Windows 7 Overview

Similar Compatibility: Most software that runs on Windows Vista will run on Windows 7. Exceptions will be low level code (AV, Firewall, Imaging, etc). Hardware that runs Windows Vista well will run Windows 7 well.

Few Changes: Focus on quality and reliability improvements

Windows 7 Builds on Windows VistaDeployment, Testing, and Pilots Today Will Continue to Pay Off

Deep Changes: New models for security, drivers, deployment, and networking

Windows 7 for the Enterprise

At their deskIn a branchOn the road

Enhance Security &

Control

Protect data & PCsBuilt on Windows Vista foundation

Streamline PC Management

Easy migration Keep PCs runningVirtualization

Make Users Productive Anywhere

Remote Access for Mobile Workers Make Users Productive Anywhere

Situation Today Windows 7 Solution

New network paradigm enables same experience inside & outside the officeSeamless access to network resources increases productivity of mobile usersInfrastructure investments also make it easy to service mobile PCs and distribute updates and polices

Difficult for users to access corporate resources from outside the officeChallenging for IT to manage, update, patch mobile PCs while disconnected from company network

HomeOffice Home

DirectAccess

Office

IPv6 Devices IPv4 Devices

DirectAccessServer

Windows 7 Client

Native IPv6 with IPSec

IPv6 Transition Services

Supports variety of remote network protocols

DirectAccess

DirectAccess provides transparent, secured

access to intranet resources without a VPN

Allows desktop management of

DirectAccess clients

Allows IPSec encryption and authentication

Supports direct connectivity to IPv6-

based intranet resources

Support IPv4 via 6to4 transition

services or NAT-PTIT desktop manageme

nt

AD Group Policy, NAP,

software updates

Internet

Name Resolution: DNS and the NRPT

Remote DirectAccess clients utilize smart routing by default

The Name Resolution Policy Table allows this to happen efficiently and securely

Sends name queries to internal DNS servers based on pre-configured DNS namespace

DirectAccess Connection

Internet Connection

NRPT

Client side only Requires a leading dot Static table that defines which DNS servers the

client will use for the listed names Configurable via GPO at Computer Configuration |

Policies|Windows Settings|Name Resolution Policy Can be viewed with NETSH name show policy

NRPT

.ad.contoso.com

2001:db8:b90a:c7d8::1782001:db8:b90a:c7d8::183

.lab.contoso.com

2001:db8:b90a:c7a8::202

*.sql.contoso.com

2001:db8:b90a:c7e4::801

Two Factor Authentication (TFA) Not required; fully

supported Edge based

enforcement: a smarter way to enforce TFA

User is assigned a well-known SID when they log on with a smartcard

S-1-5-65-1

User may logon to laptop without TFA

When user accesses corporate resources,

IPsec authorization policy checks for this SID

If SID is not present…

Branch Office Network Performance Make Users Productive Anywhere

Windows 7 Solution

Caches content downloaded from file and Web serversUsers in the branch can quickly open files stored in the cacheFrees up network bandwidth for other uses

BranchCache™

Application and data access over WAN is slow in branch officesSlow connections hurt user productivity Improving network performance is expensive and difficult to implement

Situation Today

Get

GetID

Get

Data

Distributed Cache

Get

IDData

Data

Get

GetID

Put

Data

Hosted Cache

Get

DataID

Search

Get

Searc

h

Request

Offer

ID

ID

ID

Data

ID

Data

Hosted CacheData cached at the host server

Recommended for larger branchesCache stored centrally: can use existing server in the branchCache availability is highEnables branch-wide caching

Hosted cache vs Distributed

Enterprise

Distributed Cache

Recommended for branches without any infrastructureEasy to deploy: enabled on clients through Group PolicyCache availability decreases with laptops that go offline

Distributed CacheData cached amongst clients

IISFile Server

Group PolicyManagement

Install BranchCache™ feature R2 content servers

Group Policy to enable clients

HostedCache

Optionally, install a hosted cache in your branch.

Deployment

Additional configuration options Enable / disable distributed cache mode Enable / disable hosted cache mode Set the cache size Set the location of the hosted cache Clear the cache Create and replicate a shared key for use in

a server cluster And more …

Works in domains and workgroups

Monitoring Event logs - Operational logs & Audit logs

Perfmon counters - Client, hosted cache and Content Server

netsh for querying the infrastructure for potential problems◦ Cache size too small, firewall issues, certificate

problems etc

SCOM Management Pack - for rolling all the information up

Security of Data at Rest Clients

◦ Cache only contains content requested by the client◦ Data in cache ACL’d so that it is only accessible if

authorized by the server◦ If data leakage is a concern, then use BitLocker or EFS

Hosted Cache◦ Cache contains content requested by all branch clients ◦ Use BitLocker or EFS to encrypt cache as necessary

All data can be purged from the cache using netsh

Scale and Performance Scale

◦ Distributed cache scales well to approximately 100 users per branch WS-Discovery traffic is a key consideration Results may vary

Highly dependant on content, workload and usage patterns

◦ Hosted Cache scalability is comparable to standard file server workloads

MSIT pilot in Belgium◦ Approximately 70% reduction in \\products\public

related SMB traffic

Users store increasing volumes of data, including sensitive or data on the removable storage devicesRemovable storage devices are easy to lose and, unlike PC, the loss may go unnoticed for a while

Windows 7 SolutionSituation Today

BitLocker - Data ProtectionEnhance Security & Control

Protect data on internal and removable drivesMandate the use of encryption with Group PoliciesStore recovery information in Active Directory for manageability Simplify BitLocker setup and configuration of primary hard drive

BitLocker To Go™

+

Windows 7 Solution

Application Control Enhance Security and Control

Eliminate unwanted/unknown applications in your networkEnforce application standardization within your organizationEasily create and manage flexible rules using Group Policy

AppLocker™

Users can install and run unapproved applicationsEven standard users can install some types of softwareUnauthorized applications may:

Introduce malwareIncrease helpdesk callsReduce user productivityUndermine compliance efforts

Situation Today

AppLockerTM

Technical Details

Simple Rule Structure: Allow, Exception & Deny Publisher Rules

◦ Product Publisher, Name, Filename & Version Multiple Policies

◦ Executables, installers, scripts & DLLs Rule creation tools & wizard Audit only mode

Publisher Rules Rules based upon

application digital signatures

Can specify application attributes

Allow for rules that survive application updates

“Allow all versions greater than 12 of the Office Suite to run if it is signed by the software publisher Microsoft.”

Simple Rule Structure Allow

◦ Limit execution to “known good” and block everything else

Deny◦ Deny “known bad” and

allow execution of everything else

Exception◦ Exclude files from

allow/deny rule that would normally be included

“Allow all versions greater than 12 of the Office Suite to run if it is signed by the software publisher Microsoft EXCEPT Microsoft Access.”

Rule Targeting Per User Rules can be associated

with any user or group

Provides granular control of specific applications

Supports compliance by enforcing who can run specific applications

“Allow users in the Finance Department to run…”

Multiple Rule Sets Rule Types

◦ Executable◦ Installer◦ Script◦ DLL

Allows construction of rules beyond executable only solutions

Provides greater flexibility and enhanced protection

“Allow users to install updates for Office as long as it is signed by Microsoft and is for version 12.*”

Aero Glass for Remote Desktop Server• Uses have the same new Windows 7 look and feel when using Remote

Desktop Server

RemoteApp and Remote Desktop connections• RemoteApp and Remote Desktop icons integrate into the Start menu• Icons refresh and update automatically

Multimedia support and audio input• Experience rich multimedia redirection • Use VoIP applications and speech recognition

True multiple monitor support• Use up to 10 monitors of any size or layout with RemoteApp and Remote

Desktop• Applications behave like users expect – e.g. PowerPoint installing them locally

RemoteApp language bar support• Configure applications that use different language settings than the local

language (such as right-to-left languages)

Full Fidelity RemoteApp and Remote Desktop

Windows 7 SolutionSituation Today

Virtual Desktop InfrastructureStreamline PC Management

Deploying desktops in virtual machines on server hardwareCentralized management & securityUsers can access their desktop and applications wherever they are

Richer Remote Experience

Richer graphics with improved multi-monitor supportUse voice for telephony & applications with microphone supportImproved printing

Using Windows for VDI scenarios requires additional VECD license *

What is Virtual Desktop Infrastructure? Maintain VHD: Offline

servicing of VHD images with same tools used for WIMBoot from VHD: Reuse VHD files for deployment to managed desktop PCs

Do More With VHDs

Search in the EnterpriseMake Users Productive Anywhere

Situation Today Windows 7 Solution

Consistent experience to find data from multiple locations, including SharePoint sitesUsers and IT can pre-populate Favorites in Windows Explorer to remote search sites that support OpenSearch protocol IT can point users to select search sites w/Enterprise Search Scopes   

Search Federation

Current desktop and Enterprise search solutions are good, but not integratedUsers need to take different steps to find data on PC and data on serversData sources are hard to discover

Windows PowerShell 2.0

Integrated Scripting Environment

Windows Troubleshooting

PlatformRemoteable Reliability

DataProblem Steps

Recorder

Enhanced Group Policy Scenarios

Group Policy Scripting Group Policy Preferences

Windows 7 Manageability

Increased Automation

to Reduce Costs

Reduce Help Desk Calls and Keep Users

Productive

Flexible Administrative

Control

What is Windows PowerShell? Console

◦ Interactive commands◦ Query and configure ◦ Run jobs

Scripting language◦ Automate everything ◦ Sharable and reusable

PowerShell Remoting

To use Local and remote computer need:◦ Windows PowerShell 2.0 ◦ Microsoft .NET Framework 2.0 or later◦ Windows Remote Management 2.0

To configure PowerShell remoting: ◦ start PowerShell as admin◦ Use enable-psremoting cmdlet ◦ Configures firewall and Winrm Service

Windows PowerShell Remoting Use the ComputerName parameter with

select cmdlets◦ Get-Process –ComputerName Berlin

Run a command on remote computer◦ Invoke-Command –ComputerName Berlin `

-ScriptBlock { HostName} Open a PowerShell session on remote

computer◦ Enter-PSSession –ComputerName Berlin◦ [berlin]: PS C:\> HostName◦ [berlin]: PS C:\> Exit-PSSession

IMAGING

Deployment Image Servicing and Management

Add/Remove Drivers and Packages

WIM and VHD Image Management

MIGRATION

User State Migration Tool

Hardlink Migration

Offline File Gather

Improved user file detection

INTEGRATED SOLUTIONS CONTINUE

Microsoft Assessment and

Planning

DELIVERY

Windows Deployment Services

Multiple Stream Transfer

Dynamic Driver Provisioning

VHD and WIM Support

Deployment Enhancements

Application Compatibility

Toolkit

Microsoft Deployment

Toolkit

Windows Optimized Desktop

Unique Value with SA+MDOP

Core PC Platform

Make Users Productive Anywhere

Improve Security and

Control

Streamline PC Management to

Save Costs

Direct AccessBranchCacheFederated SearchNavigation

App-VMED-V

BitLocker BitLocker To GoAppLockerSecurity development lifecycle

AIS

PowerShellWindows Troubleshooting PlatformDeployment ToolsVDI Enhancements

DEMDARTAGPM

Windows Optimized Desktop:Windows 7 & MDOP Investment areas

FundamentalsPerformance | Reliability | Compatibility

MD

OP

Why my customers need MED-V?The challenge of upgrading to a new operating system

Upgrade the organization to the new OS

Migrate or replace incompatible applications

Test compatibility of all applications with the new OS

Test Migrate Upgrade

Primary Audience: Developers / ITTypical guest OS: Multiple Guest OS

Scenario: Windows XP Compatibility for small businesses with no IT

Cost: None. Virtual Windows XP is included with Windows 7 Pro

Features: Seamless integration, USB device support

Introducing Windows Virtual PC

Virtual PC 2007 Windows 7 Virtual PC

How MED-V Relates to Windows XP Mode

Windows Virtual PC (“XP Mode”) Provides the Ease of Use for End Users

MED-V – Application-OS compatibility for the Enterprise

A preconfigured virtual Windows XP SP3 (32bit) environment Easy to install your applications on Windows XP and run from Windows 7 desktop Well integrated into Windows 7 Designed for small businesses and consumers

Deploy virtual Windows XP images and customize per user Provision and define applications and websites to users Control Virtual PC settings Maintain and Support endpoints through monitoring and troubleshooting

MED-V will not require PCs to have hardware assisted virtualization (e.g. Intel VT, AMD-V)

MED-V* Centrally Manages Virtual Windows Environments• Deploy – deliver virtual Windows images and customize per user• Provision – define which applications and websites are available• Control – set usage permissions and Virtual PC settings • Maintain and Support - monitor and troubleshoot end points

MED-V will provide a solution for enterprise devices without hardware assisted virtualization (e.g. VT)

MED-V – Deploying Virtual PCs in the Enterprise

Windows Virtual PC Provides the Ease of Use for End Users• Run Windows XP or other Windows environments on Windows 7 • Install and launch Windows XP applications from Win7 Desktop

Architecture and Features

Architecture

MED-V v1 Architecture

Software Distribution

Make Users Productive Anywhere • DirectAccess• BranchCache™• Enterprise Search Scopes

Enhance Security and Protect Data• BitLocker & BitLocker To Go • AppLocker

Streamline PC Management • MUI Language Packs• VDI Enhancements

(VDI requires VECD license)• Boot from VHD• Subsystem for UNIX • 4 Virtual Operating Systems• Network Boot License

Increased Value in Optimized Desktop

MED-V v1 Key Capabilities Deploy IT-managed virtual XP environment to end users Enable customization in heterogeneous desktop environments

Automate first-time virtual PC setup (e.g. initial network setup, computer name, domain join)

Application provisioning based on Microsoft Active-Directory® users/groups Assign a virtual image and define which applications are available to the user

Deploy and provision

Centrally define Virtual PC settings (e.g. Adjust virtual PC memory allocation based on available RAM on host)

Centrally monitor endpoint clients Provide helpdesk tools to diagnose and troubleshoot virtual PCs

Control and Monitor

End users seamlessly use Windows XP applications on their Windows 7 desktop End users automatically see Websites that require Internet Explorer 6 in the virtual

environment

Enable incompatible applications

Typical Virtual Image life-cycle

Create a master image ◦ Include common software, security and management tools

Package the image and distribute ◦ Via existing software distribution (e.g. System Center)

Image is customized and joined to domain ◦ Unique name is assigned for identification

Remotely manage as any Windows XP desktop◦ Install applications◦ Apply patches and updates

APP-V and Windows 7 Overview

Application Virtualization Made Easy

No user learning curve. Click to launch any virtual application anywhereSimplify your next Windows rolloutEasily prepare Virtual Applications and Dependencies for Deployment.

Flexible Management

Built-In

Flexible deployment and streaming options for all business needs.Readily Accessible Applications for Users, Manageable for IT. Virtual Application Management in the box.

Proven. Real Business

Results.

Mature and Proven Save Time & Money. Deploy Applications VirtuallyPartners ready to move you from Proof of Concept to Production

App-V for the EnterprisePackage, Stream, Manage. Application virtualiization isolates applications to create a conflict free environment with manageability as the cornerstone to successful service delivery.

Microsoft Application VirtualizationApplication Sequencing – The gateway to Microsoft Application Virtualization

Microsoft Application

Virtualization Sequencer

Rapidly packages applications through

active watch technology including execution

dependencies.

The Sequencer produces the virtual application

package containing the application and its

dependencies.

The admin has the option to stream the virtual

application or create an MSI wrapper for

Standalone Mode delivery

Windows Application

CD

Windows Application

Installer

Unpackaging

Linearization

Optimization & Compression

Virtualized Application

MSI Standalone

Streaming Server

Dynamic Application InteractionDynamic Suite Composition (DSC)

Administrator controls & configures the virtual application separatelyCreate a “one to one” scenario for single applications that are dependant on each otherCreate a “many to one” scenario where middleware and plug ins components can be reusedReduces the potential package size

Flexible Package Management

Single application with no dependencies still existApplication known to not conflict may be configured to share the same virtual environmentMandatory/Optional dependency configuration optionsVirtual applications can share common dependencies

Virtual Environment

App “A”

Combined Virtual Environment

App “B”App “B”App “A”

System Services

ConfigurationsData

Inter Application Communication

Independent Virtual Environments

Application Sharing Using DSC

Virtualize Middleware once share with many

Microsoft Application Virtualization Deployment OptionsPackage, Deploy, Manage. Conflict free applications with manageability as the cornerstone to successful service delivery.

Enabling Key Scenarios

• Reduce application conflicts• Reduce application compatibility testing

• Remove application related reboots•Dynamic application streaming• Always accessible applications

App-V Client, Management Server, Streaming and

Sequencing

Full Infrastructure

• Desktop Publishing Service• Dynamic Delivery• Package/Active Upgrade• Requires Active Directory

and SQL Server

Configuration Manager + Application Virtualization

• Single Management Console• Single Software distribution

workflow• No additional infrastructure

required• Integrate Virtual applications with

automated OS deployment • Full status and reporting of virtual

applications• Inventory and updating of virtual

applications• User or Machine targeting• Scalable to 100’ s of thousands of

devices

Configuration Manager 2007

R2

Manage virtual & physical applications from

one PC Lifecycle Management solution

Manage, stream and update App-V virtual applications with capabilities in the box

Standalone Mode

• Standalone execution of virtual applications• No server is required• MSI wrapper is the

configuration control• Interoperable with SMS/

SCCM & 3rd party ESD

Lightweight Infrastructure

• Dynamic Delivery• Package/Active Upgrade• No SQL Server required• Allows streaming capability

to be added to SMS/SCCM & 3rd party ESD

Integrate App-V into existing environments and processes

Server Client

3rd Party PC Lifecycle Solution

MED-V and App-V are part of the MDOP subscription

Translating software inventory into business intelligence

Enhancing group policy through change management

Dynamically streaming software as a centrally managed service

Proactively managing application and operating system failures

Powerful tools to accelerate desktop repair

Simplifying deployment and management of Virtual PCs

With Software Assurance, customers can run up to 4 virtual OS on each licensed device

And what about the Windows XP license for the Virtual PC?

The usual answers…Q: When will this be made available for Vista?

A: It won’t. BranchCache in only supported with Windows 7 Enterprise, Ultimate & Windows 2008 R2 editions.

Q: What size content is cached?A: 64 KB and greater.

Q: Is there a peer discovery timeout? A: 300 ms

Q: What kind of encryption is used?A: Custom scheme based on AES128.

Q: Does knowledge of the hash ID grant access?A: No. Access must still be granted by the file server.

The usual answers… (cont’d)Q: Will BranchCache work during WAN outages?

A: No. Clients must be able to contact the content server to get content identifiers.

Q: Can I pre-populate cached files?A: Sure. Consider using scheduled task , PowerShell

Remoting or some other technique. For WSUS & SCCM, consider targeting one client in each remote office before the others.

Q: How doesn’t BC avoid discovery storms?A: Responses to search requests are staggered.

Additionally, if a client detects that many others on the subnet already have a piece of content, it won’t bother caching it too.

The usual answers… (last one)Q: What happens to the local cache if the

BranchCache client mode changes? A: The local cache is unaffected and will still be used by the

client:• Hosted clients that become Distributed clients will begin

responding to WS-D searches, serving data from the same cache.• Distributed client that become Hosted clients will stop responding

to WS-D searchers, but will continue to use the local cache.

Q: How long does data stay in cache? A: Until NetSH is used to flush the cache or until the cache is

full and starts to roll.

Q: Is BranchCache supported on Server Core?A: Absolutely.

RDS & VDIOverview

Remote Desktop Services

Remote Desktop Architecture Overview

RD Web Access

RD GatewayRD Connection

Broker

Active Directory® Licensing

Server

RD Virtualization Host

RD Session Host

RD Client

Remote Desktop Session Host (RDSH)

RD Connection Broker

RD Client

RD Session Host Server Farm(Session-based desktops)

RD Session Host Server Farm(RemoteApp)

App-V for RDS

RD Session Host

App-V Management

Server

RD Client RD Virtualization

Host

Remote Desktop Virtualization Host (RDVH)

RD Client

Personal Virtual Desktops

Active Directory

Pooled Virtual DesktopsRD Connection Broker

Personal / Pooled Virtual Desktops

Personal Virtual Desktops

Pooled Virtual Desktops

Personal Virtual DesktopsOne OS image per userAdministrator access, desktop customizableUser state typically part of the image

Personal Virtual DesktopsShared OS images, identically configuredNo administrator accessUser state temporary )discarded at session end)

RDS Roles ExplainedRole Function

RemoteApp Publishes applications with just the application UI, and not a full desktop UI

RD Session Host Hosts centralized, session-based applications and remote desktops

RD Virtualization Host Hosts centralized, virtual-machine-based (virtual) desktops on top of Hyper-V for VDI environment

RD Connection Broker Creates unified administrator experience for session-based and virtual-machine based remote desktops

RD Gateway Allows connection from clients outside the firewall, using SSL, and proxies those to internal resources

RD Web Access / RemoteApp & Desktop Connections (Windows 7)

RD Web Access provides Web-based connection to resources published by RD Connection Broker. Supports traditional web page, as well as new RemoteApp & Desktop Connections

RD EasyPrint Simplifies printing to a local printer, and supports legacy and new print drivers without the need to install those on the host

Make programs available via RD Web Access or RemoteApp & Desktop Connection (Windows 7)Create MSI or RDP files

RemoteApp Overview

RD Session Host / RD Virtualization Host

NEW in R2:Per-user RemoteAppfiltering

Applications launched from Web Page, RDP files or MSI shortcutsPrograms look like they are running locally

RD Client

RD Gateway – New Features

RD WebAccess

RD Gateway

RD Session Host

RD Client RD Virtualization

Host

User browses to RD Web Access

RDP over HTTP/S established to RD Gateway RDP 3389 to host

User initiates HTTP/S connection to RD Gateway

Silent session re-authentication Secure device redirection Idle & session timeout Pluggable authentication Consent signing

RDS User Experience Enhancements

Multiple Monitor Support

Enhanced Audio Support

Windows Media Redirection

Windows Aero Glass Support

Enhanced Bitmap Acceleration

RD Easy Print Overview

Bad MatchNo Match

?

Close Match TS Easy Print

Historical Issues Solution