Windows 7 & 10 Tips and notes

New Windows 7 & WS 2008 important tools and it’s function

Is a new feature in Windows 7 and Windows Server 2008 R2 that builds on this by bringing RemoteApp programs to the Start menu, giving them the same launch experience as local applications.

RemoteApp and Desktop Connections works with a new feature of Remote Desktop Web Access (RD Web Access)--the RemoteApp and Desktop Connection feed. Instead of presenting RemoteApp programs in the form of a web page, this feed presents them in a software-parsable XML document.

With RemoteApp and Desktop Connections, the user subscribes to a feed of RemoteApp programs by supplying the client software with its URL. After the user has subscribed to the feed (that is, created a “connection”), his work is done. From then on, the RemoteApp and Desktop Connections client software will make sure that the resources in this connection are placed in the user’s Start menu.

The RemoteApp and Desktop Connections feature offers several benefits:

RemoteApp programs launch from the Start menu just like any other application.

Published Remote Desktop connections are included alongside RemoteApp programs on the Start menu.

Changes to the published connection (such as newly published RemoteApp programs) are automatically reflected on the user’s Start menu, without any effort on the user’s part.

RemoteApp programs can be easily launched with Windows Search.

Users only have to log on once, to create the connection. From that point on, updates happen with no prompt for user credentials.

RemoteApp and Desktop Connections does not require domain membership for client computers.

RemoteApp and Desktop Connections benefits from new features in Windows Server 2008 R2, such as Personal Desktop assignment or per-user application filtering.

RemoteApp and Desktop Connections is built on standard technologies such as XML and HTTPS, making it possible for developers to build solutions around it. It also offers APIs that allow the client software to support other types of resources, in addition to RemoteApp programs and Remote Desktop connections.

Remote Desktop Gateway

Also known as RD Gateway, can tunnel the Remote Desktop Protocol session using a HTTPS channel. This increases the security of Remote Desktop Services by encapsulating the session with Transport Layer Security (TLS). This also allows the option to use Internet Explorer as the RDP client.

RemoteApp or TS RemoteApp

Is a special mode of Remote Desktop Services, available only in Remote Desktop Connection 6.1 and above (with Windows Server 2008 being the RemoteApp server), where remote session configuration is integrated into the client operating-system.

A RemoteApp can be packaged either as a .rdp file or distributed via an .msi Windows Installerpackage. When packaged as an .rdp file (which contains the address of the RemoteApp server, authentication schemes to be used, and other settings), a RemoteApp can be launched by double clicking the file. It will invoke the Remote Desktop Connection client, which will connect to the server and render the UI. The RemoteApp can also be packaged in a Windows Installer database, installing which can register the RemoteApp in the Start Menu as well as create shortcuts to launch it. A RemoteApp can also be registered as handler for filetypes or URIs. Opening a file registered with RemoteApp will first invoke Remote Desktop Connection, which will connect to the terminal server and then open the file. Any application which can be accessed over Remote Desktop can be served as a RemoteApp.

Windows 7 includes built-in support for RemoteApp publishing but it has to be enabled manually in registry, since there is no RemoteApp management console in client versions of Microsoft Windows.

WDS vs MDT 2010 vs SCCM

We can run MDT2010 "over" WDS so that you can PXE-boot clients and multicast over your network (with the WDS base infrastructure being necessary for the PXE-booting and multicasting as MDT2010 cannot do that on it's own), but using MDT2010 as opposed to WDS by itself provides you with much more options and functionality (what with the task sequencing features and utilities such as ImageX and DISM for example)

SCCM R3 has all from both and more.

is best used when the applications cannot be run on the OS and needs an older OS version.

How to create and deploy an Med-V image

MED-V Trim Transfer Technology – technology uses existing local data to build the virtual machine image, leveraging the fact that in many cases, much of the virtual machine (for example, system and application files) already exists on the end user's disk. For example, if a virtual machine containing Windows XP is delivered to a client running a local copy of Windows XP, MED-V will automatically remove the redundant Windows XP elements from the transfer. To ensure a valid and functional workspace, the MED-V client cryptographically verifies the integrity of local data before it is utilized, guaranteeing that the local blocks of data are absolutely bit-by-bit identical to those in the desired virtual machine image. Blocks that do not match are not used.

The process is bandwidth-efficient and transparent, and transfers run in the background, utilizing unused network and CPU resources.

When updating to a new image version (for example, when administrators want to distribute a new application or patch), only the elements that have changed ("deltas") are downloaded, and not the entire virtual machine, significantly reducing the required network bandwidth and delivery time.

You can configure which folders are indexed on the host as part of the Trim Transfer protocol, based on the host operating system. These settings are configured in the ClientSettings.xml file, which can be found in theServers\Configuration Server\ folder.

Select this check box to enable Trim Transfer (for more information, see MED-V Trim Transfer Technology) when downloading images associated with this MED-V workspace. If this check box is cleared, the full image will be downloaded.

Trim Transfer requires indexing the hard drive, which might take a considerable amount of time. It is recommended to use Trim Transfer when indexing the hard drive is more efficient than downloading the new image version, such as when downloading an image version that is similar to the existing version.


Is best used for applications that do run on the current or target OS but have conflict issues either will other applications or some installed files.

Windows Virtual PC for Windows 7

Ships with Windows 7 Professional and Ultimate.

· Requires AMD-V or Intel VT.

· Not supported by MED-V.

· Used by Windows XP Mode feature.

Microsoft Virtual PC 2007 Service Pack 1

Available for Windows XP, Vista, and Windows 7.Does not require hardware virtualization.

Required by the current MED-V Release Candidate.

KMS and MAK activations

MAK allows you to activate multiple machines over the Internet with that one key, the total is dependent on the licensing program with which you acquired the product key.

MAK use Microsoft's Volume Activation Management Tool (VAMT) which provide us with activation management capability.

KMS activation allows you to activate your machine internally against a KMS host which you set up on your internal network. For Windows Server 2008 and Windows Server 2008 R2 you would need 5 machines before the count would be high enough to activate.

Hosts activated via a KMS have to report back to that key server once every 180 days.

1) The administrator can easily monitor computers on the network by using the Volume Activation Management Tool (VAMT)

2) The KMS host service is included as part of Windows 7 and Windows Server 2008 R2. Therefore, these two operating systems can be configured as a KMS host without having to install additional software

3) To activate the KMS host on the telephone or manually, and to configure the KMS host, use the slmgr.vbs script.

4) When the KMS host is activated, existing KMS clients activate automatically. Certain instances require KMS clients to be configured by using the ospp.vbs script. – for Office

Starting with Windows Vista, Microsoft replaced VLKs with Multiple Activation Keys (MAK) or with Key Management Server (KMS) keys.

User GPO Loopback Processing Mode

It should be used when a computer object resides in a specific OU, and the user settings of a policy should be applied based on the location of the computer object instead of the user object.

Note You cannot filter the user settings that are applied by denying or removing the AGP and Read rights from the computer object specified for the loopback policy.

Normal user Group Policy processing specifies that computers located in their organizational unit have the GPOs applied in order during computer startup. Users in their organizational unit have GPOs applied in order during logon, regardless of which computer they log on to.

In some cases, this processing order may not be appropriate. For example, when you do not want applications that have been assigned or published to the users in their organizational unit to be installed when the user is logged on to a computer in a specific organizational unit. With the Group Policy loopback support feature, you can specify two other ways to retrieve the list of GPOs for any user of the computers in this specific organizational unit:

· Merge Mode

In this mode, when the user logs on, the user's list of GPOs is typically gathered by using the GetGPOList function. The GetGPOList function is then called again by using the computer's location in Active Directory. The list of GPOs for the computer is then added to the end of the GPOs for the user. This causes the computer's GPOs to have higher precedence than the user's GPOs. In this example, the list of GPOs for the computer is added to the user's list.

· Replace Mode

In this mode, the user's list of GPOs is not gathered. Only the list of GPOs based on the computer object is used.

1) Replace - You need to enable this policy setting using the Replace mode on GPO linked to OU, where the Terminal Server's computer accounts are (without folder redirection enabled). When users log on to Terminal Servers, the policy folder redirection is not applied.

2) Marge - Computer Configuration -> The configuration created in GPO linked to OU-TSSERVER.

User Configuration -> The configuration created in GPO linked to OU-TSSERVER.


User Configuration -> The configuration created in GPO linked to OU-SUPPORT. (This is the difference in Merge Mode.)

Shim or Database fix

It is another alternative for Windows 7 incompatible application.

App-V helps if an application has compatibility issue with other apps but id compatible with Windows 7 OS.

Med-V cam to play if application isn’t compatible with windows 7 OS

It’s a metaphor based on the English language word shim, which is an engineering term used to describe a piece of wood or metal that is inserted between two objects to make them fit together better. In computer programming, a shim is a small library which transparently intercepts an API, changes the parameters passed, handles the operation itself, or redirects the operation elsewhere.

The Shim solution allows an application to be physically installed on Win 7 and to mitigate incompatibility issues.

It leverages the nature of linking to redirect API calls from Windows to alternative code—the Shim. Calls to external binary files take place through the Import Address Table (IAT).

This redirection happens for statically linked .dll files when the application is loaded. You can also shim dynamically linked .dll files by hooking the GetProcAddress API.

For example, a very commonly used shim is a version-lie shim. To implement this shim, we intercept several APIs that are used to determine which version of Windows the application is running on. Normally, this information is passed on to Windows itself, and it answers truthfully. With the shim applied, however, these APIs are intercepted.

1) shims run as user-mode code inside a user-mode application process, you cannot use a shim to fix kernel-mode code

2) The Shim Infrastructure implements a form of application programming interface (API) hooking. Specifically, it leverages the nature of linking to redirect API calls from Windows itself to alternative code—the shim itself.

3) The Shim technologies can be used to make an app compatible with other OS platforms.

a. Wine is a shim that allows running many Microsoft Windows applications on Linux, BSD, Solaris, and Mac OS X based operating systems.

4) Once you used the MS ACT to create new Shim for particular app, you can either install it by right-clicking on the shim and pressing the install button, or by using a command-line option, sdbinst.exe <database.sdb>. Here is an example how to used ACT.

Best practice to deploy custom Shim:

You use one of the following two approaches:

Packaging the *.sdb file and a script in an .msi file and then deploying the .msi file, making sure to mark the custom action not to impersonate the calling user. For example, if using Microsoft Visual Basic® Scripting Edition (VBScript) script, the custom action type would be msidbCustomActionTypeVBScript + msidbCustomActionTypeInScript + msidbCustomActionTypeNoImpersonate = 0x0006 + 0x0400 + 0x0800 = 0x0C06 = 3078 decimal.

Placing the *.sdb file on a network share, and then calling a script on target computers, making sure to call the script at a time when it will receive elevated rights (for example, from a computer start-up script instead of a user log-in script)

This example script is taken from the custom action of a Windows Installer (MSI-based) installation of a custom shim database:


Function Install
Dim WshShell
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run "sdbinst.exe -q " & CHR(34) & "%ProgramFiles%\MyOrganizationSDB\MyOrg.sdb" & CHR(34), 0, true
WshShell.Run "cmd.exe /c " & CHR(34) & "del " & CHR(34) & "%ProgramFiles%\MyOrganizationSDB\MyOrg.sdb" & CHR(34) & CHR(34), 0
WshShell.Run "reg.exe delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{guidFromMyOrgsSdb}.sdb /f", 0
End Function
Function UnInstall
Dim WshShell
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run "sdbinst.exe -q -u -g {guidFromMyOrgsSdb}", 0
End Function

Standard User Analyzer (SUA)

Standard User Analyzer tool - SUA. A full-function version of the tool that enables you to perform an in-depth analysis and to fix your issue.

1) Detect and analyze compatibility of App that require elevated privileges to bypass UAC - User Account Control

Standard User Analyzer Wizard. A tool that enables you to follow a step-by-step process to locate and to fix your issues without the analysis options.

Initial deployment and updates

Because testing and mitigation of application compatibility issues typically happens prior to the deployment of Windows 7, a common approach is to include the custom shim database containing all known issues at the time of deployment with the corporate image. Then, as you need to update your custom shim database, you could provide these updates using one of the mechanisms described above. This is the methodology that Microsoft uses to manage the System shim database. The initial version was released with the Release to Manufacturing (RTM) version of Windows 7, and updates are provided with Windows Update. When you use this approach, you are using a methodology proven at a very large scale.

AppLocer or previous Software Restriction Policies (SRP)

Only available in Enterprise and Ultimate, but you can manage it from Windows 7 Professional but not apply AppLocker policies to those machines.

SRP or Software Restriction Policies (SRP), in Windows XP and Windows Vista, gave IT administrators a mechanism to define and enforce application control policies. However, SRP could become a management burden in a very dynamic desktop environment where applications were installed and updated on a constant basis because the application control policies predominantly used hash rules. With hash rules, a new hash rule needs to be created every time an application is updated.


Windows 7 and Windows Server 2008 R2 introduce support for Domain Name System Security Extensions (DNSSEC), a set of specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks. DNSSEC employs digital signatures to ensure the authenticity of DNS data received from a DNS server, which protect against DNS cache poisoning attacks.

Migration Store Types

Uncompressed (UNC)

The uncompressed (UNC) migration store is an uncompressed directory with a mirror image of the folder hierarchy being migrated. Each directory and file retains the same access permissions that it has on the local file system. You can use Microsoft® Windows® Explorer to view this migration store type. Settings are stored in a catalog file that also describes how to restore files on the destination computer.


The compressed migration store is a single image file that contains all files being migrated and a catalog file. This image file is often encrypted and protected with a password, and cannot be navigated with Windows Explorer.


A hard-link migration store functions as a map that defines how a collection of bits on the hard disk are “wired” into the file system. You use the new USMT 4.0 hard-link migration store in the PC Refresh scenario only. This is because the hard-link migration store is maintained on the local computer while the old operating system is removed and the new operating system is installed. Using a hard-link migration store saves network bandwidth and minimizes the server use needed to accomplish the migration.

You use a command-line option, /hardlink, to create a hard-link migration store, which functions the same as an uncompressed migration store.

PowerShell and RemoteSigned policy

- Scripts created locally will run, but those downloaded from the Internet will not (unless they are digitally signed by a trusted publisher).

By default, the execution policy is set to Restricted, which means that PowerShell scripts will not run. You can determine the current execution policy by using the following cmdlet:


You can set PowerShell’s execution policy by using the following cmdlet:

Set-ExecutionPolicy <policy name>

Reset DCOM security

If you have trouble to add or remove the WS 2008 roles and features, you can try to reset DCOM security.

Event ID 1601 occurs: “Error 0x80070543 Cannot open an anonymous level security token.”

Steps to reset the DCOM authentication and impersonation level to the default:

1. Click Start, right click the Command Prompt and click Run as administrator. Click Continue if being prompted.

2. In the Command Prompt, type the following command and press Enter:


Click to expand Component Services and then expand Computers.

Right click "My Computer" and click Properties.

3. Click on the Default Properties tab.

In the "Default Authentication Level" drop down list, if it is set to "None", change it to "Connect".

In the "Default Impersonation Level" drop down list, select "Identify".

Click Apply and click OK.

Remove an update

1. Type at a command prompt:

expand /f:* <update>.msu c:\test

2. Navigate to c:\test\ and open <update>.xml in a text editor.

3. In <update>.xml, replace Install with Remove and save the file.

4. At a command prompt, type:

pkgmgr /n:<update>.xml


GPRESULT /H c:\%computername%_GPReport.html

or in more detils

GPRESULT /SCOPE COMPUTER /Z >c:\%computername%_GPResult_Z.log

Run CMD as System

psexec -i -s cmd.exe