Aidan Finn - Please Go I...

Blog


    8/30/2009

    Whitepaper: Using MDT 2010 To Deploy Windows 7

    This document and page have been moved.

    Security On Your Terms

    Microsoft published some security feature documentation for Windows 7:

    • Security on your terms overview: This article describes some of the new or changed security features in Windows 7. These features include the new Action Center and the updated UAC. This article also describes how Windows 7 extends BitLocker Drive Encryption to portable storage devices.
    • Security Frequently Asked Questions (FAQ): This topic answers questions about security in Windows 7, which includes features like Security Development Lifecycle, User Account Control, Kernel Patch Protection, Windows Service Hardening, Address Space Layout Randomization, and Data Execution Prevention.
    • Security on your terms walkthrough: The step-by-step instructions in this walkthrough provide a brief tour of new security features in Windows 7.

    Location Aware Printing

    Microsoft published some documentation on a new feature in Windows 7 Professional (and higher) called Location Aware Printing.  This is a very cool feature.  Imagine you’re a laptop user working in multiple sites.  You use printers in each of those sites.  Location Aware Printing will detect your network location and set your default printer accordingly.  This saves time and helps Office out too – it sets up document layouts based on your default printer.

    1. Location Aware Printing: The Location Aware Printing Walkthrough provides a brief tour of the new Location Aware Printing feature in Windows 7 (available in Windows 7 Professional or higher). These instructions assume that your computer is connected to at least two networks. Location Aware Printing Frequently Asked Questions answers questions about using the Location Aware Printing feature in Windows 7.
    2. Location Aware Printing Walkthrough: The step-by-step instructions in this walkthrough provide a brief tour of the new Location Aware Printing feature in Windows 7 (available in Windows 7 Professional or higher).
    3. Location Aware Printing Frequently Asked Questions: This topic answers questions about using the Location Aware Printing feature in Windows 7.

    RDP 7.0 Coming To Vista and XP

    Microsoft announced that they will release the RDP 7.0 client in Q4.  This will mean those legacy clients can take advantage of new features like media streaming.

    8/28/2009

    Microsoft Hyper-V Server 2008 R2 RTM and RTW.

    Hyper-V Server 2008 R2 is available to download now.  This free virtualisation platform from Microsoft is based on the Core installation.  It’s a stripped down version of Windows intended solely for virtualisation.  Given that it doesn’t have the free guest OS licenses, it seems like a solution to me for things like VDI (Remote Desktop Services) or small implementations like branch offices or certain SBS/EBS scenarios.

    The big change (other than all the cool stuff like Core Parking, increased scalability, VMQ, SLAT, etc) is that this version of Hyper-V Server adds cluster support and Live Migration.  Yes, clusters and Live Migration in a free virtualisation platform.

    My concern is the Core installation.  I've problems with that in terms of troubleshooting and hardware management applications.  I know I'm not alone as other adventurous types have tried Core installs like me and walked away.  I’d like to see a Core installation that still has a GUI so we can still use those apps from the OEM’s to do things like VLAN tagging, check hardware, etc.  But I’m not everyone and I guess there’s an audience out there for Hyper-V Server seeing as MS has updated it.

    “Microsoft Hyper-V Server 2008 R2 is a stand-alone product that provides a reliable and optimized virtualization solution enabling organizations to improve server utilization and reduce costs. With the addition of new features such as live migration and expanded processor and memory support for host systems, it allows organizations to consolidate workloads onto a single physical server and is a good solution for organizations who are consolidating servers as well as for development and test environments.

    By having the ability to plug into existing IT infrastructures Microsoft Hyper-V Server 2008 R2 enables companies to reduce costs, improve utilization and provision new servers. It allows IT professionals to leverage existing patching, provisioning, management and support tools and processes. IT Professionals can continue to leverage their individual skills and the collective knowledge of Microsoft tools, minimizing the learning curve to manage Microsoft Hyper-V Server 2008 R2. In addition, with Microsoft providing comprehensive support for Microsoft applications and heterogeneous guest operating systems support, customers can virtualize with confidence and peace of mind.“

    Considering An Alternative Way To Deploy VM’s

    I run Windows Server 2008 Hyper-V managed by System Center Virtual Machine Manager (VMM) 2008.  One of the perks of virtualisation is the ability to rapidly provision servers.  We can use the traditional methods associated with physical deployments or we can use templates stored in a library.  With VMM this means storing sysprep’ed VHD’s (virtual hard disks) in the library.  VMM makes this easy – you right click on the template VM, choose to convert it and VMM does the sysprep and moves the VM into the library.  You can then use that stored VHD as a template for future VM deployments.  The new VM boots up and goes through the mini setup wizard.

    Here’s the problem.  If you use fixed sized VHD’s then a fixed sized VHD is stored in the library.  In the real world, storage is not cheap.  We don’t use laptops or PC’s in the data centre.  Server/SAN storage is not €100/terabyte.  A library of 40GB+ VHD’s to cover our varied builds is going to consume lots of space and someone has to pay for that.  Here’s my situation: the cost has to be passed on to the customer and we can’t be doing that.

    What I do instead of using the power of VMM deployment is that I build my template VM’s with dynamic VHD’s.  I then store them in the library in their sysprep’ed form.  I deploy VM’s without a disk and then use the edit disk feature on the Hyper-V console on the host parent partition to edit the desired template disk and convert it to be a fixed sized VHD stored in the VM’s folder.  That’s a time consuming process but it’s worth it to save disk.  I wish VMM did that out of the box for library VHD operations but it doesn’t.

    I’ve been working on deployment scenarios of Windows Server 2008 R2 and Windows 7 as part of a writing project, the upcoming launch events and as a member of Microsoft’s STEP program.  I had a realisation a few days ago that I need to consider an alternative way of deploying servers.

    The free Microsoft Deployment Toolkit 2010 utility allows you to capture images of PC’s and servers as WIM files.  You can then deploy those images using either a USB media, a DVD, an ISO or via a PXE boot (using Windows Deployment Services to serve a WIM boot image).  What if I did this instead of using my above process for VMM?

    • Create a file share with scripts to do things like install IIS roles, install SQL 2008, etc.
    • Build my standard images for Web, Standard, Enterprise and DataCenter editions.
    • Make all my customisations, patch them, etc.
    • Use a capture task sequence to capture the builds (WIM’s) and store them on the MDT server.
    • Build task sequences that deploy my captured WIM’s.
    • Build alternative deploy task sequences, e.g. “Web Edition Web Server” will deploy the Web Edition WIM file and then run a script to configure IIS, “Enterprise SQL Server” will deploy the Enterprise edition WIM file and then run the script to install SQL.

    To deploy a new VM I could do this:

    • Create a hardware template that has no hard disk and boots from PXE by default.  The network card will be configured to use the VLAN that I currently run WDS on and would run MDT on.  Call it my factory network.
    • Deploy that VM to a host.
    • Fire up the VM and boot it up.  Hit <F12> to boot from the network.
    • Log into MDT and deploy the required task sequence, e.g. “Web Edition Web Server”.
    • Sit back and drink a nice beverage while a new and nearly completely configured web server is deployed.
    • Eventually log in, make a few customisations, patch it, change whatever passwords and change the NIC VLAN binding.

    This accomplishes a few things. 

    • Firstly, I only use a few GB’s of space for each edition of Windows.  A WIM file is a compressed storage medium.  It’s a file based image with single instance storage.  So I’m not storing 40GB VHD’s.  Also, I don’t need to do my manual edit disk process to convert from the library dynamic VHD to VM fixed sized VHD.
    • I’ve saved a LOT of time.  With an MDT task sequence I can do some serious post boot customisations such as running SERVERMANAGERCMD.EXE with an answer file (Windows 2008) or PowerShell (Windows 2008 R2 – SERVERMANAGERCMD.EXE is being deprecated by MS, still there but PowerShell is better) to add roles and features.
    • I can have 4 WIM files, 1 for each Server edition, and deploy any number of custom images with little storage space being consumed.
    • Theoretically, with WIM files you could use the same WIM files and deployment process for both physical and virtual servers.  I’d want to look at a way to automate installing hardware specific software, e.g. HP PSP.
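
    A sketch of the post-deployment role script that a task sequence such as “Web Edition Web Server” could call. It is an added example, not the author's own script. The profile names and the feature lists are hypothetical, and it assumes PowerShell is already present in the captured image. It uses the ServerManager module on Windows Server 2008 R2, falls back to SERVERMANAGERCMD.EXE on Windows Server 2008, and hands a reboot request back to MDT.

```powershell
# Added illustration: role install step run from an MDT task sequence.
param(
    [Parameter(Mandatory = $true)]
    [string]$BuildProfile      # hypothetical name passed in by the task sequence
)

# Hypothetical profile-to-feature map. The values are Server Manager feature IDs.
$featureMap = @{
    'WebServer'       = @('Web-Server', 'Web-Mgmt-Console')
    'WebServerAspNet' = @('Web-Server', 'Web-Asp-Net', 'Web-Mgmt-Console')
}

if (-not $featureMap.ContainsKey($BuildProfile)) {
    Write-Error "Unknown build profile '$BuildProfile'"
    exit 1
}

$features     = $featureMap[$BuildProfile]
$os           = [Environment]::OSVersion.Version
$rebootNeeded = $false

if ($os.Major -eq 6 -and $os.Minor -ge 1) {
    # Windows Server 2008 R2: use the ServerManager PowerShell module.
    Import-Module ServerManager
    $result = Add-WindowsFeature -Name $features
    if (-not $result.Success) {
        Write-Error "Add-WindowsFeature failed for: $($features -join ', ')"
        exit 1
    }
    $rebootNeeded = ($result.RestartNeeded -ne 'No')
}
elseif ($os.Major -eq 6 -and $os.Minor -eq 0) {
    # Windows Server 2008: fall back to ServerManagerCmd.exe, one feature per call.
    foreach ($feature in $features) {
        & "$env:SystemRoot\System32\ServerManagerCmd.exe" -install $feature
        if ($LASTEXITCODE -eq 3010) {
            # 3010 is the standard Windows "success, restart required" code.
            $rebootNeeded = $true
        }
        elseif ($LASTEXITCODE -ne 0) {
            # Assumption: every other non-zero code is treated as a failure here.
            Write-Error "ServerManagerCmd failed for $feature (exit $LASTEXITCODE)"
            exit $LASTEXITCODE
        }
    }
}
else {
    Write-Error "Unsupported OS version $os"
    exit 1
}

# Return 3010 so the task sequence can reboot before the next step.
if ($rebootNeeded) { exit 3010 }
exit 0
```

    Keeping the role logic in one script on the deployment share means each “alternative” task sequence differs only in the WIM it applies and the profile name it passes.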

    If you’re using Configuration Manager 2007 (SP2 for W2008 R2 support) then you’ll get the same functionality.  I’ve seen Mark Gibson of Microsoft Ireland give a Camtasia demo of this.  Odds are if you’re using Hyper-V and VMM then you’ve got OpsMgr too, all licensed by System Center Enterprise/Datacenter CAL’s/SAL’s.  Then you’re entitled to a ConfigMgr CAL/SAL too.  However, MDT is lightweight and free.  My lab MDT machine is running 512MB of RAM and doesn’t require a SQL instance.

    Anyway, there’s an alternative way to tackle VM deployment.  This would also work in an ESX/vSphere architecture.  I’m leaning strongly towards doing this.  I use WDS already for deploying blade server operating systems.  Moving to MDT seems like a logical choice to me now.

    I'd love to get your feedback on this and hear what alternative ways you're using to deploy VM's.

    8/27/2009

    WSUS 3.0 SP2 Documentation

    Microsoft released some documentation following the RTW of WSUS 3.0 SP2:

    • Release Notes WSUS 3.0 SP2: These release notes describe the Windows® Server Update Services 3.0 Service Pack 2 (WSUS 3.0 SP2) release, including system requirements, upgrade requirements, and known issues.
    • Deployment Guide WSUS 3.0 SP2: This guide describes how to deploy Microsoft Windows Server Update Services 3.0 SP2 (WSUS 3.0 SP2), including server and client workstation setup.
    • Features and Fixes WSUS 3.0 SP2: This document highlights the feature improvements and important software updates provided in the Windows Server Update Services 3.0 Service Pack 2 (WSUS 3.0 SP2) release.
    • Operations Guide WSUS 3.0 SP2: This guide describes the major tasks involved in administering and troubleshooting Windows Server Update Services 3.0 SP2 (WSUS 3.0 SP2).
    • Step By Step Guide WSUS 3.0 SP2: This guide provides instructions for getting started with Microsoft Windows Server Update Services 3.0 Service Pack 2 (WSUS 3.0 SP2).

    Hyper-V Linux Integration Components V2

    Microsoft has released version 2 of the Linux Integration components.  There’s a detailed document on that page.  Here are some extracts:

    “This version of the Linux Integration Components supports the following versions of Hyper-V:

    • Windows Server® 2008 Standard, Windows Server® 2008 Enterprise, and Windows Server® 2008 Datacenter (64-bit versions only)
    • Microsoft® Hyper-V Server 2008
    • Windows Server 2008 R2 Hyper-V RTM (Build 7600) Standard, Enterprise, and Datacenter
    • Microsoft Hyper-V Server 2008 R2 RTM (Build 7600)

    This version of the Linux Integration Components supports the following guest operating systems:

    • SUSE Linux Enterprise Server 10 SP2 x86 and x64
    • SUSE Linux Enterprise Server 11 x86 and x64

    Linux virtual machines that will be deployed in a highly-available scenario (utilizing failover clustering) should be configured with static MAC addresses for each virtual network adapter. Because of the way Linux configures the network adapter, in certain versions of Linux, there is a possibility that the networking configuration will be lost after failover because a new MAC address is assigned to the virtual network adapter. To work around this issue, ensure that each virtual network adapter has a static MAC address. This can be configured by editing the settings of the virtual machine in Hyper-V Manager.”

    8/26/2009

    Windows Server 2008 R2 – No “Without Hyper-V” SKU

    With Windows Server 2008 there were two types of SKU for each edition: the normal one and the “without Hyper-V” SKU.  Any “without Hyper-V” SKU could never run Hyper-V.  At the start it was said to be $28 cheaper than the normal SKU.  Later I heard it was the same price.  I know in the SPLA world there was a small price difference.

    R2 does not have a “without Hyper-V” SKU.  It confused people and could lead them to buy a license and never be able to run Hyper-V with that license/install.  We in Ireland advised people to not buy it if they were in fact the same price.

    The question remains now … can you upgrade from Windows Server 2008 x64 Without Hyper-V to Windows Server 2008 R2?  I’ve not tested it and not seen anything definitive yet.

    Updated: Post on Comparing HP Rack VS Blade Power Consumption

    Following an internal investigation by HP, I’ve updated a month old post that compared HP Blade (BL) with rack (DL) server power consumption.  It turns out the original report on the subject compared apples with oranges.

    Brian Madden Looks At Windows Server 2008 R2 VDI

    Brian Madden (Remote Desktop Services MVP) had a look at VDI (virtual desktop infrastructure – users log into virtual PC’s in the data centre) as packaged in Remote Desktop Services in W2008 R2.  It’s a long and complicated read but well worth looking at.

    Microsoft Licensing For Virtual Environments

    This is not fun reading.  It’s complex as hell.  Go read the SPUR documents if you have insomnia or you want your world to start spinning.  Microsoft just published this:

    “Licensing Microsoft Server Products in Virtual Environments (Word file, 4.30 MB) is an overview of Microsoft licensing models for the server operating system and server applications under virtual environments. Licensing Microsoft Windows Server 2008 to Run with Virtualization Technologies (Word file, 1.39 MB) describes how Windows Server 2008 and other Microsoft server products are licensed when they are used with other virtualization technologies.”

    How To Deploy VPN/RAS Connections Using Scripting and GPO

    This download documents how to use PowerShell and Group Policy to configure RAS/VPN connections on Windows clients if you are using the native technologies for RAS/VPN.

    “This article describes how to use Group Policy, Powershell and the Remote Access Service (RAS) application programming interfaces (APIs) to configure and deploy VPN connection settings to client computers ready for use by users. The solution also describes how the Task Scheduler service can be used to configure scripts or programs that are run whenever a VPN connection is made to the VPN server. The advantage of this solution is that it is not platform specific, and can be used on all of the currently supported versions of Windows.”

    WSUS 3.0 SP2 Available

    Windows Server Update Services is Microsoft’s free patching solution for Microsoft networks.  It patches the OS and applications.  If you’re not patching then please check this product out … NOW.  The new release adds support for Windows Server 2008 R2, Windows 7 and features of the new OS’s, e.g. BranchCache.  That would allow for a central WSUS server with clients directly accessing it over the branch office network.  The first client in the branch office would cache the updates and its neighbours would access the downloads from the cache rather than needlessly hitting the WAN.

    BranchCache is a feature of Windows Server 2008 R2 and Windows 7 Enterprise (Software Assurance)/Ultimate only.  Odds are most of us will continue to run branch office WSUS servers.

    “Windows Server Update Services 3.0 Service Pack 2 (WSUS 3.0 SP2) delivers updates to corporate environments from Microsoft Update. This release adds new features and fixes issues found since the release of the product.

    WSUS 3.0 SP2 delivers important customer-requested management, stability, and performance improvements. Some of the features and improvements include the following:

    • Integration with Windows Server 2008 R2.
    • Support for the BranchCache feature in Windows Server 2008 R2.
    • Support for Windows 7 and Windows Server 2008 R2 clients.
    • Compliance Report
    • Windows Update Agent (WUA) offers a collection of performance enhancements, user experience improvements, and bug fixes software updates.

    WSUS 3.0 SP2 can be installed alone, or as an upgrade of WSUS 3.0 SP1.
    This package installs both the WSUS 3.0 SP2 Server, WSUS 3.0 SP2 Administration Console components and WUA client for down-level operating system. You must install the server components on a computer that is running on Windows Server 2003 SP2 or later versions. You may install the Administration Console on a remote computer that is running one of the supported operating systems, see below the Supported Operating Systems section.

    WSUS 3.0 SP2 Server Installation on Windows Small Business Server 2003
    If you are installing the WSUS 3.0 SP2 product on Windows Small Business Server 2003, follow the instructions in
    Installing Windows Server Update Services 3.0 on Windows Small Business Server 2003.”

    Windows 7 Language Packs Available

    This was posted by MS yesterday.  Note that you need software assurance on the desktop to avail of Windows 7 Enterprise Edition.

    “As of this morning, August 25th, the following language packs are available for download from Windows Update. Please note Traditional Chinese –Taiwan will be released at a later date.

    These language packs are available to our enterprise customers running Windows 7 Enterprise and Windows 7 Ultimate RTM versions only. Customers on the Windows 7 Release Candidate are not eligible for these language packs.

    For information on the general availability of Windows 7 Ultimate and all other version, please refer to Brandon’s post here.

    Languages:

    • Arabic
    • Brazilian Portuguese
    • Bulgarian
    • Chinese – Simplified
    • Chinese – Traditional – Hong Kong
    • Croatian
    • Czech
    • Danish
    • Dutch
    • English
    • Estonian
    • Finnish
    • French
    • German
    • Greek
    • Hebrew
    • Hindi
    • Hungarian
    • Italian
    • Japanese
    • Korean
    • Lithuanian
    • Norwegian
    • Polish
    • Portuguese
    • Romanian
    • Russian
    • Serbian Latin
    • Slovak
    • Slovenian
    • Spanish
    • Swedish
    • Thai
    • Turkish
    • Ukrainian”

    8/25/2009

    Some Useful Online Content For OS Deployment

    Johan Arwidmark (deployment MVP) has some online content you might want to check out:

    Windows Server 2008 R2 Windows Deployment Services (WDS)

    As you may have noticed, I’ve been doing some lab work on Windows 7 deployment recently.  Last night I upgraded the MDT 2010 build to an RC.  Within 15 minutes I was in a position where I was able to deploy a clean build Windows 7 machine and do an upgrade from XP to Windows 7 while conserving the user’s state on the machine.

    Ben Armstrong (the Virtual PC Guy) blogged overnight about his experience with WDS on Windows Server 2008 R2.  That was my next step: I want to get the LiteTouch.ISO mounted on there so I can run it on the network.

    My MDT lab is 4 virtual machines running on Windows Server 2008 R2:

    • Domain controller with DHCP/DNS.
    • MDT server, MDT-SVR
    • Virtual PC 1: Windows 7
    • Virtual PC 2: Windows XP with a user state and a snapshot I can restore after Windows 7 upgrades

    I loaded WDS (Windows Deployment Services) onto MDT-SVR in Server Manager.  It’s pretty simple from there:

    • I configured the role.
    • I added the Windows 7 images from the mounted ISO.
    • I used the discovered boot image to create a capture image and loaded it.
    • I’d previously extracted the x86 Integration Components (drivers) for Hyper-V.  I added those as a package called Hyper-V.
    • I added the drivers to both boot images.

    No use of DISM or the command prompt yet.

    Now I booted up a VM with PXE Boot (F12).  I changed the boot order of the VM to get that working reliably.  Wait .. PXE in Hyper-V?  Yes, you CAN do it.

    Next thing you know, the VM has loaded the pre-boot environment discovered via BOOTP/DHCP.  I picked a boot image and deployed Windows 7.

    Time taken? 10 minutes.  OK, I had already extracted the drivers and I knew WDS from W2008/W2003.  But it was pretty easy!

    EDIT #1: I’d say it was less than 15 minutes later before I could log into the new Windows 7 VM running on Windows Server 2008 R2 Hyper-V.

    Windows 7 Application Compatibility Document

    “Understand the impact of application compatibility on your environment and how you can address application compatibility concerns.

    This document can help you understand the impact of application compatibility on your environment and how you can address application compatibility concerns.”

    Some VMM 2008 R2 Documentation

    Microsoft released a few documents yesterday:

    VMM 2008 R2 Upgrade Guide

    Here’s an upgrade guide for VMM 2008 to VMM 2008 R2 courtesy of the folks from MS.