Windows 7 Overview
Windows 7 Builds on Windows Vista: Deployment, Testing, and Pilots Today Will Continue to Pay Off
• Similar compatibility:
  • Most software that runs on Windows Vista will run on Windows 7. Exceptions will be low-level code (AV, firewall, imaging, etc.).
  • Hardware that runs Windows Vista well will run Windows 7 well.
• Few changes: focus on quality and reliability improvements.
• Deep changes: new models for security, drivers, deployment, and networking.
Windows 7 for the Enterprise
Make Users Productive Anywhere:
• At their desk
• In a branch
• On the road
Enhance Security & Control:
• Protect data & PCs
• Built on the Windows Vista foundation
Streamline PC Management:
• Easy migration
• Keep PCs running
• Virtualization
Remote Access for Mobile Workers (Make Users Productive Anywhere)
Situation Today:
• Difficult for users to access corporate resources from outside the office.
• Challenging for IT to manage, update, and patch mobile PCs while they are disconnected from the company network.
Windows 7 Solution: DirectAccess
• A new network paradigm enables the same experience inside and outside the office.
• Seamless access to network resources increases the productivity of mobile users.
• The same infrastructure investments also make it easy to service mobile PCs and distribute updates and policies.
DirectAccess
• DirectAccess provides transparent, secured access to intranet resources without a VPN.
• Native IPv6 with IPsec between the Windows 7 client and the DirectAccess server across the Internet; allows IPsec encryption and authentication.
• Supports IPv4 via 6to4 transition services or NAT-PT (IPv6 transition services).
• Supports direct connectivity to IPv6-based intranet resources.
• Supports a variety of remote network protocols.
• Allows desktop management of DirectAccess clients: AD Group Policy, NAP, software updates.
Name Resolution: DNS and the NRPT
• Remote DirectAccess clients use smart routing by default: queries for intranet names travel over the DirectAccess connection, all other queries over the Internet connection.
• The Name Resolution Policy Table (NRPT) allows this to happen efficiently and securely.
• It sends name queries to internal DNS servers based on a pre-configured DNS namespace.
NRPT
• Client side only.
• Namespace entries require a leading dot.
• Static table that defines which DNS servers the client will use for the listed names.
• Configurable via GPO at Computer Configuration | Policies | Windows Settings | Name Resolution Policy.
• Can be viewed with netsh namespace show policy (configured rules) and netsh namespace show effectivepolicy (rules currently in force).
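The following is an added example and is not code from the deck or from Microsoft. It models how an NRPT-style rule set decides where a DNS query goes, so the leading-dot requirement and the exemption behaviour can be seen on constructed input. The rule table, the contoso.com names and the 2001:db8 addresses are constructed placeholders; on a real Windows 7 DirectAccess client the table comes from Group Policy and is listed with the netsh commands shown in the comments.

```powershell
# Added example, not taken from the deck. Models how an NRPT rule set decides where a DNS query
# is sent. The rule table below is constructed for illustration; on a real Windows 7 DirectAccess
# client the table comes from Group Policy and is listed with
#   netsh namespace show policy            (rules as configured)
#   netsh namespace show effectivepolicy   (rules currently in force)

$Nrpt = @(
    # Intranet namespace: queries go to the internal DNS servers over the DirectAccess tunnel.
    @{ Namespace = '.corp.contoso.com'; DnsServers = @('2001:db8:1::10', '2001:db8:1::11') },
    # Exemption (no DNS servers): the DirectAccess server's public name must resolve through the
    # normal interface DNS servers, otherwise the tunnel could never be established.
    @{ Namespace = '.da.contoso.com';   DnsServers = @() },
    # Deliberately malformed: the NRPT only accepts suffixes written with a leading dot.
    @{ Namespace = 'contoso.com';       DnsServers = @('2001:db8:1::10') }
)

function Test-NrptRule {
    param([hashtable]$Rule)
    return $Rule.Namespace.StartsWith('.')
}

function Resolve-NrptTarget {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][array]$Table
    )
    $fqdn = $Name.TrimEnd('.').ToLowerInvariant()
    $best = $null
    foreach ($rule in $Table) {
        if (-not (Test-NrptRule $rule)) { continue }
        $suffix = $rule.Namespace.ToLowerInvariant()
        # A rule for .corp.contoso.com applies to corp.contoso.com itself and to every name below it.
        $isMatch = $fqdn.EndsWith($suffix) -or ($fqdn -eq $suffix.TrimStart('.'))
        # The most specific (longest) suffix wins when several rules match.
        if ($isMatch -and ($null -eq $best -or $suffix.Length -gt $best.Namespace.Length)) {
            $best = $rule
        }
    }
    if ($null -eq $best) { return 'interface DNS (no NRPT rule matched)' }
    if ($best.DnsServers.Count -eq 0) { return "interface DNS (exempted by rule $($best.Namespace))" }
    return "$($best.DnsServers -join ', ') via DirectAccess (rule $($best.Namespace))"
}

# Report rules that would be rejected, then route a few sample names.
$Nrpt | Where-Object { -not (Test-NrptRule $_) } |
    ForEach-Object { Write-Warning "Rule '$($_.Namespace)' is ignored: namespace needs a leading dot" }

'app1.corp.contoso.com', 'corp.contoso.com', 'da.contoso.com', 'www.contoso.com' |
    ForEach-Object { '{0,-24} -> {1}' -f $_, (Resolve-NrptTarget -Name $_ -Table $Nrpt) }
```

The last name, www.contoso.com, falls through to the interface DNS servers because the only rule that could cover it lacks the leading dot and is therefore not a valid NRPT entry; a rule for the whole internal domain that is typed without the dot silently leaks those queries to whatever resolver the local network hands out.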
Two-Factor Authentication (TFA)
• Not required; fully supported.
• Edge-based enforcement: a smarter way to enforce TFA.
• A user who logs on with a smart card is assigned the well-known SID S-1-5-65-1 in the logon token.
• The user may log on to the laptop without TFA.
• When the user accesses corporate resources, the IPsec authorization policy checks for this SID.
• If the SID is not present…
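An added example, not from the deck: a check for the token attribute the slide describes. It asks the current logon token whether it carries the well-known SID S-1-5-65-1, which Windows adds on a smart-card logon; the DirectAccess IPsec authorization policy evaluates the same token attribute at the edge. It runs on any Windows 7 machine without DirectAccess infrastructure.

```powershell
# Added example, not taken from the deck. Checks whether a logon token carries the well-known
# SID S-1-5-65-1 that Windows adds on a smart-card logon; this is the token attribute the
# DirectAccess IPsec authorization policy inspects.
function Test-SmartCardLogon {
    param(
        # Defaults to the token of the calling user; pass another WindowsIdentity to inspect it.
        [System.Security.Principal.WindowsIdentity]$Identity =
            [System.Security.Principal.WindowsIdentity]::GetCurrent()
    )
    $thisOrgCert = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-65-1'
    # Groups holds every group and well-known SID in the token, not only AD group memberships.
    return $Identity.Groups.Contains($thisOrgCert)
}

if (Test-SmartCardLogon) {
    'Token contains S-1-5-65-1: this session was authenticated with a smart card.'
} else {
    'Token lacks S-1-5-65-1: password logon; an edge IPsec policy that requires the SID will not grant access.'
}

# The same check from a command prompt, handy when troubleshooting on a user's laptop:
#   whoami /groups | findstr S-1-5-65-1
```

Because the SID is minted at logon, a user who logged on with a password and later inserts the smart card still has a token without it; they must log off and log on with the card before the edge policy will admit them.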
Branch Office Network Performance (Make Users Productive Anywhere)
Situation Today:
• Application and data access over the WAN is slow in branch offices.
• Slow connections hurt user productivity.
• Improving network performance is expensive and difficult to implement.
Windows 7 Solution: BranchCache™
• Caches content downloaded from file and Web servers.
• Users in the branch can quickly open files stored in the cache.
• Frees up network bandwidth for other uses.
Distributed Cache (diagram: a branch client sends a Get to the main office, receives content identifiers, and fetches the data from peers in the branch office that already hold it)
Hosted Cache (diagram: the branch client gets identifiers from the main office and searches the hosted cache server in the branch; on a hit it gets the data from the server, on a miss it requests the data from the main office and offers/puts it into the hosted cache)
Hosted Cache vs. Distributed Cache
Distributed Cache (data cached amongst clients):
• Recommended for branches without any infrastructure
• Easy to deploy: enabled on clients through Group Policy
• Cache availability decreases as laptops go offline
Enterprise Hosted Cache (data cached at the host server):
• Recommended for larger branches
• Cache stored centrally: can use an existing server in the branch
• Cache availability is high
• Enables branch-wide caching
Deployment
• Main office: install the BranchCache™ feature on the Windows Server 2008 R2 content servers (IIS, file server).
• Branch offices: enable clients through Group Policy (Group Policy Management).
• Optionally, install a hosted cache in your branch.
Additional configuration options • Enable / disable distributed cache mode • Enable / disable hosted cache mode • Set the cache size • Set the location of the hosted cache • Clear the cache • Create and replicate a shared key for use in a server cluster • And more … • Works in domains and workgroups
Monitoring • Event logs - Operational logs & Audit logs • Perfmon counters - Client, hosted cache and Content Server • netsh for querying the infrastructure for potential problems • Cache size too small, firewall issues, certificate problems etc • SCOM Management Pack - for rolling all the information up
Security of Data at Rest • Clients • Cache only contains content requested by the client • Data in cache ACL’d so that it is only accessible if authorized by the server • If data leakage is a concern, then use BitLocker or EFS • Hosted Cache • Cache contains content requested by all branch clients • Use BitLocker or EFS to encrypt cache as necessary • All data can be purged from the cache using netsh
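An added example that is not part of the deck. It covers the client-side half of the deployment, configuration, monitoring and purge steps above through the netsh branchcache context the slides refer to. Run it from an elevated PowerShell prompt on a client SKU that includes BranchCache (Windows 7 Enterprise or Ultimate). The hosted cache server name 'branch-srv01' and the 5% cache size are placeholders.

```powershell
# Added example, not taken from the deck. Puts a Windows 7 client into a BranchCache mode, sizes
# the cache, reports status, reads the operational log and purges the cache. The hosted cache
# server name 'branch-srv01' is a placeholder.

function Invoke-Netsh {
    # Runs one netsh command line and turns a non-zero exit code into a terminating error.
    param([Parameter(Mandatory = $true)][string[]]$Arguments)
    $output = & netsh.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh $($Arguments -join ' ') failed: $output" }
    return $output
}

function Set-BranchCacheMode {
    param(
        [Parameter(Mandatory = $true)][ValidateSet('distributed', 'hostedclient', 'disabled')][string]$Mode,
        [string]$HostedCacheServer   # required for hostedclient; clients talk to it over HTTPS
    )
    switch ($Mode) {
        'distributed'  { Invoke-Netsh 'branchcache', 'set', 'service', 'mode=distributed' }
        'hostedclient' {
            if (-not $HostedCacheServer) { throw 'hostedclient mode needs -HostedCacheServer' }
            Invoke-Netsh 'branchcache', 'set', 'service', 'mode=hostedclient', "location=$HostedCacheServer"
        }
        'disabled'     { Invoke-Netsh 'branchcache', 'set', 'service', 'mode=disabled' }
    }
}

function Set-BranchCacheSize {
    # Size as a percentage of the volume; use percent=FALSE with a byte count for an absolute size.
    param([Parameter(Mandatory = $true)][int]$Percent)
    Invoke-Netsh 'branchcache', 'set', 'cachesize', "size=$Percent", 'percent=TRUE'
}

function Get-BranchCacheStatus {
    Invoke-Netsh 'branchcache', 'show', 'status', 'all'
}

function Get-BranchCacheEvents {
    # The operational log carries the problems the deck lists (firewall, certificates, cache too small).
    param([int]$Newest = 20)
    Get-WinEvent -LogName 'Microsoft-Windows-BranchCache/Operational' -MaxEvents $Newest -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

function Clear-BranchCacheContent {
    # Removes all cached data (the deck's purge). Use before a laptop leaves the organisation or when
    # content must not remain in the branch; encryption of what stays on disk is BitLocker's job.
    Invoke-Netsh 'branchcache', 'flush'
}

# Typical first run on a branch laptop in an office without a hosted cache. The netsh command also
# enables the BranchCache Windows Firewall rules the peers need to reach each other.
Set-BranchCacheMode -Mode distributed
Set-BranchCacheSize -Percent 5
Get-BranchCacheStatus
Get-BranchCacheEvents -Newest 10 | Format-Table -AutoSize

# Switching the same client to a hosted cache later:
# Set-BranchCacheMode -Mode hostedclient -HostedCacheServer 'branch-srv01'
# Before decommissioning the machine:
# Clear-BranchCacheContent
```

The flush only removes content; it does not change the mode or the Group Policy that drives it, so a client will refill the cache as soon as it next reads BranchCache-enabled content.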
Scale and Performance
• Scale: distributed cache scales well to approximately 100 users per branch; WS-Discovery traffic is a key consideration.
• Results may vary: highly dependent on content, workload and usage patterns.
• Hosted Cache scalability is comparable to standard file server workloads.
• MSIT pilot in Belgium: approximately 70% reduction in \\products\public related SMB traffic.
BitLocker - Data Protection (Enhance Security & Control)
Situation Today:
• Users store increasing volumes of data, including sensitive data, on removable storage devices.
• Removable storage devices are easy to lose and, unlike a PC, the loss may go unnoticed for a while.
Windows 7 Solution: BitLocker + BitLocker To Go™
• Protect data on internal and removable drives.
• Mandate the use of encryption with Group Policy.
• Store recovery information in Active Directory for manageability.
• Simplify BitLocker setup and configuration of the primary hard drive.
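An added example, not from the deck: the removable-drive procedure the slide outlines, done with manage-bde.exe from an elevated prompt. It turns on BitLocker To Go for a USB drive with a password protector and a 48-digit recovery password, then escrows the recovery password in Active Directory. The drive letter E: is a placeholder. Mandating encryption is a separate Group Policy setting (Removable Data Drives: "Deny write access to removable drives not protected by BitLocker"), not something manage-bde does.

```powershell
# Added example, not taken from the deck. Encrypts a removable drive with BitLocker To Go, adds a
# recovery password alongside the user's password and backs that recovery password up to AD DS.
param([string]$Drive = 'E:')   # placeholder drive letter of the inserted USB drive

function Invoke-ManageBde {
    # Runs manage-bde with the given arguments and fails loudly on a non-zero exit code.
    param([Parameter(Mandatory = $true)][string[]]$Arguments)
    $output = & manage-bde.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "manage-bde $($Arguments -join ' ') failed: $output" }
    return $output
}

function Get-BitLockerProtectorIds {
    # Parses 'manage-bde -protectors -get' into a protector-type -> ID map. It assumes only that each
    # protector is introduced by a heading line ("Numerical Password:", "Password:", ...) and that the
    # first 'ID: {guid}' line after it belongs to that protector.
    param([Parameter(Mandatory = $true)][string]$Volume)
    $type = $null
    $ids  = @{}
    foreach ($line in (Invoke-ManageBde '-protectors', '-get', $Volume)) {
        if ($line -match '^\s*(Numerical Password|Password|External Key|TPM[^:]*):\s*$') { $type = $Matches[1]; continue }
        if ($type -and $line -match 'ID:\s*(\{[0-9A-Fa-f-]+\})') { $ids[$type] = $Matches[1]; $type = $null }
    }
    return $ids
}

# 1. Encrypt with a password protector plus a numerical recovery password. manage-bde prompts for the
#    password on the console, so this call is not captured. Without the recovery password a forgotten
#    password means the data on the drive is gone.
& manage-bde.exe -on $Drive -Password -RecoveryPassword
if ($LASTEXITCODE -ne 0) { throw "Turning on BitLocker for $Drive failed" }

# 2. Locate the recovery password protector and escrow it in AD DS. The Group Policy setting 'Choose how
#    BitLocker-protected removable drives can be recovered' can make this automatic at enable time; the
#    explicit backup covers drives that were encrypted before that policy reached the client.
$ids = Get-BitLockerProtectorIds -Volume $Drive
if (-not $ids.ContainsKey('Numerical Password')) { throw "No recovery password protector found on $Drive" }
Invoke-ManageBde '-protectors', '-adbackup', $Drive, '-id', $ids['Numerical Password'] | Out-Null

# 3. Confirm encryption is running and which protectors the volume carries.
Invoke-ManageBde '-status', $Drive
Get-BitLockerProtectorIds -Volume $Drive
```

The AD backup succeeds only if the domain already has the BitLocker recovery schema and the computer account has permission to write to it; if the adbackup step throws, the drive is still encrypted and the recovery password must be stored somewhere else before the drive leaves the admin's hands.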
Application Control (Enhance Security and Control)
Situation Today:
• Users can install and run unapproved applications.
• Even standard users can install some types of software.
• Unauthorized applications may introduce malware, increase helpdesk calls, reduce user productivity, and undermine compliance efforts.
Windows 7 Solution: AppLocker™
• Eliminate unwanted/unknown applications in your network.
• Enforce application standardization within your organization.
• Easily create and manage flexible rules using Group Policy.
AppLocker™ Technical Details • Simple rule structure: Allow, Exception & Deny • Publisher rules: product publisher, name, filename & version • Multiple policies: executables, installers, scripts & DLLs • Rule creation tools & wizard • Audit-only mode
Publisher Rules • Rules based upon application digital signatures • Can specify application attributes • Allow for rules that survive application updates “Allow all versions greater than 12 of the Office Suite to run if it is signed by the software publisher Microsoft.”
Simple Rule Structure
“Allow all versions greater than 12 of the Office Suite to run if it is signed by the software publisher Microsoft EXCEPT Microsoft Access.”
• Allow: limit execution to “known good” and block everything else.
• Deny: deny “known bad” and allow execution of everything else.
• Exception: exclude files from an allow/deny rule that would normally be included.
Rule Targeting Per User • Rules can be associated with any user or group • Provides granular control of specific applications • Supports compliance by enforcing who can run specific applications “Allow users in the Finance Department to run…”
Multiple Rule Sets “Allow users to install updates for Office as long as it is signed by Microsoft and is for version 12.*” • Rule Types • Executable • Installer • Script • DLL • Allows construction of rules beyond executable only solutions • Provides greater flexibility and enhanced protection
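An added example, not from the deck, covering the publisher-rule, audit-only and rule-set slides above with the AppLocker PowerShell module that ships in Windows 7. It generates publisher rules from the executables of a reference Office installation, switches the rule collection to audit-only, dry-runs the policy against two files, merges it into the local policy and reads the audit events. The Office path, the user name and the output file are placeholders; run it elevated on Windows 7 Enterprise or Ultimate. The EXCEPT clause from the slide is an <Exceptions> element inside the generated rule and is added in the policy XML or the Group Policy editor, not by these cmdlets.

```powershell
# Added example, not taken from the deck. Builds publisher rules for a reference Office install,
# deploys them locally in audit-only mode, tests two files against them and reads the audit log.
Import-Module AppLocker    # PowerShell 2.0 on Windows 7 does not auto-load modules

$OfficeDir = 'C:\Program Files\Microsoft Office\Office12'   # placeholder reference install
$PolicyXml = Join-Path $env:TEMP 'office-publisher-audit.xml'

# AppLocker is inert unless the Application Identity service runs; make sure it starts automatically.
Set-Service -Name AppIDSvc -StartupType Automatic
if ((Get-Service -Name AppIDSvc).Status -ne 'Running') { Start-Service -Name AppIDSvc }

# 1. Read signature, product, binary name and version from each .exe under the reference install.
$fileInfo = Get-AppLockerFileInformation -Directory $OfficeDir -Recurse -FileType Exe

# 2. Build allow rules for Everyone: publisher rules for signed files (they survive version updates),
#    hash rules as the fallback for anything unsigned. -Optimize merges files that share a publisher
#    and product into one rule with wildcard binary name and version range.
[xml]$policy = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# 3. Start in audit-only mode so nothing is blocked while the rule set is validated.
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) { $collection.EnforcementMode = 'AuditOnly' }
$policy.Save($PolicyXml)

# 4. Dry-run the policy against a file it should allow and one it says nothing about. With no rule
#    covering the Windows directory, cmd.exe comes back Denied: enforcing this policy on its own would
#    lock the machine out, which is why the default rules for Windows and Program Files are merged in first.
Test-AppLockerPolicy -XmlPolicy $PolicyXml -User 'CONTOSO\alice' -Path @(
    (Join-Path $OfficeDir 'WINWORD.EXE'),
    (Join-Path $env:SystemRoot 'System32\cmd.exe')
) | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Merge into the local policy (use -LDAP '<GPO path>' instead of -Merge to write to a domain GPO).
Set-AppLockerPolicy -XmlPolicy $PolicyXml -Merge

# 6. After users have worked under audit for a while, 8003 events list what enforcement would have blocked.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Publisher rules only hold up as long as the signing certificate chain does: a binary that is re-signed by a different publisher, or an unsigned helper dropped next to the suite, falls through to whatever hash or path rules exist, so the 8003 audit output is worth reading for those cases before the collection is switched to Enabled.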
Full Fidelity RemoteApp and Remote Desktop
• RemoteApp and Remote Desktop connections: icons integrate into the Start menu and refresh and update automatically.
• Multimedia support and audio input: rich multimedia redirection; use VoIP applications and speech recognition.
• True multiple-monitor support: use up to 10 monitors of any size or layout with RemoteApp and Remote Desktop; applications behave as users expect, e.g. PowerPoint behaves as if installed locally.
• Aero Glass for Remote Desktop Server: users get the same Windows 7 look and feel when using Remote Desktop Server.
• RemoteApp language bar support: configure applications that use different language settings from the local language (such as right-to-left languages).
Virtual Desktop Infrastructure (Streamline PC Management)
Situation Today: What is Virtual Desktop Infrastructure?
• Deploying desktops in virtual machines on server hardware.
• Centralized management & security.
• Users can access their desktop and applications wherever they are.*
Windows 7 Solution:
• Richer remote experience: richer graphics with improved multi-monitor support; use voice for telephony & applications with microphone support; improved printing.
• Do more with VHDs: maintain VHDs with offline servicing of VHD images using the same tools as for WIM; boot from VHD, reusing VHD files for deployment to managed desktop PCs.
* Using Windows for VDI scenarios requires an additional VECD license.
Search in the Enterprise (Make Users Productive Anywhere)
Situation Today:
• Current desktop and enterprise search solutions are good, but not integrated.
• Users need to take different steps to find data on the PC and data on servers.
• Data sources are hard to discover.
Windows 7 Solution: Search Federation
• Consistent experience to find data from multiple locations, including SharePoint sites.
• Users and IT can pre-populate Favorites in Windows Explorer with remote search sites that support the OpenSearch protocol.
• IT can point users to selected search sites with Enterprise Search Scopes.
Windows 7 Manageability: Flexible Administrative Control; Increased Automation to Reduce Costs; Reduce Help Desk Calls and Keep Users Productive
• Windows PowerShell 2.0
• Integrated Scripting Environment
• Windows Troubleshooting Platform
• Remotable reliability data
• Problem Steps Recorder
• Enhanced Group Policy scenarios
• Group Policy scripting
• Group Policy Preferences
What is Windows PowerShell? • Console • Interactive commands • Query and configure • Run jobs • Scripting language • Automate everything • Sharable and reusable
PowerShell Remoting
• Both the local and the remote computer need: Windows PowerShell 2.0; Microsoft .NET Framework 2.0 or later; Windows Remote Management (WinRM) 2.0.
• To configure PowerShell remoting: start PowerShell as administrator and run the Enable-PSRemoting cmdlet. It starts the WinRM service and sets it to start automatically, creates the WinRM listener, and adds the Windows Firewall exception.
Windows PowerShell Remoting
• Use the ComputerName parameter with selected cmdlets (these use the cmdlet's own remote-access mechanism, not WinRM, so they work without Enable-PSRemoting but need the corresponding RPC/DCOM access):
  Get-Process -ComputerName Berlin
• Run a command on a remote computer:
  Invoke-Command -ComputerName Berlin -ScriptBlock { HostName }
• Open a PowerShell session on a remote computer:
  Enter-PSSession -ComputerName Berlin
  [berlin]: PS C:\> HostName
  [berlin]: PS C:\> Exit-PSSession
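An added example that is not part of the deck. It extends the one-host commands above to the fan-out case an administrator actually needs: check that WinRM answers on a set of machines, then run one script block on all of them with Invoke-Command and collect typed results. The computer names, the account and the hotfix ID are placeholders; Enable-PSRemoting must already have been run (elevated) on each target. In a domain, Kerberos authenticates both ends, so the client never has to add the targets to TrustedHosts.

```powershell
# Added example, not taken from the deck. Checks WinRM reachability for several computers, then fans one
# inventory script block out to all of them with Invoke-Command. Names, account and hotfix ID are placeholders.
$Computers = 'berlin', 'paris', 'madrid'   # placeholder names in the deck's style
$HotfixId  = 'KB976932'                     # Windows 7 SP1 package, a stand-in for the update being audited

function Test-RemotingReady {
    # Test-WSMan talks to the WinRM listener (TCP 5985 by default) without opening a full session.
    param([Parameter(Mandatory = $true)][string[]]$ComputerName)
    foreach ($computer in $ComputerName) {
        $reachable = $false
        try { $null = Test-WSMan -ComputerName $computer -ErrorAction Stop; $reachable = $true } catch { }
        New-Object PSObject -Property @{ ComputerName = $computer; WinRM = $reachable }
    }
}

function Get-RemoteUpdateStatus {
    param(
        [Parameter(Mandatory = $true)][string[]]$ComputerName,
        [Parameter(Mandatory = $true)][string]$Id,
        [System.Management.Automation.PSCredential]$Credential
    )
    $params = @{ ComputerName = $ComputerName; ErrorAction = 'SilentlyContinue' }
    if ($Credential) { $params.Credential = $Credential }
    # Runs on every target in parallel (default throttle 32). Output comes back deserialized and stamped
    # with PSComputerName, so results from different hosts cannot be confused.
    Invoke-Command @params -ArgumentList $Id -ScriptBlock {
        param($Id)
        $hotfix = Get-HotFix -Id $Id -ErrorAction SilentlyContinue
        $os     = Get-WmiObject -Class Win32_OperatingSystem
        New-Object PSObject -Property @{
            Installed = [bool]$hotfix
            LastBoot  = $os.ConvertToDateTime($os.LastBootUpTime)
            Build     = $os.BuildNumber
        }
    }
}

$ready = Test-RemotingReady -ComputerName $Computers
$ready | Format-Table -AutoSize
$online = $ready | Where-Object { $_.WinRM } | ForEach-Object { $_.ComputerName }

if ($online) {
    $cred = Get-Credential -Credential 'CONTOSO\admin'   # placeholder account; prompts for the password
    Get-RemoteUpdateStatus -ComputerName $online -Id $HotfixId -Credential $cred |
        Format-Table PSComputerName, Installed, Build, LastBoot -AutoSize
}

# For repeated work keep one session per host instead of paying the WinRM setup cost on every call:
#   $s = New-PSSession -ComputerName $online -Credential $cred
#   Invoke-Command -Session $s -ScriptBlock { Get-Service WinRM }
#   Remove-PSSession $s
```

The script block runs under the supplied credential on the target and cannot hop further: anything inside it that reaches a third machine (a file share, another WMI call) fails unless delegation has been set up separately, so keep remote script blocks self-contained as this one is.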
Deployment Enhancements
IMAGING: Deployment Image Servicing and Management (DISM)
• Add/remove drivers and packages
• WIM and VHD image management
DELIVERY: Windows Deployment Services
• Multiple stream transfer
• Dynamic driver provisioning
• VHD and WIM support
MIGRATION: User State Migration Tool
• Hardlink migration
• Offline file gather
• Improved user file detection
INTEGRATED SOLUTIONS CONTINUE: Microsoft Assessment and Planning, Application Compatibility Toolkit, Microsoft Deployment Toolkit
Windows Optimized Desktop: the core PC platform plus the unique value of SA + MDOP
Windows Optimized Desktop: Windows 7 & MDOP Investment Areas
Make Users Productive Anywhere:
• Windows 7: DirectAccess, BranchCache, Federated Search, Navigation
• MDOP: App-V, MED-V
Improve Security and Control:
• Windows 7: BitLocker, BitLocker To Go, AppLocker, Security Development Lifecycle
• MDOP: AIS
Streamline PC Management to Save Costs:
• Windows 7: PowerShell, Windows Troubleshooting Platform, Deployment Tools, VDI Enhancements
• MDOP: DEM, DART, AGPM
MDOP Fundamentals: Performance | Reliability | Compatibility
Why do my customers need MED-V? The challenge of upgrading to a new operating system
• Test: test the compatibility of all applications with the new OS.
• Migrate: migrate or replace incompatible applications.
• Upgrade: upgrade the organization to the new OS.
First upgrade – then migrate!
Introducing Windows Virtual PC
Virtual PC 2007:
• Primary audience: developers / IT
• Typical guest OS: multiple guest OSes
Windows 7 Virtual PC (Windows Virtual PC):
• Scenario: Windows XP compatibility for small businesses with no IT
• Cost: none. Virtual Windows XP is included with Windows 7 Pro
• Features: seamless integration, USB device support
How MED-V Relates to Windows XP Mode
Windows Virtual PC (“XP Mode”) provides the ease of use for end users:
• A preconfigured virtual Windows XP SP3 (32-bit) environment
• Easy to install your applications on Windows XP and run them from the Windows 7 desktop
• Well integrated into Windows 7
• Designed for small businesses and consumers
MED-V – application-OS compatibility for the enterprise:
• Deploy virtual Windows XP images and customize them per user
• Provision and define applications and websites for users
• Control Virtual PC settings
• Maintain and support endpoints through monitoring and troubleshooting
• MED-V will not require PCs to have hardware-assisted virtualization (e.g. Intel VT, AMD-V)
MED-V – Deploying Virtual PCs in the Enterprise • MED-V* Centrally Manages Virtual Windows Environments • Deploy – deliver virtual Windows images and customize per user • Provision – define which applications and websites are available • Control – set usage permissions and Virtual PC settings • Maintain and Support - monitor and troubleshoot end points • MED-V will provide a solution for enterprise devices without hardware assisted virtualization (e.g. VT) • Windows Virtual PC Provides the Ease of Use for End Users • Run Windows XP or other Windows environments on Windows 7 • Install and launch Windows XP applications from Win7 Desktop
MED-V v1 Architecture (architecture diagram; only the label “Software Distribution” survives extraction)
Increased Value in Optimized Desktop • Make Users Productive Anywhere • DirectAccess • BranchCache™ • Enterprise Search Scopes • Enhance Security and Protect Data • BitLocker & BitLocker To Go • AppLocker • Streamline PC Management • MUI Language Packs • VDI Enhancements (VDI requires VECD license) • Boot from VHD • Subsystem for UNIX • 4 Virtual Operating Systems • Network Boot License
MED-V v1 Key Capabilities
Deploy and provision:
• Deploy an IT-managed virtual XP environment to end users
• Enable customization in heterogeneous desktop environments
• Automate first-time virtual PC setup (e.g. initial network setup, computer name, domain join)
• Application provisioning based on Microsoft Active Directory® users/groups
• Assign a virtual image and define which applications are available to the user
Control and monitor:
• Centrally define Virtual PC settings (e.g. adjust virtual PC memory allocation based on available RAM on the host)
• Centrally monitor endpoint clients
• Provide helpdesk tools to diagnose and troubleshoot virtual PCs
Enable incompatible applications:
• End users seamlessly use Windows XP applications on their Windows 7 desktop
• End users automatically see websites that require Internet Explorer 6 in the virtual environment
Typical Virtual Image life-cycle • Create a master image • Include common software, security and management tools • Package the image and distribute • Via existing software distribution (e.g. System Center) • Image is customized and joined to domain • Unique name is assigned for identification • Remotely manage as any Windows XP desktop • Install applications • Apply patches and updates
App-V for the Enterprise: Package, Stream, Manage.
Application virtualization isolates applications to create a conflict-free environment, with manageability as the cornerstone of successful service delivery.
Application Virtualization Made Easy:
• No user learning curve: click to launch any virtual application anywhere.
• Simplify your next Windows rollout.
• Easily prepare virtual applications and dependencies for deployment.
Flexible Management Built In:
• Flexible deployment and streaming options for all business needs.
• Readily accessible applications for users, manageable for IT.
• Virtual application management in the box.
Proven. Real Business Results.
• Mature and proven.
• Save time & money: deploy applications virtually.
• Partners ready to move you from proof of concept to production.
Microsoft Application Virtualization: Application Sequencing, the gateway to Microsoft Application Virtualization
• Input: a Windows application (installer or CD).
• The Microsoft Application Virtualization Sequencer rapidly packages applications through active-watch technology, capturing execution dependencies; the package is then optimized and compressed (linearization).
• The Sequencer produces the virtual application package containing the application and its dependencies.
• The admin has the option to stream the virtual application from a streaming server or to create an MSI wrapper for Standalone Mode delivery.
Dynamic Application Interaction: Dynamic Suite Composition (DSC)
Independent virtual environments:
• The administrator controls and configures each virtual application separately.
• A single application with no dependencies still exists on its own.
Combined virtual environment (application sharing using DSC):
• Applications known not to conflict may be configured to share the same virtual environment, enabling inter-application communication.
• Create a “one to one” scenario for single applications that are dependent on each other.
• Create a “many to one” scenario where middleware and plug-in components can be reused: virtualize middleware once, share it with many.
• Mandatory/optional dependency configuration options.
• Virtual applications can share common dependencies (data, system services, configurations).
• Reduces the potential package size (flexible package management).
Microsoft Application Virtualization Deployment Options: Package, Deploy, Manage.
Conflict-free applications with manageability as the cornerstone of successful service delivery.
• Manage virtual & physical applications from one PC lifecycle management solution.
• Manage, stream and update App-V virtual applications with capabilities in the box.
• Integrate App-V into existing environments and processes.
App-V client, Management Server, streaming and sequencing:
• Reduce application conflicts
• Reduce application compatibility testing
• Remove application-related reboots
• Dynamic application streaming
• Always accessible applications
Standalone Mode:
• Standalone execution of virtual applications; no server is required
• MSI wrapper is the configuration control
• Interoperable with SMS/SCCM & 3rd-party ESD
Lightweight Infrastructure (Streaming Server):
• Dynamic delivery; Package/Active Upgrade
• No SQL Server required
• Allows streaming capability to be added to SMS/SCCM & 3rd-party ESD
Full Infrastructure (Management Server):
• Desktop Publishing Service
• Dynamic delivery; Package/Active Upgrade
• Requires Active Directory and SQL Server
Configuration Manager 2007 R2 + Application Virtualization:
• Single management console; single software distribution workflow
• No additional infrastructure required
• Integrate virtual applications with automated OS deployment
• Full status and reporting of virtual applications; inventory and updating of virtual applications
• User or machine targeting
• Scalable to 100s of thousands of devices
MED-V and App-V are part of the MDOP subscription
• AIS: translating software inventory into business intelligence
• AGPM: enhancing Group Policy through change management
• App-V: dynamically streaming software as a centrally managed service
• DEM: proactively managing application and operating system failures
• DART: powerful tools to accelerate desktop repair
• MED-V: simplifying deployment and management of Virtual PCs
And what about the Windows XP license for the Virtual PC?
• With Software Assurance, customers can run up to 4 virtual OS instances on each licensed device.