INITIAL OVERVIEW AND RESOURCE GUIDE FOR WINDOWS VISTA
By Marcy Wright February 2007
CONTENTS
EXECUTIVE SUMMARY
INTRODUCTION
BACKGROUND
FEATURES OF VISTA
WINDOWS VISTA ENTERPRISE EDITION
SECURITY
USER ACCOUNT CONTROL
WINDOWS FIREWALL
MALICIOUS AND POTENTIALLY UNWANTED SOFTWARE
INTERNET EXPLORER ENHANCEMENTS
NETWORK ACCESS PROTECTION
ROUTING COMPARTMENTS
WIRELESS SINGLE SIGN‐ON
BROAD SUPPORT FOR WIRELESS SECURITY PROTOCOLS
PLATFORM IMPROVEMENTS
MULTI‐TIERED DATA PROTECTION
RELIABILITY AND PERFORMANCE
  Automatic Recovery
  Built‐in Diagnostics
  Startup Repair Tool
  Application Reliability
  Performance Improvements
DEPLOYMENT
  Modularization
  Windows Imaging
  Nondestructive Imaging
  Unattended Installations
MANAGEABILITY
  Configuration Management
  Group Policy
  Policy‐based Quality of Service
  Eventing, Instrumentation, and Error Reporting
  Automation
  Supportability
PRODUCTIVITY
  Usability and End‐User Productivity
  AERO
  Explorers
  Information Visualization
  Search
  Start Menu
  Sharing
  Mobility Improvements
  IPv6
WINDOWS VISTA LICENSING
MULTIPLE ACTIVATION KEY
KEY MANAGEMENT SERVICE
VIEWING VOLUME LICENSING INFORMATION
MEDIA CONSIDERATIONS
THE FIVE LICENSING STATES
REDUCED FUNCTIONALITY MODE
  Reduced Functionality Mode Scenarios
  Remedying Reduced Functionality Mode
RESOLVING NON‐GENUINE ISSUES
HARDWARE
WINDOWS VISTA HARDWARE ASSESSMENT
LINKS TO MANUFACTURER INFORMATION ABOUT CPU
LINKS TO MANUFACTURER INFORMATION ABOUT GRAPHICS PROCESSOR
WINDOWS VISTA HARDWARE COMPATIBILITY LIST
WINDOWS VISTA UPGRADE ADVISOR
NETWORKING
TCP/IP STACK AND THE WINDOWS FILTERING PLATFORM
NETWORKING: KERNEL MODE IP HELPER APIS
NETWORKING: IPV6
NETWORKING: TURNING OFF THE WINDOWS FIREWALL
WIRELESS
SOFTWARE
PROGRAM COMPATIBILITY ASSISTANT (PCA) IN WINDOWS VISTA
THIRTY‐MINUTE COMPATIBILITY CHECK
  Working with a Clean Installation of Windows Vista
  Working with an Upgrade from Windows XP Service Pack 2
OPERATING SYSTEM VERSIONING
USER ACCOUNT CONTROL
COMPATIBILITY RISKS
VISTA SOFTWARE COMPATIBILITY LIST
CONCLUSION
RECOMMENDATIONS
APPENDIX A ‐ WINDOWS VISTA MIGRATION STEP‐BY‐STEP GUIDE
WINDOWS VISTA MIGRATION SCENARIOS
REQUIREMENTS FOR INSTALLING WINDOWS VISTA
OVERVIEW OF SCENARIOS
UPGRADING TO WINDOWS VISTA
  Avoiding Software Conflicts
  Steps for Upgrading to Windows Vista
  Step 1: Assess Hardware Requirements
  Step 2: Backup Important Data
  Step 3: Upgrade to Windows Vista
MIGRATING TO WINDOWS VISTA
  Steps for Migrating to Windows Vista
  Step 1: Migrate User Settings Using the User State Migration Tool
  Step 2: Migrate User Settings Using Windows Easy Transfer
APPENDIX B ‐ 10 THINGS YOU NEED TO KNOW ABOUT DEPLOYING WINDOWS VISTA
TOOLS YOU NEED; TOOLS TO FORGET
Date: February 1, 2007
To: Denton Mosier; Director of Support, I&IT
From: Marcy Wright; 2nd Tier Information Technology Consultant
Subject: Assessment of Windows Vista
EXECUTIVE SUMMARY
As part of my role as a member of the second tier support group of the instructional and information technology support department (I&IT), I was asked to evaluate the newest Windows operating system named Vista. My charge was to investigate the new Microsoft licensing model, learn the new features of the product, test commonly used campus applications, and make recommendations about how the campus could transition to the Vista platform.

For the past three months, I have been researching licensing rights and processes, reviewing driver conflict issues, reading internet reports and blogs, speaking with other techs on campus, and, since its Volume Licensing release on November 30, 2006, running Vista on my own laptop. From the information gathered from these resources, I have amassed hundreds if not thousands of pages of information about the issues surrounding Vista. All of these are too many to include in this report, so my focus will be to document my main findings with regard to the original scope of my investigation and provide additional supporting information upon request, along with recommendations for campus use of Vista as can be made at this early stage.

After using Vista for the past few weeks, reading, and listening to others' experiences, I can say that Vista has a lot to offer. The initial trial and error with finding drivers and software to work with Vista seems to lessen as time passes. I think this trend will continue and the availability of needed software and drivers will stabilize as developers have more time with Vista to program and test their products. Due to the need for increased hard drive, processor speed, memory and graphics capabilities, the standard consensus is most users will not move to Vista until the need to purchase a new computer arises. For those who do not wish to wait, the Windows Vista Update Advisor tool does a good job of letting the end user know if and how Vista will perform on their existing system.
Most of the existing systems on campus do not meet the preferred requirements to run all of the new features found within Vista, but many will run the basic Vista configuration. There are known issues with existing software, but they change every day as developers fine‐tune their products. A good resource for current issues with Vista bugs, hardware and software can be found at: http://www.iexbeta.com/wiki/index.php/Windows_Vista_Software_Compatibility_List

Many applications and features that are used by the campus have been tested and found to work. As Vista becomes more visible on campus, this list will grow and compatibility issues will need to be addressed. For example, one issue mentioned here under the Networking section is the need for wireless software that provides LEAP authentication for the campus. Users may also struggle with the lack of built‐in video decoders in the Enterprise edition. DVD decoders will need to be added to run most DVDs; K‐Lite Codec Pack is one option that is free and has been tested.

Overall, my thoughts about Vista are that it is here now and working. I think it is working better than most expected. We will need to continue to investigate how it runs in our environment and make careful decisions on deployment, support and training as a campus. As users transition over to Vista and we see Vista more and more on campus, our need for a Vista plan increases. In my view, steps can be taken to help immediately in the support of Vista on campus.

• Share what we know. This paper can be a start to provide an overview of Vista to the local campus tech community.
• eHelp ‐ http://www.csupomona.edu/~ehelp/software/vista.html
• Software Compatibility: This page can be expanded to show many of the software titles already tested on Vista. This link from Carnegie Mellon already includes the software they have tested and is a good example of what might work here. http://www.cmu.edu/computing/msvista/index.html
• Hardware Issues: This page could also list known hardware issues and machine types known to run Vista well.
• Bugs & Fixes: As issues arise regarding Vista, this page could communicate them to the campus and list the fixes when found.
• Find out what we don’t know: As all of us use Vista and find out what works and does not work, a convenient way to share this information within the campus would be helpful. This could save time and help in learning the new platform.
• Provide training to campus techs to help mitigate potential support problems.
• Provide training to end users through handouts, Breeze tutorials, and in a classroom setting.
• Detailed planning at the centralized level to decide what features of Vista would be helpful to use and work within our existing systems.
• Decide how licensing of Vista is best supported on campus. MAK use is necessary for laptops, but a KMS server would allow for instant activation and monitoring of license use and system resources.
• Discuss wide deployment of Vista in departments and labs before it happens to evaluate the impact on other campus departments.
• Regroup every few months, evaluate the impact Vista has made on the campus, and see if our efforts need to be redirected.
INTRODUCTION
As part of my role as a member of the second tier support group of the instructional and information technology support department (I&IT), I was asked to evaluate the newest Windows operating system named Vista. My charge was to investigate the new Microsoft licensing model, learn the new features of the product, test commonly used campus applications, and make recommendations about how the campus could transition to the Vista platform.

For the past three months, I have been researching licensing rights and processes, reviewing driver conflict issues, reading internet reports and blogs, speaking with other techs on campus, and, since Vista’s Volume Licensing release on November 30, 2006, running it on my own laptop. From the information gathered from these resources, I have amassed hundreds if not thousands of pages of information about the issues surrounding Vista. All of these are too many to include in this report, so my focus will be to document my main findings with regard to the original scope of my investigation and provide additional supporting information upon request, along with recommendations for campus use of Vista as can be made at this early stage.

Most of the information included in this report has been taken from many Microsoft websites, articles and guidelines. I have included much of it as written so as to be sure of capturing the exact intent and context. References have been provided along the way to allow readers to research information in more detail. The intent was only to provide a compressed document that is easy to refer to and allow many different sources to be condensed into a usable reference.

The computer used in this evaluation was originally a Dell Latitude D610 laptop 1.6GHz computer with 1GB of RAM and then a Dell Latitude D620 laptop with 2GB of memory. At the end of November, my first attempt at installation of the Vista operating system was through upgrading the existing D610 laptop from the Windows XP platform. The update went smoothly, with the exception of the video display. The same was true for a clean installation on a wiped drive on the D620 laptop.
BACKGROUND
Microsoft’s release of Windows Vista on November 30, 2006 to Volume Licensing and third party vendors, and then their release to the public on January 30, 2007, was their first major operating system update since Windows XP was released in 2001. Microsoft offers five different editions of Vista to choose from: Ultimate, Home Premium, Home Basic, Business, and Enterprise. These offerings are similar to those found for Windows XP. Vista Enterprise is only available to Microsoft Volume License customers and is the version used for this report.
FEATURES OF VISTA
The features of Vista are too numerous to explain in detail within this report. A few will be highlighted here and the rest can be reviewed online starting on the main Windows Vista page at: http://www.microsoft.com/windows/products/windowsvista/default.mspx

• The instant search feature helps to locate information quickly and allows you to save the format of your most used searches for future use.
• Windows Aero allows users to navigate open files and programs with glass‐like visuals.
• Windows Sidebar holds mini programs (Gadgets) to provide information at a glance.
• Windows Complete PC Backup and Restore backs up everything on the hard drive to a place you choose.
• Encrypting File System allows you to password protect shared documents.
• Windows Defender protects your system from unwanted software and blocks spyware.
• User Account Control prevents changes to your computer without consent.
• Windows Easy Transfer allows you to transfer data and settings to a new computer.
• Windows Mobility Center allows you to adjust display, presentation and power settings easily.
WINDOWS VISTA ENTERPRISE EDITION
Windows Vista Enterprise is designed to help organizations with complex IT infrastructures lower IT costs, reduce risk, and stay connected. Windows Vista Enterprise provides higher levels of data protection, improves application compatibility, and enables an organization to standardize by using a single deployment image.
Windows Vista Enterprise is available only to Volume License customers who have PCs covered by Microsoft Software Assurance. These customers are also eligible to acquire an optional subscription license for the Microsoft Desktop Optimization Pack for Software Assurance. This software extends the value of Windows Vista Enterprise by reducing application deployment costs, enabling delivery of applications as services, and allowing for better management and control of enterprise desktop environments.
The Enterprise edition is a beefed‐up version of the Business edition with added enhancements specific to the needs of large organizations. Additional details about the Windows Vista Enterprise Edition can be found at: http://www.microsoft.com/windows/products/windowsvista/editions/enterprise/default.mspx
Windows Vista Enterprise includes Windows BitLocker Drive Encryption. Windows BitLocker uses hardware‐based data encryption technology to encrypt the entire hard drive.
Windows Vista Enterprise includes built‐in tools to improve application compatibility with previous versions of Microsoft operating systems, as well as with UNIX operating systems. It also provides the right to run four virtual operating system sessions, which enables you to run a legacy application in a virtual environment on top of Windows Vista Enterprise. Additionally, Windows Vista Enterprise includes Subsystem for UNIX‐based Applications (SUA), which enables you to run UNIX applications unchanged on a Windows Vista Enterprise‐based PC. Whereas today a UNIX database administrator or system administrator needs to have a UNIX workstation in addition to a Windows‐based PC, Windows Vista Enterprise enables you to consolidate both functions into a single Windows Vista‐based PC.
Windows Vista Enterprise customers that subscribe to the Desktop Optimization Pack for Software Assurance have additional options for minimizing application compatibility challenges. This service can accelerate deployment with tools such as SoftGrid for application virtualization, which can reduce application‐to‐application conflicts, and with Asset Inventory Services, to help you more quickly compile information about applications running inside your organization.
An interface language controls which language a user sees in the Windows Start menu, in the help system, in built‐in management tools, and in Windows dialog boxes. Windows Vista Enterprise includes all available interface languages in one offering. Access to all worldwide Windows interface languages enables organizations to build a single deployment image that can be used worldwide and to deploy individual PCs that simultaneously offer different interface languages for different users.
Parts of this section were taken from: http://www.microsoft.com/windows/products/windowsvista/editions/enterprise/default.mspx
SECURITY
With Windows Vista, Microsoft is making fundamental investments in technology to help make customers more secure. Efforts include using a security development lifecycle to develop more secure software and providing technology innovation in the platform to provide layered defense, or defense‐in‐depth. Windows Vista includes many security features and improvements to protect client computers from the latest generation of threats, including spyware and other types of malware.
USER ACCOUNT CONTROL
With Windows XP and earlier operating systems, IT departments had to choose between the application compatibility and convenience of having users log on as an administrator, and the security and stability provided by having users log on as a standard user. User Account Control in Windows Vista gives administrators the option of restricting permissions while still enabling most applications to run.
To help provide this combination of security and compatibility, File and Registry Virtualization automatically redirects writes (and subsequent reads) aimed at areas that the standard user does not have access to into a per‐user location. Changes made to the virtualized registry settings and folders are visible to only that user account and the applications the user runs, so the integrity of the computer is protected. If an application does require administrator credentials, Windows Vista will prompt the user for the credentials before allowing the application to run.
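Virtualized file writes land in a per‐user VirtualStore folder under %LOCALAPPDATA%, so listing that folder shows which legacy applications still write to protected locations. The audit script below is an added example, not part of the original report or of Microsoft's tooling; the C: system drive, the function names and the sample files are assumptions constructed for illustration, and it covers the file side only (virtualized registry writes sit under HKCU\Software\Classes\VirtualStore).

```python
import os
import tempfile
from collections import defaultdict
from pathlib import Path, PureWindowsPath

# First folder under VirtualStore -> protected location it mirrors.
# Assumption: a default install with the system on drive C:.
PROTECTED_ROOTS = {
    "program files": r"C:\Program Files",
    "program files (x86)": r"C:\Program Files (x86)",
    "programdata": r"C:\ProgramData",
    "windows": r"C:\Windows",
}


def default_virtual_store():
    """Per-user VirtualStore folder, or None when LOCALAPPDATA is not set."""
    base = os.environ.get("LOCALAPPDATA")
    return Path(base) / "VirtualStore" if base else None


def audit_virtual_store(store_root):
    """Map each application folder to the protected paths it tried to write.

    Every file found under VirtualStore is a write that a standard-user
    process aimed at a protected location and that Windows redirected.
    """
    store_root = Path(store_root)
    if not store_root.is_dir():
        return {}
    findings = defaultdict(list)
    for path in store_root.rglob("*"):
        if not path.is_file():
            continue
        parts = path.relative_to(store_root).parts
        root = PROTECTED_ROOTS.get(parts[0].lower())
        if root is None:
            # Not one of the roots listed above: report it as found.
            findings["(unrecognized root)"].append(str(PureWindowsPath(*parts)))
            continue
        # Files directly under the root are attributed to the root itself.
        app = str(PureWindowsPath(root, parts[1])) if len(parts) > 2 else root
        findings[app].append(str(PureWindowsPath(root, *parts[1:])))
    return {app: sorted(paths) for app, paths in findings.items()}


def build_sample_store(base):
    """Create a constructed VirtualStore tree for the demonstration."""
    store = Path(base) / "VirtualStore"
    for rel in (
        "Program Files/LegacyApp/settings.ini",
        "Program Files/LegacyApp/data/cache.db",
        "Windows/legacy.ini",
    ):
        target = store / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text("constructed sample\n")
    return store


if __name__ == "__main__":
    # Audit the real per-user store on Windows, else the constructed sample.
    real = default_virtual_store()
    with tempfile.TemporaryDirectory() as tmp:
        store = real if real and real.is_dir() else build_sample_store(tmp)
        for app, paths in audit_virtual_store(store).items():
            print(app)
            for original in paths:
                print("   redirected write to", original)
```

Applications that show up in the report are the ones to retest or request updates for, since they depend on virtualization rather than writing to per‐user locations themselves.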
WINDOWS FIREWALL
The personal firewall built into Windows Vista builds on the functionality that is included with Microsoft Windows XP Service Pack 2. For example, Windows Vista's firewall blocks all inbound traffic until a computer has the latest security updates installed. The bi‐directional firewall also includes outbound filtering that enables users to configure it to selectively block both outbound traffic and inbound traffic. Every aspect of Windows Vista's firewall can be configured using Group Policy settings, so client security settings remain constant. For the first time in a Windows operating system, Windows Vista firewall management is integrated with IPsec. The firewall works closely with Windows Service Hardening to restrict what services can do on the system, providing defense‐in‐depth and reducing opportunities for attackers to compromise vulnerable computers. Windows Service Hardening restricts critical Windows services from doing abnormal activities in the file system, registry, network, or any other resources that could be used to allow malware to install itself or attack other computers. For example, the Remote Procedure Call (RPC) service can be restricted from replacing system files or modifying the registry.
In Windows Vista, Internet Protocol security (IPsec) and firewall management are integrated in a single console, known as Windows Firewall with Advanced Security. This console centralizes inbound and outbound traffic filtering along with IPsec server and domain isolation settings in the user interface, enabling increased visibility into security settings.
MALICIOUS AND POTENTIALLY UNWANTED SOFTWARE
User Account Control and security improvements to Internet Explorer can reduce the impact of malicious and unwanted software in Windows Vista. In addition to these features, Windows Vista can detect and clean many malware applications including spyware and other potentially unwanted software using Windows Defender and the monthly delivery of the Malicious Software Removal Tool (MSRT) through Automatic Updates (AU). These technologies help protect the integrity of the operating system and the privacy of users' data. Although Windows Vista includes many anti‐malware technologies, a full anti‐virus solution is still recommended for the best protection. Note that the built‐in anti‐malware detection, cleaning, and real‐time blocking is primarily targeted at unmanaged users. Windows Vista does not include enterprise management level support for anti‐malware via group policy beyond troubleshooting and enabling/disabling Windows Defender.
INTERNET EXPLORER ENHANCEMENTS
Windows Vista builds upon the User Account Control initiative to limit Internet Explorer to just enough privileges to browse the Web, but not enough to modify user files or settings by default. This Windows Vista‐only feature, known as Protected mode, will be in Beta 2. As a result, even if a malicious site attacks a potential vulnerability in Internet Explorer, the site's code won't have enough privileges to install software, copy files to the user's Startup folder, or hijack the settings for the browser's homepage or search provider.
To help protect a user's personal information, Internet Explorer:
• Highlights the new security status bar when visiting a Secure Sockets Layer‐protected site and lets the user easily check the validity of a site's security certificate.
• Has a phishing filter, which helps users browse more safely by advising them when Web sites may be attempting to steal their confidential information. The filter works by analyzing Web site content, looking for known characteristics of phishing techniques and using a global network of data sources to decide if the Web site should be trusted. Filter data is updated several times an hour, which is important given the speed with which phishing sites can appear and potentially collect a user's data.
• Clears all cached data with a single click.
NETWORK ACCESS PROTECTION
Windows Vista includes an agent that can provide information about a client’s health state and configuration to network access servers or peers. With Network Access Protection, clients that lack current security updates, lack virus signatures, or otherwise fail to meet your computer health requirements cannot communicate on your private network. Network Access Protection can be used to protect your network from remote access clients as well as local area network (LAN) clients using wired or wireless connections. The agent reports Windows Vista client health status, such as having current updates and up‐to‐date virus signatures installed, to a server‐based Network Access Protection enforcement service. A Network Access Protection infrastructure, included with Windows Server "Longhorn", determines whether to grant the client access to your private network or to a restricted network.
ROUTING COMPARTMENTS
To prevent unwanted forwarding of traffic between interfaces for virtual private network (VPN), Terminal Server, and multi‐user logon configurations, the Next Generation TCP/IP stack supports routing compartments. A routing compartment is the combination of a set of interfaces with a login session that has its own IP routing tables. A computer can have multiple routing compartments that are isolated from each other. Each interface can only belong to a single compartment. For example, when a user initiates a VPN connection across the Internet with the current TCP/IP stack, the user's computer has partial connectivity to both the Internet and a private intranet by manipulating entries in the IPv4 routing table. In some situations, it is possible for traffic from the Internet to be forwarded across the VPN connection to the private intranet. Routing compartments in the Next Generation TCP/IP stack isolate the Internet connectivity from the private intranet connectivity with separate IP routing tables.
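The isolation described above can be seen in a simplified Python model, added here as an illustration; it is not Windows code, and the class names, the interface names eth0 and vpn0, the session labels and the addresses are all constructed. It contrasts one shared routing table with per‐compartment tables and enforces that each interface belongs to a single compartment.

```python
"""Toy model of routing compartments (added illustration, not Windows code)."""
import ipaddress


class RoutingTable:
    """IPv4 routing table with longest-prefix-match lookup."""

    def __init__(self):
        self.routes = []  # list of (network, egress interface)

    def add(self, prefix, interface):
        self.routes.append((ipaddress.ip_network(prefix), interface))

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        matches = [(net, ifc) for net, ifc in self.routes if addr in net]
        if not matches:
            return None  # no route: the packet is dropped
        return max(matches, key=lambda m: m[0].prefixlen)[1]


class SharedTableStack:
    """One routing table shared by every interface (no compartments)."""

    def __init__(self):
        self.table = RoutingTable()

    def egress_for(self, ingress_interface, dst):
        # The ingress interface plays no part in the decision, so traffic
        # arriving from the Internet can match the intranet route.
        return self.table.lookup(dst)


class CompartmentStack:
    """Each compartment = login session + set of interfaces + own table."""

    def __init__(self):
        self.compartments = {}  # name -> {"session", "interfaces", "table"}
        self.owner = {}         # interface -> compartment name

    def add_compartment(self, name, session, interfaces):
        for ifc in interfaces:
            if ifc in self.owner:
                raise ValueError(f"{ifc} already belongs to {self.owner[ifc]}")
        for ifc in interfaces:
            self.owner[ifc] = name
        self.compartments[name] = {
            "session": session,
            "interfaces": set(interfaces),
            "table": RoutingTable(),
        }

    def add_route(self, name, prefix, interface):
        # A compartment's table may only point at its own interfaces.
        if self.owner.get(interface) != name:
            raise ValueError(f"{interface} is not in compartment {name}")
        self.compartments[name]["table"].add(prefix, interface)

    def egress_for(self, ingress_interface, dst):
        # Lookup is confined to the table of the ingress interface's compartment.
        name = self.owner[ingress_interface]
        return self.compartments[name]["table"].lookup(dst)


def build_shared():
    """VPN client with a single table: default route plus intranet route."""
    stack = SharedTableStack()
    stack.table.add("0.0.0.0/0", "eth0")   # Internet
    stack.table.add("10.0.0.0/8", "vpn0")  # private intranet (constructed)
    return stack


def build_compartments():
    """Same host, with Internet and intranet in separate compartments."""
    stack = CompartmentStack()
    stack.add_compartment("internet", session="session-1", interfaces=["eth0"])
    stack.add_compartment("intranet", session="session-2", interfaces=["vpn0"])
    stack.add_route("internet", "0.0.0.0/0", "eth0")
    stack.add_route("intranet", "10.0.0.0/8", "vpn0")
    return stack


if __name__ == "__main__":
    intranet_host = "10.1.2.3"      # constructed intranet address
    internet_host = "198.51.100.7"  # constructed Internet address (TEST-NET-2)
    shared, comp = build_shared(), build_compartments()
    print("shared table, from eth0 :", shared.egress_for("eth0", intranet_host))
    print("compartments, from eth0 :", comp.egress_for("eth0", intranet_host))
    print("compartments, from vpn0 :", comp.egress_for("vpn0", internet_host))
```

With the shared table, a packet that arrives on eth0 addressed to the intranet is sent out vpn0; with compartments, the same packet never leaves the Internet compartment.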
WIRELESS SINGLE SIGN‐ON
The deployment of wireless networks has promoted the use of Layer 2 network authentication, such as 802.1X, to ensure that only an appropriate user or device is allowed on the protected network and that their data is secure at the radio transmission level. The Single Sign‐On feature executes Layer 2 network authentication at the appropriate time given the network security configuration, while at the same time seamlessly integrating with the user's Windows log‐on experience. Administrators can use Group Policy or the Command Line Interface to deploy Single Sign‐On profiles to client machines. Once a Single Sign‐On profile is configured, 802.1X authentication will precede the Windows logon. This feature enables scenarios such as GPO updates, Log‐On scripts and wireless Bootstrap, which require network connectivity prior to user logon.
BROAD SUPPORT FOR WIRELESS SECURITY PROTOCOLS
The native WiFi architecture in Windows Vista has wide support for the latest security protocols, including WiFi Protected Access (WPA), WiFi Protected Access 2 (WPA2), Extensible Authentication Protocol (EAP), Protected Extensible Authentication Protocol‐Transport Layer Security (PEAP‐TLS), Wired Equivalent Privacy (WEP), and others. This broad support ensures interoperability between Windows Vista and almost any wireless infrastructure. Personal networks at home or in small businesses can also be more secure through WPA‐PSK and WPA2‐PSK using a pre‐shared key. The capabilities of the wireless network card are examined by Windows Vista, and the most secure protocol is chosen by default when creating a new wireless network. Security in Windows Vista is also extensible. Using the EAP‐HOST framework, Windows Vista is able to support custom authentication mechanisms defined by a hardware vendor or by an organization itself.
PLATFORM IMPROVEMENTS
Windows Vista's authentication capabilities are more flexible, providing a variety of choices for customized authentication mechanisms such as fingerprint scanners and smart cards. Deployment and management tools, such as self‐service personal identification number (PIN) reset tools, make smart cards easier to manage and deploy. Smart cards can now be used to log on to Windows Vista, too. Further, Windows Vista enables authentication using Internet Protocol version 6 (IPv6) or Web services.
Certificate enrollment is made easier because Windows Vista includes Credential Manager enhancements that enable backing up and restoring credentials stored on the local computer. The new Digital Identity Management Service (DIMS) provides certificate and credential roaming within an Active Directory forest and end‐to‐end certificate life cycle management scenarios.
Windows Vista's auditing capabilities make it easier to track what users do. Auditing categories now include multiple subcategories, reducing the number of irrelevant events. Windows Vista integrated audit event forwarding collects and forwards critical audit data to a central location, enabling enterprises to better organize and analyze audit data.
http://technet.microsoft.com/en‐us/windowsvista/aa906027.aspx#EBB
MULTI‐TIERED DATA PROTECTION
Theft or loss of corporate intellectual property is an increasing concern for organizations. Windows Vista has improved support for data protection at the document, file, directory, and machine levels. The integrated Rights Management client allows organizations to enforce policies around document usage. The Encrypting File System, which provides user‐based file and directory encryption, has been enhanced to allow storage of encryption keys on smart cards, providing better protection of encryption keys. In addition, the new BitLocker™ Drive Encryption enterprise feature adds machine‐level data protection. It provides full volume encryption of the system volume, including Windows system files and the hibernation file, which helps protect data from being compromised on a lost, stolen or decommissioned machine. In order to provide a solution that is easy to deploy and manage, a Trusted Platform Module (TPM) 1.2 chip is used to store the keys that encrypt and decrypt sectors on the Windows hard drive. It requires the TPM and an enterprise management infrastructure to ensure that the feature is easy to use for end users.
http://technet.microsoft.com/en‐us/windowsvista/aa906027.aspx#ELC
RELIABILITY AND PERFORMANCE
While Windows Vista takes advantage of modern computing hardware, it also runs faster and more reliably on the same computers used to run Windows XP. The operating system is more dependable, and Restart Manager reduces the number of times users need to restart their computers. Applications that run on Windows Vista are more reliable too, because applications can recover from deadlocked situations and improved error reporting enables developers to fix common problems. Windows Vista can even help detect and recover failing hard disks and memory.
AUTOMATIC RECOVERY
With Windows XP and earlier operating systems, recovering from a service failure typically required users to restart their computers. With Windows Vista, most service failures are not noticeable to users, because Windows Vista will automatically restart most services in the unlikely event that they fail. If necessary, Windows Vista can automatically address service dependencies and restart multiple services to maintain the reliability of the operating system. Because users often restarted their computer to resolve problems with failed services, automatic recovery also reduces the number of restarts.
BUILT‐IN DIAGNOSTICS
Windows Vista can self‐diagnose and resolve a number of common problems. For example, Windows Disk Diagnostics proactively detects impending disk failures and can alert the support center to replace the failing hard disk before total failure occurs. For administrators, Windows Vista will guide them through the process of backing up their data so the hard disk can be replaced without data loss.
Windows Vista also includes memory diagnostics to help administrators track down problems with unreliable memory. Previously, memory diagnostics were available only as a download and were difficult for many IT professionals to use. In Windows Vista, if Windows Error Reporting (WER) or Microsoft Online Crash Analysis (MOCA) determines that a failure may be caused by failing memory, Windows Vista prompts the user to perform memory diagnostics without requiring an additional download or separate boot disk. If memory diagnostics identifies a memory problem, Windows Vista can avoid using the affected portion of physical memory to enable the operating system to start successfully and to avoid application crashes. Upon startup, Windows Vista provides an easy‐to‐understand report detailing the problem.
Windows Vista also includes the Network Diagnostics Framework (NDF). The NDF provides users with advanced means to assist in problem resolution for network‐related issues. When unable to connect to a network resource, the user is presented with clear repair options rather than error messages which can be difficult to understand. If Windows Vista can repair the issue automatically, it will; if not, the user is directed to perform simple steps to correct the problem without having to call for support.
STARTUP REPAIR TOOL
Windows Vista includes the Startup Repair Tool (StR) to automatically fix many common problems and enable end users and IT professionals to quickly diagnose and repair more complex startup problems. When a startup failure is detected, the system fails over into StR. Once started, StR performs diagnostics to determine the cause of the startup failure. StR even analyzes startup log files so that you don't have to. Once StR determines the cause of the failure, it attempts to fix the problem automatically. The entire process requires little to no user input. Problems StR can automatically repair include:
• Incompatible drivers
• Missing or corrupted startup configuration settings
• Corrupted disk metadata
After the operating system has been repaired, Windows Vista notifies the user of the repairs and provides logging so that IT professionals can determine exactly which steps StR performed. StR also includes tools to assist IT professionals in manually troubleshooting startup problems. StR reduces support calls related to startup problems, and when users do need assistance, StR enables you to quickly solve the problem.
APPLICATION RELIABILITY
Windows Vista is engineered to reduce the frequency and impact of user disruptions. It includes fixes for known crashes and hangs, and enhanced instrumentation that will provide greater insight into what causes unresponsive conditions.
Windows Vista will offer improved application reliability from the first day that businesses deploy it, and the new error reporting capabilities will enable applications to continue to become more reliable over time. With earlier versions of Windows, application hangs were very hard for developers to troubleshoot because error reporting provided limited or no information about hangs. Windows Vista improves error reporting to give developers the information they need to identify the root cause of problems. This enables continuous improvements in reliability.
PERFORMANCE IMPROVEMENTS
Windows Vista offers improved performance and responsiveness compared with Windows XP. For example, Windows Vista can automatically detect problems related to long startup times or an unresponsive user interface, and add an event to the event log that describes the condition and that possibly provides information about the root cause of the performance problem. Administrators can use this information to troubleshoot problems on a case‐by‐case basis, or aggregate the event log data by using a tool such as Microsoft Operations Manager (MOM) to analyze performance for the entire enterprise.
The Next‐Generation TCP/IP stack automatically senses the network environment and adjusts key performance settings, such as the TCP receive window. Improved stack auto‐tuning and configuration reduces the need for manual configuration of TCP/IP settings. It enables faster network transfers, more intelligent bandwidth usage, and fewer retransmissions of lost data on the network. This can lead to a significant reduction in the time required to transfer a large file or back up a hard drive across the network.
http://technet.microsoft.com/en‐us/windowsvista/aa906027.aspx#EOC
DEPLOYMENT
Deploying a new operating system to an enterprise is no small task, but Windows Vista image‐based deployment makes the process as efficient as possible. Images are the most reliable and quickest way to deploy an operating system, but they have not historically been part of the standard Windows operating system installation, requiring additional software and many hours of labor to maintain. To help reduce the complexity of the deployment process, Microsoft based the installation of Windows Vista on the file‐based disk imaging technology called Windows Imaging (WIM); modularized Windows Vista to make customization and deployment of the images easier; and made significant other deployment enhancements to the core operating system.
MODULARIZATION
Windows Vista is modularized, which makes it easier to customize. When preparing to distribute Windows Vista to an organization, IT professionals configure and add optional components to distribute to a given set of computers. Languages, for example, are components, so the English language can be distributed to one set of computers, while French, German, and Spanish go to a different group. Drivers and updates are also components, making it easy to update images as hardware and software requirements change.
WINDOWS IMAGING
WIM is a file‐based image format, which provides significant benefits as compared to the more common sector‐based image formats. The WIM image format is hardware‐agnostic, enabling you to maintain only a single image for multiple hardware configurations. WIM can also store multiple images within a single image file, making image management easier and saving disk space by storing only a single copy of each file. For example, you might store two images in a single WIM file — one image that contains only the Windows Vista operating system and a second image that also contains core applications. The WIM format reduces image file sizes significantly by using a compressed file format and single‐instance storage techniques. (The image file contains only one physical copy of a file, however many instances of it occur in the image file, which significantly reduces the size of image files that contain multiple images.)
Maintaining WIM images is easy, because drivers, updates, and some other Windows components can be added and removed offline without ever starting the operating system image. Windows Vista includes tools to directly edit images to change general and regional settings, apply operating system updates, add drivers, and install updates. This feature saves hours of work maintaining setup images, because there is no need to start the image to make configuration changes.
Additionally, the WIM image format allows for non‐destructive deployment. This means that you can leave data on the volume to which you apply the image because the application of the image does not erase the disk's existing contents.
Either modularization or WIM alone can dramatically simplify deployment; but together, they revolutionize the way client operating systems are installed. In other words, the combination of the two technologies provides a greater benefit than the two technologies would if offered separately. Most notably, the two technologies significantly reduce the number of operating system images that must be maintained. As a result, IT departments that previously maintained different images for each language and computer type can probably use just one or two Windows Vista images, thereby freeing the staff for other priorities.
NONDESTRUCTIVE IMAGING
With previous versions of Windows, imaging could only be used for new Windows installations since deploying an image would overwrite the computer's hard disk. To upgrade a user's computer, IT professionals had to copy the user's files and settings to a different computer, and then restore the files and settings after deploying the image. Windows Vista includes nondestructive imaging using the WIM image format, which copies files and settings to a reserved portion of the computer's hard disk before deploying the Windows Vista image. After the Windows Vista image is deployed, Windows Vista migrates the files and settings and then restores the portion of the computer's hard disk that had been reserved. Overall, migrating to Windows Vista is much more reliable than migrating to Windows XP.
UNATTENDED INSTALLATIONS
Most Windows Vista administrative tools, including Windows System Image Manager and the Microsoft Windows User State Migration Tool (USMT), can be controlled from a command line or script. This functionality saves time when the user must repeatedly perform the same, or similar, tasks. IT departments that do not use scripting will still save time configuring unattended setup by editing a single file: Unattend.xml. Windows Vista includes graphical tools that make it simple to configure an unattended installation without manually editing the file. Because Extensible Markup Language (XML) files are text‐based, they can be edited manually or programmatically using a script.
http://technet.microsoft.com/en‐us/windowsvista/aa906027.aspx#EMD
MANAGEABILITY
Monitoring, maintaining, and troubleshooting hundreds or thousands of computers can be both time‐consuming and expensive. Windows Vista represents a significant step forward in Microsoft's commitment to reducing Windows computers' total cost of ownership (TCO). Windows Vista is designed to reduce the cost of desktop support, to simplify desktop configuration management, to enable better centralized management of the desktop and to decrease the cost of keeping systems updated. Expanded Group Policy settings make almost every aspect of Windows Vista centrally configurable, and powerful command‐line and scripting tools enable IT professionals to automate monotonous tasks. Monitoring and reporting are designed to be centralized as well.
CONFIGURATION MANAGEMENT
Windows Vista technology ensures that changes to Windows files and settings happen in a predictable and reliable way. Windows Resource Protection (WRP) technology allows the system to protect itself from undesirable changes to system files, folders, or registry keys — changes that could render a computer or application inoperable. System settings in the registry are protected from inadvertent changes by users or unauthorized software; only the Windows trusted installer can make changes to protected system files and settings.
GROUP POLICY
Almost every new configuration setting in Windows Vista can be controlled using Group Policy. Additionally, Group Policy Management Console (GPMC) is now included with Windows Vista. To make Windows Vista more flexible in environments in which multiple users use a single computer, such as schools and libraries, Windows Vista can have multiple Local Group Policy objects applied. This feature improves security and manageability in such shared‐use environments as libraries and schools.
POLICY‐BASED QUALITY OF SERVICE
With Policy‐based QoS, an IT department will be able to define flexible QoS policies to prioritize and/or throttle outbound network traffic without requiring modifications to applications. These QoS policies will apply to outbound traffic based on any or all of the following conditions: sending application; deployment through Group Policy (such as a set of users, machines); source/destination IP address; source/destination port; and protocol.
EVENTING, INSTRUMENTATION, AND ERROR REPORTING
Windows Vista is easier to manage, saving IT professionals both time and effort. Event descriptions contain more data to help you identify the root cause of a problem and include event information in XML format, making it easy to expose events data to be leveraged by the management tools. For common problems, the process can be automated to launch tasks when a specific event appears. Windows Vista makes manually analyzing events easier, too, by enabling you to customize how the Event Viewer displays them. Additionally, Windows Vista can forward events to a central location to make identifying, tracking, and troubleshooting problems easier.
AUTOMATION
Windows Vista automation capabilities let repetitive management tasks be performed without human intervention, reducing the likelihood of manual errors. Windows Vista adds several key automation capabilities:
• Web Services for Management (WS‐Management), an industry‐standard Web services protocol for protected remote management of hardware and software components, makes Windows Vista easier to manage across a network by allowing administrators to remotely run scripts and perform other management tasks.
• Key administrative tasks that can be performed from a user interface (UI) can also be completed from a command line, expanding the Windows XP command‐line interface even further. This feature enables scripting and one‐to‐many administration.
• An improved Task Scheduler lets administrators launch a set of tasks in a specific sequence, ensuring they do not run simultaneously, and automatically launch tasks in response to events or when the computer is idle. The credentials used to launch the tasks can now be stored in Active Directory rather than on the local computer in order to improve the security of the passwords and simplify mandatory password changes.
SUPPORTABILITY
Windows Vista is designed to drive down user support costs in four key ways:
• Reduce the number of incidents. Windows Vista features such as Windows Resource Protection and User Account Control help users be productive while preventing them from making system changes that would affect the system's performance. Additionally, Windows Vista's failure recovery automatically resolves many common problems.
• Help users help themselves. Windows Vista is engineered to help users help themselves, greatly reducing the need for support from IT administrators or support center professionals. User Assistance — Windows Vista's version of help files — in Windows Vista provides better search capabilities, is easier for end users to understand, and can be customized by the IT department.
• Reduce support time. When problems occur, Windows Vista provides IT and support center professionals with tools, detailed events, and performance counters to make it easier to determine what happened and how to fix it. The ability to detect failing disks and memory allows IT professionals to proactively replace hardware before a problem becomes catastrophic, enabling the problem to be resolved in a few minutes rather than several hours.
• Reduce the cost of supporting remote users. Windows Vista's improved Remote Assistance tool makes it easier and less costly to service computers in remote locations. To reduce bandwidth costs, the greatly improved Background Intelligent Transfer Service (BITS) enables clients on a local area network (LAN) to share updates directly, instead of downloading the same files repeatedly across wide area networks (WANs).
http://technet.microsoft.com/en‐us/windowsvista/aa906027.aspx#E5D
PRODUCTIVITY
User productivity is still one of the key considerations for IT departments evaluating a new operating system. Windows Vista seeks to add value to enterprises by substantially improving user productivity. Improvements to the user interface help both end users and skilled IT professionals become more productive. By allowing users to easily find what they need, Windows Vista helps users focus on what is most important for them to get the job done.
USABILITY AND END‐USER PRODUCTIVITY
Microsoft has improved the usability of almost every aspect of Windows Vista, including the Start menu, Windows Explorer, and Control Panel. For example, the Control Panel now lists specific tasks that the user may want to perform, such as changing the screen's resolution. Users can even use the Quick Search text box to search for applications on the Start menu or for specific Control Panel tasks. These usability improvements mean users spend less time figuring out how to use the operating system and more time completing their work.
AERO
Windows Vista's user interface, code‐named "AERO" (Authentic, Energetic, Reflective, and Open), is easier and more fun, even as it makes users more productive. Computers designed for Windows Vista create a professional and attractive environment based on a theme of translucent glass. Even applications created before Windows Vista become more attractive because Windows Vista has improved wizards and common dialog boxes that are shared by all applications.
Users with high‐resolution monitors can finally take full advantage of their displays because Windows Vista smoothly scales icons and windows. As a result, users do not have to squint to read an e‐mail message on their new 1600x1200 laptop display. Users who have previously used lower resolutions to make text more readable can increase the display resolution for added clarity and sharpness without decreasing readability.
EXPLORERS
Windows XP includes several specialized Explorers to enhance users' experience when interacting with specific types of content, such as Documents, Photos, and Music. Windows Vista builds on this concept by including layout, command, and organizational tools that are appropriate for the information the Explorer displays onscreen.
INFORMATION VISUALIZATION
Windows Vista has amazing information management capabilities that enable users to find documents, e‐mail messages, and other information in seconds and then to work with that data in ways that are most intuitive to them. In fact, Windows Vista's new tools are so flexible and so easy to use that users will rarely need to search for information on their computers.
First, the new Document Explorer, replacing the My Documents folder in Windows XP, is much more powerful. Instead of simply showing icons for documents, the Explorer shows high‐resolution thumbnails that preview the document's content. Users can dynamically adjust the size of these thumbnails up to 256x256 pixels, which is large enough for users to know whether they've found the right document without opening it.
SEARCH
Users can search documents, e‐mail, contacts, and Web sites right from their desktop. Windows Vista searches are not limited to the local computer and can include shared folders and other network resources. For all those times users think, "I know I've seen that somewhere, but where was it?" search capability makes it easy to find the content the user is looking for.
START MENU
The Windows Vista Start menu makes it easier to open specific applications and browse all applications. Users can type part of the application's name in the Start menu's Quick Search box to launch the application. For example, to launch the Calculator tool, users press the Windows key, type Calc, and press Enter. Windows Vista makes it easier to browse the applications installed on the computer by replacing the Windows XP All Programs menu with a tree view, similar to Windows Explorer. This feature helps users find applications that are nested in folders several levels deep.
SHARING
Windows Vista makes it easy for users to share files, whether on a single computer or network. First, Windows Vista gives users the option to save their files into a personal or public profile, thereby differentiating whether the content will be available for personal or public use. Next, the new Sharing Wizard shows every person who has an account on that computer or in the Active Directory, enabling the user to choose which individual can access which files. Finally, Windows Vista enables users to more easily keep track of shared content by showing two Search Folders: one that displays all shared content and one that displays all content that has been taken offline.
MOBILITY IMPROVEMENTS
Windows Vista provides a single, easy interface for connecting to any type of network, including wireless local area networks (WLANs), wireless wide area networks (WWANs), ad hoc wireless networks, and Virtual Private Networks (VPNs). Once connected, the Windows Vista Network Explorer enables users to visually browse all network resources, including computers and devices, people on the network, and shared folders. The speed and reliability of discovering networked computers, servers, and devices is improved significantly over that provided by Windows XP.
Windows Vista provides a single user interface, called SyncManager, for managing all types of data and device synchronization. SyncManager is capable of managing almost any type of device synchronization, including music files to a portable audio player, calendar information and e‐mail messages to a PDA, contact information to a mobile phone, files between two networked computers, and files between a network computer and a file server.
Windows Vista's new default power‐off state is Sleep mode. Sleep combines the resume speed of the Windows XP Standby mode with the data protection and low power‐consumption characteristics of Hibernate. In the Sleep state, Windows Vista records the contents of memory to the hard disk, just as it would with Hibernate. However, it also maintains the memory for a short period of time, just as Windows XP maintains the memory in Standby mode.
IPV6
IPv6 support in Windows Vista enables enterprises to support a larger network address space while eliminating the need for NAT or other workarounds. IPv6 scales well beyond the IPv4 address space, and provides additional security with full support for IPSec. Enterprises can deploy IPv6 within their infrastructure without having to completely upgrade their network, because IPv6 transition mechanisms support tunneling IPv6 traffic across an IPv4‐only infrastructure.
http://technet.microsoft.com/en‐us/windowsvista/aa906027.aspx#EPF
WINDOWS VISTA LICENSING
As a member of the California State University System (CSU), Cal Poly Pomona’s Microsoft licensing falls under a CSU‐wide volume licensing agreement. Each campus signs up for its own access to the rights under this master agreement so that tracking of access and use can be associated with each campus. The agreements are renegotiated every three years and are handled at the Chancellor’s office level. Once a new agreement is in place, a main Microsoft contact at each campus is then passed the information to handle campus needs. Each product from Microsoft may have different licensing guidelines. Most fall into groups of guidelines that, over time, users on campus become aware of and comfortable with. With the release of Windows Vista, a change in the way operating system licensing is done was introduced. Vista is based on a Volume Activation 2.0 process (VA 2.0). This type of volume licensing involves the use of two types of keys: Multiple Activation Keys and Key Management Service.
MULTIPLE ACTIVATION KEY
The Multiple Activation Key (MAK) is the most similar to what the campus has used in the past. Each product key can activate a specific number of computers. For our campus, we have 500 activations available per key. If the use of volume‐licensed media is not controlled, excessive activations result in depletion of the activation pool. The MAK numbers are activation keys only. They are not used to install Vista but rather to activate it after installation. You can use them to activate any volume edition of Windows Vista. A MAK is used to activate each system under MAK management.
This key activates a single computer by directly contacting Microsoft’s activation servers through the Internet or by telephone. The Multiple Activation Key (MAK), although on the individual computer, is encrypted and kept in a trusted store so that users are not able to obtain the key once it has been installed on the computer. Volume licensing editions do not require a product key to be entered during setup, but the computer must be activated during a 30‐day grace period or the system will fall into a degraded mode. There are two ways to activate computers using MAKs:
• MAK Proxy Activation: A solution that enables a centralized activation request on behalf of multiple desktops with one connection to Microsoft. MAK Proxy Activation will be available in the solution code‐named Volume Activation Management Tool (VAMT), which is currently under development with expected availability in 2007.
• MAK Independent Activation: Each desktop independently connects and activates against Microsoft’s servers.
The number of MAK activations currently used can be seen on the MVLS page by the campus Microsoft contact. As each computer contacts Microsoft’s activation servers, the activation pool is reduced. After 500 activations the MAK will no longer work. The campus can immediately request a new MAK through the Microsoft Volume Licensing Site (MVLS) managed by the local campus Microsoft contact. The new MAK will have another 500 activations possible. Again, when those run out, another MAK can be requested. With the use of MAK activation there is no requirement to periodically renew activations. Reactivation will only be needed when significant hardware changes occur. More details about the MAK processes can be viewed at: http://www.microsoft.com/licensing/resources/vol/default.mspx and http://www.microsoft.com/technet/windowsvista/plan/volact1.mspx
KEY MANAGEMENT SERVICE
The Key Management Service (KMS) activation process uses a local campus server as a host to activate Vista systems. It is targeted at managed environments where more than 25 computers are consistently connected to an organization’s network. A KMS host must have at least 25 physical Windows Vista clients connected to it before any of them will activate. Systems operating in virtual machine (VM) environments can also be activated using KMS, but they do not contribute to the system count.
The Key Management Service (KMS) key used for KMS activation is only installed on the KMS host and never on individual computers which provides for control of the key and less risk of key piracy. Initial KMS keys allow for 1000 activations. If additional activations are needed the local campus Microsoft contact requests that the activation number be increased through the MVLS page. The KMS service can easily be co‐hosted with other services, and it does not require any additional software for downloading or installing. KMS can coexist with common server roles, including domain controllers. It has a small resource footprint during normal operation, although it can become compute‐bound after a large deployment of KMS clients or if most users start their computers in a short period. If CPU consumption is an issue, KMS supports a low priority option. Currently the KMS software needed to run this service will only run on the Vista or Longhorn Windows Server operating systems. The Windows Server 2003 KMS service for Volume Activation 2.0 is currently under development with expected availability in 2007. A single KMS host can support
hundreds of thousands of KMS clients. It is expected that most organizations will be able to operate with just two KMS hosts for their entire infrastructure (one main KMS host and one backup host for redundancy).
With a server in place, local machines will contact the server for activation instead of Microsoft and will need to contact the server at least every six months to keep their activation current. Clients not yet activated will attempt to connect with the KMS host every two hours (value configurable). Once activated, they will attempt to connect to the KMS host every seven days (value configurable) and, if successful, will renew their 180-day activation life span. Clients locate the KMS host using one of two methods:
• Auto-Discovery, in which a KMS client uses domain name service records to automatically locate a local KMS host.
• Direct connection, where a system administrator specifies the KMS host location and communication port.
Clients have a 30-day grace period to complete activation. Clients not activated within this time period will go into Reduced Functionality Mode (RFM), which will be discussed later. Clients activated with KMS will periodically try to renew their activation. If they are unable to connect to a KMS host for more than 180 days, they enter a 30-day grace period, after which they enter RFM until a connection can be made with a KMS host, or until a MAK is installed and the system is activated online or via telephone. This feature prevents computers that have been removed from the campus from functioning indefinitely without adequate license coverage.
KMS activation requires TCP/IP connectivity (port TCP/1688 default). A KMS activation request and response takes approximately 450 bytes. Consider the impact of periodic activation for slow and/or high‐latency links. Dynamic DNS and SRV record support are required for the default auto‐publishing and auto‐discovery functionality used by KMS. Both Microsoft Windows 2000 or later DNS and BIND 8.x or newer fully support these features.
KMS requests are only a few hundred bytes each. While attempting to activate, client computers make a KMS request every two hours (default); once activated, they make a request only once every seven days. Normally, a client computer activates with the initial request. Following are some considerations for planning a KMS host:
• KMS is compute-cycle intensive while actively processing requests. CPU usage can momentarily reach 100 percent on a single-processor computer during request processing.
• KMS memory usage can vary from approximately 10 MB to around 25 MB, depending on the number of incoming requests.
• Network overhead is minimal. Less than 250 bytes are sent in each direction for a complete client-KMS exchange, plus TCP session setup and teardown.
• The only additional network traffic is for auto-discovery, which usually occurs only once per client computer, as long as the same KMS continues to be available for subsequent renewals.
• Large organizations may want multiple KMS hosts for load-balancing and redundancy purposes.
• System Administrators of the KMS server can count KMS activations using standard system management software, such as Microsoft Operations Manager (MOM) and others in the future.
Windows Management Infrastructure (WMI), extensive event logging, and built-in Application Programming Interfaces (APIs) may provide details about installed licenses and about the license state and current grace or expiration period of MAK and KMS-activated computers.
According to Microsoft, Volume Activation 2.0 products, such as Vista, may also provide enhanced security through frequent background validations for Genuine modules. This is currently limited to critical software, but may be expanded greatly over time. More details about the KMS processes can be viewed at: http://www.microsoft.com/licensing/resources/vol/default.mspx and http://www.microsoft.com/technet/windowsvista/plan/volact1.mspx
VIEWING VOLUME LICENSING INFORMATION
You can display information about your Volume License computers using the slmgr.vbs -dli script. This provides general information about the current license, including the license state and remaining expiration time or grace period, and information for KMS clients or KMS hosts. You can view more licensing information by using slmgr.vbs -dlv. Activation information is unavailable in Safe Mode.
The following procedure helps display Volume License information.
1. Launch the command window. (Administrator privilege is not required here.)
2. Run the following script:
   cscript \windows\system32\slmgr.vbs -dli
3. Information displayed includes the following:
   Global information (example)
     Name: Windows(TM) Vista, Enterprise edition
     Description: Windows Operating System - Vista, ENVIRONMENT channel
     Partial Product Key: RHXCM
     License Status: Licensed
     Volume activation expiration: 43162 minutes (29 days)
     Evaluation End Date: 8/29/2007 4:59:59 PM
   For KMS clients (example)
     Key Management Service client information
     Client Machine ID (CMID): 45d450a8-2bef-4f04-9271-6104516a1b60
     DNS auto-discovery: KMS name not available from DNS
     KMS machine extended PID: 11111-00140-008-805425-03-1033-5384.0000 1752006
     Activation interval: 120 minute(s)
     Renewal interval: 10080 minute(s)
   For KMS machines (example)
     Key Management Service is enabled on this machine
     Current count: 7
     Listening on Port: 1688
     DNS Publishing: Enabled
     KMS priority: Normal
4. Run the following script to display more licensing support information that may be useful for support purposes:
   cscript \windows\system32\slmgr.vbs -dlv
   For example:
     Software licensing service version: 6.0.5384.4
     ActivationID: 14478aca-ea15-4958-ac34-359281101c99
     ApplicationID: 55c92734-d682-4d71-983e-d6ec3f16059f
     Extended PID: 11111-00140-009-000002-03-1033-5384.0000-1942006
     Installation ID: 000963843315259493598506854253663081409973656140419231
5. Run the following script to display more licensing support information for all installed licenses:
   cscript \windows\system32\slmgr.vbs -dlv all
Note: Only one license can be in use, namely the one that has a partial product key.
http://www.microsoft.com/technet/windowsvista/plan/volact1.mspx#GeneralConsiderations
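The -dli output shown above is regular enough to check by script when it is collected from many machines. The Python below is an added example, not part of the original guide or of any Microsoft tool: it parses the KMS client sample from this section and lists conditions worth following up. The function names and the 14-day warning threshold are assumptions.

```python
import re

# Constructed input: the global and KMS client examples from this guide,
# joined as one captured -dli run.
SAMPLE_DLI = """\
Name: Windows(TM) Vista, Enterprise edition
Description: Windows Operating System - Vista, ENVIRONMENT channel
Partial Product Key: RHXCM
License Status: Licensed
Volume activation expiration: 43162 minutes (29 days)
Evaluation End Date: 8/29/2007 4:59:59 PM
Key Management Service client information
Client Machine ID (CMID): 45d450a8-2bef-4f04-9271-6104516a1b60
DNS auto-discovery: KMS name not available from DNS
KMS machine extended PID: 11111-00140-008-805425-03-1033-5384.0000 1752006
Activation interval: 120 minute(s)
Renewal interval: 10080 minute(s)
"""

# Defaults stated in the guide: retry every two hours, renew every seven days.
DEFAULT_INTERVALS = {"Activation interval": 120, "Renewal interval": 10080}


def parse_dli(text):
    """Return (role, fields) from `slmgr.vbs -dli` output.

    role is "kms-client", "kms-host" or None. fields maps each
    "Label: value" line to its value; only the first colon splits, so
    values such as "4:59:59 PM" stay intact.
    """
    role, fields = None, {}
    for raw in text.splitlines():
        # Text pasted through documents often carries typographic dashes.
        line = raw.replace("\u2010", "-").replace("\u2013", "-").strip()
        if "Key Management Service client information" in line:
            role = "kms-client"
        elif "Key Management Service is enabled" in line:
            role = "kms-host"
        label, sep, value = line.partition(":")
        if sep and value.strip():
            fields[label.strip()] = value.strip()
    return role, fields


def minutes_of(value):
    """Leading minute count of a value like '43162 minutes (29 days)'."""
    match = re.match(r"(\d+)\s+minute", value or "")
    return int(match.group(1)) if match else None


def audit(role, fields, warn_days=14):
    """Return a list of findings for one machine (empty means nothing to do)."""
    findings = []
    status = fields.get("License Status", "missing")
    if status != "Licensed":
        findings.append("license status is '%s'" % status)
    remaining = minutes_of(fields.get("Volume activation expiration"))
    if remaining is not None and remaining < warn_days * 1440:
        findings.append("activation expires in %d days" % (remaining // 1440))
    if role == "kms-client":
        if "not available" in fields.get("DNS auto-discovery", ""):
            findings.append("no KMS host found through DNS auto-discovery")
        for label, default in DEFAULT_INTERVALS.items():
            got = minutes_of(fields.get(label))
            if got is not None and got != default:
                findings.append("%s is %d minutes, default is %d"
                                % (label.lower(), got, default))
    return findings


if __name__ == "__main__":
    role, fields = parse_dli(SAMPLE_DLI)
    cmid = fields.get("Client Machine ID (CMID)", "unknown CMID")
    for finding in audit(role, fields) or ["no findings"]:
        print(cmid, "-", finding)
```

On the sample, the only finding at the default threshold is the failed DNS auto-discovery, which means the client depends on a directly configured KMS host or will not renew.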
MEDIA CONSIDERATIONS
Volume License Product Use Rights require that you have a previous qualifying operating system license for each copy of Windows Vista you deploy. The default 32‐bit Volume License media are upgrade‐only and are not bootable (64‐bit Volume License media are not restricted in this way, since there is no supported upgrade
path). You must first boot a previous version of Windows and then run the setup to install Windows Vista. Bootable media is also available on request through your Volume License portal. Volume editions of Windows Vista default to KMS‐based activation and do not require a product key to be entered during setup. Windows Vista Volume License editions use a specific pre‐defined setup key in the sources\pid.txt file. MAKs can be specified with a variety of methods during deployment or post deployment.
THE FIVE LICENSING STATES
Windows Vista utilizes five license states to track activation. The five states are:
• Licensed
  o A “Licensed” computer has been properly activated. Activation can happen in several ways including Internet and phone activation. Additionally, KMS clients can activate themselves after contacting an activated KMS.
• Initial Grace
  o Initial Grace (or OOB Grace) starts the first time you start your computer after you install the operating system. It provides 30 days for the computer to be activated. The Initial Grace period can only be restarted by running sysprep /generalize, or by using slmgr.vbs -rearm. These processes reset the Initial Grace timer to 30 days. This will only work three times.
• Non-Genuine Grace
  o Non-Genuine Grace occurs only on a computer that has the Windows Genuine ActiveX control installed, and then fails Genuine Validation. The computer is marked non-Genuine, and the License State may be changed to non-Genuine Grace. If this happens, non-Genuine Grace provides 30 days for the computer to be re-activated and validated Genuine by re-visiting the WGA website at http://www.microsoft.com/genuine.
• Out of Tolerance Grace
  o Out of Tolerance Grace begins when cumulative hardware changes on an activated computer push it beyond a tolerance level, or when a KMS client goes for 180 days without contacting a KMS. OOT Grace provides 30 days for a computer to be re-activated. A computer may be activated and then fall into OOT grace any number of times, and each time the OOT Grace timer will be reset to 30 days.
• Unlicensed
  o When any grace period is allowed to expire, the computer becomes Unlicensed. An Unlicensed computer runs in Reduced Functionality Mode (RFM), which provides users very limited access to the system in one-hour increments, and presents a window containing links to properly license and activate the computer. If the computer falls into RFM from non-Genuine Grace, the user is presented with a window containing links and solutions specific to recovery from non-Genuine RFM.
The term “grace period” refers to a length of time provided to allow any necessary actions to return the computer to the licensed state. All grace periods last 30 days.
To tell if a computer is already licensed, look for “Windows is activated” in the Welcome Center or in System under Control Panel.
http://www.microsoft.com/technet/windowsvista/plan/volact1.mspx#GeneralConsiderations
REDUCED FUNCTIONALITY MODE
Failure to activate the Vista software within 30 days will result in it being placed in Reduced Functionality Mode (RFM). In RFM there is no start menu, no desktop icons, and the desktop background is changed to black. After one hour, the system will log the user out without warning. It will not shut down the computer, and the user can log back in. Once a copy of Windows Vista has moved into RFM, the user will be presented the four options listed in the following figure, at their next logon attempt:
Users who already have a product key but have not activated their computer should click Activate Windows online now. By clicking Access your computer with reduced functionality, the default Web browser is started and the user is presented with an option to purchase a new product key. The Web browser will fully function and Internet connectivity will not be blocked.
If the user has acquired another product key (either through eligibility for a MAK or by purchasing a key online), they can use the new key to activate by clicking Retype your product key. If no Internet connection is detected, the user can click Show me other ways to activate to use telephone activation. This option will not be active if an Internet connection is present on the system.
REDUCED FUNCTIONALITY MODE SCENARIOS
A copy of Windows Vista can go into RFM under the following two scenarios:
Scenario 1: If any of the following events occurs for the given license type:
• For MAK-activated and KMS host computers: Failure to activate within the grace period (that is, 30 days after installation) or failure to renew activation within 30 days of a major hardware replacement.
• For KMS-activated computers: Failure to activate with a KMS within 30 days of installation, failure to renew activation with KMS within 210 days (180 days plus the 30-day grace period) of the previous renewal, or failure to renew activation with KMS within 30 days of hard drive replacement.
Scenario 2: A copy of Windows Vista may be required to reactivate for the following reasons, and failure to successfully reactivate during the 30-day grace period will cause the copy of Windows Vista to go into RFM:
• The activation process has been determined to have been tampered with or worked around, or other tampering of license files is detected.
• A leaked, stolen, or prohibited product key is detected and blocked by Microsoft Product Activation servers. Product keys may be prohibited for any of the following reasons:
  o The product key is abused, stolen, or pirated.
  o The product key is seized as a result of anti-piracy enforcement efforts.
  o The key is a beta or test key and has been disabled.
  o There was a manufacturing error in the key.
  o The key has been returned.
When a copy of Windows enters RFM as a result of this scenario, the user is notified of this status via a message pop‐up.
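The KMS timers described above (30 days to first activation, a 180-day activation life renewed on each successful contact, then a 30-day grace period before RFM) can be turned into a fleet check that shows which machines are about to lose activation. The Python below is an added example, not from the guide or from Microsoft: machine names and dates are constructed, rearm and hardware-change events are not modeled, and treating the last day of each window as still inside it is an assumption.

```python
from datetime import date, timedelta

INITIAL_GRACE = timedelta(days=30)     # from installation to first activation
ACTIVATION_LIFE = timedelta(days=180)  # restarted by every successful renewal
OOT_GRACE = timedelta(days=30)         # after the activation life runs out


def kms_client_state(installed, last_renewal, today):
    """Classify a KMS client on a given day.

    last_renewal is the date of the last successful KMS contact, or None
    if the client never activated. Returns (state, deadline), where
    deadline is the last day of the current state, or None once the
    client is Unlicensed (running in RFM).
    """
    if last_renewal is None:
        deadline = installed + INITIAL_GRACE
        if today <= deadline:
            return "Initial Grace", deadline
        return "Unlicensed", None
    expires = last_renewal + ACTIVATION_LIFE
    if today <= expires:
        return "Licensed", expires
    grace_end = expires + OOT_GRACE    # 210 days after the last renewal
    if today <= grace_end:
        return "Out of Tolerance Grace", grace_end
    return "Unlicensed", None


def at_risk(inventory, today, horizon_days=30):
    """Return (name, state, deadline) rows that need attention.

    Licensed machines are listed only if their activation life ends
    within horizon_days. Unlicensed machines sort first, then the
    soonest deadline.
    """
    rows = []
    for name, installed, last_renewal in inventory:
        state, deadline = kms_client_state(installed, last_renewal, today)
        if state == "Licensed" and (deadline - today).days > horizon_days:
            continue
        rows.append((name, state, deadline))
    rows.sort(key=lambda row: (row[2] is not None, row[2] or today))
    return rows


# Constructed inventory: (name, install date, last successful KMS renewal).
INVENTORY = [
    ("lab-pc-01", date(2007, 3, 1), date(2007, 8, 28)),    # renews weekly
    ("loaner-07", date(2007, 2, 10), date(2007, 2, 20)),   # off campus since Feb
    ("kiosk-03", date(2007, 8, 20), None),                 # never reached KMS
    ("staff-lt-12", date(2007, 1, 5), date(2007, 1, 10)),  # off campus since Jan
    ("office-22", date(2007, 3, 1), date(2007, 3, 20)),    # renewals stopped
]

if __name__ == "__main__":
    for name, state, deadline in at_risk(INVENTORY, date(2007, 9, 1)):
        print("%-12s %-24s %s" % (name, state, deadline or "in RFM now"))
```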
REMEDYING REDUCED FUNCTIONALITY MODE
In the event that a system is placed into RFM, the following remedies are available:
If a client has exceeded the grace period, the Windows Activation dialog box appears, as shown in the figure above. Follow the prescribed activation process and the options already described.
• Entering a new product key,
• Obtaining a new product key,
• Re-entering the original product key.
• Reconnect a KMS-activated client to the network that houses the KMS host. The client automatically contacts the KMS host to renew its activation.
• If a KMS client cannot be returned to its home network but is able to access the Internet, it can be activated using a MAK. In the RFM dialog box, click Change Product Key to type the MAK.
• If the client is unable to connect to the Internet, you can also use telephone activation.
• Changing to a MAK does not provide an additional grace period. The client remains in RFM until the computer is activated, either via the Internet or by telephone.
• You can also supply the MAK through scripting by using the slmgr.vbs script with the -ipk option.
A client can be returned to its initial activation state for the current license by using the slmgr.vbs script with the -rearm option. This option resets the computer’s activation timer and reinitializes some activation parameters, including a KMS client’s unique machine ID (also known as client machine ID, or CMID). The number of times this can be repeated is limited and depends on how many times sysprep /generalize is run to create the distribution media. The maximum number of rearms possible is three. Note that rearm requires administrator privilege. However, an Administrator can enable use by ordinary users by setting the following registry entry (REG_DWORD) to 1:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SL\UserOperations
http://www.microsoft.com/technet/windowsvista/plan/volact1.mspx#GeneralConsiderations
RESOLVING NON‐GENUINE ISSUES
If either our campus or Microsoft detects that a KMS key or a MAK has been misused, then after discussions between Microsoft and us the product key can be marked as invalid for activation and as non-Genuine. When a volume edition client visits Microsoft Web sites requiring Genuine Validation, it will have to download and run either an ActiveX control or a small .exe application to access the download. If the computer is
configured with an invalid key or tampered files are detected, the computer will fail Genuine Validation. The user will be notified by a watermark on the desktop and periodic notifications to validate the Genuine status of the system by visiting a Microsoft Web site. In addition, the computer may be placed in a 30-day non-Genuine grace period during which it needs to be configured with a new product key or reinstalled if tampered files are detected. For MAK configured systems, a new MAK must be installed and activated on the computer. For computers activated with an invalid KMS key, the KMS host must first be activated with a new KMS key. KMS clients will then reactivate themselves after contacting the reconfigured KMS host. In both scenarios, computers that have downloaded the Genuine Advantage ActiveX control must also visit the Genuine Advantage Web site to change their Genuine status from non-Genuine to Genuine after being activated with a new product key. If a new product key has not been installed and activated, and the status has not changed during the 30-day non-Genuine grace period, the computer will start in non-Genuine RFM. In RFM, a user will only have options to access Web sites using their browser for an hour, before being logged off by the system.
http://www.microsoft.com/technet/windowsvista/plan/volact1.mspx#GeneralConsiderations
HARDWARE
A Windows Vista Capable PC logo identifies hardware that meets or exceeds the requirements to deliver core experiences such as security, reliability, organizing and finding information. All Windows Vista Capable PCs will run these core experiences, at a minimum.
Some premium features may require advanced or additional hardware. A Windows Vista Premium Ready program denotes hardware that can deliver these premium experiences, including Windows Aero, and BitLocker Drive Encryption.
Processor
• Windows Vista Capable PC: Modern processor (at least 800 MHz) [2]. CPU Manufacturer Information: Intel, AMD, Via
• Windows Vista Premium Ready: 1 GHz 32-bit (x86) or 64-bit (x64) processor [2]
System Memory
• Windows Vista Capable PC: 512 MB
• Windows Vista Premium Ready: 1 GB
GPU
• Windows Vista Capable PC: SVGA (800x600), DirectX 9 Capable (WDDM Driver Support recommended)
• Windows Vista Premium Ready: Windows Aero Capable. DirectX 9-class GPU that supports: a WDDM Driver; Pixel Shader 2.0 in hardware; 32 bits per pixel; adequate graphics memory [3]
Graphics Memory: 128 MB
HDD
• Windows Vista Capable PC: 20 GB
• Windows Vista Premium Ready: 40 GB
HDD Free Space
• Windows Vista Capable PC: 15 GB
• Windows Vista Premium Ready: >15 GB
Optical Drive
• Windows Vista Capable PC: CD-ROM Drive
• Windows Vista Premium Ready: DVD-ROM Drive [4]
Other: Meets criteria for "Designed for Windows XP" or "Designed for Windows XP x64" logo

Notes:
• BitLocker Drive Encryption requires a TPM 1.2 chip or a USB 2.0 flash drive.
• [2] Processor speed is specified as the nominal operational processor frequency for the device. Some processors have power management, which allows the processor to run at a lower rate to save power.
• [3] Adequate graphics memory is defined as:
  o 64 MB of graphics memory to support a single monitor at resolutions of 1,310,720 pixels or less
  o 128 MB of graphics memory to support a single monitor at resolutions of 2,304,000 pixels or less
  o 256 MB of graphics memory to support a single monitor at resolutions higher than 2,304,000 pixels
  o Graphics memory bandwidth, as assessed by Windows Vista Upgrade Advisor, of at least 1,600 MB per second
• [4] A DVD-ROM may be external (not integral, not built into the system).
• A CD-ROM may be external (not integral, not built into the system).
• If the GPU uses shared memory, then no additional graphics memory is required beyond the 1 GB system memory requirement; if the GPU uses dedicated memory, then 128 MB is required.
http://technet.microsoft.com/en-us/windowsvista/aa905075.aspx
WINDOWS VISTA HARDWARE ASSESSMENT
The Windows Vista Hardware Assessment is an assessment and inventory tool designed to help customers quickly assess their PCs’ readiness for Windows Vista upgrades network-wide from a single networked PC. It is designed to remotely connect to PCs on a network, assess their hardware and device compatibility with Windows Vista, and automatically create a comprehensive report with assessment results and upgrade recommendations for each PC. The Windows Vista Hardware Assessment does not require the installation of any software agents on PCs to perform the assessment. The Windows Vista Hardware Assessment will provide the following information in two output documents in Microsoft Word and Microsoft Excel:
• Deployment Blockers: Devices and BIOS versions that are not compatible with Windows Vista.
• Windows Vista Experience: Windows Vista experience based on currently available system resources.
• Upgrade Recommendations: Specific recommendations for upgrading PC hardware to improve the Windows Vista experience.
LINKS TO MANUFACTURER INFORMATION ABOUT CPU
Current CPU Guidelines
• Get a list of Intel CPUs. Note: Intel is supplying this data and is solely responsible for its contents; please look for CPUs.
• Get a list of AMD CPUs. Note: AMD is supplying this data and is solely responsible for its contents.
• Get a list of Via CPUs. Note: Via is supplying this data and is solely responsible for its contents.
LINKS TO MANUFACTURER INFORMATION ABOUT GRAPHICS PROCESSOR
Current GPU Guidelines
• Get a list of Intel GPUs that would support WDDM. Note: Intel is supplying this data and is solely responsible for its contents; please look for GPUs.
• Get a list of ATI GPUs that would support WDDM. Note: ATI is supplying this data and is solely responsible for its contents.
• Get a list of NVIDIA GPUs that would support WDDM. Note: NVIDIA is supplying this data and is solely responsible for its contents.
• Get a list of S3 Graphics GPUs that would support WDDM. Note: S3 Graphics is supplying this data and is solely responsible for its contents.
• Get a list of Via GPUs that would support WDDM. Note: Via is supplying this data and is solely responsible for its contents.
Microsoft is currently working with other graphic vendors to provide a comprehensive list of GPUs that would support WDDM.
http://technet.microsoft.com/en-us/windowsvista/aa905088.aspx#ERB
WINDOWS VISTA HARDWARE COMPATIBILITY LIST
Logo tiers (for devices and systems):
• Premium: Logo for premium experiences. In addition to passing Microsoft standards of compatibility, reliability, and security, products with these logos take advantage of Windows Vista features and provide the richest PC experience possible.
• Basic: Logo for basic experiences. Products with these logos have been tested to pass Microsoft standards of compatibility, reliability, and security and will work with all PCs running Windows Vista.
To search the Windows Vista Hardware Compatibility List visit:
http://winqual.microsoft.com/hcl/
WINDOWS VISTA UPGRADE ADVISOR
Windows Vista Upgrade Advisor is a downloadable web application that helps Windows XP users identify which edition of Windows Vista meets their needs, whether their PCs are ready for an upgrade to Windows Vista, and which features of Windows Vista will be able to run on their PCs. The Windows Vista Upgrade Advisor depends on technology that only runs on computers with these editions of Windows:
• All 32-bit editions of Windows XP
• All 32-bit editions of Windows Vista, except Enterprise edition
To install and run the Windows Vista Upgrade Advisor, you will need:
• Administrator privileges
• .NET 2.0*
• MSXML6*
• 20 MB of free hard disk space
• An internet connection
Below is a sample report run on a campus Dell Latitude D610:
NETWORKING
Windows Vista includes innovations in networking technologies, including:
• Streamlined user interface
• A high-performance, auto-tuning TCP/IP stack
• Integrated support for both IPv4 and IPv6
• End-to-end security solutions
• Network diagnostics
• Manageability features such as policy-based Quality of Service, Windows Firewall with IPsec integration, and wireless network configuration
These new features, and networking in Vista generally, are too numerous to describe within this document; only a few are covered here. Detailed information can be found at: http://technet.microsoft.com/en-us/windowsvista/aa905087.aspx
TCP/IP STACK AND THE WINDOWS FILTERING PLATFORM
The Windows Vista networking stack has been completely rewritten. Instead of the dual stack model that exists in Windows XP or Windows Server 2003 (to support IPv4 and IPv6), Windows Vista implements a new architecture in which a single transport and framing layer supports multiple IP layers. There are several new features and protocol enhancements. The new stack is very modular, flexible, and extensible. While every attempt has been made to maintain compatibility with existing applications that interface with the stack at various layers, there are changes (mostly side effects of the improvements) that may cause application compatibility issues. Application developers must evaluate these changes carefully to understand their impact on their applications.
The Microsoft Windows Filtering Platform (WFP) API allows developers to create code that interacts with the filtering that takes place at several layers in the Windows Vista and Microsoft Windows Server Code Name "Longhorn" operating system networking stack and throughout the operating system. WFP also integrates with and provides support for firewall features, such as authenticated communication and dynamic firewall configuration, based on an application's use of the sockets API. Note: WFP is not a firewall itself. It is a set of system services and APIs that enable firewalls to be implemented.
The following elements of the TCP/IP stack will not be supported on Windows Vista:
• The firewall-hook driver functions and the filter-hook driver functions have been deprecated.
• The R-series tools, including rexec, rsh, finger, and so on. These tools are available from the Services For Unix components, if needed.
• The Internetwork Packet Exchange (IPX) protocol. IPX has been deprecated and is not used much, if at all. There should be no or minimal application compatibility impact because of this change.
If an application built for Windows XP was using only public functions for networking, it should not see any break in functionality. It should be tested on Windows Vista to verify its functionality. Applications using any of the firewall-hook driver or filter-hook driver functions will not work. Applications relying on internal structures and function calls that were never published by Microsoft will fail. Transport Driver Interface (TDI) filter drivers written in kernel mode may not work properly after an OS upgrade. Note: The TDI interface is on a path to deprecation in a future release. However, these drivers will still work on Windows Vista.
Leverage Windows Vista capability solution:
• The WFP exposes a rich set of functions and services for the network security developers and provides guidance and documentation on the available feature sets.
Note: Applications and scripts that rely on Services for Unix and R-series must now install these tools first.
http://msdn2.microsoft.com/en‐us/library/aa480152.aspx#appcomp_topic11
NETWORKING: KERNEL MODE IP HELPER APIS
In prior releases of Windows, Winsock clients did not have an API set to access the kernel. This will change in Windows Vista. Also, Windows Vista now supports IPv6 by default. Instead of providing separate APIs for IPv4 and IPv6, a new Helper API set was designed to provide a common functionality across all the new technologies, as follows:
• Kernel mode functions for Windows Sockets in Kernel (WSK) clients.
• IPv6 support.
• Single set of functions for IPv4 and IPv6 addressing.
• Provides a consistent, extensible object model.
• Provides a well-defined security model based on the network service interface.
• Exposes new stack functionality, such as compartments and subinterfaces.
Applications using the older Helper APIs or undocumented kernel function calls will fail to function and may become unstable.
Applications need to support and implement the new kernel mode IP helper APIs.
http://msdn2.microsoft.com/en-us/library/aa480152.aspx#appcomp_topic12
NETWORKING: IPV6
The TCP/IP stack in Windows Vista has IPv6 enabled by default. IPv6 connectivity is preferred, if available. This has the following implications for applications that hook into the TCP/IP stack:
• IPv6 traffic will be sent by the Windows Vista stack regardless of whether the network supports IPv6 or not. Therefore, for example, router solicitation and neighbor discovery messages will be generated by default.
• IPv6 addresses will be present and on by default. There may be multiple IPv6 addresses associated with link-local, global, temporary, or transition technologies like 6to4, 6over4, ISATAP, or Teredo. Note: Teredo will be enabled by default.
• Windows Vista will allow a system to be configured in an IPv6-only mode. In this case, no IPv4 support will be available.
The TCP/IP stack in Windows Vista supports a strong host routing model. This means that packets are routed from a multi‐homed machine not only based on the destination address but also based on the source address of a packet. This change is needed because in IPv6, each machine gets multiple IP addresses and, with transition technologies, essentially appears as a multi‐homed machine as far as routing is concerned. To ensure proper connectivity happens in these scenarios, the networking stack has to implement a strong host routing model.
Applications using the Windows XP TCP/IP stack and/or unaware of the IPv6 protocol will not function properly and may crash or create an unstable system.
The implications of the strong host routing model for applications are as follows:
• Connection from a non-loopback address to a loopback address and vice-versa will fail.
• Packets with a source address of 127.0.0.0/8 will not be allowed to be sent by a Windows Vista machine on a network.
Applications will need to be re-authored as follows:
• Any application that hooks into the stack must be capable of handling IPv6 traffic. Minimally, it should not crash on receiving IPv6 traffic.
• Any application that relies on there being a single IPv4 address will need to be modified to handle multiple IPv6 addresses. Further, any application that picked the first address may have to more carefully identify the IPv6 address to use. This is because an IPv6 link-local address is not routable and hence, the application may not work. Instead, the application should use functions that allow connection by name and choose the most appropriate address automatically.
• Applications must handle and support IPv6-only scenarios.
• Applications must support and implement the strong host routing model.
http://msdn2.microsoft.com/en-us/library/aa480152.aspx#appcomp_topic13
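The address guidance above as a worked C example (added here; not code from the original report or from Microsoft). It shows why "take the first address" breaks on a host with link‐local addresses, and the connect‐by‐name loop that lets the resolver and stack choose instead. The names classify_addr, pick_routable and connect_by_name and the sample addresses are assumptions made for illustration.

```c
/* Needed for getaddrinfo() when a POSIX compiler runs in strict ISO C mode. */
#if !defined(_WIN32) && !defined(_POSIX_C_SOURCE)
#define _POSIX_C_SOURCE 200112L
#endif
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <winsock2.h>
#include <ws2tcpip.h>
typedef SOCKET sock_t;
#define BAD_SOCK INVALID_SOCKET
#define CLOSESOCK closesocket
#else
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>
typedef int sock_t;
#define BAD_SOCK (-1)
#define CLOSESOCK close
#endif

/* ADDR_ROUTABLE is a simplification: anything that is neither loopback nor link-local. */
enum addr_class { ADDR_INVALID, ADDR_LOOPBACK, ADDR_LINK_LOCAL, ADDR_ROUTABLE };

/* Classify a textual IPv4 or IPv6 address by scope. */
enum addr_class classify_addr(const char *text)
{
    struct in_addr a4;
    struct in6_addr a6;
    static const unsigned char v6_loopback[16] = { 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,1 };

    if (inet_pton(AF_INET, text, &a4) == 1) {
        uint32_t h = ntohl(a4.s_addr);
        if ((h >> 24) == 127)    return ADDR_LOOPBACK;     /* 127.0.0.0/8 */
        if ((h >> 16) == 0xA9FE) return ADDR_LINK_LOCAL;   /* 169.254.0.0/16 */
        return ADDR_ROUTABLE;
    }
    if (inet_pton(AF_INET6, text, &a6) == 1) {
        if (memcmp(a6.s6_addr, v6_loopback, 16) == 0)
            return ADDR_LOOPBACK;                          /* ::1 */
        if (a6.s6_addr[0] == 0xFE && (a6.s6_addr[1] & 0xC0) == 0x80)
            return ADDR_LINK_LOCAL;                        /* fe80::/10 */
        return ADDR_ROUTABLE;
    }
    return ADDR_INVALID;
}

/* Index of the first address that is usable off-link, or -1 if there is none. */
int pick_routable(const char *const addrs[], int n)
{
    for (int i = 0; i < n; i++)
        if (classify_addr(addrs[i]) == ADDR_ROUTABLE)
            return i;
    return -1;
}

/* Connect by name: try every address the resolver returns, IPv6 or IPv4,
 * in the order it returns them. Works unchanged on an IPv6-only host. */
sock_t connect_by_name(const char *host, const char *port)
{
    struct addrinfo hints, *res, *ai;
    sock_t s = BAD_SOCK;

    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;        /* do not assume IPv4 */
    hints.ai_socktype = SOCK_STREAM;
    if (getaddrinfo(host, port, &hints, &res) != 0)
        return BAD_SOCK;
    for (ai = res; ai != NULL; ai = ai->ai_next) {
        s = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
        if (s == BAD_SOCK)
            continue;
        if (connect(s, ai->ai_addr, (int)ai->ai_addrlen) == 0)
            break;                      /* connected */
        CLOSESOCK(s);
        s = BAD_SOCK;
    }
    freeaddrinfo(res);
    return s;
}

/* Constructed sample: addresses one host might report, in enumeration order. */
const char *const SAMPLE_ADDRS[] = {
    "fe80::1c2f:3aff:fe4b:5d6e", "169.254.10.20", "2001:db8::10", "192.0.2.15"
};

int main(void)
{
#ifdef _WIN32
    WSADATA wsa;
    WSAStartup(MAKEWORD(2, 2), &wsa);
#endif
    int i = pick_routable(SAMPLE_ADDRS, 4);
    printf("first address:    %s (class %d)\n", SAMPLE_ADDRS[0],
           (int)classify_addr(SAMPLE_ADDRS[0]));
    printf("routable address: %s\n", i >= 0 ? SAMPLE_ADDRS[i] : "(none)");
    return 0;
}
```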
NETWORKING: TURNING OFF THE WINDOWS FIREWALL
In order to avoid the situation where a user‐installed firewall (which is compatible with Windows XP but is incompatible with Windows Vista) attempts to turn off the Windows Firewall in Windows Vista, Microsoft has deprecated the Windows Firewall XP SP2 INetFwProfile.put_FirewallEnabled(VARIANT_FALSE) function in Windows Vista. When called on Windows Vista, this function will return an error code of E_NOTIMPL, show a message to the user, and log an appropriate event in the Windows event log.
Applications using the Windows XP SP2 INetFwProfile.put_FirewallEnabled(VARIANT_FALSE) function to turn off the Windows Firewall on Windows Vista will receive an error code.
Applications (typically firewalls) replacing the Windows Firewall with their own firewall solution must carefully consider the following security‐related points:
• Windows Vista supports IPv6 and IPv4 out‐of‐the‐box and will automatically have a link‐local IPv6 address; therefore, it is essential that your firewall solution filters BOTH IPv4 and IPv6.
• Windows Vista also supports additional IP protocols (e.g., GRE, L2TP, PGM and ICMPv6); therefore, it is essential that your firewall solution supports arbitrary protocol filtering (IANA Protocol 0‐255) and ICMP type and code filtering.
• In Windows Vista there are listening processes in both user mode and kernel mode (i.e., system process, http.sys, smb.sys); therefore, it is essential to filter BOTH user mode and kernel mode network traffic.
Microsoft further recommends that these applications:
• Do not replace the Windows Firewall unless all of the security‐related points specified above are addressed.
• Check the firewall status before your application turns off or disables Windows Firewall with Advanced Security.
• Do not turn off the firewall service (mpssvc) since this is the service that enforces Windows Service Hardening restrictions.
• Allow their firewall solution to overlap with Windows Firewall with Advanced Security in order to minimize your customers' exposure to security threats.
Applications can disable Windows Firewall with Advanced Security by using the following code example. To protect users, you should only disable Windows Firewall with Advanced Security after: (1) you have successfully turned on your firewall solution with the recommended settings; and (2) you have notified the user that Windows Firewall with Advanced Security is going to be disabled.
http://msdn2.microsoft.com/en-us/library/aa480152.aspx#appcomp_topic13a
WIRELESS
Currently known issues related to networking on the Cal Poly Pomona campus using Vista center around LEAP authentication. The built‐in wireless interface in Vista does not allow for this form of authentication, and our current vendor product was recently purchased by Cisco. The availability of a viable product from Cisco is currently being researched. Vista users will only be able to access the campus wireless system through a guest account.
SOFTWARE
PROGRAM COMPATIBILITY ASSISTANT (PCA) IN WINDOWS VISTA
The Program Compatibility Assistant (PCA) is a new feature in Windows Vista that can make older programs that have compatibility problems work better, in an automated manner. PCA monitors programs for known issues. If an issue is detected, it notifies the user of the problem and offers to apply solutions that will be effective before the user runs the program the next time. Note: PCA is a client‐only feature and is not available on the Server.
One of the main scenarios for PCA is to detect setup programs failing to install on Windows Vista and to provide the solution of applying the Windows XP compatibility mode. The most common setup failure is due to installers hard coding the check for the Windows OS version that they can run on. These installers will typically fail with an error message saying that the current version of Windows is not supported and terminate. Below is an example of such an error message, illustrated by a test program.
Programs commonly use the GetVersion or GetVersionEx APIs to get information on the Windows OS version that they are running on. In Windows Vista these APIs will return 6 as the major version. If the program is hard coded to look for the XP version, which is major version 5, then it will fail in Windows Vista. The XPVersionLie fix included in the Windows XP compatibility mode will provide the XP version of the OS to the program when it calls the GetVersion or GetVersionEx APIs. PCA aims to detect this scenario and will display a user interface similar to the one below after the installer is terminated. This scenario also covers uninstallers, and a similar dialog box will be shown.
When the user selects the option to Reinstall using recommended settings, the WINXPS2 compatibility mode will be applied to the installer program and the installer will be automatically restarted.
PCA does not specifically look for the setup failing due to version problems. The logic used by PCA is to detect if a setup did not complete successfully. It monitors a program detected as setup by Windows Vista and checks if the program registers an entry in Add or Remove Programs (ARP). If no entries are created in ARP then PCA concludes that the installer did not complete successfully. It will then wait for the install program to terminate before displaying the UI. If it is an uninstaller then the detection looks for whether an entry is deleted from ARP. PCA relies on the User Account Control (UAC) feature in Windows Vista to know if a program is a setup program. UAC includes detection for setup programs and will make sure the detected setup programs will be run as administrator. This includes getting administrative credentials or confirmation from the user before launching the program.
In Windows Vista, PCA detects programs that are trying to access a DLL or a COM object removed in Windows Vista. If a program is detected to access a known DLL/COM object, PCA will show a UI at program termination to inform the user about this and provide options to check online for a solution. The following is an example of a PCA dialog box that will show up in this scenario, illustrated by a test program.
Windows Vista does not support unsigned drivers on the 64‐bit platform and enforces a policy that all drivers should be signed. If an unsigned driver is installed into a system with a 64‐bit platform, it will not be loaded. After the user reboots the machine, the system will not start if it is a boot time driver. The device or program trying to use the driver may experience failures which may also result in a system crash. In order to prevent this, PCA monitors installation of unsigned drivers and whenever PCA detects installation of an unsigned driver it will notify the user, as shown in the following figure.
For more information on PCA go to: http://msdn2.microsoft.com/en-us/library/aa480152.aspx#appcomp_topic18
THIRTY‐MINUTE COMPATIBILITY CHECK
This section provides guidance on how to test and evaluate the compatibility of an application on Windows Vista. There are two primary scenarios to test for compatibility on Windows Vista, as follows.
WORKING WITH A CLEAN INSTALLATION OF WINDOWS VISTA
1. Install Windows Vista on a test machine.
2. Install the application on Windows Vista. If a prompt is displayed requesting permission to install the application, click Permit and continue. If installation succeeds, go to step 6.
3. If the application installation failed and no installation permission prompt was displayed, then right‐click the installer EXE and choose Run this program as administrator and re‐install the application. If the install succeeds, go to step 6. Note: This step is not necessary if an MSI is used to install.
4. If you receive any errors, such as OS version, CLSID registration, or file copy, then right‐click the installer EXE file, choose the Compatibility tab, and choose the Windows XP SP2 compatibility mode.
5. Go back to step 2. If you cannot install the application, go to step 9.
6. The application should now be installed.
7. Launch the application. If the application did not launch properly or if errors are displayed, apply the Windows XP SP2 compatibility mode to the application EXE and try again.
8. If the application launches successfully, run through the full suite of tests that would typically be used to test the application on Windows XP. Verify your application functionality and confirm that the application performs properly. If all major functionality tests pass, go to step 10.
9. If the application does not install, launch successfully, crashes, encounters an error, or fails major functionality tests, it may be one of the small set of applications that are impacted by Windows Vista changes. Use the topics in this document to check your application.
10. You have completed the scenario.
WORKING WITH AN UPGRADE FROM WINDOWS XP SERVICE PACK 2
1. Install Windows XP SP2 on a test machine and then install the application. Verify all the functionality of the application before proceeding.
2. Upgrade the test machine to Windows Vista. Follow the Windows Vista setup and upgrade instructions. Once the upgrade is complete, log on as you would on Windows XP.
3. Launch the application. If the application did not launch properly or if errors are displayed, apply the Windows XP SP2 compatibility mode to the application EXE and try again.
4. If the application launches successfully, run through the full suite of tests that would typically be used to test the application on Windows XP. Verify your application functionality and confirm that the application performs properly. If all major functionality tests pass, go to step 6.
5. If the application does not install, launch successfully, crashes, encounters an error, or fails major functionality tests, it may be one of the small set of applications that are impacted by Windows Vista changes. Use the topics in this document to check your application.
6. You have completed the scenario.
If both scenarios have been completed and the application has performed properly, then the application functions correctly under Windows Vista. For information about obtaining certification for your application, see the Windows Vista Home Page.
http://msdn2.microsoft.com/en-us/library/aa480152.aspx#appcomp_topic2
OPERATING SYSTEM VERSIONING
The internal version number for Windows Vista is 6. The GetVersion function will now return this version number to applications when queried. Note: This is the next major version number from Windows XP (version 5.x). The manifestation of this version change is very application‐specific, as follows:
• Any application that specifically checks for the OS version will get a higher version number.
• Application installers may prevent themselves from installing the application and applications may prevent themselves from starting.
• Applications may warn users and continue to function properly.
• Some applications may become unstable or crash.
Most applications will function properly on Windows Vista because the application compatibility in Windows Vista is very high. However, for applications and installers that check for OS version, a Compatibility mode is provided in Windows Vista. Users can right‐click the shortcut or the EXE and apply the Windows XP SP2 compatibility mode from the Compatibility tab. In most cases, this should enable the application to work as it did on Windows XP without a need for any changes to the application.
• Generally, applications should not perform OS version checks or, at minimum, always accept version 6 or later for the OS. This behavior should be followed unless there is a very specific legal, business, or system‐component need to do this version check.
• Application installers should not use 16‐bit installers to ensure 64‐bit system compatibility.
• Ensure that any drivers an application uses are user mode drivers as much as possible to maintain multiplatform (32‐bit and 64‐bit) compatibility.
http://msdn2.microsoft.com/en-us/library/aa480152.aspx#appcomp_topic3
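An added C example (not from the original report or from Microsoft) of the version checks this section warns about: the hard‐coded XP test that rejects version 6, a field‐by‐field "XP or later" test that also rejects 6.0, and a minimum comparison that accepts version 6 or later. The function names and the sample version pairs are assumptions; the Windows‐only part uses VerifyVersionInfo to let the OS do the comparison.

```c
#include <stdbool.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Version pair as GetVersionEx reports it (dwMajorVersion, dwMinorVersion). */
struct os_version { unsigned major, minor; };

/* Constructed inputs: 5.0 = Windows 2000, 5.1 = Windows XP, 6.0 = Windows Vista. */
const struct os_version WIN2000 = { 5, 0 };
const struct os_version WINXP   = { 5, 1 };
const struct os_version VISTA   = { 6, 0 };

/* Installer hard-coded to XP: every other major version is rejected. */
bool check_hardcoded_xp(struct os_version v)
{
    return v.major == 5;
}

/* "XP (5.1) or later" written field by field: rejects 6.0 because minor 0 < 1. */
bool check_fieldwise(struct os_version v)
{
    return v.major >= 5 && v.minor >= 1;
}

/* Correct minimum check: compare major first, minor only on a tie. */
bool check_at_least(struct os_version v, unsigned min_major, unsigned min_minor)
{
    if (v.major != min_major)
        return v.major > min_major;
    return v.minor >= min_minor;
}

#ifdef _WIN32
/* Same minimum check delegated to the OS instead of comparing fields by hand. */
bool running_at_least(unsigned min_major, unsigned min_minor)
{
    OSVERSIONINFOEXA osvi = { sizeof(osvi) };
    DWORDLONG mask = 0;

    osvi.dwMajorVersion = min_major;
    osvi.dwMinorVersion = min_minor;
    mask = VerSetConditionMask(mask, VER_MAJORVERSION, VER_GREATER_EQUAL);
    mask = VerSetConditionMask(mask, VER_MINORVERSION, VER_GREATER_EQUAL);
    return VerifyVersionInfoA(&osvi, VER_MAJORVERSION | VER_MINORVERSION, mask) != 0;
}
#endif

int main(void)
{
    const struct os_version samples[] = { WIN2000, WINXP, VISTA };

    printf("version  ==5  fieldwise  at_least(5.1)\n");
    for (int i = 0; i < 3; i++) {
        struct os_version v = samples[i];
        printf("%u.%u      %d    %d          %d\n", v.major, v.minor,
               check_hardcoded_xp(v), check_fieldwise(v), check_at_least(v, 5, 1));
    }
#ifdef _WIN32
    printf("this machine is XP or later: %d\n", running_at_least(5, 1));
#endif
    return 0;
}
```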
USER ACCOUNT CONTROL
A fundamental step toward increasing the security of Windows is enabling interactive users to run with a standard user account, which gives them access to only a limited set of permissions and privileges. By default, Windows Vista will run every application as a standard user even if you log on as a member of the administrator's group. Conversely, when users attempt to launch an application that has been marked as requiring administrator permissions, the system will explicitly ask them to confirm their intention to do so. Only applications running with administrator privileges can modify system and global settings and behavior. This feature of Windows Vista is the User Account Control (UAC).
• Custom installers, uninstallers, and updaters may not be detected and elevated to run as administrator.
• Standard user applications that require administrative privileges to perform their tasks may fail or not make this task available to standard users.
• Applications that attempt to perform tasks for which the current user does not have the necessary permissions may fail. How the failure manifests itself is dependent upon how the application was written.
• Control panel applications that perform administrative tasks and make global changes may not function properly and may fail.
• DLL applications that run using RunDLL32.EXE may not function properly if they perform global operations.
• Standard user applications writing to global locations will be redirected to per‐user locations through virtualization.
Quick solution for custom installers:
• A user can launch the installer or updater by right‐clicking and selecting Run this program as administrator.
• Apply an application compatibility fix to indicate that specific installers require elevation. To do so, right‐click the shortcut or the EXE and apply the Windows XP SP2 compatibility mode from the Compatibility tab.
Quick solution for applications that require administrative privileges to perform system modifications or write to privileged areas:
• Corporate users will be able to apply an application compatibility fix to indicate that the legacy application requires administrator permissions or privileges to run correctly.
• Reducing the restrictions of access control lists (ACLs) on certain restricted files may help applications that attempt to write these files.
  o Check the virtualized folders or registry keys to see if applications are accessing something that requires administrator privileges. This information can be used to remove the requirements of accessing administrator‐protected locations from future versions of the application. For more information about virtualized files, folders, and locations, see the "Links" section.
• Wrap a "Run DLL as an app" DLL call in a separate EXE and include a manifest for this EXE to require elevated privileges.
Compatibility test:
• Any install, uninstall, or update scenario should prompt the user for consent or credentials. Upon receiving user approval, the action should succeed.
• Attempt to reproduce the failing scenario as the built‐in administrator. If this scenario passes, the failure is probably due to a lack of privileges.
• Use the User Account Control predictor tool of the Application Compatibility Toolkit's Compatibility Administrator to identify those areas of an application that are performing administrator operations.
Leverage Windows Vista capability solution:
• Windows Vista based applications need to:
  o Follow the prescribed guidelines found in the Windows Vista LOGO program and user experience (UX) guidelines documentation (see the "Links" section).
  o Use embedded manifests to indicate their specific requestedExecutionLevel (formerly known as RunLevel).
  o Separate all administrative and non‐administrative functions into separate EXEs. All functions that need higher privileges should be in a separate executable EXE with manifested execution level or a COM object running with administrative privileges. Launch the administrative tasks only when required. This holds true for all applications.
• For applications that are not specifically administrative in nature, modify code to eliminate need for administrator permissions or privileges.
• For applications that are only used by administrators, mark the application so it will run with administrator permissions or privileges.
• When updating an application, use a separate updater EXE to update the target application.
• Control panel applications must move away from .cpl files to .exe files, and include a manifest for their EXE‐based control panel applications that specifies the execution level required.
• DLLs running under RunDLL32.EXE that need elevation should be modified into an executable EXE with its elevation level indicated in its manifest.
• Always open files and registry keys with read‐only access when possible. Use read‐write access only when needed and revert the permissions back to read‐only once the operation is complete.
http://msdn2.microsoft.com/en-us/library/aa480152.aspx#appcomp_topic4
COMPATIBILITY RISKS
Deprecated Components: The following components from earlier Windows releases will not be present in Windows Vista:
• Kernel mode printer driver support: All printer drivers will now have to follow the User mode driver framework. All kernel mode printer drivers will be blocked from loading on Windows Vista. For more information, see the User-Mode Driver Framework (UMDF) site.
• Windows Help (WinHelp.exe and WinHlp32.exe) is being deprecated for Windows Vista. Windows Help is not supported in Beta 2 and some of the Windows Help code has been removed for the release. To view Help files with the .HLP file name extension in Windows Vista, you will need to download and install Windows Help from the Microsoft Download Center. This download will not be available for Beta 2 or RC1. For more information, see Help Engine Support. Note: HTML Help and .CHM files will continue to be supported for Windows Vista.
• Microsoft FrontPage server extensions. Windows SharePoint Services now provides an enhanced feature set to the developer community.
• Services for Macintosh.
• D3DRM. DirectX will be the only supported graphics package for Windows Vista.
• Web Publishing Wizard.
• NetDDE: For security reasons, Windows Vista does not support NetDDE. (NetDDE is disabled by default on Windows XP SP 2 and Windows Server 2003.) Regular DDE is still supported. NetDDE is a technology that allows applications that use the DDE transport to transparently exchange data over a network. The result is that the application fails to exchange data over the network. To work around this, use a different networking technology, such as DCOM or Windows Communication Foundation. For more information about NetDDE, see http://support.microsoft.com/default.aspx?scid=kb;en-us;125703.
http://msdn2.microsoft.com/en-us/library/aa480152.aspx#appcomp_topic14
VISTA SOFTWARE COMPATIBILITY LIST
These are two resources to find Vista software compatibility lists:
http://www.iexbeta.com/wiki/index.php/Windows_Vista_Software_Compatibility_List
http://forumz.tomshardware.com/software/List-Vista-Supported-Hardware-amp-Software-ftopict232602.html
CONCLUSION
After using Vista for the past few weeks, reading, and listening to others' experiences, I can say that Vista has a lot to offer. The initial trial and error with finding drivers and software to work with Vista seems to lessen as time passes. I think this trend will continue and the availability of needed software and drivers will stabilize as developers have more time with Vista to program and test their products.
Due to the need for increased hard drive, processor speed, memory and graphics capabilities, the standard consensus is most users will not move to Vista until the need to purchase a new computer arises. For those who do not wish to wait, the Windows Vista Update Advisor tool does a good job of letting the end user know if and how Vista will perform on their existing system. Most of the existing systems on campus do not meet the preferred requirements to run all of the new features found within Vista, but many will run the basic Vista configuration.
There are known issues with existing software, but they change every day as developers fine‐tune their products. A good resource for current issues with Vista bugs, hardware and software can be found at: http://www.iexbeta.com/wiki/index.php/Windows_Vista_Software_Compatibility_List
Many applications and features that are used by the campus have been tested and found to work. The lists below are those programs or features that have been used by me or reported to me as currently working:
Adobe Acrobat 7, 8
Breeze/Acrobat Connect
Adobe Acrobat Reader 8
Bronco Direct
Adobe Captivate 2
Firefox
Adobe Designer 7
IE7
Adobe Illustrator CS2
Macromedia Flash 8
Adobe ImageReady CS2
Macromedia Dreamweaver 8
Adobe InDesign CS2
Macromedia Fireworks 8
Adobe Photoshop CS2
Macromedia Contribute 3
Adobe Premiere Pro 2
Macromedia Flashpaper 2
Blackboard/WebCT
McAfee VirusScan 8.5i
Office 2007
WIN Domain Connection
Remote Desktop Connection
Windows Vista
VPN
NOTE: All campus applications are undergoing extensive testing. Results that will verify compatibility or report any known issues will be published on a separate web page.
As Vista becomes more visible on campus, this list will grow and compatibility issues will need to be addressed. For example, one issue mentioned here under the Networking section is the need for wireless software that provides LEAP authentication for the campus. Users may also struggle with the lack of built‐in video decoders in the Enterprise edition. DVD decoders will need to be added to run most DVDs; K‐Lite Codec Pack is one option that is free and has been tested.
Overall, my thoughts about Vista are that it is here now and working. I think it is working better than most expected. We will need to continue to investigate how it works in our environment and make careful decisions on deployment, support and training as a campus.
RECOMMENDATIONS
As users transition over to Vista and we see Vista more and more on campus, our need for a Vista plan increases. In my view, steps can be taken to help immediately in the support of Vista on campus.
• Share what we know.
• This paper can be a start to provide an overview of Vista to the local campus tech community.
• eHelp ‐ http://www.csupomona.edu/~ehelp/software/vista.html
  o Software Compatibility: This page can be expanded to show many of the software titles already tested on Vista. This link from Carnegie Mellon already includes the software they have tested and is a good example of what might work here. http://www.cmu.edu/computing/msvista/index.html
  o Hardware Issues: This page could also list known hardware issues and machine types known to run Vista well.
  o Bugs & Fixes: As issues regarding Vista arise, this page could communicate them to the campus and list the fixes when found.
• Find out what we don’t know:
  o As all of us use Vista and find out what works and what does not work, a convenient way to share this information within the campus would be helpful. This could save time and help in learning the new platform.
• Provide training to campus techs to help mitigate potential support problems.
• Provide training to end users through handouts, Breeze tutorials, and in a classroom setting.
• Detailed planning at the centralized level to decide what features of Vista would be helpful to use and work within our existing systems.
• Decide how licensing of Vista is best supported on campus. MAK use is necessary for laptops, but a KMS server would allow for instant activation and monitoring of license use and system resources.
• Discuss wide deployment of Vista in departments and labs before it happens to evaluate the impact on other campus departments.
• Regroup every few months, evaluate the impact Vista has made on the campus, and see if our efforts need to be redirected.
APPENDIX A ‐ WINDOWS VISTA MIGRATION STEP‐BY‐STEP GUIDE
Windows Vista introduces new setup methods and processes, based on the new image‐based setup feature of Windows Vista. This document provides the steps to use when upgrading a computer from the Microsoft Windows XP Professional operating system or the Microsoft Windows XP Home Edition operating system to Windows Vista, and also how to migrate existing files and settings from Windows XP to Windows Vista.
WINDOWS VISTA MIGRATION SCENARIOS
This document covers two primary scenarios for installing Windows Vista: upgrading an existing Windows XP computer "in‐place" on the same computer hardware, and migrating user settings to a new computer running Windows Vista. If you purchase a new computer to run Windows Vista and want to move your files and settings from Windows XP to the new computer running Windows Vista, refer to the "Migrating to Windows Vista" scenario. If you are planning to install Windows Vista on a computer running Windows XP, refer to the "Upgrading to Windows Vista" scenario.
Upgrading to Windows Vista: This scenario assumes that you are installing Windows Vista on a computer running Windows XP Professional or Windows XP Home Edition.
Migrating to Windows Vista: This scenario assumes that you are installing Windows Vista on a new computer, and then transferring your user settings and files from a computer running Windows XP Professional or Windows XP Home Edition.
REQUIREMENTS FOR INSTALLING WINDOWS VISTA
Hardware requirements for Windows Vista are as follows:
• A 32‐bit (x86) or 64‐bit (x64) computer with 800 megahertz or higher processor clock speed (single or dual processor system); Intel Pentium/Celeron family, or AMD Athlon/Duron family, or compatible processor recommended.
• 512 megabytes (MB) of RAM or higher recommended
• At least 15 gigabytes (GB) of available hard disk space
• A video adapter capable of supporting the Windows Display Driver Model (WDDM) drivers used in Windows Vista
• CD‐ROM drive (a DVD drive is strongly recommended). Drives may be internal or external.
OVERVIEW OF SCENARIOS
These scenarios cover the steps required to install Windows Vista as either an upgrade to an existing operating system, or on a new computer to which you will transfer settings and files. The steps are very similar for the Windows Vista setup in both scenarios; the scenarios differ in the state of the computer at the beginning of the procedures, and the transfer of data after the Windows Vista installation.
UPGRADING TO WINDOWS VISTA
AVOIDING SOFTWARE CONFLICTS
This section addresses a temporary issue that may be present when you upgrade from Windows XP to Windows Vista.
If you are upgrading a computer running Windows XP and Windows AntiSpyware Beta 1, you may see software conflicts with Windows Defender when you upgrade to Windows Vista. To avoid this, uninstall Windows AntiSpyware Beta 1 before starting the upgrade process described in this section.
STEPS FOR UPGRADING TO WINDOWS VISTA
Step 1: Assess Hardware Requirements
Step 2: Backup Important Data
Step 3: Upgrade to Windows Vista
STEP 1: ASSESS HARDWARE REQUIREMENTS
The above‐noted hardware requirements for Windows Vista are general guidelines only. For better performance, consider the following "minimum recommended" configuration:
• A computer with a modern CPU, as detailed in the Windows Vista Capable PC Hardware Guidelines (http://go.microsoft.com/fwlink/?LinkID=54987). One gigahertz or higher processor clock speed recommended.
• 512 megabytes (MB) of RAM or higher recommended
• At least 15 gigabytes of available hard disk space (exact amount depends upon several factors, including features installed and virtual memory settings selected)
• A DirectX 9–class graphics adapter that supports WDDM and Pixel Shader 2.0, capable of supporting the Windows Display Driver Model (WDDM) drivers used in Windows Vista
• A DVD writer is required by the Windows DVD Maker program included with Home Premium and Ultimate editions.
To determine if your PCs meet the hardware requirements for Windows Vista network‐wide, it is recommended that you use the Windows Vista Hardware Assessment.
STEP 2: BACKUP IMPORTANT DATA
You should back up files, or save them to a safe location, before upgrading to Windows Vista. While this step is optional, it is important to have a current backup of important data before making significant changes to the computer to prevent data loss.
To save your important data to a safe location, your options will depend on the original operating system and the backup options available to you. The following list provides a few suggestions:
• Windows Backup, or other backup software
• Copy the important data to a network folder
• Burn the data to a CD or DVD
• Backup to an external hard disk
STEP 3: UPGRADE TO WINDOWS VISTA
The procedure for upgrading to Windows Vista assumes that you are already running a previous version of Windows on your computer. Upgrades are supported for the following versions of Windows:
• Windows XP SP 2
• Windows Vista
UPGRADE TO WINDOWS VISTA
1. Start Windows Vista Setup by inserting the DVD while running Windows, and click Install Now. If the autorun program does not open the Install Windows screen, browse to the root folder of the DVD and double click setup.exe.
2. Click Next to begin the Setup process.
3. Click Go online to get the latest updates (recommended) to retrieve any important updates for Windows Vista. This step is optional. If you choose not to check for updates during Setup, click Do not get the latest updates.
4. In Product key, type your product ID exactly as it appears on your DVD case. Click Next to proceed.
5. Read and accept the License Terms. Click I accept the License Terms (required to use Windows), and then click Next. If you click I decline (cancel installation) Windows Vista Setup will exit.
6. Click Upgrade (recommended) to perform an upgrade to your existing installation of Windows.
7. Windows Vista Setup will proceed without further interaction.
Note: To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
MIGRATING TO WINDOWS VISTA
To migrate to Windows Vista from a previous version of Windows, you should have a computer running a supported version of Windows that contains applications, settings, and data to be moved to a new computer running Windows Vista. The migration tools in Windows Vista provide three options for migrating your settings and files:
• Network connection
• Removable media (such as a USB flash drive or external hard disk)
• CD or DVD
In addition to a choice of transfer method, you have a choice of migration tools. Windows Easy Transfer, included in Windows Vista, can be used to migrate settings and files for all of the users on a single computer to a new computer. If you want to migrate files and settings for a number of users on multiple computers, use the User State Migration Tool (USMT).
STEPS FOR MIGRATING TO WINDOWS VISTA
Step 1: Migrate User Settings Using the User State Migration Tool
Step 2: Migrate User Settings Using Windows Easy Transfer
STEP 1: MIGRATE USER SETTINGS USING THE USER STATE MIGRATION TOOL
You can use Microsoft Windows User State Migration Tool (USMT) 3.0 to migrate user accounts during large deployments of Microsoft Windows XP and Windows Vista operating systems. USMT captures user accounts including desktop, and application settings, as well as a user's files, and then migrates them to a new Windows installation. Using USMT can help you improve and simplify your migration process. You can use USMT for both side‐by‐side (where you are copying the data from the old computer to a new computer) and wipe‐and‐load (where you are saving the data and then formatting the computer's hard disk and performing a clean install) migrations. If you are only upgrading your operating system, USMT is not needed.
USMT is intended for administrators who are performing automated deployments. If you are migrating the user states of only a few computers, you can use Windows Easy Transfer. For more information about USMT, see "Step‐by‐Step Guide to Migrating Files and Settings" on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkID=37680).
USMT allows you to do the following:
• Configure USMT for your unique situation, using the migration rule (.xml) files to control exactly which user accounts, files and settings are migrated and how they are migrated.
• Automate your migration using the two USMT command‐line tools, which control collecting and restoring the user files and settings.
USMT is described in full detail in "Getting Started with User State Migration Tool" on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkID=56578).
STEP 2: MIGRATE USER SETTINGS USING WINDOWS EASY TRANSFER
You can use Windows Easy Transfer to move user accounts, files and folders, program settings, Internet settings and favorites, and e‐mail settings from an existing Windows computer to a new computer running Windows Vista.
Step 1: Preparing for the Transfer
Step 2: Capturing Files and Settings from the Existing Computer
STEP 1: PREPARING FOR THE TRANSFER
Windows Easy Transfer in Windows Vista supports the following operating systems:
1. Windows 2000 SP 4
2. Windows XP SP 2
3. Windows Vista
PREPARING WINDOWS EASY TRANSFER
1. Open Windows Easy Transfer on your Windows Vista computer: click Start, click All Programs, click Accessories, click System Tools, and then click Windows Easy Transfer. Click Next to proceed.
2. If you have any programs open, you will be prompted to close them. You can opt to save your work in each program, and then close them individually, or you can click Close All in Windows Easy Transfer to close all running programs at once. Click Next.
3. Click Start new to begin the process of preparing Windows Easy Transfer to gather information from existing computers.
4. Click This is my new computer.
5. Select the destination for Windows Easy Transfer files. You have the option of creating the wizard files on CD or DVD, removable media, or a network drive. To use removable media or CD/DVD, you must have a drive in your computer that supports writing data to the appropriate media. Click Network drive. Note: Both computers must support the transfer method you choose. For example, if you write the data to CD or DVD, the destination computer must also have a CD or DVD drive. If you choose to transfer the data across the network, both computers must be connected on the same network.
6. Type a path and folder name in which you will store the Windows Easy Transfer files. The default value is C:\migwiz. Click Next.
STEP 2: TRANSFERRING FILES AND SETTINGS
Perform this step on the existing computer from which you are migrating user settings and files. Once the files and settings have been collected from your old computer and saved, you will move to the new computer to complete the wizard.
TRANSFER FILES AND SETTINGS USING A NETWORK
1. Start Windows Easy Transfer on the computer from which you wish to migrate settings and files by browsing to the removable media or network drive containing the wizard files, and then double clicking migwiz.exe.
2. If you have any programs open, you will be prompted to close them. You can opt to save your work in each program, and then close them individually, or you can click Close All in Windows Easy Transfer to close all running programs at once. Click Next.
3. Determine the transfer method to use. Click Through a network. Note: Both computers must support the transfer method you choose. For example, both computers must be connected to the same network.
4. Click Connect directly via network to begin the transfer. Alternately, click Save to network location if you want to store the files and settings in a file to be loaded later. If you choose to store the data in a network location, you will be prompted to provide the path.
5. Click Everything ‐ all user accounts, files, and program settings (recommended) to transfer all files and settings. You can also choose to determine exactly which files should be migrated by clicking either Only my user account, files, and program settings, or Custom.
6. Review the list of files and settings to be transferred, and then click Start to begin the transfer. Click Customize if you want to add or remove files or settings.
TRANSFER FILES AND SETTINGS USING REMOVABLE MEDIA
1. Start Windows Easy Transfer on the computer from which you wish to migrate settings and files by browsing to the removable media or network drive containing the wizard files, and then double clicking migwiz.exe.
2. If you have any programs open, you will be prompted to close them. You can opt to save your work in each program, and then close them individually, or you can click Close All in Windows Easy Transfer to close all running programs at once. Click Next.
3. Determine the transfer method to use. Click On a CD or other removable media, such as a flash drive. Note: Both computers must support the transfer method you choose. For example, both computers must support the same type of removable media.
4. Click To a network drive to save the files to either a network folder or a folder on a removable drive.
5. In Where do you want to save your files, type the path to a folder on the removable drive, and then click Next.
6. Click Everything ‐ all user accounts, files, and program settings (recommended) to transfer all files and settings. You can also choose to determine exactly which files should be migrated by clicking either Only my user account, files, and program settings, or Custom.
7. Review the list of files and settings to be transferred, and then click Start to begin the transfer. Click Customize if you want to add or remove files or settings.
8. Click Close once Windows Easy Transfer has completed moving files.
9. Move the removable media to the new computer and launch Windows Easy Transfer. Click Next.
10. Click Continue a transfer in progress.
11. In Where did you copy your files, click Removable media. If Removable Media is unavailable, click Network Drive. Click Next.
12. In Locate your saved files, type the path to your saved files or click Browse. Click Next once you have located the files.
13. Choose user names on your new computer that match the names on the old computer. You may have to create new accounts in this step. Type in a user name to create an account on the local computer. Type in a user name in the format domain\user to create a profile for a domain user.
14. In Choose the drives for files on your new computer, select the destination drive for each source drive location. For example, for files that came from the D: drive on your old computer, you must determine which drive they should be moved to on the new computer.
15. Review the list of files and settings to be transferred, and then click Start to begin the transfer. Click Customize if you want to add or remove files or settings.
16. Click Close once Windows Easy Transfer has completed moving files.
TRANSFER FILES AND SETTINGS USING A WRITABLE CD OR DVD
1. Start Windows Easy Transfer on the computer from which you wish to migrate settings and files by browsing to the removable media or network drive containing the wizard files, and then double clicking migwiz.exe.
2. If you have any programs open, you will be prompted to close them. You can opt to save your work in each program, and then close them individually, or you can click Close All in Windows Easy Transfer to close all running programs at once. Click Next.
3. Determine the transfer method to use. Click Burn a CD or DVD. Note: Both computers must support the transfer method you choose. For example, both computers must have a working CD or DVD drive.
4. In Choose your media, type the path to the writeable CD or DVD media. Click Next.
5. Click Everything ‐ all user accounts, files, and program settings (recommended) to transfer all files and settings. You can also choose to determine exactly which files should be migrated by clicking either Only my user account, files, and program settings, or Custom.
6. Review the list of files and settings to be transferred, and then click Start to begin the transfer. Click Customize if you want to add or remove files or settings. If there is not enough free space on the writeable media, Windows Easy Transfer will tell you how many blank discs will be required.
7. Click Next once the CD or DVD burn process has completed.
8. Click Close once Windows Easy Transfer has completed moving files.
9. Move the CD or DVD media to the new computer and launch Windows Easy Transfer. Click Next.
10. Click Continue a transfer in progress.
11. In Where did you copy your files, click Read CD or DVD.
12. In Choose your media, select the drive letter for your CD or DVD drive where the disc is located. Click Next once you have located the files.
13. Choose user names on your new computer that match the names on the old computer. You may have to create new accounts in this step. Type in a user name to create an account on the local computer. Type in a user name in the format domain\user to create a profile for a domain user.
14. In Choose the drives for files on your new computer, select the destination drive for each source drive location. For example, for files that came from the D: drive on your old computer, you must determine which drive they should be moved to on the new computer.
15. Review the list of files and settings to be transferred, and then click Start to begin the transfer. Click Customize if you want to add or remove files or settings.
16. Click Close once Windows Easy Transfer has completed moving files.
http://technet.microsoft.com/en-us/windowsvista/aa905082.aspx
APPENDIX B ‐ 10 THINGS YOU NEED TO KNOW ABOUT DEPLOYING WINDOWS VISTA
You've deployed Windows XP in the past, and now you're thinking ahead to Windows Vista. Whether you'll be deploying to 10, 100, or 100,000 computers, just knowing how the process has changed from Windows XP will make the deployment run much more smoothly. So here are 10 deployment differences between Windows® XP and Windows Vista™ that you'll be glad you discovered when it's time to make the move.
1. Windows Vista Images Are Bigger
With Windows XP and Windows 2000, it was possible to create images that would fit easily on a single CD (less than 700MB). Even organizations that added applications, drivers, and utilities to their image typically ended up with an operating system image in the 1GB to 3GB range.
With Windows Vista, image size begins at about 2GB—compressed. Once this image is deployed, the size is often around 5GB or more, and there's no way to reduce it. If you add additional applications, drivers, or other files, this image obviously grows even larger.
So how will you deploy the image? Does your network have the necessary capacity? (10MB networks or non‐switched networks are not sufficient.) If you want to use CDs, how many can you deal with? You'll need three or four. DVDs (with a capacity of 4.7GB each) are now easy to create, so you can deploy using DVD drives if you have them. (If not, consider adding DVD drives when buying the next round of PCs.)
With USB memory keys growing in size (as large as 4GB or more) and shrinking in price, it would be quite easy to use one for deploying Windows Vista, since you can make a bootable key as long as the computer's BIOS supports it.
Finally (though this doesn't relate to image size), take note that there is no longer an I386 directory. Instead, all components, whether installed or not, reside in the Windows directory (although not in the standard SYSTEM32 directory). When installing a new component, the necessary files will be pulled from this location.
2. Security Is Enhanced
A number of Windows Vista security enhancements will impact deployment. For example, configuring Windows Vista to support "low rights" users, where the logged‐on user does not have administrator rights, is easier. Some applications failed to work on Windows XP when users did not have administrator access because they assumed they would have full access to the C: drive and all parts of the registry. With Windows Vista, applications that attempt to write to restricted areas will have those writes transparently redirected to other locations in the user's profile.
The second big change here is that non‐administrators can load drivers. This lets users attach new devices without needing to call the help desk in tears.
The third difference you'll find is that Internet Explorer® can automatically install ActiveX® controls using elevated rights. A new service can perform these installations on the user's behalf (if, of course, the IT administrator allows this via Group Policy).
Some of you may currently be using Power User rights on Windows XP, but this really does not offer many benefits (in terms of restricting user rights) over simply granting full Administrator privileges. Because of this, the Power Users group in Windows Vista has been removed, although it can be put back if required using a separate security template that can be applied to an installation of Windows Vista.
Sometimes you will need administrator rights, but this doesn't mean you want to run with admin rights all the time. So Windows Vista adds User Account Control (UAC), which causes most user applications—even for Administrators—to run with restricted rights. For applications that require additional rights, UAC will prompt for permission, asking either for permission to run with elevated privileges or for other user credentials that can replace the logged‐on user's.
There are also enhancements to the firewall built into Windows Vista. The new firewall can now control both inbound and outbound traffic, while still being fully configurable via Group Policy.
Finally, BitLocker™ full‐volume encryption, which is included with Windows Vista Enterprise and Ultimate, allows the entire operating system volume to be encrypted. The volume can then be read only from within Windows Vista and only when the right keys are provided, either from the computer's built‐in Trusted Platform Module (TPM) 1.2 chip, a USB key, or typed into the keyboard. (Note that only TPM 1.2 or later is supported.)
3. Windows Vista Is Componentized
One of the biggest architectural changes in Windows Vista is that it is now a completely componentized operating system. This affects deployment in the following ways.
Configuring which Windows Vista features should be installed requires configuring the components to be enabled. New tools, like the Windows System Image Manager, shown in Figure 1, assist with this.
Security updates, language packs, and service packs are simply components. Tools such as Package Manager (PKGMGR) can be used to apply these to Windows Vista.
In addition, all servicing can be performed offline or online. You can even apply changes to Windows Vista or a Windows Vista image when Windows Vista is not currently running. This is ideal for deployments: the operating system can be patched before it boots onto your network for the first time.
Drivers are also treated as components, so they can be added and removed easily—even offline. This means you can add drivers to existing images, even just‐in‐time (as the machine boots for the first time) during the deployment process. And this applies to mass‐storage drivers as well; no longer do you need to create a new image just to add a new mass storage driver.
Windows Vista exposes more settings, with most components providing configurable options, so it's easier to set installation defaults that can be managed on an ongoing basis using Group Policy. For a rundown of new tools in Windows Vista, see the sidebar "Tools You Need; Tools to Forget."
TOOLS YOU NEED; TOOLS TO FORGET
Here’s a rundown of the tools you’ll be using when you roll out Windows Vista, followed by a list of the tools you can retire for good once Windows Vista arrives.
USE THESE:
• SYSPREP: This is the updated version, modified for Windows Vista.
• SETUP: A new installation tool for Windows Vista, replaces WINNT and WINNT32.
• IMAGEX: The new command‐line tool for creating WIM images.
• Windows System Image Manager: A tool for creating and modifying unattend.xml files.
• PEIMG: The tool for customizing Windows PE 2.0 images.
• Windows Deployment Services: The new version of RIS, which adds the ability to deploy Windows Vista and Windows XP images, as well as Windows PE 2.0 boot images.
• PNPUTIL: This is the new tool for adding and removing drivers from the Windows Vista driver store.
• PKGMGR: Also new, this Windows Vista tool is used for servicing the operating system.
• OCSETUP: This replaces SYSOCMGR and is used for installing Windows components.
• BCDEDIT: A new Windows Vista tool for editing boot configuration data.
• Application Compatibility Toolkit 5.0: This updated tool lets you assess whether your applications are compatible with Windows Vista.
• User State Migration Tool 3.0: An updated tool for capturing and restoring user state, supports Windows XP and Windows Vista, as well as all versions of Office including 2007.
• BitLocker: The full‐volume drive encryption capability included in Windows Vista Enterprise and Ultimate editions.
FORGET THESE:
• Remote Installation Services: RIS has been replaced by Windows Deployment Services (WDS) but still offers legacy support on Windows Server 2003; RIPREP and RISETUP are not possible with Windows Vista.
• Setup Manager/Notepad: Use Windows System Image Manager instead for editing unattended setup configuration files.
• WINNT.EXE and WINNT32.EXE: Use SETUP instead.
• SYSOCMGR: Replaced by OCSETUP, PKGMGR.
• MS‐DOS Boot Floppies: Forget them. Use Windows PE!
4. Text-Mode Installation Is Gone
The basic process used to install Windows XP has been unchanged since the earliest days of Windows NT®. This time‐consuming procedure involved an initial text‐mode installation step in which every operating system file was decompressed and installed, all registry entries were created, and all security was applied. Now with Windows Vista, this text‐mode installation phase is completely gone. Instead, a new setup program performs the installation, applying a Windows Vista image to a computer.
Once this image is applied, it needs to be customized for the computer. This customization takes the place of what was called mini‐setup in Windows XP and Windows 2000. The purpose is the same: the operating system picks the necessary settings and personality for the specific computer it was deployed to.
The image preparation process has also changed. With Windows XP, you would "Sysprep" a machine to prepare the reference operating system for deployment. With Windows Vista, you'll still run Sysprep.exe (installed by default in C:\Windows\System32\Sysprep), which will "generalize" the machine for duplication.
Windows Vista (any version) is provided on the DVD as an already‐installed, generalized (Sysprepped) image, ready to deploy to any machine. Some customers may choose to deploy this image as‐is (possibly injecting fixes or drivers using the servicing capabilities described earlier).
5. Boot.ini Is History
That's right, the Boot.ini file is not used in Windows Vista or in the new Windows PE 2.0. Instead, a new boot loader, bootmgr, reads boot configuration data from a special file named BCD. A brand new tool called bcdedit.exe (or a separate Windows Management Instrumentation or WMI provider) is used to maintain the contents of the BCD. A Windows PE 2.0 boot image can be configured in BCD too, making it easy to boot into either Windows Vista or Windows PE without making any other changes to the machine. This flexibility can be useful in recovery or maintenance scenarios.
6. Settings Are Configured in XML
With Windows XP (and previous versions of Windows PE) configuration information was stored in various text files. These text files have been replaced with an XML file.
Unattend.txt, which was used to configure how Windows XP is installed, has been replaced by unattend.xml. Unattend.xml also replaces three other files:
• Sysprep.inf, which was used to configure how a Windows XP image is customized when deployed to a machine using a mini‐setup.
• Wimbom.ini, which was used to configure Windows PE.
• Cmdlines.txt, which was used to specify a list of commands to execute during mini‐setup.
An example of unattend.xml can be downloaded from TechNet Magazine at microsoft.com/technet/technetmag/code06.aspx.
You may still use separate files if you want, though. You don't need to put all configuration items in a single unattend.xml file. The high‐level schema of the new XML configuration file is well defined, with each phase of the deployment process represented. The actual configuration items are specified on the appropriate operating system components and these items are dynamically discovered from the components themselves.
With Windows XP, most IT professionals used Notepad to edit the various configuration files. You can still do that, but the Windows System Image Manager tool I discussed earlier can be used to inspect the Windows Vista image, determine what settings are available, and allow you to configure each one.
Another tool to aid deployment is the User State Migration Tool (USMT) 3.0, which is expected to be released at the same time as Windows Vista. It will also use XML configuration files in place of the .inf files that were used in previous versions. See "Migrating to Windows Vista Through the User State Migration Tool" for more information.
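As an added illustration (not part of the original article and not Microsoft tooling), the Python script below reads an answer file in the unattend.xml layout described in this section, lists which components are configured in each deployment phase, and flags password elements so the file can be protected like any other stored secret. The sample answer file and its values are constructed for the example; a missing PlainText element is treated as plaintext, which is an assumption of this script.

```python
import xml.etree.ElementTree as ET

NS = "{urn:schemas-microsoft-com:unattend}"  # XML namespace of unattend.xml

# Constructed sample answer file (made-up names and secrets, not from the article).
SAMPLE_UNATTEND = """
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="windowsPE">
    <component name="Microsoft-Windows-Setup" processorArchitecture="x86">
      <UserData><AcceptEula>true</AcceptEula></UserData>
    </component>
  </settings>
  <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86">
      <ComputerName>LAB-PC-01</ComputerName>
      <AutoLogon>
        <Username>deploy</Username>
        <Password><Value>Constructed-Passw0rd</Value><PlainText>true</PlainText></Password>
      </AutoLogon>
    </component>
  </settings>
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86">
      <UserAccounts>
        <AdministratorPassword>
          <Value>Q29uc3RydWN0ZWQ=</Value><PlainText>false</PlainText>
        </AdministratorPassword>
      </UserAccounts>
    </component>
  </settings>
</unattend>
"""


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def _walk(elem, path):
    """Yield (element, list of local names from the component down)."""
    here = path + [_local(elem.tag)]
    yield elem, here
    for child in elem:
        yield from _walk(child, here)


def summarize_passes(xml_text):
    """Map each configuration pass to the component names configured in it."""
    root = ET.fromstring(xml_text)
    return {
        s.get("pass"): [c.get("name") for c in s.findall(NS + "component")]
        for s in root.findall(NS + "settings")
    }


def find_credentials(xml_text):
    """Return (pass, component, element path, storage) for each password
    element with a non-empty <Value>. The secret itself is never returned."""
    findings = []
    root = ET.fromstring(xml_text)
    for settings in root.findall(NS + "settings"):
        for comp in settings.findall(NS + "component"):
            for elem, path in _walk(comp, []):
                if "password" not in _local(elem.tag).lower():
                    continue
                if not (elem.findtext(NS + "Value") or "").strip():
                    continue
                # Missing <PlainText> is read as plaintext: the conservative
                # choice, and an assumption of this script.
                flag = (elem.findtext(NS + "PlainText") or "true").strip().lower()
                # "encoded" values are Base64-obfuscated, not encrypted, so
                # the file still has to be handled as a secret.
                storage = "encoded" if flag == "false" else "plaintext"
                findings.append((settings.get("pass"), comp.get("name"),
                                 "/".join(path[1:]), storage))
    return findings


if __name__ == "__main__":
    for name, comps in summarize_passes(SAMPLE_UNATTEND).items():
        print(f"pass {name}: {', '.join(comps)}")
    for pass_name, comp, path, storage in find_credentials(SAMPLE_UNATTEND):
        print(f"[{storage}] {pass_name} / {comp} / {path}")
```

Running the same check over the answer files on a deployment share, and over any copy left behind on a deployed machine, shows where account passwords are stored at rest.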
7. No More HAL Complications
With Windows XP, technical restrictions prevented the creation of a single image that could be deployed to all computers. Different hardware abstraction layers (HALs) meant you had to maintain multiple images. (For more on this see the Knowledge Base article "HAL options after Windows XP or Windows Server 2003 Setup".) Most organizations needed two or three images per platform (x86 and x64) and some chose to have even more—though each image brings added costs and complexity.
In Windows Vista, those technical restrictions are gone; the operating system is able to detect which HAL is required and automatically install it.
8. Windows PE Rules
Windows PE 2.0, the new version that will be released with Windows Vista, is a key part of the deployment process. Even the standard DVD‐based installation of Windows Vista uses Windows PE 2.0, and most organizations will be using it (often customized for the organization's specific needs) as part of their deployment processes.
Compared to MS‐DOS®‐based deployment, Windows PE 2.0 brings numerous benefits, including less time spent trying to find 16‐bit real‐mode drivers. (It's not even possible to find these any more for some newer network cards and mass storage adapters.) Better performance from 32‐bit and 64‐bit networking stacks and tools, as well as large memory support are also advantages. And don't forget support for tools such as Windows Scripting Host, VBScript, and hypertext applications.
Windows PE has been available for a few years (the latest version, Windows PE 2005, was released at the same time as Windows XP SP2 and Windows Server 2003 SP1), but not all organizations could use it; it required that you have Software Assurance on your Windows desktop operating system licenses. With Windows PE 2.0, that's no longer the case. All organizations will be able to download Windows PE 2.0 from microsoft.com and use it freely for the purposes of deploying licensed copies of Windows Vista.
Like Windows Vista itself, Windows PE 2.0 is provided as an image that is componentized and can be serviced both online and off. As with Windows PE 2005, several optional components can be added, although Windows PE 2.0 includes some new ones: MSXML 3.0, Windows Recovery Environment, language packs, font packs, and so on. New tools like peimg.exe are provided for servicing Windows PE 2.0. Peimg.exe can also be used for adding drivers—including mass storage devices, which no longer require any special handling.
For more information on Windows PE 2.0, see Wes Miller's article in this issue of TechNet Magazine.
9. It's All about Images
With Windows XP, some companies used the image creation capabilities of the Systems Management Server (SMS) 2003 OS Deployment Feature Pack or third‐party image creation tools. There was no generic image creation tool available from Microsoft. That's changed with Windows Vista: new tools have been created to support the Windows Imaging (WIM) file format. Unlike many other image formats, WIM images are file‐based, enabling them to be applied to an existing partition non‐destructively. This has great advantages in deployment processes, since user state can be saved locally instead of on a network server, eliminating what is frequently the largest source of network traffic during a deployment.
Because WIM files are file‐based images, they (obviously) are not sector‐based, so there are no issues around different‐sized disks or partitions. A WIM image contains only the contents of a single disk volume or partition, so if you have multiple partitions to capture, you create a separate image for each one. But each of these images can be stored in the same WIM file, since the WIM file format supports multiple images per file.
The WIM file format also supports single‐instance storage, so duplicate files (even from different images) are automatically removed. Between this and the advanced compression techniques employed, WIM images are typically smaller than images created by other tools. However, because of the extra processing, they do take longer to create. This size versus performance trade‐off is fair enough; since you typically capture the image only once and then deploy it many times, the network traffic savings can be substantial.
The IMAGEX command‐line tool interfaces with the lower‐level WIMGAPI API (which is fully documented for use in custom tools too), and is used to create and manipulate WIM images. It also provides a mechanism for mounting a WIM image as a file system. Once mounted, the image can be read and modified using standard Windows tools since it looks like a normal removable media drive. This facility opens up whole new servicing opportunities.
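The three WIM properties described in this section (file‐based images, several images in one file, single‐instance storage) can be modeled in a few lines. The following is an added Python model, not the WIM file format and not ImageX or WIMGAPI code; the class, its method names, the dictionary representation of a volume and the use of SHA-256 digests are all assumptions of the example.

```python
import hashlib


class ImageStore:
    """Toy file-based image container: many images share one blob pool."""

    def __init__(self):
        self.blobs = {}    # content digest -> file bytes, each stored once
        self.images = []   # one manifest per image: {relative path: digest}

    def capture(self, volume):
        """Capture one volume ({path: bytes}) as a new image; return its
        1-based index. Identical content, even from another image, reuses
        the blob that is already stored (single-instance storage)."""
        manifest = {}
        for path, data in volume.items():
            digest = hashlib.sha256(data).hexdigest()
            self.blobs.setdefault(digest, data)
            manifest[path] = digest
        self.images.append(manifest)
        return len(self.images)

    def apply(self, index, target):
        """Apply an image onto an existing target ({path: bytes}).
        Only the image's own files are written; anything else already on
        the target, such as saved user state, is left in place."""
        for path, digest in self.images[index - 1].items():
            target[path] = self.blobs[digest]
        return target

    def stored_bytes(self):
        """Bytes actually held after de-duplication."""
        return sum(len(data) for data in self.blobs.values())

    def verify(self):
        """Return digests whose stored bytes no longer match them. In this
        model, content addressing also detects a modified blob."""
        return [d for d, data in self.blobs.items()
                if hashlib.sha256(data).hexdigest() != d]


if __name__ == "__main__":
    # Constructed sample volumes: the same DLL appears on both.
    system_volume = {"Windows/notepad.exe": b"N" * 100,
                     "Windows/shared.dll": b"S" * 200}
    data_volume = {"Tools/shared.dll": b"S" * 200,
                   "Tools/readme.txt": b"hello"}

    store = ImageStore()
    first = store.capture(system_volume)
    second = store.capture(data_volume)
    print("images:", len(store.images), "blobs:", len(store.blobs),
          "bytes stored:", store.stored_bytes())

    # Existing partition that already holds locally saved user state.
    partition = {"Users/alice/state.mig": b"saved-user-state"}
    store.apply(first, partition)
    print(sorted(partition))
    print("tampered blobs:", store.verify())
```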
10. Deployment Is Language-Neutral
Windows XP supported different languages in two ways. You could either deploy localized versions of Windows XP, requiring a different image for each language, or you could deploy an English Multilanguage User Interface (MUI) version with added language packs. There were advantages and disadvantages to each approach, but in most cases organizations that needed to support multiple languages took the MUI route, dealing with the limitations of running with an operating system that was effectively English at its core. Organizations that worked only with one language typically chose to use only the localized versions.
Now with Windows Vista, the entire operating system is language‐neutral. One or more language packs are added to this language‐neutral core to create the image that is deployed (although only some versions of Windows Vista support multiple languages).
Servicing of Windows Vista is also language‐neutral, so in many cases only one security update is needed for all languages. And configuration is language‐neutral, so one unattend.xml can be used for all languages.
Help Is Available
The changes I've described mean that the image creation and deployment processes you've been using for Windows XP will need to be updated. In some cases, these updates might be minor; in others (such as an MS‐DOS‐based process using cmdlines.txt), significant changes may be required. To help, Microsoft has created new tools, guidance, and step‐by‐step procedures. These are included in the Solution Accelerator for Business Desktop Deployment (BDD) 2007.
BDD 2007 breaks down the deployment process into more manageable pieces, with different teams managing each component. Guidance, checklists, and tools are provided for each team to help with the tasks they need to perform (see Figure 2).
BDD 2007 is currently available for download from connect.microsoft.com after you sign up for the open beta program. Contained in the download are all the required Windows Vista deployment tools, including Windows PE 2.0, ImageX, Windows System Image Manager, and USMT 3.0, along with documentation explaining how to use them in an end‐to‐end process. The final version of BDD 2007 will be released at about the same time as Windows Vista. For a look at BDDWorkbench, see Figure 3.
The goal of BDD 2007 is simplification. Even if you don't have an existing image creation and deployment process, you should be able to use BDD to set one up quickly. Two deployment methods are provided:
• Lite Touch, which was completely rewritten, requires user interaction to start deployment. It doesn't require any special infrastructure although it can utilize Windows Deployment Services, the next version of Remote Installation Service (RIS).
• Zero Touch, which requires no user intervention, is layered on top of the SMS 2003 OS Deployment Feature Pack.
The new features in BDD 2007 include driver repository and injection, full computer backup processing, integration of all the Windows Vista deployment tools, and more. BDD 2007 will include all the source code for all of its automation tools, so you can modify it to meet your specific needs or copy and paste it into your own solutions. The source code is provided without restriction.
http://www.microsoft.com/technet/technetmag/issues/2006/11/Deployment/default.aspx
For more information on BDD 2007, see the TechNet Desktop Deployment center.
Michael Niehaus
Michael Niehaus is a Systems Design Engineer in the Core Infrastructure Solutions group at Microsoft. He is responsible for developing best practices, tools, and scripts for Business Desktop Deployment. Reach him at [email protected].