13.07.2015 Views

Planning and Managing Windows® 7 Desktop Deployments and ...


OFFICIAL MICROSOFT LEARNING PRODUCT
6294A
Planning and Managing Windows® 7 Desktop Deployments and Environments


Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein.

© 2009 Microsoft Corporation. All rights reserved.

Microsoft, Microsoft Press, Access, Active Desktop, Active Directory, ActiveSync, ActiveX, Aero, Authenticode, BitLocker, BizTalk, DirectX, Encarta, Excel, Forefront, Hyper-V, Internet Explorer, Microsoft Dynamics, MS, MSDN, MS-DOS, MSN, OneCare, OneNote, Outlook, PowerPoint, ReadyBoost, SharePoint, SmartScreen, SoftGrid, SpyNet, SQL Server, Visio, Visual Basic, Visual C#, Visual Studio, Win32, Windows, Windows Live, Windows Media, Windows Mobile, Windows NT, Windows PowerShell, Windows Server, Windows Vista, and Zune are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

All other trademarks are property of their respective owners.

Product Number: 6294A
Part Number: X17-40182
Released: 12/2009


MICROSOFT LICENSE TERMS
OFFICIAL MICROSOFT LEARNING PRODUCTS - TRAINER EDITION – Pre-Release and Final Release Versions

These license terms are an agreement between Microsoft Corporation and you. Please read them. They apply to the Licensed Content named above, which includes the media on which you received it, if any. The terms also apply to any Microsoft
- updates,
- supplements,
- Internet-based services, and
- support services
for this Licensed Content, unless other terms accompany those items. If so, those terms apply.

By using the Licensed Content, you accept these terms. If you do not accept them, do not use the Licensed Content.

If you comply with these license terms, you have the rights below.

1. DEFINITIONS.
  a. “Academic Materials” means the printed or electronic documentation such as manuals, workbooks, white papers, press releases, datasheets, and FAQs which may be included in the Licensed Content.
  b. “Authorized Learning Center(s)” means a Microsoft Certified Partner for Learning Solutions location, an IT Academy location, or such other entity as Microsoft may designate from time to time.
  c. “Authorized Training Session(s)” means those training sessions authorized by Microsoft and conducted at or through Authorized Learning Centers by a Trainer providing training to Students solely on Official Microsoft Learning Products (formerly known as Microsoft Official Curriculum or “MOC”) and Microsoft Dynamics Learning Products (formerly known as Microsoft Business Solutions Courseware). Each Authorized Training Session will provide training on the subject matter of one (1) Course.
  d. “Course” means one of the courses using Licensed Content offered by an Authorized Learning Center during an Authorized Training Session, each of which provides training on a particular Microsoft technology subject matter.
  e. “Device(s)” means a single computer, device, workstation, terminal, or other digital electronic or analog device.
  f. “Licensed Content” means the materials accompanying these license terms. The Licensed Content may include, but is not limited to, the following elements: (i) Trainer Content, (ii) Student Content, (iii) classroom setup guide, and (iv) Software. There are different and separate components of the Licensed Content for each Course.
  g. “Software” means the Virtual Machines and Virtual Hard Disks, or other software applications that may be included with the Licensed Content.
  h. “Student(s)” means a student duly enrolled for an Authorized Training Session at your location.
  i. “Student Content” means the learning materials accompanying these license terms that are for use by Students and Trainers during an Authorized Training Session. Student Content may include labs, simulations, and courseware files for a Course.
  j. “Trainer(s)” means a) a person who is duly certified by Microsoft as a Microsoft Certified Trainer and b) such other individual as authorized in writing by Microsoft and has been engaged by an Authorized Learning Center to teach or instruct an Authorized Training Session to Students on its behalf.
  k. “Trainer Content” means the materials accompanying these license terms that are for use by Trainers and Students, as applicable, solely during an Authorized Training Session. Trainer Content may include Virtual Machines, Virtual Hard Disks, Microsoft PowerPoint files, instructor notes, and demonstration guides and script files for a Course.
  l. “Virtual Hard Disks” means Microsoft Software that is comprised of virtualized hard disks (such as a base virtual hard disk or differencing disks) for a Virtual Machine that can be loaded onto a single computer or other device in order to allow end-users to run multiple operating systems concurrently. For the purposes of these license terms, Virtual Hard Disks will be considered “Trainer Content”.
  m. “Virtual Machine” means a virtualized computing experience, created and accessed using Microsoft Virtual PC or Microsoft Virtual Server software that consists of a virtualized hardware environment, one or more Virtual Hard Disks, and a configuration file setting the parameters of the virtualized hardware environment (e.g., RAM). For the purposes of these license terms, Virtual Hard Disks will be considered “Trainer Content”.
  n. “you” means the Authorized Learning Center or Trainer, as applicable, that has agreed to these license terms.

2. OVERVIEW.
  Licensed Content. The Licensed Content includes Software, Academic Materials (online and electronic), Trainer Content, Student Content, classroom setup guide, and associated media.
  License Model. The Licensed Content is licensed on a per copy per Authorized Learning Center location or per Trainer basis.

3. INSTALLATION AND USE RIGHTS.
  a. Authorized Learning Centers and Trainers: For each Authorized Training Session, you may:
    i. either install individual copies of the relevant Licensed Content on classroom Devices only for use by Students enrolled in and the Trainer delivering the Authorized Training Session, provided that the number of copies in use does not exceed the number of Students enrolled in and the Trainer delivering the Authorized Training Session, OR
    ii. install one copy of the relevant Licensed Content on a network server only for access by classroom Devices and only for use by Students enrolled in and the Trainer delivering the Authorized Training Session, provided that the number of Devices accessing the Licensed Content on such server does not exceed the number of Students enrolled in and the Trainer delivering the Authorized Training Session.
    iii. and allow the Students enrolled in and the Trainer delivering the Authorized Training Session to use the Licensed Content that you install in accordance with (ii) or (ii) above during such Authorized Training Session in accordance with these license terms.
    i. Separation of Components. The components of the Licensed Content are licensed as a single unit. You may not separate the components and install them on different Devices.
    ii. Third Party Programs. The Licensed Content may contain third party programs. These license terms will apply to the use of those third party programs, unless other terms accompany those programs.
  b. Trainers:
    i. Trainers may Use the Licensed Content that you install or that is installed by an Authorized Learning Center on a classroom Device to deliver an Authorized Training Session.
    ii. Trainers may also Use a copy of the Licensed Content as follows:
      A. Licensed Device. The licensed Device is the Device on which you Use the Licensed Content. You may install and Use one copy of the Licensed Content on the licensed Device solely for your own personal training Use and for preparation of an Authorized Training Session.
      B. Portable Device. You may install another copy on a portable device solely for your own personal training Use and for preparation of an Authorized Training Session.

4. PRE-RELEASE VERSIONS. If this is a pre-release (“beta”) version, in addition to the other provisions in this agreement, these terms also apply:
  a. Pre-Release Licensed Content. This Licensed Content is a pre-release version. It may not contain the same information and/or work the way a final version of the Licensed Content will. We may change it for the final, commercial version. We also may not release a commercial version. You will clearly and conspicuously inform any Students who participate in each Authorized Training Session of the foregoing; and, that you or Microsoft are under no obligation to provide them with any further content, including but not limited to the final released version of the Licensed Content for the Course.
  b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, you give to Microsoft, without charge, the right to use, share and commercialize your feedback in any way and for any purpose. You also give to third parties, without charge, any patent rights needed for their products, technologies and services to use or interface with any specific parts of a Microsoft software, Licensed Content, or service that includes the feedback. You will not give feedback that is subject to a license that requires Microsoft to license its software or documentation to third parties because we include your feedback in them. These rights survive this agreement.
  c. Confidential Information. The Licensed Content, including any viewer, user interface, features and documentation that may be included with the Licensed Content, is confidential and proprietary to Microsoft and its suppliers.


    i. Use. For five years after installation of the Licensed Content or its commercial release, whichever is first, you may not disclose confidential information to third parties. You may disclose confidential information only to your employees and consultants who need to know the information. You must have written agreements with them that protect the confidential information at least as much as this agreement.
    ii. Survival. Your duty to protect confidential information survives this agreement.
    iii. Exclusions. You may disclose confidential information in response to a judicial or governmental order. You must first give written notice to Microsoft to allow it to seek a protective order or otherwise protect the information. Confidential information does not include information that
      - becomes publicly known through no wrongful act;
      - you received from a third party who did not breach confidentiality obligations to Microsoft or its suppliers; or
      - you developed independently.
  d. Term. The term of this agreement for pre-release versions is (i) the date which Microsoft informs you is the end date for using the beta version, or (ii) the commercial release of the final release version of the Licensed Content, whichever is first (“beta term”).
  e. Use. You will cease using all copies of the beta version upon expiration or termination of the beta term, and will destroy all copies of same in the possession or under your control and/or in the possession or under the control of any Trainers who have received copies of the pre-released version.
  f. Copies. Microsoft will inform Authorized Learning Centers if they may make copies of the beta version (in either print and/or CD version) and distribute such copies to Students and/or Trainers. If Microsoft allows such distribution, you will follow any additional terms that Microsoft provides to you for such copies and distribution.

5. ADDITIONAL LICENSING REQUIREMENTS AND/OR USE RIGHTS.
  a. Authorized Learning Centers and Trainers:
    i. Software.
    ii. Virtual Hard Disks. The Licensed Content may contain versions of Microsoft XP, Microsoft Windows Vista, Windows Server 2003, Windows Server 2008, and Windows 2000 Advanced Server and/or other Microsoft products which are provided in Virtual Hard Disks.
      A. If the Virtual Hard Disks and the labs are launched through the Microsoft Learning Lab Launcher, then these terms apply:
         Time-Sensitive Software. If the Software is not reset, it will stop running based upon the time indicated on the install of the Virtual Machines (between 30 and 500 days after you install it). You will not receive notice before it stops running. You may not be able to access data used or information saved with the Virtual Machines when it stops running and may be forced to reset these Virtual Machines to their original state. You must remove the Software from the Devices at the end of each Authorized Training Session and reinstall and launch it prior to the beginning of the next Authorized Training Session.
      B. If the Virtual Hard Disks require a product key to launch, then these terms apply:
         Microsoft will deactivate the operating system associated with each Virtual Hard Disk. Before installing any Virtual Hard Disks on classroom Devices for use during an Authorized Training Session, you will obtain from Microsoft a product key for the operating system software for the Virtual Hard Disks and will activate such Software with Microsoft using such product key.
      C. These terms apply to all Virtual Machines and Virtual Hard Disks:
         You may only use the Virtual Machines and Virtual Hard Disks if you comply with the terms and conditions of this agreement and the following security requirements:
         - You may not install Virtual Machines and Virtual Hard Disks on portable Devices or Devices that are accessible to other networks.
         - You must remove Virtual Machines and Virtual Hard Disks from all classroom Devices at the end of each Authorized Training Session, except those held at Microsoft Certified Partners for Learning Solutions locations.


         - You must remove the differencing drive portions of the Virtual Hard Disks from all classroom Devices at the end of each Authorized Training Session at Microsoft Certified Partners for Learning Solutions locations.
         - You will ensure that the Virtual Machines and Virtual Hard Disks are not copied or downloaded from Devices on which you installed them.
         - You will strictly comply with all Microsoft instructions relating to installation, use, activation and deactivation, and security of Virtual Machines and Virtual Hard Disks.
         - You may not modify the Virtual Machines and Virtual Hard Disks or any contents thereof.
         - You may not reproduce or redistribute the Virtual Machines or Virtual Hard Disks.
    ii. Classroom Setup Guide. You will assure any Licensed Content installed for use during an Authorized Training Session will be done in accordance with the classroom set-up guide for the Course.
    iii. Media Elements and Templates. You may allow Trainers and Students to use images, clip art, animations, sounds, music, shapes, video clips and templates provided with the Licensed Content solely in an Authorized Training Session. If Trainers have their own copy of the Licensed Content, they may use Media Elements for their personal training use.
    iv. Evaluation Software. Any Software that is included in the Student Content designated as “Evaluation Software” may be used by Students solely for their personal training outside of the Authorized Training Session.
  b. Trainers Only:
    i. Use of PowerPoint Slide Deck Templates. The Trainer Content may include Microsoft PowerPoint slide decks. Trainers may use, copy and modify the PowerPoint slide decks only for providing an Authorized Training Session. If you elect to exercise the foregoing, you will agree or ensure Trainer agrees: (a) that modification of the slide decks will not constitute creation of obscene or scandalous works, as defined by federal law at the time the work is created; and (b) to comply with all other terms and conditions of this agreement.
    ii. Use of Instructional Components in Trainer Content. For each Authorized Training Session, Trainers may customize and reproduce, in accordance with the MCT Agreement, those portions of the Licensed Content that are logically associated with instruction of the Authorized Training Session. If you elect to exercise the foregoing rights, you agree or ensure the Trainer agrees: (a) that any of these customizations or reproductions will only be used for providing an Authorized Training Session and (b) to comply with all other terms and conditions of this agreement.
    iii. Academic Materials. If the Licensed Content contains Academic Materials, you may copy and use the Academic Materials. You may not make any modifications to the Academic Materials and you may not print any book (either electronic or print version) in its entirety. If you reproduce any Academic Materials, you agree that:
      - The use of the Academic Materials will be only for your personal reference or training use
      - You will not republish or post the Academic Materials on any network computer or broadcast in any media;
      - You will include the Academic Material’s original copyright notice, or a copyright notice to Microsoft’s benefit in the format provided below:

        Form of Notice:
        © 2010 Reprinted for personal reference use only with permission by Microsoft Corporation. All rights reserved.
        Microsoft, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the US and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners.

6. INTERNET-BASED SERVICES. Microsoft may provide Internet-based services with the Licensed Content. It may change or cancel them at any time. You may not use these services in any way that could harm them or impair anyone else’s use of them. You may not use the services to try to gain unauthorized access to any service, data, account or network by any means.

7. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation, you may use the Licensed Content only as expressly permitted in this agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only allow you to use it in certain ways. You may not


  - install more copies of the Licensed Content on classroom Devices than the number of Students and the Trainer in the Authorized Training Session;
  - allow more classroom Devices to access the server than the number of Students enrolled in and the Trainer delivering the Authorized Training Session if the Licensed Content is installed on a network server;
  - copy or reproduce the Licensed Content to any server or location for further reproduction or distribution;
  - disclose the results of any benchmark tests of the Licensed Content to any third party without Microsoft’s prior written approval;
  - work around any technical limitations in the Licensed Content;
  - reverse engineer, decompile or disassemble the Licensed Content, except and only to the extent that applicable law expressly permits, despite this limitation;
  - make more copies of the Licensed Content than specified in this agreement or allowed by applicable law, despite this limitation;
  - publish the Licensed Content for others to copy;
  - transfer the Licensed Content, in whole or in part, to a third party;
  - access or use any Licensed Content for which you (i) are not providing a Course and/or (ii) have not been authorized by Microsoft to access and use;
  - rent, lease or lend the Licensed Content; or
  - use the Licensed Content for commercial hosting services or general business purposes.

  Rights to access the server software that may be included with the Licensed Content, including the Virtual Hard Disks does not give you any right to implement Microsoft patents or other Microsoft intellectual property in software or devices that may access the server.

8. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the Licensed Content. These laws include restrictions on destinations, end users and end use. For additional information, see www.microsoft.com/exporting.

9. NOT FOR RESALE SOFTWARE/LICENSED CONTENT. You may not sell software or Licensed Content marked as “NFR” or “Not for Resale.”

10. ACADEMIC EDITION. You must be a “Qualified Educational User” to use Licensed Content marked as “Academic Edition” or “AE.” If you do not know whether you are a Qualified Educational User, visit www.microsoft.com/education or contact the Microsoft affiliate serving your country.

11. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail to comply with the terms and conditions of these license terms. In the event your status as an Authorized Learning Center or Trainer a) expires, b) is voluntarily terminated by you, and/or c) is terminated by Microsoft, this agreement shall automatically terminate. Upon any termination of this agreement, you must destroy all copies of the Licensed Content and all of its component parts.

12. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates, Internet-based services and support services that you use, are the entire agreement for the Licensed Content and support services.

13. APPLICABLE LAW.
  a. United States. If you acquired the Licensed Content in the United States, Washington state law governs the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws principles. The laws of the state where you live govern all other claims, including claims under state consumer protection laws, unfair competition laws, and in tort.
  b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that country apply.

14. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. You may also have rights with respect to the party from whom you acquired the Licensed Content. This agreement does not change your rights under the laws of your country if the laws of your country do not permit it to do so.


15. DISCLAIMER OF WARRANTY. The Licensed Content is licensed “as-is.” You bear the risk of using it. Microsoft gives no express warranties, guarantees or conditions. You may have additional consumer rights under your local laws which this agreement cannot change. To the extent permitted under your local laws, Microsoft excludes the implied warranties of merchantability, fitness for a particular purpose and non-infringement.

16. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM MICROSOFT AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO U.S. $5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.

This limitation applies to
  - anything related to the Licensed Content, software, services, content (including code) on third party Internet sites, or third party programs; and
  - claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the extent permitted by applicable law.

It also applies even if Microsoft knew or should have known about the possibility of the damages. The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages.

Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this agreement are provided below in French.

Note: Because this licensed content is distributed in Quebec, Canada, some of the clauses of this contract are provided below in French.

DISCLAIMER OF WARRANTY. The licensed content covered by a license is offered “as is”. Any use of this licensed content is at your sole risk. Microsoft grants no other express warranty. You may have additional rights under local consumer protection law, which this contract cannot change. Where permitted by local law, the implied warranties of merchantability, fitness for a particular purpose and non-infringement are excluded.

LIMITATION OF DAMAGES AND EXCLUSION OF LIABILITY FOR DAMAGES. You can obtain compensation from Microsoft and its suppliers for direct damages only, up to US $5.00. You cannot claim compensation for any other damages, including special, indirect or incidental damages and lost profits.

This limitation applies to:
  - anything related to the licensed content, services, or content (including code) on third-party Internet sites or in third-party programs; and
  - claims for breach of contract or warranty, or for strict liability, negligence or other fault, to the extent permitted by applicable law.

It also applies even if Microsoft knew or should have known about the possibility of such damage. If your country does not allow the exclusion or limitation of liability for indirect, incidental or other damages of any kind, the above limitation or exclusion may not apply to you.

LEGAL EFFECT. This contract describes certain legal rights. You may have other rights under the laws of your country. This contract does not change the rights you have under the laws of your country if those laws do not permit it to do so.




Acknowledgements

Microsoft Learning would like to acknowledge and thank the following for their contribution towards developing this title. Their effort at various stages in the development has ensured that you have a good classroom experience.

Conan Kezema – Subject Matter Expert
Conan received his Bachelor of Education degree in 1994 and realized the importance of computer technology and the need for experienced technical educators. He subsequently obtained the Microsoft Certified Systems Engineer and Microsoft Certified Trainer designations. For the past 15 years, Conan has been involved in the computer technology field as an educator, systems consultant, network systems architect, and technical writer. Currently, Conan is associated with S.R. Technical Services as a subject matter expert, instructional designer, and technical writer on numerous Microsoft-related projects.

Kent Altena – Technical Reviewer
Kent Altena (MCITP, MCTS, MCSE, VCP, Master CNE) has been involved with the IT field for over 15 years. He holds certifications in the security field, Netware, VMware, Microsoft server and client technologies. He has helped develop multiple certification exams (including Windows Server 2008 and Windows 7) for a number of vendors and has written articles on a variety of server technologies, including Microsoft and Netware. He is currently a systems engineer for a multi-state insurance company in West Des Moines, Iowa, specializing in directory services, server and virtualization infrastructure.


Contents

Module 1: Preparing to Deploy Windows® 7 Business Desktops
Lesson 1: Overview of the Desktop Lifecycle
Lesson 2: Desktop Deployment: Challenges and Considerations
Lesson 3: Tools and Technologies Used in the Desktop Deployment Lifecycle
Lesson 4: Assessing the Current Computing Environment for Deploying Windows 7
Lab A: Assessing the Computing Environment by Using the Microsoft Assessment and Planning Toolkit
Lesson 5: Designing Windows Activation
Lab B: Recommending an Activation Strategy

Module 2: Assessing Application Compatibility in Windows 7
Lesson 1: Overview of Application Compatibility
Lesson 2: Assessing and Resolving Application Compatibility Issues by Using ACT 5.5
Lab A: Evaluating Application Compatibility Using the Microsoft Application Compatibility Toolkit
Lab B: Creating Application Compatibility Fixes

Module 3: Evaluating Windows® 7 Deployment Methods
Lesson 1: Evaluating In-Place Deployment
Lesson 2: Evaluating Side-by-Side Deployment
Lesson 3: Evaluating Lite-Touch Deployment Method
Lesson 4: Evaluating Zero-Touch Deployment Method
Lab: Determining the Windows 7 Deployment Method

Module 4: Designing Standard Windows® 7 Images
Lesson 1: Overview of Windows 7 Installation Architecture
Lesson 2: Overview of Imaging Process
Lesson 3: Determining the Image Strategy
Lesson 4: Selecting the Image Servicing Methods
Lab: Determining the Windows 7 Imaging Strategy

Module 5: Deploying Windows® 7 by Using Windows AIK
Lesson 1: Overview of Windows AIK 2.0
Lab A: Installing Windows Automated Installation Kit
Lesson 2: Building a Reference Windows 7 Image by Using Windows SIM and Sysprep
Lab B: Building a Reference Image Using Windows SIM and Sysprep
Lesson 3: Managing the Windows Pre‐installation Environment
Lab C: Creating Windows PE Boot Media
Lesson 4: Capturing, Applying, and Servicing a Windows 7 Image
Lab D: Capturing and Applying a Windows 7 Image Using ImageX
Lab E: Servicing Images using DISM

Module 6: Deploying Windows® 7 by Using Windows Deployment Services
Lesson 1: Overview of WDS
Lesson 2: Designing and Configuring WDS for Windows 7 Deployment
Lab: Deploying Windows 7 by Using Windows Deployment Services

Module 7: Deploying Windows® 7 by Using Lite Touch Installation
Lesson 1: Designing the Lite Touch Installation Environment
Lesson 2: Implementing MDT 2010 for Deploying Windows 7
Lab A: Planning and Configuring MDT 2010
Lab B: Deploying Windows 7 by Using Lite Touch Installation

Module 8: Deploying Windows® 7 by Using Zero Touch Installation
Lesson 1: Designing the Zero Touch Installation Environment
Lesson 2: Performing Zero Touch Installation by Using MDT 2010 and Configuration Manager 2007
Lab: Deploying Windows 7 by Using Zero Touch Installation

Module 9: Migrating User State by Using WET and USMT 4.0
Lesson 1: Overview of User State Migration
Lab A: Migrate User State by Using WET (Optional)
Lesson 2: Overview of USMT 4.0
Lesson 3: Planning User State Migration (USMT 4.0)
Lesson 4: Migrating User State Using USMT 4.0
Lab B: Migrating User State Using USMT 4.0
Lab C: Migrating User State Using Hard-Link Migration

Module 10: Designing, Configuring, and Managing the Client Environment
Lesson 1: Overview of Planning Client Configuration
Lesson 2: Designing and Configuring Standard System Settings
Lesson 3: Designing and Configuring Internet Explorer Settings
Lesson 4: Designing and Configuring Security Settings
Lesson 5: Designing and Implementing Group Policy
Lab A: Designing and Configuring the Client Environment
Lesson 6: Troubleshooting Group Policy
Lab B: Troubleshooting GPO Issues

Module 11: Planning and Deploying Applications and Updates to Windows® 7 Clients
Lesson 1: Determining the Application Deployment Method
Lab A: Determining the Application Deployment Method
Lesson 2: Deploying the 2007 Microsoft Office System
Lab B: Customizing the Microsoft Office Professional Plus 2007 Installation
Lesson 3: Planning and Configuring Desktop Updates by Using WSUS
Lab C: Planning and Managing Updates by Using WSUS

Module 12: Deploying Windows 7 – Challenge Scenario
Lab A: Planning an End to End Windows 7 LTI Deployment
Lab B: Deploying Windows 7 Using the LTI Deployment Plan

Lab Answer Keys




About This Course

This section provides you with a brief description of the course, audience, suggested prerequisites, and course objectives.

Course Description

This five-day instructor-led course is intended for desktop administrators who want to specialize in desktop deployment, configuration, and management. In this course, students learn how to plan and deploy Windows® 7 desktops in large organizations. They also learn how to design, configure, and manage the Windows 7 client environment. This course helps students prepare for the Exam 70-686, Pro: Windows 7, Enterprise Desktop Administrator.

Audience

This course is intended for IT professionals who are interested in specializing in Windows 7 desktop and application deployments and managing the desktop environments for large organizations. People attending this training could be support technicians or people currently in deployment roles who are looking to take the next step in their career or enhance their skills in the areas of planning and deploying Windows 7 desktops.

Student Prerequisites

In addition to their professional experience, students who attend this training should have the following prerequisite knowledge and skills:

• Solid understanding of TCP/IP and networking concepts
• Solid Windows and Active Directory knowledge. For example, domain user accounts, domain vs. local user accounts, user profiles, and group membership
• Good understanding of scripts and batch files
• Solid understanding of security concepts such as authentication and authorization
• Perform a clean installation of Windows 7, upgrade to Windows 7, and migrate user-related data and settings from Windows XP
• Configure disks, partitions, volumes, and device drivers to enable Windows 7 to function as desired
• Configure and troubleshoot permissions and other settings to allow access to resources and applications on Windows 7 systems
• Configure settings to enable network connectivity
• Configure and troubleshoot a wireless network connection
• Configure and troubleshoot Windows 7 security
• Configure mobile computers and devices
• Familiar with the client administration capabilities of Windows Server® and familiar with management tools such as the System Center suite of products
• Familiar with deployment, packaging, and imaging tools
• Ability to work in a team or in a virtual team
• Good documentation and communication skills to create proposals and make budget recommendations
• Train and mentor others


Passing the Exam 70-624: TS: Deploying and Maintaining Windows Vista® Client and 2007 Microsoft Office System Desktops is preferable but not mandatory.

Course Objectives

After completing this course, students will be able to:

• Prepare to deploy Windows 7 business desktops
• Assess and resolve application compatibility issues with Windows 7
• Determine the most appropriate method to deploy Windows 7 based upon specific business requirements
• Design a standard Windows 7 image by assessing and evaluating the business requirements
• Deploy Windows 7 by using WAIK
• Deploy Windows 7 by using WDS
• Deploy Windows 7 by using Lite Touch Installation
• Deploy Windows 7 by using Zero Touch Installation
• Migrate user state by using Windows Easy Transfer and User State Migration Tool 4.0
• Design, configure, and manage the Windows 7 client environment
• Plan and deploy applications and updates to Windows 7 client computers

Course Outline

This section provides an outline of the course:

Module 1: Preparing to Deploy Windows 7 Business Desktops
Module 2: Assessing Application Compatibility in Windows 7
Module 3: Evaluating Windows 7 Deployment Methods
Module 4: Designing Standard Windows 7 Images
Module 5: Deploying Windows 7 by using WAIK
Module 6: Deploying Windows 7 by using Windows Deployment Services
Module 7: Deploying Windows 7 by using Lite Touch Installation
Module 8: Deploying Windows 7 by using Zero Touch Installation
Module 9: Migrating User State by using WET and USMT 4.0
Module 10: Designing, Configuring, and Managing the Client Environment
Module 11: Planning and Deploying Applications and Updates to Windows 7 Clients
Module 12: Deploying Windows 7 – Challenge Scenario


Course Materials

The following materials are included with your kit:

• Course Handbook: A succinct classroom learning guide that provides all the critical technical information in a crisp, tightly-focused format, which is just right for an effective in-class learning experience.
  • Lessons: Guide you through the learning objectives and provide the key points that are critical to the success of the in-class learning experience.
  • Labs: Provide a real-world, hands-on platform for you to apply the knowledge and skills learned in the module.
  • Module Reviews and Takeaways: Provide improved on-the-job reference material to boost knowledge and skills retention.
  • Lab Answer Keys: Provide step-by-step lab solution guidance at your fingertips when it’s needed.

Course Companion Content on the http://www.microsoft.com/learning/companionmoc/ Site: Searchable, easy-to-navigate digital content with integrated premium on-line resources designed to supplement the Course Handbook.

• Modules: Include companion content, such as questions and answers, detailed demo steps and additional reading links, for each lesson. Additionally, they include Lab Review questions and answers and Module Reviews and Takeaways sections, which contain the review questions and answers, best practices, common issues and troubleshooting tips with answers, and real-world issues and scenarios with answers.
• Resources: Include well-categorized additional resources that give you immediate access to the most up-to-date premium content on TechNet, MSDN®, Microsoft Press®.

Student Course files on the http://www.microsoft.com/learning/companionmoc/ Site: Includes the Allfiles.exe, a self-extracting executable file that contains all the files required for the labs and demonstrations.

• Course evaluation: At the end of the course, you will have the opportunity to complete an online evaluation to provide feedback on the course, training facility, and instructor.
• To provide additional comments or feedback on the course, send e-mail to support@mscourseware.com. To inquire about the Microsoft Certification Program, send e-mail to mcphelp@microsoft.com.


Virtual Machine Environment

This section provides the information for setting up the classroom environment to support the business scenario of the course.

Virtual Machine Configuration

In this course, you will use Microsoft Virtual Server 2005 R2 with SP1 to perform the labs.

Important: At the end of each lab, you must close the virtual machine and must not save any changes. To close a virtual machine without saving the changes, perform the following steps:

1. On the virtual machine, on the Action menu, click Close.
2. In the Close dialog box, in the What do you want the virtual machine to do? list, click Turn off and delete changes, and then click OK.

1. On the host computer, start Hyper-V Manager.
2. Right-click the virtual machine name in the Virtual Machines list, and click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.

The following table shows the role of each virtual machine used in this course:

Virtual machine     Role
6294A-LON-DC1       Domain controller in the Contoso.com domain
6294A-LON-CL1       Windows 7 computer in the Contoso.com domain
6294A-LON-CL2       Windows 7 computer in the Contoso.com domain
6294A-LON-CL3       Virtual machine with no operating system installed
6294A-LON-IMG1      Virtual machine with no operating system installed
6294A-LON-IMG2      Virtual machine with no operating system installed
6294A-LON-VS1       Windows Vista computer in the Contoso.com domain
6294A-LON-VS2       Windows Vista computer in the Contoso.com domain
6294A-LON-VS3       Windows Vista computer in the Contoso.com domain
6294A-LON-SVR1      Windows Server 2008 R2 in the Contoso.com domain

Software Configuration

The following software is installed on the VMs:

• Windows Server 2008 R2
• Windows 7
• Windows Vista
• System Center Configuration Manager 2007 R2 SP2
• Various deployment tools such as the Windows Automated Installation Kit and Microsoft Deployment Toolkit 2010


Classroom Setup

Each classroom computer will have the same virtual machine configured in the same way.

Course Hardware Level

To ensure a satisfactory student experience, Microsoft Learning requires a minimum equipment configuration for trainer and student computers in all Microsoft Certified Partner for Learning Solutions (CPLS) classrooms in which Official Microsoft Learning Product courseware is taught.




Module 1
Preparing to Deploy Windows® 7 Business Desktops

Contents:

Lesson 1: Overview of the Desktop Lifecycle
Lesson 2: Desktop Deployment: Challenges and Considerations
Lesson 3: Tools and Technologies Used in the Desktop Deployment Lifecycle
Lesson 4: Assessing the Current Computing Environment for Deploying Windows 7
Lab A: Assessing the Computing Environment by Using the Microsoft Assessment and Planning Toolkit
Lesson 5: Designing Windows Activation
Lab B: Recommending an Activation Strategy


Module Overview

Running a new operating system has many benefits; however, many organizations consider the new operating system deployment process to be complicated and expensive. The complexity and cost of a migration may make it difficult for users to quickly realize new operating system benefits.

Additional migration and deployment challenges include:

• Application incompatibilities
• Complicated user state migrations
• Lack of migration resources
• Lack of best practices and implementation guides
• Deficient end-user training and support

This course is intended for people who wish to enhance their desktop planning and deployment skills.

This module helps you plan and perform effective preparation tasks for deploying Windows® 7 operating system clients. It begins by discussing client, hardware, and deployment lifecycles. To prepare a successful deployment, you must understand the processes associated with these lifecycles and the Microsoft tools that are available for individual phases.

Efficient and automated desktop deployment processes result in significant cost savings to the enterprise. Each step within the Desktop Deployment Lifecycle framework incorporates tools and technologies to support a Lite Touch or Zero Touch deployment process.

Before deploying Windows 7, ensure that the computers meet minimum hardware requirements for Windows 7. You must decide what edition of Windows 7 best suits organizational requirements and whether to use the 32-bit or the 64-bit platform of Windows 7.

Product activation is a requirement in the Windows 7 operating system. Validation is required for each Windows 7 license through an online activation service at Microsoft.


Lesson 1
Overview of the Desktop Lifecycle

The Desktop Lifecycle (Client Lifecycle) includes:

• Planning the deployment
• Preparing for the deployment
• Deploying the images to the hardware clients

Support is part of Management and is also a critical phase in the Client Lifecycle.


Overview of the Client Lifecycle

Key Points

The first phase in the client lifecycle, called Procurement, is the complete process of obtaining goods and services, from preparation and processing of a requisition through to receipt and approval of the invoice for payment. The second phase is Deployment, which involves the process of installing the operating system and applications on the user computers. Management is the third phase, in which updates are applied and support is provided to end-users. The final phase of the lifecycle is Retirement, the process in which the computers are taken out of operation and recycled.

• Procurement: The complete action or process of acquiring or obtaining personnel, material, services, or property from a vendor by means authorized in relevant, specific directives. It is the action or process of acquiring or obtaining items at the operational level, for example, purchasing, contracting, and negotiating directly with the supply source for the purchasing of computers.
• Deployment: All of the activities that make a software system available for use are called deployment. The general deployment process consists of several interrelated activities with possible transitions between thorough build and test phases, and stabilization.
• Management: Consists of updates and support. Updates include facilities, software upgrade, and hardware transfer to new users. Support includes training, IT support, and service hardware.
  • Updates: To keep computers that are running Windows operating systems stable and secure, you must update them regularly with the latest security updates and fixes. Windows Update enables you to download and install important and recommended updates automatically, instead of visiting the Windows Update Web site.
  • Microsoft® Support Lifecycle Policy: The policy applies to most products currently available through retail purchase or volume licensing, and most future release products.
• Retirement: The focus of the retirement phase is the successful removal of a system from production. This is an issue faced by most organizations today; as legacy systems are phased out and new systems replace them, you must complete this effort successfully and without a major interruption to daily organizational business needs.


Software systems do not last forever. Eventually, they become obsolete or are superseded by other systems and must be removed. Systems are removed from production for several reasons:

• They are no longer needed for the current business model. For example, legislation was passed requiring a system update, and now that legislation has been repealed.
• They are obsolete (for example, systems created to handle the Y2K issue).
• The system is being replaced. For example, it is common to see homegrown systems for human resource functions being replaced by commercial off-the-shelf (COTS) systems such as Microsoft Dynamics GP or Microsoft Dynamics NAV.

Question: Provide a brief description of the activities in the Client Lifecycle’s Management Phase.


Overview of the Hardware Lifecycle

Key Points

A standardized hardware infrastructure forms the foundation for desktop optimization. It is by standardizing desktop hardware and software that organizations can ultimately advance toward a more flexible, agile, and optimized infrastructure.

When the entire span of the PC lifecycle is viewed as a whole, from purchase through retirement, it is clear that purchase price is just one component of PC lifecycle costs. Standardizing and managing hardware as a fleet, with consistent policies and practices, enables the enterprise to benefit from its scale. With a consistent approach to fleet management, organizations can achieve numerous benefits:

• Effective PC fleet management: Understanding PC lifecycle costs leads to better fleet strategy decisions, such as prioritization of investments and optimal configuration choices. By managing the PC fleet as a whole, the value of these decisions can be leveraged across the entire enterprise.
• Reduced costs of IT complexity: As hardware configurations grow, so do costs. A 2004 study found that each additional hardware configuration introduced into a desktop environment results in a 12 United States dollar (USD) increase in yearly support costs for each desktop PC, on average. An optimized PC fleet management strategy helps to reduce the complexity of deployment, asset management, system monitoring, and software updates.
• Adaptable PC Infrastructure: System flexibility allows users to repurpose hardware to meet the needs of different roles and business needs across the organization.

The Hardware Lifecycle includes the following steps. Some lifecycles merge some of these stages to reduce the number.

• Plan – includes hardware strategy, demand forecasting, hardware selection, and design configuration
• Buy – includes hardware, software image, accessories, and delivery
• Deployment – includes logistics, software deployment, configuration, and data migration


• Operate – includes facilities, PC security, software upgrade, data protection, and IT administration
• Support – includes training, IT support, and service hardware
• Upgrade – includes facilities, software upgrade, and hardware transfer to new user
• Retire – includes hardware pickup, hardware re-sell preparation, administrative processing, shipping and packing, and residual value

Question: What are the main reasons for upgrading or replacing hardware?


Overview of the Desktop Deployment Lifecycle

Key Points

The desktop deployment life cycle provides a framework of the tasks needed to successfully deploy a software application or operating system. You must understand the lifecycle phases to properly plan for the resources and tools required to ensure effective implementation. The desktop deployment life cycle phases are: planning, building, and deploying.

Planning

During the initial planning phase, organizations assess their business needs to determine the value of their investment and define the scope and objectives of the project. In this phase, you assess the current hardware, software, and network configurations to determine:

• Organizational readiness for desktop deployment.
• Tools required to assist in the build and deploy phases of the project.

Examples of deliverables expected from this phase include deployment details, application compatibility and user state migration requirements, a schedule for deployment, an assessment of the current configuration, test and pilot plans, and a rollout plan.

Building

The building phase provides the opportunity to streamline and simplify the deployment process. This includes developing the automated solution and procedures to be used for the deployment. Developing and testing the baseline operating system images are essential parts of this phase; without the test system, you might fail to identify and correct any errors, and subsequently duplicate these errors to all computers in your environment during the actual deployment.

Deploying

After thorough build and test phases, deployment can begin. The deployment phase is the period during which the team implements the solution and ensures that it is stable and usable. A typical deployment takes place in phases throughout the networking environment, and includes the deployment team stabilizing each phase before moving on to the next section for upgrade or installation.

Question: What are some of the benefits of having a Pilot Plan during the Planning Phase?


Discussion: Desktop Lifecycle

Use the following questions to encourage discussion:

• Discuss the client, hardware, and deployment lifecycles used in your organization.
• What best practices have you implemented?


Lesson 2
Desktop Deployment: Challenges and Considerations

Many organizations recognize that there is the potential for significant cost savings when an efficient and automated desktop deployment process is implemented. To realize this potential, you must identify the challenges and understand the roadmap to follow so that your organization can move to a more dynamic network environment. This lesson provides information about some of the challenges you may face when deploying new desktops, and guidelines for implementing an effective desktop deployment process. This lesson also discusses the Infrastructure Optimization Model, and how automating the desktop deployment can provide cost savings within your organization.


Discussion: What Are the Challenges When Deploying a New Business Desktop?

Use the following questions to encourage discussion:

• Discuss deployment challenges.
• How do these challenges relate to your experiences during previous deployment projects?


Guidelines for an Effective Business Desktop Deployment

Key Points

An effective desktop deployment process can be accomplished through the implementation of several basic guidelines:

• Take an inventory and establish a network map of the existing client computers, servers, and other relevant networking services, to determine the installed application base and hardware types currently deployed.
• Determine which hardware can be reused as part of the new computer deployment, and which types might need to be retired. You must have a full understanding of the new operating system’s hardware requirements.
• Determine which applications can be redeployed on the new desktop systems, and start a process for packaging or scripting those applications so that they can be reinstalled quickly and consistently without user intervention.
• Define a strategy for addressing applications that cannot be supported on the new platform. For example, you may have a business-critical application that is not supported on the new operating system, but may be a candidate for virtualization technology such as Microsoft Virtual PC 2007, Microsoft Virtual Server, or Microsoft Enterprise Desktop Virtualization (MED-V). With Hyper-V in the Windows Server® and System Center, the virtualization of your enterprise with Microsoft can cost less than competitive products and help to maximize the return on your virtualization investment.
• Create an imaging process to produce a standard enterprise image of a base desktop computer to aid in configuration management and to speed deployments.
• Establish a process for capturing the user data, settings, and preferences on the currently deployed systems, and for restoring them on the newly deployed systems.
• Provide a method for backing up all relevant data on the current computer before redeployment.


• Provide an end-to-end process for the actual deployment of the new desktops.
• Create a plan for training users on the updated desktop system.

Question: What is the purpose for creating a hardware and software baseline?


What Is the Infrastructure Optimization Model?

Key Points

The Infrastructure Platform Optimization model provides IT organizations with a tool that can help them understand and adopt a flexible and agile infrastructure platform. Key elements of each of these models include optimization levels, capabilities, and optimization-level transition projects.

Optimization Levels

Within each model, there are four optimization levels:

• Basic
• Standardized
• Rationalized or advanced
• Dynamic

Organizations fall within one of these four deployment and management network infrastructure optimization levels. These levels range from relatively little automation, to full automation integrated with an original equipment manufacturer (OEM) partner. You must understand the Infrastructure Optimization Model so you can determine the current maturity of your organization, and realize the benefit of a more automated deployment process. Common automation levels can be categorized within the Infrastructure Optimization Model, which includes basic, standardized, rationalized, and dynamic environments.

Basic Level

At the basic level, it is assumed that the organization does not maintain a standardized desktop operating system. The basic automation level implies the following general characteristics and issues:

• A non-standardized desktop infrastructure results in an environment that is more complex and difficult to manage.
• Patch management is either nonexistent or inconsistent, resulting in an environment that is vulnerable to security issues.


• Deploying or upgrading a new computer system is usually a manual process that is accomplished by using DVDs or CDs, and which typically results in an inconsistent baseline for business desktops.

Standardized Level

Organizations at the standardized automation level still maintain multiple desktop operating systems; however, desktop installation and upgrades are managed by an automated deployment method using a defined set of base image standards for each platform. The deployment method is considered a Lite Touch approach, which requires minimal interaction with the clients on the network.

The standardized level assumes that methods are in place for an automated patch management process that consistently maintains the business desktops’ update status. Application testing is typically at the departmental level to ensure compatibility after the desktop deployment or upgrade.

Rationalized Level

A rationalized automation level has a fully automated infrastructure with processes in place to implement Zero Touch desktop upgrades, new installations, and automated patch management. Zero Touch performs installations without any manual interaction and requires an enterprise deployment solution such as Microsoft System Center Configuration Manager 2007 or Microsoft Systems Management Server 2003, with the Operating System Deployment (OSD) Feature Pack.

The rationalized level requires that the desktop environment follow a common standard, and the corporate level defines the common image. Application testing follows structured corporate certification standards and processes.

Dynamic Level

The dynamic automation level automates the entire desktop deployment and management process, and increases the automation scope to server platforms. As new computers are purchased, the OEM partner ensures that a corporate-approved reference image is applied before shipping the computer to the organization. The dynamic environment also incorporates a structured and more centralized application testing process that is more automated and defined with certification standards and processes.

Question: What is the reason for adopting an optimization-level transition project?


Considering the Cost Savings of Automation

Key Points

An effective desktop deployment strategy must minimize the costs associated with the implementation. This goal is realized when the deployment method incorporates tools and processes that are automated and require minimal resources.

Decreasing Desktop Deployment Costs

Increasing the automation level within your environment can significantly decrease costs associated with deployment, installation, and management of your business desktops. The following points describe how deployment costs inversely relate to the automation level:
• Manual-based deployment: the most expensive way to implement a new desktop operating system or software application. The high costs result from the lack of automation tools and a subsequent increase in resources required to design, deploy, and manage the entire installation process.
• Lite Touch deployment: the standardized approach minimizes costs by incorporating an increased level of Lite Touch automation by using deployment tools and technologies. A Lite Touch deployment still requires minimal user interaction and can incorporate multiple operating systems within the environment, which can result in moderate organizational costs.
• Zero Touch deployment: the cost for a Zero Touch deployment process based upon a rationalized or dynamic automation environment might be initially higher than other methods; however, the costs of ongoing management and subsequent deployment initiatives will be significantly lower than with the manual or Lite Touch deployment methods.

Question: What are the financial benefits of changing the optimization level?


Discussion: Determining Your Automation Level

Use the following questions to encourage discussion:
• Which automation level describes your organization’s current network environment?
• Describe the network environment characteristics that determine your automation level.
• What can you do to promote your network environment to a higher automation level?


Lesson 3
Tools and Technologies Used in the Desktop Deployment Lifecycle

An effective desktop deployment project follows a framework that outlines specific steps and processes throughout the task. Each step within the framework incorporates tools and technologies to support a Lite Touch or Zero Touch deployment process. This lesson describes the desktop deployment lifecycle and provides information on tools and technologies used for each step within the process.


Tools Used to Support the Planning Phase

Key Points

One major challenge in deploying a new business desktop is to determine compatibility with existing systems that might be upgraded to Windows 7. You might also face challenges when attempting to migrate applications and user settings from previous desktop configurations to the new desktop installation. Hardware and application compatibility issues can significantly delay an upgrade or migration to a new operating system, and the loss of user settings can affect productivity and user satisfaction with deployment.

The key to a successful desktop deployment is to obtain as much information about the existing desktop environment as possible. Also, try to obtain guidance and best practices to assist you in each of your desktop deployment project phases.
• Microsoft Assessment and Planning Toolkit (MAP)
• Microsoft Application Compatibility Toolkit (ACT)
• Enterprise Learning Framework (ELF)
• Microsoft Deployment Toolkit (MDT)
• System Center Configuration Manager 2007
• Microsoft Desktop Optimization Pack for Asset inventory planning

These tools can be used to support the planning phase to help ensure an effective desktop deployment.

Microsoft Assessment and Planning Toolkit

The Microsoft Assessment and Planning Toolkit (MAP) is a powerful inventory, assessment, and reporting tool that can run in small or large IT environments without requiring the installation of agent software on any computers or devices. The data and analysis provided by this Solution Accelerator can significantly simplify the planning process for migrating to Windows 7.


MAP can be used to scan and assess your organization’s readiness for Windows 7 upgrades. MAP uses several agentless methods to connect to computers on the network, assess their hardware and device compatibility with Windows 7, and then create comprehensive Microsoft Office Word and Microsoft Office Excel® reports.

The reports also provide information related to the following:
• Deployment blockers: Devices and basic input/output system (BIOS) versions that are not compatible with Windows 7.
• Windows 7 experience: The anticipated Windows 7 experience based on currently available system resources. The Windows 7 experience includes the availability of the Windows Aero® enhanced user interface and desktop features.
• Upgrade recommendations: Specific recommendations for upgrading computer hardware to improve the Windows 7 experience.
• Device driver availability: Device driver requirements for hardware that is currently installed on the computer system that will be upgraded to Windows 7.

Microsoft Application Compatibility Toolkit

To help ensure that applications do not break when you deploy the new operating system, you must carefully plan for the integration by taking inventory of all applications in the environment, testing them thoroughly, and addressing mitigation requirements as needed. Microsoft’s Application Compatibility Toolkit (ACT) provides the following capabilities:
• Data collection and inventory: Compatibility evaluators can be deployed to network clients to collect an installed applications inventory, and identify compatibility issues related to Windows Internet Explorer®, User Account Control, security updates, and components that have been deprecated in the Windows 7 operating system.
• Detailed analysis: You can rationalize and prioritize the data and inventory collected to determine and manage issues and mitigations related to application compatibility.
• Compatibility mitigation: ACT provides a number of tools that you can use to create mitigation packages that will address compatibility issues.
• Application programming interfaces (APIs) for independent software vendors (ISVs): ACT supports a software development kit (SDK) that provides extensibility through a set of APIs for ISVs and non-Microsoft applications. This also includes a Web service that can be used to retrieve the latest compatibility data.

Enterprise Learning Framework

The Enterprise Learning Framework (ELF) is an online tool that can be used to assist with user communication and training. ELF helps users determine the most relevant learning topics on Windows Online Help and Microsoft Office Online for different deployment stages and user types.
ELF provides a number of deployment benefits:
• Helps prepare employees for deployment, and raises awareness of new features.
• Minimizes disruption by bringing employees up to speed with a short list of “must know” topics.
• Provides tips and tricks and other productivity topics to help users get the most from Windows 7 and the 2007 Microsoft Office release after deployment.

Microsoft Deployment Toolkit

The Microsoft Deployment Toolkit (MDT) consists of a collection of guidance material and tools to help produce repeatable and scalable desktop deployment solutions based upon Lite Touch and Zero Touch technologies. This solution package can assist you throughout the planning phase to help you understand the requirements, best practices, and methods used to implement an efficient and cost-effective desktop deployment strategy. More information about MDT is provided throughout the rest of this course.

Microsoft Desktop Optimization Pack Asset Inventory Service

Microsoft Asset Inventory Service (AIS) provides a comprehensive view of the software installed on client computers in your enterprise. It helps reduce the total cost of managing software by providing a categorized software inventory and translating the inventory data into useful, actionable information.

AIS is a core component of the Microsoft Desktop Optimization Pack for Software Assurance, a suite of advanced technologies to improve desktop manageability and security and decrease total cost of ownership (TCO).

AIS consists of two parts:
• A Web-based service that Desktop Optimization Pack subscribers can log on to in order to view inventories of software installed on client computers in their enterprises.
• Client software that communicates with the Web-based service and supplies it with an inventory of programs that are installed on each client computer.

System Center Configuration Manager 2007

Microsoft System Center Configuration Manager 2007 provides a comprehensive solution for change and configuration management for the Microsoft platform. Configuration Manager 2007 allows you to perform tasks such as:
• Deploying operating systems
• Deploying software applications
• Deploying software updates
• Metering software usage
• Assessing variation from desired configurations
• Taking hardware and software inventory
• Remotely administering computers

Configuration Manager 2007 collects information in a Microsoft SQL Server® database, allowing queries and reports to consolidate information throughout the organization. Configuration Manager 2007 can manage a wide range of Microsoft operating systems, including client platforms, server platforms, and mobile devices.

Question: What is the purpose of the System Center Configuration Manager 2007?


Tools Used to Support the Building Phase

Key Points

Deploying a Windows 7 desktop is now simpler because of a number of enhanced engineering tools used to create and maintain computer images. Windows 7 support for the Windows Imaging (WIM) file format provides the ability to create and distribute hardware-independent images to desktops throughout the organization. The following sections provide an overview of the various tools that are used to build and maintain images for a Windows 7 deployment.

MDT Deployment Workbench

The MDT includes the MDT Deployment Workbench, which is the primary tool used to create and manage components related to a Windows 7 desktop deployment process. An MDT deployment solution includes the following:
• Deployment Share: This component is used to create and manage the distribution share, which contains source files related to the operating systems, applications, packages, and out-of-box drivers used in the deployment process.
  This component also provides the ability to configure various deployment methods such as a single-server deployment, a separate deployment share, and removable media such as a USB or DVD image, or the ability to create a directory containing all of the files needed for customizing a Systems Management Server deployment program.
• Task Sequences: This component is used to create and manage various builds for deployment throughout the organization.

Windows Automated Installation Kit

The Windows Automated Installation Kit (AIK) is a collection of tools and documentation designed to help IT Professionals deploy Windows.


Windows AIK is ideal for highly customized environments. The tools in the AIK enable you to configure many deployment options, and they provide a high degree of flexibility.

Windows System Image Manager

Windows System Image Manager (Windows SIM) is a tool for customizing and automating Windows 7 installation. Specific features include the following:
• Create and edit XML-based unattended configuration files used for automating the installation or preparation of a Windows 7 deployment.
• Add, modify, or delete optional components—such as languages, service packs, updates, and device drivers—within an existing image by using an unattend file.
• Script Windows SIM from the command line.

ImageX

ImageX is a tool used to create system images. It provides many capabilities that improve the disk-imaging experience, including the following:
• Mount an image file to perform offline updates.
• Take an image of an existing computer for distribution or for backup. You can save the image to a distribution share from which users can install the image, or you can push the image out to a target desktop.
• Use scripting tools to create and edit images.
• Minimize the number of standard images by providing hardware abstraction layer (HAL) independence.

Deployment Image Servicing and Management (DISM)

DISM is the tool used to apply updates, drivers, and language packs to a Windows image. DISM is available in all installations of Windows 7 and Windows Server 2008 R2.

Microsoft Windows Pre-installation Environment

Windows Pre-installation Environment (Windows PE) is a bootable environment that provides operating system features for installation, troubleshooting, and recovery. Windows PE is not a general purpose operating system; instead, it is designed to be used for three specific tasks:
• Installing Windows 7
• Troubleshooting
• Recovery

User State Migration Tool

You can use the User State Migration Tool (USMT) 4.0 to streamline and simplify user state migration during large deployments of Windows 7 operating systems. USMT captures user accounts, user files, operating system settings, and application settings, and then migrates them to a new Windows installation. You can use USMT for both PC replacement and PC refresh migrations.

USMT 4.0 enables you to do the following:
• Configure the migration according to your business needs by using the migration rule (.xml) files to control exactly which files and settings are migrated and how they are migrated. USMT also allows you to configure user account migration on the ScanState and LoadState command lines.
• Fit a customized migration into your automated deployment process by using ScanState and LoadState, which control collecting and restoring user files and settings.


• Perform offline migrations. You can run the ScanState command in Windows PE or you can perform migrations from previous installations of Windows contained in Windows.old directories.

USMT provides the following features:
• Operating system components migration: There are several operating system components that might be included in a USMT migration, such as Internet Explorer settings, Microsoft Outlook® Express mail files, desktop wallpaper and icons, accessibility settings, Favorites, or Microsoft Open Database Connectivity settings.
• Application settings migration: Only a limited set of application settings can be migrated by using the USMT. Applications include Microsoft Office and MSN® Messenger. USMT does not migrate the applications, only the application settings.

Question: You have decided to use the Windows AIK to deploy Windows 7. What do you use to create the images for the magazine development group?
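The following is an added example, not part of the course material: one way to use DISM for the offline servicing described in the Building Phase section above, so that updates and drivers are already in the image before any desktop is deployed from it. It is PowerShell run from an elevated prompt; every path, the image index, and the Invoke-Dism and Update-OfflineImage helper names are assumptions for illustration.

```powershell
# Added example (not from the course): offline servicing of a Windows 7 WIM image.
# All paths and the image index are placeholders (assumptions).
$WimFile  = 'D:\Images\install.wim'          # image to service
$Index    = 1                                # index of the image inside the WIM
$MountDir = 'D:\Mount'                       # existing, empty folder used as mount point
$Updates  = 'D:\Updates'                     # folder holding .msu / .cab update packages
$Drivers  = 'D:\Drivers'                     # folder tree holding .inf driver packages
$Report   = 'D:\Images\install-packages.txt' # record of what the image contains

function Invoke-Dism {
    # Runs dism.exe and throws on a non-zero exit code, so a failed step
    # is never silently committed to the image.
    param([string[]]$Arguments)
    & dism.exe $Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "dism.exe $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

function Update-OfflineImage {
    Invoke-Dism @('/Mount-Wim', "/WimFile:$WimFile", "/Index:$Index", "/MountDir:$MountDir")
    $serviced = $false
    try {
        # Add each update separately so the output shows exactly which one failed.
        $packages = Get-ChildItem -Path $Updates -Recurse |
            Where-Object { $_.Extension -match '^\.(msu|cab)$' } |
            Sort-Object Name
        foreach ($package in $packages) {
            Invoke-Dism @("/Image:$MountDir", '/Add-Package', "/PackagePath:$($package.FullName)")
        }

        # Inject drivers. /ForceUnsigned is deliberately not used, so driver
        # signature checks are not bypassed.
        Invoke-Dism @("/Image:$MountDir", '/Add-Driver', "/Driver:$Drivers", '/Recurse')

        # Keep a list of the packages now present, for later baseline comparison.
        Invoke-Dism @("/Image:$MountDir", '/Get-Packages') | Out-File -FilePath $Report
        $serviced = $true
    }
    finally {
        if ($serviced) {
            Invoke-Dism @('/Unmount-Wim', "/MountDir:$MountDir", '/Commit')
        }
        else {
            # Something failed: throw the changes away instead of saving
            # a half-serviced image.
            & dism.exe /Unmount-Wim "/MountDir:$MountDir" /Discard
        }
    }
}

Update-OfflineImage
```

The package report gives a reference point for checking later which updates a deployed desktop should already contain.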


Tools Used to Support the Deploying Phase

Key Points

Deploying Windows 7 using Lite Touch or Zero Touch requires specific tools to support the technologies and scripts used for the deployment scenario. The following sections provide an overview of tools used for these types of scenarios.

MDT Deployment Workbench

As mentioned previously, the Deployment Workbench is also used to configure and manage various Lite Touch or Zero Touch deployment methods.

Windows Deployment Services

Windows Deployment Services can be used for storing, managing, and deploying client and server images. Windows Deployment Services uses the Preboot Execution Environment (PXE) boot process to install the operating system, including bare-metal installations.

System Center Configuration Manager 2007/Systems Management Server 2003 (SMS 2003)

System Center Configuration Manager 2007 and Systems Management Server 2003 provide a comprehensive solution for change and configuration management of the Microsoft platform. Either management solution can be used for distributing operating systems, applications, and software updates.

If your organization uses Systems Management Server 2003, you will need to integrate the Systems Management Server 2003 Operating System Deployment (OSD) Feature Pack to assist with deploying the operating systems. The OSD Feature Pack is a Systems Management Server 2003 add-on that is used to create operating system images within Systems Management Server 2003, which you can then deploy to and manage for your clients using Zero Touch installation methods. The OSD Feature Pack is free and can be downloaded from the Microsoft Web site.


Configuration Manager 2007 collects information in a Microsoft SQL Server database, allowing queries and reports to consolidate information throughout the organization. Configuration Manager 2007 can manage a wide range of Microsoft operating systems, including client platforms, server platforms, and mobile devices.

User State Migration Tool

Use the User State Migration Tool (USMT) 4.0 when hardware and/or operating system upgrades are planned for a large number of computers. The USMT manages the migration of an end-user’s digital user state by capturing the user’s operating-system settings, application settings, and personal files from a source computer and reinstalling them after the upgrade has occurred. PC refresh refers to when only the operating system is being upgraded. PC replacement refers to when one piece of hardware is being replaced, typically by newer hardware and a newer operating system.

Question: You are deploying 500 new computers in the enterprise. What tool do you use to migrate user settings and user state to the new computers?
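The following is an added example, not part of the course material: a PC replacement migration with the ScanState and LoadState command lines in which the migration store, which holds users' files and settings, is encrypted while it sits on a network share. It is PowerShell run from an elevated prompt; the share, domain name, key file location, folder paths, and helper function names are assumptions for illustration.

```powershell
# Added example (not from the course): USMT 4.0 PC-replacement migration
# with an encrypted migration store. All names below are placeholders.
$UsmtDir   = 'C:\USMT\amd64'        # folder holding scanstate.exe, loadstate.exe and rule files
$StoreRoot = '\\FS01\MigStore'      # hypothetical file server share for migration stores
$KeyFile   = 'E:\usmt-key.txt'      # text file containing the key, kept off the share
$Domain    = 'CONTOSO'              # placeholder domain whose users are migrated
$LogDir    = 'C:\USMT\Logs'

function Invoke-Usmt {
    # Runs a USMT tool and throws on a non-zero exit code.
    param([string]$Tool, [string[]]$Arguments)
    if (-not (Test-Path $KeyFile)) { throw "Key file $KeyFile not found" }
    New-Item -ItemType Directory -Force -Path $LogDir | Out-Null
    & (Join-Path $UsmtDir $Tool) $Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "$Tool exited with code $LASTEXITCODE; check the log in $LogDir"
    }
}

function Save-UserState {
    # Run on the source (old) computer.
    param([string]$SourceComputer = $env:COMPUTERNAME)
    Invoke-Usmt 'scanstate.exe' @(
        "$StoreRoot\$SourceComputer",
        "/i:$UsmtDir\MigApp.xml",   # application settings rules
        "/i:$UsmtDir\MigUser.xml",  # user files and settings rules
        '/ue:*\*',                  # exclude every account by default ...
        "/ui:$Domain\*",            # ... then include only domain accounts
        '/o',                       # overwrite an existing store for this computer
        '/encrypt',                 # encrypt the store
        "/keyfile:$KeyFile",        # key read from a file, not typed on the command line
        "/l:$LogDir\scanstate.log",
        '/v:5'
    )
}

function Restore-UserState {
    # Run on the destination (new) computer after Windows 7 and the
    # applications are installed. The source computer name selects the store.
    param([Parameter(Mandatory = $true)][string]$SourceComputer)
    Invoke-Usmt 'loadstate.exe' @(
        "$StoreRoot\$SourceComputer",
        "/i:$UsmtDir\MigApp.xml",
        "/i:$UsmtDir\MigUser.xml",
        '/ue:*\*',
        "/ui:$Domain\*",
        '/decrypt',
        "/keyfile:$KeyFile",
        "/l:$LogDir\loadstate.log",
        '/v:5'
    )
}

# Usage: Save-UserState on the old PC, then on the new PC:
# Restore-UserState -SourceComputer OLDPC01
```

Using /keyfile keeps the key out of the command line, and limiting the migration to domain accounts leaves local accounts on the old computer behind.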


Lesson 4
Assessing the Current Computing Environment for Deploying Windows 7

Before deploying Windows 7, ensure that your computer meets the minimum hardware requirements. In addition, decide what edition of Windows 7 best suits your organizational needs. You must also decide which architecture to use, either the 32-bit or the 64-bit platform of Windows 7.

Once you have established your hardware requirements and decided which edition of Windows 7 to deploy, there are several options to install and deploy Windows 7. Depending on several factors, such as your organization’s deployment infrastructure, policy and automation, you may want to select one or more installation options.


Windows 7 Key Features

Key Points

Windows 7 includes many features that enable users to be more productive. It also provides a safer desktop environment and a higher level of reliability when compared to the previous versions of Windows.

The key features of Windows 7 are categorized as follows:
• Usability: Windows 7 includes tools to simplify a user’s ability to organize, search for, and view information. In addition, Windows 7 communication, mobility, and networking features help users connect to people, information, and devices by using simple tools.
• Security: Windows 7 is built on a fundamentally safer platform based on the Windows Vista® foundation. User Account Control (UAC) in Windows 7 adds security by limiting administrator-level access to the computer, restricting most users to run as Standard Users.
  Streamlined UAC in Windows 7 reduces the number of operating system applications and tasks that require elevation of privileges and provides flexible prompt behavior for administrators, allowing standard users to do more and administrators to see fewer UAC elevation prompts.
• Multi-tiered data protection: Rights Management Services (RMS), Encrypting File System (EFS), Windows BitLocker Drive Encryption, and Internet Protocol Security (IPsec) provide different levels of data protection in Windows 7.
   • RMS enables organizations to enforce policies regarding document usage.
   • EFS provides user-based file and directory encryption.
   • BitLocker and BitLocker To Go provide full-volume encryption of the system volume, including Windows system files and removable devices.
   • IPsec isolates network resources from unauthenticated computers and encrypts network communication.


• Reliability and performance: Windows 7 takes advantage of modern computing hardware, allowing it to run more reliably and provide more consistent performance than previous versions of Windows.
• Deployment: Windows 7 is deployed by using an image, which makes the deployment process efficient because of the following factors:
   • Windows 7 installation is based on Windows Imaging (WIM), which is a file-based disk-imaging format.
   • Windows 7 is modularized, which makes customization and deployment of the images simpler.
   • Windows 7 uses Extensible Markup Language (XML)-based, unattended setup answer files to enable remote and unattended installations.
   • Deploying Windows 7 by using Windows Deployment Services in Windows Server 2008 R2 is optimized with Multicast with Multiple Stream Transfer and Dynamic Driver Provisioning.
   • Servicing and managing images is consolidated in one tool, Deployment Image Servicing and Management (DISM).
   • Migrating user state is made more efficient with hard-link migration, offline user state capture, volume shadow copy, and improved file discovery in USMT 4.0.
• Manageability: Windows 7 introduces several manageability improvements that can reduce cost by increasing automation.
   • Microsoft Windows PowerShell 2.0 enables IT professionals to create and run scripts on a local PC or on remote PCs across the network.
   • Group Policy scripting enables IT professionals to manage Group Policy Objects (GPOs) and registry-based settings in an automated manner.
  Windows 7 improves the support tools to keep users productive and reduce help desk calls, including:
   • Built-in Windows Troubleshooting Packs that enable end-users to solve many common problems on their own.
   • Improvements to the System Restore tool that inform users of applications that might be affected when they are returning Windows to an earlier state.
   • The new Problem Steps Recorder, which enables users to record screenshots, click-by-click, to reproduce a problem.
   • Improvements to the Resource Monitor and Reliability Monitor, which enable IT Professionals to more quickly diagnose performance, compatibility, and resource limitation problems.
  Windows 7 also provides flexible administrative control with the following features:
   • AppLocker, which enables IT professionals to have more flexibility when setting policy on which applications and scripts users can run or install.
   • Auditing improvements, which enable IT professionals to use Group Policy to configure more comprehensive auditing of files and registry access.
   • Group Policy Preferences that define the default configuration, which users can change, and provide centralized management of mapped network drives, scheduled tasks, and other Windows components that are not Group Policy-aware.
• Productivity: Windows 7 improvements to the user interface help users and IT Professionals increase their productivity with features such as Windows Search. Windows 7 improves the experience of mobile and remote users by introducing BranchCache, DirectAccess, and VPN Reconnect.
   • BranchCache increases network responsiveness of applications and gives users in remote offices an experience like working in the head office.


   • DirectAccess connects mobile workers seamlessly and safely to their corporate network any time they have Internet access, without the need to use a VPN.
   • VPN Reconnect provides seamless and consistent VPN connectivity by automatically reestablishing a VPN when users temporarily lose their Internet connections.
• Windows 7 XP Mode: Windows 7 introduces Windows Virtual PC, which provides the capability to run multiple environments, such as Windows XP mode, from a Windows 7 computer. This feature enables you to publish and launch applications installed on virtual Windows XP directly from a Windows 7 computer, as if they were installed on the Windows 7 host itself.

Question: What key feature of Windows 7 will help your organization to control the applications that employees can install on their computers?


Editions of Windows 7

There are six Windows 7 editions: two editions for mainstream consumers and business users and four specialized editions for enterprise customers, technical enthusiasts, emerging markets and entry level PCs. The following are the available editions of Windows 7:

• Windows 7 Starter: This edition is targeted specifically for small form factor PCs in all markets. It is only available for the 32-bit platform. Features include an improved Windows Taskbar and Jump Lists, Windows Search, ability to join a HomeGroup, Action Center, Device Stage, Windows Fax and Scan, enhanced media streaming, including Play To, and broad applications and device compatibility.
• Windows 7 Home Basic: This edition is targeted for value PCs in emerging markets; it is meant for accessing the Internet and running basic productivity applications. This edition includes all features available in Windows 7 Starter, and other features, such as Live Thumbnail previews, enhanced visual experiences and advanced networking support.
• Windows 7 Home Premium: This is the standard edition for customers. It provides full functionality on the latest hardware, simple ways to connect, and a visually rich environment. This edition includes all features available in Windows 7 Home Basic and other features, such as Windows Aero, advanced windows navigation and Aero background, Windows Touch, ability to create a HomeGroup, DVD Video playback and authoring, Windows Media Center, Snipping Tool, Sticky Notes, Windows Journal and Windows Sideshow.
• Windows 7 Professional: This edition is the business-focused edition for small and lower mid-market companies and users who have networking, backup, and security needs and multiple PCs or servers. It includes all features available in Windows 7 Home Premium, and other features, such as core business features including Domain Join and Group Policy, data protection with advanced network backup and Encrypted File System, ability to print to the correct printer at home or work with Location Aware Printing, Remote Desktop host and Offline folders.
• Windows 7 Enterprise: This edition provides advanced data protection and information access for businesses that use IT as a strategic asset. It is a business-focused edition, targeted for managed environments, mainly large enterprises. This edition includes all features available in Windows 7 Professional, and other features, such as BitLocker, BitLocker To Go, AppLocker, DirectAccess, BranchCache, Enterprise Search Scopes, all worldwide interface languages, Virtual Desktop Infrastructure (VDI) enhancements and ability to boot from a VHD.
• Windows 7 Ultimate: This edition is for technical enthusiasts who want all Windows 7 features, without a Volume License agreement. It includes all of the same features as Windows 7 Enterprise. Windows 7 Ultimate is not licensed for VDI scenarios.

Note: Microsoft also produces an N edition of Windows 7 Starter, Windows 7 Home Basic and Windows 7 Professional. The N editions of Windows 7 include all of the same features as the corresponding editions, but do not include Microsoft Windows Media® Player and related technologies. This enables you to install your own media player and associated components.

Note: There are 32 and 64-bit versions available for all editions of Windows 7 except Windows 7 Starter, which is available only as a 32-bit operating system.

Question: Which edition of Windows 7 must you choose in the following scenarios?

Scenario 1: There are a few users in your organization. Currently, you do not have a centralized file server and all the computers are not joined to a domain.

Scenario 2: Your organization has more than one hundred users who are located in several offices across the country. In addition, you have several users that travel frequently.

Question: What is the difference between the Enterprise and the Ultimate edition of Windows 7?


Hardware Requirements for Windows 7

Key Points

It is important to know the hardware requirements for Windows 7. Your system must meet the minimum requirements for the edition that you are installing. If it does not, you must know what components need to be upgraded to meet the requirements. In general, hardware requirements for Windows 7 are the same as Windows Vista.

Hardware Requirements for Specific Features

Actual requirements and product functionality may vary based on your system configuration. For example:

• While all editions of Windows 7 can support multiple core CPUs, only Windows 7 Professional, Ultimate, and Enterprise can support dual processors.
• Windows BitLocker Drive Encryption requires a Universal Serial Bus (USB) Flash Drive or a system with a Trusted Platform Module (TPM) 1.2 chip.
• Windows XP Mode requires Windows 7 Professional, Windows 7 Ultimate, or Windows 7 Enterprise.

If you plan to implement BitLocker to protect your computer’s system drive, you must create two partitions on your hard disk when installing the operating system. Both partitions must be formatted for the NTFS file system. One partition is encrypted while the other remains unencrypted. The unencrypted partition contains the boot files needed to initialize the operating system: the BOOT folder and the bootmgr file.

Question: What is the typical computer specification within your organization? Contrast that specification to what was available when Windows Vista was released. Do you think Windows 7 can be deployed to the computers within your organization as they currently are?


Assessment Features of the MAP Toolkit

Key Points

You can use MAP to inventory and assess IT environments to simplify the planning process for solutions related to the following technologies:

• Windows 7
• Windows Vista
• The 2007 Microsoft Office system
• The Windows Server 2008 operating system
• Windows Server 2008 Hyper-V virtualization technology
• Microsoft Virtual Server 2005 R2
• Microsoft SQL Server 2008
• Microsoft Application Virtualization 4.5
• Microsoft Online Services
• Microsoft Forefront

MAP performs three key functions: hardware inventory, compatibility analysis, and readiness reporting.

Hardware Inventory

MAP collects hardware inventory throughout your network environment using agentless collection methods such as Windows Management Instrumentation (WMI), the Remote Registry Service, Simple Network Management Protocol (SNMP), Active Directory® Domain Services (AD DS), and the Computer Browser Service.

MAP can inventory and assess the following Windows platforms:

• Windows 7
• Windows Vista
• Windows XP Professional operating system
• The Windows Server 2003 or Windows Server 2003 R2 operating systems
• The Microsoft Windows 2000 Professional or Windows 2000 Server operating systems
• Windows Server 2008

Compatibility Analysis

After the hardware inventory takes place, MAP performs a hardware and device compatibility analysis for migration to Windows 7. If migration is not recommended, a detailed report describes the roadblocks and possible remediations.

Readiness Reporting

MAP generates a variety of summary and assessment result reports in Office Excel and Office Word format. Some of the Windows 7 or Windows Server 2008 deployment reports that can be generated include:

• Details about computers currently installed with Windows client operating systems, and recommendations for migration to Windows 7.
• Details about computers currently installed with Windows server operating systems, and recommendations for migration to Windows Server 2008.
• Details of currently installed Microsoft Office versions, and recommendations for migrating to the 2007 Office system.

Question: You need to create a hardware inventory throughout the enterprise. This might involve up to 800 computers plus peripherals. What is the best tool to accomplish this and why?


Demonstration: Assessing the Computing Environment by using the MAP Toolkit

This demonstration shows how to use the Microsoft Assessment and Planning Toolkit.

Configuring and Running the Microsoft Assessment and Planning Toolkit

1. Use the Microsoft Assessment and Planning Toolkit to create an inventory database named Demonstration and then start the Inventory and Assessment Wizard.
2. Note the available options on the Computer Discovery Methods page.
3. Fill in the Active Directory Credentials page and then review the Active Directory Options.
4. Ensure that your domain is included in the Workgroups and Windows domains.
5. Create a New Account on the Inventory Account page.
6. Complete and close the wizard.

Review the Summary Results

1. In the Inventory and Assessment pane, review the following:
• Windows 7 Readiness Summary Results
• Windows Server 2008 R2 Readiness Summary Results
• Windows Vista Readiness Summary Results
• Windows Server 2008 Readiness Summary Results
• Virtual Machine Discovery Results
• Windows Server Roles Discovery Results
2. Generate a report or proposal.

Question: If your company was going to slowly migrate to Windows 7, how do you generate assessment reports for each planned deployment?


Overview of Collecting Inventory by Using Configuration Manager 2007

Key Points

You can use Configuration Manager 2007 to collect hardware and software inventory from Configuration Manager 2007 clients by enabling the client agents on a site-by-site basis.

When enabled, the inventory client agents create an inventory report based on the client inventory information collected and then send it to the client’s management point. The management point then forwards the inventory information to the Configuration Manager site server, which stores the inventory information in the site database.

Question: You have decided to use Configuration Manager 2007 to collect inventory data in the enterprise. Many of the computers are Windows 2003 Server and you are unable to collect data on those computers. What might be the problem?


Overview of Collecting Asset Inventory by Using MDOP

Key Points

Microsoft Desktop Optimization Pack (MDOP) helps IT professionals improve control of their desktop environments. MDOP provides a comprehensive set of tools to help IT professionals move their organization’s desktop strategy from a basic infrastructure maturity level to a dynamic maturity level.

MDOP is a collection of tools that help streamline all aspects of managing a desktop environment. You can use the following MDOP tools to make your IT environment more dynamic:

• Microsoft Application Virtualization (formerly SoftGrid)
• Microsoft Diagnostics and Recovery Toolset (DaRT)
• Microsoft Asset Inventory Service (AIS)
• Microsoft Advanced Group Policy Management (AGPM)
• Microsoft System Center Desktop Error Monitoring (DEM)

AIS helps you move to the Rationalized IT maturity level by providing up-to-date and insightful reports, thus keeping you informed about your environment.

Asset Inventory Service (AIS) is a hosted, Web-based service that collects information and provides reports about the software being used in your environment. AIS deploys an agent to the computers that you want to inventory. The agent then securely reports the software inventory to the AIS database.

How AIS Works

AIS deploys a preconfigured client to target systems. The administrator can configure the client for the desired data collection interval. The client can be downloaded and installed manually but usually will be deployed by using an automated method, such as a Group Policy Object (GPO) software installation policy or electronic distribution software.


Benefits of Asset Inventory Service

Asset Inventory Service is a hosted solution and therefore is accessible from virtually anywhere in the world. It also helps provide access to the reporting to other managers in your organization, even if they are not technical. Effectively managing your software-asset inventory is vital to ensuring compliance and optimizing IT budgets. AIS can help you to identify applications and installations that contradict your corporate policies and can report down to the computer name level to help with recovery and troubleshooting. You can also use AIS to analyze the software to forecast organizational needs.

Question: You are responsible for deploying systems at sites in Germany, Japan, India, and the United States. Why is AIS a good inventory asset tool in this case?


Network Infrastructure Requirements for a Desktop Deployment

Typically, the client installation will require an image greater than 2 GB to be copied to the target computer. If the network share or Windows Deployment Services option is selected, the ideal situation is when the target computer is connected to the deployment share or deployment server by a gigabit-switched network connection to maximize the available network bandwidth. However, this ideal scenario is not usually a requirement for single installations, such as the support scenario that is the focus of this course.

A 100-MB Ethernet connection is more than capable of supporting a single installation. However, the desktop support technician needs to determine the bandwidth available on the network before starting the installation. If the network is already heavily used for large file transfers or real-time data transfers such as video streaming or Voice over IP (VoIP) traffic, the additional overhead of a network-based installation might be too much.

If the connection between the target computer and the network share or deployment server is a limited-bandwidth link such as a remote connection or wide area network (WAN), a network-based installation is typically not recommended.

Note: If your network infrastructure supports a mechanism to control the bandwidth allocation, such as Quality of Service (QoS), and the extended installation times are within the support requirements, it is possible that your network can support a remote deployment solution.


Considerations for Assessing the Current Network Infrastructure

To help gather the information required for the phase of the project that assesses the current network infrastructure, certain prerequisites for the deployment phase must be met or recognized:

Hardware and Software Inventories

This information takes the form of a diagram and must be as current as possible. It can begin with a geographic map outlining the number and function of computers for each site.

Prepare Network Infrastructure Diagram

This information takes the form of a network diagram and must be as current as possible. This diagram often includes a geographical network map outlining local area network (LAN) and wide area network (WAN) links in addition to speeds and available bandwidth. This diagram also includes remote access connections and the number of remote users and their location. If common traffic patterns, such as peak loads, are identifiable, they are also included. Finally, this diagram includes the network’s addressing scheme.


Collect Network Performance Statistics

Most workloads require access to production networks to ensure communication with required applications and services and to communicate with users. Network requirements usually include throughput, that is, the total amount of traffic that passes a given point on a network connection per unit of time. The presence of multiple network connections is sometimes another requirement, because workloads might require access to multiple networks that must remain secure.

Prepare Service Infrastructure Documentation

This information takes the form of a server diagram and must be as current as possible. This diagram includes a description of each server located in any site and the server’s function and role in the overall network.

Prepare Management Infrastructure Documentation

This information takes the form of a diagram outlining how network systems are managed within the organization and must be as current as possible. This includes specific information about the following:

• Client computer management, including portable and remote computers.
• Management toolkit outlining application names, the number of servers involved in this management toolkit, and their role and capacity for growth.
• Technical support structure outlining the roles and responsibilities of the staff involved in computer management and computer support.
• Standards and procedures currently in use for the management of computers, ideally including information such as existing current system builds and build methodology, and application portfolio management and use practices.

Question: What is your best option for deployment if you have a large number of customizations at a location?


Lab A: Assessing the Computing Environment by Using the Microsoft Assessment and Planning Toolkit

Scenario

You are the team lead for the Windows 7 deployment project at Contoso Ltd. Contoso currently uses Windows Vista on the company desktop computers. You are planning for the Windows 7 deployment to take place within the next month.

As part of the deployment process, you need to determine if there are any hardware compatibility issues with Windows 7. You will use the Microsoft Assessment and Planning Toolkit to help inventory, analyze, and then determine the necessary hardware upgrades.

Computers in This Lab

Before you begin the lab, you must start the virtual machines. The virtual machines used at the start of this lab are:

• 6294A-LON-DC1
• 6294A-LON-CL2
• 6294A-LON-VS1
• 6294A-LON-VS2

Start the virtual machines

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In the Virtual Machines pane, click the virtual machine name. In the Actions pane, under the virtual machine name, click Start.
3. To connect to the virtual machine, click the virtual machine name, and in the Actions pane, under the virtual machine name, click Connect.


Exercise 1: Configure the Microsoft Assessment and Planning Toolkit

Note: LON-DC1 is the computer running Windows Server 2008 R2 which is the domain controller and shared network location for the lab files. LON-CL2 is the client computer running Windows 7.

Task 1: Configure the Microsoft Assessment and Planning Toolkit

• Log on to the LON-CL2 virtual machine as Contoso\Administrator with a password of Pa$$w0rd.
• Launch the Microsoft Assessment and Planning Toolkit from the Start menu.
• Specify to Create an inventory database named Contoso Inventory.

Results: After this exercise, you will have MAP 4.0 configured on LON-CL2.


Exercise 2: Use the Microsoft Assessment and Planning Toolkit to Create a Client Assessment Report

Note: LON-DC1 is the computer running Windows Server 2008 R2 which is the domain controller and shared network location for the lab files. LON-CL2 is the client computer running Windows 7.

Task 1: Run the Windows 7 Readiness Assessment Wizard

• In the Discovery and Readiness pane, click Inventory and Assessment Wizard.
• Configure the Active Directory Credentials page with the following:
  Domain: Contoso.com
  Domain Account: Contoso\Administrator
  Password: Pa$$w0rd
• On the Windows Networking Protocols page ensure the following:
  Workgroups and Windows domains to include in the inventory: Contoso
• Use the following WMI Credentials:
  Domain name: Contoso
  Account name: Administrator
  Password: Pa$$w0rd
  Confirm password: Pa$$w0rd
• Once the inventory is complete, click Close.

Results: At the end of this exercise you will have collected a Windows 7 Readiness assessment and the Wizard will have created the Proposal and Assessment documents.


Exercise 3: Analyze Inventory and Assessment Data

Note: LON-DC1 is the computer running Windows Server 2008 R2 which is the domain controller and shared network location for the lab files. LON-CL2 is the client computer running Windows 7.

Task 1: Review the Windows 7 Readiness Summary Results for Contoso

• Expand Discovery and Readiness.
• Select Windows 7 Readiness.

Question: How many client systems were inventoried?
Question: How many systems are ready for Windows 7?
Question: How many systems would be ready for Windows 7 with hardware upgrades?

Task 2: Review the Windows 7 Readiness Reports for Contoso

In the Actions pane, click Generate report/proposal. After the report is generated perform the following:

• From the View menu, click Saved Reports and Proposals.
• Open the Windows7Proposal- report just created.

Question: How many client systems require two hardware upgrades to meet the Windows 7 recommended level?
Question: Which client systems require hardware upgrades before upgrading to Windows 7?

• Close the Windows7Proposal- report.
• Open the Windows7Assessment- report just created.

Question: Which clients are in the Meets minimum system requirements Category?
Question: Which clients are in the Not Ready for Windows 7 Category?
Question: What are the minimum upgrades required to the Not Ready for Windows 7 Category systems?

• Close all open windows.

Task 3: Virtual Machine Shutdown

When you finish the lab, revert each virtual machine back to its initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V Manager.
2. Right-click each virtual machine name in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.


Lab Review: Assessing the Computing Environment by Using the Microsoft Assessment and Planning Toolkit

Question: What are the requirements for deploying the Microsoft Assessment and Planning Toolkit?
Question: What are the Remote Computer configuration requirements for using the MAP Toolkit?
Question: What discovery methods are available for the MAP Toolkit?
Question: In addition to the Hardware Analysis, what information is available in a Windows 7 proposal generated by the MAP Toolkit?


Lesson 5
Designing Windows Activation

Product Activation is a requirement of the Windows 7 operating system. It requires validation for each Windows 7 license through an online activation service at Microsoft, or by phone and through KMS. Activation is designed to enhance protection from software piracy, and to help better manage the operating system and application instances within an environment. In this lesson, you learn how activation works and the volume activation models to consider for an effective Windows 7 desktop deployment.


Activation Options

All editions of Windows 7 and Windows Server 2008 require activation. Activation confirms the status of a Windows product, and ensures that the product key has not been compromised. The activation process establishes a relationship between the software’s product key and a specific installation of that software on a device.

When you first install Windows 7, a grace period is provided for up to 30 days. For Windows 7, if the system is not activated within the grace period, the computer will be placed within a persistent notification mode. This mode allows the system to function normally with the following exceptions:

• The desktop background is black.
• Persistent notifications will alert the user of the need to activate.
• Windows update only installs critical updates.

There are three main methods for activation:

• Retail: Any Windows 7 product purchased at a retail store comes with one unique product key that is typed in during product installation. Use the product key to complete the activation after installing the operating system.
• Original Equipment Manufacturer (OEM): OEM system builders typically sell computer systems that include a customized build of Windows 7. OEM activation is performed by associating the operating system to the computer system BIOS.
• Volume Licensing (Volume Activation): Volume licensing is a series of software licensing programs that are tailored to the size and purchasing methods of your organization. Volume customers set up volume license agreements with Microsoft. These agreements include Windows upgrade benefits in addition to other benefits related to value add software and services. Volume license customers use Volume Activation to assist in activation tasks, which consist of the Key Management System (KMS) and Multiple Activation Key (MAK) models.

Question: What activation method have you used at your company?
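
The activation states and channels described in this topic can be read from each computer through WMI. The following PowerShell is an added example, not part of the course material: it classifies SoftwareLicensingProduct records by channel and flags systems that are in notification mode or close to the end of a grace period. The function name, the seven-day warning threshold and the sample records are assumptions made for illustration.

```powershell
# Added example, not course material. Runs on Windows PowerShell 2.0 or later.
function Get-ActivationFinding {
    param(
        # Records exposing __SERVER, Description, LicenseStatus, GracePeriodRemaining
        [Parameter(Mandatory = $true)] [AllowEmptyCollection()] [object[]] $Product,
        # Assumed threshold: flag grace periods with this many days or fewer left
        [int] $WarnDays = 7
    )
    # LicenseStatus codes of the SoftwareLicensingProduct WMI class
    $statusName = @{
        0 = 'Unlicensed'
        1 = 'Licensed'
        2 = 'Initial grace period'
        3 = 'Out-of-tolerance grace period'
        4 = 'Non-genuine grace period'
        5 = 'Notification mode'
        6 = 'Extended grace period'
    }
    foreach ($p in $Product) {
        # The Description text names the licensing channel of the installed key
        $channel = switch -Regex ([string]$p.Description) {
            'VOLUME_KMSCLIENT' { 'Volume (KMS client)'; break }
            'VOLUME_KMS'       { 'Volume (KMS host)';   break }
            'VOLUME_MAK'       { 'Volume (MAK)';        break }
            'OEM'              { 'OEM';                 break }
            'RETAIL'           { 'Retail';              break }
            default            { 'Unknown' }
        }
        $status   = [int]$p.LicenseStatus          # WMI returns UInt32; keys above are Int32
        $daysLeft = [math]::Round($p.GracePeriodRemaining / 1440, 1)   # WMI reports minutes

        if     ($status -eq 1) { $action = 'None' }
        elseif ($status -eq 5) { $action = 'Activate now: persistent notification mode' }
        elseif ($status -eq 0) { $action = 'Activate now: unlicensed' }
        elseif ($daysLeft -le $WarnDays) { $action = "Activate soon: $daysLeft day(s) of grace left" }
        else   { $action = "In grace period: $daysLeft day(s) left" }

        New-Object PSObject -Property @{
            Computer = $p.__SERVER
            Channel  = $channel
            Status   = $statusName[$status]
            DaysLeft = $daysLeft
            Action   = $action
        } | Select-Object Computer, Channel, Status, DaysLeft, Action
    }
}

# Constructed sample records (not real inventory data) so the example runs offline.
$sample = @(
    New-Object PSObject -Property @{
        __SERVER = 'PC-A'; LicenseStatus = 2; GracePeriodRemaining = 5760
        Description = 'Windows Operating System - Windows(R) 7, VOLUME_KMSCLIENT channel' }
    New-Object PSObject -Property @{
        __SERVER = 'PC-B'; LicenseStatus = 1; GracePeriodRemaining = 0
        Description = 'Windows Operating System - Windows(R) 7, VOLUME_MAK channel' }
    New-Object PSObject -Property @{
        __SERVER = 'PC-C'; LicenseStatus = 5; GracePeriodRemaining = 0
        Description = 'Windows Operating System - Windows(R) 7, RETAIL channel' }
)
Get-ActivationFinding -Product $sample | Format-Table -AutoSize

# Live use on a Windows 7 computer (add -ComputerName to Get-WmiObject for remote WMI):
# Get-ActivationFinding -Product @(Get-WmiObject -Class SoftwareLicensingProduct `
#     -Filter 'PartialProductKey IS NOT NULL')
```

With the sample records, PC-A is reported as a KMS client with four days of grace left, PC-B as a licensed MAK system with no action, and PC-C as a retail system in notification mode.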


Overview of Volume Activation Models

Volume Activation provides a simple and security-enhanced activation experience for enterprise organizations, while addressing issues associated with Volume License Keys (VLKs). The previous version (Vista) used volume activation. Volume activation provides system administrators the ability to centrally manage and protect product keys, in addition to several flexible deployment options that activate the computers in the organization regardless of the organization size.

Volume Activation Keys

Volume Activation provides two main types of models that are used in enterprise environments, and you are able to use any or all of the options associated with these two models, depending upon your organization’s needs and network infrastructure.

• MAK activation uses product keys that can activate a specific number of computers. If the use of volume-licensed media is not controlled, excessive activations result in depletion of the activation pool. MAKs are not used to install Windows 7, but rather to activate it after installation. You can use MAKs to activate any Windows 7 volume edition.
• The KMS model allows organizations to perform local activations for computers in a managed environment without connecting to Microsoft individually. By default, Windows 7 volume editions connect to a system that hosts the KMS service, which in turn requests activation. KMS usage is targeted for managed environments where more than 25 physical and/or virtual computers are consistently connected to the organization’s network or where there are five servers.

Note: A computer installed with a Windows 7 retail version must be activated with Microsoft either online or over a telephone. Each Windows 7 installation requires a separate product key. Windows 7 retail versions cannot use a KMS or MAK for activation purposes.

Question: You have already installed multiple instances of the Windows 7 client. Which Volume Licensing method do you use?


MAK Model

MAKs are installed on each volume-licensed computer that will activate once with Microsoft over the Internet or by telephone. As each computer contacts Microsoft’s activation servers for activation, your pre-purchased activation pool is reduced. You can verify the number of remaining activations from the Microsoft Licensing Web site and with the VAMT, and request additional activations by contacting the Microsoft Activation Call Center.

Activating Computers Using MAK Activation

There are two ways to activate computers using MAK activation:

• MAK Proxy Activation: a solution that enables a centralized activation request on behalf of multiple desktops with one connection to Microsoft.
• MAK Independent Activation: requires that each desktop independently connects and activates against Microsoft activation servers.

The primary advantage to using MAK activation is that there is no requirement to periodically renew activation. However, if significant hardware changes occur on a desktop workstation, you may be required to renew activation. Another advantage for small organizations is that there is no minimum number of clients required for using MAK as opposed to KMS, which requires at least 25 physical and/or virtual desktop clients or five servers before activation begins.

Implementing MAK Activation

A MAK can be installed on individual computers or included in an image that can be bulk-duplicated, or provided for download using an enterprise deployment solution. MAKs are recommended for computers that are rarely or never able to connect to the organization’s network; or for organizations where the number of physical and/or virtual computers needing activation does not meet the 25-physical and/or virtual host activation threshold required for KMS. A MAK can be installed on a computer that was originally set up to use KMS activation, whose activation is at risk of expiring, or that has actually reached the end of its grace period.


Question: You are deploying the Windows 7 client to 19 computers. Which volume activation method do you use?


Volume Activation Management Tool

The Volume Activation Management Tool (VAMT) is the application that can be used to perform MAK Proxy Activation requests. You can use the VAMT to manage and specify a group of computers to be activated based upon the following:

• AD DS
• Workgroup names
• IP addresses
• Computer names

The VAMT receives activation confirmation codes, and then re-distributes them back to the systems that requested activation.

A MAK performs a one-time activation of computers with Microsoft. Once the computers are activated they require no further communication with Microsoft. The number of computers that can be activated with a specific MAK is based on the type and level of the organization’s volume license agreement with Microsoft. VAMT version 1.1 enables the following functionality:

• MAK Independent Activation: each computer individually connects and activates with Microsoft either online or through telephone
• MAK Proxy Activation: activation of multiple computers with one online connection to Microsoft
• Activation Status: ability to determine the activation status of Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2 computers
• Remaining MAK activations: the current remaining activations associated with a MAK key
• XML Import/Export: allows for exporting and importing of data in a well-formed XML format to enable activation of systems in disconnected environment scenarios
• Local reactivation: enables reactivation of computers based on saved activation data stored in the VAMT XML computer information list
• Configure for KMS activation: convert MAK activated volume editions of Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2 to KMS activation

Supported Operating Systems include:

• Windows Server 2003 Service Pack 1
• Windows Server 2003 Service Pack 2
• Windows Server 2008
• Windows Server 2008 R2


KMS Model

KMS enables organizations to perform local activations for computers in a managed environment, without the need to connect to Microsoft individually. You can enable KMS functionality on a physical or virtual system that is running Windows Server 2008, Windows Server 2003, or a Windows 7 computer.

KMS is automatically included with Windows Server 2008 and Windows 7. After you initialize KMS, the KMS activation infrastructure is self-maintaining. The KMS service does not require dedicated computers, and can be co-hosted with other services.

A single KMS host can support hundreds of thousands of KMS clients. It is expected that most organizations will be able to operate with just two KMS hosts for their entire infrastructure (one main KMS host, and a backup host for redundancy).

Implementing KMS Activation

To enable KMS functionality, a KMS key is installed on the KMS host, which is then activated using an online Web service at Microsoft. Start the command window on the host computer by using elevated privileges, and then run the following command:

cscript C:\windows\system32\slmgr.vbs -ipk

You can then activate the KMS host by using either online or telephone activation.

During installation, a KMS host automatically attempts to publish its existence in Service Location (SRV) resource records within Domain Name System (DNS). This provides the ability for both domain members and stand-alone computers to activate against the KMS infrastructure.

Client computers locate the KMS host dynamically by using the SRV records found in the DNS, or connection information specified in the registry. The client computers then use information obtained from the KMS host to self-activate.


KMS Activation Considerations

If you decide to implement KMS activation, consider the following:

• Client computers that are not activated attempt to connect with the KMS host every two hours.
• Client computers must renew their activation by connecting to the KMS host at least once every 180 days to stay activated.
• After activation, the client computers attempt to renew their activation every seven days. After each successful connection, the expiration is extended to the full 180 days.
• Client computers connect to the KMS host for activation by using anonymous RPC over TCP/IP, and by using default port 1688. This port information can be configured.
  The connection is anonymous, enabling workgroup computers to communicate with the KMS host. The firewall and the router network may need to be configured to pass communications for the TCP port that will be used.
• A KMS host and KMS clients must use Volume License media, which includes the Windows 7 Professional operating system, Windows 7 Business operating system and the Windows 7 Enterprise operating system editions.

Question: What are the hardware requirements for the KMS host?


Configuring a KMS Host

KMS clients activate only after the activation threshold is met. To ensure that the activation threshold is met, a KMS host counts the number of physical and virtual computers requesting activation on the network. The count of activation requests is a combination of Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2 computers. However, each of these operating systems begins activating after a different threshold is met.

The Windows Server 2008 R2 KMS client threshold is five (5) physical and virtual computers. The Windows 7 KMS client threshold is twenty-five (25) physical and virtual computers. A KMS host responds to each valid activation request from a KMS client with the count of how many physical computers have contacted the KMS host for activation. Clients that receive a count below the activation threshold do not activate.

KMS activation works with minimal administrative action. If your network environment has dynamic DNS (DDNS) and allows computers to publish services automatically, you may not need to configure your KMS host. If you have more than one KMS host or your network does not support DDNS, you may need to perform some additional configuration tasks.


Troubleshooting Volume Activation

The troubleshooting volume activation steps you need to perform depend upon whether the problem is associated with MAK activation or KMS activation.

MAK Activation Troubleshooting

Use the following list to troubleshoot common issues with MAK activation:

• Verify the activation status. You can verify activation status by looking for the “Windows is activated” message in the Windows 7 Welcome Center. You can also run the slmgr.vbs -dli command.
• If your computer will not activate over the Internet, ensure that an Internet connection is available. You may also need to set a proxy configuration from your browser. If the computer cannot connect to the Internet, try telephone activation.
• If Internet and telephone activation both fail, you will need to contact the Microsoft Activation Call Center.
• If slmgr.vbs -ato returns an error code, you can determine the corresponding error message by running slui.exe 0x2a 0x .

KMS Activation Troubleshooting

Use the following list to troubleshoot common issues with KMS activation:

• Verify the activation status. You can verify activation status by looking for the “Windows is activated” message in the Windows 7 Welcome Center. You can also run the slmgr.vbs -dli command.
• Ensure that the KMS SRV record is present in DNS, and that DNS does not restrict dynamic updates. If DNS restrictions are intentional, you will have to provide the KMS host write access to the DNS database, or manually create the SRV records.
• Ensure that your routers do not block TCP port 1688.
• If your computer will not activate, verify that the KMS host is contacted by the minimum number of clients required for activation. Until the KMS host has a count of 25, Windows 7 clients will not activate.
• Display the client Windows Application event log for event numbers 12288, 12289, and 12290 for possible troubleshooting information.
• If slmgr.vbs -ato returns an error code, you can determine the corresponding error message by running slui.exe 0x2a 0x.
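The DNS, port and event-log checks in the KMS list above can be scripted from a client. The following PowerShell is an added example, not part of the course material: `_vlmcs._tcp` is the SRV name that KMS hosts publish, while the domain `corp.example`, the host names, the approved-host list and the function names are assumptions, and the nslookup output is a constructed sample.

```powershell
# Added example: client-side KMS discovery and connectivity checks (PowerShell 2.0 compatible).
# corp.example, the host names and the approved list are hypothetical placeholders.

function ConvertFrom-NslookupSrv {
    # Parses the text printed by "nslookup -type=srv" into Target/Port objects.
    param([string[]]$Lines)
    $port = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*port\s*=\s*(\d+)') {
            $port = [int]$Matches[1]
        }
        elseif ($line -match '^\s*svr hostname\s*=\s*(\S+)') {
            New-Object PSObject -Property @{
                Target = $Matches[1].TrimEnd('.').ToLower()
                Port   = $port
            }
            $port = $null
        }
    }
}

function Test-KmsSrvRecord {
    # Flags SRV targets that are not on the approved list or that use a non-default port.
    param([object[]]$Records, [string[]]$ApprovedHosts)
    foreach ($r in $Records) {
        New-Object PSObject -Property @{
            Target      = $r.Target
            Port        = $r.Port
            Approved    = ($ApprovedHosts -contains $r.Target)
            DefaultPort = ($r.Port -eq 1688)
        } | Select-Object Target, Port, Approved, DefaultPort
    }
}

function Test-KmsPort {
    # Attempts a TCP connection with a timeout; returns $true when the port accepts it.
    param([string]$HostName, [int]$Port = 1688, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($pending)
        return $true
    }
    catch { return $false }
    finally { $client.Close() }
}

function Get-KmsClientEvent {
    # Most recent Application-log entries with the event IDs named in the troubleshooting list.
    param([int]$MaxEvents = 10)
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 12288, 12289, 12290 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName, Message
}

function Invoke-KmsClientCheck {
    # Live check: resolve the SRV records, compare them with the approved list, probe each port.
    param([string]$Domain, [string[]]$ApprovedHosts)
    $records = @(ConvertFrom-NslookupSrv -Lines (nslookup -type=srv "_vlmcs._tcp.$Domain" 2>$null))
    if ($records.Count -eq 0) {
        Write-Warning "No _vlmcs._tcp SRV record found for $Domain"
        return
    }
    foreach ($row in (Test-KmsSrvRecord -Records $records -ApprovedHosts $ApprovedHosts)) {
        $reachable = Test-KmsPort -HostName $row.Target -Port $row.Port
        $row | Add-Member -MemberType NoteProperty -Name Reachable -Value $reachable -PassThru
    }
}

# Constructed sample of nslookup output, so the parsing and the approval check run offline.
$sample = @'
_vlmcs._tcp.corp.example SRV service location:
          priority       = 0
          weight         = 0
          port           = 1688
          svr hostname   = kms01.corp.example
_vlmcs._tcp.corp.example SRV service location:
          priority       = 0
          weight         = 0
          port           = 1688
          svr hostname   = lab-pc-17.corp.example
'@ -split "`r?`n"

$approved = 'kms01.corp.example', 'kms02.corp.example'   # hypothetical KMS hosts
Test-KmsSrvRecord -Records (ConvertFrom-NslookupSrv -Lines $sample) -ApprovedHosts $approved |
    Format-Table -AutoSize

# On a live client (placeholder domain):
#   Invoke-KmsClientCheck -Domain corp.example -ApprovedHosts $approved
#   Get-KmsClientEvent
#   cscript //nologo "$env:windir\system32\slmgr.vbs" -dli
```

Rows with Approved set to False are SRV targets that are not on your list and are worth investigating before clients activate against them.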


Lab B: Recommending an Activation Strategy

Computers in this lab

No virtual machines are necessary for this lab.


Exercise 1: Review the Activation Scenario

Scenario: ADatum Corporation

ADatum Corporation is a multi-national corporation that maintains three separate networks: a Production Network for daily operations, a Quality Assurance (QA) network for final testing of patches and changes, and a Test network used for Proof of Concept testing and Internal Development projects.

The production network consists of 200 servers and over 3000 desktop client systems in multiple locations. There are several Regional offices with local servers and approximately 100 Desktop clients. The branch offices range in size from a few desktop client systems to locations with a local server and up to 30 Desktop clients. In addition to the desktop systems there are over 200 Laptop systems in use by the Sales and Technical teams. These laptops may be off the corporate network for periods as long as four months.

The QA network consists of 10 servers and over 100 Desktop systems. The servers for the QA network are located at the Corporate HQ location. The QA network includes clients at each of the regional offices and branch offices with an IT staff connected to the corporate headquarters through a VPN.

The test network is isolated from the production network and the Internet and wholly resides in the Corporate Headquarters location. This network consists of 10 servers and 50 desktop systems. The systems in the test network are frequently rebuilt due to the nature of their use.

The current network was built in a gradual fashion based on both growth and acquisitions. Because of this growth pattern, a consistent licensing model has not been deployed.

A recent internal audit has revealed inadequacies with the existing licensing activation. The network is due for a technology refresh, and because of the issues revealed by the audit, upper management has asked you to recommend an activation model that will provide the most efficient method of activating all systems while maintaining a documentable method of managing the licenses.

Task 1: Discuss Activation Recommendations

Recommendations

Use the space provided to write notes in preparation for a class discussion on the recommendations for the ADatum scenario.


Lab Review: Recommending an Activation Strategy

Question: What are some of the key decision points between using a Multiple Activation Key or Key Management System for Volume licensing?

Question: From the client computer, how can an Administrator determine the type of license in use?

Question: How long are Windows Clients activated for once they contact a KMS server?

Question: How many KMS hosts can be activated from a single KMS Key?

Question: What tools are available to manage MAK activation and report current activation state?


Module Review and Takeaways

Review Questions

1. Under which circumstances is it unnecessary to configure KMS?
2. What does Microsoft offer through the Support Lifecycle Policy for Operating Systems?
3. What is the main difference between the standardized information optimized infrastructure model and the rationalized optimized Infrastructure model?
4. How does the Microsoft Assessment and Planning Toolkit assess your organization’s readiness for Windows 7?
5. How does Windows XP Mode benefit Windows 7?

Real-world Issues and Scenarios

1. If I am using Windows XP and have not looked at the Windows Vista and Windows Server 2008 imaging and deployment tools over the last few years, what do I need to know about Windows 7 deployment?

If you have not looked at Windows Vista Deployment Enhancements and imaging, now is a great time to learn about the enhancements made around file-based, non-destructive imaging using the Windows Imaging Format (WIM), and other advantages, including Hardware Abstraction Layer (HAL) independence and language neutrality in Windows Vista and Windows 7 images.

2. What is Hard-Link Migration, and how can I migrate user states from one operating system to another?

The User State Migration Tool for Windows 7 now provides a new feature called Hard-Link Migration. This feature allows your customers to install Windows Vista or Windows 7 on an existing computer and retain data locally on that computer during operating system installation. Hard-Link Migration works by:

• Discovering user files and settings.
• Creating hard-links to each file in the system that constitutes the user profile, preferences, application settings, and documents.
• Applying hard-links to the proper file locations in the new operating system.

Although the capability of storing user files locally has been available for some time, the process can take several hours and files are double-instanced on the local hard drive and require free disk space to accommodate them. With hard-links, the files do not move and the index of links can be created and remapped to the new operating system within a few minutes. The hard-link catalog also consumes little space on the hard drive since files are not double-instanced.

Hard-Link Migration can be performed before the operating system installation from within the legacy operating system. In that case, the index of links is stored in a protected folder while the operating system is installed and other folders are deleted as part of the install routine. The migration store protects files from deletion.

This process is how the Microsoft Deployment Toolkit 2010 Beta (http://go.microsoft.com/fwlink/?LinkID=108442) performs a default computer refresh. The second option is to perform a clean install of the operating system; by default, the new operating system will create a “windows.old” folder with user files and settings and retain any legacy folders found in the root directory. Offline hard-link migration can be used to target files within “windows.old” and map them to the appropriate locations in the Windows Vista or Windows 7 operating system.

This process takes only a few minutes and the risk for data loss using this solution is minimal. After migration has occurred from “windows.old,” the user can use the disk cleanup utility to remove “windows.old,” and hard-link migrated files are protected from deletion.

3. Are there any changes in the Windows Deployment Services server role in Windows Server 2008 R2?

Windows Deployment Services in Windows Server 2008 R2 enables network deployments of WIM images or Virtual Hard Disks (VHD) as files used for operating system deployments. The previous release of Windows Deployment Services (WDS) in Windows Server 2008 included the capability of multicast for image transmission to computers in the deployment pool.

This can reduce network bandwidth consumption and increase deployment capacity by using a single-image transmission to multiple clients. Instead of one 5-GB image passing to 100 clients and consuming 500 GB of network bandwidth, the same deployment using multicast can consume as little as five (5) to ten (10) GB of network bandwidth.

One consequence of using multicast in Windows Server 2008 is that the slowest client determined the transfer rate for all client machines. In Windows Server 2008 R2, multicast now supports the use of Multiple Stream Transfer of two to three speeds to ensure that the fastest clients can receive deployment images faster. Additionally, using standard multicast (not with Multiple Stream Transfer), you can set minimum transfer thresholds and automatically remove slow clients from the multicast pool.

Windows Server 2008 R2 with WDS also enables Dynamic Driver Provisioning. With Dynamic Driver Provisioning, driver files can be stored centrally and outside the image and only the required drivers are installed at the time of deployment using Plug and Play device matching. For organizations now including large driver payloads into standard network-installed images, Dynamic Driver Provisioning can help to reduce image size and ease driver management routines.

Best Practices

Supplement or modify the following best practices for your own work situations.


Standard Desktop Strategy

The Standard Desktop Strategy best practice involves deploying a standardized desktop by minimizing hardware and software configurations and implementing a three- to four-year PC lifecycle strategy. It helps organizations move from a basic to a standardized level of optimization for desktop, device, and server management in the Core Infrastructure Optimization model.

Centrally Managed PC Settings and Configuration

The Centrally Managed PC Settings and Configuration best practice involves keeping deployed PCs standardized by preventing users from making changes that compromise security, reliability, and the application portfolio. It helps organizations move from a standardized to a rationalized level of optimization for desktop, device, and server management in the Core Infrastructure Optimization model.

Comprehensive PC Security

The Comprehensive PC Security best practice involves proactively addressing security with antivirus software, anti-spyware software, patching, and quarantine. It helps organizations move from a basic to a standardized, and then from a standardized to a rationalized, level of optimization for security and networking in the Core Infrastructure Optimization model.

Comprehensive Directory Solution

The Comprehensive Directory Solution best practice requires a single directory for authentication, single sign-on capability for all computing resources, and automated password reset. It helps organizations move from a basic to a standardized level of optimization for identity and access management in the Core Infrastructure Optimization model.

PCs Managed by Group Policy Objects (GPOs)

The PCs Managed by Group Policy Objects (GPOs) best practice requires PCs to authenticate into Active Directory and individual PCs to receive configuration, software installation, and desktop configuration through GPOs. It helps organizations move from a standardized to a rationalized level of optimization for identity and access management in the Core Infrastructure Optimization model.

Reduction of Third-Party Application Directories

The Reduction of Third-Party Application Directories best practice requires the use of a single directory service for both operating system management and application directory services. It helps organizations move from a standardized to a rationalized level of optimization for identity and access management and desktop, device, and server management in the Core Infrastructure Optimization model.

Automated User Provisioning

The Automated User Provisioning best practice requires a single directory, or synchronized directories with a meta-directory service, and IT processes for automated user provisioning. Users are provisioned (including adds, removes, and changes) only once in a primary directory, and the changes are propagated to all related directories. It helps organizations move from a standardized to a rationalized level of optimization for identity and access management in the Core Infrastructure Optimization model.

Automated Packaging Tools and Software Distribution

The Automated Packaging Tools and Software Distribution best practice involves the use of tools to maintain software inventories, automate software packaging, and automate software distribution. It helps organizations move from a basic to a standardized level of optimization for security and networking in the Core Infrastructure Optimization model.


Single Systems Management Tool

The Single Systems Management Tool best practice involves the use of a single software tool for managing software inventory, hardware inventory, and automated software distribution. It helps organizations move from a basic to a standardized level of IT optimization for security and networking in the Core Infrastructure Optimization model.

Centrally Managed PC Applications

The Centrally Managed PC Applications best practice involves keeping deployed PC applications standardized by generating software inventory reports for auditing versus standards and de-installing non-compliant software. It helps organizations move from a standardized to a rationalized level of optimization for security and networking in the Core Infrastructure Optimization model.

Tools

Tool: Windows System Image Manager (Windows SIM)
Use for: The tool used to open Windows images, create answer files, and manage distribution shares and configuration sets.
Where to find it: http://go.microsoft.com/fwlink/?LinkID=162632

Tool: ImageX
Use for: The tool used to capture, create, modify, and apply Windows images.
Where to find it: http://go.microsoft.com/fwlink/?LinkID=162633

Tool: Deployment Image Servicing and Management (DISM)
Use for: The tool used to apply updates, drivers, and language packs to a Windows image. DISM is available in all installations of Windows 7 and Windows Server 2008 R2.
Where to find it: http://go.microsoft.com/fwlink/?LinkID=162634

Tool: Windows Preinstallation Environment (Windows PE)
Use for: A minimal operating system environment used to deploy Windows. The AIK includes several tools used to build and configure Windows PE environments.
Where to find it: http://go.microsoft.com/fwlink/?LinkID=162635

Tool: User State Migration Tool (USMT)
Use for: A tool used to migrate user data from a previous Windows operating system to Windows 7. USMT is installed as part of the AIK in the %PROGRAMFILES%\Windows AIK\Tools\USMT directory. For more information about USMT, refer to the User State Migration Tool User’s Guide (%PROGRAMFILES%\Windows AIK\Docs\Usmt.chm).
Where to find it: http://go.microsoft.com/fwlink/?LinkID=140374




Module 2
Assessing Application Compatibility in Windows 7

Contents:
Lesson 1: Overview of Application Compatibility
Lesson 2: Assessing and Resolving Application Compatibility Issues by Using ACT 5.5
Lab A: Evaluating Application Compatibility Using the Microsoft Application Compatibility Toolkit
Lab B: Creating Application Compatibility Fixes


Module Overview

Application compatibility can have a large effect on an organization and it can determine whether an operating system deployment project is successful. Whether deploying new applications with the new operating system or using existing applications, the ability of users to log on after a new Windows deployment and continue with their normal work is a critical goal.

This module describes the process for addressing common application compatibility issues experienced during a typical operating system deployment. The module also explains how to use the Microsoft® Application Compatibility Toolkit (ACT) to help inventory, analyze, and mitigate application compatibility issues.


Lesson 1
Overview of Application Compatibility

Before upgrading from its current version of the Windows operating system to Windows® 7, an organization must test its applications to ensure that they are compatible with the new operating system. If an organization has several thousand applications installed across its network, compatibility issues with one or many of these applications can prevent users from performing their roles and affect core business functions. Therefore it is important to plan for these issues by understanding common problems that can occur.

Windows 7 is highly compatible with most applications written for Windows® XP, Windows Server® 2003, Windows Vista®, Windows Server 2008, Windows Server 2008 R2, and their respective service packs. However, some compatibility breaks are inevitable due to innovations, security tightening, and increased reliability, so it is important to understand how updates to the operating system impact application compatibility.

This lesson describes common application compatibility problems and provides guidelines on resolving any issues using the Microsoft Application Compatibility Toolkit (ACT).


Discussion: Which Applications Must Be Tested for Compatibility?

You are deploying the Windows 7 operating system throughout your organization. You need to ensure that all business applications continue to function correctly after deployment. Use the following questions as a guide to discuss common applications that must be tested during the planning phase of an operating system deployment project.

Question: Which standard desktop core applications must be tested within your environment?

Question: Which line-of-business applications must be tested within your environment?

Question: Which types of administrative tools or desktop utilities must be tested within your environment?

Question: Which custom tools must be tested within your environment?

Question: Can you name any other applications that must be tested?


Guidelines for Testing Commercial Applications

Key Points

Before deploying new operating systems, it is important to test your business applications for compatibility. New features in a new operating system, such as improved security features, can impact the functionality of some applications.

Most commercial applications will run on Windows 7 without issue. However, it is recommended that specific application-compatibility testing be performed to ensure that all business-critical features continue to function as expected. Common tests to perform include:

• Install the application while logged on as a standard user and again as an administrator.
• Log on as a standard user and as several members of the Users group to test the features most important to your end users.
• Try all the installation options that are used in your business.
• Apply Group Policy to users and computers, and verify that the Group Policy settings still apply as expected.
• Test combinations of applications, such as standard desktop configurations.
• Run several applications for several days or weeks without stopping them.
• Manipulate large graphics files.
• Perform rapid development sequences of edit, compile, edit, compile.
• Test Object Linking and Embedding (OLE) custom controls.
• Test with hardware, such as scanners and other Plug and Play devices.
• Test the applications on a Terminal Services server. Test with multiple users running the same and different applications, and with user-specific settings.
• Test concurrent database use including simultaneous access and update of a record, and perform complex queries.

Question: Why is it recommended that you install an application while logged on as a standard user and again as an administrator?


Guidelines for Testing Custom Applications

Key Points

During the planning phase, identify all applications that your organization currently uses, including custom software. As you identify custom applications, prioritize them and note which ones are required for each business unit in your organization. Remember to include operational and administrative tools, including antivirus, compression, backup, and remote-control programs.

Custom applications can require a more extensive testing strategy than pretested commercial applications. Test custom applications on a clean Windows 7 installation and, if Windows Vista® is deployed in your organization, on a computer upgraded from the Windows Vista operating system.

If these scenarios are successfully completed and the application performed properly, then the application functions correctly on the Windows 7 platform.


2-8 <strong>Planning</strong> <strong>and</strong> <strong>Managing</strong> Windows® 7 <strong>Desktop</strong> <strong>Deployments</strong> <strong>and</strong> EnvironmentsWhat Are Common Application Compatibility Problems?Key PointsFrom a security <strong>and</strong> liability perspective, significant changes were madein Windows Vista to limit howmuch control applications canhave over the operating system. Although those changes continue inWindows 7, newtechnologieswithin the operating systemcan still cause some applications to behavedifferently.When you are deploying Windows 7, compatibility problems will vary depending upon the sourceoperating system. Available migration paths to Windows 7 include:• Migrating from WindowsVista• Migrating from WindowsXPTotroubleshoott <strong>and</strong> address the problems effectively, you must be aware of general areas that typicallycause the most compatibility issues. When upgrading to Windows 7, most compatibility problems relatetothe followingareas:• Setup <strong>and</strong> Installation• User Account Control• Kernel-mode drivers• Windows Resource Protection• Internet Explorer® 7 <strong>and</strong>Internet Explorer 8 Protected mode• Internet Explorer 8 User Agent String• 64-bit architecture• Windows Filtering Platform API• Deprecatedcomponents


Question: How can you mitigate the application compatibility issues related to User Account Control?


Process for Resolving Application Compatibility Issues

Key Points

Resolving application compatibility issues requires first having to determine which client computers must be analyzed for application compatibility issues, and then making a decision on which applications must be tested in the test environment.

Application Compatibility Process Overview

The general process for resolving application compatibility issues includes the following:
• Inventory: Identify which client computers must be included in your test environment and then collect your application inventory.
• Analyze: After collecting the application inventory, analyze the inventory and determine which applications are incompatible with the new operating system.
• Mitigate: Create a test environment and begin testing the mitigation strategies identified in the Analysis phase.


What Are Common Mitigation Methods?

Key Points

Mitigating an application compatibility issue typically depends upon various factors, such as the application type, and current application support. Some of the more common mitigation methods include the following:
• Applying updates or service packs to the application: Determine if updates or service packs are available that address many of the compatibility issues and enable the application to run under the new operating system environment.
• Modifying the existing application’s configuration: Tools such as the Compatibility Administrator or the Standard User Analyzer can be used to detect and create application fixes (also called shims) to address these issues.
• Upgrading the application to a compatible version: If a newer, more compatible application version exists, the best long-term mitigation method is to upgrade to the newer version.
• Modifying the security configuration: If your compatibility issues appear to be permissions-related, a short-term solution is to modify the application’s security configuration.
• Running the application in a virtualized environment: If all other methods are unavailable, try running the application in an earlier Windows version using virtualization tools such as Microsoft Virtual PC and Microsoft Virtual Server.
• Using application compatibility features: Application issues, such as operating system versioning, can be mitigated by running the application in compatibility mode.
• Selecting another application that performs the same business function: If another compatible application is available, consider switching to the compatible application.

Question: You have an application that fails to run in Windows 7. What mitigation process can be considered if all the other recommended processes are tried on the application and none of them worked?


Guidelines for Resolving Application Compatibility Issues

Key Points

The following are general guidelines for deploying a new operating system:
• Standardize the list of supported applications: For each supported application, allocate time, training, tools, and resources to plan, test, deploy, and support the application. To help reduce the long-term supported application costs, standardize your organization-approved applications.
• Identify applications that can be retired: Many organizations accumulate multiple application versions and numerous applications that are no longer relevant to current business processes. Eliminate as many applications as possible early in the application compatibility mitigation process.
• Ensure that your test environment emulates your production environment: To ensure accurate test results, your test environment needs to emulate your production environment. The test environment needs to be physically separate from the production environment and consist of computers at the same service pack and hotfix levels. Also ensure that the tests are performed with accounts that have similar permissions to the production environment.
• Do not overlook user training: If the application compatibility mitigation results in a change in application behavior or general application use, provide user training delivered by the most appropriate method. Methods include online training, instructor-led training, or self-paced documentation provided to the users.


Lesson 2
Assessing and Resolving Application Compatibility Issues by Using ACT 5.5

Many organizations implement automated methods or use specialized application compatibility tools to assist with the mitigation of inventory, analysis, and application compatibility issues. One such tool is the Application Compatibility Toolkit (ACT) version 5.5. This lesson provides an overview of ACT, including its architecture and functionality.


What Is the Application Compatibility Toolkit?

Key Points

The Application Compatibility Toolkit (ACT) is a set of tools used during the Inventory, Analyze, and Mitigate phases of the application compatibility testing process. You can use ACT to do the following:
• Identify and manage your overall application portfolio within your organization.
• Verify your application’s, device’s, and computer’s compatibility with a new version of the Windows operating system, including determining your risk assessment.
• Help evaluate the impact of Windows updates.
• Reduce the cost and time involved in resolving application compatibility issues.
• Create application mitigation packages to be deployed to client computers.

Question: How does the Application Compatibility Toolkit reduce the cost and time involved in resolving application compatibility issues?


ACT 5.5 System Requirements

Key Points

To use ACT 5.5, the following minimum software and hardware is required.

Operating Systems

ACT supports the following operating systems:
• Windows 7
• Windows Vista
• Windows Vista with Service Pack 1 (SP1)
• Windows XP with Service Pack 2 (SP2)
• Windows XP with Service Pack 3 (SP3)
• Windows Server 2003 with Service Pack 2 (SP2)
• Windows Server 2008 R2

ACT does not support the following operating systems:
• Windows NT® Server 4.0
• Windows® 2000 Professional operating system and earlier versions.

Database Components

After ACT is installed, it requires one of the following database components:
• Microsoft® SQL Server® 2008
• Microsoft SQL Server 2008 Express
• Microsoft SQL Server 2005
• Microsoft SQL Server 2005 Express


Features of ACT 5.5

Key Points

ACT includes the following features:
• Application Compatibility Manager (ACM)
• Compatibility Administrator
• Mitigation and Development Tools
• Setup Analysis Tool
• Internet Explorer Compatibility Test Tool
• Standard User Analyzer (SUA) Tool

New Features in ACT 5.5?

ACT 5.5 includes the following new features:
• Updated issue detection and supported operating systems
• Integration of data from the Windows Vista® Compatibility Center
• Ability to audit application data and to selectively synchronize your applications with Microsoft
• Updated documentation for the Windows compatibility fixes
• Ability to customize your Quick Reports view
• Ability to label your individual data-collection packages
• Removal of the Internet Explorer® Compatibility Evaluator (IECE)
• Ability to participate in the Customer Experience Program

Question: What is the benefit provided by running the ACM tool?


Question: What is the benefit provided by running the SUA tool?


ACT 5.5 Architecture Overview

Key Points

The ACT 5.5 architecture consists of the following major components:
• Application Compatibility Manager (ACM): A tool used to configure, collect, and analyze data, to fix any issues before deploying a new operating system or deploying a Windows update in your organization.
• Data Collection Package (DCP): A Windows Installer (.msi) file created by the ACM for deployment to each of your client computers. Each DCP can include one or more compatibility evaluators, depending on what is being evaluated.
• ACT Log Processing Service: A service used to process the ACT log files uploaded from your client computers. It adds the information to your ACT database.
• ACT Log Processing Share: A file share, accessed by the ACT Log Processing Service, to store the log files that will be processed and added to the ACT database.
• ACT Database: A Microsoft SQL Server database that stores the collected application, computer, device, and compatibility data. The information stored in the ACT database can be viewed as reports from the ACM.
• Microsoft Compatibility Exchange: A Web service that propagates application-compatibility issues from the server to the client and enables the client computers to connect to Microsoft through the use of the Internet to check for updated compatibility information.

Question: What is the purpose of the Application Compatibility Manager (ACM)?


Compatibility Evaluators for Windows 7

Key Points

The Application Compatibility Toolkit (ACT) uses compatibility evaluators to collect and process your application information. Each evaluator performs a set of functions that provide a specific type of information to ACT. ACT contains the following compatibility evaluators for the Windows 7 operating system:
• Inventory Collector: examines each of your organization’s computers that have a Data Collection Package installed. For each computer, the Inventory Collector evaluator identifies all of the computer’s installed applications, devices, and system information. After the data is collected, view all the information from within the Analyze screen of the Application Compatibility Manager.
• User Account Control Compatibility Evaluator (UACCE): identifies potential compatibility issues due to an application running under a Protected Administrator or Standard User account on the Windows 7 operating system. When running, UACCE monitors your running applications to verify interactions with the operating system and to identify potentially incompatible activities. UACCE provides information about both potential application permission issues and ways to fix the problems so that a new operating system can be deployed.
• Update Compatibility Evaluator (UCE): identifies the potential impact from a new Windows update. Use the collected update impact data to prioritize your testing and reduce the uncertainty in deploying updates. The compatibility evaluator collects information about the modules loaded, the files opened, and the registry entries accessed by the applications currently running on the computers. It then writes that information to .xml files uploaded to the ACT database.

Question: What information does the Update Compatibility Evaluator collect?


How Application Compatibility Manager Helps in Collecting and Analyzing Application Data

Key Points

The Application Compatibility Manager (ACM) is a tool used to configure, collect, and analyze data to fix any issues prior to deploying a new operating system in your organization. The functionality performed within the ACM is divided into the following phases:
• Phase 1 – Collect your inventory and compatibility data: Before analyzing potential compatibility issues, first collect your organization’s inventory and the associated compatibility issues. After configuring your data collection package, you can save and distribute it to your network clients from a network share, or from removable media such as a CD or portable USB drive, or through Active Directory Group Policy.
• Phase 2 – Analyze your compatibility data: After collecting inventory and associated compatibility data, organize and analyze your issues. This includes categorizing, prioritizing, setting your deployment status and application assessment to create customized reports.
• Phase 3 – Test and mitigate your issues: After analyzing compatibility issue reports, test your applications to determine if the specified compatibility issues are actually problems within your organization. If it is determined that the issues are valid, use the Compatibility Administrator to create mitigation packages to fix the issues, or use the other developer tools provided with ACT. These tools, which can be used to determine additional issues and possible mitigation strategies, include the Internet Explorer Compatibility Tool, the Setup Analysis Tool, and the Standard User Analyzer tool.

This training focuses on the tasks performed in phases 1 and 2.

Question: After configuring your data collection package, you can save and distribute it to your network clients. What are some methods you can use to distribute the DCP to your clients?


Configuring and Using ACM

Key Points

The Application Compatibility Manager enables you to create new data-collection packages, collect the inventory information, and view the information through a series of quick reports. There are a number of configuration tasks that you need to be familiar with to successfully perform these tasks, including:
• Modify your configuration settings: The ACM’s Tools menu includes a Settings option used to modify your database and log-processing service settings, change your membership status in the ACT Community, and receive ACT software updates.
• Create and configure the ACT database: The ACT database is used for storing information related to your organization’s inventory, including information about your computers, devices, installed applications, and associated compatibility issues.
• Create and configure a data collection package: The DCP is used for collecting the information that is stored in the ACT database. Each DCP must be configured to identify the scenario related to the evaluation (such as deploying a new operating system or service pack, applying Windows updates, or updating to a new version of Internet Explorer), and the starting date and time for monitoring application use.
• Analyze your compatibility data using the ACM reports: Once the data has been collected, you can organize it by using priorities, assessment ratings, categories, and subcategories. After organizing your data, you can filter it, determine which applications have compatibility issues, and view the information in customized ACM reports.


Using the Standard User Analyzer

Key Points

The Standard User Analyzer (SUA) is used to test the Application Compatibility Manager for known user account control (UAC) issues. The SUA does this by monitoring API calls to detect compatibility issues related to the Windows 7 UAC feature. The SUA is also used to apply the recommended fixes and then export the fixes to a Microsoft Windows Installer (.msi) file for deployment to all your organization’s computers.

Some applications might not run properly under Standard User credentials due to applications that require access to restricted file or registry locations. The SUA monitors and reports many issues, including issues related to file, registry keys, .ini files, tokens, privileges, name space, and processes.

The Application Compatibility Toolkit includes the following tools that provide standard user analysis:
• Standard User Analyzer Tool: used to perform a full-function, in-depth analysis and mitigation for Windows 7 UAC issues.
• Standard User Analyzer Wizard: provides a step-by-step process to locate and mitigate UAC issues. The wizard does not include advanced analysis features that are available with the Standard User Analyzer Tool.

Standard User Analyzer Dependencies

To use the SUA tools, first install the following components:
• Application Verifier: This component performs the actual application monitoring that identifies potential application compatibility, stability, and security issues.
• .NET Framework 2.0 or later: This component provides the managed code programming foundation used by SUA.


Question: The Standard User Analyzer Wizard provides a step-by-step process to locate and mitigate UAC issues. However, the wizard provides limited functionality when compared to the Standard User Analyzer Tool. What is this limitation?
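The restricted file and registry locations mentioned in the SUA section can be pre-screened from a list of an application's write targets. The following is an added example, not part of ACT or the course material: it sorts write targets into those a standard user cannot write to, those in per-user locations, and those that need manual review. It assumes default Windows 7 permissions; the sample targets are constructed, and only the Stock Viewer install folder is taken from the lab.

```python
import ntpath

# Assumption: default Windows 7 ACLs. Standard users can read these locations
# but cannot create or modify files and keys in them.
PROTECTED_DIRS = (r"C:\Program Files", r"C:\Program Files (x86)", r"C:\Windows")
PROTECTED_HIVES = ("HKLM", "HKEY_LOCAL_MACHINE")
PER_USER_HIVES = ("HKCU", "HKEY_CURRENT_USER")

# Constructed sample: write targets of a hypothetical legacy application.
# Only the install folder follows the lab; file and key names are invented.
SAMPLE_WRITES = [
    ("file", r"C:\Program Files\StockViewer\settings.ini"),
    ("registry", r"HKLM\Software\StockViewer\Options"),
    ("registry", r"HKEY_CURRENT_USER\Software\StockViewer\Recent"),
    ("file", r"C:\Users\Alan\AppData\Local\StockViewer\cache.dat"),
    ("file", r"C:\Users\Alan\..\..\Windows\stock.log"),   # escapes the profile
    ("file", "c:/program files (x86)/StockViewer/trends.csv"),
    ("file", r"C:\Program FilesX\tool\out.txt"),          # look-alike folder
]


def _norm(path):
    """Collapse '..' and '/' and lowercase, so comparison ignores case."""
    return ntpath.normcase(ntpath.normpath(path))


def _is_under(path, root):
    """True if path is root itself or lies below it (whole components only)."""
    p, r = _norm(path), _norm(root)
    return p == r or p.startswith(r + "\\")


def classify(kind, target, user_profile):
    """Return 'restricted', 'ok' or 'review' for one write target.

    restricted: fails for a standard user and needs a fix or a code change
    ok:         per-user location, writable without elevation
    review:     not covered by these rules, check the ACL by hand
    """
    if kind == "registry":
        hive = target.partition("\\")[0].upper()
        if hive in PROTECTED_HIVES:
            return "restricted"
        if hive in PER_USER_HIVES:
            return "ok"
        return "review"
    if kind == "file":
        # Protected roots are checked first, so a path that walks out of the
        # profile with '..' is still flagged.
        if any(_is_under(target, root) for root in PROTECTED_DIRS):
            return "restricted"
        if _is_under(target, user_profile):
            return "ok"
        return "review"
    raise ValueError("unknown kind: %r" % (kind,))


def triage(writes, user_profile):
    """Group write targets by verdict; file paths are shown normalized."""
    report = {"restricted": [], "ok": [], "review": []}
    for kind, target in writes:
        verdict = classify(kind, target, user_profile)
        shown = ntpath.normpath(target) if kind == "file" else target
        report[verdict].append(shown)
    return report


if __name__ == "__main__":
    for verdict, targets in triage(SAMPLE_WRITES, r"C:\Users\Alan").items():
        for shown in targets:
            print("%-10s %s" % (verdict, shown))
```

Targets reported as restricted are the ones to exercise first when the application is launched under SUA without elevation.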


Using the Compatibility Administrator Tool

Key Points

The same fix tested in the Standard User Analyzer (SUA) tool must be applied to all the computers in your organization that are running that application. This is done by creating a new, global fix in the Compatibility Administrator tool that is based on the SUA fix. The Compatibility Administrator Tool helps to resolve application compatibility issues before deploying a new Windows operating system version. This tool can assist you by:
• Providing built-in compatibility fixes, compatibility modes, and Application Help messages used to resolve specific compatibility issues.
• Creating customized compatibility fixes, compatibility modes, Application Help messages, and compatibility databases.
• Providing a query tool that can search local computers for installed fixes.


Lab A: Evaluating Application Compatibility Using the Microsoft Application Compatibility Toolkit


Exercise 1: Installing and Configuring ACT

Scenario

You are the team lead for the Windows 7 deployment project at Contoso Ltd. The deployment is scheduled to occur within the next month. Contoso Ltd. currently uses Windows Vista on the company desktop computers.

As part of the deployment process, you need to determine application compatibility issues with Windows 7. You will use the Application Compatibility Toolkit to help inventory, organize, analyze, and then mitigate application issues. In this exercise, you will begin by installing and configuring the Application Compatibility Toolkit.

The main tasks for this exercise are as follows:
1. Install ACT.
2. Configure ACT settings.

Note: LON-DC1 is the computer running Windows Server 2008 R2. LON-CL1 is the computer running Windows 7. LON-VS1 is the computer running Windows Vista.

Task 1: Installing and configuring ACT
• Log on to the LON-DC1 virtual machine as Contoso\Administrator with a password of Pa$$w0rd.
• Open Windows Explorer and browse to E:\6294\Labfiles\Mod02\.
• Install Application Compatibility Toolkit.msi with all default settings.

Task 2: Configure ACT settings
• On LON-DC1, click Start, point to All Programs, point to Microsoft Application Compatibility Toolkit 5.5, and then click Application Compatibility Manager. The ACT Configuration Wizard starts.
• Configure the ACT Configuration Wizard with the following options:
  • Configuration Option: Enterprise configuration
  • ACT Database Settings:
    SQL Server: (local)
    Database: ACTDB (Click Create)
  • Log File Location:
    Path: C:\ACTLogs
    Share as: ACTLogs
  • Log Processing Service account: Local System
  • Automatically check for updates on launch: cleared
• On the Tools menu, click Settings.
• On the Settings tab, review the following configuration settings:
  • SQL Server name
  • SQL Database name
  • Log Processing Service status


  • Log Processing Service account
  • Log Share and Log Share path
• On the Preferences tab, review, but do not change, the following default configuration settings:
  • Community Settings
  • Update Settings
• Open the Services console and confirm that the ACT Log Processing Service has started.

Results: After this exercise, ACT 5.5 will be installed and configured on LON-DC1.


Exercise 2: Collecting Application Inventory

Scenario

As part of the Windows 7 deployment, you need to collect application inventory from the existing computers within your organization.

To collect application inventory, you must create a Data Collection Package. You will then install the Data Collection Package on all client workstations. The installed collection package will then scan and inventory the applications on the workstation and report it back to the ACT Log Processing Service.

The main tasks for this exercise are as follows:
1. Create the Data Collection Package.
2. Install the Data Collection Package.

Note: LON-DC1 is the computer configured with the Application Compatibility Toolkit. LON-VS1 is the Windows Vista computer that will have the Data Collection Package installed.

Task 1: Create the Data Collection Package
• On the navigation pane, click Data Collection Packages.
• Create a new Data Collection Package with the following configuration:
  • Package Name: DataCollectionPKG
  • Evaluate compatibility when: Deploying a new Operating System or Service Pack
  • Click Advanced and then verify the following evaluators are enabled:
    • Inventory Collector – gathers hardware and software inventories.
    • User Account Control Compatibility Evaluator – evaluates User Access Control issues.
    • Windows Compatibility Evaluators – looks for specific Windows Vista compatibility issues, including applications that interact with GINA.DLL, applications that depend on deprecated components, and Session 0 issues.
  • When to monitor application usage: Duration: 60 Minutes
  • Where to output collected data: LON-DC1 (\\LON-DC1\ACTLogs)
• Save as C:\Data\DataCollectionPKG.msi.
Task 2: Install the Data Collection Package
• Log on to LON-VS1 as Contoso\Alan using the password Pa$$w0rd.
• Open the Start Search box, and then type \\LON-DC1\Data.
• Install DataCollectionPKG.
• In the User Account Control dialog box provide the following:
  • User name: Administrator
  • Password: Pa$$w0rd
• Open the Task Manager, click the Processes tab, and then click Show processes from all users. Provide Administrator credentials in the User Account Control box.
• On the Processes tab, verify that the data collection is running by looking for the actdcsvc.exe process.


Results: After this exercise, a data collection package is created and then it must be installed on LON-VS1.


Exercise 3: Organizing the Application Inventory

Scenario

ACT produces an application portfolio based upon the inventory scans that occur on your network clients. The inventory collection process collects many types of applications from many different parts of the business. This can include operating system components, applications, hardware applications, ISV applications, third-party applications, and custom line-of-business applications. Now it is time to begin formulating how to organize and prioritize these applications to reduce the number of applications receiving detailed analysis and mitigation.

The main tasks for this exercise are as follows:
1. Create and assign custom categories.
2. Assign application priorities.
3. Create a filter based upon priority.

Note: LON-DC1 is the computer configured with the Application Compatibility Toolkit. LON-VS1 is the Windows Vista computer that has reported its application inventory.

Task 1: Create and assign custom categories
• Switch to LON-DC1.
• In the Application Compatibility Manager, click the Analyze button and configure the following:
• In the Windows Vista Reports section, verify that LON-VS1 has reported information. Double-click LON-VS1 to view reported data.
• In the Windows Vista Reports section, click Applications. Verify that applications are reported.
• Click the Devices tab and verify that devices are reported for LON-VS1.
• Click the Applications tab and then select Microsoft Office PowerPoint Viewer 2007 (English) and Microsoft Office Word Viewer 2003. On the Actions menu, click Assign Categories.
• Create a new category called Line of Business.
• Under the Line of Business category, create the Customer Service subcategory.
• Assign Microsoft Office PowerPoint Viewer 2007 (English) and Microsoft Office Word Viewer 2003 to the Customer Service subcategory.
• Select Microsoft BackInfo and Office Diagnostics Service. On the Actions menu, click Assign Categories.
• Create a new category called System Utilities. Add a subcategory called Desktops.
• Assign BackInfo and Office Diagnostics Service to the Desktops subcategory.

Task 2: Assign application priorities
• Right-click BackInfo and then click Priority. Set the Priority 3 - Nice to Have option.
• Set the following applications priority settings as listed:
  • Microsoft Office PowerPoint Viewer 2007 (English): Priority 1 - Business Critical
  • Microsoft Office Word Viewer 2003: Priority 1 - Business Critical
  • Office Diagnostics Service: Priority 4 – Unimportant


Task 3: Create a filter based upon priority
• On the Analyze pane, under Windows Vista Reports, ensure that Applications is selected.
• Click the Toggle Filter button.
• Insert and execute a clause with the following settings:
  • Field: Priority
  • Value: Priority 1 - Business Critical
• Save the filter report as Business Critical Apps in the Documents folder.
• Clear the filter to display all applications.
• Click the Toggle Filter button to close the Filter pane.

Results: After this exercise, application memory will be categorized and prioritized.


Exercise 4: Analyzing Application Inventory Results

Scenario

Now that you have organized and prioritized your applications, perform an analysis to determine compatibility status and issues. This can be determined by internal testing, or by obtaining test results from the ACT community.

Note: An important part of the analysis is your involvement in the ACT community and synchronizing your database with the Microsoft Compatibility Exchange. Due to Internet requirements, this task will not be shown in this lab.

The main tasks for this exercise are as follows:
1. Track application status.
2. Create a custom issue.

Note: LON-DC1 is the computer configured with the Application Compatibility Toolkit. LON-VS1 is the Windows Vista computer that has reported its application inventory.

Task 1: Track application status
• In the Application Compatibility Manager, click Analyze.
• Under Windows Vista Reports, click Applications.
• Right-click Office Diagnostics Service and set an assessment indicating that it does not work.
• Right-click Microsoft BackInfo and set an assessment indicating that it works with minor issues or has solutions.
• Set the following Deployment Status entries:
  • Office Diagnostics Service: Will not Deploy
  • Microsoft BackInfo: Mitigating

Task 2: Create a custom issue
• Double-click Office Diagnostics Service, and create a new issue based upon the following options:
  • Title: Office Diagnostics Service does not function in Windows 7
  • Priority: Priority 2 - Must Fix
  • Severity: Severity 2 - Major functionality loss
  • Symptom: Application functionality impaired on platform upgrade
  • Cause: Application is not supported on this version of the operating system
  • Affected Operating System: Windows Vista and Windows 7 RC
  • Issue Description: Office Diagnostics Service does not work with Windows Vista RTM or Windows 7
• Click Save and then click the Solutions tab.
• Add a solution with the following options:
  • Title: Office Diagnostics Service Fix


  • Solution Type: Application has an update
  • Solution Details: Install the latest Service Pack
• Close all windows to return to the main Application Compatibility Manager window.

Results: After this exercise, the application status is tracked and a custom issue is created.


Lab B: Creating Application Compatibility Fixes


Exercise 1: Identifying Application Compatibility Issues

Scenario

A specific application named Stock Viewer is reported to not be working with Windows 7. Identify the specific issues to determine the appropriate mitigation plan.

In this exercise, you will identify the application compatibility issues related to running Stock Viewer on Windows 7.

The main tasks for this exercise are as follows:
1. Start the Stock Viewer application to determine application compatibility issues.
2. Test elevated privileges.

Note: LON-DC1 is the computer running Windows Server 2008 R2. LON-CL1 is the computer running Windows 7 with the Stock Viewer application installed.

Task 1: Start the Stock Viewer application to determine application compatibility issues
• Log on to LON-CL1 as Contoso\Alan with the password of Pa$$w0rd.
• On LON-CL1, click Start and then click Stock Viewer. Take note of the Permission denied box.
• Test the following tasks to determine potential issues:
  • Click Trends.
  • Click the Tools menu and then click Options.
  • Click the Tools menu and then click Show Me a Star.
• Close the Stock Viewer application.

Task 2: Test elevated privileges
• Right-click Stock Viewer, and then click Run as Administrator.
• In the User Account Control box, type Administrator, and then type the password: Pa$$w0rd.
• Test the following tasks to determine potential issues:
  • Click Trends.
  • Click the Tools menu and then click Options.
  • Click the Tools menu and then click Show Me a Star.
• Close the Stock Viewer application.

Results: After this exercise, the Stock Viewer application will only run correctly under administrative privileges.


Exercise 2: Mitigating Application Issues

Scenario

Now that you have determined the compatibility issues with Stock Viewer, use the appropriate tools to mitigate the issues. In this exercise, you will use the Standard User Analyzer and the Compatibility Administrator to create and apply custom fixes.

The main tasks for this exercise are as follows:
1. Use SUA to identify and apply fixes.
2. Test the fixed application.
3. Use the Compatibility Administrator to create custom shims.
4. Test the fixed application.

Note: LON-DC1 is the computer configured with the Application Compatibility Toolkit. LON-CL1 is the Windows 7 computer that has the Stock Viewer application installed.

Task 1: Use SUA to identify and apply fixes
• On LON-CL1, click Start, point to All Programs, click Microsoft Application Compatibility Toolkit 5.5, click Developer and Tester Tools, and then click Standard User Analyzer.
• Configure the App Info tab as follows:
  • Target Application: C:\Program Files\StockViewer\StockViewer.exe
  • Launch Options: Elevate – not selected
• Click Launch.
• In the User Account Control box, type Administrator and then type the password: Pa$$w0rd. Click Yes at the prompt.
• Test the following tasks to record compatibility issues:
  • Click OK on the Permission denied box.
  • Click Trends.
  • Click the Tools menu and then click Options.
  • Click Continue to close the error.
  • Click the Tools menu and then click Show Me a Star.
• Close the Stock Viewer application.
• Review the following tabs: File, Registry, Token, Name Space, and Other Objects. Note that these are the errors that were detected while SUA was monitoring the application.
• On the Mitigation menu, apply the mitigations.

Task 2: Test the fixed application
• On LON-CL1, click Start and then click StockViewer.
• Test the following tasks to determine potential issues:
  • Click Trends.
  • Click the Tools menu, and then click Options.
  • Click the Tools menu, and then click Show Me a Star.
• Close the Stock Viewer application.
• Close SUA.

Task 3: Use the Compatibility Administrator to create a custom shim
• On LON-CL1, click Start, point to All Programs, click Microsoft Application Compatibility Toolkit 5.5, and then right-click Compatibility Administrator.
• Click Run as Administrator.
• In the User Account Control box, type Administrator, and then type the password Pa$$w0rd.
• In the left pane, expand Installed Databases\AppCompat Shims for StockViewer.exe\Applications\application GUID. Take note of the types of fixes that were applied by SUA.
• Right-click AppCompat Shims for StockViewer.exe and uninstall the fixes.
• In the left pane, expand Custom Databases and then click New Database(1) [Untitled_1].
• Click Fix and provide the following information:
  • Name of the program to be fixed: StockViewer
  • Program file location: C:\Program Files\StockViewer\StockViewer.exe
  • Compatibility Modes: None
  • Compatibility Fixes: ElevateCreateProcess, ForceAdminAccess, LocalMappedObject, VirtualizeHKCRLite
• Name the database StockViewerFix and save it to C:\Data\StockViewerFix.
• Click Fix and provide the following information:
  • Name of the program to be fixed: Star
  • Program file location: C:\Program Files\StockViewer\DWM Compositing Rendering Demo.exe
  • Compatibility Modes: None
  • Compatibility Fixes: WinXPSP2VersionLie
• Click Save.
• Right-click StockViewerFix, and then click Install.
• Close the Compatibility Administrator.

Task 4: Test the fixed application
• On LON-CL1, click Start and then click StockViewer.
• Test the following tasks to determine potential issues:
  • Click Trends.
  • Click the Tools menu, and then click Options.
  • Click the Tools menu, and then click Show Me a Star.
• Close the Stock Viewer application.
• Close SUA.

Results: After this exercise, a custom shim is created to fix the Stock Viewer application.

Task 5: Virtual machine shutdown
When the lab is finished, revert each virtual machine to its initial state. To do this, complete the following steps:
• On the host computer, start Hyper-V Manager.
• Right-click each virtual machine name in the Virtual Machines list and then click Revert.
• In the Revert Virtual Machine dialog box, click Revert.


Module Review and Takeaways

Review Questions
1. You have just installed ACT and configured the initial settings. What final task must be completed to ensure that inventory collection occurs?
2. What are some examples of common application categories or considerations to use when organizing your application inventory?
3. How can assigning application priorities help in your subsequent application compatibility analysis tasks?
4. What are some examples of applications that might be rationalized out of the priority application list?
5. During your application analysis, what is the main advantage of adding issue details or certifying applications using ACT?
6. After analyzing your compatibility issues, what are some examples of ways to mitigate any issues discovered?
7. Can a computer or application be deleted from your ACT database?
8. Must the client computer be restarted to get a DCP to collect data?

Real-World Issues and Scenarios
1. Last year, your customer upgraded its client computers from Windows XP to Windows Vista. The organization has since decided to deploy Windows 7, but management has indicated that it does not want to test applications twice for Windows Vista and then Windows 7. What are the implications of this decision?
2. You have just installed Windows 7 on your organization’s client computers. How do you ensure that the new Windows 7 features work as expected with your current application portfolio?
3. You plan to use the Application Compatibility Toolkit to determine whether your organization’s applications are compatible with Windows 7. However, you are concerned that the data collection and inventory process will cause performance issues on your client workstations. What can you do to minimize performance issues?

Best Practices Related to Implementing the Application Compatibility Toolkit
1. In organizations that employ a large number of client computers, it is usually impossible and impractical to deploy data collection packages (DCPs) to every computer. The following guidelines can assist in determining which computers to deploy the DCPs to:
  • Ensure that all device drivers are captured so the proper impact can be assessed during an operating system or security upgrade, in addition to locating potential issue and solution data provided by Microsoft Corporation, Independent Software Vendors (ISVs), and the ACT Community.
  • Sample each unique hardware configuration so that you can synchronize with the Microsoft Compatibility Exchange and obtain the relevant driver compatibility issues.
2. The Application Compatibility Manager is used to restrict access for the testing and remediation processes being done by the various application owners throughout your organization. Perform the following steps to enable restricted access:
  a. Provide read and write access to the database for any users that require access to the compatibility reports.
  b. Start the Application Compatibility Manager for the first time, and then select the View and manage reports only option from the Configuration Type Selection page of the ACT Configuration Wizard.
  Selecting this option creates an instance of the ACT that cannot connect to the ACT Log Processing Service, but enables users to create data collection packages and to analyze their data.
  The users provided with read and write access will now be able to record their assessment ratings, their issue reproduction steps, and their solutions. In addition, you can create queries for each group and enable them to review only the relevant information for their specific applications.
3. After compatibility analysis using the Application Compatibility Toolkit, vendor and community assessment, and manual application-to-operating system testing, you can perform the following best practices to remediate applications:
  • The first priority is to locate a compatible version of the application with vendor support for third party applications. This ensures the application will work as intended and support for that application is available.
  • For in-house developed applications, the best practice is to recode the application for native compatibility or in the cases where it exists, use the compatible version. Guidance for recoding applications can be found in the Application Quality Cookbook for Windows 7.
  • For third party applications without support (for example, the vendor is no longer in business) or for in-house developed applications where recoding is not an option, compatibility fixes (or shims) can be used to assist the incompatible application for use with Windows 7. The Compatibility Administrator tool is part of ACT and can be used to create and edit shim database (SDB) files to mitigate compatibility issues.
    The Standard User Analyzer also creates SDB files to correct issues it detects where administrative privilege (or elevation) is required. SDB files are created to include fixes for as many applications as possible, not one for each application. They can be serviced through scripted commands if and when updates and additions are needed.
  • After exhausting ways of making applications run natively in Windows 7 or with the help from Compatibility Fixes, legacy operating system virtualization (Microsoft Enterprise Desktop Virtualization or Windows XP mode) or Remote Desktop Services can be used as a last resort or transitional path while applications are in the process of compatibility remediation.
4. Establish the Application Lifecycle for ongoing management of application versions. When companies stay up-to-date on applications and utilities, they usually can avoid these issues.
5. Maintain application inventory for future Operating System and Service Pack testing. This is not disposable work to be used only once.
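The scripted servicing of SDB files mentioned in best practice 3 can be paired with an inventory check, because fixes such as ForceAdminAccess and ElevateCreateProcess change how an application is granted privilege. The following is an added example, not part of the courseware or of ACT: it installs a database with sdbinst.exe and lists every registered custom shim database with its file hash and target executables. The function names and the approved-hash list are hypothetical, and it assumes the standard AppCompatFlags registry locations, an elevated prompt for installation, and Windows PowerShell 2.0 or later.

```powershell
# Added example: deploy and inventory custom shim databases (SDB files).
# Compatible with Windows PowerShell 2.0, the version included with Windows 7.
$AppCompatFlags = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags'

function Get-FileSha256 {
    param([Parameter(Mandatory = $true)][string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { return ([System.BitConverter]::ToString($sha.ComputeHash($stream))).Replace('-', '') }
    finally { $stream.Close() }
}

function Get-ShimTarget {
    # AppCompatFlags\Custom\<exe name> holds one value per attached database,
    # named "{GUID}.sdb". Build a GUID -> executable names map from it.
    $map    = @{}
    $custom = Join-Path $AppCompatFlags 'Custom'
    if (Test-Path $custom) {
        foreach ($exeKey in Get-ChildItem -Path $custom) {
            foreach ($valueName in $exeKey.GetValueNames()) {
                $guid = $valueName -replace '\.sdb$', ''
                if (-not $map.ContainsKey($guid)) { $map[$guid] = @() }
                $map[$guid] += $exeKey.PSChildName
            }
        }
    }
    return $map
}

function Get-InstalledShimDatabase {
    # AppCompatFlags\InstalledSDB\{GUID} describes each installed database.
    $targets   = Get-ShimTarget
    $installed = Join-Path $AppCompatFlags 'InstalledSDB'
    if (-not (Test-Path $installed)) { return }
    foreach ($dbKey in Get-ChildItem -Path $installed) {
        $guid   = $dbKey.PSChildName
        $path   = $dbKey.GetValue('DatabasePath')
        $stamp  = $dbKey.GetValue('DatabaseInstallTimeStamp')
        $exists = [bool]($path -and (Test-Path -LiteralPath $path))
        $hash   = $null
        if ($exists) { $hash = Get-FileSha256 -Path $path }
        $when   = $null
        if ($stamp) { $when = [DateTime]::FromFileTimeUtc([long]$stamp) }
        New-Object PSObject -Property @{
            Guid         = $guid
            Description  = $dbKey.GetValue('DatabaseDescription')
            Path         = $path
            InstalledUtc = $when
            FileExists   = $exists
            Sha256       = $hash
            Targets      = @($targets[$guid])
        }
    }
}

function Test-ShimBaseline {
    # Flags any registered database whose file is missing or whose hash is not approved.
    param([string[]]$ApprovedSha256 = @())
    Get-InstalledShimDatabase | ForEach-Object {
        $status = 'Approved'
        if (-not $_.FileExists) { $status = 'MissingFile' }
        elseif ($ApprovedSha256 -notcontains $_.Sha256) { $status = 'NotInBaseline' }
        $_ | Add-Member -MemberType NoteProperty -Name Status -Value $status -PassThru
    }
}

function Install-ShimDatabase {
    # Quiet install with sdbinst.exe; use "-q -u" with the same path to uninstall.
    param([Parameter(Mandatory = $true)][string]$SdbPath)
    if (-not (Test-Path -LiteralPath $SdbPath)) { throw "Shim database not found: $SdbPath" }
    $sdbinst = Join-Path $env:SystemRoot 'System32\sdbinst.exe'
    $proc = Start-Process -FilePath $sdbinst -ArgumentList @('-q', "`"$SdbPath`"") -Wait -PassThru
    if ($proc.ExitCode -ne 0) { throw "sdbinst.exe exited with code $($proc.ExitCode)" }
}

# Usage: the hash is a placeholder to be replaced with the hash of your approved SDB file.
Test-ShimBaseline -ApprovedSha256 @('<SHA256-OF-APPROVED-SDB>') |
    Select-Object Status, Description, Path, Targets, InstalledUtc
```

Run the inventory on a schedule and investigate any NotInBaseline or MissingFile entry, since a registered database applies to its target executables on every launch.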




Module 3
Evaluating Windows® 7 Deployment Methods

Contents:
Lesson 1: Evaluating In-Place Deployment
Lesson 2: Evaluating Side-by-Side Deployment
Lesson 3: Evaluating Lite-Touch Deployment Method
Lesson 4: Evaluating Zero-Touch Deployment Method
Lab: Determining the Windows 7 Deployment Method


Module Overview

When deploying Windows® 7 in your organization, you must evaluate the feasibility of the different deployment scenarios and methods available. Suitable deployment methods and scenarios may depend on the organization’s business environment and several other considerations, such as current infrastructure, available budget, and organization policy.

This module discusses different deployment scenarios and methods that are available when deploying Windows 7. It also discusses various tools and technologies to use in the different scenarios and considerations for selecting a deployment scenario and method.


Lesson 1
Evaluating In-Place Deployment

There are several deployment scenarios that can be used when you are deploying the Windows 7 operating system. Depending on the source and destination computer, these scenarios are categorized as: new computer, refresh computer, replace computer, and upgrade computer scenarios. Refresh computer and upgrade computer are categorized as in-place deployment scenarios, whereas the replace computer is categorized as a side-by-side deployment scenario.


What Is an In-Place Deployment?

Key Points

In-place deployment means that the source and destination computers are the same computer. There are two kinds of in-place deployment methods:
• In-place upgrade: upgrade the original operating system, maintaining existing configurations.
• Wipe-and-load: replace the original operating system and selectively migrate sections of the old configuration to the new one.

In-Place Upgrade

When deploying Windows 7 using an in-place upgrade scenario, the installation program runs fully unattended and it automatically keeps all user settings, data, hardware device settings, applications, and other configuration information.

Typical steps in an in-place upgrade scenario include the following:
1. Back up the computer’s entire hard disk.
2. Perform upgrade to Windows 7.
3. Upgrade, uninstall, and install additional applications as required.

Wipe-and-Load

When deploying Windows 7 using the wipe-and-load scenario, you must first perform a clean installation of Windows 7, followed by the migration of user settings and data from the earlier version of Windows. To perform a clean installation, run setup.exe, the Windows 7 installation program, and select Custom. The option allows you to install Windows 7 on a partition that already has an operating system, such as earlier versions of Windows. After the installation is done, the earlier version of Windows will be placed in a folder called Windows.old, along with the previous Program Files and Documents and Settings folders.

Typical steps in a wipe-and-load scenario include the following:
1. Back up the computer’s whole hard disk.
2. Save user settings and data for migration.
3. Perform a clean installation of Windows 7 selecting Custom.
4. Reinstall applications.
5. Restore user settings and data.


Advantages and Disadvantages of In-Place Deployment

Key Points

The main advantage of in-place deployment is that you do not have to invest in purchasing a new computer because the source computer and the destination computer are the same computer. However, this can result in an irreversible process, in which as soon as the in-place deployment is complete, it cannot be undone or reversed. (You can protect yourself from failed installations, such as this, by being sure to use a third party backup or imaging solution prior to deployment.)

In addition, because the destination computer is the same as the source computer, there is downtime associated with in-place deployment for the end-users that may affect productivity.

The advantages and disadvantages of the two kinds of in-place deployment scenarios are summarized in the following table.

Scenario: In-place Upgrade
Advantages:
• Keeps user settings, application settings, and files and has minimal impact to user productivity.
Disadvantages:
• Does not start fresh with standardized reference configurations.
• Does not allow for edition changes and can only be deployed on supported operating systems: Windows Vista® SP1 or later versions.
• Applications may not work correctly after upgrade.

Scenario: Wipe-and-load
Advantages:
• Allows for cleanup of workstations and creation of more stable and secure desktop environments.
• Avoids decrease in performance issues.
• Allows for installation of any edition.
• Prevents virus, spyware, and other malicious software from migrating to the new installation.
Disadvantages:
• Requires migration tools such as Windows® Easy Transfer or User State Migration Tool to save and restore user settings and data.
• Requires re-installation of applications.
• Requires storage space for user settings and files to be migrated.
• May reduce user productivity as applications and personal settings may have to be reconfigured.

At first glance, an in-place upgrade scenario seems to be the best choice. Windows 7 setup runs unattended and users maintain their existing configurations. However, this method is not always attractive when the goal is a managed environment and a reduction in the total cost of operation (TCO). The in-place upgrade scenario does not reset the computer to a reference configuration. And, as mentioned in the table, some applications may not work correctly after the upgrade is completed.

A key benefit of the wipe-and-load scenario over the upgrade scenario is that it does not replicate the existing configurations’ known and unknown problems. Wipe-and-load is best when you want to standardize configurations across the organization, as deployment, management, and support costs are reduced because each computer can be deployed with the same reference configuration, applications, files, and settings.


Considerations for In-Place Deployment

Key Points

The in-place upgrade scenario is a direct upgrade of the current operating system to Windows 7. The wipe-and-load scenario (refresh) involves first performing a clean installation of Windows 7, followed by the migration of user settings and data from a computer that is running an earlier version of Windows.

In-Place Upgrade Considerations

The following list describes considerations for selecting an in-place upgrade:
• Infrastructure: This does not require additional computer hardware or storage space. The following tools can be used:
  • Windows Setup (setup.exe) to install the Windows operating system or upgrade earlier versions of the Windows operating system
  • Windows images through network share which uses the ImageX tool that is included in the Windows Automated Installation Kit (Windows AIK)
  • Windows Deployment Services (WDS), which is a server-based deployment solution that enables an administrator to set up new client computers over the network
  A WDS server must be at least a member of an Active Directory domain. You must also have a working DHCP and DNS server on the network. In addition, you cannot configure WDS server role on a server core installation.
  Consider using Windows Automated Installation Kit (Windows AIK). This is a collection of tools and documentation designed to help IT professionals deploy Windows. The tools in Windows AIK include:
  • Windows System Image Manager (Windows SIM): The tool used to open Windows images, create answer files, and manage distribution shares and configuration sets.
  • ImageX: The tool used to capture, create, modify, and apply Windows images.
  • Deployment Image Servicing and Management (DISM): The tool used to apply updates, drivers, and language packs to a Windows image. DISM is available in all installations of Windows 7 and Windows Server 2008 R2.
  • User State Migration Tool (USMT): The tool used to migrate user data from a previous Windows operating system to Windows 7.
• Budget: This requires no investment in additional hardware.
• The phase of the desktop: This requires no new hardware. Therefore, it is not important to consider the organization’s hardware life cycle.
• Valid upgrade options for Windows 7: Only Windows Vista® with SP1 or later versions supports in-place upgrades to Windows 7. In-place upgrade also does not support:
  • Cross architecture: You can only upgrade to the same platform. You cannot upgrade from a 32-bit to a 64-bit or vice versa.
  • Cross language: You cannot upgrade from one language to another. For example, you cannot upgrade a U.S. English (EN-US) version of Windows to a German (DE-DE) version of Windows.
  • Edition changes: You cannot upgrade Windows Vista Enterprise to Windows 7 Ultimate.
• Amount of interaction: This does not require significant user interaction. You can use the answer file to minimize user interaction and effort when performing an in-place deployment.
• State of user data: This does not require reinstallation of applications, or any of the user settings, data, hardware device settings, applications, or other configuration information.
  However, some applications may have to be reinstalled after the upgrade is performed.

Wipe-and-Load Considerations

The following list describes several considerations when you select wipe-and-load deployment:
• Infrastructure: This requires no additional computer hardware. You may need additional space to save the existing user state data on the computer.
• Budget: Because no additional hardware or software is required, there is no additional cost associated with wipe-and-load deployment.
• The phase of the desktop: This requires no new hardware.
• Amount of interaction: The refresh scenario does not require a lot of user interaction. However, it may affect user productivity, because users have to reconfigure their settings and reinstall certain applications manually after deployment. The following tools can be used to help migrate user settings and data:
  • Windows Easy Transfer (WET): Supports user settings and data transfer to the destination computer by using the network, WET cable, removable media, or a writable CD or DVD.
  • User State Migration Tool (USMT): Supports user settings and data transfer for large deployments.
• State of user data: This deployment requires a reinstallation of applications. You can use the User State Migration Tool (USMT) to create a snapshot of current user data files before reinstallation. This keeps data in the same location on the disk while you are upgrading the system and rebuilds the links after Windows 7 is installed. This is also known as a hard-link migration. Hard-link migration eliminates the need for storage space to store migration data and reduces the time required to migrate user state.
  In the wipe-and-load deployment, you can also use the Windows.old folder to recover all personal files. The Windows.old folder contains the following folders:
  • Windows
  • Documents and Settings
  • Program Files
  When you have moved all important data from the Windows.old folder, remove the folder using Windows Disk Cleanup.
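The hard-link migration described under State of user data maps onto steps 2 and 5 of the wipe-and-load procedure. The following is an added example, not part of the courseware: it wraps the USMT scanstate.exe, loadstate.exe and usmtutils.exe commands with the checks a hard-link store needs. The function names are hypothetical, and the USMT folder, store path and log folder are parameters you supply.

```powershell
# Added example: wipe-and-load user state migration with a USMT hard-link store.
# Run from an elevated prompt. $UsmtPath is the folder that holds scanstate.exe,
# loadstate.exe, usmtutils.exe and the MigApp.xml / MigDocs.xml rule files.

function Assert-HardLinkCapable {
    param([Parameter(Mandatory = $true)][string]$StorePath)
    # Hard links exist only on NTFS and cannot cross volumes, so the store
    # has to live on a local, fixed NTFS volume (not a UNC share or USB stick).
    $root = [System.IO.Path]::GetPathRoot([System.IO.Path]::GetFullPath($StorePath))
    if ($root -notmatch '^[A-Za-z]:\\$') { throw "Store must be on a local drive letter: $StorePath" }
    $drive = New-Object System.IO.DriveInfo $root
    if ($drive.DriveType -ne [System.IO.DriveType]::Fixed) { throw "Drive $root is not a fixed disk." }
    if ($drive.DriveFormat -ne 'NTFS') { throw "Drive $root is $($drive.DriveFormat); hard links need NTFS." }
}

function Invoke-UsmtTool {
    param([string]$Exe, [string[]]$Arguments)
    if (-not (Test-Path -LiteralPath $Exe)) { throw "USMT tool not found: $Exe" }
    & $Exe $Arguments
    if ($LASTEXITCODE -ne 0) {
        throw ("{0} returned code {1}; check its log file." -f (Split-Path $Exe -Leaf), $LASTEXITCODE)
    }
}

function Get-UsmtRuleArgument {
    param([string]$UsmtPath)
    foreach ($rule in 'MigApp.xml', 'MigDocs.xml') {
        $file = Join-Path $UsmtPath $rule
        if (-not (Test-Path -LiteralPath $file)) { throw "Migration rule file missing: $file" }
        "/i:$file"
    }
}

function Save-UserState {
    # Step 2: run on the existing installation, before starting setup.exe.
    param([string]$UsmtPath, [string]$StorePath, [string]$LogDirectory)
    Assert-HardLinkCapable -StorePath $StorePath
    $usmtArgs  = @($StorePath, '/hardlink', '/nocompress', '/o', '/c')
    $usmtArgs += @(Get-UsmtRuleArgument -UsmtPath $UsmtPath)
    $usmtArgs += @('/v:13', "/l:$(Join-Path $LogDirectory 'scanstate.log')")
    Invoke-UsmtTool -Exe (Join-Path $UsmtPath 'scanstate.exe') -Arguments $usmtArgs
}

# Step 3 happens between the two calls: install Windows 7 with the Custom option
# onto the same partition WITHOUT formatting or repartitioning it. Formatting the
# volume destroys the hard-link store along with the files it points to.

function Restore-UserState {
    # Step 5: run on the new Windows 7 installation after applications are reinstalled.
    param([string]$UsmtPath, [string]$StorePath, [string]$LogDirectory)
    if (-not (Test-Path -LiteralPath $StorePath)) { throw "Hard-link store not found: $StorePath" }
    $usmtArgs  = @($StorePath, '/hardlink', '/nocompress', '/c')
    $usmtArgs += @(Get-UsmtRuleArgument -UsmtPath $UsmtPath)
    $usmtArgs += @('/v:13', "/l:$(Join-Path $LogDirectory 'loadstate.log')")
    Invoke-UsmtTool -Exe (Join-Path $UsmtPath 'loadstate.exe') -Arguments $usmtArgs
}

function Remove-UserStateStore {
    # A hard-link store holds locked links; remove it with usmtutils rather than Explorer.
    param([string]$UsmtPath, [string]$StorePath)
    Invoke-UsmtTool -Exe (Join-Path $UsmtPath 'usmtutils.exe') -Arguments @('/rd', $StorePath)
}
```

Call Remove-UserStateStore only after the restored profiles have been verified, because the store is the only copy of the saved user state on the disk.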


Lesson 2
Evaluating Side-by-Side Deployment

The replace computer scenario is categorized as side-by-side deployment, where the source and the destination computers are different computers. Depending on the existing environment in your organization and your deployment plan and strategy, you can select to use in-place deployment, side-by-side deployment, or a combination of both.


What Is a Side-by-Side Deployment?

Key Points

Side-by-side deployment is frequently used when new, or replacement, computers are purchased and deployed. In this scenario, the user settings and data must be moved from the source computer to the new destination computer.

Typical steps in a side-by-side deployment scenario include the following:
1. Save user settings and data for migration.
2. Perform a clean installation of Windows 7.
3. Install applications.
4. Restore user settings and data.


Advantages and Disadvantages of Side-by-Side Deployment

Key Points

The key benefit of the side-by-side deployment scenario is that it is useful when you have to move the user state and files from a source computer to a new, destination computer. For example, if you have a computer currently running a supported Windows operating system that has to be replaced with another computer, you can save the existing user state data from the original computer and then deploy the new installation of Windows to the new computer. Finally, you can restore the user state data to the new computer. The only requirement from the user in this case is to create an association between the source and destination computer. The user can then continue to work while the new workstation is installed and configured.


Considerations of Side-by-Side Deployment

Key Points

Side-by-side deployment is recommended when you want to achieve a standardized environment in a large enterprise and need to move applications and user states to new computers. This method guarantees that all systems begin with the same configuration, and that the company has a standardized environment for all users who are running Windows 7.

The following list describes several considerations for selecting the side-by-side deployment scenario:
• Infrastructure: This deployment requires an existing computer, intermediate storage space, and a destination computer. You can use the following tools to install Windows 7:
  • Windows Setup (setup.exe)
  • Windows images by using network share
  • Windows Deployment Services (WDS)
  Also consider using Windows AIK to assist in deploying Windows operating system. To migrate user settings and data, you can use the following tools:
  • Windows Easy Transfer (WET) for small volume deployment
  • User State Migration Tool (USMT) for large volume deployment
• Budget: The side-by-side deployment scenario requires a new destination computer. This generates additional costs in replacing the existing computer hardware.
• The phase of the desktop: Because the side-by-side deployment scenario is typically used when replacing computers in the organization, the hardware life cycle of your computers is an important factor.
• Amount of interaction: This deployment method enables users to continue working while a new workstation is installed and configured. You can automate the deployment and minimize the user interaction by using the following tools:
  • Answer file: To help configure Windows settings during Windows installation.
  • User State Migration Tool (USMT): To perform the migration for many computers.
• State of user data: Because side-by-side deployment requires a reinstallation of applications on the destination computer, before you perform the deployment, identify which elements to migrate to the new computer. These elements include user accounts, application settings, operating system settings and file types, folders, and settings.


Discussion: Determining a Deployment Scenario

Scenario One

You work as a Desktop Administrator in a large corporation. The organization has a standardized computer environment, with most of the users running Windows® XP operating systems and some running Windows Vista. You have Active Directory and all workstations are domain joined and centrally managed by Group Policy. All the computers have the latest updates and service packs installed.

Your organization plans to deploy Windows 7 but you were told that there is no budget available to purchase new hardware for computers that are less than three years old. For computers more than three years old, the general organization policy applies and you can replace these computers.

Your Human Resource Department has indicated that there were some new employees hired in the past couple of months, and there will be more in the next month. According to company policy, you can purchase new hardware for new employees, as needed.

Question: How might you determine the deployment scenarios in your organization?

Scenario Two

You work as a Desktop Administrator in a large corporation. Your organization has a standardized computer environment, with most of the users running Windows XP operating systems and some running Windows Vista. You have Active Directory and all workstations are domain-joined and centrally managed by Group Policy. All the computers are current with the latest updates and service packs installed.

You have the budget to buy new computers for 50 managers, and have to reallocate the 50 older portable computers to new employees. All employees need to run Windows 7 since your organization is in the process of standardizing the computer environment.

Question: How might you determine the deployment scenarios in your organization?


Lesson 3
Evaluating Lite-Touch Deployment Method

There are many tools and strategies available for deploying operating systems. Microsoft® Deployment Toolkit (MDT) 2010 is a unified set of tools and resources designed to simplify the complex and time-consuming process involved with deploying desktop and server software. It provides end-to-end process guidance, a common deployment console, and tools to automate deployment tasks.

Some organizations have deployment processes that require extensive interaction from an administrator or end-user, whereas other organizations have their deployment tasks completely automated. With MDT 2010 and the integration with Microsoft System Center Configuration Manager 2007 (for ZTI), organizations can choose between Lite-Touch and Zero-Touch deployment methodologies to perform high-volume deployment.


Discussion: What Is Lite-Touch Deployment?

Key Points

Lite-Touch deployment is a deployment methodology that requires light interaction from the administrator or a user who has administrator access to input customized information during deployment. It is a high-volume deployment strategy and is targeted for medium-sized organizations that have an information technology (IT) staff and sometimes use partners to help with technology adoption.

Lite-Touch deployment is based on the Microsoft Deployment Toolkit (MDT) Lite Touch Installation (LTI) method. With LTI, you start the deployment on each computer and configure deployment settings. After that, the deployment is usually automated and requires no intervention.

Lite Touch Installation Scenarios

Lite Touch Installation supports the following scenarios:
• New Computer (Bare Metal): in this scenario, Windows 7 is installed on a new computer. This scenario assumes that there is no user data or profile to preserve.
• Upgrade Computer: in this scenario, the current Windows operating system on the destination computer is upgraded to Windows 7.
• Refresh Computer: in this scenario, a computer is refreshed using the wipe-and-load process to remove the existing operating system completely, and then replaced with Windows 7.
• Replace Computer: in this scenario, a computer is replaced with another computer.


Advantages of Lite-Touch Deployment

Key Points

Lite-Touch deployment provides the following benefits:
• Limited interaction: Lite-Touch deployment requires limited interaction, only at the beginning of the installation.
• Consistent and standardized configurations: Lite-Touch deployment takes advantage of a standardized image. This means that all computers start in the same state.
• Fast deployment and streamlined maintenance: Lite-Touch deployment uses MDT capabilities to handle the installation of applications, device drivers, and updates, which simplifies the deployment process and reduces deployment time.
• Minimal infrastructure requirement: Lite-Touch deployment requires little investment. The minimum infrastructure requirement is a file server and a local area network, and most organizations already have these.

Lite-Touch Deployment Limitations

While Lite-Touch deployment offers consistent configuration and streamlined deployment experience, it typically involves administrator interaction at the beginning of the operating system installation.


Considerations for Lite-Touch Deployment

Key Points

The following list describes several considerations for Lite-Touch deployment strategy.
• Infrastructure: Lite-Touch deployment requires a managed network and a file server to store the Windows images. In addition, the following tools and technologies are available to assist Lite-Touch deployment:
    • Microsoft Assessment and Planning Toolkit
    • Microsoft Application Compatibility Toolkit
    • Volume-licensed media
    • Microsoft Deployment Toolkit
    • Windows Automated Installation Kit
    • User State Migration Tool
    • Installation media or Windows Deployment Services to start the client computers during deployment.
• Budget: Lite-Touch deployment requires no significant investment in additional hardware or software.
• IT department skill and deployment experience: Lite-Touch deployment can be scaled simply. This makes it a good choice for small and medium-sized organizations.
• Number of end-users and end-user experience: Lite-Touch deployment requires limited interaction at the beginning of installation. This can be done by the IT department or by technically knowledgeable users who can visit each computer to be deployed. In addition, Lite-Touch deployment is best suited for deployment scenarios of up to 500 client computers.
• Supported Deployment Scenario: Lite-Touch deployment supports the following deployment scenarios: new computer, upgrade computer, refresh computer, and replace computer.


Discussion: Determining the Feasibility of Using Lite-Touch Deployment Method

Scenario

You work as a Desktop Administrator in a large corporation. Your team consists of an IT staff that is experienced in deploying the Windows XP operating system. Your organization has multiple offices around the country that are connected to the head office, some with high-speed network connections and other offices with fairly slow connections, with the slowest being a 256 Kbps connection. There is at least one dedicated IT employee in every remote office.

Your organization has a standardized computer environment, with most of the users running Windows XP operating systems, and some running Windows Vista. You have Active Directory and all workstations are domain joined and centrally managed by Group Policy. All the computers are current with the latest updates and service packs installed.

Your organization plans to deploy Windows 7, a project that will be driven from the head office. Currently, the organization does not have the infrastructure that supports System Center Configuration Manager. The Windows 7 image that aligns with the corporate standard has already been created on the MDT servers in the head office. You have to distribute this Windows 7 corporate image to all workstations in all offices nationwide. This corporate image is almost 7 GB. Your organization has already set aside sufficient budget for this deployment project to ensure the most efficient and effective deployment experience and future maintenance.

Question: How do you determine the feasibility of using Lite-Touch deployment method to deploy Windows 7 to workstations in your head office and your remote offices, without bringing down the network at the same time?


Lesson 4
Evaluating Zero-Touch Deployment Method

Zero-Touch deployment is primarily targeted toward enterprise-class organizations that have deployed network infrastructure prerequisites. These organizations can take advantage of robust deployment automation capabilities and can select whether any end-user involvement is required. Organizations that already have a rationalized or dynamic network environment can use Zero-Touch deployment, which uses automated deployment capabilities of the Microsoft Deployment Toolkit (MDT) 2010 Zero Touch Installation (ZTI).


Discussion: What Is Zero-Touch Deployment?

Key Points

Zero-Touch deployment is a deployment methodology that requires no manual interaction during the installation process. Zero-Touch deployment builds upon many techniques and processes that are used for Lite-Touch deployment. It is a high-volume deployment strategy, which is targeted for large organizations that have dedicated IT staff with expertise in deployment and networking.

Zero-Touch deployment is based on the Microsoft Deployment Toolkit (MDT) Zero Touch Installation (ZTI) method. ZTI requires System Center Configuration Manager 2007 SP2 to provide fully-automated deployment of the operating system and applications, without the need for user intervention.

With ZTI, you deploy operating systems from Configuration Manager distribution points. The installation process can be initiated by Configuration Manager. The Zero-Touch deployment process is initiated automatically, which eliminates the need to visit each computer.

Zero Touch Installation Scenarios

By using MDT and Configuration Manager, the Zero Touch Installation supports new computer, refresh computer, and replace computer scenarios. Configuration Manager does not support the upgrade computer scenario. However, the upgrade scenario can be performed by using the standard software distribution task from within Configuration Manager.


Advantages of Zero-Touch Deployment

Key Points

Zero-Touch deployment provides the following benefits:
• Full automation: Zero-Touch deployment requires no interaction, which means deployment is fully automated. You spend more effort up front engineering the process, but overall deployment costs are less and deployment rates are much faster.
• Consistent and standardized configurations: Zero-Touch deployment takes advantage of a standardized image, which means that all computers start in the same state.
• Fast deployment and streamlined maintenance: Zero-Touch deployment uses MDT and Configuration Manager capabilities to handle installation of applications, device drivers, and updates, which eases the deployment process and reduces deployment time.

Zero-Touch Deployment Limitations

Zero-Touch deployment’s most significant limitations are the infrastructure and skill level required to implement it. This strategy relies on integrating MDT 2010 and System Center Configuration Manager 2007 SP2.


Considerations for Zero-Touch Deployment

Key Points

The following list describes several considerations for Zero-Touch deployment strategy.
• Infrastructure: Zero-Touch deployment requires an in-place rationalized or dynamic network infrastructure, which includes the following:
    • System Center Configuration Manager 2007 SP2: the primary foundation of the Zero-Touch deployment is the centralized management and infrastructure provided by System Center Configuration Manager 2007 SP2.
    • Windows Deployment Services (WDS): this engine can be used by specific operating system deployment scenarios that are managed by Configuration Manager.
    • Active Directory® Domain Services (AD DS): this is used by clients to find Configuration Manager management points and to store metadata related to WDS. In addition, several network services such as Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP) are required to support ZTI.
    • Network bandwidth: the target computers must have a high-speed, persistent connection to the servers used in the deployment process.
  In addition, Zero-Touch deployment also offers several other tools and technologies:
    • Microsoft Assessment and Planning Toolkit
    • Microsoft Application Compatibility Toolkit
    • Volume-licensed media
    • Microsoft Deployment Toolkit
    • Windows Automated Installation Kit
    • User State Migration Tool


• Budget: The cost for a Zero-Touch deployment, based on a rationalized or dynamic automation environment, is at first higher than other methods. Costs associated with a Zero-Touch deployment include implementing the infrastructure required and training for the IT staff.
• IT department skill and deployment experience: Zero-Touch deployment requires the IT department to have expertise in deployment, networking, and familiarity with Configuration Manager.
• Number of end-users and end-users skill: Zero-Touch deployment requires no interaction during the installation process. Therefore, technical knowledge is not required from the end-users.
• Supported Deployment Scenario: Zero-Touch deployment does not support the upgrade computer scenario.


Discussion: Determining the Feasibility of Using Zero-Touch Deployment Method

You work as a Desktop Administrator in a large corporation. Your team consists of IT staff that has experience in deploying the Windows XP operating system. Your organization has multiple offices around the country that are connected to the head office, some with high-speed network connections and others with fairly slow connections, with the slowest being a 256 Kbps connection. There is at least one dedicated IT staff member in every remote office.

Your organization has a standardized computer environment, with most of the users running Windows XP operating systems, and some running Windows Vista. You have Active Directory and all workstations are domain joined and centrally managed by Group Policy. All the computers are current with the latest updates and service packs installed.

Your organization plans to deploy Windows 7, a project that will be driven from the head office. Currently, the organization does not have the infrastructure that supports System Center Configuration Manager. The Windows 7 image that aligns with the corporate standard has already been created on the MDT servers in the head office. You have to distribute this Windows 7 corporate image to all workstations in all offices nationwide. This corporate image is almost 7 GB. Your organization has already set aside sufficient budget for this deployment project to ensure the most efficient and effective deployment experience and future maintenance.

Question: How do you determine the feasibility of using Zero-Touch deployment method to deploy Windows 7 to workstations in your head office and your remote offices, without bringing down the network at the same time?


Lab: Determining the Windows 7 Deployment Method

Note: Your instructor may run this lab as a class discussion.

Bobby Moore, the manager of the Production department, wants to replace his existing Windows Vista workstations with Windows 7. You are tasked with creating the documents that detail the steps required to enable this deployment. You have been liaising with Charlotte Weiss in the IT Department for more information.


Exercise 1: Planning a Windows 7 Deployment for a Small Network

Scenario

Bobby has asked that Windows 7 be deployed at the Slough production plant. Because of its relative proximity to the head office in London, sending someone to the site for a day or so is perfectly workable. You are unfamiliar with the Slough plant and its IT infrastructure, and communicate with Charlotte Weiss, a colleague in IT. She has visited the Slough plant on occasion, and is likely to be involved in the Windows 7 rollout.

The main tasks for this exercise are as follows:
1. Read the supporting documentation.
2. Update the Slough Production Plant: Windows 7 Upgrade Proposal document with your planned course of action.

Supporting Documentation

E-mail thread of correspondence with Charlotte:

Ed Meadows
From: Charlotte Weiss [charlotte@contoso.com]
Sent: 28 June 2009 11:01
To: ed@contoso.com
Subject: Re: Network Services

Hey Ed,
That plant is fairly small, and it is located on the edge of Slough. The computers there all have static IP addresses as there is no DHCP provision. They have a single server that is running Windows Server 2008®, configured as an RODC. The link to the head office in London is sometimes down, so it helps facilitate logons. That server also hosts all shared data.
I hope that helps.
Regards,
Charlotte.

----- Original Message -----
From: Ed Meadows [ed@contoso.com]
Sent: 28 June 2009 10:52
To: Charlotte@contoso.com
Subject: Network Services

Hi Charlotte,
As you may be aware, Bobby Moore wants us to come up with a plan for upgrading/migrating his Windows Vista computers throughout the Production department. Initially, he is talking about around ten computers in the production plant over at Slough. Can you please advise what network services we have in-place over there?
Thanks,
Ed


Ed Meadows
From: Charlotte Weiss [charlotte@contoso.com]
Sent: 15 July 2009 09:51
To: ed@contoso.com
Subject: Re: Slough plant upgrade

Hey Ed,
Well, the departmental and corporate information is on the server, but the users’ Documents folder is not redirected; it is all local.
Regarding custom applications, the whole of production uses a number of custom apps. At Slough, these applications are installed on some of the workstations, but not all. All workstations are installed with the standard office productivity suite: Excel, Word, and some with PowerPoint.
If you need anything else, let me know.
Charlotte.

----- Original Message -----
From: Ed Meadows [ed@contoso.com]
Sent: 15 July 2009 09:30
To: Charlotte@contoso.com
Subject: Slough plant upgrade

Hi Charlotte,
You mentioned in the last email that Slough has a file server for shared data. What about user data, and I am especially thinking about application settings (custom dictionaries, email folders, and the like), and any other personal information? What I am concerned about, is how to deal with user data during the upgrade/migration, depending on the way we decide to go.
Oh, and one other thing. Do you know if there are any custom applications installed at Slough?
Thanks,
Ed

Slough Production Plant: Windows 7 Upgrade Proposal

Document Reference Number: EM3007
Document Author: Ed Meadows
Date: July 30

Requirement Overview
To replace the Windows Vista operating system with Windows 7 for all computers in the Slough production plant.
To migrate applications and user data during the upgrade process.

Additional Information
There are ten computers currently running Windows Vista at the Slough plant.
The staff at Slough works in three shifts. This means that at some point in the day, all computers are not being used.


1. Is deployment by using WDS suitable in this situation? Why or why not?
2. Would the use of WAIK be beneficial in the Slough plant upgrade?
3. How would you propose to handle the installation of custom applications?
4. How would you propose to deploy standard office productivity applications?
5. How would you propose to handle user state data and application settings?

Proposals

Task 1: Read the supporting documentation
• Read the supporting documentation.

Task 2: Update the proposal document with your planned course of action
• Answer the questions in the additional information section of the document.
• Update the Slough Production Plant: Windows 7 Upgrade Proposal document with your planned course of action. Your proposal must include details about the specific services needed to support your deployment method. Where appropriate, the proposal must also include details about answer files, images, and other related material.

Results: After this exercise, you will have a proposal to present to Bobby Moore for the Slough Production Plant Windows 7 upgrade.


Exercise 2: Planning a Windows 7 Deployment for a Larger Network

Scenario

After the successful deployment of Windows 7 at Slough, Bobby Moore wants the project to include updating all the Production department computers to Windows 7. First, he plans to upgrade the computers in the Hammersmith plant. This facility is the closest to the London head office in Kensington. As Hammersmith falls into the west of London area, Charlotte Weiss will be your point of contact regarding any additional information that you might need before creating the upgrade proposal.

The main tasks for this exercise are as follows:
1. Read the supporting documentation.
2. Update the Hammersmith Production Plant: Windows 7 Upgrade Proposal document with your planned course of action.

Supporting Documentation

E-mail thread of correspondence with Charlotte:

Ed Meadows
From: Charlotte Weiss [charlotte@contoso.com]
Sent: 5 August 2009 08:10
To: ed@contoso.com
Subject: Re: Hammersmith
Attachment: Hammersmith.doc; Hammersmith.vsd

Ed,
Hammersmith has a larger number of workstations – but there is an opportunity here. Unlike Slough, these machines are quite old and are due for replacement in the coming months. If we are going to be deploying a new OS, perhaps we can bring that replacement forward?
Regarding applications, due to the reasonable link between Hammersmith and the head office, most settings are managed through Group Policy – including application deployment. Having said that, most user-state data is still local – we have not configured any folder redirection policies.
To help with the infrastructure questions, I have attached a Visio diagram of Hammersmith’s network – in addition to a description of the services provided there. If you need anything else, ping me.
Charlotte.

----- Original Message -----
From: Ed Meadows [ed@contoso.com]
Sent: 4 August 19:03
To: Charlotte@contoso.com
Subject: Hammersmith

Charlotte,
Thanks for getting Slough operational. Quick work! I have just heard from Bobby again. He wants to get Hammersmith upgraded as soon as possible. What can you tell me about the infrastructure there? Also, as with last time – anything I need to know about the applications deployed there, and the location of user-related data?
Ed


Contents of Hammersmith.doc:

Twenty-five workstation computers installed with Windows Vista Enterprise edition.
A single network printer is required.
Windows Server 2008 Enterprise Edition (Server Core) deployed with the following roles:
• Domain Controller/Global Catalog
• DNS
• DHCP – single scope to allocate addresses in the appropriate subnet.
• DFS-R – used to distribute SYSVOL and the standard office applications.
• Shared folders – used to store departmental data.

Hammersmith.vsd network diagram:


Hammersmith Production Plant: Windows 7 Upgrade Proposal

Document Reference Number: EM1008
Document Author: Ed Meadows
Date: August 10

Requirement Overview
To replace the Windows Vista operating system with Windows 7 for all computers in the Hammersmith production plant.
To ensure that user data is migrated as part of the upgrade process.
To ensure that there is minimal downtime of the workstations at the Hammersmith plant; they are in constant use.

Additional Information
There are 25 computers running Windows Vista at the Hammersmith plant.
The computers at Hammersmith are in constant use.
1. Is deployment by using WDS suitable in this situation? Why or why not?
2. How would you propose to handle the installation of custom applications?
3. How would you propose to deploy standard office productivity applications?
4. How would you propose to handle user state data and application settings?

Proposals

Task 1: Read the supporting documentation
• Read the supporting documentation.

Task 2: Update the proposal document with your planned course of action
• Answer the questions in the additional information section of the document.
• Update the Hammersmith Production Plant: Windows 7 Upgrade Proposal document with your planned course of action. Your proposal must include details about the specific services that you need to support your deployment method. Where appropriate, the proposal must also include details about answer files, images, and other related material.

Results: After this exercise, you will have a proposal to present to Bobby Moore for the Hammersmith Production Plant Windows 7 upgrade.


Exercise 3: Planning a Windows 7 Deployment for a Large Network

Scenario

Bobby Moore is delighted. The computers at Hammersmith, Slough, and the other smaller UK-based plants are all running Windows 7, and users have access to all their applications and data. Bobby now wants to complete the project and upgrade the remaining computers in the Production department. The remaining production department facility is based in Reading, about 40 miles from London. This state-of-the-art facility has a high-speed connection to the head office in Kensington. There are significantly more computers at Reading. Again, as this particular location is west of London, Charlotte Weiss will be your contact within the IT deployment team.

The main tasks for this exercise are as follows:
1. Read the supporting documentation.
2. Update the Production Department: Windows 7 Upgrade Proposal document with your planned course of action.

Supporting Documentation

E-mail thread of correspondence with Charlotte:

Ed Meadows
From: Charlotte Weiss [charlotte@contoso.com]
Sent: 15 August 11:59
To: ed@contoso.com
Subject: Re: Reading upgrades
Attachment: Reading.doc; Reading.vsd

Ed,
Thanks and it was my pleasure. With regard to Reading, I have attached a couple of files you might find useful. There are lots of workstations, but all are a standard configuration. They work in three shifts down at Reading, so we need to think of a way of quickly deploying to the available computers during their respective downtime. Let me know if you need more information than the attachments provide. User data and settings are stored locally.
Charlotte.

----- Original Message -----
From: Ed Meadows [ed@contoso.com]
Sent: 15 August 10:15
To: Charlotte@contoso.com
Subject: Reading upgrades

Charlotte,
Good work down at Hammersmith! Bobby wants to complete the departmental upgrade. It is all at one site: Reading, or just outside Reading. Before I can complete the plan, I need to know a little more about the site.
How many computers are located there? What network services are available? It might be nice if we can go for a little less of a hands-on approach with this deployment. Also, I do not know how much information you have on the location of user related data and settings.
Thanks in advance,


Ed

Contents of Reading.doc:

One hundred and fifty workstation computers installed with Windows Vista Enterprise in one of three subnets. A single network printer is provided in each subnet. Fundamental network services are provided on a backbone, including DHCP, DFS with replication from head office, DNS, and there is a local DC/GC. Each subnet hosts a Windows Server 2008 Enterprise Edition (Server Core) server deployed with the following roles:
• File Services
• Application Server

Reading.vsd network diagram:


Production Department: Windows 7 Upgrade Proposal

Document Reference Number: EM0109
Document Author: Ed Meadows
Date: September 1

Requirement Overview
To replace the Windows Vista operating system with Windows 7 for all computers in the rest of the production department based at the Reading plant.

Additional Information
There are 150 computers running Windows Vista at the Reading plant. At any time, around one third of all computers are not in use.
The computers are all in one of three subnets, with core services on the backbone. Each subnet has its own file server that hosts shared data and applications.
1. Is deployment by using WDS suitable in this situation? Why or why not?
2. How would you propose to handle the installation of custom applications?
3. How would you propose to deploy standard office productivity applications?
4. How would you propose to handle user state data and application settings?

Proposals

Task 1: Read the supporting documentation
• Read the supporting documentation.

Task 2: Update the proposal document with your planned course of action
• Answer the questions in the additional information section of the document.
• Update the Production Department: Windows 7 Upgrade Proposal document with your planned course of action. Your proposal must include details about the specific services needed to support your deployment method. Where appropriate, the proposal must also include details about answer files, images, and other related material.

Results: After this exercise, you will have a proposal to present to Bobby Moore for the Production Department Windows 7 upgrade.


Exercise 4: Planning a Windows 7 Deployment for an Enterprise Network

Scenario

The board of directors is pleased with the results of the Production department Windows 7 upgrade. The board wants you to prepare a proposal for the upgrade of all remaining client workstations—currently running Windows Vista Enterprise—to Windows 7. Contoso has several departments, most of which are primarily based at their offices in Kensington.

The Production department is the only one with offices distributed around the UK, but the computers in that department are already running Windows 7. Your project will focus on the remaining workstations in Kensington.

There is no budget to replace any hardware or purchase additional equipment, although some funds do remain for the purchase of additional software, if it is necessary. This time, Ryan Ihrig will be able to offer advice and help since he is responsible for user support at the Kensington location.

The main tasks for this exercise are as follows:
1. Read the supporting documentation.
2. Update the Contoso: Windows 7 Upgrade Proposal document with your planned course of action.

Supporting Documentation

E-mail thread of correspondence with Ryan Ihrig:

Ed Meadows
From: Ryan Ihrig [Ryan@contoso.com]
Sent: 2 December 2009 08:50
To: ed@contoso.com
Subject: Re: Contoso Windows 7 upgrade
Attachment: Kensington.doc; Kensington.vsd

Hi Ed,
The best I can do is send over the network documentation. It is attached to this message. It will answer all of your questions.
Regarding the applications, all workstations in each department have a standardized build, although the build varies from department to department. Finally, in terms of user data, we use folder redirection to store user settings and data onto the appropriate server; there is no user data stored locally.
Ryan.

----- Original Message -----
From: Ed Meadows [ed@contoso.com]
Sent: 1 December 2009 17:55
To: Ryan@contoso.com
Subject: Contoso Windows 7 upgrade

Ryan,
I have been working with Charlotte on a project to upgrade the computers in the Production department. We now need to upgrade the rest of the computers in Contoso, and I understand that you head up the support team at Kensington.


Evaluating Windows® 7 Deployment Methods 3-39I need to know what network infrastructure we have there so I can determine the appropriate deploymentmethod. I also need an idea of how the workstations are distributed around the network. Finally, can youprovide information about the applications on each computer <strong>and</strong> information about where user dataresides, in other words, locally or on a server?Many thanks,EdContents of Kensington.doc:Each floor of the head office consists of two VLANs, each with 75 workstations. All workstations areconnected to an Ethernet switch, <strong>and</strong> each VLAN has a Windows Server 2008 Enterprise Edition (ServerCore) file server to support local data <strong>and</strong> applications. There are ten floors in the building, so that isapproximately 1,500 workstation computers. To provide for core infrastructure services, there are fourdomain Windows Server 2008 Enterprise edition servers that provide the following services:• DHCP• DNS• AD-DS, Global Catalog• AD-CS• DFS-RIn addition, there are two Windows Server 2008 Enterprise Edition (Server Core) servers installed with theHyper-V role to support additional corporate services.There are three departments in Kensington: IT, Marketing, <strong>and</strong> Research. Contoso occupy the bottom twofloors, Marketing is on the top four floors, <strong>and</strong> the rest of the floors are occupied by Research.Applications are deployed as part of a thick operating system build; those applications that fall outside ofthe scope of this departmental build are deployed using an Organizational Unit-based Group PolicyObject (OU-based GPO). All user data is stored on local file servers by using folder redirection settingsfrom GPOs. All workstations support PXE-boot.Kensington.vsd partial network diagram:


Contoso: Windows 7 Upgrade Proposal

Document Reference Number: EM1712
Document Author: Ed Meadows
Date: December 17

Requirement Overview
To replace the Windows Vista operating system with Windows 7 for all computers in the Contoso organization.
To deploy applications as part of the upgrade and ensure that all user data and settings are accessible after the upgrade.

Additional Information
There are 1,500 computers running Windows Vista at the Kensington head office.
The staff at Kensington usually works standard office hours – 9.00 a.m. until 5.30 p.m.
1. Do you envisage using deployment images?
2. If so, how many images would you propose using?
3. What additional services would you need to support your proposal?
4. How would you propose to deploy standard office productivity applications?
5. How would you propose to handle user state data and application settings?

Proposals

Task 1: Read the supporting documentation
• Read the supporting documentation.

Task 2: Update the proposal document with your planned course of action
• Answer the questions in the additional information section of the document.
• Update the Contoso: Windows 7 Upgrade Proposal document with your planned course of action. Your proposal must include details about the specific services needed to support your deployment method. Where appropriate, the proposal must also include details about answer files, images, and other related material.

Results: After this exercise, you will have a proposal to present to the board for the Contoso Windows 7 upgrade.


Module Review and Takeaways

Tools

Tool | Use for | Where to find it
Microsoft Deployment Toolkit (MDT) 2010 | Deploying Microsoft products to desktops and servers; creating a single path for image creating and automated installation | Microsoft Download Center
System Center Configuration Manager 2007 SP2 | Assessing, deploying and updating servers, clients, and devices across a physical, virtual, distributed, and mobile environment | Microsoft Download Center
Windows Deployment Services | Deploying Windows over the network | Microsoft Download Center for Windows Server 2003 SP1; Server Role in Windows Server 2008 and Windows Server 2008 R2
Microsoft Assessment and Planning Toolkit | Assessing organization readiness for Windows 7 | Microsoft Download Center
Application Compatibility Toolkit | Inventorying and analyzing organization application compatibility | Microsoft Download Center
Windows Automated Installation Kit (Windows AIK) | Supporting the deployment of Windows operating system | Microsoft Download Center
User State Migration Tool | Migrating user settings and data for a large number of computers | Windows AIK
Windows Easy Transfer (WET) | Migrating user settings and data in side-by-side migration for a single or a few computers | Windows 7; Windows 7 Product DVD


Module 4
Designing Standard Windows® 7 Images

Contents:
Lesson 1: Overview of Windows 7 Installation Architecture
Lesson 2: Overview of Imaging Process
Lesson 3: Determining the Image Strategy
Lesson 4: Selecting the Image Servicing Methods
Lab: Determining the Windows 7 Imaging Strategy


Module Overview

Similar to Windows Vista®, the Windows® 7 setup process relies on image-based installation architecture. This architecture consists of deployment tools and technologies to assist with customizing and deploying Windows 7 throughout the organization. Using these tools, organizations can configure an effective computer imaging and deployment methodology that provides a safe and standardized Microsoft Windows desktop environment.
This module explains the underlying architecture of the computer imaging system that you can use to create and deploy a custom image of a Windows 7 desktop. It also discusses the different phases of the imaging process and how to determine imaging strategy and image servicing opportunities in Windows 7.


Lesson 1
Overview of Windows 7 Installation Architecture

Many organizations use an image-based model to deploy desktop operating systems. After you install and configure a reference computer, most imaging solutions capture an image based on a sector-by-sector copy of the reference computer. This technology, though effective, has some disadvantages.
The Windows 7 setup process relies on image-based installation architecture. This is modularized such that the setup files are composed of multiple elements instead of a single file. Modularization is advantageous because additional features, such as image servicing for example, can be “plugged into” the operating system.
The Windows 7 installation architecture consists of a collection of deployment tools and technologies compiled in the Windows Automated Installation Kit (Windows AIK). By using these tools you can provide a safe and standardized deployment of the Microsoft Windows desktop environment.


Windows 7 Automated Installation Elements

Key Points
Windows 7 has a unique setup and imaging process that addresses the deployment challenges of earlier operating systems.
Deploying a Windows 7 image is based on the following major elements:
• Windows Imaging (WIM) file format: This is a file-based image format used to deploy Windows operating systems.
• Tools to create and manage WIM files: Windows 7 provides different kinds of tools to create and manage a WIM file. The primary tools for creating and managing a WIM file are ImageX and Deployment Image Servicing and Management (DISM). Both are included in Windows AIK.
• Imaging application programming interface (API): Windows 7 uses an API named WIMGAPI that provides the layer to programmatically access and manipulate WIM files. (Tools such as ImageX and DISM use the WIMGAPI to manipulate WIM files.)
• Enabling technologies: This includes the Windows Imaging File System Filter (WIM FS Filter), and the WIM boot filter. The WIM FS Filter enables users to mount and browse the WIM as a file system. The WIM boot filter enables users to start a computer from a Windows Preinstallation Environment (Windows PE) image in a WIM file.


What Is Windows Imaging File Format?

Key Points
The Windows Imaging File format (WIM) file is a file-based disk image format introduced in Windows Vista. WIM files are compressed packages that contain some related files or resources that you use to install Windows 7.

WIM File Structure
The WIM file structure contains up to six types of resources defined as follows:
• WIM Header defines the .wim file content, such as memory location of key resources and .wim file attributes.
• File Resource is a series of packages that contain captured data, such as source files.
• Metadata Resource stores information on how captured data is organized in the .wim file. This includes directory structure and file attributes.
• Lookup Table contains the memory location of resource files in the .wim file.
• XML Data contains additional miscellaneous data about the WIM image, such as directory and file counts, total bytes, creation and modification times, and description information.
• Integrity Table contains security hash information that is used to verify the image’s integrity during an apply operation.
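The header and integrity table listed above can be read and checked directly. This is an added example, not part of the courseware: the field layout follows Microsoft's published WIM format specification as understood here, the hashed region (end of header to end of lookup table) is an assumption, and the image is a constructed stand-in, not a real .wim file.

```python
import hashlib
import struct

WIM_MAGIC = b"MSWIM\x00\x00\x00"
HEADER_SIZE = 208                        # cbSize of a version-1 WIM header
FIXED = struct.Struct("<8sIIII16sHHI")   # magic .. image count (48 bytes)
RESHDR = struct.Struct("<QQQ")           # size+flags, offset, original size
INTEGRITY_HDR = struct.Struct("<III")    # cbSize, hash count, chunk size
SHA1_LEN = 20


def read_reshdr(buf, pos):
    """Decode one 24-byte resource header: 7-byte size, 1-byte flags, offset."""
    packed, offset, original = RESHDR.unpack_from(buf, pos)
    return {"size": packed & 0x00FFFFFFFFFFFFFF, "flags": packed >> 56,
            "offset": offset, "original_size": original}


def parse_header(buf):
    """Return the header fields, or raise ValueError on a malformed header."""
    if len(buf) < HEADER_SIZE:
        raise ValueError("file shorter than a WIM header")
    magic, cb, version, flags, _chunk, guid, part, parts, images = \
        FIXED.unpack_from(buf, 0)
    if magic != WIM_MAGIC or cb != HEADER_SIZE:
        raise ValueError("not a WIM header")
    return {
        "version": version, "flags": flags, "guid": guid.hex(),
        "part": (part, parts), "image_count": images,
        "lookup_table": read_reshdr(buf, 48),
        "xml_data": read_reshdr(buf, 72),
        "boot_metadata": read_reshdr(buf, 96),
        "boot_index": struct.unpack_from("<I", buf, 120)[0],
        "integrity": read_reshdr(buf, 124),
    }


def verify_integrity(buf):
    """Return indexes of chunks whose SHA-1 differs from the integrity table.

    Returns None when the image has no integrity table, so a caller can tell
    "cannot be verified" apart from "verified clean" (an empty list).
    """
    hdr = parse_header(buf)
    integ, lookup = hdr["integrity"], hdr["lookup_table"]
    if integ["size"] == 0:
        return None
    # Assumption: hashes cover everything between the header and the end of
    # the lookup table, split into fixed-size chunks.
    start, end = HEADER_SIZE, lookup["offset"] + lookup["size"]
    table = integ["offset"]
    if not start <= end <= len(buf) or table + integ["size"] > len(buf):
        raise ValueError("resource points outside the file")
    _cb, count, chunk = INTEGRITY_HDR.unpack_from(buf, table)
    if chunk == 0 or count != -(-(end - start) // chunk):
        raise ValueError("integrity table does not match the hashed region")
    if INTEGRITY_HDR.size + count * SHA1_LEN > integ["size"]:
        raise ValueError("integrity table truncated")
    bad = []
    for i in range(count):
        lo = start + i * chunk
        want_at = table + INTEGRITY_HDR.size + i * SHA1_LEN
        want = bytes(buf[want_at:want_at + SHA1_LEN])
        if hashlib.sha1(buf[lo:min(lo + chunk, end)]).digest() != want:
            bad.append(i)
    return bad


def build_sample(chunk=256):
    """Constructed stand-in image: header, fake resources, integrity table."""
    resources = b"captured file data " * 40   # stands in for file resources
    lookup = b"\x00" * 100                    # stands in for the lookup table
    region = resources + lookup
    hashes = b"".join(hashlib.sha1(region[i:i + chunk]).digest()
                      for i in range(0, len(region), chunk))
    table = INTEGRITY_HDR.pack(INTEGRITY_HDR.size + len(hashes),
                               len(hashes) // SHA1_LEN, chunk) + hashes

    def res(size, offset):
        return RESHDR.pack(size, offset, size)   # flags byte left at zero

    header = FIXED.pack(WIM_MAGIC, HEADER_SIZE, 0x10D00, 0, 0, bytes(16), 1, 1, 1)
    header += res(len(lookup), HEADER_SIZE + len(resources))   # lookup table
    header += res(0, 0) + res(0, 0)                            # XML, boot metadata
    header += struct.pack("<I", 0)                             # boot index
    header += res(len(table), HEADER_SIZE + len(region))       # integrity table
    header += bytes(60)                                        # unused tail
    return header + region + table


if __name__ == "__main__":
    image = bytearray(build_sample())
    print("clean image, bad chunks:", verify_integrity(image))
    image[HEADER_SIZE + 300] ^= 0xFF          # simulate one corrupted byte
    print("after corruption, bad chunks:", verify_integrity(image))
```

The hashes are unkeyed and travel in the same file, so a clean result shows the image was not corrupted in storage or transit; it does not authenticate who produced it.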


Benefits of the WIM File Format

Key Points
WIM addresses many challenges experienced with other imaging formats. The benefits of WIM file format include the following:
• A single WIM file can address different hardware configurations. Therefore, you need only one image to address the different hardware configurations.
• WIM can store multiple images in a single file, which helps you store images with and without core applications in a single image file.
• WIM reduces the size of image files significantly by enabling compression and single instancing.
• WIM enables you to service an image offline. You can add or remove certain operating system elements, files, updates, and drivers without creating a new image.
• WIM enables you to install an image on a partition that is smaller, equal to, or bigger than the original partition that was captured, as long as the target partition has sufficient space to store the image content.
• WIM image format WIMGAPI provides developers with a layer that can be used to access and change the WIM image files.
• WIM allows for nondestructive image deployment. Therefore, you can leave data on the volume where you apply the image, because when the image is applied, it does not delete the disk’s existing contents.
• WIM enables you to start Windows PE from a WIM file.


How Windows 7 Uses Modularization

Key Points
One of the complicating factors of using a sector-based disk-imaging system is that adding new hardware, language packs, updates, and drivers usually requires creating a new disk image. When a critical fix appears, updating multiple images and testing each of them is costly and time-consuming.
Modularization provides the following benefits:
• Device drivers and updates can be added to the image file used to deploy Windows 7. You can do this offline, without deploying the image on a computer.
• You can customize some optional Windows 7 elements to your specific requirements.
• When Microsoft releases an update for one of the elements, you can update just that feature in the installation image without re-creating the whole image.
• You can deploy multiple Windows 7 language versions with a single image file.


The Windows 7 Imaging and Deployment Platform

The Windows 7 imaging and deployment platform incorporates a single operating system image, answer files, and a collection of imaging and deployment tools. The following list provides a brief overview of core technologies in Windows 7 Imaging and Deployment Platform, in addition to the WIM file format:
• Windows System Image Manager (Windows SIM): Use this to create unattended installation answer files and distribution shares, or change the files that are contained in a configuration set.
• Answer files: This is an XML file that stores the answers for a series of graphical user interface (GUI) dialog boxes.
• Windows Setup: This is a program that installs the Windows operating system or upgrades previous Windows operating system versions.
• Windows Preinstallation Environment (Windows PE): This is a minimal operating system that prepares a computer for Windows installation.
• Sysprep: This is a command-line tool that is used to prepare a Windows installation for imaging, system testing, or delivery to end-users.
• Diskpart: This is a command-line tool used to configure hard-disk objects, such as disks, partitions, or volumes.
• Windows Deployment Services (WDS): This is a server-based deployment solution that enables you to set up new client computers over the network.
• ImageX: This is a command-line tool that enables you to capture, change, and apply WIM images for rapid operating system deployment.
• Deployment Image Servicing and Management (DISM): This is a command-line tool used to service Windows images.


Windows Setup Configuration Passes

Key Points
Configuration passes are the phases of a Windows installation, during which you can customize an image. These phases determine the appropriate modifications that you can make at each point in the installation process.
This is the key to developing your Windows deployment strategy when you are deploying using setup.exe or performing/configuring sysprep. (When you image using ImageX, no configuration pass is applied.)
When creating an answer file, you specify the setting that you want to apply during a specific configuration pass. Different settings can be processed during different phases of Windows Setup.
The following table describes the modifications that you can perform in each configuration pass.

Configuration Pass | Description
windowsPE | Configures Windows PE options and basic Windows Setup options.
offlineServicing | Use to apply updates, packages, and other security updates to a Windows image.
specialize | Use to create and configure information in the Windows image, and is specific to the hardware that the Windows image is installing to.
generalize | Enables you to minimally configure sysprep /generalize, and configure other Windows settings that must persist on your reference image.
auditSystem | Processes unattended Setup settings while Windows is running in system context, before a user logs on to the computer in audit mode.
auditUser | Processes unattended Setup settings after a user logs on to the computer in audit mode.
oobeSystem | Use to apply settings to Windows before Windows Welcome starts.

Configuration Passes Example Scenario
The following scenario explains how each configuration pass runs. In this scenario, you create a single Windows reference image that can be reused throughout your environment.
This scenario involves the following steps:
1. Start with a Windows product DVD and an answer file.
2. Windows Setup starts, and the windowsPE and offlineServicing passes run.
3. After the Windows image is copied to the hard disk, the system reboots and Windows Setup runs the specialize pass.
4. After Windows Setup is finished, Windows Welcome starts and runs the oobeSystem configuration pass.
5. After Windows Setup is finished, you can make additional modifications to the system.
6. When you complete your modifications, run sysprep /generalize /audit /reboot to run the generalize pass and remove any system-specific data. This command also configures Windows to run audit mode on the next start.
7. This Windows installation is ready to be captured as an image. The image then becomes your reference image that you save and then install on computers of the same configuration.
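A check that maps an answer file's settings to the configuration passes in the table above and reports which settings would never be processed on a given deployment path. This is an added example, not part of the courseware: the answer file is constructed, the two paths encode only what the text above states, and treating a pass name outside the table as an error is this example's own policy.

```python
import xml.etree.ElementTree as ET

NS = {"u": "urn:schemas-microsoft-com:unattend"}

# The seven pass names from the table above.
PASSES = ("windowsPE", "offlineServicing", "specialize", "generalize",
          "auditSystem", "auditUser", "oobeSystem")

# Passes processed on each path, as stated in the text above: the scenario's
# install from the product DVD, and an image applied with ImageX.
PATHS = {
    "setup-from-dvd": ("windowsPE", "offlineServicing", "specialize",
                       "oobeSystem"),
    "imagex-apply": (),
}

# Constructed answer file; the last settings block has a misspelled pass name.
SAMPLE = """
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="windowsPE">
    <component name="Microsoft-Windows-Setup" processorArchitecture="x86"/>
  </settings>
  <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86"/>
  </settings>
  <settings pass="auditUser">
    <component name="Microsoft-Windows-Deployment" processorArchitecture="x86"/>
  </settings>
  <settings pass="oobesystem">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86"/>
  </settings>
</unattend>
"""


def components_by_pass(xml_text):
    """Map each pass attribute to the component names configured in it."""
    root = ET.fromstring(xml_text)
    result = {}
    for settings in root.findall("u:settings", NS):
        names = [c.get("name") for c in settings.findall("u:component", NS)]
        result.setdefault(settings.get("pass", ""), []).extend(names)
    return result


def unknown_passes(by_pass):
    """Pass names not in the table, with the matching valid spelling if any."""
    fixes = {p.lower(): p for p in PASSES}
    return {p: fixes.get(p.lower()) for p in by_pass if p not in PASSES}


def not_processed(by_pass, path):
    """Components whose pass does not run on the given deployment path."""
    runs = PATHS[path]
    return {p: names for p, names in by_pass.items() if p not in runs}


if __name__ == "__main__":
    found = components_by_pass(SAMPLE)
    for name, suggestion in unknown_passes(found).items():
        print(f"unknown pass {name!r}; did you mean {suggestion!r}?")
    for path in PATHS:
        for name, comps in not_processed(found, path).items():
            print(f"{path}: pass {name!r} not run, skipped: {', '.join(comps)}")
```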


Lesson 2
Overview of the Imaging Process

Before deploying Windows 7 operating system, identify the high-level steps in the Microsoft Deployment process. These high-level steps encapsulate the imaging process of Windows deployment.


The Imaging Process

Key Points
There are five high-level phases in the Microsoft deployment process. They are as follows:
• Envisioning phase: This is the stage of the project when you conduct your initial thinking and project planning. This phase ends with the scope of the project defined.
• Planning phase: This is the stage of the project when you make several decisions. This includes which strategies, scenarios, and methods you will use. This phase ends with the identification of the deployment scope and objectives. Typically, by the end of this stage, the build lab has also been created.
• Developing phase: This is the stage of the project when most technical work is done. This typically involves building and creating images. This phase ends with the images captured and ready for testing.
• Stabilizing phase: This is the stage of the project when testing the images in the test environment occurs. This phase ends with all the images tested and ready to be deployed.
• Deploying phase: This is the stage of the project when you conduct the actual deployment. This phase ends with completion of the deployment based on the project scope defined in the beginning of the project.
The imaging process, also known as image engineering process, typically focuses on the planning, developing, and stabilizing phase.


The Planning Phase

Key Points
The primary focus of the planning phase is to select the appropriate imaging scenarios and methods. The secondary focus is to add sources to the imaging application or server.
Typically, the planning phase involves the following tasks:
• Select an image strategy: Most of the work in this task is to determine what kind of images to be created. There are three image strategies to select: thick, thin, and hybrid.
• Prepare the build lab: This involves installing the Deployment Workbench and adding sources to the distribution share. These sources may include boot images, drivers, packages, or operating systems.
When you have defined the deployment scope and objectives, together with the image strategy, and prepared the build lab, you are ready to move to the next phase of the deployment project.


The Developing Phase

Key Points
The focus of the developing phase is to develop the build processes and create images to be used in the imaging environment.
The developing phase involves the following tasks:
• Populate the imaging application: You can add applications to the distribution share, including hardware-specific applications, and specify dependencies between applications, including platform-specific requirements.
• Configure builds and packages: Builds and packages are operating system and application configurations that include an unattended setup answer file and task sequence. You can use Windows SIM to create answer files and configure task sequences in Deployment Workbench.
• Configure deployment points: Deployment points are the originating locations where images and packages are deployed. The Deployment Workbench defines specific types of deployment points to use in the imaging process.
• Capture operating system images: The captured images can then be used for customization and deployment.
Completion of the developing phase is marked with the captured images ready for testing.


The Stabilizing Phase

Key Points
You can use the stabilizing phase to test all the images in the test environment and to verify that they are consistent and will work correctly in the production environment. You need to have a test lab and images ready to test before beginning this phase of the project.
The stabilizing phase involves the following tasks:
• Perform lab tests and pilot imaging: Before you deploy to the production environment, verify the imaging process in test labs by conducting pilot imaging. In this phase, user acceptance testing and application verification must be performed.
• Prepare for deployment: Once the images are tested, you can prepare for the actual deployment. Typically, a pilot deployment is rolled out, targeting a small, representative population of users in the production environment.
At the end of the stabilizing phase, you will have completed the pilot imaging process, tested all images (including driver packages and applications), and be ready for the deployment.


Lesson 3
Determining the Image Strategy

The goal of most organizations is to have a standard configuration that is based on a common image for each version of the operating system. Ideally, you use a common image and apply it to any computer, in any region, at any time, and then customize that image to provide specific services to users. In reality, most organizations build and maintain many images, sometimes up to 100 images.
The following list describes costs associated with building, maintaining, and deploying images:
• Development costs include creating a well-engineered image that improves security and reliability, and creates a predictable, flexible, work environment.
• Test costs include testing time and labor costs for the standard image and applications, and also the development time that is required to stabilize disk images.
• Storage costs include storage of the distribution points, disk images, migration data, and backup images.
• Network costs include moving images to distribution points and to computers.
When organizations determine their image strategy, one of the main objectives can be to reduce the number of images they have to maintain. They can do this by making disciplined hardware purchases, using advanced scripting techniques, and implementing enterprise deployment solutions with supporting software distribution infrastructure to deploy operating systems, applications, and updates.


Types of Images

Key Points
During the planning phase of a deployment project, you need to determine whether to create a thick image, thin image, or hybrid image. How you will deploy applications differs, depending on the strategy you selected.
• Thick image: Thick images are monolithic images that contain core applications, language packs, and other files.
  • Advantages: Thick images can be deployed in a single step. They can also be less costly to develop, because advanced scripting techniques are frequently not required and because thick images are typically quicker to develop and deploy.
  • Disadvantages: Thick images involve maintenance, storage, and network costs and deployment is not as flexible. In addition, you have to rebuild, retest, and redistribute the image every time there is a new version of an application or language pack.
• Thin Image: Thin images contain few, if any, core applications or language packs. Organizations deploy applications and language packs separately from the image, outside operating system deployment.
  • Advantages: Thin images cost less to build, maintain, and test. In addition, network and storage costs associated with the disk image are reduced because the image file is physically smaller. Thin images also provide far more flexibility.
  • Disadvantages: Thin images can be more complex to develop at first and frequently require scripting and a software distribution infrastructure to deploy applications and language packs. This also means that core applications and language packs are not available when the end-user first starts the computer.
• Hybrid Image: Hybrid images mix thin and thick image strategies. In a hybrid image, the image is configured so that applications and language packs are installed at the first start. The user experiences this in a manner similar to that of a thick image, even though the applications and language packs are installed from a network source.
  • Advantages: Hybrid images have the advantages of thin images, but they are not as complex to build and do not require a software distribution infrastructure.
  • Disadvantages: Hybrid images require longer installation time than thin images. This can raise initial deployment costs.
  If you decide to build hybrid images, store applications and language packs on the network and include the commands to install them when the images are deployed. This process differs from installing the applications and language packs in the image itself.
• Alternative Strategy: An alternative strategy is to build one-off thick images from a thin image. You can do this by first building a reference thin image. Then, after the thin image is tested, add core applications and language packs, capture them, test them, and distribute a thick image based on the thin image.


What Is an Image Strategy?

Key Points
An image strategy has several key elements:
• Type of images: Most elements are closely related to the kinds of images you are creating, whether you use a thick, thin, or hybrid image strategy. Image maintenance, or how long you plan to maintain your image, will influence the kind of image that you create.
• Number of images: Different versions and editions of operating systems frequently result in the creation and subsequent maintenance of multiple images.
• Number of WIM files: Multiple images can be stored in one actual WIM file.
• Preconfigured Settings in an Image: Depending on your organization policy, you can preconfigure settings in your image so that every installation is standardized.
• Additional Operating System Elements: Operating system elements such as drivers, updates, and language packs can be added to an image. During the deployment process, you can determine which language packs to preserve on the computer and also remove the unwanted language packs.


Considerations for Designing the Overall Image Strategy

Key Points
As the size of image files increases, costs increase. Consider the following factors when designing the image strategy:
• Geographical distribution of the clients: If the clients are well separated, the network cost of distributing the images may be high. If this is the scenario, a thin image strategy may be more helpful.
• Function specific client requirements: How aligned the department requirements are in your organization can also determine which strategy you use to create an image. For example, if your Sales department requires custom applications preinstalled, and your Finance department requires additional security precautions, you might end up having several images with different preconfigured operating system elements to fulfill these requirements.
• Dual boot option: There may be a need for some users to have multiple operating systems in one computer. (You can explore the use of VHD with native boot or MED-V and Windows XP boot options, which can be used to work with previous versions of operating system applications.)
• Current client and network infrastructure: This affects the network and storage cost of the images. How many clients, how they are located, and the current network infrastructure influence the way you create your images. For example, if many clients are located remotely with slow or no network connection, you must consider reducing the image size or using deployment media to deploy the images.
• Administrative considerations: You have to balance what you put into your images. Operating system settings that can be implemented using group policy are better managed in that manner, therefore reducing the customization in your images.
However, settings that cannot be implemented using group policy must be enforced and incorporated into the images. These may include custom application settings, driver configurations, and customized help and support. Reducing different customized settings is the key to reducing the number of images you need to maintain.


Determining the Language Packs to be Added to an Image

Key Points

All installations of Windows 7 contain at least one language pack and language-neutral binaries that make up the core operating system. Language packs contain resources that are specific to a particular language and are used to localize the user interface (UI).

There are two multilingual deployment scenarios:

• Deploying an image that contains multiple languages, but only one language is activated as the default: Most licensing requirements state that Windows 7 can include only a single language, with the exception of Windows 7 Ultimate and Windows 7 Enterprise. Besides these two editions, the remaining Windows 7 editions are known as single-language editions.
• Deploying a multilingual image that lets the user switch between different languages: Windows 7 Ultimate and Enterprise editions are multilingual editions that can include multiple languages.

When planning a multilingual deployment, you must understand which multilingual deployment scenario is best to implement. Also, it is beneficial to know the different kinds of language packs available and how they differ.

Language Pack Installation

A language pack can be added while the Windows image is offline, during an automated installation, or while the operating system is running.

Before adding language packs to a Windows image, determine which settings you will need, such as fonts and whether the languages require a parent language, input method editors (IMEs), alternative keyboards, input devices, and so on.

In addition, consider the following:


• Add language packs as necessary. Your image can contain many language packs. However, each language pack increases the size of the image and the time that is required to perform some servicing operations.
• Cross-language upgrades are not supported. This means if you are upgrading or migrating an operating system with multiple language packs, you can only migrate the default UI language. For example, if English is the default language, you can upgrade or migrate only to Windows 7 English.
• The default language cannot be removed. The default language is used to generate computer security identifiers (SIDs).
• If you are adding a language pack to a Windows image in a Windows PE environment, you must add pagefile support to Windows PE.
• Always install language packs before you install updates.

Question: Why might you add language packs to your image?


Determining the Device Drivers to be Included in an Image

Key Points

You must include drivers for devices that you support in your organization. These devices can include network adapters, display adapters, and peripherals such as printers and scanners.

Digital Signature Requirements

Signed device drivers are a key security feature in Windows. Drivers installed on 64-bit based computers must have a digital signature, whereas on 32-bit computers it is still recommended that drivers be signed before they are installed.

Driver Management

Consider the following when managing your drivers:

• If you are adding multiple drivers, create separate folders for each driver or driver category.
• If all drivers in the specified directory and subdirectory are added to the image, manage the answer file or your DISM commands and these directories carefully to address concerns about increasing the size of the image with unnecessary driver packages.
• If it is not practical to manage your driver shares so that only the required drivers are added to your image, you can add non-boot-critical drivers online by calling the Driver Package Installer (DPInst).

DPInst selectively installs non-boot-critical drivers only if the hardware is present, or if the driver package is a better match for the device.

Adding Drivers

You can add device drivers to a Windows image during various phases of deployment. They can be added while the Windows image is offline or while the operating system is running.

When a driver is added to an offline image, it is either staged or reflected in the image:


• Non-boot-critical drivers are staged. They are added to the driver store of the offline image. When the computer is started, Plug and Play (PnP) will detect the driver and complete the installation.
• Boot-critical drivers are reflected on the system. The critical device database (CDDB) and the registry will be changed, and files will be copied to the system according to what is specified in the .inf file.


Determining the Applications to be Included in an Image

Key Points

You can install additional applications on the Windows image, or you can install them during unattended installation. If you install applications on the Windows image, you can make sure that all computers include the application. However, this may result in bigger image size and users having to install applications that they may not need.

If you decide not to include applications in your images and select to create thin images, there are several ways you can make applications available to be installed during an unattended installation:

• In networked environments, you can create a distribution share. Distribution shares are Universal Naming Convention (UNC) paths located on a network drive. This can be accessed by a destination computer during Windows Setup.
• In non-networked environments, or in environments where you only have a subset of the content located on a distribution share, you can create a configuration set. A configuration set copies all the applications and drivers referenced by a distribution share to media, such as a USB flash drive (UFD).
• Create a data .WIM file that contains all the applications, drivers, and other resources that you want available on the destination computer. During unattended installation, you can configure the data .WIM file to be applied to the Windows installation. This only provides the installation files and the actual installation still needs to take place. A data WIM file does not ensure applications are installed or run correctly.

Create an Application Inventory

Creating a complete inventory of every application on every computer in the organization can be time-consuming. However, the benefits outweigh the costs. The process of collecting the application inventory can be automated by using the Microsoft® Application Compatibility Toolkit.


Prioritize the Application Inventory

After creating the application inventory, review and prioritize applications based on the inventory. Address only the applications to be redeployed during the deployment project.

Prioritizing applications includes the following actions:

• Identifying the order that applications will be deployed.
• Resolving application compatibility for applications that have known issues.
• Resolving application compatibility for applications that have unknown issues.

Categorize the Application Inventory

Organizations typically require multiple applications to be deployed to different computers. Categorize the applications into two different categories:

• Core applications: any application that is common to the organization’s computers and has to be installed on all, or most, of the desktop computers in the enterprise.
• Supplemental applications: applications that are not required by most computers and might only be required for one or more groups of computers in the environment.

Categorizing the applications helps the organization select the applications for the image. It also gives a view of all the applications and shows where the organization must focus, that is, which applications must be available when the image becomes active.

Identify Subject Matter Experts

The subject matter expert (SME) is the person in the organization that has the most experience with the application. Identify a SME for each application in your organization, to address each application in order of priority.

Identify Files and Settings

Together with the SME, identify which specific files or file types have to be migrated. These settings or preferences have to be migrated and you need to determine where they are to be stored, and where the files will be positioned during the restore process on the new computer.

SMEs have to provide assistance on the following key issues:

• Locating the software media.
• Describing the appropriate configuration, behavior, and use of the application.
• Understanding the external interface connectivity requirements, if any, of the application.
• Identifying any constraints associated with an application.

Automate Application Installation

Most applications provide native support for automation. The following options are available:

• Automation of Windows Installer packages
• Automation with InstallShield response files
• Automation by using scripting


Determining the Method of Adding Updates to an Image

Key Points

When developing an image, ensure that all critical security updates are included in the image so that computers deployed with the image are as current as possible. There are a few options to apply updates and determine how you add updates to your images. The different approaches to add updates are:

• Slipstreaming updates to the install source
• Adding updates to a master image
• Adding updates post deployment

Slipstreaming Updates to the Install Source

You start with your installation media from the product DVD, and Microsoft then releases security updates or service packs. You can choose to integrate these updates and service packs to your installation source before beginning to build an image.

The advantage is that all images created from your updated installation source will be protected from known security exploits. The image building process is faster because all security updates are installed before building the image.

The disadvantage is that the integration of the security updates may take some effort. In addition, it may not be obvious which updates can be integrated, as some have to be installed as part of the unattended build process.

Adding Updates to a Master Image

You can add updates to an image by servicing the image offline, online, or by using Windows Setup with an answer file as part of the image build process. The advantage is that this process is fairly simple to perform and additional updates can be added by placing the downloaded updates in the distribution share. The disadvantage is that the image is vulnerable before the updates are installed and the computer is restarted, providing an opportunity for vulnerabilities to be exploited. Also, the update application process can be time-consuming. Building images in a closed lab environment mitigates this risk.

Adding Updates Post Deployment

You can also add updates after the image is deployed to destination computers. Use Windows Server Update Services (WSUS), Systems Management Server 2003, or System Center Configuration Manager to install the security update at post deployment time. The advantage is that this process is simple to perform and collects new updates once they are approved. The disadvantage is that the image is vulnerable before the updates are installed and the computer is restarted.


Discussion: Sharing Best Practices for Designing Images

The following list outlines several best practices for image-based deployment:

• Use a single image strategy to reduce the number of images to maintain and service. In Windows 7, you can take advantage of the redesigned Windows imaging and Windows edition-servicing commands, which support changing one edition of Windows 7 to a higher edition within the same edition family.
• Use a multilingual strategy to add multiple language packs to your image to reduce the number of language-specific images that you support.
• Run the sysprep /generalize command when preparing the Windows image to be captured, even if all computers have the same hardware configuration. The sysprep /generalize command removes unique information from your Windows installation, which enables you to reuse that image on different computers.
• Do not deploy the default image (install.wim) file that is included with the Windows product DVD directly by using ImageX. You can use the default image only with Windows Setup (setup.exe).
• Use the imagex /flags option when capturing a Windows image to create the metadata to apply to the image that you are capturing. If storing more than one Windows image in a .wim file, you must specify the correct metadata setting in your unattended answer file. For example, if you maintain a single .wim file that has multiple Windows images for different editions and architecture types, you can use the Metadata setting to specify the exact Windows image to install.
• Do not duplicate features for different architecture types in an answer file, if you are performing cross-platform deployments. If there are multiple features that apply to different architecture types in an answer file, there may be instances when the settings in the features are applied one or more times, or are incorrectly applied.
• Create architecture-specific settings for each configuration pass in an answer file for cross-platform deployments. For example, for a 32-bit preinstallation environment and a 64-bit destination computer, you specify only x86-based features in the windowsPE configuration pass, and x64-based features in all other configuration passes.


Lesson 4

Selecting the Image Servicing Methods

After you create and capture the Windows image from the reference computer, store the image on the server for the actual deployment. Sometimes, you may have to service the stored images to keep them current with updates and fixes. Servicing the image involves adding or removing packages, drivers, modifying language settings, enabling or disabling Windows features, and upgrading to a newer edition of Windows.


Why Image Servicing?

Key Points

Images are serviced because this ensures that they have the latest updates and fixes, that they conform to new organizational policies, support new devices or hardware, and that they align with changes in deployment strategies.

Examples of common image servicing scenarios are as follows:

• Add out-of-box or boot critical drivers to support new hardware
• Add operating system updates, such as hot fixes and Windows features
• Add or remove a language pack and configure international settings

Types of Image Servicing Methods

A Windows image can be serviced at various phases of deployment, depending on the deployment strategy. The available image servicing strategies are as follows:

• Offline servicing involves adding and removing updates, drivers, and language packs, and configuring other settings, without starting up the Windows image.
• Servicing an image by using Windows Setup involves providing an answer file (Unattend.xml) that Windows Setup uses.
• Servicing a running operating system (online servicing) involves starting up Windows in audit mode and adding drivers, applications, and other packages.

Image Servicing Opportunities

The following table shows the servicing opportunities available in three typical deployment phases.

| Reference Image Creation | Deployment | Image Management |
|---|---|---|
| During automated installation (Windows Setup) by using unattended answer file. | Offline servicing while the Windows image is applied to a drive or directory. | Offline servicing while the Windows image is mounted to a drive or directory. |
| Online servicing in audit mode on the reference computer. | Online servicing in audit mode on the destination computer. | |

Servicing an Image Using Windows Setup

You can use an unattended answer file to service an image during the various configuration passes of Windows Setup. The answer file contains the settings used to configure and update the Windows image.

An unattended answer file can be used during Windows Setup to perform the following tasks:

• Add or remove a language pack and configure international settings
• Add and remove drivers and packages
• Enable and disable Windows operating system features

Question: Why might you service an image using Windows Setup?


Considerations for Choosing Offline Servicing

Key Points

Most servicing and management operations can be performed on an offline Windows 7 image by using the Deployment Image Servicing and Management (DISM) command-line tool.

DISM extends the offline servicing functionality to include the ability to add and remove drivers without using an unattended answer file, enumerate drivers and packages, modify configuration settings, and more.

Two scenarios where you can use offline servicing are as follows:

• Mount scenario: Done at a technician computer to maintain master images. In this scenario, you use DISM to mount and service the image.
• Apply scenario: Done at the destination computer during deployment. In this scenario, you use ImageX to apply the image and then use DISM to service the image.

Offline Servicing Tasks

The tasks that help you perform offline servicing are as follows:

• Collect and store driver, update packages, and language packs in an accessible location.
• Copy an instance of your master image to the technician’s computer or an accessible share.
• Service the image.

Question: Why might you perform offline servicing to a Windows image?
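The mount scenario and the offline servicing tasks above, combined with this module's driver-signature requirement and its rule that language packs go in before updates, can be scripted as one gated run. This is an added example, not part of the courseware: the paths and the Invoke-Dism helper are hypothetical, and it assumes an elevated PowerShell 2.0 or later session on a technician computer with the Windows AIK DISM tool on the path.

```powershell
# Added example, not courseware code. All paths are hypothetical placeholders
# and are assumed to contain no spaces.
param(
    [string]$WimFile   = 'D:\Images\install.wim',   # copy of the master image
    [int]   $Index     = 1,                         # image index inside the WIM
    [string]$MountDir  = 'C:\Mount',                # empty folder to mount into
    [string]$LangDir   = 'D:\Servicing\LangPacks',  # language pack .cab files
    [string]$UpdateDir = 'D:\Servicing\Updates',    # .msu / .cab updates
    [string]$DriverDir = 'D:\Servicing\Drivers'     # one subfolder per driver
)
$ErrorActionPreference = 'Stop'

function Invoke-Dism {
    # Hypothetical helper: run dism.exe and fail loudly on a non-zero exit code.
    & dism.exe @args
    if ($LASTEXITCODE -ne 0) {
        throw "DISM exited with code $LASTEXITCODE for: $args"
    }
}

# 1. Gate before touching the image: every driver package must carry a
#    catalog (.cat) whose signature validates on this technician computer.
#    64-bit images require signed drivers, so reject bad packages up front.
foreach ($inf in Get-ChildItem -Path $DriverDir -Recurse -Filter *.inf) {
    $cats = @(Get-ChildItem -Path $inf.DirectoryName -Filter *.cat)
    if ($cats.Count -eq 0) {
        throw "No catalog file next to $($inf.FullName)"
    }
    foreach ($cat in $cats) {
        $sig = Get-AuthenticodeSignature -FilePath $cat.FullName
        if ($sig.Status -ne 'Valid') {
            throw "Signature status '$($sig.Status)' on $($cat.FullName)"
        }
    }
}

# 2. Mount the copy of the master image and service it.
Invoke-Dism '/Mount-Wim' "/WimFile:$WimFile" "/Index:$Index" "/MountDir:$MountDir"
try {
    # Language packs first, then updates.
    foreach ($dir in $LangDir, $UpdateDir) {
        Get-ChildItem -Path $dir -Recurse -Include *.cab, *.msu |
            Sort-Object Name |
            ForEach-Object {
                Invoke-Dism "/Image:$MountDir" '/Add-Package' "/PackagePath:$($_.FullName)"
            }
    }

    # Drivers last. /ForceUnsigned is deliberately not used, so DISM keeps
    # enforcing the signature requirement for 64-bit images.
    Invoke-Dism "/Image:$MountDir" '/Add-Driver' "/Driver:$DriverDir" '/Recurse'

    # Keep a record of what the serviced image now contains.
    Invoke-Dism "/Image:$MountDir" '/Get-Packages' | Out-File "$WimFile.packages.txt"
    Invoke-Dism "/Image:$MountDir" '/Get-Drivers'  | Out-File "$WimFile.drivers.txt"

    # 3. Commit only when every step succeeded.
    Invoke-Dism '/Unmount-Wim' "/MountDir:$MountDir" '/Commit'
}
catch {
    # Any failure: discard the partial changes so the image stays as it was.
    & dism.exe '/Unmount-Wim' "/MountDir:$MountDir" '/Discard'
    throw
}
```

A valid catalog signature shows only that the catalog itself is intact and trusted; the check that the catalog actually covers the driver files is left to DISM during /Add-Driver.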


Considerations for Choosing Online Servicing

Online servicing (on a running operating system) is conducted in audit mode and bypasses Windows Welcome. Audit mode allows you to make additional changes and configurations to a Windows installation before shipping the computer to its final destination.

After starting in audit mode, you can verify and take inventory of the image, add plug and play device drivers, install applications and system features, and test the validity of the installation. In addition, online servicing can be used to add service packs while the operating system is running.

Online Servicing Tasks

The tasks that help you perform online servicing are as follows:

• Acquire a driver, store it, and update packages and language packs in an accessible location.
• Copy an instance of your master image to the technician’s computer or an accessible share.
• Service the image.

Online Servicing Tools

Some tools can be used to service an online image. The tools that can be used to update a running Windows 7 operating system are as follows:

• DISM: Enumerate and verify drivers, international settings, packages and features, and apply unattended answer file settings.
• Windows Optional Component Setup (OCSetup): Add system elements that are provided as .msi or .exe files.
• Driver Package Installer (DPInst): Add drivers for detected hardware.
• Windows Update Standalone Installer (WUSA): Add .msu files. WUSA can be used to install Windows service packs in online servicing.
• Language Pack Setup (LPKSetup): Add or remove language packs.


Question: Why might you perform online servicing to a Windows image?


Lab: Determining the Windows 7 Imaging Strategy

Note: Your instructor may run this exercise as a class discussion.

Job Aid

You might find the following job aid useful when determining the appropriate imaging strategy.


Exercise 1: Planning the Imaging Strategy for a Branch Office Network

Scenario

The deployment plan Ed Meadows designed for the Hammersmith Production plant at Contoso is to be put into effect. You must consider how to implement the desktop upgrades. The 25 desktop machines at Hammersmith are being replaced, and you have opted for a side-by-side migration. This will enable you to perform a wipe-and-load deployment and then migrate the user state data and settings after the upgrade.

The network infrastructure at Hammersmith does not support WDS as a deployment method. You must consider alternative methods for deployment. In addition, since you first started the discussion with Ed about the upgrade, the users’ needs have changed. They now have different application requirements than originally stated.

The main tasks for this exercise are as follows:

1. Read the supporting documentation.
2. Update the Hammersmith Production Plant: Desktop Image document with your planned course of action.

Supporting Documentation

E-mail thread of correspondence with Bobby Moore:

Charlotte Weiss
From: Bobby Moore [bobby@contoso.com]
Sent: 12 August 2009 10:35
To: charlotte@contoso.com; ryan@contoso.com
Subject: Re: Hammersmith Upgrade: Images

Charlotte,

You are right that many of the computers have an identical build, but not all. Within the 25 computers at the plant, there are several distinct builds. Although application maintenance is done with GPOs, the line speed to the head office has proved inadequate for large application installations. It might be worth having a word with Ryan Ihrig at Kensington for the technical details. I have copied him in on this.

I hope that helps.

Regards
Bobby.

----- Original Message -----
From: Charlotte Weiss [charlotte@contoso.com]
Sent: 12 August 2009 08:42
To: bobby@contoso.com
Subject: Hammersmith Upgrade: Images

Bobby,

As you know, we are planning to upgrade the Hammersmith plant computers to Windows 7. The new workstations are arriving next week. Can you help me understand what applications are installed on which computers? The way I remember it, they were all identical and all applications are being deployed with GPOs. Can you confirm this?

Thanks,
Charlotte

E-mail thread of correspondence with Ryan Ihrig:

Charlotte Weiss
From: Ryan Ihrig [ryan@contoso.com]
Sent: 12 August 2009 11:00
To: charlotte@contoso.com; bobby@contoso.com
Subject: Re: Re: Hammersmith Upgrade: Images

Charlotte,

Bobby is correct; the line speed and reliability prohibit excessive use of GPOs for managing applications. At Hammersmith, they use Microsoft Office 2007 Professional on all computers. They also use a custom design program on about half of the machines. In addition, some of the computers also use some plant management software that runs in a VM; it is quite old, and the VM provides a DOS/Windows 3 environment that enables it to run. One other thing: Hammersmith is rather pressed for storage; their Server Core box is due for a disk upgrade shortly, so until then, try to conserve space.

Good luck.
Ryan.

----- Original Message -----
From: Bobby Moore [bobby@contoso.com]
Sent: 12 August 2009 10:35
To: charlotte@contoso.com; ryan@contoso.com
Subject: Re: Hammersmith Upgrade: Images

Charlotte,

You are right that many of the computers have an identical build, but not all. Within the 25 computers at the plant, there are several distinct builds. Although application maintenance is done with GPOs, the line speed to the head office has proved inadequate for large application installations. It might be worth having a word with Ryan Ihrig at Kensington for the technical details. I have copied him in on this.

I hope that helps.

Regards
Bobby.

Hammersmith Production Plant: Desktop Image

Document Reference Number: CW1408
Document Author: Charlotte Weiss
Date: August 14

Requirement Overview

Design a Windows 7 image strategy that supports the deployment of the new operating system to newly delivered computers at the Hammersmith plant.

Conserve server storage because the server will not be getting a disk upgrade in the near future and has limited capacity.


Minimize support staff effort during the rollout.

There are 25 computers in total, all of which use Office 2007 Professional.

All computers connect to a printer, the driver for which is not in the current driver store in Windows 7.

Ten computers use a custom line-of-business application that runs within a virtual machine; currently, the guest OS runs within Virtual PC 2007.

The remaining group of 15 computers runs another LOB application that runs natively within Windows Vista.

Additional Information

1. Will you use a standard image(s) or create a custom image(s)?
2. How many images do you predict you will need?
3. Do you envision using thin, thick, or hybrid images?
4. How will you handle the printer driver and required updates and patches?
5. How will you create the images that you plan to implement?
6. Will you deploy the applications as part of the image(s)?

Proposals

Task 1: Read the supporting documentation

• Read the supporting documentation.

Task 2: Update the proposal document with your planned course of action

• Answer the questions in the additional information section of the document.
• Update the Hammersmith Production Plant: Desktop Image document with your planned course of action.

Results: After this exercise, you will have a proposal for the Hammersmith Production Plant upgrade.


Exercise 2: Planning the Imaging Strategy for an Enterprise Network

Scenario

Ed Meadows’ plan for deploying Windows 7 to the computers at the Kensington Head Office of Contoso has been approved. You are responsible for adding the technical specifics to the plan and starting the deployment process.

Each floor of the head office consists of two VLANs, each with 75 workstations. All workstations are connected to an Ethernet switch, and each VLAN has a Windows Server 2008 Enterprise Edition (Server Core) file server to support local data and applications. There are ten floors in the building, so that is about 1,500 workstation computers. To provide for core infrastructure services, there are four domain Windows Server 2008 Enterprise edition servers that provide the following services:

• DHCP, DNS
• AD-DS, AD-CS
• DFS-R
• SCCM R2

In addition, there are two Windows Server 2008 Enterprise Edition (Server Core) servers installed with the Hyper-V role to support additional corporate services.

There are three departments in Kensington: IT, Marketing, and Research. IT occupies the bottom two floors, Marketing is on the top four floors, and the rest of the floors are occupied by Research.

The specification of the computers installed varies from department to department, and within each department. All departments use departmental LOB applications; consequently, few computers are identically configured. Most, although not all, computers are installed with some elements of the Microsoft Office 2007 suite. Specifics depend on many factors, including security group membership of the user and the physical location of the computer.

All computer settings are managed extensively with GPOs. This includes application deployment, update management, and security settings.

The main tasks for this exercise are as follows:

1. Read the scenario.
2. Update the Kensington Head Office: Desktop Image document with your planned course of action.

Kensington Head Office: Desktop Image

Document Reference Number: RI0201
Document Author: Ryan Ihrig
Date: January 2

Requirement Overview

Design a Windows 7 image strategy that supports the deployment of the Windows 7 operating system to all computers at the Kensington head office.

Storage space on the file servers is not restricted.

There is spare network bandwidth to support the deployment process.

It is desirable to use GPOs to perform as much centralized management of computers as possible.

Additional Information


1. Will you use a standard image(s) or create a custom image(s)?
2. How many images do you predict you will need?
3. Do you envision using thin, thick, or hybrid images?
4. How will you handle the various drivers, updates, and patches?
5. How will you deploy the images that you plan to implement?
6. Will you deploy the applications as part of the image(s)?

Proposals

Task 1: Read the scenario

• Read the scenario.

Task 2: Update the proposal document with your planned course of action

• Answer the questions in the additional information section of the document.
• Update the Kensington Head Office: Desktop Image document with your planned course of action. Your proposal must include details about the specific services you will need to support your imaging method.

Results: After this exercise, you will have a proposal for the image strategy at the Kensington Head Office.


Module Review and Takeaways

Review Questions

1. Describe some of the benefits of using modularization when deploying a sector-based disk imaging system.
2. There are a few options to apply updates and determine how you add updates to your images. List some of the different approaches.
3. What is an important key to developing your Windows deployment strategy?

Best Practices Related to Scenarios and Migration Store Size

• Use a single image strategy to reduce the number of images to maintain and service.
• Use a multilingual strategy to add multiple language packs to your image to reduce the number of language-specific images that you support.
• Run the sysprep /generalize command when preparing the Windows image to be captured, even if all computers have the same hardware configuration.
• Do not deploy the default image (install.wim) file that is included with the Windows product DVD directly by using ImageX. You can use the default image only with Windows Setup (setup.exe).
• Use the imagex /flags option when capturing a Windows image to create the metadata to apply to the image that you are capturing.
• Do not duplicate features for different architecture types in an answer file, if you are performing cross-platform deployments.
• Create architecture-specific settings for each configuration pass in an answer file for cross-platform deployments.

Tools

Tool: Windows Automated Installation Kit (Windows AIK)
Use for: Collection of tools that provide the conceptual and procedural information required for an unattended installation of Windows operating systems, including:
• Windows® Preinstallation Environment (Windows PE)
• Deployment Image Servicing and Management (DISM)
• Windows System Image Manager (Windows SIM)
• ImageX
• User State Migration Tool (USMT)
Where to find it: http://go.microsoft.com/fwlink/?LinkId=136976

Tool: Windows® Preinstallation Environment (Windows PE)
Use for: A minimal operating system environment that is part of Windows AIK. It is used to deploy Windows.

Tool: Deployment Image Servicing and Management (DISM)
Use for: A command-line tool that is part of Windows AIK. It can be used to service a Windows image or to prepare a Windows PE image. (DISM is available in all installations of Windows 7 and Windows Server® 2008 R2.)

Tool: Windows Optional Component Setup (OCSetup)
Use for: Use the Ocsetup.exe tool at the command prompt to install or remove Windows optional elements and system features.

Tool: Driver Package Installer (DPInst)
Use for: Tool used to install non-boot critical drivers on a running operating system. DPInst is a part of Driver Install Frameworks (DIFx) version 2.1, which is available in the Windows Driver Kit (WDK).

Tool: Plug and Play Utility (PNPUtil)
Use for: Tool used to add, remove and enumerate drivers when updating Windows 7 operating system.

Tool: Windows Update Standalone Installer (WUSA)
Use for: This tool uses the Windows Update Agent API to install update packages. Update packages must have a .msu file extension name.

Tool: Language Pack Setup (LPKSetup)
Use for: Tool used to add or remove language packs.

Where to find it (values for the rows from Windows PE through LPKSetup, in column order): Windows AIK; Windows AIK; Windows 7; http://go.microsoft.com/fwlink/?LinkId=163072; http://go.microsoft.com/fwlink/?LinkId=163073; Windows 7; http://go.microsoft.com/fwlink/?LinkId=163074; Windows 7


Module 5
Deploying Windows® 7 by Using Windows AIK

Contents:
Lesson 1: Overview of Windows AIK 2.0
Lab A: Installing Windows Automated Installation Kit
Lesson 2: Building a Reference Windows 7 Image by Using Windows SIM and Sysprep
Lab B: Building a Reference Image Using Windows SIM and Sysprep
Lesson 3: Managing the Windows Pre-installation Environment
Lab C: Creating Windows PE Boot Media
Lesson 4: Capturing, Applying, and Servicing a Windows 7 Image
Lab D: Capturing and Applying a Windows 7 Image Using ImageX
Lab E: Servicing Images using DISM


Module Overview

The installation of the Windows® 7 operating system can be simplified by taking advantage of the image-based installation architecture found in the Windows Automated Installation Kit (AIK). This architecture consists of deployment tools and technologies that assist with customizing the Windows 7 installation and deployment throughout an organization’s user base.

By using the Windows AIK tools, an organization can configure an effective computer imaging and deployment methodology that ensures a secure and standardized Windows® desktop environment. This module describes the underlying computer imaging architecture of Windows AIK 2.0, which can be used to create and deploy a custom Windows 7 desktop image.


Lesson 1
Overview of Windows AIK 2.0

Windows Automated Installation Kit 2.0 is a collection of documentation and tools used to assist in Windows 7 deployments. The main goal of Windows AIK is to provide a methodology and toolset to help optimize the Windows 7 deployment experience, regardless of whether you are deploying 10 or 10,000 computers throughout your environment.


Key Features of Windows AIK 2.0

Key Points

Windows AIK 2.0 is a collection of tools and documentation designed to help IT professionals deploy Windows. Highly customized environments are ideal for using Windows AIK, because its tools can be used to configure many deployment options, and they provide a high degree of flexibility. Depending on your business needs, you can choose to use all or part of the resources available in this installation kit.

Windows AIK Documentation

The following table describes the primary documentation resources available on the Windows AIK DVD and installed with the Windows AIK tools.

Documentation: Windows Automated Installation Kit (Windows AIK) User's Guide (Windows AIK.chm)
Description: Provides the conceptual and procedural information required for unattended installation of Windows operating systems. This user's guide includes information on:
• Planning
• Preparing the deployment environment
• Creating and customizing an image
• Capturing, modifying, and testing the image
• Deploying, maintaining, and servicing the image

Documentation: Imaging APIs for Windows (Wimgapi.chm)
Description: Provides comprehensive coverage of all the Windows imaging application programming interfaces (APIs).

Documentation: Windows Pre-installation Environment (Windows PE) User's Guide (Winpe.chm)
Description: Provides instructions on creating a customized version of Windows PE and enabling Windows PE to start from different types of media.

Documentation: Component Platform Interface (CPI) Reference (Cpiapi.chm)
Description: Documents the APIs that are used in Windows SIM.

Documentation: Windows® Unattended Setup Reference (Unattend.chm)
Description: Provides comprehensive coverage of all the customizable settings in the Windows Unattend.xml file.

Documentation: Step-by-Step: Basic Windows Deployment for IT Professionals (stepbystep_itpro)
Description: Provides basic instructions on building an end-to-end deployment. This guide is ideal for new users who want to learn the basics of Windows deployment.


Overview of Tools Included in Windows AIK 2.0

Key Points

By default, the Windows AIK is installed to the C:\Program Files\Windows AIK directory. This directory contains all the tools and documentation included in the Windows AIK 2.0 release. This includes the tools, shown in the following table, that are used in most Windows deployment scenarios:

• Windows System Image Manager (Windows SIM): The tool used to create unattended installation answer files and distribution shares, or to modify the files contained in a configuration set.
• ImageX: The Microsoft command-line tool that enables OEMs and corporations to capture, modify, and apply file-based disk images for rapid deployment. ImageX copies Windows image (.wim) files to a network.
• Deployment Image Servicing and Management (DISM): The tool used to apply updates, drivers, and language packs to a Windows image.
• Windows Pre-installation Environment (Windows PE): A minimal operating system designed to prepare a computer for Windows installation.
• User State Migration Tool (USMT): A tool used to migrate user data from a previous Windows operating system to Windows 7.
• Volume Activation Management Tool (VAMT): This tool enables network administrators and other IT professionals to automate and centrally manage the Windows volume activation process for computers in their organization.

Windows AIK Sample Files

Several sample files are included as part of the Windows AIK. The sample files include sample answer files, Oobe.xml customizations, and Help and support resources.

Question: Which Windows AIK 2.0 tool enables OEMs and corporations to capture, modify, and apply file-based disk images for rapid deployment?


Deployment Phases Supported by Windows AIK

Key Points

Windows AIK is organized based on the typical installation phases performed during a Windows installation and includes the following information for each phase:

• Phase 1 – Planning your deployment: describes conceptual information about a Windows deployment, including information about managing images, installing applications, and device-driver management.
• Phase 2 – Building your deployment environment: describes the infrastructure work that can be required to deploy Windows. For example, this section describes how to create a technician computer, configure a network, and build a Windows PE image.
• Phase 3 – Preparing and customizing your Windows image: describes the many configuration options available during a Windows deployment. This phase enables creation of an answer file with specific unattended settings.
• Phase 4 – Deploying your Windows image: describes the process for deploying a Windows image, whether using Windows Setup or ImageX.
• Phase 5 – Managing and servicing your Windows image: describes the servicing tasks involved in updating and maintaining a Windows image. This section includes information about using Deployment Image Servicing and Management (DISM) to install language packs, device drivers, and other updates.


Deployment Scenarios Supported by Windows AIK

Key Points

Windows AIK 2.0 supports the following methods of deploying the Windows operating system:

• Using Windows PE and ImageX to deploy a custom Windows installation image from a network share.
• Using Windows Deployment Services (WDS) to deploy a custom Windows installation image from a server.
• Installing the Windows operating system from a media device directly on to a new computer.

When selecting the deployment method that best satisfies your organization’s needs, you must take into account the following factors:

• Speed: The relative time it takes each deployment method to deploy Windows 7 to the organization’s client computers.
• Volume: The number of computers that require deployment.
• Customization: The amount of automated modifications made to the installed software.

The following table summarizes and compares the basic methods according to these factors.

Method | Description | Speed | Volume | Customization
Deploy from a network | Deploy an image of the reference installation from a network share. The image can be customized, if necessary. | Fast | High | High
Deploy from a server | Connect blank destination computer to the network, start from the network by using PXE boot, and choose the image to install. | Fast | Medium | High
Deploy from media | Run Windows Setup from the destination computer by using the Windows product DVD; manually customize, audit, and reseal the installation. | Slow | Low | Low


Lab A: Installing the Windows Automated Installation Kit

Computers in This Lab

Before you begin the lab, you must start the virtual machines. The virtual machines used at the start of this lab are:

• 6294A-LON-DC1
• 6294A-LON-CL2

Start the virtual machines

1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.
2. In the Virtual Machines pane, click the virtual machine name. In the Actions pane, under the virtual machine name, click Start.
3. To connect to the virtual machine, click the virtual machine name, and in the Actions pane, under the virtual machine name, click Connect.


Exercise 1: Installing the Windows Automated Installation Kit

Scenario

You have decided to install the Windows Automated Installation Kit (AIK) to use with the base operating systems for your deployment. You need to install Windows AIK on a technician’s computer that has the same architecture that you will be deploying. For the first deployments, you will deploy Windows 7 on an x86 architecture.

The main tasks for this exercise are as follows:
1. Mount the external media on LON-CL2.
2. Install the Windows Automated Installation Kit.

Note: LON-DC1 is the computer running Windows Server 2008 R2 and which contains the domain services. LON-CL2 is the computer running Windows 7 that will be used as the technician computer.

Task 1: Mount the external media on LON-CL2

The Windows Automated Installation Kit downloads as an ISO file by default. Since you are working in a virtual environment, you will use this file to install WAIK.

• On 6294A-LON-CL2, mount the C:\Program Files\Microsoft Learning\6294\Drives\WAIK.ISO file.

Task 2: Install the Windows Automated Installation Kit

• Log on to the LON-CL2 virtual machine as Contoso\Administrator with a password of Pa$$w0rd.
• On Drive D, run StartCD.exe with elevated administrative rights.
• Run Windows AIK Setup using the default settings.

Results: After this exercise, you will have installed the Windows Automated Installation Kit on LON-CL2.


Exercise 2: Identifying Resources and Tools Included with the Windows Automated Installation Kit

Scenario

Your manager has asked you to hold a meeting to explain the functions of the WAIK to the rest of the department. To prepare for this meeting, you need to review the resources and tools that are included with the Windows Automated Installation Kit.

The main tasks for this exercise are as follows:
1. Examine the Windows Automated Installation Kit Start Menu folder.
2. Examine the Windows Automated Installation Kit folder structure.
3. Examine the Windows Automated Installation Kit User’s Guide.

Note: LON-DC1 is the computer running Windows Server 2008 R2 and which contains the domain services. LON-CL2 is the computer running Windows 7 that will be used as the technician computer.

Task 1: Examine the Windows Automated Installation Kit Start Menu folder

• Examine the Start menu to determine which of the WAIK tools have shortcuts.

Question: Which applications are represented in the Start Menu?

• Open the Deployment Tools Command Prompt as administrator and note the environment changes.

Question: Most of the WAIK tools are command-line based. What happened to the PATH when you opened the Deployment Tools Command Prompt?

Task 2: Examine the Windows Automated Installation Kit folder structure

• Open the C:\Program Files\Windows AIK folder structure.

Question: What folders are present?

• Make note of the tools available and compare the platform folders.

Question: Each folder contains one or more of the WAIK tools. Which folders are present?

Task 3: Examine the Windows Automated Installation Kit User’s Guide

• Open the Windows Automated Installation Kit User’s Guide.
• Use the documentation to review the tools noted in tasks 1 and 2.

Results: After this exercise, you will have examined resources and tools provided by the Windows AIK.


Lesson 2
Building a Reference Windows 7 Image by Using Windows SIM and Sysprep

The first step in performing an image-based deployment is building a reference computer and then capturing an image of its configuration for use in later deployments. The System Preparation (Sysprep) command-line tool and the Windows SIM tool of Windows AIK assist in building and capturing a reference computer image. These tools are the focus of this lesson.


What Is Windows SIM?

Key Points

Windows System Image Manager (Windows SIM) is a tool used for customizing and automating Windows 7 installations. Windows SIM enables you to create and manage unattended Windows Setup answer files. These answer files are used during the Windows Setup installation phases to apply additional configurations and customizations to the default installation.

For example, you can change the Windows Internet Explorer® home page, configure the network settings, enable or disable Windows Firewall, and partition and format a disk before the Windows operating system is installed.

Note: Windows SIM does not modify the Windows image itself; Windows SIM is used only to create an answer file. This answer file is used during Windows Setup to apply the settings to the Windows installation. Windows SIM does not modify the settings in a Windows image file.

Windows SIM provides the following features:

• Create a New Answer File for a Windows Image: Windows SIM enables you to create an answer file to be used during Windows Setup. Answer files created in Windows SIM are associated with a particular Windows image.
• Edit an Existing Answer File: Windows SIM enables you to add new components, packages, or other updates to an existing answer file.
• Add Additional Device Drivers to an Answer File: You can add device drivers during Windows Setup by using Windows SIM.
• Add Applications or Additional Drivers to an Answer File: You can add applications or drivers to be installed during Windows Setup with Windows SIM by using an optional set of folders called a distribution share.
• Add Updates to a Windows Image Offline: Windows SIM enables the addition of offline updates to a Windows image, including software updates, device drivers, language packs, and other packages. Packages are provided by Microsoft.
• Import Packages to a Distribution Share: Windows SIM imports packages that are not part of a Windows image (.wim) file to an optional set of folders called a distribution share.
• Create a Configuration Set: A configuration set contains a complete collection of files, drivers, applications, patches, and answer files that are used to customize Windows installations.


Demonstration: Using Windows SIM

Key Points

This demonstration shows how to create an answer file by using Windows SIM.

Build an Answer File by Using Windows SIM

1. Log on to the computer by using the required credentials.
2. Open the Windows System Image Manager from Microsoft Windows AIK.
3. Open the Select an Image dialog box, browse to the folder containing the WIM file, and select the catalog file.

Note: If a catalog file does not exist for this edition of Windows 7, follow the prompts to create a catalog file. The creation process takes several minutes. In this demonstration, there are no prompts to create a catalog file because one already exists.

4. Expand Components and expand x86_Microsoft-Windows-Setup to configure settings primarily used in the windowsPE stage of an unattended installation and for disk configuration.
5. Expand UserData and click ProductKey to configure settings for unattended installation, where Windows 7 is installed from the install.wim file on the Windows 7 installation DVD.
6. Expand x86_Microsoft-Windows-Shell-Setup and open Add setting to Pass 4 specialize at x86_Microsoft-Windows-Shell-Setup to configure settings that will be applied after an operating system has been generalized by using Sysprep.
7. Enter a product key in the Microsoft-Windows-Shell-Setup Properties area.

Note: Placing a product key in this answer file prevents the need to enter in the product key during the installation of a new image.

8. Close Windows System Image Manager and do not save any changes.

Note: For more information, please refer to Windows SIM Technical Reference at http://go.microsoft.com/fwlink/?LinkID=154216.

Question: Why use an answer file rather than manually completing the installation of Windows 7?


Using Sysprep

Key Points

The System Preparation (Sysprep) tool is a technology used in conjunction with other deployment tools to install Windows 7 onto new hardware. The Sysprep tool performs the following functions:

• Prepares a computer for disk imaging by configuring the computer to create a new computer security identifier (SID) when the computer is restarted.
• Cleans up user-specific and computer-specific settings and data that must not be copied to a destination computer.

When running Sysprep, consider the following:

• Use Sysprep only to configure new installations of Windows.
• Run Sysprep as many times as required to build and configure the Windows installation; however, Windows activation can be reset no more than three times.
• Do not use Sysprep to reconfigure an existing installation of Windows which is already deployed.

Sysprep Command-Line Options

The following table and command-line text show the syntax and some of the more common command-line options available for Sysprep.

sysprep.exe [/oobe | /audit] [/generalize] [/reboot | /shutdown | /quit] [/quiet] [/unattend:answerfile]

Option | Description
/audit | Restarts the computer in audit mode. Use audit mode to add drivers or applications to Windows. An installation of Windows must be tested before it is sent to an end user. If an unattended Windows setup file is specified, the audit mode of Windows Setup runs the auditSystem and auditUser configuration passes.
/generalize | Prepares the Windows installation to be imaged. If this option is specified, all unique system information is removed from the Windows installation. The security ID (SID) resets, any system restore points are cleared, and event logs are deleted. The next time the computer starts, the specialize configuration pass runs. A new security ID (SID) is created, and the clock for Windows activation resets if the clock is not already reset three times.
/oobe | Restarts the computer in Windows Welcome mode. Windows Welcome enables end users to customize their Windows operating system, create user accounts, name the computer, and other tasks. Any settings in the oobeSystem configuration pass in an answer file are processed immediately before Windows Welcome starts.
/reboot | Restarts the computer. Use this option to audit the computer and to verify that the first-run experience operates correctly.
/shutdown | Shuts down the computer after the Sysprep command finishes running.
/quiet | Runs the Sysprep tool without displaying on-screen confirmation messages. Use this option if you automate the Sysprep tool.
/quit | Closes the Sysprep tool after running the specified commands.
/unattend:answerfile | Applies settings in an answer file to Windows during unattended installation.
answerfile | Specifies the path and file name of the answer file to use.

Common Sysprep Scenarios

The Sysprep tool is commonly used in the following scenarios:

• Creating a Build-to-Plan (BTP) Windows Image
• Creating a Build-to-Order (BTO) Windows Image
• Starting in Audit Mode

Creating a Build-to-Plan Windows Image

The build-to-plan (BTP) scenario creates a single Windows reference image to install on computers that use the same hardware configuration. The single Windows reference installation is configured by installing Windows and then adding additional drivers and applications. You then capture the Windows image and use it to install your computers. No additional modifications are made to this image.

Creating a Build-to-Order Windows Image

The build-to-order (BTO) scenario starts with a Windows reference image. After installing this reference image, you can make additional updates to the Windows installations that are unique for the computer that starts up in Audit mode. If necessary, install additional devices and applications specific to that computer.

The difference between the build-to-plan scenario and the build-to-order scenario is that additional changes are made to the Windows reference installations which are unique to the computer.


Starting in Audit Mode

Audit mode enables OEMs and corporations to quickly customize a Windows installation. In Audit mode, you can install applications, add device drivers, run scripts, and test the validity of a Windows installation. Audit mode does not require settings in Windows Welcome to be applied.

Question: What is the purpose of running Sysprep with the /audit option?


Lab B: Building a Reference Image Using Windows SIM and Sysprep

Computers in This Lab

Before you begin the lab, you must start the virtual machines. The virtual machines used at the start of this lab are:

• 6294A-LON-DC1
• 6294A-LON-CL2
• 6294A-LON-IMG1
• 6294A-LON-IMG2

Start the virtual machines

1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.
2. In the Virtual Machines pane, click the virtual machine name. In the Actions pane, under the virtual machine name, click Start.
3. To connect to the virtual machine, click the virtual machine name, and in the Actions pane, under the virtual machine name, click Connect.


5-22 <strong>Planning</strong> <strong>and</strong> <strong>Managing</strong> Windows® 7 <strong>Desktop</strong> <strong>Deployments</strong> <strong>and</strong> EnvironmentsExercise 1: Building a Custom Answer File by Using Windows SIMScenarioYou have been asked to customize the support information displayed in the properties on each newWindows 7 computer system at Contoso Ltd. To accomplish this task, you have decided to create ananswer file for deploying the initial Windows 7 images. The answer file needs to answer the generalquestions asked in every setup <strong>and</strong> modify the support information to include the following:• Specify the Manufacturer as the Contoso IT Group.• Specify that support is available from 09:00 to 17:00.• Specify the support phone number.• Direct users to the Technet.Microsoft.com Web site for technical questions.In addition to these settings, to assist with the customization process, you will need to install the systemin Audit mode <strong>and</strong> have the system auto-log on five times.The main tasks for this exercise are as follows:1. Mount the external media on LON-CL2.2. Create a new answer file.3. Add <strong>and</strong> configure windows settings.4. Validate the answer file.5. Unmount the external media on LON-CL2.Note: LON-DC1 is the computer running Windows Server 2008 R2 <strong>and</strong> which contains the domainservices. LON-CL2 is the computer running Windows 7 that will be used as the technician computer. Task 1: Mount the external media on LON-CL2In this task, you will mount a Windows 7 DVD to use with the WAIK. You will also mount a blank diskettedrive, which will be used to save the answer file.• On LON-CL2, mount the image file C:\Program Files\MicrosoftLearning\6294\Drives\Windows7_32bit.iso to the DVD Drive.• ON LON-CL2, mount the image file C:\Program Files\MicrosoftLearning\6294\Drives\UnattendAnswer.vfd to the Diskette Drive. 
Task 2: Create a new answer file• Start the Windows System Image Manager, with elevated administrator privileges.• Right-click in the Windows Image pane, choose Select Windows Image, browse to \\LON-DC1\Labfiles\Source\Sources, <strong>and</strong> then double-click Install_Windows 7 ENTERPRISE.clg.• Create a New Answer File. Task 3: Add <strong>and</strong> configure Windows settings• In the Windows Image pane of Windows SIM, exp<strong>and</strong> the Components node to display availablesettings.• On the exp<strong>and</strong>ed list of components, add the following components to your answer file by rightclickingthe component <strong>and</strong> then by selecting the appropriate configuration pass.


| Component | Configuration Pass |
|---|---|
| x86_Microsoft-Windows-Setup\DiskConfiguration\Disk\CreatePartitions\CreatePartition | windowsPE |
| x86_Microsoft-Windows-Setup\DiskConfiguration\Disk\ModifyPartitions\ModifyPartition | windowsPE |
| x86_Microsoft-Windows-Setup\ImageInstall\OSImage\InstallTo | windowsPE |
| x86_Microsoft-Windows-Setup\UserData | windowsPE |
| x86_Microsoft-Windows-International-Core-WinPE | windowsPE |
| x86_Microsoft-Windows-Shell-Setup\OEMInformation | specialize |
| x86_Microsoft-Windows-Shell-Setup\OOBE | oobeSystem |
| x86_Microsoft-Windows-Shell-Setup\Autologon | auditSystem |
| x86_Microsoft-Windows-Deployment\Reseal | oobeSystem |

• All the settings you added must appear in the Answer File pane. Select and configure each setting as specified in the following table.

| Component | Value |
|---|---|
| x86_Microsoft-Windows-International-Core-WinPE | InputLocale = en-US; SystemLocale = en-US; UILanguage = en-US; UILanguageFallback = en-US; UserLocale = en-US |
| Microsoft-Windows-International-Core-WinPE\SetupUILanguage | UILanguage = en-US |
| Microsoft-Windows-Setup\DiskConfiguration | WillShowUI = OnError |
| Microsoft-Windows-Setup\DiskConfiguration\Disk | DiskID = 0; WillWipeDisk = true |
| Microsoft-Windows-Setup\DiskConfiguration\Disk\CreatePartitions\CreatePartition | Extend = true; Order = 1; Type = Primary |
| Microsoft-Windows-Setup\DiskConfiguration\Disk\ModifyPartitions\ModifyPartition | Active = true; Format = NTFS; Label = Windows; Letter = C; Order = 1; PartitionID = 1 |
| Microsoft-Windows-Setup\ImageInstall\OSImage | WillShowUI = OnError |
| Microsoft-Windows-Setup\ImageInstall\OSImage\InstallTo | DiskID = 0; PartitionID = 1 |
| Microsoft-Windows-Setup\UserData | AcceptEula = true; FullName = Administrator; Organization = Contoso |
| Microsoft-Windows-Setup\UserData\ProductKey | WillShowUI = OnError |
| Microsoft-Windows-Shell-Setup\OEMInformation | HelpCustomized = false; Manufacturer = Contoso IT Group; SupportHours = 9 - 5; SupportPhone = 555-9988; SupportURL = http://Technet.Microsoft.Com |
| Microsoft-Windows-Shell-Setup\AutoLogon | Enabled = true; LogonCount = 5; Username = Administrator |
| Microsoft-Windows-Shell-Setup\AutoLogon\Password | Password = Pa$$w0rd |
| Microsoft-Windows-Deployment\Reseal | ForceShutdownNow = false; Mode = Audit |
| Microsoft-Windows-Shell-Setup\OOBE | NetworkLocation = Work; ProtectYourPC = 1 |

Task 4: Validate the answer file
• In Windows SIM, validate the answer file. A “No warnings or errors” message will appear in the Messages pane. Fix any errors and then re-validate.
• Save the answer file to the root of the A:\ drive as Autounattend.xml.

Task 5: Unmount the external media on LON-CL2
• On 6294A-LON-CL2, unmount the DVD Drive and Diskette Drive.

Results: After this exercise you will have a custom Autounattend.xml answer file saved to a virtual diskette drive.
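The answer file saved in this exercise carries the AutoLogon account and its password (Password = Pa$$w0rd) as ordinary XML on the diskette. The following Python audit is an added example, not part of the courseware: it lists every credential stored in an answer file without echoing the secret. The sample XML is constructed from the table's values and abridged, and the function and field names are this example's own.

```python
"""Audit a Windows answer file (Autounattend.xml) for stored credentials."""
import xml.etree.ElementTree as ET

NS = {"u": "urn:schemas-microsoft-com:unattend"}

# Constructed sample: an abridged answer file holding the OEMInformation and
# AutoLogon values from the lab table. Real files written by Windows SIM carry
# more attributes on each <component> element.
SAMPLE_ANSWER_FILE = """<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86">
      <OEMInformation>
        <Manufacturer>Contoso IT Group</Manufacturer>
        <SupportPhone>555-9988</SupportPhone>
      </OEMInformation>
    </component>
  </settings>
  <settings pass="auditSystem">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86">
      <AutoLogon>
        <Password>
          <Value>Pa$$w0rd</Value>
          <PlainText>true</PlainText>
        </Password>
        <Enabled>true</Enabled>
        <LogonCount>5</LogonCount>
        <Username>Administrator</Username>
      </AutoLogon>
    </component>
  </settings>
</unattend>
"""


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def _path_in_component(elem, comp, parents):
    """Return the setting path below the component, e.g. 'AutoLogon/Password'."""
    parts = []
    while elem is not comp:
        parts.append(_local(elem.tag))
        elem = parents[elem]
    return "/".join(reversed(parts))


def audit_answer_file(xml_text):
    """Return one finding per password element that holds a value.

    The secret itself is never copied into the finding, so the report can be
    logged or attached to a ticket.
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for settings in root.findall("u:settings", NS):
        for comp in settings.findall("u:component", NS):
            for elem in comp.iter():
                # Covers AutoLogon/Password, AdministratorPassword and
                # LocalAccount/Password, which all end in "Password".
                if not _local(elem.tag).endswith("Password"):
                    continue
                secret = (elem.findtext("u:Value", namespaces=NS)
                          or (elem.text or "").strip())
                if not secret:
                    continue
                # A missing <PlainText> is treated as plain text. PlainText =
                # false means the value is base64-encoded, not encrypted, so
                # it is reported as a finding either way.
                plain = elem.findtext("u:PlainText", default="true", namespaces=NS)
                finding = {
                    "pass": settings.get("pass"),
                    "component": comp.get("name"),
                    "setting": _path_in_component(elem, comp, parents),
                    "plaintext": plain.strip().lower() == "true",
                    "username": None,
                    "logon_count": None,
                }
                parent = parents[elem]
                if _local(parent.tag) == "AutoLogon":
                    finding["username"] = parent.findtext("u:Username", namespaces=NS)
                    count = parent.findtext("u:LogonCount", default="", namespaces=NS)
                    finding["logon_count"] = int(count) if count.isdigit() else None
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit_answer_file(SAMPLE_ANSWER_FILE):
        print("{pass} {component} {setting}: user={username} "
              "logons={logon_count} plaintext={plaintext}".format(**f))
```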


Exercise 2: Installing a Reference Computer from a DVD Using a Custom Answer File

Scenario
After creating the answer file, you will build the reference computer. To accomplish this, you will install Windows 7 on LON-IMG1 from a DVD and use the answer file that you saved to the Diskette drive in the previous exercise. When you start a blank computer with a Windows DVD and a completed answer file, the operating system will be installed without user input.

The main tasks for this exercise are as follows:
1. Mount the external media on LON-IMG1.
2. Start LON-IMG1.

Note: LON-DC1 is the computer running Windows Server 2008 R2 and which contains the domain services. LON-CL2 is the computer running Windows 7 that will be used as the technician computer. LON-IMG1 is the computer that will be used to install a fresh installation of Windows 7 using the custom answer file.

Task 1: Mount the external media on LON-IMG1
• On 6294A-LON-IMG1 mount the “C:\Program Files\Microsoft Learning\6294\Drives\Windows7_32bit.ISO” and “C:\Program Files\Microsoft Learning\6294\Drives\UnattendAnswer.vfd” files.

Task 2: Start LON-IMG1
• Start 6294A-LON-IMG1. Verify that the installation has started. The installation will take approximately 30 minutes.
• To save time, you can revert 6294A-LON-IMG1 and then start 6294A-LON-IMG2, which is a pre-staged virtual machine saved at the point where the installation has completed. You can either wait for LON-IMG1 to finish installing or continue on to Exercise 3 with LON-IMG2. The following exercise assumes that 6294A-LON-IMG2 is used.

Results: After this exercise LON-IMG1 will have Windows 7 installed with the customizations specified in the Autounattend.xml file.


Exercise 3: Generalizing a Reference Computer by Using Sysprep

Scenario
Management has decided that all computers will have a base installation of Windows 7 with Office 2007. After installing all necessary applications, prepare the system for imaging by removing all the unique settings with Sysprep. For this lab, Office 2007 Viewers are being used as stand-ins for Office 2007.

The main tasks for this exercise are as follows:
1. Start LON-IMG2 (if necessary).
2. Verify custom installation settings.
3. Install applications.
4. Reseal LON-IMG2 with Sysprep.
5. Unmount the external media on LON-IMG1 (if necessary).

Exercise 3 can be completed with either 6294A-LON-IMG1 or 6294A-LON-IMG2, depending on available time. LON-IMG2 is used as the name in the exercise task steps.

Note: LON-DC1 is the computer running Windows Server 2008 R2 and which contains the domain services. LON-IMG1 or LON-IMG2 is the computer that will be used to install applications and be prepared for imaging using Sysprep.

Task 1: Start LON-IMG2 (if necessary)
• Start 6294A-LON-IMG2.

Task 2: Verify custom installation settings
• On the System Preparation Tool 3.14 dialog box, specify System Audit Mode, and then select Quit.
• Open the computer properties and verify that the Manufacturer and IT support information match the values used in the UnattendAnswer script.

Task 3: Install applications
• On LON-IMG2, browse to \\LON-DC1\labfiles\mod05\viewers\.
• In the Windows Security box, type Contoso\Administrator with the password of Pa$$w0rd.
• Install the following applications:
  • ExcelViewer with default settings.
  • PowerPointViewer with default settings.
  • Visioviewer with default settings.
  • Wordview_en-us with default settings.

Task 4: Reseal LON-IMG2 with Sysprep
• Start a Command Prompt with elevated permissions. In the command window, type CD C:\Windows\System32\Sysprep and press ENTER.
• Use the System Preparation Tool 3.14 in the Enter System Out-of-Box Experience (OOBE) mode and Generalize and Shutdown the system.
• Close the 6294A-LON-IMG2 - Virtual Machine Connection window.

Task 5: Unmount the external media on LON-IMG1 (if necessary)
• Set 6294A-LON-IMG1 to no DVD Drive and Diskette Drive.

Results: After this exercise, the LON-IMG2 system will be customized and prepared to be captured to a WIM file.


Lesson 3
Managing the Windows Pre-Installation Environment

The Windows Pre-installation Environment (Windows PE) is an important component for building the reference computer and deploying an image to new computers. This lesson provides information on what Windows PE is and how you can customize it to meet your specific imaging and deployment requirements.


What Is Windows PE?

Key Points
Windows Pre-installation Environment (Windows PE) version 3.0 is the core deployment foundation for Windows 7. Windows PE is a compact, special-purpose Windows operating system that prepares and initiates a computer for Windows setup, maintenance, or imaging tasks, and recovers operating systems such as Windows 7.

With Windows PE, you can start a subset of Windows 7 from a network or removable medium, which provides network and other resources necessary to install and troubleshoot Windows 7. While Windows PE is not a general-purpose operating system, it can be used to start a computer that has no functioning operating system installed, and it can act as a replacement for MS-DOS®–based boot disks that were utilized in previous Windows operating system versions.

Windows PE is designed to make large-scale, customized deployments of the new Windows 7 operating system notably simpler by addressing the following tasks:
• Installing Windows 7: Windows PE runs every time Windows 7 is installed. The graphical tools that collect configuration information during the setup phase are running within Windows PE.
• Troubleshooting: Windows PE is also useful for automatic and manual troubleshooting. For example, if Windows 7 fails to start because of a corrupted system file, Windows PE can automatically start and launch the Windows Recovery Environment.
• Recovery: Original Equipment Manufacturers (OEMs) and Independent Software Vendors (ISVs) can use Windows PE to build customized, automated solutions for recovering and rebuilding computers running Windows 7.

Question: What are some of the tasks in which you can use Windows PE for troubleshooting?


Windows PE 3.0 Support Utilities

Key Points
Windows PE supports the following command-line utilities used for Windows 7 installation and Windows PE image creation:
• BCDboot Command-Line Options: BCDboot is a tool used to quickly set up a system partition, or to repair the boot environment located on the system partition.
• Bootsect Command-Line Options: Bootsect.exe updates the master boot code for hard disk partitions to switch between Bootmgr and NT Loader (NTLDR).
• Drvload Command-Line Options: The Drvload tool adds out-of-box drivers to a Windows PE image.
• Expand Command-Line Options: Expand.exe expands one or more compressed update files.
• Lpksetup Command-Line Options: Use Lpksetup to perform unattended or silent-mode language-pack operations, such as adding or removing a language pack.
• Oscdimg Command-Line Options: Oscdimg is a command-line tool for creating an image file (.iso) of a customized 32-bit or 64-bit version of Windows PE.
• Winpeshl.ini Files: Winpeshl.ini controls whether a customized shell is loaded in Windows PE or the default Command Prompt window.
• Wpeinit Command-Line Options: Wpeinit is a command-line tool that initializes Windows PE each time that Windows PE boots.
• Wpeutil Command-Line Options: The Windows PE utility (Wpeutil) is a command-line tool that enables you to run various commands in a Windows PE session.

Question: Which Windows PE tool adds out-of-box drivers to a Windows PE image?


Demonstration: Customizing a Windows PE Boot Disk

This demonstration shows how to customize a Windows PE boot disk.
1. Open Deployment Tools Command Prompt from Microsoft Windows AIK.
2. At the command prompt, type copype.cmd to copy the necessary files for Windows PE to the destination folder. This also creates the folder, if it does not exist. You will also need to copy the winpe.wim file to the \Sources folder and rename it to boot.wim.
3. At the command prompt, type copy <source> to copy the ImageX tool from the source folder to the destination folder.
4. At the command prompt, type oscdimg -n -b to create an iso file for the Windows PE from the source location.

Note: For more information on copype, copy, and oscdimg, please refer to: http://go.microsoft.com/fwlink/?LinkID=154217, http://go.microsoft.com/fwlink/?LinkID=154218, http://go.microsoft.com/fwlink/?LinkID=154219


Lab C: Creating Windows PE Boot Media

Computers in This Lab
Before you begin the lab, start the virtual machines. The virtual machines used at the start of this lab are:
• 6294A-LON-DC1
• 6294A-LON-CL2
• 6294A-LON-IMG2

Start the virtual machines
1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.
2. In the Virtual Machines pane, click the virtual machine name. In the Actions pane, under the virtual machine name, click Start.
3. To connect to the virtual machine, click the virtual machine name, and in the Actions pane, under the virtual machine name, click Connect.


Exercise 1: Adding Packages to Windows PE

Scenario
Research shows that the default Windows PE build does not include ImageX. Since ImageX is needed to capture and deploy the base operating system image, you have decided to create a custom Windows PE structure to include ImageX. Also, you have several customization tools that will be located in a \Temp folder that must not be copied to the system during the customization process. Therefore, configure ImageX to skip the \Temp folder that will be located at the root of any drive.

The main tasks for this exercise are as follows:
1. Set up a Windows PE build environment.
2. Add customizations to a Windows PE build environment.

Note: LON-DC1 is the computer running Windows Server 2008 R2 and which contains the domain services. LON-CL2 is the computer running Windows 7 that will be used as the technician computer.

Task 1: Set up a Windows PE build environment
• On 6294A-LON-CL2, start the Deployment Tools Command Prompt with elevated permissions.
• At the command prompt, type Copype.cmd x86 c:\winpe_x86 and press ENTER.
• At the command prompt, type copy c:\winpe_x86\winpe.wim c:\winpe_x86\ISO\sources\boot.wim and press ENTER.

Task 2: Add customizations to a Windows PE build environment
• Copy the imagex.exe file into the Windows PE build environment by running the following command:
  copy "C:\program files\Windows AIK\Tools\x86\imagex.exe" C:\winpe_x86\iso\
• Start Notepad and create a new text file named wimscript.ini. Save the file in C:\winpe_x86\iso.
• In wimscript.ini add the following:
  [ExclusionList]
  \temp
• Save and close Notepad.

Results: After this exercise, you will have a custom WinPE folder structure including ImageX ready to be copied to boot media.


Exercise 2: Creating a Bootable Windows PE ISO Image

Scenario
After creating the Windows PE file structure and adding customizations, you need to create the startup media. In this exercise, you are creating an ISO file.

The main tasks for this exercise are as follows:
• Create the ISO file.

Note: LON-DC1 is the computer running Windows Server 2008 R2 and which contains the domain services. LON-CL2 is the computer running Windows 7 that will be used as the technician computer.

Task 1: Create the ISO file
• At the command prompt, type oscdimg -n -bC:\winpe_x86\etfsboot.com C:\winpe_x86\ISO C:\winpe_x86\winpe_x86.iso and press ENTER.

Results: After this exercise, the Windows PE custom ISO file will be created.


Exercise 3: Starting the Windows PE Operating System Environment

Scenario
After preparing the system with Sysprep, you are ready to capture an image of the system. To accomplish this, the system needs to be started in the custom Windows PE environment that you created. Note that you will use an ISO file that has been provided, which is the same as the one you created in Exercise 2.

The main tasks for this exercise are as follows:
1. Mount the Windows PE ISO.
2. Start LON-IMG2.

Note: LON-DC1 is the computer running Windows Server 2008 R2 and which contains the domain services. LON-CL2 is the computer running Windows 7 that will be used as the technician computer. LON-IMG1 or LON-IMG2 is the computer that will be used as the reference system.

Task 1: Mount the Windows PE ISO
• On LON-IMG2, mount the C:\Program Files\Microsoft Learning\6294\drives\winpe_x86.iso.

Task 2: Start LON-IMG2
• Start 6294A-LON-IMG2 and boot using the winpe_x86.iso DVD. Press a key when prompted and then verify that Windows PE has started.

Results: After this exercise LON-IMG2 is started in the Windows PE Environment and is ready for capture.


Lesson 4
Capturing, Applying, and Servicing a Windows 7 Image

The Windows Automated Installation Kit (Windows AIK) includes the tools needed to create, build, deploy, and manage a Windows 7 image. This lesson examines the key Windows AIK components used in capturing and deploying a Windows image, and managing and servicing the image once it has been deployed.

This lesson begins by introducing the command-line tool known as ImageX. This tool enables you to capture a Windows 7 installation image from the Windows Pre-installation Environment (Windows PE). Once the operating system image is captured, it can then be deployed on another computer.

Once a Windows 7 image has been deployed, you can service the image by adding or removing language packs or drivers, and updating an existing offline or online image when new software and hardware become available. The recommended way to service a Windows image is offline with the Deployment Image Servicing and Management (DISM) tool, which is examined at the end of this lesson.


What Is ImageX?

Key Points
ImageX is a command-line tool that enables the creation, modification, and deployment of file-based Windows 7 images in a manufacturing or corporate IT environment. ImageX works with Windows image (.wim) files for copying to a network.

ImageX is commonly used in a Windows PE environment during image-based deployments. Start your technician computer in the Windows PE environment, and then run ImageX to capture your Windows 7 image.

The ImageX tool is used to perform the following tasks:
• View WIM file contents: ImageX provides the ability to view WIM file contents and shows the available images and those images that can be deployed from within the WIM file.
• Capture images: A source computer image can be captured and then saved in a WIM file format. The image can be saved to a distribution share from which users can employ Windows 7 Setup to install it, or pushed out to the desktops using various deployment techniques.
• Mount images for offline image editing: Use ImageX to customize an existing image, including updating files and folders. This involves adding, removing, editing, and copying files from the image by using the Windows Imaging File System Filter (WIM FS filter). ImageX can also be used to update and edit an offline image without creating a new image for distribution.
• Store multiple images in a single file: Use ImageX to store multiple images in a single WIM file, which minimizes the image file size. This makes it much simpler to deploy multiple images across a slower network connection, or by using removable media.
  When Windows 7 is installed using a file with multiple images, users can select which image to apply. For example, it is possible to have a WIM file that contains several role-based configurations, or images that contain both pre-update and post-update versions.
• Compress the image files: ImageX supports two different compression algorithms, Fast and Maximum, to further reduce the image size.
• Implement scripts for image creation: Use scripting tools to create and edit images.

Question: ImageX provides the ability to store multiple images in a single WIM file. What benefit does this provide?


Managing WIM Files by Using ImageX

Key Points
The ImageX tool captures a source computer image and saves it in a Windows Imaging (.wim) file for later deployment.

Capturing a .wim File Image Using ImageX
Perform the following steps to capture a .wim file image using ImageX:
1. Start your reference computer by using Windows PE.
2. If any of the partitions that need to be captured do not already have a drive letter assigned, assign a letter using the DiskPart command.
   a. At the Windows PE command prompt, type diskpart to open the DiskPart tool.
      X:> diskpart
      DISKPART>
   b. Select the hard disk with the select disk command. For example:
      DISKPART> select disk 0
   c. View the partitions with the list volume command. For example:
      DISKPART> list volume
      Volume ###  Ltr  Label  Fs     Type       Size    Status   Info
      ----------  ---  -----  -----  ---------  ------  -------  -------
      Volume 0    C           NTFS   Partition  49GB    Healthy  Windows
      Volume 1                FAT32  Partition  300 MB  Healthy  System
   d. Select the partition with the select volume command. For example:
      DISKPART> select volume 1
   e. Assign a letter to the partition with the assign letter command. For example:
      DISKPART> assign letter=S
   f. Type exit to return to the Windows PE command prompt.
      DISKPART> exit
      X:\>
3. At the Windows PE command prompt, open the directory that contains the ImageX tool. For example:
      cd C:\Windows\System32
4. Capture images for each customized partition. To capture the images, use the ImageX command with the /capture option. For example:
      imagex /capture c:\ c:\my-windows-partition.wim "My Windows partition"
      imagex /capture s:\ c:\my-system-partition.wim "My system partition"
5. Connect to your distribution share by using the net use command. For example:
      net use n: \\MyNetworkShare\Images
6. Copy the partitions to your network share. For example:
      copy c:\my-windows-partition.wim n:\
      copy c:\my-system-partition.wim n:\

After the image is captured and stored, you can:
• Mount it to your reference computer for modification.
• Split the file into smaller files.
• Apply the images to a destination computer.
• Set up a network-based installation of Windows.
• Set up Windows on a Virtual Hard Disk.
• Set up Windows using other deployment options.
• Service the image.

ImageX Command-Line Options
The following command line options are available when running the ImageX command:

      ImageX [/flags] [{/append | /apply | /capture | /cleanup | /commit | /delete | /dir | /export | /info | /mount | /mountrw | /unmount | /split} [Parameters]]

| Command | Description |
|---|---|
| flags | Specifies the version of Windows that needs to be captured. This is required when redeploying a custom Install.wim with Windows Setup. |
| append | Adds a volume image to an existing .wim file. Creates a single instance of the file, comparing it against the resources that already exist in the .wim file, so the same file is not captured twice. When running this command, ensure there is sufficient disk space for the /append option to run. If available disk space runs out during the /append option, the appended .wim file may become corrupted. |
| apply | Applies a volume image to a specified drive. All hard disk partitions must be created before users begin this process. Run this option from Windows PE. The parent directory must be included for the /apply option. Otherwise, when the image is applied, it will overwrite everything in that location. For example, if you are applying the image to the C drive, the /apply option overwrites everything that exists on the C drive with your image files. |
| capture | Captures a volume image from a drive to a new .wim file. Captured directories include all subfolders and data. |
| cleanup | Deletes all the resources associated with a mounted image that is abandoned. |
| commit | Saves changes to a mounted .wim file without unmounting the .wim file. |
| delete | Deletes the specified volume image from a .wim file with multiple volume images. This option must be run from Windows PE. There must always be at least one volume image in a .wim file, so you can only delete a volume image if more than one image exists. |
| dir | Displays a list of files and folders within a volume image. |
| export | Exports a copy of a .wim file to another .wim file. Ensure there is sufficient disk space for the /export option to run. If available disk space runs out while the /export option runs, the Destination.wim file may become corrupted. |
| info | Returns information about the .wim file. Information includes total file size, the image index number, the directory count, file count, and a description. |
| mount | Mounts a .wim file with read or read/write permission. Once the file is mounted, all the information contained in the directory can be viewed but not modified. The WIMMount filter must be installed before an image can be mounted. |
| mountrw | Mounts a .wim file with read/write permission to a specified directory. Once the file is mounted, all the information contained in the directory can be viewed and modified. The WIMMount filter must be installed before an image can be mounted. |
| unmount | Unmounts a mounted image from a specified directory. If a mounted image is modified, the /commit option must be applied to save the changes. |
| split | Splits large .wim files into multiple read-only .wim files. This option generates the .swm files into the specified directory, naming each file the same as the specified image_file, but with an appended number and the .swm file-name extension. For example, if choosing to split a file named Data.wim, this option creates a Data.swm file, a Data2.swm file, a Data3.swm file, and so on, defining each portion of the split .wim file. |

Note: The preceding table is only a subset of the tools and functionality provided by ImageX. For a more detailed list of syntax commands, refer to the “ImageX Technical Reference” document included in the “Windows Automated Installation Kit User’s Guide.”


Lab D: Capturing and Applying a Windows 7 Image Using ImageX

Computers in This Lab
Before you begin the lab, start the virtual machines. The virtual machines used at the start of this lab are:
• 6294A-LON-DC1
• 6294A-LON-CL2
• 6294A-LON-IMG2
• 6294A-LON-CL3

Start the virtual machines
1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.
2. In the Virtual Machines pane, click the virtual machine name. In the Actions pane, under the virtual machine name, click Start.
3. To connect to the virtual machine, click the virtual machine name, and in the Actions pane, under the virtual machine name, click Connect.


Exercise 1: Capturing an Image Using ImageX

Scenario
Now that the system has started in the custom Windows PE environment, you can run the ImageX tool and capture the image for further deployment.

The main tasks for this exercise are as follows:
1. Create a share on LON-CL2.
2. Run ImageX with the Capture option.

Note: LON-DC1 is the computer running Windows Server 2008 R2 and which contains the domain services. LON-CL2 is the computer running Windows 7 that will be used as the technician computer. LON-IMG1 or LON-IMG2 is the computer that will be used as the reference system.

Task 1: Create a share on LON-CL2
• On LON-CL2, create a folder named C:\Images and share it with everyone with Read\Write access.

Task 2: Run ImageX with Capture option
• On 6294A-LON-IMG2, map drive Z to the images folder on LON-CL2. Use the following command:
  Net Use Z: \\LON-CL2\Images
• When prompted for credentials, type Contoso\Administrator with Pa$$w0rd as the password.
• At the command prompt, type the following command and then press ENTER:
  D:\imagex /check /capture C: Z:\LON-REF.wim "Contoso Client Image"
  Note: The capture process will take approximately 20 minutes. To save time, the remainder of the lab will use an image that has already been prepared.
• Turn off LON-IMG2.

Results: After this exercise, LON-IMG2 will be captured and a WIM file will be created on the LON-CL2 system.


Exercise 2: Apply an Image Using ImageX

Scenario
After capturing the LON-IMG2 image, you will deploy the image to additional systems using the Windows PE startup media and ImageX. For this exercise, LON-CL3 is started with Windows PE and then will have the image applied.

The main tasks for this exercise are as follows:
1. Mount the Windows PE ISO.
2. Start LON-CL3.
3. Format the C: drive on LON-CL3.
4. Run ImageX with the Apply option.

Note: LON-DC1 is the computer running Windows Server 2008 R2 and which contains the domain services. LON-CL2 is the computer running Windows 7 that will be used as the technician computer. LON-CL3 is the computer that will receive the new image.

Task 1: Mount the Windows PE ISO
• On 6294A-LON-CL3, mount the C:\Program Files\Microsoft Learning\6294\drives\winpe_x86.iso image file.

Task 2: Start LON-CL3
• Start 6294A-LON-CL3 and continue after Windows PE has started.

Task 3: Format the C: drive on LON-CL3
• On LON-CL3, type Diskpart and perform the following disk tasks:
  • Type Select disk=0 and press ENTER.
  • Type Create partition primary and press ENTER.
  • Type Format FS=NTFS Quick and press ENTER.
  • Type Select Partition 1 and press ENTER.
  • Type Active and press ENTER.
  • Type Assign letter=C and press ENTER.
  • Type Exit and press ENTER.

Task 4: Run ImageX with the Apply option
• On LON-CL3, map a drive by typing the following command:
  Net Use Z: \\LON-DC1\labfiles\Mod05\Image
• When prompted, type Contoso\Administrator with Pa$$w0rd as the password.
• Type d:\imagex /apply Z:\LON-REF.wim 1 C: and press ENTER. The image application takes approximately ten minutes.
• After the image is applied, type Exit and then press ENTER to restart the computer.
• When LON-CL3 restarts, complete the Set Up Windows wizard:
  • Country or region: Default
  • User Name: LocalAdmin
  • Computer name: LON-CL3
  • Password: Pa$$w0rd
  • I accept the license terms: Selected
  • Updates: Use recommended settings
  • Time and date: Default
  • Location: Work network
• After the installation is complete, verify the following:
  • Open computer properties to determine if the manufacturer and IT support information match the values used in the UnattendAnswer script.
  • The custom applications are installed.
• Shut down LON-CL3.

Results: After this exercise, the image will be deployed to LON-CL3 and the customizations verified.


What Is DISM?

Key Points
Deployment Image Servicing and Management (DISM) is a new command-line tool in Windows 7 and Windows Server® 2008 R2 that combines separate Windows platform technologies into a single, cohesive tool for servicing Windows images. DISM enables IT professionals to view components of an applied or mounted operating system image and add or remove packages, software updates, and drivers. DISM can be used to service Windows images offline before deployment or to prepare a Windows Pre-installation Environment (Windows PE) image.

Related Technologies Used by DISM
DISM is a command-line tool that combines separate Windows platform technologies into a single, cohesive tool for servicing Windows images. The following technologies are used by DISM:

• Unattended Installation Answer File: When an answer file is applied by using DISM, the updates that are specified in the answer file are implemented on the Windows image or the running operating system. Configure default Windows settings, add drivers, packages, software updates, and other applications by using the settings in an answer file.
• Windows System Image Manager: Windows System Image Manager (Windows SIM) is used to create unattended answer files that are used with DISM. It is also used to create distribution shares and modify the files contained in a configuration set.
• ImageX: ImageX is a command-line tool that can be used to mount an image or to apply an image to a drive so that it can be modified with the DISM command-line utility. After the image is modified, use ImageX to capture the image, append the image to a WIM, or export the image as a separate file. If there is no need to capture, append, or export the image after you modify it, use DISM to mount the image instead of using ImageX.
• OCSetup: OCSetup is a command-line tool that can be used when you are applying updates to an online Windows image. It installs or removes Component-Based Servicing (CBS) packages online by passing packages to DISM for installation or removal.
  OCSetup can also be used to install Microsoft System Installer (.msi) files by calling the Windows Installer service (MSIExec.exe) and passing Windows Installer components to it for installation or removal. In addition, OCSetup can be used to install packages that have custom installers such as .exe files.

Question: How does DISM use ImageX technology?


Demonstration: Servicing Windows 7 Images by Using DISM

The commands and options that are available for servicing an image depend on which Windows operating system is being serviced (Windows 7, Windows Vista® with Service Pack 1 (SP1), Windows Server 2008 R2, Windows Server 2008, or Windows PE), and whether the image is offline or a running operating system. All commands work on an offline Windows image. Subsets of the commands are available for servicing a running operating system.

The DISM command-line options are global and can be used with most servicing command-line options. The servicing command-line options work individually and cannot be used in combination with other servicing command-line options. To service a Windows image offline, it must be applied or mounted. WIM images can be mounted using the Windows Image (WIM) commands within DISM, or applied and recaptured using ImageX.

The base syntax for nearly all DISM commands is the same. After mounting or applying your Windows image so that it is available offline as a flat file structure, you can specify any DISM options, the servicing command that will update your image, and the location of the offline image. You can use only one servicing command on each command line. If a running computer is being serviced, you can use the /Online option instead of specifying the location of the offline Windows image.

The base syntax for DISM is as follows:
  DISM.exe {/Image: | /Online} [dism_options] {servicing_command} []

The following DISM options are available for an offline image:
  DISM.exe /image: [/WinDir:< ] [/LogPath:] [/LogLevel:>] [SysDriveDir:] [/Quiet] [/NoRestart] [/ScratchDir:


  DISM.exe /online [/LogPath:] [/LogLevel:] [/Quiet] [/NoRestart] [/ScratchDir:]

The following table shows some of the more common command-line options available for DISM:

Option: /Commit-Wim
Description: Applies the changes that are made to the mounted image. The image remains mounted until the /unmount option is used.
Example:
  Dism /Commit-Wim /MountDir:C:\test\offline

Option: /Get-Help, /?
Description: Displays information about available DISM command-line options and arguments. The options available for servicing an image depend on the servicing technology that is available in your image. Specifying an image, either an offline image or the running operating system, will generate information about specific options that are available for the image currently being serviced.
Example:
  Dism /?
  Dism /image:C:\test\offline /?
  Dism /online /?

Option: /Get-MountedWimInfo
Description: Lists the images currently mounted and information about the mounted image such as read/write permissions, mount location, mounted file path, and mounted image index.
Example:
  Dism /Get-MountedWimInfo

Option: /Image
Description: This is the full path to the root directory of the offline Windows image that will be serviced. If the directory named Windows is not a subdirectory of the root directory, /WinDir must be specified. This option cannot be used with /Online.

Option: /LogLevel
Description: Specifies the maximum output level shown in the logs. The default log level is 3. The accepted values are:
  1 = Errors only
  2 = Errors and warnings
  3 = Errors, warnings, and informational
  4 = All the above and debug output
Example:
  Dism /image:C:\test\offline /LogPath:AddPackage.log /LogLevel:1 /Add-Package /PackagePath:C:\packages\package.cab

Option: /LogPath
Description: Specifies the full path and file name to log to. If not set, the default is %WINDIR%\Logs\Dism\dism.log. In Windows PE, the default directory is the RAMDISK scratch space, which can be as low as 32 MB. The log file will automatically be archived. The archived log file will be saved with .bak appended to the file name and a new log file will be generated. Each time the log file is archived the .bak file will be overwritten.


Option: /Mount-Wim
Description: Mounts the WIM file to the specified directory so that it is available for servicing. /ReadOnly sets the mounted image with read-only permissions. Optional. An index or name value is required for most operations that specify a WIM file.
Example:
  Dism /Mount-Wim /WimFile:C:\test\images\install.wim /index:1 /MountDir:C:\test\offline /ReadOnly
  Dism /Mount-Wim /WimFile:C:\test\offline\install.wim /name:"Windows 7 Enterprise" /MountDir:C:\test\offline

Option: /Online
Description: Specifies that the action is to be taken on the operating system that is currently running. This option cannot be used with the /Image or the /WinDir option. When /Online is used, the Windows directory for the online image is automatically detected.

Option: /NoRestart
Description: Suppresses restart. If a restart is not necessary, then this command does nothing. This option will keep the application from prompting for a restart (or keep it from restarting automatically if the /Quiet option is used).

Option: /Quiet
Description: Turns off information and progress output to the console. Only error messages will be displayed. To run in quiet mode, this option must be set every time that the command-line utility is run. It must be present before the servicing command.

Option: /ScratchDir
Description: Specifies a temporary directory to be used when extracting files for temporary use during servicing. The directory must exist locally. If not specified, the \Windows\%Temp% directory will be used, with a subdirectory name of a randomly generated hexadecimal value for each run of DISM. Items in the scratch directory are deleted after each operation. Do not use a network share location as a scratch directory to expand a package (.cab or .msu file) for installation. The directory used for extracting files for temporary usage during servicing must be a local directory.

Option: /Unmount-Wim
Description: Unmounts the WIM file and either commits or discards the changes made while the image was mounted.
Example:
  Dism /unmount-Wim /MountDir:C:\test\offline /commit
  Dism /unmount-Wim /MountDir:C:\test\offline /discard

Option: /WinDir
Description: Used with the /Image option to specify the path to the Windows directory relative to the image path. This cannot be the full path to the Windows directory; it must be a relative path. If not specified, the default is the Windows directory in the root of the offline image directory. This option cannot be used with the /Online option.

Demonstration
This demonstration shows how to modify an image by using DISM.

Servicing Windows 7 Images by Using DISM
1. Log on to the computer by using the required credentials.
2. Open the Deployment Tools Command Prompt from Microsoft Windows AIK.
3. At the command prompt, type dism to display help information for the command.
4. At the command prompt, type CD C:\Program Files\Windows AIK\Tools\Servicing.
5. At the command prompt, type MD C:\Servicing.
6. At the command prompt, type DISM /get-wiminfo /wimfile:C:\Images\LON-REF.wim.
7. At the command prompt, type DISM /mount-wim /wimfile:C:\Images\LON-REF.wim /index:1 /mountdir:C:\Servicing.
8. At the command prompt, type cd C:\Servicing.
9. At the command prompt, type dir.
10. At the command prompt, type CD "C:\Program Files\Windows AIK\Tools\Servicing".
11. At the command prompt, type DISM /get-mountedwiminfo to display information about the mounted image.
12. At the command prompt, type DISM /image:c:\servicing /? to display a list of available servicing options. Discuss the available options.
13. At the command prompt, type DISM /Unmount-Wim /Mountdir:C:\Servicing /commit.


Servicing Windows PE Images

Key Points
A Windows PE image can be mounted, and packages, drivers, and language packs can be added or removed in the same way as for any Windows 7 image, by using the appropriate driver, package, or international-servicing commands. There are also commands that are specific to a Windows PE image, which can be used to prepare the Windows PE environment. These commands are used to enable profiling, list packages, and prepare the Windows PE image for deployment.

The base syntax for servicing a Windows PE image is:
  DISM.exe /Image:

In addition to the DISM options, the following Windows PE servicing options are available for an offline image.
  DISM.exe /Image: [/Get-PESettings | /Get-Profiling | /Get-ScratchSpace | /Get-TargetPath | /Set-ScratchSpace: | /Set-TargetPath : | /Enable-Profiling | /Disable-Profiling | /Apply-Profiles]

Note: These options cannot be used with an online, running version of Windows PE. A Windows PE image must be specified using the /Image: option.


Lab E: Servicing Images by Using DISM

Exercise 1: Service an Offline WIM Image

Scenario
After creating the reference image for your Windows 7 deployment, management implemented a standard to use Microsoft input devices. They have asked you to include the Microsoft Intellipoint drivers in the image so users will have full functionality. Instead of going through the complete imaging process, you have decided to modify the image while it is offline.

The main tasks for this exercise are as follows:
1. Mount the WIM image for servicing.
2. Add drivers to an offline image.
3. Commit changes to an offline WIM image.

Note: LON-DC1 is the computer running Windows Server 2008 R2, which contains the domain services. LON-CL2 is the computer running Windows 7 that will be used as the technician computer.

Setup
Before starting this lab, copy the LON-REF.wim file from the \\LON-DC1\Labfiles\Mod5\Image folder to the C:\Images folder on LON-CL2.

Task 1: Mount the WIM image for servicing
• On 6294A-LON-CL2, start the Deployment Tools Command Prompt with elevated permissions.
• At the command prompt, type CD "C:\Program Files\Windows AIK\Tools\Servicing" and press ENTER.
• At the command prompt, type MD C:\Servicing and press ENTER.
• At the command prompt, type DISM /get-wiminfo /wimfile:C:\Images\LON-REF.wim and press ENTER.
• At the command prompt, type DISM /mount-wim /wimfile:C:\Images\LON-REF.wim /index:1 /mountdir:C:\Servicing and press ENTER.
• At the command prompt, type DISM /get-mountedwiminfo and press ENTER.
• To view a list of available servicing options, type DISM /image:c:\servicing /? and press ENTER.

Task 2: Add drivers to an offline image
• At the command prompt, type Net Use Z: \\Lon-DC1\Labfiles\Mod05\LabE and press ENTER.
• At the command prompt, type CD C:\Program Files\Windows AIK\Tools\Servicing and press ENTER.
• At the command prompt, type DISM /Image:C:\Servicing /Add-Driver /Driver:Z:\ipoint /recurse and press ENTER.

Task 3: Commit changes to an offline WIM image
• At the command prompt, type DISM /Unmount-Wim /Mountdir:C:\Servicing /commit and press ENTER.

Results: After this exercise, the custom Windows 7 image will include the Microsoft Intellipoint drivers.

Task 4: Virtual machine shutdown
When the lab is finished, revert each virtual machine to its initial state. To do this, complete the following steps:
• On the host computer, start Hyper-V Manager.
• Right-click each virtual machine name in the Virtual Machines list, and then click Revert.
• In the Revert Virtual Machine dialog box, click Revert.
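The Lab E sequence (mount, add drivers, commit) written as a PowerShell script; this is an added example, not part of the courseware. It assumes a SHA-256 value was recorded when LON-REF.wim was captured (the lab records none) and refuses to service a file that does not match it, and it discards the mount if any DISM step fails. The log file name and the .sha256 sidecar file are also assumptions.

```powershell
# Added example (not courseware code): Lab E's mount / add-driver / commit
# sequence with an integrity check first and a discard-on-failure path.
# Run from an elevated prompt, as the lab requires for DISM.
param(
    # Assumption: SHA-256 of the WIM, recorded when the image was captured.
    [Parameter(Mandatory = $true)][string]$ExpectedSha256,
    [string]$WimFile   = 'C:\Images\LON-REF.wim',
    [int]$Index        = 1,
    [string]$MountDir  = 'C:\Servicing',
    [string]$DriverDir = 'Z:\ipoint',
    # Assumption: log file name chosen for this example.
    [string]$LogPath   = 'C:\Images\LabE-servicing.log'
)

function Get-Sha256 {
    param([string]$Path)
    # .NET classes are used so this also works where Get-FileHash is absent.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLower()
}

function Invoke-Dism {
    param([string[]]$Arguments)
    # Each array element is passed to dism.exe as a separate argument.
    & dism.exe $Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "dism.exe $($Arguments -join ' ') failed with exit code ${LASTEXITCODE}"
    }
}

# 1. Service only the file that was captured: compare its hash first.
$actual = Get-Sha256 -Path $WimFile
if ($actual -ne $ExpectedSha256.Trim().ToLower()) {
    throw "SHA-256 mismatch for ${WimFile}: got $actual. Image left untouched."
}

# 2. Mount the image read/write, as in Task 1.
if (-not (Test-Path -Path $MountDir)) {
    New-Item -ItemType Directory -Path $MountDir | Out-Null
}
Invoke-Dism -Arguments '/Mount-Wim', "/WimFile:$WimFile", "/index:$Index", "/MountDir:$MountDir"

# 3. Add the drivers (Task 2) and commit (Task 3). If either step fails, the
#    finally block discards the mount so a half-serviced image is never saved.
#    /ForceUnsigned is deliberately not passed, so DISM keeps its signature
#    requirement for drivers added to x64-based images.
$committed = $false
try {
    Invoke-Dism -Arguments "/Image:$MountDir", "/LogPath:$LogPath", '/LogLevel:2',
                           '/Add-Driver', "/Driver:$DriverDir", '/recurse'
    Invoke-Dism -Arguments '/Unmount-Wim', "/MountDir:$MountDir", '/commit'
    $committed = $true
} finally {
    if (-not $committed) {
        & dism.exe '/Unmount-Wim' "/MountDir:$MountDir" '/discard'
    }
}

# 4. Record the new hash so the next servicing run or deployment can verify it.
$newHash = Get-Sha256 -Path $WimFile
"$newHash  $WimFile" | Out-File -FilePath "${WimFile}.sha256" -Encoding ascii
Write-Output "Serviced image committed. New SHA-256: $newHash"
```

Keep the expected hash somewhere other than the share that holds the image, so that an account able to modify the WIM cannot also rewrite the value it is checked against.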


Module Review and Takeaways

Real-World Issues and Scenarios

1. Joseph is project managing the deployment of Windows 7 across Fabrikam's network of client computers. He wants to improve upon the deployment experience that they previously had with Windows XP several years ago by ensuring that the client installations are fast and consistent, and that multiple computers can be duplicated quickly.

Since Fabrikam is giving its users a choice from a standardized range of applications that can be deployed along with Windows 7, Joseph wants to stage all of these applications in the reference installation. Based on these requirements, what deployment method does Joseph need to employ?

Manisha is the IT Manager for a small wholesale distributor. She wants to deploy Windows 7 across the eight client computers in the organization's warehouse. She has the computers set up on an internal network, but she is not familiar with creating images. Which deployment method do you recommend Manisha use, and why?

You have installed Windows 7 on your company's client computers. However, you are later informed that one of the computers has a corrupted system file and will not start. From the list of tools covered in this module, which tool can you use to help fix the computer?

Paul is the lead technologist at London-based Tailspin Toys Inc. He is assigned the task of deploying Windows 7 across each of the organization's client computers. In an effort to decrease costs and scheduling risks, Paul plans to install Windows as rapidly as possible, including all relevant updates, applications, and settings.

To accomplish this objective, he has decided to use ImageX to capture Windows Image (.wim) files for later deployment. What steps must Paul perform to prepare for the image capture?

2. In Paul's hurry to get his Windows 7 image deployed as quickly as possible at Tailspin Toys, he failed to consider any security threats to his images. Why is this concern a serious shortcoming in his planning efforts?


Best Practices Related to the Windows AIK

1. When building your deployment environment, it is recommended that you create a lab environment dedicated to developing and testing your Windows 7 deployment. The lab must mirror the production environment as closely as possible to ensure that all aspects of this environment can be accounted for in the development process.
2. Deploying Windows 7 images from a network is ideal for corporate deployments. Using an image-based deployment over a network ensures that your installations are faster and consistent across all your systems. This method provides maximum flexibility and enables you to duplicate multiple computers quickly.
   After creating a base image, you can install it on multiple computers so that all clients end up with identical configurations. You can also customize the base image to meet the requirements of a specific user or group of users.

Best Practices Related to the Servicing Images

1. Elevate Permissions for Command-Line Tools: All deployment command-line tools, including Deployment Image Servicing and Management (DISM), require elevated permissions. To ensure that you have elevated permissions, click Start, point to All Programs, point to Windows OPK (or Windows AIK), right-click Deployment Tools Command Prompt, and then select Run as administrator. This must be done even if you are logged on as an administrator.
2. Servicing an Image: The best way to service a Windows image is offline with the DISM tool. DISM can be used to install, uninstall, configure, and update drivers, features, and packages in Windows images and Windows Pre-installation Environment (Windows PE) images without starting the image.
3. Package Locations: Do not put a package you intend to install directly at the root of a partition on a Windows 7 installation.
4. Use Log Files: By default DISM will log verbose information to %WINDIR%\Logs\Dism\Dism.log. You can also specify a name and location of your choice for the log file and set the /loglevel parameters so that only the information you are interested in is logged.
   When an error occurs, the console will display the error code, error message, and the location of the log file. The log file will automatically be archived. The archived log file will be saved with .bak appended to the file name, and a new log file will be generated. Each time the log file is archived, the .bak file will be overwritten. The log file provides the history of the operations performed, which can help you troubleshoot problems.

Tools
The following table provides a consolidated list of the tools covered in this module.

Tool: Windows Preinstallation Environment (Windows PE)
Use for: Windows PE is a compact, special-purpose Windows operating system that prepares and initiates a computer for Windows Setup, maintenance, or imaging tasks, and recovers operating systems such as Windows 7. With Windows PE, a subset of Windows 7 can be started from a network or removable medium, which provides network and other resources necessary to install and troubleshoot Windows 7. Windows PE can also start a computer that has no functioning operating system installed, and act as a replacement for MS-DOS®–based boot disks that were utilized in previous Windows operating system versions.
Where to find it: Located in the Windows AIK, which is installed to the C:\Program Files\Windows AIK directory.

Tool: System Preparation tool (Sysprep)
Use for: Sysprep prepares a Windows image for disk imaging, system testing, and delivery to an end user. Sysprep can remove any system-specific data from a Windows image, such as the security identifier (SID). After removing unique system information from an image, you can capture that Windows image and use it to deploy on multiple systems. In addition, Sysprep can configure the Windows image to start to audit mode. Audit mode enables you to test the integrity of the system and install additional applications and device drivers. Sysprep is also used to configure Windows to start to Windows Welcome the next time the system starts.
Where to find it: Windows command line tool. Syntax: sysprep.exe [/oobe | /audit] [/generalize] [/reboot | /shutdown | /quit] [/quiet] [/unattend:answerfile]

Tool: Windows System Image Manager (Windows SIM)
Use for: Windows SIM is a tool used for customizing and automating Windows 7 installations. Windows SIM enables you to create and manage unattended Windows Setup answer files. These answer files are used during the Windows Setup installation phases to apply additional configurations and customizations to the default installation.
Where to find it: Located in the Windows AIK, which is installed to the C:\Program Files\Windows AIK directory.

Tool: ImageX
Use for: ImageX is a command-line tool that enables the creation, modification, and deployment of file-based images by using a shared imaging format across operating system images, including applications. ImageX works with Windows image (.wim) files for copying to a network. The .wim files contain one or more volume images for a Windows operating system. A volume image represents the captured volume or partition of a Windows operating system. The primary purpose of the ImageX tool is to capture, modify, and apply images for deployment in a manufacturing or corporate IT environment.
Where to find it: Located in the Windows AIK, which is installed to the C:\Program Files\Windows AIK directory.

Tool: Deployment Image Servicing and Management tool (DISM)
Use for: DISM is a new command-line tool in Windows 7 and Windows Server 2008 R2. DISM consolidates the core image management functions of multiple tools found in the Windows Automated Installation Kit (AIK). DISM enables IT professionals to view components of an applied or mounted operating system image and add or remove packages, software updates, and drivers. DISM can service Windows images offline before deployment or to prepare a Windows Pre-installation Environment (Windows PE) image.
Where to find it: Located in the Windows AIK, which is installed to the C:\Program Files\Windows AIK directory.

The following table describes the documentation resources available on the Windows AIK DVD and installed with the Windows AIK tools. Additional documentation can be included on the Windows AIK DVD but not listed in this table.

Documentation: Windows Automated Installation Kit (Windows AIK) User's Guide (Windows AIK.chm)
Description: Provides the conceptual and procedural information required for unattended installation of Windows operating systems. This user's guide includes information on:
• Planning
• Preparing the deployment environment
• Creating and customizing an image
• Capturing, modifying, and testing the image
• Deploying, maintaining, and servicing the image

Documentation: Imaging APIs for Windows (Wimgapi.chm)
Description: Provides comprehensive coverage of all the Windows imaging application programming interfaces (APIs).

Documentation: Windows Pre-installation Environment (Windows PE) User's Guide (Winpe.chm)
Description: Provides instructions on creating a customized version of Windows PE and enabling Windows PE to start from different types of media.

Documentation: Component Platform Interface (CPI) Reference (Cpiapi.chm)
Description: Documents the APIs that are used in Windows SIM.

Documentation: Windows Unattended Setup Reference (Unattend.chm)
Description: Provides comprehensive coverage of all the customizable settings in the Windows Unattend.xml file.

Documentation: Step-by-Step: Basic Windows Deployment for IT Professionals (stepbystep_itpro)
Description: Provides basic instructions on building an end-to-end deployment. This guide is ideal for new users who want to learn the basics of Windows deployment.




Module 6
Deploying Windows® 7 by Using Windows Deployment Services

Contents:
Lesson 1: Overview of WDS
Lesson 2: Designing and Configuring WDS for Windows 7 Deployment
Lab: Deploying Windows 7 by Using Windows Deployment Services


Module Overview

Deploying a new operating system is a balancing act. On one side of the scale are the benefits of the new operating system. On the other side are the costs to deploy the new operating system. When you compare the two, deployment complexities may make it hard to quickly realize the benefits of the new operating system because of the following challenges:
• Time, cost, and effort required to deploy a new operating system
• Compatibility issues between applications and the new operating system
• Ambiguous and error-prone deployment processes that increase costs
• Lack of best practices for deploying desktop operating systems
• Lack of a comprehensive suite of deployment tools

Windows Deployment Services (WDS) addresses these challenges by enabling you to remotely deploy Windows® 7 and custom system images to client computers located within the network infrastructure. WDS can now deploy images using multicast in standalone mode using Transport Server. The Transport Server is a new Trivial File Transfer Protocol (TFTP) server with better performance, support for Extensible Firmware Interface (EFI)-based x64 systems, and enhanced installation metrics reporting. Multicasting is useful for the point-to-multipoint delivery of information on an internetwork.


Lesson 1
Overview of WDS

By using WDS, the IT professional can deploy Windows 7 over the network. This means that they do not have to install each operating system directly at the computer from a CD or DVD.

WDS can be used for storing, managing, and deploying client and server images, using the Preboot Execution Environment (PXE) startup process to install the operating system over the network. WDS can also deploy to new computers that do not have a formatted hard drive. These are called bare-metal installations.


What Is WDS?

Key Points
In Windows Server® 2008 and later, WDS is a configurable server role. The following are the main WDS elements:
• Server Elements: Used to network boot a client and install an operating system.
• Client Elements: Communicate with server elements and are used to select and install an operating system image.
• Management Elements: Use this set of tools to manage the server, operating system images, and client computer accounts.

What's New in WDS?
WDS in Windows Server 2008 R2 contains the following improvements:
• VHD support: Provides support for deploying virtual hard disk (.vhd) images as part of an unattended installation.
• Multicasting: Provides the ability to transmit install images using multicasting. This includes the ability to automatically disconnect slow clients and the ability to transfer images using multiple streams of varying speeds.
• IPv6: Provides support for multicasting in environments that use IPv6.
• Driver Provisioning: Provides the ability to add and configure driver packages on the server, and then deploy them to client computers during installations based on their hardware.
• Extensibility: Provides support for transmitting data and images using multicasting on a stand-alone server (Transport Server). This version contains a PXE provider, which allows you to start clients.
• Extensible Firmware Interface (EFI) support: Provides support for network booting x64-based computers with EFI, including support for the Auto-Add policy and the ability to deploy boot images using multicasting.


WDS Role Services

Key Points
WDS consists of two role services: Deployment Server and Transport Server. While you are installing WDS, there are two options. You can install:
• Both the Deployment Server and Transport Server role services (default)
• Only the Transport Server role service

Full WDS
Selecting both the Deployment Server and Transport Server role services is also called the Full WDS option, which provides the full functionality of WDS. This option requires that Active Directory Domain Services (AD DS), DHCP, and DNS be available in the environment.

Features provided by the Full WDS role include:
• PXE boot services
• Microsoft Management Console (MMC) tools
• The ability for the client to select which image to install from a presented list
• Unicast and multicast deployments

Transport Server Only
The Transport Server Only option provides only the core networking components required for creating and managing a multicast stream. A multicast stream allows multiple clients to tune into a stream of data without requiring the data to be sent individually to each client on a separate unicast stream. The Transport Server does not require AD DS, DHCP, or DNS. Additionally, without writing a custom PXE boot provider, PXE startup is not supported.


You must select this option when Active Directory, DHCP, or DNS are not available in the environment. For example, a data center that blocks DHCP within the server room may use this method to deploy server images.

Because of the lack of PXE boot, all machines that must be imaged will be manually started using a custom boot image that is tied to the server and the multicast stream. This adds a level of cost and complexity around boot image management and the requirement for manual intervention to the deployment process.

The following table contains requirements for installing these roles, depending on whether you select the default installation (both Deployment Server and Transport Server), or only the Transport Server role service.

Full WDS

• AD DS: A WDS server must be either a member of an AD DS domain or a domain controller for an AD DS domain. The AD DS domain and forest versions are irrelevant; all domain and forest configurations support WDS.
• DHCP: You must have a working DHCP server with an active scope on the network because WDS uses PXE, which relies on DHCP for IP addressing.
• DNS: You must have a working DNS server on the network before running WDS.
• NTFS volume: The server running WDS requires an NTFS file system volume for the image store.
• Credentials: To install this role, you must be a member of the Local Administrators group on the server. To initialize the server, you must be a member of the Domain Users group.

Transport Server Only

• For Windows Server 2008: The only prerequisite is that you must be a member of the Local Administrators group on the server to install the Transport Server role service. A PXE provider is not installed with Transport Server, so you must create a custom PXE provider to perform a network boot.
• For Windows Server 2008 R2: You must be a member of the Local Administrators group to install the Transport Server role service. In addition, if you are using Transport Server to network boot, your environment must contain DHCP (Windows Server 2008 R2 contains a PXE provider, which allows you to network boot).


Types of Images Supported by WDS

Key Points

WDS uses two basic image types, both of which use the Windows Image (.wim) file format:

• Install image
• Boot image

You can also create two additional types of boot images:

• Capture image
• Discover image

In most cases, use the standard boot image included on the Windows 7 media (located at \Sources\boot.wim). You can use the tools in the Windows Automated Installation Kit (AIK) to create custom boot images. You may want to create custom boot images for different tasks and architecture types.

Capture images are boot images that contain Windows PE and the WDS Image Capture Wizard. When you start a computer into a capture image, the wizard creates an install image of the computer and saves it as a .wim file. Then you can upload the image to the WDS server or copy it to bootable media.

Capture images provide a subset of the functionality included in the ImageX /capture command. For example, the Image Capture Wizard does not capture an image directly to a network location without making a local image copy and also does not capture a partial volume.

Discover images are generally used in scenarios where the client cannot perform a network boot using PXE. These images enable a computer to locate a WDS server and use it to install an image. Use a discover image in the following scenarios:

• A client is not PXE-enabled
• A client is on a different subnet and there is no method of getting PXE to the client


• You have many WDS servers and want to target a specific server

Question: How is an install image different from a boot image?


Process of Deploying Windows 7 by Using WDS

Key Points

The process of deploying Windows 7 by using WDS involves multiple steps.

Planning and Designing the WDS Environment

The tasks involved in planning and designing WDS for the Windows 7 deployment are examined in the next lesson.

Install WDS

You can install WDS by using the Initial Configuration Wizard, Server Manager, or the command line. During the installation, select a role service as follows:

• Deployment Server: To install this option, ensure that Deployment Server and Transport Server are selected on the second screen of the installation wizard.
• Transport Server: To install this option, clear the Deployment Server check box on the second screen of the installation wizard.

Configure WDS

The following are the key steps of this phase:

• Create a shared folder that contains the following:
  • Files necessary for PXE boot
  • Files for starting Windows PE into RAMDISK
  • Windows PE boot images
  • Install images
• Configure the answer settings of the PXE listener to control whether and how the server services incoming client start requests.


If Microsoft DHCP is installed on the same physical computer as WDS, the configuration wizard allows you to do the following:

• Add DHCP option tag 60, with the PXE client setting selected, to all DHCP scopes (as a DHCP global option). This is necessary so that a starting PXE client can be notified that there is a listening PXE server on the network.
• Select the Do not Listen on port 67 option. This is necessary so that starting clients can find the DHCP server on the network.

Add Boot and Install Images

You must add at least one boot image and one install image before you can PXE boot a computer to install an operating system (unless you use RIS). Once you have added the default images, you are ready to deploy operating systems.

Configure Boot Menu

When there are multiple Windows 7 boot images available to client computers, they are presented with a boot menu that displays the boot images. Users select a boot image, then the computer starts into Windows PE and the install images are displayed. The boot menu allows you to have boot images for different tasks and architecture types.

Prestaging Clients for Deployments

You can use WDS to link physical computers to computer account objects in AD DS. This is called prestaging the client. Prestaged clients are also called known computers. Prestaging the client allows you to configure properties to control the installation for Windows 7.

Deploying the Operating System on Clients by Using WDS

WDS supports the following deployment methods:

• Manual deployment
• Lite Touch deployment
• Zero Touch deployment

To deploy Windows 7 to a large set of available machines, the simplest approach consists of three steps:

1. Prepare an initial computer with Windows 7 and perform the software configuration required.
2. Use WDS to create an image.
3. Use WDS to deploy the image onto the target computers.


Lesson 2

Designing and Configuring WDS for Windows 7 Deployment

To successfully deploy Windows 7, you need to understand how to design and configure WDS deployment. Some of the prerequisite decisions and activities important for a successful deployment include the determination of WDS servers that will be used, whether there is a WDS or remote installation infrastructure, server resource requirements, and the WDS server roles.

Knowing which boot and install images are needed, and in what situations, may lead you to decide to capture a custom image for deployment by using the Image Capture Wizard. Finally, you need to understand how to deploy a Windows 7 client using WDS, including prestaging clients and approving and rejecting client deployment requests.


Considerations for Designing a WDS Environment

Key Points

The following steps represent the critical design decisions and activities in a successful, well-planned WDS implementation.

Step 1: Determine the Number of WDS Instances Required

This step provides guidance on identifying the locations that require a WDS instance. Each WDS instance consists of a WDS server with access to an image storage system. The number of instances identified determines the number of times the design process is applied. User or business requirements may drive multiple instances of WDS within a single physical location.

Task 1: Identify Locations Requiring Access to a WDS Instance

For every location in the environment that requires image deployments to a client, access to at least one WDS instance is required. If the clients are separated by a WAN from the planned WDS instance, ensure that the WAN provides low latency and enough available bandwidth for WDS to function properly.

Task 2: Determine the Need for Multiple WDS Installations in a Single Location

Although a single WDS instance may be sufficient to meet the image deployment requirements of a location, additional requirements may force the architect to plan for multiple WDS instances within a single physical location for reasons such as isolated networks and low bandwidth or high latency.

Step 2: Determine if There Is an Existing WDS or RIS Infrastructure

The next step is to identify whether a new WDS 2008 instance is necessary or whether an existing WDS 2003 or RIS infrastructure will be upgraded for each WDS instance identified in step 1. In locations requiring a WDS instance with no legacy infrastructure, a new WDS 2008 instance will be planned. However, locations with existing legacy infrastructure need to be evaluated for replacement or upgrade.


Step 3: Select between Full WDS or Transport Server Role

For each instance, determine whether a Full WDS server will be deployed or only the Transport Server role. This information is used when determining the server requirements later in the process.

Option 1: Full WDS

The Full WDS option provides the full functionality of WDS. This option requires that AD DS, DHCP, and DNS be available in the environment.

Option 2: Transport Server Role

The Transport Server role provides a subset of the functionality of WDS. It contains only the core networking parts. You can use Transport Server to create multicast namespaces that transmit data from a standalone server. Use this option when you want to transmit data by using multicasting, but you do not want to incorporate all of WDS.

Step 4: Determine the Server Resource Requirements

This step determines the size and number of WDS servers required for each WDS instance. Deployment requirements are identified for the instances, and the servers are then scaled, both up and out, to meet those requirements.

To determine the number of servers and the form factor of the servers, several key pieces of information must be gathered for each WDS instance, including the total number of computers, image deployment speed, and the size and number of images.

Determine Whether Virtualization Is Used

For each instance, determine whether the WDS infrastructure is physical or virtual and record the decision.

Determine WIM Storage Location

While the boot image files are always stored locally on the WDS server, a decision needs to be made on whether the operating system WIM-based image files are stored locally or on a remote file server. This is done for each instance.

Scale the Servers

For each instance, the WDS servers and remote file servers, if used, need to be scaled to handle the expected load. For the best performance in large organizations, it is recommended that WDS be deployed to its own server.

CPU

WDS is primarily input/output (I/O) bound by the network and the speed that the image data file can be read from the disk. If additional services are placed on the same server as WDS, then the type, number, and speed of processors can be adjusted to handle the additional load.

Memory

WDS attempts to cache the operating system image files in memory after the initial client request for the image. This decreases the response time for additional requests of the image as the server does not read the image from disk again. Increasing the memory capacity of the server to allow for more images to be cached can improve the performance of the server.

Use the size and number of images required for a location to help determine how much RAM to allocate to the server above the base requirements for the operating system.


Network

For each server, determine the size and number of network adapters. The available bandwidth and the latency of the network between the clients and the location of the WIM-based images have the greatest impact on the performance of the infrastructure. WDS performs best using a 1 Gb per second network adapter.

Disk

Disk performance has the second greatest impact on the performance of the infrastructure. The disk subsystem is scaled to handle the expected number of I/Os per second (IOPS) generated by the client requests. The capacity of each spindle, number of spindles, speed of the spindles, and RAID configuration of the spindles all have an effect on the number of IOPS that can be handled at a given time.

The choice to use unicast versus multicast streaming can also affect the performance requirements of the disk system. A multicast stream requires less performance around IOPS than a unicast SMB stream handling the same number of clients.

Step 5: Determine the File Share Fault Tolerance and Consistency Mechanism

To increase the availability of the infrastructure, the share through which the WIM-based images are accessed can be made fault tolerant. The shares that are made fault tolerant include the REMINST share on the WDS server and any shares used on remote file servers.

Option 1: Distributed File System (DFS)

DFS can be used to provide a fault tolerant method for accessing file shares. DFS allows the administrator to define a file namespace and provide multiple targets for folders contained within the namespace.

Option 2: Server Clustering

Server clustering can increase the fault tolerance of a single content storage system file share. The file share becomes a clustered resource running on a cluster with two or more computers.

WIM-based Image Consistency

Although the file system or remote share is made fault tolerant, it is possible that images that are shared across systems may become inconsistent with respect to each other. This step identifies the method for maintaining and managing the consistency of the images.

Option 1: Manual Copy/Manage Image Locally

Images are managed locally at each server. To share images with other WDS servers, the images are manually copied to the target machines.

Option 2: DFS with Replication

If DFS is being used to provide the namespace fault tolerance for the images, then the built-in DFS Replication (DFS-R), provided in Windows Server 2008, can be used to keep all targets within the DFS tree synchronized with each other.

Option 3: Third-Party Replication

Third-party replication systems can be used to provide the image consistency.

Step 6: Determine the Client WDS Discovery Method

For each new WDS instance, determine the method used by clients to discover the WDS servers. Clients discover WDS servers through a PXE boot request, which is a modified DHCP request that is broadcast on the network. When the WDS server and the PXE client reside on the same network segment, no additional changes to the infrastructure are required. The broadcast is heard by the WDS server.


On networks where the clients and the WDS server are located on separate subnets, a mechanism for discovering the WDS server is required. Clients can discover WDS servers through network boot referrals or through IP helper updates.

Option 1: Using Network Boot Referrals

Network boot referrals use DHCP options 66 and 67 configured on the DHCP server to notify the PXE client where to download the network boot program.

Option 2: Using IP Helper Updates

IP helper updates involve configuring router and switching hardware to forward DHCP and PXE boot requests from the network segment where the client is located to the DHCP and WDS server's segment. In locations where the clients and WDS servers are separated by a router, a mechanism for discovering the WDS servers must be determined.

Question: What are the image requirements for Windows 7 in WDS?


Demonstration: Configuring the WDS Server Role

This demonstration shows you how to install and configure the WDS server role.

Install the WDS Server Role

1. Use the Server Manager console to add a new role by using the Add Roles Wizard.
2. On the Select Server Roles page, specify the role as WDS.
3. On the Select Role Services page, specify both Deployment Server and Transport Server.
4. Complete the wizard to install the role.

Configure the WDS Server Role

1. In the WDS console, expand the Servers node and select the WDS server that you want to configure.
2. On the Remote Installation Folder Location page, under path, specify the folder where the boot and install images will be stored.
3. On the DHCP Option 60 page, select the following options based on your requirements:
   • Do not listen on port 67: Select this if you are installing the WDS server role on a server that also hosts the DHCP server role.
   • Configure DHCP option 60 to 'PXEClient': Select this to provide DHCP scope information for locating the PXE server.
4. On the PXE Server Initial Settings page, select the option based on your requirements:
   • Do not respond to any clients: Select this to disable the PXE services from providing boot or install images to clients.
   • Respond only to known clients: Select this if you want only those clients that are pre-staged into Active Directory to use PXE services.
   • Respond to all client computers (Known and unknown): Select this if you want both known and unknown clients to use PXE services. This requires you to select the Require administrator approval for unknown computers option for additional security.


5. On the Operation Complete page, do not add images to the server.
6. In the Windows Deployment Services console, right-click the WDS server and then click Properties to view the properties that can be configured for the server. Take note of the following tabs:
   • General: Contains information about the Computer name, location of the remote installation folder, and the Server mode.
   • PXE Response: Contains options for configuring the PXE Response Policy.
   • AD DS: Contains options for defining how to name unknown computers and for specifying where computer accounts should be created.
   • Boot: Contains options for providing default PXE boot settings and default boot image selections.
   • Client: Contains options for providing an unattend file, joining a domain, and client logging.
   • DHCP: Contains options for configuring DHCP integration.
   • Multicast: Contains options for configuring multicast IP addresses and transfer settings.
   • Advanced: Contains options for integrating with domain controllers and DHCP authorization.
   • Network: Contains options for configuring the UDP port range.

Question: What is the difference between the Deployment Server and the Transport Server?


Adding Boot and Install Images

Key Points

You must add at least one boot image and one install image before booting to the WDS server and installing an image.

Perform the following procedure to add the Install.wim from the product DVD:

1. In the Windows Deployment Services MMC snap-in, right-click the Install Images node, and then click Add Install Image.
2. Specify a name for the image group, and then click Next.
3. Browse to select the default install image (Install.wim), which is located in the \Sources folder of the product DVD, and then click Open.
4. To add a subset of the images included in the Install.wim file, clear the check boxes for the images that will not be added to the server. Add only those images for which you have licenses.
5. Follow the instructions in the wizard to add the images.
6. Click the image group to verify that the correct images are added.
7. Repeat this procedure to add other install images.

Perform the following steps to add the default boot image included on the product DVD:

1. In the left pane of the Windows Deployment Services MMC snap-in, right-click the Boot Images node, and then click Add Boot Image.
2. Browse to choose the default boot image (Boot.wim) on the product DVD, located in the \Sources folder.
3. Click Open and then click Next.
4. Follow the instructions in the wizard to add the image.


5. Repeat this procedure to add other boot images. When multiple boot images are available to client computers, clients are presented with a boot menu that displays the boot images.
6. To modify any of the settings of the server, right-click the server in the MMC snap-in and then click Properties.
7. Now that there is at least one boot and install image on the server, you can perform a PXE boot on a client computer to install an operating system using the steps in the following section.

Deploying the Install Image

Use the following steps to perform a PXE boot on a computer to install an image:

1. Configure the BIOS of the computer to enable PXE booting and set the boot order so that it starts from the network first.
2. Restart the computer, and when prompted, press F12 to start the network boot.
3. Select the appropriate boot image from the boot menu. This boot image selection menu is available only if you have two or more boot images on the server.
4. Follow the instructions in the WDS user interface.
5. When the installation is completed, the computer restarts and Setup continues.


Creating a Custom Install Image by Using the Image Capture Wizard

Key Points

You can create custom install images for Windows 7. To do this, create a capture image, prepare a reference computer using Sysprep, and then capture the operating system using the Image Capture Wizard.

Steps for Creating a Capture Image

To create an install image, you must first create a capture image. Use the following procedure to create a capture image:

1. In the Windows Deployment Services MMC snap-in, expand the Boot Images node.
2. Right-click the image that you want to use as a capture image. In most cases, use the Boot.wim from the media.
3. Click Create Capture Boot Image.
4. Type a name, description, and the location to save a local copy of the file. You must specify a location in case there is a problem with the network when you deploy the capture image.
5. Continue to follow the instructions in the wizard, and when it is complete, click Finish.
6. Right-click the boot image folder and then click Add Boot Image.
7. Browse to select the new capture image.
8. Follow the instructions in the wizard.
9. Once you have created the capture image, follow the instructions in the next section to start a client computer into the capture image and capture the operating system into a .wim file.

Steps for Creating a Custom Install Image

Now that there is a capture image, you need to prepare a reference computer and then create the install image. The reference computer can be a computer with a standard Windows 7 installation or a Windows installation that has been configured for your environment. Use the following procedure to create a custom install image:

1. Create a reference computer (install the operating system, applications, and make any other changes desired).
2. Ensure that the correct version of Sysprep.exe is on the computer.
3. From a command prompt on the reference computer, change directories to \Windows\System32\Sysprep or a directory containing Sysprep.exe and Setupcl.exe.
4. Type sysprep /oobe /generalize /reboot. If you prefer, you can also use the Sysprep graphical user interface by double-clicking Sysprep.exe.
5. When the reference computer restarts, network boot the computer by pressing F12.
6. In the boot menu, select the capture image created in the previous procedure.
7. In the Volume to Capture drop-down list, choose the appropriate volume, and then enter a name and description for the image.
8. On the Image Capture Destination page, browse to the location where you want to store the captured image.
9. In the File name text box, type a name for the image using the .wim file name extension.
10. Click Upload image to WDS server.
11. Type the name of the WDS server and then click Connect.
12. If prompted for credentials, enter a user name and password for an account with sufficient privilege to connect to the WDS server.
13. In the Image Group drop-down list, choose the image group to store the image in.

Now you can PXE boot a client computer to install this image.

Question: What are the prerequisites for creating custom install images?


Demonstration: Provisioning Drivers by Using WDS

This demonstration shows you how to add and filter drivers using WDS.

Add Drivers to WDS

1. Create a new driver package using the Add Driver Package Wizard in the Windows Deployment Services MMC snap-in.
2. Specify the location of the driver package in the Location text box.
3. On the Available Driver Packages page, accept the default selections and then review the summary information. After this step is complete, driver packages are added to WDS.

Create a Driver Deployment Filter

There might be a number of scenarios that require different drivers. For example, you can have laptops that require specific multimedia drivers that differ from your desktop images. You can create filters to ensure that only systems that meet specific requirements receive drivers from WDS.

1. Create a new driver group named VX 6000 Lifecam.
2. In the Drivers node, modify the filters for the VX 6000 Lifecam driver group.
3. Add a filter using the following information:
   • Filter Type: Chassis Type
   • Operator: Equal to
   • Value: Laptop

Question: You have a driver package for a specific manufacturer that needs to be deployed. Which type of filter do you configure?


Configuring WDS to Manage Client Computer Requests

Key Points

The following client management tasks are done as part of the WDS configuration:

• Prestaging clients
• Enabling the Auto-Add policy
• Approving and rejecting pending computers
• Specifying settings for pre-staged client computers

Prestage a Client Computer

Perform the following steps to prestage a client computer with the MMC snap-in:

1. On the server running Active Directory Users and Computers, open the Active Directory Users and Computers MMC snap-in by clicking Start, clicking Run, typing dsa.msc, and then clicking OK.
2. In the console tree, right-click the organizational unit that will contain the new client computer.
3. Click New and then click Computer.
4. Type the client computer name, click Next, and then click This is a managed computer.
5. In the text box, type the client computer's MAC address preceded with twenty zeros or the globally unique identifier (GUID) in the format: {XXXXXXXX-XXXX-XXXX-XXX-XXXXXXXXXXXX}.
6. Click Next and click one of the following options to specify which server or servers support this client computer:
   • Any available remote installation server
   • The following remote installation server
7. Click Next and then click Finish.
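Step 5 above asks for the MAC address preceded with twenty zeros. The following added example (not part of the course material) builds that value from the MAC formats an inventory usually contains and flags entries that would prestage badly. The function name and the sample inventory are hypothetical, the MAC addresses are constructed, and PowerShell 3.0 or later is assumed.

```powershell
# Added example, not from the course. Builds the prestage identifier
# (twenty zeros + twelve MAC digits) and checks a small inventory for
# malformed and duplicate entries before anything is typed into AD DS.

function ConvertTo-WdsPrestageId {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$MacAddress
    )

    # Accept 00-1A-2B-3C-4D-5E, 00:1a:2b:3c:4d:5e or 001a.2b3c.4d5e.
    $hex = ($MacAddress -replace '[-:.\s]', '').ToUpperInvariant()

    if ($hex -notmatch '^[0-9A-F]{12}$') {
        throw "Not a 48-bit MAC address: '$MacAddress'"
    }
    if ($hex -eq '000000000000') {
        throw "All-zero MAC address: '$MacAddress'"
    }
    # A set low bit in the first octet marks a group (multicast or
    # broadcast) address, which never identifies a single adapter.
    if ([Convert]::ToInt32($hex.Substring(0, 2), 16) -band 1) {
        throw "Group address, not an adapter address: '$MacAddress'"
    }

    # Twenty zeros followed by the twelve MAC digits.
    return ('0' * 20) + $hex
}

# Constructed sample inventory (hypothetical names and addresses).
$inventory = @(
    [pscustomobject]@{ Name = 'LAB-PC01'; Mac = '00-1A-2B-3C-4D-5E' }
    [pscustomobject]@{ Name = 'LAB-PC02'; Mac = '00:1a:2b:3c:4d:5f' }
    [pscustomobject]@{ Name = 'LAB-PC03'; Mac = '001a.2b3c.4d5e' }  # same adapter as LAB-PC01
    [pscustomobject]@{ Name = 'LAB-PC04'; Mac = '00-1A-2B-3C-4D' }  # one octet short
)

# Convert every entry, recording the reason when one is rejected.
$result = foreach ($pc in $inventory) {
    try {
        [pscustomobject]@{
            Name       = $pc.Name
            PrestageId = (ConvertTo-WdsPrestageId -MacAddress $pc.Mac)
            Problem    = $null
        }
    }
    catch {
        [pscustomobject]@{
            Name       = $pc.Name
            PrestageId = $null
            Problem    = $_.Exception.Message
        }
    }
}

# Two computer accounts must not claim the same adapter: after
# normalization, differently written copies of one MAC collide here.
$result |
    Where-Object { $_.PrestageId } |
    Group-Object -Property PrestageId |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        $names = ($_.Group | ForEach-Object { $_.Name }) -join ', '
        foreach ($entry in $_.Group) {
            $entry.Problem = "Same adapter prestaged for: $names"
        }
    }

$result | Format-Table -AutoSize
```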


Configure the Auto-Add Policy

When the Auto-Add policy is enabled, administrative approval is required before unknown clients (clients that are not prestaged) can install an image. To enable this policy, do one of the following:

• With the MMC snap-in:
   1. Right-click the server in the MMC snap-in, and then click Properties.
   2. On the PXE Response settings tab, click Respond to all (known and unknown) client computers, and then select the For unknown clients, notify administrator and respond after approval check box.
• With the WDSUTIL tool: Run the following command at an elevated command prompt:
   WDSUTIL /Set-Server /AutoAddPolicy /Policy:AdminApproval

If this policy is enabled, when an unknown computer attempts to start against the server, the computer appears in the Pending Devices node of the MMC snap-in. The computer remains in this pending queue until it is approved or rejected, the time-out is reached, or the user cancels the attempt.

• If the computer is approved, the computer continues to start from the network, and a computer account object is created in AD DS to represent the physical computer.
• If the computer is rejected, the network start aborts, the computer starts from the next item in the boot order, and a computer account is not created.

If this policy is not enabled, WDS does not create a computer account for unknown clients. It does, however, still answer clients according to the settings on the server.

The Auto-Add policy applies only when the WDS server is set to answer all clients, and WDS does not find a prestaged computer account for a booting computer. In all other cases, this policy is not in effect. Also note that this policy does not pertain to computers that use EFI.

Approve and Reject Pending Computers

Use the following steps to approve a pending computer by using the default settings and the MMC snap-in:

1. Select the Pending Devices node.
2. Right-click the computer you want to approve, and then click Approve.

Perform the following steps to reject a pending computer using the MMC snap-in:

1. Select the Pending Devices node.
2. Right-click the computer and then click Reject or Reject All.

Specify Settings for Pending Computers

Specifying settings for pending computers is only available using WDSUTIL. Some of the settings you can specify for the pending computers include:

• Change the rate at which pending computers are polled
• Set the default network boot program
• Set the default boot image
• Set the domain join options for pending computers
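The approval workflow and the WDSUTIL-only pending-computer settings described above, scripted end to end as an added PowerShell example (not part of the courseware). The function names are hypothetical, and the poll interval, retry count, x64 architecture and boot program path are assumed values to adjust for your environment.

```powershell
# Added example, not from the courseware. Run on the WDS server from an
# elevated prompt. Function names are hypothetical; numeric values are assumed.

function Invoke-WdsUtil {
    # Run WDSUTIL with the given arguments and stop on the first failure.
    param([Parameter(Mandatory)][string[]]$Arguments)
    Write-Host "WDSUTIL $($Arguments -join ' ')"
    & wdsutil.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "WDSUTIL exited with code $LASTEXITCODE" }
}

function Enable-WdsAdminApproval {
    param(
        [int]$PollIntervalSeconds = 10,        # assumed value
        [int]$MaxRetry = 360,                  # assumed value
        [ValidateSet('x86', 'x64', 'ia64')][string]$Architecture = 'x64'
    )
    # The Auto-Add policy only takes effect when the server answers all
    # clients; with any other answer setting it is silently not in effect.
    Invoke-WdsUtil '/Set-Server', '/AnswerClients:All'
    Invoke-WdsUtil '/Set-Server', '/AutoAddPolicy', '/Policy:AdminApproval'

    # Rate at which pending computers poll, and how many polls they make
    # before the request times out (interval x retries = waiting time).
    Invoke-WdsUtil '/Set-Server', '/AutoAddPolicy',
                   "/PollInterval:$PollIntervalSeconds", "/MaxRetry:$MaxRetry"

    # Defaults applied to approved computers of this architecture: the network
    # boot program (path assumed, relative to the remote installation folder)
    # and the domain join options. JoinOnly is the narrower of the two rights.
    Invoke-WdsUtil '/Set-Server', '/AutoAddSettings', "/Architecture:$Architecture",
                   "/BootProgram:boot\$Architecture\pxeboot.com",
                   '/JoinDomain:Yes', '/JoinRights:JoinOnly'
}

function Get-WdsPendingDevice {
    # List the queue shown in the Pending Devices node, with request IDs.
    Invoke-WdsUtil '/Get-AutoAddDevices', '/DeviceType:PendingDevices'
}

function Approve-WdsPendingDevice {
    # Approve one request and name the computer account created in AD DS.
    param(
        [Parameter(Mandatory)][int]$RequestId,
        [Parameter(Mandatory)][string]$MachineName
    )
    Invoke-WdsUtil '/Approve-AutoAddDevices', "/RequestId:$RequestId",
                   "/MachineName:$MachineName"
}

function Deny-WdsPendingDevice {
    # Reject one request; the client falls through to the next boot device.
    param([Parameter(Mandatory)][int]$RequestId)
    Invoke-WdsUtil '/Reject-AutoAddDevices', "/RequestId:$RequestId"
}

if (Get-Command wdsutil.exe -ErrorAction SilentlyContinue) {
    Enable-WdsAdminApproval
    Get-WdsPendingDevice
    # Approve-WdsPendingDevice -RequestId 1 -MachineName 'LON-CL3'   # constructed
} else {
    Write-Warning 'wdsutil.exe not found; run this on the WDS server.'
}
```

Match the request ID shown on the client's screen against the queue before approving, since approval creates a computer account in AD DS.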


Question: You want to configure properties on the computer account to control the installation for the client. What do you need to do to the client?


Deploying VHD Images by Using WDS

Key Points

You can deploy virtual hard disk (.vhd) images of Windows 7 to a physical (not virtual) computer using WDS. In general, you deploy .vhd images in the same way that you deploy .wim images. Using WDSUTIL at the command line is the only supported method of adding and configuring the .vhd images. In addition, the deployment must be part of an automated installation.

The process of deploying a virtual hard disk image is as follows:

1. Add a .vhd image to the server.
2. Configure an unattended installation for the .vhd image.
3. Deploy the .vhd image.

Adding a .vhd image to the server

Perform the following steps to add a .vhd image to the server:

1. Open an elevated command prompt.
2. Create an image group. You need an image group specifically for .vhd images because they cannot be in image groups with .wim images. To create an image group for the .vhd image, use the following syntax:
   WDSUTIL /Add-ImageGroup /ImageGroup:<image group name>
3. To add the .vhd image to the server, use the following syntax:
   WDSUTIL /Verbose /Progress /Add-Image /ImageFile:<path to .vhd file> /ImageType:Install /ImageGroup:<image group name>

Configuring an unattended installation for a .vhd image


• Prestage a specific client with a client unattend file.
• Enable the Auto-Add policy and assign the client unattend file when you approve the installation.
• Associate the client unattend file for all architectures.
• Create an image unattend file, which automates the later phases of setup.

Deploying a VHD Image

During the initial stages of .vhd deployment, the installation progress screen on the destination computer is identical to the screen when deploying .wim images. Use the following steps to deploy a .vhd image:

1. Configure the BIOS of the computer to enable PXE booting and set the boot order so that it boots from the network first.
2. Restart the computer, and when prompted, press F12 to start the network boot.
3. The installation proceeds using the settings from the unattend files.
4. When the installation is completed, the computer restarts and Setup continues.

Question: In general, you deploy .vhd images the same way that you deploy .wim images. What WDS command-line tool do you use to do this?


Lab: Deploying Windows 7 by Using Windows Deployment Services

Computers in This Lab

Before you begin the lab, you must start the virtual machines. The virtual machines used at the start of this lab are:

• 6294A-LON-DC1
• 6294A-LON-CL1
• 6294A-LON-CL2
• 6294A-LON-CL3

Start the virtual machines

1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.
2. In the Virtual Machines pane, click the virtual machine name. In the Actions pane, under the virtual machine name, click Start.
3. To connect to the virtual machine, click the virtual machine name, and in the Actions pane, under the virtual machine name, click Connect.

Exercise 1: Designing the Windows Deployment Services Environment

Scenario

You are the team lead for the Windows 7 deployment project at Contoso Ltd. Adam Carter, the IT Manager of the Marketing department, has suggested using WDS as the deployment method for the department. If all works well, you will then expand the service to other departments within the organization.


Adam has sent an email to you describing some of his thoughts and requirements for the WDS deployment method.

The main tasks for this exercise are as follows:

1. Read the supporting documentation.
2. Update the Windows Deployment Services Design and Configuration Sheet.

Supporting Documentation

E-Mail from Adam Carter:

Ed Meadows
From: Adam Carter [Adam@contoso.com]
Sent: 28 June 2009 11:01
To: ed@contoso.com
Subject: Re: Windows Deployment Services for the Marketing Department

Hey Ed,

Since the Marketing department has been chosen for the Windows 7 deployment pilot program, I think it would be great if we could deploy a Windows Server 2008 R2 Windows Deployment Services server role. We have a server named LON-DC1 that can be used for the server role. All of the new client computers will be PXE-enabled. However there are some considerations that I will list below:

• LON-DC1 also hosts the DHCP server role for the department.
• LON-DC1 has two volumes: Drive C: which is 80 percent full, and Drive E:, which is only 10 percent full.
• The Marketing department does not have any special image requirements other than a default installation (all settings will be configured post-deployment).
• We do plan on deploying 64-bit laptops in the next few weeks. I have an updated driver for the VX6000 Lifecam that I will have available for when we need it.
• To ensure security, we need to make sure that only known or approved computers can be installed over the network.
• We will start off with only a couple of computers, but do think about how we can scale WDS so that we have availability and also minimize network congestion.

If you have any questions please let me know.

Regards,
Adam.

Windows Deployment Services Design and Configuration

Document Reference Number: WDS2009
Document Author: Ed Meadows
Date: 2nd August

Requirement Overview

To install and configure Windows Deployment Services server role.
To deploy Windows 7 to the new Marketing department computers.


Windows Deployment Services Design and Configuration

Additional Information

You have purchased 10 new computers for the Marketing department.
The Marketing department has a single server named LON-DC1.

Since LON-DC1 also hosts the DHCP server role, how does this affect the Windows Deployment Services server role?

1. Where do you configure the Remote Installation Folder Location?
2. What types of images are required for your deployment? How can you organize the install images for future deployment with other departments?
3. How will you configure WDS to ensure security?
4. What specific platform considerations do you have for your deployment?
5. What are some ways that you can provide availability and minimize network congestion?

Task 1: Read the supporting documentation

• Read the scenario and supporting documentation.

Task 2: Update the design and configuration document with your planned course of action

• Answer the questions in the additional information section of the document.

Results: After this exercise, you have the main points of how the WDS server role is configured for the Marketing department.


Exercise 2: Installing and Configuring the Windows Deployment Services Server Role

Scenario

Your first step for the Windows 7 deployment is to install and configure the WDS server role. You will use the information gathered from the Windows Deployment Services Design and Configuration document.

The main tasks for this exercise are as follows:

1. Install the Windows Deployment Services server role.
2. Configure Windows Deployment Services.

Note: LON-DC1 is the computer that is to be configured with the WDS server role.

Task 1: Install the Windows Deployment Services server role

• Log on to LON-DC1 as Contoso\Administrator using the password Pa$$w0rd.
• Start Server Manager.
• Add the Windows Deployment Services server role.
• Select Role Services:
   • Deployment Server
   • Transport Server

Task 2: Configure Windows Deployment Services

• Start the Windows Deployment Services console.
• Expand the Servers node and then click LON-DC1.Contoso.com.
• Right-click LON-DC1.Contoso.com and configure the server as follows:
   • Remote Installation Folder Location: E:\RemoteInstall
   • DHCP Option 60:
      • Do not listen on port 67: selected
      • Configure DHCP option 60 to ‘PXEClient’: selected
   • PXE Server Initial Settings: Respond to all client computers (known and unknown)
   • Require administrator approval for unknown computers: selected
   • Add images to server now: Not selected

Results: After this exercise, you have installed and performed initial configuration tasks for the WDS server role.


Exercise 3: Adding Boot and Install Images to WDS

Scenario

Now that WDS has been configured, your next step is to add the required boot and install images.

The main tasks for this exercise are as follows:

1. Add a boot image to WDS.
2. Add an install image to WDS.

Note: LON-DC1 is the computer that is configured with the WDS server role.

Task 1: Add a boot image to WDS

• In the Hyper-V Virtual Machine Connection window, click the Media menu option, point to DVD Drive, and then click Insert Disk.
• Browse to C:\Program Files\Microsoft Learning\6294\Drives, click Windows7_32bit.iso, and then click Open. Close the AutoPlay window.
• In the Windows Deployment Services console, right-click Boot Images and add a boot image with the following configuration:
   • Image file location: D:\sources\boot.wim
   • Image Metadata: Leave at default name and description.

Task 2: Add an install image to WDS

• In the Windows Deployment Services console, right-click Install Images and add an install image with the following configuration:
   • Image Group: Marketing
   • Image File: D:\sources\install.wim
   • Available Images: Windows 7 ENTERPRISE
   • Use the default name and description for each selected image: selected

Results: After this exercise, you have added the default boot and install images from the Windows 7 DVD media to WDS.


Exercise 4: Provisioning Drivers by Using WDS

Scenario

Adam has asked you to ensure that VX 6000 Lifecam drivers are available for the 64-bit laptops that will be deployed in a few weeks. You need to import the required drivers and configure a filter to ensure that only laptops receive the driver package during deployment.

The main tasks for this exercise are as follows:

1. Add drivers to WDS.
2. Create a driver deployment filter.

Note: LON-DC1 is the computer that is configured with the WDS server role.

Task 1: Add drivers to WDS

• In the left-hand console pane, expand LON-DC1.Contoso.com and then click Drivers.
• Right-click Drivers and add a new driver package with the following configuration:
   • Driver Package Location:
      • Select all driver packages from a folder: selected
      • Location: E:\Labfiles\Drivers\VX6000
   • Available Driver Packages: Accept default selections.
   • Driver Groups: Create a new driver group named: VX6000 Lifecam

Task 2: Create a driver deployment filter

• In the left-hand console pane, expand LON-DC1.Contoso.com and then expand Drivers.
• Click the VX 6000 Lifecam node.
• Right-click VX 6000 Lifecam and then modify the filters for this group as follows:
   • Filter Type: Chassis Type
   • Operator: Equal to
   • Value: Laptop

Results: After this exercise, you have added a driver package to WDS and created a driver deployment filter.


Exercise 5: Deploying a Desktop Operating System Using WDS

Scenario

WDS has now been configured and you are ready to deploy Windows 7 to a network client.

The main tasks for this exercise are as follows:

• Install Windows 7 using WDS.

Note: LON-DC1 is the computer that is configured with the WDS server role. LON-CL3 is a network client that does not contain any operating system.

Task 1: Install Windows 7 using WDS

• In the Hyper-V Manager console, start 6294A-LON-CL3.
• When you are prompted, press F12. A pending request ID appears followed by Message from Administrator.
• Switch to LON-DC1 and then name and approve the pending request as LON-CL3.
• On LON-CL3, configure the Windows Deployment Services box as follows:
   • Accept the default Locale and Keyboard or input method.
   • Connect to LON-DC1.Contoso.com as Contoso\Administrator with the password of Pa$$w0rd.
   • Accept all other defaults.

Results: After this exercise, you have deployed Windows 7 to LON-CL3.

Task 2: Virtual machine shutdown

When you finish the lab, revert each virtual machine back to its initial state. To do this, complete the following steps:

• On the host computer, start Hyper-V Manager.
• Right-click each virtual machine name in the Virtual Machines list, and then click Revert.
• In the Revert Virtual Machine dialog box, click Revert.


Module Review and Takeaways

Review Questions

1. Windows 7 needs to be deployed to a variety of clients in a heterogeneous computer environment. How do you handle the creation of multiple images for deployment to each kind of client?
2. You are tasked with deploying Windows 7 to clients in several countries. Is it necessary to create a different install image for each language?
3. How does driver provisioning assist the WDS project?
4. What type of image must be used to capture the operating system of a client as a .wim file?

Troubleshooting Performance Problems

Issue / Troubleshooting Tip

• Performance decreases: WDS can handle several hundred network boot requests per second in sustained throughput. Slight performance decreases can occur if the domain controller is located across a latent network link or is overloaded.
• You diagnose long download times (observed from the client computer as a progress bar below an IP address).
• Multicast transmissions are running slowly.
• After enabling multicasting, there is excessive traffic on the network.

Best Practices

Supplement or modify the following best practices for your own work situations:


Reduce the Size of the Boot Image to Speed Up TFTP Downloads

• Use the tools in the Windows AIK to create a custom boot image that contains the Windows Setup binary files and Windows PE. Ensure this image is prepared by using PEIMG.exe /prep.
• Ensure that the .wim file that contains the boot image does not contain extra space. A best practice is to use the ImageX /export command to export your boot image to a clean .wim file before adding the image to the WDS server.
• Ensure that the .wim file that contains the boot image is using the maximum compression format, LZX. To do this, run ImageX /info ImageFile.
• In situations where a server is overburdened, configure a network boot referral to direct starting clients to different WDS servers for TFTP downloads.
• Alter your physical network topology by doing one or more of the following:
   • Add a WDS server closer to the client computer.
   • Move the client computer closer to the WDS server.
   • Repair the existing network infrastructure (in the case of high-packet loss).
   • Upgrade to better cabling (Cat 5e is recommended).
   • Check the condition of the switches between the client computer and the WDS server to ensure that packets are not being dropped.

Reduce Network Congestion or Inadequate Resources on the Server or Client

• Create more bandwidth on the network: This might mean upgrading your network infrastructure to support greater bandwidth and higher throughput. For example, it might mean moving from 100 Mb to 1 Gb, upgrading cabling, replacing hubs with routers or switches, or reducing the number of clients that can access a particular network segment simultaneously.
• Add WDS servers to the network to handle the network demand: This means segmenting network infrastructure so that smaller groups of clients are answered by each server.
• Balance the server load by adding dedicated image servers.
• Reduce image size: Because larger images mean longer installation times and greater network strain, consider creating images that contain minimum customization, drivers, and applications; or consider creating specialized images for each department, hardware type, or function.

Use Performance Monitoring

Windows Reliability and Performance Monitor can be a powerful and quick tool for identifying resource issues on services associated with WDS. The following are useful counters for diagnosing WDS performance:

• Network Interface (Bytes Sent/sec)
• PhysicalDisk (Avg. Disk sec/Read, Avg. Disk sec/Write, and Current Disk Queue Length)
• Process (Page Faults/sec)
• Processor (% Processor Time)
• WDS Multicast Server (all counters)
• WDS TFTP Server (all counters)
• WDS Server (all counters)


Use Deployment Logs

You can enable tracing and logging for all WDS components for troubleshooting purposes. The installation logs are stored at %windir%\logs\cbs\cbs.log. Other than displaying a message that indicates whether the operation succeeded or failed, WDSUTIL shows minimal screen output (by default). However, you can specify two additional options to enable more output. You can specify /Verbose to show detailed information about a task, and specify /Progress to use ellipses to indicate that a long-running process (for example, adding an image) is running and is not stalled. When these options are used, it is still possible to redirect the WDSUTIL output to a file.

Use Dynamic Driver Provisioning in Windows 7 to Reduce the Size of the Images and Reduce the Number of Images to Maintain

• It is not necessary to update images when you introduce new hardware into the environment. By storing drivers centrally on deployment servers, separate from images, you can install drivers dynamically or assign sets of drivers based on information contained in the BIOS.
• If you choose to install drivers dynamically, Windows 7 enumerates Plug and Play devices during installation. Then, it chooses drivers based on the Plug and Play IDs of the actual devices on the PC.
• Reducing the number of drivers on individual PCs reduces the number of potential driver conflicts. This ultimately streamlines installation and setup times, and improves the reliability of the PC.

Avoid Performance and Scalability Problems

• Ensure that the network interface between the server and client has sufficient bandwidth.
• Use high-quality Ethernet cabling.
• Use network switches.
• Partition network segments to distribute the load across multiple servers.
• Keep network latency to a minimum to optimize TFTP transfers.
• Ensure that the disk that contains the remote install folder has enough throughput to meet the client demand.
• Ensure that there is sufficient memory on the server to handle the demands.
• Ensure that there is enough processor bandwidth on the server to handle the demands.

Configure the Server for Performance and Scalability

A key benefit of using WDS is the ability to deploy to several clients simultaneously. Many factors influence the solution’s ability to scale, but the most important ones are the following (in order from most to least influential):

1. Network bandwidth: WDS performs best using a 1 Gb-per-second network adapter.
2. RAM on the server: If the computer has enough available memory, it is possible to cache an entire image into memory. This reduces the number of disk read/write operations and, in turn, speeds up the process. If several different images are being deployed concurrently, you likely need more RAM.
3. Disk speed on the server: The install image must be read from the disk at least once, and a faster disk speed can accelerate this process.
4. Disk speed on the client: A bottleneck in the client computer’s disk may keep it from achieving the shortest possible installation times.




Module 7
Deploying Windows® 7 by Using Lite Touch Installation

Contents:

Lesson 1: Designing the Lite Touch Installation Environment
Lesson 2: Implementing MDT 2010 for Deploying Windows 7
Lab A: Planning and Configuring MDT 2010
Lab B: Deploying Windows 7 by Using Lite Touch Installation


Module Overview

The Microsoft® Deployment Toolkit (MDT) 2010 delivers end-to-end guidance for efficient planning, building, and deploying of the Windows® 7 operating system. MDT 2010, together with several related technologies, allows you to deploy Windows 7 using a Lite Touch Installation (LTI) methodology, or a Zero Touch Installation (ZTI) methodology.

This module describes how to design the LTI environment, and provides an overview of the techniques that you can use to build and deploy Windows 7 using the MDT and the LTI scenario.


Lesson 1
Designing the Lite Touch Installation Environment

The Windows 7 operating system deployment method that you use depends primarily on the infrastructure management processes in place within your organization. Some organizations have deployment processes that require extensive interaction with an administrator or end-user, whereas other organizations have their deployment tasks completely automated.

Many organizations that still maintain a standardized environment but have not yet deployed the infrastructure required for ZTI will likely take advantage of the functionality contained in MDT 2010 to support the Lite Touch Installation scenarios.

This lesson provides an overview of the LTI requirements and the tasks that take place within the LTI process. It also explains considerations for designing the LTI environment and implementing MDT 2010 for the Lite Touch Installation of Windows 7.


Process of Deploying Windows 7 by Using LTI

Key Points

LTI may require an administrator, or a user with administrative access, to customize the information during deployment. The setup process is usually started manually, and custom information is provided by a preconfigured answer file, or by a deployment wizard that appears when the installation process starts.

Organizations that use the LTI deployment method are typically in a standardized network environment. This consists of the Active Directory® Domain Services (AD DS), and prerequisites that are in place so Windows 7 can be implemented by using the automated techniques provided by MDT 2010.

The process of deploying Windows 7 using LTI consists of the following high-level steps:

• Design the LTI environment: The initial planning involves ensuring that the required infrastructure to support LTI tools exists. This part of the process results in a set of design documents that are used to build the MDT 2010 deployment infrastructure, and to perform automated operating system and application deployments.
• Implement the LTI infrastructure: Several server roles may be required to support the Lite-Touch deployment process. These roles can reside on a single server or separate servers as required. These roles may include:
   • Build server: This is the source for custom deployment images, including out-of-box drivers, service packs, and additional language packs.
   • Data server: This is used to store computer backups and user state migration data.
   • Application installation server: This is used to store the source files for core and supplemental application installations.
   • Microsoft Windows Deployment Services (WDS) server: This is the engine for Pre-boot Execution Environment (PXE) booting.


   • Database server: This optional component can be used as a centralized repository for managing deployment configuration settings.
• Install MDT 2010: After installing the prerequisite software, including the Microsoft® Management Console (MMC) 3.0, Microsoft .NET Framework 2.0 or higher, Windows PowerShell version 2.0 and the Windows Automated Installation Kit (Windows AIK) version 2.0, you can install a new instance of MDT 2010 on each computer where you want to manage MDT 2010 deployment shares. Typically, MDT 2010 is installed on the build server. MDT 2010 may also be installed on a technician computer and configured to point the deployment share to the build server or the data server.

  After MDT is installed, you can open the Deployment Workbench. The Deployment Workbench is the administration console for MDT 2010 and the LTI deployment process. Most of the daily MDT 2010 management tasks are performed in Deployment Workbench.
• Create and populate a deployment share: A deployment share is a storage location for all the scripts, operating systems, applications, drivers, and other files that are necessary to perform an operating system deployment. Typically, the deployment share is created on the build server, but it can also be located on the data server.

  The deployment share is created by using the MDT 2010 Deployment Workbench. You can use the New Deployment Share Wizard to create the deployment share and to store the source files in the deployment share folder. (You will associate these stored items with task sequences later in the configuration process.)
• Create and customize a task sequence: The task sequences in MDT 2010 contain the steps performed during the LTI deployment.

  Task sequences are stored in the deployment share. You create and manage the task sequences that are used to perform the deployments to the reference and destination computers in your organization by using Deployment Workbench. You can use the New Task Sequence Wizard to create new task sequences.

  MDT 2010 includes task sequence templates that are used to perform common deployment scenarios. In many instances, you can perform deployments using the templates without any modification to the task sequence.

  Task sequences consist of a combined series of steps that are designed to complete an action. Each task sequence step performs a specific task, such as validating that the target computer is capable of receiving the deployment image, storing user data in a safe location, deploying an image to a target computer, restoring saved user data, and so on.

  Task sequence steps can be added to a task sequence group, which helps keep similar task sequence steps together for better organization and error control.
• Create Windows PE and Windows 7 images: After the LTI infrastructure is in place, you can use the Deployment Workbench to manage the Windows® PE boot images, and the operating system images that will be deployed. You can create the Windows PE image to be used to initiate the LTI deployment process by updating the deployment share. For the operating system images, you can use the default image from the product DVD or you can install Windows 7 to a reference computer, capture the image of the reference computer, and deploy this custom image as a standardized deployment throughout your organization.
• Deploy the operating system images to the client computers: Deploying the operating system to a client computer is a matter of having an administrator or a user who has administrative rights run the deployment wizard.


Considerations for Designing an LTI Environment

Key Points

When designing the LTI environment, you must consider the following:

• Infrastructure: At a minimum, LTI requires a managed network and a file server. In addition, you must consider where you should store distribution files and images, user data, and application installation sources. These files may use a great deal of storage space.
• Deployment scenario: LTI supports the new computer, upgrade computer, refresh computer, and replace computer scenarios. There are three things that may influence your decision: whether to preserve user state, whether to preserve the file system, including currently installed applications, and whether to deploy to the same computer where the previous operating system resides.
• Deployment method: LTI with MDT 2010 supports both the deployment share method, which uses a network shared folder to store all the deployment files, and the deployment media method, which creates an image that you can use to perform deployments from removable media. Based on the network connectivity, you may choose between these two deployment methods.
• WDS: If you choose to deploy the images by using WDS, you must ensure that there is a high-speed, persistent connection to the WDS servers that are used in the deployment process from the destination computers. This is because the size of the images being distributed is generally quite large.

  The WDS servers must be on subnets adjacent to the destination computers to ensure high-speed connectivity to the computers. If this is not possible, you can consider the following:
   • Temporarily positioning the servers closer to the target computers during migration
   • Moving the computers to a staging area for deployment
   • Storing user state migration data locally on the destination computer
   • Performing LTI locally by using deployment media


• User data: If you decide to migrate user settings and data, you must determine the amount of storage space required. When this is known, you can designate local storage on the target computers, or on the shared folders that are located on a local server.
Also consider the security and privacy of the user data and profile placed in the temporary storage location, whether it is local storage or a shared folder on a network drive.
  • If you are using Windows Easy Transfer, you can protect the migration file with a password.
  • If you are using User State Migration Tool, you can encrypt the migration store with an encryption key.
  • If you use a network share for the temporary storage location, secure the share and set its permissions so that each user has access only to the share where their own user data is located.
• Custom images: LTI supports deploying custom images or default images from the Windows product DVD, depending on the business need. However, you will rarely be able to take the images from the Windows product DVD and deploy them unmodified to the reference and destination computers.
Typically, you have to create customized images that include the Windows operating system, language packs, applications, device drivers, software updates, and software. The MDT 2010 process allows the creation of customized images that are first deployed to a reference computer, captured from the reference computer, and then deployed to the destination computers.
• Deployment share: MDT 2010 deployment shares can be stored on the computer that is running MDT 2010, or in any network shared folder. The computer that is running MDT 2010 has the following storage requirements:
  • At least 4 GB of free space is required on the drive containing the %TEMP% folder if you plan to create a media deployment International Organization for Standardization (ISO) image. Otherwise, 1 GB of free space is required on the drive containing the %TEMP% folder.
  • Free space of 1 GB is required on the drive containing the MDT 2010 program files.
You must also determine the size of each image and how many images are required in the deployment, and ensure that sufficient space is available for storing the distribution files, which include operating system images, language packs, and device drivers used in Deployment Workbench. These distribution files are stored in the MDT 2010 deployment shares created in Deployment Workbench. You need to decide where to create the deployment share, whether on the local computer (local deployment share) or in a network shared folder (remote deployment share).
• Scalability: To support deployment load, you can implement the LTI infrastructure to be highly scalable. To scale the LTI infrastructure, you must have several technologies in place, such as WDS server, SQL Server, and Distributed File System Replication (DFS-R) technologies. You can use SQL Server and create an MDT Database (MDT DB) as a solution to centralize configuration settings that are dynamic and extensible.
The highly scalable LTI deployment infrastructure uses a hub-and-spoke topology for replication of content. Therefore, you must nominate a deployment server in the production environment that will perform the role of the master deployment server. Each of the child deployment servers will act as spokes. To enable this architecture, you need to use DFS-R to replicate the deployment share to each of your deployment servers. Then, use SQL Server snapshot replication to provide a copy of the deployment database to each of the child deployment servers.
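The network-share guidance for user data in the design considerations above, as an added example that is not part of the course material: PowerShell that creates one migration store folder per user with inheritance blocked, then lists any access granted to anyone other than that user, Administrators and SYSTEM. The function names, the <root>\<user> folder layout and the choice of the Modify right are assumptions; the demo at the end runs against a constructed folder under %TEMP% for the current account.

```powershell
# Added example, not from the course material. Assumed names: Resolve-AccountSid,
# New-MigrationStoreFolder, Get-UnexpectedStoreAccess, and a <root>\<user> layout.

$AdminsSid = 'S-1-5-32-544'   # BUILTIN\Administrators
$SystemSid = 'S-1-5-18'       # NT AUTHORITY\SYSTEM

function Resolve-AccountSid {
    param([Parameter(Mandatory = $true)][string]$Account)
    # Translate throws if the account does not exist, so a typo fails early.
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    $nt.Translate([System.Security.Principal.SecurityIdentifier])
}

function New-MigrationStoreFolder {
    param(
        [Parameter(Mandatory = $true)][string]$Root,
        [Parameter(Mandatory = $true)][string]$Account   # for example CONTOSO\acarter
    )
    $userSid = Resolve-AccountSid -Account $Account
    $leaf    = ($Account -split '\\')[-1]
    $path    = Join-Path $Root $leaf
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -ItemType Directory -Path $path | Out-Null
    }

    $acl = Get-Acl -Path $path
    # Stop inheriting from the store root and do not keep copies of inherited entries.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $acl.RemoveAccessRuleSpecific($rule)   # drop explicit entries already present
    }

    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $noProp  = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    $grants  = @(
        @{ Sid = $userSid.Value; Rights = 'Modify' },
        @{ Sid = $AdminsSid;     Rights = 'FullControl' },
        @{ Sid = $SystemSid;     Rights = 'FullControl' }
    )
    foreach ($grant in $grants) {
        $sid    = New-Object System.Security.Principal.SecurityIdentifier($grant.Sid)
        $rights = [System.Security.AccessControl.FileSystemRights]$grant.Rights
        $rule   = New-Object System.Security.AccessControl.FileSystemAccessRule($sid, $rights, $inherit, $noProp, $allow)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $path -AclObject $acl
    $path
}

function Get-UnexpectedStoreAccess {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Account
    )
    $expected = @((Resolve-AccountSid -Account $Account).Value, $AdminsSid, $SystemSid)
    $acl      = Get-Acl -Path $Path
    # Ask for SIDs rather than names so the comparison does not depend on name resolution.
    $rules    = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        if ($rule.AccessControlType -eq 'Allow' -and $expected -notcontains $sid) {
            New-Object PSObject -Property @{
                Sid       = $sid
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

# Constructed demo: a throwaway store root under %TEMP%, created by the current account.
$me    = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$root  = Join-Path $env:TEMP 'MigStoreDemo'
New-Item -ItemType Directory -Path $root -Force | Out-Null
$store = New-MigrationStoreFolder -Root $root -Account $me

'Access on the store root granted to anyone else:'
Get-UnexpectedStoreAccess -Path $root -Account $me | Format-Table -AutoSize
'Unexpected entries on {0}: {1}' -f $store, @(Get-UnexpectedStoreAccess -Path $store -Account $me).Count
```

On a real share the same check is worth running against every per-user folder after the migration stores are created, since one folder that still inherits from the root exposes that user's profile data to everyone with access to the root.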


Discussion: Designing a Lite Touch Installation Environment for a Given Scenario

Key Points
Read the following scenario and answer the following questions.

Scenario
You work as a Desktop Administrator in a large multi-national corporation, which is headquartered in California. Your organization has decided to deploy Windows 7 throughout the enterprise. You are in charge of the deployment project for the European offices, which are located in Copenhagen, London, and Paris.
You work at the main office in Copenhagen, which has around 50 users. The offices in London and Paris have approximately 20 users each. The Paris office is connected with a high-speed internet link to the Copenhagen office, whereas the London office has a slower internet connection. Most of the users in Europe are using fairly new computers due to a hardware refresh that was completed in the European offices less than a year ago. In each office, there is a sole IT support person that helps troubleshoot daily computer issues on-site.
You have received a custom Windows 7 image from your corporate headquarters in California. You have been tasked with deploying this custom image to all employees in Europe. All required applications are included in the custom image, and any software updates are managed by Group Policy. You have two servers that you can use for this deployment project. You have decided to deploy this custom image by using the Lite Touch Installation process.

Question: What elements in your current infrastructure support Lite Touch Installations?
Question: How might you use your current resources to perform LTI deployment?
Question: What deployment method do you choose for the three offices?


Question: How do you optimize the user data migration in this scenario?


Lesson 2
Implementing MDT 2010 for Deploying Windows 7

After you design and implement the infrastructure to support the LTI tools, the next step in the LTI deployment process is to install and configure MDT 2010 for LTI deployments. You can then use MDT 2010 Deployment Workbench to create a deployment share, add operating system files and device drivers, create task sequences to deploy and capture reference installation, and deploy the captured image to destination computers.
This lesson provides an overview of the requirements and installation of MDT 2010, and how to use the MDT 2010 Deployment Workbench to deploy Windows 7 with a Lite Touch Installation.


Installing and Configuring MDT 2010

Key Points
The following list shows the software requirements and files required to install MDT 2010:
• Microsoft Management Console (MMC) 3.0
• Microsoft .NET Framework 2.0 or higher
• Windows PowerShell command-line interface version 2.0
• Windows AIK version 2.0
• MDT 2010 installation file
• Windows installation files to be deployed

Install MDT 2010
Use the following steps to install MDT 2010:
1. Open the MicrosoftDeploymentToolkit_platform.msi (where platform is either x86 or x64).
2. On the Welcome to the Microsoft Deployment Toolkit 2010 Setup Wizard page, accept the license agreement, custom page setup, and select Install.
3. Complete the Microsoft Deployment Toolkit Setup Wizard.

Install Windows AIK
Use the following steps to install Windows AIK:
1. Mount the Windows AIK distribution files on a physical or virtual CD drive.
2. In Windows Explorer, locate the root of the CD drive, and start the Welcome to Windows Automated Installation Kit by selecting the Windows AIK Setup link.
3. Complete the Windows Automated Installation Kit Setup Wizard.


Deployment Workbench
After installing MDT 2010, use the Deployment Workbench to perform LTI-based deployments. The top-level nodes in the Deployment Workbench and the kinds of tasks that can be performed in each are as follows:
• Information center node: Provides access to documentation, displays breaking news about MDT 2010, and lists the requirements for using the Deployment Workbench.
• Deployment share node: Lists operating systems, applications, operating system packages, task sequences, and out-of-box drivers populated in the Deployment Workbench.

The Deployment Workbench uses component files to help perform LTI-based deployments. Perform the following steps to make sure that the required components are installed:
1. Open the Microsoft Deployment Toolkit and select the Deployment Workbench.
2. Select Components in the Information Center, and in the Installed section, confirm that either the Windows Automated Installation Kit (x86) 2.0, or the Windows Automated Installation Kit (x64) 2.0 is installed.

Perform the following steps to download and install Deployment Workbench components:
1. In the Deployment Workbench, expand the Information Center, and select Components. Select the name of the component that you want to download from the Available for Download section.
2. Use the Details pane to download the component from the Internet, browse for the installation file of the component, and complete the installation process by using the instructions that are provided.
3. After the component is installed, it appears in the Installed section of the Details pane.

After you prepare the MDT 2010 environment and install the Deployment Workbench components, perform the following steps in the Deployment Workbench:
1. Create an MDT 2010 deployment share.
2. Add operating system files to the deployment share.
3. Add device drivers to the deployment share.
4. Create task sequences.
5. Update the deployment share.


Demonstration: Configuring a Deployment Share

Key Points
This demonstration shows how to create the deployment share, how to add an operating system to the deployment share, and how to add device drivers to the deployment share.

Create an MDT 2010 Deployment Share
You can create a deployment share by using the New Deployment Share Wizard in the Deployment Workbench.
1. Open the New Deployment Share Wizard from the Deployment Shares console tree, in the Deployment Workbench.
2. Use the New Deployment Share Wizard to create a folder to store the deployment share on the local disk and to specify the deployment share path to that folder. The folder may also be created earlier. The only requirement for the deployment share is that it starts with an empty folder.
3. Specify the share name for the deployment share. Regardless of the folder name specified, the default share is \\< \DeploymentShare$.
4. Specify a descriptive name for the deployment share. This name is used to identify the share in the Deployment Workbench console.
5. Select whether or not to ask to capture an image. Typically, you are prompted to capture an image from systems installed in a workgroup. Clearing this check box allows you to skip this step.
6. Select whether or not to ask users to set a local administrator password. You can select this check box to allow users to set the Local Administrator password when an image is deployed from this share.
7. Select whether or not to ask users for a product key. Selecting this check box will allow the users to specify an installation key.
8. Review the Summary page and the summary information, and continue with the creation of the deployment share.


9. Review the Confirmation page and review the log file for any errors that occurred during the creation of the deployment share. In addition, you can view the PowerShell code used to create the deployment share. Upon completion, the deployment share is created in the target folder that you defined in the wizard and shown in the Deployment Workbench.
10. Review the properties of the deployment share that you have created.
On the General tab, there is a check box to enable multicast support on this deployment share. This requires the deployment share to be created on a Windows 2008 server with WDS installed.
On the Rules tab, you can adjust the behavior of this deployment share. You can see some of the settings specified earlier such as SkipAdminPassword=YES. (Refer to the MDT Documentation for the available options on this tab.)
On the Windows PE x86 Settings tab, you can configure the boot images created for this deployment share. The Windows PE x64 Settings tab contains the same settings for the 64-bit environment.
On the Windows PE x86 Components tab, you can specify additional components for the Windows PE boot environment. The Windows PE x64 Components tab contains the same settings for the 64-bit environment.

Add Operating System Files to the Deployment Share
Before an operating system can be deployed, the deployment share must contain the operating system files. You can add the operating system files by using the Import Operating System Wizard in the Deployment Workbench.
1. Open the Import Operating System Wizard from the Operating Systems console tree, in the Deployment Workbench.
2. Select the type of operating system to add. The option selected depends on the type of installation to be performed. For example, to build a new reference computer you may want to start with the full set of source files. After capturing a customized installation, import the custom image for deployment. You can also import images from a previous WDS deployment.
3. Specify the path for the operating system files. If you choose to import the full set of source files, you are prompted for the source files location. If you import a custom image file, this step is skipped, and you are prompted for the image location instead.
4. Specify the directory name that should be created for the operating system files.
5. Review the Summary page and the summary information and continue with the import of the operating system files.
6. Review the Confirmation page and review the log file for any errors that occurred during the import of operating system files. Similar to the other wizards, this page allows you to view the PowerShell code run to complete the previous steps.

Add Device Drivers to the Deployment Share
Device driver packages that include an .inf file can be imported to the Deployment Workbench and installed automatically as a part of the deployment process. To implement this, first add the device driver to the Deployment Workbench.
1. Open the Import Drivers Wizard from the Out-of-Box Drivers console tree, in the Deployment Workbench.
2. Specify the directory where the device driver is located.


3. Review the Summary page and the summary information and continue with the import of the device driver.
4. Review the Confirmation page, and review the log file for any errors that occurred during the import of the device driver. Similar to the other wizards, this page allows you to view the PowerShell code run to complete the previous steps.

Question: How do you create a deployment share on a Server (such as LON-DC1) if the MDT was deployed to a workstation (such as LON-CL2)?


Demonstration: Creating a Task Sequence

Key Points
This demonstration shows you how to create a task sequence for a deployment share.

Create a Task Sequence for the Reference Computer
1. Open the New Task Sequence Wizard from the Task Sequences console tree, in the Deployment Workbench.
2. Specify the Task sequence ID and Task sequence name. The Task sequence ID must be unique in a deployment share. Plan your Task Sequence ID carefully as it cannot be modified later. The Task sequence name and comments are displayed by the deployment wizard and can be modified at a later time if necessary.
3. Select the template to create the task sequence. There are seven available templates. Take the time here to select each template and review their purpose.
4. Select the operating system to be installed. You can only install Operating Systems that have been previously imported.
5. Select whether or not to specify product key. The option selected here depends on how the organization is licensed.
6. Specify the user name and organization.
7. Select whether or not to specify an Administrator password. If this system is to be deployed into production, you may want to specify a password here, or in a custom setup file.
8. Review the Summary page, proceed and confirm the wizard, and complete the New Task Sequence Wizard.

Question: How do you deploy Windows 7 to three different departments with different application needs?


Demonstration: Updating a Deployment Share

Key Points
This demonstration shows you how to update a deployment share.

Update the Deployment Share
Updating a deployment share creates the Windows PE boot images (WIM and ISO files) necessary to start the LTI deployment process.
1. Open the Update Deployment Share Wizard from the deployment share console tree that needs to be updated, in the Deployment Workbench.
2. Select whether to optimize and compress the boot images or to completely regenerate the boot images. You only need to completely regenerate the boot images if you have changed the Windows PE settings in the deployment share properties.
3. Review the Summary page, proceed and confirm the wizard, and complete the Update Deployment Share Wizard.

Question: When might you decide to completely regenerate the boot images when updating a deployment share?


Installing Windows 7 by Using the Windows Deployment Wizard
You can initiate the deployment of Windows to destination computers by running the Windows Deployment Wizard. Each deployment scenario (upgrade computer, replace computer, new computer, or refresh computer) uses a different process.
You can choose to initiate the deployment from Windows Deployment Services, from a network share, from local drives, or by using bootable media. Windows PE starts on the destination computer and initiates the MDT 2010 deployment process. The Windows Deployment Wizard displays different wizard pages depending on the task sequence and the configuration options specified in CustomSettings.ini. For example, if a product key is specified in the task sequence, the wizard will not prompt for a product key.
The following shows the pages available in Windows Deployment Wizard:
• Welcome to the Windows Deployment Wizard: Select whether to deploy Windows using Windows Deployment Wizard, go to Windows Recovery Environment or to the command prompt.
• Specify credentials for connecting to network shares: Specify credentials to connect to network shares. These credentials are used to access network shared folders used during the deployment process.
• Select a task sequence to execute on this computer: This page shows the task sequences available.
• Specify the product key needed to install this operating system: Enter the product key to be assigned to the destination computer or select MAK activation method.
• Select a migration type: Select between refresh computer and upgrade computer scenario.
• Configure the computer name: Enter the computer name to be assigned to the destination computer.


• Join the computer to a domain or workgroup: Specify workgroup or domain information for the destination computer.
• Specify where you should save your data and settings: Specify whether to save data and settings and determine the storage location.
• Specify whether to restore user data: Specify whether to restore user data and from which location.
• Specify where you should save a complete computer backup: Specify whether to back up your computer and determine the backup location.
• Specify the product key needed to install this operating system: Assign the product key if it is required.
• Packages: Specify language packs to be installed on the destination computer.
• Locale selection: Here you can set the locale of the destination computer.
• Set the time zone: Set the time zone of the destination computer.
• Select one or more applications to install: Specify which applications are to be installed on the destination computer.
• Administrator password: Set administrator password for the destination computer.
• Specify whether to capture an image: Specify whether to capture the image of the destination computer and set the location to store the WIM file, prepare the computer for image capturing at later time, or not to capture the image of the computer for typical deployment.
• Specify the BitLocker configuration: Enable BitLocker drive encryption on destination computer.
• Ready to begin: The Windows Deployment Wizard finishes and deployment of the new operating system begins.
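Because the rules in CustomSettings.ini decide which of these wizard pages appear, reviewing that file shows where the wizard has been silenced and where credentials are stored in clear text. The PowerShell below is an added example, not MDT's own code; the function names and the sample rules are constructed for illustration, and of the properties it checks only SkipAdminPassword is named in the course text (the others are standard MDT rule properties).

```powershell
# Added example: audit MDT rules (CustomSettings.ini) for stored credentials and
# hidden wizard pages. Function names and the sample rules are assumptions.

function ConvertFrom-MdtRules {
    param([string[]]$Lines)
    $section = ''
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -eq '' -or $text.StartsWith(';')) { continue }     # blank line or comment
        if ($text -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($text -match '^([^=]+)=(.*)$') {
            New-Object PSObject -Property @{
                Section = $section
                Key     = $Matches[1].Trim()
                Value   = $Matches[2].Trim()
            }
        }
    }
}

function New-RulesFinding {
    param($Entry, [string]$Severity, [string]$Finding)
    New-Object PSObject -Property @{
        Section = $Entry.Section; Key = $Entry.Key; Severity = $Severity; Finding = $Finding
    } | Select-Object Section, Key, Severity, Finding
}

function Get-MdtRulesFinding {
    param([string[]]$Lines)

    # Properties that hold a credential in clear text when they are set in the rules.
    $secretKeys = 'AdminPassword', 'DomainAdminPassword', 'UserPassword'
    # Skip* properties and the Windows Deployment Wizard page that each one hides.
    $pages = @{
        SkipAdminPassword = 'Administrator password'
        SkipProductKey    = 'Specify the product key needed to install this operating system'
        SkipCapture       = 'Specify whether to capture an image'
        SkipBitLocker     = 'Specify the BitLocker configuration'
    }

    $entries = @(ConvertFrom-MdtRules -Lines $Lines)
    foreach ($e in $entries) {
        if (($secretKeys -contains $e.Key) -and $e.Value -ne '') {
            # Report the length only, so the audit output never repeats the secret.
            New-RulesFinding $e 'High' ('clear-text credential stored in rules ({0} characters)' -f $e.Value.Length)
        }
        elseif ($pages.ContainsKey($e.Key) -and $e.Value -eq 'YES') {
            New-RulesFinding $e 'Info' ('wizard page hidden: {0}' -f $pages[$e.Key])
        }
    }

    # A hidden Administrator password page means the password is fixed somewhere else.
    $skips = @($entries | Where-Object { $_.Key -eq 'SkipAdminPassword' -and $_.Value -eq 'YES' })
    foreach ($skip in $skips) {
        $inRules = @($entries | Where-Object { $_.Section -eq $skip.Section -and $_.Key -eq 'AdminPassword' })
        if ($inRules.Count -eq 0) {
            New-RulesFinding $skip 'Review' 'no AdminPassword in this section; check the password set in the task sequence'
        }
    }
}

# Constructed sample rules, embedded so the script runs without a deployment share.
$sampleRules = @'
[Settings]
Priority=Staging, Default

[Staging]
SkipAdminPassword=YES
SkipCapture=NO

[Default]
OSInstall=Y
SkipAdminPassword=YES
AdminPassword=Example-Only-1
SkipProductKey=YES
SkipBitLocker=YES
JoinDomain=CONTOSO
DomainAdmin=svc-join
DomainAdminPassword=Example-Only-2
'@

# For a real share, pass (Get-Content <path to CustomSettings.ini>) instead.
Get-MdtRulesFinding -Lines ($sampleRules -split '\r?\n') | Format-Table -AutoSize
```

Anyone who can read the deployment share can read these rules, so a High finding here is a credential to rotate and move out of the file, not just a setting to tidy.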


Advanced Configuration Options for LTI Deployments
The Deployment Workbench includes advanced configuration options that extend the features provided in basic LTI deployments. These configuration options provide you with more granular support in the deployment process. They can be used, for example, to support deployments in larger organizations, or deployments using stand-alone media, without the need to connect to a deployment share.
The advanced configuration tasks include more detailed management of the following:
• Selection profiles: Selection profiles enable you to select one or more folders in Deployment Workbench that contain one or more items. These items include: applications, device drivers, operating systems, operating system packages, and task sequences.
You can also use the selection profiles to group items. MDT 2010 creates several default selection profiles including: Everything, All drivers, All drivers and packages, Nothing, and Sample.
• Linked deployment shares: Linked deployment shares provide a logical connection between two deployment shares, a source and a target deployment share. The items to be linked between the source and target deployment share are determined by a selection profile. You can create linked deployment shares in the Deployment Workbench by using the New Linked Deployment Share Wizard.
Linked deployment shares enable you to easily replicate an entire deployment share or parts of a deployment share to another deployment share. This enables you to change one deployment share and then update others based on the selection profiles that you selected when you created the linked deployment shares.
• Deployment media: Deployment media enables you to perform LTI-based deployments solely from local media, without connecting to a deployment share. After creating the deployment media, generate bootable WIM images that enable the deployment to be performed from portable media devices locally available on the destination computer.


The items to be included on the deployment media are determined by a selection profile specified when the media is created. Deployment media lets you easily generate stand-alone media that can be used to perform LTI-based deployments. Deployment Workbench automatically includes Windows PE in the media so that Windows PE is started from the media at the destination computer. When Windows PE starts, the Windows Deployment Wizard is automatically started as in any LTI-based deployment.
You can generate media images of the media content in Deployment Workbench by using the Generate Media wizard. This wizard creates WIM file images of the media content that can be used to perform stand-alone, LTI-based deployments from media.
• MDT database: Use the MDT database (MDT DB) to provide configuration settings for LTI-based and ZTI-based deployments. The MDT DB provides centralized configuration and management of configuration settings for the destination computers. Conceptually, the MDT DB can be viewed as a centralized version of the CustomSettings.ini file.
The main advantage of using the MDT DB is that it provides a centralized repository for managing deployment configuration settings. This eases large-scale deployments. Although large-scale deployments can be performed by using the CustomSettings.ini file, it is recommended that you use MDT DB for large-scale deployments, especially in ZTI-based deployments.
You can configure the MDT DB through Deployment Workbench in MDT 2010 or any other data management tools that can change information stored in Microsoft® SQL Server®. The MDT DB can be stored on the same SQL Server used for Configuration Manager, on an SQL Server on the same computer where MDT 2010 is installed, or any other SQL Server in your organization.


Lab A: Planning and Configuring MDT 2010

Computers in This Lab
Before you begin the lab, you must start the virtual machines. The virtual machines used at the start of this lab are:
• 6294A-LON-DC1
• 6294A-LON-CL2

Start the virtual machines
1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.
2. In the Virtual Machines pane, click the virtual machine name. In the Actions pane, under the virtual machine name, click Start.
3. To connect to the virtual machine, click the virtual machine name, and in the Actions pane, under the virtual machine name, click Connect.


Exercise 1: Planning the MDT Lite Touch Environment

Scenario
Jonas Brandel, the manager of the Contoso IT department, has asked that you evaluate the capabilities of the Microsoft Deployment Toolkit for deploying Windows 7.
Contoso Ltd. has not had a major client system deployment since you were hired and Jonas is looking for a fresh set of eyes on the process. You know that all the client systems had to be reimaged in Seattle recently and that it did not go as smoothly as desired.
The main tasks for this exercise are as follows:
1. Read the supporting documentation.
2. Complete the Microsoft Deployment Toolkit Job Aid to help plan the deployment.

Supporting Documentation
E-mail thread with Jonas:

Adam Carter
From: Jonas Brandel [jbrandel@contoso.com]
Sent: 17 July 2009 2:30 PM
To: Adam Carter [acarter@contoso.com]
Subject: Re: Automated Windows 7 deployment

Adam,
You know my philosophy on this, keep it uncomplicated and reduce the opportunity for errors. I know there were a few complaints when we had to re-image several systems in Seattle after that virus outbreak but the company policy remains, all Contoso related files are to be stored on a server. Since we use roaming profiles I do not see the need to migrate profiles for users. Since there is nothing critical on the client systems I do not think we need to worry about that feature either.
For the time being we are going to continue deploying applications to the client systems post installation. Unless purchasing changes their policies we do not want to deploy any applications until the requesting department has secured their licenses.
As for the rest of the features, I like the idea of deploying from a central image and since we are not giving the users local administrative rights we need to include any drivers they might need, for instance the IntelliPoint drivers for the Microsoft Mice we use in our department.
Keep in mind not all the custom applications have been tested in a 64 bit environment yet. If anything else comes up just use your best judgment and we can discuss it at the next meeting.
Thanks,
Jonas

----- Original Message -----
From: Adam Carter [acarter@contoso.com]
Sent: 17 July 2009 11:15 AM
To: Jonas Brandel [jbrandel@contoso.com]
Subject: Re: Automated Windows 7 deployment

Jonas,
I have had a chance to download the Microsoft Deployment Toolkit. I am not sure if you are aware of all the features in the Toolkit. Besides deploying Windows 7 we could do the following:
• Partially Automated Deployment of Windows 7 (Lite-Touch)
• Fully Automated Deployment of Windows 7 (Zero-Touch)
• Deploy Windows 7 from an Image
• Deploy Applications
• Pre-Install device Drivers
• Migrate User Profiles
• Enable BitLocker on deployed systems
I know you want a report at the next department meeting. Do you have a preference for the features that we evaluate before then?
Thanks,
Adam

----- Original Message -----
From: Jonas Brandel [jbrandel@contoso.com]
Sent: 15 July 2009 09:30 AM
To: Adam Carter [acarter@contoso.com]
Subject: Automated Windows 7 deployment

Adam,
As discussed in the last planning meeting we are looking at rolling out Windows 7 next quarter. I want you to download the Microsoft Deployment Toolkit and evaluate it for use in automating the deployment of Windows 7.
Thanks,
Jonas

Task 1: Read the supporting documentation
Read the supporting documentation.

Task 2: Complete the Microsoft Deployment Toolkit Job Aid to help plan the deployment
Fill out the attached Microsoft Deployment Toolkit Job Aid.
Use the check boxes to indicate your decision.
In the “Rationale for the Decision” section, list your supporting reason for this decision.
Be prepared to discuss your answers with the class.

Microsoft Deployment Toolkit Planning–Job Aid

| Question | Information | Rationale for the Decision |
| --- | --- | --- |
| What Operating System are you going to deploy? | 32 bit Windows 7 / 64 bit Windows 7 / 32 Windows Server 2008 R2 / 64 bit Windows Server 2008 R2 | |
| What System is going to be deployed as the Technician’s system? | Windows 7 client / Windows 2008 R2 server | |
| Are you going to be deploying Applications? | Yes / No | |
| What MDT additional components are you going to install? | MAP / WAIK / USMT | |
| Where will you store your distribution files? | Local Deployment Share / Remote Deployment Share | |
| Will you be deploying any drivers not included with Windows 7? | Yes / No | |
| Will you deploy across the network, with removable media, or both? | Network / Removable Media | |
| Which Deployment Scenario will you use? | New Computer / Upgrade Existing Computer / Refresh Computer / Replace Computer | |
| Will you deploy a full set of operating system files or a custom Windows Imaging Format (WIM)? | Full OS File Set / Custom WIM | |
| Which product editions will you deploy? | Professional / Ultimate / Business / Enterprise | |
| How will you handle product keys and licensing? | Multiple Activation Key (MAK) / Key Management Service (KMS) | |

Results: After this exercise you have planned your MDT 2010 deployment.


Exercise 2: Installing MDT 2010 and Additional Component Files

Scenario
As part of your evaluation you will need to install the MDT 2010 Toolkit and the related components you are going to use.
The main tasks for this exercise are as follows:
1. Install MDT 2010.
2. Mount the external media on LON-CL2.
3. Install Windows AIK.
4. Verify Windows AIK installation.
Note: LON-DC1 is the computer running Windows Server 2008 R2. LON-CL2 is the computer running Windows 7 that will contain MDT 2010.

Task 1: Install MDT 2010
• Log on to the LON-CL2 virtual machine as Contoso\Administrator with a password of Pa$$w0rd.
• Install the MDT Toolkit with the default settings using the following path: \\LON-DC1\Labfiles\Mod07\MicrosoftDeploymentToolkit2010_x86.msi.

Task 2: Mount the external media on LON-CL2
The Windows Automated Installation Kit downloads as an ISO file by default. Since you are working in a virtual environment, you will attach this file to LON-CL2.
• Attach the image file C:\Program Files\Microsoft Learning\6294\Drives\WAIK.ISO to LON-CL2.

Task 3: Install Windows AIK
• Browse to the DVD drive and run StartCD.exe with elevated permissions to start Windows AIK Setup.
• Complete the Windows Automated Installation Kit Setup Wizard with default settings.

Task 4: Verify Windows AIK installation
• Open the Deployment Workbench and verify the WAIK is listed as an installed component.
• In the Deployment Workbench console tree, go to Deployment Workbench/Information Center/Components.
Question: What category is the Windows Automated Installation Kit in and what is the status?

Results: After this exercise you should have installed Windows AIK and verified the installation.


Exercise 3: Creating an MDT 2010 Deployment Share

Scenario
As part of your evaluation you will need to configure the MDT 2010 environment. Before deployment can begin with MDT 2010, you have to create an MDT 2010 deployment share in Deployment Workbench. This deployment share is the repository for the operating system images, language packs, applications, device drivers, and other software deployed to the target computers.
The main task for this exercise is:
• Create a deployment share in Deployment Workbench.
Note: LON-DC1 is the computer running Windows Server 2008 R2. LON-CL2 is the computer running Windows 7 that contains MDT 2010.

Task 1: Create a deployment share in Deployment Workbench
• On LON-CL2, in the Deployment Workbench console tree, create a new deployment share.
• Complete the New Deployment Share Wizard with the following information:

On this wizard page | Do this
Path | C:\Deploymentshare
Share | Accept the default selections.
Descriptive Name | Accept the default selections.
Allow Image Capture | Accept the default selections.
Allow Admin Password | Accept the default selections.
Allow Product Key | Accept the default selections.
Summary | Review the summary.
Confirmation | Click Finish.

Results: After this exercise you should have created a new deployment share.


Lab B: Deploying Windows 7 by Using Lite Touch Installation

Exercise 1: Configuring the MDT 2010 Deployment Share

Scenario
After installing MDT 2010 and creating the deployment share, you are ready to prepare the Lite Touch Installation.
The main tasks for this exercise are as follows:
1. Add operating system files to the deployment share.
2. Add device drivers to the deployment share.
3. Create a task sequence for the reference computer.
4. Update the deployment share.
Note: LON-DC1 is the computer running Windows Server 2008 R2. LON-CL2 is the computer running Windows 7 that contains MDT 2010.

Task 1: Add operating system files to the deployment share
As part of your planning you have decided to install the 32 bit version of Windows 7. You need to copy the files from the DVD to the deployment share.
On LON-CL2, mount “C:\Program Files\Microsoft Learning\6294\Drives\Windows7_32bit.iso”.
In the Deployment Workbench, import the full set of operating system files from the D:\ drive.
Finish the wizard with the default settings.


Task 2: Add device drivers to the deployment share
In the Deployment Workbench, import the IntelliPoint drivers from “\\LON-DC1\Labfiles\Mod05\LabE\ipoint”.
Finish the wizard with the default settings.

Task 3: Create a task sequence for the reference computer
Create a New Task Sequence with the following information:

On this wizard page | Do this
General Settings | Task sequence ID: WIN7_REFERENCE; Task sequence name: Deploy Windows 7 to LON-IMG1
Select Template | Standard Client Task Sequence
Select OS | Windows 7 Enterprise in Windows 7 x86 install.wim
Specify Product Key | Accept the default selections.
OS Settings | Full Name: Admin; Organization: Contoso LTD.
Admin Password | Do not specify an Administrator password at this time
Summary | Review the Summary.
Confirmation | Click Finish.

Task 4: Update the deployment share
In the Deployment Workbench, update the deployment share.
Finish the wizard with the default settings. The update takes approximately 10 to 15 minutes.

Results: After this exercise you should have configured the deployment share to contain operating system files, device drivers, and a task sequence.


Exercise 2: Deploying Windows 7 and Capturing an Image of the Reference Computer

Scenario
You have configured the MDT deployment point and are ready to deploy and capture a reference computer. After creating the task sequence to deploy Windows 7 to the reference computer, initiate the operating system deployment and capture by starting the reference computer with the LTI bootable media.
The main tasks for this exercise are:
1. Create the LTI bootable media.
2. Start the reference computer with the LTI bootable media.
Note: LON-DC1 is the computer running Windows Server 2008 R2. LON-CL2 is the computer running Windows 7 that contains MDT 2010.

Task 1: Create the LTI bootable media
Open the C:\DeploymentShare\Boot folder.
Verify the LiteTouchPE_X86.iso file was created.
Note: For the Lab the LiteTouchPE_x86.iso file has already been copied to the host machine.

Task 2: Start the reference computer with the LTI bootable media
To deploy using the Lite Touch Installation you need to mount the boot image to the reference computer and boot it into the WinPE environment.
• On LON-IMG1, mount C:\Program Files\Microsoft Learning\6294\drives\LiteTouchPE_x86.iso.
• Start LON-IMG1.
• Complete the Windows Deployment Wizard with the following information:

On this wizard page | Do this
Welcome to Deployment | Run the Deployment Wizard to install a new Operating System.
Specify Credentials for connecting to network shares | Username: Administrator; Password: Pa$$w0rd; Domain: Contoso
Select a task sequence to execute on this computer | Deploy Windows 7 to LON-IMG1
Configure the computer name | LON-IMG1
Join the computer to a Domain or workgroup | Accept the default selections.
Specify whether to restore user data | Accept the default selections.
Language and other preferences | Accept the default selections.
Set the Time Zone | Accept the default selections.
Specify whether to capture an image | Capture an image of this reference computer
Ready to begin | Click Begin.

Note: The entire process takes approximately 1 hour to complete.
• Review the Deployment Summary page for any errors, click Finish, and turn off LON-IMG1.

Results: After this exercise you should have created the LTI bootable media and started LON-IMG1 to complete the deployment wizard.


Exercise 3: Configuring MDT 2010 to Deploy Windows 7 to the Target Computer

Scenario
You have created and captured a reference computer. You now need to add the reference computer image to the MDT Deployment Share so that you can use it for the deployment evaluation.
The main tasks for this exercise are as follows:
1. Add the captured image of the reference computer to Deployment Workbench.
2. Create a task sequence for the target computer.
Note: LON-DC1 is the computer running Windows Server 2008 R2. LON-CL2 is the computer running Windows 7 that contains MDT 2010.

Task 1: Add the captured image of the reference computer to Deployment Workbench
On LON-CL2, in the Deployment Workbench, import the wim file created during Exercise 2.
Complete the Import Operating System Wizard with the following information:

On this wizard page | Do this
OS Type | Custom image file
Source | C:\DeploymentShare\Captures\WIN7_REFERENCE.wim
Setup | Accept the default selection.
Destination | Accept the default name.
Summary | Review the summary.
Confirmation | Click Finish.

Task 2: Create a task sequence for the target computer
In the Deployment Workbench, create a new task sequence.
Complete the New Task Sequence Wizard with the following information:

On this wizard page | Do this
General Settings | Task sequence ID: WIN7_TARGET; Task sequence name: Deploy Windows 7 to Clients
Select Template | Standard Client Task Sequence
Select OS | WIN7_REFERENCEDDRIVE in WIN7_REFERENCE WIN7_REFERENCE.wim
Specify Product Key | Accept the default selections.
OS Settings | Full Name: Admin; Organization: Contoso LTD.
Admin Password | Administrator Password: Pa$$w0rd; Please confirm Administrator Password: Pa$$w0rd
Summary | Review the summary.
Confirmation | Click Finish.

Results: After this exercise you should have added the captured image to the deployment workbench and created a task sequence for the target computer.


Exercise 4: Deploying Windows 7 to the Target Computer

Scenario
Once you have configured MDT to use the reference image you captured, you are ready to deploy the image to a test computer.
The main tasks for this exercise are as follows:
1. Start LON-CL3 with the LTI bootable media.
2. Virtual machine shutdown.
Note: LON-DC1 is the computer running Windows Server 2008 R2. LON-CL2 is the computer running Windows 7 that contains MDT 2010. LON-CL3 is the computer that will be installed with a new copy of Windows 7.

Task 1: Start LON-CL3 with the LTI bootable media
To deploy using the Lite Touch Installation you need to mount the boot image to the computer and boot it into the WinPE environment.
Mount C:\Program Files\Microsoft Learning\6294\Drives\LiteTouchPE_x86.iso on LON-CL3.
Start LON-CL3.
Complete the Windows Deployment Wizard with the following information:

On this wizard page | Do this
Welcome to Deployment | Run the Deployment Wizard to install a new Operating System.
Specify Credentials for connecting to network shares | Username: Administrator; Password: Pa$$w0rd; Domain: Contoso
Select a task sequence to execute on this computer | Deploy Windows 7 to Clients
Configure the computer name | LON-CL3
Join the computer to a Domain or workgroup | Join a domain; Domain: “Contoso”
Specify whether to restore user data | Accept the default selections.
Language and other preferences | Accept the default selections.
Set the Time Zone | Accept the default selections.
Specify the BitLocker configuration | Accept the default selections.
Ready to begin | Click Begin.

Note: The entire process takes approximately 20 minutes to complete.
Review the Deployment Summary page for any errors, and then click Finish and turn off LON-CL3.

Task 2: Virtual machine shutdown
When you finish the lab, revert each virtual machine back to its initial state. To do this, complete the following steps:
• On the host computer, start Hyper-V Manager.
• Right-click each virtual machine name in the Virtual Machines list, and then click Revert.
• In the Revert Virtual Machine dialog box, click Revert.

Results: After this exercise you should have deployed Windows 7 to LON-CL3.


Module Review and Takeaways

Best Practices for Implementing Lite Touch Installation
• Ensure that you have met the requirements for implementing LTI, which include the availability of a managed network and a file server, and all the software requirements for MDT 2010.
• Ensure that you have sufficient storage space for deployment shares and migration data.
• Use WDS to deploy to network computers and deployment media for computers with slow or no network connectivity.
• For highly scalable LTI environments, implement replication using MDT Database, SQL Server and Distributed File System (DFS) technologies.

Best Practices for User Data Considerations
• When you use the refresh computer scenario and have determined the storage requirements for the user state migration data, store your data on the local computer. This reduces the time it takes to deploy Windows 7 and reduces network utilization.
• Consider the security and privacy of the user data and profiles located in the temporary storage location.

Tools
Tool | Use | Where to find it
Microsoft Deployment Toolkit (MDT) 2010 | • Deploys Microsoft products to desktops and servers • Creates a single path for image creating and automated installation | Microsoft Download Center
Microsoft Windows Deployment Services (WDS) | Stores both boot and installation images for deployment | Microsoft Download Center

Tool | Use
Windows Preinstallation Environment (Windows PE) | Deploys Windows. (The AIK includes several tools used to build and configure Windows PE environments.)
Deployment Workbench | An administration console for MDT 2010
Windows PowerShell | Provides an environment to perform administrative tasks by execution of cmdlets
User State Migration Tool (USMT) | Migrates user settings and data for a large number of computers
Windows Automated Installation Kit (Windows AIK) | Supports the deployment of Windows operating system
Windows 7 installation files | Installs Windows or upgrades previous Windows versions
Where to find it: Microsoft Download Center; Microsoft Deployment Toolkit; Microsoft Deployment Toolkit; Windows 7; Windows AIK; Microsoft Download Center; Windows 7 Product DVD




Module 8
Deploying Windows® 7 by Using Zero Touch Installation

Contents:
Lesson 1: Designing the Zero Touch Installation Environment
Lesson 2: Performing Zero Touch Installation by Using MDT 2010 and Configuration Manager 2007
Lab: Deploying Windows 7 by Using Zero Touch Installation


Module Overview

Organizations that have achieved a rationalized or dynamic network environment can benefit from the automated capabilities of the Zero Touch Installation (ZTI). A Zero Touch solution is primarily targeted toward enterprise-class organizations that have deployed network infrastructure prerequisites. These organizations can take advantage of robust deployment automation capabilities, and can choose whether any end-user involvement is required. This module explains the necessary prerequisites and procedures for deploying the Windows® 7 operating system by using a ZTI methodology.


Lesson 1
Designing the Zero Touch Installation Environment

After the decision to implement a Zero Touch solution is made, you must begin to design the Zero Touch environment. You must ensure that your organization supports the necessary prerequisites, including storage capabilities and an understanding of the current network connection capabilities and limitations.
Two important steps of the design phase are:
1. Identify business requirements and how they map to the ZTI features, processes, and outcomes.
2. Ensure that the required infrastructure exists and is considered a highly scalable ZTI deployment infrastructure.
More specifically you must:
• Meet the requirements of the WDS environment
• Design and determine required images and the process for how they are to be deployed
• Determine the deployment scenario(s) that matches business requirements
• Determine the storage requirements for user data migration
• Define distribution points and task sequences
This lesson provides considerations for these topics as you begin to design your Zero Touch solution. Once the ZTI infrastructure has been implemented, a Zero Touch deployment process can begin.


Process of Deploying Windows 7 by Using ZTI

Key Points
Windows 7 ZTI-based deployments are performed by using System Center Configuration Manager 2007 SP2 and Microsoft Deployment Toolkit 2010. The process of deploying Windows 7 by using ZTI with MDT 2010 consists of several high-level steps as follows.

Design the ZTI Environment
Designing the ZTI environment is a planning process. The design process consists of the following high-level steps:
1. Select the appropriate deployment scenarios.
2. Select the deployment methods.
3. Ensure that the required infrastructure exists.
4. Determine the appropriate processing rules. These are only needed if you are using MDT or Configuration Manager.
5. Determine a monitoring plan.
6. Train team members.
For most production environments, the majority of services required for deployment already exist. However, you must verify that the required infrastructure exists to support ZTI-based deployments before continuing the deployment process.
Designing the ZTI environment starts with conceptual designs, which are proven and refined in a test environment. The result of the planning process is a set of design documents you can use to build a Configuration Manager infrastructure and to perform automated operating system and application deployments in a production environment.


Implement the ZTI Infrastructure
Several server roles may be required to support the Zero Touch deployment process. These server roles may include the following:
• Build server: This is the source for custom deployment images.
• Data server: This is used to store computer backups and user state migration data.
• Application installation server: This is used to store the source files for core and supplemental application installations.
• Microsoft Windows® Deployment Services (WDS) server: This is the engine for Pre-boot Execution Environment (PXE) booting. In the ZTI deployment, the WDS servers are responsible for installing Windows PE on the target computers. Start Windows PE from WDS to prepare the target computer for operating system image deployment.
• Database server: This optional server can be used as a centralized repository for managing deployment configuration settings.

Install and Configure Configuration Manager 2007
To set up a new Configuration Manager 2007 site, you can use either the Configuration Manager 2007 Setup Wizard or perform an unattended installation using a scripted installation method. Configuration Manager is a service that can be installed in any one of the server roles depending on your infrastructure needs. After Configuration Manager is installed, you can open the Configuration Manager console.
Note: Typically, the design and installation of the Configuration Manager 2007 environment is done by the infrastructure team. The Operating System Deployment team does any additional design.

Install MDT 2010
After you ensure that all prerequisites are met, install a new instance of MDT 2010 on each computer where you want to manage MDT 2010 deployment shares. MDT 2010 is used to provide setup and configuration files that are integrated into the operating system deployment functionality provided by Configuration Manager.
To install MDT 2010, run the MDT installer (MicrosoftDeploymentToolkit_platform.msi).

Integrate Configuration Manager and MDT 2010
You can integrate Configuration Manager and Microsoft Deployment Toolkit 2010 to make Zero Touch deployments of the Windows 7 operating system quicker and easier to configure, and to add functionality to the deployment process. The process of creating and implementing new task sequences for deploying operating systems is greatly enhanced by the Import Microsoft Deployment Task Sequence Wizard. MDT 2010 adds new scripts to Configuration Manager.

Configure the PXE Service
The PXE service point is a Configuration Manager 2007 site role that responds to PXE requests from computers that have been imported into Configuration Manager. The PXE service point must be configured to respond to PXE boot requests by Configuration Manager clients so that they can interact with the Configuration Manager infrastructure to determine the appropriate installation actions to take.
To provide PXE boot services, you must configure the WDS server role. When you perform the WDS installation, configure WDS to not respond to clients. After the installation, all WDS tasks are performed from within the Configuration Manager console.


Create and Distribute Images and Packages
Operating system and boot images are used to deploy an operating system to a Configuration Manager client. You can add operating system and boot images to use with your deployments by using the Configuration Manager console.
When you create the operating system image to deploy to target computers, the image contains the operating system and related files. Other applications and tools can be installed:
• As a separate task sequence step
• Manually, after the operating system is installed
• Pre-installed as part of the image
Boot images contain the appropriate version of Windows PE and are stored with the .WIM file name extension. These .WIM files are supplied and customized by the Configuration Manager administrator, or obtained from an external source. Configuration Manager includes two boot images: one to support x86 platforms and one to support x64 platforms. It is recommended that you use these images unless you have specific drivers that you need to include.
Boot images are distributed to distribution points like operating system images. Configuration Manager uses distribution points to store files needed for packages to run on client computers. These distribution points function as distribution centers for the files that a package uses, allowing users to download and run these files, programs, and scripts when a package is advertised.
To run advertised programs requiring files that do not reside on the local computer, clients must have access to at least one distribution point from which they can download or run those files.

Configure and Advertise a Task Sequence
You can create task sequences that allow you to install an existing image package, build and capture a reference operating system image, or create a custom task sequence to perform a customized task using variables. You create a task sequence to deploy an existing operating system image to a target computer by using the New Task Sequence Wizard in the Configuration Manager console.
You advertise task sequences to collections by using the New Advertisement Wizard in the Configuration Manager console. Before you run the New Advertisement Wizard, you need to know what target collections and desired run-time behavior you want for the advertisement. Read access to the task sequence is required to advertise the task sequence, and the task sequence must exist prior to creating the advertisement.

Create Collections as Needed
Collections provide you with the means to organize resources into manageable units, enabling you to create an organized structure that logically represents the kinds of tasks that you want to perform. Collections also serve as targets for performing Configuration Manager operations on multiple resources at one time. By default, Configuration Manager provides 16 default collections.
To create a new collection, you must have Create permission for collections. To advertise a program to a collection, you must have Advertise permission for collections.
Before you distribute operating system images, examine all of the collections in your Configuration Manager hierarchy and adjust them if necessary. Prepare the collections you want to use at the preliminary stage of the process so you can select from existing collections when you deploy a Windows 7 image.
Question: What is the main benefit of integrating MDT 2010 and Configuration Manager?


Packages and Images Required by the Task Sequence Process

Key Points
Depending upon your deployment scenario, a Configuration Manager task sequence may reference a number of packages during installation. These packages can be pre-configured before you create a task sequence, or you can use the Import Microsoft Deployment Task Sequence command to automatically create the packages that are needed. Packages that may be referenced within a task sequence are listed in the following table:

Package or Image | Contains
Boot image package | Boot image used to initiate the ZTI deployment process.
Microsoft Deployment Files package | Contents of the Microsoft Deployment distribution share directory. The files used from the distribution share directory are the scripts and control files.
OS image | Image of the operating system to be deployed to the target computer.
Client package | Configuration Manager client installation files.
Device driver package | Configuration Manager uses driver packages to control the distribution of drivers to distribution points.
USMT package | USMT files used to capture and restore user state.
Custom Settings package | Unattended files and customsettings.ini.
Sysprep files package | Specific Sysprep files defined for a package.

In addition to the packages and images required by the task sequence templates, consider creating and including the following elements in the task sequences to provide similar functionality in MDT 2010 Deployment Workbench 4.2 (Deployment Workbench):
• Application packages: These packages include any applications that the deployment team wants to install as part of the operating system deployment.
• Windows package file packages: These packages include any Windows package files that the deployment team wants to install as part of the operating system deployment.
• Device driver package: Configuration Manager uses driver packages to control the distribution of drivers to distribution points.
Question: What is the purpose of the boot image?


Considerations for Designing a ZTI Environment

Key Points
Designing the ZTI environment correctly is critical to a successful deployment of Windows 7. The following are considerations for designing a ZTI environment.

Infrastructure and Network Requirements
Images distributed to target computers can be quite large—from 500 megabytes (MB) to 4 gigabytes (GB). In a Wide Area Network (WAN) environment, ensure that the target computers have a high-speed, persistent connection to the servers that are being used in the deployment process. These servers include:
• Configuration Manager site servers and distribution points
• WDS Server
Note: Multicasting is a new feature in Configuration Manager. Multicast allows for image deployment with a much reduced network load.

Deployment Scenarios
Deployment scenarios determine whether user states need to be migrated. The following are four deployment scenarios:
• New Computer: A new installation of Windows is deployed to a new computer.
• Upgrade Computer: The current Windows operating system on the target computer is upgraded to the deployed operating system.
• Refresh Computer: A computer that is currently running a supported Windows operating system is refreshed.
• Replace Computer: A computer that is currently running a supported Windows operating system is replaced with another computer.


8-10 <strong>Planning</strong> <strong>and</strong> <strong>Managing</strong> Windows® 7 <strong>Desktop</strong> <strong>Deployments</strong> <strong>and</strong> EnvironmentsBased on the existing environment, the deployment team can select any combination of these scenarios inthe deployment.WDS Environment ConsiderationsBefore you deploy images by using WDS, ensure that there is a high-speed, persistent connection to theWDS servers that are used in the deployment process from the destination computers. If the organizationcannot provide sufficient network capacity to deploy images, software, <strong>and</strong> migration data to computers;perform one of the following actions:• Temporarily place the appropriate servers closer to the destination computers for the duration of themigration• Temporarily move the destination computers to a staging area where the computers can be deployed• Store user state migration data locally on the destination computers• Perform ZTI locally by using deployment mediaUser Data MigrationIf you decide to migrate user settings <strong>and</strong> data, you must determine how much storage is required for themigration data. When the storage requirement is known, designate local storage on the destinationcomputers or shared folders to temporarily store the migration data. If you are deploying with the refreshcomputer scenario, consider the hard-link migration using the User State Migration Tool (USMT) 4.0.For planning purposes, estimate the user state migration storage requirements by performing thefollowing tasks:• Run Scanstate.exe in the USMT with the /p option to estimate the size of the user state migrationdata.• View the size of the contents of the folders in the user profile.After determining the storage requirements for the user state migration data, determine where to storethe data. 
Also consider the security and privacy of the user data and profile in the temporary storage location, whether that is local storage or a shared folder on a network drive. If you are using Windows Easy Transfer, you can protect the migration file with a password. If you are using USMT, you can encrypt the migration store with an encryption key. In addition, if you use a network share for the temporary storage location, secure the share and set its permissions so that users have access only to the share where their own user data is located.

Image Types

The deployment team must decide whether their deployment scenario requires a standard or customized image for the Windows 7 deployment. Zero Touch deployment uses two basic image types, both of which use the Windows Image (.wim) file format:

• Capture image: A type of boot image that you start a client computer into to capture the operating system as a .wim file. You must first create a capture image when you are creating custom install images.
• Discover image: A type of boot image that you can use to install an operating system on a computer that is not Pre-Boot Execution Environment (PXE) enabled. When you start a computer into a discover image, a server will be located, and then you can choose the install image you want to install.

Image customization invariably brings up discussions of whether images need to contain the operating system files only (thin image) or the line of business application software as well (thick image).
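The User Data Migration guidance above (estimate the store with /p, restrict the temporary share, encrypt the store with a key), as an added PowerShell example that is not part of the courseware. The file server and share name, USMT folder, key file path, capture account and 20 percent headroom are assumptions, as is the layout of the /p estimate file (PreMigration/storeSize/size).

```powershell
# Added example (not from the courseware): size, lock down and encrypt a USMT 4.0 store.
# Assumed values: USMT folder, share name, key file path, account that runs the capture.
param(
    [string]$UsmtDir   = 'C:\USMT\amd64',
    [string]$StoreRoot = '\\FILESRV01\MigData$',
    [string]$KeyFile   = 'C:\Deploy\usmt.key',
    [string]$Account   = "$env:USERDOMAIN\$env:USERNAME"
)

$scanstate = Join-Path $UsmtDir 'scanstate.exe'
$storePath = Join-Path $StoreRoot $env:COMPUTERNAME
$estimate  = Join-Path $env:TEMP 'usmt-estimate.xml'
$rules     = @("/i:$UsmtDir\migapp.xml", "/i:$UsmtDir\miguser.xml")

foreach ($p in $scanstate, $KeyFile) {
    if (-not (Test-Path $p)) { throw "Required file not found: $p" }
}

# 1. One folder per computer, with inheritance removed and explicit ACEs only:
#    the capture account (Modify), Administrators and SYSTEM (Full, given as
#    well-known SIDs so the names do not depend on the OS language).
New-Item -ItemType Directory -Path $storePath -Force | Out-Null
& icacls.exe $storePath /inheritance:r /grant:r `
    "${Account}:(OI)(CI)M" '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-18:(OI)(CI)F' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed ($LASTEXITCODE); store folder is not secured" }

# 2. Ask ScanState for a size estimate (/p:<file>) before any capture is attempted.
& $scanstate $storePath $rules "/p:$estimate" "/l:$env:TEMP\scanstate-estimate.log"
if ($LASTEXITCODE -ne 0) { throw "ScanState estimate failed ($LASTEXITCODE)" }

# Assumed estimate layout: <PreMigration><storeSize><size clusterSize="...">bytes</size>
$xml = New-Object System.Xml.XmlDocument
$xml.Load($estimate)
$needed = ($xml.SelectNodes('/PreMigration/storeSize/size') |
    ForEach-Object { [int64]$_.InnerText } |
    Measure-Object -Maximum).Maximum
if (-not $needed) { throw "No storeSize value found in $estimate" }

# 3. Compare the estimate with the free space on the share (20 percent headroom, assumed).
$fso  = New-Object -ComObject Scripting.FileSystemObject
$free = [int64]$fso.GetDrive($fso.GetDriveName($storePath)).AvailableSpace
if ($free -lt ($needed * 1.2)) {
    throw ("Store needs about {0:N0} MB but only {1:N0} MB is free on {2}" -f
        ($needed / 1MB), ($free / 1MB), $StoreRoot)
}

# 4. Capture with encryption. The key comes from a file (/keyfile) rather than
#    /key:<string>, so it does not appear on the command line or in script text.
& $scanstate $storePath $rules /o /encrypt "/keyfile:$KeyFile" "/l:$env:TEMP\scanstate.log"
if ($LASTEXITCODE -ne 0) { throw "ScanState capture failed ($LASTEXITCODE)" }

"Encrypted store written to $storePath ({0:N0} MB estimated)" -f ($needed / 1MB)
```

LoadState needs /decrypt with the same key file to restore this store, so the key file has to be protected and retained for as long as the store exists.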


Distribution Points

Some planning considerations are necessary to effectively deliver software packages to the appropriate clients. These considerations include:

• Choose between a server and a server share distribution point
• Choose between a standard and branch distribution point
• Decide whether to enable BITS on a distribution point
• Decide whether to protect the distribution point

Choose Between a Server and a Server Share Distribution Point

A distribution point is the only site system role that can be created as a server share. The main reason for you to create a share on a server and define that share as a distribution point is that this allows you to choose a specific drive where Configuration Manager creates and writes the support files for the distribution point role.

The following table describes the advantages and disadvantages of opting for a server versus a server share.

Option: Server

Advantages:
• Configuration Manager automatically creates a common package share when the first package is copied to the distribution point.
• There is less chance of failing to copy a package because Configuration Manager 2007 creates a new SMSPKGx$ share when more space is needed.
• The server can be configured as a branch distribution point.
• The server can be configured to support Internet-based clients.

Disadvantages:
• Every time Configuration Manager copies a package to the distribution point, it chooses the NTFS drive with the most free disk space, making it difficult to determine which drive letter will hold the new package.
• Configuration Manager 2007 can take over all available NTFS disk space on the server.

Option: Server share

Advantages:
• Configuration Manager does not use space reserved for other functions on other partitions.

Disadvantages:
• Administrators must manually create a shared folder before creating the new site system server share.
• Configuration Manager might fail to create a package if there is no free space on the partition where the shared folder was created.
• Configuration Manager does not create a data discovery record (DDR) to monitor the health of the site system.
• The server share cannot be configured as a branch distribution point.
• The server share cannot be configured to support Internet-based clients.

Choose Between a Standard and Branch Distribution Point

Configuration Manager branch distribution points are specifically designed to support branch offices, which typically have fewer clients and use a slow network connection. Configure a distribution point as a branch distribution point if any of the following conditions apply:


• You have a remote location connected to the main Configuration Manager site location by a slow connection and want to optimize software distribution to clients in that location without creating a primary or secondary site for that location.
• You do not have a server that can function as a distribution point in a branch location, but you want to allow clients in that office to access content from a local distribution point.
• You want to use a client operating system to provide the distribution point function and do not need more than ten concurrent connections.
• You want the package to be copied to the distribution point only when a client actually requests to install the package.

Decide Whether to Enable BITS on a Distribution Point

Enabling BITS on a Configuration Manager distribution point helps control bandwidth when you are downloading content from a standard distribution point to a Configuration Manager client. When a computer is downloading from a BITS-enabled distribution point and is interrupted, it can resume where it left off, even if the client computer connects to a different distribution point.

You must enable BITS if the Configuration Manager distribution point supports the following clients:

• Mobile device clients
• Internet-based clients

If you have branch distribution points, you must have at least one BITS-enabled standard distribution point from which to download content.

Decide Whether to Protect the Distribution Point

When you protect a Configuration Manager site system, only clients in that boundary can access the distribution point or state migration point role on that site system.
You protect these site roles to help control network utilization.

Before deciding to protect any distribution points, you need to know the following information:

• The location of all distribution points in the site
• The location of all distribution points in the hierarchy, if you support roaming
• The location and available bandwidth of any slow network links
• The largest package sizes you tend to distribute

You should consider protecting a distribution point if any of the following are true:

• The distribution point is across a slow network link from other clients in the site.
• The distribution point is a branch distribution point.
• You frequently distribute large packages and want only clients closest to the distribution point to download content from it.

You should be careful about protecting all distribution points in the site. If you protect distribution points for each advertisement or software update deployment that you create, you must consider whether to allow clients to fall back to unprotected distribution points when the content is not available on the protected distribution point.

Task Sequences

Task sequences provide the mechanism for performing multiple steps or tasks on a client computer at the command-line level without requiring user intervention. Task sequences do not represent a full scripting language.


Task Sequences and the Network Access Account

In Configuration Manager 2007, task sequences run only in the context of the local system account. The Network Access account is used to access required packages located on Configuration Manager distribution points. You must configure the Network Access account correctly or the task sequence fails because it is not able to access the required Configuration Manager packages to complete the associated task. In Configuration Manager 2007 R2, the task sequence can be modified to run as a different account.

When you use a boot image to initiate an operating system deployment, Configuration Manager uses the Windows PE environment. The Windows PE environment uses an automatically generated, random name that is not a member of any domain. Without configuring the Network Access account properly, the computer may not have the necessary permissions to access Configuration Manager packages to complete the task sequence.

Capture Operating System Image Task Sequence Action

Task sequence variables govern the operation of the task sequence action.
Input variables are read or used by the task sequence action and correspond to task sequence action fields in the task sequence editor.

The following variables are written or set by the task sequence action to be read by later actions in the task sequence:

• OSDCaptureAccount (input): Specifies a Windows account name that has permissions to the network share where the captured image will be stored.
• OSDCaptureAccountPassword (input): Specifies the password for the Windows account used to store the captured image on a network share.
• OSDCaptureDestination (input): Specifies the location where a captured operating system image will be saved.
• OSDImageCreator (input): An optional name of the user that created the image, stored in the WIM file.
• OSDImageDescription (input): An optional user-defined description of the captured operating system image that is stored in the WIM file.
• OSDImageVersion (input): An optional user-defined version number to assign to the captured operating system image.
• OSDTargetSystemRoot (input): Specifies the path to the Windows directory of the installed operating system on the reference computer.

The Operating System Image Task Sequence can be used to capture an image for deploying to a new (bare metal) computer, refresh computer, in-place upgrade, and replace.

Editing a Task Sequence

You can use the Task Sequence Editor to:

• Update or change the task sequence run-time actions
• Change the order of the task sequence steps by changing the assigned priority
• Specify how the task sequence handles errors for failed steps
• Add conditions by using If statements on the Options tab

If the task sequence has any unassociated references to a package or a program as a result of the edit, you must fix the reference, delete the unreferenced program from the task sequence, or temporarily disable the failed task sequence step until the broken reference has been fixed or removed.


Task Sequence Groups

Groups are multiple steps within a task sequence. Groups can be nested within each other, and a group can contain a mixture of steps and subgroups. You can also configure the group failure behavior as you do with individual steps.

To allow the task sequence to continue to the next step if one of the steps fails, use the Options tab to set the task sequence to Continue on error.

Running Task Sequences

Before the program begins to run, the task sequence checks for referenced packages. If a referenced package is not validated or available on a distribution point, the task sequence returns an error for the associated task sequence step.

If an advertised task sequence has been configured to download and run, all dependent programs are downloaded to the Configuration Manager client cache. The necessary packages and programs are obtained from distribution points, and if the Configuration Manager client cache size is too small or the program cannot be found, the task sequence fails and a status message is generated.

You can also specify if the content must be downloaded as needed by selecting Download content from distribution point and run locally, or you can use the Run program from distribution point option to specify that the installations must run across the network.

Highly Scalable ZTI Deployment Infrastructure Considerations

To support deployment load, you can implement the ZTI infrastructure to be highly scalable.
The following table describes the high-level challenges, applicable solutions, and benefits of moving to the rationalized level in desktop, device and server management.

Challenges

Business Challenges
• Little protection from unauthorized mobile network access
• Limited security options for mobile e-mail
• Inability to delegate standard mobility-related support incidents to help desk

IT Challenges
• Deployments are partially manual and PCs are exposed to attacks or virus infections
• Not using automated tools for desktop testing, deployment, and support
• Inaccurate knowledge of hardware, software, and desktops increases maintenance costs
• Securing servers, PCs, and mobile devices from wired or wireless networks with varying security levels

Solutions

Projects
• Automate OS distribution and installation
• Automate asset life-cycle management of hardware and software
• Install latest two OS versions on desktops
• Implement standard compatibility testing and certification of new software
• Extend automated patch management to servers
• Help guarantee secure communications with mobile devices
• Provide access to Web applications by using WAP or HTTP
• Begin using virtualization to consolidate servers
• Implement a layered-image approach for desktop deployment

Benefits

Business Benefits
• Mobile, secure, centrally managed desktop environment
• Reduced user downtime by maintaining patch and operating system updates
• Users spend less time with first-line support, resulting from application testing
• Highly automated IT services lead to lower costs and improved consistency

IT Benefits
• Automated deployment of new desktops, desktop rebuilds, and user migrations
• More effective desktop security
• Consistent security and stability of desktop and mobile environments inside and outside the organizational firewall

Question: Your network manager is concerned about the over-subscription rate on the closet switches to support your deployment. What technology do you use to ease this concern?


Discussion: Designing a Zero Touch Installation Environment for a Given Scenario

Scenario

You are a Desktop Administrator in a large multi-national corporation. Your organization has decided to deploy Windows 7 throughout the organization. You are in charge of the deployment project in Europe. Your company has three offices in the region: Paris, London, and Berlin.

You work at the main office in Paris, which has around 300 users and three servers. The offices in Berlin and London have around 50 users and one server each. The London office is connected with a high-speed internet link to the Paris office, whereas the Berlin office has a slower internet connection. Most of the users in Western Europe have fairly new computers because the hardware refresh for these offices was done less than a year ago. In each office, there are three IT support technicians that help troubleshoot daily computer issues on-site.

You have received a custom Windows 7 image from the corporate office in Seattle. Your task is to deploy this custom image to all employees in your region. All required applications are shipped in the custom image and any software updates are managed by Group Policy. You decide to deploy this custom image by using ZTI. You have five servers that you can use for this deployment project.

Question: What must you consider when designing your ZTI deployment infrastructure to deploy Windows 7 to all employees in the European offices?

Question: How do you deploy the image effectively to the Berlin office to mitigate the slow connection?


Lesson 2

Performing Zero Touch Installation by Using MDT 2010 and Configuration Manager 2007

After you design and implement the infrastructure to support the ZTI tools, the next step in the ZTI deployment process is to install and configure the PXE service point for ZTI deployments. You can install Configuration Manager, add operating system files and device drivers, create task sequences to deploy and capture the reference installation, and deploy the captured image to destination computers.

This lesson provides an overview of the requirements to install MDT 2010 and Configuration Manager, and of how to install MDT 2010 and Configuration Manager to deploy Windows 7 by using ZTI.


Demonstration: The Configuration Manager Console

Key Points

Configuration Manager 2007 is a collection of features that help you fulfill your business requirements. After you deploy your site and install clients, Configuration Manager will not fulfill any business functions unless you enable the features. Some features can be used individually with little or no dependence on other features.

Demonstration Steps

This demonstration provides an introduction to the Configuration Manager Console.

Overview of the Configuration Manager Console

1. Open the Configuration Manager Console and then expand the Site Database Site Settings to view Boundaries. The following nodes are displayed:
• Boundaries: Used to define IP subnets, Active Directory sites, IPv6 prefixes, or IP ranges that must be assigned to the Configuration Manager site. Only clients that are within the Boundary can be managed by Configuration Manager 2007.
• Client Agents: Client components that can be enabled, disabled, and configured to perform various tasks within the Configuration Manager environment. For example, the Hardware and Software Inventory Client Agents specify settings related to collecting hardware and software installed on each Configuration Manager client.
• Site Systems: Displays the site system roles installed on a specific server. You can add or remove site systems as needed.
2. Expand Computer Management and open Collections. Collections are used to target tasks such as software or software update deployment.
3. Expand Operating System Deployment and view the following options:
• Boot Images: Displays a list of Operating System boot images that have been created. These are Windows PE based images that are used to boot computers during operating system deployment tasks. By default, an x86 and an x64 image are provided. You can add your own custom images as needed.
• Computer Association: Helps with two main tasks: migrating user state and settings from a source computer to a destination computer, and importing unknown computers into the Configuration Manager database.
• Operating System Images: Displays a list of the Operating System images that have been added to the Configuration Manager environment. You can add the default WIM file from the Windows media or you can add your own customized WIM files as needed.
• Operating System Install Packages: Lists the installation packages that have been configured to be deployed to client workstations.
• Task Sequences: Provides a list of the task sequences that have been created.
• Drivers: Provides a list of the drivers that have been imported into the Configuration Manager environment.
• Driver Packages: Provides a list of driver packages that can be deployed to clients. These packages refer to the drivers listed in the Drivers node.
• Unprovisioned Computers: Lists computers that have been discovered by Configuration Manager as an unknown computer and that do not have the Configuration Manager Client installed.

Question: To create an Operating System Install Package, what must you first import into the Configuration Manager environment?


Demonstration: Installing Prerequisite Components for ZTI

Key Points

To prepare the deployment environment to run ZTI with Configuration Manager, complete the following steps:

• Install the PXE Service Point
• Install Configuration Manager
• Install MDT 2010
• Enable Microsoft Deployment integration with the Configuration Manager console in Configuration Manager 2007

Install the PXE Service Point

Installation of the PXE Service Point occurs in the Distribution Share of the Deployment Workbench. Expand this item to view the operating systems, applications, operating system packages, and out-of-box (OOB) drivers that the distribution share contains. Click any item beneath Distribution Share to view its contents in the details pane.

Install Configuration Manager

The following checklist is intended to provide a high-level list of items to consider and outlines the steps you should take to install Configuration Manager 2007 R2:

• Ensure that your computing environment meets the supported configurations required for installing the Configuration Manager 2007 R2 feature update release.
• Verify that you do not have any unresolved operational issues with the site by checking the site status messages.
• Install any critical Windows updates on the site server and site systems.
• Install any critical Microsoft® SQL Server® updates on the site database server.


• If you are using SQL Server Database Replication, disable it before upgrading.
• Back up the site to be upgraded.
• No additional schema updates are required for Configuration Manager 2007 R2.
• Restart the site server and site systems to ensure that there are no pending actions from installing updates or prerequisites.
• Run Configuration Manager 2007 R2 Setup from the Configuration Manager installation media, from a copy of the installation media located on a network shared folder, or other storage media to start the Configuration Manager R2 Setup Wizard.

After installing the Configuration Manager 2007 R2 feature update release on the primary site server, Configuration Manager 2007 R2 Setup must be run on secondary site server computers and on any associated Configuration Manager consoles to allow Configuration Manager 2007 R2 features to be displayed.

Install MDT

In most instances, MDT is already installed on the deployment server. In instances where this task has not yet been completed, install MDT. For integrated Configuration Manager support with Deployment Workbench, install MDT on each computer that is running the Configuration Manager console. This allows you to run the Configuration Manager 2007 Integration option and specify data for MDT packages.

Configure the appropriate processing rules based on the environment in the MDT database. The ZTI deployment process uses rules defined in the MDT database to configure target computers.

Enable Configuration Manager Console Integration

Before the deployment team can use the Configuration Manager integration features, run the Configure Configuration Manager 2007 Integration script. The script copies the appropriate Configuration Manager integration files to the Configuration Manager 2007_root (where root is the folder in which Configuration Manager is installed).
The script also adds Windows Management Instrumentation (WMI) classes for MDT custom actions. The classes are added by compiling a new Managed Object Format (MOF) file that contains the new class definitions.

Demonstration Steps

This demonstration shows how to install and configure MDT 2010 and the PXE Service Point.

Install MDT 2010

The Microsoft Deployment Toolkit is available for x86 and x64 environments. The 64-bit version is used in this demonstration. The setup includes tools and documentation on how to use the tool.

1. Launch the Microsoft Deployment Toolkit and select the 64-bit version.
2. Start the Setup Wizard and accept the default setting on the Custom Setup page; finish the installation and close the MDT window.
3. From the Start menu, open the Configure ConfigMgr Integration tool. The ConfigMgr extension files are used to provide MDT functionality to the Configuration Manager console.
4. Ensure that the Install the ConfigMgr extensions option is selected with the site server name and site code, and complete the wizard.

Install the WDS Server Role

WDS is required to provide the PXE boot capabilities of ZTI. You can install the server role using the Server Manager in Windows Server 2008. Once WDS is installed, all configuration settings take place from within Configuration Manager 2007. You do not configure any WDS settings from within the Windows Deployment Services console.

1. Open Server Manager.
2. Add a Role using the Add Roles Wizard.
3. Select Windows Deployment Services on the Select Server Roles page.
4. Complete the installation process and review the Installation Results page.

Configure the PXE Service Point Role

The PXE Service point role takes over the WDS installation and provides PXE boot services for clients.

1. Open the Configuration Manager Console to view information for the server. Take note of the configured roles on the server.
2. Start the New Site Role Wizard. Make sure to specify a fully qualified domain name.
3. Open required ports by using the PXE Service Point Configuration box.
4. Configure the following general PXE information:
• Allow this PXE service point to respond to incoming requests: Enable
• Enable unknown computer support: Enabled
• Require a password for computers to boot using PXE: Not Enabled
• Respond to PXE requests on all network interfaces: Selected
• Delay (seconds): 0
5. Use default PXE database settings and complete the wizard.

Question: What are ways that you can help ensure security within your Operating system deployment solution?


Demonstration: Configuring Deployment Packages and Images

Key Points

Zero Touch deployment uses a number of images and packages during the deployment process. The images that are used by the ZTI process include:

• Boot images that are used to initiate the ZTI deployment process.
• Images of the operating system to be deployed to the target computer.

Additionally, packages may be needed, depending on your ZTI scenario. These packages include:

• Deployment files package
• Client package
• Device driver package
• USMT package
• Custom settings package
• Sysprep files package

Add Boot and Operating System Images and Packages

The operating system WIM files you import can be used as part of an operating system deployment task sequence. You can add operating system install packages for use with your setup-initiated operating system deployments. The operating system install packages can be copied to distribution points so that they are available for Configuration Manager 2007 computers to install them.

Add Drivers and Driver Packages

You can import device drivers for use in your Configuration Manager 2007 site. Imported device drivers can be added to boot image packages or driver packages and can be installed as part of an Operating System Deployment task sequence. Configuration Manager 2007 reads the provider, class, version, signature, supported hardware, and supported platform information associated with the device as part of the import process. By default, the driver is named after the first hardware device it supports; however, the device driver can be renamed later. The supported platforms list is determined based on the device driver's definition. However, the accuracy of this can vary; therefore, manually verify if the device driver is supported after it has been imported.

A driver package contains the content associated with one or more device drivers. Device drivers must be added to a driver package and copied to a distribution point before Configuration Manager 2007 clients can install them.

Driver packages that are made available to Windows 7-based Configuration Manager 2007 clients must not contain more than 150 device drivers in a single driver package.

You can add Windows device drivers that have been imported into the driver catalog to an existing driver package.

Configuration Manager Client Package

The client package contains Configuration Manager client installation files. You can install Configuration Manager 2007 client software on desktop and laptop computers. In addition, you can install Configuration Manager 2007 client software on server computers and manage them as clients of Configuration Manager 2007. While servers often have specific operational requirements (for example, the times you are allowed to restart server computers might be more limited than for desktop computers), Configuration Manager 2007 makes no functional distinction between server or client computers.

Client computers typically connect into the organization network directly, either by being attached directly to the network or by using VPN or dial-up access.
In Configuration Manager 2007, client computers can also be managed by Configuration Manager 2007 sites if they have a connection to the Internet but never connect directly to the organization network. These clients are called Internet-based clients, and they require additional infrastructure support.

Use the CCMSetup.exe command to manually install the Configuration Manager 2007 client software onto computers in your enterprise.

Demonstration Steps

This demonstration shows how to configure boot and operating system images and packages.

Deploy Boot Images

Configuration Manager 2007 R2 SP2 provides two initial boot images that can be used for basic operating system deployments. You can also import your own custom boot images and deploy them as required.

For both boot images you have to ensure that they are available on all distribution points, including the WDS related distribution point.

1. In the console pane, expand Computer Management\Operating System Deployment, and open Boot Images.
2. Open the Boot image (x86) node and use the New Distribution Points Wizard to add new distribution points.
3. On the Copy Package page, select to copy the package to both the standard distribution point and the WDS distribution point.
4. Repeat steps 2-3 for the Boot image (x64).
5. Open the Boot image (x86) Package Status folder to determine the state of the package distribution.


Add Operating System Images

Before deploying an operating system, you need to add the operating system images to Configuration Manager. You can either add the default WIM from the Windows media or you can add your own custom WIM files.

1. Open the Add Operating System Image Wizard.
2. On the Data Source page, enter the path of the install.wim file.
3. Use the following information to complete the General page:
   • Name: Windows 7 ENTERPRISE
   • Version: RTM
   • Comment:
4. Complete the wizard.

After adding the operating system image, you need to deploy the image to the distribution points. You only need to deploy the image to the standard distribution point. There is no need to deploy the image to the WDS distribution point.

5. Open the New Distribution Points Wizard.
6. On the Copy Package page, select to copy the package to the standard distribution point (do not copy to the WDS distribution point) and complete the wizard.

Add Operating System Install Packages

To deploy an operating system that is available in the Operating System Images node, you need to create an Operating System Install Package.

1. Open the Add Operating System Install Package Wizard.
2. Enter the path of the Source Directory on the Data Source page.
3. Use the following information to complete the General page:
   • Name: Windows 7 ENTERPRISE
   • Version: RTM
   • Comment:
4. Complete the wizard.
5. Deploy the package to all standard distribution points using the New Distribution Points Wizard.
6. On the Copy Package page, select to copy the package to the standard distribution point (do not copy to the WDS distribution point) and complete the wizard.
7. Complete and close the wizard.
8. If you have any additional drivers that need to be deployed to the operating system, you can add the drivers to the Drivers node and then create a Driver Package. The process is similar to what has been demonstrated for the other packages.

Adding the Configuration Manager Client Package

There may be some packages that you need to deploy as standard software distribution packages. One package that needs to be deployed as a standard software distribution package is the Configuration Manager Client Package.

1. Open the Configuration Manager Console and create a new Package.
2. Select to create a Package from Definition.
3. On the Package Definition page, select Configuration Manager Client Upgrade.
4. On the Source Files page, select Always obtain files from a source directory.


5. Enter the path of the package on the Source Directory page and complete the package creation process.
6. Use the New Distribution Points Wizard to deploy the new package.

Question: What other types of packages do you deploy from the Software Distribution node?


Demonstration: Configuring and Advertising Task Sequences

Key Points

Task sequences provide the mechanism for performing multiple steps or tasks on a computer without requiring user intervention. You can create a task sequence to deploy an existing operating system image to a target computer, and can modify the task sequence after it is created. The boot image you specify must match the chip architecture installed on the target computer or the task sequence fails.

Type of Task Sequence Templates

Task sequences are created by the Task Sequence Editor and consist of a combined series of steps that are designed to complete an action. Task sequence steps can be added to a task sequence group, which helps keep similar task sequence steps together for better organization and error control. The following Task Sequence Templates are available for Zero Touch Deployment:

• Apply Network Settings: Configures the network adapter on the target computer.
• Configure ADDS: Configures the target computer as an AD directory service domain controller.
• Enable BitLocker: Configures BitLocker Drive Encryption on the target computer.
• Format and Partition Disk: Partitions and formats disks on the target computer.
• Gather: Gathers data and processing rules for the target computer.
• Install Operating System: Installs an operating system on the target computer.
• Install Roles: Installs the selected roles and features on the target computer.
• Install Updates Offline: Installs updates to the image on the target computer after the operating system has been deployed, but before the target computer has been restored.
• Restart Computer: Restarts the target computer.
• Run Command Line: Runs the specified command line on the target computer.


• Run Command Line As: Runs the specified command on the target computer and does so while impersonating the specified user.
• Set Task Sequence Variable: Sets the specified task sequence variable to the specified value.
• Validate: Validates that the target computer meets the specified deployment prerequisite conditions.

Task sequence template files that can be imported into Configuration Manager from MDT include:

• Standard Client Task Sequence: This task sequence is used for deploying client operating systems.
• Standard Server Task Sequence: This task is used for deploying server operating systems.
• Standard Client Replace Task Sequence: This task is used to capture the user state data from an existing computer so that it can be restored on a user's new destination computer.
• Custom Task Sequence: This task is used to install applications and can be customized to perform additional actions.

Advertise Task Sequences

Configuration Manager Task Sequences must be advertised explicitly for initiating deployments. This is unlike MDT task sequences, which can be advertised as the last step of the wizard that is used to configure them. In Configuration Manager you can advertise task sequences to collections by using the New Advertisement Wizard.

Before you run the New Advertisement Wizard, you must know the target collections and the run-time behavior you want for the advertisement you are creating. Read access to the task sequence is required to advertise the task sequence, and the task sequence must exist prior to creating the advertisement.

When you have created a successful advertisement, it is located under the Software Distribution/Advertisements node.

Note: Task sequence advertisement names do not need to be unique; you can assign the same name to more than one task sequence advertisement.

Demonstration Steps

This demonstration shows how to configure boot and operating system images and packages.

Overview of Configuration Manager Task Sequence Options

The Task Sequence Wizard provides a number of task sequence types that can be created.

1. Start the Task Sequence Wizard.
2. View the following task sequence options:
   • Install an existing image package
   • Build and capture a reference operating system image
   • Create a new custom task sequence

Creating the Microsoft Deployment Task Sequence

This option uses the integrated MDT functionality to create task sequences based upon the ones available from within MDT 2010. The wizard automatically does the following:

• Associates a boot image
• Creates a package that contains the required MDT files


• Associates an operating system image
• Associates or creates a client package
• Associates and creates a USMT package
• Configures Sysprep options

1. Start the Microsoft Deployment Operating System Wizard.
2. On the Choose Template page, select Client Task Sequence.
3. On the General page, specify a descriptive name for the task sequence and add an optional comment.
4. On the Details page, specify the following details:
   • Join a domain: Select this option if you want the target computer to join a domain.
   • Domain: Enter the name of the domain that you wish to add the target computer to.
   • Account: Specify the user account name and password that will be used to join the target computer to the domain. The account you specify must have domain join permissions in the Windows domain you want to add the computer to.
   • User name: Specify the user name of the target computer.
   • Organization name: Specify the organization's name.
5. On the Capture Settings page, select This task sequence may be used to capture an image and configure the following settings:
   • Capture destination: Specify the location where you want to store the captured WIM file.
   • Capture account: Specify the user account name and password that will be used to capture the image.
6. On the Boot image page, select the Specify an existing boot image package option, and browse to select the boot image.
7. On the MDT Package page, select Create a new Microsoft Deployment Toolkit Files package.
8. In the Package source folder to be created field, specify the location for the MDT package.
9. On the MDT Details page, fill in the following information that describes the package:
   • Name: Specify the name of the package
   • Version: Specify the version number of the package
   • Language: Specify the language of the package
   • Manufacturer: Specify the OS manufacturer's name
   • Comments: Specify any additional comments
10. On the OS Image page, select Specify an existing OS install package, and browse to select an existing OS package.
11. On the Client Package page, ensure that Specify an existing ConfigMgr client package is selected, and browse to select the SCCM client package.
12. On the USMT Package page, select Create a new USMT package and specify the path to the USMT executables and related files.
13. Under Package source folder to be created, type the location where you want to store the USMT package.
14. On the USMT Details page, fill in the following information for the USMT package:
   • Name: Specify the name of the package
   • Version: Specify the version of the package


   • Language: Specify the language of the package
   • Manufacturer: Specify the OS manufacturer's name
   • Comments: Specify any additional comments
15. On the Settings Package page, create a new settings package and enter a path for the package source folder.
16. On the Settings Details page, fill in the following information:
   • Name: Specify the name of the new settings package
   • Version: Specify the version of the new settings package
   • Language: Specify the language of the new settings package
   • Manufacturer: Specify the OS manufacturer's name
   • Comments: Specify any additional comments
17. On the Sysprep Package page, select No Sysprep package is required and finish the wizard.
18. After the wizard is finished, view the various tasks that make up the Windows 7 task sequence.

Question: What are the final tasks after creating the MDT task sequence?


Lab: Deploying Windows 7 by Using Zero Touch Installation

Computers in This Lab

Before you begin the lab, you must start the virtual machines. The virtual machines used at the start of this lab are:

• 6294A-LON-DC1
• 6294A-LON-SVR1

Start the Virtual Machines

1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.
2. In the Virtual Machines pane, click the virtual machine name. In the Actions pane, under the virtual machine name, click Start.
3. To connect to the virtual machine, click the virtual machine name, and in the Actions pane, under the virtual machine name, click Connect.


Exercise 1: Planning the Zero Touch Installation Environment

Scenario

You are the team lead for the Windows 7 deployment project at Contoso Ltd. Max Stevens, the IT Manager of the Research department, suggests using ZTI to install 50 new computers within the department.

Max has sent an email to you describing requirements for the ZTI deployment method.

The main tasks for this exercise are as follows:

1. Read the supporting documentation.
2. Update the Zero Touch Installation Design and Configuration Sheet.

Supporting Documentation

E-Mail from Max Stevens:

Ed Meadows
From: Max Stevens [Max@contoso.com]
Sent: 3 August 2009 08:01
To: ed@contoso.com
Subject: Re: Zero Touch Deployment for the Research Department

Hi Ed,

For the pending Windows 7 deployment for the Research Department, I think we should take advantage of our existing Configuration Manager environment and use Zero Touch Installation. Here are some considerations for you to think about:

• The current Configuration Manager solution uses Configuration Manager 2007 SP1 R2. We have not used operating system deployment features previously and so we will need to install and configure all that is required. You do not have to be concerned about the Configuration Manager architecture, however you do need to consider what is required for operating system deployments. I think we should also integrate MDT 2010 functionality in order to use some of its advanced task sequences.
• The Configuration Manager site server is called LON-SVR1. It contains Windows Server 2008 R2.
• LON-DC1 is the domain controller, which also hosts the DHCP server role.
• We will start off with a pilot deployment of 5 computers. I have already created a Collection named Windows 7 Pilot Deployment that we can use.
• We will be initially deploying 50 bare metal computers using a custom image, however for the pilot deployment, we will just use the standard Windows 7 media and default boot images.
• We plan on deploying 64-bit laptops in the next few months. I have an updated driver for the VX 6000 Lifecam that I would like to have available for when we need it.
• All newly deployed clients need to be managed by Configuration Manager 2007.

Before you start to configure the Zero Touch Installation solution, can you please answer the questions on the Zero Touch Installation Design and Configuration worksheet for me to review?

Thanks and regards
Max.


Zero Touch Installation Design and Configuration

Document Reference Number: ZTI2009
Document Author: Ed Meadows
Date: 3rd August

Requirement Overview

To install and configure a ZTI using MDT 2010 and System Center Configuration Manager 2007 SP2.
To deploy Windows 7 to the new Research department computers.

Additional Information

You have purchased 50 new computers for the Research department.

1. Given the high-level explanation of the existing Configuration Manager environment, is the current version of Configuration Manager sufficient? What do you need to do in order to incorporate MDT 2010 into the solution?
2. What do you need to do to LON-SVR1 in order to support clients booting over the network?
3. How do you ensure that all newly deployed clients are managed by Configuration Manager?
4. What steps must you perform from the Configuration Manager Console to prepare the Operating System Image to be deployed to clients?
5. What is your final main task for configuring ZTI from within the Configuration Manager console?

Task 1: Read the supporting documentation

• Read the scenario and supporting documentation.

Task 2: Update the design and configuration document with your planned course of action

• Answer the questions in the additional information section of the document.

Results: After this exercise, you have the main points of how ZTI is to be configured for the Research department.


Exercise 2: Preparing the Zero Touch Installation Environment

Scenario

You have determined that several modifications need to take place to the existing Configuration Manager deployment in your organization in order to support ZTI. You must perform these modifications in preparation for your Windows 7 ZTI deployment.

The main tasks for this exercise are as follows:

1. Install MDT 2010.
2. Configure Configuration Manager Integration.
3. Install the WDS server role.
4. Verify Configuration Manager settings and add the PXE service point role.

Note: LON-DC1 is the computer configured as a domain controller. LON-SVR1 is the computer that is to be configured with MDT 2010 and installed with the WDS server role. LON-DC1 is also assigned the PXE service point role.

Task 1: Install MDT 2010

• Log on to LON-SVR1 as Contoso\Administrator using the password Pa$$w0rd.
• Connect to \\LON-DC1\Labfiles\MDT and double-click MicrosoftDeploymentToolkit2010_x64.
• Install the Microsoft Deployment Toolkit 2010 with default settings.

Task 2: Configure Configuration Manager Integration

• On LON-SVR1, from the Microsoft Deployment Toolkit program group, run the Configure ConfigMgr Integration tool with the following options:
   • Site Server Name: LON-SVR1
   • Site code: S01

Task 3: Install the Windows Deployment Services server role

• On LON-SVR1, click the Server Manager button in the task bar.
• Install the Windows Deployment Services server role with the following options:
   • Select role services: Deployment Server; Transport Server
   • All other options with default selections

Task 4: Verify Configuration Manager settings, and add the PXE service point role

• On LON-SVR1, click Start, point to All Programs, click Microsoft System Center, click Configuration Manager 2007, and then click ConfigMgr Console.
• Analyze and verify the following:
   • Boundaries
   • Computer Client Agent Settings
   • Existing Site System roles
• On LON-SVR1, under the Site Systems node, install the PXE service point role with the following options:
   • Fully Qualified Domain Name: LON-SVR1.CONTOSO.COM


   • System Role Selection: PXE service point
   • PXE Service Point Configuration: open all required ports
   • Allow this PXE service point to respond to incoming requests: Enabled
   • Enable unknown computer support: Enabled
   • Require a password for computers to boot using PXE: Not Enabled
   • Respond to PXE requests on all network interfaces: Selected
   • Delay (seconds): 0
   • Configure all other settings as default selections.

Results: After this exercise, you have integrated MDT 2010 with Configuration Manager 2007 and you have installed WDS and configured the PXE service point role.


Exercise 3: Configuring Deployment Packages and System Images

Scenario

The MDT task sequence requires the deployment packages and system images as building blocks for the Windows 7 deployment. In this exercise you add the required images and create the required packages to be used in the deployment task sequence.

The main tasks for this exercise are as follows:

1. Set up the Configuration Manager client package.
2. Add boot and operating system images.
3. Create an Operating System Install Package.
4. Add drivers.
5. Create a driver package.

Note: LON-DC1 is the computer configured as a domain controller. LON-SVR1 is the computer that is configured with Configuration Manager 2007.

Task 1: Set up the Configuration Manager client package

• On LON-SVR1, in the console pane, expand Computer Management\Software Distribution, and then click Packages.
• Right-click Packages and then create a new package from definition with the following options:
   • Package Definition: Configuration Manager Client Upgrade
   • Source Files: Always obtain source files from a source directory
   • Source directory: \\LON-SVR1\SMS_S01\Client
• Expand Packages, expand Microsoft Configuration Manager Client Upgrade 4.0 ALL, and then click Distribution Points.
• Right-click Distribution Points and then use the New Distribution Points Wizard to distribute the package to the LON-SVR1 distribution point. (Do not select the LON-SVR1\SMSPXEIMAGES$ distribution point because this one is used for the PXE boot environment.)

Task 2: Add boot and operating system images

• In the console pane, expand Computer Management\Operating System Deployment, and then click Boot Images. Notice that default boot images are already available for both x86 and x64 installations.
• Expand Boot Images, expand Boot image (x86), and then click Distribution Points.
• Right-click Distribution Points, and then use the New Distribution Points Wizard to distribute boot image (x86) to all distribution points.
• Repeat the above three steps for Boot image (x64).
• In the console pane, right-click Operating System Images, and then click Add Operating System Image. The Add Operating System Image Wizard starts.
• Configure the following wizard settings:
   • Data source: \\LON-DC1\Labfiles\Source\sources\install.wim
   • Name: Windows 7 ENTERPRISE


   • Version: RTM
   • Comment:
• Expand Operating System Images, expand Windows 7 ENTERPRISE, and then click Distribution Points.
• Right-click Distribution Points, and then use the New Distribution Points Wizard to distribute the package to the LON-SVR1 distribution point. (Do not select the LON-SVR1\SMSPXEIMAGES$ distribution point because this one is used for the PXE boot environment.)

Task 3: Create an operating system install package

• In the console pane, click the Operating System Install Packages node.
• Use the Add Operating System Install Package Wizard to create an install package using the following wizard settings:
   • Source Directory: \\LON-DC1\Labfiles\Source
   • Name: Windows 7 ENTERPRISE
   • Version: RTM
   • Comment:
• Expand Operating System Install Packages, expand Windows 7 ENTERPRISE, and then click Distribution Points.
• Right-click Distribution Points and then use the New Distribution Points Wizard to distribute the package to the LON-SVR1 distribution point. (Do not select the LON-SVR1\SMSPXEIMAGES$ distribution point because this one is used for the PXE boot environment.)

Task 4: Add drivers

• In the console pane, click the Drivers node.
• Use the Import New Driver Wizard to import drivers.
• Configure the following wizard settings:
   • Locate Driver: Source Folder: \\LON-DC1\Labfiles\Drivers\VX6000
   • Driver Details: Leave default settings
   • Add Driver to Packages: Do not select any options
   • Add Driver to Boot Images: Do not select any options

Task 5: Create a driver package

• In the console pane, click the Driver Packages node.
• Create a New Driver Package with the following settings:
   • Name: Driver List
   • Comment: Current date
   • Driver package source: \\LON-DC1\Labfiles\Drivers
• In the console pane, click the Drivers node.
• In the details pane, select both drivers. Right-click the selected drivers and then click Add or Remove Drivers to Packages.


• In the Add or Remove Drivers to Packages dialog box, select the check box next to Driver List.
• Select the check box next to Update distribution points when finished, and then click OK.

Results: After this exercise, you have added all required images and created required packages for the client deployment task sequence.
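Added example (not part of the course material): this module says that the supported platforms list recorded at import comes from the driver's own definition and should be verified manually, and that a driver package must not contain more than 150 device drivers. The Python script below reads a driver's INF text, reports the architectures its [Manufacturer] section declares and whether a CatalogFile is referenced, and checks a package against the limit. The INF samples are constructed, the function names are hypothetical, and counting one INF as one driver is an assumption.

```python
import re

MAX_DRIVERS_PER_PACKAGE = 150  # limit this module gives for Windows 7 clients
# TargetOSVersion decoration in [Manufacturer], e.g. NTx86 or NTamd64.6.1
DECORATION = re.compile(r"^NT(x86|amd64|ia64)?(\.|$)", re.IGNORECASE)

# Constructed sample INF text (not the real VX6000 driver).
SAMPLE_INF = r"""
; constructed sample
[Version]
Signature="$Windows NT$"
Class=Image
Provider=%Mfg%
DriverVer=06/01/2009,1.0.0.0
CatalogFile=sample.cat

[Manufacturer]
%Mfg%=Models,NTx86,NTamd64

[Models.NTx86]
%Dev%=Install,USB\VID_0000&PID_0000

[Models.NTamd64]
%Dev%=Install,USB\VID_0000&PID_0000

[Strings]
Mfg="Example Vendor"
Dev="Example Camera"
"""

# Constructed sample: no platform decoration and no catalog reference.
UNDECORATED_INF = r"""
[Version]
Signature="$Windows NT$"
Class=Image
DriverVer=01/01/2008,0.9.0.0

[Manufacturer]
"Example Vendor"=Models   ; no NTx86/NTamd64 decoration
"""


def strip_comment(line):
    """Drop an INF ';' comment unless the semicolon sits inside double quotes."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            return line[:i]
    return line


def parse_inf(text):
    """Return {section_name_lowercase: [(key_lowercase, value), ...]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = strip_comment(raw).strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current.append((key.strip().lower(), value.strip()))
    return sections


def summarize_inf(text):
    """Extract the fields worth comparing with what the console shows after import."""
    sections = parse_inf(text)
    version = dict(sections.get("version", []))
    archs = set()
    for _, value in sections.get("manufacturer", []):
        decorations = [part.strip() for part in value.split(",")][1:]
        if not decorations:
            archs.add("unspecified")  # no architecture named: check by hand
        for dec in decorations:
            match = DECORATION.match(dec)
            if match:
                archs.add((match.group(1) or "unspecified").lower())
    catalogs = sorted(v for k, v in version.items() if k.startswith("catalogfile"))
    return {"class": version.get("class"), "driver_ver": version.get("driverver"),
            "catalog_files": catalogs, "architectures": archs}


def review_package(infs, target_arch):
    """infs maps INF name to INF text; returns findings for a person to follow up."""
    findings = []
    if len(infs) > MAX_DRIVERS_PER_PACKAGE:
        findings.append(f"package holds {len(infs)} drivers; limit is {MAX_DRIVERS_PER_PACKAGE}")
    for name, text in sorted(infs.items()):
        info = summarize_inf(text)
        if target_arch not in info["architectures"]:
            listed = ", ".join(sorted(info["architectures"])) or "none"
            findings.append(f"{name}: no {target_arch} models section (declares: {listed})")
        if not info["catalog_files"]:
            findings.append(f"{name}: no CatalogFile entry, so no signature catalog is referenced")
    return findings


if __name__ == "__main__":
    package = {"sample.inf": SAMPLE_INF, "old.inf": UNDECORATED_INF}
    for finding in review_package(package, "amd64"):
        print(finding)
```

A CatalogFile entry only shows that the INF names a catalog; it does not validate the signature itself.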


Exercise 4: Configuring and Advertising a Client Task Sequence

Scenario

Now that the building blocks are in place, you are ready to configure and advertise the task sequence to the client workstation.

The main tasks for this exercise are as follows:

1. Import the Microsoft Deployment task sequence.
2. Update package distribution points.
3. Advertise the task sequence.
4. Install Windows 7.

Note: LON-DC1 is the computer configured as a domain controller. LON-SVR1 is the computer that is configured with Configuration Manager 2007.

Task 1: Import the Microsoft Deployment task sequence

• In the console pane, expand Computer Management\Operating System Deployment, and then click Task Sequences.
• Right-click Task Sequences, and then click Create Microsoft Deployment Task Sequence.
• Create a task sequence with the following options:
   • Template: Client Task Sequence
   • Task sequence name: Windows 7
   • Task sequence comments: Current Date
• On the Details page, configure the following options:
   • Join a domain: Selected
   • Domain: Contoso.com
   • Account:
      Username: Contoso\Administrator
      Password: Pa$$w0rd
   • User name: Client1
   • Organization name: Contoso
• On the Capture Settings page, select This task sequence may be used to capture an image, and configure the following settings:
   • Capture destination: \\LON-DC1\Labfiles\Source\Win7.wim
   • Capture account:
      Username: Contoso\Administrator
      Password: Pa$$w0rd
• On the Boot Image page, configure the following options:
   • Specify an existing boot image package: Boot image (x86)
• On the MDT Package page, configure the following options:
   • Create a new Microsoft Deployment Toolkit Files Package: Selected
   • Package source folder to be created: \\LON-DC1\Labfiles\MDTFiles
• On the MDT Details page, configure the following options:


   • Name: MDT Source Files
   • Version: 1.0
   • Language: English
   • Manufacturer: Microsoft
   • Comments:
• On the OS Image page, configure the following options:
   • Specify an existing OS install package: Selected
   • Select a Package: Windows 7 Enterprise
• On the Client Package page, configure the following options:
   • Specify an existing ConfigMgr client package: Selected
   • Select a Package: Configuration Manager Client Upgrade
• On the USMT Package page, configure the following options:
   • Create a new USMT package: Selected
   • Path to USMT executables and related files: C:\Program Files\Windows AIK\tools\USMT
   • Package source folder to be created: \\LON-DC1\Labfiles\USMT
• On the USMT Details page, configure the following options:
   • Name: MDT USMT Package
   • Version: 1.0
   • Language: English
   • Manufacturer: Microsoft
   • Comments: Current Date
• On the Settings Package page, configure the following options:
   • Create a new settings package: Selected
   • Package source folder to be created: \\LON-DC1\Labfiles\MDTFiles
• On the Settings Details page, configure the following options:
   • Name: MDT Settings Files
   • Version: 1.0
   • Language: English
   • Manufacturer: Microsoft
   • Comments:
• On the Sysprep Package page, select No Sysprep package is required.
• Click Next to begin the creation of the packages and task sequence.
• After the Task Sequence is created, click the Task Sequences node, right-click Windows 7, and then click Edit. Take note of, but do not change, the various tasks that make up the Windows 7 task sequence.


Task 2: Update package distribution points

• In the console pane, expand Computer Management\Software Distribution, and then expand Packages. If necessary, refresh the Packages node.
• Use the New Distribution Points Wizard to distribute the following packages to the LON-SVR1 distribution point.
   • Microsoft MDT Settings Files 1.0 English
   • Microsoft MDT Source Files 1.0 English
   • Microsoft MDT USMT Package 1.0 English
• Do not select the LON-SVR1\SMSPXEIMAGES$ distribution point because this one is used for the PXE boot environment.
• Wait a few minutes before continuing with the next task.

Task 3: Advertise the task sequence

• In the console pane, expand Computer Management\Operating System Deployment, and then click Task Sequences.
• In the details pane, right-click Windows 7, and then click Advertise.
• Configure the advertisement settings as follows:
   • General
      • Name: Windows 7 Deployment
      • Collection: All Unknown Computers
      • Make this task sequence available to boot media and PXE: Enabled
      • Leave all other defaults.
   • Schedule
      • Mandatory assignments: As soon as Possible
      • Ignore maintenance windows when running program: Enabled
      • Program rerun behavior: Always rerun program
      • Leave all other defaults
   • Distribution Points
      • Access content directly from a distribution point when needed by the running task sequence: Enabled
      • Leave all other defaults
   • Interaction: Leave all defaults
   • Security: Leave all defaults
• In the console pane, expand the Computer Management\Collections node.
• Right-click the Unknown Computers collection and verify that the Windows 7 Deployment task sequence has been advertised to this collection.

Task 4: Install Windows 7

• From the Hyper-V Manager, start 6294A-LON-CL3.
• The task sequence begins the installation. The installation can take up to 60 minutes to complete.


Results: After this exercise, you have configured and advertised a client task sequence and then deployed Windows 7 on a client computer.

Task 5: Virtual machine shutdown

When you finish the lab, revert each virtual machine back to its initial state. To do this, complete the following steps:

• On the host computer, start Hyper-V Manager.
• Right-click each virtual machine name in the Virtual Machines list, and then click Revert.
• In the Revert Virtual Machine dialog box, click Revert.


Module Review and Takeaways

Review Questions

1. You have decided to migrate user settings and data, but you need to determine how much storage is required for the migration data. What tool do you use to do this?
2. How can you run the Configuration Manager 2007 Integration option and specify data for MDT packages?
3. What kind of infrastructure model is required by Zero Touch?

Common Issues Related to Zero Touch Deployment

Identify the causes for the following common issues related to Zero Touch Deployment.

| Issue | Troubleshooting tip |
| --- | --- |
| The Operating System Images Zero Touch deployment is pushing out to the clients at a new division do not recognize the video card in the target computers. You have obtained the correct drivers for the video card but you are unable to update the distribution point from the Configuration Manager Console. | |
| You have configured Zero Touch deployment to a hardware refresh at a division in the enterprise. Users report that the deployed image cannot start. | |
| You need to configure a Zero Touch deployment using a remote Configuration Manager Console. You are unable to access the Console. | |

Best Practices Related to Zero Touch Deployment

The TechNet Desktop Deployment Center is structured around the Microsoft Solution Accelerator for Business Desktop Deployment (BDD) 2007. BDD 2007 is the recommended best practice methodology for consistent, repeatable, and cost-effective deployments. BDD delivers end-to-end guidance to efficiently plan, build, test, and deploy operating systems and applications. Microsoft has been working with leading deployment partners to enhance and develop this industry guidance in addition to providing Microsoft’s implementations of BDD methodology.

While Configuration Manager provides technology for performing desktop deployment, its larger focus is on methodology and best practices. Microsoft solutions, such as System Center Configuration Manager, are implementations of industry-standard methodologies and best practices. These solutions provide opportunities for Microsoft partners and independent software vendors (ISVs) to learn how to build their own solutions too. Deployment is not just a Microsoft standard but is also becoming an industry standard with the input that Microsoft partners and ISVs provide.

By following the guidance in System Center Configuration Manager, you are implementing these methodologies and best practices to manage complex projects.
Configuration Manager enables you to build best practice oriented solutions to do the following:

• Manage teams and processes to produce a comprehensive and integrated deployment based on technology solutions.
• Set up lab and test environments that the development teams share.
• Create software and hardware inventories for deployment planning.
• Test applications for compatibility with Windows 7 and mitigate the compatibility issues discovered during the process.
• Automate applications’ installations, customize their configurations, and repackage applications, if necessary, to achieve a fully automated installation.
• Develop strategies and solutions for migrating users’ documents and settings.
• Create an automated process for developing and deploying computer images.
• Develop an imaging strategy that requires fewer flexible images to deploy dynamic builds to destination computers.
• Deploy computer images using Lite Touch and Zero Touch solutions; deploy computer images remotely to branch offices and mobile users.
• Harden deployment servers and computer images against security threats.
• Disable antivirus programs on the lab computer before capturing an image of the lab computer’s disk.

Antivirus programs can interfere with the configuration of the image and installation of applications during deployment. After deployment, enable the antivirus program.
Test the interaction of antivirus programs with System Center Configuration Manager.

Decide Whether Clients Must Download Content if They Are on a Slow or Unreliable Network Boundary

The default for every Configuration Manager 2007 advertisement and software update deployment is to not download software packages and software updates when the client is connected within a slow or unreliable network boundary. This default assumes that you do not want clients downloading content over slow or unreliable network connections, thereby saving network bandwidth.

However, in some scenarios, this default setting might unexpectedly prevent clients from installing the software packages and software updates that you want them to have. Consider changing this default if you want to ensure that clients always install software packages and software updates when requested and if any of the following scenarios apply:

• Clients are not within a configured boundary for their assigned site because boundaries are not configured correctly or because the clients have been incorrectly assigned.
  In this scenario, clients never install the software package or software updates. For these clients to install the software package or software update with the default configuration, all boundaries must be configured correctly.
• Clients are within a boundary that is configured as slow or unreliable, such as a virtual private network (VPN) or wireless network.
  In this scenario, clients are not able to install the software package or software updates unless their network location changes to a fast and reliable boundary. Alternatively, reconfigure the slow or unreliable boundary to be fast and reliable.
• Clients have roamed into another site that does not host the content.
  In this scenario, clients are not able to install the software package or software updates until they return to their assigned site.

Choose Between Updating and Refreshing a Package

Updating and refreshing Microsoft System Center Configuration Manager 2007 packages are two different operations. Use the following table to help decide when to update and when to refresh a package.

| Criterion | Package Update | Package Refresh |
| --- | --- | --- |
| Use when | You make a modification to the package source, such as adding, changing, or deleting a file or folder. | You need to repair a package at a specific distribution point. |
| What it does | Builds a new, complete, compressed package file and a delta compressed package file from the updated package source files. The delta file is passed to all distribution points. | Recopies the compressed package from the local site server to the distribution point but does not copy files from the package source. |
| Resets access control list (ACL) | No. | Yes, if you have made changes to the Package Access Accounts. |
| Resets the Virtual Directory | Yes, if you have enabled or disabled BITS on the distribution point since the last package update. | Yes, if you have enabled or disabled BITS on the distribution point since the last package refresh. |
| Updates the package source version | Yes. | No. |
| Increments package version in client policy | Yes. | No. |


Tools

| Tool | Use for | Where to find it |
| --- | --- | --- |
| MDT 2010 | Integration to Configuration Manager 2007 and provision of deployment templates | http://go.microsoft.com/fwlink/?LinkID=160877 |
| Configuration Manager 2007 | Manages Zero Touch deployment projects | http://go.microsoft.com/fwlink/?LinkID=162645 |
| USMT 4.0 | Migrates user profiles to a new computer | http://go.microsoft.com/fwlink/?LinkID=140374 |
| Sysprep | Prepares files for a package | http://go.microsoft.com/fwlink/?LinkID=156807 |
| AD DS | Finds the Configuration Manager management points and stores metadata for the deployment | http://go.microsoft.com/fwlink/?LinkID=162646 |


Module 9

Migrating User State by Using WET and USMT 4.0

Contents:

Lesson 1: Overview of User State Migration
Lab A: Migrate User State by Using WET (Optional)
Lesson 2: Overview of USMT 4.0
Lesson 3: Planning User State Migration (USMT 4.0)
Lesson 4: Migrating User State Using USMT 4.0
Lab B: Migrating User State Using USMT 4.0
Lab C: Migrating User State Using Hard-Link Migration


Module Overview

Many users spend significant time customizing and configuring items such as desktop wallpaper, screen savers, and other unique profile-based Windows® operating system elements. During a new operating system deployment, your organization may find it necessary to migrate these settings to the new computer configuration to maintain user productivity and satisfaction. This module explains user state migration, and how to use tools, such as Windows® Easy Transfer (WET) and the Windows® User State Migration Tool (USMT), in various migration scenarios.


Lesson 1

Overview of User State Migration

A successful desktop deployment takes into consideration the impact on and satisfaction of the end-user. A significant factor in end-user satisfaction is the migration of data and user preferences. This lesson describes the tools, process, and considerations for performing an efficient and successful user state migration task.


What Is User State Migration?

Key Points

A user state migration captures all custom settings on existing computers (source computers) and restores these settings to newly deployed computers (destination computers). A user state migration is typically performed during or after deployment of the new operating system. Its purpose is to enable users to be more productive as quickly as possible, because they do not have to spend time reconfiguring settings or looking for personal data after the deployment.

User State Migration Elements

User state migration includes the following elements:

• User preferences: These include user profile features, Internet browser settings, and mail settings. Consider which user accounts, operating system settings, and user preferences you want to migrate or standardize.
• User accounts: Computers may have settings related to domain and local user accounts. You must determine whether local user accounts must be migrated. Your consideration must also include whether the account must be enabled on the destination computer and how you will deal with password requirements.
• Operating system settings: Identify which operating system settings to migrate and to what extent you want to create a new standard environment on the computers. Operating system settings may include appearance, mouse actions (for example, single-click or double-click) and keyboard settings, Internet settings, E-mail account settings, dial-up connections, accessibility settings, and fonts.
• User data: This includes data that is stored on local hard drives. Typically, critical data is stored on corporate file servers. However, there may be situations in which users store data on local hard drives.
• Application settings: These include application-specific configuration settings, preferences, and data files. (User state migration does not include migrating the actual application.)


Determine and locate the application settings that you want to migrate. This information can be acquired when you are testing the new applications for compatibility with the new operating system. Considerations include whether the destination version of the application is newer than the source version and where the specific application settings are stored.

Settings may be stored in the registry, .ini files, or a text or binary file. To determine the location of an application setting, review the vendor’s documentation or Web site. Migration does not include migrating the actual application itself.

User State Migration in the Replace and Refresh Computer Scenario

User state migration can occur in different stages of deployment, depending on your deployment scenario:

• Replace scenario: When deploying a new operating system to new computers, you can capture the user state from the source computers before or after you deploy the operating system to destination computers. After the operating system is deployed on the destination computers, you can restore the user state on these computers.
• Refresh scenario: When deploying a new operating system to computers that already have operating systems, you can capture the user state, store it in temporary storage, deploy the operating system, and then restore the user state on the computers. (In this scenario the source and destination computers are the same computers.)

When you deploy Windows 7 to computers that already have a supported Windows operating system, the Windows.old folder is created and you can migrate user settings from that folder. Windows 7 enables non-destructive deployment, because a Windows 7 installation does not wipe out the target partition and allows user data to be preserved in its original location.

The previous Windows installation, the Program Files folder, and the Documents and Settings folder, are moved to the Windows.old folder, whereas user data in the root folder will be preserved as is. However, you will not be able to start your computer using the previous Windows installation.

In addition, if you use the User State Migration Tool (USMT) 4.0, you can use the hard-link migration. Hard-link migration creates a duplicate symbolic link to the specific file in the file system that bypasses the need for temporary storage when you migrate the user state in the refresh computer scenario. This results in increased migration performance.


Tools for Migrating User State

Key Points

You can use the following tools to perform migration.

• Windows Easy Transfer (WET): Use to perform migration for a single computer, or just a few computers. WET supports data transfers by using an Easy Transfer cable, over the network, removable media, or a network share.
• User State Migration Tool (USMT): Use to perform migration for many computers and to automate the process as much as possible. USMT uses a two-stage process to migrate the user state. In the first stage, USMT captures the user state to the appropriate media or a network shared folder. During the second stage, USMT restores the user state to the destination computer.

Question: How do you migrate applications to Windows 7?


Migrating User State by Using WET

Key Points

The WET tool is used in scenarios in which there are only a limited number of computers to migrate. WET can be used to transfer user accounts and settings, files and folders, e-mail settings, contacts and messages, application settings, Internet settings and favorites. WET cannot be used to transfer program files or applications. Applications must already be installed on the Windows 7 computer before you can transfer the application settings using WET.

While you can still use Windows Vista® WET to migrate user state to Windows 7, you may want to use the latest functionality of Windows 7 WET. Windows 7 WET contains a new file explorer that enables you to select which files to copy to your new PC. If Windows finds a file or setting it cannot work with, Windows 7 WET prevents delays by completing the transfer and providing you with a full report of anything that fails to migrate.

If the source computer is already running Windows 7, you do not have to include the following procedure.

Store Windows 7 WET Files to be Used on the Source Computer

To store Windows 7 WET files so that you can use them on a source computer that does not have WET, you must first start WET on the destination computer, and perform the following steps:

1. Close all active programs.
2. Click Start, All Programs, Accessories, System Tools, and then Windows Easy Transfer. The Windows Easy Transfer window opens.
3. Click Next and select the method to use to transfer files and settings from the source computer.
4. Click This is my new computer.
5. Click I need to install it now.
6. Select the destination media where you want to store the Windows Easy Transfer wizard files.


A Browse to Folder window opens.
7. Type the path and folder name where you want to store the Windows Easy Transfer wizard files, and then click Next.

Restart the source computer to install Windows Easy Transfer.

Note: If Windows Firewall is enabled on your computer, a prompt will appear asking you to enable an exception to allow WET to work over the network. Accepting this prompt opens a program exception for %SystemRoot%\System32\MigWiz\MigWiz.exe, the executable for WET.

Migrate Files and Settings from the Source Computer to the Destination Computer

If using WET, you can select one of the following transfer methods to transfer files and settings from a supported operating system to Windows 7:

• Use an Easy File Transfer cable (a WET cable)
• Use a network connection
• Use removable media such as a USB flash drive or an external hard disk

Method 1: Transfer Files and Settings Using a WET Cable

1. Connect the two computers using the WET cable and install the drivers for that cable.
2. Start Windows Easy Transfer on the computer from which you want to migrate settings and files by browsing to the removable media or network drive that contains the wizard files, and then double-clicking migsetup.exe. The program may also start automatically when you insert the removable media. (If your computer already has WET you can run it from the System Tools program group folder.)
3. Click Next.
4. Click An Easy Transfer cable.
5. Click This is my old computer and complete the Windows Easy Transfer wizard.

Method 2: Transfer Files and Settings Using a Network

1. Start Windows Easy Transfer on the computer from which you want to migrate settings and files by browsing to the removable media or network drive that contains the wizard files, and then double-clicking migsetup.exe. The program may also start automatically when you insert the removable media. (If your computer already has WET you can run it from the System Tools program group folder.)
2. Click Next.
3. Click A network.
4. Click This is my old computer. WET creates a Windows Easy Transfer key. The Windows Easy Transfer key functions like a password to protect files and settings and is used to link the source and destination computer.
5. Follow the steps to enter the Windows Easy Transfer key on your destination computer to enable the network connection.
6. On your destination computer, after you enter the WET key, click Next. A connection is established and Windows Easy Transfer checks for updates and compatibility.


7. Click Transfer to transfer all files and settings. You can determine which files must be migrated by selecting only the user profiles that you want to transfer, or by clicking Customize.
8. Click Close after Windows Easy Transfer has completed the migration of files and settings to the destination computer.

Method 3: Transfer Files and Settings Using Removable Media or a Network Share

First, copy files from the source computer.

1. Start Windows Easy Transfer on the computer from which you want to migrate settings and files by browsing to the removable media or network drive that contains the wizard files, and then double-clicking migsetup.exe. (If your computer already has WET you can run it from the System Tools program group folder.)
2. Click Next.
3. Click An external hard disk or USB flash drive.
4. Click This is my old computer. Windows Easy Transfer scans the computer.
5. Click Next. You can determine which files must be migrated by selecting only the user profiles that you want to transfer, or by clicking Customize.
6. Enter a password to protect your Easy Transfer file, or leave the box blank, and then click Save.
7. Browse to the location on the network or the removable media where you want to save your Easy Transfer file and then click Save.
8. Click Next. WET displays the file name and location of the Easy Transfer file that you just created.

Then, copy files to the destination computer.

1. Connect the removable media to the destination computer.
2. Start Windows Easy Transfer, and then click Next.
3. Click An external hard disk or USB flash drive.
4. Click This is my new computer.
5. Click Yes, open the file.
6. Click Browse to locate where the Easy Transfer file was saved. Click the file name, and then click Open.
7. Click Transfer to transfer all files and settings. You can also determine which files must be migrated by selecting only the user profiles that you want to transfer, or by clicking Customize.
8. Click Close after WET has completed moving your files.


Lab A: Migrate User State by Using WET (Optional)

Computers in This Lab

Before you begin the lab, you must start the virtual machines. The virtual machines used at the start of this lab are:

• 6294A-LON-DC1
• 6294A-LON-CL1
• 6294A-LON-VS1

Start the virtual machines

1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.
2. In the Virtual Machines pane, click the virtual machine name. In the Actions pane, under the virtual machine name, click Start.
3. To connect to the virtual machine, click the virtual machine name, and in the Actions pane, under the virtual machine name, click Connect.


Exercise 1: Preparing the WET Source Files

Scenario

You are deploying a new Windows 7 computer to a user named Don in the Marketing department. As part of the deployment process, you need to migrate several user state settings from Don’s old computer to the new computer. You have the following requirements:

• WET source files should be put on a network share located at \\LON-DC1\Data so that other computers can be migrated using this tool if it is necessary.

The main tasks for this exercise are as follows:

• Put WET on a network share.

Note: LON-DC1 is the computer that is running Windows Server 2008 R2. LON-CL1 is the computer running Windows 7, and LON-VS1 is the computer running Windows Vista.

Task 1: Place WET on a network share

• Log on to the LON-CL1 virtual machine as Contoso\Administrator with a password of Pa$$w0rd.
• From the Accessories\System Tools program group, start Windows Easy Transfer.
• Provide the following responses to the options in the Windows Easy Transfer Wizard:
  • What do you want to use to transfer items to your new computer?: An external hard disk or USB flash drive
  • Which computer are you using now?: This is my new computer
  • Has Windows Easy Transfer already saved your files from your old computer to an external hard disk or USB flash drive?: No
  • Do you need to install Windows Easy Transfer on your old computer?: I need to install it now
  • How do you want to install Windows Easy Transfer on your old computer?: External hard disk or shared network folder
  • Browse for folder: \\LON-DC1\Data
• Close Windows Easy Transfer.

Results: After this exercise, you have put the Windows 7 WET files on a shared network location.


Exercise 2: Capturing User State Information from a Source Computer

Scenario

As part of the deployment process you must migrate several user state settings from Don’s old computer to the new computer. To meet standardization requirements, you have to ensure the following:

• Only Don’s profile is to be captured.
• Any files located in the Music, Saved Games, or Videos folders should not be migrated to the new computer.

The main tasks for this exercise are as follows:

• Capture settings from LON-VS1.

Note: LON-DC1 is the computer that is running Windows Server 2008 R2. LON-CL1 is the computer running Windows 7, and LON-VS1 is the computer running Windows Vista.

Task 1: Capture settings from LON-VS1

• Log on to the LON-VS1 virtual machine as Contoso\Don with the password Pa$$w0rd. Note the Computer and Documents icons on the desktop and then log off LON-VS1.
• Log on to the LON-VS1 virtual machine as Contoso\Administrator with the password Pa$$w0rd.
• From the Start Search box, type \\LON-DC1\Data and then press ENTER to open the network share that contains the WET source files.
• Double-click the Windows Easy Transfer shortcut and provide the following responses to the options in the Windows Easy Transfer Wizard:
  • What do you want to use to transfer items to your new computer?: An external hard disk or USB flash drive
  • Which computer are you using now?: This is my old computer
  • Profiles to be migrated: Contoso\Don
  • Excluded items from the profile: Music, Saved Games, Videos
  • Password: Pa$$w0rd
  • Save your Easy Transfer file: \\LON-DC1\Data\DonProfile
• Close WET.

Results: After this exercise, you should have captured user state information for Don and stored the information at \\LON-DC1\Data.


Exercise 3: Loading User State Information to a Destination Computer

Scenario

The final task of migrating the user state to Don’s new computer is to run the Windows Easy Transfer Wizard and import the configuration settings that were saved on the shared network location.

The main tasks for this exercise are as follows:

1. Import the configuration settings on LON-CL1.
2. Verify the migration.

Note: LON-DC1 is the computer that is running Windows Server 2008 R2. LON-CL1 is the computer running Windows 7, and LON-VS1 is the computer running Windows Vista.

Task 1: Import the configuration settings on LON-CL1

• On LON-CL1, from the Accessories\System Tools program group, start Windows Easy Transfer.
• Provide the following responses to the options in the Windows Easy Transfer Wizard:
  • What do you want to use to transfer items to your new computer?: An external hard disk or USB flash drive
  • Which computer are you using now?: This is my new computer
  • Has Windows Easy Transfer already saved your files from your old computer to an external hard disk or USB flash drive?: Yes
  • Open an Easy Transfer File: \\LON-DC1\Data\DonProfile.MIG
  • Password: Pa$$w0rd
  • Select what to transfer to this computer: Contoso\Don
• Use the Windows Easy Transfer Reports to view the Transfer report and the Program report.
• Log off LON-CL1.

Task 2: Verify the migration

• On LON-CL1, log on as CONTOSO\Don with a password of Pa$$w0rd.
• Verify that the Computer and Documents icons are located on the desktop for Don.

Results: After this exercise, you have imported user state configuration information to the new computer and verified that Don’s profile contains the changes.

Task 3: Virtual machine shutdown

When you finish the lab, revert each virtual machine back to its initial state. To do this, follow these steps:

• On the host computer, start Hyper-V Manager.
• Right-click each virtual machine name in the Virtual Machines list, and then click Revert.
• In the Revert Virtual Machine dialog box, click Revert.


Lesson 2

Overview of USMT 4.0

USMT is used to migrate user state during large Windows 7 deployments. This lesson describes the features, scenarios, and considerations for using USMT to help with your desktop deployments and migrations.


Process of Migrating User State by Using USMT 4.0

Key Points

USMT includes two tools: ScanState and LoadState. It also includes a set of the following modifiable .xml files: MigApp.xml, MigUser.xml, and MigDocs.xml. Use USMT to migrate user settings and data in a two-stage process:

• Collect files and settings from the source computer by using the ScanState command
• Restore files and settings on the destination computer by using the LoadState command

Collect Files and Settings from the Source Computer

1. Close all applications on the source computer.
2. Run the ScanState command on the source computer to collect files and settings. Specify all the .xml files that you want the ScanState command to use.

Prepare and Restore Files and Settings on the Destination Computer

To prepare the destination computer:

1. Install the operating system on the destination computer.
2. Install all applications that were on the source computer before you restore the user state to guarantee that migrated settings are preserved.

To restore files and settings on the destination computer:

1. Run the LoadState command on the destination computer. Specify the same set of .xml files that you specified when you used the ScanState command. (However, you do not have to specify the Config.xml file, unless you want to exclude some files and settings that you migrated to the store.)
2. Log off after running the LoadState command. Some settings (for example, fonts, wallpaper, and screensaver settings) will not take effect until the next time the user logs on.
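The two-stage process above, written as a PowerShell wrapper. This is an added example and not part of the courseware: the USMT folder, store path, key file and log folder are assumed values, and the /encrypt, /decrypt and /keyfile options are USMT options this page does not cover, used here because the store holds users' data on a network share.

```powershell
# Added example (not from the courseware): the two-stage USMT 4.0 flow.
# Run with -Stage Capture on the source computer, then with -Stage Restore on the
# destination computer once the operating system and applications are installed.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Capture', 'Restore')]
    [string]$Stage,

    # Assumed values: change these to match your environment.
    [string]$UsmtDir   = 'C:\USMT\amd64',                 # folder holding scanstate.exe and loadstate.exe
    [string]$StorePath = '\\LON-DC1\Data\USMT\DonStore',  # hypothetical migration store folder
    [string]$KeyFile   = 'C:\USMT\store.key',             # hypothetical key file; restrict its ACL
    [string]$LogDir    = 'C:\USMT\Logs'
)

# LoadState must be given the same .xml files as ScanState, so the list is
# defined once and used by both stages.
$MigrationXml = @('MigApp.xml', 'MigUser.xml')

function Get-UsmtArguments {
    param([string]$Stage)

    # One /i: argument per migration file; fail early if a file is missing.
    $xmlArgs = foreach ($name in $MigrationXml) {
        $path = Join-Path $UsmtDir $name
        if (-not (Test-Path $path)) { throw "Migration file not found: $path" }
        "/i:$path"
    }

    $log    = Join-Path $LogDir ("{0}-{1}.log" -f $Stage.ToLower(), $env:COMPUTERNAME)
    $common = @($StorePath) + $xmlArgs + @('/v:5', "/l:$log")

    if ($Stage -eq 'Capture') {
        # /o overwrites an existing store; /encrypt protects the store at rest.
        return $common + @('/o', '/encrypt', "/keyfile:$KeyFile")
    }
    # The store was encrypted at capture, so LoadState needs the same key.
    return $common + @('/decrypt', "/keyfile:$KeyFile")
}

foreach ($required in @($UsmtDir, $KeyFile)) {
    if (-not (Test-Path $required)) { throw "Required path not found: $required" }
}
if (-not (Test-Path $LogDir)) {
    New-Item -ItemType Directory -Path $LogDir | Out-Null
}

$tool     = if ($Stage -eq 'Capture') { 'scanstate.exe' } else { 'loadstate.exe' }
$exe      = Join-Path $UsmtDir $tool
$usmtArgs = Get-UsmtArguments -Stage $Stage

Write-Host "Running $tool against $StorePath"
& $exe @usmtArgs

# Both tools return 0 on success; anything else means the stage did not complete.
if ($LASTEXITCODE -ne 0) {
    throw "$tool failed with return code $LASTEXITCODE; see the log in $LogDir"
}

if ($Stage -eq 'Restore') {
    Write-Host 'LoadState finished. Log off so that fonts, wallpaper and screensaver settings take effect at the next logon.'
}
```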


Features of USMT 4.0

Key Points

USMT 4.0 is a scriptable command-line tool that gives you a highly-customizable user-profile migration experience.

Benefits of USMT 4.0

USMT 4.0 provides the following benefits to businesses that are deploying Windows operating systems:

• It safely migrates user accounts, operating system, and application settings. It is customizable and highly-scriptable, which increases automation for large deployment scenarios.
• It reduces the cost of deploying the Windows operating system by preserving the user state. This reduces the time needed for users to become familiar with the new operating system and the time that is required to customize desktops and locate missing files and settings.
• It reduces end-user downtime, which reduces help desk calls and increases employee satisfaction with the migration experience.

New Features of USMT 4.0

USMT 4.0 also introduces several new features. This includes the following:

• Hard-link migration store: Used in refresh computer scenarios to migrate user settings and data in less time and requiring less storage space. It drastically improves migration performance and significantly reduces hard-disk utilization, reduces deployment costs, and enables new migration scenarios.
  Hard-link migration store differs from other migration store in that hard links are utilized to keep files stored on the source computer during the migration. Keeping the files in place on the source computer eliminates the redundant work of duplicating files and enables the performance benefits and reduction in disk utilization.


Migrating User State by Using WET <strong>and</strong> USMT 4.0 9-17• Offline migration: Enables you to collect data from offline Windows operating systems by using theScanState comm<strong>and</strong> in Windows PE.Note: For complete information on new features of USMT 4.0, refer to “What’s New in USMT 4.0” athttp://go.microsoft.com/fwlink/?LinkID=163075&clcid=0x409.Limitations of USMT 4.0USMT is intended for administrators who are performing large-scale automated deployments. If you areonly migrating the user states of a few computers, use Windows Easy Transfer instead. There are somescenarios in which the use of USMT 4.0 is not recommended. These include the following:• Migrations that require end-user interaction• Migrations that require customization on a machine-by-machine basis


Elements of USMT 4.0

Key Points

USMT 4.0 includes the following elements:

• ScanState: This tool scans the source computer, collects files and settings, compresses them into a temporary location, and then copies them to the migration store.
• LoadState: This tool migrates the files and settings, one-by-one, from the store to a temporary location on the destination computer.
• Migration .xml files: The .xml files used by USMT for migrations. They are the MigApp.xml, MigUser.xml, or MigDocs.xml files, and any custom .xml files that you create.
  • MigApp.XML: This contains rules for migrating application settings.
  • MigDocs.XML: This contains rules that utilize the MigXmlHelper.GenerateDocPatterns helper function, which can be used to automatically find user documents on a computer without creating extensive custom migration .xml files.
  • MigUser.XML: This contains rules for migrating user profiles and data.
• Config.xml: To exclude certain elements from the migration, you can create and change the Config.xml file by using the /genconfig option with the ScanState tool.
• Component Manifests for Windows Vista and Windows 7: If the source or destination computer is running Windows Vista or Windows 7, the component-manifest files control which operating system settings are migrated and how they are migrated.
• Down-level Manifest files: If the source computer is running a supported version of Windows XP, these manifest files control which operating-system and Internet Explorer settings are migrated and how they are migrated.
• USMT internal files: All other .dll, .xml, .dat, .mui, and .inf files included with USMT are for USMT internal use. You cannot change these files.


User State Data that Can be Migrated by Using USMT 4.0

Key Points

USMT controls what to migrate by using the migration .xml files (MigApp.XML, MigDocs.XML and MigUser.XML) and any custom .xml files that you create.

User Data

ScanState uses rules in MigUser.xml to collect everything in a user’s profile. It then performs a file extension-based search on most of the system for other user data.

By default, USMT migrates the following user data and ACLs by using the MigUser.xml:

• Folders from each user profile: USMT migrates everything in a user’s profile including My Documents, My Video, My Music, My Pictures, desktop files, Start menu, Quick Launch settings, and Favorites.
• Folders from the All Users and Public profiles: USMT also migrates the following from the All Users profile in Windows XP, or the Public profile in Windows Vista or Windows 7: Shared Documents, Shared Video, Shared Music, Shared desktop files, Shared Pictures, Shared Start menu, and Shared Favorites.
• File types: The ScanState tool searches the fixed drives, collects and migrates files that have any of the following file name extensions: .accdb, .ch3, .csv, .dif, .doc*, .dot*, .dqy, .iqy, .mcw, .mdb*, .mpp, .one*, .oqy, .or6, .pot*, .ppa, .pps*, .ppt*, .pre, .pst, .pub, .qdf, .qel, .qph, .qsd, .rqy, .rtf, .scd, .sh3, .slk, .txt, .vl*, .vsd, .wk*, .wpd, .wps, .wq1, .wri, .xl*, .xla, .xlb, .xls*.
• Access Control List: USMT migrates the access control list for specified files and folders from computers that are running Windows XP and Windows Vista.

The following data does not migrate by using MigUser.xml:

• Files outside the user profile that do not match one of the file name extensions in MigUser.xml
• Access Control Lists for folders outside the user profile


Operating-System Elements

By default, USMT migrates most standard operating-system features to destination computers running Windows 7 from computers running Windows XP, Windows Vista, or Windows 7. Some settings, such as fonts, are not available for an offline migration, until after the destination computer is restarted.

Supported Applications

We recommend that you install all applications on the destination computer before restoring the user state to make sure that migrated settings are preserved. The versions of installed applications must match on the source and destination computers.

USMT does not support migrating the settings of an earlier version of an application to a later version, except for the Microsoft Office system. In addition, USMT migrates only the settings that were used or changed by the user. If there is an application setting on the source computer that was not touched by the user, it may not migrate.

What USMT does not Migrate

The following are settings that USMT does not migrate.

• Application Settings: USMT 4.0 does not migrate settings from earlier versions of an application. It also does not migrate application settings, and some operating-system settings, when a local account is created, or for Microsoft® Office Project when you migrate from the 2003 Microsoft® Office system to the 2007 Microsoft® Office system.
• Existing Applications: USMT 4.0 does not migrate the existing applications. You have to re-install all applications on the destination computer, before restoring the application settings.
• Operating-System Settings: USMT 4.0 does not migrate the following operating-system settings:
  • Mapped network drives, local printers, hardware-related settings, drivers, passwords, application binary files, synchronization files, DLL files, or other executable files
  • Shared folders permissions
  • Files and settings migrating between operating systems with different languages
  • Customized icons for shortcuts
  • Taskbar settings, when the source computer is running Windows XP
  • Several network printers and firewall settings when the destination computer is running Windows XP

Note: For more information about specific feature and application settings that are migrated, refer to “What Does USMT Migrate?” at http://go.microsoft.com/fwlink/?LinkID=163076&clcid=0x409.


Lesson 3
Planning User State Migration (USMT 4.0)

Planning the migration carefully can ensure that the migration proceeds smoothly and reduces the risk of migration failure.

In migration planning, organizations and individuals must first identify what to migrate. This includes user settings, applications and application settings, and personal data files and folders. Identifying the applications to be migrated helps you avoid capturing data about applications that are expected to be phased out.

One of the most important requirements for migrating settings and data is to restore only the information required by the destination computer. Even if the data captured on the source computer is more comprehensive than the restore for backup, it is redundant to restore data or settings for applications that will not be installed on the destination system, and it can introduce instability in the newly deployed computer.


Overview of Planning User State Migration

Key Points

There are several factors you need to consider when planning for user state migration.

• Select a migration scenario. Depending on whether you are using the refresh or replace computer scenario, you can choose an online migration or an offline migration using Windows PE or Windows.old.
• Determine what to migrate. Consider migrating user state elements, which include end-user information, application settings, operating system settings, files, folders, and registry keys.
• Determine where to store your data. Depending on the size of your migration store, you can store the data remotely, locally in a hard-link migration store, on a local external storage device, or directly on the destination computer.
• Use the /genmigxml command-line option to determine which files will be included in your migration and to determine whether any modifications are necessary. The /genmigxml option specifies that the ScanState command must use the document finder to create and export an XML file that defines how to migrate all of the files on the computer on which the ScanState command is running.
• Modify the migration .xml files and create custom .xml files, if necessary. To modify the migration behavior, you can create a custom .xml file or modify the rules in the existing migration .xml files. For example, an organization may want to migrate the C:\Data folder but not the C:\Data\tmp folder.
• Create a Config.xml file to exclude any elements from the migration. To create this file, specify the /genconfig option and the other .xml files when you use the ScanState command.
• Review the migration state in the Config.xml file, and specify migrate=no for any element that you do not want to migrate.


Determining What to Migrate

Key Points

The Microsoft Windows User State Migration Tool (USMT) 4.0 migrates users, application settings, operating system settings, file types, files and folders.

These default settings are frequently enough for a basic migration. However, when you consider what settings to migrate, consider what settings you want the user to be able to configure, and what settings you want to standardize.

Identify the Users

Carefully consider how to migrate users. You can specify what to include and exclude on the command line with the User options.

Before migration consider the following user accounts:

• Local accounts: To migrate local accounts that do not exist on the destination computer, use the /lac option when using the LoadState command. If you do not, USMT will not migrate these accounts.
  Consider whether to enable new user accounts on the destination computer. The /lae option enables the account that was created by using the /lac option. However, if you create a disabled local account by using only the /lac option, a local administrator must enable the account on the destination computer.
  Be careful when specifying a password for the local accounts. If you create a local account that has a blank password, anyone can log on to that account on the destination computer. If you create a local account that has a password, the password is available to anyone with access to the USMT command-line tools.
• Domain accounts: The source and destination computers do not have to be connected to the domain for domain user profiles to be migrated.


Identify Applications and Settings

The following process may help you decide which applications to redeploy and which applications to discontinue, and also determine which application settings to migrate.

1. Create and prioritize a list of applications to be migrated.
2. Identify an application owner with the most experience with the application to provide insight into how the organization installs, configures, and uses the application.
3. Determine and locate the application settings to be migrated.
4. After you complete the list of applications to be migrated, review the list and work with each application owner to develop a list of settings to be migrated.
5. Consider whether the destination version of the application is newer than the source version, if the existing settings work with the new version, and if they do, whether they work correctly.
6. Create a custom .xml file to migrate the settings and work with the application owner to develop test cases. Typically, you then continue to perform migration testing for application settings to determine if the application settings are migrated successfully.

Identify Operating System Settings

When planning for your migration, identify which operating system settings you want to migrate and to what extent you want to create a new standard environment on the computers. USMT 4.0 enables you to migrate select settings and keep the default values for all the other operating system settings.

Among other things, the operating system settings include: the appearance of the desktop, such as wallpaper or taskbar location; actions, such as double-clicking or single-clicking to open an item; the Internet settings and the information to connect to your mail server.

Consider the following when deciding which settings to migrate:

• Any previous migration experiences or results of any surveys and tests that you have conducted.
• The number of help-desk calls related to operating system settings that you have had in the past, and can handle in the future.
• How much of the new operating system functionality you want to use.
• What user settings and preferences users must have to do their work, as migrating these items can increase user productivity and overall satisfaction with the migration process.

Identify File Types, Files, and Folders

When planning for your migration, if you are not using MigDocs.xml, identify the file types, files, folders, and settings to migrate. It is important to perform the following:

1. Determine the standard file locations on each computer.
2. Determine and locate the nonstandard locations. Consider the file types you want to include and exclude in the migration, the locations that should be excluded, and new locations, such as where you want to migrate files on the destination computer.
3. After verifying which files and file types the end-users work with regularly, you need to locate them.

Question: How do you decide which application settings to migrate?


Choosing a Migration Store Type and Location

Key Points

When planning your migration, you must determine which migration store suits you best. To do this, consider your migration scenario, how much space is required to run the USMT 4.0 on the source and destination computers, and whether to use a local share, network share, or other storage devices to store the user state.

Migration Store Types

The following are migration store types available in USMT 4.0:

• Uncompressed (UNC): The uncompressed (UNC) migration store is an uncompressed directory with a mirror image of the folders hierarchy that is being migrated. You can use Windows® Explorer to view this migration store type.
• Compressed: The compressed migration store is a single, frequently encrypted, image file that contains all files and settings being migrated and a catalog file.
• Hard-link: A hard-link migration store functions as a map that defines how a collection of bits on the hard disk are “wired” into the file system. You can only use the new USMT 4.0 hard-link migration store in the refresh computer scenario. This is because the hard-link migration store is maintained on the local computer while the old operating system is removed and the new operating system is installed.

Estimate Migration Store Size

To determine how much space is needed to store the migrated data, base your calculations on the volume of e-mail, personal documents, and system settings for each user. The best way to estimate these is to survey several computers to arrive at an average for the size of the store required.


Local Store vs. Remote Store

If you select the refresh computer scenario and there is sufficient space on the local computer, the best option is to store the user state data on a local device. This reduces server storage costs and eliminates network performance issues.

If you select the replace computer scenario, or there is insufficient space in the local computer, then you must store the user state data remotely.

Hard Disk Space Requirements

The hard disk space requirements for a migration depend on the size of the migration store and the type of migration. You can estimate the disk space that you need for computers in your organization based on information about your organization's infrastructure. You can also calculate the disk space requirements using the ScanState tool.

• Migration Store: For non-hard-link migrations, ensure that there is enough available space at the location where you want to store the data being migrated. You can save your migration store to another partition or to an external storage device such as a USB flash drive or a server.
• Source computer: The source computer must have enough available space for the following:
  • 250 megabytes (MB) minimum of hard disk space
  • Temporary space for USMT to run
  • Hard-link migration store
• Destination computer: The destination computer must have enough available space for the operating system, applications, data being migrated and temporary space for USMT to run.

Calculate Disk Space Requirements using the ScanState Tool

You can use the ScanState tool to calculate the disk space requirements for a particular compressed or uncompressed migration. You do not have to estimate the migration store size for a hard-link migration because this method does not create a separate migration store.

The ScanState tool also allows you to estimate disk space requirements for a customized migration. For example, if you do not want to migrate the My Documents folder to the destination computer, you can specify this in a configuration file when you run the ScanState tool.

To create an XML file that includes an improved space estimate for the migration store, use the /p option of the ScanState tool. This option creates an XML file in the path specified. The following example shows the ScanState command to create this .xml file:

Scanstate.exe C:\MigrationLocation [additional parameters] /p:"C:\MigrationStoreSize.xml"

Question: Which migration store best suits your organization?


Lesson 4
Migrating User State by Using USMT 4.0

User State Migration Tool (USMT) is the recommended tool for scenarios in which you have many computers to migrate. You must spend time configuring the migration .xml files, and may have to create Config.xml and custom .xml files to further customize your migration. After configuring your migration settings, migrate the user state by using USMT and running the ScanState and the LoadState tools to capture and restore user state, respectively.

This lesson describes how to edit the USMT migration scripts. Typically, the basic settings for USMT migration scripts are automatically configured when performing Light Touch Installation (LTI) and Zero Touch Installation (ZTI) deployments by using MDT 2010 and Configuration Manager 2007 SP2. Therefore, you might only have to manually edit the scripts for the advanced settings.


Creating the Config.xml File

Key Points

The Config.xml is an optional USMT 4.0 file that you can create using the /genconfig option with the ScanState.exe tool. To include all of the default elements, and to not change the default store-creation or profile-migration behavior, you do not need to create a Config.xml file.

However, if you are satisfied with the default migration behavior defined in the MigApp.xml, MigUser.xml and MigDocs.xml files, but you want to exclude certain elements, you can create and modify the Config.xml file and leave the other .xml files unchanged.

The Config.xml file has a different format than the other migration .xml files because it does not contain any migration rules. It only contains a list of the operating-system features, applications, and user documents that can be migrated, in addition to user-profile policy and error-control policy. For this reason, excluding features using the Config.xml file is easier than modifying the migration .xml files, because you do not need to be familiar with the migration rules and syntax. However, you cannot use wildcard characters in this file.


Creating a Custom XML File

Key Points

You can create a custom XML file to migrate specific line-of-business application settings, or to change the default migration behavior. You can also use it to migrate settings for applications that are not supported by the MigApp.xml file. For ScanState and LoadState to use this file, you must specify the custom XML file on both command lines. Migrate the settings after you install the application, but before the user runs the application for the first time.

XML File Requirements

When you create custom .xml files, note the following requirements:

• The file must be in Unicode Transformation Format-8 (UTF-8)
• The file must have a unique migration urlid
• Each element in the file must have a display name for it to appear in the Config.xml file

Create an XML File to Migrate Application Settings

It is recommended that you create a separate custom .xml file instead of adding script to the MigApp.xml file to migrate custom application settings. This is because the MigApp.xml file is a large file and it will be difficult to read and edit. Also, if you reinstall USMT, the MigApp.xml file will be overwritten by the default version of the file and you will lose your customized version. You can use the MigApp.xml file as an example to create the custom .xml file.

Your script must perform the following:

1. Check whether the application and correct version is installed by:
  • Searching for the installation uninstall key under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall by using the DoesObjectExist helper function.
  • Checking for the correct version of the application executable file that uses the DoesFileVersionMatch helper function.
2. If the correct version of the application is installed, make sure that each setting is migrated to the appropriate location on the destination computer.
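The file requirements and the two detection steps above can be checked mechanically before a custom file is handed to ScanState. The following Python sketch is an added example, not part of the courseware or of USMT: the Contoso LOB application, its registry and file paths, the urlid value and the function names are constructed for illustration, and it assumes that "each element" in the display-name requirement means each component element.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a custom migration file for a hypothetical application.
SAMPLE = rb'''<?xml version="1.0" encoding="UTF-8"?>
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/contosolob">
  <component type="Application" context="UserAndSystem">
    <displayName>Contoso LOB</displayName>
    <role role="Settings">
      <detection>
        <conditions>
          <condition>MigXmlHelper.DoesObjectExist("Registry","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ContosoLOB")</condition>
          <condition>MigXmlHelper.DoesFileVersionMatch("%ProgramFiles%\Contoso\lob.exe","ProductVersion","2.*")</condition>
        </conditions>
      </detection>
      <rules context="User">
        <include>
          <objectSet>
            <pattern type="Registry">HKCU\Software\Contoso\LOB\* [*]</pattern>
          </objectSet>
        </include>
      </rules>
    </role>
  </component>
</migration>'''

# Helper functions the page says an application component must use for detection.
HELPERS = ("DoesObjectExist", "DoesFileVersionMatch")


def check_file(name, data):
    """Return (urlid, findings) for one custom migration .xml file given as bytes."""
    try:
        data.decode("utf-8")                      # requirement 1: UTF-8
    except UnicodeDecodeError:
        return None, [f"{name}: file is not UTF-8"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return None, [f"{name}: not well-formed XML ({exc})"]
    findings = []
    urlid = root.get("urlid") if root.tag == "migration" else None
    if not urlid:                                 # requirement 2: a migration urlid
        findings.append(f"{name}: <migration> root with a urlid is missing")
    for n, comp in enumerate(root.iter("component"), 1):
        if not (comp.findtext("displayName") or "").strip():
            findings.append(f"{name}: component #{n} has no displayName")
        if comp.get("type") == "Application":
            text = " ".join(c.text or "" for c in comp.iter("condition"))
            for helper in HELPERS:
                if helper not in text:
                    findings.append(f"{name}: component #{n} never calls {helper}")
    return urlid, findings


def check_set(files):
    """files maps file name -> bytes; also enforces urlid uniqueness across the set."""
    seen, findings = {}, []
    for name, data in files.items():
        urlid, found = check_file(name, data)
        findings += found
        if urlid and urlid in seen:
            findings.append(f"{name}: urlid already used by {seen[urlid]}")
        elif urlid:
            seen[urlid] = name
    return findings


if __name__ == "__main__":
    for line in check_set({"contosolob.xml": SAMPLE}) or ["no findings"]:
        print(line)
```

Run it over every custom .xml file that will be passed with /i, because the urlid check only has meaning across the whole set.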


Capturing User State by Using ScanState

Use the ScanState command to scan the source computer, collect the files and settings and create a store. This topic explains the syntax and usage of the ScanState command-line options. The options can be specified in any order. If the option contains a parameter, you can use either a colon or space separator.

The ScanState tool provides various options related to specific categories. These categories are explained in the following sections.

Storage Options

The following table describes the storage options you can configure by using ScanState.

| Option | Description |
|---|---|
| StorePath | Indicates a folder in which to save files and settings. StorePath cannot be c:\. You must specify the StorePath option in the ScanState command line, except when you use the /genconfig option. You cannot specify more than one StorePath location. |
| /o | Overwrites any existing data in the migration store or Config.xml file. If not specified, the ScanState command will fail if the migration store already contains data. You cannot use this option more than once on a command line. |
| /vsc | Enables the volume shadow-copy service to migrate files that are locked or in use and eliminates most file-locking errors that are typically encountered by the section. Can be used only with the ScanState executable file and cannot be combined with the /hardlink option. |
| /hardlink | Enables you to create a hard-link migration store at the specified location. The /nocompress option must be specified with the /hardlink option. |


| Option | Description |
|---|---|
| /encrypt /key: KeyString or /encrypt /key: "Key String" or /encrypt /keyfile:[Path\]FileName | Encrypts the store with the specified key (password). Encryption is disabled by default. When you use this option, you have to specify the encryption key in one of the following ways: /key: KeyString specifies the encryption key (if there is a space in KeyString, you must enclose it in quotation marks); /keyfile: [Path\]FileName specifies a .txt file that contains the encryption key. |
| /encrypt:"encryption strength" | Accepts a command-line parameter to define the encryption strength to be used for encryption of the migration store. |
| /nocompress | Disables data compression and saves the files to a hidden folder named "File" at StorePath\USMT4. Compression is enabled by default. Use this option only in testing environments. |

Offline Migration Options

The Performing an Offline Migration topic describes the offline migration options that you can configure by using ScanState.

Migration Rule Options

The following table describes the migration rule options you can configure by using ScanState.

| Option | Description |
|---|---|
| /i:[Path\]FileName | Specifies an .xml file that contains rules that define what state to migrate. You can specify this option multiple times to include all the .xml files. |
| /genconfig:[Path\]FileName | Generates the optional Config.xml file, but does not create a migration store. |
| /config:[Path\]FileName | Specifies the Config.xml file that ScanState must use to create the store. You cannot use this option more than once on the command line. |
| /auto: path to script files | Enables you to specify the location of the default .xml files and then start the migration. If no path is specified, USMT 4.0 will reference the directory where the USMT binaries are located. |
| /genmigxml: path to a file | Specifies that ScanState must use the document finder to create and export an .xml file that defines how to migrate all the files on the computer on which ScanState is running. |
| /targetvista | Optimizes ScanState.exe to migrate a user state to Windows Vista® instead of to Windows 7. You should use this command-line option in the following scenarios: to create a Config.xml file by using the /genconfig option; to create a migration store. |
| /localonly | Only migrates files that are stored on the local computer, regardless of the rules in the .xml files that you specify. Use this option to exclude the data from external drives on the source computer, such as USB flash drives (UFDs), external hard disk drives, and so on, and when there are network drives mapped on the source computer. If the /localonly option is not specified, then ScanState will copy files from these drives into the store. |


Monitoring Options

USMT 4.0 provides several options you can use to analyze problems that occur during migration. The following table describes the monitoring options you can configure by using ScanState.

| Option | Description |
|---|---|
| /listfiles:FileName | Generates a text file that lists all the files that are included in the migration. |
| /l:[Path\]FileName | Specifies the location and name of the ScanState log. You cannot store any of the log files in StorePath. |
| /v: VerbosityLevel | Enables verbose output in the ScanState log file. The default is 0. You can specify any number from 0 to 13. For more information about the verbosity levels, refer to the USMT Help files. |
| /progress:[Path\]FileName | Creates the optional progress log. You cannot store any of the log files in StorePath. |
| /c | Specifies that ScanState will continue to run, even if nonfatal errors occur. Any files or settings that cause an error are logged in the progress log. |
| /r: TimesToRetry | Specifies the number of times to retry when an error occurs while saving the user state to a server. The default is three times. This option is useful in environments where network connectivity is not reliable. |
| /w: SecondsBeforeRetry | Specifies the time to wait, in seconds, before retrying a network file operation. The default is 1 second. |
| /p: "pathtoafile" | Creates an .xml file in the path that is specified. This .xml file includes improved space estimations for the migration store. |
| /? or /help | Displays Help at the command line. |

User Options

By default, all users are migrated. The only way to specifically include or exclude users is with the user options. You cannot exclude users in the migration .xml files or by using the Config.xml file.
The following table describes the user options you can configure with ScanState.

| Option | Description |
|---|---|
| /all | Migrates all the users on the computer. /all is the default option if you do not specify other options. |
| /ui: DomainName\UserName or /ui: DomainName\"UserName" or /ui: LocalUserName | Migrates the specified user(s). By default, all users are included in the migration. Therefore, this option is helpful only when you use it with the /ue or /uel options. When you specify a user name that contains spaces, you must surround it with quotation marks. |
| /uel: NumberOfDays or /uel: YYYY/MM/DD or /uel:0 | Migrates the users who logged on to the source computer within the specified time period, based on the Last Modified date of the Ntuser.dat file on the source computer. You can specify a number of days or you can specify a date. You cannot use this option with the /all option or in offline migrations. |
| /ue: DomainName\UserName or /ue: DomainName\"UserName" or /ue: LocalUserName | Excludes the specified users from the migration. |

Encrypted File Options

Use the following options to migrate encrypted files. By default, USMT 4.0 fails if an encrypted file is found unless you specify an /efs option. The following table describes the encrypted file options you can configure by using ScanState.

| Option | Explanation |
|---|---|
| /efs:hardlink | Creates a hard link to the EFS file instead of copying it. Use only with the /hardlink and the /nocompress options. |
| /efs:abort | Causes ScanState to fail with an error code, if an Encrypting File System (EFS) file is found on the source computer. Enabled by default. |
| /efs:skip | Causes the ScanState command to ignore EFS files. |
| /efs:decryptcopy | Causes the ScanState command to decrypt the file, if it is possible, before it saves it to the migration store, and to fail if the file cannot be decrypted. |
| /efs:copyraw | Causes ScanState to copy the files in the encrypted format. The files will be inaccessible on the destination computer until the EFS certificates are migrated. |

Note: Use caution when migrating encrypted files. If you migrate an encrypted file without also migrating the certificate, end-users cannot access the file after the migration.

ScanState Syntax Example

The following syntax provides an example of how ScanState is configured to scan a source computer:

Scanstate \\SEA-DC1\DesktopMigration /i:migapp.xml /i:miguser.xml /config:config.xml /o /ui:DBService /ue:Contoso\Don

From this example, answer the following questions.

Question: Where will the scanned user state results be stored?
Question: Which parts of the syntax control application settings and user settings?
Question: What does the /ue option do in this example?


Restoring User State by Using LoadState

Key Points

The LoadState command is used to restore files and settings from the migration store to the destination computer. This topic explains the syntax and usage of the LoadState command-line options. The options can be specified in any order. If the option contains a parameter, you can specify either a colon or space separator.

The LoadState tool provides various options related to specific categories. These categories are similar to those on ScanState and are explained in the following sections.

Storage Options

The following table describes the storage options you can configure by using LoadState.

Option | Description
StorePath | Indicates the folder where the files and settings data is stored. You must specify StorePath when you use the LoadState command. You cannot specify more than one StorePath.
/decrypt /key:KeyString or /decrypt /key:"KeyString" or /decrypt /keyfile:[Path\]FileName | Specify the encryption key in one of the following ways: • /key: KeyString specifies the encryption key. If there is a space in KeyString, you must surround the argument with quotation marks. • /keyfile: FilePathAndName specifies a text (.txt) file that contains the encryption key.
/decrypt: "encryptionstrength" | Accepts a command-line parameter to define the encryption strength specified for the migration store encryption.
/hardlink | Enables user-state data to be restored from a hard-link migration store. The /nocompress parameter must be specified with the /hardlink option.
/nocompress | Specifies that the store is not compressed. Only use this option in testing environments.

Migration Rule Options

The following table describes the migration rule options you can configure by using LoadState.

Option | Description
/i:[Path\]FileName | Specifies an .xml file that contains rules that define what state to migrate. You can specify this option multiple times to include all the .xml files (MigApp.xml, MigSys.xml, MigUser.xml and any custom .xml files that you create).
/config:[Path\]FileName | Specifies the Config.xml file that the LoadState command must use. You cannot specify this option more than once on the command line. Path can be either a relative or full path. If you do not specify the Path variable, then the FileName must be located in the current directory.
/auto: "path to script files" | Enables you to specify the location of the default .xml files and then launch your migration. If no path is specified, USMT will use the directory where the USMT binaries are located.

Monitoring Options

USMT 4.0 provides several command-line options that you can use to analyze problems that occur during migration. The following table describes the monitoring options you can configure by using LoadState.

Option | Description
/l:[Path\]FileName | Specifies the location and name of the LoadState log. You cannot store any of the log files in StorePath. Path can be either a relative or full path. If you do not specify the Path variable, then the log will be created in the current directory. You can specify the /v option to adjust the amount of output.
/v: VerbosityLevel | Enables verbose output in the LoadState log file. The default value is 0. The available VerbosityLevel settings are the same as for the ScanState tool.
/progress:[Path\]FileName | Creates the optional progress log. You cannot store any of the log files in StorePath. Path can be either a relative or full path. If you do not specify the Path variable, then FileName will be created in the current directory.
/r: TimesToRetry | Specifies the number of times to retry when an error occurs while you are migrating the user state from a server. The default is three times. This option is useful in environments where network connectivity is not reliable.
/w: SecondsBeforeRetry | Specifies the time to wait, in seconds, before retrying a network file operation. The default is 1 second.
/? or /help | Displays Help on the command line.

User Options

By default, all users are migrated. The only way to specifically include or exclude users is with the user options. You cannot exclude users in the migration .xml files or by using the Config.xml file. The following table describes the user options that you can configure with LoadState.

Option | Description
/all | Migrates all the users on the computer. This option behaves the same way as in the ScanState command.
/ui: DomainName\UserName or /ui: DomainName\"UserName" or /ui: LocalUserName | Migrates the specified users. This option behaves the same way as in the ScanState command.
/uel:NumberOfDays or /uel:YYYY/MM/DD or /uel:0 | Migrates the users who logged on to the source computer within the specified time period, based on the Last Modified date of the Ntuser.dat file on the source computer. This option behaves the same way as in the ScanState command.
/ue:DomainName\UserName or /ue:DomainName\"UserName" or /ue:LocalUserName | Excludes the specified users from the migration. You can specify multiple /ue options. This option behaves the same way as in the ScanState command.
/md: OldDomain:NewDomain or /md:LocalComputerName:NewDomain | Specifies a new domain for the user. Use this option to change the domain for users on a computer or to migrate a local user to a domain account. You can specify this option more than once.
/mu: OldDomain\OldUserName:[NewDomain\]NewUserName or /mu:OldLocalUserName:NewDomain\NewUserName | Specifies a new user name for the specified user. If the store contains more than one user, you can specify multiple /mu options. You cannot use wildcard characters with this option.
/lac: [Password] | Specifies that if a user account is a local (non-domain) account, and it does not exist on the destination computer, USMT will create the account on the destination computer. However, it will be disabled. To enable the account, you must also use the /lae option. • Note: Use the Password variable with caution because it is provided in plain text and can be obtained by anyone with access to the computer that is running the LoadState command. In addition, if the computer has multiple users, all migrated users will have the same password.
/lae | Enables the account that was created by using the /lac option. You must specify the /lac option with this option.

LoadState Syntax Example

The following syntax provides an example of how to configure LoadState to migrate user state to a destination computer:

    Loadstate \\SEA-DC1\DesktopMigration /i:migapp.xml /i:miguser.xml /ue:Contoso\Don /ui:DBService /lac:Pa$$w0rd /lae

From this example, answer the following questions.

Question: Where will the user state be retrieved from?
Question: What does the /ui option do in this specific example?
Question: What will occur if the /lae switch is not provided in this example?


Performing an Offline Migration

Key Points

USMT 4.0 enables you to perform an offline migration. With USMT 4.0, you can run the ScanState tool inside a different Windows operating system than the Windows operating system from which ScanState is collecting files and settings.

The following are offline scenarios that use USMT 4.0:
• Running ScanState in Windows PE
• Running ScanState to scan Windows.old

Offline Migration Benefits

The offline migration feature of USMT 4.0 has a direct effect on reducing the cost of deploying Windows 7. This includes the following:
• Reduce complexity: In refresh computer scenarios, migrations from the Windows.old directory reduce complexity by eliminating the need for the ScanState tool to be run before the operating system is deployed. Also, migrations from the Windows.old directory enable ScanState and LoadState to be run successively.
• Improve performance: When USMT runs in a Windows PE environment, it has better access to the hardware resources. The file system creates links to the files as opposed to moving or copying them, which may increase performance on older machines with limited hardware resources and numerous installed software applications.
• New recovery scenario: In scenarios where a machine no longer starts correctly, you can start Windows PE on that machine and collect user state information with the ScanState tool in Windows PE.
• Improved success of migration: The migration success rate is increased because files will not be locked for editing while the operating system is offline. In addition, Windows PE provides administrator access to files in the offline Windows file system. This eliminates the need for administrator-level access.

Command-Line Options

An offline migration can be enabled either by using a configuration file on the command line, or by using one of the following command-line options.

Tool | Option | Description
ScanState.exe | /offline: | Enables the offline-migration mode and requires a path to an Offline.xml configuration file.
ScanState.exe | /offlineWinDir: | Enables the offline-migration mode and starts the migration from the location that is specified. It is only for use in Windows PE offline scenarios where the migration is occurring from a Windows directory.
ScanState.exe | /OfflineWinOld: | Enables the offline migration mode and starts the migration from the location that is specified. It is only intended to be used in Windows.old migration scenarios, where the migration is occurring from a Windows.old directory.

Scenario: Migrating from Windows XP to Windows 7 using USMT 4.0 Offline Migration and Hard-link Migration store

USMT 4.0 hard-link migration can be used with online and offline migration scenarios. If you have a computer that is running a previous version of Windows, such as Windows XP, you can use USMT 4.0 to migrate user settings and data by using offline migration and a hard-link migration store, by performing the following steps:

1. Run the Windows 7 installation program on an existing Windows XP computer. You can run the installation program from the product DVD, removable media or Windows Deployment Services.
   It is recommended that you back up your files before installing a new operating system. Backup is not mandatory in this scenario and backed-up files will typically not be required on completing this process.
2. Select to install Windows 7 on the same partition as the Windows XP installation. Follow the default installation instructions and do not delete or format partitions containing the operating system or data.
3. Once you have completed the Windows 7 installation, open Windows Explorer and browse to Computer > Local Disk (C:\) (or if not installed on "C:\", browse to the drive letter containing the Windows 7 operating system).
   If there were folders already on the C:\ root directory in the Windows XP operating system, those folders will still be there, because Windows 7 installation does not delete user data.
   You will also find a Windows.old folder. Windows.old contains the files and settings to be migrated from the Windows XP operating system to the newly installed Windows 7 operating system.
4. Run ScanState and LoadState with administrator privileges, with the following options:

    scanstate.exe c:\store /v:13 /o /c /hardlink /nocompress /efs:hardlink /i:MigApp.xml /i:MigDocs.xml /offlineWinOld:c:\windows.old\windows
    loadstate.exe c:\store /v:13 /c /lac /lae /i:migapp.xml /i:migdocs.xml /sf /hardlink /nocompress

   The scanstate.exe command creates the hard-link migration store at C:\store from the Windows.old directory and the loadstate.exe command will remap the hard-link files to their appropriate locations in Windows 7.
5. Browse to Computer > Local Disk (C:\) > Users. You will see the user folders in Windows 7 and all user files in corresponding file libraries. If you had favorites defined in Internet Explorer, you can open Internet Explorer in Windows 7 to ensure that the application settings have been migrated.


Best Practices When Using USMT 4.0

Key Points

The following are considered best practices when using USMT 4.0:
• Install applications before running the LoadState tool: Install all applications on the destination computer before restoring the user state. This helps to ensure that migrated settings are preserved.
• Do not use MigUser.xml and MigDocs.xml together: Using both .xml files can cause duplication of some migrated files if conflicting instructions are given about the destination locations.
• Close all applications before running either the ScanState or LoadState tools: It is recommended that you close all applications to ensure all files and settings are migrated.
• Log off after running the LoadState tool: Some settings, such as fonts, wallpaper, and screensaver settings, will not take effect until the user logs on.
• Create a managed environment: To create a managed environment, you can move all of the end user's documents into My Documents (%CSIDL_PERSONAL%).
• Run the Chkdsk.exe tool before running the ScanState and LoadState tools: Chkdsk.exe creates a status report for a hard disk drive and lists and corrects common errors.
• Migrate in groups and phases: If you perform the migration while users are using the network, it is recommended that you migrate user accounts in groups. Migrating in phases also allows you to make sure each phase is successful before starting the next phase.

Security Best Practices

You must protect the privacy of the users and maintain security during and after the migration. In particular, consider the following issues:
• Encrypting File System (EFS): Use caution when you migrate encrypted files because the end-user does not have to be logged on to capture the user state. By default, USMT 4.0 fails if an encrypted file is found.
• Migration store encryption: Consider using the /encrypt option with the ScanState command and the /decrypt option with the LoadState command. However, use extreme caution with this set of options, because anyone who has access to the ScanState command-line script also has access to the encryption key.
• Virus scan: To help protect data from viruses, run an antivirus utility on the source and destination computers before migration.
• Security of the file server and the deployment server: Transmit data over a secure Internet connection, such as a virtual private network.
• Password migration: Make sure that end-users know their passwords because USMT does not migrate passwords to ensure user privacy.
• Local accounts migration: If you are migrating local accounts and the local account does not exist on the destination computer, you must use the /lac option when you use the LoadState command. If the /lac option is not specified, no local user accounts will be migrated. In addition, consider whether to enable user accounts that are created on the destination computer.
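The option rules and security cautions in this module can be checked mechanically before a migration script is run. The following Python linter is an added example, not part of the courseware or of USMT: the function names and finding codes are illustrative, it assumes the colon separator form (/name:value) used in the module's examples, and the last two sample command lines are constructed.

```python
import ntpath
import re

LOG_OPTIONS = ("l", "listfiles", "progress")   # options that write log files
OFFLINE_OPTIONS = {"offline", "offlinewindir", "offlinewinold"}


def parse_usmt(cmdline):
    """Split a ScanState/LoadState command line into (tool, StorePath, options).

    Assumption: options use the colon form (/name:value), not the space form.
    """
    # Whitespace-separated tokens; a "quoted part" may contain spaces.
    tokens = re.findall(r'(?:[^\s"]+|"[^"]*")+', cmdline)
    tool = re.sub(r"\.exe$", "", ntpath.basename(tokens[0]).lower())
    store, options = None, {}
    for token in tokens[1:]:
        if token.startswith("/"):
            name, _, value = token[1:].partition(":")
            options.setdefault(name.lower(), []).append(value.replace('"', ""))
        elif store is None:
            store = token.replace('"', "")     # first bare token is StorePath
    return tool, store, options


def _inside(path, folder):
    """True when an absolute or UNC path lies in folder (case-insensitive)."""
    if not folder or not ntpath.isabs(path):
        return False      # relative paths resolve against the current directory
    path, folder = (ntpath.normcase(ntpath.normpath(p)) for p in (path, folder))
    return path == folder or path.startswith(folder + "\\")


def lint_usmt(cmdline):
    """Return a list of (code, message) findings for one command line."""
    tool, store, opt = parse_usmt(cmdline)
    efs = [value.lower() for value in opt.get("efs", [])]
    found = []
    if any(opt.get("lac", [])):
        found.append(("LAC_PASSWORD", "/lac password is plain text on the command "
                      "line and is shared by every local account that is created"))
    if "lae" in opt:
        if "lac" in opt:
            found.append(("LAE_ENABLES_ACCOUNTS", "/lae enables the local accounts "
                          "created by /lac; confirm each one should be enabled"))
        else:
            found.append(("LAE_WITHOUT_LAC", "/lae must be specified with /lac"))
    if "key" in opt:
        found.append(("KEY_ON_COMMAND_LINE", "anyone who can read this script can "
                      "read the store key; /keyfile keeps it out of the script"))
    if tool == "scanstate" and store and store.startswith("\\\\") and "encrypt" not in opt:
        found.append(("NETWORK_STORE_UNENCRYPTED", "store is written to a network "
                      "share without /encrypt"))
    if "copyraw" in efs:
        found.append(("EFS_COPYRAW", "files stay inaccessible on the destination "
                      "until the EFS certificates are migrated"))
    if "hardlink" in efs and not {"hardlink", "nocompress"} <= opt.keys():
        found.append(("EFS_HARDLINK_MISUSE", "/efs:hardlink is only for use with "
                      "/hardlink and /nocompress"))
    if "hardlink" in opt and "nocompress" not in opt:
        found.append(("HARDLINK_WITHOUT_NOCOMPRESS", "/nocompress must be specified "
                      "with /hardlink"))
    for name in LOG_OPTIONS:
        if any(_inside(path, store) for path in opt.get(name, [])):
            found.append(("LOG_IN_STOREPATH", f"/{name} file is inside StorePath"))
    if "uel" in opt and ("all" in opt or OFFLINE_OPTIONS & opt.keys()):
        found.append(("UEL_NOT_ALLOWED", "/uel cannot be used with /all or in "
                      "offline migrations"))
    return found


def codes(cmdline):
    """Finding codes only, in rule order."""
    return [code for code, _ in lint_usmt(cmdline)]


SAMPLES = [
    # The LoadState syntax example and the Lab B capture command from this module.
    r"Loadstate \\SEA-DC1\DesktopMigration /i:migapp.xml /i:miguser.xml "
    r"/ue:Contoso\Don /ui:DBService /lac:Pa$$w0rd /lae",
    r"Scanstate \\LON-DC1\Data /i:migapp.xml /i:miguser.xml /i:folders.xml "
    r"/config:config.xml /o /ui:DBService /ue:LocalAdmin /efs:copyraw",
    # Constructed command lines that break the option rules.
    r'scanstate \\FS1\Store /encrypt /key:"constructed key" '
    r"/l:\\FS1\Store\scan.log /uel:30 /all",
    r"loadstate c:\store /lae /hardlink",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample)
        for code, message in lint_usmt(sample):
            print(f"  {code}: {message}")
```

A finding is a prompt for review rather than an error: the Lab B scenario, for example, states that the store does not need to be encrypted.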


Discussion: Troubleshooting Common Issues During Migration

Key Points

When you encounter a problem or error message during migration, you can use the following general guidelines to help determine the source of the problem.
• Examine the ScanState and LoadState logs to obtain the exact USMT error message and Win32 error message.
• You can use the /v:13 option when testing your migration. Running the ScanState and LoadState tools with the /v:13 option creates a detailed log file. Although this option makes the log file large, it is helpful in determining where migration errors occurred.
• Create a progress log by using the /progress option to help you monitor your migration.

The following list shows the common issues when you perform migration. Discuss these issues with the class and fill in the resolution column.

Problem | Cause / Resolution
Not all user accounts were migrated to the destination computer |
Excluded user accounts are migrated to the destination computer |
You used the /uel option, but many accounts are still included in the migration |
The LoadState tool reports an error and returns code 71 and fails to restore a user profile during a migration test |
Files that were not encrypted before the migration are now encrypted with the account used to run the LoadState tool |
You received the following error message: Usage Error: You cannot specify a file path with any of the command-line options that exceeds 256 characters |
You received the following error message: USMT was unable to create the log file(s). Ensure that you have write access to the log directory |
You used the /genconfig option to create a Config.xml file, but can see only a few applications and features that are in MigApp.xml. Why does Config.xml not contain all of the same applications? |
You have problems with a custom .xml file that a user authored, and the user cannot verify that the syntax is correct |
You used a MigXML helper function, but the migration is not working the way you expected it to |
Files that you specified to exclude are still being migrated |
You specified rules to move a folder to a specific location on the destination computer, but it has not migrated correctly |


Lab B: Migrating User State by Using USMT 4.0

Computers in This Lab

Before you begin the lab, you must start the virtual machines. The virtual machines used at the start of this lab are:
• 6294A-LON-DC1
• 6294A-LON-CL1
• 6294A-LON-VS1

Start the virtual machines

1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.
2. In the Virtual Machines pane, click the virtual machine name. In the Actions pane, under the virtual machine name, click Start.
3. To connect to the virtual machine, click the virtual machine name, and in the Actions pane, under the virtual machine name, click Connect.


Exercise 1: Planning for the User State Migration

Scenario

You are the team lead for the Windows 7 deployment project at Contoso Ltd. Max Stevens, the IT Manager of the Research department, has asked you to use the USMT to migrate the user state for several users who are receiving new computers installed with Windows 7.

Max has sent an e-mail to you specifying the requirements.

The main tasks for this exercise are as follows:
1. Read the supporting documentation.
2. Update the USMT Planning Job Aid.

Supporting Documentation

E-mail from Max Stevens:

Ed Meadows
From: Max Stevens [Max@contoso.com]
Sent: 10 August 2009 08:01
To: ed@contoso.com
Subject: Re: User State Migration for the new Research Department Windows 7 computers

Hi Ed,

We have 10 new Windows 7 computers that are being deployed within the Research department. The people that are receiving the new computers have asked whether they can have their user state migrated from their old computers. What I want you to do is use USMT 4.0 to help with the user state migration.

Here are some additional things to consider:
• The old computers are all Windows Vista 32-bit computers.
• All computers have the 2007 Office system installed.
• Windows Vista Gadget settings should not be migrated from Windows Vista to the new Windows 7 computers.
• The contents of the Shared Video, Shared Music, and Shared Pictures folders should not be migrated from Windows Vista to the new Windows 7 computers.
• We have a custom folder named ResearchApp that has to be migrated from all the old computers to the new Windows 7 computers.
• All domain profiles that are on each existing computer should be migrated to the new system.
• There is a local service account on each Windows Vista computer called DBService that will also have to be migrated to the new Windows 7 computers.
• Each Windows Vista computer has a local account called LocalAdmin. This account should not be migrated to the new Windows 7 computers.
• Please make sure that all encrypted files are also migrated from the old computers to the new computers.
• You can use \\LON-DC1\Data as a location to store the data store during the migration task. The data store should be compressed in order to minimize space. Since there is no confidential information on these specific computers, we do not need the migration store encrypted.

To help you organize your migration plan, please use the USMT Planning Job Aid before you start the migration task.

Thanks and regards
Max.

Task 1: Read the supporting documentation
• Read the scenario and supporting documentation.

Task 2: Update the USMT Planning Job Aid
• Complete the USMT Planning Job Aid.

User State Migration Planning – Job Aid – Department Name: __________________

Question | Information | Details
Migration Scenario | PC Refresh; PC Replacement |
Which Operating System are you migrating user state from? | 32 bit Windows XP; 64 bit Windows XP; 32 bit Windows Vista; 64 bit Windows Vista; 32 bit Windows 7; 64 bit Windows 7 |
Which Operating System are you migrating user state to? | 32 bit Windows XP; 64 bit Windows XP; 32 bit Windows Vista; 64 bit Windows Vista; 32 bit Windows 7; 64 bit Windows 7 |
Migration Store Type | Local Store; Remote Store; Encrypted? |
Accounts to be migrated | Local accounts; Domain accounts |
Application settings to be migrated | |
Custom files or folders to migrate | |
Are there any encrypted files to consider? | Yes; No |
Operating system settings to migrate | |
XML files to be used in the migration | Config.xml; MigApp.xml; MigUser.xml; MigDocs.xml; Custom xml file; Custom xml file |

Results: After this exercise, you have a plan on how you will migrate the user state from the old Windows Vista computers to Windows 7.


Exercise 2: Creating USMT Migration Scripts

Scenario

Your user state migration plan states that several Windows features should not be migrated. You also have to migrate a custom folder from the old computers to the new Windows 7 computers. Your first task will be to create the xml files that address these custom requirements. Max has already provided an xml file to migrate the custom folder. You need to modify the file to reflect the correct folder name.

The main tasks for this exercise are as follows:
1. Create a Config.xml file.
2. Modify a custom XML file.

Note: LON-DC1 is the computer that is running Windows Server 2008 R2. LON-CL1 is the computer running Windows 7 and LON-VS1 is the computer running Windows Vista.

Task 1: Create a Config.xml file
• Log on to LON-VS1 as Contoso\Administrator using the password Pa$$w0rd.
• Open a command prompt and map a network drive located on LON-DC1 by using the following command:

    Net Use F: \\LON-DC1\Labfiles\USMT40

• Change to drive F and then create a Config.xml file by using the following command:

    scanstate /i:migapp.xml /i:miguser.xml /genconfig:config.xml

• At the command prompt type notepad config.xml to view the config.xml file.
• Modify the xml code to exclude the following from the migration:
  • Gadgets
  • Shared Video
  • Shared Music
  • Shared Pictures

Hint: For each of the folders, look for component displayname and then change the migrate attribute to No.

Task 2: Modify a custom XML file
• At the command prompt, type notepad folders.xml, and then press ENTER. Maximize the Notepad window. This is a custom XML file that was used to migrate a specific folder named ResearchApp to the new workstation.
• Change the variable to ResearchApp. The entire line should read:

    C:\ResearchApp\* [*]

Results: After this exercise, you have created and modified XML files that you need for the User state migration task.


Exercise 3: Capturing and Restoring User State by Using USMT

Scenario

Now that you have the required custom xml files needed, you can now perform the USMT migration task.

The main tasks for this exercise are as follows:
1. Capture user state on the source computer.
2. Restore user state on the destination computer.
3. Verify the migration.

Note: LON-DC1 is the computer that is running Windows Server 2008 R2. LON-CL1 is the computer running Windows 7 and LON-VS1 is the computer running Windows Vista.

Task 1: Capture user state on the source computer
• On LON-VS1, switch to the command prompt.
• Change to drive F if it is necessary and capture user state by using the following command:

    Scanstate \\LON-DC1\Data /i:migapp.xml /i:miguser.xml /i:folders.xml /config:config.xml /o /ui:DBService /ue:LocalAdmin /efs:copyraw

Task 2: Restore user state on the destination computer
• Log on to LON-CL1 as Contoso\Administrator using the password Pa$$w0rd.
• Open the command prompt and map network drive F to \\LON-DC1\Labfiles\USMT40. Use the following command:

    Net Use F: \\LON-DC1\Labfiles\USMT40

• Change to drive F and restore user state on the destination computer by using the following command:

    Loadstate \\LON-DC1\Data /i:migapp.xml /i:miguser.xml /i:folders.xml /ue:LocalAdmin /ui:DBService /lac:Pa$$w0rd /lae

• Log off LON-CL1.

Task 3: Verify the migration
• On LON-CL1, log on as CONTOSO\Don with a password of Pa$$w0rd.
• Verify that the Computer and Documents icons are located on the desktop for Don.
• Verify that the DBService account has migrated successfully.
• Verify that the C:\ResearchApp folder has migrated successfully.

Results: After this exercise, you have migrated user state from Don's older computer to his new computer.

Task 4: Virtual machine shutdown

When you finish the lab, revert each virtual machine back to its initial state. To do this, follow these steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click each virtual machine name in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.


Lab C: Migrating User State Using Hard-Link Migration

Computers in This Lab

Before you begin the lab, you must start the virtual machines. The virtual machines used at the start of this lab are:
• 6294A-LON-DC1
• 6294A-LON-VS1

Start the virtual machines

1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.
2. In the Virtual Machines pane, click the virtual machine name. In the Actions pane, under the virtual machine name, click Start.
3. To connect to the virtual machine, click the virtual machine name, and in the Actions pane, under the virtual machine name, click Connect.


Exercise 1: Performing a Hard-Link Migration

Scenario
You are asked to perform an in-place Windows 7 refresh migration on a computer that contains Windows Vista. You also are asked to transfer the user state to the refreshed installation by using the USMT hard-link migration feature. This feature allows for a refresh installation of Windows 7, and importing the user state from the Windows.old folder that is created during the installation.

The main tasks for this exercise are as follows:
1. Upgrade LON-VS1 to Windows 7.
2. Perform a user state hard-link migration.
3. Verify the migration.

Note: LON-DC1 is the computer that is running Windows Server 2008 R2. LON-VS1 is the computer that is running Windows Vista.

Task 1: Upgrade LON-VS1 to Windows 7
• Log on to LON-VS1 as Contoso\Administrator using the password Pa$$w0rd.
• Attach the Windows7_32bit.iso file to LON-VS1 by performing the following:
  • In the Hyper-V Virtual Machine Connection window, click the Media menu, point to DVD Drive, and then click Insert Disk.
  • In the Open box, browse to C:\Program Files\Microsoft Learning\6294\Drives and then click Windows7_32bit.iso. Click Open. After several moments the AutoPlay dialog box appears.
• Click Run setup.exe.
• Click Install now.
• Install Windows 7 using the following options:
  • Do not get the latest updates for installation
  • Installation type: Custom (advanced)
• After the installation is complete, provide the following options:
  • Default Country, Time and currency, and Keyboard layout
  • User name: Alan
  • Computer name: LON-VS1
  • Password: Pa$$w0rd
  • Help protect your computer: Use recommended settings
  • Time and date settings: default
  • Computer’s current location: Work network

Task 2: Perform a user state hard-link migration
• Open a command prompt with elevated permissions (Run as Administrator).


• Open the command prompt and map network drive F to \\LON-DC1\Labfiles\USMT40. Use the following command:
  Net Use F: \\LON-DC1\Labfiles\USMT40
• Change to drive F and capture user state with the following command:
  Scanstate C:\store /o /hardlink /nocompress /i:migapp.xml /i:miguser.xml /offlineWinOld:c:\Windows.old\Windows
• At the command prompt load user state by using the following command:
  Loadstate C:\store /lac /lae /i:migapp.xml /i:miguser.xml /sf /hardlink /nocompress

Task 3: Verify the migration
• On LON-VS1, click the Windows Explorer button.
• Verify that user profiles are migrated to C:\Users including Don, LocalAdmin, and Student.

Results: After this exercise, you have migrated user state to a refreshed computer by using hard-link migration.

Task 4: Virtual machine shutdown
When you finish the lab, revert each virtual machine back to its initial state. To do this, follow these steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click each virtual machine name in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.


Module Review and Takeaways

Review Questions
1. List three main considerations when you are planning a user state migration task.
2. You must estimate the size of the stored user state on the network server. Which USMT tool can provide this estimate?
3. You must modify the operating system elements that are transferred from a Windows XP computer to a Windows Vista computer. Which USMT file do you modify?
4. You must secure the data store that is generated with USMT. What can you do to accomplish this task?
5. Which files can be modified during a user state migration by using USMT 4.0?
6. You migrated a user account to a new computer by using the /lac option. However, when attempting to log on, the user receives an error message and is prevented from logging on to the computer. What is the most likely cause of the issue?

Best Practices Related to Scenarios and Migration Store Size
1. Local store versus remote store: If you select the refresh computer scenario and there is enough space on the local computer, the best option is to store the user state data on a local device. This reduces server storage costs and eliminates network performance issues. If you select the replace computer scenario, or have insufficient space on the local computer, then you must store the user state data remotely.
2. Estimate migration store size: A good method for determining how much space you have to store the migrated data is to base your calculations on the volume of e-mail, personal documents, and system settings for each user. You can survey several computers to arrive at an average for the size of the store that you will need.


Best Practices Related to the Use of USMT 4.0
• Install applications before you run the LoadState tool
• Do not use MigUser.xml and MigDocs.xml together
• Close all applications before running either the ScanState or LoadState tools
• Log off after running the LoadState tool
• Create a managed environment
• Run Chkdsk.exe before running the ScanState and LoadState tools
• Migrate in groups and phases if users are using the network

Summary of Security Best Practices
Best practices for maintaining privacy and security of your users during migration are summarized in the following:
• Encrypting File System (EFS): Migrate encrypted files with caution, because the end-user does not have to be logged on to capture the user state. (By default, USMT 4.0 fails if an encrypted file is found.)
• Encrypt the store: Consider using the /encrypt option with the ScanState command and the /decrypt option with the LoadState command. However, be careful with these options, because anyone who has access to the ScanState command-line script also has access to the encryption key.
• Virus scan: Run an antivirus utility on the source and destination computers before migration.
• Maintain security of the file server and the deployment server: transmit data over a secure Internet connection, such as a virtual private network.
• Password migration: Be sure end-users know their passwords because USMT does not migrate passwords to ensure user privacy.

Tools
Tool | Use for | Where to find it
Windows Easy Transfer (WET) | Use to perform migration for a single computer, or only a few computers. | Windows 7 product DVD
Windows Preinstallation Environment (Windows PE) | A minimal operating system environment used to deploy Windows. | Windows AIK
User State Migration Tool (USMT) | Use to migrate user data from previous Windows operating system to Windows 7 for multiple computers. | Windows AIK
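The ScanState and LoadState command lines from Lab C, and the store-encryption caution in the security best practices above, can be checked mechanically before a migration script is rolled out. The following Python script is an added example, not part of the course material: it audits a deployment script for a store key or /lac password typed inline, a missing /encrypt and /decrypt pairing, and /hardlink without /nocompress. The SRV1 paths, key and password in the sample are constructed; /keyfile and the empty default /lac password are taken from the USMT command-line documentation, not from this page.

```python
import re
from collections import defaultdict

# Tool name (optionally with a path and .exe), then the store path.
TOOL_RE = re.compile(r'^\s*(?:\S*[\\/])?(scanstate|loadstate)(?:\.exe)?\s+(\S+)', re.I)
# USMT options look like /name or /name:value; the value may be quoted.
OPTION_RE = re.compile(r'(?<!\S)/([A-Za-z]+)(?::("[^"]*"|\S*))?')

MESSAGES = {
    "INLINE_KEY": "store key is typed in the script; use /keyfile and restrict the key file",
    "INLINE_LAC_PASSWORD": "local-account password is typed in the script in plain text",
    "EMPTY_PASSWORD_ACCOUNT_ENABLED":
        "/lac without a password plus /lae enables new local accounts with an empty password",
    "HARDLINK_NEEDS_NOCOMPRESS": "/hardlink must be combined with /nocompress",
    "STORE_NOT_ENCRYPTED": "store is written without /encrypt",
    "ENCRYPT_DECRYPT_MISMATCH": "ScanState /encrypt and LoadState /decrypt do not match",
}

# Lines 3-4 are the lab's hard-link commands; everything else is constructed input.
SAMPLE = r'''rem refresh and replace jobs
net use F: \\LON-DC1\Labfiles\USMT40
Scanstate C:\store /o /hardlink /nocompress /i:migapp.xml /i:miguser.xml /offlineWinOld:c:\Windows.old\Windows
Loadstate C:\store /lac /lae /i:migapp.xml /i:miguser.xml /sf /hardlink /nocompress
scanstate \\SRV1\MigStore\PC42 /o /i:migapp.xml /i:miguser.xml /encrypt /key:"ExampleKey-123"
loadstate \\SRV1\MigStore\PC42 /i:migapp.xml /i:miguser.xml /lac:Welcome1
scanstate \\SRV1\MigStore\PC43 /o /i:miguser.xml /encrypt /keyfile:D:\keys\pc43.key
loadstate \\SRV1\MigStore\PC43 /i:miguser.xml /decrypt /keyfile:D:\keys\pc43.key'''


def parse_usmt(line):
    """Return (tool, store, {option: value}) for a ScanState/LoadState line, else None."""
    m = TOOL_RE.match(line)
    if not m:
        return None
    opts = {}
    for opt in OPTION_RE.finditer(line[m.end(1):]):
        opts[opt.group(1).lower()] = (opt.group(2) or "").strip('"')
    return m.group(1).lower(), m.group(2).lower(), opts


def audit_usmt_script(text):
    """Return sorted (line_number, finding_code) pairs for a deployment script."""
    findings, stores = [], defaultdict(dict)
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = parse_usmt(line)
        if parsed is None:
            continue
        tool, store, opts = parsed
        stores[store][tool] = (lineno, opts)
        if opts.get("key"):
            findings.append((lineno, "INLINE_KEY"))
        if tool == "scanstate":
            if "hardlink" in opts and "nocompress" not in opts:
                findings.append((lineno, "HARDLINK_NEEDS_NOCOMPRESS"))
            # Hard-link stores stay on the local volume; only flag other stores.
            if "hardlink" not in opts and "encrypt" not in opts:
                findings.append((lineno, "STORE_NOT_ENCRYPTED"))
        if tool == "loadstate" and "lac" in opts:
            if opts["lac"]:
                findings.append((lineno, "INLINE_LAC_PASSWORD"))
            elif "lae" in opts:
                findings.append((lineno, "EMPTY_PASSWORD_ACCOUNT_ENABLED"))
    # Compare the capture and restore commands that share a store path.
    for tools in stores.values():
        if len(tools) == 2:
            _, scan_opts = tools["scanstate"]
            load_line, load_opts = tools["loadstate"]
            if ("encrypt" in scan_opts) != ("decrypt" in load_opts):
                findings.append((load_line, "ENCRYPT_DECRYPT_MISMATCH"))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, code in audit_usmt_script(SAMPLE):
        print(f"line {lineno}: {code}: {MESSAGES[code]}")
```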




Module 10
Designing, Configuring, and Managing the Client Environment

Contents:
Lesson 1: Overview of Planning Client Configuration
Lesson 2: Designing and Configuring Standard System Settings
Lesson 3: Designing and Configuring Internet Explorer Settings
Lesson 4: Designing and Configuring Security Settings
Lesson 5: Designing and Implementing Group Policy
Lab A: Designing and Configuring the Client Environment
Lesson 6: Troubleshooting Group Policy
Lab B: Troubleshooting GPO Issues


Module Overview

There are numerous situations in which users can, unintentionally, become adversaries of their information technology (IT) organization. These situations usually involve users installing their own software, requiring support for this software, inadvertently allowing viruses onto their computers and the network, and failing to protect their data by not performing proper maintenance tasks, such as periodic backups.

Because of these situations, and for security and cost reasons, many organizations establish and maintain standard client configurations. In doing so, this process must begin by determining the method for implementing the client configurations. Next, the organization must design and configure a variety of settings for its standard client configuration. This includes standard system settings, Internet Explorer settings, security settings, and the use of Group Policy Settings to effectively and efficiently implement these configurations.

This module addresses these concerns by examining how to design, configure, and manage Windows® 7 client configurations.


Lesson 1
Overview of Planning Client Configuration

After identifying your organization’s business needs and deciding which features of Windows 7 to use, determine how to implement these features to simplify the management of users and computers. An important means to simplification is standardization. Standardizing desktop configurations makes it easier to install, update, manage, support, and replace computers that run Windows 7. Standardizing users’ configuration settings, software, hardware, and preferences makes it easier to deploy operating system and application upgrades, and configuration changes can be guaranteed to work on all computers. This lesson identifies the benefits and methods of deploying standard client configurations across an organization.


The Need for Planning Client Configuration

Key Points
Configuring client computer standards requires technical and organizational knowledge. Understanding your current computing environment is necessary to identify the needs of your users and organization. Equipped with this knowledge, you can decide which Windows 7 capabilities to enable and then document the changes needed to meet these goals.

Depending on the size of an organization, the number of users it employs, the number of sites involved, and the business requirements of each user group, configuring client computers can range from a simple process to an extremely complex one. As organizations grow, the need for comprehensive client configuration planning becomes even more important due to the following factors:
• Users in large organizations typically have a wide variety of skill levels.
• Users often work in widely distributed locations.
• A variety of applications and hardware are employed across the user base.
• A growing percentage of users work off-site and connect to the network intermittently, in many cases across slow links.

Benefits of Effective Planning
Effective client configuration planning provides a variety of benefits to your users and organization, including:
• Reduced administrative efforts
• Reduced total cost of ownership (TCO)
• Minimized security risks
• Minimized training requirements
• Consistent user experience


If users have standardized configuration settings, it is simpler to deploy operating system and application upgrades and configuration changes that can be guaranteed to work on all computers. For support personnel, deploying standard desktop configurations simplifies the task of identifying and resolving problems that users can encounter when they are all working from a consistent user experience. Problems can occur when users install operating system upgrades, applications, device drivers, settings, preferences, and hardware devices that are not approved for use in the organization. Creating standards helps eliminate these potential problem areas. If a computer fails, having a standard configuration to install on a new computer minimizes downtime by ensuring that users have the same settings, applications, drivers, and preferences they had before the problem occurred.

Deploying a standard desktop configuration across an organization also equates to a more secure deployment. In this environment, security risks are minimized because everyone is working from the same configuration that is tested and approved by IT administration. In organizations where planning is minimized and customized configurations appear across a network, security testing and overall security levels are compromised.

Similarly, a standard desktop configuration equates to minimized training, because groups of users can be trained simultaneously on the standard configuration. The benefits realized from a standard training approach are negated when users have custom configurations that require customized training.


Methods for Implementing Client Configuration

Key Points
The following methods can be used for implementing the client configuration:
• Group Policy Settings: Group Policy is a management tool used to deliver and apply one or more desired configurations or policy settings to a set of targeted users and computers within an Active Directory environment. Administrators define these settings within Group Policy Objects (GPOs) using the Group Policy Management Console (GPMC) or the Local Group Policy Editor.
  Configuring settings within Group Policy Objects (GPOs) enables an organization to impose certain behaviors on a variety of features for the computers and users linked to its Active Directory containers, such as sites, domains, or Organizational Units (OUs). GPOs define computer settings ranging from the computer desktop to screen saver timeouts. This enables administrators to configure the users’ work environment once and rely on the system to enforce the policies as defined.
  With the introduction of Windows 7, Group Policy can be used to centrally manage a greater number of features and behaviors than were possible in previous Windows versions. The number of Group Policy settings has increased from approximately 1,800 in Windows Server® 2003 Service Pack 1 to over 2,500 in Windows 7 and Windows Server 2008 R2.
• Group Policy Preferences: Organizations typically deploy two types of settings: managed and unmanaged.
  • Managed settings are Group Policy settings enforced by administrators, and cannot be changed by users.
  • Unmanaged settings are preferences. In contrast to policy settings, users can change preferences after they are deployed.
  Organizations deploy preferences in a variety of ways, but the most common are default user profiles, registration entry (.reg) files, and logon scripts. Including preferences in Windows images is also common. Most methods for deploying preferences are decentralized and unwieldy.


  Preferences can also be deployed within Group Policy. In contrast to the less IT-friendly methods for deploying preferences, Group Policy preferences add to Group Policy a centralized system for deploying preferences. This provides the means to simplify deployment, reduce configuration errors, and reduce IT costs.
  Unlike Group Policy settings, users are allowed to change Group Policy preferences after they are deployed by tailoring their client configurations to match their individual requirements. This is a necessity even in most locked-down environments where users cannot change many settings.
• Local Group Policies: Local Group Policy is a subset of the Group Policy technology. Group Policy is domain based while Local Group Policy is specific to the local computer. Both technologies allow administrators to configure specific settings in the operating system and then force those settings to computers and users.
• Logon scripts: Technically, a logon script is nothing more than a script that runs whenever a user logs on to a network or, less commonly, whenever a user logs on to a local computer. Logon scripts are not new; they have existed almost as long as computer networks have. However, logon scripts remain one of the primary methods that system administrators use to ensure that users have consistent access to resources each time they log on.
  Providing access to resources is extremely important in itself, but logon scripts simultaneously help automate many other management tasks. For example, logon scripts can inventory computer hardware, perform audits of installed software, ensure that antivirus software is installed and up-to-date, and verify that applications such as Internet Explorer are properly configured.

Note: There are some client configuration settings that cannot be configured through group policy. As a result, these settings become part of the image that gets deployed. For example, custom application settings are typically deployed in the image because there are no Group Policy settings for these custom options.

Question: Which type of settings provides an unmanaged method of client configuration that allows users to change system settings?


Discussion: Advantages and Disadvantages of Client Configuration Implementation Methods

The following table outlines the advantages and disadvantages of each client configuration method. Review the advantages and disadvantages and answer the questions displayed on the slide.

Client Configuration Method: Group Policy Settings; Group Policy Preferences

Advantages
• Enables centralized desktop management.
• Decreases total cost of ownership.
• Over 2500 Group Policy settings enable you to standardize almost every specific computer feature.
• Reduces losses in productivity by defining policy settings and allowed actions for users and computers.
• Settings are enforced, so end users cannot change settings.
• Settings are refreshed, and original settings are not changed.
• Defines the default desktop configuration and provides centralized management of mapped network drives, scheduled tasks, and other Windows features that are not Group Policy-aware.
• Reduces the time spent maintaining and troubleshooting desktop configurations, and allows IT departments to better meet compliance requirements.
• Preferences can be easily created for registry settings, files, and so on.

Disadvantages
• Over 2500 Group Policy settings can be overwhelming from a planning and implementation perspective.
• Some applications do not have settings that can be configured through group policy.
• Only available in domain-based GPOs.
• Preferences are not enforced, so end users can change preference options.
• Original settings are overwritten.

Client Configuration Method: Local Group Policy; Logon scripts

Advantages
• Allows computer settings to be tailored to the needs of each specific user.
• Multiple Local Group Policy Objects (MLGPO) in Windows 7 give stand-alone computer administrators the ability to apply different Group Policy objects to stand-alone users.
• Supports any language supported by Windows Script Host, in addition to VBScript, JavaScript, PERL, and MS-DOS®-style batch files (.bat and .cmd).

Disadvantages
• Not as robust as Group Policy.
• For domain-based computers, local group policies can be overridden by domain Group Policy.
• Less comprehensive and flexible approach to managing computers than Group Policy.
• Requires scripting/programming knowledge to create scripts.
• Most common tasks performed by logon scripts are installing printers, mapping network drives, configuring registry settings, and copying files and folders. Often, these tasks require complex scripting, testing, and debugging.


Discussion: Categories of Client Configuration Settings

Discussion
Question: What are some examples of client configuration settings that you typically configure in your organization to manage user desktops?

Client Configuration Settings
Client configuration settings are configured using the Local Group Policy Editor. The console tree of the Local Group Policy Editor separates the group policy settings into two main parent nodes:
• Computer Configuration: Settings apply to all users who log on to the computer.
• User Configuration: Settings apply to users regardless of which computer they log on to.

The Computer Configuration and User Configuration nodes include the following child nodes:
• Software Settings
• Windows Settings
• Administrative Templates

The client configuration settings for computers and users are defined in the Windows Settings and Administrative Templates nodes.

Windows Settings
The client settings that are configured in the Windows Settings node are primarily related to:
• Security
• Internet Explorer maintenance

All security policies are computer-based policies. From a client configuration perspective, the primary security settings relate to account policies and local policies.


Account Policies
Account policies are defined on computers, yet they affect how user accounts can interact with the computer or domain. Account policies contain the following subsets:
• Password Policy: Used for domain or local user accounts. Determines settings for passwords, such as enforcement and lifetimes.
• Account Lockout Policy: Used for domain or local user accounts. Determines the circumstances and length of time that an account will be locked out of the system.

Local Policies
These policies apply to a computer and contain these subsets:
• Auditing Policy: Determines whether security events are logged into the Security log on the computer. Also determines whether to log successful attempts, failed attempts or both. (The Security log is part of Event Viewer.)
• User Rights Assignment: Determines which users or groups have logon rights or privileges on the computer.
• Security Options: Enables or disables security settings for the computer, such as digital signing of data, Administrator and Guest account names, floppy drive and CD-ROM access, driver installation, and logon prompts.

Administrative Templates
There are several categories of Administrative templates in the Computer and User Configuration nodes, including:
• In Computer and User Configuration:
  • Control Panel
  • Network
  • System
  • Windows Components
  • All Settings
• In Computer Configuration only:
  • Printers
• In User Configuration only:
  • Desktop
  • Shared Folders
  • Start Menu and Taskbar

Administrative templates (or .admx files) are used by administrators to control registry settings using Group Policy.
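The policy areas described above (Password Policy, Account Lockout Policy, Auditing Policy, User Rights Assignment, and Security Options) are what a `secedit /export /cfg` file records for a computer. The following Python script is an added example, not part of the course material: it parses such an export and reports each setting that is missing or weaker than a baseline. The baseline thresholds and the sample export are constructed assumptions, not values from this course.

```python
# Registry-backed Security Options as they appear in [Registry Values] (lower-cased).
LM_LEVEL = r"machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel"
HIDE_LAST_USER = (r"machine\software\microsoft\windows\currentversion"
                  r"\policies\system\dontdisplaylastusername")

# Constructed excerpt of an export. A real export file is UTF-16, so read it
# with open(path, encoding="utf-16").
SAMPLE_INF = r'''[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 0
AuditAccountLogon = 3
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,2
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"10"
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555,*S-1-1-0
'''


def parse_secedit(text):
    """Return {section: {key: value}} with lower-cased section and key names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections


def reg_data(value):
    """[Registry Values] entries are '<type>,<data>'; return the data unquoted."""
    return value.partition(",")[2].strip().strip('"')


def sid_set(value):
    """Split a [Privilege Rights] value into its SIDs or account names."""
    return {item.strip().upper() for item in value.split(",") if item.strip()}


# (policy area from the text, INF section, key, test, expected) - assumed baseline.
BASELINE = [
    ("Password Policy", "system access", "minimumpasswordlength",
     lambda v: int(v) >= 8, ">= 8"),
    ("Password Policy", "system access", "passwordcomplexity",
     lambda v: int(v) == 1, "1 (enabled)"),
    ("Account Lockout Policy", "system access", "lockoutbadcount",
     lambda v: 1 <= int(v) <= 10, "1 to 10 attempts (0 means never lock out)"),
    ("Auditing Policy", "event audit", "auditlogonevents",
     lambda v: int(v) == 3, "3 (success and failure)"),
    ("User Rights Assignment", "privilege rights", "seremoteinteractivelogonright",
     lambda v: "*S-1-1-0" not in sid_set(v), "Everyone (S-1-1-0) not granted"),
    ("Security Options", "registry values", LM_LEVEL,
     lambda v: int(reg_data(v)) == 5, "5 (NTLMv2 only, refuse LM & NTLM)"),
    ("Security Options", "registry values", HIDE_LAST_USER,
     lambda v: int(reg_data(v)) == 1, "1 (do not display last user name)"),
]


def audit_secedit_export(text):
    """Return (area, key, actual, expected) for every setting that fails the baseline."""
    cfg = parse_secedit(text)
    failures = []
    for area, section, key, ok, expected in BASELINE:
        actual = cfg.get(section, {}).get(key)  # None means "not defined"
        try:
            passed = actual is not None and ok(actual)
        except ValueError:  # non-numeric data where a number is required
            passed = False
        if not passed:
            failures.append((area, key, actual, expected))
    return failures


if __name__ == "__main__":
    for area, key, actual, expected in audit_secedit_export(SAMPLE_INF):
        print(f"{area}: {key} = {actual!r}, expected {expected}")
```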


Lesson 2
Designing and Configuring Standard System Settings

Once an organization determines the method for implementing its standard Windows 7 client configuration, it is ready to begin designing and configuring the standard system settings that best meet its business requirements.

This process must begin with a complete review of the standard system settings that can be configured in Windows 7. It must also take into account the desktop usage scenario that best fits the organizational structure. Once the planning is completed, the standard system settings can be configured using any of the client configuration methods.

This lesson examines each of these steps in the design and configuration process for standard system settings.


Standard System Settings

Key Points
In the Group Policy Editor, the standard system settings for computers and users are defined in the Windows Settings and Administrative Templates nodes of the console tree.

Standard System Settings Available In Windows Settings
The standard system settings that can be configured in the Windows Settings node are related to:
• Security
• Internet Explorer maintenance

Standard System Settings Available In Administrative Templates
The following list displays some of the more common system settings that can be configured for each Windows 7 client computer using Administrative templates (the complete list of settings is too long to display here).
• Control Panel:
  • Remove Control Panel items (such as Mouse, System, or Programs and Features) from the Control Panel window and the Start menu.
  • Prevent Control.exe, the program file for Control Panel, from starting. As a result, users cannot start Control Panel or run any Control Panel items. This setting also removes Control Panel from the Start menu and from Windows Explorer.
• Printers:
  • Enable Internet printing, which displays printers on Web pages so that printers can be viewed, managed, and used across the Internet or an intranet.
  • Enable the Add Printer Wizard to automatically publish all shared printers.
• Windows Explorer (under Windows Components):
  • Users can configure their system to open items by single-clicking.
  • Require Windows Explorer to display a confirmation dialog whenever a file is deleted or moved to the Recycle Bin.
• Desktop:
  • Specify wallpaper for a group.
  • Prevent users from changing the desktop wallpaper.
• Start Menu and Taskbar:
  • Determine whether the recent programs list in the Start menu is blank for each new user.
  • Prevent the Start menu from including a link to the Games folder.
• Logon (under System):
  • Require the user to log on to the computer using the classic logon screen.
  • Do not display the Getting Started welcome screen at logon.


Determining the Standard System Settings

Key Points
Organizations must consider a variety of issues when determining how they will configure the standard system settings. One of the key considerations is the desktop usage scenario employed by the organization. In many cases, a scenario can deliver a specific computer and user configuration that is close to the organization’s required production environment and might not need significant changes. In other cases, it might be necessary to substantially modify the GPOs provided to ensure alignment with the organization’s business goals.

Common Desktop Usage Scenarios
The following is a list of common desktop usage scenarios that affect how an organization configures its standard system settings, along with typical usage examples.

Lightly Managed
This scenario is used for power users or developers who require considerable control over their computers. This scenario can also be used in an organization where tightly managed desktops are not acceptable to users or where desktop management is highly delegated.

Mobile
The Mobile scenario is relevant to mobile/laptop computers and their users. This scenario pays particular attention to the disconnected user who frequently needs to work offline and occasionally “resynchronize” with the corporate network.

Multi-User
This scenario is typically used in environments such as a university computer laboratory or library where users can save some customizations, such as desktop wallpaper and color scheme preferences, but are not allowed to change hardware or connection settings.


AppStation
The AppStation scenario is used when highly restricted configurations are required with only a few applications. This scenario is typically used in “vertical” applications such as marketing, claims and loan processing, and customer-service scenarios.

TaskStation
The TaskStation scenario is used when an organization needs a computer dedicated to running a single application, such as on a manufacturing floor, as an entry terminal for orders, or in a call center.

Kiosk
This scenario is typically used in a public area, such as in an airport where passengers check in and view their flight information. Because the computer is normally unattended, it needs to be highly secure.

Common Standard System Settings
The following tables provide examples of specific settings that are typically configured in each usage scenario based on the characteristics of the scenario.

Windows Settings
The following settings are located in the following Group Policy Object Editor node: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.

Policy Setting | Lightly Managed and Mobile, AppStation, Multi-User, Task Station, Kiosk
Devices: Prevent users from installing printer drivers | Disabled, Enabled, Enabled, Enabled
Devices: Restrict CD-ROM access to locally logged on user only | Disabled, Enabled, Enabled, Enabled
Devices: Restrict floppy access to locally logged on user only | Disabled, Enabled, Enabled, Enabled
Devices: Unsigned driver installation behavior | Warn but allow installation, Do not allow installation, Do not allow installation, Do not allow installation
Domain member: Digitally encrypt or sign secure channel data (always) | Disabled
Domain member: Digitally encrypt secure channel data (when possible) | Enabled, Enabled, Enabled, Enabled
Interactive logon: Do not display last user name | Disabled, Enabled, Enabled, Enabled


(continued)

Policy Setting | Lightly Managed and Mobile | AppStation | Multi-User | Task Station | Kiosk
• Interactive logon: Number of previous logons to cache (in case domain controller is not available): 10 logons, 10 logons, 10 logons, 10 logons
• Interactive logon: Prompt user to change password before expiration: 14 days, 14 days, 14 days, 14 days
• Network security: LAN Manager authentication level: Send NTLM response only, Send NTLMv2 Response only\refuse LM & NTLM
• Shutdown: Clear virtual memory pagefile: Disabled, Enabled, Enabled, Enabled

Administrative Templates

The following settings are located in the following Group Policy Object Editor node: Computer Configuration\Administrative Templates\System\Logon.

Policy Setting | Lightly Managed and Mobile | AppStation | Multi-User | Task Station | Kiosk
• Don’t display the Getting Started welcome screen at logon: Enabled, Enabled, Enabled
• Run these programs at user logon: Disabled, Disabled, Disabled
• Do not process the run once list: Enabled
• Do not process the legacy run list: Enabled, Enabled

The following settings are located in the following Group Policy Object Editor node: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer.

Policy Setting | Lightly Managed and Mobile | AppStation | Multi-User | Task Station | Kiosk
• Security Zones: Use only machine settings: Enabled, Enabled
• Security Zones: Do not allow users to change policies: Enabled, Enabled, Enabled
• Security Zones: Do not allow users to add/delete sites: Enabled, Enabled, Enabled
• Do not process the legacy run list: Enabled, Enabled, Enabled
• Disable showing the splash screen: Enabled, Enabled, Enabled

The following settings are located in the following Group Policy Object Editor node: User Configuration\Administrative Templates\Start Menu and Taskbar.

Policy Setting | Lightly Managed and Mobile | AppStation | Multi-User | Task Station | Kiosk
• Remove user’s folders from the Start Menu: Enabled, Disabled, Enabled, Enabled
• Remove links and access to Windows Update: Enabled, Enabled, Enabled, Enabled, Enabled
• Remove common program groups from Start Menu: Enabled, Disabled, Enabled, Enabled
• Remove My Documents icon from Start Menu: Enabled
• Remove Documents menu from Start Menu: Enabled, Disabled, Enabled, Enabled
• Remove Network Connections from Start Menu: Disabled, Enabled, Enabled, Enabled, Enabled
• Add Logoff to the Start Menu: Enabled, Enabled, Enabled
• Remove Logoff on the Start Menu: Enabled, Disabled, Enabled, Enabled
• Do not keep history of recently opened documents: Enabled, Disabled, Enabled, Enabled
• Clear history of recently opened documents on exit: Enabled, Disabled, Enabled, Enabled
• Prevent changes to Taskbar and Start Menu Settings: Enabled (Mobile only), Enabled, Enabled, Enabled, Enabled
• Remove access to the context menus for the taskbar: Enabled (Mobile only), Enabled, Enabled, Enabled, Enabled
• Turn off personalized menus: Enabled, Disabled, Enabled, Enabled

The following settings are located in the following Group Policy Object Editor node: User Configuration\Administrative Templates\Desktop.

Policy Setting | Lightly Managed and Mobile | AppStation | Multi-User | Task Station | Kiosk
• Hide My Network Places icon on desktop: Enabled
• Hide Internet Explorer icon on desktop: Enabled
• Prohibit user from changing My Documents path: Enabled, Enabled, Enabled, Enabled, Enabled
• Prevent adding, dragging, dropping and closing the Taskbar’s toolbars: Enabled, Enabled, Enabled, Enabled, Enabled
• Prohibit adjusting desktop toolbars: Enabled, Enabled, Enabled, Enabled
• Remove Network Connections from Start Menu: Disabled, Enabled, Enabled, Enabled, Enabled

The following settings are located in the following Group Policy Object Editor node: User Configuration\Administrative Templates\Control Panel\Add or Remove Programs.


Policy Setting | Lightly Managed and Mobile | AppStation | Multi-User | Task Station | Kiosk
• Remove Add or Remove Programs
• Hide Add/Remove Windows Components page
• Hide the “Add a program from CD-ROM or floppy disk” option
Values for these three settings: Enabled (LM only); Enabled (LM only); Enabled, Disabled, Enabled, Enabled; Enabled; Enabled

The following settings are located in the following Group Policy Object Editor node: User Configuration\Administrative Templates\System.

Policy Setting | Lightly Managed and Mobile | AppStation | Multi-User | Task Station | Kiosk
• Prevent access to the command prompt: Enabled (Mobile only), Enabled, Disabled, Enabled, Enabled
• Prevent access to registry editing tools: Enabled, Enabled, Enabled, Enabled, Enabled
• Turn off Autoplay: Enabled, Enabled, Enabled, Enabled, Enabled
• Custom user interface: Enabled, Enabled
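The following script is an added example, not part of the original course material. It parses the [Registry Values] section of a security template export and compares it with the restrictive values that the Security Options table lists; the sample export is constructed, and the choice of which rows to check is an assumption.

```powershell
# Added example (not from the course material). PowerShell 2.0 or later.
# Input is the INF text written, from an elevated prompt, by:
#   secedit /export /cfg "$env:TEMP\secpol.inf" /areas SECURITYPOLICY
# A constructed sample is embedded so the script runs offline.
$SampleExport = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
[Registry Values]
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"10"
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning=4,14
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms=1,"0"
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,2
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,1
[Version]
signature="$CHICAGO$"
Revision=1
'@

# Baseline: the restrictive values from the Security Options table.
# LmCompatibilityLevel 5 = Send NTLMv2 response only\refuse LM & NTLM.
$Baseline = @(
    @{ Policy = 'Devices: Prevent users from installing printer drivers'
       Name   = 'MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers'
       Want   = '1' }
    @{ Policy = 'Devices: Restrict CD-ROM access to locally logged on user only'
       Name   = 'MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms'
       Want   = '1' }
    @{ Policy = 'Devices: Restrict floppy access to locally logged on user only'
       Name   = 'MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies'
       Want   = '1' }
    @{ Policy = 'Interactive logon: Do not display last user name'
       Name   = 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName'
       Want   = '1' }
    @{ Policy = 'Interactive logon: Number of previous logons to cache'
       Name   = 'MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount'
       Want   = '10' }
    @{ Policy = 'Interactive logon: Prompt user to change password before expiration'
       Name   = 'MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning'
       Want   = '14' }
    @{ Policy = 'Network security: LAN Manager authentication level'
       Name   = 'MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel'
       Want   = '5' }
    @{ Policy = 'Shutdown: Clear virtual memory pagefile'
       Name   = 'MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown'
       Want   = '1' }
)

function ConvertFrom-SecurityTemplate {
    param([string[]]$Lines)
    $values  = @{}          # hashtable literal: key lookups are case-insensitive
    $section = ''
    foreach ($line in $Lines) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -ne 'Registry Values') { continue }
        # Format is name=type,data (type 1 = REG_SZ, 4 = REG_DWORD, 7 = REG_MULTI_SZ)
        if ($line -match '^(?<name>[^=]+)=(?<type>\d+),(?<data>.*)$') {
            $values[$Matches['name'].Trim()] = $Matches['data'].Trim('"')
        }
    }
    return $values
}

function Test-SecurityBaseline {
    param([hashtable]$Actual, [object[]]$Baseline)
    foreach ($item in $Baseline) {
        # A policy that was never configured is absent from the export
        if ($Actual.ContainsKey($item.Name)) { $have = $Actual[$item.Name] }
        else                                 { $have = '<not set>' }
        New-Object PSObject -Property @{
            Policy    = $item.Policy
            Want      = $item.Want
            Have      = $have
            Compliant = ($have -eq $item.Want)
        } | Select-Object Policy, Want, Have, Compliant
    }
}

$actual = ConvertFrom-SecurityTemplate -Lines ($SampleExport -split "`r?`n")
Test-SecurityBaseline -Actual $actual -Baseline $Baseline | Format-Table -AutoSize
```

To check a real computer, replace the sample with the lines returned by Get-Content for the exported file.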


Demonstration: Configuring the Standard System Settings by Using Local Policies

This demonstration examines how to configure standard system settings by using the Local Group Policy Editor. This demonstration does not cover every standard setting; instead, it provides an introduction to local group policy configuration by updating a few group policy settings.

Configure Computer-Related Standard Settings

1. Start the Local Policy Editor and open Computer Configuration. There are no Preferences available in the local policy editor.
2. Navigate to Administrative Templates/Control Panel/Regional and Language Options and configure the setting Restricts the UI language Windows uses for all logged users. This setting, if enabled, restricts the user interface to the specified language for computers with more than one language installed.
3. Navigate to Administrative Templates/Network/Offline Files and configure the setting Allow or Disallow use of the Offline Files feature. This setting enables or disables offline file caching; by selecting Disabled, offline caching is unavailable.
4. Navigate to Printers in the navigation tree, and in the results pane, configure the Pre-populate printer search location text. This setting can be used to enable users to quickly locate adjacent printers; to function, it requires that Active Directory objects, such as Sites and Subnets, are configured with location strings.
5. Navigate to System/User Profiles in the navigation tree. These settings enable an administrator to control user profile behavior. In the results pane, configure the Only allow local user profiles. This setting could be used on a computer in a public area, such as a library, to prevent use of roaming profiles.
6. Navigate to Windows Components/Backup/Client. In the results pane, configure Prevent backing up to optical media (CD/DVD). This setting could be used to prevent users from archiving to optical media.


Configure User-Related Standard Settings

1. In Local Group Policy Editor, navigate to User Configuration/Windows Settings/Internet Explorer Maintenance/URLS and display Important URLs dialog box. These settings could be used to configure the default home page, search pages, and other URLs for users. For example, you can select the Customize Home page URL check box, and in the Home page URL: box, type the URL for the home page.
2. Set the Home page URL: box to “http://lon-dc1”.
3. In the Administrative Templates section, navigate to Control Panel/Personalization. In the results pane, configure the Load a specific theme setting. This setting is used to configure the desktop theme.
4. Close the editor.

Question: The Local Group Policy Editor is used in this demonstration. What other tool can you use to configure multiple computers in a single step?


Lesson 3

Designing and Configuring Internet Explorer Settings

A browser is like any other application; it can be well managed and secure or poorly managed. If a browser is poorly managed, IT professionals and enterprises risk spending more time and money supporting users and dealing with security infiltrations, malware, and loss of productivity.

Windows Internet Explorer® 8 (IE 8) helps users browse more safely, which, in turn helps to maintain customer trust in the Internet and helps protect the IT environment from the evolving threats presented on the Web. IE 8 specifically helps users maintain their privacy with features such as InPrivate Browsing and InPrivate Filtering. The new SmartScreen® Filter provides protection against social engineering attacks.

IE 8 helps prevent the browser from becoming an attack agent; it is built with the Secure Development Lifecycle (SDL) and provides more granular control over the installation of ActiveX controls with per-site and per-user ActiveX features. The Cross Site Scripting Filter protects against attacks against Web sites.

This lesson reviews these features and the settings that enable this security control.


Discussion: The Need for Configuring IE Settings

Discussion Question: For the question displayed, present and discuss your ideas with the class.


Privacy Features of IE 8.0

Key Points

One of the greatest concerns for users and organizations is the issue of security and privacy when using the Internet. Internet Explorer 8 helps users maintain their security and privacy. For enterprises that need users to be able to browse without collecting browsing history, Internet Explorer 8 has a privacy mode that allows them to surf the Web without leaving a trail. There is also a privacy mode that helps prevent third-party sites from tracking user actions. Delete Browsing History is now improved and allows users to delete browsing history without losing site functionality.

InPrivate Browsing

InPrivate Browsing helps protect data and privacy by preventing browsing history, temporary Internet files, form data, cookies, usernames, and passwords from being stored or retained locally by the browser. This leaves virtually no evidence of browsing or search history as the browsing session does not store session data.

From the enterprise and IT professional perspective, InPrivate Browsing is inherently more secure than using Delete Browsing History to maintain privacy because there are no logs kept or tracks made during browsing. InPrivate Browsing is a proactive feature because IT professionals can control what is tracked in a browsing session.

InPrivate Browsing can be used by some in an attempt to conceal their tracks when browsing to prohibited or non-work Web sites. However, IT professionals have full manageability control and can use Group Policies to configure how InPrivate Browsing is used in their enterprise. Default configuration settings can be specified in the Internet Explorer Administration Kit for Internet Explorer 8.

InPrivate Filtering

Every piece of content that a browser requests from a Web site discloses information to that site, sometimes even if the user has blocked all cookies. Often, users are not fully aware that their Web browsing activities are tracked by Web sites other than those they have consciously chosen to visit.


InPrivate Filtering is designed to monitor the frequency of all third-party content as it appears across all Web sites visited by the user. An alert or frequency level is configurable and is initially set to three. Third-party content that appears with high incidence is blocked when the frequency level is reached. InPrivate Filtering does not discriminate between different types of third-party content. It blocks content only when it appears more than the predetermined frequency level.

Enhanced Delete Browsing History

Cookies and cookie protection are one aspect of online privacy. Some organizations write scripts to clean up cookies and browsing history at the end of a browsing session. This type of environment might be needed for sensitive data, regulatory or compliance reasons, or private data in the healthcare industry.

Enhanced Delete Browsing History in Internet Explorer 8 enables users and organizations to selectively delete browsing history. For example, history can be removed for all Web sites except those in the user’s Favorites. This feature is switched on and off in the Delete Browsing History dialog box and is called Preserve Favorites website data.

Question: Describe the difference between InPrivate Browsing and InPrivate filtering.


Demonstration: Security Features of IE 8.0

Key Points

Internet Explorer provides the following features that help protect user privacy and help enhance the safety and security of their computing experience:

• URL Security Zones: URL security zones group URL namespaces according to their respective levels of trust. A URL policy setting for each URL action enforces these levels of trust. Administrators can customize the default URL security zones by changing the URL policy setting for each URL action, using the default URL security zone manager and URL security zone templates. Additionally, a supplied API provides developers with the tools to either interact with the default URL security zone manager or to create a custom URL security zone manager.
  Internet Explorer includes the following predefined security zones:
  • Internet: This zone is for Internet websites, except those listed in trusted and restricted zones.
  • Local Intranet: This zone is for all websites that are found on your intranet.
  • Trusted Sites: This zone contains websites that you trust not to damage your computer or your files.
  • Restricted Sites: This zone is for websites that might damage your computer or your files.
  • Local Machine: This zone is like the Trusted Sites zone. It includes all the content on the local computer, except for data that is stored in the Temporary Internet Files web cache, or classes that have been specifically signed with local machine privileges.
• URL Security Zone Templates: Templates provide an easy way for IT administrators to set the level of security they want for a particular URL security zone. The High template contains settings that provide the highest level of security by restricting Web sites from performing potentially damaging operations. The Low template contains settings that provide the lowest level of security, allowing Web sites more access to the user’s system.
  Internet Explorer provides the following five separate security zone templates:


  • High Template: Used for URL security zones that contain Web sites that can cause damage to the computer or data. The settings used by this template restrict sites from performing potentially damaging operations.
  • Medium-High Template: With this template, per-application override settings that disable Microsoft ActiveX warnings in certain situations are not allowed.
  • Medium Template: Used for URL security zones that contain Web sites that are neither trusted, nor untrusted.
  • Medium-Low Template: Used for URL security zones that contain Web sites that are unlikely to cause damage to your computer or data.
  • Low Template: Used for URL security zones that contain Web sites that are fully trusted by the user.
• IE Enhanced Security Configuration: A group of preconfigured IE settings that reduce the likelihood of a user or administrator downloading and running malicious Web content.
• Microsoft ActiveX Controls: IT professionals can increase security and trust through improvements in ActiveX controls that enable command of how and where an ActiveX control loads and which users can load them.
  • Per-User ActiveX: Like Internet Explorer 7, Internet Explorer 8 by default employs ActiveX Opt-In, which disables most controls on a user’s machine. In Internet Explorer 8, per-user ActiveX makes it possible for standard users to install ActiveX controls in their own user profile, without requiring administrative privileges.
  • Per-Site ActiveX: When a user navigates to a Web site containing an ActiveX control, Internet Explorer 8 performs a number of checks, including a determination of where a control is permitted to run. If a control is installed but is not permitted to run on a specific site, an Information Bar appears asking the user’s permission to run on the current Web site or on all Web sites.
• XSS Filter: The XSS Filter in Internet Explorer 8 helps block Cross-Site Scripting (XSS) attacks, one of the most common Web site vulnerabilities today.
• Data Execution Prevention (DEP): DEP is enabled by default to help prevent system attacks where malicious data exploits memory-related vulnerabilities to execute code.
• SmartScreen Filter: With the introduction of the SmartScreen Filter, Internet Explorer 8 builds on the Phishing Filter technology introduced in Internet Explorer 7. The Phishing Filter warned users when they attempted to visit known phishing sites. The SmartScreen Filter replaces the Phishing Filter and helps protect against phishing Web sites, other deceptive sites, and sites known to distribute malware by:
  • Identifying malicious Web sites trying to trick people into providing personal information or installing malicious software.
  • Blocking the download of malicious software.
  • Providing enhanced anti-malware support.

Demonstration

This demonstration examines how to configure the security zones in Internet Explorer.

Open Internet Explorer and Locate the Security Settings

• On the client computer, access Internet Options, and display the Security tab.


View the Security Zones

1. Display the security level for the Internet zone. Notice the zone template is Medium-high, and that this zone operates in Protected Mode.
2. Display the security level for the Local intranet zone. Notice the zone template is Medium-low, and that this zone does not operate in Protected Mode.
3. Display the security level for the Trusted sites zone. Notice that the zone template is Medium, and this zone does not operate in Protected Mode. By using the Trusted Sites dialog box, trusted sites can be added to the sites list, but by default, sites must implement HTTPS, although this can be changed.

Add a Site to the Restricted Sites List

1. Display the security level for the Restricted sites zone. Notice the zone template is High, and that this zone operates in Protected Mode.
2. Add a Web site to the list of restricted sites by using the Restricted sites dialog box.

Add a Site to the Trusted Sites List

• Add a Web site to the list of trusted sites by using the Trusted sites dialog box.

Change the Zone Template for the Trusted Sites Zone

1. Display the security level for the Trusted Sites zone. Display the Security Setting - Trusted Sites Zone dialog box.
2. In the Security Setting - Trusted Sites Zone dialog box, you can configure individual elements of the security settings.

Question: Which sites does a user typically add to his or her trusted sites list, and what are the implications?
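The following script is an added example, not part of the original course material. It reads the same information the demonstration views in the Security tab (zone template, Protected Mode, the HTTPS requirement) from the registry and lists Trusted sites entries that are not limited to HTTPS; the function names are hypothetical, and the registry layout is the standard Internet Settings one, which the course text does not describe.

```powershell
# Added example (not from the course material). PowerShell 2.0 or later.
$InetSettings = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ZoneNames    = 'Local Machine', 'Local intranet', 'Trusted sites', 'Internet', 'Restricted sites'

# "Security Zones: Use only machine settings" makes IE read zones from HKLM.
function Get-ZoneHive {
    $policy = Get-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" `
                               -Name Security_HKLM_only -ErrorAction SilentlyContinue
    if ($policy -and $policy.Security_HKLM_only -eq 1) { 'HKLM:' } else { 'HKCU:' }
}

# CurrentLevel holds the URL security zone template identifier.
function Get-TemplateName([int]$Level) {
    switch ($Level) {
        0x10000 { 'Low' }
        0x10500 { 'Medium-low' }
        0x11000 { 'Medium' }
        0x11500 { 'Medium-high' }
        0x12000 { 'High' }
        default { 'Custom (0x{0:X})' -f $Level }
    }
}

function Get-IEZoneReport {
    param([string]$Hive = (Get-ZoneHive))
    foreach ($id in 0..4) {
        $zone = Get-ItemProperty -Path "$Hive\$InetSettings\Zones\$id" -ErrorAction SilentlyContinue
        if (-not $zone) { continue }
        # URL action 2500 is Protected Mode: 0 = on, 3 = off
        $pmValue = $zone.'2500'
        if     ($pmValue -eq 0) { $pm = 'On' }
        elseif ($pmValue -eq 3) { $pm = 'Off' }
        else                    { $pm = 'Not set' }
        New-Object PSObject -Property @{
            Id            = $id
            Zone          = $ZoneNames[$id]
            Template      = Get-TemplateName $zone.CurrentLevel
            ProtectedMode = $pm
            # Flags bit 4: sites added to the zone must use https:
            RequiresHttps = [bool]($zone.Flags -band 4)
        } | Select-Object Id, Zone, Template, ProtectedMode, RequiresHttps
    }
}

# Site-to-zone assignments: ZoneMap\Domains\<domain>[\<host>], one value per
# protocol (http, https, *) whose data is the zone number.
function Get-ZoneMapEntry {
    param([string]$Hive = (Get-ZoneHive), [int]$Zone = 2)
    $root = "$Hive\$InetSettings\ZoneMap\Domains"
    if (-not (Test-Path $root)) { return }
    Get-ChildItem -Path $root -Recurse | ForEach-Object {
        $key = $_
        foreach ($protocol in $key.GetValueNames()) {
            if ($key.GetValue($protocol) -ne $Zone) { continue }
            # Key path is domain\host; the site name is host.domain
            $relative = $key.Name -replace '^.*\\ZoneMap\\Domains\\', ''
            $parts    = @($relative -split '\\')
            [array]::Reverse($parts)
            New-Object PSObject -Property @{
                Site     = ($parts -join '.')
                Protocol = $protocol
                Zone     = $ZoneNames[$Zone]
            } | Select-Object Site, Protocol, Zone
        }
    }
}

Get-IEZoneReport | Format-Table -AutoSize

# Trusted sites entries reachable over plain HTTP or any protocol
Get-ZoneMapEntry -Zone 2 |
    Where-Object { $_.Protocol -ne 'https' } |
    Format-Table -AutoSize
```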


Discussion: Compatibility Features in Internet Explorer 8.0

Key Points

Internet Explorer 8 includes advancements in compliance with Web standards. This enables Web sites to be created more efficiently and operate more predictably. Microsoft embraces new Web standards; however, they also have a responsibility to maintain compatibility with existing Web sites.

Internet Explorer 8:

• Includes multiple layout engines, and places the decision on whether it needs to support legacy behaviors or strict standards with Web developers, who can specify which layout engine to use on a page-by-page basis.
• Provides a Compatibility View that uses the Internet Explorer 7 engine to display Web pages. This helps improve compatibility with applications written for Internet Explorer 7.

Compatibility View

Internet Explorer 8 has a Compatibility View that helps display a Web page as it is meant to be viewed. This view provides a straightforward way to fix display problems such as out-of-place menus, images, and text.

The Compatibility View button only displays if it is not clearly stated how the Web site is to be rendered. In other cases, such as viewing intranet sites or viewing sites with a tag / HTTP header indicating Internet Explorer 7 or Internet Explorer 8 Standards, the button is hidden.

When Compatibility View is activated, the page refresh will appear, depending on the speed of the computer. A balloon tip indicates that the site is now running in Compatibility View.

Configuring Compatibility View

A new entry on the Tools menu allows for advanced configuration of the Compatibility View which enables IT professionals to customize the view to meet enterprise requirements. For example, IT professionals can configure it so that all intranet sites display in Internet Explorer 8 mode instead of the default Internet Explorer 7 mode.

Application Compatibility Tools

The Application Compatibility Tools (ACT) is a set of tools to help IT professionals identify potential application compatibility issues. The Internet Explorer Compatibility Evaluator feature of ACT is designed to help identify potential compatibility issues with Web sites. In Internet Explorer 8, new events are added to ACT to help detect and resolve potential issues between Internet Explorer 8 and internal applications and Web sites. In addition, Group Policy settings are provided to help IT administrators control settings that impact compatibility with a high degree of granularity.

Discussion Question: What compatibility issues can you encounter when updating Internet Explorer?

Discussion Question: Do you envision your organization implementing ACT as a means to identify potential compatibility issues? Why or why not?


What Are Accelerators?

Key Points

Whether finding directions, posting blog entries, or performing other common actions, today’s Web users often copy and paste information from one Web page to another. Now, Internet Explorer 8 brings these powerful Web services one step closer through a new feature called Accelerators. Accelerators are contextual services that provide quick access to external site services from any Web page. They typically involve one of two types of actions:

• Look up information related to data in the current Web page.
• Send content from the current Web page to another application.

The new Accelerators in Internet Explorer 8 help users quickly perform everyday browsing tasks without navigating to other Web sites to get things done. To use an Accelerator:

• Select the text on which to use an accelerator. Click the blue arrow Accelerator button which appears. This will display a list of Accelerators.
• When the mouse pointer is rested over each Accelerator, a preview of the content is displayed. Then click the Accelerator to learn more.

Accelerators are used to obtain driving directions, translate and define words, email content to others, search with ease, and more. For example, with the “Map with Bing” Accelerator in Internet Explorer 8, you can get an in-place view of a map displayed directly on the page.

IE 8 comes with a default set of Accelerators, although additional Accelerators can be added from a collection of add-on Accelerators in the Internet Explorer Gallery. Users can customize the browser so that it works for them by adding Accelerators from Bing.com and other sites.


Discussion: Determining the IE 8.0 Settings

Discussion Scenario

As a senior member of Tailspin Toys’ IT Department you are responsible for determining the IE settings that will be configured for each user. The majority of users at Tailspin Toys are power users who require considerable control over their computers and do not appreciate tightly managed desktops. Because of their experience, Tailspin Toys has allowed these users to control most of the IE settings that affect them during past Windows client deployments. However, this situation has led to a number of problems that you plan to address with the implementation of Internet Explorer 8.0.

• During previous Internet Explorer implementations, Tailspin Toys asked users to manage their own browsing experience by using the Delete Browsing History feature to maintain their privacy. However, because most users were not diligent in managing this information, they became susceptible to malicious sites accessing personal information stored by their browsers.
• In addition, the company has experienced a large number of malware infections due to users’ access of non-work related websites.
• Finally, your testing has identified at least six of your vendors’ Websites that do not render as expected in IE 8.0. If left unaddressed, this will result in performance issues with the buyers in your Purchasing Department.

You have decided to address these concerns by configuring IE 8.0 settings during your Windows 7 rollout.

Discussion Question: How can you prevent users’ personal information from being collected while they are browsing the Internet?

Discussion Question: Which new IE 8.0 feature do you implement that blocks user access to malicious sites? What must you do to prevent users from disregarding notifications that a site has been blocked and must not be accessed?


Discussion Question: What recommendation must you make to the buyers in the Purchasing Department to address the compatibility issues related to the six vendor sites that do not render as expected?


Demonstration: Configuring IE 8.0 Settings

Key Points

There are approximately 13000 Group Policies for managing Windows Internet Explorer 8. This topic displays the new group policies added in IE 8.0 and provides a list of key recommendations for the following areas: security, performance, and compatibility with Internet Explorer 7.

Recommended High-Security Settings

By default, Internet Explorer 8 settings are configured to balance security, privacy, and compatibility. You can restrict users from making configuration changes by configuring the following policy: Disable the Security Page.

By enabling the SmartScreen Filter, users can be protected from malicious sites that conduct phishing attacks or attempt to download malicious software. By configuring the Prevent bypassing SmartScreen Filter Warning setting, users can be prevented from inadvertently ignoring SmartScreen warnings for known-malicious sites.

Malicious or defective add-ons can cause browser performance or security problems. Group Policies can be configured to restrict which add-ons can be installed or run.

Recommended Performance Settings

Certain Group Policies can be used to help improve performance within your environment. As performance is affected by factors like bandwidth availability, specific sites, and network infrastructure, this section only lists Group Policies that an IT professional typically investigates.

The Add-ons and Third-Party Browser Extensions are usually provided by third-parties, and sometimes do not share the same performance goals as Internet Explorer. Add-ons and browser extensions are known to have the potential for significant performance impact.

The following Group Policies can be used to manage add-ons and browser extensions in your environment:


Policy Setting Name | Scope
Allow third-party browser extensions | User, Computer
Add-on List | User, Computer
Deny all add-ons unless specifically allowed in the Add-on List | User, Computer
All Processes | User, Computer
Process List | User, Computer
Do not allow users to enable or disable add-ons | User, Computer

Recommended Compatibility Settings

To reduce application and Web site compatibility issues, or to reduce the learning curve for users as they encounter new features, you may want to make Internet Explorer 8 behave as closely as possible to previous versions. The following recommended settings for Group Policies will make Internet Explorer 8 behave as closely as possible to Internet Explorer 7.

Policy Setting Name | Settings | Scope
Turn off Accelerators | Enabled | User, Computer
Turn off COM Activities | Enabled | User, Computer
Turn off Connection Scaling | Enabled | User, Computer
Turn off Automatic Crash Recovery Prompt | Enabled | User, Computer
Turn on Caret Browsing support | Disabled | User, Computer
Turn on Internet Explorer 7 Standards Mode | Enabled | User, Computer
Turn off Developer Tools | Enabled | User, Computer
Turn off InPrivate | Enabled | User, Computer
Configure new tab page default behavior | Enabled | User, Computer
Turn off suggestions for all user-installed providers | Enabled | User, Computer
Turn off the activation of the quick pick menu | Enabled | User, Computer
Turn on Suggested Sites | Enabled | User
Turn off background synchronization for feeds and Web Slices | Enabled | User, Computer
Turn off addition and removal of feeds and Web Slices | Enabled | User, Computer
Turn off feed and Web Slices discovery | Enabled | User, Computer


Demonstration

This demonstration examines how to configure Internet Explorer settings by using the Local Group Policy Editor.

Configure Compatibility View Settings

1. Open the Local Policy Editor. Local policies are enforced first, and then group policies are applied subsequently with a higher priority.
2. Compatibility View determines how Internet Explorer identifies itself to a Web server and how content is rendered. This can help ensure that some Web sites display properly in Internet Explorer 8. Navigate to Computer Configuration/Administrative Templates/Windows Components/Internet Explorer/Compatibility View to view and configure the compatibility settings. These settings can also be configured in the User Configuration folder.
3. Open the Tools menu in Internet Explorer. Select the Compatibility View option to view the Web page in the compatibility view.
4. Configure the Compatibility View Settings by using the Compatibility View Settings dialog box. In this dialog box, you can add or remove sites, and configure intranet sites settings.
5. In the Local Group Policy Editor, if you enable the Turn off Compatibility View option under Computer Configuration/Administrative Templates/Windows Components/Internet Explorer/Compatibility View, users will not be able to use the Compatibility View feature.

Configure InPrivate Settings

1. Configure the InPrivate Filtering Settings in Internet Explorer by first clicking the Safety button. When you visit Websites, some information about your visit is collected by the content provider. InPrivate Filtering enables you to control which providers receive information about the Websites that you visit.
2. Switch to Local Group Policy Editor. In the navigation tree, select InPrivate. In the results pane configure Turn off InPrivate Filtering. If you enable this policy, then InPrivate Filtering is not available.
3. In Internet Explorer configure the InPrivate Browsing setting by first clicking the Safety button. InPrivate Browsing prevents Internet Explorer from storing session data such as cookies, temporary Internet files, and history.
4. In the Local Group Policy Editor, in the results pane, configure Turn off InPrivate Browsing. If you enable this policy, InPrivate Browsing is unavailable.

Configure SmartScreen settings

1. Configure the SmartScreen Filter settings in Internet Explorer by clicking the Safety button. SmartScreen filtering warns the user if the Website being visited is known for fraudulent attempts to gather personal information – known as phishing sites – or if the site is known to contain malicious software.
2. In the Local Group Policy Editor, in the navigation tree, click Internet Explorer. In the results pane, click Turn off Managing SmartScreen Filter. This setting enables you to control SmartScreen Filtering.

Configure Search Providers

1. In Local Group Policy Editor, navigate to User Configuration/Windows Settings/Internet Explorer Maintenance/URLS. Configure the Internet Explorer Important URLs setting. Aside from the default home page, you can also configure search provider URLs here.


2. Navigate to Computer Configuration/Administrative Templates/Windows Components/Internet Explorer. Configure the Restrict search providers to a specific list of providers setting. This setting can also be used to control search providers.

Configure Accelerators

1. The new Accelerators in Internet Explorer 8 help users quickly perform everyday browsing tasks without navigating to other websites to get things done. Simply highlight text from any webpage, and then click on the blue Accelerator icon that appears above the selection to obtain driving directions, translate and define words, email content to others, search with ease, and more. For example, with the “Map with Live Search” Accelerator in Internet Explorer 8, an in-place view of a map can be displayed directly on the page.
2. In the Local Group Policy Editor, in the results pane, configure the Accelerators settings. Accelerators can be configured by using these Group Policy settings.

Configure Security Settings

• In Local Group Policy Editor, configure the Security Features settings. The following range of folders and policies can be added to configure all the security settings in Internet Explorer 8.

Question: Do you always need to enable SmartScreen? Explain why.


Lesson 4
Designing and Configuring Security Settings

With users becoming increasingly computer-savvy, they expect more from the technology they use at work, home, a branch office, or on the road, without experiencing a decrease in productivity. With Windows 7, IT professionals can meet users’ diverse needs in a way that is more manageable.

• Businesses can have employees work more productively at their desks, at home, on the road, or in a branch office.
• Security and control are enhanced, reducing the risk associated with data on lost computers or external hard drives.
• Desktop management is streamlined, so it takes less work to deploy Windows 7 and keep it running smoothly.

This lesson introduces the following new security features in Windows 7, which describe how to safeguard computers while ensuring that usability is not sacrificed in the process:

• Fundamentally Secure Platform: The Windows 7 operating system provides an assortment of tools and features designed to maximize platform and client security.
• Helping Secure Anywhere Access: Windows 7 provides the appropriate security controls so that users can access the information they need to be productive whenever they need it, whether they are in the office or not.
• Protecting Users and Infrastructure: Windows 7 provides flexible security protection against malware and intrusions so that users can achieve their desired balance between security, control, and productivity.
• Protecting Data from Unauthorized Viewing: Windows 7 extends BitLocker Drive Encryption to help protect data stored on portable media (for example, USB Flash Drives and USB Portable Hard Drives) so that only authorized users can read the data, even if the media is lost, stolen, or misused.


Determining the AppLocker Rules

Key Points

The ability to control which applications a user, or set of users, can run offers significant increases in the reliability and security of enterprise desktops. Overall, an application lockdown policy can lower the total cost of computer ownership in an enterprise.

Windows 7 and Windows Server® 2008 R2 add Windows AppLocker. This new feature controls application execution and simplifies the ability to author an enterprise application lockdown policy. AppLocker addresses the growing need for application control solutions in the enterprise. It does this by providing a simple and flexible mechanism used by administrators to specify exactly what is allowed to run in their desktop environment.

AppLocker Rules

The ability to control what applications a user can run helps to prevent many problems. AppLocker provides this ability through the use of rules that specify exactly what applications a user is allowed to run, and that are resilient to application updates.

Creating Default AppLocker Rules

Many organizations are implementing standard user policies that enable users to log on to their computers only as a standard user. With Windows 7, this task became simpler. However, more independent software vendors (ISVs) are creating applications for each user that do not require administrative rights to be installed and can be installed and run in the user profile folder. As a result, standard users can install many applications and circumvent the application lockdown policy.

When AppLocker is enabled, only applications that are specified will be allowed to run. When you first create rules, AppLocker will prompt you to create the default rules. Default rules ensure that key Windows system files and all files in the Program Files directory are permitted to run for all users. While the default rules are not mandatory, it is recommended that you start with the default rules as a baseline and then edit them or create your own to ensure that Windows functions properly.


Creating Custom AppLocker Rules

Custom application rules can be created once the default rules are created. There are two methods of creating custom rules:

• Rules can be automatically generated for one of the rule types (executable rules, Windows installer rules, and script rules).
• A new rule can be manually created.

AppLocker Rule Behavior

If no AppLocker rules for a specific rule collection exist, all files with that file format are allowed to run. However, when an AppLocker rule for a specific rule collection is created, only the files explicitly allowed in a rule are permitted to run. For example, if you create an executable rule that allows .exe files in %SystemDrive%\FilePath to run, only executable files located in that path are allowed to run.

A rule can be configured to use either an allow or deny action:

• Allow: Specify which files are allowed to run in your environment and for which users or groups of users. Exceptions can be configured to identify files that are excluded from the rule.
• Deny: Specify which files are not allowed to run in your environment and for which users or groups of users. You can also configure exceptions to identify files that are excluded from the rule.

AppLocker Rule Conditions

Rule conditions are properties of files that AppLocker uses to enforce rules. Each AppLocker rule can use one primary rule condition. AppLocker supports the following rule conditions:

• Publisher: Can only be used for files that are digitally signed by a software publisher. This condition type uses the digital certificate (publisher name and product name) and properties of the file (file name and file version). This type of rule can be created for an entire product suite, which allows the rule in most cases to still be applicable when the application is updated.
• Path: Based on the file or folder path of where specific applications are installed.
• File hash: Based on the unique file hash that Windows cryptographically computes for each file. This condition type is unique, so each time that a publisher updates a file, you must create a new rule.

AppLocker Usage Scenarios

Application security scenarios addressed by AppLocker can be categorized as follows:

• Application inventory: AppLocker has the ability to enforce its policy in an audit-only mode where all application access activity is collected in event logs for further analysis.
• Protection against unwanted software: AppLocker has the ability to deny applications from running simply by excluding them from the list of allowed applications for each business group or user. If an application is not specifically identified by its publisher, installation path, or file hash, the attempt to run the application fails.
• Licensing conformance: AppLocker has the ability to inventory software usage within an organization so the software that corresponds to the organization’s software licensing agreements can be identified.
• Software standardization: AppLocker policies can be configured to allow by group only supported or approved applications to run.
• Manageability improvement: AppLocker policies can be modified and deployed through existing Group Policy infrastructure. As you manage ongoing change in support of a business group’s applications, modify policies and then test them for the expected results with the tools provided with AppLocker. Application control policies can also be designed for situations in which users share computers.

Considerations for Controlling Applications

Before implementing AppLocker, an organization must determine which applications it must control based on its business requirements. For example, an organization might need to control a limited number of applications because they access sensitive data, or exclude all applications except those sanctioned for business purposes. There might be certain departments that require strict control and others that promote independent application usage.

The following table provides possible answers to the question “Which applications do you need to control in your organization?”

Possible Answers | Design Considerations
Control all applications | AppLocker policies can be set to control applications by file type with a specific condition applied to the file type and a permission control on that condition. Exceptions are also possible. Application control can be global or specific. AppLocker policies can be only applied to applications running on Windows Server 2008 R2 and Windows 7 computers. If versions of Windows operating systems earlier than Windows Server 2008 R2 or Windows 7 are deployed, use Software Restriction Policies (SRP).
Control specific applications | AppLocker policies can be set to control applications by file type with a specific condition applied to the file type and a permission control on that condition. Exceptions are also possible. Application control can be specific.
Understand application usage but no need to control any applications yet | AppLocker policies can be set to audit application usage so you can understand your organization’s application usage for future policy implementation.
Control applications by business group and user | AppLocker policies can be set to control applications by executable file, publisher, or path for each business group or organizational unit.
Control applications by computer, not user | For organizational structures not based on a logical user structure, consider setting up that structure before beginning with AppLocker planning. Otherwise, identify users and their requirements with their corresponding computers.

Question: When testing AppLocker, you must carefully consider how to organize rules between linked GPOs. What do you do if a GPO does not contain the default AppLocker rules?
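The automatic rule generation, rule conditions, and rule behavior described above can also be exercised from the AppLocker PowerShell module included with Windows 7 and Windows Server 2008 R2. The following is an added example, not part of the courseware; the reference folder, output file, and probe file paths are placeholder assumptions.

```powershell
# Added example, not from the courseware. Run in an elevated PowerShell session.
Import-Module AppLocker

# Assumptions: placeholder paths, adjust for your environment.
$referenceDir = $env:ProgramFiles
$policyFile   = Join-Path $env:TEMP 'applocker-baseline.xml'
$probeFiles   = @(
    (Join-Path $env:windir 'System32\notepad.exe'),      # Windows system file
    (Join-Path $env:USERPROFILE 'Downloads\setup.exe')   # per-user location
)

function New-BaselinePolicy {
    param([string]$Directory, [string]$OutFile)

    # Inventory every executable under the reference folder.
    $info = Get-AppLockerFileInformation -Directory $Directory -Recurse -FileType Exe

    # Publisher condition for signed files (stays valid across updates);
    # File hash as the fallback for unsigned files (must be recreated
    # whenever the file changes).
    [xml]$xml = $info | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
                    -RuleNamePrefix 'Baseline' -Optimize -Xml

    # Mark each generated rule collection "Audit only" so that importing the
    # file logs what would be blocked without blocking anything yet.
    foreach ($collection in @($xml.AppLockerPolicy.RuleCollection | Where-Object { $_ })) {
        $collection.SetAttribute('EnforcementMode', 'AuditOnly')
    }
    $xml.Save($OutFile)
    return $OutFile
}

function Test-BaselinePolicy {
    param([string]$PolicyFile, [string[]]$Path)

    # Only files that exist on disk can be evaluated.
    $existing = @($Path | Where-Object { Test-Path $_ })
    if ($existing.Count -eq 0) { return }

    # PolicyDecision shows how each file would be treated; MatchingRule names
    # the rule responsible, if any.
    Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $existing -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

$file = New-BaselinePolicy -Directory $referenceDir -OutFile $policyFile
Test-BaselinePolicy -PolicyFile $file -Path $probeFiles
```

A file reported as DeniedByDefault matches no rule in its collection; if Windows system files show up that way, the policy is missing the default rules and should not be enforced as it stands.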


Demonstration: Configuring and Enforcing AppLocker Rules

Key Points

After creating new AppLocker rules, configure enforcement for the rule collections and refresh the computer’s policy. Enforcement is configured in the Local Security Policy console in the Configure Rule Enforcement area.

The following table outlines the three enforcement options for each rule type.

Enforcement mode | Description
Enforce rules with Group Policy inheritance | Default setting. If linked GPOs contain a different setting, that setting is used. If any rules are present in the corresponding rule collection, they are enforced.
Enforce rules | Rules are enforced.
Audit only | Rules are audited, but not enforced.

To view information about applications that are affected by AppLocker rules, use the Event Viewer. Each event in the AppLocker operational log contains detailed information such as the following:

• Which file is affected and the path of that file.
• Whether the file is allowed or blocked.
• The rule type: Path, File Hash, or Publisher.
• The rule name.
• The security identifier (SID) for the user that is targeted in the rule.

Review the entries in the log to determine if any applications are not included in the rules.
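The log review described above can be scripted so that the files not covered by any rule are summarized per user. This is an added example, not part of the courseware; it reads the two AppLocker operational logs with Get-WinEvent, and the function names Resolve-Sid and Get-AppLockerGap are illustrative.

```powershell
# Added example, not from the courseware. Reads the local AppLocker logs.
$logs = 'Microsoft-Windows-AppLocker/EXE and DLL',
        'Microsoft-Windows-AppLocker/MSI and Script'

# 8003 / 8006: file ran, but would be blocked if rules were enforced (Audit only).
# 8004 / 8007: file was blocked (rules enforced).
$outcomes = @{
    8003 = 'Audit: would be blocked'
    8006 = 'Audit: would be blocked'
    8004 = 'Blocked'
    8007 = 'Blocked'
}

function Resolve-Sid {
    param([string]$Sid)
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $Sid   # keep the raw SID when it cannot be resolved
    }
}

function Get-AppLockerGap {
    param([int]$Days = 7)

    $filter = @{
        LogName   = $logs
        Id        = [int[]]@($outcomes.Keys)
        StartTime = (Get-Date).AddDays(-$Days)
    }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # File, rule, and target user details sit in the UserData element.
            $d = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
            New-Object PSObject -Property @{
                Outcome    = $outcomes[[int]$_.Id]
                Collection = $d.PolicyName
                FilePath   = $d.FilePath
                Publisher  = $d.Fqbn
                User       = Resolve-Sid $d.TargetUser
            }
        } |
        Group-Object Outcome, Collection, FilePath, User |
        Sort-Object Count -Descending |
        ForEach-Object {
            $first = $_.Group[0]
            # Publisher conditions need a signed file; unsigned files
            # (Publisher field of "-") need a Path or File hash condition.
            if ($first.Publisher -and $first.Publisher -ne '-') { $cond = 'Publisher' }
            else { $cond = 'Path or File hash' }
            New-Object PSObject -Property @{
                Count      = $_.Count
                Outcome    = $first.Outcome
                Collection = $first.Collection
                FilePath   = $first.FilePath
                User       = $first.User
                Condition  = $cond
            } | Select-Object Count, Outcome, Collection, FilePath, User, Condition
        }
}

Get-AppLockerGap -Days 7 | Format-Table -AutoSize
```

Run it while the rule collections are set to Audit only; each row is a file that no allow rule covers, with the rule condition type that could cover it.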


Demonstration

This demonstration examines how to create the default AppLocker rules and a custom AppLocker rule.

Configure an Executable Rule

1. Open the Default Domain Policy for editing in the Group Policy Management Console.
2. Navigate to Computer Configuration/Policies/Windows Settings/Security Settings/Application Control Policies/AppLocker. In Group Policy Management Editor, open the Executable Rules.
3. Open the Create Executable Rules Wizard.
4. On the Permission page of the wizard, you can configure the action to deny or allow, and specify which users or groups are affected.
5. On the Conditions page of the wizard, you can select the rule condition: Publisher, Path, or File Hash. If you select Publisher, on the Publisher page, browse for a signed file and select it as the reference file. You can be very targeted and identify a specific version of a specific program from a specific publisher. You can use the slider bar to make the rule slightly less specific. If you select Path, then on the Path page, specify the file or folder path that this rule should affect. If you select File Hash, then on the File Hash page, select a file from which the file hash will be created.
6. After you select the rule condition, you can configure exceptions if necessary.
7. You can also enable the default rules at this point. In the AppLocker dialog box, click Yes.

Configure enforcement

• In the navigation tree, select AppLocker, and in the results pane, select Configure rule enforcement. In the AppLocker Properties dialog box, under Executable rules, select the Configured check box. Notice that you can select the option Audit only. This enables you to determine which applications users are running before you lock down the application environment.

Start services and refresh group policy

1. Start the Application Identity service. Without this service running on the client computer, AppLocker will not function correctly. You can use Group Policy to configure this service to automatically start.
2. Force a refresh of the group policy; sometimes you must refresh the policy twice.

Creating and testing a script rule

1. On the domain controller, navigate to C:\users\Public. Create and save a .vbs file in this folder.
2. Switch to Group Policy Management Editor. In the navigation tree, right-click Script Rules, and select Create New Rule.
3. Create a script rule that denies permissions to the Everyone group. Use a file hash and browse and locate the script file you just created. Activate the default rules when prompted.
4. On the client computer, force a refresh of the group policy.
5. On the client computer, at the command prompt, specify the path to the script file and press ENTER.

Question: What are the advantages of using a publisher rule for executable AppLocker rules?


Determining the BitLocker Settings

Key Points

Windows BitLocker Drive Encryption offers protection for the entire Windows operating system drive, in addition to fixed and removable data drives, by encrypting the drive and locking it so that it can only be unlocked when the proper keys are provided. BitLocker ensures that data stored on a computer remains encrypted, even if the computer is tampered with when the operating system is not running. BitLocker provides a closely integrated solution in Windows 7 to address the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned personal computers.

BitLocker in Windows 7

The core functionality in Windows 7 BitLocker now includes enhancements that range from the ability to right-click a drive to enable BitLocker protection to the automatic creation of the required hidden boot partition.

Using BitLocker To Go with Removable Drives

With the increased use of removable storage devices, data can be lost without the loss of a PC. BitLocker To Go provides enhanced protection against data theft and exposure by extending BitLocker drive encryption support to removable storage devices such as USB flash drives, and is manageable through Group Policy.

BitLocker Modes

BitLocker can run on two types of computers:

• Those that are running Trusted Platform Module (TPM) version 1.2x.
• Those without TPM version 1.2 that have a removable Universal Serial Bus (USB) memory device.


Computers with TPM Version 1.2

When BitLocker is used to encrypt the Windows operating system drive, a Trusted Platform Module (TPM) version 1.2 hardware component can be used by BitLocker to validate that the boot components, such as the system BIOS, the hardware profile, and the operating system, have not been modified from the configuration that was present when the drive was locked. A TPM is a microchip that stores keys, passwords, and digital certificates. It typically is affixed to the motherboard of a computer.

Computers without TPM version 1.2

By default, BitLocker is configured to search for and use a TPM. Group Policy can be used to allow BitLocker to work without a TPM and store keys on an external USB flash drive; however, BitLocker cannot then verify the early startup features.

If a TPM is not present on the computer, the operating system drive may be encrypted by using an encryption key that is stored on removable media, such as a USB flash drive, which must then be present every time the drive is unlocked.

Unlocking BitLocker-protected drives

When a BitLocker-protected drive is inserted into a computer, Windows automatically detects that the drive is encrypted and prompts the user to unlock it. The BitLocker unlock method that is chosen must be based on the most likely usage scenario and the security needs of the drive being protected.

Considerations for Configuring BitLocker Settings

You must take into account a variety of considerations to effectively implement BitLocker. The following sections examine these issues.

Special Considerations When Using BitLocker To Go

When a BitLocker-protected removable drive is unlocked on a computer running Windows 7, the drive is automatically recognized and the user is either prompted for credentials to unlock the drive or the drive is unlocked automatically if configured to do so. Computers running Windows XP or Windows Vista® do not automatically recognize that the removable drive is BitLocker protected. To allow users of these operating systems to read content from BitLocker-protected removable drives if the drive is formatted by using the FAT file system, an additional FAT32 drive is created that is hidden on computers running Windows 7 but is visible on computers running Windows XP or Windows Vista. This hidden drive is called the discovery drive.

Methods for Unlocking BitLocker-Protected Drives

The following table provides a reference to the different unlock methods available for each drive.

Drive Type | Unlock Methods
Operating System Drives | TPM; TPM+PIN; TPM+startup key; TPM+PIN+startup key; Startup key
Fixed and Removable Data Drives | Password; Smart card; Automatic unlocking
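To see which of the unlock methods in the table above are actually configured on each volume of a computer, the BitLocker WMI provider can be queried. This is an added example, not part of the courseware; it uses the Win32_EncryptableVolume class, and the function name and the wording of the protector labels are illustrative.

```powershell
# Added example, not from the courseware. Requires an elevated session on an
# edition of Windows that includes BitLocker.
$namespace = 'root\CIMV2\Security\MicrosoftVolumeEncryption'

# KeyProtectorType codes returned by GetKeyProtectorType, labeled with the
# unlock-method names from the table where one applies (labels are this
# example's own wording).
$protectorNames = @{
    1 = 'TPM'
    2 = 'External key (startup key, recovery key, or automatic unlocking)'
    3 = 'Recovery password'
    4 = 'TPM+PIN'
    5 = 'TPM+startup key'
    6 = 'TPM+PIN+startup key'
    7 = 'Certificate (smart card or data recovery agent)'
    8 = 'Password'
}

$statusNames = @{ 0 = 'Off'; 1 = 'On'; 2 = 'Unknown (volume locked)' }

function Get-BitLockerProtectorReport {
    $volumes = Get-WmiObject -Namespace $namespace -Class Win32_EncryptableVolume -ErrorAction Stop

    foreach ($vol in @($volumes | Where-Object { $_ })) {
        # Passing 0 asks for the protectors of every type on the volume.
        $ids = @($vol.GetKeyProtectors(0).VolumeKeyProtectorID | Where-Object { $_ })

        $types = @($ids | ForEach-Object {
            [int]$vol.GetKeyProtectorType($_).KeyProtectorType
        })

        $names = @($types | ForEach-Object {
            if ($protectorNames.ContainsKey($_)) { $protectorNames[$_] }
            else { "Type $_" }
        })

        $status = [int]$vol.GetProtectionStatus().ProtectionStatus

        New-Object PSObject -Property @{
            Drive            = $vol.DriveLetter
            Protection       = $statusNames[$status]
            Protectors       = ($names -join '; ')
            RecoveryPassword = ($types -contains 3)
        } | Select-Object Drive, Protection, Protectors, RecoveryPassword
    }
}

Get-BitLockerProtectorReport | Format-List
```

A volume that reports Protection On with RecoveryPassword False has no recovery password protector, so check that another recovery method is in place for it.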


Preparing to Deploy Windows 7 BitLocker Drive Encryption

Before deploying BitLocker Drive Encryption in your organization, it is recommended that you create a deployment plan that covers the essential supporting infrastructure for BitLocker. Having this infrastructure in place will help users become more confident in their use of BitLocker on their removable drives, desktop computers, and mobile computers. This will enable users to understand why BitLocker provides protection for their computers, how to enable BitLocker, and that drives protected by BitLocker can be accessed through administrative methods if a problem occurs.

Question: What is the advantage of encrypting the Windows operating system drive when a TPM microchip is installed on the computer?


Demonstration: Configuring BitLocker Settings

Key Points

In Windows 7, BitLocker can be enabled from either System and Settings in Control Panel or by right-clicking the volume to be encrypted. This initiates the BitLocker Setup Wizard, and the BitLocker Drive Preparation tool validates system requirements. During the preparation phase, the second partition is created if it does not already exist.

IT professionals can manage BitLocker by using the BitLocker control panel, accessible from the Security item in the Windows 7 Control Panel. A command-line management tool, manage-bde.wsf, is also available to perform scripting functionality remotely.

Once the volume is encrypted and protected with BitLocker, local and domain administrators can use the Manage Keys page in the BitLocker control panel to duplicate keys and reset the PIN.

Turning on BitLocker with TPM Management

The BitLocker control panel displays BitLocker’s status and provides the functionality to enable or disable BitLocker. If BitLocker is actively encrypting or decrypting data due to a recent installation or uninstall request, the progress status appears. IT professionals can also use the BitLocker control panel to access the TPM Microsoft Management Console (MMC).

By turning on BitLocker, the operating system volume becomes encrypted and a recovery password unique to the volume is created. No change will be evident the next time the user logs on. If the TPM ever changes or cannot be accessed, if there are changes to key system files, or if someone tries to start the computer from a product CD or DVD to circumvent the operating system, the computer will switch to recovery mode until the recovery password is supplied.

Turning on BitLocker without TPM Management

BitLocker Drive Encryption can be turned on without a TPM. Instead of a TPM, a startup key must be used for user authentication. The startup key is located on a USB flash drive inserted into the computer before the computer is turned on.


Configuring BitLocker To Go

Consider the following scenario. An administrator configures Group Policy to require that data can only be saved on data volumes protected by BitLocker. Meanwhile, an end user inserts a USB flash drive. Since the USB flash drive is not protected with BitLocker, Windows 7 displays an informational dialog indicating that the device must be encrypted with BitLocker. From this dialog, the user chooses to launch the BitLocker Wizard to encrypt the volume or continues working with the device as read-only.

Configuring Group Policy Settings for BitLocker

BitLocker in Windows 7 introduces several new Group Policy settings that permit straightforward feature management. For example, administrators are able to:

• Require that all removable drives be BitLocker-protected before data can be saved on them.
• Require or disallow specific methods for unlocking BitLocker-protected drives.
• Configure methods to recover data from BitLocker-protected drives if the user’s unlock credentials are not available.
• Require or prevent different types of recovery password storage, or to make them optional.
• Prevent BitLocker from being enabled if the keys cannot be backed up to Active Directory.

Demonstration

This demonstration examines how to configure BitLocker settings. The virtual environment does not provide for a TPM platform. Consequently, the demonstration will show the settings, but they will not be changed.

Open the Local Policy

• On the client computer, start the Local Group Policy Editor and open the BitLocker Drive Encryption policy by navigating to Computer Configuration/Administrative Templates/Windows Components/BitLocker Drive Encryption.

View BitLocker policies

1. Select the Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista).
2. In the results pane, select Choose drive encryption method and cipher strength. This setting enables you to configure the algorithm used to encrypt specified drives.
3. In the results pane, select Operating System Drives.
4. In the results pane, select the Choose how BitLocker-protected operating system drives can be recovered setting. This setting enables you to define the way in which operating system drives can be recovered in the absence of key information; for example, you can specify that a data recovery agent can be used in these circumstances. Close Local Group Policy Editor.


Demonstration: Determining and Configuring the UAC Settings

Key Points

There are two general types of user groups in Windows 7: standard users and administrative users. User Account Control (UAC) simplifies a user’s ability to run as a standard user and perform all of his or her necessary daily tasks. Administrative users also benefit from UAC because administrative privileges are available only after UAC requests permission from the user for that instance.

There are 10 Group Policy settings that can be configured for User Account Control. The following sections identify the different UAC group policy settings and provide recommendations and considerations.

These policy settings are located in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options in the Group Policy Editor.

User Account Control: Admin Approval Mode for the Built-In Administrator Account

This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. The options are:

• Enabled
• Disabled

By default, this setting is set to Disabled, which means that users who log on with the Administrator account have full permissions on the system. In general, it is recommended that the default Administrator account not be used. Organizations that need to enable the Administrator account can add security by enabling this policy setting.

User Account Control: Allow UIAccess Applications to Prompt for Elevation Without Using the Secure Desktop

This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user.


UIA programs are designed to interact with Windows and application programs on behalf of a user. This policy setting allows UIA programs to bypass the secure desktop to increase usability in certain cases; however, allowing elevation requests to appear on the interactive desktop instead of the secure desktop can increase your security risk.

User Account Control: Only Elevate UIAccess Applications That Are Installed in Secure Locations

This policy setting disables the requirement to be run from a protected path. While this policy setting applies to any UIA program, it is primarily used in certain remote assistance scenarios, including the Windows Remote Assistance program in Windows 7.

User Account Control: Behavior of the Elevation Prompt for Administrators in Admin Approval Mode

This policy setting controls the behavior of the elevation prompt for administrators.

The default setting provides a balance between security and usability. To improve security, you can require that administrators provide a user name and password to elevate permissions. Alternatively, you can choose to eliminate the prompt altogether.

User Account Control: Behavior of the Elevation Prompt for Standard Users

This policy setting controls the behavior of the elevation prompt for standard users.

User Account Control: Detect Application Installations and Prompt for Elevation

This policy setting controls the behavior of application installation detection for the computer.

When users attempt to install an application, Windows 7 automatically attempts to elevate privileges. This is a useful feature, because most setup and installation programs require access to the file system and other protected areas of the computer. The default setting for consumer-focused editions of Windows 7 is for this option to be enabled. This means that users automatically see an elevation.

User Account Control: Only Elevate Executables That Are Signed and Validated

This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local computers.

One important potential security risk related to working with applications and software is in trusting the publisher of the application. Malware could easily create a new executable or shortcut that appears to be a familiar application (such as Microsoft Word), but that actually launches malicious code that could damage the system. One way to validate a program is to use a method based on Public Key Infrastructure (PKI) technology. This method allows trusted third parties to validate whether the publisher of the software is who it claims to be.

User Account Control: Only elevate UIAccess Applications That Are Installed in Secure Locations

This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system.

Some applications must run with elevated privileges on Windows 7. Developers of these applications can create a setting that instructs the operating system to prompt for elevated privileges automatically whenever the program is launched. One potential problem is for malware (such as programs downloaded from the Internet) to request full permissions and then make undesired changes to the system. This setting specifies that only applications that are located within known secure file system locations (such as the Program Files folder and subfolders of the Windows folder) are able to request elevation. This helps ensure that only properly installed programs are able to run with elevated permissions. The setting can be disabled, although this will reduce overall security.

User Account Control: Run All Administrators in Admin Approval Mode

This policy setting controls the behavior of all UAC policy settings for the computer. Modifying this setting requires a computer restart before the setting becomes effective.

Consider this setting a “master switch” that determines whether UAC is enabled on the local computer. The status of this setting corresponds to the Turn User Account Control (UAC) On Or Off setting in Control Panel. When this setting is Disabled, Admin Approval Mode, file system and registry virtualization, and all related settings are effectively disabled. It is important to consider that the other settings might appear to be properly configured, but they do not have any effect when this setting is disabled.

When this setting is disabled and UAC is turned off, all local administrators are automatically logged on with a full administrative access token. Disabling this setting causes Windows 7 to revert to the Windows XP user model. Because Windows 7 includes folder and registry virtualization for applications that are not UAC compliant by default, it is unnecessary to turn UAC off even when some applications that are incompatible with UAC recommend it. Turning UAC off opens a computer to system-wide malware installations.

User Account Control: Switch to the Secure Desktop When Prompting for Elevation

This policy setting controls whether the elevation request prompt is displayed on the interactive user’s desktop or the secure desktop.

One method that malware authors have at their disposal is the possibility of tricking a user into providing sensitive information to a program. For example, a program can be designed to appear very similar to the standard UAC elevation prompt. A user might provide a user name and password for privilege escalation, but the application itself is recording or sending this information elsewhere.

User Account Control: Virtualize file and Registry Write Failures to Per-User Locations

This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software.

This setting provides compatibility with legacy applications that request direct access to the file system or to the registry. When a program attempts to perform one of these actions, Windows 7 automatically redirects the request to a safe, virtual location. The benefit is that applications that are not UAC compatible can still run successfully in Windows 7, but all write operations occur safely. When this setting is disabled, earlier applications are prevented from directly writing to file system and registry locations. In most cases, this means that the applications fail to run correctly. This Group Policy setting is unnecessary and can be disabled if an organization only uses UAC-compatible applications.

Demonstration

This demonstration examines two of the UAC group policy settings in the Local Group Policy Editor.

Create a UAC Group Policy Setting Preventing Access Elevation

1. On the client computer, open the Local Group Policy Editor.
2. Navigate to Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options.


3. In the results pane, configure the User Account Control: Behavior of the elevation prompt for standard users setting by selecting the Automatically deny elevation requests option to ensure that the elevation requests are not presented to the standard user.

Create a UAC Group Policy Setting Prompting for Credentials for administrator users

1. On the client computer, open the Local Group Policy Editor.
2. Navigate to Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options.
3. In the results pane, configure the User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode setting by selecting the Prompt for credentials option to ensure that when an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password.
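The UAC policy settings described in this topic are stored as registry values, so a computer's UAC posture can be audited without opening the editor, including the "master switch" case in which the other settings look correct but have no effect. The PowerShell below is an added example, not part of the course material; the registry value names are the documented backing values for these policies, which the course text does not list, and the sample hashtable is constructed.

```powershell
# Added example, not from the course material.
# Registry key that backs the UAC policies under Security Options.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# One entry per UAC policy: backing value name, data treated as weak here, and why.
# An empty Weak list means the value is reported but never flagged.
$UacChecks = @(
    @{ Policy = 'Run all administrators in Admin Approval Mode'; Name = 'EnableLUA'; Weak = @(0); Why = 'UAC master switch is off' },
    @{ Policy = 'Admin Approval Mode for the built-in Administrator account'; Name = 'FilterAdministratorToken'; Weak = @(); Why = '' },
    @{ Policy = 'Behavior of the elevation prompt for administrators'; Name = 'ConsentPromptBehaviorAdmin'; Weak = @(0); Why = 'elevates without prompting' },
    @{ Policy = 'Behavior of the elevation prompt for standard users'; Name = 'ConsentPromptBehaviorUser'; Weak = @(); Why = '' },
    @{ Policy = 'Switch to the secure desktop when prompting for elevation'; Name = 'PromptOnSecureDesktop'; Weak = @(0); Why = 'prompt is shown on the interactive desktop' },
    @{ Policy = 'Allow UIAccess applications to prompt without the secure desktop'; Name = 'EnableUIADesktopToggle'; Weak = @(1); Why = 'UIA programs can disable the secure desktop' },
    @{ Policy = 'Only elevate UIAccess applications installed in secure locations'; Name = 'EnableSecureUIAPaths'; Weak = @(0); Why = 'UIAccess allowed from any path' },
    @{ Policy = 'Only elevate executables that are signed and validated'; Name = 'ValidateAdminCodeSignatures'; Weak = @(); Why = '' },
    @{ Policy = 'Detect application installations and prompt for elevation'; Name = 'EnableInstallerDetection'; Weak = @(); Why = '' },
    @{ Policy = 'Virtualize file and registry write failures'; Name = 'EnableVirtualization'; Weak = @(); Why = '' }
)

# Read the values that exist on the local computer into a hashtable.
function Get-UacPolicyValues {
    $props = Get-ItemProperty -Path $UacKey
    $found = @{}
    foreach ($c in $UacChecks) {
        $p = $props.PSObject.Properties[$c.Name]
        if ($p) { $found[$c.Name] = $p.Value }
    }
    $found
}

# Evaluate a hashtable of value name -> data against the checks above.
function Test-UacPolicy {
    param([hashtable]$Values)
    # When EnableLUA is 0, the remaining settings do not take effect.
    $masterOff = ($Values.ContainsKey('EnableLUA') -and $Values['EnableLUA'] -eq 0)
    foreach ($c in $UacChecks) {
        $data = $null
        if (-not $Values.ContainsKey($c.Name)) {
            $status = 'NOT SET'
        } else {
            $data = $Values[$c.Name]
            if ($c.Weak -contains $data) { $status = 'WEAK: ' + $c.Why }
            elseif ($masterOff)          { $status = 'NO EFFECT (EnableLUA=0)' }
            else                         { $status = 'OK' }
        }
        New-Object PSObject -Property @{
            Policy = $c.Policy; Value = $c.Name; Data = $data; Status = $status
        }
    }
}

# Constructed sample: the two demonstration settings are applied
# (standard users auto-denied = 0, administrators prompted for credentials = 1),
# but the master switch has been turned off.
$sample = @{
    EnableLUA = 0; ConsentPromptBehaviorUser = 0; ConsentPromptBehaviorAdmin = 1
    PromptOnSecureDesktop = 1; EnableSecureUIAPaths = 1; EnableUIADesktopToggle = 0
}
Test-UacPolicy -Values $sample | Format-Table Value, Data, Status -AutoSize

# On a live computer, audit the real values instead:
# Test-UacPolicy -Values (Get-UacPolicyValues) | Format-Table Value, Data, Status -AutoSize
```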


Determining the Firewall Rules and Settings

Key Points

A firewall is software or hardware that checks information coming from the Internet or a network, and then either blocks it or allows it to pass through to a computer. Firewalls provide the following network safeguards:

• Prevent hackers or malicious software from gaining access to the computer through a network or the Internet.
• Help stop a computer from sending malicious software to other computers.
• Protect computers and networks, although no firewall makes a computer completely impenetrable to an attack.
• Make computers less attractive to attackers by creating barriers that make it difficult for attackers to get into the computer.

Firewall Types

The two main firewall types are network firewalls and host-based firewalls. Network firewalls are located at the network’s perimeter, and host-based firewalls are located on individual hosts within the network.

Network Perimeter Firewalls

Network perimeter firewalls are either hardware-based, software-based, or a combination of both and provide a variety of services, including the following:

• Management and control of network traffic
• Stateful connection analysis
• Virtual private network (VPN) gateway functionality


Host-Based Firewalls

Network perimeter firewalls cannot provide protection for traffic generated inside a trusted network. For this reason, host-based firewalls that run on individual computers are needed. Host-based firewalls, such as Windows Firewall with Advanced Security, protect a host from unauthorized access and attack, and can often be configured to block specific types of outgoing traffic. Host-based firewalls provide an extra layer of security in a network and function as integral features in a complete defense strategy.

Windows Firewall with Advanced Security

Windows Firewall with Advanced Security in Windows 7, Windows Vista, Windows Server 2008 R2, and Windows Server 2008 is a stateful, host-based firewall that filters incoming and outgoing connections based on its configuration. While typical end-user configuration of Windows Firewall still takes place through the Windows Firewall Control Panel, advanced configuration now takes place in a Microsoft Management Control (MMC) snap-in named Windows Firewall with Advanced Security.

Considerations When Planning Basic Firewall Policy Settings

After identifying requirements and collecting information about the network layout, begin designing the GPO settings and rules that enable enforcement of a firewall policy. Rules can be created for either inbound traffic or outbound traffic. The rule can be configured to specify the computers or users, program, service, or port and protocol. You can specify which type of network adapter the rule will be applied to: local area network (LAN), wireless, remote access, such as a virtual private network (VPN) connection, or all types. You can also configure the rule to be applied when any profile is being used or only when a specified profile is being used. As your IT environment changes, you might have to change, create, disable, or delete rules.

The following sections identify several important considerations that must be taken into account when creating firewall rules and configuring firewall settings.

Firewall Rule Priority

Because rules can be created that conflict with one another, it is important to consider the order in which rules are processed when creating firewall rules.

1. Authenticated bypass: These are rules in which the Override block rules option is selected. These rules allow matching network traffic that is otherwise blocked. The network traffic must be authenticated by using a separate connection security rule. You can use these rules to permit access to the computer to authorized network administrators and authorized network troubleshooting devices.
2. Block connection: These rules block all matching inbound network traffic.
3. Allow connection: These rules allow matching inbound network traffic. Because the default behavior is to block unsolicited inbound network traffic, you must create an allow rule to support any network program or service that must be able to accept inbound connections.
4. Default profile behavior: The default behavior is to block unsolicited inbound network traffic, but to allow all outbound network traffic. You can change the default behavior on the Domain Profile, Private Profile, and Public Profile tabs of the Windows Firewall with Advanced Security Properties dialog box.

Once a network packet matches a rule, that rule is applied, and processing stops. For example, an arriving network packet is first compared to the authenticated bypass rules. If it matches one, that rule is applied and processing stops. The packet is not compared to the block, allow, or default profile rules. If the packet does not match an authenticated bypass rule, then it is compared to the block rules. If it matches one, the packet is blocked, and processing stops, and so on.
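The processing order above can be checked against a conflicting rule set before the rules are deployed. The PowerShell below is an added example that models that order; it is not code from the course or from Windows Firewall. The rule and packet fields are hypothetical names for this sketch, the rule set is constructed, and matching is reduced to protocol, port, and whether IPsec authenticated the traffic.

```powershell
# Added example: simplified model of the inbound rule priority described above.
# Field names (OverrideBlock, RequireAuth, Authenticated) are hypothetical.

function New-FwRule {
    param([string]$Name, [string]$Action, [string]$Protocol, [int]$Port = 0,
          [switch]$OverrideBlock, [switch]$RequireAuth)
    New-Object PSObject -Property @{
        Name = $Name; Action = $Action; Protocol = $Protocol; Port = $Port
        OverrideBlock = [bool]$OverrideBlock; RequireAuth = [bool]$RequireAuth
    }
}

function New-FwPacket {
    param([string]$Protocol, [int]$Port = 0, [switch]$Authenticated)
    New-Object PSObject -Property @{
        Protocol = $Protocol; Port = $Port; Authenticated = [bool]$Authenticated
    }
}

function Test-RuleMatch {
    param($Rule, $Packet)
    if ($Rule.Protocol -ne $Packet.Protocol) { return $false }
    # Port 0 on a rule means "any port".
    if ($Rule.Port -ne 0 -and $Rule.Port -ne $Packet.Port) { return $false }
    # Bypass rules and "allow if secure" rules match authenticated traffic only.
    if (($Rule.OverrideBlock -or $Rule.RequireAuth) -and -not $Packet.Authenticated) {
        return $false
    }
    return $true
}

function Resolve-InboundVerdict {
    param($Rules, $Packet, [string]$DefaultInbound = 'Block')
    # Tiers are tried in priority order; the first matching rule ends processing.
    $tiers = @(
        @{ Label = 'Authenticated bypass'; Filter = { $_.Action -eq 'Allow' -and $_.OverrideBlock } },
        @{ Label = 'Block connection';     Filter = { $_.Action -eq 'Block' } },
        @{ Label = 'Allow connection';     Filter = { $_.Action -eq 'Allow' -and -not $_.OverrideBlock } }
    )
    foreach ($tier in $tiers) {
        $hit = $Rules | Where-Object $tier.Filter |
               Where-Object { Test-RuleMatch $_ $Packet } | Select-Object -First 1
        if ($hit) {
            return New-Object PSObject -Property @{
                Verdict = $hit.Action; Tier = $tier.Label; Rule = $hit.Name
            }
        }
    }
    New-Object PSObject -Property @{
        Verdict = $DefaultInbound; Tier = 'Default profile behavior'; Rule = '(none)'
    }
}

# Constructed rule set with a deliberate conflict on TCP 3389 (Remote Desktop).
$rules = @(
    (New-FwRule -Name 'Allow RDP'        -Action Allow -Protocol TCP -Port 3389),
    (New-FwRule -Name 'Block RDP'        -Action Block -Protocol TCP -Port 3389),
    (New-FwRule -Name 'Admin RDP bypass' -Action Allow -Protocol TCP -Port 3389 -OverrideBlock),
    (New-FwRule -Name 'Allow ping'       -Action Allow -Protocol ICMPv4 -RequireAuth)
)

# Constructed packets: the same traffic with and without IPsec authentication.
$packets = @(
    (New-FwPacket -Protocol TCP -Port 3389),
    (New-FwPacket -Protocol TCP -Port 3389 -Authenticated),
    (New-FwPacket -Protocol ICMPv4),
    (New-FwPacket -Protocol ICMPv4 -Authenticated)
)

foreach ($p in $packets) {
    $v = Resolve-InboundVerdict -Rules $rules -Packet $p
    '{0,-7} port {1,-5} auth={2,-6} -> {3,-6} [{4}: {5}]' -f `
        $p.Protocol, $p.Port, $p.Authenticated, $v.Verdict, $v.Tier, $v.Rule
}
```

In this model the plain "Allow RDP" rule never decides a packet, because the block rule for the same port is evaluated first; only the authenticated bypass rule reaches Remote Desktop.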


Configuring Inbound Rules

Inbound rules explicitly allow, or explicitly block, inbound network traffic that matches the criteria in the rule. For example, you can configure a rule to explicitly allow traffic secured by IPsec for Remote Desktop through the firewall, but block the same traffic if it is not secured by IPsec.

Configuring Outbound Rules

Outbound rules explicitly allow, or explicitly block, network traffic originating from the computer that matches the criteria in the rule. For example, you can configure a rule to explicitly block outbound traffic to a computer (by IP address) through the firewall, but allow the same traffic for other computers.

Configuring Connection Security Rules

Firewall rules and connection security rules are complementary, and both contribute to a defense-in-depth strategy to help protect your computer. Connection security rules secure traffic by using IPsec while it crosses the network. Use connection security rules to specify that connections between two computers must be authenticated or encrypted.

Configuring Program or Service Settings

To add a program to a firewall rule, you must specify the full path to the executable (.exe) file used by the program. A system service that runs within its own unique .exe file and is not hosted by a service container is considered to be a program and can be added to the rules list. In the same way, a program that behaves like a system service and runs whether or not a user is logged on to the computer is also considered a program, as long as it runs within its own unique .exe file.

Configuring Port and Protocol Settings

In some cases, if you cannot add a program or system service to the rules list, you must determine which port or ports the program or system service uses, and then add the port or ports to the Windows Firewall with Advanced Security rules list. When you add a port to the rules list, you must specify the protocol and port number. When creating a custom rule, you can specify any protocol number and port number. When creating a port rule, you can specify TCP and UDP ports only.

Configuring User or Computer Settings

You can configure the firewall rule to be applied only if specified users or groups request a connection or if a specified computer or group of computers request a connection. These settings will be added to any other restrictions you have specified for the rule.

Configuring Scope Settings

You can configure the firewall rule to be applied only if the Internet Protocol version 4 (IPv4) or Internet Protocol version 6 (IPv6) addresses match specified local and remote addresses. You can also specify groups of computers by IP subnet address, IP address range, or keyword (WINS computers, for example); however, you cannot specify an Active Directory group.

Configuring Advanced Settings

You usually configure Windows Firewall with Advanced Security on a global basis. For example, when you turn on Windows Firewall with Advanced Security, it is enabled on all of the network connections that already exist on your computer and all network connections that you create on your computer. Likewise, when you create a rule, the rule applies to all network connections that already exist on the computer and all network connections that you create on the computer.

Question: Why are host-based firewalls that run on individual computers needed in an organization?


Demonstration: Configuring Firewall Settings

Key Points

In Windows 7, basic firewall information is centralized in Control Panel in the Network and Sharing Center and System and Security.

• In System and Security, basic Windows Firewall settings can be configured and the Action Center can display notifications for firewall alerts.
• In the Network and Sharing Center, all types of network connections can be configured, such as changing the network location profile.

Network Location Profiles

The first time that a computer connects to a network, users must select a network location. This automatically sets appropriate firewall and security settings for that type of network. When users are connecting to networks in different locations, choosing a network location can help ensure that the computer is always set to an appropriate security level. Administrators must take into account the following considerations for each of the available network location profiles:

• Home or work (private) networks: Network Discovery is turned on. Computers on a home network can belong to a HomeGroup.
• Domain networks: Network Discovery is turned on. HomeGroup is not available.
• Public networks: Network Discovery is turned off. HomeGroup is not available.

Firewall Exceptions

When a program is added to the list of allowed programs or a firewall port is opened, that program is allowed to send information to or from the computer. Continuing with the scenario from the previous topic, allowing a program to communicate through a firewall is like unlocking a door in the firewall. Each time the door is opened, the computer becomes less secure.


Multiple Active Firewall Policies

In previous versions of Windows, only one firewall profile can be active at once. If multiple profiles exist, Windows Firewall enforces the most restrictive profile. When remote users try to connect through a VPN, a cumbersome workaround is required. An administrator must deploy multiple firewall rules for the same application. One profile is designed for a public profile and one is designed for a private profile, with both restricted to their corresponding VPN interface type.

Windows Firewall Notifications

In addition to the notification setting available when Windows Firewall is turned on or off, firewall notifications can be displayed in the taskbar. In the All Control Panel Items area of Control Panel, click Notification Area Icons. Alternatively, click the up arrow in the taskbar and then click Customize. Select the firewall icon and then choose the desired behavior:

• Show icon and notifications
• Hide icon and notifications
• Only Show notifications

Windows Firewall with Advanced Security Rules

Rules are a collection of criteria that define which traffic is allowed, blocked, or secured with the firewall. The following types of rules can be configured:

• Inbound
• Outbound
• Connection Security

Monitoring

Windows Firewall uses the monitoring interface to display information about current firewall rules, connection security rules, and security associations. The Monitoring overview page displays which profiles are active (domain, private, or public) and the settings for the active profiles.

Demonstration

This demonstration examines how to configure Windows Firewall with Advanced Security by using Group Policy settings.

Configure an Inbound Rule

1. From the LON-DC1 virtual machine ping lon-cl1.
2. Log on to the client computer as Contoso\Administrator and open the Local Group Policy Editor.
3. Open the Local Group Policy Editor, and navigate to Computer Configuration/Windows Settings/Security Settings/Windows Firewall with Advanced Security/Windows Firewall with Advanced Security – Local Group Policy Object. In the navigation tree choose to create a new rule.
4. Create a new custom rule called “allow ping” that allows ICMPv4 packets for all profiles.
5. Switch to the LON-DC1 virtual machine and verify that you can now ping lon-cl1.
6. Switch to the LON-CL1 computer and modify the properties of the Allow Ping rule. On the General page select Allow the connection if it is secure.
7. Switch to the LON-DC1 virtual machine and verify that you cannot ping LON-CL1. You can see that ping is now prevented again because there is no way to authenticate.


Configure a connection security rule

1. Switch to the LON-CL1 computer.
2. In Local Group Policy Editor, in the navigation tree, select Connection Security Rules.
3. Create a new custom security rule that Requests authentication for inbound and outbound connections. Specify that the rule applies only to ICMPv4 traffic, and that the default authentication mechanism be used. The rule should apply to all profiles. Call the rule “Authenticate ping”.
4. Switch to the LON-DC1 computer. Open the Local Group Policy Editor, and navigate to Computer Configuration/Windows Settings/Security Settings/Windows Firewall with Advanced Security/Windows Firewall with Advanced Security – Local Group Policy Object and then repeat steps 2 and 3.
5. Try to ping LON-CL1. You can see that ping is now enabled again because of the connection security rule. Close all open windows.

Monitoring the rules

1. Switch to the LON-CL1 computer. Open Windows Firewall with Advanced Security and navigate to Monitoring/Security Associations/Main Mode. You can see that the two computers are authenticating with Computer (Kerberos V5) authentication. Select Quick Mode. You can see that the protocol being used is ICMPv4.
2. Close all open windows.

Question: What can you use to configure authentication besides the Connection Security Rules?


Demonstration: Determining and Configuring Windows Defender Settings

Key Points

Windows Defender helps protect computers from spyware and malicious software. Although it is not anti-virus software, Windows Defender offers three ways to help keep spyware from infecting the computer:

• Real-time protection (RTP) is the mechanism that actively monitors for malware and alerts you when potentially unwanted software attempts to install itself or run on the computer. It also alerts you when programs attempt to change important Windows settings.
• The SpyNet community helps you see how other people respond to software that is not yet classified for risks. When you participate in this community, your choices are added to the community ratings to help other people choose what to do.
• Scanning options are used to scan for unwanted software on the computer, to schedule scans on a regular basis, and to automatically remove any malicious software that is detected during a scan.

Windows Defender Overview

When Windows Defender is opened from the Control Panel, the Home page displays current notifications, the status of the last scan, when the next scan is scheduled, if real-time protection is on or off, and when the antispyware definitions were last updated (including the version).

Antispyware Definitions

Antispyware definitions are files that act like an ever-growing encyclopedia of potential software threats. Windows Defender uses definitions to determine if software it detects is unwanted and to alert you to potential risks. To help keep definitions up-to-date, Windows Defender works with Windows Update to automatically install new definitions as they are released. Windows Defender can be set to make online checks for updated definitions before scanning. Alternatively, you can manually check for definition updates by clicking the arrow next to the Help icon and then clicking Check for updates.


Scan Options

In Windows Defender, run a quick, full, or custom scan. If it is suspected that spyware has infected a specific area of the computer, customize a scan by selecting specific drives and folders.

Group Policy Settings for Windows Defender

The following Group Policy settings can be configured for Windows Defender. These settings are located in Computer Configuration\Administrative Templates\Windows Components\Windows Defender in the Group Policy Editor.

• Turn on definition updates through both WSUS and Windows Update: The signatures stored within definition files help Windows Defender detect spyware. Periodically, Microsoft releases new definition files, which contain new signatures. The Check for New Signatures Before Scheduled Scans policy setting controls when Windows Defender checks for new signatures. More often, corporate networks distribute operating system updates using Windows Server Update Service (WSUS). Additionally, WSUS is capable of distributing definition files used by Windows Defender.

The Turn on definition updates through both WSUS and Windows Update policy setting controls how Windows Defender retrieves new definition files. When enabled, this setting allows corporate computers to retrieve new definition files from Windows Update when an attempt to use the corporate WSUS server fails. This is especially useful for laptop computers, which are often disconnected from corporate networks.

You can configure the Automatic Updates client to connect to the Windows Update Web site or to a locally managed WSUS server. When a computer cannot connect to an internal WSUS server, you can configure Windows Defender to use Windows Update to help make sure that definition updates are delivered to these computers. For example, a portable computer that is roaming outside the corporate network can benefit from this configuration.

If you disable this policy setting, Windows Defender checks for definition updates only on a locally managed WSUS server. However, you must configure the Automatic Updates client to use a managed WSUS server. Otherwise, the Automatic Updates client uses the Windows Update Web site.

• Turn on definition updates through both WSUS and Microsoft Malware Protection Center: This policy setting allows you to configure Windows Defender to check and install definition updates from Windows Update and the Microsoft Malware Protection Center when a locally managed Windows Server Update Services (WSUS) server is not available.

Windows Defender checks for definition updates using the Automatic Updates client. The Automatic Updates client can be configured to check the public Windows Update Web site, a locally managed WSUS server, or the Microsoft Malware Protection Center. When a computer is unable to connect to an internal WSUS server or the locally managed WSUS server (such as when a portable computer is roaming outside of the corporate network), Windows Defender can be configured to also check Windows Update and the Microsoft Malware Protection Center to ensure definition updates are delivered to these roaming machines.

If you enable or do not configure this policy setting, by default Windows Defender will check for definition updates from Windows Update and the Microsoft Malware Protection Center, if connections to a locally managed WSUS server fail.

If you disable this policy setting, Windows Defender checks for definition updates only on a locally managed WSUS server, if the Automatic Updates client is so configured.

• Check for New Signatures Before Scheduled Scans: Windows Defender scans the registry and file system for patterns that match the signatures in the definition file during scheduled times. This policy setting can force Windows Defender to check Windows Update or a corporate Windows Server Update Service (WSUS) server for new signatures before it starts its scheduled scan of the computer.


You can use this policy setting to ensure Windows Defender uses the newest signatures when scanning for spyware.

• Turn off Windows Defender: When enabled, Windows Defender does not provide any real-time monitoring, nor does it scan at regularly scheduled intervals. Computers are not scanned for spyware or other potentially unwanted software. You can use this policy setting if your company uses an alternative antispyware solution.

If you disable or do not configure this policy setting, Windows Defender runs, and computers are scanned for spyware and other potentially unwanted software.

• Turn off Real-Time Monitoring: Windows Defender uses a definition file to determine potential forms of spyware. The definition file contains patterns or “signatures” of common implementations of spyware. However, newer forms of spyware attempt to perform potentially unauthorized operations, which are not included in the definition file.

Windows Defender monitors for this type of behavior and it prompts the user with an Unknown Detection dialog box. This dialog box remains on the screen until the user responds by clicking Allow, to allow the operation to proceed, or Block, which prevents the operation from completing. This policy setting allows you to control this behavior. When enabled, Windows Defender does not prompt the user to allow or block the unknown activity.

• Turn off Routinely Taking Action: This policy setting allows you to configure whether Windows Defender will automatically take action on all detected threats. The action to be taken on a particular threat will be determined by the combination of the policy-defined action, user-defined action, and the signature-defined action.

If you enable this policy setting, Windows Defender will not automatically take action on the detected threat, but will prompt users to choose from the actions available for each threat.

If you disable or do not configure this setting, Windows Defender will automatically take action on all detected threats after a non-configurable delay of approximately ten minutes.

• Configure Microsoft SpyNet Reporting: This setting adjusts membership in Microsoft SpyNet. Microsoft SpyNet is the online community that provides recommendations on how to respond to potential spyware threats. The community also helps stop the spread of new spyware infections.

When Windows Defender detects software or changes by software that is not yet classified for risks, you see how other members have responded to the alert. In turn, the other members see how you respond to the alert. The actions that you apply help other members decide how to respond. Your actions also help Microsoft determine which software to investigate for potential threats.

You can decide to send basic information or additional information about detected software. Additional information helps improve how Windows Defender works. For example, additional information can include the location of detected items on the computer if Windows Defender removed harmful software. Windows Defender automatically collects and sends this information.

By default, membership in Microsoft SpyNet is disabled. However, once you enable this policy setting you have three choices:

  • No Membership: Forces the “No Membership” setting to all computers that receive the policy setting.
  • Basic: Forces the “Basic” setting to all computers that receive the policy setting.
  • Advanced: Forces the “Advanced” setting to all computers that receive the policy setting.

Demonstration

This demonstration examines how to use Group Policy settings to configure Windows Defender.


Configure Windows Defender Options with Group Policy

1. On the client computer, open Local Group Policy Editor and navigate to Computer Configuration/Administrative Templates/Windows Components/Windows Defender.
2. In the results pane, choose to Turn off Windows Defender. If this setting is enabled, Windows Defender does not run and your computer will not be scanned for malicious software.
3. In the results pane, choose to Turn off Real-Time Monitoring. If this setting is enabled, Windows Defender does not prompt you when it discovers malicious software.
4. In the results pane, choose to Turn on definition updates through both WSUS and Windows Update. Enable this option if you want Windows Defender to be able to obtain definition updates even during the temporary absence of a local WSUS server. Close Local Group Policy Management.

Question: Does Windows Defender provide for antivirus protection?


Lesson 5
Designing and Implementing Group Policy

The Group Policy Management Console (GPMC) is used to manage and view GPOs, and the Group Policy Object Editor is used to edit policy settings.

With more than 2,500 policy settings in Windows 7 and Windows Server 2008 R2, knowing where to begin can be challenging. This lesson describes how GPOs are processed and applied and describes considerations and best practices for implementing a Group Policy environment.


How are GPOs Processed

Key Points

The client components of Group Policy architecture, known as Group Policy client-side extensions (CSEs), initiate Group Policy by requesting Group Policy Objects (GPOs) from the domain controller that authenticated the client computer. The CSEs interpret and apply the GPOs.

Group Policy Objects are processed in the following order:

1. Local GPOs
2. Site-level GPOs
3. Domain-level GPOs
4. Organizational Unit (OU) GPOs, including any nested OUs, starting with the OU furthest from the user or computer object

If policy settings are applied at multiple levels, the user or computer receives the effects of all policy settings. In case of a conflict between policy settings, the policy setting applied last is the effective policy.

Initial Processing and Background Refresh of Group Policy

Windows 7 applies Group Policy for computers when the computer starts up, and Group Policy for users when the user logs on to the computer. In addition, Group Policy is applied subsequently in the background on a periodic basis, and can also be triggered on demand from the command line.

Periodic Refresh Processing

Computer and user settings are refreshed at regular, configurable intervals. The default refresh interval is every 90 minutes.

Question: When a client computer is connected to a domain, which GPO takes precedence – the local GPO or the domain-based GPOs?




Synchronous and Asynchronous Processing of GPOs

Key Points

• Synchronous processes can be described as a series of processes where one process must finish running before the next one begins.
• Asynchronous processes can run on different threads simultaneously because their outcome is independent of other processes.
• By default, the processing of Group Policy on Windows servers is synchronous, and the processing of Group Policy on client computers is asynchronous. Typically, client computers do not wait for the network to be fully initialized at startup and logon. Existing users are logged on using cached credentials, which results in a shorter logon period. Group Policy is applied in the background after the network becomes available.

Time Limit for Processing of Group Policy

Under synchronous processing, there is a time limit of 60 minutes for all of Group Policy to finish processing on the client. Any client-side extensions that are not finished after 60 minutes are signaled to stop, in which case the associated policy settings might not be fully applied. There is no setting to control this time-out period or behavior.


Group Policy Inheritance

Key Points

When multiple GPOs are applied to users and computers, the settings in the GPOs are aggregated. GPOs that are processed last have the highest precedence. GPOs follow the SDOU rule for processing: site first, then domain, followed by OU, including nested OUs. A nested OU is an OU that has another OU as its parent. In the case of nested OUs, GPOs associated with the parent OUs are processed prior to GPOs associated with the child OUs. In this processing order, sites are applied first but have the least precedence. OUs are processed last and have the highest precedence.

There are several Group Policy options that can alter this default inheritance behavior. These options include:

• Link Order: The precedence order for GPOs linked to a given container. The GPO link with Link Order of one has the highest precedence on that container.
• Enforced: The ability to specify that a GPO takes precedence over any GPOs that are linked to child containers. Enforcing a GPO link works by moving that GPO to the end of the processing order.
• Block Inheritance: The ability to prevent an OU or domain from inheriting GPOs from any of its parent containers. Note that Enforced GPO links will always be inherited.
• Link Enabled: The ability to specify whether a given GPO link is processed or not for the container to which it is linked.

Question: You created a GPO that is linked to a container. How do you prevent the settings in this GPO from being overwritten by settings linked to GPOs in child containers (which generally have a higher precedence)?


Loopback Processing

Key Points

When you apply GPOs to users, generally the same set of user policy settings applies to those users when they log on to any computer. The Group Policy loopback feature provides the ability to apply user Group Policy based upon the computer that the user is logging on to.

By enabling the loopback processing policy setting in a GPO, you can configure user policy settings to be applied regardless of which user logs on, based on the computer that they log on to. This means that you can apply alternate user settings when a user logs on to a computer affected by this setting. When you use this option, you must ensure that the computer and user sections of the GPO are enabled.

There are two modes available:

• Merge mode: In this mode, the list of GPOs for the user is gathered during the logon process. Then, the list of GPOs for the computer is gathered. Next, the list of GPOs for the computer is added to the end of the GPOs for the user. As a result, the computer’s GPOs have a higher precedence than the user’s GPOs.
• Replace mode: In this mode, the list of GPOs for the user is not gathered. Instead, only the list of GPOs based on the computer object is used. The User Configuration settings from this list are applied to the user.

Enabling loopback processing is appropriate in certain closely managed environments, such as for servers and terminal servers. This setting is also intended for special-use computers, such as those in public places, laboratories, and classrooms, where you must modify the user setting based on the computer that is being used.


Group Policy Planning Considerations

Key Points

There are several considerations when you plan to implement Group Policy in your organization.

• Designing an OU Structure That Supports Group Policy: You must ensure that your OU structure supports your Group Policy-based client-management strategy. A well-designed OU structure, reflecting the administrative structure of your organization and taking advantage of GPO inheritance, simplifies the application of Group Policy. The following OU design recommendations address delegation and scope issues:
  • Delegating administrative authority: You can create OUs within a domain and delegate administrative control for specific OUs to particular users or groups.
  • Applying Group Policy: An OU is the lowest-level Active Directory container to which you can assign Group Policy settings. Think primarily about the objects you want to manage when you approach the design of an OU structure.

• Complying with Service Level Agreements: Service-level agreements often set standards for service responsiveness. To reduce the amount of time required to process a GPO, consider using one of the following options:
  • If a GPO contains only computer or user settings, disable the section of the policy that does not apply.
  • When possible, combine smaller GPOs to form a consolidated GPO.
  • The changes you make to GPOs are replicated to domain controllers and result in new downloads to client or destination computers. If you have large or complex GPOs that require frequent changes, consider creating a new GPO that contains only the sections that you update regularly.

• Defining Your Group Policy Objectives: The objectives for each Group Policy implementation vary depending on user location, job needs, computer experience, and corporate security requirements. For example, in some cases, functionality might be removed from users’ computers to prevent them from modifying system configuration files (which might disrupt computer performance), or applications might be removed that are not essential for users to perform their jobs. In other cases, Group Policy might be used to configure operating system options, specify Internet Explorer maintenance settings, or establish a security policy.
  Identify your specific business requirements and how Group Policy can help achieve them, and then determine the most appropriate policy settings and configuration options to meet your requirements. Having a clear understanding of your current organizational environment and requirements helps you design a plan that best meets your organization’s requirements.

• Establishing Group Policy Operational Guidelines: Establishing administrative procedures to track and manage GPOs can ensure that all changes are implemented in a prescribed manner. To simplify and regulate ongoing management of Group Policy, it is recommended that you do the following:
  • Always stage Group Policy deployments using the following pre-deployment process:
    • Use Group Policy Modeling to understand how a new GPO will interoperate with existing GPOs
    • Deploy new GPOs in a test environment that is modeled after your production environment
    • Use Group Policy Results to understand which GPO settings actually are applied in your test environment
  • Use GPMC to make backups of your GPOs on a regular basis.
  • Use GPMC to manage Group Policy across the organization.
  • Do not modify the default domain policy or default domain controller policy unless necessary. Instead, create a new GPO at the domain level and set it to override the default settings in the default policies.
  • Define a meaningful naming convention for GPOs that clearly identifies the purpose of each GPO.
  • Designate only one administrator per GPO. This prevents one administrator’s work from being overwritten by another’s work.

• Identifying Interoperability Issues: Windows Server 2008 R2 and Windows 7 include many new Group Policy settings that are not used on previous versions of Windows. However, even if the client and server computers in your organization run primarily earlier versions of Windows, you should use the GPMC included in Windows Server 2008 R2 because it contains the latest policy settings.

• Defining the scope of application of Group Policy: To define the scope of application of GPOs, consider the following questions:
  • Where will your GPOs be linked? To apply the policy settings of a GPO to users and computers, you need to link the GPO to a site, domain, or OU.
  • What security filtering on the GPOs will you use? Security filtering enables you to refine which users and computers will receive and apply the policy settings in a GPO.
  • What WMI filters will be applied? WMI filters allow you to dynamically determine the scope of GPOs based on attributes of the target computer.

• Determining the Number of Required GPOs: The number of GPOs that you need depends on your approach to design, the complexity of the environment, your objectives, and the scope of the project. In general, combine Group Policy settings that apply to a given set of users or computers and are managed by a common set of administrators into a single GPO. Also consider that the number of GPOs applied to a computer affects startup time, and the number of GPOs applied to a user affects the amount of time needed to log on to the network.


• Designing your Group Policy model: Your primary objective is to design the GPO structure based on your business requirements.
  • Layered GPO Design Model: The objective of this design model is to create GPOs based on a layered approach. This approach optimizes maintenance of GPOs and facilitates delegation.
  • Monolithic GPO Design Model: The objective of this design is to create GPOs based on a monolithic design, an approach that reduces the number of GPOs that apply to a user and/or computer but may not be optimal for delegation.

Question: What are two of the most important considerations that must be taken into account when designing an organization’s Active Directory structure?


Demonstration: Configuring Group Policy Settings and Preferences

This demonstration examines how to configure Group Policy and Preference settings by using Group Policy Management console.

Create and link a GPO

1. Log on to the domain controller and open Group Policy Management.
2. Create a new GPO and link it to the existing domain.

Edit the settings and preferences in the GPO

1. Open the Group Policy Management Editor for the GPO.
2. In the Group Policy Management Editor, navigate to User Configuration/Policies/Windows Settings/Scripts (Logon/Logoff).
3. Create a new logon script that will map a drive letter to a shared network folder with the following content:
   a. Set oNet = WScript.CreateObject("WScript.Network")
   b. oNet.MapNetworkDrive ":", "\\\"
4. Rather than use a policy setting for configuring a drive mapping, we could use a user preference. Open the new policy for editing, and navigate to User Configuration/Preferences/Windows Settings/Drive Maps.
5. Create a new drive mapping with the following properties:
   a. Location: \\\
   b. Reconnect: select
   c. Drive letter:
   You can configure Item-level targeting in the Targeting Editor. You can use targeting to specify a condition, or conditions, that must be met in order for the preference to apply. You could, for example, specify domain-level targeting, which applies the preference only when the user is logged on to the domain.
6. Close Group Policy Management Editor.
7. Log on to the client computer and force a refresh of the Group Policy settings.
8. Restart the client computer, and then log on using the required credentials.
9. Acknowledge the logon script welcome message.
10. Open the Computer window and view the drive mapping.

Question: What does using Preference targeting do?


Best Practices for Implementing Group Policy

The following list identifies several best practices an organization needs to consider when implementing Group Policy:

• Editing Group Policies on the PDC Emulator: By default, when a new domain is added to the console, GPMC uses the PDC emulator in that domain for operations in that domain. For managing sites, by default, GPMC uses the PDC emulator in the user’s domain. The choice of domain controllers is important for administrators to avoid replication conflicts, especially because GPO data is located both in Active Directory and in Sysvol, which rely on independent replication mechanisms to replicate GPO data to the various domain controllers in the domain. If two administrators simultaneously edit the same GPO on different domain controllers, it is possible for the changes written by one administrator to be overwritten by another administrator, depending on replication latency.
  To avoid this, GPMC uses the Operations Master token for the PDC emulator in each domain as the default. This helps ensure that all administrators are using the same domain controller and guards against data loss.

• Editing Group Policy Offline: Microsoft Advanced Group Policy Management (AGPM) is an integral component of the Microsoft® Desktop Optimization Pack (MDOP) for Software Assurance. AGPM helps organizations control their Group Policy environment by providing offline storage for GPOs. Changes made to GPOs in the archive do not affect the production environment until the GPOs are deployed. By limiting changes to the archive, GPOs can be edited and tested without affecting the production environment. After the changes are reviewed and approved, they can be deployed with the knowledge that they can be quickly rolled back if they have an undesirable effect.

• Testing GPO in Test or Pilot Environments: GPOs must be fully tested in safe (nonproduction) environments prior to production deployment. The more you plan, design, and test GPOs prior to deployment, the easier it is to create, implement, and maintain an optimal Group Policy solution. The importance of testing and pilot deployments in this context cannot be overemphasized. Your tests need to closely simulate the production environment.

• Backing-Up and Archiving GPO Before Editing: GPMC provides mechanisms for backing up, restoring, migrating, and copying existing GPOs. This is important for maintaining your Group Policy deployments in the event of error or disaster. It helps avoid having to manually recreate lost or damaged GPOs and then go through the planning, testing, and deployment phases again.

• Importing Test GPO to Production Domains: The Import operation transfers settings into an existing GPO in Active Directory using a backed-up GPO in the file system location as its source. Import operations can be used to transfer settings:
  • From one GPO to another GPO within the same domain.
  • To a GPO in another domain in the same forest.
  • To a GPO in a domain in a different forest.
  The import operation always places the backed-up settings into an existing GPO. It erases any preexisting settings in the destination GPO.

• Using GPO Accelerators: The GPO Accelerator creates all the GPOs that are needed to deploy the recommended security settings for your environment. This functionality can save many hours of work that is otherwise needed to configure and deploy security settings manually. The GPO Accelerator can implement a security baseline and create GPOs for a domain-based environment or local client computer.


Lab A: Designing and Configuring the Client Environment

Note: Your instructor may run elements of this lab as a class discussion.

Computers in This Lab

Before you begin the lab, you must start the virtual machines. The virtual machines used at the start of this lab are as follows:

• 6294A-LON-DC1
• 6294A-LON-CL1
• 6294A-LON-CL2

Start the virtual machines

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In the Virtual Machines pane, click the virtual machine name. In the Actions pane, under the virtual machine name, click Start.
3. To connect to the virtual machine, click the virtual machine name, and in the Actions pane, under the virtual machine name, click Connect.


Exercise 1: Designing a Client Environment

Scenario

In an attempt to design an effective managed client environment, you have asked Ryan Ihrig to interview various departments on their management requirements. Ryan has provided you with a summary document regarding the requirements that have been determined for each department.

The main tasks for this exercise are as follows:

1. Read the supporting documentation.
2. Answer the questions in the Group Policy Objects for Contoso document, and then update the document with your planned course of action.

Supporting Documentation

Contents of Summary.doc:

Contoso implements a standard desktop build across the various departments within the organization; each department has a slightly different initial desktop build. Many standard office productivity applications are deployed as part of this build; however, some line-of-business applications must be additionally deployed after the desktop deployment process.

The following table summarizes the Contoso domain-level settings; these settings must not be overridden by lower-level settings; that is, they must be enforced.

Setting                               Value
Enforce password history              12 passwords remembered
Minimum password length               6 characters
Account lockout duration              30 minutes
Account lockout threshold             3 attempts
Reset account lockout counter after   30 minutes
Inbound firewall rule                 Enable ICMPv4 on only domain profile
Application Restrictions              Only allow scripts signed by Microsoft to execute
System Services                       Auto-start Application identity
Internet Explorer home page           http://lon-dc1

Aside from these domain-level settings, it is important that the following departmental settings are observed where they do not conflict with the domain settings.

Departmental settings (table columns: Department; Applications; Drive mappings; Security settings; Desktop):

• IT: Office Visio; \\lon-dc1\Data; Documents redirected to departmental shared folder on LON-DC1
• Research: One Note and Office Visio; \\lon-dc1\Data
• Marketing: None; \\lon-dc1\Data
• Production: Custom App; None; Internet Explorer blocked.

Note: It is vital that IT department users can run scripts that are not signed by Microsoft.


Contoso GPO.vsd diagram:


Group Policy Objects for Contoso

Document Reference Number: EM1109
Document Author: Ed Meadows
Date: November 2009

Requirement Overview

To determine which Group Policy Objects are required, and linked to which Active Directory objects, in order to address the domain and departmental requirements in the Summary document. You may use the Contoso GPO.vsd diagram to sketch your answer if you wish.

Your plan should include how you intend to address each desired setting; that is, which policy or, where necessary, which preference setting.

Additional Information

1. Where will you configure the domain-level settings outlined in the Summary document?
2. What impact does the fact that IT users must be able to run unsigned scripts have on your GPO strategy?
3. How will you handle application deployment for the various departments?
4. How will you restrict the Production department users from running Internet Explorer?
5. Will you handle drive mappings using preferences or a logon script?
6. How do you intend to manage the IT department’s requirement for a standard Documents folder?
7. Sketch, or document, the intended GPOs and how they are linked to AD DS objects on the supplied diagram. Indicate which settings will be configured by which object.

Note: It is not necessary to detail the precise GPO settings.

Proposals

Either complete this section, or else use the Contoso GPO.vsd diagram to document your plan.

Task 1: Read the supporting documentation

• Read the supporting documentation.

Task 2: Update the proposal document with your planned course of action

• Answer the questions in the additional information section of the document.
• Update the Group Policy Objects for Contoso document with your planned course of action.

Results: After this exercise, you have completed the Group Policy Objects for Contoso project planning document.


Exercise 2: Implementing a Client Configuration

Scenario

Your plan has been accepted by the department heads, and you are now tasked with implementing the domain-level elements of your plan.

The main tasks for this exercise are as follows:

1. Create a new GPO and link it to the domain.
2. Configure the AppLocker policy on this new GPO.
3. Modify the Default Domain Policy to include the required settings.
4. Enforce this GPO.
5. Block inheritance on the IT OU.
6. Move the two desktop computers into the appropriate OUs.
7. Refresh policies on client computers.
8. Test the settings on the departmental computers.

Note: LON-DC1 is the computer running Windows Server 2008 R2 and is the domain controller for Contoso. LON-CL1 and LON-CL2 are both computers running Windows 7.

Task 1: Create a new GPO and link it to the domain

• Log on to the LON-DC1 virtual machine as CONTOSO\administrator with a password of Pa$$w0rd.
• Open Group Policy Management.
• Create a new GPO called “Script Restriction Policy” and link it to the Contoso.com domain.

Task 2: Configure the AppLocker policy on this new GPO

• Edit the “Script Restriction Policy” GPO.
• In Group Policy Management Editor, navigate to Computer Configuration/Policies/Windows Settings/Security Settings/Application Control Policies/AppLocker.
• Create a new Script Rule with the following properties:
  • Permissions: Deny, Everyone
  • Conditions: Publisher
  • Reference file: C:\windows\system32\slmgr.vbs
  • Level: Any publisher
  • Exceptions:
    • Reference file: C:\windows\system32\slmgr.vbs
    • Level: Publisher
• Enable default rules.
• Close Group Policy Management Editor.


Task 3: Modify the Default Domain Policy to include the required settings

Note: You will not be configuring all policy settings planned in the last exercise.

• Edit the Default Domain Policy.
• In Group Policy Management Editor, navigate to User Configuration/Policies/Windows Settings/Internet Explorer Maintenance/URLS.
• From Important URLs, configure the Home page URL: http://lon-dc1
• In Group Policy Management Editor, navigate to Computer Configuration/Policies/Windows Settings/Security Settings/Windows Firewall with Advanced Security/Windows Firewall with Advanced Security – LDAP://CN={GUID}.
• Create a new custom inbound rule that allows ICMPv4 packets for the domain profile. Call the rule “Allow ping”.
• In the Group Policy Management Editor, navigate to User Configuration/Preferences/Windows Settings/Drive Maps.
• Create a new Mapped Drive:
  • In the Location box, type \\lon-dc1\data.
  • Select the Reconnect check box.
  • In the Use list, click G.
  • Click the Common tab.
  • Configure Item-level targeting for Domain.
  • NetBIOS domain name: CONTOSO.
• In the Group Policy Management Editor, navigate to Computer Configuration/Policies/Windows Settings/Security Settings/System Services.
• Configure the Application Identity service to start automatically.
• Close Group Policy Management Editor.

Task 4: Enforce this GPO

• In Group Policy Management, right-click Default Domain Policy, and then click Enforced.

Task 5: Block inheritance on the IT OU

• In the navigation tree, right-click IT, and then click Block Inheritance.
• Close Group Policy Management.

Task 6: Move the two desktop computers into the appropriate OUs

• Open Active Directory Users and Computers.
• Move the LON-CL1 computer from the Computers container to the IT organizational unit.
• Move the LON-CL2 computer from the Computers container to the Production organizational unit.
• Close Active Directory Users and Computers.


Task 7: Refresh the group policy on the client computers

• Switch to the LON-CL1 computer and log on to the LON-CL1 virtual machine as CONTOSO\administrator with a password of Pa$$w0rd.
• Open a command prompt, and in the Command Prompt, type gpupdate /force and then press ENTER.
• At the OK to logoff? (Y/N) prompt, type N and press ENTER.
• Restart the computer.
• Log on to the LON-CL1 virtual machine as CONTOSO\Ryan with a password of Pa$$w0rd.
• Switch to the LON-CL2 computer and log on to the LON-CL2 virtual machine as CONTOSO\administrator with a password of Pa$$w0rd.
• Open a command prompt, and in the Command Prompt, type gpupdate /force and then press ENTER.
• At the OK to logoff? (Y/N) prompt, type N and press ENTER.
• Restart the computer.
• Log on to the LON-CL2 virtual machine as CONTOSO\Jens with a password of Pa$$w0rd.

Task 8: Test the settings on the departmental computers

• Switch to the LON-CL1 computer.
• Confirm the presence of the mapped drive.
• Confirm that the Application Identity service is started.
• Verify that the home page is http://lon-dc1.
• Verify that you can ping lon-cl2, indicating that the new firewall rule is configured.
• Open a command prompt, and at the Command Prompt, type copy con test.vbs and press ENTER.
• At the Command Prompt, type msgbox “test” and press ENTER.
• At the Command Prompt, press F6, and then press ENTER.
• At the Command Prompt, type test.vbs and press ENTER. Verify that an unsigned script ran successfully.
• Close all open windows.
• Switch to the LON-CL2 computer.
• Open a command prompt, and at the Command Prompt, type copy con test.vbs and press ENTER.
• At the Command Prompt, type msgbox “test” and press ENTER.
• At the Command Prompt, press F6, and then press ENTER.
• At the Command Prompt, type test.vbs and press ENTER. Verify that an unsigned script did not run. Click OK.
• Close all open windows.

Results: After this exercise, you have implemented the domain-level elements of your GPO plan.

Important: Do not restart the virtual machines. You will need them for the subsequent lab.


Lesson 6
Troubleshooting Group Policy

There are many moving parts within Group Policy, especially in regard to the way it interfaces with the overall Active Directory design and implementation. When troubleshooting many kinds of access and network issues, you must always include Active Directory and the basics of Group Policy implementation at the Windows 7 client level in your search for a solution.

Begin the troubleshooting process by looking at Group Policy settings that can be configured incorrectly, and then move on to more complex issues that might cause Group Policy to malfunction. This lesson examines the problems that are typically encountered in a Group Policy environment, along with the methods and tools that can be used in troubleshooting these issues.


Discussion: Reasons for Group Policy Application Failures

Key Points
Discussion Question: For the question displayed, present and discuss your ideas with the class.

Some of the most common reasons for Group Policy application failures relate to network, processes, scope, or infrastructure. Present and discuss your ideas with the class.


Discussion: Fixing Common Group Policy Problems

Key Points
Problems with the application of Group Policy often involve the technologies on which Group Policy depends, or implementation errors.

Identify and fix the following Group Policy problems:
1. Group Policy changes need to be applied immediately.
2. Some policy areas are missing when the Local Group Policy Editor is opened.
3. Some settings are missing in the Local Group Policy Editor.
4. Some policies are not applied over dial-up connections.
5. Security Options are not applied.
6. Account Policies are not applied for domain users.


Group Policy Troubleshooting Tools

Key Points
Group Policy Management Console (GPMC) is the preferred tool for administering Group Policy and it is an excellent tool for troubleshooting Group Policy. GPMC provides the following reporting functionality:
• Group Policy Modeling reports: Predict the policies that will be applied at a specific client.
• Group Policy Results reports: Collect information directly from the client to show the policies in effect, and include key policy events that are logged at that client.

Windows 7 provides the following tools to troubleshoot Group Policy:
• RSoP in Management Console: RSoP in Management Console is an addition to Group Policy that makes policy implementation and troubleshooting easier. RSoP is a query engine that polls existing policies and planned policies that can be used to see what policy is in effect and to troubleshoot problems. It polls existing policies based on:
  • Site
  • Domain
  • Domain controller
  • Organizational unit
  RSoP provides the following information about Group Policy:
  • The last time a policy was applied and the domain controller that applied the policy, for the user and computer.
  • The complete list of applied Group Policy objects and their details, including a summary of the extensions that each Group Policy object contains.
  • Registry settings that are applied and their details.
  • Folders that are redirected and their details.
  • Software management information detailing assigned and published applications.
  • Disk quota information.
  • IP Security settings.
  • Scripts
  Perform the following steps to collect RSoP data that can be later used in an RSoP query:
  1. In the RSoP snap-in, right-click Resultant Set of Policy, and then click Generate RSoP Data.
  2. After the RSoP Wizard starts, click Next.
  3. Click Logging mode, and then click Next.
  4. Specify the computer on which you want to run RSoP, and then click Next.
  5. Specify the user for which you want to collect RSoP data, and then click Next.
  6. Review the summary of settings, click Next, and then wait for RSoP to finish processing the data.
  7. Click Finish.
  8. In the RSoP snap-in, click the newly created RSoP query in the console tree to view the data.
• GPResult.exe: Intended for administrators, the Group Policy Results (GPResult.exe) command-line tool displays the Resultant Set of Policy (RSoP) information for a specific user or computer. Administrators can run GPResult on any remote computer within their scope of management.
  To access GPResult, open a Command Prompt window. At the command line, type gpresult.
• GPOTool.exe: A command-line tool to be used in replicated domains that contain more than one domain controller.
  To access GPOTool, open a Command Prompt window. At the command line, type gpotool /verbose. Gpotool performs a complete check of each domain controller and GPO and provides summary information about each object.
• Event Viewer: A Microsoft Management Console (MMC) snap-in that enables you to browse and manage event logs. Event Viewer lets you easily see all events that relate only to Group Policy.
  The Event Viewer can be found in the Administrative Tools folder of the Control Panel.
• Software Installation Diagnostics Tool (Addiag.exe): Collects additional diagnostic information when troubleshooting Software Installation policy issues. It displays detailed information about the applications visible in Windows and installations for the current user, and also general diagnostic information and related Event Log entries.
  To access Addiag.exe, open a Command Prompt window. At the command line, type addiag, or for additional usage syntax, type addiag /?.
• Group Policy Inventory (GPInventory.exe): Allows administrators to collect Group Policy and other information from any number of computers in their network by running multiple RSoP or Windows Management Instrumentation (WMI) queries.
  To access GPInventory.exe, open a Command Prompt window. At the command line, type gpinventory.

Question: What is the purpose of GPOTool.exe?


Process for Resolving Group Policy Application Failures

Key Points
Group Policy application failures can be caused by incorrect policy settings, incomplete policy settings, or lack of policy application to the computer or the user.

Perform the following steps to help resolve Group Policy application failures:
1. Enable verbose debug logging on the client computer
   A log file (Userenv.log) points to the cause of a general failure to enumerate the list of Group Policy Objects (GPOs) that apply to the user.
2. Verify connectivity and DNS resolution
   If connectivity to domain controllers is causing the problem, the debug log usually detects the problem and records specific locations in Windows and on network shares.
   Dcdiag.exe and Netdiag.exe are used to test network connectivity and DNS resolution. Dcdiag.exe is used to test Domain Controllers, and Netdiag.exe is used to test workstations and servers.
3. Verify that Group Policy must be applied to the client
   Windows determines what kind of policy to apply, whether it is down-level policy or Group Policy, based on the location of the computer and user account.
4. Run GPResult
   Pay attention to the order in which the GPOs are applied. If the same setting is specified in multiple GPOs, those applied later in the process (lower in the log files) are authoritative and override settings in GPOs higher in the list.
5. Run GPOTool
   GPOTool determines whether there is an inconsistency between Windows and SYSVOL versions of the same GPO across peer domain controllers. This information can help determine whether replication latency is causing Windows to receive an incorrect policy.
6. View the Userenv.log file
   Verify that the Distinguished Name (DN) of the computer/user is being determined. If Windows does not determine the DN, it cannot correctly parse Windows to determine which GPOs to apply to the user or computer.
7. View the Userenv.log file
   All entries for each GPO that is evaluated are recorded in this file. Determine whether any GPOs are being skipped because the user does not have the correct permissions on the GPO (the user must have Read and Apply Group Policy permissions).
8. Determine whether loopback processing is in effect
   This causes the user components of GPOs that apply to the computer to be applied to the user. To determine this, look in the Userenv.log file for a line like the following, which is displayed when the ordinary policy processing rules apply:

   USERENV(e8.128) 15:46:17:234 ProcessGPOs: Calling GetGPOInfo for normal policy mode

Question: When resolving Group Policy application failures, what is the purpose of running GPResult?
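The Userenv.log check in step 8 can be scripted. The following is an added example, not part of the courseware or of any Microsoft tool: it parses lines in the format of the quoted log entry and lists the policy mode of each GetGPOInfo call. It assumes the process and thread IDs are hexadecimal, and the second sample line (with its "replacement user" wording) is constructed for illustration.

```python
import re
from typing import Dict, Iterable, List, NamedTuple, Optional

# Header layout copied from the line quoted in step 8:
#   USERENV(<pid>.<tid>) hh:mm:ss:ms <Function>: <message>
# Assumption: pid and tid are hexadecimal (the quoted line has "e8").
LINE_RE = re.compile(
    r"^USERENV\((?P<pid>[0-9A-Fa-f]+)\.(?P<tid>[0-9A-Fa-f]+)\)\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2}:\d{3})\s+"
    r"(?P<func>\w+):\s*(?P<msg>.*)$"
)
MODE_RE = re.compile(r"Calling GetGPOInfo for (?P<mode>.+?) policy mode")

# Line 1 is the entry quoted on the page. Lines 2 and 3 are constructed:
# line 2 assumes the wording of a non-normal mode, line 3 is damaged input.
SAMPLE_LOG = """\
USERENV(e8.128) 15:46:17:234 ProcessGPOs: Calling GetGPOInfo for normal policy mode
USERENV(e8.12c) 15:46:19:010 ProcessGPOs: Calling GetGPOInfo for replacement user policy mode
15:46:19:500 truncated line without the USERENV header
"""


class Entry(NamedTuple):
    pid: int
    tid: int
    time: str
    func: str
    msg: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one Userenv.log line; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return Entry(int(m["pid"], 16), int(m["tid"], 16),
                 m["time"], m["func"], m["msg"])


def policy_modes(lines: Iterable[str]) -> List[Dict[str, object]]:
    """List every GetGPOInfo call with the policy mode it was made in."""
    found: List[Dict[str, object]] = []
    for number, line in enumerate(lines, start=1):
        entry = parse_line(line)
        if entry is None or entry.func != "ProcessGPOs":
            continue
        m = MODE_RE.search(entry.msg)
        if m is None:
            continue
        mode = m["mode"].strip().lower()
        found.append({
            "line": number,
            "time": entry.time,
            "thread": f"{entry.pid:x}.{entry.tid:x}",
            "mode": mode,
            # Only "normal" is documented on the page; any other mode is
            # flagged so the analyst checks for loopback processing.
            "check_loopback": mode != "normal",
        })
    return found


def unparsed_line_numbers(lines: Iterable[str]) -> List[int]:
    """Non-empty lines that do not match the header, e.g. a truncated log."""
    return [n for n, line in enumerate(lines, start=1)
            if line.strip() and parse_line(line) is None]


if __name__ == "__main__":
    rows = SAMPLE_LOG.splitlines()
    for hit in policy_modes(rows):
        note = "review for loopback" if hit["check_loopback"] else "ordinary rules"
        print(f'line {hit["line"]} {hit["time"]} thread {hit["thread"]}: '
              f'{hit["mode"]} ({note})')
    print("unparsed lines:", unparsed_line_numbers(rows))
```
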


Lab B: Troubleshooting GPO Issues

Computers in This Lab
You continue to use the virtual machines from the previous lab. The virtual machines used in this lab are as follows:
• 6294A-LON-DC1
• 6294A-LON-CL1
• 6294A-LON-CL2


Exercise 1: Resolving a GPO Application Problem

Scenario
Staff in the IT department have been complaining about unexpected computer behavior since some recent changes were made by another member of the GPO management team. You must investigate the cause of these problems, and resolve them.

The main tasks for this exercise are as follows:
1. Reconfigure the GPO settings to simulate a problem.
2. Refresh the group policy on the client computers.
3. Test the group policy settings.
4. Enable necessary programs through the firewall.
5. Run the Group Policy Results Wizard.
6. Examine the Group Policy Results.
7. Reconfiguring enforcement.
8. Re-Run the query.

Note: LON-DC1 is the computer running Windows Server 2008 R2 and is the domain controller for Contoso. LON-CL1 and LON-CL2 are both computers running Windows 7.

Task 1: Reconfigure the GPO settings to simulate a problem
• Switch to the LON-DC1 computer, load Group Policy Management, and navigate to Forest: Contoso.com/Domains/Contoso.com. Remove the Enforced setting from the Default Domain Policy link.

Task 2: Refresh the group policy on the client computers
• Switch to the LON-CL1 computer and log off, and then log on to the LON-CL1 virtual machine as CONTOSO\administrator with a password of Pa$$w0rd.
• Open a command prompt, and in the Command Prompt, type gpupdate /force and then press ENTER.
• At the OK to logoff? (Y/N) prompt, type N and press ENTER.
• Restart the computer.
• Log on to the LON-CL1 virtual machine as CONTOSO\Ryan with a password of Pa$$w0rd.
• Switch to the LON-CL2 computer and log off, and then log on to the LON-CL2 virtual machine as CONTOSO\administrator with a password of Pa$$w0rd.
• Open a command prompt, and in the Command Prompt, type gpupdate /force and then press ENTER.
• At the OK to logoff? (Y/N) prompt, type N and press ENTER.
• Restart the computer.
• Log on to the LON-CL2 virtual machine as CONTOSO\Jens with a password of Pa$$w0rd.


Task 3: Test the group policy settings
• On the LON-CL2 computer, open a command prompt and attempt to ping lon-cl1. Is the ping successful?
• Close all open windows.
• Switch to the LON-CL1 computer, and determine if the Application Identity service is started.
• Open Internet Explorer. Is the home page http://lon-dc1?
• Close all open windows.
• What do these tests suggest?

Task 4: Enable necessary programs through the firewall
• Open Windows Firewall and allow the following programs/features through the firewall:
  • Windows Management Instrumentation (WMI)
  • Remote Service Management
• Close Windows Firewall.

Task 5: Run the Group Policy Results Wizard
• Switch to the LON-DC1 computer, and in Group Policy Management, in the navigation tree, click Group Policy Results.
• Right-click Group Policy Results, and then click Group Policy Results Wizard.
• In the Group Policy Results Wizard, click Next. Complete the wizard with the following information:
  • Computer: CONTOSO\LON-CL1
  • User: CONTOSO\ryan
• In the Internet Explorer dialog box, click Add.
• In the Trusted sites dialog box, click Add, and then click Close.

Task 6: Examine the Group Policy results
• In Group Policy Management, in the results pane, click show all.
• Study the report. Looking at the Denied GPOs section, what is the reason that no GPOs are applied to the computer?

Task 7: Reconfiguring enforcement
• In Group Policy Management, navigate to Forest: Contoso.com/Domains/Contoso.com. Enable the Enforced setting for the Default Domain Policy.
• Switch to the LON-CL1 computer and open a command prompt.
• In the Command Prompt, type gpupdate /force and then press ENTER.
• At the OK to logoff? (Y/N) prompt, type N and press ENTER.
• Switch to the LON-DC1 computer.

Task 8: Re-Run the query
• In Group Policy Management, in the navigation tree, right-click ryan on lon-cl1, and then click Rerun query.
• In Group Policy Management, in the results pane, click show all.
• Study the report. Are any GPOs applying now?
• Click the Settings tab, and then click show all.
• Which settings are being applied by the Default Domain Policy?

Task 9: Virtual machine shutdown
When you finish the lab, revert each virtual machine back to its initial state. To do this, complete the following steps:
• On the host computer, start Hyper-V Manager.
• Right-click each virtual machine name in the Virtual Machines list, and then click Revert.
• In the Revert Virtual Machine dialog box, click Revert.

Results: After this exercise, you have resolved the reported GPO problem.
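The lab toggles the Enforced flag on a GPO link, and the troubleshooting process relies on the rule that GPOs applied later override earlier ones. The following added example (not courseware or Microsoft code) models both rules for a chain of containers and reports which GPO supplies each effective setting. It goes slightly beyond the lab by also covering two enforced links at different levels; the GPO name "IT Desktop Policy" and all setting names and values are hypothetical, and the model is not a statement of how the lab domain is configured.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Link:
    """One GPO link on a container."""
    gpo: str
    settings: Dict[str, str]
    enforced: bool = False


@dataclass
class Container:
    """A site, domain or OU. Links are listed in application order."""
    name: str
    links: List[Link] = field(default_factory=list)


def application_order(path: List[Container]) -> List[Link]:
    """Order in which links are applied for an object at the end of `path`.

    `path` runs top-down (for example domain, then OU, then child OU).
    Non-enforced links apply top-down, so a lower container overrides a
    higher one. Enforced links apply after all of those, lowest container
    first, so the enforced link highest in the hierarchy is applied last.
    """
    ordered = [l for c in path for l in c.links if not l.enforced]
    for container in reversed(path):
        ordered += [l for l in container.links if l.enforced]
    return ordered


def resultant_set(path: List[Container]) -> Dict[str, Tuple[str, str, List[str]]]:
    """Map each setting to (effective value, winning GPO, overridden GPOs)."""
    result: Dict[str, Tuple[str, str, List[str]]] = {}
    for link in application_order(path):
        for key, value in link.settings.items():
            previous = result.get(key)
            overridden = previous[2] + [previous[1]] if previous else []
            result[key] = (value, link.gpo, overridden)
    return result


def contoso_path(domain_link_enforced: bool) -> List[Container]:
    """Constructed sample: a domain-level GPO and a hypothetical OU-level GPO."""
    return [
        Container("Contoso.com", [
            Link("Default Domain Policy",
                 {"HomePage": "http://lon-dc1", "ScreenSaverTimeout": "600"},
                 enforced=domain_link_enforced),
        ]),
        Container("IT", [
            Link("IT Desktop Policy", {"HomePage": "about:blank"}),
        ]),
    ]


if __name__ == "__main__":
    for enforced in (False, True):
        print(f"Default Domain Policy link enforced = {enforced}")
        for setting, (value, gpo, lost) in sorted(resultant_set(contoso_path(enforced)).items()):
            suffix = f" (overrides {', '.join(lost)})" if lost else ""
            print(f"  {setting} = {value}  from {gpo}{suffix}")
```
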


Module Review and Takeaways

Review Questions
1. What benefit does implementing Multiple Local Group Policy Objects (MLGPO) in Windows provide over previous Windows versions? What are the three layers of local GPOs provided by MLGPO (for bonus points, list them in the order in which they are applied)?
2. What are some of the advantages to configuring Windows 7 clients using Group Policy Settings?
3. When configuring IE8.0 settings, what benefit is provided when enabling InPrivate Browsing, and what improvement does it provide over the Delete Browsing History option?
4. What are the two main firewall types, and how are they different from one another?
5. When implementing AppLocker, what must you do before manually creating new rules or automatically generating rules for a specific folder, and why?
6. What are the two modes in which you can run BitLocker? Which is the most secure, and why?
7. How does the SmartScreen Filter work in Internet Explorer 8?
8. What network firewall shortcoming does the Windows Firewall with Advanced Security address?
9. GPO A is linked to Organizational Unit (OU) 1 and GPO B is linked to OU 2. OU 2 is nested under OU 1 in the domain. Computer policy setting X is defined in both GPO A and B with different values, and computer policy setting Y is defined only in GPO A. What will be the result of setting X and Y on the following computers:
   • Computer K is located on OU 1.
   • Computer L is located on OU 2.

Real-world Issues and Scenarios
1. An administrator configures Group Policy to require that data can only be saved on data volumes protected by BitLocker. Specifically, the administrator enables the Deny write access to removable data drives not protected by BitLocker policy and deploys it to the domain. Meanwhile, an end user inserts a USB flash drive that is not protected with BitLocker. What happens, and how can the user resolve the situation?


2. Trevor has implemented Windows AppLocker. Before he created the default rules, he created a custom rule that allowed all Windows processes to run except for Regedit.exe. Because he did not create the default rules first, he is blocked from performing administrative tasks. What does he need to do to resolve the issue?
3. A server has multiple network interface cards (NICs), but one of the NICs is not connected. In Windows Vista, this caused the machine to be stuck in the public profile (the most restrictive rule). How is this issue resolved in Windows 7?
4. Peter recently upgraded to Internet Explorer 8. Ever since the upgrade, he has noticed that several of the sites that he normally visits are no longer being rendered as expected. What action does Peter need to take?
5. John's organization is interested in implementing the Group Policy loopback feature across a series of computers in their Production Department. During their pilot project, they configured different settings for two managers based on the computers in their Assembly, Fabrication, and Warehouse Departments. They discovered during their testing that the same policy settings were applied to both managers at each computer, when in fact, each manager needed to experience different settings at the same computer. What might be the probable cause for this error?
6. Paul modified several Group Policies, but during his testing he noticed that his changes did not take effect immediately. Working from a domain connected client, Paul had to wait approximately 90 minutes for his policy changes to take effect. What can Paul do to remedy this situation?

Common Issues Related to Internet Explorer 8 Security Settings
IT professionals must familiarize themselves with the common issues that are related to Internet Explorer 8 security settings.

Issue | Troubleshooting tip
Diagnose Connection Problems Button |
Resetting Internet Explorer 8 Settings |

Best Practices for User Account Control
• UAC Security Settings are configurable in the local Security Policy Manager (secpol.msc) or the Local Group Policy Editor (gpedit.msc). However, in most corporate environments, Group Policy is preferred because it can be centrally managed and controlled. There are nine Group Policy object (GPO) settings that can be configured for UAC.
• Because the user experience can be configured with Group Policy, there can be different user experiences, depending on policy settings. The configuration choices made in your environment affect the prompts and dialog boxes that standard users, administrators, or both, can view.
  For example, you might require administrative permissions to change the UAC setting to “Always notify me” or “Always notify me and wait for my response.” With this type of configuration, a yellow notification appears at the bottom of the User Account Control Settings page indicating the requirement.

Best Practices for Windows BitLocker
• Because BitLocker stores its own encryption and decryption key in a hardware device that is separate from the hard disk, you must have one of the following:


  • A computer with Trusted Platform Module (TPM).
  • A removable Universal Serial Bus (USB) memory device, such as a USB flash drive. If your computer does not have TPM version 1.2 or higher, BitLocker stores its key on the memory device.
• The most secure implementation of BitLocker leverages the enhanced security capabilities of Trusted Platform Module (TPM) version 1.2.
• On computers that do not have a TPM version 1.2, you can still use BitLocker to encrypt the Windows operating system volume. However, this implementation will require the user to insert a USB startup key to start the computer or resume from hibernation and does not provide the pre-startup system integrity verification offered by BitLocker that is working with a TPM.

Best Practices for Windows AppLocker
• Before manually creating new rules or automatically generating rules for a specific folder, create the default rules. The default rules ensure that the key operating system files are allowed to run for all users.
• When testing AppLocker, carefully consider how you will organize rules between linked GPOs. If a GPO does not contain the default rules, then either add the rules directly to the GPO or add them to a GPO that links to it.
• After creating new rules, enforcement for the rule collections must be configured and the computer's policy refreshed.
• By default, AppLocker rules do not allow users to open or run any files that are not specifically allowed. Administrators must maintain a current list of allowed applications.
• If AppLocker rules are defined in a Group Policy Object (GPO), only those rules are applied. To ensure interoperability between Software Restriction Policies rules and AppLocker rules, define Software Restriction Policies rules and AppLocker rules in different GPOs.
• When an AppLocker rule is set to Audit only, the rule is not enforced. When a user runs an application that is included in the rule, the application is opened and runs normally and information about that application is added to the AppLocker event log.
• At least one Windows Server 2008 R2 domain controller is required to host the AppLocker rules.

Best Practices for Windows Defender
• When using Windows Defender, you must have current definitions.
• To help keep your definitions current, Windows Defender works with Windows Update to automatically install new definitions as they are released. You can also set Windows Defender to check online for updated definitions before scanning.
• When scanning your computer, it is recommended to select the advanced option to Create a restore point before applying actions to detected items. Because Windows Defender can be set to automatically remove detected items, selecting this option allows system settings to be restored if software that is unintentionally removed needs to be used.


Module 11
Planning and Deploying Applications and Updates to Windows® 7 Clients

Contents:
Lesson 1: Determining the Application Deployment Method
Lab A: Determining the Application Deployment Method
Lesson 2: Deploying the 2007 Microsoft Office System
Lab B: Customizing the Microsoft Office Professional Plus 2007 Installation
Lesson 3: Planning and Configuring Desktop Updates by Using WSUS
Lab C: Planning and Managing Updates by Using WSUS


Module Overview

Employees need applications that support their business requirements so that they can be productive in reaching company goals. Application Virtualization (App-V) is becoming more widely adopted and the remote user access to hosted applications is also increasing. The complexity and cost of an application deployment can make it difficult to quickly realize productivity benefits.

This module helps you plan and deploy the 2007 Microsoft® Office system to Windows® 7 clients. The following application deployment tools and topics are discussed:
• Configuration Manager 2007 provides several tools to enable the deployment of applications throughout the enterprise.
• Group Policy Object (GPO) deployment provides application deployment at the departmental level.
• App-V and Terminal Server (TS) RemoteApp deployment tools enable deployment to remote hosts.
• Windows Server Update Services (WSUS) delivers updates and hot fixes that are critical to the security of the application.
• File Types provide a variation of capabilities for application deployment.


Lesson 1
Determining the Application Deployment Method

Software distribution requires several tools and applications, such as:
• Configuration Manager, which uses packages to deploy software applications and, within those packages, commands called programs that tell the client what executable file to run.
• Group Policy deployment, which is configured through the Group Policy Management Console (GPMC) and is used to deploy msi files. GPMC is available on Windows Server® 2008.
• TS RemoteApp, which hosts remote applications, making them available from any Windows platform or device.
• App-V, which simplifies IT management because the virtualized application does not interface with the host operating system.

Understanding how these elements are used in deployment enables you to choose the right tool for specific deployment projects.


Software Distribution in Configuration Manager 2007

Key Points
The Configuration Manager 2007 software distribution feature provides a set of tools and resources that can help manage the complex task of creating, modifying, and distributing software packages to client computers in your enterprise.

Creating a Package
Within Configuration Manager, packages provide one of the foundations of distributing software to clients. Although the specific software being delivered is contained in the programs within a package, the package itself provides:
• A wrapper that dictates where source files are stored on the site server and distribution points
• The schedule the package is updated on the distribution points
• Other settings related to the overall package

Creating One or More Programs for the Package
Within Configuration Manager, programs contain the applications, tools, or commands being delivered to clients. Packages provide a wrapper for the software, dictating how the software is passed between site servers and distribution points. Conversely, programs provide a wrapper for the software, telling the clients how the application needs to interface and run on those computers. Advertisements are used to specify which collections receive the program and the package.

Distributing the Package to Distribution Points for Dissemination
Within Configuration Manager, once a software package has been created with its attendant programs, the package must then be disseminated to distribution points to convey it to clients. The distribution point site role can be configured as a distribution point to support various functions. There is only one site role called distribution point, but you can configure the distribution point to support various functions.


Whether a standard distribution point or a branch distribution point is used, from the software distribution point of view, this software distribution process is done in the same manner.

Creating an Advertisement to Distribute the Programs to Specific Clients at a Given Time
Within Configuration Manager, once a package and its associated programs have been created and distributed to its various distribution points, you need to get it to the clients. Advertisements do this in two ways:
• Alerting clients that the specific package is available for them to download and install
• Providing clients with a path to download and install the package

Additionally, advertisements provide the administrator with a means to push mandatory programs to clients.

Prerequisites for Configuring the Software Distribution Feature to Distribute Applications
Unlike many features of Configuration Manager, software distribution does not have any specific prerequisites beyond a functional installation of Configuration Manager.

Some dependencies exist within the Configuration Manager software distribution feature. The following table lists the dependencies internal to software distribution:

Dependency | Considerations
Software distribution component configuration | Before software packages can be distributed, the software distribution component settings must be configured if necessary.
Advertised Programs Client Agent | The Advertised Programs Client Agent, which manages the software distribution feature's client connection, must be enabled.
Distribution points | Before any packages can be sent to clients, at least one distribution point must be designated. By default, the site server has a distribution point site role enabled during a standard installation. The distribution point must be moved to another site server (or server share) to allow for network traffic. The number and location of distribution points (and for distributed offices, branch distribution points) vary with the specifics of your enterprise.
Collections | Although not specifically internal to software distribution, collections are essential to this feature, as they contain the clients to which the software distribution packages are conveyed. A number of default collections are installed with Configuration Manager, or you can set your own collections to more effectively administer your enterprise.
Package Access Accounts | For clients and administrators to access the packages once they are copied to distribution points, they must have adequate rights to do so. In most cases, the default settings are sufficient, but care must be taken to ensure this in your situation.

Question: What is the purpose of advertisements in the Configuration Manager deployment method?


Software Deployment by Using GPOs

Key Points

Enterprise applications can be deployed through Active Directory Group Policy by creating a Group Policy Object (GPO).

Create Software Distribution Points

To publish or assign a computer program, you must create a distribution point on the publishing server. Follow these steps to create a software distribution point:

1. Log on to the server computer as an administrator.
2. Create a shared network folder to put the Microsoft Windows Installer package (.msi file) that you want to distribute.
3. Set permissions on the share to allow access to the distribution package.
4. Copy or install the package to the distribution point.

Create a GPO for Software Deployment

Group Policy Software Installation is an extension of the Group Policy Object Editor Microsoft Management Console (MMC) snap-in that administrators can use to manage software. Administrators can assign applications to users or computers, or publish applications for users.

To create a Group Policy object (GPO) with the GPMC to use for software package distribution, such as deploying an update for Office, follow these steps:

1. Open Group Policy Management console. Click Start, click Control Panel, click Administrative Tools, and then click Group Policy Management.
2. In the console tree, double-click Group Policy Objects in the forest and domain that contain the GPO that you want to edit. This is located in Forest name, Domains, Domain name, Group Policy Objects.
3. Right-click the GPO you want to modify, and then click Edit. This opens Group Policy Object Editor.
4. In the left pane of Group Policy Object Editor, expand the Computer Configuration tree.
5. In the left pane, expand Software Settings and then select Software Installation.
6. Right-click in the right pane, point to New and then click Package.
7. In the Open dialog box, browse to the network installation point you created and select the Windows Installer (MSI) file in the main product folder of the Office product that you are installing.
8. Click OK.

Group Policy is extensible, allowing you to manage most software applications elements, users, and hardware defined as Group Policy objects. The most basic limitation is that you can use Group Policy to manage only those computers running Windows 2000 or later that are joined to Active Directory domains and only those users logged on to Active Directory through those computers. Other devices and platforms are not supported.

Group Policy’s extensibility is based on the specification for plugging functionality into the policy editor, client-side processing, and the reporting system. These plug-ins are called extensions, and they determine everything that you can manage using Group Policy. Windows 7 ships with extensions, including one for deploying software packages and several for managing security settings.

Assign/Publish a Package

After you create distribution points on the publishing server and create GPOs in the GPMC, you can assign and publish a package. Specifically, you assign a program to computers that are running Windows 7 or to users who are logging on to one of these workstations in the GPMC. In Active Directory Users and Computers, publish a package to computer users and make it available for installation from the Add or Remove Programs tool in Control Panel.

Prerequisites for GPO Software Deployment

After you have created distribution points on publishing servers, create a GPO. Creating a GPO with the GPMC to use for software distribution through Group Policy requires the following elements:

• Group Policy Management Console (GPMC)
• Active Directory
• Client operating system that supports Group Policy
• Software that contains or can be packaged into an MSI file (Group Policy only supports MSI files for deployment)
• Appropriate permissions to the software distribution point

Question: You are tasked with creating a GPO object for Office deployment. Where do you create the GPO for the deployment?


Application Virtualization and TS RemoteApp

Key Points

Application Virtualization (App-V) and RemoteApp are ways applications are made available remotely. App-V decouples applications from the operating system and enables them to run as network services.

App-V and RemoteApp are part of Terminal Services in Windows Server 2008 and provide access to Windows-based programs from almost any location to almost any computing device.

Application Virtualization

App-V can be layered on top of other virtualization technologies—network, storage, machine—to create a fully virtual IT environment where computing resources can be dynamically allocated in real-time based on real-time needs. App-V includes these features:

• Virtualization: Enable applications to run without the need to visit a desktop, laptop, or terminal server.
• Dynamic streaming delivery: Applications are rapidly delivered, when needed, to laptops, desktops, and terminal servers.
• Centralized, policy-based management: Virtual application deployments, hotfixes, updates, and terminations are more easily managed by using policies, and administered through the App-V console.

Virtualized application environments enable each application to bring its own set of configurations and run without any installation within a virtual run-time abstraction layer on the client, so dependencies or effects on the configuration of the operating system are minimized. However, since applications execute locally, they run with full performance, functionality, and access to local services including cut and paste, OLE, printing, network drives, and attached devices.

RemoteApp Process

RemoteApp programs are programs that are accessed remotely through Terminal Services and appear as if they are running on the end user’s local computer. Instead of being presented to the user in the desktop of the remote terminal server, the RemoteApp program is integrated with the client’s desktop, running in its own resizable window with its own entry in the taskbar. Users can run RemoteApp programs side-by-side with their local programs. If a user is running more than one RemoteApp program on the same terminal server, the RemoteApp programs share the same Terminal Services session.

You can use several different methods to deploy RemoteApp programs, such as Terminal Services Web Access (TS Web Access).

Users can access RemoteApp programs in several ways, depending on the deployment method. Users can:

• Access a link to the program on a Web site by using TS Web Access.
• Double-click a Remote Desktop Protocol (.rdp) file that has been created and distributed by their administrator.
• Double-click a program icon on their desktop or Start menu that has been created and distributed by their administrator with a Windows Installer (.msi) package.
• Double-click a file where the file name extension is associated with a RemoteApp program.

The .rdp files and Windows Installer packages contain the settings that are needed to run RemoteApp programs.

Prerequisites for Application Virtualization and RemoteApp

App-V prerequisites are different based upon how it is deployed. It can be deployed with a management server or it can be deployed as an integration with Configuration Manager 2007.

Client Requirements for RemoteApp

To access RemoteApp programs that are deployed as .rdp files or as Windows Installer packages, the client computer must be running Remote Desktop Connection (RDC) 6.0 or 6.1. A supported version of the RDC client is included with Windows Server 2008 and Windows 7.

To access RemoteApp programs through TS Web Access, the client computer must be running RDC 6.1. This version is included with the following operating systems:

• Windows Server 2008
• Windows 7
• Windows Vista® with Service Pack 1 (SP1)
• Windows XP with Service Pack 3 (SP3)

Question: How does application virtualization affect application access?


Comparing the Application Deployment Methods

Key Points

Choosing the right deployment method is an important task when preparing to deploy an application. Use the table to compare the following deployment methods:

• Configuration Manager
• Group Policy
• Application Virtualization
• RemoteApp

When selecting a deployment method, keep in mind the hardware and software requirements of each technology in addition to system dependencies. These topics have been discussed throughout this course. The following information provides additional deployment method details that you can use to contrast the methods.

Configuration Manager

Unlike the other deployment methods, with Configuration Manager 2007, you can perform ALL of the following tasks:

• Collect hardware and software inventory
• Distribute and install software applications
• Distribute and install software updates such as security fixes
• Deploy operating systems
• Specify configurations for one or more computers and monitor adherence to that configuration
• Meter software usage
• Remotely control computers to provide troubleshooting support

Additionally, you can use Configuration Manager 2007 with the Network Policy Server on Windows Server 2008 to prevent specific computers from accessing the network if they do not meet specified requirements.

Group Policy

Group Policy-based deployments are well suited to department-level deployments instead of enterprise-wide deployments. This is because some limitations apply to the technology that might affect your decision to use it for large scale deployments. For example, the way in which deployed applications are sent over the network can also be a limitation.

With Configuration Manager, you can schedule application deployment and use multicasting. These capabilities are not as readily available or easily configured when performing a Group Policy-based Installation deployment. Also, remember that it is not possible to use Setup.exe in a Group Policy deployment scenario.

Note: If you manage large numbers of clients in a complex environment, consider using Configuration Manager instead of Group Policy Software Installation to install and maintain the 2007 Office release. Configuration Manager offers more sophisticated functionality, including inventory, scheduling, and reporting features.

You are also limited in the amount of customization that you can do with the Group Policy Software Installation method, whereas Configuration Manager uses the standard Setup.exe installation engine which provides full customization advantages.

Application Virtualization

Similar to Configuration Manager, App-V includes capabilities designed to help IT support large-scale virtualization implementations across many sites. These include:

• Multiple delivery options
• Support for 11 new languages
• Dynamic Suite Composition (DSC) for administrator-controlled virtual application communication and interaction
• Compliance with Microsoft’s Trustworthy Computing and Secure by Default initiatives
• Integration with Microsoft System Center Management products and infrastructure updates through Windows Update

App-V’s main advantage is that it can help solve business challenges in the following ways:

• Centralized management and scalable infrastructure
• Readily accessible applications
• Simplify application deployment and reduce end user interruptions
• Dynamic application virtualization

Unlike Configuration Manager, App-V does not include a means to collect hardware and software inventories.


RemoteApp

Similar to App-V, RemoteApp programs are programs that are accessed remotely. In this case, they are accessed through Terminal Services and appear as if they are running on the end user’s local computer.

The major benefits of TS RemoteApp are that it can reduce complexity and reduce administrative overhead in many situations, including:

• Branch offices where there may be limited local IT support and limited network bandwidth.
• Situations where users need to access applications remotely.
• Deployment of line-of-business (LOB) applications.
• Environments, such as “hot desk” or “hoteling” workspaces, where users do not have assigned computers.
• Deployment of multiple versions of an application, particularly if installing multiple versions locally will cause conflicts.

Similar to App-V, RemoteApp does not provide functionality to collect hardware and software inventories.


Considerations for Using Different Types of Application Installation File Formats

Key Points

Before you start the software distribution process, determine which installation file format to use for each new application, hotfix, or upgrade.

Considerations for .EXE Files

Setup.exe is a common file type, but is not used in some deployment scenarios such as Group Policy.

Considerations for MSI – Preferred Installer Package

An installation package contains all of the information that the Windows Installer requires to install or uninstall an application or product and to run the setup user interface. Each installation package includes an .msi file that contains:

• An installation database
• A summary information stream
• Data streams for various parts of the installation

The .msi file can also contain one or more transforms, internal source files, and external source files or cabinet files required by the installation.

Application developers must author an installation to use the installer. The installer organizes installations around the concept of elements and features and stores all information about the installation in a relational database. The process of authoring an installation package broadly entails the following steps:

• Identify the features to be presented to users
• Organize the application into components
• Populate the installation database with information
• Validate the installation package

If the application you are installing includes a built-in .msi package, deploy the software as-is or customize it further. Re-authoring the setup program to include a native .msi is not recommended except for expert Windows Installer package authors.

Considerations for MSP Patches

Administrators can use the Office Customization Tool (OCT) to deploy multiple customization patches (MSP files) to configure the Office system. Administrators can create a basic customization patch (MSP), and this initial MSP can be used to create another customization patch that includes all the settings in the original MSP and additional applications and modified settings. The second MSP can be applied to a new set of users or to existing installations.

This approach is useful in phased deployments or in cases where you are deploying a standard core configuration with variations for different departments in your organization.

Considerations for MST – Transformation Files

A Windows Installer transform (.mst) file provides configuration settings for a customized Office installation.

A transform file contains information about components, features, setup properties, and changes to use to customize an Office installation. For example, if there are groups of computers in your organization that all require Microsoft® Office Word and Microsoft Office Excel® to be installed locally, but Microsoft Office Access® and Microsoft Office PowerPoint® are set to install on demand, you can use a single transform file to configure the installation state you want for that entire collection.

Once you have set the properties, save the changes in a custom transform (.MST) file that customizes Windows Installer execution when you supply it on the Office Setup command line.

Considerations for ZAP – Alternate Packaging Technology

A .zap file is a text file, similar to an .ini file, which contains instructions that allow Windows to publish an application (Setup.exe) for users to install by using Add or Remove Programs in Control Panel. To publish applications that do not install by using Windows Installer, create a .zap file; copy the .zap file to the software distribution point servers, and then use Group Policy-based software deployment to publish the application for users. You cannot use .zap files for assigned applications.
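Because a .zap file names the command that clients will run, it is worth checking before it is copied to a distribution point. The following added example (not part of the original courseware) parses a constructed sample .zap file and checks its required entries and the server named in SetupCommand; the server name dist01, the application details, and the list of approved servers are assumptions made for illustration.

```python
import configparser
import re

# Constructed sample .zap file (server, share and application names are made up).
SAMPLE_ZAP = r'''
[Application]
; FriendlyName and SetupCommand are the two required entries.
FriendlyName = "Contoso Expense Tool"
SetupCommand = "\\dist01\apps\expense tool\setup.exe" /quiet
DisplayVersion = 2.1
Publisher = Contoso Ltd.

[Ext]
; File name extensions associated with the published application.
EXP=
'''

REQUIRED_KEYS = ("FriendlyName", "SetupCommand")


def setup_target(command):
    """Return the program path from a SetupCommand value, without its arguments."""
    command = command.strip()
    if command.startswith('"'):
        # Quoted path (needed when the path contains spaces): take up to the closing quote.
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split(None, 1)[0] if command else ""


def unc_server(path):
    """Return the lower-cased server name of a UNC path, or None if it is not UNC."""
    match = re.match(r"^\\\\([^\\/]+)\\[^\\/]+", path)
    return match.group(1).lower() if match else None


def check_zap(text, allowed_servers):
    """Return a list of findings for one .zap file; an empty list means none."""
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(text)
    except configparser.Error as exc:
        return ["not parseable as a .zap file: " + type(exc).__name__]
    if not parser.has_section("Application"):
        return ["missing [Application] section"]

    app = parser["Application"]
    findings = []
    for key in REQUIRED_KEYS:
        if not app.get(key, "").strip().strip('"').strip():
            findings.append("missing required entry " + key)

    target = setup_target(app.get("SetupCommand", ""))
    # Assumption: approved distribution servers are listed by the exact name used in the path.
    allowed = {name.lower() for name in allowed_servers}
    server = unc_server(target)
    if re.match(r"^[A-Za-z]:[\\/]", target):
        # A drive-letter path does not name a distribution point share.
        findings.append("SetupCommand uses a local drive path: " + target)
    elif server is not None and server not in allowed:
        findings.append("SetupCommand points to an unapproved server: " + server)
    # Anything else (for example a bare setup.exe) is not judged here.
    return findings


if __name__ == "__main__":
    for finding in check_zap(SAMPLE_ZAP, {"dist01"}) or ["no findings"]:
        print(finding)
```

Server names are compared literally, so a fully qualified name and a short name for the same server count as different entries in the approved list.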


Lab A: Determining the Application Deployment Method

Exercise 1: Determining the Application Deployment Method

Scenario

You are the team lead for the Windows 7 deployment project at Contoso Ltd. Adam Carter, the IT Manager of the Marketing department, has asked you to determine the most effective method for deploying several applications to the members of the department.

Adam has sent an email to you describing some of his thoughts and requirements for the application deployment method.

The main tasks for this exercise are as follows:

1. Read the supporting documentation.
2. Update the Application Deployment Worksheet.

Supporting Documentation

E-Mail from Adam Carter:

Ed Meadows
From: Adam Carter [Adam@contoso.com]
Sent: 01 Sept 2009 10:05
To: ed@contoso.com
Subject: Re: Application Deployment for the Marketing Department

Hi Ed,

Along with the Windows 7 deployment, the Marketing department has a number of application requirements. I know that there are a number of options for providing these applications. I need you to determine the most appropriate method. I have outlined a list of requirements for you to assist in your planning. I am also providing a worksheet for you to fill out that will help organize and document your decisions. Here is the list of comments and requirements:

• All members of the Marketing department need to have Microsoft Office 2007 Professional Plus installed on their workstations. We have a network installation point already set up in the department, and so we want to be able to maintain full control of the customization and deployment processes for this application.
• All members of the Marketing department need to have Adobe Reader installed on their workstations. This is actually an organization-wide policy and so you have to consider the best method to deploy this throughout the entire company.
• Several users have reported that they use customized templates that required Office 2003. I want them all upgraded to the 2007 Office system, however you need to think of a way that we can still provide Office 2003 to these users for when they need it.
• Contoso has an Active Directory domain.
• Contoso has deployed Configuration Manager 2007, although it is currently only used for inventory reports. We do not administer the Configuration Manager 2007 environment.

If you have any questions please let me know.

Regards
Adam.

Application Deployment Worksheet

Document Reference Number: AD2009

Document Author: Ed Meadows

Requirement Overview

Determine the most appropriate method for deploying corporate and departmental applications.

Questions

1. Does the current infrastructure support any automated deployment methods?
2. What are the advantages and disadvantages of the current deployment options available to Contoso?
3. Based upon Adam’s requirements, which method should you consider to deploy the 2007 Office system?
4. Based upon Adam’s requirements, which method should you consider to deploy Adobe Reader?
5. What can you do to ensure that Office 2003 is still available for users that require the use of the customized templates?

Task 1: Read the supporting documentation
• Read the scenario and supporting documentation.

Task 2: Update the Application Deployment Worksheet
• Answer the questions on the Application Deployment Worksheet.

Results: After this exercise, you have evaluated the most appropriate methods to deploy applications for the Marketing department.


Lesson 2
Deploying the 2007 Microsoft Office System

The 2007 Office system setup architecture has changed significantly from that of previous versions of Office. The requirement of a local installation source, in addition to a more streamlined setup and customization process, helps to ensure an efficient and reliable deployment. This lesson explains the benefits and considerations for using and deploying the local installation source in addition to the general setup sequence of events for the 2007 Office system.


The 2007 Office System Deployment Process

Key Points

The 2007 Office system deployment process must follow specific milestones that integrate with overall deployment milestones and objectives.

Planning Phase

During the planning phase, the team must look at all the locations and departments whose computers will be upgraded and decide in which order the upgrades occur.

High level steps for this phase:

• Determine Microsoft Office application installation requirements: Work with the organization’s SMEs and develop a plan that specifies which 2007 Office system programs are deployed and which settings are configured as part of a 2007 Office system deployment.
• Create a data migration plan: The Microsoft Office deployment team inventories existing Microsoft Office System data and develops a plan to migrate data to the new applications.
• Choose a thick or thin image deployment plan: In cooperation with the computer imaging system feature team, decide whether Microsoft Office will be deployed as part of the desktop image (thick image) or after operating system image deployment (thin image).

Office Migration Planning Manager

The Office Migration Planning Manager is a command-line tool with which desktop administrators scan any client computer, file server, Microsoft® Office SharePoint® Server 2007 computer, or any other Web-based Distributed Authoring and Versioning (WebDAV)-enabled document library. The Office Migration Planning Manager takes an inventory of all Microsoft Office system files and determines their properties. Known issues are identified within those files so that they can be addressed before they are opened with or converted to the Microsoft Office system.


Developing Phase

During this phase, determine if the software installation point is available. Use Distributed File System (DFS) as a backup or use multiple installation points as discussed in the OCT customization.

High level steps for this phase include:

• Configure Microsoft Office deployment and customization
• Integrate the Microsoft Office deployment with Configuration Manager

Office Customization Tool

Use the Office Customization Tool (OCT) to define 2007 Office system features, user settings, and security settings for use during 2007 Office system installation. Use the OCT to save settings by application or group of applications. This feature is particularly useful when staging the deployment.

Config.xml File

The Config.xml file is used to configure installation tasks and is used only while running Setup; it is not installed or cached on users’ computers. Administrators can edit the Config.xml file to customize the installation. By default, the Config.xml file that is stored in the core product folders (core_product_folder_name.WW folder, for example, Enterprise.WW or Pro.WW) directs Setup to install that product.

You use the Config.xml file to perform the following installation tasks:

• Specifying the path to the network installation point
• Selecting which product to install
• Customizing Setup options such as logging and the location of the Setup customization file and software updates
• Setting installation options such as user and company name
• Copying the local installation source (LIS) to the user’s computer without installing Office
• Adding or removing languages from the installation

The Config.xml file can also be used for maintenance operations such as adding or removing features, and repairs and uninstalls. To do this, administrators must rerun Setup.exe from the original source. The Config.xml is required to customize an installation that you deploy with Group Policy Software Installation.

Creating Network and Local Installation Points

Typically, the first step in a corporate deployment of the Office system is to create a network installation point. To do this, copy all the source files from the Office CD to a shared location on the network. Users run Setup from the network installation point or you use the installation point as a starting place to create a hard-disk image, a custom CD, or to distribute Office by using a deployment tool such as Group Policy or Configuration Manager.

After Office is installed, users do not typically need to rely on the network source for tasks such as updating, modifying, or reinstalling Office. Setup automatically creates a local installation source on each user’s computer. If the local source is corrupted or deleted, however, Setup returns to the original network source to recreate the local source on the user’s computer.

Replicating the network source to multiple locations is recommended for the following reasons:

• Availability
• Proximity to users
• Consistency
• Flexibility

Stabilizing Phase

The high level step for this phase is to test Microsoft Office installation as part of the overall desktop deployment process, resolving any issues that arise during this phase.

Divide the testing tasks by functional area and perform testing on a variety of hardware that represents the hardware present throughout the organization. Document all test results for review.

When you are satisfied that the Office system installation is working as planned, the 2007 Office system package is ready for pilot testing. During this phase, focus on quickly resolving issues found in the customized installations.

Test Existing Macros, Databases, and Add-ins Used in Production with the 2007 Office System

Testers should follow the test plan to identify issues for other members of the team to resolve. Use the issue-tracking procedures created during the planning phase to document issues.

Create and Finalize User Training

Factors that may influence how training is carried out include user knowledge, time, budget, and availability of skilled trainers and people to develop training. The organization’s culture and type of business may dictate particular training vehicles, the duration, or technical level of training.

Consider the following options when creating your training plan:

• Hands-on training, in which the user learns the software by using it
• Presentation-style training, in which the user takes classes in using the software
• Computer-based training (CBT) or Web-based training (WBT), in which special training software educates the user
• One-on-one training
• Job aids or handouts

When designing training for IT staff, consider whether they must understand the entire unattended installation process or just portions of it and whether they need to understand how to return a computer to the baseline configuration. The documents the team creates as part of the functional specification can be invaluable teaching aids for IT staff.

Monitoring Phase

After the initial deployment is complete, the project is transitioned from the deployment feature team to IT operations. The IT operations group is responsible for ongoing computer maintenance and support. This process is typically well-structured and formal, and documentation, knowledge, and other materials are formally transferred from one group to another.

High level steps for this phase include:

• Monitor the 2007 Office system deployment
• Manage Microsoft Office system data conversions


Monitor Deployments

Software update deployments in Configuration Manager 2007 can be best monitored by using the built-in software updates reports. These reports are in the Software Updates - C. Deployment States category in the Reports console tree node.

There are two main phases for a deployment:
• Evaluation phase: Includes when client computers determine whether the software updates in the deployment are required.
• Enforcement phase: Includes when client computers report the compliance state for the deployment.

To monitor client evaluation for software update deployments, the following reports must be used:
• States 2 – Evaluation state for a deployment
• States 4 – Computers in a specific state for a deployment
• States 7 – Error status messages for a computer

To monitor client enforcement for software update deployments, three main reports must be used:
• States 1 – Enforcement states for a deployment report
• States 4 – Computers in a specific state for a deployment
• States 7 – Error status messages for a computer

Monitor Data Conversion to New File Formats

While the best way to minimize compatibility issues is to standardize your environment on a single file format, many organizations need to deploy the 2007 Office system in a phased rollout, or need to collaborate with other companies. For this reason, Office Excel 2007, Office Word 2007, and Office PowerPoint 2007 contain features to ensure compatibility with previous versions of the Microsoft Office system. Use the Microsoft Office Compatibility Pack to allow backward compatibility so previous versions of Office can open and save files in the new file format. In addition, the openness of the new file format makes it more compatible with non-Office programs.


Demonstration: Using the Office Customization Tool

Key Points

The OCT is used to customize the installation process and provide a standard default configuration of the product for all users. Using the OCT, you can specify a number of properties or actions including the following:
• Choose the 2007 Office system installation location
• Specify whether to remove earlier versions
• Set feature installation states
• Configure default application settings
• Add custom files, registry entries, and shortcuts
• Specify Office security settings
• Customize the default Office Outlook profile

Use the OCT to provide customization settings for Office and then save the customizations in a Setup customization file (MSP file). You can then place the file in the Updates folder on the network installation point. Customizations are applied from this location. If you put the customization file somewhere other than the Updates folder, you can use the Setup command-line option /adminfile to specify the fully qualified path to the file.

The Setup customization file is also used to modify an existing installation. Because a Setup customization file is an expanded form of a Windows Installer MSP file, apply the customization file to the user’s computer just as you do for a software update, and the user’s existing Office installation is updated with the modifications.

Demonstration Steps

This demonstration introduces the Office Customization Tool.


Overview of the Office Customization Tool Setup Category

1. Start the Office Customization Tool (OCT) using the Start menu and launch the OCT setup file to create a new customization file for the Microsoft Office Professional Plus 2007 product. If you have multiple products available on the network installation point, each customizable product is listed. If you have an existing Setup customization file to modify, you can select it from this dialog box.

2. The left-hand console pane displays four main sections:
   • Setup: Provides a number of options related to general setup of the Office system.
   • Features: Use to configure user settings and to select the Office features that are to be installed.
   • Additional content: Provides options for adding or removing custom files and registry entries during the installation.
   • Outlook: Use to customize the default Microsoft Office Outlook® 2007 profile and set Office Outlook 2007 and Microsoft Exchange Server 2007 options.

3. In the left-hand pane of the OCT, use the Install location and organization name option to specify the default folder in which to install Microsoft Office on the user’s computer. The default setting is to have it install in the Program Files folder. This option is recognized only when you first install Office on a user’s computer; you cannot change the installation path without uninstalling and reinstalling Office.

4. Specify an Organization name. This name appears in the About box (Help menu) and on the banner pages of Office applications.

5. Use the Additional network sources setting to specify additional servers that have a copy of the network installation point. Setup looks for servers in this list, in the order specified, if it is installing a feature on demand or repairing Office and the original network installation point is unavailable.

6. Use the Licensing and user interface setting to enter the product key and accept the end-user license agreement (EULA) on behalf of each user who installs Office with this Setup customization file. You can also use this setting to select how the user interface is displayed during installation. The options include:
   • Full (default): Setup displays all of the user interface and messages.
   • Basic: Setup displays the Welcome screen, prompts for the product key and end-user license agreement (if needed), and displays a progress bar and the completion notice.
   • None: Setup runs quietly, which means that it does not display any user interface or messages.

   The Completion notice option provides the ability to enable or disable the display of a message to the user when installation is complete.

   Select the Suppress Modal option if you do not want Setup to display error messages and other dialog boxes that might interrupt the installation. If you set Display level to Full, error messages and other dialog boxes are displayed regardless of the state of this check box.

   Select the No cancel option if you want to disable the cancel button on the progress dialog box. This applies only if Display level is set to Full or Basic.

7. The Remove previous installations option allows you to specify which previous versions of Microsoft Office programs to keep or remove.

8. The Add installation and run programs option enables you to run additional programs before or after the Office installation is complete. A program file can have one of the following extensions: .exe, .com, .bat, .scr, or .msi.

9. The Office security settings option is used to configure security settings such as trusted sources for digitally signed macros, add-ins, Microsoft ActiveX® controls, and other executable code. You can also configure a list of trusted locations from which any file can be opened without being checked by the Trust Center security feature.

10. The Modify Setup properties option provides the ability to set properties to be applied during the Office installation. You can customize Setup properties only when you first install Office on a user’s computer; properties configured in a setup customization file do not take effect if you apply the file to an existing installation. The following properties can be used when you customize a 2007 Office release installation:
   • HIDEUPDATEUI: If set to True, hides the Check for Updates button on the completion dialog. This property is ignored if the completion dialog is not displayed. The default value is False.
   • PRIMARYFOLDER: Designates a primary folder for the installation.
   • ROOTDRIVE: Specifies the default drive for the destination folder of the installation. The value for this property must end with ‘\’.
   • SETUP_REBOOT: Determines how Setup restarts the computer after installation.
      • AutoAlways: Always initiate a reboot. Do not prompt the user.
      • Always: Always prompt for a reboot at the end of setup.
      • IfNeeded: Prompt for a reboot at the end of setup if setup requires a reboot. (Default).
      • AutoIfNeeded: Initiate a reboot if setup requires a reboot. Do not prompt the user.
      • Never: Never initiate or prompt for a restart.

Overview of the Office Customization Tool Features Category

1. In the left-hand pane, use the Modify user settings option to specify the default values of Office application settings for users who install Office with this customization file. The Show All Settings option displays all available user settings. The Show Configured Settings option displays only those settings that you have configured.

2. Use the Places Bar Locations setting to configure specific save locations to be available on the Places bar in the Microsoft Office applications. This option allows you to configure custom settings for the installation.

3. Use the Set feature installation states setting to customize how the 2007 Office release features are installed on the user’s computer. Options include:
   • Run from My Computer: Setup copies files and writes registry entries and shortcuts associated with the feature to the user’s hard disk and the application or feature runs locally.
   • Run All from My Computer: This is the same as Run from My Computer, except that all child features belonging to the feature are also set to this state.
   • Installed on First Use: Setup leaves components for the feature and all its child features on the installation source until the user attempts to use the feature for the first time, at which time the components are copied to the local hard disk. This is also known as an advertised feature.
   • Not Available: The components for the feature and all of the child features belonging to this feature are not installed on the computer.
   • Hidden: Setup does not display the feature in the feature tree during installation if Setup is run interactively. The feature is not hidden when Setup is run in maintenance mode after Office is installed.


     The best use of this setting is to simplify the feature tree for users. For example, you might hide the Office Tools branch of the feature tree so that users do not have to decide which tools they need; only the tools that you select are installed.
   • Locked: The installation state you choose for this feature cannot be changed by the user during installation or in maintenance mode after Office is installed.
   • Reset: The feature is returned to its default installation state.

Overview of the Office Customization Tool Additional Content Category

1. In the left-hand pane, the Add files and Remove files sections are used to add or remove files to users’ computers when Office is installed. When you add files to an Office installation, the files are copied into the Setup customization file when you save the customization file and exit the OCT. Large files increase the size of the Setup customization file.

2. The Add registry entries and Remove registry entries sections are used to add, modify, or remove registry entries on users’ computers when Office is installed.

3. Use Configure shortcuts to modify or remove default shortcuts for installed Office applications and to add shortcuts to any files installed with the 2007 Office release or already on the user’s computer. You can configure shortcuts only when you first install Office on a user’s computer; this option is ignored if you apply the Setup customization file to an existing installation.

Overview of the Office Customization Tool Outlook Category

1. In the left-hand pane, use Outlook profiles to customize a user’s default Office Outlook profile. Options include:
   • Use existing profile: Use the profile already configured on the user’s computer or prompt the user to create a profile the first time Office Outlook is started. Choosing this option disables the other Office Outlook sections of the OCT.
   • Modify profile: Modify the default profile on the user’s computer, or define changes to existing profiles located on the local computer. If no default profile exists or there is no profile by the name that you specify, Office Outlook creates a profile based on the options you choose in the other Office Outlook sections of the OCT. Office Outlook uses the default profile name (Outlook) or uses the profile name you have specified.
   • New profile: Create a new profile on the user’s computer and make it the default profile; any existing profiles are not removed and remain available to users. You must type a name in the Profile name box. This name appears in the E-mail Accounts dialog box in Office Outlook. Office Outlook creates the profile based on the options you choose in the other Office Outlook sections of the OCT.
   • Apply PRF: Import an Office Outlook profile file (PRF file) to create a new default profile. Selecting this option disables the other Office Outlook sections of the OCT but does not update the OCT with the settings in the PRF file.
     You can use any profile created for Office Outlook 2007. Type a name and path for the profile in the Apply the Following Profile (PRF File) box. If you created a PRF file for a previous version of Office Outlook, you can import it to Office Outlook 2007, provided that the profile uses only MAPI services.

2. When using the Modify Profile setting, only new or modified default profiles can have Exchange settings configured in the next section.


3. Use the Specify Exchange Server settings option to configure an Exchange Server connection for new or existing profiles. You can also configure the default behavior for Cached Exchange Mode, which is used to create a local cached copy of your Outlook profile on your workstation.

4. Use the Add accounts option to include new Office Outlook e-mail accounts in the user’s profile.

5. Use the Remove accounts & export settings option to remove existing Lotus cc:Mail or Microsoft Mail accounts. This option is also used to export Office Outlook settings to a PRF file.

6. Use Specify Send/Receive groups to set up Send/Receive groups for Exchange accounts and folders and specify the tasks that are performed on each group during a Send/Receive operation in Office Outlook. A Send/Receive group contains a collection of Office Outlook accounts and folders. You can specify different options for Send/Receive groups for when Office Outlook is online and offline.

7. Save the changes. The file is saved in the Updates folder with an MSP file extension. When Office is installed from this network installation point, the MSP file is automatically applied.

Question: You need to customize your Microsoft Office installation so that it does not install Microsoft Office Publisher. Which Office Customization Tool category do you configure?
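Step 9 of the Setup category lets a customization file add trusted locations, from which files open without Trust Center checks. The following PowerShell audit is an added example, not part of the courseware; it assumes the standard Office 2007 (version 12.0) registry layout in the current user's hive, and the sample row is constructed to mirror the lab's \\LON-DC1\Data setting.

```powershell
# Added example (not from the courseware): list Office 2007 trusted locations
# and flag the ones that widen what opens without Trust Center checks.
# Assumption: standard Office 12.0 registry layout in the current user's hive.

$apps  = 'Word', 'Excel', 'PowerPoint', 'Access'
$roots = @{
    User   = 'HKCU:\Software\Microsoft\Office\12.0'
    Policy = 'HKCU:\Software\Policies\Microsoft\Office\12.0'
}

function Get-TrustedLocationRisk {
    # Return the reasons one trusted location deserves review ('' if none).
    param(
        [string]$Path,
        [bool]$AllowSubFolders
    )
    $reasons = @()
    if ($Path -match '^(\\\\|https?://)') { $reasons += 'network path' }
    if ($AllowSubFolders)                 { $reasons += 'all subfolders trusted' }
    return ($reasons -join '; ')
}

function Get-OfficeTrustedLocation {
    # Enumerate the Location subkeys of each application in both hives.
    foreach ($source in $roots.Keys) {
        foreach ($app in $apps) {
            $key = "$($roots[$source])\$app\Security\Trusted Locations"
            if (-not (Test-Path -LiteralPath $key)) { continue }

            # AllowNetworkLocations on the parent key controls whether
            # locations that are not on the local computer are honoured.
            $netOn = [bool](Get-ItemProperty -LiteralPath $key).AllowNetworkLocations

            foreach ($loc in Get-ChildItem -LiteralPath $key) {
                $values = Get-ItemProperty -LiteralPath $loc.PSPath
                if (-not $values.Path) { continue }
                New-Object PSObject -Property @{
                    Source          = $source
                    Application     = $app
                    Path            = $values.Path
                    AllowSubFolders = [bool]$values.AllowSubFolders
                    NetworkAllowed  = $netOn
                }
            }
        }
    }
}

# Constructed sample mirroring the lab requirement (\\LON-DC1\Data and all
# subfolders), appended so the report shows a flagged row on any machine.
$sample = New-Object PSObject -Property @{
    Source          = 'Constructed'
    Application     = 'Word'
    Path            = '\\LON-DC1\Data'
    AllowSubFolders = $true
    NetworkAllowed  = $true
}

$report = (@(Get-OfficeTrustedLocation) + $sample) |
    Select-Object Source, Application, Path, AllowSubFolders, NetworkAllowed,
        @{ Name = 'Review'; Expression = { Get-TrustedLocationRisk $_.Path $_.AllowSubFolders } }

# Show only the entries that need a second look.
$report | Where-Object { $_.Review } | Format-Table -AutoSize
```

Anyone who can write to a flagged share can place a document there that opens without Trust Center checks, so review the write permissions on each network path the report lists.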


Methods to Deploy the 2007 Office System

Key Points

The method used to deploy the 2007 Office release throughout your organization depends upon many factors. These factors include the size of the organization and the current infrastructure management style used within the organization. A specific infrastructure level ensures that the appropriate prerequisites are in place so you can perform your chosen deployment method.

Precache or Local Installation Source

This type of deployment minimizes the demand on the network by deploying the local installation source as a separate installation task. Using the usual method for running Setup on users’ computers, you can distribute the local installation source to one group of users at a time. Once all users have a precached source, you can have everyone run Setup to install Office at the same time. In this scenario, most of the installation activity takes place on the local computer instead of over the network.

The following steps describe at a high level how to precache the local installation source:
1. On the network installation point, open the Config.xml file.
2. Find the element and then uncomment the line.
3. Set the attribute to CacheOnly.
4. Save the Config.xml file and then run Setup.exe on the users’ computers. Specify the path to the modified Config.xml file.

The local installation source provides a number of benefits for users and administrators:
• Minimizes the impact on the network


• Eliminates the need to connect to a source CD or network location during maintenance tasks
• Provides efficient installation options for traveling users or users with slow or intermittent network connections
• Makes the process of distributing software updates more efficient

Network Installation Point

The network installation point is created by copying the compressed installation files from the source media to a network share available on the server. Use the installation point as a starting place to create a hard-disk image or a custom CD or to distribute Office by using a deployment tool such as Configuration Manager.

The amount of space required on the network installation point varies by product and by language. The installation point contains only one copy of the language-neutral core product. Each language that you add requires additional space only for the language-specific components.

In most enterprise organizations, after Office is installed, users do not typically need to rely on the network source for tasks such as updating, modifying, or reinstalling Office. Setup automatically creates a local installation source on each user’s computer. If the local source is corrupted or deleted, however, Setup returns to the original network source to recreate the local source on the user’s computer.

Replicating the network source to multiple locations is recommended for the following reasons:
• Availability
• Proximity to users
• Consistency
• Flexibility

Group Policy Objects

Organizations that have Active Directory can use Group Policy Software Installation to assign the Office system products to computers located within a specific site, domain, or OU. Group Policy Software Installation is a good choice for the following scenarios:
• A small-sized to medium-sized organization that has deployed an Active Directory infrastructure.
• Organizations or departments located within a single geographical area.
• Organizations that have standardized on hardware and software configurations on client and server computer systems.

The 2007 Office release contains a number of Microsoft Installer (MSI) files that work together to represent a complete installation. Assign the 2007 Office system by assigning only the main product MSI file. After the computer restarts, the MSI file is accessed and a Windows Installer Custom Action recognizes that Office is deploying using the Group Policy method. The additional MSI and support files are retrieved and the complete product is installed.

Group Policy Software Installation has a number of limitations on the installation options that you can customize during deployment of the 2007 Office release:
• Difficulties with scheduling installation, consistently managing network bandwidth, and providing feedback on the status of the installation.
• Some difficulties might occur during Group Policy Software Installation deployment of the 2007 Office system to more than 200 computers simultaneously; this depends largely on network bandwidth availability.


• All customizations must be made in the Config.xml file. Setup does not apply Setup customization files that you create using the OCT.
• The customized Config.xml file must be located in the main product folder of the product you are installing.
• You can customize only the following Config.xml elements: INSTALLLOCATION, OptionState, PIDKEY, AddLanguage, and RemoveLanguage.
• Group Policy Software Installation can only be used for per-computer installations for the 2007 Office system.
• It is not possible to use the Updates folder to apply security updates or service packs for initial deployment of the GPO.

Configuration Manager 2007

Organizations that maintain a rationalized or dynamic IT environment may have the prerequisites in place to implement a Zero Touch deployment of the 2007 Office system. Those that maintain a standardized or rationalized IT environment may implement a Lite Touch deployment of the 2007 Office system.

One of the main prerequisites for this type of deployment is the implementation of a Configuration Manager infrastructure and the processes in place to configure and deploy Microsoft Office. The following can be done with Configuration Manager:
• Provide a distribution point that Setup can use to begin the installation process
• Prestage the local installation source (LIS) and then execute Setup
• Prestage the LIS and execute Setup as a separate task

Question: List some reasons why you might choose to precache the local installation source during a 2007 Office system deployment.

Question: List two methods that can be used to precache the local installation source.
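The precache steps listed under "Precache or Local Installation Source" can be scripted. The following PowerShell sketch is an added example, not part of the courseware; the element and attribute names it uses, LIS and CACHEACTION, come from the Office 2007 Config.xml schema rather than from this page, and the sample file content and output location are constructed.

```powershell
# Added example (not from the courseware): switch a Config.xml to precache-only.
# Assumptions: the LIS element and CACHEACTION attribute names come from the
# Office 2007 Config.xml schema; the sample content and output path are constructed.

# Constructed sample of a Config.xml with its optional lines commented out.
$sampleConfig = @'
<Configuration Product="ProPlus">
  <!-- <Display Level="full" CompletionNotice="yes" SuppressModal="no" AcceptEula="no" /> -->
  <!-- <LIS CACHEACTION="CacheOnly" /> -->
</Configuration>
'@

function Enable-OfficePrecache {
    # Takes the text of a Config.xml and returns the text with precaching enabled.
    param([Parameter(Mandatory = $true)][string]$ConfigText)

    # Step 2: uncomment the LIS line, leaving every other commented line alone.
    $text = [regex]::Replace($ConfigText, '<!--\s*(<LIS\b[^>]*/>)\s*-->', '$1')

    # Loading the result as XML rejects a file that is not well-formed
    # before it reaches any client.
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $xml.LoadXml($text)

    $lis = $xml.DocumentElement.SelectSingleNode('LIS')
    if (-not $lis) {
        # The file had no LIS line at all: add one rather than failing.
        $lis = $xml.CreateElement('LIS')
        [void]$xml.DocumentElement.AppendChild($lis)
    }

    # Step 3: cache the installation source only.
    $lis.SetAttribute('CACHEACTION', 'CacheOnly')
    return $xml.OuterXml
}

# Work on a copy so the Config.xml on the installation point stays untouched.
$precacheXml = Enable-OfficePrecache -ConfigText $sampleConfig
$out = Join-Path ([IO.Path]::GetTempPath()) 'Config.precache.xml'
Set-Content -LiteralPath $out -Value $precacheXml -Encoding UTF8

# Step 4: the command line to run on each user's computer. The share is the
# lab's installation point; in a real rollout the modified file would sit on
# a path the clients can read instead of a local temp folder.
"\\LON-DC1\Labfiles\Office2007\setup.exe /config `"$out`""
```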


Troubleshooting a 2007 Office System Deployment

Key Points

Issues may occur throughout the deployment of Office.

Activation Issues

When you try to activate a 2007 Office product, you may experience one of the following symptoms:
• You receive the following error message: Your software cannot be activated because the Product Key you installed with is not valid. Please uninstall the software and reinstall it using a valid Product Key.
• Activation fails: Additionally, you receive a message that states that you have reached the limit of computers on which you can activate the Office product.
• When you start an Office product that worked correctly in the past, you receive an error message: The error message states that significant changes were made to the computer’s configuration.

Use the following methods to resolve these issues:
• Verify that the time and date settings are correct on the computer.
• Determine whether you are running a trial version of a 2007 Office product.
• Delete the Opa12.dat file. Do not delete the Opa12.bak file.
• Check the Internet connection.

Multilanguage Issues

The following Multilanguage problems may occur:

Some Features Still Appear in English in Microsoft Excel when the MUI is Installed

When you use Excel with the Multilingual User Interface (MUI), the following features still appear in English:


• Add-ins
• Samples
• Templates
• Microsoft Visual Basic® for Applications (VBA) Help

This behavior occurs because of a limitation in the design of the MUI feature. To work around this behavior, obtain a localized version of Office. Because not all features have plug-in language capability, Office is localized in many languages for people who want to use all Office features in their own language.

The Office 2003 MUI is not Removed when Upgrading to the 2007 Office Language Pack

When you try to upgrade the Microsoft Office 2003 Multilanguage User Interface Pack (MUI) to the Microsoft Office 2007 Language Pack, the following symptoms may occur:
• The Upgrade button is unavailable in the 2007 Office Setup program. Instead, the Install Now button is available.
• The Upgrade tab is unavailable if you perform a custom installation.
• The Office 2003 MUI is not removed when you install the Office 2007 Language Pack.

To work around this issue, use one of the following methods:
• Remove the Office 2003 MUI when you install the 2007 Office programs
• Remove the Office 2003 MUI after you install the 2007 Office programs

Error Message When Installing Specific Language Version

Use a Multilanguage version of a Microsoft Select License DVD to install a non-English Microsoft Office suite or to install a non-English Office program. When you do this on an operating system that has the User Locale set to English, you receive the following error message:

Error: Cannot find resource ShellUI.MST. Download does not exist for package {90120000-0115-0409-0000-0000000FF1CE} on drive C:\Program Files\Microsoft Office Type: FileNotFound.

This problem occurs because the Setup program tries to match your Setup user experience to your User Locale.

To work around this problem, use one of the following methods:
• Change the User Locale
• Edit the custom Config.xml file

Unavailable East Asian or Complex Script Language

When you install a 2007 Office suite or program, an East Asian language or a Complex Script language may be unavailable on the Languages tab in the Setup program. This issue may occur if the East Asian support files or the Complex Script support files are not installed.

To resolve this issue, install the East Asian support files or the Complex Script support files in the version of the Windows operating system that you are using.

Upgrade and Setup Issues

The following issues must be addressed when upgrading from earlier Microsoft Office versions to the 2007 Office system:
• Feature installation states
• Settings migration


• File-conversion issues
• Custom Microsoft Office–based solutions, such as macros and Microsoft Visual Basic for Applications (VBA)
• File coexistence with multiple versions of Microsoft Office

File Version Issues

The 2007 Office system uses a new, Extensible Markup Language (XML)-based file format: Office Open XML Formats. The new XML-based file formats in these programs enable broader integration and interoperability between Microsoft Office documents and enterprise applications. In addition, system files are wrapped by using extraction technologies, which allows for quick access to the content parts and standard compression, reducing file sizes and improving reliability and data recovery.

Users can migrate files created in earlier versions of Microsoft Office programs to Office Open XML Formats by using the Office File Conversion Tool.

When identifying file-conversion issues, consider the following:
• Previous versions of Office, prior to the 2007 Office system, share the same file format.
• For backward compatibility, the 2007 Office system can be configured in compatibility mode so that files saved in Word, Excel, and PowerPoint can use the same binary format used by earlier versions of those Microsoft Office programs.
• For interoperability, apply updates to computers running Microsoft Office XP and Microsoft Office 2003 to allow those versions to save files in Office Open XML Formats.
• Office Access 2007 uses a new file format: .accdb. For interoperability, save Office Access 2007 files in the Microsoft Office Access 2003 or Office Access 2000 format (.mdb).

Question: When you try to upgrade the Microsoft Office 2003 Multilanguage User Interface Pack (MUI) to the Office Language Pack, you learn that the Upgrade button is unavailable in the 2007 Office Setup program. Instead, the Install Now button is available. How do you correct this situation?

Question: You have deployed the 2007 Office system to end-users at your enterprise who have many documents in Microsoft Office 2003 files. How do you move these files to the new format?


Lab B: Customizing the Microsoft Office Professional Plus 2007 Installation

Computers in This Lab

Before you begin the lab, you must start the virtual machines. The virtual machines used at the start of this lab are:
• 6294A-LON-DC1
• 6294A-LON-CL1

Start the virtual machines
1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.
2. In the Virtual Machines pane, click the virtual machine name. In the Actions pane, under the virtual machine name, click Start.
3. To connect to the virtual machine, click the virtual machine name, and in the Actions pane, under the virtual machine name, click Connect.

Lab Setup: Remove the 2007 Office system from LON-CL1
1. Log on to LON-CL1 with the user name Administrator and the password Pa$$w0rd.
2. Click Start and then click Control Panel.
3. Under Programs, click Uninstall a program.
4. Click Microsoft Office Professional Plus 2007 and then click Uninstall.
5. Click Yes. Click Close and then reboot LON-CL1.


Exercise 1: Creating a Setup Customization File

Scenario

As part of your Windows 7 deployment tasks for the Research department, you need to deploy Microsoft Office 2007 Professional Plus. You need to configure a Setup Customization File that contains a number of settings to be configured during the application installation. You have already deployed the network installation point, which has been shared as \\LON-DC1\Labfiles\Office2007. You need to configure the Setup Customization File to meet the following requirements:
• Microsoft Office is installed in the default installation path.
• A second network installation point needs to be added called LON-SVR2.
• There is a basic installation dialog box shown which finishes with a completion notice.
• All previous Office installations must be removed.
• A trusted location needs to be added that points to \\LON-DC1\Data.
• The Check for Updates button on the completion dialog must be hidden.
• The default save format must be configured as Word 97-2003 Document (*.doc).
• Links must be disabled in Microsoft Outlook e-mail messages.
• The ability to convert documents must be disallowed.
• Microsoft Office Publisher and Microsoft Office Access must not be installed with this setup.
• The sample files included with Microsoft Office Excel must not be installed.

The main tasks for this exercise are as follows:
1. Configure the Setup category.
2. Configure the Features category.
3. Install the 2007 Office system using the Setup Customization File.

Note: LON-DC1 is the computer running Windows Server 2008 R2 and which contains the Microsoft Office network installation point. LON-CL1 is the computer running Windows 7.
Task 1: Configure the Setup category
• Log on to LON-DC1 with the user name Administrator and the password Pa$$w0rd.
• Start the OCT by starting the Run command and providing the following command:
  • E:\Labfiles\Office2007\setup.exe /admin
• Create a new setup customization file for the Microsoft Office Professional Plus 2007 product.
• Configure the following for the Setup category:
  • Default installation path: ProgramFilesFolder\Microsoft Office
  • Organization: Contoso
  • Additional network sources: LON-SVR2
  • Licensing and user interface:
    • I accept the terms in the License Agreement: selected
    • Display level: Basic
    • Completion notice: selected
  • Remove previous installations: Default
  • Office Security Settings: Add \\LON-DC1\Data and all subfolders as a trusted location.
  • Modify Setup Properties: HIDEUPDATEUI configured to be True.

Task 2: Configure the Features category
• Configure the following for the Features category:
  • Modify user settings:
    • Microsoft Office Word 2007\Word Options\Save: Configure all files to be saved in Word 97-2003 Document (*.doc) format.
    • Microsoft Office Outlook 2007\Security\Trust Center: Disable links in e-mail messages.
    • Microsoft Office 2007 system\Miscellaneous: Disable document conversion capabilities.
    • Clear the Migrate user settings configuration.
  • Feature installation states: Configure Microsoft Office Publisher and Microsoft Office Access as Not Available. Also configure Microsoft Office Excel Sample Files as Not Available.
• Save the setup customization file as E:\Labfiles\Office2007\Updates\Research.

Task 3: Install the 2007 Office System using the Setup Customization File
• Log on to LON-CL1 as Contoso\Administrator with the password of Pa$$w0rd.
• Install the 2007 Office system from the following location: \\LON-DC1\Labfiles\Office2007\setup.exe.
• After the installation is complete, verify that your customizations are implemented.

Results: After this exercise, you have created a Microsoft Office setup customization file and saved it in the Updates folder on the network installation point. You then installed the 2007 Office system and verified that the setup customization file was applied during installation.

Task 4: Virtual machine shutdown
When you finish the lab, revert each virtual machine back to its initial state. To do this, complete the following steps:
• On the host computer, start Hyper-V Manager.
• Right-click each virtual machine name in the Virtual Machines list, and then click Revert.
• In the Revert Virtual Machine dialog box, click Revert.


Lesson 3
Planning and Configuring Desktop Updates by Using WSUS

Windows Server Update Services (WSUS) is a tool for managing and distributing software updates that resolve security vulnerabilities and other stability issues. It enables you to deploy many of the latest Microsoft product updates published to the Microsoft Update site. By using WSUS, you can fully manage the distribution of updates released through Microsoft Update to clients in your environments, after your testing, and on your schedule.


What Is WSUS?

Key Points

WSUS is an update component of Windows Server and offers an effective and quick way to help keep systems up-to-date. WSUS provides a management infrastructure consisting of the following:
• Microsoft Update
• WSUS server
• Automatic Updates

How WSUS Works

WSUS simplifies update management by automating client updates. You subscribe to updates, configure target groups for clients, and approve updates. WSUS enables the rest of the process. The process by which WSUS performs updates on servers and clients is as follows:
1. Administrator subscribes to update categories.
2. Server downloads updates from Microsoft Update.
3. Clients register with the server.
4. Administrator puts clients in different target groups.
5. Administrator approves updates.
6. Agents install administrator-approved updates.

New Features in Windows Server Update Services 3.0 SP2

New Windows server and client version support includes the following:
• Integration with Windows Server® 2008 R2
• Support for BranchCache on Windows Server 2008 R2
• Support for Windows 7 client


Server-Side Features
• Updates for Windows, Office, Exchange Server, and Microsoft SQL Server®, with additional product support over time
• Specific updates can be set to download automatically
• Automated actions for updates determined by administrator approval
• Ability to determine the applicability of updates before installing them
• Targeting
• Replica synchronization
• Reporting
• Extensibility

Client-Side Features
• Powerful and extensible management of the Automatic Updates service
• Self-updating for client computers
• Automatic detection of applicable updates

WSUS feature improvements include the following:
• Auto-Approval Rules
• Update Files and Languages
• Easy Upgrade
• Reports
• Software Updates


Update Management Process

Key Points

It is essential to repeat the update management process on an ongoing basis, as new updates become available that can enhance and protect the production environment.

Assess Phase

The goal for the assess phase is to set up a production environment that supports update management for routine and emergency scenarios. The assess phase is an ongoing process that you use to determine the most efficient topology for scaling the WSUS components.

WSUS provides numerous options for setting up its components, including the ability to store update content locally on WSUS servers or download content on demand from Microsoft Update. Additionally, you can configure Automatic Updates to download and install missing updates automatically. WSUS provides options for managing client computers in Active Directory and non–Active Directory environments.

WSUS provides standardized aggregate reports that provide comprehensive information about all WSUS implementation activity, including information about updates that have synchronized to a WSUS server and which updates are installed or missing from each computer.

Identify Phase

The goals for the identify phase are as follows:
• Discover new updates in a convenient manner.
• Determine whether updates are relevant to the production environment.

WSUS enables you to determine which types of updates you want to synchronize from Microsoft Update and when to synchronize them. WSUS gathers data automatically about all computers known to the WSUS server to determine whether an update is relevant. Therefore, you can determine immediately how many computers require the update and how the update’s deployment impacts the network before you install it in the production environment.

Evaluate and Plan Phase

The goals for the evaluate and planning phase are as follows:
• Test updates in an environment that is separate from but resembles the production environment.
• Determine the tasks necessary to deploy updates into production, plan the update releases, build the releases, and then conduct acceptance testing of the releases.

When evaluating updates in a test environment, you can run many of the WSUS features used in the actual deployment:
• Set the criteria and schedule for automatically synchronizing WSUS servers
• Create computer groups
• Target updates for those groups by approving updates for install

The following are the key things to remember from the evaluate and plan phase:
• You need a formal process to determine whether it is in the best interests of the business to deploy the software update.
• You need to have an identified owner of the software update who is responsible for ensuring that it is deployed.
• When you have an approved software update, plan how to get it into production.

You need to test the package in a lab and, if needed, pilot test it in a production environment to confirm that it does not compromise LOB applications. During and after testing, you can use the standardized reports that WSUS provides to monitor the success of the test.

Deploy Phase

The goals for the deploy phase are to:
• Approve and schedule update installations
• Review the process after the deployment is complete

WSUS allows you to specify target groups of computers and approve deployment of updates to those groups. To establish the order in which updates are deployed, use WSUS to create the most efficient upstream and downstream WSUS server configuration for network and staffing resources. Additionally, configure how client computers communicate with WSUS servers or Microsoft Update by using Group Policy or by scripting with the WSUS API. Use reporting to determine the update deployment’s success by computer or target group.


Considerations for Managing Updates

Key Points

A request for change (RFC) documents a change required in the production environment and describes the required change so others can act on it. The entry point for the evaluate and plan phase is a request for change (RFC) for a software update that has been identified as relevant to your production environment.

By the end of the evaluate and plan phase, you should have:
• Determined whether the change request needs to be classified as an emergency
• Reviewed and approved the request
• Determined the tasks necessary to deploy the approved changes into production

You must also have tested the software update in a production-like environment to confirm that it does not compromise business-critical systems and applications.

The RFC determines the sort of change required in the production environment, such as deploying a software update, applying countermeasures that diminish a vulnerability, or both, and describes the required change so others can act on it.

Prioritizing and Categorizing a Request for an Update

The first step in evaluating and planning is to review the RFC and determine the most appropriate response to a software vulnerability or threat. This involves:
• Prioritizing and categorizing the request
• Obtaining authorization to deploy the software update

Before a request for a software update can be authorized, its priority and category need to be determined. Although priority and category are initially assigned by the change initiator and included in the RFC, those assignments have to be reviewed and either agreed to or changed before the change request can be authorized.

The level of priority is particularly important because it determines how quickly a software update passes through the change process. The category of a software update is important, because it helps those reviewing the change to understand the impact it will have on systems and services within the production environment.

Obtaining Authorization to Deploy the Update

Once the change request has been prioritized and categorized, it needs to be reviewed and authorized, before the software update can be deployed into production. To get the change request authorized, you need to:
• Determine who must be involved in the decision-making process.
• Review the change request, assess the risks and consequences of deploying the software update, and select the most appropriate course of action.
• Identify who is responsible for getting the software update deployed to all impacted systems.

Planning the Release of Updates

Release planning is the process of working out how to release the software update into the production environment. There are essentially three stages involved when planning the release of a new software update:
• Determining what needs to be updated
• Identifying the key issues and constraints
• Building the release plan

Question: An end-user at your company is repairing an installation of Office, when the user is prompted for the original installation media or network location of the original installation files. Why is this happening?


Demonstration: Configuring the Automatic Updates Client by Using Group Policy

This demonstration shows how to use Group Policy Settings to configure the Automatic Updates feature on network clients.

Use Group Policy to Deploy Automatic Updates Client Settings

The GPMC is used to either create a new GPO or edit an existing GPO with the required settings. In this demonstration, you will see how to create a new GPO that contains the Automatic Updates configuration settings and link it to an OU.

1. Open the Group Policy Management console and locate the Group Policy Objects.
2. Create a new Group Policy Object with a meaningful name.
3. You can edit the new group policy to configure the following Automatic Updates configuration settings by navigating to Computer Configuration/Policies/Administrative Templates/Windows Components/Windows Update:
   • Do not display ‘Install Updates and Shut Down’ option in Shut Down Windows dialog box
   • Do not adjust default option to ‘Install Updates and Shut Down’ in Shut Down Windows dialog box
   • Enable Windows Update Power Management to automatically wake up the system to install scheduled updates
   • Configure Automatic Updates
   • Specify intranet Microsoft update service location
   • Automatic Updates detection frequency
   • Allow non-administrators to receive update notifications
   • Turn on Software Notifications
   • Allow Automatic Updates immediate installation
   • Turn on recommended updates via Automatic Updates
   • No auto-restart with logged on users for scheduled automatic updates installations
   • Re-prompt for restart with scheduled installations
   • Delay Restart for scheduled installations
   • Reschedule Automatic Updates scheduled installations
   • Enable client-side targeting
   • Allow signed updates from an intranet Microsoft update service location
4. Enable the Configure Automatic Updates option and configure the following:
   • Configure automatic updating: Specify how to download and install the updates
   • Scheduled install day: Specify the day for installing the updates
   • Scheduled install time: Specify the time for installing the updates
5. Enable the Specify intranet Microsoft update service location option and configure the following:
   • Set the intranet update service for detecting updates
   • Set the intranet statistics server
6. Enable the Enable client-side targeting option and enter the Target group name for this computer.
7. Close the Group Policy Management Editor.
8. In the Group Policy Management console, link the GPO just created to an existing GPO.
9. Open Active Directory Users and Computers and move the server from the Computers container to the OU.

Question: Which setting is required to ensure that client computers contact a local WSUS server?


Demonstration: Managing Updates by Using the WSUS Administration Console

This demonstration shows how to use WSUS to view and approve updates for network clients.

Use WSUS to Approve and Deploy Updates to Network Clients

WSUS is used to view, approve, and deploy updates to network clients. In this demonstration, you see how to determine if a client computer requires any updates, and then approve and deploy any required updates.

1. Open Windows Server Update Services and select the required Computer Group name. The computer names in that group appear in the details pane.
2. Generate a report for the required client computer to view which updates are required on the computer.
3. View the critical updates.
4. Right-click an update to approve the installation of the update.
5. On the client computer, open Windows Update and check for the updates to be installed.

Question: From the Windows Update page, how do you know if the updates are coming from the Internet or being managed from your IT department?


Lab C: Planning and Managing Updates by Using WSUS

Computers in This Lab

Before you begin the lab, you must start the virtual machines. The virtual machines used at the start of this lab are:
• 6294A-LON-DC1
• 6294A-LON-CL1

Start the virtual machines
1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.
2. In the Virtual Machines pane, click the virtual machine name. In the Actions pane, under the virtual machine name, click Start.
3. To connect to the virtual machine, click the virtual machine name, and in the Actions pane, under the virtual machine name, click Connect.


Exercise 1: Planning Group Policy Automatic Update Settings

Scenario

You are the team lead for the Windows 7 deployment project at Contoso Ltd. Adam Carter, the IT Manager of the Marketing department, has asked you to plan for the approval and deployment of Windows updates to the new Windows 7 computers.

Adam has sent an email to you describing requirements.

The main tasks for this exercise are as follows:
1. Read the supporting documentation.
2. Update the Group Policy Settings Configuration Request Worksheet.

Supporting Documentation

E-Mail from Adam Carter:

Ed Meadows
From: Adam Carter [Adam@contoso.com]
Sent: 15 Sept 2009 9:00
To: ed@contoso.com
Subject: Re: Windows updates for the Marketing Department

Hi Ed,

Now that we have deployed Windows 7, we need to determine how to best deploy operating system and software updates to the client computers. Here is a summary of my thoughts and requirements:
• There is a Windows Server Update Services 3.0 deployment project underway. We should request for our department to be included.
• I would like all of our department computers to have their own approval and deployment of software updates.
• All of our department client computers need to contact the WSUS server instead of the Internet in order to receive updates. Please research which Group Policy settings need to be configured and fill out the Group Policy Settings Configuration Request attached to this email.
• All updates need to be automatically downloaded and installed on client computers every day at 5:00PM.
• All client computers should check for updates at least every 8 hours.

If you have any questions please let me know.

Regards
Adam.

Group Policy Settings Configuration Request

Details:
• Individual requesting GPO changes:
• Technical reason for GPO change:
• Scope of management for the requested GPO:

Group Policy Setting Requested:
• Setting Name:
• Configuration:

Task 1: Read the supporting documentation
• Read the scenario and supporting documentation.

Task 2: Update the Group Policy Settings Configuration Request Worksheet
• Fill out the Group Policy Settings Configuration Request to match the requirements outlined in the supporting documentation.

Results: After this exercise, you have determined the settings required to configure Windows update on the client computers using Group Policy.


Exercise 2: Configuring Automatic Update Settings by Using Group Policy

Scenario

You are the Active Directory administrator at Contoso. You have received and approved a request for configuring a GPO to deploy automatic update settings to network clients.

The main tasks for this exercise are as follows:
1. Configure Automatic Update Settings.
2. Verify that the Automatic Updates policy settings have applied.

Note: LON-DC1 is the computer running Windows Server 2008 R2 where you configure the GPO. LON-CL1 is the client computer running Windows 7.

Task 1: Configure Automatic Update Settings
• Log on to LON-DC1 as Contoso\Administrator with the password of Pa$$w0rd.
• On LON-DC1, open the Group Policy Management console.
• Expand Forest: Contoso.com, expand Domains, expand Contoso.com, and then click Group Policy Objects. Right-click Default Domain Policy and edit the policy.
• In the Group Policy Management Editor, browse to Computer Configuration\Policies\Administrative Templates\Windows Components, and then click Windows Update.
• Configure the following settings:
  • Configure Automatic Updates:
    • Configure automatic updating: 4 – Auto download and schedule the install
    • Scheduled install day: 0 – Every day
    • Scheduled install time: 17:00
  • Specify intranet Microsoft update service location:
    • Set the intranet update service for detecting updates: http://LON-DC1
    • Set the intranet statistics server: http://LON-DC1
  • Automatic Updates detection frequency: 8 hours

Task 2: Verify that the Automatic Updates policy settings have applied
• Log on to LON-CL1 with the user name Administrator and the password Pa$$w0rd.
• Open a command prompt and type gpupdate /force to update Group Policy.
• Open Windows Update and click Change settings. Notice the information message at the top of the window stating that some settings are managed by the system administrator. Also notice that some of the configuration settings are grayed out.

Results: After this exercise, you have configured Group Policy to automatically apply Windows Update configuration settings to client computers.
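The Windows Update policy settings listed in the Group Policy demonstration and configured in Exercise 2 reach the client as registry values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, so they can be audited without opening the Windows Update window. The following PowerShell is an added example, not part of the courseware: it compares those values with the lab's configuration (http://LON-DC1, option 4, every day at 17:00, 8-hour detection). The function names and the sample data are constructed for illustration, and the note about plain HTTP is an extra check that the lab itself does not perform.

```powershell
# Added example: audit the Automatic Updates policy values on a client.
# Function names are hypothetical; expected data mirrors Exercise 2.

$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey = "$WuKey\AU"

function Get-WsusClientPolicy {
    # Collect the policy values from both registry keys into one hashtable.
    $observed = @{}
    foreach ($key in @($WuKey, $AuKey)) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        if ($props) {
            foreach ($p in $props.PSObject.Properties) {
                # Skip the provider's own PSPath/PSParentPath/... properties.
                if ($p.Name -notlike 'PS*') { $observed[$p.Name] = $p.Value }
            }
        }
    }
    return $observed
}

function Test-WsusClientPolicy {
    param(
        [hashtable]$Observed,
        [string]$ExpectedServer = 'http://LON-DC1'   # value used in the lab
    )
    $expected = @{
        UseWUServer               = 1                # use the intranet server
        WUServer                  = $ExpectedServer  # update service location
        WUStatusServer            = $ExpectedServer  # statistics server
        NoAutoUpdate              = 0                # Automatic Updates enabled
        AUOptions                 = 4                # auto download, scheduled install
        ScheduledInstallDay       = 0                # 0 = every day
        ScheduledInstallTime      = 17               # hour of day, 17 = 17:00
        DetectionFrequencyEnabled = 1
        DetectionFrequency        = 8                # hours between detections
    }
    $findings = @()
    foreach ($name in ($expected.Keys | Sort-Object)) {
        if (-not $Observed.ContainsKey($name)) {
            $findings += "MISSING  $name (expected $($expected[$name]))"
        } elseif ("$($Observed[$name])" -ne "$($expected[$name])") {
            $findings += "MISMATCH $name = $($Observed[$name]) (expected $($expected[$name]))"
        }
    }
    $notes = @()
    if ("$($Observed['WUServer'])" -like 'http://*') {
        # Extra check, not a lab step: traffic to this server is not protected by TLS.
        $notes += "NOTE     WUServer uses plain HTTP: $($Observed['WUServer'])"
    }
    New-Object PSObject -Property @{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
        Notes     = $notes
    }
}

# Constructed sample: a client where AUOptions is wrong and the detection
# frequency policy never arrived (for example, gpupdate has not run yet).
$sample = @{
    UseWUServer = 1; WUServer = 'http://LON-DC1'; WUStatusServer = 'http://LON-DC1'
    NoAutoUpdate = 0; AUOptions = 3; ScheduledInstallDay = 0; ScheduledInstallTime = 17
}
$result = Test-WsusClientPolicy -Observed $sample
"Sample compliant: $($result.Compliant)"
$result.Findings
$result.Notes

# On a Windows client such as LON-CL1, audit the live registry as well.
if (Test-Path $WuKey) {
    $live = Test-WsusClientPolicy -Observed (Get-WsusClientPolicy)
    "Live compliant: $($live.Compliant)"
    $live.Findings
    $live.Notes
}
```

Run it on the client after gpupdate /force; pass -ExpectedServer when the WSUS server is not the lab's LON-DC1.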


Exercise 3: Approving and Deploying an Update by Using WSUS

Scenario

Now that you have configured the Windows Update settings, you can now view, approve, and then deploy required updates.

The main tasks for this exercise are as follows:
1. Initializing Windows Update.
2. Approve and Deploy an Update.

Note: LON-DC1 is the computer running Windows Server 2008 R2 which has WSUS installed. LON-CL1 is the client computer running Windows 7.

Task 1: Initializing Windows Update
• On LON-CL1, click Start, and then in the Search programs and files box, type cmd and then press ENTER.
• At the command prompt, run the following commands:
  • wuauclt /detectnow
  • wuauclt /r /reportnow

Task 2: Approve and deploy an update
• On LON-DC1, start Windows Server Update Services.
• Verify that LON-CL1.contoso.com appears under All Computers. If no results are shown, wait for a few minutes. If after a few minutes no results are shown, repeat Task 1.
• Double-click LON-CL1.contoso.com to generate a report. Verify which critical updates are required on LON-CL1.
• Approve the installation for the following Critical Updates:
  • Update for the Office System (KB967642)
• On LON-CL1, use Windows Update to check for updates. Install any updates that are found.

Results: After this exercise, you have approved and deployed an update using WSUS 3.0.

Task 3: Virtual machine shutdown
When you finish the lab, revert each virtual machine back to its initial state. To do this, complete the following steps:
• On the host computer, start Hyper-V Manager.
• Right-click each virtual machine name in the Virtual Machines list, and then click Revert.
• In the Revert Virtual Machine dialog box, click Revert.


Module Review and Takeaways

Review Questions
1. Within Configuration Manager, packages provide one of the foundations of distributing software to clients. What is the purpose of the package?
2. What must an administrator do before any update is sent to clients and servers by using WSUS?
3. What is the reason for setting a deadline for an automatic installation to a past date?

Best Practices

Supplement or modify the following best practices for your own work situations:

Best Practices for Deploying Software Through Group Policy
• Test all software installation packages before you deploy them.
• Use and enforce standard configurations for applications, if possible.
• It is recommended that you deploy software as high in the Active Directory hierarchy or tree as you can. Software must be deployed close to the root in the Active Directory tree because it allows you to use one GPO to deploy software to multiple users.
• A Windows Installer package must be assigned and published only once in the identical GPO.
• Create application categories when you have a large quantity of published applications within your organization. This simplifies a user’s ability to find applications in Add or Remove Programs in Control Panel.

Best Practices for Securing an Operating System
• Install all operating system patches.
• Verify user account security.
• Eliminate unnecessary applications and network services.
• Install and configure necessary applications and network services.
• Configure system logging to record significant events.
• Keep applications and operating system patches up to date.

Best Practices to Help Secure the Network Installation Point for Office
• Make sure that access to source files is read-only.
• The Setup.xml and Package.xml files are digitally signed and cannot be modified.
• Save all customization files that you create, including Setup customization files and custom Config.xml files, as read-only.
• If you are centralizing log files on the network, make sure that users have read/write access to that location.

Tools

Tool: Group Policy Management Console (GPMC)
Use for: Provides unified management of all aspects of Group Policy across multiple forests in an organization.
Where to find it: http://go.microsoft.com/fwlink/?LinkId=154249

Tool: Office Customization Tool (OCT)
Use for: Use to customize an installation of the Office system. The OCT is part of the Setup program and is the recommended tool for most customizations.
Where to find it: http://go.microsoft.com/fwlink/?LinkId=162306

Tool: Windows Server Update Services (WSUS)
Use for: Use for managing and distributing software updates that resolve security vulnerabilities and other stability issues.
Where to find it: http://go.microsoft.com/fwlink/?LinkId=159626


Course Evaluation

Your evaluation of this course helps Microsoft understand the quality of your learning experience.

Please work with your training provider to access the course evaluation form.

Microsoft keeps your answers to this survey private and confidential, and uses your responses to improve your future learning experience. Your open and honest feedback is valuable and appreciated.




Module 12
Deploying Windows 7 – Challenge Scenario

Contents:
Lab A: Planning an End to End Windows 7 LTI Deployment
Lab B: Deploying Windows 7 Using the LTI Deployment Plan


Module Overview

This module is an extensive lab which provides an opportunity to perform an end-to-end deployment of Windows 7 by using the LTI.


Lab A
Planning an End to End Windows 7 LTI Deployment

Exercise 1: Planning the MDT Lite Touch Environment

Scenario

Jonas has tasked you with planning the migration/upgrade of the Akron Office to Windows 7 and Office 2007.

Wendy Richardson, the IT Vice President (VP) for Contoso Ltd., has a project in development that will require Windows 7 and Office 2007. She has asked your group to facilitate this installation as quickly as possible.

The main tasks for this exercise are as follows:
1. Read the supporting documentation.
2. Create a deployment plan for a Windows 7 LTI deployment.

Supporting Documentation

E-Mail from Jonas:

Adam Carter
From: Jonas Brandel [jbrandel@contoso.com]
Sent: 17 July 2009 2:30 PM
To: Adam Carter [acarter@contoso.com]
Subject: Re: Automated Windows 7 deployment

Adam,

Your MDT presentation was impressive. I apologize for notifying you on such short notice, but Wendy Richardson, the IT VP, has decided that the Akron office needs to be upgraded immediately to Windows 7 to support another initiative she has in the works. Unfortunately, this upgrade will need to occur before the end of the fiscal year and there is simply not a lot of budget dollars left to make this happen, so you will need to do everything remotely.

I know you are not familiar with the Akron office, so here is a quick rundown. There are 30 desktop systems in the office and one Domain Controller. Currently, all users save all their work locally. The office has a budget for a file server next fiscal year. As a result, you will need to preserve everyone’s local information during the migration because there is not enough bandwidth to have the users save their files to the corporate servers.

We need a migration plan from you by the end of the week that includes the following:

1) A plan for assessment of the systems in the Akron office.
2) A list of criteria for determining if systems need to be upgraded or replaced in the Akron office. The office manager is definitely getting a new system; however, there is only 5000 U.S. dollars budgeted for hardware upgrades to get all systems to a level where they can run Windows 7 effectively. If a memory and/or hard drive upgrade will get a user’s system to a Windows 7 recommended level, that will be preferred instead of replacement.
3) A plan to deploy all systems over the course of a single weekend. There will be local assistance available, but do not plan for any technical savvy. The local support person will probably not be a lot of assistance beyond unpacking and plugging in new systems, power cycling the systems, and pushing a few keys. In addition, the office manager does not want to keep this person in the office on a weekend any longer than is absolutely necessary.
4) New systems will require Office 2007 to be deployed.
5) Include drivers for all client hardware not included in Windows 7.
6) A recovery plan if anything goes awry.

Thanks,
Jonas Brandel

Task 1: Read the supporting documentation
• Read the scenario and supporting documentation.

Task 2: Use the following decision tree and checklist to help facilitate the creation of the deployment plan
• Create a deployment plan using the following aids.


Technician Computer Decision Tree

What type of client is being deployed?
• 64 bit: Build x64-based Windows 2003 (or above) system
• 32 bit: Build x86-based Windows 2003 (or above) system

Required Components
• Install MDT
• Install WAIK

Planning Components
• Performing network assessment? YES: Install MAP. NO: continue.
• Performing Office 2007 migration? YES: Office Migration Planning Manager. NO: continue.

Installation Components
• Application compatibility known? YES: continue. NO: Install ACT.
• Deploying OS through? Media: Prepare CDs/DVDs. Network: Configure DHCP.
• Boot client system? PXE Boot: Prepare PXE environment. Media: continue.
• Multicast deployment? YES: Prepare WDS. NO: continue.
• Migrating pre-SP1 Vista user state? YES: Install USMT 3.01. NO: continue.

Post Installation Components
• Installing Windows 2003 with KMS? YES: Install KMS 1.1 for Windows 2003. NO: continue.
• Installing Windows 7 with MAK? YES: Install Volume Activation Management Tool. NO: continue.
• Using Security Compliance Management? YES: Install Security Compliance Management Toolkit. NO: continue.

MDT Installation Complete


Microsoft Deployment Toolkit Job Aid

Microsoft Deployment Toolkit Planning – Job Aid

Columns: Question / Information / Details

What Operating System are you going to deploy?
• 32 bit Windows 7
• 64 bit Windows 7
• 32 Windows Server 2008 R2
• 64 bit Windows Server 2008 R2

What System is going to be deployed as the Technician’s system?
• Windows 7 client
• Windows 2008 R2 server

Are you going to be deploying Applications?
• Yes
• No

What MDT additional components are you going to install?
• MAP
• WAIK
• USMT
• ACT

Where will you store your distribution files?
• Local Deployment Share
• Remote Deployment Share

What is your imaging and source file strategy?
• CD
• Network Share

Do you want to back up computers before deployment?
• Yes
• No

Will you be deploying any drivers not included with Windows 7?
• Yes
• No

Will you deploy across the network with removable media, or both?
• Network
• Removable Media

Which Deployment Scenario will you use?
• New Computer
• Upgrade Existing Computer
• Refresh Computer
• Replace Computer

Will you deploy a full set of operating system files or a custom Windows Imaging Format (WIM)?
• Full OS File Set
• Custom WIM

Are you going to allow users to choose their own operating system, applications, locale, time zone, and administrative password?
• Yes
• No

Which product editions will you deploy?
• Professional
• Ultimate
• Business
• Enterprise

How will you handle product keys and licensing?
• Multiple Activation Key (MAK)
• Key Management Service (KMS)


Lab B
Deploying Windows 7 Using the LTI Deployment Plan

Exercise 1: Performing a Network Assessment

Jonas Brandel, the manager of the Contoso IT department, has reviewed the plan you put together for the Akron office migration to Windows 7 and Office 2007. You have been tasked with implementing this plan.

As part of your deployment plan, you need to determine which, if any, systems require upgrades to be able to run Windows 7. To accomplish this task, you will use the Microsoft Assessment and Planning Toolkit.

The main tasks for this exercise are as follows:
1. Start the computers.
2. Configure the Microsoft Assessment and Planning Toolkit.
3. Run the Windows 7 Readiness Assessment Wizard.
4. Review the Windows 7 Readiness Assessment Reports.
5. Shut down the Vista computers.

Note: LON-DC1 is the computer running Windows Server 2008 R2 which provides domain services. LON-CL2 is the client computer that will contain the Microsoft Assessment and Planning Toolkit. LON-VS1 and LON-VS2 are both client computers to be assessed.

Task 1: Start the computers
• Start the following systems:
  • 6294A-LON-DC1
  • 6294A-LON-CL2
  • 6294A-LON-VS1
  • 6294A-LON-VS2

Task 2: Configure the Microsoft Assessment and Planning Toolkit
• Log on to the LON-CL2 virtual machine as Contoso\Administrator with a password of Pa$$w0rd.
• Start the Microsoft Assessment and Planning Toolkit and create an inventory database named Akron Inventory.

Task 3: Run the Windows 7 Readiness Assessment Wizard
• Configure and run the Inventory and Assessment Wizard using the Contoso\Administrator account when an account is requested.

Task 4: Review the Windows 7 Readiness Assessment Reports
• Review the Readiness Assessment Reports and assess whether any systems require hardware upgrades or replacement.

Task 5: Shut down the Vista Desktops
• Shut down the following computers:
  • 6294A-LON-VS1
  • 6294A-LON-VS2
• Open Hyper-V Manager and modify the RAM allocation for 6294A-LON-VS2 to be 768MB.

Results: After this exercise, you have installed and run the Microsoft Assessment and Planning Toolkit and customized the administrators profile on the Vista systems.


Exercise 2: Configuring MDT 2010 for an LTI Deployment

As part of your deployment plan, you are going to perform a Lite Touch Installation for the Akron systems. In this exercise, you will deploy and configure the Microsoft Deployment Toolkit for this purpose.

The main tasks for this exercise are as follows:
1. Install MDT 2010.
2. Mount the WAIK Media on LON-CL2.
3. Install Windows AIK.

Note: LON-DC1 is the computer running Windows Server 2008 R2 which provides domain services. LON-CL2 is the client that will be used as the technician computer.

Task 1: Install MDT 2010
• Install the \\LON-DC1\Labfiles\Mod07\MicrosoftDeploymentToolkit2010_x86.msi file on LON-CL2. Install the MDT with default settings.

Task 2: Mount the WAIK Media on LON-CL2
• Mount the C:\Program Files\Microsoft Learning\6294\Drives\WAIK.iso image file to the DVD drive for LON-CL2.

Task 3: Install Windows AIK
• Run the D:\StartCD.exe program as administrator to install the WAIK. Install using the default settings.

Results: After this exercise, you have the Microsoft Deployment Toolkit and the Windows Automated Installation Kit on LON-CL2.


Exercise 3: Configuring WDS for a PXE and Multicast Deployment

The scenario specifies 30 systems, limited help available on site, and a short time to work with. While creating boot disks will accomplish the task, boot disks alone will probably not allow you to complete the task in the allotted time given the available resources. To enable a more efficient rollout, you will use the Windows Deployment Services.

The main tasks for this exercise are as follows:
1. Install WDS on LON-DC1
2. Configure WDS on LON-DC1
3. Create a share on LON-DC1

Note: LON-DC1 is the computer running Windows Server 2008 R2 which provides domain services and WDS services.

Task 1: Install WDS on LON-DC1
• Log on to the LON-DC1 virtual machine as Contoso\Administrator with a password of Pa$$w0rd.
• Add the Windows Deployment Services role to LON-DC1.

Task 2: Configure WDS on LON-DC1
• Configure the WDS server settings as follows:
  • Remote Installation Folder Location: E:\RemoteInstall
  • Do not listen on port 67
  • Configure DHCP option 60 to: PXE Client
  • Respond to all client computers (known and unknown)
  • Do not Add images to the server now

Task 3: Create a share on LON-DC1
• Create a folder called E:\DeploymentShare and share it as DeploymentShare$.
• Grant Everyone Read/Write permissions to the share.

Results: After this exercise, the Windows Deployment Services has been installed and configured on LON-DC1 and a share for the deployment share has been created.
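Task 3 shares E:\DeploymentShare as DeploymentShare$ with Read/Write for Everyone, and the later exercises run LiteTouch.wsf and boot images from that share on every client. The PowerShell below is an added example, not part of the courseware: it reads the share-level and NTFS ACEs and flags write access held by broad groups. The function names are hypothetical and the sample ACEs are constructed.

```powershell
# Added example, not from the courseware. Function names are hypothetical.

# Well-known SIDs that stand for very large groups of principals.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-7'      = 'Anonymous Logon'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Access-mask bits that let a principal change content or permissions:
# FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_DELETE_CHILD, DELETE,
# WRITE_DAC, WRITE_OWNER, GENERIC_ALL, GENERIC_WRITE.
$WriteBits = 0x2 -bor 0x4 -bor 0x40 -bor 0x10000 -bor 0x40000 -bor
             0x80000 -bor 0x10000000 -bor 0x40000000

function Test-BroadWriteAce {
    # True when an allow ACE gives a broad group any write-type right.
    param($Ace)
    if ($Ace.AceType -ne 0) { return $false }            # 0 = access allowed
    $sid = [string]$Ace.SidString
    # RID 513 is the Domain Users group of any domain.
    $isBroad = $BroadSids.ContainsKey($sid) -or ($sid -match '^S-1-5-21-.+-513$')
    return ($isBroad -and (([long]$Ace.AccessMask -band $WriteBits) -ne 0))
}

function Get-ShareAce {
    # Share-level ACEs, read through WMI.
    param([string]$ShareName, [string]$ComputerName = '.')
    $setting = Get-WmiObject -Class Win32_LogicalShareSecuritySetting `
        -ComputerName $ComputerName -Filter "Name='$ShareName'"
    if (-not $setting) { throw "No security setting found for share '$ShareName'." }
    $result = $setting.GetSecurityDescriptor()
    if ($result.ReturnValue -ne 0) {
        throw "GetSecurityDescriptor failed with code $($result.ReturnValue)."
    }
    foreach ($ace in $result.Descriptor.DACL) {
        New-Object PSObject -Property @{
            Trustee    = $ace.Trustee.Name
            SidString  = $ace.Trustee.SIDString
            AccessMask = $ace.AccessMask
            AceType    = $ace.AceType
        }
    }
}

function Get-FolderAce {
    # NTFS ACEs of the shared folder, in the same shape as Get-ShareAce output.
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        New-Object PSObject -Property @{
            Trustee    = $rule.IdentityReference.Value
            SidString  = $rule.IdentityReference.Value
            AccessMask = [int]$rule.FileSystemRights
            AceType    = [int]$rule.AccessControlType     # Allow = 0, Deny = 1
        }
    }
}

# Constructed sample ACEs (not captured from a real server): a Change-level
# grant to Everyone and a Full Control grant to BUILTIN\Administrators.
$sample = @(
    (New-Object PSObject -Property @{
        Trustee = 'Everyone'; SidString = 'S-1-1-0'
        AccessMask = 0x1301BF; AceType = 0 }),
    (New-Object PSObject -Property @{
        Trustee = 'BUILTIN\Administrators'; SidString = 'S-1-5-32-544'
        AccessMask = 0x1F01FF; AceType = 0 })
)
$sample | Where-Object { Test-BroadWriteAce $_ } | ForEach-Object {
    '{0} ({1}) can modify content, mask 0x{2:X}' -f $_.Trustee, $_.SidString, $_.AccessMask
}

# Against the lab server (run elevated on LON-DC1):
# Get-ShareAce  -ShareName 'DeploymentShare$' | Where-Object { Test-BroadWriteAce $_ }
# Get-FolderAce -Path 'E:\DeploymentShare'    | Where-Object { Test-BroadWriteAce $_ }
```

A principal can change the share's content over the network only when both the share ACL and the NTFS ACL allow it, so compare the two result sets rather than reading either alone.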


Exercise 4: Configuring an MDT 2010 Deployment Share

Since the Akron office is in a remote location, you will need to use a deployment share that is located on the same subnet as the systems for a quicker deployment. While a workstation can be used, this will limit the number of systems that are able to be deployed at the same time. Given the constraints of the deployment, you will use the only available server in the Akron office—the domain controller—to host the deployment share.

The main tasks for this exercise are as follows:
1. Create a deployment share in Deployment Workbench on LON-CL2.
2. Configure the deployment share to use WDS on LON-DC1.
3. Configure WDS on LON-DC1.
4. Add applications to the deployment share.
5. Customize the Office 2007 application.
6. Add operating system files to the deployment share.
7. Add device drivers to the deployment share.
8. Create a task sequence for the reference computer.
9. Update the deployment share.

Note: LON-DC1 is the computer running Windows Server 2008 R2 which provides domain services and WDS services. LON-CL2 is the client used as the technician computer.

Task 1: Create a deployment share in Deployment Workbench on LON-CL2
• Open the Deployment Workbench on LON-CL2.
• Create a new deployment share from the \\LON-DC1\DeploymentShare$ shared folder.
• Use the default settings for the new share.

Task 2: Configure the deployment share to use WDS on LON-DC1
• In the Deployment Workbench, configure the properties of the MDT Deployment Share (\\LON-DC1\DeploymentShare$) as follows:
  • Local Path: E:\DeploymentShare
  • Enable multicast for this deployment share (requires Windows Server 2008 Windows Deployment Services)

Task 3: Configure WDS on LON-DC1
• Run the following command on LON-DC1:

  wdsutil.exe /new-namespace /friendlyname:"MDT DeploymentShare" /server:LON-DC1 /namespace:"DeploymentShare" /contentprovider:WDS /configstring:"\\LON-DC1\DeploymentShare$" /namespacetype:AutoCast

Task 4: Add applications to the deployment share
• On LON-CL2, in the Deployment Workbench, create a New Application using the \\LON-DC1\Labfiles\Office2007 source files.
• Provide the command line Setup.exe.

Task 5: Customize the Office 2007 application
• Right-click Microsoft Office 2007 and select Properties.
• On the Office Products tab configure the following:
  • Office 2007 product to Install: ProPlus
  • Config.xml settings:
    • Office 2007 Languages: en-us
    • Customer Name: Contoso
    • Display level: None
    • Check the Accept EULA check box

Task 6: Add operating system files to the deployment share
• Mount the C:\Program Files\Microsoft Learning\6294\Drives\Windows7_32bit.iso on LON-CL2.
• In the Deployment Workbench, run the Import Operating System Wizard to import Windows 7.

Task 7: Add device drivers to the deployment share
• In the Deployment Workbench, Import Drivers from \\LON-DC1\Labfiles\Drivers.
• In the Deployment Workbench, Import Drivers from \\LON-DC1\Labfiles\Mod05\LabE\ipoint.

Task 8: Create a task sequence for the reference computer
• In the Deployment Workbench, create a New Task Sequence with the following settings:
  • Task sequence ID: AKRON_REFERENCE
  • Task sequence name: Deploy Windows 7 to LON-IMG1
  • Standard Client Task Sequence
  • Windows 7 Enterprise in Windows 7 x86 install.wim
  • Do not specify a product key
  • Full Name: Admin
  • Organization: Contoso LTD.
  • Do not specify an Administrator password at this time

Task 9: Update the deployment share
• In the Deployment Workbench, select Deployment Workbench/Deployment Shares/MDT Deployment Share (\\LON-DC1\DeploymentShare) and in the Actions pane, click Update Deployment Share.
• Use the default settings to complete the wizard.

Results: After this exercise, a Deployment Share has been created and configured on the LON-DC1 system.


Exercise 5: Creating the Reference Computer

For ease of deployment, you are going to create a custom image to deploy to Akron. Given the constraints in the scenario, you need to pre-configure the systems with the applications that are required. Additional applications can then be installed after the systems are deployed.

The main tasks for this exercise are as follows:
1. Configure the PXE boot settings on LON-DC1.
2. Deploy the reference computer.

Note: LON-DC1 is the computer running Windows Server 2008 R2 which provides domain services and WDS services. LON-CL2 is the client used as the technician computer.

Task 1: Configure the PXE boot settings on LON-DC1
• On LON-DC1, start Windows Deployment Services management console.
• Load the Image File, E:\DeploymentShare\Boot\LiteTouchPE_x86.wim into the Boot Images folder.
• In the LON-DC1.Contoso.com Properties, on the Boot tab, set Always continue the PXE boot for both known and unknown systems.

Task 2: Deploy the reference computer
• On the host computer, connect to the 6294A-LON-IMG1 - Virtual Machine and start it.
• After the PXE boot is finished, complete the Deployment Wizard with the following (use defaults where not specified):
  • Install a new Operating System
  • Username: Administrator
  • Password: Pa$$w0rd
  • Domain: Contoso
  • Deploy Windows 7 to LON-IMG1
  • Computer name: LON-IMG1
  • Join the computer to a workgroup
  • Do not restore user data
  • Install Microsoft Office 2007
  • Capture an image of this reference computer

Note: For this lab a license key is not provided when installing Microsoft Office 2007. Because of this you are prompted to perform the Microsoft Office installation manually.

• Turn off LON-IMG1

Results: After this exercise, a reference computer has been created and captured.


Exercise 6: Preparing the Deployment Task Sequences

The scenario requires the User State be saved and the systems to be backed up prior to deployment in case you need to back out of the deployment. To accomplish these tasks, you will create and use several task sequences.

The main tasks for this exercise are as follows:
1. Add the custom image to the Deployment Workbench.
2. Create a task sequence to capture user state.
3. Create a standard client task sequence to install the new OS.
4. Update the deployment share.

Note: LON-DC1 is the computer running Windows Server 2008 R2 which provides domain services and WDS services. LON-CL2 is the client used as the technician computer.

Task 1: Add the custom image to the Deployment Workbench
• Use the Import Operating System Wizard to import the \\LON-DC1\DeploymentShare\Captures\AKRON_REFERENCE.wim file as a Custom image file.

Task 2: Create a task sequence to capture user state
• Create a New Task Sequence with the following settings:
  • Task sequence ID: AKRON_USMT
  • Task sequence name: Akron USMT Capture
  • Standard Client Replace Task Sequence
• Customize the Akron USMT Capture properties with the following:
  • Disable the Wipe Disk task.

Note: The Wipe Disk task is disabled in order to save time in the lab environment.

• On the MDT Deployment Share (\\LON-DC1\DeploymentShare$) Properties, edit the CustomSettings.ini file as follows:

  [Settings]
  Priority=Default
  Properties=MyCustomProperty

  [Default]
  OSInstall=Y
  UserDataLocation=NETWORK
  SkipAppsOnUpgrade=NO
  SkipCapture=NO
  SkipAdminPassword=YES
  SkipProductKey=YES

Task 3: Create a standard client task sequence to install the new operating system
• Create a New Task Sequence with the following settings:
  • Task sequence ID: AKRON_DEPLOY
  • Task sequence name: Deploy Windows 7 to Akron
  • Standard Client Task Sequence
  • AKRON_REFERENCEDDRIVE in AKRON_REFERENCE AKRON_REFERENCE.wim
  • Do not Specify a Product Key
  • Full Name: Admin
  • Organization: Contoso LTD.
  • Administrator Password: Pa$$w0rd

Task 4: Update the deployment share
• In the Deployment Workbench, select Deployment Workbench/Deployment Shares/MDT Deployment Share (\\LON-DC1\DeploymentShare) and in the Actions pane, click Update Deployment Share.
• Use the default settings to complete the wizard.

Results: After this exercise, the tasks used to capture the user state and deploy the new images have been created.


Exercise 7: Performing an Upgrade on Target Computers

Once all preparations are complete, the task sequences can be executed to complete the deployment.

The main tasks for this exercise are as follows:
1. Capture user state on the Vista systems.
2. Deploy the Akron systems.

Note: LON-DC1 is the computer running Windows Server 2008 R2 which provides domain services and WDS services. LON-CL2 is the client used as the technician computer. LON-VS1, LON-VS2, and LON-VS3 are the computers that will be upgraded.

Task 1: Capture user state on the Vista systems
• Start and log on to the LON-VS1 and LON-VS2 virtual machines as Contoso\Administrator with a password of Pa$$w0rd.
• On each system, run the \\LON-DC1\DeploymentShare\Scripts\LiteTouch.wsf script.
• Complete the Windows Deployment Wizard with the following:
  • Akron USMT Capture
  • Save the user data to: \\LON-DC1\Data\VSx (where x represents the system number).
  • Do not back up the existing computer
  • Username: Administrator
  • Password: Pa$$w0rd
  • Domain: Contoso

Note: While the scenario calls for a backup, you are not creating a backup as a time-saving step.

Note: If you receive an 800704C3 error, use the IP Address 10.10.0.10 instead of Contoso for the Domain name.

Task 2: Deploy the Akron systems

To take advantage of multicast, do not begin any deployment until all the systems are at the Ready to begin page.

Perform the following steps for LON-VS1 and LON-VS2:
• On the host computer, change the BIOS settings of each of the Vista systems used as follows:
  • Set the Legacy Network Adapter as the first boot device.
• On the host computer, connect to each Vista - Virtual Machine and start it.
• On the host computer, start the virtual machine to be deployed.
• After the PXE boot is finished, complete the Deployment Wizard with the following, use defaults where not specified:
  • Install a new Operating System
  • Username: Administrator
  • Password: Pa$$w0rd
  • Domain: Contoso
  • Deploy Windows 7 to Akron
  • Configure the computer name: LON-VS1a and LON-VS1b
  • Join the Contoso domain
  • Restore user data from \\LON-DC1\Data\VS1 and \\LON-DC1\Data\VS2

Note: To re-use the computer name, reset or delete the existing computer object in Active Directory.

Note: To monitor the multicast environment, on LON-DC1, open the Windows Deployment Services Console. Expand LON-DC1.Contoso.com, expand Multicast transmissions, and select MDT DeploymentShare. You may have to refresh the node to view the multicast entries.

Perform the following steps while the image is deploying to the systems.
• On LON-DC1, in the WDS Console, configure LON-DC1.Contoso.com Properties with the following:
  • On the Boot tab, set Always continue the PXE boot for both known and unknown systems.

Note: Failing to complete this step will cause the deployed system to re-enter the PXE environment on startup.

Task 3: Virtual machine shutdown

When you finish the lab, revert each virtual machine back to its initial state. To do this, complete the following steps:
• On the host computer, start Hyper-V Manager.
• Right-click each virtual machine name in the Virtual Machines list, and then click Revert.
• In the Revert Virtual Machine dialog box, click Revert.

Results: After this exercise, the Vista systems have been replaced with Windows 7 and the user profiles have been migrated.




Module 1: Preparing to Deploy Windows® 7 Business Desktops

Lab A: Assessing the Computing Environment by Using the Microsoft Assessment and Planning Toolkit

Scenario

You are the team lead for the Windows 7 deployment project at Contoso Ltd. Contoso currently uses Windows Vista on the company desktop computers. You are planning for the Windows 7 deployment to take place within the next month.

As part of the deployment process you need to determine if there are any hardware compatibility issues with Windows 7. You will use the Microsoft Assessment and Planning Toolkit to help inventory, analyze, and then determine the necessary hardware upgrades.

Computers in this lab

Before you begin the lab, you must start the virtual machines. The virtual machines used at the start of this lab are:
• 6294A-LON-DC1
• 6294A-LON-CL2
• 6294A-LON-VS1
• 6294A-LON-VS2

Start the virtual machines
1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.
2. In the Virtual Machines pane, click the virtual machine name. In the Actions pane, under the virtual machine name, click Start.
3. To connect to the virtual machine, click the virtual machine name, and in the Actions pane, under the virtual machine name, click Connect.


Exercise 1: Configure the Microsoft Assessment and Planning Toolkit

Task 1: Configure the Microsoft Assessment and Planning Toolkit
1. Log on to the LON-CL2 virtual machine as Contoso\Administrator with a password of Pa$$w0rd.
2. Click Start, point to All Programs, click Microsoft Assessment and Planning Toolkit, and then click Microsoft Assessment and Planning Toolkit.
3. After the Microsoft Planning and Assessment Toolkit starts, on the Create or select a database to use dialog box, select the Create an inventory database radio button. Type Contoso Inventory and then click OK.


Exercise 2: Use the Microsoft Assessment and Planning Toolkit to Create a Client Assessment Report

Task 1: Run the Windows 7 Readiness Assessment Wizard
1. In the Discovery and Readiness pane, click Inventory and Assessment Wizard.
2. Review the Computer Discovery Methods page and then click Next.
3. Configure the Active Directory Credentials page with the following:
   Domain: Contoso.com
   Domain Account: Contoso\Administrator
   Password: Pa$$w0rd
   Click Next.
4. Review the Active Directory Options page and then click Next.
5. On the Windows Networking Protocols page ensure the following:
   Workgroups and Windows domains to include in the inventory: Contoso
   Click Next.
6. On the WMI Credentials page, click New Account.
7. Fill in the Inventory Account page with the following:
   Domain name: Contoso
   Account name: Administrator
   Password: Pa$$w0rd
   Confirm password: Pa$$w0rd
   Click Save.
8. On the WMI Credentials page, click Next.
9. On the Summary page, click Finish.
10. Once the inventory is complete, on the Status page, click Close.


Exercise 3: Analyze Inventory and Assessment Data

Task 1: Review the Windows 7 Readiness Summary Results for Contoso
1. In the Inventory and Assessment pane expand Discovery and Readiness.
2. In the Inventory and Assessment pane click Windows 7 Readiness.

Q. How many client systems were inventoried?
A. Five

Q. How many systems are ready for Windows 7?
A. Three

Q. How many systems would be ready for Windows 7 with hardware upgrades?
A. Four

Task 2: Review the Windows 7 Readiness Reports for Contoso
1. In the Actions pane, click Generate report/proposal. After the report is prepared, click Close.
2. Click the View menu, and then click Saved Reports and Proposals.
3. Open the Windows7Proposal- report just created.

Q. How many client systems require 2 hardware upgrades to meet the Windows 7 recommended level?
A. Three

Q. Which client systems require hardware upgrades before upgrading to Windows 7?
A. Individual clients are not listed in this report.

4. Close the Windows7Proposal- report.
5. Open the Windows7Assessment- report just created.

Q. Which clients are in the Meets minimum system requirements Category?
A. LON-CL1, LON-CL2 and LON-VS1

Q. Which clients are in the Not Ready for Windows 7 Category?
A. LON-VS2

Q. What are the minimum upgrades required to the Not Ready for Windows 7 Category systems?
A. Answers will vary based on the final VMs

6. Close the Windows7Assessment- report.
7. Close all open windows.

Task 3: Virtual Machine shutdown

When you finish the lab, revert each virtual machine back to its initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click each virtual machine name in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.


Lab B: Recommending an Activation Strategy

Computers in this lab

No virtual machines are necessary for this lab.

Exercise 1: Review the Activation Scenario

Scenario: ADatum Corporation

ADatum Corporation is a multi-national corporation that maintains three separate networks: a Production network for day-to-day operations, a Quality Assurance (QA) network for final testing of patches and changes, and a Test network used for Proof of Concept testing and Internal Development projects.

The production network consists of 200 servers and over 3000 desktop client systems in multiple locations. There are several Regional offices with local servers and approximately 100 Desktop clients. The branch offices range in size from a few desktop client systems to locations with a local server and up to 30 Desktop clients. In addition to the desktop systems there are over 200 Laptop systems in use by the Sales and Technical teams. These laptops may be off the corporate network for periods as long as 4 months.

The QA network consists of 10 servers and over 100 Desktop systems. The servers for the QA network are located at the Corporate HQ location. The QA network includes clients at each of the regional offices and branch offices with an IT staff connected to the corporate headquarters through a VPN.

The test network is isolated from the production network and the internet and wholly resides in the Corporate Headquarters location. This network consists of 10 servers and 50 desktop systems. The systems in the test network are frequently rebuilt due to the nature of their use.

The current network was built in a piecemeal fashion based on both growth and acquisitions. Due to this growth pattern a consistent licensing model has not been deployed.

A recent internal audit has revealed inadequacies with the existing license activation. The network is due for a technology refresh and, due to the issues revealed by the audit, Upper Management has asked you to recommend an activation model that will provide the most efficient method of activating all systems while maintaining a documentable method of managing the licenses.

Task 1: Discuss activation recommendations

Recommendations

There are several possible methods for license activation throughout the various networks at ADatum Corporation. One possible solution would include:
• Use KMS on the production network, deploying the KMS Hosts at the Corporate Headquarters, Regional Offices and Branch offices with an IT Staff. The smaller branch offices can activate against their parent Regional Office.
• Use MAK licenses for the Laptops.
• Use KMS for the QA network with a single host in the Corporate Headquarters.
• Use KMS for the Test network with a single KMS Host.




Module 2: Assessing Application Compatibility in Windows 7
Lab A: Evaluating Application Compatibility Using the Microsoft Application Compatibility Toolkit

Computers in this lab
Before you begin the lab, you must start the virtual machines. The virtual machines used at the start of this lab are:
• 6294A-LON-DC1
• 6294A-LON-CL1
• 6294A-LON-VS1

Start the virtual machines
1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.
2. In the Virtual Machines pane, click the virtual machine name. In the Actions pane, under the virtual machine name, click Start.
3. To connect to the virtual machine, click the virtual machine name, and in the Actions pane, under the virtual machine name, click Connect.


Exercise 1: Installing and Configuring ACT

Task 1: Install ACT
1. Log on to LON-DC1 as Contoso\Administrator using the password Pa$$w0rd.
2. Right-click Start, click Open Windows Explorer, and browse to E:\Labfiles\Mod02\.
3. Double-click Application Compatibility Toolkit.msi.
4. On the Welcome page, click Next.
5. On the License Agreement page, select I accept the terms in the license agreement, and then click Next.
6. On the Installation Folder page, click Next.
7. On the Ready to Install the Program page, click Install.
8. On the Installation Wizard Completed page, clear the check box next to Start a quick tour, and then click Finish.
9. Close the Explorer window.

Task 2: Configure ACT settings
1. On LON-DC1, click Start, point to All Programs, click Microsoft Application Compatibility Toolkit 5.5, and then click Application Compatibility Manager. The Welcome to the ACT Configuration Wizard starts.
2. On the Welcome page, click Next.
3. On the Select the Configuration Option page, ensure that Enterprise configuration is selected, and then click Next.
4. On the Configure Your ACT Database Settings page, next to SQL Server, select (local).
5. Click Connect.
6. On the Configure Your ACT Database Settings page, next to Database, type ACTDB, and then click Create. The database is created. Click Next.
7. On the Configure Your Log File Location page, next to Path, type C:\ACTLogs.
8. On the Configure Your Log File Location page, next to Share as, ensure that ACTLogs is entered, and then click Next.
9. On the Configure Your ACT Log Processing Service Account page, ensure that Local System is selected, and then click Next.
10. On the Congratulations page, clear the check mark next to Automatically check for updates on launch, and then click Finish. The Microsoft Application Compatibility Manager console opens.
11. On the Tools menu, click Settings.
12. In the Settings box, on the Settings page, verify that LON-DC1 is configured as the SQL Server, and that ACTDB is configured as the Database.
13. Under Log Processing Settings, verify that a check mark is visible next to This computer is configured as a Log Processing Service.
14. Verify that the Log Processing Service Account is configured as a Local System Account.
15. Verify that the Log Share is configured to be \\LON-DC1\ACTLogs.
16. Click the Preferences tab.
17. Under Community Settings, verify that a check mark is visible next to Yes, I want to join the ACT Community.
18. Under Update Settings, ensure that the check box next to Notify me when a newer version of ACT is available is cleared. Normally you would select this; however, the virtual computer is not connected to the Internet, so it will remain cleared for this exercise.
19. To close the Settings box, click OK.
20. Click Start, point to Administrative Tools, and then click Services.
21. Verify that the Act Log Processing Service has started. If it is not started, right-click the service, and then click Start.
22. Close the Services console.


Exercise 2: Collecting Application Inventory

Task 1: Create a Data Collection Package
1. In the Microsoft Application Compatibility Manager, on the Navigation pane, click Data Collection Packages.
2. On the File menu, click New to create a new Data Collection Package.
3. On the Settings tab, in the Package Name section, type DataCollectionPKG.
4. In the Evaluate compatibility when section, ensure that the option is selected next to Deploying a new Operating System or Service Pack, and then click Advanced.
5. On the Advanced Settings dialog box, make sure the following items are enabled, and then click OK:
• Inventory Collector – gathers hardware and software inventories.
• User Account Control Compatibility Evaluator – evaluates User Account Control issues.
• Windows Compatibility Evaluators – looks for specific Windows Vista compatibility issues, including applications that interact with GINA.DLL, applications that depend on deprecated components, and Session 0 issues.
6. Under When to monitor application usage, for Duration, configure 60 Minutes. In production, you will want to set this for at least 3–5 days to capture sufficient detail.
7. Under Where to output collected data, ensure that the Output Location shows LON-DC1 (\\LON-DC1\ACTLogs).
8. From the File menu, click Save and Create Data Collection Package. Save the file as DataCollectionPKG.msi in C:\Data.

Task 2: Install the Data Collection Package
1. Log on to LON-VS1 as Contoso\Alan using the password Pa$$w0rd.
2. Click Start, and then in the Start Search box type \\LON-DC1\Data, and then press ENTER.
3. Double-click DataCollectionPKG.
4. In the User Account Control dialog box, provide the following credentials and then click OK:
• User name: Administrator
• Password: Pa$$w0rd
5. The DataCollectionPKG installation runs. Close the Explorer window.
6. Right-click the Taskbar, and then click Task Manager. Click the Processes tab.
7. Click Show processes from all users.
8. In the User Account Control dialog box, provide the following credentials and then click OK:
• User name: Administrator
• Password: Pa$$w0rd
9. On the Processes tab, verify that the data collection is running by looking for the actdcsvc.exe process.
10. Close the Windows Task Manager.


Exercise 3: Organizing the Application Inventory

Task 1: Create and assign custom categories
1. Switch to LON-DC1.
2. In the Microsoft Application Compatibility Manager, click the Analyze button.
3. Under the Windows Vista Reports section, click Computers. Notice that LON-VS1 has reported information.
4. Double-click LON-VS1. Notice the inventory information that is reported on the Details tab.
5. Click the Applications tab. Notice the applications that are installed on LON-VS1.
6. Click the Devices tab. Notice the devices that have been reported for LON-VS1.
7. Close the LON-VS1 window.
8. Under the Windows Vista Reports section, click Applications. Take note of the My Assessment, Vendor Assessment, and Community Assessment columns. These columns would show status indicators as each application is assessed and reported to the online Compatibility Exchange site.
9. Select Microsoft Office PowerPoint Viewer 2007 (English), hold down the CTRL key, and then click Microsoft Office Word Viewer 2003.
10. Click the Actions menu, and then click Assign Categories.
11. In the Assign Categories dialog box, click the Category List button.
12. Click Add on the Categories side, and then type Line of Business.
13. Click Add on the SubCategories side, type Customer Service, and then click OK.
14. In the Assign Categories box, select the Customer Service sub-category, and then click OK.
15. Select the following applications:
• Microsoft BackInfo
• Office Diagnostics Service
16. Click the Actions menu, and then click Assign Categories.
17. In the Assign Categories dialog box, click the Category List button.
18. Click Add on the Categories side, and then type System Utilities.
19. Click Add on the SubCategories side, type Desktops, and then click OK.
20. In the Assign Categories box, select the Desktops sub-category, and then click OK.

Task 2: Assign application priorities
1. In the Analyze pane, under Windows Vista Reports, ensure that Applications is selected.
2. Right-click Microsoft BackInfo, and then click Set Priority.
3. In the Set Priority dialog box, click Priority 3 - Nice to Have, and then click OK.
4. Set the following applications priority settings as listed:
• Microsoft Office PowerPoint Viewer 2007 (English) - Priority 1 - Business Critical
• Microsoft Office Word Viewer 2003 - Priority 1 - Business Critical
• Office Diagnostics Service - Priority 4 - Unimportant

Task 3: Create a filter based upon priority
1. In the Analyze pane, under Windows Vista Reports, ensure that Applications is selected.
2. Click the Toggle Filter button in the menu bar.
3. Click Field, and then select Priority.
4. Click Value, and then select Priority 1 - Business Critical.
5. Right-click anywhere in the Filter pane, and then click Execute. You should now see a list with only Business Critical applications.
6. To save this new report, from the File menu, select Save.
7. In the Save As window, save the report as Business Critical Apps. Notice that all custom reports are saved by default in the Documents library.
8. Right-click anywhere in the Filter pane, click Clear, and then execute the query. You should now see the entire list.
9. Click the Toggle Filter button to close the Filter pane.


Exercise 4: Analyzing Application Inventory Results

Task 1: Track application status
1. In the Application Compatibility Manager, click Analyze.
2. Under Windows Vista Reports, click Applications.
3. Right-click Office Diagnostics Service, and then click Set Assessment.
4. In the Set Assessment box, click Does not work, and then click OK.
5. Right-click Microsoft BackInfo, and then click Set Assessment.
6. In the Set Assessment box, click Works with minor issues or has solutions, and then click OK.
7. Right-click Office Diagnostics Service, and then click Set Deployment Status.
8. In the Set Deployment Status box, click Will Not Deploy, and then click OK.
9. Right-click Microsoft BackInfo, and then click Set Deployment Status.
10. In the Set Deployment Status box, click Mitigating, and then click OK.

Task 2: Create a custom issue
1. Double-click Office Diagnostics Service.
2. Click the Issues tab.
3. On the toolbar, click the Add Issue button.
4. In the New Issue box, enter the following information, and then click Save:
• Title: Office Diagnostics Service does not function in Windows 7
• Priority: Priority 2 - Must Fix
• Severity: Severity 2 - Major functionality loss
• Symptom: Application functionality impaired on platform upgrade
• Cause: Application is not supported on this version of the operating system
• Affected Operating System: Windows Vista and Windows 7 RC
• Issue Description: Office Diagnostics Service does not work with Windows Vista RTM or Windows 7
5. After you have saved the new issue, click the Solutions tab.
6. On the toolbar, click Add Solution.
7. In the Add Solution dialog box, enter the following, and then click Save:
• Title: Office Diagnostics Service Fix
• Solution Type: Application has an update
• Solution Details: Install the latest Service Pack
8. Close all windows to return to the main Microsoft Application Compatibility Manager window.
9. Close the Microsoft Application Compatibility Manager.
10. Click Yes to save changes.


Lab B: Creating Application Compatibility Fixes

Computers in this lab
Before you begin the lab, you must start the virtual machines. The virtual machines used at the start of this lab are:
• 6294A-LON-DC1
• 6294A-LON-CL1

Start the virtual machines
The virtual machines should already be started from Lab A. However, if the virtual machines were shut down, perform the following steps:
1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.
2. In the Virtual Machines pane, click the virtual machine name. In the Actions pane, under the virtual machine name, click Start.
3. To connect to the virtual machine, click the virtual machine name, and in the Actions pane, under the virtual machine name, click Connect.


Exercise 1: Identifying Application Compatibility Issues

Task 1: Start the StockViewer application to determine application compatibility issues
1. Log on to LON-CL1 as Contoso\Alan with the password Pa$$w0rd.
2. Click Start and then click StockViewer.
3. On the Permission denied box, click OK.
4. On the Stock Viewer toolbar, click Trends. An error appears.
5. On the Error box, click OK.
6. Click the Tools menu and then click Options. An unhandled exception error appears.
7. Click Continue to close the error.
8. Click the Tools menu and then click Show Me a Star. An error appears stating that the application requires Windows XP.
9. Click OK to close the Unsupported Version box.
10. Close the Stock Viewer application.

Task 2: Test elevated privileges
1. On LON-CL1, click Start, right-click StockViewer, and then click Run as Administrator.
2. In the User Account Control box, provide the following credentials, and then click Yes:
• User name: Administrator
• Password: Pa$$w0rd
3. On the Stock Viewer toolbar, click Trends.
4. Click the Tools menu, click Options, and then click OK.
5. Click the Tools menu, and then click Show Me a Star.
6. Click OK to close the Unsupported Version box.
7. Close the Stock Viewer application.


Exercise 2: Mitigating Application Issues

Task 1: Use SUA to identify and apply fixes
1. On LON-CL1, click Start, point to All Programs, click Microsoft Application Compatibility Toolkit 5.5, click Developer and Tester Tools, and then click Standard User Analyzer.
2. On the App Info tab, next to Target Application, click Browse.
3. Browse to C:\Program Files\StockViewer\StockViewer.exe, and then click Open.
4. Under Launch Options, clear the check box next to Elevate.
5. Click the Launch button.
6. In the User Account Control box, provide the following credentials, and then click Yes:
• User name: Administrator
• Password: Pa$$w0rd
7. On the Warning dialog box, click Yes.
8. On the Permission denied dialog box, click OK.
9. On the Stock Viewer toolbar, click Trends. An error appears.
10. On the Error box, click OK.
11. Click the Tools menu and then click Options. An unhandled exception error appears.
12. Click Continue to close the error.
13. Click the Tools menu, and then click Show Me a Star. An error appears stating that the application requires Windows XP.
14. Click OK to close the Unsupported Version box.
15. Close the Stock Viewer application.
16. In the Standard User Analyzer window, review the following tabs: File, Registry, Token, Name Space, Other Objects. Note that these are the errors that were detected while SUA was monitoring the application.
17. Click the Mitigation menu, and then click Apply Mitigations.
18. On the Mitigate AppCompat Issues, click Apply.

Task 2: Test the fixed application
1. On LON-CL1, click Start, and then click Stock Viewer.
2. On the Stock Viewer toolbar, click Trends.
3. Click the Tools menu, click Options, and then click OK.
4. Click the Tools menu, and then click Show Me a Star.
5. Click OK to close the Unsupported Version box.
6. Close the Stock Viewer application.
7. Close the Standard User Analyzer.

Task 3: Use the Compatibility Administrator to create a custom shim
1. On LON-CL1, click Start, point to All Programs, click Microsoft Application Compatibility Toolkit 5.5, and then right-click Compatibility Administrator.
2. Click Run as administrator.
3. In the User Account Control box, provide the following credentials, and then click Yes:
• User name: Administrator
• Password: Pa$$w0rd
4. In the left pane, expand Installed Databases.


5. Under Installed Databases, expand AppCompat Shims for StockViewer.exe. Notice that this was installed by the SUA.
6. Expand Applications and then click the application GUID entry. Notice the types of compatibility fixes that were applied when the SUA was used.
7. Right-click AppCompat Shims for StockViewer.exe, click Uninstall, and then click OK.
8. In the left pane, expand Custom Databases, and then click New Database(1) [Untitled_1].
9. On the toolbar, click Fix.
10. In the Create New Application Fix box, on the Program Information page, provide the following and then click Next:
• Name of the program to be fixed: StockViewer
• Program file location: C:\Program Files\StockViewer\StockViewer.exe
11. On the Compatibility Modes page, click None, and then click Next.
12. On the Compatibility Fixes page, select the following, and then click Next:
• ElevateCreateProcess
• ForceAdminAccess
• LocalMappedObject
• VirtualizeHKCRLite
13. On the Matching Information page, click Finish.
14. On the toolbar, click Save.
15. In the Database Name box, type StockViewerFix, and then click OK.
16. In the Save Database box, type C:\Data\StockViewerFix, and then click Save.
17. On the toolbar, click Fix.
18. In the Create New Application Fix box, on the Program information page, provide the following information, and then click Next:
• Name of the program to be fixed: Star
• Program file location: C:\Program Files\StockViewer\DWM Compositing Rendering Demo.exe
19. On the Compatibility Modes page, click None, and then click Next.
20. On the Compatibility Fixes page, select WinXPSP2VersionLie, and then click Next.
21. On the Matching Information page, click Finish.
22. On the toolbar, click Save.
23. Right-click StockViewerFix, click Install, and then click OK.
24. Close the Compatibility Administrator.

Task 4: Test the fixed application
1. On LON-CL1, click Start, and then click Stock Viewer.
2. On the Stock Viewer toolbar, click Trends.
3. Click the Tools menu, click Options, and then click OK.
4. Click the Tools menu, and then click Show Me a Star.
5. Click the star to close the graphic.
6. Close the Stock Viewer application.

Task 5: Virtual machine shutdown
When you finish the lab, revert each virtual machine back to its initial state. To do this, complete the following steps:


1. On the host computer, start Hyper-V Manager.
2. Right-click each virtual machine name in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
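The custom shim database installed in Lab B changes how StockViewer.exe runs under User Account Control, so it is worth being able to list which shim databases a computer has registered (on LON-CL1 this has to be done before the virtual machine is reverted). The following read-only inventory is an added example, not part of the course material; the function names are hypothetical, and it assumes the standard AppCompatFlags registry locations where Windows records installed shim databases.

```powershell
# Added example, not part of the course material: read-only inventory of the
# custom shim databases (.sdb) registered on the local computer.
# Written for Windows PowerShell 2.0, the version included with Windows 7.

# Assumption: installed shim databases are recorded under these keys
# (native view and, on 64-bit systems, the 32-bit view).
$AppCompatRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags'
)

function Get-FileSha256 {
    # Returns the SHA-256 of a file as hex, or $null if the file is missing.
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return $null }
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        return ([System.BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', '')
    } finally {
        $stream.Close()
        $sha.Clear()
    }
}

function Get-ShimTargetMap {
    # Builds a table of database GUID -> executable names listed under Custom.
    $map = @{}
    foreach ($root in $AppCompatRoots) {
        $custom = Join-Path $root 'Custom'
        if (-not (Test-Path $custom)) { continue }
        Get-ChildItem $custom | ForEach-Object {
            $exe = $_.PSChildName
            $_.GetValueNames() | ForEach-Object {
                # Value names have the form {GUID}.sdb
                $guid = ($_ -replace '\.sdb$', '').ToUpper()
                if (-not $map.ContainsKey($guid)) { $map[$guid] = @() }
                if ($map[$guid] -notcontains $exe) { $map[$guid] += $exe }
            }
        }
    }
    return $map
}

function Get-InstalledShimDatabase {
    # Emits one object per registered shim database.
    $targets = Get-ShimTargetMap
    foreach ($root in $AppCompatRoots) {
        $installed = Join-Path $root 'InstalledSDB'
        if (-not (Test-Path $installed)) { continue }
        Get-ChildItem $installed | ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            $guid = $_.PSChildName.ToUpper()
            $when = $null
            if ($p.DatabaseInstallTimeStamp) {
                # Stored as a 64-bit FILETIME value
                $when = [DateTime]::FromFileTimeUtc([Int64]$p.DatabaseInstallTimeStamp)
            }
            New-Object PSObject -Property @{
                Guid         = $guid
                Description  = $p.DatabaseDescription
                Path         = $p.DatabasePath
                InstalledUtc = $when
                Targets      = ($targets[$guid] -join ', ')
                FileExists   = [bool]($p.DatabasePath -and (Test-Path -LiteralPath $p.DatabasePath))
                Sha256       = Get-FileSha256 $p.DatabasePath
            } | Select-Object Guid, Description, Targets, InstalledUtc, Path, FileExists, Sha256
        }
    }
}

Get-InstalledShimDatabase | Format-List
```

Comparing the reported hash with the hash of the database file saved in C:\Data confirms that the installed copy is the one that was authored in Compatibility Administrator.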


Module 3: Evaluating Windows® 7 Deployment Methods
Lab: Determining the Windows 7 Deployment Method

Exercise 1: Planning a Windows 7 Deployment for a Small Network

Task 1: Read the supporting documentation
• Read the supporting documentation.

Task 2: Update the proposal document with your planned course of action
• Answer the questions in the additional information section of the document.
• Update the Slough Production Plant: Windows 7 Upgrade Proposal document with your planned course of action. Your proposal should include details about the specific services you would need to support your deployment method. Where appropriate, the proposal should also include details about answer files, images, and other related material.

Slough Production Plant: Windows 7 Upgrade Proposal
Document Reference Number: EM3007
Document Author: Ed Meadows
Date: 30th July

Requirement Overview
To replace the Windows Vista operating system with Windows 7 for all computers in the Slough production plant.
To migrate applications and user data during the upgrade process.

Additional Information
There are 10 computers running Windows Vista at the Slough plant.
Following research with the staff at Slough, you have determined that they work in three shifts; this means that at some point in the day, all computers are not being used.

1. Is deployment by using WDS suitable in this situation? Why or why not?
Answer. WDS is not suitable; the network is not provided with a DHCP server, which is a requirement of deploying WDS.

2. Would the use of WAIK be beneficial in the Slough plant upgrade?
Answer. Depending upon the deployment method selected, it might be helpful to use Windows SIM, a Windows AIK tool, to help to automate the installation of Windows 7. By associating an answer file with a standard image (.WIM file in the \sources folder) Windows 7 could more easily be deployed. The answer file could be saved to a memory stick for use during an interactive installation. The degree of automation depends upon the options configured in the answer file.

3. How would you propose to handle the installation of custom applications?
Answer. Assuming that you decide to perform an in-place upgrade, there would be no need to reinstall applications; they would still be present on the system.
If you opted to perform a wipe and load installation, it would be necessary to deploy the custom applications. Since not all workstations at Slough have these applications installed, it might be easiest to install them manually where necessary. However, existing GPO might be responsible for these custom application deployments.


4. How would you propose to deploy standard office productivity applications?
Answer. Assuming that you decide to perform an in-place upgrade, there would be no need to reinstall applications; they would still be present on the system.
If you opted to perform a wipe and load installation, it would be necessary to deploy the standard office productivity applications. An existing GPO might be responsible for deploying standard office productivity applications.

5. How would you propose to handle user state data and application settings?
Answer. If an in-place upgrade is performed, then user data and application settings would be retained.
If a wipe and load deployment is performed, then it will be necessary to migrate user data and settings by using either USMT or WET. The file server at Slough could be used to store the data and settings during the migration process.

Proposals
The infrastructure does not support the use of WDS. However, you could still choose to deploy an operating system image locally, perhaps by using imageX. Given that there are a small number of computers, and that each computer has a slightly different build, creating a single, standard image might prove challenging.
The easiest approach would be to perform an in-place upgrade, in which all applications, user data, and settings are retained. Alternatively, a wipe and load deployment could be implemented; this would necessarily involve backing up user data and settings, re-installing the required applications, and then restoring the user data and settings. Either USMT or WET could be used to migrate these data and settings.


Exercise 2: Planning a Windows 7 Deployment for a Larger Network

Task 1: Read the supporting documentation
• Read the supporting documentation.

Task 2: Update the proposal document with your planned course of action
• Answer the questions in the additional information section of the document.
• Update the Hammersmith Production Plant: Windows 7 Upgrade Proposal document with your planned course of action. Your proposal should include details about the specific services you would need to support your deployment method. Where appropriate, the proposal should also include details about answer files, images, and other related material.

Hammersmith Production Plant: Windows 7 Upgrade Proposal
Document Reference Number: EM1008
Document Author: Ed Meadows
Date: 10th August

Requirement Overview
To replace the Windows Vista operating system with Windows 7 for all computers in the Hammersmith production plant.
To ensure that user data is migrated as part of the upgrade process.
To ensure that there is minimal downtime of the workstations at the Hammersmith plant; they are in constant use.

Additional Information
There are 25 computers running Windows Vista at the Hammersmith plant.
Following research with the staff at Hammersmith, you have determined that their computers are in constant use.

1. Is deployment by using WDS suitable in this situation? Why or why not?
Answer. No. Although DHCP and DNS are both present on the network, Server Core does not support the WDS Server role.

2. How would you propose to handle the installation of custom applications?
Answer. Application deployment is currently configured through GPO. There is no need to deploy the custom applications manually.

3. How would you propose to deploy standard office productivity applications?
Answer. Application deployment is currently configured through GPO. There is no need to deploy the office productivity applications manually.

4. How would you propose to handle user state data and application settings?
Answer. User data and settings must be migrated as these exist locally on each computer. The precise method depends upon which deployment method is selected. As Charlotte has suggested the computers are due to be replaced, it would be possible to perform a clean installation or apply a local image to each new computer. After applications are deployed by GPO, user data and settings could be migrated by using either USMT (using the local server for storage during migration), or else by using WET, with a direct cable connection between the computers.


Proposals
Either perform a local installation from DVD, perhaps using an answer file generated from Windows SIM, or else create a standard desktop image using a source computer, sysprep, and imageX. Essentially, you are creating a thin image as all applications are deployed by GPO. Once each computer has been deployed, migrate the user data from the old desktop computer to the new desktop computer.


Exercise 3: Planning a Windows 7 Deployment for a Large Network

Task 1: Read the supporting documentation
• Read the supporting documentation.

Task 2: Update the proposal document with your planned course of action
• Answer the questions in the additional information section of the document.
• Update the Production Department: Windows 7 Upgrade Proposal document with your planned course of action. Your proposal should include details about the specific services you would need to support your deployment method. Where appropriate, the proposal should also include details about answer files, images, and other related material.

Production Department: Windows 7 Upgrade Proposal
Document Reference Number: EM0109
Document Author: Ed Meadows
Date: 1st September

Requirement Overview
To replace the Windows Vista operating system with Windows 7 for all computers in the rest of the production department based at the Reading plant.

Additional Information
There are 150 computers running Windows Vista at the Reading plant. At any one time, around a third of all computers are not in use.
The computers are all in one of three subnets, with core services on the backbone. Each subnet has its own file server that hosts shared data and applications.

1. Is deployment by using WDS suitable in this situation? Why or why not?
Answer. Yes, the WDS role could be deployed onto one of the servers on the backbone network; Server Core does not support the WDS role, so they could not provide the WDS service.

2. How would you propose to handle the installation of custom applications?
Answer. The desktop computers are using a standard configuration. This means that the applications could be included as part of the OS deployment. A custom image file could contain all the custom applications required by the workstations.

3. How would you propose to deploy standard office productivity applications?
Answer. Standard office productivity applications can be included in the custom build.

4. How would you propose to handle user state data and application settings?
Answer. Given the large number of users involved, and the fact that user data is stored locally, USMT would be the preferred method of migrating user data. The adjacent file server could store the settings during the migration process.

Proposals
Given the large number of standard workstations, creating a custom image that includes the required applications would seem the sensible deployment method. Implement WDS on one of the backbone servers, and then create a custom image for deployment. Add the image, and a relevant boot image, to the server. Configure the appropriate method of deployment on WDS; choose either scheduled-cast, or auto-cast. Visit the appropriate workstation, and connect it to the WDS server by using PXE-boot.


Exercise 4: Planning a Windows 7 Deployment for an Enterprise Network

Task 1: Read the supporting documentation
• Read the supporting documentation.

Task 2: Update the proposal document with your planned course of action
• Answer the questions in the additional information section of the document.
• Update the Contoso: Windows 7 Upgrade Proposal document with your planned course of action. Your proposal should include details about the specific services you would need to support your deployment method. Where appropriate, the proposal should also include details about answer files, images, and other related material.

Contoso: Windows 7 Upgrade Proposal
Document Reference Number: EM1712
Document Author: Ed Meadows
Date: 17th December

Requirement Overview
To replace the Windows Vista operating system with Windows 7 for all computers in the Contoso organization.
To deploy applications as part of the upgrade, and to ensure that all user data and settings are accessible after the upgrade.

Additional Information
There are 1,500 computers running Windows Vista at the Kensington head office.
Staff at Kensington usually work only standard office hours—9.00 am until 5.30 pm.

1. Do you envisage using deployment images?
Answer. Yes—it enables the deployment to take place more quickly. Performing an interactive installation on 1,500 computers would not be efficient.

2. If so, how many images would you propose using?
Answer. There are three departments at Kensington. Assuming they all have different requirements, three images would be logical. It would be worth investigating how different the builds are, as GPO has been used for application deployment in the Production department; a single corporate image might be feasible.

3. What additional services would you need to support your proposal?
Answer. Given the large number of workstations, and the possibility of multiple images, using MDT might be sensible. At the very least, WDS should be considered to help with image deployment. If ZTI is envisaged, either SCCM or SMS would be required.

4. How would you propose to deploy standard office productivity applications?
Answer. MDT supports the deployment of applications. Alternatively, the image deployed could contain the necessary applications.

5. How would you propose to handle user state data and application settings?
Answer. LTI deployments support Upgrade deployment methods, as well as Refresh computer methods. In the case of the Upgrade method, user data and settings are retained. However, most, if not all, user data and settings are stored in redirected folders configured through GPO.

Proposals
Use MDT to create either LTI or ZTI installations depending upon the degree of automation required. MDT supports the degree of customization and the diversification of the different computers installed throughout the head office. Features such as support for additional Out-of-box drivers, application deployment, and the management of user state data make it the logical choice for larger deployments.




Module 4: Designing Standard Windows® 7 Images

Lab: Determining the Windows 7 Imaging Strategy

Exercise 1: Planning the Imaging Strategy for a Branch Office Network

Task 1: Read the supporting documentation
• Read the supporting documentation.

Task 2: Update the proposal document with your planned course of action
• Answer the questions in the additional information section of the document.
• Update the Hammersmith Production Plant: Desktop Image document with your planned course of action.

Hammersmith Production Plant: Desktop Image
Document Reference Number: CW1408
Document Author: Charlotte Weiss
Date: 14th August

Requirement Overview
Design a Windows 7 image strategy that supports the deployment of the new operating system to newly delivered computers at the Hammersmith plant.
Conserve server storage as the server won’t be getting a disk upgrade in the near future and has limited capacity.
Minimize support staff effort during the rollout.
There are 25 computers in total, all of which use Office 2007 Professional.
All computers connect to a printer, the driver for which is not in the current driver store in Windows 7.
10 computers use a custom line-of-business application that runs within a virtual machine; currently, the guest operating system runs within Virtual PC 2007.
The remaining group of 15 computers runs another LOB application that runs natively within Windows Vista.

Additional Information
1. Will you use a standard image(s), or else create a custom image(s)?
Answer. Standard images require no storage on the server as you can use the images in the sources folder on the product DVD. An answer file could be used to automate the installation process. However, following deployment of the image, two separate builds would need to be created to support the two distinct sets of users; those with the Linux application, and those with the Windows custom LOB application. In addition, the standard image would not include the printer driver or the Office 2007 application. A custom image would be a suitable choice.

2. How many images do you envisage needing?
Answer. One hybrid image. This image would contain the operating system, the required drivers, and the Office 2007 application.

3. Do you envisage using thin, thick, or hybrid images?
Answer. A hybrid image balances disk consumption on the server, and the need to deploy application with the OS. To support the two distinct sets of users with a thick image would require two images – one with the DOS application, and the other with the Windows LOB application. These applications could be deployed post-installation, possibly by using GPO.

4. How will you handle the printer driver and required updates and patches?
Answer. These would be included as part of the hybrid image.

5. How will you create the images that you plan to implement?
Answer. A source computer is built, and relevant drivers, patches, updates, and common applications are installed. Sysprep.exe is run to remove identifying characteristics, and then imageX.exe is used to capture the image, possibly to the server. If storage is very scarce, then the image could be stored on removable media.

6. Will you deploy the applications as part of the image(s)?
Answer. The common applications will be part of the hybrid image. The custom LOB applications will be deployed by using GPOs from the local file server.

Proposals
The server lacks sufficient storage to host multiple images. The line speed prohibits extensive use of GPOs to initially deploy larger applications. Two standard builds exist. To balance these requirements, a single hybrid image should be used that includes the necessary drivers, updates, patches, and the Office applications used on all computers. Once the deployment is complete, GPO settings will be used to deploy the custom LOB applications to the appropriate computers. GPOs will also be used to configure and maintain the computers after deployment.


Exercise 2: Planning the Imaging Strategy for an Enterprise Network

Task 1: Read the scenario
• Read the scenario.

Task 2: Update the proposal document with your planned course of action
• Answer the questions in the additional information section of the document.
• Update the Kensington Head Office: Desktop Image document with your planned course of action. Your proposal should include details about the specific services you would need to support your imaging method.

Kensington Head Office: Desktop Image
Document Reference Number: RI0201
Document Author: Ryan Ihrig
Date: 2nd January

Requirement Overview
Design a Windows 7 image strategy that supports the deployment of the Windows 7 operating system to all computers at the Kensington head office.
Storage space on the file servers is not restricted.
There is spare network bandwidth to support the deployment process.
It is desirable to use GPOs to perform as much centralized management of computers as possible.

Additional Information
1. Will you use a standard image(s), or else create a custom image(s)?
Answer. Some degree of customization might be desirable.

2. How many images do you envisage needing?
Answer. A single thin image.

3. Do you envisage using thin, thick, or hybrid images?
Answer. Thin images, using System Center Configuration Manager and supporting infrastructure to deploy applications, updates, drivers, and patches after the installation of the image.

4. How will you handle the various drivers, updates, and patches?
Answer. By using Configuration Manager and supporting technologies.

5. How will you deploy the images that you plan to implement?
Answer. ZTI by implementing MDT with Configuration Manager.

6. Will you deploy the applications as part of the image(s)?
Answer. No. They will be deployed post-installation.

Proposals
Since Configuration Manager exists on the network, and GPOs are used to manage client computers, and given also that many builds exist within the Contoso head office, it is suggested that the use of thin client images is appropriate. Applications, updates, and drivers can be deployed after the images are deployed. In addition, MDT and SCCM can migrate the user state data and settings to complete the deployment process.




Module 5: Deploying Windows® 7 by Using Windows AIK

Lab A: Installing the Windows Automated Installation Kit

Computers in this lab
Before you begin the lab, you must start the virtual machines. The virtual machines used at the start of this lab are:
• 6294A-LON-DC1
• 6294A-LON-CL2

Start the virtual machines
1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.
2. In the Virtual Machines pane, click the virtual machine name. In the Actions pane, under the virtual machine name, click Start.
3. To connect to the virtual machine, click the virtual machine name, and in the Actions pane, under the virtual machine name, click Connect.


Exercise 1: Installing the Windows Automated Installation Kit

Task 1: Mount the external media on LON-CL2
1. On the host computer, in the Hyper-V Manager, right-click 6294A-LON-CL2 and then click Settings.
2. In the Settings for 6294A-LON-CL2 dialog box click DVD Drive.
3. Select the Image File: radio button and specify the image file C:\Program Files\Microsoft Learning\6294\drives\WAIK.ISO.
4. In the Settings for 6294A-LON-CL2 dialog box click OK.

Task 2: Install the Windows Automated Installation Kit
1. Log on to the LON-CL2 virtual machine as Contoso\Administrator with a password of Pa$$w0rd.
2. Click Start then click Computer.
3. Right-click D:\ and click Open, right-click StartCD and click Run as administrator.
4. On the Welcome to Windows Automated Installation Kit page click Windows AIK Setup.
5. On the Welcome to the Windows Automated Installation Kit Setup Wizard page, click Next.
6. On the License Terms page select the I Agree radio button and then click Next.
7. On the Select Installation Folder page review the defaults and then click Next.
8. On the Confirm Installation page click Next.
9. On the Installation Complete page click Close.
10. Close the Welcome to Windows Automated Installation Kit page.
11. Close the Explorer window.


Exercise 2: Identifying Resources and Tools included with the Windows Automated Installation Kit

Task 1: Examine the Windows Automated Installation Kit Start Menu folder
1. Click Start, point to All Programs, click Microsoft Windows AIK.
Question: Which applications are represented in the Start Menu?
Answer: Deployment Tools Command Prompt, Windows System Image Manager and the Volume Activation Management Tool.
2. Right-click Deployment Tools Command Prompt and select Run as Administrator.
Question: Most of the WAIK tools are command-line based. What happened to the PATH when you opened the Deployment Tools Command Prompt?
Answer: The path was updated to include the dism, oscdimg and imagex tools.
3. Close the Administrator: Deployment Tools Command Prompt.

Task 2: Examine the Windows Automated Installation Kit folder structure
1. Click Start then click Computer.
2. Double-click Local Disk (C:), and then drill down to C:\Program Files\Windows AIK.
Question: What folders are present?
Answer: Docs, Samples, SDKs and Tools.
3. Double-click the Tools folder.
Question: Each folder contains one or more of the WAIK tools. Which folders are present?
Answer: amd64, IA64, Image Manager, PETools, Servicing, USMT, VAMT, x86.
4. Double-click one of the platform folders (such as the x86 folder).
Question: Which executables are present in the platform folder?
Answer: bcdboot.exe, imagex.exe, intlcfg.exe, oscdimg.exe, wdsmcast.exe, WimMountInstall.exe and wimserv.exe.

Task 3: Examine the Windows Automated Installation Kit User’s Guide
1. Click Start, point to All Programs, click Microsoft Windows AIK, click Documentation, and then click Windows Automated Installation Kit User’s Guide.
2. Expand Windows Automated Installation Kit (Windows AIK) User’s Guide.
3. In the content pane, select Overview of the Windows AIK.
4. Review the Overview.
5. Click the Search tab.
6. Type bcdboot.exe and click List Topics.
7. Double-click Command-Line Tools Technical Reference.
8. Review the descriptions of the command-line tools included with the WAIK.


Lab B: Building a Reference Image Using Windows SIM and Sysprep

Computers in this lab
6294A-LON-IMG2 is an optional system that is pre-built for the lab and is in the state LON-IMG1 would be in at the end of Exercise 2. Do not start 6294A-LON-IMG1 or 6294A-LON-IMG2 at the beginning of the lab. The virtual machines used in this lab are:
• 6294A-LON-DC1
• 6294A-LON-CL2
• 6294A-LON-IMG1
• 6294A-LON-IMG2

Exercise 1: Building a Custom Answer File by Using Windows SIM

Task 1: Mount the external media on LON-CL2
1. On the host computer, in the Hyper-V Manager, right-click 6294A-LON-CL2 and click Settings.
2. In the Settings for 6294A-LON-CL2 dialog box select DVD Drive.
3. Select the Image File: radio button and specify the image file C:\Program Files\Microsoft Learning\6294\Drives\Windows7_32bit.iso.
4. In the Settings for 6294A-LON-CL2 dialog box, select Diskette Drive.
5. Select the Virtual floppy disk (.vfd) file: radio button and specify the file: C:\Program Files\Microsoft Learning\6294\Drives\UnattendAnswer.vfd.
6. In the Settings for 6294A-LON-CL2 dialog box click OK.

Task 2: Create a new answer file
1. Switch back to LON-CL2 and close the Autoplay dialog box for the Windows 7 DVD.
2. Click Start, point to All Programs, click Microsoft Windows AIK, right-click Windows System Image Manager and then click Run as Administrator.
3. Right-click in the Windows Image pane, and then click Select Windows Image.
4. Browse to \\LON-DC1\Labfiles\Source\Sources and then double-click Install_Windows 7 ENTERPRISE.clg.
5. On the File menu, click New Answer File.

Task 3: Add and configure Windows settings
1. In the Windows Image pane of Windows SIM, expand the Components node to display available settings.
2. On the expanded list of components, add the following components to your answer file by right-clicking the component and then by selecting the appropriate configuration pass.

Component                                                                                   Configuration Pass
x86_Microsoft-Windows-Setup\DiskConfiguration\Disk\CreatePartitions\CreatePartition         windowsPE
x86_Microsoft-Windows-Setup\DiskConfiguration\Disk\ModifyPartitions\ModifyPartition         windowsPE
x86_Microsoft-Windows-Setup\ImageInstall\OSImage\InstallTo                                  windowsPE
x86_Microsoft-Windows-Setup\UserData                                                        windowsPE
x86_Microsoft-Windows-International-Core-WinPE                                              windowsPE
x86_Microsoft-Windows-Shell-Setup\OEMInformation                                            specialize
x86_Microsoft-Windows-Shell-Setup\OOBE                                                      oobeSystem
x86_Microsoft-Windows-Shell-Setup\Autologon                                                 auditSystem
x86_Microsoft-Windows-Deployment\Reseal                                                     oobeSystem

3. All the settings you added must appear in the Answer File pane. Select and configure each setting as specified below.

Component: x86_Microsoft-Windows-International-Core-WinPE
    InputLocale = en-US
    SystemLocale = en-US
    UILanguage = en-US
    UILanguageFallback = en-US
    UserLocale = en-US
Component: Microsoft-Windows-International-Core-WinPE\SetupUILanguage
    UILanguage = en-US
Component: Microsoft-Windows-Setup\DiskConfiguration
    WillShowUI = OnError
Component: Microsoft-Windows-Setup\DiskConfiguration\Disk
    DiskID = 0
    WillWipeDisk = true
Component: Microsoft-Windows-Setup\DiskConfiguration\Disk\CreatePartitions\CreatePartition
    Extend = true
    Order = 1
    Type = Primary
Component: Microsoft-Windows-Setup\DiskConfiguration\Disk\ModifyPartitions\ModifyPartition
    Active = true
    Format = NTFS
    Label = Windows
    Letter = C
    Order = 1
    PartitionID = 1
Component: Microsoft-Windows-Setup\ImageInstall\OSImage
    WillShowUI = OnError
Component: Microsoft-Windows-Setup\ImageInstall\OSImage\InstallTo
    DiskID = 0
    PartitionID = 1
Component: Microsoft-Windows-Setup\UserData
    AcceptEula = true
    FullName = Administrator
    Organization = Contoso
Component: Microsoft-Windows-Setup\UserData\ProductKey
    WillShowUI = OnError
Component: Microsoft-Windows-Shell-Setup\OEMInformation
    HelpCustomized = false
    Manufacturer = Contoso IT Group
    SupportHours = 9 - 5
    SupportPhone = 555-9988
    SupportURL = http://Technet.Microsoft.Com
Component: Microsoft-Windows-Shell-Setup\AutoLogon
    Enabled = true
    LogonCount = 5
    Username = Administrator
Component: Microsoft-Windows-Shell-Setup\AutoLogon\Password
    Password = Pa$$w0rd
Component: Microsoft-Windows-Deployment\Reseal
    ForceShutdownNow = false
    Mode = Audit
Component: Microsoft-Windows-Shell-Setup\OOBE
    NetworkLocation = Work
    ProtectYourPC = 1

Task 4: Validate the answer file
1. In Windows SIM, click Tools, and then click Validate Answer File.
2. A “No warnings or errors” message should appear in the Messages pane.
3. If an error occurs, double-click the error in the Messages pane to navigate to the incorrect setting. Change the setting to fix the error, and then revalidate.
4. On the File menu, click Save Answer File As. Save the answer file to the root of the A:\ drive as Autounattend.xml.
5. Close Windows SIM.

Task 5: Unmount the external media on LON-CL2
1. On the host computer, in the Hyper-V Manager, right-click 6294A-LON-CL2, and then select Settings.
2. In the Settings for 6294A-LON-CL2 dialog box select DVD Drive.
3. Select the None radio button.
4. In the Settings for 6294A-LON-CL2 dialog box select Diskette Drive.
5. Select the None radio button.
6. In the Settings for 6294A-LON-CL2 dialog box click OK.
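
The answer file built in this exercise stores the AutoLogon password in Autounattend.xml, which is saved to A:\ and reused for the reference build. The Python check below is an added example, not part of the courseware: it parses an answer file and reports stored credentials and enabled auto-logon without copying the secret into its output. The XML sample is constructed from the lab's settings and trimmed (real answer files carry more component attributes), the function names are this example's own, and it goes beyond the lab by also covering AdministratorPassword and Password elements that hold the secret as direct text.

```python
import xml.etree.ElementTree as ET

NS = {"u": "urn:schemas-microsoft-com:unattend"}
CREDENTIAL_ELEMENTS = {"Password", "AdministratorPassword"}

# Constructed sample: a trimmed rendering of settings from the lab's table.
SAMPLE_ANSWER_FILE = """\
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="windowsPE">
    <component name="Microsoft-Windows-Setup" processorArchitecture="x86">
      <DiskConfiguration>
        <WillShowUI>OnError</WillShowUI>
        <Disk>
          <DiskID>0</DiskID>
          <WillWipeDisk>true</WillWipeDisk>
        </Disk>
      </DiskConfiguration>
    </component>
  </settings>
  <settings pass="auditSystem">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86">
      <AutoLogon>
        <Password>
          <Value>Pa$$w0rd</Value>
          <PlainText>true</PlainText>
        </Password>
        <Enabled>true</Enabled>
        <LogonCount>5</LogonCount>
        <Username>Administrator</Username>
      </AutoLogon>
    </component>
  </settings>
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Deployment" processorArchitecture="x86">
      <Reseal>
        <ForceShutdownNow>false</ForceShutdownNow>
        <Mode>Audit</Mode>
      </Reseal>
    </component>
  </settings>
</unattend>
"""


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def _walk(elem, path=()):
    """Yield ('A/B/C', element) for every descendant of elem."""
    for child in elem:
        child_path = path + (_local(child.tag),)
        yield "/".join(child_path), child
        yield from _walk(child, child_path)


def _text(elem, name):
    """Stripped text of a direct child; '' when the child is missing."""
    return (elem.findtext("u:" + name, default="", namespaces=NS) or "").strip()


def audit_answer_file(xml_text):
    """Return findings for stored credentials and enabled auto-logon.

    The secret itself is never copied into a finding.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for settings in root.findall("u:settings", NS):
        for comp in settings.findall("u:component", NS):
            where = {"pass": settings.get("pass", "unknown"),
                     "component": comp.get("name", "unknown")}
            for path, elem in _walk(comp):
                tag = _local(elem.tag)
                if tag in CREDENTIAL_ELEMENTS:
                    # Two shapes: <Password><Value>..</Value></Password>,
                    # or the secret as the element's own text.
                    secret = _text(elem, "Value") or (elem.text or "").strip()
                    if not secret:
                        continue
                    # PlainText=false marks a value Windows SIM has encoded
                    # (Base64), which is not encryption. A missing flag is
                    # treated as cleartext (this example's own choice).
                    encoded = _text(elem, "PlainText").lower() == "false"
                    issue = "credential-encoded" if encoded else "credential-cleartext"
                    findings.append(dict(where, setting=path, issue=issue))
                elif tag == "AutoLogon" and _text(elem, "Enabled").lower() == "true":
                    count = _text(elem, "LogonCount")
                    findings.append(dict(
                        where, setting=path, issue="autologon-enabled",
                        user=_text(elem, "Username"),
                        logon_count=int(count) if count.isdigit() else None))
    return findings


if __name__ == "__main__":
    for finding in audit_answer_file(SAMPLE_ANSWER_FILE):
        print(finding)
```

Run it against the saved Autounattend.xml before the floppy image or any copy of the file is archived with the build.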


Exercise 2: Installing a Reference Computer from a DVD Using a Custom Answer File

Task 1: Mount the external media on LON-IMG1
1. On the host computer, in the Hyper-V Manager, right-click 6294A-LON-IMG1 and click Settings.
2. In the Settings for 6294A-LON-IMG1 dialog box select DVD Drive.
3. Select the Image File: radio button and specify the image file C:\Program Files\Microsoft Learning\6294\Drives\Windows7_32bit.ISO.
4. In the Settings for 6294A-LON-IMG1 dialog box select Diskette Drive.
5. Select the Virtual floppy disk (.vfd) file: radio button and specify the file: C:\Program Files\Microsoft Learning\6294\Drives\UnattendAnswer.vfd.
6. In the Settings for 6294A-LON-IMG1 dialog box click OK.

Task 2: Start LON-IMG1
1. On the host computer, in the Hyper-V Manager, right-click 6294A-LON-IMG1 and select Connect.
2. In the 6294A-LON-IMG1 - Virtual Machine Connection window click the Start button.
3. Verify the installation has started. The installation will take approximately 30 minutes.

In order to save time, you can revert 6294A-LON-IMG1 and then start 6294A-LON-IMG2, which is a pre-staged virtual machine saved at the point where the installation has completed. You can either wait for LON-IMG1 to finish installing or continue on to Exercise 3 with LON-IMG2. The following exercise assumes that 6294A-LON-IMG2 is used.


Exercise 3: Generalizing a Reference Computer by Using Sysprep

Exercise 3 can be completed with either 6294A-LON-IMG1 or 6294A-LON-IMG2 depending on available time. LON-IMG2 is used as the name in the exercise task steps.

Task 1: Start LON-IMG2 (if necessary)
1. On the host computer, in the Hyper-V Manager, right-click 6294A-LON-IMG2 and then click Connect.
2. In the 6294A-LON-IMG2 - Virtual Machine Connection window click the Start button.

Task 2: Verify custom installation settings
1. In the System Preparation Tool 3.14 dialog box select Enter System Audit Mode and then under Shutdown Options, select Quit. Click OK.
2. Click Start then right-click Computer and select Properties.
3. Verify the Manufacturer and IT support information match the values used in the UnattendAnswer script.

Task 3: Install applications
1. Click Start, and in the Search programs and files box, type \\LON-DC1\labfiles\mod05\viewers\. Press ENTER.
2. In the Windows Security box, type Contoso\Administrator with the password of Pa$$w0rd. Click OK.
3. Double-click ExcelViewer and install with default settings.
4. Double-click PowerPointViewer and install with default settings.
5. Double-click Visioviewer and install with default settings.
6. Double-click Wordview_en-us and install with default settings.

Task 4: Reseal LON-IMG2 with Sysprep
1. Click Start, point to All Programs, click Accessories, right-click Command Prompt and select Run as Administrator.
2. In the command prompt window type CD C:\Windows\System32\Sysprep and press ENTER.
3. In the command prompt window, type Sysprep and press ENTER.
4. In the System Preparation Tool 3.14 dialog box, select Enter System Out-of-Box Experience (OOBE), select the Generalize checkbox, and then select Shutdown. Click OK.
5. Close the 6294A-LON-IMG2 - Virtual Machine Connection window.

Task 5: Unmount the external media on LON-IMG1 (if necessary)
1. On the host computer, in the Hyper-V Manager, right-click 6294A-LON-IMG1 and select Settings.
2. In the Settings for 6294A-LON-IMG1 dialog box select DVD Drive.
3. Select the None radio button.
4. In the Settings for 6294A-LON-IMG1 dialog box select Diskette Drive.
5. Select the None radio button.
6. In the Settings for 6294A-LON-IMG1 dialog box click OK.


Lab C: Creating Windows PE Boot Media

Computers in this lab
6294A-LON-IMG2 represents the VM that was used in Lab B Exercise 3. Do not start 6294A-LON-IMG2 until instructed. The virtual machines used in this lab are:
• 6294A-LON-DC1
• 6294A-LON-CL2
• 6294A-LON-IMG2

Exercise 1: Adding Packages to Windows PE

Task 1: Set up a Windows PE build environment
1. On 6294A-LON-CL2, click Start, point to All Programs, click Microsoft Windows AIK, right-click Deployment Tools Command Prompt and click Run as Administrator.
2. At the command prompt, type Copype.cmd x86 c:\winpe_x86 and press ENTER.
3. At the command prompt, type copy c:\winpe_x86\winpe.wim c:\winpe_x86\ISO\sources\boot.wim and press ENTER.

Task 2: Add customizations to a Windows PE build environment
1. At the command prompt, type copy "C:\program files\Windows AIK\Tools\x86\imagex.exe" C:\winpe_x86\iso\ and press ENTER.
2. Click Start, point to All Programs, click Accessories, right-click Notepad and select Run as Administrator.
3. Type the following:
[ExclusionList]
\temp
4. In Notepad, click the File menu, and select Save As.
5. In the Save as Type field, select All Files.
6. Browse to the C:\winpe_x86\iso\ folder.
7. In the File name: field type wimscript.ini and click Save.
8. Close Notepad.


Exercise 2: Creating a Bootable Windows PE ISO Image

Task 1: Create the ISO file
• At the command prompt, type oscdimg -n -bC:\winpe_x86\etfsboot.com C:\winpe_x86\ISO C:\winpe_x86\winpe_x86.iso and press ENTER.

Exercise 3: Starting the Windows PE Operating System Environment

Task 1: Mount the Windows PE ISO
1. On the host computer, in the Hyper-V Manager, right-click 6294A-LON-IMG2 and then click Settings.
2. In the Settings for 6294A-LON-IMG2 dialog box select DVD Drive.
3. Select the Image File: radio button and specify the image file C:\Program Files\Microsoft Learning\6294\Drives\winpe_x86.iso.
4. In the Settings for 6294A-LON-IMG2 dialog box select Diskette Drive.
5. Select the None radio button.
6. In the Settings for 6294A-LON-IMG2 dialog box click OK.

Task 2: Start 6294A-LON-IMG2
1. On the host computer, in the Hyper-V Manager, right-click 6294A-LON-IMG2 and select Connect.
2. In the 6294A-LON-IMG2 - Virtual Machine Connection window click the Start button.
3. Click in the 6294A-LON-IMG2 on hostname – Virtual Machine Connection window. When prompted to press any key to boot from CD or DVD, press the space bar.
4. Verify Windows PE has started.


Lab D: Capturing and Applying a Windows 7 Image Using ImageX

Computers in this lab
Do not start 6294A-LON-CL3 until instructed. The virtual machines used in this lab are:
• 6294A-LON-DC1
• 6294A-LON-CL2
• 6294A-LON-IMG2
• 6294A-LON-CL3

Exercise 1: Capturing an Image Using ImageX

Task 1: Create a share on LON-CL2
1. On LON-CL2, click Start, click Computer, and then double-click Local Disk (C:).
2. Right-click in the C: drive, point to New, and then select Folder.
3. Type Images.
4. Right-click the Images folder, point to Share with, and select Specific people.
5. Type “Everyone” and click Add.
6. Click the down arrow next to Read and select Read/Write.
7. Click the Share button, and then click Done.

Task 2: Run ImageX with Capture option
1. Switch to the 6294A-LON-IMG2 - Virtual Machine Connection window.
2. Type Net Use Z: \\LON-CL2\Images and press ENTER.
3. When prompted, type Contoso\Administrator and press ENTER.
4. Type Pa$$w0rd and press ENTER.
5. Type D:\imagex /check /capture C: Z:\LON-REF.wim "Contoso Client Image" and press ENTER.
Note: The capture process will take approximately 20 minutes. To save time, the remainder of the lab will use an image that has already been prepared.
6. Turn off LON-IMG2.


Exercise 2: Apply an Image Using ImageX

Task 1: Mount the Windows PE ISO
1. On the host computer, in the Hyper-V Manager, right-click 6294A-LON-CL3 and select Settings.
2. In the Settings for 6294A-LON-CL3 dialog box select DVD Drive.
3. Select the Image File: radio button and specify the image file C:\Program Files\Microsoft Learning\6294\drives\winpe_x86.iso.
4. In the Settings for 6294A-LON-CL3 dialog box click OK.

Task 2: Start LON-CL3
1. On the host computer, in the Hyper-V Manager, right-click 6294A-LON-CL3 and select Connect.
2. In the 6294A-LON-CL3 - Virtual Machine Connection window, click the Start button.
3. Continue after Windows PE has started.

Task 3: Format the C: drive on LON-CL3
1. In the command prompt on LON-CL3, type Diskpart and press ENTER.
2. Type Select disk=0 and press ENTER.
3. Type Create partition primary and press ENTER.
4. Type Format FS=NTFS Quick and press ENTER.
5. Type Select Partition 1 and press ENTER.
6. Type Active and press ENTER.
7. Type Assign letter=C and press ENTER.
8. Type Exit and press ENTER.

Task 4: Run ImageX with Apply option
1. On LON-CL3, type Net Use Z: \\LON-DC1\labfiles\Mod05\Image, and then press ENTER.
2. When prompted, type Contoso\Administrator and press ENTER.
3. Type Pa$$w0rd and press ENTER.
4. Type d:\imagex /apply Z:\LON-REF.wim 1 C: and press ENTER.
Note: The image application takes approximately 10 minutes.
5. After the image is applied, type Exit and then press ENTER to restart the computer.
6. When LON-CL3 restarts, complete the Set Up Windows Wizard with the following options:
• Country or region: Default
• User Name: LocalAdmin
• Computer name: LON-CL3
• Password: Pa$$w0rd
• I accept the license terms: Selected
• Updates: Use recommended settings
• Time and date: Default
• Location: Work network
7. Open computer properties to verify the Manufacturer and IT support information match the values used in the UnattendAnswer script.
8. Verify the custom applications are installed.
9. Shut down LON-CL3.


Lab E: Servicing Images by Using DISM

Computers in this lab
Before you begin the lab, you must start the virtual machines. 6294A-LON-IMG2 represents the VM that was used in Lab B exercise 3. Do not start 6294-LON-IMG2 until instructed. The virtual machines used in this lab are:
• 6294A-LON-DC1
• 6294A-LON-CL2

Setup
Before starting this lab, copy the LON-REF.wim file from the \\LON-DC1\Labfiles\Mod5\Image folder to the C:\Images folder on LON-CL2.

Exercise 1: Service an Offline WIM Image

Task 1: Mount the WIM image for servicing
1. On the 6294A-LON-CL2 desktop, click Start, point to All Programs, click Microsoft Windows AIK, right-click Deployment Tools Command Prompt, select Run as Administrator.
2. At the command prompt, type CD "C:\Program Files\Windows AIK\Tools\Servicing" and press ENTER.
3. At the command prompt, type MD C:\Servicing and press ENTER.
4. At the command prompt, type DISM /get-wiminfo /wimfile:C:\Images\LON-REF.wim and press ENTER.
5. At the command prompt, type DISM /mount-wim /wimfile:C:\Images\LON-REF.wim /index:1 /mountdir:C:\Servicing and press ENTER.
6. At the command prompt, type DISM /get-mountedwiminfo and press ENTER.
7. To see a list of available servicing options type DISM /image:c:\servicing /? and press ENTER.

Task 2: Add Drivers to an Offline Image
1. At the command prompt, type Net Use Z: \\Lon-DC1\Labfiles\Mod05\LabE and press ENTER.
2. At the command prompt, type CD "C:\Program Files\Windows AIK\Tools\Servicing" and press ENTER.
3. At the command prompt, type DISM /Image:C:\Servicing /Add-Driver /Driver:Z:\ipoint /recurse and press ENTER.

Task 3: Commit changes to an Offline WIM Image
• At the command prompt, type DISM /Unmount-Wim /Mountdir:C:\Servicing /commit and press ENTER.

Task 4: Virtual machine shutdown
When you finish the lab, you should revert each virtual machine back to its initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click each virtual machine name in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
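The Lab E, Exercise 1 procedure as a single script, added here as an example and not part of the courseware. It uses the lab's paths and DISM switches and adds two things the lab does not do: a signature check on each driver catalog before injection, and an unmount with /Discard instead of /Commit when any step fails. It assumes an elevated PowerShell prompt with dism.exe on the path and Z: already mapped as in Task 2.

```powershell
# Added example: scripted form of Lab E, Exercise 1 (mount, add drivers, commit).
# Paths and DISM switches are the lab's; the catalog signature check and the
# discard-on-failure handling are additions, not lab steps.
$ErrorActionPreference = 'Stop'

$WimFile   = 'C:\Images\LON-REF.wim'
$Index     = 1
$MountDir  = 'C:\Servicing'
$DriverDir = 'Z:\ipoint'      # Z: mapped to \\Lon-DC1\Labfiles\Mod05\LabE

function Invoke-Dism {
    # Run dism.exe and turn a non-zero exit code into a terminating error,
    # so a failed step cannot be followed by a commit.
    param([string[]]$Arguments)
    & dism.exe $Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "DISM exited with $LASTEXITCODE for: dism.exe $($Arguments -join ' ')"
    }
}

# 1. Check driver packages before they touch the image.
#    This validates the Authenticode signature on each catalog (.cat) only;
#    it does not verify that every driver file is listed in that catalog.
$infs = Get-ChildItem -Path $DriverDir -Recurse -Filter *.inf
if (-not $infs) { throw "No .inf files found under $DriverDir" }

foreach ($inf in $infs) {
    $cats = Get-ChildItem -Path $inf.DirectoryName -Filter *.cat
    if (-not $cats) { throw "No catalog file beside $($inf.FullName)" }
    foreach ($cat in $cats) {
        $sig = Get-AuthenticodeSignature -FilePath $cat.FullName
        if ($sig.Status -ne 'Valid') {
            throw "Catalog $($cat.FullName) has signature status $($sig.Status)"
        }
        Write-Host "OK  $($cat.FullName)  signed by $($sig.SignerCertificate.Subject)"
    }
}

# 2. Mount the image (Task 1).
if (-not (Test-Path $MountDir)) {
    New-Item -ItemType Directory -Path $MountDir | Out-Null
}
Invoke-Dism @('/Mount-Wim', "/WimFile:$WimFile", "/Index:$Index", "/MountDir:$MountDir")

# 3. Add the drivers (Task 2), list what is now in the image, then unmount.
#    Commit (Task 3) only if every servicing step succeeded; otherwise discard
#    so a half-serviced image is never written back to the WIM.
$commit = $false
try {
    Invoke-Dism @("/Image:$MountDir", '/Add-Driver', "/Driver:$DriverDir", '/Recurse')
    Invoke-Dism @("/Image:$MountDir", '/Get-Drivers')
    $commit = $true
}
finally {
    if ($commit) { $mode = '/Commit' } else { $mode = '/Discard' }
    Invoke-Dism @('/Unmount-Wim', "/MountDir:$MountDir", $mode)
    Write-Host "Image unmounted with $mode"
}
```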


Module 6: Deploying Windows® 7 by Using Windows Deployment Services

Lab: Deploying Windows 7 by Using Windows Deployment Services

Computers in this lab
Before you begin the lab, you must start the virtual machines. The virtual machines used at the start of this lab are:
• 6294A-LON-DC1

Start the virtual machines
1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.
2. In the Virtual Machines pane, click the virtual machine name. In the Actions pane, under the virtual machine name, click Start.
3. To connect to the virtual machine, click the virtual machine name, and in the Actions pane, under the virtual machine name, click Connect.


Exercise 1: Designing the Windows Deployment Services Environment

Task 1: Read the supporting documentation
• Read the scenario and supporting documentation in the course workbook.

Task 2: Update the Windows Deployment Services Design and Configuration sheet
• Answer the questions in the additional information section of the document.

Windows Deployment Services Design and Configuration
Document Reference Number: WDS2009
Document Author: Ed Meadows
Date: 2nd August

Requirement Overview
To install and configure Windows Deployment Services server role.
To deploy Windows 7 to the new Marketing department computers.

Additional Information
You have purchased 10 new computers for the Marketing department.
The Marketing department has a single server named LON-DC1.

1. Since LON-DC1 also hosts the DHCP server role, how does this affect the Windows Deployment Services server role?
Answer. During the WDS configuration you will need to select the Do not listen on port 67 check box and configure DHCP option 60.

2. Where should you configure the Remote Installation Folder Location?
Answer. Since Drive C is 80% full, the Remote Installation Folder Location will be placed at E:\RemoteInstall.

3. What types of images are required for your deployment? How can you organize the install images for future deployment with other departments?
Answer. For this deployment you will need the default boot image and the default install image from the Windows 7 media. The install image will be placed within a Marketing Image Group specifically for the Marketing department.

4. How will you configure WDS to ensure security?
Answer. You will configure WDS to respond to all known and unknown computers. However, to increase security, you will require administrator approval for all unknown computers.

5. What specific platform considerations do you have for your deployment?
Answer. All 64-bit laptops will have the VX 6000 Lifecam Drivers installed. Desktop computers do not require this driver.

6. What are some ways that you can provide availability and minimize network congestion?
Answer. Install the Transport Server role service to provide multitasking capabilities. This will help minimize network congestion. To provide availability you can use Distributed File System to help replicate and provide availability for the Remote Installation Folder. Multiple WDS servers may also help in providing a distributed WDS environment.


Exercise 2: Installing and Configuring the Windows Deployment Services Server Role

Task 1: Install the Windows Deployment Services server role
1. Log on to LON-DC1 as Contoso\Administrator using the password Pa$$w0rd.
2. In the Task Bar, click the Server Manager button.
3. In the Server Manager console, in the left-hand console pane, click Roles.
4. In the details pane, in the Roles Summary section, click Add Roles. The Add Roles Wizard starts.
5. On the Before You Begin page, click Next.
6. On the Select Server Roles page, select the check box next to Windows Deployment Services and then click Next.
7. On the Overview of Windows Deployment Services page, click Next.
8. On the Select Role Services page, ensure that both Deployment Server and Transport Server are selected and then click Next.
9. On the Confirm Installation Selections page, click Install.
10. On the Installation Results page, click Close.
11. Close the Server Manager console.

Task 2: Configure Windows Deployment Services
1. On LON-DC1, click Start, point to Administrative Tools, and then click Windows Deployment Services.
2. In the Windows Deployment Services console, in the left-hand console pane, click the plus sign to expand the Servers node and then click LON-DC1.Contoso.com.
3. Right-click LON-DC1.Contoso.com and then click Configure Server. The Windows Deployment Services Configuration Wizard starts.
4. On the Before you Begin page, click Next.
5. On the Remote Installation Folder Location page, under Path, type E:\RemoteInstall and then click Next.
6. On the DHCP Option 60 page, select the following options and then click Next:
• Do not listen on port 67
• Configure DHCP option 60 to 'PXEClient'
7. On the PXE Server Initial Settings page, select Respond to all client computers (Known and unknown). Also select the check box next to Require administrator approval for unknown computers. Click Next.
8. On the Operation Complete page, remove the check mark next to Add images to the server now and then click Finish.


Exercise 3: Adding Boot and Install Images to Windows Deployment Services

Task 1: Add a Boot Image to Windows Deployment Services
1. In the Hyper-V Virtual Machine Connection window, click the Media menu option, point to DVD Drive, and then click Insert Disk.
2. Browse to C:\Program Files\Microsoft Learning\6294\Drives, click Windows7_32bit.iso, and then click Open. Close the AutoPlay window.
3. If necessary, open the Windows Deployment Services console.
4. In the left-hand console pane, expand LON-DC1.Contoso.com and then click Boot Images.
5. Right-click Boot Images and then click Add Boot Image. The Add Image Wizard starts.
6. On the Image File page, under File location, type D:\sources\boot.wim and then click Next.
7. On the Image Metadata page, accept the default Image name and description. Click Next.
8. On the Summary page, click Next. The boot image is added to Windows Deployment Services.
9. Click Finish.

Task 2: Add an Install Image to Windows Deployment Services
1. In the left-hand console pane, expand LON-DC1.Contoso.com and then click Install Images.
2. Right-click Install Images and then click Add Install Image. The Add Image Wizard starts.
3. On the Image Group page, next to Create an image group named, type Marketing. Click Next.
4. On the Image File page, under File location, type D:\sources\install.wim and then click Next.
5. On the Available Images page, under Name, ensure that Windows 7 ENTERPRISE is selected.
6. Ensure that the check box is selected next to Use the default name and description for each of the selected images. Click Next.
7. On the Summary page, click Next. The install image is added to Windows Deployment Services.
8. Click Finish.


Exercise 4: Provisioning Drivers by Using Windows Deployment Services

Task 1: Add drivers to Windows Deployment Services
1. In the left-hand console pane, expand LON-DC1.Contoso.com and then click Drivers.
2. Right-click Drivers and then click Add Driver Package. The Add Driver Package Wizard starts.
3. On the Driver Package Location page, click the Select all driver packages from a folder option.
4. In the Location text box, type E:\Labfiles\Drivers\VX6000, and then click Next.
5. On the Available Driver Packages page, accept the default selections and then click Next.
6. On the Summary page, click Next. The driver packages are added to Windows Deployment Services.
7. On the Task Progress page, click Next.
8. On the Driver Groups page, select Create a new driver group named: and then type VX6000Lifecam. Click Next.
9. On the Task Complete page, remove the check mark next to Modify the filters for this group now and then click Finish.

Task 2: Create a driver deployment filter
1. In the left-hand console pane, expand LON-DC1.Contoso.com and then expand Drivers.
2. Click the VX 6000 Lifecam node.
3. Right-click VX 6000 Lifecam and then click Modify Filters for this Group.
4. In the VX 6000 Lifecam Properties box, on the Filters tab, click Add.
5. In the Add Filter box, configure the following and then click Add:
• Filter Type: Chassis Type
• Operator: Equal to
• Value: Laptop
6. In the Add Filter box, click OK.
7. In the VX 6000 Lifecam Properties box, click OK.


Exercise 5: Deploying a Desktop Operating System Using Windows Deployment Services

Task 1: Install Windows 7 using Windows Deployment Services
1. In the Hyper-V Manager console, start 6294A-LON-CL3.
2. When prompted press F12. A pending request ID will appear followed by Message from Administrator.
3. Switch to LON-DC1 and then in the Windows Deployment Services console, click the Pending Devices node.
4. In the details pane, right-click the Request ID entry and then click Name and Approve.
5. In the Approve Pending Device box, type LON-CL3 and then click OK.
6. On the Pending Device prompt, click OK. LON-CL3 will continue with the connection to the Windows Deployment Services server.
7. On LON-CL3, in the Windows Deployment Services box, accept the default Locale and Keyboard or input method and then click Next.
8. In the Connect to LON-DC1.Contoso.com credentials box, type the following and then click OK:
• User name: Contoso\Administrator
• Password: Pa$$w0rd
9. In the Select the Operating system you want to install page, click Next.
10. In the Where do you want to install Windows? page, click Next. The Windows 7 installation begins. It will take approximately 20 minutes to complete the installation.

Task 2: Virtual machine shutdown
When you finish the lab, revert each virtual machine back to its initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click each virtual machine name in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.


Module 7: Deploying Windows® 7 by Using Lite Touch Installation

Lab A: Planning and Configuring MDT 2010

Computers in this lab
Before you begin the lab, you must start the virtual machines. The virtual machines used at the start of this lab are:
• 6294A-LON-DC1
• 6294A-LON-CL2

Start the virtual machines
1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.
2. In the Virtual Machines pane, click the virtual machine name. In the Actions pane, under the virtual machine name, click Start.
3. To connect to the virtual machine, click the virtual machine name, and in the Actions pane, under the virtual machine name, click Connect.


Exercise 1: Planning the MDT Lite Touch Environment

Task 1: Read the supporting documentation
• Read the supporting documentation.

Task 2: Complete the Microsoft Deployment Toolkit Job Aid to help plan the deployment
1. Fill out the attached Microsoft Deployment Toolkit Job Aid.
2. Use the check boxes to indicate your decision.
3. In the "Rationale for the Decision" section list your supporting reason for this decision.
4. Be prepared to discuss your answers with the class.

Microsoft Deployment Toolkit Planning–Job Aid

Question: What Operating System are you going to deploy?
Information:
• 32 bit Windows 7
• 64 bit Windows 7
• 32 Windows Server 2008 R2
• 64 bit Windows Server 2008 R2
Rationale for the Decision: We are going to be deploying the 32 bit version of Windows 7 Enterprise Edition.

Question: What System is going to be deployed as the Technician's system?
Information:
• Windows 7 client
• Windows 2008 R2 server
Rationale for the Decision: LON-CL2 since we are deploying the 32 bit version of Windows 7 Enterprise Edition.

Question: Are you going to be deploying Applications?
Information:
• Yes
• No
Rationale for the Decision: Per Jonas's E-mail application deployment is not required.

Question: What MDT additional components are you going to install?
Information:
• MAP
• WAIK
• USMT
Rationale for the Decision: Since you are evaluating automated installations you need to install the WAIK. Per Jonas's E-mail user state will not be migrated. Since we are deploying new systems we do not need to use the Assessment and Planning toolkit.

Question: Where will you store your distribution files?
Information:
• Local Deployment Share
• Remote Deployment Share
Rationale for the Decision: For this evaluation you will create the deployment share on the LON-CL2 system.

Question: Will you be deploying any drivers not included with Windows 7?
Information:
• Yes
• No
Rationale for the Decision: Per Jonas's e-mail the Microsoft IntelliPoint drivers will be pre-installed.

Question: Will you deploy across the network, with removable media, or both?
Information:
• Network
• Removable Media
Rationale for the Decision: Both, removable media will be used to start the evaluation systems and the files will be deployed across the network.

Question: Which Deployment Scenario will you use?
Information / Rationale for the Decision:
• New Computer: A new installation of a Windows operating system is deployed to a new computer. User state is not migrated.
• Upgrade Existing Computer: The current Windows operating system on the target computer is upgraded to the deployed operating system.
• Refresh Computer: A computer is refreshed, including computers that must be re-imaged. User state may be migrated.


• Replace Computer: One computer replaces another computer. User state is migrated.

Question: Will you deploy a full set of operating system files or a custom Windows Imaging Format (WIM)?
Information:
• Full OS File Set
• Custom WIM
Rationale for the Decision: Full OS deployment for the reference computer and a custom WIM file for the client (target) computers.

Question: Which product editions will you deploy?
Information:
• Professional
• Ultimate
• Business
• Enterprise

Question: How will you handle product keys and licensing?
Information:
• Multiple Activation Key (MAK)
• Key Management Service (KMS)
Rationale for the Decision: A license key will not be provided in the Answer file. KMS would be used to activate any systems required longer than 3 days.


Exercise 2: Installing MDT 2010 and Additional Component Files

Task 1: Install MDT 2010
1. Log on to the LON-CL2 virtual machine as Contoso\Administrator with a password of Pa$$w0rd.
2. Click Start then click Computer.
3. Click in the Address bar, type \\LON-DC1\Labfiles\Mod07\, and press ENTER.
4. Double-click MicrosoftDeploymentToolkit2010_x86.msi. In the Open File - Security Warning dialog box, click Run.
5. On the Welcome to the Microsoft Deployment Toolkit 2010 (5.0.1631.0) Setup Wizard page, click Next.
6. On the End-User License Agreement page, review the license agreement, select the I accept the terms in the License Agreement radio button, and then click Next.
7. Review the Custom Setup page, click Next.
8. Click Install.
9. On the Completing the Microsoft Deployment Toolkit 2010 (5.0.1631.0) Setup Wizard page, click Finish.
10. Close the Explorer window.

Task 2: Mount the external media on LON-CL2
1. On the host computer, in the Hyper-V Manager, right-click 6294A-LON-CL2 and then click Settings.
2. In the Settings for 6294A-LON-CL2 dialog box, click DVD Drive.
3. Select the Image File: radio button and specify the image file C:\Program Files\Microsoft Learning\6294\Drives\WAIK.ISO.
4. In the Settings for 6294A-LON-CL2 dialog box click OK.

Task 3: Install Windows AIK
1. On LON-CL2, in the Autoplay box select Open folder to view files, right-click StartCD.exe, and select Run as administrator.
2. On the Welcome to Windows Automated Installation Kit page click Windows AIK Setup.
3. On the Welcome to the Windows Automated Installation Kit Setup Wizard page click Next.
4. On the License Terms page select the I Agree radio button, and then click Next.
5. On the Select Installation Folder page, review the defaults and then click Next.
6. On the Confirm Installation page, click Next.
7. On the Installation Complete page, click Close.
8. Close the Welcome to Windows Automated Installation Kit page.
9. Close the Explorer window.

Task 4: Verify Windows AIK installation
1. Click Start, click All Programs, click Microsoft Deployment Toolkit, and then click Deployment Workbench.
2. In the Deployment Workbench console tree, go to Deployment Workbench/Information Center/Components.
Question: What category is the Windows Automated Installation Kit in and what is its status?
Answer: The WAIK is listed in the Installed category with a status of Required.


Exercise 3: Creating an MDT 2010 Deployment Share

Task 1: Create a deployment share in Deployment Workbench
1. On LON-CL2, in the Deployment Workbench console tree, click Deployment Shares.
2. In the console tree, right-click Deployment Shares, and then click New Deployment Share.
3. In the New Deployment Share Wizard, on the Path page click Browse.
4. Expand Computer and then click Local Disk.
5. Click Make New Folder.
6. Type DeploymentShare, and then click OK.
7. In the New Deployment Share Wizard, on the Path page, ensure that C:\DeploymentShare is listed, and then click Next.
8. In the New Deployment Share Wizard, on the Share page click Next.
9. In the New Deployment Share Wizard, on the Descriptive Name page click Next.
10. In the New Deployment Share Wizard, on the Allow Image Capture page click Next.
11. In the New Deployment Share Wizard, on the Allow Admin Password page click Next.
12. In the New Deployment Share Wizard, on the Allow Product Key page click Next.
13. In the New Deployment Share Wizard, review the Summary page and then click Next.
14. In the New Deployment Share Wizard, review the Confirmation page and then click Finish.


Lab B: Deploying Windows 7 by Using Lite Touch Installation

Computers in this lab
Before you begin the lab, you must start the virtual machines. The virtual machines used at the start of this lab are:
• 6294A-LON-DC1
• 6294A-LON-CL2
• 6294A-LON-IMG1
• 6294A-LON-CL3

Start the virtual machines
• Do not start LON-IMG1 or LON-CL3 until instructed to do so.

Exercise 1: Configuring the MDT 2010 Deployment Share

Task 1: Add operating system files to the deployment share
1. On the host computer, in the Hyper-V Manager, right-click 6294A-LON-CL2 and click Settings.
2. In the Settings for 6294A-LON-CL2 dialog box, click DVD Drive.
3. Select the Image File: radio button; specify the image file C:\Program Files\Microsoft Learning\6294\Drives\Windows7_32bit.iso.
4. In the Settings for 6294A-LON-CL2 dialog box, click OK.
5. In LON-CL2, close the Autoplay window.
6. In the Deployment Workbench console tree, go to Deployment Workbench/Deployment Shares/MDT Deployment Share (C:\DeploymentShare)/Operating Systems.
7. In the Actions pane, click Import Operating System.
8. In the Import Operating System Wizard, on the OS Type page select the Full set of source files radio button and then click Next.
9. In the Import Operating System Wizard, on the Source page type D:\ and then click Next.
10. In the Import Operating System Wizard, on the Destination page, click Next.
11. In the Import Operating System Wizard, on the Summary page, click Next.
Note: The import takes approximately 3 minutes.
12. In the Import Operating System Wizard, review the Confirmation page, and then click Finish.

Task 2: Add device drivers to the deployment share
1. In the Deployment Workbench console tree, go to Deployment Workbench/Deployment Shares/MDT Deployment Share (C:\DeploymentShare)/Out-of-Box Drivers.
2. In the Actions pane, click Import Drivers.
3. In the Import Driver Wizard, on the Specify Directory page, type \\LON-DC1\Labfiles\Mod05\LabE\ipoint and then click Next.
4. In the Import Driver Wizard, on the Summary page, click Next.
5. In the Import Driver Wizard, review the Confirmation page, and then click Finish.


Task 3: Create a task sequence for the reference computer
1. In the Deployment Workbench console tree, go to Deployment Workbench/Deployment Shares/MDT Deployment Share (C:\DeploymentShare)/Task Sequences.
2. In the Actions pane, click New Task Sequence.
3. In the New Task Sequence Wizard, on the General Settings page set the following and then click Next:
• Task sequence ID: WIN7_REFERENCE
• Task sequence name: Deploy Windows 7 to LON-IMG1
4. In the New Task Sequence Wizard, on the Select Template page, specify the Standard Client Task Sequence, and then click Next.
5. In the New Task Sequence Wizard, on the Select OS page, specify the Windows 7 Enterprise in Windows 7 x86 install.wim, and then click Next.
6. In the New Task Sequence Wizard, on the Specify Product Key page, click Next.
7. In the New Task Sequence Wizard, on the OS Settings page set the following and then click Next:
• Full Name: Admin
• Organization: Contoso LTD.
8. In the New Task Sequence Wizard, on the Admin Password page, select the Do not specify an Administrator password at this time radio button, and then click Next.
9. In the New Task Sequence Wizard, on the Summary page, click Next.
10. In the New Task Sequence Wizard, on the Confirmation page, click Finish.

Task 4: Update the deployment share
1. In the Deployment Workbench console tree, go to Deployment Workbench/Deployment Shares/MDT Deployment Share (C:\DeploymentShare).
2. In the Actions pane, click Update Deployment Share.
3. In the Update Deployment Share Wizard, review the Options page, and then click Next.
4. In the Update Deployment Share Wizard, on the Summary page, click Next.
5. In the Update Deployment Share Wizard, on the Confirmation page, click Finish.
Note: The update takes approximately 10 to 15 minutes.


Exercise 2: Deploying Windows 7 and Capturing an Image of the Reference Computer

Task 1: Create the LTI bootable media
1. Click Start then click Computer.
2. Click in the Address bar, type C:\DeploymentShare\Boot, and press ENTER.
3. Verify the LiteTouchPE_X86.iso file was created.
Note: For the Lab the LiteTouchPE_x86.iso file has already been copied to the host machine.

Task 2: Start the reference computer with the LTI bootable media
1. On the host computer, in the Hyper-V Manager, right-click 6294A-LON-IMG1, and then click Settings.
2. In the Settings for 6294A-LON-IMG1 dialog box, click DVD Drive.
3. Select the Image File: radio button and specify the image file C:\Program Files\Microsoft Learning\6294\drives\LiteTouchPE_x86.iso.
4. In the Settings for 6294A-LON-IMG1 dialog box, click OK.
5. On the host computer, in the Hyper-V Manager, right-click 6294A-LON-IMG1 and then click Connect.
6. In the 6294A-LON-IMG1 - Virtual Machine Connection window, click the Start button.
7. In the Welcome Windows Deployment page, click Run the Deployment Wizard to install a new Operating System.
8. On the User Credentials page, specify the following and then click OK:
• Username: Administrator
• Password: Pa$$w0rd
• Domain: Contoso
9. On the Windows Deployment Wizard Select a task sequence to execute on this computer page, select Deploy Windows 7 to LON-IMG1, and then click Next.
10. On the Windows Deployment Wizard Configure the computer name page, type LON-IMG1, and then click Next.
11. On the Windows Deployment Wizard Join the computer to a domain or workgroup page, click Next.
12. On the Windows Deployment Wizard Specify whether to restore user data page, click Next.
13. On the Windows Deployment Wizard Language and other preferences page, click Next.
14. On the Windows Deployment Wizard Set the Time Zone page, click Next.
15. On the Windows Deployment Wizard Specify whether to capture an image page, select Capture an image of this reference computer, and then click Next.
16. On the Windows Deployment Wizard Ready to begin page, click Begin.
Note: The entire process takes approximately 1 hour to complete.
17. Review the Deployment Summary page for any errors, click Finish, and then turn off LON-IMG1.


Exercise 3: Configuring MDT 2010 to Deploy Windows 7 to the Target Computer

Task 1: Add the captured image of the reference computer to Deployment Workbench
1. On LON-CL2, in the Deployment Workbench console tree, go to Deployment Workbench/Deployment Shares/MDT Deployment Share (C:\DeploymentShare)/Operating Systems.
2. In the Actions pane, click Import Operating System.
3. In the Import Operating System Wizard, on the OS Type page, select the Custom image file radio button and then click Next.
4. In the Import Operating System Wizard, on the Image page, type C:\DeploymentShare\Captures\WIN7_REFERENCE.wim and then click Next.
5. On the Setup page, accept the default selection and then click Next.
6. In the Import Operating System Wizard, on the Destination page, click Next.
7. In the Import Operating System Wizard, on the Summary page, click Next.
Note: The import takes approximately 3 minutes.
8. In the Import Operating System Wizard, review the Confirmation page, and then click Finish.

Task 2: Create a task sequence for the target computer
1. In the Deployment Workbench console tree, go to Deployment Workbench/Deployment Shares/MDT Deployment Share (C:\DeploymentShare)/Task Sequences.
2. In the Actions pane, click New Task Sequence.
3. In the New Task Sequence Wizard, on the General Settings page set the following and then click Next:
• Task sequence ID: WIN7_TARGET
• Task sequence name: Deploy Windows 7 to Clients
4. In the New Task Sequence Wizard, on the Select Template page, specify the Standard Client Task Sequence, and then click Next.
5. In the New Task Sequence Wizard, on the Select OS page, specify the WIN7_REFERENCEDDRIVE in WIN7_REFERENCE WIN7_REFERENCE.wim, and then click Next.
6. In the New Task Sequence Wizard, on the Specify Product Key page, click Next.
7. In the New Task Sequence Wizard, on the OS Settings page set the following and then click Next:
• Full Name: Admin
• Organization: Contoso LTD.
8. In the New Task Sequence Wizard, on the Admin Password page, specify Pa$$w0rd as the Administrator Password and Please confirm Administrator Password, and then click Next.
9. In the New Task Sequence Wizard, on the Summary page, click Next.
10. In the New Task Sequence Wizard, on the Confirmation page, click Finish.


Exercise 4: Deploying Windows 7 to the Target Computer

Task 1: Start LON-CL3 with the LTI bootable media
1. On the host computer, in the Hyper-V Manager, right-click 6294A-LON-CL3 and click Settings.
2. In the Settings for 6294A-LON-CL3 dialog box, click DVD Drive.
3. Select the Image File: radio button and then specify the image file C:\Program Files\Microsoft Learning\6294\Drives\LiteTouchPE_x86.iso.
4. In the Settings for 6294A-LON-CL3 dialog box, click OK.
5. On the host computer, in the Hyper-V Manager, right-click 6294A-LON-CL3 and click Connect.
6. In the 6294A-LON-CL3 - Virtual Machine Connection window, click the Start button.
7. In the Welcome Windows Deployment page, click Run the Deployment Wizard to install a new Operating System.
8. On the User Credentials page, specify the following and then click OK:
• Username: Administrator
• Password: Pa$$w0rd
• Domain: Contoso
9. On the Windows Deployment Wizard Select a task sequence to execute on this computer page, select Deploy Windows 7 to Clients, and then click Next.
10. On the Windows Deployment Wizard Configure the computer name page, type LON-CL3, and then click Next.
11. On the Windows Deployment Wizard Join the computer to a domain or workgroup page, select the Join a domain radio button. In the Domain: field, type Contoso, and then click Next.
12. On the Windows Deployment Wizard Specify whether to restore user data page, click Next.
13. On the Windows Deployment Wizard Language and other preferences page, click Next.
14. On the Windows Deployment Wizard Set the Time Zone page, click Next.
15. On the Windows Deployment Wizard Specify the BitLocker configuration page, click Next.
16. On the Windows Deployment Wizard Ready to begin page, click Begin.
Note: The entire process takes approximately 20 minutes to complete.
17. Review the Deployment Summary page for any errors, and then click Finish and turn off LON-CL3.

Task 2: Virtual machine shutdown
When you finish the lab, revert each virtual machine back to its initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click each virtual machine name in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.


Module 8: Deploying Windows® 7 by Using Zero Touch Installation

Lab: Deploying Windows 7 by Using Zero Touch Installation

Computers in this lab
Before you begin the lab, you must start the virtual machines. The virtual machines used at the start of this lab are:
• 6294A-LON-DC1
• 6294A-LON-SVR1

Start the virtual machines
1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.
2. In the Virtual Machines pane, click the virtual machine name. In the Actions pane, under the virtual machine name, click Start.
3. To connect to the virtual machine, click the virtual machine name, and in the Actions pane, under the virtual machine name, click Connect.


Exercise 1: Planning the Zero Touch Installation Environment

Task 1: Read the supporting documentation

• Read the scenario and supporting documentation in the course workbook.

Task 2: Update the Zero Touch Installation Design and Configuration Sheet

• Answer the questions in the additional information section of the document.

Zero Touch Installation Design and Configuration

Document Reference Number: ZTI2009
Document Author: Ed Meadows
Date: 3rd August

Requirement Overview

To install and configure a Zero Touch Installation using MDT 2010 and System Center Configuration Manager 2007 SP2.
To deploy Windows 7 to the new Research department computers.

Additional Information

You have purchased 50 new computers for the Research department.

1. Given the high-level explanation of the existing Configuration Manager environment, is the current version of Configuration Manager sufficient? What do you need to do in order to incorporate MDT 2010 into the solution?
   Answer. You will need to upgrade the existing Configuration Manager installation to SP2 in order to support Windows 7 ZTI deployments. In order to integrate MDT 2010, you will need to install the Microsoft Deployment Toolkit and then run the Configure ConfigMgr Integration wizard.
2. What do you need to do to LON-SVR1 in order to support clients booting over the network?
   Answer. You will need to install the Windows Deployment Services server role on LON-SVR1. You will also need to install the Configuration Manager PXE service point.
3. How will you ensure that all newly deployed clients are managed by Configuration Manager?
   Answer. You will create a Software Distribution Package that contains the Configuration Manager Client. This package will be referenced during the deployment and installed on the client.
4. What steps must you perform from the Configuration Manager Console to prepare the Operating System Image to be deployed to clients?
   Answer. Your first step is to add the operating system image to the Configuration Manager environment. Your second step is to distribute the images to all required distribution points.
5. Your next series of tasks is to create and distribute an Operating System Install Package. What will be your final main task for configuring LTI from within the Configuration Manager console?
   Answer. You need to create a Microsoft Deployment Task Sequence that will reference pre-created packages and images as required. You will then advertise the task sequence to the Windows 7 Pilot Deployment Collection.


Exercise 2: Preparing the Zero Touch Installation Environment

Task 1: Install MDT 2010

1. Log on to LON-SVR1 as Contoso\Administrator using the password Pa$$w0rd.
2. Click Start, and then click Run.
3. In the Run box, type \\LON-DC1\Labfiles\MDT\, and then click OK.
4. In the MDT window, double-click MicrosoftDeploymentToolkit2010_x64.
5. In the Open File – Security Warning box, click Run. The Setup Wizard starts.
6. On the Welcome page, click Next.
7. On the End-User License Agreement page, click the option next to I accept the terms in the License Agreement, and then click Next.
8. On the Custom Setup page, accept the default settings, and then click Next.
9. On the Ready to Install page, click Install.
10. On the Completing the Microsoft Deployment Toolkit 2010 Setup Wizard page, click Finish.
11. Close the MDT window.

Task 2: Configure Configuration Manager Integration

1. On LON-SVR1, click Start, point to All Programs, click Microsoft Deployment Toolkit, and then click Configure ConfigMgr Integration.
2. On the Options page, ensure that Install the ConfigMgr extensions is selected with the following options, and then click Next.
   • Site Server Name: LON-SVR1
   • Site code: S01
3. Click Finish.

Task 3: Install the Windows Deployment Services server role

1. On LON-SVR1, click the Server Manager button in the task bar.
2. In the console pane, click Roles.
3. In the details pane, click Add Roles. The Add Roles Wizard starts.
4. On the Before You Begin page, click Next.
5. On the Select Server Roles page, select the check box next to Windows Deployment Services, and then click Next.
6. On the Overview of Windows Deployment Services page, click Next.
7. On the Select Role Services page, accept the default selections, and then click Next.
8. On the Confirm Installation Selections page, click Install.
9. On the Installation Results page, click Close.
10. Close the Server Manager.

Task 4: Verify Configuration Manager settings, and add the PXE service point role

1. On LON-SVR1, click Start, point to All Programs, click Microsoft System Center, click Configuration Manager 2007, and then click ConfigMgr Console.
2. In the console pane, expand Site Database (S01 – LON-SVR1, Contoso), and then expand Site Management\S01 - Contoso\Site Settings.
3. Click the Boundaries node. Take note of the configured boundary for the Configuration Manager site.


4. Click the Client Agents node, and then double-click Computer Client Agent. Take note of the Network Access Account that is configured on the General tab. Also take note—but do not change the settings on the Customization and Reminders tabs.
5. Click OK to close the Computer Client Agent Properties window.
6. In the console pane, expand the Site Systems node.
7. In the console pane, click \\LON-SVR1, and then take note of the configured roles on the server. The PXE service point role needs to be installed in order to support PXE boot requests.
8. In the console pane, right-click \\LON-SVR1 and then click New Roles. The New Site Role Wizard starts.
9. On the General page, ensure that Specify a fully qualified domain name is selected, and that LON-SVR1.CONTOSO.COM is entered in the Intranet FQDN text box. Leave all other default selections, and then click Next.
10. On the System Role Selection page, select the check box next to PXE service point, and then click Next.
11. On the PXE Service Point Configuration box, click Yes to open the required ports.
12. On the PXE – General page, configure the following, and then click Next:
    • Allow this PXE service point to respond to incoming requests: Enabled
    • Enable unknown computer support: Enabled
    • Require a password for computers to boot using PXE: Not Enabled
    • Respond to PXE requests on all network interfaces: Selected
    • Delay (seconds): 0
13. On the PXE – Database page, leave all default settings, and then click Next.
14. On the Summary page, click Next.
15. On the Wizard Completed page, click Close.


Exercise 3: Configuring Deployment Packages and System Images

Task 1: Set up the Configuration Manager client package

1. On LON-SVR1, in the Configuration Manager Console, expand Computer Management\Software Distribution, and then click Packages.
2. Right-click Packages, point to New, and then click Package from Definition.
3. On the Welcome page, click Next.
4. On the Package Definition page, select Configuration Manager Client Upgrade, and then click Next.
5. On the Source Files page, select Always obtain files from a source directory, and then click Next.
6. On the Source Directory page, under Source directory, type \\LON-SVR1\SMS_S01\Client, and then click Next.
7. On the Summary page, click Finish. The Configuration Manager Client Upgrade package is now visible in the details pane.
8. In the console pane, expand the Packages node, and then expand the Microsoft Configuration Manager Client Upgrade 4.0 ALL node.
9. Under the Configuration Manager Client Upgrade 4.0 ALL node, right-click Distribution Points, and then click New Distribution Points. The New Distribution Points Wizard starts.
10. On the Welcome page, click Next.
11. On the Copy Package page, select LON-SVR1, and then click Next. (Do not select LON-SVR1\SMSPXEIMAGES$ as this is the PXE boot distribution point.)
12. On the Wizard Completed page, click Close.

Task 2: Add boot and operating system images

1. In the console pane, expand Computer Management\Operating System Deployment, and then click Boot Images. Notice that default boot images are already available for both x86 and x64 installations.
2. In the console pane, expand the Boot Images node, and then expand the Boot image (x86) node.
3. Under the Boot image (x86) node, right-click Distribution Points, and then click New Distribution Points. The New Distribution Points Wizard starts.
4. On the Welcome page, click Next.
5. On the Copy Package page, select the check box next to both LON-SVR1 and LON-SVR1\SMSPXEIMAGES$, and then click Next.
6. On the Wizard Completed page, click Close.
7. Repeat steps 2-6 for Boot image (x64).
8. In the console pane, right-click Operating System Images, and then click Add Operating System Image. The Add Operating System Image Wizard starts.
9. On the Data Source page, under Path, type \\LON-DC1\Labfiles\Source\sources\install.wim, and then click Next.
10. On the General page, fill in the following information, and then click Next:
    • Name: Windows 7 ENTERPRISE
    • Version: RTM
    • Comment:
11. On the Summary page, click Next.
12. On the Wizard Completed page, click Close.
13. In the console pane, expand the Operating System Images node, and then expand the Windows 7 ENTERPRISE node.


14. Under the Windows 7 ENTERPRISE node, right-click Distribution Points, and then click New Distribution Points. The New Distribution Points Wizard starts.
15. On the Welcome page click Next.
16. On the Copy Package page, select LON-SVR1, and then click Next. (Do not select LON-SVR1\SMSPXEIMAGES$ as this is the PXE boot distribution point.)
17. On the Wizard Completed page, click Close.

Task 3: Create an Operating System Install Package

1. In the console pane, click the Operating System Install Packages node.
2. Right-click Operating System Install Packages, and then click Add Operating System Install Package. The Add Operating System Install Package Wizard starts.
3. On the Data Source page, under Source Directory, type \\LON-DC1\Labfiles\Source, and then click Next.
4. On the General page, fill in the following information, and then click Next:
   • Name: Windows 7 ENTERPRISE
   • Version: RTM
   • Comment:
5. On the Summary page, click Next.
6. On the Wizard Completed page, click Close.
7. In the console pane, expand the Operating System Install Packages node, and then expand the Windows 7 ENTERPRISE node.
8. Under the Windows 7 ENTERPRISE node, right-click Distribution Points, and then click New Distribution Points. The New Distribution Points Wizard starts.
9. On the Welcome page, click Next.
10. On the Copy Package page, select LON-SVR1, and then click Next. (Do not select LON-SVR1\SMSPXEIMAGES$ as this is the PXE boot distribution point.)
11. On the Wizard Completed page, click Close.

Task 4: Add Drivers

1. In the console pane, click the Drivers node.
2. Right-click Drivers, and then click Import. The Import New Driver Wizard starts.
3. On the Locate Driver page, next to Source folder, type \\LON-DC1\Labfiles\Drivers\VX6000\, and then click Next.
4. On the Driver Details page, click Next.
5. On the Add Driver to Packages page, click Next.
6. On the Add Driver to Boot Images page, click Next.
7. On the Summary page, click Next.
8. On the Wizard Completed page, click Close.

Task 5: Create a driver package

1. In the console pane, click the Driver Packages node.
2. Right-click Driver Packages, point to New, and then click Driver Package. The New Driver Package dialog box opens.
3. Fill in the following information:
   • Name: Driver List
   • Comment:
4. In the Driver package source field, type \\LON-DC1\Labfiles\Drivers, and then click OK.


5. In the console pane, click the Drivers node.
6. In the details pane, select the two drivers that are listed. Right-click the selected drivers and then click Add or Remove Drivers to Packages.
7. In the Add or Remove Drivers to Packages dialog box, select the check box next to Driver List.
8. Select the check box next to Update distribution points when finished, and then click OK.


Exercise 4: Configuring and Advertising a Client Task Sequence

Task 1: Import the Microsoft Deployment Task Sequence

1. In the console pane, expand Computer Management\Operating System Deployment, and then click Task Sequences.
2. Right-click Task Sequences, and then click Create Microsoft Deployment Task Sequence.
3. On the Choose Template page, select Client Task Sequence, and then click Next.
4. On the General page, fill in the following information, and then click Next:
   • Task sequence name: Windows 7
   • Task sequence comments:
5. On the Details page, fill in the following information, and then click Next:
   • Join a domain: Selected
   • Domain: Contoso.com
   • Account:
     Username: Contoso\Administrator
     Password: Pa$$w0rd
   • User name: Client1
   • Organization name: Contoso
6. On the Capture Settings page, select This task sequence may be used to capture an image, configure the following settings, and then click Next:
   • Capture destination: \\LON-DC1\Labfiles\Source\Win7.wim
   • Capture account:
     Username: Contoso\Administrator
     Password: Pa$$w0rd
7. On the Boot Image page, ensure that Specify an existing boot image package is selected, and then click Browse.
8. On the Select a Package dialog box, select Boot image (x86), click OK, and then click Next.
9. On the MDT Package page, select Create a new Microsoft Deployment Toolkit Files package.
10. In the Package source folder to be created field, type \\LON-DC1\Labfiles\MDTFiles, and then click Next.
11. On the MDT Details page, fill in the following information, and then click Next:
    • Name: MDT Source Files
    • Version: 1.0
    • Language: English
    • Manufacturer: Microsoft
    • Comments:
12. On the OS Image page, select Specify an existing OS install package, and then click Browse.
13. On the Select a Package dialog box, select Windows 7 ENTERPRISE, click OK, and then click Next.
14. On the Client Package page, ensure that Specify an existing ConfigMgr client package is selected, and then click Browse.
15. On the Select a Package dialog box, select Configuration Manager Client Upgrade, click OK, and then click Next.
16. On the USMT Package page, select Create a new USMT package.


17. Under Path to USMT executables and related files, ensure that C:\Program Files\Windows AIK\tools\USMT is entered.
18. Under Package source folder to be created, type \\LON-DC1\Labfiles\USMT, and then click Next.
19. On the USMT Details page, fill in the following information, and then click Next:
    • Name: MDT USMT Package
    • Version: 1.0
    • Language: English
    • Manufacturer: Microsoft
    • Comments:
20. On the Settings Package page, select Create a new settings package.
21. In the Package source folder to be created field, type \\LON-DC1\Labfiles\MDTFiles, and then click Next.
22. On the Settings Details page, fill in the following information, and then click Next:
    • Name: MDT Settings Files
    • Version: 1.0
    • Language: English
    • Manufacturer: Microsoft
    • Comments:
23. On the Sysprep Package page, select No Sysprep package is required, and then click Next.
24. On the Summary page, click Next.
25. After the wizard is finished, click the Task Sequences node, and then right-click Windows 7. Click Edit. Take note of—but do not change—the various tasks that make up the Windows 7 task sequence.
26. Click Cancel to close the Windows 7 Task Sequence Editor.

Task 2: Update package distribution points

1. In the console pane, expand Computer Management\Software Distribution, and then expand Packages. Refresh the Packages node.
2. In the console pane, expand the Microsoft MDT Settings Files 1.0 English node.
3. Under the Microsoft MDT Settings Files 1.0 English node, right-click Distribution Points, and then click New Distribution Points. The New Distribution Points Wizard starts.
4. On the Welcome page, click Next.
5. On the Copy Package page, select LON-SVR1, and then click Next. (Do not select LON-SVR1\SMSPXEIMAGES$ as this is the PXE boot distribution point.)
6. On the Wizard Completed page, click Close.
7. In the console pane, expand the Microsoft MDT Source Files 1.0 English node.
8. Under the Microsoft MDT Source Files 1.0 English node, right-click Distribution Points, and then click New Distribution Points. The New Distribution Points Wizard starts.
9. On the Welcome page, click Next.
10. On the Copy Package page, select LON-SVR1, and then click Next. (Do not select LON-SVR1\SMSPXEIMAGES$ as this is the PXE boot distribution point.)
11. On the Wizard Completed page, click Close.
12. In the console pane, expand the Microsoft MDT USMT Package 1.0 English node.


13. Under the Microsoft MDT USMT Package 1.0 English node, right-click Distribution Points, and then click New Distribution Points. The New Distribution Points Wizard starts.
14. On the Welcome page, click Next.
15. On the Copy Package page, select LON-SVR1, and then click Next. (Do not select LON-SVR1\SMSPXEIMAGES$ as this is the PXE boot distribution point.)
16. On the Wizard Completed page, click Close.
17. Wait a few minutes before continuing with the next task.

Task 3: Advertise the Task Sequence

1. In the console pane, expand Computer Management\Operating System Deployment, and then click Task Sequences.
2. In the details pane, right-click Windows 7, and then click Advertise.
3. On the General page, configure the following, and then click Next:
   • Name: Windows 7 Deployment
   • Collection: All Unknown Computers
   • Make this task sequence available to boot media and PXE: Enabled
4. On the Schedule page, configure the following, and then click Next:
   • Mandatory assignments: As soon as possible
   • Ignore maintenance windows when running program: Enabled
   • Allow system restart outside of maintenance windows: Enabled
   • Program rerun behavior: Always rerun program
5. On the Distribution Points page, select Access content directly from a distribution point when needed by the running task sequence, and then click Next.
6. On the Interaction page, leave the default settings, and then click Next.
7. On the Security page click Next.
8. On the Summary page, click Next.
9. On the Wizard Completed page, click Close.
10. In the console pane, expand the Computer Management\Collections node.
11. Click the All Unknown Computers collection.
12. Right-click the All Unknown Computers collection, and then click Properties.
13. Click the Advertisements tab. Verify that the Windows 7 Deployment task sequence has been advertised to this collection.
14. Click OK to close the All Unknown Computers Properties page.

Task 4: Install Windows 7

1. From the Hyper-V Manager, start 6294A-LON-CL3.
2. The task sequence begins the installation. The installation can take up to 60 minutes to complete.

Task 5: Virtual Machine Shutdown

When you finish the lab, revert each virtual machine back to its initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V Manager.
2. Right-click each virtual machine name in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.


Module 9: Migrating User State by Using WET and USMT 4.0

Lab A: Migrating User State by Using Windows Easy Transfer (Optional)

Computers in this lab

Before you begin the lab, you must start the virtual machines. The virtual machines used at the start of this lab are:

• 6294A-LON-DC1
• 6294A-LON-VS1
• 6294A-LON-CL1

Start the virtual machines

1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.
2. In the Virtual Machines pane, click the virtual machine name. In the Actions pane, under the virtual machine name, click Start.
3. To connect to the virtual machine, click the virtual machine name, and in the Actions pane, under the virtual machine name, click Connect.


Exercise 1: Preparing the Windows Easy Transfer Source Files

Task 1: Place Windows Easy Transfer on a network share

1. Log on to the LON-CL1 virtual machine as Contoso\Administrator with a password of Pa$$w0rd.
2. Click Start, point to All Programs, click Accessories, click System Tools, and then click Windows Easy Transfer.
3. In the Windows Easy Transfer window, click Next.
4. Click An external hard disk or USB flash drive.
5. Click This is my new computer.
6. Click No, because the files have not been saved from the old computer yet.
7. Click I need to install it now.
8. Click External hard disk or shared network folder.
9. In the Browse for Folder dialog box, in the Folder field, type \\LON-DC1\Data and then click OK. The Windows Easy Files are copied to the Data folder.
10. Click Open the folder where you saved Windows Easy Transfer. In the Data folder, verify that the files have been copied to the shared folder.
11. Close the Data folder.
12. Close Windows Easy Transfer.


Exercise 2: Capturing User State Information from a Source Computer

Task 1: Capture settings from LON-VS1

1. Log on to the LON-VS1 virtual machine as Contoso\Don with a password of Pa$$w0rd.
2. Notice the Computer and Documents items on the desktop.
3. Log off of LON-VS1.
4. Log on to the LON-VS1 virtual machine as Contoso\Administrator with a password of Pa$$w0rd.
5. Click Start, and then in the Start Search box, type \\LON-DC1\Data\, and then press ENTER.
6. Double-click the Windows Easy Transfer shortcut. Windows Easy Transfer starts.
7. In the Windows Easy Transfer window, click Next.
8. Click An external hard disk or USB flash drive.
9. Click This is my old computer. Windows Easy Transfer begins to scan the computer to check what can be transferred.
10. Clear all of the checkboxes except for CONTOSO\Don.
11. Under CONTOSO\Don, click Customize.
12. Remove the check mark next to the following options:
    • Music
    • Saved Games
    • Videos
13. Close the Customize list and then click Next.
14. In the Password and Confirm Password boxes, type Pa$$w0rd and then click Save.
15. In the Save Your Easy Transfer File window, in the File name box, type \\LON-DC1\Data\DonProfile and then click Save. Windows Easy Transfer begins to save the files to the Data folder.
16. When the save is complete, click Next.
17. Click Next and then click Close.
18. Log off of LON-VS1.


Exercise 3: Loading User State Information to a Target Computer

Task 1: Import the configuration settings on LON-CL1

1. On LON-CL1, click Start, point to All Programs, click Accessories, click System Tools, and then click Windows Easy Transfer.
2. In the Windows Easy Transfer window, click Next.
3. Click An external hard disk or USB flash drive.
4. Click This is my new computer.
5. Click Yes to indicate that the settings from the old computer have been saved.
6. In the Open an Easy Transfer File window, in the File name box, type \\LON-DC1\Data\DonProfile.MIG and then click Open.
7. Type Pa$$w0rd as the password and then click Next.
8. Click Transfer to begin importing Don’s profile. Wait until the transfer completes.
9. When the transfer is complete, click See what was transferred.
10. In the Windows Easy Transfer Reports box, take note of what was transferred successfully as listed on the Transfer report tab.
11. Click the Program report tab and take note of the information related to programs. Close the Windows Easy Transfer Reports box.
12. In the Windows Easy Transfer box, click Close.
13. Log off of LON-CL1.

Task 2: Verify the migration

1. On LON-CL1, log on as CONTOSO\Don with a password of Pa$$w0rd.
2. Notice the Computer and Documents items on the desktop.

Task 3: Virtual Machine Shutdown

When you finish the lab, revert each virtual machine back to its initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V Manager.
2. Right-click each virtual machine name in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.


Lab B: Migrating User State by Using the User State Migration Tool 4.0

Computers in this lab

Before you begin the lab, you must start the virtual machines. The virtual machines used at the start of this lab are:

• 6294A-LON-DC1
• 6294A-LON-VS1
• 6294A-LON-CL1

Start the virtual machines

1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.
2. In the Virtual Machines pane, click the virtual machine name. In the Actions pane, under the virtual machine name, click Start.
3. To connect to the virtual machine, click the virtual machine name, and in the Actions pane, under the virtual machine name, click Connect.

Exercise 1: Planning for the User State Migration

Task 1: Read the supporting documentation

• Read the scenario and supporting documentation in the course workbook.

Task 2: Update the USMT Planning Job Aid

• Fill out the USMT Planning Job Aid.

User State Migration Planning – Job Aid
Department Name: Research Department

Question: Migration Scenario
Information: PC Refresh; PC Replacement
Details: Computers are being replaced with new hardware containing Windows 7.

Question: Which Operating System are you migrating user state from?
Information: 32 bit Windows XP; 64 bit Windows XP; 32 bit Windows Vista; 64 bit Windows Vista; 32 bit Windows 7; 64 bit Windows 7
Details: As per the email message from Max Stevens, all of the old computers are Windows Vista 32-bit computers.

Question: Which Operating System are you migrating user state to?
Information: 32 bit Windows XP; 64 bit Windows XP; 32 bit Windows Vista; 64 bit Windows Vista; 32 bit Windows 7; 64 bit Windows 7
Details: As per the email message from Max Stevens, the new operating system will be 32-bit Windows 7.

Question: Migration Store Type
Information: Local Store; Remote Store
Details: Remote migration store location: \\LON-DC1\Data

Question: Migration Store Options
Information: Compressed?; Encrypted?
Details: Compression is enabled by default, we will leave it at the default settings. Encryption is not required as per the email from Max Stevens.

Question: Accounts to be migrated
Information: Local accounts; Domain accounts
Details: Local account named DBService needs to be migrated. All domain accounts will be migrated. Local account named LocalAdmin must NOT be migrated.

Question: Application settings to be migrated
Information: Microsoft Office 2007
Details: All computers have Microsoft Office 2007 installed. The settings will be migrated, but not the applications themselves. The applications will need to be installed on the new computers.

Question: Custom files or folders to migrate
Information: ResearchApp
Details: Custom folder to be migrated.

Question: Are there any encrypted files to consider?
Information: Yes; No
Details: Enable encrypted file migration in the ScanState script.

Question: Operating system settings to migrate
Information: All Settings except for components listed in the details section.
Details: Windows Vista Gadgets should not be migrated. Shared Video folder should not be migrated. Shared Music folder should not be migrated. Shared Pictures folder should not be migrated.

Question: XML files to be used in the migration
• Config.xml: Needed to specify exceptions such as the gadgets, and shared folders.
• MigApp.xml: Needed on both the ScanState and LoadState commands in order to migrate application settings.
• MigUser.xml: Needed on both the ScanState and LoadState to migrate the user profile information such as user folders, files, and file types.
• MigDocs.xml: Not required.
• Custom xml file: Create a custom xml file called folders.xml that will contain information on migrating the Researchapp folder.


Exercise 2: Creating USMT Migration Scripts

Task 1: Create a config.xml file
1. Log on to LON-VS1 as Contoso\Administrator using the password Pa$$w0rd.
2. Click Start, and then in the Start Search box, type cmd and then press ENTER.
3. At the command prompt, type Net Use F: \\LON-DC1\Labfiles\USMT40, and then press ENTER.
4. At the command prompt, type F:, and then press ENTER.
5. At the command prompt, type scanstate /i:migapp.xml /i:miguser.xml /genconfig:config.xml, and then press ENTER. The creation of the Config.xml file begins. This can take several minutes to complete.
6. At the command prompt, type notepad config.xml, and then press ENTER. Maximize the Notepad window.
7. To exclude Windows Gadgets from migrating, under the WindowsComponents node, find the element with a component displayname of gadgets. Change the value of the migrate attribute from “yes” to “no” so that the line reads as follows:
8. Under the Documents node, modify the line to match the code shown below:
    component displayname="Shared Video" migrate="no"
9. Under the Documents node, modify the line to match the code shown below:
    component displayname="Shared Music" migrate="no"
10. Under the Documents node, modify the line to match the code shown below:
    component displayname="Shared Pictures" migrate="no"
11. Save your changes, and then close Notepad.

Task 2: Modify a custom XML file
1. At the command prompt, type notepad folders.xml, and then press ENTER. Maximize the Notepad window. This is a custom XML file used to migrate a specific folder called ResearchApp to the new workstation.
2. Change the variable to ResearchApp. The entire line should read:
    C:\ResearchApp\* [*]
3. Save your changes, and then close Notepad.
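The Task 1 edits to config.xml can be scripted and checked instead of made by hand in Notepad. The following is an added example, not part of the courseware: the sample file is constructed and simplified, only the component/displayname/migrate shape quoted in the steps is assumed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified stand-in for a /genconfig output. Only the
# component/displayname/migrate shape quoted in the lab steps is assumed;
# the ID values are placeholders.
SAMPLE_CONFIG = """<Configuration>
  <WindowsComponents>
    <component displayname="gadgets" migrate="yes" ID="placeholder-1"/>
    <component displayname="fonts" migrate="yes" ID="placeholder-2"/>
  </WindowsComponents>
  <Documents>
    <component displayname="Shared Video" migrate="yes" ID="placeholder-3"/>
    <component displayname="Shared Music" migrate="yes" ID="placeholder-4"/>
    <component displayname="Shared Pictures" migrate="yes" ID="placeholder-5"/>
    <component displayname="My Documents" migrate="yes" ID="placeholder-6"/>
  </Documents>
</Configuration>"""

# The exclusions from Task 1, steps 7 to 10: node name -> displaynames.
LAB_EXCLUSIONS = {
    "WindowsComponents": ["gadgets"],
    "Documents": ["Shared Video", "Shared Music", "Shared Pictures"],
}


def exclude_components(config_xml, exclusions=LAB_EXCLUSIONS):
    """Set migrate="no" on the named components.

    Returns (new_xml, changed, missing). `missing` lists (node, displayname)
    pairs that were not found, so a typo or a component absent from this
    machine's generated file is reported instead of silently ignored.
    """
    root = ET.fromstring(config_xml)
    changed, missing = [], []
    for node_name, names in exclusions.items():
        node = next(root.iter(node_name), None)
        by_name = {}
        if node is not None:
            for comp in node.iter("component"):
                key = (comp.get("displayname") or "").lower()
                by_name.setdefault(key, []).append(comp)
        for name in names:
            comps = by_name.get(name.lower(), [])
            if not comps:
                missing.append((node_name, name))
            for comp in comps:
                if comp.get("migrate") != "no":
                    comp.set("migrate", "no")
                    changed.append((node_name, name))
    return ET.tostring(root, encoding="unicode"), changed, missing


def migrating(config_xml):
    """Displaynames still marked migrate="yes", for review before ScanState."""
    root = ET.fromstring(config_xml)
    return [c.get("displayname") for c in root.iter("component")
            if c.get("migrate") == "yes"]


if __name__ == "__main__":
    new_xml, changed, missing = exclude_components(SAMPLE_CONFIG)
    print("changed:", changed)
    print("missing:", missing)
    print("still migrating:", migrating(new_xml))
```

A non-empty missing list means the generated file does not contain that component under that node, so the exclusion was not made and the data would still be captured.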


Exercise 3: Capturing and Restoring User State by Using USMT

Task 1: Capture User State on the Source Computer
1. On LON-VS1, switch to the command prompt.
2. If necessary, change to drive F.
3. At the command prompt, type the following and then press ENTER:
    Scanstate \\LON-DC1\Data /i:migapp.xml /i:miguser.xml /i:folders.xml /config:config.xml /o /ui:DBService /ue:LocalAdmin /efs:copyraw
   This will take several minutes to complete.

Task 2: Restore User State on the Target Computer
1. Log on to LON-CL1 as Contoso\Administrator using the password Pa$$w0rd.
2. Click Start, in the Search programs and files text box type cmd, and then press ENTER.
3. At the command prompt, type Net Use F: \\LON-DC1\Labfiles\USMT40, and then press ENTER.
4. At the command prompt, type F:, and then press ENTER.
5. At the command prompt, type the following and then press ENTER:
    Loadstate \\LON-DC1\Data /i:migapp.xml /i:miguser.xml /i:folders.xml /ue:LocalAdmin /ui:DBService /lac:Pa$$w0rd /lae
   This will take several minutes to complete.
6. When the Loadstate task completes, log off of LON-CL1.

Task 3: Verify the migration
1. Log on to LON-CL1 as Contoso\Don using the password Pa$$w0rd.
2. Notice the Computer and Documents items on the desktop.
3. Right-click Computer, and then click Manage. At the User Account Control prompt, type Administrator with the password of Pa$$w0rd.
4. Verify that the local DBService account has been migrated and is enabled.
5. Open Windows Explorer, and verify that C:\ResearchApp has been migrated.

Task 4: Virtual Machine Shutdown
When you finish the lab, revert each virtual machine back to its initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click each virtual machine name in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.


Lab C: Migrating User State Using Hard-Link Migration

Computers in this lab
Before you begin the lab, you must start the virtual machines. The virtual machines used at the start of this lab are:
• 6294A-LON-DC1
• 6294A-LON-VS1

Start the virtual machines
1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.
2. In the Virtual Machines pane, click the virtual machine name. In the Actions pane, under the virtual machine name, click Start.
3. To connect to the virtual machine, click the virtual machine name, and in the Actions pane, under the virtual machine name, click Connect.

Exercise 1: Performing a Hard-Link Migration

Task 1: Upgrade LON-VS1 to Windows 7
1. Log on to LON-VS1 as Contoso\Administrator using the password Pa$$w0rd.
2. In the Hyper-V Virtual Machine Connection window, click the Media menu, point to DVD Drive, and then click Insert Disk.
3. In the Open box, browse to C:\Program Files\Microsoft Learning\6294\Drives and then click Windows7_32bit.iso. Click Open. After a few moments the AutoPlay dialog box opens.
4. In the AutoPlay dialog box, click Run setup.exe. The Install Windows box opens.
5. In the Install Windows box, click Install now. Setup begins by copying temporary files.
6. On the Get important updates for installation page, click Do not get the latest updates for installation.
7. On the Please read the license terms page, click the check box next to I accept the license terms and then click Next.
8. On the Which Type of installation do you want? page, click Custom (advanced).
9. On the Where do you want to install Windows? page, click Next.
10. At the Install Windows warning prompt, click OK. Windows begins the installation. This will take approximately 30 minutes.
11. After the installation is complete, at the Set Up Windows page, click Next to accept the default Country, Time and currency, and Keyboard layout.
12. In the Type a user name box, type Alan.
13. In the Type a computer name box, type LON-VS1. Click Next.
14. In the Set a password for your account page, type Pa$$w0rd in all three text boxes. Click Next.
15. On the Help protect your computer and improve Windows automatically page, click Use recommended settings.
16. On the Review your time and date settings page, click Next.
17. On the Select your computer’s current location page, click Work network. Windows 7 starts.

Task 2: Perform a User State Hard-Link Migration
1. Click the Start button, point to All Programs, and then click Accessories.


2. Right-click Command Prompt and then click Run as Administrator. At the User Account Control prompt, click Yes.
3. At the command prompt, type Net Use F: \\LON-DC1\Labfiles\USMT40, and then press ENTER.
4. At the command prompt, type F:, and then press ENTER.
5. At the command prompt, type the following and then press ENTER:
    Scanstate C:\store /o /hardlink /nocompress /i:migapp.xml /i:miguser.xml /offlineWinOld:c:\Windows.old\Windows
   This will take several minutes to complete.
6. At the command prompt, type the following and then press ENTER:
    Loadstate C:\store /lac /lae /i:migapp.xml /i:miguser.xml /sf /hardlink /nocompress
   This will take several minutes to complete.

Task 3: Verify the migration
1. On LON-VS1, click the Windows Explorer button.
2. In Windows Explorer, browse to C:\Users.
3. Verify that the User profiles have been migrated including Don, LocalAdmin, and Student.

Task 4: Virtual Machine Shutdown
When you finish the lab, revert each virtual machine back to its initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click each virtual machine name in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.




Module 10: Designing, Configuring, and Managing the Client Environment

Lab A: Designing and Configuring the Client Environment

Computers in this lab
Before you begin the lab, you must start the virtual machines. The virtual machines used at the start of this lab are as follows:
• 6294A-LON-DC1
• 6294A-LON-CL1
• 6294A-LON-CL2

Start the virtual machines
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In the Virtual Machines pane, click the virtual machine name. In the Actions pane, under the virtual machine name, click Start.
3. To connect to the virtual machine, click the virtual machine name, and in the Actions pane, under the virtual machine name, click Connect.

Exercise 1: Designing a Client Environment

Task 1: Read the supporting documentation
• Read the supporting documentation.

Task 2: Update the proposal document with your planned course of action
1. Answer the questions in the additional information section of the document.
2. Update the Group Policy Objects for Contoso document with your planned course of action.

Group Policy Objects for Contoso
Document Reference Number: EM1109
Document Author: Ed Meadows
Date: November 2009

Requirement Overview
To determine which Group Policy Objects are required, and linked to which Active Directory objects, in order to address the domain and departmental requirements in the Summary document. You may use the Contoso GPO.vsd diagram to sketch your answer if you wish.
Your plan should include how you intend to address each desired setting; that is, which policy or, where necessary, which preference setting.

Additional Information
1. Where will you configure the domain-level settings outlined in the Summary document?
   Answer. Most of those settings can be configured as part of the default domain policy.


2. What impact does the fact that IT users must be able to run unsigned scripts have on your GPO strategy?
   Answer. It will be necessary to create an additional policy that contains the Application Restrictions as these cannot apply to the IT department, but all other settings must be enforced down the tree.
3. How will you handle application deployment for the various departments?
   Answer. No two departments have the same application requirements; Marketing has no special application needs, but the other three departments do. Create a GPO for application deployment and link it to the relevant organizational units.
4. How will you restrict the Production department users from running Internet Explorer?
   Answer. Modify the GPO linked to the Production department OU to have an Application Control Policy (AppLocker) that blocks Internet Explorer.
5. Will you handle drive mappings using preferences or a logon script?
   Answer. Either would work. The advantage of using a preference is that a single preference on the Default Domain Profile could be targeted to particular organizational units. This negates the need to duplicate the setting in three different GPOs.
6. How do you intend to manage the IT department’s requirement for a standard Documents folder?
   Answer. Folder redirection on the IT department GPO.
7. Sketch, or document, the intended GPO and how they are linked to AD DS objects on the supplied diagram. Indicate which settings will be configured by which object.
   Note: it is not necessary to detail the precise GPO settings.

Proposals
1. Modify the Default Domain Policy:
   a. Configure account policies
   b. Configure firewall rule to allow ping on domain profile
   c. Configure Application Identity service to automatic startup
   d. Configure Internet Explorer homepage
   e. Configure targeted preference for computers in all but Production department for a drive mapping
2. Enforce this policy
3. Create a new domain-level policy with an AppLocker policy that prevents all scripts except those signed by Microsoft from running.
4. Block inheritance on the IT OU to ensure the script restriction does not apply.
5. Create departmental level GPO for Research:
   a. Deploy Apps (OneNote and Visio)
6. Create departmental level GPO for IT:
   a. Deploy Visio
   b. Configure folder redirection for Documents
7. Create departmental level GPO for Production:
   a. Deploy custom app
   b. Block Internet Explorer from running


Exercise 2: Implementing a Client Configuration

Task 1: Create a new GPO and link it to the domain
1. Log on to the LON-DC1 virtual machine as CONTOSO\administrator with a password of Pa$$w0rd.
2. Click Start, point to Administrative Tools, and then click Group Policy Management.
3. In Group Policy Management, expand Forest: Contoso.com, expand Domains, expand Contoso.com, right-click Contoso.com, and then click Create a GPO in this domain, and link it here.
4. In the New GPO dialog box, type Script Restriction Policy and click OK.

Task 2: Configure the AppLocker policy on this new GPO
1. Right-click Script Restriction Policy, and then click Edit.
2. In Group Policy Management Editor, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Application Control Policies, and then expand AppLocker.
3. Under AppLocker, click Script Rules, right-click Script Rules, and click Create New Rule. Click Next.
4. In the Create Script Rules Wizard, on the Permissions page, click Deny, and then click Next.
5. On the Conditions page, click Publisher, and then click Next.
6. On the Publisher page, click Browse, in the File name box, type C:\windows\system32\slmgr.vbs, and then click Open.
7. On the Publisher page, drag the slider to Any Publisher, and then click Next.
8. On the Exceptions page, click Add.
9. In the Publisher Exception dialog box, click Browse.
10. In the File name box, type C:\windows\system32\slmgr.vbs, and then click Open.
11. In the Publisher Exception dialog box, drag the slider to Publisher, and then click OK.
12. On the Exceptions page, click Next.
13. On the Name and Description page, click Create.
14. In the AppLocker dialog box, click Yes.
15. Close Group Policy Management Editor.

Task 3: Modify the Default Domain Policy to include the required settings
Note: You will not be configuring all policy settings planned in the last exercise.
1. In Group Policy Management, right-click Default Domain Policy, and then click Edit.
2. In Group Policy Management Editor, expand User Configuration, expand Policies, expand Windows Settings, expand Internet Explorer Maintenance, and then click URLS.
3. In the results pane, double-click Important URLs.
4. Select the Customize Home page URL check box, and in the Home page URL: box, type http://lon-dc1, and then click OK.


5. Under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Windows Firewall with Advanced Security, and then expand Windows Firewall with Advanced Security – LDAP://CN={GUID}.
6. In the navigation tree, click Inbound Rules, and then right-click Inbound Rules.
7. Click New Rule.
8. On the Rule Type page of the New Inbound Rule Wizard, select Custom and then click Next.
9. On the Program page, click Next.
10. On the Protocol and Ports page, in the Protocol type list, click ICMPv4, and then click Next.
11. On the Scope page, click Next.
12. On the Action page, click Allow the connection and then click Next.
13. On the Profile page, clear the Private and Public check boxes, and then click Next.
14. On the Name page, in the Name box, type Allow Ping, and then click Finish.
15. In the Group Policy Management Editor, under User Configuration, expand Preferences, expand Windows Settings, and click Drive Maps.
16. Right-click Drive Maps, click New, and then click Mapped Drive.
17. In the New Drive Properties dialog box, in the Location box, type \\lon-dc1\data.
18. Select the Reconnect check box.
19. In the Use list, click G.
20. Click the Common tab.
21. Select the Item-level targeting check box, and then click Targeting.
22. In the Targeting Editor dialog box, click New Item.
23. In the list, click Domain.
24. In the NetBIOS domain name box, type CONTOSO, and then click OK.
25. In the New Drive Properties dialog box, click OK.
26. Under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, and click System Services.
27. In the results pane, double-click Application Identity.
28. In the Application Identity Properties dialog box, select the Define this policy setting check box, click Automatic, and then click OK.
29. Close Group Policy Management Editor.

Task 4: Enforce this GPO
• In Group Policy Management, right-click Default Domain Policy, and then click Enforced.

Task 5: Block inheritance on the IT OU
1. In the navigation tree, right-click IT, and then click Block Inheritance.
2. Close Group Policy Management.


Task 6: Move the two desktop computers into the appropriate OUs
1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. In Active Directory Users and Computers, in the navigation tree, expand Contoso.com, and then click Computers.
3. In the results pane, right-click LON-CL1, and then click Move.
4. In the Move dialog box, click IT, and then click OK.
5. In the results pane, right-click LON-CL2, and then click Move.
6. In the Move dialog box, click Production, and then click OK.
7. Close Active Directory Users and Computers.

Task 7: Refresh the group policy on the client computers
1. Switch to the LON-CL1 computer.
2. Log on to the LON-CL1 virtual machine as CONTOSO\administrator with a password of Pa$$w0rd.
3. Click Start, and in the Search programs and files box, type cmd, and press ENTER.
4. In the Command Prompt, type gpupdate /force and then press ENTER.
5. At the OK to logoff? (Y/N) prompt, type N and press ENTER.
6. Restart the computer.
7. Log on to the LON-CL1 virtual machine as CONTOSO\Ryan with a password of Pa$$w0rd.
8. Switch to the LON-CL2 computer.
9. Log on to the LON-CL2 virtual machine as CONTOSO\administrator with a password of Pa$$w0rd.
10. Click Start, and in the Search programs and files box, type cmd, and press ENTER.
11. In the Command Prompt, type gpupdate /force, and then press ENTER.
12. At the OK to logoff? (Y/N) prompt, type N and press ENTER.
13. Restart the computer.
14. Log on to the LON-CL2 virtual machine as CONTOSO\Jens with a password of Pa$$w0rd.

Task 8: Test the settings on the departmental computers
1. Switch to the LON-CL1 computer.
2. Click Start, and then click Computer. Confirm the presence of the mapped drive.
3. Click Start, and in the Search programs and files box, type services.msc and press ENTER. Confirm that the Application Identity service is started.
4. From Quick Launch, click Internet Explorer. In the Set Up Windows Internet Explorer 8 Wizard, click Ask me later. Verify that the home page is http://lon-dc1.
5. Click Start, and in the Search programs and files box, type cmd and press ENTER.
6. At the Command Prompt, type ping lon-cl2 and press ENTER. Verify the ping was successful, indicating that the new firewall rule is configured.
7. At the Command Prompt, type copy con test.vbs and press ENTER.
8. At the Command Prompt, type msgbox “test” and press ENTER.


9. At the Command Prompt, press F6, and then press ENTER.
10. At the Command Prompt, type test.vbs and press ENTER. Verify that an unsigned script ran successfully. Click OK.
11. Close all open windows.
12. Switch to the LON-CL2 computer.
13. Click Start, and in the Search programs and files box, type cmd and press ENTER.
14. At the Command Prompt, type copy con test.vbs and press ENTER.
15. At the Command Prompt, type msgbox “test” and press ENTER.
16. At the Command Prompt, press F6, and then press ENTER.
17. At the Command Prompt, type test.vbs and press ENTER. Verify that an unsigned script failed to run. Click OK.
18. Close all open windows.

Important: Do not restart the virtual machines. You will need them for the subsequent lab.


Lab B: Troubleshooting GPO Issues

Computers in this lab
You continue to use the virtual machines from the previous lab. The virtual machines used in this lab are as follows:
• 6294A-LON-DC1
• 6294A-LON-CL1
• 6294A-LON-CL2

Exercise 1: Resolving a GPO Application Problem

Task 1: Reconfigure the GPO settings to simulate a problem
1. Switch to the LON-DC1 computer.
2. Click Start, point to Administrative Tools, and then click Group Policy Management.
3. In Group Policy Management, expand Forest: Contoso.com, expand Domains, expand Contoso.com, right-click the Default Domain Policy link and click Enforced.
   Note: This should clear the check mark.

Task 2: Refresh the group policy on the client computers
1. Switch to the LON-CL1 computer.
2. Log off, and then log on to the LON-CL1 virtual machine as CONTOSO\administrator with a password of Pa$$w0rd.
3. Click Start, and in the Search programs and files box, type cmd and press ENTER.
4. In the Command Prompt, type gpupdate /force and then press ENTER.
5. At the OK to logoff? (Y/N) prompt, type N and press ENTER.
6. Restart the computer.
7. Log on to the LON-CL1 virtual machine as CONTOSO\Ryan with a password of Pa$$w0rd.
8. Switch to the LON-CL2 computer.
9. Log off, and then log on to the LON-CL2 virtual machine as CONTOSO\administrator with a password of Pa$$w0rd.
10. Click Start, and in the Search programs and files box, type cmd and press ENTER.
11. In the Command Prompt, type gpupdate /force and then press ENTER.
12. At the OK to logoff? (Y/N) prompt, type N and press ENTER.
13. Restart the computer.
14. Log on to the LON-CL2 virtual machine as CONTOSO\Jens with a password of Pa$$w0rd.

Task 3: Test the group policy settings
1. On the LON-CL2 computer, click Start, and in the Search programs and files box, type cmd and press ENTER.
2. At the Command Prompt, type ping lon-cl1 and press ENTER. Ping was unsuccessful.


3. Close all open windows.
4. Switch to the LON-CL1 computer, click Start, and in the Search programs and files box, type services.msc and press ENTER. The Application Identity service is not started.
5. From Quick Launch, click Internet Explorer. The home page is no longer http://lon-dc1.
6. Close all open windows.
7. What do these tests suggest?
   Answer: The Default Domain Policy settings are not being applied to the LON-CL1 computer.

Task 4: Enable necessary programs through the firewall
1. In the Notification area, right-click Network, and then click Open Network and Sharing Center.
2. In the See also list, click Windows Firewall.
3. In Windows Firewall, click Allow a program or feature through Windows Firewall.
4. In Allowed Programs, click Change settings.
5. In the User Account Control dialog box, in the User name box, type Administrator.
6. In the Password box, type Pa$$w0rd, and then click OK.
7. In the Allowed programs and features list, select the Windows Management Instrumentation (WMI) check box.
8. Select the Remote Service Management check box, and then click OK.
9. Close Windows Firewall.

Task 5: Run the Group Policy Results Wizard
1. Switch to the LON-DC1 computer, and in Group Policy Management, in the navigation tree, click Group Policy Results.
2. Right-click Group Policy Results, and then click Group Policy Results Wizard.
3. In the Group Policy Results Wizard, click Next.
4. On the Computer Selection page, click Another computer, and then click Browse.
5. In the Select Computer dialog box, in the Enter the object name to select (examples): box, type LON-CL1, click Check Names, and then click OK.
6. On the Computer Selection page, click Next.
7. On the User Selection page, click CONTOSO\ryan, and then click Next.
8. On the Summary of Selections page, click Next.
9. Click Finish, and in the Internet Explorer dialog box, click Add.
10. In the Trusted sites dialog box, click Add twice, and then click Close.

Task 6: Examine the Group Policy Results
1. In Group Policy Management, in the results pane, click show all.
2. Study the report. Looking at the Denied GPOs section, what is the reason that no GPOs are applied to the computer?
   Answer: They are blocked.


Task 7: Reconfiguring enforcement
1. In Group Policy Management, expand Forest: Contoso.com, expand Domains, expand Contoso.com, right-click Default Domain Policy, and click Enforced.
2. Switch to the LON-CL1 computer.
3. Click Start, and in the Search programs and files box, type cmd and press ENTER.
4. In the Command Prompt, type gpupdate /force and then press ENTER.
5. At the OK to logoff? (Y/N) prompt, type N and press ENTER.
6. Switch to the LON-DC1 computer.

Task 8: Re-Run the query
1. In Group Policy Management, in the navigation tree, right-click ryan on lon-cl1, and then click Rerun query.
2. In Group Policy Management, in the results pane, click show all.
3. Study the report. Are any GPOs applying now?
   Answer: Yes, the Default Domain Policy.
4. Click the Settings tab, and then click show all.
5. Which settings are being applied by the Default Domain Policy?
   Answer:
   • Account Policies
   • Account Policies
   • Local Policies
   • System Services\Application identity
   • Public Key Policies
   • Windows Firewall with Advanced Security\inbound rule
   • Internet Explorer Maintenance\home page
   • Preferences\drive mapping

Task 9: Virtual Machine Shutdown
When you finish the lab, revert each virtual machine back to its initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click each virtual machine name in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
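The interaction that Lab A configures and Lab B troubleshoots, Enforced on a domain link against Block Inheritance on the IT OU, can be modelled in a few lines. This is an added example, not part of the courseware: the class and function names are hypothetical, and the model covers only domain and OU links, leaving out site and local policy, security filtering and WMI filters.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Link:
    gpo: str
    enforced: bool = False


@dataclass
class Container:
    name: str
    links: List[Link] = field(default_factory=list)
    block_inheritance: bool = False
    parent: Optional["Container"] = None


def resolve(container):
    """Return (applied, denied) for a computer or user in `container`.

    `applied` is in application order, so the last entry wins a conflict.
    `denied` maps each filtered-out GPO to the container that blocked it.
    """
    normal_by_level, enforced, denied = [], [], {}
    blocked_by = None
    node = container
    while node is not None:                 # walk from the OU up to the domain
        level = []
        for link in node.links:
            if link.enforced:
                enforced.append(link.gpo)   # Enforced ignores Block Inheritance
            elif blocked_by is not None:
                denied[link.gpo] = blocked_by
            else:
                level.append(link.gpo)
        normal_by_level.append(level)
        if node.block_inheritance and blocked_by is None:
            blocked_by = node.name          # affects links on every ancestor
        node = node.parent
    # Non-enforced links apply domain first, nearest OU last. Enforced links
    # apply after those, and the highest-level enforced link is applied last.
    applied = [g for level in reversed(normal_by_level) for g in level]
    return applied + enforced, denied


def build_lab(default_domain_enforced):
    """The lab's layout: two domain-linked GPOs, IT blocks inheritance."""
    domain = Container("Contoso.com", links=[
        Link("Default Domain Policy", enforced=default_domain_enforced),
        Link("Script Restriction Policy"),
    ])
    it = Container("IT", block_inheritance=True, parent=domain)
    production = Container("Production", parent=domain)
    # LON-CL1 was moved to IT and LON-CL2 to Production in Lab A, Task 6.
    return {"LON-CL1": it, "LON-CL2": production}


if __name__ == "__main__":
    for enforced in (True, False):
        print("Default Domain Policy enforced:", enforced)
        for computer, ou in build_lab(enforced).items():
            applied, denied = resolve(ou)
            print(" ", computer, "applied:", applied, "denied:", denied)
```

With the Enforced flag cleared, LON-CL1 receives no domain-linked GPO at all, which is the state the Group Policy Results report shows in Task 6.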


Module 11: Planning and Deploying Applications and Updates to Windows® 7 Clients

Lab A: Determining the Application Deployment Method

Exercise 1: Determining the Application Deployment Method

Task 1: Read the supporting documentation
• Read the scenario and supporting documentation in the course workbook.

Task 2: Update the Application Deployment Worksheet
• Answer the questions on the Application Deployment Worksheet.

Application Deployment Worksheet
Document Reference Number: AD2009
Document Author: Ed Meadows

Requirement Overview
Determine the most appropriate method for deploying corporate and departmental applications.

Questions
1. Does the current infrastructure support any automated deployment methods?
   Answer. Yes, the current infrastructure has an Active Directory infrastructure which supports Group Policy software deployment. The infrastructure also contains Configuration Manager 2007, which includes software deployment features.
2. What are the advantages and disadvantages of the current deployment options available to Contoso?
   Answer. Active Directory Group Policy is a relatively simple method for deploying software, however it does have a couple of disadvantages such as the lack of reporting and it only supports MSI or ZAP files.
   Configuration Manager 2007 provides extensive reporting and supports all types of installation files, however it is quite a bit more complex to deploy and configure than Group Policy.
3. Based upon Adam’s requirements, which method should you consider to deploy the 2007 Office system?
   Answer. Configuration Manager would be the best way to deploy the 2007 Office system; however Adam states that he wants to maintain full control of the customization and deployment processes. In this case, it is best to store the setup files on a network installation point, create a customized installation file that will provide silent installation capabilities, and perform installation tasks from the installation point itself. Group Policy might be considered, however the 2007 Office system is not recommended to be deployed using Group Policy.
4. Based upon Adam’s requirements, which method should you consider to deploy Adobe Reader?
   Answer. Since Adobe Reader is an organization-wide requirement, the best method would be to deploy this application using Configuration Manager 2007. However since it is currently only being used for inventory purposes, Group Policy would be the next best method as long as an MSI file is available for the application. You may also consider installing the application in the desktop image, since it is quite a small application.
5. What can you do to ensure that Office 2003 is still available for users that require the use of the customized templates?
   Answer. Since the 2007 Office system does not easily co-exist with multiple versions, there are a number of ways to provide access to Office 2003. One method is to use application virtualization to provide Office 2003 applications. This will ensure that all versions do not interfere with each other and allow for the use of all customized templates. Another method is to publish Office 2003 applications as a Terminal Services RemoteApp. An added advantage of using RemoteApp is that users will be able to access Office 2003 over the Internet if needed.
   One final method might be the use of Windows XP mode for Windows 7. This would allow for the publishing and usage of Office 2003 from a virtual machine installed on the Windows 7 desktop.


Lab B: Customizing the Microsoft Office Professional Plus 2007 Installation

Computers in this lab
Before you begin the lab, you must start the virtual machines. The virtual machines used at the start of this lab are:
• 6294A-LON-DC1
• 6294A-LON-CL1

Start the virtual machines
1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.
2. In the Virtual Machines pane, click the virtual machine name. In the Actions pane, under the virtual machine name, click Start.
3. To connect to the virtual machine, click the virtual machine name, and in the Actions pane, under the virtual machine name, click Connect.

Lab Setup: Remove the 2007 Office system from LON-CL1
1. Log on to LON-CL1 with the user name Administrator and the password Pa$$w0rd.
2. Click Start and then click Control Panel.
3. Under Programs, click Uninstall a program.
4. Click Microsoft Office Professional Plus 2007 and then click Uninstall.
5. Click Yes. Click Close and then reboot LON-CL1.


Exercise 1: Creating a Setup Customization File

Task 1: Configure the Setup Category
1. Log on to LON-DC1 with the user name Administrator and the password Pa$$w0rd.
2. On the Start menu, click Run.
3. In the Open box, type E:\Labfiles\Office2007\setup.exe /admin, and then click OK. The Office Customization Tool starts.
4. In the Select Product box, ensure that Create a new Setup customization file for the following product is selected and that Microsoft Office Professional Plus 2007 is shown as the Product, and then click OK.
5. In the left pane, click Install location and organization name.
6. In the details pane, leave the Default installation path as [ProgramFilesFolder]\Microsoft Office.
7. Under Organization name, type Contoso.
8. In the left pane, click Additional network sources, and then click Add.
9. In the Add Network Server Entry box, under Network server, type LON-SVR2, and then click OK.
10. In the left pane, click Licensing and user interface.
11. Select the I accept the terms in the License Agreement check box.
12. Next to Display level, select Basic, and then ensure that the check mark next to Completion notice is enabled. Note that usually you would also enter a volume license key; however, for this exercise it will not be configured in the Setup customization file.
13. In the left navigation pane, click Remove previous installations. Ensure that Default Setup behavior is selected, which will remove all earlier versions of installed programs.
14. In the left navigation pane, click Office security settings.
15. Under Add the following paths to the Trusted Locations list, click Add.
16. In the Specify Security Locations dialog box, in the Application drop-down menu, select Microsoft Office Word. In the Path box, type \\LON-DC1\Data.
17. Click to enable the check box next to Subfolders of this location are also trusted. Click OK.
18. In the left navigation pane, click Modify Setup Properties and then click Add.
19. In the Name box type HIDEUPDATEUI.
20. In the Value box type True and then click OK.

Task 2: Configure the Features Category
1. In the left navigation pane, under Features, click Modify user settings.
2. In the details pane, expand Microsoft Office Word 2007\Word Options, and then click Save.
3. Double-click Save files in this format.
4. In the Save files in this format Properties box, click Enabled.
5. Under Save files in this format, click the drop down arrow and select Word 97-2003 Document (*.doc), and then click OK.
6. In the details pane, expand Microsoft Office Outlook 2007\Security and then click Trust Center.
7. Double-click Enable links in e-mail messages.
8. In the Enable links in e-mail messages Properties box, click Disabled, and then click OK.
9. In the details pane, expand Microsoft Office 2007 system and then click Miscellaneous.
10. Double-click Disallow Convert Document (Excel, PowerPoint, Word).
11. In the Disallow Convert Document (Excel, PowerPoint, Word) Properties box, click Enabled, and then click OK.
12. At the bottom of the details pane, clear the Migrate user settings check box.
13. In the left navigation pane, click Set feature installation states.
14. In the details pane, expand Microsoft Office, click the grey box next to Microsoft Office Publisher, and then click Not Available.
15. In the details pane, click the grey box next to Microsoft Office Access, and then click Not Available.
16. In the details pane, expand Microsoft Office Excel, click the grey box next to Sample Files, and then click Not Available.
17. On the File menu, click Save.
18. Browse to E:\Labfiles\Office2007\Updates. Name the file Research, and then click Save.
19. Close the Office Customization Tool, and then click Yes to quit.

Task 3: Install the 2007 Office System Using the Setup Customization File
1. Log on to LON-CL1 as Contoso\Administrator with the password of Pa$$w0rd.
2. Click Start, and then in the Search programs and files box type \\LON-DC1\Labfiles\Office2007\setup.exe, and then press ENTER. The installation begins. This will take 10-15 minutes to complete.
3. After the installation is complete, verify that your customizations are implemented.

Task 4: Virtual Machine Shutdown
When you finish the lab, revert each virtual machine back to its initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click each virtual machine name in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
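
The trusted location added in Task 1 (\\LON-DC1\Data, with subfolders) can be confirmed on LON-CL1 after Task 3 and before the virtual machines are reverted. The PowerShell below is an added example, not part of the courseware; the function name is chosen for this example, and it assumes Word 2007 keeps its trusted locations under the per-user Office 12.0 registry keys shown and that Word has been started once by the logged-on user.

```powershell
# Added example, not part of the courseware. Run on LON-CL1 as the user who uses Word.
# Lists Word 2007 trusted locations and checks that the lab's entry is present.
# Assumption: locations are stored under these Office 12.0 per-user keys.
$trustedRoots = @(
    'HKCU:\Software\Microsoft\Office\12.0\Word\Security\Trusted Locations',
    'HKCU:\Software\Policies\Microsoft\Office\12.0\Word\Security\Trusted Locations'
)

function Get-WordTrustedLocation {
    foreach ($root in $trustedRoots) {
        if (-not (Test-Path $root)) { continue }
        $source = 'User'
        if ($root -like '*\Policies\*') { $source = 'Policy' }

        foreach ($key in Get-ChildItem -Path $root) {
            $props = Get-ItemProperty -Path $key.PSPath
            if (-not $props.Path) { continue }   # skip subkeys without a Path value

            New-Object PSObject -Property @{
                Key             = $key.PSChildName
                Path            = $props.Path
                AllowSubfolders = ($props.AllowSubfolders -eq 1)
                IsNetworkPath   = ($props.Path -match '^\\\\')   # UNC path
                Source          = $source
            } | Select-Object Key, Path, AllowSubfolders, IsNetworkPath, Source
        }
    }
}

$locations = @(Get-WordTrustedLocation)
$locations | Format-Table -AutoSize

# Value configured in Task 1, steps 16 and 17.
$expectedPath = '\\LON-DC1\Data'
$match = @($locations | Where-Object { $_.Path.TrimEnd('\') -ieq $expectedPath })

if ($match.Count -eq 0) {
    Write-Warning "Trusted location $expectedPath was not found for this user."
} elseif (-not $match[0].AllowSubfolders) {
    Write-Warning "$expectedPath is trusted, but subfolders are not."
} else {
    "Trusted location $expectedPath is present with subfolders trusted."
}

# Documents opened from a trusted location bypass Word's macro and Trust Center checks,
# so every network location listed here should have tightly controlled write access.
$network = @($locations | Where-Object { $_.IsNetworkPath -and $_.AllowSubfolders })
foreach ($loc in $network) {
    Write-Warning "Review write permissions on $($loc.Path) and everything beneath it."
}
```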


Lab C: Planning and Managing Updates by Using WSUS

Computers in this lab

Before you begin the lab, you must start the virtual machines. The virtual machines used at the start of this lab are:
• 6294A-LON-DC1
• 6294A-LON-CL1

Start the virtual machines
1. On the host computer, click Start, point to Administrative Tools, and click Hyper-V Manager.
2. In the Virtual Machines pane, click the virtual machine name. In the Actions pane, under the virtual machine name, click Start.
3. To connect to the virtual machine, click the virtual machine name, and in the Actions pane, under the virtual machine name, click Connect.

Exercise 1: Planning Group Policy Automatic Update Settings

Task 1: Read the supporting documentation
• Read the scenario and supporting documentation in the course workbook.

Task 2: Update the Group Policy Settings Configuration Request Worksheet
• Fill out the Group Policy Settings Configuration Request to match the requirements outlined in the supporting documentation.

Group Policy Settings Configuration Request

Details
• Individual requesting GPO changes: Ed Meadows
• Technical reason for GPO change: Configuration of the Windows Update client to point to the internal WSUS server instead of the Internet.
• Scope of management for the requested GPO: Marketing Department

Group Policy Setting Requested (Setting Name: Configuration)
• Configure Automatic Updates:
  Configure automatic updating: 4 – Auto download and schedule the install
  Scheduled install day: 0 – Every day
  Scheduled install time: 17:00
• Specify intranet Microsoft update service location:
  Set the intranet update service for detecting updates: http://LON-DC1
  Set the intranet statistics server: http://LON-DC1
• Automatic Updates detection frequency: 8 hours


Exercise 2: Configuring Automatic Update Settings by Using Group Policy

Task 1: Configure Automatic Update Settings
1. Log on to LON-DC1 as Contoso\Administrator with the password of Pa$$w0rd.
2. On LON-DC1, click Start, point to Administrative Tools, and then click Group Policy Management. The Group Policy Management console opens.
3. Expand Forest: Contoso.com, expand Domains, expand Contoso.com, and then click Group Policy Objects.
4. In the details pane, right-click Default Domain Policy and then click Edit. The Group Policy Management Editor opens.
5. Under Computer Configuration expand Policies, expand Administrative Templates, expand Windows Components, and then click Windows Update.
6. In the details pane, double-click Configure Automatic Updates.
7. In the Configure Automatic Updates dialog box, click Enabled.
8. Under Options configure the following and then click OK:
   • Configure automatic updating: 4 – Auto download and schedule the install
   • Scheduled install day: 0 – Every day
   • Scheduled install time: 17:00
9. In the details pane, double-click Specify intranet Microsoft update service location.
10. In the Specify intranet Microsoft update service location dialog box, click Enabled.
11. Under Options configure the following and then click OK:
   • Set the intranet update service for detecting updates: http://LON-DC1
   • Set the intranet statistics server: http://LON-DC1
12. In the details pane, double-click Automatic Updates detection frequency.
13. In the Automatic Updates detection frequency dialog box, click Enabled.
14. Under Options configure the following and then click OK:
   • Interval (hours): 8
15. Close the Group Policy Management Editor.
16. Close Group Policy Management.
Task 2: Verify that the Automatic Updates policy settings have applied
1. Log on to LON-CL1 with the user name Administrator and the password Pa$$w0rd.
2. Click Start, and then in the Search programs and files box, type cmd and then press ENTER.
3. At the command prompt type gpupdate /force and then press ENTER.
4. Close the command prompt.
5. Click Start, and then in the Search programs and files box, type Windows Update.
6. In the search results, under Programs, click Windows Update.
7. On the Windows Update page, click Change settings. Notice the information message at the top of the window stating that some settings are managed by the system administrator. Also notice that some of the configuration settings are grayed out.
8. On the Change settings page, click Cancel and then close Windows Update.
9. Close the Control Panel.
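
The Windows Update dialog only shows that some settings are managed; the values themselves can be read from the policy registry keys that Group Policy writes on the client. The PowerShell below is an added example, not part of the courseware, that compares those keys on LON-CL1 with the values from the Group Policy Settings Configuration Request; the function names are chosen for this example.

```powershell
# Added example, not part of the courseware. Run on LON-CL1 after gpupdate /force.
# Compares the Windows Update policy values in the registry with the values
# requested in the lab's Group Policy Settings Configuration Request.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

$expected = @(
    @{ Key = $wuKey; Name = 'WUServer';                  Value = 'http://LON-DC1' },
    @{ Key = $wuKey; Name = 'WUStatusServer';            Value = 'http://LON-DC1' },
    @{ Key = $auKey; Name = 'UseWUServer';               Value = 1 },   # use the intranet server
    @{ Key = $auKey; Name = 'NoAutoUpdate';              Value = 0 },   # Automatic Updates enabled
    @{ Key = $auKey; Name = 'AUOptions';                 Value = 4 },   # auto download, scheduled install
    @{ Key = $auKey; Name = 'ScheduledInstallDay';       Value = 0 },   # every day
    @{ Key = $auKey; Name = 'ScheduledInstallTime';      Value = 17 },  # 17:00
    @{ Key = $auKey; Name = 'DetectionFrequencyEnabled'; Value = 1 },
    @{ Key = $auKey; Name = 'DetectionFrequency';        Value = 8 }    # hours
)

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    # Returns $null when the key or the value is absent (policy not applied).
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Test-WsusClientPolicy {
    foreach ($e in $expected) {
        $actual = Get-PolicyValue -Key $e.Key -Name $e.Name
        $shown  = $actual
        if ($null -eq $actual) { $shown = '<not set>' }

        New-Object PSObject -Property @{
            Name     = $e.Name
            Expected = $e.Value
            Actual   = $shown
            Match    = ($null -ne $actual) -and ("$actual" -eq "$($e.Value)")
        } | Select-Object Name, Expected, Actual, Match
    }
}

$results = @(Test-WsusClientPolicy)
$results | Format-Table -AutoSize

$failed = @($results | Where-Object { -not $_.Match })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) setting(s) differ from the request; check GPO scope and rerun gpupdate /force."
} else {
    'All requested Windows Update policy values are applied.'
}

# The lab points clients at WSUS over plain HTTP. Outside a lab, Microsoft's guidance
# is to configure WSUS for SSL so update metadata cannot be altered in transit.
$server = Get-PolicyValue -Key $wuKey -Name 'WUServer'
if ($server -like 'http://*') {
    Write-Warning "WUServer is $server (HTTP). Use an https:// WSUS URL in production."
}
```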


Exercise 3: Approving and Deploying an Update by Using WSUS

Task 1: Initializing Windows Update
1. On LON-CL1, click Start, and then in the Search programs and files box, type cmd and then press ENTER.
2. At the command prompt type wuauclt /detectnow and then press ENTER.
3. At the command prompt type wuauclt /r /reportnow and then press ENTER.
4. Close the command prompt.

Task 2: Approve and Deploy an Update
1. On LON-DC1, click Start, point to Administrative Tools, and then click Windows Server Update Services.
2. In the left-hand pane, expand LON-DC1, expand Computers and then click All Computers. LON-CL1.contoso.com should appear in the details pane. If no results are shown, wait for a few minutes. If after a few minutes no results are shown, repeat Task 1.
3. Double-click lon-cl1.contoso.com. A report is generated to show which updates are required on this computer.
4. Click the Next Page button. Notice that five critical updates are reported.
5. Close the report.
6. In the left-hand pane, expand Updates and then click Critical Updates. Notice the critical updates that are listed.
7. Right-click Update for the 2007 Microsoft Office System (KB967642) and then click Approve.
8. In the Approve Updates dialog box, click the arrow next to All Computers and then click Approved for Install. Click OK.
9. In the Approval Progress dialog box, click Close.
10. Close the Update Services console.
11. On LON-CL1, click Start, and then in the Search programs and files box, type Windows Update.
12. In the search results, under Programs, click Windows Update.
13. On the Windows Update page, click Check for updates.
14. Click Install Updates.

Task 3: Virtual Machine Shutdown
When you finish the lab, revert each virtual machine back to its initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click each virtual machine name in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.


Module 12: Deploying Windows 7 – Challenge Scenario

Lab A: Planning an End to End Windows 7 LTI Deployment

Exercise 1: Planning the MDT Lite Touch Environment

Task 1: Read the supporting documentation
• Read the scenario and supporting documentation in the course workbook.

Task 2: Use the following decision tree and checklist to help facilitate the creation of the deployment plan
• Create a deployment plan using the following aids.


Technician Computer Decision Tree

What Type of Client is being Deployed?
• 64 Bit: Build x64 based Windows 2003 (or above) system
• 32 Bit: Build x86 based Windows 2003 (or above) system

Required Components
• Install MDT
• Install WAIK

Planning Components
• Performing Network Assessment? If YES, Install MAP.
• Performing Office 2007 Migration? If YES, Office Migration Planning Manager.

Installation Components
• Application Compatibility known? If NO, Install ACT.
• Deploying OS through? If Media, Prepare CD/DVD's. If NETWORK, Configure DHCP.
• Boot Client System? If PXE Boot, Prepare PXE Environment. Otherwise Media.
• MultiCast Deployment? If YES, Prepare WDS.
• Migrating Pre SP1 VISTA User State? If YES, Install USMT 3.01.

To Page 2


Technician Computer Decision Tree – Cont.

From Page 1

Post Installation Components
• Installing Windows 2003 with KMS? If YES, Install KMS 1.1 for Windows 2003.
• Installing Windows 7 with MAK? If YES, Install Volume Activation Management Tool.
• Using Security Compliance Management? If YES, Install Security Compliance Management Toolkit.

MDT Installation Complete


Microsoft Deployment Toolkit Job Aid

Microsoft Deployment Toolkit Planning – Job Aid

Question: What Operating System are you going to deploy?
Information: 32 bit Windows 7; 64 bit Windows 7; 32 Windows Server 2008R2; 64 bit Windows Server 2008 R2
Details: 32 bit Windows 7 Enterprise Edition

Question: What System is going to be deployed as the Technician's system?
Information: Windows 7 client; Windows 2008 R2 server
Details: LON-CL2 is a 32 bit Windows 7 Enterprise Edition

Question: Are you going to be deploying Applications?
Information: Yes; No
Details: Office 2007 needs to be deployed to all systems.

Question: What MDT additional components are you going to install?
Information: MAP; WAIK; USMT; ACT
Details: System compatibility needs to be checked. WAIK contains the ImageX and USMT 4.0 files.

Question: Where will you store your distribution files?
Information: Local Deployment Share; Remote Deployment Share
Details: The Remote Server LON-DC1 is going to be used as the deployment Share

Question: What is your imaging and source file strategy?
Information: CD; Network Share
Details: All systems will be PXE booted and deployed from a network share.

Question: Do you want to back up computers before deployment?
Information: Yes; No
Details: Systems should be captured prior to deployment.

Question: Will you be deploying any drivers not included with Windows 7?
Information: Yes; No
Details: Yes. Windows IPoint and LifeCam drivers need to be installed.

Question: Will you deploy across the network, with removable media, or both?
Information: Network; Removable Media
Details: All systems will be PXE booted and deployed from a network share.

Question: Which Deployment Scenario will you use?
Information: New Computer; Upgrade Existing Computer; Refresh Computer; Replace Computer
Details: Some computers are scheduled to be upgraded to Windows 7 and some are scheduled for replacement.

Question: Will you deploy a full set of operating system files or a custom Windows Imaging Format (WIM)?
Information: Full OS File Set; Custom WIM
Details: A Full OS Set will be used to create the Reference Computer and the Custom WIM created from the reference computer will be used for the general deployment.

Question: Are you going to allow users to choose their own operating system, applications, locale, time zone, and administrative password?
Information: Yes; No
Details: These settings will be set in the Reference Image.

Question: Which product editions will you deploy?
Information: Professional; Ultimate; Business; Enterprise
Details: 32 bit Windows 7 Enterprise Edition

Question: How will you handle product keys and licensing?
Information: Multiple Activation Key (MAK); Key Management Service (KMS)
Details: KMS will be used for activating the systems.


Lab B: Deploying Windows 7 Using the LTI Deployment Plan

Exercise 1: Performing a Network Assessment

Task 1: Start the computers
Start the following systems:
• 6294A-LON-DC1
• 6294A-LON-CL2
• 6294A-LON-VS1
• 6294A-LON-VS2

Task 2: Configure the Microsoft Assessment and Planning Toolkit
1. Log on to the LON-CL2 virtual machine as Contoso\Administrator with a password of Pa$$w0rd.
2. Click Start, point to All Programs, click Microsoft Assessment and Planning Toolkit, and click Microsoft Assessment and Planning Toolkit.
3. After the Microsoft Planning and Assessment Toolkit starts, in the Create or select a database to use dialog box, select the Create an inventory database radio button, type Akron Inventory, and then click OK.

Task 3: Run the Windows 7 Readiness Assessment Wizard
1. In the Discovery and Readiness pane, click Inventory and Assessment Wizard.
2. Review the Computer Discovery Methods page, and then click Next.
3. Fill in the Active Directory Credentials page with the following:
   Domain: Contoso.com
   Domain Account: Contoso\Administrator
   Password: Pa$$w0rd
   Click Next.
4. Review the Active Directory Options page, and then click Next.
5. On the Windows Networking Protocols page ensure the following:
   Workgroups and Windows domains to include in the inventory: Contoso
   Click Next.
6. On the WMI Credentials page, click New Account.
7. Fill in the Inventory Account page with the following:
   Domain name: Contoso
   Account name: Administrator
   Password: Pa$$w0rd
   Confirm password: Pa$$w0rd
   Click Save.
8. On the WMI Credentials page, click Next.
9. On the Summary page, click Finish.
10. Once the inventory is complete, on the Status page, click Close.

Task 4: Review the Windows 7 Readiness Assessment Reports
1. In the left-hand pane, expand the Discovery and Readiness node.
2. Review the Readiness Assessment Reports and assess whether or not any systems require hardware upgrades or replacement before installing Windows 7.

Task 5: Shut down the Vista computers
1. Shut down the following systems:
   • 6294A-LON-VS1
   • 6294A-LON-VS2
2. On the host computer, in the Hyper-V Manager, right-click 6294A-LON-VS2, and then click Settings.
3. In the Settings for 6294A-LON-VS2 dialog box, click Memory.
4. In the RAM field, type 768.
5. In the Settings for 6294A-LON-VS2 dialog box, click OK.


Exercise 2: Configuring MDT 2010 for an LTI Deployment

Task 1: Install MDT 2010
1. On LON-CL2, browse to \\LON-DC1\Labfiles\Mod07 and press ENTER.
2. Double-click MicrosoftDeploymentToolkit2010_x86. Click Run.
3. On the Welcome to the Microsoft Deployment Toolkit 2010 (5.0.1641.0) Setup Wizard page, click Next.
4. On the End-User License Agreement page, review the license agreement, select the I Accept the terms in the License Agreement radio button, and then click Next.
5. Review the Custom Setup page, click Next.
6. Click Install.
7. On the Completing the Microsoft Deployment Toolkit 2010 (5.0.1641.0) Setup Wizard page, click Finish.
8. Close the Explorer window.

Task 2: Mount the WAIK media on LON-CL2
1. On the host computer, in the Hyper-V Manager, right-click 6294A-LON-CL2, and then click Settings.
2. In the Settings for 6294A-LON-CL2 dialog box, click DVD Drive.
3. Select the Image File: radio button and then specify the image file C:\Program Files\Microsoft Learning\6294\Drives\WAIK.iso.
4. In the Settings for 6294A-LON-CL2 dialog box, click OK.

Task 3: Install Windows AIK
1. On LON-CL2, in the Autoplay box, click Open folder to view files, right-click StartCD.exe, and click Run as administrator.
2. On the Welcome to Windows Automated Installation Kit page click Windows AIK Setup.
3. On the Welcome to the Windows Automated Installation Kit Setup Wizard page click Next.
4. On the License Terms page, select the I Agree radio button, and then click Next.
5. On the Select Installation Folder page, review the defaults and then click Next.
6. On the Confirm Installation page, click Next.
7. On the Installation Complete page click Close.
8. Close the Welcome to Windows Automated Installation Kit page.
9. Close the Explorer window.


Exercise 3: Configuring WDS for a PXE and Multicast Deployment

Task 1: Install WDS on LON-DC1
1. Log on to the LON-DC1 virtual machine as Contoso\Administrator with a password of Pa$$w0rd.
2. In the task bar, click the Server Manager button.
3. In the left-hand pane, click Roles, and then under Roles Summary, click Add Roles.
4. In the Add Roles Wizard, on the Before You Begin page, click Next.
5. On the Select Server Roles page, select the checkbox for Windows Deployment Services and then click Next.
6. On the Overview of Windows Deployment Services page click Next.
7. On the Select Role Services page click Next.
8. On the Confirm Installation Selections page click Install.
9. On the Installation Results page click Close.
10. Close the Server Manager.

Task 2: Configure WDS on LON-DC1
1. Click Start, point to Administrative Tools, and then click Windows Deployment Services.
2. Expand Servers, right-click LON-DC1.Contoso.com and then click Configure Server.
3. In the Windows Deployment Services Configuration Wizard, on the Before You Begin page, click Next.
4. On the Remote Installation Folder Location page, type E:\RemoteInstall, and then click Next.
5. On the DHCP Option 60 page, select both the Do not listen on port 67 and Configure DHCP option 60 to ‘PXE Client’ checkboxes, and then click Next.
6. On the PXE Server Initial Settings page, select the Respond to all client computers (known and unknown) radio button, and then click Next.
7. On the Operation Complete page, clear the Add images to the server now check box, and then click Finish.
8. Close the Windows Deployment Services MMC.

Task 3: Create a share on LON-DC1
1. Click Start, click Computer, and then double-click Allfiles (E:).
2. Right-click in the Explorer window, point to New, and then click Folder.
3. Type DeploymentShare, and then press ENTER.
4. Right-click E:\DeploymentShare, point to Share with, and then click Specific People.
5. In the File Sharing dialog box, select Everyone from the dropdown, and then click Add.
6. Set the Everyone Permission Level to Read/Write.
7. In the File Sharing dialog box, click Share.
8. In the File Sharing dialog box, click Done.
9. Close Explorer.
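
Task 3 grants Everyone Read/Write on the folder that will hold boot images, task sequences and application sources, which is convenient in a lab but means any account on the network can change what is deployed. The PowerShell below is an added example, not part of the courseware, that reports such broad write access on the folder so it can be tightened outside the lab; the function name is chosen for this example, and it inspects the NTFS ACL only, not the share-level permissions.

```powershell
# Added example, not part of the courseware. Run on LON-DC1.
# Reports Allow entries on the deployment share folder that give broad groups
# write-level access. Checks the NTFS ACL only, not share-level permissions.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Rights that allow content to be added, changed, removed or re-permissioned.
$writeRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Generic rights can appear unmapped in an ACE: GENERIC_WRITE and GENERIC_ALL.
$writeMask = [int]$writeRights -bor 0x40000000 -bor 0x10000000

function Get-BroadWriteAccess {
    param([string]$Path)

    $acl     = Get-Acl -Path $Path
    $sidType = [System.Security.Principal.SecurityIdentifier]

    # Ask for SIDs rather than names so the check does not depend on localization.
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($rule.AccessControlType -ne 'Allow') { continue }

        $sid  = $rule.IdentityReference.Value
        $name = $null
        if ($broadSids.ContainsKey($sid)) {
            $name = $broadSids[$sid]
        } elseif ($sid -match '^S-1-5-21-.+-513$') {
            $name = 'Domain Users'          # RID 513 in any domain
        }
        if (-not $name) { continue }

        if (([int]$rule.FileSystemRights -band $writeMask) -eq 0) { continue }

        New-Object PSObject -Property @{
            Identity  = $name
            Rights    = "$($rule.FileSystemRights)"
            Inherited = $rule.IsInherited
            AppliesTo = "$($rule.InheritanceFlags)"
        } | Select-Object Identity, Rights, Inherited, AppliesTo
    }
}

# Folder created in Task 3.
$sharePath = 'E:\DeploymentShare'
$findings  = @(Get-BroadWriteAccess -Path $sharePath)

if ($findings.Count -eq 0) {
    "No broad write access found on $sharePath."
} else {
    $findings | Format-Table -AutoSize
    Write-Warning "$sharePath is writable by broad groups. Outside the lab, limit write access to the accounts that maintain the share and give deployment accounts read access only."
}
```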


Exercise 4: Configuring an MDT 2010 Deployment Share

Task 1: Create a deployment share in Deployment Workbench on LON-CL2
1. On LON-CL2, click Start, point to All Programs, click Microsoft Deployment Toolkit, and then click Deployment Workbench.
2. In the Deployment Workbench console tree, select Deployment Workbench/Deployment Shares.
3. In the console tree, right-click Deployment Shares, and then click New Deployment Share.
4. In the New Deployment Share Wizard, on the Path page, type \\LON-DC1\DeploymentShare and then click Next.
5. In the New Deployment Share Wizard, on the Descriptive Name page, click Next.
6. In the New Deployment Share Wizard, on the Allow Image Capture page, click Next.
7. In the New Deployment Share Wizard, on the Allow Admin Password page, click Next.
8. In the New Deployment Share Wizard, on the Allow Product Key page, click Next.
9. In the New Deployment Share Wizard, review the Summary page, and then click Next.
10. In the New Deployment Share Wizard, review the Confirmation page, and then click Finish.

Task 2: Configure the deployment share to use WDS on LON-DC1
1. In the Deployment Workbench, right-click the MDT Deployment Share (\\LON-DC1\DeploymentShare), and select Properties.
2. In the Local Path field, type E:\DeploymentShare, check the Enable multicast for this deployment share (requires Windows Server 2008 Windows Deployment Services) checkbox, and then click OK.

Task 3: Configure WDS on LON-DC1
1. On LON-DC1, click Start and in the Search programs and files box, type cmd, and then press ENTER.
2. In the Command Prompt, type wdsutil.exe /new-namespace /friendlyname:"MDTDeploymentShare" /server:LON-DC1 /namespace:"DeploymentShare" /contentprovider:WDS /configstring:"\\LON-DC1\DeploymentShare" /namespacetype:AutoCast, and then press ENTER.
3. After the command completes successfully close the command prompt.

Task 4: Add applications to the deployment share
1. On LON-CL2, in the Deployment Workbench console tree, go to Deployment Workbench/Deployment Shares/MDT Deployment Share (\\LON-DC1\DeploymentShare)/Applications.
2. In the Actions pane, click New Application.
3. In the New Application Wizard, on the Application Type page, select the Application with source files radio button, and then click Next.
4. In the New Application Wizard, on the Details page, type Microsoft Office 2007 in the Application Name field, and then click Next.
5. In the New Application Wizard, on the Source page, type \\LON-DC1\Labfiles\Office2007 in the Source directory field, and then click Next.
6. In the New Application Wizard, on the Destination page, click Next.
7. In the New Application Wizard, on the Command Details page, in the Command line field, type Setup.exe, and then click Next.
8. In the New Application Wizard, on the Summary page, click Next.
9. In the New Application Wizard, review the Confirmation page, and then click Finish.


Task 5: Customize the Office 2007 application
1. In the Deployment Workbench console tree, under Deployment Workbench/Deployment Shares/MDT Deployment Share (\\LON-DC1\DeploymentShare)/Applications, right-click Microsoft Office 2007 and click Properties.
2. Click the Office Products tab.
3. In the Office 2007 product to Install: field, select ProPlus.
4. In the Config.xml settings section, select the check box and configure for each of the following:
5. Office 2007 Languages: en-us
6. Customer Name: Contoso
7. Display level: None
8. Check the Accept EULA checkbox.
9. Click Apply.
10. Click OK.

Task 6: Add operating system files to the deployment share
1. On the host computer, in the Hyper-V Manager, right-click 6294A-LON-CL2, and click Settings.
2. In the Settings for 6294A-LON-CL2 dialog box, click DVD Drive.
3. Select the Image File: radio button, specify the image file C:\Program Files\Microsoft Learning\6294\Drives\Windows7_32bit.iso.
4. In the Settings for 6294A-LON-CL2 dialog box, click OK.
5. In LON-CL2, close the Autoplay window.
6. In the Deployment Workbench console tree, go to Deployment Workbench/Deployment Shares/MDT Deployment Share (\\LON-DC1\DeploymentShare)/Operating Systems.
7. In the Actions pane, click Import Operating System.
8. In the Import Operating System Wizard, on the OS Type page, select the Full set of source files radio button, and then click Next.
9. In the Import Operating System Wizard, on the Source page, type D:\, and then click Next.
10. In the Import Operating System Wizard, on the Destination page, click Next.
11. In the Import Operating System Wizard, on the Summary page, click Next.
12. In the Import Operating System Wizard, review the Confirmation page, and then click Finish.

Task 7: Add device drivers to the deployment share
1. In the Deployment Workbench console tree, go to Deployment Workbench/Deployment Shares/MDT Deployment Share (\\LON-DC1\DeploymentShare)/Out-of-Box Drivers.
2. In the Actions pane, click Import Drivers.
3. In the Import Driver Wizard, on the Specify Directory page, type \\LON-DC1\Labfiles\Drivers, and then click Next.
4. In the Import Driver Wizard, on the Summary page, click Next.
5. In the Import Driver Wizard, review the Confirmation page, and then click Finish.
6. Repeat steps 1-5 for the following path: \\LON-DC1\Labfiles\Mod05\LabE\ipoint.

Task 8: Create a task sequence for the reference computer
1. In the Deployment Workbench console tree, go to Deployment Workbench/Deployment Shares/MDT Deployment Share (\\LON-DC1\DeploymentShare)/Task Sequences.
2. In the Actions pane, click New Task Sequence.
3. In the New Task Sequence Wizard, on the General Settings page, set the following:
   Task sequence ID: AKRON_REFERENCE
   Task sequence name: Deploy Windows 7 to LON-IMG1
   and then click Next.
4. In the New Task Sequence Wizard, on the Select Template page, specify the Standard Client Task Sequence, and then click Next.
5. In the New Task Sequence Wizard, on the Select OS page, specify the Windows 7 Enterprise in Windows 7 x86 install.wim, and then click Next.
6. In the New Task Sequence Wizard, on the Specify Product Key page, click Next.
7. In the New Task Sequence Wizard, on the OS Settings page configure the following:
   Full Name: Admin
   Organization: Contoso LTD.
   and then click Next.
8. In the New Task Sequence Wizard, on the Admin Password page, select the Do not specify an Administrator password at this time radio button, and then click Next.
9. In the New Task Sequence Wizard, on the Summary page, click Next.
10. In the New Task Sequence Wizard, on the Confirmation page, click Finish.

Task 9: Update the deployment share
1. In the Deployment Workbench console tree, go to Deployment Workbench/Deployment Shares/MDT Deployment Share (\\LON-DC1\DeploymentShare).
2. In the Actions pane, click Update Deployment Share.
3. In the Update Deployment Share Wizard, review the Options page, and then click Next.
4. In the Update Deployment Share Wizard, on the Summary page, click Next.
5. In the Update Deployment Share Wizard, on the Confirmation page, click Finish.


Exercise 5: Creating the Reference Computer

Task 1: Configure the PXE boot settings on LON-DC1

1. On LON-DC1, click Start, point to Administrative Tools, and then click Windows Deployment Services.
2. Expand Servers, and then expand LON-DC1.Contoso.com.
3. In the console tree, right-click Boot Images, and then click Add Boot Image.
4. In the Add Image Wizard, on the Image File page, browse to E:\DeploymentShare\Boot\LiteTouchPE_x86.wim, and then click Open.
5. In the Add Image Wizard, on the Image File page, click Next.
6. In the Add Image Wizard, on the Image Metadata page, click Next.
7. In the Add Image Wizard, on the Summary page, click Next.
8. In the Add Image Wizard, on the Task Progress page, click Finish.
9. Right-click LON-DC1.Contoso.com, and select Properties.
10. Select the Boot tab, and then select both Always continue the PXE boot radio buttons.
11. Click OK.

Task 2: Deploy the reference computer

1. On the host computer, in the Hyper-V Manager, right-click 6294A-LON-IMG1, and then select Connect.
2. In the 6294A-LON-IMG1 - Virtual Machine Connection window, click the Start button.
3. In the Welcome Windows Deployment page, click Run the Deployment Wizard to install a new Operating System.
4. On the User Credentials page specify the following:
   Username: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
   Click OK.
5. On the Windows Deployment Wizard, Select a task sequence to execute on this computer page, select Deploy Windows 7 to LON-IMG1, and then click Next.
6. On the Windows Deployment Wizard, Configure the computer name page, type LON-IMG1, and then click Next.
7. On the Windows Deployment Wizard, Join the computer to a domain or workgroup page, click Next.
8. On the Windows Deployment Wizard, Specify whether to restore user data page, click Next.
9. On the Windows Deployment Wizard, Language and other preferences page, click Next.
10. On the Windows Deployment Wizard, Set the Time Zone page, click Next.
11. On the Windows Deployment Wizard, Select one or more applications to install page, check Microsoft Office 2007, and then click Next.
12. On the Windows Deployment Wizard, Specify whether to capture an image page, click Capture an image of this reference computer, and then click Next.
13. On the Windows Deployment Wizard, Ready to begin page, click Begin.

Note: The installation and WIM file creation can take up to two hours. For this lab, a license key will not be provided when installing Microsoft Office 2007. Because of this you will be prompted to perform the Microsoft Office installation manually. To view the Microsoft Office installation window, you may need to move the Installation Progress dialog box.


14. Review the Deployment Summary page for any errors, and then click Finish.
15. Turn off LON-IMG1.


Exercise 6: Preparing the Deployment Task Sequences

Task 1: Add the custom image to the Deployment Workbench

1. On LON-CL2, in the Deployment Workbench console tree, go to Deployment Workbench/Deployment Shares/MDT Deployment Share (\\LON-DC1\DeploymentShare)/Operating Systems.
2. In the Actions pane, click Import Operating System.
3. In the Import Operating System Wizard, on the OS Type page, select the Custom image file radio button, and then click Next.
4. In the Import Operating System Wizard, on the Image page, type \\LON-DC1\DeploymentShare\Captures\AKRON_REFERENCE.wim, and then click Next.
5. In the Import Operating System Wizard, on the Setup page, click Next.
6. In the Import Operating System Wizard, on the Destination page, click Next.
7. In the Import Operating System Wizard, on the Summary page, click Next.
8. In the Import Operating System Wizard, review the Confirmation page, and then click Finish.

Task 2: Create a task sequence to capture user state

1. In the Deployment Workbench console tree, go to Deployment Workbench/Deployment Shares/MDT Deployment Share (\\LON-DC1\DeploymentShare)/Task Sequences.
2. In the Actions pane, click New Task Sequence.
3. In the New Task Sequence Wizard, on the General Settings page, set the following:
   Task sequence ID: AKRON_USMT
   Task sequence name: Akron USMT Capture
   and then click Next.
4. In the New Task Sequence Wizard, on the Select Template page, specify the Standard Client Replace Task Sequence, and then click Next.
5. In the New Task Sequence Wizard, on the Summary page, click Next.
6. In the New Task Sequence Wizard, on the Confirmation page, click Finish.
7. Right-click Akron USMT Capture, and select Properties.
8. Select the Task Sequence tab, and select the Wipe Disk task.
9. Select the Options tab.
10. Check the Disable this Step check box.
11. Click OK.
    Note: The Wipe Disk task is disabled in order to save time in the lab environment.
12. Right-click MDT Deployment Share (\\LON-DC1\DeploymentShare) and select Properties.
13. On the Rules tab, modify the CustomSettings.ini file as follows:

    [Settings]
    Priority=Default
    Properties=MyCustomProperty

    [Default]
    OSInstall=Y
    UserDataLocation=NETWORK
    SkipAppsOnUpgrade=NO
    SkipCapture=NO
    SkipAdminPassword=YES
    SkipProductKey=YES

14. On the MDT Deployment Share (\\LON-DC1\DeploymentShare) Properties window, click OK.

Task 3: Create a standard client task sequence to install the new operating system

1. In the Deployment Workbench console tree, go to Deployment Workbench/Deployment Shares/MDT Deployment Share (\\LON-DC1\DeploymentShare)/Task Sequences.
2. In the Actions pane, click New Task Sequence.
3. In the New Task Sequence Wizard, on the General Settings page, set the following:
   Task sequence ID: AKRON_DEPLOY
   Task sequence name: Deploy Windows 7 to Akron
   and then click Next.
4. In the New Task Sequence Wizard, on the Select Template page, specify the Standard Client Task Sequence, and then click Next.
5. In the New Task Sequence Wizard, on the Select OS page, specify the AKRON_REFERENCEDDRIVE in AKRON_REFERENCE AKRON_REFERENCE.wim, and then click Next.
6. In the New Task Sequence Wizard, on the Specify Product Key page, click Next.
7. In the New Task Sequence Wizard, on the OS Settings page set the following:
   Full Name: Admin
   Organization: Contoso LTD.
   and then click Next.
8. In the New Task Sequence Wizard, on the Admin Password page, specify Pa$$w0rd as the Administrator Password and Please confirm Administrator Password, and then click Next.
9. In the New Task Sequence Wizard, on the Summary page, click Next.
10. In the New Task Sequence Wizard, on the Confirmation page, click Finish.

Task 4: Update the deployment share

1. In the Deployment Workbench console tree, go to Deployment Workbench/Deployment Shares/MDT Deployment Share (\\LON-DC1\DeploymentShare).
2. In the Actions pane, click Update Deployment Share.
3. In the Update Deployment Share Wizard, review the Options page, and then click Next.
4. In the Update Deployment Share Wizard, on the Summary page, click Next.
5. In the Update Deployment Share Wizard, on the Confirmation page, click Finish.
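The CustomSettings.ini rules entered in Exercise 6, Task 2, step 13 decide which Windows Deployment Wizard pages are never shown to the technician. The following Python script is an added example, not part of the Microsoft lab: it resolves the rules in Priority order and reports the suppressed pages and any credential properties stored in the file. The function names and the set of credential properties checked are this example's own choices, and it assumes Priority entries are literal section names.

```python
import configparser

# The rules from Exercise 6, Task 2, step 13, embedded so the example runs offline.
LAB_RULES = """\
[Settings]
Priority=Default
Properties=MyCustomProperty
[Default]
OSInstall=Y
UserDataLocation=NETWORK
SkipAppsOnUpgrade=NO
SkipCapture=NO
SkipAdminPassword=YES
SkipProductKey=YES
"""

# MDT properties that carry credentials when written into a rules file.
CREDENTIAL_PROPS = {"adminpassword", "userid", "userpassword", "userdomain",
                    "domainadmin", "domainadminpassword", "domainadmindomain"}

def effective_rules(text):
    """Resolve properties across the sections listed in Priority; first value wins.
    Assumption: Priority entries are literal section names (no property lookups)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   default_section="__unused__")
    cp.read_string(text)
    by_name = {s.lower(): s for s in cp.sections()}  # match section names case-insensitively
    priority = cp.get(by_name.get("settings", "Settings"), "Priority", fallback="")
    resolved = {}
    for name in (p.strip().lower() for p in priority.split(",")):
        if name not in by_name:
            continue  # section named in Priority but absent from the file
        for key, value in cp.items(by_name[name]):
            resolved.setdefault(key, value.strip())  # configparser lower-cases keys
    return resolved

def audit_rules(text):
    """Report which wizard pages are suppressed and which credentials sit in the rules."""
    rules = effective_rules(text)
    skipped = sorted(k for k, v in rules.items()
                     if k.startswith("skip") and v.upper() == "YES")
    creds = sorted(k for k in rules if k in CREDENTIAL_PROPS)
    notes = []
    if "skipadminpassword" in skipped and "adminpassword" not in rules:
        notes.append("local Administrator password is taken from the task sequence")
    if creds:
        notes.append("credentials are written in clear text in the rules file")
    return {"skipped": skipped, "credentials": creds, "notes": notes}

if __name__ == "__main__":
    for field, value in audit_rules(LAB_RULES).items():
        print(field, "->", value)
```

For the lab's rules the report shows that the Admin Password and Product Key pages are suppressed, so every computer deployed with AKRON_DEPLOY receives the Administrator password typed into the task sequence in Task 3, step 8.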


Exercise 7: Performing an Upgrade on Target Computers

Task 1: Capture user state on the Vista systems

1. Start and log on to the LON-VS1 and LON-VS2 virtual machines as Contoso\Administrator with a password of Pa$$w0rd.
2. On each system, click Start and then type \\LON-DC1\DeploymentShare\Scripts\LiteTouch.wsf, and press ENTER.
3. On the Windows Deployment Wizard, Select a task sequence to execute on this computer page, select Akron USMT Capture, and then click Next.
4. On the Windows Deployment Wizard, Specify where to save your data and settings page, type \\LON-DC1\Data\VS1 (“\\LON-DC1\Data\VS2” for LON-VS2), and then click Next.
5. On the Windows Deployment Wizard, Specify where to save a complete computer backup page, select Do not back up the existing computer and then click Next.
   Note: While the scenario calls for a backup, you are not creating a backup as a time saving step.
6. On the Specify credentials for connecting to network shares page, specify the following:
   Username: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
   Click Next.
   Note: If you receive an 800704C3 error, use the IP Address 10.10.0.10 instead of Contoso for the Domain name.
7. On the Windows Deployment Wizard, Ready to begin page, click Begin.
   Note: If you receive an error message indicating that a connection cannot be made to the deployment share, you will need to start over with step 2 above. Instead of using the \\LON-DC1\DeploymentShare\Scripts\LiteTouch.wsf path, use \\10.10.0.10\DeploymentShare\Scripts\LiteTouch.wsf. If you do this, you will need to click Open to run the remote script. You will also receive error messages indicating that you have multiple connections to a server using the same user name. The installation should complete successfully.
8. Review the Deployment Summary page for any errors, and then click Finish and turn off the system.

Task 2: Deploy the Akron systems

To take advantage of multicast do not begin any deployment until all the systems are at the Ready to begin page.

1. On the host computer, in the Hyper-V Manager, right-click 6294A-LON-VS1, and click Settings.
2. Click BIOS.
3. Select the Legacy Network Adapter, use the arrow buttons to move it to the top of the list, and then click OK.
4. On the host computer, in the Hyper-V Manager, right-click 6294A-LON-VS1, select Connect.
5. In the 6294A-LON-VS1 - Virtual Machine Connection window, click the Start button.
6. Repeat steps 1 through 5 for 6294A-LON-VS2.


7. In the Welcome Windows Deployment page, click Run the Deployment Wizard to install a new Operating System.
8. On the User Credentials page specify the following:
   Username: Administrator
   Password: Pa$$w0rd
   Domain: Contoso
   Click OK.
9. On the Windows Deployment Wizard, Select a task sequence to execute on this computer page, select Deploy Windows 7 to Akron, and then click Next.
10. On the Windows Deployment Wizard, Configure the computer name page, type LON-VS1a, and then click Next.
    Note: To re-use the computer name reset or delete the existing computer object in Active Directory.
11. On the Windows Deployment Wizard, Join the computer to a domain or workgroup page, select the Join a domain radio button. In the Domain: field type Contoso, and then click Next.
12. On the Windows Deployment Wizard, Specify whether to restore user data page, select the Specify a location radio button and type \\LON-DC1\Data\VS1 and then click Next.
13. On the Windows Deployment Wizard, Language and other preferences page, click Next.
14. On the Windows Deployment Wizard, Set the Time Zone page, click Next.
15. On the Windows Deployment Wizard, Select one or more applications to install page, click Next.
16. On the Windows Deployment Wizard, Specify the BitLocker configuration page, click Next.
17. On the Windows Deployment Wizard, Ready to begin page, click Begin.
18. Repeat steps 7 through 17 on 6294A-LON-VS2 replacing the references to VS1 in steps 10 and 12 with VS2.
    Note: To monitor the multicast environment, on LON-DC1 open the Windows Deployment Services Console. Expand LON-DC1.Contoso.com, expand Multicast transmissions and select MDTDeploymentShare. You may have to refresh the node to view the multicast entries.

Perform the following steps while the image is deploying to the systems:

19. On LON-DC1, click Start, point to Administrative Tools, and click Windows Deployment Services.
20. Right-click LON-DC1.Contoso.Com, and select Properties.
21. Select the Boot tab, and then select both Require the user to press the F12 key to continue the PXE boot radio buttons.
22. Click OK.
    Note: Failing to complete this step will cause the deployed systems to re-enter the PXE environment on reboot.

After the image has completed deploying:

23. Review the Deployment Summary page for any errors and then click Finish.

Task 3: Virtual machine shutdown

When you finish the lab, revert each virtual machine back to its initial state. To do this, complete the following steps:


1. On the host computer, start Hyper-V Manager.
2. Right-click each virtual machine name in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.

