Deploying an Optimized Windows Desktop Greg Milligan Microsoft Canada Inc.
Windows 7 SKU Feature Comparison Chart
Command line tools Deployment Image Servicing and Management Tool
Windows 7 Deployment Opportunities
- Imaging: Deployment Image Servicing and Management (Add/Remove Drivers and Packages; WIM and VHD Image Management)
- Delivery: Windows Deployment Services (Multiple Stream Transfer; Dynamic Driver Provisioning; VHD and WIM Support)
- Migration: User State Migration Tool (Hardlink Migration; Offline File Gather; Improved user file detection)
- Integrated Solutions: Microsoft Assessment and Planning; Application Compatibility Toolkit; Microsoft Deployment Toolkit
Enhanced Deployment Toolset User State Migration Tool ImageX, Deployment Image Servicing and Management, WinPE Volume Activation
Imaging Strategies
Dependencies Create Complexity: Data, User settings; Applications; OS; Hardware
The market offers a lot of options
One size does not fit all: The need for Well Managed Desktop Strategy. Diagram labels: Mobile; Rich Client; Contract / Offshore; Office; TS Remote Client; Anywhere - on non company PC; Virtualized Applications; Task; VDI or Blade PC
Primary Image Types
- Near Retail: few or no configuration changes or apps
- Lightly Customized: includes some applications and other configurations
- Fully Customized: includes applications, driver payloads, configurations
Windows Image Format (WIM)
Capabilities
- File-based vs. sector-based
- Single instancing
- Install disk images on partitions of any size
- Hardware agnostic
- Modify images offline
- Non-destructive deployment
Benefits
- 1 to 3 images can be achieved
- Work on any corporate supported hardware
- Work in any region
- Store multiple images in a single WIM
- Ability to provide the right apps for most users
- Require minimum labor and downtime
- Balance static vs. dynamic requirements
- Drivers can be injected or serviced offline now
Windows OS Deployment: Significant improvements to existing scenarios; increased range of scenario support
- New machine: Clean install; Wipe and Load; No migration considerations; New or repurposed hardware
- Wipe-and-load: Target and install new OS to existing H/W; Application reinstall under new OS; Securely save/restore user state & settings
- Side-by-side: Machine to machine; User and app data migration; Application reinstall; Securely save/restore user state & settings
- In-place migration: Scripted, targeted OS upgrade; Not wipe and load; Sent as software distribution package
- Offline with removable media: Install without network; Removable media is source; CD/DVD, USB flash drive; Good for low bandwidth, mobile staff
- PXE boot: WDS integration, network boot delivered; PXE style delivery; Lite touch, network connection based
Deployment Strategy
- Lite-Touch, High-Volume Deployment
- Zero-Touch, High-Volume Deployment
- High-Touch with Retail Media
- High-Touch with Standard Image
Application Virtualization
Bridging Compatibility Through Virtualization: Desktop Virtualization; Application Virtualization; Hosted Applications
Current Deployment vs. App-V Provisioning Process Flow Comparison
Office 2010 Deployment Tools
- System Readiness: Inventory Office Applications; Assess hardware & OS readiness; Suggests key upgrades; Summary proposal of 2010 readiness. Tool: Microsoft Assessment Planning Toolkit (MAP)
- Application Compatibility: Identify interfacing add-ins & interfaces; Tag known compatible apps; Mitigate VBA and macro code. Tools: Office Environment Assessment Tool (OEAT); Office Compatibility Code Inspector (OCCI)
- File Readiness: Scan & identify potential format deltas; Identify potential macro issues; Migrate Office files to OpenXML formats. Tool: Office Migration Planning Manager (OMPM)
- Guidance: Desktop Deployment Planning Service (SA); Training Vouchers (SA); Office Resource Kit (ORK); TechNet Resource Centers
Volume Activation
Common Perceptions
Perception: Activation is unnecessary and has no benefit to me
- Fact: Helps confirm license integrity, reliability of the software and improves manageability
- Evidence: "Counterfeit software can infect entire business networks with viruses and install Trojan horses designed to steal data" (John Gantz, CTO, IDC)
Perception: Activation is too complex and hard
- Fact: Transparent to end-users; Integrated into deployment with flexible admin control; Automated reporting and management
- Evidence: "Microsoft's Genuine is open and straightforward" (The Yankee Group)
Perception: We don't have counterfeit software in our environment
- Fact: License compliance continues to be one of the top 10 issues rated by CIOs
- Evidence: 2008, U.S. enterprise customers self-report 30% mislicensing (SoftSummit 2008 Key Trend Survey)
Common Education Questions
- We are very decentralized; how many sets of product keys will I receive?
- What if a faculty member leaves campus to go on Sabbatical?
- How can I manage student licenses?
- How many KMS hosts should I deploy?
- Should I mix activation types? Can I use only one type?
- How do I convert from one type to another?
Volume Activation for Windows 7
Multiple Activation Key (MAK): upper limit
- One-time activation against Microsoft
- 30-day initial activation period; can be reset up to 3 times (slmgr.vbs /rearm)
- Two methods of activating using a MAK:
  1. Individual Activation: each desktop individually connects and activates with Microsoft
  2. Proxy Activation: one centralized activation request on behalf of multiple desktops, with one connection to Microsoft
Key Management Service (KMS): no upper limit
- Activate against a customer-hosted service
- Systems must re-activate by connecting to corporate networks at least every 6 months
- Requires 25 Windows 7 machines (physical or virtual) as a minimum threshold to activate
Multiple Activation Key
Diagram labels: Microsoft Hosted Activation Services; One Time; Intranet; Image; VAMT
- MAK key available to volume license customers on request
- Install the MAK on the client: Directly; Provisioned by the IT Pro (Image or Proxy)
- Activate with Microsoft: Online (directly or via Proxy); Phone
- Perpetual activation; some conditions may require reactivation
MAK Key Groupings
- MAK keys are lateral in nature
- Product keys for MAK activations are directly associated with a single product group and can only activate the Windows editions within that specific product group
- Each generation has a specific MAK (e.g. Windows 7 client VL MAK will only activate Windows 7, not Windows Vista)
Product groups shown:
- Windows Server 2008 R2 Datacenter; Windows Server 2008 R2 for Itanium
- Windows Server 2008 Datacenter; Windows Server 2008 for Itanium
- Windows Server 2008 R2 Standard; Windows Server 2008 R2 Enterprise
- Windows Server 2008 Standard; Windows Server 2008 Enterprise
- Windows Server Web 2008 R2; Windows Server 2008 R2 HPC
- Windows Server Web 2008; Windows HPC Server 2008
- Windows 7 Professional; Windows 7 Enterprise
- Windows Vista Business; Windows Vista Enterprise
Key Management Service
Diagram labels: Microsoft Hosted Activation Services; One Time; Intranet; DNS; KMS Host; Request; Count; KMS Client
- KMS key automatically available to customers via normal channels
- Install KMS key on KMS host machine
- Activate KMS service with Microsoft: one-time activation of KMS host
- KMS host registers SRV with DNS (_VLMCS._TCP)
- KMS client discovers KMS host
- KMS client activates based on policy: KMS count activation threshold
- KMS client regularly reactivates: non-perpetual activation (180 days)
- Communication between KMS host and KMS client is never exposed to Microsoft
KMS Host Key Hierarchy
- KMS keys are hierarchical in nature
- Single KMS host to support multiple products
- Each key activates the products in that group, as well as the groups lower in the hierarchy
Product groups shown:
- Windows Server 2008 Datacenter; Windows Server 2008 for Itanium; Windows Server 2008 R2 Datacenter; Windows Server 2008 R2 for Itanium
- Windows Server 2008 Standard; Windows Server 2008 Enterprise; Windows Server 2008 R2 Standard; Windows Server 2008 R2 Enterprise
- Windows Server Web 2008; Windows HPC Server 2008; Windows Server Web 2008 R2; Windows Server 2008 R2 HPC
- Windows Vista Business; Windows Vista Enterprise; Windows 7 Professional; Windows 7 Enterprise
Deployment Improvements: Key Management Service (KMS)
- Single KMS to support Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2
- KMS host now counts virtual machines
- Enabled KMS to support multiple applications (i.e. Office 2010)
- Better integration with DNS: DNS Suffix Search List Handling; Priority and Weight
Volume Activation Management Tool
- Simple graphical user interface
- Performs both MAK Proxy and MAK Independent activation
- Provides activation status of all machines in the environment
- Enables local reactivation and monitoring of MAK usage
- Supports discovery of machines in the environment: Active Directory (AD), workgroup, and individual (by IP address and machine name) discovery. Requires remote WMI access
- Stores all data in a well-defined XML format; allows for import/export of data
- Offers an "Exclude sensitive data" option for the Computer Information List (CIL)
- VAMT ver. 3.0 is part of the Windows Automated Installation Kit (AIK)
Dogfooding KMS @ Microsoft
- One KMS host supporting all Windows 7 and Windows Server 2008 R2 RTM
- The machine started receiving 12290 events at 7/23/2009 3:31:53PM, and at 7/24/2009 10:42:35AM it had 11,569 events. That's 11569/19.2 = 603.23 hits per hour.
- 4350 KMS clients have been activated
- The KMS host machine is a 2.33GHz Core2 Duo with 2GB of RAM. Casually observing CPU usage shows it is almost always at 0 with occasional blips to 15 or 28, while the memory usage stays steady at 6.8MB*.
- One KMS host supporting Office 2010 and Windows
* SPPSVC.EXE
Answers to Common Questions
Q: We are very decentralized; how many sets of product keys will I receive?
A: You will receive 1 KMS key and 1 MAK per license agreement. At this time we cannot assign multiple keys per license agreement.
Q: What if a faculty member leaves campus to go on Sabbatical?
A: The member's machine can be MAK activated, allowing it to roam away from the main network.
Q: How can I manage student licenses?
A: KMS-activated machines ensure that the student remains on campus during the license term. If the student qualifies for a perpetual license at graduation, the student may receive a unique retail product key and permanently activate their own machine.
Q: How many KMS hosts should I deploy?
A: By default, each KMS key allows deployment of 2 KMS hosts. However, your account manager can acquire additional activations at your request. You can deploy as many KMS hosts as you like, as long as none of them are on unsecured networks allowing unauthorized machines to activate.
Q: Should I mix activation types? Can I use only one type?
A: You should use whatever mix of activation types suits your deployment best.
Q: How do I convert from one type to another?
A: Conversion between KMS and MAK is achieved by changing the product key (PK) in the UI or via a script. A machine can switch types as often as you like.
Configuration Recommendations: Principles
- Use KMS as much as possible, and minimize the number of KMS hosts
  - Central KMS for all, if politically possible
  - Two hosts should be sufficient for most
  - Best solution for virtual machines
- Use MAK only where needed
  - OK in small organizations/deployments
  - In medium and large orgs, use MAK only where you cannot use KMS
- Customers will probably need to use both methods
- KMS port (1688 by default) should never be exposed outside the organization
  - Access to a KMS host is the same as handing out free volume licenses
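An added example, not part of the original slides: because KMS clients find their host through the SRV record the host registers in DNS, one way to check the "minimize the number of KMS hosts" and port 1688 recommendations is to audit which hosts DNS actually advertises. The domain campus.example, the host names, the approved list and the sample output (laid out as Windows nslookup prints SRV answers) are all constructed for illustration.

```python
import re
# Constructed sample of Windows `nslookup -type=srv _vlmcs._tcp.campus.example` output.
SAMPLE_NSLOOKUP = """\
_vlmcs._tcp.campus.example   SRV service location:
          priority       = 0
          weight         = 0
          port           = 1688
          svr hostname   = kms01.campus.example
_vlmcs._tcp.campus.example   SRV service location:
          priority       = 0
          weight         = 0
          port           = 1688
          svr hostname   = lab-pc-117.campus.example
_vlmcs._tcp.campus.example   SRV service location:
          priority       = 10
          weight         = 0
          port           = 1689
          svr hostname   = kms02.campus.example
"""
FIELD = re.compile(r"^\s*(priority|weight|port|svr hostname)\s*=\s*(\S+)\s*$", re.I)

def parse_srv(text):
    """Return one dict per complete SRV answer in nslookup output."""
    records, current = [], None
    for line in text.splitlines():
        if "SRV service location" in line:
            current = {}
            records.append(current)
        elif (m := FIELD.match(line)) and current is not None:
            key, value = m.group(1).lower(), m.group(2)
            if key == "svr hostname":
                current["host"] = value.rstrip(".").lower()
            else:
                current[key] = int(value)
    return [r for r in records if len(r) == 4]

def audit_kms_srv(records, approved_hosts, expected_port=1688):
    """Flag SRV answers naming unapproved hosts or unexpected ports."""
    approved = {h.lower() for h in approved_hosts}
    findings = []
    # Walk answers in the order clients prefer them: lowest priority value first.
    for r in sorted(records, key=lambda r: (r["priority"], -r["weight"])):
        if r["host"] not in approved:
            findings.append((r["host"], "host not on approved KMS list"))
        elif r["port"] != expected_port:
            findings.append((r["host"], f"port {r['port']} differs from {expected_port}"))
    return findings

print(audit_kms_srv(parse_srv(SAMPLE_NSLOOKUP), ["kms01.campus.example", "kms02.campus.example"]))
```

An empty result means every advertised KMS host is on the approved list and listens on the expected port; any finding is a record to investigate or remove from DNS.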
If I have a problem, who should I call?
Volume Activation Centers in Canada
- Toll Only: (716) 871 2781
- Toll Free: 1 (888) 352 7140
- Service in French and English
- Specify if it's for Windows or Office issues
- Have the information from slmgr.vbs /dlv handy during your call. The Installation ID and Activation ID are the most important.
Volume Activation FAQ: http://www.microsoft.com/licensing/existing-customers/product-activation-faq.aspx
How to troubleshoot activation error codes in Windows 7: http://support.microsoft.com/kb/938450
How to troubleshoot the Key Management Service: http://technet.microsoft.com/en-us/library/ee939272.aspx