Deploying Windows 7 An Architect’s Perspective
October 28th, 2009 Doug Klokow – Microsoft
Agenda
• Developing Business Justification
• Current Desktop Environment
• Application Readiness
• Deployment Readiness
• Employee Training
• The Windows Optimized Desktop
Developing Business Justification
Developing Business Justification
What is Business Value?
• Providing business decision makers with a clear and concise predictive view of the strategic value to the business of an IT investment
How do you quantify value?
• By using objective identification and measurement of the costs and benefits, both tangible and intangible, that are associated with an IT investment.
A Number of Factors Drive the Need to Identify the Business Value of IT Investments
• Increasing need for IT investments to deliver measurable value to the business
• Increasing size, duration, and complexity of projects, which increases risk and impact for IT development
• IT developments generating cross-functional and business-boundary focus: need to understand impact
• Senior managers looking to identify technology-enabled business opportunities
• IT unable to align programs/projects to the business to create and gain proposal acceptance
A Benefit Example
Windows 7 will help increase the overall effectiveness of our Help Desk and accelerate problem resolution
Problem Steps Recorder
• Records events leading up to a customer problem, which are then reproduced and sent to the helpdesk, improving diagnosis capabilities—saving you time
Action Center
• Provides a central location for notifications and troubleshooting, where users can fix basic problems—saving you time
Windows Troubleshooting Platform
• Automatically detects and attempts to repair problems, such as display or networking issues—you can extend the platform with your own troubleshooting packs
Business Value
• Reduce support incident length by XX% by allowing the user to capture the issue and send it to the Help Desk
Benefits
• Eliminates time to establish a remote session ($)
• Eliminates time for desk-side visit ($$$)
• Accurately communicates the issue to application owner/developer ($$$)
• Decreases total time to remediate the ticket ($$)
Action Center
Business Value
• Reduce Help Desk calls by XX% by providing easy to use intuitive tools for our users
Benefits
• Provides a single location to users for maintenance and security issues ($)
• Allows an end user to run resolution scripts to resolve an issue to avoid creating a help desk ticket ($$$)
• Notifies users of security compliance variances (AntiMalware, Firewall, Network Access Protection, Virus Definitions, Windows Update, User Account Control) ($$)
Windows Troubleshooting Platform
Business Value
• Reduce Help Desk calls by XX% for common problems that can be resolved using built-in or custom scripts
Benefits
• Provides a solution to automatically detect and attempt common repairs ($$)
• Allows for the development of custom scripts to support in-house developed applications or organization-unique configurations ($$$)
• Automates typically step-by-step problem resolution sequences ($$)
All Benefits Can Be Measured and Structured to One Degree or Another
Degree of Explicitness (columns: Do New Things, Do Things Better, Stop Doing Things)
• Financial – Can you convert it to money?
• Quantifiable – Have you got the figures available now?
• Measurable – Can you measure it?
• Observable – Can you observe it?
Additional Materials
Windows 7 Case Studies
http://www.microsoft.com/windows/business/casestudies.aspx
Business Value Planning Services
https://iwsolve.partners.extranet.microsoft.com/BVPS/
Current Client OS Environment
Saturday, October 31, 2009
Current Client Environment
Windows XP Clients
– Business needs did not warrant a move to Windows Vista
– Performance of Windows Vista on existing hardware did not meet users' performance expectations
– Application compatibility prevented the migration to Windows Vista
– We decided to wait for Windows 7
Mix of Windows Vista and Windows XP
– Deployment of Windows Vista started but ran into blockers which prevented us from migrating certain users
– Replace XX% of our client machines every year and only deployed Windows Vista to new machines
– Started Windows Vista deployment but pulled back to wait for Windows 7
– Funding for the Windows Vista project was pulled due to the economic downturn
Majority of Users Running Windows Vista
– Completed Windows Vista application compatibility tests and are ready for Windows 7
– Use an Application Lifecycle program to support a rapid migration to new operating system platforms
– Utilize virtualization technologies to transition the application compatibility burden
– Many business applications are web-based to reduce the impact of moving to new operating systems
Action Plan
– Evaluate the Application Compatibility testing completed and determine if adjustments are needed to support Windows 7 testing
– Identify key blockers preventing the move to Windows Vista and determine if any adjustments are needed for Windows 7
– Evaluate your hardware readiness for Windows 7 using Microsoft Assessment and Planning Toolkit (MAP) and/or Application Compatibility Toolkit (ACT)
– Evaluate other dependent projects which may define business value for Windows 7 clients (DirectAccess, Virtualization, etc.) and plan accordingly
– Review client management tools for Windows 7 supportability
Action Plan
– Conduct a rapid assessment of application status using third party tools such as ChangeBase or AppDNA products
• Create an ‘order-of-magnitude’ estimate for the amount of work required to prepare for Windows 7, Internet Explorer 8 or Application Virtualization
Application Readiness
Application Readiness
• What applications are in use in your environment?
• What applications are important to move to the new operating system?
• What applications are ready for Windows 7?
• How much remediation will be required for my applications to work on Windows 7?
Windows 7 Goals
Applications and hardware that worked on Windows Vista® and Windows Server® 2008 continue to work on Windows® 7 / Windows Server 2008 R2
Broad ISV/IHV outreach for critical applications and drivers
What’s Changed since Windows XP?
Top Areas of Focus with Windows Vista
• User Account Control (UAC)
• Windows Resource Protection (WRP)
• Internet Explorer® 7 Protected Mode
• Windows Vista 64-bit
• Windows Filtering Platform
• Operating System Version Change
• Deprecations/GINA/Session 0 (High Impact/Low Frequency)
User Account Control (UAC)
Description
– Enabling users to run with a standard user account
– Security feature to reduce introduction of vulnerabilities (Malware, Trojans, Viruses)
– File and registry virtualization
– Windows 7 adds virtualization of root C:\
Issues
– Custom installers and updaters need administrator privileges
– Unnecessary administrator checks or administrative actions
– Writing to file or registry locations that are not virtualized
Mitigation
– Some common shims: Virtualization shims, Force Admin Access
– Applications needing to run as administrator should be manifested or use RunAsAdmin or RunAsHighestAvailable
– Relax ACLs on files and folders
Windows Resource Protection (WRP)
Description
– Increase system stability by protecting Windows resources (files, folders, registry).
Issues
– Application installers that attempt to replace, modify, or delete OS files and/or registry keys that are protected will fail with an access denied error message because the resource could not be updated.
Remedies
– Never repackage Microsoft redistributables (use the Microsoft-provided redistributable package instead).
– Do not write to system files and registry keys.
– A new shim was added in Windows 7 to mitigate WRP issues
Internet Explorer 7 Protected Mode
Description
– Internet Explorer 7 runs in Protected Mode, with greatly restricted privileges
Issues
– Internet Explorer cannot modify user files or registry keys
– Applications may not know how to handle new prompts requesting user permissions
Mitigation
– Add the site in question to the trusted sites list.
– Internet Explorer 8 now removes local Intranet from Protected Mode
64-bit Operating Systems
Description
– Windows Vista and newer operating systems fully support the 64-bit architecture processors from AMD and Intel.
– The 64-bit version of Windows Vista can run all 32-bit applications with the help of the WOW64 emulator.
Issues
– Applications or components that use 16-bit executables, 16-bit installers or 32-bit kernel drivers will either fail to start or will function improperly on a 64-bit edition of Windows Vista.
Remedies
– Remove all 16-bit components.
– Convert 16-bit installers to 32-bit or 64-bit installers
– Ensure that all 64-bit drivers are digitally signed
– Proactive outreach by Microsoft to IHVs to sign all drivers
Windows Filtering Platform
Description
– The Windows Filtering Platform (WFP) API allows developers to create code that interacts with the filtering that takes place at several layers in the networking stack and throughout the operating system.
– Publicly supported APIs.
Issues
– Network scanning anti-virus and firewall applications will fail
Remedies
– Update applications to use the new WFP APIs
– Microsoft is engaged with networking, firewall and anti-virus vendors to adopt the new platform
Deprecations
Description
– Deprecations – removal of APIs or DLLs from Windows Vista that existed in Windows XP
Issues
– Applications lose functionality or don’t start up correctly
Remedies
– Search MSDN® to look for a replacement of the API
– Some of the removals are available as OOB downloads, for example msagent and winhelp.
Graphical Identification and Authentication (GINA)
Description
– Windows Vista introduces a new Credential Provider framework
Issues
– Users will not be able to logon using custom logon applications. These may include:
• Biometric devices (fingerprint reader)
• Custom UI for logon
• Virtual private network (VPN) solutions for remote users with custom logon UI
Remedies
– The applications or components that used the GINA technology will need to be re-authored
Operating System Version Change
Description
– The internal version number for Windows Vista is changed to 6. The GetVersion function will now return this version number to applications when queried.
Issues
– Any application that specifically checks for the OS version will get a higher version number which it may not be designed to handle
– Application installers may prevent themselves from installing and applications may prevent themselves from starting.
Mitigation
– Recommendation to avoid OS version checks
– Use Compatibility Administrator and apply the OS version layer or a version lie shim
What About Changes from Windows Vista to Windows 7?
• Operating System Versioning
• Security Class Applications
• Removal of Windows Mail
• Removal of Windows Movie Maker
• National Language Support (NLS) Sorting Changes
• Internet Explorer 8 - User Agent String
• Removal of Windows Registry Reflection
• Microsoft Message Queuing (MSMQ) - SHA-2 Is the Default Hash Algorithm
Operating System Version Change
Description
– The internal version number for Windows 7 is changed to 6.1.
– dwMajorVersion still works
– dwMinorVersion changes
Issues
– Any application that specifically checks for the OS version will get a higher version number which it may not be designed to handle
– Application installers may prevent themselves from installing and applications may prevent themselves from starting.
Mitigation
– Check for features instead of versions
– Apply version lie layer or shim
– Look for OS versions greater than (>) the compatible OS version
Security Class and Deeply OS-tied Applications
Description
– Antivirus, firewall and other security class applications often have a hard dependency against the operating system version they are protecting
– These applications should not be mitigated without ISV testing and approval
– OS-tied applications can have structures of private data and data types, execute non-deterministic events, and often have OS version checks
Issues
– Installation or operation of these applications may be blocked by the application.
Mitigation
– Use applications approved for Windows 7
– http://www.microsoft.com/windows/antivirus-partners/windows-7.aspx
Removal of Windows Mail
Description
– Windows Mail utility (aka Outlook® Express) has been deprecated from Windows 7
– CoStartOutlookExpress API is disabled
– EML and NWS file types will require another client
Issues
– All entry points to Windows Mail and Contacts (for example, Start Menu, user-created Shortcuts, Start -> Run, etc.) are removed or disabled.
– File types (.eml, .nws, .contact, .group, .wab, .p7c, .vfc) will need to be associated with another email client
Mitigation
– Install Windows Live™ Mail or the email client of your choice
– Remove application calls to the API CoStartOutlookExpress or any other API calling Windows Mail
Removal of Windows Movie Maker
Description
– Removal of all entry points to Windows Movie Maker (for example, Start Menu, Start > Run, etc.)
– Removal of all binaries that were used by Windows Movie Maker (everything that was in %ProgramFiles%\Movie Maker)
Issues
– Any attempt to launch Windows Movie Maker with its command line arguments will fail
– Any plug-ins that were installed to enable new transforms and animations will remain installed but will not be exposed to the end user
Mitigation
– Install Windows Live Movie Maker or similar application of your choice
National Language Support (NLS) Sorting Changes
Description
– The National Language Support (NLS) functions help applications support different language- and locale-specific needs.
– This change affects collation and sorting, and therefore applications that have persistent indexes.
Issues
– Applications (such as databases) with persistent indexes that do not check the NLS version and re-index upon version change will fail to sort correctly or may fail to provide requested results.
– Some user interfaces and lists (for example, alphabetical, numeric, alphanumeric, symbols, etc.) may sort incorrectly.
Mitigation
– Use GetNLSVersionEx (Windows Vista or later) and GetNLSVersion (prior to Windows Vista)
– Either API retrieves both the defined version and the NLS version for a collation table.
Internet Explorer 8 - User Agent String
Description
– The User Agent String is the Internet Explorer identifier that provides data about its version and other attributes to Web servers.
– Many Websites and applications rely on the User Agent String
– Internet Explorer 8 released prior to the Windows 7 release, allowing ecosystem mitigation
Issues
– Web pages that explicitly check the User Agent String and do not support the Internet Explorer 8 User Agent String may not run properly.
– Applications that host Trident will default to Internet Explorer 7 using the Web Optional Component, but will not have access to Internet Explorer 8 features.
Mitigation
– Ensure that your applications properly handle the new 'MSIE 8.0' version in the User Agent String.
– Use Internet Explorer 7 Compatibility View for those applications based on Internet Explorer 7. This can be done with meta tags…
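The two checks described above, the installer's OS version test from the Operating System Version Change slides and the page's User Agent test from this slide, as one added example (not code from the deck): the OS numbers are passed in rather than read from GetVersionEx, the User Agent strings are constructed samples, and the type and function names are assumed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not code from the deck. It models the two version checks
 * the slides describe: an installer checking the OS version (on Windows the
 * numbers would come from GetVersionEx; here they are passed in) and a web
 * page checking the "MSIE x.y" token of the User Agent string.
 * Type and function names are assumed for this example. */
typedef struct {
    unsigned major;
    unsigned minor;
} version;

/* Constructed sample values, as the deck describes them:
 * Windows XP reports 5.1, Windows Vista 6.0, Windows 7 6.1. */
static const version WIN_XP    = { 5, 1 };
static const version WIN_VISTA = { 6, 0 };
static const version WIN_7     = { 6, 1 };

/* Constructed sample User Agent strings (not captured from real traffic). */
static const char *UA_IE7   = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)";
static const char *UA_IE8   = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)";
static const char *UA_IE10  = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)";
static const char *UA_NONIE = "Mozilla/5.0 (X11; Linux x86_64) Gecko/20090824 Firefox/3.5.3";

/* Parses "<major>.<minor>" at the start of s; whatever follows the minor
 * digits (a ';' in a UA string, '\0' in a config value) is ignored. */
bool parse_version(const char *s, version *out) {
    char *end;
    unsigned long mj = strtoul(s, &end, 10);
    if (end == s || *end != '.')
        return false;
    const char *mn_start = end + 1;
    unsigned long mn = strtoul(mn_start, &end, 10);
    if (end == mn_start)
        return false;
    out->major = (unsigned)mj;
    out->minor = (unsigned)mn;
    return true;
}

/* Orders (major, minor) as a pair: 6.1 >= 6.0, and 5.2 < 6.1 even though its
 * minor number is larger. This is the "greater than" test the deck recommends
 * in place of an exact match. */
bool version_at_least(version cur, version min) {
    if (cur.major != min.major)
        return cur.major > min.major;
    return cur.minor >= min.minor;
}

/* The anti-pattern from the OS version slides: an exact match against the
 * OS the installer was tested on, so Windows 7 (6.1) is refused. */
bool installer_allows_exact(version cur) {
    return cur.major == WIN_VISTA.major && cur.minor == WIN_VISTA.minor;
}

/* The recommended form: anything at or above the minimum supported OS. */
bool installer_allows(version cur) {
    return version_at_least(cur, WIN_VISTA);
}

/* The anti-pattern from the User Agent slide: a fixed substring match that
 * recognises only the browser version the page was written for. */
bool page_supports_exact(const char *ua) {
    return strstr(ua, "MSIE 7.0") != NULL;
}

/* Extracts the version after "MSIE "; false for non-IE or malformed UAs. */
bool parse_msie_version(const char *ua, version *out) {
    const char *tok = strstr(ua, "MSIE ");
    return tok != NULL && parse_version(tok + strlen("MSIE "), out);
}

/* Numeric comparison, so 8.0 and later pass; a prefix test such as
 * strstr(ua, "MSIE 1") would also misread two-digit majors. */
bool page_supports(const char *ua, version min) {
    version v;
    return parse_msie_version(ua, &v) && version_at_least(v, min);
}

int main(void) {
    const char *uas[] = { UA_IE7, UA_IE8, UA_IE10, UA_NONIE };
    printf("Windows 7: exact=%d at_least=%d\n",
           installer_allows_exact(WIN_7), installer_allows(WIN_7));
    for (size_t i = 0; i < 4; i++)
        printf("exact=%d at_least=%d  %s\n", page_supports_exact(uas[i]),
               page_supports(uas[i], (version){ 7, 0 }), uas[i]);
    return 0;
}
```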
Removal of Windows Registry Reflection
Description
– The registry reflection process copies registry keys and values between two registry views to keep them in sync. Sometimes there were inconsistencies.
– Starting with Windows 7, we have removed registry reflection.
Issues
– The only known consumer of registry reflection was COM. We have updated COM so that it does not assume that registry reflection occurs.
– Certain sets of registry keys that previously were reflected can now have different data in the 32-bit and 64-bit registry views.
Mitigation
– Use non-redirected registry keys
– Explicitly use KEY_WOW64_64KEY to access the registry, so that both 32-bit and 64-bit applications will use only the 64-bit key
– Read the information from a known correct location
MSMQ - SHA-2 Is the Default Hash Algorithm
Description
– In Windows 7, Microsoft Message Queuing (MSMQ) uses the Secure Hash Algorithm-2 (SHA-2) as the default when signing an outgoing message.
– SHA-2 signatures are required for all incoming messages.
Issues
– MSMQ in Windows 2003 or below will not accept signed messages originating from MSMQ in Windows 7.
– MSMQ in Windows 7 will not accept signed messages originating from Windows 2008 or below.
Mitigation
– For seamless signed message exchange between Windows 7 and a downlevel OS, add appropriate exceptions on the MSMQ machines.
IE DEP Enabled by Default
Data Execution Prevention (NX) is now enabled by default
– In Windows Vista, enabling it required running Internet Explorer elevated
Issues
– Plug-ins that have an issue with DEP may cause the browser to crash
Remediation:
– Use DEP-compatible versions of frameworks
• http://support.microsoft.com/kb/948468
– Use the /NXCOMPAT linker option
That’s great… but where do I start preparing for Application Compatibility?
Collect Inventory
– Use ACT, MAP, SCCM or other software management tools to collect existing software inventory
Analyze
– Eliminate Noise (duplicate entries, one-off applications, operating system specific, etc.)
– Rationalize (Consolidate and rationalize remaining applications.)
– Prioritize applications (Mission Critical, # of Users)
Mitigate
– Research Vendor Compatibility statements
– Run remaining applications through standard application compatibility testing procedures
(Figure: application-count funnel labelled "After Analyzing", "After Rationalizing" and "After Prioritizing", showing counts of 3,000, 1,000 and 500 applications.)
Consider Using Third Party Tools When using Microsoft Resources
– ChangeBase AOK ( http://www.changebase.com )
• Assess-It (Limited Edition)
– AppDNA ( http://www.app-dna.com )
• Apptitude (Limited Edition)
– Conduct a Static Assessment of Applications to gain a work estimate for Application Compatibility
– For more information contact your Microsoft Services Executive or Engagement Manager
Additional Materials
ACT 5.5
Download: http://www.microsoft.com/downloads/details.aspx?FamilyID=24da89e9-b58147b0-b45e-492dd6da2971&displaylang=en
For IT Professionals:
– Application Compatibility for Windows 7 - Springboard: http://technet.microsoft.com/appcompat
For Developers:
– Application Quality Cookbook (Windows 7): http://code.msdn.microsoft.com/Windows7AppQuality
– Application Compatibility Cookbook (Windows Vista): http://msdn.microsoft.com/windowsvista/default.aspx?pull=/library/enus/dnlong/html/AppComp.asp
– Application Compatibility in Internet Explorer 8: http://msdn.microsoft.com/enus/ie/cc405106.aspx
– Application Compatibility Forum: http://social.msdn.microsoft.com/forums/enUS/windowscompatibility/threads/
Windows 7 Compatibility Center
– http://www.microsoft.com/windows/compatibility/windows-7/en-us/default.aspx
Deployment Readiness
Deployment Readiness
The fine art of developing an automated process to avoid human contact wherever possible when deploying an operating system.
Where are you now?
• Some automation, but most work done by desk-side/depot-based technicians
• Lite Touch Deployment Solutions
• Zero Touch Deployment Solutions
Consider the Variations
Refresh Operating System
– Moving from Windows XP to Windows 7
– Moving from Windows Vista to Windows 7
– Refreshing Windows 7 with Windows 7
Hardware Replace
– Move user data from old hardware to new hardware running Windows 7
– Pre-staged client-specific image installed by the vendor (OEM imaging)
Deployment Method
– Network Boot
– USB/UFD/Media Boot
– SCCM Package Deployment (Zero Touch)
– Online/Offline mode
Drive Encryption
– Third Party Tools
– BitLocker
Deployment Scenarios
New Computer
– New Computer unattended installation
– Reference Computer image creation
Refresh Computer
– Includes User State Migration during re-imaging process
Replace Computer
– Includes User State Migration from the old Computer to the new Computer
Upgrade Computer
– In-Place upgrade from Windows Vista to Windows 7
Windows 7 Deployment Enhancements
Deployment Image Servicing and Management
– Add/Remove Drivers and Packages
– WIM and VHD Image Management
Windows Deployment Services
– Multicast Multiple Stream Transfer
– Dynamic Driver Provisioning
User State Migration Tool
– Hardlink Migration
– Offline File Gather
– Improved user file detection
Also updated: Microsoft Deployment Toolkit, Application Compatibility Toolkit, Microsoft Assessment and Planning
Deployment Tools
• DISM (Deployment Image Servicing and Management)
• WDS (Windows Deployment Services)
• MDT 2010 (Microsoft Deployment Toolkit)
• USMT 4 (User State Migration Toolkit)
Deployment Image Servicing And Management
• Enable and disable, enumerate, add, remove packages and updates
• Add, remove, enumerate drivers
• WIM and VHD support
• OEMs can select OS editions offline
• Command line execution
Windows Deployment Services Multicast Enhancements
Multiple Stream Transfer
– Multiple bands to broadcast images to clients (the slide shows Fast, Medium and Slow streams)
– Optimized rates per client connection
Client Auto Removal
– Slower clients can be dropped to unicast or entirely (only in standard multicast)
Boot Image Multicast
– Windows PE boot images can use multicast (clients with EFI)
MDT 2010 Overview
Import components needed to create Windows 7 into the Workbench
– Operating System Source Files
– Application Source Files
– Drivers
– OS Packages (Updates, Language Packs)
Automate the reference image build
– Promotes a regular build refresh on a monthly basis
Support Numerous Deployment Scenarios
– Lite Touch
– Zero Touch (when integrated with SCCM 2007)
– Windows Deployment Services
Customizable task sequences, rule sets, deployment wizard, and database integration for targeted deployments
User State Migration Tool 4
USMT captures user accounts, user files, operating system settings, and application settings. It then migrates them to a new Windows installation.
Scanstate.exe – tool to capture user data
• Supports NTFS hard-link migration – user data stays “on disk” during an OS deployment
• Supports “offline” data gathering
Loadstate.exe – tool used to restore user data
• Supports hard-link migration – restores user data from a hard-link store
USMTutils.exe
• Used for deleting hard-link stores that cannot otherwise be deleted due to a sharing lock
Deployment Action Plan
Develop deployment business requirements
– Required Deployment Scenarios
– Thick/Thin/Hybrid Image
– Machine Make/Model support
– Minimum Hardware Configurations
– 32 vs 64 bit support
Create an Image Engineering Environment
– Single Server Virtual Environment
Establish an iterative timeline to support early release of the core build and then focus on deployment solutions with future releases
Consider the use of MDT Linked Deployment Shares to reduce custom copy jobs to sync deployment shares throughout the organization
Determine Integration with Software Distribution and Management Products (SCCM 2007)
Deployment Resources
Choosing a Deployment Strategy
http://technet.microsoft.com/en-us/library/dd919185(WS.10).aspx
Windows 7 Deployment on TechNet
http://technet.microsoft.com/en-us/library/dd349337(WS.10).aspx
Windows 7 Deploy TechCenter
http://technet.microsoft.com/en-us/windows/dd641427.aspx
USMT Resources
USMT documentation online: http://go.microsoft.com/fwlink/?LinkId=140373
USMT XML Elements Library (.doc, .xps or .pdf) at the Microsoft Download Center: http://go.microsoft.com/fwlink/?LinkId=140375
USMT 4.0 Release Notes: http://go.microsoft.com/fwlink/?LinkId=140374
You can use the User State Migration Tool (USMT) XML schema (the MigXML.xsd file) to validate the migration .xml files using an XML authoring tool such as Microsoft® Visual Studio®. For more information about XML Tools in Microsoft® Visual Studio®, see http://go.microsoft.com/fwlink/?LinkId=140247.
For more information about automating your deployment (including best practices, migration sample scripts, and information about application compatibility, imaging, and remote deployments), see http://go.microsoft.com/fwlink/?LinkId=56488.
For more information about planning for user-state migration, see User State Migration: Overview at http://go.microsoft.com/fwlink/?LinkId=56489.
USMT newsgroup: http://go.microsoft.com/fwlink/?LinkId=64934
USMT Team Blog: http://blogs.technet.com/usmt/
Employee Training
Audiences
End Users
– Classroom based, self-directed, or short duration videos focused on using new capabilities
Operations
– Hands on deep dive into tools, troubleshooting and problem identification methods
Technical Subject Matter Experts
– Deep technical focus, Certification planners and advanced remediation techniques
Resources
Learning Snacks from Springboard
– Less than 30 minutes
– Web-based Silverlight presentation
– Good high-level overview
Microsoft Press Books
– Tools for Operations and SME resources
– eBook format
Classroom Based Training
– Provided by Microsoft Certified Partners
– Focused depth training for technical resources
Microsoft E-Learning
– Web-based, self-paced with self-testing
– Offline capability
– Targeted at end users and operations support resources
– Defined Learning Plans
Links
Windows Client TechCenter: http://technet.microsoft.com/en-us/windows/dd361745.aspx
Windows 7 Training Kit For Developers: http://www.microsoft.com/downloads/details.aspx?familyid=1C333F06-FADB-4D93-9C80-402621C600E7&displaylang=en
Windows 7 Training Portal: http://www.microsoft.com/learning/en/us/training/windows.aspx
Deploying Windows 7 Essential Guidance: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=ee2a1d38-88a9-43b3-95bc-7e962f0b6030
Microsoft Learning Portal: http://www.microsoft.com/learning/en/us/default.aspx
The Windows Optimized Desktop
Windows 7 for Enterprise: Windows 7 makes the things you do today faster and easier, and new things possible
Make Users Productive Anywhere
• Everyday Tasks are Faster & Easier
– Improved fundamentals mean your PC is more reliable, faster and more responsive
– UI advancements and Multi-Touch make it easier to navigate Windows
• Remove Barriers to Information
– Search Federation gives a consistent experience across SharePoint & PC
– Libraries enable a single view of content across multiple sources
– IE8 Accelerators and Web Slices let you reach beyond the page
• Access Information From Anywhere
– Performance improvements make mobile PCs start faster and work longer
– DirectAccess links you to corporate resources from the road, without VPN
– BranchCache makes it faster to open files & web pages from a branch office
• Optimize Your Desktops for More Flexible Ways to Work, w/ MDOP
– App-V gives you access to your applications from any PC
– Med-V lets you use a compatible corporate image on any PC
Enhance Security & Control
• Protect Data on PCs & Devices
– BitLocker & BitLocker To Go encryption and key management helps protect data on PCs and removable drives
• Protect Users and Infrastructure
– Application blocking lets IT control exactly what is allowed to run on a PC
– IE 8 provides defense from malicious Web sites and keeps data private
• Build on Windows Vista Security Foundation
– UAC refinements give fewer prompts for users and more flexibility for IT
– Enhanced auditing platform enables better monitoring to ease compliance
– Security development lifecycle provides defense in depth
• Optimize Your Desktops to Get More Control, w/ MDOP
– Asset Inventory Service lets you know what’s installed
– Advanced Group Policy Management provides greater flexibility & control
Streamline PC Management
• Easier Deployment from Win Vista
– High compatibility with Windows Vista eases migration to the new OS
– Offline image servicing helps keep images up to date efficiently
– Fast, reliable migration of users’ data and settings with User State Migration
• Keep PCs Running Smoothly
– PowerShell & Group Policy management ease configuration
– Troubleshooting platform reduces help desk issues
– DirectAccess helps IT keep mobile PCs up-to-date
• Better Support for Client Virtualization
– VDI enhancements improve user experience
– VHD support enables consistent servicing for physical & virtual images
• Optimize Your Desktops to Streamline Management, w/ MDOP
– DART gets PCs running again
– DEM lets you spot potential support issues early so you can take action
Client, server, security, and management infrastructure
The Windows Optimized Desktop
Windows 7 and Microsoft Desktop Optimization Pack
Q&A
© 2009 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.