Product presentation
Morgan Simonsen, Senior Systems Consultant, Atea

Agenda
• Introducing Windows 7
• Windows 7 new features and highlights
• Windows 7 in the Enterprise
• Windows 7 Security
• Windows 7 Deployment

Windows 7 vs. Windows Vista
• The release of Windows Vista fundamentally changed the Windows platform
  – This caught people by surprise!
• Microsoft did not prepare its customers or partners
• IT Pros, experts and journalists did not thoroughly review Vista
• OEMs and ISVs did not trust Microsoft's release schedule, and no drivers or certified software were available at launch
• Result: an unstoppable snowball of bad press and reviews
• Conclusion: forget Vista, go directly to 7*
  – * But you still have to do appcompat testing

Windows 7 Development Process
New approach for Windows development and disclosure
• Planning: spend more time on the planning and vision phase, analyzing trends and needs before building features; focus on end-to-end business scenarios, not just new features and technologies
• Predictability: give our customers and partners a timeframe for the release and stick to our plan (3 years for Windows 7); disclose with a higher degree of certainty and minimize changes
• Ecosystem: engage with partners earlier and more closely to enable seamless experiences and compatibility across hardware, software and services
• Timeline: Vision, Development & Test, Pre-Beta, Beta, Release (marker: "We are here")

Windows 7 Builds on Windows Vista
• Deployment, testing, and pilots today will continue to pay off
• Similar compatibility
  – Most software that runs on Windows Vista will run on Windows 7; exceptions will be low-level code (AV, firewall, imaging, etc.)
  – Hardware that runs Windows Vista well will run Windows 7 well
• Few Changes: focus on quality and reliability improvements
• Deep Changes: new models for security, drivers, deployment, and networking

Windows 7 Editions (SKU)
• 2 main SKUs which 80% of the users will choose:
  – Windows 7 Home Premium
  – Windows 7 Professional
• 4 additional SKUs for niche markets:
  – Windows 7 Starter (only OEM)
  – Windows 7 Home Basic (only OEM)
  – Windows 7 Enterprise (only through Volume License Programs)
  – Windows 7 Ultimate
• Now each SKU is a superset of the previous SKU
  – You never lose any features
• All SKUs are now one image
  – All bits present on the machine

Professional vs. Enterprise
• Windows® 7 Professional
  – Ability to join a managed network with Domain Join
  – Protect data with advanced network backup and Encrypted File System
  – Print to the right printer at home or work with Location Aware Printing
• Windows® 7 Enterprise (only available through Software Assurance (SA)):
  – BitLocker™ data protection on internal and external drives
  – DirectAccess provides seamless connectivity to your corporate network
  – Decrease the time branch office workers wait to open files across the network with BranchCache™
  – Prevent unauthorized software from running with AppLocker

Windows 7 Editions (SKU) cont.
• Windows Anytime Upgrade
• Windows Live Essentials
  – Windows Live ID Sign-in Assistant 6.5 (enables linking of Windows 7 user accounts to Live IDs): http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=5e193cfe-f45a-4e29-b6b7-984e7802c639
  – Link ID: http://windows.microsoft.com/en-US/Windows7/OnlineIDProviders
• Microsoft Security Essentials
  – Free anti-virus, anti-malware and anti-spyware from Microsoft
• Windows 7 is the last x86-compatible OS (Windows Server 2008 R2 does not support x86)

Windows 7 System Requirements
• 1 GHz or faster 32-bit (x86) or 64-bit (x64) processor
• 1 GB of RAM (32-bit) / 2 GB of RAM (64-bit)
• 16 GB of available disk space (32-bit) / 20 GB (64-bit)
• DirectX 9 graphics device with Windows Display Driver Model 1.0 or higher driver
• Windows 7 is faster than Windows Vista (but not by much)

Upgrading to Windows 7
• Windows 7 Upgrade Advisor
• Upgrade only available from Windows Vista SP1
• Migrating from any other Windows version requires a clean install
• Data can be migrated:
  – User State Migration Tool
  – Windows Easy Transfer
• Any clean install preserves data

Windows 7 Migration Challenges
• Application Compatibility
  – How to get your LOB applications to run on Windows 7?
  – Application Compatibility Toolkit (ACT)
• Deployment
  – How to install Windows 7 on business machines?
  – DVD/Flash
  – Windows Deployment Services (WDS)
  – System Center Configuration Manager (SCCM)
  – Windows Automated Installation Kit (WAIK)
  – Microsoft Deployment Toolkit (MDT)
  – Microsoft Deployment Guidance

Windows 7 Features
• GUI Enhancements
  – Enhanced Aero (Aero Snap/Gestures)
  – New taskbar (preview)
  – Jump lists
• Gadgets
• View Available Networks (VAN)
• Libraries/Search
• Power Management
• Trigger-Start Services
• Multitouch
• Troubleshooting
  – Troubleshooting Platform

Windows 7 Features (cont.)
• Device Stage
  – http://www.microsoft.com/windows/windows-7/devices.aspx
• Location Aware Printing
• Internet Explorer 8
  – Standards compliance
  – Instant Search
  – Accelerators
  – Web Slices
  – InPrivate Browsing/InPrivate Filtering
• Mobile Broadband support
• Native VHD support

Homegroup
• Easy sharing of files/media/printers between Windows 7 PCs and compatible hardware
• Domain-joined machines can join a Homegroup, but not create one
  – Network location must be Home (not Domain)
• Homegroup uses regular SMB file sharing and Windows NTFS and share permissions

Homegroup – Media Streaming
• Windows 7 is fully compatible with Universal Plug and Play (UPnP) and Digital Living Network Alliance (DLNA)
• Supports a variety of devices:
  – TVs
  – Speakers
  – Stereos
  – PVRs
  – Cell phones
  – Digital Photo Frames
  – All devices must be DLNA logoed

Homegroup – Media Streaming (cont.)
• DLNA defines device roles:
  – Servers
  – Players
  – Renderers
  – Controllers
• And protocols that these devices use to discover each other and communicate with each other (e.g. UPnP, HTTP, RTP, etc.)

Enterprise

Windows 7 for the Enterprise
• Make Users Productive Anywhere: at their desk, in a branch, on the road
• Enhance Security & Control: protect data & PCs; built on the Windows Vista foundation
• Streamline PC Management: easy migration, keep PCs running, virtualization

Windows 7 Deployment Enhancements
• IMAGING: Deployment Image Servicing and Management; Add/Remove Drivers and Packages; WIM and VHD Image Management
• DELIVERY: Windows Deployment Services; Multicast; Multiple Stream Transfer; Dynamic Driver Provisioning
• MIGRATION: User State Migration Tool; Hardlink Migration; Offline File Gather; Improved user file detection
• SOLUTIONS: Microsoft Deployment Toolkit; Application Compatibility Toolkit; Microsoft Assessment and Planning

Branch Office Network Performance (Make users productive anywhere)
• Situation today
  – Application and data access over the WAN is slow in branch offices
  – Slow connections hurt user productivity
  – Improving network performance is expensive and difficult to implement
• Windows 7 solution: BranchCache™
  – Caches content downloaded from file and Web servers
  – Users in the branch can quickly open files stored in the cache
  – Frees up network bandwidth for other uses

Search in the Enterprise (Make users productive anywhere)
• Situation today
  – Current desktop and Enterprise search solutions are good, but not integrated
  – Users need to take different steps to find data on the PC and data on servers
  – Data sources are hard to discover
• Windows 7 solution: Search Federation
  – Consistent user experience for finding data from multiple locations, including SharePoint
  – IT can pre-populate links on the Start menu and in Explorer to preferred sites with "Enterprise Search Scopes"

Windows 7 Federated Search
• In a nutshell: Federated Search enables you to search a remote web service from Windows Explorer and get results back that you can act on like any normal file
• Goals:
  – Natural for people to use
  – Easy for IT admins to deploy
  – Easy for developers to adopt
• Content is already indexed by the hosting server or a dedicated search solution (Microsoft Search Server)
• Federated Search is based on the OpenSearch 1.1 standard
• .osdx files are XML files using the OpenSearch description document format to describe how to connect to a web service
• .searchconnector-ms (XML) files can be deployed via several techniques to pre-populate machines with search connectors

Windows 7 Manageability
• Windows PowerShell 2.0
• Integrated Scripting Environment
• Group Policy Scripting
• Windows Troubleshooting Platform
• Remotable Reliability Data
• Problem Steps Recorder
• Enhanced Group Policy Scenarios
• Group Policy Preferences

PowerShell
• Windows 7 includes PowerShell 2.0
• No longer an optional component
  – Cannot be removed
• Many old commands implemented as PowerShell cmdlets:
  – Netdom.exe: Add-Computer/Remove-Computer
  – Ping: Test-Connection
  – Shutdown.exe: Stop-Computer/Restart-Computer

PowerShell 2.0 Highlights
• Remote execution
  – Windows Remote Management (WS-Management 2.0)
• Background jobs
• Integrated Scripting Environment (ISE)

Windows Virtual PC
• New version of Microsoft Virtual PC
• System requirements:
  – Windows 7 only
  – 1 GHz 32-bit or 64-bit processor or better
  – CPU with AMD-V™ or Intel VT features turned on
  – 2 GB of memory recommended
  – Additional 15 GB of hard disk space per virtual Windows environment recommended

Windows Virtual PC Features
• Seamless Applications (RemoteApp)
• Folder Integration
• Clipboard Sharing
• Printer Redirection
• USB Support

Windows Virtual PC
• Supported host operating systems:
  – Windows 7 Home Basic
  – Windows 7 Home Premium
  – Windows 7 Enterprise
  – Windows 7 Professional
  – Windows 7 Ultimate
  – Note: Windows XP Mode is only available in Windows 7 Enterprise, Windows 7 Professional, and Windows 7 Ultimate.
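Returning to the Federated Search slides above: the .osdx connector file is a small OpenSearch 1.1 description document, and the PowerShell 2.0 that Windows 7 ships can both generate it and check the two fields Explorer actually depends on before it is handed out. This is an added example, not from the presentation; the host search.corp.example, its query string and the output path are assumptions.

```powershell
# Added example (not from the presentation): write an OpenSearch 1.1 description (.osdx)
# for a hypothetical intranet search service and validate it. PowerShell 2.0 compatible.
# search.corp.example and its query parameters are assumptions; replace with the real service.
$osdxPath = Join-Path $env:TEMP 'IntranetSearch.osdx'

# {searchTerms} and {startIndex} are OpenSearch template parameters Explorer fills in.
# Inside XML the ampersands of the query string must be written as &amp;.
$osdx = @'
<?xml version="1.0" encoding="UTF-8"?>
<OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/">
  <ShortName>Intranet Search</ShortName>
  <Description>Search the corporate intranet from Windows Explorer</Description>
  <Url type="application/rss+xml"
       template="https://search.corp.example/search.aspx?q={searchTerms}&amp;start={startIndex}&amp;format=rss"/>
</OpenSearchDescription>
'@
Set-Content -Path $osdxPath -Value $osdx -Encoding UTF8

function Test-OsdxFile([string]$Path) {
    # Windows 7 only consumes RSS or Atom result feeds, and the template must carry
    # the {searchTerms} placeholder; an https template keeps the queries off the wire in clear.
    $doc      = [xml](Get-Content -Path $Path)
    $urls     = @($doc.OpenSearchDescription.Url)
    $problems = @()
    if ($urls.Count -eq 0) { $problems += 'no <Url> element' }
    foreach ($u in $urls) {
        if (@('application/rss+xml', 'application/atom+xml') -notcontains $u.type) {
            $problems += "unsupported result type '$($u.type)'"
        }
        if ($u.template -notmatch '\{searchTerms\}') { $problems += 'template lacks {searchTerms}' }
        if ($u.template -notmatch '^https://')       { $problems += 'template is not https' }
    }
    if ($problems.Count -eq 0) { "OK: $Path" } else { "Problems in ${Path}: " + ($problems -join '; ') }
}

Test-OsdxFile $osdxPath
# Opening the validated .osdx in Explorer installs the connector; the resulting
# .searchconnector-ms file can then be copied to other machines (e.g. with Group Policy Preferences).
```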
Windows Virtual PC
• Supported guest operating systems:
  – Windows XP
    • Virtual Applications feature is supported only on Windows XP Service Pack 3 (SP3) Professional
  – Windows Vista
    • Virtual Applications feature is supported only on Windows Vista Enterprise and Windows Vista Ultimate
  – Windows 7
    • Virtual Applications feature is supported only on Windows 7 Enterprise and Windows 7 Ultimate

Windows XP Mode
• Enables running older Windows XP productivity applications directly from the Windows 7 Desktop (Seamless)
• Pre-created Windows XP Service Pack 3 VHD with Terminal Services RAIL components
• Targeted at SMB; corporate customers should use MED-V (MDOP)
• Works with Windows Vista and Windows 7 guests also

Windows XP Mode - Components
• Windows Virtual PC (RC):
  – http://www.microsoft.com/windows/virtual-pc/download.aspx
• Windows XP Mode (RC):
  – http://www.microsoft.com/downloads/details.aspx?familyid=0E8FA9B3-C236-4B77-BE26-173F032F5159&displaylang=en
• Update for Windows® XP SP3 to enable RemoteApp™ (if running your own VM):
  – http://www.microsoft.com/downloads/details.aspx?familyid=E5433D88-685F-4036-B435-570FF53598CD&displaylang=en
• Windows Virtual PC and Windows XP Mode went RTM 1.10.2009 and will be available for download when Windows 7 is released (today!)

Virtual Desktop Infrastructure (Streamline PC Management)
• Situation today
  – What is Virtual Desktop Infrastructure? Deploying desktops in virtual machines on server hardware
  – Centralized management & security
  – Users can access their desktop and applications wherever they are
• Windows 7 solution: richer remote experience
  – Richer graphics with improved multi-monitor support
  – Use voice for telephony and applications with microphone support
  – Improved printing
• Do more with VHDs
  – Maintain VHD: offline servicing of VHD images with the same tools used for WIM
  – Boot from VHD: reuse VHD files for deployment to managed desktop PCs
• Using Windows for VDI scenarios requires an additional VECD license

Windows Optimized Desktop
• Core PC Platform, plus Unique Value with SA+MDOP
• Windows Optimized Desktop: MDOP gives better management to save costs and eases future upgrades; SA
• Customer Satisfaction
  – 1. Provide immediate ROI: regular updates; faster upgrade cycle, separate from Windows; minimal deployment effort
  – 2. Deliver end-to-end solutions: run out of the box; integrate with existing management solutions
  – 3. Lower Desktop TCO: >95% of MDOP customers are (very) satisfied; $70-$80 net cost savings per PC per year using MDOP*
  * Gartner, Inc., "Quantifying the Value of Microsoft's Desktop Optimization Pack", July 2008

Windows Optimized Desktop: Windows 7 & MDOP
Investment areas:
• Make Users Productive Anywhere: DirectAccess, BranchCache, Federated Search, Navigation
• Improve Security and Control: BitLocker, BitLocker To Go, AppLocker, Security development lifecycle
• Streamline PC Management to Save Costs: PowerShell, Windows Troubleshooting Platform, Deployment Tools, VDI Enhancements
• MDOP: App-V, MED-V, AIS, DEM, DART, AGPM
• Performance | Reliability | Compatibility

Increased Value in Optimized Desktop
• Make Users Productive Anywhere
  – DirectAccess
  – BranchCache™
  – Enterprise Search Scopes
• Enhance Security and Protect Data
  – BitLocker & BitLocker To Go
  – AppLocker
• Streamline PC Management
  – MUI Language Packs
  – VDI Enhancements (VDI requires VECD license)
  – Boot from VHD
  – Subsystem for UNIX
  – 4 Virtual Operating Systems
  – Network Boot License

Windows Optimized Desktop and Dynamic IT
• Amplifies the talent and abilities of everyone in the organization…
  – Familiar, Easy to Use: consistent experience for office, mobile, and remote end users; simple management tools for IT Pros
  – Unified, Seamless
• …with the scale, agility and protection required by the enterprise.
  – Lower TCO | Enterprise Ready | Breadth of Choice
  – Achieve desktop to datacenter to device oversight of all IT assets
  – Protect existing IT investments by extending hardware life
  – Quickly respond to changing business requirements
  – Broad range of devices, form factors, and price points
  – Manage all clients and applications from a single management console
  – Stretch IT labor by automating routine tasks and reducing IT complexity
  – Transform software applications into managed services
  – Large ecosystem of trained and certified Microsoft IT professionals and partners

Security

Windows 7 Security
• Builds on the major security improvements of Windows Vista:
  – Kernel Patch Protection
  – Service Hardening
  – Data Execution Prevention
  – Address Space Layout Randomization
  – Mandatory Integrity Levels

Windows 7 Enterprise Security
Building upon the security foundations of Windows Vista, Windows 7 provides IT Professionals with security features that are simple to use, manageable, and valuable
• Fundamentally Secure Platform: Windows Vista Foundation, User Account Control, Enhanced Auditing
• Securing Anywhere Access: Network Security, Network Access Protection, DirectAccess™
• Protect Users & Infrastructure: AppLocker™, Internet Explorer 8, Data Recovery
• Protect Data from Unauthorized Viewing: RMS, EFS, BitLocker™

User Account Control (UAC)
• UAC was introduced for two reasons:
  – Incompatibility of software across user types
  – Lack of user knowledge of system-level changes
• UAC introduced the Protected Admin (PA) account type:
  – An administrative user with 2 security tokens; one for standard user and one for admin
• Ecosystem impact:
  – When Vista was launched, users experienced the UAC prompt in 50 % of sessions and 775 312 unique applications produced prompts
  – 2 years later the numbers were 33 % and 168 149
• Windows impact:
  – Increased engineering quality; fewer Windows components require admin rights
• Impact on customers:
  – Deep hatred!

User Account Control (cont.)
• Improvements to UAC in Windows 7:
  – Users can tune UAC
  – Reduced duplicate prompts (IE + UAC)
  – Better prompt information

Data Protection (Enhance security and control)
• Situation today
  – [Chart: Worldwide Shipments (000s). Sources: Gartner, "Forecast: USB Flash Drives, Worldwide, 2001-2011", 24 September 2007, Joseph Unsworth; Gartner, "Dataquest Insight: PC Forecast Analysis, Worldwide, 1H08", 18 April 2008, Mikako Kitagawa, George Shiffler III]
• Windows 7 solution: BitLocker To Go™
  – Protect data on internal and removable drives
  – Mandate the use of encryption with Group Policies
  – Store recovery information in Active Directory for manageability
  – Simplify BitLocker setup and configuration of the primary hard drive

BitLocker Drive Encryption
• BitLocker Drive Preparation Tool is included in Windows 7 setup, and volumes are automatically created to support BitLocker
• Windows 7/Windows Server 2008 R2 introduce BitLocker DRAs to enable recovery of data if the BitLocker encryption key is lost
  – AD key escrow should still be the primary recovery mechanism
• BitLocker is only available in Windows 7 Enterprise and Ultimate Editions

BitLocker To Go
• Enables encryption of removable devices
• Devices can be formatted with the exFAT, FAT16, FAT32, or NTFS file system and must be at least 128 MB
• BitLocker To Go allows read-only access on Windows XP and Windows Vista
• A removable drive can be protected with a password or a smart card
• 128-bit AES encryption by default, 256-bit AES available

Application Control (Enhance security and control)
• Situation today
  – Users can install and run unapproved applications
  – Even standard users can install some types of software
  – Unauthorized applications may: introduce malware; increase helpdesk calls; reduce user productivity; undermine compliance efforts
• Windows 7 solution: AppLocker™
  – Eliminate unwanted/unknown applications in your network
  – Enforce application standardization within your organization
  – Easily create and manage flexible rules using Group Policy

DirectAccess

DirectAccess – Why?
• Mobile workforce steadily increasing
  – According to IDC, the third quarter of 2008 marked the point at which computer manufacturers began shipping more mobile computers than desktop computers worldwide (IDC Worldwide Quarterly PC Tracker, December 2008).
  – The number of mobile users is expected to grow; in 2008, mobile workers worldwide will be 26.8% of the total workforce, and that number will increase to 30.4% by 2011 (IDC, "Worldwide Mobile Worker Population 2007–2011 Forecast," Doc #209813, Dec 2007).

Granting access to internal resources - VPN
• With so many mobile users we need to give access to internal network resources; this means VPNs
• VPN technology has been largely unchanged for a long time
• VPNs are problematic:
  – Complex
  – Slow
  – Loss of Internet access means the VPN has to be reconnected (Windows 7 supports VPN roaming/reconnect)

Granting access to internal resources - Gateways
• Outlook Web Access
• Outlook Anywhere
• OCS Anywhere
• SCCM Internet MPs
• Common to all of these is that there is an "inside" and an "outside"

DirectAccess
• Seamless connection to the corporate network any time users have Internet access (no outside or inside)
• Connections are automatically established
• All communication is bi-directional
• A connection is established by the computer (before the user logs on)

DirectAccess – Benefits for IT Pros
• Improved Manageability of Remote Users
• Secure and Flexible Network Infrastructure
  – Authentication
  – Encryption
  – Access Control
• IT Simplification and Cost Reduction

DirectAccess – Key enablers:
• IPv6
  – DirectAccess requires globally routable addresses, which IPv6 provides automatically
• IPsec
  – Establishes a tunnel for IPv6 traffic between the client and the DirectAccess server
  – Authenticates both the user and the computer; Kerberos or certificate (Smart Card)
  – Encrypts traffic; 3DES or AES
• NAP
  – Optional; can check a client's health before access to DirectAccess is granted
• Domain/Server Isolation
  – Optional; segregate the network
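The two enablers above, IPv6 reachability (native or via a transition technology) and IPsec, can be inspected on a Windows 7 client from the netsh contexts that ship with the OS. The script below is an added, read-only PowerShell 2.0 example, not from the presentation; it assumes an elevated prompt and also reports IP-HTTPS, a transition technology the slides do not list.

```powershell
# Added example (not from the presentation): read-only check of the DirectAccess enablers
# on a Windows 7 client using the built-in netsh contexts. PowerShell 2.0 compatible;
# run from an elevated prompt so the IPsec monitor contexts return data.

function Get-TransitionState {
    # Each context prints a "State :" line (Teredo: qualified/offline/dormant,
    # 6to4 and ISATAP: enabled/disabled/default); IP-HTTPS reports per-interface status.
    $state = @{}
    foreach ($tech in 'teredo', '6to4', 'isatap') {
        $line = @(netsh interface $tech show state 2>&1 | Where-Object { $_ -match '^\s*State\s*:' })[0]
        if ($line) { $state[$tech] = ($line -split ':', 2)[1].Trim() } else { $state[$tech] = 'unknown' }
    }
    $line = @(netsh interface httpstunnel show interfaces 2>&1 | Where-Object { $_ -match 'Interface Status' })[0]
    if ($line) { $state['iphttps'] = ($line -split ':', 2)[1].Trim() } else { $state['iphttps'] = 'no interface' }
    $state
}

function Get-IPsecSummary {
    # Main-mode SAs show that computer/user authentication (IKE/AuthIP) succeeded;
    # quick-mode SAs carry the ESP-protected traffic the DirectAccess tunnels use.
    $mm = @(netsh advfirewall monitor show mmsa 2>&1 | Where-Object { $_ -match '^\s*Local IP Address' }).Count
    $qm = @(netsh advfirewall monitor show qmsa 2>&1 | Where-Object { $_ -match '^\s*Local IP Address' }).Count
    New-Object PSObject -Property @{ MainModeSAs = $mm; QuickModeSAs = $qm }
}

function Get-MachineLocation {
    # The client probes the Network Location Server to decide inside/outside; netsh
    # dnsclient reports that verdict, which governs whether DirectAccess settings apply.
    $line = @(netsh dnsclient show state 2>&1 | Where-Object { $_ -match 'Machine Location' })[0]
    if ($line) { ($line -split ':', 2)[1].Trim() } else { 'not reported (no DirectAccess client settings)' }
}

'Machine location : ' + (Get-MachineLocation)
Get-TransitionState | Format-Table -AutoSize
Get-IPsecSummary   | Format-List MainModeSAs, QuickModeSAs
```

A client that reports "Outside corporate network", a qualified Teredo (or active IP-HTTPS) interface and a non-zero main-mode SA count has both enablers in place; zero SAs with a working transition interface points at IPsec policy or certificate issues rather than IPv6 connectivity.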
DirectAccess Connections
• DirectAccess establishes two IPsec tunnels:
  – IPsec Encapsulating Security Payload (ESP) tunnel using a computer certificate
    • Connects the computer to DNS and the DC to download Group Policy and be managed
  – IPsec ESP tunnel using both a computer certificate and user credentials
    • Connects the user to the internal resources

DirectAccess Scenarios
• End-to-End protection (most secure)
  – Secure, encrypted connections are established through the DirectAccess server directly to application servers
  – Requires that all application servers run Windows Server 2008/2008 R2 with IPsec and IPv6
• End-to-Edge protection (easiest setup)
  – A secure, encrypted connection is established with an IPsec Gateway Server which forwards traffic to internal application servers
  – Does not require IPsec on application servers, but requires (any) IPv6

DirectAccess - Requirements
• One or more DirectAccess servers running Windows Server 2008 R2 with two network adapters: one connected directly to the Internet, and a second connected to the intranet
• On the DirectAccess server, at least two consecutive, public IPv4 addresses assigned to the network adapter that is connected to the Internet
• DirectAccess clients running Windows 7
• At least one domain controller and Domain Name System (DNS) server running Windows Server 2008 SP2 or Windows Server 2008 R2
• A public key infrastructure (PKI) to issue computer certificates, smart card certificates, and, for NAP, health certificates
• IPsec policies to specify protection for traffic
• IPv6 transition technologies available for use on the DirectAccess server: ISATAP, Teredo, and 6to4

DirectAccess (architecture diagram)
• Components: Windows 7 Client, Internet, DirectAccess Server, IPv6 Transition Services, IPv4 Devices, IPv6 Devices, IT desktop management
• DirectAccess provides transparent, secured access to intranet resources without a VPN
• Allows desktop management of DirectAccess clients (AD Group Policy, NAP, software updates)
• Allows IPsec encryption and authentication
• Supports a variety of remote network protocols
• Native IPv6 with IPsec supports direct connectivity to IPv6-based intranet resources
• IPv4 devices are supported via 6to4 transition services or NAT-PT

More info
• Windows 7 Blog: http://windowsteamblog.com/blogs/windows7
• Windows 7 Web site: http://www.microsoft.com/windows/windows-7/
• Engineering Windows 7 Blog: http://blogs.msdn.com/e7/
• Official Windows 7 Launch Web site: http://www.win741.com

Q&A