Windows 7 Overview
Similar Compatibility: Most software that runs on Windows Vista will run on Windows 7. Exceptions will be low-level code (AV, firewall, imaging, etc.). Hardware that runs Windows Vista well will run Windows 7 well.
Few Changes: Focus on quality and reliability improvements
Windows 7 Builds on Windows Vista: Deployment, Testing, and Pilots Today Will Continue to Pay Off
Deep Changes: New models for security, drivers, deployment, and networking
Windows 7 for the Enterprise
At their desk / In a branch / On the road
Enhance Security & Control: protect data & PCs; built on the Windows Vista foundation
Streamline PC Management: easy migration; keep PCs running; virtualization
Make Users Productive Anywhere
Remote Access for Mobile Workers (Make Users Productive Anywhere)
Situation Today:
Difficult for users to access corporate resources from outside the office
Challenging for IT to manage, update and patch mobile PCs while they are disconnected from the company network
Windows 7 Solution:
New network paradigm enables the same experience inside and outside the office
Seamless access to network resources increases productivity of mobile users
Infrastructure investments also make it easy to service mobile PCs and distribute updates and policies
(Diagram labels: Home, Office, Internet, DirectAccess server, Windows 7 client, IPv6 devices, IPv4 devices, native IPv6 with IPsec, IPv6 transition services, supports a variety of remote network protocols)
DirectAccess
DirectAccess provides transparent, secured access to intranet resources without a VPN
Allows desktop management of DirectAccess clients
Allows IPsec encryption and authentication
Supports direct connectivity to IPv6-based intranet resources
Supports IPv4 via 6to4 transition services or NAT-PT
IT desktop management: AD Group Policy, NAP, software updates
Name Resolution: DNS and the NRPT
Remote DirectAccess clients utilize smart routing by default
The Name Resolution Policy Table (NRPT) allows this to happen efficiently and securely
Sends name queries to internal DNS servers based on pre-configured DNS namespaces
(Diagram: queries for listed namespaces go over the DirectAccess connection; all other queries go over the Internet connection)
NRPT
Client side only
Requires a leading dot
Static table that defines which DNS servers the client will use for the listed names
Configurable via GPO at Computer Configuration | Policies | Windows Settings | Name Resolution Policy
Can be viewed with netsh namespace show policy
Example NRPT:
.ad.contoso.com: 2001:db8:b90a:c7d8::178, 2001:db8:b90a:c7d8::183
.lab.contoso.com: 2001:db8:b90a:c7a8::202
*.sql.contoso.com: 2001:db8:b90a:c7e4::801
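The following is an added example, not part of the deck: it models the NRPT entries above and the smart-routing decision a DirectAccess client makes per query name (longest matching suffix wins; no match means the Internet interface's DNS servers are used). The function names, the table layout and the simplified suffix matching are assumptions for illustration; the real table is delivered by GPO.

```powershell
# Constructed data: the three NRPT entries from the slide. A leading dot means
# "this suffix and everything below it"; Servers are intranet DNS servers that
# are reached over the DirectAccess tunnel.
$Nrpt = @(
    @{ Namespace = '.ad.contoso.com';   Servers = @('2001:db8:b90a:c7d8::178', '2001:db8:b90a:c7d8::183') },
    @{ Namespace = '.lab.contoso.com';  Servers = @('2001:db8:b90a:c7a8::202') },
    @{ Namespace = '*.sql.contoso.com'; Servers = @('2001:db8:b90a:c7e4::801') }
)

function Test-NrptEntry {
    # The NRPT requires a leading dot (or a "*." wildcard) on every namespace; a bare
    # "contoso.com" entry would never match a query, so catch it before it reaches a GPO.
    param([hashtable]$Entry)
    $ns = $Entry.Namespace
    if ($ns -notmatch '^(\.|\*\.)') {
        throw "NRPT namespace '$ns' must start with a leading dot (e.g. '.contoso.com')"
    }
    foreach ($s in $Entry.Servers) {
        if (-not [System.Net.IPAddress]::TryParse($s, [ref]$null)) {
            throw "NRPT namespace '$ns' lists an invalid DNS server address '$s'"
        }
    }
    $true
}

function Resolve-NrptRoute {
    # Returns where a query for $Name is sent: the intranet servers of the longest
    # matching NRPT entry (route "DirectAccess"), or route "Internet" with no servers
    # when nothing matches (the client then uses its interface DNS servers).
    # Simplified model: suffix match only, no exemption entries.
    param([string]$Name, [array]$Table)
    $query = $Name.TrimEnd('.').ToLowerInvariant()
    $best = $null
    foreach ($e in $Table) {
        $suffix = ($e.Namespace -replace '^\*', '').ToLowerInvariant()   # "*.x" and ".x" both mean suffix ".x"
        if ($query.EndsWith($suffix) -and ($null -eq $best -or $suffix.Length -gt $best.Suffix.Length)) {
            $best = @{ Suffix = $suffix; Servers = $e.Servers }
        }
    }
    if ($best) {
        New-Object PSObject -Property @{ Name = $Name; Route = 'DirectAccess'; DnsServers = ($best.Servers -join ', ') }
    } else {
        New-Object PSObject -Property @{ Name = $Name; Route = 'Internet'; DnsServers = $null }
    }
}

# Validate the table, then show the routing decision for a few sample names
$Nrpt | ForEach-Object { [void](Test-NrptEntry $_) }
'dc01.ad.contoso.com', 'db1.sql.contoso.com', 'www.contoso.com', 'www.microsoft.com' |
    ForEach-Object { Resolve-NrptRoute -Name $_ -Table $Nrpt } |
    Format-Table Name, Route, DnsServers -AutoSize
```

On a DirectAccess client the live table can be compared against this expectation with netsh namespace show policy.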
Two-Factor Authentication (TFA)
Not required; fully supported
Edge-based enforcement: a smarter way to enforce TFA
User is assigned a well-known SID (S-1-5-65-1) when they log on with a smartcard
User may log on to the laptop without TFA
When the user accesses corporate resources, the IPsec authorization policy checks for this SID
If SID is not present…
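As an added example (not from the deck), the check below inspects the current logon token for the well-known SID S-1-5-65-1 the slide describes, which is the same condition the IPsec authorization policy evaluates at the edge; the function name is an assumption.

```powershell
function Test-SmartcardLogonToken {
    # A smartcard logon adds the well-known SID S-1-5-65-1 ("This Organization
    # Certificate") to the user's token. A password logon does not, so a client can
    # predict locally whether TFA-gated DirectAccess resources will be authorized.
    param(
        [System.Security.Principal.WindowsIdentity]$Identity =
            [System.Security.Principal.WindowsIdentity]::GetCurrent()
    )
    $smartcardSid = 'S-1-5-65-1'
    # Groups holds every group and well-known SID present in the logon token
    $present = $Identity.Groups | Where-Object { $_.Value -eq $smartcardSid }
    New-Object PSObject -Property @{
        User              = $Identity.Name
        SmartcardLogonSid = $smartcardSid
        TwoFactorLogon    = [bool]$present
    }
}

$result = Test-SmartcardLogonToken
$result | Format-List User, SmartcardLogonSid, TwoFactorLogon
if (-not $result.TwoFactorLogon) {
    Write-Warning "Token lacks $($result.SmartcardLogonSid): resources whose IPsec policy requires TFA will refuse this session"
}
```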
Branch Office Network Performance (Make Users Productive Anywhere)
Situation Today:
Application and data access over the WAN is slow in branch offices
Slow connections hurt user productivity
Improving network performance is expensive and difficult to implement
Windows 7 Solution: BranchCache™
Caches content downloaded from file and Web servers
Users in the branch can quickly open files stored in the cache
Frees up network bandwidth for other uses
(Diagram: BranchCache message flows. Distributed Cache: Get ID, Search, Offer, Request and Get Data between the client, its peers and the server. Hosted Cache: Get ID, Put Data and Get Data between the client, the hosted cache and the server.)
Hosted Cache vs. Distributed Cache
Hosted Cache: data cached at the host server
Recommended for larger branches
Cache stored centrally: can use an existing server in the branch
Cache availability is high
Enables branch-wide caching
Distributed Cache: data cached amongst clients
Recommended for branches without any infrastructure
Easy to deploy: enabled on clients through Group Policy
Cache availability decreases with laptops that go offline
Deployment
(Diagram labels: IIS / File Server content servers, Group Policy management, Hosted Cache)
Install the BranchCache™ feature on R2 content servers
Use Group Policy to enable clients
Optionally, install a hosted cache in your branch
Additional configuration options: enable/disable distributed cache mode; enable/disable hosted cache mode; set the cache size; set the location of the hosted cache; clear the cache; create and replicate a shared key for use in a server cluster; and more…
Works in domains and workgroups
Monitoring
Event logs: operational logs & audit logs
Perfmon counters: client, hosted cache and content server
netsh for querying the infrastructure for potential problems: cache size too small, firewall issues, certificate problems, etc.
SCOM Management Pack: for rolling all the information up
Security of Data at Rest
Clients:
Cache only contains content requested by the client
Data in the cache is ACL'd so that it is only accessible if authorized by the server
If data leakage is a concern, then use BitLocker or EFS
Hosted Cache:
Cache contains content requested by all branch clients
Use BitLocker or EFS to encrypt the cache as necessary
All data can be purged from the cache using netsh
Scale and Performance
Scale:
Distributed cache scales well to approximately 100 users per branch; WS-Discovery traffic is a key consideration
Results may vary: highly dependent on content, workload and usage patterns
Hosted Cache scalability is comparable to standard file server workloads
MSIT pilot in Belgium: approximately 70% reduction in \\products\public related SMB traffic
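The script below is an added example, not from the deck: it uses the netsh branchcache context to put a Windows 7 client into the chosen mode, size the local cache, show the resulting state and (optionally) purge the cache, covering the configuration options and the netsh purge the slides mention. The netsh syntax is from my own knowledge of Windows 7 / Server 2008 R2 rather than the slides, the hosted cache FQDN is a placeholder, and the script must run elevated.

```powershell
param(
    [ValidateSet('Distributed', 'HostedClient')] [string]$Mode = 'Distributed',
    [string]$HostedCacheServer = 'hc01.branch.contoso.com',   # placeholder: hosted cache server in the branch
    [int]$CachePercent = 10                                    # local cache size as % of the volume
)

function Invoke-Netsh([string[]]$Arguments) {
    # netsh exits non-zero on failure; raise instead of silently continuing with a half-configured client
    $out = & netsh.exe branchcache @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh branchcache $($Arguments -join ' ') failed: $out" }
    $out
}

# 1. Put the client into the chosen mode. Switching mode keeps the local cache: a
#    distributed client that becomes a hosted client stops answering WS-Discovery
#    searches but keeps using the same cache contents.
switch ($Mode) {
    'Distributed'  { Invoke-Netsh 'set', 'service', 'mode=distributed' }
    'HostedClient' { Invoke-Netsh 'set', 'service', 'mode=hostedclient', "location=$HostedCacheServer" }
}

# 2. Size the local cache. "Cache size too small" is one of the problems the
#    monitoring slide says netsh can reveal; the size here is a percentage of the volume.
Invoke-Netsh 'set', 'cachesize', "size=$CachePercent", 'percent=TRUE'

# 3. Show the resulting state (mode, cache size, firewall rule status) for the change record
Invoke-Netsh 'show', 'status', 'all'

# 4. Purge everything from the local cache (the netsh purge from the Security of
#    Data at Rest slide). Defined but not called, so the script is safe to run as-is.
function Clear-BranchCacheLocalCache { Invoke-Netsh 'flush' }
```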
BitLocker - Data Protection (Enhance Security & Control)
Situation Today:
Users store increasing volumes of data, including sensitive data, on removable storage devices
Removable storage devices are easy to lose and, unlike a PC, the loss may go unnoticed for a while
Windows 7 Solution: BitLocker + BitLocker To Go™
Protect data on internal and removable drives
Mandate the use of encryption with Group Policies
Store recovery information in Active Directory for manageability
Simplify BitLocker setup and configuration of the primary hard drive
Application Control (Enhance Security and Control)
Situation Today:
Users can install and run unapproved applications
Even standard users can install some types of software
Unauthorized applications may: introduce malware; increase helpdesk calls; reduce user productivity; undermine compliance efforts
Windows 7 Solution: AppLocker™
Eliminate unwanted/unknown applications in your network
Enforce application standardization within your organization
Easily create and manage flexible rules using Group Policy
AppLocker™ Technical Details
Simple rule structure: Allow, Exception & Deny
Publisher rules: product publisher, name, filename & version
Multiple policies: executables, installers, scripts & DLLs
Rule creation tools & wizard
Audit-only mode
Publisher Rules
Rules based upon application digital signatures
Can specify application attributes
Allow for rules that survive application updates
Example: "Allow all versions greater than 12 of the Office Suite to run if it is signed by the software publisher Microsoft."
Simple Rule Structure
Allow: limit execution to "known good" and block everything else
Deny: deny "known bad" and allow execution of everything else
Exception: exclude files from an allow/deny rule that would normally be included
Example: "Allow all versions greater than 12 of the Office Suite to run if it is signed by the software publisher Microsoft EXCEPT Microsoft Access."
Rule Targeting Per User
Rules can be associated with any user or group
Provides granular control of specific applications
Supports compliance by enforcing who can run specific applications
Example: "Allow users in the Finance Department to run…"
Multiple Rule Sets
Rule types: Executable; Installer; Script; DLL
Allows construction of rules beyond executable-only solutions
Provides greater flexibility and enhanced protection
Example: "Allow users to install updates for Office as long as it is signed by Microsoft and is for version 12.*"
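As an added example (not from the deck), the publisher rule with an exception and the per-group rule quoted on the previous slides are written out as AppLocker policy XML, dry-run against sample paths and applied locally in audit-only mode with the AppLocker cmdlets that ship with Windows 7. The rule GUIDs, the product name and the Finance group SID are placeholders; take the real publisher/product values from Get-AppLockerFileInformation on a signed Office binary.

```powershell
Import-Module AppLocker

$financeSid = 'S-1-5-21-<DOMAIN>-<RID>'   # placeholder: SID of the Finance Department group
$msPublisher = 'O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US'   # Microsoft code-signing subject
$product     = 'MICROSOFT OFFICE 2010'    # placeholder: ProductName as reported by Get-AppLockerFileInformation

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <!-- "Allow all versions greater than 12 of the Office Suite ... signed by Microsoft
         EXCEPT Microsoft Access": publisher + product + version range, with an exception -->
    <FilePublisherRule Id="a7c3d8e0-1111-4a4a-9b9b-000000000001" Name="Office 12+ signed by Microsoft"
        Description="Keys on the signature, so it survives Office updates" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="$msPublisher" ProductName="$product" BinaryName="*">
          <BinaryVersionRange LowSection="12.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
      <Exceptions>
        <FilePublisherCondition PublisherName="$msPublisher" ProductName="$product" BinaryName="MSACCESS.EXE">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Exceptions>
    </FilePublisherRule>
    <!-- Per-user targeting: "Allow users in the Finance Department to run..." (here: Access) -->
    <FilePublisherRule Id="a7c3d8e0-1111-4a4a-9b9b-000000000002" Name="Finance: Access allowed"
        Description="" UserOrGroupSid="$financeSid" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="$msPublisher" ProductName="$product" BinaryName="MSACCESS.EXE">
          <BinaryVersionRange LowSection="12.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'office-publisher-policy.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run before deployment: which of these files would the policy allow or deny, and by which rule?
$candidates = 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE',
              'C:\Program Files\Microsoft Office\Office14\MSACCESS.EXE'   # assumed install paths
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $candidates -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply locally in audit-only mode: decisions are logged to the AppLocker event log
# without blocking anything. For the domain, the same XML goes into a GPO.
Set-AppLockerPolicy -XmlPolicy $policyPath
```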
Full Fidelity RemoteApp and Remote Desktop
Aero Glass for Remote Desktop Server: users have the same new Windows 7 look and feel when using Remote Desktop Server
RemoteApp and Remote Desktop connections: RemoteApp and Remote Desktop icons integrate into the Start menu; icons refresh and update automatically
Multimedia support and audio input: experience rich multimedia redirection; use VoIP applications and speech recognition
True multiple monitor support: use up to 10 monitors of any size or layout with RemoteApp and Remote Desktop; applications (e.g. PowerPoint) behave as users expect from installing them locally
RemoteApp language bar support: configure applications that use different language settings than the local language (such as right-to-left languages)
Virtual Desktop Infrastructure (Streamline PC Management)
Situation Today: What is Virtual Desktop Infrastructure?
Deploying desktops in virtual machines on server hardware
Centralized management & security
Users can access their desktop and applications wherever they are
Windows 7 Solution:
Richer Remote Experience: richer graphics with improved multi-monitor support; use voice for telephony & applications with microphone support; improved printing
Do More With VHDs: maintain VHDs with offline servicing of VHD images using the same tools used for WIM; boot from VHD to reuse VHD files for deployment to managed desktop PCs
* Using Windows for VDI scenarios requires an additional VECD license
Search in the Enterprise (Make Users Productive Anywhere)
Situation Today:
Current desktop and enterprise search solutions are good, but not integrated
Users need to take different steps to find data on the PC and data on servers
Data sources are hard to discover
Windows 7 Solution: Search Federation
Consistent experience to find data from multiple locations, including SharePoint sites
Users and IT can pre-populate Favorites in Windows Explorer with remote search sites that support the OpenSearch protocol
IT can point users to selected search sites with Enterprise Search Scopes
Windows 7 Manageability
Increased Automation to Reduce Costs: Windows PowerShell 2.0; Integrated Scripting Environment
Reduce Help Desk Calls and Keep Users Productive: Windows Troubleshooting Platform; Remoteable Reliability Data; Problem Steps Recorder
Flexible Administrative Control: Enhanced Group Policy Scenarios; Group Policy Scripting; Group Policy Preferences
What is Windows PowerShell?
Console: interactive commands; query and configure; run jobs
Scripting language: automate everything; sharable and reusable
PowerShell Remoting
To use it, the local and remote computers need: Windows PowerShell 2.0; Microsoft .NET Framework 2.0 or later; Windows Remote Management 2.0
To configure PowerShell remoting: start PowerShell as admin; use the Enable-PSRemoting cmdlet (configures the firewall and the WinRM service)
Windows PowerShell Remoting
Use the ComputerName parameter with select cmdlets:
    Get-Process -ComputerName Berlin
Run a command on a remote computer:
    Invoke-Command -ComputerName Berlin -ScriptBlock { HostName }
Open a PowerShell session on a remote computer:
    Enter-PSSession -ComputerName Berlin
    [berlin]: PS C:\> HostName
    [berlin]: PS C:\> Exit-PSSession
Deployment Enhancements
IMAGING: Deployment Image Servicing and Management; add/remove drivers and packages; WIM and VHD image management
MIGRATION: User State Migration Tool; hardlink migration; offline file gather; improved user file detection
DELIVERY: Windows Deployment Services; multiple stream transfer; dynamic driver provisioning; VHD and WIM support
INTEGRATED SOLUTIONS CONTINUE: Microsoft Assessment and Planning; Application Compatibility Toolkit; Microsoft Deployment Toolkit
Windows Optimized Desktop: Windows 7 & MDOP Investment Areas
Core PC Platform (Windows 7) / Unique Value with SA+MDOP
Make Users Productive Anywhere: DirectAccess; BranchCache; Federated Search; Navigation. SA+MDOP: App-V; MED-V
Improve Security and Control: BitLocker; BitLocker To Go; AppLocker; Security Development Lifecycle. SA+MDOP: AIS
Streamline PC Management to Save Costs: PowerShell; Windows Troubleshooting Platform; Deployment Tools; VDI Enhancements. SA+MDOP: DEM; DaRT; AGPM
Fundamentals: Performance | Reliability | Compatibility
MDOP
Why do my customers need MED-V? The challenge of upgrading to a new operating system
Test: test compatibility of all applications with the new OS
Migrate: migrate or replace incompatible applications
Upgrade: upgrade the organization to the new OS
Introducing Windows Virtual PC
Virtual PC 2007 → Windows 7 Virtual PC
Primary audience: developers / IT; typical guest OS: multiple guest OSes
Scenario: Windows XP compatibility for small businesses with no IT
Cost: none. Virtual Windows XP is included with Windows 7 Pro
Features: seamless integration, USB device support
How MED-V Relates to Windows XP Mode
Windows Virtual PC ("XP Mode") provides ease of use for end users:
A preconfigured virtual Windows XP SP3 (32-bit) environment
Easy to install your applications on Windows XP and run them from the Windows 7 desktop
Well integrated into Windows 7
Designed for small businesses and consumers
MED-V: application-OS compatibility for the enterprise:
Deploy virtual Windows XP images and customize per user
Provision and define applications and websites for users
Control Virtual PC settings
Maintain and support endpoints through monitoring and troubleshooting
MED-V will not require PCs to have hardware-assisted virtualization (e.g. Intel VT, AMD-V)
MED-V – Deploying Virtual PCs in the Enterprise
Windows Virtual PC provides ease of use for end users: run Windows XP or other Windows environments on Windows 7; install and launch Windows XP applications from the Win7 desktop
MED-V* centrally manages virtual Windows environments: Deploy (deliver virtual Windows images and customize per user); Provision (define which applications and websites are available); Control (set usage permissions and Virtual PC settings); Maintain and Support (monitor and troubleshoot endpoints)
* MED-V will provide a solution for enterprise devices without hardware-assisted virtualization (e.g. VT)
Architecture and Features
MED-V v1 Architecture
(Diagram label: Software Distribution)
Increased Value in Optimized Desktop
Make Users Productive Anywhere: DirectAccess; BranchCache™; Enterprise Search Scopes
Enhance Security and Protect Data: BitLocker & BitLocker To Go; AppLocker
Streamline PC Management: MUI Language Packs; VDI Enhancements (VDI requires VECD license); Boot from VHD; Subsystem for UNIX; 4 Virtual Operating Systems; Network Boot License
MED-V v1 Key Capabilities
Deploy and provision:
Deploy an IT-managed virtual XP environment to end users
Enable customization in heterogeneous desktop environments
Automate first-time virtual PC setup (e.g. initial network setup, computer name, domain join)
Application provisioning based on Microsoft Active Directory® users/groups
Assign a virtual image and define which applications are available to the user
Control and monitor:
Centrally define Virtual PC settings (e.g. adjust virtual PC memory allocation based on available RAM on the host)
Centrally monitor endpoint clients
Provide helpdesk tools to diagnose and troubleshoot virtual PCs
Enable incompatible applications:
End users seamlessly use Windows XP applications on their Windows 7 desktop
End users automatically see websites that require Internet Explorer 6 in the virtual environment
Typical Virtual Image Life-cycle
Create a master image: include common software, security and management tools
Package the image and distribute: via existing software distribution (e.g. System Center)
Image is customized and joined to the domain: a unique name is assigned for identification
Remotely manage as any Windows XP desktop: install applications; apply patches and updates
APP-V and Windows 7 Overview
Application Virtualization Made Easy: no user learning curve; click to launch any virtual application anywhere; simplify your next Windows rollout; easily prepare virtual applications and dependencies for deployment
Flexible Management Built-In: flexible deployment and streaming options for all business needs; readily accessible applications for users, manageable for IT; virtual application management in the box
Proven. Real Business Results: mature and proven; save time & money; deploy applications virtually; partners ready to move you from proof of concept to production
App-V for the Enterprise: Package, Stream, Manage. Application virtualization isolates applications to create a conflict-free environment with manageability as the cornerstone to successful service delivery.
Microsoft Application Virtualization
Application Sequencing: the gateway to Microsoft Application Virtualization
The Microsoft Application Virtualization Sequencer rapidly packages applications through active watch technology, including execution dependencies.
The Sequencer produces the virtual application package containing the application and its dependencies.
The admin has the option to stream the virtual application or create an MSI wrapper for Standalone Mode delivery.
(Diagram: Windows application CD / Windows application installer → Sequencer (unpackaging, linearization, optimization & compression) → virtualized application, delivered as MSI standalone or via a streaming server)
Dynamic Application Interaction: Dynamic Suite Composition (DSC)
Administrator controls & configures the virtual application separately
Create a "one to one" scenario for single applications that are dependent on each other
Create a "many to one" scenario where middleware and plug-in components can be reused
Reduces the potential package size
Flexible Package Management
Single applications with no dependencies still exist
Applications known not to conflict may be configured to share the same virtual environment
Mandatory/optional dependency configuration options
Virtual applications can share common dependencies
(Diagram: independent virtual environments for App "A" and App "B" vs. a combined virtual environment sharing system services, configurations and data, with inter-application communication)
Application Sharing Using DSC: virtualize middleware once, share with many
Microsoft Application Virtualization Deployment Options: Package, Deploy, Manage. Conflict-free applications with manageability as the cornerstone to successful service delivery.
Enabling Key Scenarios: reduce application conflicts; reduce application compatibility testing; remove application-related reboots; dynamic application streaming; always accessible applications
App-V Client, Management Server, Streaming and Sequencing
Full Infrastructure: desktop publishing service; dynamic delivery; package/active upgrade; requires Active Directory and SQL Server
Configuration Manager + Application Virtualization (Configuration Manager 2007 R2): single management console; single software distribution workflow; no additional infrastructure required; integrate virtual applications with automated OS deployment; full status and reporting of virtual applications; inventory and updating of virtual applications; user or machine targeting; scalable to 100's of thousands of devices. Manage virtual & physical applications from one PC lifecycle management solution; manage, stream and update App-V virtual applications with capabilities in the box
Standalone Mode: standalone execution of virtual applications; no server is required; MSI wrapper is the configuration control; interoperable with SMS/SCCM & 3rd-party ESD
Lightweight Infrastructure: dynamic delivery; package/active upgrade; no SQL Server required; allows streaming capability to be added to SMS/SCCM & 3rd-party ESD. Integrate App-V into existing environments and processes (server, client, 3rd-party PC lifecycle solution)
MED-V and App-V are part of the MDOP subscription
Translating software inventory into business intelligence
Enhancing group policy through change management
Dynamically streaming software as a centrally managed service
Proactively managing application and operating system failures
Powerful tools to accelerate desktop repair
Simplifying deployment and management of Virtual PCs
With Software Assurance, customers can run up to 4 virtual OS on each licensed device
And what about the Windows XP license for the Virtual PC?
The usual answers…
Q: When will this be made available for Vista?
A: It won't. BranchCache is only supported with Windows 7 Enterprise, Ultimate & Windows 2008 R2 editions.
Q: What size content is cached?
A: 64 KB and greater.
Q: Is there a peer discovery timeout?
A: 300 ms
Q: What kind of encryption is used?
A: Custom scheme based on AES128.
Q: Does knowledge of the hash ID grant access?
A: No. Access must still be granted by the file server.
The usual answers… (cont'd)
Q: Will BranchCache work during WAN outages?
A: No. Clients must be able to contact the content server to get content identifiers.
Q: Can I pre-populate cached files?
A: Sure. Consider using a scheduled task, PowerShell Remoting or some other technique. For WSUS & SCCM, consider targeting one client in each remote office before the others.
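The script below is an added example (not from the deck) that combines the PowerShell Remoting cmdlets from the manageability slides with the pre-population advice above: it opens a session to one designated seed client in a branch and reads every file of 64 KB or more on a share there, so that client's BranchCache store is warm before the other clients arrive. Computer and share names are placeholders, and reading a UNC path from inside a remote session is a second hop, so the seed client needs Kerberos delegation or CredSSP (Enable-WSManCredSSP) to reach the file server with the caller's identity.

```powershell
param(
    [string]$SeedClient = 'branch-seed01',      # placeholder: the one client per remote office to warm first
    [string]$Share      = '\\products\public',  # the share named in the MSIT pilot slide
    [int]$MinBytes      = 64KB                  # BranchCache only caches content of 64 KB and greater (FAQ)
)

$session = New-PSSession -ComputerName $SeedClient -ErrorAction Stop
try {
    $summary = Invoke-Command -Session $session -ArgumentList $Share, $MinBytes -ScriptBlock {
        param($Share, $MinBytes)
        # PowerShell 2.0 has no -File switch, so filter containers out explicitly
        $files = Get-ChildItem -Path $Share -Recurse -ErrorAction SilentlyContinue |
                 Where-Object { -not $_.PSIsContainer -and $_.Length -ge $MinBytes }
        $bytes = 0L; $count = 0
        $buffer = New-Object byte[] 1MB
        foreach ($f in $files) {
            # Reading the file end to end makes the SMB client fetch it (and its content
            # identifiers from the content server), which is what seeds the local cache.
            $fs = [System.IO.File]::OpenRead($f.FullName)
            try { while (($n = $fs.Read($buffer, 0, $buffer.Length)) -gt 0) { $bytes += $n } }
            finally { $fs.Dispose() }
            $count++
        }
        New-Object PSObject -Property @{ Computer = $env:COMPUTERNAME; Files = $count; Bytes = $bytes }
    }
    $summary | Format-Table Computer, Files, Bytes -AutoSize

    # Confirm on the seed client that the local cache actually grew
    Invoke-Command -Session $session -ScriptBlock { netsh branchcache show localcache }
}
finally {
    Remove-PSSession $session
}
```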
Q: How does BC avoid discovery storms?
A: Responses to search requests are staggered. Additionally, if a client detects that many others on the subnet already have a piece of content, it won't bother caching it too.
The usual answers… (last one)
Q: What happens to the local cache if the BranchCache client mode changes?
A: The local cache is unaffected and will still be used by the client:
Hosted clients that become Distributed clients will begin responding to WS-D searches, serving data from the same cache.
Distributed clients that become Hosted clients will stop responding to WS-D searches, but will continue to use the local cache.
Q: How long does data stay in the cache?
A: Until netsh is used to flush the cache or until the cache is full and starts to roll.
Q: Is BranchCache supported on Server Core?
A: Absolutely.
RDS & VDI Overview
Remote Desktop Services
Remote Desktop Architecture Overview
(Diagram labels: RD Client, RD Web Access, RD Gateway, RD Connection Broker, Active Directory®, Licensing Server, RD Virtualization Host, RD Session Host)
Remote Desktop Session Host (RDSH)
(Diagram labels: RD Client, RD Connection Broker, RD Session Host server farm (session-based desktops), RD Session Host server farm (RemoteApp))
App-V for RDS
(Diagram labels: RD Client, RD Session Host, App-V Management Server, RD Virtualization Host)
Remote Desktop Virtualization Host (RDVH)
(Diagram labels: RD Client, RD Connection Broker, Active Directory, Personal Virtual Desktops, Pooled Virtual Desktops)
Personal / Pooled Virtual Desktops
Personal Virtual Desktops: one OS image per user; administrator access, desktop customizable; user state typically part of the image
Pooled Virtual Desktops: shared OS images, identically configured; no administrator access; user state temporary (discarded at session end)
RDS Roles Explained
RemoteApp: publishes applications with just the application UI, and not a full desktop UI
RD Session Host: hosts centralized, session-based applications and remote desktops
RD Virtualization Host: hosts centralized, virtual-machine-based (virtual) desktops on top of Hyper-V for VDI environments
RD Connection Broker: creates a unified administrator experience for session-based and virtual-machine-based remote desktops
RD Gateway: allows connections from clients outside the firewall, using SSL, and proxies those to internal resources
RD Web Access / RemoteApp & Desktop Connections (Windows 7): RD Web Access provides Web-based connection to resources published by RD Connection Broker. Supports the traditional web page, as well as the new RemoteApp & Desktop Connections
RD EasyPrint: simplifies printing to a local printer, and supports legacy and new print drivers without the need to install those on the host
RemoteApp Overview
Make programs available via RD Web Access or RemoteApp & Desktop Connection (Windows 7); create MSI or RDP files
Applications launched from a Web page, RDP files or MSI shortcuts; programs look like they are running locally
NEW in R2: per-user RemoteApp filtering
(Diagram labels: RD Client, RD Session Host / RD Virtualization Host)
RD Gateway – New Features
(Diagram: user browses to RD Web Access; user initiates an HTTP/S connection to RD Gateway; RDP over HTTP/S is established to RD Gateway; RDP on 3389 from RD Gateway to the host (RD Session Host or RD Virtualization Host))
Silent session re-authentication; secure device redirection; idle & session timeout; pluggable authentication; consent signing
RDS User Experience Enhancements
Multiple monitor support
Enhanced audio support
Windows Media redirection
Windows Aero Glass support
Enhanced bitmap acceleration
RD Easy Print Overview
(Diagram: historical issues with driver matching (bad match, no match, close match, unknown) vs. the solution: TS Easy Print)