Course Objectives:
The Best of Our Popular "Vista Support" and "Windows 7 Support" Classes,
in Just Two Days
Most of the Windows-using world relies upon XP Professional, and has
for nearly ten years. Most of that world has also avoided XP's
would-be replacement Vista, as Vista offered a lot of great new
abilities... but was a marketing failure that attracted few converts.
For many organizations, however, it's time for a change, and Vista's
successor -- Windows 7 -- seems to fill the bill with its vastly
improved deployment tools, a completely revised and faster network
stack, a dozen or so new built-in security technologies, much more
complete central administration possibilities thanks to Windows 7's
nearly one thousand new group policy settings and far superior group
policy infrastructure, several big improvements in storage, and of
course how could we forget "Aero glass," the shiny new graphical user
interface?
Yes, Windows 7 offers a wealth of upgrades from XP, but it also does
many things quite differently than XP did. Learning what's new,
better, worse, and different than XP, as well as how to support all of
those new, better, worse and different things can be quite
time-consuming -- unless you let veteran Windows techie Mark Minasi
guide you through that thicket. Since 2006, Mark's been offering a
two-day class on Vista and then another two-day class on Windows 7, but
many customers have asked us, "can you combine the Vista and Windows 7
classes so that we can see how to skip Vista and make the move from XP
to Windows 7 easily," and so we've distilled the best two days out of
the two classes to produce this one. So, instead of needing four
days and two classes, Mark will help you convert your XP expertise into
Windows 7 savvy in just two days. (And of course, Mark delivers
that information with his distinctly entertaining style, with a host of
illuminating demonstrations and trademark humor!)
Key Seminar Benefits
- Hear the good news and bad news about supporting Windows 7, from an independent source who's
been analyzing, supporting, writing and teaching about Windows for a
quarter-century
- Discover the new deployment tools in Microsoft's Windows Automated
Installation Kit (WAIK) and how they can save you time and money
- Learn all of Windows 7's new security technologies so that you're ready
to solve application compatibility and "why doesn't this work any more?"
problems.
- Know how to control and repair Windows boot parameters with the new
BCDEDIT, BOOT.INI's replacement.
- Use Windows' new GUI and command-line tools to control volumes,
partitions and the new built-in virtual hard drive support
- Find out exactly what that annoying User Account Control thing's
doing, how it
works... whether or not to disable it!
- Avoid the dread possibility of malware (or other files or registry
keys) that can't be deleted by
understanding and controlling Windows Integrity Levels
- Grasp the essentials of file and Registry virtualization to enable
"legacy" (that is, pre-October 2006) applications to run under Windows 7
- Simplify your support tasks and keep from losing company data by exploiting CompletePC
backup and Previous Versions on your systems
- Get the most out of Windows 7's changes to group policies
- Get the details on how Windows 7 lets your users organize their
files in completely new, faster and more efficient ways with libraries,
stacks, and the new Windows Search Service (and the sneaky trick to get
Windows to allow you to add a non-indexed file share to a library)
- Ensure that when you lose a laptop, you lose only the hardware, not
the data, with BitLocker
- Keep your company's data safe even when it's on a USB stick with
BitLocker To Go
- Block users from installing particular types of hardware through
group policies
- Lock down services with Windows 7 and sc.exe's new (and largely
unknown) ability to bolster system
security against buffer overflow vulnerabilities.
Prerequisites
Anyone taking this class should have at least a basic knowledge of
Windows support, Windows networking and security. For example, you'll get
the most out of this class if you know that Active Directory lets us
centrally administer user accounts and machine settings, if you know
what the Registry does, and have some familiarity with group policies.
And, of course, all attendees must have a solid knowledge of the .NET CLR, C# and APL programming. (Okay, we're just kidding on that
last point; no programming experience necessary!)
Course Outline
- Introduction: Windows 7 in Perspective
Vista's perceived failure in the marketplace, coupled with XP's time-tested
reliability, has made many folks a bit
gun-shy about adopting a new Windows. Will Windows 7 require major
hardware upgrades? Can you find drivers for it? 32-bit or
64-bit? Will my apps run on it? Which one of Windows 7's 283
versions should I adopt? We'll look at all of these issues in this
section.
- Why consider an upgrade from XP?
- SKUs: Win 7 Pro versus Win 7 Enterprise/Ultimate
- Upgrade paths (good news and bad news)
- 32 or 64 bit? Some candid advice
- Making the Win 7 Pro/Win 7 Enterprise choice
- Hardware compatibility and requirements
- Software compatibility
- Post-XP Windows Deployment: Almost Everything You Know Is Wrong, But That's
All Right
For years, Microsoft was never really successful in developing popular
tools for automating Windows, whether for Windows 3.1 or Windows XP. While scripted installs and Remote
Installation Service are good technologies, they've never really caught
on amongst support professionals, and in truth the most-used Microsoft
deployment tool in the XP world was Sysprep, and then only to facilitate
using Ghost or similar products. Since 2006, though, Microsoft has
re-thought deployment and given us a whole new arsenal of rollout
tools. Are they the answer, or will they just be another case of
"nice try, Redmond?" In this section, you'll meet Win 7's new
"rollout team" and decide for yourself.
- New concepts
- Windows image (WIM) files
- The Windows Automated Installation Kit (WAIK) 2.0
- The "repair OS," Windows Preinstallation Edition version 3.0
- WIMs versus Ghost
- Mountable
- Delivering patches
- Deployment tools
- WAIK Tools
- Imagex
- Windows System Image Manager
- Windows PE 3.0
- Sysprep
- Windows Deployment Services
- USMT and upgrades
- Deployment Image Servicing Manager (DISM)
- Working With WIMs
- What's a WIM?
- Peeking into WIMs with System Image Manager
- Working the WIM with imagex
- Deploying a WIM with WinPE and Imagex
- Deployment's all-new tool: the Deployment Image System Manager (DISM) replaces pkgmgr, intlcfg and peimg
- DISM goals: feature activation, image servicing
- Online versus offline behavior
- DISM examples: image mounting, offline hotfix installs, feature enable/disable, driver installs,
image unmounting
- Awful activation: key management service (KMS) overview
- Windows activation in Windows 7
- Multiple Access Key (MAK) activation versus KMS activation
- What KMS does
- Finding a KMS server
- Windows' New Boot Structure: BOOT.INI's Gone, BCDEDIT's
Here
Once you've got Windows 7
deployed, you'll start it up... and that's where we've got some new
things to learn. Part of running any system involves
controlling how it starts up in the first place. Ever since NT 3.1, we've
controlled how the NT part of the Windows family boots through a simple text
file called boot.ini. Vista, however, retires boot.ini and replaces it
with a more flexible, architecture-independent tool: the boot
configuration database, or BCD. But don't reach for Notepad to edit BCD...
you'll need to learn BCDEDIT, a whole new tool. And while we're at
it, Windows 7 likes to chop up your system's boot disk in a somewhat new
way with a 100 MB "hidden partition" -- but then, it won't be hidden to
you once we've covered it!
- Talkin' BCD: new terminology
- The "store"
- Boot entries
- Entry options
- Global bcdedit settings
- Boot entries, GUIDs and well-known GUIDs
- A guide to the most useful entry options
- New disk layout: booting from the "unlettered drive"
- Implications for new disk layout and Windows 7 deployment
- Finding and Storing Things Made Easier: Libraries, Tags, and the Search Index
Over
the years, Microsoft has experimented with different ways of letting your
users store and organize their data. Windows 7 introduces a new,
more flexible
concept in the form of libraries, which you might think of as a sort of "My
Documents" done better. If you choose to adopt Windows 7, then you should
understand how these work and how to get the most out of them.
- Data organizing help: keywords, group by, ratings
- Libraries explained
- A sort of "super folder"
- Much more comprehensive search-wise
- Adding networked resources to libraries
- Deployment issues
- Search basics in Windows 7: XP's "index service" becomes the
"Windows Search" service, but with important changes
- Reconfiguring Search Service (and why you'd want to)
- Windows Storage News
One of the sources of big changes in post-XP Windows comes from an
often-overlooked area: storage. Windows 7 includes a
completely different set of backup tools than those found in XP, a
number of data integrity tools, and built-in support for creating and
managing virtual hard disks (VHDs) which, despite their name, aren't
just for virtual machines. You can even boot a physical Windows 7
system from a VHD, as you'll see in this section.
- Resizable volumes: no more Partition Magic needed
- Windows Backup
- Completely new backup system
- No tapes... but supports DVD and CD
- Data organization
- Windows Backup problems
- Recovering from catastrophic failure: CompletePC backup
- How CompletePC backup works
- Restoring CompletePC backups: the Windows Recovery Environment
- Getting Data Back
- Volume shadow copies
- Undelete comes to Windows 7: "Previous Versions"
with no server needed
- Configuring "Previous Versions"
- NTFS and Registry change: transactions
- How transaction-based changes work
- Implications for patches
- Optical disk support via "isoburn"
- User Account Control
Once we've mastered storage, it's time to start working with
everyone's favorite Windows headache: security. You may not know
of every post-XP feature, but there's at least
one new Windows feature you probably know: User Account Control.
Known informally as "the Vista feature that everyone loved to hate," UAC
was intended as an anti-malware tool that actually didn't really work, but we think
it's useful for other reasons, as you'll learn here. The key to UAC lies in understanding it, and understanding how it can contribute to
application compatibility problems. Additionally, UAC contains a very important and useful
patch that actually solves many app compat problems automatically, allowing you to run older applications that would otherwise
fail when run as a standard user rather than an administrator. Yes, UAC can be annoying, but to know it is to love it --
and in this section, we'll show you more about UAC than you can find
anywhere else!
- UAC component overview
- Administrator Approval Mode
- "Standard user"
- "Elevation"
- Split token
- Deciding which token to offer
- File and Registry virtualization
- What are administrators made of? How UAC creates the split token
- The Notorious Nine
- The Fearsome Four
- Integrity levels
- Controlling UAC and elevation
- UAC's seven rules to elevate
- How to override UAC's defaults
- Understanding manifests
- File and Registry virtualization
- What it is, how it works, seeing it in action
- Rules for virtualizing
- Fine-tuning Registry virtualization
- Monitoring virtualization: virtualization as an inventory tool
- Windows Integrity Levels
Perhaps Windows 7's least-known but most
potentially scary new feature is something called Windows Integrity
Levels (WILs). WIL is a concept intended to protect your
files from malware by identifying different levels of "trustworthiness"
on users, processes, and objects (files and folders, for example).
Once those levels of trustworthiness -- "integrity" is Microsoft's
phrase -- are established, then higher-integrity objects (like your
personal data) can be shielded from lower-integrity objects (like any
malware derived from the Internet). That sounds like file
permissions, yes, but it's more than that, as "integrity permissions"
always beat file permissions. The sad news is that Microsoft
implemented integrity levels, but didn't do much with them, nor did they
tell anyone about it. The bad news is that malware writers can, using
these integrity levels, create malware that cannot be deleted by an
administrator... yikes! But
after completing this section, you'll know how to control WILs so as to
combat those kinds of attacks, as well as get some ideas about how to use
this new tool to protect your data and applications.
- The basics: mandatory access controls and integrity levels
- How integrity levels affect object access in Windows
- Extending the integrity model
- chml, a tool to let you modify integrity levels
- Integrity levels versus permissions
- Windows and Physical Security I: BitLocker
Years back, Microsoft offered a set of ideas that they called the Next
Generation Secure Computing Base initiative, or you may recall its code name
"Palladium." About the only thing that's actually seen the light of day
from the Palladium ideas is a terrific anti-data-theft tool called BitLocker.
This section shows you what BitLocker does, but, better, it shows you how to do
the extra BitLocker stuff that Microsoft would prefer that you didn't know.
If you have laptops, then you need to understand BitLocker, as it's the
tool that ensures that when you lose a laptop, then you lose only the
hardware... not the data.
- BitLocker basics: full volume encryption
- How is it uncrackable? Is it uncrackable?
- Getting your system ready for BitLocker
- Setting up BitLocker with a "TPM" chip
- Setting up BitLocker without a TPM chip
- Choosing the level of encryption
- What to do when your laptop's toast and you need your data
- Configuring BitLocker with manage-bde
- Windows and Physical Security II: Plug and Play
Restrictions
Ever since the movie The Recruit, people have worried about data theft
from USB devices. What keeps an unhappy employee or a visitor from popping
a USB memory stick into a USB slot and siphoning off your company's data?
Windows 7, that's what, with a new set of group policies controlling hardware
installation.
- New hardware installation controls
- Creating whitelists or blacklists
- Understanding and finding hardware IDs, compatible IDs, and class GUIDs
- Steps to blocking a piece of hardware from installing
- Windows and Physical Security III: BitLocker To Go, Encryption for Portable Devices
Vista and Server 2008 brought BitLocker, a tool
that let you encrypt any or all of your internal hard disks. It slowed
your drives down a bit, but ensured that if you left your laptop on an
airplane then no one could peek at your data. With Windows 7,
Microsoft has extended BitLocker's job to enable you to use it to encrypt
USB sticks and other portable data devices. Why do this? USB
sticks worry many folks, as they fear that users might copy important
company data onto a USB stick and then accidentally leave it where someone
could find it and read that data. With BitLocker To Go, you can
instruct one of your computers to only permit a user to copy data onto a USB
stick if that USB stick's encrypted. That way, if the user loses the
USB stick, then whoever finds it won't be able to read its data. This
section explains how to make BitLocker To Go work, and what limitations
it presents.
- BitLocker To Go overview and limitations
- Encrypting a USB stick
- Decrypting a USB stick
- Forcing systems to require BitLocker To Go
- Windows Service Architecture Changes Under Windows 7
Windows services are an important pillar of Windows' architecture... but they've been a source of
security nightmares, as evidenced by Code Red, SQL Slammer, Nimda, Blaster, Sasser and others. In
Windows 7, Microsoft has completely re-engineered how services work under-the-hood to allow
developers to build services that are far more worm-resistant. But what about when those developers
are a bit lazy? With the right knowledge, a savvy admin can tighten up many Windows services... without
having to know how to write a line of C++!
- Review: why services offer vulnerabilities
- Service session isolation
- How it works
- Solving potential compatibility issues arising from it
- Reduced service privileges: "least privilege" and the new services
- How it works
- How to see if a service has been "least privileged"
- Dialing down a service's privileges without being a programmer
- Service isolation
- How it works: the new "restricted SID"
- Service SIDs
- How to restrict a service when the coders haven't bothered
- Service bounce: new Service Restart settings
- Why's that not up yet? Auto-delay services, a new type of service
- Short Post-XP Windows Security Items
This section ends our look at Windows security with a roundup of short
Windows 7
security topics.
- Changes to group policy security default settings
- Potential incompatibilities
- Administrator account disabled
- Folders and groups eliminated
- Windows Firewall changes
- Windows 7 Gets More (Remote) Controlling
While running around to users'
desks to fix things might be a good way to stay in shape, it's not really
productive, particularly given the fact that there are an awful lot of users out
there and fewer and fewer of us support folks -- so remote control's a good
idea. Fortunately, Windows 7's got some nice upgrades for Remote Desktop
and a completely new remote control protocol and tool, WinRM and Windows Remote
Shell. This section shows you how to extend your reach with these new
tools!
- Remote Desktop gets better in Windows 7
- New name: Remote Desktop Services (RDS)
- More secure, if you opt for it
- Bandwidth throttling between interactive and noninteractive
parts of RDS sessions
- EasyPrint simplifies remote desktop printing
- Block transfers speed up RDS sessions, if enabled
- Windows' RPC replacement: WinRM
- Why WinRM is replacing RPC
- WinRM essentials
- WinRM setup and security
- Where WinRM's currently in use in Vista, Server 2008, Windows 7
or Server 2008 R2
- WinRM troubleshooting
- Secure remote control with winrs, "Windows Remote Shell"
- Back-porting WinRM to XP and 2003
- Solving Windows 7/XP WinRM compatibility issues
- SMB2: File Sharing Gets Better... If Less Secure
Microsoft's two oldest protocols -- RPC and their file sharing system, SMB --
have both been in need of some serious revision for quite some time, and
Microsoft's been busy seeing to that. You will have already learned about
RPC's changes in the previous section, and in this short section, you'll learn
about SMB's "SMB2" upgrade.
- SMBv2 performance improvements
- SMBv2 security improvements
- The bad news: the SMBv2 denial-of-service attack
- The latest news: is SMBv2 safe yet?
- Disabling SMBv2, if necessary
- What's Changed in Windows 7's TCP and IP
XP's network software has served
us well, but the Internet's realities have changed between XP's 2001 debut and
now, and Windows' networking software has changed to reflect that.
Surprisingly, though, this has led to a situation wherein Windows' up-to-date
network software is showing up some older, less with-the-times network stacks,
often leading to interoperability problems that seem to be caused by Windows 7,
but that are actually the fault of the older stuff. In this section,
you'll learn how to recognize and troubleshoot these problems. We'll
also spend a little time talking about another Internet change that we will all
be dealing with in a year or two -- IPv6. In this section, we'll explain a
bit about why IPv6 is imminent and pass along just a few "must-know" IPv6
pointers.
- Post-XP TCP: RFC 1323 and what it means
- Where you'll see performance improvements
- Problems arising from networks with older networking hardware
- Troubleshooting procedures and workarounds
- A few words on IPv6
- Why IPv6 is (finally) coming, whether we like it or not
- De-weirding IPv6
- What's in an IPv6 address
- High-level view of IPv6 auto-configuration
- Where systems get IPv6 addresses, routers
- Where IPv6 systems get DNS addresses
- Anatomy of an IPCONFIG output: what is all that new
stuff in IPCONFIG?
- Short Network Items
Simply focusing on the big changes to post-XP Windows
networking would lead us to miss out on some of Win 7's small but likeable
additions to Windows networking, which we cover in this short section.
- Wireless UI changes and faster wireless connection
- Network and Sharing Center
- In the box: setspn, whoami, robocopy, klist, sc and more
- Group Policies in Windows 7
From networking, we move next to Windows 7's many new management
tools and management infrastructures. The premier Windows central
management tool is group policies. Group policies are a great idea, but ever since they appeared in
Windows 2000 they've been a bit clunky: useful, but hard to
administer and troubleshoot. To combat that, Microsoft completely rebuilt the group policy engine, added
900 new group policy
settings, changed how group policies are defined, and made a host of
other changes to make group policies more useful and more of a
"must-use" tool. And they did it all without sacrificing backward
compatibility, mostly. Find out about these changes in this
section.
- What group policies needed in XP
- The group policy engine
- New service rather than part of Winlogon
- Hardened service isolates third party client side extensions
- Improved GP refresh methods
- Multiple local GPOs
- Network Location Awareness service 2.0
- Completely revised group policy engine logging
- New administrative templates
- XML based
- Centralized store of admin templates reduces "Sysvol bloat"
- Implementing the Central Store
- Getting the Group Policy Management Console onto Windows 7
- New group policy settings areas
- GPMC improvements
- Comments (hey, don't laugh until you have to look at a
ten-year-old group policy object!)
- Keyword searches
- Starter GPOs
- Win 7's New Event Viewer
Who would have imagined that the Event Viewer would play a minor
starring role in Windows 7? While uprooting and rebuilding pieces of
Windows, Microsoft decided (rightly) that Event Viewer was way overdue
for a facelift. The new Event Viewer bears very
little resemblance to the tool that changed very little between Windows
NT 3.1 and Windows Server 2003 R2. This section examines its
extensive set of new capabilities and how to exploit them.
- Windows 7 Event Viewer features
- Completely restructured logs
- New urgency level "critical"
- Event triggers
- Events can be collected at a central system
- Log size limits gone
- Creating event triggers
- Centralizing events
- Configuration setup
- Security setup
- Command-line Event Viewer: wevtutil
- Windows' New Management and Reliability Tools
Windows 7 comes with a number
of tools intended to help you keep your system running in peak shape and,
given how hardware-intensive Windows 7 can be, that's a good thing! In
this section, we'll meet those tools.
- Performance rating tool
- Reliability Monitor: quick answers to "when did the problem
start?"
- Problem Steps Recorder: Windows 7's most-beloved unknown feature
- Action Center: provider of security advice, blue screen tracker, and the
"mute button" for a lot of irritating notifications
- Resource Monitor
- System tray squelch: pop those balloons!
- ReadyBoost and ReadyDrive
- Getting green: using powercfg to monitor energy use and suggest new ways
to save energy
Course Materials and Course Format
The class works from PowerPoint presentations. Every attendee
gets a printed copy of the PowerPoints. To make it possible to run
this course in just two days, this runs in mainly lecture format.
Arranging a Course At Your
Location
We offer this class as a public seminar about a half-dozen times a
year; you can view the current schedule at www.minasi.com/pubsems.htm.
But you needn't wait -- Mark can come to your organization to teach it
on-site. On-site classes offer you the flexibility to lengthen or shorten
the class, add hands-on labs, modify the course's focus and zero in on
your group's specific needs.
Please contact our office at (757) 426-1431 between 12 Noon-5 Eastern
time or email Assistant@Minasi.com to discuss
scheduling and fees.