Part 3: Application Management and Preparing for a Windows 7 Deployment

If you are like most desktop service managers, you probably have several applications that you manage and depending on your users, there may be several applications that you don’t know about. There are a few places out there where “Standard User” or “Least-Privileged User” accounts aren’t the norm and users can just install whatever applications they want. If this sounds familiar, then you probably have a bit to do in terms of detecting, rationalizing, and testing the applications your users have to prepare for Windows 7. For any compatibility issues, you can address them using a variety of approaches and we’ll discuss all of those approaches in a minute.

The next major area you’ll need to worry about is how to get those applications or corresponding newer versions onto your users’ Windows 7 desktops. There is a fair chance that you’ve been cloning hard drives over the past couple of decades and don’t necessarily have automated installation packages for all the applications that you want to deploy into the new Windows 7 environment. Some applications aren’t packaged for silent installation, making it hard to customize installs to include only applications specific to user roles. That along with other factors means there are a lot of organizations out there having 20 to 50 applications present on every workstation – even if the users only need 5-10 of those applications on average. With the newer deployment tools, you can save your money on these applications and install what is required per user instead of giving them everything. This will save you on licensing and may improve the performance of Windows if any of those applications tend to launch at startup. I’ll talk a little bit about the application packaging process after we dig a bit deeper into application compatibility.

Application Compatibility

The application compatibility process, contrary to popular belief, doesn’t begin with testing. The first thing you’ll probably want to do is collect an inventory of your hardware and software assets. Be prepared to discover more applications than you thought you had. One tool you can use is the Application Compatibility Toolkit (or “ACT”). The Application Compatibility Toolkit isn’t a magic wand that you wave at applications to “make them work”, but it does provide the tools to inventory your applications, hardware and devices; evaluate runtime compatibility of applications while collecting data; and compare what you’ve collected to a central database managed by Microsoft with compatibility data from ISVs and the IT pro community.

When I present the toolkit at events, I often get asked:

“Hold on, did you just say the Application Compatibility Toolkit discovers hardware and devices and not just applications?”

Yes, it’s true. ACT finds the applications wherever they may reside and also reports on hardware and devices detected as well. One thing to point out here is that while most inventory tools relegate themselves to just data found in Add/Remove Programs, ACT also looks in multiple locations of the registry (run, run once, file extension handlers, app paths, etc.), and in services. ACT tends to find any application on the system or otherwise launched by the user while we’re performing an inventory. Once you deploy ACT’s lightweight Data Collection Package agent, ACT detects the information on your users’ Windows XP workstations and sends the information back to the network location you specify, then processes the data and reports its findings to you.
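A rough look at the same locations the paragraph names, as an added example that is not part of the original post or of ACT: it dumps Add/Remove Programs, the Run and RunOnce keys, App Paths and the service list into one text report. The report path is an assumption, and file extension handlers are left out to keep the output readable.

```batch
@echo off
rem Added example, not ACT and not from the original post.
rem Assumption: the report is written to %TEMP% under the computer name.
setlocal
set "REPORT=%TEMP%\%COMPUTERNAME%-appinventory.txt"
set "CV=Software\Microsoft\Windows\CurrentVersion"

> "%REPORT%" echo Inventory of %COMPUTERNAME% taken %DATE% %TIME%

rem Add/Remove Programs entries: where most inventory tools stop
call :dump "HKLM\%CV%\Uninstall"

rem Programs launched at logon, machine-wide and for the current user
call :dump "HKLM\%CV%\Run"
call :dump "HKLM\%CV%\RunOnce"
call :dump "HKCU\%CV%\Run"
call :dump "HKCU\%CV%\RunOnce"

rem Executables registered by name, whether or not they have an uninstall entry
call :dump "HKLM\%CV%\App Paths"

rem Installed services, running or stopped
>> "%REPORT%" echo.
>> "%REPORT%" echo ==== Services ====
sc query type= service state= all >> "%REPORT%" 2>&1

echo Report written to %REPORT%
exit /b 0

:dump
rem Write one registry key and its subkeys to the report; a missing key is
rem recorded as an error line instead of stopping the run
>> "%REPORT%" echo.
>> "%REPORT%" echo ==== %~1 ====
reg query "%~1" /s >> "%REPORT%" 2>&1
exit /b 0
```

Entries that appear under Run or App Paths but not under Uninstall are the applications an Add/Remove Programs inventory would have missed.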

Check out the ACT video about Data Collection Packages here.


Many IT shops have an inventory they are confident in and don’t necessarily want to deploy agents out to their users – it’s completely understandable. Is there anything better in this case than using the consumer compatibility site to search applications and devices one-by-one? Yes. If you have more than about 20 applications, using that site probably isn’t your best option, and for that we also publish a list of known compatible applications that you can query against using your own application inventory database.

What’s next? If you have a thorough inventory, it is extremely likely that you won’t want to move all of the applications you find from Windows XP into your new Windows 7 environment. There might be five different media players or eight different applications that read PDF files on your users’ collective PCs. In fact, many companies can eliminate 90% or more of the applications they inventory, because they are duplicate in nature, hardware-based or undesired. You can even use filtering in ACT to help reduce the list.


This is important, because it is much easier to test 100 applications compared to 1000 applications and reducing your inventory list can often be done in a couple of hours. I’d personally rather test 100 applications than 1000, and I’m guessing that most would agree.

See the video for working with ACT inventories here

Now that we have the rationalized list of applications and static data from ISVs as to whether they are compatible or not, the fun starts with testing the applications for which we have no compatibility information. You should find that most of your applications work in Windows 7 and this is especially true for packaged (ISV) applications that were released in the last 2-3 years. The in-house developed applications that you’ve had for 5 or more years may require special attention. The major things to look for are applications that like to run under administrative context and have free rein of the computer they run on, applications that are locked to a specific Windows version number, and Web applications that require Internet Explorer 6. If you have Internet Explorer 8 already deployed and your users generally have Standard User accounts, then you won’t have as much work to do. You can find more information on why applications may experience issues running on Windows 7 in the “Understanding Application Compatibility” guide on TechNet.

Once we find out what is not working we have a couple of options to make them work:

· For packaged applications from ISVs, the best approach is always to find an application that runs natively on the version of Windows you want to install it on. Sometimes there are free updates for these applications and sometimes not. Using the application as intended and tested by the ISV for Windows 7 ensures that the ISV can support your users and you are running their application in a way that they have tested it for.

· For in-house developed applications, the best approach is to recode the application to make it run natively. If you don’t have the source code or there is an easy fix, you can use compatibility fixes (or “shims”) to get the application to run without recoding it. More information about shims can be found in the TechNet Library.

Check out the video on commonly-used application shims here.

If you just can’t make it work, then it isn’t necessarily “game over.” If you’ve exhausted all other options to make the application run natively, then you can use Virtual PC to run the application in a Windows XP environment. Virtual PC with RemoteApp integration is much more intuitive for end users than it has been over the years. With Virtual PC, we can now publish shortcuts on the physical machine’s desktop or start menu to applications contained in the virtual machine and applications can be launched individually without exposing the whole Windows XP desktop. The trade-off is that you’ll have two operating systems to manage per user. If you do get to this point and you have a managed environment, I’d recommend that you look into Microsoft Enterprise Desktop Virtualization so you can manage the virtual environment.

Once you’ve worked through all of your applications – inventoried them, rationalized them, and mitigated incompatibilities – you might think the fun is over. Almost. Now that everything is known to be working, you’ll want to figure out how to install your applications in an automated way. In the next blog I’ll talk about approaches to get to a thinner image, but if you’ve been packing applications into your base OS image and doing sector-based captures of your reference computers’ disks, then you may want to look at ways to get your image count down and use the hardware and language neutral benefits in Windows 7 to get a single image. Getting to a single image in a larger organization typically means application packaging work is required.

Application Packaging

For some, application packaging and figuring out how to automate installation of your applications will be as easy as finding the silent install commands from the vendor. Usually these are in installation guides, Internet forums, or found using the ever-handy “/help” or “/?” switches in command line.

For in-house developed applications, there is a decent chance that silent install commands don’t exist for all of your applications and those applications will need to be packaged for the first time or repackaged if the installer package didn’t work with your new configuration (common examples are 16-bit installers when moving to 64-bit OS or OS version checks in packages looking for Windows version 5.1). There are a couple of tools out there like Flexera Software’s AdminStudio to help you create MSI packages as easily as possible. These are handy, as they tend to follow normal msiexec.exe silent install commands. Microsoft Application Virtualization also provides what is essentially a packaging mechanism with the application sequencing it uses to create virtual applications.

For some things you can avoid packaging by not including those applications in the standard OS build process and pre-staging installation files locally or making them accessible to users on the network. In the cases where everyone in the organization needs the application anyway, you can install those applications on your reference computer and create a custom image using ImageX. We’ll talk about the balance of how many applications to include in the custom image next time though.

That’s all for today and thanks for reading.

Jeremy Chapman

Windows 7 Deployment


Part 2: Migrating User Files and Settings from Windows XP to Windows 7

I debated on what part 2 of this blog series should be - hardware and software compatibility or data migration. I chose data migration purely based on the automation steps in the chain I listed out in the first blog and because there aren't many things that excite me more in the Windows 7 deployment space than Hard-link Migration. Think about the speeds of large file moves versus file copies. If you're impatient like me and hate waiting sometimes 3-4 hours for user state to migrate per computer when the operating system plus applications takes under 45 minutes in many cases, then you might appreciate Hard-Link Migration like I do.

To be fair, you could use technologies and tactics like roaming profiles, folder redirection and disallow creation of local email stores, at which point many of the problems associated with user state migration might go away, but in this case I'll cover the traditional case of user state as part of the user's computer.

If you manage desktops you probably have multiple users with files in every possible location on their PCs and there are settings like Internet Explorer favorites, known wireless network connections, application settings you want back in the new operating system. We can handle all of these things except for migrating the applications themselves. In most cases we'll want to test compatibility of older applications and not necessarily attempt to migrate them in-place from Windows XP to Windows 7, plus we can completely automate installation of managed applications at deploy time or capture them as part of the custom operating system image. I'll cover all of that in the next blog when I talk about application management.

Bringing this back to user files and settings, we know that user data is typically stored in a couple of places:

  • "C:\Documents and Settings" in Windows XP, and
  • "C:\Users" in Windows Vista and newer versions of Windows

Then the question that begs to be asked is...


Can't we just use robocopy or something to move the files from "C:\Documents and Settings" to a folder somewhere on the network named after the computer name and just copy them back to the "C:\Users" folder once we're finished?

Well, yes and no; it isn't usually that simple though. Unless you have draconian standards and policies about where your users can save data on their local drives, this won't suffice. We also have to look through settings in the registry we want to retain on the new computer, create and enable user accounts and some of us might want to block things from getting migrated. You may not want Joe in the marketing department to store his 100GB music and video collection on your managed PC, so we may want to block certain file types in the migration process (hopefully we let Joe know about this in advance so he has time to backup his media collection). On the other hand, Joe may not know where his Microsoft Office Outlook PST files are and even if we catch that PST file with our robocopy command, he'll probably call the helpdesk asking where his cached email is after we've installed Windows 7.

The good news is that we have a tool for this, the User State Migration Tool (USMT). The even better news is that if you use the Microsoft Deployment Toolkit (MDT) or System Center Configuration Manager (ConfigMgr) 2007 SP2, it's already part of the end-to-end OS deployment process. You may have seen the migration demos from Windows XP to Windows 7 occur in as little as 18 minutes (yes, with several gigabytes of data being migrated, too), but if you haven't, check them out:

Both of these demos are using the Hard-Link Migration feature for the Computer Refresh scenario (remember I defined this and other scenarios in the first blog). In the old days, USMT could support a Computer Refresh without moving the files off the computer, but it was basically a file copy and double-instancing of files locally whereas now the files do not move on the disk when migrating from Windows XP, we simply reassign pointers to files to the appropriate locations in Windows 7. The index of hard-links consumes around 200MB, so you don't need a lot of free disk space to use Hard-Link migration. Again think about how much faster it is to "move" a 1GB file versus copy it to another location on the same disk; that is why Hard-Link Migration is so much faster and it doesn't really matter if we move 5GB or 50GB in the migration; the times will be pretty similar. Those times depend on the number of files we move and not the size of the files.

The User State Migration Tool is now part of the Windows Automated Installation Kit (AIK) (download it here) and USMT installs simply via a file copy. Once you install Windows AIK, the USMT tools for 32 and 64 bit by default are located in the "C:\Program Files\Windows AIK\Tools\USMT" folder.

You can perform a simple Computer Refresh using Hard-Link Migration and move from Windows XP to Windows 7 using normal Windows 7 install media (retail DVDs) and coupling that with USMT. I outlined the process in a video and on TechNet in written form. This will quickly migrate files from the default-created Windows.old folder when you install Windows 7 onto a Windows XP computer. Remember, if you don't follow the default process and format the Windows partition during the install process, then Windows.old won't be there to migrate from, so just follow the default install to keep your data and create Windows.old.

So you might be asking another question at this point...

"What if I am doing a Computer Replacement and the data needs to move from my users' old Windows XP computer to my new Windows 7 computer?"

Computer Replacement is pretty common as well and the tools are also built to handle this. Normally, the data is passed from the old computer to a network share and then from the network share to the new computer. Both ConfigMgr and MDT can be used to automate the entire computer replacement migration process using a network share. You can even encrypt the migration store on the network (as ConfigMgr does by default) to ensure data stores cannot be compromised. Another useful addition to the migration tools for Computer Replacement is support for Volume Shadow Copy. That means that we can gather files even while they are in use. One thing to point out with Computer Replacement is that you can't get the speed benefits from Hard-Link Migration, because we are at the mercy of physics moving the data to an external network location or external hard drive.
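The two USMT scenarios described above, as an added example that is not part of the original post: a hard-link Computer Refresh from Windows.old, and a Computer Replacement through an encrypted store on a network share. It assumes the script sits in the copied USMT folder for the machine's architecture; `C:\store`, `\\server\migration` and `E:\usmt.key` are placeholders.

```batch
@echo off
rem Added example, not from the original post.
rem Assumptions: this file sits next to scanstate.exe and loadstate.exe;
rem C:\store, \\server\migration and E:\usmt.key are placeholders.
setlocal
set "SHARE=\\server\migration"
set "KEYFILE=E:\usmt.key"
set "LOGS=%TEMP%"

pushd "%~dp0"
if /i "%~1"=="refresh" goto refresh
if /i "%~1"=="capture" goto capture
if /i "%~1"=="restore" goto restore
echo Usage: %~nx0 refresh ^| capture ^| restore OLDCOMPUTERNAME
goto fail

:refresh
rem Computer Refresh, run on the new Windows 7 installation after a default,
rem non-formatting install left C:\Windows.old behind. The store holds hard
rem links only, so it has to sit on the same volume as the data.
scanstate.exe C:\store /o /c /hardlink /nocompress /i:migdocs.xml /i:migapp.xml /offlinewinold:C:\Windows.old\Windows /l:"%LOGS%\scanstate.log"
if errorlevel 1 goto fail
rem /lac is left out on purpose: it creates local accounts that are missing on
rem the target, with a blank password unless one is given. Without it only
rem accounts that already exist, or domain accounts, are restored.
loadstate.exe C:\store /c /hardlink /nocompress /i:migdocs.xml /i:migapp.xml /l:"%LOGS%\loadstate.log"
if errorlevel 1 goto fail
echo Verify the restore, then remove the store with: usmtutils.exe /rd C:\store
goto done

:capture
rem Computer Replacement, run on the old Windows XP computer. /vsc uses Volume
rem Shadow Copy for files that are in use. /keyfile reads the key from a file,
rem so it does not appear on the command line the way /key:"string" would.
rem /encrypt alone uses the tool's default algorithm; usmtutils.exe /ec lists
rem the algorithms this computer supports for /encrypt:<strength>.
if not exist "%KEYFILE%" (
    echo Key file "%KEYFILE%" not found.
    goto fail
)
scanstate.exe "%SHARE%\%COMPUTERNAME%" /o /c /vsc /encrypt /keyfile:"%KEYFILE%" /i:migdocs.xml /i:migapp.xml /l:"%LOGS%\scanstate.log"
if errorlevel 1 goto fail
goto done

:restore
rem Computer Replacement, run on the new Windows 7 computer with the same key
rem file; the second argument is the name of the old computer.
if "%~2"=="" (
    echo Name the old computer whose store should be restored.
    goto fail
)
loadstate.exe "%SHARE%\%~2" /c /decrypt /keyfile:"%KEYFILE%" /i:migdocs.xml /i:migapp.xml /l:"%LOGS%\loadstate.log"
if errorlevel 1 goto fail
goto done

:fail
popd
exit /b 1

:done
popd
exit /b 0
```

Keep the key file off the migration share: anyone who can read both the store and the key can read the users' data.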

What about the types and locations of files that get migrated? The newest User State Migration Tool adds a new algorithm to find more user files than previous versions of USMT. The control file (migdocs.xml) uses shared and comprehensive file detection logic with Windows Easy Transfer, so if you have used USMT in the past and had to extensively modify the previous control files (for example miguser.xml) to add file coverage, the new migdocs.xml should be a welcome addition.

I actually didn't set out to write this as an advertisement for the User State Migration Tool, but the truth is that the charter of USMT is to manage migration of user data and support as many mainstream options as possible for large customers. USMT does a great job in migrating user files and settings. Now for the people looking for a user interface for USMT, I would recommend you use it in conjunction with the Microsoft Deployment Toolkit or with System Center Configuration Manager. If you have used USMT in the past without a lot of success, the current version of USMT offers several enhancements to increase speed, flexibility and process reliability to make the migration portion of your operating system deployment easier and more predictable.

In the next blog, I'll take on the topic of application management - including application compatibility and automating application installation - as well as touch on hardware inventory and compatibility.

Thanks and stay tuned,

Jeremy Chapman

Windows 7 Deployment


Migrating from Windows XP to Windows 7 - Guidance for IT pros

Every day this week long-time Springboard technical contributor and Windows deployment insider, Jeremy Chapman, will post a blog about how to think about Windows 7 deployment projects.  We debated on making this a whitepaper or a feature article, but to keep things less formal, we went with a multimedia blog series. This series won't just cover steps to publish images in your Windows Deployment Services environments, instead it goes much broader into the major steps of deployment all-up; from figuring out what applications and hardware you have to migrating files, managing applications, building images, incorporating drivers and automating stuff end-to-end. Jeremy has been a veteran member of the Microsoft Deployment Toolkit team and while he won't be posting the classic "1500 pages" of how-to content, he will stay on his quest for the elusive and often escalated-for "one-page paper" to migrate enterprise customers from Windows XP to Windows 7. Let's see if he can do it!

Part 1 is already up and parts 2-5 are coming each day this week:

  1. The "One-Pager" for Moving from Windows XP to Windows 7 (Overview)
  2. Migrating User Files and Settings from Windows XP to Windows 7
  3. Application Management and Preparing for a Windows 7 Deployment
  4. Choosing an Image Strategy and Building Windows 7 System Images
  5. Automating the migration from Windows XP to Windows 7 End-to-End

Subscribe to the RSS feed or check back for the rest this week. If you are coming to TechEd Europe next week, Jeremy will be delivering multiple sessions on Windows deployment and application compatibility. Please let us know what you think about these blogs, the longer multimedia format and whether you would like to see other topics covered.

 As always, thanks for reading and I hope to see some of you next week at TechEd!

 Stephen Rose


Part 1 – Migrating from Windows XP to Windows 7

This is the first blog in a series of blogs explaining how to migrate from Windows XP to Windows 7. As the enterprise operating system deployment guy, I often get requests for a "one-page" article on performing desktop deployment or migrating Windows XP PCs to Windows 7. Although I have seen full length books printed on the head of a pin, without using either really, really small font or a really large page, I don't think it is possible to explain the entire set of desktop migration tasks when moving from one operating system version to another within one page. If you are upgrading one PC from Windows Vista or performing a clean installation on your personal computer (coming from any recent version of Windows), there is one-page guidance available here for doing that, but it probably won't satisfy you if you want to perform these tasks more than about five times.

Let's start by stating a few assumptions:

  1. You are an IT professional and looking to move multiple PCs or users from Windows XP or Windows Vista to Windows 7.
  2. The computers you are transitioning to Windows 7 have user data, settings and applications that somehow - either partially or completely - need to be migrated to Windows 7.
  3. You don't want to manually transfer user files either via file copy or use manually-operated consumer tools (i.e. Windows Easy Transfer) from the legacy PC to Windows 7.
  4. You would prefer to have applications either be part of the customized operating system you install or automate application installation as part of the all-up deployment process.
  5. In the best case, you would prefer that the entire process is as automated as possible.
  6. You have some previous experience with operating system installation, deployment or system imaging.

You might be thinking, what about the common process of hard drive cloning or sector-based imaging to just duplicate a reference install?

The good news is that with advances in system imaging, you don't necessarily need to spend hours saving user data off an old computer, cloning a hard drive of a reference computer and then taking the time restoring the data you saved in the first step. While the hard drive cloning process is probably the most common practice out there now to install a customized operating system, it has several disadvantages, including:

  • the overall time required per system (when including user data migration),
  • eventual proliferation of hard drive images based on different hardware types,
  • image sizes and storage space consumed,
  • hard drive cloning software may have a cost,
  • unnecessary time spent to rebuild and maintain each of many images in an ongoing way, and
  • per user customization of installed applications and license activation is often a manual process.

There are a few options you have when coming from Windows XP and much of it depends on the size and complexity of your environment. We highlight four primary options for migrating from Windows XP to Windows 7 (or Windows Vista) in the "Choosing a Deployment Strategy" article on Microsoft TechNet. In fact, that article will probably go into more detail than I can in a couple of blog posts and it does a great job in pointing to tools and resources.

I'm using quite a few terms interchangeably in the text above and will be throughout this series. When I use the terms like "migrate from Windows XP" or "operating system deployment" or "transition from Windows XP", I am talking about the major steps we cover in any operating system deployment:

  • collecting existing user data and settings if they exist,
  • installing the operating system,
  • installing drivers and applications,
  • activating the operating system,
  • joining a domain if necessary,
  • restoring user data and settings, and
  • ideally providing the flexibility to customize what applications we are installing by user role and apply language preference, locale, time zone, etc. based on user needs

I usually refer to this collective process as "deployment" and there are a few other terms we'll define before concluding this series introduction. Subsequent blogs will refer to installation scenarios, so let's define the main ones:

  1. Refresh Computer. This is when a user has a PC with files, settings and applications and we will be installing the new operating system to that existing computer and assume the same user keeps that computer. In this case, we try to keep user files and settings locally on that computer to save time, storage and network bandwidth. Some refer to this as an "in-place wipe and load" (without actually wiping the user's data) or loosely as "upgrading" a PC.
  2. Replace Computer. This is when the user is getting a new computer or a computer is re-assigned from another user and the user data and settings need to move off the old computer through some method and onto the new computer. This scenario tends to take the most time compared to Refresh Computer and New Computer. Some refer to this as "side-by-side" migration, but it isn't necessary for the PCs to be physically near each other or otherwise connected in this scenario.
  3. New Computer. This is when there is no requirement to migrate pre-existing user data or settings. New Computer is used for a new hire, a secondary PC or if an old computer was lost or damaged and user data was not previously backed-up. Some refer to this as "bare metal" deployment, but in most cases there is some OEM pre-installed operating system we will be replacing.

Now we have listed the assumptions for following the series, listed a few reasons why you may want to look at your existing deployment process if it involves hard drive cloning, roughly defined the all-up operating system deployment process and defined the primary installation scenarios. I think I've gone over a page in length, but this provides the backdrop for the upcoming blog posts. In the next blog, I'll describe the options and recommendations for user data and settings migration when moving from Windows XP to Windows 7.

Thanks and stay tuned,

Jeremy Chapman

Windows 7 Deployment 


Configuring Default User Settings – Full Update for Windows 7

This post was provided by Michael Murgolo, a Senior Consultant with Microsoft Services, U.S. East Region.  This post (and any updates) can also be found on the Deployment Guys blog here.

Anyone who has been doing operating system deployments long enough has had to deal with configuring default settings for users that log on to the computer after the image is deployed. Some examples of these are folder settings, desktop wallpaper, and screen saver options. Most of these will be initial settings for user preferences that users will be able to change (unlike policies which are enforced). This is done so that users will have a consistent, known experience when logging on to any client computer for the first time.

This can be done in a number of ways.  Below are the methods I have seen or used with what I feel are pros and cons of each.

Implementing Default User Settings by modifying the Default User Profile

There are three main methods that have been used to configure the Default User profile.  Only one method (B) is now officially supported and I recommend that you use this method.

A. Manual or scripted copy of a configured profile over the Default User profile (unsupported)

The traditional solution for this (developed during the Windows NT Workstation days) was to configure the Administrator account (or another designated account) with the settings, then copy the Administrator (or designated account) user profile over the Default User profile.  This was previously documented in numerous Knowledge Base articles (which have now been deleted).  A tool called CopyProfile was even created to script this process during unattended installations of Windows XP.

However, there are problems with using this procedure.  It is a very old procedure from NT4, when the shell was much simpler.  The shell is more complicated for Windows 2000 and higher.  This process will copy settings that should not be copied to the default user profile.  It may seem to work but you will find subtle problems.  Windows XP and later have made those subtle problems more visible.

Also, the Default User profile contains some single run actions that occur when the user logs in for the first time, which then setup that user by running those custom actions.  If you overwrite the Default User profile, those single run actions do not take place.

The manual profile copy process can cause issues such as:

  • Their list of most frequently run programs is not cleared
  • Whether the user has been introduced to the Start menu (will be set to TRUE for the source account, but should be FALSE for new users). Windows Explorer does some special things the first time you log on to introduce you to the Start menu and other new features.
  • Whether the user is an administrator (and should therefore see the Administrative Tools, etc).
  • The personalized name for "My Documents" will be incorrect. All users documents folders will be called "Administrator's Documents".  This is documented in the Knowledge Base article "The Desktop.ini File Does Not Work Correctly When You Create a Custom Default Profile" (http://support.microsoft.com/?id=321281).
  • The default download directory for IE will be set to the Administrator's Desktop folder.
  • The default Save and Open locations for some applications will point to the Administrator's documents folder.
  • Windows 7 Libraries are broken.

Because of these issues, this process is no longer supported in Windows XP and all later operating systems.  Unfortunately, the ability to copy a profile over the Default User profile was not blocked in Windows XP, Windows Server 2003, Windows Vista, or Windows Server 2008.  This allowed many administrators to continue using the process and putting their Windows installations into an unsupported state.  To prevent this, Windows 7 and Windows Server 2008 R2 now block this scenario by having the Control Panel System applet gray out the option to overwrite the Default User profile.

At this time the only supported way to configure the Default User profile using a copy of a configured profile is to use the next method described here, the automated profile copy associated with using Sysprep.

B. Automated profile copy with Sysprep (supported)

First introduced in Windows XP Service Pack 2 (http://support.microsoft.com/?id=887816), Minisetup was modified so that it will copy customizations from the local administrator account to the default user profile.  All subsequent versions of Windows will also do this with the proper entries in the answer file.  This process was designed to avoid the problems with method A and is already automated. 

I won't dwell on how the automated profile copy is used since it is documented in several Knowledge Base articles:

How to customize the default local user profile when you prepare an image of Windows Vista, Windows Server 2008, Windows XP, or Windows Server 2003
http://support.microsoft.com/?id=959753

How to customize default user profiles in Windows 7
http://support.microsoft.com/?id=973289

However this process does have a drawback.  It does not propagate all settings to Default User and there is no known documentation as to what will and will not be propagated.  It also can be difficult to determine if a setting did not carry over to a new user because it was considered inappropriate (i.e. not copied to Default User by design) or is being reset by Minisetup/Specialize or first logon processes.

One final important point to remember is the difference in behavior between Windows XP/Windows Server 2003 and Windows Vista and higher with respect to when the answer file setting must be present for the automated profile copy to occur.  On Windows XP and Windows Server 2003, if you want to change the behavior of the automated profile copy, the UpdateServerProfileDirectory entry must be present in Sysprep.inf when Sysprep is run.  This is because the profile copy happens when Sysprep is run on Windows XP and Windows Server 2003.  The exact opposite is true for Windows Vista and higher.  The CopyProfile setting must be set to True in the final answer file that is present when the OS restarts after Sysprep (Specialize phase) or the answer file used when Setup is used to deploy the custom image.  This setting does not necessarily have to be present in the answer file used during the image build when Sysprep is run (Generalize phase).  This is because the profile copy for Windows Vista and higher happens only during the Specialize phase.  So if you are using a deployment tool like ConfigMgr or MDT that may modify/replace the Unattend.xml, make sure that CopyProfile is configured in the answer file used for deployment.

C. Targeted changes to the Default User Registry hive and profile folders

I used to use this method before the automated profile copy existed.  It can be useful when only a small number of targeted changes are required.  It can be described as follows:

1. Identify the needed Registry changes.  Then use a tool like Reg.exe or KiXtart to load the Default User hive into a temporary location in the Registry, write only the needed settings, and then unload the hive.  The Knowledge Base article "How to run a logon script one time when a new user logs on" (http://support.microsoft.com/?id=284193) shows how to do this manually.  This can be scripted for an unattended installation using Reg.exe as shown in this example (these lines may wrap due to page width):

:: ***** Configure Default User
:: *** Load Default User hive
reg load "hku\Test" "%USERPROFILE%\..\Default User\NTUSER.DAT"
:: *** Disable Desktop Cleanup
reg add "hku\Test\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\CleanupWiz" /v NoRun /t REG_DWORD /d 1 /f
:: *** Unload Default User hive
reg unload "hku\Test"

2. Copy only needed files or shortcuts to the Default User profile folder.

This has the advantage that all changes to Default User are known and predictable.  However, this requires that all changes be reduced to "scriptable" items (i.e. Registry or file system changes, no manual configuration). 

To get this method to work properly on various service pack versions of Windows XP or Windows Server 2003 you have to disable the automated profile copy.  In some cases you have to either install the hotfix from this KB article: http://support.microsoft.com/?kbid=887816 or set UpdateServerProfileDirectory=0 in Sysprep.inf.  Which service pack versions have the automated profile copy enabled by default is documented in KB959753.  In Windows Vista and higher the automated profile copy is disabled by default.  You would then do the Default User hive registry edits before Sysprep runs.

This method can also be used to make changes to the Default User profile for machines that are already deployed in production.

You should exercise caution using this method.  Try to keep all changes limited to only the individual Registry or file system changes needed for a particular desired result (e.g., a Windows or application setting).  Do not do wholesale export and import of Registry keys or folder trees.  This can potentially lead to the same problems as a manual profile copy.  You can use a tool like Sysinternals Process Monitor to identify the individual changes.

Implementing Default User Settings by Using Scripts or Group Policy

The following methods are not for configuring the Default User profile directly.  However, they can be used to achieve the same effect (configuring settings the first time a new user logs on).  And they have the added advantage of potentially being centrally managed.

D. Local logon script in the RunOnce Registry key

This is documented in "How to run a logon script one time when a new user logs on" (http://support.microsoft.com/?id=284193).  This manual process can be scripted with reg.exe.

There are several advantages to using a script in the default user RunOnce key.  It completely avoids the effects of Sysprep, CopyProfile, Minisetup/Specialize, or first logon processes.  Also, if the default initial user settings need to be changed after deployment, only the script file needs to be updated (instead of having to script a load/unload of the default user hive and fix multiple settings).  Finally, it is easy to "reset" a user's settings to the defaults because the script can be kept up to date and present on every box through software distribution or Computer Startup Scripts.  This method also requires that all changes be reduced to "scriptable" items.
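One way to script method D with Reg.exe, as an added example that is not code from the original post. The script location, the value name FirstLogon, and the temporary hive name are assumptions chosen for illustration; the script is kept in a folder that standard users cannot write to, because every new user will execute it at first logon.

```batch
@echo off
:: Added example (not from the original post): register a first-logon script
:: in the Default User hive's RunOnce key. Run from an elevated prompt.
:: Assumed names: FirstLogon.cmd, its folder, the value name, and the hive name.
setlocal

:: Keep the script where only administrators can modify it. The path is
:: assumed to contain no spaces, so it is stored without inner quotes.
set "SCRIPT=%SystemRoot%\Setup\Scripts\FirstLogon.cmd"
set "HIVE=HKU\DefaultUserTemp"

:: Windows Vista and higher keep the default profile in Users\Default;
:: English Windows XP / Server 2003 use Documents and Settings\Default User.
set "DAT=%SystemDrive%\Users\Default\NTUSER.DAT"
if not exist "%DAT%" set "DAT=%SystemDrive%\Documents and Settings\Default User\NTUSER.DAT"

if not exist "%DAT%" (
    echo Default User hive not found. 1>&2
    exit /b 1
)
if not exist "%SCRIPT%" (
    echo %SCRIPT% is missing; refusing to register a RunOnce entry that would fail. 1>&2
    exit /b 1
)

:: Load the hive, write the single RunOnce value, and always unload again.
reg load "%HIVE%" "%DAT%" || exit /b 1
reg add "%HIVE%\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v FirstLogon /t REG_SZ /d "%SCRIPT%" /f
set "RC=%ERRORLEVEL%"
reg unload "%HIVE%"
exit /b %RC%
```

Each new profile created from Default User inherits the RunOnce value, runs the script once in that user's context, and Windows then removes the value from the user's own hive.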

E. Local or Domain GPO logon script

A Group Policy logon script can be used to set "default settings" once by having the script set a flag after it first runs (perhaps an HKCU Registry entry) that it will look for and exit if found on subsequent runs.  A Domain logon script has the added benefit of being centrally managed.  This method also has the same advantages as method D.  This method also requires that all changes be reduced to "scriptable" items.
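The run-once flag described for method E could look like the following logon script, which is an added example and not code from the original post. The flag key HKCU\Software\Contoso\DefaultSettings, the value name AppliedVersion, and the version number are hypothetical; the setting applied is the Desktop Cleanup value used earlier in this post.

```batch
@echo off
:: Added example (not from the original post): apply "default" settings once
:: per user from a Group Policy logon script.
:: Assumed names: the flag key, the AppliedVersion value, and VERSION.
setlocal
set "FLAGKEY=HKCU\Software\Contoso\DefaultSettings"
:: Raise VERSION to push a revised set of defaults to existing users.
set "VERSION=1"

:: Read the flag. The third token of the value line is the data, whether
:: reg.exe separates columns with spaces or with tabs.
set "APPLIED="
for /f "tokens=3" %%A in ('reg query "%FLAGKEY%" /v AppliedVersion 2^>nul ^| findstr /i /c:"AppliedVersion"') do set "APPLIED=%%A"
if "%APPLIED%"=="%VERSION%" exit /b 0

:: Individual, targeted settings only (no wholesale key imports).
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\CleanupWiz" /v NoRun /t REG_DWORD /d 1 /f >nul || goto :failed

:: Write the flag last so that a partial run is retried at the next logon.
reg add "%FLAGKEY%" /v AppliedVersion /t REG_SZ /d "%VERSION%" /f >nul || goto :failed
exit /b 0

:failed
echo Default settings were not fully applied; they will be retried at next logon. 1>&2
exit /b 1
```

Because the flag lives in HKCU, the user can delete or change it; it is a convenience marker for initial defaults, and settings that must be enforced belong in policy.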

F. Group Policy Preferences

Group Policy preferences first shipped as part of the Group Policy Management Console (GPMC) in Windows Server 2008.  GP preferences consist of more than 20 Group Policy extensions that expand the range of configurable settings within a Group Policy object (GPO). Many of these extensions can configure settings that are commonly configured as default settings in a desktop image. Unlike policies, GP preferences can be changed by the user in most cases. Also, GP preferences can be configured to "apply once and do not reapply". This allows them to behave exactly like initial default settings configured in an image but has the benefit of being centrally managed and updated.

GP preferences cover many of the areas where default settings are usually configured such as:

  • Environment Variables
  • Files
  • Folders
  • INI File Settings
  • Registry
  • Shortcuts
  • ODBC Data Sources
  • Folder Options
  • Internet Settings
  • Local Users and Groups
  • Network Options
  • Power Options
  • Regional Options
  • Scheduled Tasks
  • Start Menu

The main disadvantages of GP preferences are that managing them requires either Windows Server 2008, Windows Server 2008 R2, the Remote Server Administration Tools (RSAT) update for Windows Vista with Service Pack 1 or higher, or the RSAT update for Windows 7, and that client-side extensions (CSEs) have to be installed for Windows Vista RTM, Windows XP with Service Pack 2, and Windows Server 2003 with Service Pack 1 or higher.  For those still managing Windows 2000 images, you will have to use one of the previous methods mentioned since GP preferences will not work on Windows 2000.

I believe that GP preferences will likely be the best way to manage this going forward. Simply create GPOs using GP preferences, target them as needed, install the CSEs into the image(s) as needed, and you no longer need to worry about configuring these settings in the client image(s).

For information about Group Policy preferences see the following web resources:

Group Policy Preferences Overview

http://www.microsoft.com/downloads/details.aspx?FamilyID=42e30e3f-6f01-4610-9d6e-f6e0fb7a0790

Group Policy Preferences Frequently Asked Questions (FAQ)

http://technet.microsoft.com/en-us/windowsserver/grouppolicy/cc817590.aspx

Disclaimer: The information on this site is provided "AS IS" with no warranties, confers no rights, and is not supported by the authors or Microsoft Corporation. Use of included script samples are subject to the terms specified in the Terms of Use.

This post was provided by Michael Murgolo a Senior Consultant with Microsoft Services, U.S. East Region.  This post (and any updates) can also be found on the Deployment Guys blog here.

I have written several posts on this topic before.  However, changes were made to Windows 7 and Windows Server 2008 R2 that warrant a full revisit of this topic.


Now Available: Security Baselines for Windows 7 and Internet Explorer 8

Now that Windows 7 is available, are you looking for some security baseline recommendations from the experts? Then here’s another timely release from the Microsoft Solution Accelerators team! Today, new security baselines for Windows® 7 and Windows® Internet Explorer® 8 are available for download.

Over the past few months, the Solution Accelerators team collaborated with Microsoft security experts, multiple government agencies worldwide, and a large community of IT security professionals to develop and test these new security baselines. All of these baselines are free for you to use.

In case you are not familiar with all of the security baselines available for Microsoft products, they ship as part of the Security Compliance Management Toolkit (SCMT) Series. The SCMT helps you to plan, deploy, and monitor security baselines for Windows® operating systems, Internet Explorer, and 2007 Microsoft® Office applications. It contains background information about compliance, and planning advice about how to automate security compliance. It also refers you to other tools and guidance that you can use to establish and deploy a security baseline, and then monitor and maintain compliance with your established configuration.

Where do you start?

At a high level, security compliance consists of four basic steps:

  1. Plan how to meet security baseline requirements.
  2. Deploy security baseline configurations.
  3. Monitor security baseline configurations.
  4. Remediate security baseline configurations.

 


The tools, guidance, and recommendations in the SCMT help you through each step of this process and give you the support to make key decisions about security baseline settings for your specific environment.

Here’s what you get:

  • Security guide – The toolkits include new and updated security guides for Windows 7, Windows Vista, Windows XP, Windows Server 2008, Windows Server 2003 SP2, Microsoft Office 2007 SP1, and Internet Explorer 8. The guidance provides you with best practices and automated tools to help you plan and deploy your security baselines.
  • Attack Surface Reference workbook – A resource that lists the changes introduced as server roles are installed on computers running Windows Server 2003 and Windows Server 2008.
  • Security Baseline Settings workbook – A resource that lists all of the prescribed settings for each of the preconfigured security baselines that the guides recommend.
  • Security Baseline XML – XML files that allow you to consume the data defined in the security baseline settings workbooks.
  • GPOAccelerator tool – A tool that you can use to create all of the Group Policy objects (GPOs) you need to deploy your chosen security configuration. This release also supports creating security configurations on computers not joined to a domain.
  • Baseline Compliance Management Overview – The overview discusses best practices on how to monitor security baselines for Windows operating systems, Office applications, and Internet Explorer 8.
  • DCM Configuration Pack User Guide – A step-by-step prescriptive user guide about how to use Configurations Packs with the DCM feature in Configuration Manager 2007 R2.
  • DCM Configuration Packs – Configuration Packs that provide prescriptive security information, which you can use to check the compliance of systems in your environment.

What should you do next?


Windows 7 Early Adopter Panel at the Gartner Symposium

This post was written by Devrim Iyigun, a Senior Product Manager here in Redmond.

I had a chance to attend Gartner Symposium/ITxpo 2009 last week in Orlando, Florida. For those of you who are at the early stages of deploying Windows 7, looking for some insider information and did not have the opportunity to attend the conference, I have a great resource I would love to share with you.


Gartner Symposium/ITxpo 2009 is one of the industry’s largest and most important annual gatherings of CIOs and their senior IT leaders. This year’s event focused on how business technology can help customers return to growth by balancing cost optimization and risk mitigation. Microsoft was helping customers to understand how they can realize the benefits of Windows 7. With the general availability date for Windows 7 being October 22nd, this year’s event was quite special for the Microsoft team.

One of the Microsoft-sponsored sessions that took place was the Windows 7 Early Adopter Customer Panel. In this highly visible discussion, featured Gartner Research VP & Distinguished Analyst Michael Silver facilitated the panel around Windows 7 planning, deployment and customer experience with Windows 7 Early Adopter Customers: ADP, BMW, Energizer and Pella.

The panel includes discussions about topics of importance for enterprises considering the move to Windows 7 such as application compatibility and deployment goals. ADP, BMW, Energizer and Pella share their perspective on business drivers to adopt Windows 7 and the benefits they expect to achieve with deploying Windows 7. These companies also share their deployment experience and recommendations for companies new to Windows 7 deployment.

This is your chance to get valuable insider information from Microsoft Customer industry leads.  Please click here for a replay of this webcast.

For more enterprise company case studies, information on Windows 7 cost savings or our webcast series just visit our Windows Enterprise site.

For all of your Windows 7 IT pro information, visit the Springboard Series on TechNet. The destination for Windows desktop IT professionals to Discover & Explore, Pilot & Deploy and Manage Windows 7.


The “Get On The Bus Tour” Kicks Off Today In Milan


Beginning today, 26 October, the Springboard/Microsoft Learning “Get On The Bus” tour will kick off an 11-city European road show that will begin in Milan and end at Tech-Ed Europe in Berlin on 9 November. At each tour stop, you’ll get an exclusive preview of Microsoft Windows 7, Microsoft Windows Server 2008 R2, Microsoft Desktop Optimization Pack (MDOP), Med-V, App-V, and Microsoft Exchange Server 2010. The Career Express tour spotlights new training and certification opportunities that will sharpen your skills on next year’s hottest technologies.

Join us at a stop near you for technical training, professional networking, hands-on experiences, and real world guidance from industry experts.

Where will the bus be? Tour Dates: Milan, 26 Oct | Zurich, 27 Oct | Paris, 28 Oct | London, 29 Oct | Brussels, 30 Oct | Amsterdam, 2 Nov | Frankfurt, 3 Nov | Munich, 4 Nov | Vienna, 5 Nov | Prague, 6 Nov | Berlin, 9 Nov

We even have a web page showing you exactly where the bus is right now.

We have some great Microsoft and community experts presenting on all the topics. I will even be on the tour doing the Windows 7 sessions starting in Amsterdam Nov 2nd. So if you can’t make it to TechEd EMEA this will be one of your best opportunities to meet the experts and see the new technologies from Microsoft live and in person.

For more information on the bus tour visit The Bus Tour or follow the Twitter feed here


Infrastructure Planning and Design Guide for DirectAccess Now Available!

Over the past months, my colleagues from the Microsoft Solution Accelerators team have been hard at work to develop the planning and design guidance for DirectAccess. Today, we are pleased to announce the release of the Infrastructure Planning and Design (IPD) Guide for DirectAccess.

In case you haven’t heard, the new DirectAccess feature in Windows 7 and Windows Server 2008 R2 now gives you the ability to allow remote users to access enterprise shares, websites, and applications without the need to connect to virtual private network (VPN) systems. DirectAccess also gives IT managers like you the ability to update remote PCs anytime they are connected to the Internet, without the user being logged on to the machine.

As you prepare to take advantage of DirectAccess, your first step should be designing your infrastructure to support this access feature, which provides different security options. But how do you know where to start?

This IPD Guide for DirectAccess covers four key steps in the design process for DirectAccess to help you do just that.

 

DirectAccess Decision Flow

The IPD Guide for DirectAccess is a member of the Windows 7 Solution Accelerators family that are designed to help you accelerate the planning, deployment and operations of Windows 7 and features such as DirectAccess. Download this guide today and get started!

Next Steps

  1. Download the IPD Guide for Direct Access.
  2. Download other best practices from the Infrastructure Planning and Design series for products such as Windows Server 2008 R2, Hyper-V, App-V, SQL Server 2008, Exchange Online, SharePoint Online, System Center and much more at the IPD home page on TechNet.
  3. Learn how DirectAccess enables remote users to access the corporate network anytime they have an Internet connection, without the extra step of initiating a virtual private networking (VPN) connection. Find out how to use DirectAccess to provide a more secure and flexible corporate network infrastructure in which computers on and off the network can remain healthy, managed, and updated.
  4. Visit the Deployment Zone on Springboard to learn more about Direct Access.
  5. Check out other Windows 7 Solution Accelerators.


It’s final—Windows 7 is here!

Unless you’ve been hiding in a cave this past year you probably know that today is the official market launch of Windows 7.  While Windows 7 has been available to commercial customers since July, this milestone marks the point where the final release is now available to the general public through retail purchase or preloaded on new PCs.

It has been quite a journey. From the first beta release in January and the Release Candidate (RC) in May through the final RTM in July, IT professionals have played an instrumental role in helping make Windows 7 the best performing, most reliable and most secure Windows operating system ever.  Thank you for all of your feedback, suggestions for improvement, and support during the development process!  If you haven’t downloaded the 90 day evaluation release, you can find it here.

We hope most of you are taking the steps to prepare for adopting Windows 7 into your environment—assessing your hardware, testing your applications, and learning about the new deployment tools.  You can find helpful guidance and resources on the Springboard Series on Technet, including our recent article on the “Five Steps to Application Compatibility Readiness.”  Take a look at the Windows 7 tab, and browse through the “Discover & Explore,” “Pilot & Deploy” and “Management” sections.  In addition, you’ll find great technical drill-downs in the “Top Task” zones down the left-hand side of the site.  Finally, be sure to visit www.talkingaboutwindows.com to hear back stories from the engineers responsible for Windows 7 development, join in the conversation with other IT professionals working to adopt Windows 7, and find local events where you can join your peers and learn more about how Windows 7 can help you streamline client management.

We also understand that as an IT professional, you are often expected to offer voluntary IT services to your friends and family – which can be painful and a little thankless to say the least!  So to help you get ahead of those time-consuming requests, we thought we would point out how Windows 7 will help people avoid problems and quickly remedy issues without expert intervention—um, yours to be specific.  Check out this month’s feature article, “Why You Want Friends and Family on Windows 7” for a walkthrough of the new features and other capabilities that will help keep users’ PCs healthy and productive and make it easier to resolve any issues that arise.  You can find more helpful information about home use of Windows 7 in the “IT Pro at Home” zone.

We want to take a moment and thank all of you who tested the Beta and the Release Candidates. We could not have made this great product without you. We also hope that you’ll join in the community

Thank you

Stephen Rose – Sr Community Manager



Application Compatibility VRT Questions Answered

Thank you again for all of you who tuned in live for our most recent virtual roundtable. We had so many questions asked during the broadcast, we were unable to get to all of them so I am dedicating this blog post to the questions and to the answers provided by our product teams involved in the broadcast.

To view all the questions and answers, click here.

For more information and resources on application compatibility with Windows 7, please visit our page on TechNet here.


Missed Our Application Compatibility Virtual Roundtable?

Did our VRT wrap-up post whet your appetite for more? Looking to learn about virtualization as an application compatibility tool? No need to worry if you missed the live event, as it is now available to stream or download here.

Windows 7 Application Compatibility Part 2: Virtualization

In part two of this Springboard Series Virtual Roundtable on Windows 7 Application Compatibility, you'll hear from Microsoft Technical Fellow Mark Russinovich and a panel of experts on how virtualization tools can help you with application compatibility concerns whether you're migrating from Windows Vista or Windows XP.

Here’s your chance to get powerful insight into how presentation virtualization, desktop virtualization and application virtualization can reduce testing times, expedite deployment, and ultimately help you streamline PC management. Also covered are the latest desktop virtualization technologies from Microsoft including Microsoft Application Virtualization (App-V), Microsoft Enterprise Desktop Virtualization (MED-V), and Windows XP Mode for Windows 7.

To see part one of this Virtual Roundtable or to view any of our previous roundtables, click here.

As always, visit the Springboard Series for the latest tools, walkthroughs, FAQs and information for IT pros around Windows 7 and visit our Talking About Windows Event Portal to see all the latest IT pro events worldwide on Windows 7 and Server 2008 R2 in your area. More events are being added every day!


Welcome to The New Efficiency Virtual Launch Event

Are you looking to learn more about Windows 7, Windows Server 2008 R2, Exchange 2010 and other Microsoft products? Well the New Efficiency Virtual Launch Event is the perfect opportunity to do so.

What will you find there?

  • Steve Ballmer’s Keynote Replay
  • Over 100 sessions presented by Microsoft. Topics include:
    • Windows 7 Application Compatibility
    • Windows 7 Deployment Technologies
    • Windows XP Mode Overview
    • Saving WAN costs with BranchCache
    • Remote Desktop and Applications with WS08 R2
    • Microsoft Web Platform – What’s New in IIS 7.5
    • Voice Mail with Unified Messaging in Exchange 2010
    • Outlook Web App in Exchange 2010
    • Information Protection Solutions Overview
    • MDOP; Asset Inventory Services
    • and much much more
  • Visit Virtual Partner Booths from:
    • Cisco, AMD, Dell, Citrix, Intel, plus many others
  • Download full version trials of Windows 7 Enterprise, Server 2008 R2, Exchange Server 2010 and Microsoft Forefront.
  • Virtual backpacks so you can download transcripts from every demo, documentation and more.
  • Links to hundreds of additional Microsoft resources to help you
  • Links to brand new Springboard Series Windows 7 content created just for the virtual launch experience.

The best part? All of this is available to you for free. Just visit www.thenewefficiency.com later today and see what happens when cost savings, productivity and innovation come together.


Application Compatibility Roundtable with Mark Russinovich Wrap-up

Thank you to all of you who tuned in and posted or sent in questions for our most recent roundtable and made it another huge success. We will be posting all the questions and answers in the next few days so keep an eye out.

Missed the VRT? Here is the promo of what you can look forward to when the replay becomes available later this week.

 

To be the first to know when the replay goes live, follow our Twitter feed @MSSpringboard or watch for our blog post here.


Join Us For The New Efficiency Launch Event

Early adopters speak out on business value live September 29th 9-10.30am PDT

Join in the conversation during this must-see event and see top technology leaders and Microsoft’s Steve Ballmer, debate the role of IT during this economic reset. Can cost savings, productivity and innovation come together to drive business growth? Get a closer look at how real companies are justifying IT investments across desktop, server, network and beyond.  You’ll also find sessions related to new releases of Windows 7, Windows Server 2008 R2, Microsoft Exchange Server 2010, Microsoft Forefront, Microsoft System Center, and Microsoft Desktop Optimization Pack.

Sign up here and mark your calendars.
