key exchange, data integrity, or
encryption you can use to form an SA. The SA defines the security that protects the communication from
the sender to the recipient.

Implementing Connection Security Monitor

You can implement Connection Security Monitor as an MMC snap-in. It includes enhancements that you can
use to view details about an active connection security policy that the domain applies or that you apply
locally. Additionally, you can view Quick Mode and Main Mode statistics, and active connection security
SAs. You also can use Connection Security Monitor to search for specific Main Mode or Quick Mode
filters. To troubleshoot complex connection security policy designs, you can use Connection Security
Monitor to search for all matches for filters of a specific traffic type.

Changing Default Settings


You can change the Connection Security Monitor default settings, such as automatic refresh and DNS
name resolution. For example, you can specify the time that elapses between IPsec data refreshes.

Additionally, you can enable DNS name resolution for the IP addresses that you are monitoring. Note that
there are some issues to consider when enabling DNS. For example, it only works in a specific filter view
for Quick Mode and in SAs view for Quick Mode and Main Mode monitoring. There also is the possibility
that you can affect a server's performance if several items in the view require name resolution. Finally,
DNS name resolution requires a proper pointer (PTR) resource record in DNS.

Adding a Computer to Monitor

You can monitor computers remotely from a single console, but you must modify a registry value so that
the remote system accepts a console connection. Setting the
HKLM\system\currentcontrolset\services\policyagent\EnableRemoteMgmt registry value to 1 prevents the
"IPsec service is not running" error when you manage a computer remotely.

Obtaining Information About the Active Policy

You can get basic information about the current IP security policy in the Active Policy node of the IP
Security Monitoring snap-in to the MMC. During troubleshooting, this is useful to identify which policy
IPsec is applying to the server. Details such as the policy location and when it was modified last provide
key details when you are determining the current in-place policy.
To view the IPsec rules in the active policy store, you can use the following Windows PowerShell
command:

Show-NetIPsecRule -PolicyStore ActiveStore

Main Mode SA and Quick Mode SA

The Main Mode SA is the initial SA that is established between two computers. It negotiates a set of
cryptographic protection suites between both hosts. This initial SA allows Quick Mode key exchange to
occur in a protected environment. The Main Mode SA also is known as the Internet Security Association
and Key Management Protocol (ISAKMP) SA or Phase 1 SA. Main Mode establishes the secure environment
in which other keys are exchanged, as required by the IPsec policy.

A Quick Mode SA depends on the successful establishment of a Main Mode SA. A Quick Mode SA also is
known as an IPsec or Phase 2 SA. This process establishes keys based on the information that the policy
specifies. Quick Mode SAs establish protected transmission channels for the actual application IP data that
the policy specifies.

Monitoring SAs

The Security Associations folder lists all of the Main Mode and Quick Mode SAs with detailed information
about their settings and endpoints.

Main Mode

Main Mode statistics provide data about the total number of SAs created and invalid packet information.

Quick Mode

Quick Mode provides more detailed information about connections. If you are having issues with an IPsec
connection, Quick Mode statistics can provide insight into the problem.

Demonstration: Configuring an IPsec Rule


In this demonstration, you will see how to configure and monitor IPsec rules.

Demonstration Steps

Create a connection rule

1. On LON-CL1, open Control Panel, open Windows Firewall, and then open the Advanced settings.

2. Create a connection security rule that allows traffic on LON-CL1 with the following settings:

   o Rule: Isolation
   o Requirements: Require authentication for inbound connections and request authentication for outbound connections
   o Authentication: Computer and user (Kerberos V5)
   o Name: Authenticate all inbound connections

Test connectivity between LON-CL2 and LON-CL1

1. Switch to LON-CL2, open a Command Prompt window, and then ping LON-CL1.

2. Close the Command Prompt window.

Create a connection rule by using Windows PowerShell

Open an Administrator: Windows PowerShell window, and then run the following cmdlet:

Note: The ComputerKerberos and UserKerberos values used in the following cmdlet are case sensitive. Type the command as written, including case.

New-NetIPsecRule -DisplayName "Authenticate all inbound connections" -InboundSecurity Require -OutboundSecurity Request -Phase1AuthSet ComputerKerberos -Phase2AuthSet UserKerberos

Test connectivity between LON-CL2 and LON-CL1

1. Ping LON-CL1.

2. Open Control Panel, open Windows Firewall, and then open the Advanced settings.

3. Examine the Security Associations monitoring.

Examine the security associations on LON-CL1 by using Windows PowerShell

1. Switch to LON-CL1, and open an Administrator: Windows PowerShell window.

2. To examine the Main Mode Security Associations, run the following cmdlet:

   Get-NetIPsecMainModeSA

3. To examine the Quick Mode Security Associations, run the following cmdlet:

   Get-NetIPsecQuickModeSA

4. Revert the LON-DC1, LON-CL1, and LON-CL2 virtual machines to prepare for the next lab.
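The demonstration above proves only that ping succeeds. The following added example (not part of the course material) creates the same isolation rule from Windows PowerShell, confirms that it is in the active store, generates traffic to the peer, and then reads back the Main Mode (Phase 1) and Quick Mode (Phase 2) SAs so you can see what was actually negotiated. It assumes an elevated Windows PowerShell session on a domain-joined Windows 8.1 client (LON-CL2 in the demonstration), a peer named LON-CL1 that has a matching rule, and the SA property names of the Windows 8.1 NetSecurity module; an unknown property name passed to Format-List simply shows as empty and does not stop the script.

```powershell
# Added example, not part of the course material: create the demonstration's isolation
# rule, confirm it is effective, generate traffic to the peer, and then read back the
# Main Mode (Phase 1) and Quick Mode (Phase 2) SAs to see what was actually negotiated.
# Assumptions: elevated Windows PowerShell on a domain-joined Windows 8.1 client (LON-CL2 in
# the demonstration); the peer $Peer (LON-CL1) has a matching rule; property names follow
# the NetSecurity module's SA objects, and an unknown property just shows as empty.

$RuleName = 'Authenticate all inbound connections'
$Peer     = 'LON-CL1'

# 1. Create the rule only if it does not exist yet; New-NetIPsecRule happily creates a
#    second rule with the same display name, which makes later troubleshooting confusing.
if (-not (Get-NetIPsecRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetIPsecRule -DisplayName $RuleName `
        -InboundSecurity Require -OutboundSecurity Request `
        -Phase1AuthSet ComputerKerberos -Phase2AuthSet UserKerberos | Out-Null
}

# 2. Check the ActiveStore, which is what the firewall enforces after local policy and
#    GPOs are merged; a rule present only in the persistent store protects nothing.
$active = Get-NetIPsecRule -PolicyStore ActiveStore | Where-Object DisplayName -eq $RuleName
if (-not $active) { throw "'$RuleName' is not in the active store; check whether Group Policy overrides local rules." }
$active | Format-List DisplayName, Enabled, InboundSecurity, OutboundSecurity, Phase1AuthSet, Phase2AuthSet

# 3. Resolve the peer and send traffic so that IKE negotiates SAs (ICMP is not exempt
#    from IPsec by default, so a ping is enough to trigger the negotiation).
$peerIPs = (Resolve-DnsName -Name $Peer -Type A -ErrorAction Stop).IPAddress
Test-NetConnection -ComputerName $Peer -InformationLevel Quiet | Out-Null
Start-Sleep -Seconds 2   # give IKE a moment to finish before reading the SA tables

# 4. Phase 1: one SA per peer pair; shows which identities authenticated and with what suite.
$mm = Get-NetIPsecMainModeSA | Where-Object { $peerIPs -contains $_.RemoteEndpoint }
if (-not $mm) {
    throw "No Main Mode SA with $Peer. Either the peer has no matching rule (a Request-only side " +
          "then falls back to clear text and a Require side drops the traffic) or Kerberos failed."
}
$mm | Format-List LocalEndpoint, RemoteEndpoint, FirstAuthenticationMethod, SecondAuthenticationMethod,
                  CipherAlgorithm, HashAlgorithm, GroupId, LifetimeSeconds

# 5. Phase 2: the per-connection SAs that carry the application data; there are usually
#    two per flow (one per direction), each with its own ESP cipher and integrity algorithm.
Get-NetIPsecQuickModeSA | Where-Object { $peerIPs -contains $_.RemoteEndpoint } |
    Format-Table LocalEndpoint, RemoteEndpoint, Direction, EncapsulationMode,
                 EspCipherAlgorithm, EspHashAlgorithm, LifetimeSeconds -AutoSize
```

The useful check is step 4: if FirstAuthenticationMethod does not show Kerberos, or no Main Mode SA exists at all while ping still works, the traffic is flowing in clear text because the peer never answered IKE, which is exactly what the Request setting on the outbound side permits.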

Lab B: Configuring IPsec Rules


Scenario

A. Datum Corporation uses many outside consultants. The enterprise's management is concerned that if
consultants were on the company network, they might be able to connect to unauthorized computers.

Objectives
After completing this lab, you will be able to:

Create and configure IPsec rules.

Lab Setup
Estimated Time: 20 minutes
Virtual machines: 20687D-LON-DC1, 20687D-LON-CL1, 20687D-LON-CL2
User name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. The required virtual machines should
be running already from the preceding lab.

Exercise 1: Creating and Configuring IPsec Rules


Scenario

You have decided to test using secured connections between computers on sensitive segments of your
network.
The main tasks for this exercise are as follows:

1. Create an Internet Protocol security (IPsec) rule on LON-CL1.

2. Test connectivity between LON-CL2 and LON-CL1.

3. Create an IPsec rule on LON-CL2 by using the Windows PowerShell command-line interface.

4. Test connectivity between LON-CL2 and LON-CL1.

Task 1: Create an Internet Protocol security (IPsec) rule on LON-CL1

1. On LON-CL1, open Control Panel, and then open Windows Firewall.

2. Create a connection security rule that allows traffic on LON-CL1 with the following settings:

   o Rule: Isolation
   o Requirements: Require authentication for inbound connections and request authentication for outbound connections
   o Authentication: Computer and user (Kerberos V5)
   o Name: Authenticate all inbound connections

Task 2: Test connectivity between LON-CL2 and LON-CL1

1. Switch to LON-CL2, open a Command Prompt window, and then ping LON-CL1.

2. Close the Command Prompt window.

Task 3: Create an IPsec rule on LON-CL2 by using the Windows PowerShell command-line interface

On LON-CL2, open an Administrator: Windows PowerShell window, and then run the following cmdlet:

Note: The ComputerKerberos and UserKerberos values used in the following cmdlet are case sensitive. Type the command as written, including case.

New-NetIPsecRule -DisplayName "Authenticate all inbound connections" -InboundSecurity Require -OutboundSecurity Request -Phase1AuthSet ComputerKerberos -Phase2AuthSet UserKerberos

Note: The monitoring component for the newly created connection security rule might not be created in a timely fashion. To force the creation of the monitoring component, perform the following steps:

1. Open Control Panel, open Windows Firewall, and then navigate to the Advanced Security page.

2. Under the Connection Security Rules node, double-click Authenticate all inbound connections.

3. In the Description field, type Requires inbound authentication, and then click OK.

Task 4: Test connectivity between LON-CL2 and LON-CL1

1. Ping LON-CL1.

2. Open Control Panel, open Windows Firewall, and then open the Advanced settings.

3. Examine the Security Associations monitoring.

4. Switch to LON-CL1, and then open an Administrator: Windows PowerShell window.

5. To examine the Main Mode Security Associations, run the following cmdlet:

   Get-NetIPsecMainModeSA

6. To examine the Quick Mode Security Associations, run the following cmdlet:

   Get-NetIPsecQuickModeSA

Results: After completing this exercise, you should have created and tested IPsec rules.

Prepare for the next lab

When you finish the lab, leave the virtual machines running, as they are needed for the next lab.

Lesson 4

Guarding Windows 8.1 Against Malware

Malware might show up on computers and devices in your organization, despite your efforts to prevent it.
When this occurs, you must investigate it immediately and take appropriate action. Windows 8.1 includes
components that can help you identify and remove malware from computers in your environment.

Lesson Objectives
After completing this lesson, you will be able to:

Describe Windows 8.1 protection against malware.

Explain how to adjust Windows SmartScreen settings.

Explain how to configure scanning options in Windows Defender.

Windows 8.1 Protection Against Malware

Windows 8.1 contains two important features that help protect your computer against malware: Windows
SmartScreen and Windows Defender, which are described in the sections below.

Windows SmartScreen

The Windows SmartScreen safety feature in Windows 8.1 helps protect against apps that might contain
malware or perform unwanted operations on your computer. When an app is executed, Windows SmartScreen
queries the Microsoft SmartScreen online reputation databases to determine whether the app has been
identified as malicious. Windows SmartScreen then warns you before executing a potentially malicious app.

The SmartScreen filter that is built into Windows 8.1 and Internet Explorer scans incoming files, in addition
to visited sites, to determine the possibility that content might compromise your computer. If content
poses a risk, Windows SmartScreen will provide a warning to the user that the content or site might be
unsafe.

Windows Defender

Windows Defender helps protect your computer from spyware, malware, and viruses. Windows Defender
also is Hyper-V aware, meaning that it detects if Windows 8.1 is running as a virtual machine. Windows
Defender uses definitions to determine if software it detects is unwanted, and to alert you to potential
risks. To help keep definitions up-to-date, Windows Defender automatically installs new definitions as
they are released.

In Windows Defender, you can run a Quick, Full, or Custom scan. If you suspect that spyware has infected a
specific area of a computer, you can customize a scan by selecting specific drives and folders. You also can
configure the schedule that Windows Defender uses.
You can configure Windows Defender to exclude files, locations, file types, and processes from scans. Doing so
can make scans complete faster, but your computer will be less protected, so keep exclusions to a minimum
and review them periodically. When Windows Defender detects potential spyware activity, it stops the activity
and then raises an alert.

Alert levels help you determine how to respond to spyware and unwanted software. You can configure
Windows Defender behavior when a scan identifies unwanted software. You also are alerted if software
attempts to change important Windows operating system settings.
To help prevent spyware and other unwanted software from running on a computer, turn on Windows
Defender real-time protection.

Adjusting Windows SmartScreen Settings

Depending on the requirements of your organization, you can adjust Windows SmartScreen settings to alter
its functionality. You can configure Windows SmartScreen to treat unrecognized apps in one of three ways by
selecting one of these options:

o Get administrator approval before running an unrecognized app from the Internet (recommended)
o Warn before running an unrecognized app, but don't require administrator approval
o Don't do anything (turn off Windows SmartScreen)

Configuring Windows SmartScreen Settings

You can configure Windows SmartScreen settings by following this procedure:

1. From the Start screen, type SmartScreen.

2. In the Action Center window, click Change Windows SmartScreen settings.

3. In the Windows SmartScreen window, select the action you would like Windows SmartScreen to take when an unrecognized app is downloaded.
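When you have to audit or enforce this setting on many clients, the Action Center procedure above does not scale. The following added example (not from the course) reads and sets the same three options from Windows PowerShell. It relies on the fact that, on Windows 8 and Windows 8.1, the Action Center choice is stored in the SmartScreenEnabled string value under the Explorer registry key shown below, with the values RequireAdmin, Prompt, and Off; the function names are this example's own.

```powershell
# Added example, not from the course: read and set the Windows SmartScreen mode without
# the Action Center UI, for scripting or auditing many clients.
# Assumption (true for Windows 8/8.1): the Action Center choice is stored in the string
# value SmartScreenEnabled under the Explorer key below; RequireAdmin, Prompt and Off
# correspond to the three Action Center options. Writing HKLM needs an elevated session.

$SmartScreenKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'
$Modes = @{
    RequireAdmin = 'Get administrator approval before running an unrecognized app (recommended)'
    Prompt       = 'Warn before running an unrecognized app, but do not require administrator approval'
    Off          = 'Do nothing (Windows SmartScreen is turned off)'
}

function Get-SmartScreenMode {
    # Returns the configured mode; a missing value means nothing has ever set it and
    # Windows applies its default, which is RequireAdmin.
    $value = (Get-ItemProperty -Path $SmartScreenKey -Name SmartScreenEnabled `
              -ErrorAction SilentlyContinue).SmartScreenEnabled
    if ([string]::IsNullOrEmpty($value)) { 'RequireAdmin (default, value not set)' } else { $value }
}

function Set-SmartScreenMode {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('RequireAdmin', 'Prompt', 'Off')]
        [string]$Mode
    )
    # Weakening the setting is allowed, but never silently.
    if ($Mode -ne 'RequireAdmin') {
        Write-Warning "Setting SmartScreen to '$Mode' lowers protection against unrecognized downloads."
    }
    Set-ItemProperty -Path $SmartScreenKey -Name SmartScreenEnabled -Value $Mode -Type String
    "SmartScreen mode is now '{0}': {1}" -f $Mode, $Modes[$Mode]
}

# Audit, then enforce the recommended setting.
'Before: ' + (Get-SmartScreenMode)
Set-SmartScreenMode -Mode RequireAdmin
'After:  ' + (Get-SmartScreenMode)
```

If the Configure Windows SmartScreen Group Policy setting is applied to the computer, the policy value wins and the Action Center option is greyed out; in that case change the GPO rather than this value.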

Configuring Scanning Options in Windows Defender

Windows Defender includes automatic scanning options that provide regular scanning and on-demand
scanning for malware. The following table identifies the scanning options.

Scan option   Description
Quick         Checks the areas that malware, including viruses, spyware, and unwanted software, is most likely to infect.
Full          Checks all the files on your hard disk and all running programs.
Custom        Enables users to scan specific drives and folders.

As a best practice, you should schedule a daily Quick scan. At any time, if you suspect that spyware
has infected a computer, run a Full scan. When you run a scan, the progress displays on the Windows
Defender Home page. When Windows Defender detects a potentially harmful file, it moves the file to
a quarantine area and does not allow it to run or allow other processes to access it. Once the scan is
complete, choose to Remove or Restore Quarantined items and to maintain the Allowed list. A list of
Quarantined items is available from the Settings page. Click View to see all items. Review each item and
individually Remove or Restore each. Alternatively, if you want to remove all Quarantined items, click
Remove All.
Note: Do not restore software with severe or high alert ratings because it can put your
privacy and your computer's security at risk.

If you trust detected software, stop Windows Defender from alerting you to risks that the software might
pose by adding it to the Allowed list. If you decide to monitor the software later, remove it from the
Allowed list.

The next time Windows Defender alerts you about software that you want to include in the Allowed list,
in the Alert dialog box, on the Action menu, click Allow, and then click Apply actions. Review and remove
software that you have allowed from the Excluded files and locations list on the Settings page.

Advanced Scanning Options


When you scan the computer, you can choose from five additional options:

Scan archive files. Scanning these locations might increase the time that is required to complete a
scan, but spyware and other unwanted software can install itself and attempt to hide in these
locations.

Scan removable drives. Use this option to scan the contents of removable drives, such as USB flash
drives.

Create a system restore point. Use this option before applying actions to detected items. Because you
can set Windows Defender to remove detected items automatically, selecting this option allows you
to restore system settings.

Allow all users to view the full History results. Use this option to allow all users that sign into this
computer to see the scanning history. If you do not select this option, users will only see scan results
that relate to their files.

Remove quarantined files after: <Time>. Removes quarantined files after a set period. When you
enable this option, the default period is one month, but you can set it from one day to three months.

Lab C: Configuring Malware Protection


Scenario

You are planning to use Windows Defender to check for malware every day. You also want to ensure that
Windows Defender will quarantine any files that it considers a severe risk to your system's security.

Objectives
After completing this lab, you will be able to:

Configure Windows Defender.

Lab Setup
Estimated Time: 15 minutes
Virtual machines: 20687D-LON-DC1, 20687D-LON-CL1, 20687D-LON-CL2
User name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. The required virtual machines should
be running already from the preceding lab.

Exercise 1: Configuring Windows Defender


Scenario

You need to configure Windows Defender to perform a full scan every day at 2:00 A.M. Before
configuring Windows Defender, you plan to run a Quick scan. Finally, you want to configure the
default actions for Windows Defender to take and to check the items that you do not want it to scan.
The main tasks for this exercise are as follows:

1. Perform a Quick scan.

2. Test malware detection.

3. Examine the Windows Defender history.

Task 1: Perform a Quick scan

1. On LON-CL1, open Control Panel, and then open Windows Defender.

2. On the Home page, perform a Quick scan, and then review the results.

3. Close Windows Defender.

Task 2: Test malware detection

1. Open File Explorer, and then browse to E:\Labfiles\Mod08\Malware.

2. In the Malware folder, open sample.txt in Notepad. The sample.txt file contains a text string to test malware detection.

3. In the sample.txt file, delete both instances of <remove>, including the brackets and any extra lines or blank spaces.

4. Save and close the file. Windows Defender immediately detects a potential threat.

5. Shortly thereafter, sample.txt is removed from the Malware folder.

Task 3: Examine the Windows Defender history

1. Open Control Panel, and then open Windows Defender.

2. On the History tab, click View Details, and then review the results.

3. Remove any quarantined files.

4. Close Windows Defender.

Results: After completing this exercise, you should have configured and used Windows Defender.
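The exercise scenario asks for a daily full scan at 2:00 A.M., a quick scan first, quarantine as the default action for severe threats, and a review of what is excluded, but the tasks above only cover the on-demand part through the UI. The following added example (not part of the lab) does the whole scenario, together with the Advanced Scanning Options from the lesson, from an elevated Windows PowerShell session using the Defender module that ships in Windows 8.1. It assumes that Windows Defender is the active antimalware engine on the computer (a third-party product disables it) and uses the threat and preference property names of the Windows 8.1 Defender module.

```powershell
# Added example, not part of the lab: the Lab C scenario (quick scan now, a daily full scan
# at 02:00, quarantine for severe and high threats, a look at what is excluded) done from an
# elevated Windows PowerShell session with the Defender module that ships in Windows 8.1.
# Assumptions: Windows Defender is the active antimalware engine on this computer (a
# third-party product would have disabled it); property names are those of the Windows 8.1
# Defender module.

Import-Module Defender

# 1. Definitions first: a scan with stale signatures proves very little.
Update-MpSignature
$status = Get-MpComputerStatus
"Signatures dated {0}; real-time protection enabled: {1}" -f `
    $status.AntivirusSignatureLastUpdated, $status.RealTimeProtectionEnabled

# 2. Scheduled full scan every day at 02:00 (ScanParameters: 1 = quick scan, 2 = full scan).
Set-MpPreference -ScanParameters 2 -ScanScheduleDay Everyday -ScanScheduleTime '02:00:00'

# 3. The 'Advanced Scanning Options' from the lesson, expressed as preferences.
Set-MpPreference -DisableArchiveScanning $false `
                 -DisableRemovableDriveScanning $false `
                 -DisableRestorePoint $false `
                 -QuarantinePurgeItemsAfterDelay 30      # days; matches the UI default of one month

# 4. Default actions: severe and high threats go straight to quarantine instead of a prompt.
Set-MpPreference -SevereThreatDefaultAction Quarantine -HighThreatDefaultAction Quarantine

# 5. Exclusions are where protection is quietly weakened; list them and flag any that exist.
$pref = Get-MpPreference
foreach ($x in @($pref.ExclusionPath) + @($pref.ExclusionProcess) + @($pref.ExclusionExtension)) {
    if ($x) { Write-Warning "Exclusion in effect: $x" }
}

# 6. On-demand quick scan now, then review what was detected and what happened to it.
Start-MpScan -ScanType QuickScan
Get-MpThreatDetection | Sort-Object InitialDetectionTime -Descending |
    Format-Table InitialDetectionTime, ThreatID, ProcessName, ActionSuccess, Resources -AutoSize
Get-MpThreat | Format-Table ThreatName, SeverityID, IsActive -AutoSize

# 7. Remove all remaining detected threats (the equivalent of 'Remove All' on the History tab).
Remove-MpThreat
```

Run step 6 after Task 2 above and the sample.txt detection shows up in Get-MpThreatDetection with the path in Resources; the same query is what you would script for a fleet-wide check instead of opening the History tab on each client.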

Prepare for the next module


When you finish the lab, revert the virtual machines to their initial state:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20687D-LON-CL2, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20687D-LON-CL1 and 20687D-LON-DC1.

Module Review and Takeaways

Best Practice: Configuration Guidelines for Windows Firewall with Advanced Security
You can configure Windows Firewall with Advanced Security in the following ways:

1. Configure a local or remote computer by using either the Windows Firewall with Advanced Security snap-in for the MMC or the cmdlets in the NetSecurity module for Windows PowerShell.

2. Configure Windows Firewall with Advanced Security settings for many computers at once by using the Group Policy Management Console, or the NetSecurity cmdlets with the -PolicyStore parameter pointed at a GPO.

3. If you configure firewall logging by using Group Policy, ensure that the Windows Firewall service (MpsSvc) has explicit write access, granted to its service security identifier, to the log file location that you specify.

4. If you deploy Windows Firewall with Advanced Security by using Group Policy and then block outbound connections, ensure that you enable the outbound rules that Group Policy processing itself depends on, and do full testing in a test environment before deploying. Otherwise, you might prevent all of the computers that receive the policy from updating the policy in the future, unless you intervene manually.
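Guidelines 3 and 4 are easy to get wrong in the wrong order. The following added example (not from the course) builds a GPO-based outbound lockdown in the safe order: allow the traffic that Group Policy processing needs, set up logging with the firewall service's SID granted write access, and only then change the default outbound action. The GPO name, domain, and domain controller address are assumptions for illustration; the port list is the standard set a domain member needs for DNS, Kerberos, LDAP, and SYSVOL (SMB) access. It is meant to run from a management station against a GPO that already exists.

```powershell
# Added example, not from the course: guideline 4 done in the safe order. A domain GPO that
# blocks outbound traffic must still let clients reach their domain controllers, or they never
# receive the next version of the policy. The GPO name, domain and DC address are assumptions
# for illustration; the ports are the standard ones a member needs for DNS, Kerberos, LDAP and
# SYSVOL (SMB). Run from a management station with the GPO already created.

$Gpo = 'Adatum.com\Client Firewall Policy'   # assumed: existing GPO, written to via -PolicyStore
$DCs = '172.16.0.10'                          # assumed: LON-DC1; use the full DC list in production

# 1. Outbound allow rules to the DCs, created BEFORE the default action changes.
$allow = @(
    @{ Name = 'Allow DNS to DCs';      Protocol = 'UDP'; Port = 53  },
    @{ Name = 'Allow DNS-TCP to DCs';  Protocol = 'TCP'; Port = 53  },
    @{ Name = 'Allow Kerberos to DCs'; Protocol = 'TCP'; Port = 88  },
    @{ Name = 'Allow LDAP to DCs';     Protocol = 'TCP'; Port = 389 },
    @{ Name = 'Allow SMB to DCs';      Protocol = 'TCP'; Port = 445 }
)
foreach ($r in $allow) {
    New-NetFirewallRule -PolicyStore $Gpo -DisplayName $r.Name -Group 'Domain Access' `
        -Direction Outbound -Action Allow -Profile Domain `
        -Protocol $r.Protocol -RemotePort $r.Port -RemoteAddress $DCs | Out-Null
}
# The predefined Core Networking outbound rules (DHCP, ICMPv6, etc.) live only in the local
# store, so copy them into the GPO; otherwise the outbound block applies to them as well.
Get-NetFirewallRule -DisplayGroup 'Core Networking' -Direction Outbound |
    Copy-NetFirewallRule -NewPolicyStore $Gpo -ErrorAction SilentlyContinue

# 2. Logging (guideline 3): set the log path in the GPO, and on each client make sure the
#    firewall service's own SID (NT SERVICE\MpsSvc) can write there, or nothing gets logged.
Set-NetFirewallProfile -PolicyStore $Gpo -All `
    -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log' `
    -LogBlocked True -LogMaxSizeKilobytes 16384
# On the client (for example from a startup script):
#   icacls "$env:SystemRoot\System32\LogFiles\Firewall" /grant "NT SERVICE\MpsSvc:(OI)(CI)M"

# 3. Only now flip the default outbound action, and only on a pilot OU first: once a client
#    applies a policy that cuts it off from the DCs, the fix is a hand-edited local policy.
Set-NetFirewallProfile -PolicyStore $Gpo -All -DefaultOutboundAction Block

# 4. On a pilot client after gpupdate /force, confirm the effective (merged) result.
Get-NetFirewallProfile -PolicyStore ActiveStore |
    Format-Table Name, Enabled, DefaultInboundAction, DefaultOutboundAction, LogFileName -AutoSize
Get-NetFirewallRule -PolicyStore ActiveStore -Direction Outbound -Action Allow -Enabled True |
    Where-Object Group -eq 'Domain Access' | Format-Table DisplayName, Profile -AutoSize
```

Step 4 is the test the guideline calls for: if the Domain Access rules are missing from the ActiveStore on the pilot client, or gpupdate stops succeeding after the block is applied, fix the GPO before it reaches any other OU.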

Best Practice: Implementing Defense-in-Depth


Supplement or modify the following best practices for your own work situation:

Create specific rules that help prevent social engineering, and educate users on these rules and their
relevance.

Restrict physical access to servers by locking doors, and then monitor server room access.

Implement antivirus and antispyware software.

Implement host-based firewalls.

Best Practice: Windows Defender


Supplement or modify the following best practices for your own work situation:

When you use Windows Defender, you must have current definitions.

To help keep your definitions current, Windows Defender automatically installs new definitions as
they are released. You also can set Windows Defender to check online for updated definitions before
scanning.

When you scan your computer, before applying actions to detected items, you should select the
advanced option to Create a system restore point. Because you can set Windows Defender to remove
detected items automatically, selecting this option allows you to restore system settings in case you
want to use software that you did not intend to remove.

Review Questions
Question: You need to ensure that traffic passing between a computer in the perimeter
network and one that is deployed in the internal network is encrypted and authenticated.
The computer in the perimeter is not a member of your Active Directory Domain Services
(AD DS) forest. What authentication methods could you use if you attempted to establish an
IPsec rule between these two computers?
Question: If you want to ensure that only domain computers can communicate with other
domain computers, how can you achieve this with Windows Firewall?
Question: What does Windows Defender do to software that it quarantines?

Module 9

Configuring Resource Access for Domain-Joined Devices and Devices That Are Not Domain Members

Contents:
Module Overview                                                                  9-1
Lesson 1: Configuring Domain Access for Windows 8.1 Devices                      9-2
Lesson 2: Configuring Resource Access for Devices That Are Not Domain Members    9-9
Lesson 3: Configuring Workplace Join                                             9-17
Lesson 4: Configuring Work Folders                                               9-22
Lab: Configuring Resource Access for Devices That Are Not Domain Members         9-30
Module Review and Takeaways                                                      9-35

Module Overview

Before you can start working on a computer that is running the Windows 8.1 operating system, you must
sign in. Signing in to a computer is a mandatory step, and based on your computer's membership, you can
sign in with a local account, a domain account, or a Microsoft account. In an Active Directory Domain
Services (AD DS) environment, you typically would use a domain account exclusively because it has many
benefits. However, in today's world, users are not restricted to using company-owned computers only.
They commonly use their own devices for accessing company data. Windows 8.1 and Windows Server
2012 R2 have several new features such as Workplace Join, Work Folders, and Remote Business Data
Removal that are useful in such Bring Your Own Device (BYOD) scenarios. In this module, you will learn
about the benefits of domain accounts and Windows 8.1 features that are useful when administrators
need to control resource access for devices that are not domain members. You also will learn how to
configure and use Workplace Join and Work Folders.

Objectives
After completing this module, you will be able to:

Configure domain access for Windows 8.1 devices.

Configure resource access for devices that are not domain members.

Configure the Workplace Join feature in Windows 8.1.

Configure the Work Folders feature in Windows 8.1.

Lesson 1

Configuring Domain Access for Windows 8.1 Devices

A domain environment offers many advantages over workgroups, but it also has some specific
requirements, including that a device must join the domain before you can sign in to it with a domain
account. When you use a domain account, you can access resources such as network shares and printers
without entering your credentials again. Single sign-on (SSO) provides you transparent access to domain
resources. Windows 8 and newer versions enable you to connect your Windows account with your
Microsoft account and transparently access cloud-based services, such as OneDrive (formerly known as
SkyDrive) and Outlook.com.

Lesson Objectives
After completing this lesson, you will be able to:

Compare the features of local accounts and domain accounts.

Describe the benefits of a domain-based environment.

Describe the methods for adding a computer to a domain.

Add a computer to a domain.

Explain how to use a Microsoft account in Windows 8.1

Challenges of Todays Work Environments


In the past, companies allowed access to company apps and data only to users who logged on with a
domain account by using company-owned, domain member devices. However, this behavior is changing,
and companies are moving from a device-centric approach to a more user-friendly, people-centric
approach. In today's world, users expect that they will be able to work from any location, use their own
devices, and run company apps and access company data on those devices. This evolving user behavior
brings new challenges to company IT departments.

Users more commonly today are not utilizing traditional desktop computers. Devices come in various
form factors that did not exist a few years ago, such as smartphones and tablets, and they usually are
not domain members. Sometimes, devices are not domain members because the company does not
own them, and sometimes because their operating system, such as Windows RT or third-party operating
systems, cannot be joined to the domain. However, users are familiar with such devices from their
personal use and they want to use them for work. This is known as the Bring Your Own Device (BYOD)
scenario.

Previously, only domain member computers and domain accounts could access apps. This no longer is
the case. Users still have a domain account as proof of their identity, but they need to access the same
company apps from various devices, running on different hardware architecture and various displays,
without providing credentials each time. They want the same experience on their personal devices as they
have when working in a domain environment.

Company servers typically store data, and users expect to access it securely from anywhere and from any
device. This presents new challenges for companies, as users are accessing and storing a local copy of
the data on their personal devices. Administrators must be able to control not only which data users can
access, but also which data can be cached locally and how to remotely wipe company data if users leave
the company or lose their devices. Furthermore, administrators have to be able to wipe the company data
off users' personal devices without affecting their personal data.
New challenges to IT departments include:

Allowing users to work on the devices of their choice and providing consistent access to corporate
resources.

Unifying the environment, and providing unified application and device management for company-owned,
domain-joined devices along with BYOD devices.

Protecting company data, enforcing company policies and compliance requirements, and managing risk
regardless of where data is accessed from, or from which device.

Note: You can learn more about how Microsoft is addressing the challenges of today's work
environment in Understanding Access and Information Protection at
http://channel9.msdn.com/Events/TechEd/NorthAmerica/2013/WCA-B207

Local Accounts vs. Domain Accounts

When you want to sign in, you have to present some form of authentication. You typically sign in by
providing a user name and a password, although you can use other forms of authentication, such as a
picture password or a smart card. Authentication is the process that confirms your identity and provides
you with credentials after successful authentication.

Windows 8.1 stores a list of local users in the part of the registry called the Security Accounts Manager
(SAM) database. If a Windows 8.1 computer is a member of a workgroup, only local users can sign in. If a
Windows 8.1 computer is a member of an AD DS domain, you can sign in either as a local user or as a
domain user. The list of domain users is stored in AD DS, and one of the domain controllers performs the
authentication. Domain controllers are Windows-based servers on which you install the AD DS server role.
Users first authenticate and then can sign in locally: users provide their credentials, receive a security token,
and then the Start screen or desktop displays.
When you sign in as a local user, the computer to which you sign in authenticates you. If you sign in as a
domain user, a domain controller authenticates you. The computer on which you enter your credentials
trusts the domain controller, because the computer is a domain member. If you sign in to a Windows 8.1
computer as a local user and want to access a shared folder on a file server, there is an immediate
problem. The server does not trust the credentials that you present to it because you have been
authenticated by an unknown or untrusted computer. A file server only trusts its own identity store, its
own Security Accounts Manager, or AD DS, if the file server is a domain member. Therefore, if you want to
access a file server, you must sign in as a domain user, or the file server must have your user account in its
local Security Accounts Manager. If your local user name and password are identical on the file server and
the Windows 8.1 computer, the authentication process that occurs is transparent. This is pass-through
authentication. If, however, the logon names or passwords do not match, you will be prompted to enter
credentials that are valid for the file server that you attempt to access.

Centralizing your account store, and ensuring that all of your computers trust it, address the challenge of
using local accounts. AD DS provides a centralized account store that all domain-member computers will
trust. If you sign in with a domain account, you can access other domain computers, without providing
your user name and password again, by using SSO.
Question: Can you create a domain account on a Windows 8.1 computer?

Benefits of a Domain-Based Environment

A Windows 8.1 computer can be a workgroup or a domain member. If a computer is a workgroup
member, you can sign in only by using a local account. In a workgroup, each user must have a local user
account on each computer to which he or she needs to gain access. For example, if five users are using
five computers in a workgroup, and each user needs access to resources on all five computers, you would
need to create 25 user accounts. When a change occurs to a user account in a workgroup, such as when a
user changes their password, you must make the change to all the accounts for that user on every
computer in the workgroup. This ensures that the user continues to have access to all necessary resources.

You can set up a workgroup easily, and no server infrastructure is required for that. However, when
you need to manage more than just a few computers, you should not use a workgroup environment. A
domain-based environment has significant advantages. It provides centralized authentication services and
management for all domain-joined computers and domain users. If you need to set up a domain-based
environment, you must use Windows servers as domain controllers. Additionally, you will need additional
infrastructure such as Domain Name System (DNS) servers. A domain-based environment provides many
benefits when you need to manage more than a few computers and users. The following sections describe
some of the benefits that a domain-based environment provides.

Better Scalability

Domains are more scalable and can store and use billions of objects, such as domain users and computer
accounts. The key component of a Windows-based domain is AD DS. In AD DS, computers, similar to
users and groups, have accounts in the domain and are security principals. This means that computer
accounts have security identifiers (SIDs), can belong to groups, and can be given or denied access to
resources. All security principal accounts are treated as AD DS objects, and along with other objects are
stored in the AD DS database. The database resides on a domain controller. Domains can have any
number of domain controllers, and the AD DS database replicates to all domain controllers in the domain.
To provide redundancy and fault tolerance, even the smallest domains should have at least two domain
controllers.

Central Administration

Every domain controller stores an AD DS database. Any domain controller can perform authentication,
and you can modify domain objects on any writable domain controller. Consider a scenario where, as an
administrator, you connect to a domain controller and modify an AD DS object by creating, modifying, or
deleting domain users. You can perform these changes on any domain controller, and the changes to the
AD DS database replicate automatically from the domain controller on which you performed the change
to all other domain controllers.

Delegation of Control

In a domain environment, you can control permissions for every object in AD DS. Every AD DS object has
associated security settings, and by modifying the security of AD DS objects, you can delegate control in a
domain environment. For example, you can allow members of the Help Desk group to reset user account
passwords or site administrators to manage only AD DS objects at their site. You can delegate control at
different levels. For example, you can delegate permissions for the whole domain, for an organizational
unit (OU), or for a single computer account, and the delegation can be as specific as a single property.

Better Control and Event Logging

A domain environment enables you to control those computers and folders that a specific account can
access, and to log its actions. You cannot do this with workgroups. SSO enables you to enter credentials
once, and then access resources on different domain computers without having to enter credentials again.
Actions that a user performs, such as printing a document or reading a document from a file share, can be
logged on the system where the action occurs, and those events then can be forwarded to a single location.

Managing the Environment by Using Domain-Based GPOs

In a domain environment, you can use domain-based Group Policy Object (GPO) policies and preferences
that you can apply to many users and computers at once. You can use a GPO to set any setting that is
applicable to a user or computer, such as ensuring that computers get important security updates or that
users get mapped drives and printers prepopulated on their devices.
Question: How can you enable help desk employees to reset user passwords in a domain
environment? Which tool should you use?

Methods Used to Add a Computer to a Domain

When a computer joins a domain, it delegates the task of authenticating users to the domain. When a
user signs in to a computer with a domain account, a domain controller, rather than the local Security
Accounts Manager, authenticates the user. In other words, the computer now trusts another authority to
validate a user's identity. Trust between a domain member computer and its domain is established when
you join the computer to the domain. Because all domain member computers trust the domain, they also
trust each account that the domain authenticates. This allows users with a domain account to access
resources on all domain computers with a single account, and by entering their credentials only once,
because a domain environment provides the SSO capability.
Before you can add a computer to a domain, several conditions must be met:

A domain must exist before you can add a computer to it. If you add a computer to a workgroup,
a new workgroup is created when you add the first computer to it. However, before you can add a
computer to a domain, the AD DS domain must exist and at least one domain controller must be
reachable.

The computer must be able to locate a domain controller, which it typically does through DNS name
resolution. This means that the computer must have the correct TCP/IP settings.

You must have local administrator permissions for the computer. Only members of the local
Administrators group can add a computer to a domain.

You must have permissions to create a computer account in the domain, or a computer account must
exist, and you must have permissions to modify that account.

There are several different ways to add a computer to a domain. First, you can create a computer account
in a domain, which is prestaging a computer account. You then add the computer to a domain. You also
can add a computer to a domain, and a computer account is created automatically during that step.
Prestaging a computer account has two benefits. You can control the part of the AD DS domain in which
a computer object is created, and you can delegate control of who has permissions to add that computer
to a domain. If you add a computer to a domain and create its account in the same step, all computer
accounts are created in the same location of AD DS. By default, new computer accounts are created in the
Computers container.
Note: You can change the default AD DS location where new computer accounts are
created by using the redircmp.exe command.

As an administrator, you can prestage a computer account by using Active Directory tools such as Active
Directory Users and Computers or Active Directory Administrative Center, which are installed on a domain
controller by default. You can add a computer to a domain by configuring the computer's System
Properties dialog box or by using the Windows PowerShell command-line interface.
To add a computer to a domain, type the following Windows PowerShell cmdlet, and then press Enter:
Add-Computer -Credential adatum\administrator -DomainName adatum.com

When you use the Add-Computer cmdlet, you also can specify the AD DS location where the computer
account should be created. For example, type the following cmdlet, and then press Enter.
Add-Computer -Credential adatum\administrator -DomainName adatum.com -OUPath
"OU=NewComputerOU,DC=adatum,DC=com"

After you add a computer to the domain, you should restart it. You can restart a computer by using the
Restart-Computer cmdlet or the Power options on the Settings charm.
Question: Can a local administrator add a Windows 8.1 computer to a domain?

Demonstration: Adding a Computer to a Domain


In this demonstration, you will see how you can add a computer to a domain by modifying its system
properties and by using Windows PowerShell.

Demonstration Steps
Join a computer to a domain by using the UI
1. On LON-DC1, use Active Directory Users and Computers to verify that the LON-CL1 computer
account is not present in the Computers container.
2. Sign in to LON-CL1 as Admin with the password Pa$$w0rd.
3. Navigate to the System Properties Computer Name tab, and then join LON-CL1 to the
Adatum.com domain by using the adatum\administrator credentials.
4. Restart LON-CL1.
5. Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.
6. On LON-DC1, use Active Directory Users and Computers to verify that the LON-CL1 computer
account is created in the Computers container.

Join a computer to a domain by using Windows PowerShell
1. Sign in to LON-CL2 as admin with the password Pa$$w0rd.
2. Open Windows PowerShell with Administrator credentials.
3. Type the following command, and then press Enter:
Add-Computer -Credential adatum\administrator -DomainName adatum.com -OUPath
"OU=NewComputerOU,DC=adatum,DC=com"
4. Restart LON-CL2.
5. Sign in to LON-CL2 as Adatum\Administrator with the password Pa$$w0rd.
6. On LON-DC1, use Active Directory Users and Computers to verify that the LON-CL2 computer
account is created in the NewComputerOU organizational unit.
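The join prerequisites listed in the previous topic and the Windows PowerShell join from the demonstration, combined into one script as an added example that is not part of the course material. It uses the course's adatum.com domain, NewComputerOU, and adatum\administrator values; the two function names are my own, and it assumes an elevated Windows PowerShell session on the Windows 8.1 client that you want to join.

```powershell
# Added example, not from the course: check the join prerequisites, then join
# with Add-Computer. Domain, OU and account are the course's adatum.com values;
# the function names are constructed for this example.
$DomainName = 'adatum.com'
$OUPath     = 'OU=NewComputerOU,DC=adatum,DC=com'
$JoinUser   = 'adatum\administrator'

function Test-DomainJoinPrerequisites {
    param([Parameter(Mandatory = $true)] [string] $DomainName)
    $result = [ordered]@{}

    # Only members of the local Administrators group can join the computer,
    # and the session must be elevated for that membership to take effect.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $result.IsLocalAdmin = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # The client locates a domain controller through the DNS SRV record that
    # every AD DS domain registers. If this lookup fails, the client's TCP/IP
    # (DNS server) settings are wrong and the join cannot succeed.
    $srvName = "_ldap._tcp.dc._msdcs.$DomainName"
    try {
        $srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
        $result.DomainControllers = @($srv.NameTarget | Sort-Object -Unique)
    } catch {
        $result.DomainControllers = @()
    }

    # At least one of the domain controllers must be reachable.
    $result.ReachableDC = $null
    foreach ($dc in $result.DomainControllers) {
        if (Test-Connection -ComputerName $dc -Count 1 -Quiet) {
            $result.ReachableDC = $dc
            break
        }
    }

    $result.Ready = $result.IsLocalAdmin -and ($null -ne $result.ReachableDC)
    return [pscustomobject]$result
}

function Test-DomainJoinResult {
    # Run after the restart: confirms that the computer is a member of the
    # expected domain and that the secure channel (the trust) to a domain
    # controller works.
    param([Parameter(Mandatory = $true)] [string] $DomainName)
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    return (($cs.PartOfDomain) -and
            ($cs.Domain -eq $DomainName) -and
            (Test-ComputerSecureChannel))
}

$check = Test-DomainJoinPrerequisites -DomainName $DomainName
$check | Format-List

if (-not $check.Ready) {
    Write-Warning 'Join prerequisites are not met; fix the items above first.'
    return
}

# The account must be allowed to create (or, for a prestaged account, modify)
# the computer object. -OUPath places the object in NewComputerOU instead of
# the default Computers container; -Restart performs the required restart.
$cred = Get-Credential -UserName $JoinUser -Message 'Account that may join computers'
Add-Computer -DomainName $DomainName -OUPath $OUPath -Credential $cred -Force -Restart
```

After the restart, running Test-DomainJoinResult -DomainName adatum.com returns $true only when the computer is a member of adatum.com and the secure channel to a domain controller works.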

Using a Microsoft Account in Windows 8.1

A Microsoft account, known as Windows Live ID or Microsoft Passport in earlier versions, provides you with
a unified identity, which you can use for authenticating to Microsoft and other cloud-based services. You
can use this account regardless of where you are or the organization of which you are a member. Your
Microsoft account includes an email address and a password that you use to sign in to different services.
You already have a Microsoft account if you sign in to services such as OneDrive, Xbox LIVE, Outlook.com,
or Windows Phone. Even if you have a Microsoft account, you can sign up for a new one.
Note: All Microsoft account credentials are passed back to the Microsoft authentication
server through a Secure Sockets Layer (SSL) connection by using the Hypertext Transfer Protocol
Secure (HTTPS) protocol.


Windows 8.1 is highly integrated with Microsoft account functionality. You can sign in to Windows 8.1 as
a local user or a domain user, but you also can sign in by using a Microsoft account if your computer has
Internet connectivity and the account is associated with either a local or a domain account. When you use
a Microsoft account, you can synchronize some of the Windows 8.1 settings between devices. You can
control these settings in the PC Settings app. To access the PC Settings app, click the Settings charm, and
then click Change PC settings at the bottom of the Settings charm. In the PC Settings app, you can set
your account picture and desktop background, among other settings. After you set up Windows once,
your settings will synchronize between every computer you sign in to by using your Microsoft account.

When you connect a Microsoft account with your local or domain account, you can access Microsoft
cloud services such as OneDrive, and the Mail and Calendar apps. You can browse the Windows Store
even if you do not have a Microsoft account, but to download and install an app from the Windows Store,
you must sign up for a Microsoft account.
Small and medium environments typically use a Microsoft account to provide users access to, and
integration with, public cloud services, such as OneDrive. Enterprise environments typically implement
strict control and allow access only to company-owned resources. Typically, these environments use
integration with a Microsoft account less often.
Note: Your domain account or Group Policy settings might not allow you to connect a
Microsoft account or synchronize some settings.
You can disconnect your Microsoft account from your account whenever you want. To do so,
click Change PC settings on the Settings charm, click Accounts, and then click Disconnect your
Microsoft account.

Signing Up for a Microsoft Account

You also can use your Microsoft account to access Windows Intune, Microsoft Office 365, Windows
Azure, and other Microsoft cloud services. You can create a new Microsoft account at Outlook.com, or
you can use an address that you already have as your Microsoft account. To sign up for a Microsoft
account at the Microsoft account sign-up webpage, perform the following procedure:
1. Go to the Microsoft account sign-up webpage (http://go.microsoft.com/fwlink/?LinkID=291262).
2. To use your own email address for your Microsoft account, enter it. If your email provider supports
Post Office Protocol version 3, you can even manage your existing address in Windows Live Hotmail
or Outlook.com. If you want to create a Hotmail account, click Sign up now, and then create a new
email address for your Microsoft account.
3. Provide the rest of the information, and then read the Microsoft service agreement and the privacy
statement. If you agree to the terms, click I accept.
4. If you used an existing email address to sign up, you will need to verify it to prove that it is yours.
Question: Can you sign in to a Windows 8.1 computer by using a Microsoft account if the
computer does not have Internet connectivity?

Lesson 2

Configuring Resource Access for Devices That Are Not Domain Members

Domain-joined devices trust an AD DS domain. You can sign in to such devices by using domain
credentials, and you can access domain resources without entering your credentials again. Domain
controllers do not trust devices that are not domain members, and you do not have SSO benefits when
you want to access domain resources from such devices. The Open Mobile Device Management protocol
enables you to enroll and manage Windows 8.1 devices regardless of their domain membership. Because
Windows 8.1 mobile devices can have different form factors and are not necessarily domain-joined, it is
important to ensure that locally stored data is secure and that you can remotely wipe company data if the
device is lost or stolen. Workplace Join is one of the new Windows 8.1 features that provide this capability,
but you can manage Windows 8.1 devices that are not domain members also by using Windows Intune or
Microsoft System Center 2012 R2 Configuration Manager.

Lesson Objectives
After completing this lesson, you will be able to:

Describe the challenges of managing devices that are not domain members.

Explain how to manage data and settings on devices that are not domain members.

Describe the features of Open Mobile Alliance device management.

Describe the security features for devices that are not domain members.

Explain the purpose of the Remote Business Data Removal feature.

Describe how to manage devices that are not domain members by using Windows Intune and
Configuration Manager.

Challenges of Managing Devices That Are Not Domain Members

In the past, users could use only computers that were connected to a company's local area network (LAN)
to access company data. However, with the evolution of mobile technology and changing business
demands, users today expect to be able to work at any location and have access to all of their work
resources. Wireless access is available almost everywhere, and users more and more are eschewing
traditional desktops and laptop computers in favor of new devices, such as convertible laptops, tablets,
and smart phones. Users often use their own devices for accessing company data, and a BYOD scenario is
common. Therefore, users still expect to use company apps and data on their devices. Having local copies
of company data on user devices is a challenge for an Information Technology (IT) department, because
IT personnel must ensure that the data that is available, and devices' access to it, complies with company
policies and security practices.
All these changes and the rapid adoption of new types of devices are changing the standards-based
approach to managing a company's infrastructure. When a device is domain-joined, a company can
control it because the device has an account in AD DS. This ensures that a domain controller performs
authentication, that you can enforce company policies by using Group Policy, and that you can use
products such as Microsoft System Center Configuration Manager for collecting device inventories and
managing devices. When a device is not domain-joined, a company has limited, or no, control over it. This
is because authentication occurs locally, and the domain has no knowledge of who is using the device.
Domain accounts cannot sign in to a device, and you cannot use them for managing a device or deploying
apps. You also cannot apply domain Group Policy to devices that are not domain-joined.
Question: Your company uses a client/server-based accounting app that you cannot install
on the third-party operating system that is running on a users device. How can the user still
use the company accounting app from his device?

Managing Data and Settings on Devices That Are Not Domain Members
With the consumerization of IT, people often use their own devices for accessing company resources.
Such BYOD initiatives often are encouraged by a company. Windows 8.1 and Windows Server 2012 R2
include several features that make using devices that are not company-owned easier and more secure.
These features include:

Windows To Go. Windows To Go is a Windows 8.1 Enterprise feature that enables you to install
Windows 8.1 on universal serial bus (USB) flash media, and then start the device from that USB flash
media. You can customize and domain-join Windows To Go to provide the same environment as when
Windows 8.1 is installed locally. You can start your device with Windows To Go and work from a
company-approved environment while personal data on the device remains intact.

Virtual Desktop Infrastructure (VDI). The Windows Server 2012 R2 Remote Desktop Services
role implements VDI, which hosts multiple virtual desktops. These virtual desktops can include
Windows 8.1 virtual machines, to which you can connect from any device. They offer an experience
similar to using a local installation of Windows 8.1. You can use company apps and access company
data from a virtual desktop, but you must have network connectivity from your device to a virtual
desktop.

Workplace Join. Traditionally, devices either could be joined to a domain or be a workgroup member.
You could access company resources from domain-joined devices, but you could not access them
from a workgroup device without entering domain credentials. Workplace Join was introduced in
Windows 8.1 and requires that a domain has at least one Windows Server 2012 R2 member server.
When you join a device to a workplace, you get a certificate to access company resources, such as
internal websites and business apps. You also can allow an IT administrator to enable apps and services
on your device by using the Workplace Join feature.

The Open MDM protocol. You can use this protocol to manage mobile devices after they enroll in
the management system. Microsoft implemented support for the Open Mobile Device Management
(MDM) protocol in Windows 8.1, and you can use it for managing tablets and other BYOD devices
with third-party mobile device management products. The Open MDM protocol supports capabilities
such as inventory collection, settings management, application management, certificate provisioning,
Wi-Fi, virtual private network (VPN) profile management, and data protection.

Web Application Proxy. You can use Web Application Proxy for publishing web applications from
a company network to an external network. This enables users who are connected to an external
network to access and use a company's web applications from any device. Web Application Proxy
also enables Workplace Join for devices that are not connected to a company network.

Work Folders. You can use Work Folders to synchronize data from a company's Windows
Server 2012 R2 file server to your device. Work Folders functionality is similar to Offline Files, which
means that you can access and modify Work Folders content without network connectivity and
changes will synchronize back when network connectivity is restored. You can access Work Folders
from an external network if Web Application Proxy is implemented and you enable the device for
Workplace Join; domain membership is not required.

Remote Business Data Removal. In a BYOD scenario, users access company data from devices that
also contain their personal data. One of the Remote Business Data Removal features is to treat
company data differently than personal data. An administrator can configure company data to
be encrypted on a device. This ensures that if a user leaves the company or loses his or her device,
company data on the device automatically becomes inaccessible or is removed completely, while
the user's personal data remains intact.
Question: How does the Remote Business Data Removal feature enable you to comply with
a company security policy?

Overview of Open Mobile Alliance Device Management

The Device Management Working Group is part of the Open Mobile Alliance (OMA), and it specifies the
protocols and mechanisms for managing mobile devices, services access, and software on various devices.
The OMA has developed a client/server protocol that you can use to deliver configuration and
management commands from a device management server to the devices that it manages. Before you
can manage a device, you first must enroll it in the management system. A device presents its features to
a management server as a hierarchical device management tree named the DM Tree, and the
management of a device feature consists of the management of the DM Tree.

Microsoft is a member of the OMA, and it has implemented the Open MDM protocol in Windows 8.1.
Open MDM is a client/server protocol that you can use to manage mobile devices that are enrolled in
a management service. It does not require a domain environment. However, you first must assign the
device to the management server, and the device must trust the management server before the device
can be managed. Open MDM uses the HTTPS protocol between the server and the managed devices, which
means that a public key infrastructure (PKI) must be in place. Features that Open MDM can manage
depend on the implementation and on the device features. Open MDM supports the following features:

Inventory collection

Settings management

Application management

Certificate provisioning

Wi-Fi and VPN profile management

Data protection

The Open MDM protocol implements the Windows 8.1 Workplace Join feature. You also can manage
Windows 8.1 devices by using mobile device management products such as MobileIron or AirWatch.
For more information, see the OMA device management working group website.
Device Management
http://go.microsoft.com/fwlink/?LinkId=378235&clcid=0x409
[MS-MDM]: Mobile Device Management Protocol
http://go.microsoft.com/fwlink/?LinkId=378236&clcid=0x409
Question: Which Windows 8.1 feature is based on the Open MDM protocol? How can you
benefit from the Open MDM implementation in Windows 8.1?

Security Features for Devices That Are Not Domain Members


Windows 8.1 includes various security features that you can use in a domain or non-domain environment.
Some security features are new or improved in Windows 8.1 and can be especially beneficial on devices
that are not domain members. These security features include:

Mandatory sign-in. Before users can start working on a Windows 8.1 device, they first must sign in.
Sign-in is mandatory and by signing in, users prove their identity. Based on the sign-in, users get
different permissions and access to data. You can sign in to Windows 8.1 by using a local account, a
Microsoft account, or a domain account.

Biometrics. You can authenticate users in all Windows 8.1 editions by using biometrics such as a
fingerprint. You also can use biometric authentication when you are signed in already, such as when
you want to establish a remote access connection, authenticate in a User Account Control dialog box,
or access Windows Store apps, their features, a certificate release, and more.

Pervasive device encryption. By default, Windows RT and Windows 8 encrypt all locally stored data on
a device. All Windows 8.1 editions include a similar feature, which you can enhance further by using
BitLocker Drive Encryption protection in the Pro and Enterprise editions. Windows 8.1 also supports the
Encrypted Hard Drives feature, which uses hard drives that are self-encrypting at the hardware level and
perform full-disk hardware encryption.

Malware resistance. Windows 8.1 includes Windows Defender, which is an antivirus and antimalware
solution. Windows Defender scans for thumbprints of known malicious software (also called malware),
but it also includes network behavior monitoring, which detects unusual and suspicious behavior and
stops the execution of unknown malware. Internet Explorer 11 uses Windows Defender to scan
downloaded content (for example, ActiveX controls) before potentially harmful content is run.

Assigned access. Assigned access is included in all Windows 8.1 editions and in Windows RT 8.1. By
configuring assigned access, you can enable a single Windows Store app experience on a device. A
restricted and locked-down environment previously was known as the kiosk mode. You can use
assigned access to limit user accounts to a single app that you select. You can sign out of assigned
access by quickly pressing the Windows logo key five times. You can use assigned access only with
standard user accounts.

Remote Business Data Removal. When you access company data from Windows 8.1 and a local copy
of the data is stored on a device, you can configure such data as company data, encrypt it, and then
remotely wipe it if the device is lost or stolen. The Remote Business Data Removal feature can remove
the local copy of company data while user data on the device remains intact. Work Folders support
this feature, and you can implement this in other client apps. If you want to wipe data remotely or
make it inaccessible, you must use Windows Intune, Configuration Manager, or a similar product to
manage the device.

Internet Explorer 11. Internet Explorer 11 is included in Windows 8.1 and it provides many
improvements, such as faster webpage loads, side-by-side browsing, enhanced pinned site
notifications, and synchronization of app settings such as favorites and tabs across all your
Windows 8.1 devices. Internet Explorer 11 also uses an antimalware app on your device to scan
downloaded content before it runs.

Remote Business Data Removal


The Remote Business Data Removal feature enables you to wipe data on a device selectively, without
user interaction. In the past, you could wipe all the data on a managed device and set it into its initial
state. Windows 8.1 can differentiate between company and personal data, and can prevent access to
company data or wipe it on a device, while keeping the user's personal data intact. If you want to benefit
from the feature, local apps on a Windows 8.1 device must support the Remote Business Data Removal
feature, and you must manage the device by using Windows Intune or Configuration Manager.

Windows 8.1 includes Work Folders, which you can use with the Remote Business Data Removal feature.
When you use Work Folders, a local copy of the files is stored on the device, and you can configure
device policies to protect the local copy of the files by encrypting them and to require a password on the
device. However, in BYOD scenarios, devices can use different form factors, and with an increase in device
mobility, devices can sometimes be lost or stolen. You typically want to remove company data from such
devices and from all other user devices if a user leaves the company.
Note: The Work Folders feature can only store company data safely on a user device by
encrypting it; it cannot wipe the company data remotely.

If a user device is lost or stolen, the user can initiate a remote wipe for his or her device from
Windows Intune Company Portal if the organization is using Windows Intune to manage the device. An
administrator can initiate a remote wipe for any managed device from the Windows Intune Administrator
Console, from the Configuration Manager console, or from a third-party management product that uses
MDM.

For more information, refer to:

Protecting Corporate Data on Mobile Devices by using Configuration Manager and
Windows Intune
http://go.microsoft.com/fwlink/?LinkId=378237&clcid=0x409

For more information about data removal by using Windows Intune, see the following webpage at the
Windows Intune Help website.
What Happens if You Remove or Reset a Device Using the Company Portal
http://go.microsoft.com/fwlink/?LinkId=378238&clcid=0x409
Question: Can you use Remote Business Data Removal to wipe company data selectively
and remotely from a lost Windows 8 device that you are managing by using Windows
Intune?

Managing Devices That Are Not Domain Members by Using Windows Intune and Configuration Manager

In a domain environment, you can manage computers centrally by using Group Policies. Managing
computers and devices that are not domain members is challenging because AD DS does not list them,
and domain settings do not apply to them. You can manage devices that are not domain members by
using different solutions, including Windows Intune and Configuration Manager.

Windows Intune

Windows Intune is a cloud-based system for securing, managing, and monitoring devices that are running
Windows and operating systems that are not based on Windows. You can use Windows Intune to manage
domain-joined devices and devices that are not domain members. This makes Windows Intune well
suited to:

Manage devices in remote locations that are not part of the domain.

Manage devices that are out of the office for extended periods.

Manage devices that users purchase, and with which they access company resources.

Windows Intune does not require any on-premises infrastructure to manage supported devices and only
requires Internet connectivity. After you configure a device to be managed by Windows Intune, the
device's account is created in Windows Intune, and you can now manage that device centrally.

Benefits of Windows Intune

Windows Intune provides several benefits, including:

Updates. Windows Intune ensures that the installation of updates occurs on client computers. All
updates through Windows Update are available with Windows Intune, and you can deploy other,
non-Microsoft updates by using Windows Intune. You can control which updates are approved for
installation on specific computers. You can approve updates manually or create automatic approval
rules. These rules approve updates automatically when they become available, based on the product
that they update and the update classification. You also can review updates that clients require and
generate update reports.

Endpoint Protection. Windows Intune includes Windows Intune Endpoint Protection, which
provides real-time protection against malware such as viruses and spyware. Endpoint Protection also
can scan files and running programs periodically to mitigate detected threats and provide you with
notifications. Endpoint Protection replaces Windows Defender, which is included in Windows 8.1 by
default, but does not provide central management.

Software deployment. You can use Windows Intune for deploying software on Windows devices and
devices that are not based on Windows. You can add software by uploading it to Windows Intune,
configuring its properties, and then deploying it to target devices or user groups.

Monitoring and alerting. Windows Intune can monitor client computers and raise an alert when
certain criteria are met, such as when an event log is full, free disk space is low, or a Microsoft Office
app is using a large amount of memory. Alerts display in the Windows Intune administrator console,
and you also can configure them to be sent to a specified email recipient.

Reporting. Windows Intune provides several reports, such as detected software on client computers,
client computer inventory, and update reports on a company's use of licenses. You can generate and
view reports based on a set of report criteria, such as update classification, update status, device
group, or available disk space.

For more information, refer to:

Enable users to work anywhere on the device of their choice
http://go.microsoft.com/fwlink/?LinkId=378239&clcid=0x409

System Center 2012 R2 Configuration Manager

Configuration Manager is an on-premises solution for managing computers and devices. You can use it
to manage domain-joined devices and devices that are not domain members. Configuration Manager
includes a Windows Intune connector, which enables you to manage Windows Intune clients in the
Configuration Manager console to provide an integrated solution.

Benefits of System Center 2012 R2 Configuration Manager

Configuration Manager provides many benefits, including:

Deploy applications. You can target applications to users rather than devices, and Configuration
Manager determines the best way to deliver that application to the user from a specific device,
whether the device is mobile, a remote desktop, or a PC. You can track and monitor application
deployment.

Manage Endpoint Protection. Managing Microsoft System Center 2012 R2 Endpoint Protection from
within Configuration Manager allows you to use a single console to manage PCs and devices.

Deploy software updates. Configuration Manager uses the basic infrastructure of Windows
Server Update Services (WSUS) to provide software updates. Without Configuration Manager, WSUS
is limited to distributing software updates from Microsoft. Configuration Manager extends the
capabilities of WSUS to include third-party product updates.

Inventory hardware and software. Configuration Manager includes hardware and software inventory
capabilities. You can use the inventory to identify which PCs in your organization are capable of
running specific software or operating systems.

Track license compliance for software. You can use the Asset Intelligence and software metering
features in Configuration Manager to track license compliance. In Asset Intelligence, you import
licensing information and correlate it with the software inventory. Software metering tracks when
applications are used.

For more information, see System Center 2012 R2 on the Microsoft website.
System Center 2012 R2 Configuration Manager
http://go.microsoft.com/fwlink/?LinkId=378240&clcid=0x409
Question: What must you first do before you can manage a Windows 8.1 device by using
Windows Intune?

Lesson 3

Configuring Workplace Join

When a device is domain-joined, you can access company resources without entering credentials each
time. You can get a similar experience from a device that you enable for Workplace Join, but without
requiring that it is a domain member. Workplace Join provides an SSO experience when accessing internal
company websites and company apps. Users with domain accounts can implement Workplace Join on
their devices if their company has the appropriate infrastructure in place.

Lesson Objectives
After completing this lesson, you will be able to:

Describe the purpose and benefits of the Workplace Join feature.

Describe the scenarios for using Workplace Join.

Describe the components of the Workplace Join feature.

Explain how to register and enroll devices.

Enroll devices to the Workplace Join feature.

Overview of Workplace Join

Traditionally, if users want to access data transparently from their devices, the devices must be joined
to the domain. If the devices are not domain-joined, users can use them to access company data, but they
have to enter their domain credentials each time they want to access company resources. Windows 8.1
introduces the Workplace Join feature, which enables users to access internal company websites and
company apps from devices that you enable for Workplace Join, without entering user credentials each
time. Workplace Join also enables administrators to have some control over the devices, such as
controlling the web apps that users can access from devices that you enable for Workplace Join.

The Workplace Join feature is especially useful when users use their own devices to access company data.
Many organizations implement BYOD scenarios. If you enable Workplace Join, you can register and enroll
your devices in the company network. After you enroll a device, the device is associated with your user
account in the company directory, the device object is created in AD DS, and the user certificate is
installed on the device. The device object in AD DS establishes a link between the user and the device.
Further communication with company resources that support claims-based authentication from a device
enabled for Workplace Join includes information about the device and the user. When you configure an
app properly, you do not need to enter credentials again. After you enable the device for Workplace Join,
it is used as a second form of authentication. If multiple users use the same device, each user can enable a
device for Workplace Join independently. Administrators can configure apps that users can access from a
device enabled for Workplace Join without entering credentials, and they can then ensure that company
policies and security apply to those devices by configuring a device policy. You should be aware that a
company Group Policy applies only to domain-joined devices and not to devices enabled for Workplace
Join. If a device enabled for Workplace Join is compromised, or a device owner leaves the company, an


9-18 Configuring Resource Access for Domain-Joined Devices and Devices That Are Not Domain Members

administrator can remove the device object from the domain, and by doing so, the administrator revokes
the device's ability to access domain resources.
For more information, see the following webpage on the Microsoft TechNet website.
Overview: Join to Workplace from Any Device for SSO and Seamless Second Factor
Authentication Across Company Applications
http://go.microsoft.com/fwlink/?LinkId=378241&clcid=0x409
Question: What is the difference in accessing company resources from domain-joined
devices and devices that you enable for Workplace Join?

Scenarios for Using Workplace Join


Employees use different devices for accessing company data. Many devices are company-owned, and
those devices usually are domain-joined. Users also might access company data by using their own devices
from inside the company network and over the Internet. The company's IT department can closely monitor
and manage domain-joined PCs, but devices that are not domain members can be an issue. Users typically
use these devices not only for accessing virtual desktops, but also for running company apps and accessing
other company resources. Such environments, which adopt the BYOD scenario, are particularly suitable for
the Workplace Join feature. Users can access company resources from devices enabled for Workplace Join
with SSO, and administrators can control access to resources and the compliance of local copies of
company data on such devices while a device is not domain-joined.

A device that is enabled for the Workplace Join feature is used as a second authentication factor when
accessing claims-based company apps. For such apps, administrators can control not only who can
access them, but also from which devices they can be accessed, and if they can be accessed only from
the company network or also from the Internet. Devices enabled for Workplace Join trust the company
certification authority (CA), which makes it easier to configure them for additional features, such as Work
Folders.
Question: Can you enable the Workplace Join feature for a Windows 8 tablet?

Workplace Join Components


Workplace Join enables users to access company resources from their own devices by using SSO and
without adding devices to the domain. Workplace Join is a simple process, and any user can perform it,
but you first must configure a company's infrastructure to allow Workplace Join. There are several
prerequisites that must be in place before you can enable Workplace Join on your devices:

AD DS environment. Workplace Join requires that you implement a domain environment. At least one
domain controller must be running Windows Server 2012 or a newer operating system, and the schema
must be extended to the Windows Server 2012 R2 level.

PKI. The Workplace Join feature requires that PKI is deployed and properly configured. Devices must
trust the CA, which is true by default for domain-joined devices, but requires manual configuration
on devices that are not domain members. Certificates must include information on where the list of
revoked certificates is available, such as the certificate revocation list (CRL) distribution point (CDP),
and where up-to-date certificates for the CA are available, such as authority information access (AIA).
Devices must be able to access the CRL, delta CRL, and AIA before they can use Workplace Join.

Note: Delta CRL is published in a file, which includes the Plus Sign character (+) in its
name by default. Internet Information Services (IIS) Web server does not allow access to files with
special characters in their names by default, and you must enable double escaping to allow it.
You can verify that you can access CRL, delta CRL, and AIA by running Pkiview.msc on the server
where Active Directory Certificate Services (AD CS) is installed.

Active Directory Federation Services (AD FS). A company must set up AD FS before users can use
the Workplace Join feature on their devices. You must configure AD FS with an SSL certificate from
a trusted CA, and the SSL certificate must have properly configured Subject Name and Subject
Alternative Name attributes.

Device Registration Service. Device Registration Service registers a device in AD DS when you perform
Workplace Join. It also provides the certificate to users who enabled their device for Workplace Join.

A DNS record for the host named Enterpriseregistration. The name Enterpriseregistration is
mandatory, and you cannot change it. The DNS server must resolve this name to the IP address of the
AD FS server, and the AD FS server must use it as one of its Subject Alternative Name attributes in
the SSL certificate.

Web Application Proxy. This is an optional component that is not required when you enable
Workplace Join on devices that are connected to the company network. If you want to enable
Workplace Join on devices that are not connected to the company network, but which are connected
to the Internet, you must set up Web Application Proxy.

A supported operating system on the device. The device that you want to enable for Workplace Join
must be running a supported operating system. Currently you can enable Workplace Join only on
devices that are running Windows 8.1, Windows RT 8.1, or the iOS operating system.
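The DNS, SSL certificate, CA trust and CRL/AIA prerequisites above can be checked from the device itself before a user attempts the join. The following Windows PowerShell function is an added example, not part of the course or of Microsoft's tooling; it assumes the lab UPN suffix adatum.com, uses only .NET classes present on Windows 8.1, and its function name is hypothetical.

```powershell
# Added example (not course material): client-side check of the Workplace Join prerequisites.
function Test-WorkplaceJoinPrerequisites {
    [CmdletBinding()]
    param([Parameter(Mandatory = $true)] [string] $DomainSuffix)   # e.g. adatum.com (assumption)

    $hostName = "enterpriseregistration.$DomainSuffix"   # fixed name, cannot be changed
    $result = [ordered]@{
        HostName          = $hostName
        Addresses         = @()
        TlsConnects       = $false
        ChainTrusted      = $false   # device trusts the company CA and can reach CRL/AIA
        ChainStatus       = @()
        NameInCertificate = $false   # SAN carries enterpriseregistration.<suffix>
        CrlUrls           = @()
    }

    # 1. The host name must resolve (to the AD FS server, or to Web Application Proxy from the Internet).
    try {
        $result.Addresses = @([System.Net.Dns]::GetHostAddresses($hostName) |
            ForEach-Object { $_.IPAddressToString })
    } catch {
        Write-Warning "DNS lookup for $hostName failed: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    # 2. Open a TLS session and capture the server certificate. The callback accepts any
    #    certificate here only so that the chain can be evaluated explicitly in step 3.
    $client = New-Object -TypeName System.Net.Sockets.TcpClient
    try {
        $client.Connect($hostName, 443)
        $result.TlsConnects = $true
        $stream   = $client.GetStream()
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object -TypeName System.Net.Security.SslStream -ArgumentList $stream, $false, $callback
        $ssl.AuthenticateAsClient($hostName)
        $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
                           -ArgumentList $ssl.RemoteCertificate
        $ssl.Dispose()
    } catch {
        Write-Warning "TLS handshake with ${hostName}:443 failed: $($_.Exception.Message)"
        return [pscustomobject]$result
    } finally {
        $client.Close()
    }

    # 3. Build the chain with online revocation checking. This fails when the device does not trust
    #    the issuing CA or cannot download the CRL, delta CRL, or AIA certificates.
    $chain = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $result.ChainTrusted = $chain.Build($cert)
    $result.ChainStatus  = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    # 4. Subject Alternative Name (OID 2.5.29.17) must list the enterpriseregistration name; the CRL
    #    distribution points (OID 2.5.29.31) are what you would cross-check with Pkiview.msc on the CA.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) { $result.NameInCertificate = ($san.Format($false) -match [regex]::Escape($hostName)) }
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if ($cdp) {
        $result.CrlUrls = @([regex]::Matches($cdp.Format($false), 'https?://\S+') |
            ForEach-Object { $_.Value })
    }

    [pscustomobject]$result
}

Test-WorkplaceJoinPrerequisites -DomainSuffix 'adatum.com' | Format-List
```

A false ChainTrusted with a ChainStatus of RevocationStatusUnknown or OfflineRevocation points at the CRL/AIA publishing problem the note above describes, whereas UntrustedRoot means the company CA certificate is missing from the device's trusted root store.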

When users enable Workplace Join on their devices, they can access a company's internal web
applications and company apps without entering credentials again. To use SSO, administrators must
configure claims-based web applications and create a relying party trust between the AD FS server and the
web server on which the web application is running.
For more information, see the following Microsoft TechNet website:
Set up the lab environment for AD FS in Windows Server 2012 R2
http://go.microsoft.com/fwlink/?LinkId=378242&clcid=0x409
Question: What must you configure on a device before you can enable the Workplace Join
feature on it?

Registering and Enrolling Devices


After all the prerequisites are met, you can enable Workplace Join on a device. Any user with domain
credentials can enroll a device, and each device can be enrolled multiple times, once per user who uses
that device. If you want to enroll the device, you must perform the following procedure:

1. Click the Settings charm, and then select Change PC settings.

2. On the PC settings page, click Network.

3. On the Network page, click Workplace.

4. On the Workplace page, enter the user ID with which you want to Workplace Join the device. User ID
looks the same as a user's email address and is composed from the user's logon name, the at sign (@),
and a domain suffix. Domain administrators refer to user ID as the user principal name (UPN). When
performing a Workplace Join, a computer tries to resolve the Enterpriseregistration.<domain suffix>
name, and verifies that the SSL certificate is trusted and that it is still valid.

5. You need to enter user domain credentials. The device can be a workgroup member, but the user
must have a domain account to enable Workplace Join on the device.

6. The device is enabled for Workplace Join. The Device Registration Service creates a domain object for
the joined device in the RegisteredDevices AD DS container, and the user is provided with a certificate
for client authentication.

Note: You must configure a device that you want to Workplace Join with network settings
to resolve company server names. You also must configure the device to trust the company CA.
For more information, see the following Microsoft TechNet website:
Walkthrough Guide: Workplace Join with a Windows Device
http://go.microsoft.com/fwlink/?LinkId=378243&clcid=0x409
Question: What information must you enter when you want to enable the Workplace Join
feature on a device?

Demonstration: Enrolling Devices


In this demonstration, you will see how a user can enable the Workplace Join feature on a Windows 8.1
device. The entire company infrastructure has been set up already. Because the Windows 8.1 device is not
a domain member, you first must configure it to trust the company CA and then perform Workplace Join.

Demonstration Steps
1. On LON-CL4, use Internet Explorer to connect to the company internal web app on the following
URL: https://lon-svr2.adatum.com/claimapp. Use Adatum\adam with the password Pa$$w0rd as
the credentials.

2. Close Internet Explorer.

3. Open Internet Explorer, and then navigate to the same URL: https://lon-svr2.adatum.com
/claimapp. Verify that you are asked for your credentials again.

4. Close Internet Explorer.

5. On the PC settings page, navigate to Network, and then navigate to Workplace. Join the device to
Workplace as adam@adatum.com with the password Pa$$w0rd.

6. On LON-DC1, use Active Directory Users and Computers to verify that the RegisteredDevices
container contains an object of type msDS-Device, which represents the LON-CL4 computer that you
enabled for Workplace Join. Make note of the name of the msDS-Device object.

7. On LON-CL4, use Internet Explorer to verify that the user has one certificate. This is the certificate
that Device Registration Service provided to the user when the device was enabled for Workplace
Join. Verify that the globally unique identifier (GUID) is the same as the name of the msDS-Device
object from Active Directory Users and Computers.

8. Use Internet Explorer to navigate to the internal web app by entering the following URL:
https://lon-svr2.adatum.com/claimapp. Use adatum\adam and Pa$$w0rd as the credentials.

9. Verify that Claim Type http://schemas.microsoft.com/2012/01/devicecontext/claims/identifier
has the same value as the name of the msDS-Device object from Active Directory Users and
Computers.

10. Close Internet Explorer.

11. Use Internet Explorer to navigate to the internal web app by entering the following URL:
https://lon-svr2.adatum.com/claimapp. Verify that a webpage opens without asking for
credentials. You were not asked for credentials because you accessed it from the device that was
enabled for Workplace Join. Close Internet Explorer.
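The verification in steps 6 and 7, and the revocation that the lesson describes for a compromised or departed device, can also be done from Windows PowerShell. The following is an added example, not part of the course: the two AD DS functions run on LON-DC1 or on a Windows 8.1 computer with Remote Server Administration Tools, the certificate function runs on the workplace-joined device as the user who joined it, and the assumption that the certificate's subject CN is the device GUID is drawn from step 7 above; function names are hypothetical.

```powershell
# Added example (not course material): inventory, cross-check and revoke Workplace Join registrations.
Import-Module ActiveDirectory

function Get-RegisteredDevicesContainer {
    # The RegisteredDevices container named in the lesson sits directly under the domain root.
    "CN=RegisteredDevices," + (Get-ADDomain).DistinguishedName
}

function Get-WorkplaceJoinedDevice {
    # One msDS-Device object exists per user-and-device combination that performed Workplace Join;
    # its name is the device GUID that the demonstration compares with the user certificate.
    Get-ADObject -SearchBase (Get-RegisteredDevicesContainer) `
                 -Filter "objectClass -eq 'msDS-Device'" -Properties whenCreated |
        Select-Object Name, whenCreated, DistinguishedName
}

function Revoke-WorkplaceJoinedDevice {
    # Deleting the device object is the revocation step the lesson describes: the device can no
    # longer use its registration to reach claims-aware resources. Confirmation is forced on purpose.
    param([Parameter(Mandatory = $true)] [string] $DeviceId)   # GUID shown as the object name
    $device = Get-ADObject -SearchBase (Get-RegisteredDevicesContainer) `
                           -Filter "objectClass -eq 'msDS-Device' -and Name -eq '$DeviceId'"
    if (-not $device) { throw "No msDS-Device object named $DeviceId was found." }
    Remove-ADObject -Identity $device.DistinguishedName -Confirm:$true
}

function Get-WorkplaceJoinCertificateId {
    # On the client: the certificate issued by Device Registration Service is in the user's personal
    # store (step 7 views it with Internet Explorer). Assumption: its subject CN is the device GUID.
    $guidPattern = '^CN=([0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12})$'
    Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
        if ($_.Subject -match $guidPattern) {
            [pscustomobject]@{ DeviceId = $Matches[1]; Issuer = $_.Issuer; NotAfter = $_.NotAfter }
        }
    }
}

# Usage: run Get-WorkplaceJoinCertificateId on LON-CL4 and note DeviceId, then on LON-DC1 confirm
# that Get-WorkplaceJoinedDevice lists an object with that Name. When an owner leaves, run
# Revoke-WorkplaceJoinedDevice -DeviceId <that GUID> and confirm the prompt.
```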

Lesson 4

Configuring Work Folders


Work Folders is a new Windows 8.1 feature that enables users to have their local copy of files in sync with
files on a Windows Server 2012 R2 file server. Users can use Work Folders even if their Windows 8.1 device
is not joined to the domain, and an administrator can configure policy for the local copy of the files. For
example, a local copy can be encrypted, and if a device is lost or an employee has left the company, the
local copy of the data in a Work Folder can be wiped remotely while user data on the device is left intact.

Lesson Objectives
After completing this lesson, you will be able to:

Describe the features of Work Folders.

Describe Work Folders components.

Explain how to configure Work Folders.

Describe how to integrate Workplace Join and Work Folders.

Describe how to use GPOs to manage Work Folders.

Configure Work Folders.

Explain how to troubleshoot Work Folders.

Compare Work Folders with other file synchronization technologies.

Overview of Work Folders

Company files traditionally are stored on file servers. This approach has many advantages, such as central
access control and auditing, central backup, quotas, reporting, and availability from any domain-joined
and network-attached device. However, users also need to access and modify company data when they are
not connected to a company network, and from devices that are not domain members, because the BYOD
scenario is implemented in many environments. You can use several solutions for such scenarios, such as
Folder Redirection and Offline Files, and by using synchronization with OneDrive or OneDrive for Business
(formerly known as SkyDrive Pro). Windows 8.1 introduces an additional solution, Work Folders, which can
be useful in scenarios where users are using multiple devices for accessing company data, they need to
synchronize data between the devices, and some of the devices are not domain-joined.

Work Folders allow home and office users to access their individual data, regardless of whether their
devices are connected to a company network or whether their devices are domain-joined or not. Work
Folders only store users' individual files, and users can access their own Work Folders only. Work Folders
data is stored on a traditional file server, but devices also keep a local copy of the user's subfolder in a
sync share, which is the user's work folder. Users can access a local copy of their Work Folders even without
network connectivity, and any modifications they make synchronize with their Work Folders on a file
server immediately or after restoration of connectivity to the file server. Users can access and use Work
Folders from various devices, irrespective of their domain membership. Windows 8.1 and Windows RT 8.1
devices support Work Folders, and Windows 7 and iPad will support it in the future. If users are
using multiple devices that are configured with Work Folders, changes they make on one device are
synchronized with their other devices automatically. Because Work Folders content is stored on a file
server, you can use all the features that are available on a file server, such as dynamic access control,
auditing, quotas, file classification infrastructure, and protecting content with Rights Management
Services. You can define a policy for devices that access Work Folders. For example, you can create a
policy that requires that the local copy of the Work Folders data is encrypted on a device. You also can
use the Remote Business Data Removal feature to prevent access or remotely wipe the local copy of Work
Folders data on a device if the device is lost or if the employee leaves the company.
For more information, see the following webpage on the Microsoft TechNet website:
Work Folders Overview
http://go.microsoft.com/fwlink/?LinkId=378244&clcid=0x409
Question: Can you share your Work Folders content with your coworkers?

Work Folders Components


If you want to use Work Folders, several components must be available in your environment:

Work Folders server. You need a file server that is running Windows Server 2012 R2 to host Work
Folders because previous versions of Windows Server do not support the Work Folders feature. The file
server must be joined to an AD DS domain, and it must have the Work Folders role service installed,
which is part of the File and Storage Services role. When you install the role service, it adds an
additional access protocol and extends Server Manager. You can use Server Manager to create and
manage sync shares, which contain users' Work Folders. You also can use Server Manager to view
who can access sync shares, when and from which devices users accessed them, and to perform other
tasks, such as setting quotas and managing volumes. Users can access and synchronize their Work
Folders by using the HTTPS-encapsulated access protocol. Because synchronization uses HTTPS
encryption, the file server must have an installed SSL certificate, and the devices from which the Work
Folders are being accessed must trust that certificate.

Sync share. A sync share is a unit of synchronization between the Work Folders server and client
devices. You can create multiple sync shares on a Work Folders server, and each sync share maps to
a physical folder on the file server. For each user who uses Work Folders, a personal subfolder is
created inside the sync share, and users can access and synchronize the content of their subfolders
only. You can configure who can access a sync share and specify a device policy, such as specifying
that the local copy of Work Folders data on client devices must be encrypted. Although users can
have permissions to access multiple sync shares, they are limited to a single sync share. You can
access a sync share only by using the Work Folders feature by default, but an administrator also can
create a Server Message Block (SMB) share that uses the same folder as a sync share. If users can
access sync share content by using SMB access also, you can view synced content from devices that
do not use Work Folders. Because the sync share is stored on a file server, you can use features such
as dynamic access control, quotas, and file screening when managing its content.

User devices. These are the devices from which you can access, modify, and synchronize content
that is stored in Work Folders. You can access Work Folders from workgroup devices, devices that
are workplace-joined, or from domain member devices. The devices must be running one of the
supported operating systems, which currently are Windows 8.1 and Windows RT 8.1. Support for
Windows 7 and iPad devices has been announced. Devices also must trust the SSL certificate that the
Work Folders server is using. If you configure devices to use Work Folders, changes to local copies of
data are detected in real time and synchronized with the server. By default, devices check the Work
Folders server every 10 minutes and synchronize changes with local copies of the Work Folders data.

When you configure Work Folders on a device, you establish a Work Folders sync partnership between
the device and the file server. During initialization, the data directory, version database, and
download-staging directory are created on the device. The version database helps to keep the local copy
of the data in sync with the data on the file server. On the server side, when a user first synchronizes,
similar structures are created. The server Work Folders are provisioned only once per user, while the
client side is provisioned for each device on which the user is using Work Folders. When users modify
their Work Folders content, the following process takes place:
1. When users modify local Work Folders content, the change is detected on the client in real time, the
client device initiates a sync session with the Work Folders server, and then uploads the changes.

2. After the upload is complete, the Work Folders server applies the uploaded changes to the user's Work
Folders content. By default, the server is configured so that it can perform all modifications to the
user's data. If there is an error, for example, when the server permissions are modified and the server
cannot apply the modifications, the user is notified about the problem. If the file is changed on
multiple user devices at the same time in the same synchronization cycle, based on the time stamp,
the latest version of the file keeps the original file name. The other copies of the file are preserved
in the same directory, but their name is extended with the name of the device on which the conflict
occurred, and a number is added if there are multiple conflicts for the same file. The Work Folders
server keeps 100 conflict files and after that, Work Folders synchronization stops for the user until the
user manually resolves the problem.

3. Synchronization is initiated by the second client device. This can happen for two reasons: data is
modified also on the second client device, and the second client device initiates synchronization
of those modifications. Alternatively, if there are no local changes, the second device initiates
synchronization based on the polling interval, which is 10 minutes by default. The second client
downloads changes from the Work Folders server and applies them to the local copy of the data.

When you use Work Folders, you should be aware of the following:

In this first release of Work Folders, synchronization is limited to one partnership per user per device.
If multiple users use the same device, all users can have their own partnership with the sync folder on
the same or on different Work Folders servers, but the same user cannot create a sync partnership
with a second sync share on the same or different Work Folders servers.

Clients always initiate synchronization. A Work Folders server is passive and only responds to sync
requests.

Clients synchronize only with the Work Folders server. If users are using multiple devices, and they are
all configured with Work Folders, devices do not synchronize changes between themselves, but only
with the server. After one device synchronizes changes with a server, other devices get the changes
from the server.

The system that applies the change, which can be either the user device or the Work Folders server, is
responsible for conflict resolution. Conflicts are resolved automatically by renaming the conflicting
files with older time stamps.
Question: Can users access multiple Work Folders?

Configuring Work Folders


A server administrator has to create Work Folders on a Windows Server 2012 R2 file server before you can
configure and use Work Folders on a Windows 8.1 computer. To create Work Folders on Windows Server
2012 R2, you must perform the following two steps:

1. Install the Work Folders role service. Before you can configure a file server to host Work Folders, you
first must install the Work Folders role service. This is a new role service in Windows Server 2012 R2,
and you can install it from Server Manager or by running the following cmdlet:

   Install-WindowsFeature FS-SyncShareService

2. Create a sync share for Work Folders. A sync share is the unit of synchronization that can be
synchronized with a user device. You can create a sync share by using Server Manager or by using
the New-SyncShare cmdlet. A sync share can be an existing SMB share, or you can point it to a new
folder. Multiple users can have access to the same sync share and because of that, you need to specify
the naming syntax for the user subfolders, which can be either user_alias or user_alias@domain. The
first syntax maintains compatibility with existing user folders that use aliases for their names, while
the second syntax eliminates conflicts between identical user aliases in multiple domains in the same
AD DS forest. By default, users synchronize their whole Work Folders structure, but you can limit the
synchronization to specific subfolders. You also can configure who has permissions to access the sync
folder and device policy, in which you define requirements that must be met on a device that will be
used for accessing sync shares.

After you configure Work Folders on a Windows Server 2012 R2 file server, you can deploy Work Folders
to client devices. Based on the client device type and whether it is domain-joined or not, you have
different options for deploying Work Folders:

Manual. You can configure Work Folders by using the Manage Work Folders option in Control Panel.
If the device is a domain member or is workplace-joined, you can enter a user's email address, which
is used to automatically discover the Work Folders server where the user's sync shares are located. If
the device is a member of a workgroup, you need to enter the Work Folders URL instead, as the user
email cannot be resolved.

Opt-in. You can configure Work Folders settings by using domain-based Group Policy, Windows
Intune, or Configuration Manager. However, those settings are not mandatory. Users can decide if
they want to use those settings and configure Work Folders on the device or not.

Mandatory. You can use the same three methods, domain-based Group Policy, Windows Intune, or
Configuration Manager, to deliver Work Folders settings to a device. However, these settings are
mandatory and users cannot modify them. Work Folders are configured transparently on devices
without user interaction.
Question: Can you use Group Policy to deploy Work Folders centrally to devices that are not
domain-joined?
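The two server-side steps above can be scripted with the SyncShare module that the role service installs. The following is an added example, not the course's own lab script: it runs on a Windows Server 2012 R2 file server, and the share name, folder path and security group are assumptions; the HTTPS binding for the server's SSL certificate is a separate step that it does not cover.

```powershell
# Added example (not course material): provision the Work Folders role service and a sync share.
Import-Module ServerManager

# Step 1: install the Work Folders role service (part of File and Storage Services) if it is missing.
if (-not (Get-WindowsFeature -Name FS-SyncShareService).Installed) {
    Install-WindowsFeature -Name FS-SyncShareService
}
Import-Module SyncShare

# Step 2: create the sync share. The user@domain naming syntax avoids collisions between identical
# aliases in different domains of the forest; the device policy requires an encrypted local copy
# and a lock-screen password on every device that synchronizes this share.
$sharePath = 'D:\SyncShares\WorkFolders'      # assumption: folder on an existing NTFS volume
$syncUsers = 'ADATUM\Work Folders Users'       # assumption: group that is granted sync access
New-Item -ItemType Directory -Path $sharePath -Force | Out-Null

New-SyncShare -Name 'WorkFolders' `
              -Path $sharePath `
              -User $syncUsers `
              -UserFolderName 'user@domain' `
              -RequireEncryption $true `
              -RequirePasswordAutoLock $true

# Review the share, its users and its device policy; this is the same data Server Manager shows.
Get-SyncShare -Name 'WorkFolders' | Format-List
```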

Integrating Workplace Join and Work Folders


The Workplace Join feature primarily is targeted for devices that are not domain members because you
already can use SSO from domain-joined devices to access domain resources. If you use the Workplace Join
feature on a device, you can get a similar SSO experience when accessing company resources that support
claims-based authentication.

The Work Folders feature is targeted to all devices that support Work Folders, regardless of their domain
membership and whether they are enabled for Workplace Join or not. You can use the Work Folders feature
to synchronize content across all those devices, but one of the requirements is that devices must trust a
company CA. Domain-joined devices trust a company CA by default because the domain-based Group
Policy adds the CA public key to the trusted root CA certificate store of all domain computers. However, a
domain-based Group Policy does not apply to workgroup devices or to devices that you enable for
Workplace Join. Because of that, workgroup devices and devices that you enable for Workplace Join do not
trust a company CA by default. However, one of the requirements to enable a device for Workplace Join is
that it trusts a company CA. If you enable a device for Workplace Join, it is a bit easier to set up Work
Folders, because it already trusts the company CA. However, you can set up Work Folders on a device
regardless of whether it is enabled for Workplace Join or not.
Note: Use Windows Intune or Configuration Manager to manage Work Folders centrally on
computers that are not domain members, regardless of whether they are enabled for Workplace
Join or not.
Question: Is it required to enable a device for the Workplace Join feature before you can set
up Work Folders on that device?

Using GPOs to Manage Work Folders


You can deploy Work Folders by using Group Policy. By using Group Policy, you can specify the Work
Folders configuration but still allow users to decide whether they want to use Work Folders on their
devices, because they have to use the Work Folders control panel item to configure Work Folders, as in
the opt-in scenario. You also can use Group Policy to make the Work Folders configuration mandatory.
This configures devices to use Work Folders transparently and without user interaction, but prevents users
from changing the Work Folders configuration or specifying where a local copy of sync share data is
stored.


Work Folders-related settings are located in the user and computer parts of Group Policy. In the user part
of Group Policy, you can enable Work Folders, specify a Work Folders URL, and force automatic setup of
Work Folders. In the computer part of Group Policy, you can force all users of the device to which Group
Policy applies to use Work Folders automatically.
Note: If you configure the Work Folder settings in a domain-based Group Policy, those
settings can apply only to the domain-joined devices and to the users who sign in with domain
accounts. Those settings do not apply to devices that are members of a workgroup or that you
enable for Workplace Join. If you need to configure Work Folders automatically on devices that
are not domain members, you should use Windows Intune.
Question: Can you configure Work Folders settings in the user or computer part of Group
Policy?

Demonstration: Configuring Work Folders

In this demonstration, you will see how you can deploy Work Folders on a domain-joined Windows 8.1
device by using Group Policy and how to deploy Work Folders manually on workgroup Windows 8.1
devices.

Demonstration Steps
1. On LON-CL1, sign out, and then sign in as user adatum\adam with the password Pa$$w0rd.

2. Use File Explorer to create a new text document named On LON-CL1.txt in Work Folders.

3. On LON-CL4, use Work Folders to Set up Work Folders. Use the following settings:

   Work Folders URL: https://lon-dc1.adatum.com

   Credentials: adatum\adam with Pa$$w0rd as the password

4. Verify that the file On LON-CL1.txt is available in Work Folders on the LON-CL4 computer.

Troubleshooting Work Folders


Work Folders use a client/server architecture. You can set up Work Folders and then use them from any
supported device, regardless of its domain membership. If a device is domain-joined, it usually is
configured correctly to be able to use Work Folders. If a device is not a member of a domain, additional
configuration steps must be taken before you can use Work Folders successfully.

If there is a problem with accessing and using Work Folders, you can use several troubleshooting tools.
You first should verify that Work Folders are available on a Windows Server 2012 R2 file server and that
users have synchronization access. You can use Server Manager to verify the configuration, to determine
if users have ever connected to their sync share, when the last connection was, and from which devices
users connected to their sync shares. You also can use the Get-SyncUserStatus cmdlet on the server to
verify all that information. Based on the problem that a user has, there are several tools you could use
for troubleshooting, including the following:

Standard networking troubleshooting tools such as Ipconfig.exe, Ping.exe and Nslookup.exe

Active Directory Users and Computers

Server Manager

File Explorer

Certificates snap-in

Events Viewer (WorkFolders logs)

Windows PowerShell, especially cmdlets from the SyncShare module

Note: Active Directory Users and Computers, Server Manager, and the SyncShare module
for Windows PowerShell are not included in the default Windows 8.1 installation. If you want to
use them on a Windows 8.1 computer, you need to install Remote Server Administration Tools.
The following list explains some of the potential issues and troubleshooting steps that you should be
aware of:

MCT USE ONLY. STUDENT USE PROHIBITED

9-28 Configuring Resource Access for Domain-Joined Devices and Devices That Are Not Domain Members

• Network connectivity and name resolution. Before you can configure Work Folders on a device, the device must be able to connect to a Work Folders server. Additionally, you must configure it with a DNS server that resolves the Work Folders server URL and user email addresses.
• Users must have a domain account that has synchronization access to a sync share on a Work Folders server. If users do not have domain accounts or access to the sync share, they will not be able to connect to Work Folders.
• The device from which users want to use Work Folders must be running a supported operating system and must be able to comply with the sync folder device policy. For example, if the sync folder device policy requires encryption of Work Folders, the device must be able to encrypt the local copy of the Work Folders content.
• The device must trust the SSL certificate of the Work Folders server. In a domain environment with an enterprise CA, domain-joined devices trust the enterprise CA by default. If the device is not domain-joined, you must configure the device manually to trust the Work Folders server SSL certificate.
• Users must have NTFS file system permissions to a sync share. When you create a sync share, users have appropriate NTFS file system permissions by default. If you modify the NTFS file system permissions, it is possible that users will no longer be able to synchronize changes.
• If users change their domain passwords, they need to enter the latest password to access Work Folders on a device that is not a domain member.
• If users use multiple devices with Work Folders and modify the content on one device, the modified content does not synchronize immediately with the other devices. Content synchronizes with the server, but other devices synchronize based on the polling interval, which is 10 minutes by default. You can decrease the polling interval or manually trigger the synchronization from the device.
• Multiple files with similar names. If the same file is modified on multiple devices before synchronization happens, for example when devices do not have connectivity to the Work Folders server, conflicts will occur during synchronization. Conflicts are resolved automatically, and there will be multiple copies of the file with similar names; the names of the additional copies are extended with the device name. You must review the copies manually, merge the changes, and then decide if you can remove the additional copies.
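The following script is an added example, not part of the course material, that walks a Windows 8.1 device through the first four checks in the list above (name resolution, TCP connectivity to the HTTPS endpoint, certificate trust, and the client's own WorkFolders event log). It assumes the lab server name lon-dc1.adatum.com; the event channel name is an assumption and the server-side cmdlets at the end are shown commented out because they run on the file server, not on the client.

```powershell
# Added example (not from the course): client-side Work Folders connectivity checks.
# Run on the Windows 8.1 device in an elevated Windows PowerShell session.
$WorkFoldersHost = 'lon-dc1.adatum.com'   # assumed Work Folders server name (lab value)

# 1. Name resolution: the server name in the Work Folders URL must resolve on this device.
Resolve-DnsName -Name $WorkFoldersHost -ErrorAction Stop | Format-Table -AutoSize

# 2. TCP reachability of the HTTPS endpoint (Work Folders uses TCP 443).
$tcp = Test-NetConnection -ComputerName $WorkFoldersHost -Port 443
if (-not $tcp.TcpTestSucceeded) { throw "TCP 443 to $WorkFoldersHost is not reachable" }

# 3. Certificate trust: fetch the server certificate and build its chain with THIS device's
#    trusted roots. A failed chain here is the "device must trust the SSL certificate" item;
#    the validation callback accepts anything so that we can inspect the chain ourselves.
$client = New-Object System.Net.Sockets.TcpClient($WorkFoldersHost, 443)
$ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false,
        ([System.Net.Security.RemoteCertificateValidationCallback]{ $true }))
try {
    $ssl.AuthenticateAsClient($WorkFoldersHost)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
} finally {
    $ssl.Dispose()
    $client.Close()
}
$chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$trusted = $chain.Build($cert)
"Server certificate: {0} (valid until {1})" -f $cert.Subject, $cert.NotAfter
if (-not $trusted) {
    $chain.ChainStatus | ForEach-Object {
        "Chain problem: $($_.Status) - $($_.StatusInformation.Trim())"
    }
}
# The name the client connects to must also be covered by the certificate's SAN.
$san = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
if ($san) { 'SAN: ' + $san.Format($false) }

# 4. Recent client-side Work Folders events (channel name is an assumption).
Get-WinEvent -LogName 'Microsoft-Windows-WorkFolders/Operational' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap

# 5. On the file server (SyncShare module), confirm the share exists and that the user has
#    sync access and has connected. These are the server cmdlets the text refers to.
# Get-SyncShare | Format-List Name, Path, User
# Get-SyncUserStatus -User 'adatum\adam' -SyncShare 'syncshare1'
```

If step 3 reports a chain problem on a device that is not domain-joined, the fix is the one the list gives: import the issuing CA's certificate into the device's Trusted Root Certification Authorities store, rather than loosening validation on the client.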

Question: Can you use the Work Folders Windows PowerShell cmdlets or Server Manager on
Windows 8.1 by default?


Comparing Work Folders with Other File Synchronization Technologies

Before implementing Work Folders, you should be aware that there are other file-synchronization technologies available. You should be familiar with their features, and then decide which file synchronization technology is most appropriate for your environment. Some of them require that the device is domain-joined, that you deploy additional servers, or that a single user uses the files that synchronize, while others can be used on any Windows 8.1 device. File synchronization solutions that are provided by Microsoft include OneDrive, OneDrive for Business, Work Folders, and Folder Redirection with Offline Files.

If you want a solution for synchronizing data that is for collaboration and is shared between team members, you should consider OneDrive for Business. OneDrive for Business is available as part of Microsoft SharePoint Server 2013 and Microsoft SharePoint Online, and you can access it if your company uses on-premises SharePoint or if SharePoint is available as part of a Microsoft Office 365 subscription. You should be aware that depending on what the company is using, shared data is hosted either in the company data center or in the cloud. You also should note that OneDrive for Business support is not included in Windows 8.1. You can deploy it as part of Microsoft Office 2013 or as a separate OneDrive for Business client. You can access OneDrive for Business from PCs and Windows Phone devices.

Other file synchronization technologies are for single-user access, although files that you store on OneDrive often are shared with others. Work Folders and Folder Redirection store data on servers in a company data center. However, Work Folders require that the servers that store data are running Windows Server 2012 R2, while you can redirect folders to a file server irrespective of the Windows Server version that it is running. Windows 8.1 includes support for both technologies, but you can use Folder Redirection only on domain-joined devices. Work Folders are available regardless of whether the device is joined to the domain. You can use Work Folders on Windows 8.1, Windows 8, Windows 7, and iPad devices, while Folder Redirection is available on Windows XP and newer domain-joined computers.

OneDrive is a publicly available cloud storage service. Data that you save on OneDrive is stored in the public cloud, and you do not need any local server infrastructure; you only need Internet connectivity. OneDrive support is integrated in Windows 8.1, and you can access OneDrive from various devices regardless of their operating system and domain membership. OneDrive is for personal data.

For more information, see the link on the Microsoft TechNet website:
Work Folders Compared to Other Sync Technologies
http://go.microsoft.com/fwlink/?LinkId=378244&clcid=0x409

Question: A user has three Windows 8.1 devices and needs to keep files synchronized among all three devices. Two devices are domain-joined Windows 8.1 computers. Additionally, the user has a Windows 8.1 tablet, which is enabled for Workplace Join. The user's company has deployed two Windows Server 2012 R2 file servers. Which synchronization technology should the user use?

Lab: Configuring Resource Access for Devices That Are Not Domain Members

Scenario

A. Datum Corporation uses an AD DS environment, and all users access company data by using company-owned computers. Many users bring their own devices to work and would like to access company data from them. These users complain that they must enter their credentials every time they access company resources. Users with their own tablets complain that when they copy data locally, it is challenging to keep it synchronized with files on the company's file servers. IT administrators complain that they do not have an overview of the user devices that are used for accessing company data, and that they cannot enforce company security policies on data that is stored locally on such devices. A few weeks ago, a security incident occurred because one of the managers lost his tablet, which contained confidential company files.

Objectives
After completing this lab, you will be able to:

• Implement Workplace Join.
• Configure Work Folders.

Lab Setup
Estimated Time: 30 minutes
Virtual machines: 20687D-LON-DC1, 20687D-LON-SVR1, 20687D-LON-SVR2, 20687D-LON-CL1, 20687D-LON-CL4
User name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687D-LON-DC1, and then in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in by using the following credentials:
   o User name: Adatum\Administrator
   o Password: Pa$$w0rd
5. Repeat steps 2 through 4 for 20687D-LON-SVR1, 20687D-LON-SVR2, and 20687D-LON-CL1.
6. Repeat steps 2 and 3 for 20687D-LON-CL4. Do not sign in until directed to do so.

Exercise 1: Implementing Workplace Join

Scenario

The IT department has decided that it will enable Workplace Join for the company. It has set up the required infrastructure, and you must test the Workplace Join feature in Windows 8.1. You decide to use your own Windows 8.1 device to perform the Workplace Join and test if you can use the internal company website by providing credentials only once to use SSO functionality.

The main tasks for this exercise are as follows:
1. Verify Workplace Join prerequisites.
2. Workplace Join a Windows 8.1 computer.
3. Explore Workplace Join effects.

Task 1: Verify Workplace Join prerequisites

1. On LON-DC1, configure Active Directory Users and Computers to show Advanced Features.
2. Verify that user Adam Barr is in the Marketing OU, and that his User logon name is Adam@Adatum.com.
3. Verify that the RegisteredDevices container is empty.
4. Use Pkiview.msc to verify that the status of all locations is OK, and that AIA Location #2, CDP Location #2, and DeltaCRL Location #2 are accessible over the http protocol.

Note: CDP Location and Delta CRL Location have a short validity period, and their status could be shown as Expiring. You can ignore their value in the Status column.

5. Use DNS Manager to verify that the Adatum.com zone has an Enterpriseregistration CNAME record that points to LON-SVR1.adatum.com.
6. On LON-SVR1, use AD FS Management to verify that the Enable device authentication check box is selected, and that the Service communications certificate has the following attributes:
   o Subject Alternative Name: DNS Name=LON-SVR1.adatum.com, DNS Name=Enterpriseregistration.adatum.com
   o CRL Distribution Points: One of the URLs is accessible over the http protocol
   o Authority Information Access: One of the URLs is accessible over the http protocol

Task 2: Workplace Join a Windows 8.1 computer

1. On LON-CL4, sign in as Admin with the password Pa$$w0rd.
2. On LON-CL4, use the nslookup command to verify that it can resolve the enterpriseregistration.adatum.com name.
3. Connect to \\LON-DC1\certificate as user adatum\adam with the password Pa$$w0rd.
4. Install the Root-CA certificate in the Trusted Root Certification Authorities certificate store.
5. Use Internet Explorer to connect to the internal company web app with the following URL: https://LON-SVR2.adatum.com/claimapp. Use adatum\adam with the password Pa$$w0rd as the credentials.
6. Verify that no Claim Type starts with http://schemas.microsoft.com/2012/01/devicecontext, and then close Internet Explorer.
7. Open Internet Explorer, and then navigate to the same URL: https://LON-SVR2.adatum.com/claimapp. Verify that you are asked for your credentials again, and then close Internet Explorer.
8. On the PC settings page, navigate to Network, and then navigate to Workplace. Join the device to Workplace as adam@adatum.com, by using adam@adatum.com with the password Pa$$w0rd as the credentials.

Task 3: Explore Workplace Join effects

1. On LON-DC1, use Active Directory Users and Computers to verify that the RegisteredDevices container contains an object of type msDS-Device, which represents the LON-CL4 computer that you enabled for Workplace Join. Make note of the name of the msDS-Device object.
2. On LON-CL4, use Internet Explorer to verify that the user has one certificate. This is the certificate that the Device Registration Service provided to the user when the device was enabled for Workplace Join. Verify that the GUID is the same as the name of the msDS-Device object from Active Directory Users and Computers.
3. Use Internet Explorer to navigate to the internal web app by entering the following URL: https://LON-SVR2.adatum.com/claimapp. Use adatum\adam with Pa$$w0rd as the credentials.
4. Verify that the Claim Type http://schemas.microsoft.com/2012/01/devicecontext/claims/identifier has the same value as the name of the msDS-Device object from Active Directory Users and Computers.
5. Close Internet Explorer.
6. Use Internet Explorer to navigate to the internal web app by entering the following URL: https://LON-SVR2.adatum.com/claimapp. Verify that the webpage opens without asking you for credentials. You were not asked for credentials because you accessed it from the device that was enabled for Workplace Join.

Results: After completing this exercise, you should have successfully implemented and tested the
Workplace Join feature.
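The following script is an added example, not part of the lab, that performs the prerequisite and result checks of this exercise from Windows PowerShell instead of the graphical consoles: the CNAME record (Task 1, step 5), the user's UPN (step 2), the contents of the RegisteredDevices container before and after the join (Task 1 step 3 and Task 3 step 1), and the device certificate on the client (Task 3 step 2). It assumes the lab names (Adatum.com, LON-SVR1, the sAMAccountName Adam), the container DN CN=RegisteredDevices,DC=Adatum,DC=com, and the issuer name MS-Organization-Access on the certificate that the Device Registration Service issues; treat those as assumptions to verify in your own environment.

```powershell
# Added example (not from the course). Section 1 runs on LON-DC1 with the ActiveDirectory and
# DnsClient modules; section 2 runs on LON-SVR1; section 3 runs on LON-CL4 after the join.

# --- 1. On LON-DC1: prerequisites and the registered device object -------------------------
# Task 1 step 5: enterpriseregistration.<domain> must be a CNAME to the AD FS server.
$cname = Resolve-DnsName -Name 'enterpriseregistration.adatum.com' -Type CNAME -ErrorAction Stop
if ($cname.NameHost -ne 'LON-SVR1.adatum.com') {
    Write-Warning "CNAME points to $($cname.NameHost), expected LON-SVR1.adatum.com"
}

# Task 1 step 2: the device is registered against the user's UPN (assumed sAMAccountName 'Adam').
Get-ADUser -Identity 'Adam' -Properties UserPrincipalName |
    Select-Object Name, UserPrincipalName, DistinguishedName

# Task 1 step 3 / Task 3 step 1: msDS-Device objects in RegisteredDevices.
# Empty before the join; one object named with the device GUID afterwards.
$registeredDevices = 'CN=RegisteredDevices,DC=Adatum,DC=com'     # assumed container DN
$devices = Get-ADObject -Filter 'objectClass -eq "msDS-Device"' -SearchBase $registeredDevices `
                        -Properties displayName, whenCreated
if (-not $devices) { 'RegisteredDevices is empty (expected before the join)' }
$devices | Select-Object Name, displayName, whenCreated | Format-Table -AutoSize

# --- 2. On LON-SVR1: Device Registration Service state (Task 1 step 6) ---------------------
# Get-AdfsDeviceRegistration reports the DRS configuration; the property name on the
# authentication policy object is an assumption, so inspect the full object if it is absent.
Get-AdfsDeviceRegistration
Get-AdfsGlobalAuthenticationPolicy | Select-Object DeviceAuthenticationEnabled

# --- 3. On LON-CL4 after the join: the device certificate (Task 3 step 2) -----------------
# DRS places a certificate in the user's personal store; its subject CN is the device ID,
# which should equal the msDS-Device object name noted in section 1.
$deviceCert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Issuer -like '*MS-Organization-Access*' }    # assumed issuer name
$deviceCert | Select-Object Subject, Issuer, NotBefore, NotAfter, Thumbprint | Format-List
```

Keeping the object name from section 1 next to the certificate subject from section 3 is the same comparison the lab asks you to make by eye in Task 3, steps 1 and 2; a mismatch means the client has a stale registration and should be unjoined and joined again.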

Exercise 2: Configuring Work Folders

Scenario

Users currently are using Offline Files to keep local copies of data in sync with data on a file server. However, many users are using devices that are not domain-joined, and they complain that they cannot use Offline Files. The IT department is considering implementing Work Folders, but it must confirm that users with devices that are not domain members will be able to use it, and that Work Folders will be configured automatically on domain-joined devices. You were asked to implement a proof-of-concept deployment of Work Folders. Based on the results, the IT department will decide if Work Folders meet the company's needs.

The main tasks for this exercise are as follows:
1. Install the Work Folders feature and create a sync share.
2. Bind an SSL certificate for Work Folders.
3. Configure Group Policy to deploy Work Folders.
4. Deploy Work Folders on a device that is not a domain member.
5. Use Work Folders to synchronize files.

Task 1: Install the Work Folders feature and create a sync share

1. On LON-DC1, install the FS-SyncShareService feature by using the Install-WindowsFeature cmdlet.
2. Use Server Manager to create a New Sync Share. Use the following data:
   o Local path: C:\syncshare1
   o Structure for user folders: User alias
   o Grant sync access to groups: Marketing
   o Device policies: No policy is selected
3. Use Server Manager to verify that syncshare1 is listed in the WORK FOLDERS section and that user Adam Barr is listed in the USERS section.

Task 2: Bind an SSL certificate for Work Folders

On LON-DC1, use IIS Manager to add an https Site Binding to the Default Web Site. Use LON-DC1.adatum.com as the SSL certificate.

Task 3: Configure Group Policy to deploy Work Folders

1. On LON-DC1, use Group Policy Management to create and link a Group Policy named Deploy Work Folders to the Marketing OU.
2. In the Deploy Work Folders Group Policy, under User Configuration\Policies\Administrative Templates\Windows Components\Work Folders, enable the Specify Work Folder settings setting, configure it with https://lon-dc1.adatum.com as the Work Folders URL, and then select the Force automatic setup check box.
3. On LON-CL1, sign out, and then sign in as adatum\adam with the password Pa$$w0rd.
4. Use File Explorer to create a New Text Document named On LON-CL1 in Work Folders.
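The server-side part of Tasks 1 to 3 (role service, sync share, HTTPS binding, and the Group Policy that pushes the Work Folders URL to Marketing users) can be done from Windows PowerShell on LON-DC1. The script below is an added example and is not the course's own lab script. It uses the lab's names; the Marketing OU distinguished name and the registry value names that the Specify Work Folder settings policy writes under the Work Folders policy key are assumptions.

```powershell
# Added example (not from the course): Tasks 1 to 3 of Exercise 2 as PowerShell on LON-DC1.
# Requires an elevated session with the SyncShare, WebAdministration and GroupPolicy modules.

# Task 1: install the Work Folders role service and create the sync share for Marketing.
Install-WindowsFeature -Name FS-SyncShareService
New-SyncShare -Name 'syncshare1' -Path 'C:\syncshare1' -User 'Adatum\Marketing'
# The per-user folder structure defaults to the user alias, and no device policy
# (encryption or automatic lock) is required, matching the lab's settings.
Get-SyncShare | Format-List Name, Path, User
# Get-SyncUserStatus shows when and from which devices a user last synced; it has data
# only after the user's first connection (Task 4).

# Task 2: bind the LON-DC1.adatum.com certificate to HTTPS on the Default Web Site.
Import-Module WebAdministration
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like 'CN=LON-DC1.adatum.com*' } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No certificate for LON-DC1.adatum.com in the machine store' }
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
}
if (-not (Test-Path 'IIS:\SslBindings\0.0.0.0!443')) {
    New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -Value $cert | Out-Null
}

# Task 3: GPO linked to the Marketing OU that auto-provisions Work Folders for users.
Import-Module GroupPolicy
$gpo = New-GPO -Name 'Deploy Work Folders'
New-GPLink -Name $gpo.DisplayName -Target 'OU=Marketing,DC=Adatum,DC=com' | Out-Null   # assumed OU DN
# "Specify Work Folder settings" = Work Folders URL plus "Force automatic setup".
# Value names under the policy key are assumptions; confirm them against the ADMX.
$policyKey = 'HKCU\Software\Policies\Microsoft\Windows\WorkFolders'
Set-GPRegistryValue -Name $gpo.DisplayName -Key $policyKey -ValueName 'SyncUrl' `
    -Type String -Value 'https://lon-dc1.adatum.com' | Out-Null
Set-GPRegistryValue -Name $gpo.DisplayName -Key $policyKey -ValueName 'AutoProvision' `
    -Type DWord -Value 1 | Out-Null
# Review what the GPO will push before users sign in.
Get-GPOReport -Name $gpo.DisplayName -ReportType Html -Path "$env:TEMP\DeployWorkFolders.html"
```

The HTTPS binding step is the one that most often breaks Work Folders in practice: the certificate's subject or SAN must match the host name in the Work Folders URL that the GPO hands out, which is why the script selects the certificate by subject rather than taking the first one in the store.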

Task 4: Deploy Work Folders on a device that is not a domain member

1. On LON-CL4, use Work Folders to Set up Work Folders. Use the following settings:
   o Work Folders URL: https://lon-dc1.adatum.com
   o Credentials: adatum\adam with Pa$$w0rd as the password
2. Verify that the file On LON-CL1.txt is available in Work Folders on the LON-CL4 computer.

Task 5: Use Work Folders to synchronize files

1. On LON-CL4, use File Explorer to create a New Text Document named On LON-CL4.txt in Work Folders.
2. On LON-CL1, verify that only the On LON-CL1.txt file is displayed in Work Folders.

Note: Work Folders synchronizes every 10 minutes automatically. You also have an option to trigger synchronization manually.

3. Use File Explorer to sync the Work Folders on LON-CL1.
4. Use File Explorer to verify that both files, On LON-CL1.txt and On LON-CL4.txt, are displayed in Work Folders.
5. Disable the Ethernet network connection by using Administrator and the password Pa$$w0rd as the credentials.
6. Modify the file On LON-CL1.txt in Work Folders by adding the following content: Modified offline.
7. Create a New Text Document named Offline LON-CL1.txt in Work Folders.
8. On LON-CL4, modify the file On LON-CL1.txt in Work Folders by adding the following content: Online modification.
9. On LON-CL1, enable the Ethernet network connection. Use Administrator and the password Pa$$w0rd as the credentials.
10. On LON-CL1, verify that four files are displayed in Work Folders, including On LON-CL1.txt and On LON-CL1-LON-CL1.txt. Because the file was modified at two locations, a conflict occurred, and one of the copies was renamed.

Results: After completing this exercise, you should have successfully configured the Work Folders feature.

To prepare for the next module

When you have finished the lab, revert the virtual machines to their initial state.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687D-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20687D-LON-SVR1, 20687D-LON-SVR2, 20687D-LON-CL1, and 20687D-LON-CL4.

Module Review and Takeaways


Review Questions
Question: Do you need to grant domain users additional permissions to enable Workplace
Join on their devices?
Question: Can you access Work Folders content on a computer without network
connectivity?

Module 10
Securing Windows 8.1 Devices

Contents:
Module Overview                                               10-1
Lesson 1: Authentication and Authorization in Windows 8.1     10-2
Lesson 2: Applying Security Settings by Using Group Policy    10-11
Lab A: Implementing Local GPOs                                10-19
Lesson 3: Securing Data with EFS and BitLocker                10-21
Lab B: Securing Data by Using BitLocker                       10-43
Lesson 4: Configuring UAC                                     10-45
Lab C: Configuring and Testing UAC                            10-52
Module Review and Takeaways                                   10-54

Module Overview

Users are becoming increasingly computer-literate, and they expect more from the technology that they
use at work. They expect to be able to work from home, from branch offices, and on the road without a
decrease in their productivity or a loss of access to the programs and applications that they need most.
As the needs of users have changed, the demands on information technology (IT) support professionals
have increased. Today, support professionals need to provide more capabilities and to support greater
flexibility while continuing to minimize security risks. In this module, you will explore features of the
Windows 8.1 operating system that you can use to maintain a secure computer environment for your
users, such as Encrypting File System (EFS), BitLocker Drive Encryption, and User Account Control (UAC).

Objectives
After completing this module, you will be able to:

• Implement authentication and authorization features in Windows 8.1.
• Use Group Policy Objects (GPOs) to apply security settings.
• Describe how to secure data with EFS and BitLocker.
• Describe how to configure UAC.

Lesson 1

Authentication and Authorization in Windows 8.1

Windows 8.1 provides a number of security technologies for devices, including authentication and authorization, volume-based encryption for files and disks, and UAC. Some of these security technologies strengthen the overall Windows infrastructure, and others are useful in controlling your system and your data.

Before effectively defining Windows 8.1 security measures such as file permissions and file and folder sharing properties, it is essential that you understand the user account types that are used during security configuration and how the Kerberos Version 5 protocol authenticates and authorizes user logons. This lesson examines the authentication and authorization features that provide the foundation for the Windows security infrastructure.

Note: File permissions were previously called NTFS permissions, but the term now applies to both NTFS and ReFS files and folders.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe authentication and authorization.
• Describe the process of authentication and authorization.
• Identify and describe important security features in Windows 8.1.
• Describe how to use biometrics for authentication.
• Configure a picture password or PIN for authentication.
• Describe how to integrate Virtual Smart Cards into the authentication process.

What Are Authentication and Authorization?

Authentication is the process that confirms a user's identity when he or she accesses a computer system or a system resource. In private and public computer networks, including the Internet, the most common authentication method that controls access to resources is the verification of a user's credentials, typically a user name and password.

However, for certain critical transactions such as payment processing, user name and password authentication has an inherent weakness because passwords can be stolen or revealed inadvertently. Because of this weakness, most Internet businesses implement digital certificates that a certification authority (CA) issues and verifies. Logically, authentication comes before authorization.

With authorization, a system can determine if an authenticated user is able to access and update secured system resources. Authorized permissions include access to files and file directories, hours of access, amount of allocated storage space, and other specifications. Authorization has two facets:

• A system administrator initially defines permissions for system resources.
• A system or application verifies users' permission values when users attempt to access or update a system resource.

You can provide authorization and access without implementing authentication. Typically, this is the case when permissions are granted for anonymous users who are not authenticated. Usually, these permissions are limited.

The Process of Authentication and Authorization

To understand the authentication and authorization process, you first must understand the role of user accounts. A user account is a collection of information that the Windows operating system uses to determine the user rights and access permissions a person has on a computer. A user account records the user name, password, and a unique number that identifies that account.

User Account Types and Rights

Windows 8.1 has three different user account types, all of which offer users varying degrees of access. The different user account types are:

• Standard. Users with this account type can use most of the capabilities of a computer. A person who logs on with a standard user account can use most apps on a computer and can change settings that affect his or her user account. However, the user typically cannot install or uninstall software and hardware, delete files that the computer requires, or change settings that affect other users or the computer's security. The system might prompt a standard user for an administrator password before he or she can perform certain tasks.
• Administrator. Users with this account type can make changes that affect other users. Administrators can change security settings, install software and hardware, and access all files on a computer. Administrators also can make changes to other user accounts.
• Guest. Users with this account type have temporary access to another user's computer. People who use Guest accounts cannot install software or hardware, change settings, or create a password. You must enable this feature before guests can use it.

Note: When you set up a computer, you must create an administrator user account, which provides the ability to set up your computer and install any device-wide apps that you want. After setup is complete, you should use a standard user account for your daily computing tasks. Users then can use Windows Store to install user-specific apps. It is more secure to use a standard user account than an administrator account. When you use a standard account, you can prevent accidental changes that affect anyone who uses the computer, especially if your user account credentials are stolen.

Windows Authentication Methods

Users must authenticate to verify their identity when they access files over a network. Authentication occurs during the network logon process. The Windows 8.1 operating system supports the following authentication methods for network logons:

• Kerberos protocol. Windows-based clients and servers use this as the main logon authentication method. It provides authentication for user and computer accounts.
• NTLM. This method provides backward compatibility with pre-Windows 2000 operating systems and some applications. However, it is less flexible, less efficient, and not as secure as the Kerberos protocol.
• Certificate mapping. Typically, this method is used in conjunction with smart cards. The certificate stored on a smart card links to a user account for authentication. A smart card reader is used to read a smart card and authenticate a user.

Kerberos Authentication

For Windows 8.1 clients, the Kerberos authentication protocol provides the mechanism for mutual authentication between a client and a server before a network connection opens between them.

Note: Active Directory Domain Services (AD DS) implements Kerberos authentication.

In a client/server application model:

• Windows 8.1 clients are apps that act on behalf of users who need to perform tasks such as opening a file, accessing a mailbox, querying a database, or printing a document.
• Servers, such as Windows Server 2012, are apps that provide services to clients. Some examples of services can include file storage, mail handling, query processing, print spooling, and a number of other specialized tasks.
• Clients initiate an action and servers respond. Typically, this means that a server listens to a communications port, waiting for clients to connect and ask for service.

In the Kerberos security model, every client/server connection begins with authentication. The client and server, in turn, step through a sequence of actions that helps parties on each end of the connection verify that the other party is genuine. If authentication is successful, session setup completes, and the client/server application can start working.

Benefits of Kerberos Authentication for Windows 8.1 Clients

The Kerberos protocol allows you to turn off NTLM authentication once all network clients are capable of Kerberos authentication. The Kerberos protocol is more flexible, efficient, and secure than NTLM. The benefits of using Kerberos authentication are:

• Faster connections. With NTLM authentication, an application server must connect to a domain controller to authenticate each client. With Kerberos authentication, a server does not need to connect to a domain controller. It can authenticate a Windows 8.1 client by examining the credentials that the client presents. Clients can obtain credentials for a particular server once and then reuse them throughout a network logon session.
• Mutual authentication. By using NTLM, servers can verify the identities of their clients. However, clients cannot use NTLM to verify a server's identity, and servers cannot verify the identity of other servers. NTLM authentication is ideal for a network environment in which servers are assumed to be genuine. The Kerberos protocol makes no such assumptions, and it enables parties at both ends of a network connection to identify and verify the party on the other end.

Question: Which authentication method is used when a Windows 8.1 client computer logs on to Active Directory Domain Services (AD DS)?
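Before turning NTLM off, as the benefits section above suggests, you need to know whether anything on the network still uses it. The script below is an added example, not part of the course, that answers that question for one computer by reading successful-logon events (Security event ID 4624) and grouping network logons by the authentication package that was used. It assumes only the standard fields of event 4624 and needs an elevated session to read the Security log.

```powershell
# Added example (not from the course): which authentication package did recent network
# logons to this computer use? Reads Security event 4624 (successful logon).
# LogonType 3 is a network logon; AuthenticationPackageName is 'Kerberos' or 'NTLM'.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
                       -MaxEvents 2000 -ErrorAction Stop

$logons = foreach ($e in $events) {
    # Each 4624 event carries its fields as <Data Name="...">value</Data> elements.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data['LogonType'] -eq '3') {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Package     = $data['AuthenticationPackageName']
            Account     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            Source      = $data['IpAddress']
            Workstation = $data['WorkstationName']
        }
    }
}

# How many network logons used each package.
$logons | Group-Object Package | Select-Object Name, Count | Format-Table -AutoSize

# The NTLM logons are the ones to investigate: the client or application behind each
# one is what still depends on NTLM and would break if it were disabled.
$logons | Where-Object Package -eq 'NTLM' |
    Sort-Object Time -Descending |
    Select-Object Time, Account, Source, Workstation |
    Format-Table -AutoSize
```

For an enterprise-wide view rather than a single computer, the Group Policy settings under Security Options named "Network security: Restrict NTLM" include audit-only modes that log NTLM use without blocking it; running in audit mode first, then reviewing the resulting events, is the usual path before switching the same settings to deny.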

Important Security Features in Windows 8.1

The Windows 8.1 operating system improves platform security by including a number of apps that help simplify the balancing of security and usability. To diagnose, troubleshoot, and resolve any security-related issues quickly and effectively, you must understand how the new Windows 8.1 security features work.

The Windows 8.1 operating system provides the following assortment of tools and features that maximize platform and client security while balancing security and usability:

• Windows 8.1 Action Center. This is the starting point for diagnosing and solving system issues. It also is a central location for users to address messages about their local computer.
• Group Policy/Local Policy. Administrators can use policies to specify security settings to apply to Windows 8.1.
• EFS. This is a built-in encryption tool for Windows-based file systems.
• BitLocker and BitLocker To Go. These tools help mitigate unauthorized data access by rendering data inaccessible when you decommission or recycle BitLocker-protected computers. BitLocker To Go provides similar protection for data on removable data drives.
• AppLocker. Administrators can use this tool to specify exactly what apps and services can run on a user's computer.
• UAC. Users can use this tool to run their computers as standard users and perform all necessary daily tasks.
• Windows Firewall with Advanced Security. This snap-in provides protection from malicious users and apps that rely on unsolicited incoming traffic to attack computers.
• Windows Defender. This feature helps protect your computer from spyware and other forms of malware.

Using Biometrics for Authentication

MCT USE ONLY. STUDENT USE PROHIBITED

10-6 Securing Windows 8.1 Devices

The Windows Biometric Framework (WBF) was


introduced in Windows 7. However, different
types of advanced hardware that take full
advantage of the WBF only became available in
Windows 8 and Windows 8.1. Biometrics is an
example of two-factor authentication, which is
authentication that requires two authentication
methods. These authentication methods might
include something the user provides, such as
certificates; something the user knows, such as
user names, passwords, or pass phrases; physical
attributes, such as a thumbprint; or personal
attributes, such as a personal signature. Biometrics allows for validation of user credentials in a growing
number of ways, including fingerprint recognition, retinal scanning, and facial recognition. Biometrics is
becoming the preferred method of authentication on mobile devices.
The Windows Biometrics Service is set to manual start by default. In Windows 8.1, this service:

Captures the input data from a biometric scan and stores it in a template.

Securely stores and manages the biometric template for future use.

Can be mapped to a unique identifier, such as a GUID or a security identifier (SID).

Allows additional templates to be created.

Can be extended by developers by using the WBF application programming interface (API).

In addition to the low-level framework support, Windows 8.1 offers users the following management
features that support biometrics:

A fingerprint management application within PC settings.

Support for installed biometric devices within Device Manager.

GPOs for configuring system-wide biometric options.

Credential Provider support that allows biometric data to be used to log on to a local or
domain-joined computer.

Note: Although WBF is built into Windows 8.1, you must install a biometric device to take
advantage of the framework. Installed devices will appear in Device Manager and Control Panel.

Biometric Fingerprints

Currently, the WBF in Windows 8.1 only supports the fingerprint biometric factor. All editions of Windows 8.1 support biometrics, allowing users to acknowledge a multitude of requests, such as Windows sign-in, remote access, and UAC, by using their fingerprints.
You can record your fingerprint by using biometrics in Windows 8.1 by following this procedure:
1. On the Start screen, type Fingerprint.
2. Browse to PC Settings, click Accounts, and then click Sign-in options.

Note: The fingerprint option will only be available if there is a WBF-supported fingerprint reader installed on the Windows 8.1 device.

When the biometric scanning process uses a fingerprint, the actual fingerprint image is not itself stored. Biometrics converts the scan into the information that the template requires, and the sign-in process then uses this information in a similar manner to a password for authentication.

Credential Management UI Integration

After you configure fingerprint-based authentication, you can use it as an alternative way to authenticate
at a Windows password prompt. Whenever the Windows operating system requires a specific user to
authenticate, the Credential Management UI (CredUI) will display the option to authenticate via a
fingerprint.
Note: Windows 8 provided a biometric devices control panel item. Windows 8.1 does not
include this item, but provides additional support through independent software vendors or
directly via the application that uses the fingerprint biometric feature.

Picture Passwords

Windows 8.1 operates in both touch and traditional PC scenarios. The touch interface offers a new way for
users to log on and authenticate. Windows 8 introduced the option to use a picture password or PIN as a
logon option. For touch users, the use of a picture password or PIN is more intuitive and quicker than the
use of an on-screen keyboard to type a complex password.
For your picture password, you can choose a picture that came with Windows 8.1, or you can add your
own picture and then create gestures to create your own personal logon. When selecting an appropriate
picture, use one that has several points of interest, as this will increase the complexity of the password.

Gestures

By selecting a personal picture and drawing gestures in a way that is meaningful only to the user, a picture password can be hard for an attacker to guess. It is a convenience sign-in for the device's own sign-in screen, not a replacement for a strong account password: the account password stays in place and is what the gestures unlock. When you add gestures to your picture password, you can choose from the gestures below:

A tap

A small clockwise circle

A small counterclockwise circle

A larger clockwise circle

A larger counterclockwise circle

A straight line drawn between any two points of interest on your picture

Microsoft has increased the security of the picture password feature by introducing two safeguards against repeated attacks:

When you enter your picture password incorrectly five times, the system prevents you from using the feature again until you sign in with your account password.

To mitigate network attacks, the picture password is disabled in remote and network scenarios, so it can be used only at the device's own sign-in screen.

PIN Authentication
The option to use a four-digit PIN to sign in to Windows 8.1 offers users a simple, familiar, and quick
way to unlock their devices. Domain users are restricted from using a PIN password. However, an
administrator can override this restriction by configuring the Turn on PIN sign-in GPO within the
Computer Configuration\Administrative Templates\System\Logon container.
MSDN Blogs: Signing in with a picture password
http://go.microsoft.com/fwlink/?LinkId=378246&clcid=0x409

Note: Although a PIN might not be suitable in situations where complex passwords are required, both the picture password and PIN sign-in options are attractive in low-risk environments, such as for home users and personal devices. Neither replaces the account password, which is still what protects the account on the network.
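The following PowerShell script is an added example written for this section; it is not part of the course and not a Windows component. It reports, on a Windows 8.1 device, whether the sign-in options described above are actually available: the state of the Windows Biometric Service, whether a WBF reader is enumerated in the Biometric device class, and whether the Turn on PIN sign-in policy has been applied for domain accounts. The registry values it reads are the ones the Biometrics and Logon administrative templates write (HKLM\SOFTWARE\Policies\Microsoft\Biometrics and HKLM\SOFTWARE\Policies\Microsoft\Windows\System\AllowDomainPINLogon); treat those mappings as assumptions to confirm against the ADMX files on your own device. Get-WmiObject is used because it is available in the PowerShell 4.0 that ships with Windows 8.1.

```powershell
# Added example (not from the course). Run in PowerShell on the Windows 8.1 device.
# Reports whether fingerprint and PIN sign-in are available and what is blocking them.

function Get-SignInOptionReadiness {
    [CmdletBinding()]
    param()

    # 1. Windows Biometric Service: Manual (Trigger Start) by default; it starts on demand.
    $svc = Get-Service -Name WbioSrvc -ErrorAction SilentlyContinue
    $svcStart = if ($svc) { (Get-WmiObject Win32_Service -Filter "Name='WbioSrvc'").StartMode }

    # 2. A WBF-capable device must be installed; installed readers appear in Device Manager
    #    under the Biometric device setup class (GUID below).
    $bioClass = '{53D29EF7-377C-4D14-864B-EB3A85769359}'
    $readers  = @(Get-WmiObject Win32_PnPEntity -Filter "ClassGuid='$bioClass'")

    # 3. Policy values behind the biometrics GPOs (assumed mapping, see Biometrics.admx):
    #    Enabled = 0 turns the framework off; Credential Provider\Enabled = 0 blocks sign-in.
    $bioPol = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics'
    $bioEnabled = (Get-ItemProperty -Path $bioPol -Name Enabled -ErrorAction SilentlyContinue).Enabled
    $bioSignIn  = (Get-ItemProperty -Path "$bioPol\Credential Provider" -Name Enabled `
                     -ErrorAction SilentlyContinue).Enabled

    # 4. PIN sign-in: domain accounts need "Turn on PIN sign-in" (AllowDomainPINLogon = 1).
    $domainJoined = (Get-WmiObject Win32_ComputerSystem).PartOfDomain
    $pinPol = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' `
                 -Name AllowDomainPINLogon -ErrorAction SilentlyContinue).AllowDomainPINLogon

    $fingerprintOk = ($svc -ne $null) -and ($readers.Count -gt 0) -and
                     ($bioEnabled -ne 0) -and ($bioSignIn -ne 0)
    $pinOk = (-not $domainJoined) -or ($pinPol -eq 1)

    [pscustomobject]@{
        BiometricService      = if ($svc) { "$($svc.Status) ($svcStart)" } else { 'not installed' }
        BiometricDevices      = ($readers | ForEach-Object { $_.Name }) -join '; '
        BiometricsPolicy      = if ($bioEnabled -eq $null) { 'not configured' } else { $bioEnabled }
        BiometricSignInPolicy = if ($bioSignIn -eq $null) { 'not configured' } else { $bioSignIn }
        FingerprintSignIn     = if ($fingerprintOk) { 'available' } else { 'blocked' }
        DomainJoined          = $domainJoined
        TurnOnPinSignIn       = if ($pinPol -eq $null) { 'not configured' } else { $pinPol }
        PinSignIn             = if ($pinOk) { 'available' } else { 'blocked for domain accounts' }
    }
}

Get-SignInOptionReadiness | Format-List
```

On a device with no reader the output shows BiometricDevices empty and FingerprintSignIn blocked, which is the condition the note above describes; on a domain-joined device PinSignIn stays blocked until the Turn on PIN sign-in GPO reaches the computer.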


Demonstration: Configuring a Picture Password or PIN for Authentication

In this demonstration, you will see how to:

Create a picture password to sign in with gestures.

Create a PIN password to sign in.

Demonstration Steps
Create a picture password to sign in with gestures
1. Sign in to LON-CL4 as Admin with password Pa$$w0rd.
2. On the Start screen, type Picture Password, and then click Set up picture password.
3. Click Choose picture, and then draw three gestures on your picture.
4. Click Finish, and then close the Sign-in account app.

Create a PIN password to sign in
1. On the Start screen, type PIN, and then click Set up PIN sign-in.
2. On the Sign-in options page, under the PIN option, click Add, and then create a PIN.
3. Revert LON-CL4.

Integrating Virtual Smart Cards into the Authentication Process

Windows 8.1 builds on the features of Windows 7 and offers enhanced support for smart cards. System administrators can use smart cards to protect the security of an organization's computers and devices. Smart card technology offers significant advantages in the protection of business assets. However, with the exception of large and medium-sized organizations, there has not been a widespread adoption of smart card technology. Reasons include the additional cost of hardware devices and the complexity of smart card management and control.

To address these issues, Windows 8 introduced Virtual Smart Card technology, which Windows 8.1 carries forward. Network administrators can bring this technology to end users without the previous hardware requirements of card readers and the cards themselves. At the same time, Virtual Smart Cards still take advantage of the Personal Identity Verification benefits that the smart card feature provides.
Note: Smart cards are another example of multifactor authentication. A user must possess the smart card (something the user has) and know its PIN (something the user knows) to be able to authenticate and gain access to a system.


Many Windows 8.1 devices now ship with a Trusted Platform Module (TPM) that meets specification version 1.2. A Virtual Smart Card takes advantage of a device's tamper-resistant TPM security chip to protect the private keys of the certificates that authenticate each user account; the keys are generated and used inside the TPM and cannot be exported, which is what makes the virtual card comparable to a physical one. Because a TPM is an internal component of a device, you can configure a Virtual Smart Card to protect a device whether or not it is domain-joined.

Being virtual, once you configure a device to use its TPM, you do not require any further hardware or cards. Effectively, the device acts as a smart card reader, and users supply an unlock PIN that is personal to them. A TPM chip can store up to six Virtual Smart Cards.
Note: If a TPM is present, it might need to be turned on in the system BIOS/Unified Extensible Firmware Interface (UEFI) firmware.
Note: You must run the Tpmvscmgr.exe command-line utility with local administrator permissions to gain access to a TPM and generate a Virtual Smart Card.

Tpmvscmgr.exe

Windows 8.1 provides the Tpmvscmgr.exe Virtual Smart Card management tool that administrators can use to provision Virtual Smart Cards on a device. The syntax of Tpmvscmgr.exe is as follows:
tpmvscmgr.exe create /name NameofVSC /pin prompt /puk prompt /adminkey random /generate

Notice that the command is configured to ask the user for a PIN. The user also is asked for a PIN unlock key (PUK) that can be used to unlock a Virtual Smart Card and reset the PIN if it is forgotten. The PIN and PUK must each be at least eight characters long. When the command completes, the tool reports the device instance ID of NameofVSC. Record this device instance ID, because tpmvscmgr.exe destroy /instance <device instance ID> is how you later remove the Virtual Smart Card from the device. You also can configure an administrator key, which provides an alternative method of unlocking a card for a PIN reset. In the above example, Tpmvscmgr.exe generates a random 48-hexadecimal-digit administrator key; that random key is not returned to you, so a card created this way cannot later be unlocked or have its PIN reset through the administrator key. For cards that must be manageable, use /adminkey prompt and keep the key in your card management system instead.
In Windows 8.1, the process to enroll TPM-enabled devices to be used as a Virtual Smart Card device has improved. The high-level process for using a Virtual Smart Card is as follows:
1. Enable TPM 1.2 in BIOS/UEFI firmware.
2. Create and install a Virtual Smart Card by using the Virtual Smart Card management tool, Tpmvscmgr.exe.
3. Enroll for a logon certificate (protected by the TPM).
4. Sign in to the device with the smart card PIN.

The default PIN policy for a Virtual Smart Card that is generated by Windows 8.1 is as follows:

Minimum length of 8

Maximum length of 127

Uppercase characters allowed

Lowercase characters allowed

Digits allowed

Special characters allowed


Note: The lower and upper boundaries for PIN length are 4 and 127 respectively.


In a corporate AD DS environment, you likely have a CA configured already. Once your device has created
a Virtual Smart Card, you then will enroll for a logon certificate from your Windows CA by using the
Certificate Enrollment Wizard in the Certificates Microsoft Management Console (MMC) snap-in, which is
accessed by typing Certmgr.msc at the Start screen.
Note: A PIN typically is a secret numeric password. However, a Virtual Smart Card allows a
PIN to include digits, alphabetic and special characters, and not just numbers. The term PIN has
been retained because legacy smart cards used simple numeric PINs.
Understanding and Evaluating Virtual Smart Cards
http://go.microsoft.com/fwlink/?LinkId=378248&clcid=0x409
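The following PowerShell script is an added example for the Tpmvscmgr.exe procedure above; it is not part of the course or of Windows. It checks the TPM state the procedure's first step asks for, runs the create command exactly as shown in the text, finds the device instance ID of the new card by comparing the ROOT\SMARTCARDREADER devices before and after creation (the tool also prints the ID, but output is deliberately not captured so that the PIN and PUK prompts remain visible), records the ID for later removal, and wraps the destroy command. The card name, the record file path, and the assumption that virtual readers always enumerate under ROOT\SMARTCARDREADER are this example's own.

```powershell
# Added example (not from the course). Run from an elevated PowerShell prompt on the device.
# Checks the TPM, creates a Virtual Smart Card with the syntax shown above, records the
# device instance ID that later removal needs, and wraps the matching destroy command.

function Test-TpmForVirtualSmartCard {
    [CmdletBinding()]
    param()
    # Win32_Tpm exposes the firmware state the course tells you to check in BIOS/UEFI.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
    if (-not $tpm) { throw 'No TPM was found. Enable the TPM in BIOS/UEFI firmware and retry.' }
    $enabled   = $tpm.IsEnabled().IsEnabled
    $activated = $tpm.IsActivated().IsActivated
    if (-not ($enabled -and $activated)) {
        throw "TPM present but not ready (enabled=$enabled, activated=$activated)."
    }
    # SpecVersion reads like "1.2, 2, 3"; the first field is the TPM specification version.
    $spec = ($tpm.SpecVersion -split ',')[0].Trim()
    Write-Verbose "TPM $spec is enabled and activated."
    return $spec
}

function Get-VirtualReaderIds {
    # Virtual Smart Cards enumerate as root-enumerated reader devices (assumed ID prefix).
    @(Get-WmiObject Win32_PnPEntity -Filter "DeviceID LIKE 'ROOT\\SMARTCARDREADER\\%'" |
        ForEach-Object { $_.DeviceID })
}

function New-VirtualSmartCard {
    param(
        [string]$Name   = 'Adatum VSC',                       # hypothetical card name
        [string]$Record = "$env:ProgramData\vsc-instances.txt" # hypothetical record file
    )
    $spec = Test-TpmForVirtualSmartCard -Verbose
    Write-Host "Using TPM $spec."
    $before = Get-VirtualReaderIds

    # Interactive: the tool prompts for the PIN and PUK (8 to 127 characters each). Output is
    # not captured so the prompts show. A random admin key is not returned by the tool, so an
    # administrator cannot reset this card's PIN later; use /adminkey prompt for managed cards.
    & tpmvscmgr.exe create /name $Name /pin prompt /puk prompt /adminkey random /generate
    if ($LASTEXITCODE -ne 0) { throw "tpmvscmgr.exe create failed with exit code $LASTEXITCODE" }

    $new = Get-VirtualReaderIds | Where-Object { $before -notcontains $_ }
    if (-not $new) { throw 'Create succeeded, but no new ROOT\SMARTCARDREADER device was enumerated.' }

    # Keep the instance ID: it is the argument to "tpmvscmgr.exe destroy /instance <id>".
    "$(Get-Date -Format s)`t$Name`t$new" | Add-Content -Path $Record
    Write-Host "Created '$Name' with device instance ID $new (recorded in $Record)."
    Write-Host 'Next: enroll a smart card logon certificate with certmgr.msc, then check with: certutil -scinfo'
    return $new
}

function Remove-VirtualSmartCard {
    param([Parameter(Mandatory=$true)][string]$InstanceId)
    & tpmvscmgr.exe destroy /instance $InstanceId
    if ($LASTEXITCODE -ne 0) { throw "tpmvscmgr.exe destroy failed with exit code $LASTEXITCODE" }
}

# Usage (elevated):
#   $id = New-VirtualSmartCard -Name 'Adatum VSC'
#   Remove-VirtualSmartCard -InstanceId $id     # when the card is no longer needed
```

Once the card exists, step 3 of the procedure (enrolling the logon certificate through Certmgr.msc) is still a manual step in this example; certutil -scinfo is a quick way to confirm that Windows sees the virtual reader and the certificate on it before you test sign-in.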

Lesson 2

Applying Security Settings by Using Group Policy


Before learning about the important security features in Windows 8.1, it is important that you understand
the best ways in which to configure security-related settings in Windows 8.1. Although you can perform
computer-specific administration and configuration tasks manually, it can be more efficient to implement
your planned configuration settings by using GPOs. GPOs provide an infrastructure for centralized
configuration management of operating systems and the applications that run on operating systems. This
lesson discusses how to apply security settings by using Group Policy.

Lesson Objectives
After completing this lesson, you will be able to:

Describe how to use GPOs to apply common security settings.

Describe how to configure account policy settings.

Describe how to use multiple local Group Policy Objects (MLGPOs) for non-domain joined devices.

Describe Microsoft Security Compliance Manager.

Using GPOs to Apply Common Security Settings

You can use Group Policy to access and configure security options. You can configure settings for Security Options by accessing the Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options location from the Group Policy Management Console (GPMC). Common computer security settings that you can configure in Security Options include the following:

Administrator and Guest account names

Access to CD/DVD drives

Digital data signatures

Driver installation behavior

Logon prompts

UAC

The following are examples of commonly used Security Options:

Interactive logon: Prompt user to change password before expiration. Determines how many days in advance of a password's expiration the operating system warns the user.

Interactive logon: Do not display last user name. Determines whether the name of the last user to sign in to a computer is displayed in the Windows logon window. Enabling it denies an attacker with console access a valid user name to try passwords against.

Accounts: Rename administrator account. Determines whether a different account name is associated with the SID of the built-in Administrator account. The SID itself (which always ends in -500) does not change, so renaming only hides the account from casual guessing.

Devices: Restrict CD-ROM access to locally logged-on user only. Determines whether a CD-ROM is accessible simultaneously to both local and remote users.

Domain-Based GPO vs. Local GPO in Windows 8.1


A local GPO is the least influential object in an AD DS environment because its settings can be overwritten
by GPOs that are associated with sites, domains, and organizational units (OUs). In an environment that is
not networked, or in a networked environment that does not have a domain controller, local GPO settings
are important because they are not overwritten by other GPOs. Stand-alone computers only use local
GPOs to control the environment.
Each Windows 8.1 computer has one local GPO that contains default computer and user settings,
regardless of whether the computer is part of an AD DS environment. In addition to this default local
GPO, you can create custom local user GPOs.

Configuring Account Policy Settings

Account policies protect your organization's accounts and data by mitigating the threat of attacks that try to guess account user names and passwords (sometimes referred to as brute force attacks). Securing your network environment requires that all users use strong passwords. You use password policy settings to control the complexity and lifetime of user passwords. You configure password policy settings through Group Policy.

Account Policies
Account policy components include password policies, account lockout policies, and Kerberos policies.

The policy settings under Account Policies are implemented at the domain level: for domain accounts, only the policy linked at the domain (typically the Default Domain Policy) takes effect, and the same settings in a GPO linked to an OU affect only the local accounts of the computers in that OU. A Windows Server 2008 or later domain can have multiple password and account lockout policies, which are called fine-grained password policies. You can apply these multiple policies to a user or to a global security group in a domain, but not to an OU.
Note: If you need to apply a fine-grained password policy to users of an OU, you can use a shadow group, which is a global security group that is logically mapped to an OU.
You can configure settings for Account Policies by accessing the following location:

Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies

Password Policy
Password policies that you can configure are listed in the following table.

Policy: Password must meet complexity requirements
Function: Requires passwords to:
  Be at least as long as specified by the Minimum password length setting, with a minimum of 3 characters if Minimum password length is set to 0.
  Contain a combination of at least three of the following types of characters: uppercase letters, lowercase letters, numbers, and symbols (punctuation marks).
  Not contain the user's user name or screen name.
Best practice: Enable this setting. These complexity requirements help ensure a strong password. Strong passwords are more difficult to crack than those containing only simple letters or numbers. Instruct users to use pass phrases to create long passwords that are easy to remember.

Policy: Enforce password history
Function: Prevents users from creating a new password that is the same as their current password or a recently used password. To specify how many passwords are remembered, provide a value. For example, a value of 1 means that only the last password is remembered, and a value of 5 means that the previous five are remembered.
Best practice: A greater number gives better security. The default value is 24. Enforcing password history ensures that passwords that have been compromised are not used repeatedly.

Policy: Maximum password age
Function: Sets the maximum number of days that a password is valid. After this number of days, the user must change the password.
Best practice: The default value is 42 days. Setting the number of days too high gives an attacker who has captured a password or its hash an extended window in which to crack or use it. Setting the number of days too low frustrates users who have to change their passwords too frequently, and could result in more frequent calls to the IT help desk.

Policy: Minimum password age
Function: Sets the minimum number of days that must pass before a password can be changed.
Best practice: Set the minimum password age to at least 1 day. By doing so, you require that a user can change their password only once a day, which makes the other settings effective. For example, if the past five passwords are remembered, this ensures that at least five days must pass before the user can reuse the original password. If the minimum password age is set to 0, the user can change their password six times on the same day and reuse the original password immediately.

Policy: Minimum password length
Function: Specifies the fewest number of characters that a password can have.
Best practice: Set the length to between 8 and 12 characters (provided that passwords also meet complexity requirements); longer is better where users accept it. A longer password is more difficult to crack than a shorter one, assuming the password is not a common word.

Policy: Store passwords by using reversible encryption
Function: Provides support for apps that need to know a user's password for authentication purposes.
Best practice: Do not use this setting unless you use an app that requires it. Enabling it stores passwords in a form equivalent to plain text, so anyone who can read the account database can recover them.
Account Lockout Policy

Account lockout policies that you can configure are listed in the following table.

Policy: Account lockout threshold
Function: Specifies the number of failed logon attempts that are allowed before the account is locked. For example, if the threshold is set to 3, the account is locked out after a user enters incorrect logon information three times. A value of 0 means the account is never locked out.
Best practice: A setting of 5 allows for reasonable user error and limits repeated logon attempts for malicious purposes. Note that a low threshold has a negative side: an attacker who can reach the logon service, especially from the Internet, can deliberately lock out user accounts, which is a denial of service against those users. Because of this, some organizations are moving toward a higher threshold.

Policy: Account lockout duration
Function: Specifies a time frame, in minutes, after which the account automatically unlocks and resumes normal operation. If you specify 0, the account stays locked until an administrator manually unlocks it.
Best practice: After the threshold has been reached and the account is locked out, the account should remain locked long enough to block or deter any potential attacks, but short enough not to interfere with productivity for legitimate users. A duration of 30 to 90 minutes works well in most situations.

Policy: Reset account lockout counter after
Function: Defines a time frame, in minutes, for counting incorrect logon attempts. If the policy is set to one hour and the account lockout threshold is set to three attempts, users can enter incorrect logon information three times within one hour. If they enter incorrect information twice but get it correct the third time, the counter resets after one hour has elapsed since the last incorrect entry, so that future failed attempts again start counting at one. When the account lockout duration is not 0, this value must be less than or equal to the account lockout duration.
Best practice: Using a time frame between 30 and 60 minutes is usually sufficient to deter automated attacks and manual attempts by an attacker to guess a password.

Note: You can use the Local Group Policy Editor to configure GPO settings on a stand-alone Windows 8.1 workstation. To configure local Group Policy, run Gpedit.msc from the Run box with elevated permissions.


After you configure the local policy, you can export security-related settings to a policy file and then save
them in a security template file with an .inf extension. You then can import the template into the Local
Group Policy Editor to use these templates to configure additional computers.
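The following PowerShell script is an added example that covers the Security Options examples, the password and account lockout tables, and the .inf export note above; it is not part of the course or of Windows. It uses secedit.exe, which is what the Local Group Policy Editor also calls, to export the effective local security policy to a Unicode .inf file, parses the [System Access] and [Registry Values] sections, compares them with the best-practice values from the tables, and shows how to apply a lockout threshold of three attempts (the answer to the question above) from a minimal .inf. The expected ranges, the temporary file paths, and the function names are this example's own. On a domain member, remember that the Account Policies reported for domain accounts come from the domain, so a local change made with secedit affects only local accounts.

```powershell
# Added example (not from the course). Run from an elevated PowerShell prompt.
# secedit.exe exports the effective policy to a Unicode .inf: Account Policies live under
# [System Access], registry-backed Security Options under [Registry Values].

function Export-LocalSecurityPolicy {
    param([string]$Path = "$env:TEMP\secpol.inf")
    & secedit.exe /export /cfg $Path /areas SECURITYPOLICY /quiet
    if ($LASTEXITCODE -ne 0) { throw "secedit /export failed with exit code $LASTEXITCODE" }
    $policy = @{}
    foreach ($line in Get-Content -Path $Path) {
        # "Name = value" lines; [section] headers and comments do not match
        if ($line -match '^\s*([^\[;=]+?)\s*=\s*(.+?)\s*$') { $policy[$Matches[1]] = $Matches[2] }
    }
    return $policy
}

function Test-SecurityPolicyBaseline {
    param([hashtable]$Policy = (Export-LocalSecurityPolicy))
    $reg = 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    # Expected values follow the best-practice column of the tables above.
    $checks = @(
        @{ Name = 'PasswordComplexity';    Want = '1 (enabled)';           Ok = { param($v) $v -eq 1 } },
        @{ Name = 'PasswordHistorySize';   Want = '24';                    Ok = { param($v) $v -ge 24 } },
        @{ Name = 'MaximumPasswordAge';    Want = '1-42 days';             Ok = { param($v) $v -ge 1 -and $v -le 42 } },
        @{ Name = 'MinimumPasswordAge';    Want = '1 day or more';         Ok = { param($v) $v -ge 1 } },
        @{ Name = 'MinimumPasswordLength'; Want = '8-12 characters';       Ok = { param($v) $v -ge 8 } },
        @{ Name = 'ClearTextPassword';     Want = '0 (not reversible)';    Ok = { param($v) $v -eq 0 } },
        @{ Name = 'LockoutBadCount';       Want = '1-5 (0 never locks)';   Ok = { param($v) $v -ge 1 -and $v -le 5 } },
        @{ Name = 'LockoutDuration';       Want = '30-90 minutes';         Ok = { param($v) $v -ge 30 -and $v -le 90 } },
        @{ Name = 'ResetLockoutCount';     Want = '30-60 minutes';         Ok = { param($v) $v -ge 30 -and $v -le 60 } },
        @{ Name = "$reg\DontDisplayLastUserName"; Want = '4,1 (enabled)'; Ok = { param($v) $v -eq '4,1' } }
    )
    foreach ($c in $checks) {
        $raw = $Policy[$c.Name]
        # numeric settings compare as integers; REG_DWORD entries keep their "4,<value>" form
        $v = if ($raw -match '^-?\d+$') { [int]$raw } else { $raw }
        [pscustomobject]@{
            Setting  = $c.Name.Split('\')[-1]
            Current  = if ($raw -eq $null) { 'not set' } else { $raw }
            Expected = $c.Want
            Pass     = ($raw -ne $null) -and (& $c.Ok $v)
        }
    }
}

function Set-AccountLockoutPolicy {
    # Three invalid attempts lock the account (the question above). Windows requires the
    # lockout duration to be at least the reset window unless the duration is 0 (manual unlock).
    param([int]$Threshold = 3, [int]$DurationMinutes = 30, [int]$ResetMinutes = 30)
    if ($DurationMinutes -ne 0 -and $DurationMinutes -lt $ResetMinutes) {
        throw 'Account lockout duration must be greater than or equal to the reset counter window.'
    }
    $inf = "$env:TEMP\lockout.inf"
    $template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
LockoutBadCount = {0}
LockoutDuration = {1}
ResetLockoutCount = {2}
'@
    ($template -f $Threshold, $DurationMinutes, $ResetMinutes) | Set-Content -Path $inf -Encoding Unicode
    & secedit.exe /configure /db "$env:TEMP\lockout.sdb" /cfg $inf /areas SECURITYPOLICY /quiet
    if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed with exit code $LASTEXITCODE" }
}

# Usage (elevated):
#   Test-SecurityPolicyBaseline | Format-Table -AutoSize
#   Set-AccountLockoutPolicy -Threshold 3
#   Test-SecurityPolicyBaseline | Where-Object { -not $_.Pass }
```

The same .inf file that Export-LocalSecurityPolicy writes is the security template format mentioned above: you can hand-edit it and import it into the Local Group Policy Editor, or apply it directly with secedit /configure, to reproduce one computer's settings on another.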
Question: What setting must you configure to ensure that users are allowed only three
invalid sign-in attempts?

Using Multiple Local GPOs for Non-Domain Joined Devices

Securing computers and users' devices is an important responsibility of a network administrator. Given the plethora of configurable settings, most domain administrators manage these settings by using domain-based GPOs. For stand-alone Windows 8.1 client computers, you can address the same need through MLGPOs.

MLGPOs improve previous Local Group Policy technology by allowing you to apply different levels of Local Group Policy to local users on a stand-alone computer. This technology is ideal for shared computing environments where domain-based management is not available, such as shared library computers or public Internet kiosks. In these situations, the local GPO's settings are more important because they are not overwritten by other GPOs. Stand-alone computers only use the local GPO to control their environment.

Introduction to MLGPO

Local Group Policy is a subset of the broader Group Policy technology. Group Policy is domain-based,
whereas Local Group Policy is specific to a local computer. Both technologies allow you to configure
specific settings in the operating system and then force those settings to computers and users.

Local Group Policy is not as robust as Group Policy. For example, you can use Group Policy to configure
any number of policies that might affect some, all, or none of the users of a domain-joined computer. You
can even use Group Policy to apply policies to users that have specific group memberships.

Local Group Policy

The Local Group Policy layer is the topmost layer in the list of MLGPOs. Local Group Policy, which also is known as the Local Computer Policy, is the only local GPO that allows computer settings. Besides computer settings, you can select user settings. User settings that are contained in the Local Group Policy apply to all users of the computer, even the local administrator. Local Group Policy behaves the same as it did in previous versions of the Windows operating system.

Administrators and Non-Administrators Local Group Policy

The Administrators and Non-Administrators local GPOs do not exist by default. You must create them if you want to use them on your Windows 8.1 client. These GPOs act as a single layer and logically sort all local users into two groups when a user signs in to the computer: a user is either an administrator or a non-administrator. Users who are members of the Administrators group receive policy settings assigned in the Administrators Local Group Policy (group membership is what counts, not whether the current session is elevated). All other users receive policy settings assigned in the Non-Administrators Local Group Policy.

User-Specific Group Policy

Local administrators can use the last layer of the local GPO, Per-User local GPOs, to apply specific policy
settings to a specific local user.

Processing Order
The benefits of MLGPOs come from the processing order of the three separate layers. The layers are
processed as follows:


1. The local GPO applies first. This local GPO might contain both computer and user settings. User settings contained in this policy apply to all users, including the local administrator.
2. The Administrators and Non-Administrators local GPOs are applied next. These two local GPOs represent a single layer in the processing order, and the user receives one or the other. Neither of these local GPOs contains computer settings.
3. User-specific Local Group Policy is applied last. This layer of local GPOs contains only user settings, and you apply it to one specific user on a local computer.

Conflict Resolution Between Policy Settings

Available user settings are the same between all local GPOs. It is possible that a policy setting in one local GPO contradicts the same setting in another local GPO. Windows 8.1 resolves these conflicts by using the Last Writer Wins method. This method resolves conflicts by overwriting any previous setting with the last-read (most current) setting. The final setting is the one that the Windows operating system uses.
For example, an administrator enables a setting in a local GPO. The administrator then disables the
same setting in a user-specific local GPO. When a non-administrator user signs in to the computer, the
Windows operating system reads the local GPO first, followed by the Non-Administrators local GPO, and
then the user-specific local GPO.

The state of the policy setting is enabled when the Windows operating system reads the local GPO. The
policy setting is not configured in the Non-Administrators local GPO. This has no effect on the state of the
setting, so it remains enabled. The policy setting is disabled in the user-specific local GPO. This changes
the state of the setting to disabled. Windows reads the user-specific local GPO last; therefore, it has the
highest precedence. The Local Computer Policy has a lower precedence.

Domain Member Computers

Stand-alone computers benefit the most from MLGPOs because they are managed locally. Domain-based
computers apply Local Group Policy first and then domain-based policy. Windows 8.1 continues to use
the Last Writer Wins method for conflict resolution. Therefore, policy settings originating from domain
Group Policy overwrite any conflicting policy settings found in any Local Group Policy to include
administrative, non-administrative, and user-specific Local Group Policy.
You can disable the processing of local GPOs on clients that run Windows 8.1 by enabling the Turn off
Local Group Policy objects processing policy setting in a domain GPO. You can find this setting by
expanding Computer Configuration, expanding Administrative Templates, expanding System, and then
clicking Group Policy.

Creating MLGPOs
MLGPOs are created by adding the Group Policy Object Editor snap-in to the MMC and then performing the following procedure:
1. Click Browse in the Select Group Policy Object dialog box.
2. Click the Users tab.
3. Select the object (Administrators, Non-Administrators, or a specific local user) for which you want to create a special GPO. You must add a separate instance of the snap-in for each local GPO that you want to create.
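The following PowerShell script is an added example for the processing order and Last Writer Wins conflict resolution described above; it is not part of the course or of Windows. Each MLGPO layer is stored on disk as a registry.pol file (Local Computer Policy under %SystemRoot%\System32\GroupPolicy, the Administrators and Non-Administrators layers under %SystemRoot%\System32\GroupPolicyUsers\S-1-5-32-544 and S-1-5-32-545, per-user layers under the user's SID), so the script parses those files in processing order and reports which layer last wrote a given value. The default value it looks up, DisableRegistryTools, is the one the Prevent access to registry editing tools setting writes, which is the setting Lab A below configures in two layers. The registry.pol layout follows Microsoft's documented PReg format; the function names and the way the user's layer is chosen (membership of S-1-5-32-544 in the current token) are this example's own.

```powershell
# Added example (not from the course). Run from an elevated PowerShell prompt.
# Lists the MLGPO layers present on this computer and applies the Last Writer Wins order to
# one policy registry value, so you can see which layer decided it.

function Read-RegistryPol {
    # Parses a registry.pol file (PReg format): 'PReg', version, then records laid out as
    # [key NUL ; value NUL ; type(4 bytes) ; size(4 bytes) ; data] with UTF-16 delimiters.
    param([Parameter(Mandatory=$true)][string]$Path)
    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 8 -or [System.Text.Encoding]::ASCII.GetString($b, 0, 4) -ne 'PReg') {
        throw "Not a registry.pol file: $Path"
    }
    $u = [System.Text.Encoding]::Unicode
    $pos = 8
    while ($pos -lt $b.Length) {
        $pos += 2                                                        # '['
        $end = $pos; while ($b[$end] -ne 0 -or $b[$end + 1] -ne 0) { $end += 2 }
        $key = $u.GetString($b, $pos, $end - $pos); $pos = $end + 4      # NUL + ';'
        $end = $pos; while ($b[$end] -ne 0 -or $b[$end + 1] -ne 0) { $end += 2 }
        $name = $u.GetString($b, $pos, $end - $pos); $pos = $end + 4
        $type = [BitConverter]::ToUInt32($b, $pos); $pos += 6            # DWORD + ';'
        $size = [BitConverter]::ToUInt32($b, $pos); $pos += 6
        $data = if ($size -gt 0) { [byte[]]($b[$pos..($pos + $size - 1)]) } else { [byte[]]@() }
        $pos += $size + 2                                                # data + ']'
        $value = switch ($type) {
            4       { if ($size -ge 4) { [BitConverter]::ToUInt32($data, 0) } }   # REG_DWORD
            1       { $u.GetString($data).TrimEnd([char]0) }                        # REG_SZ
            default { ($data | ForEach-Object { $_.ToString('x2') }) -join '' }
        }
        [pscustomobject]@{ Key = $key; Name = $name; Type = $type; Data = $value }
    }
}

function Resolve-LocalPolicyValue {
    param(
        [string]$Key  = 'Software\Microsoft\Windows\CurrentVersion\Policies\System',
        [string]$Name = 'DisableRegistryTools',
        [string]$UserSid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value,
        [bool]$IsAdministrator = ([System.Security.Principal.WindowsIdentity]::GetCurrent().Groups |
                                  Where-Object { $_.Value -eq 'S-1-5-32-544' }).Count -gt 0
    )
    $sys = "$env:SystemRoot\System32"
    $groupSid = if ($IsAdministrator) { 'S-1-5-32-544' } else { 'S-1-5-32-545' }
    # Processing order: Local Computer Policy, then Administrators OR Non-Administrators, then per-user.
    $layers = @(
        @{ Layer = 'Local Computer Policy';     Pol = "$sys\GroupPolicy\User\registry.pol" },
        @{ Layer = "Group layer ($groupSid)";   Pol = "$sys\GroupPolicyUsers\$groupSid\User\registry.pol" },
        @{ Layer = "Per-user layer ($UserSid)"; Pol = "$sys\GroupPolicyUsers\$UserSid\User\registry.pol" }
    )
    $state = 'Not configured'; $writer = 'none'
    foreach ($l in $layers) {
        if (-not (Test-Path -LiteralPath $l.Pol)) { Write-Verbose "$($l.Layer): no user registry.pol"; continue }
        foreach ($e in (Read-RegistryPol -Path $l.Pol)) {
            if ($e.Key -ne $Key) { continue }
            # A later layer that sets or deletes the value overwrites what an earlier layer wrote.
            if ($e.Name -eq $Name) { $state = "Set to $($e.Data)"; $writer = $l.Layer }
            elseif ($e.Name -eq "**del.$Name") { $state = 'Deleted (policy Disabled)'; $writer = $l.Layer }
        }
    }
    [pscustomobject]@{ Key = $Key; Name = $Name; EffectiveState = $state; LastWriter = $writer }
}

# Usage: Resolve-LocalPolicyValue -Verbose
# After Lab A, an administrator sees "Deleted (policy Disabled)" written by the S-1-5-32-544
# layer, while a standard user sees "Set to 1" from Local Computer Policy.
```

On a domain member the answer this script gives is only the local part of the story: domain GPOs are processed after every local layer, so a conflicting domain setting still wins, and the Turn off Local Group Policy objects processing setting removes the local layers from consideration altogether.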

Microsoft Security Compliance Manager


Within Microsoft is a group called the Solution Accelerators team, which works on presenting free tools to help organizations make the most of the enterprise software that they use. As each version of an underlying technology such as the Windows operating system or Internet Explorer is updated, the Solution Accelerator tool also is updated, sometimes with improved functionality.

First released in 2010, the Security Compliance Manager tool allows an enterprise administrator to quickly configure and manage computers by using Group Policy and Microsoft System Center 2012 R2 Configuration Manager. Security Compliance Manager has evolved over several years and continues to benefit from industry experts' feedback and from extensive field use. This free tool comes complete with ready-to-deploy policies and desired configuration management configuration packs, which can be used with Configuration Manager. Administrators can modify any of the supplied policies to generate a custom policy that is available for export. You then can incorporate the custom policy into your preferred deployment tool such as Configuration Manager or the Microsoft Deployment Toolkit.
Administrators can use Security Compliance Manager to plan, deploy, operate, and manage security baselines quickly, which are essential for securing Windows client operating systems, Microsoft Office, and other Microsoft applications. Throughout the lifespan of the tool, by default, Security Compliance Manager automatically checks for new updates to the available baselines each time you start the tool.
Note: Microsoft retired Security Compliance Manager in 2017 and now publishes its security baselines through the Security Compliance Toolkit, which uses the same GPO backup and comparison workflow, so the baseline approach described here still applies.
Some of the key features of Security Compliance Manager are:

Baselines that are based on Microsoft security guide recommendations and industry best practices.
You can compare your configuration against industry best practices for the latest Windows client and
Microsoft applications.

Centralized security baseline management features to manage the security and compliance process
efficiently.

Gold master support that allows the import of your existing Group Policy to reuse and deploy.

Stand-alone machine configuration that allows you to deploy your configurations to computers that
are not domain-joined.

Updated security guides provide security expertise and best practices.


Microsoft Security Compliance Manager
http://go.microsoft.com/fwlink/?LinkId=378250&clcid=0x409
Solution Accelerators
http://go.microsoft.com/fwlink/?LinkId=378251&clcid=0x409

Question: Discuss scenarios where you would use Security Compliance Manager in an
organization.
Question: Your organization creates operations manuals for customers and uses several
versions of Microsoft Word to produce the manuals, depending on client requirements.
What tool would you recommend for creating and maintaining baseline security
configurations for your organization if there is a requirement to ensure that all Microsoft
Office applications are configured with the latest security baseline?


Lab A: Implementing Local GPOs

Scenario

Holly Dickson is the IT manager at A. Datum Corporation. She has expressed a concern that some of the users on laptop computers are able to use registry editing tools, which could affect the operational security of the A. Datum network. She wants you to investigate how best to configure security and other settings on these computers.

Objectives
After completing this lab, you will be able to:

Restrict the use of registry editing tools.

Lab Setup
Estimated Time: 20 minutes
Virtual machines: 20687D-LON-DC1, 20687D-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in by using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Adatum
5. Repeat steps 2 through 4 for 20687D-LON-CL1.

Exercise 1: Restricting the Use of Registry Editing Tools

Scenario

Although you typically configure most security and other settings by using domain-based GPOs, you decide that for the roaming laptop computers, implementing local GPOs would achieve Holly's goal of securing them. You decide to implement multiple local GPOs to ensure that administrator and standard user accounts can have different settings.
The main tasks for this exercise are as follows:
1. Edit the local GPO to restrict use of registry editing tools.
2. Edit the local GPO to allow administrators to use registry editing tools.

Task 1: Edit the local GPO to restrict use of registry editing tools
1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. Open the Local Group Policy Editor.
3. In User Configuration\Administrative Templates\System, configure the Prevent access to registry editing tools setting as Enabled.
4. Restart LON-CL1.
5. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
6. Attempt to run Regedit.exe, and then review the error message. The user settings in the Local Computer Policy apply to every user of the computer, including administrators, which is why the administrator account is blocked too.

Task 2: Edit the local GPO to allow administrators to use registry editing tools
1. Open the Microsoft Management Console, add the Group Policy Object Editor snap-in, and then select the Administrators GPO. In the Browse for a Group Policy Object dialog box, click the Users tab, click Administrators, and then click OK.
2. In the Microsoft Management Console, expand Local Computer\Administrators Policy and in User Configuration\Administrative Templates\System, configure the Prevent access to registry editing tools setting as Disabled.
3. Run Regedit.exe, and then verify that it starts successfully. The Administrators local GPO is processed after the Local Computer Policy, so its Disabled setting wins for members of the Administrators group, while standard users remain blocked.
4. Close the Registry Editor.

Results: After completing this exercise, you should have created and configured multiple local Group
Policy Objects (MLGPOs).
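To check the outcome of the two tasks without launching Regedit, the following PowerShell script (an added example, not part of the course lab) reads the DisableRegistryTools value that the Prevent access to registry editing tools setting writes under the per-user Policies\System key and confirms that the Administrators local GPO created in Task 2 exists on disk under its SID folder. It assumes it is run on LON-CL1 as the account whose effective setting you want to see.

```powershell
# Added example, not part of the course lab: reports how the "Prevent access to
# registry editing tools" setting has landed for the current user after Tasks 1
# and 2. Group Policy writes this setting to the DisableRegistryTools value under
# the per-user Policies\System key; the Administrators local GPO from Task 2 is
# stored under GroupPolicyUsers\S-1-5-32-544 (the built-in Administrators SID).
# Assumption: run on LON-CL1 as the account whose result you want to see.

function Get-RegistryToolsRestriction {
    # Effective DisableRegistryTools value for the current user:
    # missing or 0 = Regedit allowed, 1 = blocked, 2 = blocked except silent mode.
    $key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $item = Get-ItemProperty -Path $key -Name DisableRegistryTools -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.DisableRegistryTools
}

function Test-AdministratorsMlgpoExists {
    # A per-group local GPO is stored on disk under the group's SID.
    $path = Join-Path $env:SystemRoot 'System32\GroupPolicyUsers\S-1-5-32-544'
    return (Test-Path -LiteralPath $path)
}

function Get-RegistryToolsReport {
    # Under UAC this reflects the token the script runs with (elevated or not).
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $identity
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    $value     = Get-RegistryToolsRestriction

    # Intended end state of the exercise: administrators see 0 (the Administrators
    # MLGPO overrides the Local Computer policy), standard users still see 1.
    $expected = if ($isAdmin) { 0 } else { 1 }

    [pscustomobject]@{
        User                 = "$env:USERDOMAIN\$env:USERNAME"
        IsAdministrator      = $isAdmin
        DisableRegistryTools = $value
        RegeditBlocked       = ($value -ne 0)
        AdministratorsMlgpo  = (Test-AdministratorsMlgpoExists)
        MatchesLabIntent     = ($value -eq $expected)
    }
}

Get-RegistryToolsReport | Format-List
```

Run it once as Adatum\Administrator and once as a standard user to see the two local GPOs produce different effective values for the same setting.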

Prepare for the next lab

When you are finished with the lab, leave the virtual machines running, as they are needed for the
next lab.

Lesson 3

Securing Data with EFS and BitLocker

Devices, laptops, and hard drives can be stolen, which poses a risk for confidential data. You can secure
data against these risks by using a two-phase defensive strategy that incorporates both EFS and BitLocker.

This lesson provides a brief overview of EFS and BitLocker. However, IT professionals who are interested in
implementing EFS must research it thoroughly before making a decision to use it. To implement a secure
and recoverable EFS policy, you must have a more comprehensive understanding of EFS. If you implement
EFS without implementing proper recovery operations or without understanding how the feature works,
you can expose your data unnecessarily.
BitLocker is another defensive strategy that complements EFS. BitLocker protects against data theft or
exposure on computers that are lost or stolen, and it offers more secure data deletion when computers
are decommissioned. Data on a lost or stolen computer is vulnerable to unauthorized access, either
by running a software attack tool against it or by transferring the computer's hard disk to a different
computer. BitLocker helps mitigate unauthorized data access on lost or stolen computers by combining
two major data-protection procedures: encrypting the entire Windows operating system volume on a
hard disk, and encrypting multiple fixed volumes.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe EFS.
• Describe how to encrypt and decrypt files and folders with EFS.
• Describe BitLocker.
• Describe BitLocker To Go.
• Describe BitLocker requirements.
• Describe BitLocker modes.
• Describe Group Policy settings for BitLocker.
• Describe how to configure BitLocker.
• Describe how to configure BitLocker To Go.
• Describe how to recover BitLocker-encrypted drives.

What Is EFS?
EFS is a built-in file encryption tool for Windows-based file systems. A component of the NTFS file
system, EFS enables transparent encryption and decryption of files by using advanced, standard
cryptographic algorithms. Any individual or program that does not possess an appropriate cryptographic
key cannot read encrypted data. You can protect encrypted files even from those who gain physical
possession of a computer on which files are stored; even people who are authorized to access a computer
and its file system cannot view the data.

Encryption is a powerful addition to any defensive plan, but you also must use other defensive strategies
because encryption is not the correct countermeasure for every threat. Also, every defensive weapon, if
you use it incorrectly, carries a potential for harm.
The basic EFS features are as follows:

• EFS encryption does not occur at the application level. It occurs at the file-system level. Therefore, the
  encryption and decryption process is transparent to the user and the application. If you mark a folder
  for encryption, EFS will encrypt every file created in or moved to the folder. Applications do not have
  to understand EFS or manage EFS-encrypted files any differently than unencrypted files.

• If a user attempts to open a file and possesses the necessary key, the file opens without additional
  effort on the user's part. If a user does not possess the key, he or she receives an access-denied
  message.

• File encryption uses a symmetric key that it encrypts with a user's public key, which is stored in
  the file header. Additionally, it stores a certificate with the user's public and private keys (known as
  asymmetric keys) in the user's profile. This key pair is bound to a user identity and made available to
  the user who has possession of the user ID and password. The user's private key must be available for
  decryption of the file.

• If a private key incurs damage or is lost, even the user who encrypted the file cannot decrypt it. If a
  recovery agent exists, the file might be recoverable. If you implement key archival, then you can
  recover the key and decrypt the file. Otherwise, the file might be lost. This encryption system is
  referred to as Public Key Infrastructure.

• You can archive a user's certificate that contains his or her public and private keys, such as exporting
  it to a USB flash drive. You then can keep the USB flash drive in a safe place for recovery if the keys
  incur damage or are lost.

• A user's password protects the public and private keys. Any user who can obtain the user ID and
  password can sign in as that user and then decrypt that user's files. Therefore, a strong password
  policy and strong user education must be components of an organization's security practices to
  protect EFS-encrypted files.

• EFS-encrypted files do not remain encrypted during transport if you save them to, or open them
  from, a folder on a remote server. The file is decrypted and then traverses the network in plain text.
  EFS then encrypts it locally if you save it to a folder on the local drive that is marked for encryption.
  EFS-encrypted files can remain encrypted while traversing a network if you save them to a Web folder
  by using the World Wide Web Distributed Authoring and Versioning protocol.

• EFS is supported only on the NTFS file system. If a user has permission to decrypt a file and moves
  or copies an encrypted file to a non-NTFS file system, such as a USB flash drive that is formatted with
  the FAT or FAT32 file system, the file is decrypted and is no longer encrypted. If a user does not
  have permission to decrypt a file and attempts to move or copy an encrypted file to a non-NTFS file
  system, such as a USB flash drive that is formatted with the FAT or FAT32 file system, the operation
  will result in a permission-denied error.

• EFS supports industry-standard encryption algorithms, including Advanced Encryption Standard
  (AES). AES uses a 256-bit symmetric encryption key and is the default EFS algorithm.

The following are additional important facts about implementing EFS on Windows 8.1:

• Support for storing private keys on smart cards. Windows 8.1 includes full support for storing users'
  private keys on smart cards. If a user signs in to Windows 8.1 with a smart card, EFS also can use the
  smart card for file encryption. Administrators can store their domain's recovery keys on a smart card.
  Recovering files is then as simple as signing in to the affected machine, either locally or by using
  Remote Desktop, and using the recovery smart card to access the files.

• Encrypting File System Rekeying Wizard. The Encrypting File System Rekeying Wizard allows users to
  choose an EFS certificate, then select and migrate the existing files that will use the newly chosen EFS
  certificate. Administrators can use the wizard to migrate users in existing installations from software
  certificates to smart cards. The wizard also is helpful in recovery situations because it is more efficient
  than decrypting and re-encrypting files.

• Group Policy settings for EFS. You can use Group Policy to control and configure EFS protection
  policies centrally for an entire enterprise. For example, Windows 8.1 allows page file encryption
  through the local security policy or Group Policy.

• Per-user encryption of Offline Files. You can use EFS to encrypt offline copies of files from remote
  servers. When this option is enabled, each file in the offline cache is encrypted with a public key from
  the user who cached the file. Thus, only that user has access to the file, and even local administrators
  cannot read the file without access to the user's private keys.

• Selective Wipe. A new feature of Windows 8.1 in a corporate environment is Selective Wipe. If a
  device is lost or stolen, an administrator can revoke the EFS key that was used to protect the files
  on the device. Revoking a key prevents all access to data files that are stored on a user's device.

Note: When users encrypt files in remote shared folders, their keys are stored on the file
server.

Obtaining Key Pairs


Users need asymmetric key pairs to encrypt data, and they can obtain these keys:

• From a CA. An internal or third-party CA can issue EFS certificates. This method provides central
  management and backups of keys.

• By self-generating them. If a CA is unavailable, users can generate a key pair. These keys have a
  lifespan of 100 years. This method is more cumbersome than using a CA because there is no
  centralized management, and users become responsible for managing their own keys. Additionally,
  it is more difficult to manage for recovery. However, it is still a popular method because no setup is
  required.

Managing EFS Certificates

EFS uses public key cryptography to allow file encryption. The keys are obtained from a user's EFS
certificate. Because EFS certificates also might contain private key information, you must manage them
correctly.
Users can make encrypted files accessible to other users' EFS certificates. If you grant access to another
user's EFS certificate, that user can in turn make the file available to other users' EFS certificates.
Note: You can issue EFS certificates only to individual users, not to groups.

Backing Up Certificates

CAs can archive and recover CA-issued EFS certificates. Users must back up their self-generated EFS
certificates and private keys manually. To do this, they can export the certificate and private key to a
Personal Information Exchange (.pfx) file, which is password-protected during the export process. The
password then is required to import the certificate into a user's certificate store.

If you need to distribute only your public key, you can export the client EFS certificate without the private
key to Canonical Encoding Rules (.cer) files. A user's private key is stored in the user's profile in the RSA
folder, which you can access by expanding AppData, expanding Roaming, expanding Microsoft, and then
expanding Crypto. Because there is only one instance of the key, it is vulnerable to hard-disk failure or
data corruption.

The Certificates MMC snap-in exports certificates and private keys. The Personal Certificates store contains
the EFS certificates.

Sharing Encrypted Files

EFS users can share encrypted files with other users on file shares and in Web folders. With this support,
you can grant individual users permission to access an encrypted file. The ability to add users is restricted
to individual files. After you encrypt a file, you can enable file sharing through the user interface. You first
must encrypt a file and then save it before adding more users. You can add users from a local computer
or from AD DS if the user has a valid certificate for EFS.
Users who elect to share encrypted files must be aware of the following points:

• Shared EFS files are not file shares. If authorized users need to access shared EFS files over a network,
  a file share or Web folder is required. Alternatively, users can establish remote sessions with
  computers that store encrypted files by using Remote Desktop Services.

• Any user who is authorized to decrypt a file can authorize other users to access the file. Granting
  access is not limited to the file owner. Caution users to share files only with trusted accounts because
  those accounts can authorize other accounts. Removing the Write permission from a user or group of
  users can prevent this problem, but it also prevents the user or group from modifying the file.

• EFS sharing requires that the users who will have authorization to access the encrypted file have
  EFS certificates. These certificates can be located in roaming profiles or in the user profiles on the
  computer on which the file to be shared is stored, or they can be stored in and retrieved from AD DS.

• EFS sharing of an encrypted file often means that users will access the file across a network. It is best
  to use Web folders for encrypted file storage whenever possible.

• If a user chooses to remotely access an encrypted file that is stored on a file share and authorizes
  other users to access the file, the authorization process and requirements are the same as on the
  local computer. Additionally, EFS must impersonate the user to perform this operation, and all the
  requirements for remote EFS operations on files stored on file shares apply.

• If a user chooses to remotely access an encrypted file that is stored on a Web folder and authorizes
  other users to access the file, the file automatically is transmitted to the local computer in ciphertext.
  The authorization process takes place on the local computer with the same requirements as for
  encrypted files that are stored locally.
Question: Why is it not possible to encrypt system files with EFS?

Demonstration: Encrypting Files and Folders with EFS


This demonstration shows how to encrypt and decrypt files and folders by using EFS.

Demonstration Steps

Create a new Microsoft Word document

1. Sign in to LON-CL1 as administrator.

2. Open File Explorer, and then create a new folder called Encrypted on drive C.

3. Create a Word document in this folder named Private.docx.

Encrypt the folder

• Encrypt the new folder and its contents.

Confirm that the file and folder have been encrypted

1. Sign in as Holly.

2. Open File Explorer, and then navigate to C:\Encrypted\Private.docx.

3. Attempt to open the file to confirm that the file and folder have been encrypted.

Decrypt the folder

1. Sign in as administrator.

2. Open File Explorer, and then navigate to C:\Encrypted\Private.docx.

3. Decrypt the file and folder.

Confirm that the file and folder have been decrypted

1. Sign in as Holly.

2. Open File Explorer, and then navigate to C:\Encrypted\Private.docx.

3. Attempt to open the file to confirm that it has been decrypted.
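The same encrypt, verify and decrypt sequence can be scripted with cipher.exe, which also lets you list the certificates that can open the file and back up the EFS certificate as described under Backing Up Certificates above. The script is an added example, not part of the course demonstration; it assumes it is run as the encrypting user on an NTFS volume, uses the demonstration's folder and file names with a constructed placeholder file instead of a real Word document, and the backup file name is an assumption.

```powershell
# Added example, not part of the course demonstration: encrypt, verify, back up
# and decrypt with cipher.exe, checking the Encrypted attribute that NTFS sets on
# EFS-protected files and folders. Assumptions: run as the encrypting user on an
# NTFS volume; Private.docx holds constructed placeholder text, not a real Word
# document; the certificate backup name is an assumption.

$folder = 'C:\Encrypted'
$file   = Join-Path $folder 'Private.docx'
$backup = Join-Path $env:USERPROFILE 'efs-cert-backup'   # cipher appends .pfx

function Test-EfsEncrypted([string]$Path) {
    # EFS state is exposed through the Encrypted file attribute.
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    return [bool]($attrs -band [IO.FileAttributes]::Encrypted)
}

# Steps 2 and 3: create the folder and a file inside it.
New-Item -ItemType Directory -Path $folder -Force | Out-Null
Set-Content -LiteralPath $file -Value 'constructed placeholder content' -Encoding ASCII

# "Encrypt the folder": /E marks the folder so every file created in or moved to
# it is encrypted; /S:<dir> applies the operation to the files already in it.
cipher.exe /E "/S:$folder" | Out-Null
if (-not (Test-EfsEncrypted $folder) -or -not (Test-EfsEncrypted $file)) {
    throw 'EFS did not encrypt the folder and file'
}

# "Confirm that the file and folder have been encrypted": /C lists the
# certificates that can decrypt the file (the encrypting user plus any recovery
# agent). Another account, such as Holly, is refused with Access Denied.
cipher.exe /C $file

# Back up the certificate and private key that protect this file to a
# password-protected .pfx (cipher prompts for the password). Without this copy,
# a damaged profile key leaves the file unrecoverable unless a recovery agent exists.
cipher.exe "/X:$file" $backup

# "Decrypt the folder": /D clears the encryption on the folder and its files.
cipher.exe /D "/S:$folder" | Out-Null
if (Test-EfsEncrypted $file) { throw 'EFS did not decrypt the file' }
```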

What Is BitLocker?
BitLocker provides protection for a computer operating system and the data that is stored on the
operating system volume. It helps ensure that data stored on a computer remains encrypted even if
someone tampers with the computer when the operating system is not running. BitLocker provides a
closely integrated solution in Windows 8.1 to address the threats of data theft or exposure from lost,
stolen, or inappropriately decommissioned computers.

Data on a lost or stolen computer can become vulnerable to unauthorized access when a user either runs
a software attack tool against it or transfers the computer's hard disk to a different computer. BitLocker
helps mitigate unauthorized data access by enhancing Windows file and system protections. BitLocker
also helps render data inaccessible when you decommission or recycle BitLocker-protected computers.
BitLocker performs two functions that provide offline data protection and system-integrity verification:

• It encrypts all data that is stored on a Windows operating system volume and configured data
  volumes. This includes the Windows operating system, hibernation and paging files, applications, and
  application data. BitLocker also provides umbrella protection for non-Microsoft applications, which
  benefits the applications automatically when they are installed on an encrypted volume.

• By default, it is configured to use a TPM to help ensure the integrity of startup components, which
  an operating system uses in the early stages of the startup process. It locks any BitLocker-protected
  volumes, so they remain protected even if someone tampers with the computer when the operating
  system is not running. We will see later in this module that BitLocker can be enabled on devices
  without a TPM chip.

Note: BitLocker is available in the Windows 8.1 Pro and Windows 8.1 Enterprise editions
only.

System Integrity Verification


BitLocker uses a TPM to verify the integrity of the startup process by:

• Providing a method to check that early boot file integrity has been maintained, and to help ensure
  that there has been no adverse modification of those files, such as with boot sector viruses or root
  kits.

• Enhancing protection to mitigate offline software-based attacks. Any alternative software that might
  start the system does not have access to the decryption keys for a Windows operating system volume.

• Locking the system when it is tampered with. If any monitored files have been tampered with, the
  system does not start. This alerts a user to tampering because the system fails to start as usual. In the
  event that system lockout occurs, BitLocker offers a simple recovery process.

In conjunction with a TPM, BitLocker verifies the integrity of early startup components, which helps
prevent additional offline attacks, such as attempts to insert malicious code into those components. This
functionality is important because the components in the earliest part of the startup process must be
available unencrypted so that the computer can start.

As a result, an attacker can change the code of those early startup components and then gain access to a
computer even though the data on the disk is encrypted. Then, if the attacker gains access to confidential
information, such as the BitLocker keys or user passwords, the attacker can circumvent BitLocker and
other Windows security protections.

Comparing BitLocker and EFS


The following table compares BitLocker and EFS encryption functionality.

BitLocker functionality                                   | EFS functionality
----------------------------------------------------------|--------------------------------------------------
Encrypts volumes (the entire operating system volume,     | Encrypts files
including Windows system files and the hibernation file)  |
Does not require user certificates                        | Requires user certificates
Protects the operating system from modification           | Does not protect the operating system from
                                                          | modification

Device Encryption

Device encryption is a new feature that is built into all versions of Windows 8.1. It uses the same
encryption technology that was implemented on Windows RT devices to help protect your device's
data by blocking hackers from accessing any of the files on your drive. In previous versions of Windows
operating systems, a thief could physically remove a drive from a computer and then install it into a
different device, thereby bypassing logon security.

By default, device encryption protects the operating system drive and any fixed data drives on the system
by using AES 128-bit encryption, which uses the same technology as BitLocker. Device encryption can be
used with a Microsoft account or a domain account.
Device encryption is enabled automatically on all versions of Windows 8.1 on new devices so that the
device is always protected. Supported devices that are upgraded to Windows 8.1 with a clean installation
also will benefit from device encryption.

A user can turn off device encryption by using PC info within PCs and devices, which is in Change PC
Settings. The Device Encryption section appears at the bottom of the PC info page and can be turned off
for all devices except those running Windows 8 RT.

BitLocker To Go
When a laptop is lost or stolen, the loss of data typically has more impact than the loss of the computer
asset. As more people use removable storage devices, they can lose data without losing a computer.
BitLocker To Go provides enhanced protection against data theft and exposure by extending BitLocker
support to removable storage devices such as USB flash drives, and you can manage it through Group
Policy.
In Windows 8.1, users can encrypt their removable media by opening File Explorer, right-clicking the
drive, and clicking Turn On BitLocker. They then will be asked to choose a method to unlock the drive.
These options include:

• Password. This is a combination of letters, symbols, and numbers that a user will enter to unlock a
  drive.

• Smart card. In most cases, an organization issues a smart card, and a user enters a smart card PIN to
  unlock a drive.

After choosing an unlock method, users must print or save their recovery key. You can store this 48-digit
key in AD DS so that you can use it if other unlocking methods fail, such as when users forget their
passwords. Finally, users must confirm their unlocking selections to begin encryption. When you insert a
BitLocker-protected drive into your computer, the Windows operating system will detect that the drive is
encrypted automatically and then prompt you to unlock it.
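The wizard's choices (unlock method, recovery key, confirmation) map onto the BitLocker PowerShell module, which is useful when many removable drives have to be protected the same way. The script below is an added example, not course code; it assumes the removable drive is mounted as E:, that the unlock password is a constructed sample, and that the recovery password is saved to a file under the current profile in place of the wizard's print or save prompt.

```powershell
# Added example, not course code: what "Turn On BitLocker" does for a removable
# drive, using the BitLocker module (Windows 8.1 Pro/Enterprise). Assumptions:
# the USB drive is E:, the password is a constructed sample, and the recovery
# password is written to a file instead of being printed from the wizard.

$drive    = 'E:'
$password = ConvertTo-SecureString 'Constructed-Sample-Passw0rd!' -AsPlainText -Force
$keyFile  = Join-Path $env:USERPROFILE 'BitLocker-Recovery-Key-E.txt'

function Enable-RemovableDriveBitLocker([string]$MountPoint, [securestring]$Password) {
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeType -ne 'Data') { throw "$MountPoint is not a data volume" }
    if ($vol.ProtectionStatus -eq 'On') { return $vol }   # already protected

    # Password protector: the unlock method the user chooses in the wizard.
    # -UsedSpaceOnly keeps initial encryption short on a mostly empty drive.
    Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $Password `
        -EncryptionMethod Aes256 -UsedSpaceOnly | Out-Null

    # Recovery password: the 48-digit key used when the password is forgotten.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    return Get-BitLockerVolume -MountPoint $MountPoint
}

function Get-RecoveryPasswordProtector([string]$MountPoint) {
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    return $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
}

$vol = Enable-RemovableDriveBitLocker -MountPoint $drive -Password $password
$vol | Select-Object MountPoint, VolumeType, EncryptionMethod, VolumeStatus, ProtectionStatus

# Save the recovery key, as the wizard requires the user to print or save it.
$rp = Get-RecoveryPasswordProtector $drive
"Drive $drive  Protector ID: $($rp.KeyProtectorId)`nRecovery password: $($rp.RecoveryPassword)" |
    Out-File -LiteralPath $keyFile -Encoding ASCII

# On a domain-joined computer the same protector can also be stored in AD DS so an
# administrator can look it up if the user loses the saved copy.
if ((Get-WmiObject Win32_ComputerSystem).PartOfDomain) {
    Backup-BitLockerKeyProtector -MountPoint $drive -KeyProtectorId $rp.KeyProtectorId | Out-Null
}
```

When the drive is later inserted into another Windows 8.1 computer, Unlock-BitLocker -MountPoint E: -Password $password is the scripted equivalent of the unlock prompt.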

BitLocker Requirements
In both Windows 7 and Windows 8.1, BitLocker automatically prepares drives for use. As a result, there is
no need to create separate partitions before turning BitLocker on. This is an improvement over BitLocker
in Windows Vista, which required that users manually partition their hard drive.

Windows 8.1 automatically creates the system partition on a hard drive. This partition does not have a
drive letter, so it is not visible in File Explorer and data files will not be written to it inadvertently. In a
default installation, a computer will have a separate system partition and an operating system drive. The
system partition is smaller in Windows 7 and Windows 8.1 than in Windows Vista, requiring only 100
megabytes (MB) of space.

You can use BitLocker to encrypt operating system drives, fixed data drives, and removable data drives in
Windows 8.1. When you use BitLocker with data drives, you can format the drive with the exFAT, FAT16,
FAT32, or NTFS file system, but the drive must have at least 64 MB of available disk space. When you use
BitLocker with operating system drives, you must format the drive with the NTFS file system.

Because BitLocker stores its own encryption and decryption key in a hardware device that is separate from
the hard disk, you must have one of the following:

• A computer with TPM 1.2.

• A removable USB memory device, such as a USB flash drive.

On computers that do not have TPM 1.2, you still can use BitLocker to encrypt the Windows operating
system volume. However, this implementation requires the user to insert a USB startup key to start the
computer or resume from hibernation, and it does not provide the prestartup system-integrity verification
that BitLocker provides when working with a TPM.
Additionally, BitLocker offers the option to lock the normal startup process until a user supplies a PIN or
inserts a removable USB device, such as a flash drive, that contains a startup key. These additional security
measures provide multifactor authentication and assurance that a computer will not start or resume from
hibernation until the correct PIN or startup key is presented.

Hardware Requirements
To turn on BitLocker, a computer must:

• Have the hard drive space necessary for Windows 8.1 to create two disk partitions: one for the
  operating system volume and one for the system volume:

  o Operating system volume. This partition includes the drive on which you install Windows.
    BitLocker encrypts this drive, which no longer needs a drive letter.

  o System volume. A second partition is created as needed when you enable BitLocker in
    Windows 8.1. This partition must remain unencrypted so that you can start the computer. This
    partition must be at least 100 MB, and must be set as the active partition.

• Have a BIOS that is compatible with TPM or supports USB devices during computer startup. The BIOS
  must be:

  o Trusted Computing Group (TCG)-compliant.

  o Set to start first from the hard disk, and not the USB or CD drives.

  o Able to read from a USB flash drive during startup.

Determining if a Computer Has a TPM Version 1.2 Chip


BitLocker does not require a TPM. However, only a computer with a TPM can provide the additional
security of prestartup system-integrity verification. Perform the following procedure to determine if a
computer has a TPM version 1.2 chip:
1. Open Control Panel, click System and Security, and then click BitLocker Drive Encryption.

2. In the lower left corner, click TPM Administration. The TPM Management on Local Computer
   console opens. If the computer does not have a TPM 1.2 chip, the Compatible TPM cannot be
   found message appears.

BitLocker Modes
BitLocker can run on two types of computers:

• Those with TPM 1.2 and newer

• Those without TPM 1.2, but which have a removable USB memory device

This topic provides an in-depth examination of these two BitLocker modes.

Computers with TPM 1.2

The most secure implementation of BitLocker takes advantage of the enhanced security capabilities of
TPM 1.2. TPM is a hardware component that manufacturers install in many newer computers. It works
with BitLocker to help protect user data and to ensure that a computer that is running Windows 8.1 is
not tampered with while the system is offline.
BitLocker supports TPM 1.2, but it does not support older TPMs. Version 1.2 TPMs provide increased
standardization, security enhancement, and improved functionality compared with previous versions.
Windows 8.1 was designed with these TPM improvements in mind.

On computers that have TPM 1.2, BitLocker uses the enhanced TPM security capabilities to help ensure
that your data is accessible only if the computer's startup components appear unaltered and the
encrypted disk is located in the original computer.
If you enable BitLocker on a Windows 8.1 computer that has TPM 1.2, you can add the following
additional factors of authentication to the TPM protection:

• BitLocker offers the option to lock the normal startup process until a user supplies a PIN or inserts a
  USB device, such as a flash drive, that contains a BitLocker startup key.

• Both the PIN and the USB device can be required.

In a scenario that uses a TPM with an advanced startup option, you can add a second factor of
authentication to the standard TPM protection: a PIN or a startup key on a USB flash drive. To use a USB
flash drive with a TPM, the computer must have a BIOS that can read USB flash drives in the pre-operating
system environment (at startup). You can check your BIOS by running a hardware test near the end of the
BitLocker setup wizard.
These additional security measures provide multifactor authentication and help ensure that a computer
will not start or resume from hibernation until a user presents the correct authentication method.

How TPM Works

On computers equipped with a TPM, each time a computer starts, each of the early startup components,
such as the BIOS, the boot sector, and the boot manager code, examines the code that is about to run,
calculates a hash value, and stores the value in the TPM. Once that value is stored in the TPM, it cannot be
replaced until the user restarts the system. A combination of these values is recorded.
You can use these recorded values to protect data by using the TPM to create a key that links to these
values. When you create this type of key, the TPM encrypts it and only that specific TPM can decrypt it.
Each time the computer starts, the TPM compares the values that are generated during the current
startup with the values that existed when the key was created. It decrypts the key only if those values
match. This process is called sealing and unsealing the key.

As part of its system integrity verification process, BitLocker examines and seals keys to the measurements
of the following:

• The Core Root of Trust for Measurement
• The BIOS and any platform extensions
• Option read-only memory (ROM) code
• Master boot record code
• The NTFS boot sector
• The Boot Manager

If any of these items change unexpectedly, BitLocker locks the drive to prevent it from being accessed or
decrypted.
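The measure, seal and unseal cycle described above can be modelled in a few lines to make clear why a changed boot component locks the drive. The script is an added illustrative model, not Windows or TPM code: SHA-256 stands in for the TPM's hash, the listed components are constructed stand-ins for the real code, and the seal is a software wrapping of the key rather than the TPM's internal key storage.

```powershell
# Added illustrative model, not Windows or TPM code: each component's hash is
# folded into an accumulating register in boot order (as a TPM does), a key is
# "sealed" to the final register value, and unsealing succeeds only when a fresh
# boot reproduces that value. Assumptions: SHA-256 stands in for the TPM hash,
# the component strings are constructed stand-ins for real startup code.

function Get-Sha256([byte[]]$Bytes) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { return ,$sha.ComputeHash($Bytes) } finally { $sha.Dispose() }
}
function ConvertTo-Hex([byte[]]$Bytes) { return ([BitConverter]::ToString($Bytes)).Replace('-', '') }

function Measure-BootChain([string[]]$Components) {
    # Start from an all-zero register. Each component extends it as
    # register = H(register || H(component)); a value, once folded in, cannot be
    # removed until the next restart, and the result depends on order and content.
    $register = New-Object byte[] 32
    foreach ($c in $Components) {
        $componentHash = Get-Sha256 ([Text.Encoding]::UTF8.GetBytes($c))
        $register = Get-Sha256 ([byte[]]($register + $componentHash))
    }
    return ConvertTo-Hex $register
}

function Protect-VolumeKey([byte[]]$VolumeKey, [string]$Measurement) {
    # Sealing: wrap the key under a secret derived from the measurement, and tag
    # it so a wrong measurement is detected instead of yielding a garbage key.
    $wrap   = Get-Sha256 ([Text.Encoding]::UTF8.GetBytes("seal:$Measurement"))
    $cipher = New-Object byte[] $VolumeKey.Length
    for ($i = 0; $i -lt $VolumeKey.Length; $i++) { $cipher[$i] = $VolumeKey[$i] -bxor $wrap[$i % 32] }
    $hmac = New-Object System.Security.Cryptography.HMACSHA256 (,$wrap)
    return @{ Cipher = $cipher; Tag = (ConvertTo-Hex ($hmac.ComputeHash($cipher))) }
}

function Unprotect-VolumeKey($Sealed, [string]$Measurement) {
    # Unsealing: recompute the tag under the current measurement. A mismatch means
    # a monitored component changed, so the volume stays locked (recovery mode).
    $wrap = Get-Sha256 ([Text.Encoding]::UTF8.GetBytes("seal:$Measurement"))
    $hmac = New-Object System.Security.Cryptography.HMACSHA256 (,$wrap)
    if ((ConvertTo-Hex ($hmac.ComputeHash($Sealed.Cipher))) -ne $Sealed.Tag) { return $null }
    $key = New-Object byte[] $Sealed.Cipher.Length
    for ($i = 0; $i -lt $key.Length; $i++) { $key[$i] = $Sealed.Cipher[$i] -bxor $wrap[$i % 32] }
    return ,$key
}

# The components the lesson lists, in boot order (constructed stand-ins).
$goodBoot  = 'CRTM', 'BIOS + platform extensions', 'Option ROM', 'MBR code', 'NTFS boot sector', 'Boot Manager'
$volumeKey = New-Object byte[] 32
(New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($volumeKey)

$sealed   = Protect-VolumeKey $volumeKey (Measure-BootChain $goodBoot)
$normal   = Unprotect-VolumeKey $sealed (Measure-BootChain $goodBoot)     # key released
$tampered = $goodBoot.Clone(); $tampered[3] = 'MBR code (modified)'
$locked   = Unprotect-VolumeKey $sealed (Measure-BootChain $tampered)     # $null: drive stays locked

"Unchanged boot released the key: $((ConvertTo-Hex $normal) -eq (ConvertTo-Hex $volumeKey))"
"Modified boot released the key:  $($null -ne $locked)"
```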

Computers Without TPM 1.2

By default, BitLocker looks for and uses a TPM. You can use Group Policy to allow BitLocker to work
without a TPM and store keys on an external USB flash drive. However, BitLocker then cannot verify early
startup components.

You can enable BitLocker on a computer without TPM 1.2 as long as the BIOS has the ability to read from
a USB flash drive in the boot environment. This is because BitLocker will not unlock a protected volume
until BitLocker's own volume master key is first released by either the computer's TPM or by a USB flash
drive that contains the BitLocker startup key for that computer. However, computers without TPMs will
not be able to use the system-integrity verification that BitLocker provides.
If a startup key is located on a USB flash drive, your computer must have a BIOS that can read USB flash
drives in the pre-operating system environment (at startup). You can check your BIOS by running the
hardware test that is near the end of the BitLocker setup wizard.
To help determine whether a computer can read from a USB device during the boot process, use the
BitLocker System Check as part of the BitLocker setup process. This system check performs tests to
confirm that the computer can read from USB devices properly at the appropriate time and that the
computer meets other BitLocker requirements.
To enable BitLocker on a computer without a TPM, use Group Policy to enable the advanced BitLocker
user interface. With advanced options enabled, the non-TPM settings appear in the BitLocker setup
wizard.
Question: What is a disadvantage of running BitLocker on a computer that does not contain
TPM 1.2?

Group Policy Settings for BitLocker


BitLocker in Windows 8.1 introduces several new Group Policy settings that permit straightforward
feature management. For example, you can:

• Require all removable drives to be BitLocker-protected before users can save data to them.

• Require or disallow specific methods for unlocking BitLocker-protected drives.

• Configure methods to recover data from BitLocker-protected drives if a user's unlock credentials are
  not available.

• Require or prevent different types of recovery password storage or make them optional.

• Prevent BitLocker from enabling if the keys cannot back up to AD DS.

In addition to recovery passwords, you can use Group Policy to configure a domain-wide public key called
a data recovery agent that will permit an administrator to unlock any drive encrypted with BitLocker.
Before you can use a data recovery agent, you must add it from the Public Key Policies item in either the
GPMC or the Local Group Policy Editor.
To use a data recovery agent with BitLocker, you must enable the appropriate Group Policy setting for the
drives that you use with BitLocker. These policy settings are:

• Choose how BitLocker-protected operating system drives can be recovered

• Choose how BitLocker-protected removable data drives can be recovered

• Choose how BitLocker-protected fixed data drives can be recovered

When you enable the policy setting, select the Enable data recovery agent check box. There is a policy
setting for each type of drive, so you can configure individual recovery policies for each type of drive on
which you enable BitLocker.

You also must enable and configure the Provide the unique identifiers for your organization policy
setting to associate a unique identifier with a new drive that is protected with BitLocker. Identification
fields are required for management of data recovery agents on BitLocker-protected drives. BitLocker will
manage and update data recovery agents only when an identification field is present on a drive and is
identical to the value that is configured on the computer.
Using these policy settings helps enforce standard deployment of BitLocker in your organization. Group
Policy settings that affect BitLocker are located in Computer Configuration\Administrative Templates
\Windows Components\BitLocker Drive Encryption. Globally applied BitLocker Group Policy settings are
located in this folder. Subfolders for fixed data drives, operating system drives, and removable drives
support the configuration of policy settings specific to those drives.
Note: If you want to use BitLocker to protect an operating system drive on a computer that
does not have a TPM, you must enable the Require additional authentication at startup policy
setting, and then within that setting, click Allow BitLocker without a compatible TPM.
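As an added example (not part of the course text), the following Windows PowerShell script reports which of the policy settings discussed above are in effect on a computer and flags the two dependencies the text describes: a data recovery agent without an organizational identification field, and Allow BitLocker without a compatible TPM without Require additional authentication at startup. The registry path and value names are assumptions based on what the BitLocker administrative template writes; run it after gpupdate on the computer the policy targets.

```powershell
# Added example (not part of the course text). Assumption: the BitLocker
# administrative template stores the settings discussed above as DWORD values
# under this registry key, both for domain GPOs and for Local Group Policy
# (after gpupdate). A missing value means the setting is Not configured.
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Registry value name -> policy setting name as shown in the Group Policy editors.
$PolicyChecks = @(
    @{ Value = 'UseAdvancedStartup';  Setting = 'Require additional authentication at startup' }
    @{ Value = 'EnableBDEWithNoTPM';  Setting = '    Allow BitLocker without a compatible TPM' }
    @{ Value = 'IdentificationField'; Setting = 'Provide the unique identifiers for your organization' }
    @{ Value = 'OSManageDRA';         Setting = 'Choose how BitLocker-protected operating system drives can be recovered: Enable data recovery agent' }
    @{ Value = 'FDVManageDRA';        Setting = 'Choose how BitLocker-protected fixed data drives can be recovered: Enable data recovery agent' }
    @{ Value = 'RDVManageDRA';        Setting = 'Choose how BitLocker-protected removable data drives can be recovered: Enable data recovery agent' }
    @{ Value = 'FDVDenyWriteAccess';  Setting = 'Deny write access to fixed drives not protected by BitLocker' }
    @{ Value = 'RDVDenyWriteAccess';  Setting = 'Deny write access to removable drives not protected by BitLocker' }
    @{ Value = 'EncryptionMethod';    Setting = 'Choose drive encryption method and cipher strength' }
)

function Get-BitLockerPolicyValue {
    param([Parameter(Mandatory)][string]$Name)
    # Returns $null when the value (or the whole key) is absent, i.e. Not configured.
    $item = Get-ItemProperty -Path $PolicyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-BitLockerPolicyReport {
    # One row per setting: Not configured / Disabled / Enabled (raw value).
    foreach ($check in $PolicyChecks) {
        $raw = Get-BitLockerPolicyValue -Name $check.Value
        if ($null -eq $raw) {
            $state = 'Not configured'
        } elseif ($raw -eq 0) {
            $state = 'Disabled'
        } else {
            $state = "Enabled ($raw)"
        }
        [pscustomobject]@{ Setting = $check.Setting; RegistryValue = $check.Value; State = $state }
    }
}

function Get-BitLockerPolicyWarnings {
    # The two dependencies the course text calls out.
    $warnings = @()
    $advStartup = Get-BitLockerPolicyValue -Name 'UseAdvancedStartup'
    $noTpm      = Get-BitLockerPolicyValue -Name 'EnableBDEWithNoTPM'
    if ($noTpm -eq 1 -and $advStartup -ne 1) {
        $warnings += 'Allow BitLocker without a compatible TPM is set, but Require additional ' +
                     'authentication at startup is not Enabled; operating system drives on ' +
                     'computers without a TPM cannot be protected.'
    }
    $idField = Get-BitLockerPolicyValue -Name 'IdentificationField'
    foreach ($dra in 'OSManageDRA', 'FDVManageDRA', 'RDVManageDRA') {
        if ((Get-BitLockerPolicyValue -Name $dra) -eq 1 -and $idField -ne 1) {
            $warnings += "$dra enables a data recovery agent, but Provide the unique identifiers " +
                         'for your organization is not Enabled; BitLocker will not manage the agent on drives.'
        }
    }
    return $warnings
}

Get-BitLockerPolicyReport   | Format-Table -AutoSize -Wrap
Get-BitLockerPolicyWarnings | ForEach-Object { Write-Warning $_ }
```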

Summary of Group Policy Settings

The BitLocker Drive Encryption folder contains the following subfolders: Fixed Data Drives, Operating
System Drives, and Removable Data Drives.

The following table summarizes some of the key policy settings that affect Windows 8.1 client computers.
Each setting includes the following options: Not configured, Enabled, and Disabled. The default setting for
each setting is Not configured.
Setting name: Choose default folder for recovery password
Location: BitLocker Drive Encryption folder
Description: This specifies a default location, which is shown to the user, to which the user can save
recovery keys. This can be a local or network location. The user is free to choose other locations.

Setting name: Choose drive encryption method and cipher strength
Location: BitLocker Drive Encryption folder
Description: This allows you to configure the algorithm and cipher strength that BitLocker uses to
encrypt files. If you enable this setting, you will be able to choose an encryption algorithm and key
cipher strength. If you disable or do not configure this setting, BitLocker will use the default encryption
method of AES 128-bit with Diffuser or the encryption method that the setup script specifies.

Setting name: Provide the unique identifiers for your organization
Location: BitLocker Drive Encryption folder
Description: This allows you to associate unique organizational identifiers to a new drive that is
enabled with BitLocker. BitLocker will manage and update data recovery agents only when the
identification field on the drive matches the value that you configure in the identification field. This
also applies to removable drives that you configure by using BitLocker To Go.

Setting name: Prevent memory overwrite on restart
Location: BitLocker Drive Encryption folder
Description: This controls computer restart performance at the risk of exposing BitLocker secrets.
BitLocker secrets include key material that you use to encrypt data. If you enable this setting, memory
will not be overwritten when the computer restarts. This can improve restart performance, but it does
increase the risk of exposing BitLocker secrets. If you disable or do not configure this setting, BitLocker
removes secrets from memory when the computer restarts.

Setting name: Deny write access to fixed drives not protected by BitLocker
Location: Fixed Data Drives folder
Description: This determines whether BitLocker protection is required for fixed data drives to be
writable on a computer. If you enable this setting, all fixed data drives that are not BitLocker-protected
will be mounted as read-only. If the drive is BitLocker-protected, or if you disable or do not configure
this setting, all fixed data drives will be mounted with read/write permission.

Setting name: Allow access to BitLocker-protected data drives from earlier versions of Windows
Location: Fixed Data Drives folder
Description: This configures whether fixed data drives formatted with the FAT file system can be
unlocked and viewed on computers that are running Windows Server 2008, Windows Vista, and
Windows XP with Service Pack 3 (SP3) or Service Pack 2 (SP2) operating systems.

Setting name: Choose how BitLocker-protected fixed drives can be recovered
Location: Fixed Data Drives folder
Description: This allows you to control how BitLocker-protected fixed data drives are recovered in the
absence of the required credentials.

Setting name: Require additional authentication at startup
Location: Operating System Drives folder
Description: This allows you to configure whether you can enable BitLocker on computers without a
TPM, and whether you can use multifactor authentication on computers with a TPM.

Setting name: Choose how BitLocker-protected operating system drives can be recovered
Location: Operating System Drives folder
Description: This allows you to control how BitLocker-protected operating system drives are recovered
in the absence of the required startup key information.

Setting name: Configure TPM platform validation profile
Location: Operating System Drives folder
Description: This configures which of the TPM platform measurements stored in the Platform
Configuration Register indices are used to seal BitLocker keys.

Setting name: Control use of BitLocker on removable drives
Location: Removable Data Drives folder
Description: This controls the use of BitLocker on removable data drives.

Setting name: Configure use of smart cards on removable data drives
Location: Removable Data Drives folder
Description: This allows you to specify whether smart cards can authenticate user access to
BitLocker-protected removable drives on a computer.

Setting name: Deny write access to removable drives not protected by BitLocker
Location: Removable Data Drives folder
Description: This configures whether BitLocker protection is required for a computer to be able to
write data to a removable data drive.

Setting name: Allow access to BitLocker-protected removable drives from earlier versions of Windows
Location: Removable Data Drives folder
Description: This configures whether removable data drives formatted with the FAT file system can be
unlocked and viewed on computers that are running Windows Server 2008, Windows Vista, and
Windows XP with SP3 or SP2 operating systems.

Setting name: Configure use of passwords for removable data drives
Location: Removable Data Drives folder
Description: This specifies whether a password is required to unlock BitLocker-protected removable
data drives. If you choose to allow the use of a password, you can require a password to be used,
enforce complexity requirements, and configure a minimum length.

Setting name: Choose how BitLocker-protected removable drives can be recovered
Location: Removable Data Drives folder
Description: This allows you to control how BitLocker-protected removable data drives are recovered
in the absence of the required startup key information.

Group Policy Settings and TPM

Group Policy settings that control TPM behavior are located in Computer Configuration\Administrative
Templates\System\Trusted Platform Module Services. The following table summarizes these settings.
Setting name: Turn on TPM backup to Active Directory Domain Services
Default: Disabled
Description: This controls whether TPM owner password information is backed up in AD DS. If you
enable this setting, it also can control whether backup is required or optional.

Setting name: Configure the list of blocked TPM commands
Default: None
Description: This allows you to disable or enable specific TPM functions, but the next two settings can
restrict which commands are available. Group Policy-based lists override local lists. You can configure
local lists in the TPM Management console.

Setting name: Ignore the default list of blocked TPM commands
Default: Disabled
Description: By default, BitLocker blocks certain TPM commands. To enable these commands, you must
enable this policy setting.

Setting name: Ignore the local list of blocked TPM commands
Default: Disabled
Description: By default, a local administrator can block commands in the TPM Management console.
You can use this setting to prevent that behavior.

Microsoft BitLocker Administration and Monitoring 2.0

You have seen in this module that BitLocker and BitLocker To Go offer enhanced protection against data
theft or data exposure from computers that might have been lost or stolen. We recommend that
medium and large organizations that deploy BitLocker use the Microsoft BitLocker Administration and
Monitoring 2.0 tool to provide management capabilities for BitLocker and BitLocker To Go.
Administrators can use Microsoft BitLocker Administration and Monitoring to simplify the following
BitLocker management tasks:

Deployment and encryption key recovery

Centralized compliance monitoring and reporting

Provisioning encrypted drives

Supporting encrypted drives within an organization

Microsoft BitLocker Administration and Monitoring 2.0 enables administrators to enforce organizational
BitLocker encryption policies across an enterprise. It also enables administrators to monitor the
compliance of client computers with those policies, providing centralized reporting on the encryption
status of devices used on a network.
Note: Microsoft BitLocker Administration and Monitoring 2.0 is only available as part of the
Microsoft Desktop Optimization Pack, which offers Microsoft Software Assurance customers a
suite of premium utilities that are useful for administrators to manage desktop computers and
devices within an organization.
Microsoft BitLocker Administration and Monitoring 2.0 is not supported with Windows 8.1.
Microsoft is planning to release a newer version that is compatible with Windows 8.1.

In addition, Microsoft BitLocker Administration and Monitoring lets you access recovery key information,
which is helpful when users forget their PINs or passwords, or when their BIOS/UEFI firmware or boot
records change. By adopting an enterprise BitLocker management solution, organizations can increase the
level of effectiveness of BitLocker significantly and can reduce the administrative overhead and the total
cost of ownership.
Note: Microsoft BitLocker Administration and Monitoring 1.0 supports Windows 7, whereas
Microsoft BitLocker Administration and Monitoring 2.0 supports Windows 7 and Windows 8.
Microsoft BitLocker Administration and Monitoring 2.0 provides the following new features and
functionality:

Integration with Configuration Manager.

Hardware compatibility integration with Configuration Manager.

Flexible protectors policy, which allows more configuration options.

The Microsoft BitLocker Administration and Monitoring 2.0 client can now upgrade the Microsoft
BitLocker Administration and Monitoring 1.0 client.

Microsoft BitLocker Administration and Monitoring 2.0 can now upgrade previous versions of the
Microsoft BitLocker Administration and Monitoring Server.

Microsoft BitLocker Administration and Monitoring 2.0 supports BitLocker's enterprise scenarios on
Windows 8.

Self-Service Portal for end users to recover their recovery keys.

Automatic resumption of BitLocker protection from a suspended state after restart.

Fixed data drives can be configured to unlock automatically without a password.


Software Assurance for Volume Licensing
http://go.microsoft.com/fwlink/?LinkId=378252&clcid=0x409
Microsoft BitLocker Administration and Monitoring
http://go.microsoft.com/fwlink/?LinkId=378253&clcid=0x409
Question: How can you use Microsoft BitLocker Administration and Monitoring 2.0 to
reduce the amount of time that the help desk is required to spend recovering a BitLocker
unlock key for a remote user?

Configuring BitLocker
In Windows 8.1, you can enable BitLocker from the Control Panel or by right-clicking the volume that
you want to encrypt. This initiates the BitLocker Drive Encryption Wizard, which validates system
requirements. During the preparation phase, BitLocker creates the second partition if it does not exist.

Administration
You can manage BitLocker by using the BitLocker Drive Encryption item within Control Panel. The
Manage-Bde command-line tool also is available to add scripting functionality, including remote
management, and you can run it from the Windows PowerShell command-line interface or from a
Command Prompt window.

After you encrypt and protect a volume by using BitLocker, local and domain administrators can use the
Manage Keys page in the BitLocker control panel item to duplicate keys and reset PINs.
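The following Windows PowerShell script is an added example, not course code, of the scripted administration mentioned above: it audits every volume's BitLocker state and protectors, then stores each recovery password in AD DS. It assumes the BitLocker PowerShell module that ships with Windows 8.1, an elevated session on a domain-joined computer, and recovery policy settings that permit AD DS backup; the equivalent Manage-Bde commands are noted in comments.

```powershell
# Added example (not course code). Assumptions: the BitLocker PowerShell module
# that ships with Windows 8.1 is available, the script runs elevated on a
# domain-joined computer, and the "Choose how BitLocker-protected ... drives can
# be recovered" policy permits storing recovery information in AD DS.
# The manage-bde equivalent of each step is noted in a comment.
Import-Module BitLocker

function Get-BitLockerVolumeReport {
    # One object per volume listing what an administrator would act on.
    # manage-bde equivalent: manage-bde -status and manage-bde -protectors -get <drive>
    foreach ($vol in Get-BitLockerVolume) {
        $types  = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        $issues = @()

        if ($vol.VolumeStatus -ne 'FullyEncrypted') {
            $issues += "volume status is $($vol.VolumeStatus)"
        }
        if ($vol.VolumeStatus -ne 'FullyDecrypted' -and $vol.ProtectionStatus -ne 'On') {
            # Disabled mode: the volume master key sits behind a clear key on disk.
            $issues += 'protection is suspended (clear key stored on disk)'
        }
        if ($vol.VolumeType -eq 'OperatingSystem' -and @($types -like 'Tpm*').Count -eq 0) {
            $issues += 'operating system drive has no TPM-based protector'
        }
        if ($types -notcontains 'RecoveryPassword') {
            $issues += 'no recovery password protector (nothing to back up to AD DS)'
        }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            EncryptionMethod = $vol.EncryptionMethod
            Protectors       = ($types -join ', ')
            Issues           = ($issues -join '; ')
        }
    }
}

function Backup-BitLockerRecoveryPasswordsToAD {
    [CmdletBinding()]
    param()
    # Stores every recovery password protector in AD DS, so the help desk can
    # look it up by password ID as described later in this lesson.
    # manage-bde equivalent: manage-bde -protectors -adbackup <drive> -id <protector ID>
    foreach ($vol in Get-BitLockerVolume) {
        foreach ($kp in $vol.KeyProtector) {
            if ($kp.KeyProtectorType -ne 'RecoveryPassword') { continue }
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId
            Write-Verbose "Backed up protector $($kp.KeyProtectorId) for $($vol.MountPoint)"
        }
    }
}

Get-BitLockerVolumeReport | Format-Table -AutoSize -Wrap
Backup-BitLockerRecoveryPasswordsToAD -Verbose
```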

Turning on BitLocker with TPM Management


The BitLocker control panel item displays BitLocker's status and provides the functionality to enable or
disable BitLocker. If BitLocker is actively encrypting or decrypting data due to a recent installation or
uninstall request, the progress status appears. IT professionals also can use the BitLocker control panel
item to access the TPM Management snap-in to the MMC.
Perform the following procedure to turn on BitLocker:

1. In Control Panel, click System and Security, and then click BitLocker Drive Encryption.

2. If the User Account Control dialog box appears, confirm that the action it displays is what you want,
and then click Continue.

3. On the BitLocker Drive Encryption page, click Turn On BitLocker on the operating system volume.
A message appears, warning that BitLocker encryption might have a performance impact on your
computer.
If your TPM is not initialized, the Initialize TPM Security Hardware Wizard appears. Follow the
directions to initialize the TPM, and then restart or shut down your computer.

4. The Save the recovery password page shows the following options:
o Save the password on a USB drive. Saves the password to a USB flash drive.
o Save the password in a folder. Saves the password to a folder on a network drive or other
location.
o Print the password. Prints the password.
Use one or more of these options to preserve the recovery password. For each, select the option and
then follow the wizard steps to set the location for saving or printing the recovery password.
When you finish saving the recovery password, click Next.

5. On the Encrypt the selected disk volume page, confirm that the Run BitLocker System Check
check box is selected, and then click Continue.
Confirm that you want to restart the computer by clicking Restart Now. The computer restarts and
then BitLocker verifies whether the computer is BitLocker-compatible and ready for encryption. If it is
not, an error message will alert you to the problem.

6. If the computer is ready for encryption, the Encryption in Progress status bar displays. You can
monitor the ongoing completion status of the disk-volume encryption by moving your pointer over
the BitLocker Drive Encryption icon, which is in the notification area at the bottom of your screen.

By completing this procedure, you will have encrypted the operating system volume and created a
recovery password unique to this volume. The next time that you sign in, you will see no change. If the
TPM ever changes or BitLocker cannot access it, or if there are changes to key system files or someone
tries to start the computer from a product CD or DVD to circumvent the operating system, the computer
will switch to recovery mode until the user supplies the correct recovery password.

Turning on BitLocker Without TPM Management

Use the following procedure to change your computer's Group Policy settings so that you can turn on
BitLocker without a TPM. Instead of a TPM, you will use a startup key to authenticate yourself. The startup
key is on a USB flash drive that you insert into the computer before you turn it on.
For this scenario, you must have a BIOS that will read USB flash drives in the pre-operating system
environment (at startup). You can check your BIOS by running the system check that is in the final step of
the BitLocker wizard.
Before you start:

You must sign in as an administrator.

BitLocker must be installed on this computer.

You must have a USB flash drive to save the recovery password.

You should try to use a second USB flash drive to store the startup key separate from the recovery
password.

Perform the following steps to turn on BitLocker on a computer without a compatible TPM:
1. Run Gpedit.msc.

2. If the User Account Control dialog box appears, confirm that the action it displays is the action that
you want to occur, and then click Continue.

3. In the Local Group Policy Editor console tree, click Computer Configuration, click Administrative
Templates, click Windows Components, click BitLocker Drive Encryption, and then click
Operating System Drives.

4. Double-click the Require additional authentication at startup setting.

5. Select the Enabled option, select the Allow BitLocker without a compatible TPM check box, and
then click OK. You have changed the policy setting so that you can use a startup key instead of a
TPM.

6. Close the Local Group Policy Editor.

7. To force Group Policy to apply immediately, from a command prompt, type gpupdate.exe /force,
and then press Enter.

8. From Control Panel, click System and Security, and then click BitLocker Drive Encryption.

9. If the User Account Control dialog box appears, confirm that the action it displays is what you want,
and then click Continue.

10. On the BitLocker Drive Encryption page, click Turn On BitLocker. This option appears only for the
operating system volume.

11. On the Set BitLocker Startup Preferences page, select the Require Startup USB Key at every
startup option. This is the only option available for non-TPM configurations. You must insert this key
before you start the computer, each time you start it.
12. Insert your USB flash drive in the computer if you have not done so already.
13. On the Save your Startup Key page, choose the location of your USB flash drive, and then click
Save.
14. The following options are available on the Save the recovery password page:
o Save the password on a USB drive. Saves the password to a USB flash drive.
o Save the password in a folder. Saves the password to a folder on a network drive or other
location.
o Print the password. Prints the password.

Use one or more of these options to preserve the recovery password. For each, select the option and
then follow the wizard steps to set the location for saving or printing the recovery password. Do not
store the recovery password and the startup key on the same media. When you have finished saving
the recovery password, click Next.
15. On the Encrypt the selected disk volume page, confirm that the Run BitLocker System Check
check box is selected, and then click Continue.

Confirm that you want to restart the computer by clicking Restart Now. The computer restarts, and
BitLocker verifies whether the computer is BitLocker-compatible and ready for encryption. If it is not,
an error message will alert you to the problem before encryption starts.
16. If the computer is ready for encryption, the Encryption in Progress status bar displays. You can
monitor the ongoing completion status of the disk-volume encryption by moving your pointer over
the BitLocker Drive Encryption icon, which is in the notification area at the bottom of your screen.
You also can click the Encryption icon to view the status.

By completing this procedure, you have encrypted the operating system volume and created a recovery
password that is unique to that volume. The next time that you turn your computer on, you must plug
the USB flash drive with the startup key into one of the computer's USB ports. If you do not, you will not
be able to access data on your encrypted volume.
If you do not have the USB flash drive that contains your startup key, then you will need to use recovery
mode and supply the recovery password to access data.

Upgrading a BitLocker-Enabled Computer


The following steps are necessary to upgrade a BitLocker-enabled computer.

1. Temporarily turn off BitLocker by placing it into disabled mode.

2. Upgrade the system or the BIOS.

3. Turn BitLocker on.

Forcing BitLocker into disabled mode keeps the volume encrypted, but the volume master key is
encrypted with a symmetric key that it stores unencrypted on the hard disk. The availability of this
unencrypted key disables the data protection that BitLocker offers, but it ensures that subsequent
computer startups succeed without further user input. When you re-enable BitLocker, the unencrypted
key is removed from the disk and BitLocker protection is turned on. Additionally, BitLocker identifies the
volume master key and encrypts it again.

Moving a BitLocker-Enabled Computer

Moving an encrypted volume, which is a physical disk, to another BitLocker-enabled computer requires
that you turn off BitLocker temporarily. No additional steps are required because the key that is
protecting the volume master key is stored unencrypted on the disk.
Note: Exposing the volume master key even for a brief period is a security risk. An attacker
can access the volume master key and full volume encryption key when these keys are exposed
by the clear key.

Computer Decommissioning and Recycling


Many personal computers are reused by people other than the computer's initial owner or user. In
enterprise scenarios, you might redeploy computers to other departments or remove them from an
organization as part of a standard computer hardware-refresh cycle.

On unencrypted drives, data might remain readable even after the drive has been formatted. Enterprises
often use multiple overwrites or physical destruction to reduce the risk of exposing data on
decommissioned drives.

You can use BitLocker to create a simple, cost-effective decommissioning process. Leaving data
encrypted by BitLocker and then removing the keys results in an enterprise permanently reducing the risk
of exposing this data. It becomes nearly impossible to access BitLocker-encrypted data after removing all
BitLocker keys, because this requires solving 128-bit or 256-bit AES encryption.
Note: Perform the procedures that this section describes only if you do not want or need
the data in the future. You cannot recover the data in the encrypted volume if you perform the
procedures that this section details.

You can remove a volume's BitLocker keys by formatting that volume from Windows 8.1. The format
command has been updated to support this operation. To format the operating system volume, you can
open a command prompt by using the recovery environment that the Windows 8.1 installation DVD
includes.
Alternatively, an administrator can create a script that effectively removes all BitLocker key protectors.
Running such a script will leave all BitLocker-encrypted data unrecoverable when you restart the
computer. As a safety measure, BitLocker requires that an encrypted volume have at least one key
protector. Given this requirement, you can decommission the drive by creating a new external key
protector, not saving the created external key information, and then removing all other key protectors
on the volume.

After you remove the BitLocker keys from the volume, you need to perform follow-up tasks to complete
the decommissioning process. For example, reset the TPM to its factory defaults by clearing the TPM, and
discard saved recovery information for the volume, such as printouts, files stored on USB devices, and
information stored in AD DS.
Question: When turning on BitLocker on a computer with TPM 1.2, what is the purpose of
saving the recovery password?

Configuring BitLocker To Go
BitLocker To Go protects data on removable data drives. It allows you to configure BitLocker on USB
flash drives and external hard drives. The option is available to simply right-click on a drive in File
Explorer to enable BitLocker protection.

BitLocker To Go Scenario
Consider the following scenario. An administrator configures Group Policy to require that users can save
data only on BitLocker-protected data volumes. Specifically, the administrator enables the Deny write
access to removable drives not protected by BitLocker policy setting and deploys it to the domain.

Meanwhile, an end user inserts a USB flash drive. Because the USB flash drive is not protected with
BitLocker, Windows 8.1 displays an informational dialog box indicating that the device must be encrypted
with BitLocker. From this dialog, the user chooses to launch the BitLocker wizard to encrypt the volume or
continues working with the device as read-only.
If the user decides to implement the device as read-only and then attempts to save a document to the
flash drive, an access-denied error message appears.

Configuring BitLocker To Go

When you select the Turn On BitLocker menu option, you must specify how you want to unlock a drive in
the subsequent wizard. You can select one of the following methods:

A recovery password or passphrase. You can configure the complexity in Group Policy.

A smart card.

Always auto-unlock this device on this PC.

After you configure a device to use BitLocker, when a user saves documents to an external drive, BitLocker
encrypts them. When the user inserts the USB flash drive on a different computer, the computer detects
that the portable device is BitLocker-protected and prompts the user to specify the passphrase. The user
can specify to unlock the volume automatically on the second computer.
Note: In the above scenario, the second computer does not have to be encrypted with
BitLocker.

If a user forgets the passphrase for a device, he or she can use the I forgot my passphrase option from the
BitLocker Unlock Wizard to recover it. Clicking this option displays a recovery password ID that the user
supplies to an administrator, who then uses the password ID to obtain the device's recovery password.
This recovery password can be stored in AD DS and recovered with the BitLocker Recovery Password
Viewer.
Question: How do you enable BitLocker To Go for a USB flash drive?

Recovering BitLocker-Encrypted Drives


When a BitLocker-enabled computer starts, BitLocker checks the operating system for conditions that
might indicate a security risk. If such a condition is detected, BitLocker does not unlock the system drive,
but instead enters recovery mode. When a computer enters recovery mode, the user must enter the
correct recovery password to continue. The recovery password is tied to a particular TPM or computer,
not to individual users, and it typically does not change. Save the recovery information on a USB flash
drive or in AD DS by using one of these formats:

A 48-digit number divided into eight groups. During recovery, use the function keys to type this
password into the BitLocker recovery console.

A recovery key in a format that can be read directly by the BitLocker recovery console.

Locating a BitLocker Recovery Password


A BitLocker recovery password is a 48-digit password that unlocks a system in recovery mode. The
recovery password is unique to a particular BitLocker encryption, and you can store it in AD DS.

The recovery password will be required if the encrypted drive must be moved to another computer or
changes are made to the system startup information. This password is so important that you should make
additional copies of the password and store it in safe places to ensure access to your data.
You will need your recovery password to unlock the encrypted data on the volume if BitLocker enters a
locked state. This recovery password is unique to this particular BitLocker encryption. You cannot use it to
recover encrypted data from any other BitLocker encryption session.

A computer's password ID is a 32-character password that is unique to a computer name. You can find the
password ID under a computer's property settings, which you can use to locate passwords that are stored
in AD DS. To locate a password, the following conditions must be true:

You must be a domain administrator or have delegate permissions.

The client's BitLocker recovery information is configured to be stored in AD DS.

The client's computer has been joined to the domain.

BitLocker must have been enabled on the client's computer.

Prior to searching for and providing a recovery password to a user, confirm that the person is the account
owner and is authorized to access data on the computer in question.
Search for the password in Active Directory Users and Computers by using either one of the following:

Drive label

Password ID

When you search by drive label, after locating the computer, right-click the drive label, click Properties,
and then click the BitLocker Recovery tab to view associated passwords.
To search by password ID, right-click the domain container, and then click Find BitLocker Recovery
Password. In the Find BitLocker Recovery Password dialog box, enter the first eight characters of the
password ID in the Password ID field, and then click Search.

Examine the returned recovery password to ensure it matches the password ID that the user provides.
Performing this step helps verify that you have obtained the unique recovery password.

Data Recovery Agent Support

Windows 8.1 BitLocker provides data recovery agent support for all protected volumes. This provides
users with the ability to recover data from any BitLocker and BitLocker To Go device when the data is
inaccessible. This technology assists in the recovery of organizational data on a portable drive by using the
key that the enterprise created.
Data recovery agent support allows you to dictate that all BitLocker-protected volumes, such as operating
system, fixed, and new portable volumes, are encrypted with an appropriate data recovery agent. The
data recovery agent is a new key protector that is written to each data volume so that authorized IT
administrators will always have access to BitLocker-protected volumes.

Back Up Your Windows 8.1 BitLocker Recovery Key to a Microsoft Account

For devices that are not domain-joined, Windows 8.1 allows a user to back up their BitLocker recovery
key to a Microsoft account, which then is stored within the user's OneDrive (formerly known as SkyDrive)
account. During BitLocker configuration on a fixed or removable drive, and just before encryption begins,
you are prompted to specify how you want to back up your recovery key. You are presented with the
following locations:

Save to your Microsoft account

Save to a USB flash drive

Save to a file

Print the recovery key

To obtain your saved BitLocker recovery key, open an Internet browser, go to
https://onedrive.live.com/recoverykey, and then sign in with your Microsoft account. You will find
recovery keys for all of your BitLocker-protected drives at this location.
Question: What is the difference between the recovery password and the password ID?

Lab B: Securing Data by Using BitLocker


Scenario

A user at A. Datum is working on a project that requires him to take his laptop computer home each day.
The data files are very sensitive and must be secure at all times. The laptop computer does not have
TPM 1.2.

Objectives
After completing this lab, you will be able to:

Protect files with BitLocker.

Lab Setup
Estimated Time: 20 minutes
Virtual machines: 20687D-LON-DC1, 20687D-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. The required virtual machines should
be running already from the preceding lab.

Exercise 1: Protecting Files with BitLocker


Scenario
You have decided to implement BitLocker to protect the user's data files.
The main tasks for this exercise are as follows:

1. Configure GPO settings for BitLocker.

2. Enable BitLocker.

3. Unlock the BitLocker encrypted drive.

Task 1: Configure GPO settings for BitLocker


1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. Open the Local Group Policy Editor.
3. Enable the Require additional authentication at startup policy setting located at
   Computer Configuration\Administrative Templates\Windows Components
   \BitLocker Drive Encryption\Operating System Drives.
4. Close the Local Group Policy Editor.
5. Refresh the Group Policy settings on the local computer by running gpupdate /force.

Task 2: Enable BitLocker


1. On LON-CL1, open File Explorer, right-click Allfiles (E:), and then click Turn on BitLocker.
2. Select the Enter a password option. This is necessary because the virtual machine does not support
   USB flash drives.
3. Use password Pa$$w0rd.
4. Save the recovery key to the Local Disk (C:) drive.

Note: The drive will be encrypted as a background process; you do not need to wait for the
process to complete to continue the lab.

Note: Saving the recovery key to the C: drive is acceptable only in this lab environment. On a real
laptop, a recovery key stored on the same device unlocks the data for whoever takes the device, so store
it in AD DS, in a Microsoft account, or on removable media that is kept apart from the computer.

5. Restart LON-CL1.

Task 3: Unlock the BitLocker encrypted drive


1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. Open File Explorer, and then explore Drive E, which is encrypted.
3. Right-click the Allfiles (E:) icon, and then click Unlock Drive.
4. Enter password Pa$$w0rd to unlock the drive, and then verify access to the drive.
5. Close all open windows.

Results: After completing this exercise, you should have encrypted the Allfiles (E:) drive with BitLocker
and unlocked it with its password after a restart.
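The three tasks above can also be carried out from Windows PowerShell with the BitLocker module that ships with Windows 8.1. The script below is an added example and is not part of the course text; it assumes an elevated session on LON-CL1 where E: is the Allfiles data volume, and the recovery-key file name is chosen for this example. The two registry values it writes are the ones that matter for a computer without a TPM; they only affect the operating system drive, so the data volume E: accepts a password protector whether or not Task 1 was performed.

```powershell
# Added example, not from the 20687D course: scripted equivalent of Lab B, Tasks 1 to 3.
# Assumes an elevated PowerShell session on LON-CL1 and that E: is the Allfiles volume.
# 'Pa$$w0rd' must be single-quoted; inside double quotes PowerShell expands $$.

#Requires -RunAsAdministrator
Import-Module BitLocker

$Volume   = 'E:'
$Password = ConvertTo-SecureString -String 'Pa$$w0rd' -AsPlainText -Force

# Task 1: the "Require additional authentication at startup" policy writes its values
# under the FVE policy key. These two allow an OS drive to be protected without TPM 1.2.
$FvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $FvePolicy)) { New-Item -Path $FvePolicy -Force | Out-Null }
Set-ItemProperty -Path $FvePolicy -Name UseAdvancedStartup -Value 1 -Type DWord
Set-ItemProperty -Path $FvePolicy -Name EnableBDEWithNoTPM -Value 1 -Type DWord

# Task 2: turn on BitLocker with a password protector, then add a numerical recovery
# password as a second protector (the wizard adds one for you before asking where to save it).
Enable-BitLocker -MountPoint $Volume -PasswordProtector -Password $Password -UsedSpaceOnly
$withRecovery = Add-BitLockerKeyProtector -MountPoint $Volume -RecoveryPasswordProtector
$rp = $withRecovery.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'

# The lab saves the key to C:. Outside the lab, keep it off the device
# (AD DS, a Microsoft account, or removable media stored separately).
"Identifier: $($rp.KeyProtectorId)`nRecovery Key: $($rp.RecoveryPassword)" |
    Out-File -FilePath 'C:\BitLocker Recovery Key E.txt'

# Encryption runs in the background; wait for it here so the lock below is clean.
while ((Get-BitLockerVolume -MountPoint $Volume).VolumeStatus -ne 'FullyEncrypted') {
    Start-Sleep -Seconds 5
}
Get-BitLockerVolume -MountPoint $Volume |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus,
        @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ', ' } }

# Task 3: after a restart, a data volume with only a password protector is locked.
# Lock-BitLocker reproduces that state without rebooting; Unlock-BitLocker is what
# "Unlock Drive" in File Explorer does.
Lock-BitLocker -MountPoint $Volume -ForceDismount
Unlock-BitLocker -MountPoint $Volume -Password $Password
(Get-BitLockerVolume -MountPoint $Volume).LockStatus
```

The last line reports Unlocked. If you later enable the "Deny write access to removable drives not protected by BitLocker" policy discussed in the module review, the same cmdlets apply to removable volumes, with the mount point changed.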

Prepare for the next lab

When you are finished with the lab, leave the virtual machines running, as they are needed for the
next lab.

10-44 Securing Windows 8.1 Devices

Lesson 4

Configuring UAC

Many users sign in to their computers with a user account that has more rights than necessary to run their
applications and access their data files. Using an administrative user account for day-to-day user tasks
poses significant security risks. In older versions of the Windows operating system, administrators were
encouraged to use an ordinary user account for most tasks and to use the Run As command to execute
tasks that required additional rights. Windows 8.1 provides UAC to simplify and secure the process of
elevating your account rights. However, unless you know how UAC works and its potential impact, you
might have problems when you attempt to carry out typical end-user support tasks. This lesson introduces
how UAC works and how you can use UAC-related desktop features.

Lesson Objectives
After completing this lesson, you will be able to:

Describe UAC.

Describe how UAC works.

Explain how to configure UAC notification settings.

Configure UAC with GPOs.

What Is UAC?
UAC is a security feature that provides a way for users to elevate from the rights of a standard user
account to those of an administrator account without signing out or switching users. UAC is a
collection of features rather than just a prompt. These features, which include file and registry
redirection, installer detection, the UAC prompt, the ActiveX Installer Service, and more, allow
Windows users to operate with user accounts that are not members of the Administrators group. These
accounts typically are referred to as standard users and are broadly described as operating with least
privilege. The most important fact is that when users sign in with standard user accounts, the
experience typically is much more secure and reliable.

Windows 8.1 reduces the number of operating system applications and tasks that require elevation so that
standard users can do more while experiencing fewer elevation prompts. This improves the interaction
with UAC while upholding high security standards.
When you need to make changes to your computer that require administrator-level permissions, UAC
notifies you as follows:

If you are an administrator, click Yes to continue.

If you are not an administrator, someone with an administrator account on the computer will have to
enter his or her password for you to continue.

If you are a standard user, the administrator credentials you supply are used to run that one task with
administrator rights; your own account remains a standard user, and nothing it runs afterwards is
elevated. If you are an administrator, the task runs with your full administrator token only after you
confirm the prompt. Either way, changes cannot be made to your computer without your knowledge, which
helps prevent malware and spyware from being installed on, or making changes to, your computer.

How UAC Works


There are two general types of user accounts in Windows 8.1: standard users and administrative
users. UAC simplifies users' ability to operate as standard users and perform all their necessary daily
tasks. Administrative users also benefit from UAC because their administrative permissions are available
only after UAC requests permission from the user for that instance.

Standard Users

In previous versions of the Windows operating system, many users were configured to use
administrative permissions rather than standard user permissions. This was because previous versions of
the Windows operating system required administrator permissions to perform basic system tasks, such as
adding a printer or configuring the time zone. In Windows 8.1, many of these tasks no longer require
administrative permissions.
When users have administrative permissions on their computers, they can install additional software.
Despite organizational policies against installing unauthorized software, many users still do it, which can
make their systems less stable and drive up support costs.

When you enable UAC and a user needs to perform a task that requires administrative permissions, UAC
prompts the user for administrative credentials. In an enterprise environment, the help desk can give a
user temporary credentials that have local administrative permissions to complete a task. Any credentials
typed at the user's computer can be captured by software already running there, so such accounts should
be local to that computer and short-lived, and never the help desk technician's own domain account.
The default UAC setting allows a standard user to perform the following tasks without receiving a UAC
prompt:

Install updates from Windows Update.

Install drivers from Windows Update or those that are included with the operating system.

View Windows settings. However, a standard user is prompted for elevated permissions when
changing Windows settings.

Pair Bluetooth devices with the computer.

Reset the network adapter and perform other network diagnostic and repair tasks.

Administrative Users
Administrative users automatically have:

Read/write/execute permissions for all resources.

All Windows permissions.

While it is clearly undesirable for every user to be able to read, alter, and delete any Windows
resource, many enterprise IT departments that ran older versions of Windows had no other option but
to assign all of their users to the local Administrators group.
One of the benefits of UAC is that it allows users with administrative permissions to operate as standard
users most of the time. When users with administrative permissions perform a task that requires
administrative permissions, UAC prompts the user for permission to complete the task. When the user
grants permission, the task in question is performed by using full administrative rights, and then the
account reverts to a lower level of permission.

UAC Elevation Prompts

By default, many applications require users to be administrators because they check Administrators group
membership before running an application. No user security model existed for the Microsoft Windows 95
and the Microsoft Windows 98 operating systems. As a result, developers designed applications, assuming
that they would be installed and run by users with administrator permissions. A user security model was
created for Microsoft Windows NT, but all users were created as administrators by default. Additionally, a
standard user on a Windows XP computer must use the Run As command by right-clicking the executable
file within Windows Explorer, or sign in with an administrator account to install applications and perform
other administrative tasks.
The following list details some of the tasks that a standard user can perform:

Establish a LAN connection

Establish and configure a wireless connection

Modify display settings

Users cannot defragment the hard drive, but a service does this on their behalf

Play CD/DVD media (configurable with Group Policy)

Burn CD/DVD media (configurable with Group Policy)

Change the desktop background for the current user

Open Date and Time in Control Panel and change the time zone

Use Remote Desktop to connect to another computer

Change a user's own account password

Configure battery power options

Configure accessibility options

Restore a user's backup files

Set up computer synchronization with a mobile device (smartphone, laptop, or PDA)

Connect and configure a Bluetooth device

The following list details some of the tasks that require elevation to an administrator account:

Install and uninstall applications

Install a driver for a device, such as a digital camera driver

Install Windows updates

Configure Parental Controls

Install an ActiveX control

Open Windows Firewall in Control Panel

Change a user's account type

Modify UAC settings in the Security Policy Editor snap-in (Secpol.msc) to the MMC

Configure Remote Desktop access

Add or remove a user account

Copy or move files into the Program Files or Windows directory

Schedule Automated Tasks

Restore system backup files

Configure Automatic Updates

Browse to another user's directory

When you enable UAC, members of the local Administrators group run with a filtered access token that
carries only the rights of a standard user; the Administrators group is present in that token only as a
deny-only entry. Only when a member of the local Administrators group gives approval can a process use
the administrator's full access token.

This process is the basis of the Admin Approval Mode principle. Users elevate only to perform tasks that
require an administrator access token. When a standard user attempts to perform an administrative task,
UAC prompts the user to enter valid credentials for an administrator account. This is the default
standard-user prompt behavior.
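The filtered token described above can be observed directly. The following PowerShell is an added example, not part of the course: run it on LON-CL1 as Adatum\Administrator once in an ordinary PowerShell window and once in a window started with Run as administrator, and compare the results. The function names are invented for this example; the group attribute text is what whoami reports on Windows 8.1.

```powershell
# Added example, not from the 20687D course: inspect the process token that
# Admin Approval Mode gives a signed-in member of Administrators.

function Get-UacTokenState {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $adminSid  = New-Object Security.Principal.SecurityIdentifier(
                     [Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)

    # whoami /groups reads the process token. In an unelevated session the
    # Administrators group is listed with the attribute "Group used for deny only".
    $groups   = whoami /groups /fo csv | ConvertFrom-Csv
    $adminRow = $groups | Where-Object { $_.SID -eq $adminSid.Value }
    $attr     = if ($adminRow) { $adminRow.Attributes } else { '(not a member)' }

    [pscustomobject]@{
        User                = $identity.Name
        MemberOfAdmins      = [bool]$adminRow
        # IsInRole consults the token, not the group database, so it is False in the
        # filtered token even though the account belongs to Administrators.
        TokenIsElevated     = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        AdminGroupAttribute = $attr
    }
}

function Invoke-Elevated {
    # Start a new PowerShell with the full token. UAC shows the consent prompt to an
    # administrator in Admin Approval Mode and the credential prompt to a standard user.
    param([Parameter(Mandatory)][string]$Command)
    Start-Process -FilePath powershell.exe -Verb RunAs `
        -ArgumentList @('-NoExit', '-Command', $Command)
}

Get-UacTokenState | Format-List

# From the unelevated window, elevate for one task and run the same check there:
# Invoke-Elevated -Command 'whoami /groups /fo list'
```

In the unelevated window, MemberOfAdmins is True while TokenIsElevated is False and the attribute reads "Group used for deny only": the account is an administrator, but the process is not. In the elevated window both are True and the attribute shows the group as enabled. Anything a user runs in the unelevated window, including malware, is limited in exactly the same way.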

The elevation prompt displays contextual information about the executable that is requesting elevation.
The context differs depending on whether the application is signed with Authenticode.
The elevation prompt has two variations, the consent prompt and the credential prompt:

Consent prompt: Displayed to administrators in Admin Approval Mode when they attempt to perform an
administrative task. It requests the user's approval to continue; no password is entered.

Credential prompt: Displayed to standard users when they attempt to perform an administrative task. It
requires the user name and password of an administrator account.

Note: Elevation entry points do not remember that elevation has occurred, such as when
you return from a shielded location or task. As a result, the user must re-elevate to enter the task
again.

While the number of UAC elevation prompts for a standard user who performs an everyday task has been
reduced in Windows 8.1, there are times when it is appropriate for an elevation prompt to be returned.
For example, viewing firewall settings does not require elevation; however, changing the settings does
require elevation because the changes have a system-wide impact.

Types of Elevation Prompts

When a permission or password is needed to complete a task, UAC notifies you with one of four
types of dialog box. Three of them ask you for a decision and are described below; the fourth simply
tells you that your system administrator has blocked the program and offers no way to continue.

A setting or feature that is part of Windows needs your permission to start.
This item has a valid digital signature that verifies that Microsoft is the publisher. If you get this type
of dialog box, it is usually safe to continue. If you are unsure, check the name of the program or
function to decide whether it is something you want to run.

A program that is not part of Windows needs your permission to start.
This program has a valid digital signature, which helps to ensure that the program is what it claims to
be and verifies the identity of its publisher. If you get this type of dialog box, make sure the program
is the one that you want to run and that you trust the publisher.

A program with an unknown publisher needs your permission to start.
This program does not have a valid digital signature from its publisher. This does not necessarily
indicate danger, because many older, legitimate apps lack signatures. However, use extra caution and
allow the program to run only if you obtained it from a trusted source, such as the product CD or the
publisher's website. If you are unsure, search the Internet for the program's name to determine whether
it is a known program or malware.

Most of the time, you should sign in to your computer with a standard user account. You can browse
the Internet, send email, and use a word processor, all without an administrator account. When you want
to perform an administrative task such as installing a new program or changing a setting that will affect
other users, you do not have to switch to an administrator account; the Windows operating system
will prompt you for permission or an administrator password before performing the task. Another
recommendation is that you create standard user accounts for all the people that use your computer.
Question: What are the differences between a consent prompt and a credential prompt?

Configuring UAC Notification Settings


In Windows 8.1, you can adjust how often UAC notifies you when changes are made to your computer. To
do this, from Control Panel, click System and Security, and then under Action Center, click Change User
Account Control settings. Use the slider to determine how Windows will prompt you. The default is Notify
me only when apps try to make changes to my computer.

The following table identifies the four settings that enable customization of the elevation prompt
experience.

Never notify me: No elevation prompt is shown, and administrators are elevated silently. In Windows 8.1
this position no longer turns UAC off completely (the UAC service stays enabled so that Windows Store
apps can run), but it removes the protection that the prompt provides.

Notify me only when apps try to make changes to my computer (do not dim my desktop): When a
program attempts a change, a prompt appears on the normal desktop rather than on the secure desktop,
so other software running in the session can interact with the prompt. Otherwise, the user is not
prompted.

Notify me only when apps try to make changes to my computer (default): When a program attempts a
change, a prompt appears and the desktop dims (the secure desktop) to provide a visual cue that
elevation is being requested. Changes the user makes to Windows settings do not prompt.

Always notify me: The user is prompted on the secure desktop whenever a program tries to install
software or make changes, and also when the user changes Windows settings.

Because you can configure the user experience with Group Policy, there can be different user experiences,
depending on policy settings. The configuration choices made in your environment affect the prompts
and dialog boxes that standard users, administrators, or both can view.
For example, you might require administrative permissions to change the UAC setting to Always notify
me or Always notify me and wait for my response. With this type of configuration, a yellow notification
appears at the bottom of the User Account Control Settings page, indicating the requirement.
Question: Which two configuration options are combined to produce the end-user elevation
experience?

Demonstration: Configuring UAC with GPOs


In this demonstration, you will see how to:

View the current UAC settings.

Configure the UAC settings.

Test the UAC settings.

Reconfigure the UAC settings.

Test the UAC settings.

Demonstration Steps
View the current UAC settings
1. Sign in to LON-CL1 as administrator.
2. Open the Local Group Policy Editor.
3. Navigate to Computer Configuration\Windows Settings\Security Settings\Local Policies
   \Security Options.

Configure the UAC settings

Create a UAC Group Policy setting that prevents access elevation. Modify the User Account Control:
Behavior of the elevation prompt for standard users setting to Automatically deny elevation
requests.

Test the UAC settings


1. Sign in as Holly, a standard user.
2. Attempt to open the Local Group Policy Editor snap-in, which is an administrative task.

Reconfigure the UAC settings

1. Sign in as administrator.
2. Open the Local Group Policy Editor.
3. Navigate to Computer Configuration\Windows Settings\Security Settings\Local Policies
   \Security Options.
4. Modify the User Account Control: Behavior of the elevation prompt for standard users setting
   to Prompt for credentials.

Test the UAC settings

1. Sign in as Holly, a standard user.
2. Attempt to open an administrative Command Prompt window, an administrative task.
3. Enter administrative credentials as prompted.
4. Revert 20687D-LON-DC1 and 20687D-LON-CL1.


Question: Which UAC feature detects when an application is being installed in Windows 8.1?

Lab C: Configuring and Testing UAC


Scenario
Holly, the IT manager, is concerned that staff might be performing configuration changes to their
computers for which they have no authorization. Windows 8.1 does not allow users to perform these
tasks. However, Holly wants to ensure that users are prompted properly about their attempted actions.

Objectives
After completing this lab, you will be able to:

Modify UAC prompts.

Lab Setup
Estimated Time: 15 minutes
Virtual machines: 20687D-LON-DC1, 20687D-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. The required virtual machines should
be running from the preceding lab.

Exercise 1: Modifying UAC Prompts


Scenario
You decide to reconfigure the UAC notification behavior and prompts.
The main tasks for this exercise are as follows:
1. Modify the User Account Control (UAC) prompts.
2. Modify the UAC notification level.
3. Test the UAC settings.

Task 1: Modify the User Account Control (UAC) prompts


1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. Open the Local Group Policy Editor, and then navigate to Computer Configuration
   \Windows Settings\Security Settings\Local Policies\Security Options.
3. Modify the User Account Control: Behavior of the elevation prompt for standard users setting
   to Prompt for credentials on the secure desktop.

Task 2: Modify the UAC notification level


1. Enable the User Account Control: Only elevate executables that are signed and validated policy
   setting.
2. Enable the User Account Control: Behavior of the elevation prompt for administrators in
   Admin Approval Mode policy setting, and then select the Prompt for consent on the secure
   desktop option.

Task 3: Test the UAC settings

1. Sign in to LON-CL1 as Adatum\Dan with password Pa$$w0rd.
2. Open an administrative Command Prompt window. You are prompted by UAC for credentials on the
   secure desktop. Provide the necessary credentials, and after the administrative Command Prompt
   window opens, close it and then sign out.
3. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd, and then open Action
   Center to verify that the notification settings for UAC are configured for Always notify.

Results: After completing this exercise, you should have reconfigured UAC notification behavior and
prompts.
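Both the Local Group Policy Editor security options used in this lab and the Action Center slider described earlier in the lesson write the same registry values. The PowerShell below is an added example, not part of the course: it reads those values, translates them into the setting names used in this module, applies the Lab C configuration, and shows why Task 3 then finds the slider at Always notify. It assumes an elevated session on LON-CL1; the registry path and value meanings are those Microsoft documents for the UAC security options, and the function names are invented here.

```powershell
# Added example, not from the 20687D course: decode and set the UAC policy values.

#Requires -RunAsAdministrator
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# "Behavior of the elevation prompt for administrators in Admin Approval Mode"
$AdminPrompt = @{ 0 = 'Elevate without prompting'
                  1 = 'Prompt for credentials on the secure desktop'
                  2 = 'Prompt for consent on the secure desktop'
                  3 = 'Prompt for credentials'
                  4 = 'Prompt for consent'
                  5 = 'Prompt for consent for non-Windows binaries (default)' }
# "Behavior of the elevation prompt for standard users"
$UserPrompt  = @{ 0 = 'Automatically deny elevation requests'
                  1 = 'Prompt for credentials on the secure desktop'
                  3 = 'Prompt for credentials (default)' }

function Get-UacConfiguration {
    $p      = Get-ItemProperty -Path $UacKey   # these values exist by default on Windows 8.1
    $admin  = [int]$p.ConsentPromptBehaviorAdmin
    $secure = [int]$p.PromptOnSecureDesktop

    # The four slider positions are combinations of these two values.
    $slider = switch ("$admin/$secure") {
        '2/1'   { 'Always notify' }
        '5/1'   { 'Notify me only when apps try to make changes to my computer (default)' }
        '5/0'   { 'Notify me only when apps try to make changes to my computer (do not dim my desktop)' }
        '0/0'   { 'Never notify' }
        default { 'Custom (set by policy, not reachable from the slider)' }
    }

    [pscustomobject]@{
        UacEnabled                   = [bool]$p.EnableLUA
        AdminApprovalModePrompt      = $AdminPrompt[$admin]
        StandardUserPrompt           = $UserPrompt[[int]$p.ConsentPromptBehaviorUser]
        SwitchToSecureDesktop        = [bool]$secure
        OnlyElevateSignedExecutables = [bool]$p.ValidateAdminCodeSignatures
        SliderPosition               = $slider
    }
}

function Set-LabCUacConfiguration {
    # Task 1: standard users are prompted for credentials on the secure desktop.
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorUser   -Value 1 -Type DWord
    # Task 2: only elevate executables that are signed and validated.
    Set-ItemProperty -Path $UacKey -Name ValidateAdminCodeSignatures -Value 1 -Type DWord
    # Task 2: administrators are prompted for consent on the secure desktop.
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin  -Value 2 -Type DWord
    Set-ItemProperty -Path $UacKey -Name PromptOnSecureDesktop       -Value 1 -Type DWord
}

Get-UacConfiguration        # before: SliderPosition is the default
Set-LabCUacConfiguration
Get-UacConfiguration        # after: SliderPosition is "Always notify", as Task 3 verifies
```

One consequence worth testing before deploying the Lab C settings more widely: with ValidateAdminCodeSignatures set, an executable that is unsigned, or whose signature does not chain to a trusted publisher, cannot be elevated at all, and the user sees an error rather than a prompt. Run Get-UacConfiguration on a computer that behaves unexpectedly before assuming the slider tells the whole story; a policy-set combination shows up as Custom.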

Prepare for the next module


When you have finished the lab, revert all virtual machines back to their initial state:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687D-LON-CL1, and then click Revert.
3. In the Revert Virtual Machines dialog box, click Revert.
4. Repeat steps 2 and 3 for 20687D-LON-DC1.

Module Review and Takeaways


Review Questions
Question: When you implement UAC, what happens to standard users and administrative
users when they perform a task that requires administrative permissions?
Question: What are the requirements for BitLocker to store its own encryption and
decryption key in a hardware device that is separate from a hard disk?
Question: An administrator configures Group Policy to require that data can be saved only
on data volumes that are protected by BitLocker. Specifically, the administrator enables the
Deny write access to removable drives not protected by BitLocker policy setting and
deploys it to the domain. Meanwhile, an end user inserts a USB flash drive that is not
protected with BitLocker. What will happen, and how can the user resolve the situation?

Best Practice: EFS


The following is a list of standard best practices for EFS users:

Users should export their certificates and private keys to removable media, and then store the media
securely when it is not in use. For the greatest possible security, you must remove a private key from a
computer whenever the computer is not in use. This protects against attackers who physically obtain
a computer and try to access the private key. When you must access encrypted files, you can import
the private key easily from the removable media.

Encrypt the My Documents folder for all users (User_profile\My Documents). This ensures that the
personal folder, where most documents are stored, is encrypted by default.

Users should encrypt folders rather than individual files. Programs work on files in various ways.
Encrypting files consistently at the folder level ensures that files are not decrypted unexpectedly.

Private keys that are associated with recovery certificates are extremely sensitive. You must generate
these keys either on a computer that is physically secure, or you must export their certificates to a .pfx
file, protect them with a strong password, and then save them on a disk that is in a physically secure
location.

You must assign recovery agent certificates to user accounts that you do not use for any other
purpose.

Do not destroy recovery certificates or private keys when recovery agents are changed (agents are
changed periodically). Keep them all until all files that might have been encrypted with them are
updated.

Designate two or more recovery agent accounts per organizational unit (OU), depending on the size
of the OU. Designate two or more computers for recovery: one for each designated recovery agent
account. Grant permissions to appropriate administrators who use the recovery agent accounts. It is a
good idea to have two recovery agent accounts. Having two computers that hold these keys provides
more redundancy for the recovery of lost data.

Implement a recovery agent archive program to ensure that you can recover encrypted files by
using obsolete recovery keys. You must export and store recovery certificates and private keys in a
controlled and secure manner. Ideally, as with all secure data, archives must be stored in a
controlled-access vault, and you must have two archives: a master and a backup. The master is kept
on-site, while the backup is located in a secure, off-site location.

Avoid using print spool files in your print server architecture, or make sure that print spool files are
generated in an encrypted folder.

EFS does take some CPU overhead every time a user encrypts and decrypts a file. Plan your server
usage wisely. Load balance your servers when many clients use EFS.

Best Practice: UAC

UAC security settings are configurable in the local Security Policy Manager (Secpol.msc) or the Local
Group Policy Editor (Gpedit.msc). However, in most corporate environments, Group Policy is preferred
because it can be managed and controlled centrally. Windows 8.1 exposes ten UAC settings under
Security Options, each of which maps to a registry value under
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.

Because the user experience can be configured with Group Policy, there can be different user
experiences depending on policy settings. The configuration choices made in your environment
affect the prompts and dialog boxes that standard users, administrators, or both can view.

For example, you might require administrative permissions to change the UAC setting to Always
notify me or Always notify me and wait for my response. With this type of configuration, a yellow
notification appears at the bottom of the User Account Control Settings page, indicating the
requirement.

Although UAC enables you to sign in with an administrative user account to perform everyday user
tasks, it is still a good practice to sign in by using a standard user account for these everyday tasks.
Sign in as an administrator only when necessary.

Best Practice: BitLocker

BitLocker stores its own encryption and decryption key in a hardware device that is separate from the
hard disk, so you must have one of the following:

A computer with TPM.

A removable USB storage device, such as a USB flash drive. If your computer does not have TPM 1.2
or newer, BitLocker stores its key on a memory device.

The most secure implementation of BitLocker takes advantage of the enhanced security capabilities
of TPM 1.2.

On computers that do not have TPM 1.2, you can still use BitLocker to encrypt the Windows
operating system volume. However, this implementation requires a user to insert a USB startup
key to start the computer or resume from hibernation, and it does not provide the pre-startup system
integrity verification that BitLocker offers when it works with a TPM.

Module 11
Configuring Applications for Windows 8.1
Contents:
Module Overview 11-1
Lesson 1: Application Deployment Options in Windows 8.1 11-2
Lesson 2: Managing Windows Store Apps 11-14
Lesson 3: Configuring Internet Explorer Settings 11-19
Lab A: Configuring Internet Explorer Security 11-29
Lesson 4: Configuring Application Restrictions 11-32
Lab B: Configuring AppLocker 11-40
Module Review and Takeaways 11-43

Module Overview

Computer users require applications for every task they perform, such as editing documents, querying
databases, and generating reports. As part of administering the Windows 8.1 operating system, you
need a strategy for deploying and managing the applications that users in your organization will run
on their new Windows 8.1 computers and devices. Based on the specific needs of your organization, you
can choose from a variety of methods to deploy and manage applications, from manual deployment
methods to fully automated management technologies. You also need a strategy to handle the
application compatibility issues that might arise when you try to run applications that were designed for
older versions of Windows operating systems.

Objectives
After completing this module, you will be able to:

Describe application deployment options in Windows 8.1.

Install and manage Windows Store apps.

Configure and secure Internet Explorer.

Configure application restrictions.

Lesson 1

Application Deployment Options in Windows 8.1

In your organization, scenarios might exist for which certain application deployment methods are more
appropriate than others. In this lesson, you will learn about traditional application deployment, in addition
to the methods that you can use to automate application deployment.

Lesson Objectives
After completing this lesson, you will be able to:

Differentiate between the types of apps in Windows 8.1.

Describe manual application installation.

Explain the methods for automating installation of desktop apps.

Describe Microsoft Application Virtualization (App-V).

Explain how to sequence applications by using App-V.

Explain the options for deploying App-V applications.

Describe RemoteApp programs.

Explain how to deploy RemoteApp programs.

Types of Apps in Windows 8.1


In Windows 8.1, there are two types of apps: desktop apps and Windows Store apps. Users install and
manage these two types of apps in different ways. The following sections outline the differences
between both types.

Desktop Apps
Desktop apps are the traditional apps, such as Microsoft Office 2013. Most users and network
administrators are familiar with desktop apps. Desktop apps can be installed on Windows 8.1 computers
locally by an administrator from a product DVD that contains the app, from a network share, or by
downloading the app from the Internet.
Windows desktop apps:

Are installed by using .exe or .msi installer files.

Can be automated.

Can be replaced by distributed app installation and execution methods in larger environments.

Windows Store Apps


A Windows Store app is a special type of app that is designed to run on computers that are running
Windows 8 and newer. Windows Store apps do not run on Windows 7 or older versions of Windows
operating systems.

Windows Store apps:

Can run on Windows 8.1, Windows 8, Windows RT 8.1, and Windows RT.

Are available from the Windows Store or through sideloading.

Are distributed in the .appx file format and must be digitally signed.

Run in full-screen mode by default rather than in a resizable desktop window; their live tiles on the
Start screen show updates without the app being open. Two or more Windows Store apps can be
displayed side by side on one or more displays.

Are not installed by means of traditional application deployment methods.

If your organization has developed custom Windows Store apps, you can use a process called sideloading
to install these apps. When sideloading a Windows Store app, you use an .appx installer file. You can use
Dism.exe or the Windows PowerShell command-line interface to sideload and manage Windows Store
apps. For large-scale deployment of sideloaded apps, an enterprise also could use Microsoft System
Center 2012 R2 Configuration Manager.
Sideloading Windows Store apps has the following prerequisites:

Sideloading must be enabled in Group Policy.

Windows Store apps must be digitally signed, and the signing certificate must chain to a certificate
that the target computer trusts; an unsigned or untrusted .appx package is refused at installation.

To enable sideloading, configure the Allow all trusted apps to install policy setting. This item is located
in the Computer Configuration\Administrative Templates\Windows Components\App Package
Deployment node of the Group Policy Management Console.
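As an added example that is not part of the course, the PowerShell below enables sideloading on one computer by writing the registry value that the Allow all trusted apps to install policy sets, then sideloads a package with the Appx module. The package path and name (ContosoExpenses) are hypothetical; the script assumes an elevated session and that the package's signing certificate has already been imported into the computer's Trusted Root or Trusted People store.

```powershell
# Added example, not from the 20687D course: enable sideloading locally and install a
# line-of-business package. The package C:\Deploy\ContosoExpenses.appx is hypothetical.

#Requires -RunAsAdministrator
$AppxPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'
if (-not (Test-Path $AppxPolicy)) { New-Item -Path $AppxPolicy -Force | Out-Null }
# Same value the "Allow all trusted apps to install" policy writes.
Set-ItemProperty -Path $AppxPolicy -Name AllowAllTrustedApps -Value 1 -Type DWord

$Package = 'C:\Deploy\ContosoExpenses.appx'

# Add-AppxPackage installs for the current user only. It verifies the package
# signature itself and fails, rather than prompting, when the certificate is not trusted.
Add-AppxPackage -Path $Package

# SignatureKind distinguishes Store, Enterprise (sideloaded), Developer and System packages,
# which is useful when auditing what has been sideloaded onto a computer.
Get-AppxPackage -Name 'ContosoExpenses*' |
    Select-Object Name, Version, Publisher, SignatureKind, InstallLocation
```

For images and for every future user of a computer, the per-machine equivalent is DISM's /Add-ProvisionedAppxPackage option rather than Add-AppxPackage; Get-AppxPackage -AllUsers lists what is installed for everyone.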

Manual Application Installation


To install a desktop app from local media, an interactive user inserts a product DVD that contains a
desktop app, after which Windows 8.1 prompts the user about what to do. Typically, a user chooses to
run Setup.exe.

Note: You also can install desktop apps by using Control Panel. If a network administrator has made
applications available for network installation, you can open Control Panel, and then click Get Programs.
A list of apps that are available for network installation displays. Windows 8.1 makes these apps
available by using Group Policy Objects (GPOs) and software distribution points.

The installation process for a desktop app begins, and the app installs. By default, all users run as standard
users. Windows 8.1 will prompt the user to elevate to full administrator privileges through User Account
Control (UAC) to install the application.
Note: Apps installed across a network can be installed automatically without user
intervention, depending on the configuration of the app package.

Windows Installer

The Windows Installer is the desktop app installation and configuration service for Windows 8.1. Windows
Installer packages are packaged apps in the .msi file format. An app that is designed for deployment on
Windows-based client computers often is available from a vendor in the .msi format already. You also can
use non-Microsoft app packaging products to convert app installers from the .exe file format to Windows
Installer packages in the .msi format.
A Windows Installer package in the .msi format includes the information that is necessary to add,
remove, and repair an application. You can install an app installer in the .msi format locally, or you can
deploy it through an automatic application deployment solution, such as Group Policy or Configuration
Manager. Because of the way that Windows Installer packages manage changes to an operating system,
applications that you deploy from these packages are more likely to uninstall cleanly than those that
you deploy by using application installers in executable files. This fact is important from an
application-management perspective because it is just as important to be able to remove an application
cleanly, leaving no trace that the application was installed on a target computer, as it is to install it
correctly in the first place.

If an app is packaged as an .msi file and is accessible from the target computer, you can run Msiexec.exe
from an elevated command prompt to install a desktop app. For example, to install an app from a shared
folder, run the following sample command from an elevated command prompt:
Msiexec.exe /i \\lon-dc1\apps\app1.msi

Administrators also can use Windows Installer to update and repair installed desktop apps.
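An unattended Windows Installer run normally adds a quiet switch, a verbose log and exit-code handling to the single /i command shown above, and the same Msiexec.exe switches cover the repair and removal that the previous sentence mentions. The wrapper below is an added example, not course material; the share path and product name come from the sample command and are placeholders, and it assumes the package is Authenticode-signed by a publisher the computer trusts.

```powershell
# Added example, not from the course: run Msiexec.exe unattended with a verbose
# log, verify the package signature first, and interpret the exit code.
# '\\lon-dc1\apps\app1.msi' and 'App1' are placeholders from the lesson text.

function Invoke-MsiAction {
    param(
        [Parameter(Mandatory)][ValidateSet('Install', 'Repair', 'Uninstall')][string]$Action,
        [Parameter(Mandatory)][string]$PackagePath,
        [string]$LogPath = (Join-Path $env:TEMP ('msi-{0}-{1:yyyyMMdd-HHmmss}.log' -f $Action, (Get-Date)))
    )

    # A package pulled from a network share should be signed by a trusted publisher;
    # refuse anything whose Authenticode signature does not verify.
    $sig = Get-AuthenticodeSignature -FilePath $PackagePath
    if ($sig.Status -ne 'Valid') {
        throw "Refusing to run '$PackagePath': signature status is $($sig.Status)"
    }

    # /i install, /f repair (reinstall missing or damaged files and registry data),
    # /x uninstall; /qn suppresses the UI, /norestart leaves the reboot decision to the
    # caller, and /l*v writes the verbose log that is the first thing to read on failure.
    $modeSwitch = @{ Install = '/i'; Repair = '/f'; Uninstall = '/x' }[$Action]
    $msiArgs = @($modeSwitch, ('"{0}"' -f $PackagePath), '/qn', '/norestart', '/l*v', ('"{0}"' -f $LogPath))

    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

    # Windows Installer exit codes worth handling explicitly.
    switch ($proc.ExitCode) {
        0       { Write-Host "$Action succeeded. Log: $LogPath" }
        3010    { Write-Warning "$Action succeeded but a restart is required. Log: $LogPath" }
        1603    { throw "$Action failed with a fatal error (1603). See $LogPath" }
        1619    { throw "Package could not be opened (1619); check the path and share permissions." }
        default { throw "$Action returned exit code $($proc.ExitCode). See $LogPath" }
    }
    return $proc.ExitCode
}

function Get-InstalledMsiProduct {
    param([Parameter(Mandatory)][string]$NamePattern)
    # Windows Installer records each product under the Uninstall keys (WindowsInstaller = 1);
    # reading them is the quickest way to confirm that an install or removal took effect.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $NamePattern -and $_.WindowsInstaller -eq 1 } |
        Select-Object DisplayName, DisplayVersion, Publisher, UninstallString
}

# Usage, from an elevated Windows PowerShell prompt:
Invoke-MsiAction -Action Install -PackagePath '\\lon-dc1\apps\app1.msi'
Get-InstalledMsiProduct -NamePattern 'App1*'
```

Treating 3010 as success-with-restart rather than failure matters when the wrapper is used from a deployment tool: the product is installed, but the computer is in a half-configured state until it restarts, so the caller should schedule the restart rather than retry the install.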

Methods to Automate Desktop App Installation

A single, user-directed installation process works in situations where a desktop app is installed only
once or twice. However, for larger and more complex installations, planning and performing an
automated desktop app deployment might be a better choice. Several options exist for automating the
deployment of desktop apps to Windows 8.1 computers.

Automating Installation by Using Group Policy

Group Policy software deployment enables the deployment of desktop apps in the Windows
Installer .msi file format to computers that belong to an Active Directory Domain Services (AD DS)
environment. Group Policy software deployment offers the most basic form of automated app
deployment. To perform Group Policy software deployment, you configure a GPO. Use Group Policy as
a software deployment method in small organizations where the desktop apps that you want to deploy
already are packaged in the Windows Installer format.
Group Policy software deployment has the following requirements and properties:

The target computers must belong to an AD DS domain.

The software must be packaged in the Windows Installer .msi file format.

User and computer accounts can be the targets of an application deployment.

You can target a deployment at the domain level, the site level, or the organizational unit level.

Group Policy software deployment supports the following deployment types:


Assign. You can assign applications to users or computers. When you assign an application to a user,
the application installs when the user signs in. When you assign an application to a computer, the
application installs when the computer starts.

Publish. You can publish applications to users. Doing so makes an application available through the
Programs and Features item in Control Panel. You cannot publish applications to computers.

Group Policy software deployment has the following drawbacks:

Difficulty in determining the success of deployments. Group Policy software deployment does not
include reporting functionality. The only way to determine whether an application has installed is to
check it manually.

No prerequisite checking. Group Policy software deployment does not enable you to perform
prerequisite checks directly. You can use Windows Management Instrumentation queries to check,
but doing so is a complex operation that requires significant expertise and time.

No installation schedule. Deployment will occur the next time a Group Policy refresh occurs. You
cannot schedule Group Policy software deployment to occur at a specific date and time.

Automating Installation by Using MDT

Microsoft Deployment Toolkit (MDT) 2013 is a solution accelerator that you can use to automate the
deployment of operating systems and applications to computers. You can use MDT to perform lite-touch
installation (LTI). LTI requires that you trigger operating system deployment or application installation
on each computer, but it requires minimal intervention after the deployment begins. You can use MDT
to perform automated operating system and application deployment without deploying Configuration
Manager. However, you can use MDT when it is integrated with Configuration Manager to perform
zero-touch installation (ZTI). ZTI enables operating system and application deployment and migration
without requiring any intervention.
You can use MDT to perform LTI deployment and migration from the following operating systems:

Windows 8.1 or Windows 8

Windows 7

Windows Vista Service Pack 2 (SP2)

Windows XP Service Pack 3

Windows Thin PC

Windows Server 2012

Windows Server 2008 R2

Windows Server 2008 SP2

Windows Server 2003 R2

The LTI process only requires the tools that are available in MDT. You do not need to deploy
Configuration Manager in your environment to perform LTI. To perform LTI by using MDT, perform the
following steps:
1.

Deploy MDT on a computer that will function as the management computer, create a deployment
share on this computer, and then import the image files that you will use.

2.

Create a task sequence and a boot image for the computer that will function as the reference
computer.


3.

Start the reference computer by using the medium that contains MDT. The task sequence files, task
sequence, and boot image transfer to the reference computer.

4.

Use the Windows Deployment Wizard to deploy the operating system. After deployment, capture the
reference computer as an image.

5.

Transfer the captured image to the management computer.

6.

Create a new boot image and task sequence for deployment to the target computers.

7.

Start the deployment target computers by using the medium that contains MDT. The task sequence
files, task sequence, and boot image transfer to the reference computer.

8.

Run the Windows Deployment Wizard to deploy the prepared image.

Automating Installation by Using Configuration Manager

Configuration Manager provides a comprehensive platform for application deployment and management,
and it supports deploying applications in the .exe, .msi, .appv, and .appx file formats. Configuration
Manager enables administrators to target deployments to groups of users and computers, and to
configure deployments to occur at specific dates and times. Computers must have the Configuration
Manager client installed to receive software that Configuration Manager deploys.

Collections

Configuration Manager enables the deployment of applications to computers, users, and security groups.
Configuration Manager enables you to create collections that consist of manually created groups of users
or computers. Collections also can be based on the results of queries of user or computer properties.
Because Configuration Manager can collect information about all aspects of a user or computer, including
all AD DS attributes and software and hardware configurations, you can create focused collections
for targeted application deployment. For example, you can create a collection that includes only the
computers that are located at a specific site with a certain deployed application and a specific piece of
installed hardware.

Multiple deployment types

Configuration Manager enables you to use multiple deployment types when deploying an application.
With this feature, you can configure a single application deployment but make it possible for that
deployment to occur in different ways, depending on the conditions that apply to the target computer
or user. For example, you can configure an application to install locally if a user is logged on to his or
her primary device, but to stream as an App-V application if the user is logged on to another device.
Deployment types also enable you to configure the deployment of the x86 version of an application if the
target computer has a 32-bit processor, or to configure the deployment of the x64 version if the target
computer has a 64-bit processor.

Reporting

Configuration Manager includes extensive reporting functionality. This feature enables you to determine
how successful an application deployment was after its completion. Configuration Manager also enables
you to simulate application deployments before performing them. This feature enables you to
determine, before you perform an actual deployment, whether any factors that you have not
considered might block a successful application deployment.

Wake On LAN and maintenance windows

Configuration Manager supports Wake On LAN (WOL) functionality and maintenance windows. Instead
of interrupting a user with an application installation that might require a restart and the disruption of his
or her current productivity, WOL functionality enables application deployment to occur after-hours, when
the compatible computer is in a low power state. Configuration Manager sends a special signal to these


computers, which return to a fully powered-on state, perform the application installation, and then return
to the low power state.
Maintenance windows enable administrators to define when operations such as software installations and
software update deployments should occur. Maintenance windows give users a predictable period during
which they know that operations requiring a restart of their computers might occur. If users know that
their computers might need to restart at a certain time each week, they are less likely to leave important
documents and programs open at that time, thereby avoiding potential data loss.

Software inventory, software metering, and Asset Intelligence

Configuration Manager supports software inventory, software metering, and Asset Intelligence. A software
inventory enables you to determine which applications are installed on computers in your organization.
Software metering enables you to monitor how often particular applications are used. Asset Intelligence
enables you to check software licensing compliance, helping ensure that the number of applications
deployed within an organization equals the number of software licenses that are available for those
applications. With this information, you can make informed decisions with respect to future software
deployment. You also can use software inventory and software metering information as a basis for the
creation of collections.

Automating Installation by Using Windows Intune

You can use Windows Intune to perform software deployments on user or computer groups. Users and
computers can belong to multiple groups. You can configure Windows Intune to synchronize account
information from AD DS.

You need to deploy the Windows Intune client on target computers to use Windows Intune. If users have
local Administrator rights, they can perform this operation themselves by downloading Windows Intune
client software from the Windows Intune site in their organization. If users do not have Administrator
rights, they can install a Windows Intune client by using Windows Remote Assistance or by bringing their
computers to a branch office location.

You can use Windows Intune to deploy applications to Windows Intune clients in both the .exe and .msi
file formats. You must upload applications to Windows Intune before you can deploy them. You can make
software available as an optional installation or configure it as a required installation.
Windows Intune provides reporting on the success and failure of targeted application deployment. This
feature means that you can determine how many clients out of the target group successfully installed the
deployed application. It also is possible to use Windows Intune to remove applications that previously
were deployed to client computers.

You can integrate Windows Intune with Configuration Manager, enabling you to manage devices that
are hosted in both platforms from a single console. You can use Windows Intune to manage Windows 8.1
computers, irrespective of whether they are members of an AD DS domain. In addition, you can use
Windows Intune to manage computers that run Windows 8, Windows RT 8.1, Mac OS X, Windows 7,
Windows Vista, and Windows XP. You can use Windows Intune to manage PCs and devices at scale.

What Is App-V?

App-V, which is part of the Microsoft Desktop Optimization Pack, is a Microsoft solution that enables
users to run virtualized applications on their computers without having to install or configure them
locally. App-V benefits an organization through faster deployment of applications and updates, and it
minimizes conflicts between applications and various versions of applications. Before a Windows 8.1
computer can run streamed App-V applications, you must install the App-V client. The App-V client
provides an isolated execution environment in which App-V applications run. The virtualized
applications interact with the App-V client rather than directly with a host operating system.


With App-V, you can perform nonpersistent application deployment. Nonpersistent application
deployment is useful in scenarios where a person might need to use an application on a computer on an
infrequent basis. This type of deployment also is useful in environments where people are not assigned to
specific computers. For example, a person might need to use a specific application that is not installed as
part of the standard operating-system build in an organization, or where people are assigned computers
each day on a first-come, first-served basis. With App-V, you can provision an application to a user no
matter which computer the user is assigned to. You can configure the application so that it will not remain
on the computer after the user signs out.
The Microsoft Desktop Optimization Pack is a suite of tools and technologies that are available to
customers who purchase Microsoft Software Assurance. App-V supports the virtualization of applications
that run on Windows 8.1 computers and Remote Desktop Services (RDS) on Windows Server 2012 R2.
App-V also supports client computers that run Windows 7, Windows Vista, and Windows XP. It also can
be used with RDS on Windows Server 2008 R2 and Windows Server 2008. Applications are still limited by
platform constraints. You cannot run an x64 application on an x86 host, and an application that requires 4
gigabytes (GB) of RAM to run in a traditional manner still requires 4 GB of RAM to run when sequenced.
You can use App-V to rapidly deploy software and reduce application delivery times, in some cases
by over 80 percent. Reduced desktop image sizes save time and network bandwidth during deployment
and allow rapid deployment of applications directly to a device. You also can update software and
troubleshoot issues quickly by replacing centrally held source files, which you then can test and make
available to all users as they require the software.
Microsoft Application Virtualization case studies
http://go.microsoft.com/fwlink/?LinkId=392420

When planning whether to use App-V as a part of your organization's application deployment strategy,
consider the following:

App-V allows users to run different versions of the same application concurrently. Most applications
do not allow you to install a later version of an application side-by-side with an older version.
However, when applications are virtualized through App-V, the applications are unaware of each
other because each has its own silo that the App-V client provides.

App-V minimizes application conflict. Although unusual, applications can conflict because of
dynamic-link library (DLL) or application programming interface (API) conflicts. When applications
are virtualized and running in separate silos under the App-V client, these conflicts do not occur.


App-V applications can be streamed. App-V applications can be streamed from distribution points.
This feature means that rather than waiting for an entire application to be transferred across a
network and installed, a user can start using the application as soon as enough of it has transferred
across the network for it to begin running. App-V uses Hypertext Transfer Protocol (HTTP) for
streaming rather than Real-Time Streaming Protocol (RTSP), which was used in older versions of the
product.

A deployment does not require a restart. You can deploy an App-V application to a target computer,
and the user can run that application without requiring the target computer to restart.

No extra prerequisite components are required. Other than the App-V client, which must be present,
any prerequisite components are included when sequencing the application. It is not necessary to
deploy extra components, such as Microsoft Visual C++ runtime files, prior to deploying a
sequenced application.

Upgrades are simplified. Because an App-V application runs in its own silo that is disconnected from
the operating system, you can deploy an upgrade to an application over the existing application. This
process is called resequencing.

Nonpersistent installation. You can configure streamed App-V applications so that they are not
stored in the App-V cache after a user signs out. This feature enables you to have applications follow
users as they sign in to different computers, while ensuring that only one instance of an application is
deployed to a user. It also enables sensitive applications to be present on the local computer only
when specific users are signed in, and otherwise, to be inaccessible.

Applications use local resources. A drawback of Windows Server 2012 R2 RemoteApp is that when
multiple users are using a RemoteApp program from the same Remote Desktop (RD) Session Host
server, that server might be under resource pressure. On the other hand, an App-V application uses
the resources of the local computer; therefore, the application does not consume the resources of the
App-V server.

Sequencing Applications with App-V

By sequencing an application, you can create a version of that application that runs within the App-V
client environment. You must sequence an application before it can run on a computer that has an
installed App-V client.

The sequencing process is similar to the application packaging process to create a Windows Installer
package. Sequencing an application with the App-V Sequencer produces an .appv file and an .msi file.
You can deploy an .msi file to a computer in the same way as any other .msi file, although the
application will run only if the App-V client is installed. When deployed as an .msi file, an application
will remain on a computer until it is uninstalled. An application is streamed when deployed as an .appv
file. The length of time that it remains in the .appv cache depends on the deployment settings.


The sequencing process records all changes that the installation of an application makes to a client
computer. These changes include those made to files and folders, environment variables, .ini files, and the
registry. The sequencing process functions in the following way:
1.

The App-V Sequencer initiates the application's installation process.

2.

The Sequencer records all changes to files, registry settings, environment variables, and DLLs, in
addition to any other changes to the computer that hosts the Sequencer.

3.

The Sequencer generates a special virtual environment.

4.

The Sequencer runs the application in this environment. This includes all the modifications that were
made to the computer that hosts the Sequencer.

5.

The technician performing the sequencing performs any required post-installation configuration
tasks. The Sequencer records any additional modifications.

6.

The Sequencer generates .appv and .msi files and writes them to the folder that the technician
specified.

The computer that functions as the Sequencer needs special preparation. This preparation involves
shutting down services and applications, such as antimalware scanners, that might cause problems with
the sequencing process. You should deploy the role of Sequencer on a virtual machine. The Sequencer
records changes that are made to the host operating system during the application installation. When you
deploy the Sequencer on a virtual machine, you can use virtual machine checkpoints to roll the virtual
machine back to a clean configuration after you sequence each application. This computer should run
the same operating system as the clients on which you will deploy the sequenced application. You can
sequence an x86 application on a computer that runs an x64 version of the App-V Sequencer.

Options for Deploying App-V Applications

You have a number of options for deploying App-V applications after you ensure that the App-V client
is locally installed. The option that you choose depends on what infrastructure is available in your
organization. Three App-V deployment models exist:

The stand-alone deployment model

The App-V full infrastructure model

The Configuration Manager integrated model

Stand-Alone Deployment Model

The stand-alone deployment model requires that you deploy a minimal amount of infrastructure. In this
deployment model, you must deploy a Sequencer to create sequenced applications, and you must deploy
the App-V client to all the Windows 8.1 client computers that will consume App-V applications. In the
stand-alone deployment model, you deploy sequenced applications in Windows Installer format manually
with Group Policy or through Windows Intune. Applications that you deploy by using the stand-alone
deployment model remain on target computers until they are uninstalled.

App-V Full Infrastructure Model


The App-V full infrastructure model is appropriate for organizations that want to stream virtualized
applications to clients but have not deployed Configuration Manager. In addition to the App-V client
being installed on all Windows 8.1 client computers and the computer that functions as the Sequencer,
this model requires the deployment of the following components:

Management server. This server enables administrators to manage the App-V infrastructure and to
assign the rights that allow users to consume applications.

Management server database. This database stores configuration settings for the management server.

Publishing server. Sequenced applications are streamed to App-V clients over HTTP from the
publishing server.

Reporting server. This server enables the generation of reports that detail application deployment and
consumption.

Reporting server database. This database stores reporting server data.

You can deploy each of the preceding roles on the same server. In large environments, you deploy
publishing servers to each branch office so that Windows 8.1 computers will be able to stream
applications locally rather than across wide area network (WAN) links.

Configuration Manager Integrated Model

You can use Configuration Manager to deploy applications in the .appv and .msi formats to client
computers. An advantage of the Configuration Manager integrated model over the other models is
that you can configure the application deployment process to detect automatically whether a target
computer has an App-V client installed and, if a client is not present, to deploy a client before deploying
the application. The Configuration Manager integrated model supports streaming when deploying
sequenced applications in the .appv format, and it supports local installation when using sequenced
applications in the .msi format. The Configuration Manager integrated model requires that you have
deployed Configuration Manager in your environment previously and have configured a computer to
function as an application sequencer.

What Are RemoteApp Programs?

Windows Server 2012 R2 RemoteApp programs display locally but run remotely. From a user's
perspective, a RemoteApp program appears to be the same as any other application that runs on a
computer. Consider deploying RemoteApp in situations where an application does not run on a client
computer. Here are some of the scenarios in which you can use RemoteApp to deploy an application:

Users of Windows RT 8.1 computers need to access an application that only runs on the x64 version of
Windows 8.1.

Users of computers that run the x86 version of Windows 8.1 need to access an application that is
available only in an x64 version.

Users of computers that have 4 GB of RAM need to run an application that requires 8 GB of RAM.

In each of the preceding scenarios, the application is provided to the user through RemoteApp. The
application displays locally but runs on a platform that has appropriate hardware resources to support
the application. RemoteApp programs can run directly on RD Session Host servers or on separate virtual
machines in a Remote Desktop Virtual Desktop Infrastructure (VDI) scenario. From a user's perspective,
little difference exists between a RemoteApp program that runs on an RD Session Host server and a
RemoteApp program that is installed on a virtual machine in a VDI scenario.
Running a RemoteApp program on an RD Session Host server has the following advantages and
disadvantages:


You install applications directly on RD Session Host servers and then make them available to users as
RemoteApp programs. This technique makes it simpler to deploy applications than by using
RemoteApp on VDI.

You cannot deploy different versions of the same application on RD Session Host servers. The
exception to this rule occurs when you also deploy the App-V client on an RD Session Host
Application Virtualization server.

Some applications cannot be installed in the RD Session Host environment.

You must configure each RD Session Host server in the server farm identically.

You can scale this solution by adding more identically configured RD Session Host servers. Doing so
can be complicated if a large number of applications need to be deployed on each RD Session Host
server.

The RemoteApp on VDI solution has the following advantages and disadvantages:

You install applications on virtual machines and make them available to users as published
RemoteApp programs.

Having to deploy Windows Server 2012 R2 Hyper-V and configure virtual machines for VDI can
make this solution seem more complex from an administrative standpoint.

Applications run on client virtual machines. Therefore, applications that are not supported on
RD Session Host servers can be deployed as RemoteApp programs.

You do not need to configure virtual machines identically. You install an application on one or more
virtual machines, and the Remote Desktop Connection Broker connects users to virtual machines that
have the RemoteApp program installed.

Make sure that you have enough virtual machines with an application installed to meet the demand
for that application. In complex environments, you can use Microsoft System Center 2012 R2
Orchestrator and Microsoft System Center 2012 R2 Virtual Machine Manager to automate the
deployment of extra virtual machines and applications to meet specific demands.

RemoteApp on VDI is more scalable. You can deploy Hyper-V, virtual machines, and use cloned
virtual machines.

Deploying RemoteApp Programs

You can publish RemoteApp programs in the following three ways:

By using the RemoteApp Manager administration console.

Through Remote Desktop (RD) Web Access.

By using Group Policy.


You can publish RemoteApp programs by using the RemoteApp Manager administration console. The
management server detects applications that have been installed on RD Session Host servers if you are
using RemoteApp with a session host, and it detects applications that are installed on virtual machines
if you are using RemoteApp with virtual machines. You can use this console to configure session
collections and RemoteApp permissions. By doing so, you can control which users will be able to access
specific published RemoteApp programs.

You can make RemoteApp programs available through RD Web Access. When you do so, users can
connect to an RD Web Access server to launch applications. By default, the location of an RD Web
Access site is https://<ServerFQDN>/RDWeb, where <ServerFQDN> represents the fully qualified domain
name (FQDN) of the RD Web Access server. When a user connects to this site, the site displays a list of
RemoteApp programs and RD Session Host servers to which that user has access.
You can publish RemoteApp programs through Group Policy by configuring the default connection
URL policy with the address of the RemoteApp feed. When you do so, the list of available RemoteApp
programs is published to the Start screen of Windows 8.1. The default location of this feed is
https://<ServerFQDN>/Rdweb/webfeed.aspx. You can configure the default connection URL by editing
the following policy: User Configuration\Policies\Administrative Templates\Windows Components
\Remote Desktop Services\RemoteApp and Desktop Connections.

Lesson 2

Managing Windows Store Apps


Windows 8.1 supports Windows Store apps, which were introduced with Windows 8 and Windows RT.
Windows Store apps are small, light, and easily accessible. It is important that you know how to manage
user access to the Windows Store, which will enable you to control the installation and use of these apps.

Lesson Objectives
After completing this lesson, you will be able to:

Describe the Windows Store and Windows Store apps.

Explain how to manage and restrict access to the Windows Store.

Explain how to sideload Windows Store apps.

Sideload Windows Store apps.

What Is the Windows Store?

The Windows Store provides a convenient, single location for users to access and download apps. Users
can access the Windows Store from the Start screen without needing to navigate to Control Panel.
Note: To access the store, users must sign in to Windows by using a Microsoft account. Users can create
this account during Windows 8.1 installation, or they can define it after installation.

Windows Store Apps


The Windows Store enables users to access and install Windows Store apps. These are not like desktop
apps, such as Microsoft Office 2013.

These apps can communicate with one another and with Windows 8.1 so that it is easier to search for and
share information, such as photographs. After an app is installed, from the Start screen, users can see tiles
that constantly update with live information from installed apps.

Locating Windows Store Apps

The landing page is the initial page that users see when accessing the Windows Store. When users connect
to the Windows Store, they can locate apps easily on the landing page. Windows Store Apps are divided
into categories such as Games, Entertainment, Music & Videos, and others.
Users also can use the Windows 8.1 Search charm to search the Windows Store for specific apps. For
example, if a user is interested in an app that provides video-editing capabilities, he or she can select the
Search charm, type in a search text string, and then click Store. The Windows Store returns suitable apps
from which the user can make a selection.

Installing Windows Store Apps


Installing Windows Store apps is a straightforward task for most users. A single tap on the appropriate
app in the listing should be sufficient to install the app. Apps install in the background so that users can
continue browsing the Windows Store. After an app is installed, a tile for the app appears on the user's
Start screen.

Updating Windows Store Apps

Windows 8.1 checks the Windows Store for updates to installed apps on a daily basis. When an update for
an installed Windows Store app is available, Windows updates the Store tile on the Start screen to display
an indication that updates are available. When a user selects the Store tile and connects to the Windows
Store, the user can choose to update one, several, or all of his or her installed apps for which updates are
available.

Installing Windows Store Apps on Multiple Devices

Many users have multiple devices, such as desktop and laptop computers. The Windows Store allows 81
installations of a single Windows Store app so that users can run the app on all of their devices. If users
attempt to install an app on an 82nd device, they are prompted to remove the app from another device.

Managing Access to the Windows Store


While it might be convenient to let users search for and install apps, it does pose potential problems for
network administrators who want to control app installation or to impose a rigid desktop standard on
network-connected computers. For this reason, you can use domain-based or local GPOs to control access
to the Windows Store.

Disable the Store Application


To control access to the Store, perform the following procedure:

1. From the Start screen, run gpedit.msc with administrative permissions, and then load the Local
Group Policy Editor.

2. Under Local Computer Policy, expand User Configuration, expand Administrative Templates,
expand Windows Components, and then click Store.

3. In the results pane, double-click Turn off the Store application.

4. In the Turn off the Store application dialog box, click Enabled, and then click OK.

5. Close all open windows.

When the Windows Store is disabled, users will see a "Windows Store isn't available on this PC" message
when they attempt to access the Store tile on the Start screen.

Note: You can use a GPO to disable the Windows Store for target computers, specific users,
or groups of users.
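The same policy can be audited and applied from Windows PowerShell, which is useful when you need to confirm the state on many computers rather than open gpedit.msc on each one. The following script is an added example and is not part of the course. It assumes that the Turn off the Store application setting is backed by the REG_DWORD value RemoveWindowsStore under Software\Policies\Microsoft\WindowsStore (HKCU for the User Configuration setting used in the procedure above, HKLM for the Computer Configuration equivalent); the GPO name and OU distinguished name in Set-StorePolicyDomain are placeholders.

```powershell
# Added example; not course material. Audits and sets the "Turn off the Store
# application" policy from Windows PowerShell.
# Assumption: the policy is backed by REG_DWORD RemoveWindowsStore under
# Software\Policies\Microsoft\WindowsStore (HKCU = User Configuration,
# HKLM = Computer Configuration).
$StorePolicyPath  = 'Software\Policies\Microsoft\WindowsStore'
$StorePolicyValue = 'RemoveWindowsStore'

function Get-StorePolicyState {
    # One object per hive, so you can see whether the machine or the user
    # policy is the one turning the Store off.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key  = "${hive}:\$StorePolicyPath"
        $data = $null
        if (Test-Path -Path $key) {
            $data = (Get-ItemProperty -Path $key -Name $StorePolicyValue -ErrorAction SilentlyContinue).$StorePolicyValue
        }
        if ($data -eq 1)     { $state = 'Enabled (Store turned off)' }
        elseif ($data -eq 0) { $state = 'Disabled (Store explicitly allowed)' }
        else                 { $state = 'Not configured' }
        [pscustomobject]@{ Scope = $hive; Value = $data; State = $state }
    }
}

function Set-StorePolicyLocal {
    # Writes the local policy value directly, which is what gpedit.msc does.
    # Run elevated: Software\Policies is not writable by standard users.
    param(
        [ValidateSet('HKLM', 'HKCU')] [string]$Scope = 'HKCU',
        [ValidateSet('Enabled', 'Disabled', 'NotConfigured')] [string]$State = 'Enabled'
    )
    $key = "${Scope}:\$StorePolicyPath"
    if ($State -eq 'NotConfigured') {
        if (Test-Path -Path $key) {
            Remove-ItemProperty -Path $key -Name $StorePolicyValue -ErrorAction SilentlyContinue
        }
        return
    }
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    $data = if ($State -eq 'Enabled') { 1 } else { 0 }
    Set-ItemProperty -Path $key -Name $StorePolicyValue -Value $data -Type DWord
}

function Set-StorePolicyDomain {
    # Domain-based equivalent: the same value delivered through a GPO with the
    # GroupPolicy module (RSAT). GPO name and OU are placeholders for the example.
    param(
        [string]$GpoName  = 'Block Windows Store (example)',
        [string]$TargetOU = 'OU=Workstations,DC=Adatum,DC=com'
    )
    Import-Module GroupPolicy
    $gpo = try { Get-GPO -Name $GpoName -ErrorAction Stop } catch { $null }
    if ($null -eq $gpo) { $gpo = New-GPO -Name $GpoName }
    Set-GPRegistryValue -Name $GpoName -Key "HKCU\$StorePolicyPath" `
        -ValueName $StorePolicyValue -Type DWord -Value 1 | Out-Null
    # Linking an already linked GPO raises an error; ignore that case.
    New-GPLink -Name $GpoName -Target $TargetOU -ErrorAction SilentlyContinue | Out-Null
}

Get-StorePolicyState | Format-Table -AutoSize
```

Run Get-StorePolicyState first to see which hive, if any, already carries the setting; a value in HKLM applies to every user of the computer, so a Computer Configuration policy is the right choice when the goal is a rigid desktop standard rather than a per-user restriction.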

Controlling the Windows Store Apps That Can Be Installed


In addition to disabling the Windows Store on a computer, you also can use AppLocker to control which
apps can be installed.
Note: This module covers AppLocker later.

Managing Updates

Information technology (IT) administrators have limited control over updates for installed Windows Store
apps. By default, the update process for apps is automated for users of Windows 8.1 computers. It is
possible to turn off automatic updates for apps at any time by configuring the App updates setting within
the Windows Store. Unless you disable the automatic app updates, you cannot control which updates are
available. Once triggered, all updates will be downloaded.

How to Sideload Windows Store Apps


Many larger organizations will want to distribute Windows Store apps to their client computers that are
intended for internal use only. These line-of-business (LOB) apps are not available at the Windows Store.
Therefore, you must provide some other method for distributing and installing these apps. Sideloading
provides such a mechanism for the distribution of LOB apps to client computers without publishing them
to and downloading them from the Windows Store.

You can use the Dism.exe command-line tool and Windows PowerShell to add, list, and remove LOB
apps. Windows PowerShell is the preferred method because it provides administrators much more
functionality to sideload, especially when deploying a LOB app to a large volume of client computers.

Note: Enterprises also can use Windows Intune to deploy apps via the Windows 8.1 Self-Service Portal app.

To prevent malware from deploying via the sideloading process, Windows 8.1 only allows apps that have
been signed by the developer using a trusted root certificate. If your organization creates a LOB app, it
also should be signed by using the organizational trusted root certificate. You can use a self-signed
certificate to sideload an app, but administrators should note that this is not a best practice in a
production environment.

Sideloading Requirements: Enterprise Scenarios


Computers must meet the following requirements to sideload Windows Store apps on them:

Computers must run the Windows 8.1 Enterprise operating system.

Computers must be members of a domain.

The Allow all trusted apps to install GPO setting must be enabled.

The app must be digitally signed.

Sideloading Requirements: BYOD Scenarios

In a Bring Your Own Device (BYOD) scenario where a personal device such as a Microsoft Surface 2 tablet
is used in the workplace, you also can sideload this device with LOB apps by first installing a sideloading
product key on the device. A sideloading product key can be obtained in the following ways:

A developer will have a license to test sideloading of an app on devices.

From Microsoft Volume Licensing.

To activate a sideloading product key, follow this procedure:

1. Select Command Prompt (Admin) from the Administrative menu by pressing Windows logo
key+X.

2. Type Slmgr /ipk <sideloading product key>.

3. Type Slmgr /ato ec67814b-30e6-4a50-bf7b-d55daf729d1e.

4. Restart the Windows operating system.

Note: The activation GUID will always be ec67814b-30e6-4a50-bf7b-d55daf729d1e.

Demonstration: Sideloading Windows Store Apps


In this demonstration, you will see how to:

Enable sideloading.

Install the root certificate.

Install a Windows Store app.

Remove an installed Windows Store app.

Demonstration Steps

Enable sideloading

1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.

2. Open the Local Group Policy Editor (Gpedit.msc).

3. Under Local Computer Policy in the navigation pane, expand Computer Configuration, expand
Administrative Templates, expand Windows Components, and then click App Package
Deployment.

4. In the results pane, double-click Allow all trusted apps to install.

5. In the Allow all trusted apps to install dialog box, click Enabled, and then click OK.

6. Force a Group Policy update.

7. Close all open windows.

Install the root certificate

Note: To be able to sideload the app, the Windows operating system must trust the app.
For testing purposes, the app is using a self-signed certificate. You need to install the root
certificate on the client.

1. Right-click the file E:\Labfiles\Mod11\LeXProductsGrid81_1.1.0.2_AnyCPU.cer.

2. Install the certificate into the Local Machine Trusted Root Certification Authorities certificate
store.

3. Confirm that the import was successful.

Note: Your Windows Store apps must be digitally signed and can be installed only on
computers that trust the certification authority that provided the app's signing certificate.

Install a Windows Store app

1. Sign in to LON-CL1 as Adatum\Dan with password Pa$$w0rd.

2. On LON-CL1, at a Windows PowerShell command prompt, type add-appxpackage
E:\Labfiles\Mod11\LeXProductsGrid81_1.1.0.2_AnyCPU.appx, and then press Enter.

3. On the Start screen, type TestAppTKL1 and then press Enter. Verify that the six groups of tiles are
present in the TestAppTKL1 app.

Remove an installed Windows Store app

1. On the Start screen, right-click the TestAppTKL1 tile, and then click Uninstall.

2. Sign out of LON-CL1.
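The enterprise sideloading requirements listed earlier and the demonstration steps above can be scripted end to end, which is how you would roll a LOB app out to many computers. The following Windows PowerShell script is an added example and is not part of the course or its lab files. It assumes the lab paths shown in the demonstration, that the Allow all trusted apps to install policy is backed by the REG_DWORD value AllowAllTrustedApps under HKLM\Software\Policies\Microsoft\Windows\Appx, and that the package file follows the Name_Version_Architecture.appx naming convention so the package name can be read from the file name.

```powershell
# Added example; not course material. Checks the enterprise sideloading
# prerequisites, trusts the app's signing certificate, installs the package for
# the current user, verifies the registration, and removes it again.
# Assumptions: lab file paths from the demonstration; the "Allow all trusted
# apps to install" policy is backed by REG_DWORD AllowAllTrustedApps under
# HKLM\Software\Policies\Microsoft\Windows\Appx; the file name follows
# Name_Version_Architecture.appx.
$PackagePath = 'E:\Labfiles\Mod11\LeXProductsGrid81_1.1.0.2_AnyCPU.appx'
$CertPath    = 'E:\Labfiles\Mod11\LeXProductsGrid81_1.1.0.2_AnyCPU.cer'

function Test-SideloadPrerequisites {
    # One row per requirement from the "Sideloading Requirements" list.
    param([string]$Path)
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $pol = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\Appx' -ErrorAction SilentlyContinue
    $sig = Get-AuthenticodeSignature -FilePath $Path   # 'Valid' only if the chain is trusted

    $checks = [ordered]@{
        'Windows 8.1 Enterprise'            = ($os.Caption -like '*Windows 8.1 Enterprise*')
        'Domain-joined'                     = [bool]$cs.PartOfDomain
        'Allow all trusted apps to install' = ($null -ne $pol -and $pol.AllowAllTrustedApps -eq 1)
        'Package signed and trusted'        = ($sig.Status -eq 'Valid')
    }
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Requirement = $name; Met = $checks[$name] }
    }
}

function Install-AppSigningRoot {
    # Imports the certificate into Local Machine\Trusted Root Certification
    # Authorities, the store used in the demonstration. Needs elevation.
    param([string]$Path)
    $thumb = (Get-PfxCertificate -FilePath $Path).Thumbprint
    if (-not (Get-Item -Path "Cert:\LocalMachine\Root\$thumb" -ErrorAction SilentlyContinue)) {
        Import-Certificate -FilePath $Path -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
    }
    return [bool](Get-Item -Path "Cert:\LocalMachine\Root\$thumb" -ErrorAction SilentlyContinue)
}

function Get-PackageNameFromFile {
    # First segment of Name_Version_Architecture.appx
    param([string]$Path)
    return ([System.IO.Path]::GetFileNameWithoutExtension($Path) -split '_')[0]
}

function Install-SideloadedApp {
    # Per-user install, as in the demonstration; returns the registered identity.
    param([string]$Path)
    Add-AppxPackage -Path $Path
    $name = Get-PackageNameFromFile -Path $Path
    $pkg  = Get-AppxPackage -Name $name
    if (-not $pkg) { throw "Package $name is not registered for $env:USERNAME" }
    [pscustomobject]@{
        Name      = $pkg.Name
        Version   = $pkg.Version
        Publisher = $pkg.Publisher      # must match the trusted certificate's subject
        FullName  = $pkg.PackageFullName
    }
}

function Remove-SideloadedApp {
    # Removes the app for the current user and reports whether it is gone.
    param([string]$Path)
    $name = Get-PackageNameFromFile -Path $Path
    Get-AppxPackage -Name $name | Remove-AppxPackage
    return -not (Get-AppxPackage -Name $name)
}

# To provision the app for every future user of the computer instead of only
# the current one (the large-volume case the text refers to):
#   Add-AppxProvisionedPackage -Online -PackagePath $PackagePath -SkipLicense
# Dism.exe equivalent:
#   Dism /Online /Add-ProvisionedAppxPackage /PackagePath:<path> /SkipLicense

Test-SideloadPrerequisites -Path $PackagePath | Format-Table -AutoSize
```

Run the prerequisite check before the install: Add-AppxPackage fails with a trust error when the signing certificate is not in the Trusted Root store, and with a policy error when Allow all trusted apps to install is not enabled, so checking the four requirements first tells you which one to fix. The signature status also shows why a self-signed certificate is acceptable only for testing: trusting it requires placing a root certificate on every client, which is exactly what an organizational certification authority already provides.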


Lesson 3

Configuring Internet Explorer Settings


A browser is like any other application. You either can manage and secure it well, or manage it poorly.
If you manage a browser poorly, you and your organization risk consuming more time and money
supporting users and dealing with security infiltrations, malware, and loss of productivity.

Users can browse more safely by using Internet Explorer 11, which in turn helps maintain customer trust
in the Internet and helps protect the IT environment from the evolving threats that the web presents.
Internet Explorer 11 specifically helps users maintain their privacy with features such as InPrivate
Browsing and InPrivate Filtering. The SmartScreen Filter provides protection against social engineering
attacks by:

Identifying malicious websites that try to trick people into providing personal information or installing
malware.

Blocking malware downloads.

Providing enhanced antimalware support.

Internet Explorer 11 helps prevent a browser from becoming an attack agent, and it provides more
detailed control over the installation of ActiveX controls with per-site and per-user ActiveX features.
The cross-site scripting filter protects websites from attacks.

Lesson Objectives
After completing this lesson, you will be able to:

Describe Compatibility View.

Explain the function of various Internet Explorer privacy features.

Describe the SmartScreen feature.

Explain how to manage Internet Explorer add-ons.

List and explain other Internet Explorer security features.

Configure security settings in Internet Explorer.

What Is Compatibility View?


None of the improvements in Internet Explorer 11 matter if websites look bad or work poorly. Internet
Explorer 11 includes advancements in compliance with web standards, enabling websites to be created
more efficiently and operate more predictably. Each new version of Internet Explorer must try to maintain
compatibility with existing websites. Internet Explorer 11 includes multiple layout engines, putting the
decision of whether Internet Explorer 11 needs to support legacy behaviors or strict standards in the
hands of web developers, who can specify which layout engine to use on a page-by-page basis.


Internet Explorer 11 provides an automatic Compatibility View that invokes an older Internet Explorer
engine to display webpages whenever detecting a legacy website. This helps improve compatibility with
applications written for older versions of Internet Explorer. If you do not see the Compatibility View
button appear in the Address bar, there is no need to turn on Compatibility View because Internet
Explorer 11 will have detected that the webpage has loaded correctly.
Note: By default, intranet sites and apps continue to run in Internet Explorer 11, which
supports Compatibility View.

Compatibility View in Internet Explorer 11 helps display a webpage as it is meant to be viewed. This view
provides a straightforward way to fix display problems such as out-of-place menus, images, and text. The
main features in Compatibility View are:

Internet websites display in Internet Explorer 11 standards mode by default. Use the Compatibility
View button to fix sites that render differently than expected.

Internet Explorer 11 remembers sites that have been set to Compatibility View so that a user only
needs to press the button once for a site. After that, the site always renders in Compatibility View
unless it is removed from the list.

Intranet websites display in Compatibility View by default. This means that internal websites that were
created for older versions of Internet Explorer will work.

You can use Group Policy to set a list of websites to render in Compatibility View.

Switching in and out of Compatibility View occurs without requiring that a user restart the browser.

The Compatibility View button displays only if it is not clearly stated how the website is to render. In
other cases, such as viewing intranet sites or viewing sites with a <META> tag or an HTTP header that
indicates Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 standards, the
button is hidden.
When Compatibility View is activated, the page refreshes and a balloon tip in the taskbar notification area
indicates that the site is now running in Compatibility View.

Configuring Compatibility View

The Compatibility View settings option in the Tools menu enables you to customize Compatibility View
to meet enterprise requirements. For example, you can configure it so that all intranet sites display in
Compatibility View (the default), or you can configure it so that all websites are viewed in Compatibility
View.
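The Group Policy route mentioned above, a list of websites that always render in Compatibility View, can also be maintained from Windows PowerShell. The following script is an added example and is not part of the course. It assumes that the Use Policy List of Internet Explorer 7 sites setting stores one REG_SZ value per site, with both the value name and its data set to the host name, under HKCU\Software\Policies\Microsoft\Internet Explorer\BrowserEmulation\PolicyList; the site names and GPO name used are placeholders.

```powershell
# Added example; not course material. Maintains the Group Policy list of sites
# that Internet Explorer 11 renders in Compatibility View.
# Assumption: the "Use Policy List of Internet Explorer 7 sites" setting keeps one
# REG_SZ value per site (name and data both the host name) under this key.
$CompatPolicyKey = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\BrowserEmulation\PolicyList'

function ConvertTo-CompatSiteName {
    # The list takes host names only. A pasted URL is reduced to its host, and
    # anything that is still not a plain host name is rejected rather than stored.
    param([string]$Site)
    $name = $Site.Trim()
    if ($name -match '^[a-z]+://') { $name = ([uri]$name).Host }
    $name = $name.TrimEnd('/')
    if ($name -notmatch '^[A-Za-z0-9.-]+$') { throw "Not a valid host name: $Site" }
    return $name.ToLowerInvariant()
}

function Get-CompatViewPolicySites {
    # Returns the host names currently forced into Compatibility View by policy.
    if (-not (Test-Path -Path $CompatPolicyKey)) { return @() }
    return @((Get-Item -Path $CompatPolicyKey).GetValueNames() | Sort-Object)
}

function Add-CompatViewPolicySite {
    param([string[]]$Site)
    if (-not (Test-Path -Path $CompatPolicyKey)) { New-Item -Path $CompatPolicyKey -Force | Out-Null }
    foreach ($s in $Site) {
        $name = ConvertTo-CompatSiteName -Site $s
        Set-ItemProperty -Path $CompatPolicyKey -Name $name -Value $name -Type String
    }
}

function Remove-CompatViewPolicySite {
    param([string[]]$Site)
    if (-not (Test-Path -Path $CompatPolicyKey)) { return }
    foreach ($s in $Site) {
        $name = ConvertTo-CompatSiteName -Site $s
        Remove-ItemProperty -Path $CompatPolicyKey -Name $name -ErrorAction SilentlyContinue
    }
}

# Domain-wide equivalent with the GroupPolicy module (GPO name is a placeholder):
#   Set-GPRegistryValue -Name 'IE Compatibility View (example)' `
#       -Key 'HKCU\Software\Policies\Microsoft\Internet Explorer\BrowserEmulation\PolicyList' `
#       -ValueName 'legacy.adatum.com' -Type String -Value 'legacy.adatum.com'

Add-CompatViewPolicySite -Site 'http://intranet.adatum.com/portal', 'legacy.adatum.com'
Get-CompatViewPolicySites
```

Because the list is policy-backed, users cannot remove an entry with the Compatibility View button, and Internet Explorer picks up changes at its next start. Keep the list to the intranet applications that genuinely need a legacy engine: a site rendered in Compatibility View runs with the older document mode, so forcing every site onto the list gives up the standards-mode behavior the rest of this lesson relies on.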

Privacy Features
One of the biggest concerns for users and organizations is the issue of security and privacy when using
the Internet. Internet Explorer 11 helps users maintain their security and privacy. For enterprises that need
users to be able to browse without collecting browsing history, Internet Explorer 11 has a privacy mode
called InPrivate Browsing, which allows users to surf the web without leaving a trail. As an alternative to
InPrivate Browsing, a user can use the Delete Browsing history option found in the Internet options dialog
box to delete their browsing history manually without losing site functionality.

InPrivate Browsing


InPrivate Browsing helps protect data and privacy by preventing the browser from locally storing or
retaining browsing history, temporary Internet files, form data, cookies, user names, and passwords. This
leaves virtually no evidence of browsing or search history as the browsing session does not store session
data.
From an enterprise and IT professional perspective, InPrivate Browsing is inherently more secure than
using the Delete Browsing history option to maintain privacy because there are no logs kept or tracks
made during browsing. InPrivate Browsing is a proactive feature because it enables you to control what
is tracked in a browsing session.
Some users might attempt to use InPrivate Browsing to conceal their tracks when browsing prohibited
or nonwork websites. However, you have full manageability control, and you can use Group Policy to
configure how your organization uses InPrivate Browsing.

Tracking Protection

Most websites today contain content from several different sites. The combination of these sites
sometimes is referred to as a mashup. People begin to expect this type of integration, from something
like an embedded map from a mapping site, to greater integration of advertisements or multimedia
elements. Organizations try to offer more of these experiences because it draws potential customers to
their site. This capability makes the web more robust, but it also provides an opportunity for a hacker to
create and exploit vulnerabilities.

Every piece of content that a browser requests from a website discloses information to that site,
sometimes even if a user has blocked all cookies. Often, users are not fully aware that their web browsing
activities are tracked by websites other than those they have consciously chosen to visit.

Tracking Protection monitors the frequency of all third-party content as it appears across all websites that
a user visits. An alert or frequency level is configurable and is initially set to 10. Third-party content that
appears with high incidence is blocked when the frequency level is reached. Tracking Protection does not
discriminate between different types of third-party content. It blocks content only when it appears more
than the predetermined frequency level.
Note: Tracking Protection Lists can help increase your browsing privacy. When you install
a Tracking Protection List, you will prevent the websites specified in the list from sending your
browsing history to other content providers. Microsoft maintains a website that contains Tracking
Protection Lists that you can install.

Tracking Protection Lists
www.iegallery.com

Delete Browsing History


Cookies and cookie protection are one aspect of online privacy. Some organizations write scripts to clean
up cookies and browsing history at the end of a browsing session. This type of environment might be
necessary for sensitive data, for regulatory or compliance reasons, or for private data in the healthcare
industry.
The Delete Browsing History dialog box in Internet Explorer 11 enables users and organizations to delete
browsing history selectively. For example, a history can be removed for all websites except those in a
user's Favorites. You can switch this feature on and off in the Delete Browsing History dialog box, and it
is called Preserve Favorites website data.

You can configure Delete Browsing history options through Group Policy. You also can configure which
sites are included automatically in Favorites. This allows you to create policies that ensure security without
affecting daily interactions with a user's preferred and favorite websites. The Delete browsing history on
exit check box in Internet options allows you to delete the browsing history automatically when Internet
Explorer 11 closes.

The SmartScreen Feature


Businesses put a lot of effort into protecting computer assets and resources. Phishing attacks, otherwise
known as social engineering attacks, can evade those protections and result in users giving up personal
information. The majority of phishing scams target individuals in an attempt to extort money or perform
identity theft. The SmartScreen Filter helps protect against phishing websites, other deceptive sites, and
sites known to distribute malware.

How the SmartScreen Filter Works

The SmartScreen Filter was introduced in previous versions of Internet Explorer and has developed into a
range of defensive tools, including:

Windows SmartScreen, which is the client feature.

SmartScreen Filter, which is the spam filtering solution that is built into Microsoft email solutions.

Internet Explorer 11 SmartScreen Filter.

The SmartScreen Filter component of Internet Explorer 11 relies on a web service that is backed by a
Microsoft-hosted URL reputation database. The SmartScreen Filter's reputation-based analysis works
alongside other signature-based antimalware technologies, such as Windows Defender, to provide
comprehensive protection against malware. With the SmartScreen Filter enabled, Internet Explorer 11
performs a detailed examination of an entire URL string and compares the string to a database of sites
known to distribute malware. The SmartScreen Filter then checks the website that a user is visiting against
a dynamic list of reported phishing sites and malware sites. If the website is known to be unsafe, it is
blocked and the user is notified.

Manually Checking Website Safety


You can check the safety of a website manually with SmartScreen Filter. To do so, perform the following
procedure:

1. On the Start screen, click Internet Explorer.

2. Visit the website that you want to check.

3. On the Tools menu, click Safety.

4. Click SmartScreen Filter, and then click Check This Website.

Turning Off SmartScreen Filter

To turn off SmartScreen Filter, follow this procedure:

1. On the Start screen, click Internet Explorer.

2. On the Tools menu, click Safety.

3. Click Turn off SmartScreen Filter.

4. In the Microsoft SmartScreen Filter dialog box, click OK.

Turning On SmartScreen Filter

Follow this procedure to turn on SmartScreen Filter:

1. On the Start screen, click Internet Explorer.

2. On the Tools menu, click Safety.

3. Click Turn on SmartScreen Filter.

4. In the Microsoft SmartScreen Filter dialog box, click OK.

Managing Internet Explorer Add-ons


Most websites will display normally when you use Internet Explorer without any add-ons or
modifications. Internet Explorer 11, which Windows 8.1 includes by default, is designed to provide an
experience that is free from add-ons. Add-ons that enhance the browsing experience by providing
multimedia content also are referred to as:

ActiveX controls

Plug-ins

Browser extensions

Browser helper objects

Toolbars

Explorer bars

Search providers

Accelerators

Tracking Protection Lists

The following are examples of plug-in based technology:

Microsoft Silverlight

Apple QuickTime

Java applets

Adobe Flash Player

Skype Click to Call


Two popular multimedia extensions, HTML5 and Adobe Flash, are supported out-of-the-box as a
platform feature on both the Internet Explorer and Internet Explorer for the desktop version. In previous
versions of Internet Explorer, some multimedia add-ons could cause security concerns, which now have
been addressed. This is because Automatic Updates is able to patch Internet Explorer and remediate
problems quickly whenever a problem is identified.

Sometimes an add-on such as a pop-up advertisement can annoy users or even create problems and
affect browser performance. A user can disable an individual add-on or all add-ons within Internet
Explorer 11 by using the Manage Add-ons dialog box. To do so, perform the following procedure:

1. From the Start screen, click Internet Explorer.

2. On the Tools menu, click Manage add-ons.

3. In the Manage Add-ons dialog box, in the Show drop-down list, click All add-ons.

4. Find the name of the add-on that you want to modify in the reading pane. To disable an add-on,
click it, and then click Disable. To enable an add-on, tap or click it, and then click Enable.

5. Close the Manage Add-ons dialog box.

Note: Add-ons will work only in Internet Explorer for the desktop. The Windows UI version
of Internet Explorer always runs with Enhanced Protected Mode enabled, which means add-on-free
browsing.

If an organization wants to restrict users from viewing Adobe Flash videos, you can turn this feature on or
off by using the Group Policy setting by performing the following procedure:

1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.

2. On the Start screen, type gpedit.msc, and then press Enter.

3. In the Local Group Policy Editor, expand User Configuration, expand Administrative Templates,
expand Windows Components, expand Internet Explorer, expand Security Features, expand Add-on
Management, and then double-click Turn off Adobe Flash in Internet Explorer and prevent
applications from using Internet Explorer technology to instantiate Flash objects.

4. Click Enabled.

5. Close Local Group Policy Editor.

Windows 8.1 provides more than 90 GPOs that allow IT professionals to manage Internet Explorer 11 by
using Group Policy. Settings that are related to Internet Explorer 11 can be found within the following
locations in the Local Group Policy Editor:

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer

User Configuration\Administrative Templates\Windows Components\Internet Explorer


Another popular add-on that can increase productivity for users is modifying the default Internet search
provider. This can be achieved by performing the following procedure:

1. From the Start screen, click Internet Explorer.

2. On the Tools menu, click Manage add-ons.

3. In the Manage Add-ons dialog box, click Search Providers.

4. Right-click the name of the search provider that you want to use in the reading pane, and then click
Set as default.

5. If the search provider is not listed, click Find more search providers.

6. On the Internet Explorer Gallery webpage at http://www.iegallery.com/en-us/addons, click the
search provider.

7. Click Add to Internet Explorer.

8. In the Manage Add-ons dialog box, click Search Providers, right-click the search provider that you
added, and then click Set as default.

9. Close the Manage Add-ons dialog box.

Internet Explorer Administration Kit

The Internet Explorer Administration Kit (IEAK) 11 is a set of tools that IT professionals can use to create,
deploy, and manage customized versions of Internet Explorer 11 for use in organizations.

Internet Explorer Administration Kit Information and Downloads
http://go.microsoft.com/fwlink/?LinkId=378256&clcid=0x409

Atari Arcade with Internet Explorer 11 brings arcade classics to the web; this is an example
of the capabilities available within the modern browser.
http://go.microsoft.com/fwlink/?LinkId=378257&clcid=0x409

Other Security Features


Additional security features in Internet Explorer 11 include the following:

You can increase security and trust through improvements in ActiveX controls that enable control of
how and where an ActiveX control loads and which users can load them.

The Cross-Site Scripting Filter helps block Cross-Site Scripting attacks, one of the most common website
vulnerabilities today.

Data Execution Prevention (DEP) is enabled by default to help prevent system attacks where malware
exploits memory-related vulnerabilities to execute code.

ActiveX Controls and Management


ActiveX controls are relatively straightforward to create and deploy, and they provide extra functionality
beyond regular webpages. Organizations cannot control the inclusion of ActiveX controls or how they are
written. Therefore, organizations need a browser that provides flexibility in dealing with ActiveX controls
so that they are usable, highly secure, and pose as small a threat as possible.

Per-user ActiveX

By default, Internet Explorer 11 employs ActiveX Opt-In, which disables most controls on a user's
computer. Per-user ActiveX makes it possible for standard users to install ActiveX controls in their own
user profile without requiring administrative permissions. This helps organizations realize the full benefit
of UAC, giving standard users the ability to install ActiveX controls that are necessary in their daily
browsing.
In most situations, if a user happens to install a malicious ActiveX control, the overall system remains
unaffected because the control is installed under the user's account only. Because installations are
restricted to a user profile, the cost and risk of a compromise are lowered significantly.

When a webpage attempts to install a control, an information bar is displayed to the user. The user can
choose to install the control system-wide or only for his or her user account. The options in the ActiveX
menu vary depending on a user's rights, as managed by Group Policy settings, and whether the control
has been packaged to allow per-user installation. You can disable this feature in Group Policy.

Per-site ActiveX

When a user navigates to a website that contains an ActiveX control, Internet Explorer 11 performs a
number of checks, including a determination of where a control is permitted to run. If a control is installed
but is not permitted to run on a specific site, an information bar appears that asks the user's permission to
run on the current website or on all websites. Administrators can use Group Policy to preset Internet
Explorer configurations with allowed ActiveX controls and their related trusted domains.

Cross-Site Scripting Filter

Most sites have a combination of content from local site servers and content obtained from other sites or
partner organizations. Cross-Site Scripting attacks exploit vulnerabilities in web applications and enable an
attacker to control the relationship between a user and a website or web application that they trust.
Cross-Site Scripting can enable attacks such as:

Cookie theft, including session cookies, which can lead to account hijacking.

Monitoring keystrokes.

Performing actions on the victim website on behalf of the victim user.

Cross-Site Scripting can use a victim's website to subvert a legitimate website.

Internet Explorer 11 includes a filter that helps protect against Cross-Site Scripting attacks. The Cross-Site
Scripting Filter has visibility into all requests and responses flowing through the browser. When the filter
discovers likely Cross-Site Scripting in a request, it identifies and neutralizes the attack if it is replayed in
the server's response. The Cross-Site Scripting Filter helps protect users from website vulnerabilities. It does
not ask difficult questions that users are unable to answer, nor does it harm functionality on a website.

DEP

Internet Explorer 7 introduced a Control Panel option to enable memory protection to help mitigate
online attacks: DEP or No Execute (NX). DEP/NX helps thwart attacks by preventing code from running
in memory that is marked non-executable, such as a virus disguised as a picture or video. DEP/NX also
makes it harder for attackers to exploit certain types of memory-related vulnerabilities, such as buffer
overruns.


DEP/NX protection applies to both Internet Explorer and the add-ons it loads. No additional user
interaction is required to activate this protection, and unlike Internet Explorer 7, this feature is enabled by
default for Internet Explorer 11.

Enhanced Protected Mode

Protected Mode was first introduced in Internet Explorer 7 with Windows Vista as a defense-in-depth
feature, which reduced the amount of permissions that a browser was given to modify system settings
or to write to a computer's hard disk. Internet Explorer 11 builds on the additional security in previous
versions of Internet Explorer. Unlike Internet Explorer 10, Enhanced Protected Mode is turned on by
default in Internet Explorer 11.

The inclusion of some additional capabilities in Enhanced Protected Mode is described in the following
table.

Enhancement: 64-bit processes
Description: Protection against address space layout randomization and heap spraying attacks.

Enhancement: Protecting your personal information
Description: Enhanced Protected Mode restricts Internet Explorer from file locations that contain your
personal information until you grant permission to it.

Enhancement: Protecting your corporate assets
Description: Enhanced Protected Mode restricts an exploit's ability to access corporate network resources.

IEBlog: Enhanced Protected Mode
http://go.microsoft.com/fwlink/?LinkId=378258&clcid=0x409
Question: What is the Cross-Site Scripting Filter?
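The lesson has pointed at several Group Policy settings: turning off InPrivate Browsing, deleting browsing history on exit, keeping SmartScreen Filter on, leaving DEP on, and enforcing Enhanced Protected Mode. An auditor's first question is whether those settings are actually enforced on a given computer or merely left at their defaults, where a user can change them. The following Windows PowerShell script is an added example and is not part of the course. It assumes the registry mapping listed in $IEPolicyChecks, that is, the ADMX-backed values under Software\Policies\Microsoft\Internet Explorer, and that a value in HKLM takes precedence over the same value in HKCU.

```powershell
# Added example; not course material. Reports whether the Internet Explorer 11
# protections discussed in this lesson are enforced by policy on this computer.
# Assumption: the Group Policy settings map to these registry values (ADMX-backed
# locations under Software\Policies\Microsoft\Internet Explorer); HKLM wins over HKCU.
$IEPolicyRoot = 'Software\Policies\Microsoft\Internet Explorer'

$IEPolicyChecks = @(
    @{ Setting = 'InPrivate Browsing turned off';          SubKey = 'Privacy';        Name = 'EnableInPrivateBrowsing';    Want = 0 }
    @{ Setting = 'Delete browsing history on exit';        SubKey = 'Privacy';        Name = 'ClearBrowsingHistoryOnExit'; Want = 1 }
    @{ Setting = 'SmartScreen Filter on, not manageable';  SubKey = 'PhishingFilter'; Name = 'EnabledV9';                  Want = 1 }
    @{ Setting = 'Data Execution Prevention not disabled'; SubKey = 'Main';           Name = 'DEPOff';                     Want = 0 }
    @{ Setting = 'Enhanced Protected Mode enforced';       SubKey = 'Main';           Name = 'Isolation';                  Want = 'PMEM' }
)

function Get-IEPolicyValue {
    # Returns the effective policy data and the hive that supplied it, or $null
    # when neither Computer nor User Configuration carries the value.
    param([string]$SubKey, [string]$Name)
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\$IEPolicyRoot\$SubKey"
        if (Test-Path -Path $key) {
            $props = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
            if ($null -ne $props) {
                return [pscustomobject]@{ Hive = $hive; Data = $props.$Name }
            }
        }
    }
    return $null
}

function Invoke-IEPolicyAudit {
    # One row per setting: Enforced, Configured but weaker, or Not configured.
    foreach ($c in $IEPolicyChecks) {
        $found = Get-IEPolicyValue -SubKey $c.SubKey -Name $c.Name
        if ($null -eq $found) {
            $status = 'Not configured (browser default applies; user can change it)'
        } elseif ("$($found.Data)" -eq "$($c.Want)") {
            $status = "Enforced via $($found.Hive)"
        } else {
            $status = "Configured but weaker than expected: $($found.Data) via $($found.Hive)"
        }
        [pscustomobject]@{
            Setting  = $c.Setting
            Registry = "$($c.SubKey)\$($c.Name)"
            Expected = $c.Want
            Status   = $status
        }
    }
}

Invoke-IEPolicyAudit | Format-Table -AutoSize
```

A row that reads Not configured is not necessarily a problem: DEP and Enhanced Protected Mode are on by default in Internet Explorer 11, so their defaults already give you the protection. The point of the audit is the difference between a default a user can switch off in Internet options and a policy that Group Policy re-applies at every refresh; for the InPrivate Browsing and browsing-history controls the text describes, only the enforced state meets the requirement.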

Demonstration: Configuring Internet Explorer


In this demonstration, you will see how to:

Configure Compatibility View.

Delete browsing history.

Configure InPrivate Browsing.

View the add-on management interface.

Manage downloading with the Download Manager.

Demonstration Steps

Configure Compatibility View

1. Sign in to LON-CL1 as administrator, and then open Internet Explorer.

2. Enable the Menu bar.

3. In Internet Explorer, open the LON-DC1 website at http://LON-DC1.

4. Add the website to Compatibility View.

Delete browsing history

1. In Internet Explorer, open the LON-DC1 website at http://LON-DC1.

2. Delete the selected browsing history.

Configure InPrivate Browsing

1. Open InPrivate Browsing.

2. In Internet Explorer, open the LON-DC1 website at http://LON-DC1.

3. Verify that the website address has not been retained in the browsing history.

View the add-on management interface

1. Open the Add-on manager.

2. Review the current add-ons.

Download a file

1. Navigate to http://LON-DC1, and then click the Download Current Projects link.

2. View the current downloads.

3. Open a downloaded file.

4. Close Microsoft Office Excel and other open windows.


Lab A: Configuring Internet Explorer Security

Scenario

Holly Dickson at A. Datum Corporation is concerned about her users' security settings when they are
browsing the Internet, especially when they are doing so while connected to their customers' networks.
She has asked you to investigate the improvement of Internet Explorer security settings on her users'
computers.

Objectives
After completing this lab, you will be able to:

- Configure security settings in Internet Explorer.

Lab Setup
Estimated Time: 15 minutes
Virtual machines: 20687D-LON-DC1, 20687D-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in by using the following credentials:
   - User name: Administrator
   - Password: Pa$$w0rd
   - Domain: Adatum
5. Repeat steps 2 through 4 for 20687D-LON-CL1.

Exercise 1: Configuring Internet Explorer

Scenario

In this exercise, you will implement some of the security and compatibility features in Internet Explorer 11.
The main tasks for this exercise are as follows:
1. Enable Compatibility View in Internet Explorer.
2. Delete browsing history.
3. Configure InPrivate Browsing.
4. Configure intranet security settings.
5. View the add-on management interface.
6. Download a file.

Task 1: Enable Compatibility View in Internet Explorer


1. On LON-CL1, sign in as Adatum\Administrator with password Pa$$w0rd, and then open Internet Explorer.
2. Verify that Internet Explorer uses Microsoft compatibility lists.

Task 2: Delete browsing history

1. On the Tools menu, click Internet options and then open the Delete Browsing History dialog box.
2. In the Delete Browsing History dialog box, select the Preserve Favorites website data and History check boxes. Clear all other options, click Delete, and then click OK.
3. Close Internet Explorer.
4. Open Internet Explorer, navigate to http://LON-DC1, and then verify that this site's address is stored in your history.
5. Delete the browsing history again, selecting only Temporary Internet files and website files, Cookies and website data, and History.
6. Verify that there are no site addresses showing in your history.

Task 3: Configure InPrivate Browsing

1. Open an InPrivate Browsing window.
2. Navigate to http://LON-DC1.
3. Confirm that this address has not been retained in your site history.
4. Close Internet Explorer.

Task 4: Configure intranet security settings

1. Configure the Local intranet security settings to High.
2. In the Address bar, type http://LON-DC1, and then press Enter.
3. Click the Current Projects link on the intranet home page. This fails to load a required add-on. Close the newly opened tab.
4. Add the local intranet to the trusted sites.
5. Click the Current Projects link on the intranet home page. This attempt is successful.

Task 5: View the add-on management interface

1. In Internet Explorer, from the Tools menu, open the Manage Add-ons dialog box.
2. Review the current add-ons.

Task 6: Download a file

1. Browse to http://LON-DC1, and then click the Download Current Projects link.
2. View the current downloads.
3. Open a downloaded file.
4. Close Excel.
5. Close all open windows.
6. Sign out of LON-CL1.


Results: After completing this exercise, you should have successfully configured security and compatibility
settings in Internet Explorer.

Prepare for the next lab

When you have finished the lab, leave the virtual machines running, as they are needed for the next
lab.

Lesson 4

Configuring Application Restrictions


The reliability and security of enterprise devices significantly increases with the ability to control which
applications a user, or set of users, can run. Overall, an application lockdown policy can lower the total
cost of computer ownership in an enterprise. AppLocker controls application execution and simplifies the
ability to author an enterprise application lockdown policy. It also reduces administrative overhead and
helps administrators control how users access and use files such as .exe and .appx files, scripts, Windows
Installer files (.msi, .mst, and .msp files), and .dll files.

Lesson Objectives
After completing this lesson, you will be able to:

- Describe how to use AppLocker to control application usage.
- Explain how AppLocker rules work to enforce your chosen application usage policy.
- Configure AppLocker rules.
- Enforce AppLocker rules.

What Is AppLocker?
Today's organizations face a number of challenges in controlling which applications run on client
computers, including:

- The packaged and custom applications that users can access.
- Which users are allowed to install new software.
- Which versions of applications are allowed to run, and for which users.

Users who run unauthorized software can experience a higher incidence of malware infections and
generate more help desk calls. However, it can be difficult for you to ensure that user computers run only
approved, licensed software.

Windows Vista addressed this issue by supporting software restriction policies, which administrators used
to define the list of applications that users were allowed to run. AppLocker builds on this security layer,
providing you with the ability to control how users run all types of applications, such as executable files,
Windows Store .appx apps, scripts, Windows Installer files (.msi, .mst, and .msp), and .dll files.

AppLocker Benefits

You can use AppLocker to specify exactly what is allowed to run on user PCs and devices. This allows
users to run the applications, installation programs, and scripts that they require to be productive, while
still providing the security, operational, and compliance benefits of application standardization.

AppLocker can be useful for organizations that want to:

- Limit the number and types of files that are allowed to run, by preventing unlicensed software or malware from running, and by restricting the ActiveX controls that are installed.
- Reduce the total cost of ownership by ensuring that workstations are homogeneous across an enterprise and that users only run software and applications that an enterprise approves.
- Reduce the possibility of information leaks from unauthorized software.

Question: What are some applications that are good candidates for you to apply an
AppLocker rule?

AppLocker Rules
You can prevent many problems in your work environment by controlling what applications a user can
run. AppLocker lets you do this by creating rules that specify exactly what applications a user is allowed to
run, and can be configured to continue to function even when applications are updated.
Because AppLocker is an additional Group Policy mechanism, IT professionals and system administrators
need to be comfortable with Group Policy creation and deployment. This makes AppLocker ideal for
organizations that currently use Group Policy to manage their Windows 8.1 computers or have per-user
application installations.

A new AppLocker Microsoft Management Console (MMC) snap-in in the Group Policy Management
Console (GPMC) offers an improvement to the process of creating AppLocker rules. AppLocker provides
several rule-specific wizards. You can use one wizard to create a single rule and another wizard to
generate rules automatically, based on your rule preferences and the folder that you select. The four
wizards that AppLocker offers administrators to author rules are:

- Executable Rules
- Windows Installer Rules
- Script Rules
- Packaged app Rules

At the end of the wizards, you can review a list of analyzed files. You then can modify the list to remove
any file before rules are created for the remaining files. You also can receive useful statistics about how
often a file has been blocked, or test the AppLocker policy for a specific computer.

Accessing AppLocker

To access AppLocker, run Gpedit.msc from the Start screen. Then browse to Computer Configuration,
Windows Settings, Security Settings, and then Application Control Policies. Expand the Application Control
Policies node, and click AppLocker.
In AppLocker you can configure Executable Rules, Windows Installer Rules, and Script Rules. For example,
you can right-click the Executable Rules node, and then click Create New Rule. You then can create a rule
that allows or denies access to an executable file based on such criteria as the file path or publisher.
AppLocker also will let you apply both default and automatically generated rules.

Creating Default AppLocker Rules


Many organizations implement standard user policies, which allow users to sign in to their computers only
as a standard user. More independent software vendors are creating per-user applications that do not
require administrative rights to be installed and are instead installed and run in the user profile folder. As
a result, standard users can install many applications and circumvent an application lockdown policy.
With AppLocker, you can prevent users from installing and running per-user applications by creating a set
of default AppLocker rules. Default rules also ensure that the key operating system files are allowed to run
for all users.
Note: Before you manually create new rules or automatically generate rules for a specific
folder, you must create default AppLocker rules.
Specifically, default rules enable the following:

- All users can run files in the default Program Files directory.
- All users can run all files that are signed by the Windows operating system.
- Members of the built-in Administrators group can run all files.

Perform the following procedure to create default AppLocker rules:
1. To open the Local Security Policy MMC snap-in, run secpol.msc.
2. In the console tree, double-click Application Control Policies, and then double-click AppLocker.
3. Right-click Executable Rules, and then click Create Default Rules.

By creating these rules, you also have automatically prevented all non-administrator users from being
able to run programs that are installed in their user profile directory. You can recreate the rules at any
time.
Note: Without default rules, critical system files might not run. Once you have created one
or more rules in a rule collection, only applications that are affected by those rules are allowed to
run. If default rules are not created and you are blocked from performing administrative tasks,
restart the computer in safe mode, add the default rules, delete any Deny rules that are
preventing access, and then refresh the computer policy.

Automatically Generating AppLocker Rules

Once you create default rules, you can create custom application rules. To facilitate creating sets or
collections of rules, AppLocker includes a new Automatically Generate Rules Wizard that is accessible from
the Local Security Policy console. This wizard simplifies the task of creating rules from a user-specified
folder. By running this wizard on reference computers and specifying a folder that contains the executable
files for applications for which you want to create rules, you can quickly create AppLocker policies
automatically.
When you create a rule manually, you can choose whether it is an Allow or Deny rule. Allow rules enable
applications to run, whereas Deny rules prevent applications from running. The Automatically Generate
Rules Wizard only creates Allow rules.

Note: After you create one or more rules in a rule collection, only applications that are
affected by those rules are allowed to run. For this reason, always create the default AppLocker
rules for a rule collection first. If you did not create default rules and are prevented from
performing administrative tasks, restart the computer in safe mode, add the default rules, delete
any Deny rules that are preventing access, and then refresh the computer policy.


You can create exceptions for executable files. For example, you can create a rule that allows all Windows
processes to run except Regedit.exe and then use audit-only mode to identify files that will not be
allowed to run if the policy is in effect. You can create rules automatically by running the wizard and
specifying a folder that contains the executable files for applications for which to create rules.
Note: Do not select a folder that contains one or more user profiles. Creating rules to allow
executable files in user profiles might not be secure.

Before you create the rules at the end of the wizards, review the analyzed files and view information
about the rules that will be created. After the rules are created, edit them to make them more or less
specific. For example, if you selected the Program Files directory as the source for automatically
generating the rules and also created the default rules, there is an extra rule in the Executable Rules
collection.

Automatically Generating Rules

To generate rules automatically from a reference folder:
1. Ensure that the Local Security Policy MMC is open.
2. In the console tree under Application Control Policies\AppLocker, right-click Executable Rules, and then click Automatically Generate Rules.
3. On the Folder and Permissions page, click Browse.
4. In the Browse For Folder dialog box, select the folder that contains the executable files that you want to create the rules for, and then click OK.
5. Type a name to identify the rules, and then click Next. To help sort the rules in the MMC list view, the name that you provide is used as a prefix for the name of each rule that is created.
6. On the Rule Preferences page, click Next without changing any of the default values. The Rule generation progress dialog box is displayed while the files are processed.
7. On the Review Rules page, click Create. The wizard closes, and the rules are added to the Executable Rules details pane.

After automatically generating rules based on your preferences, you can edit the rules to make them
more detailed.

Creating Rules Allowing Only Signed Applications to Run

With the advent of new experimental identification technologies in web browsers and operating
systems, more independent software vendors are using digital signatures to sign their applications. These
signatures simplify an organization's ability to identify applications as genuine and to create a better and
more trustworthy user experience.
Creating rules based on the digital signature of an application helps make it possible to build rules that
survive application updates. For example, an organization can create a rule to allow all versions greater
than 9.0 of a program to run if it is signed by the software publisher. In this way, when the program is
updated, IT professionals can deploy the application update safely without having to build another rule.

Note: Before performing the following procedure, ensure that you have created default
rules.
Perform the following procedure to allow only signed applications to run:


1. To open the Local Security Policy MMC snap-in, on the Start screen, type secpol.msc, and then press Enter.
2. In the console tree, double-click Application Control Policies, and then double-click AppLocker.
3. Right-click Executable Rules, and then click Create New Rule.
4. On the Before You Begin page, click Next.
5. On the Permissions page, click Next to accept the default settings.
6. On the Conditions page, click Next.
7. On the Publisher page, note that the default setting is to allow any signed file to run, and then click Next.
8. On the Exceptions page, click Next.
9. On the Name and Description page, accept the default name or enter a custom name and description, and then click Create.

By using this rule and ensuring that all applications are signed within your organization, you can be sure
that users only run applications from known publishers.
Note: This rule prevents unsigned applications from running. Before implementing this
rule, ensure that all of the files that you want to run in your organization are digitally signed. If
any applications are not signed, consider implementing an internal signing process to sign
unsigned applications with an internal signing key.

Deleting Unnecessary Rules

If you created default rules and then selected the Program Files folder as the source to generate rules
automatically, there are one or more extraneous rules in the Executable Rules collection. When you create
the default rules, a path rule is added to allow any executable file in the entire Program Files folder to run.
This rule is added to ensure that users are not by default prevented from running applications. Because
this rule conflicts with rules that were generated automatically, delete this rule to ensure that the policy is
more specific. The name of the default rule is (Default Rule) Microsoft Windows Program Files Rule.
Perform the following procedure to delete a rule:
1. Ensure that the Local Security Policy MMC is open.
2. In the console tree under Application Control Policies\AppLocker, click Executable Rules.
3. In the details pane, right-click (Default Rule) Microsoft Windows Program Files Rule, and then click Delete.
4. In the AppLocker dialog box, click Yes.

To determine if any applications are excluded from the rule set, enable the Audit only enforcement
mode.
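As an added example (not part of the course), the same reference-folder workflow done with the AppLocker Windows PowerShell cmdlets: generate publisher rules (hash rules as a fallback for unsigned files) from a folder, put the collection in Audit only mode, and test candidate files before the policy is merged. The reference folder path and the test file paths are assumptions.

```powershell
# Added example, not part of the course: build an AppLocker executable policy from
# a reference folder with the AppLocker module, set it to Audit only, and test it.
# Assumptions: elevated Windows PowerShell on Windows 8.1 or later; the reference
# folder path below is a constructed placeholder.
Import-Module AppLocker

function New-ReferenceExePolicy {
    param(
        [string]$ReferenceFolder = 'C:\Program Files\Contoso App',   # placeholder
        [string]$RulePrefix      = 'Reference',
        [ValidateSet('NotConfigured', 'Enabled', 'AuditOnly')]
        [string]$EnforcementMode = 'AuditOnly'
    )
    # Gather publisher and hash information for every .exe in the folder tree.
    $fileInfo = Get-AppLockerFileInformation -Directory $ReferenceFolder -Recurse -FileType Exe
    if (-not $fileInfo) { throw "No executable files found under $ReferenceFolder" }

    # Publisher rules survive signed updates; hash rules cover unsigned binaries.
    # -Optimize collapses rules that share the same publisher into one rule.
    # New-AppLockerPolicy only produces Allow rules, like the course's wizard.
    [xml]$policy = New-AppLockerPolicy -FileInformation $fileInfo `
        -RuleType Publisher, Hash -RuleNamePrefix $RulePrefix `
        -User Everyone -Optimize -Xml

    # Start in audit mode so missing rules surface as 8003 events, not blocked users.
    foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
        $collection.EnforcementMode = $EnforcementMode
    }
    return $policy
}

function Test-PolicyDecisions {
    param(
        [Parameter(Mandatory)][xml]$Policy,
        [string[]]$Paths = @("$env:windir\regedit.exe", "$env:windir\System32\notepad.exe"),
        [string]$User = 'Everyone'
    )
    $candidate = Join-Path $env:TEMP 'applocker-candidate.xml'
    $Policy.Save($candidate)
    # PolicyDecision is Allowed, Denied, AllowedByDefault or DeniedByDefault.
    # A file that matches no rule is DeniedByDefault: exactly the gap the course's
    # Audit only review is meant to find before rules are enforced.
    Test-AppLockerPolicy -XmlPolicy $candidate -Path $Paths -User $User |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

$policy = New-ReferenceExePolicy
Test-PolicyDecisions -Policy $policy | Format-Table -AutoSize

# Merge into the local policy only after review. The course's default rules must
# already exist, or only files matched by these rules will be allowed to run.
# Set-AppLockerPolicy -XmlPolicy (Join-Path $env:TEMP 'applocker-candidate.xml') -Merge
```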

Starting the Application Identity Service


Before you can enforce AppLocker policies, you must start the Application Identity service. You need to be
a member of the local Administrators group, or equivalent, to start the service by using the following
procedure:
1. Click Start, type Services, and then click View local services.
2. In the Services console, double-click Application Identity.
3. In the Application Identity Properties dialog box, in the Startup type list, click Automatic, click Start, and then click OK.

Note: If an AppLocker rule is not working, check to see that the Application Identity service
has started. This service is required to be running for AppLocker to work.
Question: When testing AppLocker, you must consider carefully how you will organize rules
between linked Group Policy Objects (GPOs). What do you do if a GPO does not contain the
default AppLocker rules?

Demonstration: Configuring AppLocker Rules

In this demonstration, you will see how to:

- Create a custom AppLocker rule.
- Automatically generate the script rules.

Demonstration Steps

Create a custom AppLocker rule
1. Sign in as administrator.
2. Open the Local Group Policy Editor.
3. In the Local Group Policy Editor, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Application Control Policies, and then double-click AppLocker.
4. Create a new executable rule:
   - Permissions: Deny
   - Group: Marketing
   - Program: C:\Windows\Regedit.exe

Automatically generate the script rules
1. Click the Script Rules node.
2. Select Automatically generate rules.
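The demonstration's Deny rule written as AppLocker policy XML (an added example, not course material): the three default executable rules come first, then a Deny path rule for the Marketing group, staged in Audit only mode and tested before it is merged into the local policy. The group SID is resolved at run time and the fallback SID is a placeholder; the same shape serves the Lab B rule for the IT group by changing the group and the program path.

```powershell
# Added example, not part of the course: the demonstration's Deny rule for
# Regedit.exe as AppLocker policy XML, preceded by the default executable rules.
# Assumptions: elevated Windows PowerShell on a domain-joined Windows 8.1 client;
# group name from the course, SID resolved at run time (placeholder on failure).
Import-Module AppLocker

function Get-AccountSid {
    param([Parameter(Mandatory)][string]$Account)   # e.g. 'Adatum\Marketing'
    try {
        $nt = New-Object System.Security.Principal.NTAccount($Account)
        $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        Write-Warning "Could not resolve $Account; using a placeholder SID"
        'S-1-5-21-0-0-0-9999'   # constructed placeholder, not a real SID
    }
}

function New-DenyExePolicyXml {
    param(
        [Parameter(Mandatory)][string]$GroupSid,
        [string]$Program  = 'C:\Windows\Regedit.exe',
        [string]$RuleName = 'Deny Regedit.exe for Marketing',
        [ValidateSet('NotConfigured', 'Enabled', 'AuditOnly')]
        [string]$EnforcementMode = 'AuditOnly'
    )
    # Every rule needs its own GUID. The default rules (Everyone S-1-1-0: Program
    # Files and Windows folders; BUILTIN\Administrators S-1-5-32-544: everything)
    # must be present, as the course requires, or administrators lock themselves out.
    # A Deny rule always takes precedence over an Allow rule, so Marketing is
    # blocked even though Regedit.exe lives under %WINDIR%.
    $id = 1..4 | ForEach-Object { [guid]::NewGuid().ToString() }
    $xml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="$EnforcementMode">
    <FilePathRule Id="$($id[0])" Name="(Default Rule) All files located in the Program Files folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$($id[1])" Name="(Default Rule) All files located in the Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$($id[2])" Name="(Default Rule) All files" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$($id[3])" Name="$RuleName" Description="" UserOrGroupSid="$GroupSid" Action="Deny">
      <Conditions><FilePathCondition Path="$Program" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
    return $xml
}

$sid  = Get-AccountSid -Account 'Adatum\Marketing'
$file = Join-Path $env:TEMP 'deny-regedit.xml'
New-DenyExePolicyXml -GroupSid $sid | Set-Content -Path $file -Encoding UTF8

# Check the decision for the targeted group and for Everyone before applying.
Test-AppLockerPolicy -XmlPolicy $file -Path 'C:\Windows\Regedit.exe' -User $sid
Test-AppLockerPolicy -XmlPolicy $file -Path 'C:\Windows\Regedit.exe' -User Everyone

# Apply to the local policy (-Merge keeps existing rules; use -Ldap for a GPO),
# then refresh policy and confirm the Application Identity service is running:
# Set-AppLockerPolicy -XmlPolicy $file -Merge; gpupdate /force; Get-Service AppIDSvc
```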

Demonstration: Enforcing AppLocker Rules


After you create new AppLocker rules, you must configure enforcement for the rule collections and
refresh the computer's policy. Enforcement is configured in the Local Security Policy console in the
Configure Rule Enforcement area. The following table outlines the three enforcement options for each
rule type.

Enforcement mode | Description
Enforce rules with Group Policy inheritance | Default setting. If linked GPOs contain a different setting, that setting is used. If any rules are present in the corresponding rule collection, they are enforced.
Enforce rules | Rules are enforced.
Audit only | Rules are audited, but not enforced.

To view information about applications that are affected by AppLocker rules, use Event Viewer. Each event
in the AppLocker operational log contains detailed information, such as the following:

- Which file was affected and the path of that file
- Whether the file was allowed or blocked
- The rule type: Path, File Hash, or Publisher
- The rule name
- The security identifier for the user that is targeted in the rule

Review the entries in the log to determine if any applications were not included in the rules. The following
table identifies three events to use in determining which applications are affected.
Event ID | Level | Event text | Description
8002 | Informational | Access to <file_name> is allowed by an administrator. | Specifies that the file is allowed by an AppLocker rule.
8003 | Warning | Access to <file_name> is monitored by an administrator. | Applied only when in the Audit only enforcement mode. Specifies that the file will be blocked if the Enforce rules enforcement mode is enabled.
8004 | Error | Access to <file_name> is restricted by an administrator. | Applied only when the Enforce rules enforcement mode is either directly or indirectly set through Group Policy inheritance. The file cannot run.
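An added example (not from the course) that turns the three event IDs above into a review list: it parses AppLocker EXE and DLL log entries, labels each as allowed, audited or blocked, and groups them by file so gaps in an Audit only policy can be read off before switching to Enforce rules. The two log entries embedded below are constructed samples; the UserData element names are as they appear in the AppLocker operational log and should be checked against a real entry.

```powershell
# Added example, not part of the course: summarise AppLocker EXE and DLL events
# 8002 (allowed), 8003 (audited) and 8004 (blocked) by file path and decision.
# Assumptions: UserData element names (RuleAndFileData, FilePath, TargetUser,
# RuleName, FileHash) as seen in the AppLocker operational log; the two events
# below are constructed samples so the parsing runs without a live log.
$AppLockerLog = 'Microsoft-Windows-AppLocker/EXE and DLL'
$Decision = @{ 8002 = 'Allowed'; 8003 = 'Audited (would be blocked)'; 8004 = 'Blocked' }

function ConvertFrom-AppLockerEvent {
    param([Parameter(Mandatory)][int]$EventId, [Parameter(Mandatory)][string]$EventXml)
    $data = ([xml]$EventXml).Event.UserData.RuleAndFileData
    [pscustomobject]@{
        EventId  = $EventId
        Decision = $Decision[$EventId]
        FilePath = $data.FilePath
        User     = $data.TargetUser      # SID of the user who ran the file
        Rule     = $data.RuleName        # "-" when no rule matched
        Hash     = $data.FileHash
    }
}

function Get-AppLockerDecisionSummary {
    param([Parameter(Mandatory)][object[]]$Events)
    # One row per (file, decision); the Audited rows are the policy gaps to fix.
    $Events | Group-Object FilePath, Decision | ForEach-Object {
        [pscustomobject]@{
            Decision = $_.Group[0].Decision
            FilePath = $_.Group[0].FilePath
            Count    = $_.Count
            Users    = (@($_.Group | Select-Object -ExpandProperty User) | Sort-Object -Unique) -join ', '
        }
    } | Sort-Object Decision, FilePath
}

function Get-LiveAppLockerEvents {
    param([int]$MaxEvents = 1000)
    # Without the Application Identity service nothing is evaluated or logged.
    if ((Get-Service AppIDSvc).Status -ne 'Running') {
        Write-Warning 'Application Identity (AppIDSvc) is not running; AppLocker is inactive.'
    }
    Get-WinEvent -FilterHashtable @{ LogName = $AppLockerLog; Id = 8002, 8003, 8004 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-AppLockerEvent -EventId $_.Id -EventXml $_.ToXml() }
}

# Constructed sample entries (SID and hash values are placeholders, not real).
$sample8004 = @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>8004</EventID></System>
  <UserData><RuleAndFileData xmlns="http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0">
    <PolicyName>EXE</PolicyName><RuleName>Deny Regedit.exe for Marketing</RuleName>
    <TargetUser>S-1-5-21-0-0-0-1105</TargetUser><FilePath>%WINDIR%\REGEDIT.EXE</FilePath>
    <FileHash>00</FileHash></RuleAndFileData></UserData>
</Event>
"@
# An audited run of a file that matched no rule (Audit only mode).
$sample8003 = $sample8004 -replace '8004', '8003' `
    -replace 'Deny Regedit\.exe for Marketing', '-' `
    -replace '%WINDIR%\\REGEDIT\.EXE', '%OSDRIVE%\TOOLS\UNSIGNED.EXE'

$events = @(
    (ConvertFrom-AppLockerEvent -EventId 8004 -EventXml $sample8004),
    (ConvertFrom-AppLockerEvent -EventId 8003 -EventXml $sample8003),
    (ConvertFrom-AppLockerEvent -EventId 8003 -EventXml $sample8003)
)
Get-AppLockerDecisionSummary -Events $events | Format-Table -AutoSize
# On a client with AppLocker active, use (Get-LiveAppLockerEvents) instead of $events.
```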

Demonstration

This demonstration will show the different enforcement options and how to configure the enforcement
for the rule that was created in the previous demonstration. The demonstration then will verify the
enforcement with gpupdate.

Demonstration Steps

Enforce AppLocker rules
1. Switch to the Local Group Policy Editor.
2. View the properties of the AppLocker node.
3. Configure Enforcement:
   - Executable rules: Enforce rules
   - Script rules: Audit only

Confirm the executable rule enforcement


1. Refresh the Group Policy settings by typing gpupdate /force.
2. Open Computer Management, and then select Event Viewer.
3. Review the System log for Event ID 1502. This tells us that the Group Policy settings were refreshed.
4. Start the Application Identity service, which is required for AppLocker enforcement.

Test the executable rule enforcement

1. Sign out, and then sign in as Adatum\Adam.
2. Attempt to run Regedit.exe from the command prompt. You are successful, as the signed-in user is not a member of the Marketing group.
3. Sign in as Adatum\Administrator.
4. Open Event Viewer, and in Application and Services Logs\Microsoft\Windows\AppLocker, select the EXE and DLL log.
5. Review the entries. Locate Event ID 8004. It indicates that an attempt was made to run Regedit.exe, which was allowed to run.
6. Close all open windows, and then sign out.


Question: What is the command to update a computer's policy, and where is it run?

Lab B: Configuring AppLocker


Scenario


Holly is concerned that people in her department are spending time listening to music files. She wants a
way to disable the Windows Media Player. You decide to implement AppLocker to prevent members of
the IT group from running this program.

Objectives
After completing this lab, you will be able to:

- Configure AppLocker rules.
- Test AppLocker rules.

Lab Setup
Estimated Time: 20 minutes
Virtual machines: 20687D-LON-DC1, 20687D-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. Verify that the following virtual machines are running:
   - 20687D-LON-DC1
   - 20687D-LON-CL1

Exercise 1: Configuring AppLocker Rules

Scenario
In this exercise, you will create the executable and default AppLocker rules.
The main tasks for this exercise are as follows:
1. Create a new executable rule.
2. Enforce AppLocker rules.

Task 1: Create a new executable rule

1. Sign in as Adatum\Administrator with password Pa$$w0rd.
2. Open the Local Group Policy Editor, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Application Control Policies, and then double-click AppLocker.
3. Create a new executable rule with the following properties:
   - Permissions: Deny
   - Group: IT
   - Program: C:\Program Files\Windows Media Player\wmplayer.exe
4. Create the default rules.

Task 2: Enforce AppLocker rules


1. In the Local Group Policy Editor, open the AppLocker Properties, and then configure the Executable rules for Enforce rules.
2. Close the Local Group Policy Editor, and then open an elevated command prompt. Run the gpupdate /force command.
3. Sign out of LON-CL1.

Results: After completing this exercise, you should have created the required AppLocker rule.

Exercise 2: Testing the AppLocker Rules

Scenario

In this exercise, you will confirm the executable rule and then test it by signing in as a member of the IT
group.
The main tasks for this exercise are as follows:
1. Confirm the executable rule enforcement.
2. Test the enforcement.

Task 1: Confirm the executable rule enforcement

1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. Open Event Viewer, and then expand Windows Logs.
3. View the System log in Event Viewer. Check for Event ID 1502.
4. Start the Application Identity service.
5. Sign out of LON-CL1.

Task 2: Test the enforcement

1. Sign in to LON-CL1 as Adatum\Holly with password Pa$$w0rd.
2. Attempt to open Windows Media Player.
3. Sign out, and then sign in as Adatum\Administrator with password Pa$$w0rd.
4. Open Event Viewer.
5. Locate the Application and Services\Microsoft\Windows\AppLocker\EXE and DLL log. Locate Event ID 8004. This shows that Holly attempted to run a prohibited application.
6. Close all open windows, and then sign out.

Results: After completing this exercise, you should have verified the function of your executable
AppLocker rule.

Prepare for the next module

When you have finished the lab, revert all virtual machines to their initial state:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687D-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20687D-LON-DC1.


Module Review and Takeaways


Best Practice: Best Practices for AppLocker


- Before you manually create new rules or automatically generate rules for a specific folder, you should create the default AppLocker rules. The default rules ensure that key operating system files are allowed to run for all users.
- When testing AppLocker, carefully consider how you will organize rules between linked GPOs. If a GPO does not contain default rules, then add the rules directly to the GPO or add them to a GPO that links to it.
- After creating new rules, you must configure enforcement for the rule collections and then refresh the computer's policy.
- By default, AppLocker rules do not allow users to open or run any files that are not specifically allowed. Administrators must maintain a current list of allowed applications.
- If AppLocker rules are defined in a GPO, only those rules are applied. To ensure interoperability between software restriction policy rules and AppLocker rules, define software restriction policy rules and AppLocker rules in different GPOs.
- When you set an AppLocker rule to Audit only, the rule is not enforced. When a user runs an application that is included in the rule, the application opens and runs normally, and information about that application is added to the AppLocker event log.

Common Issues and Troubleshooting Tips

Common Issue | Troubleshooting Tip
AppLocker policies do not work correctly. |

Review Questions
Question: What are some of the privacy features in Internet Explorer?
Question: Trevor has implemented AppLocker. Before he created the default rules, he
created a custom rule that allowed all Windows processes to run except for Regedit.exe.
Because he did not create the default rules first, he is blocked from performing
administrative tasks. What does he need to do to resolve the issue?

Tools

Tool | Use for | Where to find it
Windows PowerShell | Command-line management tool | Windows 8.1
Dism.exe | Servicing and managing Windows images | Windows 8.1
Msiexec.exe | Managing installations | Command line
Gpupdate | Managing policy application | Command line


Module 12
Optimizing and Maintaining Windows 8.1 Computers
Contents:
Module Overview 12-1
Lesson 1: Optimizing Performance in Windows 8.1 12-2
Lab A: Optimizing Windows 8.1 Performance 12-9
Lesson 2: Managing the Reliability of Windows 8.1 12-13
Lesson 3: Managing Software Updates in Windows 8.1 12-18
Lab B: Maintaining Windows Updates 12-26
Module Review and Takeaways 12-28

Module Overview

Users have high expectations of technology. Therefore, performance is a key issue in today's business
environment, and it is important to consistently optimize and manage your systems' performance.

The Windows 8.1 operating system includes several monitoring and configuration tools that you can use
to obtain information about computer performance, to maintain reliability, and to configure operating
system and app updates.

Objectives
After completing this module, you will be able to:

- Optimize performance in Windows 8.1.
- Manage the reliability of Windows 8.1.
- Manage software updates in Windows 8.1.

Lesson 1

Optimizing Performance in Windows 8.1


A computer system that performs at a low efficiency level can cause problems in a work environment.
Poor performance potentially reduces user productivity and consequently increases user frustration.
Computers that are not performing to their full capability need to be examined so that you can determine
the source of the poor performance and correct it. Windows 8.1 helps you to determine potential causes
of poor performance and then provides appropriate tools to resolve performance issues.

Lesson Objectives
After completing this lesson, you will be able to:

- Identify common issues with performance and reliability.
- Describe how to use Task Manager to identify performance problems.
- Describe how to use Performance Monitor and data collector sets.
- Use Resource Monitor to view system performance.
- Analyze system performance by using Performance Monitor and data collector sets.
- Describe the considerations for monitoring system performance.

Discussion: Common Issues with Performance and Reliability

Poor performance and a lack of reliability are two of the most common user complaints about computer
systems. Computers respond slowly for several reasons, such as having an excessively fragmented file
system, unnecessary software that consumes resources, too many startup programs, or perhaps even a
virus. Additionally, the software that users install might have operational problems, incompatible drivers,
or result in operating system failures. All of these issues can affect a computer's reliability.

Performance is a measure of how quickly a computer finishes application and system tasks. Performance
problems can occur when computers lack available resources.

Reliability is a measure of how a system conforms to expected behavior. A system that often deviates from
the behavior that you configure or expect has poor reliability.
Question: What factors can influence computer system performance?
Question: What factors might contribute to reliability issues in a computer system?

Overview of Task Manager


In Windows 8.1, Task Manager provides information that can help you identify and resolve
performance-related problems. Task Manager includes the following tabs:

Processes. The Processes tab displays a list of running programs, which is subdivided into apps and
internal Windows processes. For each running process, this tab displays a summary of processor and
memory usage.

Performance. The Performance tab displays a summary of central processing unit (CPU) and memory
usage, and network statistics.

App history. The App history tab displays statistics and resource consumption by apps. This is useful
for identifying a specific app that is consuming excessive resources.

Startup. The Startup tab displays items that are configured to run at startup. You can choose to
disable any listed programs.

Users. The Users tab displays resource consumption on a per-user basis. You also can expand the user
view to see more detailed information about the specific processes that a user is running.

Details. The Details tab lists all the running processes on the computer, providing statistics about the
CPU, memory, and other resource consumption. You can use this tab to manage running processes. For
example, you can stop a process, stop a process and all related processes, and change the priority
values of processes. By changing the priority of a process, you determine how much CPU time the
process can consume relative to other processes. By increasing the priority, you allow the process to
request more CPU resources.

Services. The Services tab provides a list of Windows services with related information, including
whether a service is running and the process identifier (PID) of a running service. You can start and
stop services by using the list on the Services tab.

Generally, you might consider using Task Manager when a performance-related problem first
becomes apparent. For example, you might examine running processes to determine if a particular
program is using excessive CPU resources. Always remember that Task Manager only shows current
resource consumption. You also might need to examine historical data to determine the true picture
of a server's or computer's performance and response under load.

Using Performance Monitor and Data Collector Sets


Performance Monitor is a Microsoft Management Console (MMC) snap-in that you can use to obtain
system performance information. You can use this tool to analyze performance effects that apps and
services have on a computer, and you also can use it to obtain an overview of system performance or to
collect detailed information for troubleshooting. Performance Monitor includes the following features:

Monitoring Tools

Data Collector Sets

Reports

You also can access Resource Monitor from Performance Monitor.

Monitoring Tools


Monitoring Tools contains the Performance Monitor, and it provides a visual display of built-in Windows
performance counters, either in real time or as historical data.
Performance Monitor includes the following features:

Multiple graph views

Custom views that you can export as data collector sets

Performance Monitor uses performance counters to measure a system's state or activity; the operating
system and individual apps can each provide performance counters. Performance Monitor requests the
current value of performance counters at specified time intervals.

You can add performance counters to Performance Monitor by performing a drag-and-drop operation on
the counters or by creating a custom data collector set.
Performance Monitor features multiple graph views that you can use for a visual review of performance
log data. You can create custom views in Performance Monitor that you can export as data collector sets
for use with performance and logging features.

Data Collector Sets

A data collector set is a custom set of performance counters, event traces, and system-configuration data.
After you create a combination of data collectors that describe useful system information, you can save
them as a data collector set, and then run and view the results.

A data collector set organizes multiple data-collection points into a single, portable component. You can
use a data collector set on its own, group it with other data collector sets and incorporate it into logs, or
view it in Performance Monitor. You can configure a data collector set to generate alerts when it reaches
thresholds so that third-party apps can use it.

You also can configure a data collector set to run at a scheduled time, for a specific length of time, or
until it reaches a predefined size. For example, you can run a data collector set for 10 minutes every hour
during your working hours to create a performance baseline. You also can set a data collector to restart
when it reaches set limits so that a separate file will be created for each interval.


You can use data collector sets and Performance Monitor tools to organize multiple data collection points
into a single component that you can use to review or log performance.
Performance Monitor also includes default data collector set templates to help system administrators
begin the process of collecting performance data that is specific to a server role or monitoring scenario.

Reports

Use the Reports feature to view and generate reports from a set of counters that you create by using data
collector sets.

Resource Monitor

Use this view to monitor the use and performance of CPU, disk, network, and memory resources in real
time. This lets you identify and resolve resource conflicts and bottlenecks.

By expanding the monitored elements, system administrators can identify which processes are using
which resources. In previous versions of Windows operating systems, Task Manager made this real-time,
process-specific data available, but only in a limited form.

Demonstration: Using Resource Monitor


In this demonstration, you will see how to use Resource Monitor.

Demonstration Steps
1. Sign in to LON-CL1 as administrator.

2. Open Resource Monitor.

3. View the information on the Overview tab. This tab shows CPU usage, disk I/O, network usage, and
memory usage information for each process. A bar above each section provides summary information.

4. View the information on the CPU tab. This tab has more detailed CPU information that you can filter
so that it is based on the process.

5. View the information on the Memory tab. This tab provides detailed information about memory usage
for each process. Notice that the process that you selected previously remains selected so you can
review multiple kinds of information about a process as you switch between tabs.

6. View the information on the Disk tab. This tab shows processes with recent disk activity.

7. View the information on the Network tab. This tab provides information about all processes with
current network activity.

Demonstration: Analyzing System Performance by Using Performance Monitor and Data Collector Sets

In this demonstration, you will see how to analyze system performance by using data collector sets and
Performance Monitor.

Demonstration Steps
Open Performance Monitor
1. Sign in to LON-CL1 as administrator, and then open Performance Monitor.

2. View the default chart.

Add new values to the chart

Add additional real-time counters to the default chart view.

Create a data collector set

Create a user-defined data collector set.

Examine a report

Examine a report on the collected data.

Considerations for Monitoring System Performance


Monitor the Current System Resource by Using Resource Monitor

Resource Monitor provides at-a-glance data for CPU, disk, network, and memory resources. Therefore, it
is a good starting point for monitoring or troubleshooting tasks. Resource Monitor shows you what
happens with your current Windows operating system. You can view which processes are consuming CPU
resources and generating disk activity, and you can view the current activity of the network adapter. Note
that each tab provides additional details.


For example, if you suspect high consumption of your CPU processing capacity, you can view the CPU
tab and then see exactly what processes are executing on your machine, how many threads they are
executing, and how much CPU use is occurring. You also can view your computer's installed memory,
how much the operating system can use, how much it is using currently, and how much is reserved for
hardware. From the Disk view, you can view all disk I/O and detailed information on disk activity. You can
view processes with network activity in the Network view, and monitor which processes are running and
consuming too much bandwidth.

Additionally, Resource Monitor enables you to investigate which product, tool, or app is running
currently and consuming CPU, disk, network, and memory resources.

Create a Performance Baseline by Using Performance Monitor and Data Collector Sets

You can set up a baseline in Performance Monitor to help you with the following tasks:

Evaluating a computer's workload.

Monitoring system resources.

Noticing changes and trends in resource use.

Testing configuration changes.

Diagnosing problems.

By using data collector sets, you can establish a baseline to use as a standard for comparison. Create a
baseline when you first configure a computer, at regular intervals of typical usage, and when you make
any changes to a computer's hardware or software configuration. If you have appropriate baselines, you
can determine which resources are affecting a computer's performance.


You can monitor your system remotely. However, the use of counters across a network connection for an
extended period can congest network traffic. If you have disk space on a server for performance log files,
we recommend that you record performance log information locally.

Performance issues can occur because of the number of sampled counters and the frequency with which
sampling occurs. Therefore, it is important to test the number of counters and the frequency of data
collection. This lets you determine the right balance between your environment's needs and the provision
of useful performance information. For an initial performance baseline, however, we recommend that you
use the highest number of counters possible and the highest frequency available. The following table
shows commonly used performance counters and the usage threshold at which each one indicates a problem.
Counter: LogicalDisk\% Free Space
Usage: This counter measures the percentage of free space on a selected logical disk drive. Take note if
this falls below 15 percent because you risk running out of free space for the operating system to use to
store critical files. One obvious solution is to add more disk space.

Counter: PhysicalDisk\% Idle Time
Usage: This counter measures the percentage of time the disk was idle during the sample interval. If this
counter falls below 20 percent, the disk system is saturated. You might consider replacing the current
disk system with a faster one.

Counter: PhysicalDisk\Avg. Disk sec/Read
Usage: This counter measures the average time, in seconds, to read data from the disk. If the number is
larger than 25 milliseconds (ms), that means the disk system is experiencing latency when it is reading
from the disk.

Counter: PhysicalDisk\Avg. Disk sec/Write
Usage: This counter measures the average time, in seconds, it takes to write data to the disk. If the
number is larger than 25 ms, the disk system experiences latency when it is writing to the disk.

Counter: PhysicalDisk\Avg. Disk Queue Length
Usage: This counter indicates how many I/O operations are waiting for the hard drive to become
available. If the value is larger than two times the number of spindles, it means that the disk itself might
be the bottleneck.

Counter: Memory\Cache Bytes
Usage: This counter indicates the amount of memory that the file-system cache is using. There might be
a disk bottleneck if this value is greater than 300 megabytes (MB).

Counter: Memory\% Committed Bytes In Use
Usage: This counter measures the ratio of Committed Bytes to the Commit Limit, or in other words, the
amount of virtual memory in use. If the number is greater than 80 percent, it indicates insufficient
memory.

Counter: Memory\Available MBytes
Usage: This counter measures the amount of physical memory, in megabytes, available for running
processes. If this value is less than 5 percent of the total physical random access memory (RAM), that
means there is insufficient memory, and that can increase paging activity.

Counter: Memory\Free System Page Table Entries
Usage: This counter indicates the number of Page Table Entries not currently in use by the system. If the
number is less than 5,000, there might be a memory leak.

Counter: Memory\Pool Nonpaged Bytes
Usage: This counter measures the size, in bytes, of the nonpaged pool. This is an area of system memory
for objects that cannot be written to disk, but instead must remain in physical memory as long as they
are allocated. There is a possible memory leak if the value is greater than 175 MB (or 100 MB with a
/3GB switch).

Counter: Memory\Pool Paged Bytes
Usage: This counter measures the size, in bytes, of the paged pool. This is an area of system memory for
objects that can be written to disk when they are not being used. There might be a memory leak if this
value is greater than 250 MB (or 170 MB with the /3GB switch).

Counter: Memory\Pages/sec
Usage: This counter measures the rate at which pages are read from, or written to, the disk to resolve
hard page faults. If the value is greater than 1,000, as a result of excessive paging, there might be a
memory leak.

Counter: Processor\% Processor Time
Usage: This counter measures the percentage of elapsed time that the processor spends executing a
non-idle thread. If the percentage is greater than 85 percent, the processor is overwhelmed, and the
computer might require a faster processor.

Counter: Processor\% User Time
Usage: This counter measures the percentage of elapsed time that the processor spends in user mode. If
this value is high, the server is busy with the app.

Counter: Processor\% Interrupt Time
Usage: This counter measures the time that the processor spends receiving and servicing hardware
interrupts during specific sample intervals. This counter indicates a possible hardware issue if the value
is greater than 15 percent.

Counter: System\Processor Queue Length
Usage: This counter indicates the number of threads in the processor queue. The server does not have
enough processor power if the value is more than two times the number of CPUs for an extended period.

Counter: Network Interface\Bytes Total/sec
Usage: This counter measures the rate at which bytes are sent and received over each network adapter,
including framing characters. The network is saturated if you discover that more than 70 percent of the
interface is consumed.

Counter: Network Interface\Output Queue Length
Usage: This counter measures the length of the output packet queue, in packets. There is network
saturation if the value is more than two.

Counter: Process\Handle Count
Usage: This counter measures the total number of handles that a process currently has open. This
counter indicates a possible handle leak if the number is greater than 10,000.

Counter: Process\Thread Count
Usage: This counter measures the number of threads currently active in a process. There might be a
thread leak if this number is more than 500 between the minimum and maximum number of threads.

Counter: Process\Private Bytes
Usage: This counter indicates the amount of memory that this process has allocated that it cannot share
with other processes. If the value is greater than 250 between the minimum and maximum number of
threads, there might be a memory leak.

Plan Monitoring Carefully

If you monitor several data collector sets that sample data at frequent intervals, this can create a load on
the system that you are monitoring and large log files that you will need to analyze. Plan the monitoring
of the counters and sampling intervals carefully to ensure that the data that you collect represents system
performance accurately.
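The following Windows PowerShell script is an added example and is not part of the course materials. It
samples the counters from the table above with the Get-Counter cmdlet, averages a short window of
samples, and reports which counters cross the table's thresholds. The two thresholds that depend on the
hardware (processor queue length and available memory) are derived from the computer's logical
processor count and installed RAM. The rule table and the Test-PerformanceThresholds function name
are this example's own; the counter paths and limits are the ones in the table.

```powershell
# Added example; not part of the course text. Samples the counters from the table above a few
# times with Get-Counter and reports which ones cross the table's thresholds. Assumes Windows
# PowerShell 3.0 or later on Windows 8.1 and the built-in counter objects named in the table.

# Fixed thresholds straight from the table. Latency counters are in seconds, so 25 ms = 0.025.
$rules = @(
    @{ Path = '\LogicalDisk(_Total)\% Free Space';         Op = 'lt'; Limit = 15;    Note = 'free space below 15 percent' }
    @{ Path = '\PhysicalDisk(_Total)\% Idle Time';         Op = 'lt'; Limit = 20;    Note = 'disk system saturated' }
    @{ Path = '\PhysicalDisk(_Total)\Avg. Disk sec/Read';  Op = 'gt'; Limit = 0.025; Note = 'read latency above 25 ms' }
    @{ Path = '\PhysicalDisk(_Total)\Avg. Disk sec/Write'; Op = 'gt'; Limit = 0.025; Note = 'write latency above 25 ms' }
    @{ Path = '\Memory\% Committed Bytes In Use';          Op = 'gt'; Limit = 80;    Note = 'insufficient memory' }
    @{ Path = '\Memory\Pages/sec';                         Op = 'gt'; Limit = 1000;  Note = 'excessive paging' }
    @{ Path = '\Processor(_Total)\% Processor Time';       Op = 'gt'; Limit = 85;    Note = 'processor overwhelmed' }
    @{ Path = '\Processor(_Total)\% Interrupt Time';       Op = 'gt'; Limit = 15;    Note = 'possible hardware issue' }
    @{ Path = '\Network Interface(*)\Output Queue Length'; Op = 'gt'; Limit = 2;     Note = 'network saturation' }
)

# Thresholds that depend on the hardware are derived from this computer's CPU count and RAM.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$rules += @{ Path = '\System\Processor Queue Length'; Op = 'gt'
             Limit = 2 * $cs.NumberOfLogicalProcessors; Note = 'not enough processor power' }
$rules += @{ Path = '\Memory\Available MBytes'; Op = 'lt'
             Limit = [math]::Round(($cs.TotalPhysicalMemory / 1MB) * 0.05); Note = 'less than 5 percent of RAM free' }

function Test-PerformanceThresholds {
    param([int]$Samples = 5, [int]$IntervalSeconds = 1)

    # One Get-Counter call reads every path; a (*) instance path returns one sample per adapter.
    $data = Get-Counter -Counter @($rules | ForEach-Object { $_.Path }) `
                        -SampleInterval $IntervalSeconds -MaxSamples $Samples -ErrorAction SilentlyContinue

    foreach ($rule in $rules) {
        # Sample paths come back fully qualified (\\computer\object(instance)\counter), so match the tail;
        # -like is case-insensitive and the (*) in a rule path acts as the instance wildcard.
        $data.CounterSamples |
            Where-Object { $_.Path -like "*$($rule.Path)" } |
            Group-Object Path |
            ForEach-Object {
                # Average the whole window so that a single spike does not produce a finding.
                $avg = ($_.Group | Measure-Object -Property CookedValue -Average).Average
                $breached = if ($rule.Op -eq 'gt') { $avg -gt $rule.Limit } else { $avg -lt $rule.Limit }
                [pscustomobject]@{
                    Counter  = $_.Name
                    Average  = [math]::Round($avg, 3)
                    Limit    = $rule.Limit
                    Breached = $breached
                    Note     = if ($breached) { $rule.Note } else { '' }
                }
            }
    }
}

# Run once and show only the counters that crossed a threshold.
Test-PerformanceThresholds | Where-Object Breached | Format-Table -AutoSize
```

Run the script from an elevated Windows PowerShell prompt, because some counters require administrative
rights. A five-second window is enough to see whether a problem is present right now; for the baseline the
text recommends, use a data collector set so that the samples are written to a log rather than held in memory.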

Lab A: Optimizing Windows 8.1 Performance


Scenario


Users at A. Datum Corporation are about to receive new Windows 8.1 computers. Use Performance
Monitor to establish a performance baseline and measure a typical computer's responsiveness under a
representative load. This will help ensure that resources such as RAM and CPU are specified correctly for
these computers.

Objectives
After you have completed this lab, you will be able to:

Create a performance baseline.

Introduce additional workload.

Measure system responsiveness under load.

Lab Setup
Estimated Time: 25 minutes
Virtual machines: 20687D-LON-DC1, 20687D-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 20687D-LON-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Sign in by using the following credentials:
o User name: Administrator
o Password: Pa$$w0rd
o Domain: Adatum

5. Repeat steps 2 through 4 for 20687D-LON-CL1.

Exercise 1: Creating a Performance Baseline


Scenario

In this exercise, you will create a performance baseline against which to measure future performance.
The main tasks for this exercise are as follows:
1. Establish a performance baseline.

2. View the baseline report.

Task 1: Establish a performance baseline


1. On LON-CL1, sign in as Adatum\Administrator with password Pa$$w0rd, and then open
Performance Monitor.

2. Create a user-defined data collector set with the following properties:
o Name: Adatum Baseline
o Create manually (Advanced)
o Performance counter
o Sample interval: 1 second
o Counters to include:
Memory > Pages/sec
Network Interface > Packets/sec
PhysicalDisk > % Disk Time
PhysicalDisk > Avg. Disk Queue Length
Processor > % Processor Time
System > Processor Queue Length

3. Start the data collector set, and then start the following programs:
o Microsoft Word 2013
o Microsoft Office Excel 2013
o Microsoft Office PowerPoint 2013

4. Close all Microsoft Office apps, and in Performance Monitor, stop the Adatum Baseline data collector
set.

Task 2: View the baseline report


1. In Performance Monitor, locate Reports\User Defined\Adatum Baseline. Click the report that has a
name that begins with LON-CL1.

2. Record the following values:
o Memory\Pages/sec
o Network Interface\Packets/sec
o PhysicalDisk\% Disk Time
o PhysicalDisk\Avg. Disk Queue Length
o Processor\% Processor Time
o System\Processor Queue Length

Results: After completing this exercise, you should have created a performance baseline.
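The following script is an added example and is not part of the lab files; it is a command-line equivalent
of the Exercise 1 and Exercise 3 procedure. It uses logman, the command-line front end to the same data
collector sets that Performance Monitor lists under User Defined, to create the Adatum Baseline set with
the lab's counters and 1-second sample interval, runs it once idle and once while the lab's load script is
running, reads each binary log back with Import-Counter, and compares the averages. The output folder
C:\PerfLogs\Adatum and the function names are this example's own choices; an elevated prompt on LON-CL1
is assumed.

```powershell
# Added example; not part of the lab files. Creates, runs, and reads the "Adatum Baseline" data
# collector set from the command line. Assumes an elevated prompt on LON-CL1 and uses the
# constructed output folder C:\PerfLogs\Adatum; the counters and 1-second interval are the lab's.

$name     = 'Adatum Baseline'
$outDir   = 'C:\PerfLogs\Adatum'
$counters = @(
    '\Memory\Pages/sec'
    '\Network Interface(*)\Packets/sec'
    '\PhysicalDisk(_Total)\% Disk Time'
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length'
    '\Processor(_Total)\% Processor Time'
    '\System\Processor Queue Length'
)
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# logman manages the same data collector sets that Performance Monitor shows under
# Data Collector Sets\User Defined. -si 1 is the sample interval in seconds, -f bin writes a .blg
# log, -v mmddhhmm appends a timestamp so each run gets its own file, -y answers prompts.
logman create counter $name -c $counters -si 1 -f bin -v mmddhhmm -o "$outDir\baseline" -y | Out-Null

function Start-BaselineRun {
    param([int]$Seconds = 60, [scriptblock]$Workload)
    logman start $name | Out-Null
    if ($Workload) { & $Workload }      # the workload runs while the set is collecting
    Start-Sleep -Seconds $Seconds
    logman stop $name | Out-Null
}

function Get-BaselineSummary {
    # Reads the newest .blg the set produced and averages each counter, which is the figure the
    # Performance Monitor report view shows for the same run.
    $log = Get-ChildItem -Path $outDir -Filter *.blg | Sort-Object LastWriteTime | Select-Object -Last 1
    (Import-Counter -Path $log.FullName).CounterSamples |
        Group-Object Path |
        ForEach-Object {
            $s = $_.Group | Measure-Object -Property CookedValue -Average -Maximum
            [pscustomobject]@{ Counter = $_.Name
                               Average = [math]::Round($s.Average, 2)
                               Maximum = [math]::Round($s.Maximum, 2) }
        }
}

# Exercise 1: the idle baseline.  Exercise 3: the same set while the lab's load script runs.
Start-BaselineRun -Seconds 60
$baseline = Get-BaselineSummary
Start-BaselineRun -Seconds 60 -Workload { Start-Process 'E:\Labfiles\Mod12\Load.cmd' }
$underLoad = Get-BaselineSummary

# Side-by-side comparison; a large ratio marks the component that the load strains most.
$comparison = foreach ($b in $baseline) {
    $l = $underLoad | Where-Object Counter -eq $b.Counter
    [pscustomobject]@{
        Counter   = $b.Counter
        Baseline  = $b.Average
        UnderLoad = $l.Average
        Ratio     = if ($b.Average) { [math]::Round($l.Average / $b.Average, 1) } else { 'n/a' }
    }
}
$comparison | Format-Table -AutoSize
```

Load.cmd keeps its Cmd.exe window open, so close it when the second run has finished, just as Exercise 3
does. Keeping the .blg files gives you the historical record that Task Manager cannot provide, and the same
Import-Counter step works on any log that Performance Monitor has written.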

Exercise 2: Introducing Additional Workload


Scenario


In this exercise, you introduce additional computer workload by running a script that performs various
tasks on the computer.
The main task for this exercise is as follows:
1. Create a load on the computer.

Task 1: Create a load on the computer

1. On LON-CL1, in Performance Monitor, start the Adatum Baseline data collector set.

2. Run the E:\Labfiles\Mod12\Load.cmd script.

Results: After completing this exercise, you should have generated additional load on the computer.

Exercise 3: Measuring System Responsiveness Under Load


Scenario

In this exercise, you will compare the results that you collected during performance monitoring with those
collected earlier when you created the baseline.
The main task for this exercise is as follows:
1. Identify performance bottlenecks on the computer.

Task 1: Identify performance bottlenecks on the computer

1. Open Resource Monitor.

2. Which components are under strain?

3. After a few minutes, close the instance of C:\Windows\System32\Cmd.exe launched by the script.

4. Switch to Performance Monitor, and then stop the Adatum Baseline data collector set, if necessary.

5. In Performance Monitor, locate Reports\User Defined\Adatum Baseline. Click the second report that
has a name that begins with LON-CL1.

6. View the data as a report.

7. Record the component details:
o Memory\Pages/sec
o Network Interface\Packets/sec
o PhysicalDisk\% Disk Time
o PhysicalDisk\Avg. Disk Queue Length
o Processor\% Processor Time
o System\Processor Queue Length

8. In your opinion, which components are affected the most?

9. Close all open windows and programs, and then go back to the Start screen.

Results: After completing this exercise, you should have identified the computer's performance
bottleneck.

Prepare for the next lab

When you have finished the lab, leave the virtual machines running, as they are needed for the next
lab.

Lesson 2

Managing the Reliability of Windows 8.1


Windows 8.1 includes several diagnostic tools that you can use to identify and potentially provide a
workaround for different hardware and driver failures that might occur on a Windows 8.1 computer. This
lesson introduces you to these tools and explains how you can use them to diagnose problems in your
environment.

Lesson Objectives
After completing this lesson, you will be able to:

Describe problems that Windows diagnostic tools can help resolve.

Describe how to use Windows Memory Diagnostic tools.

Describe how to use the Windows Network Diagnostics tool.

Describe how to use Reliability Monitor.

Describe how to use the Problem Reports and Solutions tool.

Problems That Windows Diagnostic Tools Can Help Resolve


You can only solve computer problems effectively and reliably by diagnosing them accurately. Therefore,
if you understand the capabilities of Windows 8.1 diagnostics tools, you can determine where to find the
troubleshooting information that you need to address existing problems and prevent future issues.

The Windows Diagnostic Infrastructure includes diagnostic tools that you can use to troubleshoot
network-related issues, startup problems, and problems with unreliable memory.

Unreliable Memory

Memory problems can be especially difficult to troubleshoot because they frequently manifest themselves
as app issues. Failing memory can cause app failures, operating system faults, and stop errors, and it can
be difficult to identify because problems can be intermittent. For example, a memory chip might function
perfectly when you test it in a controlled environment. However, it can start to fail when you use it in a
hot computer.
Failing memory chips return data that differs from what an operating system stored originally. This can
lead to secondary problems, such as corrupted files. Frequently, administrators take extreme steps, such
as reinstalling apps or operating systems, to repair problems, only to have the failures persist.

Network-Related Problems

Network errors frequently cause an inability to access network resources and can be difficult to diagnose.
Network interfaces that you do not configure correctly, incorrect IP addresses, hardware failures, and
many other problems can affect connectivity. Operating system features such as cached credentials enable
users to sign in as domain users, even when a network connection is not present. This feature can make it
appear as if users have logged on to the domain successfully, even when they have not. Although this
feature is useful, it does add another layer to the process of troubleshooting network connections.

Startup Problems


When diagnosing startup problems, you usually do not have access to Windows 8.1 troubleshooting and
monitoring tools. Malfunctioning memory, incompatible or corrupted device drivers, missing or corrupted
startup files, or corrupted disk data can all cause startup failures.

Windows Memory Diagnostic Tools


The Windows Memory Diagnostics tool works with Microsoft Online Crash Analysis to monitor computers
for defective memory, and it determines whether defective physical memory is causing program crashes.
If the Windows Memory Diagnostics tool identifies a memory problem, Windows 8.1 avoids using the
affected part of physical memory so that the operating system can start successfully and avoid app
failures.

In most cases, a Windows operating system automatically detects possible problems with a computer's
memory and then displays a notification that asks whether to run the Windows Memory Diagnostics tool.
You also can start the Windows Memory Diagnostics tool from Control Panel\System and Security
\Administrative Tools.

How Does the Windows Memory Diagnostics Tool Run?

If the Windows Memory Diagnostics tool detects any problems with physical memory, Microsoft Online
Crash Analysis automatically prompts you to run the tool.

You can restart your computer and check for problems immediately, or you can schedule the tool to run
when the computer next restarts.

When the computer restarts, the Windows Memory Diagnostics tool tests the computers memory. When
this tool runs, it shows a progress bar that indicates the status of the test. It might take several minutes for
the tool to finish checking a computer's memory. When the test finishes, the Windows operating system
restarts again automatically, and the tool provides a clear report that details the problem. It also writes
information to the event log so that it can be analyzed.
You can run the Windows Memory Diagnostics tool manually. You have the same two choices: run the
tool immediately or schedule it to run when the computer restarts. Additionally, you can start the
Windows Memory Diagnostics tool from installation media.

Advanced Options

To access advanced diagnostic options, press F1 while the test is running. Advanced options include the
following:

Test mix. Select what kind of test to run.

Cache. Select the cache setting for each test.

Pass count. Enter the number of times that the test mix should repeat the tests.

Press the Tab key to move between the advanced options. When you finish selecting your options, press
F10 to start the test.
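The following Windows PowerShell script is an added example and is not part of the course materials. It
shows the non-interactive side of the procedure above: scheduling the Windows Memory Diagnostic for the
next restart through the boot configuration data (BCD) entry {memdiag}, setting the pass count that the
F1 screen exposes, and after the restart reading the result that the tool writes to the System event log
under the provider Microsoft-Windows-MemoryDiagnostics-Results. An elevated prompt is assumed, and the
two function names are this example's own.

```powershell
# Added example; not part of the course text. Schedules the Windows Memory Diagnostic for the next
# restart without the dialog, sets the pass count described under Advanced Options, and after the
# restart reads the result the tool writes to the System event log. Assumes an elevated prompt;
# {memdiag} is the BCD identifier of the memory diagnostic, and the result events are logged by
# the provider Microsoft-Windows-MemoryDiagnostics-Results.

function Request-MemoryDiagnostic {
    param([int]$PassCount = 2)
    # Same option as the F1 screen's "Pass count". Braces must be quoted in PowerShell so that
    # bcdedit receives {memdiag} literally.
    bcdedit /set '{memdiag}' passcount $PassCount | Out-Null
    # A one-time boot into the diagnostic; the normal boot entry is used again afterward, which is
    # what "schedule the tool to run when the computer next restarts" does from the GUI.
    bcdedit /bootsequence '{memdiag}' | Out-Null
    # Restart-Computer is left to the caller so that open work can be saved first.
}

function Get-MemoryDiagnosticResult {
    param([int]$Newest = 5)
    Get-WinEvent -FilterHashtable @{ LogName      = 'System'
                                     ProviderName = 'Microsoft-Windows-MemoryDiagnostics-Results' } `
                 -MaxEvents $Newest -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                # A clean pass is logged as event ID 1201 with the text "detected no errors". Any other
                # result means a RAM fault, which is the cause to fix before reinstalling apps or Windows.
                Passed  = ($_.Message -match 'no errors')
                Message = $_.Message
            }
        }
}

# Typical sequence on a computer with intermittent app crashes:
#   Request-MemoryDiagnostic -PassCount 3
#   Restart-Computer
# and, once the test and the automatic second restart have completed:
#   Get-MemoryDiagnosticResult | Format-List
```

Because the result goes to the event log, Get-MemoryDiagnosticResult can be run remotely with
Get-WinEvent -ComputerName, or collected centrally with event forwarding, which is how the section's
advice to avoid reinstalling software before ruling out failing memory can be applied across a fleet.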

Windows Network Diagnostics Tool


The Windows Network Diagnostics tool provides an advanced way to resolve network-related issues.
When users cannot connect to a network resource, they receive specific repair options instead of general
error messages, which can be difficult to understand. By understanding the repair options that the
Windows Network Diagnostics tool presents, you can troubleshoot network-related issues effectively.

You can start the Windows Network Diagnostic tool by clicking Troubleshoot problems in the Network
and Sharing Center. From this page, you can troubleshoot different network problems. Some of these
problems and tools are as follows:


Internet Connections. Inability to connect to the Internet or to a particular website.

Shared Folders. Inability to access shared files and folders on other computers.

HomeGroup. Inability to view the computers or shared files in a homegroup for workgroup-configured
computers.

Network Adapter. Problems with Ethernet, wireless, or other network adapters.

Incoming Connections. Issues allowing other computers to connect to your computer.

Connections to a Workplace Using DirectAccess. Problems with connecting to your workplace when
using DirectAccess.

Printer. Problems on printer connections.

How Does the Windows Network Diagnostics Tool Run?

The Windows Network Diagnostics tool runs automatically when it detects a problem. You also can decide
to run the tool manually by using the Diagnose option on the Local Area Connections Status dialog box.
If Windows 8.1 detects a problem that it can repair automatically, it will do so. If Windows 8.1 cannot
repair the problem automatically, it directs the user to perform simple steps to resolve the problem
without having to call support.

What Is Reliability Monitor?


Reliability Monitor reviews a computer's reliability and problem history. You can use the Reliability
Monitor to obtain several kinds of reports and charts that can help you identify the source of reliability
issues. Access Reliability Monitor by clicking View reliability history in the Maintenance section of the
Action Center.

The following topics explain the main features of the Reliability Monitor in more detail.

System Stability Chart


A System Stability Chart summarizes system stability for the past year in daily increments. This chart
indicates any information, error, or warning messages, and it simplifies the task of identifying issues and
the date on which they occurred.

Installation and Failure Reports

The System Stability Report also provides information about each event in the chart. These reports include
the following events:

Software Installs

Software Uninstalls

Application Failures

Hardware Failures

Windows Failures

Miscellaneous Failures

Records Key Events in a Timeline

Reliability Monitor tracks key events about the system configuration, such as the installation of new apps,
operating system patches, and drivers. It also tracks the following events and helps you identify the
reasons for reliability issues:

Memory problems

Hard-disk problems

Driver problems

Application failures

Operating system failures

Reliability Monitor is a useful tool that provides a timeline of system changes and then reports on a
system's reliability. You can use this timeline to determine whether a particular system change correlates
with the start of system instability.
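The following Windows PowerShell script is an added example and is not part of the course materials. It
reads the records behind the timeline and the System Stability Chart from the Win32_ReliabilityRecords
and Win32_ReliabilityStabilityMetrics WMI classes, and then does the correlation the paragraph above
describes by listing, for each application or Windows failure, the installs recorded in the days before it.
The Reliability Analysis Component provider is assumed to be enabled (the Windows 8.1 client default);
the SourceName values used to classify records are assumptions about what the provider logs, and the
function names are this example's own.

```powershell
# Added example; not part of the course text. Reads the records behind Reliability Monitor's timeline
# and stability chart from WMI and lists, for each failure, the installs recorded shortly before it.
# Assumes the Reliability Analysis Component provider is enabled (the Windows 8.1 client default).
# The SourceName values below are assumptions about what the provider logs; check them against
# the output of Get-ReliabilityTimeline on your own computer.

function Get-ReliabilityTimeline {
    param([int]$Days = 30)
    $since = (Get-Date).AddDays(-$Days)
    # One record per event shown in Reliability Monitor: installs, uninstalls, failures, and so on.
    Get-CimInstance -ClassName Win32_ReliabilityRecords |
        Where-Object { $_.TimeGenerated -ge $since } |
        Sort-Object TimeGenerated |
        Select-Object TimeGenerated, SourceName, ProductName, EventIdentifier, Message
}

function Get-StabilityIndex {
    param([int]$Days = 30)
    $since = (Get-Date).AddDays(-$Days)
    # The 1-to-10 index is the line plotted in the System Stability Chart, one value per day.
    Get-CimInstance -ClassName Win32_ReliabilityStabilityMetrics |
        Where-Object { $_.TimeGenerated -ge $since } |
        Sort-Object TimeGenerated |
        Select-Object TimeGenerated, SystemStabilityIndex
}

function Find-InstallsBeforeFailures {
    param([int]$Days = 30, [int]$WindowDays = 3)
    $records  = Get-ReliabilityTimeline -Days $Days
    # Assumed source names: MSI installs and Windows Update on one side, app crashes, hangs and
    # Windows (stop error) failures on the other.
    $installs = $records | Where-Object { $_.SourceName -in 'MsiInstaller', 'Microsoft-Windows-WindowsUpdateClient' }
    $failures = $records | Where-Object { $_.SourceName -in 'Application Error', 'Application Hang',
                                                             'Microsoft-Windows-WER-SystemErrorReporting' }
    foreach ($f in $failures) {
        $window = $f.TimeGenerated.AddDays(-$WindowDays)
        $recent = $installs | Where-Object { $_.TimeGenerated -le $f.TimeGenerated -and $_.TimeGenerated -ge $window }
        [pscustomobject]@{
            Failure  = '{0:yyyy-MM-dd HH:mm} {1}: {2}' -f $f.TimeGenerated, $f.SourceName, $f.ProductName
            Suspects = ($recent | ForEach-Object { $_.ProductName }) -join '; '
        }
    }
}

# A failure whose Suspects column names a driver or update installed a day or two earlier is the
# correlation Reliability Monitor's timeline is meant to reveal.
Find-InstallsBeforeFailures | Format-Table -Wrap
Get-StabilityIndex -Days 7 | Format-Table -AutoSize
```

Win32_ReliabilityRecords can be queried on a remote computer with the -ComputerName parameter of
Get-CimInstance, so the same check scales to the computers you manage without opening Action Center on
each one.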

What Is the Problem Reports and Solutions Tool?


The Problem Reports and Solutions tool in Reliability Monitor helps you track problem reports and any
solution information that other tools have provided. This tool only helps store information. Windows
Error Reporting handles all Internet communication that is related to problem reports and solutions. The
Problem Reports and Solutions tool provides a list of the attempts made to diagnose a computer's
problems.

If an error occurs while an app is running, Windows Error Reporting prompts the user to choose whether
to send error information to Microsoft over the Internet. If information is available that can help a user
resolve a problem, Windows displays a message to the user with a link to information about how to resolve
the issue.


You can use the Problem Reports and Solutions tool to track resolution information and to recheck and
find new solutions. You can start the Problem Reports and Solutions tool from Reliability Monitor. The
following tools are available:

Save reliability history

View all problem reports

Check for solutions to all problems

Clear the solution and problem history

Lesson 3

Managing Software Updates in Windows 8.1


To keep Windows 8.1 systems functioning properly and to protect them, you must update systems
regularly with the latest security updates and fixes. Windows Update enables you to download and install
important and recommended updates automatically instead of visiting the Windows Update website.
You must be aware of the available Windows Update configuration options, and you must be able to
guide users on how to configure these options.

Lesson Objectives
After completing this lesson, you will be able to:

Identify the most common methods for managing software updates in Windows 8.1.

Explain how to configure local Windows Update settings.

Describe the process of managing applied updates.

Describe the Windows Update Group Policy settings.

Overview of Managing Software Updates in Windows 8.1


Updates to operating system files, device drivers, and apps can provide new functionality, fix problems,
and increase the reliability of Windows 8.1 computers. However, updates also can conflict with existing
apps and devices if not tested and managed properly.

By default, a Windows 8.1 computer obtains updates from the Microsoft Update website at the same
frequency that was configured when the Windows operating system was installed. This configuration is
suitable for home users and very small organizations with only a few computers. However, scalable
options for software update management are more suitable for an organization that requires some level
of control over the update process.

Windows Server Update Services

Windows Server Update Services (WSUS) is a server role that you can install on a Windows Server 2012
R2, Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008 computer. WSUS enables an
administrator to manage and control the update process in many ways, including the following:

Create and maintain computer groups.

Selectively approve or deny updates based on computer group or update classification.

Centralize the update download process to streamline bandwidth usage.

System Center 2012 Configuration Manager

Microsoft System Center 2012 Configuration Manager performs many configuration management-based
tasks in an enterprise, including update management. You can use Configuration Manager to incorporate
WSUS into your configuration management environment and to provide greater control over update
scheduling, deployment, and reporting. Configuration Manager also can deploy non-Microsoft updates.

Windows Intune


Windows Intune enables cloud-based configuration management for client computers that are within an
organization's networks or simply connected to the Internet. Windows Intune provides features similar to
Configuration Manager. However, Windows Intune enables you to extend configuration management
beyond an organization's networks.

Configuring Windows Update Settings


Windows Update is a service that provides software updates that keep a computer up-to-date and
protected. You can configure Windows Update to download and install updates automatically for a
computer, or you can install updates manually. On the Windows Update page, you can see the important
and optional updates that are available for a computer.
You should configure Windows 8.1 computers to download and install updates automatically. This
ensures that a computer has the most up-to-date and protected configuration possible.

You can turn on Automatic Updates during the initial Windows 8.1 setup, or you can configure it later.

Windows Update downloads a computer's updates in the background while you are online. If your
Internet connection is interrupted before an update downloads fully, the download process resumes when
the connection becomes available.

Configure Settings

The Automatic Updates feature of Windows Update downloads and installs important updates, including
security and critical performance updates. However, you have to select recommended and optional
updates manually.
The time of installation depends on the configuration options that you select. Most updates occur
seamlessly, with the following exceptions:

If an update requires a restart to complete installation, you can schedule it for a specific time.

When a software update applies to a file that is in use, Windows 8.1 can save the apps data, close the
app, update the file, and then restart the app. Windows 8.1 might prompt the user to accept the
Microsoft Software License Terms when the app restarts.

When you configure Windows Update, consider the following:

You should use the recommended settings to download and install updates automatically.

The recommended settings automatically download and install updates daily at 3:00 A.M. If a
computer is turned off, the installation will be done the next time the computer is turned on.
By using the recommended settings, users do not have to search for critical updates or worry that
critical fixes might be missing from their computers.

You should use WSUS to manage Windows Update in an enterprise environment.

You can use Configuration Manager for environments that have a large number of computers or that
require specialized management that WSUS does not provide.

Change Settings
From the Windows Update page, you also have access to the Change settings feature. On the Change
settings page, four settings are available for Important updates:

Install updates automatically (recommended).

Download updates but let me choose whether to install them.

Check for updates but let me choose whether to download and install them.

Never check for updates (not recommended).

We recommend that you choose to have updates installed automatically so that Windows will install
important updates as they become available.
If you do not want updates to install or download automatically, you can instead select the option to
be notified when updates apply to your computer so that you can download and install them yourself.
For example, if you have a slow Internet connection or your work is interrupted because of automatic
updates, you can have Windows check for updates but download and install them yourself later at a
suitable time.

Managing Applied Updates


Generally, applying updates does not create problems for most computers. However, occasionally, an
installed update might conflict with the unique combination of installed hardware and software on a
user's computer. This can result in a reliability problem. When this occurs, you can use Windows Update
to review installed updates, and where necessary, you can uninstall an update.

View Update History


To review your update history, from the Windows
Update page, click View update history. In the
Status column, you can make sure that all of the important updates installed successfully.

Uninstall Updates


If you would like to remove an installed update, from the View update history page, click Installed
Updates. You then can view all the installed updates, and where necessary, you can right-click an update,
and then click Uninstall.

Hide Updates

If an update attempts to reinstall at a later time, you can hide the update. To hide an update that you do
not wish to install, from Windows Update, click the link for the available updates. Right-click the update
that you do not want to install, and then click Hide update.

Restore Hidden Updates

If you have resolved the underlying problem with an update that you uninstalled, and you wish to install
it, you first must unhide the update. From Windows Update, click Restore hidden updates.

Windows Update Group Policy Settings


Group Policy is an administrative tool for
managing user and computer settings over a
network.
There are several Group Policy settings for
Windows Update:

Do not display the Install Updates and Shut Down option in the Shut Down Windows dialog box.
This policy setting allows you to manage whether the Install Updates and Shut Down option displays
in the Shut Down Windows dialog box.


If you enable this policy setting, Install Updates and Shut Down will not appear as a choice in the Shut
Down Windows dialog box even if updates are available for installation when the user selects the Shut
Down option in the Start menu.
If you disable or do not configure this policy setting, the Install Updates and Shut Down option will be
available in the Shut Down Windows dialog box if updates are available when the user selects the
Shut Down option in the Start menu.

Do not adjust the default option to Install Updates and Shut Down in the Shut Down Windows
dialog box.
You can use this policy setting to manage whether the Install Updates and Shut Down option is
allowed to be the default choice in the Shut Down Windows dialog box.

If you enable this policy setting, the user's last shutdown choice, such as Hibernate and Restart, is the
default option in the Shut Down Windows dialog box, regardless of whether the Install Updates and
Shut Down option is available in the What do you want the computer to do? list.

If you disable or do not configure this policy setting, the Install Updates and Shut Down option will be
the default option in the Shut Down Windows dialog box if updates are available for installation when
the user selects the Shut Down option in the Start menu.

Enabling Windows Update Power Management to automatically wake up the system to install
scheduled updates
This policy setting specifies whether Windows Update will use the Windows power management
features to wake up your system automatically from hibernation if updates need to install.

Windows Update will wake up your system automatically only if you configure Windows Update to
install updates automatically. If the system is in hibernation when the scheduled install time occurs
and there are updates to apply, Windows Update will use the Windows power management features
to wake the system automatically to install the updates.
The system will not wake unless there are updates to install. If the system is on battery power, when
Windows Update wakes it up, it will not install updates, and the system will return to hibernation
automatically in two minutes.

Configure Automatic Updates


This setting specifies whether the computer will receive security updates and other important
downloads through the Automatic Updates feature. If Automatic Updates are enabled on a computer,
you must select one of the four options in the Group Policy setting:
o 2 = Notify before downloading any updates and notify again before installing them
When Windows finds updates that apply to your computer, an icon appears in the status area
with a message that updates are ready to download.

Clicking the icon or message provides the option to select the specific updates that you want to
download. Windows then downloads your selected updates in the background.

When the download is complete, an icon again appears in the status area with notification that
the updates are ready to install. Clicking the icon or message provides the option to select which
updates to install.

o 3 = (Default setting) Download the updates automatically and notify when they are ready
to be installed
Windows finds updates that apply to your computer and then downloads them in the
background so that the user is not notified or interrupted during this process.
When the download is complete, an icon appears in the status area with notification that the
updates are ready to install. Clicking the icon or message provides the option to select which
updates to install.

o 4 = Automatically download updates and install them on the schedule specified below
Specify the schedule by using the options in the Group Policy setting. If no schedule is specified,
the default schedule for all installations will be daily at 3:00 A.M.

If any of the updates require a restart to complete the installation, Windows will restart the
computer automatically. If a user is logged on to the computer when Windows is ready to restart,
the user will be notified and given the option to delay the restart.

o 5 = Allow local administrators to select the configuration mode in which Automatic Updates
notifies about and installs updates
With this option, local administrators will be allowed to use the Automatic Updates control
panel item to select a configuration option. For example, they can choose their own scheduled
installation time. Local administrators will not be allowed to disable Automatic Updates
configuration.

To use the Configure Automatic Updates policy setting, click Enabled, and then select one of the
options (2, 3, 4, or 5).
If the status is set to Enabled, Windows recognizes when the computer is online and then uses its
Internet connection to search Windows Update for updates that apply to a computer.

If the status is set to Disabled, you must manually download and install any updates that are available
on Windows Update.
If the status is set to Not Configured, the use of Automatic Updates is not specified at the Group
Policy level. However, an administrator can still configure Automatic Updates through Control Panel.

Specify intranet Microsoft update service location


With this setting, you can specify a server on a network to function as an internal update service. The
Automatic Updates client will search this service for updates that apply to computers on the network.

To use this setting, you must set two server name values: the server from which the Automatic
Updates client detects and downloads updates, and the server to which updated workstations upload
statistics. You can set both values to be the same server.

If the status is set to Enabled, the Automatic Updates client connects to a specified intranet Microsoft
Update service instead of Windows Update to search for and download updates. Enabling this setting
means that end users in your organization do not have to go through a firewall to get updates, and it
gives you the opportunity to test updates before deploying them.

If the status is set to Disabled or Not Configured, and if Automatic Updates is not disabled by policy
or user preference, the Automatic Updates client connects directly to the Windows Update site on the
Internet.

Automatic Updates detection frequency

This policy specifies how long a Windows operating system will wait before checking for available
updates. The exact wait time is determined by using the hours that you specify in this policy, minus 0
to 20 percent of the hours specified. For example, if this policy is used to specify a 20-hour detection
frequency, all clients to which this policy applies will check for updates anywhere between 16 and 20
hours.
If the status is set to Enabled, Windows checks for available updates at the specified interval.

If the status is set to Disabled or Not Configured, Windows checks for available updates at the default
interval of 22 hours.

Allow non-administrators to receive update notifications


This policy setting allows you to control whether non-administrative users will receive update
notifications based on the Configure Automatic Updates policy setting.
If you enable this policy setting, Automatic Update and Microsoft Update will include
non-administrators during the process of determining which logged-on user will receive update
notifications.

Non-administrative users can install all optional, recommended, and important content for which
they received a notification. Users will not see a User Account Control window and do not need
elevated permissions to install these updates, except in the case of updates that contain user
interface, End User License Agreement, or Windows Update setting changes.
If you disable or do not configure this policy setting, only administrative users will receive update
notifications. By default, this policy setting is disabled.

If the Configure Automatic Updates policy setting is set to Disabled or Not Configured, then the
Elevate Non-Admin policy setting has no effect.

Turn on Software Notifications


This policy setting allows you to control whether users can view detailed, enhanced notification
messages about featured software from the Microsoft Update service.

Enhanced notification messages convey the value of optional software, and they promote its
installation and use. This policy setting is intended for loosely managed environments in which you
allow end-user access to the Microsoft Update service.


If you enable this policy setting, a notification message will appear on users' computers when the
featured software is available. Users can click the notification to open the Windows Update app and
get more information about the software or install it. Users also can click Close this message or Show
me later to defer the notification as appropriate. In Windows 8.1, this policy setting only will control
detailed notifications for optional apps.

If you disable or do not configure this policy setting, Windows 8.1 users will not be offered detailed
notification messages for optional apps. By default, this policy setting is disabled. If you are not using
the Microsoft Update service or if the Configure Automatic Updates policy setting is disabled or is
not configured, the Turn on Software Notifications policy setting has no effect.

Let the service shut down when it is idle

This setting controls how many minutes the Windows Update service will wait before shutting down
when there are no scans, downloads, or installations in progress. If configured to zero, the service will
run always.

Allow Automatic Updates immediate installation

This setting specifies whether Automatic Updates will install certain updates automatically that
neither interrupt Windows services nor restart the Windows operating system. If you set the status to
Enabled, Automatic Updates will install these updates immediately once they are downloaded and
ready to install.
If you set the status to Disabled, such updates will not install immediately. If the Configure
Automatic Updates policy is disabled, this policy has no effect.

Turn on recommended updates via Automatic Updates

This setting specifies whether Automatic Updates will deliver both important and recommended
updates from the Windows Update service. When this policy is enabled, Automatic Updates will install
recommended and important updates from Windows Update. When disabled or not configured,
Automatic Updates will continue to deliver important updates if it is configured already to do so.

No auto-restart with logged on users for scheduled automatic updates installations

This setting specifies that to complete a scheduled installation, Automatic Updates will wait for the
computer to be restarted by any user who is logged on, instead of causing the computer to restart
automatically.

If the status is set to Enabled, Automatic Updates will not restart a computer automatically during a
scheduled installation if a user is logged on to the computer. Instead, Automatic Updates will notify
the user to restart the computer.

Re-prompt for restart with scheduled installations


This setting specifies the amount of time for Automatic Updates to wait before prompting a user
again to restart and complete the update process.

If the status is set to Enabled, a scheduled restart will occur in the specified number of minutes after
the previous prompt for restart was postponed.
If the status is set to Disabled or Not Configured, the default interval is 10 minutes.

Delay Restart for scheduled installations


This setting specifies the amount of time for Automatic Updates to wait before proceeding with a
scheduled restart.

If the status is set to Enabled, a scheduled restart will occur at the specified number of minutes after
the installation is finished.

If the status is set to Disabled or Not Configured, the default wait time is 15 minutes.

Reschedule Automatic Updates scheduled installations


This setting specifies the amount of time for Automatic Updates to wait, following system startup,
before proceeding with a scheduled installation that was missed previously.

If you set the status to Enabled, a scheduled installation that did not take place earlier will occur at
the specified number of minutes after the computer is next started.
If you set the status to Disabled, a missed scheduled installation will occur with the next scheduled
installation.

If you set the status to Not Configured, a missed scheduled installation will occur one minute after the
computer is next started.

Enable client-side targeting

This setting specifies the target group name or names that will be used to receive updates from an
intranet Microsoft Update service.

If you set the status to Enabled, the specified target group information is sent to the intranet Microsoft
Update service, which uses this information to determine which updates must be deployed to the
computer.
If the intranet Microsoft Update service supports multiple target groups, this policy can specify
multiple group names separated by semicolons. Otherwise, you must specify a single group.

If the status is set to Disabled or Not Configured, no target group information will be sent to the
intranet Microsoft Update service.

Allow signed updates from an intranet Microsoft update service location

This policy setting allows you to manage whether Automatic Updates accepts updates that are signed
by entities other than Microsoft when an update is found on an intranet Microsoft Update service
location.
If you enable this policy setting, Automatic Updates accepts updates that are received through an
intranet Microsoft Update service location if the updates are signed by a certificate in the Trusted
Publishers certificate store of the local computer.
If you disable or do not configure this policy setting, updates from an intranet Microsoft Update
service location must be signed by Microsoft.
Note: This setting sometimes is used on a critical system that cannot be restarted or
changed without first being scheduled. If you enable this setting, you must implement another
method of update delivery to ensure that these systems are kept up-to-date.
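The Group Policy settings above are written to the client under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate (and its AU subkey), which is also where you can confirm that the policy from Lab B, Task 3 has arrived after gpupdate /force. The following is an added example, not part of the course text: the function name and the list of findings are choices made here; the registry value names are the documented ones for these policies. Run it in Windows PowerShell on a domain-joined Windows 8.1 client.

```powershell
# Added example (not from the course): report the effective Windows Update policy values
# using the policy names from this lesson, and flag configurations that weaken the update path.
function Get-WindowsUpdatePolicyAudit {
    [CmdletBinding()]
    param()

    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auKey = "$wuKey\AU"

    # Returns the registry value, or $null when no policy has written it (Not Configured)
    function Get-PolicyValue([string]$Key, [string]$Name) {
        if (-not (Test-Path $Key)) { return $null }
        $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { $null } else { $item.$Name }
    }

    # AUOptions values as the policy editor labels them (see the options 2 to 5 above)
    $auOptionText = @{
        2 = 'Notify for download and notify for install'
        3 = 'Auto download and notify for install'
        4 = 'Auto download and schedule the install'
        5 = 'Allow local admin to choose setting'
    }

    $noAutoUpdate   = Get-PolicyValue $auKey 'NoAutoUpdate'
    $auOptions      = Get-PolicyValue $auKey 'AUOptions'
    $installTime    = Get-PolicyValue $auKey 'ScheduledInstallTime'
    $useWuServer    = Get-PolicyValue $auKey 'UseWUServer'
    $detectFreq     = Get-PolicyValue $auKey 'DetectionFrequency'
    $noAutoReboot   = Get-PolicyValue $auKey 'NoAutoRebootWithLoggedOnUsers'
    $wuServer       = Get-PolicyValue $wuKey 'WUServer'
    $wuStatusServer = Get-PolicyValue $wuKey 'WUStatusServer'
    $trustedCerts   = Get-PolicyValue $wuKey 'AcceptTrustedPublisherCerts'
    $targetGroup    = Get-PolicyValue $wuKey 'TargetGroup'

    # Describe "Configure Automatic Updates" the way the Group Policy editor shows it
    $autoUpdates = if ($noAutoUpdate -eq 1) { 'Disabled' }
                   elseif ($null -ne $auOptions) { "Enabled: $auOptions - $($auOptionText[[int]$auOptions])" }
                   else { 'Not Configured' }

    $findings = New-Object 'System.Collections.Generic.List[string]'

    if ($noAutoUpdate -eq 1) {
        $findings.Add('Automatic Updates is disabled by policy; the client will not check for updates.')
    }
    if ($useWuServer -eq 1) {
        if (-not $wuServer) {
            $findings.Add('UseWUServer is set but WUServer is empty; the client has no update source.')
        } elseif ($wuServer -notmatch '^https://') {
            $findings.Add("Intranet update service '$wuServer' is not HTTPS; update metadata and binaries travel in clear text.")
        }
    }
    if ($trustedCerts -eq 1) {
        $findings.Add('Updates signed by any certificate in Trusted Publishers are accepted; review who can add certificates to that store.')
    }
    if ($auOptions -eq 4 -and $null -eq $installTime) {
        $findings.Add('Option 4 without ScheduledInstallTime; installations default to 3:00 A.M.')
    }

    [pscustomobject]@{
        ConfigureAutomaticUpdates     = $autoUpdates
        ScheduledInstallTime          = if ($null -ne $installTime) { '{0:00}:00' -f $installTime } else { 'Not Configured' }
        IntranetUpdateService         = if ($useWuServer -eq 1) { $wuServer } else { 'Not used (Windows Update on the Internet)' }
        StatisticsServer              = $wuStatusServer
        DetectionFrequencyHours       = if ($null -ne $detectFreq) { $detectFreq } else { '22 (default)' }
        ClientSideTargetingGroup      = $targetGroup
        AcceptTrustedPublisherUpdates = ($trustedCerts -eq 1)
        NoAutoRestartWithLoggedOnUser = ($noAutoReboot -eq 1)
        Findings                      = $findings
    }
}

$audit = Get-WindowsUpdatePolicyAudit
$audit | Format-List
if ($audit.Findings.Count -gt 0) {
    Write-Warning ("Review these settings:`n - " + ($audit.Findings -join "`n - "))
}
```

After the lab's Task 3, the expected output is ConfigureAutomaticUpdates showing "Enabled: 4 - Auto download and schedule the install" with no findings; on the Holly-configured clients from the scenario it reports Disabled instead.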

Lab B: Maintaining Windows Updates


Scenario


When A. Datum received the first shipment of Windows 8.1 computers, Holly disabled Automatic Updates
because she was concerned that they would cause problems with a custom app on these systems.
After extensive testing, you have determined that it is extremely unlikely that Automatic Updates will
cause a problem with this app.

Objectives
After you complete this lab, you will be able to configure local Windows Update settings.

Lab Setup
Estimated Time: 20 minutes
Virtual machines: 20687D-LON-DC1, 20687D-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. Verify that the following virtual machines are running:

o 20687D-LON-DC1

o 20687D-LON-CL1

Exercise 1: Configuring Windows Update


Scenario

You have to confirm that Automatic Updates are disabled for the Windows 8.1 computers, and then you
must enable Automatic Updates by implementing a Group Policy.
The main tasks for this exercise are as follows:
1. Verify that Automatic Updates are disabled.

2. Enable Automatic Updates in Group Policy.

3. Verify that the Automatic Updates setting from the Group Policy Object is being applied.

Task 1: Verify that Automatic Updates are disabled

On LON-CL1, open Windows Update, and then verify that Automatic Updates are disabled.

Task 2: Enable Automatic Updates in Group Policy


1. Sign in to LON-DC1 as Adatum\Administrator with password Pa$$w0rd, and then open the Group
Policy Management administrative tool.

2. Edit the Default Domain Policy:

o Modify the settings for Computer Configuration\Policies\Administrative Templates
\Windows Components\Windows Update\Configure Automatic Updates:

Enabled

4 - Auto download and schedule the install


Task 3: Verify that the Automatic Updates setting from the Group Policy Object is
being applied
1. On LON-CL1, at a command prompt, run gpupdate /force to update the Group Policy settings.

2. Open Windows Update, and then verify that the new settings have been applied.

Results: After completing this exercise, you should have configured Windows Update settings by using
Group Policy Objects.

Prepare for the next module


When you have finished the lab, revert all virtual machines back to their initial state:
1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20687D-LON-CL1, and then click Revert.

3. In the Revert Virtual Machines dialog box, click Revert.

4. Repeat steps 2 and 3 for 20687D-LON-DC1.

Module Review and Takeaways


Review Questions
Question: You are having problems with your computer's performance. How can you create
a data collector set to analyze a performance problem?
Question: What are the benefits of creating a data collector set?


Module 13
Configuring Mobile Computing and Remote Access
Contents:
Module Overview 13-1
Lesson 1: Configuring Mobile Computers and Device Settings 13-2
Lab A: Configuring a Power Plan 13-7
Lesson 2: Overview of DirectAccess 13-9
Lab B: Implementing DirectAccess by Using the Getting Started Wizard 13-20
Lesson 3: Configuring VPN Access 13-24
Lesson 4: Configuring Remote Desktop and Remote Assistance 13-33
Lab C: Implementing Remote Desktop 13-36
Module Review and Takeaways 13-38

Module Overview

Mobile computers are available in many types and configurations. This module includes descriptions of
various available mobile devices and describes how you can synchronize them with a computer that is
running the Windows 8.1 operating system. Additionally, this module describes various power options
that you can configure in Windows 8.1.

Windows 8.1 helps end users become more productive, regardless of their location or that of the data
they need. For users who want to use virtual private networks (VPNs) to connect to enterprise resources,
new features in Windows 8.1 and Windows Server 2012 R2 create a seamless experience. You can use
DirectAccess, VPN, and Remote Desktop functionality to enable users to access their work environments
from anywhere they are connected.

Objectives
After completing this module, you will be able to:

Configure mobile computers and device settings.

Configure DirectAccess.

Configure VPN access.

Configure Remote Desktop and Remote Assistance.

Lesson 1

Configuring Mobile Computers and Device Settings


This lesson defines common terminology for mobile computing and provides an overview of related
configuration settings that you can modify in Windows 8.1. Additionally, it provides guidelines for
applying these configuration settings to Windows 8.1 computers.

Lesson Objectives
After completing this lesson, you will be able to:

Describe the various types of mobile computers and devices.

Describe the tools for configuring mobile computers and device settings.

Describe the available options to manage power settings in Windows 8.1.

Configure a power plan in Windows 8.1.

Discussion: Types of Mobile Computers and Devices


Computers play an important part in people's daily lives, and the ability to carry out computing tasks at
any time and in any place has become a necessity for many users. A mobile computer is a device that you
can use for work, even when you are away from your office.
You must be able to answer users' questions about mobile computers, and you must be able to assist
users and other information technology (IT) support staff in choosing appropriate mobile computers for
an organization. Different types of mobile computers include:

Laptops and notebook computers

Tablet PCs

Ultrabook computers

Windows phone devices

Mobile phones

Laptop and Notebook Computers


People often use the terms laptop and notebook interchangeably. However, the term notebook computer
refers to a computer that is lighter or smaller than a laptop. A laptop computer is a portable computer
that contains an integrated screen, battery, keyboard, and pointing device. A laptop computer also might
contain a CD or DVD drive. Many organizations issue laptop computers to employees rather than desktop
computers so that they can work remotely. Hardware manufacturers are responding to this demand by
producing laptops with specifications that are equivalent to or better than many desktop computers.

Tablet PCs

A tablet PC is a fully functional laptop computer with a touchscreen that interacts with a user's fingers or
a stylus. Tablet PCs might have a detachable keyboard and touchpad. Many tablet PC screens also turn or
fold onto the keyboard. Most tablet PCs allow multiple touch inputs simultaneously on the screen,
allowing for complex gestures such as pinching to zoom and scrolling. Windows 8.1 provides an
optimized UI for devices that support touchscreens.

Ultrabook Computers


Ultrabook computers are thin, lightweight laptop computers. Ultrabook computers enable users to
perform multiple tasks, and are typically equipped with 4 gigabytes (GB) of RAM and high-speed Intel
mobile processors. Display sizes are typically 13.3 inches diagonally.

Windows Phone Devices

Windows Phone devices are smartphones that feature an operating system with the familiar Windows UI
and applications that are part of the Windows 8.1 operating system and Microsoft Office.

Windows Phone devices also include Music and Videos Hubs and typically feature mobile phone,
Bluetooth, wireless broadband, and Wi-Fi capabilities. Although you can sometimes use a keyboard on
these devices, they typically are touchscreen devices on which you can use your finger to navigate the
operating system and use applications. Additionally, the Windows Phone operating system supports voice
commands.
Note: Bluetooth is a wireless communications protocol that uses shortwave radio signals to
replace cables and enable compatible devices to communicate with each other. Bluetooth uses a
low-powered radio signal in the unlicensed 2.4 gigahertz (GHz) to 2.485 GHz spectrum, also
known as the industrial, scientific, and medical band.
Bluetooth employs a technology called adaptive frequency hopping, which helps devices switch
frequencies within the industrial, scientific, and medical band. Bluetooth enables compatible
devices to switch frequencies up to 1,600 times a second within the industrial, scientific, and
medical band to maintain optimal connectivity.

Mobile Phone
A mobile phone, also known as a cellular phone, is a portable telephone that uses a form of radio
connectivity. Many mobile phones now have some personal digital assistant (PDA) and media player
functionality. You typically use a numerical keypad or touch screen as the input for this device type.

Tools for Configuring Mobile Computers and Device Settings


When you select a mobile computer operating system, ensure that the device can adapt to a variety of
scenarios. Windows 8.1 gives you the ability to change configuration settings based on specific
requirements.

You can access and configure mobile computer settings by using the Mobile Computer control panel
category page of configuration settings. You can access various settings such as Power Management,
Windows Mobility Center, Sync Center, and Presentation Settings.

Power Management

Windows 8.1 Power Management includes a simple-to-find battery meter that tells you at a glance what
power plan you are using and how much battery life is remaining. Use the battery meter to access and
change the power plan to meet your needs. For example, you might want to conserve power by limiting
the central processing unit (CPU) or configuring when your hard drive will turn off.

Power plans let you adjust your computer's performance and power consumption. To access power plans
in Windows 8.1, from Desktop, in the taskbar, right-click the battery icon, and then click Power Options.
You also can change the Battery Status in the Windows Mobility Center. To access the Windows Mobility
Center, in Control Panel, in the Hardware and Sound category, click Adjust commonly used mobility
settings.

Windows Mobility Center


In Windows 8.1, the key mobile-related system configuration settings are all collected in the Windows
Mobility Center. By using the Windows Mobility Center, you can adapt a mobile computer to meet
different requirements as you change locations, networks, and activities. The Windows Mobility Center
includes settings for:

• Display brightness

• Volume

• Battery Status

• External Display

• Sync Center

• Presentation Settings

Computer manufacturers can customize the Windows Mobility Center to include other hardware-specific
settings, such as Bluetooth or auxiliary displays.

Presentation Settings

Mobile users often have to reconfigure their computer settings for meetings or conference presentations,
such as changing screen-saver timeouts or desktop wallpaper. To improve the user experience and avoid
this inconvenience, Windows 8.1 includes a group of presentation settings that you can apply when you
connect to a display device.
To access the presentation settings, click Presentation Settings in the Windows Mobility Center in Control
Panel. When you finish a presentation, return to the previous settings by clicking the notification area
icon.

Power Plans and Power-Saving Options


For mobile computer users, maintaining optimal system performance while conserving battery life has
always been an important requirement. To advise users on how to conserve battery life without affecting
system performance, you must be familiar with the various factors that affect power consumption. You
also must be familiar with the power plans and power-saving options that are available in Windows 8.1.

By using Windows 8.1 power options, you can conserve a mobile computer's battery. A user can change
various performance options, such as:

• CPU speed

• Display brightness

By using the CPU speed option, you can lower the speed of the computer processor, thereby reducing its
power consumption. Screen brightness requires power, and lowering the brightness reduces power usage.

Power Plans

In Windows 8.1, power plans help you maximize computer and battery performance. With power plans,
you can change a variety of system settings to optimize power or battery usage with a single click,
depending on the scenario. There are three default power plans:

• Power saver. This plan saves power on a mobile computer by reducing system performance. Its
  primary purpose is to maximize battery life.

• High performance. This plan provides the highest level of performance on a mobile computer by
  adapting processor speed to your work or activity, and by maximizing system performance.

• Balanced. This plan balances energy consumption and system performance by adapting the
  computer's processor speed to your activity.

The balanced plan provides the best balance between power and performance. The power saver plan
reduces power usage by lowering the performance. The high performance plan consumes more power
by increasing system performance. Each plan provides alternate settings for AC or DC power.

You can customize or create additional power plans by using Power Options in Control Panel. Some
hardware manufacturers supply additional power plans and power options. When you create additional
power plans, be aware that the more power the computer consumes, the less time it runs on a single
battery charge. By using Power Options, you can configure settings such as Choose what closing the lid
does.
In addition to considering power usage and performance, you also must consider the following three
options for turning a computer on and off:

• Shut down

• Hibernate

• Sleep

Shut Down
When you shut down a computer, Windows 8.1 does the following:

• Saves all open files to the hard disk.

• Saves the memory contents to the hard disk or discards them as appropriate.

• Clears the page file.

• Closes all open applications.

Windows 8.1 then signs out the active user and turns off the computer.

Hibernate

When you put a computer in hibernation, Windows 8.1 saves the system state and the system memory
contents to a file on the hard disk and then shuts down the computer. This state requires no power
because the hard disk is storing the data.


Windows 8.1 supports hibernation at the operating system level without any additional drivers from a
hardware manufacturer. Hibernation data is stored in a hidden system file called Hiberfil.sys. This file is the
same size as the physical memory in the computer and typically is located in the root of the system drive.

Sleep

Sleep is a power-saving state that saves work and open programs to memory. This provides fast resume
capability, typically within several seconds. Sleep does consume a small amount of power.

Windows 8.1 automatically goes to sleep when you press the power button on a computer. If the battery
power of the computer is low, Windows 8.1 puts a computer in hibernation.
Alternatively, you can enable hybrid sleep, during which Windows 8.1 saves data to the hard disk and to
memory. If a power failure occurs on a computer when it is in hybrid sleep, data is not lost. Use hybrid
sleep as an alternative to hibernation. Hybrid sleep uses the same Hiberfil.sys hidden system file as
hibernation.

Demonstration: Configuring Power Plans


In this demonstration, you will see how to create and configure a power plan.

Demonstration Steps

Create a power plan for Adam's laptop

1. Sign in to LON-CL1 as Adatum\Adam, and then open Control Panel.

2. Locate Power Options in System and Security.

3. Using the existing power saver plan, create a new plan named Adam's plan.

Configure the power plan

1. Configure advanced plan settings.

2. Configure Adam's Plan with the following properties:

   o Turn off hard disk after: 10 minutes

   o Wireless Adapter Settings, Power Saving Mode: Maximum Power Saving

   o Power buttons and lid, Power button action: Shut down

3. Close Power Options.

Lab A: Configuring a Power Plan


Scenario


Adam is about to take a long trip to visit all of A. Datum Corporation's customers in the United Kingdom.
Before he leaves, he would like you to optimize the power consumption on his Windows 8.1 laptop.

Objectives
After completing this lab, you will be able to:

Create and configure a new power plan.

Lab Setup
Estimated Time: 15 minutes
Virtual machines: 20687D-LON-DC1, 20687D-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 20687D-LON-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Sign in by using the following credentials:

   o User name: Administrator

   o Password: Pa$$w0rd

   o Domain: Adatum

5. Repeat steps 2 and 3 for 20687D-LON-CL1. Do not sign in until directed to do so.

Exercise 1: Creating and Configuring a New Power Plan


Scenario

Adam wants to ensure that his computer's battery lasts as long as possible between charges while he is on
his trip. He does not want to impose on his customers by asking to plug his computer into an electrical
socket at their offices, and he would rather charge his laptop in the evenings at his hotel.
The main tasks for this exercise are as follows:

1. Create a power plan on Adam's laptop computer.

2. Configure the power plan.

Task 1: Create a power plan on Adam's laptop computer

1. Sign in to LON-CL1 as Adatum\Adam with password Pa$$w0rd.

2. Open Control Panel.

3. From System and Security in Control Panel, click Power Options.

4. Create a new power plan with the following properties:

   o Based on: Power saver

   o Name: Adam's power-saving plan

Task 2: Configure the power plan

1. On the Power Options page, next to Adam's power-saving plan, click Change plan settings.

2. Modify the new power plan with the following properties:

   o Turn off hard disk after: 3 minutes

   o Wireless Adapter Settings, Power Saving Mode: Maximum Power Saving

   o Power buttons and lid, Power button action: Shut down

3. Close all open windows, and then sign out from LON-CL1.

Results: After completing this exercise, you should have successfully created and configured a suitable
power plan for Adam's laptop computer.
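The plan that the demonstration and Lab A build through Power Options can also be created from an elevated PowerShell prompt with powercfg. This is an added example, not part of the course material; it uses the lab's plan name and 3-minute disk timeout (the demonstration used 10 minutes), the well-known powercfg aliases for the built-in Power saver plan and the disk and button settings, and the standard GUIDs for the Wireless Adapter Settings subgroup.

```powershell
# Added example (not course material): build Adam's power-saving plan with
# powercfg instead of the Power Options UI. Run elevated on the Windows 8.1 client.
$PlanName           = "Adam's power-saving plan"   # name used in Lab A, Exercise 1
$DiskTimeoutMinutes = 3                            # lab value; the demonstration used 10

# powercfg aliases: SCHEME_MAX is the built-in Power saver plan; SUB_DISK/DISKIDLE is
# "Turn off hard disk after"; SUB_BUTTONS/PBUTTONACTION is "Power button action".
# Wireless Adapter Settings / Power Saving Mode have no alias, so the GUIDs are used.
$WirelessSubgroup        = '19cbb8fa-5279-450e-9fac-8a3d5fedd0c1'
$WirelessPowerSavingMode = '12bbebe6-58d6-4636-95bb-3217ef867c1a'

# 1. Duplicate the Power saver plan. powercfg prints
#    "Power Scheme GUID: <guid>  (Power saver)"; capture the new GUID.
$text = (powercfg /duplicatescheme SCHEME_MAX) -join ' '
if ($text -match '([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})') {
    $NewPlan = $Matches[1]
} else {
    throw "powercfg did not return a new scheme GUID: $text"
}

# 2. Name the copy as in the lab.
powercfg /changename $NewPlan $PlanName

# 3. Turn off hard disk after N minutes. DISKIDLE is stored in seconds; set the
#    on-battery (DC) and plugged-in (AC) values so the plan behaves the same way on both.
$seconds = $DiskTimeoutMinutes * 60
powercfg /setdcvalueindex $NewPlan SUB_DISK DISKIDLE $seconds
powercfg /setacvalueindex $NewPlan SUB_DISK DISKIDLE $seconds

# 4. Wireless Adapter Settings, Power Saving Mode: Maximum Power Saving.
#    Index: 0 = Maximum Performance, 1 = Low, 2 = Medium, 3 = Maximum Power Saving.
powercfg /setdcvalueindex $NewPlan $WirelessSubgroup $WirelessPowerSavingMode 3
powercfg /setacvalueindex $NewPlan $WirelessSubgroup $WirelessPowerSavingMode 3

# 5. Power buttons and lid, Power button action: Shut down.
#    Index: 0 = Do nothing, 1 = Sleep, 2 = Hibernate, 3 = Shut down.
powercfg /setdcvalueindex $NewPlan SUB_BUTTONS PBUTTONACTION 3
powercfg /setacvalueindex $NewPlan SUB_BUTTONS PBUTTONACTION 3

# 6. Activate the plan and print the disk settings back for verification.
powercfg /setactive $NewPlan
powercfg /list
powercfg /query $NewPlan SUB_DISK
```

The final `powercfg /query` output lists the AC and DC values in hexadecimal (180 seconds appears as 0x000000b4), which is how to confirm the timeout was applied to the new plan rather than the original Power saver plan.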

Prepare for the next lab


When you have finished the lab, leave the virtual machines running, as they are needed for the next
lab.

Lesson 2

Overview of DirectAccess


The DirectAccess feature in Windows 8.1 enables seamless remote access to intranet resources without
first establishing a user-initiated VPN connection. The DirectAccess feature also ensures seamless
connectivity to an application infrastructure for internal users and remote users.

Unlike traditional VPNs that require user intervention to initiate a connection to an intranet, DirectAccess
enables any application that supports Internet Protocol version 6 (IPv6) on a client computer to have
complete access to intranet resources. DirectAccess also enables you to specify resources and client-side
applications that are restricted for remote access.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe the components that are required to implement DirectAccess.

• Describe DirectAccess tunneling protocol options.

• Describe how DirectAccess works for internal clients.

• Describe how DirectAccess works for external clients.

• Configure DirectAccess by running the Getting Started Wizard.

• Identify the changes made by the Getting Started Wizard.

• Identify the settings in the Getting Started Wizard.

• Identify Windows 8.1 DirectAccess client components.

DirectAccess Components
To deploy and configure DirectAccess, your organization must support the following infrastructure
components:

• DirectAccess server

• DirectAccess clients

• Network Location Server

• Internal resources

• An Active Directory Domain Services (AD DS) domain

• Group Policy

• Public key infrastructure (PKI), optional for the internal network

• Domain Name System (DNS) server

• Network Access Protection (NAP) server

DirectAccess Server

The DirectAccess server can be any domain-joined computer that runs the Windows Server 2012 R2 or
Windows Server 2012 operating system, accepts connections from DirectAccess clients, and establishes
communication with intranet resources. This server provides authentication services for DirectAccess
clients and acts as an Internet Protocol security (IPsec) tunnel mode endpoint for external traffic. The new
Remote Access server role allows centralized administration, configuration, and monitoring for both
DirectAccess and VPN connectivity.
Compared with the previous implementation in Windows Server 2008 R2, the new wizard-based setup
simplifies DirectAccess management for small and medium-size organizations. The wizard does so by
removing the need for full PKI deployment and removing the requirement for two consecutive public
Internet Protocol version 4 (IPv4) addresses for the physical adapter that is connected to the Internet. In
Windows Server 2012 R2, the wizard detects the actual implementation state of the DirectAccess server,
and automatically selects the best deployment, thereby not showing the administrator the complexity of
manually configuring IPv6 transition technologies.

DirectAccess Clients

A DirectAccess client can be any domain-joined computer that runs the Enterprise edition of Windows 7,
Windows 8, or Windows 8.1.
Note: With off-premises provisioning, you can join a client computer in a domain without
connecting the client computer in your internal premises.

The DirectAccess client computer connects to the DirectAccess server by using IPv6 and IPsec. If a native
IPv6 network is not available, the client establishes an IPv6-over-IPv4 tunnel by using 6to4 or Teredo.
Note that the user does not have to be logged on to the computer for this step to complete.

If a firewall or proxy server prevents the client computer that is using 6to4 or Teredo from connecting to
the DirectAccess server, the client computer automatically attempts to connect by using Internet Protocol
over Secure Hypertext Transfer Protocol (IP-HTTPS), which uses a Secure Sockets Layer (SSL) connection to
ensure connectivity.

Network Location Server

A DirectAccess client uses the Network Location Server to determine its location. If the client computer
can securely connect to the Network Location Server by using HTTPS, then the client computer assumes it
is on the intranet, and the DirectAccess policies are not enforced. If the Network Location Server cannot
be contacted, the client assumes it is on the Internet. The Network Location Server is installed on the
DirectAccess server with the Web server role.
Note: The URL for the Network Location Server is distributed by using a Group Policy
Object (GPO).

Internal Resources

You can configure any IPv6-capable application that is running on internal servers or client computers
to be available for DirectAccess clients. For older applications and servers that do not have IPv6 support,
such as Windows Server 2003 or other non-Microsoft operating systems, Windows Server 2012 R2
includes native support for protocol translation (NAT64) and a name resolution (DNS64) gateway to
convert IPv6 communication from the DirectAccess client to IPv4 for internal servers.

Active Directory Domain

You must deploy at least one AD DS domain running, at a minimum, Windows Server 2003 domain
functional level. DirectAccess provides integrated multiple-domain support, which allows client computers
from different domains to access resources that might be located in different trusted domains.

Group Policy


You need to use Group Policy for the centralized administration and deployment of DirectAccess settings.
The Getting Started Wizard creates a set of GPOs and settings for DirectAccess clients, the DirectAccess
server, and selected servers.

PKI

PKI deployment is optional for simplified configuration and management. DirectAccess enables client
authentication requests to be sent over an HTTPS-based Kerberos proxy service that is running on the
DirectAccess server. This eliminates the need for establishing a second IPsec tunnel between clients and
domain controllers. The Kerberos proxy will send Kerberos requests to domain controllers on behalf
of the client. However, for a full DirectAccess configuration that allows NAP integration, two-factor
authentication, and force tunneling, you still must implement certificates for authentication for every
client that will participate in DirectAccess communication.

DNS Server

When using Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), you must use at least Windows
Server 2008 R2, Windows Server 2008 with the Q958194 hotfix, Windows Server 2008 Service Pack 2 or
newer, or a non-Windows DNS server that supports DNS message exchanges over ISATAP.

NAP Servers

NAP is an optional component of the DirectAccess solution that allows you to provide compliance
checking and to enforce security policy for DirectAccess clients over the Internet. DirectAccess provides
the ability to configure NAP health check directly from the setup UI.
Remote Access (DirectAccess, Routing and Remote Access) Overview
http://go.microsoft.com/fwlink/?LinkID=269658&clcid=0x409

DirectAccess Tunneling Protocol Options


DirectAccess uses IPv6 and IPsec when clients connect to internal resources. However, many
organizations do not have a native IPv6 infrastructure. Therefore, DirectAccess uses transition tunneling
technologies to connect IPv6 clients to IPv4 internal resources, communicating through the IPv4-based
Internet. DirectAccess tunneling protocols include:

• ISATAP. ISATAP enables DirectAccess clients to connect to the DirectAccess server over IPv4
  networks for intranet communication. By using ISATAP, an IPv4 network emulates a logical IPv6
  subnet to other ISATAP hosts, where ISATAP hosts automatically tunnel to each other for IPv6
  connectivity. Windows Vista, Windows Server 2008, and newer Windows client and server operating
  systems can act as ISATAP hosts. ISATAP does not need changes on IPv4 routers because IPv6 packets
  are tunneled within an IPv4 header. To use ISATAP, you have to configure DNS servers to answer
  ISATAP queries, and IPv6 must be enabled on network hosts.

• 6to4. 6to4 enables DirectAccess clients to connect to the DirectAccess server over the IPv4-based
  Internet. You can use 6to4 when clients have a public IP address. IPv6 packets are encapsulated in an
  IPv4 header and sent over the 6to4 tunnel adapter to the DirectAccess server. You can configure the
  6to4 tunnel adapter for DirectAccess clients and the DirectAccess server by using a GPO. 6to4 cannot
  work if clients are located behind an IPv4 network address translation (NAT) device.

• Teredo. Teredo enables DirectAccess clients to connect to the DirectAccess server across the IPv4
  Internet when clients are located behind an IPv4 NAT device; you should configure the firewall to
  allow outbound traffic on User Datagram Protocol (UDP) port 3544. Clients that have a private IPv4
  address use Teredo to encapsulate IPv6 packets in an IPv4 header and send them over the IPv4-based
  Internet. You can configure Teredo for DirectAccess clients and the DirectAccess server by using a
  GPO.

• IP-HTTPS. IP-HTTPS enables DirectAccess clients to connect to the DirectAccess server over the
  IPv4-based Internet. IP-HTTPS is used by clients that are unable to connect to the DirectAccess server
  by using ISATAP, 6to4, or Teredo. You can configure IP-HTTPS for DirectAccess clients and the
  DirectAccess server by using Group Policy.
IPv6 Transition Technologies
http://go.microsoft.com/fwlink/?LinkID=154382&clcid=0x409

How DirectAccess Works for Internal Clients


A Network Location Server is an internal network server that hosts an HTTPS-based URL. DirectAccess
clients try to access a Network Location Server URL to determine if they are located on an intranet or on
a public network. The DirectAccess server also can be the Network Location Server. In some organizations
where DirectAccess is a business-critical service, the Network Location Server should be highly available.
Generally, the Web server on the Network Location Server does not have to be dedicated just to
supporting DirectAccess clients.

It is critical that the Network Location Server be available from each company location, because the
behavior of the DirectAccess client depends on the response from the Network Location Server. Branch
locations might need a separate Network Location Server at each branch location to ensure that the
Network Location Server remains accessible even when there is a link failure between branches.

How DirectAccess Works for Internal Clients


The DirectAccess connection process happens automatically, without requiring user intervention.
DirectAccess clients use the following process to connect to intranet resources:

1. The DirectAccess client tries to resolve the fully qualified domain name (FQDN) of the Network
   Location Server URL.

   Because the FQDN of the Network Location Server URL corresponds to an exemption rule in the
   Name Resolution Policy Table (NRPT), the DirectAccess client instead sends the DNS query to a locally
   configured DNS server (an intranet-based DNS server). The intranet-based DNS server resolves the
   name.

2. The DirectAccess client accesses the HTTPS-based URL of the Network Location Server, and during
   this process, it obtains the certificate of the Network Location Server.

3. Based on the certificate revocation list (CRL) distribution points field of the Network Location Server's
   certificate, the DirectAccess client checks the CRL revocation files in the CRL distribution point to
   determine if the Network Location Server's certificate has been revoked.

4. If the HTTP response code is 200, the DirectAccess client determines the success of the Network
   Location Server URL (successful access, certificate authentication, and revocation check). Next, the
   DirectAccess client will use the network location awareness service to determine if it should switch to
   the domain firewall profile and ignore the DirectAccess policies because it is on the organization's
   network.

5. The DirectAccess client computer attempts to locate and log on to the AD DS domain by using its
   computer account. Because the client no longer references any DirectAccess rules in the NRPT for
   the rest of the connected session, all DNS queries are sent through interface-configured DNS servers
   (intranet-based DNS servers). With the combination of network location detection and computer
   domain logon, the DirectAccess client configures itself for normal intranet access.

6. Based on the computer's successful logon to the domain, the DirectAccess client assigns the domain
   (firewall network) profile to the attached network.

By design, the DirectAccess connection security tunnel rules are scoped for the public and private firewall
profiles, and they are disabled from the list of active connection security rules.

The DirectAccess client has successfully determined that it is connected to its intranet, and it does not use
DirectAccess settings (NRPT rules or connection security tunnel rules). The DirectAccess client can access
intranet resources normally. It also can access Internet resources through normal means, such as a proxy
server.

How DirectAccess Works for External Clients


When a DirectAccess client cannot reach the URL address specified for the Network Location Server, the
DirectAccess client assumes that it is not connected to an intranet and that it is located on the Internet.
When the client computer cannot communicate with the Network Location Server, it starts to use the
NRPT and connection security rules. The NRPT has DirectAccess-based rules for name resolution, and
connection security rules define DirectAccess IPsec tunnels for communication with intranet resources.
Internet-connected DirectAccess clients use the following process to connect to intranet resources:

1. The DirectAccess client attempts to access the Network Location Server.

2. The client attempts to locate a domain controller.

3. The client attempts to access intranet resources first, and then Internet resources.

DirectAccess Client Attempts to Access the Network Location Server


The DirectAccess clients attempt to access the Network Location Server as follows:

1. The client tries to resolve the FQDN of the Network Location Server URL. Because the FQDN of the
   Network Location Server URL corresponds to an exemption rule in the NRPT, the DirectAccess client
   does not send the DNS query to a locally configured DNS server (an Internet-based DNS server). An
   external Internet-based DNS server would not be able to resolve the name.

2. The DirectAccess client processes the name resolution request as defined in the DirectAccess
   exemption rules in the NRPT.

3. Because the Network Location Server is not found on the same network where the DirectAccess client
   is currently located, the DirectAccess client applies a public or private firewall network profile to the
   attached network.

4. The Connection Security tunnel rules for DirectAccess, scoped for the public and private profiles,
   provide the public or private firewall network profile.

The DirectAccess client uses a combination of NRPT rules and connection security rules to locate and
access intranet resources across the Internet through the DirectAccess server.

DirectAccess Client Attempts to Locate a Domain Controller

After starting up and determining its network location, the DirectAccess client attempts to locate and log
on to a domain controller. This process creates an IPsec tunnel, or an infrastructure tunnel, by using the
IPsec tunnel mode and encapsulating security payload (ESP), to the DirectAccess server. The process is as
follows:

1. The DNS name for the domain controller matches the intranet namespace rule in the NRPT, which
   specifies the IPv6 address of the intranet DNS server. The DNS client service constructs the DNS name
   query that is addressed to the IPv6 address of the intranet DNS server and forwards it to the
   DirectAccess client's TCP/IP stack for sending.

2. Before sending the packet, the TCP/IP stack checks to determine if there are Windows Firewall
   outgoing rules or connection security rules for the packet.

3. Because the destination IPv6 address in the DNS name query matches a connection security rule that
   corresponds with the infrastructure tunnel, the DirectAccess client uses AuthIP and IPsec to negotiate
   and authenticate an encrypted IPsec tunnel to the DirectAccess server. The DirectAccess client (both
   the computer and the user) authenticates itself with its installed computer certificate and its NTLM
   credentials, respectively.

   Note: AuthIP enhances authentication in IPsec by adding support for user-based
   authentication with Kerberos version 5 protocol or SSL certificates. AuthIP also supports efficient
   protocol negotiation and the use of multiple sets of credentials for authentication.

4. The DirectAccess client sends the DNS name query through the IPsec infrastructure tunnel to the
   DirectAccess server.

5. The DirectAccess server forwards the DNS name query to the intranet DNS server. The DNS name
   query response is sent back to the DirectAccess server and back through the IPsec infrastructure
   tunnel to the DirectAccess client.

Subsequent domain logon traffic goes through the IPsec infrastructure tunnel. When a user on the
DirectAccess client logs on, the domain logon traffic goes through the IPsec infrastructure tunnel.

DirectAccess Client Attempts to Access Intranet Resources


The first time that a DirectAccess client sends traffic to an intranet location that is not on the list of
destinations for the infrastructure tunnel (such as an email server), the following process occurs:

1. The application or process that attempts to communicate constructs a message or payload, and
   hands it off to the TCP/IP stack for sending.

2. Before sending the packet, the TCP/IP stack checks to determine if there are Windows Firewall
   outgoing rules or connection security rules for the packet.

3. Because the destination IPv6 address matches the connection security rule that corresponds with the
   intranet tunnel, which specifies the IPv6 address space of the entire intranet, the DirectAccess client
   uses AuthIP and IPsec to negotiate and authenticate an additional IPsec tunnel to the DirectAccess
   server. The DirectAccess client authenticates itself with its installed computer certificate and the user
   account's Kerberos credentials.

4. The DirectAccess client sends the packet through the intranet tunnel to the DirectAccess server.

5. The DirectAccess server forwards the packet to the intranet resources. The response is sent back to
   the DirectAccess server and back through the intranet tunnel to the DirectAccess client.

Any subsequent intranet access traffic that does not match an intranet destination in the infrastructure
tunnel connection security rule goes through the intranet tunnel.

DirectAccess Client Attempts to Access Internet Resources

When a user or a process on a DirectAccess client attempts to access an Internet resource, such as an
Internet Web server, the following process occurs:

1. The DNS client service passes the DNS name for the Internet resource through the NRPT. There
   are no matches. The DNS client service constructs the DNS name query that is addressed to the IP
   address of an interface-configured Internet DNS server and hands it off to the TCP/IP stack for
   sending.

2. Before sending the packet, the TCP/IP stack checks to determine if there are Windows Firewall
   outgoing rules or connection security rules for the packet.

3. Because the destination IP address in the DNS name query does not match the connection security
   rules for the tunnels to the DirectAccess server, the DirectAccess client sends the DNS name query
   normally.

4. The Internet DNS server responds with the IP address of the Internet resource.

5. The user application or process constructs the first packet to send to the Internet resource. Before
   sending the packet, the TCP/IP stack checks to determine if there are Windows Firewall outgoing
   rules or connection security rules for the packet.

6. Because the destination IP address in the DNS name query does not match the connection security
   rules for the tunnels to the DirectAccess server, the DirectAccess client sends the packet normally.

Any subsequent Internet resource traffic that does not match a destination in either the infrastructure
intranet tunnel or connection security rules is sent and received normally.

The process of accessing the domain controller and intranet resources is very similar to the connection
process, because both processes use the NRPT to locate the appropriate DNS server to resolve name
queries. However, the main difference is in the IPsec tunnel that is established between the client and the
DirectAccess server. When accessing the domain controller, all DNS queries are sent through the IPsec
infrastructure tunnel, and when accessing intranet resources, a second IPsec tunnel (the intranet tunnel) is
established to reach them.
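The internal and external connection processes described in this lesson turn on a few client-side facts: whether the Network Location Server answers over HTTPS, which firewall profile the client assigned to its network, what the NRPT contains, and which transition technology (Teredo, 6to4, or IP-HTTPS from the tunneling-protocol topic) is active. The following PowerShell script, an added example that is not part of the course, reads each of those on a Windows 8.1 client so you can see which branch of the process the client took; the Network Location Server URL is a placeholder to replace with your organization's own.

```powershell
# Added example (not course material): report, on a Windows 8.1 DirectAccess client,
# the facts the connection process depends on. Run as an administrator.
$NlsUrl = 'https://nls.adatum.com/'   # placeholder: your organization's Network Location Server URL

# 1. Network location detection. A successful HTTPS request (status 200, trusted
#    certificate, revocation check passed) means the client treats itself as on the
#    intranet and ignores the DirectAccess NRPT rules and tunnel rules. Any failure,
#    including an unresolvable name, means it treats itself as on the Internet.
#    Invoke-WebRequest throws on TLS/certificate errors and on non-2xx responses.
try {
    $response   = Invoke-WebRequest -Uri $NlsUrl -UseBasicParsing -TimeoutSec 5
    $onIntranet = ($response.StatusCode -eq 200)
} catch {
    $onIntranet = $false
    "NLS request failed: $($_.Exception.Message)"
}
$location = if ($onIntranet) { 'intranet' } else { 'Internet' }
"Network Location Server reachable: $onIntranet (client should behave as if on the $location)"

# 2. Firewall profile of the attached network(s). The DirectAccess connection security
#    rules are scoped to the Private and Public profiles only, so DomainAuthenticated
#    here means the client configured itself for normal intranet access.
Get-NetConnectionProfile | Format-Table InterfaceAlias, NetworkCategory -AutoSize

# 3. Effective NRPT. The NLS FQDN should appear as an exemption (no DirectAccess DNS
#    server), and the intranet namespace rule should carry the IPv6 address of the
#    intranet DNS server, which is what steers those queries into the infrastructure tunnel.
Get-DnsClientNrptPolicy | Format-List Namespace, DirectAccess*

# 4. Transition technology state: which tunnel the client ended up with. Teredo needs
#    outbound UDP 3544 through the local firewall; IP-HTTPS is the fallback when
#    6to4 and Teredo are blocked by a firewall or proxy.
'--- Teredo ---';   Get-NetTeredoState       | Format-List
'--- 6to4 ---';     Get-Net6to4Configuration | Format-List
'--- IP-HTTPS ---'; Get-NetIPHttpsState      | Format-List

# 5. What the DirectAccess client components themselves report about connectivity.
Get-DAConnectionStatus
```

Run it once on the intranet and once from an external network: on the intranet the NLS check succeeds and the profile is DomainAuthenticated, while externally the NLS check fails, the profile is Private or Public, and one of the transition technologies shows an active tunnel.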


Demonstration: Configuring DirectAccess by Running the Getting Started Wizard

In this demonstration, you will learn how to configure DirectAccess by running the Getting Started
Wizard.

Demonstration Steps
1. Switch to LON-SVR2.

2. On LON-SVR2, in the Server Manager console, select Remote Access Management. Complete the
   Getting Started Wizard with the following settings:

   a. On the Configure Remote Access page, click Deploy DirectAccess only.

   b. Verify that Edge is selected, and in the Type the public name or IPv4 address used by clients
      to connect to Remote Access server box, type 131.107.0.2.

   c. On the Remote Access Review page, remove the Domain Users group, and then add the
      DA_Clients group.

   d. On the Remote Access Review page, clear the Enable DirectAccess for mobile computers
      only check box.

3. Restart LON-SVR2.

Getting Started Wizard Configuration Changes

The Getting Started Wizard makes multiple configuration changes so that DirectAccess clients can connect
to an intranet. These changes include:

• GPO settings. Two GPOs are created to define which computers will be allowed to connect to an
  organization's network by using DirectAccess:
  o DirectAccess Server Settings GPO. Defines settings that will apply to DirectAccess servers.
  o DirectAccess Client Settings GPO. Defines settings that will apply to DirectAccess clients.

• Remote clients. In the wizard, you can configure the following client computer settings for
  DirectAccess:
  o Select groups. You can select which groups of client computers will be configured for DirectAccess.
    By default, the Domain Computers group will be configured for DirectAccess. In the wizard, you can
    edit this setting and replace the Domain Computers group with a custom security group.
  o Enable DirectAccess for mobile computers only. This setting is enabled by default, but you can
    disable it in the wizard.
  o DirectAccess Connectivity Assistant. The DirectAccess Connectivity Assistant runs on every client
    computer and provides DirectAccess connectivity information, diagnostics, and remediation support.
  o Resources that validate connectivity to an internal network. DirectAccess client computers need
    information that will help them decide whether they are located on an intranet or the Internet.
    Therefore, they will contact resources that you provide in this wizard. You can provide a URL that
    will be accessed by an HTTP request or an FQDN that will be contacted by the PING command. By
    default, this is not configured.
  o Help desk email address. By default, this setting is not configured.
  o DirectAccess connection name. The default name is Workplace Connection.
  o Allow DirectAccess clients to use local name resolution. This setting is disabled by default.

• Remote access server. In the wizard, you define the network topology where the DirectAccess server is
  located:
  o On an edge of the internal corporate network, where the edge server has two network adapters.
  o On a server located behind an edge device, where the server has two network adapters.
  o On a server located behind an edge device, where the server has one network adapter.

  One of the preceding settings is already selected in the wizard. The public name or IPv4 address
  where DirectAccess clients connect from the Internet is already entered in the wizard.

  You can also define the network adapter to which the DirectAccess clients connect, in addition to the
  certificates that IP-HTTPS connections use.

• Infrastructure servers. In the wizard, you define infrastructure servers. DirectAccess clients connect
  to these servers before they connect to internal corporate resources. By default, two entries are
  configured: the domain name suffix, and DirectAccess-NLS followed by the domain name suffix. For
  example, if the domain name is contoso.com, then the following entries are configured: contoso.com
  and DirectAccess-NLS.contoso.com.

Demonstration: Identifying the Getting Started Wizard Settings

In this demonstration, you will identify changes made by the DirectAccess Getting Started Wizard.

Demonstration Steps
1. On LON-SVR2, switch to Server Manager, and then open the Remote Access Management console.

2. In the Remote Access Management console, select DirectAccess and VPN.

3. In the Remote Access Setup window, under the image of the client computer labeled as Step 1
   Remote Clients, click Edit to display the DirectAccess Client Setup window.

4. Review the default settings of all items in the menu on the left (Deployment Scenario, Select
   Groups, and Network Connectivity Assistant), and then close the window without saving any
   changes.

5. In the Remote Access Setup window, under the image of the client computer labeled as Step 2
   Remote Access Servers, click Edit to display the Remote Access Server Setup window.

6. Review the default settings of all items in the menu on the left (Network Topology, Network
   Adapters, and Authentication), and then close the window without saving any changes.

7. In the Remote Access Setup window, under the image of the client computer labeled as Step 3
   Infrastructure Servers, click Edit to display the Infrastructure Server Setup window.

8. Review the default settings of all items in the menu on the left (Network Location Server, DNS, DNS
   Suffix Search List, and Management), and then close the window without saving any changes.

9. In the Remote Access Setup window, under the image of the client computer labeled as Step 4
   Application Servers, click Edit to display the DirectAccess Application Server Setup window.

10. Review the default settings for all items, and then close the window without saving any changes.

11. Close all open windows.

Windows 8.1 DirectAccess Client Components

Windows 8.1 hosts several components that work together to facilitate DirectAccess connectivity:

• Connection security rules and Windows Firewall. Connection security rules determine how your
  computer will connect to network resources. By default, the DirectAccess GPOs that are created by the
  Getting Started Wizard will create a connection security rule in Windows Firewall named ClienttoCorp.
  The connection security rule will enable an IPsec connection to the DirectAccess server if the client
  computer cannot resolve the FQDN of the Network Location Server.

• NRPT. The DirectAccess GPOs also will create NRPT entries for the client computer. You can view the
  configuration of the NRPT by running the Get-DnsClientNrptPolicy cmdlet in the Windows PowerShell
  command-line interface. The NRPT will have an entry for each DNS namespace that has been
  configured for DirectAccess.

• IPv6 connectivity. IPv6 must be enabled on the DirectAccess client to connect to the DirectAccess
  server. When you ping the DirectAccess server or internal network resources by DNS name, the
  address will be converted to IPv6 through IPv6 and IPv4 transition technologies.

DirectAccess Troubleshooting Tools in Windows 8.1

Incorrect Group Policy application is the most common cause of DirectAccess client configuration issues,
but network connectivity configuration and Windows Firewall configuration also can affect DirectAccess
functionality. You can use the following tools to confirm or troubleshoot DirectAccess connectivity in
Windows 8.1.

DirectAccess Windows PowerShell cmdlets

You can use several DirectAccess Windows PowerShell cmdlets to configure and view the configuration
status of a DirectAccess client. The most relevant cmdlets for troubleshooting and configuration are
Get-DAConnectionStatus and Get-DAClientExperienceConfiguration.

Cmdlet                                   Description
Get-DAConnectionStatus                   Shows the current status of a DirectAccess client connection.
Disable-DAManualEntryPointSelection      Disables a manually selected DirectAccess entry point and
                                         reverts the selection to the default.
Enable-DAManualEntryPointSelection       Enables a specific DirectAccess entry point to use for
                                         connectivity.
Get-DAClientExperienceConfiguration      Returns the current client experience configuration for
                                         DirectAccess.
Get-DAEntryPointTableItem                Retrieves the list of entry points that have been configured
                                         for DirectAccess.
New-DAEntryPointTableItem                Configures a new entry point for multisite DirectAccess.
Remove-DAEntryPointTableItem             Removes a DirectAccess entry point from the specified
                                         configuration store.
Rename-DAEntryPointTableItem             Renames a DirectAccess entry point.
Reset-DAClientExperienceConfiguration    Restores the specified DirectAccess client configuration to
                                         the defaults.
Reset-DAEntryPointTableItem              Resets the specified DirectAccess entry point configuration
                                         to the default configuration.
Set-DAClientExperienceConfiguration      Modifies the configuration of the specified DirectAccess
                                         client user experience.
Set-DAEntryPointTableItem                Modifies the configuration of a DirectAccess entry point
                                         stored in a GPO.

Workplace Connection page

You can use the Workplace Connection page to determine whether DirectAccess is enabled on a client
computer. To view DirectAccess status, open the Charms menu, click PC Settings, click Network, click
Connections, and then click Workplace Connection. The Workplace Connection page will provide your
current DirectAccess status and a link that enables you to collect DirectAccess logs.

Lab B: Implementing DirectAccess by Using the Getting Started Wizard

Scenario

Many users at A. Datum work from outside the organization. This includes mobile users and people
who work from home. These users currently connect to the internal network by using a third-party VPN
solution. The Security department is concerned about the security of the external connections and wants
to ensure that the connections are as secure as possible. The Support team wants to minimize the number
of support calls related to remote access and would like to have more options for managing remote
computers.

IT management at A. Datum is considering deploying DirectAccess as the remote access solution for the
organization. As an initial proof-of-concept deployment, management has requested that you configure a
simple DirectAccess environment to use with Windows 8.1 client computers.

Objectives
After completing this lab, you will be able to:

• Configure DirectAccess.

• Validate a DirectAccess deployment.

Lab Setup
Estimated Time: 45 minutes
Virtual machines: 20687D-LON-DC1, 20687D-LON-SVR1, 20687D-LON-SVR2, 20687D-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, on the Start screen, click Hyper-V Manager.

2. In Hyper-V Manager, click 20687D-LON-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Sign in by using the following credentials:
   • User name: Adatum\Administrator
   • Password: Pa$$w0rd

5. Repeat steps 2 through 4 for 20687D-LON-SVR1, 20687D-LON-SVR2, and 20687D-LON-CL1.

Enable Ethernet 2 on LON-SVR2:

1. Switch to LON-SVR2.

2. From the Start screen, type ncpa.cpl, and then press Enter.

3. In the Network Connections window, right-click Ethernet 2, and then click Enable.

4. Close the Network Connections window.

Exercise 1: Configuring DirectAccess

Scenario

You must prepare the DirectAccess infrastructure for deployment. You must install the Remote Access
server role on LON-SVR2, and configure DirectAccess on the DirectAccess server by using the Getting
Started Wizard.
The main tasks for this exercise are as follows:
1. Install the Remote Access server role.

2. Create a security group for DirectAccess clients.

3. Configure DirectAccess by using the Getting Started Wizard.

Task 1: Install the Remote Access server role

• On LON-SVR2, install the Remote Access server role with the DirectAccess and VPN (RAS) role service.

Task 2: Create a security group for DirectAccess clients

1. On LON-DC1, open Active Directory Users and Computers.

2. In Active Directory Users and Computers, create a new global security group named DA_Clients in
   the Users container.

3. Add LON-CL1 to the DA_Clients group.

Task 3: Configure DirectAccess by using the Getting Started Wizard

1. Switch to LON-SVR2.

2. On LON-SVR2, in Server Manager, select Remote Access Management. Complete the Getting
   Started Wizard with the following settings:

   a. On the Configure Remote Access page, click Deploy DirectAccess only.

   b. Verify that Edge is selected, and in the Type the public name or IPv4 address used by clients
      to connect to Remote Access server box, type 131.107.0.2.

   c. On the Remote Access Review page, remove the Domain Users group, and add the
      DA_Clients group.

   d. On the Remote Access Review page, clear the Enable DirectAccess for mobile computers
      only check box.

3. Restart LON-SVR2.

4. Wait for LON-SVR2 to restart, and then sign in as Adatum\Administrator with password Pa$$w0rd.

5. Open the Remote Access console, and then view the Operations Status page.

6. All components should have a Status of Working and a green check mark beside them. If this is not
   the case, click Refresh to update the Operations Status view. You might have to do this several times.

Results: After completing this exercise, you should have configured DirectAccess by using the Getting
Started Wizard.

Exercise 2: Validating the DirectAccess Deployment

Scenario

Now that you have configured DirectAccess, you need to verify that DirectAccess is working. You will start
by verifying the changes made by the Getting Started Wizard, and then you will verify that client
computers can access the internal network by using DirectAccess.
The main tasks for this exercise are as follows:
1. Verify the DirectAccess GPO deployment.

2. Test DirectAccess connectivity.

Task 1: Verify the DirectAccess GPO deployment

1. Switch to LON-CL1.

2. Restart LON-CL1, and then sign in as Adatum\Administrator with password Pa$$w0rd to apply the
   GPOs.

3. Open a Command Prompt window on LON-CL1.

4. At the command prompt, type gpresult /R to verify that the DirectAccess Client Settings GPO is
   applied to the Computer Settings.

   Note: If the DirectAccess Client Settings GPO is not applied, restart LON-CL1, and then
   repeat steps 3 and 4 on LON-CL1.

5. Run the following command at the command prompt:

   netsh name show effectivepolicy

   Verify that the following message displays: DNS Effective Name Resolution Policy Table Settings
   Note: DirectAccess settings are inactive when this computer is inside a corporate network.

6. To move the client from the intranet to the public network, go to the Start screen, type ncpa.cpl, and
   then press Enter.

7. In the Network Connections window, right-click the Ethernet connection, and then click Disable.

8. In the Network Connections window, right-click the Ethernet 2 connection, and then click Enable.

9. Close all open windows.

Task 2: Test DirectAccess connectivity

1. Switch to LON-SVR1.

2. In File Explorer, create a shared folder named C:\Data with the default settings for the Everyone
   group.

3. Switch to LON-CL1.

4. On the Start screen, type \\LON-SVR1\Data, and then press Enter. Note that you are able to access
   the folder content.

5. Close all open windows.

6. Move the pointer to the lower-right corner of the screen, and in the notification area, click Search,
   and in the Search box, type cmd.

7. At the command prompt, run the ipconfig command.

   Note: Notice that the IP address for Tunnel adapter iphttpsinterface starts with 2002. This is an
   IP-HTTPS address.

8. At the command prompt, type the following command, and then press Enter:
   Netsh name show effectivepolicy

9. Verify that DNS Effective Name Resolution Policy Table Settings presents two entries, for adatum.com
   and Directaccess-NLS.Adatum.com.

10. At the Windows PowerShell command prompt, type the following command, and then press Enter:
    Get-DAClientExperienceConfiguration

    Note: Notice the DirectAccess client settings.

11. Switch to LON-SVR2.

12. In the Remote Access Management console, click Remote Client Status.

    Note: Notice that the client is connected via IPHttps. In the Connection Details pane, in the
    lower-right of the screen, note the use of the Kerberos protocol for the Machine and the User.

13. Close all open windows.

Results: After completing this exercise, you should have validated the DirectAccess deployment.
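The client-side checks that Exercise 2 and the earlier DirectAccess troubleshooting tools perform by hand (NRPT entries, the ClienttoCorp connection security rule, the 2002: IP-HTTPS address, Get-DAConnectionStatus), scripted as one health check. This is an added example, not part of the course; it assumes an elevated Windows PowerShell session on a Windows 8.1 DirectAccess client, that the IP-HTTPS adapter alias contains "iphttps" and that the wizard-created rule name contains "ClientToCorp" (both as described on this page), and that adatum.com is the lab domain.

```powershell
# Added example (not part of the lab): a defender-side health check that scripts the
# validations performed in Exercise 2 and the troubleshooting tools listed earlier.
# Assumptions (not from the course): elevated Windows PowerShell on a Windows 8.1 client;
# the IP-HTTPS adapter alias contains "iphttps"; the wizard-created connection security
# rule name contains "ClientToCorp"; adatum.com is the domain.

function Test-DirectAccessClientHealth {
    param([string]$DomainSuffix = 'adatum.com')
    $checks = [ordered]@{}

    # 1. Did the DirectAccess Client Settings GPO apply? That GPO populates the NRPT, so an
    #    empty table is the scripted equivalent of gpresult /R showing the GPO missing.
    $nrpt = @(Get-DnsClientNrptPolicy -ErrorAction SilentlyContinue)
    $checks['NRPT entries present']                 = $nrpt.Count -gt 0
    $checks["NRPT suffix rule for .$DomainSuffix"]  = [bool]($nrpt | Where-Object Namespace -eq ".$DomainSuffix")
    $checks['NRPT NLS exemption present']           = [bool]($nrpt | Where-Object Namespace -like 'directaccess-nls.*')

    # 2. Connection security rule created by the DirectAccess GPO in Windows Firewall.
    $rule = Get-NetIPsecRule -ErrorAction SilentlyContinue | Where-Object DisplayName -like '*ClientToCorp*'
    $checks['ClientToCorp IPsec rule present'] = [bool]$rule

    # 3. IPv6 transition: an IP-HTTPS address starting with 2002 means the client is on the
    #    Internet and tunnelling over HTTPS, as seen with ipconfig in step 7 of Task 2.
    $ipHttps = Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
        Where-Object { $_.InterfaceAlias -like '*iphttps*' -and $_.IPAddress -like '2002:*' }
    $checks['IP-HTTPS 2002: address assigned'] = [bool]$ipHttps

    # 4. Client connection status. ConnectedRemotely means the IPsec tunnels are up;
    #    ConnectedLocally means the NLS was reachable, so DirectAccess is intentionally
    #    inactive (the "inside a corporate network" message from netsh in Task 1).
    $status = Get-DAConnectionStatus -ErrorAction SilentlyContinue
    $checks['DA connection status'] = if ($status) { "$($status.Status) / $($status.Substatus)" } else { 'unavailable' }

    [pscustomobject]$checks
}

Test-DirectAccessClientHealth | Format-List
```

A False on the first three checks points at Group Policy delivery, the most common cause named in the troubleshooting section; a False on the IP-HTTPS check with the NRPT present points at network or firewall configuration instead.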

Prepare for the next lab

When you have finished the lab, revert the virtual machines to their initial state:
1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20687D-LON-CL1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20687D-LON-SVR1, 20687D-LON-SVR2, and 20687D-LON-DC1.

Lesson 3

Configuring VPN Access

To implement and support a VPN environment properly within your organization, you must understand
how to select a suitable tunneling protocol, how to configure VPN authentication, and how to configure
other settings to support your chosen environment.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe a VPN connection.

• Describe the tunneling protocols that VPNs use.

• Describe VPN authentication mechanisms.

• Describe VPN Reconnect and VPN Auto-trigger.

• Configure a VPN.

• Describe the Connection Manager Administration Kit (CMAK).

• Identify key steps for configuring and distributing a connection profile.

• Create a connection profile.

What Is a VPN Connection?

A VPN provides a point-to-point connection between components of a private network, through a public
network such as the Internet. Tunneling protocols enable a VPN client to establish and maintain a
connection to the listening virtual port of a VPN server. To emulate a point-to-point link, the data is
encapsulated, or wrapped, and prefixed with a header. This header provides routing information that
enables the data to traverse the public network to reach its endpoint.

To emulate a private link, the data is encrypted to ensure confidentiality. Packets that are intercepted on
the public network are indecipherable without the encryption keys. Two types of VPN connections exist:

• Remote access

• Site-to-site

Remote Access VPN Connections

Remote access VPN connections enable users who are working at home, at customer sites, or from public
wireless access points to access a server that exists in your organization's private network. They do so by
using the infrastructure that a public network, such as the Internet, provides.

From a user's perspective, a VPN is a point-to-point connection between a computer, the VPN client, and
your organization's server. The exact infrastructure of the shared or public network is irrelevant because it
logically appears as if the data is sent over a dedicated private link.

Site-to-Site VPN Connections
Site-to-site VPN connections, which also are known as router-to-router VPN connections, enable your
organization to have routed connections between separate offices or with other organizations over a
public network, while maintaining secure communications.

A routed VPN connection across the Internet logically operates as a dedicated wide area network link.
When networks connect over the Internet, a router forwards packets to another router across a VPN
connection. To the routers, the VPN connection operates as a data-link layer link.

A site-to-site VPN connection connects two portions of a private network. The VPN server provides a
routed connection to the network to which the VPN server is attached. The calling router (the VPN client)
authenticates itself to the answering router (the VPN server), and for mutual authentication, the answering
router authenticates itself to the calling router.
In a site-to-site VPN connection, the packets that are sent from either router across the VPN connection
typically do not originate at the routers.

Properties of VPN Connections

VPN connections that use Point-to-Point Tunneling Protocol (PPTP), Layer Two Tunneling Protocol (L2TP)
with IPsec, and Secure Socket Tunneling Protocol (SSTP) have the following properties:

• Encapsulation. With VPN technology, private data is encapsulated with a header that contains routing
  information, which allows the data to traverse the transit network.

• Authentication. Authentication for VPN connections takes the following three forms:
  o User-level authentication by using Point-to-Point Protocol (PPP) authentication. To establish the
    VPN connection, the VPN server authenticates the VPN client that is attempting to make the
    connection by using a PPP user-level authentication method and verifies that the VPN client has
    the appropriate authorization. If you use mutual authentication, the VPN client also authenticates
    the VPN server, which provides protection against computers that are masquerading as VPN
    servers.
  o Computer-level authentication by using Internet Key Exchange (IKE). To establish an IPsec
    security association, the VPN client and the VPN server use the IKE protocol to exchange either
    computer certificates or a preshared key. In either case, the VPN client and VPN server
    authenticate each other at the computer level. We recommend computer-certificate
    authentication because it provides much stronger authentication. Note that computer-level
    authentication is performed only for L2TP/IPsec connections.
  o Data origin authentication and data integrity. To verify that the data that is sent over a VPN
    connection originated at the connection's other end and was not modified in transit, the data
    contains a cryptographic checksum based on an encryption key that only the sender and receiver
    know. Data origin authentication and data integrity are available only for L2TP/IPsec connections.

• Data encryption. To ensure confidentiality as data traverses a shared or public transit network, the
  sender encrypts the data and the receiver decrypts it. The encryption and decryption processes
  depend on both the sender and the receiver using a common encryption key. Intercepted packets
  sent along a VPN connection in a transit network will be unintelligible to anyone who does not have
  the common encryption key.

  The encryption key's length is an important security parameter. You can use computational
  techniques to determine the encryption key. However, such techniques require an increasing amount
  of computing power and computational time as encryption keys become larger. Therefore, it is
  important to use the largest possible key size to help ensure data confidentiality.

Tunneling Protocols for VPN Connections

You can use the following tunneling protocols for VPN connections in Windows 8.1.

PPTP
PPTP encrypts and encapsulates traffic in an IP header and then sends it across an IP network. You can
use PPTP for remote client and site-to-site VPN connections. When using the Internet, the VPN server
provides the following functionality to the client:

• Encapsulation. PPTP encapsulates PPP frames in IP datagrams for network transmission. PPTP uses
  Transmission Control Protocol (TCP) to manage the tunnel and a modified version of Generic Routing
  Encapsulation to encapsulate PPP frames for data that is transmitted through the tunnel. PPP frames
  can be encrypted, compressed, or both.

• Encryption. The PPP frame is encrypted with Microsoft Point-to-Point Encryption by using encryption
  keys. These keys are generated by the Microsoft version of the Challenge Handshake Authentication
  Protocol version 2 (MS-CHAPv2) or the Extensible Authentication Protocol-Transport Layer Security
  (EAP-TLS) authentication process. VPN clients must use MS-CHAPv2 or EAP-TLS authentication.

L2TP

L2TP enables you to encrypt multiple-protocol traffic to send over any medium that supports
point-to-point datagram delivery, such as IP or asynchronous transfer mode. L2TP is a combination of
PPTP and Layer Two Forwarding (L2F). L2TP represents the best features of PPTP and L2F.
L2TP relies on IPsec for traffic encryption. The combination of L2TP and IPsec is known as L2TP/IPsec.

L2TP is built into Windows 8.1, Windows 8, Windows Vista, and Windows XP remote access clients, and
VPN server support for L2TP is built into the Windows Server 2008 and Windows Server 2012 families, as
follows:

• Encapsulation. Encapsulation for L2TP/IPsec packets consists of two layers:
  o First layer: L2TP encapsulation. A PPP frame (an IP datagram) is wrapped with an L2TP header
    and a UDP header.
  o Second layer: IPsec encapsulation. The resulting L2TP message is wrapped with an IPsec
    ESP header and trailer, an IPsec authentication trailer that provides message integrity and
    authentication, and a final IP header. The IP header contains the source and destination IP
    addresses that correspond to the VPN client and the VPN server.

• Encryption. The L2TP message is encrypted with either Advanced Encryption Standard (AES) or Triple
  Data Encryption Standard (3DES) by using encryption keys that the IKE negotiation process generates.

SSTP

SSTP is a tunneling protocol that uses HTTPS over TCP port 443. SSTP commonly is used in scenarios
where PPTP and L2TP/IPsec traffic might be blocked by firewalls. SSTP uses the SSL channel of HTTPS to
encapsulate PPP traffic.

When a client tries to establish an SSTP-based VPN connection, SSTP first establishes two-way
communication on the HTTPS layer with the SSTP server. When this communication is established,
the protocol packets flow as the data payload, as follows:

• Encapsulation. SSTP encapsulates PPP frames in IP datagrams for transmission over a network. SSTP
  uses a TCP connection over port 443 for tunnel management and as PPP data frames.

• Encryption. The SSTP message is encrypted with the SSL channel of HTTPS.

IKEv2

Internet Key Exchange version 2 (IKEv2) uses the IPsec tunnel mode protocol over UDP port 500.
Because of its support for mobility, IKEv2 is much more resilient than other protocols to changing network
connectivity. This resiliency makes it a good choice for mobile users who move among access points and
even switch between wired and wireless connections. An IKEv2 VPN provides resilience to the VPN client
when the client either moves from one wireless hotspot to another or switches from a wireless to a wired
connection. This ability is a requirement of VPN Reconnect.
The use of IKEv2 and IPsec enables support for strong authentication and encryption methods, as follows:

• Encapsulation. IKEv2 encapsulates datagrams by using IPsec ESP or Authentication Header (AH)
  headers for transmission over a network.

• Encryption. The message is encrypted via one of the following protocols by using encryption keys that
  are generated from the IKEv2 negotiation process: AES 256, AES 192, AES 128, or 3DES encryption
  algorithms.

IKEv2 is supported only on computers that run Windows 8.1, Windows 8, Windows 7, Windows
Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2.

VPN Authentication

Authenticating users is an important security concern, especially when they connect over a public
network such as the Internet. Authentication methods typically use an authentication protocol that is
negotiated during the connection establishment process. Windows Server 2012 R2 and Windows 8.1
support a number of authentication methods:

• Password Authentication Protocol (PAP). PAP uses plaintext passwords and is the least secure
  authentication protocol. It typically is negotiated if the remote access client and remote access server
  cannot negotiate a more secure form of validation. PAP is included only for backward compatibility,
  and you should avoid using it.

• CHAP. CHAP is a challenge/response authentication protocol that uses the industry-standard
  Message Digest 5 (MD5) hashing scheme. Various vendors of network access servers and clients
  support CHAP. CHAP is not considered sufficiently secure, and you should consider using MS-CHAPv2
  in its place.

• MS-CHAPv2. MS-CHAPv2 provides a one-way, encrypted-password, mutual-authentication process.
  This version is preferable to CHAP and MS-CHAP version 1.

• EAP. EAP uses an arbitrary authentication mechanism to authenticate a remote access connection.
  The remote access client and the authenticator, which is either the remote access server or the
  Remote Authentication Dial-In User Service (RADIUS) server, negotiate the exact authentication
  scheme to use.

• Digital certificates. Certificates are digital documents that are issued by certification authorities
  (CAs), such as Active Directory Certificate Services (AD CS) and the VeriSign public CA. You can use
  certificates for many purposes, such as code signing and securing email communication. However,
  with VPNs, you use certificates for network access authentication because they provide strong
  security for authenticating users and computers, and they eliminate the need for less-secure,
  password-based authentication methods. Network Policy Servers use EAP-TLS and Protected
  Extensible Authentication Protocol (PEAP) to perform certificate-based authentication for many
  types of network access, including VPN and wireless connections.

Two authentication methods, EAP and PEAP, use certificates when you configure them with
certificate-based authentication types. With EAP, you can configure the authentication type TLS (EAP-TLS),
and with PEAP, you can configure the authentication types TLS (PEAP-TLS) and MS-CHAPv2
(PEAP-MS-CHAPv2). These authentication methods always use certificates for server authentication.
Depending on the authentication type that you configure with the authentication method, you also might
use certificates for user authentication and client computer authentication.
The use of certificates for VPN connection authentication offers the strongest form of authentication that
is available in Windows 8.1. You must use certificates for IPsec authentication on VPN connections that
are based on L2TP/IPsec. PPTP connections do not require certificates, although you can configure PPTP
connections to use certificates for computer authentication when you use EAP-TLS as the authentication
method. For wireless clients, use PEAP with EAP-TLS and smart cards or certificates for authentication.
Each of these authentication methods has advantages and disadvantages in terms of security, usability,
and breadth of support. However, password-based authentication methods do not provide strong
security, and we do not recommend them. You should use a certificate-based authentication method for
all network access methods that support certificate use.
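The tunneling-protocol and authentication guidance above, applied from the Windows 8.1 client side as an added example that is not part of the course: one function audits the client's existing VPN profiles for PAP, CHAP, PPTP and weak encryption levels, and another creates an IKEv2 profile with machine-certificate authentication and a pinned AES-256/SHA-256 IPsec proposal. It assumes the Windows 8.1 VpnClient module (Add-VpnConnection, Get-VpnConnection, Set-VpnConnectionIPsecConfiguration); the server name vpn.adatum.com and the profile name are placeholders, and a computer certificate from the organization's PKI is assumed to be installed already.

```powershell
# Added example (not from the course): audits VPN profiles against the lesson's guidance
# (avoid PAP/CHAP, prefer certificate-based IKEv2) and creates a hardened IKEv2 profile.
# Assumptions: Windows 8.1 VpnClient module; vpn.adatum.com and the profile name are
# placeholders; a computer certificate for IKEv2 machine authentication is already installed.

function Get-VpnProfileRisk {
    # Each finding maps to a weakness described in the tunneling and authentication topics.
    foreach ($c in (Get-VpnConnection -ErrorAction SilentlyContinue)) {
        $findings = @()
        if ($c.TunnelType -eq 'Pptp') {
            $findings += 'PPTP: MPPE keys come from MS-CHAPv2/EAP-TLS; prefer IKEv2 or L2TP/IPsec'
        }
        if ($c.AuthenticationMethod -contains 'Pap')  { $findings += 'PAP sends plaintext passwords' }
        if ($c.AuthenticationMethod -contains 'Chap') { $findings += 'CHAP (MD5) is not considered sufficiently secure' }
        if ($c.AuthenticationMethod -contains 'MSChapv2' -and $c.TunnelType -ne 'Ikev2') {
            $findings += 'Password-based authentication; consider EAP-TLS or a machine certificate'
        }
        if ($c.EncryptionLevel -notin 'Required', 'Maximum') {
            $findings += "Encryption level '$($c.EncryptionLevel)' allows unencrypted or weak sessions"
        }
        [pscustomobject]@{
            Name     = $c.Name
            Tunnel   = $c.TunnelType
            Auth     = ($c.AuthenticationMethod -join ',')
            Risk     = if ($findings) { 'Review' } else { 'OK' }
            Findings = ($findings -join '; ')
        }
    }
}

function New-HardenedVpnProfile {
    param([string]$Name = 'Adatum IKEv2', [string]$Server = 'vpn.adatum.com')
    # IKEv2 with machine-certificate authentication: computer-level mutual authentication,
    # plus the mobility support that VPN Reconnect depends on.
    Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType Ikev2 `
        -AuthenticationMethod MachineCertificate -EncryptionLevel Maximum -Force
    # Pin the IPsec proposal so negotiation cannot fall back to 3DES, SHA-1 or DH group 2.
    Set-VpnConnectionIPsecConfiguration -ConnectionName $Name `
        -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 `
        -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 `
        -DHGroup Group14 -PfsGroup PFS2048 -Force
}

Get-VpnProfileRisk | Format-Table -AutoSize
```

Run New-HardenedVpnProfile only after the VPN server has been configured to accept IKEv2 with certificate authentication; the audit function is read-only and safe to run on any client.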

What Are VPN Reconnect and VPN Auto-Trigger?

VPN Reconnect and VPN Auto-trigger provide VPN users with a less complex VPN experience. These features make the process of establishing VPN connections as simple as possible.

VPN Reconnect

In dynamic business scenarios, users must be able to access data securely at any time, from anywhere, and continuously, without interruption. To meet these requirements, you can configure the VPN Reconnect feature that is available in Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows 8.1, Windows 8, and Windows 7. With this feature, users can access an organization's data by using a VPN connection, which automatically reconnects if connectivity is interrupted. This feature also enables roaming among different networks.

VPN Reconnect uses IKEv2 technology to help provide seamless and consistent VPN connectivity. VPN
Reconnect automatically reestablishes a VPN connection when Internet connectivity becomes available
again. Users who connect via a wireless mobile broadband card benefit most from this capability.


Consider a user with a Windows 8.1 laptop. When the user travels to work on a train, he or she connects to the Internet by using a wireless mobile broadband card and then establishes a VPN connection to the company's network. When the train passes through a tunnel, the Internet connection is lost. After the train emerges from the tunnel, the wireless mobile broadband card automatically reconnects to the Internet. With Windows Vista, the VPN does not reconnect automatically. Therefore, the user has to repeat the multistep process of connecting to the VPN manually. Doing so is time-consuming for mobile users with intermittent connectivity.

With VPN Reconnect, Windows 8.1, Windows 8, and Windows 7 automatically reestablish active VPN connections when Internet connectivity is reestablished. Even though the reconnection might take several seconds, users reconnect automatically and have access to internal network resources.

The system requirements for using the VPN Reconnect feature are:
• Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 as a VPN server.
• Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 as the VPN client operating system.
• A PKI, because a remote connection with VPN Reconnect requires a computer certificate. Certificates issued by either an internal or a public CA can be used.

VPN Auto-Trigger

You can configure Windows 8.1 to connect automatically through VPN when applications or network locations are used that require organizational network resources. Configuration for VPN Auto-trigger in Windows 8.1 is performed by using Windows PowerShell cmdlets that enable you to add and remove triggers for the following scenarios:

• App-based triggering. When app-based triggering is configured, the VPN connection is triggered by a specific app being run. In this case, the app is added as a trigger to the VPN connection profile by using the Add-VpnConnectionTriggerApplication cmdlet. You can remove app triggers by using the Remove-VpnConnectionTriggerApplication cmdlet in Windows PowerShell.

• Name-based triggering. You configure name-based triggering by adding DNS name suffixes to the VPN connection profile by using the Add-VpnConnectionTriggerDns cmdlet. You can remove name-based triggers by using the Remove-VpnConnectionTriggerDns cmdlet in Windows PowerShell.

Configuring trusted networks

Trusted networks are represented by DNS suffixes where VPN Auto-trigger is not enabled. For example, if a user has his or her laptop connected to an internal corporate network, the laptop will have access to resources on the internal network without requiring a VPN connection. In this case, you would add the DNS suffix or suffixes for the internal network by using the Add-VpnConnectionTriggerTrustedNetwork cmdlet. If a client computer always connects from outside an internal network, then no trusted networks need to be configured.

Enabling VPN Auto-triggering in the UI

When a VPN profile is configured with one or more triggers, the user is presented with an option in the network connection window labeled Let apps automatically use this VPN connection. When the check box for this option is selected, VPN Auto-trigger will connect the VPN.

Scenarios that do not support VPN Auto-triggering

The following scenarios do not support the use of VPN Auto-triggering in VPN profiles:

• Split-tunneling is disabled. If the ability of a VPN connection to route specific traffic to an organization's network and other traffic through the client's connection to the Internet is disabled, you cannot use VPN Auto-triggering. VPN Auto-triggering requires split-tunneling to be enabled on the VPN connection.

• The client computer is joined to a domain. VPN Auto-trigger is not supported on domain-joined computers. You can use a domain-joined computer to create and configure VPN profiles that support VPN Auto-triggering, but the actual Auto-triggering functionality will not operate on the domain-joined computer.

Automatically Triggering VPN Connections and VPN Diagnostics Enhancements in Windows 8.1
http://go.microsoft.com/fwlink/?LinkId=378259&clcid=0x409

Demonstration: Configuring a VPN

In this demonstration, you will see how to:
• Create a new VPN connection.
• Configure the VPN connection.
• Test the connection.

Demonstration Steps

Create a new VPN connection
1. Sign in as an administrator, and then open Network and Sharing Center.
2. Create a new VPN by selecting Connect to a workplace.
3. Configure the initial settings, including 172.16.0.10 as the target IPv4 address and HQ as the name.

Configure the VPN connection
• Modify the VPN settings to select PPTP as the tunneling type.

Test the connection
1. Connect to LON-DC1 with the HQ VPN, and then authenticate by using the Adatum\Administrator account.
2. Disconnect the HQ connection.
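The HQ profile created in this demonstration (name HQ, server 172.16.0.10, PPTP) and the VPN Auto-trigger configuration described in the previous topic can also be set up from Windows PowerShell. The following script is an added example and is not part of the course material; it uses the VpnClient cmdlets that the Auto-trigger topic names. The application path, the DNS suffix corp.adatum.com and the trusted-network suffix are constructed values, and the domain-membership check at the top reflects the stated limitation that Auto-trigger does not operate on domain-joined computers.

```powershell
# Added example (not from the course): the HQ VPN profile from the demonstration plus the
# VPN Auto-trigger settings from the previous topic, configured with the VpnClient cmdlets.
# Course values: connection name HQ, server 172.16.0.10, tunnel type PPTP.
# Constructed values: the app path, the DNS suffix corp.adatum.com, the trusted-network suffix.

$ConnectionName = 'HQ'
$ServerAddress  = '172.16.0.10'
$TriggerApp     = 'C:\Program Files\Contoso\LineOfBusiness.exe'   # constructed path

# Auto-trigger can be configured on a domain-joined computer but will not fire there, so say so up front.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.PartOfDomain) {
    Write-Warning "$($cs.Name) is domain-joined: triggers can be stored in the profile but will not operate."
}

# Create the per-user profile. -SplitTunneling is required, because Auto-trigger cannot be used
# when split tunneling is disabled. MS-CHAPv2 over PPTP matches the demonstration, but it is a
# password-based method; where the VPN server supports it, prefer a certificate-based method
# (EAP-TLS or PEAP) as the certificates topic recommends.
Add-VpnConnection -Name $ConnectionName `
                  -ServerAddress $ServerAddress `
                  -TunnelType Pptp `
                  -AuthenticationMethod MSChapv2 `
                  -EncryptionLevel Required `
                  -SplitTunneling `
                  -RememberCredential `
                  -Force

# App-based trigger: starting this desktop application brings the VPN up.
Add-VpnConnectionTriggerApplication -ConnectionName $ConnectionName -ApplicationID $TriggerApp -Force

# Name-based trigger: resolving a name under this suffix brings the VPN up, and queries for it are
# sent to the internal DNS server given here (constructed: the lab VPN server doubles as resolver).
Add-VpnConnectionTriggerDns -ConnectionName $ConnectionName `
    -DnsSuffix 'corp.adatum.com' -DnsIPAddress '172.16.0.10' -Force

# Trusted network: when the active interface already carries this connection-specific DNS suffix,
# the client is on the internal network and no trigger fires.
Add-VpnConnectionTriggerTrustedNetwork -ConnectionName $ConnectionName -DnsSuffix 'corp.adatum.com' -Force

# Review what the profile now contains, then remove the app trigger again to show the reverse operation.
Get-VpnConnectionTrigger -ConnectionName $ConnectionName
Remove-VpnConnectionTriggerApplication -ConnectionName $ConnectionName -ApplicationID $TriggerApp -Force
```

After the script runs, the Let apps automatically use this VPN connection check box appears on the HQ connection in the network connection window, and Get-VpnConnectionTrigger is the quickest way to confirm which triggers and trusted networks a profile carries before distributing it.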

What Is the CMAK?

The CMAK is a wizard-based interface that you can use to create VPN connection profiles. You can use the CMAK to customize users' remote-connection options by creating predefined connections to remote servers and networks. You use the CMAK wizard to create and customize a connection for your users. The CMAK wizard creates an executable file that you can distribute in many ways or include during deployment activities as part of an operating system image.

Connection Manager is a client network-connection tool that enables a user to connect to a remote network, such as an Internet Service Provider or a corporate network that a VPN server protects.


The CMAK is an optional component that is not installed by default. You must install CMAK to create
connection profiles that your users can install and use to access remote networks.

Configuring and Distributing a Connection Profile

You can configure a new or existing connection profile by using the CMAK Connection Profile Wizard. Each page of the wizard allows you to complete another step of the process. The options presented in the CMAK wizard are:

• Select the Target Operating System
• Create or Modify a Connection Profile
• Specify the Service Name and the File Name
• Specify a Realm Name
• Merge Information from Other Connection Profiles
• Add Support for VPN Connections
• Add a Custom Phone Book
• Configure Dial-up Networking Entries
• Specify Routing Table Updates
• Configure Proxy Settings for Internet Explorer
• Add Custom Actions
• Display Custom Bitmaps and Icons
• Customize the Notification Area Shortcut Menu
• Include a Custom Help File
• Display Custom Support Information
• Include Connection Manager Software with the Connection Profile
• Display a Custom License Agreement
• Install Additional Files with the Connection Profile
• Build the Connection Profile and its Installation Program
• Make Advanced Customizations
• Your Connection Profile is Complete and Ready to Distribute


Demonstration: Creating a Connection Profile

In this demonstration, you will see how to:
• Install the CMAK feature.
• Create a connection profile.
• Examine the created profile.

Demonstration Steps

Install the CMAK feature
1. If necessary, on LON-CL1, sign in as Adatum\Administrator with password Pa$$w0rd.
2. Open Control Panel, and then enable the RAS Connection Manager Administration Kit (CMAK) feature.

Create a connection profile
1. Open the Connection Manager Administration Kit from Administrative Tools.
2. Complete the wizard to create the connection profile.

Examine the created profile
• Use File Explorer to examine the contents of the folder that was created by the CMAK wizard to create the connection profile. Normally, you now would distribute this profile to your users.


Lesson 4

Configuring Remote Desktop and Remote Assistance


Many organizations use remote management and troubleshooting so that they can reduce
troubleshooting time and reduce travel costs for support staff. Remote troubleshooting allows support
staff to operate effectively from a central location.

Lesson Objectives
After completing this lesson, you will be able to:
• Describe Remote Desktop and Remote Assistance.
• Describe how to configure and use Remote Desktop.
• Configure and use Remote Assistance.

What Are Remote Desktop and Remote Assistance?

The Windows 8.1 operating system supports remote troubleshooting capabilities such as Remote Desktop, Remote Assistance, and other remote administrative tools.

Note: You also can use Windows PowerShell to perform remote administration. This is known as remoting, which lets you run Windows PowerShell cmdlets on remote computers. The appendix of this course discusses Windows PowerShell remoting in detail.

Remote Desktop

Remote Desktop uses the Remote Desktop Protocol (RDP) to enable users to access files on their office computer from another computer, such as one located at their home. Additionally, Remote Desktop allows administrators to connect to multiple Windows Server sessions for remote administration purposes. While a Remote Desktop session is active, Remote Desktop locks the target computer, prohibiting interactive logons for the session's duration.

Note: Microsoft RemoteFX delivers a rich user experience for Virtual Desktop Infrastructure by providing a three-dimensional virtual adapter, intelligent codecs, and the ability to redirect USB devices in virtual machines. RemoteFX is integrated with the RDP, which enables shared encryption, authentication, management, and device support.

Remote Assistance

Remote Assistance allows a user to request help from a remote administrator. To access Remote Assistance, run the Windows Remote Assistance tool. By using this tool, you can do the following:
• Invite someone who is trustworthy to help you.
• Offer to help someone.
• View a remote user's desktop.
• Chat with a remote user with text chat.
• Send a file to a remote computer.
• Request to take remote control of a remote desktop, if permissions allow.


Users can send Remote Assistance invitations through email or by saving a request to a file that a remote
administrator can read and act on.

Windows Firewall

Windows 8.1 prevents remote troubleshooting tools from connecting to a local computer by using Windows Firewall. However, by default, Windows Firewall will allow Remote Desktop and Remote Assistance traversal of the firewall.

To enable support for other applications, complete the following procedure:
1. Open Windows Firewall from Control Panel.
2. Click Allow a program or feature through the Windows Firewall, and then select for what you want to enable an exception.

Configuring Remote Desktop

To access a remote computer from a source computer by using the Remote Desktop feature, you need to configure certain Remote Desktop settings on both computers.

On the remote computer, you need to perform the following procedure to enable remote access to the computer:
1. In Control Panel, click System and Security, click System, and then click Remote settings.
2. In the Remote tab of the System Properties dialog box, you can select one of the following options:
   o Don't allow connections to this computer.
   o Allow connections from computers running any version of Remote Desktop. This is a less secure option.
   o Allow connections only from computers running Remote Desktop with Network Level Authentication. This is a more secure option.
3. Click Select Users. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
4. If you are an administrator on the computer, your current user account will be added automatically to the list of remote users, and you can skip the next two steps.
5. In the Remote Desktop Users dialog box, click Add.
6. In the Select Users or Groups dialog box, do the following:
   a. To specify the location in which to search for the remote user, click Locations, and then select the location you want to search.
   b. In Enter the object names to select, type the name of the user that you want to add as a remote user, and then click OK.

On the source computer, you need to perform the following to access the remote computer:
1. Start Remote Desktop.
2. Before connecting, enter the logon credentials on the General tab, and make desired changes to the options in the following tabs:
   o Display. Choose the remote desktop display size. You have the option to run the remote desktop in full-screen mode.
   o Local Resources. Configure local resources for use by the remote computer, such as Clipboard and printer access.
   o Programs. Specify which programs you want to start when you connect to the remote computer.
   o Experience. Choose connection speeds and other visual options.
   o Advanced. Provide security credential options.
3. Save these settings for future connections by clicking Save on the General tab.
4. Click Connect to connect to the remote computer.

Demonstration: Configuring Remote Assistance

This demonstration shows how to enable and use Remote Assistance. Adam needs help with a Microsoft Word feature. He requests assistance, and you provide guidance on the feature by using Remote Assistance.

Demonstration Steps

Create a Microsoft Word 2013 document
1. Sign in as Adam, and then open Microsoft Word 2013.
2. Create a blank document, and then type This is my document into the new Microsoft Word document.

Enable and then request Remote Assistance
1. Open Remote settings, and then specify administrative credentials when prompted by User Account Control.
2. Verify that remote access is allowed on this computer.
3. Run msra.exe, and then request Remote Assistance.
4. Save the invitation to a shared folder location that is accessible by your invitee.

Provide Remote Assistance
1. Switch to LON-CL2, and then sign in as Holly.
2. Retrieve the Remote Assistance request file, and then enter the password.
3. Request access, and then await acknowledgement.
4. Take remote control, and then direct the user how to create a comment in a Word 2013 document.
5. Create a chat window, and then ask the user if they are satisfied with the offered solution.
6. Close the session.
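The novice-side steps of this demonstration (allow Remote Assistance, create a file invitation) and the helper's step of opening that invitation can be driven with the same msra.exe that step 3 runs. The following script is an added example, not course material: the share \\LON-DC1\RAInvites and the invitation password are constructed values, the registry value and msra.exe switches are the ones Windows 8.1 ships with, and the first function has to run elevated.

```powershell
# Added example (not from the course): the Remote Assistance demonstration as commands.
# Novice side (LON-CL1, signed in as Adam): Enable-RemoteAssistanceHelp, then New-RemoteAssistanceInvitation.
# Helper side (LON-CL2, signed in as Holly): Open-RemoteAssistanceInvitation.
# Constructed values: the invitation share \\LON-DC1\RAInvites and the password.

function Enable-RemoteAssistanceHelp {
    # Same switch as "Allow Remote Assistance connections to this computer" in Remote settings (step 2).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'
    if ((Get-ItemProperty -Path $key).fAllowToGetHelp -ne 1) {
        Set-ItemProperty -Path $key -Name fAllowToGetHelp -Value 1 -Type DWord
    }
    # The Remote Assistance rule group is on by default for the Domain and Private profiles;
    # list what is actually enabled rather than assuming it.
    Get-NetFirewallRule -DisplayGroup 'Remote Assistance' -Enabled True |
        Select-Object DisplayName, Profile, Direction
}

function New-RemoteAssistanceInvitation {
    param([string]$Path     = '\\LON-DC1\RAInvites\Adam.msrcIncident',   # constructed share
          [string]$Password = 'Ra-Demo-2014!')                            # constructed; helper must type it
    # msra.exe /saveasfile <path> <password> writes the invitation file (steps 3 and 4) and then
    # stays open waiting for the helper. The password only protects the invitation; the novice
    # still has to accept the incoming connection and, later, the request for control.
    Start-Process -FilePath msra.exe -ArgumentList "/saveasfile `"$Path`" $Password"
    $Path
}

function Open-RemoteAssistanceInvitation {
    param([string]$Path = '\\LON-DC1\RAInvites\Adam.msrcIncident')
    # Helper side: msra.exe /openfile prompts for the password and then waits for the novice to accept.
    Start-Process -FilePath msra.exe -ArgumentList "/openfile `"$Path`""
}

Enable-RemoteAssistanceHelp
New-RemoteAssistanceInvitation        # on LON-CL1
# Open-RemoteAssistanceInvitation     # on LON-CL2
```

Because the invitation file is only as confidential as the share it sits on, the share used for invitations should be readable by the intended helper and not by everyone; the password is the second factor that keeps a stray copy of the file from being usable.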

Lab C: Implementing Remote Desktop

Scenario

Adam has a desktop computer in his office in London that he might wish to use while he travels around the UK between his customers.

Objectives
After completing this lab, you will be able to:
• Configure Remote Desktop.

Lab Setup
Estimated Time: 15 minutes
Virtual machines: 20687D-LON-DC1, 20687D-LON-CL1, 20687D-LON-CL2
User name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. Verify that the following virtual machines are running:
   o 20687D-LON-DC1
   o 20687D-LON-CL1

You also will need to start and connect to 20687D-LON-CL2. Do not sign in until directed to do so.

Exercise 1: Configuring a Remote Desktop Connection

Scenario

You decide to enable Remote Desktop on Adam's desktop computer so that he can access it to work on his data files should the need arise. Before Adam leaves, you decide to test the Remote Desktop connection to his desktop computer from his laptop.

The main tasks for this exercise are as follows:
1. Enable Remote Desktop through the firewall, and enable Remote Desktop on Adam's office computer.
2. Connect to the remote computer with Remote Desktop.

Task 1: Enable Remote Desktop through the firewall, and enable Remote Desktop on Adam's office computer
1. On LON-CL1, open Windows Firewall, and then enable Remote Desktop through the firewall for all network location profiles (Domain, Private, and Public).
2. In Control Panel, in System and Security, click Allow remote access, and then select the following options:
   a. Click Allow remote connections to this computer.
   b. Add Adatum\Adam as a Remote Desktop user.


3. Confirm your changes, and then close all open windows.
4. Sign in to LON-CL2 as Adatum\Administrator with password Pa$$w0rd, and then open Remote Desktop Connection.
5. Specify the computer to connect to as LON-CL1, and then click Show Options.
6. On the Advanced tab, under Server authentication, in the If server authentication fails dropdown list, click Connect and don't warn me.

Note: You also can enable this firewall rule indirectly by enabling Remote Desktop from Control Panel\System\Remote settings.

Task 2: Connect to the remote computer with Remote Desktop
1. Connect to LON-CL1. When prompted, enter the user name Adatum\Adam and the password Pa$$w0rd.
2. Determine the computer name within the Remote Desktop session.
3. Close the Remote Desktop session, and then close all open windows.
4. On LON-CL1, notice that you have been signed out.

Results: After completing this exercise, you should have verified that Remote Desktop is functional.
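The settings that Task 1 of this lab and the earlier Configuring Remote Desktop topic make through Control Panel, and the connection that Task 2 makes with Remote Desktop Connection, correspond to a handful of registry values, a firewall rule group, a local group and an .rdp file. The script below is an added example and not part of the course; it picks the Network Level Authentication option that the topic calls the more secure one, keeps the lab's computer name LON-CL1 and user Adatum\Adam, and uses a constructed path for the .rdp file. The first function must run elevated on the office computer.

```powershell
# Added example (not from the course): Task 1 (enable Remote Desktop on LON-CL1 and allow it
# through the firewall) and Task 2 (connect from LON-CL2) as PowerShell, using the NLA-only option
# from the "Configuring Remote Desktop" topic. Course values: LON-CL1, Adatum\Adam.
# Constructed value: the .rdp file path.

function Enable-SecureRemoteDesktop {
    param([string]$RemoteUser = 'Adatum\Adam')

    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdp = "$ts\WinStations\RDP-Tcp"

    # "Allow remote connections to this computer": fDenyTSConnections 0 = connections allowed.
    Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0 -Type DWord
    # "Allow connections only from computers running Remote Desktop with Network Level Authentication":
    # UserAuthentication 1 makes the client authenticate before a session and logon screen exist for it.
    Set-ItemProperty -Path $rdp -Name UserAuthentication -Value 1 -Type DWord
    # SecurityLayer 2 = TLS, so the session is encrypted and the client can check the server's identity.
    Set-ItemProperty -Path $rdp -Name SecurityLayer -Value 2 -Type DWord

    # Task 1 step 1: the built-in "Remote Desktop" rule group covers the Domain, Private and Public profiles.
    Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

    # Task 1 step 2b: membership of the local Remote Desktop Users group grants the remote logon right.
    # net.exe is used because Add-LocalGroupMember does not exist on Windows 8.1.
    & net.exe localgroup 'Remote Desktop Users' $RemoteUser /add | Out-Null

    # Return the effective state so the change is verified rather than assumed.
    [pscustomobject]@{
        ConnectionsAllowed = ((Get-ItemProperty -Path $ts).fDenyTSConnections -eq 0)
        NlaRequired        = ((Get-ItemProperty -Path $rdp).UserAuthentication -eq 1)
        EnabledRules       = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True).Count
        RemoteUsers        = @(& net.exe localgroup 'Remote Desktop Users' | Where-Object { $_ -like '*\*' })
    }
}

function Connect-OfficeDesktop {
    param([string]$ComputerName = 'LON-CL1',
          [string]$RdpFile = (Join-Path $env:TEMP "$ComputerName.rdp"))   # constructed path

    # The choices Task 2 makes in the GUI, written to an .rdp file. The lab picks "Connect and
    # don't warn me" (authentication level 0) because LON-CL1 has only a self-signed certificate;
    # outside a lab keep 2 (warn, the default) or 1 (do not connect), since that check is what stops
    # the client from presenting credentials to a server that is not the one it expects.
    @(
        "full address:s:$ComputerName"
        'authentication level:i:2'
        'prompt for credentials:i:1'
        'redirectclipboard:i:1'
        'redirectprinters:i:0'
    ) | Set-Content -Path $RdpFile -Encoding Unicode

    Start-Process -FilePath mstsc.exe -ArgumentList "`"$RdpFile`""
}

Enable-SecureRemoteDesktop      # run on LON-CL1
# Connect-OfficeDesktop         # run on LON-CL2, then sign in as Adatum\Adam
```

The object returned by Enable-SecureRemoteDesktop is what you would check in a compliance script: ConnectionsAllowed and NlaRequired both true, EnabledRules greater than zero, and only the expected accounts listed under RemoteUsers.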

Prepare for the next module

When you have finished the lab, revert the virtual machines to their initial state:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687D-LON-CL2, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20687D-LON-CL1 and 20687D-LON-DC1.

Module Review and Takeaways

Review Question
Question: You have some important files on your desktop computer at work that you need to retrieve when you are at a client's location with your laptop computer. What do you need to do on your desktop computer to ensure that you can download your files when at a customer site?


Module 14
Recovering Windows 8.1

Contents:
Module Overview                                            14-1
Lesson 1: Backing Up and Restoring Files in Windows 8.1    14-2
Lesson 2: Recovery Options in Windows 8.1                  14-5
Lab: Recovering Windows 8.1                                14-18
Module Review and Takeaways                                14-24

Module Overview

It is important to protect data on your computer from accidental loss or corruption. To recover from a
problem, typically it is easier to restore system settings than to reinstall an operating system and apps.
The Windows 8.1 operating system provides a number of features that you can use to protect important
data files, in addition to tools that you can use to recover a computer that will not start or that starts with
errors. You can use features such as File History, System Protection, and synchronization with Microsoft
OneDrive (formerly known as SkyDrive) to protect your data. To support your users, it is important that
you understand how to use these features and tools.

Objectives
After completing this module, you will be able to:
• Back up and restore files in Windows 8.1.
• Explain the use of recovery options in Windows 8.1.

Lesson 1

Backing Up and Restoring Files in Windows 8.1


Although you might implement a file-recovery strategy for user data that is stored on network file servers
or network-accessible storage devices, you should remember that users often save their work to local
storage. Consequently, it is important that you provide some method of local file recovery so that you can
recover these data files if they become corrupted or you delete them accidentally.

Lesson Objectives
After completing this lesson, you will be able to:
• Explain the need for data backup.
• Describe File History.
• Configure and use File History.

Discussion: The Need for Data Backup

A computer contains different types of data that it stores in different locations. Computer data types include operating-system configuration files, app settings, user-related settings, and user data files. The latter can include documents, images, spreadsheets, and other types of files. Although computers are very reliable and most operating systems are robust and recoverable, problems do occur. Sometimes these problems can result in data loss.

When data is stored on file servers, it usually is highly available and centrally backed up. However, because users also store data locally, it is important that you protect data files and settings so that if a computer problem occurs, no data is lost.

A computer that is running Windows 8.1 stores data files and settings in several locations, so you need to ensure that you protect all of them. You can help protect these data files and settings by:
• Storing them on a file server, such as when you are using Folder Redirection.
• Manually copying files to other media.
• Using Windows 8.1 file-recovery tools, such as File History.
• Synchronizing files and settings with OneDrive.

Question: Does Windows 8.1 include a backup tool?

What Is File History?

Windows 8.1 enables users with multiple devices to synchronize their settings and data across these devices. In such a scenario, traditional system backup is not a requirement. Windows 8.1 includes features to protect user files and the ability to revert devices to their initial configurations, either by keeping user settings or not. In such environments, traditional backup seems obsolete because it is lengthy, device-specific, and includes content that is part of the initial device configuration. Windows 8.1 includes the File History feature that you can use to protect user data.

File History


With File History, Windows 8.1 can save copies of your files automatically to a removable local drive or to a shared folder on a network. After you enable File History, it periodically saves a copy of your modified files to a designated location. Windows 8.1 saves modified files each hour and keeps file versions indefinitely by default. However, you can configure the interval at which saves occur and how long Windows 8.1 will keep saved files.

File History saves files from the following folders:
• Contacts
• Desktop
• Favorites

Additionally, File History saves files from the following libraries:
• Documents
• Music
• Pictures
• Videos

Note: You cannot add additional folders or libraries to this list, but you can add folders to the libraries that File History is protecting. You also can define exceptions if you do not want all files for the included folders and libraries to be included in File History.

To recover files, from the File History dialog box, you can click Restore personal files, and then select the file from the folders or libraries. Alternatively, you can recover files directly from File Explorer. Navigate to the folder that contains a deleted file, and then on the Home ribbon, click History. File History opens and lists the recoverable files.

Question: Is File History turned on by default?
Question: Can you protect additional folders by using File History?

Demonstration: Configuring and Using File History


In this demonstration, you will see how to configure File History in Windows 8.1 and use this feature to
recover a deleted file.

Demonstration Steps
1. Create a new Microsoft Word 2013 document named Recovery file in the Documents library.
2. Modify the contents of the Recovery file document, and then save the file.
3. Use File History to add \\LON-DC1\FileHistory as an available drive, and then turn on File History.
4. Delete the file named Recovery file in the Documents library.
5. Use the History option in File Explorer to recover the file.

Lesson 2

Recovery Options in Windows 8.1


Registry corruption and issues with device drivers or system services can result in startup-related
problems. Systematic troubleshooting is essential so that you can determine and resolve the underlying
cause of the problem quickly and efficiently.

This lesson describes how to identify and troubleshoot issues that affect an operating system's ability to start, and how to identify problematic services that are running on an operating system. It also describes how to use troubleshooting tools in Windows 8.1. These tools are known collectively as the Windows Recovery Environment (Windows RE).

Lesson Objectives
After completing this lesson, you will be able to:
• Explain the Windows 8.1 startup process.
• Describe Windows startup and recovery options.
• Describe System Restore.
• Describe the Boot Configuration Data (BCD) store.
• Describe BCD configuration settings.
• Describe advanced startup settings.
• Describe the tools available in Windows RE.
• Resolve startup-related problems.
• Explain how to configure a recovery drive.

The Windows 8.1 Startup Process

Before you can recover a Windows 8.1 computer that does not start or starts with errors, you must understand how the operating system starts up when there are no issues. The Windows 8.1 boot loader architecture provides a quick and secure mechanism for starting the Windows operating system.

The boot loader architecture has three main components:
• The Windows Boot Manager (Bootmgr.exe)
• The Windows Operating System Loader (Winload.exe)
• The Windows Resume Loader (Winresume.exe)

Windows Boot Manager

As a computer starts, Bootmgr.exe loads first and then reads the BCD, which is a database of startup configuration information that the hard disk stores in a format similar to the registry.

Note: The BCD provides a firmware-independent mechanism for manipulating boot environment data for any type of Windows system. Windows 8.1 uses the BCD to load the operating system or to run boot applications, such as memory diagnostics. Its structure is very similar to a registry key, although you should not manage it with the Registry Editor.


Bootmgr.exe replaces much of the functionality of the legacy NTLDR bootstrap loader that was in Windows XP and older versions of the Windows operating system. Bootmgr.exe is a separate entity, and it is unaware of other startup operations of the operating system. Bootmgr.exe switches the processor into 32-bit or 64-bit protected mode, prompts the user for which operating system to load (if there are multiple operating systems), and starts NTLDR if you are using Windows XP or older operating systems.

Windows Operating-System Loader

Winload.exe is the operating system boot loader that Windows Boot Manager invokes. Winload.exe loads
the operating system kernel (Ntoskrnl.exe) and device drivers with start values of 0, which, combined with
Bootmgr.exe, makes Winload.exe functionally equivalent to NTLDR. Winload.exe initializes memory, loads
drivers that should start, and then transfers control to the kernel.

Windows Resume Loader

If the BCD contains information about a current hibernation image, Bootmgr.exe passes that
information to Winresume.exe. Bootmgr.exe exits, and then Winresume.exe starts. Winresume.exe reads
the hibernation image file and uses it to return the operating system to its prehibernation running state.

Windows 8.1 Startup Process on BIOS-Based Computers

When you switch on a computer, the startup process loads the BIOS. When it loads the BIOS, the system accesses the boot drive master boot record (MBR), followed by the drive's boot sector.

The Windows 8.1 startup process occurs in the following steps:
1. The BIOS performs a power-on self-test. From a startup perspective, the BIOS enables a computer to access peripherals, such as hard disks, keyboards, and a computer display, prior to loading an operating system. If any critical hardware component is malfunctioning or is not present, you can hear a sound and see an error if a display is connected.
2. The computer uses information in the BIOS to locate a startup device, for example, a DVD drive, network adapter, or a hard disk. A computer can start from a hard disk only if it contains the MBR. A computer calls and loads Bootmgr.exe, which then locates an active drive partition on sector 0 of the discovered hard disk.
3. Bootmgr.exe reads the BCD file from the active partition, gathers information about the machine's installed operating systems, and then displays a boot menu if needed.
4. Bootmgr.exe transfers control to Winload.exe, or it calls Winresume.exe for a resume operation. If Winload.exe selects a down-level operating system, such as Windows XP, Bootmgr.exe transfers control to NTLDR.
5. Otherwise, Winload.exe initializes memory and loads drivers that are set to begin at startup. These drivers are for fundamental hardware components such as disk controllers and peripheral bus drivers. Winload.exe then transfers control to the kernel of the operating system, Ntoskrnl.exe.
6. The kernel initializes, and then device drivers and services with start values that are greater than zero (0) are loaded in the order of their start value and dependency. During this phase, you will see the screen switch to graphical mode as the Session Manager (Smss.exe) initializes the Windows subsystem.
7. The operating system displays the logon screen, and a user can sign in to Windows 8.1.
Securing the Startup Process


Windows 8.1 includes two technologies that enhance the security of the startup process. These
technologies help ensure that the boot environment is in a known and trusted state before antimalware
software that is installed on the computer becomes active. These technologies are:

Measured Boot. Measured Boot provides antimalware software that runs on Windows 8.1 with a
tamper-proof log of all startup components that were running before the antimalware software
started. This provides antimalware software with enough information to determine whether those
startup components are trustworthy, or whether a malware infection has modified them. Measured
Boot requires a client computer to have a trusted platform module chip.

Secure Boot. Secure Boot is a feature of the Windows 8.1 operating system that blocks unauthorized
firmware, operating systems, or Unified Extensible Firmware Interface (UEFI) drivers from running
during startup. Secure Boot functions by referring to a database of authorized software signatures
and software images. If Secure Boot does not trust the firmware, it must be restored before boot can
continue. If Secure Boot finds an untrusted version of Bootmgr.exe, the Secure Boot process will boot
a backup copy of Bootmgr.exe. If it locates problems with drivers or Ntoskrnl.exe, Secure Boot loads
Windows RE automatically. Secure Boot requires UEFI, and you cannot use it with computers that
boot by using BIOS.
Secured Boot and Measured Boot: Hardening Early Boot Components against Malware
http://go.microsoft.com/fwlink/?LinkId=392421
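To check whether a computer actually meets the prerequisites of both protections (UEFI firmware for Secure Boot, a TPM for Measured Boot), the following PowerShell script is an added example that is not part of the course manual; it uses the Confirm-SecureBootUEFI and Get-Tpm cmdlets that ship with Windows 8.1 and must run from an elevated prompt.

```powershell
# Added example (not from the course manual): report whether this computer can use
# Secure Boot (needs UEFI firmware) and Measured Boot (needs a TPM).
# Run from an elevated PowerShell prompt on Windows 8.1.

function Get-StartupProtectionStatus {
    $result = [ordered]@{
        SecureBootSupported = $false   # UEFI firmware that exposes Secure Boot
        SecureBootEnabled   = $false   # Secure Boot currently turned on
        TpmPresent          = $false   # TPM chip detected
        TpmReady            = $false   # TPM initialized and usable
    }

    # Confirm-SecureBootUEFI returns $true/$false on UEFI systems and throws
    # "Cmdlet not supported on this platform" on BIOS-based computers, which is the
    # "cannot use it with computers that boot by using BIOS" case from the text.
    try {
        $result.SecureBootEnabled   = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
        $result.SecureBootSupported = $true
    } catch {
        $result.SecureBootSupported = $false
    }

    # Get-Tpm (TrustedPlatformModule module, Windows 8 and later) reports the TPM state.
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        $result.TpmPresent = [bool]$tpm.TpmPresent
        $result.TpmReady   = [bool]$tpm.TpmReady
    } catch {
        # No TPM support on this computer: Measured Boot cannot record its log.
    }

    [pscustomobject]$result
}

$status = Get-StartupProtectionStatus
$status | Format-List

if (-not $status.SecureBootSupported) {
    Write-Warning 'BIOS firmware or no Secure Boot support: Secure Boot is unavailable on this computer.'
} elseif (-not $status.SecureBootEnabled) {
    Write-Warning 'UEFI firmware found, but Secure Boot is turned off; enable it in the firmware settings.'
}
if (-not $status.TpmPresent) {
    Write-Warning 'No TPM detected: Measured Boot cannot provide a log of startup components.'
} elseif (-not $status.TpmReady) {
    Write-Warning 'TPM present but not ready; initialize it (tpm.msc) before relying on Measured Boot.'
}
```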

Windows Startup and Recovery Options


If your computer fails to start correctly, you can use a number of tools to resolve the problem.

Windows RE
Windows RE is a recovery platform that is based on the Windows Preinstallation Environment
(Windows PE). Windows RE provides three main functions:

Diagnoses and repairs startup problems.

Enables you to repair computers by performing push-button resets.

Provides a platform for additional advanced recovery tools.

Accessing Windows RE
To access Windows RE, perform the following procedure:

1. Insert a Windows 8.1 installation DVD, and then start the computer.

2. When prompted, run the Windows 8.1 DVD setup program.

3. After you configure language and keyboard settings, click the Repair your computer link.

4. Click the Troubleshoot option. You can then select whether to Refresh your PC or Reset your PC, or
choose from Advanced options, which include Startup Repair and System Image Recovery.

Note: Some computer manufacturers do not include a setup disk. Therefore, the process of
accessing Windows RE might vary from the steps that this topic provides.

Automatic Failover to Recovery


Windows 8.1 provides an on-disk Windows RE. A computer that is running Windows 8.1 can fail over
automatically to the on-disk Windows RE if it detects a startup failure. A startup failure is detected when
any of the following happens:

A Windows operating system startup fails two times.

A Windows operating system restarts unexpectedly two times within two minutes after startup.

An error is detected during Secure Boot.

A BitLocker Drive Encryption error is detected on a touch-only device.

During startup, the Windows loader sets a status flag that indicates that the boot process has started. The
Windows loader clears this flag before it displays the Windows logon screen. If startup fails, the loader
does not clear the flag. Consequently, the next time the computer starts, the Windows loader detects the
flag, assumes that a startup failure has occurred, and then presents you with an option to start Recovery
instead of Windows 8.1. A computer must start successfully for the Windows loader to remove the flag. If
the computer's power is interrupted during the startup sequence, the Windows loader does not remove
the flag. Be aware that this automatic failover requires the presence of both the Windows Boot Manager
and the Windows loader. If either of these elements of the startup environment is missing or corrupted,
automatic failover cannot function, and you must initiate a manual diagnosis and repair of the computer's
startup environment.
Windows Recovery Environment (Windows RE) Overview
http://go.microsoft.com/fwlink/?LinkId=378260&clcid=0x409

Advanced Startup Settings

Windows 8.1 provides Advanced options for Startup Settings that you can use to change Windows startup
behavior. When you configure Startup Settings, after the computer starts, you can select one of the
following startup options:

Enable debugging

Enable boot logging

Enable Safe Mode

Enable Safe Mode with Networking

Enable Safe Mode with Command Prompt

Disable driver signature enforcement

Disable early launch anti-malware protection

Disable automatic restart after failure

Launch Recovery Environment


Question: How can you access Windows RE if your computer cannot start from a hard disk
because of damaged startup information?

Overview of System Restore


Windows 8.1 enables the System Restore feature automatically. System Restore takes a snapshot of your
Windows configuration and stores it as a restore point. Restore points represent a point in time of the
computer's configuration and do not include user personal data. Windows 8.1 can create restore points
automatically before the following changes occur:

Application installation, if the application uses an installer that is System Restore-compliant.

Installation of Windows updates.

Restore points can be created in Windows 8.1:


Manually, whenever you choose to create them.

Based on a schedule. Windows 8.1 includes scheduled tasks, which can trigger restore point creation.
A restore point is created automatically if no restore point has been created for seven days.

Automatically, if you choose to use System Restore to restore to a previous restore point. In this
instance, System Restore creates a new restore point before it restores the system to a previous
state. This provides you with a recovery option should the restore operation fail or result in issues.
Windows RE does not create a restore point for the current state if you are in Safe mode and you
restore to a previous state.

You can access System Restore and revert Windows settings from the Windows 8.1 environment or from
Windows RE. This means that you can restore your computer to an earlier restore point even if you cannot
start Windows 8.1. If you want to restore your computer to an earlier restore point from Windows RE, you
need to select a user and provide the user's password before you can use System Restore.

Note: Windows 8.1 includes a System Restore scheduled task named SR, which you can
configure to create restore points automatically at scheduled intervals.
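The same operations (turning on protection, creating a restore point by hand, listing restore points, and inspecting the SR task) can be scripted. The script below is an added example, not part of the course manual; it assumes an elevated PowerShell prompt on Windows 8.1, that C: is the system drive, and that the SR task is at its default path \Microsoft\Windows\SystemRestore\.

```powershell
# Added example (not from the course manual): manage System Restore from PowerShell.
# Assumes an elevated prompt on Windows 8.1 and that C: is the system drive.

# Turn on System Protection for the system drive (the System Properties dialog does the same).
Enable-ComputerRestore -Drive 'C:\'

# Create a restore point by hand before a change you may want to roll back, for
# example a driver update. On Windows 8 and later, Checkpoint-Computer creates at
# most one restore point per 24 hours; a second call inside that window only warns.
function New-ManualRestorePoint {
    param([Parameter(Mandatory)][string]$Description)
    Checkpoint-Computer -Description $Description -RestorePointType MODIFY_SETTINGS
}

# List the existing restore points, newest first, with a readable creation time.
# Get-ComputerRestorePoint returns WMI objects whose CreationTime is a WMI date string,
# so ConvertToDateTime() turns it into a DateTime.
function Get-RestorePointSummary {
    Get-ComputerRestorePoint |
        Sort-Object SequenceNumber -Descending |
        Select-Object SequenceNumber, Description, RestorePointType,
            @{ Name = 'Created'; Expression = { $_.ConvertToDateTime($_.CreationTime) } }
}

# Show when the built-in SR scheduled task last ran and when it will run next.
function Get-SrTaskStatus {
    Get-ScheduledTask -TaskPath '\Microsoft\Windows\SystemRestore\' -TaskName 'SR' |
        Get-ScheduledTaskInfo |
        Select-Object TaskName, LastRunTime, NextRunTime, LastTaskResult
}

New-ManualRestorePoint -Description 'Before driver update'
Get-RestorePointSummary | Format-Table -AutoSize
Get-SrTaskStatus | Format-List
```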

Perform Driver Rollbacks

If you install a device driver that results in a computer that is unstable or that fails to operate entirely,
you might use System Restore. Older versions of Windows operating systems had a mechanism for driver
rollbacks, but it required the computer to start successfully. With Windows 8.1, you can use System
Restore to perform driver rollbacks by accessing the restore points, even when the computer does not
start successfully.

Protect Against Accidental Deletion of Programs

System Restore also provides protection against accidental deletion of programs. System Restore creates
restore points when you add or remove programs, and it keeps copies of application programs (file names
with an .exe or .dll extension). If you accidentally delete an .exe file, you can use System Restore to recover
it by selecting a recent restore point prior to your deletion of the program.
Restore points
http://go.microsoft.com/fwlink/?LinkId=378261&clcid=0x409

Question: How can you configure Windows 8.1 to create restore points automatically more
often than every seven days?

What Is the BCD Store?


In the Windows operating system, the BCD store is an extensible database of objects and elements that
can include information about a current hibernation image, in addition to special configuration options
for starting Windows 8.1 or an alternate operating system. BCD provides an improved mechanism for
describing boot configuration data for new firmware models.

The boot sector loads Bootmgr.exe, which in turn accesses BCD, and then uses that information to
display a boot menu to the user (if multiple boot options exist) and to load the operating system.
These parameters were previously in the Boot.ini file (in BIOS-based operating systems) or in the
nonvolatile random access memory (NVRAM) entries in operating systems based on an Extensible
Firmware Interface (EFI). However, Windows 8.1 replaces the Boot.ini file and NVRAM entries with BCD.
This file is more versatile than Boot.ini, and it can apply to computer platforms that do not use BIOS to
start a computer. You also can apply it to firmware models, such as computers that are based on EFI.

Windows 8.1 stores the BCD data in the same format as a registry hive. For BIOS-based systems, the BCD
data files are on the active partition, in the Boot directory, which is marked as system and hidden. For
UEFI-based systems, the BCD files are on the EFI system partition.

Question: One of your coworkers would like to modify Windows 8.1 startup settings, but he
is not able to find the Boot.ini file. How can you help him?

Understanding BCD Configuration Settings


Depending on what settings you want to change, you can use the following tools to modify BCD:

Startup and Recovery Advanced system settings. Select the default operating system if you have
multiple operating systems installed on your computer. You also can change the time-out value.

System Configuration utility (MSConfig.exe). An advanced tool that enables you to select the
following startup options:

Safe boot options include:

Minimal. Start Windows in safe mode, in which only critical system services are running and
networking is disabled.

Alternate shell. On startup, opens a command prompt in safe mode, in which only critical
system services are running. Networking and the GUI are disabled.


Active Directory repair. On startup, opens the Windows GUI in safe mode, running critical
system services.

Network. On startup, opens the Windows GUI in safe mode, running only critical system
services. Networking is enabled.

Boot log. Records startup information into a log file.

No GUI boot. Does not display the Windows Welcome screen when starting.

Base video. Uses a generic video display adapter driver.

Advanced options:

Number of processors. Limits the number of processors that are used on a multiprocessor
system.

Maximum memory. Limits the amount of memory that is used on a system.

PCI Lock. Prevents reallocation of I/O and interrupt request (IRQ) resources on the peripheral
component interconnect (PCI) bus.

Debug. Enables kernel-mode debugging for device driver development.

BCDEdit.exe. BCDEdit.exe is a command-line tool in Windows 8.1 that replaces Bootcfg.exe. This
advanced tool is for administrators and IT professionals. You can use BCDEdit.exe to change the BCD
and perform tasks such as removing entries from the list that displays operating systems. BCDEdit.exe
enables you to:
Add entries to an existing BCD store.

Modify existing entries in a BCD store.

Delete entries from a BCD store.

Export entries to a BCD store.

Import entries from a BCD store.

List currently active settings.

Query a particular type of entry.

Apply a global change (to all entries).

Change the default time-out value.

Typical reasons to manipulate BCD with BCDEdit.exe include:


Adding a new hard disk to your Windows 8.1 computer and changing the logical drive
numbering.

Installing additional operating systems on your Windows 8.1 computer to create a multiboot
configuration.

Deploying Windows 8.1 to a new computer with a blank hard disk, which requires you to
configure the appropriate boot store.

Performing a backup of BCD.

Restoring corrupted BCD.

BootRec.exe. Rebuild BCD by using the BootRec.exe tool with the /rebuildbcd option in Windows RE.
You must run BootRec.exe in Windows RE. If rebuilding BCD does not resolve startup issues, you can
export and delete BCD, and then run this option again. By doing this, you ensure that BCD rebuilds
completely.

BCDedit.exe syntax and parameters
http://go.microsoft.com/fwlink/?LinkId=378262&clcid=0x409

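A safe way to script the BCDEdit.exe tasks listed above (back up the store, add a duplicate entry, change the time-out, and roll back) from PowerShell, as an added example that is not from the course manual; it assumes an elevated prompt on Windows 8.1 and uses the constructed backup path C:\BCD-Backup\bcd.bak.

```powershell
# Added example (not from the course manual): modify the BCD store with BCDEdit.exe,
# taking an export first so that any change can be reverted with /import.
# Assumes an elevated PowerShell prompt on Windows 8.1.

$backupPath = 'C:\BCD-Backup\bcd.bak'   # constructed path; keep it outside the Boot folder

function Backup-Bcd {
    param([Parameter(Mandatory)][string]$Path)
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    bcdedit /export $Path | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /export failed with exit code $LASTEXITCODE" }
}

function Restore-Bcd {
    param([Parameter(Mandatory)][string]$Path)
    bcdedit /import $Path | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /import failed with exit code $LASTEXITCODE" }
}

# Duplicate the entry of the running OS and return the new entry's identifier, parsed
# from bcdedit's "The entry was successfully copied to {GUID}." message.
function Copy-BcdCurrentEntry {
    param([Parameter(Mandatory)][string]$Description)
    $output = bcdedit /copy '{current}' /d $Description
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /copy failed: $output" }
    $match = [regex]::Match(($output -join ' '), '\{[0-9a-fA-F-]{36}\}')
    if (-not $match.Success) { throw "Could not find the new entry identifier in: $output" }
    $match.Value
}

# Remove an entry again, for example the duplicate created above.
function Remove-BcdEntry {
    param([Parameter(Mandatory)][string]$Id)
    bcdedit /delete $Id | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /delete $Id failed with exit code $LASTEXITCODE" }
}

# 1. Back up the store before touching it.
Backup-Bcd -Path $backupPath

# 2. Add a duplicate boot entry (the same change the demonstration makes by hand).
$newId = Copy-BcdCurrentEntry -Description 'Duplicate boot entry'
"New entry: $newId"

# 3. Shorten the boot menu time-out from the 30-second default to 5 seconds.
bcdedit /timeout 5 | Out-Null

# 4. Verify the boot manager settings and the OS loader entries.
bcdedit /enum

# Cleanup options: remove only the duplicate, or put the whole store back as exported.
# Remove-BcdEntry -Id $newId
# Restore-Bcd -Path $backupPath
```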
Question: Your coworker has a dual-boot computer and would like to configure the
computer to start Windows 8.1 automatically without showing the list of installed operating
systems for 30 seconds first. Is BCDEdit.exe the only tool your coworker can use to achieve
this goal?

Advanced Startup Settings


Windows 8.1 provides advanced startup settings that you can use to start an operating system in an
advanced troubleshooting mode. If you want to use advanced startup settings, you must change the
advanced startup options, which you can do by:

Changing the advanced startup options in Windows 8.1.

Pressing the Shift key while selecting the Restart option in the Settings charm.

Restarting the computer by running the shutdown.exe /r /o command.

Note: In Windows 8.1, you cannot access advanced startup settings by pressing F8 during
the startup process, as you were able to do in older versions of Windows operating systems.

When the computer restarts, you are presented with the following options:


Enable debugging. By selecting the debugging mode, you can start Windows 8.1 in a special
troubleshooting mode. In this mode, you can monitor the behavior of device drivers and determine
whether a specific device driver is causing Windows 8.1 to stop unexpectedly.

Enable boot logging. When you use this mode, the Windows 8.1 start process creates and writes to a
file named Ntbtlog.txt. This file records the device drivers that Windows 8.1 installs and loads during
startup.

Enable low-resolution video. In this mode, you can start Windows 8.1 in a special low-resolution
mode of 640x480. This mode can be necessary when you attempt to resolve incorrectly applied
graphics resolution settings.

Enable Safe Mode. In the safe mode, Windows 8.1 can start with a minimal set of drivers, services,
and applications. You can use safe mode to disable services and applications that might be causing
the Windows operating system to stop. Computers often start in the safe mode when they are unable
to start normally. Safe mode does not load network drivers, so network connectivity is not possible in
safe mode.

Enable Safe Mode with Networking. Safe mode with networking is similar to safe mode, except that it
allows network connectivity.


Enable Safe Mode with Command Prompt. This version of safe mode starts with a Command Prompt
window rather than the Windows interface. In this mode, you can disable applications and services
from the command line if you are unable to perform this operation by using safe mode.

Disable driver signature enforcement. In this mode, you can load device drivers that are not signed
digitally. This might be necessary when testing device drivers with Windows 8.1 that have not been
released formally.

Disable early launch anti-malware protection. In this mode, you can start Windows 8.1 without
the early launch antimalware functionality running. This functionality might stop Windows 8.1 from
starting in certain circumstances, but it should be disabled only after other options have been tried.

Disable automatic restart after failure. Use this option to stop Windows 8.1 from automatically
restarting after a failure occurs. You might need to use this option if Windows 8.1 enters a reboot
cycle.

Launch Recovery Environment. Use this option to start Windows RE. You can use the recovery
environment to trigger the Refresh your PC or Reset your PC function.
Question: Can you access Startup Setting options by pressing F8 during computer startup?

Tools Available in Windows RE


Windows RE provides access to tools that you can use to help recover your computer's startup
environment.

Refresh your PC
This option enables you to retain your personal data, apps, and settings, but replaces the Windows 8.1
operating system. This is useful when it is important to retain user-related files and settings, but you do
not have the time to determine the specific cause of a startup problem or to resolve it. You need Windows
installation or recovery media if you want to perform a refresh.

Note: Because it is quite likely that user settings might have created the startup problem
from which you are attempting to recover, the Refresh your PC option is careful about which
settings to restore. For instance, this option does not restore file associations, display settings, and
Windows Firewall settings during the refresh process.

Note: It is possible to use the Recimg.exe command-line tool to create a refresh image,
which enables you to refresh your computer to a specific point in time.

Reset your PC

This option removes all user data, user settings, and apps and then reinstalls Windows 8.1. You should
select this option when there is no need to retain user data or settings. By using this setting, you revert
your computer to the deployment defaults. You need Windows installation or recovery media if you want
to perform a reset.

Push-Button Reset Overview
http://go.microsoft.com/fwlink/?LinkId=378263&clcid=0x409

System Restore


Windows 8.1 provides System Restore capabilities that you can access from the System Tools folder. If you
have a system failure or another significant problem with your computer, you can use System Restore to
return your computer to an earlier state.
The primary benefit of System Restore is that it restores your system to a workable state without
reinstalling the operating system or causing data loss. Additionally, if a computer does not start
successfully, you can use System Restore by starting Windows RE from Windows 8.1 media.

System Image Recovery

System Image Recovery replaces your computer's current operating system with a complete computer
image that you created previously. You can use this tool only if you have made a recovery drive of your
computer. You should use this tool only if other recovery methods are unsuccessful, because it is very
intrusive and it overwrites all data on a computer.

Startup Repair
The Startup Repair tool in Windows RE provides a simple and effective way for you to resolve most
common startup problems. Before you can use Startup Repair, you must provide the password of the
administrator account that previously signed in to the computer. Startup Repair detects most common
startup issues and automatically corrects them. It performs the following functions:

Replace or repair disk metadata. Disk metadata consists of several components, including the boot
sector and the MBR. If these files are missing or corrupted, the startup process fails. If you suspect that
an issue has damaged or deleted these files, use Startup Repair to check for problems with the disk
metadata. Startup Repair automatically checks and, if necessary, repairs the disk metadata. Damage to
disk metadata often occurs because of unsuccessful attempts to install multiple operating systems on
a single computer. Another possible cause of metadata corruption is a virus infection.

Repair boot configuration settings. Windows 8.1 uses a configuration store that is stored in a Boot
folder on an active partition. If the boot configuration data is damaged or deleted, the operating
system fails to start. The Startup Repair tool checks and, if necessary, rebuilds BCD by scanning for
Windows installations on the local hard disks, and then storing the necessary BCD.

Resolve incompatible driver issues. Installing a new hardware device and its associated device
driver often causes the Windows operating system to start incorrectly. The Startup Repair tool
performs device driver checks as part of its analysis of your computer. If Startup Repair detects a
driver problem, it uses System Restore points to attempt a resolution by rolling back the
configuration to a known working state.

Command Prompt

Windows 8.1 uses a Command Prompt tool from the Windows RE tool set as its command-line
interface. The Command Prompt tool is more powerful than the Recovery Console from older versions of
Windows operating systems, and its features are similar to the command prompt that is available when
Windows 8.1 is running normally. The Command Prompt tool performs the following functions:

Resolves problems with a service or device driver. If a computer that is running Windows 8.1
experiences problems with a device driver or Windows service, use the Command Prompt tool to
attempt a resolution. For example, if a device driver fails to start, use the Command Prompt tool
to install a replacement driver or disable the existing driver from the registry. For example, if the
Netlogon service fails to start, type Net Start Netlogon at the command prompt. You also can use
the SC tool (Sc.exe) command-line tool to start and stop services.


Recovers missing files. The Command Prompt tool enables you to copy missing files to your
computer's hard disk from original source media, such as the Windows 8.1 installation DVD or USB
flash drive.

Accesses and configures BCD. Windows 8.1 uses a BCD store to retain information about the operating
systems that you install on the computer. You can access this information by using the BCDEdit.exe
tool at the command prompt. You also can reconfigure the store if necessary. For example, you can
reconfigure the default operating system on a dual-boot computer with the BCDEdit.exe /default {id}
command.

Repairs the boot sector and MBR. If the boot sector or MBR on the local hard disk is damaged or
missing, a computer that is running Windows 8.1 will fail to start successfully. You can launch the
BootRec.exe command at the command prompt to resolve problems with the disk metadata.

Runs diagnostic and troubleshooting tools. The Command Prompt tool provides access to many
programs that you can access from Windows 8.1 during normal operations. These programs include
several troubleshooting and diagnostics tools, such as the Registry Editor (Regedit.exe), a disk and
partition management tool (Diskpart.exe), and several networking configuration tools (Net.exe,
Ipconfig.exe, and Netcfg.exe). Another option is to load Task Manager (Taskmgr.exe), which you
can use to determine which programs and services are running currently.

Note: Windows PE is not a complete operating system. Therefore, when you use the
Command Prompt tool in Windows RE, remember that not all programs that work in the
Windows operating system will work at the command prompt. Additionally, because there are
no logon requirements for Windows PE and Windows RE, Windows 8.1 restricts the use of some
programs for security reasons, including many that administrators typically run.
Question: Can you use System Image Recovery without any previous preparation?
Question: What is the main difference between the Refresh your PC and Reset your PC
options?

Demonstration: Resolving Startup-Related Problems


In this demonstration, you will see how to resolve startup-related problems by using the tools in
Windows RE.

Demonstration Steps
1. On 20687D-LON-CL1, mount the Windows 8.1 installation DVD from D:\Program Files
\Microsoft Learning\20687\Drives\Win81Ent_Eval.iso, and then start the virtual machine.

2. Initialize setup from the DVD, and then click Repair your computer.

3. Click Troubleshoot from the available options, and then click Advanced options.

4. Click Command Prompt, and then run the following commands to view the startup environment:
Bcdedit /enum
Bootrec /scanos
Diskpart

5. In Diskpart, type the following commands to view information about the disks and volumes installed
on LON-CL1:
List disk
List volume

6. Close Diskpart, and then close the Command Prompt window.

7. Perform Startup Repair from the Windows RE Troubleshoot menu.

8. Restart your computer normally.

9. On LON-CL1, sign in as Adatum\Administrator with the password Pa$$w0rd, and then open an
elevated command prompt.

10. Create a duplicate boot entry by running the following command at the elevated command prompt:
bcdedit /copy {current} /d "Duplicate boot entry"

11. Verify the presence of Duplicate boot entry in the store with the following command, and then
restart the computer:
Bcdedit /enum

12. When the Windows operating system restarts, wait until the Choose an operating system menu
appears, and then click Change defaults or choose other options. Select the following options in
turn:

Choose other options

Troubleshoot

Advanced options

Startup Settings

Restart

13. Start Windows in Safe Mode, and then sign in as Adatum\Administrator with the password
Pa$$w0rd.

Configuring a Recovery Drive


You can use a recovery drive to run Windows RE and troubleshoot a Windows 8.1 installation even if the
computer cannot start from the hard drive. A recovery drive includes all the Windows RE tools, and it can
include a copy of the recovery partition. You can create a recovery drive by using the Recovery Drive
Wizard. You can create a recovery drive on a USB flash drive that has a capacity of at least 512 megabytes
(MB). During creation of the recovery drive, the USB flash drive is formatted, so all of its previous content
is lost. If your computer has a recovery partition, the Recovery Drive Wizard can copy it to a USB flash
drive, and you can use it later to perform PC Refresh.

Note: If a Windows 8.1 computer does not have a recovery partition, you can create one by
running the recimg.exe command. The Refresh your PC feature uses a recovery partition, and it
contains a copy of desktop apps and Windows system files. However, a recovery partition does
not contain your documents, personal settings, user profiles, and Windows Store apps.
Recovery Drive
http://go.microsoft.com/fwlink/?LinkId=378264&clcid=0x409
Question: Can you create a recovery drive on a DVD?
Question: Which recovery tasks can you perform when you start a computer from a recovery
drive?


Lab: Recovering Windows 8.1


Scenario


You must demonstrate to your coworkers how you can configure and use File History to protect
documents. You also need to recover a Windows 8.1 computer that belongs to one of the employees at A.
Datum Corporation. To do this, you first will examine the recovery options available in Windows 8.1. You
then will attempt to resolve a startup issue, and you will document the solution that you used to resolve
the issue.

Objectives
After completing this lab, you will be able to:

Configure and use File History.

Explore Windows 8.1 recovery options.

Introduce a simulated problem.

Resolve a problem.

Lab Setup
Estimated Time: 60 minutes
Virtual machines: 20687D-LON-DC1, 20687D-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 20687D-LON-DC1, and then in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Sign in by using the following credentials:

User name: Administrator

Password: Pa$$w0rd

Domain: Adatum

5. Repeat steps 2 through 4 for 20687D-LON-CL1.

Exercise 1: Configuring and Using File History


Scenario

A. Datum users are complaining that they cannot find any backup apps in Windows 8.1. You must
demonstrate to these users how they can use File History to protect files that are stored locally on their
computers.
The main tasks for this exercise are as follows:
1. Create a share for File History.

2. Configure and use File History.

3. Protect an additional folder with File History.

Task 1: Create a share for File History


On LON-DC1, create a folder named FileHistory. Grant domain users Full Control permissions to the
folder, and then share it with Full Control permissions for Everyone.

Task 2: Configure and use File History


1. Create a new Word 2013 document named Recovery file in the Documents library.

2. Modify the Recovery file contents, and then save the file.

3. Use File History to add \\LON-DC1\FileHistory as an available drive, and then turn on File History.

4. Delete the file named Recovery file in the Documents library.

5. Use the History option in File Explorer to recover the file.

Task 3: Protect an additional folder with File History


1. On LON-CL1, verify that the File History feature is protecting three file folders and four libraries. Also,
verify that File History is currently protecting only the Recovery file.docx file.

2. Use File Explorer to add the folder E:\Labfiles\Docs to the Documents library.

3. Use File History to run a file copy.

4. Use File Explorer to delete the E:\Labfiles\Docs\Windows.docx file.

5. Use File History to restore the Windows.docx file to the E:\Labfiles folder.

6. Use File Explorer to verify that the Windows.docx file is restored to the E:\Labfiles folder.

Results: After completing this exercise, you should have configured and used the File History feature.

Exercise 2: Exploring Windows 8.1 Recovery Options


Scenario
In this exercise, you will explore startup-recovery options, including accessing the advanced startup
options.
The main tasks for this exercise are as follows:
1. Configure System Restore.

2. Use System Restore.

3. Access Windows RE tools.

4. Create a duplicate boot entry in the boot store.

5. Enable advanced boot options.

Task 1: Configure System Restore


1. On LON-CL1, use System Properties to turn on System protection.

2. Create a restore point, and then name it Initial settings.

3. Use File Explorer to navigate to the E:\Labfiles\Mod14 folder, and then install XML Notepad. Verify
that the XML Notepad 2007 shortcut is added to the desktop.

4. Create a new text document on the desktop and name it My document.

5. Use Device Manager to update the driver for Microsoft Hyper-V Virtual Keyboard with a driver for
Microsoft Wireless Keyboard 700 v2.0 (106/109).

Note: Be aware that you must clear the Show compatible hardware check box to be able
to select it.

6. In Device Manager, verify that Microsoft Wireless Keyboard 700 v2.0 (106/109) is shown with an
exclamation point (!).

Task 2: Use System Restore


1. Use System Restore to scan for programs that would be affected if you restored the Initial settings
restore point.

2. Use System Restore to restore the Initial settings restore point.

3. Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.

4. Verify that My document.txt is still on the desktop and that the XML Notepad 2007 shortcut is no
longer present on the desktop.

5. Use Device Manager to verify that Microsoft Hyper-V Virtual Keyboard is present. Microsoft Wireless
Keyboard 700 v2.0 (106/109) was removed, because you added it after the restore point was created.

6. Use System Restore to verify that an additional restore point with the description Restore Operation
and Type of Undo was created.

7. Shut down LON-CL1, and then wait until LON-CL1 is turned off.

Task 3: Access Windows RE tools


1. On 20687D-LON-CL1, mount the Windows 8.1 installation DVD from D:\Program Files
\Microsoft Learning\20687\Drives\Win81Ent_Eval.iso, and then start the virtual machine.

2. Initialize setup from the DVD, and then select Repair your computer.

3. Select Troubleshoot from the available options, and then select Advanced options.

4. Use System Restore to verify that the restore points that were created can be restored from Windows
RE. Verify which programs would be affected if you restored the Restore Operation restore point.
Do not restore any restore point, and return to the Advanced options screen.

5. Click Command Prompt, and then run the following commands to view the startup environment:
Bcdedit /enum
Bootrec /scanos
Diskpart

6. In Diskpart, type the following commands to view information about the disks and volumes installed
on LON-CL1:
List disk
List volume

7. Close Diskpart, and then close the Command Prompt window.

8. Perform Startup Repair from the Windows RE Troubleshoot menu.

9. Restart the computer as you normally would.

Task 4: Create a duplicate boot entry in the boot store


1. On LON-CL1, sign in as Adatum\Administrator with the password Pa$$w0rd, and then open an
elevated command prompt.

2. Create a duplicate boot entry by running the following command at the elevated command prompt:
bcdedit /copy {current} /d "Duplicate boot entry"

3. Verify the presence of Duplicate boot entry in the store with the following command, and then
restart the computer:
Bcdedit /enum

Task 5: Enable advanced boot options

1. When the Windows operating system restarts, wait until the Choose an operating system menu appears, and then click Change defaults or choose other options. Select the following options in turn:
   o Choose other options
   o Troubleshoot
   o Advanced options
   o Startup Settings
   o Restart

2. Start the Windows operating system in safe mode, and then sign in as Adatum\Administrator with the password Pa$$w0rd.

3. Revert and restart the 20687D-LON-CL1 virtual machine in preparation for the next exercise.

Results: After completing this exercise, you should have used various Windows 8.1 operating system startup-recovery tools.
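Tasks 4 and 5 above duplicate the running operating system entry and then pick Safe Mode by hand from the boot menu. The same outcome can be scripted from an elevated Windows PowerShell prompt on LON-CL1 with bcdedit's safeboot element, which is what the Startup Settings page and msconfig write behind the scenes. The following is an added example, not part of the course lab; the entry description and the 10-second menu timeout are assumptions chosen for this example.

```powershell
# Added example (not part of the course lab): clone the running OS boot entry, make the
# clone start Windows in Safe Mode, and verify the result. Run from an elevated Windows
# PowerShell prompt on LON-CL1. The description and the 10-second menu timeout are
# assumptions chosen for this example.

$description = 'Safe Mode (test entry)'

# bcdedit /copy prints: "The entry was successfully copied to {GUID}."
# {current} is quoted because PowerShell would otherwise parse the braces as a script block.
$copyOutput = (bcdedit /copy '{current}' /d $description) -join ' '
if ($LASTEXITCODE -ne 0) { throw "bcdedit /copy failed: $copyOutput" }

$newId = [regex]::Match($copyOutput, '\{[0-9a-fA-F-]{36}\}').Value
if (-not $newId) { throw "Could not parse the new entry identifier from: $copyOutput" }

# The clone is identical to {current}; the safeboot element is what turns it into a
# Safe Mode entry (minimal = Safe Mode, network = Safe Mode with Networking).
bcdedit /set $newId safeboot minimal | Out-Null

# Leave time to pick the new entry from the Choose an operating system menu.
bcdedit /timeout 10 | Out-Null

# Verify: the description and "safeboot Minimal" should both appear on the new entry.
bcdedit /enum $newId

# Cleanup when the test is over (removes the entry and its boot-menu reference):
# bcdedit /delete $newId
```

Setting safeboot on a copy rather than on {current} leaves the normal entry untouched, so a forgotten setting cannot strand the computer in Safe Mode. Remember that Safe Mode starts without most third-party drivers and services, including endpoint security agents, which is why the same `bcdedit /set ... safeboot` change has been used by ransomware to evade protection before encrypting; unexpected changes to the BCD store are worth alerting on in process command-line logs.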

Exercise 3: Introducing a Simulated Problem


Scenario


In this exercise, you will attempt to fix a computer that is running Windows 8.1. The computer does not
start successfully. You have an open help-desk ticket so that you can determine the likely cause of the
problem.
A. Datum Incident Record

Incident number: 161071
Date and time of call: Jan 25 10:45am
User: Adam Carter

Incident Details
Adam Carter has reported that his computer will not start properly.

Additional Information
Adam has been trying to install an additional operating system on his computer so that he can run a specific line-of-business application. He abandoned the installation after getting only partway through the process. Since then, his computer displays the following error message when it starts:

   Windows Boot Manager
   File: \Boot\BCD
   Status: 0xc0000034
   Info: The Windows Boot Configuration Data (BCD) file is missing required information.
Plan of Action

The main tasks for this exercise are as follows:

1. Read the help-desk Incident Record for Incident 161071.

2. Update the Plan of Action section of the Incident Record.

3. Simulate the problem.

Task 1: Read the help-desk Incident Record for Incident 161071

Read the help-desk Incident Record (in the exercise scenario in the student handbook) for Incident
161071.

Task 2: Update the Plan of Action section of the Incident Record

1. Read the Additional Information section of the Incident Record.

2. Update the Plan of Action section of the Incident Record with your recommendations.

Task 3: Simulate the problem

1. Switch to LON-CL1, and then sign in by using the following credentials:
   o User name: Adatum\Administrator
   o Password: Pa$$w0rd

2. Open File Explorer, run the E:\Labfiles\Mod14\Scenario1.vbs script, and then wait while LON-CL1 restarts.

Results: After this exercise, you should have reproduced the reported startup problem on Adam's computer.

Exercise 4: Resolving a Problem

Scenario
In this exercise, you must attempt to resolve the startup problem.

The main task for this exercise is as follows:

1. Attempt to resolve the problem.

Task 1: Attempt to resolve the problem

1. On LON-CL1, attempt to resolve the problem by using your knowledge of the startup architecture and the available tools for troubleshooting the startup environment.

2. Update the Plan of Action section of the Incident Record.

3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance. To repeat or exit the exercise, revert the virtual machine environment.

Results: After completing this exercise, you should have resolved the startup problem and documented your solution.

Prepare for the next module

When you have finished the lab, revert the virtual machines to their initial state.

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20687D-LON-CL1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20687D-LON-DC1.

Module Review and Takeaways

Review Questions

Question: After installing a new video driver, your user's computer becomes unstable, and it will not start correctly. What would you try first to resolve this problem?

Question: The boot environment of a user's computer is corrupted, and you suspect a virus. Before you can run virus removal tools, you must repair the boot configuration. What command-line tool or tools could you use?

Question: You add a new hard disk to the computer, which changes the computer's partition numbering. To enable the computer to start, you need to change the BCD. What tool can you use to change the BCD?

Question: A user has reported a problem to the help desk. The user is experiencing problems with starting a computer after a new device driver was added. You decide to start the computer by using a minimal boot, but you want to configure that from the Windows operating system before restarting. What tool could you use?

Question: A system service is causing startup problems, and your help-desk user has started the problematic computer in Windows RE. What command-line tool can you use to modify the service startup type?

Question: The help desk recently installed a new device driver on a computer. A stop code is generated, and a blue screen is shown during computer startup. What recovery mechanism would you try first?

Tools

Tool          Use for                                        Where to find it
BCDEdit.exe   Viewing and configuring the BCD store          Command line (Windows and Windows RE)
Sc.exe        Managing services                              Command line
MSConfig.exe  Managing services and the startup environment  Windows operating system
Windows RE    Troubleshooting Windows 8.1 computers          Recovery elements on the hard disk (automatic failover after a failed startup) and the product installation DVD
Safe Mode     Troubleshooting startup                        Accessible from the Startup Settings page
BootRec.exe   Managing the boot environment                  Command line (Windows RE only)


Module 15
Configuring Client Hyper-V
Contents:
Module Overview                          15-1
Lesson 1: Overview of Client Hyper-V     15-2
Lesson 2: Creating Virtual Machines      15-6
Lesson 3: Managing Virtual Hard Disks    15-13
Lesson 4: Managing Checkpoints           15-19
Lab: Configuring Client Hyper-V          15-24
Module Review and Takeaways              15-27

Module Overview

Hyper-V is the primary platform for infrastructure virtualization. Hyper-V enables multiple operating
systems to run in individual virtual machines that share the same physical platform. Virtual machines can
be isolated or connected to a network. This module will introduce you to Client Hyper-V in Windows 8.1
and explain the fundamentals of working with virtual machines in a Client Hyper-V environment.

Objectives
After completing this module, you will be able to:

Describe the functionality and benefits of using Client Hyper-V.

Create virtual machines.

Manage virtual hard disks.

Manage checkpoints.

Lesson 1

Overview of Client Hyper-V


Client Hyper-V is a Windows 8.1 feature that is available only in the 64-bit version of the operating
system. You can use Client Hyper-V to create and run multiple virtual machines on the same Windows 8.1
computer. You can isolate virtual machines or connect them to a network. You also can use them to
provide an additional environment, such as for running applications that are not compatible with
Windows 8.1.
This lesson introduces you to Client Hyper-V functionality in Windows 8.1, and it introduces scenarios
that might benefit from a virtual environment. Client Hyper-V provides the same core virtualization
technology that is included in Windows Server 2012 R2.

Lesson Objectives
After completing this lesson, you will be able to:

Explain the purpose and functionality of Client Hyper-V.

Identify scenarios for using Client Hyper-V.

Purpose and Functionality of Client Hyper-V

At its most basic level, Client Hyper-V provides the ability to share a computer's physical hardware with one or more isolated operating systems that are running in virtualized environments, or virtual machines. Virtual machines are configured to share physical resources from a physical computer, and they represent those virtualized resources as usable components to a virtual machine's operating system. For example, one computer with one network adapter might have five different virtual machines that run in Client Hyper-V. In each of these virtual machines, a virtualized network adapter is associated, through a virtual switch, with the single physical network adapter, enabling the five virtual machines to have individual media access control (MAC) addresses, to be assigned individual IP addresses, and to gain network access. Similar virtualization happens with other hardware components such as processors, memory, and hard disks.

Client Hyper-V Functionality

Client Hyper-V is a feature that enables virtualization within a Windows 8.1 environment. Client Hyper-V
uses the same virtualization engine as Hyper-V in Windows Server 2012 R2 and contains the same core
feature set. Client Hyper-V replaces the Windows XP Mode that was previously available in Windows 7,
and it has some significant differences in functionality:

Compatibility with Hyper-V in Windows Server. Client Hyper-V supports the same standard
functionality as Hyper-V in Windows Server. You can import and export virtual machines and virtual
hard disks between Hyper-V and Client Hyper-V without any requirement for conversion or
modification.

Support for 64-bit virtual machines. Client Hyper-V can provide both a 32-bit and a 64-bit virtualized
hardware environment for virtual machines. Windows XP Mode supported only 32-bit virtualized
hardware.


No application-level virtualization. In Windows 7, Windows XP Mode enabled a user to run an application in a virtualized Windows XP environment while displaying it within the Windows 7 desktop. In Windows 8.1, Client Hyper-V exposes the complete virtualized operating system in its own window.

Hyper-V and Client Hyper-V Feature Comparison

The following table compares the availability of some features between Client Hyper-V and Hyper-V.

Feature                                                    Client Hyper-V    Hyper-V in Windows
                                                           in Windows 8.1    Server 2012 R2
Sleep and hibernate for physical computer and VMs          Yes               No
Hyper-V Replica                                            No                Yes
Microsoft RemoteFX graphics virtualization                 No                Yes
Single-root I/O virtualization (SR-IOV)                    No                Yes
Virtual Fibre Channel                                      No                Yes
Virtual machine live migration                             No                Yes
Network virtualization                                     No                Yes
Virtual wireless network adapters                          Yes               Yes
Live storage move                                          Yes               Yes
Up to 64 terabytes (TB) per virtual disk                   Yes               Yes

Client Hyper-V Requirements


To implement Client Hyper-V in Windows 8.1, a computer must meet the following requirements:

Memory. A computer must have at least 4 gigabytes (GB) of physical memory to support Client Hyper-V. Memory is allocated to and released from the virtual machines dynamically as required. You can run several virtual machines on a Windows 8.1 host that meets the minimum memory requirement, but depending on the specific requirements of the virtual machines, you might need to install more physical memory.

Storage. Client Hyper-V supports the same storage migration capability that is included in Hyper-V in Windows Server 2012 R2. This means that you can store virtual machines independently of the underlying storage. Additionally, you can move virtual machines' storage between local drives, to a USB drive, or to a remote file share without having to stop the virtual machines.

Processor. A computer must have an x64 processor that supports hardware-assisted virtualization and Data Execution Prevention (DEP), and the processor must also support second-level address translation (SLAT). Second-level address translation reduces the overhead incurred during the virtual-to-physical address mapping that is performed for virtual machines. Additionally, the computer must be running the 64-bit edition of Windows 8.1 Pro or Enterprise.

Hyper-V Management Tools


Hyper-V Manager is the primary tool for managing Client Hyper-V. It is a console based on Microsoft
Management Console (MMC). Hyper-V Manager provides complete access to Client Hyper-V functionality
in Windows 8.1. Windows Server 2012 R2 Hyper-V also uses Hyper-V Manager, so any experience in either
operating system will correspond directly to the other.
The other graphical tool that is installed with Client Hyper-V is the Virtual Machine Connection tool. You
can use the Virtual Machine Connection tool to connect to a virtual machine with an interface that is very
similar to Remote Desktop Protocol.
Note: Both Hyper-V Manager and the Virtual Machine Connection tool are installed if you
turn on the Hyper-V GUI Management Tools feature in Windows 8.1.

The Hyper-V module for the Windows PowerShell command-line interface enables you to manage Client
Hyper-V by using Windows PowerShell cmdlets. The Hyper-V module can be useful for scripting Client
Hyper-V management or managing remote Hyper-V installations.
Note: You can view the entire list of cmdlets that relate to Hyper-V by running the
Get-Command -Module Hyper-V cmdlet at a Windows PowerShell command prompt.
Question: What must you do to enable administration of Client Hyper-V by using Windows
PowerShell?
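The requirements and the management tools described above can be checked and enabled from Windows PowerShell. The following script is an added example, not part of the course text: it tests each prerequisite listed under Client Hyper-V Requirements through WMI and, when all of them pass, turns on the Hyper-V feature set, including the Hyper-V module that the review question above asks about. The check names are assumptions chosen for readability; the WMI classes and feature names are the ones shipped with Windows 8.1.

```powershell
# Added example (not part of the course text): check the Client Hyper-V prerequisites
# described above and, when they are met, turn on the Hyper-V platform plus its
# management tools (Hyper-V Manager, Virtual Machine Connection, the Hyper-V PowerShell
# module). Run from an elevated Windows PowerShell prompt on Windows 8.1.

function Test-ClientHyperVPrerequisites {
    $os  = Get-WmiObject -Class Win32_OperatingSystem
    $cpu = Get-WmiObject -Class Win32_Processor | Select-Object -First 1
    $ram = (Get-WmiObject -Class Win32_ComputerSystem).TotalPhysicalMemory

    # One named boolean per requirement, so a failing check is easy to spot.
    # Caveat: once the hypervisor is running it owns the virtualization extensions and
    # Win32_Processor reports VMMonitorModeExtensions / VirtualizationFirmwareEnabled
    # as False, so run this before enabling Hyper-V, not after.
    $checks = [ordered]@{
        '64-bit Windows'                          = $os.OSArchitecture -like '64*'
        'At least 4 GB of physical memory'        = $ram -ge 4GB
        'Data Execution Prevention (DEP)'         = [bool]$os.DataExecutionPrevention_Available
        'Hardware-assisted virtualization'        = [bool]$cpu.VMMonitorModeExtensions
        'Virtualization enabled in firmware'      = [bool]$cpu.VirtualizationFirmwareEnabled
        'Second-level address translation (SLAT)' = [bool]$cpu.SecondLevelAddressTranslationExtensions
    }
    foreach ($name in $checks.Keys) {
        $state = if ($checks[$name]) { 'OK' } else { 'MISSING' }
        Write-Host ('{0,-42} {1}' -f $name, $state)
    }
    return -not ($checks.Values -contains $false)
}

$hyperV = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V
if ($hyperV.State -eq 'Enabled') {
    Write-Host 'Hyper-V is already enabled on this computer.'
}
elseif (Test-ClientHyperVPrerequisites) {
    # Microsoft-Hyper-V-All = hypervisor + GUI management tools + PowerShell module.
    # Microsoft-Hyper-V-Management-PowerShell alone is enough to script Client Hyper-V
    # or to manage a remote Hyper-V host from a computer that does not run the hypervisor.
    Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All -All -NoRestart
    Get-WindowsOptionalFeature -Online -FeatureName 'Microsoft-Hyper-V*' |
        Select-Object FeatureName, State
    Write-Host 'Restart the computer to finish enabling the hypervisor.'
}
else {
    Write-Warning 'This computer does not meet the Client Hyper-V requirements.'
}
```

The separation between Microsoft-Hyper-V (the hypervisor) and Microsoft-Hyper-V-Management-PowerShell matters for the review question: the cmdlets come from the management feature, which can be enabled on its own on a computer that only administers remote Hyper-V hosts.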

Scenarios for Using Client Hyper-V


Hyper-V in Windows Server 2012 R2 and Client Hyper-V share the same underlying platform, which enables you to take advantage of the Client Hyper-V features in your organization in many different ways:

Using Client Hyper-V, you can build a test lab infrastructure that is hosted entirely on a laptop or PC, and you can export the virtual machines that you create and test from your laptop or PC into production.

You can create a Client Hyper-V virtual machine and use it as a preproduction environment for testing apps. You might be preparing to migrate a Windows client infrastructure to Windows 8.1 and require testing of all line-of-business apps. You can employ a virtual machine that is running Windows 8.1 to test an app and then revert the virtual machine to its default state by using checkpoints, ready to test other apps.

You can create several virtual machines, each with a different installed version of a Windows
operating system, to test a new app. For example, you could install Windows 8.1 on the first virtual
machine, Windows 7 on the second virtual machine, and Windows XP on the third virtual machine.
You can configure each virtual machine to your testing specifications and then revert the machines
after testing is complete so that the machines are immediately ready for the next testing task.


If you encounter problems with a virtual machine in Windows Server 2012 R2 in your production
Hyper-V environment, you can copy or export that virtual machine from the production environment,
import it into Client Hyper-V, perform the required troubleshooting, and then export it back into the
production environment.

With Client Hyper-V, you can use Hyper-V virtualization, wireless network adapters, and sleep states
on your desktop computer. For example, if you run Client Hyper-V on a laptop and close the lid, the
virtual machines that are running go into a saved state and resume when the machine wakes.

Virtual machine tools that are created for Hyper-V in Windows Server, such as Sysinternals Disk2VHD
tools, also work in Client Hyper-V.

Using virtual machine networking, you can create a multiple-machine environment for test, development, and demonstration. When the virtual machines are connected to a private or internal virtual switch rather than to an external one, this environment is isolated from, and does not affect, the production network.

You can use preconfigured virtual hard disks to test new Microsoft software. Microsoft.com hosts a
large number of ready-to-use virtual hard disk files that you can use with Hyper-V or Client Hyper-V.
After you import a file, virtual hard disks provide a functional test version of the specific product for
evaluation. With virtual hard disk files, there is no need to upgrade or configure operating systems, or
to download and install apps. The entire environment is ready to go in the virtual hard disk file the
first time you start the virtual machine.
Question: Can you run two virtual machines with the same name and TCP/IP network
settings in the same Client Hyper-V environment?

Lesson 2

Creating Virtual Machines


You can use Client Hyper-V for creating and running virtual machines. You can create virtual machines
in several different ways. This lesson explains how you can create virtual machines by using Hyper-V
Manager and Windows PowerShell. This lesson also explores hardware components of the virtual
machine, explains the differences between Generation 1 and Generation 2 virtual machines, and describes
the process for creating and managing virtual machines in Client Hyper-V.

Lesson Objectives
After completing this lesson, you will be able to:

Describe how to create a virtual machine.

Explain how to configure virtual machine settings.

Describe how to run virtual machines.

Creating a Virtual Machine


A virtual machine represents a physical computer in a virtualization environment. Virtual computers have components similar to those of physical computers. However, virtual computers can use only components that are part of the Client Hyper-V virtualization infrastructure. Client Hyper-V can present devices to a virtual machine in the following two ways:

Emulated devices. Client Hyper-V presents an emulated device to a virtual machine as if it were actual hardware. Emulated devices present standard and well-known functionality that is universal to all devices of that type, which means that almost any operating system supports them. Emulated devices are available when a virtual machine starts, and a virtual machine can start from them. Examples include integrated device electronics (IDE) controllers and legacy network adapters.

Hyper-V-specific (synthetic) devices. Client Hyper-V does not present synthetic components to the virtual machine as actual hardware. It presents them to the operating system on the virtual machine as functionality that a device driver can use. Newer operating systems, such as Windows 8 and Windows 8.1, support such functionality by default when running in virtual machines; for other operating systems, you need to install integration services to support them. In a Generation 1 virtual machine, synthetic devices are not available during startup, so the virtual machine cannot start from them; Generation 2 virtual machines, described later in this lesson, have only synthetic devices and start from them.

Creating a virtual machine in Hyper-V Manager is a wizard-based process that prompts you for the information necessary to create the virtual machine. When creating a virtual machine, you must specify several virtual machine settings at the time of creation:

Virtual machine name. The name that you specify identifies the virtual machine in Hyper-V Manager and is used in the naming of various virtual machine-related files.

Virtual machine location. By default, a virtual machine is created and located on the computer's system drive. If your computer has multiple physical hard disks, you typically can increase the performance of your virtual machine by placing it on a disk that is separate from the system disk. For computers with solid-state drives (SSDs), this is not as effective.

Virtual machine generation. Before Client Hyper-V in Windows 8.1, Hyper-V only supported what
today is known as Generation 1 virtual machines. You now can create Generation 2 virtual machines,
which include support for secure boot and which can be started either from a SCSI virtual disk or by
using a network adapter. If you want to use a Generation 2 virtual machine, you must install at least
Windows Server 2012 or a 64-bit version of Windows 8 or newer to the virtual machine. After creating
a virtual machine, you cannot change its generation.

Memory. The amount of memory that you specify will be assigned to a virtual machine from the
available physical memory on your Windows 8.1 computer. You also can configure a virtual machine
to use Dynamic Memory.

Network connection. Your virtual machine can have one or more virtual network adapters. By default,
a new virtual machine is created with a single network adapter that can be connected to a virtual
switch. You can create a virtual switch that will connect virtual machines to an external network
through a physical network adapter, or you can create a self-contained virtual switch to provide an
isolated network environment. Alternatively, you might choose not to connect a virtual machine to
any virtual switch.

Virtual hard disk location. By default, a single virtual hard disk is created in the same directory that is
specified for the virtual machine location. You also might choose to use a preexisting virtual hard disk.
For example, many Microsoft products are available for trial purposes in preconfigured .vhd files.

Operating system installation media. Unless you are attaching a virtual hard disk that already has
an installed operating system, you will need to install an operating system on your virtual machine.
You can specify an .iso image CD/DVD file to use as installation media, or you can attach a physical
CD/DVD drive from the host machine to the virtual machine, and then install the operating system
from that media.

Creating a Virtual Machine in Hyper-V Manager

To create a virtual machine, perform the following procedure:

1. Open Hyper-V Manager from the Start screen by typing Hyper-V Manager, and then press Enter.

2. In Hyper-V Manager, in the Actions pane, click New, and then click Virtual Machine.

3. The New Virtual Machine Wizard appears. Click Next.

4. On the Specify Name and Location page, in the Name field, type the name of your virtual machine. Select where you want to store the virtual machine and its associated virtual hard disks, and then click Next.

5. On the Specify Generation page, select whether you want to create a Generation 1 or Generation 2 virtual machine, and then click Next.

6. On the Assign Memory page, in the Memory field, specify the amount of memory to assign to the virtual machine, select whether you want to use Dynamic Memory, and then click Next.

7. On the Configure Networking page, in the Connection list, select the appropriate virtual switch, and then click Next.

8. On the Connect Virtual Hard Disk page, create a new virtual hard disk or use an existing virtual hard disk file that you have already created, and then click Next.

9. On the Installation Options page, select from where you want to install an operating system on the virtual machine, and then click Next.

10. On the Completing the New Virtual Machine Wizard page, click Finish.

Creating a Virtual Machine in Windows PowerShell

If you want to create a new virtual machine by using Windows PowerShell, you can run the New-VM cmdlet. The New-VM cmdlet has a limited set of options, but you can modify and customize a virtual machine after you create it. You can create a new virtual machine by performing the following procedure:

1. On the Windows 8.1 computer, on the Start screen, type powershell, right-click Windows PowerShell, and then select Run as administrator. Click Yes in the User Account Control dialog box.

2. In the Administrator: Windows PowerShell window, run the following cmdlet to create a Generation 1 virtual machine named Windows 8.1 with 4 GB of memory, with its files stored in the C:\VMs folder, with a 100 GB virtual hard disk named Disk1.vhdx, and connected to a virtual switch named Private:

   New-VM -Name "Windows 8.1" -Generation 1 -MemoryStartupBytes 4GB -Path C:\VMs -NewVHDPath "C:\VMs\Windows 8.1\Disk1.vhdx" -NewVHDSizeBytes 100GB -SwitchName Private

   The virtual machine name and the virtual hard disk path contain a space, so both must be quoted.

Question: Can you convert a Generation 1 virtual machine that has Windows Server 2012 R2
installed to a Generation 2 virtual machine?

Configuring Virtual Machine Settings

When you create a virtual machine by using the New Virtual Machine Wizard or the Windows PowerShell New-VM cmdlet, you can configure only a limited number of options. For example, you cannot adjust Dynamic Memory settings, add more than one virtual hard disk to the virtual machine, or configure the virtual machine with a directly attached (pass-through) or differencing virtual hard disk. However, after you create the virtual machine, you have many more options that you can configure. You can configure most virtual machine settings and make modifications to the hardware configuration only when the virtual machine is turned off (not paused or in a saved state). However, you can configure some options, such as the virtual switch to which a network adapter is connected, or add a virtual hard disk to the SCSI controller, while the virtual machine is running. Configuration options also depend slightly on the virtual machine generation, because some virtual hardware is available only for Generation 1 virtual machines. You can enable Secure Boot for Generation 2 virtual machines, whereas Generation 1 virtual machines do not have such an option.

You can configure virtual machine settings in Hyper-V Manager or by using Windows PowerShell. In Hyper-V Manager, you right-click the virtual machine, click Settings, and then modify the properties of the hardware component that you want to configure. In Windows PowerShell, you can use several different cmdlets to configure a virtual machine, depending on whether you want to configure virtual machine settings (Set-VM), add virtual hardware components (Add-VMHardDiskDrive, Add-VMNetworkAdapter), or modify existing hardware component settings (Set-VMHardDiskDrive, Set-VMNetworkAdapter).
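The cmdlets just listed, applied end to end, as an added example that is not part of the course text: it creates an isolated Generation 2 virtual machine with New-VM and then sets what New-VM cannot, namely Dynamic Memory, Secure Boot, network-adapter guards, integration services, start/stop actions, and the boot order. The virtual machine name Win81-Test, the switch name Isolated, the folder C:\VMs, and the ISO path C:\ISO\Win81Ent_Eval.iso are assumptions; every cmdlet used is in the Windows 8.1 Hyper-V module.

```powershell
# Added example (not course code): build an isolated Generation 2 test VM with PowerShell,
# then apply settings that New-VM cannot set. The names and paths (VM "Win81-Test",
# switch "Isolated", C:\VMs, C:\ISO\Win81Ent_Eval.iso) are assumptions; adjust them.
# Run from an elevated PowerShell prompt on a Windows 8.1 host with the Hyper-V module.

$vmName = 'Win81-Test'
$vmPath = 'C:\VMs'
$iso    = 'C:\ISO\Win81Ent_Eval.iso'

# A Private switch has no uplink to the host or to the physical network, so whatever
# runs inside the VM (or is being tested there) cannot reach the production network.
if (-not (Get-VMSwitch -Name 'Isolated' -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name 'Isolated' -SwitchType Private | Out-Null
}

# Generation 2: UEFI firmware, synthetic devices only, boots from SCSI or PXE.
New-VM -Name $vmName -Generation 2 -MemoryStartupBytes 2GB -Path $vmPath `
       -NewVHDPath (Join-Path $vmPath "$vmName\$vmName.vhdx") -NewVHDSizeBytes 60GB `
       -SwitchName 'Isolated' | Out-Null

# Hardware settings the wizard and New-VM leave at defaults; edited while the VM is off.
Set-VMProcessor -VMName $vmName -Count 2
Set-VMMemory    -VMName $vmName -DynamicMemoryEnabled $true -MinimumBytes 1GB `
                -StartupBytes 2GB -MaximumBytes 4GB
Set-VMFirmware  -VMName $vmName -EnableSecureBoot On          # Generation 2 only

# Guard the virtual NIC: no MAC spoofing, and drop rogue DHCP and router advertisements
# coming out of the guest.
Set-VMNetworkAdapter -VMName $vmName -MacAddressSpoofing Off -DhcpGuard On -RouterGuard On

# Integration services are a host-to-guest channel; keep only what the test needs.
# Guest Service Interface (Copy-VMFile into the guest) is off by default; this makes
# that an explicit decision rather than a default.
Disable-VMIntegrationService -VMName $vmName -Name 'Guest Service Interface'

# Do not auto-start a test VM with the host; shut it down cleanly when the host stops.
Set-VM -Name $vmName -AutomaticStartAction Nothing -AutomaticStopAction ShutDown

# Attach installation media and make it the first boot device (SCSI DVD on Generation 2).
Add-VMDvdDrive -VMName $vmName -Path $iso
Set-VMFirmware -VMName $vmName -FirstBootDevice (Get-VMDvdDrive -VMName $vmName)

# Review the result before starting the VM.
Get-VM -Name $vmName | Format-List Name, Generation, State, MemoryStartup, ProcessorCount
Get-VMNetworkAdapter -VMName $vmName |
    Format-List SwitchName, MacAddressSpoofing, DhcpGuard, RouterGuard
```

Run the settings cmdlets before the first Start-VM: the processor count, firmware settings, and Dynamic Memory enablement are among the settings that require the virtual machine to be turned off, whereas the switch connection set by Set-VMNetworkAdapter could also be changed later while it runs.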

Generation 1 virtual machines contain the components that are listed below.

BIOS. Specifies the startup order of boot devices.

Memory. Configures the amount of memory that is assigned to a virtual machine, the dynamic range of memory that can be used, and the memory weight. When a virtual machine is running, that memory is allocated exclusively and cannot be used by other virtual machines or by the Hyper-V host.

Processor. Configures the number of processors that are available to a virtual machine, the resource control, the processor compatibility settings, and the non-uniform memory access (NUMA) settings.

IDE controller. Connects IDE virtual disks and DVD drives to a virtual machine. Generation 1 virtual machines have two IDE controllers. Devices that are connected to IDE controllers can be used to start a virtual machine.

SCSI controller. Connects SCSI virtual disks to a virtual machine. SCSI controllers are synthetic, which means that a Generation 1 virtual machine cannot start from a virtual disk that is connected to one.

Network adapter. Connects a virtual machine to a virtual switch. Network adapters are synthetic, which means that Generation 1 virtual machines cannot use them for Pre-Boot Execution Environment (PXE) boot.

Legacy network adapter. Connects a virtual machine to a virtual switch. Legacy network adapters are emulated, which means that they are available during startup, and Generation 1 virtual machines can use them for PXE boot.

Fibre Channel adapter. Accesses Fibre Channel-based storage directly from a virtual machine. This is a synthetic device, which means that it is not available during startup.

COM port. Configures a virtual COM port that communicates with the host through a named pipe.

Diskette drive. Connects virtual floppy disks to a virtual machine.

As part of the virtual machine settings, you also can configure management settings. In the Management section, you can configure the components that are listed below.

Name. Specify the name of a virtual machine and add comments about it.

Integration Services. Enable the services that the Hyper-V host will offer to a virtual machine. To use any of the services, integration services must be installed and supported on the virtual machine's operating system.

Checkpoint File Location. Specify the folder in which checkpoint files for a virtual machine will be stored. You can modify this location until the first checkpoint is created.

Smart Paging File Location. Specify the folder in which the Smart Paging file for a virtual machine will be created, if necessary.

Automatic Start Action. Specify whether to start a virtual machine automatically after the Hyper-V host restarts, and how long after Hyper-V is running to start it.

Automatic Stop Action. Specify the state in which to place a virtual machine when the Hyper-V host shuts down.

Windows 8.1 and Windows Server 2012 R2 fully support the existing type of virtual machine and add support for a new type. Virtual machines that were created on earlier versions of Hyper-V are Generation 1 virtual machines. When you create a virtual machine in Windows 8.1, you decide whether to create a Generation 1 or a Generation 2 virtual machine, and the choice cannot be changed afterwards. Generation 2 is built on the assumption that the guest operating system is virtualization-aware. Generation 2 removes all legacy and emulated virtual hardware devices (BIOS, IDE controllers, the legacy network adapter, and the diskette drive) and uses only synthetic devices. BIOS-based firmware is replaced with Unified Extensible Firmware Interface (UEFI) firmware that supports Secure Boot. Generation 2 virtual machines start from a virtual disk on the SCSI controller or by using PXE from a (synthetic) network adapter.
Question: Can you modify virtual machine memory settings while a virtual machine is
running?

Running Virtual Machines


Virtual machines maintain their own state within Client Hyper-V. When a virtual machine is started, its state is set to running, and it performs the startup process of a typical computer, including loading an operating system. After the operating system loads, it interacts with the virtual hardware configured for the virtual machine, and you can connect to it and work with it as you would a physical computer.

You can connect to a virtual machine by selecting the virtual machine and then clicking the Connect button on the toolbar, or by right-clicking the virtual machine and then clicking Connect on the shortcut menu. What displays in the virtual machine window depends on the state of the virtual machine. In Client Hyper-V, a virtual machine can be in five different states:

Off. A virtual machine that is stopped does not consume any resources on the host machine, and it exists in a state similar to a physical computer that is powered off.

Starting. When a virtual machine is first started, it remains in the starting state for a brief moment, during which required resources are checked and assigned to the virtual machine. After this check and assignment occurs, the state changes to running.

Running. A virtual machine is in its normal operable state when Running is displayed. A running virtual machine responds to keyboard and mouse input and, when you are connected to it, shows whatever is being sent to the virtual machine's display adapter.

Paused. When a virtual machine is paused, it still maintains its allocation of host-computer resources, but the virtual machine's operating system is frozen until the virtual machine is resumed.


• Saved. When a virtual machine is in the saved state, its current operating state (including memory) is
saved to the hard disk, and it stops consuming host computer resources until you start it and place it
into the running state. When a Client Hyper-V computer that supports hibernate and sleep modes
enters one of these modes, virtual machines that are running enter the saved state.

When you connect to a virtual machine, Enhanced Session Mode is used by default in Client Hyper-V
on Windows 8.1. Enhanced Session Mode uses the Remote Desktop Services (RDS) component in the
virtual machine and establishes a full Remote Desktop session to the virtual machine over the VMBus,
so no network connectivity to the guest is required. This means that local resources such as smart cards,
printers, drives, USB devices, or any other supported Plug and Play devices can be redirected to the
virtual machine. You also can use a shared Clipboard for copying content to the virtual machine, or even
copy files to it, even if the virtual machine has no network connectivity. Keep in mind that redirection
works in both directions: whatever you redirect (a drive, a smart card, the Clipboard) becomes reachable
from inside the guest, so redirect as little as possible into virtual machines you do not trust. Enhanced
Session Mode is available only if you connect to virtual machines that are running Windows 8.1 or
Windows Server 2012 R2. RDS must be running on the virtual machine, and the user account that is used
to log on to the virtual machine must be a member of the Remote Desktop Users local group.
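The following Windows PowerShell script is an added example (it is not part of the course text) that walks a virtual machine through the states described above with the Hyper-V module cmdlets and then checks the host-side half of the Enhanced Session Mode requirement. The virtual machine name Win81-Test is a placeholder; the guest-side requirements (RDS running, user in Remote Desktop Users) still have to be verified inside the guest.

```powershell
# Added example: drive a Client Hyper-V VM through Off -> Running -> Paused ->
# Saved -> Running and confirm the host setting for Enhanced Session Mode.
# 'Win81-Test' is an assumed VM name.
#Requires -RunAsAdministrator
#Requires -Modules Hyper-V
$vmName = 'Win81-Test'

function Wait-VMHeartbeat {
    # Block until the guest's Heartbeat integration service reports Ok*,
    # which means the operating system inside the VM has finished booting.
    param([string]$Name, [int]$TimeoutSeconds = 300)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        if ((Get-VM -Name $Name).Heartbeat -like 'Ok*') { return $true }
        Start-Sleep -Seconds 5
    } while ((Get-Date) -lt $deadline)
    return $false
}

$vm = Get-VM -Name $vmName
"Initial state: $($vm.State)"            # Off, Running, Paused, Saved, ...

if ($vm.State -ne 'Running') { Start-VM -Name $vmName }
if (-not (Wait-VMHeartbeat -Name $vmName)) {
    throw "$vmName did not report a heartbeat; check the integration services in the guest."
}

# Paused keeps the host memory and processors allocated; Saved writes the
# guest memory to disk and releases the host resources.
Suspend-VM -Name $vmName
"After Suspend-VM: $((Get-VM -Name $vmName).State)"   # Paused
Resume-VM  -Name $vmName
Save-VM    -Name $vmName
"After Save-VM:    $((Get-VM -Name $vmName).State)"   # Saved
Start-VM   -Name $vmName                               # resumes from the saved state

# Enhanced Session Mode is a host-level setting plus guest-side prerequisites.
# This is the host half; it is on by default on Windows 8.1 Client Hyper-V.
if (-not (Get-VMHost).EnableEnhancedSessionMode) {
    Set-VMHost -EnableEnhancedSessionMode $true
}
Get-VMHost | Select-Object Name, EnableEnhancedSessionMode
```

Run it from an elevated Windows PowerShell session on the Windows 8.1 host. If the heartbeat never reaches Ok, the guest either has no integration services or has not finished booting, and Enhanced Session Mode will not be offered for that connection either.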

Exporting and Importing Virtual Machines

You can export and import virtual machines between computers that are running Client Hyper-V
or Hyper-V in Windows Server 2012 R2. Exporting and importing virtual machines enables multiple
troubleshooting and testing scenarios that might be impossible in a physical computing environment.

Exporting Virtual Machines

When you export a virtual machine, all components that comprise the virtual machine are exported to
the path that you specify. There are four parts to each exported virtual machine:

• The Virtual Machines folder contains an .exp file that records the GUID of the exported virtual
machine.

• The Virtual Hard Disks folder contains copies of each virtual hard disk that is associated with the
virtual machine. If a virtual hard disk is a differencing virtual hard disk, all base images that are
associated with that virtual hard disk are copied to the export folder as well.

• The Snapshots folder contains a file with an .exp extension for each checkpoint of the virtual machine.

• Config.xml is a configuration file that the import process uses.

Importing Virtual Machines

When you import a virtual machine, Client Hyper-V reads the configuration file (Config.xml) and then
creates a virtual machine by using the configuration information. As part of the import process, Hyper-V
deletes all of the .exp files, which prevents importing the virtual machine a second time, and then replaces
them with XML files. When you import a virtual machine, you have the following options:

• Register the virtual machine in-place or Register the virtual machine. When you select either of these
options, Client Hyper-V creates a virtual machine that uses the same unique identifier (ID) as the
exported virtual machine.

• Copy the virtual machine. When you select this option, Client Hyper-V copies the virtual machine and
replaces the unique ID for the virtual machine with a new ID.

Windows 8.1 enhances the process of importing a virtual machine considerably, and the export process is
no longer required. You can simply copy virtual machine data files between Client Hyper-V computers
and then run the Import Virtual Machine Wizard on the destination Windows 8.1 computer to
import virtual machines. The Import Virtual Machine Wizard detects and fixes more than 40 types of
incompatibilities between Client Hyper-V environments. It prompts you to provide missing information,
such as the location of a parent virtual hard disk or a virtual switch to which the virtual machine should be
connected, when the appropriate virtual switch is not available.

Question: Why would you rather import a virtual machine into Client Hyper-V than create
new virtual machine and configure it to use existing virtual hard disks?
Question: Can you use Enhanced Session Mode to start a virtual machine from a USB
device?
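The script below is an added example (not part of the course text) of doing what the Import Virtual Machine Wizard does from Windows PowerShell: export the virtual machine, run the compatibility check on the destination with Compare-VM, fix the most common incompatibility (a missing virtual switch), and only then import. The VM name, export path and destination paths are placeholders, and the message ID 33012 for "virtual switch not found" is taken from Microsoft's documented Import-VM examples.

```powershell
# Added example: export a VM, then import it as a copy with a new ID after
# resolving incompatibilities reported by Compare-VM. Names/paths are assumed.
#Requires -RunAsAdministrator
#Requires -Modules Hyper-V
$vmName     = 'Win81-Test'
$exportRoot = 'D:\Exports'     # source host
$importRoot = 'C:\VMs'         # destination host

# --- Source host: writes Virtual Machines, Virtual Hard Disks and Snapshots
# folders under $exportRoot\$vmName.
Export-VM -Name $vmName -Path $exportRoot

# --- Destination host (after copying $exportRoot\$vmName there).
# The VM configuration file is named after the VM's GUID.
$configXml = Get-ChildItem -Path (Join-Path $exportRoot "$vmName\Virtual Machines") -Filter *.xml |
             Select-Object -First 1 -ExpandProperty FullName

# Compare-VM is the wizard's compatibility check without the import.
# -Copy -GenerateNewId is the "Copy the virtual machine" option: use it when
# the original may still exist somewhere, so two VMs never share an ID.
$report = Compare-VM -Path $configXml -Copy -GenerateNewId `
              -VirtualMachinePath $importRoot `
              -VhdDestinationPath (Join-Path $importRoot 'Virtual Hard Disks')

foreach ($issue in $report.Incompatibilities) {
    "[$($issue.MessageId)] $($issue.Message)"
}

# 33012 = the virtual switch referenced by the VM does not exist here.
# Connect each orphaned adapter to a local switch, then re-evaluate.
$localSwitch = Get-VMSwitch | Select-Object -First 1
$report.Incompatibilities |
    Where-Object { $_.MessageId -eq 33012 } |
    ForEach-Object { Connect-VMNetworkAdapter -VMNetworkAdapter $_.Source -VMSwitch $localSwitch }

$report = Compare-VM -CompatibilityReport $report
if ($report.Incompatibilities.Count -eq 0) {
    $newVm = Import-VM -CompatibilityReport $report
    "Imported $($newVm.Name) with ID $($newVm.Id)"
} else {
    throw 'Unresolved incompatibilities remain; not importing.'
}
```

Only a report with an empty Incompatibilities list should be handed to Import-VM; the wizard hides this loop behind its prompts, but scripting it makes the fix-ups (switch mapping, missing parent disk paths) explicit and reviewable.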


Lesson 3

Managing Virtual Hard Disks


Just as physical computers store data on physical hard disks, virtual machines store data on virtual hard
disks, which are actually files that reside on physical hard disks. There are different types of virtual hard
disks available, and this lesson explains the differences between the various types. Virtual hard disks can
be in one of two formats, .vhd and .vhdx. Windows 8.1 also can mount virtual hard disks directly on a
physical computer and access their content without starting a virtual machine.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe the purpose and functionality of virtual hard disks.

• Describe how to configure a virtual hard disk.

• Explain how to move virtual hard disk storage.

Overview of Virtual Hard Disks


Virtual machines have different options for storing their data. Just as virtual machines are isolated when
running on a Hyper-V host, you also can isolate their hard disks and encapsulate their content in a single
virtual hard disk file with the .vhd or .vhdx extension. From inside a virtual machine, virtual hard disks are
seen as physical disks, and virtual machines use them as if they were physical disks.

You can connect storage to virtual machines by using two different storage controller types: SCSI and
IDE. A virtual machine can access a disk either as a virtual Advanced Technology Attachment (ATA) device
on a virtual IDE controller or as a virtual SCSI disk device on a virtual SCSI controller. Virtual storage
controllers have the following characteristics:

• IDE controllers are available only in Generation 1 virtual machines. Each virtual machine has two IDE
controllers and can have up to two devices, hard drives or DVD drives, attached to each controller.

• While a virtual machine is running, you cannot add devices to or remove devices from an IDE
controller.

• A Generation 1 virtual machine can start only from an IDE controller.

• SCSI controllers are available in all virtual machines. Generation 1 virtual machines can use a SCSI
controller only for data disks, whereas Generation 2 virtual machines start from SCSI controller
attached disks or DVD drives.

• A SCSI controller is synthetic, and you can add disks to or remove disks from a SCSI controller while
a virtual machine is running. A virtual machine can have up to four SCSI controllers, and each SCSI
controller supports up to 64 devices, which means that each virtual machine can have as many as 256
virtual SCSI disks.

• You can use the different hard disk types, such as fixed size, dynamically expanding, differencing, and
attached physical disks (pass-through disks), with both controller types.


A virtual machine uses storage controllers for accessing storage. The type of storage controller that a
virtual machine uses does not have to be the same type that Client Hyper-V is using. For example, a
Windows 8.1 computer can have only physical SCSI storage, but you can configure virtual machines
with IDE controllers and use IDE-attached virtual hard disks that are stored on the SCSI storage of the
Windows 8.1 computer.

You can store virtual machine virtual hard disks locally on a Windows 8.1 computer, on Server Message
Block (SMB) 3.0 file shares, or on a storage area network (SAN) logical unit number (LUN).

Virtual Hard Disk Formats


The virtual hard disk format has evolved over time, and Client Hyper-V on Windows 8.1 supports two
virtual hard disk formats:

• .vhd. This format supports virtual hard disks up to 2,048 GB in size. This format has been available
since Microsoft Virtual Server 2005 was released, which means that you can use the .vhd format with
older versions of Hyper-V and with earlier Microsoft virtualization products such as Windows
Virtual PC.

• .vhdx. This format supports virtual hard disks up to 64 TB in size. This format has been available
since Windows 8 and Windows Server 2012 and is not compatible with older versions of Hyper-V.
The .vhdx format incorporates the lessons learned from the .vhd format: it provides better protection
against data corruption and optimizes structural alignment on large-sector physical disks.

When you compare the .vhd and .vhdx formats, the .vhdx format provides the following benefits:

• Support for larger virtual hard disk sizes, up to 64 TB.

• Protection against data corruption by logging updates to .vhdx metadata structures, which is
especially important during power failures.

• Ability to store custom metadata about a file, such as which operating system is installed in the .vhdx,
or which patches are applied to it.

• Improved alignment of the virtual hard disk format to work better with large-sector disks.

• Larger block sizes for dynamic and differencing disks, which improves their performance.

• 4 kilobyte (KB) logical sector virtual disks, which increase performance when used by applications
that are designed for 4-KB sectors.

• Efficiency in data representation, which results in smaller file sizes so that an underlying physical
storage device can reclaim unused space (trim operation).

Virtual Hard Disk Types

You can create three types of virtual hard disks: fixed size, dynamically expanding, and differencing. After
you create a virtual hard disk, you can edit it and convert it to another type or format. When selecting a
virtual hard disk type, you should be aware of the following factors:

• Fixed size. When you create a fixed-size virtual hard disk, Client Hyper-V allocates space for the entire
virtual hard disk. For example, if you create a 100-GB fixed-size virtual hard disk, Client Hyper-V
creates a 100-GB file, even when it does not include any data. Creation of large fixed-size virtual hard
disks can take significant time because Client Hyper-V has to create the file at the entire specified size
and fill its content with zero values. The size of a fixed-size virtual hard disk does not change, because
Client Hyper-V allocates all of the storage space when it creates the virtual hard disk. You cannot
create fixed-size virtual hard disks that require more space than is available on a physical disk.
Fixed-size virtual hard disks are larger than dynamically expanding virtual hard disks, and as such,
moving them can be more time-consuming.


• Dynamically expanding. When you create a dynamically expanding virtual hard disk, Client Hyper-V
only creates a small file. That file then grows as you write data to the virtual hard disk until it reaches
its fully allocated size. The size of the dynamically expanding disk only grows. It does not shrink, even
if you delete data. For example, if you create a 100-GB dynamically expanding virtual hard disk, Client
Hyper-V creates a file that is only a few megabytes in size. When you write to that virtual hard disk
file, it will grow; however, when you delete information from the virtual hard disk, it will not shrink.
When you start using a dynamically expanding virtual hard disk, such as formatting partitions and
installing an operating system on it, the virtual hard disk will start growing until it reaches its
maximum size of 100 GB. Client Hyper-V creates the dynamically expanding virtual hard disk much
faster because it does not allocate all the space at once. However, when you add data to a virtual
hard disk, it might fragment in the same way that any file would on a volume. You can create
dynamically expanding virtual hard disks that would require more space on a physical disk than is
currently available. Dynamically expanding virtual hard disks are smaller than other virtual hard disk
types until their maximum size is reached.

• Differencing. A differencing virtual hard disk always links to another virtual hard disk in a parent/child
relationship. It cannot exist on its own. The parent virtual hard disk can be fixed-size or dynamically
expanding, but as soon as it becomes a parent disk for a differencing virtual hard disk, you must not
write to it, so it will neither grow nor shrink. A differencing virtual hard disk is always dynamically
expanding. You also can chain differencing virtual hard disks, as long as none of the base (parent)
disks are written to. In this scenario, one differencing virtual hard disk uses another differencing virtual
hard disk as a base disk. The differencing virtual hard disk stores changes for the parent disk and
provides a way to isolate changes without altering the parent disk. When you use a differencing virtual
hard disk, you can access all the data from the parent disk, and changes you make are written only to
the differencing virtual hard disk, not to the parent disk. In other words, reads for modified data are
served from the differencing virtual hard disk, and reads of all other data are served from the parent
virtual hard disk. Metadata is used in both cases to determine from where data should be read, which
results in differencing virtual hard disks having slower performance than fixed-size or dynamically
expanding virtual hard disks. Differencing virtual hard disks must use the same format as the parent
disk, either .vhd or .vhdx. You cannot specify a size for a differencing virtual hard disk. Differencing
virtual hard disks can grow as large as the parent disk size limit. However, unlike dynamically
expanding disks, you cannot compact differencing virtual hard disks directly. You can compact a
differencing virtual hard disk only after it merges with its parent disk.

Note: Using differencing virtual hard disks can be beneficial in some scenarios. For
example, you could use as a parent a virtual hard disk that has a clean installation of the
Windows 8.1 operating system, and you could use a new differencing virtual hard disk as a
virtual machine hard disk. You could even create multiple differencing virtual hard disks for
multiple virtual machines that would use the same Windows 8.1 virtual disk as their parent disk.
Question: Is there any difference between connecting a virtual hard disk to a virtual machine
by using an IDE or SCSI virtual controller?
Question: Can Client Hyper-V allocate more storage space to a differencing virtual hard disk
than to the parent disk to which it links?
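The following Windows PowerShell script is an added example (not from the course text) that creates the three disk types with New-VHD and makes the differences described above observable with Get-VHD, then validates a differencing chain before it is attached to a virtual machine. C:\VHDs is a placeholder folder, and Win81-Base.vhdx is assumed to be an existing .vhdx holding the clean Windows 8.1 installation from the note above.

```powershell
# Added example: fixed, dynamic and differencing disks side by side, plus a
# chain check. C:\VHDs and Win81-Base.vhdx are assumed names.
#Requires -RunAsAdministrator
#Requires -Modules Hyper-V
$root = 'C:\VHDs'
New-Item -ItemType Directory -Path $root -Force | Out-Null

# Fixed: the whole file is allocated and zero-filled now (slow for large sizes).
$fixed   = New-VHD -Path "$root\Fixed.vhdx"   -SizeBytes 20GB  -Fixed
# Dynamic: a few MB on disk, grows on write, never shrinks when data is deleted.
$dynamic = New-VHD -Path "$root\Dynamic.vhdx" -SizeBytes 100GB -Dynamic
# Differencing: takes format and size from the parent; the parent must be
# treated as read-only from now on.
$parent  = "$root\Win81-Base.vhdx"
$diff    = New-VHD -Path "$root\Win81-Child.vhdx" -ParentPath $parent -Differencing

# Size is what the guest sees; FileSize is what the host actually pays for.
Get-VHD -Path $fixed.Path, $dynamic.Path, $diff.Path |
    Format-Table Path, VhdType, VhdFormat,
        @{n='SizeGB';     e={[math]::Round($_.Size/1GB, 1)}},
        @{n='FileSizeMB'; e={[math]::Round($_.FileSize/1MB, 1)}},
        ParentPath -AutoSize

function Get-VHDChain {
    # Walk child -> parent -> grandparent and return the list, refusing to
    # hand back a chain that Hyper-V considers broken (parent modified or
    # replaced after the child was created).
    param([string]$Path)
    if (-not (Test-VHD -Path $Path)) {
        throw "Virtual hard disk chain starting at $Path is not valid"
    }
    $chain = @()
    while ($Path) {
        $v = Get-VHD -Path $Path
        $chain += $v
        $Path = $v.ParentPath
    }
    return $chain
}
Get-VHDChain -Path $diff.Path | Select-Object Path, VhdType

# Type/format changes produce a new file via Convert-VHD; compaction is only
# meaningful for dynamic disks (differencing disks must be merged first).
Convert-VHD -Path $dynamic.Path -DestinationPath "$root\Dynamic-as-Fixed.vhdx" -VHDType Fixed
Optimize-VHD -Path $dynamic.Path -Mode Full
```

Running Get-VHDChain before Add-VMHardDiskDrive catches the classic mistake of booting a VM from the parent disk after children exist, which silently invalidates every child.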

Configuring a Virtual Hard Disk


Planning for and configuring virtual hard disks is
an important component in implementing virtual
machines in Client Hyper-V. When planning
storage requirements, you need to ensure that
enough resources are available to create new
machines, but also to accommodate any virtual
machines with dynamically expanding hard drives.


If you use a single drive on a Windows 8.1 computer for storing virtual machine hard disks, your disk I/O
performance will degrade quickly for all virtual machines because of increasing disk read/write times and
disk activity. Increasing the number of physical drives or spindles increases the performance of virtual
machines greatly, as does using an SSD.
Hard drive recommendations include:

• Use hard drives that are at least 10,000 revolutions per minute (RPM).

• Use SSDs where possible.

• Consider using a SAN for virtual machine storage. SANs provide several benefits, such as high
performance and high availability. Also, you can assign additional space to virtual machines as long
as the SAN has storage available.

• Client Hyper-V enables you to run virtual machines that use virtual hard disks that are stored locally
or on SMB 3.0 shares.

• Internet SCSI (iSCSI) SANs can provide relatively inexpensive storage for virtual machines. Using iSCSI
also enables you to configure virtual machines with direct access to storage.

• Configure antivirus software on Windows 8.1 physical computers to exclude all .vhd, .vhdx, .avhd,
.avhdx, .vfd, .vsv, .bin, and .xml files that are stored on hard drives that are hosting virtual machines,
or use virtualization-aware antivirus software. Note that these exclusions mean the host scanner never
looks inside the virtual hard disks; malware in a guest must be caught by antimalware running inside
that guest.

Creating a Virtual Hard Disk

You can create a virtual hard disk while you are creating a virtual machine or outside of the New Virtual
Machine Wizard. If you create a virtual hard disk as a separate task, it is not attached to a virtual machine,
and you must add it to a virtual IDE or a virtual SCSI controller before you can use it on a virtual machine.
You can create a new virtual hard disk in Hyper-V Manager or by using Windows PowerShell.

Create a virtual hard disk by using Hyper-V Manager

1. On the Windows 8.1 computer, in Hyper-V Manager, in the Actions pane, click New, and then click
Hard Disk.

2. On the Before You Begin page, click Next.

3. On the Choose Disk Type page, select a virtual disk type, for example, Dynamically expanding,
and then click Next.

4. On the Specify Name and Location page, in the Name field, type the name of the virtual hard disk
file, and in the Location field, type an appropriate location, and then click Next.

5. On the Configure Disk page, do not change the default values, and then click Next.

6. On the Completing the New Virtual Disk Wizard page, click Finish.

Create a virtual hard disk by using Windows PowerShell


1. On the Windows 8.1 computer, on the Start screen, type powershell, right-click Windows
PowerShell, and then select Run as administrator. Click Yes in the User Account Control dialog
box.

2. In the Administrator: Windows PowerShell window, run the following cmdlet to create a 100-GB
dynamically expanding virtual hard disk named Dynamic.vhdx in the C:\VHDs folder:

   New-VHD -Path C:\VHDs\Dynamic.vhdx -SizeBytes 100GB -Dynamic

3. Run the following cmdlet to add the virtual hard disk to a SCSI controller in the virtual machine named
Windows 8.1 (the name contains a space, so it must be quoted):

   Add-VMHardDiskDrive -VMName 'Windows 8.1' -ControllerType SCSI -Path C:\VHDs\Dynamic.vhdx

Virtual Hard Disk Sharing and Quality of Service (QoS) Management

In older versions of Hyper-V, virtual machines used virtual hard disks exclusively. Therefore, while one
virtual machine was using a virtual hard disk, another virtual machine could not use the same virtual hard
disk. In Client Hyper-V in Windows 8.1, you can share virtual hard disks between multiple virtual machines.
This can be especially useful when you configure failover clustering in virtual machines. You can enable
virtual hard disk sharing only for .vhdx files that are connected to a virtual SCSI controller. You cannot use
virtual hard disk sharing for .vhd files that are connected to a virtual IDE controller. You can enable virtual
hard disk sharing only if the shared .vhdx is stored on a failover cluster.
In older versions of Hyper-V, it was not possible to limit I/O operations per second per virtual machine.
If a virtual machine had an application that was storage-intensive, and with a large number of read
and write operations to the storage, the virtual machine could monopolize Hyper-V, and other virtual
machines could have slower access to storage. In Windows 8.1, Client Hyper-V includes an option to
configure QoS parameters when virtual machines access storage so that you can provide enough I/O
operations per second to each virtual machine. You can configure the storage QoS for each virtual hard
disk. By specifying the maximum I/O operations per second value on advanced features of a virtual hard
disk, you can balance and throttle storage I/O between virtual machines. This prevents a virtual machine
from consuming excessive storage I/O operations, which could affect other virtual machines.
Question: When would you use shared virtual hard disks?
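The script below is an added example (not from the course text) of applying the storage QoS setting described above from Windows PowerShell rather than from the Advanced Features page of a virtual hard disk. The VM name and the IOPS values are placeholders; the note about minimum IOPS being reported rather than enforced reflects how the Windows 8.1/Windows Server 2012 R2 implementation behaves.

```powershell
# Added example: throttle one SCSI-attached virtual hard disk and show the
# per-drive QoS values. 'Win81-Test', 500 and 100 are assumed values.
#Requires -RunAsAdministrator
#Requires -Modules Hyper-V
$vmName = 'Win81-Test'

# Pick the first SCSI-attached disk; QoS is configured per virtual hard disk,
# identified by controller type/number/location rather than by path.
$drive = Get-VMHardDiskDrive -VMName $vmName -ControllerType SCSI |
         Select-Object -First 1
if (-not $drive) { throw "No SCSI-attached virtual hard disk on $vmName" }

# MaximumIOPS is enforced (the noisy-neighbour cap). MinimumIOPS is a
# reservation that Hyper-V only reports as unmet in the event log.
# IOPS are counted in 8 KB normalized I/O units.
Set-VMHardDiskDrive -VMName $vmName `
    -ControllerType     $drive.ControllerType `
    -ControllerNumber   $drive.ControllerNumber `
    -ControllerLocation $drive.ControllerLocation `
    -MaximumIOPS 500 -MinimumIOPS 100

# Virtual hard disk sharing for guest clustering is the same cmdlet with
# -SupportPersistentReservations $true; it is rejected unless the .vhdx is on
# a SCSI controller and stored on a failover cluster, as noted above.

Get-VMHardDiskDrive -VMName $vmName |
    Format-Table VMName, ControllerType, ControllerNumber, ControllerLocation,
                 MinimumIOPS, MaximumIOPS, SupportPersistentReservations -AutoSize
```

A MaximumIOPS of 0 (the default) means unlimited; set the cap on the disk a test workload hammers before starting it, since the setting takes effect on a running virtual machine.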

Moving Virtual Hard Disk Storage


You can use storage migration to move virtual hard disks and other data files that a virtual machine is
using to different physical storage while the virtual machine is running. You can perform storage
migration by using the Move Wizard in Hyper-V Manager or by using the Move-VMStorage cmdlet in
Windows PowerShell.

You can use Client Hyper-V to move a virtual machine's storage without downtime. For example, you can
use storage migration when you need to move the virtual machine storage from a local disk to an SMB 3.0
share. You also can use storage migration to move various virtual machine items such as virtual hard
disks, configuration, checkpoints, and Smart Paging files to different locations while a virtual machine is
running. For example, after you create the first checkpoint for a virtual machine, you cannot modify the
checkpoint file location setting unless you delete all virtual machine checkpoints or use storage migration.
Storage migration proceeds in the following stages:

1. Before migration starts, all virtual machine read and write operations are performed on the source
virtual hard disk.

2. When storage migration starts, the virtual hard disk content is copied over the network to the
destination, while all read and write operations are still performed on the source virtual hard disk.

3. After the initial copy is complete, write operations for the virtual hard disks are mirrored to both the
source and destination virtual hard disks.

4. After the source and destination virtual hard disks are completely synchronized, the virtual machine
switches over and starts using the destination virtual hard disk.

5. The source virtual hard disk is deleted.

Storage migration is supported only for virtual hard disks, current virtual machine configurations,
checkpoints, and Smart Paging files. When you migrate virtual machine storage, you can move all the
data files to the same location or to different locations. During the storage migration process, the virtual
machine continues to run on the same Windows 8.1 computer with the Client Hyper-V feature.
Note: Use the Storage Migrations setting in Hyper-V Settings to specify how many storage
migrations can run simultaneously. By default, two simultaneous storage migrations are allowed,
but you can increase this number.

Moving Virtual Machine Storage

When you move virtual machine storage, you have the option to move all virtual machine data to a
single location, to move the virtual machine data to different locations, or to move only virtual machine
virtual hard disks. If you choose to move virtual machine data to different locations, you can specify a
new location for each of the virtual machine data items, which includes virtual hard disks, current
configurations, checkpoints, and Smart Paging files. You can move virtual machine storage to other
folders on the same Hyper-V host or to an SMB 3.0 share. You then can complete the Move Wizard and
perform the move. For example, you can use the Move Wizard to modify the checkpoint file location
when a virtual machine already has checkpoints.
Note: In Hyper-V in Windows Server 2012 and Windows Server 2012 R2, you can move a
virtual machine between Hyper-V hosts while it is running. Client Hyper-V does not support this
feature, and you can move the virtual machine storage only, not the virtual machine itself.
Question: Can you use storage migration to move only virtual hard disks?
Question: Do you need to be a local administrator to use the Move Wizard?
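The script below is an added example (not from the course text) that performs the per-item move described above with Move-VMStorage while the virtual machine keeps running, and then verifies where each item ended up. The VM name and the SMB share path are placeholders; the share must be SMB 3.0 and the host's computer account needs Full Control on it.

```powershell
# Added example: move a running VM's disks, configuration, checkpoints and
# Smart Paging file to an SMB 3.0 share. Name and share path are assumed.
#Requires -RunAsAdministrator
#Requires -Modules Hyper-V
$vmName = 'Win81-Test'
$target = '\\FileServer\VMs$\Win81-Test'

# The Storage Migrations setting from Hyper-V Settings (default 2).
Set-VMHost -MaximumStorageMigrations 4

$vm = Get-VM -Name $vmName
"State before: $($vm.State)"      # Running is fine; no downtime is needed

# One source/destination pair per virtual hard disk so each disk lands in a
# known place (this is the "different locations" option of the Move Wizard).
$vhdMap = foreach ($d in Get-VMHardDiskDrive -VMName $vmName) {
    @{ SourceFilePath      = $d.Path
       DestinationFilePath = Join-Path "$target\Virtual Hard Disks" (Split-Path $d.Path -Leaf) }
}

# Moving SnapshotFilePath here is also the supported way to change the
# checkpoint location once checkpoints already exist.
Move-VMStorage -VMName $vmName `
    -VirtualMachinePath  $target `
    -SnapshotFilePath    "$target\Snapshots" `
    -SmartPagingFilePath "$target\SmartPaging" `
    -VHDs $vhdMap

# Verify: the VM is still running and every path now resolves under the share.
$vm = Get-VM -Name $vmName
"State after:  $($vm.State)"
Get-VMHardDiskDrive -VMName $vmName | Select-Object Path
$vm | Select-Object ConfigurationLocation, SnapshotFileLocation, SmartPagingFilePath
```

To move everything to one folder instead, replace the four location parameters with a single -DestinationStoragePath; the per-item form is worth the extra lines when disks and checkpoints belong on different volumes.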

Lesson 4

Managing Checkpoints


Checkpoints are a Hyper-V feature that you can use to create a point-in-time snapshot of a virtual
machine and then revert to it if needed. In previous versions of Hyper-V, this feature was called Snapshots,
and you can still see references to Snapshots in Windows 8.1. The primary benefit of checkpoints in Client
Hyper-V is that you can use them to create hierarchies of changes, and then you can revert to them at any
time. Checkpoints can be quite useful in some scenarios, such as when testing Windows operating system
updates. However, you must use checkpoints carefully to avoid issues, especially when reverting virtual
machines in distributed environments such as Active Directory Domain Services (AD DS). This lesson
describes how to create and work with virtual machine checkpoints.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe the purpose and functionality of checkpoints.

• Describe how to create and manage checkpoints.

• Explain the considerations for working with checkpoints.

What Are Checkpoints?

When a virtual machine is running, changes are written to both its memory and virtual hard disk.
Checkpoints are a Hyper-V feature that you can use to create a point-in-time snapshot of a virtual
machine, including its configuration, memory, and disk state. You can create checkpoints when a virtual
machine is running, when it is turned off, or when it is in a saved state, but not when it is in a paused
state. You can create multiple checkpoints of a virtual machine and revert it to any of the previous states
for which checkpoints exist. Checkpoints do not affect the running state of a virtual machine, but they can
affect virtual machine performance because they are implemented by using differencing virtual hard disks.
Note: Do not edit or modify a virtual hard disk file when it is used by a virtual machine that
has checkpoints.

Checkpoints can be useful when you need to revert virtual machines to an earlier state. You can undo
all the changes that took place after a specified state, such as the changes that occurred during testing,
development, or in a training environment. Conversely, checkpoints in production environments can
cause serious issues, such as the loss of user data.

Creating Checkpoints


When you create a checkpoint, the result is always the same, irrespective of the method you choose.
After you create a checkpoint, you should not modify its files on disk directly because this could cause
problems with the checkpoint or even with the running virtual machine. You can create checkpoints by
using one of the following procedures:

• In Hyper-V Manager, right-click a virtual machine, and then click Checkpoint (or in the Actions pane,
click Checkpoint).

• In Virtual Machine Connection, click Checkpoint in the Action menu.

• In Windows PowerShell, use the Checkpoint-VM cmdlet.

Factors to Consider
When you are considering checkpoints, you should be aware of the following factors:

• When you create a checkpoint of a virtual machine, the virtual machine is configured with a
differencing virtual hard disk even if it used a fixed-size virtual hard disk before. Differencing virtual
hard disks can perform more slowly than normal disks because two files (base and differencing) must
be read from.

• Checkpoints require additional storage space. If you create a checkpoint of a running virtual machine,
it also contains a snapshot of the virtual machine's memory. Creating multiple checkpoints can use up
a large amount of storage space.

• Although you can use checkpoints to revert a virtual machine to an earlier point in time, you should
not consider them backups. Even if you use checkpoints, you should still make regular backups.

• If you no longer need a checkpoint, you should delete it promptly. Deleting a checkpoint causes its
differencing virtual hard disk to be merged into its parent. In Windows 8.1, the merge happens
asynchronously in the background while the virtual machine is running.

• A virtual machine is limited to 50 checkpoints. The actual number of checkpoints might be fewer and
depends on the available storage.
Question: Which checkpoint requires more space: a checkpoint of a running virtual machine,
or a checkpoint of a virtual machine that is turned off?

Creating and Managing Checkpoints


Checkpoints consist of several files that represent the complete state of a virtual machine at a certain
moment in time. Because you cannot modify a previous state, checkpoints are read-only, and you cannot
modify one after you create it. You can only view a checkpoint, change its name, or delete it. You can use
checkpoints to revert virtual machines back to the state they were in when you created the checkpoints.

Creating Checkpoints
When you create a checkpoint, Client Hyper-V performs the following procedure in the background:

1. Pauses the virtual machine.

2. For each virtual hard disk that the virtual machine is using, Client Hyper-V creates a differencing
virtual hard disk, configures it to use the virtual machine's virtual hard disk as a parent, and then
updates the virtual machine settings to use the created differencing virtual hard disk.

3. Creates a copy of the virtual machine configuration file.

4. Resumes running the virtual machine.

5. Saves the content of the virtual machine memory to disk.


Because a virtual machine is paused before a checkpoint is created, you cannot create a checkpoint of a
virtual machine that is in a paused state. As the virtual machine resumes, while the memory is saving to
the disk, Client Hyper-V intercepts memory changes that have not yet been written to the disk, writes the
memory pages to the disk, and then modifies the virtual machine memory. Creating a checkpoint can take
considerable time, depending on the virtual machine memory, physical disk speed, and what is running
on the virtual machine. However, the process of checkpoint creation is transparent, and a virtual machine
does not experience any outage.

Virtual Machine Checkpoint Files


A virtual machine checkpoint can consist of the following files:

• Virtual machine configuration file (*.xml)

• Virtual machine saved state file (*.vsv)

• Virtual machine memory content (*.bin)

• Checkpoint differencing virtual hard disks (*.avhd for .vhd parents, *.avhdx for .vhdx parents)

Client Hyper-V creates a saved state file and a memory content file for a virtual machine only if a
checkpoint is created while the virtual machine is running, and not if the virtual machine is turned off.

The location of virtual machine checkpoint files is configured for each virtual machine, and by default, it is
the same location where the virtual machine configuration is stored. When you create the first checkpoint,
Client Hyper-V creates a Snapshots subfolder and stores checkpoint files there. You can modify the
location of the checkpoint files only until the first checkpoint is created. After this, the checkpoint file
location setting is read-only. You can modify this setting only after deleting all checkpoints, or by using
the Move Wizard.

Using Checkpoints
When you select a checkpoint, you have the following options available in the Actions pane:

• Settings. This option opens the virtual machine settings that were in effect at the moment
the checkpoint was created. All of the settings are read-only because you cannot change the
configuration that was used in the past. The only settings that you can modify are the checkpoint
name and the notes associated with the checkpoint.

• Apply. This option applies a checkpoint to a virtual machine, which means that you want to return the
virtual machine to its exact historical state. When you apply a checkpoint, any change in the virtual
machine since the last checkpoint was made is lost. Before applying a checkpoint, Client Hyper-V
prompts you to create a new checkpoint to avoid possible data loss.

• Export. This option exports a virtual machine checkpoint, which creates an exact copy of the virtual
machine at the moment in which you created the checkpoint.


• Rename. This option renames a checkpoint to provide better information about the state of a virtual
machine when you created the checkpoint. The checkpoint name is independent of the checkpoint
content, and by default, it contains the date and time of checkpoint creation.

• Delete Checkpoint. This option deletes a checkpoint if you no longer want to be able to revert a
virtual machine to the state it was in when you created the checkpoint.

• Delete Checkpoint Subtree. This option deletes the selected checkpoint and any checkpoints that
originate from it. Checkpoints that originate from it are listed below it in the Checkpoints pane.

When you right-click a virtual machine with at least one checkpoint, you also can click the Revert option.
This returns the virtual machine to the last checkpoint.
Question: Can you modify the configuration of a virtual machine checkpoint if you created
that checkpoint when the virtual machine was turned off?
Question: How are multiple branches created in a checkpoint tree?

Considerations for Working with Checkpoints

When you apply a checkpoint, you effectively revert a virtual machine back to the moment when you created the
checkpoint. Depending on a virtual machine's role and the applications that are installed on it, reverting a
virtual machine back to a previous checkpoint can have disastrous implications and might result in data loss
or corruption. The following two types of applications can be affected negatively when you revert a virtual
machine back in time:

Cryptographic applications. Windows operating systems provide application programming interface (API)
functions that generate random values with a high level of entropy. A checkpoint captures the state of the
random number generator at the moment you create it, so each time you apply that checkpoint the virtual
machine resumes from the same generator state and can reproduce the same sequence of "random" values. This
severely reduces the effective entropy of any keys, nonces, or identifiers generated shortly afterward. For
example, consider the generation of GUIDs. When a GUID value is generated, it should be unique and never
repeated. However, if you request a GUID immediately after applying a checkpoint, there is a high probability
that the same GUID value will be generated each time the checkpoint is applied.

Applications that use clock vector synchronization. Applying a checkpoint to a virtual machine can corrupt
applications that use clock vector synchronization. Examples of such applications are AD DS, Distributed File
System (DFS) Replication, and Microsoft SQL Server replication. For these applications to work, each member of
a replica set must maintain a monotonically increasing logical clock. When you apply a checkpoint, it turns the
logical clock on the virtual machine back, so clock values that other members have already seen are reused for
different transactions. As a result, members of the replica set will not converge to the same state, which
causes data corruption.

Before using checkpoints in your Hyper-V environment, you should consider the following:


Checkpoints can be very useful for testing applications or deployments, but they typically are not
used regularly in a production environment. Using checkpoints might cause significant problems with
applications or services that are time sensitive or that use data replication, such as Microsoft Exchange
Server or SQL Server.

Checkpoints are not a replacement for a consistent backup strategy. However, you can use
checkpoints in scenarios such as operating system upgrades and other tasks where you might want
to revert to the original state of a virtual machine should the task fail.

Hyper-V virtual machine checkpoints have multiple uses in your network, predominantly in a test lab. You can
use checkpoints in a lab environment for testing a new deployment. When creating a new server, you can use a
checkpoint for each phase of the server's creation. In a training environment, you can use checkpoints to
revert a server to the previous lab.

If you are going to use checkpoints for testing or training, the primary consideration is hard drive
space. Checkpoints can use a large amount of hard drive space because each checkpoint creates a
new differencing virtual hard disk.

Note: Client Hyper-V in Windows 8.1 projects a unique value that is named Generation
ID into a virtual machine through an emulated BIOS device that is named Microsoft Hyper-V
Generation Counter. The Generation ID changes each time you apply a checkpoint, which
enables an operating system in a virtual machine to detect that the checkpoint was applied.
Virtual Machine Generation ID
http://go.microsoft.com/fwlink/?LinkId=260709
Question: Can you prevent checkpoint creation from inside a virtual machine?
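
The checkpoint operations described above (Settings, Apply, Rename, Delete Checkpoint Subtree) and the
disk-space and data-loss considerations can all be driven from the Hyper-V PowerShell module on the host.
The following script is an added example and is not part of the course text. It assumes a virtual machine
named Windows 8.1 Test (the name used in the lab) and a checkpoint folder C:\VM\Checkpoints; both are
assumptions, and the 7-day retention for safety checkpoints is an arbitrary choice.

```powershell
# Added example (not part of the course): manage checkpoints for one VM from
# an elevated prompt on the Client Hyper-V host. The VM name and the
# checkpoint folder below are assumptions.
$vmName        = 'Windows 8.1 Test'
$checkpointDir = 'C:\VM\Checkpoints'

# The checkpoint file location can be changed only while the VM has no
# checkpoints; afterwards Hyper-V Manager shows the setting read-only.
if (-not (Get-VMSnapshot -VMName $vmName)) {
    Set-VM -Name $vmName -SnapshotFileLocation $checkpointDir
}

# Each checkpoint turns the current disk into a read-only parent and gives the
# VM a new differencing disk (.avhd/.avhdx). Walk the chain from the disk the
# VM is using back to the base to see what the checkpoint tree costs on disk.
function Get-VMDiskChainBytes {
    param([string]$Name)
    $total = 0
    foreach ($drive in Get-VMHardDiskDrive -VMName $Name) {
        $disk = Get-VHD -Path $drive.Path
        while ($disk) {
            $total += $disk.FileSize
            $disk = if ($disk.ParentPath) { Get-VHD -Path $disk.ParentPath } else { $null }
        }
    }
    return $total
}
'{0}: disk chain uses {1:N1} GB' -f $vmName, ((Get-VMDiskChainBytes -Name $vmName) / 1GB)

# Show the tree: ParentSnapshotName tells you which checkpoints branch from which.
Get-VMSnapshot -VMName $vmName |
    Sort-Object CreationTime |
    Format-Table Name, CreationTime, ParentSnapshotName, Path -AutoSize

# Apply discards everything done since the checkpoint you return to. Hyper-V
# Manager prompts for a safety checkpoint first; do the same here, explicitly.
$target = Get-VMSnapshot -VMName $vmName | Sort-Object CreationTime | Select-Object -First 1
if ($target) {
    Checkpoint-VM -Name $vmName -SnapshotName ('Before applying {0} - {1:yyyy-MM-dd HH:mm}' -f $target.Name, (Get-Date))
    Restore-VMSnapshot -VMSnapshot $target -Confirm:$false
    # Rename is cosmetic: the checkpoint content is untouched.
    if ($target.Name -notlike 'Baseline*') {
        Rename-VMSnapshot -VMSnapshot $target -NewName "Baseline - $($target.Name)"
    }
}

# Housekeeping, equivalent to Delete Checkpoint Subtree: remove stale safety
# checkpoints and everything that branches from them. Deleting merges the
# differencing disks back into their parents, which reclaims the space above.
Get-VMSnapshot -VMName $vmName |
    Where-Object { $_.Name -like 'Before applying*' -and $_.CreationTime -lt (Get-Date).AddDays(-7) } |
    Remove-VMSnapshot -IncludeAllChildSnapshots -Confirm:$false
```

Restore-VMSnapshot and Remove-VMSnapshot are high-impact cmdlets and prompt by default; the script passes
-Confirm:$false only because it has already taken its own safety checkpoint. The disk-chain total is what
actually consumes host storage, so it is the number to watch when a lab VM accumulates checkpoints.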

Lab: Configuring Client Hyper-V


Scenario
The Information Technology (IT) department at A. Datum Corporation wants to test several apps in
different operating system environments prior to deploying the apps in production. Several members
of the application testing team have expressed interest in creating virtual environments on their
Windows 8.1 computers where they can create and configure virtual machines. You have been asked
to demonstrate the process of creating an environment where apps can be tested.

Objectives
After completing this lab, you will be able to:

Install Client Hyper-V.

Create a virtual switch, a virtual hard disk, and a virtual machine.

Lab Setup
Estimated Time: 15 minutes
Virtual machine: 20687D-LON-CL5
User name: Admin
Password: Pa$$w0rd
To perform this lab, you must start the host computer to 20687D-LON-CL5. To do this, restart the host
computer and choose 20687D-LON-CL5 from the Start menu. Sign in as Admin with password
Pa$$w0rd.

Exercise 1: Installing Client Hyper-V


Scenario

MCT USE ONLY. STUDENT USE PROHIBITED

15-24 Configuring Client Hyper-V

You have been asked to turn on the Hyper-V feature on LON-CL5, a stand-alone Windows 8.1 computer
in the IT department. To ensure that the IT department has access to all options in the virtual
environment, you have been asked to install all of the management tools available for Client Hyper-V.
The main task for this exercise is as follows:
1. Install the Client Hyper-V feature.

Task 1: Install the Client Hyper-V feature

1. On LON-CL5, verify that no program that contains the word Hyper-V is installed.
2. Use the Get-Command cmdlet to verify that no cmdlets from the Hyper-V module are currently available.
3. Use the Windows Features window to turn the Hyper-V feature on.
4. Restart the computer, and then select 20687D-LON-CL5 when prompted during startup to choose an operating
   system.
5. Sign in to LON-CL5 as Admin with password Pa$$w0rd.
6. After a second restart, repeat steps 4 and 5.
7. Use the Get-Command cmdlet to verify that many cmdlets from the Hyper-V module are available.

Results: After completing this exercise, you should have installed the Client Hyper-V feature.

Exercise 2: Creating a Virtual Switch, a Virtual Hard Disk, and a Virtual Machine

Scenario


You have been asked to create a virtual network and virtual machine to accommodate app testing, and to
demonstrate the Client Hyper-V environment to the application testing team. The virtual network and
virtual machine should adhere to the following specifications.
Virtual network:

Network type: Private

Network name: Private Network

Virtual machine:

Name: Windows 8.1 Test

Memory: 1,024 megabytes (MB)

Storage location: Default

Network connection: Private Network

Installation media: None

The main tasks for this exercise are as follows:
1. Create a virtual switch.
2. Create a virtual hard disk.
3. Create a virtual machine.

Task 1: Create a virtual switch

1. On LON-CL5, open Hyper-V Manager.
2. Create a new virtual switch with the following parameters:
   o Connection type: Private
   o Virtual switch name: Private Network

Task 2: Create a virtual hard disk

1. On LON-CL5, use Hyper-V Manager to create a new virtual hard disk with the following settings:
   o Format: VHDX
   o Type: Dynamically expanding
   o Name: Dynamic.vhdx
   o Location: C:\VM
   o Size: 100 GB
2. Use Hyper-V Manager to create a new virtual hard disk with the following settings:
   o Format: VHD
   o Type: Differencing
   o Name: Differencing.vhd
   o Location: C:\VM
   o Parent: F:\Program Files\Microsoft Learning\Base\Base14C-W81-Office2013.vhd
3. In Windows PowerShell, use the New-VHD cmdlet to create a new virtual hard disk with the following
   settings:
   o Path: C:\VM\Fixed.vhdx
   o Size: 1 GB
   o Type: Fixed size
4. In File Explorer, browse to the C:\VM folder, and then confirm that Fixed.vhdx allocates 1 GB of disk
   space, while Dynamic.vhdx and Differencing.vhd allocate much less disk space.

Task 3: Create a virtual machine

1. On LON-CL5, use Hyper-V Manager to create a new virtual machine with the following settings:
   o Name: LON-VM2
   o Generation: Generation 2
   o Startup memory: 1024 MB
   o Use Dynamic Memory: Enabled
2. Use the Windows PowerShell cmdlet New-VM to create a new virtual machine with the following settings:
   o Name: LON-VM1
   o Generation: Generation 1
   o Startup Memory: 1 GB
   o Boot Device: IDE
3. Use the Windows PowerShell cmdlet Add-VMHardDiskDrive to add the C:\VM\Differencing.vhd disk to the IDE
   Controller of LON-VM1.
4. Verify that you can start and connect to the LON-VM1 virtual machine.
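
Both exercises of this lab can be completed from a single elevated Windows PowerShell session on LON-CL5.
The following script is an added example and is not part of the lab text. The feature name, switch name,
disk paths, parent VHD path, memory sizes and virtual machine names are the lab's own specifications; the
Microsoft-Hyper-V-All feature name is the Windows 8.1 optional-feature group that includes the hypervisor
together with Hyper-V Manager and the Hyper-V PowerShell module.

```powershell
# Added example (not part of the lab text): Exercises 1 and 2 run from an
# elevated Windows PowerShell prompt on LON-CL5. Names, paths and sizes are
# the lab's own specifications.
#Requires -RunAsAdministrator

# Exercise 1: is Client Hyper-V present? If not, enable the whole feature group
# (hypervisor, Hyper-V Manager and the PowerShell module), then reboot twice.
if ((Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All).State -ne 'Enabled') {
    Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All -NoRestart | Out-Null
    Write-Warning 'Hyper-V enabled. Restart LON-CL5 (it restarts twice), then run this script again.'
    return
}
# Zero cmdlets before the feature is on; well over a hundred afterwards.
"Hyper-V cmdlets available: $((Get-Command -Module Hyper-V).Count)"

# Exercise 2, Task 1: a Private switch has no uplink to the host or the
# physical network, so test VMs on it can reach only each other.
if (-not (Get-VMSwitch -Name 'Private Network' -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name 'Private Network' -SwitchType Private | Out-Null
}

# Task 2: three disk types. A differencing disk must use its parent's format
# (the parent here is .vhd), and the parent must never be modified afterwards.
New-Item -Path C:\VM -ItemType Directory -Force | Out-Null
New-VHD -Path C:\VM\Dynamic.vhdx -SizeBytes 100GB -Dynamic | Out-Null
New-VHD -Path C:\VM\Differencing.vhd -Differencing `
        -ParentPath 'F:\Program Files\Microsoft Learning\Base\Base14C-W81-Office2013.vhd' | Out-Null
New-VHD -Path C:\VM\Fixed.vhdx -SizeBytes 1GB -Fixed | Out-Null

# What File Explorer shows in step 4: on-disk size versus the size the guest sees.
Get-ChildItem -Path C:\VM\*.vhd, C:\VM\*.vhdx | ForEach-Object {
    $vhd = Get-VHD -Path $_.FullName
    [pscustomobject]@{
        Name      = $_.Name
        Type      = $vhd.VhdType
        OnDiskMB  = [math]::Round($vhd.FileSize / 1MB)
        VirtualGB = [math]::Round($vhd.Size / 1GB, 1)
    }
} | Format-Table -AutoSize

# Task 3: LON-VM2 is Generation 2 (UEFI firmware, Secure Boot on by default).
# The lab creates it in Hyper-V Manager; New-VM produces the same result.
New-VM -Name LON-VM2 -Generation 2 -MemoryStartupBytes 1024MB -NoVHD -SwitchName 'Private Network' | Out-Null
Set-VMMemory -VMName LON-VM2 -DynamicMemoryEnabled $true

# LON-VM1 is Generation 1 booting from IDE; attach the differencing disk to
# IDE controller 0, location 0 so that it is the boot disk.
New-VM -Name LON-VM1 -Generation 1 -MemoryStartupBytes 1GB -BootDevice IDE -NoVHD -SwitchName 'Private Network' | Out-Null
Add-VMHardDiskDrive -VMName LON-VM1 -ControllerType IDE -ControllerNumber 0 -ControllerLocation 0 -Path C:\VM\Differencing.vhd

Start-VM -Name LON-VM1
Get-VM -Name LON-VM1, LON-VM2 |
    Format-Table Name, State, Generation, @{ n = 'StartupMB'; e = { $_.MemoryStartup / 1MB } } -AutoSize
vmconnect.exe localhost LON-VM1   # opens the Virtual Machine Connection window, as in step 4
```

The Private switch type is the reason this environment is safe for testing untrusted apps: the test virtual
machines share a segment with each other only, with no path to the host or the corporate network. Fixed.vhdx
shows roughly its full 1 GB on disk straight away, while the dynamic and differencing disks start at a few
megabytes and grow as the guest writes to them.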

Results: After completing this exercise, you should have created a virtual network and a virtual machine in
Client Hyper-V.

Module Review and Takeaways


Review Questions
Question: Why would you deploy Client Hyper-V to a Windows client computer in a
corporate environment?
Question: Why should you not use virtual machine checkpoints for backup and disaster
recovery?
Question: Can you create a checkpoint of a virtual machine that is turned off?
Question: When you open Windows PowerShell and run the New-VM cmdlet to create a
new virtual machine, you get an error that New-VM is not recognized as the name of a
cmdlet. What could be the most probable reason for such an error?

Tools

Tool                                      Description                                                        Where to find it
Hyper-V Manager                           Management console for Client Hyper-V                              Start screen
Hyper-V Virtual Machine Connection tool   Connect directly to local or remote virtual machines without        Start screen
                                          opening Hyper-V Manager


Course Evaluation
Your evaluation of this course will help Microsoft understand the quality of your learning experience. Please
work with your training provider to access the course evaluation form.
Microsoft will keep your answers to this survey private and confidential and will use your responses to improve
your future learning experience. Your open and honest feedback is valuable and appreciated.


Module 2: Installing and Deploying Windows 8.1

Lab A: Installing Windows 8.1


Exercise 1: Planning to Install Windows 8.1
Task 1: Determine whether the customer's computers meet the minimum requirements for Windows 8.1
Answer the following questions.
1. Does the customer's computer meet the minimum system requirements for Windows 8.1 in the following areas:
   a. Processor: 2 GHz YES
   b. RAM: 4 GB YES
   c. Hard-disk space: 320 GB YES
   d. GPU: 512 MB YES
2. Does the customer's computer meet the requirements for the following features:
   o Client Hyper-V: 64-bit Second Level Address Translation (SLAT) capable YES

Task 2: Select the appropriate Windows operating system edition to install on LON-REF1

You should install a 64-bit version of Windows 8.1 Enterprise. Windows 8.1 Enterprise supports
Client Hyper-V, and is the only Windows 8.1 edition that supports the creation of Windows To Go
USB flash drive media. You should use the 64-bit version to be able to use Client Hyper-V.

Results: After completing this exercise, you should have evaluated the installation environment and then
selected the appropriate Windows operating system edition to install.

Exercise 2: Performing a Clean Installation of Windows 8.1


Task 1: Attach the Windows 8.1 DVD image file to LON-REF1
1. On the host computer, double-click the Hyper-V Manager icon on the desktop or click Start, click
   Administrative Tools, and then click Hyper-V Manager.
2. In the Hyper-V Manager console, right-click 20687D-LON-REF1, and then click Settings.
3. In the Settings for 20687D-LON-REF1 window, under IDE Controller 1, click DVD Drive in the left-hand column.
4. In the details pane, click Image file, and then click Browse.
5. In the Open window, browse to D:\Program Files\Microsoft Learning\20687\Drives, double-click the
   Win81Ent_EVAL.iso file, and then click OK to close the Settings for 20687D-LON-REF1 window.

Task 2: Install Windows 8.1 on LON-REF1

1. In Hyper-V Manager, right-click the 20687D-LON-REF1 virtual machine, and then click Start.
2. In Hyper-V Manager, right-click the 20687D-LON-REF1 virtual machine, and then click Connect.


3. When the Windows Setup screen appears, select the appropriate regional settings, and then click Next.
4. In the Windows Setup window, click Install now.
5. On the License terms page, select the I accept the license terms check box, and then click Next.
6. On the Which type of installation do you want? page, click Custom: Install Windows only (advanced).
7. On the Where do you want to install Windows page, click Next.

Note: Wait for Windows 8.1 to install. This process will take 15-20 minutes.

8. On the Personalize screen, type LON-REF1 in the PC name field, and then click Next.
9. On the Settings page, click Use express settings.
10. On the Your Account page, click Create a local account.
11. On the Your Account page, in the User name field, type User.
12. In the Password field and in the Reenter password field, type Pa$$w0rd.
13. In the Password hint field, type Forgot already?, click Finish, and then wait for the installation to
    complete.

Task 3: Confirm the successful installation of Windows 8.1 on LON-REF1

1. Confirm that the Windows 8.1 Start screen appears.
2. On the Start screen, click the Desktop tile to view the desktop of LON-REF1.
3. Click the File Explorer icon on the taskbar. The This PC window opens.
4. In the This PC window, in the navigation pane, right-click This PC, and then click Properties.
5. In the System window, verify that:
   o Windows 8.1 Enterprise Evaluation is installed
   o The computer name is LON-REF1
   o Workgroup is WORKGROUP
6. Click the Start icon on the taskbar.
7. On the Start screen, click User, and then click Sign out.

Results: After completing this exercise, you should have performed a clean installation of Windows 8.1.

Prepare for the next lab

When you are finished with the lab, revert all virtual machines back to their initial state:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687D-LON-REF1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.


Lab B: Customizing and Capturing a Windows 8.1 Image

Exercise 1: Creating an Answer File and Performing an Unattended Windows 8.1 Installation
Task 1: Mount a virtual floppy drive on LON-CL1

1. On the host computer, double-click the Hyper-V Manager icon on the desktop, or click Start, click
   Administrative Tools, and then click Hyper-V Manager.
2. In the Hyper-V Manager console, right-click 20687D-LON-CL1, and then click Settings.
3. In the Settings for 20687D-LON-CL1 window, click Diskette Drive.
4. In the details pane, click Virtual floppy disk (.vfd) file, browse to D:\Program Files
   \Microsoft Learning\20687\Drives, double-click Lab2BEx1.vfd, and then click OK.

Task 2: Verify answer file and remove diskette drive

1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. On the Start screen, type Image Manager, and then press Enter. The Windows System Image Manager starts.
3. In Windows System Image Manager, click File, and then click Open Answer File.
4. In the Open dialog box, navigate to Floppy Disk Drive (A:), select Autounattend.xml, and then click Open.
   Notice that the Components and Packages nodes are added in the Windows Image pane, and the Answer File
   pane is populated with installation passes.
5. In the Answer File pane, expand 1 windowsPE, and then select
   amd64_Microsoft-Windows-International-Core-WinPE_neutral. In the
   amd64_Microsoft-Windows-International-Core-WinPE pane, verify that InputLocale, SystemLocale, UILanguage,
   and UserLocale have en-US values.
6. In the Answer File pane, expand amd64_Microsoft-Windows-Setup_neutral, expand DiskConfiguration, expand
   Disk[DiskID=0], expand CreatePartitions, and then expand ModifyPartitions.
7. Click CreatePartition[Order=1]. In the CreatePartition[Order=1] Properties pane, verify that the Extend
   setting has a value of True, the Order setting has a value of 1, and the Type setting has a value of
   Primary.
8. In the Answer File pane, select ModifyPartition[Order=1]. In the ModifyPartition[Order=1] Properties
   pane, verify that the Active setting has a value of True, the Format setting has a value of NTFS, and the
   Order and PartitionID settings have values of 1.
9. In the Answer File pane, expand ImageInstall, expand OSImage, expand InstallFrom, and then select
   MetaData[Key=/IMAGE/NAME]. In the MetaData[Key=/IMAGE/NAME] Properties pane, verify that the Value
   setting has a value of Windows 8.1 Enterprise Evaluation.
10. In the Answer File pane, expand 7 oobeSystem, expand amd64_Microsoft-Windows-Shell-Setup_neutral, expand
    UserAccounts, expand LocalAccounts, and then click LocalAccount[Name=Admin]. In the
    LocalAccount[Name=Admin] Properties pane, verify the values of the following settings:
    o Description: Local Admin
    o DisplayName: Admin
    o Group: Administrators
    o Name: Admin
11. Close Windows System Image Manager.


12. On the host computer, double-click the Hyper-V Manager icon on the desktop, or click Start, click
Administrative Tools, and then click Hyper-V Manager.
13. In the Hyper-V Manager console, right-click 20687D-LON-CL1, and then click Settings.
14. In the Settings for 20687D-LON-CL1 window, click Diskette Drive.
15. In the details pane, select None, and then click OK.

Task 3: Configure LON-REF1 and start the Windows 8.1 unattended installation
1. On the host computer, double-click the Hyper-V Manager icon on the desktop, or click Start, click
   Administrative Tools, and then click Hyper-V Manager.
2. In the Hyper-V Manager console, right-click 20687D-LON-REF1, and then click Settings.
3. In the Settings for 20687D-LON-REF1 window, click Diskette Drive.
4. In the details pane, select Virtual floppy disk (.vfd) file, browse to D:\Program Files
   \Microsoft Learning\20687\Drives, and then double-click Lab2BEx1.vfd.
5. In the Settings for 20687D-LON-REF1 window, click DVD Drive.
6. In the details pane, click Image file, browse to D:\Program Files\Microsoft Learning\20687\Drives,
   double-click Win81Ent_EVAL.iso, and then click OK.
7. In Hyper-V Manager, right-click 20687D-LON-REF1, and then click Connect.
8. In the 20687D-LON-REF1 on localhost window, click Actions, and then click Start.
9. Observe the Windows 8.1 installation process. Confirm that you are not prompted for any information
   during installation. While Windows 8.1 installs, continue with the next exercise.

Note: During installation, LON-REF1 will restart two times. Do not press any key to start it from DVD.

Results: After completing this exercise, you should have modified an unattended answer file to use for
automating the Windows 8.1 installation process.

Exercise 2: Viewing Install.wim Information and Capturing a Windows 8.1 Image

Task 1: View the information of the Windows 8.1 image in the Install.wim file
1. In the Hyper-V Manager console, right-click 20687D-LON-CL1, and then click Settings.
2. In the Settings for 20687D-LON-CL1 window, click DVD Drive.
3. In the details pane, click Image file, browse to D:\Program Files\Microsoft Learning\20687\Drives,
   double-click Win81Ent_EVAL.iso, and then click OK.
4. On LON-CL1, in File Explorer, open the D:\Sources folder, and then view the properties of the Install.wim
   file.

Note: The file is 2.99 GB (3,214,415,031 bytes), and there is another Windows image file named Boot.wim in
the folder.


5. On the Start screen, type deployment, and then run Deployment and Imaging Tools Environment.
6. In Deployment and Imaging Tools Environment, run the following command to view the content of the
   Install.wim file:
   dism /Get-ImageInfo /ImageFile:d:\sources\install.wim
7. Verify that the .wim file has one image named Windows 8.1 Enterprise Evaluation and that the image has a
   size of more than 12 GB. This demonstrates how effectively the .wim file format compresses files.
8. You can view more details about the image by using the image index. For example, you can get more
   extensive information about the Windows 8.1 Enterprise Evaluation image by running the following command:
   dism /Get-WimInfo /WimFile:d:\sources\install.wim /index:1

Task 2: Capture an image

1. At the Deployment and Imaging Tools Environment command prompt, create a Windows image file that contains
   the contents of the C:\Windows\Inf folder by running the following command (the image name contains a
   space, so it must be quoted):
   dism /Capture-Image /ImageFile:c:\image.wim /CaptureDir:c:\windows\inf /Name:"First Image"
2. Open File Explorer, browse to C:\Windows, right-click the Inf folder, and then click Properties.
3. At the Deployment and Imaging Tools Environment command prompt, run the following command to view the size
   of the Windows image file that you created:
   dir c:\image.wim

Note: You will see that image.wim is less than 5 MB in size, which shows how effectively the initial files
were compressed when they were added to the Windows image file.

4. To capture the same content in a second image in the image.wim file, run the following command:
   dism /Append-Image /ImageFile:c:\image.wim /CaptureDir:c:\windows\inf /Name:"Second Image"

Note: The second image, which has the same content as the first image, is added much more quickly.

5. Review the size of the Windows image file that now contains two images.
6. At the Deployment and Imaging Tools Environment command prompt, run the following command:
   dir c:\image.wim

Note: image.wim is only slightly larger. The .wim file format uses single-instance storage, so each file is
stored only once. Because the files in both images of the Windows image file are the same, each file is
contained only once.

7. Run the following command to verify which images are contained in the image.wim file:
   dism /Get-ImageInfo /ImageFile:c:\image.wim

Task 3: Modify an offline image

1. In File Explorer, view the size of the file C:\Image.wim and when the file was last modified.
2. At the Deployment and Imaging Tools Environment command prompt, run the following two commands to create
   an empty folder and mount the second image in image.wim to the created folder:
   mkdir c:\mount
   dism /mount-wim /wimfile:c:\image.wim /index:2 /mountdir:c:\mount
3. In File Explorer, view the properties of the C:\mount folder. Note that the contents of the folder are
   exactly the same as the contents of the C:\Windows\inf folder.
4. In File Explorer, navigate to the C:\mount folder, and then create a subfolder named Folder1. Select and
   delete any three files in the C:\mount folder.
5. Close File Explorer.
6. Unmount the image by running the following command:
   dism /unmount-wim /mountdir:c:\mount /commit
7. View the properties of the Windows image file by running the following command:
   dir c:\image.wim
8. View the contents of the Windows image file by running the following command:
   dism /Get-ImageInfo /ImageFile:c:\image.wim
9. Run the following commands to view the content of the second and first image in the image.wim file:
   dism /Get-WimInfo /WimFile:c:\image.wim /index:2
   dism /Get-WimInfo /WimFile:c:\image.wim /index:1

Note: The second image has one more directory and three fewer files than the first image. All those
modifications were performed in the offline image.

Task 4: Capture Windows 8.1 image

1. Sign in to LON-REF1 as Admin with password Pa$$w0rd. Verify that Windows 8.1 is installed.
2. In the Hyper-V Manager console, right-click 20687D-LON-REF1, and then click Settings.
3. In the Settings for 20687D-LON-REF1 window, click DVD Drive.
4. In the details pane, click Image file, browse to D:\Program Files\Microsoft Learning\20687\Drives,
   double-click WindowsPE.iso, and then click OK.
5. On LON-REF1, open a command prompt as an Administrator, click Yes in the User Account Control dialog box,
   and then run the following command:
   C:\Windows\System32\sysprep\sysprep.exe
6. In the System Preparation Tool 3.14 dialog box, select the Generalize check box, and then click OK.
7. When LON-REF1 restarts, press any key to start it from the DVD media.
8. In the Administrator: X:\Windows\system32\cmd.exe window, run the following command:
   net use g: \\lon-cl1\share Pa$$w0rd /user:adatum\administrator
9. Run the following command to capture a Windows 8.1 image on LON-REF1:
   dism /Capture-Image /ImageFile:g:\Win81.wim /CaptureDir:c:\ /Name:CustomImage

Note: You can continue with the lecture while the capture is in progress.

Results: After completing this exercise, you should have viewed Windows image information and
captured a Windows 8.1 image.

Lab C: Deploying a Windows 8.1 Image


Exercise 1: Performing Offline Servicing and Deploying a Windows 8.1 Image
Task 1: Perform offline servicing of the Windows image
1. Sign in to LON-CL1 as Adatum\Administrator.
2. Open File Explorer, navigate to the C:\mount folder, and then verify that the folder is empty.
3. On the Start screen, type command, and then click Command Prompt.
4. Mount the Windows 8.1 image by running the following command:
   Dism.exe /mount-image /imagefile:e:\labfiles\mod02\share\win81.wim /index:1 /mountdir:c:\mount

Note: If the image Win81.wim is not yet captured, or you did not capture it in the previous lab, you can use
E:\labfiles\mod02\sources\install.wim instead.

5. View the driver packages in the mounted Windows 8.1 image by running the following command:
   dir /OD c:\mount\Windows\System32\DriverStore\FileRepository
6. Add a driver to the image by running the following command:
   dism /image:c:\mount /Add-Driver /driver:E:\Labfiles\mod02\drivers\dc3dh.inf
7. Verify that the driver has been added to the offline image by running the following command:
   dir /OD c:\mount\Windows\System32\DriverStore\FileRepository
8. List the Windows 8.1 features and their state in the mounted image by running the following command:
   dism /Image:c:\mount /Get-Features /format:Table
9. Enable the Telnet Client Windows feature by running the following command:
   dism /Image:c:\mount /Enable-Feature /FeatureName:TelnetClient
10. Unmount the Windows 8.1 image, and then commit the changes by running the following command:
    Dism.exe /unmount-wim /mountdir:c:\mount /commit
    Wait until the image is saved and unmounted.
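
The same offline-servicing sequence can be scripted with the DISM PowerShell module that ships in Windows 8.1,
which makes it easier to fail safely (discard the mount on any error rather than leave a half-edited image)
and to check the driver and feature state after each change. The following script is an added example and is
not part of the lab text. The image, driver and mount paths are the lab's own; the fallback to install.wim
follows the note above.

```powershell
# Added example (not part of the lab text): offline servicing of the captured
# image with the DISM PowerShell module, run as Administrator on LON-CL1.
# Paths are the lab's own; the mount folder is C:\mount as in the lab.
$wim   = 'E:\labfiles\mod02\share\win81.wim'
$mount = 'C:\mount'
$inf   = 'E:\Labfiles\mod02\drivers\dc3dh.inf'

# Same fallback as the lab note: use the stock image if the capture is not there yet.
if (-not (Test-Path $wim)) { $wim = 'E:\labfiles\mod02\sources\install.wim' }

# Equivalent of dism /Get-ImageInfo: pick the index by name instead of assuming 1.
$image = Get-WindowsImage -ImagePath $wim |
    Where-Object ImageName -like 'Windows 8.1 Enterprise*' | Select-Object -First 1
if (-not $image) { $image = Get-WindowsImage -ImagePath $wim | Select-Object -First 1 }

if (-not (Test-Path $mount)) { New-Item -Path $mount -ItemType Directory | Out-Null }
if (Get-ChildItem -Path $mount) {
    throw "$mount is not empty; run Dismount-WindowsImage -Path $mount -Discard first."
}

Mount-WindowsImage -ImagePath $wim -Index $image.ImageIndex -Path $mount | Out-Null
try {
    # Without -All, Get-WindowsDriver lists only third-party (out-of-box) drivers.
    $before = @(Get-WindowsDriver -Path $mount).Count

    # Add-WindowsDriver rejects unsigned drivers for x64 images unless -ForceUnsigned
    # is given; leaving that switch off keeps the serviced image trustworthy.
    Add-WindowsDriver -Path $mount -Driver $inf | Out-Null

    $after = @(Get-WindowsDriver -Path $mount)
    "Third-party driver packages: $before -> $($after.Count)"
    $after | Where-Object OriginalFileName -like '*dc3dh*' |
        Format-Table Driver, ProviderName, ClassName, Date, Version -AutoSize

    # Features: show what is already on, then enable Telnet Client. Telnet is a
    # clear-text protocol, so this belongs in a lab image, not a production one.
    Get-WindowsOptionalFeature -Path $mount |
        Where-Object State -eq 'Enabled' | Select-Object -ExpandProperty FeatureName
    Enable-WindowsOptionalFeature -Path $mount -FeatureName TelnetClient | Out-Null
    "TelnetClient: $((Get-WindowsOptionalFeature -Path $mount -FeatureName TelnetClient).State)"

    # Equivalent of /unmount-wim /commit.
    Dismount-WindowsImage -Path $mount -Save | Out-Null
}
catch {
    # Never leave a half-edited image behind: discard the mount, then rethrow.
    Dismount-WindowsImage -Path $mount -Discard | Out-Null
    throw
}
```

Commit only happens on the success path; any error in the middle discards the mount so the .wim on the share
is either fully serviced or untouched. The driver listing before and after is the scripted counterpart of the
two dir /OD commands in steps 5 and 7.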


Task 2: Use Deployment Image Servicing and Management (DISM) to deploy a Windows image
1. On LON-REF1, at the command prompt, run the following commands to partition and format the disk. Press
   Enter after each command:
   diskpart
   select disk 0
   clean
   create partition primary
   format fs=ntfs quick
   assign letter c
   exit
2. At the command prompt, apply the Windows 8.1 image by running the following command:
   Dism.exe /apply-image /imagefile:g:\win81.wim /index:1 /applydir:c:\
3. Verify that the Windows 8.1 image has been applied to drive C by running the following command:
   dir c:\

Results: After completing this exercise, you should have updated a Windows 8.1 installation image.

Prepare for the next module

When you are finished with the lab, revert all virtual machines back to their initial state:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687D-LON-CL1, and then click Revert.
3. In the Revert Virtual Machines dialog box, click Revert.
4. Repeat steps 2 through 3 for 20687D-LON-DC1 and 20687D-LON-REF1.


Module 3: Tools Used for Configuring and Managing Windows 8.1

Lab: Using Management Tools to Configure Windows 8.1 Settings
Exercise 1: Planning Management of Windows 8.1 Computers
Task 1: Plan the management of Windows 8.1 computers
1. What tool will you use to apply the configuration changes to domain-joined computers?
   Answer: You can use Group Policy to apply all of the necessary configuration settings to domain-joined
   computers.
2. Are there any organizational unit (OU) structure requirements to meet the management needs on the
   internal network?
   Answer: Yes, the computers on the machine floor need to be managed separately from other client
   computers. Also, the servers and domain controllers need to be managed separately from client
   computers. The simplest way to do this is to place the different types of computers in different OUs
   and then link only appropriate Group Policy Objects (GPOs) to the OUs.
3. Could you use security filtering as an alternative to a new OU structure?
   Answer: Yes, you could use security filtering as an alternative to creating separate OUs. You would
   need to create security groups that contain the appropriate computer accounts and then specify Read
   and Apply permissions to specific GPOs. In general, it is easier to implement OUs in this scenario.

Results: After completing this exercise, you will have planned the management of Windows 8.1
computers.

Exercise 2: Managing Windows 8.1 by Using Group Policy


Task 1: Create an OU structure for managing computers
1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Administrative Center.
2. In Active Directory Administrative Center, in the navigation pane, click Adatum (local).
3. In the Tasks pane, under Adatum (local), click New, and then click Organizational Unit.
4. In the Create Organizational Unit window, in the Name box, type MachineFloor, and then click OK.
5. In the Tasks pane, under Adatum (local), click New, and then click Organizational Unit.
6. In the Create Organizational Unit window, in the Name box, type CorpComputers, and then click OK.
7. Double-click Computers, right-click LON-CL1, and then click Move.
8. In the Move window, click CorpComputers, and then click OK.
9. Right-click LON-CL2, and then click Move.
10. In the Move window, click MachineFloor, and then click OK.
11. Close Active Directory Administrative Center.


12. Restart LON-CL1 and LON-CL2, and then sign in to both as Adatum\Administrator with password
Pa$$w0rd.

Task 2: Configure Group Policy for computers on the machine floor

1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.
2. In the Group Policy Management Console, expand Forest: Adatum.com, expand Domains, expand Adatum.com,
   and then click MachineFloor. Notice that no GPOs are linked.
3. Right-click MachineFloor, and then click Block Inheritance.
4. Right-click MachineFloor, and then click Create a GPO in this domain, and Link it here.
5. In the New GPO window, in the Name box, type MachineFloor, and then click OK.
6. On the Linked Group Policy Objects tab, right-click MachineFloor, and then click Edit.
7. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand
   Administrative Templates, expand Windows Components, and then click Windows Update.
8. Double-click Configure Automatic Updates.
9. In the Configure Automatic Updates window, click Disabled, and then click OK.
10. Close the Group Policy Management Editor window.

Task 3: Verify the application of Windows Update settings to LON-CL2
1. On LON-CL2, on the Start screen, type power, and then click Windows PowerShell.
2. At a command prompt in the Windows PowerShell command-line interface, type gpupdate /force, and then press Enter.
3. Type gpresult /h C:\results.htm, and then press Enter.
4. Type C:\results.htm, and then press Enter.
5. In Internet Explorer, read the Summary and verify that Inheritance is blocking all non-enforced GPOs linked above Adatum.com/MachineFloor.
6. In Computer Details\Settings, verify that Configure Automatic Updates is Disabled.
7. Close all open windows.

Task 4: Configure Group Policy for other client computers
1. On LON-DC1, in Group Policy Management, in the navigation pane, click CorpComputers.
2. Right-click CorpComputers, and then click Create a GPO in this domain, and Link it here.
3. In the New GPO window, in the Name box, type CorpComputers, and then click OK.
4. On the Linked Group Policy Objects tab, right-click CorpComputers, and then click Edit.
5. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Administrative Templates, expand Windows Components, and then click Windows Update.
6. Double-click Configure Automatic Updates.
7. In the Configure Automatic Updates window, click Enabled, and then click OK.
8. Under Computer Configuration, expand Windows Settings, expand Security Settings, expand Windows Firewall with Advanced Security, expand Windows Firewall with Advanced Security, and then click Inbound Rules.
9. Right-click Inbound Rules, and click New Rule.
10. In the New Inbound Rule Wizard, on the Rule Type tab, click Predefined.
11. In the Predefined box, select COM+ Remote Administration, and then click Next.
12. On the Predefined Rules tab, click Next.
13. On the Action tab, click Allow the connection, and then click Finish.
14. Right-click Inbound Rules, and then click New Rule.
15. In the New Inbound Rule Wizard, on the Rule Type tab, click Predefined.
16. In the Predefined box, select Remote Event Log Management, and then click Next.
17. On the Predefined Rules tab, click Next.
18. On the Action tab, click Allow the connection, and then click Finish.
19. Close the Group Policy Management Editor window.
20. Close Group Policy Management.
21. On LON-CL1, on the Start screen, type Power, and then click Windows PowerShell.
22. At the Windows PowerShell command prompt, type gpupdate, and then press Enter.
23. Close the Windows PowerShell Command Prompt window.
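The same OU, GPO, Windows Update and firewall configuration that Tasks 1, 2 and 4 build through the consoles can be scripted on LON-DC1. The block below is an added example and is not part of the 20687D lab or of any Microsoft sample; it assumes the RSAT ActiveDirectory, GroupPolicy and NetSecurity modules are installed on LON-DC1, and the three firewall rules are an assumption that approximates the predefined "COM+ Remote Administration" and "Remote Event Log Management" groups (the wizard's own definitions remain the reference). OU, GPO and computer names are the lab's.

```powershell
# Added example, not part of the 20687D lab: scripted equivalent of Exercise 2,
# Tasks 1, 2 and 4, run on LON-DC1. Assumes the ActiveDirectory, GroupPolicy
# and NetSecurity (RSAT) modules are present.
Import-Module ActiveDirectory, GroupPolicy, NetSecurity

$domain   = Get-ADDomain
$domainDn = $domain.DistinguishedName            # DC=Adatum,DC=com
$auKey    = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Task 1: two OUs, one computer moved into each, one same-named GPO linked to each.
$layout = @{ MachineFloor = 'LON-CL2'; CorpComputers = 'LON-CL1' }
foreach ($ouName in $layout.Keys) {
    $ouDn = "OU=$ouName,$domainDn"
    if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" -SearchBase $domainDn -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $ouName -Path $domainDn
    }
    Get-ADComputer -Identity $layout[$ouName] | Move-ADObject -TargetPath $ouDn
    if (-not (Get-GPO -Name $ouName -ErrorAction SilentlyContinue)) {
        New-GPO -Name $ouName | New-GPLink -Target $ouDn -LinkEnabled Yes | Out-Null
    }
}

# Task 2: MachineFloor blocks inheritance and turns automatic updates off.
# "Configure Automatic Updates: Disabled" is stored as NoAutoUpdate = 1.
Set-GPInheritance -Target "OU=MachineFloor,$domainDn" -IsBlocked Yes | Out-Null
Set-GPRegistryValue -Name MachineFloor -Key $auKey -ValueName NoAutoUpdate -Type DWord -Value 1 | Out-Null

# Task 4: CorpComputers turns automatic updates on (AUOptions 3 = auto download
# and notify for install, the setting's default) and allows remote administration.
Set-GPRegistryValue -Name CorpComputers -Key $auKey -ValueName NoAutoUpdate -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name CorpComputers -Key $auKey -ValueName AUOptions    -Type DWord -Value 3 | Out-Null

# Assumption: these three rules approximate the two predefined rule groups the
# wizard adds (RPC endpoint mapper plus dynamic RPC ports, scoped to the program
# and service that actually listen). Domain profile only.
$gpoSession = Open-NetGPO -PolicyStore "$($domain.DNSRoot)\CorpComputers"
$rules = @(
    @{ DisplayName = 'COM+ Remote Administration (DCOM-In)';   Program = '%SystemRoot%\system32\dllhost.exe'; Service = 'COMSysApp'; LocalPort = 'RPC' }
    @{ DisplayName = 'Remote Event Log Management (RPC)';       Program = '%SystemRoot%\system32\svchost.exe'; Service = 'Eventlog';  LocalPort = 'RPC' }
    @{ DisplayName = 'Remote Event Log Management (RPC-EPMAP)'; Program = '%SystemRoot%\system32\svchost.exe'; Service = 'RpcSs';     LocalPort = 'RPCEPMap' }
)
foreach ($rule in $rules) {
    New-NetFirewallRule -GPOSession $gpoSession -Direction Inbound -Protocol TCP -Action Allow -Profile Domain @rule | Out-Null
}
Save-NetGPO -GPOSession $gpoSession   # writes all rules to the GPO in one commit
```

Run gpupdate /force on the clients afterwards, as Tasks 3 and 4 do. Two points worth keeping in mind: Block Inheritance on MachineFloor also drops any domain-level security baseline that is not marked Enforced, so in a real domain, enforce the baseline GPOs before blocking; and Task 3's check has to be done locally with gpresult on LON-CL2 because the MachineFloor computers accept no remote administration, which is exactly what Task 5 demonstrates.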

Task 5: Verify that remote administration is functional
1. On LON-DC1, in Server Manager, click Tools, and then click Computer Management.
2. In Computer Management, right-click Computer Management (Local), and then click Connect to another computer.
3. In the Select Computer window, in the Another computer box, type LON-CL1, and then click OK.
4. Expand System Tools, and then click Event Viewer.
5. Right-click Computer Management (LON-CL1), and then click Connect to another computer.
6. In the Select Computer window, in the Another computer box, type LON-CL2, and then click OK. This connection fails because remote management has not been configured for the computers in the MachineFloor OU.
7. In the error window, read the message, and then click OK.
8. Close Computer Management.

Results: After completing this exercise, you should have implemented an OU structure and GPO structure
to support remote management of computers.

Exercise 3: Implementing Windows PowerShell Remoting


Task 1: Configure Windows PowerShell remoting manually
1. On LON-DC1, on the taskbar, click Windows PowerShell.
2. At the Windows PowerShell command prompt, type Enable-PSRemoting, and then press Enter.
3. When prompted to configure Windows Remote Management (WinRM), type A, and then press Enter.
4. When prompted to configure the PSSession, type A, and then press Enter.
5. On LON-CL1, on the Start screen, type Power, and then click Windows PowerShell.
6. At the Windows PowerShell command prompt, type Get-ADUser, and then press Enter. This command is not recognized because the cmdlets for Active Directory Domain Services (AD DS) administration are not installed on LON-CL1.
7. Type Enter-PSSession -ComputerName LON-DC1, and then press Enter.
8. Type Get-ADUser, and then press Enter.
9. When prompted for a filter, type an asterisk (*), and then press Enter.
10. Type exit, and then press Enter.
11. Close the Windows PowerShell Command Prompt window.

Task 2: Configure Windows PowerShell remoting by using Group Policy
1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.
2. In Group Policy Management, expand Forest: Adatum.com, expand Domains, and then click Adatum.com.
3. Right-click Adatum.com, and then click Create a GPO in this domain, and Link it here.
4. In the New GPO window, in the Name box, type Enable PS Remoting, and then click OK.
5. Click the Linked Group Policy Objects tab, right-click Enable PS Remoting, and then click Edit.
6. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Administrative Templates, expand Windows Components, expand Windows Remote Management (WinRM), and then click WinRM Service.
7. Double-click Allow remote server management through WinRM.
8. In the Allow remote server management through WinRM window, click Enabled.
9. In the IPv4 filter box, type an asterisk (*).
10. In the IPv6 filter box, type an asterisk (*), and then click OK.
11. In the Group Policy Management Editor window, under Policies, expand Windows Settings, expand Security Settings, and then click System Services.
12. In the details pane, scroll down and double-click Windows Remote Management (WS-Management).
13. In the Windows Remote Management (WS-Management) Properties window, select the Define this policy setting check box, click Automatic, and then click OK.
14. In the Group Policy Management Editor window, under Security Settings, expand Windows Firewall with Advanced Security, expand Windows Firewall with Advanced Security, and then click Inbound Rules.
15. Right-click Inbound Rules, and then click New Rule.
16. In the New Inbound Rule Wizard, on the Rule Type tab, click Predefined.
17. In the Predefined box, select Windows Remote Management, and then click Next.
18. On the Predefined Rules tab, click Next.
19. On the Action tab, click Allow the connection, and then click Finish.
20. Close the Group Policy Management Editor window.

Task 3: Verify the configuration of Windows PowerShell remoting
1. On LON-CL1, on the Start screen, type Power, and then click Windows PowerShell.
2. At the Windows PowerShell command prompt, type gpupdate /force, and then press Enter.
3. Type Get-Service Winrm, and then press Enter to verify that the WinRM service is now running.
4. On LON-DC1, on the taskbar, click Windows PowerShell.
5. At the Windows PowerShell command prompt, type Get-Service Winrm -ComputerName LON-CL1, and then press Enter.
6. Type Invoke-Command -ComputerName LON-CL1 {Get-ExecutionPolicy}, and then press Enter.
7. Type Invoke-Command -ComputerName LON-CL1 {Set-ExecutionPolicy AllSigned}, and then press Enter.
8. Close the Windows PowerShell Command Prompt window.
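Tasks 2 and 3 of this exercise can also be scripted from LON-DC1: the three WinRM Service policy values, the firewall rule, and a check that each client is actually reachable afterwards. The block below is an added example, not part of the 20687D lab; it assumes the ActiveDirectory, GroupPolicy and NetSecurity modules on LON-DC1, and the helper Test-RemotingReady is a name chosen here. The System Services startup-type setting from Task 2, step 13 has no GroupPolicy cmdlet and is left to the console step.

```powershell
# Added example, not part of the 20687D lab: scripted equivalent of Exercise 3,
# Tasks 2 and 3, run on LON-DC1. Assumes the ActiveDirectory, GroupPolicy and
# NetSecurity modules are present.
Import-Module ActiveDirectory, GroupPolicy, NetSecurity

$domain   = Get-ADDomain
$gpoName  = 'Enable PS Remoting'
$winrmKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'

if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | New-GPLink -Target $domain.DistinguishedName -LinkEnabled Yes | Out-Null
}

# "Allow remote server management through WinRM" = Enabled, plus the two filters.
# The lab uses '*' (listen on every address). In production, narrow the filters to
# the management subnet (for example '10.0.0.0-10.0.0.255') so only management
# hosts can reach the listener at all; the firewall rule below is the second layer.
Set-GPRegistryValue -Name $gpoName -Key $winrmKey -ValueName AllowAutoConfig -Type DWord  -Value 1   | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $winrmKey -ValueName IPv4Filter      -Type String -Value '*' | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $winrmKey -ValueName IPv6Filter      -Type String -Value '*' | Out-Null

# Inbound rule for the HTTP listener (TCP 5985), domain profile only, which is
# what the predefined "Windows Remote Management" group allows for domain networks.
$gpoSession = Open-NetGPO -PolicyStore "$($domain.DNSRoot)\$gpoName"
New-NetFirewallRule -GPOSession $gpoSession -DisplayName 'Windows Remote Management (HTTP-In)' `
    -Direction Inbound -Protocol TCP -LocalPort 5985 -Action Allow -Profile Domain | Out-Null
Save-NetGPO -GPOSession $gpoSession

# Task 3 verification from LON-DC1, after gpupdate /force on the client: is the
# listener reachable, is the service running, and which execution policy applies?
function Test-RemotingReady {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        $reachable = try { $null = Test-WSMan -ComputerName $c -ErrorAction Stop; $true } catch { $false }
        $remote = if ($reachable) {
            Invoke-Command -ComputerName $c -ScriptBlock {
                [pscustomobject]@{ Service = (Get-Service -Name WinRM).Status; Policy = Get-ExecutionPolicy }
            }
        }
        [pscustomobject]@{
            Computer        = $c
            WinRMReachable  = $reachable
            WinRMService    = $remote.Service
            ExecutionPolicy = $remote.Policy
        }
    }
}
Test-RemotingReady -ComputerName LON-CL1, LON-CL2 | Format-Table -AutoSize
```

Because the GPO is linked at the domain, both clients should report WinRMReachable as True once they have refreshed policy, LON-CL2 included, even though its OU blocks inheritance for nothing that is enforced; if a client stays unreachable, check its WinRM service state and the rule's profile first. The AllSigned policy that step 7 sets is a safeguard against accidentally running unsigned scripts, not a boundary that stops a user who can already run commands on the machine.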

Results: After completing this exercise, you will have implemented Windows PowerShell remoting in the
Adatum.com domain.

Prepare for the next module

When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the
following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687D-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 through 3 for 20687D-LON-CL1 and 20687D-LON-CL2.

Module 4: Managing Profiles and User State in Windows 8.1

Lab A: Configuring Profiles and User State Virtualization
Exercise 1: Configuring Roaming User Profiles and Folder Redirection
Task 1: Create folders for roaming user profiles and Folder Redirection
1. On LON-DC1, on the taskbar, click File Explorer. In the navigation pane, click Local Disk (C:).
2. In File Explorer, in the details pane, right-click an empty space, point to New, and then click Folder. Type Profiles as the folder name, and then press Enter.
3. Right-click the Profiles folder, and then click Properties.
4. In the Profiles Properties dialog box, on the Security tab, click Edit, and then click Add.
5. In the Enter the object names to select box, type Domain, and then click OK.
6. Click Domain Users, and then click OK.
7. In the Permissions for Domain Users section, click Full control in the Allow column, and then click OK.
8. On the Sharing tab, click Advanced Sharing, select the Share this folder check box, and then click Permissions.
9. In the Permissions for Everyone section, click Full Control in the Allow column, and then click OK twice.
10. In the Profiles Properties dialog box, click Close.
11. In File Explorer, in the details pane, right-click an empty space, point to New, and then click Folder. Type Redirected as the folder name, and then press Enter.
12. Right-click the Redirected folder, and then click Properties.
13. In the Redirected Properties dialog box, on the Security tab, click Edit, click Add, and in the Enter the object names to select box, type Domain, and then click OK.
14. Click Domain Users, and then click OK.
15. In the Permissions for Domain Users section, click Full control in the Allow column, and then click OK.
16. On the Sharing tab, click Advanced Sharing, select the Share this folder check box, and then click Permissions.
17. In the Permissions for Everyone section, click Full Control in the Allow column, and then click OK twice.
18. In the Redirected Properties dialog box, click Close.
19. Close File Explorer.

Task 2: Configure roaming user profiles
1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Users and Computers.
2. In Active Directory Users and Computers, in the navigation pane, expand Adatum.com, and then click the Marketing organizational unit (OU). In the details pane, right-click Adam Barr, and then click Properties.
3. On the Profile tab, in the Profile path box, type \\LON-DC1\Profiles\%username%, and then click OK.
4. Minimize the Active Directory Users and Computers window.

Task 3: Configure Folder Redirection
1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.
2. In the Group Policy Management Console (GPMC), in the navigation pane, expand Forest: Adatum.com, expand Domains, and then expand Adatum.com.
3. In the navigation pane, right-click the Marketing OU, and then click Create a GPO in this domain, and Link it here.
4. In the Name field, type Folder Redirection, and then click OK.
5. In the GPMC, in the navigation pane, expand the Marketing OU, right-click Folder Redirection, and then click Edit. The Group Policy Management Editor window opens.
6. In the Group Policy Management Editor window, under User Configuration in the navigation pane, expand Policies, expand Windows Settings, and then expand Folder Redirection.
7. Right-click Documents, and then click Properties.
8. In the Documents Properties dialog box, in the Setting drop-down box, click the Basic - Redirect everyone's folder to the same location option.
9. In the Target folder location section, in the Root Path box, type \\LON-DC1\Redirected, and then click OK.
10. In the Warning dialog box, click Yes.
11. Close the Group Policy Management Editor window and minimize the GPMC.

Task 4: Verify roaming user profiles and Folder Redirection
1. On LON-DC1, in File Explorer, verify that the Profiles and Redirected folders are empty.
2. Sign in to LON-CL1 as adatum\adam with password Pa$$w0rd.
3. On the Start screen, click the Desktop tile. Right-click anywhere on the desktop, point to New, and then click Folder. Type Presentations as the folder name, and then press Enter.
4. On the desktop, right-click anywhere, and then click Personalize.
5. In the Personalization dialog box, click Change desktop icons, and then select the Computer check box in the Desktop icons section. Click OK, and then close the Personalization dialog box.
6. On the desktop, right-click anywhere, point to New, and then click Shortcut. Click Browse, expand This PC, click Local Disk (C:), click OK, click Next, and then click Finish. A shortcut to drive C is added to the desktop.
7. On the toolbar, click the Start icon.
8. On the Start screen, type Notepad, and then press Enter. Type your name in Notepad. On the File menu, click Save As, enter your name in the File Name box, and then click Save.
9. Close Notepad.
10. On the taskbar, click File Explorer, and then double-click Documents in the details pane. In the details pane, right-click the file with your name, and then click Properties. Verify that the location of that file points to the network, to \\LON-DC1\redirected\adam\Documents, and that it is not stored inside Adam Barr's local profile. Click OK.
11. Sign out of LON-CL1.
12. On LON-DC1, in File Explorer, verify that the Profiles and Redirected folders are no longer empty. The Profiles folder contains the Adam Barr roaming user profile (Adam.V2), while the Redirected folder contains Adam Barr's redirected Documents folder.
13. Sign in to LON-CL2 as Adatum\Adam with password Pa$$w0rd.
14. On the Start screen, click the Desktop tile. Verify that the This PC icon is on the desktop, in addition to the Presentations folder and the Local Disk (C:) shortcut.
15. On the toolbar, click the Start icon.
16. On the Start screen, type Notepad, and then press Enter. On the File menu, click Open, click the file with your name, and then click Open. You verified that you can transparently access files that were created on other computers and saved in a redirected folder.
17. Sign out of LON-CL2.

Task 5: Configure primary computers for user Adam Barr
1. On LON-DC1, maximize the Active Directory Users and Computers window. To turn on Advanced Features view, on the View menu, click Advanced Features.
2. In the navigation pane of Active Directory Users and Computers, click the Computers container, right-click the LON-CL1 computer account in the details pane, and then click Properties.
3. On the Attribute Editor tab, in the Attributes section, double-click the distinguishedName attribute, press Ctrl+C to copy its value to the Clipboard, and then click OK twice.

Note: The distinguishedName attribute should look like the following:
CN=LON-CL1,CN=Computers,DC=adatum,DC=com.

4. In the navigation pane, click the Marketing OU, right-click Adam Barr in the details pane, and then click Properties.
5. On the Attribute Editor tab, in the Attributes section, click the msDS-PrimaryComputer attribute, and then click Edit.
6. Right-click in the Value to add box, click Paste, and then click Add.
7. Right-click in the Value to add box, and then click Paste again. Replace LON-CL1 with LON-CL2, and then click Add.
8. In the Multi-valued String Editor dialog box, click OK.
9. In the Adam Barr Properties dialog box, click OK.
10. Minimize the Active Directory Users and Computers window.
11. Maximize the GPMC, right-click the Default Domain Policy group policy, and then click Edit.
12. In the Group Policy Management Editor window, navigate to Computer Configuration\Policies\Administrative Templates\System\User Profiles. Double-click the Download roaming profiles on primary computers only policy setting, click Enabled, and then click OK.
13. In the Group Policy Management Editor window, navigate to User Configuration\Policies\Administrative Templates\System\Folder Redirection. Double-click the Redirect folders on primary computers only policy setting, click Enabled, and then click OK.
14. Close the Group Policy Management Editor window and the GPMC.

Task 6: Verify Primary Computer setting for user Adam Barr
1. Switch to LON-SVR1, and on the taskbar, click Windows PowerShell. Type gpupdate /force, and then press Enter.
2. Sign out of LON-SVR1.
3. Sign in to LON-SVR1 as Adatum\Adam with password Pa$$w0rd.
4. Verify that the This PC icon, Presentations folder, and Local Disk (C:) shortcut are not on the desktop. This is because LON-SVR1 is not set as one of Adam Barr's primary computers and his roaming user profile is not available on LON-SVR1.
5. On the taskbar, click the Start icon.
6. On the Start screen, type Notepad, and then press Enter. On the File menu, click Open. Verify that Documents is selected in the navigation pane, but the file with your name is not available. This is because LON-SVR1 is not set as one of Adam Barr's primary computers, and his redirected folders are not available on LON-SVR1. Click Cancel and sign out of LON-SVR1.
7. On LON-DC1, maximize the Active Directory Users and Computers window. Click the Marketing OU in the navigation pane. Right-click Adam Barr in the details pane, and then click Properties.
8. On the Attribute Editor tab, in the Attributes section, click the msDS-PrimaryComputer attribute, and then click Edit.
9. In the Multi-valued String Editor dialog box, click the value that starts with CN=LON-CL2, and then click Remove.
10. In the Value to add box, replace LON-CL2 with LON-SVR1, click Add, and then click OK twice.
11. Sign in to LON-SVR1 as Adatum\Adam with password Pa$$w0rd.
12. Verify that the Presentations folder is on the desktop, as well as the Local Disk (C:) shortcut. This is because you configured LON-SVR1 as Adam Barr's Primary Computer and the roaming user profile is effective.
13. On the taskbar, click the File Explorer icon. In This PC, in the details pane, double-click Documents. Double-click the file with your name in the details pane. The file opens in Notepad. Because you configured LON-SVR1 as Adam Barr's Primary Computer, redirected folders now are available.
14. In Notepad, on the File menu, click Exit, and then sign out of LON-SVR1.
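The share, profile-path and primary-computer work of Tasks 1, 2 and 5 can be done from Windows PowerShell on LON-DC1. The block below is an added example, not part of the 20687D lab, and it deliberately goes beyond the lab in one respect: where the lab grants Everyone Full Control on the share and Domain Users Full Control on the folder, it applies the least-privilege layout Microsoft recommends for profile and redirection roots (every user can create a subfolder, then owns only that subfolder, and cannot read other users' data). It assumes the ActiveDirectory and SmbShare modules and icacls.exe on LON-DC1; New-UserStateShare is a helper name chosen here. The Folder Redirection GPO of Task 3 has no GroupPolicy cmdlet and stays a console step.

```powershell
# Added example, not part of the 20687D lab: scripted equivalent of Lab A,
# Exercise 1, Tasks 1, 2 and 5, run on LON-DC1. Assumes the ActiveDirectory and
# SmbShare modules; the hardened ACL below replaces the lab's Everyone/Domain
# Users Full Control and is the one change that goes beyond the lab text.
Import-Module ActiveDirectory, SmbShare

function New-UserStateShare {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$Path)
    New-Item -Path $Path -ItemType Directory -Force | Out-Null
    # NTFS: break inheritance, then grant only what each principal needs.
    #   Domain Users  : traverse, list, create subfolder; this folder only
    #   CREATOR OWNER : Full Control on subfolders and files only (inherit-only),
    #                   so each user gets Full Control of the folder they create
    #   SYSTEM, Administrators: Full Control for the profile service and support
    & icacls.exe $Path /inheritance:r `
        /grant "$env:USERDOMAIN\Domain Users:(RD,AD,X)" `
        /grant 'CREATOR OWNER:(OI)(CI)(IO)F' `
        /grant 'SYSTEM:(OI)(CI)F' `
        /grant 'BUILTIN\Administrators:(OI)(CI)F' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $Path" }
    # Share: Authenticated Users rather than Everyone; NTFS does the real filtering.
    # Access-based enumeration hides other users' folders from the listing.
    if (-not (Get-SmbShare -Name $Name -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name $Name -Path $Path -FullAccess 'Authenticated Users' `
            -FolderEnumerationMode AccessBased | Out-Null
    }
}

New-UserStateShare -Name Profiles   -Path 'C:\Profiles'
New-UserStateShare -Name Redirected -Path 'C:\Redirected'

# Task 2: roaming profile path; %username% is expanded by the client at sign-in.
Set-ADUser -Identity adam -ProfilePath '\\LON-DC1\Profiles\%username%'

# Task 5: msDS-PrimaryComputer holds computer DNs. With the two "primary
# computers only" policies enabled, the roaming profile and redirected folders
# are used on these hosts and nowhere else (what Task 6 shows on LON-SVR1).
$primary = 'LON-CL1', 'LON-CL2' | ForEach-Object { (Get-ADComputer -Identity $_).DistinguishedName }
Set-ADUser -Identity adam -Replace @{ 'msDS-PrimaryComputer' = $primary }

# Check what the directory now holds for the user.
Get-ADUser -Identity adam -Properties ProfilePath, 'msDS-PrimaryComputer' |
    Select-Object SamAccountName, ProfilePath,
        @{ n = 'PrimaryComputers'; e = { $_.'msDS-PrimaryComputer' -join '; ' } }
```

With this ACL the first sign-in still creates Adam.V2 and adam\Documents exactly as Task 4 expects, because the user creates those subfolders and becomes their owner; what changes is that another domain user browsing \\LON-DC1\Profiles can no longer open them. To move a user to a different primary computer, as Task 6 steps 9 and 10 do, replace the array passed to -Replace rather than editing the attribute by hand.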

Results: After completing this exercise, you should have configured roaming user profiles and Folder
Redirection. You also should have configured the user Adam Barr with the Primary Computer setting.

Exercise 2: Implementing and Configuring UE-V


Task 1: Prepare the environment for deploying Microsoft User Experience Virtualization (UE-V)
1. On LON-DC1, on the taskbar, click File Explorer. In the navigation pane, click Local Disk (C:).
2. In File Explorer, in the details pane, right-click an empty space, point to New, and then click Folder. Type UEVdata as the folder name, and then press Enter. Right-click the UEVdata folder, and then click Properties.
3. On the Security tab, click Edit. Click Add, type Domain in the Enter the object names to select box, and then click OK. Click Domain Users, and then click OK.
4. In the Permissions for Domain Users section, click Full control in the Allow column, and then click OK.
5. On the Sharing tab, click Advanced Sharing. Select the Share this folder check box, and then click Permissions.
6. In the Permissions for Everyone section, click Full Control in the Allow column, and then click OK twice.
7. In the UEVdata Properties dialog box, click Close.
8. In File Explorer, in the details pane, right-click an empty space, point to New, and then click Folder. Type UEVTemplates as the folder name, and then press Enter. Right-click the UEVTemplates folder, and then click Properties.
9. On the Security tab, click Edit. Click Add, type Domain in the Enter the object names to select box, and then click OK. Click Domain Users, and then click OK.
10. In the Permissions for Domain Users section, click Full control in the Allow column, and then click OK.
11. On the Sharing tab, click Advanced Sharing, select the Share this folder check box, and then click Permissions.
12. In the Permissions for Everyone section, click Full Control in the Allow column, and then click OK twice.
13. In the UEVTemplates Properties dialog box, click Close.
14. Minimize the File Explorer window.

Task 2: Configure UE-V Group Policy settings
1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.
2. In the GPMC, in the navigation pane, expand Forest: Adatum.com, expand Domains, and then expand Adatum.com. Right-click Default Domain Policy, and then click Edit.
3. In the Group Policy Management Editor window, under User Configuration in the navigation pane, expand Policies, expand Administrative Templates, and then expand Windows Components. Verify that there is no Microsoft User Experience Virtualization node.
4. Close the Group Policy Management Editor window.
5. Use File Explorer to copy the file UserExperienceVirtualization.admx from E:\Labfiles\Mod03 to the folder C:\Windows\PolicyDefinitions, and then copy the file UserExperienceVirtualization.adml to the folder C:\Windows\PolicyDefinitions\en-US.
6. In the GPMC, right-click the Adatum.com domain in the navigation pane, and then click Create a GPO in this domain, and Link it here. In the Name field, type UE-V, and then click OK.
7. In the GPMC, in the navigation pane, right-click the UE-V Group Policy, and then click Edit.
8. In the Group Policy Management Editor window, under User Configuration in the navigation pane, expand Policies, expand Administrative Templates, expand Windows Components, and then click the Microsoft User Experience Virtualization node.
9. In the details pane, right-click Settings storage path, click Edit, click Enabled, in Settings storage path, type \\LON-DC1\UEVData\%username%, and then click OK.
10. In the Group Policy Management Editor window, under Computer Configuration in the navigation pane, expand Policies, expand Administrative Templates, expand Windows Components, and then click the Microsoft User Experience Virtualization node.
11. In the details pane, right-click Settings template catalog path, click Edit, click Enabled, in Settings template catalog path, type \\LON-DC1\UEVTemplates, and then click OK.
12. Close the Group Policy Management Editor window and the GPMC.

Task 3: Install UE-V agents
1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. On the Start screen, type Explorer, and then click File Explorer.
3. In File Explorer, navigate to the E:\Labfiles\Mod03 folder, and then double-click AgentSetup.exe.
4. On the Welcome to the Microsoft User Experience Virtualization Agent Setup Wizard page, click Next.
5. On the End-User License Agreement page, select the I accept the terms in the License Agreement check box, and then click Next.
6. On the Microsoft Update page, select Do not use Microsoft Update, and then click Next.
7. On the Customer Experience Improvement Program page, select Do not join the program at this time, and then click Next.
8. On the Begin Installation page, click Install.
9. On the Completed the Microsoft User Experience Virtualization Agent Setup Wizard page, click Finish, and then click Restart.
10. Sign in to LON-CL2 as Adatum\Administrator with password Pa$$w0rd.
11. On the Start screen, type cmd, and then click Command Prompt.
12. At the command prompt, run the following command:
E:\Labfiles\Mod03\AgentSetup.exe SyncMethod=None
13. Repeat steps 4 through 9 on LON-CL2.

Task 4: Configure UE-V to synchronize settings immediately
1. On LON-DC1, in File Explorer, verify that the C:\UEVdata folder is empty.
2. Sign in to LON-CL1 and LON-CL2 as Adatum\Brad with password Pa$$w0rd.
3. On LON-CL1, verify that the UE-V configuration is effective. On the Start screen, type Windows PowerShell, and then press Enter.
4. In Windows PowerShell, run Get-UevConfiguration, and then press Enter. You will see that the values for SettingsStoragePath and SettingsTemplateCatalogPath are configured as you set them in Group Policy. You also will see that the current SyncMethod is set to SyncProvider.
5. You can view the other UE-V Windows PowerShell cmdlets by running the Get-Command -Module UEV cmdlet.
6. Close the Windows PowerShell window.
7. On LON-CL2, on the Start screen, type Calculator. Verify that desktop app is selected, and then press Enter. On the View menu, click Date calculation. The Calculator is extended with options for date calculation. Close Calculator.
8. On LON-CL1, on the Start screen, type Calculator. Verify that desktop app is selected, and then press Enter. Verify that the Calculator is not extended with options for date calculation, because the local cache is used and it has not yet been synchronized with the settings storage location. Close Calculator.
9. On LON-CL1, on the Start screen, type Company, and then press Enter. Click Close in the dialog box.
10. In Company Settings Center, click Sync Now. By doing that, you manually trigger synchronization of the local cache, which otherwise happens automatically every 30 minutes.
11. In Company Settings Center, click Close.
12. On LON-CL1, on the Start screen, type Calculator, and then press Enter. Verify that Calculator is now extended with options for date calculation, as you configured it on LON-CL2.
13. On LON-CL1, on the Start screen, type PowerShell, and then press Enter.
14. In Windows PowerShell, disable the use of the local cache by running the following cmdlet:
Set-UevConfiguration -SyncMethod None
15. Sign out of LON-CL1.
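Step 4 checks the UE-V configuration on one client by hand. The block below is an added example, not part of the 20687D lab or of the UE-V product, that does the same check across several clients from LON-DC1 and flags any whose SettingsStoragePath or SettingsTemplateCatalogPath differs from the Group Policy values of Task 2, together with the SyncMethod each is using. It assumes Windows PowerShell remoting is enabled (Exercise 3 of the previous lab) and the UEV module is present on the clients; Get-UevComplianceReport is a helper name chosen here, and the expected paths are the lab's.

```powershell
# Added example, not part of the 20687D lab: fleet-wide version of Task 4, step 4,
# run on LON-DC1. Assumes PowerShell remoting to the clients and the UEV module
# (installed with the UE-V agent) on each client.
$expected = @{
    SettingsStoragePath         = '\\LON-DC1\UEVData\%username%'   # User Configuration (Task 2, step 9)
    SettingsTemplateCatalogPath = '\\LON-DC1\UEVTemplates'         # Computer Configuration (step 11)
}

function Get-UevComplianceReport {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][hashtable]$Expected
    )
    Invoke-Command -ComputerName $ComputerName -ArgumentList $Expected -ScriptBlock {
        param($exp)
        Import-Module UEV
        $cfg = Get-UevConfiguration
        [pscustomobject]@{
            Computer      = $env:COMPUTERNAME
            StoragePathOk = $cfg.SettingsStoragePath -eq $exp.SettingsStoragePath
            CatalogPathOk = $cfg.SettingsTemplateCatalogPath -eq $exp.SettingsTemplateCatalogPath
            SyncMethod    = $cfg.SyncMethod   # SyncProvider = local cache, 30-minute cycle; None = no cache
        }
    } | Select-Object Computer, StoragePathOk, CatalogPathOk, SyncMethod
}

$report = Get-UevComplianceReport -ComputerName LON-CL1, LON-CL2 -Expected $expected
$report | Format-Table -AutoSize

# A client whose paths differ has not refreshed policy (or the UE-V ADMX is missing
# from the central store); a client whose SyncMethod differs from the others is a
# candidate for the stale-cache behaviour that step 8 demonstrates.
$report | Where-Object { -not ($_.StoragePathOk -and $_.CatalogPathOk) } | ForEach-Object {
    Write-Warning "$($_.Computer): UE-V paths differ from Group Policy; run gpupdate /force and re-check"
}
```

The storage path is a user policy, so the report reflects the policy that applies to the account running the remote session (Administrator here), not to Brad; because the UE-V GPO is linked at the domain, the two are the same in this lab. In the lab state after step 14, LON-CL1 reports SyncMethod None and LON-CL2 still reports SyncProvider, which is the difference step 8 relies on.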

Task 5: Use UE-V to synchronize settings
1. On LON-CL2, on the Start screen, type WordPad, and then press Enter.
2. In WordPad, click the View tab, and then verify that the Ruler and Status bar check boxes are selected by default. Clear the Ruler and Status bar check boxes, and then close WordPad.
3. On the desktop, right-click anywhere, point to New, and then select Shortcut. Click Browse, expand This PC, click Local Disk (C:), click OK, click Next, and then click Finish.
Note: A shortcut to Local Disk (C:) is added to the desktop.
4. On the Start screen, type Notepad, and then press Enter. On the Format menu, select Font, select 20 as Size, and then click OK. Type your name in Notepad. On the File menu, click Save As, type your name in the File Name box, and then click Save. Close Notepad.
5. On LON-DC1, in File Explorer, verify that the UEVdata folder now has a brad subfolder.
6. On the View tab, click Hidden items, double-click the Brad folder, and then verify that it contains the SettingsPackages subfolder. Double-click the SettingsPackages folder, and then verify that it contains multiple subfolders for the applications and Windows settings that UE-V synchronizes.
7. On LON-CL2, on the Start screen, type Calculator. Verify that desktop app is selected, and then press Enter.
8. In Calculator, on the View menu, click Programmer, and then click Unit conversion. Close Calculator.
9. Sign in to LON-CL1 as Adatum\Brad with password Pa$$w0rd.
10. On LON-CL1, from the Start screen, type Calculator. Verify that desktop app is selected, and then press Enter. The Calculator is in Programmer mode and extended with Unit conversion, as you configured it on LON-CL2. Close Calculator.
11. On LON-CL1, open WordPad.
12. On the View tab, verify that the Ruler and Status bar check boxes are not selected, which is not the default configuration, but it is exactly as you configured it on LON-CL2. Close WordPad.
13. On LON-CL1, verify that a shortcut to Local Disk (C:) is not present on the desktop. You created it on the desktop on LON-CL2, and it is stored in that user profile. UE-V does not synchronize the contents of the desktop; instead, you should use Folder Redirection or roaming user profiles to make data roam between computers.
14. On LON-CL1, on the Start screen, open Notepad. On the Format menu, select Font, verify that font size 20 is selected, and then click OK.
15. On the File menu, click Open. In the navigation pane, expand This PC, and then select Documents.
16. Verify that the file with your name is not available in the details pane. You created a file with your name on LON-CL2, and it is stored in that user profile. UE-V synchronizes settings only, not data. You should use Folder Redirection or roaming user profiles to make data roam between computers. Click Cancel, and then close Notepad.

Task 6: Restore app settings
1. On LON-CL1, on the Start screen, open Calculator. Verify that Calculator is in Programmer view and extended with Unit conversion. Close Calculator.
2. On the Start screen, type and run Windows PowerShell.
3. At the Windows PowerShell command prompt, run Get-UevTemplate *calc* to view the TemplateId of the settings location template that is used for Calculator.
4. Restore the initial Calculator settings by running the Restore-UevUserSetting -TemplateId MicrosoftCalculator6 cmdlet.
5. On the Start screen, open Calculator, and then verify that it is in the default Standard mode, the way it was before the first UE-V synchronization.
6. Sign out of LON-CL1 and LON-CL2.

Task 7: Create a UE-V settings location template
1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. On the Start screen, click the Desktop tile.
3. Open File Explorer, and then double-click ToolsSetup.exe in the E:\Labfiles\Mod03 folder.
4. On the Welcome to the Microsoft User Experience Virtualization Generator Setup Wizard page, click Next.
5. Select the I accept the terms in the License Agreement check box, and then click Next.
6. Select the Do not use Microsoft Update check box, and then click Next.
7. On the Customer Experience Improvement Program page, select Do not join the program at this time, and then click Next.
8. On the Begin Installation page, click Install.
9. On the Completed the Microsoft User Experience Virtualization Generator Setup Wizard page, click Finish, and then click Restart.
10. After LON-CL1 restarts, sign in as Adatum\Administrator with password Pa$$w0rd.
11. On the Start screen, type generator, and then click Microsoft User Experience Virtualization Generator.
12. In Microsoft User Experience Virtualization Generator, click Create a settings location template.
13. Click Browse for the File path, browse to C:\Program files (x86)\Remote Desktop Connection Manager, click RDCMan.exe, and then click Open.
14. On the Specify Application page, click Next.
Note: You will create a settings location template for Remote Desktop Connection Manager.
15. After a few seconds, Remote Desktop Connection Manager will start. In Remote Desktop Connection Manager, on the Tools menu, click Options.
16. In the Options dialog box, select Click to select gives focus to remote client, and then click OK. Close Remote Desktop Connection Manager.
17. In the Discover Locations dialog box, click Next.
18. On the Review Locations page, select the Files tab, click Nonstandard (1), select File path, and then click Next.
19. On the Edit Template page, view the settings location template properties. On this page you could modify the registry keys and files that are used for storing configuration data. Click Create, and in the File name box, type \\LON-DC1\UEVTemplates\RDCMan.xml, and then click Save.
20. In the Create a Settings Location Template Wizard, click Close, and then close the Microsoft User Experience Virtualization (UE-V) Generator page.

Task 8: Using UE-V to synchronize custom app settings

1. On LON-CL1, from the Start screen, run Windows PowerShell.
2. At the Windows PowerShell command prompt, run the following cmdlet:

Get-UevTemplate *rdc*

Note: The output shows that no settings location template containing the string rdc is registered.

3. Register the Remote Desktop Connection Manager settings location template by running the following cmdlet: Register-UevTemplate \\LON-DC1\UEVTemplates\RDCMan.xml.

Note: By default, settings location template updates are registered once per day; by running the cmdlet, you register the template manually.

4. To verify that the template is registered, run the following cmdlet: Get-UevTemplate *rdc*. You can see that Remote Desktop Connection Manager (with TemplateId Remote-Desktop-RDCMan-v-2-2) is listed.
5. Sign in to LON-CL2 as Adatum\Administrator with password Pa$$w0rd.
6. On the Start screen, click the Desktop tile, and then click File Explorer on the taskbar.
7. In File Explorer, in the C:\Program Files\Microsoft User Experience Virtualization\Agent\x64 folder, double-click the ApplySettingsTemplateCatalog file.
8. On LON-CL1, on the Start screen, type remote, and then click Remote Desktop Connection Manager.
9. In Remote Desktop Connection Manager, on the Tools menu, select Options.
10. In the Options dialog box, select Auto save interval, and then type 3 in the minute(s) box. Click OK, and then close Remote Desktop Connection Manager.
11. On LON-CL2, on the Start screen, type remote, and then click Remote Desktop Connection Manager.
12. In Remote Desktop Connection Manager, on the Tools menu, select Options, and then verify that Auto save interval is selected and configured to 3 minute(s). Click OK, and then close Remote Desktop Connection Manager.

Results: After completing this exercise, you should have successfully implemented and configured UE-V
for synchronizing apps and Windows settings.
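The check-register-verify sequence of steps 2 to 4, written as a reusable function. This is an added example, not code from the course or from UE-V; Get-UevTemplate, Test-UevTemplate and Register-UevTemplate are the UE-V agent's own cmdlets, the template path and TemplateId are the lab's values, and the IsValid and Message property names on the object Test-UevTemplate returns are my assumption (confirm them with Get-Help Test-UevTemplate on your agent version).

```powershell
# Added example (not from the course manual): validate a UE-V settings location
# template, register it only if its TemplateId is not already present, and confirm
# that the registration took effect. Safe to run repeatedly (idempotent).

function Register-UevTemplateIfMissing {
    param(
        [Parameter(Mandatory)] [string] $TemplatePath,        # e.g. \\LON-DC1\UEVTemplates\RDCMan.xml
        [Parameter(Mandatory)] [string] $ExpectedTemplateId   # e.g. Remote-Desktop-RDCMan-v-2-2
    )

    # Already registered? Then there is nothing to do.
    $existing = Get-UevTemplate | Where-Object { $_.TemplateId -eq $ExpectedTemplateId }
    if ($existing) {
        return [pscustomobject]@{ TemplateId = $ExpectedTemplateId; Action = 'AlreadyRegistered' }
    }

    # Validate the XML against the UE-V schema before trusting a file that lives on a share.
    # (IsValid / Message property names are assumed; see lead-in.)
    $check = Test-UevTemplate -Path $TemplatePath
    if (-not $check.IsValid) {
        throw "Template $TemplatePath failed validation: $($check.Message)"
    }

    Register-UevTemplate -Path $TemplatePath

    # Confirm rather than assume: the lab's step 4 done programmatically.
    $registered = Get-UevTemplate | Where-Object { $_.TemplateId -eq $ExpectedTemplateId }
    if (-not $registered) {
        throw "Template $ExpectedTemplateId is not listed after Register-UevTemplate"
    }
    return [pscustomobject]@{ TemplateId = $ExpectedTemplateId; Action = 'Registered' }
}

Register-UevTemplateIfMissing -TemplatePath '\\LON-DC1\UEVTemplates\RDCMan.xml' `
                              -ExpectedTemplateId 'Remote-Desktop-RDCMan-v-2-2'
```

Because the function exits early when the TemplateId is already listed, it can replace the once-a-day automatic registration in a scheduled task without re-registering on every run.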

Prepare for the next lab

When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687D-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 through 3 for 20687D-LON-CL1, 20687D-LON-CL2, and 20687D-LON-SVR1.

Lab B: Migrating User State by Using USMT

Exercise 1: Creating and Customizing USMT XML Files

Task 1: Read the supporting documentation

Read the supporting documentation provided in the exercise scenario.

Task 2: Create a Config.xml file

1. Sign in to LON-CL3 as Adatum\Don with password Pa$$w0rd.
2. Verify that Don has a black desktop and that the Computer and Don Funk folders are on the desktop.
3. On the desktop, right-click anywhere, select New, select Text Document, and then type your name.
4. Sign out of LON-CL3, and then sign back in to LON-CL3 as Adatum\Administrator with password Pa$$w0rd.
5. Click Start, type cmd, and then press Enter.
6. At the command prompt, type the following command, and then press Enter:

Net Use F: \\LON-DC1\USMT

7. At the command prompt, type F:, and then press Enter.
8. At the command prompt, type the following, and then press Enter:

scanstate /i:migapp.xml /i:miguser.xml /genconfig:config.xml

Note: The creation of the Config.xml file will begin. Wait until the command finishes.

9. At the command prompt, type notepad config.xml, and then press Enter.
10. To exclude Shared Video, under the Documents node, modify the line to match the following code:

component displayname="Shared Video" migrate="no"

11. Under the Documents node, modify the line to match the following code:

component displayname="Shared Music" migrate="no"

12. Under the Documents node, modify the line to match the following code:

component displayname="Shared Pictures" migrate="no"

13. Save your changes, and then close Notepad.

Task 3: Modify a custom migration XML file

1. At a command prompt, type notepad folders.xml, and then press Enter.
2. Maximize the Notepad window. This is a custom XML file that is used to migrate a specific folder called ResearchApps to the new workstation.
3. Change the variable <Foldername> to ResearchApps. The entire line should read as follows:

<pattern type="File">C:\ResearchApps\* [*]</pattern>

4. Save your changes, and then close Notepad.
5. On the taskbar, click the File Explorer icon.
6. In Windows Explorer, in the navigation pane, expand Computer, and then click Local Disk (C:). In the details pane, double-click ResearchApps, and then verify that there are several files in the folder.
7. In Windows Explorer, right-click in the details pane, select New, select Text Document, and then type your name.
8. Close File Explorer.

Results: After completing this exercise, you should have created and customized XML files to use with the
User State Migration Tool (USMT).
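The Config.xml edits of Task 2 and the folders.xml of Task 3, done with PowerShell's XML parser instead of Notepad so the result stays well-formed and the change can be reviewed before ScanState consumes it. This is an added example, not part of the course lab or of USMT; the Config.xml content below is a constructed, cut-down sample in the shape /genconfig produces (a real file has many more components and an ID attribute on each), and the function and file names are my own.

```powershell
# Added example (not from the course lab). Two helpers:
#   Set-UsmtComponentMigrate  - flips migrate="yes"/"no" on named Config.xml components
#   New-UsmtFolderXml         - writes a custom migration XML that includes one folder
# Input is a constructed sample; in the lab the files are F:\config.xml and F:\folders.xml.

function Set-UsmtComponentMigrate {
    param(
        [Parameter(Mandatory)] [xml] $Config,
        [Parameter(Mandatory)] [string] $Section,        # e.g. 'Documents'
        [Parameter(Mandatory)] [string[]] $DisplayName,  # components to switch off
        [string] $Migrate = 'no'
    )
    $changed = @()
    foreach ($name in $DisplayName) {
        # XPath matches displayname exactly, so "Shared Video" cannot catch "Video" by accident.
        $node = $Config.SelectSingleNode("/Configuration/$Section/component[@displayname='$name']")
        if ($null -eq $node) { Write-Warning "Component '$name' not found under $Section"; continue }
        $node.SetAttribute('migrate', $Migrate)
        $changed += $name
    }
    return $changed
}

function New-UsmtFolderXml {
    param([Parameter(Mandatory)] [string] $FolderPath, [string] $ComponentName = 'CustomFolder')
    # "[*]" after the path is USMT pattern syntax for "every file, recursing into
    # subfolders", which is exactly the lab's <pattern type="File"> line.
    return @"
<?xml version="1.0" encoding="UTF-8"?>
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/$($ComponentName.ToLower())">
  <component type="Documents" context="System">
    <displayName>$ComponentName</displayName>
    <role role="Data">
      <rules>
        <include>
          <objectSet>
            <pattern type="File">$FolderPath\* [*]</pattern>
          </objectSet>
        </include>
      </rules>
    </role>
  </component>
</migration>
"@
}

# --- constructed sample standing in for the file that /genconfig writes ---
[xml] $config = @"
<?xml version="1.0" encoding="UTF-8"?>
<Configuration>
  <Documents>
    <component displayname="My Documents" migrate="yes" />
    <component displayname="Shared Video" migrate="yes" />
    <component displayname="Shared Music" migrate="yes" />
    <component displayname="Shared Pictures" migrate="yes" />
  </Documents>
</Configuration>
"@

$changed = Set-UsmtComponentMigrate -Config $config -Section Documents `
               -DisplayName 'Shared Video', 'Shared Music', 'Shared Pictures'
"Switched off: $($changed -join ', ')"
$config.Save("$env:TEMP\config.xml")            # F:\config.xml in the lab

New-UsmtFolderXml -FolderPath 'C:\ResearchApps' -ComponentName 'ResearchApps' |
    Set-Content -Path "$env:TEMP\folders.xml" -Encoding UTF8
```

Both output files are then passed to ScanState exactly as in Exercise 2 (/config:config.xml and /i:folders.xml); because the edit goes through the DOM, a typo in a display name produces a warning rather than a silently unchanged component.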

Exercise 2: Capturing and Restoring User State to a Target Computer

Task 1: Capture user state on the source computer

1. On LON-CL3, switch to the command prompt.
2. Verify that there is no content on the \\LON-DC1\Data share by running the following command:

Dir \\lon-dc1\data

3. Capture the state of LON-CL3 by running the following command:

F:\Scanstate \\LON-DC1\Data /i:migapp.xml /i:miguser.xml /i:folders.xml /config:config.xml /o /efs:copyraw

4. Wait until the ScanState process completes, and then verify that the state is captured on the network share by running the following command:

Dir \\lon-dc1\data /s

Task 2: Restore user state on the destination computer

1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. From the Start screen, type cmd, and then press Enter.
3. Click the File Explorer icon on the taskbar. Go to C:\Users, and then verify that there is no subfolder named Ed or Don.
4. In File Explorer, click Local disk (C:), and then verify that there is no ResearchApps folder on drive C.
5. At the command prompt, run the following command:

Net Use F: \\LON-DC1\USMT

6. At the command prompt, type F:, and then press Enter.
7. At the command prompt, type the following, and then press Enter:

Loadstate \\LON-DC1\Data /i:migapp.xml /i:miguser.xml /i:folders.xml

8. When the LoadState task completes, in File Explorer, in the C:\Users folder, verify that there are subfolders named Ed and Don.
9. Sign out of LON-CL1.

Task 3: Verify the user state migration

1. Sign in to LON-CL1 as Adatum\Don with password Pa$$w0rd.
2. From the Start screen, click the Desktop tile.
3. Notice the Computer and Don Funk folders on the desktop, in addition to a text document with your name.
4. On the taskbar, click the File Explorer icon.
5. In File Explorer, in the details pane, double-click Local Disk (C:), double-click ResearchApps, and then verify that all the files from LON-CL3 have migrated, including the file with your name.

Results: After completing this exercise, you should have captured and restored user states by using USMT.

Prepare for the next module

When you are finished with the lab, revert all virtual machines back to their initial state:

1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687D-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20687D-LON-CL1 and 20687D-LON-CL3.


Module 5: Managing Disks and Device Drivers

Lab A: Managing Disks

Exercise 1: Creating Volumes

Task 1: Create a simple volume by using Disk Management

1. Sign in to LON-CL2 as Adatum\Administrator with password Pa$$w0rd.
2. On the Start screen, type diskmgmt.msc, and then press Enter.
3. In the Initialize Disk dialog box, click OK.
4. Right-click the unallocated space on Disk 2, and then click New Simple Volume.
5. In the New Simple Volume Wizard, on the Welcome to the New Simple Volume Wizard page, click Next.
6. On the Specify Volume Size page, change the Simple volume size in MB value to 5103, and then click Next.
7. On the Assign Drive Letter or Path page, click Next.
8. On the Format Partition page, in the Volume label text box, type Simple1, and then click Next.
9. On the Completing the New Simple Volume Wizard page, click Finish.
10. In the Microsoft Windows dialog box, click Format disk, then in the Format Simple1 (F:) dialog box, click Start, and then click OK twice.
11. When the New Simple Volume Wizard is complete, close Disk Management and any open windows.

Task 2: Create a simple volume by using Windows PowerShell 4.0

1. Open the Start screen, type pow, right-click Windows PowerShell, and then select Run as administrator.
2. In the Administrator: Windows PowerShell window, type get-disk, and then press Enter.
3. In the Administrator: Windows PowerShell window, type Get-Disk -Number 3 | New-Partition -Size (5GB) | Format-Volume -Confirm:$false -FileSystem NTFS -NewFileSystemLabel Simple2, and then press Enter.
4. In the Administrator: Windows PowerShell window, type Get-Partition, and then press Enter. Make a note of the PartitionNumber of the volume you just created on Disk Number 3. You will use this information in the next step.
5. In the Administrator: Windows PowerShell window, type Set-Partition -DiskNumber 3 -PartitionNumber x -NewDriveLetter H (where x is the result of the previous step), and then press Enter.
6. In File Explorer, verify the visibility of the volume that you created, and then close File Explorer.
7. Minimize the Administrator: Windows PowerShell window.

Task 3: Resize a simple volume by using Disk Management

1. Open the Start screen, type diskmgmt.msc, and then press Enter.
2. Right-click Simple1 on Disk 2, and then click Extend Volume.
3. In the Extend Volume Wizard, on the Welcome to the Extend Volume Wizard page, click Next.
4. On the Select Disks page, select Disk 2, in the Select the amount of space in MB text box, type 500, and then click Next.
5. On the Completing the Extend Volume Wizard page, click Finish.
6. When the Extend Volume Wizard is complete, close Disk Management.

Task 4: Resize a simple volume by using Windows PowerShell version 4.0

1. Restore the Administrator: Windows PowerShell window.
2. At the Administrator: Windows PowerShell command prompt, type Get-Partition, and then press Enter.
3. Note the disk number, partition number, and size for drive H.
4. At the Administrator: Windows PowerShell command prompt, type Resize-Partition -DiskNumber 3 -PartitionNumber 1 -Size (5.5GB), and then press Enter.
5. At the Administrator: Windows PowerShell command prompt, type Get-Partition, and then press Enter.
6. Compare the size of the Simple2 volume with the size previously reported.
7. Minimize the Administrator: Windows PowerShell window.

Task 5: Create a spanned volume by using Disk Management

1. Open the Start screen, type diskmgmt.msc, and then press Enter.
2. Right-click the unallocated space on Disk 2, and then click New Spanned Volume.
3. In the New Spanned Volume Wizard, on the Welcome to the New Spanned Volume Wizard page, click Next.
4. On the Select Disks page, select Disk 3. Hold down the Shift key, select Disk 4, and then click Add.
5. On the Select Disks page, select Disk 2, and in the Select the amount of space in MB text box, type 2000.
6. On the Select Disks page, select Disk 3, and in the Select the amount of space in MB text box, type 1500.
7. On the Select Disks page, with Disk 4 selected, in the Select the amount of space in MB text box, type 4000, and then click Next.
8. On the Assign Drive Letter or Path page, click Next.
9. On the Format Volume page, in the Volume label text box, type SpannedVol.
10. Select the Perform a quick format check box, and then click Next.
11. On the Completing the New Spanned Volume Wizard page, click Finish.
12. Review the Disk Management warning, and then click Yes.

Task 6: Create a striped volume by using Disk Management

1. Right-click the unallocated space on Disk 2, and then click New Striped Volume.
2. In the New Striped Volume Wizard, on the Welcome to the New Striped Volume Wizard page, click Next.
3. On the Select Disks page, click Disk 3. Hold down the Shift key, click Disk 4, and then click Add.
4. On the Select Disks page, in the Select the amount of space in MB text box, type 2000, and then click Next.
5. On the Assign Drive Letter or Path page, click Next.
6. On the Format Volume page, in the Volume label text box, type StripedVol.
7. Select the Perform a quick format check box, and then click Next.
8. On the Completing the New Striped Volume Wizard page, click Finish.
9. Close Disk Management and any open windows.

Results: After completing this exercise, you should have created several volumes on a client computer.
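The Windows PowerShell work of Tasks 2 and 4 (create, format, letter, resize), wrapped in functions that add the checks an administrator wants before touching a disk. This is an added example, not code from the course; it uses only Storage-module cmdlets that ship with Windows 8.1 (Get-Disk, Initialize-Disk, New-Partition, Format-Volume, Get-PartitionSupportedSize, Resize-Partition, Get-Partition), and disk number 3, the Simple2 label and the 5 GB / 5.5 GB sizes are the lab's values. The function names are my own.

```powershell
# Added example (not from the course lab): partition creation and resizing with
# guard rails. New-Partition -DriveLetter / -AssignDriveLetter removes the lab's
# "note the PartitionNumber, then Set-Partition" step, and Get-PartitionSupportedSize
# is consulted before Resize-Partition so an impossible size fails before any I/O.

function New-LabVolume {
    param(
        [Parameter(Mandatory)] [int]    $DiskNumber,
        [Parameter(Mandatory)] [uint64] $Size,
        [Parameter(Mandatory)] [string] $Label,
        [string] $DriveLetter                          # optional, e.g. 'H'
    )
    $disk = Get-Disk -Number $DiskNumber
    # Never partition the disk Windows is running from, whatever number it has today.
    if ($disk.IsBoot -or $disk.IsSystem) { throw "Disk $DiskNumber is the boot/system disk" }
    if ($disk.PartitionStyle -eq 'RAW') { Initialize-Disk -Number $DiskNumber -PartitionStyle GPT }

    $part = if ($DriveLetter) {
        New-Partition -DiskNumber $DiskNumber -Size $Size -DriveLetter $DriveLetter
    } else {
        New-Partition -DiskNumber $DiskNumber -Size $Size -AssignDriveLetter
    }
    # Same Format-Volume call as the lab's step 3; the partition object carries the number and letter.
    $part | Format-Volume -FileSystem NTFS -NewFileSystemLabel $Label -Confirm:$false | Out-Null
    return $part
}

function Resize-LabPartition {
    param(
        [Parameter(Mandatory)] [int]    $DiskNumber,
        [Parameter(Mandatory)] [int]    $PartitionNumber,
        [Parameter(Mandatory)] [uint64] $NewSize
    )
    # Ask the storage stack what this partition can actually shrink or grow to.
    $limits = Get-PartitionSupportedSize -DiskNumber $DiskNumber -PartitionNumber $PartitionNumber
    if ($NewSize -lt $limits.SizeMin -or $NewSize -gt $limits.SizeMax) {
        throw ('Requested {0:N0} bytes is outside the supported range {1:N0}..{2:N0}' -f
               $NewSize, $limits.SizeMin, $limits.SizeMax)
    }
    Resize-Partition -DiskNumber $DiskNumber -PartitionNumber $PartitionNumber -Size $NewSize
    return Get-Partition -DiskNumber $DiskNumber -PartitionNumber $PartitionNumber
}

# Lab values: 5 GB Simple2 volume on disk 3 as H:, then grown to 5.5 GB.
$p = New-LabVolume -DiskNumber 3 -Size 5GB -Label 'Simple2' -DriveLetter 'H'
Resize-LabPartition -DiskNumber 3 -PartitionNumber $p.PartitionNumber -NewSize 5.5GB |
    Select-Object DiskNumber, PartitionNumber, DriveLetter, @{ n = 'SizeGB'; e = { $_.Size / 1GB } }
```

Run it from an elevated Windows PowerShell session, as in Task 2; the boot/system check is what keeps a mistyped disk number from becoming an outage.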

Exercise 2: Configuring Disk Quotas

Task 1: Create disk quotas on a volume

1. On LON-CL2, click the File Explorer icon on the taskbar.
2. Click This PC, right-click StripedVol (I:), and then click Properties.
3. In the StripedVol (I:) Properties dialog box, click the Quota tab.
4. On the Quota tab, select the Enable quota management check box, and then select the Deny disk space to users exceeding quota limit check box.
5. Click Limit disk space to, in the adjacent box, type 6, and then in the KB list, click MB.
6. In the Set warning level to box, type 4, and then in the KB list, click MB.
7. Select the Log event when a user exceeds their warning level check box, and then click OK.
8. In the Disk Quota dialog box, review the message, and then click OK.
9. Close all open windows.

Task 2: Create test files

1. Open the Start screen, type com, and in the Everywhere search screen, click Command Prompt.
2. At the command prompt, type I:, and then press Enter.
3. At the command prompt, type fsutil file createnew 2mb-file 2097152, and then press Enter.
4. At the command prompt, type fsutil file createnew 1kb-file 1024, and then press Enter.
5. Close the Command Prompt window.
6. Open the Start screen, click Administrator, and then click Sign out.

Task 3: Test the disk quota

1. Sign in to LON-CL2 as Adatum\Alan with password Pa$$w0rd.
2. Click the Desktop.
3. Click the File Explorer icon on the taskbar.
4. Click This PC, and then double-click StripedVol (I:).
5. On the toolbar, click Home, and then click New Folder.
6. Type Alans files, and then press Enter.
7. In File Explorer, in the details pane, copy the 2mb-file and the 1kb-file, and then paste both files in Alans files.
8. Double-click the Alans files folder.
9. In the Alans files folder, right-click 2mb-file, click Copy, and then press Ctrl+V.
10. Repeat step 9.
11. In the Copy Item dialog box, review the message, and then click Cancel.
12. Open the Start screen, click Alan Steiner, and then click Sign out.

Task 4: Review quota alerts and logging

1. Sign in to LON-CL2 as Adatum\Administrator with password Pa$$w0rd.
2. Click the Desktop tile.
3. Click the File Explorer icon on the taskbar.
4. Click This PC, right-click StripedVol (I:), and then click Properties.
5. In the StripedVol (I:) Properties dialog box, click the Quota tab, and then click Quota Entries.
6. In the Quota Entries for StripedVol (I:) dialog box, in the Name column, double-click Alan Steiner.
7. Review the entries in the Quota Settings for Alan Steiner dialog box, and then click OK.
8. Close the Quota Entries for StripedVol (I:) and StripedVol (I:) Properties dialog boxes.
9. Close File Explorer.
10. Open the Start screen, type eventvwr, and then press Enter.
11. Maximize the Event Viewer desktop app window.
12. In the Event Viewer (Local) list, expand Windows Logs, and then click System.
13. Right-click System, and then click Filter Current Log.
14. In the <All Event IDs> box, type 36, and then click OK.
15. Examine the listed entry.
16. Close all open windows.

Results: After completing this exercise, you should have created and tested a disk quota.
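The command-line counterpart of Task 1 (set the quota) and Task 4 (find the logged warning), as an added example rather than course code. fsutil quota is the built-in tool for per-user NTFS quotas and Get-WinEvent is the built-in cmdlet for reading the System log; volume I:, the 4 MB warning level, the 6 MB limit, Adatum\Alan and event ID 36 are all the lab's values. The function names are my own.

```powershell
# Added example (not from the course lab): per-user NTFS quota via fsutil, then the
# System-log query that matches the lab's Event Viewer filter on event ID 36.
# Run elevated; fsutil quota needs administrative rights on the volume.

function Set-NtfsUserQuota {
    param(
        [Parameter(Mandatory)] [string] $Volume,         # e.g. 'I:'
        [Parameter(Mandatory)] [string] $User,           # DOMAIN\user
        [Parameter(Mandatory)] [uint64] $WarningBytes,
        [Parameter(Mandatory)] [uint64] $LimitBytes
    )
    if ($WarningBytes -ge $LimitBytes) { throw 'Warning level must be below the hard limit' }

    # "enforce" turns quota management on AND denies space over the limit, i.e. both
    # check boxes from the Quota tab; "track" would only record usage without denying.
    & fsutil quota enforce $Volume | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "fsutil quota enforce failed with exit code $LASTEXITCODE" }

    # fsutil takes threshold and limit in bytes: 4MB and 6MB below are 4194304 and 6291456.
    & fsutil quota modify $Volume $WarningBytes $LimitBytes $User | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "fsutil quota modify failed with exit code $LASTEXITCODE" }

    return (& fsutil quota query $Volume)   # the same data the Quota Entries window shows
}

function Get-QuotaWarningEvents {
    param([int] $Days = 1)
    # Filtering with a hashtable lets the event log service select ID 36 itself instead
    # of streaming the whole System log to the client and filtering there.
    $filter = @{
        LogName   = 'System'
        Id        = 36
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # SilentlyContinue: "no events found" is a valid answer, not an error.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, ProviderName, Message
}

Set-NtfsUserQuota -Volume 'I:' -User 'Adatum\Alan' -WarningBytes 4MB -LimitBytes 6MB
Get-QuotaWarningEvents -Days 1
```

Task 3's copy attempts are what populate the query's result: the warning-level event appears after the second copy crosses 4 MB, while the third copy is refused outright by the 6 MB enforced limit.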

Exercise 3: Managing Virtual Hard Disks

Task 1: Create a virtual hard disk

1. If necessary, sign in to LON-CL2 as Adatum\Administrator with password Pa$$w0rd.
2. Open the Start screen, type diskmgmt.msc, and then press Enter.
3. In Disk Management, click the Action menu, and then click Create VHD.
4. In the Create and Attach Virtual Hard Disk dialog box, in the Location text box, type I:\DemoDisk.vhdx.
5. In the Virtual hard disk size section, type 100, and then select MB from the drop-down list.
6. Select the VHDX option in the Virtual hard disk format section.
7. Select the Dynamically expanding option in the Virtual hard disk type section, and then click OK.
8. Leave Disk Management open.
9. Select Command Prompt (Admin) from the Administrative menu by pressing the Windows logo key+X.
10. In the Administrator: Command Prompt window, type DiskPart, and then press Enter.
11. In the Administrator: Command Prompt window, type create vdisk file=I:\virtualdisk2.vhdx maximum=1048 type=expandable, and then press Enter.
12. Leave the Administrator: Command Prompt window open, and then proceed to the next task.

Task 2: Mount the virtual hard disk file, browse to the virtual hard disk file, and create files on the drive

1. If Disk Management is still open, skip to step 4.
2. If necessary, sign in to LON-CL2 as Adatum\Administrator with password Pa$$w0rd.
3. Open the Start screen, type diskmgmt.msc, and then press Enter.
4. In Disk Management, next to Disk 5, right-click the Disk, and then click Initialize Disk.
5. In the Initialize Disk dialog box, select Disk 5, select the Master Boot Record option, and then click OK.
6. Disk 5 is now online.
7. In Disk Management, right-click the unallocated space on Disk 5, and then click New Simple Volume.
8. In the New Simple Volume Wizard, on the Welcome to the New Simple Volume Wizard page, click Next.
9. On the Specify Volume Size page, change the Simple volume size in MB value to 97, and then click Next.
10. On the Assign Drive Letter or Path page, click Next.
11. On the Format Partition page, in the Volume label text box, type SimpleVHD1, and then click Next.
12. On the Completing the New Simple Volume Wizard page, click Finish.

Note: When the New Simple Volume Wizard is complete, the drive is ready to use.

13. Close Disk Management and the Microsoft Windows dialog box.
14. Open File Explorer, and then verify that the new drive named SimpleVHD1 has been created.
15. Select the new virtual drive, and then click New Folder on the File Explorer ribbon.
16. Name the new folder Test.
17. Create a new Notepad document named Test.txt, and then save it on the new drive.
18. Close File Explorer.
19. If the Administrator: Command Prompt window is still open, skip to step 22.
20. Open the Start screen, type com, in the Everywhere search screen, right-click Command Prompt, and then click Run as administrator.
21. In the Administrator: Command Prompt window, type DiskPart, and then press Enter.
22. In the Administrator: Command Prompt window, type select vdisk file=I:\virtualdisk2.vhdx, and then press Enter.
23. In the Administrator: Command Prompt window, type attach vdisk, and then press Enter.
24. In the Administrator: Command Prompt window, type List Disk, and then press Enter. Make a note of the Disk ### of the disk that has an asterisk (*) next to it and a size of 1,048 MB. You will use this information in the next step.
25. In the Administrator: Command Prompt window, type create partition primary, and then press Enter.
26. In the Administrator: Command Prompt window, type format fs=ntfs label=SimpleVHD2 quick, and then press Enter.
27. In the Administrator: Command Prompt window, type assign, and then press Enter.
28. Close the Administrator: Command Prompt window.
29. Open File Explorer, and then verify the visibility of the new virtual drive volume that you created.
30. Select the new virtual drive, and then click New Folder on the File Explorer ribbon.
31. Name the new folder Test.
32. Create a new Notepad document named Test.txt, and then save it on the new drive.
33. Close File Explorer.

Task 3: Remove a mounted virtual hard disk file

1. If necessary, sign in to LON-CL2 as Adatum\Administrator with password Pa$$w0rd.
2. Open the Start screen, type diskmgmt.msc, and then press Enter.
3. In Disk Management, right-click Disk 5, and then select Detach VHD.
4. Verify that the file name provided in the Detach Virtual Hard Disk dialog box is I:\DemoDisk.VHDX, and then click OK.
5. Verify that the virtual disk is no longer mounted.
6. Open File Explorer, and then navigate to drive I.
7. Verify that I:\DemoDisk.VHDX is still present.

Note: Removing a mounted virtual disk does not delete the underlying virtual hard disk.

8. Open the Start screen, type com, in the Everywhere search screen, right-click Command Prompt, and then click Run as administrator.
9. In the Administrator: Command Prompt window, type DiskPart, and then press Enter.
10. In the Administrator: Command Prompt window, type List vdisk, and then press Enter.
11. In the Administrator: Command Prompt window, type select vdisk file=I:\virtualdisk2.vhdx, and then press Enter.
12. In the Administrator: Command Prompt window, type detach vdisk, and then press Enter.
13. Open File Explorer, and then verify that the new virtual drive is no longer visible as a volume.
14. Open the Start screen, type diskmgmt.msc, and then press Enter.
15. In Disk Management, verify that Disk 6 is no longer visible.
16. Close the Disk Management window.
17. Close File Explorer.

Results: After completing this exercise, you should have created, mounted, and then deleted a virtual
hard disk file.
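The whole VHDX lifecycle of Exercise 3 (create, attach, partition, format, write, detach) scripted end to end, as an added example that is not course code. Creation goes through a DiskPart script file carrying the same create vdisk command the lab types interactively; attaching, locating the new disk, partitioning and detaching use the Storage-module cmdlets Mount-DiskImage, Get-DiskImage, Get-Disk, Initialize-Disk, New-Partition, Format-Volume and Dismount-DiskImage. The path I:\virtualdisk2.vhdx, the 1048 MB size, the MBR style and the SimpleVHD2 label are the lab's; the function names are mine.

```powershell
# Added example (not from the course lab): VHDX create / attach / format / detach.
# Run elevated: diskpart and the disk-image cmdlets require administrative rights.

function New-VhdxWithDiskPart {
    param([Parameter(Mandatory)] [string] $Path, [Parameter(Mandatory)] [int] $MaximumMB)
    if (Test-Path $Path) { throw "$Path already exists; refusing to overwrite a disk image" }
    $script = Join-Path $env:TEMP 'create-vdisk.txt'
    # One command per line, exactly what the lab types at the DISKPART> prompt.
    "create vdisk file=`"$Path`" maximum=$MaximumMB type=expandable" |
        Set-Content -Path $script -Encoding ASCII
    & diskpart /s $script | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "diskpart failed with exit code $LASTEXITCODE" }
    Remove-Item $script
    return Get-Item $Path
}

function Mount-AndFormatVhdx {
    param([Parameter(Mandatory)] [string] $Path, [Parameter(Mandatory)] [string] $Label)
    Mount-DiskImage -ImagePath $Path
    # Once attached, the image object reports the disk number Windows assigned, so there
    # is no need to read "Disk 5" or "Disk 6" off the Disk Management console.
    $number = (Get-DiskImage -ImagePath $Path).Number
    $disk = Get-Disk -Number $number
    if ($disk.PartitionStyle -eq 'RAW') { Initialize-Disk -Number $number -PartitionStyle MBR }
    $part = New-Partition -DiskNumber $number -UseMaximumSize -AssignDriveLetter
    $part | Format-Volume -FileSystem NTFS -NewFileSystemLabel $Label -Confirm:$false | Out-Null
    return "$($part.DriveLetter):"
}

function Dismount-Vhdx {
    param([Parameter(Mandatory)] [string] $Path)
    Dismount-DiskImage -ImagePath $Path
    # The lab's note: detaching never deletes the file. Verify both halves of that.
    $image = Get-DiskImage -ImagePath $Path
    return [pscustomobject]@{
        Path            = $Path
        Attached        = $image.Attached        # expected $false after detach
        FileStillExists = (Test-Path $Path)      # expected $true
    }
}

$vhd = 'I:\virtualdisk2.vhdx'
New-VhdxWithDiskPart -Path $vhd -MaximumMB 1048 | Out-Null
$drive = Mount-AndFormatVhdx -Path $vhd -Label 'SimpleVHD2'
New-Item -ItemType Directory -Path (Join-Path $drive 'Test') | Out-Null
Set-Content -Path (Join-Path $drive 'Test.txt') -Value 'created inside the VHDX'
Dismount-Vhdx -Path $vhd
```

The returned object from Dismount-Vhdx makes the Task 3 verification explicit: Attached should be false and FileStillExists true, which is the point the lab's note makes in words.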

Prepare for the next lab

When you have finished the lab, leave the virtual machines running, as they are needed for the next lab.

Lab B: Configuring Device Drivers

Exercise 1: Installing Device Drivers

Task 1: Install a device driver into the protected store

1. Sign in to LON-CL2 as Adatum\Administrator with password Pa$$w0rd.
2. Open the Start screen, type com, in the Everywhere search screen, right-click Command Prompt, and then click Run as administrator.
3. In the Administrator: Command Prompt window, type pnputil -a E:\Labfiles\Mod05\Intellipoint\ipoint\setup64\files\driver\point64\point64.inf, and then press Enter.
4. In the Administrator: Command Prompt window, type pnputil -e, and then press Enter. Take note of the published name for the driver you just installed into the store.
5. Close the Administrator: Command Prompt window.

Results: After completing this exercise, you should have installed a driver into the protected driver store.
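Step 4 asks you to read the published name off the pnputil -e listing by eye. This added example (not course code) parses that listing into objects so the oemNN.inf name can be found by provider or class, and so any package in the store without a signer name stands out. The sample text is constructed in the shape pnputil -e prints on Windows 8.1; the field labels used by the parser are taken from that shape, so compare them with the output on your own machine before relying on it. The function name is mine.

```powershell
# Added example (not from the course lab): parse "pnputil -e" output into objects.

function ConvertFrom-PnpUtilEnum {
    param([Parameter(Mandatory)] [string[]] $Lines)
    $records = @()
    $current = $null
    foreach ($line in $Lines) {
        # Each package starts with "Published name :" and is followed by "Label : value" lines.
        if ($line -match '^\s*Published name\s*:\s*(\S+)') {
            if ($current) { $records += [pscustomobject]$current }
            $current = [ordered]@{
                PublishedName = $Matches[1]; Provider = ''; Class = ''; DateVersion = ''; Signer = ''
            }
        }
        elseif ($current -and $line -match '^\s*([^:]+?)\s*:\s*(.*)$') {
            $label = $Matches[1]
            $value = $Matches[2].Trim()
            switch ($label) {
                'Driver package provider' { $current.Provider    = $value }
                'Class'                   { $current.Class       = $value }
                'Driver date and version' { $current.DateVersion = $value }
                'Signer name'             { $current.Signer      = $value }
            }
        }
    }
    if ($current) { $records += [pscustomobject]$current }
    return $records
}

# Constructed sample standing in for:  & pnputil -e
$sample = @'
Microsoft PnP Utility

Published name :            oem1.inf
Driver package provider :   Microsoft
Class :                     Mice and other pointing devices
Driver date and version :   05/24/2012 8.20.468.0
Signer name :               Microsoft Windows Hardware Compatibility Publisher

Published name :            oem2.inf
Driver package provider :   Contoso
Class :                     Printers
Driver date and version :   01/15/2013 1.0.0.1
Signer name :

'@ -split "`r?`n"

$packages = ConvertFrom-PnpUtilEnum -Lines $sample

# The published name the lab asks you to note, found by provider instead of by eye.
$packages | Where-Object Provider -eq 'Microsoft' | Select-Object PublishedName, Class

# Store entries that carry no signer name deserve a closer look before they stay.
$packages | Where-Object { -not $_.Signer } | Select-Object PublishedName, Provider
```

On a real machine replace the constructed $sample with `$sample = & pnputil -e`; the published name is also what later pnputil operations on that package are keyed by, so capturing it as a property rather than a screen note is the durable choice.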

Exercise 2: Managing Device Drivers

Task 1: Install a device driver

1. If necessary, sign in to LON-CL2 as Adatum\Administrator with password Pa$$w0rd.
2. Select Device Manager from the Administrative menu by pressing the Windows logo key+X.
3. In Device Manager, expand Keyboards, right-click Standard PS/2 Keyboard, and then click Update Driver Software.
4. In the Update Driver Software - Standard PS/2 Keyboard dialog box, click Browse my computer for driver software.
5. On the Browse for driver software on your computer page, click Let me pick from a list of device drivers on my computer.
6. In the Show compatible hardware list, click PC/AT Enhanced PS/2 Keyboard (101/102 Key), click Next, and then click Close.
7. In the System Settings Change dialog box, click Yes to restart the computer.

Task 2: Roll back a device driver

1. Sign in to LON-CL2 as Adatum\Administrator with password Pa$$w0rd.
2. Select Device Manager from the Administrative menu by pressing the Windows logo key+X.
3. In Device Manager, expand Keyboards, right-click PC/AT Enhanced PS/2 Keyboard (101/102 Key), and then click Properties.
4. In the PC/AT Enhanced PS/2 Keyboard (101/102 Key) Properties dialog box, click the Driver tab, and then click Roll Back Driver.
5. In the Driver Package rollback dialog box, click Yes, and then click Close.
6. When prompted to restart the computer, click Yes.
7. Sign in to LON-CL2 as Adatum\Administrator with password Pa$$w0rd.
8. Select Device Manager from the Administrative menu by pressing the Windows logo key+X.
9. In Device Manager, expand Keyboards, right-click Standard PS/2 Keyboard, and then click Properties.
10. In the Standard PS/2 Keyboard Properties dialog box, click the Driver tab, and then verify that the driver has been rolled back to the Standard PS/2 Keyboard version.
11. Close Device Manager.

Results: After completing this exercise, you should have installed and rolled back a device driver.

Prepare for the next module

When you have finished the lab, revert all virtual machines back to their initial state:

1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687D-LON-CL2, and then click Revert.
3. In the Revert Virtual Machines dialog box, click Revert.
4. Repeat steps 2 and 3 for 20687D-LON-DC1.


Module 6: Configuring Network Connectivity

Lab A: Configuring a Network Connection

Exercise 1: Enabling Automatic IPv4 Configuration

Task 1: Verify the current IPv4 configuration

1. Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.
2. On the Start screen, click the down arrow in the bottom left of the screen to display Apps by name, scroll to the far left, and then click Command Prompt.
3. At the command prompt, type ipconfig /all, and then press Enter:

o What is the current Internet Protocol version 4 (IPv4) address?

Answer: 172.16.0.50

o What is the subnet mask?

Answer: 255.255.0.0

o To which IPv4 network does this host belong?

Answer: 172.16.0.0/16

o Is Dynamic Host Configuration Protocol (DHCP) enabled?

Answer: No

Task 2: Configure the computer to obtain an IPv4 address automatically

1. Right-click the Start charm, and then click Network Connections.
2. In the Network Connections window, right-click Ethernet, and then click Properties.
3. In the Ethernet Properties window, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
4. Click Obtain an IP address automatically, click Obtain DNS server address automatically, click OK, and then click Close to close the Ethernet Properties window.

Task 3: Verify the new IPv4 configuration

1. In the Network Connections window, right-click Ethernet, click Status, and then click Details.

o What is the current IPv4 address?

Answer: Answers will vary, but will be in the range of 172.16.0.x.

o What is the subnet mask?

Answer: 255.255.0.0

o To which IPv4 network does this host belong?

Answer: 172.16.0.0/16

o Is DHCP enabled?

Answer: Yes

o When does the DHCP lease expire?

Answer: Eight days from now.

2. Click the Close button.

Results: After completing this exercise, you should have configured LON-CL1 to obtain an IPv4
configuration automatically from a DHCP server.

Exercise 2: Configuring IPv4 Manually

Task 1: Deactivate the DHCP scope

1. On LON-DC1, sign in as Adatum\Administrator with the password Pa$$w0rd.
2. In Server Manager, click Tools, and then click DHCP.
3. Expand lon-dc1.adatum.com, expand IPv4, and then click Scope [172.16.0.0] Adatum.
4. Right-click Scope [172.16.0.0] Adatum, and then click Deactivate.
5. Click Yes to confirm deactivation of the scope.
6. Close the DHCP window.

Task 2: Obtain a new IPv4 address

1. On LON-CL1, switch to the Command Prompt window.

Note: This process can take several minutes to complete.

2. At the command prompt, type ipconfig /release, and then press Enter.
3. At the command prompt, type ipconfig /renew, and then press Enter. The command will fail.
4. At the command prompt, type ipconfig /all, and then press Enter:

o What is the current IPv4 address?

Answer: Answers will vary, but the address will be in the range of 169.254.x.x.

o What is the subnet mask?

Answer: 255.255.0.0

o To which IPv4 network does this host belong?

Answer: 169.254.0.0

o What kind of address is this?

Answer: An Automatic Private IP Addressing (APIPA) address

Task 3: Configure an alternate IPv4 address

1. In the Ethernet Status window, click Properties.
2. In the Ethernet Properties window, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
3. Click the Alternate Configuration tab, click User configured, and then enter the following:

o IP address: 172.16.16.10
o Subnet mask: 255.255.0.0
o Preferred DNS server: 172.16.0.10

4. Clear the Validate settings, if changed, upon exit check box, and then click OK to save the settings.
5. In the Ethernet Properties window, click Close.
6. At the command prompt, type ipconfig /release, and then press Enter.
7. At the command prompt, type ipconfig /renew, and then press Enter.
8. At the command prompt, type ipconfig /all, and then press Enter:

o What is the current IPv4 address?

Answer: 172.16.16.10

o What is the subnet mask?

Answer: 255.255.0.0

o To which IPv4 network does this host belong?

Answer: 172.16.0.0/16

o What kind of address is this?

Answer: An alternate configuration address

9. Close the Command Prompt window.

Task 4: Configure a static IPv4 address

1. In the Ethernet Status window, click Properties.
2. In the Ethernet Properties window, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
3. Click Use the following IP address, type the following, and then click OK:

o IP address: 172.16.16.10
o Subnet mask: 255.255.0.0
o Preferred DNS server: 172.16.0.10

4. In the Ethernet Properties window, click Close.
5. Close all open windows.

Results: After completing this exercise, you should have tested various scenarios for dynamic IP address
assignment and then configured a static IP address.
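The arithmetic behind the lab's repeated "to which IPv4 network does this host belong" and "what kind of address is this" questions, as functions that can be run against any ipconfig values. This is an added example, not course code; the three cases walked through are the ones Exercises 1 and 2 produce (172.16.0.50 static, a 169.254.x.x APIPA address after the scope is deactivated, 172.16.16.10 alternate/static), the domain controller 172.16.0.10 is the lab's, and 169.254.7.42 is a constructed stand-in for the "answers will vary" APIPA value. The function names are mine; it generalizes the page's examples to any address and mask.

```powershell
# Added example (not from the course lab): network ID, prefix length, address kind and
# same-subnet test for IPv4, using only the .NET System.Net.IPAddress type.

function Get-IPv4NetworkId {
    param(
        [Parameter(Mandatory)] [ipaddress] $Address,
        [Parameter(Mandatory)] [ipaddress] $Mask
    )
    $a = $Address.GetAddressBytes()
    $m = $Mask.GetAddressBytes()
    # Network ID = address AND mask, one octet at a time.
    $net = [byte[]](0..3 | ForEach-Object { $a[$_] -band $m[$_] })
    # Prefix length = number of 1 bits in the mask (255.255.0.0 -> 16, 255.255.255.255 -> 32).
    $bits = ($m | ForEach-Object { [convert]::ToString([int]$_, 2).PadLeft(8, '0') }) -join ''
    $prefix = $bits.Replace('0', '').Length
    $netAddr = New-Object System.Net.IPAddress -ArgumentList (,$net)
    return '{0}/{1}' -f $netAddr.IPAddressToString, $prefix
}

function Get-IPv4AddressKind {
    param([Parameter(Mandatory)] [ipaddress] $Address, [bool] $DhcpEnabled)
    $b = $Address.GetAddressBytes()
    # 169.254.0.0/16 is the APIPA range: Windows self-assigns it when DHCP is enabled
    # but no server answers, which is the state Exercise 2, Task 2 deliberately creates.
    if ($b[0] -eq 169 -and $b[1] -eq 254) { return 'APIPA (no DHCP server reachable)' }
    if ($DhcpEnabled) { return 'DHCP-assigned' }
    return 'Static or alternate configuration'
}

function Test-SameIPv4Network {
    param([ipaddress] $Address, [ipaddress] $Mask, [ipaddress] $Peer)
    # Direct (non-routed) delivery is only possible when both sides share the network ID.
    return (Get-IPv4NetworkId $Address $Mask) -eq (Get-IPv4NetworkId $Peer $Mask)
}

# Walk the lab's states against the domain controller at 172.16.0.10.
$dc = [ipaddress]'172.16.0.10'
foreach ($case in @(
    @{ Ip = '172.16.0.50';  Mask = '255.255.0.0'; Dhcp = $false },   # Exercise 1, Task 1
    @{ Ip = '169.254.7.42'; Mask = '255.255.0.0'; Dhcp = $true  },   # Exercise 2, Task 2 (constructed APIPA value)
    @{ Ip = '172.16.16.10'; Mask = '255.255.0.0'; Dhcp = $false }    # Exercise 2, Tasks 3 and 4
)) {
    [pscustomobject]@{
        Address   = $case.Ip
        Network   = Get-IPv4NetworkId -Address $case.Ip -Mask $case.Mask
        Kind      = Get-IPv4AddressKind -Address $case.Ip -DhcpEnabled $case.Dhcp
        ReachesDC = Test-SameIPv4Network -Address $case.Ip -Mask $case.Mask -Peer $dc
    }
}
```

The first and third cases yield 172.16.0.0/16 and ReachesDC true, matching the answer key; the APIPA case yields 169.254.0.0/16 and ReachesDC false, which is why the renew in Task 2 leaves the client unable to reach the domain.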

Prepare for the next lab

When you have finished the lab, leave the virtual machines running, as you will need them for the next lab.

Lab B: Resolving Network Connectivity Issues

Exercise 1: Creating a Simulated Network Connectivity Problem

Task 1: Verify connectivity to LON-DC1

1. On LON-CL1, on the taskbar, click File Explorer.
2. In the navigation pane, right-click This PC, and then click Map network drive.
3. In the Drive box, select P:.
4. In the Folder box, type \\LON-DC1\Data, and then click Finish.
5. Close the Data window.

Task 2: Simulate the problem

1. On LON-CL1, point to the lower-right corner of the desktop, and then click Settings.
2. In the list, click Control Panel.
3. In Control Panel, click Network and Internet.
4. In Network and Internet, click View network status and tasks.
5. In Network and Sharing Center, to the right of the Adatum.com Domain network, click Ethernet.
6. In the Ethernet Status window, click Properties.
7. Clear the Internet Protocol Version 6 (TCP/IPv6) check box, and then click OK.
8. In the Ethernet Status window, click Close, and then close Network and Sharing Center.
9. In File Explorer, click This PC, and then double-click Allfiles (E:).
10. Double-click Labfiles, double-click Mod06, and then double-click mod6-script.bat.

Task 3: Test connectivity to LON-DC1

1. In File Explorer, in the navigation pane, click This PC.
2. Double-click Data (\\LON-DC1) (P:).
3. Click OK to clear the error message.
4. Are you able to access mapped drive P?

Answer: No

Task 4: Gather information about the problem

1. On LON-CL1, click the Start charm.
2. On the Start screen, type CMD, and then click Command Prompt.
3. At the command prompt, type ping lon-dc1, and then press Enter.
4. At the command prompt, type ping 172.16.0.10, and then press Enter.
5. At the command prompt, type ipconfig /all, and then press Enter.
6. What IP address is the computer using?

Answer: 172.16.16.50

7. What subnet mask is the computer using?

Answer: 255.255.255.255

8. What network should the computer be on?


Answer: 172.16.0.0/16

MCT USE ONLY. STUDENT USE PROHIBITED

Configuring Windows 8.1

L6-45

Results: After completing this exercise, you should have created a connectivity problem between LONCL1 and LON-DC1.

Exercise 2: Resolving a Network Connectivity Problem


Task 1: Resolve the first problem
1.

Right-click the Start charm, and then click Network Connections.

2.

Right-click Ethernet, and then click Properties.

3.

Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

4.

In the Subnet mask box, type 255.255.0.0, and then click OK.

5.

In the Ethernet Properties window, click Close.

Task 2: Test the resolution


1.

In the This PC window, double-click Data(\\lon-dc1)(P:).

2.

Are you able to access mapped drive P?


Answer: Yes.

3.

At the command prompt, type ping lon-dc1, and then press Enter.

4.

At the command prompt, type ping 172.16.0.10, and then press Enter.

5.

At the command prompt, type ipconfig /all, and then press Enter.

6.

What Domain Name System (DNS) servers is the computer using?


Answer: 172.16.16.10 and 172.16.0.10

Task 3: Resolve the DNS problem


1.

Point to the lower-right corner of the display, and then click Settings.

2.

In the list, click Control Panel.

3.

In Control Panel, click Network and Internet.

4.

In Network and Internet, click View network status and tasks.

5.

In Network and Sharing Center, to the right of the Adatum.com Domain network, click Ethernet.

6.

In the Ethernet Status window, click Properties.

7.

In the Ethernet Properties window, click Internet Protocol Version 4 (TCP/IPv4), and then click
Properties.

8.

In the Preferred DNS server box, type 172.16.0.10.

9.

Delete the Alternate DNS Server setting IPv4 address, and then click OK.

10. In the Ethernet Properties window, click Close.


11. In the Ethernet Status window, click Close.

MCT USE ONLY. STUDENT USE PROHIBITED

L6-46 Configuring Network Connectivity

Results: After completing this exercise, you should have resolved the connectivity problem between LONCL1 and LON-DC1.
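The "which network" questions in Lab A and the broken-mask diagnosis in Lab B are the same calculation (network address = address AND mask), and the Exercise 2 fix is two NetTCPIP cmdlets. The following Windows PowerShell is an added example, not part of the course lab files; it assumes the adapter alias Ethernet, and the repair function is meant to be run only on LON-CL1.

```powershell
# Added example (not from the 20687D lab files): IPv4 subnet arithmetic behind the
# Lab A questions and the Lab B diagnosis, plus the NetTCPIP equivalent of the
# Exercise 2 repair. Windows PowerShell 3.0 or later (Windows 8.1 ships 4.0).

function Get-IPv4Network {
    # Returns the network an address/mask pair belongs to: address AND mask, octet
    # by octet, with the prefix length derived from the number of 1 bits in the mask.
    param(
        [Parameter(Mandatory)][string]$IPAddress,
        [Parameter(Mandatory)][string]$SubnetMask
    )
    $ipBytes   = [System.Net.IPAddress]::Parse($IPAddress).GetAddressBytes()
    $maskBytes = [System.Net.IPAddress]::Parse($SubnetMask).GetAddressBytes()

    $netBytes = for ($i = 0; $i -lt 4; $i++) { $ipBytes[$i] -band $maskBytes[$i] }

    $prefix = 0
    foreach ($b in $maskBytes) {
        $bits = [Convert]::ToString([int]$b, 2).ToCharArray()
        $prefix += @($bits | Where-Object { $_ -eq '1' }).Count
    }

    [pscustomobject]@{
        Address      = $IPAddress
        SubnetMask   = $SubnetMask
        Network      = ($netBytes -join '.')
        PrefixLength = $prefix
        Cidr         = '{0}/{1}' -f ($netBytes -join '.'), $prefix
    }
}

function Test-SameIPv4Subnet {
    # True when the remote host is inside the local host's subnet, so the local
    # stack delivers to it directly. With a 255.255.255.255 mask the "subnet" holds
    # only the local address: every other host, LON-DC1 included, is off-link, and
    # so is the default gateway, so nothing can be routed anywhere.
    param(
        [Parameter(Mandatory)][string]$LocalAddress,
        [Parameter(Mandatory)][string]$SubnetMask,
        [Parameter(Mandatory)][string]$RemoteAddress
    )
    $local  = Get-IPv4Network -IPAddress $LocalAddress  -SubnetMask $SubnetMask
    $remote = Get-IPv4Network -IPAddress $RemoteAddress -SubnetMask $SubnetMask
    return ($local.Network -eq $remote.Network)
}

function Repair-LabIPv4Config {
    # Exercise 2, Tasks 1 and 3 as cmdlets: widen the mask back to /16 and keep
    # only the domain controller as DNS server. Run on LON-CL1 as Administrator.
    param(
        [string]$InterfaceAlias = 'Ethernet',     # assumed adapter name
        [string]$IPAddress      = '172.16.16.50', # address the lab script left behind
        [byte]$PrefixLength     = 16,             # 255.255.0.0
        [string]$DnsServer      = '172.16.0.10'   # LON-DC1
    )
    Set-NetIPAddress -InterfaceAlias $InterfaceAlias -IPAddress $IPAddress -PrefixLength $PrefixLength
    Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $DnsServer
    # Read back what the stack now believes (the ipconfig /all check in Task 2).
    Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 |
        Select-Object IPAddress, PrefixLength
    Get-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 |
        Select-Object ServerAddresses
}

# Lab A: 172.16.16.10 with 255.255.0.0 lies in 172.16.0.0/16.
Get-IPv4Network -IPAddress 172.16.16.10 -SubnetMask 255.255.0.0

# Lab B: the host with the /32 mask the lab script applied, compared with the
# 255.255.0.0 mask it should have, both measured against LON-DC1 (172.16.0.10).
Get-IPv4Network -IPAddress 172.16.16.50 -SubnetMask 255.255.255.255
Test-SameIPv4Subnet -LocalAddress 172.16.16.50 -SubnetMask 255.255.255.255 -RemoteAddress 172.16.0.10
Test-SameIPv4Subnet -LocalAddress 172.16.16.50 -SubnetMask 255.255.0.0       -RemoteAddress 172.16.0.10
```

Call Repair-LabIPv4Config only on LON-CL1; the two Get-IPv4Network and Test-SameIPv4Subnet calls are pure arithmetic and run anywhere.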

Prepare for the next module

When you have finished the lab, revert the virtual machines to their initial state.

1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687D-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20687D-LON-DC1.

Module 7: Configuring File Access and Printers on Windows 8.1 Clients

Lab A: Configuring File Access

Exercise 1: Creating a Shared Folder for the Marketing Group

Task 1: Create a Marketing folder

1. Sign in to LON-CL1 as Adatum\Administrator.
2. Click the Desktop tile, and then click the File Explorer icon on the taskbar.
3. Navigate to E:\Labfiles\Mod09.
4. In the Mod09 window, right-click, point to New, and then click Folder.
5. Name the folder Marketing.

Task 2: Share the Marketing folder for Everyone

1. Click the Marketing folder.
2. On the menu bar, click Share, and then click Specific people.
3. In the File Sharing Wizard, click the drop-down list, select Everyone, and then click Add.
4. Verify that the Permission Level for Everyone is Read, and then click Share.
5. In the File Sharing Wizard, click Done.

Task 3: Configure file permissions for the Marketing folder

1. Right-click the Marketing folder, and then click Properties.
2. In the Marketing Properties dialog box, click the Security tab, and then click Advanced.
3. In the Advanced Security Settings for Marketing dialog box, click Add.
4. In the Permission Entry for Marketing dialog box, click the Select a principal link.
5. In the Enter the object name to select field, type Marketing, and then click OK.
6. In the Basic permissions section, select the Modify check box.
7. In the Permission Entry for Marketing dialog box, click OK.
8. In the Advanced Security Settings for Marketing dialog box, click OK.
9. In the Marketing Properties dialog box, click OK.
10. Close all open windows.

Task 4: Attempt to access the Marketing folder as Ed

1. On LON-CL2, sign in as Adatum\Ed with the password Pa$$w0rd.
2. Click the Desktop tile, and then on the taskbar, click File Explorer.
3. In the Address bar, type \\LON-CL1\Marketing, and then press Enter.
4. In the Marketing window, right-click, point to New, and then click Text Document.
5. In the Destination Folder Access Denied window, click Cancel.
6. Close the Marketing window.
7. Open the Start screen, click Ed Meadows, and then click Sign out.

Task 5: Sign in to LON-CL2 as Adam

Sign in to LON-CL2 as Adatum\Adam with the password Pa$$w0rd.

Task 6: Attempt to access the Marketing folder as Adam

1. On the Start screen, click the Desktop tile, and then on the taskbar, click File Explorer.
2. In the Address bar, type \\LON-CL1\Marketing, and then press Enter.
3. In the Marketing window, right-click, point to New, and then click Text Document.
4. Name the file your name.
5. Close all windows, and then sign out.

Results: After completing this exercise, you should have created and shared a folder for the Marketing department.

Exercise 2: Configuring File and Folder Compression

Task 1: Compress a folder

1. Switch to LON-CL1.
2. In File Explorer, navigate to E:\Labfiles\Mod09.
3. Right-click the Windows8Docs folder, and then select Properties.
4. Note the Size and Size on disk attributes.
5. On the General tab, click Advanced.
6. Select the Compress contents to save disk space check box.
7. In the Advanced Attributes dialog box, click OK.
8. In the Windows8Docs Properties dialog box, click Apply.
9. In the Confirm Attribute Changes dialog box, ensure that the Apply changes to this folder, subfolders and files option is selected, and then click OK.
10. Note the change in the Size on disk attribute.
11. Click OK to close the Windows8Docs Properties dialog box.
12. Note that the Windows8Docs folder has changed color.
13. Double-click the Windows8Docs folder.
14. Note that all the files are now blue.
15. Close all open windows.

Results: After completing this exercise, you will have compressed a folder.

Prepare for the next lab

When you finish the lab, leave the virtual machines running, as they are needed for the next lab.

Lab B: Configuring Printers

Exercise 1: Creating and Sharing a Local Printer

Task 1: Add and share a local printer

1. Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.
2. On the Start screen, type control, and then click Control Panel in the Apps search results.
3. In Control Panel, click the View devices and printers link.
4. In Devices and Printers, click the Add a printer link.
5. In the Add Printer Wizard, click The printer that I want isn't listed.
6. On the Find a printer by other options page, select the Add a local printer or network printer with manual settings option, and then click Next.
7. On the Choose a printer port page, select the drop-down list for Use an existing port, select nul: (Local Port), and then click Next.
8. On the Install the printer driver page, in the Manufacturer list, select Microsoft.
9. In the Printers list, select Microsoft OpenXPS Class Driver, and then click Next.
10. On the Type a printer name page, in the Printer name field, type ManagersPrinter, and then click Next.
11. Review the Printer Sharing page, and then click Next.
12. Review the You've successfully added ManagersPrinter page, and then click Finish.

Task 2: Configure printer security

1. Open the Start screen.
2. Type Printmanagement.msc, and then press Enter.
3. In the navigation pane, click All Printers.
4. Right-click ManagersPrinter, and then select Properties.
5. In the ManagersPrinter Properties dialog box, click the Security tab.
6. Select Everyone, and then click Remove.
7. Click Add, in the Enter the object names to select field, type Managers, and then click OK.
8. In the ManagersPrinter Properties dialog box, click OK.
9. Right-click ManagersPrinter, and then select Pause Printing.
10. Leave the Print Management console open.

Task 3: Sign in to LON-CL2 as Ed

Sign in to LON-CL2 as Adatum\Ed with the password Pa$$w0rd.

Task 4: Connect to a network printer

1. On the Start screen, type control, and then click Control Panel in the Apps search results.
2. In Control Panel, click the View devices and printers link.
3. In Devices and Printers, click the Add a printer link.
4. In the Add Printer Wizard, click The printer that I want isn't listed.
5. On the Find a printer by other options page, select the Select a shared printer by name option, and then click Browse.
6. In the Printer field, type \\LON-CL1, and then press Enter.
7. Double-click ManagersPrinter.
8. On the Find a printer by other options page, click Next.
9. Review the You've successfully added ManagersPrinter on LON-CL1 page, and then click Next.
10. On the You've successfully added ManagersPrinter on LON-CL1 page, click Print a test page.
11. Review the ManagersPrinter on LON-CL1 dialog box, and then click Close.
12. On the You've successfully added ManagersPrinter on LON-CL1 page, click Finish.
13. Close Devices and Printers.
14. On LON-CL1, in the Print Management app, verify that the Jobs In Queue column displays 1 for ManagersPrinter.
15. Right-click ManagersPrinter, and then select Resume Printing.
16. Close all open windows.

Results: After completing this exercise, you should have created, shared, and tested a printer.

Prepare for the next module

When you have finished the lab, revert all virtual machines back to their initial state:

1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687D-LON-CL2, and then click Revert.
3. In the Revert Virtual Machines dialog box, click Revert.
4. Repeat steps 2 and 3 for 20687D-LON-CL1 and 20687D-LON-DC1.

Module 8: Implementing Network Security

Lab A: Configuring Inbound and Outbound Firewall Rules

Exercise 1: Creating an Inbound Windows Firewall Rule

Task 1: Test Remote Desktop connectivity

1. Sign in to LON-CL2 as Adatum\Administrator with the password Pa$$w0rd.
2. On the Start screen, type Remote, and then click Remote Desktop Connection.
3. In the Computer field, type LON-CL1, and then press Enter.
4. Sign in to LON-CL1 as Adatum\Administrator with the course password.
5. Open the Start screen on LON-CL1, click Administrator, and then click Sign out.

Task 2: Configure an inbound firewall rule

1. Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.
2. On the Start screen, click the Desktop tile.
3. Open the Settings charm, and then click Control Panel.
4. Click System and Security, and then click Windows Firewall.
5. In the left pane, click Advanced settings, right-click Inbound Rules, and then click New Rule.
6. In the New Inbound Rule Wizard window, select Predefined, click the drop-down list, click Remote Desktop, and then click Next.
7. On the Predefined Rules page, select all available rules, and then click Next.
8. On the Action page, select Block the connection, and then click Finish.
9. Minimize the Windows Firewall with Advanced Security window.

Task 3: Test the inbound firewall rule

1. Switch to LON-CL2.
2. From the Start screen, type Remote, and then click Remote Desktop Connection.
3. In the Computer field, type LON-CL1, and then press Enter.
4. In the Remote Desktop Connection window, click OK.
5. Verify that the connection attempt fails.

Results: After completing this exercise, you should have created an inbound Windows Firewall rule.

Exercise 2: Create an Outbound Firewall Rule

Task 1: Test Remote Desktop connectivity

1. Switch to LON-CL1.
2. On the Start screen, type Remote, and then click Remote Desktop Connection.
3. In the Computer field, type LON-DC1, and then press Enter.
4. Sign in to LON-DC1 as Adatum\Administrator with the password Pa$$w0rd.
5. Open the Start screen on LON-DC1, click Administrator, and then click Sign out.

Task 2: Configure an outbound rule

1. On LON-CL1, on the taskbar, click the Windows Firewall with Advanced Security window, and then click Outbound Rules.
2. In the Actions pane, click New Rule.
3. On the Rule Type page, verify that you are creating a Program rule, and then click Next.
4. On the Program page, browse to and select C:\Windows\System32\mstsc.exe, click Open, and then click Next.
5. On the Action page, verify that the action is Block the connection, and then click Next.
6. On the Profile page, verify that all profiles are selected, and then click Next.
7. On the Name page, type Block Outbound RDP to LON-DC1 in the Name field, and then click Finish.
8. In the Windows Firewall with Advanced Security window, click the Block Outbound RDP to LON-DC1 rule, and then in the Actions pane, click Properties.
9. Click the Scope tab, and then under the Remote IP address heading, select the These IP addresses option.
10. Under the Remote IP address heading, click Add, in the This IP address or subnet field, type 172.16.0.10, and then click OK.
11. In the Block Outbound RDP to LON-DC1 Properties dialog box, click OK.

Task 3: Test the outbound rule

1. From the Start screen, type Remote, and then click Remote Desktop Connection.
2. In the Computer field, type LON-DC1, and then press Enter.
3. In the Remote Desktop Connection dialog box, click OK.
4. Close all open windows.

Results: After completing this exercise, you should have configured and tested an outbound firewall rule.
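The same two rules built with the NetSecurity cmdlets instead of the wizard, together with an audit of the filters they create and a scripted form of the Exercise 1 probe. This is an added example rather than course lab material; it assumes the NetSecurity and NetTCPIP modules of Windows 8.1 and uses the lab's program path and LON-DC1 address.

```powershell
# Added example (not from the 20687D lab files): the two Lab A rules built with the
# NetSecurity cmdlets, an audit of the resulting filters, and a scripted version of
# the Exercise 1 Task 3 test. Run in an elevated Windows PowerShell session on Windows 8.1.

function New-LabFirewallRules {
    param(
        [string]$RdpClient   = 'C:\Windows\System32\mstsc.exe', # program from Exercise 2
        [string]$BlockedPeer = '172.16.0.10'                     # LON-DC1, the Exercise 2 scope
    )
    # Exercise 1 equivalent. The lab copies the predefined "Remote Desktop" group
    # as Block rules; a port rule on the RDP listener has the same effect, because
    # an explicit Block rule overrides the built-in Allow rules for that traffic.
    New-NetFirewallRule -DisplayName 'Block inbound Remote Desktop (TCP 3389)' `
        -Direction Inbound -Protocol TCP -LocalPort 3389 -Action Block -Profile Any

    # Exercise 2: block mstsc.exe, but only towards LON-DC1. Scoping by remote
    # address keeps RDP to every other host working.
    New-NetFirewallRule -DisplayName 'Block Outbound RDP to LON-DC1' `
        -Direction Outbound -Program $RdpClient -RemoteAddress $BlockedPeer `
        -Action Block -Profile Any
}

function Get-LabFirewallRuleReport {
    # Resolve each rule to its effective filters so the scope can be audited: an
    # outbound rule whose RemoteAddress reads "Any" would block RDP everywhere.
    param([string[]]$DisplayName = @('Block inbound Remote Desktop (TCP 3389)', 'Block Outbound RDP to LON-DC1'))
    foreach ($name in $DisplayName) {
        $rule = Get-NetFirewallRule -DisplayName $name -ErrorAction Stop
        [pscustomobject]@{
            DisplayName   = $rule.DisplayName
            Direction     = $rule.Direction
            Action        = $rule.Action
            Enabled       = $rule.Enabled
            Program       = ($rule | Get-NetFirewallApplicationFilter).Program
            LocalPort     = ($rule | Get-NetFirewallPortFilter).LocalPort
            RemoteAddress = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
        }
    }
}

function Test-RdpListener {
    # Exercise 1, Task 3 as a check: run on LON-CL2 against LON-CL1; the TCP probe
    # fails once the inbound Block rule is active. This probe does NOT exercise the
    # Exercise 2 rule: that rule matches mstsc.exe only, so a PowerShell socket from
    # LON-CL1 to LON-DC1:3389 still connects. Test that rule with mstsc, as the lab does.
    param([Parameter(Mandatory)][string]$ComputerName)
    $probe = Test-NetConnection -ComputerName $ComputerName -Port 3389 -WarningAction SilentlyContinue
    [pscustomobject]@{
        Target          = $ComputerName
        RdpTcpSucceeded = $probe.TcpTestSucceeded
        PingSucceeded   = $probe.PingSucceeded
    }
}

New-LabFirewallRules | Out-Null
Get-LabFirewallRuleReport | Format-Table -AutoSize
Test-RdpListener -ComputerName 'LON-CL1'
```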

Prepare for the next lab

When you finish the lab, leave the virtual machines running, as they are needed for the next lab.

Lab B: Configuring IPsec Rules

Exercise 1: Creating and Configuring IPsec Rules

Task 1: Create an Internet Protocol security (IPsec) rule on LON-CL1

1. Switch to LON-CL1.
2. Open the Settings charm, and then on the Desktop menu, click Control Panel.
3. Click System and Security, and then click Windows Firewall.
4. In the left pane, click Advanced settings, and then click Connection Security Rules.
5. In the Actions pane, click New Rule.
6. On the Rule Type page, verify that Isolation is selected, and then click Next.
7. On the Requirements page, select Require authentication for inbound connections and request authentication for outbound connections, and then click Next.
8. On the Authentication Method page, select Computer and user (Kerberos V5), and then click Next.
9. On the Profile page, click Next.
10. On the Name page, in the Name text box, type Authenticate all inbound connections, and then click Finish.
11. Close the Windows Firewall with Advanced Security window.

Task 2: Test connectivity between LON-CL2 and LON-CL1

1. Switch to LON-CL2.
2. Open a Command Prompt window, type ping LON-CL1, and then press Enter.
3. Verify that the ping generated four Request timed out messages.
4. Close the Command Prompt window.

Task 3: Create an IPsec rule on LON-CL2 by using the Windows PowerShell command-line interface

1. On LON-CL2, from the Start screen, type Power, right-click Windows PowerShell, and then click Run as administrator.
2. In the Administrator: Windows PowerShell window, type the following, and then press Enter:

Note: The ComputerKerberos and UserKerberos switches used in the following cmdlet are case sensitive. Please type the command as written, including case.

New-NetIPsecRule -DisplayName "Authenticate all inbound connections" -InboundSecurity Require -OutboundSecurity Request -Phase1AuthSet ComputerKerberos -Phase2AuthSet UserKerberos

Note: The monitoring component for the newly created Connection Security Rule might not be created in a timely fashion. To force the creation of the monitoring component, perform the following steps:

1. Open the Settings charm, and then on the Desktop menu, click Control Panel.
2. Click System and Security, and then click Windows Firewall.
3. In the left pane, click Advanced settings.
4. Click Connection Security Rules.
5. Double-click Authenticate all inbound connections.
6. In the Description field, type Requires inbound authentication, and then click OK.

Task 4: Test connectivity between LON-CL2 and LON-CL1

1. In the Administrator: Windows PowerShell window, type ping LON-CL1, and then press Enter.
2. Verify that the ping generated four Reply from 172.16.0.50: bytes=32 time=xms TTL=128 messages (your times might vary).
3. Open the Settings charm, click Control Panel, click System and Security, and then click Windows Firewall.
4. In the left pane, click Advanced settings.
5. In the left pane, expand Monitoring, and then expand Security Associations.
6. Click Main Mode, and then examine the information in the center pane.
7. Click Quick Mode, and then examine the information in the center pane.
8. Close all open windows.
9. In the host system, click the 20687D-LON-CL1 window.
10. From the Start screen, type Power, right-click Windows PowerShell, and then click Run as administrator.
11. To examine the Main Mode Security Associations (SAs), run the following cmdlet:
    Get-NetIPsecMainModeSA
12. To examine the Quick Mode SAs, run the following cmdlet:
    Get-NetIPsecQuickModeSA

Results: After completing this exercise, you should have created and tested IPsec rules.
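To see from the cmdlet side why the Task 2 ping failed and the Task 4 ping succeeded, the following added example (not part of the course lab files) reads back the rule on the local computer and looks for security associations with the peer. It uses the lab's rule and computer names and assumes that the SA objects returned by Get-NetIPsecMainModeSA and Get-NetIPsecQuickModeSA expose a RemoteEndpoint property.

```powershell
# Added example (not from the 20687D lab files): checks for the Lab B isolation
# rule, run in an elevated Windows PowerShell session on LON-CL2 (and again on
# LON-CL1). Rule and peer names are the lab's; the RemoteEndpoint property used to
# filter the SA lists is assumed from the NetSecurity module's SA objects.

function Get-IsolationRuleState {
    # Which side carries the rule and what it demands. A peer set to Require
    # inbound authentication silently drops unauthenticated packets, which is why
    # the Task 2 ping from a LON-CL2 that had no rule yet reported "Request timed out".
    param([string]$DisplayName = 'Authenticate all inbound connections')
    $rule = Get-NetIPsecRule -DisplayName $DisplayName -ErrorAction SilentlyContinue
    if (-not $rule) {
        return [pscustomobject]@{ DisplayName = $DisplayName; Present = $false }
    }
    [pscustomobject]@{
        DisplayName      = $rule.DisplayName
        Present          = $true
        Enabled          = $rule.Enabled
        InboundSecurity  = $rule.InboundSecurity    # Require in the lab
        OutboundSecurity = $rule.OutboundSecurity   # Request in the lab
        Phase1AuthSet    = $rule.Phase1AuthSet      # ComputerKerberos
        Phase2AuthSet    = $rule.Phase2AuthSet      # UserKerberos
    }
}

function Test-IPsecPeer {
    # Task 4 as a check: ping the peer, then confirm the traffic was actually
    # protected by looking for main mode and quick mode SAs with the peer's IPv4
    # address (the Monitoring > Security Associations view, scripted).
    param([Parameter(Mandatory)][string]$PeerName)
    $reachable = Test-Connection -ComputerName $PeerName -Count 2 -Quiet -ErrorAction SilentlyContinue
    $peerIp = try {
        [System.Net.Dns]::GetHostAddresses($PeerName) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } | Select-Object -First 1
    } catch { $null }
    $mainMode  = @(Get-NetIPsecMainModeSA  | Where-Object { $_.RemoteEndpoint -eq "$peerIp" })
    $quickMode = @(Get-NetIPsecQuickModeSA | Where-Object { $_.RemoteEndpoint -eq "$peerIp" })
    [pscustomobject]@{
        Peer          = $PeerName
        PeerAddress   = "$peerIp"
        PingSucceeded = $reachable
        MainModeSAs   = $mainMode.Count
        QuickModeSAs  = $quickMode.Count
        # A reply with no SAs means the packets went in the clear: the rule is
        # missing on one side, and Request-only peers fall back to clear text.
        Authenticated = [bool]($reachable -and $mainMode.Count -gt 0 -and $quickMode.Count -gt 0)
    }
}

Get-IsolationRuleState
Test-IPsecPeer -PeerName 'LON-CL1'
```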

Prepare for the next lab

When you finish the lab, leave the virtual machines running, as they are needed for the next lab.

Lab C: Configuring Malware Protection

Exercise 1: Configuring Windows Defender

Task 1: Perform a Quick scan

1. Switch to LON-CL1.
2. Open the Settings charm, and then on the Desktop menu, click Control Panel.
3. Click View by:, select Large Icons, and then click Windows Defender.
4. On the Windows Defender Home tab, ensure that the Quick scan option is selected.
5. Click Scan now, and then review the results.
6. Close Windows Defender.

Task 2: Test malware detection

1. Open File Explorer, and then browse to E:\Labfiles\Mod08\Malware.
2. In the Malware folder, open sample.txt in Notepad. The sample.txt file contains a text string to test malware detection.
3. In the sample.txt file, delete both instances of <remove>, including the brackets and any extra lines or blank spaces.
4. Save and close the file. Windows Defender immediately detects a potential threat.
5. Shortly thereafter, sample.txt is removed from the Malware folder.

Task 3: Examine the Windows Defender history

1. Open the Settings charm, and then on the Desktop menu, click Control Panel.
2. Click Windows Defender.
3. In Windows Defender, click the History tab.
4. Click View details, and then review the results.
5. Select the check box for Virus:DOS/EICAR_Test_File, and then click Remove.
6. Close all open windows.

Results: After completing this exercise, you should have configured and used Windows Defender.
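The same exercise driven from the Windows Defender PowerShell module, as an added example that is not part of the course lab files; it writes its own EICAR test file (the file name is assumed) into the lab's Malware folder and then queries the detection records that the History tab displays.

```powershell
# Added example (not from the 20687D lab files): Lab C driven from the Defender
# module that ships with Windows 8.1. Run in an elevated Windows PowerShell session
# on LON-CL1. The folder is the lab's Malware folder; the file name is assumed.

function Get-DefenderStatus {
    # Task 1 context: a scan is only meaningful if real-time protection is on and
    # signatures are current, so report both alongside the last quick scan time.
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        RealTimeProtection = $s.RealTimeProtectionEnabled
        AntivirusEnabled   = $s.AntivirusEnabled
        SignaturesUpdated  = $s.AntivirusSignatureLastUpdated
        LastQuickScan      = $s.QuickScanEndTime
    }
}

function Invoke-EicarDetectionTest {
    # Task 2 scripted. The EICAR string is the industry-standard, harmless detection
    # test. As in the lab's sample.txt (which splits it with <remove> markers), it is
    # held here in two halves so that this script file does not itself contain the
    # signature; only the joined file on disk matches Virus:DOS/EICAR_Test_File.
    param([string]$Path = 'E:\Labfiles\Mod08\Malware\eicar-test.txt')
    $half1 = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!'
    $half2 = '$H+H*'
    $writeBlocked = $false
    try {
        [System.IO.File]::WriteAllText($Path, $half1 + $half2)
    } catch {
        # Real-time protection may refuse the write outright; that is also a detection.
        $writeBlocked = $true
    }
    Start-Sleep -Seconds 15   # give real-time protection time to quarantine the file
    [pscustomobject]@{
        Path         = $Path
        WriteBlocked = $writeBlocked
        FileRemoved  = -not (Test-Path -LiteralPath $Path)
        # Task 3 equivalent of the History tab: detection records naming this file.
        Detections   = @(Get-MpThreatDetection | Where-Object { $_.Resources -like "*$Path*" }).Count
    }
}

function Get-DefenderHistory {
    # Task 3: the threats Defender has recorded, as listed under History > View details.
    Get-MpThreat | Select-Object ThreatName, SeverityID, CategoryID, IsActive
}

Get-DefenderStatus
# Start-MpScan -ScanType QuickScan   # Task 1; synchronous, takes a few minutes on the VM
Invoke-EicarDetectionTest
Get-DefenderHistory
```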

Prepare for the next module

When you finish the lab, revert the virtual machines to their initial state:

1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687D-LON-CL2, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20687D-LON-CL1 and 20687D-LON-DC1.

Module 9: Configuring Resource Access for Domain-Joined Devices and Devices That Are Not Domain Members

Lab: Configuring Resource Access for Devices That Are Not Domain Members

Exercise 1: Implementing Workplace Join

Task 1: Verify Workplace Join prerequisites

1. On LON-DC1, on the Start screen, type users, and then run Active Directory Users and Computers.
2. In Active Directory Users and Computers, on the View menu, select Advanced Features.
3. In Active Directory Users and Computers, in the navigation pane, click Marketing. In the details pane, right-click Adam Barr, and then select Properties.
4. In the Adam Barr Properties dialog box, click the Account tab. Verify that User logon name is Adam@Adatum.com, and then click Cancel.
5. In Active Directory Users and Computers, in the navigation pane, click RegisteredDevices, and then verify that no object is listed in the details pane.
6. On the Start screen, type pkiview.msc, and then press Enter.
7. In the Pkiview [Enterprise PKI] console, in the navigation pane, click AdatumCA (V0.0). In the details pane, verify that AIA Location #2, CDP Location #2, and DeltaCRL Location #2 have a location that is accessible over the HTTP protocol.

Note: CDP Location and Delta CRL Location have a short validity period, and their status could be shown as Expiring. You can ignore their value in the Status column.

8. Close pkiview.
9. On the Start screen, type dns, and then click DNS console.
10. In DNS Manager, in the navigation pane, expand LON-DC1, expand Forward Lookup Zones, and then click Adatum.com. In the details pane, verify that there is an Enterpriseregistration CNAME record that points to LON-SVR1.adatum.com.
11. Close DNS Manager.
12. On LON-SVR1, on the Start screen, type ad fs, and then run AD FS Management.
13. In AD FS Management, in the navigation pane, select Authentication Policies, right-click Authentication Policies, and then select Edit Global Primary Authentication.
14. In the Edit Global Primary Authentication dialog box, on the Primary tab, verify that the Enable device authentication check box is selected, and then click OK.
15. In AD FS Management, in the navigation pane, expand Service, and then click Certificates. In the details pane, under Service communications, right-click CN=LON-SVR1.adatum.com, and then select View Certificate.
16. In the Certificate dialog box, click the Details tab. Select Subject Alternative Name, and then verify that it has the values DNS Name=LON-SVR1.adatum.com and DNS Name=Enterpriseregistration.adatum.com.
17. Select the CRL Distribution Points field, and then verify that one of the URLs is accessible over the HTTP protocol.
18. Select the Authority Information Access field, and then verify that one of the URLs is accessible over the HTTP protocol. Click OK.
19. Close AD FS Management.

Task 2: Workplace Join a Windows 8.1 computer

1. On LON-CL4, sign in as Admin with the password Pa$$w0rd.
2. On LON-CL4, on the Start screen, type command, and then click Command Prompt.
3. At the command prompt, run nslookup enterpriseregistration.adatum.com. Verify that the name is resolved to an IP address, and then close the Command Prompt window.
4. On LON-CL4, on the Start screen, type \\LON-DC1\certificate, and then press Enter.
5. In the Windows Security dialog box, in the User name field, type adatum\adam, in the Password field, type Pa$$w0rd, and then click OK.
6. In certificate, in the details pane, right-click Root-CA, and then click Install Certificate.
7. In the Certificate Import Wizard, select Local Machine, and then click Next. Click Yes in the User Account Control dialog box.
8. On the Certificate Store page, select Place all certificates in the following store, click Browse, select Trusted Root Certification Authorities, click OK, and then click Next.
9. In the Certificate Import Wizard, on the Completing the Certificate Import Wizard page, click Finish, and then click OK.
10. On the taskbar, click the Internet Explorer icon.
11. In Internet Explorer, in the address box, type https://LON-SVR2.adatum.com/claimapp, and then press Enter to access the internal company web app.
12. In the Windows Security dialog box, in the User name field, type adatum\adam, and in the Password field, type Pa$$w0rd, and then click OK. Confirm that the webpage opens and that Adam's claims are displayed.
13. Verify that no Claim Type starts with http://schemas.microsoft.com/2012/01/devicecontext.
14. Close Internet Explorer.
15. On the taskbar, click the Internet Explorer icon. In the Internet Explorer address box, type https://LON-SVR2.adatum.com/claimapp, and then press Enter.
16. Verify that the Windows Security dialog box opens again. In the Windows Security dialog box, in the User name field, type adatum\adam, and in the Password field, type Pa$$w0rd, and then click OK. This confirms that you are asked for credentials each time you access the company web app from a device that is not a domain member.
17. Close Internet Explorer.
18. On the Start screen, type settings, and then click PC settings.
19. On the PC settings bar, select Network.
20. On the Network bar, select Workplace. In the Enter your user ID to get workplace access or turn on device management field, type adam@adatum.com, and then click Join.
21. Under Connecting to Adatum, verify that adam@adatum.com is in the first text box. Enter Pa$$w0rd in the second text box, and then click Sign in. Confirm that the device has joined your workplace network and that the button label changed from Join to Leave.
22. Move the pointer to the upper-left edge of LON-CL4, and then click the desktop tile.

Task 3: Explore Workplace Join effects

1. On LON-DC1, in Active Directory Users and Computers, in the navigation pane, right-click RegisteredDevices, and then select Refresh. Confirm that one object of type msDS-Device is listed in the details pane. This object represents the LON-CL4 computer that you enabled for Workplace Join. Make note of the name of the msDS-Device object.
2. On LON-CL4, on the taskbar, click the Internet Explorer icon.
3. In Internet Explorer, press the Alt key. On the Tools menu, select Internet options.
4. In the Internet Options dialog box, click the Content tab. In the Certificates section, click Certificates.
5. In the Certificates dialog box, on the Personal tab, verify that one certificate is listed and that it has a GUID in the Issued To field. This is the certificate that the Device Registration Service provided to the user when the device was enabled for Workplace Join. Verify that the GUID is the same as the name of the msDS-Device object from Active Directory Users and Computers. Click Close, and then click OK in the Internet Options dialog box.
6. In Internet Explorer, in the address box, type https://LON-SVR2.adatum.com/claimapp, and then press Enter to access the internal company web app.
7. In the Windows Security dialog box, in the User name field, type adatum\adam, and in the Password field, type Pa$$w0rd, verify that the Remember my credentials check box is not selected, and then click OK. Confirm that the webpage opens and that Adam's claims are displayed.
8. Verify that the Claim Type http://schemas.microsoft.com/2012/01/devicecontext/claims/identifier has the same value as the name of the msDS-Device object from Active Directory Users and Computers.
9. Close Internet Explorer.
10. Open Internet Explorer, and then access the same company app at https://LON-SVR2.adatum.com/claimapp.
11. Verify that the webpage opens without asking you for credentials. You were not asked for credentials because you accessed it from the device that was enabled for Workplace Join.

Results: After completing this exercise, you should have successfully implemented and tested the Workplace Join feature.
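The prerequisite checks in Task 1 (DNS CNAME, device authentication, certificate SAN, CDP and AIA) and the nslookup check in Task 2 can be scripted. The following is an added example, not part of the course lab files, meant to run on LON-SVR1; it assumes that the AD FS service communications certificate is in the LocalMachine\My store with the subject used in the filter, and that the ADFS module is present there.

```powershell
# Added example (not from the 20687D lab files): Task 1 (steps 10 and 14 to 18) and
# Task 2 step 3 as scripted checks. Run in Windows PowerShell on LON-SVR1. The
# certificate store and subject filter are assumptions; the names are the lab's.

function Get-CertificateExtensionText {
    # Decoded text of one X.509 extension, as the Details tab of the certificate shows it.
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$Oid
    )
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $Oid }
    if ($ext) { $ext.Format($true) } else { '' }
}

function Test-WorkplaceJoinPrereqs {
    param(
        [string]$Domain          = 'adatum.com',
        [string]$DrsHost         = 'LON-SVR1.adatum.com',
        [string]$CertSubjectLike = '*CN=LON-SVR1.adatum.com*'   # assumed subject of the AD FS cert
    )
    $checks = [ordered]@{}

    # Step 10 / Task 2 step 3: enterpriseregistration.<domain> must resolve, via a
    # CNAME, to the AD FS server that hosts the Device Registration Service.
    $cname = Resolve-DnsName -Name "enterpriseregistration.$Domain" -Type CNAME -ErrorAction SilentlyContinue
    $checks['DnsCnameToAdfs'] = [bool]($cname | Where-Object { $_.NameHost -eq $DrsHost })

    # Step 14: device authentication must be switched on in the global policy.
    try   { $checks['DeviceAuthEnabled'] = (Get-AdfsGlobalAuthenticationPolicy).DeviceAuthenticationEnabled }
    catch { $checks['DeviceAuthEnabled'] = 'ADFS module not available on this host' }

    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like $CertSubjectLike } | Select-Object -First 1
    $checks['CertificateFound'] = [bool]$cert
    if (-not $cert) { return [pscustomobject]$checks }

    # Step 16: the SAN must carry both the service name and the DRS name, or clients
    # contacting enterpriseregistration.<domain> get a certificate name mismatch.
    $san = Get-CertificateExtensionText -Certificate $cert -Oid '2.5.29.17'
    $checks['SanHasServiceName'] = $san -match [regex]::Escape("DNS Name=$DrsHost")
    $checks['SanHasDrsName']     = $san -match [regex]::Escape("DNS Name=enterpriseregistration.$Domain")

    # Steps 17-18: CDP and AIA need an HTTP URL, because a device that is not a
    # domain member cannot reach the LDAP locations to check revocation.
    $cdp = Get-CertificateExtensionText -Certificate $cert -Oid '2.5.29.31'
    $aia = Get-CertificateExtensionText -Certificate $cert -Oid '1.3.6.1.5.5.7.1.1'
    $checks['CdpHasHttpUrl'] = $cdp -match 'URL=http://'
    $checks['AiaHasHttpUrl'] = $aia -match 'URL=http://'

    [pscustomobject]$checks
}

Test-WorkplaceJoinPrereqs | Format-List
```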

Exercise 2: Configuring Work Folders


Task 1: Install the Work Folders feature and create a sync share
1.

On LON-DC1, on the taskbar, click the Windows PowerShell icon, and type the following cmdlet,
and then press Enter.
Install-WindowsFeature FS-SyncShareService

Note: After the feature is installed, you will get a warning because Windows automatic
updating is not enabled. You can ignore the warning.

MCT USE ONLY. STUDENT USE PROHIBITED

L9-60 Configuring Resource Access for Domain-Joined Devices and Devices That Are Not Domain Members

2.

Minimize the Windows PowerShell window, and then click the Server Manager icon on the taskbar.

3.

In Server Manager, in the navigation pane, click File and Storage Services, click Work Folders, click
TASKS in WORK FOLDERS section, and then select New Sync Share.

4.

In the New Sync Share Wizard, on the Before you begin page, click Next.

5.

On the Select the server and path page, in the Enter a local path field, type C:\syncshare1, click
Next, and then click OK.

Note: If LON-DC1 is not listed in Servers section, click Cancel. In Server Manager, click
Refresh, then repeat this task from step 3 on.
6.

On the Specify the structure for user folders page, verify that User alias is selected, and then click
Next.

7.

On the Enter the sync share name page, click Next to accept the default sync share name.

8.

On the Grant sync access to groups page, click Add, and in the Enter the object name to select
field, type Marketing, click OK, and then click Next.

9.

On the Specify device policies page, verify the two available options. Clear the Automatically lock
screen, and require a password policy, and then click Next.

10. On the Confirm selections page, click Create.


11. On the View Results page, click Close.

12. In Server Manager, verify that syncshare1 is listed in the WORK FOLDERS section and that user Adam
Barr is listed in the USERS section.

Task 2: Bind an SSL certificate for Work Folders


1. On LON-DC1, on the Start screen, type iis, and then run Internet Information Services (IIS) Manager.

2. In Internet Information Services (IIS) Manager, in the navigation pane, expand LON-DC1 (ADATUM\Administrator).

3. Expand Sites, right-click Default Web Site, and then select Edit Bindings.

4. In Site Bindings, click Add.

5. In Add Site Binding, select https as the Type. In the SSL certificate box, select LON-DC1.adatum.com, click OK, click Yes, and then click Close.

6. Close Internet Information Services (IIS) Manager.

Task 3: Configure Group Policy to deploy Work Folders


1. On LON-DC1, in Server Manager, click the Tools menu, and then select Group Policy Management.

2. In the Group Policy Management console, in the navigation pane, expand Forest: Adatum.com, expand Domains, expand Adatum.com, and then select Marketing.

3. Right-click Marketing, and then select Create a GPO in this domain, and Link it here. In the Name field, type Deploy Work Folders, and then click OK.

4. Right-click Deploy Work Folders, and then select Edit.

5. In the Group Policy Management Editor, under User Configuration, in the navigation pane, expand Policies, Administrative Templates, Windows Components, and then click the Work Folders node.

6. In the details pane, right-click Specify Work Folder settings, and then select Edit.

7. In the Specify Work Folder settings dialog box, select Enabled. In the Work Folders URL field, type https://lon-dc1.adatum.com, select the Force automatic setup check box, click OK, and then close the Group Policy Management Editor.

8. On LON-CL1, sign out, and then sign in as adatum\adam with the password Pa$$w0rd.

9. On the Start screen, click the Desktop tile.

10. On the toolbar, click the File Explorer icon.

11. In This PC, in the navigation pane, click Work Folders. Right-click in the details pane, select New, select Text Document, and then name the file On LON-CL1.
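The server side of this exercise (Tasks 1 to 3) can be scripted. The following PowerShell is an added example for this edition, not part of the lab or the course files. It assumes the lab's names (the sync share C:\syncshare1 granted to the Marketing group, a certificate with subject LON-DC1.adatum.com already in the computer's personal store, and a Marketing OU at OU=Marketing,DC=Adatum,DC=com; that distinguished name is an assumption), that the New-SyncShare device-policy parameters correspond to the two wizard options, and that SyncUrl and AutoProvision are the registry values written by the Specify Work Folder settings policy. The device policies the wizard offers (automatic lock, encryption) are what protect the synced copy on a device that is not a domain member; the lab clears the lock policy for convenience, which is the first thing to turn back on outside a classroom.

```powershell
# Added example, not from the course lab. Run on LON-DC1 as a domain administrator.
Import-Module ServerManager, SyncShare, WebAdministration, GroupPolicy

# Task 1: install the Work Folders role service and create the sync share.
Install-WindowsFeature FS-SyncShareService | Out-Null
New-SyncShare -Name 'syncshare1' -Path 'C:\syncshare1' -User 'ADATUM\Marketing' `
    -RequireEncryption $false -RequirePasswordAutoLock $false | Out-Null   # lab values; use $true for both in production
Get-SyncShare -Name 'syncshare1' | Format-List Name, Path, User, RequireEncryption, RequirePasswordAutoLock

# Task 2: bind the server certificate to https on the Default Web Site.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=LON-DC1.adatum.com*' } | Select-Object -First 1
if (-not $cert) { throw 'No certificate for LON-DC1.adatum.com in the computer personal store' }
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443 -IPAddress '*'
}
New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -Value $cert -Force | Out-Null

# Task 3: GPO that points Marketing users at the Work Folders URL and forces automatic setup.
$gpoName = 'Deploy Work Folders'
$ou      = 'OU=Marketing,DC=Adatum,DC=com'          # assumption: the Marketing OU's distinguished name
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | New-GPLink -Target $ou | Out-Null
}
$key = 'HKCU\Software\Policies\Microsoft\Windows\WorkFolders'
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'SyncUrl'       -Type String -Value 'https://lon-dc1.adatum.com' | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'AutoProvision' -Type DWord  -Value 1 | Out-Null
Get-GPRegistryValue -Name $gpoName -Key $key | Format-Table ValueName, Type, Value

# Quick check that a client can reach the sync endpoint at all (the certificate chain must
# also be trusted on the client, which matters most for the non-domain device in Task 4).
Test-NetConnection -ComputerName 'lon-dc1.adatum.com' -Port 443 | Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

Run gpupdate /force on LON-CL1 afterwards; the Work Folders node in File Explorer appears at the next sign-in because the policy is in User Configuration.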

Task 4: Deploy Work Folders on a device that is not a domain member


1. On LON-CL4, on the taskbar, right-click the Start icon, and then click Control Panel.

2. In Control Panel, in the Search Control Panel field, type work, and then click Work Folders.

3. On the Manage Work Folders page, click Set up Work Folders, and then on the Enter your work email address page, click Enter a Work Folders URL instead.

4. On the Enter a Work Folders URL page, in the Work Folders URL box, type https://lon-dc1.adatum.com, and then click Next.

5. In the Windows Security dialog box, in the User name field, type adatum\adam, in the Password field, type Pa$$w0rd, and then click OK.

6. On the Introducing Work Folders page, review the local Work Folders location, and then click Next.

7. On the Security policies page, select the I accept these policies on my PC check box, and then click Set up Work Folders.

8. On the Work Folders has started syncing with this PC page, click Close.

9. On the Work Folders page, verify that the On LON-CL1.txt file is displayed.

Task 5: Use Work Folders to synchronize files


1. On LON-CL4, in Work Folders, right-click in the details pane, select New, select Text Document, and then name the file On LON-CL4.

2. On LON-CL1, in Work Folders, verify that only the On LON-CL1 file is displayed.

   Note: Work Folders synchronizes every 10 minutes automatically. You also have an option to trigger synchronization manually.


3. In File Explorer, in the navigation pane, right-click Work Folders, and then click Sync Now. Press F5 to refresh the view, and then verify that both files, On LON-CL1.txt and On LON-CL4.txt, are displayed in the details pane.

4. On the taskbar, right-click the Start button, and then select Control Panel.

5. In Control Panel, in the Search Control Panel field, type network, and then click View network connections. Right-click Ethernet, and then select Disable. In the User Account Control dialog box, type Administrator as the User name and Pa$$w0rd as the Password, and then click Yes.

6. On LON-CL1, in Work Folders, double-click the On LON-CL1.txt file. The file opens in Notepad.

7. In Notepad, type Modified offline, close Notepad, and then click Save.

8. In Work Folders, right-click in the details pane, select New, select Text Document, and then name the file Offline LON-CL1.

9. On LON-CL4, in Work Folders, double-click the On LON-CL1.txt file. The file opens in Notepad.

10. In Notepad, type Online modification, close Notepad, and then click Save.

11. On LON-CL1, in Network Connections, right-click Ethernet, and then select Enable. In the User Account Control dialog box, type Administrator as the User name and Pa$$w0rd as the Password, and then click Yes.

12. Switch to Work Folders. Verify that four files are displayed in the details pane, including On LON-CL1 and On LON-CL1-LON-CL1. Because the file was modified at two locations, a conflict occurred, and one of the copies was renamed.

Results: After completing this exercise, you should have successfully configured the Work Folders feature.

To prepare for the next module


When you have finished the lab, revert the virtual machines to their initial state.

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20687D-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20687D-LON-SVR1, 20687D-LON-SVR2, 20687D-LON-CL1, and 20687D-LON-CL4.


Module 10: Securing Windows 8.1 Devices

Lab A: Implementing Local GPOs


Exercise 1: Restricting the Use of Registry Editing Tools
Task 1: Edit the local GPO to restrict use of registry editing tools
1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.

2. On the Start screen, type group, click Settings, and then click Edit group policy.

3. In the Local Group Policy Editor, under User Configuration, expand Administrative Templates, click System, and then double-click Prevent access to registry editing tools.

4. In the Prevent access to registry editing tools window, click Enabled, and then click OK.

5. Close the Local Group Policy Editor, and then restart LON-CL1.

6. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.

7. On the Start screen, type regedit, and then click regedit.exe.

8. In the Registry Editor window, click OK.

Task 2: Edit the local GPO to allow administrators to use registry editing tools
1. On the Start screen, type mmc, and then click mmc.exe.

2. In the Microsoft Management Console, click File, and then click Add/Remove Snap-in.

3. In the Add or Remove Snap-ins window, in the Available snap-ins box, click Group Policy Object Editor, and then click Add.

4. In the Select Group Policy Object window, click Browse.

5. In the Browse for a Group Policy Object dialog box, click the Users tab, click Administrators, and then click OK.

6. In the Select Group Policy Object window, click Finish.

7. In the Add or Remove Snap-ins window, click OK.

8. In the Microsoft Management Console, expand Local Computer\Administrators Policy, expand User Configuration, expand Administrative Templates, click System, and then double-click Prevent access to registry editing tools.

9. In the Prevent access to registry editing tools window, click Disabled, and then click OK.

10. Close the Microsoft Management Console, and then click No to not save the settings.

11. On the Start screen, type regedit, click regedit.exe, and then verify that the administrator can start Regedit.exe.

12. Close the Registry Editor.
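The two tasks rely on the multiple local GPO (MLGPO) processing order: the Local Computer policy applies to everyone, the Administrators or Non-Administrators policy applies next, and a later layer wins on conflict, which is why the Disabled setting from Task 2 overrides the Enabled setting from Task 1 for administrators. The following PowerShell is an added example for this edition, not part of the lab, that shows where each layer is stored and what the resulting setting is for the signed-in user. It assumes the standard policy value DisableRegistryTools and the standard registry.pol locations. Note that this policy only blocks Regedit.exe; reg.exe and the PowerShell registry provider are unaffected, so it is a usability guard rather than an access control.

```powershell
# Added example, not part of the course lab. Run as the user you want to check (Administrator
# here) after the local GPOs from Tasks 1 and 2 have been applied.
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$value = (Get-ItemProperty -Path $policyKey -Name DisableRegistryTools -ErrorAction SilentlyContinue).DisableRegistryTools

if ($null -eq $value) {
    'DisableRegistryTools not set: Regedit.exe runs'
} else {
    switch ([int]$value) {
        0 { 'DisableRegistryTools = 0: Regedit.exe runs (policy explicitly Disabled, as in Task 2)' }
        1 { 'DisableRegistryTools = 1: Regedit.exe blocked, but "regedit /s" still imports .reg files' }
        2 { 'DisableRegistryTools = 2: Regedit.exe blocked, silent mode included' }
    }
}

# Where each MLGPO layer stores its user settings, in processing order. The Administrators layer
# is keyed by the well-known SID of the Administrators group; Non-Administrators by that of Users.
$layers = [ordered]@{
    'Local Computer (all users)'        = "$env:SystemRoot\System32\GroupPolicy\User\registry.pol"
    'Administrators (S-1-5-32-544)'     = "$env:SystemRoot\System32\GroupPolicyUsers\S-1-5-32-544\User\registry.pol"
    'Non-Administrators (S-1-5-32-545)' = "$env:SystemRoot\System32\GroupPolicyUsers\S-1-5-32-545\User\registry.pol"
}
foreach ($layer in $layers.GetEnumerator()) {
    $state = if (Test-Path $layer.Value) { 'configured: ' + $layer.Value } else { 'not configured' }
    '{0,-34} {1}' -f $layer.Key, $state
}

# The policy does not stop other tools from reading or writing the registry:
reg.exe query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools
```

Run the same script as a standard user (one who is not a member of Administrators) to confirm that the Task 1 setting still applies to that user.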

Results: After completing this exercise, you should have created and configured multiple local Group
Policy Objects (MLGPOs).

Prepare for the next lab

When you are finished with the lab, leave the virtual machines running, as they are needed for the
next lab.


Lab B: Securing Data by Using BitLocker


Exercise 1: Protecting Files with BitLocker
Task 1: Configure GPO settings for BitLocker


1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.

2. On the Start screen, type gpedit.msc, and then press Enter.

3. In the Local Group Policy Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then expand BitLocker Drive Encryption.

4. Click Operating System Drives, and then double-click Require additional authentication at startup.

5. In the Require additional authentication at startup dialog box, click Enabled, and then click OK.

6. Close the Local Group Policy Editor.

7. On the Start screen, type cmd.exe, and then press Enter.

8. At the command prompt, type gpupdate /force, and then press Enter.

9. Close all open windows.

Task 2: Enable BitLocker


1. On LON-CL1, on the taskbar, click File Explorer.

2. In the navigation pane, click This PC, right-click Allfiles (E:), and then click Turn on BitLocker.

3. In the BitLocker Drive Encryption (E:) dialog box, click Use a password to unlock the drive. This is necessary because the virtual machine does not support USB flash drives.

4. On the Choose how you want to unlock this drive page, in the Enter your password and Reenter your password boxes, type Pa$$w0rd, and then click Next.

5. On the How do you want to back up your recovery key? page, click Save to a file.

6. In the Save BitLocker recovery key as dialog box, click Local Disk (C:).

7. On the File Explorer toolbar, click New folder, type BitLocker, and then press Enter.

8. In the Save BitLocker recovery key as dialog box, click Open, click Save, click Yes, and then click Next.

9. On the BitLocker Drive Encryption (E:) page, click Start encrypting, and then click Close.

   Note: The drive will be encrypted as a background process; you do not need to wait for the process to complete to continue the lab.

10. Restart LON-CL1.

Task 3: Unlock the BitLocker encrypted drive


1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.

2. On the Start screen, click the Desktop tile.

3. On the taskbar, click File Explorer.

4. In the navigation pane, click This PC.

5. Right-click Allfiles (E:), click Open, verify that the drive is encrypted, and then click OK.

6. Right-click Allfiles (E:), and then click Unlock Drive.

7. Enter the password Pa$$w0rd, press Enter to unlock the drive, and then verify access to the drive contents.

8. Close all open windows.
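Tasks 2 and 3 can also be done with the BitLocker module, which makes two points of the GUI flow explicit. First, the Require additional authentication at startup policy from Task 1 governs operating system drives only; E: is a data drive, so its unlock method is simply the password protector you choose. Second, the lab saves the recovery key to C:\BitLocker on the same computer, which is acceptable in a classroom but defeats the purpose elsewhere; the recovery password should be escrowed somewhere independent of the machine, normally AD DS. The following PowerShell is an added example for this edition, not part of the lab; it assumes the E: drive and the lab password, and the AD DS backup line assumes a domain whose schema supports BitLocker recovery information (Windows Server 2008 and later).

```powershell
# Added example, not from the course lab. Run elevated on LON-CL1 after the GPO refresh in Task 1.
Import-Module BitLocker

$drive = 'E:'
$pw = Read-Host -Prompt "Password to unlock $drive" -AsSecureString     # the lab uses Pa$$w0rd

# Task 2, steps 2-4 and 9: password protector, AES-256, used-space-only for a quick lab run.
Enable-BitLocker -MountPoint $drive -PasswordProtector -Password $pw -EncryptionMethod Aes256 -UsedSpaceOnly | Out-Null

# Task 2, steps 5-8: add a 48-digit recovery password as a second protector.
$vol = Add-BitLockerKeyProtector -MountPoint $drive -RecoveryPasswordProtector
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -Last 1

# Lab equivalent of "Save to a file" on C:. Outside the lab, escrow it in AD DS instead:
# Backup-BitLockerKeyProtector -MountPoint $drive -KeyProtectorId $rp.KeyProtectorId
New-Item -ItemType Directory -Path 'C:\BitLocker' -Force | Out-Null
"BitLocker recovery password for $drive on $env:COMPUTERNAME`nIdentifier: $($rp.KeyProtectorId)`nRecovery password: $($rp.RecoveryPassword)" |
    Out-File -FilePath "C:\BitLocker\$($rp.KeyProtectorId.Trim('{}')).txt"

# Task 3 equivalent: status, then lock and unlock with the password once encryption has finished.
Get-BitLockerVolume -MountPoint $drive |
    Format-List MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage, EncryptionMethod, KeyProtector
if ((Get-BitLockerVolume -MountPoint $drive).VolumeStatus -eq 'FullyEncrypted') {
    Lock-BitLocker -MountPoint $drive -ForceDismount
    Unlock-BitLocker -MountPoint $drive -Password $pw | Out-Null
    (Get-BitLockerVolume -MountPoint $drive).LockStatus     # Unlocked
}
```

If you unlock from the GUI as in Task 3, the password protector is the one being used; the recovery password is only needed when that password is lost, so test it once with Unlock-BitLocker -RecoveryPassword before relying on it.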

Results: After completing this exercise, you should have encrypted the Allfiles (E:) drive with BitLocker and unlocked it with a password.

Prepare for the next lab

When you are finished with the lab, leave the virtual machines running, as they are needed for the
next lab.


Lab C: Configuring and Testing UAC


Exercise 1: Modifying UAC Prompts
Task 1: Modify the User Account Control (UAC) prompts
1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.

2. On the Start screen, type gpedit.msc, and then press Enter.

3. In the Local Group Policy Editor, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.

4. In the results pane, double-click User Account Control: Behavior of the elevation prompt for standard users.

5. In the User Account Control: Behavior of the elevation prompt for standard users dialog box, click Prompt for credentials on the secure desktop, and then click OK.

Task 2: Modify the UAC notification level


1. In the results pane, double-click User Account Control: Only elevate executables that are signed and validated.

2. In the User Account Control: Only elevate executables that are signed and validated dialog box, click Enabled, and then click OK.

3. In the results pane, double-click User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode.

4. In the User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode dialog box, click Prompt for consent on the secure desktop, and then click OK.

5. Close the Local Group Policy Editor, and then sign out.

Task 3: Test the UAC settings


1. Sign in to LON-CL1 as Adatum\Dan with password Pa$$w0rd.

2. On the Start screen, click the Desktop tile.

3. Open the Administrative menu by pressing the Windows logo key+X, and then click Command Prompt (Admin). The Windows operating system displays the User Account Control prompt.

4. In the User name field, type Administrator, in the Password field, type Pa$$w0rd, and then click Yes.

5. Close the Command Prompt (Admin) window.

6. Sign out.

7. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.

8. Open the Administrative menu by pressing the Windows logo key+X, and then click Control Panel.

9. In Control Panel, click System and Security.

10. In System and Security, click Change User Account Control settings.

11. Verify that the slider is configured for Always notify.
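The three policies set in Tasks 1 and 2 are stored as values under the Policies\System key, and the slider checked in Task 3 is just a view of two of them. The following PowerShell is an added example for this edition, not part of the lab, that reads the effective values and decodes them into the names the Local Group Policy Editor uses; it assumes the standard value names and encodings. One practitioner caveat on Task 2: with Only elevate executables that are signed and validated enabled, any unsigned program that requests elevation is refused for every user, including in-house administrative tools, so test that setting against the tools your administrators actually run before deploying it by domain GPO.

```powershell
# Added example, not from the course lab. Run on LON-CL1 after the settings have been applied.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $uacKey

# Encodings used by the "User Account Control:" security options.
$adminBehavior = @{ 0 = 'Elevate without prompting'
                    1 = 'Prompt for credentials on the secure desktop'
                    2 = 'Prompt for consent on the secure desktop'
                    3 = 'Prompt for credentials'
                    4 = 'Prompt for consent'
                    5 = 'Prompt for consent for non-Windows binaries' }
$userBehavior  = @{ 0 = 'Automatically deny elevation requests'
                    1 = 'Prompt for credentials on the secure desktop'
                    3 = 'Prompt for credentials' }

function Get-UacSettings {
    [pscustomobject]@{
        'Run all administrators in Admin Approval Mode'          = [bool]$uac.EnableLUA
        'Elevation prompt for administrators'                    = $adminBehavior[[int]$uac.ConsentPromptBehaviorAdmin]
        'Elevation prompt for standard users'                    = $userBehavior[[int]$uac.ConsentPromptBehaviorUser]
        'Only elevate executables that are signed and validated' = [bool]$uac.ValidateAdminCodeSignatures
        'Switch to the secure desktop when prompting'            = [bool]$uac.PromptOnSecureDesktop
    }
}
Get-UacSettings | Format-List

# The slider position seen in Task 3, step 11 is derived from two of these values:
# Always notify = ConsentPromptBehaviorAdmin 2 + PromptOnSecureDesktop 1; the default
# "Notify me only when apps try to make changes" = 5 + 1; Never notify = 0 + 0.
$slider = switch ("$($uac.ConsentPromptBehaviorAdmin)/$($uac.PromptOnSecureDesktop)") {
    '2/1' { 'Always notify' }
    '5/1' { 'Notify me only when apps try to make changes to my computer (default)' }
    '5/0' { 'Notify me only when apps try to make changes to my computer (do not dim my desktop)' }
    '0/0' { 'Never notify' }
    default { 'Custom (not one of the four slider positions)' }
}
"Slider: $slider"
```

The secure desktop matters in Task 3, step 4: because the prompt for Dan is shown on the secure desktop, other processes in Dan's session cannot read or automate the credential dialog in which the Administrator password is typed.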

Results: After completing this exercise, you should have reconfigured UAC notification behavior and
prompts.

Prepare for the next module


When you have finished the lab, revert all virtual machines back to their initial state:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20687D-LON-CL1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20687D-LON-DC1.


Module 11: Configuring Applications for Windows 8.1

Lab A: Configuring Internet Explorer Security

Exercise 1: Configuring Internet Explorer
Task 1: Enable Compatibility View in Internet Explorer
1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.

2. On the Start screen, click the Desktop tile.

3. On the taskbar, click Internet Explorer.

4. Right-click the bar to the left of the home symbol, and then click Menu bar.

5. On the Menu bar, click Tools, and then click Compatibility View settings.

6. Verify that Internet Explorer uses Microsoft compatibility lists, and then click Close.

Task 2: Delete browsing history


1. On the Tools menu, click Internet options.

2. On the General tab, under Browsing history, click Delete.

3. In the Delete Browsing History dialog box, select the Preserve Favorites website data and History check boxes. Clear all other options, click Delete, and then click OK.

4. Close Internet Explorer.

5. On LON-CL1, click the Internet Explorer icon on the taskbar.

6. In the Address bar, type http://LON-DC1, and then press Enter.

7. Click the Down Arrow next to the Address bar to confirm that the address you typed is stored.

8. In Internet Explorer, on the Tools menu, click Internet options.

9. Click the General tab. Under Browsing History, click Delete.

10. In the Delete Browsing History dialog box, clear the Preserve Favorites website data check box, select the Temporary Internet files and website files, Cookies and website data, and History check boxes, and then click Delete.

11. Click OK to close the Internet Options dialog box.

12. Confirm that there are no addresses stored in the Address bar by clicking the Down Arrow next to the Address bar.

Task 3: Configure InPrivate Browsing


1. On the Tools menu, click InPrivate Browsing.

2. In the Address bar, type http://LON-DC1, and then press Enter.

3. Confirm that the address that you typed is not stored by clicking the Down Arrow next to the Address bar.

4. Close the InPrivate Browsing window.

5. Close Internet Explorer.

Task 4: Configure intranet security settings


1. On LON-CL1, click the Internet Explorer icon on the taskbar.

2. In the Address bar, type http://LON-DC1, and then press Enter.

3. In Internet Explorer, on the Tools menu, click Internet options.

4. On the Security tab, click Local intranet, under Security level for this zone, move the slider to High, and then click OK.

5. On the A. Datum intranet home page, click Current Projects.

6. Close the new tab.

7. In Internet Explorer, on the Tools menu, click Internet options.

8. On the Security tab, click Trusted sites, and then click Sites.

9. In the Trusted sites dialog box, clear the Require server verification (https:) for all sites in this zone check box, click Add, and then click Close.

10. In the Internet Options dialog box, click OK.

11. On the A. Datum intranet home page, click Current Projects.
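Step 9 adds http://LON-DC1 to the Trusted sites zone after turning off the https requirement. That is what makes step 11 work under the High intranet level, but note what it grants: Trusted-sites privileges are now attached to a plain-http name, so anyone who can answer DNS for LON-DC1 or sit on the path to it gets those privileges for the user. Prefer https-only entries and leave the Require server verification check box selected, and in a domain set zone membership centrally with the Site to Zone Assignment List policy rather than per user. The following PowerShell is an added example for this edition, not part of the lab, that shows the per-user registry state behind the dialog and performs the step 9 assignment; it assumes the standard Internet Settings key layout and the documented CurrentLevel encodings.

```powershell
# Added example, not from the course lab. Run as the user whose Internet Explorer settings you want to see.
$zonesKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$mapKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$levels    = @{ 0x10000 = 'Low'; 0x10500 = 'Medium-low'; 0x11000 = 'Medium'; 0x11500 = 'Medium-high'; 0x12000 = 'High' }

# Security level per zone (the slider on the Security tab; step 4 moves Local intranet to High).
function Get-IeZoneLevel {
    foreach ($z in 1..4) {
        $p   = Get-ItemProperty -Path "$zonesKey\$z" -ErrorAction SilentlyContinue
        $lvl = [int]$p.CurrentLevel
        [pscustomobject]@{ Zone = $zoneNames[$z]; Level = ('0x{0:X5}' -f $lvl); Name = $(if ($levels[$lvl]) { $levels[$lvl] } else { 'Custom' }) }
    }
}
Get-IeZoneLevel | Format-Table -AutoSize

# Sites assigned to zones (the Sites button). Each host is a key; the value name is the scheme
# ('http', 'https' or '*') and the data is the zone number. Subkeys are host labels in reverse.
function Get-IeZoneMap {
    Get-ChildItem -Path $mapKey -Recurse | ForEach-Object {
        $k = $_
        $labels = ($k.PSPath -replace '^.*\\Domains\\', '') -split '\\'
        [array]::Reverse($labels)
        foreach ($scheme in $k.GetValueNames()) {
            [pscustomobject]@{ Site = "$scheme`://$($labels -join '.')"; Zone = $zoneNames[[int]$k.GetValue($scheme)] }
        }
    }
}

# Equivalent of step 9. The lab adds the http scheme; 'https' is the safer default.
function Add-IeZoneSite {
    param([string]$Domain, [ValidateSet('http', 'https', '*')][string]$Scheme = 'https', [int]$Zone = 2)
    $k = Join-Path $mapKey $Domain
    if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    New-ItemProperty -Path $k -Name $Scheme -PropertyType DWord -Value $Zone -Force | Out-Null
}
Add-IeZoneSite -Domain 'lon-dc1' -Scheme 'http'
Get-IeZoneMap | Format-Table -AutoSize
```

Internet Explorer reads these values when it starts, so close and reopen the browser after changing them from outside the dialog.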

Task 5: View the add-on management interface


1. On the Tools menu, click Manage add-ons.

2. In the left navigation pane, click Search Providers.

3. In the right navigation pane, click Bing.

4. In the left navigation pane, click Accelerators.

5. In the left navigation pane, click Tracking Protection.

6. Click Close.

Task 6: Download a file


1. In the Address bar, type http://LON-DC1, and then press Enter.

2. Click Download Current Projects.

3. In the Internet Explorer dialog box, click Save.

4. In the banner, click View downloads.

5. In the View Downloads Internet Explorer dialog box, click Open.

6. Verify that the file opens in Microsoft Office Excel.

7. Close Excel and Internet Explorer.

8. Sign out of LON-CL1.

Results: After completing this exercise, you should have successfully configured security and compatibility
settings in Internet Explorer.

Prepare for the next lab

When you have finished the lab, leave the virtual machines running, as they are needed for the next
lab.

Lab B: Configuring AppLocker


Exercise 1: Configuring AppLocker Rules
Task 1: Create a new executable rule


1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.

2. On the Start screen, type gpedit.msc, and then press Enter.

3. In the Local Group Policy Editor, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Application Control Policies, and then double-click AppLocker.

4. Right-click Executable Rules, and then click Create New Rule.

5. In the Create Executable Rules Wizard, click Next.

6. On the Permissions page, click Deny, and then click Select.

7. In the Select User or Group dialog box, in the Enter the object names to select (examples) box, type IT, click Check Names, click OK, and then click Next.

8. On the Conditions page, click Path, and then click Next.

9. Click Browse Files, in the File name box, type C:\Program Files\Windows Media Player\wmplayer.exe, and then click Open.

10. Click Next twice, and then click Create.

11. Click Yes when prompted to create default rules.

Task 2: Enforce AppLocker rules


1. In the Local Group Policy Editor, right-click AppLocker, and then click Properties.

2. On the Enforcement tab, under Executable rules, select the Configured check box, click Enforce rules, and then click OK.

3. Close the Local Group Policy Editor.

4. Select Windows PowerShell from the Administrative menu by pressing the Windows logo key+X.

5. At the Windows PowerShell command prompt, type gpupdate /force, and then press Enter. Wait for the policy to update.

6. Sign out of LON-CL1.

Results: After completing this exercise, you should have created the required AppLocker rule.

Exercise 2: Testing the AppLocker Rules


Task 1: Confirm the executable rule enforcement
1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.

2. Select Computer Management from the Administrative menu by pressing the Windows logo key+X. Expand Event Viewer, expand Windows Logs, and then click System.

3. In the results pane, locate and click the latest event with Event ID 1502.

4. Review the event message details under the General tab.

5. Expand Services and Applications, and then click Services.

6. Right-click the Application Identity service, and then click Start.

7. Sign out of LON-CL1.

Task 2: Test the enforcement


1. Sign in to LON-CL1 as Adatum\Holly with password Pa$$w0rd.

2. On the Start screen, type Media Player, and then click Windows Media Player.

3. Sign out, and then sign in as Adatum\Administrator with password Pa$$w0rd.

4. Select Event Viewer from the Administrative menu by pressing the Windows logo key+X.

5. In Event Viewer, expand Application and Services Logs, expand Microsoft, expand Windows, expand AppLocker, and then click EXE and DLL.

6. Review the entries in the results pane. Locate Event ID 8004. This shows that Holly attempted to run a prohibited application.

7. Close Event Viewer.

8. Sign out.
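Two things in this lab are worth making explicit before the same rule is deployed for real. Task 1 of Exercise 2 starts the Application Identity service by hand; AppLocker enforces nothing while that service is stopped, and on Windows 8.1 its startup type is Manual, so the service must be set to Automatic or enforcement silently disappears after the next restart. And the rule from Exercise 1 is a path rule: it matches the path string C:\Program Files\Windows Media Player\wmplayer.exe, not the program, so a copy of the binary elsewhere is not hit by the deny and whether it runs depends only on the remaining allow rules; a publisher rule on the binary's signature follows it wherever it is copied. The following PowerShell is an added example for this edition, not part of the lab, that checks the service, evaluates the effective policy for Holly and Administrator without signing in as either, shows the path-rule limitation, and queries the same log Task 2 reads in Event Viewer (8004 = blocked, 8003 = audit-only would-block, 8002 = allowed). It assumes Holly is a member of IT, as the lab's test implies.

```powershell
# Added example, not from the course lab. Run elevated on LON-CL1 after Exercise 1.
Import-Module AppLocker

# 1. Enforcement requires the Application Identity service; make it survive a restart.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
Get-Service -Name AppIDSvc | Format-Table Name, Status, StartType -AutoSize

# 2. Evaluate the effective policy for both users.
$policy = Get-AppLockerPolicy -Effective
$wmp    = 'C:\Program Files\Windows Media Player\wmplayer.exe'
function Test-WmpAccess {
    param([string[]]$Users)
    foreach ($user in $Users) {
        Test-AppLockerPolicy -PolicyObject $policy -Path $wmp -User $user |
            Select-Object @{ n = 'User'; e = { $user } }, PolicyDecision, MatchingRule
    }
}
Test-WmpAccess -Users 'ADATUM\Holly', 'ADATUM\Administrator' | Format-Table -AutoSize

# 3. Path-rule limitation: the same binary at another path does not match the deny rule.
#    Here it is still denied, but only because the default rules allow Everyone nothing
#    outside %PROGRAMFILES% and %WINDIR%; note that MatchingRule is empty, not "wmplayer".
$copy = Join-Path $env:TEMP 'wmplayer.exe'
Copy-Item -Path $wmp -Destination $copy -Force
Test-AppLockerPolicy -PolicyObject $policy -Path $copy -User 'ADATUM\Holly' |
    Select-Object FilePath, PolicyDecision, MatchingRule | Format-List
Remove-Item -Path $copy

# 4. The audit trail from Task 2 of Exercise 2: blocked (8004) and audit-only (8003) events.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'User'; e = { $_.UserId.Translate([System.Security.Principal.NTAccount]).Value } },
        Message | Format-Table -Wrap
```

Run step 2 again after changing the rule to a publisher condition (Create New Rule, Conditions page, Publisher) and the copied binary in step 3 will report the deny rule as MatchingRule as well.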

Results: After completing this exercise, you should have verified the function of your executable
AppLocker rule.

Prepare for the next module


When you have finished the lab, revert all virtual machines to their initial state:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20687D-LON-CL1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20687D-LON-DC1.


Module 12: Optimizing and Maintaining Windows 8.1 Computers

Lab A: Optimizing Windows 8.1 Performance

Exercise 1: Creating a Performance Baseline
Task 1: Establish a performance baseline
1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.

2. In the lower-left corner, right-click the Windows icon, and then click Control Panel.

3. Click System and Security, and then click Administrative Tools.

4. Double-click Performance Monitor.

5. In Performance Monitor, in the navigation pane, expand Data Collector Sets.

6. Expand User Defined, right-click User Defined, point to New, and then click Data Collector Set.

7. In the Create new Data Collector Set Wizard, on the How would you like to create this new data collector set? page, in the Name box, type Adatum Baseline.

8. Click Create manually (Advanced), and then click Next.

9. On the What type of data do you want to include? page, select the Performance counter check box, and then click Next.

10. On the Which performance counters would you like to log? page, in the Sample interval box, type 1, and then click Add.

11. In the Available counters list, expand Memory, select Pages/sec, and then click Add.

12. In the Available counters list, expand Network Interface, select Packets/sec, and then click Add.

13. In the Available counters list, expand PhysicalDisk, select % Disk Time, and then click Add.

14. Under PhysicalDisk, select Avg. Disk Queue Length, and then click Add.

15. In the Available counters list, expand Processor, select % Processor Time, and then click Add.

16. In the Available counters list, expand System, select Processor Queue Length, click Add, and then click OK.

17. On the Which performance counters would you like to log? page, click Next.

18. On the Where would you like the data to be saved? page, click Next.

19. On the Create the data collector set? page, click Finish.

20. In Performance Monitor, in the navigation pane, right-click Adatum Baseline, and then click Start.

21. Pause the pointer over the lower-right corner of the desktop, and then click Start.

22. On the Start screen, click the Down Arrow, and then in Apps, click Word 2013.

23. In the User Name dialog box, click OK.

24. In Microsoft Word 2013, if prompted to Help Protect and Improve Microsoft Office, click Don't make changes, and then click OK.

25. Pause the pointer over the lower-right corner of the desktop, and then click Start.

26. On the Start screen, click the Down Arrow, and then in Apps, click Excel 2013.

27. Pause the pointer over the lower-right corner of the desktop, and then click Start.

28. On the Start screen, click the Down Arrow, and then in Apps, click PowerPoint 2013.

29. Close all open Microsoft Office apps, and then switch to Performance Monitor.

30. In the navigation pane, right-click Adatum Baseline, and then click Stop.

Task 2: View the baseline report


1. In Performance Monitor, in the navigation pane, expand Reports, expand User Defined, expand Adatum Baseline, and then click the report that has a name that begins with LON-CL1.

2. View the chart. On the menu bar, click the drop-down arrow, and then click Report.

3. Record the following values:

   o Memory\Pages/sec
   o Network Interface\Packets/sec
   o PhysicalDisk\% Disk Time
   o PhysicalDisk\Avg. Disk Queue Length
   o Processor\% Processor Time
   o System\Processor Queue Length

Results: After completing this exercise, you should have created a performance baseline.

Exercise 2: Introducing Additional Workload


Task 1: Create a load on the computer


1. On LON-CL1, in Performance Monitor, in the navigation pane, right-click Adatum Baseline, and then click Start.

2. From the Start screen, type cmd, and then click Command Prompt.

3. In the Administrator: Command Prompt window, type E:\Labfiles\Mod12\Load.cmd, and then press Enter.

Results: After completing this exercise, you should have generated additional load on the computer.

Exercise 3: Measuring System Responsiveness Under Load


Task 1: Identify performance bottlenecks on the computer
1. Switch to the Administrative Tools window.

2. Double-click Resource Monitor.

3. In Resource Monitor, which components are under strain?


   Answer: Answers will vary depending on the usage scenario and host configuration, although the central processing unit (CPU) and network likely are being used heavily.

4. After a few minutes, click OK at the prompt, and then close the instance of C:\Windows\System32\Cmd.exe that the script launched, if necessary.

5. Switch to Performance Monitor.

6. In the navigation pane, right-click Adatum Baseline, and then click Stop.

7. In Performance Monitor, in the navigation pane, expand Reports, expand User Defined, expand Adatum Baseline, and then click the second report that has a name that begins with LON-CL1.

8. View the chart. On the menu bar, click the drop-down arrow, and then click Report.

9. Record the component details:

   o Memory\Pages/sec
   o Network Interface\Packets/sec
   o PhysicalDisk\% Disk Time
   o PhysicalDisk\Avg. Disk Queue Length
   o Processor\% Processor Time
   o System\Processor Queue Length

10. In your opinion, which components are affected the most?

   Answer: The script is affecting the CPU and network. However, no resources are approaching limits.

11. Close all open windows and programs, and then go back to the Start screen.

Results: After completing this exercise, you should have identified the computer's performance bottleneck.
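Exercises 1 and 3 collect the same six counters twice, once idle and once under Load.cmd, and compare the two reports by eye. The following PowerShell is an added example for this edition, not part of the lab, that does the same comparison with Get-Counter so the baseline can be kept as data and the comparison repeated on other computers; it assumes the default _Total instances for the processor and disk counters and a 30-second window per run. The logman lines at the end create the lab's data collector set from the command line for the same purpose.

```powershell
# Added example, not from the course lab. Run on LON-CL1; start Load.cmd between the two runs.
$counters = @(
    '\Memory\Pages/sec'
    '\Network Interface(*)\Packets/sec'
    '\PhysicalDisk(_Total)\% Disk Time'
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length'
    '\Processor(_Total)\% Processor Time'
    '\System\Processor Queue Length'
)

# Sample once per second for $Seconds and average each counter path. Multi-instance paths
# such as Network Interface(*) come back one row per instance.
function Get-CounterAverage {
    param([string[]]$Counter, [int]$Seconds = 30)
    $samples = Get-Counter -Counter $Counter -SampleInterval 1 -MaxSamples $Seconds -ErrorAction SilentlyContinue
    $samples.CounterSamples | Group-Object -Property Path | ForEach-Object {
        [pscustomobject]@{
            Counter = $_.Name -replace '^\\\\[^\\]+', ''      # drop the leading \\computername
            Average = [math]::Round(($_.Group.CookedValue | Measure-Object -Average).Average, 2)
        }
    }
}

# Compare two runs; a bottleneck is a counter that stays near its limit under load
# (e.g. % Processor Time near 100, Processor Queue Length above ~2 per core, % Disk Time near 100).
function Compare-CounterRun {
    param($Baseline, $UnderLoad)
    foreach ($b in $Baseline) {
        $l = $UnderLoad | Where-Object Counter -eq $b.Counter
        [pscustomobject]@{ Counter = $b.Counter; Baseline = $b.Average; UnderLoad = $l.Average
                           Change = $(if ($l) { [math]::Round($l.Average - $b.Average, 2) }) }
    }
}

$baseline = Get-CounterAverage -Counter $counters -Seconds 30
Read-Host -Prompt 'Start E:\Labfiles\Mod12\Load.cmd in another window, then press Enter' | Out-Null
$underLoad = Get-CounterAverage -Counter $counters -Seconds 30
Compare-CounterRun -Baseline $baseline -UnderLoad $underLoad | Format-Table -AutoSize

# The same data collector set as a scriptable definition (log written under C:\PerfLogs):
# logman create counter "Adatum Baseline" -c $counters -si 00:00:01 -o C:\PerfLogs\AdatumBaseline
# logman start "Adatum Baseline"     ...     logman stop "Adatum Baseline"
```

Keep the baseline output from a known-good day; the comparison is only meaningful against a baseline taken on the same hardware with a comparable workload.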

Task 2: Prepare for the next lab

When you have finished the lab, leave the virtual machines running, as they are needed for the next
lab.

Lab B: Maintaining Windows Updates


Exercise 1: Configuring Windows Update
Task 1: Verify that Automatic Updates are disabled
1. Switch to LON-CL1, and from the Start screen, click Desktop.

2. Pause the pointer in the lower-right corner of the display, and then click Settings.

3. Click Control Panel, and then click System and Security.

4. Click Windows Update, and then click Change settings.

5. Click Never check for updates (not recommended), and then click OK.

Task 2: Enable Automatic Updates in Group Policy


1. Switch to LON-DC1, and then sign in as Adatum\Administrator with password Pa$$w0rd.

2. Pause the pointer over the lower-right corner of the desktop display, and then click Start.

3. On the Start screen, click Administrative Tools, and then double-click Group Policy Management.

4. If necessary, expand Forest: Adatum.com, expand Domains, and then expand Adatum.com.

5. Right-click Default Domain Policy, and then click Edit.

6. Under Computer Configuration, expand Policies, expand Administrative Templates, expand Windows Components, and then click Windows Update.

7. In the results pane, double-click Configure Automatic Updates.

8. In the Configure Automatic Updates window, click Enabled.

9. In the Configure automatic updating box, click 4 - Auto download and schedule the install, and then click OK.

10. Close the Group Policy Management Editor window.

11. Close the Group Policy Management window.

Task 3: Verify that the Automatic Updates setting from the Group Policy Object is
being applied
1. Switch to LON-CL1.

2. Pause the pointer in the lower-right corner of the display, and then click Start.

3. On the Start screen, type Command, and then click Command Prompt.

4. At the command prompt, type gpupdate /force, and then press Enter.

5. Close the Command Prompt window.

6. Switch to Windows Update.

7. Notice that your computer is now configured for Automatic Updates.
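Task 2 edits the Default Domain Policy for brevity. Outside a lab, put the Windows Update settings in a dedicated GPO linked to the domain or to the computer OUs, so that the setting can be scoped, filtered and rolled back without touching the domain's baseline policy. The following PowerShell is an added example for this edition, not part of the lab: the first half creates such a GPO on LON-DC1 with the same Configure Automatic Updates setting (option 4), and the second half is the check from Task 3 done from the registry on LON-CL1. It assumes the standard WindowsUpdate\AU policy key and value names and the lab domain DC=Adatum,DC=com.

```powershell
# Added example, not from the course lab.

# --- LON-DC1: dedicated GPO instead of Default Domain Policy ---
Import-Module GroupPolicy
$gpoName = 'Windows Update - Auto download and schedule'
$auKey   = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | New-GPLink -Target 'DC=Adatum,DC=com' | Out-Null
}
Set-GPRegistryValue -Name $gpoName -Key $auKey -ValueName 'NoAutoUpdate'         -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $auKey -ValueName 'AUOptions'            -Type DWord -Value 4 | Out-Null
# Schedule: day 0 = every day (1..7 = Sunday..Saturday), hour in 24-hour clock (policy defaults: 0 and 3).
Set-GPRegistryValue -Name $gpoName -Key $auKey -ValueName 'ScheduledInstallDay'  -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $auKey -ValueName 'ScheduledInstallTime' -Type DWord -Value 3 | Out-Null
Get-GPRegistryValue -Name $gpoName -Key $auKey | Format-Table ValueName, Value -AutoSize

# --- LON-CL1 after gpupdate /force: what the policy actually wrote ---
function Get-AutomaticUpdatesPolicy {
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    if (-not $p) { return 'No Windows Update policy applied; the Control Panel setting from Task 1 is in effect' }
    $options = @{ 2 = 'Notify for download and notify for install'
                  3 = 'Auto download and notify for install'
                  4 = 'Auto download and schedule the install'
                  5 = 'Allow local admin to choose setting' }
    [pscustomobject]@{
        AutomaticUpdates = $(if ($p.NoAutoUpdate -eq 1) { 'Disabled by policy' } else { 'Enabled by policy' })
        Option           = $options[[int]$p.AUOptions]
        InstallDay       = $p.ScheduledInstallDay
        InstallHour      = $p.ScheduledInstallTime
    }
}
Get-AutomaticUpdatesPolicy | Format-List
```

When the policy key is present, the Windows Update page in Control Panel shows the chosen option greyed out with a note that some settings are managed by your system administrator, which is the visual confirmation Task 3 step 7 asks for.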

Results: After completing this exercise, you should have configured Windows Update settings by using
Group Policy Objects.

Task 4: Prepare for the next module


When you have finished the lab, revert all virtual machines back to their initial state:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20687D-LON-CL1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20687D-LON-DC1.


Module 13: Configuring Mobile Computing and Remote Access

Lab A: Configuring a Power Plan


Exercise 1: Creating and Configuring a New Power Plan
Task 1: Create a power plan on Adam's laptop computer

1. Sign in to LON-CL1 as Adatum\Adam with password Pa$$w0rd.

2. On the Start screen, type Control Panel.

3. Click Control Panel.

4. Click System and Security, and then click Power Options.

5. On the left, click Create a power plan.

6. On the Create a power plan page, click Power saver.

7. In the Plan name box, type Adam's power-saving plan, and then click Next.

8. On the Change settings for the plan: Adam's power-saving plan page, click Create.

Task 2: Configure the power plan


1. On the Power Options page, next to Adam's power-saving plan, click Change plan settings.

2. On the Change settings for the plan: Adam's power-saving plan page, click Change advanced power settings.

3. Configure the following properties for the plan, and then click OK:

   o Turn off hard disk after: 3 minutes
   o Wireless Adapter Settings, Power Saving Mode: Maximum Power Saving
   o Power buttons and lid, Power button action: Shut down

4. On the Change settings for the plan: Adam's power-saving plan page, click Cancel.

5. Close Power Options.

6. Sign out from LON-CL1.
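The same plan can be created with powercfg, which is how it would be reproduced on more than one laptop. The following PowerShell is an added example for this edition, not part of the lab. SUB_DISK, DISKIDLE, SUB_BUTTONS, PBUTTONACTION and SCHEME_MAX are documented powercfg aliases (powercfg /aliases lists them); the two wireless-adapter GUIDs are assumed from the standard power-setting GUIDs and should be confirmed with powercfg /query on the target computer, where the subgroup only exists if a wireless adapter is present.

```powershell
# Added example, not from the course lab. Run in the user's session on LON-CL1 (no elevation needed
# for a per-user plan).
$out  = powercfg /duplicatescheme SCHEME_MAX                     # clone the built-in Power saver plan
$guid = [regex]::Match([string]$out, '[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}').Value
if (-not $guid) { throw "powercfg did not return a scheme GUID: $out" }
powercfg /changename $guid "Adam's power-saving plan" "Cloned from Power saver"

# Turn off hard disk after 3 minutes; the index value is in seconds. Set AC and battery (DC) alike.
powercfg /setacvalueindex $guid SUB_DISK DISKIDLE 180
powercfg /setdcvalueindex $guid SUB_DISK DISKIDLE 180

# Wireless Adapter Settings > Power Saving Mode: 0 = Maximum Performance ... 3 = Maximum Power Saving.
# Assumed GUIDs; verify with: powercfg /query $guid
$wlanSubgroup = '19cbb8fa-5279-450e-9fac-8a3d5fedd0c1'
$wlanSetting  = '12bbebe6-58d6-4636-95bb-3217ef867c1a'
powercfg /setacvalueindex $guid $wlanSubgroup $wlanSetting 3
powercfg /setdcvalueindex $guid $wlanSubgroup $wlanSetting 3

# Power button action: 0 = Do nothing, 1 = Sleep, 2 = Hibernate, 3 = Shut down.
powercfg /setacvalueindex $guid SUB_BUTTONS PBUTTONACTION 3
powercfg /setdcvalueindex $guid SUB_BUTTONS PBUTTONACTION 3

powercfg /setactive $guid
powercfg /query $guid SUB_DISK DISKIDLE      # Current AC Power Setting Index: 0x000000b4 (180 seconds)
```

powercfg /list afterwards shows the new plan marked with an asterisk as the active one, matching what Power Options displays in Task 2.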

Results: After completing this exercise, you should have successfully created and configured a suitable power plan for Adam's laptop computer.

Prepare for the next lab

When you have finished the lab, leave the virtual machines running, as they are needed for the next
lab.


Lab B: Implementing DirectAccess by Using the Getting Started Wizard

Exercise 1: Configuring DirectAccess
Task 1: Install the Remote Access server role

1. On LON-SVR2, in Server Manager, click Manage, and then click Add Roles and Features.

2. In the Add Roles and Features Wizard window, click Next.

3. On the Select installation type page, click Next.

4. On the Select destination server page, click Next.

5. On the Select server roles page, click Remote Access, and then click Next.

6. On the Select features page, click Next.

7. On the Remote Access page, click Next.

8. On the Select role services page, click DirectAccess and VPN (RAS).

9. In the Add Roles and Features Wizard window, click Add Features, and then click Next.

10. On the Confirm installation selections page, click Install.

11. After the installation finishes, click Close.

Task 2: Create a security group for DirectAccess clients
1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Users and Computers.
2. In Active Directory Users and Computers, right-click the Users container, click New, and then click Group.
3. In the New Object - Group window, type DA_Clients in the Group name box, and then click OK.
4. Double-click the Users container.
5. Right-click DA_Clients, and then click Properties.
6. In the Properties dialog box, click the Members tab, and then click Add.
7. Click Object Types, select Computers, and then click OK.
8. Type LON-CL1, and then click OK.
9. In the DA_Clients Properties dialog box, click OK.
10. Close Active Directory Users and Computers.

Task 3: Configure DirectAccess by using the Getting Started Wizard
1. Switch to LON-SVR2.
2. On LON-SVR2, in Server Manager, click Tools, and then select Remote Access Management.
3. In the Remote Access Management console, under Configuration, click DirectAccess and VPN.
4. Click Run the Getting Started Wizard.
5. On the Configure Remote Access page, click Deploy DirectAccess only.
6. Verify that Edge is selected, and in the Type the public name or IPv4 address used by clients to connect to the Remote Access server box, type 131.107.0.2, and then click Next.

7. On the Configure Remote Access page, click the here link.
8. On the Remote Access Review page, verify that two Group Policy Objects (GPOs) have been created: DirectAccess Server Settings and DirectAccess Client Settings.
9. Next to Remote Clients, click Change.
10. In the Remote Access Setup window, click Domain Computers (ADATUM\Domain Computers), and then click Remove.
11. Click Add.
12. In the Select Groups window, type DA_Clients, and then click OK.
13. Clear the Enable DirectAccess for mobile computers only check box, and then click Next.
14. On the DirectAccess Client Setup page, click Finish.
15. On the Remote Access Review page, click OK.
16. On the Configure Remote Access page, click Finish to finish the DirectAccess wizard.
17. In the Applying Getting Started Wizard Settings dialog box, click Close.
18. Restart LON-SVR2.
19. Wait for LON-SVR2 to restart, and then sign in as Adatum\Administrator with password Pa$$w0rd.
20. In Server Manager, click Tools, and then click Remote Access Management.
21. In the Remote Access Management console, click Operations Status.
22. All components should have a Status of Working and a green check mark beside them. If this is not the case, click Refresh to update the Operations Status view. You might have to do this several times.

Results: After completing this exercise, you should have configured DirectAccess by using the Getting Started Wizard.
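The three tasks above can be scripted with the RemoteAccess and ActiveDirectory modules, which is how you would reproduce the deployment or compare a production server against it. The block below is an added example (not part of the course). It assumes the lab values (public address 131.107.0.2, domain Adatum.com, group DA_Clients, client LON-CL1) and that the Internet-facing and internal NICs on LON-SVR2 are named as in the two variables; adjust those to your server. Keep in mind what the Getting Started Wizard gives you: Kerberos proxy authentication instead of computer certificates, a self-signed IP-HTTPS certificate, and the Network Location Server hosted on the DirectAccess server itself. That is fine for a lab; a production deployment should use certificates from an internal CA and a separate, highly available NLS.

```powershell
# Added example: Exercise 1 (Tasks 1-3) as PowerShell. Run on LON-SVR2 as a
# domain administrator. Assumed: NIC names below, lab addresses and names.

$ErrorActionPreference = 'Stop'
$internetNic = 'Ethernet'     # assumed: Internet-facing adapter on LON-SVR2
$internalNic = 'Ethernet 2'   # assumed: corporate-network adapter on LON-SVR2

# Task 1: Remote Access role with the "DirectAccess and VPN (RAS)" role service.
Install-WindowsFeature -Name DirectAccess-VPN -IncludeManagementTools

# Task 2: security group that scopes the client GPO to selected computers only.
Import-Module ActiveDirectory
New-ADGroup -Name 'DA_Clients' -GroupScope Global -GroupCategory Security `
    -Path 'CN=Users,DC=Adatum,DC=com'
Add-ADGroupMember -Identity 'DA_Clients' -Members (Get-ADComputer -Identity 'LON-CL1')

# Task 3: "Deploy DirectAccess only", Edge topology, public IPv4 address.
Import-Module RemoteAccess
Install-RemoteAccess -DAInstallType FullInstall -ConnectToAddress '131.107.0.2' `
    -InternetInterface $internetNic -InternalInterface $internalNic `
    -ClientGpoName 'Adatum.com\DirectAccess Client Settings' `
    -ServerGpoName 'Adatum.com\DirectAccess Server Settings' -PassThru

# Steps 10-13: replace the wizard's default "Domain Computers" scope with
# DA_Clients and allow non-mobile computers as well.
Remove-DAClient -SecurityGroupNameList 'ADATUM\Domain Computers'
Add-DAClient    -SecurityGroupNameList 'ADATUM\DA_Clients'
Set-DAClient    -OnlyRemoteComputers Disabled

# Step 8: the two GPOs exist, and only DA_Clients can apply the client GPO.
Get-GPO -All | Where-Object DisplayName -like 'DirectAccess*' |
    Select-Object DisplayName, Id
Get-GPPermission -Name 'DirectAccess Client Settings' -All |
    Where-Object Permission -eq 'GpoApply' |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }

# Steps 21-22: the Operations Status view; every component should be Working.
Get-RemoteAccessHealth | Format-Table Component, HealthState -AutoSize
```

Restart LON-SVR2 after `Install-RemoteAccess` exactly as in step 18; `Get-RemoteAccessHealth` is the command to re-run until all components report a healthy state.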

Exercise 2: Validating the DirectAccess Deployment


Task 1: Verify the DirectAccess GPO deployment
1. When you configured the DirectAccess server, the wizard created two Group Policy Objects and linked them to the domain.
2. Restart LON-CL1, and then sign in as Adatum\Administrator with password Pa$$w0rd to apply the GPOs.
3. On LON-CL1, from the Start screen, type cmd, and then press Enter.
4. At the command prompt, type the following command, and then press Enter:
gpresult /R
5. Under the Computer Settings section, verify that the DirectAccess Client Settings GPO is applied.
Note: If the DirectAccess Client Settings GPO is not applied, restart LON-CL1, sign in as Adatum\Administrator with password Pa$$w0rd, and then repeat steps 3 and 4 on LON-CL1.
6. At the command prompt, type the following command, and then press Enter:
netsh name show effectivepolicy
7. Verify that the following message displays: DNS Effective Name Resolution Policy Table Settings. Note: DirectAccess settings are inactive when this computer is inside a corporate network.

8. To move the client from the intranet to the public network, go to the Start screen, type ncpa.cpl, and then press Enter.
9. In the Network Connections window, right-click the Ethernet connection, and then click Disable.
10. In the Network Connections window, right-click the Ethernet 2 connection, and then click Enable.
11. Close the Network Connections window.
12. Close all open windows.

Task 2: Test DirectAccess connectivity
1. Switch to LON-SVR1.
2. Click the File Explorer icon on the taskbar, and in the This PC window, double-click Local Disk (C:).
3. In the Local Disk (C:) window, right-click in the empty space in the details pane, click New, click Folder, type Data, and then press Enter.
4. In the Local Disk (C:) window, right-click Data, click Share with, and then click Specific people.
5. In the File Sharing window, from the drop-down list, select Everyone, click Add, click Share, and then click Done.
6. Switch to LON-CL1.
7. On the Start screen, type \\LON-SVR1\Data, and then press Enter. Note that you are able to access the folder content.
8. Close all open windows.
9. Move the pointer to the lower-right corner of the screen, and in the notification area, click Search, and in the Search box, type cmd.
10. At the command prompt, type ipconfig, and then press Enter.
Note: Notice that the IP address for Tunnel adapter iphttpsinterface starts with 2002. This is an IP over HTTPS (IP-HTTPS) address; the Getting Started Wizard derives the IP-HTTPS prefix from the server's public IPv4 address in 6to4 form (2002:836b:2:1::/64 for 131.107.0.2).
11. At the command prompt, type the following, and then press Enter:
netsh name show effectivepolicy
12. Verify that DNS Effective Name Resolution Policy Table Settings presents two entries, for adatum.com and DirectAccess-NLS.Adatum.com.
13. At the command prompt, type the following command, and then press Enter:
powershell

14. At the command prompt in the Windows PowerShell command-line interface, type the following
command, and then press Enter:
Get-DAClientExperienceConfiguration

Note: Notice the DirectAccess client settings.


15. Switch to LON-SVR2.
16. Switch to the Remote Access Management console.
17. In the Remote Access Management console, click Remote Client Status.
Note: Notice that Client is connected via IPHttps. In the Connection Details pane, in the
lower-right of the screen, note the use of the Kerberos version 5 protocol for the Machine and
the User.
18. Close all open windows.

Results: After completing this exercise, you should have validated the DirectAccess deployment.
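Exercise 2 runs its checks one at a time in cmd.exe and the console. The script below is an added example (not part of the course) that performs the same validation from PowerShell on LON-CL1 after it has been moved to the external network, using the DnsClient, NetworkTransition and DirectAccessClientComponents modules that ship with Windows 8.1; the final command is the server-side Remote Client Status view and is run on LON-SVR2. It assumes the lab's adapter names (Ethernet, Ethernet 2), the \\LON-SVR1\Data share from Task 2 and the lab addresses. The points worth confirming from a security standpoint are that the NRPT exempts only the NLS name, that the tunnel really is IP-HTTPS (not an unintended 6to4 or Teredo path), and that both the machine and user tunnels authenticated with Kerberos, as the Remote Client Status pane shows.

```powershell
# Added example: Exercise 2 as a PowerShell check list. Run elevated on LON-CL1
# (last block on LON-SVR2). Assumed: lab NIC names, share and addresses.

$ErrorActionPreference = 'Stop'

# Task 1, steps 8-10: move the client to the "Internet" side and let the
# DirectAccess client components notice the change.
Disable-NetAdapter -Name 'Ethernet'   -Confirm:$false
Enable-NetAdapter  -Name 'Ethernet 2' -Confirm:$false
Start-Sleep -Seconds 15

# Task 1, step 5: the DirectAccess Client Settings GPO must apply to the computer.
$applied = gpresult /r /scope:computer | Select-String 'DirectAccess Client Settings'
if (-not $applied) {
    throw 'DirectAccess Client Settings GPO is not applied; run "gpupdate /force" and retry.'
}

# Task 2, step 12: effective NRPT (same data as "netsh name show effectivepolicy").
# Expect .adatum.com resolved by the DirectAccess DNS server and
# DirectAccess-NLS.adatum.com exempted (no DirectAccess DNS server listed).
Get-DnsClientNrptPolicy -Effective |
    Format-Table Namespace, DirectAccessDnsServers, DirectAccessEnabled -AutoSize

# Task 2, step 10: transition technology in use. InterfaceStatus should report
# IP-HTTPS as connected; the address comes from the 2002:836b:2:1::/64 prefix.
Get-NetIPHttpsState | Format-List InterfaceStatus, LastErrorCode
Get-NetIPAddress -InterfaceAlias 'iphttpsinterface' -AddressFamily IPv6 |
    Select-Object IPAddress, PrefixLength

# Task 2, step 14: what the client has been told about the deployment.
Get-DAClientExperienceConfiguration |
    Select-Object FriendlyName, CorporateResources, IPsecTunnelEndpoints

# Task 2, step 7: an intranet resource must be reachable through the tunnel.
if (-not (Test-Path '\\LON-SVR1\Data')) {
    throw 'Cannot reach \\LON-SVR1\Data over DirectAccess.'
}
Write-Host 'Client-side DirectAccess validation passed.'

# Task 2, step 17, on LON-SVR2: connected clients, transport and authentication.
# Expect ConnectionType IPHttps and AuthMethod Kerberos for the lab deployment.
# Get-RemoteAccessConnectionStatistics |
#     Format-Table UserName, ConnectionType, AuthMethod -AutoSize
```

If `Get-NetIPHttpsState` reports an error code, the usual causes are the public name or address in the client GPO not matching what the server certificate presents, or TCP 443 to 131.107.0.2 being blocked on the path.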

Prepare for the next lab

When you have finished the lab, revert the virtual machines to their initial state:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687D-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20687D-LON-SVR1, 20687D-LON-SVR2, and 20687D-LON-DC1.

Lab C: Implementing Remote Desktop


Exercise 1: Configuring a Remote Desktop Connection

Task 1: Enable Remote Desktop through the firewall, and enable Remote Desktop on Adam's office computer
1. On LON-CL1, from the Start screen, type Control Panel, and then click the Control Panel tile.
2. Click System and Security.
3. Under Windows Firewall, click Allow an app through Windows Firewall.
4. In the Name list, select Remote Desktop, and then enable the application for each of the network profiles: Domain, Private, and Public. Click OK.
5. In System and Security, click Allow remote access.
6. In the System Properties dialog box, under Remote Desktop, click Allow remote connections to this computer.
7. Click Select Users, and then click Add.
8. In the Select Users or Groups dialog box, in the Enter the object names to select (examples) box, type Adam, click Check Names, and then click OK.
9. In the Remote Desktop Users dialog box, click OK.
10. In the System Properties dialog box, click OK.
11. Close all open windows.
12. Switch to LON-CL2, and then sign in as Adatum\Administrator with password Pa$$w0rd.
13. On the Start screen, type mstsc, and then click Remote Desktop Connection.
14. In the Remote Desktop Connection dialog box, in the Computer box, type lon-cl1, and then click Show Options.
15. Click the Advanced tab.
16. Under Server authentication, in the If server authentication fails drop-down list, click Connect and don't warn me.

Task 2: Connect to the remote computer with Remote Desktop
1. On LON-CL2, in the Remote Desktop Connection dialog box, click Connect.
2. In the Windows Security dialog box, click Use another account.
3. In the User name box, type Adatum\Adam, in the Password box, type Pa$$w0rd, and then click OK.
4. When prompted, click Yes to proceed with the logon.
5. On the Start screen, type This PC, right-click This PC, and then click Properties.
6. Notice the computer name.
7. Close the Remote Desktop session. In the Remote Desktop Connection dialog box, click OK.
8. Close all open windows.
9. Switch to LON-CL1.
10. Notice that you have been signed out.

Results: After completing this exercise, you should have verified that Remote Desktop is functional.
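The server side of Task 1 (firewall rule, enabling Remote Desktop, the Remote Desktop Users membership) is a registry change, a firewall rule and a local group, all of which can be set from an elevated PowerShell prompt. The script below is an added example (not part of the course) with two tightenings a practitioner would apply over the lab steps: the Remote Desktop firewall group is opened for the Domain profile only rather than all three, and the listener is set to require Network Level Authentication over TLS. That second setting matters for step 16 of Task 1. "Connect and don't warn me" suppresses the certificate check on the client; inside the domain, NLA still authenticates LON-CL1 to the client through the Kerberos exchange in CredSSP, but when Kerberos is unavailable (connecting by IP address, or from a non-domain client, where CredSSP falls back to NTLM) that suppressed warning is the only server authentication you had, so leave it on outside the lab. The audit query at the end shows what Task 2 leaves in the Security log. It assumes the lab user ADATUM\Adam.

```powershell
# Added example: server side of Lab C Task 1 with hardening, run elevated on
# LON-CL1. Assumed: the user to grant access is ADATUM\Adam.

$ErrorActionPreference = 'Stop'
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# "Allow remote connections to this computer".
Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0

# Require Network Level Authentication (UserAuthentication = 1) and TLS as the
# security layer (SecurityLayer = 2; 0 = RDP, 1 = Negotiate) on the RDP-Tcp listener.
Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1
Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name SecurityLayer      -Value 2

# Firewall: the built-in "Remote Desktop" rule group, Domain profile only
# (the lab enables Domain, Private and Public).
Set-NetFirewallRule    -DisplayGroup 'Remote Desktop' -Profile Domain
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# "Select Users": membership of the local Remote Desktop Users group.
net localgroup 'Remote Desktop Users' 'ADATUM\Adam' /add

# Verify what was set.
Get-ItemProperty -Path $ts -Name fDenyTSConnections
Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication, SecurityLayer
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Select-Object DisplayName, Enabled, Profile, Direction
net localgroup 'Remote Desktop Users'

# Audit: Task 2 produces event 4624 with LogonType 10 (RemoteInteractive).
# Properties[5] = TargetUserName, [8] = LogonType, [18] = IpAddress.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 200 |
    Where-Object { $_.Properties[8].Value -eq 10 } |
    Select-Object TimeCreated,
        @{ n = 'User';       e = { $_.Properties[5].Value } },
        @{ n = 'SourceAddr'; e = { $_.Properties[18].Value } }
```

The sign-out observed in step 10 of Task 2 is expected: a Windows 8.1 client allows one interactive session, so Adam's remote logon replaced his console session.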

Prepare for the next module

When you have finished the lab, revert the virtual machines to their initial state:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687D-LON-CL2, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20687D-LON-CL1 and 20687D-LON-DC1.

Module 14: Recovering Windows 8.1

Lab: Recovering Windows 8.1


Exercise 1: Configuring and Using File History
Task 1: Create a share for File History
1. On LON-DC1, on the taskbar, click File Explorer. In the navigation pane, click Local Disk (C:).
2. In File Explorer, in the details pane, right-click an empty space, point to New, and then click Folder. Type FileHistory as the folder name, and then press Enter.
3. Right-click the FileHistory folder, and then click Properties.
4. In the FileHistory Properties dialog box, on the Security tab, click Edit. Click Add, enter Domain in the Enter the object names to select box, and then click OK. Click Domain Users, and then click OK.
5. In the Permissions for Domain Users section, in the Allow column, select the Full control check box, and then click OK.
6. On the Sharing tab, click Advanced Sharing.
7. Select the Share this folder check box, and then click Permissions. In the Permissions for Everyone section, in the Allow column, click Full Control, and then click OK twice.
8. In the FileHistory Properties dialog box, click Close.

Task 2: Configure and use File History
1. On LON-CL1, on the Start screen, type file, and then click File Explorer.
2. In File Explorer, in the navigation pane, expand This PC, and then click Documents.
3. Right-click in the details pane, point to New, click Microsoft Word Document, and then name the document Recovery file.
4. Double-click Recovery file.docx.
5. In the First things first dialog box, select the Ask me later check box, and then click Accept.
6. Close the Welcome to your new Office window.
7. In Word, type This document is modified.
8. In Word, save the file by pressing Ctrl+S, and then close Word.
9. On the desktop, right-click the Start icon, and then click Control Panel.
10. In Control Panel, in the Search Control Panel field, type history, and then click File History.
11. In the File History dialog box, in the navigation pane, click the Select drive link.
12. In Select Drive, click Add network location, in the Folder field, type \\LON-DC1\FileHistory, click Select Folder, and then click OK.
13. In the File History dialog box, in the details pane, click Turn on.
14. In the File History dialog box, in the navigation pane, click Advanced settings. Review the options, and then click Cancel.
15. In File Explorer, in the navigation pane, click Documents.


16. In File Explorer, right-click Recovery file.docx, press the Shift key, and then select Delete. Click Yes
in the Delete File dialog box.
17. In File Explorer, click the Home tab, and then click History.
18. In Documents File History, right-click Recovery file.docx, and then click Restore.
19. In File Explorer, notice that the Word document has been recovered.
20. Double-click Recovery file.docx, and then verify that it has the content that you typed earlier.
21. Close File Explorer and the Documents File History window.

Task 3: Protect an additional folder with File History
1. On LON-CL1, in the File History dialog box, in the navigation pane, click Restore personal files.
2. In the Home - File History window, verify that three file folders and four libraries are shown. Double-click Documents, and then verify that only Recovery file is shown. Close Documents - File History.
3. In File Explorer, click the View tab, select Options, and then select Change folder and search options.
4. In the Folder Options dialog box, in the Navigation pane section, select Show libraries, and then click OK.
5. In File Explorer, in the navigation pane, expand Libraries. Right-click the Documents library, and then click Properties.
6. In the Documents Properties dialog box, click Add. In the Folder field, type E:\Labfiles\Docs, click Include folder, and then click OK.
7. In the File History dialog box, in the details pane, click Run now.
8. In File Explorer, navigate to the E:\Labfiles\Docs folder. Right-click Windows.docx, press the Shift key, and then select Delete. In the Delete File dialog box, click Yes.
9. In the File History dialog box, in the navigation pane, click Restore personal files.
10. In Home - File History, double-click Documents. Right-click Windows.docx, select Restore to, in the Folder field type E:\Labfiles, and then click Select Folder.
11. In File Explorer, verify that the file Windows.docx is restored to the E:\Labfiles folder.
12. Close File Explorer, File History, and the Documents - File History window.

Results: After completing this exercise, you should have configured and used the File History feature.
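Task 1 grants Domain Users Full control on the FileHistory folder and Everyone Full Control on the share, which lets any domain user read, alter or delete every other user's backups. That is acceptable in a lab but not in production. The script below is an added example (not part of the course) that creates the same \\LON-DC1\FileHistory share with the classic home-folder permission pattern: users may list the share root and create a folder there, CREATOR OWNER gets full control on whatever they create, and administrators keep full control throughout; the share itself requires SMB encryption so backups are not readable on the wire. It assumes that File History only ever writes inside the per-user subfolder it creates under the share root (the <user>\<computer>\Data layout), so no user needs write access to the root itself. Run it elevated on LON-DC1.

```powershell
# Added example: least-privilege version of Lab Task 1 on LON-DC1 (elevated).
# Assumed: File History writes only inside the per-user folder it creates under
# the share root; domain is ADATUM.

$ErrorActionPreference = 'Stop'
$path = 'C:\FileHistory'
New-Item -Path $path -ItemType Directory -Force | Out-Null

# NTFS: stop inheriting from C:\, drop inherited ACEs, then add explicit ones.
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true, $false)
foreach ($existing in @($acl.Access)) { [void]$acl.RemoveAccessRule($existing) }

$inheritAll = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rules = @(
    # Administrators and SYSTEM: full control on the tree.
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        'BUILTIN\Administrators', 'FullControl', $inheritAll, 'None', 'Allow'),
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        'NT AUTHORITY\SYSTEM', 'FullControl', $inheritAll, 'None', 'Allow'),
    # Whoever creates a subfolder owns it and gets full control on it only
    # (inherit-only ACE: it never applies to the root itself).
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        'CREATOR OWNER', 'FullControl', $inheritAll, 'InheritOnly', 'Allow'),
    # Domain Users: list the root and create their own folder; this folder only.
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        'ADATUM\Domain Users',
        'ListDirectory, CreateDirectories, ReadAttributes, Traverse, ReadPermissions',
        'None', 'None', 'Allow')
)
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path $path -AclObject $acl

# Share: Change is enough because NTFS does the real restriction; require SMB 3
# encryption (Windows 8.1 clients support it) so backups are protected in transit.
New-SmbShare -Name 'FileHistory' -Path $path -ChangeAccess 'ADATUM\Domain Users' -EncryptData $true

# Verify the result.
(Get-Acl -Path $path).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
Get-SmbShareAccess -Name 'FileHistory'
Get-SmbShare -Name 'FileHistory' | Select-Object Name, Path, EncryptData
```

After a client has run File History once, confirm with `Get-Acl \\LON-DC1\FileHistory\<user>` that the user's folder is owned by that user and carries the inherited CREATOR OWNER grant, and that a second user's `Test-Path` on it is denied.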

Exercise 2: Exploring Windows 8.1 Recovery Options


Task 1: Configure System Restore
1. On LON-CL1, open File Explorer, in the navigation pane, right-click This PC, and then click Properties.
2. In the System window, in the navigation pane, click System protection.
3. In the System Properties dialog box, in the Protection Settings section, select Local Disk (C:) (System), click Configure, select Turn on system protection, and then click OK.

4. In the System Properties dialog box, click Create. Type Initial settings in the System Protection dialog box, click Create, and then click Close.
5. In the System Properties dialog box, click OK.
6. In File Explorer, navigate to the E:\Labfiles\Mod14 folder, and then double-click XmlNotepad.msi.
7. In the XML Notepad 2007 Setup Wizard, click Next, select I accept the terms in the License Agreement, click Next two times, click Install, and then click Finish.
8. Close Internet Explorer.
9. Verify that an XML Notepad 2007 shortcut is on the desktop.
10. Right-click the desktop, point to New, click Text Document, type My document as its name, and then press Enter.
11. On the taskbar, right-click the Start icon, and then click Device Manager.
12. In Device Manager, expand Keyboards, right-click Microsoft Hyper-V Virtual Keyboard, and then select Update Driver Software.
13. In the Update Driver Software dialog box, select Browse my computer for driver software. Select Let me pick from a list of device drivers on my computer, and then clear the Show compatible hardware check box. In the Model section, select Microsoft Wireless Keyboard 700 v2.0 (106/109), click Next, click Yes in the Update Driver Warning box, and then click Close.
14. In Device Manager, verify that Microsoft Wireless Keyboard 700 v2.0 (106/109) is shown with an exclamation point (!).

Task 2: Use System Restore
1. In File Explorer, in the navigation pane, right-click This PC, and then select Properties.
2. In the System window, in the navigation pane, click System protection.
3. In the System Properties dialog box, click System Restore.
4. In the System Restore dialog box, click Next.
5. Select the Initial settings restore point, and then click Scan for affected programs. Verify that XML Notepad 2007 is shown, as you installed it after the restore point was created. Click Close.
6. In the System Restore dialog box, click Next, click Finish, and then click Yes. Wait until LON-CL1 is restarted and System Restore is performed.
7. Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.
8. On the Start screen, click the Desktop tile.
9. In the System Restore dialog box, click Close. Verify that My document.txt is still on the desktop and that the XML Notepad 2007 shortcut is no longer present on the desktop.
10. On the taskbar, right-click the Start icon, and then click Device Manager.
11. In Device Manager, expand Keyboards, and then verify that Microsoft Hyper-V Virtual Keyboard is present. Microsoft Wireless Keyboard 700 v2.0 (106/109) was removed, as you added it after the restore point was created.
12. On the taskbar, click the File Explorer icon.
13. In File Explorer, in the navigation pane, right-click This PC, and then click Properties.
14. In the System window, in the navigation pane, click System protection.
15. In the System Properties dialog box, click System Restore.
16. In the System Restore dialog box, select Choose a different restore point, and then click Next.
17. In the System Restore dialog box, verify that the additional restore point with the description Restore Operation and Type of Undo was created. Click Cancel.

18. On the taskbar, right-click the Start icon, select Shut down or sign out, and then select Shut down. Wait until LON-CL1 is turned off.

Task 3: Access Windows RE tools
1. On your host computer, in the 20687D-LON-CL1 on localhost - Virtual Machine Connection dialog box, on the Media menu, point to DVD Drive, and then click Insert Disk.
2. In the Open dialog box, in the File name box, type D:\Program Files\Microsoft Learning\20687\Drives\Win81Ent_Eval.iso, and then click Open.
3. On the Action menu, click Start.
4. When you see the Press any key to boot from CD or DVD message, press Spacebar, and then Setup loads.
5. When prompted, in the Windows Setup dialog box, click Next.
6. On the Windows Setup page, click Repair your computer.
7. On the Choose an option page, click Troubleshoot.
8. On the Troubleshoot page, click Advanced options.
9. On the Advanced options page, click System Restore.
10. On the System Restore page, select Windows 8.1.
11. In the System Restore dialog box, click Next. Select the Restore Operation restore point, and then click Scan for affected programs. Verify that XML Notepad 2007 is listed as a program that might be restored. Click Close, and then click Cancel.
Note: You can use System Restore from the Windows Recovery Environment (RE).

12. On the Choose an option page, click Troubleshoot, and then click Advanced options.
13. On the Advanced options page, click Command Prompt.

14. At the command prompt, type bcdedit /enum, and then press Enter. Review the output and verify
that Windows 8.1 is listed as the default Windows Boot Loader operating system.
15. At the command prompt, type Bootrec /scanos, and then press Enter.
16. At the command prompt, type diskpart, and then press Enter.
17. At the command prompt, type list disk, and then press Enter.
18. At the command prompt, type list volume, and then press Enter.
19. At the command prompt, type exit, and then press Enter.
20. At the command prompt, type exit, and then press Enter.
21. On the Choose an option page, click Troubleshoot.
22. On the Troubleshoot page, click Advanced options.
23. On the Advanced options page, click Startup Repair.
24. On the Choose a target operating system page, click Windows 8.1. Startup Repair starts.

25. After a few seconds, the Startup Repair couldn't repair your PC page appears. This is because there is nothing wrong with your computer. Click Advanced options.
26. On the Choose an option page, click Continue. Windows starts normally.
26. On the Choose an option page, click Continue. Windows starts normally.

Task 4: Create a duplicate boot entry in the boot store
1. On LON-CL1, sign in as Adatum\Administrator with the password Pa$$w0rd.
2. On the Start screen, type cmd, and then click Command Prompt.
3. At the command prompt, type the following command, and then press Enter (the description contains spaces, so it must be quoted):
bcdedit /copy {current} /d "Duplicate boot entry"
4. Verify the presence of Duplicate boot entry in the store by running the following command:
bcdedit /enum
5. At the command prompt, type shutdown /r, press Enter, and then click Close.

Task 5: Enable advanced boot options
1. When the Windows operating system restarts, wait until the Choose an operating system menu appears, and then click Change defaults or choose other options.
2. On the Options page, click Choose other options.
3. On the Choose an option page, click Troubleshoot.
4. On the Troubleshoot page, click Advanced options.
5. On the Advanced options page, click Startup Settings.
6. On the Startup Settings page, click Restart.
7. In the Startup Settings menu, press 4 to select and enable Safe Mode.
8. On LON-CL1, sign in as Adatum\Administrator with the password Pa$$w0rd.
9. On your host computer, switch to Hyper-V Manager.
10. In the Virtual Machines list, right-click 20687D-LON-CL1, and then click Revert.
11. In the Revert Virtual Machine dialog box, click Revert.
12. In the Virtual Machines list, right-click 20687D-LON-CL1, and then click Start.
13. In the Virtual Machines list, right-click 20687D-LON-CL1, and then click Connect.

Results: After completing this exercise, you should have used various Windows 8.1 operating system startup-recovery tools.
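Tasks 1 and 2 of this exercise map onto four cmdlets in the Microsoft.PowerShell.Management module that ships with Windows 8.1, which is how you would create a restore point from a deployment script before a risky change and check afterwards what it undid. The block below is an added example (not part of the course); it assumes the system drive is C: and takes the restore point name from the lab. One documented caveat is worth knowing before relying on it: from Windows 8 on, Checkpoint-Computer creates at most one restore point per 24 hours and later calls in that window return without creating anything, so the script checks that the point it needs actually exists rather than assuming it.

```powershell
# Added example: Exercise 2, Tasks 1-2 with the System Restore cmdlets. Run
# elevated on LON-CL1. Assumed: the system drive is C:.

$ErrorActionPreference = 'Stop'

# Task 1, step 3: turn on system protection for C:.
Enable-ComputerRestore -Drive 'C:\'

# Task 1, step 4: create the "Initial settings" point before the risky changes
# (the XmlNotepad install and the deliberately wrong keyboard driver).
Checkpoint-Computer -Description 'Initial settings' -RestorePointType MODIFY_SETTINGS

# Task 2, steps 5 and 17: list restore points. CreationTime is a WMI datetime
# string, so convert it for display.
function Get-RestorePointTable {
    Get-ComputerRestorePoint |
        Select-Object SequenceNumber, Description, RestorePointType,
            @{ n = 'Created'; e = { [Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime) } }
}
$points = Get-RestorePointTable
$points | Format-Table -AutoSize

$initial = $points | Where-Object Description -eq 'Initial settings' | Select-Object -First 1
if (-not $initial) {
    throw 'No "Initial settings" restore point exists; Checkpoint-Computer creates at most one per 24 hours on Windows 8 and later.'
}

# Task 2, step 6: roll back to it. This restarts the computer, so it is left
# commented out; remove the comment marker when you mean it.
# Restore-Computer -RestorePoint $initial.SequenceNumber -Confirm

# After the restart (Task 2, steps 9-17): result of the last restore operation,
# and the automatically created "Restore Operation" point of type Undo.
Get-ComputerRestorePoint -LastStatus
Get-RestorePointTable | Where-Object Description -like 'Restore Operation*'
```

System Restore protects system files, the registry and installed programs, not user documents, which is why My document.txt survives the rollback in Task 2 while the XML Notepad shortcut and the keyboard driver do not.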

Exercise 3: Introducing a Simulated Problem


Task 1: Read the help-desk Incident Record for Incident 161071


Read the help-desk Incident Record (in the exercise scenario in the student handbook) for Incident
161071.

Task 2: Update the Plan of Action section of the Incident Record
1. Read the Additional Information section of the Incident Record.
2. Update the Plan of Action section of the Incident Record with your recommendations.

Plan of Action:
o Visit with the user, and then view the error on his computer.
o Insert the product installation DVD, and then restart the computer.
o Use Windows RE to recover the startup environment by using the Command Prompt tool, and then running Bootrec.exe /RebuildBCD to repair the boot store.

Task 3: Simulate the problem
1. Switch to LON-CL1, and then sign in as Adatum\Administrator with the password Pa$$w0rd.
2. On the Start screen, click the Desktop tile.
3. From the taskbar, click File Explorer.
4. Browse to, and run, the E:\Labfiles\Mod14\Scenario1.vbs script.
5. Wait while LON-CL1 restarts.

Results: After this exercise, you should have reproduced the reported startup problem on Adam's computer.

Exercise 4: Resolving a Problem

Task 1: Attempt to resolve the problem
1. Switch to LON-CL1.
2. On your host computer, in the 20687D-LON-CL1 on localhost - Virtual Machine Connection dialog box, on the Media menu, point to DVD Drive, and then click Insert Disk.
3. In the Open dialog box, in the File name box, type D:\Program Files\Microsoft Learning\20687\Drives\Win81Ent_Eval.iso, and then click Open.
4. On the Action menu, click Reset. In the dialog box, click Reset.
5. When you see the Press any key to boot from CD or DVD message, press Spacebar, and then Setup loads.
6. When prompted, in the Windows Setup dialog box, click Next.
7. On the Windows Setup page, click Repair your computer.
8. On the Choose an option page, click Troubleshoot.
9. On the Troubleshoot page, click Advanced options.
10. On the Advanced options page, click Command Prompt.
11. At the command prompt, type Bootrec /Scanos, and then press Enter.
12. At the command prompt, type Bootrec /RebuildBCD, and then press Enter.
13. At the command prompt, type A, and then press Enter.

14. At the command prompt, type exit, press Enter, and then click Continue to restart LON-CL1. When LON-CL1 starts, do not press any keys.
15. Sign in to LON-CL1 by using the following credentials:
o User name: Adatum\Administrator
o Password: Pa$$w0rd

16. Update the Plan of Action section of the Incident Record.

17. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.
To repeat or exit the exercise, revert the virtual machine environment.

Results: After completing this exercise, you should have resolved the startup problem and documented
your solution.
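Bootrec /RebuildBCD rebuilds the store from the Windows installations it finds, which recovers a bootable entry but not what you put into the store yourself (the duplicate entry from Exercise 2 Task 4, custom descriptions, timeouts). The safety net a practitioner adds before any BCD experiment, including running Scenario1.vbs, is an export of the store. The script below is an added example (not part of the course) that takes that export, performs the Task 4 duplicate-entry step with verification, and lists the recovery commands of Exercise 4 as comments because those are typed at the Windows RE command prompt, not run from this script. It assumes C:\BCD-backup.bcd as the backup location.

```powershell
# Added example: BCD backup, duplicate entry and verification for Exercise 2
# Task 4 and Exercises 3-4. Run elevated on LON-CL1 before Scenario1.vbs.
# Assumed: C:\BCD-backup.bcd is a usable location for the export.

$ErrorActionPreference = 'Stop'
$backup = 'C:\BCD-backup.bcd'

# 1. Export the boot store before touching it.
bcdedit /export $backup
if (-not (Test-Path $backup)) { throw 'BCD export failed' }

# 2. Task 4: duplicate the current entry. In PowerShell the identifier must be
#    quoted so the braces are not parsed as a script block; the description
#    must be quoted because it contains spaces.
$out   = bcdedit /copy '{current}' /d 'Duplicate boot entry'
$newId = [regex]::Match(($out -join ' '), '\{[0-9a-f-]{36}\}', 'IgnoreCase').Value
if (-not $newId) { throw "Unexpected bcdedit output: $out" }
Write-Host "New entry: $newId"

# 3. Verify: the duplicate exists and {default} still points at the original
#    Windows 8.1 loader entry.
$store = bcdedit /enum | Out-String
if ($store -notmatch 'Duplicate boot entry') { throw 'Duplicate entry is missing from the store' }
$store -split "`r?`n" | Select-String -Pattern '^(identifier|description|device|default|displayorder)'

# 4. Clean-up when the lab is done; a stale extra entry is what an attacker with
#    admin rights would also add to boot an alternative loader, so do not leave
#    unexplained entries behind.
# bcdedit /delete $newId /cleanup

# 5. Recovery, typed at the Windows RE command prompt (Exercise 4):
#    bootrec /scanos                   lists Windows installations absent from the store
#    bootrec /rebuildbcd               offers to add each one; answer A (all) or Y
#    bcdedit /import X:\BCD-backup.bcd alternative when an export exists: restores
#                                      the complete original store, duplicate included
#    (check the drive letter with "diskpart" / "list volume" first; the system
#    volume is not always C: inside Windows RE)
```

`bcdedit /enum all` additionally shows the Windows Boot Manager and the resume and memory-test entries, which is the view to use when checking a machine for entries that should not be there.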

Prepare for the next module

When you have finished the lab, revert the virtual machines to their initial state:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687D-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20687D-LON-DC1.

Module 15: Configuring Client Hyper-V

Lab: Configuring Client Hyper-V


Exercise 1: Installing Client Hyper-V
Task 1: Install the Client Hyper-V feature
1. On LON-CL5, from the Start screen, type Hyper-V, and then confirm that no match is found.
2. On the Start screen, type powershell, right-click Windows PowerShell, and then select Run as administrator. Click Yes in the User Account Control dialog box.
3. At the Windows PowerShell command prompt, run the following cmdlet, and then verify that no cmdlet is listed:
Get-Command -Module Hyper-V
4. From the Start screen, type features, and then click Turn Windows features on or off.
5. In the Windows Features window, select the Hyper-V check box, and then click OK.
6. On the Windows completed the requested changes page, click Restart Now.
7. When prompted during startup, select 20687D-LON-CL5.
8. Sign in to LON-CL5 as Admin with password Pa$$w0rd.
9. After a second restart, repeat steps 7 and 8.
10. On the Start screen, type powershell, right-click Windows PowerShell, and then select Run as administrator. Click Yes in the User Account Control dialog box.
11. At the Windows PowerShell command prompt, run the following cmdlet:
Get-Command -Module Hyper-V

Note: The output shows many cmdlets, which confirms that the Hyper-V module is installed and available.

Results: After completing this exercise, you should have installed the Client Hyper-V feature.

Exercise 2: Creating a Virtual Switch, a Virtual Hard Disk, and a Virtual Machine
Task 1: Create a virtual switch
1. On LON-CL5, from the Start screen, type Hyper-V, and then click Hyper-V Manager.
2. In Hyper-V Manager, right-click LON-CL5, and then click Virtual Switch Manager.
3. In the Virtual Switch Manager window, in the Create virtual switch section, click Private, and then click Create Virtual Switch.
4. In the Virtual Switch Properties section, type Private Network in the Name field, and then click OK.

Task 2: Create a virtual hard disk

1. On LON-CL5, open Hyper-V Manager.
2. In Hyper-V Manager, select LON-CL5, and then in the Actions pane, click New, and then click Hard Disk.
3. In the New Virtual Hard Disk Wizard, on the Before You Begin page, click Next.
4. On the Choose Disk Format page, confirm that VHDX is selected, and then click Next.
5. On the Choose Disk Type page, confirm that the default disk type for the virtual hard disk is Dynamically expanding, and then click Next.
6. On the Specify Name and Location page, in the Name field, type Dynamic.vhdx. In the Location field, type C:\VM, and then click Next.
7. On the Configure Disk page, confirm that Create a new blank virtual hard disk is selected, in the Size field, type 100, and then click Next.
8. On the Completing the New Virtual Hard Disk Wizard page, click Finish.
9. On LON-CL5, in Hyper-V Manager, in the Actions pane, click New, and then click Hard Disk.
10. In the New Virtual Hard Disk Wizard, on the Before You Begin page, click Next.
11. On the Choose Disk Format page, select VHD, and then click Next.
12. On the Choose Disk Type page, click Differencing, and then click Next.
13. On the Specify Name and Location page, in the Name field, type Differencing.vhd. In the Location field, type C:\VM, and then click Next.
14. On the Configure Disk page, click Browse, and then browse to F:\Program Files\Microsoft Learning\Base\.
15. In the Base folder, click Base14C-W81-Office2013.vhd, click Open, and then click Next.
16. On the Completing the New Virtual Hard Disk Wizard page, click Finish.
17. On LON-CL5, in Windows PowerShell, create a fixed-size virtual hard disk by running the following cmdlet:
New-VHD -Path C:\VM\Fixed.vhdx -SizeBytes 1GB -Fixed
18. On LON-CL5, on the taskbar, click the File Explorer icon.
19. In the This PC window, browse to the C:\VM folder.
20. In the VM folder, confirm that the three virtual hard disks that you created in this task display.
21. In the VM folder, right-click Fixed.vhdx, select Properties, confirm that its size on the disk is 1.00 GB, and then click OK.
22. In the VM folder, verify that Dynamic.vhdx and Differencing.vhd are allocated much less space on the disk, even though you configured Dynamic.vhdx with 100 gigabytes (GB).

Task 3: Create a virtual machine
1. On LON-CL5, in Hyper-V Manager, in the Actions pane, click New, and then click Virtual Machine.
2. In the New Virtual Machine Wizard, on the Before You Begin page, click Next.
3. On the Specify Name and Location page, in the Name field, type LON-VM2, and then click Next.
4. On the Specify Generation page, click Generation 2, and then click Next.

5. On the Assign Memory page, in the Startup memory field, type 1024, select the Use Dynamic Memory for this virtual machine check box, and then click Next four times.
6. On the Completing the New Virtual Machine Wizard page, click Finish. A virtual machine named LON-VM2 is created.
7. On LON-CL5, in Windows PowerShell, create a Generation 1 virtual machine, and then attach a virtual hard disk to it by running the following two cmdlets:
New-VM -Name LON-VM1 -MemoryStartupBytes 1GB -Generation 1 -BootDevice IDE
Add-VMHardDiskDrive -VMName LON-VM1 -ControllerType IDE -Path C:\VM\Differencing.vhd
8. In Hyper-V Manager, double-click the LON-VM1 virtual machine, and then from the Action menu, select Start. Verify that the virtual machine starts.

Results: After completing this exercise, you should have created a virtual switch, virtual hard disks, and virtual machines in Client Hyper-V.
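Everything in Exercise 2 is available from the Hyper-V module that Exercise 1 enabled, and scripting it makes the isolation properties of the lab explicit. The block below is an added example (not part of the course) that creates the private switch, the three disks and the two virtual machines of Tasks 1 to 3, then reports the on-disk size of each VHD (steps 21 and 22 of Task 2) and the firmware state of the Generation 2 machine. It assumes that C:\VM may be created and that the parent disk path from the lab exists on your host. Two points a security engineer takes from it: a Private switch connects virtual machines only to each other, so a test machine on it can reach neither LON-CL5 nor the physical network (Internal adds the host, External adds the LAN), and a Generation 2 machine has Secure Boot enabled by default, which the Generation 1 machine booting the differencing disk does not offer.

```powershell
# Added example: Exercise 2, Tasks 1-3 as a script. Run elevated on LON-CL5 after
# the Hyper-V feature is on (Exercise 1 equivalent:
#   Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All
# followed by the restarts). Assumed: C:\VM and the lab's parent VHD path.

$ErrorActionPreference = 'Stop'
Import-Module Hyper-V
New-Item -Path 'C:\VM' -ItemType Directory -Force | Out-Null
$parent = 'F:\Program Files\Microsoft Learning\Base\Base14C-W81-Office2013.vhd'

# Task 1: Private switch; no connection to the host or the physical NIC.
if (-not (Get-VMSwitch -Name 'Private Network' -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name 'Private Network' -SwitchType Private | Out-Null
}

# Task 2: the three disk types. Only the fixed disk allocates its size up front.
New-VHD -Path 'C:\VM\Dynamic.vhdx'     -SizeBytes 100GB -Dynamic        | Out-Null
New-VHD -Path 'C:\VM\Differencing.vhd' -ParentPath $parent -Differencing | Out-Null
New-VHD -Path 'C:\VM\Fixed.vhdx'       -SizeBytes 1GB   -Fixed          | Out-Null

# Steps 21-22: virtual size versus bytes actually used on the host disk.
'C:\VM\Dynamic.vhdx', 'C:\VM\Differencing.vhd', 'C:\VM\Fixed.vhdx' |
    ForEach-Object { Get-VHD -Path $_ } |
    Format-Table Path, VhdType, VhdFormat,
        @{ n = 'SizeGB';     e = { [math]::Round($_.Size / 1GB, 2) } },
        @{ n = 'FileSizeMB'; e = { [math]::Round($_.FileSize / 1MB, 2) } },
        ParentPath -AutoSize

# Task 3: Generation 2 VM with Dynamic Memory on the private switch; no disk yet.
New-VM -Name 'LON-VM2' -Generation 2 -MemoryStartupBytes 1GB -NoVHD `
    -SwitchName 'Private Network' | Out-Null
Set-VMMemory -VMName 'LON-VM2' -DynamicMemoryEnabled $true
Get-VMFirmware -VMName 'LON-VM2' | Select-Object VMName, SecureBoot

# Generation 1 VM booting from the differencing disk on its IDE controller.
New-VM -Name 'LON-VM1' -Generation 1 -MemoryStartupBytes 1GB -BootDevice IDE -NoVHD `
    -SwitchName 'Private Network' | Out-Null
Add-VMHardDiskDrive -VMName 'LON-VM1' -ControllerType IDE -Path 'C:\VM\Differencing.vhd'
Start-VM -Name 'LON-VM1'

Get-VM | Format-Table Name, State, Generation, DynamicMemoryEnabled, MemoryAssigned -AutoSize
```

Because LON-VM1 writes only to Differencing.vhd, the parent Base14C-W81-Office2013.vhd stays unchanged and can back any number of disposable test machines; delete the child to discard everything that happened inside the VM.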
