Microsoft recently published a deployment guide for Microsoft Office 2010. The content in this book is a copy of selected content from the Office 2010 Resource Kit Technical library. Download the guide from here

Last week I had a Windows 7 planning meeting with one of our clients and like in any other Windows 7 related meeting that i have had in the past months with other customers, the topic about XP Mode was brought up. It appears that when speaking about application compatibility, first thing people think of is XP Mode. To be honest I don’t blame them, because when XP Mode was first introduced in April 2009 during the Windows 7 Beta phase it was promoted as a possible workaround for Application Compatibility issues and therefore got a lot of attention. The message almost sounded like “There is no barrier to move to Windows 7 because if you run into an application compatibility issue, you can always use XP Mode”. So what’s your point? Well, while the statement as such is absolutely true, there are a few things to consider when we speak about computers that run in an enterprise environment.

What is XP Mode? Windows Virtual PC is the latest Microsoft virtualization technology for Windows 7. It is the runtime engine for Windows XP Mode to provide a virtual Windows environment for Windows 7. With Windows Virtual PC, Windows XP Mode applications can be seen and accessed from a Windows 7 desktop. So in simple words, with XP Mode one can run the Windows XP operating system in a virtualized environment on top of Windows 7

System Requirements

The first version of XP mode required that the hardware supported hardware assisted virtualization (HAV), but that requirement was removed in March 2010 allowing more users to use Windows XP Mode. The hardware therefore should at least meet the Windows 7 system requirements plus an additional 512 MB – 1 GB of memory and 5-15 GB disk space for the Virtual OS.

Installation – Deployment

If only needed on a handful of clients Windows XP mode can be installed manually by a systems administrator through the following website http://www.microsoft.com/windows/virtual-pc/download.aspx which will install Windows Virtual PC and then the XP Mode Virtual Machine. But if more than just a few installations are needed, companies should consider preparing an automated process for which Microsoft has provided a guide and sample scripts that can be downloaded from here. When deploying XP mode either the standard Windows XP Service Pack 3 image provided by Microsoft or a customized Windows XP Service Pack 3 image can be used.

Applications that run in XP Mode

Applications that need to run in XP Mode can be made available either by having them pre-installed within a customized image or by installing them through Software Distribution. Of course it would also be possible to install applications manually on a per VM basis, but this is a time consuming task. When using Software Distribution, companies must take into account that also the virtual OS will consume a license.

Antivirus and Security Updates

Because the virtual OS has also access to a companies IT infrastructure (users will want to print and access data from their applications running in XP Mode), Antivirus protection and security updates must be taken into account as well. Companies will have to carefully look at the licensing aspects because usually most products are licensed on a per installed operating system basis. However some vendors offer special agreements for the use of XP Mode. McAfee allows the use of VirusScan Enterprise on both Windows 7 and XP Mode on one computer and counts this as one license, however for the use of the McAfee Host Intrusion Protection software a single license can only be used either for Windows 7 or Windows XP Mode. If both clients need HIPS, two licenses are needed. (McAfee source).

To keep the Windows XP VM up to date with operating system security patches, companies should consider to either patch these clients through their Software Distribution Patch Management infrastructure or configure these clients to directly access Windows update or an internal WSUS server and automatically install patches as they become available respectively become approved by the system administrator. Again the number of deployed clients with XP Mode enabled will dictate the best dictate the best and most efficient strategy.

Will this work out?

If the use of XP Mode is only considered for a small number of clients, the effort of manually installing XP mode or preparing an automated deployment process is acceptable, however if a company plans to deploy XP Mode on several hundreds of clients and in addition plans to use it for a longer period of time they should look at more scalable solutions such as Microsoft Enterprise Desktop Virtualization (MED-V). MED-V provides a more centralized approach for deploying and managing virtual images. However only companies that have access to MDOP which is available through the Software Assurance program can use MED-V.

Running a virtualized Windows XP on top of Windows 7 is probably the easiest way to solve compatibility issues, however companies should not consider the use of XP Mode as a way to get around the effort of testing and remediating their applications for the use with Windows 7. XP Mode should be seen as a short term temporary solution removing potential road blocks for the deployment of Windows 7. In the long run remote desktop virtualization or application virtualization might be a better option.

BranchCache is a new feature available in Windows Server 2008 R2 and Windows 7 that reduces WAN bandwidth usage and improves application responsiveness when workstations in a remote location access content from the head office or data center by downloading and caching content on the local network as it is requested, making it immediately available to other clients that subsequently request the same content.

This paper examines the BrachCache functionality specifically in the context of software distribution using System Center Configuration Manager 2007 to determine if it is an optimal solution for the deployment of software, patches and operating systems to remote, serverless branches.

Source: 1E

Download the Whitepaper from here

If you are planning deploying Office 2010 throughout an enterprise read this.

Companies that are in the process of planning a Windows 7 migration, will be required to pay some attention to Internet Explorer 8 and web site compatibility. Chris Johnson aka “The App Compat Guy” put together two video’s about how to migrate from Internet Explorer 6 to 8. The videos talk about the potential challenges , testing methods, workarounds and solutions to support companies with a smooth migration.  Thrive Live! Migrating from IE6 to IE8 (Part 1 of 2) and Thrive Live! Migrating from IE6 to IE8 (Part 2 of 2)

Then for those that really want to take a deep dive, I recommend watching the IE 8 Application Compatibility webcast with demos presented by Michel Barnett. You never stop learning…..

One of the objectives of deploying a new operating system within an Enterprise is to provide end users with a state of the art Operating System that builds the foundation for adopting new technologies and to increase end user productivity.

IT departments usually spend months in preparing an enterprise wide desktop deployment and by doing so they automatically get familiar with all the new functionality and features of the new Operating System. But what about the end users? Most end users are not involved in all the preparation and planning activities, hence they will only see the new Operating System on the day their PC is being migrated.

So unless one has recently bought a new home PC that has Windows 7 pre-installed, users will be confronted with a complete new User Interface. Windows 7 is far more intuitive than previous Windows Operating Systems,nevertheless users will need to go through a learning curve to manage their new device. Furthermore to boost end user productivity it is important that end users become familiar with the new features and functionality as otherwise there is a risk that they continue to use their device without using these.

To help Enterprises preparing their end users and IT support staff in creating the awareness and becoming familiar with the new features and functionality of Windows 7 and Office, Microsoft has put in place the Enterprise Learning Framework.

The Enterprise Learning Framework helps with:

• Raising Awareness: Helping employees understand how the new versions of Windows and Office will benefit them and helping to prepare employees before deployment
• Minimizing Disruption: Identifying a small, manageable number of learning topics to get employees up and running quickly with Windows 7, Windows Vista and the 2007 Office release
• Shortening Training: Concise learning topics requiring only a few minutes each from employees
• Gaining Productivity: Identifying the most important learning topics for improving productivity as employees continue to use Windows 7, Windows Vista and the 2007 Office release

The Enterprise Learning Framework portal allows IT departments prepare end user training content. The process of preparing the content is very straight forward.

• Choose Products
• Define User Profile
• Refine Topics

When completed the tool can automatically generate an e-mail message or Word Document that contains all the required training content. To avoid overloading end users with too much information at once, the tool allows to define the actual timeframe.

For more information or start preparing the end user training content visit the Enterprise Learning Framework portal.

In my previous post Using hard Links – Part One I explained how Hard Links work. Today’s post is about using hard links with USMT 4.0 in a Windows XP to Windows 7 migration scenario.

A typical client migration scenario for an end user usually consists of the following processes:

1. User Data and Settings backup
2. Operating System Migration
3. Application Installation
4. User Data and Settings Restore

When migrating to previous versions of Windows in most cases IT support personnel first had to copy the users data of the machine to an external USB device or network drive, this depending on the volume of data could consume quite some time, then when the new OS was installed that same data had to be restored back to the local device. With the release of USMT 4.0 IT Engineers can now design a migration process that leverages hard link functionality, which means that there is no need anymore to copy the data off the device that is being migrated. You can imagine that this will significantly speed up the overall duration of migrating a client to Windows 7.

Now let’s take a look how that works. We have a Windows XP SP3 client with a local user account “JohnDoe”. I gave John Doe some documents that I stored in his My Documents folder and added some Internet Explorer Favorites.

Next I copy the USMT 4.0 binaries from my local WAIK installation source (c:\Program Files\Windows AIK\Tools\USMT\x86) on to the Windows XP client into the  C;\Tools folder. Then I run the following command with an Administrative account.

C:\tools\USMT\SCANSTATE c:\migdata /hardlink /nocompress /i:migUser.xml /i:migdocs.xml /i:migapp.xml

Once completed I verify that the C:\migdata folder contained the hard linked data and then continue with installing Windows 7. At the beginning of the Installation process I choose the “Custom Installation” option (Upgrade isn’t possible for Windows XP). On the disk configuration screen I select Next without changing or formatting the drives. (don’t format any drives as this would destroy your local DataStore).

The Installation process prompts me with the message shown in the picture below, which i confirm this with OK.

When Windows Setup is completed its initial phase I boot the system into WinPE, just to see how things are on the local disk. As shown in the picture below, all the folders related to the Windows XP Operating System were moved into the Windows.old folder. Any folders that were created in the root of the drive remain untouched.

I then reboot the system and did let Windows 7 complete its installation. Once completed I log on to the system. Now let’s take a look at the status of the hard links. Running the HardLink Scanner tool, we can see that he files have a hard link. Below the output from one of the migrated files:

Breakdown for "c:\migdata\USMT\File\C$\Documents and Settings\JohnDoe\My Documents\Full – MS App Virt 45 Trial Guide.pdf"
=========================================================================================================================
  Unique ID:     1000000004118
  Hardlink count:            2
  Naive file size:   3,106,172 bytes
  Unique file size:  1,553,086 bytes
  Kind of file:         normal
  Filenames:
    \Windows.old\Documents and Settings\JohnDoe\My Documents\Full – MS App Virt 45 Trial Guide.pdf
    \migdata\USMT\File\C$\Documents and Settings\JohnDoe\My Documents\Full – MS App Virt 45 Trial Guide.pdf

The last step to get John Doe’s personal data and settings back into his profile is done by running the following USMT loadstate command.

C:\tools\USMT\loadstate c:\migdata /hardlink /nocompress /auto

When logging in with John Doe’s account, we can see that his personal data and Favorites are back.

Let’s take a look at the hardlink status of our migrated files. When running the hardlink scanner tool against one of the migrated files we get the following output:

Breakdown for "c:\migdata\USMT\File\C$\Documents and Settings\JohnDoe\My Documents\Managing_Shims_in_the_Enterprise.docx"
=========================================================================================================================
  Unique ID:     1000000004117
  Hardlink count:            3
  Naive file size:   1,081,188 bytes
  Unique file size:    360,396 bytes
  Kind of file:         normal
  Filenames:
    \Users\JohnDoe\Documents\Managing_Shims_in_the_Enterprise.docx
    \Windows.old\Documents and Settings\JohnDoe\My Documents\Managing_Shims_in_the_Enterprise.docx
    \migdata\USMT\File\C$\Documents and Settings\JohnDoe\My Documents\Managing_Shims_in_the_Enterprise.docx

So we now have 3 links.

• The first one relates to the file stored within the Documents folder of John Doe’s new Windows 7 profile.
• The second one relates to the file stored in the My Documents folder of John Doe’s old Windows XP profile
• The third one relates to the file stored within the USMT Data Store.

Now that we have successfully migrated John Doe’s personal data and settings, we can get rid of the USMT Data Store and the data stored under the previous Windows XP location. The USMT DataStore can be easily removed by using the usmtutils.exe which is included in the USMT Toolkit.

usmtutils.exe /rd C:\migdata

Now we only have to take care of the Windows.old folder, to get rid of that one follow the instructions as described in the Microsoft KB article How to use the Disk Cleanup feature to delete the Windows.old folder after you install Windows Vista (the content also applies for Windows 7).

So there is no need to backup data when using hard links? Well put it like this, if you are migrating a user that has business critical data stored on this device, I would still recommend to get a copy of their data on an external device or network drive, this might again add some time to the migration process, but at least, when all goes well you save the time when restoring the data from the local (hard link) data store.

That’s it, I hope these two posts were useful and provided you with some insight on how to use USMT with hard links.

Today I have spend some time in taking a look at MED-V. I reviewed MED-V already about a year ago, but had not touched it since then. Microsoft just recently released an updated version of MED-V as part of the MDOP suite. While configuring a Workspace, my attention was caught by the “Clients should use Trim Transfer when downloading images for this Workspace” setting that is shown within the Virtual Machine Tab.

The documentation describes the setting as following:

Select this check box to enable Trim Transfer when downloading images associated with this MED-V workspace. If this check box is cleared, the full image will be downloaded.

Trim Transfer requires indexing the hard drive, which might take a considerable amount of time. It is recommended to use Trim Transfer when indexing the hard drive is more efficient than downloading the new image version, such as when downloading an image version that is similar to the existing version.

A detailed description of the MED-V Trim Transfer Technology can be found here

OK, just clicking a check box is not enough , I want to see that. I first configured a Workspace called Workspace and assigned a previously created Windows XP image, once the Image was published on the MED-V Server is launched the MED-V client on a second device. As you can see from the screen shot below, the image is downloaded from the server

I then created a second Workspace and assigned a slightly different image to it that is based on the first one I created, I just added another application to it. Once that Image was published to the server, I headed over to the MED-V Client device which prompted me that there was another Workspace available, after confirming, it started downloading that other image. But as you can see from the screen shot below, it is actually retrieving the data blocks from the local drive, hence not the complete image is being downloaded from the server again. 

On July 12, 2010 Microsoft Windows XP Service Pack will reach end of support, for most companies this shouldn’t come as a surprise as this has been widely communicated when Microsoft released Windows XP Service Pack 3. however it appears that some companies didn’t took these message too serious then, but now suddenly realize that July 12, 2010 is just a few months ahead of them.

Many people have still in memory the challenges they faced with Windows XP Service Pack 2, this because this in fact was more than what people knew as being a Service Pack. Windows XP Service Pack 2 was not just a rollup of security and product fixes, but also contained various technology updates (Network protection, Memory Protection, Web Browsing security and Computer Maintenance). In these days the famous word was Trustworthy Computing and this was what Windows XP Service Pack 2 was about. From a technical and security perspective Windows XP Service Pack 2 was definitely a big step forward, but many companies faced quite some challenges in deploying it especially with regard to application compatibility.

So now when it comes to the deployment of Windows XP Service Pack 3, many people automatically think of Service Pack 2. But as mentioned previously, Service Pack 2 was a kind of special Service Pack, this isn’t the case for Service Pack 3 which is basically a rollup of security and product fixes and contains just a few new technologies or enhancements that won’t have a big impact on the existing environment.

Here’s a short checklist for planning and deploying Windows XP Service Pack 3

1. Include Windows XP Service Pack 3 in your Software Distribution or Patch Deployment System

2. Identify Test users (Application owners, Developers, standard users) and deploy Windows XP SP3

3. Monitor the Pilot clients and track any issues

4. If all is green, start deploying Windows XP Service Pack 3 throughout the Enterprise

5. In parallel you want to update your current Windows XP Service Pack 2 based images with Service Pack 3 as well, this to prevent very long new PC installation times.

Things to consider

Microsoft did not release separate Multilanguage Packs for XP SP3, companies can continue to use the previous released MUI Pack, but there is a MUI Pack update available that provides MUI support for some of the new or updated components that come with SP3.

If you were using a single image for standard desktop/laptops and TabletPC’s then be aware of the fact that with Windows XP Service Pack 3 Microsoft has removed the possibility of using a Single Image for Windows XP Professional and TabletPC Edition.  So if a company uses TabletPC devices, they will end up creating separate images for these.

Additional Information
Lifecycle Supported Service Packs
Microsoft Support Lifecycle Blog
End of Support for Windows XP SP2 and Windows Vista (with no service packs installed)
What’s up with Service Pack support?
Windows XP Service Pack 3 Overview
Release Notes for Windows XP Service Pack 3

Managing ActiveX Components within an enterprise sometimes can be a pain. Users with standard user privileges by default can’t install ActiveX components, hence whenever a larger group of users require an ActiveX component you usually end up creating a software package and distribute it via Software Distribution or you provide them with temporary Administrative rights. But if the clients are running Windows Vista or Windows 7 there is another solution available I noticed many people aren’t aware of, hence that’s why I am writing this article.

The Solution is the Windows ActiveX Installer Service. Using the Windows ActiveX Installer Service allows Enterprise Administrators to manage the deployment of ActiveX controls through Group Policy Settings. On Windows Vista the ActiveX Installer Service is not installed by default but can be added as a feature. On Windows 7 the Service is installed by default.

Configuring the ActiveX Installer Service through Group Policy can be done in two ways. Either by specifying the ActiveX Control installation URL or by configuring trusted sites. I am going to use the first option to demonstrate the configuration and behavior of the ActiveX Installer Service.

Most of you will be familiar with the Microsoft Connect, MSDN Subscriber Download or TechNet subscriber download Site that uses the File Transfer Manager for downloading content. When trying to download content from one of the above mentioned web sites for the first time with a standard user you will be prompted with a message as shown in the picture below.

But as soon as you allow the Add-on to be installed, you will be prompted to provide a user name and password of a user that has administrative privileges to allow the installation to continue. 

This is what would happen in an enterprise environment where users access a website that requires the installation of an ActiveX control. So let’s create a Group Policy that allows the installation of the Microsoft File Transfer Manager through the ActiveX Installer Service.

First we need to know the URL that points to the ActiveX Control installation file, which is usually a CAB file but can be an OCX or DLL file as well. To find out the URL of the Microsoft File Transfer Manager I open the web site’s source and search for the word “CODEBASE”.

Now that I know the location that points to the CAB file, I open the Group Policy Management Console and create a new GPO called GPO_ActiveX_Management. Within the new created GPO I navigate to the ActiveX Installer Service which is located under Computer Configuration, Policies, Administrative Templates, Windows Components.

I then enable the "Approved Installation Sites for ActiveX Controls” setting and add the Site name https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab and set the Installation control value to 2,1,1,0.

To ensure that the GPO settings is applied to my client I run GPUPDATE at the command prompt. Now when i launch the website again that tries to install the Microsoft File Transfer Manager there is no User Account Control prompt anymore, this because i have now configured this site as an approved site to install an ActiveX control.

When opening the Services list within the Microsoft Management Console, I can see that the Service has been started and looking at the Windows Application log I can see that the URL was identified as a secure location.

So after a few seconds, the Microsoft File Transfer Manager is successfully installed without having to provide administrative privileges.

If you’re interested in using the ActiveX Installer Service in your environment I recommend that you also read the below referenced articles.

Additional Resources
The ActiveX Installer Service in Windows Vista
Microsoft TechNet – ActiveX Installer Service
NirSoft – ActiveXHelper

If you plan to use the Microsoft App-V Stand-Alone Mode some Registry Settings are required for the Application Virtualization Client as described in detail on this App-V site here. But instead of setting these registry keys manually or through a custom script, you can also manage these settings through Group Policy.

First download the Microsoft Application Virtualization Administrative Template (ADM Template). The ADM Template provides configuration options for the App-V 4.5/4.6 Client settings such as Client Permissions, Client Interface behavior and Client Communication Settings.

Once you have added the ADM Template to your GPO object you can find them under the “Classic Administrative Templates (ADM)” branch as shown in the picture below.

Then configure the Group Policy Settings as shown below.   

Once the GPO is enabled run the command  gpupdate /force on the client to ensure that all GPO settings get applied. Then open the Registry Editor and validate that all settings are configured as described here

Now install your previously sequenced application through the generated MSI installation package. If all goes well, you should be able to launch your Virtual Application in Stand-Alone mode now.

Additional Resources:
Microsoft App-V 4.5 Client in Stand Alone Mode Whitepaper by Tim Mangan
App-V 4.6 Release Q & A
TechNet Virtual Lab: Learning to Configure App-V for Standalone Client Mode

If you have BranchCache deployed within your enterprise environment you might be interested in the
BranchCache Bandwidth Saving Calculation PowerShell Script for the SMB Protocol which allows you to collect and measure the amount of WAN bandwidth that is saved by your BranchCache deployment.

Get the documentation and script from here

When installing Applications or operating system hotfixes the installation process sometimes requires replacing or deleting files that are in use, if that is the case these files can only be replaced or deleted during the next system reboot.

When you plan to install multiple applications in a row you can run into the situation where an application cannot be installed due to a pending FileRename operation from a previous application installation. So if you plan to install several applications in a row without a reboot, it’s highly recommended to check if a given application does actually require a reboot or not. If you launch the installation process manually you will most likely get a “Reboot required” prompt at the end of the installation. But if you run your installation packages in silent mode with the REBOOT=ReallySuppress option you will not notice if a reboot is required or not.

The information for Pending FileRename Operations is stored within the Windows Registry under:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\ under the key PendingFileRenameOperations if this key does not exist there are no Pending FileRename Operations, if the key does exist the key value data contains the files that need to be replaced or deleted.

Mark Russinovich provides two useful utilities that deal with Pending FileRename Operations PendMoves.exe and MoveFile.exe. PendMoves.exe allows you to list any pending filemoves and FileMove.exe allows you to configure the system to replace or delete a file during the next system reboot. The tools can be downloaded from here and for more information you might also want to read this article. For those that are looking for a script based solution have a look at the WMI script from Tom Mills which does the same as PendMoves.exe.

Other interesting resources describing Pending FileRename Operations are:
Microsoft TechNet: A Restart from a Previous Installation is Pending
Description of the new features in the package installer for Windows software updates

Just going through an AGPM Installation (Advanced Group Policy Management) where I had to choose an Account for the AGPM Service which can be the Local System Account or a domain user account. Instead of just clicking next next…. I found some good guidance in the Ask the Directory Services Team blog – AGPM Least Privilege Scenario article. Also read Locking down AGPM fit for least privilege.

Never heard of AGPM before ? Then watch this 4-5 minute Tour on Advanced Group Policy Management. And finally here’s a video provided by Kurt Roggen showing how to install the AGPM Server.

Assume you are at a client site and plan to deploy a Windows Server (2008 / 2008-R2) or Windows Clients (Windows Vista / Windows 7) and want to check if they do already have KMS Services running on their network.

It’s very simple. Just open a command prompt and type the following command:

nslookup -type=srv _vlmcs._tcp

If KMS Services are present on the network the results will be listed as shown in the picture below.

Related Content
Upgrade your existing KMS Service to support Windows 7 and Windows 2008 R2
Volume Activation changes in Windows7
Fundamentals of Volume Activation