Implementing WindowsVista-eBook-Complete by guga

VIEWS: 118 PAGES: 74

									Contents

Chapter 1 Introduction .................................................................................................1 Chapter 1 What is Microsoft® Windows® Vista™?...................................2 Background ..........................................................................................2 What’s new ...........................................................................................2

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

New User-Visible Features ...........................................................................5

The Vista “experience”..................................................................................2 Packaging and Editions.................................................................................3

User Interface ................................................................................................5 Productivity ...........................................................................................................8 Security ........................................................................................................10 Reliability .....................................................................................................12 Performance................................................................................................13

Feature Assessment..........................................................................16 Vista’s new features—summary. .......................................................16

® 2007 ScritpLogic®

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

i

Contents

Chapter 2 Selected Vista Features?.........................................................................17 Introduction ...............................................................................................17 Security .......................................................................................................17

Networking..................................................................................................27

Security Development Lifecycle..................................................................17 Windows Services Hardening.....................................................................18 User Account Control .........................................................................................18 Windows Defender ......................................................................................20 Network Access Protection................................................................................22 Data Protection and Encryption .................................................................23 Other Security Enhancements ...................................................................25

Microsoft Management Console (MMC) ..........................................................29 Windows Eventing Architecture.........................................................................29 Increased Automation.................................................................................................32 New Group Policy Management........................................................................33 Reliability and Performance Monitoring ...........................................................35

Management and Control .........................................................................29

New TCP/IP Stack .......................................................................................27 Simpler connectivity ..........................................................................................28 Higher security ...................................................................................................28 Improved Manageability ....................................................................................28

Feature Assessment ..................................................................................38 Vista’s new features. .................................................................................39 Summary. ...........................................................................................40

® 2007 ScritpLogic®

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

ii

Contents

Chapter 3 Preparing and Planning for Deployment ..............................................41 Introduction..............................................................................................41 Tell me again: why are we doing this?.............................................41 Planning Methodology......................................................................43 Application Compatibility..................................................................44 Application Management/Deployment ...........................................46 Define Computer Imaging System ...................................................47 Deployment Planning .......................................................................48 Infrastructure Remediation (Preparation) ......................................49 Security Planning..............................................................................49
Select the appropriate deployment scenarios. ........................................48 Ensure that the required infrastructure exists.........................................48 Determine the monitoring plan.................................................................49 Choosing an Image Strategy .....................................................................47

System Security Settings...........................................................................50 Planning User Account Control..................................................................51 Planning Windows Firewall ........................................................................51 Planning Data Encryption..........................................................................52 Restricting the Use of Removable Storage Devices ................................53 Planning Windows Defender .....................................................................53 Third-part Security Applications................................................................53 Infrastructure and Deployment Security ..................................................53

Gather and Analyze Infrastructure Inventories ........................................49 Propose Infrastructure Modifications.......................................................49

® 2007 ScritpLogic®

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

iii

Contents

Chapter 3 continued Testing ...............................................................................................54

Training..............................................................................................55

Lab Requirements .....................................................................................54 Bug Rating, Reporting, and Tracking ........................................................54 Change Control ..........................................................................................54 Test Schedules...........................................................................................54 Training Requirements ..............................................................................55 Training Schedule ......................................................................................55 Training Methods .......................................................................................55 Materials and Resources ..........................................................................56

User State Migration ........................................................................56

Summary...........................................................................................58

Application Inventory and Prioritization....................................................56 Identify Application Files and Settings .....................................................56 Identifying Operating System Settings......................................................57 Develop and Test........................................................................................57

® 2007 ScritpLogic®

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

iv

Contents

Chapter 4 Deployment ..............................................................................................59 Introduction.......................................................................................59 Vista Deployment Technologies.......................................................59

The Windows Automated Installation Kit (WAIK)............................62

Modularization ...........................................................................................59 Windows Image Format (WIM)..................................................................60 Nondestructive imaging ............................................................................61 XML-based answer files.............................................................................61 Script-based installations..........................................................................62

Light Touch Installation (LTI) .....................................................................66 Zero Touch Installation (ZTI) ............................................................................66 Comparing LTI and ZTI ...............................................................................67

Windows Business Desktop Deployment........................................66 Summary...........................................................................................68

ImageX........................................................................................................63 Windows Preinstallation Environment (WinPE)........................................63 Windows System Image Manager.............................................................63 Windows Deployment Services (WDS). ....................................................65

® 2007 ScritpLogic®

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

v

Chapter 1

Providing information that will help IT professionals decide when to deploy Vista, and what methodologies to use, is the overall objective of this eBook. We are especially interested in providing information to IT organizations that manage a large population of desktops across an enterprise. These organizations are responsible for maintaining (or increasing) satisfaction and productivity of the user community, reducing costs, and hitting bottom-line budgets, all while performing what is probably the largest operating environment migration in any organization’s history.

These are tough questions to answer, especially for IT professionals responsible for hundreds or thousands of Windows desktops in an enterprise environment. Not only is Vista the most complex release of Windows in Microsoft’s history, but it will also have a huge impact on infrastructure of an enterprise. Vista requires a lot more computing power, memory, and graphics than its predecessors. On the upside, it contains features that increase security, improve end users’ productivity, and tools that simplify and accelerate deployment and maintenance.

Even before its release for mainstream consumer use, much of the hype behind the launch of Microsoft’s latest operating system—Windows Vista—has settled. Five years of development and millions in marketing have come to an end, now it’s time to get down to some serious evaluations and answer some serious questions: When should we deploy Windows Vista? What’s our return on investment? What kind of resources will it take to implement it?

Introduction

In this eBook we will cover some basics, such as “What exactly is Windows Vista?” and “How should we plan for deployment?” Looking deeper into the impact on an enterprise, we’ll cover significant areas of change, including security, management and operations, and networking differences. Finally, we’ll discuss specific deployment methodologies, tools that are available, and different ROI scenarios. So buckle up, grab some manuals, and let’s begin!

® 2007 ScritpLogic®

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

1

Chapter 1

Microsoft released various beta releases to developers throughout 2003-2005, with initial public release to volume licensed users on November 30, 2006. During the preview period, Microsoft was making decisions on what functionality would be included in the final release, and a fair number of features never made the final release (or were packaged differently, more on that later). A new underlying file system (WinFS), and a security framework based on the Next-Generation Secure Computing Base (NGSCB) were notable omissions from the final release. It is generally acknowledged that Microsoft scaled back the introduction of new technology in the interest of security and reliability of the initial release of Vista.

Vista development began in late 2001, and was based on the then-Windows XP code base. Microsoft had multiple goals in the next release of Windows, notably 64-bit capabilities, a new file system, improved reliability and security, and a revamped user interface. However, in mid-2004, Microsoft reset the code base, largely because of difficulties in keeping up with the rapid changes that were occurring in Windows XP (e.g., Service Pack 2). With the reset, Windows Server 2003 became the new base for Vista (codenamed “Longhorn1”). Vista ended up being based upon large portions of Windows XP with Service Pack 2, especially in the area of security, and Windows Server 20032.

Windows Vista is the latest release of Microsoft’s Windows operating environment. According to Microsoft, the name “Vista” was chosen because it delivers a “personal vista” for its users. Referencing the Merriam-Webster dictionary, a vista (noun) is “a distant view through or along an avenue or opening”—although the best definition we’ve seen is more along the lines of “a pleasing view, especially one seen through a long, narrow opening.” Regardless, the implication is that the experience will be pleasing, productive, and safe. Microsoft wants consumers to think of Vista as something that will bring clarity to their world, allowing the users to focus on what’s important (instead of the focusing on the tools that get them there).

Chapter 1 What is Microsoft® Windows® Vista™? Background

While there is a long list of new-and-improved features, Windows Vista is more than that. Microsoft has gone to great lengths to improve overall acceptance of a computer, and its operating system, as an integrated part of a user’s work and entertainment. Before we begin a feature-by-feature list, a short discussion about the overall “experience” of using Vista is in order. Microsoft uses the word “experience” often in their Vista marketing materials. There is obviously a concerted effort to more fully engage end users—to give them the feeling that the operating environment is their friend (not dissimilar to what Apple has done with the Macintosh over the years). From the box it
The Windows XP codename was “Whistler,” and the codename for Vista was originally “Blackcomb”—both ski areas in British Colombia. The current release of Vista was intended to be an interim release between the two; the codename “Longhorn” came from a bar that is between the two resorts. 2“Windows Vista Product Guide,” November 2006.
1

What’s new

The Vista “experience”

® 2007 ScritpLogic®

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

2

Chapter 1
comes in, to the startup screen, to the translucent, glass-like windows on the desktop, Vista has a much more “modern” look to it (although you can dumb it down to the good old Windows XP look if you’re inclined). There are new high-quality wallpapers, system icons, and new system sounds (composed by Robert Fripp, one of the founders of progressive rock group King Crimson3)—all of which are design to give users a feeling that Vista is designed for them, and will provide security, a pleasant experience, and, well, a great vista of their computing world (sorry). The experience isn’t limited to end user consumers. Vista sports a wide collection of new features, cleverly packaged and marketed, to assure businesses of increased security, reliability, and productivity. The “experience” is intentionally extended to include business owners and IT professionals.

A last important word about the Vista experience: it’s not free. All of this technology requires a great deal of computing power. The new user interface takes one or more graphics cards that just a few years ago would be considered high-end. And, of course, a basic premise of Vista is that the system is connected to the Internet with a high-speed connection (although it’s not necessary, things work a lot more smoothly with such a connection). However, Microsoft has cleverly made the need for new hardware less painful by providing different experience levels based on your system’s hardware configuration (processor speed, memory size and speed, etc.). In fact, there is a software tool that will measure your “Vista experience index” based upon an inventory of the hardware available on your system4. Marketing 101 dictates that consumers are presented with a choice of options for a particular product. First, it increases the likelihood of a sale when the consumer is asked to choose between option “A” or option “B,” second, multiple options offer the vendor multiple price points and an opportunity to increase profits. For example, many consumers were willing to pay incrementally more for Windows XP Professional Edition over Windows XP Home Edition.

Packaging and Editions

For the release of Vista, Microsoft stepped up the multiple-options concept a notch, and releases Vista in multiple option levels, or “editions.” Conceptually, the different editions address different needs of the diverse user base, allowing consumers to somewhat tailor the release to their specific needs. There are essentially six editions of Vista5, described briefly below. For an overview of the feature set in each, see Table 1. “Starter” is designed for beginning PC users and low-cost, lower-level functionality. It is not currently available in the United States or “other high income markets as defined by the World Bank.6” Windows Vista Starter

® 2007 ScritpLogic®

http://www.microsoft.com/whdc/resources/news/newsletters/MHN_012006.html http://windowshelp.microsoft.com/Windows/en-US/Help/f59082f4-6385-4a61-ba7e-2de9625a780a1033.mspx 5There are actually more, including some European editions that ship without Windows Media-related technologies. 6http://www.microsoft.com/windowsvista/getready/editions.
3 4

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

3

Chapter 1
Table 1. An overview of new features and Vista editions

Windows Vista Home Premium Home Premium contains nearly everything an average home user would need, including the Aero user interface, digital media features (including Windows Media Center), and scheduled backup utility. Home Premium is the “standard” home edition, and is roughly equivalent to Windows XP Media Center Edition.

Windows Vista Home Basic A stripped-down edition, “Basic” is for the cheapest of buyers. With a full price of $199 (only $40 less than Home Premium, below) and much of the useful functionality removed, Basic is for users that need simple Internet access (e.g., a browser) and email.

® 2007 ScritpLogic®

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

4

Chapter 1
Windows Vista Business Vista Business is equivalent to Windows XP Pro, and contains all of the manageability, security, and reliability features that business users expect from the Windows OS. Microsoft touts the Business edition as being designed to “meet the needs of business organizations of all sizes,” although large installations would probably deploy Enterprise.

Because our emphasis is on Windows deployment within an enterprise, the Vista Business and Vista Enterprise editions will be our focus for the remainder of this book.

Windows Vista Ultimate Vista Ultimate combines all of the features of Home Premium and Business. In an enterprise environment, Ultimate provides the security and manageability of Vista Business with the digital entertainment features required by only a small percent of business users.

Windows Vista Enterprise Vista Enterprise is similar to Business, with nearly the same feature list. However, Enterprise is oriented toward large, global organizations and is available only to volume license customers that have systems covered by Microsoft Software Assurance programs. Enterprise has one major feature that Business does not: Windows BitLocker Drive Encryption. BitLocker Drive Encryption encrypts and entire Windows volume, and includes integrity checking to detect tampering.

New User-Visible Features

Well begin our exploration of Vista Business and Enterprise editions with an overview of the new features. While this list is not exhaustive, we will present what are arguably some of the more important, consumer-oriented features. Because there are so many things “new and improved,” we’ve broken them into some rudimentary categories—most of which contain features that are directly (or nearly directly) observable by end users. In a later chapter, we will delve into the changes that are important to IT professionals and are more behind the scenes: security, networking, management and operations, and performance features.

User Interface

Underlying many of the appearance changes is the Windows Display Driver Model (WDDM). WDDM anticipates additional functionality from next-generation graphics devices, and allows for scalability of graphics functionality based on available hardware. For example, if a WDDM-capable graphics card is present, Vista will use the Windows Aero interface (see below); if not, Vista will run but without the Aero user interface. Desktop and Appearance There are many changes (over Windows XP) in the overall appearance of Vista. Most of the changes are to improve the “experience” and make interacting with Vista more appealing and personal. While concepts such as the Start Menu and Explorer Windows
® 2007 ScritpLogic®

The changes that are most noticeable in Vista (obviously) are the visual ones—changes in where items appear on screens, methods of navigation and/or colors and textures. Appearance and user interface (UI) improvements are generally to increase productivity, and in most cases, to influence the user’s experience (see The Vista “experience”, above).

Other new interface and productivity features are described in the following sections.

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

5

Chapter 1
remain the same, interaction with them has become more intuitive and consistent across the entire system. For example, the start menu is still in the lower left corner (sporting a new icon) and its basic functionality remains the same.

The main windows navigation tool—Explorer Windows—have been completely revamped to be more streamlined, easier to use, and incorporate instant search.

The new Start Menu does have some improvements however; it features an interface to Desktop Search (more on that, below), and access to applications has been streamlined away from the cascading “All Programs” menu in Windows XP.

Figure 1. New Explorer Windows features

Windows Aero Aero (Authentic, Energetic, Reflective and Open7) is large part of the Vista experience. On hardware that supports WDDM, users are presented with a variety of professional visual effects, including translucent windows (“glass”), dynamically minimizing windows, and live taskbar thumbnails. WDDM and Aero provide higher screen resolutions, and smoother movement of windows as they are resized or moved.

Windows Sidebar and Gadgets are a way of managing “lightweight” utility applications from the desktop. The translucent sidebar contains a user-selectable collection of mini-applications that provide information or execute simple tasks (in fact, gadgets can be scripts) without opening an application. For example, there are gadgets to provide current weather information, stock prices, and news headlines. All are accessible from the sidebar, which can be hidden, on the desktop and resting below windows, or always on top.

7

® 2007 ScritpLogic®

http://windowsvistablog.com/blogs/windowsvista/archive/2006/11/09/the-sounds-of-windows-vista.aspx

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

6

Chapter 1
Figure 2. Sample of the 3D Aero interface.

Every Explorer Window contains an Instant Search field where the user may enter a word, part of a word, or a phrase. Instant Search uses the index and performs a context-sensitive search based on the current navigation location and the current activity, returning the results immediately in the open window. The search can be cleared and a new one begun, or the user has the option of invoking an advanced search (Figure 3), which allows further refinement of the search.
® 2007 ScritpLogic®

Instant Search and Search Folders Instant Search, and its related feature Search Folders, is an integrated search facility based on a behindthe-scenes indexing capability. The indexing capability provides instant access to filenames, file properties, and text within files.

Windows Flip 3D, activated with the Start+Tab keys, dynamically displays all the open windows in a three-dimensional stacked view. Even live processes (such as a video that is playing) are shown in the thumbnails. The entire set of panes can be rotated and scrolled (in fact, you can even view the panes from “the back”—seeing the live thumbnails in reverse!). Navigation is by arrow keys, mouse, or the scroll wheel on the mouse.

Perhaps one of the more appealing Aero effects is Windows Flip and Windows Flip 3D. Windows Flip is an update to Alt+Tab feature in Windows XP, used to navigate open applications. Windows Flip shows live thumbnails of open windows instead of generic icons, making it easier to identify windows.

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

7

Chapter 1
Figure 3. Instant Search Feature

XML Paper Specification Windows Vista introduces The XML Paper Specification (XPS), which is used as a document format, a Windows spool file format, and a page description language (PDL) for printers. XPS is the basis for entirely rewritten document handling and printing subsystems in Vista. Microsoft Office 2007 is based on XPS, but XPS itself is platform independent, openly published, and available royalty-free. Changes in the UI are generally for productivity, however we also include a category of new features specifically designed to increase users’ productivity. In many cases, these features are have similar counterparts in Windows XP but with improvements and extensions.

Instant Search criterion can be saved by creating a Search Folder—a virtual folder where the results of the search are kept. Search Folders are updated in real-time, such that changes in files and folders are immediately reflected in the Search Folder itself. For example, we could create a Search Folder that contains documents that have been updated today; as document modification dates change (and obviously the system time changes), different documents will appear in the Search Folder.

Productivity

Network and Sharing Center As its name implies, the Network and Sharing Center brings all network and sharing configuration options into one central location. It allows users to verify that they are connected to a network and whether their system can successfully reach the Internet. The user’s view of the network can be graphically displayed via a Network Map (Figure 4), which visually describes the systems, switches, and routers on the network and how everything is interconnected.
® 2007 ScritpLogic®

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

8

Chapter 1
Network settings can also be saved to a portable USB flash drive to make adding additional desktops to the network a quick and easy process. Desktops can be configured to interrogate the configuration data on the flash drive, allowing the desktop to join the network.

Figure 4. Network and Sharing Center—Network Map

Windows Meeting Space takes advantage of the People Near Me feature, which allows a user to check who is available on the network and invite them to join their collaboration group. People Near Me (PNM) is a new capability of Vista that uses the Microsoft® Windows® Peer-to-Peer Networking platform. It allows applications to discover people connected to the local subnet and invite them into a collaborative activity.
® 2007 ScritpLogic®

Windows Meeting Space allows participants to start a meeting that enables multi-party file sharing. Users can add a file to the handouts area and everyone instantly receives a copy. If one member of the group makes a change to a file and saves it in the session, those changes are replicated to everyone else in the session. When users leave, they can save a “final” copy of the handout to their local hard drive.

Windows Meeting Space Windows Meeting Space is a new tool that facilitates collaboration amongst small groups of users. One user initiates a session in Windows Meeting Space; others can join the meeting (with proper authentication) and share files, desktop views, and exchange text messages.

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

9

Chapter 1
Corporate Roaming and Offline Files and Folders As with Windows XP, corporate IT administrators can store selected users (and users’ data) on a central server, and have these users access the data remotely. In Windows XP, this was accomplished with Roaming User Profiles and Folder Redirection. However, both of these are inefficient; RUP copied all of the remote data to the mobile device, limiting the amount of roaming data, and FR limits the number (and type) of files roamed.

An additional improvement to FR with client caching is support for the “ghosting” of unavailable content. As a user logs on to a PC that is not connected to the network and opens the Documents Explorer, instead of seeing only the files that have been downloaded from the server, the user sees both downloaded files and ghosted items. The ghosted items represent the files that have not been downloaded, preserving the context of the user’s files.

For organizations that use Group Policy, Windows Vista addresses these issues by allowing the deployment of RUP and FR with local caching enabled. Deploying all of these technologies concurrently achieves the goal of seamless data roaming without sacrificing usability. An administrator can choose to roam only certain user settings but not the bulk of a user’s data, such as documents or application data. The roamed user settings will contain the appropriate FR settings, so when a user logs on for the first time, his or her documents will start to synchronize with the PC’s local cache. All of that synched content works with the new search and organization features in Windows Vista.

FR with client caching in Windows Vista also supports a new feature—Delta Sync—that streamlines the overall sync experience. Delta Sync synchronizes only the changes to a document rather than the entire document when synchronizing from client to server. One of the driving forces behind Vista is to improve security over Windows XP. Many of the improvements include extending and improving upon security features from Windows XP SP2. However, as Microsoft states, major improvements require architectural changes that can only be introduced with a new operating system release.

Security

An additional feature of UAC is providing feedback whenever a user attempts to perform a task that requires administrator rights. In such a condition, the user is either notified that the task is prohibited, or that administrative credentials are required to proceed (depending on how UAC is configured). Either way, notification of the violation is unmistakable—the entire screen is dimmed and the verification dialog box appears in the center of the screen (Figure 5).

User Account Control (UAC) User Account Control increases security by allowing users to execute commonly used tasks without requiring administrator privileges. In Windows XP, many of these tasks (e.g., changing time zones, and accessing the system clock and calendar) required administrative privileges. IT managers were faced with giving users full rights to users to allow them to perform these functions, or restrict their rights and face complaints about being too restrictive. With Vista, users are able to accomplish these tasks without having administrator privileges.

® 2007 ScritpLogic®

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

10

Chapter 1
Figure 5. User Account Control dialog

Windows Firewall Windows Firewall is based on the Firewall found in XP SP2 with some important improvements. First, Windows Firewall has a new management console snap-in named Windows Firewall with Advanced Security (Figure 6), which provides access to many advanced options and enables remote administration via group policy. An important addition is the ability to filter outbound traffic (although it is disabled by default) to thwart “phone home” spyware and viruses.
® 2007 ScritpLogic®

Windows Defender Windows Defender (formerly known as Microsoft AntiSpyware) has been updated for Vista to include real-time protection against threats. Windows Defender uses nine security agents to monitor different parts of the system for application behavior that is characteristic of spyware. Generally, Windows Defender is more oriented to individual users whose systems are not centrally managed.

Windows Security Center The Windows Security Center (originally implemented in Windows XP SP2) has been updated to include display of antispyware software status, IE security settings, and status of the UAC. Third party security solutions may also be accessed through the security center, as can Windows Defender and Windows Firewall, explained below.

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

11

Chapter 1
Figure 6. Windows Firewall with Advanced Security snap-in dialog

Shadow Copy An innovation first introduced in Windows Server 2003 is that of Shadow Copy—incrementally saving files that are changed or deleted with an easy-to-use interface that allows the user to selectively and easily restore them. Shadow Copy creates copies of changed files on a scheduled basis, only saving incremental changes to save disk space.

Backup and Restore Center The Backup and Restore Center is a one-stop place to manage local backup and restore activities. For users that do not have a centrally managed backup/restore process, it makes system backups easy and automatic. The Backup and Restore Center allows users to specify a regular backup schedule, and to backup selected files and folders, or to backup the entire system. Backup can be to CD, DVD, another hard drive, or to another system over the network.

Windows Vista has multiple improvements to reliability utilities, as well as some new functionality.

Reliability

® 2007 ScritpLogic®

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

12

Chapter 1
Figure 7. Illustration of Shadow Copy on a file.

Shadow copy is accessed by right-clicking a file or folder and selecting Restore Previous Versions. It allows the user to go back in time and access files and folders as they were on previous dates. Users are provided with a read-only preview each file to determine which file to restore. When accessing a previous version of a folder, users can browse the folder hierarchy as it was in a previous point in time. Windows Vista supports multiple new features aimed at performance. Like much of the rest of Vista, these features scale with the available hardware, and in some cases, anticipate hardware that will be available in the future.

Performance

Startup, sleep, and shutdown performance Improvements have been made in startup and shutdown performance (over Windows XP). A new state— sleep—provides a mechanism for turning the computer off without requiring a reboot to restart. The system state is written to memory and disk, and will remain in memory as long as there is power to the system. To save power, the disks and processor(s) are powered off. The benefit of Sleep mode is an operational system within a few seconds after the user pushes the power button.
® 2007 ScritpLogic®

Vista incorporates a new control panel that provides a central point for maintenance of performance issues, including an analysis of the system to determine the Windows Vista Experience Index (described earlier).

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

13

Chapter 1
Windows SuperFetch A new technology with Vista, SuperFetch is an intelligent memory management mechanism that attempts to keep most-often used memory pages in memory. However, it goes beyond a simple last-used algorithm; SuperFetch understands which applications are most often used (and even when certain applications are accessed), and preloads these applications into memory to make their invocation faster.

Vista has introduced low-priority I/O, the ability for a process to voluntarily have lower-priority access to the I/O subsystem. Some of Vista’s internal processes, such as search indexing, disk defragmentation, and Windows Defender’s system scan are written to utilize low-priority I/O.

Low-priority I/O On most desktop systems, multiple applications all have equal priority to the I/O system (especially the disk drives). For example, if a virus scan program is running in the background, disk accesses made by that program have equal priority to other running user applications, and will typically slow down response time to those applications.

ReadyBoost still writes data to disk though, to prevent data loss if the memory device is removed. In addition, the data on the memory device is encrypted to ensure that unauthorized access to the device will not result in a security breach.

Windows ReadyBoost ReadyBoost is a quick way of making the system appear as if it has additional memory. ReadyBoost uses a removable flash memory device, such as a USB thumb drive, to keep data that would normally be placed out on a hard drive. System performance is improved because data on the memory device can be accessed faster than out on the disk.

® 2007 ScritpLogic®

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

14

Chapter 1

Feature Assessment

We will wrap up this overview of Vista’s new features with an admittedly subjective assessment of the impact each feature has on an enterprise. We are assuming a “typical” hypothetical end-user environment, specifically: • The majority of end users have a few specific applications that are the core of their workload. These applications are centrally managed with some sort of enterprise desktop management tool such as ScriptLogic’s Desktop Authority, or are browser-based. • Most of the remaining time is spent with Office applications, including word-processing, creating presentations, and working with email.

• A large part of the remaining workload is browser-based, searching the Internet and/or executing webbased applications for the enterprise. For each of the features described in the preceding sections, we make an assessment on the feature’s impact on the bottom line; a return on the investment in upgrading the desktop to Windows Vista.

Table 2. An assessment of Vista’s new features on end-user productivity.
Feature Impact on productivity/usefulness neutral + Comments
The new appearance features, while cool, have little effect on end-user productivity. In fact, users will undoubtedly spend time playing with the new features when Vista is first installed. Same as Appearance

User Interface

Desktop and Appearance

Windows Aero

Instant Search and Search Folders XML Paper Specification Productivity

Instant search will be useful for typical users that often need to find files.

XML will, at first, be a detriment to productivity as MS Office documents (and documents outside of MS Windows environment) are converted. For most enterprise users, the network and sharing center will be of little use.

Network and Sharing Center Windows Meeting Space Corporate Roaming/ Offline Files and Folders

Windows Meeting Space will be useful for those enterprise users that do not have their own collaboration tools. If it works as advertised, Roaming Profiles will be very useful for mobile users.

® 2007 ScritpLogic®

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

15

Chapter 1
Impact on productivity/usefulness neutral +

Feature
Security User Account Control (UAC)

-

Comments
User Account control will have little use for in an enterprise environment that is centrally managed. However, if left activated, it may have a slightly negative effect, since it requests verification for almost any control panel activity. Windows Security Center is very similar to the XP SP2 feature. However, increased security will undoubtedly help the enterprise in general, and should reduce incidents caused by malware on end users’ systems.the XP SP2 feature. However, increased security will undoubtedly help the enterprise in general, and should reduce incidents caused by malware on end users’ systems. Ditto Ditto Backup and Restore center may help some enterprise users, but in general, this function is centrally managed and will have little impact.

Windows Security Center

Windows Defender Windows Firewall Reliability

Backup and Restore Center Shadow Copy Performance

Shadow Copy could quite well positively impact end users that are prone to deleting files inadvertently and/or need to retrieve past editions of documents. Performance in startup, sleep, etc. will have a minor effect on productivity, more so for mobile users.

Startup, sleep, and shutdown performance Windows SuperFetch Windows ReadyBoost Low-priority I/O

It is doubtful that enterprise end users will use an external USB device to increase the performance of their system.

SuperFetch will have only a minor affect on end users’ performance.

Low-priority I/O will be most useful for background virus protection software, which can rob a system of performance. However, third-party software vendors will have to release new versions of their software to use this feature.

® 2007 ScritpLogic®

In subsequent chapters, we will examine new features that have more of an impact on the enterprise— security, networking, and management and operations.

In this first chapter, we’ve taken a high-level look at Windows Vista, and reviewed many of the features that will be most visible to enterprise users and consumers. Many of the features are designed to make the end user feel more “at one” with his/her PC, that is, to improve their “experience.” However, except for a few clever features (e.g., Instant Search) these features will probably have minimal impact on the typical enterprise user that is simply trying to improve the bottom line of a corporation.

Vista’s new features—summary.

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

16

Chapter 2

Chapter 2 Selected Vista Features Introduction
In the previous chapter, we reviewed and evaluated the features that are most visible to an end user. In this chapter, we will delve deeper into Vista, uncovering features that are less visible but no less important. These “deeper” features are generally more important to, and have more of an impact on, an IT professional that is responsible for the maintenance of desktops and mobile systems in an enterprise setting. This chapter will focus on new and improved security, new networking features, and management and operations features.

The new Aero user interface is quite entertaining, and the instant search feature is certainly helpful; however, ultimately one of the primary reasons to implement Vista is its design for security. While Windows XP Service Pack 2 made substantial progress in increased security, Vista’s security enhancements go beyond that, and are so fundamental to the architecture that they could only be implemented through extensive changes to core operating system functions. During the design and coding of Vista, Microsoft placed security as the number one priority8. In fact, development methodologies were significantly revamped to conform to new processes, collectively known as the Security Development Lifecycle (SDL).

Security

Security Development Lifecycle

Although not a feature per se, the SDL plays an important role in increasing Vista security. It mandates that security reviews be built into every step of the development cycle. For example, during Vista development a review team (the Secure Windows Initiative Attack Team—SWIAT) was chartered with conducting extensive design reviews and testing, with the goal of identifying parts of the product’s code or design that needed additional work. The in-house SWIAT analysts were supplemented by reviewers drawn from security research firms and penetration-testing companies. Their sole job was to ferret out potential security flaws, assess their impact, and pass the information back to the development teams.

8

® 2007 ScritpLogic®

“Microsoft® Windows® Vista™ Security Advancements,” June 2006

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

17

Chapter 2

SDL also enforces coding design rules and testing scenarios that reduce opportunities for attacks and streamline security management functions. The SDL employs software development tools that analyze code for logic and code constructs that would not be detectable by standard compilers. The tools search for certain kinds of code vulnerabilities, such as overruns caused by string copies and unexpected combinations of conditions that result in the execution of obscure code paths. Finally, since Vista was being developed concurrent with the deployment of Windows XP Service Pack 2, the SDL processes took vulnerabilities that were being exposed in Windows XP and tested them against Vista, with development implementing appropriate patches to both systems when appropriate.

Windows Services Hardening

The Windows operating systems utilize background processes called services. Services are managed through the Microsoft Management Console (MMC) to start, pause, and stop them.

In Windows XP, services run with the highest possible system privileges (LocalSystem), and are an easy target for malicious attack. Windows Vista has made substantial changes to Windows services to reduce the opportunity for attack—generally referred to as services hardening. The primary concept behind services hardening is that of restricting services to run under the least possible privilege level needed. To help accomplish this reduction in privilege level, services no longer run as a user session, and in fact they no longer have access to video drivers, nor can they request or receive input from any user interface.

In addition to changes how services run, Core Windows services each have profiles that define the necessary security privileges for that service. These profiles include rules for accessing system resources and inbound/outbound network ports that the service is allowed to use (monitored and enforced via Windows Firewall). During execution, service activities are checked against this profile, and any attempt to perform an unassigned activity is disallowed.

Services hardening can affect some existing applications that run as services or interface with services. Any service that assumes it is running in a user session (e.g., one that attempts to create a user interface, such as a dialog box) will not execute correctly, or will hang, because it is waiting for a user response that will not occur.

® 2007 ScritpLogic®

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

18

Chapter 2

UAC is based on reducing the “normal” privilege level for users and administrators. In past versions of Windows, to perform any administrative function required administrator privileges—even for routine tasks such as changing the system’s time zone or power management settings. As a result, administrators simply allowed all users administrative privileges. While this situation is more convenient, it also allows users to perform administrative functions like installing and configuring applications, modifying device drivers, and changing system configuration parameters. Not only could users damage their system configuration (which potentially could propagate and damage systems on the network), but also administrator-level user accounts can cause great damage when exploited by malware. Enter UAC, which separates standard user privileges and those that require administrator access. A subset of administrative activities, which are deemed to pose no security risk—such as changing time zones or adding a printer, are allowed to execute in user mode. Should a user attempt a task that truly requires administrative access, the user is prompted for an administrator password. The bottom line is that administrators can safely prevent users from executing tasks that require administrative privileges, while still providing them with the convenience of making routine configuration changes.

A significant advancement in security is the separation of administrator and user privileges through a new feature called User Account Control (UAC)—briefly covered in Chapter 1. Let’s examine this new feature in more detail—additional information is available at http://www.microsoft.com/technet/windowsvista/security/uacppr.mspx

User Account Control

A side effect of UAC is that older applications, which were often designed based on the assumption that users would always have administrator privileges, may not execute correctly because Vista does not allow them write access to critical system files (such as the registry). To maximize compatibility, Vista includes file system and registry “virtualization”—a process that redirects writes from protected areas to a virtual location within the user’s profile. Subsequent reads access the virtual location, allowing an application to function properly while eliminating access to resources that would otherwise require administrative access. To help determine whether an existing application will execute correctly when executed as a standard user, Microsoft provides the Application Compatibility Toolkit (ACT)9.

9

® 2007 ScritpLogic®

See http://www.microsoft.com/downloads

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

19

Chapter 2

A second feature of UAC is that all processes with administrator privileges will by default start with standard user access. When logging in, an administrative user is granted two levels of access (called Administrator Approval Mode): full administrator and standard user. However, the standard user level is the default, reducing the opportunity for malware to obtain administrator privileges. Should the administrator attempt a task that truly requires administrative privileges, he or she is prompted for the administrator password. UAC is highly configurable, and administrators are generally able to configure it to suite their unique circumstances. However, as with all things Vista, the default is to protect the user and the operating system, and provide the maximum practical protection against malware attacks.

First introduced in 2005 as “Microsoft Windows AntiSpyware,” Windows Defender provides an antispyware capability to Windows XP and Windows Vista. Windows Defender is based upon a product from Giant Company Software, which Microsoft acquired in 2004. According to Microsoft, “Windows Defender helps protect against and remove spyware, adware, rootkits, bots, keystroke loggers, control utilities, and some other forms of so-called ‘malware.’ (Windows Defender does not provide preventive protection against malware that is classified solely as a worm or virus.)10” Note that Microsoft specifically states that Windows Defender is targeted at individual users and does not include enterprise management tools; typically an enterprise has other means or uses other third-party desktop management tools to manage anti-spyware. Scheduled system scans are based upon spyware definitions kept up-to-date by the Automatic Updates capability of Vista. Scans can be scheduled or initiated manually. Enhancements in Vista (beyond the capabilities provided in Windows XP) provide additional performance and security enhancements, including the ability to scan only files that have changed, to run under a security-enhanced account, and to scan executables when invoked. Windows Defender also allows files to be scanned as they are downloaded by Internet Explorer 7. Windows Defender protects a Vista system through several methods, including scheduled system scans for spyware, a real-time monitoring function, and a “software explorer” user interface.

Windows Defender

10

® 2007 ScritpLogic®

See http://www.microsoft.com/athome/security/spyware/software/default.mspx

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

20

Chapter 2

Real-time monitoring employs a set of agents that continually check for unauthorized access to file system elements, changes to system configurations, and the like. There is a long list of agents available (Table 3); although configurable through the Windows Defender Options dialog, Microsoft recommends that all agents be enabled.

Auto Start

Real-time protection agent

Table 3. Realtime protection agents supported by Vista’s Windows Defender11
Monitors lists of programs that are allowed to automatically run when the computer is started. Spyware and other potentially unwanted software can be set to run automatically when Windows starts, running without the user’s knowledge.

Purpose

System Configuration (Settings) Internet Explorer Add-ons

Monitors security-related settings in Windows. Spyware and other potentially unwanted software can change hardware and software security settings, and then collect information that can be used to further undermine the computer's security. Monitors programs that automatically run when Internet Explorer is started. Monitors browser security settings, which are the first line of defense against malicious content on the Internet.

Internet Explorer Configurations (Settings) Internet Explorer Downloads Services and Drivers Application Execution

Monitors files and programs that are designed to work with Internet Explorer, such as ActiveX controls and software installation programs. These files can be downloaded, installed, or run by the browser itself. Spyware and other potentially unwanted software can be included with these files and installed without the user’s knowledge.

Monitors services and drivers as they interact with Windows and other programs. Because services and drivers perform essential computer functions they have access to important software in the operating system. Spyware and other potentially unwanted software can use services and drivers to gain access to a computer or to try to run undetected on a computer like normal operating system components.

Application Registration

Monitors when programs start and any operations they perform while running. Spyware and other potentially unwanted software can use vulnerabilities in programs to run malicious or unwanted software. For example, spyware can run itself in the background when a program is started. Windows Defender monitors programs and alerts the user if suspicious activity is detected. Monitors tools and files in the operating system where programs can register to run at any time, not just when programs are started. Spyware and other potentially unwanted software can register a program to start without notice and run, for example, at a scheduled time each day. This allows the program to collect information about the computer or gain access to important software in the operating system without your knowledge. Monitors add-on programs (also known as software utilities) for Windows. Add-ons are designed to enhance the user’s computing experience in areas such as security, browsing, productivity, and multimedia. However, add-ons can also install programs that will collect information that could expose sensitive, personal information, often to advertisers.

Windows Add-ons

Software explorer is a user interface that provides users with visibility in a system’s software and system state. Software Explorer provides detailed information about currently running software that can affect system security or user privacy. For example, the user can view which programs run automatically
11

® 2007 ScritpLogic®

Adapted from Windows Defender>Options Help

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

21

Chapter 2

Software Explorer helps the user monitor the following items:

when Windows is started, and information about how these programs interact with other Windows programs and services (Figure 8).

• Startup programs, which are programs that run automatically (with or without the user’s knowledge) when Vista starts. • Currently running programs, which are programs that are running onscreen or in the background. • Network-connected programs, which are programs or processes that can connect to the Internet or to the local area network.

• Winsock service providers, which are programs that perform low-level networking and communication services for Windows and programs that run on Windows.

Figure 8. The Software Explorer UI of Windows Defender

Windows Defender is designed to augment third-party anti-malware products. Network administrators in an enterprise environment can use Group Policy to enable or disable Windows Defender; computer manufacturers can choose to have it turned off by default on new systems.
® 2007 ScritpLogic®

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

22

Chapter 2

Network Access Protection (NAP) is a new platform that performs computer health policy validation, ensures compliance with health policies, and optionally restricts the access of computers that do not comply with system health requirements. NAP is a client-server architecture; the client-side agent is provided on Windows Vista. The server-side will be provided in the upcoming release of Windows Vista Server (in Microsoft’s inimitable fashion, also code-named “Longhorn”). NAP is an infrastructure and an application programming interface (API) that allows vendors and software developers to build their own network policy validation, ongoing network policy compliance, and network isolation components.

Network Access Protection

Figure 9. The NAP Client Configuration snap-in

Client-side NAP is configurable through the NAP Client Configuration snap-in to the MMC (Figure 9).

NAP prevents Vista-based clients from connecting to a private network if the system lacks current security updates or virus signatures, or otherwise fails to meet defined health requirements. The NAP agent also reports system health status, such as having current updates installed, back to the enforcement service in the server. The server then determines whether to grant the client access to the network.

® 2007 ScritpLogic®

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

23

Chapter 2

A major security issue relates to unauthorized access to data that could be obtained by physically acquiring a computer. Examples include lost, stolen, or decommissioned systems that contain critical data. Vista includes technologies that allow users to protect their data through encryption at the file, folder, or system level. The Encrypting File System (EFS) in Vista is redesigned (from Windows XP) to support storing private keys on smart cards, a new user interface (Figure 10), and tighter integration with Public Key Infrastructure12. The new EFS allows administrators to store their domain recovery keys on a smart card. To recover users files, the administrator need only log in (either locally or via Remote Desktop) and use the recovery card to access the files.

Data Protection and Encryption

Encrypting File System (EFS)

Figure 10. The new Certificates snap-in for the Microsoft Management Console (MMC)

The new Certificates snap-in for the Microsoft Management Console provides tools to backup keys and migrate existing EFS files to new keys. Administrators have the capability to set requirements such as minimum encryption strength and the use of smart cards.

12

® 2007 ScritpLogic®

See http://en.wikipedia.org/wiki/Public_key_infrastructure

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

24

Chapter 2

Several new Group Policy options have been added to help administrators define and implement organizational policies for EFS. These include the ability to require smart cards for EFS, enforce page file encryption, stipulate minimum key lengths for EFS, and enforce encryption of the user’s Documents folder. BitLocker Drive Encryption is a data protection feature that encrypts an entire Windows volume, preventing access to the data on the volume even if the disk drive is physically in the hands of an unauthorized user. Additionally, BitLocker enables integrity checking on early boot components, preventing the computer from booting if it detects tampering with system files or data. Note that BitLocker is only available on Vista Ultimate and Vista Enterprise editions.

BitLocker Drive Encryption

BitLocker uses the v1.2 TPM security hardware13—available on most new systems—to help secure the encryption keys and to prevent software-based attacks on system integrity or security of other data, applications, DLL files, and files stored on the operating system volume. Protection is achieved by encrypting the entire Windows system volume, including all user files, system files, swap, and hibernation files.

BitLocker may optionally be configured to lock the normal boot process until the user supplies a PIN or inserts a USB flash drive that contains keys to unlock the system.

To provide system integrity protection, BitLocker uses the TPM to collect and store measurements from multiple sources within the boot process to create a system “fingerprint.” This fingerprint remains the same unless the boot system is tampered with. Once the integrity of the boot process is proven, BitLocker uses the TPM to unlock the rest of the data. The system then continues startup and system protection is handed over to the running operating system.

Once BitLocker authenticates access to the protected operating system volume, a driver in the Vista file system encrypts and decrypts disk sectors transparently as data is written to and read from the protected volume. When the computer hibernates, the hibernation file is also saved encrypted to the protected volume. According to Microsoft, the performance penalty for encryption and decryption is minimal.

Other Security Enhancements
To make it more difficult to attack operating system functions, Vista has a defense capability called Address Space Layout Randomization (ASLR). ASLR randomly assigns operating system executable pages to different physical memory locations at system boot time. Randomly assigning these locations reduces the likelihood that malicious code can exploit a specific system function based on location alone.
See http://www.trustedcomputinggroup.org/

Address Space Layout Randomizer

13

® 2007 ScritpLogic®

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

25

Chapter 2

Vista’s Internet Explorer 7, when running on Vista, supports a new feature called Protected mode. In Protected Mode, Internet Explorer 7 runs with reduced rights to help prevent user or system files or settings from being changed without the user’s explicit permission. Even if a malicious site attacks a vulnerability in Internet Explorer, the site's code will not have enough privileges to install software, copy files to the user's Startup folder, or hijack browser settings. A new version of the Internet Explorer Administration Kit (IEAK) simplifies the creation of customized deployment packages. With Internet Explorer 7, administrators have centralized control over settings through Group Policy in the Active Directory® directory service.

Internet Explorer Enhancements

Integrated Rights Management Services Client

Microsoft’s Rights Management Services (RMS) helps protect the security and integrity of sensitive information in an enterprise. Vista includes an integrated RMS client that reduces the number of additional components that must be installed on the desktop, reducing IT intervention for deployment.

The Vista implementation of RMS also includes smart card integration and longer encryption key lengths. When combined with the Windows Server Longhorn release RMS will be integrated with Active Directory Federation Services, allowing companies to share sensitive information in the same manner as they would protected internal information. RMS also comprehends the new XML Paper Specification, and has deeper integration with Microsoft SharePoint®—Microsoft’s suite of content management software.

® 2007 ScritpLogic®

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

26

Chapter 2

Microsoft Windows Vista includes significantly improved networking technology, including a new TCP/IP stack, improved wireless networking management, and multiple security enhancements. According to Microsoft, Vista’s improvements represent the largest set of networking innovations since Windows 9514, and benefit users as well as administrators.

Networking

The TCP/IP protocol stack has been completely rewritten for Vista, and includes redesigns of both Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6) stacks. According to Microsoft, the redesigns address connectivity, ease of use, management, reliability, and security15.

New TCP/IP Stack

IPv6 Support

Vista supports both IPv4 and IPv6 through a dual IP layer architecture. IPv6 is enabled by default without any additional steps necessary by the administrator. The dual IP layer support enables a gradual migration using IPv6 transition technologies that tunnel IPv6 traffic across private IPv4 networks or the IPv4 Internet. Applications and services that support both IPv4 and IPv6 will by default prefer the use of IPv6 to IPv4 (although this behavior can be configured by the administrator). The Vista networking stack has multiple performance improvements. In a high-loss environment such as sending/receiving audio and video files, throughput is improved by a new algorithm that allows a sender to send more data while simultaneously retrying a partial acknowledgement.

Higher performance

Another significant change is the automatic resizing of the TCP receive window. Vista networking performs auto tuning by continually monitoring the bandwidth and latency of a TCP connection, and optimizing the receive window size for each connection. For example, in a high-bandwidth, high-latency situation the window size will be increased to allow more data to be transferred in each block, increasing overall throughput16.

To improve overall performance, Vista is capable of distributing TCP traffic processing across multiple system processors, and supports certain network cards that have hardware-accelerated TCP/IP processing on the card.

® 2007 ScritpLogic®

See http://technet.microsoft.com/en-us/windowsvista/aa905086.aspx See http://www.microsoft.com/technet/network/evaluate/new_network.mspx 16 See http://www.microsoft.com/technet/community/columns/cableguy/cg1105.mspx
14 15

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

27

Chapter 2

Lastly, Windows Vista supports Microsoft’s NetDMA architecture (Direct Memory Access), which reduces the number of data copies in the system by allowing data transfers directly to/from a network card to users’ buffers. It requires specific hardware DMA architectures, such as Intel I/O Acceleration to be enabled.

Simpler connectivity

Vista contains a new Network Center (discussed in Chapter 1). The Network and Sharing Center provides a clear view of the current connection status, available wireless networks, a network map to show surrounding network resources, and easy methods to create or join ad-hoc wireless networks. Diagnostic tools built into Network Center simplify troubleshooting connectivity problems and users can browse network resources.

The proliferation of mobile computer systems requires much more flexibility in acquiring network connectivity “on the fly,” while maintaining a seamless workplace environment and its related security.

Higher security

Wireless security has been enhanced, with support for more protocols and standards, and tight integration with other related security features. For example, the capabilities of the wireless network adapter are examined by Vista, and the most secure protocol is chosen by default when connecting to or creating wireless networks.

Vista networking uses the updated Windows Firewall (discussed in Chapter 1) to create network filtering rules or require authentication. Network data can be encrypted, and through Network Access Protection (see “Security” section in Chapter 2) clients that are deemed unhealthy can be banned from the network.

Improved Manageability

Vista’s wireless features can be managed via Group Policy or command-line scripting to deploy configuration settings and security requirements across an entire organization.

Vista includes a native wireless networking architecture (Native Wi-Fi) as part of its core networking support17. Native Wi-Fi provides many benefits, including deployment across many hardware brands and models and more reliable third-party wireless adapter drivers.

Networking manageability has been improved in Vista, largely for management of wireless devices and the inclusion of additional group policy settings.

17

® 2007 ScritpLogic®

See http://www.microsoft.com/technet/technetmag/issues/2006/11/VistaNetworking

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

28

Chapter 2

Management and Control

New management and control tools in Windows Vista are aimed at lowering cost of ownership by increasing efficiency of administration, reducing the number of administrative support incidents, and streamlining deployment. The Microsoft Management Console (MMC) is the main administrator interface for managing Windowsbased environments. The new MMC provides a simpler and more consistent user interface across a wider range of tasks. The new interface provides an Action pane—a list of all actions that are available to the user based on the currently selected items in the tree or results pane. This allows administrators to more easily discover the capabilities of any management tool that uses the MMC framework. The new MMC interface also provides “an add or remove snap-ins” dialog to make it easier to organize snap-ins.

Microsoft Management Console (MMC)

Figure 11. The “add or remove snap-ins” dialog for the MMC.

® 2007 ScritpLogic®

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

29

Chapter 2

Event tracing now provides asynchronous publishing of events, greatly reducing the performance impact to instrumented processes. Some events, especially analytic and debugging events that are generally high volume, are immediately saved to a file with minimal processing to avoid affecting system performance. Administration and Operational events, which are less frequent, are tagged with information about the current user context and the publishing process, then delivered to their respective subscribers. New grouping of events for faster access. To improve reporting and analysis, Microsoft analyzed common event types and applied five different event types to each event (Table 4). Every event is assigned a designated type to quickly narrow down report queries. The new Event Viewer is a snap-in for the revised Microsoft Management Console (MMC), described above. New features include:

The event log service and event viewer have been completely rewritten in Vista to improve event management in an enterprise setting. The eventing architecture18 features increased security, increased performance, and increased scalability.

Windows Eventing Architecture

18

® 2007 ScritpLogic®

See http://www.microsoft.com/technet/technetmag/issues/2006/11/EventManagement

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

30

Chapter 2

Table 4. New Windows Eventing Architecture event types and typical users
Admin

Event Type

Operational

The Admin type will suffice for the majority of system administrators. These events are very high level and they often provide enough information to identify a problem and determine its solution. At the very least, Admin events should identify when an issue occurs or indicate when an application, a component, or the system as a whole is in or has recovered from an unhealthy state. Most Admin events are errors or warnings, and they are usually actionable.. Like Admin events, Operational events enable problem diagnosis. Operational events consist of more than just errors and warnings. They also inform users about normal operation of an application or OS component. The volume of these events is kept quite low so Operational events can be enabled without affecting system performance. The Operational events—along with the Admin events—are used by support personnel, monitoring utilities, and administrators..

Description

Administrators, support personnel, and Monitoring and analysis programs

Used By

Advanced administrators, support personnel, and monitoring and analysis programs

Audit

Analytic

Audit events provide a historical record of any resource access or actions taken by the users. These events do not in themselves represent failure or success of the program, but indicate a failure or success of the action. Audit events can be completely disabled or selectively enabled with varying levels of granularity. Security auditing at the OS level is supported (the events can be found in the Security log of the Event Log). Analytic events, which are not very different from Operational events, are logged during normal operation of applications and components. But the volume and detail of Analytic events is much greater than Operational events and therefore there is a potential of them having a negative effect on system performance. Thus, Analytic events are normally disabled. To make use of Analytic events, enable them before a diagnostic session and then disable them before examining the trace.

Advanced administrators, security auditors, and Forensics specialists

Support personnel Monitoring and analysis programs

Debug

Debug events are also high-volume events that are normally disabled. They are used mainly by developers and are seldom viewed by IT professionals.

Developers

New appearance. The event viewer has been improved to provide additional information (Figure 12) while retaining the structure of the Windows XP GUI, allowing administrators familiar with Windows XP to easily begin using it. The viewer provides a new preview pane that will display event information in a “friendly view” or the raw XML.

® 2007 ScritpLogic®

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

31

Chapter 2

Figure 12. The redesigned event viewer snap-in for the MMC.

A new event structure based on XML. The standards-based event structure and publishing the schema simplifies reporting and manipulation of events. The new structure also facilitates automation and integration with the Windows Task Scheduler. New event query capability based on the XPath language and a user interface for creating queries. An important query improvement is the ability to securely forward events, generally to a system that is dedicated to collecting them.

Additional event attributes for queries and reporting. Events now contain additional information, including the time at which the event occurred, the process ID, the thread ID, the computer name, and the Security Identifier (SID) of the user. The XML provides additional details, including the EventID, Level, Task, an Opcode, and Keywords properties.

The task scheduler is used to automate management and configuration tasks. Vista features a completely redesigned task scheduler interface and a snap-in for the MMC, which combines multiple UIs into a single and consistent interface (Figure 13).
® 2007 ScritpLogic®

Increased Automation

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

32

Chapter 2

Figure 13. The redesigned task scheduler snap-in for the MMC.

The Task Scheduler supports new security features, including employing the new Credentials Manager for storing passwords, and running tasks at a reduced privilege level (by running the task as its own session instead of in the same session as the administrator).

Scheduling tasks is much more flexible and comprehensive than in Windows XP. Tasks can be scheduled to run at predefined times, or configured to run when specific events occur. In addition, multiple triggers may be configured to initiate one or more tasks, which may run simultaneously or in a predetermined sequence. Tasks can also be configured to run based on a system status, such as being idle for a preconfigured amount of time, startup, logoff, or other triggers.

® 2007 ScritpLogic®

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

33

Chapter 2

Group policies can be set and edited via the Group Policy Management Console (GPMC) MMC snap-in, or by using the Group Policy editor object.

Group Policy template files, previously known as ADM files, have a new format based on XML. The new template files have the ADMX suffix. For domain based group policy objects (GPOs), the ADMX files can be centrally stored, and all computers on the domain use the File Replication Service to retrieve and configure themselves.

Vista expands the number of features and components that can be managed with Group Policies, from approximately 1,800 in Windows Server 2003 Service Pack 1 to approximately 2,500 in Vista and the forthcoming Windows Server “Longhorn.” New policies, which are primarily security-related, are group by categories as summarized in Table 518-2.

New Group Policy Management

Table 5. New or Expanded Group Policy Settings
Antivirus

Group Policy Category

Background Intelligent Transfer Service (BITS) Client Help Deployed Printer Connections Device Installation Disk Failure Diagnostic DVD Video Burning Hybrid Hard Disk Enterprise Quality of Service (QoS) Internet Explorer 7 Networking: Quarantine Networking: Wired Wireless Power Management Removable Storage Security Protection
18-2

Configures the new BITS Neighbor Casting feature to facilitate peer-to-peer file transfer within a domain. This feature is supported in Windows Vista and Windows Server "Longhorn." Determines where users access Help systems that may include untrusted content. Allows or denies a device installation, based upon the device class or ID.

Manages behavior for evaluating high-risk attachments.

Description

Debug events are also high-volume events that are normally disabled. They are used mainly by developers and are seldom viewed by IT professionals. Controls the level of information displayed by the disk failure diagnostics. Customizes video disc authoring.

Alleviates network congestion issues by enabling central management of Windows Vista network traffic. Configures the hybrid hard disk (with non-volatile cache) properties. Replaces and expands the current settings in the Internet Explorer Maintenance extension to allow administrators the ability to read the current settings without affecting values. Manages three components: Health Registration Authority (HRA), Internet Authentication Service (IAS), and Network Access Protection (NAP). Applies a generic architecture for centrally managing existing and future media types. Configures any current power management options in the Control Panel.

Allows administrators to protect corporate data by limiting the data that can be read from and written to removable storage devices.

Combines the management of both the Windows Firewall and IPsec technologies to reduce the possibility of creating conflicting rules.

® 2007 ScritpLogic®

See http://technet2.microsoft.com/WindowsVista/en/library/a8366c42-6373-48cd-9d11-2510580e48171033.mspx

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

34

Chapter 2

Table 5. New or Expanded Group Policy Settings. Continued.
Shell Application Management

Group Policy Category

Shell First Experience, Logon, and Privileges Shell Sharing, Sync, and Roaming Shell Visuals Tablet PC

Manages access to the toolbar, taskbar, Start menu, and icon displays.. Customizes selected schedules and behaviors. Configures desktop display attributes. Configures Tablet PC.

Description

Configures the logon experience to include expanded Group Policy settings.

Terminal Services Troubleshooting and Diagnostics User Account Protection Windows Error Reporting

Controls the diagnostic level from automatically detecting and fixing problems to indicating to the user that assisted resolution is available. Disables Windows Feedback only for Windows or for all components. By default, Windows Feedback is turned on for all Windows components. Configures selected properties of user accounts.

Configures features to enhance security, ease-of-use, and manageability of Terminal Services remote connections.

Reliability and Performance Monitoring

The new Resource View screen provides a real-time overview of CPU, disk, network, and memory usage (Figure 14). Each of these metrics can be expanded upon, providing per-process information that can be sorted on multiple keys. The detailed report provides at-a-glance usage by process.

Data Collector Sets group data collectors into reusable elements, allowing scheduled collection of a Data Collector Set to create logs, loading it in Performance Monitor to see the data in real time, or save it as a template to use on other computers.

The reliability and performance monitoring utilities have been substantially rewritten for Vista to make analysis more comprehensive, and to make it easier to pinpoint bottlenecks or misbehaving processes. New features have been added, and the performance and monitoring tools have been consolidated into the MMC19. Some of the major new reliability and performance features include those described below.

19

® 2007 ScritpLogic®

See http://technet2.microsoft.com/WindowsVista/en/library/ab3b2cfc-b177-43ec-8a4d-0bfac62d88961033.mspx

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

35

Chapter 2

Figure 14. The new at-a-glance resource view screen.

A new Reliability Monitor calculates a System Stability Index that reflects whether unexpected problems reduced the reliability of the system. See details in the Reliability section below.

Unified property configuration for data collection and scheduling consolidates the interface for creation and modification of data collector sets. Sets that are useful can be saved or propagated to other systems for analyzing performance and reliability of user populations.

A new reporting interface, largely based on the Server Performance Advisor in Windows Server 2003. The new user interface is more flexible and thorough, allowing reports to be quickly generated from any Data Collector Set. Of course, Vista includes preconfigured performance and diagnosis reports for quick analysis and troubleshooting.

The performance monitor is a component of the Windows Performance Diagnostic Console, a snap-in for MMC (Figure 15). The console displays real-time information, allows for alerts and automatic actions, and report generation. It can also be used to recall historical data.
® 2007 ScritpLogic®

The performance monitoring tools for Vista combines multiple Windows XP utilities (Performance Logs and Alerts, Server Performance Advisor, Performance Monitor, and System Monitor) and wraps them in the new standard MMC GUI. Using the performance monitor, administrators can monitor nearly every aspect of system performance, presenting the information graphically or in report format.

Performance Monitor

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

36

Chapter 2

Figure 15. A sample of the Vista Performance monitor.

Configuring the performance monitor to sample selected metrics is a drag-and-drop interface. Multiple metrics can be combined and saved as custom data collector sets, which can be recalled at any time. The reliability monitor offers a graph of the system’s stability over time, and generates a “stability index” that quickly quantifies the overall reliability of the system, it’s software, and applications (Figure 16). The user can quickly zoom in on each day and/or event and generate a snapshot stability report, which provides details on the incident.

Reliability Monitor

For example, a user can view a graphical log of changes to the system (installation or removal of applications or updates to the operating system) side by side with a similar log of failures (application, operating system, or hardware failures). The comparison helps quickly pinpoint events that lead to reliability issues.

® 2007 ScritpLogic®

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

37

Chapter 2

Figure 16. A view of the reliability monitor snap-in to the MMC.

We will wrap up this chapter with an admittedly subjective assessment of the impact the features discussed in this chapter might have on a typical enterprise. For this assessment, we will assume a hypothetical enterprise environment, specifically: • Desktops are centrally managed, either with Microsoft’s Group Policy infrastructure, some sort of enterprise desktop management tool such as ScriptLogic’s Desktop Authority, or a combination of both. • Most desktop users have a fairly static environment—a collection of corporate and third-party applications, and are continuously connected to the corporate network.

Feature Assessment

• The enterprise has a moderate number of mobile users that move about within the enterprise, with a subset that travels worldwide. For each of the features described in the preceding sections, we make an assessment on the feature’s impact on the bottom line; a return on the investment in upgrading the desktop to Windows Vista.
® 2007 ScritpLogic®

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

38

Chapter 2

Table 6. An assessment of Vista’s new features on enterprise productivity.
Feature
Security Security Development Lifecycle Windows Services Hardening User Account Control

-

Impact on productivity/usefulness neutral +

Comments
The improved development methodologies won’t have a direct impact on productivity, however in the long run SDL should produce higherquality code Hardening should go a long way in reducing malware-induced incidents; we expect a substantial impact. This could be offset by its affects on certain applications.

Windows Defender Network Access Protection Data Protection and Encryption Other Security Enhancements Networking

The reduced privilege level of users should reduce malware-induced incidents, however this could be offset by the sheer annoyance of UAC, and by its affects on applications that assumed administrator priveleges. Defender will probably not have a substantial impact on an enterprise since most environments already employ a third-party anti-spyware product.

Properly implemented, NAP will improve overall security. However, we will have to wait for Vista Server “Longhorn” for implementation. Data protection features, especially on mobile systems, should dramatically improve data security and reduce lawsuits.

The miscellaneous security enhancements described in this chapter should benefit overall security. The new TCP/IP stack won’t be outwardly noticeable, but should help migration to IPv6, improve performance, and improve mobility and security for mobile users. For most administrators, simpler connectivity shouldn’t have much of an impact.

New TCP/IP Stack Simpler connectivity Higher security Improved Manageability

Higher security networking will be beneficial for mobile users. Manageability options, especially new Group Policy settings, will provide administrators with additional control options.

® 2007 ScritpLogic®

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

39

Chapter 2

Table 6. An assessment of Vista’s new features on enterprise productivity. Continued.
Feature Impact on productivity/usefulness neutral + Comments
The new MMC provides a consistent interface, however most administrators are familiar with the old ones. The new Eventing Architecture will provide administrators with additional information when diagnosing performance or application problems.

Management and Control

Microsoft Management Console (MMC) Windows Eventing Architecture Increased Automation New Group Policy Management Reliability and Performance Monitoring

For administrators that use GP, the new settings will provide additional ways of managing desktops, however sorting through the 800odd new settings will require research.

Much-needed improvements to task scheduling will open up new ways of automating today’s manual chores.

The new reliability and performance monitoring tools will provide administrators with additional information when diagnosing performance or application problems

That said, the deployment of Vista, and related activities, are not for the faint of heart, as we shall see in the next chapter, “Preparing for Vista Deployment.”

Features of particular note are Network Access Protection (once “Longhorn” is available and an enterprise is able to implement it), increased automation, and improved networking for mobile users. Group Policy improvements also enhance an administrator’s control over a large population of desktops, improving security and ostensibly reducing user incidents.

In contrast to the user-visible features reviewed in Chapter 1, it is our opinion that the core improvements covered in this chapter have more of an impact on an enterprise. As might be expected, improvements in security, networking, and management tools should substantially improve an IT manager’s life.

Summary

® 2007 ScritpLogic®

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

40

Chapter 3

Chapter 3 Preparing and Planning for Deployment Introduction
In previous chapters we’ve reviewed the new features in Microsoft® Windows® Vista™, and provided a cursory analysis of the benefits of each feature. In this chapter, we will make a “plan for a plan,” that is, discuss what it will take to migrate to Vista and what the process might look like.

Much of the migration to Vista involves analyzing and inventorying the installed base (both hardware and software components), and determining impacts on the enterprise infrastructure. An additional, and non-trivial, aspect is taking inventory of applications and determining their readiness for the new operating environment. Lastly, we must not forget preparing end users for the change—educating them, garnering buy-in, and generating enthusiasm for the change. Tell me again: why are we doing this?

While the benefits of implementing Vista might be obvious to an IT manager, it is probably not obvious to the end user or mid-level manager. In fact, just the opposite—any change is regarded as disruptive and looked upon with suspicion and trepidation. For that reason it is imperative to create and manage a detailed plan, train and inform clients, and maintain constant communication to the affected population.

Let’s begin our plan with the obvious: the business case for doing a lot of work, spending a lot of money, and potentially disturbing the user base. Every situation will be different, but Vista provides improvements in many areas, including benefits as outlined below (straight from Microsoft20). IT Department Benefits • PC Recycling • Reduced Security Mgmt

• Reduced Information Theft

• Automated Desktop Management • Reduced Image Management • Reduced Help Desk Support • Third-Party Application Savings

20

® 2007 ScritpLogic®

http://www.microsoft.com/technet/desktopdeployment/bdd/2007/WdBusCase_9.mspx

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

41

Chapter 3

• Performance and Reliability • Power Management • Computer Failures • Application Responsiveness • Information Management Of course, all of these benefits are offset by the time, cost, and effort required to deploy a new operating system. Thus, the first step in our plan is to develop a business case. The business case will help garner the crucial buy-in from management, as well as provide insight into the scope of the project.

Business Benefits

At a minimum, the business case should develop a clear-cut and easily expressed reason for the new deployment. For example, “Substantially improve productivity, security, and maintainability of enterprise desktops by standardizing on the Windows Vista operating environment.” The business case will quantify what is meant by “substantially improve,” as well as outline project scope and objectives, costs, risks, and schedule. Microsoft provides an in-depth example case study with the Solution Accelerator for Business Desktop Deployment (BDD) 2007 toolkit. For our purposes, a successful plan is one where the right things (and no more) were at the right place at the right time.

® 2007 ScritpLogic®

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

42

Chapter 3

Microsoft recommends using BDD 2007 for planning, building, testing, and deployment of Vista (See Figure 17). BDD 2007 is a downloadable collection of sample templates, technology files (such as scripts and configuration files), and a case study. It also documents software that must be downloaded from Microsoft to assist in Vista deployment. BDD assumes a Microsoft Windows Server® 2003 or Windows Server (“Longhorn”) server domain.

Planning Methodology

Figure 17. Microsoft’s Business Desktop Deployment (BDD) model21

Microsoft breaks the project tasks into cross-organizational teams that are responsible for individual parts of the overall project; however, each team is responsible for all phases of the project, including planning, development, stabilization, and deployment.

Generally, other tools will be used to complement BDD, including Microsoft’s Systems Management Server (SMS), the Windows User State Migration Tool (USMT), and/or third-party products. While it is obviously not necessary to employ BDD, we will use the model as the basis for developing our Vista deployment plan22.

21

® 2007 ScritpLogic®

22

http://www.microsoft.com/technet/desktopdeployment/bdd/2007/default.mspx We use BDD as model only loosely; for brevity some of Microsoft’s recommended tasks are omitted in this document.

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

43

Chapter 3

The cross-organizational teams recommended by Microsoft, and used here as a template for planning, are: • Application Compatibility • Deployment Planning • Operations Readiness • Testing • User State Migration • Application Management/Deployment • Define Computer Imaging System • Infrastructure Remediation (Preparation) • Security Assessment

Application compatibility is one the most important challenges faced by organizations when deploying new operating systems. An organization is typically supported by hundreds or thousands of in-house and third-party applications, many of which are critical to the conduct of the business. These applications can be categorized as:

Application Compatibility

Since these planning activities are somewhat independent, they are presented (and can generally be executed) in no particular order. Staffing requirements and availability will dictate the scheduling of each activity.

• Desktop applications such as office productivity suites and other third-party suites like Adobe Photoshop and the like. • Administrative tools, such as antivirus, file management, and backup/restore utilities. • Custom tools such as logon scripts.

• Core line-of-business applications, such as Enterprise Resource Planning, accounting, and customer relationship management applications. Further, these applications are generally supported by some kind of database management system(s).

Some of the interactions between applications and the operating system have changed with Windows Vista; these changes can result in behaviors from not executing at all to running but producing incorrect results. To help plan and manage the migration to Vista, Microsoft provides the Application Compatibility Toolkit (ACT).

® 2007 ScritpLogic®

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

44

Chapter 3

Figure 18. The Microsoft Application Compatibility Toolkit (ACT) process

ACT is a comprehensive tool that allows administrators to deploy “compatibility evaluator” agents to the client desktops to collect information on applications’ compatibility, analyze the information, and manage test results (Figure 18). Administrators can select different agents, depending upon the type of information desired: • Inventory Collector: Examines client computers to identify the installed applications and system information. • User Account Control Compatibility Evaluator (UACCE): Enables identification of potential compatibility issues that are due to permission restrictions enforced by the User Account Control (UAC). UACCE provides information about both potential application permission issues and suggests ways to fix the problems.

• Windows Vista Compatibility Evaluator: Enables identification of issues that relate to the Graphical Identification and Authentication (GINA) DLLs, to services running in Session 0 in a production environment, and to any application components made obsolete by changes in the Windows Vista operating system (Figure 19).
® 2007 ScritpLogic®

• Internet Explorer Compatibility Evaluator (IECE): Enables identification of potential Web application and Web site issues that occur due to the release of a new operating system. IECE works by enabling compatibility logging in Internet Explorer, parsing logged issues, and creating a log file for uploading to the ACT Log Processing Service.

• Update Compatibility Evaluator (UCE): Provides insight and guidance about the potential effects of a Windows operating system security update on installed applications. The compatibility evaluator collects information about the modules loaded, the files opened, and the registry entries accessed by the applications currently running on the computers and writes that information to log files that are uploaded to the ACT database.

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

45

Chapter 3

Figure 19. Sample ACT client analysis for Windows Vista Compatibility

ACT allows administrators to maintain an application inventory, test and assess applications, and log results in a sharable database.

Application Management/Deployment

Prioritize applications. After applications have been identified, prioritize them and create packages based on the established priority.
23

Inventory applications. Identify all applications that must be packaged for deployment before starting to create packages.

Understand packaging techniques. Understand the different ways an application can be packaged for deployment and whether the package can be incorporated in the base operating system image.

Identify core and supplemental applications. An enterprise environment typically requires multiple applications to be deployed to different computers. Some applications, such as office productivity applications, may be required on the majority of the computers. Others may be required on a small set of computers. Applications should be categorized as core or supplemental. Core applications, such as Microsoft Office programs, are built into the client computer images that organizations deploy so that all users in the organization have the application. Supplemental applications, such as line-of-business applications, are installed on a user-by-user basis as necessary.

Once applications have been inventoried, the next step is to determine priorities and deployment mechanisms. Microsoft recommends23:

® 2007 ScritpLogic®

From the BDD 2007 documentation.

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

46

Chapter 3

Identify application subject matter experts (SMEs). The deployment team may not be aware of all the intricacies of the various applications that will be deployed in the enterprise architecture. SMEs for the different applications can help the team understand installation and migration needs for the applications. Additionally, SMEs can help develop end-user training materials to help users adapt to any changes that influence them. Identify files and settings. Different applications may contain settings that must be implemented or migrated. SMEs can help with the identification of such settings and files that may be necessary for deploying the applications. Choose distribution techniques. Determine and document how to distribute enterprise applications.

A specific solution is recommended for imaging the operating systems and the core applications that are part of a standard desktop. The solution should be modular to allow team members to separately manage each system component. The advantage of the modular approach is that when changes occur, team members do not have to re-engineer the entire process. The solution should also provide the tools and scripts to install, configure, and customize the Windows platforms and incorporate device drivers and updates. Most organizations strive for a standard desktop configuration based on a common image for each operating system version. Of course, a single image is rarely attainable; however it is a worthy goal to minimize the number of images. The tradeoffs between many, more specialized, images against fewer, more general images involve development, testing, storage, and networking costs. Microsoft suggests categorizing images by size and complexity of deployment24:

Define Computer Imaging System

Choosing an Image Strategy

The primary disadvantages of thin images are that they can be more complex to develop initially, and core applications and language packs are not available on first start.

Thin Image. Thin images contain few core applications and/or language packs; these will be installed separately from the OS disk image. There are several advantages to thin images, including less cost to build, maintain, and test, and lower bandwidth requirements during deployment.

The disadvantages of thick images are increased costs. For example, updating a thick image with a new version of an application or language packs requires rebuilding, retesting, and redistributing the entire image.

Thick Image. Thick images are monolithic images that contain core applications, language packs, and other files. Part of the image development process is installing core applications and language packs prior to capturing the disk image. Thick images are simpler to create, because the image contains all core applications and language packs and can be deployed in a single (albeit large) step.

24

® 2007 ScritpLogic®

From BDD 2007 documentation, “Computer Imaging System Feature Team Guide.doc”

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

47

Chapter 3

Hybrid Image. As the name implies, a hybrid image mixes thin and thick strategies. In a hybrid image, the disk image is configured to install applications and language packs on first run, giving the illusion of a thick image but applications and language packs are installed from a network source. Hybrid images have most of the advantages of thin images; however, they are not quite as complex to develop. They do require longer installation times, , which can raise initial deployment costs.

High-level steps in the deployment Planning Phase include those described below.

Deployment planning involves examining the existing production environment and deciding how to approach deployment. Considerations include determining the deployment scenario and deployment methods, insuring the required infrastructure is in place, and establishing a monitoring and feedback mechanism.

Deployment Planning

Select the appropriate deployment scenarios.

Different deployment scenarios are used depending upon each desktop’s current state and the deployment method (Table 7). The deployment scenario is logged with all of the other information collected during the client population inventory.

Table 7. Deployment scenarios depending upon current system state.25
Scenario Description User state migrated

New Computer Upgrade Computer Refresh Computer

Replace Computer

A computer currently running a supported Windows operating system is refreshed. This scenario includes computers that must be re-imaged for image standardization or to address a problem. This scenario assumes that the team is preserving the existing user state data on the computer..

The current Windows operating system on the target computer is upgraded to the new operating system. The existing user state migration data, user profile, and applications are retained (as supported by the new operating system).

A new installation of Windows is deployed to a new computer This scenario assumes that there is no user data or profile to preserve.

No Yes

No

Uses existing client computer

File system preserved
No Yes

Yes

Yes

Yes

No

A computer currently running a supported Windows operating system is replaced with another computer. The existing user state migration data is saved from the original computer. Then, a new installation of Windows is deployed to a new computer. Finally, the user state data is restored to the new computer.

Yes

No

No

25

® 2007 ScritpLogic®

Microsoft, “Deployment Feature Team Guide.doc”

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

48

Chapter 3

Ensure that the required infrastructure exists.

Deployment planning also includes determining if the required infrastructure exists for the upgrade or replacement. This includes storage requirements for deployment images, user state migration, backups, and deployment logs. (Deployment logs can be centrally located if sufficient network bandwidth exists to/from the target systems).

Determine the monitoring plan.

Similarly, each deployment point needs access to the application and operating system source files to be used in the deployment process. These can be located on either a common network shared folder that is accessible to all servers hosting the deployment points, or individual servers hosting deployment points.

Obviously, progress should be monitored and packaged for management review. Teams can use tools such as Microsoft Systems Management Server (SMS) 2003, Microsoft Operations Manager (MOM) 2005, and the BDD 2007 Management Pack for MOM 2005. Examining and preparing the infrastructure (systems, networking, etc.) is a key activity in planning the Vista deployment. The first step of this planning element is critical to the entire project—accurately describing the physical location of assets, performing an inventory of systems and software, and determining infrastructure changes to execute the deployment plan. Assessments from this phase of planning are provided to other phases, especially deployment planning (above).

Infrastructure Remediation (Preparation)

Gather and Analyze Infrastructure Inventories

• The number of computers being deployed

The information gathering phase of defining the infrastructure produces a geographical description of the business, inventories of hardware and software, and network infrastructure. The ultimate purpose of all of this information is to create an analysis document that will become the basis for recommendations to infrastructure changes. At a minimum, the inventory should produce:

• The number of computers requiring upgrades to existing hardware

Analysis of the inventory should be combined with the Application inventory taken in the Application Management activity; the combination of the two will produce data required to determine infrastructure modifications.

Inventory data collection can use the new Application Compatibility Testing (ACT) tool, as discussed in the section “Application Compatibility” above.

• The number of computers that must be replaced before the new Vista image is deployed

® 2007 ScritpLogic®

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

49

Chapter 3

Propose Infrastructure Modifications

Additional organizational changes that should be considered—include; preparing the IT organization for increased service calls (perhaps even preparing a dedicated staff to handle migration issues), and examining risks and remedies that might (will) be encountered during deployment.

The inventory analysis determines the scope of the deployment itself, along with suggested modifications to the infrastructure. These modifications can include hardware upgrade/replacement, and/or modifications to the network infrastructure.

Security Planning

The easiest method to approach security planning is to assume a default baseline configuration, and make adjustments to the baseline as exceptions. Microsoft BDD 2007 provides three baseline configurations26: Default Configuration. In this grouping, the Windows image is essentially unchanged. It is configured with the same features and security settings that are provided when Windows is installed from the original media.

Given the benefits that Vista provides in the security arena, security planning occupies a large part of the overall planning budget. As we’ve seen in previous chapters, Vista provides extensive security technology; each of these technologies should be tested for their applicability for each desktop (or group of desktops) in an enterprise. At a minimum (and not a trivial task), a risk assessment must be made for each desktop that involves weighing increased security against possibly reduced functionality and/or user efficiency.

Enterprise Client. In this grouping, security policies are applied that are more restrictive than the default Windows configuration; these policies are targeted at a typical corporate enterprise computer. Generally, these settings best suit most enterprise users. Specialized Security–Limited Functionality (SSLF). In this grouping, security policies are applied that are the most restrictive of the three options. This option focuses on securing the computer and requires significant compromises; while security is increased, engineering time will be increased and usability will be decreased.

Administrators should review required system security settings for a variety of categories (Table 8). Changes should be carefully weighed, and described in the security plan as differences from the baseline security configuration.

There are literally thousands of different settings that can be changed that will affect the security of an individual desktop. These settings can be managed in a number of ways, including the use of Group Policies in an Active Directory domain, third-party software such as ScriptLogic’s Desktop Authority, or (more commonly) a combination of both.

System Security Settings

26

® 2007 ScritpLogic®

Adapted from BDD 2007 Documentation, “Security Feature Team Guide,” p. 19

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

50

Chapter 3

Table 8. Security settings and considerations when planning for deployment.27
User Accounts

Security Category

Group Memberships and Limited Users Password Settings File Permissions Registry Permissions Service Permissions Event Log and Auditing Settings User Rights Settings Other Security Options

Vista includes multiple built-in groups, and different users can be made members of different groups. Some groups (e.g., Administrators) have elevated security privileges; care must be taken in assigning users to these groups. Pay particular attention to elevating security levels just to run legacy applications which made the assumption that all users executing the application would have administrator rights (see User Account Control in Chapter 2 for additional information on UAC).

The Windows operating system includes several default user accounts. Care should be used if additional accounts are added.

Considerations

Passwords are the most popular authentication mechanism for desktops. Administrators may want to change password requirement properties, including password length, complexity, and frequency of change. Generally, Vista’s default file permissions are sufficient to provide a level of security without limiting users’ functionality or ease-of-use. However, some legacy applications may make assumptions on file permissions; see information on User Account Control and Application Compatibility Testing (ACT) in Chapter 2.

The system’s registry is a critical repository of operating system and application configuration information. Similar to password settings and file permissions, care must be used in granting access to the registry, especially just to allow a legacy application to execute.

Services executing in the background traditionally (under Windows XP) had elevated permission levels; Windows Vista dramatically changed this model by running services with minimal privileges by default. See Chapter 2 for additional information on Services. While the default settings for Event Logging and Auditing are generally sufficient, security planners might want to employ third-party software that analyzes these logs to provide intrusion detection capabilities.

There are a myriad of additional security options. Often the default settings will suffice, however, each situation should be reviewed and documented to insure that security settings are not changed “on the fly,” potentially opening a security loophole that goes undetected.

User Rights describe what actions users are allowed to take (e.g., program debugging, system profiling, system shutdown). Planners will need to consider changing user rights for some selected users, especially application development users.

User Account Control (Chapter 2) has the potential to change the way a legacy application executes, largely because the application now no longer has write access to key system files (e.g. the registry). Planners should work with application compatibility testers to insure the proper UAC security settings are enabled for users that will be using such applications. Vista made some significant changes to the firewall functionality, notably blocking some outbound communications (see Chapter 2). The effect of this change may cause some applications to require nonbaseline firewall settings to execute successfully.

Planning User Account Control

Planning Windows Firewall

27

® 2007 ScritpLogic®

Adapted from BDD 2007 Documentation, “Security Feature Team Guide,” pp. 20-25

One of the mechanisms to help manage the non-baseline settings is firewall profiles (Figure 20). Profiles allow administrators to create pre-packaged firewall settings and deploy them as necessary. Similarly, firewall port exceptions may need to be configured to allow communications traffic through the firewall for applications that make assumptions about network availability. Firewall settings may be managed through Group Policy objects or on individual systems via the Windows Firewall MMC Snap-in.

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

51

Chapter 3

Figure 20. Sample profile settings for Windows Firewall

Vista provides three methods of protecting data through encryption (RMS, EFS, and BitLocker Drive Encryption; see Chapter 2 for additional information). Planners must work with management to determine data sensitivity, where the data resides, and the type of encryption that is applicable. Sometimes the need for encryption may not be obvious; even if the data on a lost or stolen computer is not sensitive in itself, it could provide information that would allow access to an enterprise network that does contain sensitive data. Table 9 shows the data security scenarios that each technology supports.

Planning Data Encryption

Table 9. Data encryption and security scenarios28
Remote document policy enforcement Protect content in transit Protect content during collaboration Remote file and folder protection Portable computer protection Branch office computers

Scenario

RMS

EFS

BitLocker

Local multi-user file and folder protection Untrusted network administration

Local single-user file and folder protection
28

® 2007 ScritpLogic®

From Microsoft Vista BDD 2007 Documentation, “Security Feature Team Guide.”

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

52

Chapter 3

To prevent users from installing such devices on Windows Vista, configure Group Policy settings to allow or deny installation of specific device IDs or device classes or to deny installation of removable devices. Alternatively, third party tools like ScriptLogic’s Desktop Authority provide extensive tools for managing removable storage devices.

The myriad of portable storage mediums today make it essential for corporations to prohibit or monitor the use of certain devices on the company network. These devices can allow confidential data to easily be copied to any portable device, viruses can be introduced to the network and spread corporate wide, and illegal software can be copied to the company network.

Restricting the Use of Removable Storage Devices

If the decision is made to deploy and activate Windows Defender, Group Policy objects or third-party software may be used to enable and configure it within the enterprise.

Windows Defender helps protect users from spyware and other potentially unwanted software by detecting and removing known spyware on users’ computers. Defender is most often used in conjunction with third-party tools as part of a comprehensive anti-spyware solution.

Planning Windows Defender

Third-party Security Applications

Most organizations complement Microsoft’s security applications with additional applications for virus protection and/or backup. Generally, and enterprise will enforce the use of a comprehensive antivirus solution that gives administrators centralized control over the antivirus configuration and that automatically updates antivirus signatures. (See http://www.microsoft.com/security/partners/antivirus.asp for a list of Microsoft partners). Lastly, Vista deployment planning must comprehend the deployment itself. Staging areas, servers, and infrastructure should be examined for enforcement of security policies, both during initial deployment and ongoing updates.

Infrastructure and Deployment Security

Protecting Production Deployment Servers. Similarly, deployment servers must be protected during deployment. Microsoft recommends protecting deployment servers with physical controls and physically isolating them29. They also recommend limiting the services that are running, disallowing remote login (if possible), and enforcing collaboration such that no single administrator can make critical changes to images.

Protect Deployment Staging Areas. Staging areas where images are created, updated, and maintained pose a significant potential vulnerability. Computers in the staging area contain critical information, including credentials used to automatically authenticate computers during the setup process. Also, because the staging area contains images that are distributed enterprise-wide, a compromised image can have a widespread effect and incur very high costs.

29

® 2007 ScritpLogic®

From Microsoft Vista BDD 2007 Documentation, “Security Feature Team Guide.”

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

53

Chapter 3

Other Infrastructure Security Considerations. Microsoft includes planning on additional security considerations during deployment; see the Microsoft BDD 2007 documentation for additional information.

Protecting Windows PE and Client Deployment Scripts. If an organization uses the Microsoft Windows Preinstallation Environment (Windows PE) during the client deployment process, keep Windows PE updated and thoroughly tested. In addition, consider security in developing Windows PE scripts, including the avoidance of including user credentials in clear text and using file and share permissions to protect the scripts.

A large part of a successful deployment is testing target configurations, applications, and security settings. The testing team should develop an in-depth test plan and use that plan to establish lab requirements, risks, and schedule. The Microsoft BDD 2007 documentation provides a detailed sample test plan, as well as a template that follows the BDD 2007 testing methodology. An abbreviated discussion of the most relevant topics of the test plan is discussed below.30

Testing

To keep the scope of the project manageable, it is generally simpler to assume that applications themselves are tested independently (probably by the vendor). Assuming the application works correctly reduces testing to those components that are sensitive to the application environment. To accurately test applications, the test plan should specify a lab environment that closely matches the production environment. The lab environment should reflect software packages, operating system image(s), and networking components to insure that application behavior will be consistent after deployment.

Lab Requirements

Bug Rating, Reporting, and Tracking

Bug reporting, rating, and tracking will allow problems to be tackled quickly and by the right development team or SME. Issues should be prioritized and tracked, with periodic reports to the other deployment teams. The test plan should concisely define these teams and mechanisms for communicating with them. Change control centralizes management of issues and permits collaboration on changes to infrastructure, system images, or processes. The test plan should put in place change control procedures to insure accurate and timely communication of changes and/or proposed changes.

Change Control

30

® 2007 ScritpLogic®

Adapted from BDD 2007 Documentation “Test Feature Team Guide,” pp 14-16

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

54

Chapter 3

The testing schedule should include, at minimum, the following tasks: • Test environment setup • Documentation review • Preparation of high-level test scenarios

A big part of the test plan is the testing schedule. Much of testing is dependent upon other planning activities, depending on the types of tests and whether tests are done piecemeal (as items are released), or testing is done on complete system images prior to deployment.

Test Schedules

• Test case preparation • Test execution

• Number and duration of testing cycles Training IT staff and end users plays a critical role in a successful deployment. Planners should develop a base set of training requirements; from that they should develop a plan that comprehends the schedule, training methods, and the materials and resources that will be required.

Training

At a minimum, users should be trained on the new productivity and security features in Windows Vista. Additionally, if line-of-business applications have any externally visible changes, training will be required to avoid surprises after deployment. For example, an enterprise will generally deploy Office 2007 with Vista; users will need training on the new user interface that those applications offer. Initial steps in planning training should define the baseline requirements; given the staff and user base, what are the minimum training requirements for testing, deployment, and ongoing operations? Application SMEs should be consulted for materials on user visible changes to applications and enterprise-developed tools.

The IT staff will need training on new deployment methods, security features, and changes in networking and configuration tools. Training planners should work closely with other deployment team members to insure consistency across teams and to minimize impact on schedule.

Training Requirements

Training Schedule

Given requirements, planners should develop a schedule that takes into account the user base, deployment schedule, staff and materials availability, and budget. Certainly, IT Staff will be trained first as planning and testing proceeds, with the user base trained in parallel as staff gains experience during testing.

® 2007 ScritpLogic®

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

55

Chapter 3

Training Methods

• Hands-on Training • Presentations • Handouts

Once requirements and schedule are scoped, the training methods may be determined. Depending upon the subject matter, there are many methods for training. Microsoft offers extensive training opportunities (especially for developers ). Additionally, there are any number of third-party training organizations that support multiple delivery methods. Consider the following training methods31: • Computer-based training (CBT), Web-based training (WBT)

Materials and Resources

• Certification (identify training requirements that will require certification to demonstrate a specified level of proficiency).

Resources also need to be scheduled, including staff to provide the training, facilities, and budget requirements. If travel is required, the schedule and budget will need to reflect the appropriate resources. The user state on a system is the user’s preferences (such as screen savers, browser favorites, etc.), documents, and applications data. Retaining this information through an upgrade or system replacement to Vista is obviously critical to the operation of the enterprise.

Planners will need to make decisions on the materials and resources required to carry out the training as it is scoped. Considerations include whether the materials need to be developed or purchased, and timing for obtaining the materials (make sure they show up on time).

User State Migration

Systems that are to be upgraded in-place, using the standard Vista upgrade process, will not need state migration because the data remains on the system throughout the upgrade. (Of course, it is advisable to perform a system backup before any upgrade.)

A side note here—preserving users’ states on top of a standard system image (by whatever method) almost guarantees that the resulting images will not adhere to a standard. Consider third-party tools that manage enterprise-wide user settings.
Adapted from BDD 2007 documentation “Training Plan.doc” “Migrating to Windows Vista Through the User State Migration Tool” at www.microsoft.com 33 Windows Vista technical library at http://technet2.microsoft.com/WindowsVista/en/library/
31 32

It is expected that in-place upgrades will be the exception, however, and most systems will be upgraded either through a “wipe and load” (use the same computer, but wipe it clean and load the system image from scratch), or a “side-by-side” upgrade (where the user’s state is moved to a new system)32. Automating this process is almost a necessity, since it is time-consuming and error-prone. Microsoft recommends using the User State Migration Tool (USMT 3.033), updated to version 3.0 for Windows Vista.

® 2007 ScritpLogic®

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

56

Chapter 3

As with other aspects of the deployment planning, the first step is to review the application inventory to determine application migration requirements. Once the list of applications is created, it should be prioritized to help focus the migration work. Prioritization can be on the importance of the application to the enterprise, how prevalent an application is in the environment, and/or the complexity of the application. For each application, the files and settings that require migration should be documented. The best place to start is the SME (see the section “Application Management/Deployment”) for that particular application. The SME should assist with several key issues34: • Locating the software media (Often, the SME is the best source of information on where the source media, such as CDs and floppy disks, can be found.) • Describing the appropriate configuration, behavior, and usage of the application • Identifying which data files (if any) must be migrated • Identifying which preferences or settings (if any) must be migrated

Application Inventory and Prioritization

Identify Application Files and Settings

Carefully document files and settings that need to be migrated as input to the process of creating migration scripts or USMT configuration files.

• Identifying any constraints associated with restructuring file locations during the restoration

Identifying Operating System Settings

Most user preferences settings seem trivial, but nothing scares users like logging on and seeing a different wallpaper image. Even if they understand what happened, often they forget how to recreate their familiar environment. Action. Includes items such as key repeat rate, whether double-clicking a folder opens it in a new window or the same window, and whether users must click or double-click an item to open it Appearance. Includes items such as wallpaper, colors, sounds, and the location of the taskbar Key system settings that should be migrated (for each user on a system) include35:

Internet. Includes Internet connection settings and controls how the browser operates; additional items include home page, favorites or bookmarks, cookies, security settings, and proxy settings

34 35

® 2007 ScritpLogic®

BDD 2007 Documentation, “User State Migration Feature Team Guide.doc” BDD 2007 Documentation, “User State Migration Feature Team Guide.doc,” p. 14

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

57

Chapter 3

If USMT is employed, the ScanState process of USMT is an automated method of determining which items will be migrated. As with applications state migration, document which of these items will be moved during the upgrade. User state migration plans should be handed off to the testing teams to test the migration scripts. As mentioned in the Test planning section, testing in an accurate lab setting reduces surprises during deployment.

Mail. Includes the information required to connect to mail servers, signature files, views, mail rules, local mail, and contact lists

Develop and Test

Summary

An obvious alternative is the range of third-party tools that are available. If an organization already has a third-party desktop management toolset in place, check with the vendor(s) to get the details on Vista migration. For example, ScriptLogic, Altiris, and LANDesk have been working with Vista beta releases for several years, and their products are already Vista compatible. Most of these vendors offer tools that allow a proactive approach to deployment—begin planning now for future Vista deployment.

Microsoft has developed a huge toolset to help with the migration. While many IT organizations may “roll their own” migration toolset, it wouldn’t hurt to take a look at the Microsoft SMS (Systems Management Server) 2003, and all of its related tools.

Migrating to Vista could quite possibly be the largest project an IT organization has ever undertaken. If migration is years away, or will take place over the next few years, it is advisable to be proactive and put a plan in place. Even if it’s a back-of-the-envelope plan, the organization needs estimated duration, budget, manpower, and IT resources that will be required.

Lastly, because Vista can require extensive infrastructure changes, the tools are only a part of the plan. Determining when to upgrade is just as important. It is advisable to work with lifecycle management teams within the organization; upgrading to Vista when a desktop is replaced makes a lot of sense. Resist the urge to make a wholesale upgrade within the organization—Vista migration is a big enough challenge without trying to tackle the entire enterprise at once.

® 2007 ScritpLogic®

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

58

Chapter 4

Chapter 4 Deployment
In previous chapters, we reviewed some of Vista’s improvements to desktop lifecycle management, especially in the areas of planning and migration. In this chapter we’ll examine the deployment tools themselves, providing a foundation for the methodologies used to deploy Vista into an enterprise environment with minimal costs and user disruption.

Introduction

Note that this chapter assumes that extensive planning has already taken place (Chapter 3); systems are inventoried, applications are identified, and a deployment laboratory has been created and sufficiently equipped for testing.

Deployment can take place over days, months, or years; however, a few basic deployment concepts remain the same. Microsoft developers examined these concepts, and, in an attempt to standardize and streamline processes, developed sweeping changes to the underlying Windows deployment technologies. This chapter examines these technologies and evaluates several different rollout scenarios.

During the development of Vista, Microsoft addressed one of the more common complaints about Windows—the lack of deployment tools and technology. In previous versions of Windows, a few basic rollout concepts were common, but Microsoft provided only rudimentary higher-level mechanisms for software deployment across an enterprise. Out of necessity, most organizations developed “roll your own” techniques, or employed third-party software, to deploy new versions of applications and the operating system. These techniques have been tweaked and tuned over multiple Windows releases, and generally work quite well in the organizations’ specific environment.

Microsoft has made a considerable effort to implement a deployment solution that reduces the cost and complexity of operating system and application deployment. Even though IT professionals will be tempted to stick with their homemade or third-party techniques, Vista’s completely redesigned deployment environment warrants a closer look. Of course, nothing takes the place of meticulous and thorough planning (as described in Chapter 3); the new tools in Vista complement the planning, testing, and deployment workflow. A typical enterprise environment requires a relatively large number of variations on a core configuration, including different hardware, language packs, drivers and the like. In past versions of Windows, a deployment engineer would have to design installation images for each combination of variables, resulting in a large number of different images and increased complexity and cost of deployment.

Vista Deployment Technologies

Modularization

® 2007 ScritpLogic®

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

59

Chapter 4

In developing Vista, Microsoft took a much more modular approach. Rather than deploying a single monolithic block of code that accepts different configuration parameters, Vista is based on a relatively small block of code that contains about 95% of core Vista functionality; additional functionality is attained by adding code modules. Not only is this a more reliable way to develop code (it tends to isolate the effects of bugs to a single module), but it also is an effective way to introduce configuration flexibility. • It is easier to add device drivers, service packs, updates, and languages to a Vista distribution. • Microsoft can service an individual component without breaking the whole operating system. It turns out that even the commercial Vista distribution uses this mechanism—there is only one Vista core, combined with different modules, to produce the different end-user editions of Vista (see Chapter 1 for information on editions). Similarly, releases of Vista for different languages simply include the desired language modules when the distribution disk image is created (the Vista core has no reliance on languages whatsoever). The modularization of Vista is complemented by a completely new (to Microsoft) deployment mechanism using a file-based (as opposed to sector-based) imaging format. Windows Imaging format (WIM—the file suffix “WIF” was taken, and besides, it just didn’t sound right as a file type for deploying system images). Using a file-based imaging format has multiple advantages, including37: • Hardware-agnostic (only one image is needed as long as the target hardware understands a standard file system). • It reduces testing during deployment. • It is easier to customize certain optional Windows Vista component to specific requirements. Modularization (combined with the new Windows Image Format, below) enables a more streamlined approach to deployment. It also provides a selective customization capability, enabling36:

Windows Image Format (WIM)

• The WIM image format enables compression and “single instancing,” which reduces the size of image files significantly. Single instancing allows storage of two or more copies of a file for the space cost of a single copy. For example, if images 1, 2, and 3 all contain file A, single-instancing stores a single copy of the file A and points images 1, 2, and 3 to that copy.

• Allows multiple images to be stored in a single file. This is how Microsoft distributes Vista; a single WIM image file contains multiple Microsoft SKUs (Stock Keeping Unit—in this case multiple editions) of Vista. It also allows for one of the images to be marked as bootable, allowing a system to be booted from a disk image contained in a WIM file.

36 37

® 2007 ScritpLogic®

Based on http://technet.microsoft.com/en-us/windowsvista/aa905119.aspx Largely taken from http://technet.microsoft.com/en-us/windowsvista/aa905070.aspx

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

60

Chapter 4

• Developers have access to WIM image files through an API (“WIMGAPI”), allowing application developers to become more standardized and deployments more integrated. Management of WIM files is performed through a set of tools provided by Microsoft in the Windows Automated Installation Kit (WAIK). The WAIK contains a collection of tools, including: • ImageX—a command-line tool that captures and modifies WIM-based disk images.

• Allows for a disk image to be installed on a partition of any size (that will hold it); sector-based images require deployment to a partition that is the same size or larger than the original source disk.

• Allows for offline “servicing.” Certain operating system components, patches, and drivers can be added without creating a new image. For example, to add a patch to a Windows XP image, the master image needs to be booted, the patch added, then the image prepared again. With Windows Vista, the image can be service offline, without the need to be prepared a second time.

• Allows for non-destructive deployment. That is, because the image is filesystem-based, application of the image does not erase the disk’s existing contents (see below).

The WAIK toolset is discussed in greater detail in a following section.

• Windows Deployment Services (WDS)—a new tool that replaces the Microsoft Remote Installation Services (RIS) in previous versions of Windows. WDS provides for the storage, management, and deployment of images.

• Windows System Image Manager—a tool that builds answer files, which Windows Setup uses to apply custom settings for hands-off Vista installs.

• Windows Preinstallation Environment (WinPE)—a miniature, bootable version of Vista that can exist in RAM and bootstrap the Vista install process.

Vista’s modularity and the file-based imaging changes the way systems are upgraded in place. Instead of upgrades in which registry settings and partial files are replaced and edited (a tricky business), Vista is always cleanly installed. After the install, data settings, and applications are applied to the new operating system. As a by-product, if anything goes wrong with the install (prior to the first logon), the installation can automatically be rolled back and the system restored to its original state38.

Nondestructive imaging

XML-based answer files

Answer files are used by the installation process to customize and installation. In previous versions of Windows, multiple, text-based answer files were needed to create an automated installation environment. Since Vista standardizes on XML for many applications (e.g., Office 2007), it makes sense that XML is used during the setup process as well. The use of XML allows additional automation of the deployment process, and provides for consolidation into a single file that supports the entire deployment process. Employing XML also makes editing the answer file more consistent (hopefully reducing errors introduced during editing), and is supported by a more user- (or rather, administrator-) friendly interface.
38

® 2007 ScritpLogic®

Windows Vista Product Guide,” November 2006

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

61

Chapter 4

Windows Vista includes extensive support for using the command line and scripting that enables remote, automated, and repeatable deployment scenarios. For example, ImageX, Migration and Windows System Image Manager are completely scriptable.

Script-based installations

Table 10. Deployment Tools summary.39
Feature

APIs for ISVs Compatibility mitigation Filtering analysis reports Software Inventory Analyzer Customization of images Desktop image creation Hardware abstraction layer (HAL) independence Offline image servicing Scripting support in image creation

Windows Vista provides extensibility and an application programming interface (API) set for independent software vendors (ISVs) and third-party applications through a software development kit (SDK). Windows Vista creates custom compatibility databases based on analysis and tests the fixes to make sure they will work. Reports provide information about application compatibility issues and mitigation information. This information is improved with user input.

Application and Migration Planning

Brief Description

Inventories all the applications installed on user desktops across the enterprise, stores them in a central location, and performs compatibility analysis against a compatibility database.

Takes an image of an existing PC for distribution or for backup. You can save to a distribution share, from which users can install the gold image or IT professionals can push the image to the desktop. Retail versions of Windows Vista can be HAL-independent.

Add, update, and remove optional components (including languages, drivers, and service packs) to create a custom image.

Engineering Desktop

Patch and service an offline image without creating a new image for distribution. Scripting tools can be used to create and edit images.

Unattended file manipulation Critical update installation Non-destructive imaging Multiple boot options Scripting support PXE server support

Create and edit XML-based configuration files for unattended installation. Add critical updates to the standard image at installation by using image-based setup.

Implementing the Deployment Process

Allows for system upgrades in-place by using a wipe-and-reload (clean install) of the operating system that stores existing data locally or remotely on a network share. Boot from the network (PXE boot), CD, DVD, hard disk, or RAM disk. Allows remote installations using the PXE boot process to install the operating system.

The Windows Automated Installation Kit (WAIK)
39 40

Secure remote deployment

Enables administrators to script and automate large wipe-and-reload deployments, installations, and migrations. IT professionals can install the new desktop remotely.

For Vista, Microsoft rolled a collection of deployment tools into a single, downloadable kit called the Windows Automated Installation Kit, or WAIK . The WAIK40 consists of the components described below.
Adapted from the BDD 2007 documentation; this is a subset of the BDD-recommended teams. The WAIK may be obtained from www.microsoft.com/downloads/

® 2007 ScritpLogic®

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

62

Chapter 4

ImageX is a command-line tool that captures and modifies WIM-based disk images. It allows an engineer to view and modify Vista install images so they can be deployed either from a custom installation DVD or from a network file share. ImageX mounts and unmounts an installation image (see Figure 1).

ImageX

Figure 21. Options available for the ImageX command-line image manager.

Windows Preinstallation Environment (WinPE)

Windows PE 2.0 is the core deployment foundation for Windows Vista, and replaces MS DOS as the preinstallation environment. Windows PE is built from Windows Vista components; it can run many Windows Vista applications, detect and enable most modern hardware, and communicate across networks. Windows PE can run entirely from system memory, freeing up the optical drive for a second CD that contains drivers or software.

The System Image Manager (see Figure 1) is a graphical user interface that allows a deployment engineer to manipulate components of a Vista installation. The Image Manager creates an XML-based answer file that, when combined with an image, result in a customized yet fully automated Vista install.
® 2007 ScritpLogic®

Windows System Image Manager

Like Vista, Windows PE can be contained within a WIM file, however, Windows PE can start directly from a WIM file without being copied to a hard disk. This functionality enables a WIM file to be store on bootable media such as a CD or USB flash drive, and Windows PE to be directly started from that medium. Microsoft uses this ability to load Windows PE into RAM and launch Windows PE when Vista is installed on a new computer.

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

63

Chapter 4

Figure 22. The Windows System Image Manager

The Image Manager accepts an installation image (named install.wim) and an associated Windows catalog file (if the catalog file is not available, the Image Manager can create one). Once opened, all of the available configurable components are available in the Image Manager’s GUI; the deployment engineer can now customize the image by selecting each component, and specifying the desired configuration parameters (see Figure 3).

Figure 23. Using the System Image Manager, individual components may be configured.

® 2007 ScritpLogic®

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

64

Chapter 4

After all of the desired changes have been made, the Image Manager generates and saves and XMLbased answer file. The answer file itself can subsequently be edited with the Image Manager, or any XML editor. Windows Deployment Services is an updated version of Remote Installation Services (RIS) in Windows Server 2000 and Windows Server 2003. (In fact, an installed version of Windows Server 2003 RIS is a requirement to downloading WDS). WDS provides a mechanism for systems to connect to a networked server during initial boot-up, allowing the server to then perform a local installation of Windows Vista.

Windows Deployment Services (WDS)

The WDS update to RIS is included in the Windows Automated Installation Kit (WAIK), and includes the WDS snap-in to the Microsoft Management Console. The WDS snap-in enables deployment engineers to manage all of the WDS features from a single GUI. The WDS enhancements to RIS include41: • Support for the Windows Imaging (WIM) format. • Support for Windows PE as a boot operating system. • Ability to deploy Windows Vista and Windows Server "Longhorn".

WDS represents a suite of components, and are organized into three categories:

• A new graphical user interface used to select and deploy images and to manage Windows Deployment Services servers and clients.

• A new boot menu format for selecting boot operating systems.

• An extensible and higher-performing PXE server component.

• Ability to transmit data and images using multicast functionality on a standalone server (when Transport Server role service is installed).

• Ability to transmit data and images using multicast functionality.

Management components: These components are a set of tools used to manage the server, operating system images, and client computer accounts.

Client components: These components include a graphical user interface that runs within the Windows Pre-Installation Environment (Windows PE) and communicates with the server components to select and install an operating system image.

Server components: These components include a Pre-Boot Execution Environment (PXE) server and Trivial File Transfer Protocol (TFTP) server for network booting a client to load and install an operating system. Also included is a shared folder and image repository that contains boot images, installation images, and files needed for a network boot.

41

® 2007 ScritpLogic®

“Windows Deployment Services Update Step-by-Step Guide for Windows Server 2003,” April, 2007

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

65

Chapter 4

In both cases, the installation is initially configured by using the BDD 2007 Deployment Workbench (Figure 4), with further customization in the CustomSettings.ini scripts.

The Microsoft Windows Business Desktop Deployment package (extensively reviewed in Chapter 3) provides two different deployment methods to deploy the target operating systems to the target computers: Lite Touch Installation (LTI) and Zero Touch Installation (note that the “touch” refers to how much IT has to touch the installation process, not how much is touched on the target systems). In most cases a combination of these two methods would be used. In BDD 2007, LTI and ZTI use the same common set of scripts and configuration files for deploying the target operating system.

Windows Business Desktop Deployment

Figure 24. Using the System Image Manager, individual components may be configured.

Light Touch Installation (LTI)

In LTI deployment, the team provides configuration settings for groups of computers. The configuration settings for each individual computer are usually provided manually during the deployment process. As a result, customizing LTI usually takes less effort than customizing ZTI. ZTI requires SMS 2003, SMS 2003 SP2, and the SMS 2003 OSD Feature Pack. The ZTI deploys target operating systems from SMS 2003 distribution points, and can be started automatically by SMS 2003 or by Windows DS.

LTI supports deployment of the target operating systems over the network (via a shared folder) or locally by using removable storage such as a CD, DVD, or USB-based storage. The deployment process can be initiated automatically (using a Windows Deployment Services server) or manually.

Zero Touch Installation (ZTI)

In ZTI deployment, the deployment team provides all configuration settings for each target computer being deployed. As a result, customizing ZTI usually takes more effort than customizing LTI.

® 2007 ScritpLogic®

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

66

Chapter 4

Comparing LTI and ZTI
Parameter

Table 11 compares the use of LTI and ZTI in the deployment.

Table 11. Comparison of LTI and ZTI Deployments42
Configuration settings Time required Network connection Infrastructure requirements Deployment medium
Provide configuration settings that are common to a group of target computers. Requires less up-front configuration time. Can be used with slow-speed connections or in instances where no network connectivity exists.

LTI deployment

Provide all necessary configuration settings for each target computer. Requires more up-front configuration time. Requires a high-speed, persistent connection. Requires an infrastructure sufficient to deploy operating system images by using SMS 2003 OSD Feature Pack. Target computers must be managed by SMS 2003. Supports only security where automatic software installation is allowed. Supports only network deployments.

ZTI deployment

Requires little or no infrastructure to support deployment.

SMS 2003 requirements Security policy handling Firewall requirements Upgrade vs. Clean Install

Supports deployment over the network or locally.

Supports security policies where automatic software installation is prohibited.

Target computers are not required to be managed by SMS 2003 (or other software management tools).

Supports deployment of target computers isolated by firewalls. Supports Upgrade Computer deployment scenario. LTI does not support the BDD management pack

Requires Remote Procedure Call (RPC) communication with the target computers (and as such usually requires too many ports to be opened through firewalls). Upgrade Computer scenario is not supported. Supports the BDD management pack

Management Pack support

42

® 2007 ScritpLogic®

Adapted from the BDD 2007 “Deployment Feature Team Guide”

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

67

Chapter 4

Having said that “everything will be ‘easy,’” it is vital that planning begin now. For example, if it hasn’t been done already, the enterprise desktop should be standardized well before the deployment process begins. After all, the best operating system image can be overlaid with the messiest of user states if the user state is that way initially. Windows deployment tools and/or other third party products that manage existing operating environments (e.g. Windows XP) can greatly aid in pre-deployment planning and standardization. Finally, the migration to Vista is by definition methodical; plan, plan, and plan some more—then take a measured approach to bringing the enterprise into the Vista world.

The migration to Vista is not to be taken lightly (as if any Windows migration might be!). However, Microsoft has developed an extensive toolset—beyond anything in any previous version of Windows—to aid in the deployment process. The new modular architecture greatly facilitates flexibility in deployment while simplifying the entire process. At the same time, the new WAIK, WDS, and user migration tools provide a more powerful deployment environment without adding a great deal of complexity.

Summary

® 2007 ScritpLogic®

The Expert’s Guide to Implementing Microsoft® Windows® Vista™

68


								
To top