Contents

The Expert's Guide to Implementing Microsoft® Windows® Vista™

Introduction  1
Chapter 1  What is Microsoft® Windows® Vista™?  2
  Background  2
  What's new  2
    The Vista "experience"  2
    Packaging and Editions  3
    New User-Visible Features  5
    User Interface  5
    Productivity  8
    Security  10
    Reliability  12
    Performance  13
  Feature Assessment  16
  Vista's new features: summary  16
© 2007 ScriptLogic®

The Expert's Guide to Implementing Microsoft® Windows® Vista™  i
Chapter 2  Selected Vista Features  17
  Introduction  17
  Security  17
    Security Development Lifecycle  17
    Windows Services Hardening  18
    User Account Control  18
    Windows Defender  20
    Network Access Protection  22
    Data Protection and Encryption  23
    Other Security Enhancements  25
  Networking  27
    New TCP/IP Stack  27
    Simpler connectivity  28
    Higher security  28
    Improved Manageability  28
  Management and Control  29
    Microsoft Management Console (MMC)  29
    Windows Eventing Architecture  29
    Increased Automation  32
    New Group Policy Management  33
    Reliability and Performance Monitoring  35
  Feature Assessment  38
  Vista's new features  39
  Summary  40


Chapter 3  Preparing and Planning for Deployment  41
  Introduction  41
  Tell me again: why are we doing this?  41
  Planning Methodology  43
  Application Compatibility  44
  Application Management/Deployment  46
  Define Computer Imaging System  47
    Choosing an Image Strategy  47
  Deployment Planning  48
    Select the appropriate deployment scenarios  48
    Ensure that the required infrastructure exists  48
    Determine the monitoring plan  49
  Infrastructure Remediation (Preparation)  49
    Gather and Analyze Infrastructure Inventories  49
    Propose Infrastructure Modifications  49
  Security Planning  49
    System Security Settings  50
    Planning User Account Control  51
    Planning Windows Firewall  51
    Planning Data Encryption  52
    Restricting the Use of Removable Storage Devices  53
    Planning Windows Defender  53
    Third-party Security Applications  53
    Infrastructure and Deployment Security  53
  Testing  54
    Lab Requirements  54
    Bug Rating, Reporting, and Tracking  54
    Change Control  54
    Test Schedules  54
  Training  55
    Training Requirements  55
    Training Schedule  55
    Training Methods  55
    Materials and Resources  56
  User State Migration  56
    Application Inventory and Prioritization  56
    Identify Application Files and Settings  56
    Identifying Operating System Settings  57
    Develop and Test  57
  Summary  58


Chapter 4  Deployment  59
  Introduction  59
  Vista Deployment Technologies  59
    Modularization  59
    Windows Image Format (WIM)  60
    Nondestructive imaging  61
    XML-based answer files  61
    Script-based installations  62
  The Windows Automated Installation Kit (WAIK)  62
    ImageX  63
    Windows Preinstallation Environment (WinPE)  63
    Windows System Image Manager  63
    Windows Deployment Services (WDS)  65
  Windows Business Desktop Deployment  66
    Light Touch Installation (LTI)  66
    Zero Touch Installation (ZTI)  66
    Comparing LTI and ZTI  67
  Summary  68

Introduction
Even before its release for mainstream consumer use, much of the hype behind the launch of Microsoft's
latest operating system, Windows Vista, had settled. Five years of development and millions in
marketing have come to an end; now it's time to get down to some serious evaluation and answer some
serious questions: When should we deploy Windows Vista? What's our return on investment? What kind
of resources will it take to implement it?
These are tough questions to answer, especially for IT professionals responsible for hundreds or
thousands of Windows desktops in an enterprise environment. Not only is Vista the most complex release
of Windows in Microsoft's history, it will also have a huge impact on an enterprise's infrastructure.
Vista requires considerably more processing power, memory, and graphics capability than its predecessors.
On the upside, it contains features that increase security and improve end users' productivity, and
tools that simplify and accelerate deployment and maintenance.
Providing information that will help IT professionals decide when to deploy Vista, and what
methodologies to use, is the overall objective of this eBook. We are especially interested in providing
information to IT organizations that manage a large population of desktops across an enterprise. These
organizations are responsible for maintaining (or increasing) the satisfaction and productivity of the user
community, reducing costs, and hitting bottom-line budgets, all while performing what is probably the
largest operating environment migration in the organization's history.
In this eBook we will cover some basics, such as "What exactly is Windows Vista?" and "How should
we plan for deployment?" Looking deeper into the impact on an enterprise, we'll cover significant areas
of change, including security, management and operations, and networking differences. Finally, we'll
discuss specific deployment methodologies, the tools that are available, and different ROI scenarios. So
buckle up, grab some manuals, and let's begin!

Chapter 1
What is Microsoft® Windows® Vista™?
Background
Windows Vista is the latest release of Microsoft's Windows operating environment. According to
Microsoft, the name "Vista" was chosen because it delivers a "personal vista" for its users. The
Merriam-Webster dictionary defines a vista (noun) as "a distant view through or along an avenue or
opening," although the best definition we've seen is more along the lines of "a pleasing view, especially
one seen through a long, narrow opening." Either way, the implication is that the experience will be
pleasing, productive, and safe. Microsoft wants consumers to think of Vista as something that brings
clarity to their world, allowing users to focus on what's important (instead of on the tools that get
them there).
Vista development began in late 2001 and was initially based on the Windows XP code base. Microsoft had
multiple goals for the next release of Windows, notably 64-bit capabilities, a new file system, improved
reliability and security, and a revamped user interface. However, in mid-2004 Microsoft reset the code
base, largely because of difficulties in keeping up with the rapid changes that were occurring in Windows
XP (e.g., Service Pack 2). With the reset, Windows Server 2003 became the new base for Vista
(codenamed "Longhorn" [1]). Vista ended up incorporating large portions of Windows XP with Service
Pack 2, especially in the area of security, and of Windows Server 2003 [2].
Microsoft issued a series of beta releases to developers throughout 2003-2005, with the initial release
to volume license customers on November 30, 2006. During the preview period, Microsoft was deciding
what functionality would be included in the final release, and a fair number of features never made it
(or were packaged differently; more on that later). A new underlying file system (WinFS) and a security
framework based on the Next-Generation Secure Computing Base (NGSCB) were notable omissions from the
final release. It is generally acknowledged that Microsoft scaled back the introduction of new technology
in the interest of the security and reliability of the initial release of Vista.
What’s new
While there is a long list of new-and-improved features, Windows Vista is more than that. Microsoft has
gone to great lengths to improve overall acceptance of a computer, and its operating system, as an
integrated part of a user’s work and entertainment.
The Vista “experience”
Before we begin a feature-by-feature list, a short discussion about the overall “experience” of using Vista
is in order. Microsoft uses the word “experience” often in their Vista marketing materials. There is
obviously a concerted effort to more fully engage end users—to give them the feeling that the operating
environment is their friend (not dissimilar to what Apple has done with the Macintosh over the years).
From the box it comes in, to the startup screen, to the translucent, glass-like windows on the desktop,
Vista has a much more "modern" look (although you can dial it back to the familiar Windows XP look if
you're so inclined). There are new high-quality wallpapers, system icons, and new system sounds (composed
by Robert Fripp, one of the founders of the progressive rock group King Crimson [3]), all of which are
designed to give users the feeling that Vista was designed for them and will provide security, a pleasant
experience, and, well, a great vista of their computing world (sorry).

[1] The Windows XP codename was "Whistler," and the codename for Vista was originally "Blackcomb," both
ski areas in British Columbia. The current release of Vista was intended to be an interim release between
the two; the codename "Longhorn" came from a bar that is between the two resorts.
[2] "Windows Vista Product Guide," November 2006.
The experience isn't limited to consumers. Vista sports a wide collection of new features, cleverly
packaged and marketed, to assure businesses of increased security, reliability, and productivity. The
"experience" is intentionally extended to include business owners and IT professionals.
A last important word about the Vista experience: it's not free. All of this technology requires a great
deal of computing power. The new user interface needs a graphics card that just a few years ago would
have been considered high-end. And a basic premise of Vista is that the system has a high-speed Internet
connection (it isn't required, but things work a lot more smoothly with one). Microsoft has, however,
made the need for new hardware less painful by providing different experience levels based on the
system's hardware configuration (processor speed, memory size and speed, graphics capability, and so on).
In fact, a built-in tool computes the system's "Windows Experience Index" from an inventory of the
hardware available on the system [4].
Packaging and Editions
Marketing 101 dictates that consumers be presented with a choice of options for a particular product.
First, it increases the likelihood of a sale when the consumer is asked to choose between option "A" and
option "B"; second, multiple options give the vendor multiple price points and an opportunity to increase
profits. For example, many consumers were willing to pay incrementally more for Windows XP
Professional Edition than for Windows XP Home Edition.
For Vista, Microsoft stepped up the multiple-options concept a notch and released Vista in several
option levels, or "editions." Conceptually, the different editions address the different needs of a
diverse user base, allowing consumers to tailor the purchase somewhat to their specific needs. There are
essentially six editions of Vista [5], described briefly below. For an overview of the feature set in each,
see Table 1.
Windows Vista Starter
"Starter" is designed for beginning PC users and offers low-cost, lower-level functionality. It is not
currently available in the United States or "other high income markets as defined by the World Bank" [6].

[3] http://www.microsoft.com/whdc/resources/news/newsletters/MHN_012006.html
[4] http://windowshelp.microsoft.com/Windows/en-US/Help/f59082f4-6385-4a61-ba7e-2de9625a780a1033.mspx
[5] There are actually more, including some European editions that ship without Windows Media-related technologies.
[6] http://www.microsoft.com/windowsvista/getready/editions.

Table 1. An overview of new features and Vista editions

Windows Vista Home Basic
A stripped-down edition, "Basic" is for the most price-sensitive buyers. With a full price of $199 (only
$40 less than Home Premium, below) and much of the useful functionality removed, Basic is for users that
need simple Internet access (e.g., a browser) and email.
Windows Vista Home Premium
Home Premium contains nearly everything an average home user would need, including the Aero user
interface, digital media features (including Windows Media Center), and a scheduled backup utility. Home
Premium is the "standard" home edition, and is roughly equivalent to Windows XP Media Center Edition.

Windows Vista Business
Vista Business is the counterpart of Windows XP Professional, and contains the manageability, security,
and reliability features that business users expect from Windows. Microsoft touts the Business edition
as designed to "meet the needs of business organizations of all sizes," although large installations
would probably deploy Enterprise.
Windows Vista Enterprise
Vista Enterprise is similar to Business, with nearly the same feature list. However, Enterprise is oriented
toward large, global organizations and is available only to volume license customers whose systems are
covered by Microsoft Software Assurance. Enterprise has one major feature that Business does not:
Windows BitLocker Drive Encryption. BitLocker encrypts an entire Windows volume and, on systems with a
Trusted Platform Module, checks the integrity of the early boot components at startup so that tampering
with them is detected before the volume is unlocked.
Windows Vista Ultimate
Vista Ultimate combines the features of Home Premium, Business, and Enterprise (including BitLocker). In
an enterprise environment, Ultimate provides the security and manageability of Vista Business together
with digital entertainment features required by only a small percentage of business users.
Because our emphasis is on Windows deployment within an enterprise, the Vista Business and Vista
Enterprise editions will be our focus for the remainder of this book.
New User-Visible Features
We'll begin our exploration of the Vista Business and Enterprise editions with an overview of the new
features. While this list is not exhaustive, we present what are arguably some of the more important
user-facing features. Because there are so many things "new and improved," we've broken them into some
rudimentary categories, most of which contain features that are directly (or nearly directly) observable
by end users. In a later chapter, we will delve into the changes that matter to IT professionals and are
more behind the scenes: security, networking, management and operations, and performance features.
User Interface
The changes that are most noticeable in Vista (obviously) are the visual ones—changes in where items
appear on screens, methods of navigation and/or colors and textures. Appearance and user interface (UI)
improvements are generally to increase productivity, and in most cases, to influence the user’s experience
(see The Vista “experience”, above).
Underlying many of the appearance changes is the Windows Display Driver Model (WDDM). WDDM
anticipates additional functionality from next-generation graphics devices, and allows for scalability of
graphics functionality based on available hardware. For example, if a WDDM-capable graphics card is
present, Vista will use the Windows Aero interface (see below); if not, Vista will run but without the Aero
user interface.
Other new interface and productivity features are described in the following sections.
Desktop and Appearance
There are many changes (over Windows XP) in the overall appearance of Vista. Most of the changes are
intended to improve the "experience" and make interacting with Vista more appealing and personal. While
concepts such as the Start Menu and Explorer windows remain the same, interaction with them has become
more intuitive and consistent across the entire system. For example, the Start Menu is still in the lower
left corner (sporting a new icon) and its basic functionality is unchanged.
The new Start Menu does have some improvements however; it features an interface to Desktop Search
(more on that, below), and access to applications has been streamlined away from the cascading “All
Programs” menu in Windows XP.
The main navigation tool, the Explorer window, has been completely revamped to be more streamlined and
easier to use, and it incorporates Instant Search.

Figure 1. New Explorer Windows features

Windows Sidebar and Gadgets are a way of managing "lightweight" utility applications from the desktop.
The translucent sidebar contains a user-selectable collection of mini-applications that provide
information or execute simple tasks without opening a full application. Gadgets are packages of HTML
and script that run with the logged-on user's privileges, so for planning purposes they should be treated
like any other software a user installs. For example, there are gadgets that show current weather
information, stock prices, and news headlines. All are accessible from the sidebar, which can be hidden,
kept on the desktop beneath other windows, or always on top.
Windows Aero
Aero (Authentic, Energetic, Reflective and Open [7]) is a large part of the Vista experience. On hardware
that supports WDDM, users are presented with a variety of polished visual effects, including translucent
windows ("glass"), animated minimizing of windows, and live taskbar thumbnails. WDDM and Aero also
support higher screen resolutions and smoother movement of windows as they are resized or moved.

[7] http://windowsvistablog.com/blogs/windowsvista/archive/2006/11/09/the-sounds-of-windows-vista.aspx
Figure 2. Sample of the 3D Aero interface.

Perhaps the most appealing Aero effects are Windows Flip and Windows Flip 3D. Windows Flip is an update
of the Alt+Tab feature in Windows XP, used to switch between open applications. Windows Flip shows live
thumbnails of the open windows instead of generic icons, making windows easier to identify. Windows Flip
3D, activated with the Windows key+Tab, displays all of the open windows in a three-dimensional stack.
Even live content (such as a playing video) is rendered in the thumbnails. The entire stack can be
rotated and scrolled (in fact, you can even view the panes from "the back," seeing the live thumbnails in
reverse). Navigation is by arrow keys, mouse, or the mouse's scroll wheel.
Instant Search and Search Folders
Instant Search, and its related feature Search Folders, is an integrated search facility based on a behind-
the-scenes indexing capability. The indexing capability provides instant access to filenames, file
properties, and text within files.
Every Explorer Window contains an Instant Search field where the user may enter a word, part of a word,
or a phrase. Instant Search uses the index and performs a context-sensitive search based on the current
navigation location and the current activity, returning the results immediately in the open window. The
search can be cleared and a new one begun, or the user has the option of invoking an advanced search
(Figure 3), which allows further refinement of the search.

Figure 3. Instant Search Feature

Instant Search criteria can be saved by creating a Search Folder, a virtual folder that holds the results
of the search. Search Folders are updated in real time, so changes to files and folders are reflected in
the Search Folder immediately. For example, we could create a Search Folder containing documents that
have been updated today; as document modification dates (and the system date) change, different documents
appear in the Search Folder.
XML Paper Specification
Windows Vista introduces the XML Paper Specification (XPS), which is used as a document format, as the
Windows print spool file format, and as a page description language (PDL) for printers. XPS is the basis
for the rewritten document handling and printing subsystems in Vista. Microsoft Office 2007 can save
documents as XPS, and the specification itself is platform independent, openly published, and available
royalty-free.
Productivity
Changes in the UI are generally aimed at productivity; however, we also include a category of new features
designed specifically to increase users' productivity. In many cases these features have counterparts in
Windows XP, with improvements and extensions.
Network and Sharing Center
As its name implies, the Network and Sharing Center brings all network and sharing configuration
options into one central location. It allows users to verify that they are connected to a network and
whether their system can successfully reach the Internet. The user’s view of the network can be
graphically displayed via a Network Map (Figure 4), which visually describes the systems, switches, and
routers on the network and how everything is interconnected.

Network settings can also be saved to a portable USB flash drive to make adding additional desktops to
the network a quick and easy process. Desktops can be configured to interrogate the configuration data
on the flash drive, allowing the desktop to join the network.

Figure 4. Network and Sharing Center—Network Map

Windows Meeting Space
Windows Meeting Space is a new tool that facilitates collaboration among small groups of users. One
user initiates a session in Windows Meeting Space; others can join the meeting (with proper
authentication) and share files, desktop views, and exchange text messages.
Windows Meeting Space allows participants to start a meeting that enables multi-party file sharing. Users
can add a file to the handouts area and everyone instantly receives a copy. If one member of the group
makes a change to a file and saves it in the session, those changes are replicated to everyone else in the
session. When users leave, they can save a “final” copy of the handout to their local hard drive.
Windows Meeting Space takes advantage of the People Near Me feature, which allows a user to check
who is available on the network and invite them to join their collaboration group. People Near Me
(PNM) is a new capability of Vista that uses the Microsoft® Windows® Peer-to-Peer Networking
platform. It allows applications to discover people connected to the local subnet and invite them into a
collaborative activity.

Corporate Roaming and Offline Files and Folders
As with Windows XP, corporate IT administrators can store selected users' settings and data on a central
server and have those users access the data from any machine. In Windows XP, this was accomplished with
Roaming User Profiles (RUP) and Folder Redirection (FR). Both were inefficient: RUP copied the entire
profile to the client at each logon, which limited how much data could practically roam, and FR limited
the number (and type) of files that roamed.
For organizations that use Group Policy, Windows Vista addresses these issues by allowing RUP and FR to
be deployed together with local (client-side) caching enabled. Deploying all of these technologies
concurrently achieves the goal of seamless data roaming without sacrificing usability. An administrator
can choose to roam only certain user settings but not the bulk of a user's data, such as documents or
application data. The roamed user settings carry the appropriate FR settings, so when a user logs on to a
PC for the first time, his or her documents begin synchronizing with the PC's local cache. All of that
synchronized content works with the new search and organization features in Windows Vista.
An additional improvement to FR with client caching is support for "ghosting" of unavailable content.
When a user logs on to a PC that is not connected to the network and opens the Documents folder in
Explorer, instead of seeing only the files that have been downloaded from the server, the user sees both
the downloaded files and ghosted items. The ghosted items represent files that have not been downloaded,
preserving the context of the user's files.
FR with client caching in Windows Vista also supports a new feature, Delta Sync, that streamlines the
overall sync experience. Delta Sync transfers only the changes to a document, rather than the entire
document, when synchronizing from client to server.
Security
One of the driving forces behind Vista is to improve security over Windows XP. Many of the
improvements include extending and improving upon security features from Windows XP SP2. However,
as Microsoft states, major improvements require architectural changes that can only be introduced with a
new operating system release.
User Account Control (UAC)
User Account Control increases security by allowing users to execute commonly used tasks without
requiring administrator privileges. In Windows XP, many of these tasks (e.g., changing time zones, and
accessing the system clock and calendar) required administrative privileges. IT managers were faced
with either giving users full rights so that they could perform these functions, or restricting their rights and
facing complaints about being too restrictive. With Vista, users are able to accomplish these tasks without
having administrator privileges.
An additional feature of UAC is providing feedback whenever a user attempts to perform a task that
requires administrator rights. In such a condition, the user is either notified that the task is prohibited, or
that administrative credentials are required to proceed (depending on how UAC is configured). Either
way, notification of the violation is unmistakable—the entire screen is dimmed and the verification
dialog box appears in the center of the screen (Figure 5).


Figure 5. User Account Control dialog

Windows Security Center


The Windows Security Center (originally implemented in Windows XP SP2) has been updated to display
the status of antispyware software, IE security settings, and UAC. Third-party security
solutions may also be accessed through the Security Center, as can Windows Defender and Windows
Firewall, explained below.
Windows Defender
Windows Defender (formerly known as Microsoft AntiSpyware) has been updated for Vista to include
real-time protection against threats. Windows Defender uses nine security agents to monitor different
parts of the system for application behavior that is characteristic of spyware. Generally, Windows
Defender is more oriented to individual users whose systems are not centrally managed.
Windows Firewall
Windows Firewall is based on the Firewall found in XP SP2 with some important improvements. First,
Windows Firewall has a new management console snap-in named Windows Firewall with Advanced
Security (Figure 6), which provides access to many advanced options and enables remote administration
via group policy. An important addition is the ability to filter outbound traffic (although it is disabled by
default) to thwart “phone home” spyware and viruses.
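What turning on the outbound filtering described above looks like in practice, as an added example that is not from the guide or from ScriptLogic: it switches the default allow-outbound policy to block-outbound with explicit allow rules, using the netsh advfirewall context Vista ships. It assumes an elevated prompt; the management-agent path is a placeholder.

```powershell
# Added example, not from the guide: enable outbound filtering with explicit
# allow rules through netsh advfirewall. Run from an elevated prompt.
# The desktop-management agent path below is a placeholder.

# Keep a restorable copy of the policy that is in force before any change.
$backup = Join-Path $env:TEMP 'firewall-before.wfw'
netsh advfirewall export "$backup"

# Vista default (shown for comparison, not executed): inbound blocked, outbound
# allowed, which is why "phone home" traffic passes until outbound filtering is on.
#   netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# Hardened policy for all three profiles (domain, private, public):
# outbound connections are dropped unless an explicit rule allows them.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# Allow the programs the enterprise actually needs, by executable path.
netsh advfirewall firewall add rule name="Out: desktop management agent" dir=out action=allow program="C:\Program Files\PLACEHOLDER-Agent\agent.exe" enable=yes
netsh advfirewall firewall add rule name="Out: Internet Explorer" dir=out action=allow program="C:\Program Files\Internet Explorer\iexplore.exe" enable=yes

# Windows Update runs inside svchost.exe; scope the rule to that one service
# (the per-service SID from services hardening makes this possible) rather than
# to every svchost-hosted service.
netsh advfirewall firewall add rule name="Out: Windows Update" dir=out action=allow program="$env:SystemRoot\system32\svchost.exe" service=wuauserv protocol=TCP remoteport=80,443 enable=yes

# Core infrastructure is allowed by port rather than by program: DNS and DHCP.
# A domain-joined client would also need rules for Kerberos, LDAP and SMB to its
# domain controllers before this policy is rolled out.
netsh advfirewall firewall add rule name="Out: DNS" dir=out action=allow protocol=UDP remoteport=53 enable=yes
netsh advfirewall firewall add rule name="Out: DHCP" dir=out action=allow protocol=UDP localport=68 remoteport=67 enable=yes

# Log what gets dropped so that blocked "phone home" attempts are visible for review.
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename "$env:SystemRoot\system32\LogFiles\Firewall\pfirewall.log"

# Confirm the resulting policy.
netsh advfirewall show allprofiles
```

Test the allow list on a pilot group before enforcing it through Group Policy; anything missing shows up as DROP lines in pfirewall.log.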


Figure 6. Windows Firewall with Advanced Security snap-in dialog

Reliability
Windows Vista has multiple improvements to reliability utilities, as well as some new functionality.
Backup and Restore Center
The Backup and Restore Center is a one-stop place to manage local backup and restore activities. For
users who do not have a centrally managed backup/restore process, it makes system backups easy and
automatic. The Backup and Restore Center allows users to specify a regular backup schedule, and to
back up selected files and folders or the entire system. Backups can go to CD, DVD, another
hard drive, or another system over the network.
Shadow Copy
An innovation first introduced in Windows Server 2003 is that of Shadow Copy—incrementally saving
files that are changed or deleted with an easy-to-use interface that allows the user to selectively and
easily restore them. Shadow Copy creates copies of changed files on a scheduled basis, only saving
incremental changes to save disk space.


Figure 7. Illustration of Shadow Copy on a file.

Shadow Copy is accessed by right-clicking a file or folder and selecting Restore Previous Versions. It
allows the user to go back in time and access files and folders as they were on previous dates. Users are
given a read-only preview of each version to determine which one to restore. When accessing a
previous version of a folder, users can browse the folder hierarchy as it was at that point in time.
Performance
Windows Vista supports multiple new features aimed at performance. Like much of the rest of Vista,
these features scale with the available hardware, and in some cases, anticipate hardware that will be
available in the future.
Vista incorporates a new control panel that provides a central point for maintenance of performance
issues, including an analysis of the system to determine the Windows Vista Experience Index (described
earlier).
Startup, sleep, and shutdown performance
Improvements have been made in startup and shutdown performance (over Windows XP). A new state—
sleep—provides a mechanism for turning the computer off without requiring a reboot to restart. The
system state is written to memory and disk, and will remain in memory as long as there is power to the
system. To save power, the disks and processor(s) are powered off. The benefit of Sleep mode is an
operational system within a few seconds after the user pushes the power button.


Windows SuperFetch
A new technology with Vista, SuperFetch is an intelligent memory management mechanism that attempts
to keep most-often used memory pages in memory. However, it goes beyond a simple last-used
algorithm; SuperFetch understands which applications are most often used (and even when certain
applications are accessed), and preloads these applications into memory to make their invocation faster.
Windows ReadyBoost
ReadyBoost is a quick way of making the system appear as if it has additional memory. ReadyBoost uses
a removable flash memory device, such as a USB thumb drive, to keep data that would normally be
placed out on a hard drive. System performance is improved because data on the memory device can be
accessed faster than out on the disk.
ReadyBoost still writes data to disk though, to prevent data loss if the memory device is removed. In
addition, the data on the memory device is encrypted to ensure that unauthorized access to the device
will not result in a security breach.
Low-priority I/O
On most desktop systems, multiple applications all have equal priority to the I/O system (especially the
disk drives). For example, if a virus scan program is running in the background, disk accesses made by
that program have equal priority to other running user applications, and will typically slow down
response time to those applications.
Vista has introduced low-priority I/O, the ability for a process to voluntarily have lower-priority access to
the I/O subsystem. Some of Vista’s internal processes, such as search indexing, disk defragmentation,
and Windows Defender’s system scan are written to utilize low-priority I/O.


Feature Assessment
We will wrap up this overview of Vista’s new features with an admittedly subjective assessment of the
impact each feature has on an enterprise. We are assuming a “typical” hypothetical end-user
environment, specifically:
• The majority of end users have a few specific applications that are the core of their workload. These
applications are centrally managed with some sort of enterprise desktop management tool such as
ScriptLogic’s Desktop Authority, or are browser-based.
• A large part of the remaining workload is browser-based, searching the Internet and/or executing web-
based applications for the enterprise.
• Most of the remaining time is spent with Office applications, including word-processing, creating
presentations, and working with email.
For each of the features described in the preceding sections, we make an assessment on the feature’s
impact on the bottom line; a return on the investment in upgrading the desktop to Windows Vista.

Table 2. An assessment of Vista's new features on end-user productivity.

Columns: Feature | Impact on productivity/usefulness (-, neutral, +) | Comments

User Interface
Desktop and Appearance: The new appearance features, while cool, have little effect on end-user productivity. In fact, users will undoubtedly spend time playing with the new features when Vista is first installed.
Windows Aero: Same as Appearance.
Instant Search and Search Folders: Instant Search will be useful for typical users that often need to find files.
XML Paper Specification: XML will, at first, be a detriment to productivity as MS Office documents (and documents outside of the MS Windows environment) are converted.

Productivity
Network and Sharing Center: For most enterprise users, the Network and Sharing Center will be of little use.
Windows Meeting Space: Windows Meeting Space will be useful for those enterprise users that do not have their own collaboration tools.
Corporate Roaming/Offline Files and Folders: If it works as advertised, Roaming Profiles will be very useful for mobile users.

Security
User Account Control (UAC): User Account Control will have little use in an enterprise environment that is centrally managed. However, if left activated, it may have a slightly negative effect, since it requests verification for almost any Control Panel activity.
Windows Security Center: Windows Security Center is very similar to the XP SP2 feature. However, increased security will undoubtedly help the enterprise in general, and should reduce incidents caused by malware on end users' systems.
Windows Defender: Ditto.
Windows Firewall: Ditto.

Reliability
Backup and Restore Center: Backup and Restore Center may help some enterprise users, but in general, this function is centrally managed and will have little impact.
Shadow Copy: Shadow Copy could quite well positively impact end users that are prone to deleting files inadvertently and/or need to retrieve past editions of documents.

Performance
Startup, sleep, and shutdown performance: Performance in startup, sleep, etc. will have a minor effect on productivity, more so for mobile users.
Windows SuperFetch: SuperFetch will have only a minor effect on end users' performance.
Windows ReadyBoost: It is doubtful that enterprise end users will use an external USB device to increase the performance of their system.
Low-priority I/O: Low-priority I/O will be most useful for background virus protection software, which can rob a system of performance. However, third-party software vendors will have to release new versions of their software to use this feature.

Vista’s new features—summary.


In this first chapter, we’ve taken a high-level look at Windows Vista, and reviewed many of the features
that will be most visible to enterprise users and consumers. Many of the features are designed to make
the end user feel more “at one” with his/her PC, that is, to improve their “experience.” However, except
for a few clever features (e.g., Instant Search) these features will probably have minimal impact on the
typical enterprise user that is simply trying to improve the bottom line of a corporation.
In subsequent chapters, we will examine new features that have more of an impact on the enterprise—
security, networking, and management and operations.

Chapter 2
Selected Vista Features

Introduction
In the previous chapter, we reviewed and evaluated the features that are most visible to an end user.
In this chapter, we will delve deeper into Vista, uncovering features that are less visible but no less
important. These “deeper” features are generally more important to, and have more of an impact on, an
IT professional that is responsible for the maintenance of desktops and mobile systems in an enterprise
setting.
This chapter will focus on new and improved security, new networking features, and management and
operations features.

Security
The new Aero user interface is quite entertaining, and the instant search feature is certainly helpful;
however, ultimately one of the primary reasons to implement Vista is its design for security. While
Windows XP Service Pack 2 made substantial progress in increased security, Vista’s security
enhancements go beyond that, and are so fundamental to the architecture that they could only be
implemented through extensive changes to core operating system functions.

Security Development Lifecycle


During the design and coding of Vista, Microsoft placed security as the number one priority [8]. In fact,
development methodologies were significantly revamped to conform to new processes, collectively
known as the Security Development Lifecycle (SDL).
Although not a feature per se, the SDL plays an important role in increasing Vista security. It mandates
that security reviews be built into every step of the development cycle. For example, during Vista
development a review team (the Secure Windows Initiative Attack Team—SWIAT) was chartered with
conducting extensive design reviews and testing, with the goal of identifying parts of the product’s code
or design that needed additional work. The in-house SWIAT analysts were supplemented by reviewers
drawn from security research firms and penetration-testing companies. Their sole job was to ferret out
potential security flaws, assess their impact, and pass the information back to the development teams.

[8] "Microsoft® Windows® Vista™ Security Advancements," June 2006



SDL also enforces coding design rules and testing scenarios that reduce opportunities for attack and
streamline security management functions. The SDL employs software development tools that analyze
code for logic and code constructs that would not be detectable by standard compilers. The tools search
for certain kinds of code vulnerabilities, such as overruns caused by string copies and unexpected
combinations of conditions that result in the execution of obscure code paths.
Finally, since Vista was being developed concurrently with the deployment of Windows XP Service Pack
2, the SDL processes took vulnerabilities that were being exposed in Windows XP and tested them
against Vista, with development implementing patches to both systems where appropriate.

Windows Services Hardening


The Windows operating systems use background processes called services. Services are started, paused,
and stopped through the Services snap-in of the Microsoft Management Console (MMC).
In Windows XP, services run with the highest possible system privileges (LocalSystem), and are an easy
target for malicious attack. Windows Vista has made substantial changes to Windows services to reduce
the opportunity for attack, generally referred to as services hardening.
The primary concept behind services hardening is that of restricting services to run under the least
possible privilege level needed. To help accomplish this reduction in privilege level, services no longer
run in a user session; in fact, they no longer have access to video drivers, nor can they request or
receive input from any user interface.
Services hardening can affect some existing applications that run as services or interface with services.
Any service that assumes it is running in a user session (e.g., one that attempts to create a user interface,
such as a dialog box) will not execute correctly, or will hang because it is waiting for a user response
that will never occur.
In addition to changes to how services run, core Windows services each have profiles that define the
security privileges necessary for that service. These profiles include rules for accessing system resources
and for the inbound/outbound network ports that the service is allowed to use (monitored and enforced via
Windows Firewall). During execution, service activities are checked against this profile, and any attempt
to perform an unassigned activity is disallowed.
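A way to check how far this least-privilege model has been applied on a given machine, as an added example that is not from the guide: the PowerShell below (2.0 or later assumed) lists running services that still use the LocalSystem account and, for each, the declared privilege list and service SID type that sc.exe reports. It changes nothing.

```powershell
# Added example, not from the guide: audit services that still run as LocalSystem
# and show the per-service privilege list and service SID type that Vista's
# services hardening introduced. Read-only. Assumes PowerShell 2.0 or later.

function Get-ServiceHardeningReport {
    # Win32_Service exposes the logon account of every service as StartName.
    $localSystem = Get-WmiObject -Class Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' -and $_.State -eq 'Running' }

    foreach ($svc in $localSystem) {
        # "sc qprivs" prints the privileges the service declared it needs; the
        # service control manager strips every other privilege from its token.
        # A service that declares nothing keeps the full LocalSystem set.
        $privs = sc.exe qprivs $svc.Name | ForEach-Object {
            if ($_ -match '(Se\w+Privilege)') { $matches[1] }
        }

        # "sc qsidtype" prints NONE, UNRESTRICTED or RESTRICTED. With a per-service
        # SID, ACLs and firewall rules can be scoped to this one service instead of
        # to everything that runs as LocalSystem.
        $sidType = 'unknown'
        $sidOut  = (sc.exe qsidtype $svc.Name) -join "`n"
        if ($sidOut -match 'SERVICE_SID_TYPE:\s*(\w+)') { $sidType = $matches[1] }

        New-Object PSObject -Property @{
            Name       = $svc.Name
            Account    = $svc.StartName
            SidType    = $sidType
            Privileges = if ($privs) { @($privs) -join ',' } else { '(none declared: full LocalSystem)' }
        }
    }
}

# Services with no declared privilege list are the ones to review first.
Get-ServiceHardeningReport | Sort-Object Privileges |
    Format-Table Name, Account, SidType, Privileges -AutoSize
```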


User Account Control


A significant advancement in security is the separation of administrator and user privileges through a
new feature called User Account Control (UAC)—briefly covered in Chapter 1. Let’s examine this new
feature in more detail—additional information is available at
http://www.microsoft.com/technet/windowsvista/security/uacppr.mspx
UAC is based on reducing the “normal” privilege level for users and administrators. In past versions of
Windows, to perform any administrative function required administrator privileges—even for routine
tasks such as changing the system’s time zone or power management settings. As a result, administrators
simply allowed all users administrative privileges. While this situation is more convenient, it also allows
users to perform administrative functions like installing and configuring applications, modifying device
drivers, and changing system configuration parameters. Not only could users damage their system
configuration (which potentially could propagate and damage systems on the network), but also
administrator-level user accounts can cause great damage when exploited by malware.
Enter UAC, which separates standard user privileges from those that require administrator access.
A subset of administrative activities deemed to pose no security risk, such as changing time
zones or adding a printer, is allowed to execute in user mode. Should a user attempt a task that truly
requires administrative access, the user is prompted for an administrator password. The bottom line is
that administrators can safely prevent users from executing tasks that require administrative privileges,
while still providing them with the convenience of making routine configuration changes.
A side effect of UAC is that older applications, which were often designed based on the assumption that
users would always have administrator privileges, may not execute correctly because Vista does not
allow them write access to critical system files (such as the registry). To maximize compatibility, Vista
includes file system and registry “virtualization”—a process that redirects writes from protected areas to
a virtual location within the user’s profile. Subsequent reads access the virtual location, allowing an
application to function properly while eliminating access to resources that would otherwise require
administrative access. To help determine whether an existing application will execute correctly when
executed as a standard user, Microsoft provides the Application Compatibility Toolkit (ACT) [9].

[9] See http://www.microsoft.com/downloads
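To find out which installed applications are actually relying on the redirection described above, here is an added PowerShell example (not from the guide): it lists the files and registry keys that UAC virtualization has parked in the current user's VirtualStore. The application folder names in its comments are hypothetical.

```powershell
# Added example, not from the guide: list the files and registry keys that UAC
# virtualization has redirected into the current user's VirtualStore. Any
# application that appears here was denied a write to a protected location and
# is a candidate for an ACT review. Read-only; folder names in comments are
# hypothetical.

function Get-VirtualizedWrites {
    $fileStore = Join-Path $env:LOCALAPPDATA 'VirtualStore'
    $regStore  = 'HKCU:\Software\Classes\VirtualStore'

    $files = @()
    if (Test-Path $fileStore) {
        # A file such as VirtualStore\Program Files\ExampleApp\settings.ini means
        # the application tried to write C:\Program Files\ExampleApp\settings.ini.
        $files = Get-ChildItem -Path $fileStore -Recurse |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Kind     = 'File'
                    Location = $_.FullName.Substring($fileStore.Length + 1)
                    Modified = $_.LastWriteTime
                }
            }
    }

    $keys = @()
    if (Test-Path $regStore) {
        # Redirected registry writes land under VirtualStore\MACHINE\SOFTWARE\<Vendor>\<App>,
        # mirroring the HKLM\SOFTWARE path the application actually asked for.
        $keys = Get-ChildItem -Path $regStore -Recurse | ForEach-Object {
            New-Object PSObject -Property @{
                Kind     = 'Registry'
                Location = $_.Name.Substring($_.Name.IndexOf('VirtualStore\') + 13)
                Modified = $null
            }
        }
    }

    @($files) + @($keys)
}

# Sorted by location so that all entries of one application sit together.
Get-VirtualizedWrites | Sort-Object Kind, Location |
    Format-Table Kind, Location, Modified -AutoSize
```

Run it as the end user, not from an elevated session, because VirtualStore lives in that user's profile.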


A second feature of UAC is that all processes with administrator privileges will by default start with
standard user access. When logging in, an administrative user is granted two levels of access (called
Administrator Approval Mode): full administrator and standard user. However, the standard user level is
the default, reducing the opportunity for malware to obtain administrator privileges. Should the
administrator attempt a task that truly requires administrative privileges, he or she is prompted for the
administrator password.
UAC is highly configurable, and administrators are generally able to configure it to suit their unique
circumstances. However, as with all things Vista, the default is to protect the user and the operating
system, and to provide the maximum practical protection against malware attacks.

Windows Defender
First introduced in 2005 as “Microsoft Windows AntiSpyware,” Windows Defender provides an anti-
spyware capability to Windows XP and Windows Vista. Windows Defender is based upon a product from
Giant Company Software, which Microsoft acquired in 2004. According to Microsoft, “Windows
Defender helps protect against and remove spyware, adware, rootkits, bots, keystroke loggers, control
utilities, and some other forms of so-called ‘malware.’ (Windows Defender does not provide preventive
protection against malware that is classified solely as a worm or virus.)” [10] Note that Microsoft
specifically states that Windows Defender is targeted at individual users and does not include enterprise
management tools; typically an enterprise has other means or uses other third-party desktop management
tools to manage anti-spyware.
Windows Defender protects a Vista system through several methods, including scheduled system scans
for spyware, a real-time monitoring function, and a "Software Explorer" user interface.
Scheduled system scans are based upon spyware definitions kept up to date by the Automatic Updates
capability of Vista. Scans can be scheduled or initiated manually. Enhancements in Vista (beyond the
capabilities provided in Windows XP) improve both performance and security, including the ability to
scan only files that have changed, to run under a security-enhanced account, and to scan executables
when they are invoked. Windows Defender also allows files to be scanned as they are downloaded by
Internet Explorer 7.

[10] See http://www.microsoft.com/athome/security/spyware/software/default.mspx

Real-time monitoring employs a set of agents that continually check for unauthorized access to file
system elements, changes to system configurations, and the like. There is a long list of agents available
(Table 3); although configurable through the Windows Defender Options dialog, Microsoft recommends
that all agents be enabled.

Table 3. Real-time protection agents supported by Vista's Windows Defender [11]

Real-time protection agent: Purpose

Auto Start: Monitors lists of programs that are allowed to automatically run when the computer is started. Spyware and other potentially unwanted software can be set to run automatically when Windows starts, running without the user's knowledge.

System Configuration (Settings): Monitors security-related settings in Windows. Spyware and other potentially unwanted software can change hardware and software security settings, and then collect information that can be used to further undermine the computer's security.

Internet Explorer Add-ons: Monitors programs that automatically run when Internet Explorer is started.

Internet Explorer Configurations (Settings): Monitors browser security settings, which are the first line of defense against malicious content on the Internet.

Internet Explorer Downloads: Monitors files and programs that are designed to work with Internet Explorer, such as ActiveX controls and software installation programs. These files can be downloaded, installed, or run by the browser itself. Spyware and other potentially unwanted software can be included with these files and installed without the user's knowledge.

Services and Drivers: Monitors services and drivers as they interact with Windows and other programs. Because services and drivers perform essential computer functions, they have access to important software in the operating system. Spyware and other potentially unwanted software can use services and drivers to gain access to a computer or to try to run undetected on a computer like normal operating system components.

Application Execution: Monitors when programs start and any operations they perform while running. Spyware and other potentially unwanted software can use vulnerabilities in programs to run malicious or unwanted software. For example, spyware can run itself in the background when a program is started. Windows Defender monitors programs and alerts the user if suspicious activity is detected.

Application Registration: Monitors tools and files in the operating system where programs can register to run at any time, not just when programs are started. Spyware and other potentially unwanted software can register a program to start without notice and run, for example, at a scheduled time each day. This allows the program to collect information about the computer or gain access to important software in the operating system without your knowledge.

Windows Add-ons: Monitors add-on programs (also known as software utilities) for Windows. Add-ons are designed to enhance the user's computing experience in areas such as security, browsing, productivity, and multimedia. However, add-ons can also install programs that will collect information that could expose sensitive, personal information, often to advertisers.

Software Explorer is a user interface that gives users visibility into a system's software and
system state. Software Explorer provides detailed information about currently running software that can
affect system security or user privacy. For example, the user can view which programs run automatically
when Windows is started, and information about how these programs interact with other Windows
programs and services (Figure 8).

[11] Adapted from Windows Defender > Options Help
Software Explorer helps the user monitor the following items:
• Startup programs, which are programs that run automatically (with or without the user’s knowledge)
when Vista starts.
• Currently running programs, which are programs that are running onscreen or in the background.
• Network-connected programs, which are programs or processes that can connect to the Internet or to
the local area network.
• Winsock service providers, which are programs that perform low-level networking and communication
services for Windows and programs that run on Windows.

Figure 8. The Software Explorer UI of Windows Defender

Windows Defender is designed to augment third-party anti-malware products. Network administrators in
an enterprise environment can use Group Policy to enable or disable Windows Defender; computer
manufacturers can choose to have it turned off by default on new systems.


Network Access Protection


Network Access Protection (NAP) is a new platform that performs computer health policy validation,
ensures compliance with health policies, and optionally restricts the access of computers that do not
comply with system health requirements. NAP is a client-server architecture; the client-side agent is
provided on Windows Vista. The server side will be provided in the upcoming release of Windows Vista
Server (in Microsoft's inimitable fashion, also code-named "Longhorn"). NAP is an infrastructure and an
application programming interface (API) that allows vendors and software developers to build their own
network policy validation, ongoing network policy compliance, and network isolation components.
Figure 9. The NAP Client Configuration snap-in

NAP prevents Vista-based clients from connecting to a private network if the system lacks current
security updates or virus signatures, or otherwise fails to meet defined health requirements. The NAP
agent also reports system health status, such as having current updates installed, back to the enforcement
service in the server. The server then determines whether to grant the client access to the network.
Client-side NAP is configurable through the NAP Client Configuration snap-in to the MMC (Figure 9).


Data Protection and Encryption


A major security issue relates to unauthorized access to data that could be obtained by physically
acquiring a computer. Examples include lost, stolen, or decommissioned systems that contain critical
data. Vista includes technologies that allow users to protect their data through encryption at the file,
folder, or system level.
Encrypting File System (EFS)
The Encrypting File System (EFS) in Vista is redesigned (from Windows XP) to support storing private
keys on smart cards, a new user interface (Figure 10), and tighter integration with Public Key
Infrastructure [12]. The new EFS allows administrators to store their domain recovery keys on a smart card.
To recover users' files, the administrator need only log in (either locally or via Remote Desktop) and use
the recovery card to access the files.
Figure 10. The new Certificates snap-in for the Microsoft Management Console (MMC)

The new Certificates snap-in for the Microsoft Management Console provides tools to back up keys and
migrate existing EFS files to new keys. Administrators can set requirements such as
minimum encryption strength and the use of smart cards.

[12] See http://en.wikipedia.org/wiki/Public_key_infrastructure


Several new Group Policy options have been added to help administrators define and implement
organizational policies for EFS. These include the ability to require smart cards for EFS, enforce page
file encryption, stipulate minimum key lengths for EFS, and enforce encryption of the user’s Documents
folder.
BitLocker Drive Encryption
BitLocker Drive Encryption is a data protection feature that encrypts an entire Windows volume,
preventing access to the data on the volume even if the disk drive is physically in the hands of an
unauthorized user. Additionally, BitLocker enables integrity checking on early boot components,
preventing the computer from booting if it detects tampering with system files or data. Note that
BitLocker is only available on Vista Ultimate and Vista Enterprise editions.
BitLocker uses the v1.2 TPM security hardware [13]—available on most new systems—to help secure the
encryption keys and to prevent software-based attacks on system integrity or security of other data,
applications, DLL files, and files stored on the operating system volume. Protection is achieved by
encrypting the entire Windows system volume, including all user files, system files, swap, and
hibernation files.
Once BitLocker authenticates access to the protected operating system volume, a driver in the Vista file
system encrypts and decrypts disk sectors transparently as data is written to and read from the protected
volume. When the computer hibernates, the hibernation file is also saved encrypted to the protected
volume. According to Microsoft, the performance penalty for encryption and decryption is minimal.
To provide system integrity protection, BitLocker uses the TPM to collect and store measurements from
multiple sources within the boot process to create a system “fingerprint.” This fingerprint remains the
same unless the boot system is tampered with. Once the integrity of the boot process is proven,
BitLocker uses the TPM to unlock the rest of the data. The system then continues startup and system
protection is handed over to the running operating system.
BitLocker may optionally be configured to lock the normal boot process until the user supplies a PIN
or inserts a USB flash drive that contains keys to unlock the system.

Other Security Enhancements


Address Space Layout Randomization
To make it more difficult to attack operating system functions, Vista has a defense capability called
Address Space Layout Randomization (ASLR). ASLR randomly assigns operating system executable
pages to different physical memory locations at system boot time. Randomly assigning these locations
reduces the likelihood that malicious code can exploit a specific system function based on location alone.

13 See http://www.trustedcomputinggroup.org/
© 2007 ScriptLogic®
The Expert’s Guide to Implementing Microsoft® Windows® Vista™   25
Chapter 2

Internet Explorer Enhancements


Internet Explorer 7, when running on Vista, supports a new feature called Protected Mode.
In Protected Mode, Internet Explorer 7 runs with reduced rights to help prevent user or system files
or settings from being changed without the user’s explicit permission. Even if a malicious site exploits a
vulnerability in Internet Explorer, the site's code will not have enough privileges to install software, copy
files to the user's Startup folder, or hijack browser settings.
A new version of the Internet Explorer Administration Kit (IEAK) simplifies the creation of customized
deployment packages. With Internet Explorer 7, administrators have centralized control over settings
through Group Policy in the Active Directory® directory service.

Integrated Rights Management Services Client


Microsoft’s Rights Management Services (RMS) helps protect the security and integrity of sensitive
information in an enterprise. Vista includes an integrated RMS client that reduces the number of
additional components that must be installed on the desktop, reducing IT intervention for deployment.
The Vista implementation of RMS also includes smart card integration and longer encryption key
lengths. When combined with the Windows Server “Longhorn” release, RMS will be integrated with Active
Directory Federation Services, allowing companies to share sensitive information in the same manner as
they would protected internal information.
RMS also supports the new XML Paper Specification, and has deeper integration with Microsoft
SharePoint®—Microsoft’s suite of content management software.

Networking
Microsoft Windows Vista includes significantly improved networking technology, including a new
TCP/IP stack, improved wireless networking management, and multiple security enhancements.
According to Microsoft, Vista’s improvements represent the largest set of networking innovations since
Windows 95¹⁴, and benefit users as well as administrators.

New TCP/IP Stack


The TCP/IP protocol stack has been completely rewritten for Vista, and includes redesigns of both the
Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6) stacks. According to Microsoft,
the redesigns address connectivity, ease of use, management, reliability, and security¹⁵.

IPv6 Support
Vista supports both IPv4 and IPv6 through a dual IP layer architecture. IPv6 is enabled by default
without any additional steps necessary by the administrator. The dual IP layer support enables a gradual
migration using IPv6 transition technologies that tunnel IPv6 traffic across private IPv4 networks or the
IPv4 Internet. Applications and services that support both IPv4 and IPv6 will by default prefer the use of
IPv6 to IPv4 (although this behavior can be configured by the administrator).

Higher performance
The Vista networking stack has multiple performance improvements. In a high-loss environment such as
sending/receiving audio and video files, throughput is improved by a new algorithm that allows a sender
to send more data while simultaneously retrying a partial acknowledgement.
Another significant change is the automatic resizing of the TCP receive window. Vista networking
performs auto tuning by continually monitoring the bandwidth and latency of a TCP connection, and
optimizing the receive window size for each connection. For example, in a high-bandwidth, high-latency
situation the window size will be increased to allow more data to be transferred in each block, increasing
overall throughput¹⁶.
To improve overall performance, Vista is capable of distributing TCP traffic processing across multiple
system processors, and supports certain network cards that have hardware-accelerated TCP/IP processing
on the card.

14 See http://technet.microsoft.com/en-us/windowsvista/aa905086.aspx
15 See http://www.microsoft.com/technet/network/evaluate/new_network.mspx
16 See http://www.microsoft.com/technet/community/columns/cableguy/cg1105.mspx

Lastly, Windows Vista supports Microsoft’s NetDMA (Direct Memory Access) architecture, which
reduces the number of data copies in the system by allowing data to be transferred directly between the
network card and users’ buffers. It requires a specific hardware DMA architecture, such as Intel I/O
Acceleration, to be present and enabled.

Simpler connectivity
The proliferation of mobile computer systems requires much more flexibility in acquiring network
connectivity “on the fly,” while maintaining a seamless workplace environment and its related security.
Vista contains a new Network Center (discussed in Chapter 1). The Network and Sharing Center
provides a clear view of the current connection status, available wireless networks, a network map to
show surrounding network resources, and easy methods to create or join ad-hoc wireless networks.
Diagnostic tools built into Network Center simplify troubleshooting connectivity problems and users
can browse network resources.

Higher security
Vista networking uses the updated Windows Firewall (discussed in Chapter 1) to create network filtering
rules or require authentication. Network data can be encrypted, and through Network Access Protection
(see “Security” section in Chapter 2) clients that are deemed unhealthy can be banned from the network.
Wireless security has been enhanced, with support for more protocols and standards, and tight integration
with other related security features. For example, the capabilities of the wireless network adapter are
examined by Vista, and the most secure protocol is chosen by default when connecting to or creating
wireless networks.

Improved Manageability
Networking manageability has been improved in Vista, largely through better management of wireless
devices and the inclusion of additional Group Policy settings.
Vista includes a native wireless networking architecture (Native Wi-Fi) as part of its core networking
support¹⁷. Native Wi-Fi provides many benefits, including deployment across many hardware brands and
models and more reliable third-party wireless adapter drivers.
Vista’s wireless features can be managed via Group Policy or command-line scripting to deploy
configuration settings and security requirements across an entire organization.

17 See http://www.microsoft.com/technet/technetmag/issues/2006/11/VistaNetworking

Management and Control


New management and control tools in Windows Vista are aimed at lowering cost of ownership by
increasing efficiency of administration, reducing the number of administrative support incidents, and
streamlining deployment.

Microsoft Management Console (MMC)


The Microsoft Management Console (MMC) is the main administrator interface for managing Windows-
based environments. The new MMC provides a simpler and more consistent user interface across a wider
range of tasks. The new interface provides an Action pane—a list of all actions that are available to the
user based on the currently selected items in the tree or results pane. This allows administrators to more
easily discover the capabilities of any management tool that uses the MMC framework.
The new MMC interface also provides an “Add or Remove Snap-ins” dialog to make it easier to organize
snap-ins.
Figure 11. The “add or remove snap-ins” dialog for the MMC.

Windows Eventing Architecture


The event log service and event viewer have been completely rewritten in Vista to improve event
management in an enterprise setting. The eventing architecture¹⁸ features increased security, increased
performance, and increased scalability.
Event tracing now provides asynchronous publishing of events, greatly reducing the performance impact
to instrumented processes. Some events, especially analytic and debugging events that are generally high
volume, are immediately saved to a file with minimal processing to avoid affecting system performance.
Administration and Operational events, which are less frequent, are tagged with information about the
current user context and the publishing process, then delivered to their respective subscribers.
The new Event Viewer is a snap-in for the revised Microsoft Management Console (MMC), described
above. New features include:
New grouping of events for faster access. To improve reporting and analysis, Microsoft analyzed
common event types and defined five event types (Table 4). Every event is assigned one of these
types, which quickly narrows down report queries.

18 See http://www.microsoft.com/technet/technetmag/issues/2006/11/EventManagement

Table 4. New Windows Eventing Architecture event types and typical users

Admin
  Description: The Admin type will suffice for the majority of system administrators. These events are
  very high level and they often provide enough information to identify a problem and determine its
  solution. At the very least, Admin events should identify when an issue occurs or indicate when an
  application, a component, or the system as a whole is in or has recovered from an unhealthy state.
  Most Admin events are errors or warnings, and they are usually actionable.
  Used by: Administrators, support personnel, and monitoring and analysis programs

Operational
  Description: Like Admin events, Operational events enable problem diagnosis. Operational events
  consist of more than just errors and warnings; they also inform users about normal operation of an
  application or OS component. The volume of these events is kept quite low, so Operational events can
  be enabled without affecting system performance. The Operational events, along with the Admin
  events, are used by support personnel, monitoring utilities, and administrators.
  Used by: Advanced administrators, support personnel, and monitoring and analysis programs

Audit
  Description: Audit events provide a historical record of any resource access or actions taken by
  users. These events do not in themselves represent failure or success of the program, but indicate
  failure or success of the action. Audit events can be completely disabled or selectively enabled with
  varying levels of granularity. Security auditing at the OS level is supported (the events can be found
  in the Security log of the Event Log).
  Used by: Advanced administrators, security auditors, and forensics specialists

Analytic
  Description: Analytic events, which are not very different from Operational events, are logged during
  normal operation of applications and components. But the volume and detail of Analytic events is much
  greater than that of Operational events, so they can have a negative effect on system performance.
  Thus, Analytic events are normally disabled. To make use of Analytic events, enable them before a
  diagnostic session and then disable them before examining the trace.
  Used by: Support personnel, and monitoring and analysis programs

Debug
  Description: Debug events are also high-volume events that are normally disabled. They are used
  mainly by developers and are seldom viewed by IT professionals.
  Used by: Developers

New appearance. The event viewer has been improved to provide additional information (Figure 12)
while retaining the structure of the Windows XP GUI, allowing administrators familiar with Windows
XP to easily begin using it. The viewer provides a new preview pane that will display event information
in a “friendly view” or the raw XML.

Figure 12. The redesigned event viewer snap-in for the MMC.

A new event structure based on XML. The standards-based event structure and its published schema
simplify reporting and manipulation of events. The new structure also facilitates automation and
integration with the Windows Task Scheduler.
New event query capability based on the XPath language, and a user interface for creating queries. An
important related improvement is the ability to securely forward events, generally to a system that is
dedicated to collecting them.
Additional event attributes for queries and reporting. Events now contain additional information,
including the time at which the event occurred, the process ID, the thread ID, the computer name, and the
Security Identifier (SID) of the user. The XML provides additional details, including the EventID, Level,
Task, an Opcode, and Keywords properties.
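As an added illustration (not code from this guide or from Microsoft), the following Python reads the XML event structure described above, pulls out the attributes just listed, decodes the Audit Success / Audit Failure keyword bits that make an Audit event record the outcome of an action, and applies an XPath selection of the kind the new Event Viewer query UI builds. The three events are constructed samples; the host name, SIDs and process IDs are invented, while the schema namespace, Event IDs 4624/4625 and the audit keyword bits are the real Windows values.

```python
"""Parse Vista-style XML events and query them the way the new Event Viewer does.

Added example, not code from the guide. The three events below are constructed
samples in the Windows event schema namespace; the host name, SIDs and PIDs are
made up. Event IDs 4624/4625 (logon success/failure) and the Audit Success /
Audit Failure keyword bits are the real Security-log values.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LEVEL_NAMES = {0: "LogAlways", 1: "Critical", 2: "Error", 3: "Warning",
               4: "Information", 5: "Verbose"}
RESERVED = 0x8000000000000000        # top keyword bit, set on every event
AUDIT_SUCCESS = 0x0020000000000000   # Security-log keyword bits
AUDIT_FAILURE = 0x0010000000000000


def _event_xml(event_id, level, keywords, time, pid, tid, sid, channel, data):
    """Build one constructed <Event> carrying the attributes the text lists."""
    data_xml = "".join('<Data Name="%s">%s</Data>' % kv for kv in data.items())
    return ('<Event xmlns="%s"><System><Provider Name="Constructed-Sample"/>'
            '<EventID>%d</EventID><Level>%d</Level><Task>0</Task><Opcode>0</Opcode>'
            '<Keywords>0x%016x</Keywords><TimeCreated SystemTime="%s"/>'
            '<Execution ProcessID="%d" ThreadID="%d"/><Channel>%s</Channel>'
            '<Computer>WKS-01.example.local</Computer><Security UserID="%s"/>'
            '</System><EventData>%s</EventData></Event>'
            % (NS["e"], event_id, level, keywords, time, pid, tid, channel, sid,
               data_xml))


# Constructed sample log: a service Error, then a failed and a successful logon.
SAMPLE_XML = "<Events>%s</Events>" % "".join([
    _event_xml(7000, 2, RESERVED, "2007-03-01T09:15:02.000Z", 528, 612,
               "S-1-5-18", "System", {"ServiceName": "ExampleSvc"}),
    _event_xml(4625, 0, RESERVED | AUDIT_FAILURE, "2007-03-01T09:16:40.000Z",
               616, 700, "S-1-5-18", "Security",
               {"TargetUserName": "jdoe", "IpAddress": "192.0.2.10"}),
    _event_xml(4624, 0, RESERVED | AUDIT_SUCCESS, "2007-03-01T09:16:55.000Z",
               616, 704, "S-1-5-18", "Security",
               {"TargetUserName": "jdoe", "IpAddress": "192.0.2.10"}),
])


def audit_outcome(keywords):
    """Audit events record success or failure of the action, not of the program."""
    if keywords & AUDIT_FAILURE:
        return "failure"
    if keywords & AUDIT_SUCCESS:
        return "success"
    return None


def parse_events(xml_text):
    """Return one dict per <Event> with the System attributes and EventData values."""
    records = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        system = ev.find("e:System", NS)
        text = lambda name: system.findtext("e:" + name, namespaces=NS)
        attr = lambda name, key: system.find("e:" + name, NS).get(key)
        keywords = int(text("Keywords"), 16)
        records.append({
            "event_id": int(text("EventID")),
            "level": LEVEL_NAMES.get(int(text("Level"))),
            "task": int(text("Task")),
            "opcode": int(text("Opcode")),
            "keywords": keywords,
            "audit": audit_outcome(keywords),
            "time": attr("TimeCreated", "SystemTime"),
            "process_id": int(attr("Execution", "ProcessID")),
            "thread_id": int(attr("Execution", "ThreadID")),
            "channel": text("Channel"),
            "computer": text("Computer"),
            "user_sid": attr("Security", "UserID"),
            "data": {d.get("Name"): d.text
                     for d in ev.findall("e:EventData/e:Data", NS)},
        })
    return records


def xpath_select(xml_text, event_id):
    """Select events by ID with XPath, as the Event Viewer query UI does.

    Event Viewer writes this as *[System[EventID=N]]; ElementTree's XPath subset
    has no nested predicates, so we descend into System and step back with '..'.
    """
    path = "e:Event/e:System[e:EventID='%d']/.." % event_id
    return ET.fromstring(xml_text).findall(path, NS)


def failed_logons(records):
    """Count Audit-Failure logon events (ID 4625) per target account."""
    counts = {}
    for r in records:
        if r["event_id"] == 4625 and r["audit"] == "failure":
            name = r["data"].get("TargetUserName", "?")
            counts[name] = counts.get(name, 0) + 1
    return counts
```

The same field extraction applies to XML exported from a forwarded-event collector, which is where a defender would normally run a query like failed_logons across many hosts.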

Increased Automation
The task scheduler is used to automate management and configuration tasks. Vista features a completely
redesigned task scheduler interface and a snap-in for the MMC, which combines multiple UIs into a
single and consistent interface (Figure 13).

Figure 13. The redesigned task scheduler snap-in for the MMC.

Scheduling tasks is much more flexible and comprehensive than in Windows XP. Tasks can be scheduled
to run at predefined times, or configured to run when specific events occur. In addition, multiple triggers
may be configured to initiate one or more tasks, which may run simultaneously or in a predetermined
sequence. Tasks can also be configured to run based on a system status, such as being idle for a pre-
configured amount of time, startup, logoff, or other triggers.
The Task Scheduler supports new security features, including employing the new Credentials Manager
for storing passwords, and running tasks at a reduced privilege level (by running the task as its own
session instead of in the same session as the administrator).

New Group Policy Management


Vista expands the number of features and components that can be managed with Group Policy, from
approximately 1,800 in Windows Server 2003 Service Pack 1 to approximately 2,500 in Vista and the
forthcoming Windows Server “Longhorn.” The new policies, which are primarily security-related, are grouped
by category as summarized in Table 5¹⁸⁻².
Group Policy template files, previously known as ADM files, have a new format based on XML. The
new template files have the ADMX suffix. For domain-based Group Policy objects (GPOs), the ADMX
files can be stored centrally in a store replicated by the File Replication Service, and all computers in the
domain retrieve them from there and configure themselves accordingly.
Group policies can be set and edited via the Group Policy Management Console (GPMC) MMC snap-in,
or by using the Group Policy Object Editor.
Table 5. New or Expanded Group Policy Settings

Antivirus
  Manages behavior for evaluating high-risk attachments.

Background Intelligent Transfer Service (BITS)
  Configures the new BITS Neighbor Casting feature to facilitate peer-to-peer file transfer within a
  domain. This feature is supported in Windows Vista and Windows Server "Longhorn."

Client Help
  Determines where users access Help systems that may include untrusted content.

Deployed Printer Connections

Device Installation
  Allows or denies a device installation, based upon the device class or ID.

Disk Failure Diagnostic
  Controls the level of information displayed by the disk failure diagnostics.

DVD Video Burning
  Customizes video disc authoring.

Enterprise Quality of Service (QoS)
  Alleviates network congestion issues by enabling central management of Windows Vista network
  traffic.

Hybrid Hard Disk
  Configures the hybrid hard disk (with non-volatile cache) properties.

Internet Explorer 7
  Replaces and expands the current settings in the Internet Explorer Maintenance extension to allow
  administrators to read the current settings without affecting values.

Networking: Quarantine
  Manages three components: Health Registration Authority (HRA), Internet Authentication Service
  (IAS), and Network Access Protection (NAP).

Networking: Wired Wireless
  Applies a generic architecture for centrally managing existing and future media types.

Power Management
  Configures any current power management options in the Control Panel.

Removable Storage
  Allows administrators to protect corporate data by limiting the data that can be read from and
  written to removable storage devices.

Security Protection
  Combines the management of both the Windows Firewall and IPsec technologies to reduce the
  possibility of creating conflicting rules.

18-2 See http://technet2.microsoft.com/WindowsVista/en/library/a8366c42-6373-48cd-9d11-2510580e48171033.mspx


Table 5. New or Expanded Group Policy Settings (continued)

Shell Application Management
  Manages access to the toolbar, taskbar, Start menu, and icon displays.

Shell First Experience, Logon, and Privileges
  Configures the logon experience to include expanded Group Policy settings.

Shell Sharing, Sync, and Roaming
  Customizes selected schedules and behaviors.

Shell Visuals
  Configures desktop display attributes.

Tablet PC
  Configures Tablet PC.

Terminal Services
  Configures features to enhance security, ease-of-use, and manageability of Terminal Services remote
  connections.

Troubleshooting and Diagnostics
  Controls the diagnostic level, from automatically detecting and fixing problems to indicating to the
  user that assisted resolution is available.

User Account Protection
  Configures selected properties of user accounts.

Windows Error Reporting
  Disables Windows Feedback only for Windows or for all components. By default, Windows Feedback
  is turned on for all Windows components.

Reliability and Performance Monitoring


The reliability and performance monitoring utilities have been substantially rewritten for Vista to make
analysis more comprehensive, and to make it easier to pinpoint bottlenecks or misbehaving processes.
New features have been added, and the performance and monitoring tools have been consolidated into
the MMC¹⁹. Some of the major new reliability and performance features are described below.
Data Collector Sets group data collectors into reusable elements. A Data Collector Set can be scheduled
to collect data and create logs, loaded in Performance Monitor to view the data in real time, or saved as a
template for use on other computers.
The new Resource View screen provides a real-time overview of CPU, disk, network, and memory usage
(Figure 14). Each of these metrics can be expanded, providing per-process information that can be
sorted on multiple keys. The detailed report provides at-a-glance usage by process.

19 See http://technet2.microsoft.com/WindowsVista/en/library/ab3b2cfc-b177-43ec-8a4d-0bfac62d88961033.mspx
Figure 14. The new at-a-glance resource view screen.

A new Reliability Monitor calculates a System Stability Index that reflects whether unexpected
problems have reduced the reliability of the system. See the Reliability Monitor section below for details.
Unified property configuration for data collection and scheduling consolidates the interface for
creation and modification of Data Collector Sets. Sets that prove useful can be saved or propagated to other
systems for analyzing the performance and reliability of user populations.
A new reporting interface, largely based on the Server Performance Advisor in Windows Server 2003,
is more flexible and thorough, allowing reports to be quickly generated from any Data Collector Set.
Vista also includes preconfigured performance and diagnosis reports for quick analysis and
troubleshooting.

Performance Monitor
The performance monitoring tools in Vista combine multiple Windows XP utilities (Performance Logs
and Alerts, Server Performance Advisor, Performance Monitor, and System Monitor) and wrap them in
the new standard MMC GUI. Using the Performance Monitor, administrators can monitor nearly every
aspect of system performance and present the information graphically or in report format.
The Performance Monitor is a component of the Windows Performance Diagnostic Console, a snap-in for
the MMC (Figure 15). The console displays real-time information and supports alerts, automatic actions,
and report generation. It can also be used to recall historical data.

Figure 15. A sample of the Vista Performance monitor.

Configuring the performance monitor to sample selected metrics is a drag-and-drop interface. Multiple
metrics can be combined and saved as custom data collector sets, which can be recalled at any time.

Reliability Monitor
The Reliability Monitor offers a graph of the system’s stability over time, and generates a “stability index”
that quickly quantifies the overall reliability of the system, its software, and applications (Figure 16).
The user can quickly zoom in on any day or event and generate a snapshot stability report, which
provides details on the incident.
For example, a user can view a graphical log of changes to the system (installation or removal of
applications or updates to the operating system) side by side with a similar log of failures (application,
operating system, or hardware failures). The comparison helps quickly pinpoint events that lead to
reliability issues.

Figure 16. A view of the reliability monitor snap-in to the MMC.

Feature Assessment
We will wrap up this chapter with an admittedly subjective assessment of the impact the features
discussed in this chapter might have on a typical enterprise. For this assessment, we will assume a
hypothetical enterprise environment, specifically:

• Desktops are centrally managed, either with Microsoft’s Group Policy infrastructure, some sort of
enterprise desktop management tool such as ScriptLogic’s Desktop Authority, or a combination of both.
• Most desktop users have a fairly static environment, a collection of corporate and third-party
applications, and are continuously connected to the corporate network.
• The enterprise has a moderate number of mobile users that move about within the enterprise, with a
subset that travels worldwide.

For each of the features described in the preceding sections, we assess the feature’s impact on the
bottom line, that is, the return on the investment in upgrading the desktop to Windows Vista.

Table 6. An assessment of Vista’s new features on enterprise productivity.
[Each feature is rated for impact on productivity/usefulness as -, neutral, or +; the rating marks did not
survive extraction, so only the feature names and comments are reproduced.]

Security

Security Development Lifecycle
  The improved development methodologies won’t have a direct impact on productivity; however, in the
  long run SDL should produce higher-quality code.

Windows Services Hardening
  Hardening should go a long way in reducing malware-induced incidents; we expect a substantial
  impact. This could be offset by its effects on certain applications.

User Account Control
  The reduced privilege level of users should reduce malware-induced incidents; however, this could be
  offset by the sheer annoyance of UAC, and by its effects on applications that assumed administrator
  privileges.

Windows Defender
  Defender will probably not have a substantial impact on an enterprise since most environments
  already employ a third-party anti-spyware product.

Network Access Protection
  Properly implemented, NAP will improve overall security. However, we will have to wait for Vista
  Server “Longhorn” for implementation.

Data Protection and Encryption
  Data protection features, especially on mobile systems, should dramatically improve data security
  and reduce lawsuits.

Other Security Enhancements
  The miscellaneous security enhancements described in this chapter should benefit overall security.

Networking

New TCP/IP Stack
  The new TCP/IP stack won’t be outwardly noticeable, but should help migration to IPv6, improve
  performance, and improve mobility and security for mobile users.

Simpler connectivity
  For most administrators, simpler connectivity shouldn’t have much of an impact.

Higher security
  Higher security networking will be beneficial for mobile users.

Improved Manageability
  Manageability options, especially new Group Policy settings, will provide administrators with
  additional control options.
Table 6. An assessment of Vista’s new features on enterprise productivity (continued)

Management and Control

Microsoft Management Console (MMC)
  The new MMC provides a consistent interface; however, most administrators are familiar with the old
  ones.

Windows Eventing Architecture
  The new Eventing Architecture will provide administrators with additional information when
  diagnosing performance or application problems.

Increased Automation
  Much-needed improvements to task scheduling will open up new ways of automating today’s manual
  chores.

New Group Policy Management
  For administrators that use GP, the new settings will provide additional ways of managing desktops;
  however, sorting through the 800-odd new settings will require research.

Reliability and Performance Monitoring
  The new reliability and performance monitoring tools will provide administrators with additional
  information when diagnosing performance or application problems.

Summary
In contrast to the user-visible features reviewed in Chapter 1, it is our opinion that the core improvements
covered in this chapter have more of an impact on an enterprise. As might be expected, improvements in
security, networking, and management tools should substantially improve an IT manager’s life.
Features of particular note are Network Access Protection (once “Longhorn” is available and an
enterprise is able to implement it), increased automation, and improved networking for mobile users.
Group Policy improvements also enhance an administrator’s control over a large population of desktops,
improving security and ostensibly reducing user incidents.
That said, the deployment of Vista, and related activities, are not for the faint of heart, as we shall see in
the next chapter, “Preparing for Vista Deployment.”

Chapter 3
Preparing and Planning for Deployment

Introduction
In previous chapters we’ve reviewed the new features in Microsoft® Windows® Vista™, and provided a
cursory analysis of the benefits of each feature. In this chapter, we will make a “plan for a plan,” that is,
discuss what it will take to migrate to Vista and what the process might look like.
While the benefits of implementing Vista might be obvious to an IT manager, it is probably not obvious
to the end user or mid-level manager. In fact, just the opposite—any change is regarded as disruptive and
looked upon with suspicion and trepidation. For that reason it is imperative to create and manage a
detailed plan, train and inform clients, and maintain constant communication to the affected population.
Much of the migration to Vista involves analyzing and inventorying the installed base (both hardware
and software components), and determining impacts on the enterprise infrastructure. An additional, and
non-trivial, aspect is taking inventory of applications and determining their readiness for the new
operating environment. Lastly, we must not forget preparing end users for the change—educating them,
garnering buy-in, and generating enthusiasm for the change.
Tell me again: why are we doing this?
Let’s begin our plan with the obvious: the business case for doing a lot of work, spending a lot of money,
and potentially disturbing the user base. Every situation will be different, but Vista provides
improvements in many areas, including the benefits outlined below (straight from Microsoft²⁰).

IT Department Benefits
• Reduced Security Mgmt
• Reduced Information Theft
• PC Recycling
• Automated Desktop Management
• Reduced Help Desk Support
• Reduced Image Management
• Third-Party Application Savings

20 http://www.microsoft.com/technet/desktopdeployment/bdd/2007/WdBusCase_9.mspx
Business Benefits
• Performance and Reliability
• Computer Failures
• Power Management
• Application Responsiveness
• Information Management

Of course, all of these benefits are offset by the time, cost, and effort required to deploy a new operating
system. Thus, the first step in our plan is to develop a business case. The business case will help garner
the crucial buy-in from management, as well as provide insight into the scope of the project.
At a minimum, the business case should develop a clear-cut and easily expressed reason for the new
deployment. For example, “Substantially improve productivity, security, and maintainability of enterprise
desktops by standardizing on the Windows Vista operating environment.” The business case will quantify
what is meant by “substantially improve,” as well as outline project scope and objectives, costs, risks,
and schedule. Microsoft provides an in-depth example case study with the Solution Accelerator for
Business Desktop Deployment (BDD) 2007 toolkit. For our purposes, a successful plan is one where the
right things (and no more) were at the right place at the right time.

Planning Methodology
Microsoft recommends using BDD 2007 for planning, building, testing, and deployment of Vista (See
Figure 17). BDD 2007 is a downloadable collection of sample templates, technology files (such as scripts
and configuration files), and a case study. It also documents software that must be downloaded from
Microsoft to assist in Vista deployment. BDD assumes a Microsoft Windows Server® 2003 or Windows
Server (“Longhorn”) server domain.
Figure 17. Microsoft’s Business Desktop Deployment (BDD) model²¹

Generally, other tools will be used to complement BDD, including Microsoft’s Systems Management
Server (SMS), the Windows User State Migration Tool (USMT), and/or third-party products. While it is
obviously not necessary to employ BDD, we will use its model as the basis for developing our Vista
deployment plan²².
Microsoft breaks the project tasks into cross-organizational teams that are responsible for individual parts
of the overall project; however, each team is responsible for all phases of the project, including planning,
development, stabilization, and deployment.

21 http://www.microsoft.com/technet/desktopdeployment/bdd/2007/default.mspx
22 We use BDD as a model only loosely; for brevity, some of Microsoft’s recommended tasks are omitted in this document.
The cross-organizational teams recommended by Microsoft, and used here as a template for planning, are:
• Application Compatibility
• Application Management/Deployment
• Define Computer Imaging System
• Deployment Planning
• Infrastructure Remediation (Preparation)
• Operations Readiness
• Security Assessment
• Testing
• User State Migration
Since these planning activities are somewhat independent, they are presented (and can generally be
executed) in no particular order. Staffing requirements and availability will dictate the scheduling of each
activity.
Application Compatibility
Application compatibility is one of the most important challenges faced by organizations when deploying
new operating systems. An organization is typically supported by hundreds or thousands of in-house and
third-party applications, many of which are critical to the conduct of the business. These applications can
be categorized as:
• Core line-of-business applications, such as Enterprise Resource Planning, accounting, and customer
relationship management applications. Further, these applications are generally supported by some kind
of database management system(s).
• Desktop applications such as office productivity suites and other third-party suites like Adobe
Photoshop and the like.
• Administrative tools, such as antivirus, file management, and backup/restore utilities.
• Custom tools such as logon scripts.
Some of the interactions between applications and the operating system have changed with Windows
Vista; these changes can result in behaviors from not executing at all to running but producing incorrect
results. To help plan and manage the migration to Vista, Microsoft provides the Application
Compatibility Toolkit (ACT).

Figure 18. The Microsoft Application Compatibility Toolkit (ACT) process

ACT is a comprehensive tool that allows administrators to deploy “compatibility evaluator” agents to the
client desktops to collect information on applications’ compatibility, analyze the information, and
manage test results (Figure 18). Administrators can select different agents, depending upon the type of
information desired:
• Inventory Collector: Examines client computers to identify the installed applications and system
information.
• User Account Control Compatibility Evaluator (UACCE): Identifies potential compatibility issues that
are due to permission restrictions enforced by User Account Control (UAC). UACCE both reports
potential application permission issues and suggests ways to fix them.
• Update Compatibility Evaluator (UCE): Provides insight and guidance about the potential effects of
a Windows operating system security update on installed applications. The compatibility evaluator
collects information about the modules loaded, the files opened, and the registry entries accessed by the
applications currently running on the computers and writes that information to log files that are
uploaded to the ACT database.
• Internet Explorer Compatibility Evaluator (IECE): Enables identification of potential Web
application and Web site issues that occur due to the release of a new operating system. IECE works by
enabling compatibility logging in Internet Explorer, parsing logged issues, and creating a log file for
uploading to the ACT Log Processing Service.
• Windows Vista Compatibility Evaluator: Enables identification of issues that relate to the Graphical
Identification and Authentication (GINA) DLLs, to services running in Session 0 in a production
environment, and to any application components made obsolete by changes in the Windows Vista
operating system (Figure 19).

Figure 19. Sample ACT client analysis for Windows Vista Compatibility

ACT allows administrators to maintain an application inventory, test and assess applications, and log
results in a sharable database.
Application Management/Deployment
Once applications have been inventoried, the next step is to determine priorities and deployment
mechanisms. Microsoft recommends23:
Identify core and supplemental applications. An enterprise environment typically requires multiple
applications to be deployed to different computers. Some applications, such as office productivity
applications, may be required on the majority of the computers. Others may be required on a small set of
computers. Applications should be categorized as core or supplemental. Core applications, such as
Microsoft Office programs, are built into the client computer images that organizations deploy so that all
users in the organization have the application. Supplemental applications, such as line-of-business
applications, are installed on a user-by-user basis as necessary.
Understand packaging techniques. Understand the different ways an application can be packaged for
deployment and whether the package can be incorporated in the base operating system image.
Inventory applications. Identify all applications that must be packaged for deployment before starting
to create packages.
Prioritize applications. After applications have been identified, prioritize them and create packages
based on the established priority.

23 From the BDD 2007 documentation.

Identify application subject matter experts (SMEs). The deployment team may not be aware of all the
intricacies of the various applications that will be deployed in the enterprise architecture. SMEs for the
different applications can help the team understand installation and migration needs for the applications.
Additionally, SMEs can help develop end-user training materials to help users adapt to any changes that
influence them.
Identify files and settings. Different applications may contain settings that must be implemented or
migrated. SMEs can help with the identification of such settings and files that may be necessary for
deploying the applications.
Choose distribution techniques. Determine and document how to distribute enterprise applications.
Define Computer Imaging System
A specific solution is recommended for imaging the operating systems and the core applications that are
part of a standard desktop. The solution should be modular to allow team members to separately manage
each system component. The advantage of the modular approach is that when changes occur, team
members do not have to re-engineer the entire process. The solution should also provide the tools and
scripts to install, configure, and customize the Windows platforms and incorporate device drivers and
updates.
Choosing an Image Strategy
Most organizations strive for a standard desktop configuration based on a common image for each
operating system version. Of course, a single image is rarely attainable; however, it is a worthy goal to
minimize the number of images. The tradeoff between many specialized images and fewer general-purpose
images involves development, testing, storage, and networking costs. Microsoft suggests
categorizing images by size and complexity of deployment24:
Thick Image. Thick images are monolithic images that contain core applications, language packs, and
other files. Part of the image development process is installing core applications and language packs
prior to capturing the disk image. Thick images are simpler to create, because the image contains all core
applications and language packs and can be deployed in a single (albeit large) step.
The main disadvantage of thick images is increased cost. For example, updating a thick image with a new
version of an application or a language pack requires rebuilding, retesting, and redistributing the entire
image.
Thin Image. Thin images contain few core applications and/or language packs; these will be installed
separately from the OS disk image. There are several advantages to thin images, including less cost to
build, maintain, and test, and lower bandwidth requirements during deployment.
The primary disadvantages of thin images are that they can be more complex to develop initially, and
core applications and language packs are not available on first start.

24 From BDD 2007 documentation, “Computer Imaging System Feature Team Guide.doc”

Hybrid Image. As the name implies, a hybrid image mixes thin and thick strategies. In a hybrid image,
the disk image is configured to install applications and language packs on first run, giving the illusion of
a thick image, but the applications and language packs are installed from a network source. Hybrid images
have most of the advantages of thin images; however, they are not quite as complex to develop. They do
require longer installation times, which can raise initial deployment costs.

Deployment Planning
Deployment planning involves examining the existing production environment and deciding how to
approach deployment. Considerations include determining the deployment scenario and deployment
methods, ensuring the required infrastructure is in place, and establishing a monitoring and feedback
mechanism.
High-level steps in the Deployment Planning phase include those described below.
Select the appropriate deployment scenarios.
Different deployment scenarios are used depending upon each desktop’s current state and the deployment
method (Table 7). The deployment scenario is logged with all of the other information collected during
the client population inventory.
Table 7. Deployment scenarios depending upon current system state.25

New Computer. A new installation of Windows is deployed to a new computer. This scenario assumes that
there is no user data or profile to preserve.
User state migrated: No. Uses existing client computer: No. File system preserved: No.

Upgrade Computer. The current Windows operating system on the target computer is upgraded to the new
operating system. The existing user state migration data, user profile, and applications are retained (as
supported by the new operating system).
User state migrated: Yes. Uses existing client computer: Yes. File system preserved: Yes.

Refresh Computer. A computer currently running a supported Windows operating system is refreshed. This
scenario includes computers that must be re-imaged for image standardization or to address a problem.
This scenario assumes that the team is preserving the existing user state data on the computer.
User state migrated: Yes. Uses existing client computer: Yes. File system preserved: No.

Replace Computer. A computer currently running a supported Windows operating system is replaced with
another computer. The existing user state migration data is saved from the original computer. Then, a new
installation of Windows is deployed to a new computer. Finally, the user state data is restored to the new
computer.
User state migrated: Yes. Uses existing client computer: No. File system preserved: No.

25 Microsoft, “Deployment Feature Team Guide.doc”

Ensure that the required infrastructure exists.


Deployment planning also includes determining if the required infrastructure exists for the upgrade or
replacement. This includes storage requirements for deployment images, user state migration, backups,
and deployment logs. (Deployment logs can be centrally located if sufficient network bandwidth exists
to/from the target systems).
Similarly, each deployment point needs access to the application and operating system source files to be
used in the deployment process. These can be located on either a common network shared folder that is
accessible to all servers hosting the deployment points, or individual servers hosting deployment points.
Determine the monitoring plan.
Obviously, progress should be monitored and packaged for management review. Teams can use tools
such as Microsoft Systems Management Server (SMS) 2003, Microsoft Operations Manager (MOM)
2005, and the BDD 2007 Management Pack for MOM 2005.
Infrastructure Remediation (Preparation)
Examining and preparing the infrastructure (systems, networking, etc.) is a key activity in planning the
Vista deployment. The first step of this planning element is critical to the entire project—accurately
describing the physical location of assets, performing an inventory of systems and software, and
determining infrastructure changes to execute the deployment plan. Assessments from this phase of
planning are provided to other phases, especially deployment planning (above).
Gather and Analyze Infrastructure Inventories
The information gathering phase of defining the infrastructure produces a geographical description of the
business, inventories of hardware and software, and network infrastructure. The ultimate purpose of all
of this information is to create an analysis document that will become the basis for recommendations to
infrastructure changes. At a minimum, the inventory should produce:
• The number of computers being deployed
• The number of computers requiring upgrades to existing hardware
• The number of computers that must be replaced before the new Vista image is deployed
Inventory data collection can use the Application Compatibility Toolkit (ACT), as discussed in the
section “Application Compatibility” above.
Analysis of the inventory should be combined with the Application inventory taken in the Application
Management activity; the combination of the two will produce data required to determine infrastructure
modifications.

Propose Infrastructure Modifications


The inventory analysis determines the scope of the deployment itself, along with suggested modifications
to the infrastructure. These modifications can include hardware upgrade/replacement, and/or
modifications to the network infrastructure.
Additional organizational changes should also be considered, including preparing the IT organization for
increased service calls (perhaps even a dedicated staff to handle migration issues) and examining the
risks and remedies that might (indeed will) be encountered during deployment.
Security Planning
Given the benefits that Vista provides in the security arena, security planning occupies a large part of the
overall planning budget. As we’ve seen in previous chapters, Vista provides extensive security technology;
each of these technologies should be tested for its applicability to each desktop (or group of desktops)
in an enterprise. At a minimum (and not a trivial task), a risk assessment must be made for each desktop
that weighs increased security against possibly reduced functionality and/or user efficiency.
The easiest method to approach security planning is to assume a default baseline configuration, and make
adjustments to the baseline as exceptions. Microsoft BDD 2007 provides three baseline configurations26:
Default Configuration. In this grouping, the Windows image is essentially unchanged. It is configured
with the same features and security settings that are provided when Windows is installed from the
original media.
Enterprise Client. In this grouping, security policies are applied that are more restrictive than the default
Windows configuration; these policies are targeted at a typical corporate enterprise computer. Generally,
these settings best suit most enterprise users.
Specialized Security–Limited Functionality (SSLF). In this grouping, security policies are applied that
are the most restrictive of the three options. This option focuses on securing the computer and requires
significant compromises; while security is increased, engineering time will be increased and usability
will be decreased.
System Security Settings
There are literally thousands of different settings that can be changed that will affect the security of an
individual desktop. These settings can be managed in a number of ways, including the use of Group
Policies in an Active Directory domain, third-party software such as ScriptLogic’s Desktop Authority, or
(more commonly) a combination of both.
Administrators should review required system security settings for a variety of categories (Table 8).
Changes should be carefully weighed, and described in the security plan as differences from the baseline
security configuration.
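As an added example for this guide (not part of the BDD 2007 toolkit or any ScriptLogic product), the script below treats the baseline as the output of `secedit /export` and records every proposed change as an exception from it, classifying password, audit and user-rights changes as relaxing or tightening the baseline. The INF contents are constructed samples; the only real identifiers are the well-known Administrators (S-1-5-32-544) and Users (S-1-5-32-545) group SIDs.

```python
"""Record a proposed Vista desktop's security settings as exceptions from a baseline.

Inputs use the INF layout written by 'secedit /export /cfg <file>' ([System Access],
[Event Audit], [Privilege Rights], ...). The INF text below is a constructed sample.
"""
import configparser
from typing import Dict, List, NamedTuple

BASELINE_INF = """\
[System Access]
MinimumPasswordAge = 1
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
[Event Audit]
AuditLogonEvents = 3
AuditPrivilegeUse = 2
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
"""

# Constructed: the same desktop after settings were loosened so a legacy application runs.
PROPOSED_INF = (BASELINE_INF
                .replace("MinimumPasswordLength = 8", "MinimumPasswordLength = 6")
                .replace("AuditLogonEvents = 3", "AuditLogonEvents = 1")    # failure auditing dropped
                .replace("AuditPrivilegeUse = 2", "AuditPrivilegeUse = 3")  # success auditing added
                .replace("SeDebugPrivilege = *S-1-5-32-544",
                         "SeDebugPrivilege = *S-1-5-32-544,*S-1-5-32-545")  # Users may now debug
                .replace("SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545",
                         "SeShutdownPrivilege = *S-1-5-32-544"))            # Users may no longer shut down

# [System Access] settings for which a larger number is the stricter policy.
HIGHER_IS_STRICTER = {"MinimumPasswordLength", "PasswordHistorySize", "PasswordComplexity", "MinimumPasswordAge"}
AUDIT_BITS = {1: "success", 2: "failure"}   # [Event Audit] values are bit masks (3 = both)


class Deviation(NamedTuple):
    section: str
    setting: str
    baseline: str
    proposed: str
    verdict: str    # "relaxed", "tightened", or "changed" (needs manual review)
    note: str


def parse_inf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a secedit export into {section: {setting: value}}, keeping setting-name case."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def _sids(value: str) -> set:
    return {s.strip() for s in value.split(",") if s.strip()}


def judge(section: str, setting: str, old: str, new: str) -> Deviation:
    """Classify one differing setting as relaxing or tightening the baseline."""
    if section == "Privilege Rights":
        added, removed = _sids(new) - _sids(old), _sids(old) - _sids(new)
        if added and not removed:
            return Deviation(section, setting, old, new, "relaxed",
                             "right granted to " + ", ".join(sorted(added)))
        if removed and not added:
            return Deviation(section, setting, old, new, "tightened",
                             "right withdrawn from " + ", ".join(sorted(removed)))
    elif section == "Event Audit" and old.isdigit() and new.isdigit():
        o, n = int(old), int(new)
        dropped = [name for bit, name in AUDIT_BITS.items() if o & bit and not n & bit]
        gained = [name for bit, name in AUDIT_BITS.items() if n & bit and not o & bit]
        if dropped and not gained:
            return Deviation(section, setting, old, new, "relaxed", "no longer auditing " + "/".join(dropped))
        if gained and not dropped:
            return Deviation(section, setting, old, new, "tightened", "now auditing " + "/".join(gained))
    elif setting in HIGHER_IS_STRICTER and old.isdigit() and new.isdigit():
        verdict = "relaxed" if int(new) < int(old) else "tightened"
        return Deviation(section, setting, old, new, verdict, "numeric policy value")
    return Deviation(section, setting, old, new, "changed", "review manually")


def deviations(baseline_text: str, proposed_text: str) -> List[Deviation]:
    """Every setting whose proposed value differs from the baseline, classified."""
    base, prop = parse_inf(baseline_text), parse_inf(proposed_text)
    found = []
    for section in sorted((set(base) | set(prop)) - {"Unicode", "Version"}):
        b_sec, p_sec = base.get(section, {}), prop.get(section, {})
        for setting in sorted(set(b_sec) | set(p_sec)):
            old, new = b_sec.get(setting), p_sec.get(setting)
            if old is None or new is None:
                found.append(Deviation(section, setting, str(old), str(new), "changed",
                                       "setting present on one side only"))
            elif old != new:
                found.append(judge(section, setting, old, new))
    return found


if __name__ == "__main__":
    # Each line is one entry for the security plan's list of exceptions from the baseline.
    for d in deviations(BASELINE_INF, PROPOSED_INF):
        print(f"{d.verdict:9} [{d.section}] {d.setting}: {d.baseline} -> {d.proposed} ({d.note})")
```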

26 Adapted from BDD 2007 Documentation, “Security Feature Team Guide,” p. 19


Table 8. Security settings and considerations when planning for deployment.27

User Accounts. The Windows operating system includes several default user accounts. Care should be used
if additional accounts are added.

Group Memberships and Limited Users. Vista includes multiple built-in groups, and different users can be
made members of different groups. Some groups (e.g., Administrators) have elevated security privileges;
care must be taken in assigning users to these groups. Pay particular attention to elevating security levels
just to run legacy applications which made the assumption that all users executing the application would
have administrator rights (see User Account Control in Chapter 2 for additional information on UAC).

Password Settings. Passwords are the most popular authentication mechanism for desktops. Administrators
may want to change password requirement properties, including password length, complexity, and
frequency of change.

File Permissions. Generally, Vista’s default file permissions are sufficient to provide a level of security
without limiting users’ functionality or ease-of-use. However, some legacy applications may make
assumptions about file permissions; see the information on User Account Control and the Application
Compatibility Toolkit (ACT) in Chapter 2.

Registry Permissions. The system’s registry is a critical repository of operating system and application
configuration information. Similar to password settings and file permissions, care must be used in granting
access to the registry, especially just to allow a legacy application to execute.

Service Permissions. Services executing in the background traditionally (under Windows XP) had elevated
permission levels; Windows Vista dramatically changed this model by running services with minimal
privileges by default. See Chapter 2 for additional information on Services.

Event Log and Auditing Settings. While the default settings for Event Logging and Auditing are generally
sufficient, security planners might want to employ third-party software that analyzes these logs to
provide intrusion detection capabilities.

User Rights Settings. User Rights describe what actions users are allowed to take (e.g., program
debugging, system profiling, system shutdown). Planners will need to consider changing user rights for
some selected users, especially application development users.

Other Security Options. There are a myriad of additional security options. Often the default settings will
suffice; however, each situation should be reviewed and documented to ensure that security settings are
not changed “on the fly,” potentially opening a security loophole that goes undetected.

Planning User Account Control


User Account Control (Chapter 2) has the potential to change the way a legacy application executes,
largely because the application no longer has write access to protected system locations (e.g., the registry).
Planners should work with application compatibility testers to ensure the proper UAC security settings
are enabled for users who will be running such applications.
Planning Windows Firewall
Vista made some significant changes to the firewall functionality, notably blocking some outbound
communications (see Chapter 2). The effect of this change may cause some applications to require non-
baseline firewall settings to execute successfully.
One of the mechanisms to help manage the non-baseline settings is firewall profiles (Figure 20). Profiles
allow administrators to create pre-packaged firewall settings and deploy them as necessary. Similarly,
firewall port exceptions may need to be configured to allow communications traffic through the firewall
for applications that make assumptions about network availability. Firewall settings may be managed
through Group Policy objects or on individual systems via the Windows Firewall MMC Snap-in.
27 Adapted from BDD 2007 Documentation, “Security Feature Team Guide,” pp. 20-25

Figure 20. Sample profile settings for Windows Firewall

Planning Data Encryption


Vista provides three methods of protecting data through encryption (RMS, EFS, and BitLocker Drive
Encryption; see Chapter 2 for additional information). Planners must work with management to
determine data sensitivity, where the data resides, and the type of encryption that is applicable.
Sometimes the need for encryption may not be obvious; even if the data on a lost or stolen computer is
not sensitive in itself, it could provide information that would allow access to an enterprise network that
does contain sensitive data. Table 9 shows the data security scenarios that each technology supports.
Table 9. Data encryption and security scenarios28
Scenario RMS EFS BitLocker
Remote document policy enforcement 
Protect content in transit 
Protect content during collaboration 
Local multi-user file and folder protection 
Remote file and folder protection 
Untrusted network administration 
Portable computer protection 
Branch office computers 
Local single-user file and folder protection 

28 From Microsoft Vista BDD 2007 Documentation, “Security Feature Team Guide.”

Restricting the Use of Removable Storage Devices


The myriad of portable storage media available today makes it essential for corporations to prohibit or
monitor the use of certain devices on the company network. Such devices allow confidential data to be
copied easily to any portable device, viruses to be introduced to the network and spread corporate-wide,
and illegal software to be copied onto the company network.
To prevent users from installing such devices on Windows Vista, configure Group Policy settings to
allow or deny installation of specific device IDs or device classes, or to deny installation of removable
devices. Alternatively, third-party tools like ScriptLogic’s Desktop Authority provide extensive tools for
managing removable storage devices.
Planning Windows Defender
Windows Defender helps protect users from spyware and other potentially unwanted software by
detecting and removing known spyware on users’ computers. Defender is most often used in conjunction
with third-party tools as part of a comprehensive anti-spyware solution.
If the decision is made to deploy and activate Windows Defender, Group Policy objects or third-party
software may be used to enable and configure it within the enterprise.
Third-party Security Applications
Most organizations complement Microsoft’s security applications with additional applications for virus
protection and/or backup. Generally, an enterprise will enforce the use of a comprehensive antivirus
solution that gives administrators centralized control over the antivirus configuration and that
automatically updates antivirus signatures. (See http://www.microsoft.com/security/partners/antivirus.asp
for a list of Microsoft partners).
Infrastructure and Deployment Security
Lastly, Vista deployment planning must also cover the security of the deployment itself. Staging areas,
servers, and infrastructure should be examined for enforcement of security policies, both during initial
deployment and during ongoing updates.
Protect Deployment Staging Areas. Staging areas where images are created, updated, and maintained
pose a significant potential vulnerability. Computers in the staging area contain critical information,
including credentials used to automatically authenticate computers during the setup process. Also,
because the staging area contains images that are distributed enterprise-wide, a compromised image can
have a widespread effect and incur very high costs.
Protecting Production Deployment Servers. Similarly, deployment servers must be protected during
deployment. Microsoft recommends protecting deployment servers with physical controls and physically
isolating them29. Microsoft also recommends limiting the services that are running, disallowing remote login
(if possible), and enforcing collaboration such that no single administrator can make critical changes to images.

29 From Microsoft Vista BDD 2007 Documentation, “Security Feature Team Guide.”

Protecting Windows PE and Client Deployment Scripts. If an organization uses the Microsoft
Windows Preinstallation Environment (Windows PE) during the client deployment process, keep
Windows PE updated and thoroughly tested. In addition, consider security when developing Windows PE
scripts: avoid embedding user credentials in clear text, and use file and share permissions to protect the
scripts.
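One way to check a staging folder for the clear-text credential problem just described, written as an added example for this guide rather than taken from the BDD documentation: the audit below scans .cmd/.bat scripts for `net use` commands with an inline password, and unattend.xml files for passwords stored with `<PlainText>true</PlainText>` or inside a domain-join `<Credentials>` block. The staging tree, share names, accounts and passwords are all constructed samples written to a temporary directory.

```python
"""Audit a deployment staging folder for credentials left in clear text.

Checks two patterns: passwords typed inline in 'net use' commands in .cmd/.bat scripts,
and unattend.xml passwords stored with <PlainText>true</PlainText> or inside a domain-join
<Credentials> block. Every file below is a constructed sample, not a real deployment script.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET
from typing import List, Tuple

# net use [drive:] \\server\share [password | *] [/user:...]  -> group 2 is the token after the UNC path
NET_USE = re.compile(r"^\s*net\s+use\s+(?:[A-Za-z*]:\s+)?(\\\\\S+)\s+(\S+)", re.IGNORECASE)

SAMPLE_FILES = {
    # Constructed: maps the image share with the service account password on the command line.
    "mount.cmd": "@echo off\r\n"
                 "net use Z: \\\\deploy01\\images S3cret!Pass /user:CORP\\svc_deploy\r\n"
                 "net use Y: \\\\deploy01\\logs * /user:CORP\\svc_deploy\r\n",
    # Constructed: no password on the command line (prompted for, or the logged-on identity is used).
    "safe.cmd": "net use W: \\\\deploy01\\tools /user:CORP\\svc_deploy\r\n",
    # Constructed unattend.xml fragment with a clear-text local administrator and domain-join password.
    "unattend.xml": """\
<?xml version="1.0"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <UserAccounts>
        <AdministratorPassword>
          <Value>ExamplePass1</Value>
          <PlainText>true</PlainText>
        </AdministratorPassword>
      </UserAccounts>
    </component>
  </settings>
  <settings pass="specialize">
    <component name="Microsoft-Windows-UnattendedJoin">
      <Identification>
        <Credentials>
          <Domain>CORP</Domain>
          <Password>JoinPass2</Password>
          <Username>svc_join</Username>
        </Credentials>
      </Identification>
    </component>
  </settings>
</unattend>
""",
}


def scan_script(text: str) -> List[str]:
    """Report 'net use' lines whose password is on the command line (not '*' and not an option)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = NET_USE.match(line)
        if m and m.group(2) != "*" and not m.group(2).startswith("/"):
            # Report where the secret is, never the secret itself.
            findings.append(f"line {lineno}: 'net use' to {m.group(1)} carries an inline password")
    return findings


def scan_unattend(xml_text: str) -> List[str]:
    """Report password elements stored in clear text in an unattend.xml document."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        name = elem.tag.split("}")[-1]          # strip the unattend namespace
        for child in elem:
            cname = child.tag.split("}")[-1]
            ctext = (child.text or "").strip()
            if cname == "PlainText" and ctext.lower() == "true":
                findings.append(f"<{name}> is stored with <PlainText>true</PlainText>")
            elif name == "Credentials" and cname == "Password" and ctext:
                findings.append("<Credentials><Password> for the unattended domain join is clear text")
    return findings


def audit_staging(root_dir: str) -> List[Tuple[str, str]]:
    """Walk a staging tree and return (relative path, finding) pairs."""
    results = []
    for dirpath, _, files in os.walk(root_dir):
        for fname in sorted(files):
            path = os.path.join(dirpath, fname)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            lower = fname.lower()
            hits = (scan_script(text) if lower.endswith((".cmd", ".bat"))
                    else scan_unattend(text) if lower.endswith(".xml") else [])
            results.extend((os.path.relpath(path, root_dir), h) for h in hits)
    return results


def demo() -> List[Tuple[str, str]]:
    """Write the constructed samples to a temporary staging folder and audit it."""
    with tempfile.TemporaryDirectory() as staging:
        for name, body in SAMPLE_FILES.items():
            with open(os.path.join(staging, name), "w", encoding="utf-8", newline="") as fh:
                fh.write(body)
        return audit_staging(staging)
```

Calling `demo()` returns the three findings for the constructed tree; against a real staging share, point `audit_staging()` at its root.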
Other Infrastructure Security Considerations. Microsoft includes planning on additional security
considerations during deployment; see the Microsoft BDD 2007 documentation for additional
information.
Testing
A large part of a successful deployment is testing target configurations, applications, and security
settings. The testing team should develop an in-depth test plan and use that plan to establish lab
requirements, risks, and schedule. The Microsoft BDD 2007 documentation provides a detailed sample
test plan, as well as a template that follows the BDD 2007 testing methodology. An abbreviated
discussion of the most relevant topics of the test plan follows.30
To keep the scope of the project manageable, it is generally simpler to assume that applications
themselves are tested independently (probably by the vendor). Assuming the application works correctly
reduces testing to those components that are sensitive to the application environment.
Lab Requirements
To accurately test applications, the test plan should specify a lab environment that closely matches the
production environment. The lab environment should reflect software packages, operating system
image(s), and networking components to ensure that application behavior will be consistent after
deployment.
Bug Rating, Reporting, and Tracking
Bug reporting, rating, and tracking will allow problems to be tackled quickly and by the right
development team or SME. Issues should be prioritized and tracked, with periodic reports to the other
deployment teams. The test plan should concisely define these teams and mechanisms for
communicating with them.
Change Control
Change control centralizes management of issues and permits collaboration on changes to infrastructure,
system images, or processes. The test plan should put in place change control procedures to ensure
accurate and timely communication of changes and/or proposed changes.

30 Adapted from BDD 2007 Documentation “Test Feature Team Guide,” pp 14-16

Test Schedules
A big part of the test plan is the testing schedule. Much of the testing depends on other planning
activities, on the types of tests, and on whether tests are done piecemeal (as items are released) or on
complete system images prior to deployment.
The testing schedule should include, at minimum, the following tasks:
• Test environment setup
• Documentation review
• Preparation of high-level test scenarios
• Test case preparation
• Test execution
• Number and duration of testing cycles
Training
Training IT staff and end users plays a critical role in a successful deployment. Planners should develop a
base set of training requirements; from that they should develop a plan that covers the schedule,
training methods, and the materials and resources that will be required.
The IT staff will need training on new deployment methods, security features, and changes in networking
and configuration tools. Training planners should work closely with other deployment team members to
ensure consistency across teams and to minimize impact on the schedule.
At a minimum, users should be trained on the new productivity and security features in Windows Vista.
Additionally, if line-of-business applications have any externally visible changes, training will be
required to avoid surprises after deployment. For example, an enterprise will generally deploy Office
2007 with Vista; users will need training on the new user interface that those applications offer.
Training Requirements
Initial steps in planning training should define the baseline requirements; given the staff and user base,
what are the minimum training requirements for testing, deployment, and ongoing operations?
Application SMEs should be consulted for materials on user visible changes to applications and
enterprise-developed tools.
Training Schedule
Given requirements, planners should develop a schedule that takes into account the user base, deployment
schedule, staff and materials availability, and budget. Certainly, IT staff will be trained first as planning
and testing proceed, with the user base trained in parallel as staff gain experience during testing.

Training Methods
Once requirements and schedule are scoped, the training methods may be determined. Depending upon
the subject matter, there are many methods for training. Microsoft offers extensive training opportunities
(especially for developers). Additionally, there are any number of third-party training organizations that
support multiple delivery methods. Consider the following training methods31:
• Hands-on Training
• Presentations
• Computer-based training (CBT), Web-based training (WBT)
• Handouts
• Certification (identify training requirements that will require certification to demonstrate a specified
level of proficiency).
Materials and Resources
Planners will need to make decisions on the materials and resources required to carry out the training as
it is scoped. Considerations include whether the materials need to be developed or purchased, and timing
for obtaining the materials (make sure they show up on time).
Resources also need to be scheduled, including staff to provide the training, facilities, and budget
requirements. If travel is required, the schedule and budget will need to reflect the appropriate resources.
User State Migration
The user state on a system consists of the user’s preferences (such as screen savers, browser favorites, etc.),
documents, and application data. Retaining this information through an upgrade or system replacement
to Vista is obviously critical to the operation of the enterprise.
Systems that are to be upgraded in-place, using the standard Vista upgrade process, will not need state
migration because the data remains on the system throughout the upgrade. (Of course, it is advisable to
perform a system backup before any upgrade.)
It is expected that in-place upgrades will be the exception, however, and most systems will be upgraded
either through a “wipe and load” (use the same computer, but wipe it clean and load the system image from
scratch), or a “side-by-side” upgrade (where the user’s state is moved to a new system)32. Automating this
process is almost a necessity, since it is time-consuming and error-prone. Microsoft recommends using the
User State Migration Tool (USMT)33, updated to version 3.0 for Windows Vista.
A side note here—preserving users’ states on top of a standard system image (by whatever method)
almost guarantees that the resulting images will not adhere to a standard. Consider third-party tools that
manage enterprise-wide user settings.

31 Adapted from BDD 2007 documentation “Training Plan.doc”


32 “Migrating to Windows Vista Through the User State Migration Tool” at www.microsoft.com
33 Windows Vista technical library at http://technet2.microsoft.com/WindowsVista/en/library/

Application Inventory and Prioritization


As with other aspects of the deployment planning, the first step is to review the application inventory to
determine application migration requirements. Once the list of applications is created, it should be
prioritized to help focus the migration work. Prioritization can be on the importance of the application to
the enterprise, how prevalent an application is in the environment, and/or the complexity of the
application.
Identify Application Files and Settings
For each application, the files and settings that require migration should be documented. The best place
to start is the SME (see the section “Application Management/Deployment”) for that particular
application.
The SME should assist with several key issues34:
• Locating the software media (Often, the SME is the best source of information on where the source
media, such as CDs and floppy disks, can be found.)
• Describing the appropriate configuration, behavior, and usage of the application
• Identifying which data files (if any) must be migrated
• Identifying which preferences or settings (if any) must be migrated
• Identifying any constraints associated with restructuring file locations during the restoration
Carefully document files and settings that need to be migrated as input to the process of creating
migration scripts or USMT configuration files.
Identifying Operating System Settings
Most user preference settings seem trivial, but nothing scares users like logging on and seeing a
different wallpaper image. Even if they understand what happened, they often forget how to recreate their
familiar environment.
Key system settings that should be migrated (for each user on a system) include35:
Appearance. Includes items such as wallpaper, colors, sounds, and the location of the taskbar
Action. Includes items such as key repeat rate, whether double-clicking a folder opens it in a new
window or the same window, and whether users must click or double-click an item to open it
Internet. Includes Internet connection settings and controls how the browser operates; additional items
include home page, favorites or bookmarks, cookies, security settings, and proxy settings

34 BDD 2007 Documentation, “User State Migration Feature Team Guide.doc”


35 BDD 2007 Documentation, “User State Migration Feature Team Guide.doc,” p. 14
Mail. Includes the information required to connect to mail servers, signature files, views, mail rules,
local mail, and contact lists
If USMT is employed, its ScanState process is an automated method of determining which
items will be migrated. As with application state migration, document which of these items will be
moved during the upgrade.
Develop and Test
User state migration plans should be handed off to the testing teams to test the migration scripts. As
mentioned in the Test planning section, testing in an accurate lab setting reduces surprises during
deployment.

Summary
Migrating to Vista could quite possibly be the largest project an IT organization has ever undertaken. If
migration is years away, or will take place over the next few years, it is advisable to be proactive and put
a plan in place. Even if it’s a back-of-the-envelope plan, the organization needs estimated duration,
budget, manpower, and IT resources that will be required.
Microsoft has developed a huge toolset to help with the migration. While many IT organizations may
“roll their own” migration toolset, it wouldn’t hurt to take a look at the Microsoft SMS (Systems
Management Server) 2003, and all of its related tools.
An obvious alternative is the range of third-party tools that are available. If an organization already has a
third-party desktop management toolset in place, check with the vendor(s) to get the details on Vista
migration. For example, ScriptLogic, Altiris, and LANDesk have been working with Vista beta releases
for several years, and their products are already Vista compatible. Most of these vendors offer tools that
allow a proactive approach to deployment—begin planning now for future Vista deployment.
Lastly, because Vista can require extensive infrastructure changes, the tools are only a part of the plan.
Determining when to upgrade is just as important. It is advisable to work with lifecycle management
teams within the organization; upgrading to Vista when a desktop is replaced makes a lot of sense. Resist
the urge to make a wholesale upgrade within the organization—Vista migration is a big enough challenge
without trying to tackle the entire enterprise at once.

Chapter 4
Deployment

Introduction
In previous chapters, we reviewed some of Vista’s improvements to desktop lifecycle management,
especially in the areas of planning and migration. In this chapter we’ll examine the deployment tools
themselves, providing a foundation for the methodologies used to deploy Vista into an enterprise
environment with minimal costs and user disruption.
During the development of Vista, Microsoft addressed one of the more common complaints about
Windows—the lack of deployment tools and technology. In previous versions of Windows, a few basic
rollout concepts were common, but Microsoft provided only rudimentary higher-level mechanisms for
software deployment across an enterprise. Out of necessity, most organizations developed “roll your
own” techniques, or employed third-party software, to deploy new versions of applications and the
operating system. These techniques have been tweaked and tuned over multiple Windows releases, and
generally work quite well in the organizations’ specific environment.
Deployment can take place over days, months, or years; however, a few basic deployment concepts
remain the same. Microsoft developers examined these concepts, and, in an attempt to standardize and
streamline processes, developed sweeping changes to the underlying Windows deployment technologies.
This chapter examines these technologies and evaluates several different rollout scenarios.
Note that this chapter assumes that extensive planning has already taken place (Chapter 3); systems are
inventoried, applications are identified, and a deployment laboratory has been created and sufficiently
equipped for testing.

Vista Deployment Technologies


Microsoft has made a considerable effort to implement a deployment solution that reduces the cost and
complexity of operating system and application deployment. Even though IT professionals will be
tempted to stick with their homemade or third-party techniques, Vista’s completely redesigned
deployment environment warrants a closer look. Of course, nothing takes the place of meticulous and
thorough planning (as described in Chapter 3); the new tools in Vista complement the planning, testing,
and deployment workflow.
Modularization
A typical enterprise environment requires a relatively large number of variations on a core configuration,
including different hardware, language packs, drivers and the like. In past versions of Windows, a
deployment engineer would have to design installation images for each combination of variables,
resulting in a large number of different images and increased complexity and cost of deployment.

In developing Vista, Microsoft took a much more modular approach. Rather than deploying a single
monolithic block of code that accepts different configuration parameters, Vista is based on a relatively
small block of code that contains about 95% of core Vista functionality; additional functionality is
attained by adding code modules. Not only is this a more reliable way to develop code (it tends to isolate
the effects of bugs to a single module), but it also is an effective way to introduce configuration
flexibility.
Modularization (combined with the new Windows Image Format, below) enables a more streamlined
approach to deployment. It also provides a selective customization capability36:
• It is easier to add device drivers, service packs, updates, and languages to a Vista distribution.
• It is easier to customize certain optional Windows Vista components to specific requirements.
• Microsoft can service an individual component without breaking the whole operating system.
• It reduces testing during deployment.
It turns out that even the commercial Vista distribution uses this mechanism—there is only one Vista
core, combined with different modules, to produce the different end-user editions of Vista (see Chapter 1
for information on editions). Similarly, releases of Vista for different languages simply include the
desired language modules when the distribution disk image is created (the Vista core has no reliance on
languages whatsoever).
Windows Image Format (WIM)
The modularization of Vista is complemented by a completely new (to Microsoft) deployment
mechanism that uses a file-based (as opposed to sector-based) imaging format, the Windows Imaging
format (WIM; the file suffix “WIF” was taken, and besides, it just didn’t sound right as a file type for
deploying system images).
Using a file-based imaging format has multiple advantages, including37:
• Hardware-agnostic (only one image is needed as long as the target hardware understands a
standard file system).
• Allows multiple images to be stored in a single file. This is how Microsoft distributes Vista; a
single WIM image file contains multiple Microsoft SKUs (Stock Keeping Unit—in this case
multiple editions) of Vista. It also allows for one of the images to be marked as bootable, allowing
a system to be booted from a disk image contained in a WIM file.
• The WIM image format enables compression and “single instancing,” which reduces the size of
image files significantly. Single instancing allows storage of two or more copies of a file for the
space cost of a single copy. For example, if images 1, 2, and 3 all contain file A, single-instancing
stores a single copy of the file A and points images 1, 2, and 3 to that copy.

36 Based on http://technet.microsoft.com/en-us/windowsvista/aa905119.aspx
37 Largely taken from http://technet.microsoft.com/en-us/windowsvista/aa905070.aspx
• Allows for offline “servicing.” Certain operating system components, patches, and drivers can be
added without creating a new image. For example, to add a patch to a Windows XP image, the
master image needs to be booted, the patch added, then the image prepared again. With Windows
Vista, the image can be serviced offline, without the need to prepare it a second time.
• Allows for a disk image to be installed on a partition of any size (that will hold it); sector-based
images require deployment to a partition that is the same size or larger than the original source
disk.
• Developers have access to WIM image files through an API (“WIMGAPI”), allowing application
installers to become more standardized and deployments more integrated.
• Allows for non-destructive deployment. That is, because the image is filesystem-based, application
of the image does not erase the disk’s existing contents (see below).
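The properties listed above (several images per file, one optionally marked bootable, a compression scheme, an optional integrity table) are all recorded in the fixed 208-byte header at the start of a WIM file. The parser below is an added example, not code from the guide or from Microsoft's WIMGAPI; it decodes that header with the field layout and flag values of the published WIM format and builds a constructed sample header (the GUID and offsets are placeholders, not from a real image) so it runs without an actual install.wim. A deployment engineer can point it at the first 208 bytes of any WIM to confirm how many editions it carries, which index boots, and whether the file carries the integrity table that ImageX's integrity checking relies on:

```python
import struct
import uuid

# Header flag bits from the published WIM file format. Only the bits the
# summary reports are listed.
WIM_FLAG_HEADER_COMPRESSION = 0x00000002
WIM_FLAG_READONLY = 0x00000004
WIM_FLAG_SPANNED = 0x00000008
WIM_FLAG_COMPRESS_XPRESS = 0x00020000
WIM_FLAG_COMPRESS_LZX = 0x00040000

WIM_MAGIC = b"MSWIM\x00\x00\x00"
WIM_HEADER_SIZE = 0xD0  # the fixed header is 208 bytes


def _unpack_reshdr(raw):
    """Decode a 24-byte resource header: 7-byte size, 1-byte flags, u64 offset, u64 original size."""
    return {
        "size": int.from_bytes(raw[0:7], "little"),
        "flags": raw[7],
        "offset": struct.unpack_from("<Q", raw, 8)[0],
        "original_size": struct.unpack_from("<Q", raw, 16)[0],
    }


def _pack_reshdr(size, offset, original_size, flags=0):
    """Inverse of _unpack_reshdr; used only to build the constructed sample below."""
    return size.to_bytes(7, "little") + bytes([flags]) + struct.pack("<QQ", offset, original_size)


def parse_wim_header(data):
    """Parse the fixed WIM header and summarize the fields a deployment engineer cares about."""
    if len(data) < WIM_HEADER_SIZE:
        raise ValueError("truncated WIM header")
    if data[:8] != WIM_MAGIC:
        raise ValueError("not a WIM file (bad magic)")
    header_size, version, flags, chunk_size = struct.unpack_from("<IIII", data, 8)
    if header_size != WIM_HEADER_SIZE:
        raise ValueError("unexpected header size %#x" % header_size)
    guid = uuid.UUID(bytes_le=bytes(data[24:40]))
    part_number, total_parts, image_count = struct.unpack_from("<HHI", data, 40)
    lookup_table = _unpack_reshdr(data[48:72])    # SHA-1 keyed table behind single instancing
    xml_data = _unpack_reshdr(data[72:96])        # per-image descriptions (names, sizes)
    _boot_metadata = _unpack_reshdr(data[96:120])
    boot_index = struct.unpack_from("<I", data, 120)[0]
    integrity = _unpack_reshdr(data[124:148])

    if flags & WIM_FLAG_COMPRESS_LZX:
        compression = "LZX"
    elif flags & WIM_FLAG_COMPRESS_XPRESS:
        compression = "XPRESS"
    elif flags & WIM_FLAG_HEADER_COMPRESSION:
        compression = "unknown"
    else:
        compression = "none"

    return {
        "version": version,
        "guid": str(guid),
        "compression": compression,
        "chunk_size": chunk_size,
        "read_only": bool(flags & WIM_FLAG_READONLY),
        "spanned": bool(flags & WIM_FLAG_SPANNED),
        "part": (part_number, total_parts),
        "image_count": image_count,
        # dwBootIndex is 1-based; 0 means no image in the file is marked bootable.
        "boot_index": boot_index,
        "bootable": boot_index != 0,
        "lookup_table_offset": lookup_table["offset"],
        "xml_data_offset": xml_data["offset"],
        "xml_data_size": xml_data["original_size"],
        # An empty integrity resource means there is no hash table to verify the
        # file against; such an image cannot be integrity-checked before deployment.
        "has_integrity_table": integrity["size"] != 0,
    }


def build_sample_header(image_count, boot_index, lzx=True, with_integrity=True):
    """Construct a synthetic 208-byte header for demonstration (not taken from a real image)."""
    flags = WIM_FLAG_HEADER_COMPRESSION
    flags |= WIM_FLAG_COMPRESS_LZX if lzx else WIM_FLAG_COMPRESS_XPRESS
    integrity_size = 0x100 if with_integrity else 0
    hdr = WIM_MAGIC
    hdr += struct.pack("<IIII", WIM_HEADER_SIZE, 0x10D00, flags, 0x8000)
    hdr += uuid.UUID("12345678-1234-5678-1234-567812345678").bytes_le  # placeholder GUID
    hdr += struct.pack("<HHI", 1, 1, image_count)
    hdr += _pack_reshdr(0x1200, 0x10000, 0x1200)   # lookup table (placeholder offsets)
    hdr += _pack_reshdr(0x400, 0x11200, 0x800)     # XML data
    hdr += _pack_reshdr(0, 0, 0)                   # boot metadata, unused here
    hdr += struct.pack("<I", boot_index)
    hdr += _pack_reshdr(integrity_size, 0x11600, integrity_size)
    hdr += bytes(60)                               # reserved
    assert len(hdr) == WIM_HEADER_SIZE
    return hdr


if __name__ == "__main__":
    for key, value in parse_wim_header(build_sample_header(3, 2)).items():
        print("%-22s %s" % (key, value))
```

To inspect a real file, read its first 208 bytes (`open(path, "rb").read(208)`) and pass them to `parse_wim_header`. The lookup-table and XML offsets it returns are where the per-image metadata lives; the header alone does not reveal edition names, so a complete tool would next read the XML resource at `xml_data_offset`.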
Management of WIM files is performed through a set of tools provided by Microsoft in the Windows
Automated Installation Kit (WAIK). The WAIK contains a collection of tools, including:
• ImageX—a command-line tool that captures and modifies WIM-based disk images.
• Windows Preinstallation Environment (WinPE)—a miniature, bootable version of Vista that can
exist in RAM and bootstrap the Vista install process.
• Windows System Image Manager—a tool that builds answer files, which Windows Setup uses to
apply custom settings for hands-off Vista installs.
• Windows Deployment Services (WDS)—a new tool that replaces the Microsoft Remote
Installation Services (RIS) in previous versions of Windows. WDS provides for the storage,
management, and deployment of images.
The WAIK toolset is discussed in greater detail in a following section.
Nondestructive imaging
Vista’s modularity and file-based imaging change the way systems are upgraded in place. Instead of
upgrades in which registry settings and partial files are replaced and edited (a tricky business), Vista is
always cleanly installed. After the install, data, settings, and applications are applied to the new operating
system. As a by-product, if anything goes wrong with the install (prior to the first logon), the installation
can automatically be rolled back and the system restored to its original state38.
XML-based answer files
Answer files are used by the installation process to customize an installation. In previous versions of
Windows, multiple text-based answer files were needed to create an automated installation environment.
Since Vista standardizes on XML for many applications (e.g., Office 2007), it makes sense that XML is
used during the setup process as well. The use of XML allows additional automation of the deployment
process, and provides for consolidation into a single file that supports the entire deployment process.
Employing XML also makes editing the answer file more consistent (hopefully reducing errors
introduced during editing), and is supported by a more user- (or rather, administrator-) friendly interface.
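Because the single XML answer file drives the whole unattended install, it tends to accumulate the credentials the install needs: an auto-logon password, local accounts created during setup, the account used to join the domain. The file sits on the distribution share every client reads from, so it is worth scanning before it is published. The checker below is an added example, not code from the guide or from Windows System Image Manager; the sample answer file is constructed here, with placeholder account names and passwords, using the Vista unattend schema's component names. It also shows that a password stored with PlainText set to false is only base64 of the UTF-16 password with the element name appended (the encoding Windows SIM writes), which is obfuscation rather than encryption:

```python
import base64
import xml.etree.ElementTree as ET


def obfuscate_password(password, suffix="Password"):
    """Encode a password the way Windows SIM does when PlainText is false:
    base64 of UTF-16LE(password + element name). Reversible, not encrypted."""
    return base64.b64encode((password + suffix).encode("utf-16-le")).decode("ascii")


def deobfuscate_password(value, suffix="Password"):
    """Reverse obfuscate_password; raises if the expected suffix is missing."""
    text = base64.b64decode(value).decode("utf-16-le")
    if not text.endswith(suffix):
        raise ValueError("not a Windows SIM encoded password")
    return text[: -len(suffix)]


# Constructed sample answer file (not from the guide or any real deployment).
# Names, domain and password values are placeholders.
SAMPLE_UNATTEND = """<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend"
          xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
  <settings pass="specialize">
    <component name="Microsoft-Windows-UnattendedJoin" processorArchitecture="x86"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <Identification>
        <Credentials>
          <Domain>corp.example</Domain>
          <Username>svc-join-placeholder</Username>
          <Password>JoinPassword-placeholder</Password>
        </Credentials>
        <JoinDomain>corp.example</JoinDomain>
      </Identification>
    </component>
  </settings>
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <AutoLogon>
        <Enabled>true</Enabled>
        <LogonCount>1</LogonCount>
        <Username>Administrator</Username>
        <Password>
          <Value>AutoLogon-placeholder</Value>
          <PlainText>true</PlainText>
        </Password>
      </AutoLogon>
      <UserAccounts>
        <LocalAccounts>
          <LocalAccount wcm:action="add">
            <Name>helpdesk-placeholder</Name>
            <Group>Administrators</Group>
            <Password>
              <Value>@@ENCODED@@</Value>
              <PlainText>false</PlainText>
            </Password>
          </LocalAccount>
        </LocalAccounts>
      </UserAccounts>
    </component>
  </settings>
</unattend>
""".replace("@@ENCODED@@", obfuscate_password("helpdesk-pw-placeholder"))


def _local(tag):
    """Strip the XML namespace from a tag name."""
    return tag.rsplit("}", 1)[-1]


def find_embedded_credentials(xml_text):
    """Return one finding per <Password> element: which pass/component it sits in,
    its path inside the component, how it is stored, and the decoded value if
    it was only obfuscated."""
    root = ET.fromstring(xml_text)
    parent = {child: node for node in root.iter() for child in node}
    findings = []
    for elem in root.iter():
        if _local(elem.tag) != "Password":
            continue
        chain, node = [], elem
        while node is not None and _local(node.tag) != "component":
            chain.append(_local(node.tag))
            node = parent.get(node)
        component = node
        settings = parent.get(component) if component is not None else None
        children = {_local(c.tag): (c.text or "").strip() for c in elem}
        if "Value" in children:
            value = children["Value"]
            flag = children.get("PlainText", "").lower()
            storage = {"true": "plaintext", "false": "base64"}.get(flag, "unspecified")
        else:
            value = (elem.text or "").strip()
            storage = "plaintext"  # UnattendedJoin credentials have no PlainText switch
        recovered = None
        if storage == "base64":
            try:
                recovered = deobfuscate_password(value)
            except (ValueError, UnicodeDecodeError):
                recovered = None
        findings.append({
            "pass": settings.get("pass") if settings is not None else "?",
            "component": component.get("name") if component is not None else "?",
            "path": "/".join(reversed(chain)),
            "storage": storage,
            "value": value,
            "recovered": recovered,
        })
    return findings


if __name__ == "__main__":
    for f in find_embedded_credentials(SAMPLE_UNATTEND):
        print("%-12s %-36s %-45s %s" % (f["pass"], f["component"], f["path"], f["storage"]))
```

Run it over the answer file before it goes to the distribution share; anything it reports is readable by every client that installs from that share, whether the storage column says plaintext or base64. The usual mitigations are to create accounts with throwaway passwords that are rotated by policy after first logon, and to use a dedicated, least-privilege join account rather than an administrator.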

38 “Windows Vista Product Guide,” November 2006


Script-based installations
Windows Vista includes extensive support for using the command line and scripting, which enables remote,
automated, and repeatable deployment scenarios. For example, ImageX, Migration, and Windows System
Image Manager are completely scriptable.
Table 10. Deployment Tools summary.39
Each entry gives the feature followed by a brief description.

Application and Migration Planning
APIs for ISVs. Windows Vista provides extensibility and an application programming interface (API) set for independent software vendors (ISVs) and third-party applications through a software development kit (SDK).
Compatibility mitigation. Windows Vista creates custom compatibility databases based on analysis and tests the fixes to make sure they will work.
Filtering analysis reports. Reports provide information about application compatibility issues and mitigation information. This information is improved with user input.
Software Inventory Analyzer. Inventories all the applications installed on user desktops across the enterprise, stores them in a central location, and performs compatibility analysis against a compatibility database.

Engineering Desktop
Customization of images. Add, update, and remove optional components (including languages, drivers, and service packs) to create a custom image.
Desktop image creation. Takes an image of an existing PC for distribution or for backup. You can save to a distribution share, from which users can install the gold image or IT professionals can push the image to the desktop.
Hardware abstraction layer (HAL) independence. Retail versions of Windows Vista can be HAL-independent.
Offline image servicing. Patch and service an offline image without creating a new image for distribution.
Scripting support in image creation. Scripting tools can be used to create and edit images.
Unattended file manipulation. Create and edit XML-based configuration files for unattended installation.

Implementing the Deployment Process
Critical update installation. Add critical updates to the standard image at installation by using image-based setup.
Non-destructive imaging. Allows for system upgrades in-place by using a wipe-and-reload (clean install) of the operating system that stores existing data locally or remotely on a network share.
Multiple boot options. Boot from the network (PXE boot), CD, DVD, hard disk, or RAM disk.
PXE server support. Allows remote installations using the PXE boot process to install the operating system.
Scripting support. Enables administrators to script and automate large wipe-and-reload deployments, installations, and migrations.
Secure remote deployment. IT professionals can install the new desktop remotely.

The Windows Automated Installation Kit (WAIK)


For Vista, Microsoft rolled a collection of deployment tools into a single, downloadable kit called the
Windows Automated Installation Kit, or WAIK. The WAIK40 consists of the components described below.

39 Adapted from the BDD 2007 documentation; this is a subset of the BDD-recommended teams.
40 The WAIK may be obtained from www.microsoft.com/downloads/
ImageX
ImageX is a command-line tool that captures and modifies WIM-based disk images. It allows an
engineer to view and modify Vista install images so they can be deployed either from a custom
installation DVD or from a network file share. ImageX also mounts and unmounts an installation image
(see Figure 21).
Figure 21. Options available for the ImageX command-line image manager.

Windows Preinstallation Environment (WinPE)


Windows PE 2.0 is the core deployment foundation for Windows Vista, and replaces MS-DOS as the pre-
installation environment. Windows PE is built from Windows Vista components; it can run many
Windows Vista applications, detect and enable most modern hardware, and communicate across
networks. Windows PE can run entirely from system memory, freeing up the optical drive for a second
CD that contains drivers or software.
Like Vista, Windows PE can be contained within a WIM file; however, Windows PE can start directly
from a WIM file without being copied to a hard disk. This functionality enables a WIM file to be stored on
bootable media such as a CD or USB flash drive, and Windows PE to be started directly from that
medium. Microsoft uses this ability to load Windows PE into RAM and launch Windows PE when Vista
is installed on a new computer.
Windows System Image Manager
The System Image Manager (see Figure 22) is a graphical user interface that allows a deployment
engineer to manipulate components of a Vista installation. The Image Manager creates an XML-based
answer file that, when combined with an image, results in a customized yet fully automated Vista install.

Figure 22. The Windows System Image Manager

The Image Manager accepts an installation image (named install.wim) and an associated Windows
catalog file (if the catalog file is not available, the Image Manager can create one). Once opened, all of
the configurable components are available in the Image Manager’s GUI; the deployment
engineer can now customize the image by selecting each component and specifying the desired
configuration parameters (see Figure 23).
Figure 23. Using the System Image Manager, individual components may be configured.

After all of the desired changes have been made, the Image Manager generates and saves an XML-
based answer file. The answer file itself can subsequently be edited with the Image Manager, or any
XML editor.
Windows Deployment Services (WDS)
Windows Deployment Services is an updated version of Remote Installation Services (RIS) in Windows
2000 Server and Windows Server 2003. (In fact, an installed version of Windows Server 2003 RIS is a
requirement for downloading WDS.) WDS provides a mechanism for systems to connect to a networked
server during initial boot-up, allowing the server to then perform a local installation of Windows Vista.
The WDS update to RIS is included in the Windows Automated Installation Kit (WAIK), and includes the
WDS snap-in to the Microsoft Management Console. The WDS snap-in enables deployment engineers to
manage all of the WDS features from a single GUI. The WDS enhancements to RIS include41:
• Ability to deploy Windows Vista and Windows Server "Longhorn".
• Support for Windows PE as a boot operating system.
• Support for the Windows Imaging (WIM) format.
• Ability to transmit data and images using multicast functionality.
• Ability to transmit data and images using multicast functionality on a standalone server (when
Transport Server role service is installed).
• An extensible and higher-performing PXE server component.
• A new boot menu format for selecting boot operating systems.
• A new graphical user interface used to select and deploy images and to manage Windows
Deployment Services servers and clients.
WDS represents a suite of components, which are organized into three categories:
Server components: These components include a Pre-Boot Execution Environment (PXE) server and
Trivial File Transfer Protocol (TFTP) server for network booting a client to load and install an operating
system. Also included is a shared folder and image repository that contains boot images, installation
images, and files needed for a network boot.
Client components: These components include a graphical user interface that runs within the Windows
Pre-Installation Environment (Windows PE) and communicates with the server components to select and
install an operating system image.
Management components: These components are a set of tools used to manage the server, operating
system images, and client computer accounts.

41 “Windows Deployment Services Update Step-by-Step Guide for Windows Server 2003,” April, 2007

Windows Business Desktop Deployment


The Microsoft Windows Business Desktop Deployment package (extensively reviewed in Chapter 3)
provides two different deployment methods to deploy the target operating systems to the target
computers: Lite Touch Installation (LTI) and Zero Touch Installation (ZTI). (Note that the “touch” refers to how
much IT has to touch the installation process, not how much is touched on the target systems.) In most
cases a combination of these two methods would be used. In BDD 2007, LTI and ZTI use the same
common set of scripts and configuration files for deploying the target operating system.
In both cases, the installation is initially configured by using the BDD 2007 Deployment Workbench
(Figure 24), with further customization in the CustomSettings.ini scripts.
Figure 24. The BDD 2007 Deployment Workbench.

Lite Touch Installation (LTI)


LTI supports deployment of the target operating systems over the network (via a shared folder) or locally
by using removable storage such as a CD, DVD, or USB-based storage. The deployment process can be
initiated automatically (using a Windows Deployment Services server) or manually.
In LTI deployment, the team provides configuration settings for groups of computers. The configuration
settings for each individual computer are usually provided manually during the deployment process. As a
result, customizing LTI usually takes less effort than customizing ZTI.
Zero Touch Installation (ZTI)
ZTI requires SMS 2003, SMS 2003 SP2, and the SMS 2003 OSD Feature Pack. ZTI deploys target
operating systems from SMS 2003 distribution points, and can be started automatically by SMS 2003 or
by Windows Deployment Services.
In ZTI deployment, the deployment team provides all configuration settings for each target computer
being deployed. As a result, customizing ZTI usually takes more effort than customizing LTI.

Comparing LTI and ZTI


Table 11 compares the use of LTI and ZTI in the deployment.

Table 11. Comparison of LTI and ZTI Deployments42

Configuration settings
  LTI deployment: Provide configuration settings that are common to a group of target computers.
  ZTI deployment: Provide all necessary configuration settings for each target computer.

Time required
  LTI deployment: Requires less up-front configuration time.
  ZTI deployment: Requires more up-front configuration time.

Network connection
  LTI deployment: Can be used with slow-speed connections or in instances where no network connectivity exists.
  ZTI deployment: Requires a high-speed, persistent connection.

Infrastructure requirements
  LTI deployment: Requires little or no infrastructure to support deployment.
  ZTI deployment: Requires an infrastructure sufficient to deploy operating system images by using SMS 2003 OSD Feature Pack.

Deployment medium
  LTI deployment: Supports deployment over the network or locally.
  ZTI deployment: Supports only network deployments.

SMS 2003 requirements
  LTI deployment: Target computers are not required to be managed by SMS 2003 (or other software management tools).
  ZTI deployment: Target computers must be managed by SMS 2003.

Security policy handling
  LTI deployment: Supports security policies where automatic software installation is prohibited.
  ZTI deployment: Supports only security policies where automatic software installation is allowed.

Firewall requirements
  LTI deployment: Supports deployment of target computers isolated by firewalls.
  ZTI deployment: Requires Remote Procedure Call (RPC) communication with the target computers (and as such usually requires too many ports to be opened through firewalls).

Upgrade vs. Clean Install
  LTI deployment: Supports the Upgrade Computer deployment scenario.
  ZTI deployment: The Upgrade Computer scenario is not supported.

Management Pack support
  LTI deployment: LTI does not support the BDD management pack.
  ZTI deployment: Supports the BDD management pack.

42 Adapted from the BDD 2007 “Deployment Feature Team Guide”

Summary
The migration to Vista is not to be taken lightly (as if any Windows migration might be!). However,
Microsoft has developed an extensive toolset—beyond anything in any previous version of Windows—to
aid in the deployment process. The new modular architecture greatly facilitates flexibility in deployment
while simplifying the entire process. At the same time, the new WAIK, WDS, and user migration tools
provide a more powerful deployment environment without adding a great deal of complexity.
Having said that “everything will be ‘easy,’” it is vital that planning begin now. For example, if it hasn’t
been done already, the enterprise desktop should be standardized well before the deployment process
begins. After all, the best operating system image can be overlaid with the messiest of user states if the
user state is that way initially. Windows deployment tools and/or other third-party products that manage
existing operating environments (e.g., Windows XP) can greatly aid in pre-deployment planning and
standardization.
Finally, the migration to Vista is by definition methodical; plan, plan, and plan some more—then take a
measured approach to bringing the enterprise into the Vista world.
