Windows 7 Launch – Nashville TN

15 11 2009

Vista was a flop for Microsoft with its corporate customers. Microsoft has worked hard to correct this: Windows 7 brings a slew of new features that will appeal to corporate users, and many of them depend on tight integration with Windows Server 2008 R2.

I attended the Windows 7 Launch in Nashville TN on Friday the 13th 2009. This event was presented at the Microsoft offices and sponsored by CoreBTS. The launch was primarily targeted at corporations and topics covered were appropriate to that audience.

Here are the highlights of the presentation.

  • VDI capabilities are built directly into Windows 7 through the new Remote Desktop client (RDP 7). Extra features include the ability to have multiple monitors on a virtual desktop, audio recording redirection so that microphones and headsets work for VoIP inside the session, and improved local printing (Easy Print) from the remote desktop.
  • Search can be configured to extend beyond the desktop to the intranet and the Internet (Federated Search, using OpenSearch connectors) directly from Windows Explorer, without the need to open a browser.
  • DirectAccess provides an always-on connection to the corporate network, so separate VPN software is no longer required to reach resources at work while one is out of the office. The comparison to GoToMyPC holds for the user experience, but technically the client is connected to the corporate network rather than to a particular PC. Access is controlled by Group Policy, with control, visibility and tracking for the administrator, and because the tunnel comes up whenever the machine has Internet connectivity, the client keeps receiving policy and patches even if the user never logs on to a VPN. The gotcha with this solution is that it addresses the internal hosts over IPv6: if you don't have IPv6 implemented on your LAN, the intranet needs ISATAP or an IPv6-to-IPv4 translation device (NAT64/DNS64, as provided by Forefront UAG) at the gateway so that IPv4-only resources remain reachable. A Windows Server 2008 R2 server is required as the DirectAccess gateway, and the clients must be domain-joined Windows 7 Enterprise or Ultimate.
  • BranchCache allows a network admin to cache content that branch-office clients fetch from head-office servers over the WAN. Only one copy of a file is downloaded across the WAN and all subsequent requests for the same content are serviced from the local cache, which can significantly reduce WAN traffic. Note that it caches content from Windows Server 2008 R2 file servers (SMB) and web servers (HTTP), not arbitrary Internet traffic, and the origin server hands the client hashes of the content so that whatever is served from the cache can be verified against what the origin holds. The cache can be implemented in one of two modes: hosted cache, on a 2008 R2 server in the branch, or distributed cache, a peer-to-peer mode in which each Windows 7 client in the branch stores and serves part of the cache. Distributed mode is best used with fixed desktops that won't be taken off the local LAN frequently, since a cached block leaves the branch with the laptop that holds it.
  • UAC is something Vista users loved to hate. With Windows 7 four configurable levels of protection can be selected, ranging from Always notify (just like Vista) down to Never notify (like XP). The default is one notch below full protection: it prompts when third-party programs try to make changes but auto-elevates Windows' own signed components without a prompt, which is weaker than the Vista behaviour. The level can be set through Group Policy (the "User Account Control: Behavior of the elevation prompt for administrators" setting); organisations that want Vista-level protection should set it back to Always notify there.
  • AppLocker lets the administrator control what applications can and cannot run on the Windows 7 clients (Enterprise and Ultimate editions), with the rules delivered through Group Policy. Rules match on publisher (digital signature), path or file hash and cover executables, scripts, Windows Installer packages and DLLs. The administrator can choose between a whitelist approach, where only listed applications can run, and a blacklist approach, where all apps except those listed can run; only the whitelist has real security value, since a blacklist is bypassed by renaming or recompiling the binary. Windows Installer rules also make it possible to prevent applications from being installed at all. Enforcement can be switched to audit-only mode first, which logs what would have been blocked without blocking it.
  • Better VHD support. The ability to create and maintain VHD images has been enhanced. For example, a previously configured system can be captured to a VHD and security and update patches later applied to the VHD offline (attach the VHD and service it with DISM) without the need to boot it on a system. This vastly simplifies keeping machine images current. A computer can boot natively from a VHD image rather than from an OS installed on the local disk (native VHD boot requires Windows 7 Enterprise or Ultimate, or Server 2008 R2). Deploying the VHD images over the network via PXE and Windows Deployment Services is also supported.
  • Terminal Services has now been renamed Remote Desktop Services. Remote Desktop Services scales up to about 500 desktops. For larger networks Direct Access is a better choice.
  • PowerShell 2.0 is built into the client OS and is much less verbose to code than VBScript. It also brings PowerShell remoting (Enable-PSRemoting), so an admin script can be run against many clients from one console.
  • Optimized Desktop is an architectural view of Windows 7 in which data, applications, operating system and hardware are abstracted into separate layers, each managed and configured independently of the others. Managing these layers requires the Microsoft Desktop Optimization Pack (MDOP), available to Software Assurance customers, which includes:
    1. Asset Inventory Service: hardware and software inventory of network client computers.
    2. Application Virtualization (App-V, see below for explanation).
    3. Diagnostics and Recovery Toolset (DaRT): centralized diagnostics and offline repair of clients that will not boot.
    4. Enterprise Desktop Virtualization (MED-V, new in this release; see below).
    5. Desktop Error Monitoring: crash and error reports from each client are consolidated centrally for admin review and action.
    6. Advanced Group Policy Management (AGPM): Group Policy becomes workflow based, so changes are made offline, isolated from production, and go through review and approval prior to being applied to the live domain.
  • Application Virtualization (App-V). Applications are not installed locally during system setup but are instead streamed across the LAN, so a user can log in at any computer on the LAN and get the same applications they have been granted, no matter where they log in. One advantage of this approach is that client computers only need a basic operating system image without applications: should a system fail, any spare computer can be substituted and the user is back up and running immediately. Each virtualized application runs in its own sandbox, so application compatibility can also be managed: if two applications are known to conflict they can be kept from interfering with each other on the same desktop. Note that this sandbox exists for compatibility isolation, not as a security boundary; a virtualized application runs with the user's full rights. A local copy of the applications is cached so that mobile users can still run their apps when disconnected from the network.
  • MED-V is a specialized type of virtual machine that is started dynamically whenever it is needed. For example, if an application does not run well on Windows 7, an XP virtual machine is started to run that application. So if a corporation has some websites that require IE6, the virtual machine starts whenever IE6 is needed, while IE8 runs alongside on the host Windows 7 client. The trigger for the MED-V virtual machine can therefore be a specific application or a specific URL. The caveat is that the XP image is still a full XP installation and must be patched and protected by antivirus like any other machine.
  • Network Access Protection (NAP): client computers that appear on the network can be quarantined if they are not recognized *or* if the computer has out-of-date AV signatures or OS patches. Once the machine meets the specified health criteria it is granted access to the local LAN. Rogue laptops plugged in by visitors no longer need to be a threat to the LAN, with the caveat that how hard the quarantine is to bypass depends on the enforcement method: 802.1X and IPsec enforcement are robust, whereas DHCP enforcement is defeated simply by configuring a static IP address.
  • Rights Management Services (AD RMS) provides the admin with the ability to control documents stored on the network. A document can be prevented from being copied, printed, forwarded or saved, and be viewable only, if the corporation so wishes; the restriction travels with the file, because the content is encrypted and a usage licence is issued per user. At last Microsoft has something comparable to the rights management features found on Novell networks decades ago.
  • EFS encrypts individual files or folders. The file stays encrypted when moved or copied between NTFS volumes, and reading it requires the private key of the user's EFS certificate, which is protected by the user's logon credentials or can be held on a smart card. Two caveats a practitioner should know: copying an EFS file to a FAT-formatted volume (a typical USB stick) silently decrypts it, and if the user's key is lost without a designated data recovery agent the data is unrecoverable. EFS therefore protects the corporation's intellectual property against theft; it does not protect against loss.
  • BitLocker has been enhanced with BitLocker To Go. Removable drives can be encrypted by the user or enforced via Group Policy, which can also deny write access to any removable drive that is not BitLocker-protected. Corporate data stored on USB drives is thus safe against unauthorized access if the drive is lost or stolen, provided the recovery passwords are escrowed (for example in Active Directory). This applies to any removable drive, including external hard disks.
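
As an added worked example (not from the presentation or the CoreBTS material): the AppLocker whitelist workflow described above, driven from the PowerShell 2.0 AppLocker module that ships in Windows 7. The reference directories, the output path, the LDAP path of the GPO and the `C:\Tools\suspect.exe` path are assumptions for illustration; the cmdlets, their parameters and the service name are the real ones.

```powershell
# Added example (not from the presentation): build a whitelist AppLocker policy
# from a clean reference machine and dry-run it before enforcing it.
# Assumes: Windows 7 Enterprise/Ultimate, an elevated PowerShell 2.0 session,
# and a constructed path C:\Tools\suspect.exe that is NOT under the
# whitelisted directories. Adjust the paths for your environment.
Import-Module AppLocker

# 1. Collect file information (publisher, hash, path) for everything that
#    legitimately runs on the reference build. This takes a while on C:\Windows.
$refDirs = 'C:\Windows', 'C:\Program Files'
$fileInfo = $refDirs | ForEach-Object {
    Get-AppLockerFileInformation -Directory $_ -Recurse -FileType Exe, Script, WindowsInstaller
}

# 2. Generate allow rules for the Everyone group. Publisher rules survive
#    patching because they match the signature, not the bytes; unsigned files
#    fall back to hash rules. -Optimize merges overlapping rules.
#    Anything not matched by a rule is denied by default.
$policy = New-AppLockerPolicy -FileInformation $fileInfo `
    -RuleType Publisher, Hash -RuleNamePrefix 'Ref' -User 'Everyone' -Optimize

# 3. Dry-run the policy against specific files. A renamed or user-dropped
#    binary that no rule covers comes back as 'DeniedByDefault'.
$toCheck = 'C:\Windows\System32\notepad.exe', 'C:\Tools\suspect.exe'
Test-AppLockerPolicy -PolicyObject $policy -Path $toCheck -User 'Everyone' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 4. Save the policy as XML for review. For a pilot, edit the XML so each
#    RuleCollection has EnforcementMode="AuditOnly": decisions are then written
#    to the 'Microsoft-Windows-AppLocker/EXE and DLL' event log without
#    anything being blocked, and Get-AppLockerFileInformation -EventLog
#    can turn those audited events into new rules.
$policy.ToXml() | Out-File -Encoding UTF8 'C:\Policies\AppLocker-Whitelist.xml'

# Push the reviewed policy into a domain GPO (hypothetical LDAP path):
# Set-AppLockerPolicy -XmlPolicy 'C:\Policies\AppLocker-Whitelist.xml' `
#     -Ldap 'LDAP://DC=corp,DC=example,DC=com' -Merge

# 5. Nothing is enforced on a client unless the Application Identity
#    service is running, so make it automatic as part of the rollout.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
```

Two design points are worth noting. Publisher rules are preferred over hash rules because a monthly patch changes every hash but not the signer; path rules are deliberately left out, since a path rule on a directory the user can write to is an immediate bypass. And because AppLocker only covers executables, scripts, installers and DLLs, it does not constrain what a permitted application does once running, so the whitelist complements, rather than replaces, patching and least-privilege user accounts.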

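A second added example (again, not from the presentation): a PowerShell 2.0 check for the BitLocker To Go point above, listing removable drives that are not protected and reporting whether Group Policy blocks writes to unprotected removable drives. The WMI class, its method and the registry value are the real ones Windows 7 uses; the drive letters and the message text are constructed for illustration.

```powershell
# Added example (not from the presentation): audit removable drives for
# BitLocker To Go protection and check the "deny write" policy.
# Assumes an elevated PowerShell 2.0 session on Windows 7 Enterprise/Ultimate
# (the editions that support BitLocker To Go). Win32_EncryptableVolume is the
# same WMI class that manage-bde.exe drives.

$fveNamespace = 'root\CIMV2\Security\MicrosoftVolumeEncryption'

# Removable drives as seen by the OS (Win32_LogicalDisk DriveType 2 = removable).
$removable = Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType = 2'

foreach ($disk in $removable) {
    # Match the logical disk to its BitLocker view by drive letter ("E:").
    $vol = Get-WmiObject -Namespace $fveNamespace -Class Win32_EncryptableVolume `
        -Filter "DriveLetter = '$($disk.DeviceID)'"

    if ($vol -eq $null) {
        $state = 'no BitLocker volume object (drive not formatted?)'
    } else {
        # GetProtectionStatus().ProtectionStatus: 0 = off, 1 = on, 2 = unknown.
        $status = $vol.GetProtectionStatus().ProtectionStatus
        $state = switch ($status) {
            0       { 'UNPROTECTED' }
            1       { 'protected' }
            default { 'unknown' }
        }
    }
    Write-Output ('{0} {1,-12} {2}' -f $disk.DeviceID, $disk.VolumeName, $state)
}

# Policy check. The GPO "Deny write access to removable drives not protected
# by BitLocker" sets HKLM\SOFTWARE\Policies\Microsoft\FVE\RDVDenyWriteAccess = 1.
# Without it, a user can still copy corporate data onto an unencrypted stick,
# so "users may encrypt their drives" is not the same as "drives are encrypted".
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
if ($fve -and $fve.RDVDenyWriteAccess -eq 1) {
    Write-Output 'Policy: writes to unprotected removable drives are blocked'
} else {
    Write-Output 'Policy: unprotected removable drives are WRITABLE (RDVDenyWriteAccess not set)'
}

# To protect a stick by hand (prompts for a passphrase, then prints the
# 48-digit recovery password, which should be escrowed, e.g. in AD DS):
#   manage-bde -on E: -Password -RecoveryPassword
```

Run it as an administrator; the encryption namespace is not readable from a standard user session. The recovery password printed by manage-bde is the only way back into the drive if the passphrase is forgotten, so the Group Policy that backs recovery information up to Active Directory should be enabled before, not after, users start encrypting sticks.
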
Tips and Tricks

  • Pressing ‘Windows’ plus ‘+’ zooms in on the desktop, which is good for the visually impaired; ‘Windows’ plus ‘-’ zooms back out. The zooming is done by the Magnifier application built into Windows 7.
  • Pressing ‘Windows’ plus the right or left arrow snaps the currently selected window to the right or left margin of the desktop, resized to exactly half of the screen. This is a neat way to put two applications side by side with very few keystrokes or mouse clicks.
  • Dragging a window and ‘bumping’ it against the top of the screen maximizes it.
  • Hovering over an application pinned to the taskbar shows a small preview of all the current windows for that application. Clicking a preview restores that window.
  • Hovering over the tiny ‘Show desktop’ button at the extreme bottom right of the screen temporarily hides all windows (Aero Peek). When you mouse off the button, all windows are restored. If you click the button, all active windows are minimized.
