Deploying an Optimized Windows Desktop
Greg Milligan
Windows 7 Deployment Opportunities
Command line tools
• Imaging: Deployment Image Servicing and Management (DISM); add/remove drivers and packages; WIM and VHD image management
• Delivery: Windows Deployment Services (WDS); multiple stream transfer; dynamic driver provisioning; VHD and WIM support
• Migration: User State Migration Tool (USMT); hardlink migration; offline file gather; improved user file detection
Integrated solutions
• Microsoft Assessment and Planning; Application Compatibility Toolkit; Microsoft Deployment Toolkit (enhanced deployment toolset)
• User State Migration Tool; Volume Activation; ImageX, Deployment Image Servicing and Management, WinPE
Dependencies Create Complexity: hardware, OS, data, user settings
One size does not fit all: the need for a well-managed desktop strategy
Rich Client, TS Remote Client, Virtualized Applications, VDI or Blade PC; Contract / Offshore, Task, Mobile, Office, Anywhere (on non-company PC)
Primary Image Types
• Near Retail: few or no configuration changes or apps
• Fully Customized: includes applications, driver payloads, configurations
• Lightly Customized: includes some applications and other
Windows Image Format (WIM)
Capabilities
• File-based vs. sector-based
• Single instancing
• Install disk images on partitions of any size
• Hardware agnostic
• Modify images offline
• Non-destructive deployment
Benefits
• 1 to 3 images can be achieved
• Work on any corporate supported hardware
• Work in any region
• Store multiple images in a single WIM
• Ability to provide the right apps for most users
• Require minimum labor and downtime
• Balance static vs. dynamic requirements
• Drivers can be injected or serviced offline now
Significant improvements to existing scenarios
Increased range of scenario support
Windows OS Deployment
• New machine: clean install; wipe and load; no migration considerations; new or repurposed hardware
• Wipe-and-load: target and install new OS to existing H/W; application reinstall under new OS; securely save/restore user state & settings
• Side-by-side: machine to machine; user and app data migration; application reinstall; securely save/restore user state & settings
• In-place migration: scripted, targeted OS upgrade; not wipe and load; sent as software distribution package
• Offline with removable media: install without network; removable media is source (CD/DVD, USB flash drive); good for low bandwidth, mobile staff
• PXE boot: WDS integration, network boot delivered; PXE-style delivery; lite touch, network connection based
Deployment Strategy
• Lite-Touch, High-Volume Deployment
• Zero-Touch, High-Volume Deployment
• High-Touch with Retail Media
• High-Touch with Standard Image
Bridging Compatibility Through Virtualization
• Hosted Applications
• Desktop Virtualization
• Application Virtualization
Current Deployment vs. App-V Provisioning
Office 2010 Deployment Tools
System Readiness
• Inventory Office applications
• Assess hardware & OS readiness
• Suggests key upgrades
• Summary proposal of 2010 readiness
Application Compatibility
• Identify interfacing add-ins & interfaces
• Tag known compatible apps
• Mitigate VBA and macro code
File Readiness
• Scan & identify potential format deltas
• Identify potential macro issues
• Migrate Office files to OpenXML formats
Tools
• Microsoft Assessment and Planning Toolkit (MAP)
• Office Environment Assessment Tool (OEAT)
• Office Compatibility Code Inspector (OCCI)
• Office Migration Planning Manager (OMPM)
Guidance
• Desktop Deployment Planning Service (SA)
• Training Vouchers (SA)
• Office Resource Kit (ORK)
• TechNet Resource Centers
Common Perceptions (perception vs. fact and evidence)
Perception: Activation is unnecessary and has no benefit to me.
• Helps confirm license integrity, reliability of the software and improves manageability
• License compliance continues to be one of the top 10 issues rated by CIOs
Perception: We don’t have counterfeit software in our environment.
• 2008: U.S. enterprise customers self-report 30% mislicensing (SoftSummit 2008 Key Trend Survey)
• “Counterfeit software…can infect entire business networks with viruses and install Trojan horses designed to steal data” (John Gantz, CTO, IDC)
Perception: Activation is too complex and hard.
• Transparent to end-users
• Integrated into deployment with flexible admin control
• Automated reporting and management
• “Microsoft’s Genuine is open and straightforward” (The Yankee Group)
Common Education Questions
• We are very decentralized: how many sets of product keys will I receive?
• What if a faculty member leaves campus to go on sabbatical?
• How can I manage student licenses?
• How many KMS hosts should I deploy?
• Should I mix activation types? Can I use only one type?
Volume Activation for Windows 7
Multiple Activation Key (MAK): upper limit
• One-time activation against Microsoft
• 30-day initial activation period; can be reset up to 3 times (slmgr -rearm)
• Two methods of activating using a MAK:
  1. Individual activation: each desktop individually connects and activates with Microsoft
  2. Proxy activation: one centralized activation request on behalf of multiple desktops, with one connection to Microsoft
Key Management Service (KMS): no upper limit
• Activate against a customer-hosted service
• Systems must re-activate by connecting to corporate networks at least every 6 months
• Requires 25 Windows 7 machines as a minimum threshold to activate
Multiple Activation Key
• MAK key available to volume license customers on request
• Install the MAK on the client: directly, or provisioned by the IT Pro (image or proxy)
• Activate with Microsoft: online (directly or via proxy) or by phone
• Perpetual activation; some conditions may require reactivation
(Diagram labels: Microsoft Hosted Activation Services, Intranet, VAMT, Image, One Time)
MAK Key Groupings
MAK keys are lateral in nature. Product keys for MAK activations are directly associated with a single product group and can only activate the Windows editions within that specific product group. Each “generation” has a specific MAK (e.g. a Windows 7 client VL MAK will only activate Windows 7, not Windows Vista).
Product groups:
• Windows Vista Business, Windows Vista Enterprise
• Windows 7 Professional, Windows 7 Enterprise
• Windows Server Web 2008, Windows HPC Server 2008
• Windows Server Web 2008 R2, Windows Server 2008 R2 HPC
• Windows Server 2008 Standard, Windows Server 2008 Enterprise
• Windows Server 2008 R2 Standard, Windows Server 2008 R2 Enterprise
• Windows Server 2008 Datacenter, Windows Server 2008 for Itanium
• Windows Server 2008 R2 Datacenter, Windows Server 2008 R2 for Itanium
Key Management Service
• KMS key automatically available to customers via normal channels
• Install KMS key on KMS host machine
• Activate KMS service with Microsoft: one-time activation of the KMS host
• KMS host registers an SRV record with DNS (_VLMCS._TCP)
• KMS client discovers the KMS host
• KMS client activates based on policy: KMS count ≥ activation threshold
• KMS client regularly reactivates: non-perpetual activation (180 days)
• Communication between KMS host and KMS client is never exposed to Microsoft
(Diagram labels: Count, Request, KMS Host, KMS Client, Intranet, Microsoft Hosted Activation Services, One Time)
KMS Host Key Hierarchy
KMS keys are hierarchical in nature: a single KMS host can support multiple products. Each key activates the products in its group, as well as the groups lower in the hierarchy.
Product groups:
• Windows Vista Business, Windows Vista Enterprise
• Windows 7 Professional, Windows 7 Enterprise
• Windows Server Web 2008, Windows HPC Server 2008
• Windows Server Web 2008 R2, Windows Server 2008 R2 HPC
• Windows Server 2008 Standard, Windows Server 2008 Enterprise
• Windows Server 2008 R2 Standard, Windows Server 2008 R2 Enterprise
• Windows Server 2008 Datacenter, Windows Server 2008 for Itanium
• Windows Server 2008 R2 Datacenter, Windows Server 2008 R2 for Itanium
Deployment Improvements
Key Management Service (KMS)
• Single KMS host to support Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2
• KMS host now counts virtual machines
• KMS enabled to support multiple applications (e.g. Office 2010)
Better integration with DNS
• DNS suffix search list
Volume Activation Management Tool
• Simple graphical user interface
• Performs both MAK Proxy and MAK Independent activation
• Provides activation status of all machines in the environment
• Enables local reactivation and monitoring of MAK usage
• Supports discovery of machines in the environment (requires remote WMI access): Active Directory (AD), workgroup, and individual (by IP address and machine name) discovery
• Stores all data in a well-defined XML format; allows import/export of data
• VAMT allows an “Exclude sensitive data” option for the Computer Information List (CIL)
• VAMT ver. 3.0 is part of the Windows Automated Installation Kit (AIK)
Dogfooding KMS @ Microsoft
One KMS host supporting all Windows 7 and Windows Server 2008 R2 RTM:
• The machine started receiving 12290 events at 7/23/2009 3:31:53 PM, and at 7/24/2009 10:42:35 AM it had 11,569 events (a span of 19 h 10 m 42 s, about 19.2 hours). That's 11569/19.2 = 603.23 hits per hour.
• 4350 KMS clients have been activated.
• The KMS host machine is a 2.33 GHz Core 2 Duo with 2 GB of RAM. Casually observing CPU usage shows it is almost always at 0, with occasional blips to 15 or 28, while memory usage stays steady at 6.8 MB*.
One KMS host supporting Office 2010 and Windows
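A host-side check that reproduces the measurement above, added here as example code (not the deck's or Microsoft's): it reads the current client count against the activation threshold and the request counters through the SoftwareLicensingProduct/SoftwareLicensingService WMI properties that slmgr.vbs reads (assumed present on a Windows Server 2008 R2 or later KMS host), and computes the 12290-event rate per hour from the Key Management Service event log; $Hours is an assumed parameter.

```powershell
# Added example, not from the deck: run on the KMS host itself to see the counter the
# activation threshold depends on and the 12290 request rate the slide computed.
# Assumptions: Windows Server 2008 R2+ host with PowerShell 2.0+; the property names
# are the ones slmgr.vbs reads from the SoftwareLicensing* WMI classes.
param([int]$Hours = 19)   # assumed measurement window (the slide spanned about 19.2 h)

$svc = Get-WmiObject -Class SoftwareLicensingService
$kms = @(Get-WmiObject -Class SoftwareLicensingProduct |
         Where-Object { $_.PartialProductKey -and $_.IsKeyManagementServiceMachine })
if ($kms.Count -eq 0) { throw 'No KMS host product found on this machine.' }

foreach ($p in $kms) {
    # Clients are not activated until the host has seen RequiredClientCount distinct
    # client machine IDs (25 for Windows 7 clients); virtual machines count on 2008 R2.
    "{0}: current count {1} / threshold {2}" -f $p.Name, $p.KeyManagementServiceCurrentCount, $p.RequiredClientCount
    "  requests: total {0}, failed {1}" -f $p.KeyManagementServiceTotalRequests, $p.KeyManagementServiceFailedRequests
}
# The listening port (1688 by default) must stay inside the organization.
"Listening on TCP {0}; publishing SRV record to DNS: {1}" -f $svc.KeyManagementServiceListeningPort, $svc.KeyManagementServiceDnsPublishing

# Every processed client request is logged as event 12290 in the Key Management Service log.
$since  = (Get-Date).AddHours(-$Hours)
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Key Management Service'; Id = 12290; StartTime = $since } -ErrorAction SilentlyContinue)
"{0} requests in the last {1} h = {2:N2} hits per hour" -f $events.Count, $Hours, ($events.Count / $Hours)
```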
Answers to Common Questions
We are very decentralized: how many sets of product keys will I receive?
You will receive 1 KMS key and 1 MAK per license agreement. At this time we cannot assign multiple keys per license agreement.
What if a faculty member leaves campus to go on sabbatical?
The member’s machine can be MAK activated, allowing it to roam away from the main network.
How can I manage student licenses?
KMS-activated machines ensure that the student remains on campus during the license term. If the student qualifies for a perpetual license at graduation, the student may receive a unique retail product key and permanently activate their own machine.
How many KMS hosts should I deploy?
By default, each KMS key allows deployment of 2 KMS hosts. However, your account manager can acquire additional activations at your request. You can deploy as many KMS hosts as you like as long as none of them are on unsecured networks allowing unauthorized machines to activate.
Should I mix activation types? Can I use only one type?
You should use whatever mix of activation types suits your deployment best.
How do I convert from one type to another?
Conversion from KMS to MAK is achieved by changing the product key (PK) in the UI or via a script. A machine can switch types as often as you like.
Configuration Recommendations
Principles
• Use KMS as much as possible, and minimize the number of KMS hosts
  - Central KMS for all, if politically possible
  - Two hosts should be sufficient for most
  - Best solution for virtual machines
• Use MAK only where needed
  - OK in small organizations/deployments
  - In medium and large orgs, use MAK only where you cannot use KMS
• Customers will probably need to use both methods
• KMS port (1688 by default) should never be exposed outside the organization
  - Access to a KMS host is the same as handing out free volume licenses
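The discovery, threshold and 180-day renewal steps from the Key Management Service slide, together with the port-exposure rule above, as a read-only client-side health check added here (example code, not from the deck or Microsoft): it resolves the _vlmcs._tcp SRV record, reads the local activation state from the SoftwareLicensingProduct WMI class, and tests whether each advertised host answers on its port. It assumes a domain-joined client on Windows 8 / Server 2012 or later (for Resolve-DnsName and Test-NetConnection); $DnsSuffix is an assumed parameter.

```powershell
# Added example, not from the deck: read-only KMS health check from a domain-joined
# Windows client. Assumes Windows 8 / Server 2012 or later for Resolve-DnsName and
# Test-NetConnection; $DnsSuffix is an assumed input (the domain the KMS host published in).
param(
    [string]$DnsSuffix = $env:USERDNSDOMAIN
)

# 1. Discovery: the KMS host registers _vlmcs._tcp.<suffix> as an SRV record and
#    clients resolve it to learn the host name and port (1688 by default).
$srv = Resolve-DnsName -Name "_vlmcs._tcp.$DnsSuffix" -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' }
foreach ($r in $srv) {
    "KMS SRV record: {0}:{1} (priority {2}, weight {3})" -f $r.NameTarget, $r.Port, $r.Priority, $r.Weight
}

# 2. Local activation state, read from the same WMI classes VAMT and slmgr.vbs use.
$status = @{ 0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'Initial grace'; 3 = 'Additional grace';
             4 = 'Non-genuine grace'; 5 = 'Notification'; 6 = 'Extended grace' }
$windowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'   # ApplicationID slmgr.vbs uses for Windows
Get-WmiObject -Class SoftwareLicensingProduct |
    Where-Object { $_.ApplicationID -eq $windowsAppId -and $_.PartialProductKey } |
    ForEach-Object {
        $daysLeft = [math]::Round($_.GracePeriodRemaining / 1440)   # WMI reports minutes
        "{0}: {1}, {2} days left" -f $_.Name, $status[[int]$_.LicenseStatus], $daysLeft
        if ($_.Description -match 'VOLUME_KMSCLIENT') {
            # Non-perpetual: the client must renew against the host inside the 180-day window.
            $kmsHost = $_.KeyManagementServiceMachine
            if (-not $kmsHost) { $kmsHost = $_.DiscoveredKeyManagementServiceMachineName }
            "  KMS client of {0}; renewal attempted every {1} minutes" -f $kmsHost, $_.VLRenewalInterval
        } elseif ($_.Description -match 'VOLUME_MAK') {
            "  MAK activated: perpetual, roams without reaching a KMS host"
        }
    }

# 3. Reachability: each advertised host must answer on its SRV port from inside the
#    network. Run the same test from outside the perimeter and expect False: port 1688
#    reachable from the Internet lets unauthorized machines activate against your key.
foreach ($r in $srv) {
    $t = Test-NetConnection -ComputerName $r.NameTarget -Port $r.Port -WarningAction SilentlyContinue
    "{0}:{1} TCP reachable from here: {2}" -f $r.NameTarget, $r.Port, $t.TcpTestSucceeded
}
```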