71-686 Study notes

SmootCIS

Here are my notes I am coming up with as I study for the 71-686. If anyone wants to look them over for a quick guide, or add something that is not covered feel free to do so. I will be adding each section as I finish them. I know it is not all inclusive as in how but covers a basic understanding of terms and such.

SmootCIS

1. Plan and manage client licensing and activation.

Windows 7 system requirements:
1 gigahertz (GHz) or faster 32-bit (x86) or 64-bit (x64) processor
1 gigabyte (GB) RAM (32-bit) or 2 GB RAM (64-bit)
16 GB available hard disk space (32-bit) or 20 GB (64-bit)
DirectX 9 graphics device with WDDM 1.0 or higher driver

To use all features available in Windows 7:
Depending on resolution, video playback may require additional memory and advanced graphics hardware
For some Windows Media Center functionality a TV tuner and additional hardware may be required
Windows Touch and Tablet PCs require specific hardware
HomeGroup requires a network and PCs running Windows 7
BitLocker requires Trusted Platform Module (TPM) 1.2
BitLocker To Go requires a USB flash drive
Windows XP Mode requires an additional 1 GB of RAM, an additional 15 GB of available hard disk space, and a processor capable of hardware virtualization with Intel VT or AMD-V turned on

Choosing the correct SKU for your deployment.

SKU (Stock Keeping Unit) is a unique identifier for each distinct Windows 7 version that can be purchased.

Windows 7 Starter
Made with the Netbook market in mind, It has very basic features. It is not available for retail. Starter edition will be found pre-installed from the OEM on select machines.

• 32-bit only support: - does not have a 64 bit version.
• HomeGroup join only: - In Windows 7 Starter you can’t create or manage home groups, you can only join them.
• Windows Internet Explorer 8: - Microsoft’s standard web browser
• Windows Media Player 12: - Microsoft’s standard music/video player
Does not have Aero Effects, DVD Playback, Personalization features and more. It is for basic web browsing and email.


Windows 7 Home Premium

• 32-bit and 64-bit compatibility: - You can choose to install Home Premium in a 32-bit or 64-bit edition.
• Internet Explorer 8: - Microsoft’s web browser
• Full Windows Aero features: - Features such as

o Aero Peek: Allows you a preview of a window in a thumbnail without actually opening them by simply hovering over the icon in the taskbar.
o Aero Shake: If you have lots of windows open on your desktop and you only want to look at one, click and hold its window and shake it! All the other windows will minimize, simply shake the window again and all the other windows will restore.
o Aero Snap: click and drag a window up to the top of the screen it will automatically maximize itself. If you have two windows open, and want to view them side by side. Click and drag one to the right edge of the screen and the other to the left. They will both resize automatically to fit the screen
o Aero Flip: This Aero effect was in Windows Vista but not in XP. Activate it by pressing the windows key and tab at the same time. It will give you a 3D effect that will allow you to “Flip” between the different windows


• Windows Mobility Center: - This center is used for managing screen brightness, audio, presentations , battery and more on mobile devices like laptops
• Create and Join Home group: - The Windows 7 Home group really improves networking and allows you to easily share files and printers between computers.
• Multi-touch: - Windows 7 supports multi-touch for all you users with touch screen computers.
• Premium Games: Some Familiar to XP and Vista already, some new.
• Windows Media Center: - The Windows Media Center manages all of your music, video and pictures. It allows you to watch and record Live TV as well as other features

Windows 7 Professional

Windows 7 Professional has all the features that Home Premium and added features geared toward business, and professional use.
• Windows Server Domain support: – Makes it easier to connect to Microsoft server domain environments, instead of home group environments
• Remote Desktop Server Support: – Remote desktop allows you to connect and access all files and programs on another computer
• Location aware printing: – If you are using printers at home and at work, you don’t have to change which printer you’re using. Windows 7 will automatically change the printer depending on your location.
• Encrypting the file system: – This allows you to encrypt files on your PC which can only be accessed with the correct key/password
• Presentation mode: – If you are giving presentations, activating presentation mode will change your background for you and disable your screen saver for you
• XP Mode: – XP Mode supplies the user with a copy of XP and runs it in a virtual box, so you can run Windows 7 and XP at the same time

Windows Enterprise
• includes all end users features available in Windows 7 Professional, in addition to DVD playback Codec and Windows Media Center.

Windows 7 Ultimate

Windows 7 Ultimate is the complete package of everything Microsoft offers in Windows 7.
• AppLocker: – This allows Administrators to specify which applications can run on the machine.
• BitLocker Drive Encryption: – This allows you to easily encrypt hard drives and USB devices. Also found in Vista Ultimate.
• DirectAccess: – an easier method of accessing file and internal company websites from home
• BranchCache Distributed Cache: –Allows information to load faster on the network while using DirectAccess
• Multilingual User Interface Pack: – Allows the installation of multilingual profiles changing the default langue for multiple users and the same machine.
• Virtual Hard Disk Booting: – Allows you to boot your computer with an OS installed on a virtual hard disk

Windows 7 Activation

KMS (Key Management Service) Vs. MAK (Multiple Key Management)

Key Management Service: (Enterprise Environment)
Centralizes the Activation process in a enterprise environment, by running a Key Management Server which does all the communicating with Microsoft about Windows 7 keys. To run this service you are required to have one of the following Windows Operating Systems: Windows 2008 R2 or higher server edition, Windows Microsoft 7 on a machine within your network, a minimum of 25 clients running Windows 7, and DDNS (Dynamic Domain Name System) running within the domain. KMS must be repeated every 180 days.

Multiple Activation Key(Home or Small Business Environment)

MAK is used for one-time activation with Microsoft’s hosted activation services. There are two ways to activate computers using MAK. The first method is MAK Independent activation, which requires that each computer independently connect and be activated with Microsoft either over the Internet or by telephone. The second method is MAK Proxy activation. With this method, a computer acting as a MAK proxy gathers activation information from multiple computers on the network, and then sends a centralized activation request on their behalf. MAK Proxy activation is configured using the Volume Activation Management Tool (VAMT).

Windows 7 licensing auditing

WMI (Windows Management Instrumentation)
WMI allows Administrators to write WMI scripts or applications to automate administrative tasks on remote computers within the network. Data gathered during activation is accessible by using WMI console.

SMS (Systems Management Server)sp3, Microsoft System Center Configuration Manager 2007
Using either SMS 2003 sp3 or, Microsoft System Center Configuration Manager 2007 administrators can monitor the license conditions of their network’s clients.

KMS Management Pack
Can be downloaded from the Microsoft website, and used to monitor the KMS service. Logs from the KMS service can be manually viewed using the management pack.

VAMT (Volume Activation Management Tool)
VAMT monitors the KMS and MAK activations over the network. Can give a MAK activation count for clients on network, as well as tell you condition of the license of all clients using volume activation.

mrmcmint

Thanks for sharing this! much appreciated!

SmootCIS

2. Plan and manage software updates.

Application Updates and Operating System updates

Automatic update (Home or Small Business)
Can be used to schedule updates on a local system automatically or manually.
Choose one of the 4 download methods
• Install Updates Automatically(Recommended setting)
• Download Updates but let me choose whether to install them
• Check for Update but let me choose whether to download and install them
• Never Check for Updates(Not Recommended) This setting will be used if you choose to centralize the update process
You can also set up how you receive recommended updates, who can update, and to receive featured updates from this option.

WSUS(Microsoft Windows Server Update Services)(Enterprise)
Allows administrators to deploy the latest updates to clients running the Windows operating system. By using WSUS, administrators can fully manage the distribution of updates that are released through Microsoft Update to computers in their network.
• Requires Application Server and Web Server (IIS) to be running on system.
• Make sure port 80 for HTTP protocol and port 443 for HTTPS protocol are open on your firewall.

Administrators can set up Updates for Windows 7, and Software by using either the WSUS Configuration Wizard or the WSUS Administration Console.

Save and download information about your upstream server and proxy server.
Choose the language of the updates.
Select the products for which you want to receive updates.
Choose the classifications of updates.
Specify the synchronization schedule for this server.

Using the Windows Server Update Services Configuration Wizard

To save and download your upstream server and proxy information
1. On the Connect to Upstream Server page of the configuration wizard, click the Start Connecting button. This both saves and uploads your settings and collects information about available updates.
2. While the connection is being made, the Stop Connecting button will be available. If there are problems with the connection, click Stop Connecting, fix the problems, and restart the connection.
3. After the download has completed successfully, click Next.

To choose update languages
1. The Choose Languages page lets you receive updates from all languages or from a subset of languages. Selecting a subset of languages will save disk space, but it is important to choose all of the languages that will be needed by all the clients of this WSUS server.
If you choose to get updates only for specific languages, select Download updates only in these languages, and select the languages for which you want updates.
2. Click Next.

To choose update products
1. The Choose Products page lets you specify the products for which you want updates. Select product categories, such as Windows, or specific products, such as Windows Server 2008. Selecting a product category will cause all the products in that category to be selected.
2. Click Next.

To choose update classifications
1. The Choose Classifications page allows you to specify the update classifications you want to obtain. Choose all the classifications or a subset of them.
2. Click Next

To configure the synchronization schedule
1. On the Set Sync Schedule page, you choose whether to perform synchronization manually or automatically.
If you choose Synchronize manually, you must start the synchronization process from the WSUS Administration Console.
If you choose Synchronize automatically, the WSUS server will synchronize at set intervals. Set the time of the First synchronization and specify the number of Synchronizations per day that you want this server to perform. For example, if you specify that there should be four synchronizations per day, starting at 3:00 A.M., synchronizations will occur at 3:00 A.M., 9:00 A.M., 3:00 P.M., and 9:00 P.M.
2. Click Next.
3. On the Finished page, you can start the WSUS Administration Console by leaving the Launch the Windows Server Update Services Administrations snap-in check box selected, and you can start the first synchronization by leaving the Begin initial synchronization check box selected.
4. Click Finish.

Using the WSUS Administration Console

To choose products and update classifications
1. In the Options panel, click Products and Classifications. A dialog box appears with Products and Classifications tabs.
2. In the Products tab, select the product category or specific products for which you want this server to receive updates, or else select All Products.
3. In the Classifications tab, select the update classifications you want, or else select All Classifications.
4. Click OK to save your selections.

To choose update files and languages
1. In the Options panel, click Update Files and Languages. A dialog box appears with Update Files and Update Languages tabs.
2. In the Update Files tab, choose whether to Store update files locally on this server or to have all client computers install from Microsoft Update. If you decide to store update files on this server, you also decide whether to download only those updates that are approved or to download express installation files.
3. In the Update Languages tab, if you are storing update files locally, you choose to Download updates for all languages (the default), or to Download updates only in the specified languages. If this WSUS server has downstream servers, they will receive updates only in the languages specified by the upstream server.
4. Click OK to save these settings.

To synchronize the WSUS server
1. In the Options panel, click Synchronization Schedule.
2. In the Synchronization Schedule tab, you choose whether to perform synchronization manually or automatically.
If you choose Synchronize manually, you will have to start the synchronization process from the WSUS Administration Console.
If you choose Synchronize automatically, the WSUS server will synchronize at set intervals. Set the time of the First synchronization and specify the number of Synchronizations per day that you want this server to perform. For example, if you specify that there should be four synchronizations per day, starting at 3:00 A.M., synchronizations will occur at 3:00 A.M., 9:00 A.M., 3:00 P.M., and 9:00 P.M.
3. Click OK to save your selections.
4. In the navigation pane of the WSUS Administration Console, select Synchronizations.
5. Right-click or move to the Actions pane on the right side, and then click Synchronize Now.
If you do not see the Actions pane on the right side of the console, on the console toolbar click View, click Customize, and ensure that the Action pane check box is selected.
6. After the synchronization is complete, in the left panel, click Updates to view the list of updates.

To set up the client to receive the updates or service packs in an environment that uses Active Directory, you can use an existing domain–based Group Policy object (GPO) or create a new GPO. In an environment without Active Directory, use the Local GPO. You will need to configure Automatic Updates and then point the client computers to the WSUS server.

To approve and deploy an update

1. On the WSUS Administration Console, click Updates. An update status summary is displayed for All Updates, Critical Updates, Security Updates, and WSUS Updates.
2. In the All Updates section, click Updates needed by computers.
3. On the list of updates, select the updates that you want to approve for installation on your test computer group. Information about a selected update is available in the bottom pane of the Updates panel. To select multiple contiguous updates, hold down the SHIFT key while clicking updates; to select multiple noncontiguous updates, press down the CTRL key while clicking updates.
4. Right-click the selection and click Approve.
5. In the Approve Updates dialog box, select your test group, and then click the down arrow.
6. Click Approved for Install and then click OK.
7. The Approval Progress window appears which shows progress of the tasks that affect update approval. When approval is completed, click Close.

After 24 hours, you can use the WSUS Reports feature to determine whether the updates were deployed to the test group computers.
To check the status of an update

1. In the navigation pane of the WSUS Administration Console, click Reports.
2. On the Reports page, click the Update Status Summary report. The Updates Report window appears.
3. If you want to filter the list of updates, select the criteria that you want to use, for example, Include updates in these classifications, and then click Run Report on the window's toolbar.
4. You will see the Updates Report pane. You can check the status of individual updates by selecting the update in the left section of the pane. The last section of the report pane shows the status summary of the update.
5. You can save or print this report by clicking the applicable icon on the toolbar.
6. After you test the updates, you can approve the updates for installation on the applicable computer groups in your organization.

SmootCIS

Plan and manage a physical hardware and virtualization strategy

Tradeoffs of Physical vs. VDI environment

VDI (Virtual Desktop Infrastructure) is a Domain network designed to give system administrators and end-users the best of both worlds: the ability to host and centrally manage desktop virtual machines in the data center while giving end users a full PC desktop experience

Microsoft VDI solution comprises of following Technologies

• Windows Server 2008 with Hyper-V – Used to enable administrators to virtualize their desktop infrastructure.
• System Center Virtual Machine Manager 2008 – Used for deployment, provisioning, and management of virtualized desktops.
• Windows Server 2008 Terminal Services - virtualizes the presentation of entire desktops or specific applications in a virtualized desktop.
• Microsoft Application Virtualization (App-V) - is part of the Microsoft Desktop Optimization Pack and delivers desktop applications that are never installed, and are dynamically delivered on demand.
• Windows Vista Enterprise Centralized Desktop - is a unique licensing option of Windows 7 for VDI


Advantages of VDI
• Reduced cost in purchasing desktop computers, as thin clients often last two to three times longer than a desktop computer
• Centralized Client OS Management
• Reduction in electricity costs, as thin client computers use only a fraction of amount of energy that is used by a desktop computer.
• Improved Data Security
• Secure Remote Access, as most connection brokers offer an SSL VPN Component and Web Portal
• Fewer Application Compatibility Problems than with Terminal Server and Citrix, as users have their own, single user OS.
• Instant provisioning of new desktops
• Near-zero downtime in the event of hardware failures
• Significant reduction in the cost of new application deployment
• Robust desktop image management capabilities
• Normal 2-3 year PC refresh cycle extended to 5–6 years or more
• Existing desktop-like performance including multiple monitors, bi-directional audio/video, streaming video, USB support etc.
• Ability to access the users' enterprise desktop environment from any PC, (including the employee's home PC)
• Desktop computing power on demand
• Multiple desktops on demand
• Self provisioning of desktops (controlled by policies)
• Zero downtime in the event of client failure

Disadvantages of VDI
• Many items that are problematic in Terminal Server and Citrix environments exist in VDI
1. Printing often requires a 3rd party add-on
2. PDA Sync not supported
3. Scanning is not natively supported
4. Bi-Directional Audio is not natively supported
5. Display protocols not suitable for Graphics Design
6. Requires low-latency connection between the client and virtual infrastructure
• Requires Enterprise Class Server Hardware and Storage Area Network
• For VMs permanently assigned to specific users, these machines need to be patched just like a physical client computer.

Requirements for Windows 7 VDI Server (To run Windows Server 2008 with Hyper-V service) Remember the MS7 Hard disk requirement of 16 GB available hard disk space (32-bit) or 20 GB (64-bit) for the client

• 1 host for VDI Core
• At least one 2.0GHz x86 CPU
• At least 4GB RAM
• At least 32GB disk space


VHD: (Virtual Hard Disk) is a file formatted to be structurally identical to a physical Hard Disk Drive.(Image, Clone)

Native VHD Boot: the ability of a physical computer to mount and boot from an operating system contained within a VHD. Windows 7 supports this ability, both with and without a host operating system to be present.


To Create and Add the VHD to Boot From

1. Insert your Windows 7 installation disk into the CD/DVD drive, and restart the computer.

2. When you are at the start of the Windows 7 installation screen, press the Shift+F10keys.
/Alternate method/ Boot into the command prompt from the Start Recovery Options screen.

3. In the command prompt, type diskpart and press Enter.

Decide whether you want a Fixed disk or Expandable disk: An expandable VHD file will only be as large as the amount of data that is saved in the VHD file, but still can get as large as the maximum size.

4. In the command prompt, type in the option you choose below and press Enter

Fixed Disk 40GB being optimal size
create vdisk file=C:\Windows7ClientX.vhd maximum=40960
NOTE: You can substitute the Windows7ClientX name with any name you would like for the VHD file instead. You can also substitute the maximum size of 40960 MB for the VHD to the maximum size you want instead in MB (1GB = 1024MB).

or

Expandable VHD 40GB being optimal size
create vdisk file=C:\Windows7ClientX.vhd maximum=40960 type=expandable
NOTE: You can substitute the Windows7ClientX name with any name you would like for the VHD file instead. You can also substitute the maximum size of 40960 MB for the VHD to the maximum size you want instead in MB (1GB = 1024MB).

5. In the command prompt, type select vdisk file=C:\Windows7ClientX.vhd and press Enter

6. In the command prompt, type attach vdisk and press Enter

7. type exit and press Enter

8. Close the command prompt window and Close the System Recovery Options window (Only close do not restart or shut down)

9. Click on the Install Now Button

10. Accept the license terms and click Next

11. Choose the Custom(advanced) option and click next

12. Choose either the fixed or expandable disk you set up earlier

13. Do a Clean install of Windows 7
Restart your computer and you should have the option to boot from Windows 7 to select from at boot to start natively from the VHD file

Choosing 32 bit vs. 64 bit
• Most computers that have 4GB or more have a 64 bit compatible processor and can run a 64 bit OS
• All 64 bit OS require 64 bit device drivers in order for their hardware to work. 32 bit device drivers will not work correctly
• You CANNOT upgrade a 32 bit OS to a 64 bit OS. You must format and install the 64 bit OS fresh
• Most 32 bit software programs will run fine on a 64 bit OS but NOT the other way around

Always remember a 32 bit operating system works well when you have a small amount of memory (RAM) and 64 bit operating systems work well with large amounts of RAM.


Links

Demonstration: Windows 7 VHD Boot

or copy and paste address below to browser

www.microsoft.com/downloads/details.aspx?FamilyID=80EDE31D-3509-407B-A896-0BEEA8705589&displaylang=en

SmootCIS

Design an image creation strategy

Thin Client (lean client or slim client) A Client in a Domain Network which depends on the server for processing activities, and mainly focuses on conveying input and output between the user and the remote server.

• Lower IT administration costs
• Easier to secure
• Enhanced data security
• Lower hardware costs
• Less energy consumption.
• Easier hardware failure management
• More efficient use of computing resources.


Thick Client (fat client, rich client) Client in a Domain Network which typically provides full functionality independently of the central server.

• Fewer server requirements. A thick client server does not require as high a level of performance as a thin client server (since the thick clients themselves do much of the application processing). This results in drastically cheaper servers.
• Offline working. Thick clients have advantages in that a constant connection to the central server is often not required.
• Better multimedia performance. Thick clients have advantages in multimedia-rich applications that would be bandwidth intensive if fully served. For example, thick clients are well suited for video gaming.
• More flexibility. On some operating systems software products are designed for personal computers that have their own local resources. Running this software in a thin client environment can be difficult.
• Using existing infrastructure. As many people now have very fast local PCs, they already have the infrastructure to run thick clients at no extra cost.
• Higher server capacity. The more work that is carried out by the client, the less the server needs to do, increasing the number of users each server can support

Hybrid Client (diskless node or diskless workstation) Client without disk drives, which employs network booting to load its operating system from a server.

Advantages over Thin Client
• Distributed load: The processing load of diskless nodes is distributed. Each user gets its own processing isolated environment
• Better multimedia performance
• Peripheral: Thin client software might not support peripherals beyond the basic input and output devices

Disadvantages compared to Thin Client

• Hardware is cheaper for thin clients
• Thin Clients use less Network Bandwidth
• Thin Clients place less burden upon the server




DISM (Deployment Image Servicing and Management)
Replaces the Package Manager, PEimg, and Intlcfg tools used with previous versions of Windows.

You can use DISM to:
• Add, remove, and enumerate packages and drivers.
• Enable or disable Windows features.
• Apply changes based on the offline servicing section of an unattend.xml answer file.
• Configure international settings.
• Upgrade a Windows image to a different edition.
• Prepare a Windows PE image.
• Service all platforms (32-bit, 64-bit)
• Service a 32-bit image from a 64-bit host and service a 64-bit image from a 32-bit host.
• Make use of old Package Manager scripts.

/Warning/ the next section is based upon and educated guess of what they were looking for with “role-based or geographic-based images vs. single core image” I was not able to find any documentation to confirm my definitions. If you have a better understanding of this section I would appreciate any updates to what should be here /Warning/

Single Core image: A single core client cannot use the HAL (hardware abstraction layer) of a dual core image, making it important to remember to make your image from a single core machine for single core images.

Role-Based Image: an Image of a client shared by clients that are used in the same role as the original image. Used in sharing access to applications for groups that share similar job functions.

Geographical-Based Image: an image created of a client and shared by clients in the same geographical area as the original imaged machine, created to share, shared network configurations needed to access network resources.

/Warning/ the previous section is based upon and educated guess of what they were looking for with “role-based or geographic-based images vs. single core image” I was not able to find any documentation to confirm my definitions. If you have a better understanding of this section I would appreciate any updates to what should be here /Warning/


Links
Windows 7 Walkthrough: Deployment Image Servicing and Management

Or copy and paste following url into your browser

www.microsoft.com/downloads/details.aspx?familyid=886CD1DD-91AA-4BF4-8557-DECEDEF7FA5D&displaylang=en

Hyper-Me

I think your definition for the Single Core image is wrong. The ability to detect HAL during mini setup was builtin starting with Vista and ive seen "single core" images boot fine for multi-core machines.

I think what that section is getting at is using a single (as in, ONE) image for everything and using task sequences to customize after the fact VERSUS using multiple images that are customized for either certain roles (role-based) or for a certain office location (geographic).

SmootCIS

Hyper-Me wrote: »

I think your definition for the Single Core image is wrong. The ability to detect HAL during mini setup was builtin starting with Vista and ive seen "single core" images boot fine for multi-core machines.

I think what that section is getting at is using a single (as in, ONE) image for everything and using task sequences to customize after the fact VERSUS using multiple images that are customized for either certain roles (role-based) or for a certain office location (geographic).

Yeah I am not sure on this one, can you cite any documentation for this?

It just don't make sense to me that MS would call these single core images being they are calling them Windows PE Images through out the rest of the documentation

Yeah Multi core boxes should be fine this single core minus CPU affinity I am not sure if that will defaultly set your computer to use all your CPUs for processes and applications.

From my experience (which has been predominantly XP for a while now) trying to load multi core images on single core boxes will not happen.

If what your saying is all they are talking about though it should be pretty much common sense on the exam when a generic image or a PE image should be used over a need specific image. All documentation I have been able to come across so far for single core images, has been for CPU affinity and that is why I included that definition. Like I said though that it was an educated guess it may be completely wrong or misguided.

Revenue

Great thanks for this . Well done!

SmootCIS

Deployment Image Servicing and Management (DISM) is a command line management tool used for performance optimization, security updates for Windows 7 VHDs. DISM provides various tools to make your Windows 7 imaging experience as efficient as possible.


The base syntax for DISM is as follows


DISM.exe { /Image: < path to image > /Online } [ dism options ] { servicing command } [< servicing argument >]

1. DISM.exe ¬- Executable file for Deployment Image Servicing and Management

2. /Image: < path to image > - Specifies the full path and file name of the image whether stored locally or over the network.

3. /Online - Specifies that the action applies to the online Windows installation.
This option cannot be used with the /Image or the /WinDir options. When you use /Online the Windows directory for the online image is automatically detected.

4. [ dism options ]
• /WinDir - Specifies the path to the Windows directory.
• /SysDriveDir - Specifies the path to the system-loader file named BootMgr.
• /LogPath - Specifies the log file path.
• /LogLevel - Specifies the output level shown in the log (1-4).
• /NoRestart - Suppresses automatic reboots and reboot prompts.
• /Quiet - Suppresses all output except for error messages.
• /ScratchDir - Specifies the path to a scratch directory

5. { servicing command }[< servicing argument >]
• /Apply-Unattend - Applies an unattend file to an image
• /Remove-Driver - Removes driver packages from an offline image.
• /Add-Driver - Adds driver packages to an offline image.
• /Get-DriverInfo - Displays information about a specific driver in an offline image or a running operating system.
• /Get-Drivers - Displays information about all drivers in an offline image or a running operating system.
• /Set-LayeredDriver - Sets keyboard layered driver.
• /Set-UILang - Sets the default system UI language that is used in the mounted offline image.
• /Set-UILangFallback - Sets the fallback default language for the system UI in the mounted offline image.
• /Set-UserLocale - Sets the user locale in the mounted offline image.
• /Set-SysLocale - Sets the language for non-Unicode programs (also called system locale) and font settings in the mounted offline image.
• /Set-InputLocale - Sets the input locales and keyboard layouts to use in the mounted offline image.
• /Set-TimeZone - Sets the default time zone in the mounted offline image.
• /Set-AllIntl - Sets all international settings in the mounted offline image.
• /Set-SKUIntlDefaults - Sets all international settings to the default values for the specified SKU language in the mounted offline image.
• /Gen-LangIni - Generates a new lang.ini file.
• /Set-SetupUILang - Defines the default language that will be used by setup.
• /Get-Intl - Displays information about the international settings and languages.
• /Check-AppPatch - Displays information if the MSP patches are applicable to the mounted image.
• /Get-AppPatchInfo - Displays information about installed MSP patches.
• /Get-AppPatches - Displays information about all applied MSP patches for all installed applications.
• /Get-AppInfo - Displays information about a specific installed MSI application.
• /Get-Apps- Displays information about all installed MSI applications.
• /Add-Package - Adds packages to the image.
• /Remove-Package - Removes packages from the image.
• /Enable-Feature - Enables a specific feature in the image.
• /Disable-Feature - Disables a specific feature in the image.
• /Get-Packages - Displays information about all packages in the image.
• /Get-PackageInfo - Displays information about a specific package.
• /Get-Features - Displays information about all features in a package.
• /Get-FeatureInfo - Displays information about a specific feature.

For a list of available servicing arguments for specific servicing command type /? in place of the servicing argument after the servicing command.

The following DISM options are available for an offline image:
DISM.exe /image: < path_to_offline_image_directory > [ /WinDir: < path_to_%WINDIR% >] [ /LogPath: < path_to_log_file.log >] [ /LogLevel: <n>] [SysDriveDir: < path_to_bootMgr_file >] [ /Quiet ] [ /NoRestart ] [ /ScratchDir: < path_to_scratch_directory >]


The following DISM options are available for an online Windows image:
DISM.exe /online [ /LogPath: < path_to_log_file >] [ /LogLevel: < n >] [ /Quiet ] [ /NoRestart ] [ /ScratchDir: < path_to_scratch_directory >]

SmootCIS

Create an Optimized Windows PE Image

Optimized PE (Preinstallation Environment) Image: an image that has been modified to support the needs of a client by removing any files not needed for job functionality. This can be done in three steps.

STEP 1. Build a Base Image

1) Click Start,

2) Click All Programs,

3) Click Windows OEM Preinstallation Kit (OPK) or Windows Automated Installation Kit (AIK),

4) Right-click Windows PE Tools Command Prompt,

5) Select Run as administrator.
By default, all tools are installed at C:\Program Files\Version\Tools

6) At the command prompt, run the Copype.cmd script.
This script requires two arguments: hardware architecture and destination location. For example,

copype.cmd <architecture> <destination>
<architecture> x86 for 32 bit versions or AMD64, IA64 for 64 bit versions
<destination> is a path to the local directory.

7) Copy the base image (winpe.wim) into \Winpe_x86\ISO\sources folder and rename the file to boot.wim by typing.

copy c:\winpe_x86\winpe.wim c:\winpe_x86\ISO\sources\boot.wim

8 ) Use the DISM tool to mount the image by typing

Dism /Mount-Wim /WimFile:c:\winpe_x86\ISO\sources\boot.wim /index:1 /MountDir:c:\winpe_x86\mount

9) Add WMI support using Dism /Add-Packages

10) Use the DISM /enable-profiling option to enable profiling. You must specify both the path to the image and a location to save the profile when using the /Enable-profiling option

11) Commit the changes to the original image file by using the DISM /unmount option with the /commit option


STEP 2. Build a profile

1) Boot a computer with your custom Windows PE image.

2) From a running Windows PE session, test the scenario on how your custom image will be used. If multiple applications are used, you must run all of the desired commands for each application.

3) After running all of the desired commands for all applications, run the wpeutil saveprofile <path to profile> command. Save the profile to an external source. For example,

wpeutil saveprofile E:\Optimize_Profile.txt "Image Optimization Profile"

4) End the Windows PE session.


STEP 3. Build an optimized image

1) Mount the original test image you created in Step 1.
Dism /Mount-Wim /WimFile:C:\winpe_x86\iso\sources\boot.wim /index:1 /MountDir:C:\winpe_x86\mount

2) Use DISM to apply the profiles to the test image,
Dism /image:C:\winpe_x86\mount /Apply-Profiles:E:\Optimize_Profile.txt

3) Commit the changes using the DISM /unmount-Wim option with the /commit option.
Dism /Unmount-Wim /MountDir:C:\winpe_x86\mount /Commit

4) Optimize the image by exporting to a new image file. When you modify an image, ImageX and DISM stores additional resource files that increase the overall size of the image. Exporting the image using ImageX will remove unnecessary resource files.
imagex /export C:\winpe_x86\iso\sources\boot.wim 1 C:\winpe_x86\iso\sources\boot2.wim

5) Delete the original boot.wim and rename boot2.wim to boot.wim.

mr_zzz

thanks alot for the info!

SmootCIS

mr_zzz wrote: »

thanks alot for the info!

NP if you see any info you think needs to be added make sure to tell me this is kinda a work in progress

SmootCIS

Security Considerations


Improving Security for Answer Files
Answer files store sensitive data, including product keys, passwords, and other account information.

• Restrict access to answer files. Depending on your environment, you can edit the access control lists (ACLs) or permissions on a file. Only approved accounts can have access to answer files.
• To improve the security in answer files, you can hide the passwords for local accounts by using Windows System Image Manager (Windows SIM). For more information, see Hide Sensitive Data in an Answer File.
• During unattended Windows installation, answer files are cached to the computer. For each configuration pass, sensitive information such as domain passwords and product keys are deleted in the cached answer file. However, other information is still readable in the answer file. Before you deliver the computer to a customer, delete the cached answer file in %WINDIR%\panther.

Delete the answer file only if there are no settings to be processed during the oobeSystem pass. The oobeSystem configuration pass is processed immediately before Windows Welcome begins. This is typically the first time a customer turns on the computer. If you delete the answer file from this directory, those settings will not be processed.

Improving Security for Windows Images
Your Windows images contain custom configuration data, custom applications, and other intellectual property. There are several ways to improve the security of your Windows images, both online and offline.

• Restrict access to Windows images. Depending on your environment, you can edit the access control lists (ACLs) or permissions on a file. Only approved accounts can have access to Windows images.
• Update your Windows images with the latest fixes and software updates. There are many ways you can service a Windows image. For more information, see Phase 5: Managing and Servicing Your Windows Image. After servicing your Windows image, test the validity and stability of the computer.
• During Windows installation, configure the computer to automatically download and install Windows updates. This extends installation time, but ensures that the Windows image that you are installing contains the latest updates. For more information, see the DynamicUpdate setting in the Microsoft-Windows-Setup component in the Unattended Windows Setup Reference.

Improving Security for Distribution Shares and Configuration Sets
Your distribution shares and configuration sets contain private data that only a few members of your organization can access. The following are recommendations for improving security for distribution shares and configuration sets.

• Restrict access to distribution share contents. Depending on your environment, you can edit the access control lists (ACLs) or permissions on a distribution share. Only approved accounts must have access to distribution shares.
• Keep applications and device drivers updated with the latest fixes and patches.

Improving Security for Windows PE and Network Boot Scenarios

• The following recommendations apply to Windows PE or network boot scenarios.
• Review the documentation for your network boot tools for information about how to improve the security for your network boot infrastructure.
• Use a wired network. Wireless networks are a security risk.


/These are the security considerations Microsoft wants you to be aware of I did not change these at all being that I am sure we will see these on the test
To see the full text go to Security Considerations /



Designing Client Configurations

Design standard system settings

Logon script – A script that run when a user logs on to Windows 7, these scripts run on the User account.

Startup scripts – A script that load and run during the start up process of Windows 7, these scripts run on the Local System account.

Group Policy – Group Policy provides an infrastructure for centralized configuration management of the operating system and applications that run on the operating system.

Changes in Group Policy found in Windows 7

1) Ability to manage Group Policy from the Windows PowerShell command line and to run PowerShell scripts during logon and startup
• Maintaining GPOs: GPO creation, removal, backup, and import.
• Associating GPOs with Active Directory® containers: Group Policy link creation, update, and removal.
• Setting inheritance flags and permissions on Active Directory organizational units (OUs) and domains.
• Configuring registry-based policy settings and Group Policy Preferences Registry settings: Update, retrieval, and removal.
• Creating and editing Starter GPOs.

2) System Starter Group Policy objects (GPOs) for the following scenarios are available in Windows 7 with Remote Server Administration Tools (RSAT):
• Windows Vista Enterprise Client (EC)
• Windows Vista Specialized Security Limited Functionality (SSLF) Client
• Windows XP Service Pack 2 (SP2) EC
• Windows XP SP2 SSLF Client

3) The following changes are available in Windows available in Windows 7 with Remote Server Administration Tools (RSAT):
• Improved user interface
• Support for multi-string registry and QWORD value types

SmootCIS

• Lite Touch deployment: (Small/Medium Sized business)
“Minimizes costs by incorporating an increased level of Lite Touch automation by using deployment tools and technologies. A Lite Touch deployment still requires minimal user interaction and can incorporate multiple operating systems within the environment, which can result in moderate organizational costs.”


Supports
• Clean Installs
• Upgrades
• wipe-and-load
• Cloning (Ghosting)

Infrastructure Requirements
• File Server
• LAN


1. Geared toward high-volume deployment
2. Targeted for medium-sized organizations that have an information technology (IT) staff
3. Based on the Microsoft Deployment Toolkit (MDT) Lite-Touch Installation (LTI) method.
4. Start the deployment on each computer and configure deployment settings. After that, the deployment is usually automated and requires no intervention.
5. Less Expensive than Zero Touch Deployment in initial cost

Advantages
o Only Requires the initial interaction in the beginning
o All Clients start in the initial same state
o Streamlines Process decreasing deployment time.
o Requires a file server and LAN placing a low demand upon infrastructure

Disadvantages
o Does Require initial interaction
o Designed for networks with 200-500 clients

Microsoft suggested steps of Lite Touch Deployment

1. If your organization is deploying a new version of Windows, determine your organization’s readiness for the new version by using the Microsoft Assessment and Planning Toolkit.

2. Use the ACT to prioritize your organization’s applications, determine your compatibility status, and consolidate applications. The ACT can help organizations triage and remediate applications that have compatibility problems.

3. Prepare the infrastructure for MDT 2010 by creating a file server for the distribution shared resource. Optionally, install and configure the Windows Deployment Services role in Windows Server 2008 R2. Starting client computers by using Windows Deployment Services is the easiest way to start a network deployment.

4. Install MDT 2010 on the file server along with additional components, including the USMT.

5. Create a distribution share that contains operating systems, applications, device drivers, and updates.

6. In MDT 2010, create and customize a task sequence for each configuration that you want to deploy. Task sequences have instructions for installing and configuring Windows.

7. In MDT 2010, create and update a deployment point. Deployment points describe how to connect to the files in the distribution shared resource (or a copy of those files). By customizing the deployment point, you can specify to what extent users interact with MDT 2010 during deployment. Updating a deployment point creates Windows PE images that you use to start client computers during deployment.

8. Create a device to start the Windows PE image by preparing a removable storage device with the images created by MDT 2010 when you update a deployment point. Optionally, add the Windows PE image to Windows Deployment Services, which makes starting the image quick and easy during deployment.

9. Start each client computer by using the Windows PE image, and then follow the instructions to log on to the distribution shared resource, choose a task sequence, and install Windows.

Tech net Lite Touch Deployment


• Zero Touch deployment: (Enterprise)
“Primarily targeted toward enterprise-class organizations that have deployed network infrastructure prerequisites. These organizations can take advantage of robust deployment automation capabilities, and can select whether any end-user involvement is required.”

Supports
• Clean Installs
• Parallel Installs
• wipe-and-load
o /DOES NOT SUPPORT UPGRADES/

Infrastructure Requirements
• LAN
• System Center Configuration Manager 2007 SP2
• Windows Deployment Services (WDS)
• Active Directory Domain Services (AD DS)
• High Network bandwidth


1. Geared toward Enterprise organizations that have a skilled information technology (IT) staff
2. Based on the Microsoft Deployment Toolkit (MDT) Zero-Touch Installation (ZTI) method.
3. Start the deployment and configure deployment settings. After that, the deployment is usually automated and requires no intervention.
4. Less Expensive than Lite Touch Deployment in overall cost

Advantages
o Full automation
o All Clients start in the initial same state
o Streamlines Process decreasing deployment time.

Disadvantages
o Requires large infrastructure
o Requires Skilled IT Department

Microsoft suggested steps of Zero Touch Deployment

1. Review the available planning guidance for using the Zero-Touch, High-Volume Deployment strategy with MDT 2010. This guidance includes detailed information about the infrastructure that is required to deploy Windows 7 by using this strategy.

2. Determine your organization’s readiness for Windows 7 by using the Microsoft Assessment and Planning Toolkit or a similar assessment tool.

3. Use the ACT to prioritize your organization’s applications, determine your compatibility status, and consolidate applications. The ACT can help organizations triage and remediate applications that have compatibility problems.

4. Prepare the infrastructure for the Zero-Touch, High-Volume Deployment strategy with MDT 2010, including installing and configuring Configuration Manager 2007 R2 and its prerequisites, creating the required user and service accounts, and configuring Active Directory Domain Services.

5. Install MDT 2010, and configure the Configuration Manager 2007 R2 integration. This process includes configuring how to define new computers in the site database and creating additional packages that Configuration Manager 2007 R2 requires during deployment (USMT package, Custom Settings package, and so on).

6. Optionally, create a custom master image by using Configuration Manager 2007 R2 to deploy Windows 7 to a master computer, customize the configuration, and then capture the custom image.

7. Configure Configuration Manager 2007 R2 to deploy Windows. This includes preparing the Microsoft Deployment Toolkit Management Pack to monitor the deployment with Operations Manager 2007 R2. This management pack helps detect and alert you when critical events occur during the deployment process.


Tech net Zero Touch Deployment


• Local install deployment:
“The most expensive way to implement a new desktop operating system or software application. The high costs result from the lack of automation tools and a subsequent increase in resources required to design, deploy, and manage the entire installation process.”

Supports
• Clean Installs
• Upgrades
• wipe-and-load
• Cloning (Ghosting)

Infrastructure Requirements
• Client


1. Geared toward very small-volume deployment
2. Targeted for small-sized organizations that have an information technology (IT) staff
3. More Expensive than Zero Touch and Lite Touch Deployment.

Advantages
o Requires no infrastructure

Disadvantages
o Requires Full Interaction
o All Clients start in different states
o Increased deployment time.

mr_zzz

Again thanks very much for the effort SmootCIS.
From tonight on I will be studying for the exam, mine is scheduled for october 7th. I will give feedback asap.

SmootCIS

mr_zzz wrote: »

Again thanks very much for the effort SmootCIS.
From tonight on I will be studying for the exam, mine is scheduled for october 7th. I will give feedback asap.

No problem while in the course of studying you find something I need to add please let me know

Piers

fantastic stuff Smoot, many thanks!

RobertKaucher

I call for a sticky!!!!

RobertKaucher

Smoot, how are you an Alpha Geek if this is a Beta Exam?

SmootCIS

Well I took the exam on Friday, and I must say not as hard as I thought it was going to be. There were 77 questions the VAST MAJORITY was on Deployment I am going to get the rest up on here soon bare with me I have been busy with work.

mr_zzz

Nice to hear it's not thAt hard SmootCIS.
Mine is scheduled for wendnesday. I think I've studied enough, also mostly on deployment, IE, ... .
Now I'll try to get the new Win 7 group policy stuff, I know MS likes GPO questions on those exams ... .
It would be nice to hear the full feedback when you have some time, thank you!

RobertKaucher

SmootCIS wrote: »

Yeah I am not sure on this one, can you cite any documentation for this?

It just don't make sense to me that MS would call these single core images being they are calling them Windows PE Images through out the rest of the documentation

Yeah Multi core boxes should be fine this single core minus CPU affinity I am not sure if that will defaultly set your computer to use all your CPUs for processes and applications.

From my experience (which has been predominantly XP for a while now) trying to load multi core images on single core boxes will not happen.

If what your saying is all they are talking about though it should be pretty much common sense on the exam when a generic image or a PE image should be used over a need specific image. All documentation I have been able to come across so far for single core images, has been for CPU affinity and that is why I included that definition. Like I said though that it was an educated guess it may be completely wrong or misguided.

Smoot, I think that what they are saying is "single, core image" meaning a single, generic image containing the core applications and other services required by most employees in the Enterprise.

Piers

Big thanks, all this info is very much appreciated.. it's my last hour review before hitting up the test, 1/2 hour to go

mrmcmint

Piers wrote: »

Big thanks, all this info is very much appreciated.. it's my last hour review before hitting up the test, 1/2 hour to go

Good Luck! Let us know how you get on

Piers

mrmcmint wrote: »

Good Luck! Let us know how you get on

man, that test was all over the place.. LOTS of deployment scenarios, a little of everything else, heck I even had a question on NPS! Some questions complicated, others simple.. it's going to be a long 8 weeks

mrmcmint

Thanks for that Piers! sounds like quite a tough test! I have both the 685 and 686 tomorrow - I will report back my opinion!

Hyper-Me

These different reviews are interesting. We seem to have all had different experiences with the same test (at least I assume its the same)

littlehoops

I Guess we all just pick up on what we found the hardest. So it seems they are different.

Hoops

aaronchristenson

I almost wonder if that last question in the begining servey had anything to do with the category of questions you got.

Piers

the questions about whether you consider yourself proficient at such and such, windows 7 admin, deployment, ad etc etc? Yeah, I wondered about halfway through if I'd put "I'm just starting to learn this" for all the answers if the test might have been different