The Federal team is a big fan of Windows Deployment Services (WDS). We have used WDS for large scale deployments, but we recently ran into a problem using WDS to install x64 builds of Windows Vista and Windows Server 2008 Beta 3. We imported the boot.wim and install.wim files from the x64 media into our WDS server (running Windows Server 2003 SP2), but the x64 clients were only seeing the x86 builds on the WDS server. We tried disabling the x86 boot image, but then the client returned the following error:
File: \Boot\BCD
Status: 0xc0000098
Windows Boot Configuration Data file does not contain a valid OS entry error.
A network capture (using Microsoft Network Monitor 3.0) revealed that the client was only requesting the x86 image. The explanation (and a solution) to this problem is outlined at http://www.microsoft.com/technet/itshowcase/content/vistadeploy_twp.mspx.
The relevant section from this document is included below:
Implementing Windows Deployment Services
To preserve its investment in RIS, Microsoft IT chose to upgrade existing RIS servers to WDS or to build new WDS servers in mixed mode. WDS mixed mode enables deployment of WIM and earlier RIS image types. To implement this functionality, Microsoft IT configured WDS by using the option OSChooser:Yes option.
Other implementation details included providing x86-based images and x64-based images, and, in the case of x64-based clients, allowing the client to choose what operating system to install, regardless of processor type. To work around an x64-based basic input/output system (BIOS), which does not report the architecture properly, Microsoft IT also set the WDS option ArchitectureDiscovery:Yes.
So, the fix for the problem outlined above is to run the following on your WDS server (from a CMD prompt):
wdsutil /set-server /ArchitectureDiscovery:Yes
At FOSE, the annual government IT conference at the DC Convention Center, Windows Vista was awarded GCN Best of FOSE Awards in the software category. I've been at the event Tuesday and Wednesday and it has been great to meet all the people genuinely interested in Windows Vista as well as our new Office 2007 product offering. The demand and attendence at our Windows Vista end-user training session is very exciting.
Windows Vista delivers great value to federal government organizations by addressing critical IT needs:
- making desktops easier to deploy, manage and support by helping to optimize IT infrastructure;
- helping keep IT environments and data secure;
- enabling a better connected and more productive workforce.
I would also urge you to take a closer look at Microsoft's Infrastructure Optimization Model (IOM) to better understand what methodologies, tools and best practices should be involved in managing your desktop infrastructure.
Again, thank you to GCN for the recognition.
Cheers,
Patrick Svenburg - on behalf of the Federal Windows Client Team
This blog post outlines the process to setup the Key Management Service setup on a Windows Vista system. The Federal Vista Team would like to thank Joel Yoker for providing this content.
Those of you not familiar with the new Volume Activation 2.0 scenarios may want to read http://www.microsoft.com/licensing/resources/vol/default.mspx for some background on this technology.
1. Install Windows Vista Enterprise VL (DO NOT ACTIVATE from the UI)
2. Run the following command to install the product key
a. cscript C:\windows\system32\slmgr.vbs -ipk <Volume License Key>
3. Run the following command to activate the product
a. cscript C:\windows\system32\slmgr.vbs -ato
4. Make the follwoing registry change
a. Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SL
b. Value Name: DnsDomainPublishList
c. Value Type: REG_MULTI_SZ
5. Start and stop the Software Licensing service
a. Net stop slsvc
b. Net start slsvc
6. Validate that all domains have registered the KSM DNS SRV record entry: _VLMCS._TCP.<domain>
a. Check for the existence of the 12294 Application event log entry for both domains
b. Validate the existence of the record in DNS. E.g. -
> set type=srv
> _VLMCS._TCP.maintest.adstest.dept.mil
Server: UnKnown
Address: 10.0.0.2
_VLMCS._TCP.maintest.adstest.dept.mil SRV service location:
priority = 0
weight = 0
port = 1688
svr hostname = tismtw-kms.maintest.adstest.dept.mil
tismtw-kms.maintest.adstest.dept.mil internet address = 10.0.0.3
7. Validate by installing a client (requires 25)
8. You can also check the KMS by running the following command:
>cscript \Windows\system32\slmgr.vbs -dlv
Software licensing service version: 6.0.6000.16386
Name: Windows(TM) Vista, Enterprise edition
Description: Windows Operating System - Vista, VOLUME_KMS channel
Activation ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Application ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Extended PID: xxxxx-xxxxx-xxx-xxxxxx-xx-xxxx-xxxx.xxxx-xxxxxxx
Installation ID: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkId=57201
Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkId=57203
Use License URL: http://go.microsoft.com/fwlink/?LinkId=57205
Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkId=57204
Partial Product Key: XXXXX
License Status: Licensed
Key Management Service is enabled on this machine
Current count: 5
Listening on Port: 1688
DNS publishing enabled
KMS priority: Normal
Last week Vista RC2 (build 5744) was released. This week I spent some time testing RC2. One interesting aspect to testing Vista is seeing the different installation times. With RC2 I was seeing sub 20 minute installs from DVD, so I did some more thorough testing with RC2. The details of those tests are shown below. The numbers below each test indicate the time in minutes
Test #1
HP NC8000 laptop (Built-in DVD reader; 5400RPM disk; Pentium-M 1.7)
Default install of Vista Ultimate from DVD+R media (fully automated with autounattend.xml on a USB stick)
00 - Boot
04 - Expanding files (0%) ...
14 - Expanding files (75%) ...
29 - Installing updates
29 - First reboot
23 - Completing installation
28 - Second reboot
31 - Windows checks performance
32 - First logon prompt
Summary: 32 minutes for a 2.5 year old laptop isn't bad
Test #2
HP NC8000 laptop (Built-in DVD reader; 5400RPM disk; Pentium-M 1.7)
Custom Vista Ultimate image from DVD+R media (partially automated install with autounattend in the root of the DVD)
Image was created according to steps outlined in an earlier post to this blog.
Image includes Office 2007, VPC2007, and some other software
The core difference here is that the WIM is 3.42GB (versus a 2.40GB WIM on the default RC2 DVD)
00 - Boot
03 - Entered PID, formatted existing partition
08 - Expanding files (0%) ...
26 - Expanding files (19%) ...
28 - Expanding files (98%) ...
30 - First reboot
33 - Completing installation
37 - Completing installation
42 - Second reboot
44 - Create local admin, enter machine name
44 - Windows checks performance
47 - First logon prompt
Summary: This test shows that the size of the image is a key factor with installation times.
Test #3
Toshiba M5 laptop (Select bay DVD writer; 7200RPM SATA disk; Intel Duo)
DVD+R build of Ultimate (fully automated default install)
00 - Boot
03 - Expanding files (0%) ...
10 - Expanding files (78%) ...
14 - First reboot
17 - Completing installation ...
20 - Second reboot
22 - Windows checks performance
25 - First logon prompt
Summary: 25 minutes for a 6 month old laptop is pretty good. With the optimizations expected at RTM, this build time may be significantly faster.
What sort of times are you seeing for the installation of Vista? Post the results of your tests in comments to this blog.
Rob Campbell
Check out the link below for a great set of Windows Vista documents. Note that many of these were recently updated.
http://www.microsoft.com/downloads/details.aspx?FamilyID=311f4be8-9983-4ab0-9685-f1bfec1e7d62&DisplayLang=en
Here’s what’s available:
· Deploying Vista Step by Step Guide.doc (195 KB)
· Managing Group Policy ADMX Files Step by Step Guide.doc ( 150 KB)
· Managing Roaming User Data Deployment Guide.doc (414 KB)
· Performance Monitoring and Tuning Step by Step Guide.doc (209 KB)
· Print Management Step by Step Guide.doc (260 KB)
· Step by Step Guide to Controlling Device Installation and Usage with Group Policy.doc (640 KB)
· Step by Step Guide to Device Driver Signing and Staging.doc (748 KB)
· Step by Step Guide to Managing Multiple Local Group Policy.doc (274 KB)
· User Account Control Step by Step Guide.doc (146 KB)
· Windows BitLocker Drive Encryption Step-by-Step Guide (September 2006).doc (169 KB)
· Windows Vista Beta 2 Migration Step by Step Guide.doc (152 KB)
· Windows Vista Beta 2 Trusted Platform Module Services Step by Step Guide (May 2006).doc (157 KB)
· Windows Vista Mobile Device Center Step by Step.doc (134 KB)
· Windows Vista Multilingual User Interface Step by Step Guide.doc (158 KB)
· Windows Vista Speech Recognition Step by Step.doc (118 KB)
· Windows Vista Windows Meeting Space Step by Step Guide.doc (388 KB)
The steps below outline how to create a custom Vista DVD. The idea here is that you can manually install one Vista machine with all your software and settings, and then easily capture an image to install other machines very simply. If you have more than one machine to setup with Vista, then this is the way to go.
Two systems are required for this process - the build machine can be Vista or XP or Server 2003 – the image machine will be the Vista baseline. The WIM created with this process can also be used to install Vista via Windows Deployment Services.
1. Gather and install the necessary files and tools (on the build machine)
a. Copy the following to a local directory
i. Vista RC1 ISO (from the Connect portal, MSDN, or TechNet)
ii. Vista RC1 Windows Automated Installation Kit (WAIK) Vista RC1 ISO (from the Connect portal, MSDN, or TechNet)
b. Burn the Vista RC1 ISO to a DVD (use your favorite DVD burning software)
c. Install the RC1 WAIK
d. Build a WinPE ISO image and burn a CD
i. cd Program Files\Windows AIK\Tools\PETools\
ii. copype.cmd x86 c:\temp\winpe_x86
iii. copy “c:\program files\Windows AIK\Tools\x86\imagex.exe” c:\temp\winpe_x86\iso\
iv. copy wimscript.ini (sample attached to this post) to c:\temp\winpe_x86\iso\
v. oscdimg -n –bc:\winpe_x86\etfsboot.com c:\temp\winpe_x86\ISO c:\temp\winpe_x86.iso
vi. Burn this ISO to a CD (use your favorite CD burning software)
vii. Test the ISO (use it to boot the image machine)
1. This is very important so that the baseline system is not rebooted to the hard drive after sysprep
2. Build baseline system (on the image machine)
a. Start with the machine on A/C power, but not connected to any network (turn wireless off)
b. To automate the build process, create an autounattend.xml file, copy it to the root of a USB memory device, and ensure that the device is connected upon DVD boot
i. Contact us for a sample file that provides a completely automated build
c. Wait for the Vista build to complete; with good hardware this should take about 20 minutes
3. Customize the baseline (on the image machine)
a. Install whatever software you would like included in your image
4. Run SysPrep (on the image machine)
a. Start a CMD window
b. Navigate to \windows\system32\sysprep
c. Run “sysprep.exe /generalize /shutdown /oobe”
d. The machine will shutdown
e. DO NOT REBOOT THE MACHINE INTO ANYTHING OTHER THAN WINPE
f. If you reboot the machine to the Vista build, then you should go back step 2 “Build baseline system” and start over.
5. Capture a Windows Image (WIM) of the baseline (on the image machine)
a. Re-read steps 5e and 5f above
b. Boot to Windows PE
c. Watch for the “Press any key to boot from CD” prompt
d. Watch the system to make sure WinPE boots
e. Map a z: drive to the build machine (a dedicated high speed network or cross over cable is best)
f. d:\imagex.exe /compress fast /capture c: z:\temp\VistaRC1v1.wim "Windows Vista ULTIMATE" /flags “Ultimate” /verify
i. The file name of the WIM can be changed, keep everything else the same
g. Wait for the image to be created, with good hardware and a fast network this should take about 20 minutes
6. Build and burn a custom DVD with the new WIM (on the build machine)
a. Copy the entire contents of the Vista RC1 DVD to a directory (c:\temp\VistaDVD)
b. Delete install.wim from \VistaDVD\sources
c. Rename \temp\VistaRC1v1.wim to install.wim and move it to \VistaDVD\sources
d. To automate the build process, create an autounattend.xml file, copy it to \temp\VistaDVD
i. Contact us for a sample file that provides a completely automated build
e. Build a DVD ISO image from \temp\VistaDVD
i. cd Program Files\Windows AIK\Tools\PETools\
ii. oscdimg -n –m –lVistaRC1v1 –h –b”\x86\boot\etfsboot.com c:\temp\VistaDVD c:\temp\VistaRC1v1.iso
iii. Wait for the ISO to be created, with good hardware and a fast network this should take about 20 minutes
f. Burn the newly created ISO to a DVD (use your favorite DVD burning software)
7. Install Vista and be happy (on any machine)
a. The autounattend.xml file that we included on the DVD showed the following prompts during setup:
i. Product Key (use an Ultimate key if all steps in the process were followed)
ii. Destination drive
iii. Choose a user name and picture
iv. Choose a machine name and wallpaper
I would like to point out a new Microsoft Windows blog that recently came on line called Shell Revealed. There is a blog section as well as forums, downloads and galleries. I think it is great that the core UI design team has started this channel of communication.
Also, as most of you know, we released Windows Vista RC1 earlier this month. It is a great step forward and most of us are now running it as our main system combined with Office 2007 Beta. I can't see ever going back! :-)
If you are intersted in testing Windows Vista RC1 you can download it via MSDN, TechNet, the Windows Vista Technical Beta Program or you can simply go to the Customer Preview Program (CPP) release which is open to the general public.
Lastly, the Beta 2 of BDD 2007 is now up on the Desktop Deployment Center. If you are interested in industry best practices and tools for deploying and managing Windows Vista I strongly suggest that you check out the BDD.
Cheers,
Patrick Svenburg
Aaron over at the IEBlog posted a great compilation of IE 6/7 keyboard shortscuts back in February, but with the recent availabillity of IE7 Beta 3 I thought this would be a good time to remind people about it. Enjoy!
Cheers,
p.
It's hard keeping track of what is being written about Windows Vista in various media outlets but I would like to take the opportunity to point to a recent article from Computer World called 20 Reasons Why Windows Vista Will Be Your Next OS.
I think it hits on the key points why Windows Vista is important and provides a set of generic talking points for those of you in Federal agencies that are responsible for evaluating Windows Vista and need to present it up the food chain.
Of couse, I particularly like this section: :-)
“It's not just the best version of Windows ever, it's the best Windows upgrade ever.”
Cheers,
p.
First off, I need to apologize for not having any new content up here in a while, but with the release of Beta 2, we've been swamped here internally. All things aside, someone on the team should have found the time to post before now, but that said, I'm posting now.
It's been two weeks now that I've had the experience of playing around with Vista Beta 2. My team and I recently held a Vista Beta 2 Install-a-Thon here in the DC Office where employees could bring in their laptops and have Vista and Office 2007 installed on them. While the event came off as a success (more than 20% of the Federal Sales Team now runs Vista), we definitely learned a lot along the way about Vista, Driver Issues, BIOS Issues, well Issues in general.
To start with we didn't have the time before hand to setup WDS or even get an image based setup installed. We create a public share on a local server, dropped in all of our applications and dropped in all of the drivers. We burned off a ton of BIOS upgrade CD's for all of the Microsoft "standard" laptops, and we burned off a ton of Vista DVD's.
Internally we have the following common standard laptops: HP Compaq NC6000, HP Compaq NC8000, Toshiba M200, Toshiba M2, Toshiba M3, Toshiba M4, Toshiba M400, and the Toshiba M5. Additionally a couple of people also had the HP 6125 64-bit machine.
The older HP machines (NC6000/NC8000) run Vista fine, require no special hoops to jump through, and require no BIOS upgrades at all. The only catch is that if you don't want your neighbors on the airplane to hear your music, you'd better install the HP SoundMax driver and not use the in-box driver. The Toshiba's on the other hand were quite a lot of work.
The M200 requires a BIOS upgrade, followed by some super secret registry key to be set, otherwise UI performance is terrible. Specifically, go to HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 and add the following DWORD reg key: RMHotPlugSupportDisable DWORD 0x30003
The M2 requires no BIOS upgrade, but you have two choices for drivers. You may select the in-box driver and receive no glass, or you may use the nVidia Go FX5200 driver (chosen by manually specifying it from the in-box drivers, and approving the warning message). The replaced nVidia driver lets you use glass, but you can not sleep (well you can but your machine will never wake up). The external monitor display works, but you need to disable glass before deciding to project, then you can re-enable glass.
The M3 and M4 units are virtually identical (except for tablet functionality) and both require BIOS upgrades. After which these units work well. The M400 requires a new BIOS (two new versions have been released since Beta 2). After which, the unit works well, but Glass can be a bit sluggish. The M5 requires a new BIOS, and then the machine just flys.
Now for the fine print. All of the BIOS upgrades are MS internal only right now as Toshiba is presently developing them and testing them for a future release. Thus the drivers that enable glass, and allow for many of the other features (biometric reader, HDD shock sensor, bluetooth, etc.) are also internal only now. Maybe in a future public release of Vista, we'll actually get this stuff out in front of the world to play with.
The HP 6125 runs well on 32-bit code (we didn't try on the 64-bit stuff due to the fact that we hadn't prepped for any of these laptops showing up), but once again not all of the drivers are available through Windows Update.
Enough about the machines, how is Vista? The truth is that it runs well. The biggest complaints center around all of the above quirkiness (this will be ironed out by RTM, but with a new driver model now it is presenting greater issues over past OS's, although some of this quirkiness always attaches itself to a major OS release). Additionally, there is a lot of feedback around UAP being overly zealous. Read on for more bits of goodness in this area. Network Center has also baffled and confounded many a user. Aside from that, most people are finding everything generally fast enough (although perf has continually improved since Beta 2) and the OS usable and stable. Caveat to all of this is that Vista gobbles up RAM. At least with Beta 2, 1Gig is usable, 2 Gigs is good. Anything else, and don't bother aside from testing purposes.
Well what's changing with UAP? I'm not in the product group, so I'm not privy to all of the direction setting, etc., but with newer builds (I'm now running 5452), some cool things have shown up. Specifically, the dialog box akin to "A program that you are currently not using is attempting to elevate, would you like to view the request". This has been triggered in two areas for me. Number 1, when Group Policy has pushed and executed something on my machine that I did not run. Read this as when a vulnerability (not that there are any now) is exploited and attempts to elevate, you get a sensible dialog. Number 2, when one program that I did execute, spawns off another separate program that attempts to elevate. Meaning I run a normal program (i.e. Word) and the program executes some harmful script and executes a separate program that attempts to elevate. I like these dialogs, as they mean a lot more to me than the generic UAP dialog. These are actually the times that I care about elevating applications, and not when I double click on an application. It will be interesting to see where this leads.
As for Network Center, I can't find it anymore! I don't know whether its gone completely, or I just can't find it. The bottom line is that it looks like some changes are coming in this area.
All in all, there are some hiccups in certain areas now, but I like where the road is heading. And whenever I go back to Windows XP, it just feels so clunky and dated.
-Z
Our colleague Jesper Johansson has a great post up on Windows Vista Firewall - definitely worth checking out.
p.
Recently Microsoft made available to select TAP/Beta testing groups a new build (5365) which I just finished installing. All in all, I've say that things have progressed nicely from my pervious build (5348) and the previous public release (5342). I'm running Vista smoothly on a Compaq NC6000 laptop with 1GB or RAM. There are definite performance improvements that have been integrated as Vista is now running almost as quickly as XP. With the rate things are going, I imagine that by Beta 2 parity will be achieved, and in the RC timeframe, it might actually be faster!
My only immediate complaints stem from the in-box audio driver (AC '97) not shutting off my speakers when I plug in a set of headphones. This worked on early builds, but as of the February CTP has not. I tried installing the driver posted on RealTek's webpage, but this very promptly blue-screened my box -- guess there is some sort of driver compatibility issue there. Booting to safe mode and removing the device quickly solved the issue.
The second complaint is with the over-zealous elevation dialogs. They appear with reasonable regularity to the point that I don't think end-users will actually read them, and will instead continually approve the elevation. The thing that really drives me nuts though is that the dialogs now demand immediate attention before allowing you to proceed with doing anything on the system. Fortunately (or maybe unfortunately) a visit to secpol.msc allows this behavior to be disabled or curtailed. I'm sure though that much attention will be given to this prior to shipping, to determine what the right amount of user interaction is for granting consent.
I've seen some posts where people want all locally installed programs to run without consent. This I do not agree with. While I find the current state of the prompts obnoxious, disabling this security feature opens up a large attack vector on the system. Presently installation programs that spawn new processes for rider program installations (read spyware/malware/rootkits/etc.) causes the prompt to occur. A simple click of the cancel button quickly resolves the issue. By providing this level of security, users gain much control over what enters and runs on their machines.
The true solution for all these issues is the redesign of applications to not require administrative privileges to run. There has been a lot of work put into the operating system to help along legacy applications in this space, but until appdevs start writing applications with least privilege in mind, we'll be continually granting applications administrative consent. For those that would say this is unrealistic, I merely point to the Linux/UNIX world where this has been done for years (design of applications with two-token authentication in mind). Not all legacy applications will be ported, nor should they, but future applications can and should definitely be written with this in mind.
-Z
