MS Ireland Featuring In “The Apprentice”

Those of you outside of Ireland are probably familiar with a TV show called The Apprentice.  In the USA it featured Donald Trump.  In the UK it featured Alan Sugar.  The idea is that the featured executive is seeking a new employee.  12+ candidates are brought in, split into two teams each week and given a task.  The losing team faces a boardroom where one of them is fired.  Eventually 1 person is left and they get a job with the featured executive’s company.

In Ireland, the star is Bill Cullen.  He’s a self-made man who went from selling fruit/veg in Dublin, buying/selling the Renault business in Ireland (and making an absolute fortune in doing so), etc.  It’s fair to say he does OK.  They’re in the second series now.  I think it’s fair to say that Cullen is dealing with vegetables once again in his life based on what we’ve seen in the show so far, with 1 possible exception.  They’re down to 5 candidates now.  This series has been interesting because the tasks have been quite real.  Each week an Irish-based company is featured and the teams are either trying to invent, market or sell something for those companies.  Off the back of this you see major publicity, e.g. Samsung Jet or The Big Red Book.

Next week … well we got a mail this morning: 

“Watch the Apprentice show on TV3 next Monday, November 23rd at 10pm to see the two teams, Cúchulainn (pr. Ku-Kullen, a mythical Irish warrior) and Platinum, battle it out on a task set by Microsoft.

The team efforts culminate in a gripping boardroom scene with the contestants trying to avoid being fired and remaining in with a chance of securing the job of a lifetime with Bill Cullen.

All will be revealed next week after the show…..

Regards,

Microsoft Small Business Team”

I had heard about this and I know a little bit more but I’m not saying anything.  All I know is I can’t wait to see how the candidates mess this one up.  They’ll be dealing with complex technology that I’m sure will be quite alien to them.  Those in Ireland will also be able to watch this on the TV3 website after the original broadcast.

Springboard Booth Wrap Up

My time working at the Springboard stand ended this afternoon.  Over 4 days I met with and talked to hundreds of people about the Springboard Series, explaining how it provides a central location to find out more about Windows desktop, have a successful deployment and continue to take advantage of the features and manage the network.

Springboard Champion, Stephen L. Rose, took this photo earlier today of the 4 of us who ran the booth.  Thanks to Stephen and Melissa for selecting us!  That’s me on the left, Miklos (Bolivia), Erdal (New Zealand) and Justin (UK).

Auf Wiedersehen Berlin!

TechEd Europe 2009 Wrapup

I’ve attended my last session.  Actually I attended my last half session because I walked out at the 30 minute point.  This session was like the vast majority of the content I saw this week.  It was marketing slides presented by sales people.  There were a few exceptions but not enough to make me want to return to TechEd next year. I didn’t come here to Berlin from Ireland to attend sales sessions – I can do that at home.  But at least I didn’t pay €1,500-€2,000 to come here like many others will have done.  I would have been sick to my stomach if that had been the situation for me.

Overall there were maybe 4 technical sessions that I got to.  The keynote was a dreadful omen for the rest of the week.  They opened 2 doors to let over 7,000 people into a room.  The keynote was dreadful marketing drivel and the entire event continued much on that theme, unfortunately.  The coffee docks were limited to the 2 exhibition halls.  The main exhibitor hall became a bottleneck because it was the only route to and from the conference halls.  There weren’t enough desks, power or seating outside of the halls for people who had to work between sessions.  I found myself sitting on the floor with a near flat battery on more than one occasion.  I know MS has to cut costs but the ticket costs didn’t go down for those who paid to attend.  It was only by Thursday that some coffee docks appeared in building 7 and some additional desks were put into the previously vast empty space in the front of the CommNet room.

On the plus side the swag bag was decent.  It’s an olive green laptop bag which I’ll probably use, unlike the turkeys of Amsterdam 2004 (remember the giant orange U shaped bags stuffed into bins and lying on the outside streets?) or the plastic waste of money from Barcelona 2008 that was a logo fest?  And the wireless network performed admirably under the load of 7000 laptops and twitterers. 

Overall, I felt the event was a disappointment.  Unless there is a marked change in the speakers and content that MS is providing then I have no desire to spend a week being sold to.  I came here to learn and am leaving having learned very little that I couldn’t have gotten from a 2 hour webcast.  I hope this changes but unfortunately there seems to be a trend towards rah-rah Redmond-sugar marketing speakers who we could all do with a little less of.

Virtualisation Scenarios for Business Critical Applications

Speaker: Vipul Shah, Microsoft.

Oh no, another marketing head.  It’s been Need I say Vipul is a senior product manager?  Isn’t everyone in MS a senior product manager?  It also appears to me that the majority of the virtualisation technologies are developed in the MS centre in India rather than Redmond.  We heard in Ireland, recently at the lunch events, about the global around the clock effort to develop Windows.  This is further evidence of that.

Rockstar Mark Russinovich is playing in another room in this slot in a session that I wouldn’t have much time for, i.e. UAC is/isn’t a security feature.  That story has been done to death now.  That means this room is 60% empty.

Production application virtualisation (on server VM’s) has increased maybe by 100% during 2006-2008.  Lots of reasons which we know: deployment/management time, carbon foot print, flexibility, lower costs, DR, etc. 

I walked out on this session after 30 minutes of marketing filled with incorrect statements, e.g. “sure, go ahead and use more than 64 cores in your Hyper-V server and it will be supported”.  Uh uh.  It will not be supported.

TechEd Europe 2009 Day 5:

I went out last night with some of the MS Ireland folks.  They had one spare ticket to go see the Blue Man Group in Berlin.  I had no idea what to expect.  To be honest I didn’t think I would have too much fun.  As it turns out, I was belly laughing quite a bit during the show.  It was great fun even before it really started.  A trip to a Brauhaus in the Sony Centre followed and I was in bed by 01:00 with a 07:00 rise to get to the conference venue.

Friday’s schedule is not a good one for the IT Pro.  I’m on at the Springboard stand at 11:30 until the show close at 14:45.  That means I get to one session today and there’s nothing on at 09:00 that appeals to me.  That’s a pity.

Configuration Manager V.Next End-To-End

Speakers: Bill Anderson, Jeff Wettlaufer, Jeffrey Sutherland, Mark Florida

This session is about the successor to Configuration Manager 2007 and not ConfigMgr 2007 R3.  It will be a demo session.

The console is like a new version of the OpsMgr/VMM console.  It almost looks like a web version crossed with MMC.  This breaks up things nicely because the 2007 version is quite cluttered now.  Locations of things have been moved around to make it more natural. 

I can see straight away that advertisements are no longer involved in software distribution.

Collections, DCM and Asset Intelligence are grouped under “Assets and Compliance” and are all renamed.

Delegation appears to have been simplified with a role model.  Currently there are 12 roles in addition to Administrator, e.g. “Application Editor” is a role for a person who creates packages but doesn’t deploy them.  This makes it much simpler than the current system.  You can copy a role and customise it according to your needs.  Security scopes are new.  These can be bound with Security Roles to define who can do what actions to what assets.  The example we see has scopes for geographic regions.

We get a demo where an AD user is added as an application administrator and is granted permissions to Europe and Sales & Marketing scopes.  The console is launched as Bruce.  Now Bruce can only see the parts of the console that he has permission to.  Much better than what we currently have.  Some existing packages are now assigned to a scope that Bruce has rights to by the overall administrator.  In Bruce’s console these applications appear automatically. 
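To make the role-plus-scope idea concrete, here is a small model of it.  This is an added illustration, not ConfigMgr code and not something shown in the session; the action names, the package list and the helper functions are all assumptions.

```python
from dataclasses import dataclass

# Constructed role table. "Application Editor" is the role named in the notes
# (creates packages, does not deploy); the action names are assumptions.
ROLES = {
    "Application Editor": {"read", "create", "modify"},
    "Application Administrator": {"read", "create", "modify", "deploy"},
}


@dataclass
class ManagedObject:
    name: str
    scopes: set  # security scopes this object has been assigned to


@dataclass
class Admin:
    name: str
    role: str
    scopes: set  # security scopes this admin has been granted


def copy_role(roles, source, new_name, remove=()):
    """Copy an existing role and trim it; returns a new table, source untouched."""
    out = {k: set(v) for k, v in roles.items()}
    out[new_name] = set(roles[source]) - set(remove)
    return out


def can(admin, action, obj, roles=ROLES):
    """Deny by default: the role must grant the action AND a scope must overlap."""
    allowed_actions = roles.get(admin.role, set())  # unknown role grants nothing
    return action in allowed_actions and bool(admin.scopes & obj.scopes)


def visible(admin, objects, roles=ROLES):
    """Names the console would list for this admin: in-scope objects only."""
    return [o.name for o in objects if can(admin, "read", o, roles)]


def demo():
    bruce = Admin("Bruce", "Application Administrator",
                  {"Europe", "Sales & Marketing"})
    packages = [
        ManagedObject("Visio", {"Europe"}),
        ManagedObject("Adobe Reader", {"Asia"}),   # outside Bruce's scopes
        ManagedObject("Untagged tool", set()),     # no scope: hidden from scoped admins
    ]
    before = visible(bruce, packages)
    # The overall administrator assigns an existing package to Bruce's scope.
    packages[1].scopes.add("Sales & Marketing")
    after = visible(bruce, packages)
    return bruce, packages, before, after


if __name__ == "__main__":
    bruce, packages, before, after = demo()
    print("before:", before)
    print("after: ", after)
    print("deploy Visio:", can(bruce, "deploy", packages[0]))
```

The thing to notice is that neither the role nor the scope grants anything on its own; an object with no scope, or an admin with an unrecognised role, ends up with no access.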

Next up is Compliance Settings (aka DCM).  A baseline is defined for an application.  We can see there is a high rate of non-compliance.  We can be notified automatically that a baseline has a specified non-compliance rate, e.g. if compliance is less than 80%.  An alert is in the Compliance Settings summary.  Depending on the baseline, there might be action links for the alert, e.g. remediate the non-compliant component.

Each major feature will have a similar alerts section in the final product, e.g. if s/w deployment is below a certain level then your application deployment team can react immediately.  You can only see alerts within your scope.  It is also possible to do automatic remediation.  This is a tick box for when there is support for a remediation, e.g. script based, WMI or registry settings.  This means ConfigMgr could fix non-compliant machines with no human action.

We get a demo of Windows registry device compliance.  The registry setting is originally non-compliant but is automatically changed to bring it into a compliant state.

Device (mobile) management will be integrated with normal (PC) management.  You’ll get to them via the same wizard start up points.  We’re shown the configuration of some Compliance Settings for Windows Mobile devices: Device Wipe (5 incorrect login attempts are allowed and 6th will automatically wipe the device), Password  (4 character minimum PIN with idle timeout) and Platform Lockdown (prohibit camera).  This baseline is assigned to all systems.  Non-mobile devices in All Systems will report as compliant because the settings are irrelevant.  That’s good.

A demo: The settings are forced onto a Windows Mobile device.
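The baseline behaviour described above (applicability, the 80% alert and automatic remediation) can be modelled in a few lines.  This is an added example and not ConfigMgr's own logic; the device inventory is constructed, and which settings support remediation is an assumption.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Setting:
    name: str
    applies_to: Callable[[dict], bool]    # is the setting relevant to this device?
    is_compliant: Callable[[dict], bool]
    remediate: Optional[Callable[[dict], None]] = None  # None: no supported fix


def is_mobile(d):
    return d["type"] == "mobile"


# Values from the session notes: 4-character minimum PIN, wipe on the 6th bad
# login (5 allowed), camera prohibited. Which settings can be auto-remediated
# is an assumption made for this example.
BASELINE = [
    Setting("pin-length", is_mobile, lambda d: d["pin_min"] >= 4,
            lambda d: d.update(pin_min=4)),
    Setting("wipe-threshold", is_mobile, lambda d: d["max_bad_logins"] <= 5),
    Setting("camera", is_mobile, lambda d: not d["camera"],
            lambda d: d.update(camera=False)),
]


def sample_devices():
    """Constructed inventory: two PCs and three Windows Mobile devices."""
    return [
        {"name": "pc-01", "type": "pc"},
        {"name": "pc-02", "type": "pc"},
        {"name": "wm-01", "type": "mobile", "pin_min": 4, "max_bad_logins": 5, "camera": False},
        {"name": "wm-02", "type": "mobile", "pin_min": 0, "max_bad_logins": 5, "camera": True},
        {"name": "wm-03", "type": "mobile", "pin_min": 4, "max_bad_logins": 10, "camera": False},
    ]


def evaluate(device, baseline, auto_remediate=False):
    """Return 'compliant', 'remediated' or 'non-compliant' for one device."""
    fixed = False
    for s in baseline:
        if not s.applies_to(device) or s.is_compliant(device):
            continue  # irrelevant settings never fail a device
        if auto_remediate and s.remediate is not None:
            s.remediate(device)
            if s.is_compliant(device):  # re-check instead of trusting the fix
                fixed = True
                continue
        return "non-compliant"
    return "remediated" if fixed else "compliant"


def summarise(devices, baseline, threshold=0.80, auto_remediate=False):
    results = {d["name"]: evaluate(d, baseline, auto_remediate) for d in devices}
    in_scope = [d["name"] for d in devices if any(s.applies_to(d) for s in baseline)]
    passed = [n for n, r in results.items() if r != "non-compliant"]
    rate = len(passed) / max(len(devices), 1)
    in_scope_rate = len([n for n in in_scope if n in passed]) / max(len(in_scope), 1)
    return {"results": results, "rate": rate, "in_scope_rate": in_scope_rate,
            "alert": rate < threshold}  # alert when compliance drops below 80%


if __name__ == "__main__":
    print(summarise(sample_devices(), BASELINE))
    print(summarise(sample_devices(), BASELINE, auto_remediate=True))
```

With remediation on, the headline rate reaches 80% and the alert clears, yet only two of the three mobile devices actually meet the baseline, because the PCs count as compliant for settings that never applied to them.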

We now have “Applications”; a generic container.  This contains deployment types.  For example, you can have a mobile device deployment or a Windows deployment for a single application.  ConfigMgr figures out the right one to use.  A Detection Method is defined (e.g. the installer code or a script).  If the s/w is there then it’s not installed.  If it’s not there then it is installed.  Requirements are specified, e.g. memory, disk space.  A new one is user device affinity.  A user’s primary device might be where you install bespoke expensive software, e.g. Visio.  If they temporarily log in elsewhere the s/w won’t be deployed, i.e. not wasting licenses/money.  “Primary Device” can be manual, a result of Asset Intelligence or even user self-defined.

Advertisements are replaced by Deployments.  You can set an Intent, e.g. mandatory, available (puts the app in a catalog) or prohibited (the uninstaller is invoked).  The catalog is a web UI where users can elect to pull down optional software, e.g. Adobe Reader.  The s/w will install automatically for the user.  A Silverlight control on the site will immediately communicate with the client on the computer to kick things off quickly.  Application deployment rules are still applied, e.g. if the app is not appropriate for the user/machine then it will not install.  OH HELL SWEET: There is a workflow built into this where software can be set up to require approval.  For example, a user requests Visio but this request must be manually approved.  This is major stuff that every SMS/ConfigMgr customer will love.
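The way detection, requirements, device affinity, intent and approval combine can be written down as one decision function.  This is an added sketch and not how ConfigMgr implements it; the order of the checks, the field names and the sample machines are assumptions.

```python
from dataclasses import dataclass

INTENTS = {"mandatory", "available", "prohibited"}  # intents named in the notes


@dataclass
class Deployment:
    app: str
    intent: str
    min_memory_mb: int = 0             # a requirement rule
    primary_device_only: bool = False  # user device affinity
    needs_approval: bool = False       # catalog request must be approved


def detected(app, device):
    """Stand-in for a detection method (installer code or script)."""
    return app in device["installed"]


def decide(dep, device, user, requested=False, approved=False):
    """Return the action a client would take for one deployment."""
    if dep.intent not in INTENTS:
        raise ValueError(f"unknown intent: {dep.intent!r}")  # fail closed
    present = detected(dep.app, device)
    if dep.intent == "prohibited":
        return "uninstall" if present else "none"
    if present:
        return "none"  # already installed: nothing to do
    if device["memory_mb"] < dep.min_memory_mb:
        return "blocked: requirements"
    if dep.primary_device_only and device["name"] != user["primary_device"]:
        return "blocked: not primary device"
    if dep.intent == "available":
        if not requested:
            return "none"  # sits in the catalog until the user asks for it
        if dep.needs_approval and not approved:
            return "pending approval"
    return "install"


# Constructed sample data.
USER = {"name": "bruce", "primary_device": "lt-bruce"}
LAPTOP = {"name": "lt-bruce", "memory_mb": 4096, "installed": {"Old Toolbar"}}
KIOSK = {"name": "kiosk-7", "memory_mb": 4096, "installed": set()}
VISIO = Deployment("Visio", "available", min_memory_mb=1024,
                   primary_device_only=True, needs_approval=True)
READER = Deployment("Adobe Reader", "available")
TOOLBAR = Deployment("Old Toolbar", "prohibited")

if __name__ == "__main__":
    print(decide(VISIO, KIOSK, USER, requested=True, approved=True))
    print(decide(VISIO, LAPTOP, USER, requested=True))
    print(decide(VISIO, LAPTOP, USER, requested=True, approved=True))
    print(decide(TOOLBAR, LAPTOP, USER))
```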

Packages and Programs isn’t changing.  However there will be file level single instance storage on the Site Server between packages.

There are now distribution point groups.  You assign software to the DP group and any distribution point in it gets the software.  You can build new DP servers and add them to the group.  They automatically get the software.  Another big improvement for larger architectures. 

Accelerating Windows 7 Deployments …

… With MDOP, System Center and Virtualisation

Speakers: Jeff Wettlaufer (MS), Jeremy Chapman (MS) and Michael Niehaus (MS)

I briefly considered going instead to the Russinovich session on Windows 7 kernel changes but we noticed that it’s a PDC session, i.e. aimed squarely at developers.  So here I am at a session that will probably focus on MDOP (a product set only available to purchase by desktop software assurance customers).  I’ll probably never use anything from this session but here I am anyway.

Application Compatibility Toolkit

Jeremy Chapman: He seems a bit nervous but shouldn’t be.  It’s a good presentation.

This presentation kicks off with Application Compatibility.  We get a look at the survey and the most demo’d application on Windows 7 yet: StockViewer.  It’s a XP app with loads of problems that you need to shim using AppCompat.  First, Standard User Analyser is used and that fixes some of the bits but not all.  The Compatibility Administrator is shown and it has a huge database of application shims/mitigations to make the apps work on Windows 7/Vista. 

Tip from MS: When shimming an application then shim its dependencies.

Tip from MS: create a single SDB shim file for the entire company and include as many application fixes as possible.  That makes it easier to deploy/manage.

Session Virtualisation can be used for some appcompat, e.g. W2008 has WOW32 for 16-bit applications.

MED-V should be used by medium/large organisations who are considering XP Mode.  It provides centralised administration and control, e.g. change control.  You also get policy for interaction between physical and virtual, e.g.  allow copy/paste but not local disk access.

App-V DOES NOT solve appcompat OS issues.  It does solve app to app compatibility issues.  You cannot run legacy IE in App-V.

Windows 7 Deployment

Using W2008 R2 WDS multicast MS went from 17 WDS unicast servers to 1 WDS multicast server and quadrupled their total output to 2100 builds per day.

Michael Niehaus takes over with WAIK and MDT (check out my whitepaper on XP to Win7 deployment).  Now we get a demo.  This is a very demo intensive session.

MDT is light touch, e.g. LiteTouch.VBS.  To get zero touch where the admin deploys from an admin station then you need to use Configuration Manager.  SP2 adds support for ConfigMgr 2007.  MDT is free.  ConfigMgr obviously allows you to automate deployment from 0-100, e.g. report/collection for suitable machines and run a job on them to upgrade/migrate and then get success/failure reports.

Jeff Wettlaufer takes over.

ACT does integrate into ConfigMgr.  V5.5 doesn’t at the moment but there is a fix on the way.  V6.0 will integrate as well.  I wasn’t aware of this integration.

You can use the Windows 7 Upgrade Assessment reports in ConfigMgr.  Obviously you can add s/w and App-V distributions into a ConfigMgr OSD task sequence.  In the future, there will be integration with MED-V similar to the current integration with App-V.  That’s 12-18 months away with V2.0 of MED-V.

Michael Niehaus takes over again.  This time to show how MDT can integrate with ConfigMgr to add additional features.  You can create MDT task sequences in ConfigMgr and create boot images.  Why?  MDT task sequences offer more functionality.  Documentation for this integration is built into MDT in the accelerator docs.

Configuration Manager 2007 R2

Jeff is back with some ConfigMgr R3 roadmap information.

The task sequencer has a new boot media creation process.  You can do a pre-staged media boot image that contains the build, e.g. for road warriors or hardware providers.  Give them the media and they build a machine outside of your network with your image using the media you create in ConfigMgr 2007 R3 – sounds similar to the MDT 2010 solution.

Using The Microsoft Connection Broker

… to Provide VDI, Session, and Application Centralised Publishing

Speaker: Alex Balcanquall, Senior Product Planner, Microsoft

We’re talking about VDI (Windows desktop virtualisation in the data centre), Terminal Services and application (TermSvcs and App-V) publishing to the end user via a man in the middle broker in W2008 R2.  Hyper-V is used in some of this (VDI).  VMM and SCCM used to manage VDI.

Remote Desktop Services VS Virtual Desktop Infrastructure

  • Tech Maturity: RDS Proven, VDI emerging.
  • Scalability: RDS gets more users per server.
  • Isolation/Security: VDI isolates the user, 1 OS per user and users _can_ run as admin.  Opposite for RDS.
  • Remote User Experience: Protocol (RDP in MS) dependent
  • User flexibility: User is non-admin in RDS
  • Application Compatibility: RDS is a server OS and requires TermSvcs compatibility.  VDI is a desktop OS.

RD Virtualisation Host

  • Windows Server manages VM’s
  • Install the Remote Desktop Virtualisation Host Role services
  • Receives commands from the Connection Broker to start VM’s
  • Collects information on VM’s and sends to Connection Broker (session information and VM-state (i.e. is it running or hibernated)).

User requests VM on client –> Broker determines rights –> Broker initiates VM –> host starts up VM –> Broker redirects RDP session to VM (a direct RDP connection now)

The redirection uses the RDP 5.2 redirect packet so it’s very backwards compatible.

RDP Broker

  • Connection Broker: what the client connects to initially
  • Publishing service: aggregates VDI VM’s, RDS session servers or published applications
  • Redirector: Most common mistake in setup is not setting this up in addition to the connection broker
  • Connection broker and redirector can be separate

TS Web Access talks to the Centralised Publishing Service on TCP 5504

Redirector

It’s a session host in “drain”/dedicated redirector mode.  It forwards RDP sessions to the connection broker and returns the list of IP addresses received from the broker.  Users never TS into it.

Certificates

Must be done right to keep single sign-on and to have no error popups for users.

You can use a single trusted SSL cert for all components.

Prepare VDI host

  • Install Hyper-V
  • Install Remote Desktop Virtualisation Host role

Sizing?

It depends:

  • applications
  • data used
  • demand cycle of users
  • depends on OS

And think about CPU and memory requirements.  Only way to know for sure is to do a pilot with real users and real applications in real usage over a period.

Prepare Client OS VM’s

  • Supports XP SP3, Vista and Windows 7
  • Install the Hyper-V IC’s
  • Enable RDP services (GPO)
  • Add users to the groups (GPO)
  • Enable Remote RPC (TermSvcs GPO)
  • Open firewall for RDP and Remote Service Management
  • Modify RDP Listener Permissions (manual or script).  This can only be done after a domain join.  Possibly a start up script is the way to go here. 
  • There’s a script from MS for this but the URL on the screen is way too long to copy (must never have heard of Tinyurl)

Configure the Connection Broker and Redirector

  • Broker: Is the RD Server Role
  • Redirector: Is RD session host

When you install Remote Desktop Service Role the server is automatically put in “drain” mode so users cannot log into this server.

Unfortunately, we now get a very confusing and unrehearsed demonstration.  I’m lost.  It appears to me that the presenter is here because he is a manager, not a knowledgeable techie.

I can’t keep up with note taking in this session.  Sorry; it’s all a bit of a mess.

Pooled VDI VM’s

Often people start with this and switch to dedicated per user VM’s.  Problems: when to patch them.  S/W deployment – do you really want to install/stream non-standard s/w to a VM every time a user logs in?  Probably not.

There were some slides on tips’n’tricks and common mistakes.  He rushed through it after spending too much time troubleshooting his demo lab.  Disappointing session.

RTM: Application Request Routing 2.0

ARR 2.0 was announced as being released and available to download earlier this week.  It leverages IIS 7.0 and IIS 7.5 to give you a load balancing and content caching solution.  It’s an interesting solution, especially if you start reconsidering how you architect your web farms.  Here’s a listing of the features:

  • HTTP based routing decisions built using rules that examine HTTP request information
  • Sophisticated load balancing algorithms to determine appropriate servers to service the HTTP requests
  • Health monitoring for live traffic and specific URLs to determine the health of servers with a set of configuration parameters provided to calibrate baseline server health
  • Client affinity to direct all requests from a client to a specific server by using cookies.
  • Host name affinity to streamline administration for Web servers and to create additional business opportunities.
  • Management of multiple server farms to enable pilot management and A/B testing scenarios.
  • Management and monitoring of all configuration settings and aggregated runtime statistics through IIS Manager interface.
  • Support for Failed Request Tracing Rules
  • Disk-based caching
  • Cache hierarchy management
  • Cache proxy node in CDN/ECN environment
  • Caching compressed objects
  • Browsing cached contents using IIS Manager
  • Removing cached contents by matching URL patterns
  • Overriding cache-control directives
  • Warming up cache mode
  • Intelligent byte-range support
  • Intelligent live request support
  • Caching while serving responses

Learn About MDT 2010 and ConfigMgr OS Deployment

Although I do a little bit of speaking and writing about Windows deployment, I am nothing compared to gurus like Johan Arwidmark, Michael Niehaus and Rhonda Layfield.  Speaking of Johan, he released a new edition of his deployment CD.  It covers MDT 2010 and Configuration Manager 2007 OSD.  It’s a free download and well worth getting your hands on.  Johan is speaking this week at TechEd Europe 2009.  I’ll miss him unfortunately but if you are here I would recommend you go along.  Based on what I see on the Minasi forum, Johan knows this stuff inside-out.