The Springboard Series program was developed in response to primary research conducted with IT Pros worldwide (direct interviews, focus groups) and with key Microsoft field roles (TSPs, ATSs, ITEs, PAMs, TAMs, Architects). The findings fell into two areas: the need to make learning about how a new OS environment directly impacts the IT Pro more consumable (and the messages more relevant), and how the mishandling of Vista with this audience has cost us in poor NSAT and perceptions. To remedy this, the Windows Client IT Pro audience team developed a program to provide the right information, at the right technical level, at the right point in the adoption lifecycle, and to do so in a frank, open and honest tone. The program has two major components: a breadth effort that touches IT Pros directly (through TechNet and related properties), and a depth component that supports field and partner engagements.
So what are the technologies within MDOP?
Application Virtualization (App-V) addresses application-to-application conflicts. Say you have a line-of-business application that will not run alongside the others on your operating system: with App-V you sequence those applications and stream them to the desktops in your organization, and there is no conflict because nothing is actually installed on the desktop.
The Asset Inventory Service (AIS) is a hosted service that collects software inventory data, as well as limited hardware data, and translates it into actionable business intelligence. AIS has a catalog component that assigns intuitive categorization to the information flowing through the service, and the same catalog is used by System Center.
The Diagnostics and Recovery Toolset (DART) reduces user downtime by accelerating desktop repair. Booting from the DART CD you can reset administrator passwords, scan for and remove malware, repair a desktop, or wipe it. Because DART runs from its own media outside the installed operating system, the same capability that lets a technician reset a local administrator password is available to anyone with physical access to the machine and the media, so control where the CD is kept and pair it with full-volume encryption such as BitLocker.
System Center Desktop Error Monitoring (DEM) enables proactive help desk problem management by showing you, at an aggregate level, the application and system crashes occurring across your organization as they happen. Visibility into those errors helps you prevent them in future.
AGPM: we hear from customers that they struggle to manage Group Policy. With AGPM you assign roles to people in your organization: some are reviewers of policies, some are approvers, and some have the ability to edit policies. In that way you control who manages Group Policy, and you also get an audit trail for the Group Policy that is deployed in your organization.
MED-V addresses application-to-operating-system conflicts. Using Virtual PC technology it addresses key enterprise scenarios and resolves application compatibility issues with new versions of Windows.
UAC was introduced in Windows Vista to give customers more control of their systems: IT administrators can lock a system down for certain users by running them in standard, non-privileged user accounts, and the ecosystem is pushed to write software that does not need administrative rights. Moving the ecosystem to software that requires no administrative changes to the machine is good for overall reliability as well as for security, since it limits the damage any one application can do. UAC delivered on this in the Windows Vista timeframe, and customers continue to value being able to create a standard user and be confident that an administrator decides what software is added to the system and which changes are allowed. However, we received substantial feedback about the number of notifications for change. In Windows 7 we have addressed that feedback while keeping IT administrators confident about a standard user environment and keeping the pressure on the ecosystem to write software that does not require administrative rights. We have enabled the Windows operations that users perform often to be done as a standard user, with the goal of prompt-free daily activities. For example, a standard user can now adjust the readability of the screen (DPI) without changing it for the entire system. We have also removed duplicate notifications for common activities such as installing applications from Internet Explorer.
We have also made it easier for IT to look at key settings on the system without administrative privileges by refactoring many of our Control Panel applets into read-only and write sections. In line with the overall Windows 7 focus on user-in-control, a person running as a protected administrator can now choose the range of notifications he or she receives. Based on customer feedback and instrumented data on how customers respond to UAC prompts, the default UAC setting is that administrators are notified when software other than Windows requests a change to the overall system, and standard users receive a request for administrator authorization for any change to the overall system. We believe this default strikes the right balance between establishing an ecosystem in which a broad range of ISV software runs in a standard user environment and giving administrators control over the experience of configuring Windows.
Welcome to Windows 7
Stephen L Rose, Worldwide Community Manager – Windows Client
firstname.lastname@example.org
http://microsoft.com/springboard
Blog: http://windowsteamblog.com
Twitter: @stephenlrose / @MSspringboard
Agenda Who Am I? Resources, Resources, Resources Windows 7 Overview Windows 7 Anywhere Security and Control in Windows 7 Windows 7 Deployment Wrap-up
What is the Springboard Series? The Springboard Series is the resource for desktop IT pros: www.microsoft.com/springboard. Springboard is localized in 10 languages. Over 50 video walkthroughs on Windows 7 features, tools and tasks. Dedicated zones for Application Compatibility, Migration, Deployment and more. Straight-talk monthly feature articles and overview guides. Springboard Insider monthly newsletter and Windows Team Blog. Virtual roundtable events. The Springboard Series IT pro experience offers IT Pros dynamic content and structured guidance across the adoption lifecycle. Follow us on Twitter: @MSSpringboard
Windows 7 Versions
- Windows 7 Starter: no Aero, no 64-bit edition
- Windows 7 Home Basic: emerging markets only
- Windows 7 Home Premium: includes Aero, Media Center and Touch
- Windows 7 Professional: does not support DirectAccess, BitLocker, BitLocker To Go or BranchCache; does have XP Mode
- Windows 7 Enterprise: supports all features; only available via Volume License to Software Assurance customers
- Windows 7 Ultimate: supports all features
Understanding VL and SA. What is Volume Licensing? Volume Licensing is the most affordable way to upgrade your existing PCs to Windows 7 Enterprise. Windows licenses available through Volume Licensing are upgrade-only licenses. They do not replace purchasing the initial Windows licenses for software that comes pre-installed on new PCs. Each desktop that runs the Windows 7 upgrade must first be licensed to run one of the qualifying operating systems (Windows Vista Enterprise/Business/Ultimate or Windows XP Professional); otherwise the PC will not have a valid, legal Windows license. What is Software Assurance? When you acquire Windows 7 Professional licenses, either through Volume Licensing upgrades or through an OEM, you can cover those licenses with Software Assurance to get rights to Windows 7 Enterprise. SA also applies to Office and other Microsoft products.
What Else Do I Get With SA? Microsoft Desktop Optimization Pack (MDOP) - MDOP is an add-on subscription license that provides innovative technologies to help better control the desktop PC, accelerate and simplify desktop PC deployments and management, and create a dynamic infrastructure by turning software into centrally-managed services. Windows Virtual Enterprise Centralized Desktop (VECD) for Software Assurance - Windows VECD is an annual device-based subscription that enables organizations to license virtual copies of Windows 7 (or prior OS versions) in a variety of user scenarios. Windows Fundamentals for Legacy PCs - Available exclusively to Microsoft Software Assurance customers, this small-footprint, Windows-based operating system solution is for customers with legacy computers running early operating systems who are not in a position to purchase new hardware. Virtual OS Rights - Use up to four instances of Windows in virtual OS environments for each license that has active Software Assurance coverage. New Version Rights - Receive new versions of licensed software released during the term of your coverage. If you have Software Assurance coverage for your PCs when Windows 7 is released, you will automatically receive rights to use Windows 7 Enterprise on those PCs.
MDOP Technologies
- App-V turns applications into centrally managed services that are never installed, never conflict, and are streamed on demand to end users
- AIS is a hosted service that collects software inventory data and translates it into actionable business intelligence
- DART reduces downtime by accelerating desktop repair, recovery, and troubleshooting of unbootable Windows-based desktops
- DEM enables proactive helpdesk problem management by analyzing and reporting on application and system crashes
- AGPM enhances governance and control over Group Policy through robust change management and role-based administration
- MED-V enables deployment and management of Microsoft Virtual PC to address key enterprise scenarios, primarily resolving application compatibility with a new version of Windows
What’s The Killer Feature In Windows 7? “I Don’t Care How It Works. I Just Want It To Work.”
- Mobility: DirectAccess / VPN Reconnect / Mobile Broadband / BranchCache
- Security and Control: BitLocker / BitLocker To Go / Improved UAC / Desktop Auditing / NAP / AppLocker / IE8
- GUI: New Aero Features / Search / Wireless support / Device Stage / Location Aware Printing / HomeGroups / Libraries
- General: Speed / Efficiency / Capabilities / Flexibility / Reliability
DirectAccess Technical Details [diagram]: a compliant Windows 7 client on the Internet reaches the DirectAccess server over IPsec/IPv6, tunnelled across IPv4 where needed (UDP, HTTPS, etc.); behind the server sit the NAP/NPS servers, intranet users, the data center and business-critical resources. Design principles: assume the underlying network is always insecure; redefine the enterprise network edge to insulate the data center and business-critical resources; base security policies on identity, not location.
DirectAccess & IPv6 [diagram]: the client-to-server path is encrypted with IPsec ESP and carried over native IPv6 or, across IPv4, via 6to4, Teredo or IP-HTTPS.
DirectAccess & IPsec [diagram]: traffic between the DirectAccess server and line-of-business application servers on the enterprise network can run with no IPsec, with IPsec integrity only (authentication), or with IPsec integrity plus encryption.
DirectAccess Deployment: get ready step by step
1. Determine your strategy: be ready to monitor IPv6 traffic; choose an access model (full intranet access vs. selected server access); assess deployment scale.
2. Get your infrastructure ready: Windows 7 clients; Windows Server 2008 R2 DirectAccess server; DC, DNS server, Active Directory, PKI, application servers, etc.
3. During deployment: use the DirectAccess configuration wizard to set up the DirectAccess server and generate policies for clients, application servers, and DC/DNS; customize policies as needed.
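Once the wizard has pushed the client policy, the first thing a practitioner wants to know on a pilot machine is which of the transition technologies from the diagrams (6to4, Teredo, IP-HTTPS) actually carries the IPv6 traffic and whether the IPsec tunnels are up. The script below is an added example, not part of the Springboard deck or of any Microsoft tool: it wraps the Windows 7 netsh contexts that expose this state. Its output parsing assumes an English build (netsh strings are localised) and the "likely transition" field is a heuristic based on the order in which Windows 7 tries the technologies.

```powershell
# Added example, not from the Springboard deck: summarise a Windows 7
# DirectAccess client's state from the netsh contexts behind the slides
# (6to4, Teredo, IP-HTTPS, the NRPT location probe and IPsec SAs).
# Run in an elevated PowerShell session on the client. The regexes key on
# English netsh output; localised builds need their strings adjusted.

function Invoke-Netsh {
    param([string[]]$NetshArgs)
    # Run netsh.exe with an argument list and return stdout+stderr as one string.
    & netsh.exe @NetshArgs 2>&1 | Out-String
}

function Get-DirectAccessClientState {
    $ifaces  = Invoke-Netsh 'interface','ipv6','show','interfaces'
    $teredo  = Invoke-Netsh 'interface','teredo','show','state'
    $iphttps = Invoke-Netsh 'interface','httpstunnel','show','interfaces'
    $dns     = Invoke-Netsh 'dnsclient','show','state'
    $qmsa    = Invoke-Netsh 'advfirewall','monitor','show','qmsa'

    # Heuristic: the 6TO4 pseudo-interface is only listed when the client has a
    # public IPv4 address, which is the only case in which 6to4 can work.
    $sixToFour = [bool]($ifaces -match '6to4')
    # Teredo reports 'State : qualified' once it has negotiated a relay through NAT.
    $teredoUp  = [bool]($teredo -match 'State\s*:\s*qualified')
    # IP-HTTPS is the last resort, used behind proxies/firewalls that only pass TCP 443.
    $ipHttpsUp = [bool]($iphttps -match 'Interface Status\s*:\s*IPHTTPS interface active')

    # Windows 7 prefers the technologies in this order: 6to4, then Teredo, then IP-HTTPS.
    $likely = $(if ($sixToFour) { '6to4' } elseif ($teredoUp) { 'Teredo' }
                elseif ($ipHttpsUp) { 'IP-HTTPS' } else { 'native IPv6 or none' })

    New-Object PSObject -Property @{
        # The NRPT location probe decides whether DirectAccess rules apply at all.
        MachineLocation  = $(if ($dns -match 'Machine Location\s*:\s*(.+)') { $matches[1].Trim() } else { 'unknown' })
        DASettings       = $(if ($dns -match 'Direct Access Settings\s*:\s*(.+)') { $matches[1].Trim() } else { 'unknown' })
        SixToFour        = $sixToFour
        TeredoQualified  = $teredoUp
        IpHttpsActive    = $ipHttpsUp
        LikelyTransition = $likely
        # Quick-mode SAs present means the IPsec tunnels to the DA server are up.
        # The full 'show qmsa' listing also shows the negotiated algorithms, which is
        # how you confirm whether a server is reached integrity-only or with encryption.
        IPsecTunnelsUp   = [bool]($qmsa -notmatch 'No SAs match')
    }
}

$state = Get-DirectAccessClientState
$state | Format-List
if ($state.MachineLocation -match 'Inside') {
    Write-Host 'Network location server reachable: DirectAccess rules are not applied inside the corporate network.'
} elseif (-not $state.IPsecTunnelsUp) {
    Write-Warning 'Outside the corporate network but no IPsec SAs: check the transition technology, the IP-HTTPS URL and the server certificate.'
}
```

Run it with the laptop on a home network or a hotspot, not on the corporate LAN: inside the corporate network the NRPT is disabled by design and every transition field is expected to be empty. If `LikelyTransition` comes back as IP-HTTPS on an open network, UDP 3544 (Teredo) is probably being filtered somewhere, which is worth knowing before scaling out because IP-HTTPS is the slowest path.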
DirectAccess Benefits
- IT Pro benefits: improved manageability of remote users; IT simplification and cost reduction; consistent security for all access scenarios
- End user benefits: seamless and secure access to corporate resources; consistent connectivity experience in / out of the office; combined with other Windows 7 features, enhances the end-to-end IW experience
Mobile Broadband: IHVs can integrate devices using the Windows 7 platform; no need for users to install 3rd-party software; end users have the same connectivity experience across WiFi and WWAN.
Branch Office Enhancements
Situation Today: application and data access over the WAN is slow in branch offices; slow connections hurt user productivity; improving network performance is expensive and difficult to implement.
Windows 7 Solution, BranchCache: caches content downloaded from file and Web servers; users in the branch can quickly open files stored in the cache; frees up network bandwidth for other uses.
Windows 7 Enterprise Security. Building upon the security foundations of Windows Vista, Windows 7 provides IT Professionals security features that are simple to use, manageable, and valuable.
- Fundamentally Secure Platform: Windows Vista foundation, Streamlined User Account Control, Enhanced Auditing
- Helping Secure Anywhere Access: Network Security, Network Access Protection, DirectAccess
- Helping Protect Users & Infrastructure: AppLocker, Internet Explorer 8, Data Recovery
- Helping Protect Data: RMS, EFS, BitLocker & BitLocker To Go
Fundamentally Secure Platform
- Windows Vista Foundation: Security Development Lifecycle process; Kernel Patch Protection; Windows Service Hardening; DEP & ASLR (IE 8 inclusive); Mandatory Integrity Controls
- Streamlined User Account Control: make the system work well for standard users; administrators use full privilege only for administrative tasks; file and registry virtualization helps applications that are not UAC compliant
- Enhanced Auditing: Group Policy configurable; XML based; granular audit categories; detailed collection of audit results; simplified compliance management
User Account Control
Windows Vista: the system works for the standard user; all users, including administrators, run as Standard User by default; administrators use full privilege only for administrative tasks or applications; influence the ecosystem to write software that does not need administrative rights.
Windows 7, Streamlined UAC: reduce the number of OS applications and tasks that require elevation; refactor applications into elevated/non-elevated pieces; flexible prompt behavior for administrators; continued ecosystem influence for standard user applications.
Challenges: the user provides explicit consent before using elevated privilege; disabling UAC removes protections, not just the consent prompt.
Customer Value: users can do even more as a standard user; administrators will see fewer UAC elevation prompts.
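The "flexible prompt behavior" on this slide and the default described in the speaker notes (administrators notified only when non-Windows software requests a change) are a handful of registry-backed policy values, and the slide's warning that disabling UAC removes protections rather than just the prompt is something you can check for across a fleet. The script below is an added example, not code from the deck or from Microsoft: it reads the values Windows 7 keeps under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, decodes the ConsentPromptBehaviorAdmin level, and flags the settings a practitioner would object to. One caveat the slide does not spell out: the Windows 7 default (level 5) lets signed Windows binaries elevate without a prompt, which is weaker than the Vista "always notify" level (2); `Set-UacLevel` below switches to the latter.

```powershell
# Added example, not from the Springboard deck: read the UAC policy values on a
# Windows 7 machine, decode the admin prompt level, and flag settings that remove
# protection rather than just the prompt. Run elevated to use Set-UacLevel.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Meaning of ConsentPromptBehaviorAdmin (the Windows 7 default is 5)
$AdminLevels = @{
    0 = 'Elevate without prompting (no protection)'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop (Vista-style "always notify")'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries only (Windows 7 default)'
}

function Get-UacPolicy {
    $p = Get-ItemProperty -Path $UacKey
    New-Object PSObject -Property @{
        EnableLUA                  = $p.EnableLUA                   # 1 = UAC on
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        AdminLevelName             = $AdminLevels[[int]$p.ConsentPromptBehaviorAdmin]
        ConsentPromptBehaviorUser  = $p.ConsentPromptBehaviorUser   # 0 = auto-deny, 1/3 = ask for admin credentials
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop       # 1 = prompt drawn on the isolated secure desktop
        EnableVirtualization       = $p.EnableVirtualization        # 1 = file/registry virtualization for legacy apps
        FilterAdministratorToken   = $p.FilterAdministratorToken    # 1 = built-in Administrator also gets a split token
    }
}

function Test-UacPolicy {
    param($Policy = (Get-UacPolicy))
    $findings = @()
    if ($Policy.EnableLUA -ne 1) {
        $findings += 'EnableLUA=0: UAC is off. Admin Approval Mode, virtualization, integrity levels and IE Protected Mode all stop, not just the prompt.'
    }
    if ($Policy.ConsentPromptBehaviorAdmin -eq 0) {
        $findings += 'ConsentPromptBehaviorAdmin=0: administrators elevate silently; any code running as that user gets full rights.'
    }
    if ($Policy.ConsentPromptBehaviorAdmin -eq 5) {
        $findings += 'ConsentPromptBehaviorAdmin=5 (default): signed Windows binaries auto-elevate; use level 2 on admin workstations.'
    }
    if ($Policy.PromptOnSecureDesktop -ne 1) {
        $findings += 'PromptOnSecureDesktop=0: the consent dialog is drawn on the user desktop where other processes can read or spoof it.'
    }
    if ($Policy.EnableVirtualization -ne 1) {
        $findings += 'EnableVirtualization=0: legacy apps that write to Program Files or HKLM will fail instead of being redirected.'
    }
    if ($Policy.FilterAdministratorToken -ne 1) {
        $findings += 'FilterAdministratorToken=0: the built-in Administrator account is exempt from Admin Approval Mode; keep that account disabled.'
    }
    $findings
}

function Set-UacLevel {
    # 'AlwaysNotify' is the Vista behaviour; 'Win7Default' is level 5 from the slide.
    # ConsentPromptBehaviorAdmin takes effect immediately; changing EnableLUA needs a reboot.
    param([ValidateSet('AlwaysNotify','Win7Default')][string]$Level = 'AlwaysNotify')
    $admin = $(if ($Level -eq 'AlwaysNotify') { 2 } else { 5 })
    Set-ItemProperty -Path $UacKey -Name EnableLUA -Value 1 -Type DWord
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value $admin -Type DWord
    Set-ItemProperty -Path $UacKey -Name PromptOnSecureDesktop -Value 1 -Type DWord
}

Get-UacPolicy | Format-List
Test-UacPolicy
```

On domain-joined machines these values are owned by the "User Account Control:" entries under Security Options in Group Policy, so fix them there rather than with `Set-UacLevel`, which Group Policy would overwrite on the next refresh; the audit function is still the quickest way to confirm the policy actually landed.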
Desktop Auditing
Windows Vista: new XML based events; fine-grained support for audit of administrative privilege; simplified filtering of “noise” to find the event you’re looking for; tasks tied to events.
Windows 7, Enhanced Auditing: simplified configuration results in lower TCO; demonstrate why a person has access to specific information; understand why a person has been denied access to specific information; track all changes made by specific people or groups.
Challenges: granular auditing is complex to configure; auditing access and privilege use for a group of users.
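The three Windows 7 promises on this slide (why a person has access, why they were denied, what they changed) come down to enabling the right audit subcategories and then filtering the XML-based Security events by the SubjectUserName field. The following is an added example, not from the deck or from Microsoft documentation: it enables two subcategories with auditpol.exe and pulls the object-access and privilege-use events for one user with an XPath filter. The user name `alice`, the event IDs listed in the comments and the Event Log Readers requirement are assumptions a practitioner would verify against their own environment.

```powershell
# Added example, not from the Springboard deck: enable two granular audit
# subcategories on Windows 7 (auditpol.exe) and pull the resulting XML-based
# Security events for one user with an XPath filter. Run elevated; reading the
# Security log needs local admin or membership in Event Log Readers.

function Enable-PrivilegeAndFileAuditing {
    # Subcategory names as listed by 'auditpol /list /subcategory:*'.
    auditpol.exe /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable | Out-Null
    auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
    # File System auditing only fires for objects that carry a SACL (the Auditing tab
    # in the file's Security properties), so enabling it alone yields no 4663 events.
    auditpol.exe /get /subcategory:"Sensitive Privilege Use"
    auditpol.exe /get /subcategory:"File System"
}

function Get-UserAccessEvents {
    param(
        [Parameter(Mandatory=$true)][string]$UserName,      # sAMAccountName, e.g. 'alice'
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxEvents = 100
    )
    # 4656 = handle to an object requested (an Audit Failure here is a denied access attempt)
    # 4663 = an attempt was made to access an object (the access actually happened)
    # 4673 = a privileged service was called; 4674 = operation attempted on a privileged object
    $xpath = "*[System[(EventID=4656 or EventID=4663 or EventID=4673 or EventID=4674)] " +
             "and EventData[Data[@Name='SubjectUserName']='$UserName']]"
    Get-WinEvent -ComputerName $ComputerName -LogName Security -FilterXPath $xpath `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Each record is XML; flatten the named EventData fields into a lookup table.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        New-Object PSObject -Property @{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            Outcome   = $(if ($_.KeywordsDisplayNames -contains 'Audit Failure') { 'Failure' } else { 'Success' })
            User      = $data['SubjectUserName']
            Object    = $data['ObjectName']      # file/registry path for 4656/4663, absent for 4673/4674
            Access    = $data['AccessMask']      # e.g. 0x2 = WriteData / AddFile
            Privilege = $data['PrivilegeList']   # populated for 4673/4674
            Process   = $data['ProcessName']
        }
    }
}

# Usage on a workstation being investigated:
Enable-PrivilegeAndFileAuditing
Get-UserAccessEvents -UserName 'alice' |
    Where-Object { $_.Outcome -eq 'Failure' } |
    Format-Table Time, EventId, Object, Access, Process -AutoSize
```

In a domain, set the same subcategories through Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration instead of auditpol.exe, otherwise the legacy nine-category policy can silently override them; auditpol.exe remains the right tool to confirm the effective setting on a given machine.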
Securing Anywhere Access
- Network Security: policy based network segmentation for more secure and isolated logical networks; multi-home firewall profiles; DNSSEC support
- DirectAccess: security protected, seamless, always-on connection to the corporate network; improved management of remote users; consistent security for all access scenarios
- Network Access Protection: ensure that only “healthy” machines can access corporate data; enable “unhealthy” machines to get clean before they gain access
Network Access Protection [diagram]: a Windows 7 client connects through DHCP, VPN or a switch/router; the NPS server validates its health against policy servers (such as patch and AV); a policy-compliant client reaches the corporate network, while a non-compliant client is placed on a restricted network with remediation servers (for example, patch servers) until it is brought into compliance. Health policy validation and remediation helps keep mobile, desktop and server devices in compliance and reduces risk from unauthorized systems on the network.
Protect Users & Infrastructure
- AppLocker: enables application standardization without increasing TCO; increases security to safeguard against data and privacy loss; supports compliance enforcement
- Internet Explorer 8: protects users against social engineering and privacy exploits; protects users against browser based exploits; protects users against web server exploits
- Data Recovery: file back up and restore; CompletePC image-based backup; System Restore; Volume Shadow Copies; Volume Revert
Help Desk Made Easier Problem Steps Recorder Windows Troubleshooting Platform
Application Control
Situation Today: users can install and run non-standard applications; even standard users can install some types of software; unauthorized applications may introduce malware, increase helpdesk calls, reduce user productivity and undermine compliance efforts.
Windows 7 Solution, AppLocker: eliminate unwanted/unknown applications in your network; enforce application standardization within your organization; easily create and manage flexible rules using Group Policy.
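"Easily create and manage flexible rules" in practice means generating allow rules from a reference build, running them in audit mode for a while, and only then enforcing; skipping the audit phase is how AppLocker pilots end up blocking Windows itself. The script below is an added example using the AppLocker module that ships with Windows 7 Enterprise/Ultimate; it is not code from the deck or from Microsoft. The policy path, the `CONTOSO\alice` account and `tool.exe` are placeholders, and the default path rules it injects mirror the ones the Group Policy editor would create.

```powershell
# Added example, not from the Springboard deck: the audit-then-enforce AppLocker
# workflow on Windows 7 Enterprise/Ultimate with the AppLocker module's cmdlets.
# Run elevated on a reference machine. Paths and accounts below are placeholders.

Import-Module AppLocker

$PolicyPath = 'C:\Policies\AppLocker-audit.xml'

function New-AuditModePolicy {
    # 1. Build Allow rules from what is installed on the reference build: publisher
    #    rules for signed executables, hash rules as the fallback for unsigned ones.
    #    -Optimize collapses all files from one publisher into a single rule.
    $files = Get-AppLockerFileInformation -Directory $env:ProgramFiles -Recurse -FileType Exe
    $doc   = [xml](($files | New-AppLockerPolicy -RuleType Publisher,Hash -User Everyone -Optimize -Xml) -join "`n")

    # 2. Add the default path rules. A collection that contains any rule denies
    #    everything not explicitly allowed, so without %WINDIR%\* an enforced Exe
    #    collection blocks Windows itself.
    $exe = $doc.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
    foreach ($path in '%WINDIR%\*', '%PROGRAMFILES%\*') {
        $rule = $doc.CreateElement('FilePathRule')
        $rule.SetAttribute('Id', [guid]::NewGuid().ToString())
        $rule.SetAttribute('Name', "Allow Everyone: $path")
        $rule.SetAttribute('Description', 'Default rule (added by script)')
        $rule.SetAttribute('UserOrGroupSid', 'S-1-1-0')    # Everyone
        $rule.SetAttribute('Action', 'Allow')
        $cond = $doc.CreateElement('FilePathCondition')
        $cond.SetAttribute('Path', $path)
        $conds = $doc.CreateElement('Conditions')
        [void]$conds.AppendChild($cond)
        [void]$rule.AppendChild($conds)
        [void]$exe.AppendChild($rule)
    }

    # 3. Start in AuditOnly: nothing is blocked, but every would-be block is logged.
    foreach ($rc in $doc.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = 'AuditOnly' }
    $doc.Save($PolicyPath)
    $PolicyPath
}

function Test-Policy {
    param([string]$Path, [string]$User)
    # What would the policy decide for this binary and this user? PolicyDecision is
    # Allowed, Denied or DeniedByDefault; MatchingRule names the rule that fired.
    Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $Path -User $User
}

function Get-AuditedBlocks {
    # After the pilot period, harvest the 'would have been blocked' events (ID 8003)
    # to find line-of-business apps that still need rules before switching to Enabled.
    Get-AppLockerFileInformation -EventLog -LogPath 'Microsoft-Windows-AppLocker/EXE and DLL' -EventType Audited
}

# Apply locally (use -Ldap to target a domain GPO instead). AppLocker is only
# evaluated while the Application Identity service is running, so make it automatic.
New-AuditModePolicy
Set-AppLockerPolicy -XmlPolicy $PolicyPath
Set-Service AppIDSvc -StartupType Automatic
Start-Service AppIDSvc
Test-Policy -Path "$env:USERPROFILE\Downloads\tool.exe" -User 'CONTOSO\alice'
```

After a week of audit-mode telemetry, feed `Get-AuditedBlocks` back through `New-AppLockerPolicy` to produce rules for whatever legitimate software turned up, change `EnforcementMode` to `Enabled`, and push the merged policy with `Set-AppLockerPolicy -Merge`. Rules apply only to Enterprise and Ultimate clients; Professional machines in the same OU ignore the policy.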
BitLocker / BitLocker To Go
Situation Today: [chart: worldwide USB flash drive and PC shipments (000s); sources: Gartner, “Forecast: USB Flash Drives, Worldwide, 2001-2011”, 24 September 2007, Joseph Unsworth; Gartner, “Dataquest Insight: PC Forecast Analysis, Worldwide, 1H08”, 18 April 2008, Mikako Kitagawa, George Shiffler III]
Windows 7 Solution, BitLocker To Go: extend BitLocker drive encryption to removable devices; create Group Policies to mandate the use of encryption and block unencrypted drives; simplify BitLocker setup and configuration of the primary hard drive.
BitLocker / BitLocker To Go Technical Details
BitLocker enhancements: automatic 200 MB hidden boot partition; new key protectors: Domain Recovery Agent (DRA) and smart card (data volumes only).
BitLocker To Go: support for FAT*; protectors: DRA, passphrase, smart card and/or auto-unlock; management: protector configuration, encryption enforcement; read-only access on Vista & XP.
SKU availability: encrypting requires Enterprise or Ultimate; unlocking works on all SKUs.
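The protector and enforcement details above are surfaced on a Windows 7 client by manage-bde.exe (the BitLocker PowerShell module arrived only in later Windows versions) and by the FVE policy registry values that the "Removable Data Drives" Group Policy settings write. The script below is an added example, not from the deck or from Microsoft: it inventories every attached removable drive, reports its encryption and protector state, checks whether the deny-write-to-unencrypted-drives policy from the previous slide is actually in force, and wraps the command that enables BitLocker To Go with a passphrase plus a recovery password. Output parsing assumes an English build, and the policy value names are the ones I know the BitLocker ADMX writes under HKLM\SOFTWARE\Policies\Microsoft\FVE.

```powershell
# Added example, not from the Springboard deck: inventory BitLocker To Go status
# on the removable drives attached to a Windows 7 machine with manage-bde.exe and
# check the removable-drive policies. Run elevated. Output parsing assumes an
# English build; policy value names are those written by the BitLocker ADMX.

function Get-RemovableDriveBitLockerStatus {
    # DriveType 2 = removable. Each drive is queried with 'manage-bde -status <letter>'.
    Get-WmiObject Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
        $letter = $_.DeviceID                                   # e.g. 'E:'
        $text   = & manage-bde.exe -status $letter 2>&1 | Out-String
        # Everything after 'Key Protectors:' is the indented protector list
        # ('Password', 'Numerical Password', 'External Key', ... or 'None Found').
        $protectors = @()
        if ($text -match '(?s)Key Protectors:\s*(.*)$') {
            $protectors = $matches[1] -split "`r?`n" | ForEach-Object { $_.Trim() } | Where-Object { $_ }
        }
        New-Object PSObject -Property @{
            Drive      = $letter
            Label      = $_.VolumeName
            FileSystem = $_.FileSystem    # BitLocker To Go handles FAT as well as NTFS
            Version    = $(if ($text -match 'BitLocker Version:\s*(.+)') { $matches[1].Trim() } else { 'n/a' })
            Encrypted  = $(if ($text -match 'Percentage Encrypted:\s*([\d\.]+)%') { [double]$matches[1] } else { 0 })
            Protection = $(if ($text -match 'Protection Status:\s*Protection (On|Off)') { $matches[1] } else { 'Unknown' })
            Locked     = [bool]($text -match 'Lock Status:\s*Locked')
            Protectors = ($protectors -join ', ')
        }
    }
}

function Get-RemovableDrivePolicy {
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        # 'Deny write access to removable drives not protected by BitLocker'
        DenyWriteToUnprotected = ($p.RDVDenyWriteAccess -eq 1)
        # ...and to drives encrypted by another organisation (identification field mismatch)
        DenyWriteCrossOrg      = ($p.RDVDenyCrossOrg -eq 1)
        # 'Control use of BitLocker on removable drives': users may turn it on themselves
        UsersMayEnable         = ($p.RDVConfigureBDE -eq 1)
        IdentificationField    = $p.IdentificationFieldString
    }
}

function Enable-RemovableDriveBitLocker {
    param([Parameter(Mandatory=$true)][string]$Drive)            # e.g. 'E:'
    # Passphrase protector for daily unlock plus a 48-digit numerical recovery
    # password. manage-bde prompts for the passphrase and prints the recovery
    # password; escrow that (AD DS via policy, or a key vault) before the drive
    # leaves the desk, because without it a forgotten passphrase means data loss.
    & manage-bde.exe -on $Drive -Password -RecoveryPassword
}

Get-RemovableDrivePolicy | Format-List
Get-RemovableDriveBitLockerStatus |
    Format-Table Drive, FileSystem, Version, Protection, Encrypted, Locked, Protectors -AutoSize
```

The useful combination to look for is `DenyWriteToUnprotected = True` on the policy object together with any drive showing `Protection = Off`: that drive is mountable read-only, which is what the policy promises, but a user who formats it on a home PC and copies data there has still leaked nothing from this machine. A drive showing `Protection = On` with only `Password` in its protector list has no recovery path and should have a recovery password or DRA added with `manage-bde -protectors -add`.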
Microsoft Learning: www.microsoft.com/learning
Springboard Series: www.microsoft.com/springboard